summaryrefslogtreecommitdiff
path: root/source3/rpc_server/srv_lsa_nt.c
diff options
context:
space:
mode:
Diffstat (limited to 'source3/rpc_server/srv_lsa_nt.c')
-rw-r--r--source3/rpc_server/srv_lsa_nt.c222
1 files changed, 44 insertions, 178 deletions
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 3581be0181..ca3021a876 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -403,8 +403,16 @@ NTSTATUS _lsa_open_policy2(pipes_struct *p, LSA_Q_OPEN_POL2 *q_u, LSA_R_OPEN_POL
/* get the generic lsa policy SD until we store it */
lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
- if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status))
- return status;
+ if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
+ if (geteuid() != 0) {
+ return status;
+ }
+ DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
+ acc_granted, des_access));
+ DEBUGADD(4,("but overwritten by euid == 0\n"));
+ acc_granted = des_access;
+ }
+
/* associate the domain SID with the (unique) handle. */
if ((info = (struct lsa_info *)malloc(sizeof(struct lsa_info))) == NULL)
@@ -441,8 +449,15 @@ NTSTATUS _lsa_open_policy(pipes_struct *p, LSA_Q_OPEN_POL *q_u, LSA_R_OPEN_POL *
/* get the generic lsa policy SD until we store it */
lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
- if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status))
- return status;
+ if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
+ if (geteuid() != 0) {
+ return status;
+ }
+ DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
+ acc_granted, des_access));
+ DEBUGADD(4,("but overwritten by euid == 0\n"));
+ acc_granted = des_access;
+ }
/* associate the domain SID with the (unique) handle. */
if ((info = (struct lsa_info *)malloc(sizeof(struct lsa_info))) == NULL)
@@ -547,7 +562,7 @@ NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INF
switch (lp_server_role()) {
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
- name = lp_workgroup();
+ name = get_global_sam_name();
sid = get_global_sam_sid();
break;
case ROLE_DOMAIN_MEMBER:
@@ -573,23 +588,8 @@ NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INF
return NT_STATUS_ACCESS_DENIED;
/* Request PolicyAccountDomainInformation. */
- switch (lp_server_role()) {
- case ROLE_DOMAIN_PDC:
- case ROLE_DOMAIN_BDC:
- name = lp_workgroup();
- sid = get_global_sam_sid();
- break;
- case ROLE_DOMAIN_MEMBER:
- name = global_myname();
- sid = get_global_sam_sid();
- break;
- case ROLE_STANDALONE:
- name = global_myname();
- sid = get_global_sam_sid();
- break;
- default:
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- }
+ name = get_global_sam_name();
+ sid = get_global_sam_sid();
init_dom_query(&r_u->dom.id5, name, sid);
break;
case 0x06:
@@ -645,7 +645,7 @@ NTSTATUS _lsa_lookup_sids(pipes_struct *p, LSA_Q_LOOKUP_SIDS *q_u, LSA_R_LOOKUP_
num_entries = MAX_LOOKUP_SIDS;
DEBUG(5,("_lsa_lookup_sids: truncating SID lookup list to %d\n", num_entries));
}
-
+
ref = (DOM_R_REF *)talloc_zero(p->mem_ctx, sizeof(DOM_R_REF));
names = (LSA_TRANS_NAME_ENUM *)talloc_zero(p->mem_ctx, sizeof(LSA_TRANS_NAME_ENUM));
@@ -859,7 +859,7 @@ NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENU
return NT_STATUS_ACCESS_DENIED;
/* get the list of mapped groups (domain, local, builtin) */
- if(!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV))
+ if(!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED))
return NT_STATUS_OK;
if (q_u->enum_context >= num_entries)
@@ -964,8 +964,6 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS
{
struct lsa_info *info=NULL;
GROUP_MAP map;
- int i=0;
-
LUID_ATTR *set=NULL;
r_u->status = NT_STATUS_OK;
@@ -974,9 +972,10 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
