-rw-r--r-- | libgpo/gpo_sec.c | 4 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 497 |
2 files changed, 195 insertions, 306 deletions
diff --git a/libgpo/gpo_sec.c b/libgpo/gpo_sec.c index 5547f1e0cb..f20746422c 100644 --- a/libgpo/gpo_sec.c +++ b/libgpo/gpo_sec.c @@ -80,11 +80,7 @@ static bool gpo_sd_check_agp_object(const struct security_ace *ace) static bool gpo_sd_check_agp_access_bits(uint32_t access_mask) { -#if _SAMBA_BUILD_ == 4 return (access_mask & SEC_ADS_CONTROL_ACCESS); -#else - return (access_mask & SEC_RIGHTS_EXTENDED); -#endif } #if 0 diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b54ed717a3..90131e1624 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -58,6 +58,18 @@ struct samr_domain_info { struct disp_info *disp_info; }; +struct samr_user_info { + struct dom_sid sid; +}; + +struct samr_group_info { + struct dom_sid sid; +}; + +struct samr_alias_info { + struct dom_sid sid; +}; + typedef struct disp_info { DOM_SID sid; /* identify which domain this is. */ struct pdb_search *users; /* querydispinfo 1 and 4 */ @@ -658,7 +670,7 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p, NTSTATUS _samr_GetUserPwInfo(pipes_struct *p, struct samr_GetUserPwInfo *r) { - struct samr_info *info = NULL; + struct samr_user_info *uinfo; enum lsa_SidType sid_type; uint32_t min_password_length = 0; uint32_t password_properties = 0; 
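Review bot: The three structs added in the first srv_samr_nt.c hunk (`samr_user_info`, `samr_group_info`, `samr_alias_info`) have no comment and are field-for-field identical, so a reader cannot tell why they are separate types. In the later hunks the struct type is passed to `policy_handle_find()` and `policy_handle_create()`, presumably so that a handle of one kind is rejected where another kind is expected. Those helpers are not visible in this diff, so confirm that before writing it down. If it holds, I would add above the structs something like `/* Per-object handle state; distinct types so a user, group or alias handle cannot stand in for another. */`.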
@@ -667,24 +679,19 @@ NTSTATUS _samr_GetUserPwInfo(pipes_struct *p, DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__)); - /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) { - return NT_STATUS_INVALID_HANDLE; - } - - status = access_check_samr_function(info->acc_granted, - SAMR_USER_ACCESS_GET_ATTRIBUTES, - "_samr_GetUserPwInfo" ); + uinfo = policy_handle_find(p, r->in.user_handle, + SAMR_USER_ACCESS_GET_ATTRIBUTES, NULL, + struct samr_user_info, &status); if (!NT_STATUS_IS_OK(status)) { return status; } - if (!sid_check_is_in_our_domain(&info->sid)) { + if (!sid_check_is_in_our_domain(&uinfo->sid)) { return NT_STATUS_OBJECT_TYPE_MISMATCH; } become_root(); - ret = lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, &sid_type); + ret = lookup_sid(p->mem_ctx, &uinfo->sid, NULL, NULL, &sid_type); unbecome_root(); if (ret == false) { return NT_STATUS_NO_SUCH_USER; @@ -1690,9 +1697,8 @@ NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p, NTSTATUS _samr_QueryAliasInfo(pipes_struct *p, struct samr_QueryAliasInfo *r) { - DOM_SID sid; + struct samr_alias_info *ainfo; struct acct_info info; - uint32 acc_granted; NTSTATUS status; union samr_AliasInfo *alias_info = NULL; const char *alias_name = NULL; 
@@ -1700,24 +1706,20 @@ NTSTATUS _samr_QueryAliasInfo(pipes_struct *p, DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__)); + ainfo = policy_handle_find(p, r->in.alias_handle, + SAMR_ALIAS_ACCESS_LOOKUP_INFO, NULL, + struct samr_alias_info, &status); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + alias_info = TALLOC_ZERO_P(p->mem_ctx, union samr_AliasInfo); if (!alias_info) { return NT_STATUS_NO_MEMORY; } - /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &sid, &acc_granted, NULL)) - return NT_STATUS_INVALID_HANDLE; - - status = access_check_samr_function(acc_granted, - SAMR_ALIAS_ACCESS_LOOKUP_INFO, - "_samr_QueryAliasInfo"); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - become_root(); - status = pdb_get_aliasinfo(&sid, &info); + status = pdb_get_aliasinfo(&ainfo->sid, &info); unbecome_root(); if ( !NT_STATUS_IS_OK(status)) @@ -2092,7 +2094,7 @@ NTSTATUS _samr_OpenUser(pipes_struct *p, struct samu *sampass=NULL; DOM_SID sid; struct samr_domain_info *dinfo; - struct samr_info *info; + struct samr_user_info *uinfo; SEC_DESC *psd = NULL; uint32 acc_granted; uint32 des_access = r->in.access_mask; @@ -2146,14 +2148,12 @@ NTSTATUS _samr_OpenUser(pipes_struct *p, TALLOC_FREE(sampass); - /* associate the user's SID and access bits with the new handle. */ - if ((info = get_samr_info_by_sid(p->mem_ctx, &sid)) == NULL) - return NT_STATUS_NO_MEMORY; - info->acc_granted = acc_granted; - - /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, r->out.user_handle, info)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + uinfo = policy_handle_create(p, r->out.user_handle, acc_granted, + struct samr_user_info, &nt_status); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + uinfo->sid = sid; return NT_STATUS_OK; } 
@@ -2507,32 +2507,28 @@ NTSTATUS _samr_QueryUserInfo(pipes_struct *p, { NTSTATUS status; union samr_UserInfo *user_info = NULL; - struct samr_info *info = NULL; + struct samr_user_info *uinfo; DOM_SID domain_sid; uint32 rid; bool ret = false; struct samu *pwd = NULL; - /* search for the handle */ - if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) - return NT_STATUS_INVALID_HANDLE; - - status = access_check_samr_function(info->acc_granted, - SAMR_USER_ACCESS_GET_ATTRIBUTES, - "_samr_QueryUserInfo"); + uinfo = policy_handle_find(p, r->in.user_handle, + SAMR_USER_ACCESS_GET_ATTRIBUTES, NULL, + struct samr_user_info, &status); if (!NT_STATUS_IS_OK(status)) { return status; } - domain_sid = info->sid; + domain_sid = uinfo->sid; sid_split_rid(&domain_sid, &rid); - if (!sid_check_is_in_our_domain(&info->sid)) + if (!sid_check_is_in_our_domain(&uinfo->sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; DEBUG(5,("_samr_QueryUserInfo: sid:%s\n", - sid_string_dbg(&info->sid))); + sid_string_dbg(&uinfo->sid))); user_info = TALLOC_ZERO_P(p->mem_ctx, union samr_UserInfo); if (!user_info) { @@ -2546,11 +2542,11 @@ NTSTATUS _samr_QueryUserInfo(pipes_struct *p, } become_root(); - ret = pdb_getsampwsid(pwd, &info->sid); + ret = pdb_getsampwsid(pwd, &uinfo->sid); unbecome_root(); if (ret == false) { - DEBUG(4,("User %s not found\n", sid_string_dbg(&info->sid))); + DEBUG(4,("User %s not found\n", sid_string_dbg(&uinfo->sid))); TALLOC_FREE(pwd); return NT_STATUS_NO_SUCH_USER; } @@ -2574,7 +2570,8 @@ NTSTATUS _samr_QueryUserInfo(pipes_struct *p, break; case 18: /* level 18 is special */ - status = get_user_info_18(p, p->mem_ctx, &user_info->info18, &info->sid); + status = get_user_info_18(p, p->mem_ctx, &user_info->info18, + &uinfo->sid); break; case 20: status = get_user_info_20(p->mem_ctx, &user_info->info20, pwd); 
@@ -2618,8 +2615,8 @@ NTSTATUS _samr_QueryUserInfo2(pipes_struct *p, NTSTATUS _samr_GetGroupsForUser(pipes_struct *p, struct samr_GetGroupsForUser *r) { + struct samr_user_info *uinfo; struct samu *sam_pass=NULL; - DOM_SID sid; DOM_SID *sids; struct samr_RidWithAttribute dom_gid; struct samr_RidWithAttribute *gids = NULL; @@ -2627,7 +2624,6 @@ NTSTATUS _samr_GetGroupsForUser(pipes_struct *p, size_t num_groups = 0; gid_t *unix_gids; size_t i, num_gids; - uint32 acc_granted; bool ret; NTSTATUS result; bool success = False; @@ -2648,23 +2644,19 @@ NTSTATUS _samr_GetGroupsForUser(pipes_struct *p, DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__)); + uinfo = policy_handle_find(p, r->in.user_handle, + SAMR_USER_ACCESS_GET_GROUPS, NULL, + struct samr_user_info, &result); + if (!NT_STATUS_IS_OK(result)) { + return result; + } + rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidWithAttributeArray); if (!rids) { return NT_STATUS_NO_MEMORY; } - /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &sid, &acc_granted, NULL)) - return NT_STATUS_INVALID_HANDLE; - - result = access_check_samr_function(acc_granted, - SAMR_USER_ACCESS_GET_GROUPS, - "_samr_GetGroupsForUser"); - if (!NT_STATUS_IS_OK(result)) { - return result; - } - - if (!sid_check_is_in_our_domain(&sid)) + if (!sid_check_is_in_our_domain(&uinfo->sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; if ( !(sam_pass = samu_new( p->mem_ctx )) ) { @@ -2672,12 +2664,12 @@ NTSTATUS _samr_GetGroupsForUser(pipes_struct *p, } become_root(); - ret = pdb_getsampwsid(sam_pass, &sid); + ret = pdb_getsampwsid(sam_pass, &uinfo->sid); unbecome_root(); if (!ret) { DEBUG(10, ("pdb_getsampwsid failed for %s\n", - sid_string_dbg(&sid))); + sid_string_dbg(&uinfo->sid))); return NT_STATUS_NO_SUCH_USER; } 
@@ -2696,7 +2688,7 @@ NTSTATUS _samr_GetGroupsForUser(pipes_struct *p, if (!NT_STATUS_IS_OK(result)) { DEBUG(10, ("pdb_enum_group_memberships failed for %s\n", - sid_string_dbg(&sid))); + sid_string_dbg(&uinfo->sid))); return result; } @@ -2996,7 +2988,7 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, DOM_SID sid; uint32_t acb_info = r->in.acct_flags; struct samr_domain_info *dinfo; - struct samr_info *info; + struct samr_user_info *uinfo; NTSTATUS nt_status; uint32 acc_granted; SEC_DESC *psd; @@ -3104,19 +3096,12 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, return nt_status; } - /* associate the user's SID with the new handle. */ - if ((info = get_samr_info_by_sid(p->mem_ctx, &sid)) == NULL) { - return NT_STATUS_NO_MEMORY; - } - - ZERO_STRUCTP(info); - info->sid = sid; - info->acc_granted = acc_granted; - - /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, r->out.user_handle, info)) { - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + uinfo = policy_handle_create(p, r->out.user_handle, acc_granted, + struct samr_user_info, &nt_status); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; } + uinfo->sid = sid; /* After a "set" ensure we have no cached display info. */ force_flush_samr_cache(&sid); @@ -3419,7 +3404,7 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p, { DOM_SID sid; uint32 alias_rid = r->in.rid; - struct samr_info *info = NULL; + struct samr_alias_info *ainfo; struct samr_domain_info *dinfo; SEC_DESC *psd = NULL; uint32 acc_granted; 
@@ -3479,15 +3464,12 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p, } - /* associate the alias SID with the new handle. */ - if ((info = get_samr_info_by_sid(p->mem_ctx, &sid)) == NULL) - return NT_STATUS_NO_MEMORY; - - info->acc_granted = acc_granted; - - /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, r->out.alias_handle, info)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + ainfo = policy_handle_create(p, r->out.alias_handle, acc_granted, + struct samr_alias_info, &status); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + ainfo->sid = sid; return NT_STATUS_OK; } @@ -4040,25 +4022,18 @@ static NTSTATUS set_user_info_26(TALLOC_CTX *mem_ctx, NTSTATUS _samr_SetUserInfo(pipes_struct *p, struct samr_SetUserInfo *r) { + struct samr_user_info *uinfo; NTSTATUS status; struct samu *pwd = NULL; - DOM_SID sid; union samr_UserInfo *info = r->in.info; uint16_t switch_value = r->in.level; - uint32_t acc_granted; uint32_t acc_required; bool ret; bool has_enough_rights = False; uint32_t acb_info; - DISP_INFO *disp_info = NULL; DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__)); - /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &sid, &acc_granted, &disp_info)) { - return NT_STATUS_INVALID_HANDLE; - } - /* This is tricky. A WinXP domain join sets (SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_GET_ATTRIBUTES) The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the 
@@ -4080,15 +4055,14 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, break; } - status = access_check_samr_function(acc_granted, - acc_required, - "_samr_SetUserInfo"); + uinfo = policy_handle_find(p, r->in.user_handle, acc_required, NULL, + struct samr_user_info, &status); if (!NT_STATUS_IS_OK(status)) { return status; } DEBUG(5, ("_samr_SetUserInfo: sid:%s, level:%d\n", - sid_string_dbg(&sid), switch_value)); + sid_string_dbg(&uinfo->sid), switch_value)); if (info == NULL) { DEBUG(5, ("_samr_SetUserInfo: NULL info level\n")); @@ -4100,7 +4074,7 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, } become_root(); - ret = pdb_getsampwsid(pwd, &sid); + ret = pdb_getsampwsid(pwd, &uinfo->sid); unbecome_root(); if (!ret) { @@ -4239,7 +4213,7 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, /* ================ END SeMachineAccountPrivilege BLOCK ================ */ if (NT_STATUS_IS_OK(status)) { - force_flush_samr_cache(&sid); + force_flush_samr_cache(&uinfo->sid); } return status; 
@@ -4329,31 +4303,24 @@ NTSTATUS _samr_GetAliasMembership(pipes_struct *p, NTSTATUS _samr_GetMembersInAlias(pipes_struct *p, struct samr_GetMembersInAlias *r) { + struct samr_alias_info *ainfo; NTSTATUS status; size_t i; size_t num_sids = 0; struct lsa_SidPtr *sids = NULL; DOM_SID *pdb_sids = NULL; - DOM_SID alias_sid; - - uint32 acc_granted; - - /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, NULL)) - return NT_STATUS_INVALID_HANDLE; - - status = access_check_samr_function(acc_granted, - SAMR_ALIAS_ACCESS_GET_MEMBERS, - "_samr_GetMembersInAlias"); + ainfo = policy_handle_find(p, r->in.alias_handle, + SAMR_ALIAS_ACCESS_GET_MEMBERS, NULL, + struct samr_alias_info, &status); if (!NT_STATUS_IS_OK(status)) { return status; } - DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid))); + DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo->sid))); become_root(); - status = pdb_enum_aliasmem(&alias_sid, &pdb_sids, &num_sids); + status = pdb_enum_aliasmem(&ainfo->sid, &pdb_sids, &num_sids); unbecome_root(); if (!NT_STATUS_IS_OK(status)) { 
@@ -4391,45 +4358,39 @@ NTSTATUS _samr_GetMembersInAlias(pipes_struct *p, NTSTATUS _samr_QueryGroupMember(pipes_struct *p, struct samr_QueryGroupMember *r) { - DOM_SID group_sid; + struct samr_group_info *ginfo; size_t i, num_members; uint32 *rid=NULL; uint32 *attr=NULL; - uint32 acc_granted; - NTSTATUS status; struct samr_RidTypeArray *rids = NULL; + ginfo = policy_handle_find(p, r->in.group_handle, + SAMR_GROUP_ACCESS_GET_MEMBERS, NULL, + struct samr_group_info, &status); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidTypeArray); if (!rids) { return NT_STATUS_NO_MEMORY; } - /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL)) - return NT_STATUS_INVALID_HANDLE; - - status = access_check_samr_function(acc_granted, - SAMR_GROUP_ACCESS_GET_MEMBERS, - "_samr_QueryGroupMember"); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + DEBUG(10, ("sid is %s\n", sid_string_dbg(&ginfo->sid))); - DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid))); - - if (!sid_check_is_in_our_domain(&group_sid)) { + if (!sid_check_is_in_our_domain(&ginfo->sid)) { DEBUG(3, ("sid %s is not in our domain\n", - sid_string_dbg(&group_sid))); + sid_string_dbg(&ginfo->sid))); return NT_STATUS_NO_SUCH_GROUP; } DEBUG(10, ("lookup on Domain SID\n")); become_root(); - status = pdb_enum_group_members(p->mem_ctx, &group_sid, + status = pdb_enum_group_members(p->mem_ctx, &ginfo->sid, &rid, &num_members); unbecome_root(); 
@@ -4464,25 +4425,19 @@ NTSTATUS _samr_QueryGroupMember(pipes_struct *p, NTSTATUS _samr_AddAliasMember(pipes_struct *p, struct samr_AddAliasMember *r) { - DOM_SID alias_sid; - uint32 acc_granted; + struct samr_alias_info *ainfo; SE_PRIV se_rights; bool can_add_accounts; NTSTATUS status; - DISP_INFO *disp_info = NULL; - - /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info)) - return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(acc_granted, - SAMR_ALIAS_ACCESS_ADD_MEMBER, - "_samr_AddAliasMember"); + ainfo = policy_handle_find(p, r->in.alias_handle, + SAMR_ALIAS_ACCESS_ADD_MEMBER, NULL, + struct samr_alias_info, &status); if (!NT_STATUS_IS_OK(status)) { return status; } - DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid))); + DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo->sid))); se_priv_copy( &se_rights, &se_add_users ); can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights ); @@ -4492,7 +4447,7 @@ NTSTATUS _samr_AddAliasMember(pipes_struct *p, if ( can_add_accounts ) become_root(); - status = pdb_add_aliasmem(&alias_sid, r->in.sid); + status = pdb_add_aliasmem(&ainfo->sid, r->in.sid); if ( can_add_accounts ) unbecome_root(); @@ -4500,7 +4455,7 @@ NTSTATUS _samr_AddAliasMember(pipes_struct *p, /******** END SeAddUsers BLOCK *********/ if (NT_STATUS_IS_OK(status)) { - force_flush_samr_cache(&alias_sid); + force_flush_samr_cache(&ainfo->sid); } return status; 
@@ -4513,26 +4468,20 @@ NTSTATUS _samr_AddAliasMember(pipes_struct *p, NTSTATUS _samr_DeleteAliasMember(pipes_struct *p, struct samr_DeleteAliasMember *r) { - DOM_SID alias_sid; - uint32 acc_granted; + struct samr_alias_info *ainfo; SE_PRIV se_rights; bool can_add_accounts; NTSTATUS status; - DISP_INFO *disp_info = NULL; - - /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info)) - return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(acc_granted, - SAMR_ALIAS_ACCESS_REMOVE_MEMBER, - "_samr_DeleteAliasMember"); + ainfo = policy_handle_find(p, r->in.alias_handle, + SAMR_ALIAS_ACCESS_REMOVE_MEMBER, NULL, + struct samr_alias_info, &status); if (!NT_STATUS_IS_OK(status)) { return status; } DEBUG(10, ("_samr_del_aliasmem:sid is %s\n", - sid_string_dbg(&alias_sid))); + sid_string_dbg(&ainfo->sid))); se_priv_copy( &se_rights, &se_add_users ); can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights ); @@ -4542,7 +4491,7 @@ NTSTATUS _samr_DeleteAliasMember(pipes_struct *p, if ( can_add_accounts ) become_root(); - status = pdb_del_aliasmem(&alias_sid, r->in.sid); + status = pdb_del_aliasmem(&ainfo->sid, r->in.sid); if ( can_add_accounts ) unbecome_root(); @@ -4550,7 +4499,7 @@ NTSTATUS _samr_DeleteAliasMember(pipes_struct *p, /******** END SeAddUsers BLOCK *********/ if (NT_STATUS_IS_OK(status)) { - force_flush_samr_cache(&alias_sid); + force_flush_samr_cache(&ainfo->sid); } return status; 
@@ -4563,28 +4512,22 @@ NTSTATUS _samr_DeleteAliasMember(pipes_struct *p, NTSTATUS _samr_AddGroupMember(pipes_struct *p, struct samr_AddGroupMember *r) { + struct samr_group_info *ginfo; NTSTATUS status; - DOM_SID group_sid; uint32 group_rid; - uint32 acc_granted; SE_PRIV se_rights; bool can_add_accounts; - DISP_INFO *disp_info = NULL; - - /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) - return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(acc_granted, - SAMR_GROUP_ACCESS_ADD_MEMBER, - "_samr_AddGroupMember"); + ginfo = policy_handle_find(p, r->in.group_handle, + SAMR_GROUP_ACCESS_ADD_MEMBER, NULL, + struct samr_group_info, &status); if (!NT_STATUS_IS_OK(status)) { return status; } - DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid))); + DEBUG(10, ("sid is %s\n", sid_string_dbg(&ginfo->sid))); - if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid, + if (!sid_peek_check_rid(get_global_sam_sid(), &ginfo->sid, &group_rid)) { return NT_STATUS_INVALID_HANDLE; } @@ -4604,7 +4547,7 @@ NTSTATUS _samr_AddGroupMember(pipes_struct *p, /******** END SeAddUsers BLOCK *********/ - force_flush_samr_cache(&group_sid); + force_flush_samr_cache(&ginfo->sid); return status; } @@ -4617,13 +4560,11 @@ NTSTATUS _samr_DeleteGroupMember(pipes_struct *p, struct samr_DeleteGroupMember *r) { + struct samr_group_info *ginfo; NTSTATUS status; - DOM_SID group_sid; uint32 group_rid; - uint32 acc_granted; SE_PRIV se_rights; bool can_add_accounts; - DISP_INFO *disp_info = NULL; /* * delete the group member named r->in.rid 
@@ -4631,18 +4572,14 @@ NTSTATUS _samr_DeleteGroupMember(pipes_struct *p, * the rid is a user's rid as the group is a domain group. */ - /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) - return NT_STATUS_INVALID_HANDLE; - - status = access_check_samr_function(acc_granted, - SAMR_GROUP_ACCESS_REMOVE_MEMBER, - "_samr_DeleteGroupMember"); + ginfo = policy_handle_find(p, r->in.group_handle, + SAMR_GROUP_ACCESS_REMOVE_MEMBER, NULL, + struct samr_group_info, &status); if (!NT_STATUS_IS_OK(status)) { return status; } - if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid, + if (!sid_peek_check_rid(get_global_sam_sid(), &ginfo->sid, &group_rid)) { return NT_STATUS_INVALID_HANDLE; } @@ -4662,7 +4599,7 @@ NTSTATUS _samr_DeleteGroupMember(pipes_struct *p, /******** END SeAddUsers BLOCK *********/ - force_flush_samr_cache(&group_sid); + force_flush_samr_cache(&ginfo->sid); return status; } 
@@ -4674,29 +4611,23 @@ NTSTATUS _samr_DeleteGroupMember(pipes_struct *p, NTSTATUS _samr_DeleteUser(pipes_struct *p, struct samr_DeleteUser *r) { + struct samr_user_info *uinfo; NTSTATUS status; - DOM_SID user_sid; struct samu *sam_pass=NULL; - uint32 acc_granted; bool can_add_accounts; uint32 acb_info; - DISP_INFO *disp_info = NULL; bool ret; DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__)); - /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &user_sid, &acc_granted, &disp_info)) - return NT_STATUS_INVALID_HANDLE; - - status = access_check_samr_function(acc_granted, - STD_RIGHT_DELETE_ACCESS, - "_samr_DeleteUser"); + uinfo = policy_handle_find(p, r->in.user_handle, + STD_RIGHT_DELETE_ACCESS, NULL, + struct samr_user_info, &status); if (!NT_STATUS_IS_OK(status)) { return status; } - if (!sid_check_is_in_our_domain(&user_sid)) + if (!sid_check_is_in_our_domain(&uinfo->sid)) return NT_STATUS_CANNOT_DELETE; /* check if the user exists before trying to delete */ @@ -4705,12 +4636,12 @@ NTSTATUS _samr_DeleteUser(pipes_struct *p, } become_root(); - ret = pdb_getsampwsid(sam_pass, &user_sid); + ret = pdb_getsampwsid(sam_pass, &uinfo->sid); unbecome_root(); if( !ret ) { DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n", - sid_string_dbg(&user_sid))); + sid_string_dbg(&uinfo->sid))); TALLOC_FREE(sam_pass); return NT_STATUS_NO_SUCH_USER; } @@ -4752,7 +4683,7 @@ NTSTATUS _samr_DeleteUser(pipes_struct *p, ZERO_STRUCTP(r->out.user_handle); - force_flush_samr_cache(&user_sid); + force_flush_samr_cache(&uinfo->sid); return NT_STATUS_OK; } 
@@ -4764,30 +4695,24 @@ NTSTATUS _samr_DeleteUser(pipes_struct *p, NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p, struct samr_DeleteDomainGroup *r) { + struct samr_group_info *ginfo; NTSTATUS status; - DOM_SID group_sid; uint32 group_rid; - uint32 acc_granted; SE_PRIV se_rights; bool can_add_accounts; - DISP_INFO *disp_info = NULL; DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__)); - /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) - return NT_STATUS_INVALID_HANDLE; - - status = access_check_samr_function(acc_granted, - STD_RIGHT_DELETE_ACCESS, - "_samr_DeleteDomainGroup"); + ginfo = policy_handle_find(p, r->in.group_handle, + STD_RIGHT_DELETE_ACCESS, NULL, + struct samr_group_info, &status); if (!NT_STATUS_IS_OK(status)) { return status; } - DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid))); + DEBUG(10, ("sid is %s\n", sid_string_dbg(&ginfo->sid))); - if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid, + if (!sid_peek_check_rid(get_global_sam_sid(), &ginfo->sid, &group_rid)) { return NT_STATUS_NO_SUCH_GROUP; } @@ -4810,7 +4735,7 @@ NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p, if ( !NT_STATUS_IS_OK(status) ) { DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping " "entry for group %s: %s\n", - sid_string_dbg(&group_sid), + sid_string_dbg(&ginfo->sid), nt_errstr(status))); return status; } @@ -4818,7 +4743,7 @@ NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p, if (!close_policy_hnd(p, r->in.group_handle)) return NT_STATUS_OBJECT_NAME_INVALID; - force_flush_samr_cache(&group_sid); + force_flush_samr_cache(&ginfo->sid); return NT_STATUS_OK; } 
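Review bot: In the last `_samr_DeleteDomainGroup` hunk, `force_flush_samr_cache(&ginfo->sid)` runs after `close_policy_hnd(p, r->in.group_handle)`, and `ginfo` is the state attached to that very handle. The old code flushed from a stack copy (`group_sid`); if closing the handle releases its state (that helper is outside this diff), the new call reads freed memory. Take a copy before the close, e.g. `DOM_SID sid = ginfo->sid;`, and call `force_flush_samr_cache(&sid);` afterwards. The same ordering appears in `_samr_DeleteDomAlias` (`&ainfo->sid` after `close_policy_hnd`). It is probably also present in `_samr_DeleteUser`, where the flush follows `ZERO_STRUCTP(r->out.user_handle)` but the close itself lies outside the hunk.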
@@ -4830,39 +4755,29 @@ NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p, NTSTATUS _samr_DeleteDomAlias(pipes_struct *p, struct samr_DeleteDomAlias *r) { - DOM_SID alias_sid; - uint32 acc_granted; + struct samr_alias_info *ainfo; SE_PRIV se_rights; bool can_add_accounts; NTSTATUS status; - DISP_INFO *disp_info = NULL; DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__)); - /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info)) - return NT_STATUS_INVALID_HANDLE; - - /* copy the handle to the outgoing reply */ - - memcpy(r->out.alias_handle, r->in.alias_handle, sizeof(r->out.alias_handle)); - - status = access_check_samr_function(acc_granted, - STD_RIGHT_DELETE_ACCESS, - "_samr_DeleteDomAlias"); + ainfo = policy_handle_find(p, r->in.alias_handle, + STD_RIGHT_DELETE_ACCESS, NULL, + struct samr_alias_info, &status); if (!NT_STATUS_IS_OK(status)) { return status; } - DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid))); + DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo->sid))); /* Don't let Windows delete builtin groups */ - if ( sid_check_is_in_builtin( &alias_sid ) ) { + if ( sid_check_is_in_builtin( &ainfo->sid ) ) { return NT_STATUS_SPECIAL_ACCOUNT; } - if (!sid_check_is_in_our_domain(&alias_sid)) + if (!sid_check_is_in_our_domain(&ainfo->sid)) return NT_STATUS_NO_SUCH_ALIAS; DEBUG(10, ("lookup on Local SID\n")); @@ -4876,7 +4791,7 @@ NTSTATUS _samr_DeleteDomAlias(pipes_struct *p, become_root(); /* Have passdb delete the alias */ - status = pdb_delete_alias(&alias_sid); + status = pdb_delete_alias(&ainfo->sid); if ( can_add_accounts ) unbecome_root(); @@ -4889,7 +4804,7 @@ NTSTATUS _samr_DeleteDomAlias(pipes_struct *p, if (!close_policy_hnd(p, r->in.alias_handle)) return NT_STATUS_OBJECT_NAME_INVALID; - force_flush_samr_cache(&alias_sid); + force_flush_samr_cache(&ainfo->sid); return NT_STATUS_OK; } 
@@ -4903,10 +4818,9 @@ NTSTATUS _samr_CreateDomainGroup(pipes_struct *p, { NTSTATUS status; - DOM_SID info_sid; const char *name; struct samr_domain_info *dinfo; - struct samr_info *info; + struct samr_group_info *ginfo; SE_PRIV se_rights; bool can_add_accounts; @@ -4952,20 +4866,15 @@ NTSTATUS _samr_CreateDomainGroup(pipes_struct *p, if ( !NT_STATUS_IS_OK(status) ) return status; - sid_compose(&info_sid, &dinfo->sid, *r->out.rid); - - if ((info = get_samr_info_by_sid(p->mem_ctx, &info_sid)) == NULL) - return NT_STATUS_NO_MEMORY; - - /* they created it; let the user do what he wants with it */ - - info->acc_granted = GENERIC_RIGHTS_GROUP_ALL_ACCESS; - - /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, r->out.group_handle, info)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + ginfo = policy_handle_create(p, r->out.group_handle, + GENERIC_RIGHTS_GROUP_ALL_ACCESS, + struct samr_group_info, &status); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + sid_compose(&ginfo->sid, &dinfo->sid, *r->out.rid); - force_flush_samr_cache(&info_sid); + force_flush_samr_cache(&dinfo->sid); return NT_STATUS_OK; } @@ -4980,7 +4889,7 @@ NTSTATUS _samr_CreateDomAlias(pipes_struct *p, DOM_SID info_sid; const char *name = NULL; struct samr_domain_info *dinfo; - struct samr_info *info; + struct samr_alias_info *ainfo; gid_t gid; NTSTATUS result; SE_PRIV se_rights; 
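Review bot: `_samr_CreateDomainGroup` now ends with `force_flush_samr_cache(&dinfo->sid)`, the domain SID, where the old code passed the composed group SID and the other converted call sites pass the object's own SID (`&uinfo->sid`, `&ainfo->sid`, `&info_sid`). Whether the two are equivalent depends on how `force_flush_samr_cache` maps a SID to a cache, which this diff does not show. If the switch is deliberate a one-line comment would help; otherwise `force_flush_samr_cache(&ginfo->sid);` keeps the old behaviour. This hunk and the `_samr_CreateDomAlias` one also drop the comment `/* they created it; let the user do what he wants with it */`, the only explanation for handing `GENERIC_RIGHTS_GROUP_ALL_ACCESS` / `GENERIC_RIGHTS_ALIAS_ALL_ACCESS` to the new handle. I would keep it above each `policy_handle_create` call.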
@@ -5039,16 +4948,13 @@ NTSTATUS _samr_CreateDomAlias(pipes_struct *p, return NT_STATUS_ACCESS_DENIED; } - if ((info = get_samr_info_by_sid(p->mem_ctx, &info_sid)) == NULL) - return NT_STATUS_NO_MEMORY; - - /* they created it; let the user do what he wants with it */ - - info->acc_granted = GENERIC_RIGHTS_ALIAS_ALL_ACCESS; - - /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, r->out.alias_handle, info)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + ainfo = policy_handle_create(p, r->out.alias_handle, + GENERIC_RIGHTS_ALIAS_ALL_ACCESS, + struct samr_alias_info, &result); + if (!NT_STATUS_IS_OK(result)) { + return result; + } + ainfo->sid = info_sid; force_flush_samr_cache(&info_sid); @@ -5062,11 +4968,10 @@ NTSTATUS _samr_CreateDomAlias(pipes_struct *p, NTSTATUS _samr_QueryGroupInfo(pipes_struct *p, struct samr_QueryGroupInfo *r) { + struct samr_group_info *ginfo; NTSTATUS status; - DOM_SID group_sid; GROUP_MAP map; union samr_GroupInfo *info = NULL; - uint32 acc_granted; bool ret; uint32_t attributes = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | @@ -5074,18 +4979,15 @@ NTSTATUS _samr_QueryGroupInfo(pipes_struct *p, const char *group_name = NULL; const char *group_description = NULL; - if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL)) - return NT_STATUS_INVALID_HANDLE; - - status = access_check_samr_function(acc_granted, - SAMR_GROUP_ACCESS_LOOKUP_INFO, - "_samr_QueryGroupInfo"); + ginfo = policy_handle_find(p, r->in.group_handle, + SAMR_GROUP_ACCESS_LOOKUP_INFO, NULL, + struct samr_group_info, &status); if (!NT_STATUS_IS_OK(status)) { return status; } become_root(); - ret = get_domain_group_from_sid(group_sid, &map); + ret = get_domain_group_from_sid(ginfo->sid, &map); unbecome_root(); if (!ret) return NT_STATUS_INVALID_HANDLE; 
@@ -5106,7 +5008,8 @@ NTSTATUS _samr_QueryGroupInfo(pipes_struct *p, become_root(); status = pdb_enum_group_members( - p->mem_ctx, &group_sid, &members, &num_members); + p->mem_ctx, &ginfo->sid, &members, + &num_members); unbecome_root(); if (!NT_STATUS_IS_OK(status)) { @@ -5137,7 +5040,8 @@ NTSTATUS _samr_QueryGroupInfo(pipes_struct *p, /* become_root(); status = pdb_enum_group_members( - p->mem_ctx, &group_sid, &members, &num_members); + p->mem_ctx, &ginfo->sid, &members, + &num_members); unbecome_root(); if (!NT_STATUS_IS_OK(status)) { @@ -5167,26 +5071,21 @@ NTSTATUS _samr_QueryGroupInfo(pipes_struct *p, NTSTATUS _samr_SetGroupInfo(pipes_struct *p, struct samr_SetGroupInfo *r) { - DOM_SID group_sid; + struct samr_group_info *ginfo; GROUP_MAP map; - uint32 acc_granted; NTSTATUS status; bool ret; bool can_mod_accounts; - DISP_INFO *disp_info = NULL; - - if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) - return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(acc_granted, - SAMR_GROUP_ACCESS_SET_INFO, - "_samr_SetGroupInfo"); + ginfo = policy_handle_find(p, r->in.group_handle, + SAMR_GROUP_ACCESS_SET_INFO, NULL, + struct samr_group_info, &status); if (!NT_STATUS_IS_OK(status)) { return status; } become_root(); - ret = get_domain_group_from_sid(group_sid, &map); + ret = get_domain_group_from_sid(ginfo->sid, &map); unbecome_root(); if (!ret) return NT_STATUS_NO_SUCH_GROUP; @@ -5220,7 +5119,7 @@ NTSTATUS _samr_SetGroupInfo(pipes_struct *p, /******** End SeAddUsers BLOCK *********/ if (NT_STATUS_IS_OK(status)) { - force_flush_samr_cache(&group_sid); + force_flush_samr_cache(&ginfo->sid); } return status; 
@@ -5233,19 +5132,14 @@ NTSTATUS _samr_SetGroupInfo(pipes_struct *p, NTSTATUS _samr_SetAliasInfo(pipes_struct *p, struct samr_SetAliasInfo *r) { - DOM_SID group_sid; + struct samr_alias_info *ainfo; struct acct_info info; - uint32 acc_granted; bool can_mod_accounts; NTSTATUS status; - DISP_INFO *disp_info = NULL; - if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &group_sid, &acc_granted, &disp_info)) - return NT_STATUS_INVALID_HANDLE; - - status = access_check_samr_function(acc_granted, - SAMR_ALIAS_ACCESS_SET_INFO, - "_samr_SetAliasInfo"); + ainfo = policy_handle_find(p, r->in.alias_handle, + SAMR_ALIAS_ACCESS_SET_INFO, NULL, + struct samr_alias_info, &status); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -5253,7 +5147,7 @@ NTSTATUS _samr_SetAliasInfo(pipes_struct *p, /* get the current group information */ become_root(); - status = pdb_get_aliasinfo( &group_sid, &info ); + status = pdb_get_aliasinfo( &ainfo->sid, &info ); unbecome_root(); if ( !NT_STATUS_IS_OK(status)) @@ -5269,7 +5163,7 @@ NTSTATUS _samr_SetAliasInfo(pipes_struct *p, why. The eventually needs to be fixed to be like Windows where you can rename builtin groups, just not delete them */ - if ( sid_check_is_in_builtin( &group_sid ) ) { + if ( sid_check_is_in_builtin( &ainfo->sid ) ) { return NT_STATUS_SPECIAL_ACCOUNT; } @@ -5314,7 +5208,7 @@ NTSTATUS _samr_SetAliasInfo(pipes_struct *p, if ( can_mod_accounts ) become_root(); - status = pdb_set_aliasinfo( &group_sid, &info ); + status = pdb_set_aliasinfo( &ainfo->sid, &info ); if ( can_mod_accounts ) unbecome_root(); @@ -5322,7 +5216,7 @@ NTSTATUS _samr_SetAliasInfo(pipes_struct *p, /******** End SeAddUsers BLOCK *********/ if (NT_STATUS_IS_OK(status)) - force_flush_samr_cache(&group_sid); + force_flush_samr_cache(&ainfo->sid); return status; } 
@@ -5374,7 +5268,7 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p, DOM_SID info_sid; GROUP_MAP map; struct samr_domain_info *dinfo; - struct samr_info *info; + struct samr_group_info *ginfo; SEC_DESC *psd = NULL; uint32 acc_granted; uint32 des_access = r->in.access_mask; @@ -5412,24 +5306,23 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p, sid_compose(&info_sid, &dinfo->sid, r->in.rid); - if ((info = get_samr_info_by_sid(p->mem_ctx, &info_sid)) == NULL) - return NT_STATUS_NO_MEMORY; - - info->acc_granted = acc_granted; - DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n", sid_string_dbg(&info_sid))); /* check if that group really exists */ become_root(); - ret = get_domain_group_from_sid(info->sid, &map); + ret = get_domain_group_from_sid(info_sid, &map); unbecome_root(); if (!ret) return NT_STATUS_NO_SUCH_GROUP; - /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, r->out.group_handle, info)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + ginfo = policy_handle_create(p, r->out.group_handle, + GENERIC_RIGHTS_GROUP_ALL_ACCESS, + struct samr_group_info, &status); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + ginfo->sid = info_sid; return NT_STATUS_OK; } |
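Review bot: `_samr_OpenGroup` now creates the handle with `GENERIC_RIGHTS_GROUP_ALL_ACCESS` instead of the `acc_granted` value that the removed line `info->acc_granted = acc_granted;` stored, so every opened group handle carries full group rights whatever the caller requested and was granted. The group operations converted in this commit (`_samr_AddGroupMember`, `_samr_DeleteGroupMember`, `_samr_SetGroupInfo`, `_samr_DeleteDomainGroup`) pass their required right to `policy_handle_find`, which presumably compares it against the mask stored here, so that check would no longer restrict anything. `acc_granted` is still declared in this function, and the `_samr_OpenUser` and `_samr_OpenAlias` hunks pass it. The call should read `policy_handle_create(p, r->out.group_handle, acc_granted, struct samr_group_info, &status);`. The access check that computes `acc_granted` sits between the two hunks and is not shown.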