authorLuke Leighton <lkcl@samba.org>1998-11-17 16:19:04 +0000
committerLuke Leighton <lkcl@samba.org>1998-11-17 16:19:04 +0000
commit74d539f5573a3ed3ff1b96c54752a389da4c3e14 (patch)
treecc4cee5bc8c5ff3e7ebfef04c4ed3ff6a199df48 /source3/rpc_server
parentb7c4cd9fc6460c2138750237ee4525f929e93a76 (diff)
- group database API. oops and oh dear, the threat has been carried out:
the pre-alpha "domain group" etc parameters have disappeared. - interactive debug detection - re-added mem_man (andrew's memory management, detects memory corruption) - american spellings of "initialise" replaced with english spelling of "initialise". - started on "lookup_name()" and "lookup_sid()" functions. proper ones. - moved lots of functions around. created some modules of commonly used code. e.g the password file locking code, which is used in groupfile.c and aliasfile.c and smbpass.c - moved RID_TYPE_MASK up another bit. this is really unfortunate, but there is no other "fast" way to identify users from groups from aliases. i do not believe that this code saves us anything (the multipliers) and puts us at a disadvantage (reduces the useable rid space). the designers of NT aren't silly: if they can get away with a user- interface-speed LsaLookupNames / LsaLookupSids, then so can we. i spoke with isaac at the cifs conference, the only time for example that they do a security context check is on file create. certainly not on individual file reads / writes, which would drastically hit their performance and ours, too. - renamed myworkgroup to global_sam_name, amongst other things, when used in the rpc code. there is also a global_member_name, as we are always responsible for a SAM database, the scope of which is limited by the role of the machine (e.g if a member of a workgroup, your SAM is for _local_ logins only, and its name is the name of your server. you even still have a SID. see LsaQueryInfoPolicy, levels 3 and 5). - updated functionality of groupname.c to be able to cope with names like DOMAIN\group and SERVER\alias. used this code to be able to do aliases as well as groups. this code may actually be better off being used in username mapping, too. - created a connect to serverlist function in clientgen.c and used it in password.c - initialisation in server.c depends on the role of the server. well, it does now. - rpctorture. smbtorture. 
EXERCISE EXTREME CAUTION. (This used to be commit 0d21e1e6090b933f396c764af535ca3388a562db)
Diffstat (limited to 'source3/rpc_server')
-rw-r--r--source3/rpc_server/srv_lsa.c271
-rw-r--r--source3/rpc_server/srv_lsa_hnd.c4
-rw-r--r--source3/rpc_server/srv_netlog.c416
-rw-r--r--source3/rpc_server/srv_samr.c262
-rw-r--r--source3/rpc_server/srv_util.c323
5 files changed, 538 insertions, 738 deletions
diff --git a/source3/rpc_server/srv_lsa.c b/source3/rpc_server/srv_lsa.c
index 5e6e101883..51b6e8d25b 100644
--- a/source3/rpc_server/srv_lsa.c
+++ b/source3/rpc_server/srv_lsa.c
@@ -29,6 +29,12 @@
extern int DEBUGLEVEL;
extern DOM_SID global_sam_sid;
+extern fstring global_sam_name;
+extern DOM_SID global_member_sid;
+extern fstring global_myworkgroup;
+extern DOM_SID global_sid_S_1_1;
+extern DOM_SID global_sid_S_1_3;
+extern DOM_SID global_sid_S_1_5;
/***************************************************************************
lsa_reply_open_policy2
@@ -84,8 +90,8 @@ static void make_dom_query(DOM_QUERY *d_q, char *dom_name, DOM_SID *dom_sid)
d_q->uni_dom_max_len = domlen * 2;
d_q->uni_dom_str_len = domlen * 2;
- d_q->buffer_dom_name = 4; /* domain buffer pointer */
- d_q->buffer_dom_sid = 2; /* domain sid pointer */
+ d_q->buffer_dom_name = domlen != 0 ? 1 : 0; /* domain buffer pointer */
+ d_q->buffer_dom_sid = dom_sid != NULL ? 1 : 0; /* domain sid pointer */
/* this string is supposed to be character short */
make_unistr2(&(d_q->uni_domain_name), dom_name, domlen);
@@ -137,50 +143,70 @@ static void lsa_reply_query_info(LSA_Q_QUERY_INFO *q_q, prs_struct *rdata,
/***************************************************************************
-make_dom_ref
+make_dom_ref - adds a domain if it's not already in, returns the index
***************************************************************************/
-static void make_dom_ref(DOM_R_REF *ref, int num_domains,
- char **dom_names, DOM_SID **dom_sids)
+static int make_dom_ref(DOM_R_REF *ref, char *dom_name, DOM_SID *dom_sid)
{
- int i;
+ int num = 0;
+ int len;
- if (num_domains > MAX_REF_DOMAINS)
+ if (dom_name != NULL)
{
- num_domains = MAX_REF_DOMAINS;
+ for (num = 0; num < ref->num_ref_doms_1; num++)
+ {
+ fstring domname;
+ fstrcpy(domname, unistr2_to_str(&ref->ref_dom[num].uni_dom_name));
+ if (strequal(domname, dom_name))
+ {
+ return num;
+ }
+ }
+
+ }
+ else
+ {
+ num = ref->num_ref_doms_1;
+ }
+
+ if (num >= MAX_REF_DOMAINS)
+ {
+ /* index not found, already at maximum domain limit */
+ return -1;
}
ref->undoc_buffer = 1;
- ref->num_ref_doms_1 = num_domains;
+ ref->num_ref_doms_1 = num+1;
ref->undoc_buffer2 = 1;
ref->max_entries = MAX_REF_DOMAINS;
- ref->num_ref_doms_2 = num_domains;
+ ref->num_ref_doms_2 = num+1;
- for (i = 0; i < num_domains; i++)
- {
- int len = dom_names[i] != NULL ? strlen(dom_names[i]) : 0;
+ len = dom_name != NULL ? strlen(dom_name) : 0;
- make_uni_hdr(&(ref->hdr_ref_dom[i].hdr_dom_name), len, len, len != 0 ? 1 : 0);
- ref->hdr_ref_dom[i].ptr_dom_sid = dom_sids[i] != NULL ? 1 : 0;
+ make_uni_hdr(&(ref->hdr_ref_dom[num].hdr_dom_name), len, len, len != 0 ? 1 : 0);
+ ref->hdr_ref_dom[num].ptr_dom_sid = dom_sid != NULL ? 1 : 0;
- make_unistr2 (&(ref->ref_dom[i].uni_dom_name), dom_names[i], len);
- make_dom_sid2(&(ref->ref_dom[i].ref_dom ), dom_sids [i]);
- }
+ make_unistr2 (&(ref->ref_dom[num].uni_dom_name), dom_name, len);
+ make_dom_sid2(&(ref->ref_dom[num].ref_dom ), dom_sid );
+ return num;
}
/***************************************************************************
make_reply_lookup_rids
***************************************************************************/
static void make_reply_lookup_rids(LSA_R_LOOKUP_RIDS *r_l,
- int num_entries, uint32 dom_rids[MAX_LOOKUP_SIDS],
- int num_ref_doms,
- char **dom_names, DOM_SID **dom_sids)
+ int num_entries,
+ uint32 dom_rids[MAX_LOOKUP_SIDS],
+ uint8 dom_types[MAX_LOOKUP_SIDS])
{
int i;
- make_dom_ref(&(r_l->dom_ref), num_ref_doms, dom_names, dom_sids);
+ r_l->num_entries = 0;
+ r_l->undoc_buffer = 0;
+ r_l->num_entries2 = 0;
+#if 0
r_l->num_entries = num_entries;
r_l->undoc_buffer = 1;
r_l->num_entries2 = num_entries;
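Review bot: make_dom_ref() now reads `ref->num_ref_doms_1` before it writes anything, so it is only correct on a DOM_R_REF that was zeroed before the first call, and the header comment does not say so. lsa_reply_lookup_sids declares `DOM_R_REF ref;` on the stack and the context visible in this diff shows only `ZERO_STRUCT(names);`. A `ZERO_STRUCT(ref);` may sit just outside that hunk, but it is worth confirming, because an uninitialised count would let the search loop walk `ref->ref_dom[]` past its end. I would extend the header comment to something like `/* ref must be zeroed before the first call; returns the domain's index, or -1 when MAX_REF_DOMAINS entries are already in use */`. This hunk also carries the start of make_reply_lookup_rids, whose body continues in the next hunk.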
@@ -189,58 +215,85 @@ static void make_reply_lookup_rids(LSA_R_LOOKUP_RIDS *r_l,
for (i = 0; i < num_entries; i++)
{
- make_dom_rid2(&(r_l->dom_rid[i]), dom_rids[i], 0x01);
+ make_dom_ref(&(r_l->dom_ref), dom_name, dom_sid);
+ make_dom_rid2(&(r_l->dom_rid[i]), dom_rids[i], dom_types[i]);
}
r_l->num_entries3 = num_entries;
+#endif
}
/***************************************************************************
make_lsa_trans_names
***************************************************************************/
-static void make_lsa_trans_names(LSA_TRANS_NAME_ENUM *trn,
+static void make_lsa_trans_names(DOM_R_REF *ref,
+ LSA_TRANS_NAME_ENUM *trn,
int num_entries, DOM_SID2 sid[MAX_LOOKUP_SIDS],
- uint32 *total)
+ uint32 *mapped_count)
{
- uint32 status = 0x0;
int i;
- (*total) = 0;
+ int total = 0;
+ (*mapped_count) = 0;
SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
for (i = 0; i < num_entries; i++)
{
+ uint32 status = 0x0;
+ DOM_SID find_sid = sid[i].sid;
+ DOM_SID tmp = sid[i].sid;
uint32 rid = 0xffffffff;
- uint8 num_auths = sid[i].sid.num_auths;
+ int dom_idx = -1;
fstring name;
- uint32 type;
+ fstring dom_name;
+ uint8 sid_name_use = 0;
- SMB_ASSERT_ARRAY(sid[i].sid.sub_auths, num_auths);
+ memset(dom_name, 0, sizeof(dom_name));
+ memset(name , 0, sizeof(name ));
- /* find the rid to look up */
- if (num_auths != 0)
+ if (map_domain_sid_to_name(&find_sid, dom_name))
+ {
+ sid_name_use = SID_NAME_DOMAIN;
+ dom_idx = make_dom_ref(ref, dom_name, &find_sid);
+ }
+ else if (sid_split_rid (&find_sid, &rid) &&
+ map_domain_sid_to_name(&find_sid, dom_name))
+ {
+ if (sid_equal(&find_sid, &global_sam_sid))
+ {
+ status = lookup_name(&tmp, name, &sid_name_use);
+ }
+ else
+ {
+ status = 0xC0000000 | NT_STATUS_NONE_MAPPED;
+ }
+ }
+ else
{
- rid = sid[i].sid.sub_auths[num_auths-1];
-
status = 0xC0000000 | NT_STATUS_NONE_MAPPED;
-
- status = (status != 0x0) ? lookup_user_name (rid, name, &type) : status;
- status = (status != 0x0) ? lookup_group_name(rid, name, &type) : status;
- status = (status != 0x0) ? lookup_alias_name(rid, name, &type) : status;
}
+ dom_idx = make_dom_ref(ref, dom_name, &find_sid);
+
if (status == 0x0)
{
- make_lsa_trans_name(&(trn->name [(*total)]),
- &(trn->uni_name[(*total)]),
- type, name, (*total));
- (*total)++;
+ (*mapped_count)++;
+ }
+ else
+ {
+ snprintf(name, sizeof(name), "%08x", rid);
+ sid_name_use = SID_NAME_UNKNOWN;
+
}
+ make_lsa_trans_name(&(trn->name [total]),
+ &(trn->uni_name[total]),
+ sid_name_use, name, dom_idx);
+ total++;
}
- trn->num_entries = (*total);
+ trn->num_entries = total;
trn->ptr_trans_names = 1;
- trn->num_entries2 = (*total);
+ trn->num_entries2 = total;
}
/***************************************************************************
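Review bot: The index that make_dom_ref() returns is handed to make_lsa_trans_name() as `dom_idx` without a check, so the new -1 "table full" result would be written into the translated-name entry as if it were a valid domain index. On the two unmapped paths `dom_name` is presumably still the zeroed buffer, which means the unconditional call at the bottom of the loop registers a referenced domain with an empty name and a SID taken from the request. I would call it only when a name was resolved, e.g. `if (dom_name[0] != 0) dom_idx = make_dom_ref(ref, dom_name, &find_sid);`, and decide explicitly what an entry with `dom_idx < 0` should carry. The first branch also ends up calling make_dom_ref() twice for the same domain. How make_lsa_trans_name() encodes the index is not visible here.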
@@ -260,9 +313,7 @@ static void make_reply_lookup_sids(LSA_R_LOOKUP_SIDS *r_l,
lsa_reply_lookup_sids
***************************************************************************/
static void lsa_reply_lookup_sids(prs_struct *rdata,
- int num_entries, DOM_SID2 sid[MAX_LOOKUP_SIDS],
- int num_ref_doms,
- char **dom_names, DOM_SID **dom_sids)
+ DOM_SID2 *sid, int num_entries)
{
LSA_R_LOOKUP_SIDS r_l;
DOM_R_REF ref;
@@ -274,8 +325,7 @@ static void lsa_reply_lookup_sids(prs_struct *rdata,
ZERO_STRUCT(names);
/* set up the LSA Lookup SIDs response */
- make_dom_ref(&ref, num_ref_doms, dom_names, dom_sids);
- make_lsa_trans_names(&names, num_entries, sid, &mapped_count);
+ make_lsa_trans_names(&ref, &names, num_entries, sid, &mapped_count);
make_reply_lookup_sids(&r_l, &ref, &names, mapped_count, 0x0);
/* store the response in the SMB stream */
@@ -286,17 +336,17 @@ static void lsa_reply_lookup_sids(prs_struct *rdata,
lsa_reply_lookup_rids
***************************************************************************/
static void lsa_reply_lookup_rids(prs_struct *rdata,
- int num_entries, uint32 dom_rids[MAX_LOOKUP_SIDS],
- int num_ref_doms,
- char **dom_names, DOM_SID **dom_sids)
+ int num_entries,
+ uint32 dom_rids[MAX_LOOKUP_SIDS],
+ uint8 dom_types[MAX_LOOKUP_SIDS])
{
LSA_R_LOOKUP_RIDS r_l;
ZERO_STRUCT(r_l);
/* set up the LSA Lookup RIDs response */
- make_reply_lookup_rids(&r_l, num_entries, dom_rids,
- num_ref_doms, dom_names, dom_sids);
+ make_reply_lookup_rids(&r_l, num_entries, dom_rids, dom_types);
+
r_l.status = 0x0;
/* store the response in the SMB stream */
@@ -365,17 +415,39 @@ static void api_lsa_query_info( uint16 vuid, prs_struct *data,
prs_struct *rdata )
{
LSA_Q_QUERY_INFO q_i;
- pstring dom_name;
+ fstring name;
+ DOM_SID *sid = NULL;
+ memset(name, 0, sizeof(name));
ZERO_STRUCT(q_i);
/* grab the info class and policy handle */
lsa_io_q_query("", &q_i, data, 0);
- pstrcpy(dom_name, lp_workgroup());
+ switch (q_i.info_class)
+ {
+ case 0x03:
+ {
+ fstrcpy(name, global_myworkgroup);
+ sid = &global_member_sid;
+ break;
+ }
+ case 0x05:
+ {
+ fstrcpy(name, global_sam_name);
+ sid = &global_sam_sid;
+ break;
+ }
+ default:
+ {
+ DEBUG(5,("unknown info level in Lsa Query: %d\n",
+ q_i.info_class));
+ break;
+ }
+ }
/* construct reply. return status is always 0x0 */
- lsa_reply_query_info(&q_i, rdata, dom_name, &global_sam_sid);
+ lsa_reply_query_info(&q_i, rdata, name, sid);
}
/***************************************************************************
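Review bot: An unrecognised `q_i.info_class` leaves `name` empty and `sid` NULL in the `default:` case, yet the reply is still built and, per the comment, returned with status 0x0. `info_class` is parsed straight from the request, so this path is reachable by any caller, and whether everything below lsa_reply_query_info() tolerates a NULL `DOM_SID *` is not visible in this diff (make_dom_query only shows the pointer flag being guarded). I would return an error for unknown levels instead of a success reply with an empty domain, for example `0xC0000000 | NT_STATUS_INVALID_INFO_CLASS` as srv_netlog.c does in this commit. That needs lsa_reply_query_info() to accept a status, which is outside the hunk.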
@@ -385,44 +457,13 @@ static void api_lsa_lookup_sids( uint16 vuid, prs_struct *data,
prs_struct *rdata )
{
LSA_Q_LOOKUP_SIDS q_l;
- pstring dom_name;
- DOM_SID sid_S_1_1;
- DOM_SID sid_S_1_3;
- DOM_SID sid_S_1_5;
-
- DOM_SID *sid_array[4];
- char *dom_names[4];
-
ZERO_STRUCT(q_l);
- ZERO_STRUCT(sid_S_1_1);
- ZERO_STRUCT(sid_S_1_3);
- ZERO_STRUCT(sid_S_1_5);
/* grab the info class and policy handle */
lsa_io_q_lookup_sids("", &q_l, data, 0);
- pstrcpy(dom_name, lp_workgroup());
-
- string_to_sid(&sid_S_1_1, "S-1-1");
- string_to_sid(&sid_S_1_3, "S-1-3");
- string_to_sid(&sid_S_1_5, "S-1-5");
-
- dom_names[0] = dom_name;
- sid_array[0] = &global_sam_sid;
-
- dom_names[1] = "Everyone";
- sid_array[1] = &sid_S_1_1;
-
- dom_names[2] = "don't know";
- sid_array[2] = &sid_S_1_3;
-
- dom_names[3] = "NT AUTHORITY";
- sid_array[3] = &sid_S_1_5;
-
/* construct reply. return status is always 0x0 */
- lsa_reply_lookup_sids(rdata,
- q_l.sids.num_entries, q_l.sids.sid, /* SIDs */
- 4, dom_names, sid_array);
+ lsa_reply_lookup_sids(rdata, q_l.sids.sid, q_l.sids.num_entries);
}
/***************************************************************************
@@ -433,63 +474,24 @@ static void api_lsa_lookup_names( uint16 vuid, prs_struct *data,
{
int i;
LSA_Q_LOOKUP_RIDS q_l;
- pstring dom_name;
uint32 dom_rids[MAX_LOOKUP_SIDS];
- uint32 dummy_g_rid;
-
- DOM_SID sid_S_1_1;
- DOM_SID sid_S_1_3;
- DOM_SID sid_S_1_5;
-
- DOM_SID *sid_array[4];
- char *dom_names[4];
+ uint8 dom_types[MAX_LOOKUP_SIDS];
ZERO_STRUCT(q_l);
- ZERO_STRUCT(sid_S_1_1);
- ZERO_STRUCT(sid_S_1_3);
- ZERO_STRUCT(sid_S_1_5);
ZERO_ARRAY(dom_rids);
/* grab the info class and policy handle */
lsa_io_q_lookup_rids("", &q_l, data, 0);
- pstrcpy(dom_name, lp_workgroup());
-
- string_to_sid(&sid_S_1_1, "S-1-1");
- string_to_sid(&sid_S_1_3, "S-1-3");
- string_to_sid(&sid_S_1_5, "S-1-5");
-
- dom_names[0] = dom_name;
- sid_array[0] = &global_sam_sid;
-
- dom_names[1] = "Everyone";
- sid_array[1] = &sid_S_1_1;
-
- dom_names[2] = "don't know";
- sid_array[2] = &sid_S_1_3;
-
- dom_names[3] = "NT AUTHORITY";
- sid_array[3] = &sid_S_1_5;
-
SMB_ASSERT_ARRAY(q_l.lookup_name, q_l.num_entries);
/* convert received RIDs to strings, so we can do them. */
for (i = 0; i < q_l.num_entries; i++)
{
- fstring user_name;
- fstrcpy(user_name, unistr2(q_l.lookup_name[i].str.buffer));
-
- /*
- * Map to the UNIX username.
- */
- map_username(user_name);
-
- /*
- * Do any case conversions.
- */
- (void)Get_Pwnam(user_name, True);
+ fstring name;
+ fstrcpy(name, unistr2(q_l.lookup_name[i].str.buffer));
- if (!pdb_name_to_rid(user_name, &dom_rids[i], &dummy_g_rid))
+ if (lookup_rid(name, &dom_rids[i], &dom_types[i]))
{
/* WHOOPS! we should really do something about this... */
dom_rids[i] = 0;
@@ -498,8 +500,9 @@ static void api_lsa_lookup_names( uint16 vuid, prs_struct *data,
/* construct reply. return status is always 0x0 */
lsa_reply_lookup_rids(rdata,
- q_l.num_entries, dom_rids, /* text-converted SIDs */
- 4, dom_names, sid_array);
+ q_l.num_entries,
+ dom_rids, /* text-converted SIDs */
+ dom_types); /* SID_NAME_USE types */
}
/***************************************************************************
diff --git a/source3/rpc_server/srv_lsa_hnd.c b/source3/rpc_server/srv_lsa_hnd.c
index b807c40604..dabc5520ff 100644
--- a/source3/rpc_server/srv_lsa_hnd.c
+++ b/source3/rpc_server/srv_lsa_hnd.c
@@ -290,7 +290,8 @@ BOOL close_lsa_policy_hnd(POLICY_HND *hnd)
{
struct policy *p = find_lsa_policy(hnd);
- if (!p) {
+ if (!p)
+ {
DEBUG(3,("Error closing policy\n"));
return False;
}
@@ -302,6 +303,7 @@ BOOL close_lsa_policy_hnd(POLICY_HND *hnd)
bitmap_clear(bmap, p->pnum);
ZERO_STRUCTP(p);
+ ZERO_STRUCTP(hnd);
free(p);
diff --git a/source3/rpc_server/srv_netlog.c b/source3/rpc_server/srv_netlog.c
index 04118800e2..77b17dca2f 100644
--- a/source3/rpc_server/srv_netlog.c
+++ b/source3/rpc_server/srv_netlog.c
@@ -1,4 +1,3 @@
-
/*
* Unix SMB/Netbios implementation.
* Version 1.9.
@@ -544,7 +543,8 @@ static uint32 net_login_interactive(NET_ID_INFO_1 *id1,
net_login_network:
*************************************************************************/
static uint32 net_login_network(NET_ID_INFO_2 *id2,
- struct smb_passwd *smb_pass)
+ struct smb_passwd *smb_pass,
+ user_struct *vuser)
{
DEBUG(5,("net_login_network: lm_len: %d nt_len: %d\n",
id2->hdr_lm_chal_resp.str_str_len,
@@ -593,221 +593,213 @@ static void api_net_sam_logon( uint16 vuid,
prs_struct *data,
prs_struct *rdata)
{
- NET_Q_SAM_LOGON q_l;
- NET_ID_INFO_CTR ctr;
- NET_USER_INFO_3 usr_info;
- uint32 status = 0x0;
- DOM_CRED srv_cred;
- struct smb_passwd *smb_pass = NULL;
- UNISTR2 *uni_samlogon_user = NULL;
-
- user_struct *vuser = NULL;
-
- if ((vuser = get_valid_user_struct(vuid)) == NULL)
- return;
-
- q_l.sam_id.ctr = &ctr;
-
- net_io_q_sam_logon("", &q_l, data, 0);
-
- /* checks and updates credentials. creates reply credentials */
- if (!deal_with_creds(vuser->dc.sess_key, &(vuser->dc.clnt_cred),
- &(q_l.sam_id.client.cred), &srv_cred))
- {
- status = 0xC0000000 | NT_STATUS_INVALID_HANDLE;
- }
- else
- {
- memcpy(&(vuser->dc.srv_cred), &(vuser->dc.clnt_cred), sizeof(vuser->dc.clnt_cred));
- }
-
- /* find the username */
-
- if (status == 0)
- {
- switch (q_l.sam_id.logon_level)
- {
- case INTERACTIVE_LOGON_TYPE:
- {
- uni_samlogon_user = &(q_l.sam_id.ctr->auth.id1.uni_user_name);
-
- DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup()));
- break;
- }
- case NET_LOGON_TYPE:
- {
- uni_samlogon_user = &(q_l.sam_id.ctr->auth.id2.uni_user_name);
-
- DEBUG(3,("SAM Logon (Network). Domain:[%s]. ", lp_workgroup()));
- break;
- }
- default:
- {
- DEBUG(2,("SAM Logon: unsupported switch value\n"));
- status = 0xC0000000 | NT_STATUS_INVALID_INFO_CLASS;
- break;
- }
- } /* end switch */
- } /* end if status == 0 */
-
- /* check username exists */
-
- if (status == 0)
- {
- pstrcpy(samlogon_user, unistrn2(uni_samlogon_user->buffer,
- uni_samlogon_user->uni_str_len));
-
- DEBUG(3,("User:[%s]\n", samlogon_user));
+ NET_Q_SAM_LOGON q_l;
+ NET_ID_INFO_CTR ctr;
+ NET_USER_INFO_3 usr_info;
+ uint32 status = 0x0;
+ DOM_CRED srv_cred;
+ struct smb_passwd *smb_pass = NULL;
+ UNISTR2 *uni_samlogon_user = NULL;
- /*
- * Convert to a UNIX username.
- */
- map_username(samlogon_user);
+ user_struct *vuser = NULL;
- /*
- * Do any case conversions.
- */
- (void)Get_Pwnam(samlogon_user, True);
-
- become_root(True);
- smb_pass = getsmbpwnam(samlogon_user);
- unbecome_root(True);
-
- if (smb_pass == NULL)
- status = 0xC0000000 | NT_STATUS_NO_SUCH_USER;
- else if (smb_pass->acct_ctrl & ACB_PWNOTREQ)
- status = 0;
- else if (smb_pass->acct_ctrl & ACB_DISABLED)
- status = 0xC0000000 | NT_STATUS_ACCOUNT_DISABLED;
- }
-
- /* Validate password - if required. */
-
- if ((status == 0) && !(smb_pass->acct_ctrl & ACB_PWNOTREQ))
- {
- switch (q_l.sam_id.logon_level)
- {
- case INTERACTIVE_LOGON_TYPE:
- {
- /* interactive login. */
- status = net_login_interactive(&q_l.sam_id.ctr->auth.id1, smb_pass, vuser);
- break;
- }
- case NET_LOGON_TYPE:
- {
- /* network login. lm challenge and 24 byte responses */
- status = net_login_network(&q_l.sam_id.ctr->auth.id2, smb_pass);
- break;
- }
- }
- }
-
- /* lkclXXXX this is the point at which, if the login was
- successful, that the SAM Local Security Authority should
- record that the user is logged in to the domain.
- */
-
- /* return the profile plus other bits :-) */
-
- if (status == 0)
- {
- DOM_GID *gids = NULL;
- int num_gids = 0;
- NTTIME dummy_time;
- pstring logon_script;
- pstring profile_path;
- pstring home_dir;
- pstring home_drive;
- pstring my_name;
- pstring my_workgroup;
- pstring domain_groups;
- uint32 r_uid;
- uint32 r_gid;
-
- /* set up pointer indicating user/password failed to be found */
- usr_info.ptr_user_info = 0;
-
- dummy_time.low = 0xffffffff;
- dummy_time.high = 0x7fffffff;
-
- /* XXXX hack to get standard_sub_basic() to use sam logon username */
- /* possibly a better way would be to do a become_user() call */
- sam_logon_in_ssb = True;
-
- pstrcpy(logon_script, lp_logon_script());
- pstrcpy(profile_path, lp_logon_path());
-
- pstrcpy(my_workgroup, lp_workgroup());
-
- pstrcpy(home_drive, lp_logon_drive());
- pstrcpy(home_dir, lp_logon_home());
-
- pstrcpy(my_name, global_myname);
- strupper(my_name);
+ if ((vuser = get_valid_user_struct(vuid)) == NULL)
+ return;
- /*
- * This is the point at which we get the group
- * database - we should be getting the gid_t list
- * from /etc/group and then turning the uids into
- * rids and then into machine sids for this user.
- * JRA.
- */
+ q_l.sam_id.ctr = &ctr;
- get_domain_user_groups(domain_groups, samlogon_user);
+ net_io_q_sam_logon("", &q_l, data, 0);
- /*
- * make_dom_gids allocates the gids array. JRA.
- */
- gids = NULL;
- num_gids = make_dom_gids(domain_groups, &gids);
-
- sam_logon_in_ssb = False;
-
- if (pdb_name_to_rid(samlogon_user, &r_uid, &r_gid))
- {
- make_net_user_info3(&usr_info,
- &dummy_time, /* logon_time */
- &dummy_time, /* logoff_time */
- &dummy_time, /* kickoff_time */
- &dummy_time, /* pass_last_set_time */
- &dummy_time, /* pass_can_change_time */
- &dummy_time, /* pass_must_change_time */
-
- samlogon_user , /* user_name */
- vuser->real_name, /* full_name */
- logon_script , /* logon_script */
- profile_path , /* profile_path */
- home_dir , /* home_dir */
- home_drive , /* dir_drive */
-
- 0, /* logon_count */
- 0, /* bad_pw_count */
-
- r_uid , /* RID user_id */
- r_gid , /* RID group_id */
- num_gids, /* uint32 num_groups */
- gids , /* DOM_GID *gids */
- 0x20 , /* uint32 user_flgs (?) */
-
- NULL, /* char sess_key[16] */
-
- my_name , /* char *logon_srv */
- my_workgroup, /* char *logon_dom */
-
- &global_sam_sid, /* DOM_SID *dom_sid */
- NULL); /* char *other_sids */
- }
- else
- {
- status = 0xC0000000 | NT_STATUS_NO_SUCH_USER;
- }
-
- /* Free any allocated groups array. */
- if(gids)
- free((char *)gids);
- }
-
- net_reply_sam_logon(&q_l, rdata, &srv_cred, &usr_info, status);
+ /* checks and updates credentials. creates reply credentials */
+ if (!deal_with_creds(vuser->dc.sess_key, &(vuser->dc.clnt_cred),
+ &(q_l.sam_id.client.cred), &srv_cred))
+ {
+ status = 0xC0000000 | NT_STATUS_INVALID_HANDLE;
+ }
+ else
+ {
+ memcpy(&(vuser->dc.srv_cred), &(vuser->dc.clnt_cred), sizeof(vuser->dc.clnt_cred));
+ }
+
+ /* find the username */
+
+ if (status == 0)
+ {
+ switch (q_l.sam_id.logon_level)
+ {
+ case INTERACTIVE_LOGON_TYPE:
+ {
+ uni_samlogon_user = &(q_l.sam_id.ctr->auth.id1.uni_user_name);
+
+ DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup()));
+ break;
+ }
+ case NET_LOGON_TYPE:
+ {
+ uni_samlogon_user = &(q_l.sam_id.ctr->auth.id2.uni_user_name);
+
+ DEBUG(3,("SAM Logon (Network). Domain:[%s]. ", lp_workgroup()));
+ break;
+ }
+ default:
+ {
+ DEBUG(2,("SAM Logon: unsupported switch value\n"));
+ status = 0xC0000000 | NT_STATUS_INVALID_INFO_CLASS;
+ break;
+ }
+ } /* end switch */
+ } /* end if status == 0 */
+
+ /* check username exists */
+
+ if (status == 0)
+ {
+ pstrcpy(samlogon_user, unistrn2(uni_samlogon_user->buffer,
+ uni_samlogon_user->uni_str_len));
+
+ DEBUG(3,("User:[%s]\n", samlogon_user));
+
+ /*
+ * Convert to a UNIX username.
+ */
+ map_username(samlogon_user);
+
+ /*
+ * Do any case conversions.
+ */
+ (void)Get_Pwnam(samlogon_user, True);
+
+ become_root(True);
+ smb_pass = getsmbpwnam(samlogon_user);
+ unbecome_root(True);
+
+ if (smb_pass == NULL)
+ {
+ status = 0xC0000000 | NT_STATUS_NO_SUCH_USER;
+ }
+ else if (IS_BITS_SET_ALL(smb_pass->acct_ctrl, ACB_DISABLED) &&
+ IS_BITS_CLR_ALL(smb_pass->acct_ctrl, ACB_PWNOTREQ))
+ {
+ status = 0xC0000000 | NT_STATUS_ACCOUNT_DISABLED;
+ }
+ }
+
+ /* validate password - if required */
+
+ if (status == 0 && !(IS_BITS_SET_ALL(smb_pass->acct_ctrl, ACB_PWNOTREQ)))
+ {
+ switch (q_l.sam_id.logon_level)
+ {
+ case INTERACTIVE_LOGON_TYPE:
+ {
+ /* interactive login. */
+ status = net_login_interactive(&q_l.sam_id.ctr->auth.id1, smb_pass, vuser);
+ break;
+ }
+ case NET_LOGON_TYPE:
+ {
+ /* network login. lm challenge and 24 byte responses */
+ status = net_login_network(&q_l.sam_id.ctr->auth.id2, smb_pass, vuser);
+ break;
+ }
+ }
+ }
+
+ /* lkclXXXX this is the point at which, if the login was
+ successful, that the SAM Local Security Authority should
+ record that the user is logged in to the domain.
+ */
+
+ /* return the profile plus other bits :-) */
+
+ if (status == 0)
+ {
+ DOM_GID *gids = NULL;
+ int num_gids = 0;
+ NTTIME dummy_time;
+ pstring logon_script;
+ pstring profile_path;
+ pstring home_dir;
+ pstring home_drive;
+ pstring my_name;
+ pstring my_workgroup;
+ DOMAIN_GRP *grp_mem;
+ uint32 r_uid;
+ uint32 r_gid;
+
+ /* set up pointer indicating user/password failed to be found */
+ usr_info.ptr_user_info = 0;
+
+ dummy_time.low = 0xffffffff;
+ dummy_time.high = 0x7fffffff;
+
+ /* XXXX hack to get standard_sub_basic() to use sam logon username */
+ /* possibly a better way would be to do a become_user() call */
+ sam_logon_in_ssb = True;
+
+ pstrcpy(logon_script, lp_logon_script());
+ pstrcpy(profile_path, lp_logon_path());
+
+ pstrcpy(my_workgroup, lp_workgroup());
+
+ pstrcpy(home_drive, lp_logon_drive());
+ pstrcpy(home_dir, lp_logon_home());
+ pstrcpy(my_name, global_myname);
+ strupper(my_name);
+
+ status = lookup_user_rids(samlogon_user, &r_uid, &r_gid);
+ status = status == 0 ? getusergroupsnam(samlogon_user, &grp_mem, &num_gids) : 0xC0000000 | NT_STATUS_INVALID_PRIMARY_GROUP;
+
+ if (status == 0x0)
+ {
+ gids = NULL;
+ num_gids = make_dom_gids(grp_mem, num_gids, &gids);
+
+ make_net_user_info3(&usr_info,
+ &dummy_time, /* logon_time */
+ &dummy_time, /* logoff_time */
+ &dummy_time, /* kickoff_time */
+ &dummy_time, /* pass_last_set_time */
+ &dummy_time, /* pass_can_change_time */
+ &dummy_time, /* pass_must_change_time */
+
+ samlogon_user , /* user_name */
+ vuser->real_name, /* full_name */
+ logon_script , /* logon_script */
+ profile_path , /* profile_path */
+ home_dir , /* home_dir */
+ home_drive , /* dir_drive */
+
+ 0, /* logon_count */
+ 0, /* bad_pw_count */
+
+ r_uid , /* RID user_id */
+ r_gid , /* RID group_id */
+ num_gids, /* uint32 num_groups */
+ gids , /* DOM_GID *gids */
+ 0x20 , /* uint32 user_flgs (?) */
+
+ NULL, /* char sess_key[16] */
+
+ my_name , /* char *logon_srv */
+ my_workgroup, /* char *logon_dom */
+
+ &global_sam_sid, /* DOM_SID *dom_sid */
+ NULL); /* char *other_sids */
+ }
+ else
+ {
+ status = 0xC0000000 | NT_STATUS_NO_SUCH_USER;
+ }
+
+ /* Free any allocated groups array. */
+ if (gids)
+ {
+ free((char *)gids);
+ }
+ }
+
+ net_reply_sam_logon(&q_l, rdata, &srv_cred, &usr_info, status);
}
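Review bot: The rewritten success path sets `sam_logon_in_ssb = True` and never clears it, whereas the removed code reset it with `sam_logon_in_ssb = False;` once the group list had been built. As written the global stays set for whatever this process handles next, so later substitutions would presumably keep using `samlogon_user`; restore the reset after the `lp_logon_*()` copies. Separately, `grp_mem` is filled by `getusergroupsnam()` and only `gids` is freed. The SAMR enumeration code in this commit frees the array it gets back from `enumdomgroups()`, so if ownership works the same way here the array leaks on every logon. The account check also still lets an account with both `ACB_DISABLED` and `ACB_PWNOTREQ` set through without password validation; if that is not intended, test `ACB_DISABLED` on its own.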
diff --git a/source3/rpc_server/srv_samr.c b/source3/rpc_server/srv_samr.c
index 323298ef7a..b70a71b5c0 100644
--- a/source3/rpc_server/srv_samr.c
+++ b/source3/rpc_server/srv_samr.c
@@ -30,9 +30,11 @@ extern int DEBUGLEVEL;
extern BOOL sam_logon_in_ssb;
extern pstring samlogon_user;
-extern fstring global_myworkgroup;
+extern fstring global_sam_name;
extern pstring global_myname;
extern DOM_SID global_sam_sid;
+extern DOM_SID global_sid_S_1_1;
+extern DOM_SID global_sid_S_1_5_20;
extern rid_name domain_group_rids[];
extern rid_name domain_alias_rids[];
@@ -79,8 +81,8 @@ static BOOL get_sampwd_entries(SAM_USER_INFO_21 *pw_buf,
user_name_len = strlen(pwd->smb_name);
make_unistr2(&(pw_buf[(*num_entries)].uni_user_name), pwd->smb_name, user_name_len);
- make_uni_hdr(&(pw_buf[(*num_entries)].hdr_user_name), user_name_len,
- user_name_len, 1);
+ make_uni_hdr(&(pw_buf[(*num_entries)].hdr_user_name), user_name_len-1,
+ user_name_len-1, 1);
pw_buf[(*num_entries)].user_rid = pwd->user_rid;
bzero( pw_buf[(*num_entries)].nt_pwd , 16);
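Review bot: `user_name_len-1` goes to -1 when `pwd->smb_name` is empty, and depending on the type of `user_name_len` (declared outside this hunk) that is either a negative or a very large length in the header that is marshalled to the client. The header now also advertises one character fewer than the `make_unistr2()` call just above stores, and nothing says why. If the shortening is deliberate, guard the empty case and say so in a comment, e.g. `int hdr_len = user_name_len > 0 ? user_name_len - 1 : 0; /* header length excludes ... */`, then pass `hdr_len` twice.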
@@ -292,24 +294,21 @@ static void samr_reply_unknown_3(SAMR_Q_UNKNOWN_3 *q_u,
if (status == 0x0)
{
- DOM_SID user_sid;
- DOM_SID everyone_sid;
+ DOM_SID usr_sid;
- user_sid = global_sam_sid;
+ usr_sid = global_sam_sid;
- SMB_ASSERT_ARRAY(user_sid.sub_auths, user_sid.num_auths+1);
+ SMB_ASSERT_ARRAY(usr_sid.sub_auths, usr_sid.num_auths+1);
/*
* Add the user RID.
*/
- user_sid.sub_auths[user_sid.num_auths++] = rid;
+ sid_append_rid(&usr_sid, rid);
- string_to_sid(&everyone_sid, "S-1-1");
-
- /* maybe need another 1 or 2 (S-1-5-0x20-0x220 and S-1-5-20-0x224) */
- /* these two are DOMAIN_ADMIN and DOMAIN_ACCT_OP group RIDs */
- make_dom_sid3(&(sid[0]), 0x035b, 0x0002, &everyone_sid);
- make_dom_sid3(&(sid[1]), 0x0044, 0x0002, &user_sid);
+ /* maybe need another 1 or 2 (S-1-5-0x20-0x220 and S-1-5-20-0x224) */
+ /* these two are DOMAIN_ADMIN and DOMAIN_ACCT_OP group RIDs */
+ make_dom_sid3(&(sid[0]), 0x035b, 0x0002, &global_sid_S_1_1);
+ make_dom_sid3(&(sid[1]), 0x0044, 0x0002, &usr_sid);
}
make_samr_r_unknown_3(&r_u,
@@ -400,37 +399,92 @@ static void samr_reply_enum_dom_groups(SAMR_Q_ENUM_DOM_GROUPS *q_u,
prs_struct *rdata)
{
SAMR_R_ENUM_DOM_GROUPS r_e;
- SAM_USER_INFO_21 pass[MAX_SAM_ENTRIES];
- int num_entries;
+ DOMAIN_GRP *grps = NULL;
+ int num_entries = 0;
BOOL got_grps;
- char *dummy_group = "Domain Admins";
+ DOM_SID sid;
+ fstring sid_str;
r_e.status = 0x0;
r_e.num_entries = 0;
/* find the policy handle. open a policy on it. */
- if (r_e.status == 0x0 && (find_lsa_policy_by_hnd(&(q_u->pol)) == -1))
+ if (r_e.status == 0x0 && !get_lsa_policy_samr_sid(&q_u->pol, &sid))
{
r_e.status = 0xC0000000 | NT_STATUS_INVALID_HANDLE;
}
- DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__));
+ sid_to_string(sid_str, &sid);
+
+ DEBUG(5,("samr_reply_enum_dom_groups: sid %s\n", sid_str));
+
+ /* well-known groups */
+ if (sid_equal(&sid, &global_sid_S_1_5_20))
+ {
+ char *name;
+ got_grps = True;
+
+ while (num_entries < MAX_SAM_ENTRIES && ((name = domain_group_rids[num_entries].name) != NULL))
+ {
+ DOMAIN_GRP tmp_grp;
+
+ fstrcpy(tmp_grp.name , name);
+ fstrcpy(tmp_grp.comment, "");
+ tmp_grp.rid = domain_group_rids[num_entries].rid;
+ tmp_grp.attr = 0x7;
+
+ if (!add_domain_group(&grps, &num_entries, &tmp_grp))
+ {
+ r_e.status = 0xC0000000 | NT_STATUS_NO_MEMORY;
+ break;
+ }
+ }
+ }
+ else if (sid_equal(&sid, &global_sam_sid))
+ {
+ BOOL ret;
+ char *name;
+ got_grps = True;
+
+ while (num_entries < MAX_SAM_ENTRIES && ((name = domain_group_rids[num_entries].name) != NULL))
+ {
+ DOMAIN_GRP tmp_grp;
+
+ fstrcpy(tmp_grp.name , name);
+ fstrcpy(tmp_grp.comment, "");
+ tmp_grp.rid = domain_group_rids[num_entries].rid;
+ tmp_grp.attr = 0x7;
- got_grps = True;
- num_entries = 1;
- make_unistr2(&(pass[0].uni_user_name), dummy_group, strlen(dummy_group));
- pass[0].user_rid = DOMAIN_GROUP_RID_ADMINS;
+ if (!add_domain_group(&grps, &num_entries, &tmp_grp))
+ {
+ r_e.status = 0xC0000000 | NT_STATUS_NO_MEMORY;
+ break;
+ }
+ }
+
+ become_root(True);
+ ret = enumdomgroups(&grps, &num_entries);
+ unbecome_root(True);
+ if (!ret)
+ {
+ r_e.status = 0xC0000000 | NT_STATUS_NO_MEMORY;
+ }
+ }
if (r_e.status == 0 && got_grps)
{
- make_samr_r_enum_dom_groups(&r_e, q_u->start_idx, num_entries, pass, r_e.status);
+ make_samr_r_enum_dom_groups(&r_e, q_u->start_idx, num_entries, grps, r_e.status);
}
/* store the response in the SMB stream */
samr_io_r_enum_dom_groups("", &r_e, rdata, 0);
- DEBUG(5,("samr_enum_dom_groups: %d\n", __LINE__));
+ if (grps != NULL)
+ {
+ free(grps);
+ }
+ DEBUG(5,("samr_enum_dom_groups: %d\n", __LINE__));
}
/*******************************************************************
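Review bot: When `get_lsa_policy_samr_sid()` fails, `sid` is never written, yet it is still passed to `sid_to_string()` and to both `sid_equal()` calls, because only the status is set and nothing gates the code that follows. `got_grps` is now assigned only inside the two matching branches, so the final `if (r_e.status == 0 && got_grps)` reads an uninitialised BOOL whenever the handle's SID is neither of them. Initialise both at declaration, `BOOL got_grps = False;` and `ZERO_STRUCT(sid);`, or skip the SID work entirely when `r_e.status != 0x0`. The same well-known-group loop is repeated verbatim in both branches and could be a small static helper.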
@@ -455,11 +509,10 @@ static void samr_reply_enum_dom_aliases(SAMR_Q_ENUM_DOM_ALIASES *q_u,
prs_struct *rdata)
{
SAMR_R_ENUM_DOM_ALIASES r_e;
- SAM_USER_INFO_21 pass[MAX_SAM_ENTRIES];
+ LOCAL_GRP *alss = NULL;
int num_entries = 0;
DOM_SID sid;
fstring sid_str;
- fstring sam_sid_str;
r_e.status = 0x0;
r_e.num_entries = 0;
@@ -471,34 +524,57 @@ static void samr_reply_enum_dom_aliases(SAMR_Q_ENUM_DOM_ALIASES *q_u,
}
sid_to_string(sid_str, &sid);
- sid_to_string(sam_sid_str, &global_sam_sid);
DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", sid_str));
/* well-known aliases */
- if (strequal(sid_str, "S-1-5-32"))
+ if (sid_equal(&sid, &global_sid_S_1_5_20))
{
char *name;
- while (num_entries < MAX_SAM_ENTRIES && ((name = builtin_alias_rids[num_entries].name) != NULL))
+
+ while ((name = builtin_alias_rids[num_entries].name) != NULL)
{
- make_unistr2(&(pass[num_entries].uni_user_name), name, strlen(name));
- pass[num_entries].user_rid = builtin_alias_rids[num_entries].rid;
- num_entries++;
+ LOCAL_GRP tmp_als;
+
+ fstrcpy(tmp_als.name , name);
+ fstrcpy(tmp_als.comment, "");
+ tmp_als.rid = builtin_alias_rids[num_entries].rid;
+
+ if (!add_domain_alias(&alss, &num_entries, &tmp_als))
+ {
+ r_e.status = 0xC0000000 | NT_STATUS_NO_MEMORY;
+ break;
+ }
}
}
- else if (strequal(sid_str, sam_sid_str))
+ else if (sid_equal(&sid, &global_sam_sid))
{
+ BOOL ret;
/* local aliases */
- /* oops! there's no code to deal with this */
- DEBUG(3,("samr_reply_enum_dom_aliases: enum of aliases in our domain not supported yet\n"));
num_entries = 0;
+
+ become_root(True);
+ ret = enumdomaliases(&alss, &num_entries);
+ unbecome_root(True);
+ if (!ret)
+ {
+ r_e.status = 0xC0000000 | NT_STATUS_NO_MEMORY;
+ }
}
- make_samr_r_enum_dom_aliases(&r_e, num_entries, pass, r_e.status);
+ if (r_e.status == 0x0)
+ {
+ make_samr_r_enum_dom_aliases(&r_e, num_entries, alss, r_e.status);
+ }
/* store the response in the SMB stream */
samr_io_r_enum_dom_aliases("", &r_e, rdata, 0);
+ if (alss != NULL)
+ {
+ free(alss);
+ }
+
DEBUG(5,("samr_enum_dom_aliases: %d\n", __LINE__));
}
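Review bot: The well-known-alias branch now tests `sid_equal(&sid, &global_sid_S_1_5_20)` where the removed line compared the SID string with "S-1-5-32"; if that global really holds S-1-5-20, a request on the built-in domain matches neither branch and returns an empty list with status 0. Its definition is outside this hunk, so confirm which SID it carries and rename it if it is in fact S-1-5-32. The hunk also drops the `num_entries < MAX_SAM_ENTRIES` bound from the loop, and `enumdomaliases()` can raise `num_entries` further, so the count passed to `make_samr_r_enum_dom_aliases()` is limited only by whatever that function does. Unless the reply structure is known to be sized dynamically, I would clamp before building the reply: `num_entries = MIN(num_entries, MAX_SAM_ENTRIES);`.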
@@ -669,50 +745,92 @@ static void samr_reply_lookup_ids(SAMR_Q_LOOKUP_IDS *q_u,
{
uint32 rid[MAX_SAM_ENTRIES];
uint32 status = 0;
- int num_rids = q_u->num_sids1;
+ int num_rids = 0;
+ int i;
+ struct sam_passwd *sam_pass;
+ DOM_SID usr_sid;
+ DOM_SID dom_sid;
+ uint32 user_rid;
+ fstring sam_sid_str;
+ fstring dom_sid_str;
+ fstring usr_sid_str;
SAMR_R_LOOKUP_IDS r_u;
DEBUG(5,("samr_lookup_ids: %d\n", __LINE__));
+ /* find the policy handle. open a policy on it. */
+ if (status == 0x0 && !get_lsa_policy_samr_sid(&q_u->pol, &dom_sid))
+ {
+ status = 0xC0000000 | NT_STATUS_INVALID_HANDLE;
+ }
+ else
+ {
+ sid_to_string(dom_sid_str, &dom_sid );
+ sid_to_string(sam_sid_str, &global_sam_sid);
+ }
+
if (num_rids > MAX_SAM_ENTRIES)
{
num_rids = MAX_SAM_ENTRIES;
DEBUG(5,("samr_lookup_ids: truncating entries to %d\n", num_rids));
}
-#if 0
- int i;
- SMB_ASSERT_ARRAY(q_u->uni_user_name, num_rids);
-
- for (i = 0; i < num_rids && status == 0; i++)
+ if (status == 0x0)
{
- struct sam_passwd *sam_pass;
- fstring user_name;
-
+ usr_sid = q_u->sid[0].sid;
+ sid_split_rid(&usr_sid, &user_rid);
+ sid_to_string(usr_sid_str, &usr_sid);
- fstrcpy(user_name, unistrn2(q_u->uni_user_name[i].buffer,
- q_u->uni_user_name[i].uni_str_len));
+ }
+ if (status == 0x0)
+ {
/* find the user account */
become_root(True);
- sam_pass = get_smb21pwd_entry(user_name, 0);
+ sam_pass = getsam21pwrid(user_rid);
unbecome_root(True);
if (sam_pass == NULL)
{
status = 0xC0000000 | NT_STATUS_NO_SUCH_USER;
- rid[i] = 0;
+ num_rids = 0;
+ }
+ }
+
+ if (status == 0x0)
+ {
+ if (sid_equal(&dom_sid, &global_sid_S_1_5_20))
+ {
+ DEBUG(5,("lookup on S-1-5-20\n"));
+ }
+ else if (sid_equal(&dom_sid, &usr_sid))
+ {
+ DOMAIN_GRP *mem_grp = NULL;
+ BOOL ret;
+
+ DEBUG(5,("lookup on Domain SID\n"));
+
+ become_root(True);
+ ret = getusergroupsnam(sam_pass->smb_name, &mem_grp, &num_rids);
+ unbecome_root(True);
+
+ num_rids = MIN(num_rids, MAX_SAM_ENTRIES);
+
+ if (mem_grp != NULL)
+ {
+ for (i = 0; i < num_rids; i++)
+ {
+ rid[i] = mem_grp[i].rid;
+ }
+ free(mem_grp);
+ }
}
else
{
- rid[i] = sam_pass->user_rid;
+ status = 0xC0000000 | NT_STATUS_NO_SUCH_USER;
}
}
-#endif
-
- num_rids = 1;
- rid[0] = BUILTIN_ALIAS_RID_USERS;
make_samr_r_lookup_ids(&r_u, num_rids, rid, status);
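Review bot: The result of `getusergroupsnam()` is stored in `ret` and never tested, so if a failed lookup leaves `mem_grp` NULL but `num_rids` non-zero (its contract is not visible here), `make_samr_r_lookup_ids()` is given a count over the uninitialised stack array `rid[]`. I would add `if (!ret || mem_grp == NULL) { num_rids = 0; }` right after `unbecome_root(True)`; the `samr_reply_query_usergroups` hunk further down ignores `ret` in the same way before calling `make_dom_gids()`. Separately, `num_rids` now starts at 0, which makes the `num_rids > MAX_SAM_ENTRIES` truncation dead code, and `q_u->sid[0].sid` is read without consulting `q_u->num_sids1`, which the removed line used. A request carrying no SIDs should be rejected before that read. The function body starts and ends outside this hunk.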
@@ -743,7 +861,8 @@ static void api_samr_lookup_ids( uint16 vuid, prs_struct *data, prs_struct *rdat
static void samr_reply_lookup_names(SAMR_Q_LOOKUP_NAMES *q_u,
prs_struct *rdata)
{
- uint32 rid[MAX_SAM_ENTRIES];
+ uint32 rid [MAX_SAM_ENTRIES];
+ uint8 type[MAX_SAM_ENTRIES];
uint32 status = 0;
int i;
int num_rids = q_u->num_rids1;
@@ -763,17 +882,12 @@ static void samr_reply_lookup_names(SAMR_Q_LOOKUP_NAMES *q_u,
for (i = 0; i < num_rids && status == 0; i++)
{
fstring name;
-
- status = 0xC0000000 | NT_STATUS_NONE_MAPPED;
-
fstrcpy(name, unistrn2(q_u->uni_user_name[i].buffer, q_u->uni_user_name[i].uni_str_len));
- status = (status != 0x0) ? lookup_user_rid (name, &(rid[i])) : status;
- status = (status != 0x0) ? lookup_group_rid(name, &(rid[i])) : status;
- status = (status != 0x0) ? lookup_alias_rid(name, &(rid[i])) : status;
+ status = lookup_rid(name, &(rid[i]), &(type[i]));
}
- make_samr_r_lookup_names(&r_u, num_rids, rid, status);
+ make_samr_r_lookup_names(&r_u, num_rids, rid, type, status);
/* store the response in the SMB stream */
samr_io_r_lookup_names("", &r_u, rdata, 0);
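Review bot: `rid[]` and the new `type[]` are uninitialised stack arrays, and the loop stops at the first name `lookup_rid()` fails on, yet `make_samr_r_lookup_names()` still receives the full `num_rids` together with both arrays. Whether that function copies entries when `status` is non-zero is not visible here; if it does, the reply carries stack contents for every slot from the failing index onwards. Zeroing both arrays before the loop removes the doubt: `memset(rid, 0, sizeof(rid)); memset(type, 0, sizeof(type));`. The declarations are in the previous hunk and the function continues outside this one.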
@@ -1017,7 +1131,7 @@ static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid)
{
struct smb_passwd *smb_pass;
- if (!pdb_rid_is_user(user_rid))
+ if (!pwdb_rid_is_user(user_rid))
{
DEBUG(4,("RID 0x%x is not a user RID\n", user_rid));
return False;
@@ -1050,7 +1164,7 @@ static BOOL get_user_info_21(SAM_USER_INFO_21 *id21, uint32 user_rid)
LOGON_HRS hrs;
int i;
- if (!pdb_rid_is_user(user_rid))
+ if (!pwdb_rid_is_user(user_rid))
{
DEBUG(4,("RID 0x%x is not a user RID\n", user_rid));
return False;
@@ -1255,10 +1369,20 @@ static void samr_reply_query_usergroups(SAMR_Q_QUERY_USERGROUPS *q_u,
if (status == 0x0)
{
- pstring groups;
- get_domain_user_groups(groups, sam_pass->smb_name);
+ DOMAIN_GRP *mem_grp = NULL;
+ BOOL ret;
+
+ become_root(True);
+ ret = getusergroupsnam(sam_pass->smb_name, &mem_grp, &num_groups);
+ unbecome_root(True);
+
gids = NULL;
- num_groups = make_dom_gids(groups, &gids);
+ num_groups = make_dom_gids(mem_grp, num_groups, &gids);
+
+ if (mem_grp != NULL)
+ {
+ free(mem_grp);
+ }
}
/* construct the response. lkclXXXX: gids are not copied! */
@@ -1322,7 +1446,7 @@ static void samr_reply_query_dom_info(SAMR_Q_QUERY_DOMAIN_INFO *q_u,
case 0x02:
{
switch_value = 0x2;
- make_unk_info2(&ctr.info.inf2, global_myworkgroup, global_myname);
+ make_unk_info2(&ctr.info.inf2, global_sam_name, global_myname);
break;
}
diff --git a/source3/rpc_server/srv_util.c b/source3/rpc_server/srv_util.c
index 097ab92d76..25dceb41a0 100644
--- a/source3/rpc_server/srv_util.c
+++ b/source3/rpc_server/srv_util.c
@@ -22,325 +22,4 @@
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
-/* this module apparently provides an implementation of DCE/RPC over a
- * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
- * documentation are available (in on-line form) from the X-Open group.
- *
- * this module should provide a level of abstraction between SMB
- * and DCE/RPC, while minimising the amount of mallocs, unnecessary
- * data copies, and network traffic.
- *
- * in this version, which takes a "let's learn what's going on and
- * get something running" approach, there is additional network
- * traffic generated, but the code should be easier to understand...
- *
- * ... if you read the docs. or stare at packets for weeks on end.
- *
- */
-
-#include "includes.h"
-#include "nterr.h"
-
-extern int DEBUGLEVEL;
-
-/*
- * A list of the rids of well known BUILTIN and Domain users
- * and groups.
- */
-
-rid_name builtin_alias_rids[] =
-{
- { BUILTIN_ALIAS_RID_ADMINS , "Administrators" },
- { BUILTIN_ALIAS_RID_USERS , "Users" },
- { BUILTIN_ALIAS_RID_GUESTS , "Guests" },
- { BUILTIN_ALIAS_RID_POWER_USERS , "Power Users" },
-
- { BUILTIN_ALIAS_RID_ACCOUNT_OPS , "Account Operators" },
- { BUILTIN_ALIAS_RID_SYSTEM_OPS , "System Operators" },
- { BUILTIN_ALIAS_RID_PRINT_OPS , "Print Operators" },
- { BUILTIN_ALIAS_RID_BACKUP_OPS , "Backup Operators" },
- { BUILTIN_ALIAS_RID_REPLICATOR , "Replicator" },
- { 0 , NULL }
-};
-
-/* array lookup of well-known Domain RID users. */
-rid_name domain_user_rids[] =
-{
- { DOMAIN_USER_RID_ADMIN , "Administrator" },
- { DOMAIN_USER_RID_GUEST , "Guest" },
- { 0 , NULL }
-};
-
-/* array lookup of well-known Domain RID groups. */
-rid_name domain_group_rids[] =
-{
- { DOMAIN_GROUP_RID_ADMINS , "Domain Admins" },
- { DOMAIN_GROUP_RID_USERS , "Domain Users" },
- { DOMAIN_GROUP_RID_GUESTS , "Domain Guests" },
- { 0 , NULL }
-};
-
-int make_dom_gids(char *gids_str, DOM_GID **ppgids)
-{
- char *ptr;
- pstring s2;
- int count;
- DOM_GID *gids;
-
- *ppgids = NULL;
-
- DEBUG(4,("make_dom_gids: %s\n", gids_str));
-
- if (gids_str == NULL || *gids_str == 0)
- return 0;
-
- for (count = 0, ptr = gids_str;
- next_token(&ptr, s2, NULL, sizeof(s2));
- count++)
- ;
-
- gids = (DOM_GID *)malloc( sizeof(DOM_GID) * count );
- if(!gids)
- {
- DEBUG(0,("make_dom_gids: malloc fail !\n"));
- return 0;
- }
-
- for (count = 0, ptr = gids_str;
- next_token(&ptr, s2, NULL, sizeof(s2)) &&
- count < LSA_MAX_GROUPS;
- count++)
- {
- /* the entries are of the form GID/ATTR, ATTR being optional.*/
- char *attr;
- uint32 rid = 0;
- int i;
-
- attr = strchr(s2,'/');
- if (attr)
- *attr++ = 0;
-
- if (!attr || !*attr)
- attr = "7"; /* default value for attribute is 7 */
-
- /* look up the RID string and see if we can turn it into a rid number */
- for (i = 0; builtin_alias_rids[i].name != NULL; i++)
- {
- if (strequal(builtin_alias_rids[i].name, s2))
- {
- rid = builtin_alias_rids[i].rid;
- break;
- }
- }
-
- if (rid == 0)
- rid = atoi(s2);
-
- if (rid == 0)
- {
- DEBUG(1,("make_dom_gids: unknown well-known alias RID %s/%s\n", s2, attr));
- count--;
- }
- else
- {
- gids[count].g_rid = rid;
- gids[count].attr = atoi(attr);
-
- DEBUG(5,("group id: %d attr: %d\n", gids[count].g_rid, gids[count].attr));
- }
- }
-
- *ppgids = gids;
- return count;
-}
-
-
-/*******************************************************************
- gets a domain user's groups
- ********************************************************************/
-void get_domain_user_groups(char *domain_groups, char *user)
-{
- pstring tmp;
-
- if (domain_groups == NULL || user == NULL) return;
-
- /* any additional groups this user is in. e.g power users */
- pstrcpy(domain_groups, lp_domain_groups());
-
- /* can only be a user or a guest. cannot be guest _and_ admin */
- if (user_in_list(user, lp_domain_guest_group()))
- {
- slprintf(tmp, sizeof(tmp) - 1, " %ld/7 ", DOMAIN_GROUP_RID_GUESTS);
- pstrcat(domain_groups, tmp);
-
- DEBUG(3,("domain guest group access %s granted\n", tmp));
- }
- else
- {
- slprintf(tmp, sizeof(tmp) -1, " %ld/7 ", DOMAIN_GROUP_RID_USERS);
- pstrcat(domain_groups, tmp);
-
- DEBUG(3,("domain group access %s granted\n", tmp));
-
- if (user_in_list(user, lp_domain_admin_group()))
- {
- slprintf(tmp, sizeof(tmp) - 1, " %ld/7 ", DOMAIN_GROUP_RID_ADMINS);
- pstrcat(domain_groups, tmp);
-
- DEBUG(3,("domain admin group access %s granted\n", tmp));
- }
- }
-}
-
-
-/*******************************************************************
- lookup_group_name
- ********************************************************************/
-uint32 lookup_group_name(uint32 rid, char *group_name, uint32 *type)
-{
- int i = 0;
- (*type) = SID_NAME_DOM_GRP;
-
- DEBUG(5,("lookup_group_name: rid: %d", rid));
-
- while (domain_group_rids[i].rid != rid && domain_group_rids[i].rid != 0)
- {
- i++;
- }
-
- if (domain_group_rids[i].rid != 0)
- {
- fstrcpy(group_name, domain_group_rids[i].name);
- DEBUG(5,(" = %s\n", group_name));
- return 0x0;
- }
-
- DEBUG(5,(" none mapped\n"));
- return 0xC0000000 | NT_STATUS_NONE_MAPPED;
-}
-
-/*******************************************************************
- lookup_alias_name
- ********************************************************************/
-uint32 lookup_alias_name(uint32 rid, char *alias_name, uint32 *type)
-{
- int i = 0;
- (*type) = SID_NAME_WKN_GRP;
-
- DEBUG(5,("lookup_alias_name: rid: %d", rid));
-
- while (builtin_alias_rids[i].rid != rid && builtin_alias_rids[i].rid != 0)
- {
- i++;
- }
-
- if (builtin_alias_rids[i].rid != 0)
- {
- fstrcpy(alias_name, builtin_alias_rids[i].name);
- DEBUG(5,(" = %s\n", alias_name));
- return 0x0;
- }
-
- DEBUG(5,(" none mapped\n"));
- return 0xC0000000 | NT_STATUS_NONE_MAPPED;
-}
-
-/*******************************************************************
- lookup_user_name
- ********************************************************************/
-uint32 lookup_user_name(uint32 rid, char *user_name, uint32 *type)
-{
- struct sam_disp_info *disp_info;
- int i = 0;
- (*type) = SID_NAME_USER;
-
- DEBUG(5,("lookup_user_name: rid: %d", rid));
-
- /* look up the well-known domain user rids first */
- while (domain_user_rids[i].rid != rid && domain_user_rids[i].rid != 0)
- {
- i++;
- }
-
- if (domain_user_rids[i].rid != 0)
- {
- fstrcpy(user_name, domain_user_rids[i].name);
- DEBUG(5,(" = %s\n", user_name));
- return 0x0;
- }
-
- /* ok, it's a user. find the user account */
- become_root(True);
- disp_info = getsamdisprid(rid);
- unbecome_root(True);
-
- if (disp_info != NULL)
- {
- fstrcpy(user_name, disp_info->smb_name);
- DEBUG(5,(" = %s\n", user_name));
- return 0x0;
- }
-
- DEBUG(5,(" none mapped\n"));
- return 0xC0000000 | NT_STATUS_NONE_MAPPED;
-}
-
-/*******************************************************************
- lookup_group_rid
- ********************************************************************/
-uint32 lookup_group_rid(char *group_name, uint32 *rid)
-{
- char *grp_name;
- int i = -1; /* start do loop at -1 */
-
- do /* find, if it exists, a group rid for the group name*/
- {
- i++;
- (*rid) = domain_group_rids[i].rid;
- grp_name = domain_group_rids[i].name;
-
- } while (grp_name != NULL && !strequal(grp_name, group_name));
-
- return (grp_name != NULL) ? 0 : 0xC0000000 | NT_STATUS_NONE_MAPPED;
-}
-
-/*******************************************************************
- lookup_alias_rid
- ********************************************************************/
-uint32 lookup_alias_rid(char *alias_name, uint32 *rid)
-{
- char *als_name;
- int i = -1; /* start do loop at -1 */
-
- do /* find, if it exists, a alias rid for the alias name*/
- {
- i++;
- (*rid) = builtin_alias_rids[i].rid;
- als_name = builtin_alias_rids[i].name;
-
- } while (als_name != NULL && !strequal(als_name, alias_name));
-
- return (als_name != NULL) ? 0 : 0xC0000000 | NT_STATUS_NONE_MAPPED;
-}
-
-/*******************************************************************
- lookup_user_rid
- ********************************************************************/
-uint32 lookup_user_rid(char *user_name, uint32 *rid)
-{
- struct sam_passwd *sam_pass;
- (*rid) = 0;
-
- /* find the user account */
- become_root(True);
- sam_pass = getsam21pwnam(user_name);
- unbecome_root(True);
-
- if (sam_pass != NULL)
- {
- (*rid) = sam_pass->user_rid;
- return 0x0;
- }
-
- return 0xC0000000 | NT_STATUS_NONE_MAPPED;
-}
+/* retired module */