- if (!pdb_getgrsid(&map, info->sid, MAPPING_WITH_PRIV))
+ if (!pdb_getgrsid(&map, info->sid))
return NT_STATUS_NO_SUCH_GROUP;
+#if 0 /* privileges currently not implemented! */
DEBUG(10,("_lsa_enum_privsaccount: %d privileges\n", map.priv_set.count));
if (map.priv_set.count!=0) {
@@ -997,6 +996,9 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS
init_lsa_r_enum_privsaccount(r_u, set, map.priv_set.count, 0);
free_privilege(&map.priv_set);
+#endif
+
+ init_lsa_r_enum_privsaccount(r_u, set, 0, 0);
return r_u->status;
}
@@ -1015,7 +1017,7 @@ NTSTATUS _lsa_getsystemaccount(pipes_struct *p, LSA_Q_GETSYSTEMACCOUNT *q_u, LSA
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
- if (!pdb_getgrsid(&map, info->sid, MAPPING_WITHOUT_PRIV))
+ if (!pdb_getgrsid(&map, info->sid))
return NT_STATUS_NO_SUCH_GROUP;
/*
@@ -1027,7 +1029,7 @@ NTSTATUS _lsa_getsystemaccount(pipes_struct *p, LSA_Q_GETSYSTEMACCOUNT *q_u, LSA
they can be ORed together
*/
- r_u->access=map.systemaccount;
+ r_u->access = PR_LOG_ON_LOCALLY | PR_ACCESS_FROM_NETWORK;
return r_u->status;
}
@@ -1046,16 +1048,12 @@ NTSTATUS _lsa_setsystemaccount(pipes_struct *p, LSA_Q_SETSYSTEMACCOUNT *q_u, LSA
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
- if (!pdb_getgrsid(&map, info->sid, MAPPING_WITH_PRIV))
+ if (!pdb_getgrsid(&map, info->sid))
return NT_STATUS_NO_SUCH_GROUP;
- map.systemaccount=q_u->access;
-
if(!pdb_update_group_mapping_entry(&map))
return NT_STATUS_NO_SUCH_GROUP;
- free_privilege(&map.priv_set);
-
return r_u->status;
}
@@ -1065,20 +1063,22 @@ NTSTATUS _lsa_setsystemaccount(pipes_struct *p, LSA_Q_SETSYSTEMACCOUNT *q_u, LSA
NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u)
{
+#if 0
struct lsa_info *info=NULL;
GROUP_MAP map;
int i=0;
-
LUID_ATTR *luid_attr=NULL;
PRIVILEGE_SET *set=NULL;
+#endif
r_u->status = NT_STATUS_OK;
+#if 0 /* privileges are not implemented */
/* find the connection policy handle. */
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
- if (!pdb_getgrsid(&map, info->sid, MAPPING_WITH_PRIV))
+ if (!pdb_getgrsid(&map, info->sid))
return NT_STATUS_NO_SUCH_GROUP;
set=&q_u->set;
@@ -1100,6 +1100,7 @@ NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u
free_privilege(&map.priv_set);
+#endif
return r_u->status;
}
@@ -1109,20 +1110,22 @@ NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u
NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEPRIVS *r_u)
{
+#if 0
struct lsa_info *info=NULL;
GROUP_MAP map;
int i=0;
-
LUID_ATTR *luid_attr=NULL;
PRIVILEGE_SET *set=NULL;
+#endif
r_u->status = NT_STATUS_OK;
+#if 0 /* privileges are not implemented */
/* find the connection policy handle. */
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
- if (!pdb_getgrsid(&map, info->sid, MAPPING_WITH_PRIV))
+ if (!pdb_getgrsid(&map, info->sid))
return NT_STATUS_NO_SUCH_GROUP;
if (q_u->allrights!=0) {
@@ -1156,7 +1159,7 @@ NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEP
return NT_STATUS_NO_SUCH_GROUP;
free_privilege(&map.priv_set);
-
+#endif
return r_u->status;
}
@@ -1240,13 +1243,13 @@ NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_I
switch (lp_server_role()) {
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
- nb_name = lp_workgroup();
+ nb_name = get_global_sam_name();
/* ugly temp hack for these next two */
/* This should be a 'netbios domain -> DNS domain' mapping */
dnsdomname[0] = '\0';
get_mydomname(dnsdomname);
- strlower(dnsdomname);
+ strlower_m(dnsdomname);
dns_name = dnsdomname;
forest_name = dnsdomname;
@@ -1273,140 +1276,3 @@ NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_I
return r_u->status;
}
-
-
-/***************************************************************************
- For a given SID, enumerate all the privilege this account has.
- ***************************************************************************/
-NTSTATUS _lsa_enum_acct_rights(pipes_struct *p, LSA_Q_ENUM_ACCT_RIGHTS *q_u, LSA_R_ENUM_ACCT_RIGHTS *r_u)
-{
- struct lsa_info *info=NULL;
- char **rights = NULL;
- int num_rights = 0;
- int i;
-
- r_u->status = NT_STATUS_OK;
-
- /* find the connection policy handle. */
- if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
- return NT_STATUS_INVALID_HANDLE;
-
- r_u->status = privilege_enum_account_rights(&q_u->sid.sid, &num_rights, &rights);
-
- init_r_enum_acct_rights(r_u, num_rights, (const char **)rights);
-
- for (i=0;i<num_rights;i++) {
- free(rights[i]);
- }
- safe_free(rights);
-
- return r_u->status;
-}
-
-/***************************************************************************
-return a list of SIDs for a particular privilege
- ***************************************************************************/
-NTSTATUS _lsa_enum_acct_with_right(pipes_struct *p,
- LSA_Q_ENUM_ACCT_WITH_RIGHT *q_u,
- LSA_R_ENUM_ACCT_WITH_RIGHT *r_u)
-{
- struct lsa_info *info=NULL;
- char *right;
- DOM_SID *sids = NULL;
- uint32 count = 0;
-
- r_u->status = NT_STATUS_OK;
-
- /* find the connection policy handle. */
- if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
- return NT_STATUS_INVALID_HANDLE;
-
- right = unistr2_tdup(p->mem_ctx, &q_u->right);
-
- DEBUG(5,("lsa_enum_acct_with_right on right %s\n", right));
-
- r_u->status = privilege_enum_account_with_right(right, &count, &sids);
-
- init_r_enum_acct_with_right(r_u, count, sids);
-
- safe_free(sids);
-
- return r_u->status;
-}
-
-/***************************************************************************
- add privileges to a acct by SID
- ***************************************************************************/
-NTSTATUS _lsa_add_acct_rights(pipes_struct *p, LSA_Q_ADD_ACCT_RIGHTS *q_u, LSA_R_ADD_ACCT_RIGHTS *r_u)
-{
- struct lsa_info *info=NULL;
- int i;
-
- r_u->status = NT_STATUS_OK;
-
- /* find the connection policy handle. */
- if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
- return NT_STATUS_INVALID_HANDLE;
-
- DEBUG(5,("_lsa_add_acct_rights to %s (%d rights)\n",
- sid_string_static(&q_u->sid.sid), q_u->rights.count));
-
- for (i=0;i<q_u->rights.count;i++) {
- DEBUG(5,("\t%s\n", unistr2_static(&q_u->rights.strings[i].string)));
- }
-
-
- for (i=0;i<q_u->rights.count;i++) {
- r_u->status = privilege_add_account_right(unistr2_static(&q_u->rights.strings[i].string),
- &q_u->sid.sid);
- if (!NT_STATUS_IS_OK(r_u->status)) {
- DEBUG(2,("Failed to add right '%s'\n",
- unistr2_static(&q_u->rights.strings[i].string)));
- break;
- }
- }
-
- init_r_add_acct_rights(r_u);
-
- return r_u->status;
-}
-
-
-/***************************************************************************
- remove privileges from a acct by SID
- ***************************************************************************/
-NTSTATUS _lsa_remove_acct_rights(pipes_struct *p, LSA_Q_REMOVE_ACCT_RIGHTS *q_u, LSA_R_REMOVE_ACCT_RIGHTS *r_u)
-{
- struct lsa_info *info=NULL;
- int i;
-
- r_u->status = NT_STATUS_OK;
-
- /* find the connection policy handle. */
- if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
- return NT_STATUS_INVALID_HANDLE;
-
-
- DEBUG(5,("_lsa_remove_acct_rights from %s all=%d (%d rights)\n",
- sid_string_static(&q_u->sid.sid),
- q_u->removeall,
- q_u->rights.count));
-
- for (i=0;i<q_u->rights.count;i++) {
- DEBUG(5,("\t%s\n", unistr2_static(&q_u->rights.strings[i].string)));
- }
-
- for (i=0;i<q_u->rights.count;i++) {
- r_u->status = privilege_remove_account_right(unistr2_static(&q_u->rights.strings[i].string),
- &q_u->sid.sid);
- if (!NT_STATUS_IS_OK(r_u->status)) {
- DEBUG(2,("Failed to remove right '%s'\n",
- unistr2_static(&q_u->rights.strings[i].string)));
- break;
- }
- }
-
- init_r_remove_acct_rights(r_u);
-
- return r_u->status;
-}