Diffstat (limited to 'source3/rpc_server')
-rw-r--r-- | source3/rpc_server/srv_dssetup_nt.c | 220 | ||||
-rw-r--r-- | source3/rpc_server/srv_eventlog.c | 88 | ||||
-rw-r--r-- | source3/rpc_server/srv_eventlog_lib.c | 8 | ||||
-rw-r--r-- | source3/rpc_server/srv_eventlog_nt.c | 162 | ||||
-rw-r--r-- | source3/rpc_server/srv_lsa.c | 1069 | ||||
-rw-r--r-- | source3/rpc_server/srv_lsa_ds.c | 85 | ||||
-rw-r--r-- | source3/rpc_server/srv_lsa_ds_nt.c | 130 | ||||
-rw-r--r-- | source3/rpc_server/srv_lsa_nt.c | 1710 | ||||
-rw-r--r-- | source3/rpc_server/srv_netlog.c | 405 | ||||
-rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 1175 | ||||
-rw-r--r-- | source3/rpc_server/srv_ntsvcs.c | 107 | ||||
-rw-r--r-- | source3/rpc_server/srv_ntsvcs_nt.c | 636 | ||||
-rw-r--r-- | source3/rpc_server/srv_pipe.c | 67 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr.c | 1571 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 3508 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr_util.c | 759 | ||||
-rw-r--r-- | source3/rpc_server/srv_srvsvc_nt.c | 20 | ||||
-rw-r--r-- | source3/rpc_server/srv_svcctl.c | 180 | ||||
-rw-r--r-- | source3/rpc_server/srv_svcctl_nt.c | 502 | ||||
-rw-r--r-- | source3/rpc_server/srv_winreg_nt.c | 303 | ||||
-rw-r--r-- | source3/rpc_server/srv_wkssvc_nt.c | 113 |
21 files changed, 5186 insertions, 7632 deletions
diff --git a/source3/rpc_server/srv_dssetup_nt.c b/source3/rpc_server/srv_dssetup_nt.c
new file mode 100644
index 0000000000..ea535a3375
--- /dev/null
+++ b/source3/rpc_server/srv_dssetup_nt.c
@@ -0,0 +1,220 @@ +/* + * Unix SMB/CIFS implementation. + * RPC Pipe client / server routines + * Copyright (C) Andrew Tridgell 1992-1997. + * Copyright (C) Luke Kenneth Casson Leighton 1996-1997. + * Copyright (C) Paul Ashton 1997. + * Copyright (C) Jeremy Allison 2001. + * Copyright (C) Gerald Carter 2002. + * Copyright (C) Guenther Deschner 2008. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. 
+ */ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_RPC_SRV + +/******************************************************************** + Fill in a dssetup_DsRolePrimaryDomInfoBasic structure + ********************************************************************/ + +static WERROR fill_dsrole_dominfo_basic(TALLOC_CTX *ctx, + struct dssetup_DsRolePrimaryDomInfoBasic **info) +{ + struct dssetup_DsRolePrimaryDomInfoBasic *basic = NULL; + fstring dnsdomain; + + DEBUG(10,("fill_dsrole_dominfo_basic: enter\n")); + + basic = TALLOC_ZERO_P(ctx, struct dssetup_DsRolePrimaryDomInfoBasic); + if (!basic) { + DEBUG(0,("fill_dsrole_dominfo_basic: out of memory\n")); + return WERR_NOMEM; + } + + switch (lp_server_role()) { + case ROLE_STANDALONE: + basic->role = DS_ROLE_STANDALONE_SERVER; + basic->domain = get_global_sam_name(); + break; + case ROLE_DOMAIN_MEMBER: + basic->role = DS_ROLE_MEMBER_SERVER; + basic->domain = lp_workgroup(); + break; + case ROLE_DOMAIN_BDC: + basic->role = DS_ROLE_BACKUP_DC; + basic->domain = get_global_sam_name(); + break; + case ROLE_DOMAIN_PDC: + basic->role = DS_ROLE_PRIMARY_DC; + basic->domain = get_global_sam_name(); + break; + } + + if (secrets_fetch_domain_guid(lp_workgroup(), &basic->domain_guid)) { + basic->flags |= DS_ROLE_PRIMARY_DOMAIN_GUID_PRESENT; + } + + /* fill in some additional fields if we are a member of an AD domain */ + + if (lp_security() == SEC_ADS) { + fstrcpy(dnsdomain, lp_realm()); + strlower_m(dnsdomain); + basic->dns_domain = dnsdomain; + + /* FIXME!! We really should fill in the correct forest + name. Should get this information from winbindd. 
*/ + basic->forest = dnsdomain; + } else { + /* security = domain should not fill in the dns or + forest name */ + basic->dns_domain = NULL; + basic->forest = NULL; + } + + *info = basic; + + return WERR_OK; +} + +/******************************************************************** + Implement the _dssetup_DsRoleGetPrimaryDomainInformation() call + ********************************************************************/ + +WERROR _dssetup_DsRoleGetPrimaryDomainInformation(pipes_struct *p, + struct dssetup_DsRoleGetPrimaryDomainInformation *r) +{ + WERROR werr = WERR_OK; + + switch (r->in.level) { + + case DS_ROLE_BASIC_INFORMATION: { + struct dssetup_DsRolePrimaryDomInfoBasic *basic = NULL; + werr = fill_dsrole_dominfo_basic(p->mem_ctx, &basic); + if (W_ERROR_IS_OK(werr)) { + r->out.info->basic = *basic; + } + break; + } + default: + DEBUG(0,("_dssetup_DsRoleGetPrimaryDomainInformation: " + "Unknown info level [%d]!\n", r->in.level)); + werr = WERR_UNKNOWN_LEVEL; + } + + return werr; +} + +/**************************************************************** +****************************************************************/ + +WERROR _dssetup_DsRoleDnsNameToFlatName(pipes_struct *p, + struct dssetup_DsRoleDnsNameToFlatName *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _dssetup_DsRoleDcAsDc(pipes_struct *p, + struct dssetup_DsRoleDcAsDc *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _dssetup_DsRoleDcAsReplica(pipes_struct *p, + struct dssetup_DsRoleDcAsReplica *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** 
+****************************************************************/ + +WERROR _dssetup_DsRoleDemoteDc(pipes_struct *p, + struct dssetup_DsRoleDemoteDc *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _dssetup_DsRoleGetDcOperationProgress(pipes_struct *p, + struct dssetup_DsRoleGetDcOperationProgress *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _dssetup_DsRoleGetDcOperationResults(pipes_struct *p, + struct dssetup_DsRoleGetDcOperationResults *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _dssetup_DsRoleCancel(pipes_struct *p, + struct dssetup_DsRoleCancel *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _dssetup_DsRoleServerSaveStateForUpgrade(pipes_struct *p, + struct dssetup_DsRoleServerSaveStateForUpgrade *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _dssetup_DsRoleUpgradeDownlevelServer(pipes_struct *p, + struct dssetup_DsRoleUpgradeDownlevelServer *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _dssetup_DsRoleAbortDownlevelServerUpgrade(pipes_struct *p, + struct 
dssetup_DsRoleAbortDownlevelServerUpgrade *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + diff --git a/source3/rpc_server/srv_eventlog.c b/source3/rpc_server/srv_eventlog.c index 516ea134f2..5679a6acb6 100644 --- a/source3/rpc_server/srv_eventlog.c +++ b/source3/rpc_server/srv_eventlog.c @@ -42,27 +42,7 @@ static bool proxy_eventlog_call(pipes_struct *p, uint8 opnum) static bool api_eventlog_open_eventlog(pipes_struct *p) { - EVENTLOG_Q_OPEN_EVENTLOG q_u; - EVENTLOG_R_OPEN_EVENTLOG r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if (!(eventlog_io_q_open_eventlog("", &q_u, data, 0))) { - DEBUG(0, ("eventlog_io_q_open_eventlog: unable to unmarshall EVENTLOG_Q_OPEN_EVENTLOG.\n")); - return False; - } - - r_u.status = _eventlog_open_eventlog(p, &q_u, &r_u); - - if (!(eventlog_io_r_open_eventlog("", &r_u, rdata, 0))) { - DEBUG(0, ("eventlog_io_r_open_eventlog: unable to marshall EVENTLOG_R_OPEN_EVENTLOG.\n")); - return False; - } - - return True; + return proxy_eventlog_call(p, NDR_EVENTLOG_OPENEVENTLOGW); } static bool api_eventlog_close_eventlog(pipes_struct *p) 
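Review bot: In fill_dsrole_dominfo_basic() in the new srv_dssetup_nt.c, the `lp_security() == SEC_ADS` branch stores the address of the stack array `fstring dnsdomain` in `basic->dns_domain` and `basic->forest`, but `basic` is talloc'ed and handed back through `*info`, so both pointers dangle once the function returns. The caller copies `*basic` into `r->out.info->basic`, and the reply is presumably marshalled after that, which would read a dead stack frame and could send stale stack contents to the RPC client or crash the server. Duplicate the string onto the talloc context instead, e.g. `basic->dns_domain = talloc_strdup(basic, dnsdomain);`, return `WERR_NOMEM` when that is NULL, and point `basic->forest` at the copy. The `switch (lp_server_role())` also has no `default:`, so any other role value leaves `role` and `domain` at their zeroed state without a log line.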
@@ -72,52 +52,12 @@ static bool api_eventlog_close_eventlog(pipes_struct *p) static bool api_eventlog_get_num_records(pipes_struct *p) { - EVENTLOG_Q_GET_NUM_RECORDS q_u; - EVENTLOG_R_GET_NUM_RECORDS r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if (!(eventlog_io_q_get_num_records("", &q_u, data, 0))) { - DEBUG(0, ("eventlog_io_q_get_num_records: unable to unmarshall EVENTLOG_Q_GET_NUM_RECORDS.\n")); - return False; - } - - r_u.status = _eventlog_get_num_records(p, &q_u, &r_u); - - if (!(eventlog_io_r_get_num_records("", &r_u, rdata, 0))) { - DEBUG(0, ("eventlog_io_r_get_num_records: unable to marshall EVENTLOG_R_GET_NUM_RECORDS.\n")); - return False; - } - - return True; + return proxy_eventlog_call(p, NDR_EVENTLOG_GETNUMRECORDS); } static bool api_eventlog_get_oldest_entry(pipes_struct *p) { - EVENTLOG_Q_GET_OLDEST_ENTRY q_u; - EVENTLOG_R_GET_OLDEST_ENTRY r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if (!(eventlog_io_q_get_oldest_entry("", &q_u, data, 0))) { - DEBUG(0, ("eventlog_io_q_get_oldest_entry: unable to unmarshall EVENTLOG_Q_GET_OLDEST_ENTRY.\n")); - return False; - } - - r_u.status = _eventlog_get_oldest_entry(p, &q_u, &r_u); - - if (!(eventlog_io_r_get_oldest_entry("", &r_u, rdata, 0))) { - DEBUG(0, ("eventlog_io_r_get_oldest_entry: unable to marshall EVENTLOG_R_GET_OLDEST_ENTRY.\n")); - return False; - } - - return True; + return proxy_eventlog_call(p, NDR_EVENTLOG_GETOLDESTRECORD); } static bool api_eventlog_read_eventlog(pipes_struct *p) 
@@ -147,27 +87,7 @@ static bool api_eventlog_read_eventlog(pipes_struct *p) static bool api_eventlog_clear_eventlog(pipes_struct *p) { - EVENTLOG_Q_CLEAR_EVENTLOG q_u; - EVENTLOG_R_CLEAR_EVENTLOG r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if (!(eventlog_io_q_clear_eventlog("", &q_u, data, 0))) { - DEBUG(0, ("eventlog_io_q_clear_eventlog: unable to unmarshall EVENTLOG_Q_CLEAR_EVENTLOG.\n")); - return False; - } - - r_u.status = _eventlog_clear_eventlog(p, &q_u, &r_u); - - if (!(eventlog_io_r_clear_eventlog("", &r_u, rdata, 0))) { - DEBUG(0, ("eventlog_io_q_clear_eventlog: unable to marshall EVENTLOG_Q_CLEAR_EVENTLOG.\n")); - return False; - } - - return True; + return proxy_eventlog_call(p, NDR_EVENTLOG_CLEAREVENTLOGW); } /* diff --git a/source3/rpc_server/srv_eventlog_lib.c b/source3/rpc_server/srv_eventlog_lib.c index 4e996ee19b..269e2f318e 100644 --- a/source3/rpc_server/srv_eventlog_lib.c +++ b/source3/rpc_server/srv_eventlog_lib.c @@ -140,15 +140,14 @@ int elog_tdb_size( TDB_CONTEXT * tdb, int *MaxSize, int *Retention ) return True if we made enough room to accommodate needed bytes ********************************************************************/ -bool make_way_for_eventlogs( TDB_CONTEXT * the_tdb, int32 needed, - bool whack_by_date ) +static bool make_way_for_eventlogs( TDB_CONTEXT * the_tdb, int32 needed, + bool whack_by_date ) { int start_record, i, new_start; int end_record; int nbytes, reclen, len, Retention, MaxSize; int tresv1, trecnum, timegen, timewr; TDB_DATA key, ret; - TALLOC_CTX *mem_ctx = NULL; time_t current_time, exp_time; /* discard some eventlogs */ 
@@ -156,10 +155,7 @@ bool make_way_for_eventlogs( TDB_CONTEXT * the_tdb, int32 needed, /* read eventlogs from oldest_entry -- there can't be any discontinuity in recnos, although records not necessarily guaranteed to have successive times */ /* */ - mem_ctx = talloc_init( "make_way_for_eventlogs" ); /* Homage to BPG */ - if ( mem_ctx == NULL ) - return False; /* can't allocate memory indicates bigger problems */ /* lock */ tdb_lock_bystring_with_timeout( the_tdb, EVT_NEXT_RECORD, 1 ); /* read */ diff --git a/source3/rpc_server/srv_eventlog_nt.c b/source3/rpc_server/srv_eventlog_nt.c index 3c9c835bad..0e2bcf4126 100644 --- a/source3/rpc_server/srv_eventlog_nt.c +++ b/source3/rpc_server/srv_eventlog_nt.c @@ -423,12 +423,12 @@ static bool sync_eventlog_params( EVENTLOG_INFO *info ) char *path = NULL; uint32 uiMaxSize; uint32 uiRetention; - REGISTRY_KEY *keyinfo; - REGISTRY_VALUE *val; - REGVAL_CTR *values; + struct registry_key *key; + struct registry_value *value; WERROR wresult; char *elogname = info->logname; TALLOC_CTX *ctx = talloc_tos(); + bool ret = false; DEBUG( 4, ( "sync_eventlog_params with %s\n", elogname ) ); 
@@ -451,44 +451,48 @@ static bool sync_eventlog_params( EVENTLOG_INFO *info ) return false; } - wresult = regkey_open_internal( NULL, &keyinfo, path, - get_root_nt_token( ), REG_KEY_READ ); + wresult = reg_open_path(ctx, path, REG_KEY_READ, get_root_nt_token(), + &key); if ( !W_ERROR_IS_OK( wresult ) ) { DEBUG( 4, ( "sync_eventlog_params: Failed to open key [%s] (%s)\n", path, dos_errstr( wresult ) ) ); - return False; + return false; } - if ( !( values = TALLOC_ZERO_P( keyinfo, REGVAL_CTR ) ) ) { - TALLOC_FREE( keyinfo ); - DEBUG( 0, ( "control_eventlog_hook: talloc() failed!\n" ) ); - - return False; + wresult = reg_queryvalue(key, key, "Retention", &value); + if (!W_ERROR_IS_OK(wresult)) { + DEBUG(4, ("Failed to query value \"Retention\": %s\n", + dos_errstr(wresult))); + ret = false; + goto done; } - fetch_reg_values( keyinfo, values ); - - if ( ( val = regval_ctr_getvalue( values, "Retention" ) ) != NULL ) - uiRetention = IVAL( regval_data_p( val ), 0 ); + uiRetention = value->v.dword; - if ( ( val = regval_ctr_getvalue( values, "MaxSize" ) ) != NULL ) - uiMaxSize = IVAL( regval_data_p( val ), 0 ); - - TALLOC_FREE( keyinfo ); + wresult = reg_queryvalue(key, key, "MaxSize", &value); + if (!W_ERROR_IS_OK(wresult)) { + DEBUG(4, ("Failed to query value \"MaxSize\": %s\n", + dos_errstr(wresult))); + ret = false; + goto done; + } + uiMaxSize = value->v.dword; tdb_store_int32( ELOG_TDB_CTX(info->etdb), EVT_MAXSIZE, uiMaxSize ); tdb_store_int32( ELOG_TDB_CTX(info->etdb), EVT_RETENTION, uiRetention ); - return True; + ret = true; + +done: + TALLOC_FREE(ctx); + return ret; } /******************************************************************** ********************************************************************/ static Eventlog_entry *read_package_entry( prs_struct * ps, - EVENTLOG_Q_READ_EVENTLOG * q_u, - EVENTLOG_R_READ_EVENTLOG * r_u, Eventlog_entry * entry ) { uint8 *offset; 
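Review bot: `TALLOC_FREE(ctx)` at the new `done:` label in sync_eventlog_params() frees a context this function does not own, because the preceding hunk shows `ctx` is initialised with `talloc_tos()`, which returns the current stackframe rather than creating one. Freeing it releases everything else allocated on that frame and risks a use-after-free in the RPC request path. Either take a private frame with `TALLOC_CTX *ctx = talloc_stackframe();` and free it on the early `return false` paths as well, or drop the free and release only `key`. Separately, `value->v.dword` is read for "Retention" and "MaxSize" without checking `value->type == REG_DWORD`; add that check before reading the union, since a registry value of another type would be misread. The function starts outside this hunk.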
@@ -604,28 +608,23 @@ static bool add_record_to_resp( EVENTLOG_R_READ_EVENTLOG * r_u, } /******************************************************************** + _eventlog_OpenEventLogW ********************************************************************/ -NTSTATUS _eventlog_open_eventlog( pipes_struct * p, - EVENTLOG_Q_OPEN_EVENTLOG * q_u, - EVENTLOG_R_OPEN_EVENTLOG * r_u ) +NTSTATUS _eventlog_OpenEventLogW(pipes_struct *p, + struct eventlog_OpenEventLogW *r) { - fstring servername, logname; + const char *servername = ""; + const char *logname = ""; EVENTLOG_INFO *info; NTSTATUS result; - fstrcpy( servername, "" ); - if ( q_u->servername.string ) { - rpcstr_pull( servername, q_u->servername.string->buffer, - sizeof( servername ), - q_u->servername.string->uni_str_len * 2, 0 ); + if (r->in.servername->string) { + servername = r->in.servername->string; } - fstrcpy( logname, "" ); - if ( q_u->logname.string ) { - rpcstr_pull( logname, q_u->logname.string->buffer, - sizeof( logname ), - q_u->logname.string->uni_str_len * 2, 0 ); + if (r->in.logname->string) { + logname = r->in.logname->string; } DEBUG( 10,("_eventlog_open_eventlog: Server [%s], Log [%s]\n", @@ -634,13 +633,13 @@ NTSTATUS _eventlog_open_eventlog( pipes_struct * p, /* according to MSDN, if the logfile cannot be found, we should default to the "Application" log */ - if ( !NT_STATUS_IS_OK( result = elog_open( p, logname, &r_u->handle )) ) + if ( !NT_STATUS_IS_OK( result = elog_open( p, logname, r->out.handle )) ) return result; - if ( !(info = find_eventlog_info_by_hnd( p, &r_u->handle )) ) { + if ( !(info = find_eventlog_info_by_hnd( p, r->out.handle )) ) { DEBUG(0,("_eventlog_open_eventlog: eventlog (%s) opened but unable to find handle!\n", logname )); - elog_close( p, &r_u->handle ); + elog_close( p, r->out.handle ); return NT_STATUS_INVALID_HANDLE; } 
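Review bot: In _eventlog_OpenEventLogW() the new code dereferences `r->in.servername->string` and `r->in.logname->string` without testing the outer pointers, whereas _eventlog_ClearEventLogW() in this same commit checks `r->in.backupfile &&` before touching `->string`. The IDL is not visible here: if both are `[ref]` pointers the NDR layer guarantees they are non-NULL and a one-line comment saying so would settle it, but if either is `[unique]` a request that omits it would make the server dereference NULL, so guard with `if (r->in.logname && r->in.logname->string)`. The DEBUG strings in this function still print the old name `_eventlog_open_eventlog`, which will mislead anyone grepping logs for the renamed handler. The function body continues past the hunk.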
@@ -653,28 +652,35 @@ NTSTATUS _eventlog_open_eventlog( pipes_struct * p, } /******************************************************************** + _eventlog_ClearEventLogW This call still needs some work ********************************************************************/ - -NTSTATUS _eventlog_clear_eventlog( pipes_struct * p, - EVENTLOG_Q_CLEAR_EVENTLOG * q_u, - EVENTLOG_R_CLEAR_EVENTLOG * r_u ) -{ - EVENTLOG_INFO *info = find_eventlog_info_by_hnd( p, &q_u->handle ); - char *backup_file_name = NULL; +/** The windows client seems to be doing something funny with the file name + A call like + ClearEventLog(handle, "backup_file") + on the client side will result in the backup file name looking like this on the + server side: + \??\${CWD of client}\backup_file + If an absolute path gets specified, such as + ClearEventLog(handle, "C:\\temp\\backup_file") + then it is still mangled by the client into this: + \??\C:\temp\backup_file + when it is on the wire. + I'm not sure where the \?? is coming from, or why the ${CWD} of the client process + would be added in given that the backup file gets written on the server side. */ + +NTSTATUS _eventlog_ClearEventLogW(pipes_struct *p, + struct eventlog_ClearEventLogW *r) +{ + EVENTLOG_INFO *info = find_eventlog_info_by_hnd( p, r->in.handle ); + const char *backup_file_name = NULL; if ( !info ) return NT_STATUS_INVALID_HANDLE; - if (q_u->backupfile.string) { - size_t len = rpcstr_pull_talloc(p->mem_ctx, - &backup_file_name, - q_u->backupfile.string->buffer, - q_u->backupfile.string->uni_str_len * 2, - 0 ); - if (len == (size_t)-1 || !backup_file_name) { - return NT_STATUS_INVALID_PARAMETER; - } + if (r->in.backupfile && r->in.backupfile->string) { + + backup_file_name = r->in.backupfile->string; DEBUG(8,( "_eventlog_clear_eventlog: Using [%s] as the backup " "file name for log [%s].", 
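Review bot: In _eventlog_ClearEventLogW(), `backup_file_name` is now assigned directly from `r->in.backupfile->string`, a client-supplied path that the new comment says arrives as `\??\<client cwd>\backup_file`, and nothing in the hunk constrains or normalises it. The body continues past the hunk, so I cannot see whether the name is ever used beyond the DEBUG call; if it is, or once the "still needs some work" part is filled in, it has to be treated as untrusted and resolved inside a server-chosen directory rather than opened as given. I would record that next to the assignment, e.g. `/* client-controlled path: validate before any filesystem use */`. The explanatory block opens with `/**` although it is not a doc comment for the function; folding it into the banner comment above would read more cleanly.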
@@ -765,7 +771,7 @@ NTSTATUS _eventlog_read_eventlog( pipes_struct * p, /* Now see if there is enough room to add */ - if ( !(ee_new = read_package_entry( ps, q_u, r_u, entry )) ) + if ( !(ee_new = read_package_entry( ps, entry )) ) return NT_STATUS_NO_MEMORY; if ( r_u->num_bytes_in_resp + ee_new->record.length > q_u->max_read_size ) { @@ -805,13 +811,13 @@ NTSTATUS _eventlog_read_eventlog( pipes_struct * p, } /******************************************************************** + _eventlog_GetOldestRecord ********************************************************************/ -NTSTATUS _eventlog_get_oldest_entry( pipes_struct * p, - EVENTLOG_Q_GET_OLDEST_ENTRY * q_u, - EVENTLOG_R_GET_OLDEST_ENTRY * r_u ) +NTSTATUS _eventlog_GetOldestRecord(pipes_struct *p, + struct eventlog_GetOldestRecord *r) { - EVENTLOG_INFO *info = find_eventlog_info_by_hnd( p, &q_u->handle ); + EVENTLOG_INFO *info = find_eventlog_info_by_hnd( p, r->in.handle ); if (info == NULL) { return NT_STATUS_INVALID_HANDLE; @@ -820,19 +826,19 @@ NTSTATUS _eventlog_get_oldest_entry( pipes_struct * p, if ( !( get_oldest_entry_hook( info ) ) ) return NT_STATUS_ACCESS_DENIED; - r_u->oldest_entry = info->oldest_entry; + *r->out.oldest_entry = info->oldest_entry; return NT_STATUS_OK; } /******************************************************************** +_eventlog_GetNumRecords ********************************************************************/ -NTSTATUS _eventlog_get_num_records( pipes_struct * p, - EVENTLOG_Q_GET_NUM_RECORDS * q_u, - EVENTLOG_R_GET_NUM_RECORDS * r_u ) +NTSTATUS _eventlog_GetNumRecords(pipes_struct *p, + struct eventlog_GetNumRecords *r) { - EVENTLOG_INFO *info = find_eventlog_info_by_hnd( p, &q_u->handle ); + EVENTLOG_INFO *info = find_eventlog_info_by_hnd( p, r->in.handle ); if (info == NULL) { return NT_STATUS_INVALID_HANDLE; 
@@ -841,17 +847,11 @@ NTSTATUS _eventlog_get_num_records( pipes_struct * p, if ( !( get_num_records_hook( info ) ) ) return NT_STATUS_ACCESS_DENIED; - r_u->num_records = info->num_records; + *r->out.number = info->num_records; return NT_STATUS_OK; } -NTSTATUS _eventlog_ClearEventLogW(pipes_struct *p, struct eventlog_ClearEventLogW *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - NTSTATUS _eventlog_BackupEventLogW(pipes_struct *p, struct eventlog_BackupEventLogW *r) { p->rng_fault_state = True; @@ -864,30 +864,12 @@ NTSTATUS _eventlog_DeregisterEventSource(pipes_struct *p, struct eventlog_Deregi return NT_STATUS_NOT_IMPLEMENTED; } -NTSTATUS _eventlog_GetNumRecords(pipes_struct *p, struct eventlog_GetNumRecords *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - -NTSTATUS _eventlog_GetOldestRecord(pipes_struct *p, struct eventlog_GetOldestRecord *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - NTSTATUS _eventlog_ChangeNotify(pipes_struct *p, struct eventlog_ChangeNotify *r) { p->rng_fault_state = True; return NT_STATUS_NOT_IMPLEMENTED; } -NTSTATUS _eventlog_OpenEventLogW(pipes_struct *p, struct eventlog_OpenEventLogW *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - NTSTATUS _eventlog_RegisterEventSourceW(pipes_struct *p, struct eventlog_RegisterEventSourceW *r) { p->rng_fault_state = True; diff --git a/source3/rpc_server/srv_lsa.c b/source3/rpc_server/srv_lsa.c deleted file mode 100644 index b433ac2c8f..0000000000 --- a/source3/rpc_server/srv_lsa.c +++ /dev/null 
@@ -1,1069 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * RPC Pipe client / server routines - * Copyright (C) Andrew Tridgell 1992-1997, - * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, - * Copyright (C) Paul Ashton 1997, - * Copyright (C) Jeremy Allison 2001, - * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002-2003. - * Copyright (C) Gerald (Jerry) Carter 2005 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see <http://www.gnu.org/licenses/>. - */ - -/* This is the interface to the lsa server code. 
*/ - -#include "includes.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_RPC_SRV - -static bool proxy_lsa_call(pipes_struct *p, uint8 opnum) -{ - struct api_struct *fns; - int n_fns; - - lsarpc_get_pipe_fns(&fns, &n_fns); - - if (opnum >= n_fns) - return False; - - if (fns[opnum].opnum != opnum) { - smb_panic("LSA function table not sorted"); - } - - return fns[opnum].fn(p); -} - -/*************************************************************************** - api_lsa_open_policy2 - ***************************************************************************/ - -static bool api_lsa_open_policy2(pipes_struct *p) -{ - LSA_Q_OPEN_POL2 q_u; - LSA_R_OPEN_POL2 r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the server, object attributes and desired access flag...*/ - if(!lsa_io_q_open_pol2("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_open_policy2: unable to unmarshall LSA_Q_OPEN_POL2.\n")); - return False; - } - - r_u.status = _lsa_open_policy2(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_open_pol2("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_open_policy2: unable to marshall LSA_R_OPEN_POL2.\n")); - return False; - } - - return True; -} - -/*************************************************************************** -api_lsa_open_policy - ***************************************************************************/ - -static bool api_lsa_open_policy(pipes_struct *p) -{ - LSA_Q_OPEN_POL q_u; - LSA_R_OPEN_POL r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the server, object attributes and desired access flag...*/ - if(!lsa_io_q_open_pol("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_open_policy: unable to unmarshall LSA_Q_OPEN_POL.\n")); - return False; - } - - r_u.status = _lsa_open_policy(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - 
if(!lsa_io_r_open_pol("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_open_policy: unable to marshall LSA_R_OPEN_POL.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_enum_trust_dom - ***************************************************************************/ - -static bool api_lsa_enum_trust_dom(pipes_struct *p) -{ - LSA_Q_ENUM_TRUST_DOM q_u; - LSA_R_ENUM_TRUST_DOM r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the enum trust domain context etc. */ - if(!lsa_io_q_enum_trust_dom("", &q_u, data, 0)) - return False; - - /* get required trusted domains information */ - r_u.status = _lsa_enum_trust_dom(p, &q_u, &r_u); - - /* prepare the response */ - if(!lsa_io_r_enum_trust_dom("", &r_u, rdata, 0)) - return False; - - return True; -} - -/*************************************************************************** - api_lsa_query_info - ***************************************************************************/ - -static bool api_lsa_query_info(pipes_struct *p) -{ - LSA_Q_QUERY_INFO q_u; - LSA_R_QUERY_INFO r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the info class and policy handle */ - if(!lsa_io_q_query("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_query_info: failed to unmarshall LSA_Q_QUERY_INFO.\n")); - return False; - } - - r_u.status = _lsa_query_info(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_query("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_query_info: failed to marshall LSA_R_QUERY_INFO.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_lookup_sids - ***************************************************************************/ - -static bool api_lsa_lookup_sids(pipes_struct *p) -{ 
- LSA_Q_LOOKUP_SIDS q_u; - LSA_R_LOOKUP_SIDS r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the info class and policy handle */ - if(!lsa_io_q_lookup_sids("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_lookup_sids: failed to unmarshall LSA_Q_LOOKUP_SIDS.\n")); - return False; - } - - r_u.status = _lsa_lookup_sids(p, &q_u, &r_u); - - if(!lsa_io_r_lookup_sids("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_lookup_sids: Failed to marshall LSA_R_LOOKUP_SIDS.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_lookup_names - ***************************************************************************/ - -static bool api_lsa_lookup_names(pipes_struct *p) -{ - LSA_Q_LOOKUP_NAMES q_u; - LSA_R_LOOKUP_NAMES r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the info class and policy handle */ - if(!lsa_io_q_lookup_names("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_lookup_names: failed to unmarshall LSA_Q_LOOKUP_NAMES.\n")); - return False; - } - - r_u.status = _lsa_lookup_names(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_lookup_names("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_lookup_names: Failed to marshall LSA_R_LOOKUP_NAMES.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_close. - ***************************************************************************/ - -static bool api_lsa_close(pipes_struct *p) -{ - return proxy_lsa_call(p, NDR_LSA_CLOSE); -} - -/*************************************************************************** - api_lsa_open_secret. 
- ***************************************************************************/ - -static bool api_lsa_open_secret(pipes_struct *p) -{ - return proxy_lsa_call(p, NDR_LSA_OPENSECRET); -} - -/*************************************************************************** - api_lsa_open_secret. - ***************************************************************************/ - -static bool api_lsa_enum_privs(pipes_struct *p) -{ - LSA_Q_ENUM_PRIVS q_u; - LSA_R_ENUM_PRIVS r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!lsa_io_q_enum_privs("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_enum_privs: failed to unmarshall LSA_Q_ENUM_PRIVS.\n")); - return False; - } - - r_u.status = _lsa_enum_privs(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_enum_privs("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_enum_privs: Failed to marshall LSA_R_ENUM_PRIVS.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_open_secret. - ***************************************************************************/ - -static bool api_lsa_priv_get_dispname(pipes_struct *p) -{ - LSA_Q_PRIV_GET_DISPNAME q_u; - LSA_R_PRIV_GET_DISPNAME r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!lsa_io_q_priv_get_dispname("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_priv_get_dispname: failed to unmarshall LSA_Q_PRIV_GET_DISPNAME.\n")); - return False; - } - - r_u.status = _lsa_priv_get_dispname(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_priv_get_dispname("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_priv_get_dispname: Failed to marshall LSA_R_PRIV_GET_DISPNAME.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_open_secret. 
- ***************************************************************************/ - -static bool api_lsa_enum_accounts(pipes_struct *p) -{ - LSA_Q_ENUM_ACCOUNTS q_u; - LSA_R_ENUM_ACCOUNTS r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!lsa_io_q_enum_accounts("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_enum_accounts: failed to unmarshall LSA_Q_ENUM_ACCOUNTS.\n")); - return False; - } - - r_u.status = _lsa_enum_accounts(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_enum_accounts("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_enum_accounts: Failed to marshall LSA_R_ENUM_ACCOUNTS.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_UNK_GET_CONNUSER - ***************************************************************************/ - -static bool api_lsa_unk_get_connuser(pipes_struct *p) -{ - LSA_Q_UNK_GET_CONNUSER q_u; - LSA_R_UNK_GET_CONNUSER r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!lsa_io_q_unk_get_connuser("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_unk_get_connuser: failed to unmarshall LSA_Q_UNK_GET_CONNUSER.\n")); - return False; - } - - r_u.status = _lsa_unk_get_connuser(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_unk_get_connuser("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_unk_get_connuser: Failed to marshall LSA_R_UNK_GET_CONNUSER.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_create_user - ***************************************************************************/ - -static bool api_lsa_create_account(pipes_struct *p) -{ - LSA_Q_CREATEACCOUNT q_u; - LSA_R_CREATEACCOUNT r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - 
- ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!lsa_io_q_create_account("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_create_account: failed to unmarshall LSA_Q_CREATEACCOUNT.\n")); - return False; - } - - r_u.status = _lsa_create_account(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_create_account("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_create_account: Failed to marshall LSA_R_CREATEACCOUNT.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_open_user - ***************************************************************************/ - -static bool api_lsa_open_account(pipes_struct *p) -{ - LSA_Q_OPENACCOUNT q_u; - LSA_R_OPENACCOUNT r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!lsa_io_q_open_account("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_open_account: failed to unmarshall LSA_Q_OPENACCOUNT.\n")); - return False; - } - - r_u.status = _lsa_open_account(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_open_account("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_open_account: Failed to marshall LSA_R_OPENACCOUNT.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_get_privs - ***************************************************************************/ - -static bool api_lsa_enum_privsaccount(pipes_struct *p) -{ - LSA_Q_ENUMPRIVSACCOUNT q_u; - LSA_R_ENUMPRIVSACCOUNT r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!lsa_io_q_enum_privsaccount("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_enum_privsaccount: failed to unmarshall LSA_Q_ENUMPRIVSACCOUNT.\n")); - return False; - } - - r_u.status = _lsa_enum_privsaccount(p, rdata, &q_u, &r_u); - - /* store the response in the SMB 
stream */ - if(!lsa_io_r_enum_privsaccount("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_enum_privsaccount: Failed to marshall LSA_R_ENUMPRIVSACCOUNT.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_getsystemaccount - ***************************************************************************/ - -static bool api_lsa_getsystemaccount(pipes_struct *p) -{ - LSA_Q_GETSYSTEMACCOUNT q_u; - LSA_R_GETSYSTEMACCOUNT r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!lsa_io_q_getsystemaccount("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_getsystemaccount: failed to unmarshall LSA_Q_GETSYSTEMACCOUNT.\n")); - return False; - } - - r_u.status = _lsa_getsystemaccount(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_getsystemaccount("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_getsystemaccount: Failed to marshall LSA_R_GETSYSTEMACCOUNT.\n")); - return False; - } - - return True; -} - - -/*************************************************************************** - api_lsa_setsystemaccount - ***************************************************************************/ - -static bool api_lsa_setsystemaccount(pipes_struct *p) -{ - LSA_Q_SETSYSTEMACCOUNT q_u; - LSA_R_SETSYSTEMACCOUNT r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!lsa_io_q_setsystemaccount("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_setsystemaccount: failed to unmarshall LSA_Q_SETSYSTEMACCOUNT.\n")); - return False; - } - - r_u.status = _lsa_setsystemaccount(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_setsystemaccount("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_setsystemaccount: Failed to marshall LSA_R_SETSYSTEMACCOUNT.\n")); - return False; - } - - return True; -} - 
-/*************************************************************************** - api_lsa_addprivs - ***************************************************************************/ - -static bool api_lsa_addprivs(pipes_struct *p) -{ - LSA_Q_ADDPRIVS q_u; - LSA_R_ADDPRIVS r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!lsa_io_q_addprivs("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_addprivs: failed to unmarshall LSA_Q_ADDPRIVS.\n")); - return False; - } - - r_u.status = _lsa_addprivs(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_addprivs("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_addprivs: Failed to marshall LSA_R_ADDPRIVS.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_removeprivs - ***************************************************************************/ - -static bool api_lsa_removeprivs(pipes_struct *p) -{ - LSA_Q_REMOVEPRIVS q_u; - LSA_R_REMOVEPRIVS r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!lsa_io_q_removeprivs("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_removeprivs: failed to unmarshall LSA_Q_REMOVEPRIVS.\n")); - return False; - } - - r_u.status = _lsa_removeprivs(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_removeprivs("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_removeprivs: Failed to marshall LSA_R_REMOVEPRIVS.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_query_secobj - ***************************************************************************/ - -static bool api_lsa_query_secobj(pipes_struct *p) -{ - LSA_Q_QUERY_SEC_OBJ q_u; - LSA_R_QUERY_SEC_OBJ r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - 
ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!lsa_io_q_query_sec_obj("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_query_secobj: failed to unmarshall LSA_Q_QUERY_SEC_OBJ.\n")); - return False; - } - - r_u.status = _lsa_query_secobj(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_query_sec_obj("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_query_secobj: Failed to marshall LSA_R_QUERY_SEC_OBJ.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_add_acct_rights - ***************************************************************************/ - -static bool api_lsa_add_acct_rights(pipes_struct *p) -{ - LSA_Q_ADD_ACCT_RIGHTS q_u; - LSA_R_ADD_ACCT_RIGHTS r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!lsa_io_q_add_acct_rights("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_add_acct_rights: failed to unmarshall LSA_Q_ADD_ACCT_RIGHTS.\n")); - return False; - } - - r_u.status = _lsa_add_acct_rights(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_add_acct_rights("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_add_acct_rights: Failed to marshall LSA_R_ADD_ACCT_RIGHTS.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_remove_acct_rights - ***************************************************************************/ - -static bool api_lsa_remove_acct_rights(pipes_struct *p) -{ - LSA_Q_REMOVE_ACCT_RIGHTS q_u; - LSA_R_REMOVE_ACCT_RIGHTS r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!lsa_io_q_remove_acct_rights("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_remove_acct_rights: failed to unmarshall LSA_Q_REMOVE_ACCT_RIGHTS.\n")); - return False; - } - - r_u.status = _lsa_remove_acct_rights(p, &q_u, &r_u); 
- - /* store the response in the SMB stream */ - if(!lsa_io_r_remove_acct_rights("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_remove_acct_rights: Failed to marshall LSA_R_REMOVE_ACCT_RIGHTS.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_enum_acct_rights - ***************************************************************************/ - -static bool api_lsa_enum_acct_rights(pipes_struct *p) -{ - LSA_Q_ENUM_ACCT_RIGHTS q_u; - LSA_R_ENUM_ACCT_RIGHTS r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!lsa_io_q_enum_acct_rights("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_enum_acct_rights: failed to unmarshall LSA_Q_ENUM_ACCT_RIGHTS.\n")); - return False; - } - - r_u.status = _lsa_enum_acct_rights(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_enum_acct_rights("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_enum_acct_rights: Failed to marshall LSA_R_ENUM_ACCT_RIGHTS.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_lookup_priv_value - ***************************************************************************/ - -static bool api_lsa_lookup_priv_value(pipes_struct *p) -{ - LSA_Q_LOOKUP_PRIV_VALUE q_u; - LSA_R_LOOKUP_PRIV_VALUE r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!lsa_io_q_lookup_priv_value("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_lookup_priv_value: failed to unmarshall LSA_Q_LOOKUP_PRIV_VALUE .\n")); - return False; - } - - r_u.status = _lsa_lookup_priv_value(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_lookup_priv_value("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_lookup_priv_value: Failed to marshall LSA_R_LOOKUP_PRIV_VALUE.\n")); - return False; - } - - return 
True; -} - -/*************************************************************************** - ***************************************************************************/ - -static bool api_lsa_open_trust_dom(pipes_struct *p) -{ - return proxy_lsa_call(p, NDR_LSA_OPENTRUSTEDDOMAIN); -} - -/*************************************************************************** - ***************************************************************************/ - -static bool api_lsa_create_trust_dom(pipes_struct *p) -{ - return proxy_lsa_call(p, NDR_LSA_CREATETRUSTEDDOMAIN); -} - -/*************************************************************************** - ***************************************************************************/ - -static bool api_lsa_create_secret(pipes_struct *p) -{ - return proxy_lsa_call(p, NDR_LSA_CREATESECRET); -} - -/*************************************************************************** - ***************************************************************************/ - -static bool api_lsa_set_secret(pipes_struct *p) -{ - return proxy_lsa_call(p, NDR_LSA_SETSECRET); -} - -/*************************************************************************** - ***************************************************************************/ - -static bool api_lsa_delete_object(pipes_struct *p) -{ - LSA_Q_DELETE_OBJECT q_u; - LSA_R_DELETE_OBJECT r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!lsa_io_q_delete_object("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_delete_object: failed to unmarshall LSA_Q_DELETE_OBJECT.\n")); - return False; - } - - r_u.status = _lsa_delete_object(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_delete_object("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_delete_object: Failed to marshall LSA_R_DELETE_OBJECT.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - 
api_lsa_lookup_sids2 - ***************************************************************************/ - -static bool api_lsa_lookup_sids2(pipes_struct *p) -{ - LSA_Q_LOOKUP_SIDS2 q_u; - LSA_R_LOOKUP_SIDS2 r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the info class and policy handle */ - if(!lsa_io_q_lookup_sids2("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_lookup_sids2: failed to unmarshall LSA_Q_LOOKUP_SIDS2.\n")); - return False; - } - - r_u.status = _lsa_lookup_sids2(p, &q_u, &r_u); - - if(!lsa_io_r_lookup_sids2("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_lookup_sids2: Failed to marshall LSA_R_LOOKUP_SIDS2.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_lookup_sids3 - ***************************************************************************/ - -static bool api_lsa_lookup_sids3(pipes_struct *p) -{ - LSA_Q_LOOKUP_SIDS3 q_u; - LSA_R_LOOKUP_SIDS3 r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the info class and policy handle */ - if(!lsa_io_q_lookup_sids3("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_lookup_sids3: failed to unmarshall LSA_Q_LOOKUP_SIDS3.\n")); - return False; - } - - r_u.status = _lsa_lookup_sids3(p, &q_u, &r_u); - - if(!lsa_io_r_lookup_sids3("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_lookup_sids3: Failed to marshall LSA_R_LOOKUP_SIDS3.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_lookup_names2 - ***************************************************************************/ - -static bool api_lsa_lookup_names2(pipes_struct *p) -{ - LSA_Q_LOOKUP_NAMES2 q_u; - LSA_R_LOOKUP_NAMES2 r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - 
ZERO_STRUCT(r_u); - - /* grab the info class and policy handle */ - if(!lsa_io_q_lookup_names2("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_lookup_names2: failed to unmarshall LSA_Q_LOOKUP_NAMES2.\n")); - return False; - } - - r_u.status = _lsa_lookup_names2(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_lookup_names2("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_lookup_names2: Failed to marshall LSA_R_LOOKUP_NAMES2.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_lookup_names3 - ***************************************************************************/ - -static bool api_lsa_lookup_names3(pipes_struct *p) -{ - LSA_Q_LOOKUP_NAMES3 q_u; - LSA_R_LOOKUP_NAMES3 r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the info class and policy handle */ - if(!lsa_io_q_lookup_names3("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_lookup_names3: failed to unmarshall LSA_Q_LOOKUP_NAMES3.\n")); - return False; - } - - r_u.status = _lsa_lookup_names3(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_lookup_names3("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_lookup_names3: Failed to marshall LSA_R_LOOKUP_NAMES3.\n")); - return False; - } - - return True; -} - -/*************************************************************************** - api_lsa_lookup_names4 - ***************************************************************************/ - -static bool api_lsa_lookup_names4(pipes_struct *p) -{ - LSA_Q_LOOKUP_NAMES4 q_u; - LSA_R_LOOKUP_NAMES4 r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the info class and policy handle */ - if(!lsa_io_q_lookup_names4("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_lookup_names4: failed to unmarshall LSA_Q_LOOKUP_NAMES4.\n")); - return False; - 
} - - r_u.status = _lsa_lookup_names4(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!lsa_io_r_lookup_names4("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_lookup_names4: Failed to marshall LSA_R_LOOKUP_NAMES4.\n")); - return False; - } - - return True; -} - -#if 0 /* AD DC work in ongoing in Samba 4 */ - -/*************************************************************************** - api_lsa_query_info2 - ***************************************************************************/ - -static bool api_lsa_query_info2(pipes_struct *p) -{ - LSA_Q_QUERY_INFO2 q_u; - LSA_R_QUERY_INFO2 r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!lsa_io_q_query_info2("", &q_u, data, 0)) { - DEBUG(0,("api_lsa_query_info2: failed to unmarshall LSA_Q_QUERY_INFO2.\n")); - return False; - } - - r_u.status = _lsa_query_info2(p, &q_u, &r_u); - - if (!lsa_io_r_query_info2("", &r_u, rdata, 0)) { - DEBUG(0,("api_lsa_query_info2: failed to marshall LSA_R_QUERY_INFO2.\n")); - return False; - } - - return True; -} -#endif /* AD DC work in ongoing in Samba 4 */ - -/*************************************************************************** - \PIPE\ntlsa commands - ***************************************************************************/ - -static struct api_struct api_lsa_cmds[] = -{ - { "LSA_OPENPOLICY2" , LSA_OPENPOLICY2 , api_lsa_open_policy2 }, - { "LSA_OPENPOLICY" , LSA_OPENPOLICY , api_lsa_open_policy }, - { "LSA_QUERYINFOPOLICY" , LSA_QUERYINFOPOLICY , api_lsa_query_info }, - { "LSA_ENUMTRUSTDOM" , LSA_ENUMTRUSTDOM , api_lsa_enum_trust_dom }, - { "LSA_CLOSE" , LSA_CLOSE , api_lsa_close }, - { "LSA_OPENSECRET" , LSA_OPENSECRET , api_lsa_open_secret }, - { "LSA_LOOKUPSIDS" , LSA_LOOKUPSIDS , api_lsa_lookup_sids }, - { "LSA_LOOKUPNAMES" , LSA_LOOKUPNAMES , api_lsa_lookup_names }, - { "LSA_ENUM_PRIVS" , LSA_ENUM_PRIVS , api_lsa_enum_privs }, - { 
"LSA_PRIV_GET_DISPNAME",LSA_PRIV_GET_DISPNAME,api_lsa_priv_get_dispname}, - { "LSA_ENUM_ACCOUNTS" , LSA_ENUM_ACCOUNTS , api_lsa_enum_accounts }, - { "LSA_UNK_GET_CONNUSER", LSA_UNK_GET_CONNUSER, api_lsa_unk_get_connuser }, - { "LSA_CREATEACCOUNT" , LSA_CREATEACCOUNT , api_lsa_create_account }, - { "LSA_OPENACCOUNT" , LSA_OPENACCOUNT , api_lsa_open_account }, - { "LSA_ENUMPRIVSACCOUNT", LSA_ENUMPRIVSACCOUNT, api_lsa_enum_privsaccount}, - { "LSA_GETSYSTEMACCOUNT", LSA_GETSYSTEMACCOUNT, api_lsa_getsystemaccount }, - { "LSA_SETSYSTEMACCOUNT", LSA_SETSYSTEMACCOUNT, api_lsa_setsystemaccount }, - { "LSA_ADDPRIVS" , LSA_ADDPRIVS , api_lsa_addprivs }, - { "LSA_REMOVEPRIVS" , LSA_REMOVEPRIVS , api_lsa_removeprivs }, - { "LSA_ADDACCTRIGHTS" , LSA_ADDACCTRIGHTS , api_lsa_add_acct_rights }, - { "LSA_REMOVEACCTRIGHTS", LSA_REMOVEACCTRIGHTS, api_lsa_remove_acct_rights }, - { "LSA_ENUMACCTRIGHTS" , LSA_ENUMACCTRIGHTS , api_lsa_enum_acct_rights }, - { "LSA_QUERYSECOBJ" , LSA_QUERYSECOBJ , api_lsa_query_secobj }, - { "LSA_LOOKUPPRIVVALUE" , LSA_LOOKUPPRIVVALUE , api_lsa_lookup_priv_value }, - { "LSA_OPENTRUSTDOM" , LSA_OPENTRUSTDOM , api_lsa_open_trust_dom }, - { "LSA_OPENSECRET" , LSA_OPENSECRET , api_lsa_open_secret }, - { "LSA_CREATETRUSTDOM" , LSA_CREATETRUSTDOM , api_lsa_create_trust_dom }, - { "LSA_CREATSECRET" , LSA_CREATESECRET , api_lsa_create_secret }, - { "LSA_SETSECRET" , LSA_SETSECRET , api_lsa_set_secret }, - { "LSA_DELETEOBJECT" , LSA_DELETEOBJECT , api_lsa_delete_object }, - { "LSA_LOOKUPSIDS2" , LSA_LOOKUPSIDS2 , api_lsa_lookup_sids2 }, - { "LSA_LOOKUPNAMES2" , LSA_LOOKUPNAMES2 , api_lsa_lookup_names2 }, - { "LSA_LOOKUPNAMES3" , LSA_LOOKUPNAMES3 , api_lsa_lookup_names3 }, - { "LSA_LOOKUPSIDS3" , LSA_LOOKUPSIDS3 , api_lsa_lookup_sids3 }, - { "LSA_LOOKUPNAMES4" , LSA_LOOKUPNAMES4 , api_lsa_lookup_names4 } -#if 0 /* AD DC work in ongoing in Samba 4 */ - /* be careful of the adding of new RPC's. 
See commentrs below about - ADS DC capabilities */ - { "LSA_QUERYINFO2" , LSA_QUERYINFO2 , api_lsa_query_info2 } -#endif /* AD DC work in ongoing in Samba 4 */ -}; - -static int count_fns(void) -{ - int funcs = sizeof(api_lsa_cmds) / sizeof(struct api_struct); - -#if 0 /* AD DC work is on going in Samba 4 */ - /* - * NOTE: Certain calls can not be enabled if we aren't an ADS DC. Make sure - * these calls are always last and that you decrement by the amount of calls - * to disable. - */ - if (!(SEC_ADS == lp_security() && ROLE_DOMAIN_PDC == lp_server_role())) { - funcs -= 1; - } -#endif /* AD DC work in ongoing in Samba 4 */ - - return funcs; -} -void lsa_get_pipe_fns( struct api_struct **fns, int *n_fns ) -{ - *fns = api_lsa_cmds; - *n_fns = count_fns(); -} - - -NTSTATUS rpc_lsa_init(void) -{ - int funcs = count_fns(); - - return rpc_pipe_register_commands(SMB_RPC_INTERFACE_VERSION, "lsarpc", "lsass", api_lsa_cmds, - funcs); -} diff --git a/source3/rpc_server/srv_lsa_ds.c b/source3/rpc_server/srv_lsa_ds.c deleted file mode 100644 index 55baa40261..0000000000 --- a/source3/rpc_server/srv_lsa_ds.c +++ /dev/null 
@@ -1,85 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * RPC Pipe client / server routines - * Copyright (C) Gerald Carter 2003 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see <http://www.gnu.org/licenses/>. - */ - -/* This is the interface for the registry functions. */ - -#include "includes.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_RPC_SRV - -/******************************************************************* - ********************************************************************/ - -static bool api_dsrole_get_primary_dominfo(pipes_struct *p) -{ - DS_Q_GETPRIMDOMINFO q_u; - DS_R_GETPRIMDOMINFO r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the request */ - if ( !ds_io_q_getprimdominfo("", &q_u, data, 0) ) - return False; - - /* construct reply. 
*/ - r_u.status = _dsrole_get_primary_dominfo( p, &q_u, &r_u ); - - if ( !ds_io_r_getprimdominfo("", &r_u, rdata, 0) ) - return False; - - return True; -} - -/******************************************************************* - stub functions for unimplemented RPC -*******************************************************************/ - -static bool api_dsrole_stub( pipes_struct *p ) -{ - DEBUG(0,("api_dsrole_stub: Hmmm....didn't know this RPC existed...\n")); - - return False; -} - - -/******************************************************************* - array of \PIPE\lsass (new windows 2000 UUID) operations -********************************************************************/ -static struct api_struct api_lsa_ds_cmds[] = { - { "DS_NOP", DS_NOP, api_dsrole_stub }, - { "DS_GETPRIMDOMINFO", DS_GETPRIMDOMINFO, api_dsrole_get_primary_dominfo } - -}; - -void lsa_ds_get_pipe_fns( struct api_struct **fns, int *n_fns ) -{ - *fns = api_lsa_ds_cmds; - *n_fns = sizeof(api_lsa_ds_cmds) / sizeof(struct api_struct); -} - - -NTSTATUS rpc_lsa_ds_init(void) -{ - return rpc_pipe_register_commands(SMB_RPC_INTERFACE_VERSION, "lsa_ds", "lsa_ds", api_lsa_ds_cmds, - sizeof(api_lsa_ds_cmds) / sizeof(struct api_struct)); -} diff --git a/source3/rpc_server/srv_lsa_ds_nt.c b/source3/rpc_server/srv_lsa_ds_nt.c deleted file mode 100644 index 994b3cccca..0000000000 --- a/source3/rpc_server/srv_lsa_ds_nt.c +++ /dev/null 
@@ -1,130 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * RPC Pipe client / server routines - * Copyright (C) Andrew Tridgell 1992-1997. - * Copyright (C) Luke Kenneth Casson Leighton 1996-1997. - * Copyright (C) Paul Ashton 1997. - * Copyright (C) Jeremy Allison 2001. - * Copyright (C) Gerald Carter 2002. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see <http://www.gnu.org/licenses/>. - */ - -/* Implementation of registry functions. */ - -#include "includes.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_RPC_SRV - -/******************************************************************** - Fill in a DS_DOMINFO_CTR structure - ********************************************************************/ - -static NTSTATUS fill_dsrole_dominfo_basic(TALLOC_CTX *ctx, DSROLE_PRIMARY_DOMAIN_INFO_BASIC **info) -{ - DSROLE_PRIMARY_DOMAIN_INFO_BASIC *basic; - const char *netbios_domain = ""; - fstring dnsdomain; - - DEBUG(10,("fill_dsrole_dominfo_basic: enter\n")); - - if ( !(basic = TALLOC_ZERO_P(ctx, DSROLE_PRIMARY_DOMAIN_INFO_BASIC)) ) { - DEBUG(0,("fill_dsrole_dominfo_basic: FATAL error! 
talloc_xero() failed\n")); - return NT_STATUS_NO_MEMORY; - } - - switch ( lp_server_role() ) { - case ROLE_STANDALONE: - basic->machine_role = DSROLE_STANDALONE_SRV; - basic->netbios_ptr = 1; - netbios_domain = get_global_sam_name(); - break; - case ROLE_DOMAIN_MEMBER: - basic->netbios_ptr = 1; - netbios_domain = lp_workgroup(); - basic->machine_role = DSROLE_DOMAIN_MEMBER_SRV; - break; - case ROLE_DOMAIN_BDC: - basic->netbios_ptr = 1; - netbios_domain = get_global_sam_name(); - basic->machine_role = DSROLE_BDC; - break; - case ROLE_DOMAIN_PDC: - basic->netbios_ptr = 1; - netbios_domain = get_global_sam_name(); - basic->machine_role = DSROLE_PDC; - break; - } - - /* always set netbios name */ - - init_unistr2( &basic->netbios_domain, netbios_domain, UNI_STR_TERMINATE); - - if ( secrets_fetch_domain_guid( lp_workgroup(), &basic->domain_guid ) ) - basic->flags |= DSROLE_PRIMARY_DOMAIN_GUID_PRESENT; - - /* fill in some additional fields if we are a member of an AD domain */ - - if ( lp_security() == SEC_ADS ) { - fstrcpy( dnsdomain, lp_realm() ); - strlower_m( dnsdomain ); - - basic->dnsname_ptr = 1; - init_unistr2( &basic->dns_domain, dnsdomain, UNI_STR_TERMINATE); - - /* FIXME!! We really should fill in the correct forest - name. Should get this information from winbindd. 
*/ - basic->forestname_ptr = 1; - init_unistr2( &basic->forest_domain, dnsdomain, UNI_STR_TERMINATE); - } else { - /* security = domain should not fill in the dns or - forest name */ - basic->dnsname_ptr = 0; - basic->forestname_ptr = 0; - } - - *info = basic; - - return NT_STATUS_OK; -} - -/******************************************************************** - Implement the DsroleGetPrimaryDomainInfo() call - ********************************************************************/ - -NTSTATUS _dsrole_get_primary_dominfo(pipes_struct *p, DS_Q_GETPRIMDOMINFO *q_u, DS_R_GETPRIMDOMINFO *r_u) -{ - NTSTATUS result = NT_STATUS_OK; - uint32 level = q_u->level; - - switch ( level ) { - - case DsRolePrimaryDomainInfoBasic: - r_u->level = DsRolePrimaryDomainInfoBasic; - r_u->ptr = 1; - result = fill_dsrole_dominfo_basic( p->mem_ctx, &r_u->info.basic ); - break; - - default: - DEBUG(0,("_dsrole_get_primary_dominfo: Unsupported info level [%d]!\n", - level)); - result = NT_STATUS_INVALID_LEVEL; - } - - return result; -} - - - diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index 1b78772a79..1333d656d4 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c 
@@ -10,17 +10,18 @@ * Copyright (C) Simo Sorce 2003. * Copyright (C) Gerald (Jerry) Carter 2005. * Copyright (C) Volker Lendecke 2005. + * Copyright (C) Guenther Deschner 2008. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License * along with this program; if not, see <http://www.gnu.org/licenses/>. */ 
@@ -40,82 +41,31 @@ struct lsa_info { }; const struct generic_mapping lsa_generic_mapping = { - POLICY_READ, - POLICY_WRITE, - POLICY_EXECUTE, - POLICY_ALL_ACCESS + LSA_POLICY_READ, + LSA_POLICY_WRITE, + LSA_POLICY_EXECUTE, + LSA_POLICY_ALL_ACCESS }; -/******************************************************************* - Function to free the per handle data. - ********************************************************************/ - -static void free_lsa_info(void *ptr) -{ - struct lsa_info *lsa = (struct lsa_info *)ptr; - - SAFE_FREE(lsa); -} - /*************************************************************************** -Init dom_query - ***************************************************************************/ - -static void init_dom_query_3(DOM_QUERY_3 *d_q, const char *dom_name, DOM_SID *dom_sid) -{ - d_q->buffer_dom_name = (dom_name != NULL) ? 1 : 0; /* domain buffer pointer */ - d_q->buffer_dom_sid = (dom_sid != NULL) ? 1 : 0; /* domain sid pointer */ - - /* this string is supposed to be non-null terminated. */ - /* But the maxlen in this UNISTR2 must include the terminating null. */ - init_unistr2(&d_q->uni_domain_name, dom_name, UNI_BROKEN_NON_NULL); - - /* - * I'm not sure why this really odd combination of length - * values works, but it does appear to. I need to look at - * this *much* more closely - but at the moment leave alone - * until it's understood. This allows a W2k client to join - * a domain with both odd and even length names... JRA. - */ - - /* - * IMPORTANT NOTE !!!! - * The two fields below probably are reversed in meaning, ie. - * the first field is probably the str_len, the second the max - * len. Both are measured in bytes anyway. 
- */ - - d_q->uni_dom_str_len = d_q->uni_domain_name.uni_max_len * 2; - d_q->uni_dom_max_len = d_q->uni_domain_name.uni_str_len * 2; - - if (dom_sid != NULL) - init_dom_sid2(&d_q->dom_sid, dom_sid); -} - -/*************************************************************************** -Init dom_query - ***************************************************************************/ - -static void init_dom_query_5(DOM_QUERY_5 *d_q, const char *dom_name, DOM_SID *dom_sid) -{ - init_dom_query_3(d_q, dom_name, dom_sid); -} - -/*************************************************************************** - init_dom_ref - adds a domain if it's not already in, returns the index. + init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index. ***************************************************************************/ -static int init_dom_ref(DOM_R_REF *ref, const char *dom_name, DOM_SID *dom_sid) +static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx, + struct lsa_RefDomainList *ref, + const char *dom_name, + DOM_SID *dom_sid) { int num = 0; if (dom_name != NULL) { - for (num = 0; num < ref->num_ref_doms_1; num++) { - if (sid_equal(dom_sid, &ref->ref_dom[num].ref_dom.sid)) + for (num = 0; num < ref->count; num++) { + if (sid_equal(dom_sid, ref->domains[num].sid)) { return num; + } } } else { - num = ref->num_ref_doms_1; + num = ref->count; } if (num >= MAX_REF_DOMAINS) { 
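Review bot: The header comment on `init_lsa_ref_domain_list` still only says it "returns the index", although the function can also return -1 and now allocates on a caller-supplied `mem_ctx`. The `MAX_REF_DOMAINS` check that closes this hunk leads to one `return -1`, and the two allocation checks in the following hunk add two more. I would extend the comment to say so, for example `Returns the index into ref->domains, or -1 if the list is full or an allocation on mem_ctx fails.` The function body continues past the end of this hunk.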
@@ -123,32 +73,71 @@ static int init_dom_ref(DOM_R_REF *ref, const char *dom_name, DOM_SID *dom_sid) return -1; } - ref->num_ref_doms_1 = num+1; - ref->ptr_ref_dom = 1; - ref->max_entries = MAX_REF_DOMAINS; - ref->num_ref_doms_2 = num+1; + ref->count = num + 1; + ref->max_size = MAX_REF_DOMAINS; - ref->hdr_ref_dom[num].ptr_dom_sid = 1; /* dom sid cannot be NULL. */ - - init_unistr2(&ref->ref_dom[num].uni_dom_name, dom_name, UNI_FLAGS_NONE); - init_uni_hdr(&ref->hdr_ref_dom[num].hdr_dom_name, &ref->ref_dom[num].uni_dom_name); + ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains, + struct lsa_DomainInfo, ref->count); + if (!ref->domains) { + return -1; + } - init_dom_sid2(&ref->ref_dom[num].ref_dom, dom_sid ); + init_lsa_StringLarge(&ref->domains[num].name, dom_name); + ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid); + if (!ref->domains[num].sid) { + return -1; + } return num; } + +/******************************************************************* + Function to free the per handle data. + ********************************************************************/ + +static void free_lsa_info(void *ptr) +{ + struct lsa_info *lsa = (struct lsa_info *)ptr; + + SAFE_FREE(lsa); +} + +/*************************************************************************** + initialize a lsa_DomainInfo structure. + ***************************************************************************/ + +static void init_dom_query_3(struct lsa_DomainInfo *r, + const char *name, + DOM_SID *sid) +{ + init_lsa_StringLarge(&r->name, name); + r->sid = sid; +} + +/*************************************************************************** + initialize a lsa_DomainInfo structure. 
+ ***************************************************************************/ + +static void init_dom_query_5(struct lsa_DomainInfo *r, + const char *name, + DOM_SID *sid) +{ + init_lsa_StringLarge(&r->name, name); + r->sid = sid; +} + /*************************************************************************** lookup_lsa_rids. Must be called as root for lookup_name to work. ***************************************************************************/ static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx, - DOM_R_REF *ref, - DOM_RID *prid, - uint32 num_entries, - const UNISTR2 *name, - int flags, - uint32 *pmapped_count) + struct lsa_RefDomainList *ref, + struct lsa_TranslatedSid *prid, + uint32_t num_entries, + struct lsa_String *name, + int flags, + uint32_t *pmapped_count) { uint32 mapped_count, i; @@ -161,15 +150,14 @@ static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx, DOM_SID sid; uint32 rid; int dom_idx; - char *full_name; + const char *full_name; const char *domain; enum lsa_SidType type = SID_NAME_UNKNOWN; /* Split name into domain and user component */ - full_name = rpcstr_pull_unistr2_talloc(mem_ctx, &name[i]); + full_name = name[i].string; if (full_name == NULL) { - DEBUG(0, ("pull_ucs2_talloc failed\n")); return NT_STATUS_NO_MEMORY; } @@ -202,11 +190,11 @@ static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx, if (type != SID_NAME_UNKNOWN) { sid_split_rid(&sid, &rid); - dom_idx = init_dom_ref(ref, domain, &sid); + dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid); mapped_count++; } - init_dom_rid(&prid[i], rid, type, dom_idx); + init_lsa_translated_sid(&prid[i], type, rid, dom_idx); } *pmapped_count = mapped_count; 
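Review bot: In init_lsa_ref_domain_list, `ref->count` is raised to `num + 1` before either allocation has succeeded, and the result of TALLOC_REALLOC_ARRAY is written straight back into `ref->domains`. If the realloc fails, the list is left with a non-zero count and a NULL array, and if sid_dup_talloc fails the new entry is counted but has a NULL `sid`; the search loop at the top of the function would then index or compare through those on the next call. Growing into a temporary and publishing `count` last keeps the list consistent on every -1 return. The function's signature and search loop are in the previous hunk.

```c
	/* … unchanged: duplicate search and MAX_REF_DOMAINS check … */
	struct lsa_DomainInfo *grown;
	DOM_SID *new_sid;

	grown = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
				     struct lsa_DomainInfo, num + 1);
	if (!grown) {
		return -1;
	}
	ref->domains = grown;

	new_sid = sid_dup_talloc(mem_ctx, dom_sid);
	if (!new_sid) {
		return -1;
	}

	init_lsa_StringLarge(&ref->domains[num].name, dom_name);
	ref->domains[num].sid = new_sid;

	/* publish the entry only once it is fully built */
	ref->count = num + 1;
	ref->max_size = MAX_REF_DOMAINS;

	return num;
```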
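Review bot: The `full_name == NULL` test in lookup_lsa_rids no longer detects a failed allocation: `name[i].string` is read directly from the request structure, so NULL here means the caller supplied no string, yet the function still returns NT_STATUS_NO_MEMORY and the DEBUG line was dropped. A status that describes the input, e.g. `return NT_STATUS_INVALID_PARAMETER;`, would make the failure diagnosable; whether to fail the whole call or leave that entry unmapped is a protocol decision I cannot settle from this hunk. The same lines appear in lookup_lsa_sids in the `@@ -236,15 +224,14 @@` hunk. The loop body starts and ends outside this hunk.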
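Review bot: The return value of init_lsa_ref_domain_list is stored in `dom_idx` and `mapped_count` is incremented without checking for -1, which the helper now also returns when an allocation fails, not only when MAX_REF_DOMAINS is reached. A failed insert is therefore reported as a mapped name with a domain index of -1. I would test it right after the call, for example `if (dom_idx == -1) { return NT_STATUS_NO_MEMORY; }` (with a status chosen to suit the list-full case as well), or at least skip the `mapped_count++`. The call in lookup_lsa_sids (`@@ -279,164 +266,20 @@` hunk) has the same gap.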
@@ -218,12 +206,12 @@ static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx, ***************************************************************************/ static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx, - DOM_R_REF *ref, - LSA_TRANSLATED_SID3 *trans_sids, - uint32 num_entries, - const UNISTR2 *name, - int flags, - uint32 *pmapped_count) + struct lsa_RefDomainList *ref, + struct lsa_TranslatedSid3 *trans_sids, + uint32_t num_entries, + struct lsa_String *name, + int flags, + uint32 *pmapped_count) { uint32 mapped_count, i; @@ -236,15 +224,14 @@ static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx, DOM_SID sid; uint32 rid; int dom_idx; - char *full_name; + const char *full_name; const char *domain; enum lsa_SidType type = SID_NAME_UNKNOWN; /* Split name into domain and user component */ - full_name = rpcstr_pull_unistr2_talloc(mem_ctx, &name[i]); + full_name = name[i].string; if (full_name == NULL) { - DEBUG(0, ("pull_ucs2_talloc failed\n")); return NT_STATUS_NO_MEMORY; } 
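Review bot: The new lookup_lsa_sids prototype mixes `uint32_t num_entries` with `uint32 *pmapped_count`, and both it and lookup_lsa_rids drop the `const` that the old `const UNISTR2 *name` parameter carried. Neither function writes through `name` in the lines visible here, so I would keep `const struct lsa_String *name` and use `uint32_t *pmapped_count` to match lookup_lsa_rids. The function body continues outside this hunk.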
@@ -279,164 +266,20 @@ static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx, DOM_SID domain_sid; sid_copy(&domain_sid, &sid); sid_split_rid(&domain_sid, &rid); - dom_idx = init_dom_ref(ref, domain, &domain_sid); + dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid); mapped_count++; } - /* Initialize the LSA_TRANSLATED_SID3 return. */ + /* Initialize the lsa_TranslatedSid3 return. */ trans_sids[i].sid_type = type; - trans_sids[i].sid2 = TALLOC_P(mem_ctx, DOM_SID2); - if (trans_sids[i].sid2 == NULL) { - return NT_STATUS_NO_MEMORY; - } - init_dom_sid2(trans_sids[i].sid2, &sid); - trans_sids[i].sid_idx = dom_idx; + trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid); + trans_sids[i].sid_index = dom_idx; } *pmapped_count = mapped_count; return NT_STATUS_OK; } -/*************************************************************************** - init_reply_lookup_names - ***************************************************************************/ - -static void init_reply_lookup_names(LSA_R_LOOKUP_NAMES *r_l, - DOM_R_REF *ref, uint32 num_entries, - DOM_RID *rid, uint32 mapped_count) -{ - r_l->ptr_dom_ref = 1; - r_l->dom_ref = ref; - - r_l->num_entries = num_entries; - r_l->ptr_entries = 1; - r_l->num_entries2 = num_entries; - r_l->dom_rid = rid; - - r_l->mapped_count = mapped_count; -} - -/*************************************************************************** - init_reply_lookup_names2 - ***************************************************************************/ - -static void init_reply_lookup_names2(LSA_R_LOOKUP_NAMES2 *r_l, - DOM_R_REF *ref, uint32 num_entries, - DOM_RID2 *rid, uint32 mapped_count) -{ - r_l->ptr_dom_ref = 1; - r_l->dom_ref = ref; - - r_l->num_entries = num_entries; - r_l->ptr_entries = 1; - r_l->num_entries2 = num_entries; - r_l->dom_rid = rid; - - r_l->mapped_count = mapped_count; -} - -/*************************************************************************** - init_reply_lookup_names3 - 
***************************************************************************/ - -static void init_reply_lookup_names3(LSA_R_LOOKUP_NAMES3 *r_l, - DOM_R_REF *ref, uint32 num_entries, - LSA_TRANSLATED_SID3 *trans_sids, uint32 mapped_count) -{ - r_l->ptr_dom_ref = 1; - r_l->dom_ref = ref; - - r_l->num_entries = num_entries; - r_l->ptr_entries = 1; - r_l->num_entries2 = num_entries; - r_l->trans_sids = trans_sids; - - r_l->mapped_count = mapped_count; -} - -/*************************************************************************** - init_reply_lookup_names4 - ***************************************************************************/ - -static void init_reply_lookup_names4(LSA_R_LOOKUP_NAMES4 *r_l, - DOM_R_REF *ref, uint32 num_entries, - LSA_TRANSLATED_SID3 *trans_sids, uint32 mapped_count) -{ - r_l->ptr_dom_ref = 1; - r_l->dom_ref = ref; - - r_l->num_entries = num_entries; - r_l->ptr_entries = 1; - r_l->num_entries2 = num_entries; - r_l->trans_sids = trans_sids; - - r_l->mapped_count = mapped_count; -} - -/*************************************************************************** - Init_reply_lookup_sids. - ***************************************************************************/ - -static void init_reply_lookup_sids2(LSA_R_LOOKUP_SIDS2 *r_l, - DOM_R_REF *ref, - uint32 mapped_count) -{ - r_l->ptr_dom_ref = ref ? 1 : 0; - r_l->dom_ref = ref; - r_l->mapped_count = mapped_count; -} - -/*************************************************************************** - Init_reply_lookup_sids. - ***************************************************************************/ - -static void init_reply_lookup_sids3(LSA_R_LOOKUP_SIDS3 *r_l, - DOM_R_REF *ref, - uint32 mapped_count) -{ - r_l->ptr_dom_ref = ref ? 1 : 0; - r_l->dom_ref = ref; - r_l->mapped_count = mapped_count; -} - -/*************************************************************************** - Init_reply_lookup_sids. 
- ***************************************************************************/ - -static NTSTATUS init_reply_lookup_sids(TALLOC_CTX *mem_ctx, - LSA_R_LOOKUP_SIDS *r_l, - DOM_R_REF *ref, - LSA_TRANS_NAME_ENUM2 *names, - uint32 mapped_count) -{ - LSA_TRANS_NAME_ENUM *oldnames = &r_l->names; - - oldnames->num_entries = names->num_entries; - oldnames->ptr_trans_names = names->ptr_trans_names; - oldnames->num_entries2 = names->num_entries2; - oldnames->uni_name = names->uni_name; - - if (names->num_entries) { - int i; - - oldnames->name = TALLOC_ARRAY(mem_ctx, LSA_TRANS_NAME, names->num_entries); - - if (!oldnames->name) { - return NT_STATUS_NO_MEMORY; - } - for (i = 0; i < names->num_entries; i++) { - oldnames->name[i].sid_name_use = names->name[i].sid_name_use; - oldnames->name[i].hdr_name = names->name[i].hdr_name; - oldnames->name[i].domain_idx = names->name[i].domain_idx; - } - } - - r_l->ptr_dom_ref = ref ? 1 : 0; - r_l->dom_ref = ref; - r_l->mapped_count = mapped_count; - return NT_STATUS_OK; -} - static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size) { DOM_SID local_adm_sid; 
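Review bot: `trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);` is not checked, although the code it replaces returned NT_STATUS_NO_MEMORY when its allocation failed. On failure the entry now goes out with `sid_type` set and a NULL `sid`. I would restore the check: `if (trans_sids[i].sid == NULL) { return NT_STATUS_NO_MEMORY; }`. The loop this sits in starts outside the hunk.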
@@ -447,17 +290,17 @@ static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *s SEC_ACL *psa = NULL; - init_sec_access(&mask, POLICY_EXECUTE); + init_sec_access(&mask, LSA_POLICY_EXECUTE); init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); sid_copy(&adm_sid, get_global_sam_sid()); sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS); - init_sec_access(&mask, POLICY_ALL_ACCESS); + init_sec_access(&mask, LSA_POLICY_ALL_ACCESS); init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); sid_copy(&local_adm_sid, &global_sid_Builtin); sid_append_rid(&local_adm_sid, BUILTIN_ALIAS_RID_ADMINS); - init_sec_access(&mask, POLICY_ALL_ACCESS); + init_sec_access(&mask, LSA_POLICY_ALL_ACCESS); init_sec_ace(&ace[2], &local_adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, 3, ace)) == NULL) @@ -487,7 +330,7 @@ static void init_dns_dom_info(LSA_DNS_DOM_INFO *r_l, const char *nb_name, r_l->hdr_nb_dom_name.uni_max_len += 2; r_l->uni_nb_dom_name.uni_max_len += 1; } - + if (dns_name && *dns_name) { init_unistr2(&r_l->uni_dns_dom_name, dns_name, UNI_FLAGS_NONE); init_uni_hdr(&r_l->hdr_dns_dom_name, &r_l->uni_dns_dom_name); @@ -506,7 +349,7 @@ static void init_dns_dom_info(LSA_DNS_DOM_INFO *r_l, const char *nb_name, if (dom_guid) { memcpy(&r_l->dom_guid, dom_guid, sizeof(struct GUID)); } - + if (dom_sid) { r_l->ptr_dom_sid = 1; init_dom_sid2(&r_l->dom_sid, dom_sid); 
@@ -516,15 +359,16 @@ static void init_dns_dom_info(LSA_DNS_DOM_INFO *r_l, const char *nb_name, /*************************************************************************** - _lsa_open_policy2. + _lsa_OpenPolicy2 ***************************************************************************/ -NTSTATUS _lsa_open_policy2(pipes_struct *p, LSA_Q_OPEN_POL2 *q_u, LSA_R_OPEN_POL2 *r_u) +NTSTATUS _lsa_OpenPolicy2(pipes_struct *p, + struct lsa_OpenPolicy2 *r) { struct lsa_info *info; SEC_DESC *psd = NULL; size_t sd_size; - uint32 des_access=q_u->des_access; + uint32 des_access = r->in.access_mask; uint32 acc_granted; NTSTATUS status; @@ -547,7 +391,7 @@ NTSTATUS _lsa_open_policy2(pipes_struct *p, LSA_Q_OPEN_POL2 *q_u, LSA_R_OPEN_POL /* This is needed for lsa_open_account and rpcclient .... :-) */ if (p->pipe_user.ut.uid == sec_initial_uid()) - acc_granted = POLICY_ALL_ACCESS; + acc_granted = LSA_POLICY_ALL_ACCESS; /* associate the domain SID with the (unique) handle. */ if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL) @@ -558,22 +402,23 @@ NTSTATUS _lsa_open_policy2(pipes_struct *p, LSA_Q_OPEN_POL2 *q_u, LSA_R_OPEN_POL info->access = acc_granted; /* set up the LSA QUERY INFO response */ - if (!create_policy_hnd(p, &r_u->pol, free_lsa_info, (void *)info)) + if (!create_policy_hnd(p, r->out.handle, free_lsa_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; return NT_STATUS_OK; } /*************************************************************************** - _lsa_open_policy + _lsa_OpenPolicy ***************************************************************************/ -NTSTATUS _lsa_open_policy(pipes_struct *p, LSA_Q_OPEN_POL *q_u, LSA_R_OPEN_POL *r_u) +NTSTATUS _lsa_OpenPolicy(pipes_struct *p, + struct lsa_OpenPolicy *r) { struct lsa_info *info; SEC_DESC *psd = NULL; size_t sd_size; - uint32 des_access=q_u->des_access; + uint32 des_access= r->in.access_mask; uint32 acc_granted; NTSTATUS status; 
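Review bot: When create_policy_hnd fails, `_lsa_OpenPolicy2` returns without releasing `info`, which was obtained with SMB_MALLOC_P a few lines earlier and so is not tied to a talloc context. Unless create_policy_hnd frees its data pointer on failure (not visible here), each failed open leaks one struct lsa_info in a long-lived server process. Adding `SAFE_FREE(info);` before `return NT_STATUS_OBJECT_NAME_NOT_FOUND;` closes that; `_lsa_OpenPolicy` in the `@@ -603,23 +448,25 @@` hunk has the same pattern.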
@@ -603,23 +448,25 @@ NTSTATUS _lsa_open_policy(pipes_struct *p, LSA_Q_OPEN_POL *q_u, LSA_R_OPEN_POL * info->access = acc_granted; /* set up the LSA QUERY INFO response */ - if (!create_policy_hnd(p, &r_u->pol, free_lsa_info, (void *)info)) + if (!create_policy_hnd(p, r->out.handle, free_lsa_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; return NT_STATUS_OK; } /*************************************************************************** - _lsa_enum_trust_dom - this needs fixing to do more than return NULL ! JRA. + _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA. ufff, done :) mimir ***************************************************************************/ -NTSTATUS _lsa_enum_trust_dom(pipes_struct *p, LSA_Q_ENUM_TRUST_DOM *q_u, - LSA_R_ENUM_TRUST_DOM *r_u) +NTSTATUS _lsa_EnumTrustDom(pipes_struct *p, + struct lsa_EnumTrustDom *r) { struct lsa_info *info; uint32 next_idx; struct trustdom_info **domains; + struct lsa_DomainInfo *lsa_domains = NULL; + int i; /* * preferred length is set to 5 as a "our" preferred length @@ -628,16 +475,16 @@ NTSTATUS _lsa_enum_trust_dom(pipes_struct *p, LSA_Q_ENUM_TRUST_DOM *q_u, * it needs further investigation how to optimally choose this value */ uint32 max_num_domains = - q_u->preferred_len < 5 ? q_u->preferred_len : 10; + r->in.max_size < 5 ? r->in.max_size : 10; uint32 num_domains; NTSTATUS nt_status; uint32 num_thistime; - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; /* check if the user have enough rights */ - if (!(info->access & POLICY_VIEW_LOCAL_INFORMATION)) + if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains); 
@@ -646,81 +493,105 @@ NTSTATUS _lsa_enum_trust_dom(pipes_struct *p, LSA_Q_ENUM_TRUST_DOM *q_u, return nt_status; } - if (q_u->enum_context < num_domains) { + if (*r->in.resume_handle < num_domains) { num_thistime = MIN(num_domains, max_num_domains); - r_u->status = STATUS_MORE_ENTRIES; + nt_status = STATUS_MORE_ENTRIES; - if (q_u->enum_context + num_thistime > num_domains) { - num_thistime = num_domains - q_u->enum_context; - r_u->status = NT_STATUS_OK; + if (*r->in.resume_handle + num_thistime > num_domains) { + num_thistime = num_domains - *r->in.resume_handle; + nt_status = NT_STATUS_OK; } - next_idx = q_u->enum_context + num_thistime; + next_idx = *r->in.resume_handle + num_thistime; } else { num_thistime = 0; next_idx = 0xffffffff; - r_u->status = NT_STATUS_NO_MORE_ENTRIES; + nt_status = NT_STATUS_NO_MORE_ENTRIES; } - + /* set up the lsa_enum_trust_dom response */ - init_r_enum_trust_dom(p->mem_ctx, r_u, next_idx, - num_thistime, domains+q_u->enum_context); + lsa_domains = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo, + num_thistime); + if (!lsa_domains) { + return NT_STATUS_NO_MEMORY; + } - return r_u->status; + for (i=0; i<num_thistime; i++) { + init_lsa_StringLarge(&lsa_domains[i].name, domains[i]->name); + lsa_domains[i].sid = &domains[i]->sid; + } + + *r->out.resume_handle = next_idx; + r->out.domains->count = num_thistime; + r->out.domains->domains = lsa_domains; + + return nt_status; } +#define LSA_AUDIT_NUM_CATEGORIES_NT4 7 +#define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9 +#define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4 + /*************************************************************************** - _lsa_query_info. See the POLICY_INFOMATION_CLASS docs at msdn. 
+ _lsa_QueryInfoPolicy ***************************************************************************/ -NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INFO *r_u) +NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p, + struct lsa_QueryInfoPolicy *r) { + NTSTATUS status = NT_STATUS_OK; struct lsa_info *handle; - LSA_INFO_CTR *ctr = &r_u->ctr; DOM_SID domain_sid; const char *name; DOM_SID *sid = NULL; + union lsa_PolicyInformation *info = NULL; - r_u->status = NT_STATUS_OK; - - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) return NT_STATUS_INVALID_HANDLE; - switch (q_u->info_class) { + info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation); + if (!info) { + return NT_STATUS_NO_MEMORY; + } + + switch (r->in.level) { case 0x02: { uint32 policy_def = LSA_AUDIT_POLICY_ALL; - + /* check if the user have enough rights */ - if (!(handle->access & POLICY_VIEW_AUDIT_INFORMATION)) { - DEBUG(10,("_lsa_query_info: insufficient access rights\n")); + if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) { + DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n")); return NT_STATUS_ACCESS_DENIED; } /* fake info: We audit everything. 
;) */ - ctr->info.id2.ptr = 1; - ctr->info.id2.auditing_enabled = True; - ctr->info.id2.count1 = ctr->info.id2.count2 = LSA_AUDIT_NUM_CATEGORIES; - if ((ctr->info.id2.auditsettings = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, LSA_AUDIT_NUM_CATEGORIES)) == NULL) + info->audit_events.auditing_mode = true; + info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES; + info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx, + enum lsa_PolicyAuditPolicy, + info->audit_events.count); + if (!info->audit_events.settings) { return NT_STATUS_NO_MEMORY; + } - ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def; - ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def; - ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_LOGON] = policy_def; - ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def; - ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def; - ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def; - ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def; + info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def; + info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def; + info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def; + info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def; + info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def; + info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def; + info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def; break; } case 0x03: /* check if the user have enough rights */ - if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION)) + if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; /* Request PolicyPrimaryDomainInformation. */ 
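Review bot: The copy loop in _lsa_EnumTrustDom reads `domains[i]` starting at 0, whereas the removed call passed `domains+q_u->enum_context`, so a request with a non-zero resume handle gets the first `num_thistime` entries again instead of the next ones. Indexing from the resume point restores the old behaviour: `domains[*r->in.resume_handle + i]->name` and `&domains[*r->in.resume_handle + i]->sid`. Separately, `num_thistime` is 0 on the NT_STATUS_NO_MORE_ENTRIES path, so if TALLOC_ZERO_ARRAY returns NULL for a zero count (not visible here) that path would report NT_STATUS_NO_MEMORY instead. The function starts in an earlier hunk.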
@@ -745,21 +616,22 @@ NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INF default: return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } - init_dom_query_3(&r_u->ctr.info.id3, name, sid); + init_dom_query_3(&info->domain, name, sid); break; case 0x05: /* check if the user have enough rights */ - if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION)) + if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; /* Request PolicyAccountDomainInformation. */ name = get_global_sam_name(); sid = get_global_sam_sid(); - init_dom_query_5(&r_u->ctr.info.id5, name, sid); + + init_dom_query_5(&info->account_domain, name, sid); break; case 0x06: /* check if the user have enough rights */ - if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION)) + if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; switch (lp_server_role()) { @@ -768,29 +640,27 @@ NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INF * only a BDC is a backup controller * of the domain, it controls. */ - ctr->info.id6.server_role = 2; + info->role.role = 2; break; default: /* * any other role is a primary * of the domain, it controls. */ - ctr->info.id6.server_role = 3; - break; + info->role.role = 3; + break; } break; default: - DEBUG(0,("_lsa_query_info: unknown info level in Lsa Query: %d\n", q_u->info_class)); - r_u->status = NT_STATUS_INVALID_INFO_CLASS; + DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n", + r->in.level)); + status = NT_STATUS_INVALID_INFO_CLASS; break; } - if (NT_STATUS_IS_OK(r_u->status)) { - r_u->dom_ptr = 0x22000000; /* bizarre */ - ctr->info_class = q_u->info_class; - } + *r->out.info = info; - return r_u->status; + return status; } /*************************************************************************** 
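Review bot: `init_dom_query_3(&info->domain, name, sid)` now stores the caller's `sid` pointer, where the removed version went through init_dom_sid2 into a field embedded in the reply and so appears to have copied the SID. `info` is handed back through `*r->out.info` and is presumably read after _lsa_QueryInfoPolicy has returned. If any branch of case 0x03 outside this hunk sets `sid = &domain_sid`, the local declared at the top of the function, the reply would then be built from a dead stack slot. Duplicating onto the request context removes the lifetime question, e.g. `init_dom_query_3(&info->domain, name, sid ? sid_dup_talloc(p->mem_ctx, sid) : NULL);` followed by a NULL check when `sid` was set. The same applies to the init_dom_query_5 call a few lines below if its SID source ever stops being a global.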
@@ -798,38 +668,40 @@ NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INF ***************************************************************************/ static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p, - uint16 level, /* input */ - int num_sids, /* input */ - const DOM_SID2 *sid, /* input */ - DOM_R_REF **pp_ref, /* output */ - LSA_TRANS_NAME_ENUM2 *names, /* input/output */ - uint32 *pp_mapped_count) + TALLOC_CTX *mem_ctx, + uint16_t level, /* input */ + int num_sids, /* input */ + struct lsa_SidPtr *sid, /* input */ + struct lsa_RefDomainList **pp_ref, /* input/output */ + struct lsa_TranslatedName2 **pp_names,/* input/output */ + uint32_t *pp_mapped_count) /* input/output */ { NTSTATUS status; int i; const DOM_SID **sids = NULL; - DOM_R_REF *ref = NULL; + struct lsa_RefDomainList *ref = NULL; uint32 mapped_count = 0; struct lsa_dom_info *dom_infos = NULL; struct lsa_name_info *name_infos = NULL; + struct lsa_TranslatedName2 *names = NULL; *pp_mapped_count = 0; + *pp_names = NULL; *pp_ref = NULL; - ZERO_STRUCTP(names); if (num_sids == 0) { return NT_STATUS_OK; } sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids); - ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF); + ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList); if (sids == NULL || ref == NULL) { return NT_STATUS_NO_MEMORY; } for (i=0; i<num_sids; i++) { - sids[i] = &sid[i].sid; + sids[i] = sid[i].sid; } status = lookup_sids(p->mem_ctx, num_sids, sids, level, @@ -839,9 +711,8 @@ static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p, return status; } - names->name = TALLOC_ARRAY(p->mem_ctx, LSA_TRANS_NAME2, num_sids); - names->uni_name = TALLOC_ARRAY(p->mem_ctx, UNISTR2, num_sids); - if ((names->name == NULL) || (names->uni_name == NULL)) { + names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids); + if (names == NULL) { return NT_STATUS_NO_MEMORY; } 
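Review bot: `sids[i] = sid[i].sid;` copies a pointer that comes from the request, where the old code took the address of an embedded structure (`&sid[i].sid`) and could not produce NULL. Nothing visible in this hunk rejects a NULL entry before the array is passed to lookup_sids, so a malformed request may lead to a NULL dereference further down, depending on what lookup_sids tolerates. A guard in the loop would settle it: `if (sid[i].sid == NULL) { return NT_STATUS_INVALID_PARAMETER; }`. The function continues beyond this hunk.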
@@ -851,8 +722,9 @@ static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p, break; } - if (init_dom_ref(ref, dom_infos[i].name, - &dom_infos[i].sid) != i) { + if (init_lsa_ref_domain_list(mem_ctx, ref, + dom_infos[i].name, + &dom_infos[i].sid) != i) { DEBUG(0, ("Domain %s mentioned twice??\n", dom_infos[i].name)); return NT_STATUS_INTERNAL_ERROR; @@ -871,7 +743,7 @@ static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p, * RID as 8 bytes hex, in others it returns the full * SID. We (Jerry/VL) could not figure out which the * hard cases are, so leave it with the SID. */ - name->name = talloc_asprintf(p->mem_ctx, "%s", + name->name = talloc_asprintf(p->mem_ctx, "%s", sid_to_fstring(tmp, sids[i])); if (name->name == NULL) { @@ -880,13 +752,10 @@ static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p, } else { mapped_count += 1; } - init_lsa_trans_name2(&names->name[i], &names->uni_name[i], - name->type, name->name, name->dom_idx); - } - names->num_entries = num_sids; - names->ptr_trans_names = 1; - names->num_entries2 = num_sids; + init_lsa_translated_name2(&names[i], name->type, + name->name, name->dom_idx, 0); + } status = NT_STATUS_NONE_MAPPED; if (mapped_count > 0) { 
@@ -898,147 +767,173 @@ static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p, num_sids, mapped_count, nt_errstr(status))); *pp_mapped_count = mapped_count; + *pp_names = names; *pp_ref = ref; return status; } /*************************************************************************** - _lsa_lookup_sids + _lsa_LookupSids ***************************************************************************/ -NTSTATUS _lsa_lookup_sids(pipes_struct *p, - LSA_Q_LOOKUP_SIDS *q_u, - LSA_R_LOOKUP_SIDS *r_u) +NTSTATUS _lsa_LookupSids(pipes_struct *p, + struct lsa_LookupSids *r) { + NTSTATUS status; struct lsa_info *handle; - int num_sids = q_u->sids.num_entries; + int num_sids = r->in.sids->num_sids; uint32 mapped_count = 0; - DOM_R_REF *ref = NULL; - LSA_TRANS_NAME_ENUM2 names; - NTSTATUS status; + struct lsa_RefDomainList *domains = NULL; + struct lsa_TranslatedName *names_out = NULL; + struct lsa_TranslatedName2 *names = NULL; + int i; - if ((q_u->level < 1) || (q_u->level > 6)) { + if ((r->in.level < 1) || (r->in.level > 6)) { return NT_STATUS_INVALID_PARAMETER; } - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) { + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) { return NT_STATUS_INVALID_HANDLE; } /* check if the user has enough rights */ - if (!(handle->access & POLICY_LOOKUP_NAMES)) { + if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) { return NT_STATUS_ACCESS_DENIED; } if (num_sids > MAX_LOOKUP_SIDS) { - DEBUG(5,("_lsa_lookup_sids: limit of %d exceeded, requested %d\n", + DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n", MAX_LOOKUP_SIDS, num_sids)); return NT_STATUS_NONE_MAPPED; } - r_u->status = _lsa_lookup_sids_internal(p, - q_u->level, - num_sids, - q_u->sids.sid, - &ref, - &names, - &mapped_count); + status = _lsa_lookup_sids_internal(p, + p->mem_ctx, + r->in.level, + num_sids, + r->in.sids->sids, + &domains, + &names, + &mapped_count); - /* Convert from LSA_TRANS_NAME_ENUM2 to LSA_TRANS_NAME_ENUM */ + /* 
Convert from lsa_TranslatedName2 to lsa_TranslatedName */ + names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName, + num_sids); + if (!names_out) { + return NT_STATUS_NO_MEMORY; + } - status = init_reply_lookup_sids(p->mem_ctx, r_u, ref, &names, mapped_count); - if (!NT_STATUS_IS_OK(status)) { - return status; + for (i=0; i<num_sids; i++) { + names_out[i].sid_type = names[i].sid_type; + names_out[i].name = names[i].name; + names_out[i].sid_index = names[i].sid_index; } - return r_u->status; + + *r->out.domains = domains; + r->out.names->count = num_sids; + r->out.names->names = names_out; + *r->out.count = mapped_count; + + return status; } /*************************************************************************** - _lsa_lookup_sids2 + _lsa_LookupSids2 ***************************************************************************/ -NTSTATUS _lsa_lookup_sids2(pipes_struct *p, - LSA_Q_LOOKUP_SIDS2 *q_u, - LSA_R_LOOKUP_SIDS2 *r_u) +NTSTATUS _lsa_LookupSids2(pipes_struct *p, + struct lsa_LookupSids2 *r) { + NTSTATUS status; struct lsa_info *handle; - int num_sids = q_u->sids.num_entries; + int num_sids = r->in.sids->num_sids; uint32 mapped_count = 0; - DOM_R_REF *ref = NULL; + struct lsa_RefDomainList *domains = NULL; + struct lsa_TranslatedName2 *names = NULL; + bool check_policy = true; - if ((q_u->level < 1) || (q_u->level > 6)) { - return NT_STATUS_INVALID_PARAMETER; + switch (p->hdr_req.opnum) { + case NDR_LSA_LOOKUPSIDS3: + check_policy = false; + break; + case NDR_LSA_LOOKUPSIDS2: + default: + check_policy = true; } - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) { - return NT_STATUS_INVALID_HANDLE; + if ((r->in.level < 1) || (r->in.level > 6)) { + return NT_STATUS_INVALID_PARAMETER; } - /* check if the user have enough rights */ - if (!(handle->access & POLICY_LOOKUP_NAMES)) { - return NT_STATUS_ACCESS_DENIED; + if (check_policy) { + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) { + return 
NT_STATUS_INVALID_HANDLE; + } + + /* check if the user have enough rights */ + if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) { + return NT_STATUS_ACCESS_DENIED; + } } if (num_sids > MAX_LOOKUP_SIDS) { - DEBUG(5,("_lsa_lookup_sids2: limit of %d exceeded, requested %d\n", + DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n", MAX_LOOKUP_SIDS, num_sids)); return NT_STATUS_NONE_MAPPED; } - r_u->status = _lsa_lookup_sids_internal(p, - q_u->level, - num_sids, - q_u->sids.sid, - &ref, - &r_u->names, - &mapped_count); + status = _lsa_lookup_sids_internal(p, + p->mem_ctx, + r->in.level, + num_sids, + r->in.sids->sids, + &domains, + &names, + &mapped_count); - init_reply_lookup_sids2(r_u, ref, mapped_count); - return r_u->status; + *r->out.domains = domains; + r->out.names->count = num_sids; + r->out.names->names = names; + *r->out.count = mapped_count; + + return status; } /*************************************************************************** - _lsa_lookup_sida3 + _lsa_LookupSids3 ***************************************************************************/ -NTSTATUS _lsa_lookup_sids3(pipes_struct *p, - LSA_Q_LOOKUP_SIDS3 *q_u, - LSA_R_LOOKUP_SIDS3 *r_u) +NTSTATUS _lsa_LookupSids3(pipes_struct *p, + struct lsa_LookupSids3 *r) { - int num_sids = q_u->sids.num_entries; - uint32 mapped_count = 0; - DOM_R_REF *ref = NULL; - - if ((q_u->level < 1) || (q_u->level > 6)) { - return NT_STATUS_INVALID_PARAMETER; - } + struct lsa_LookupSids2 q; /* No policy handle on this call. Restrict to crypto connections. 
*/ if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) { - DEBUG(0,("_lsa_lookup_sids3: client %s not using schannel for netlogon\n", + DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n", get_remote_machine_name() )); return NT_STATUS_INVALID_PARAMETER; } - if (num_sids > MAX_LOOKUP_SIDS) { - DEBUG(5,("_lsa_lookup_sids3: limit of %d exceeded, requested %d\n", - MAX_LOOKUP_SIDS, num_sids)); - return NT_STATUS_NONE_MAPPED; - } + q.in.handle = NULL; + q.in.sids = r->in.sids; + q.in.level = r->in.level; + q.in.unknown1 = r->in.unknown1; + q.in.unknown2 = r->in.unknown2; + q.in.names = r->in.names; + q.in.count = r->in.count; - r_u->status = _lsa_lookup_sids_internal(p, - q_u->level, - num_sids, - q_u->sids.sid, - &ref, - &r_u->names, - &mapped_count); + q.out.domains = r->out.domains; + q.out.names = r->out.names; + q.out.count = r->out.count; - init_reply_lookup_sids3(r_u, ref, mapped_count); - return r_u->status; + return _lsa_LookupSids2(p, &q); } +/*************************************************************************** + ***************************************************************************/ + static int lsa_lookup_level_to_flags(uint16 level) { int flags; 
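Review bot: In _lsa_LookupSids the conversion loop reads `names[i]` for every `i < num_sids` without looking at what _lsa_lookup_sids_internal returned. That helper sets `*pp_names = NULL` on entry and only assigns it at the very end, so on any early error return (an allocation failure, or a failing lookup_sids) `names` is still NULL and the loop dereferences it. Since NT_STATUS_NONE_MAPPED and STATUS_SOME_UNMAPPED still come with a filled array, testing the pointer is the safer guard: `if (names == NULL && num_sids != 0) { return status; }`, placed before the TALLOC_ARRAY for `names_out`.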
@@ -1065,33 +960,37 @@ static int lsa_lookup_level_to_flags(uint16 level) } /*************************************************************************** -lsa_reply_lookup_names + _lsa_LookupNames ***************************************************************************/ -NTSTATUS _lsa_lookup_names(pipes_struct *p,LSA_Q_LOOKUP_NAMES *q_u, LSA_R_LOOKUP_NAMES *r_u) +NTSTATUS _lsa_LookupNames(pipes_struct *p, + struct lsa_LookupNames *r) { + NTSTATUS status = NT_STATUS_NONE_MAPPED; struct lsa_info *handle; - UNISTR2 *names = q_u->uni_name; - uint32 num_entries = q_u->num_entries; - DOM_R_REF *ref; - DOM_RID *rids; + struct lsa_String *names = r->in.names; + uint32 num_entries = r->in.num_names; + struct lsa_RefDomainList *domains = NULL; + struct lsa_TranslatedSid *rids = NULL; uint32 mapped_count = 0; int flags = 0; if (num_entries > MAX_LOOKUP_SIDS) { num_entries = MAX_LOOKUP_SIDS; - DEBUG(5,("_lsa_lookup_names: truncating name lookup list to %d\n", num_entries)); + DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n", + num_entries)); } - - flags = lsa_lookup_level_to_flags(q_u->lookup_level); - ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF); - if (!ref) { + flags = lsa_lookup_level_to_flags(r->in.level); + + domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList); + if (!domains) { return NT_STATUS_NO_MEMORY; } if (num_entries) { - rids = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_RID, num_entries); + rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid, + num_entries); if (!rids) { return NT_STATUS_NO_MEMORY; } 
@@ -1099,146 +998,136 @@ NTSTATUS _lsa_lookup_names(pipes_struct *p,LSA_Q_LOOKUP_NAMES *q_u, LSA_R_LOOKUP rids = NULL; } - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) { - r_u->status = NT_STATUS_INVALID_HANDLE; + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) { + status = NT_STATUS_INVALID_HANDLE; goto done; } /* check if the user have enough rights */ - if (!(handle->access & POLICY_LOOKUP_NAMES)) { - r_u->status = NT_STATUS_ACCESS_DENIED; + if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) { + status = NT_STATUS_ACCESS_DENIED; goto done; } /* set up the LSA Lookup RIDs response */ become_root(); /* lookup_name can require root privs */ - r_u->status = lookup_lsa_rids(p->mem_ctx, ref, rids, num_entries, - names, flags, &mapped_count); + status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries, + names, flags, &mapped_count); unbecome_root(); done: - if (NT_STATUS_IS_OK(r_u->status) && (num_entries != 0) ) { - if (mapped_count == 0) - r_u->status = NT_STATUS_NONE_MAPPED; - else if (mapped_count != num_entries) - r_u->status = STATUS_SOME_UNMAPPED; + if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) { + if (mapped_count == 0) { + status = NT_STATUS_NONE_MAPPED; + } else if (mapped_count != num_entries) { + status = STATUS_SOME_UNMAPPED; + } } - init_reply_lookup_names(r_u, ref, num_entries, rids, mapped_count); - return r_u->status; + *r->out.count = num_entries; + *r->out.domains = domains; + r->out.sids->sids = rids; + r->out.sids->count = mapped_count; + + return status; } /*************************************************************************** -lsa_reply_lookup_names2 + _lsa_LookupNames2 ***************************************************************************/ -NTSTATUS _lsa_lookup_names2(pipes_struct *p, LSA_Q_LOOKUP_NAMES2 *q_u, LSA_R_LOOKUP_NAMES2 *r_u) +NTSTATUS _lsa_LookupNames2(pipes_struct *p, + struct lsa_LookupNames2 *r) { - struct lsa_info *handle; - UNISTR2 *names = q_u->uni_name; - uint32 
num_entries = q_u->num_entries; - DOM_R_REF *ref; - DOM_RID *rids; - DOM_RID2 *rids2; - int i; - uint32 mapped_count = 0; - int flags = 0; - - if (num_entries > MAX_LOOKUP_SIDS) { - num_entries = MAX_LOOKUP_SIDS; - DEBUG(5,("_lsa_lookup_names2: truncating name lookup list to %d\n", num_entries)); - } - - flags = lsa_lookup_level_to_flags(q_u->lookup_level); + NTSTATUS status; + struct lsa_LookupNames q; + struct lsa_TransSidArray2 *sid_array2 = r->in.sids; + struct lsa_TransSidArray *sid_array = NULL; + uint32_t i; - ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF); - if (ref == NULL) { - r_u->status = NT_STATUS_NO_MEMORY; + sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray); + if (!sid_array) { return NT_STATUS_NO_MEMORY; } - if (num_entries) { - rids = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_RID, num_entries); - rids2 = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_RID2, num_entries); - if ((rids == NULL) || (rids2 == NULL)) { - r_u->status = NT_STATUS_NO_MEMORY; - return NT_STATUS_NO_MEMORY; - } - } else { - rids = NULL; - rids2 = NULL; - } - - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) { - r_u->status = NT_STATUS_INVALID_HANDLE; - goto done; - } - - /* check if the user have enough rights */ - if (!(handle->access & POLICY_LOOKUP_NAMES)) { - r_u->status = NT_STATUS_ACCESS_DENIED; - goto done; - } + q.in.handle = r->in.handle; + q.in.num_names = r->in.num_names; + q.in.names = r->in.names; + q.in.level = r->in.level; + q.in.sids = sid_array; + q.in.count = r->in.count; + /* we do not know what this is for */ + /* = r->in.unknown1; */ + /* = r->in.unknown2; */ - /* set up the LSA Lookup RIDs response */ - become_root(); /* lookup_name can require root privs */ - r_u->status = lookup_lsa_rids(p->mem_ctx, ref, rids, num_entries, - names, flags, &mapped_count); - unbecome_root(); + q.out.domains = r->out.domains; + q.out.sids = sid_array; + q.out.count = r->out.count; -done: + status = _lsa_LookupNames(p, &q); - if (NT_STATUS_IS_OK(r_u->status)) { - if 
(mapped_count == 0) { - r_u->status = NT_STATUS_NONE_MAPPED; - } else if (mapped_count != num_entries) { - r_u->status = STATUS_SOME_UNMAPPED; - } + sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count); + if (!sid_array2->sids) { + return NT_STATUS_NO_MEMORY; } - /* Convert the rids array to rids2. */ - for (i = 0; i < num_entries; i++) { - rids2[i].type = rids[i].type; - rids2[i].rid = rids[i].rid; - rids2[i].rid_idx = rids[i].rid_idx; - rids2[i].unknown = 0; + for (i=0; i<sid_array->count; i++) { + sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type; + sid_array2->sids[i].rid = sid_array->sids[i].rid; + sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index; + sid_array2->sids[i].unknown = 0; } - init_reply_lookup_names2(r_u, ref, num_entries, rids2, mapped_count); - return r_u->status; + r->out.sids = sid_array2; + + return status; } /*************************************************************************** -lsa_reply_lookup_names3. + _lsa_LookupNames3 ***************************************************************************/ -NTSTATUS _lsa_lookup_names3(pipes_struct *p, LSA_Q_LOOKUP_NAMES3 *q_u, LSA_R_LOOKUP_NAMES3 *r_u) +NTSTATUS _lsa_LookupNames3(pipes_struct *p, + struct lsa_LookupNames3 *r) { + NTSTATUS status; struct lsa_info *handle; - UNISTR2 *names = q_u->uni_name; - uint32 num_entries = q_u->num_entries; - DOM_R_REF *ref = NULL; - LSA_TRANSLATED_SID3 *trans_sids = NULL; + struct lsa_String *names = r->in.names; + uint32 num_entries = r->in.num_names; + struct lsa_RefDomainList *domains = NULL; + struct lsa_TranslatedSid3 *trans_sids = NULL; uint32 mapped_count = 0; int flags = 0; + bool check_policy = true; + + switch (p->hdr_req.opnum) { + case NDR_LSA_LOOKUPNAMES4: + check_policy = false; + break; + case NDR_LSA_LOOKUPNAMES3: + default: + check_policy = true; + } if (num_entries > MAX_LOOKUP_SIDS) { num_entries = MAX_LOOKUP_SIDS; - DEBUG(5,("_lsa_lookup_names3: truncating name lookup list to %d\n", 
num_entries)); + DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries)); } - + /* Probably the lookup_level is some sort of bitmask. */ - if (q_u->lookup_level == 1) { + if (r->in.level == 1) { flags = LOOKUP_NAME_ALL; } - ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF); - if (ref == NULL) { + domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList); + if (!domains) { return NT_STATUS_NO_MEMORY; } + if (num_entries) { - trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, LSA_TRANSLATED_SID3, num_entries); + trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3, + num_entries); if (!trans_sids) { return NT_STATUS_NO_MEMORY; } 
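Review bot: The two output counts at the end of `_lsa_LookupNames` look swapped: `rids` is allocated with `num_entries` elements, yet `r->out.sids->count` is set to `mapped_count` while `*r->out.count` receives `num_entries`. If the array count drives marshalling, a partially mapped request would return a truncated array, and `_lsa_LookupNames2` then copies only `sid_array->count` entries into `sid_array2`. I would write `*r->out.count = mapped_count;` and `r->out.sids->count = num_entries;`; the same pair of assignments appears in `_lsa_LookupNames3` in the next hunk. `_lsa_LookupNames` begins in the previous hunk and `_lsa_LookupNames3` continues past this one.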
@@ -1246,59 +1135,52 @@ NTSTATUS _lsa_lookup_names3(pipes_struct *p, LSA_Q_LOOKUP_NAMES3 *q_u, LSA_R_LOO trans_sids = NULL; } - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) { - r_u->status = NT_STATUS_INVALID_HANDLE; - goto done; - } + if (check_policy) { - /* check if the user have enough rights */ - if (!(handle->access & POLICY_LOOKUP_NAMES)) { - r_u->status = NT_STATUS_ACCESS_DENIED; - goto done; + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) { + status = NT_STATUS_INVALID_HANDLE; + goto done; + } + + /* check if the user have enough rights */ + if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) { + status = NT_STATUS_ACCESS_DENIED; + goto done; + } } /* set up the LSA Lookup SIDs response */ become_root(); /* lookup_name can require root privs */ - r_u->status = lookup_lsa_sids(p->mem_ctx, ref, trans_sids, num_entries, - names, flags, &mapped_count); + status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries, + names, flags, &mapped_count); unbecome_root(); done: - if (NT_STATUS_IS_OK(r_u->status)) { + if (NT_STATUS_IS_OK(status)) { if (mapped_count == 0) { - r_u->status = NT_STATUS_NONE_MAPPED; + status = NT_STATUS_NONE_MAPPED; } else if (mapped_count != num_entries) { - r_u->status = STATUS_SOME_UNMAPPED; + status = STATUS_SOME_UNMAPPED; } } - init_reply_lookup_names3(r_u, ref, num_entries, trans_sids, mapped_count); - return r_u->status; + *r->out.count = num_entries; + *r->out.domains = domains; + r->out.sids->sids = trans_sids; + r->out.sids->count = mapped_count; + + return status; } /*************************************************************************** -lsa_reply_lookup_names4. 
+ _lsa_LookupNames4 ***************************************************************************/ -NTSTATUS _lsa_lookup_names4(pipes_struct *p, LSA_Q_LOOKUP_NAMES4 *q_u, LSA_R_LOOKUP_NAMES4 *r_u) +NTSTATUS _lsa_LookupNames4(pipes_struct *p, + struct lsa_LookupNames4 *r) { - UNISTR2 *names = q_u->uni_name; - uint32 num_entries = q_u->num_entries; - DOM_R_REF *ref = NULL; - LSA_TRANSLATED_SID3 *trans_sids = NULL; - uint32 mapped_count = 0; - int flags = 0; - - if (num_entries > MAX_LOOKUP_SIDS) { - num_entries = MAX_LOOKUP_SIDS; - DEBUG(5,("_lsa_lookup_names4: truncating name lookup list to %d\n", num_entries)); - } - - /* Probably the lookup_level is some sort of bitmask. */ - if (q_u->lookup_level == 1) { - flags = LOOKUP_NAME_ALL; - } + struct lsa_LookupNames3 q; /* No policy handle on this call. Restrict to crypto connections. */ if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) { 
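Review bot: The `if (check_policy)` guard makes the handle lookup and the `LSA_POLICY_LOOKUP_NAMES` test depend on `p->hdr_req.opnum`, a value taken from the wire request rather than passed in by the caller of `_lsa_LookupNames3`. The unchecked path is then protected only by the schannel test in `_lsa_LookupNames4`, which forwards `q.in.handle = NULL` in the next hunk, so the two functions must stay in step. A comment at the guard would record that, e.g. `/* LookupNames4 has no policy handle; it must have enforced schannel before calling here */`. A static helper taking an explicit `bool check_policy` would remove the dependency on the opnum altogether. `_lsa_LookupNames3` starts in the previous hunk.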
@@ -1307,36 +1189,20 @@ NTSTATUS _lsa_lookup_names4(pipes_struct *p, LSA_Q_LOOKUP_NAMES4 *q_u, LSA_R_LOO return NT_STATUS_INVALID_PARAMETER; } - ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF); - if (!ref) { - return NT_STATUS_NO_MEMORY; - } + q.in.handle = NULL; + q.in.num_names = r->in.num_names; + q.in.names = r->in.names; + q.in.level = r->in.level; + q.in.unknown1 = r->in.unknown1; + q.in.unknown2 = r->in.unknown2; + q.in.sids = r->in.sids; + q.in.count = r->in.count; - if (num_entries) { - trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, LSA_TRANSLATED_SID3, num_entries); - if (!trans_sids) { - return NT_STATUS_NO_MEMORY; - } - } else { - trans_sids = NULL; - } + q.out.domains = r->out.domains; + q.out.sids = r->out.sids; + q.out.count = r->out.count; - /* set up the LSA Lookup SIDs response */ - become_root(); /* lookup_name can require root privs */ - r_u->status = lookup_lsa_sids(p->mem_ctx, ref, trans_sids, num_entries, - names, flags, &mapped_count); - unbecome_root(); - - if (NT_STATUS_IS_OK(r_u->status)) { - if (mapped_count == 0) { - r_u->status = NT_STATUS_NONE_MAPPED; - } else if (mapped_count != num_entries) { - r_u->status = STATUS_SOME_UNMAPPED; - } - } - - init_reply_lookup_names4(r_u, ref, num_entries, trans_sids, mapped_count); - return r_u->status; + return _lsa_LookupNames3(p, &q); } /*************************************************************************** 
@@ -1394,86 +1260,94 @@ NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r) } /*************************************************************************** + _lsa_DeleteObject ***************************************************************************/ -NTSTATUS _lsa_delete_object(pipes_struct *p, LSA_Q_DELETE_OBJECT *q_u, LSA_R_DELETE_OBJECT *r_u) +NTSTATUS _lsa_DeleteObject(pipes_struct *p, + struct lsa_DeleteObject *r) { return NT_STATUS_ACCESS_DENIED; } /*************************************************************************** -_lsa_enum_privs. + _lsa_EnumPrivs ***************************************************************************/ -NTSTATUS _lsa_enum_privs(pipes_struct *p, LSA_Q_ENUM_PRIVS *q_u, LSA_R_ENUM_PRIVS *r_u) +NTSTATUS _lsa_EnumPrivs(pipes_struct *p, + struct lsa_EnumPrivs *r) { struct lsa_info *handle; uint32 i; - uint32 enum_context = q_u->enum_context; + uint32 enum_context = *r->in.resume_handle; int num_privs = count_all_privileges(); - LSA_PRIV_ENTRY *entries = NULL; + struct lsa_PrivEntry *entries = NULL; LUID_ATTR luid; /* remember that the enum_context starts at 0 and not 1 */ if ( enum_context >= num_privs ) return NT_STATUS_NO_MORE_ENTRIES; - - DEBUG(10,("_lsa_enum_privs: enum_context:%d total entries:%d\n", + + DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n", enum_context, num_privs)); - - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) + + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) return NT_STATUS_INVALID_HANDLE; /* check if the user have enough rights I don't know if it's the right one. not documented. 
*/ - if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION)) + if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; if (num_privs) { - if ( !(entries = TALLOC_ZERO_ARRAY(p->mem_ctx, LSA_PRIV_ENTRY, num_privs )) ) + entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs); + if (!entries) { return NT_STATUS_NO_MEMORY; + } } else { entries = NULL; } for (i = 0; i < num_privs; i++) { if( i < enum_context) { - init_unistr2(&entries[i].name, NULL, UNI_FLAGS_NONE); - init_uni_hdr(&entries[i].hdr_name, &entries[i].name); - - entries[i].luid_low = 0; - entries[i].luid_high = 0; + + init_lsa_StringLarge(&entries[i].name, NULL); + + entries[i].luid.low = 0; + entries[i].luid.high = 0; } else { - init_unistr2(&entries[i].name, privs[i].name, UNI_FLAGS_NONE); - init_uni_hdr(&entries[i].hdr_name, &entries[i].name); - + + init_lsa_StringLarge(&entries[i].name, privs[i].name); + luid = get_privilege_luid( &privs[i].se_priv ); - - entries[i].luid_low = luid.luid.low; - entries[i].luid_high = luid.luid.high; + + entries[i].luid.low = luid.luid.low; + entries[i].luid.high = luid.luid.high; } } enum_context = num_privs; - - init_lsa_r_enum_privs(r_u, enum_context, num_privs, entries); + + *r->out.resume_handle = enum_context; + r->out.privs->count = num_privs; + r->out.privs->privs = entries; return NT_STATUS_OK; } /*************************************************************************** -_lsa_priv_get_dispname. 
+ _lsa_LookupPrivDisplayName ***************************************************************************/ -NTSTATUS _lsa_priv_get_dispname(pipes_struct *p, LSA_Q_PRIV_GET_DISPNAME *q_u, LSA_R_PRIV_GET_DISPNAME *r_u) +NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p, + struct lsa_LookupPrivDisplayName *r) { struct lsa_info *handle; - fstring name_asc; const char *description; + struct lsa_StringLarge *lsa_name; - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) return NT_STATUS_INVALID_HANDLE; /* check if the user have enough rights */ 
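Review bot: `_lsa_EnumPrivs` returns `NT_STATUS_NO_MORE_ENTRIES` from the `enum_context >= num_privs` test before `find_policy_by_hnd()` and the `LSA_POLICY_VIEW_LOCAL_INFORMATION` check have run, so a caller holding an invalid or under-privileged handle still gets an answer that depends on its input. Moving that test below the access check keeps handle validation first. The test also compares `uint32 enum_context` with `int num_privs`, which is worth making explicit with a cast once the order is fixed. `_lsa_LookupPrivDisplayName` starts at the end of this hunk and continues in the next one.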
@@ -1481,50 +1355,49 @@ NTSTATUS _lsa_priv_get_dispname(pipes_struct *p, LSA_Q_PRIV_GET_DISPNAME *q_u, L /* * I don't know if it's the right one. not documented. */ - if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION)) + if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; - unistr2_to_ascii(name_asc, &q_u->name, sizeof(name_asc)); + DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string)); - DEBUG(10,("_lsa_priv_get_dispname: name = %s\n", name_asc)); + description = get_privilege_dispname(r->in.name->string); + if (!description) { + DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n")); + return NT_STATUS_NO_SUCH_PRIVILEGE; + } - description = get_privilege_dispname( name_asc ); - - if ( description ) { - DEBUG(10,("_lsa_priv_get_dispname: display name = %s\n", description)); - - init_unistr2(&r_u->desc, description, UNI_FLAGS_NONE); - init_uni_hdr(&r_u->hdr_desc, &r_u->desc); + DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description)); - r_u->ptr_info = 0xdeadbeef; - r_u->lang_id = q_u->lang_id; - - return NT_STATUS_OK; - } else { - DEBUG(10,("_lsa_priv_get_dispname: doesn't exist\n")); - - r_u->ptr_info = 0; - - return NT_STATUS_NO_SUCH_PRIVILEGE; + lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge); + if (!lsa_name) { + return NT_STATUS_NO_MEMORY; } + + init_lsa_StringLarge(lsa_name, description); + + *r->out.returned_language_id = r->in.language_id; + *r->out.disp_name = lsa_name; + + return NT_STATUS_OK; } /*************************************************************************** -_lsa_enum_accounts. 
+ _lsa_EnumAccounts ***************************************************************************/ -NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENUM_ACCOUNTS *r_u) +NTSTATUS _lsa_EnumAccounts(pipes_struct *p, + struct lsa_EnumAccounts *r) { struct lsa_info *handle; DOM_SID *sid_list; int i, j, num_entries; - LSA_SID_ENUM *sids=&r_u->sids; - NTSTATUS ret; + NTSTATUS status; + struct lsa_SidPtr *sids = NULL; - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) return NT_STATUS_INVALID_HANDLE; - if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION)) + if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; sid_list = NULL; 
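Review bot: `r->in.name->string` is passed to `DEBUG(10, ...)` with `%s` and to `get_privilege_dispname()` without a NULL test, where the removed code first copied the name into a local `fstring` through `unistr2_to_ascii()`. If the generated NDR code can deliver a name with no string body (to be confirmed against the IDL), client input reaches these calls as a NULL pointer. A guard ahead of the first use would cover it: `if (!r->in.name || !r->in.name->string) return NT_STATUS_INVALID_PARAMETER;`. `_lsa_LookupPrivDisplayName` begins in the previous hunk.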
@@ -1533,44 +1406,53 @@ NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENU /* The only way we can currently find out all the SIDs that have been privileged is to scan all privileges */ - if (!NT_STATUS_IS_OK(ret = privilege_enumerate_accounts(&sid_list, &num_entries))) { - return ret; + status = privilege_enumerate_accounts(&sid_list, &num_entries); + if (!NT_STATUS_IS_OK(status)) { + return status; } - if (q_u->enum_context >= num_entries) + if (*r->in.resume_handle >= num_entries) { return NT_STATUS_NO_MORE_ENTRIES; + } - if (num_entries-q_u->enum_context) { - sids->ptr_sid = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_entries-q_u->enum_context); - sids->sid = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_SID2, num_entries-q_u->enum_context); - - if (sids->ptr_sid==NULL || sids->sid==NULL) { + if (num_entries - *r->in.resume_handle) { + sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr, + num_entries - *r->in.resume_handle); + if (!sids) { SAFE_FREE(sid_list); return NT_STATUS_NO_MEMORY; } - for (i = q_u->enum_context, j = 0; i < num_entries; i++, j++) { - init_dom_sid2(&(*sids).sid[j], &sid_list[i]); - (*sids).ptr_sid[j] = 1; + for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) { + sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]); + if (!sids[j].sid) { + SAFE_FREE(sid_list); + return NT_STATUS_NO_MEMORY; + } } - } else { - sids->ptr_sid = NULL; - sids->sid = NULL; } talloc_free(sid_list); - init_lsa_r_enum_accounts(r_u, num_entries); + *r->out.resume_handle = num_entries; + r->out.sids->num_sids = num_entries; + r->out.sids->sids = sids; return NT_STATUS_OK; } +/*************************************************************************** + _lsa_GetUserName + ***************************************************************************/ -NTSTATUS _lsa_unk_get_connuser(pipes_struct *p, LSA_Q_UNK_GET_CONNUSER *q_u, LSA_R_UNK_GET_CONNUSER *r_u) +NTSTATUS _lsa_GetUserName(pipes_struct *p, + struct lsa_GetUserName *r) { const char 
*username, *domname; user_struct *vuser = get_valid_user_struct(p->vuid); - + struct lsa_String *account_name = NULL; + struct lsa_String *authority_name = NULL; + if (vuser == NULL) return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; @@ -1588,33 +1470,38 @@ NTSTATUS _lsa_unk_get_connuser(pipes_struct *p, LSA_Q_UNK_GET_CONNUSER *q_u, LSA username = vuser->user.smb_name; domname = vuser->user.domain; } - - r_u->ptr_user_name = 1; - init_unistr2(&r_u->uni2_user_name, username, UNI_STR_TERMINATE); - init_uni_hdr(&r_u->hdr_user_name, &r_u->uni2_user_name); - r_u->unk1 = 1; - - r_u->ptr_dom_name = 1; - init_unistr2(&r_u->uni2_dom_name, domname, UNI_STR_TERMINATE); - init_uni_hdr(&r_u->hdr_dom_name, &r_u->uni2_dom_name); + account_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_String); + if (!account_name) { + return NT_STATUS_NO_MEMORY; + } - r_u->status = NT_STATUS_OK; - - return r_u->status; + authority_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_String); + if (!authority_name) { + return NT_STATUS_NO_MEMORY; + } + + init_lsa_String(account_name, username); + init_lsa_String(authority_name, domname); + + *r->out.account_name = account_name; + *r->out.authority_name = authority_name; + + return NT_STATUS_OK; } /*************************************************************************** - Lsa Create Account + _lsa_CreateAccount ***************************************************************************/ -NTSTATUS _lsa_create_account(pipes_struct *p, LSA_Q_CREATEACCOUNT *q_u, LSA_R_CREATEACCOUNT *r_u) +NTSTATUS _lsa_CreateAccount(pipes_struct *p, + struct lsa_CreateAccount *r) { struct lsa_info *handle; struct lsa_info *info; /* find the connection policy handle. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) return NT_STATUS_INVALID_HANDLE; /* check if the user have enough rights */ 
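Review bot: `_lsa_EnumAccounts` allocates `sids` with `num_entries - *r->in.resume_handle` elements but reports `r->out.sids->num_sids = num_entries`, so for any non-zero resume handle the reply claims more elements than the array holds and the marshalling code may read past its end. I would set `r->out.sids->num_sids = num_entries - *r->in.resume_handle;`. The error paths release `sid_list` with `SAFE_FREE()` while the success path uses `talloc_free()`, and only one of those can match the allocator used by `privilege_enumerate_accounts()`; the `NT_STATUS_NO_MORE_ENTRIES` return does not release it at all. The function starts in the previous hunk.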
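Review bot: `*r->out.authority_name = authority_name;` in `_lsa_GetUserName` writes through `r->out.authority_name` unconditionally. If the IDL declares that parameter as optional (to be confirmed; it is not visible here), a client that omits it makes this a NULL dereference, which `if (r->out.authority_name) { *r->out.authority_name = authority_name; }` avoids. The function starts before this hunk, and `_lsa_CreateAccount` begins at its end.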
@@ -1623,29 +1510,29 @@ NTSTATUS _lsa_create_account(pipes_struct *p, LSA_Q_CREATEACCOUNT *q_u, LSA_R_CR * I don't know if it's the right one. not documented. * but guessed with rpcclient. */ - if (!(handle->access & POLICY_GET_PRIVATE_INFORMATION)) + if (!(handle->access & LSA_POLICY_GET_PRIVATE_INFORMATION)) return NT_STATUS_ACCESS_DENIED; - /* check to see if the pipe_user is a Domain Admin since + /* check to see if the pipe_user is a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - + if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) return NT_STATUS_ACCESS_DENIED; - - if ( is_privileged_sid( &q_u->sid.sid ) ) + + if ( is_privileged_sid( r->in.sid ) ) return NT_STATUS_OBJECT_NAME_COLLISION; /* associate the user/group SID with the (unique) handle. */ - + if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL) return NT_STATUS_NO_MEMORY; ZERO_STRUCTP(info); - info->sid = q_u->sid.sid; - info->access = q_u->access; + info->sid = *r->in.sid; + info->access = r->in.access_mask; /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, &r_u->pol, free_lsa_info, (void *)info)) + if (!create_policy_hnd(p, r->out.acct_handle, free_lsa_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; return privilege_create_account( &info->sid ); 
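Review bot: `info->access = r->in.access_mask;` stores the mask the client requested as the access granted on the new account handle, with no access check in between. Any later `handle->access & ...` test against such a handle then trusts a caller-supplied value, and the same assignment is made in `_lsa_OpenAccount` (hunk at -1684), which is not limited to Domain Admins. Until a real check exists, a comment such as `/* TODO: granted access is copied from the request without an access check */` would record the gap. Separately, `info` from `SMB_MALLOC_P` is not visibly freed when `create_policy_hnd()` fails, so it is worth confirming who owns it on that path.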
@@ -1653,16 +1540,17 @@ NTSTATUS _lsa_create_account(pipes_struct *p, LSA_Q_CREATEACCOUNT *q_u, LSA_R_CR /*************************************************************************** - Lsa Open Account + _lsa_OpenAccount ***************************************************************************/ -NTSTATUS _lsa_open_account(pipes_struct *p, LSA_Q_OPENACCOUNT *q_u, LSA_R_OPENACCOUNT *r_u) +NTSTATUS _lsa_OpenAccount(pipes_struct *p, + struct lsa_OpenAccount *r) { struct lsa_info *handle; struct lsa_info *info; /* find the connection policy handle. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) return NT_STATUS_INVALID_HANDLE; /* check if the user have enough rights */ @@ -1671,7 +1559,7 @@ NTSTATUS _lsa_open_account(pipes_struct *p, LSA_Q_OPENACCOUNT *q_u, LSA_R_OPENAC * I don't know if it's the right one. not documented. * but guessed with rpcclient. */ - if (!(handle->access & POLICY_GET_PRIVATE_INFORMATION)) + if (!(handle->access & LSA_POLICY_GET_PRIVATE_INFORMATION)) return NT_STATUS_ACCESS_DENIED; /* TODO: Fis the parsing routine before reenabling this check! */ 
@@ -1684,62 +1572,94 @@ NTSTATUS _lsa_open_account(pipes_struct *p, LSA_Q_OPENACCOUNT *q_u, LSA_R_OPENAC return NT_STATUS_NO_MEMORY; ZERO_STRUCTP(info); - info->sid = q_u->sid.sid; - info->access = q_u->access; + info->sid = *r->in.sid; + info->access = r->in.access_mask; /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, &r_u->pol, free_lsa_info, (void *)info)) + if (!create_policy_hnd(p, r->out.acct_handle, free_lsa_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; return NT_STATUS_OK; } /*************************************************************************** + _lsa_EnumPrivsAccount For a given SID, enumerate all the privilege this account has. ***************************************************************************/ -NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, prs_struct *ps, LSA_Q_ENUMPRIVSACCOUNT *q_u, LSA_R_ENUMPRIVSACCOUNT *r_u) +NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p, + struct lsa_EnumPrivsAccount *r) { + NTSTATUS status = NT_STATUS_OK; struct lsa_info *info=NULL; SE_PRIV mask; PRIVILEGE_SET privileges; + struct lsa_PrivilegeSet *priv_set = NULL; + struct lsa_LUIDAttribute *luid_attrs = NULL; + int i; /* find the connection policy handle. 
*/ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - if ( !get_privileges_for_sids( &mask, &info->sid, 1 ) ) + if ( !get_privileges_for_sids( &mask, &info->sid, 1 ) ) return NT_STATUS_OBJECT_NAME_NOT_FOUND; privilege_set_init( &privileges ); if ( se_priv_to_privilege_set( &privileges, &mask ) ) { - DEBUG(10,("_lsa_enum_privsaccount: %s has %d privileges\n", + DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n", sid_string_dbg(&info->sid), privileges.count)); - r_u->status = init_lsa_r_enum_privsaccount(ps->mem_ctx, r_u, privileges.set, privileges.count, 0); + priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet); + if (!priv_set) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, + struct lsa_LUIDAttribute, + privileges.count); + if (!luid_attrs) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + for (i=0; i<privileges.count; i++) { + luid_attrs[i].luid.low = privileges.set[i].luid.low; + luid_attrs[i].luid.high = privileges.set[i].luid.high; + luid_attrs[i].attribute = privileges.set[i].attr; + } + + priv_set->count = privileges.count; + priv_set->unknown = 0; + priv_set->set = luid_attrs; + + *r->out.privs = priv_set; + } else { + status = NT_STATUS_NO_SUCH_PRIVILEGE; } - else - r_u->status = NT_STATUS_NO_SUCH_PRIVILEGE; + done: privilege_set_free( &privileges ); - return r_u->status; + return status; } /*************************************************************************** - + _lsa_GetSystemAccessAccount ***************************************************************************/ -NTSTATUS _lsa_getsystemaccount(pipes_struct *p, LSA_Q_GETSYSTEMACCOUNT *q_u, LSA_R_GETSYSTEMACCOUNT *r_u) +NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p, + struct lsa_GetSystemAccessAccount *r) { struct lsa_info *info=NULL; /* find the connection policy handle. 
*/ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; if (!lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, NULL)) @@ -1750,11 +1670,11 @@ NTSTATUS _lsa_getsystemaccount(pipes_struct *p, LSA_Q_GETSYSTEMACCOUNT *q_u, LSA 0x02 -> Access this computer from network 0x04 -> Log on as a batch job 0x10 -> Log on as a service - + they can be ORed together */ - r_u->access = PR_LOG_ON_LOCALLY | PR_ACCESS_FROM_NETWORK; + *r->out.access_mask = PR_LOG_ON_LOCALLY | PR_ACCESS_FROM_NETWORK; return NT_STATUS_OK; } @@ -1763,19 +1683,19 @@ NTSTATUS _lsa_getsystemaccount(pipes_struct *p, LSA_Q_GETSYSTEMACCOUNT *q_u, LSA update the systemaccount information ***************************************************************************/ -NTSTATUS _lsa_setsystemaccount(pipes_struct *p, LSA_Q_SETSYSTEMACCOUNT *q_u, LSA_R_SETSYSTEMACCOUNT *r_u) +NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p, + struct lsa_SetSystemAccessAccount *r) { struct lsa_info *info=NULL; GROUP_MAP map; - r_u->status = NT_STATUS_OK; /* find the connection policy handle. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - /* check to see if the pipe_user is a Domain Admin since + /* check to see if the pipe_user is a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - + if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) return NT_STATUS_ACCESS_DENIED; 
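Review bot: In `_lsa_EnumPrivsAccount` the `TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_LUIDAttribute, privileges.count)` call is not guarded for a zero count, unlike `_lsa_EnumPrivs`, which wraps its allocation in `if (num_privs) { ... } else { entries = NULL; }`. If the macro returns NULL for zero elements, as that guard suggests, an account with an empty privilege set would be reported as `NT_STATUS_NO_MEMORY`. Wrapping the allocation and its NULL test in `if (privileges.count) { ... }` would match the rest of the file. Note also that this function only resolves the handle and never tests `info->access`, unlike the neighbouring calls.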
@@ -1786,35 +1706,36 @@ NTSTATUS _lsa_setsystemaccount(pipes_struct *p, LSA_Q_SETSYSTEMACCOUNT *q_u, LSA } /*************************************************************************** + _lsa_AddPrivilegesToAccount For a given SID, add some privileges. ***************************************************************************/ -NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u) +NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p, + struct lsa_AddPrivilegesToAccount *r) { struct lsa_info *info = NULL; SE_PRIV mask; - PRIVILEGE_SET *set = NULL; + struct lsa_PrivilegeSet *set = NULL; /* find the connection policy handle. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - - /* check to see if the pipe_user is root or a Domain Admin since + + /* check to see if the pipe_user is root or a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - - if ( p->pipe_user.ut.uid != sec_initial_uid() + + if ( p->pipe_user.ut.uid != sec_initial_uid() && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) { return NT_STATUS_ACCESS_DENIED; } - set = &q_u->set; - + set = r->in.privs; if ( !privilege_set_to_se_priv( &mask, set ) ) return NT_STATUS_NO_SUCH_PRIVILEGE; if ( !grant_privilege( &info->sid, &mask ) ) { - DEBUG(3,("_lsa_addprivs: grant_privilege(%s) failed!\n", + DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n", sid_string_dbg(&info->sid) )); DEBUG(3,("Privilege mask:\n")); dump_se_priv( DBGC_ALL, 3, &mask ); 
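Review bot: `set` is now a `struct lsa_PrivilegeSet *` but is still passed to `privilege_set_to_se_priv()`, which received a `PRIVILEGE_SET *` before this change. `_lsa_EnumPrivsAccount` in this same commit copies field by field between the two (`attr` to `attribute`), so they are distinct types. Unless the helper's prototype changes elsewhere in the commit (not visible here), this is an incompatible-pointer call; if it does not change, convert into a local `PRIVILEGE_SET` first. The same applies to `_lsa_RemovePrivilegesFromAccount` in the next hunk, and the function's tail is outside this hunk.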
@@ -1825,35 +1746,37 @@ NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u } /*************************************************************************** + _lsa_RemovePrivilegesFromAccount For a given SID, remove some privileges. ***************************************************************************/ -NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEPRIVS *r_u) +NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p, + struct lsa_RemovePrivilegesFromAccount *r) { struct lsa_info *info = NULL; SE_PRIV mask; - PRIVILEGE_SET *set = NULL; + struct lsa_PrivilegeSet *set = NULL; /* find the connection policy handle. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - /* check to see if the pipe_user is root or a Domain Admin since + /* check to see if the pipe_user is root or a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - + if ( p->pipe_user.ut.uid != sec_initial_uid() - && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) { return NT_STATUS_ACCESS_DENIED; } - set = &q_u->set; + set = r->in.privs; if ( !privilege_set_to_se_priv( &mask, set ) ) return NT_STATUS_NO_SUCH_PRIVILEGE; if ( !revoke_privilege( &info->sid, &mask ) ) { - DEBUG(3,("_lsa_removeprivs: revoke_privilege(%s) failed!\n", + DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n", sid_string_dbg(&info->sid) )); DEBUG(3,("Privilege mask:\n")); dump_se_priv( DBGC_ALL, 3, &mask ); 
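Review bot: `set = r->in.privs;` in `_lsa_RemovePrivilegesFromAccount` is passed straight to `privilege_set_to_se_priv()`; the old `&q_u->set` could never be NULL, but a pointer taken from the request can be. If the IDL allows the set to be omitted (the protocol has a remove-all form of this call, to be confirmed), the helper receives NULL from client input. `if (!set) return NT_STATUS_INVALID_PARAMETER;` ahead of the conversion, or explicit handling of the remove-all case, would close that. The end of the function is outside this hunk.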
@@ -1864,28 +1787,27 @@ NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEP } /*************************************************************************** - For a given SID, remove some privileges. + _lsa_QuerySecurity ***************************************************************************/ -NTSTATUS _lsa_query_secobj(pipes_struct *p, LSA_Q_QUERY_SEC_OBJ *q_u, LSA_R_QUERY_SEC_OBJ *r_u) +NTSTATUS _lsa_QuerySecurity(pipes_struct *p, + struct lsa_QuerySecurity *r) { struct lsa_info *handle=NULL; SEC_DESC *psd = NULL; size_t sd_size; NTSTATUS status; - r_u->status = NT_STATUS_OK; - /* find the connection policy handle. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) return NT_STATUS_INVALID_HANDLE; /* check if the user have enough rights */ - if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION)) + if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; - switch (q_u->sec_info) { + switch (r->in.sec_info) { case 1: /* SD contains only the owner */ @@ -1894,7 +1816,7 @@ NTSTATUS _lsa_query_secobj(pipes_struct *p, LSA_Q_QUERY_SEC_OBJ *q_u, LSA_R_QUER return NT_STATUS_NO_MEMORY; - if((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL) + if((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL) return NT_STATUS_NO_MEMORY; break; case 4: @@ -1904,16 +1826,14 @@ NTSTATUS _lsa_query_secobj(pipes_struct *p, LSA_Q_QUERY_SEC_OBJ *q_u, LSA_R_QUER if(!NT_STATUS_IS_OK(status)) return NT_STATUS_NO_MEMORY; - if((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL) + if((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL) return NT_STATUS_NO_MEMORY; break; default: return NT_STATUS_INVALID_LEVEL; } - r_u->ptr=1; - - return r_u->status; + return status; } #if 0 /* AD DC work in ongoing in Samba 4 */ 
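Review bot: `_lsa_QuerySecurity` now ends with `return status;`, where the old code returned an `r_u->status` that had been set to `NT_STATUS_OK` up front, and `NTSTATUS status;` is declared without an initialiser. That is correct only if every `case` reaching the end assigns `status`, which cannot be confirmed for `case 1` from these hunks. Since all failure paths already return early, `return NT_STATUS_OK;` at the end states the intent directly, or the declaration can become `NTSTATUS status = NT_STATUS_OK;`. The function is spread over the three hunks on this line.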
@@ -1921,7 +1841,7 @@ NTSTATUS _lsa_query_secobj(pipes_struct *p, LSA_Q_QUERY_SEC_OBJ *q_u, LSA_R_QUER /*************************************************************************** ***************************************************************************/ -NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_INFO2 *r_u) + NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_INFO2 *r_u) { struct lsa_info *handle; const char *nb_name; @@ -1940,7 +1860,7 @@ NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_I switch (q_u->info_class) { case 0x0c: /* check if the user have enough rights */ - if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION)) + if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; /* Request PolicyPrimaryDomainInformation. */ @@ -1966,7 +1886,7 @@ NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_I default: return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } - init_dns_dom_info(&r_u->info.dns_dom_info, nb_name, dns_name, + init_dns_dom_info(&r_u->info.dns_dom_info, nb_name, dns_name, forest_name,&guid,sid); break; default: 
@@ -1985,54 +1905,46 @@ NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_I #endif /* AD DC work in ongoing in Samba 4 */ /*************************************************************************** + _lsa_AddAccountRights ***************************************************************************/ -NTSTATUS _lsa_add_acct_rights(pipes_struct *p, LSA_Q_ADD_ACCT_RIGHTS *q_u, LSA_R_ADD_ACCT_RIGHTS *r_u) +NTSTATUS _lsa_AddAccountRights(pipes_struct *p, + struct lsa_AddAccountRights *r) { struct lsa_info *info = NULL; int i = 0; DOM_SID sid; - fstring privname; - UNISTR4_ARRAY *uni_privnames = q_u->rights; - /* find the connection policy handle. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - - /* check to see if the pipe_user is a Domain Admin since + + /* check to see if the pipe_user is a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - + if ( p->pipe_user.ut.uid != sec_initial_uid() - && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) { return NT_STATUS_ACCESS_DENIED; } /* according to an NT4 PDC, you can add privileges to SIDs even without call_lsa_create_account() first. And you can use any arbitrary SID. 
*/ - - sid_copy( &sid, &q_u->sid.sid ); - - /* just a little sanity check */ - - if ( q_u->count != uni_privnames->count ) { - DEBUG(0,("_lsa_add_acct_rights: count != number of UNISTR2 elements!\n")); - return NT_STATUS_INVALID_HANDLE; - } - - for ( i=0; i<q_u->count; i++ ) { - UNISTR4 *uni4_str = &uni_privnames->strings[i]; + + sid_copy( &sid, r->in.sid ); + + for ( i=0; i < r->in.rights->count; i++ ) { + + const char *privname = r->in.rights->names[i].string; /* only try to add non-null strings */ - if ( !uni4_str->string ) + if ( !privname ) continue; - rpcstr_pull( privname, uni4_str->string->buffer, sizeof(privname), -1, STR_TERMINATE ); - if ( !grant_privilege_by_name( &sid, privname ) ) { - DEBUG(2,("_lsa_add_acct_rights: Failed to add privilege [%s]\n", privname )); + DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n", + privname )); return NT_STATUS_NO_SUCH_PRIVILEGE; } } 
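Review bot: The loop `for ( i=0; i < r->in.rights->count; i++ )` indexes `r->in.rights->names[i]` on the strength of a client-supplied `count`, and the old `q_u->count != uni_privnames->count` sanity check is removed without a replacement. Whether the generated unmarshalling code guarantees that `names` is non-NULL and holds `count` entries is not visible in this diff, so a cheap guard before the loop is worth having: `if (r->in.rights->count != 0 && r->in.rights->names == NULL) return NT_STATUS_INVALID_PARAMETER;`. `i` is still declared `int` while being compared with what looks like an unsigned count; an unsigned index (the new helper `init_lsa_right_set` uses `uint32`) avoids the mixed-sign comparison. The same loop and the same removed check appear in `_lsa_RemoveAccountRights` in the next hunk.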
@@ -2041,58 +1953,51 @@ NTSTATUS _lsa_add_acct_rights(pipes_struct *p, LSA_Q_ADD_ACCT_RIGHTS *q_u, LSA_R } /*************************************************************************** + _lsa_RemoveAccountRights ***************************************************************************/ -NTSTATUS _lsa_remove_acct_rights(pipes_struct *p, LSA_Q_REMOVE_ACCT_RIGHTS *q_u, LSA_R_REMOVE_ACCT_RIGHTS *r_u) +NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p, + struct lsa_RemoveAccountRights *r) { struct lsa_info *info = NULL; int i = 0; DOM_SID sid; - fstring privname; - UNISTR4_ARRAY *uni_privnames = q_u->rights; - + const char *privname = NULL; /* find the connection policy handle. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - - /* check to see if the pipe_user is a Domain Admin since + + /* check to see if the pipe_user is a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - + if ( p->pipe_user.ut.uid != sec_initial_uid() && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) { return NT_STATUS_ACCESS_DENIED; } - sid_copy( &sid, &q_u->sid.sid ); + sid_copy( &sid, r->in.sid ); - if ( q_u->removeall ) { - if ( !revoke_all_privileges( &sid ) ) + if ( r->in.remove_all ) { + if ( !revoke_all_privileges( &sid ) ) return NT_STATUS_ACCESS_DENIED; - + return NT_STATUS_OK; } - - /* just a little sanity check */ - - if ( q_u->count != uni_privnames->count ) { - DEBUG(0,("_lsa_add_acct_rights: count != number of UNISTR2 elements!\n")); - return NT_STATUS_INVALID_HANDLE; - } - - for ( i=0; i<q_u->count; i++ ) { - UNISTR4 *uni4_str = &uni_privnames->strings[i]; + + for ( i=0; i < r->in.rights->count; i++ ) { + + privname = r->in.rights->names[i].string; /* only try to add non-null strings */ - if ( !uni4_str->string ) + if ( !privname ) continue; - rpcstr_pull( privname, 
uni4_str->string->buffer, sizeof(privname), -1, STR_TERMINATE ); - if ( !revoke_privilege_by_name( &sid, privname ) ) { - DEBUG(2,("_lsa_remove_acct_rights: Failed to revoke privilege [%s]\n", privname )); + DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n", + privname )); return NT_STATUS_NO_SUCH_PRIVILEGE; } } 
@@ -2100,28 +2005,70 @@ NTSTATUS _lsa_remove_acct_rights(pipes_struct *p, LSA_Q_REMOVE_ACCT_RIGHTS *q_u, return NT_STATUS_OK; } +/******************************************************************* +********************************************************************/ + +static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx, + struct lsa_RightSet *r, + PRIVILEGE_SET *privileges) +{ + uint32 i; + const char *privname; + const char **privname_array = NULL; + int num_priv = 0; + + for (i=0; i<privileges->count; i++) { + + privname = luid_to_privilege_name(&privileges->set[i].luid); + if (privname) { + if (!add_string_to_array(mem_ctx, privname, + &privname_array, &num_priv)) { + return NT_STATUS_NO_MEMORY; + } + } + } + + if (num_priv) { + + r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge, + num_priv); + if (!r->names) { + return NT_STATUS_NO_MEMORY; + } + + for (i=0; i<num_priv; i++) { + init_lsa_StringLarge(&r->names[i], privname_array[i]); + } + + r->count = num_priv; + } + + return NT_STATUS_OK; +} /*************************************************************************** + _lsa_EnumAccountRights ***************************************************************************/ -NTSTATUS _lsa_enum_acct_rights(pipes_struct *p, LSA_Q_ENUM_ACCT_RIGHTS *q_u, LSA_R_ENUM_ACCT_RIGHTS *r_u) +NTSTATUS _lsa_EnumAccountRights(pipes_struct *p, + struct lsa_EnumAccountRights *r) { + NTSTATUS status; struct lsa_info *info = NULL; DOM_SID sid; PRIVILEGE_SET privileges; SE_PRIV mask; - /* find the connection policy handle. */ - - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - + /* according to an NT4 PDC, you can add privileges to SIDs even without call_lsa_create_account() first. And you can use any arbitrary SID. 
*/ - - sid_copy( &sid, &q_u->sid.sid ); - + + sid_copy( &sid, r->in.sid ); + if ( !get_privileges_for_sids( &mask, &sid, 1 ) ) return NT_STATUS_OBJECT_NAME_NOT_FOUND; @@ -2129,37 +2076,38 @@ NTSTATUS _lsa_enum_acct_rights(pipes_struct *p, LSA_Q_ENUM_ACCT_RIGHTS *q_u, LSA if ( se_priv_to_privilege_set( &privileges, &mask ) ) { - DEBUG(10,("_lsa_enum_acct_rights: %s has %d privileges\n", + DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n", sid_string_dbg(&sid), privileges.count)); - r_u->status = init_r_enum_acct_rights( r_u, &privileges ); + status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges); + } else { + status = NT_STATUS_NO_SUCH_PRIVILEGE; } - else - r_u->status = NT_STATUS_NO_SUCH_PRIVILEGE; privilege_set_free( &privileges ); - return r_u->status; + return status; } - /*************************************************************************** + _lsa_LookupPrivValue ***************************************************************************/ -NTSTATUS _lsa_lookup_priv_value(pipes_struct *p, LSA_Q_LOOKUP_PRIV_VALUE *q_u, LSA_R_LOOKUP_PRIV_VALUE *r_u) +NTSTATUS _lsa_LookupPrivValue(pipes_struct *p, + struct lsa_LookupPrivValue *r) { struct lsa_info *info = NULL; - fstring name; + const char *name = NULL; LUID_ATTR priv_luid; SE_PRIV mask; - + /* find the connection policy handle. */ - - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + + if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - - unistr2_to_ascii(name, &q_u->privname.unistring, sizeof(name)); - + + name = r->in.name->string; + DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name)); if ( !se_priv_from_name( name, &mask ) ) 
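Review bot: `init_lsa_right_set()` writes `r->names` and `r->count` only inside `if (num_priv)`, so when no LUID maps to a privilege name the output keeps whatever the caller left in it. `_lsa_EnumAccountRights` passes `r->out.rights` straight in, and this diff does not show that structure being zeroed first; setting `r->count = 0;` and `r->names = NULL;` at the top of the helper makes the empty case well defined. The second loop `for (i=0; i<num_priv; i++)` compares the `uint32` index with the `int` `num_priv`, which a cast or a separate `int` index would keep same-signed. The helper's banner comment is empty; a line such as `/* Convert a PRIVILEGE_SET into the lsa_RightSet name array, allocated on mem_ctx. */` would document it.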
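Review bot: `name = r->in.name->string;` in `_lsa_LookupPrivValue` can yield NULL where the old `unistr2_to_ascii()` call always filled a local `fstring`, assuming the string pointer inside the request is optional, which this hunk does not show. The value then goes to `DEBUG(10, ...)` with `%s` and to `se_priv_from_name()`; passing NULL for `%s` is undefined on some C libraries, and the helper's handling of NULL is not visible here. An early `if (!name) return NT_STATUS_NO_SUCH_PRIVILEGE;` right after the assignment avoids both. The DEBUG text still reads `_lsa_lookup_priv_value`, unlike the other messages renamed in this commit.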
@@ -2167,19 +2115,17 @@ NTSTATUS _lsa_lookup_priv_value(pipes_struct *p, LSA_Q_LOOKUP_PRIV_VALUE *q_u, L priv_luid = get_privilege_luid( &mask ); - r_u->luid.low = priv_luid.luid.low; - r_u->luid.high = priv_luid.luid.high; - + r->out.luid->low = priv_luid.luid.low; + r->out.luid->high = priv_luid.luid.high; return NT_STATUS_OK; } - /* * From here on the server routines are just dummy ones to make smbd link with * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are * pulling the server stubs across one by one. - */ + */ NTSTATUS _lsa_Delete(pipes_struct *p, struct lsa_Delete *r) { @@ -2187,18 +2133,6 @@ NTSTATUS _lsa_Delete(pipes_struct *p, struct lsa_Delete *r) return NT_STATUS_NOT_IMPLEMENTED; } -NTSTATUS _lsa_EnumPrivs(pipes_struct *p, struct lsa_EnumPrivs *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - -NTSTATUS _lsa_QuerySecurity(pipes_struct *p, struct lsa_QuerySecurity *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r) { p->rng_fault_state = True; @@ -2211,18 +2145,6 @@ NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r) return NT_STATUS_NOT_IMPLEMENTED; } -NTSTATUS _lsa_OpenPolicy(pipes_struct *p, struct lsa_OpenPolicy *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - -NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p, struct lsa_QueryInfoPolicy *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r) { p->rng_fault_state = True; 
@@ -2235,60 +2157,6 @@ NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r) return NT_STATUS_NOT_IMPLEMENTED; } -NTSTATUS _lsa_CreateAccount(pipes_struct *p, struct lsa_CreateAccount *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - -NTSTATUS _lsa_EnumAccounts(pipes_struct *p, struct lsa_EnumAccounts *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - -NTSTATUS _lsa_EnumTrustDom(pipes_struct *p, struct lsa_EnumTrustDom *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - -NTSTATUS _lsa_LookupNames(pipes_struct *p, struct lsa_LookupNames *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - -NTSTATUS _lsa_LookupSids(pipes_struct *p, struct lsa_LookupSids *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - -NTSTATUS _lsa_OpenAccount(pipes_struct *p, struct lsa_OpenAccount *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - -NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p, struct lsa_EnumPrivsAccount *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - -NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p, struct lsa_AddPrivilegesToAccount *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - -NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p, struct lsa_RemovePrivilegesFromAccount *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r) { p->rng_fault_state = True; 
@@ -2301,18 +2169,6 @@ NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccoun return NT_STATUS_NOT_IMPLEMENTED; } -NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p, struct lsa_GetSystemAccessAccount *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - -NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p, struct lsa_SetSystemAccessAccount *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r) { p->rng_fault_state = True; 
@@ -2331,54 +2187,18 @@ NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r) return NT_STATUS_NOT_IMPLEMENTED; } -NTSTATUS _lsa_LookupPrivValue(pipes_struct *p, struct lsa_LookupPrivValue *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - NTSTATUS _lsa_LookupPrivName(pipes_struct *p, struct lsa_LookupPrivName *r) { p->rng_fault_state = True; return NT_STATUS_NOT_IMPLEMENTED; } -NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p, struct lsa_LookupPrivDisplayName *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - -NTSTATUS _lsa_DeleteObject(pipes_struct *p, struct lsa_DeleteObject *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p, struct lsa_EnumAccountsWithUserRight *r) { p->rng_fault_state = True; return NT_STATUS_NOT_IMPLEMENTED; } -NTSTATUS _lsa_EnumAccountRights(pipes_struct *p, struct lsa_EnumAccountRights *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - -NTSTATUS _lsa_AddAccountRights(pipes_struct *p, struct lsa_AddAccountRights *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - -NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p, struct lsa_RemoveAccountRights *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r) { p->rng_fault_state = True; 
@@ -2409,18 +2229,6 @@ NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateDat return NT_STATUS_NOT_IMPLEMENTED; } -NTSTATUS _lsa_OpenPolicy2(pipes_struct *p, struct lsa_OpenPolicy2 *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - -NTSTATUS _lsa_GetUserName(pipes_struct *p, struct lsa_GetUserName *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p, struct lsa_QueryInfoPolicy2 *r) { p->rng_fault_state = True; @@ -2487,18 +2295,6 @@ NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r) return NT_STATUS_NOT_IMPLEMENTED; } -NTSTATUS _lsa_LookupSids2(pipes_struct *p, struct lsa_LookupSids2 *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - -NTSTATUS _lsa_LookupNames2(pipes_struct *p, struct lsa_LookupNames2 *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r) { p->rng_fault_state = True; @@ -2553,12 +2349,6 @@ NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED return NT_STATUS_NOT_IMPLEMENTED; } -NTSTATUS _lsa_LookupNames3(pipes_struct *p, struct lsa_LookupNames3 *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r) { p->rng_fault_state = True; @@ -2583,7 +2373,7 @@ NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTE return NT_STATUS_NOT_IMPLEMENTED; } -NTSTATUS _lsa_LSARQUERYFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARQUERYFORESTTRUSTINFORMATION *r) +NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r) { p->rng_fault_state = True; return NT_STATUS_NOT_IMPLEMENTED; 
@@ -2601,18 +2391,6 @@ NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r) return NT_STATUS_NOT_IMPLEMENTED; } -NTSTATUS _lsa_LookupSids3(pipes_struct *p, struct lsa_LookupSids3 *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - -NTSTATUS _lsa_LookupNames4(pipes_struct *p, struct lsa_LookupNames4 *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r) { p->rng_fault_state = True; diff --git a/source3/rpc_server/srv_netlog.c b/source3/rpc_server/srv_netlog.c deleted file mode 100644 index 6d9859a9ae..0000000000 --- a/source3/rpc_server/srv_netlog.c +++ /dev/null 
@@ -1,405 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * RPC Pipe client / server routines - * Copyright (C) Andrew Tridgell 1992-1997, - * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, - * Copyright (C) Paul Ashton 1997, - * Copyright (C) Jeremy Allison 1998-2001, - * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see <http://www.gnu.org/licenses/>. - */ - -/* This is the interface to the netlogon pipe. */ - -#include "includes.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_RPC_SRV - -/************************************************************************* - api_net_req_chal: - *************************************************************************/ - -static bool api_net_req_chal(pipes_struct *p) -{ - NET_Q_REQ_CHAL q_u; - NET_R_REQ_CHAL r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the challenge... 
*/ - if(!net_io_q_req_chal("", &q_u, data, 0)) { - DEBUG(0,("api_net_req_chal: Failed to unmarshall NET_Q_REQ_CHAL.\n")); - return False; - } - - r_u.status = _net_req_chal(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!net_io_r_req_chal("", &r_u, rdata, 0)) { - DEBUG(0,("api_net_req_chal: Failed to marshall NET_R_REQ_CHAL.\n")); - return False; - } - - return True; -} - -/************************************************************************* - api_net_auth: - *************************************************************************/ - -static bool api_net_auth(pipes_struct *p) -{ - NET_Q_AUTH q_u; - NET_R_AUTH r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the challenge... */ - if(!net_io_q_auth("", &q_u, data, 0)) { - DEBUG(0,("api_net_auth: Failed to unmarshall NET_Q_AUTH.\n")); - return False; - } - - r_u.status = _net_auth(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!net_io_r_auth("", &r_u, rdata, 0)) { - DEBUG(0,("api_net_auth: Failed to marshall NET_R_AUTH.\n")); - return False; - } - - return True; -} - -/************************************************************************* - api_net_auth_2: - *************************************************************************/ - -static bool api_net_auth_2(pipes_struct *p) -{ - NET_Q_AUTH_2 q_u; - NET_R_AUTH_2 r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the challenge... 
*/ - if(!net_io_q_auth_2("", &q_u, data, 0)) { - DEBUG(0,("api_net_auth_2: Failed to unmarshall NET_Q_AUTH_2.\n")); - return False; - } - - r_u.status = _net_auth_2(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!net_io_r_auth_2("", &r_u, rdata, 0)) { - DEBUG(0,("api_net_auth_2: Failed to marshall NET_R_AUTH_2.\n")); - return False; - } - - return True; -} - -/************************************************************************* - api_net_srv_pwset: - *************************************************************************/ - -static bool api_net_srv_pwset(pipes_struct *p) -{ - NET_Q_SRV_PWSET q_u; - NET_R_SRV_PWSET r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the challenge and encrypted password ... */ - if(!net_io_q_srv_pwset("", &q_u, data, 0)) { - DEBUG(0,("api_net_srv_pwset: Failed to unmarshall NET_Q_SRV_PWSET.\n")); - return False; - } - - r_u.status = _net_srv_pwset(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!net_io_r_srv_pwset("", &r_u, rdata, 0)) { - DEBUG(0,("api_net_srv_pwset: Failed to marshall NET_R_SRV_PWSET.\n")); - return False; - } - - return True; -} - -/************************************************************************* - api_net_sam_logoff: - *************************************************************************/ - -static bool api_net_sam_logoff(pipes_struct *p) -{ - NET_Q_SAM_LOGOFF q_u; - NET_R_SAM_LOGOFF r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!net_io_q_sam_logoff("", &q_u, data, 0)) { - DEBUG(0,("api_net_sam_logoff: Failed to unmarshall NET_Q_SAM_LOGOFF.\n")); - return False; - } - - r_u.status = _net_sam_logoff(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!net_io_r_sam_logoff("", &r_u, rdata, 0)) { - DEBUG(0,("api_net_sam_logoff: Failed to marshall 
NET_R_SAM_LOGOFF.\n")); - return False; - } - - return True; -} - -/************************************************************************* - api_net_sam_logon: - *************************************************************************/ - -static bool api_net_sam_logon(pipes_struct *p) -{ - NET_Q_SAM_LOGON q_u; - NET_R_SAM_LOGON r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!net_io_q_sam_logon("", &q_u, data, 0)) { - DEBUG(0, ("api_net_sam_logon: Failed to unmarshall NET_Q_SAM_LOGON.\n")); - return False; - } - - r_u.status = _net_sam_logon(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!net_io_r_sam_logon("", &r_u, rdata, 0)) { - DEBUG(0,("api_net_sam_logon: Failed to marshall NET_R_SAM_LOGON.\n")); - return False; - } - - return True; -} - -/************************************************************************* - api_net_trust_dom_list: - *************************************************************************/ - -static bool api_net_trust_dom_list(pipes_struct *p) -{ - NET_Q_TRUST_DOM_LIST q_u; - NET_R_TRUST_DOM_LIST r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the lsa trusted domain list query... */ - if(!net_io_q_trust_dom("", &q_u, data, 0)) { - DEBUG(0,("api_net_trust_dom_list: Failed to unmarshall NET_Q_TRUST_DOM_LIST.\n")); - return False; - } - - /* construct reply. 
*/ - r_u.status = _net_trust_dom_list(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!net_io_r_trust_dom("", &r_u, rdata, 0)) { - DEBUG(0,("net_reply_trust_dom_list: Failed to marshall NET_R_TRUST_DOM_LIST.\n")); - return False; - } - - return True; -} - -/************************************************************************* - api_net_logon_ctrl2: - *************************************************************************/ - -static bool api_net_logon_ctrl2(pipes_struct *p) -{ - NET_Q_LOGON_CTRL2 q_u; - NET_R_LOGON_CTRL2 r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - - /* grab the lsa netlogon ctrl2 query... */ - if(!net_io_q_logon_ctrl2("", &q_u, data, 0)) { - DEBUG(0,("api_net_logon_ctrl2: Failed to unmarshall NET_Q_LOGON_CTRL2.\n")); - return False; - } - - r_u.status = _net_logon_ctrl2(p, &q_u, &r_u); - - if(!net_io_r_logon_ctrl2("", &r_u, rdata, 0)) { - DEBUG(0,("net_reply_logon_ctrl2: Failed to marshall NET_R_LOGON_CTRL2.\n")); - return False; - } - - return True; -} - -/************************************************************************* - api_net_logon_ctrl: - *************************************************************************/ - -static bool api_net_logon_ctrl(pipes_struct *p) -{ - NET_Q_LOGON_CTRL q_u; - NET_R_LOGON_CTRL r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the lsa netlogon ctrl query... 
*/ - if(!net_io_q_logon_ctrl("", &q_u, data, 0)) { - DEBUG(0,("api_net_logon_ctrl: Failed to unmarshall NET_Q_LOGON_CTRL.\n")); - return False; - } - - r_u.status = _net_logon_ctrl(p, &q_u, &r_u); - - if(!net_io_r_logon_ctrl("", &r_u, rdata, 0)) { - DEBUG(0,("net_reply_logon_ctrl2: Failed to marshall NET_R_LOGON_CTRL.\n")); - return False; - } - - return True; -} - -/************************************************************************* - api_net_sam_logon_ex: - *************************************************************************/ - -static bool api_net_sam_logon_ex(pipes_struct *p) -{ - NET_Q_SAM_LOGON_EX q_u; - NET_R_SAM_LOGON_EX r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!net_io_q_sam_logon_ex("", &q_u, data, 0)) { - DEBUG(0, ("api_net_sam_logon_ex: Failed to unmarshall NET_Q_SAM_LOGON_EX.\n")); - return False; - } - - r_u.status = _net_sam_logon_ex(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!net_io_r_sam_logon_ex("", &r_u, rdata, 0)) { - DEBUG(0,("api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.\n")); - return False; - } - - return True; -} - - -/************************************************************************* - api_ds_enum_dom_trusts: - *************************************************************************/ - -#if 0 /* JERRY */ -static bool api_ds_enum_dom_trusts(pipes_struct *p) -{ - DS_Q_ENUM_DOM_TRUSTS q_u; - DS_R_ENUM_DOM_TRUSTS r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - DEBUG(6,("api_ds_enum_dom_trusts\n")); - - if ( !ds_io_q_enum_domain_trusts("", data, 0, &q_u) ) { - DEBUG(0,("api_ds_enum_domain_trusts: Failed to unmarshall DS_Q_ENUM_DOM_TRUSTS.\n")); - return False; - } - - r_u.status = _ds_enum_dom_trusts(p, &q_u, &r_u); - - if ( !ds_io_r_enum_domain_trusts("", rdata, 0, &r_u) ) { - 
DEBUG(0,("api_ds_enum_domain_trusts: Failed to marshall DS_R_ENUM_DOM_TRUSTS.\n")); - return False; - } - - DEBUG(6,("api_ds_enum_dom_trusts\n")); - - return True; -} -#endif /* JERRY */ - -/******************************************************************* - array of \PIPE\NETLOGON operations - ********************************************************************/ -static struct api_struct api_net_cmds [] = - { - { "NET_REQCHAL" , NET_REQCHAL , api_net_req_chal }, - { "NET_AUTH" , NET_AUTH , api_net_auth }, - { "NET_AUTH2" , NET_AUTH2 , api_net_auth_2 }, - { "NET_SRVPWSET" , NET_SRVPWSET , api_net_srv_pwset }, - { "NET_SAMLOGON" , NET_SAMLOGON , api_net_sam_logon }, - { "NET_SAMLOGOFF" , NET_SAMLOGOFF , api_net_sam_logoff }, - { "NET_LOGON_CTRL2" , NET_LOGON_CTRL2 , api_net_logon_ctrl2 }, - { "NET_TRUST_DOM_LIST", NET_TRUST_DOM_LIST, api_net_trust_dom_list }, - { "NET_LOGON_CTRL" , NET_LOGON_CTRL , api_net_logon_ctrl }, - { "NET_SAMLOGON_EX" , NET_SAMLOGON_EX , api_net_sam_logon_ex }, -#if 0 /* JERRY */ - { "DS_ENUM_DOM_TRUSTS", DS_ENUM_DOM_TRUSTS, api_ds_enum_dom_trusts } -#endif /* JERRY */ - }; - -void netlog_get_pipe_fns( struct api_struct **fns, int *n_fns ) -{ - *fns = api_net_cmds; - *n_fns = sizeof(api_net_cmds) / sizeof(struct api_struct); -} - -NTSTATUS rpc_net_init(void) -{ - return rpc_pipe_register_commands(SMB_RPC_INTERFACE_VERSION, "NETLOGON", "lsass", api_net_cmds, - sizeof(api_net_cmds) / sizeof(struct api_struct)); -} diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index 218ce73444..5b26f55845 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -1,4 +1,4 @@ -/* +/* * Unix SMB/CIFS implementation. * RPC Pipe client / server routines * Copyright (C) Andrew Tridgell 1992-1997, 
@@ -6,17 +6,18 @@ * Copyright (C) Paul Ashton 1997. * Copyright (C) Jeremy Allison 1998-2001. * Copyright (C) Andrew Bartlett 2001. + * Copyright (C) Guenther Deschner 2008. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License * along with this program; if not, see <http://www.gnu.org/licenses/>. */ 
@@ -34,38 +35,83 @@ extern userdom_struct current_user_info; init_net_r_req_chal: *************************************************************************/ -static void init_net_r_req_chal(NET_R_REQ_CHAL *r_c, - DOM_CHAL *srv_chal, NTSTATUS status) +static void init_net_r_req_chal(struct netr_Credential *r, + struct netr_Credential *srv_chal) { DEBUG(6,("init_net_r_req_chal: %d\n", __LINE__)); - memcpy(r_c->srv_chal.data, srv_chal->data, sizeof(srv_chal->data)); - r_c->status = status; + + memcpy(r->data, srv_chal->data, sizeof(r->data)); } -/************************************************************************* - error messages cropping up when using nltest.exe... - *************************************************************************/ +/******************************************************************* + Inits a netr_NETLOGON_INFO_1 structure. +********************************************************************/ + +static void init_netlogon_info1(struct netr_NETLOGON_INFO_1 *r, + uint32_t flags, + uint32_t pdc_connection_status) +{ + r->flags = flags; + r->pdc_connection_status = pdc_connection_status; +} -#define ERROR_NO_SUCH_DOMAIN 0x54b -#define ERROR_NO_LOGON_SERVERS 0x51f -#define NO_ERROR 0x0 +/******************************************************************* + Inits a netr_NETLOGON_INFO_2 structure. +********************************************************************/ + +static void init_netlogon_info2(struct netr_NETLOGON_INFO_2 *r, + uint32_t flags, + uint32_t pdc_connection_status, + const char *trusted_dc_name, + uint32_t tc_connection_status) +{ + r->flags = flags; + r->pdc_connection_status = pdc_connection_status; + r->trusted_dc_name = trusted_dc_name; + r->tc_connection_status = tc_connection_status; +} + +/******************************************************************* + Inits a netr_NETLOGON_INFO_3 structure. 
+********************************************************************/ + +static void init_netlogon_info3(struct netr_NETLOGON_INFO_3 *r, + uint32_t flags, + uint32_t logon_attempts) +{ + r->flags = flags; + r->logon_attempts = logon_attempts; +} /************************************************************************* - net_reply_logon_ctrl: + _netr_LogonControl *************************************************************************/ -NTSTATUS _net_logon_ctrl(pipes_struct *p, NET_Q_LOGON_CTRL *q_u, - NET_R_LOGON_CTRL *r_u) +WERROR _netr_LogonControl(pipes_struct *p, + struct netr_LogonControl *r) { - uint32 flags = 0x0; - uint32 pdc_connection_status = 0x00; /* Maybe a win32 error code? */ - + struct netr_NETLOGON_INFO_1 *info1; + uint32_t flags = 0x0; + uint32_t pdc_connection_status = W_ERROR_V(WERR_OK); + /* Setup the Logon Control response */ - init_net_r_logon_ctrl(r_u, q_u->query_level, flags, - pdc_connection_status); + switch (r->in.level) { + case 1: + info1 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_1); + if (!info1) { + return WERR_NOMEM; + } + init_netlogon_info1(info1, + flags, + pdc_connection_status); + r->out.info->info1 = info1; + break; + default: + return WERR_UNKNOWN_LEVEL; + } - return r_u->status; + return WERR_OK; } /**************************************************************************** 
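Review bot: In `_netr_LogonControl` the allocation failure is open-coded as `if (!info1) { return WERR_NOMEM; }`, while `_netr_LogonControl2` later in this commit checks the same `TALLOC_ZERO_P` result with `W_ERROR_HAVE_NO_MEMORY(info1);`. Using the macro in both handlers would keep them parallel. The new `init_netlogon_info2` helper would also benefit from a one-line comment saying that `trusted_dc_name` is stored by pointer, not copied, so the string must remain valid for as long as the reply structure is used.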
@@ -80,129 +126,153 @@ static void send_sync_message(void) } /************************************************************************* - net_reply_logon_ctrl2: + _netr_LogonControl2 *************************************************************************/ -NTSTATUS _net_logon_ctrl2(pipes_struct *p, NET_Q_LOGON_CTRL2 *q_u, NET_R_LOGON_CTRL2 *r_u) +WERROR _netr_LogonControl2(pipes_struct *p, + struct netr_LogonControl2 *r) { uint32 flags = 0x0; uint32 pdc_connection_status = 0x0; uint32 logon_attempts = 0x0; uint32 tc_status; - fstring servername, domain, dc_name, dc_name2; + fstring dc_name, dc_name2; struct sockaddr_storage dc_ss; + const char *domain = NULL; + struct netr_NETLOGON_INFO_1 *info1; + struct netr_NETLOGON_INFO_2 *info2; + struct netr_NETLOGON_INFO_3 *info3; - /* this should be \\global_myname() */ - unistr2_to_ascii(servername, &q_u->uni_server_name, sizeof(servername)); - - r_u->status = NT_STATUS_OK; - - tc_status = ERROR_NO_SUCH_DOMAIN; + tc_status = W_ERROR_V(WERR_NO_SUCH_DOMAIN); fstrcpy( dc_name, "" ); - - switch ( q_u->function_code ) { + + switch (r->in.function_code) { case NETLOGON_CONTROL_TC_QUERY: - unistr2_to_ascii(domain, &q_u->info.info6.domain, sizeof(domain)); - + domain = r->in.data->domain; + if ( !is_trusted_domain( domain ) ) break; - + if ( !get_dc_name( domain, NULL, dc_name2, &dc_ss ) ) { - tc_status = ERROR_NO_LOGON_SERVERS; + tc_status = W_ERROR_V(WERR_NO_LOGON_SERVERS); break; } fstr_sprintf( dc_name, "\\\\%s", dc_name2 ); - - tc_status = NO_ERROR; - + + tc_status = W_ERROR_V(WERR_OK); + break; - + case NETLOGON_CONTROL_REDISCOVER: - unistr2_to_ascii(domain, &q_u->info.info6.domain, sizeof(domain)); - + domain = r->in.data->domain; + if ( !is_trusted_domain( domain ) ) break; - + if ( !get_dc_name( domain, NULL, dc_name2, &dc_ss ) ) { - tc_status = ERROR_NO_LOGON_SERVERS; + tc_status = W_ERROR_V(WERR_NO_LOGON_SERVERS); break; } fstr_sprintf( dc_name, "\\\\%s", dc_name2 ); - - tc_status = NO_ERROR; - + + tc_status = 
W_ERROR_V(WERR_OK); + break; - + default: /* no idea what this should be */ - DEBUG(0,("_net_logon_ctrl2: unimplemented function level [%d]\n", - q_u->function_code)); + DEBUG(0,("_netr_LogonControl2: unimplemented function level [%d]\n", + r->in.function_code)); + return WERR_UNKNOWN_LEVEL; } - + /* prepare the response */ - - init_net_r_logon_ctrl2( r_u, q_u->query_level, flags, - pdc_connection_status, logon_attempts, tc_status, dc_name ); - if (lp_server_role() == ROLE_DOMAIN_BDC) + switch (r->in.level) { + case 1: + info1 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_1); + W_ERROR_HAVE_NO_MEMORY(info1); + + init_netlogon_info1(info1, + flags, + pdc_connection_status); + r->out.query->info1 = info1; + break; + case 2: + info2 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_2); + W_ERROR_HAVE_NO_MEMORY(info2); + + init_netlogon_info2(info2, + flags, + pdc_connection_status, + dc_name, + tc_status); + r->out.query->info2 = info2; + break; + case 3: + info3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_3); + W_ERROR_HAVE_NO_MEMORY(info3); + + init_netlogon_info3(info3, + flags, + logon_attempts); + r->out.query->info3 = info3; + break; + default: + return WERR_UNKNOWN_LEVEL; + } + + if (lp_server_role() == ROLE_DOMAIN_BDC) { send_sync_message(); + } - return r_u->status; + return WERR_OK; } /************************************************************************* - net_reply_trust_dom_list: + _netr_NetrEnumerateTrustedDomains *************************************************************************/ -NTSTATUS _net_trust_dom_list(pipes_struct *p, NET_Q_TRUST_DOM_LIST *q_u, NET_R_TRUST_DOM_LIST *r_u) +WERROR _netr_NetrEnumerateTrustedDomains(pipes_struct *p, + struct netr_NetrEnumerateTrustedDomains *r) { - const char *trusted_domain = "test_domain"; - uint32 num_trust_domains = 1; + struct netr_Blob trusted_domains_blob; + DATA_BLOB blob; - DEBUG(6,("_net_trust_dom_list: %d\n", __LINE__)); + DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", 
__LINE__)); /* set up the Trusted Domain List response */ - init_r_trust_dom(r_u, num_trust_domains, trusted_domain); - - DEBUG(6,("_net_trust_dom_list: %d\n", __LINE__)); - - return r_u->status; -} -/*********************************************************************************** - init_net_r_srv_pwset: - ***********************************************************************************/ + blob = data_blob_talloc_zero(p->mem_ctx, 2); + trusted_domains_blob.data = blob.data; + trusted_domains_blob.length = blob.length; -static void init_net_r_srv_pwset(NET_R_SRV_PWSET *r_s, - DOM_CRED *srv_cred, NTSTATUS status) -{ - DEBUG(5,("init_net_r_srv_pwset: %d\n", __LINE__)); + DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__)); - memcpy(&r_s->srv_cred, srv_cred, sizeof(r_s->srv_cred)); - r_s->status = status; + *r->out.trusted_domains_blob = trusted_domains_blob; - DEBUG(5,("init_net_r_srv_pwset: %d\n", __LINE__)); + return WERR_OK; } /****************************************************************** gets a machine password entry. checks access rights of the host. ******************************************************************/ -static NTSTATUS get_md4pw(char *md4pw, char *mach_acct, uint16 sec_chan_type) +static NTSTATUS get_md4pw(char *md4pw, const char *mach_acct, uint16 sec_chan_type) { struct samu *sampass = NULL; const uint8 *pass; bool ret; uint32 acct_ctrl; - + #if 0 char addr[INET6_ADDRSTRLEN]; /* * Currently this code is redundent as we already have a filter - * by hostname list. What this code really needs to do is to + * by hostname list. What this code really needs to do is to * get a hosts allowed/hosts denied list from the SAM database * on a per user basis, and make the access decision there. * I will leave this code here for now as a reminder to implement 
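Review bot: In the level 2 arm of `_netr_LogonControl2`, `init_netlogon_info2()` receives `dc_name`, a stack `fstring` local to this function, and the helper stores that pointer in `info2->trusted_dc_name` without copying it. The reply in `r->out.query` is presumably marshalled only after the handler has returned, when the pointer refers to a dead stack frame, so the response could carry unrelated stack contents or the server could read invalid memory. Copy the name onto the request's talloc context first, e.g. `const char *dc = talloc_strdup(p->mem_ctx, dc_name); W_ERROR_HAVE_NO_MEMORY(dc);`, and pass `dc` to the helper. In `_netr_NetrEnumerateTrustedDomains`, the result of `data_blob_talloc_zero(p->mem_ctx, 2)` is also used without checking `blob.data` for NULL.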
@@ -225,7 +295,7 @@ static NTSTATUS get_md4pw(char *md4pw, char *mach_acct, uint16 sec_chan_type) become_root(); ret = pdb_getsampwnam(sampass, mach_acct); unbecome_root(); - + if (!ret) { DEBUG(0,("get_md4pw: Workstation %s: no account in domain\n", mach_acct)); TALLOC_FREE(sampass); @@ -241,7 +311,7 @@ static NTSTATUS get_md4pw(char *md4pw, char *mach_acct, uint16 sec_chan_type) if (!(acct_ctrl & ACB_SVRTRUST) && !(acct_ctrl & ACB_WSTRUST) && - !(acct_ctrl & ACB_DOMTRUST)) + !(acct_ctrl & ACB_DOMTRUST)) { DEBUG(0,("get_md4pw: Workstation %s: account is not a trust account\n", mach_acct)); TALLOC_FREE(sampass); @@ -287,17 +357,18 @@ static NTSTATUS get_md4pw(char *md4pw, char *mach_acct, uint16 sec_chan_type) dump_data(5, (uint8 *)md4pw, 16); TALLOC_FREE(sampass); - + return NT_STATUS_OK; - + } /************************************************************************* - _net_req_chal + _netr_ServerReqChallenge *************************************************************************/ -NTSTATUS _net_req_chal(pipes_struct *p, NET_Q_REQ_CHAL *q_u, NET_R_REQ_CHAL *r_u) +NTSTATUS _netr_ServerReqChallenge(pipes_struct *p, + struct netr_ServerReqChallenge *r) { if (!p->dc) { p->dc = TALLOC_ZERO_P(p->pipe_state_mem_ctx, struct dcinfo); 
@@ -305,65 +376,53 @@ NTSTATUS _net_req_chal(pipes_struct *p, NET_Q_REQ_CHAL *q_u, NET_R_REQ_CHAL *r_u return NT_STATUS_NO_MEMORY; } } else { - DEBUG(10,("_net_req_chal: new challenge requested. Clearing old state.\n")); + DEBUG(10,("_netr_ServerReqChallenge: new challenge requested. Clearing old state.\n")); ZERO_STRUCTP(p->dc); } - rpcstr_pull(p->dc->remote_machine, - q_u->uni_logon_clnt.buffer, - sizeof(fstring),q_u->uni_logon_clnt.uni_str_len*2,0); + fstrcpy(p->dc->remote_machine, r->in.computer_name); /* Save the client challenge to the server. */ - memcpy(p->dc->clnt_chal.data, q_u->clnt_chal.data, sizeof(q_u->clnt_chal.data)); + memcpy(p->dc->clnt_chal.data, r->in.credentials->data, + sizeof(r->in.credentials->data)); /* Create a server challenge for the client */ /* Set this to a random value. */ generate_random_buffer(p->dc->srv_chal.data, 8); - + /* set up the LSA REQUEST CHALLENGE response */ - init_net_r_req_chal(r_u, &p->dc->srv_chal, NT_STATUS_OK); - + init_net_r_req_chal(r->out.return_credentials, &p->dc->srv_chal); + p->dc->challenge_sent = True; return NT_STATUS_OK; } /************************************************************************* - init_net_r_auth: + _netr_ServerAuthenticate + Create the initial credentials. *************************************************************************/ -static void init_net_r_auth(NET_R_AUTH *r_a, DOM_CHAL *resp_cred, NTSTATUS status) -{ - memcpy(r_a->srv_chal.data, resp_cred->data, sizeof(resp_cred->data)); - r_a->status = status; -} - -/************************************************************************* - _net_auth. Create the initial credentials. 
- *************************************************************************/ - -NTSTATUS _net_auth(pipes_struct *p, NET_Q_AUTH *q_u, NET_R_AUTH *r_u) +NTSTATUS _netr_ServerAuthenticate(pipes_struct *p, + struct netr_ServerAuthenticate *r) { NTSTATUS status; - fstring mach_acct; - fstring remote_machine; - DOM_CHAL srv_chal_out; + struct netr_Credential srv_chal_out; if (!p->dc || !p->dc->challenge_sent) { return NT_STATUS_ACCESS_DENIED; } - rpcstr_pull(mach_acct, q_u->clnt_id.uni_acct_name.buffer,sizeof(fstring), - q_u->clnt_id.uni_acct_name.uni_str_len*2,0); - rpcstr_pull(remote_machine, q_u->clnt_id.uni_comp_name.buffer,sizeof(fstring), - q_u->clnt_id.uni_comp_name.uni_str_len*2,0); - - status = get_md4pw((char *)p->dc->mach_pw, mach_acct, q_u->clnt_id.sec_chan); + status = get_md4pw((char *)p->dc->mach_pw, + r->in.account_name, + r->in.secure_channel_type); if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("_net_auth: creds_server_check failed. Failed to " + DEBUG(0,("_netr_ServerAuthenticate: get_md4pw failed. Failed to " "get password for machine account %s " "from client %s: %s\n", - mach_acct, remote_machine, nt_errstr(status) )); + r->in.account_name, + r->in.computer_name, + nt_errstr(status) )); /* always return NT_STATUS_ACCESS_DENIED */ return NT_STATUS_ACCESS_DENIED; } 
@@ -374,110 +433,101 @@ NTSTATUS _net_auth(pipes_struct *p, NET_Q_AUTH *q_u, NET_R_AUTH *r_u) &p->dc->clnt_chal, /* Stored client chal. */ &p->dc->srv_chal, /* Stored server chal. */ p->dc->mach_pw, - &srv_chal_out); + &srv_chal_out); /* Check client credentials are valid. */ - if (!creds_server_check(p->dc, &q_u->clnt_chal)) { - DEBUG(0,("_net_auth: creds_server_check failed. Rejecting auth " + if (!netlogon_creds_server_check(p->dc, r->in.credentials)) { + DEBUG(0,("_netr_ServerAuthenticate: netlogon_creds_server_check failed. Rejecting auth " "request from client %s machine account %s\n", - remote_machine, mach_acct )); + r->in.computer_name, + r->in.account_name)); return NT_STATUS_ACCESS_DENIED; } - fstrcpy(p->dc->mach_acct, mach_acct); - fstrcpy(p->dc->remote_machine, remote_machine); + fstrcpy(p->dc->mach_acct, r->in.account_name); + fstrcpy(p->dc->remote_machine, r->in.computer_name); p->dc->authenticated = True; /* set up the LSA AUTH response */ /* Return the server credentials. 
*/ - init_net_r_auth(r_u, &srv_chal_out, NT_STATUS_OK); - return r_u->status; -} + memcpy(r->out.return_credentials->data, &srv_chal_out.data, + sizeof(r->out.return_credentials->data)); -/************************************************************************* - init_net_r_auth_2: - *************************************************************************/ - -static void init_net_r_auth_2(NET_R_AUTH_2 *r_a, - DOM_CHAL *resp_cred, NEG_FLAGS *flgs, NTSTATUS status) -{ - memcpy(r_a->srv_chal.data, resp_cred->data, sizeof(resp_cred->data)); - memcpy(&r_a->srv_flgs, flgs, sizeof(r_a->srv_flgs)); - r_a->status = status; + return NT_STATUS_OK; } /************************************************************************* - _net_auth_2 + _netr_ServerAuthenticate2 *************************************************************************/ -NTSTATUS _net_auth_2(pipes_struct *p, NET_Q_AUTH_2 *q_u, NET_R_AUTH_2 *r_u) +NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p, + struct netr_ServerAuthenticate2 *r) { NTSTATUS status; - NEG_FLAGS srv_flgs; - fstring mach_acct; - fstring remote_machine; - DOM_CHAL srv_chal_out; - - rpcstr_pull(mach_acct, q_u->clnt_id.uni_acct_name.buffer,sizeof(fstring), - q_u->clnt_id.uni_acct_name.uni_str_len*2,0); + uint32_t srv_flgs; + struct netr_Credential srv_chal_out; - /* We use this as the key to store the creds. 
*/ - rpcstr_pull(remote_machine, q_u->clnt_id.uni_comp_name.buffer,sizeof(fstring), - q_u->clnt_id.uni_comp_name.uni_str_len*2,0); + /* We use this as the key to store the creds: */ + /* r->in.computer_name */ if (!p->dc || !p->dc->challenge_sent) { - DEBUG(0,("_net_auth2: no challenge sent to client %s\n", - remote_machine )); + DEBUG(0,("_netr_ServerAuthenticate2: no challenge sent to client %s\n", + r->in.computer_name)); return NT_STATUS_ACCESS_DENIED; } - if ( (lp_server_schannel() == True) && - ((q_u->clnt_flgs.neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) { + if ( (lp_server_schannel() == true) && + ((*r->in.negotiate_flags & NETLOGON_NEG_SCHANNEL) == 0) ) { /* schannel must be used, but client did not offer it. */ - DEBUG(0,("_net_auth2: schannel required but client failed " + DEBUG(0,("_netr_ServerAuthenticate2: schannel required but client failed " "to offer it. Client was %s\n", - mach_acct )); + r->in.account_name)); return NT_STATUS_ACCESS_DENIED; } - status = get_md4pw((char *)p->dc->mach_pw, mach_acct, q_u->clnt_id.sec_chan); + status = get_md4pw((char *)p->dc->mach_pw, + r->in.account_name, + r->in.secure_channel_type); if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("_net_auth2: failed to get machine password for " + DEBUG(0,("_netr_ServerAuthenticate2: failed to get machine password for " "account %s: %s\n", - mach_acct, nt_errstr(status) )); + r->in.account_name, nt_errstr(status) )); /* always return NT_STATUS_ACCESS_DENIED */ return NT_STATUS_ACCESS_DENIED; } /* From the client / server challenges and md4 password, generate sess key */ - creds_server_init(q_u->clnt_flgs.neg_flags, + creds_server_init(*r->in.negotiate_flags, p->dc, &p->dc->clnt_chal, /* Stored client chal. */ &p->dc->srv_chal, /* Stored server chal. */ p->dc->mach_pw, - &srv_chal_out); + &srv_chal_out); /* Check client credentials are valid. */ - if (!creds_server_check(p->dc, &q_u->clnt_chal)) { - DEBUG(0,("_net_auth2: creds_server_check failed. 
Rejecting auth " + if (!netlogon_creds_server_check(p->dc, r->in.credentials)) { + DEBUG(0,("_netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth " "request from client %s machine account %s\n", - remote_machine, mach_acct )); + r->in.computer_name, + r->in.account_name)); return NT_STATUS_ACCESS_DENIED; } - srv_flgs.neg_flags = 0x000001ff; + srv_flgs = 0x000001ff; - if (lp_server_schannel() != False) { - srv_flgs.neg_flags |= NETLOGON_NEG_SCHANNEL; + if (lp_server_schannel() != false) { + srv_flgs |= NETLOGON_NEG_SCHANNEL; } /* set up the LSA AUTH 2 response */ - init_net_r_auth_2(r_u, &srv_chal_out, &srv_flgs, NT_STATUS_OK); + memcpy(r->out.return_credentials->data, &srv_chal_out.data, + sizeof(r->out.return_credentials->data)); + *r->out.negotiate_flags = srv_flgs; - fstrcpy(p->dc->mach_acct, mach_acct); - fstrcpy(p->dc->remote_machine, remote_machine); + fstrcpy(p->dc->mach_acct, r->in.account_name); + fstrcpy(p->dc->remote_machine, r->in.computer_name); fstrcpy(p->dc->domain, lp_workgroup() ); p->dc->authenticated = True; 
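Review bot: Both `_netr_ServerAuthenticate` and `_netr_ServerAuthenticate2` open-code the reply copy as `memcpy(r->out.return_credentials->data, &srv_chal_out.data, sizeof(...))`, passing the address of the array where `init_net_r_req_chal` in this commit passes the array itself (`srv_chal->data`). The address is the same, but the mixed spelling invites a later mistake; write `srv_chal_out.data`, or reuse the retained helper as `init_net_r_req_chal(r->out.return_credentials, &srv_chal_out);`. Both functions extend beyond this hunk.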
@@ -485,39 +535,40 @@ NTSTATUS _net_auth_2(pipes_struct *p, NET_Q_AUTH_2 *q_u, NET_R_AUTH_2 *r_u) /* Store off the state so we can continue after client disconnect. */ become_root(); secrets_store_schannel_session_info(p->mem_ctx, - remote_machine, - p->dc); + r->in.computer_name, + p->dc); unbecome_root(); - return r_u->status; + return NT_STATUS_OK; } /************************************************************************* - _net_srv_pwset + _netr_ServerPasswordSet *************************************************************************/ -NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *r_u) +NTSTATUS _netr_ServerPasswordSet(pipes_struct *p, + struct netr_ServerPasswordSet *r) { + NTSTATUS status = NT_STATUS_OK; fstring remote_machine; struct samu *sampass=NULL; bool ret = False; unsigned char pwd[16]; int i; uint32 acct_ctrl; - DOM_CRED cred_out; + struct netr_Authenticator cred_out; const uchar *old_pw; - DEBUG(5,("_net_srv_pwset: %d\n", __LINE__)); + DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__)); /* We need the remote machine name for the creds lookup. */ - rpcstr_pull(remote_machine,q_u->clnt_id.login.uni_comp_name.buffer, - sizeof(remote_machine),q_u->clnt_id.login.uni_comp_name.uni_str_len*2,0); + fstrcpy(remote_machine, r->in.computer_name); if ( (lp_server_schannel() == True) && (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) ) { /* 'server schannel = yes' should enforce use of schannel, the client did offer it in auth2, but obviously did not use it. */ - DEBUG(0,("_net_srv_pwset: client %s not using schannel for netlogon\n", + DEBUG(0,("_netr_ServerPasswordSet: client %s not using schannel for netlogon\n", remote_machine )); return NT_STATUS_ACCESS_DENIED; } 
@@ -538,12 +589,12 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET * return NT_STATUS_INVALID_HANDLE; } - DEBUG(3,("_net_srv_pwset: Server Password Set by remote machine:[%s] on account [%s]\n", + DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n", remote_machine, p->dc->mach_acct)); - + /* Step the creds chain forward. */ - if (!creds_server_step(p->dc, &q_u->clnt_id.cred, &cred_out)) { - DEBUG(2,("_net_srv_pwset: creds_server_step failed. Rejecting auth " + if (!netlogon_creds_server_step(p->dc, r->in.credential, &cred_out)) { + DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth " "request from client %s machine account %s\n", remote_machine, p->dc->mach_acct )); return NT_STATUS_INVALID_PARAMETER; @@ -568,7 +619,7 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET * } /* Ensure the account exists and is a machine account. */ - + acct_ctrl = pdb_get_acct_ctrl(sampass); if (!(acct_ctrl & ACB_WSTRUST || @@ -577,16 +628,16 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET * TALLOC_FREE(sampass); return NT_STATUS_NO_SUCH_USER; } - + if (pdb_get_acct_ctrl(sampass) & ACB_DISABLED) { TALLOC_FREE(sampass); return NT_STATUS_ACCOUNT_DISABLED; } /* Woah - what does this to to the credential chain ? JRA */ - cred_hash3( pwd, q_u->pwd, p->dc->sess_key, 0); + cred_hash3(pwd, r->in.new_password->hash, p->dc->sess_key, 0); - DEBUG(100,("Server password set : new given value was :\n")); + DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n")); for(i = 0; i < sizeof(pwd); i++) DEBUG(100,("%02X ", pwd[i])); DEBUG(100,("\n")); 
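Review bot: The `DEBUG(100,...)` block relabelled in the third hunk still writes `pwd`, the output of `cred_hash3()`, to the log byte by byte, and later in this function that value is stored with `pdb_set_nt_passwd()`. At that debug level the log therefore holds the machine account's new NT hash, which is a usable credential for anyone who can read the log file. Since the commit touches this line anyway, consider dropping the loop and logging only the event, e.g. `DEBUG(10,("_netr_ServerPasswordSet: new password hash received\n"));`. `_netr_ServerPasswordSet` starts and ends outside this hunk.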
@@ -594,7 +645,7 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET * old_pw = pdb_get_nt_passwd(sampass); if (old_pw && memcmp(pwd, old_pw, 16) == 0) { - /* Avoid backend modificiations and other fun if the + /* Avoid backend modificiations and other fun if the client changed the password to the *same thing* */ ret = True; 
@@ -605,43 +656,44 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET * TALLOC_FREE(sampass); return NT_STATUS_NO_MEMORY; } - + if (!pdb_set_nt_passwd(sampass, pwd, PDB_CHANGED)) { TALLOC_FREE(sampass); return NT_STATUS_NO_MEMORY; } - + if (!pdb_set_pass_last_set_time(sampass, time(NULL), PDB_CHANGED)) { TALLOC_FREE(sampass); /* Not quite sure what this one qualifies as, but this will do */ - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_UNSUCCESSFUL; } - + become_root(); - r_u->status = pdb_update_sam_account(sampass); + status = pdb_update_sam_account(sampass); unbecome_root(); } /* set up the LSA Server Password Set response */ - init_net_r_srv_pwset(r_u, &cred_out, r_u->status); + + memcpy(r->out.return_authenticator, &cred_out, + sizeof(r->out.return_authenticator)); TALLOC_FREE(sampass); - return r_u->status; + return status; } /************************************************************************* - _net_sam_logoff: + _netr_LogonSamLogoff *************************************************************************/ -NTSTATUS _net_sam_logoff(pipes_struct *p, NET_Q_SAM_LOGOFF *q_u, NET_R_SAM_LOGOFF *r_u) +NTSTATUS _netr_LogonSamLogoff(pipes_struct *p, + struct netr_LogonSamLogoff *r) { - fstring remote_machine; - if ( (lp_server_schannel() == True) && (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) ) { /* 'server schannel = yes' should enforce use of schannel, the client did offer it in auth2, but obviously did not use it. */ - DEBUG(0,("_net_sam_logoff: client %s not using schannel for netlogon\n", + DEBUG(0,("_netr_LogonSamLogoff: client %s not using schannel for netlogon\n", get_remote_machine_name() )); return NT_STATUS_ACCESS_DENIED; } 
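Review bot: `sizeof(r->out.return_authenticator)` in the new `memcpy` measures a pointer, not the structure. The field is passed directly as the `memcpy` destination here and as the output argument of `netlogon_creds_server_step()` in `_netr_LogonSamLogoff`, so it appears to be a `struct netr_Authenticator *`. Only 4 or 8 bytes of `cred_out` are then copied, and the rest of the returned authenticator keeps whatever the caller allocated, so the client would receive an incomplete server credential. Use `sizeof(*r->out.return_authenticator)` as the length, or assign the struct with `*r->out.return_authenticator = cred_out;`. `_netr_ServerPasswordSet` starts above this hunk.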
@@ -650,9 +702,8 @@ NTSTATUS _net_sam_logoff(pipes_struct *p, NET_Q_SAM_LOGOFF *q_u, NET_R_SAM_LOGOF if (!get_valid_user_struct(p->vuid)) return NT_STATUS_NO_SUCH_USER; - /* Get the remote machine name for the creds store. */ - rpcstr_pull(remote_machine,q_u->sam_id.client.login.uni_comp_name.buffer, - sizeof(remote_machine),q_u->sam_id.client.login.uni_comp_name.uni_str_len*2,0); + /* Using the remote machine name for the creds store: */ + /* r->in.computer_name */ if (!p->dc) { /* Restore the saved state of the netlogon creds. */ @@ -660,8 +711,8 @@ NTSTATUS _net_sam_logoff(pipes_struct *p, NET_Q_SAM_LOGOFF *q_u, NET_R_SAM_LOGOF become_root(); ret = secrets_restore_schannel_session_info(p->pipe_state_mem_ctx, - remote_machine, - &p->dc); + r->in.computer_name, + &p->dc); unbecome_root(); if (!ret) { return NT_STATUS_INVALID_HANDLE; @@ -672,25 +723,22 @@ NTSTATUS _net_sam_logoff(pipes_struct *p, NET_Q_SAM_LOGOFF *q_u, NET_R_SAM_LOGOF return NT_STATUS_INVALID_HANDLE; } - r_u->buffer_creds = 1; /* yes, we have valid server credentials */ - /* checks and updates credentials. creates reply credentials */ - if (!creds_server_step(p->dc, &q_u->sam_id.client.cred, &r_u->srv_creds)) { - DEBUG(2,("_net_sam_logoff: creds_server_step failed. Rejecting auth " + if (!netlogon_creds_server_step(p->dc, r->in.credential, r->out.return_authenticator)) { + DEBUG(2,("_netr_LogonSamLogoff: netlogon_creds_server_step failed. Rejecting auth " "request from client %s machine account %s\n", - remote_machine, p->dc->mach_acct )); + r->in.computer_name, p->dc->mach_acct )); return NT_STATUS_INVALID_PARAMETER; } /* We must store the creds state after an update. */ become_root(); secrets_store_schannel_session_info(p->pipe_state_mem_ctx, - remote_machine, - p->dc); + r->in.computer_name, + p->dc); unbecome_root(); - r_u->status = NT_STATUS_OK; - return r_u->status; + return NT_STATUS_OK; } /******************************************************************* 
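Review bot: `_netr_LogonSamLogoff` now takes its inputs through pointers that the old embedded `q_u` fields could not leave unset: `r->in.computer_name` becomes the key for the schannel session store, and `r->in.credential` and `r->out.return_authenticator` go straight into `netlogon_creds_server_step()`. If the IDL (not shown on this page) declares any of them as unique pointers, a request that omits one would make the server dereference NULL. A guard at the top of the function closes that: `if (!r->in.computer_name || !r->in.credential || !r->out.return_authenticator) return NT_STATUS_INVALID_PARAMETER;`. The same question applies to `r->in.data->domain` in `_netr_LogonControl2`, and to `logon->password`, `logon->network` and their `.string` members in `_netr_LogonSamLogon`.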
@@ -701,7 +749,7 @@ static NTSTATUS nt_token_to_group_list(TALLOC_CTX *mem_ctx, const DOM_SID *domain_sid, size_t num_sids, const DOM_SID *sids, - int *numgroups, DOM_GID **pgids) + int *numgroups, DOM_GID **pgids) { int i; 
@@ -724,53 +772,54 @@ static NTSTATUS nt_token_to_group_list(TALLOC_CTX *mem_ctx, } /************************************************************************* - _net_sam_logon + _netr_LogonSamLogon *************************************************************************/ -static NTSTATUS _net_sam_logon_internal(pipes_struct *p, - NET_Q_SAM_LOGON *q_u, - NET_R_SAM_LOGON *r_u, - bool process_creds) +NTSTATUS _netr_LogonSamLogon(pipes_struct *p, + struct netr_LogonSamLogon *r) { NTSTATUS status = NT_STATUS_OK; - NET_USER_INFO_3 *usr_info = NULL; - NET_ID_INFO_CTR *ctr = q_u->sam_id.ctr; - UNISTR2 *uni_samlogon_user = NULL; - UNISTR2 *uni_samlogon_domain = NULL; - UNISTR2 *uni_samlogon_workstation = NULL; + struct netr_SamInfo3 *sam3 = NULL; + union netr_LogonLevel *logon = r->in.logon; fstring nt_username, nt_domain, nt_workstation; auth_usersupplied_info *user_info = NULL; auth_serversupplied_info *server_info = NULL; struct samu *sampw; struct auth_context *auth_context = NULL; - + bool process_creds = true; + + switch (p->hdr_req.opnum) { + case NDR_NETR_LOGONSAMLOGON: + process_creds = true; + break; + case NDR_NETR_LOGONSAMLOGONEX: + default: + process_creds = false; + } + if ( (lp_server_schannel() == True) && (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) ) { /* 'server schannel = yes' should enforce use of schannel, the client did offer it in auth2, but obviously did not use it. */ - DEBUG(0,("_net_sam_logon_internal: client %s not using schannel for netlogon\n", + DEBUG(0,("_netr_LogonSamLogon: client %s not using schannel for netlogon\n", get_remote_machine_name() )); return NT_STATUS_ACCESS_DENIED; } - usr_info = TALLOC_P(p->mem_ctx, NET_USER_INFO_3); - if (!usr_info) { + sam3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo3); + if (!sam3) { return NT_STATUS_NO_MEMORY; } - ZERO_STRUCTP(usr_info); - /* store the user information, if there is any. 
*/ - r_u->user = usr_info; - r_u->auth_resp = 1; /* authoritative response */ - if (q_u->validation_level != 2 && q_u->validation_level != 3) { - DEBUG(0,("_net_sam_logon: bad validation_level value %d.\n", (int)q_u->validation_level )); + r->out.validation->sam3 = sam3; + *r->out.authoritative = true; /* authoritative response */ + if (r->in.validation_level != 2 && r->in.validation_level != 3) { + DEBUG(0,("_netr_LogonSamLogon: bad validation_level value %d.\n", + (int)r->in.validation_level)); return NT_STATUS_ACCESS_DENIED; } - /* We handle the return of USER_INFO_2 instead of 3 in the parse return. Sucks, I know... */ - r_u->switch_value = q_u->validation_level; /* indicates type of validation user info */ - r_u->buffer_creds = 1; /* Ensure we always return server creds. */ - + if (!get_valid_user_struct(p->vuid)) return NT_STATUS_NO_SUCH_USER; @@ -781,8 +830,8 @@ static NTSTATUS _net_sam_logon_internal(pipes_struct *p, /* Note this is the remote machine this request is coming from (member server), not neccessarily the workstation name the user is logging onto. */ - rpcstr_pull(remote_machine,q_u->sam_id.client.login.uni_comp_name.buffer, - sizeof(remote_machine),q_u->sam_id.client.login.uni_comp_name.uni_str_len*2,0); + + fstrcpy(remote_machine, r->in.computer_name); if (!p->dc) { /* Restore the saved state of the netlogon creds. */ @@ -803,8 +852,8 @@ static NTSTATUS _net_sam_logon_internal(pipes_struct *p, } /* checks and updates credentials. creates reply credentials */ - if (!creds_server_step(p->dc, &q_u->sam_id.client.cred, &r_u->srv_creds)) { - DEBUG(2,("_net_sam_logon: creds_server_step failed. Rejecting auth " + if (!netlogon_creds_server_step(p->dc, r->in.credential, r->out.return_authenticator)) { + DEBUG(2,("_netr_LogonSamLogon: creds_server_step failed. Rejecting auth " "request from client %s machine account %s\n", remote_machine, p->dc->mach_acct )); return NT_STATUS_INVALID_PARAMETER; 
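Review bot: The new opnum switch in `_netr_LogonSamLogon` fails open, because its `default:` arm shares the `NDR_NETR_LOGONSAMLOGONEX` case and sets `process_creds = false`. Any opnum other than `NDR_NETR_LOGONSAMLOGON` that is ever routed to this function would skip the `netlogon_creds_server_step()` check. Give the Ex call its own arm (`case NDR_NETR_LOGONSAMLOGONEX: process_creds = false; break;`) and make the fallback reject with `default: return NT_STATUS_INVALID_PARAMETER;`. A comment on the switch saying why one handler serves both calls would also help, since the old `process_creds` parameter made that explicit. The function body continues past this hunk.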
@@ -818,20 +867,25 @@ static NTSTATUS _net_sam_logon_internal(pipes_struct *p, unbecome_root(); } - switch (q_u->sam_id.logon_level) { + switch (r->in.logon_level) { case INTERACTIVE_LOGON_TYPE: - uni_samlogon_user = &ctr->auth.id1.uni_user_name; - uni_samlogon_domain = &ctr->auth.id1.uni_domain_name; + fstrcpy(nt_username, + logon->password->identity_info.account_name.string); + fstrcpy(nt_domain, + logon->password->identity_info.domain_name.string); + fstrcpy(nt_workstation, + logon->password->identity_info.workstation.string); - uni_samlogon_workstation = &ctr->auth.id1.uni_wksta_name; - DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup())); break; case NET_LOGON_TYPE: - uni_samlogon_user = &ctr->auth.id2.uni_user_name; - uni_samlogon_domain = &ctr->auth.id2.uni_domain_name; - uni_samlogon_workstation = &ctr->auth.id2.uni_wksta_name; - + fstrcpy(nt_username, + logon->network->identity_info.account_name.string); + fstrcpy(nt_domain, + logon->network->identity_info.domain_name.string); + fstrcpy(nt_workstation, + logon->network->identity_info.workstation.string); + DEBUG(3,("SAM Logon (Network). Domain:[%s]. ", lp_workgroup())); break; default: 
@@ -839,24 +893,23 @@ static NTSTATUS _net_sam_logon_internal(pipes_struct *p, return NT_STATUS_INVALID_INFO_CLASS; } /* end switch */ - rpcstr_pull(nt_username,uni_samlogon_user->buffer,sizeof(nt_username),uni_samlogon_user->uni_str_len*2,0); - rpcstr_pull(nt_domain,uni_samlogon_domain->buffer,sizeof(nt_domain),uni_samlogon_domain->uni_str_len*2,0); - rpcstr_pull(nt_workstation,uni_samlogon_workstation->buffer,sizeof(nt_workstation),uni_samlogon_workstation->uni_str_len*2,0); - DEBUG(3,("User:[%s@%s] Requested Domain:[%s]\n", nt_username, nt_workstation, nt_domain)); fstrcpy(current_user_info.smb_name, nt_username); sub_set_smb_name(nt_username); - - DEBUG(5,("Attempting validation level %d for unmapped username %s.\n", q_u->sam_id.ctr->switch_value, nt_username)); + + DEBUG(5,("Attempting validation level %d for unmapped username %s.\n", + r->in.validation_level, nt_username)); status = NT_STATUS_OK; - - switch (ctr->switch_value) { + + switch (r->in.logon_level) { case NET_LOGON_TYPE: { const char *wksname = nt_workstation; - - if (!NT_STATUS_IS_OK(status = make_auth_context_fixed(&auth_context, ctr->auth.id2.lm_chal))) { + + status = make_auth_context_fixed(&auth_context, + logon->network->challenge); + if (!NT_STATUS_IS_OK(status)) { return status; } 
@@ -867,16 +920,16 @@ static NTSTATUS _net_sam_logon_internal(pipes_struct *p, if (*wksname == '\\') wksname++; /* Standard challenge/response authenticaion */ - if (!make_user_info_netlogon_network(&user_info, - nt_username, nt_domain, + if (!make_user_info_netlogon_network(&user_info, + nt_username, nt_domain, wksname, - ctr->auth.id2.param_ctrl, - ctr->auth.id2.lm_chal_resp.buffer, - ctr->auth.id2.lm_chal_resp.str_str_len, - ctr->auth.id2.nt_chal_resp.buffer, - ctr->auth.id2.nt_chal_resp.str_str_len)) { + logon->network->identity_info.parameter_control, + logon->network->lm.data, + logon->network->lm.length, + logon->network->nt.data, + logon->network->nt.length)) { status = NT_STATUS_NO_MEMORY; - } + } break; } case INTERACTIVE_LOGON_TYPE: @@ -886,20 +939,20 @@ static NTSTATUS _net_sam_logon_internal(pipes_struct *p, on */ { const uint8 *chal; - + if (!NT_STATUS_IS_OK(status = make_auth_context_subsystem(&auth_context))) { return status; } - + chal = auth_context->get_ntlm_challenge(auth_context); - if (!make_user_info_netlogon_interactive(&user_info, - nt_username, nt_domain, - nt_workstation, - ctr->auth.id1.param_ctrl, + if (!make_user_info_netlogon_interactive(&user_info, + nt_username, nt_domain, + nt_workstation, + logon->password->identity_info.parameter_control, chal, - ctr->auth.id1.lm_owf.data, - ctr->auth.id1.nt_owf.data, + logon->password->lmpassword.hash, + logon->password->ntpassword.hash, p->dc->sess_key)) { status = NT_STATUS_NO_MEMORY; } 
@@ -909,29 +962,29 @@ static NTSTATUS _net_sam_logon_internal(pipes_struct *p, DEBUG(2,("SAM Logon: unsupported switch value\n")); return NT_STATUS_INVALID_INFO_CLASS; } /* end switch */ - + if ( NT_STATUS_IS_OK(status) ) { - status = auth_context->check_ntlm_password(auth_context, + status = auth_context->check_ntlm_password(auth_context, user_info, &server_info); } - (auth_context->free)(&auth_context); + (auth_context->free)(&auth_context); free_user_info(&user_info); - - DEBUG(5, ("_net_sam_logon: check_password returned status %s\n", + + DEBUG(5,("_netr_LogonSamLogon: check_password returned status %s\n", nt_errstr(status))); /* Check account and password */ - + if (!NT_STATUS_IS_OK(status)) { - /* If we don't know what this domain is, we need to - indicate that we are not authoritative. This - allows the client to decide if it needs to try + /* If we don't know what this domain is, we need to + indicate that we are not authoritative. This + allows the client to decide if it needs to try a local user. Fix by jpjanosi@us.ibm.com, #2976 */ - if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER) + if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER) && !strequal(nt_domain, get_global_sam_name()) && !is_trusted_domain(nt_domain) ) - r_u->auth_resp = 0; /* We are not authoritative */ + *r->out.authoritative = false; /* We are not authoritative */ TALLOC_FREE(server_info); return status; @@ -939,7 +992,7 @@ static NTSTATUS _net_sam_logon_internal(pipes_struct *p, if (server_info->guest) { /* We don't like guest domain logons... */ - DEBUG(5,("_net_sam_logon: Attempted domain logon as GUEST " + DEBUG(5,("_netr_LogonSamLogon: Attempted domain logon as GUEST " "denied.\n")); TALLOC_FREE(server_info); return NT_STATUS_LOGON_FAILURE; 
@@ -958,29 +1011,40 @@ static NTSTATUS _net_sam_logon_internal(pipes_struct *p, int num_gids = 0; const char *my_name; - unsigned char user_session_key[16]; - unsigned char lm_session_key[16]; + + struct netr_UserSessionKey user_session_key; + struct netr_LMSessionKey lm_session_key; unsigned char pipe_session_key[16]; - sampw = server_info->sam_account; + NTTIME last_logon, last_logoff, acct_expiry, last_password_change; + NTTIME allow_password_change, force_password_change; + struct samr_RidWithAttributeArray groups; + int i; + struct dom_sid2 *sid = NULL; + + ZERO_STRUCT(user_session_key); + ZERO_STRUCT(lm_session_key); - /* set up pointer indicating user/password failed to be - * found */ - usr_info->ptr_user_info = 0; + sampw = server_info->sam_account; user_sid = pdb_get_user_sid(sampw); group_sid = pdb_get_group_sid(sampw); if ((user_sid == NULL) || (group_sid == NULL)) { - DEBUG(1, ("_net_sam_logon: User without group or user SID\n")); + DEBUG(1, ("_netr_LogonSamLogon: User without group or user SID\n")); return NT_STATUS_UNSUCCESSFUL; } sid_copy(&domain_sid, user_sid); sid_split_rid(&domain_sid, &user_rid); + sid = sid_dup_talloc(p->mem_ctx, &domain_sid); + if (!sid) { + return NT_STATUS_NO_MEMORY; + } + if (!sid_peek_check_rid(&domain_sid, group_sid, &group_rid)) { - DEBUG(1, ("_net_sam_logon: user %s\\%s has user sid " + DEBUG(1, ("_netr_LogonSamLogon: user %s\\%s has user sid " "%s\n but group sid %s.\n" "The conflicting domain portions are not " "supported for NETLOGON calls\n", @@ -1007,9 +1071,9 @@ static NTSTATUS _net_sam_logon_internal(pipes_struct *p, } if (server_info->user_session_key.length) { - memcpy(user_session_key, + memcpy(user_session_key.key, server_info->user_session_key.data, - MIN(sizeof(user_session_key), + MIN(sizeof(user_session_key.key), server_info->user_session_key.length)); if (process_creds) { /* Get the pipe session key from the creds. */ 
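Review bot: The added `if (!sid) { return NT_STATUS_NO_MEMORY; }` returns without releasing `server_info`, whereas the failure paths earlier in this function call `TALLOC_FREE(server_info)` before returning. `server_info` carries the user and LM session keys, so it is worth freeing on every exit: `TALLOC_FREE(server_info); return NT_STATUS_NO_MEMORY;`. The `if (!groups.rids)` return added in the later hunk at -1039 has the same gap. How `server_info` is parented is not visible here, so it may already be reclaimed with the request context; the function body extends beyond this hunk.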
@@ -1021,13 +1085,13 @@ static NTSTATUS _net_sam_logon_internal(pipes_struct *p, } memcpy(pipe_session_key, p->auth.a_u.schannel_auth->sess_key, 16); } - SamOEMhash(user_session_key, pipe_session_key, 16); + SamOEMhash(user_session_key.key, pipe_session_key, 16); memset(pipe_session_key, '\0', 16); } if (server_info->lm_session_key.length) { - memcpy(lm_session_key, + memcpy(lm_session_key.key, server_info->lm_session_key.data, - MIN(sizeof(lm_session_key), + MIN(sizeof(lm_session_key.key), server_info->lm_session_key.length)); if (process_creds) { /* Get the pipe session key from the creds. */ 
@@ -1039,36 +1103,56 @@ static NTSTATUS _net_sam_logon_internal(pipes_struct *p, } memcpy(pipe_session_key, p->auth.a_u.schannel_auth->sess_key, 16); } - SamOEMhash(lm_session_key, pipe_session_key, 16); + SamOEMhash(lm_session_key.key, pipe_session_key, 16); memset(pipe_session_key, '\0', 16); } - init_net_user_info3(p->mem_ctx, usr_info, - user_rid, - group_rid, - pdb_get_username(sampw), - pdb_get_fullname(sampw), - pdb_get_homedir(sampw), - pdb_get_dir_drive(sampw), - pdb_get_logon_script(sampw), - pdb_get_profile_path(sampw), - pdb_get_logon_time(sampw), - get_time_t_max(), - get_time_t_max(), - pdb_get_pass_last_set_time(sampw), - pdb_get_pass_can_change_time(sampw), - pdb_get_pass_must_change_time(sampw), - 0, /* logon_count */ - 0, /* bad_pw_count */ - num_gids, /* uint32 num_groups */ - gids , /* DOM_GID *gids */ - LOGON_EXTRA_SIDS, /* uint32 user_flgs (?) */ - pdb_get_acct_ctrl(sampw), - server_info->user_session_key.length ? user_session_key : NULL, - server_info->lm_session_key.length ? 
lm_session_key : NULL, - my_name , /* char *logon_srv */ - pdb_get_domain(sampw), - &domain_sid); /* DOM_SID *dom_sid */ + groups.count = num_gids; + groups.rids = TALLOC_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, + groups.count); + if (!groups.rids) { + return NT_STATUS_NO_MEMORY; + } + + for (i=0; i < groups.count; i++) { + groups.rids[i].rid = gids[i].g_rid; + groups.rids[i].attributes = gids[i].attr; + } + + unix_to_nt_time(&last_logon, pdb_get_logon_time(sampw)); + unix_to_nt_time(&last_logoff, get_time_t_max()); + unix_to_nt_time(&acct_expiry, get_time_t_max()); + unix_to_nt_time(&last_password_change, pdb_get_pass_last_set_time(sampw)); + unix_to_nt_time(&allow_password_change, pdb_get_pass_can_change_time(sampw)); + unix_to_nt_time(&force_password_change, pdb_get_pass_must_change_time(sampw)); + + init_netr_SamInfo3(sam3, + last_logon, + last_logoff, + acct_expiry, + last_password_change, + allow_password_change, + force_password_change, + talloc_strdup(p->mem_ctx, pdb_get_username(sampw)), + talloc_strdup(p->mem_ctx, pdb_get_fullname(sampw)), + talloc_strdup(p->mem_ctx, pdb_get_logon_script(sampw)), + talloc_strdup(p->mem_ctx, pdb_get_profile_path(sampw)), + talloc_strdup(p->mem_ctx, pdb_get_homedir(sampw)), + talloc_strdup(p->mem_ctx, pdb_get_dir_drive(sampw)), + 0, /* logon_count */ + 0, /* bad_password_count */ + user_rid, + group_rid, + groups, + NETLOGON_EXTRA_SIDS, + user_session_key, + my_name, + talloc_strdup(p->mem_ctx, pdb_get_domain(sampw)), + sid, + lm_session_key, + pdb_get_acct_ctrl(sampw), + 0, /* sidcount */ + NULL); /* struct netr_SidAttr *sids */ ZERO_STRUCT(user_session_key); ZERO_STRUCT(lm_session_key); } 
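Review bot: `SamOEMhash(lm_session_key.key, pipe_session_key, 16)` keeps the literal length from when `lm_session_key` was a 16-byte array, but the buffer is now `struct netr_LMSessionKey`. As far as I recall the netlogon IDL declares that key as 8 bytes (the definition is not on this page), in which case the in-place transform writes 8 bytes past the end of a stack object. Tie the length to the buffer, as the `memcpy` just above already does with `MIN(sizeof(lm_session_key.key), ...)`: `SamOEMhash(lm_session_key.key, pipe_session_key, sizeof(lm_session_key.key));`. The `user_session_key.key` call in the previous hunk could use `sizeof` the same way, although 16 appears to match there.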
@@ -1077,25 +1161,14 @@ static NTSTATUS _net_sam_logon_internal(pipes_struct *p, } /************************************************************************* - _net_sam_logon + _netr_LogonSamLogonEx + - no credential chaining. Map into net sam logon. *************************************************************************/ -NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *r_u) +NTSTATUS _netr_LogonSamLogonEx(pipes_struct *p, + struct netr_LogonSamLogonEx *r) { - return _net_sam_logon_internal(p, q_u, r_u, True); -} - -/************************************************************************* - _net_sam_logon_ex - no credential chaining. Map into net sam logon. - *************************************************************************/ - -NTSTATUS _net_sam_logon_ex(pipes_struct *p, NET_Q_SAM_LOGON_EX *q_u, NET_R_SAM_LOGON_EX *r_u) -{ - NET_Q_SAM_LOGON q; - NET_R_SAM_LOGON r; - - ZERO_STRUCT(q); - ZERO_STRUCT(r); + struct netr_LogonSamLogon q; /* Only allow this if the pipe is protected. */ if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) { 
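Review bot: `struct netr_LogonSamLogon q;` is no longer zeroed, since the old `ZERO_STRUCT(q)` was dropped with the rest of the declarations. The following hunk fills only some `in`/`out` members, so any member it skips (credential and return-authenticator fields, if the struct has them) holds indeterminate stack data when `_netr_LogonSamLogon(p, &q)` reads it; keep `ZERO_STRUCT(q);` after the declaration. The old call also passed `False` for credential processing and the new call has no such argument, so whether the Ex path still skips credential chaining depends on code outside this hunk and should be confirmed. The function body continues in the next hunk.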
@@ -1104,43 +1177,409 @@ NTSTATUS _net_sam_logon_ex(pipes_struct *p, NET_Q_SAM_LOGON_EX *q_u, NET_R_SAM_L return NT_STATUS_INVALID_PARAMETER; } - /* Map a NET_Q_SAM_LOGON_EX to NET_Q_SAM_LOGON. */ - q.validation_level = q_u->validation_level; - - /* Map a DOM_SAM_INFO_EX into a DOM_SAM_INFO with no creds. */ - q.sam_id.client.login = q_u->sam_id.client; - q.sam_id.logon_level = q_u->sam_id.logon_level; - q.sam_id.ctr = q_u->sam_id.ctr; + q.in.server_name = r->in.server_name; + q.in.computer_name = r->in.computer_name; + q.in.logon_level = r->in.logon_level; + q.in.logon = r->in.logon; + q.in.validation_level = r->in.validation_level; + /* we do not handle the flags */ + /* = r->in.flags; */ - r_u->status = _net_sam_logon_internal(p, &q, &r, False); - - if (!NT_STATUS_IS_OK(r_u->status)) { - return r_u->status; - } + q.out.validation = r->out.validation; + q.out.authoritative = r->out.authoritative; + /* we do not handle the flags */ + /* = r->out.flags; */ - /* Map the NET_R_SAM_LOGON to NET_R_SAM_LOGON_EX. */ - r_u->switch_value = r.switch_value; - r_u->user = r.user; - r_u->auth_resp = r.auth_resp; - r_u->flags = 0; /* FIXME ! */ - return r_u->status; + return _netr_LogonSamLogon(p, &q); } /************************************************************************* _ds_enum_dom_trusts *************************************************************************/ #if 0 /* JERRY -- not correct */ -NTSTATUS _ds_enum_dom_trusts(pipes_struct *p, DS_Q_ENUM_DOM_TRUSTS *q_u, + NTSTATUS _ds_enum_dom_trusts(pipes_struct *p, DS_Q_ENUM_DOM_TRUSTS *q_u, DS_R_ENUM_DOM_TRUSTS *r_u) { NTSTATUS status = NT_STATUS_OK; - /* TODO: According to MSDN, the can only be executed against a + /* TODO: According to MSDN, the can only be executed against a DC or domain member running Windows 2000 or later. Need - to test against a standalone 2k server and see what it - does. A windows 2000 DC includes its own domain in the + to test against a standalone 2k server and see what it + does. 
A windows 2000 DC includes its own domain in the list. --jerry */ return status; } #endif /* JERRY */ + + +/**************************************************************** +****************************************************************/ + +WERROR _netr_LogonUasLogon(pipes_struct *p, + struct netr_LogonUasLogon *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_LogonUasLogoff(pipes_struct *p, + struct netr_LogonUasLogoff *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _netr_DatabaseDeltas(pipes_struct *p, + struct netr_DatabaseDeltas *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _netr_DatabaseSync(pipes_struct *p, + struct netr_DatabaseSync *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _netr_AccountDeltas(pipes_struct *p, + struct netr_AccountDeltas *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _netr_AccountSync(pipes_struct *p, + struct netr_AccountSync *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_GetDcName(pipes_struct *p, + struct 
netr_GetDcName *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_GetAnyDCName(pipes_struct *p, + struct netr_GetAnyDCName *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _netr_DatabaseSync2(pipes_struct *p, + struct netr_DatabaseSync2 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _netr_DatabaseRedo(pipes_struct *p, + struct netr_DatabaseRedo *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_LogonControl2Ex(pipes_struct *p, + struct netr_LogonControl2Ex *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_DsRGetDCName(pipes_struct *p, + struct netr_DsRGetDCName *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_NETRLOGONDUMMYROUTINE1(pipes_struct *p, + struct netr_NETRLOGONDUMMYROUTINE1 *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_NETRLOGONSETSERVICEBITS(pipes_struct *p, + struct 
netr_NETRLOGONSETSERVICEBITS *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_LogonGetTrustRid(pipes_struct *p, + struct netr_LogonGetTrustRid *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_NETRLOGONCOMPUTESERVERDIGEST(pipes_struct *p, + struct netr_NETRLOGONCOMPUTESERVERDIGEST *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_NETRLOGONCOMPUTECLIENTDIGEST(pipes_struct *p, + struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p, + struct netr_ServerAuthenticate3 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_DsRGetDCNameEx(pipes_struct *p, + struct netr_DsRGetDCNameEx *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_DsRGetSiteName(pipes_struct *p, + struct netr_DsRGetSiteName *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + 
+NTSTATUS _netr_LogonGetDomainInfo(pipes_struct *p, + struct netr_LogonGetDomainInfo *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _netr_ServerPasswordSet2(pipes_struct *p, + struct netr_ServerPasswordSet2 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_ServerPasswordGet(pipes_struct *p, + struct netr_ServerPasswordGet *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_NETRLOGONSENDTOSAM(pipes_struct *p, + struct netr_NETRLOGONSENDTOSAM *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_DsRAddressToSitenamesW(pipes_struct *p, + struct netr_DsRAddressToSitenamesW *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_DsRGetDCNameEx2(pipes_struct *p, + struct netr_DsRGetDCNameEx2 *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(pipes_struct *p, + struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + 
+/**************************************************************** +****************************************************************/ + +WERROR _netr_NetrEnumerateTrustedDomainsEx(pipes_struct *p, + struct netr_NetrEnumerateTrustedDomainsEx *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_DsRAddressToSitenamesExW(pipes_struct *p, + struct netr_DsRAddressToSitenamesExW *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_DsrGetDcSiteCoverageW(pipes_struct *p, + struct netr_DsrGetDcSiteCoverageW *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_DsrEnumerateDomainTrusts(pipes_struct *p, + struct netr_DsrEnumerateDomainTrusts *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_DsrDeregisterDNSHostRecords(pipes_struct *p, + struct netr_DsrDeregisterDNSHostRecords *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _netr_ServerTrustPasswordsGet(pipes_struct *p, + struct netr_ServerTrustPasswordsGet *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR 
_netr_DsRGetForestTrustInformation(pipes_struct *p, + struct netr_DsRGetForestTrustInformation *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_GetForestTrustInformation(pipes_struct *p, + struct netr_GetForestTrustInformation *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _netr_LogonSamLogonWithFlags(pipes_struct *p, + struct netr_LogonSamLogonWithFlags *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _netr_NETRSERVERGETTRUSTINFO(pipes_struct *p, + struct netr_NETRSERVERGETTRUSTINFO *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + diff --git a/source3/rpc_server/srv_ntsvcs.c b/source3/rpc_server/srv_ntsvcs.c index b3e93ac459..12fffc3e96 100644 --- a/source3/rpc_server/srv_ntsvcs.c +++ b/source3/rpc_server/srv_ntsvcs.c 
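Review bot: In `_netr_LogonSamLogonEx` the reply flags are no longer written: the old handler set `r_u->flags = 0` explicitly, while the new mapping leaves only the commented-out `/* = r->out.flags; */`. The client then receives whatever the generated stub placed there before calling the handler, which is not visible on this page. If `r->out.flags` is a pointer like `r->out.authoritative`, adding `*r->out.flags = 0;` before `return _netr_LogonSamLogon(p, &q);` keeps the previous behaviour.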
@@ -25,49 +25,38 @@ /******************************************************************* ********************************************************************/ -static bool api_ntsvcs_get_version(pipes_struct *p) +static bool proxy_ntsvcs_call(pipes_struct *p, uint8_t opnum) { - NTSVCS_Q_GET_VERSION q_u; - NTSVCS_R_GET_VERSION r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); + struct api_struct *fns; + int n_fns; - if(!ntsvcs_io_q_get_version("", &q_u, data, 0)) - return False; + ntsvcs_get_pipe_fns(&fns, &n_fns); - r_u.status = _ntsvcs_get_version(p, &q_u, &r_u); + if (opnum >= n_fns) { + return false; + } - if(!ntsvcs_io_r_get_version("", &r_u, rdata, 0)) - return False; + if (fns[opnum].opnum != opnum) { + smb_panic("NTSVCS function table not sorted"); + } - return True; + return fns[opnum].fn(p); } /******************************************************************* ********************************************************************/ -static bool api_ntsvcs_get_device_list_size(pipes_struct *p) +static bool api_ntsvcs_get_version(pipes_struct *p) { - NTSVCS_Q_GET_DEVICE_LIST_SIZE q_u; - NTSVCS_R_GET_DEVICE_LIST_SIZE r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!ntsvcs_io_q_get_device_list_size("", &q_u, data, 0)) - return False; - - r_u.status = _ntsvcs_get_device_list_size(p, &q_u, &r_u); + return proxy_ntsvcs_call(p, NDR_PNP_GETVERSION); +} - if(!ntsvcs_io_r_get_device_list_size("", &r_u, rdata, 0)) - return False; +/******************************************************************* + ********************************************************************/ - return True; +static bool api_ntsvcs_get_device_list_size(pipes_struct *p) +{ + return proxy_ntsvcs_call(p, NDR_PNP_GETDEVICELISTSIZE); } /******************************************************************* 
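Review bot: `proxy_ntsvcs_call` is introduced under an empty banner comment, yet it depends on an invariant that deserves a sentence: the table returned by `ntsvcs_get_pipe_fns` must be indexed by opnum, and a mismatch aborts the server through `smb_panic`. I would fill the banner with `/* Dispatch to the generated NTSVCS handler; fns[] must be ordered so that fns[i].opnum == i. */`. The bounds check before indexing is the right order; note that `opnum` is `uint8_t` while `n_fns` is `int`, which is fine after promotion but could be made explicit with a cast.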
@@ -99,23 +88,7 @@ static bool api_ntsvcs_get_device_list(pipes_struct *p) static bool api_ntsvcs_validate_device_instance(pipes_struct *p) { - NTSVCS_Q_VALIDATE_DEVICE_INSTANCE q_u; - NTSVCS_R_VALIDATE_DEVICE_INSTANCE r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!ntsvcs_io_q_validate_device_instance("", &q_u, data, 0)) - return False; - - r_u.status = _ntsvcs_validate_device_instance(p, &q_u, &r_u); - - if(!ntsvcs_io_r_validate_device_instance("", &r_u, rdata, 0)) - return False; - - return True; + return proxy_ntsvcs_call(p, NDR_PNP_VALIDATEDEVICEINSTANCE); } /******************************************************************* @@ -147,23 +120,7 @@ static bool api_ntsvcs_get_device_reg_property(pipes_struct *p) static bool api_ntsvcs_get_hw_profile_info(pipes_struct *p) { - NTSVCS_Q_GET_HW_PROFILE_INFO q_u; - NTSVCS_R_GET_HW_PROFILE_INFO r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!ntsvcs_io_q_get_hw_profile_info("", &q_u, data, 0)) - return False; - - r_u.status = _ntsvcs_get_hw_profile_info(p, &q_u, &r_u); - - if(!ntsvcs_io_r_get_hw_profile_info("", &r_u, rdata, 0)) - return False; - - return True; + return proxy_ntsvcs_call(p, NDR_PNP_GETHWPROFINFO); } /******************************************************************* 
@@ -171,23 +128,7 @@ static bool api_ntsvcs_get_hw_profile_info(pipes_struct *p) static bool api_ntsvcs_hw_profile_flags(pipes_struct *p) { - NTSVCS_Q_HW_PROFILE_FLAGS q_u; - NTSVCS_R_HW_PROFILE_FLAGS r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!ntsvcs_io_q_hw_profile_flags("", &q_u, data, 0)) - return False; - - r_u.status = _ntsvcs_hw_profile_flags(p, &q_u, &r_u); - - if(!ntsvcs_io_r_hw_profile_flags("", &r_u, rdata, 0)) - return False; - - return True; + return proxy_ntsvcs_call(p, NDR_PNP_HWPROFFLAGS); } /******************************************************************* @@ -206,13 +147,13 @@ static struct api_struct api_ntsvcs_cmds[] = }; -void ntsvcs_get_pipe_fns( struct api_struct **fns, int *n_fns ) +void ntsvcs2_get_pipe_fns( struct api_struct **fns, int *n_fns ) { *fns = api_ntsvcs_cmds; *n_fns = sizeof(api_ntsvcs_cmds) / sizeof(struct api_struct); } -NTSTATUS rpc_ntsvcs_init(void) +NTSTATUS rpc_ntsvcs2_init(void) { return rpc_pipe_register_commands(SMB_RPC_INTERFACE_VERSION, "ntsvcs", "ntsvcs", api_ntsvcs_cmds, sizeof(api_ntsvcs_cmds) / sizeof(struct api_struct)); diff --git a/source3/rpc_server/srv_ntsvcs_nt.c b/source3/rpc_server/srv_ntsvcs_nt.c index 16c74c5d6d..11ea5d0cd1 100644 --- a/source3/rpc_server/srv_ntsvcs_nt.c +++ b/source3/rpc_server/srv_ntsvcs_nt.c 
@@ -34,31 +34,31 @@ static char* get_device_path(TALLOC_CTX *mem_ctx, const char *device ) /******************************************************************** ********************************************************************/ -WERROR _ntsvcs_get_version( pipes_struct *p, NTSVCS_Q_GET_VERSION *q_u, NTSVCS_R_GET_VERSION *r_u ) +WERROR _PNP_GetVersion(pipes_struct *p, + struct PNP_GetVersion *r) { - r_u->version = 0x00000400; /* no idea what this means */ - + *r->out.version = 0x0400; /* no idea what this means */ + return WERR_OK; } /******************************************************************** ********************************************************************/ -WERROR _ntsvcs_get_device_list_size( pipes_struct *p, NTSVCS_Q_GET_DEVICE_LIST_SIZE *q_u, NTSVCS_R_GET_DEVICE_LIST_SIZE *r_u ) +WERROR _PNP_GetDeviceListSize(pipes_struct *p, + struct PNP_GetDeviceListSize *r) { - fstring device; char *devicepath; - if ( !q_u->devicename ) + if (!r->in.devicename) { return WERR_ACCESS_DENIED; + } - rpcstr_pull(device, q_u->devicename->buffer, sizeof(device), q_u->devicename->uni_str_len*2, 0); - - if (!(devicepath = get_device_path(p->mem_ctx, device))) { + if (!(devicepath = get_device_path(p->mem_ctx, r->in.devicename))) { return WERR_NOMEM; } - r_u->size = strlen(devicepath) + 2; + *r->out.size = strlen(devicepath) + 2; TALLOC_FREE(devicepath); @@ -143,7 +143,8 @@ WERROR _ntsvcs_get_device_reg_property( pipes_struct *p, NTSVCS_Q_GET_DEVICE_REG /******************************************************************** ********************************************************************/ -WERROR _ntsvcs_validate_device_instance( pipes_struct *p, NTSVCS_Q_VALIDATE_DEVICE_INSTANCE *q_u, NTSVCS_R_VALIDATE_DEVICE_INSTANCE *r_u ) +WERROR _PNP_ValidateDeviceInstance(pipes_struct *p, + struct PNP_ValidateDeviceInstance *r) { /* whatever dude */ return WERR_OK; 
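Review bot: In `_PNP_GetDeviceListSize`, `r->in.devicename` now reaches `get_device_path()` at whatever length the NDR layer accepted, where the old code first truncated it into an `fstring` via `rpcstr_pull`. If no limit is enforced elsewhere, the client controls the size of the talloc'd path, and `strlen(devicepath) + 2` is then narrowed into `*r->out.size`. Restoring the previous bound is cheap, e.g. `if (strlen(r->in.devicename) >= sizeof(fstring)) return WERR_INVALID_PARAM;` before the `get_device_path` call. `get_device_path` is defined outside this hunk, so its own limits are not visible here.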
@@ -152,12 +153,12 @@ WERROR _ntsvcs_validate_device_instance( pipes_struct *p, NTSVCS_Q_VALIDATE_DEVI /******************************************************************** ********************************************************************/ -WERROR _ntsvcs_get_hw_profile_info( pipes_struct *p, NTSVCS_Q_GET_HW_PROFILE_INFO *q_u, NTSVCS_R_GET_HW_PROFILE_INFO *r_u ) +WERROR _PNP_GetHwProfInfo(pipes_struct *p, + struct PNP_GetHwProfInfo *r) { /* steal the incoming buffer */ - r_u->buffer_size = q_u->buffer_size; - r_u->buffer = q_u->buffer; + r->out.info = r->in.info; /* Take the 5th Ammentment */ 
@@ -167,10 +168,611 @@ WERROR _ntsvcs_get_hw_profile_info( pipes_struct *p, NTSVCS_Q_GET_HW_PROFILE_INF /******************************************************************** ********************************************************************/ -WERROR _ntsvcs_hw_profile_flags( pipes_struct *p, NTSVCS_Q_HW_PROFILE_FLAGS *q_u, NTSVCS_R_HW_PROFILE_FLAGS *r_u ) -{ +WERROR _PNP_HwProfFlags(pipes_struct *p, + struct PNP_HwProfFlags *r) +{ /* just nod your head */ - + return WERR_OK; } +/**************************************************************** +****************************************************************/ + +WERROR _PNP_Disconnect(pipes_struct *p, + struct PNP_Disconnect *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_Connect(pipes_struct *p, + struct PNP_Connect *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetGlobalState(pipes_struct *p, + struct PNP_GetGlobalState *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_InitDetection(pipes_struct *p, + struct PNP_InitDetection *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_ReportLogOn(pipes_struct *p, + struct PNP_ReportLogOn *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR 
_PNP_GetRootDeviceInstance(pipes_struct *p, + struct PNP_GetRootDeviceInstance *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetRelatedDeviceInstance(pipes_struct *p, + struct PNP_GetRelatedDeviceInstance *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_EnumerateSubKeys(pipes_struct *p, + struct PNP_EnumerateSubKeys *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetDeviceList(pipes_struct *p, + struct PNP_GetDeviceList *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetDepth(pipes_struct *p, + struct PNP_GetDepth *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetDeviceRegProp(pipes_struct *p, + struct PNP_GetDeviceRegProp *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_SetDeviceRegProp(pipes_struct *p, + struct PNP_SetDeviceRegProp *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR 
_PNP_GetClassInstance(pipes_struct *p, + struct PNP_GetClassInstance *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_CreateKey(pipes_struct *p, + struct PNP_CreateKey *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_DeleteRegistryKey(pipes_struct *p, + struct PNP_DeleteRegistryKey *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetClassCount(pipes_struct *p, + struct PNP_GetClassCount *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetClassName(pipes_struct *p, + struct PNP_GetClassName *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_DeleteClassKey(pipes_struct *p, + struct PNP_DeleteClassKey *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetInterfaceDeviceAlias(pipes_struct *p, + struct PNP_GetInterfaceDeviceAlias *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR 
_PNP_GetInterfaceDeviceList(pipes_struct *p, + struct PNP_GetInterfaceDeviceList *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetInterfaceDeviceListSize(pipes_struct *p, + struct PNP_GetInterfaceDeviceListSize *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_RegisterDeviceClassAssociation(pipes_struct *p, + struct PNP_RegisterDeviceClassAssociation *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_UnregisterDeviceClassAssociation(pipes_struct *p, + struct PNP_UnregisterDeviceClassAssociation *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetClassRegProp(pipes_struct *p, + struct PNP_GetClassRegProp *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_SetClassRegProp(pipes_struct *p, + struct PNP_SetClassRegProp *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_CreateDevInst(pipes_struct *p, + struct PNP_CreateDevInst *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** 
+****************************************************************/ + +WERROR _PNP_DeviceInstanceAction(pipes_struct *p, + struct PNP_DeviceInstanceAction *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetDeviceStatus(pipes_struct *p, + struct PNP_GetDeviceStatus *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_SetDeviceProblem(pipes_struct *p, + struct PNP_SetDeviceProblem *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_DisableDevInst(pipes_struct *p, + struct PNP_DisableDevInst *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_UninstallDevInst(pipes_struct *p, + struct PNP_UninstallDevInst *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_AddID(pipes_struct *p, + struct PNP_AddID *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_RegisterDriver(pipes_struct *p, + struct PNP_RegisterDriver *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** 
+****************************************************************/ + +WERROR _PNP_QueryRemove(pipes_struct *p, + struct PNP_QueryRemove *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_RequestDeviceEject(pipes_struct *p, + struct PNP_RequestDeviceEject *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_IsDockStationPresent(pipes_struct *p, + struct PNP_IsDockStationPresent *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_RequestEjectPC(pipes_struct *p, + struct PNP_RequestEjectPC *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_AddEmptyLogConf(pipes_struct *p, + struct PNP_AddEmptyLogConf *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_FreeLogConf(pipes_struct *p, + struct PNP_FreeLogConf *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetFirstLogConf(pipes_struct *p, + struct PNP_GetFirstLogConf *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** 
+****************************************************************/ + +WERROR _PNP_GetNextLogConf(pipes_struct *p, + struct PNP_GetNextLogConf *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetLogConfPriority(pipes_struct *p, + struct PNP_GetLogConfPriority *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_AddResDes(pipes_struct *p, + struct PNP_AddResDes *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_FreeResDes(pipes_struct *p, + struct PNP_FreeResDes *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetNextResDes(pipes_struct *p, + struct PNP_GetNextResDes *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetResDesData(pipes_struct *p, + struct PNP_GetResDesData *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetResDesDataSize(pipes_struct *p, + struct PNP_GetResDesDataSize *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** 
+****************************************************************/ + +WERROR _PNP_ModifyResDes(pipes_struct *p, + struct PNP_ModifyResDes *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_DetectResourceLimit(pipes_struct *p, + struct PNP_DetectResourceLimit *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_QueryResConfList(pipes_struct *p, + struct PNP_QueryResConfList *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_SetHwProf(pipes_struct *p, + struct PNP_SetHwProf *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_QueryArbitratorFreeData(pipes_struct *p, + struct PNP_QueryArbitratorFreeData *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_QueryArbitratorFreeSize(pipes_struct *p, + struct PNP_QueryArbitratorFreeSize *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_RunDetection(pipes_struct *p, + struct PNP_RunDetection *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** 
+****************************************************************/ + +WERROR _PNP_RegisterNotification(pipes_struct *p, + struct PNP_RegisterNotification *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_UnregisterNotification(pipes_struct *p, + struct PNP_UnregisterNotification *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetCustomDevProp(pipes_struct *p, + struct PNP_GetCustomDevProp *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetVersionInternal(pipes_struct *p, + struct PNP_GetVersionInternal *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetBlockedDriverInfo(pipes_struct *p, + struct PNP_GetBlockedDriverInfo *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + +/**************************************************************** +****************************************************************/ + +WERROR _PNP_GetServerSideDeviceInstallFlags(pipes_struct *p, + struct PNP_GetServerSideDeviceInstallFlags *r) +{ + p->rng_fault_state = true; + return WERR_NOT_SUPPORTED; +} + diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 5ede0c93f4..19c8db0533 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c 
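Review bot: `_PNP_HwProfFlags` at the top of this hunk still returns `WERR_OK` without reading or writing `r`, while every stub added below it rejects the call with `WERR_NOT_SUPPORTED`, so a client is told that operation succeeded although nothing happened. Either give it the same two lines as the other stubs or replace "just nod your head" with a comment saying why a silent success is wanted. The stubs from `_PNP_Disconnect` to `_PNP_GetServerSideDeviceInstallFlags` also repeat `p->rng_fault_state = true;` with no explanation of the flag. A comment on the first one, for example `/* not implemented: flag the call so the dispatcher replies with an RPC fault rather than marshalling r->out */`, would help, assuming that is what the dispatcher outside this diff does with the flag. Rejecting the state-changing calls (`_PNP_SetDeviceRegProp`, `_PNP_CreateKey`, `_PNP_DeleteRegistryKey`) outright is the right default and is worth stating in that comment.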
@@ -993,7 +993,7 @@ bool check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract, /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */ for ( i=0; pipe_names[i].client_pipe; i++ ) { - DEBUG(10,("checking %s\n", pipe_names[i].client_pipe)); + DEBUGADD(10,("checking %s\n", pipe_names[i].client_pipe)); if ( strequal(pipe_names[i].client_pipe, pname) && (abstract->version == pipe_names[i].abstr_syntax.version) && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(struct GUID)) == 0) @@ -1105,7 +1105,7 @@ static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_ char *OIDs[ASN1_MAX_OIDS]; int i; NTSTATUS status; - bool got_kerberos_mechanism = False; + bool got_kerberos_mechanism = false; AUTH_NTLMSSP_STATE *a = NULL; RPC_HDR_AUTH auth_info; @@ -1133,7 +1133,7 @@ static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_ } if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) { - got_kerberos_mechanism = True; + got_kerberos_mechanism = true; } for (i=0;OIDs[i];i++) { 
@@ -1154,27 +1154,38 @@ static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_ free_pipe_ntlmssp_auth_data(&p->auth); } - /* Initialize the NTLM engine. */ - status = auth_ntlmssp_start(&a); - if (!NT_STATUS_IS_OK(status)) { - goto err; - } + if (!got_kerberos_mechanism) { + /* Initialize the NTLM engine. */ + status = auth_ntlmssp_start(&a); + if (!NT_STATUS_IS_OK(status)) { + goto err; + } - /* - * Pass the first security blob of data to it. - * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED - * which means we need another packet to complete the bind. - */ + /* + * Pass the first security blob of data to it. + * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED + * which means we need another packet to complete the bind. + */ - status = auth_ntlmssp_update(a, secblob, &chal); + status = auth_ntlmssp_update(a, secblob, &chal); - if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n")); - goto err; - } + if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n")); + goto err; + } - /* Generate the response blob we need for step 2 of the bind. */ - response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP); + /* Generate the response blob we need for step 2 of the bind. */ + response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP); + } else { + /* + * SPNEGO negotiate down to NTLMSSP. The subsequent + * code to process follow-up packets is not complete + * yet. JRA. + */ + response = spnego_gen_auth_response(NULL, + NT_STATUS_MORE_PROCESSING_REQUIRED, + OID_NTLMSSP); + } /* Copy the blob into the pout_auth parse struct */ init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1); 
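Review bot: The new `else` branch answers a Kerberos-first SPNEGO offer with `NT_STATUS_MORE_PROCESSING_REQUIRED` and `OID_NTLMSSP` while `a` stays NULL, so the bind is steered from krb5 down to NTLMSSP with no NTLMSSP state behind it. The comment added in the `@@ -1231` hunk confirms that the continue step then fails on `!a` and logs at `DEBUG(0,...)`, a message any client that offers krb5 first can trigger repeatedly. I would log the downgrade in the branch itself, e.g. `DEBUG(3,("pipe_spnego_auth_bind_negotiate: krb5 offered first, negotiating down to NTLMSSP\n"));`, and have the continue path test `a == NULL` separately at a lower log level. Two things cannot be checked from here: that `spnego_gen_auth_response()` accepts a NULL blob pointer, and that the code after the hunk does not record a NULL `a` as valid NTLMSSP state. The decision also rests on `OIDs[0]` alone, and the function begins and ends outside the hunk.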
@@ -1231,6 +1242,10 @@ static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p ZERO_STRUCT(auth_reply); ZERO_STRUCT(response); + /* + * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently + * fail here as 'a' == NULL. + */ if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) { DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n")); goto err; @@ -1259,7 +1274,7 @@ static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p * The following call actually checks the challenge/response data. * for correctness against the given DOMAIN\user name. */ - + if (!pipe_ntlmssp_verify_final(p, &auth_blob)) { goto err; } @@ -2361,16 +2376,16 @@ void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns ) switch ( idx ) { case PI_LSARPC: - lsa_get_pipe_fns( &cmds, &n_cmds ); + lsarpc_get_pipe_fns( &cmds, &n_cmds ); break; - case PI_LSARPC_DS: - lsa_ds_get_pipe_fns( &cmds, &n_cmds ); + case PI_DSSETUP: + dssetup_get_pipe_fns( &cmds, &n_cmds ); break; case PI_SAMR: samr_get_pipe_fns( &cmds, &n_cmds ); break; case PI_NETLOGON: - netlog_get_pipe_fns( &cmds, &n_cmds ); + netlogon_get_pipe_fns( &cmds, &n_cmds ); break; case PI_SRVSVC: srvsvc2_get_pipe_fns( &cmds, &n_cmds ); @@ -2394,7 +2409,7 @@ void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns ) eventlog2_get_pipe_fns( &cmds, &n_cmds ); break; case PI_NTSVCS: - ntsvcs_get_pipe_fns( &cmds, &n_cmds ); + ntsvcs2_get_pipe_fns( &cmds, &n_cmds ); break; #ifdef DEVELOPER case PI_RPCECHO: diff --git a/source3/rpc_server/srv_samr.c b/source3/rpc_server/srv_samr.c deleted file mode 100644 index a1deac083d..0000000000 --- a/source3/rpc_server/srv_samr.c +++ /dev/null 
@@ -1,1571 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * RPC Pipe client / server routines - * Copyright (C) Andrew Tridgell 1992-1997, - * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, - * Copyright (C) Paul Ashton 1997, - * Copyright (C) Marc Jacobsen 1999, - * Copyright (C) Jean François Micouleau 1998-2001, - * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002-2003. - * - * Split into interface and implementation modules by, - * - * Copyright (C) Jeremy Allison 2001. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see <http://www.gnu.org/licenses/>. - */ - -/* - * This is the interface to the SAMR code. 
- */ - -#include "includes.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_RPC_SRV - -/******************************************************************* - api_samr_close_hnd - ********************************************************************/ - -static bool api_samr_close_hnd(pipes_struct *p) -{ - SAMR_Q_CLOSE_HND q_u; - SAMR_R_CLOSE_HND r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!samr_io_q_close_hnd("", &q_u, data, 0)) { - DEBUG(0,("api_samr_close_hnd: unable to unmarshall SAMR_Q_CLOSE_HND.\n")); - return False; - } - - r_u.status = _samr_close_hnd(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!samr_io_r_close_hnd("", &r_u, rdata, 0)) { - DEBUG(0,("api_samr_close_hnd: unable to marshall SAMR_R_CLOSE_HND.\n")); - return False; - } - - return True; -} - -/******************************************************************* - api_samr_open_domain - ********************************************************************/ - -static bool api_samr_open_domain(pipes_struct *p) -{ - SAMR_Q_OPEN_DOMAIN q_u; - SAMR_R_OPEN_DOMAIN r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!samr_io_q_open_domain("", &q_u, data, 0)) { - DEBUG(0,("api_samr_open_domain: unable to unmarshall SAMR_Q_OPEN_DOMAIN.\n")); - return False; - } - - r_u.status = _samr_open_domain(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!samr_io_r_open_domain("", &r_u, rdata, 0)) { - DEBUG(0,("api_samr_open_domain: unable to marshall SAMR_R_OPEN_DOMAIN.\n")); - return False; - } - - return True; -} - -/******************************************************************* - api_samr_get_usrdom_pwinfo - ********************************************************************/ - -static bool api_samr_get_usrdom_pwinfo(pipes_struct *p) -{ - SAMR_Q_GET_USRDOM_PWINFO q_u; - SAMR_R_GET_USRDOM_PWINFO 
r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!samr_io_q_get_usrdom_pwinfo("", &q_u, data, 0)) { - DEBUG(0,("api_samr_get_usrdom_pwinfo: unable to unmarshall SAMR_Q_GET_USRDOM_PWINFO.\n")); - return False; - } - - r_u.status = _samr_get_usrdom_pwinfo(p, &q_u, &r_u); - - if(!samr_io_r_get_usrdom_pwinfo("", &r_u, rdata, 0)) { - DEBUG(0,("api_samr_get_usrdom_pwinfo: unable to marshall SAMR_R_GET_USRDOM_PWINFO.\n")); - return False; - } - - return True; -} - -/******************************************************************* - api_samr_set_sec_obj - ********************************************************************/ - -static bool api_samr_set_sec_obj(pipes_struct *p) -{ - SAMR_Q_SET_SEC_OBJ q_u; - SAMR_R_SET_SEC_OBJ r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!samr_io_q_set_sec_obj("", &q_u, data, 0)) { - DEBUG(0,("api_samr_set_sec_obj: unable to unmarshall SAMR_Q_SET_SEC_OBJ.\n")); - return False; - } - - r_u.status = _samr_set_sec_obj(p, &q_u, &r_u); - - if(!samr_io_r_set_sec_obj("", &r_u, rdata, 0)) { - DEBUG(0,("api_samr_set_sec_obj: unable to marshall SAMR_R_SET_SEC_OBJ.\n")); - return False; - } - - return True; -} - -/******************************************************************* - api_samr_query_sec_obj - ********************************************************************/ - -static bool api_samr_query_sec_obj(pipes_struct *p) -{ - SAMR_Q_QUERY_SEC_OBJ q_u; - SAMR_R_QUERY_SEC_OBJ r_u; - - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!samr_io_q_query_sec_obj("", &q_u, data, 0)) { - DEBUG(0,("api_samr_query_sec_obj: unable to unmarshall SAMR_Q_QUERY_SEC_OBJ.\n")); - return False; - } - - r_u.status = _samr_query_sec_obj(p, &q_u, &r_u); - - if(!samr_io_r_query_sec_obj("", &r_u, rdata, 0)) { 
- DEBUG(0,("api_samr_query_sec_obj: unable to marshall SAMR_R_QUERY_SEC_OBJ.\n")); - return False; - } - - return True; -} - -/******************************************************************* - api_samr_enum_dom_users - ********************************************************************/ - -static bool api_samr_enum_dom_users(pipes_struct *p) -{ - SAMR_Q_ENUM_DOM_USERS q_u; - SAMR_R_ENUM_DOM_USERS r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the samr open */ - if(!samr_io_q_enum_dom_users("", &q_u, data, 0)) { - DEBUG(0,("api_samr_enum_dom_users: unable to unmarshall SAMR_Q_ENUM_DOM_USERS.\n")); - return False; - } - - r_u.status = _samr_enum_dom_users(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!samr_io_r_enum_dom_users("", &r_u, rdata, 0)) { - DEBUG(0,("api_samr_enum_dom_users: unable to marshall SAMR_R_ENUM_DOM_USERS.\n")); - return False; - } - - return True; -} - -/******************************************************************* - api_samr_enum_dom_groups - ********************************************************************/ - -static bool api_samr_enum_dom_groups(pipes_struct *p) -{ - SAMR_Q_ENUM_DOM_GROUPS q_u; - SAMR_R_ENUM_DOM_GROUPS r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the samr open */ - if(!samr_io_q_enum_dom_groups("", &q_u, data, 0)) { - DEBUG(0,("api_samr_enum_dom_groups: unable to unmarshall SAMR_Q_ENUM_DOM_GROUPS.\n")); - return False; - } - - r_u.status = _samr_enum_dom_groups(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!samr_io_r_enum_dom_groups("", &r_u, rdata, 0)) { - DEBUG(0,("api_samr_enum_dom_groups: unable to marshall SAMR_R_ENUM_DOM_GROUPS.\n")); - return False; - } - - return True; -} - -/******************************************************************* - api_samr_enum_dom_aliases - 
********************************************************************/ - -static bool api_samr_enum_dom_aliases(pipes_struct *p) -{ - SAMR_Q_ENUM_DOM_ALIASES q_u; - SAMR_R_ENUM_DOM_ALIASES r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the samr open */ - if(!samr_io_q_enum_dom_aliases("", &q_u, data, 0)) { - DEBUG(0,("api_samr_enum_dom_aliases: unable to unmarshall SAMR_Q_ENUM_DOM_ALIASES.\n")); - return False; - } - - r_u.status = _samr_enum_dom_aliases(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!samr_io_r_enum_dom_aliases("", &r_u, rdata, 0)) { - DEBUG(0,("api_samr_enum_dom_aliases: unable to marshall SAMR_R_ENUM_DOM_ALIASES.\n")); - return False; - } - - return True; -} - -/******************************************************************* - api_samr_query_dispinfo - ********************************************************************/ - -static bool api_samr_query_dispinfo(pipes_struct *p) -{ - SAMR_Q_QUERY_DISPINFO q_u; - SAMR_R_QUERY_DISPINFO r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!samr_io_q_query_dispinfo("", &q_u, data, 0)) { - DEBUG(0,("api_samr_query_dispinfo: unable to unmarshall SAMR_Q_QUERY_DISPINFO.\n")); - return False; - } - - r_u.status = _samr_query_dispinfo(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!samr_io_r_query_dispinfo("", &r_u, rdata, 0)) { - DEBUG(0,("api_samr_query_dispinfo: unable to marshall SAMR_R_QUERY_DISPINFO.\n")); - return False; - } - - return True; -} - -/******************************************************************* - api_samr_query_aliasinfo - ********************************************************************/ - -static bool api_samr_query_aliasinfo(pipes_struct *p) -{ - SAMR_Q_QUERY_ALIASINFO q_u; - SAMR_R_QUERY_ALIASINFO r_u; - prs_struct *data = &p->in_data.data; - prs_struct 
*rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- /* grab the samr open */
- if(!samr_io_q_query_aliasinfo("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_query_aliasinfo: unable to unmarshall SAMR_Q_QUERY_ALIASINFO.\n"));
- return False;
- }
-
- r_u.status = _samr_query_aliasinfo(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!samr_io_r_query_aliasinfo("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_query_aliasinfo: unable to marshall SAMR_R_QUERY_ALIASINFO.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_lookup_names
- ********************************************************************/
-
-static bool api_samr_lookup_names(pipes_struct *p)
-{
- SAMR_Q_LOOKUP_NAMES q_u;
- SAMR_R_LOOKUP_NAMES r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- /* grab the samr lookup names */
- if(!samr_io_q_lookup_names("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_lookup_names: unable to unmarshall SAMR_Q_LOOKUP_NAMES.\n"));
- return False;
- }
-
- r_u.status = _samr_lookup_names(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!samr_io_r_lookup_names("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_lookup_names: unable to marshall SAMR_R_LOOKUP_NAMES.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_chgpasswd_user
- ********************************************************************/
-
-static bool api_samr_chgpasswd_user(pipes_struct *p)
-{
- SAMR_Q_CHGPASSWD_USER q_u;
- SAMR_R_CHGPASSWD_USER r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- /* change password request */
- if (!samr_io_q_chgpasswd_user("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_chgpasswd_user: Failed to unmarshall SAMR_Q_CHGPASSWD_USER.\n"));
- return False;
- }
-
- r_u.status = _samr_chgpasswd_user(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!samr_io_r_chgpasswd_user("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_chgpasswd_user: Failed to marshall SAMR_R_CHGPASSWD_USER.\n" ));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_lookup_rids
- ********************************************************************/
-
-static bool api_samr_lookup_rids(pipes_struct *p)
-{
- SAMR_Q_LOOKUP_RIDS q_u;
- SAMR_R_LOOKUP_RIDS r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- /* grab the samr lookup names */
- if(!samr_io_q_lookup_rids("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_lookup_rids: unable to unmarshall SAMR_Q_LOOKUP_RIDS.\n"));
- return False;
- }
-
- r_u.status = _samr_lookup_rids(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!samr_io_r_lookup_rids("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_lookup_rids: unable to marshall SAMR_R_LOOKUP_RIDS.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_open_user
- ********************************************************************/
-
-static bool api_samr_open_user(pipes_struct *p)
-{
- SAMR_Q_OPEN_USER q_u;
- SAMR_R_OPEN_USER r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if(!samr_io_q_open_user("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_open_user: unable to unmarshall SAMR_Q_OPEN_USER.\n"));
- return False;
- }
-
- r_u.status = _samr_open_user(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!samr_io_r_open_user("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_open_user: unable to marshall SAMR_R_OPEN_USER.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_query_userinfo
- ********************************************************************/
-
-static bool api_samr_query_userinfo(pipes_struct *p)
-{
- SAMR_Q_QUERY_USERINFO q_u;
- SAMR_R_QUERY_USERINFO r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if(!samr_io_q_query_userinfo("", &q_u, data, 0)){
- DEBUG(0,("api_samr_query_userinfo: unable to unmarshall SAMR_Q_QUERY_USERINFO.\n"));
- return False;
- }
-
- r_u.status = _samr_query_userinfo(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!samr_io_r_query_userinfo("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_query_userinfo: unable to marshall SAMR_R_QUERY_USERINFO.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_query_usergroups
- ********************************************************************/
-
-static bool api_samr_query_usergroups(pipes_struct *p)
-{
- SAMR_Q_QUERY_USERGROUPS q_u;
- SAMR_R_QUERY_USERGROUPS r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if(!samr_io_q_query_usergroups("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_query_usergroups: unable to unmarshall SAMR_Q_QUERY_USERGROUPS.\n"));
- return False;
- }
-
- r_u.status = _samr_query_usergroups(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!samr_io_r_query_usergroups("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_query_usergroups: unable to marshall SAMR_R_QUERY_USERGROUPS.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_query_domain_info
- ********************************************************************/
-
-static bool api_samr_query_domain_info(pipes_struct *p)
-{
- SAMR_Q_QUERY_DOMAIN_INFO q_u;
- SAMR_R_QUERY_DOMAIN_INFO r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if(!samr_io_q_query_domain_info("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_query_domain_info: unable to unmarshall SAMR_Q_QUERY_DOMAIN_INFO.\n"));
- return False;
- }
-
- r_u.status = _samr_query_domain_info(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!samr_io_r_query_domain_info("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_query_domain_info: unable to marshall SAMR_R_QUERY_DOMAIN_INFO.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_create_user
- ********************************************************************/
-
-static bool api_samr_create_user(pipes_struct *p)
-{
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- SAMR_Q_CREATE_USER q_u;
- SAMR_R_CREATE_USER r_u;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- /* grab the samr create user */
- if (!samr_io_q_create_user("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_create_user: Unable to unmarshall SAMR_Q_CREATE_USER.\n"));
- return False;
- }
-
- r_u.status=_samr_create_user(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!samr_io_r_create_user("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_create_user: Unable to marshall SAMR_R_CREATE_USER.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_connect_anon
- ********************************************************************/
-
-static bool api_samr_connect_anon(pipes_struct *p)
-{
- SAMR_Q_CONNECT_ANON q_u;
- SAMR_R_CONNECT_ANON r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- /* grab the samr open policy */
- if(!samr_io_q_connect_anon("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_connect_anon: unable to unmarshall SAMR_Q_CONNECT_ANON.\n"));
- return False;
- }
-
- r_u.status = _samr_connect_anon(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!samr_io_r_connect_anon("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_connect_anon: unable to marshall SAMR_R_CONNECT_ANON.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_connect
- ********************************************************************/
-
-static bool api_samr_connect(pipes_struct *p)
-{
- SAMR_Q_CONNECT q_u;
- SAMR_R_CONNECT r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- /* grab the samr open policy */
- if(!samr_io_q_connect("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_connect: unable to unmarshall SAMR_Q_CONNECT.\n"));
- return False;
- }
-
- r_u.status = _samr_connect(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!samr_io_r_connect("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_connect: unable to marshall SAMR_R_CONNECT.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_connect4
- ********************************************************************/
-
-static bool api_samr_connect4(pipes_struct *p)
-{
- SAMR_Q_CONNECT4 q_u;
- SAMR_R_CONNECT4 r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- /* grab the samr open policy */
- if(!samr_io_q_connect4("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_connect4: unable to unmarshall SAMR_Q_CONNECT4.\n"));
- return False;
- }
-
- r_u.status = _samr_connect4(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!samr_io_r_connect4("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_connect4: unable to marshall SAMR_R_CONNECT4.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_chgpasswd_user3
- ********************************************************************/
-
-static bool api_samr_chgpasswd_user3(pipes_struct *p)
-{
- SAMR_Q_CHGPASSWD_USER3 q_u;
- SAMR_R_CHGPASSWD_USER3 r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- /* change password request */
- if (!samr_io_q_chgpasswd_user3("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_chgpasswd_user3: Failed to unmarshall SAMR_Q_CHGPASSWD_USER3.\n"));
- return False;
- }
-
- r_u.status = _samr_chgpasswd_user3(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!samr_io_r_chgpasswd_user3("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_chgpasswd_user3: Failed to marshall SAMR_R_CHGPASSWD_USER3.\n" ));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_connect5
- ********************************************************************/
-
-static bool api_samr_connect5(pipes_struct *p)
-{
- SAMR_Q_CONNECT5 q_u;
- SAMR_R_CONNECT5 r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- /* grab the samr open policy */
- if(!samr_io_q_connect5("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_connect5: unable to unmarshall SAMR_Q_CONNECT5.\n"));
- return False;
- }
-
- r_u.status = _samr_connect5(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!samr_io_r_connect5("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_connect5: unable to marshall SAMR_R_CONNECT5.\n"));
- return False;
- }
-
- return True;
-}
-
-/**********************************************************************
- api_samr_lookup_domain
- **********************************************************************/
-
-static bool api_samr_lookup_domain(pipes_struct *p)
-{
- SAMR_Q_LOOKUP_DOMAIN q_u;
- SAMR_R_LOOKUP_DOMAIN r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if(!samr_io_q_lookup_domain("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_lookup_domain: Unable to unmarshall SAMR_Q_LOOKUP_DOMAIN.\n"));
- return False;
- }
-
- r_u.status = _samr_lookup_domain(p, &q_u, &r_u);
-
- if(!samr_io_r_lookup_domain("", &r_u, rdata, 0)){
- DEBUG(0,("api_samr_lookup_domain: Unable to marshall SAMR_R_LOOKUP_DOMAIN.\n"));
- return False;
- }
-
- return True;
-}
-
-/**********************************************************************
- api_samr_enum_domains
- **********************************************************************/
-
-static bool api_samr_enum_domains(pipes_struct *p)
-{
- SAMR_Q_ENUM_DOMAINS q_u;
- SAMR_R_ENUM_DOMAINS r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if(!samr_io_q_enum_domains("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_enum_domains: Unable to unmarshall SAMR_Q_ENUM_DOMAINS.\n"));
- return False;
- }
-
- r_u.status = _samr_enum_domains(p, &q_u, &r_u);
-
- if(!samr_io_r_enum_domains("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_enum_domains: Unable to marshall SAMR_R_ENUM_DOMAINS.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_open_alias
- ********************************************************************/
-
-static bool api_samr_open_alias(pipes_struct *p)
-{
- SAMR_Q_OPEN_ALIAS q_u;
- SAMR_R_OPEN_ALIAS r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- /* grab the samr open policy */
- if(!samr_io_q_open_alias("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_open_alias: Unable to unmarshall SAMR_Q_OPEN_ALIAS.\n"));
- return False;
- }
-
- r_u.status=_samr_open_alias(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!samr_io_r_open_alias("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_open_alias: Unable to marshall SAMR_R_OPEN_ALIAS.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_set_userinfo
- ********************************************************************/
-
-static bool api_samr_set_userinfo(pipes_struct *p)
-{
- SAMR_Q_SET_USERINFO q_u;
- SAMR_R_SET_USERINFO r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_set_userinfo("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_set_userinfo: Unable to unmarshall SAMR_Q_SET_USERINFO.\n"));
- /* Fix for W2K SP2 */
- /* what is that status-code ? - gd */
- if (q_u.switch_value == 0x1a) {
- setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_INVALID_TAG));
- return True;
- }
- return False;
- }
-
- r_u.status = _samr_set_userinfo(p, &q_u, &r_u);
-
- if(!samr_io_r_set_userinfo("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_set_userinfo: Unable to marshall SAMR_R_SET_USERINFO.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_set_userinfo2
- ********************************************************************/
-
-static bool api_samr_set_userinfo2(pipes_struct *p)
-{
- SAMR_Q_SET_USERINFO2 q_u;
- SAMR_R_SET_USERINFO2 r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_set_userinfo2("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_set_userinfo2: Unable to unmarshall SAMR_Q_SET_USERINFO2.\n"));
- return False;
- }
-
- r_u.status = _samr_set_userinfo2(p, &q_u, &r_u);
-
- if(!samr_io_r_set_userinfo2("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_set_userinfo2: Unable to marshall SAMR_R_SET_USERINFO2.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_query_useraliases
- ********************************************************************/
-
-static bool api_samr_query_useraliases(pipes_struct *p)
-{
- SAMR_Q_QUERY_USERALIASES q_u;
- SAMR_R_QUERY_USERALIASES r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_query_useraliases("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_query_useraliases: Unable to unmarshall SAMR_Q_QUERY_USERALIASES.\n"));
- return False;
- }
-
- r_u.status = _samr_query_useraliases(p, &q_u, &r_u);
-
- if (! samr_io_r_query_useraliases("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_query_useraliases: Unable to nmarshall SAMR_R_QUERY_USERALIASES.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_query_aliasmem
- ********************************************************************/
-
-static bool api_samr_query_aliasmem(pipes_struct *p)
-{
- SAMR_Q_QUERY_ALIASMEM q_u;
- SAMR_R_QUERY_ALIASMEM r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_query_aliasmem("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_query_aliasmem: unable to unmarshall SAMR_Q_QUERY_ALIASMEM.\n"));
- return False;
- }
-
- r_u.status = _samr_query_aliasmem(p, &q_u, &r_u);
-
- if (!samr_io_r_query_aliasmem("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_query_aliasmem: unable to marshall SAMR_R_QUERY_ALIASMEM.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_query_groupmem
- ********************************************************************/
-
-static bool api_samr_query_groupmem(pipes_struct *p)
-{
- SAMR_Q_QUERY_GROUPMEM q_u;
- SAMR_R_QUERY_GROUPMEM r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_query_groupmem("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_query_groupmem: unable to unmarshall SAMR_Q_QUERY_GROUPMEM.\n"));
- return False;
- }
-
- r_u.status = _samr_query_groupmem(p, &q_u, &r_u);
-
- if (!samr_io_r_query_groupmem("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_query_groupmem: unable to marshall SAMR_R_QUERY_GROUPMEM.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_add_aliasmem
- ********************************************************************/
-
-static bool api_samr_add_aliasmem(pipes_struct *p)
-{
- SAMR_Q_ADD_ALIASMEM q_u;
- SAMR_R_ADD_ALIASMEM r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_add_aliasmem("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_add_aliasmem: unable to unmarshall SAMR_Q_ADD_ALIASMEM.\n"));
- return False;
- }
-
- r_u.status = _samr_add_aliasmem(p, &q_u, &r_u);
-
- if (!samr_io_r_add_aliasmem("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_add_aliasmem: unable to marshall SAMR_R_ADD_ALIASMEM.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_del_aliasmem
- ********************************************************************/
-
-static bool api_samr_del_aliasmem(pipes_struct *p)
-{
- SAMR_Q_DEL_ALIASMEM q_u;
- SAMR_R_DEL_ALIASMEM r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_del_aliasmem("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_del_aliasmem: unable to unmarshall SAMR_Q_DEL_ALIASMEM.\n"));
- return False;
- }
-
- r_u.status = _samr_del_aliasmem(p, &q_u, &r_u);
-
- if (!samr_io_r_del_aliasmem("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_del_aliasmem: unable to marshall SAMR_R_DEL_ALIASMEM.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_add_groupmem
- ********************************************************************/
-
-static bool api_samr_add_groupmem(pipes_struct *p)
-{
- SAMR_Q_ADD_GROUPMEM q_u;
- SAMR_R_ADD_GROUPMEM r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_add_groupmem("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_add_groupmem: unable to unmarshall SAMR_Q_ADD_GROUPMEM.\n"));
- return False;
- }
-
- r_u.status = _samr_add_groupmem(p, &q_u, &r_u);
-
- if (!samr_io_r_add_groupmem("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_add_groupmem: unable to marshall SAMR_R_ADD_GROUPMEM.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_del_groupmem
- ********************************************************************/
-
-static bool api_samr_del_groupmem(pipes_struct *p)
-{
- SAMR_Q_DEL_GROUPMEM q_u;
- SAMR_R_DEL_GROUPMEM r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_del_groupmem("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_del_groupmem: unable to unmarshall SAMR_Q_DEL_GROUPMEM.\n"));
- return False;
- }
-
- r_u.status = _samr_del_groupmem(p, &q_u, &r_u);
-
- if (!samr_io_r_del_groupmem("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_del_groupmem: unable to marshall SAMR_R_DEL_GROUPMEM.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_delete_dom_user
- ********************************************************************/
-
-static bool api_samr_delete_dom_user(pipes_struct *p)
-{
- SAMR_Q_DELETE_DOM_USER q_u;
- SAMR_R_DELETE_DOM_USER r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_delete_dom_user("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_delete_dom_user: unable to unmarshall SAMR_Q_DELETE_DOM_USER.\n"));
- return False;
- }
-
- r_u.status = _samr_delete_dom_user(p, &q_u, &r_u);
-
- if (!samr_io_r_delete_dom_user("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_delete_dom_user: unable to marshall SAMR_R_DELETE_DOM_USER.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_delete_dom_group
- ********************************************************************/
-
-static bool api_samr_delete_dom_group(pipes_struct *p)
-{
- SAMR_Q_DELETE_DOM_GROUP q_u;
- SAMR_R_DELETE_DOM_GROUP r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_delete_dom_group("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_delete_dom_group: unable to unmarshall SAMR_Q_DELETE_DOM_GROUP.\n"));
- return False;
- }
-
- r_u.status = _samr_delete_dom_group(p, &q_u, &r_u);
-
- if (!samr_io_r_delete_dom_group("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_delete_dom_group: unable to marshall SAMR_R_DELETE_DOM_GROUP.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_delete_dom_alias
- ********************************************************************/
-
-static bool api_samr_delete_dom_alias(pipes_struct *p)
-{
- SAMR_Q_DELETE_DOM_ALIAS q_u;
- SAMR_R_DELETE_DOM_ALIAS r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_delete_dom_alias("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_delete_dom_alias: unable to unmarshall SAMR_Q_DELETE_DOM_ALIAS.\n"));
- return False;
- }
-
- r_u.status = _samr_delete_dom_alias(p, &q_u, &r_u);
-
- if (!samr_io_r_delete_dom_alias("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_delete_dom_alias: unable to marshall SAMR_R_DELETE_DOM_ALIAS.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_create_dom_group
- ********************************************************************/
-
-static bool api_samr_create_dom_group(pipes_struct *p)
-{
- SAMR_Q_CREATE_DOM_GROUP q_u;
- SAMR_R_CREATE_DOM_GROUP r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_create_dom_group("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_create_dom_group: unable to unmarshall SAMR_Q_CREATE_DOM_GROUP.\n"));
- return False;
- }
-
- r_u.status = _samr_create_dom_group(p, &q_u, &r_u);
-
- if (!samr_io_r_create_dom_group("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_create_dom_group: unable to marshall SAMR_R_CREATE_DOM_GROUP.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_create_dom_alias
- ********************************************************************/
-
-static bool api_samr_create_dom_alias(pipes_struct *p)
-{
- SAMR_Q_CREATE_DOM_ALIAS q_u;
- SAMR_R_CREATE_DOM_ALIAS r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_create_dom_alias("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_create_dom_alias: unable to unmarshall SAMR_Q_CREATE_DOM_ALIAS.\n"));
- return False;
- }
-
- r_u.status = _samr_create_dom_alias(p, &q_u, &r_u);
-
- if (!samr_io_r_create_dom_alias("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_create_dom_alias: unable to marshall SAMR_R_CREATE_DOM_ALIAS.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_query_groupinfo
- ********************************************************************/
-
-static bool api_samr_query_groupinfo(pipes_struct *p)
-{
- SAMR_Q_QUERY_GROUPINFO q_u;
- SAMR_R_QUERY_GROUPINFO r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_query_groupinfo("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_query_groupinfo: unable to unmarshall SAMR_Q_QUERY_GROUPINFO.\n"));
- return False;
- }
-
- r_u.status = _samr_query_groupinfo(p, &q_u, &r_u);
-
- if (!samr_io_r_query_groupinfo("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_query_groupinfo: unable to marshall SAMR_R_QUERY_GROUPINFO.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_set_groupinfo
- ********************************************************************/
-
-static bool api_samr_set_groupinfo(pipes_struct *p)
-{
- SAMR_Q_SET_GROUPINFO q_u;
- SAMR_R_SET_GROUPINFO r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_set_groupinfo("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_set_groupinfo: unable to unmarshall SAMR_Q_SET_GROUPINFO.\n"));
- return False;
- }
-
- r_u.status = _samr_set_groupinfo(p, &q_u, &r_u);
-
- if (!samr_io_r_set_groupinfo("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_set_groupinfo: unable to marshall SAMR_R_SET_GROUPINFO.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_set_aliasinfo
- ********************************************************************/
-
-static bool api_samr_set_aliasinfo(pipes_struct *p)
-{
- SAMR_Q_SET_ALIASINFO q_u;
- SAMR_R_SET_ALIASINFO r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_set_aliasinfo("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_set_aliasinfo: unable to unmarshall SAMR_Q_SET_ALIASINFO.\n"));
- return False;
- }
-
- r_u.status = _samr_set_aliasinfo(p, &q_u, &r_u);
-
- if (!samr_io_r_set_aliasinfo("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_set_aliasinfo: unable to marshall SAMR_R_SET_ALIASINFO.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_get_dom_pwinfo
- ********************************************************************/
-
-static bool api_samr_get_dom_pwinfo(pipes_struct *p)
-{
- SAMR_Q_GET_DOM_PWINFO q_u;
- SAMR_R_GET_DOM_PWINFO r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_get_dom_pwinfo("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_get_dom_pwinfo: unable to unmarshall SAMR_Q_GET_DOM_PWINFO.\n"));
- return False;
- }
-
- r_u.status = _samr_get_dom_pwinfo(p, &q_u, &r_u);
-
- if (!samr_io_r_get_dom_pwinfo("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_get_dom_pwinfo: unable to marshall SAMR_R_GET_DOM_PWINFO.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_open_group
- ********************************************************************/
-
-static bool api_samr_open_group(pipes_struct *p)
-{
- SAMR_Q_OPEN_GROUP q_u;
- SAMR_R_OPEN_GROUP r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_open_group("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_open_group: unable to unmarshall SAMR_Q_OPEN_GROUP.\n"));
- return False;
- }
-
- r_u.status = _samr_open_group(p, &q_u, &r_u);
-
- if (!samr_io_r_open_group("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_open_group: unable to marshall SAMR_R_OPEN_GROUP.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_remove_sid_foreign_domain
- ********************************************************************/
-
-static bool api_samr_remove_sid_foreign_domain(pipes_struct *p)
-{
- SAMR_Q_REMOVE_SID_FOREIGN_DOMAIN q_u;
- SAMR_R_REMOVE_SID_FOREIGN_DOMAIN r_u;
-
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if (!samr_io_q_remove_sid_foreign_domain("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_remove_sid_foreign_domain: unable to unmarshall SAMR_Q_REMOVE_SID_FOREIGN_DOMAIN.\n"));
- return False;
- }
-
- r_u.status = _samr_remove_sid_foreign_domain(p, &q_u, &r_u);
-
- if (!samr_io_r_remove_sid_foreign_domain("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_remove_sid_foreign_domain: unable to marshall SAMR_R_REMOVE_SID_FOREIGN_DOMAIN.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_query_dom_info2
- ********************************************************************/
-
-static bool api_samr_query_domain_info2(pipes_struct *p)
-{
- SAMR_Q_QUERY_DOMAIN_INFO2 q_u;
- SAMR_R_QUERY_DOMAIN_INFO2 r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if(!samr_io_q_query_domain_info2("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_query_domain_info2: unable to unmarshall SAMR_Q_QUERY_DOMAIN_INFO2.\n"));
- return False;
- }
-
- r_u.status = _samr_query_domain_info2(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!samr_io_r_query_domain_info2("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_query_domain_info2: unable to marshall SAMR_R_QUERY_DOMAIN_INFO2.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- api_samr_set_dom_info
- ********************************************************************/
-
-static bool api_samr_set_dom_info(pipes_struct *p)
-{
- SAMR_Q_SET_DOMAIN_INFO q_u;
- SAMR_R_SET_DOMAIN_INFO r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- if(!samr_io_q_set_domain_info("", &q_u, data, 0)) {
- DEBUG(0,("api_samr_set_dom_info: unable to unmarshall SAMR_Q_SET_DOMAIN_INFO.\n"));
- return False;
- }
-
- r_u.status = _samr_set_dom_info(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!samr_io_r_set_domain_info("", &r_u, rdata, 0)) {
- DEBUG(0,("api_samr_set_dom_info: unable to marshall SAMR_R_SET_DOMAIN_INFO.\n"));
- return False;
- }
-
- return True;
-}
-
-/*******************************************************************
- array of \PIPE\samr operations
- ********************************************************************/
-
-static struct api_struct api_samr_cmds [] =
-{
- {"SAMR_CLOSE_HND" , SAMR_CLOSE_HND , api_samr_close_hnd },
- {"SAMR_CONNECT" , SAMR_CONNECT , api_samr_connect },
- {"SAMR_CONNECT_ANON" , SAMR_CONNECT_ANON , api_samr_connect_anon },
- {"SAMR_ENUM_DOMAINS" , SAMR_ENUM_DOMAINS , api_samr_enum_domains },
- {"SAMR_ENUM_DOM_USERS" , SAMR_ENUM_DOM_USERS , api_samr_enum_dom_users },
-
- {"SAMR_ENUM_DOM_GROUPS" , SAMR_ENUM_DOM_GROUPS , api_samr_enum_dom_groups },
- {"SAMR_ENUM_DOM_ALIASES" , SAMR_ENUM_DOM_ALIASES , api_samr_enum_dom_aliases },
- {"SAMR_QUERY_USERALIASES" , SAMR_QUERY_USERALIASES, api_samr_query_useraliases},
- {"SAMR_QUERY_ALIASMEM" , SAMR_QUERY_ALIASMEM , api_samr_query_aliasmem },
- {"SAMR_QUERY_GROUPMEM" , SAMR_QUERY_GROUPMEM , api_samr_query_groupmem },
- {"SAMR_ADD_ALIASMEM" , SAMR_ADD_ALIASMEM , api_samr_add_aliasmem },
- {"SAMR_DEL_ALIASMEM" , SAMR_DEL_ALIASMEM , api_samr_del_aliasmem },
- {"SAMR_ADD_GROUPMEM" , SAMR_ADD_GROUPMEM , api_samr_add_groupmem },
- {"SAMR_DEL_GROUPMEM" , SAMR_DEL_GROUPMEM , api_samr_del_groupmem },
-
- {"SAMR_DELETE_DOM_USER" , SAMR_DELETE_DOM_USER , api_samr_delete_dom_user },
- {"SAMR_DELETE_DOM_GROUP" , SAMR_DELETE_DOM_GROUP , api_samr_delete_dom_group },
- {"SAMR_DELETE_DOM_ALIAS" , SAMR_DELETE_DOM_ALIAS , api_samr_delete_dom_alias },
- {"SAMR_CREATE_DOM_GROUP" , SAMR_CREATE_DOM_GROUP , api_samr_create_dom_group },
- {"SAMR_CREATE_DOM_ALIAS" , SAMR_CREATE_DOM_ALIAS , api_samr_create_dom_alias },
- {"SAMR_LOOKUP_NAMES" , SAMR_LOOKUP_NAMES , api_samr_lookup_names },
- {"SAMR_OPEN_USER" , SAMR_OPEN_USER , api_samr_open_user },
- {"SAMR_QUERY_USERINFO" , SAMR_QUERY_USERINFO , api_samr_query_userinfo },
- {"SAMR_SET_USERINFO" , SAMR_SET_USERINFO , api_samr_set_userinfo },
- {"SAMR_SET_USERINFO2" , SAMR_SET_USERINFO2 , api_samr_set_userinfo2 },
-
- {"SAMR_QUERY_DOMAIN_INFO" , SAMR_QUERY_DOMAIN_INFO, api_samr_query_domain_info},
- {"SAMR_QUERY_USERGROUPS" , SAMR_QUERY_USERGROUPS , api_samr_query_usergroups },
- {"SAMR_QUERY_DISPINFO" , SAMR_QUERY_DISPINFO , api_samr_query_dispinfo },
- {"SAMR_QUERY_DISPINFO3" , SAMR_QUERY_DISPINFO3 , api_samr_query_dispinfo },
- {"SAMR_QUERY_DISPINFO4" , SAMR_QUERY_DISPINFO4 , api_samr_query_dispinfo },
-
- {"SAMR_QUERY_ALIASINFO" , SAMR_QUERY_ALIASINFO , api_samr_query_aliasinfo },
- {"SAMR_QUERY_GROUPINFO" , SAMR_QUERY_GROUPINFO , api_samr_query_groupinfo },
- {"SAMR_SET_GROUPINFO" , SAMR_SET_GROUPINFO , api_samr_set_groupinfo },
- {"SAMR_SET_ALIASINFO" , SAMR_SET_ALIASINFO , api_samr_set_aliasinfo },
- {"SAMR_CREATE_USER" , SAMR_CREATE_USER , api_samr_create_user },
- {"SAMR_LOOKUP_RIDS" , SAMR_LOOKUP_RIDS , api_samr_lookup_rids },
- {"SAMR_GET_DOM_PWINFO" , SAMR_GET_DOM_PWINFO , api_samr_get_dom_pwinfo },
- {"SAMR_CHGPASSWD_USER" , SAMR_CHGPASSWD_USER , api_samr_chgpasswd_user },
- {"SAMR_OPEN_ALIAS" , SAMR_OPEN_ALIAS , api_samr_open_alias },
- {"SAMR_OPEN_GROUP" , SAMR_OPEN_GROUP , api_samr_open_group },
- {"SAMR_OPEN_DOMAIN" , SAMR_OPEN_DOMAIN , api_samr_open_domain },
- {"SAMR_REMOVE_SID_FOREIGN_DOMAIN" , SAMR_REMOVE_SID_FOREIGN_DOMAIN , api_samr_remove_sid_foreign_domain },
- {"SAMR_LOOKUP_DOMAIN" , SAMR_LOOKUP_DOMAIN , api_samr_lookup_domain },
-
- {"SAMR_QUERY_SEC_OBJECT" , SAMR_QUERY_SEC_OBJECT , api_samr_query_sec_obj },
- {"SAMR_SET_SEC_OBJECT" , SAMR_SET_SEC_OBJECT , api_samr_set_sec_obj },
- {"SAMR_GET_USRDOM_PWINFO" ,
SAMR_GET_USRDOM_PWINFO, api_samr_get_usrdom_pwinfo}, - {"SAMR_QUERY_DOMAIN_INFO2", SAMR_QUERY_DOMAIN_INFO2, api_samr_query_domain_info2}, - {"SAMR_SET_DOMAIN_INFO" , SAMR_SET_DOMAIN_INFO , api_samr_set_dom_info }, - {"SAMR_CONNECT4" , SAMR_CONNECT4 , api_samr_connect4 }, - {"SAMR_CHGPASSWD_USER3" , SAMR_CHGPASSWD_USER3 , api_samr_chgpasswd_user3 }, - {"SAMR_CONNECT5" , SAMR_CONNECT5 , api_samr_connect5 } -}; - -void samr_get_pipe_fns( struct api_struct **fns, int *n_fns ) -{ - *fns = api_samr_cmds; - *n_fns = sizeof(api_samr_cmds) / sizeof(struct api_struct); -} - - -NTSTATUS rpc_samr_init(void) -{ - return rpc_pipe_register_commands(SMB_RPC_INTERFACE_VERSION, "samr", "lsass", api_samr_cmds, - sizeof(api_samr_cmds) / sizeof(struct api_struct)); -} diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 01ce932afa..f38a8fcfc0 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -11,6 +11,7 @@ * Copyright (C) Gerald (Jerry) Carter 2003-2004, * Copyright (C) Simo Sorce 2003. * Copyright (C) Volker Lendecke 2005. + * Copyright (C) Guenther Deschner 2008. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -125,12 +126,12 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */ init_sec_access(&mask, map->generic_all); - + init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); /* Add Full Access for Domain Admins if we are a DC */ - + if ( IS_DC ) { sid_copy( &domadmin_sid, get_global_sam_sid() ); sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS ); 
@@ -162,57 +163,57 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd level of access for further checks. ********************************************************************/ -static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token, +static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token, SE_PRIV *rights, uint32 rights_mask, - uint32 des_access, uint32 *acc_granted, + uint32 des_access, uint32 *acc_granted, const char *debug ) { NTSTATUS status = NT_STATUS_ACCESS_DENIED; uint32 saved_mask = 0; - /* check privileges; certain SAM access bits should be overridden - by privileges (mostly having to do with creating/modifying/deleting + /* check privileges; certain SAM access bits should be overridden + by privileges (mostly having to do with creating/modifying/deleting users and groups) */ - + if ( rights && user_has_any_privilege( token, rights ) ) { - + saved_mask = (des_access & rights_mask); des_access &= ~saved_mask; - + DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n", rights_mask)); } - - + + /* check the security descriptor first */ - + if ( se_access_check(psd, token, des_access, acc_granted, &status) ) goto done; - + /* give root a free pass */ - + if ( geteuid() == sec_initial_uid() ) { - + DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access)); DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n")); - + *acc_granted = des_access; - + status = NT_STATUS_OK; goto done; } - - + + done: - /* add in any bits saved during the privilege check (only + /* add in any bits saved during the privilege check (only matters is status is ok) */ - + *acc_granted |= rights_mask; - DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n", - debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED", + DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n", + debug, NT_STATUS_IS_OK(status) ? 
"GRANTED" : "DENIED", des_access, *acc_granted)); - + return status; } @@ -222,28 +223,28 @@ done: static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug) { - DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n", + DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n", debug, acc_granted, acc_required)); /* check the security descriptor first */ - + if ( (acc_granted&acc_required) == acc_required ) return NT_STATUS_OK; - + /* give root a free pass */ if (geteuid() == sec_initial_uid()) { - + DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n", debug, acc_granted, acc_required)); DEBUGADD(4,("but overwritten by euid == 0\n")); - + return NT_STATUS_OK; } - - DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n", + + DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n", debug, acc_granted, acc_required)); - + return NT_STATUS_ACCESS_DENIED; } @@ -278,7 +279,7 @@ static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid) /* There are two cases to consider here: 1) The SID is a domain SID and we look for an equality match, or - 2) This is an account SID and so we return the DISP_INFO* for our + 2) This is an account SID and so we return the DISP_INFO* for our domain */ if (psid == NULL) { @@ -293,7 +294,7 @@ static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid) return &builtin_dispinfo; } - + if (sid_check_is_domain(psid) || sid_check_is_in_our_domain(psid)) { /* * Necessary only once, but it does not really hurt. @@ -315,7 +316,7 @@ static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) struct samr_info *info; fstring sid_str; TALLOC_CTX *mem_ctx; - + if (psid) { sid_to_fstring(sid_str, psid); } else { @@ -465,7 +466,7 @@ static void force_flush_samr_cache(DISP_INFO *disp_info) static void samr_clear_sam_passwd(struct samu *sam_pass) { - + if (!sam_pass) return; 
@@ -543,116 +544,113 @@ static uint32 count_sam_aliases(struct disp_info *info) } /******************************************************************* - _samr_close_hnd + _samr_Close ********************************************************************/ -NTSTATUS _samr_close_hnd(pipes_struct *p, SAMR_Q_CLOSE_HND *q_u, SAMR_R_CLOSE_HND *r_u) +NTSTATUS _samr_Close(pipes_struct *p, struct samr_Close *r) { - r_u->status = NT_STATUS_OK; - - /* close the policy handle */ - if (!close_policy_hnd(p, &q_u->pol)) - return NT_STATUS_OBJECT_NAME_INVALID; + if (!close_policy_hnd(p, r->in.handle)) { + return NT_STATUS_INVALID_HANDLE; + } - DEBUG(5,("samr_reply_close_hnd: %d\n", __LINE__)); + ZERO_STRUCTP(r->out.handle); - return r_u->status; + return NT_STATUS_OK; } /******************************************************************* - samr_reply_open_domain + _samr_OpenDomain ********************************************************************/ -NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN_DOMAIN *r_u) +NTSTATUS _samr_OpenDomain(pipes_struct *p, + struct samr_OpenDomain *r) { struct samr_info *info; SEC_DESC *psd = NULL; uint32 acc_granted; - uint32 des_access = q_u->flags; + uint32 des_access = r->in.access_mask; NTSTATUS status; size_t sd_size; SE_PRIV se_rights; - r_u->status = NT_STATUS_OK; - /* find the connection policy handle. */ - - if ( !find_policy_by_hnd(p, &q_u->pol, (void**)(void *)&info) ) + + if ( !find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info) ) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function( info->acc_granted, - SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_open_domain" ); - + status = access_check_samr_function(info->acc_granted, + SA_RIGHT_SAM_OPEN_DOMAIN, + "_samr_OpenDomain" ); + if ( !NT_STATUS_IS_OK(status) ) return status; /*check if access can be granted as requested by client. 
*/ - + make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 ); se_map_generic( &des_access, &dom_generic_mapping ); - + se_priv_copy( &se_rights, &se_machine_account ); se_priv_add( &se_rights, &se_add_users ); - status = access_check_samr_object( psd, p->pipe_user.nt_user_token, - &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access, - &acc_granted, "_samr_open_domain" ); - + status = access_check_samr_object( psd, p->pipe_user.nt_user_token, + &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access, + &acc_granted, "_samr_OpenDomain" ); + if ( !NT_STATUS_IS_OK(status) ) return status; - if (!sid_check_is_domain(&q_u->dom_sid.sid) && - !sid_check_is_builtin(&q_u->dom_sid.sid)) { + if (!sid_check_is_domain(r->in.sid) && + !sid_check_is_builtin(r->in.sid)) { return NT_STATUS_NO_SUCH_DOMAIN; } /* associate the domain SID with the (unique) handle. */ - if ((info = get_samr_info_by_sid(&q_u->dom_sid.sid))==NULL) + if ((info = get_samr_info_by_sid(r->in.sid))==NULL) return NT_STATUS_NO_MEMORY; info->acc_granted = acc_granted; /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, &r_u->domain_pol, free_samr_info, (void *)info)) + if (!create_policy_hnd(p, r->out.domain_handle, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - DEBUG(5,("samr_open_domain: %d\n", __LINE__)); + DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__)); - return r_u->status; + return NT_STATUS_OK; } /******************************************************************* - _samr_get_usrdom_pwinfo + _samr_GetUserPwInfo ********************************************************************/ -NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, SAMR_R_GET_USRDOM_PWINFO *r_u) +NTSTATUS _samr_GetUserPwInfo(pipes_struct *p, + struct samr_GetUserPwInfo *r) { struct samr_info *info = NULL; - r_u->status = NT_STATUS_OK; - /* find the policy handle. open a policy on it. 
*/ - if (!find_policy_by_hnd(p, &q_u->user_pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; if (!sid_check_is_in_our_domain(&info->sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - init_samr_r_get_usrdom_pwinfo(r_u, NT_STATUS_OK); + ZERO_STRUCTP(r->out.info); - DEBUG(5,("_samr_get_usrdom_pwinfo: %d\n", __LINE__)); + DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__)); - /* + /* * NT sometimes return NT_STATUS_ACCESS_DENIED * I don't know yet why. */ - return r_u->status; + return NT_STATUS_OK; } /******************************************************************* ********************************************************************/ -static bool get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol, +static bool get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol, DOM_SID *sid, uint32 *acc_granted, DISP_INFO **ppdisp_info) { @@ -675,10 +673,11 @@ static bool get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol, } /******************************************************************* - _samr_set_sec_obj + _samr_SetSecurity ********************************************************************/ -NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_SEC_OBJ *r_u) +NTSTATUS _samr_SetSecurity(pipes_struct *p, + struct samr_SetSecurity *r) { DOM_SID pol_sid; uint32 acc_granted, i; @@ -687,9 +686,7 @@ NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_ struct samu *sampass=NULL; NTSTATUS status; - r_u->status = NT_STATUS_OK; - - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; if (!(sampass = samu_new( p->mem_ctx))) { 
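Review bot: In `_samr_OpenDomain` the return value of `make_samr_object_sd()` is discarded, so if the descriptor build fails, `access_check_samr_object()` decides the rights on the new domain handle from a `psd` that is still NULL. Capture and test it: `status = make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );` followed by `if ( !NT_STATUS_IS_OK(status) ) return status;`. Separately, `_samr_GetUserPwInfo` in the same hunk replies after only a handle lookup and a SID check. If a read right on the user handle is meant to gate it, an `access_check_samr_function()` call on `info->acc_granted` belongs before `ZERO_STRUCTP(r->out.info)`.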
@@ -708,12 +705,12 @@ NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_ return NT_STATUS_INVALID_HANDLE; } - dacl = q_u->buf->sd->dacl; + dacl = r->in.sdbuf->sd->dacl; for (i=0; i < dacl->num_aces; i++) { if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) { - ret = pdb_set_pass_can_change(sampass, - (dacl->aces[i].access_mask & - SA_RIGHT_USER_CHANGE_PASSWORD) ? + ret = pdb_set_pass_can_change(sampass, + (dacl->aces[i].access_mask & + SA_RIGHT_USER_CHANGE_PASSWORD) ? True: False); break; } @@ -724,7 +721,9 @@ NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_ return NT_STATUS_ACCESS_DENIED; } - status = access_check_samr_function(acc_granted, SA_RIGHT_USER_SET_ATTRIBUTES, "_samr_set_sec_obj"); + status = access_check_samr_function(acc_granted, + SA_RIGHT_USER_SET_ATTRIBUTES, + "_samr_SetSecurity"); if (NT_STATUS_IS_OK(status)) { become_root(); status = pdb_update_sam_account(sampass); 
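Review bot: `dacl = r->in.sdbuf->sd->dacl;` follows three pointers that come from the request, and the loop then reads `dacl->num_aces` with no NULL check on any of them. A descriptor that carries no DACL (or a missing descriptor, if the marshalling layer permits one) would turn this into a NULL dereference in the server process. A guard before the assignment closes that: `if (r->in.sdbuf == NULL || r->in.sdbuf->sd == NULL || r->in.sdbuf->sd->dacl == NULL) return NT_STATUS_INVALID_PARAMETER;`, releasing `sampass` the same way the neighbouring error returns do. The function body starts and ends outside this hunk, so that cleanup convention is not visible here.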
@@ -771,98 +770,92 @@ static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid) /******************************************************************* - _samr_query_sec_obj + _samr_QuerySecurity ********************************************************************/ -NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_QUERY_SEC_OBJ *r_u) +NTSTATUS _samr_QuerySecurity(pipes_struct *p, + struct samr_QuerySecurity *r) { + NTSTATUS status; DOM_SID pol_sid; SEC_DESC * psd = NULL; uint32 acc_granted; size_t sd_size; - r_u->status = NT_STATUS_OK; - /* Get the SID. */ - if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &pol_sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - DEBUG(10,("_samr_query_sec_obj: querying security on SID: %s\n", + DEBUG(10,("_samr_QuerySecurity: querying security on SID: %s\n", sid_string_dbg(&pol_sid))); /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */ /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */ if (pol_sid.sid_rev_num == 0) { - DEBUG(5,("_samr_query_sec_obj: querying security on SAM\n")); - r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); - } else if (sid_equal(&pol_sid,get_global_sam_sid())) { + DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n")); + status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); + } else if (sid_equal(&pol_sid,get_global_sam_sid())) { /* check if it is our domain SID */ - DEBUG(5,("_samr_query_sec_obj: querying security on Domain " + DEBUG(5,("_samr_QuerySecurity: querying security on Domain " "with SID: %s\n", sid_string_dbg(&pol_sid))); - r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0); + status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 
0); } else if (sid_equal(&pol_sid,&global_sid_Builtin)) { /* check if it is the Builtin Domain */ /* TODO: Builtin probably needs a different SD with restricted write access*/ - DEBUG(5,("_samr_query_sec_obj: querying security on Builtin " + DEBUG(5,("_samr_QuerySecurity: querying security on Builtin " "Domain with SID: %s\n", sid_string_dbg(&pol_sid))); - r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0); + status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0); } else if (sid_check_is_in_our_domain(&pol_sid) || sid_check_is_in_builtin(&pol_sid)) { /* TODO: different SDs have to be generated for aliases groups and users. Currently all three get a default user SD */ - DEBUG(10,("_samr_query_sec_obj: querying security on Object " + DEBUG(10,("_samr_QuerySecurity: querying security on Object " "with SID: %s\n", sid_string_dbg(&pol_sid))); if (check_change_pw_access(p->mem_ctx, &pol_sid)) { - r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, + status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &pol_sid, SAMR_USR_RIGHTS_WRITE_PW); } else { - r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_nopwchange_generic_mapping, + status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_nopwchange_generic_mapping, &pol_sid, SAMR_USR_RIGHTS_CANT_WRITE_PW); } } else { return NT_STATUS_OBJECT_TYPE_MISMATCH; } - if ((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL) + if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL) return NT_STATUS_NO_MEMORY; - if (NT_STATUS_IS_OK(r_u->status)) - r_u->ptr = 1; - - return r_u->status; + return status; } /******************************************************************* makes a SAM_ENTRY / UNISTR2* structure from a user list. 
********************************************************************/ -static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, - UNISTR2 **uni_name_pp, - uint32 num_entries, uint32 start_idx, +static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, + struct samr_SamEntry **sam_pp, + uint32_t num_entries, + uint32_t start_idx, struct samr_displayentry *entries) { - uint32 i; - SAM_ENTRY *sam; - UNISTR2 *uni_name; - + uint32_t i; + struct samr_SamEntry *sam; + *sam_pp = NULL; - *uni_name_pp = NULL; - if (num_entries == 0) + if (num_entries == 0) { return NT_STATUS_OK; + } - sam = TALLOC_ZERO_ARRAY(ctx, SAM_ENTRY, num_entries); - - uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_entries); - - if (sam == NULL || uni_name == NULL) { + sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_entries); + if (sam == NULL) { DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n")); return NT_STATUS_NO_MEMORY; } for (i = 0; i < num_entries; i++) { - UNISTR2 uni_temp_name; +#if 0 /* * usrmgr expects a non-NULL terminated string with * trust relationships 
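Review bot: `_samr_QuerySecurity` calls `make_sec_desc_buf(p->mem_ctx, sd_size, psd)` before it looks at `status`. When `make_samr_object_sd()` fails, the buffer is built from whatever `psd` and `sd_size` hold (`sd_size` is uninitialised on that path), and a resulting NULL is reported as NT_STATUS_NO_MEMORY instead of the real error. Test the status first by placing `if (!NT_STATUS_IS_OK(status)) return status;` directly after the if/else chain. `acc_granted` from `get_lsa_policy_samr_sid()` is also never compared with a required right in this function; if that is intentional, a one-line comment saying so would help the next reader.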
@@ -874,50 +867,59 @@ static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, init_unistr2(&uni_temp_name, entries[i].account_name, UNI_STR_TERMINATE); } - - init_sam_entry(&sam[i], &uni_temp_name, entries[i].rid); - copy_unistr2(&uni_name[i], &uni_temp_name); +#endif + init_lsa_String(&sam[i].name, entries[i].account_name); + sam[i].idx = entries[i].rid; } *sam_pp = sam; - *uni_name_pp = uni_name; + return NT_STATUS_OK; } +#define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K + /******************************************************************* - samr_reply_enum_dom_users + _samr_EnumDomainUsers ********************************************************************/ -NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, - SAMR_R_ENUM_DOM_USERS *r_u) +NTSTATUS _samr_EnumDomainUsers(pipes_struct *p, + struct samr_EnumDomainUsers *r) { + NTSTATUS status; struct samr_info *info = NULL; int num_account; - uint32 enum_context=q_u->start_idx; + uint32 enum_context = *r->in.resume_handle; enum remote_arch_types ra_type = get_remote_arch(); int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K; uint32 max_entries = max_sam_entries; struct samr_displayentry *entries = NULL; - - r_u->status = NT_STATUS_OK; + struct samr_SamArray *samr_array = NULL; + struct samr_SamEntry *samr_entries = NULL; /* find the policy handle. open a policy on it. 
*/ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, - SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, - "_samr_enum_dom_users"))) { - return r_u->status; + status = access_check_samr_function(info->acc_granted, + SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, + "_samr_EnumDomainUsers"); + if (!NT_STATUS_IS_OK(status)) { + return status; } - - DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); + + DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__)); if (info->builtin_domain) { /* No users in builtin. */ - init_samr_r_enum_dom_users(r_u, q_u->start_idx, 0); - DEBUG(5,("_samr_enum_dom_users: No users in BUILTIN\n")); - return r_u->status; + *r->out.resume_handle = *r->in.resume_handle; + DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n")); + return status; + } + + samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray); + if (!samr_array) { + return NT_STATUS_NO_MEMORY; } become_root(); @@ -925,14 +927,14 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, /* AS ROOT !!!! */ if ((info->disp_info->enum_users != NULL) && - (info->disp_info->enum_acb_mask != q_u->acb_mask)) { + (info->disp_info->enum_acb_mask != r->in.acct_flags)) { pdb_search_destroy(info->disp_info->enum_users); info->disp_info->enum_users = NULL; } if (info->disp_info->enum_users == NULL) { - info->disp_info->enum_users = pdb_search_users(q_u->acb_mask); - info->disp_info->enum_acb_mask = q_u->acb_mask; + info->disp_info->enum_users = pdb_search_users(r->in.acct_flags); + info->disp_info->enum_acb_mask = r->in.acct_flags; } if (info->disp_info->enum_users == NULL) { 
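Review bot: The BUILTIN early return in `_samr_EnumDomainUsers` now sets only `*r->out.resume_handle`, where the removed `init_samr_r_enum_dom_users(r_u, q_u->start_idx, 0)` presumably also recorded a zero entry count. Unless the generated stub pre-zeroes the out parameters, `*r->out.num_entries` and `*r->out.sam` go back to the client unset. Adding `*r->out.num_entries = 0;` on that path makes the empty reply explicit. The same applies to the `num_account == 0` return in the next hunk and to the BUILTIN return in `_samr_EnumDomainGroups`. The function body continues outside this hunk.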
@@ -950,63 +952,62 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, unbecome_root(); if (num_account == 0) { - DEBUG(5, ("_samr_enum_dom_users: enumeration handle over " + DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over " "total entries\n")); - init_samr_r_enum_dom_users(r_u, q_u->start_idx, 0); + *r->out.resume_handle = *r->in.resume_handle; return NT_STATUS_OK; } - r_u->status = make_user_sam_entry_list(p->mem_ctx, &r_u->sam, - &r_u->uni_acct_name, - num_account, enum_context, - entries); - - if (!NT_STATUS_IS_OK(r_u->status)) - return r_u->status; + status = make_user_sam_entry_list(p->mem_ctx, &samr_entries, + num_account, enum_context, + entries); + if (!NT_STATUS_IS_OK(status)) { + return status; + } if (max_entries <= num_account) { - r_u->status = STATUS_MORE_ENTRIES; + status = STATUS_MORE_ENTRIES; } else { - r_u->status = NT_STATUS_OK; + status = NT_STATUS_OK; } /* Ensure we cache this enumeration. */ set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); - DEBUG(5, ("_samr_enum_dom_users: %d\n", __LINE__)); + DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__)); - init_samr_r_enum_dom_users(r_u, q_u->start_idx + num_account, - num_account); + samr_array->count = num_account; + samr_array->entries = samr_entries; - DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); + *r->out.resume_handle = *r->in.resume_handle + num_account; + *r->out.sam = samr_array; + *r->out.num_entries = num_account; - return r_u->status; + DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__)); + + return status; } /******************************************************************* makes a SAM_ENTRY / UNISTR2* structure from a group list. 
********************************************************************/ -static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, - UNISTR2 **uni_name_pp, - uint32 num_sam_entries, +static void make_group_sam_entry_list(TALLOC_CTX *ctx, + struct samr_SamEntry **sam_pp, + uint32_t num_sam_entries, struct samr_displayentry *entries) { - uint32 i; - SAM_ENTRY *sam; - UNISTR2 *uni_name; + struct samr_SamEntry *sam; + uint32_t i; *sam_pp = NULL; - *uni_name_pp = NULL; - if (num_sam_entries == 0) + if (num_sam_entries == 0) { return; + } - sam = TALLOC_ZERO_ARRAY(ctx, SAM_ENTRY, num_sam_entries); - uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_sam_entries); - - if (sam == NULL || uni_name == NULL) { - DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n")); + sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_sam_entries); + if (sam == NULL) { return; } 
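Review bot: `make_group_sam_entry_list` now fails silently: the allocation-failure branch lost its DEBUG(0) message and the function still returns void, leaving `*sam_pp` NULL. Its callers in the later hunks then store `samr_array->count = num_groups` (or `num_aliases`) next to a NULL `entries` pointer, a count/array mismatch that the marshalling code may walk. Giving it the same shape as `make_user_sam_entry_list` avoids that: return NTSTATUS, `return NT_STATUS_NO_MEMORY;` on failure, and have `_samr_EnumDomainGroups` and `_samr_EnumDomainAliases` check the result. The function body continues in the next hunk.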
@@ -1014,44 +1015,50 @@ static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, /* * JRA. I think this should include the null. TNG does not. */ - init_unistr2(&uni_name[i], entries[i].account_name, - UNI_STR_TERMINATE); - init_sam_entry(&sam[i], &uni_name[i], entries[i].rid); + init_lsa_String(&sam[i].name, entries[i].account_name); + sam[i].idx = entries[i].rid; } *sam_pp = sam; - *uni_name_pp = uni_name; } /******************************************************************* - samr_reply_enum_dom_groups + _samr_EnumDomainGroups ********************************************************************/ -NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_R_ENUM_DOM_GROUPS *r_u) +NTSTATUS _samr_EnumDomainGroups(pipes_struct *p, + struct samr_EnumDomainGroups *r) { + NTSTATUS status; struct samr_info *info = NULL; struct samr_displayentry *groups; uint32 num_groups; - - r_u->status = NT_STATUS_OK; + struct samr_SamArray *samr_array = NULL; + struct samr_SamEntry *samr_entries = NULL; /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - r_u->status = access_check_samr_function(info->acc_granted, - SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, - "_samr_enum_dom_groups"); - if (!NT_STATUS_IS_OK(r_u->status)) - return r_u->status; + status = access_check_samr_function(info->acc_granted, + SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, + "_samr_EnumDomainGroups"); + if (!NT_STATUS_IS_OK(status)) { + return status; + } - DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__)); + DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__)); if (info->builtin_domain) { /* No groups in builtin. 
*/ - init_samr_r_enum_dom_groups(r_u, q_u->start_idx, 0); - DEBUG(5,("_samr_enum_dom_users: No groups in BUILTIN\n")); - return r_u->status; + *r->out.resume_handle = *r->in.resume_handle; + DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n")); + return status; + } + + samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray); + if (!samr_array) { + return NT_STATUS_NO_MEMORY; } /* the domain group array is being allocated in the function below */ 
@@ -1067,46 +1074,64 @@ NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAM } } - num_groups = pdb_search_entries(info->disp_info->groups, q_u->start_idx, + num_groups = pdb_search_entries(info->disp_info->groups, + *r->in.resume_handle, MAX_SAM_ENTRIES, &groups); unbecome_root(); - + /* Ensure we cache this enumeration. */ set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); - make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, + make_group_sam_entry_list(p->mem_ctx, &samr_entries, num_groups, groups); - init_samr_r_enum_dom_groups(r_u, q_u->start_idx, num_groups); + samr_array->count = num_groups; + samr_array->entries = samr_entries; + + *r->out.sam = samr_array; + *r->out.num_entries = num_groups; + /* this was missing, IMHO: + *r->out.resume_handle = num_groups + *r->in.resume_handle; + */ - DEBUG(5,("samr_enum_dom_groups: %d\n", __LINE__)); + DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__)); - return r_u->status; + return status; } /******************************************************************* - samr_reply_enum_dom_aliases + _samr_EnumDomainAliases ********************************************************************/ -NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAMR_R_ENUM_DOM_ALIASES *r_u) +NTSTATUS _samr_EnumDomainAliases(pipes_struct *p, + struct samr_EnumDomainAliases *r) { + NTSTATUS status; struct samr_info *info; struct samr_displayentry *aliases; uint32 num_aliases = 0; + struct samr_SamArray *samr_array = NULL; + struct samr_SamEntry *samr_entries = NULL; /* find the policy handle. open a policy on it. 
*/ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - r_u->status = access_check_samr_function(info->acc_granted, - SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, - "_samr_enum_dom_aliases"); - if (!NT_STATUS_IS_OK(r_u->status)) - return r_u->status; + status = access_check_samr_function(info->acc_granted, + SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, + "_samr_EnumDomainAliases"); + if (!NT_STATUS_IS_OK(status)) { + return status; + } - DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", + DEBUG(5,("_samr_EnumDomainAliases: sid %s\n", sid_string_dbg(&info->sid))); + samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray); + if (!samr_array) { + return NT_STATUS_NO_MEMORY; + } + become_root(); if (info->disp_info->aliases == NULL) { 
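Review bot: `_samr_EnumDomainGroups` never assigns `*r->out.resume_handle` on its success path; the only candidate sits inside a comment (`this was missing, IMHO`), while `_samr_EnumDomainAliases` in the same hunk does advance it. Commented-out code in an enumeration cursor leaves the paging contract undecided. Either enable the assignment, or write `*r->out.resume_handle = *r->in.resume_handle;` with a comment that the unchanged value matches the removed `init_samr_r_enum_dom_groups(r_u, q_u->start_idx, num_groups)` call. Both functions also return the `status` left over from the access check, so a full page of MAX_SAM_ENTRIES is not reported as STATUS_MORE_ENTRIES the way `_samr_EnumDomainUsers` does it. If that difference is deliberate, it deserves a comment.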
@@ -1117,39 +1142,244 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S } } - num_aliases = pdb_search_entries(info->disp_info->aliases, q_u->start_idx, + num_aliases = pdb_search_entries(info->disp_info->aliases, + *r->in.resume_handle, MAX_SAM_ENTRIES, &aliases); unbecome_root(); - + /* Ensure we cache this enumeration. */ set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); - make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, + make_group_sam_entry_list(p->mem_ctx, &samr_entries, num_aliases, aliases); - init_samr_r_enum_dom_aliases(r_u, q_u->start_idx + num_aliases, - num_aliases); + DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__)); + + samr_array->count = num_aliases; + samr_array->entries = samr_entries; + + *r->out.sam = samr_array; + *r->out.num_entries = num_aliases; + *r->out.resume_handle = num_aliases + *r->in.resume_handle; + + return status; +} + +/******************************************************************* + inits a samr_DispInfoGeneral structure. 
+********************************************************************/ + +static NTSTATUS init_samr_dispinfo_1(TALLOC_CTX *ctx, + struct samr_DispInfoGeneral *r, + uint32_t num_entries, + uint32_t start_idx, + struct samr_displayentry *entries) +{ + uint32 i; + + DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries)); + + if (num_entries == 0) { + return NT_STATUS_OK; + } + + r->count = num_entries; + + r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryGeneral, num_entries); + if (!r->entries) { + return NT_STATUS_NO_MEMORY; + } + + for (i = 0; i < num_entries ; i++) { - DEBUG(5,("samr_enum_dom_aliases: %d\n", __LINE__)); + init_lsa_String(&r->entries[i].account_name, + entries[i].account_name); - return r_u->status; + init_lsa_String(&r->entries[i].description, + entries[i].description); + + init_lsa_String(&r->entries[i].full_name, + entries[i].fullname); + + r->entries[i].rid = entries[i].rid; + r->entries[i].acct_flags = entries[i].acct_flags; + r->entries[i].idx = start_idx+i+1; + } + + return NT_STATUS_OK; +} + +/******************************************************************* + inits a samr_DispInfoFull structure. 
+********************************************************************/ + +static NTSTATUS init_samr_dispinfo_2(TALLOC_CTX *ctx, + struct samr_DispInfoFull *r, + uint32_t num_entries, + uint32_t start_idx, + struct samr_displayentry *entries) +{ + uint32_t i; + + DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries)); + + if (num_entries == 0) { + return NT_STATUS_OK; + } + + r->count = num_entries; + + r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFull, num_entries); + if (!r->entries) { + return NT_STATUS_NO_MEMORY; + } + + for (i = 0; i < num_entries ; i++) { + + init_lsa_String(&r->entries[i].account_name, + entries[i].account_name); + + init_lsa_String(&r->entries[i].description, + entries[i].description); + + r->entries[i].rid = entries[i].rid; + r->entries[i].acct_flags = entries[i].acct_flags; + r->entries[i].idx = start_idx+i+1; + } + + return NT_STATUS_OK; +} + +/******************************************************************* + inits a samr_DispInfoFullGroups structure. 
+********************************************************************/ + +static NTSTATUS init_samr_dispinfo_3(TALLOC_CTX *ctx, + struct samr_DispInfoFullGroups *r, + uint32_t num_entries, + uint32_t start_idx, + struct samr_displayentry *entries) +{ + uint32_t i; + + DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries)); + + if (num_entries == 0) { + return NT_STATUS_OK; + } + + r->count = num_entries; + + r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFullGroup, num_entries); + if (!r->entries) { + return NT_STATUS_NO_MEMORY; + } + + for (i = 0; i < num_entries ; i++) { + + init_lsa_String(&r->entries[i].account_name, + entries[i].account_name); + + init_lsa_String(&r->entries[i].description, + entries[i].description); + + r->entries[i].rid = entries[i].rid; + r->entries[i].acct_flags = entries[i].acct_flags; + r->entries[i].idx = start_idx+i+1; + } + + return NT_STATUS_OK; +} + +/******************************************************************* + inits a samr_DispInfoAscii structure. +********************************************************************/ + +static NTSTATUS init_samr_dispinfo_4(TALLOC_CTX *ctx, + struct samr_DispInfoAscii *r, + uint32_t num_entries, + uint32_t start_idx, + struct samr_displayentry *entries) +{ + uint32_t i; + + DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries)); + + if (num_entries == 0) { + return NT_STATUS_OK; + } + + r->count = num_entries; + + r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries); + if (!r->entries) { + return NT_STATUS_NO_MEMORY; + } + + for (i = 0; i < num_entries ; i++) { + + init_lsa_AsciiStringLarge(&r->entries[i].account_name, + entries[i].account_name); + + r->entries[i].idx = start_idx+i+1; + } + + return NT_STATUS_OK; } /******************************************************************* - samr_reply_query_dispinfo + inits a samr_DispInfoAscii structure. 
+********************************************************************/ + +static NTSTATUS init_samr_dispinfo_5(TALLOC_CTX *ctx, + struct samr_DispInfoAscii *r, + uint32_t num_entries, + uint32_t start_idx, + struct samr_displayentry *entries) +{ + uint32_t i; + + DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries)); + + if (num_entries == 0) { + return NT_STATUS_OK; + } + + r->count = num_entries; + + r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries); + if (!r->entries) { + return NT_STATUS_NO_MEMORY; + } + + for (i = 0; i < num_entries ; i++) { + + init_lsa_AsciiStringLarge(&r->entries[i].account_name, + entries[i].account_name); + + r->entries[i].idx = start_idx+i+1; + } + + return NT_STATUS_OK; +} + +/******************************************************************* + _samr_QueryDisplayInfo ********************************************************************/ -NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, - SAMR_R_QUERY_DISPINFO *r_u) +NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p, + struct samr_QueryDisplayInfo *r) { + NTSTATUS status; struct samr_info *info = NULL; uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */ - - uint32 max_entries=q_u->max_entries; - uint32 enum_context=q_u->start_idx; - uint32 max_size=q_u->max_size; - SAM_DISPINFO_CTR *ctr; + uint32 max_entries = r->in.max_entries; + uint32 enum_context = r->in.start_idx; + uint32 max_size = r->in.buf_size; + + union samr_DispInfo *disp_info = r->out.info; + uint32 temp_size=0, total_data_size=0; NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL; uint32 num_account = 0; 
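Review bot: All five `init_samr_dispinfo_N` helpers return NT_STATUS_OK for `num_entries == 0` before touching `r->count` or `r->entries`, so an empty result leaves the caller's union exactly as it was. A later hunk of this commit removes the `TALLOC_ZERO_P`/`ZERO_STRUCTP(ctr)` that used to zero the container, and `disp_info` now points straight at `r->out.info`. The empty case is therefore only well-defined if the stub zeroes that memory. Placing `r->count = num_entries; r->entries = NULL;` above the early return makes each helper self-contained. `init_samr_dispinfo_4` and `init_samr_dispinfo_5` are identical apart from the debug string and could share one helper; `_samr_QueryDisplayInfo` at the end of the hunk continues outside it.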
@@ -1157,16 +1387,15 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K; struct samr_displayentry *entries = NULL; - DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__)); - r_u->status = NT_STATUS_UNSUCCESSFUL; + DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; /* * calculate how many entries we will return. - * based on + * based on * - the number of entries the client asked * - our limit on that * - the starting point (enumeration context) @@ -1192,15 +1421,15 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, * JFM, 12/20/2001 */ - if ((q_u->switch_level < 1) || (q_u->switch_level > 5)) { - DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n", - (unsigned int)q_u->switch_level )); + if ((r->in.level < 1) || (r->in.level > 5)) { + DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n", + (unsigned int)r->in.level )); return NT_STATUS_INVALID_INFO_CLASS; } /* first limit the number of entries we will return */ if(max_entries > max_sam_entries) { - DEBUG(5, ("samr_reply_query_dispinfo: client requested %d " + DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d " "entries, limiting to %d\n", max_entries, max_sam_entries)); max_entries = max_sam_entries; 
@@ -1210,23 +1439,18 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, * return */ temp_size=max_entries*struct_size; - + if (temp_size>max_size) { max_entries=MIN((max_size/struct_size),max_entries);; - DEBUG(5, ("samr_reply_query_dispinfo: buffer size limits to " + DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to " "only %d entries\n", max_entries)); } - if (!(ctr = TALLOC_ZERO_P(p->mem_ctx,SAM_DISPINFO_CTR))) - return NT_STATUS_NO_MEMORY; - - ZERO_STRUCTP(ctr); - become_root(); /* THe following done as ROOT. Don't return without unbecome_root(). */ - switch (q_u->switch_level) { + switch (r->in.level) { case 0x1: case 0x4: if (info->disp_info->users == NULL) { @@ -1235,10 +1459,10 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, unbecome_root(); return NT_STATUS_ACCESS_DENIED; } - DEBUG(10,("samr_reply_query_dispinfo: starting user enumeration at index %u\n", + DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n", (unsigned int)enum_context )); } else { - DEBUG(10,("samr_reply_query_dispinfo: using cached user enumeration at index %u\n", + DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n", (unsigned int)enum_context )); } @@ -1254,10 +1478,10 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, unbecome_root(); return NT_STATUS_ACCESS_DENIED; } - DEBUG(10,("samr_reply_query_dispinfo: starting machine enumeration at index %u\n", + DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n", (unsigned int)enum_context )); } else { - DEBUG(10,("samr_reply_query_dispinfo: using cached machine enumeration at index %u\n", + DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n", (unsigned int)enum_context )); } 
@@ -1273,10 +1497,10 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, unbecome_root(); return NT_STATUS_ACCESS_DENIED; } - DEBUG(10,("samr_reply_query_dispinfo: starting group enumeration at index %u\n", + DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n", (unsigned int)enum_context )); } else { - DEBUG(10,("samr_reply_query_dispinfo: using cached group enumeration at index %u\n", + DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n", (unsigned int)enum_context )); } @@ -1291,32 +1515,33 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, } unbecome_root(); + /* Now create reply structure */ - switch (q_u->switch_level) { + switch (r->in.level) { case 0x1: - disp_ret = init_sam_dispinfo_1(p->mem_ctx, &ctr->sam.info1, - num_account, enum_context, - entries); + disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1, + num_account, enum_context, + entries); break; case 0x2: - disp_ret = init_sam_dispinfo_2(p->mem_ctx, &ctr->sam.info2, - num_account, enum_context, - entries); + disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2, + num_account, enum_context, + entries); break; case 0x3: - disp_ret = init_sam_dispinfo_3(p->mem_ctx, &ctr->sam.info3, - num_account, enum_context, - entries); + disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3, + num_account, enum_context, + entries); break; case 0x4: - disp_ret = init_sam_dispinfo_4(p->mem_ctx, &ctr->sam.info4, - num_account, enum_context, - entries); + disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4, + num_account, enum_context, + entries); break; case 0x5: - disp_ret = init_sam_dispinfo_5(p->mem_ctx, &ctr->sam.info5, - num_account, enum_context, - entries); + disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5, + num_account, enum_context, + entries); break; default: smb_panic("info class changed"); 
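Review bot: Nothing in this function zeroes `disp_info` before the reply switch now that the zero-allocated `ctr` container is gone (removed in the `@@ -1210` hunk), and the `init_samr_dispinfo_3/4/5` helpers shown earlier in this diff return `NT_STATUS_OK` without touching their argument when `num_entries` is 0. Unless the caller hands in an already zeroed `r->out.info` (not visible here), an empty enumeration would marshal whatever the union held before. Adding `ZERO_STRUCTP(disp_info);` ahead of `switch (r->in.level)` would make the result independent of the caller. The function starts and ends outside this hunk.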
@@ -1330,73 +1555,130 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, total_data_size=num_account*struct_size; if (num_account) { - r_u->status = STATUS_MORE_ENTRIES; + status = STATUS_MORE_ENTRIES; } else { - r_u->status = NT_STATUS_OK; + status = NT_STATUS_OK; } /* Ensure we cache this enumeration. */ set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); - DEBUG(5, ("_samr_query_dispinfo: %d\n", __LINE__)); + DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__)); + + *r->out.total_size = total_data_size; + *r->out.returned_size = temp_size; + + return status; +} + +/**************************************************************** + _samr_QueryDisplayInfo2 +****************************************************************/ + +NTSTATUS _samr_QueryDisplayInfo2(pipes_struct *p, + struct samr_QueryDisplayInfo2 *r) +{ + struct samr_QueryDisplayInfo q; + + q.in.domain_handle = r->in.domain_handle; + q.in.level = r->in.level; + q.in.start_idx = r->in.start_idx; + q.in.max_entries = r->in.max_entries; + q.in.buf_size = r->in.buf_size; + + q.out.total_size = r->out.total_size; + q.out.returned_size = r->out.returned_size; + q.out.info = r->out.info; + + return _samr_QueryDisplayInfo(p, &q); +} + +/**************************************************************** + _samr_QueryDisplayInfo3 +****************************************************************/ + +NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p, + struct samr_QueryDisplayInfo3 *r) +{ + struct samr_QueryDisplayInfo q; - init_samr_r_query_dispinfo(r_u, num_account, total_data_size, - temp_size, q_u->switch_level, ctr, - r_u->status); + q.in.domain_handle = r->in.domain_handle; + q.in.level = r->in.level; + q.in.start_idx = r->in.start_idx; + q.in.max_entries = r->in.max_entries; + q.in.buf_size = r->in.buf_size; - return r_u->status; + q.out.total_size = r->out.total_size; + q.out.returned_size = r->out.returned_size; + q.out.info = r->out.info; + return 
_samr_QueryDisplayInfo(p, &q); } /******************************************************************* - samr_reply_query_aliasinfo + _samr_QueryAliasInfo ********************************************************************/ -NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_R_QUERY_ALIASINFO *r_u) +NTSTATUS _samr_QueryAliasInfo(pipes_struct *p, + struct samr_QueryAliasInfo *r) { DOM_SID sid; struct acct_info info; uint32 acc_granted; NTSTATUS status; + union samr_AliasInfo *alias_info = NULL; + const char *alias_name = NULL; + const char *alias_description = NULL; - r_u->status = NT_STATUS_OK; + DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__)); - DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__)); + alias_info = TALLOC_ZERO_P(p->mem_ctx, union samr_AliasInfo); + if (!alias_info) { + return NT_STATUS_NO_MEMORY; + } /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_LOOKUP_INFO, "_samr_query_aliasinfo"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, + SA_RIGHT_ALIAS_LOOKUP_INFO, + "_samr_QueryAliasInfo"); + if (!NT_STATUS_IS_OK(status)) { + return status; } become_root(); status = pdb_get_aliasinfo(&sid, &info); unbecome_root(); - + if ( !NT_STATUS_IS_OK(status)) return status; - if ( !(r_u->ctr = TALLOC_ZERO_P( p->mem_ctx, ALIAS_INFO_CTR )) ) - return NT_STATUS_NO_MEMORY; - + /* FIXME: info contains fstrings */ + alias_name = talloc_strdup(r, info.acct_name); + alias_description = talloc_strdup(r, info.acct_desc); - switch (q_u->level ) { - case 1: - r_u->ctr->level = 1; - init_samr_alias_info1(&r_u->ctr->alias.info1, info.acct_name, 1, info.acct_desc); + switch (r->in.level) { + case ALIASINFOALL: + 
init_samr_alias_info1(&alias_info->all, + alias_name, + 1, + alias_description); break; - case 3: - r_u->ctr->level = 3; - init_samr_alias_info3(&r_u->ctr->alias.info3, info.acct_desc); + case ALIASINFODESCRIPTION: + init_samr_alias_info3(&alias_info->description, + alias_description); break; default: return NT_STATUS_INVALID_INFO_CLASS; } - DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__)); + *r->out.info = alias_info; - return r_u->status; + DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__)); + + return NT_STATUS_OK; } #if 0 
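Review bot: In `_samr_QueryAliasInfo` the two `talloc_strdup()` results are used without a NULL check, so an allocation failure would hand NULL to `init_samr_alias_info1`/`init_samr_alias_info3` and the call could still return `NT_STATUS_OK`. `get_user_info_7` in this same commit checks the identical call, and the rest of this function allocates from `p->mem_ctx` rather than from `r`. Suggested, right after the two copies: `if (!alias_name || !alias_description) { return NT_STATUS_NO_MEMORY; }`. The `/* FIXME: info contains fstrings */` comment would also be more useful if it said what is still to be done.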
@@ -1460,170 +1742,184 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM #endif /******************************************************************* - _samr_lookup_names + _samr_LookupNames ********************************************************************/ -NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOKUP_NAMES *r_u) +NTSTATUS _samr_LookupNames(pipes_struct *p, + struct samr_LookupNames *r) { + NTSTATUS status; uint32 rid[MAX_SAM_ENTRIES]; enum lsa_SidType type[MAX_SAM_ENTRIES]; int i; - int num_rids = q_u->num_names2; + int num_rids = r->in.num_names; DOM_SID pol_sid; uint32 acc_granted; + struct samr_Ids rids, types; - r_u->status = NT_STATUS_OK; - - DEBUG(5,("_samr_lookup_names: %d\n", __LINE__)); + DEBUG(5,("_samr_LookupNames: %d\n", __LINE__)); ZERO_ARRAY(rid); ZERO_ARRAY(type); - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted, NULL)) { - init_samr_r_lookup_names(p->mem_ctx, r_u, 0, NULL, NULL, NT_STATUS_OBJECT_TYPE_MISMATCH); - return r_u->status; + if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL)) { + return NT_STATUS_OBJECT_TYPE_MISMATCH; } - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, 0, "_samr_lookup_names"))) { /* Don't know the acc_bits yet */ - return r_u->status; + + status = access_check_samr_function(acc_granted, + 0, /* Don't know the acc_bits yet */ + "_samr_LookupNames"); + if (!NT_STATUS_IS_OK(status)) { + return status; } if (num_rids > MAX_SAM_ENTRIES) { num_rids = MAX_SAM_ENTRIES; - DEBUG(5,("_samr_lookup_names: truncating entries to %d\n", num_rids)); + DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids)); } - DEBUG(5,("_samr_lookup_names: looking name on SID %s\n", + DEBUG(5,("_samr_LookupNames: looking name on SID %s\n", sid_string_dbg(&pol_sid))); - + for (i = 0; i < num_rids; i++) { - fstring name; - int ret; - r_u->status = NT_STATUS_NONE_MAPPED; + status = 
NT_STATUS_NONE_MAPPED; type[i] = SID_NAME_UNKNOWN; - rid [i] = 0xffffffff; - - ret = rpcstr_pull(name, q_u->uni_name[i].buffer, sizeof(name), q_u->uni_name[i].uni_str_len*2, 0); - - if (ret <= 0) { - continue; - } + rid[i] = 0xffffffff; if (sid_check_is_builtin(&pol_sid)) { - if (lookup_builtin_name(name, &rid[i])) { + if (lookup_builtin_name(r->in.names[i].string, + &rid[i])) + { type[i] = SID_NAME_ALIAS; } } else { - lookup_global_sam_name(name, 0, &rid[i], &type[i]); + lookup_global_sam_name(r->in.names[i].string, 0, + &rid[i], &type[i]); } if (type[i] != SID_NAME_UNKNOWN) { - r_u->status = NT_STATUS_OK; + status = NT_STATUS_OK; } } - init_samr_r_lookup_names(p->mem_ctx, r_u, num_rids, rid, type, r_u->status); + rids.count = num_rids; + rids.ids = rid; + + types.count = num_rids; + types.ids = type; - DEBUG(5,("_samr_lookup_names: %d\n", __LINE__)); + *r->out.rids = rids; + *r->out.types = types; - return r_u->status; + DEBUG(5,("_samr_LookupNames: %d\n", __LINE__)); + + return status; } /******************************************************************* - _samr_chgpasswd_user + _samr_ChangePasswordUser2 ********************************************************************/ -NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_CHGPASSWD_USER *r_u) +NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p, + struct samr_ChangePasswordUser2 *r) { + NTSTATUS status; fstring user_name; fstring wks; - DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__)); + DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__)); - r_u->status = NT_STATUS_OK; + fstrcpy(user_name, r->in.account->string); + fstrcpy(wks, r->in.server->string); - rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0); - rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len*2,0); - - DEBUG(5,("samr_chgpasswd_user: user: %s wks: %s\n", user_name, wks)); + DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: 
%s\n", user_name, wks)); /* * Pass the user through the NT -> unix user mapping * function. */ - + (void)map_username(user_name); - + /* - * UNIX username case mangling not required, pass_oem_change + * UNIX username case mangling not required, pass_oem_change * is case insensitive. */ - r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash, - q_u->nt_newpass.pass, q_u->nt_oldhash.hash, NULL); - - init_samr_r_chgpasswd_user(r_u, r_u->status); + status = pass_oem_change(user_name, + r->in.lm_password->data, + r->in.lm_verifier->hash, + r->in.nt_password->data, + r->in.nt_verifier->hash, + NULL); - DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__)); + DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__)); - return r_u->status; + return status; } /******************************************************************* - _samr_chgpasswd_user3 + _samr_ChangePasswordUser3 ********************************************************************/ -NTSTATUS _samr_chgpasswd_user3(pipes_struct *p, SAMR_Q_CHGPASSWD_USER3 *q_u, SAMR_R_CHGPASSWD_USER3 *r_u) +NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p, + struct samr_ChangePasswordUser3 *r) { + NTSTATUS status; fstring user_name; - fstring wks; + const char *wks = NULL; uint32 reject_reason; - SAM_UNK_INFO_1 *info = NULL; - SAMR_CHANGE_REJECT *reject = NULL; + struct samr_DomInfo1 *dominfo = NULL; + struct samr_ChangeReject *reject = NULL; - DEBUG(5,("_samr_chgpasswd_user3: %d\n", __LINE__)); + DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__)); - rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0); - rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len*2,0); + fstrcpy(user_name, r->in.account->string); + if (r->in.server && r->in.server->string) { + wks = r->in.server->string; + } - DEBUG(5,("_samr_chgpasswd_user3: user: %s wks: %s\n", user_name, wks)); + DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: 
%s\n", user_name, wks)); /* * Pass the user through the NT -> unix user mapping * function. */ - + (void)map_username(user_name); - + /* - * UNIX username case mangling not required, pass_oem_change + * UNIX username case mangling not required, pass_oem_change * is case insensitive. */ - r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash, - q_u->nt_newpass.pass, q_u->nt_oldhash.hash, &reject_reason); + status = pass_oem_change(user_name, + r->in.lm_password->data, + r->in.lm_verifier->hash, + r->in.nt_password->data, + r->in.nt_verifier->hash, + &reject_reason); - if (NT_STATUS_EQUAL(r_u->status, NT_STATUS_PASSWORD_RESTRICTION) || - NT_STATUS_EQUAL(r_u->status, NT_STATUS_ACCOUNT_RESTRICTION)) { + if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) || + NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_RESTRICTION)) { uint32 min_pass_len,pass_hist,password_properties; time_t u_expire, u_min_age; NTTIME nt_expire, nt_min_age; uint32 account_policy_temp; - if ((info = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_INFO_1)) == NULL) { + dominfo = TALLOC_ZERO_P(p->mem_ctx, struct samr_DomInfo1); + if (!dominfo) { return NT_STATUS_NO_MEMORY; } - if ((reject = TALLOC_ZERO_P(p->mem_ctx, SAMR_CHANGE_REJECT)) == NULL) { + reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject); + if (!reject) { return NT_STATUS_NO_MEMORY; } - ZERO_STRUCTP(info); - ZERO_STRUCTP(reject); - become_root(); /* AS ROOT !!! */ 
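Review bot: `_samr_LookupNames` stores the addresses of the stack arrays `rid` and `type` in `*r->out.rids` and `*r->out.types`; if the reply is marshalled after this function returns (the caller is outside the hunk), those pointers are dangling when they are read. `type` is also an `enum lsa_SidType` array assigned to `types.ids`, whereas `_samr_LookupRids` in this commit copies into a `uint32` array "for wire format". Allocating both result arrays from `p->mem_ctx`, as sketched below, removes both problems. Separately, `_samr_ChangePasswordUser2` dereferences `r->in.server->string` unconditionally while `_samr_ChangePasswordUser3` guards it with `if (r->in.server && r->in.server->string)`; the same guard belongs in both.

```c
	uint32 *rid = NULL;
	uint32 *wire_types = NULL;

	/* ... unchanged: policy handle lookup, access check, clamp of num_rids;
	 * the ZERO_ARRAY() calls on the old stack arrays go away ... */

	if (num_rids > 0) {
		rid = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
		wire_types = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
		if (!rid || !wire_types) {
			return NT_STATUS_NO_MEMORY;
		}
	}

	for (i = 0; i < num_rids; i++) {
		enum lsa_SidType type = SID_NAME_UNKNOWN;

		/* ... as before, with type[i] replaced by the local type ... */

		wire_types[i] = (uint32)type;
	}

	/* ... unchanged: rids.count, rids.ids, types.count ... */
	types.ids = wire_types;
```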
@@ -1644,23 +1940,32 @@ NTSTATUS _samr_chgpasswd_user3(pipes_struct *p, SAMR_Q_CHGPASSWD_USER3 *q_u, SAM u_min_age = account_policy_temp; /* !AS ROOT */ - + unbecome_root(); unix_to_nt_time_abs(&nt_expire, u_expire); unix_to_nt_time_abs(&nt_min_age, u_min_age); - init_unk_info1(info, (uint16)min_pass_len, (uint16)pass_hist, - password_properties, nt_expire, nt_min_age); + if (lp_check_password_script() && *lp_check_password_script()) { + password_properties |= DOMAIN_PASSWORD_COMPLEX; + } + + init_samr_DomInfo1(dominfo, + min_pass_len, + pass_hist, + password_properties, + u_expire, + u_min_age); - reject->reject_reason = reject_reason; + reject->reason = reject_reason; + + *r->out.dominfo = dominfo; + *r->out.reject = reject; } - - init_samr_r_chgpasswd_user3(r_u, r_u->status, reject, info); - DEBUG(5,("_samr_chgpasswd_user3: %d\n", __LINE__)); + DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__)); - return r_u->status; + return status; } /******************************************************************* 
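Review bot: `init_samr_DomInfo1()` is passed the raw `time_t` values `u_expire` and `u_min_age`, while the `nt_expire` and `nt_min_age` that `unix_to_nt_time_abs()` fills in just above are no longer used; the `init_unk_info1()` call this replaces passed the converted values. Unless `init_samr_DomInfo1()` converts internally (its definition is not in this hunk), clients would receive the password-age policy in the wrong unit. Suggested: end the argument list with `nt_expire,` and `nt_min_age);`. The `(uint16)` casts on `min_pass_len` and `pass_hist` were dropped as well, so the new parameter types are worth confirming. The enclosing function starts outside this hunk.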
@@ -1668,60 +1973,54 @@ makes a SAMR_R_LOOKUP_RIDS structure. ********************************************************************/ static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, - const char **names, UNIHDR **pp_hdr_name, - UNISTR2 **pp_uni_name) + const char **names, + struct lsa_String **lsa_name_array_p) { - uint32 i; - UNIHDR *hdr_name=NULL; - UNISTR2 *uni_name=NULL; + struct lsa_String *lsa_name_array = NULL; + uint32_t i; - *pp_uni_name = NULL; - *pp_hdr_name = NULL; + *lsa_name_array_p = NULL; if (num_names != 0) { - hdr_name = TALLOC_ZERO_ARRAY(ctx, UNIHDR, num_names); - if (hdr_name == NULL) - return False; - - uni_name = TALLOC_ZERO_ARRAY(ctx,UNISTR2, num_names); - if (uni_name == NULL) - return False; + lsa_name_array = TALLOC_ZERO_ARRAY(ctx, struct lsa_String, num_names); + if (!lsa_name_array) { + return false; + } } for (i = 0; i < num_names; i++) { DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : "")); - init_unistr2(&uni_name[i], names[i], UNI_FLAGS_NONE); - init_uni_hdr(&hdr_name[i], &uni_name[i]); + init_lsa_String(&lsa_name_array[i], names[i]); } - *pp_uni_name = uni_name; - *pp_hdr_name = hdr_name; + *lsa_name_array_p = lsa_name_array; - return True; + return true; } /******************************************************************* - _samr_lookup_rids + _samr_LookupRids ********************************************************************/ -NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP_RIDS *r_u) +NTSTATUS _samr_LookupRids(pipes_struct *p, + struct samr_LookupRids *r) { + NTSTATUS status; const char **names; enum lsa_SidType *attrs = NULL; uint32 *wire_attrs = NULL; - UNIHDR *hdr_name = NULL; - UNISTR2 *uni_name = NULL; DOM_SID pol_sid; - int num_rids = (int)q_u->num_rids1; + int num_rids = (int)r->in.num_rids; uint32 acc_granted; int i; + struct lsa_Strings names_array; + struct samr_Ids types_array; + struct lsa_String *lsa_names = NULL; - r_u->status = 
NT_STATUS_OK; - - DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__)); + DEBUG(5,("_samr_LookupRids: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; if (num_rids > 1000) { 
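Review bot: `int num_rids = (int)r->in.num_rids;` converts a client-supplied unsigned count to signed before the `if (num_rids > 1000)` bound check, so a value above INT_MAX becomes negative and passes the check (its body lies outside this hunk). The value later reaches `names_array.count` and `types_array.count` in the `@@ -1744` hunk. Unless the count is range-limited before this function is called (not visible here), the unsigned field should be compared first, e.g. `if (r->in.num_rids > 1000) {`. `_samr_LookupNames` in the `@@ -1460` hunk has the same pattern with `int num_rids = r->in.num_names;` and the `MAX_SAM_ENTRIES` clamp.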
@@ -1744,59 +2043,67 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK } become_root(); /* lookup_sid can require root privs */ - r_u->status = pdb_lookup_rids(&pol_sid, num_rids, q_u->rid, - names, attrs); + status = pdb_lookup_rids(&pol_sid, num_rids, r->in.rids, + names, attrs); unbecome_root(); - if ( NT_STATUS_EQUAL(r_u->status, NT_STATUS_NONE_MAPPED) && (num_rids == 0) ) { - r_u->status = NT_STATUS_OK; + if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) && (num_rids == 0)) { + status = NT_STATUS_OK; } - if(!make_samr_lookup_rids(p->mem_ctx, num_rids, names, - &hdr_name, &uni_name)) + if (!make_samr_lookup_rids(p->mem_ctx, num_rids, names, + &lsa_names)) { return NT_STATUS_NO_MEMORY; + } /* Convert from enum lsa_SidType to uint32 for wire format. */ for (i = 0; i < num_rids; i++) { wire_attrs[i] = (uint32)attrs[i]; } - init_samr_r_lookup_rids(r_u, num_rids, hdr_name, uni_name, wire_attrs); + names_array.count = num_rids; + names_array.names = lsa_names; + + types_array.count = num_rids; + types_array.ids = wire_attrs; - DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__)); + *r->out.names = names_array; + *r->out.types = types_array; - return r_u->status; + DEBUG(5,("_samr_LookupRids: %d\n", __LINE__)); + + return status; } /******************************************************************* - _samr_open_user. Safe - gives out no passwd info. 
- ********************************************************************/ + _samr_OpenUser +********************************************************************/ -NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USER *r_u) +NTSTATUS _samr_OpenUser(pipes_struct *p, + struct samr_OpenUser *r) { struct samu *sampass=NULL; DOM_SID sid; - POLICY_HND domain_pol = q_u->domain_pol; - POLICY_HND *user_pol = &r_u->user_pol; + POLICY_HND domain_pol = *r->in.domain_handle; + POLICY_HND *user_pol = r->out.user_handle; struct samr_info *info = NULL; SEC_DESC *psd = NULL; uint32 acc_granted; - uint32 des_access = q_u->access_mask; + uint32 des_access = r->in.access_mask; size_t sd_size; bool ret; NTSTATUS nt_status; SE_PRIV se_rights; - r_u->status = NT_STATUS_OK; - /* find the domain policy handle and get domain SID / access bits in the domain policy. */ - + if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) ) return NT_STATUS_INVALID_HANDLE; - - nt_status = access_check_samr_function( acc_granted, - SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_user" ); - + + nt_status = access_check_samr_function(acc_granted, + SA_RIGHT_DOMAIN_OPEN_ACCOUNT, + "_samr_OpenUser" ); + if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; 
@@ -1805,22 +2112,22 @@ NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USE } /* append the user's RID to it */ - - if (!sid_append_rid(&sid, q_u->user_rid)) + + if (!sid_append_rid(&sid, r->in.rid)) return NT_STATUS_NO_SUCH_USER; - + /* check if access can be granted as requested by client. */ - + make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW); se_map_generic(&des_access, &usr_generic_mapping); - + se_priv_copy( &se_rights, &se_machine_account ); se_priv_add( &se_rights, &se_add_users ); - - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, - &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access, - &acc_granted, "_samr_open_user"); - + + nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access, + &acc_granted, "_samr_OpenUser"); + if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; @@ -1844,22 +2151,27 @@ NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USE if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - return r_u->status; + return NT_STATUS_OK; } /************************************************************************* get_user_info_7. Safe. Only gives out account_name. *************************************************************************/ -static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_SID *user_sid) +static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, + struct samr_UserInfo7 *r, + DOM_SID *user_sid) { struct samu *smbpass=NULL; bool ret; + const char *account_name = NULL; + + ZERO_STRUCTP(r); if ( !(smbpass = samu_new( mem_ctx )) ) { return NT_STATUS_NO_MEMORY; } - + become_root(); ret = pdb_getsampwsid(smbpass, user_sid); unbecome_root(); 
@@ -1869,12 +2181,16 @@ static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_S return NT_STATUS_NO_SUCH_USER; } - DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) )); + account_name = talloc_strdup(mem_ctx, pdb_get_username(smbpass)); + if (!account_name) { + TALLOC_FREE(smbpass); + return NT_STATUS_NO_MEMORY; + } + TALLOC_FREE(smbpass); - ZERO_STRUCTP(id7); - init_sam_user_info7(id7, pdb_get_username(smbpass) ); + DEBUG(3,("User:[%s]\n", account_name)); - TALLOC_FREE(smbpass); + init_samr_user_info7(r, account_name); return NT_STATUS_OK; } @@ -1882,11 +2198,16 @@ static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_S /************************************************************************* get_user_info_9. Only gives out primary group SID. *************************************************************************/ -static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, SAM_USER_INFO_9 * id9, DOM_SID *user_sid) + +static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, + struct samr_UserInfo9 *r, + DOM_SID *user_sid) { struct samu *smbpass=NULL; bool ret; + ZERO_STRUCTP(r); + if ( !(smbpass = samu_new( mem_ctx )) ) { return NT_STATUS_NO_MEMORY; } @@ -1897,13 +2218,13 @@ static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, SAM_USER_INFO_9 * id9, DOM_ if (ret==False) { DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); + TALLOC_FREE(smbpass); return NT_STATUS_NO_SUCH_USER; } DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) )); - ZERO_STRUCTP(id9); - init_sam_user_info9(id9, pdb_get_group_rid(smbpass) ); + init_samr_user_info9(r, pdb_get_group_rid(smbpass)); TALLOC_FREE(smbpass); 
@@ -1914,11 +2235,15 @@ static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, SAM_USER_INFO_9 * id9, DOM_ get_user_info_16. Safe. Only gives out acb bits. *************************************************************************/ -static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, SAM_USER_INFO_16 *id16, DOM_SID *user_sid) +static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, + struct samr_UserInfo16 *r, + DOM_SID *user_sid) { struct samu *smbpass=NULL; bool ret; + ZERO_STRUCTP(r); + if ( !(smbpass = samu_new( mem_ctx )) ) { return NT_STATUS_NO_MEMORY; } @@ -1929,13 +2254,13 @@ static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, SAM_USER_INFO_16 *id16, DO if (ret==False) { DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); + TALLOC_FREE(smbpass); return NT_STATUS_NO_SUCH_USER; } DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) )); - ZERO_STRUCTP(id16); - init_sam_user_info16(id16, pdb_get_acct_ctrl(smbpass) ); + init_samr_user_info16(r, pdb_get_acct_ctrl(smbpass)); TALLOC_FREE(smbpass); @@ -1945,14 +2270,19 @@ static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, SAM_USER_INFO_16 *id16, DO /************************************************************************* get_user_info_18. OK - this is the killer as it gives out password info. Ensure that this is only allowed on an encrypted connection with a root - user. JRA. + user. JRA. *************************************************************************/ -static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_INFO_18 * id18, DOM_SID *user_sid) +static NTSTATUS get_user_info_18(pipes_struct *p, + TALLOC_CTX *mem_ctx, + struct samr_UserInfo18 *r, + DOM_SID *user_sid) { struct samu *smbpass=NULL; bool ret; + ZERO_STRUCTP(r); + if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) { return NT_STATUS_ACCESS_DENIED; } 
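Review bot: The gate at the top of `get_user_info_18` joins two `!=` tests on `p->auth.auth_type` with `||`, which is true for every value, so the function returns `NT_STATUS_ACCESS_DENIED` unconditionally and this info level can never succeed. That fails closed, but it does not express the rule stated in the header comment; the intended test is presumably `if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP && p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {`. Correcting the operator makes the password-hash path reachable. Before that change, the remaining checks in the function (outside this hunk) should be confirmed to enforce an encrypted connection and a privileged caller.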
@@ -1984,9 +2314,9 @@ static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_ return NT_STATUS_ACCOUNT_DISABLED; } - ZERO_STRUCTP(id18); - init_sam_user_info18(id18, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass)); - + init_samr_user_info18(r, pdb_get_lanman_passwd(smbpass), + pdb_get_nt_passwd(smbpass)); + TALLOC_FREE(smbpass); return NT_STATUS_OK; @@ -1996,10 +2326,17 @@ static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_ get_user_info_20 *************************************************************************/ -static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DOM_SID *user_sid) +static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, + struct samr_UserInfo20 *r, + DOM_SID *user_sid) { struct samu *sampass=NULL; bool ret; + const char *munged_dial = NULL; + const char *munged_dial_decoded = NULL; + DATA_BLOB blob; + + ZERO_STRUCTP(r); if ( !(sampass = samu_new( mem_ctx )) ) { return NT_STATUS_NO_MEMORY; 
@@ -2011,72 +2348,221 @@ static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DO if (ret == False) { DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); + TALLOC_FREE(sampass); return NT_STATUS_NO_SUCH_USER; } + munged_dial = pdb_get_munged_dial(sampass); + samr_clear_sam_passwd(sampass); DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) )); - ZERO_STRUCTP(id20); - init_sam_user_info20A(id20, sampass); - + if (munged_dial) { + blob = base64_decode_data_blob(munged_dial); + munged_dial_decoded = talloc_strndup(mem_ctx, + (const char *)blob.data, + blob.length); + data_blob_free(&blob); + if (!munged_dial_decoded) { + TALLOC_FREE(sampass); + return NT_STATUS_NO_MEMORY; + } + } + +#if 0 + init_unistr2_from_datablob(&usr->uni_munged_dial, &blob); + init_uni_hdr(&usr->hdr_munged_dial, &usr->uni_munged_dial); + data_blob_free(&blob); +#endif + init_samr_user_info20(r, munged_dial_decoded); + TALLOC_FREE(sampass); return NT_STATUS_OK; } + /************************************************************************* get_user_info_21 *************************************************************************/ -static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, - DOM_SID *user_sid, DOM_SID *domain_sid) +static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, + struct samr_UserInfo21 *r, + DOM_SID *user_sid, + DOM_SID *domain_sid) { - struct samu *sampass=NULL; + struct samu *pw = NULL; bool ret; - NTSTATUS nt_status; - - if ( !(sampass = samu_new( mem_ctx )) ) { + const DOM_SID *sid_user, *sid_group; + uint32_t rid, primary_gid; + NTTIME last_logon, last_logoff, last_password_change, + acct_expiry, allow_password_change, force_password_change; + time_t must_change_time; + uint8_t password_expired; + const char *account_name, *full_name, *home_directory, *home_drive, + *logon_script, *profile_path, *description, + *workstations, *comment, *parameters; + struct samr_LogonHours logon_hours; + const char *munged_dial = NULL; + 
DATA_BLOB blob; + + ZERO_STRUCTP(r); + + if (!(pw = samu_new(mem_ctx))) { return NT_STATUS_NO_MEMORY; } become_root(); - ret = pdb_getsampwsid(sampass, user_sid); + ret = pdb_getsampwsid(pw, user_sid); unbecome_root(); if (ret == False) { DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); + TALLOC_FREE(pw); return NT_STATUS_NO_SUCH_USER; } - samr_clear_sam_passwd(sampass); + samr_clear_sam_passwd(pw); - DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) )); + DEBUG(3,("User:[%s]\n", pdb_get_username(pw))); - ZERO_STRUCTP(id21); - nt_status = init_sam_user_info21A(id21, sampass, domain_sid); - - TALLOC_FREE(sampass); + sid_user = pdb_get_user_sid(pw); - return nt_status; + if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) { + DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with " + "the domain sid %s. Failing operation.\n", + pdb_get_username(pw), sid_string_dbg(sid_user), + sid_string_dbg(domain_sid))); + TALLOC_FREE(pw); + return NT_STATUS_UNSUCCESSFUL; + } + + become_root(); + sid_group = pdb_get_group_sid(pw); + unbecome_root(); + + if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) { + DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n" + "which conflicts with the domain sid %s. 
Failing operation.\n", + pdb_get_username(pw), sid_string_dbg(sid_group), + sid_string_dbg(domain_sid))); + TALLOC_FREE(pw); + return NT_STATUS_UNSUCCESSFUL; + } + + unix_to_nt_time(&last_logon, pdb_get_logon_time(pw)); + unix_to_nt_time(&last_logoff, pdb_get_logoff_time(pw)); + unix_to_nt_time(&acct_expiry, pdb_get_kickoff_time(pw)); + unix_to_nt_time(&last_password_change, pdb_get_pass_last_set_time(pw)); + unix_to_nt_time(&allow_password_change, pdb_get_pass_can_change_time(pw)); + + must_change_time = pdb_get_pass_must_change_time(pw); + if (must_change_time == get_time_t_max()) { + unix_to_nt_time_abs(&force_password_change, must_change_time); + } else { + unix_to_nt_time(&force_password_change, must_change_time); + } + + if (pdb_get_pass_must_change_time(pw) == 0) { + password_expired = PASS_MUST_CHANGE_AT_NEXT_LOGON; + } else { + password_expired = 0; + } + + munged_dial = pdb_get_munged_dial(pw); + if (munged_dial) { + blob = base64_decode_data_blob(munged_dial); + parameters = talloc_strndup(mem_ctx, (const char *)blob.data, blob.length); + data_blob_free(&blob); + if (!parameters) { + TALLOC_FREE(pw); + return NT_STATUS_NO_MEMORY; + } + } else { + parameters = NULL; + } + + + account_name = talloc_strdup(mem_ctx, pdb_get_username(pw)); + full_name = talloc_strdup(mem_ctx, pdb_get_fullname(pw)); + home_directory = talloc_strdup(mem_ctx, pdb_get_homedir(pw)); + home_drive = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw)); + logon_script = talloc_strdup(mem_ctx, pdb_get_logon_script(pw)); + profile_path = talloc_strdup(mem_ctx, pdb_get_profile_path(pw)); + description = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw)); + workstations = talloc_strdup(mem_ctx, pdb_get_workstations(pw)); + comment = talloc_strdup(mem_ctx, pdb_get_comment(pw)); + + logon_hours = get_logon_hours_from_pdb(mem_ctx, pw); +#if 0 + + /* + Look at a user on a real NT4 PDC with usrmgr, press + 'ok'. Then you will see that fields_present is set to + 0x08f827fa. 
Look at the user immediately after that again, + and you will see that 0x00fffff is returned. This solves + the problem that you get access denied after having looked + at the user. + -- Volker + */ + +#if 0 + init_unistr2_from_datablob(&usr->uni_munged_dial, &munged_dial_blob); + init_uni_hdr(&usr->hdr_munged_dial, &usr->uni_munged_dial); + data_blob_free(&munged_dial_blob); +#endif +#endif + + init_samr_user_info21(r, + last_logon, + last_logoff, + last_password_change, + acct_expiry, + allow_password_change, + force_password_change, + account_name, + full_name, + home_directory, + home_drive, + logon_script, + profile_path, + description, + workstations, + comment, + parameters, + rid, + primary_gid, + pdb_get_acct_ctrl(pw), + pdb_build_fields_present(pw), + logon_hours, + pdb_get_bad_password_count(pw), + pdb_get_logon_count(pw), + 0, /* country_code */ + 0, /* code_page */ + 0, /* nt_password_set */ + 0, /* lm_password_set */ + password_expired); + TALLOC_FREE(pw); + + return NT_STATUS_OK; } /******************************************************************* - _samr_query_userinfo + _samr_QueryUserInfo ********************************************************************/ -NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_QUERY_USERINFO *r_u) +NTSTATUS _samr_QueryUserInfo(pipes_struct *p, + struct samr_QueryUserInfo *r) { - SAM_USERINFO_CTR *ctr; + NTSTATUS status; + union samr_UserInfo *user_info = NULL; struct samr_info *info = NULL; DOM_SID domain_sid; uint32 rid; - - r_u->status=NT_STATUS_OK; /* search for the handle */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; domain_sid = info->sid; 
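Review bot: In get_user_info_20 and get_user_info_21 the base64-decoded munged_dial blob is copied with `talloc_strndup(mem_ctx, (const char *)blob.data, blob.length)`, which treats binary data as a C string. The copy stops at the first zero byte, so a blob with embedded NULs is silently truncated. If base64_decode_data_blob can return a NULL `data` for empty or malformed input (not confirmable from this page), talloc_strndup returns NULL and the whole query fails with NT_STATUS_NO_MEMORY. Test the decode result before copying, for example `if (blob.data == NULL || blob.length == 0) { parameters = NULL; } else { /* copy */ }`, and the same for `munged_dial_decoded`. The nine `talloc_strdup` results in get_user_info_21 are also passed to init_samr_user_info21 unchecked, so an allocation failure there looks the same as an unset attribute.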
@@ -2086,94 +2572,81 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ if (!sid_check_is_in_our_domain(&info->sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - DEBUG(5,("_samr_query_userinfo: sid:%s\n", + DEBUG(5,("_samr_QueryUserInfo: sid:%s\n", sid_string_dbg(&info->sid))); - ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_USERINFO_CTR); - if (!ctr) + user_info = TALLOC_ZERO_P(p->mem_ctx, union samr_UserInfo); + if (!user_info) { return NT_STATUS_NO_MEMORY; + } - ZERO_STRUCTP(ctr); - - /* ok! user info levels (lots: see MSDEV help), off we go... */ - ctr->switch_value = q_u->switch_value; - - DEBUG(5,("_samr_query_userinfo: user info level: %d\n", q_u->switch_value)); + DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r->in.level)); - switch (q_u->switch_value) { + switch (r->in.level) { case 7: - ctr->info.id7 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_7); - if (ctr->info.id7 == NULL) - return NT_STATUS_NO_MEMORY; - - if (!NT_STATUS_IS_OK(r_u->status = get_user_info_7(p->mem_ctx, ctr->info.id7, &info->sid))) - return r_u->status; + status = get_user_info_7(p->mem_ctx, &user_info->info7, &info->sid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } break; case 9: - ctr->info.id9 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_9); - if (ctr->info.id9 == NULL) - return NT_STATUS_NO_MEMORY; - - if (!NT_STATUS_IS_OK(r_u->status = get_user_info_9(p->mem_ctx, ctr->info.id9, &info->sid))) - return r_u->status; + status = get_user_info_9(p->mem_ctx, &user_info->info9, &info->sid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } break; case 16: - ctr->info.id16 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_16); - if (ctr->info.id16 == NULL) - return NT_STATUS_NO_MEMORY; - - if (!NT_STATUS_IS_OK(r_u->status = get_user_info_16(p->mem_ctx, ctr->info.id16, &info->sid))) - return r_u->status; + status = get_user_info_16(p->mem_ctx, &user_info->info16, &info->sid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } break; case 18: - ctr->info.id18 
= TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_18); - if (ctr->info.id18 == NULL) - return NT_STATUS_NO_MEMORY; - - if (!NT_STATUS_IS_OK(r_u->status = get_user_info_18(p, p->mem_ctx, ctr->info.id18, &info->sid))) - return r_u->status; + status = get_user_info_18(p, p->mem_ctx, &user_info->info18, &info->sid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } break; - + case 20: - ctr->info.id20 = TALLOC_ZERO_P(p->mem_ctx,SAM_USER_INFO_20); - if (ctr->info.id20 == NULL) - return NT_STATUS_NO_MEMORY; - if (!NT_STATUS_IS_OK(r_u->status = get_user_info_20(p->mem_ctx, ctr->info.id20, &info->sid))) - return r_u->status; + status = get_user_info_20(p->mem_ctx, &user_info->info20, &info->sid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } break; case 21: - ctr->info.id21 = TALLOC_ZERO_P(p->mem_ctx,SAM_USER_INFO_21); - if (ctr->info.id21 == NULL) - return NT_STATUS_NO_MEMORY; - if (!NT_STATUS_IS_OK(r_u->status = get_user_info_21(p->mem_ctx, ctr->info.id21, - &info->sid, &domain_sid))) - return r_u->status; + status = get_user_info_21(p->mem_ctx, &user_info->info21, + &info->sid, &domain_sid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } break; default: return NT_STATUS_INVALID_INFO_CLASS; } - init_samr_r_query_userinfo(r_u, ctr, r_u->status); + *r->out.info = user_info; + + DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__)); - DEBUG(5,("_samr_query_userinfo: %d\n", __LINE__)); - - return r_u->status; + return status; } /******************************************************************* - samr_reply_query_usergroups + _samr_GetGroupsForUser ********************************************************************/ -NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u) +NTSTATUS _samr_GetGroupsForUser(pipes_struct *p, + struct samr_GetGroupsForUser *r) { struct samu *sam_pass=NULL; DOM_SID sid; DOM_SID *sids; - DOM_GID dom_gid; - DOM_GID *gids = NULL; + struct samr_RidWithAttribute dom_gid; + struct 
samr_RidWithAttribute *gids = NULL; uint32 primary_group_rid; size_t num_groups = 0; gid_t *unix_gids; @@ -2183,6 +2656,8 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S NTSTATUS result; bool success = False; + struct samr_RidWithAttributeArray *rids = NULL; + /* * from the SID in the request: * we should send back the list of DOMAIN GROUPS @@ -2195,16 +2670,22 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S * JFM, 12/2/2001 */ - r_u->status = NT_STATUS_OK; + DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__)); - DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); + rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidWithAttributeArray); + if (!rids) { + return NT_STATUS_NO_MEMORY; + } /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_USER_GET_GROUPS, "_samr_query_usergroups"))) { - return r_u->status; + + result = access_check_samr_function(acc_granted, + SA_RIGHT_USER_GET_GROUPS, + "_samr_GetGroupsForUser"); + if (!NT_STATUS_IS_OK(result)) { + return result; } if (!sid_check_is_in_our_domain(&sid)) @@ -2231,7 +2712,7 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S result = pdb_enum_group_memberships(p->mem_ctx, sam_pass, &sids, &unix_gids, &num_groups); if ( NT_STATUS_IS_OK(result) ) { - success = sid_peek_check_rid(get_global_sam_sid(), + success = sid_peek_check_rid(get_global_sam_sid(), pdb_get_group_sid(sam_pass), &primary_group_rid); } 
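Review bot: No access_check_samr_function() call is visible in _samr_QueryUserInfo between the handle lookup and `switch (r->in.level)`, so every level, including 21, appears to be served to any caller with a valid user handle, whatever access mask it was opened with. _samr_GetGroupsForUser in this same diff checks `acc_granted` against SA_RIGHT_USER_GET_GROUPS before doing any work, and samr_QueryDomainInfo_internal (a later hunk) goes from find_policy_by_hnd straight to the `become_root()` cases with the same gap. A few lines of _samr_QueryUserInfo lie between the hunks and are not shown, so confirm against the full file. If the check is absent, add one directly after find_policy_by_hnd that tests `info->acc_granted` against the read right defined for user attributes and returns its status on failure.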
@@ -2254,48 +2735,53 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S gids = NULL; num_gids = 0; - dom_gid.attr = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT| - SE_GROUP_ENABLED); - dom_gid.g_rid = primary_group_rid; - ADD_TO_ARRAY(p->mem_ctx, DOM_GID, dom_gid, &gids, &num_gids); + dom_gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT| + SE_GROUP_ENABLED); + dom_gid.rid = primary_group_rid; + ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids); for (i=0; i<num_groups; i++) { if (!sid_peek_check_rid(get_global_sam_sid(), - &(sids[i]), &dom_gid.g_rid)) { + &(sids[i]), &dom_gid.rid)) { DEBUG(10, ("Found sid %s not in our domain\n", sid_string_dbg(&sids[i]))); continue; } - if (dom_gid.g_rid == primary_group_rid) { + if (dom_gid.rid == primary_group_rid) { /* We added the primary group directly from the * sam_account. The other SIDs are unique from * enum_group_memberships */ continue; } - ADD_TO_ARRAY(p->mem_ctx, DOM_GID, dom_gid, &gids, &num_gids); + ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids); } - - /* construct the response. lkclXXXX: gids are not copied! 
*/ - init_samr_r_query_usergroups(r_u, num_gids, gids, r_u->status); - - DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); - - return r_u->status; + + rids->count = num_gids; + rids->rids = gids; + + *r->out.rids = rids; + + DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__)); + + return result; } /******************************************************************* - _samr_query_domain_info + samr_QueryDomainInfo_internal ********************************************************************/ -NTSTATUS _samr_query_domain_info(pipes_struct *p, - SAMR_Q_QUERY_DOMAIN_INFO *q_u, - SAMR_R_QUERY_DOMAIN_INFO *r_u) +static NTSTATUS samr_QueryDomainInfo_internal(const char *fn_name, + pipes_struct *p, + struct policy_handle *handle, + uint32_t level, + union samr_DomainInfo **dom_info_ptr) { + NTSTATUS status = NT_STATUS_OK; struct samr_info *info = NULL; - SAM_UNK_CTR *ctr; + union samr_DomainInfo *dom_info; uint32 min_pass_len,pass_hist,password_properties; time_t u_expire, u_min_age; NTTIME nt_expire, nt_min_age; @@ -2313,24 +2799,23 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, uint32 num_users=0, num_groups=0, num_aliases=0; - if ((ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_CTR)) == NULL) { + DEBUG(5,("%s: %d\n", fn_name, __LINE__)); + + dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo); + if (!dom_info) { return NT_STATUS_NO_MEMORY; } - ZERO_STRUCTP(ctr); + *dom_info_ptr = dom_info; - r_u->status = NT_STATUS_OK; - - DEBUG(5,("_samr_query_domain_info: %d\n", __LINE__)); - /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)(void *)&info)) { + if (!find_policy_by_hnd(p, handle, (void **)(void *)&info)) { return NT_STATUS_INVALID_HANDLE; } - - switch (q_u->switch_value) { + + switch (level) { case 0x01: - + become_root(); /* AS ROOT !!! */ 
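Review bot: The results of the two ADD_TO_ARRAY calls in _samr_GetGroupsForUser are not checked before `rids->rids = gids` is published. If the macro reports allocation failure by leaving `gids` NULL (to be confirmed against its definition, which is not on this page), the call returns success with a short or empty list, and a client would read that as the user having no group memberships. A guard after each call, `if (gids == NULL) return NT_STATUS_NO_MEMORY;`, keeps the failure visible. `return result;` also depends on `result` still holding a status set outside this hunk; returning `NT_STATUS_OK` explicitly at this point would be clearer.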
@@ -2351,14 +2836,18 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, u_min_age = account_policy_temp; /* !AS ROOT */ - + unbecome_root(); unix_to_nt_time_abs(&nt_expire, u_expire); unix_to_nt_time_abs(&nt_min_age, u_min_age); - init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist, - password_properties, nt_expire, nt_min_age); + init_samr_DomInfo1(&dom_info->info1, + (uint16)min_pass_len, + (uint16)pass_hist, + password_properties, + nt_expire, + nt_min_age); break; case 0x02: @@ -2379,15 +2868,25 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, seq_num = time(NULL); /* !AS ROOT */ - + unbecome_root(); server_role = ROLE_DOMAIN_PDC; if (lp_server_role() == ROLE_DOMAIN_BDC) server_role = ROLE_DOMAIN_BDC; - init_unk_info2(&ctr->info.inf2, lp_serverstring(), lp_workgroup(), global_myname(), seq_num, - num_users, num_groups, num_aliases, nt_logout, server_role); + init_samr_DomInfo2(&dom_info->info2, + nt_logout, + lp_serverstring(), + lp_workgroup(), + global_myname(), + seq_num, + 1, + server_role, + 1, + num_users, + num_groups, + num_aliases); break; case 0x03: 
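Review bot: The `init_samr_DomInfo2` call passes two bare `1` literals among eleven positional arguments, and the order differs from the old init_unk_info2 call (nt_logout moved to the front, the three counters to the end). Label each literal with the field it fills, the way the init_samr_user_info21 call in this commit does with `0, /* country_code */`, so the mapping can be checked without opening the generated header. `num_users`, `num_groups` and `num_aliases` share a type, so a swapped pair would compile without a warning.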
@@ -2402,31 +2901,37 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, } /* !AS ROOT */ - + unbecome_root(); unix_to_nt_time_abs(&nt_logout, u_logout); - - init_unk_info3(&ctr->info.inf3, nt_logout); + + init_samr_DomInfo3(&dom_info->info3, + nt_logout); + break; case 0x04: - init_unk_info4(&ctr->info.inf4, lp_serverstring()); + init_samr_DomInfo4(&dom_info->info4, + lp_serverstring()); break; case 0x05: - init_unk_info5(&ctr->info.inf5, get_global_sam_name()); + init_samr_DomInfo5(&dom_info->info5, + get_global_sam_name()); break; case 0x06: /* NT returns its own name when a PDC. win2k and later * only the name of the PDC if itself is a BDC (samba4 * idl) */ - init_unk_info6(&ctr->info.inf6, global_myname()); + init_samr_DomInfo6(&dom_info->info6, + global_myname()); break; case 0x07: server_role = ROLE_DOMAIN_PDC; if (lp_server_role() == ROLE_DOMAIN_BDC) server_role = ROLE_DOMAIN_BDC; - init_unk_info7(&ctr->info.inf7, server_role); + init_samr_DomInfo7(&dom_info->info7, + server_role); break; case 0x08: @@ -2439,10 +2944,12 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, } /* !AS ROOT */ - + unbecome_root(); - init_unk_info8(&ctr->info.inf8, (uint32) seq_num); + init_samr_DomInfo8(&dom_info->info8, + seq_num, + 0); break; case 0x0c: 
@@ -2463,24 +2970,38 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, lockout = account_policy_temp; /* !AS ROOT */ - + unbecome_root(); unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); unix_to_nt_time_abs(&nt_reset_time, u_reset_time); - - init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout); + + init_samr_DomInfo12(&dom_info->info12, + nt_lock_duration, + nt_reset_time, + (uint16)lockout); break; default: return NT_STATUS_INVALID_INFO_CLASS; - } - + } + + DEBUG(5,("%s: %d\n", fn_name, __LINE__)); + + return status; +} - init_samr_r_query_domain_info(r_u, q_u->switch_value, ctr, NT_STATUS_OK); - - DEBUG(5,("_samr_query_domain_info: %d\n", __LINE__)); - - return r_u->status; +/******************************************************************* + _samr_QueryDomainInfo + ********************************************************************/ + +NTSTATUS _samr_QueryDomainInfo(pipes_struct *p, + struct samr_QueryDomainInfo *r) +{ + return samr_QueryDomainInfo_internal("_samr_QueryDomainInfo", + p, + r->in.domain_handle, + r->in.level, + r->out.info); } /* W2k3 seems to use the same check for all 3 objects that can be created via 
@@ -2522,19 +3043,17 @@ static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name) } /******************************************************************* - _samr_create_user - Create an account, can be either a normal user or a machine. - This funcion will need to be updated for bdc/domain trusts. + _samr_CreateUser2 ********************************************************************/ -NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, - SAMR_R_CREATE_USER *r_u) +NTSTATUS _samr_CreateUser2(pipes_struct *p, + struct samr_CreateUser2 *r) { - char *account; + const char *account = NULL; DOM_SID sid; - POLICY_HND dom_pol = q_u->domain_pol; - uint16 acb_info = q_u->acb_info; - POLICY_HND *user_pol = &r_u->user_pol; + POLICY_HND dom_pol = *r->in.domain_handle; + uint32_t acb_info = r->in.acct_flags; + POLICY_HND *user_pol = r->out.user_handle; struct samr_info *info = NULL; NTSTATUS nt_status; uint32 acc_granted; @@ -2553,19 +3072,19 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_USER, - "_samr_create_user"); + "_samr_CreateUser2"); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST || - acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) { - /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if + acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) { + /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if this parameter is not an account type */ return NT_STATUS_INVALID_PARAMETER; } - account = rpcstr_pull_unistr2_talloc(p->mem_ctx, &q_u->uni_name); + account = r->in.account_name->string; if (account == NULL) { return NT_STATUS_NO_MEMORY; } 
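Review bot: `account` is now read directly from `r->in.account_name->string`, so the `account == NULL` test no longer detects a failed allocation but a request that carries no name string, and NT_STATUS_NO_MEMORY is the wrong status for that. Return `NT_STATUS_INVALID_PARAMETER` there, consistent with the acb_info validation just above it. The body of _samr_CreateUser2 continues outside this hunk.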
@@ -2576,14 +3095,14 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, } /* determine which user right we need to check based on the acb_info */ - + if ( acb_info & ACB_WSTRUST ) { se_priv_copy( &se_rights, &se_machine_account ); can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); - } - /* usrmgr.exe (and net rpc trustdom grant) creates a normal user + } + /* usrmgr.exe (and net rpc trustdom grant) creates a normal user account for domain trusts and changes the ACB flags later */ else if ( acb_info & ACB_NORMAL && (account[strlen(account)-1] != '$') ) @@ -2591,7 +3110,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, se_priv_copy( &se_rights, &se_add_users ); can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); - } + } else /* implicit assumption of a BDC or domain trust account here * (we already check the flags earlier) */ { 
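Review bot: `account[strlen(account)-1]` in the ACB_NORMAL branch reads one byte before the string when the name is empty, and since this commit `account` is the client-supplied `r->in.account_name->string` with no length check visible. can_create() and the lines between the hunks are not shown and may already reject an empty name. If they do not, reject it before the privilege selection with `if (account[0] == '\0') return NT_STATUS_INVALID_PARAMETER;`.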
@@ -2603,41 +3122,41 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, DOMAIN_GROUP_RID_ADMINS ); } } - - DEBUG(5, ("_samr_create_user: %s can add this account : %s\n", + + DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n", uidtoname(p->pipe_user.ut.uid), can_add_account ? "True":"False" )); - + /********** BEGIN Admin BLOCK **********/ if ( can_add_account ) become_root(); nt_status = pdb_create_user(p->mem_ctx, account, acb_info, - &r_u->user_rid); + r->out.rid); if ( can_add_account ) unbecome_root(); /********** END Admin BLOCK **********/ - + /* now check for failure */ - + if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; - + /* Get the user's SID */ - sid_compose(&sid, get_global_sam_sid(), r_u->user_rid); - + sid_compose(&sid, get_global_sam_sid(), *r->out.rid); + make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW); se_map_generic(&des_access, &usr_generic_mapping); - - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, - &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access, - &acc_granted, "_samr_create_user"); - + + nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access, + &acc_granted, "_samr_CreateUser2"); + if ( !NT_STATUS_IS_OK(nt_status) ) { return nt_status; } 
@@ -2659,40 +3178,38 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, /* After a "set" ensure we have no cached display info. */ force_flush_samr_cache(info->disp_info); - r_u->access_granted = acc_granted; + *r->out.access_granted = acc_granted; return NT_STATUS_OK; } /******************************************************************* - samr_reply_connect_anon + _samr_Connect ********************************************************************/ -NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CONNECT_ANON *r_u) +NTSTATUS _samr_Connect(pipes_struct *p, + struct samr_Connect *r) { struct samr_info *info = NULL; - uint32 des_access = q_u->access_mask; + uint32 des_access = r->in.access_mask; /* Access check */ if (!pipe_access_check(p)) { - DEBUG(3, ("access denied to samr_connect_anon\n")); - r_u->status = NT_STATUS_ACCESS_DENIED; - return r_u->status; + DEBUG(3, ("access denied to _samr_Connect\n")); + return NT_STATUS_ACCESS_DENIED; } /* set up the SAMR connect_anon response */ - r_u->status = NT_STATUS_OK; - /* associate the user's SID with the new handle. */ if ((info = get_samr_info_by_sid(NULL)) == NULL) return NT_STATUS_NO_MEMORY; /* don't give away the farm but this is probably ok. The SA_RIGHT_SAM_ENUM_DOMAINS - was observed from a win98 client trying to enumerate users (when configured + was observed from a win98 client trying to enumerate users (when configured user level access control on shares) --jerry */ - + if (des_access == MAXIMUM_ALLOWED_ACCESS) { /* Map to max possible knowing we're filtered below. */ des_access = GENERIC_ALL_ACCESS; 
@@ -2700,152 +3217,143 @@ NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CO se_map_generic( &des_access, &sam_generic_mapping ); info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN); - - info->status = q_u->unknown_0; /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info)) + if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - return r_u->status; + return NT_STATUS_OK; } /******************************************************************* - samr_reply_connect + _samr_Connect2 ********************************************************************/ -NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u) +NTSTATUS _samr_Connect2(pipes_struct *p, + struct samr_Connect2 *r) { struct samr_info *info = NULL; SEC_DESC *psd = NULL; uint32 acc_granted; - uint32 des_access = q_u->access_mask; + uint32 des_access = r->in.access_mask; NTSTATUS nt_status; size_t sd_size; - DEBUG(5,("_samr_connect: %d\n", __LINE__)); + DEBUG(5,("_samr_Connect2: %d\n", __LINE__)); /* Access check */ if (!pipe_access_check(p)) { - DEBUG(3, ("access denied to samr_connect\n")); - r_u->status = NT_STATUS_ACCESS_DENIED; - return r_u->status; + DEBUG(3, ("access denied to _samr_Connect2\n")); + return NT_STATUS_ACCESS_DENIED; } make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); - - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, - NULL, 0, des_access, &acc_granted, "_samr_connect"); - - if ( !NT_STATUS_IS_OK(nt_status) ) - return nt_status; - r_u->status = NT_STATUS_OK; + nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + NULL, 0, des_access, &acc_granted, "_samr_Connect2"); + + if ( !NT_STATUS_IS_OK(nt_status) ) + return nt_status; /* associate the user's 
SID and access granted with the new handle. */ if ((info = get_samr_info_by_sid(NULL)) == NULL) return NT_STATUS_NO_MEMORY; info->acc_granted = acc_granted; - info->status = q_u->access_mask; + info->status = r->in.access_mask; /* this looks so wrong... - gd */ /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info)) + if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - DEBUG(5,("_samr_connect: %d\n", __LINE__)); + DEBUG(5,("_samr_Connect2: %d\n", __LINE__)); - return r_u->status; + return nt_status; } /******************************************************************* - samr_connect4 + _samr_Connect4 ********************************************************************/ -NTSTATUS _samr_connect4(pipes_struct *p, SAMR_Q_CONNECT4 *q_u, SAMR_R_CONNECT4 *r_u) +NTSTATUS _samr_Connect4(pipes_struct *p, + struct samr_Connect4 *r) { struct samr_info *info = NULL; SEC_DESC *psd = NULL; uint32 acc_granted; - uint32 des_access = q_u->access_mask; + uint32 des_access = r->in.access_mask; NTSTATUS nt_status; size_t sd_size; - DEBUG(5,("_samr_connect4: %d\n", __LINE__)); + DEBUG(5,("_samr_Connect4: %d\n", __LINE__)); /* Access check */ if (!pipe_access_check(p)) { - DEBUG(3, ("access denied to samr_connect4\n")); - r_u->status = NT_STATUS_ACCESS_DENIED; - return r_u->status; + DEBUG(3, ("access denied to samr_Connect4\n")); + return NT_STATUS_ACCESS_DENIED; } make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); - - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, - NULL, 0, des_access, &acc_granted, "_samr_connect4"); - - if ( !NT_STATUS_IS_OK(nt_status) ) - return nt_status; - r_u->status = NT_STATUS_OK; + nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + NULL, 0, des_access, &acc_granted, "_samr_Connect4"); + + if ( 
!NT_STATUS_IS_OK(nt_status) ) + return nt_status; /* associate the user's SID and access granted with the new handle. */ if ((info = get_samr_info_by_sid(NULL)) == NULL) return NT_STATUS_NO_MEMORY; info->acc_granted = acc_granted; - info->status = q_u->access_mask; + info->status = r->in.access_mask; /* ??? */ /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info)) + if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - DEBUG(5,("_samr_connect: %d\n", __LINE__)); + DEBUG(5,("_samr_Connect4: %d\n", __LINE__)); - return r_u->status; + return NT_STATUS_OK; } /******************************************************************* - samr_connect5 + _samr_Connect5 ********************************************************************/ -NTSTATUS _samr_connect5(pipes_struct *p, SAMR_Q_CONNECT5 *q_u, SAMR_R_CONNECT5 *r_u) +NTSTATUS _samr_Connect5(pipes_struct *p, + struct samr_Connect5 *r) { struct samr_info *info = NULL; SEC_DESC *psd = NULL; uint32 acc_granted; - uint32 des_access = q_u->access_mask; + uint32 des_access = r->in.access_mask; NTSTATUS nt_status; - POLICY_HND pol; size_t sd_size; + struct samr_ConnectInfo1 info1; - - DEBUG(5,("_samr_connect5: %d\n", __LINE__)); - - ZERO_STRUCTP(r_u); + DEBUG(5,("_samr_Connect5: %d\n", __LINE__)); /* Access check */ if (!pipe_access_check(p)) { - DEBUG(3, ("access denied to samr_connect5\n")); - r_u->status = NT_STATUS_ACCESS_DENIED; - return r_u->status; + DEBUG(3, ("access denied to samr_Connect5\n")); + return NT_STATUS_ACCESS_DENIED; } make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); - - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, - NULL, 0, des_access, &acc_granted, "_samr_connect5"); - - if ( !NT_STATUS_IS_OK(nt_status) ) + + nt_status = access_check_samr_object(psd, 
p->pipe_user.nt_user_token, + NULL, 0, des_access, &acc_granted, "_samr_Connect5"); + + if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; /* associate the user's SID and access granted with the new handle. */ 
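Review bot: _samr_Connect2, _samr_Connect4 and _samr_Connect5 repeat the same pipe_access_check / make_samr_object_sd / access_check_samr_object / create_policy_hnd sequence line for line, and the copies have already drifted. Connect2 ends with `return nt_status;` while Connect4 returns `NT_STATUS_OK`, and the denial messages say `_samr_Connect2` in one and `samr_Connect4` in the other. A static helper taking the function name, the access mask and the output handle, in the style of samr_QueryDomainInfo_internal from this same commit, would keep the access decision in one place. The `info->status = r->in.access_mask` assignment is marked as doubtful by its own comments in both copies and is better settled once in that helper. _samr_Connect5 continues past the end of this hunk.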
@@ -2853,181 +3361,169 @@ NTSTATUS _samr_connect5(pipes_struct *p, SAMR_Q_CONNECT5 *q_u, SAMR_R_CONNECT5 * return NT_STATUS_NO_MEMORY; info->acc_granted = acc_granted; - info->status = q_u->access_mask; + info->status = r->in.access_mask; /* ??? */ /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, &pol, free_samr_info, (void *)info)) + if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - DEBUG(5,("_samr_connect: %d\n", __LINE__)); + DEBUG(5,("_samr_Connect5: %d\n", __LINE__)); - init_samr_r_connect5(r_u, &pol, NT_STATUS_OK); + info1.client_version = SAMR_CONNECT_AFTER_W2K; + info1.unknown2 = 0; - return r_u->status; + *r->out.level_out = 1; + r->out.info_out->info1 = info1; + + return NT_STATUS_OK; } /********************************************************************** - api_samr_lookup_domain + _samr_LookupDomain **********************************************************************/ -NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_LOOKUP_DOMAIN *r_u) +NTSTATUS _samr_LookupDomain(pipes_struct *p, + struct samr_LookupDomain *r) { + NTSTATUS status = NT_STATUS_OK; struct samr_info *info; - fstring domain_name; - DOM_SID sid; - - r_u->status = NT_STATUS_OK; + const char *domain_name; + DOM_SID *sid = NULL; - if (!find_policy_by_hnd(p, &q_u->connect_pol, (void**)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - /* win9x user manager likes to use SA_RIGHT_SAM_ENUM_DOMAINS here. + /* win9x user manager likes to use SA_RIGHT_SAM_ENUM_DOMAINS here. 
Reverted that change so we will work with RAS servers again */ - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, - SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_lookup_domain"))) - { - return r_u->status; + status = access_check_samr_function(info->acc_granted, + SA_RIGHT_SAM_OPEN_DOMAIN, + "_samr_LookupDomain"); + if (!NT_STATUS_IS_OK(status)) { + return status; } - rpcstr_pull(domain_name, q_u->uni_domain.buffer, sizeof(domain_name), q_u->uni_domain.uni_str_len*2, 0); + domain_name = r->in.domain_name->string; - ZERO_STRUCT(sid); + sid = TALLOC_ZERO_P(p->mem_ctx, struct dom_sid2); + if (!sid) { + return NT_STATUS_NO_MEMORY; + } if (strequal(domain_name, builtin_domain_name())) { - sid_copy(&sid, &global_sid_Builtin); + sid_copy(sid, &global_sid_Builtin); } else { - if (!secrets_fetch_domain_sid(domain_name, &sid)) { - r_u->status = NT_STATUS_NO_SUCH_DOMAIN; + if (!secrets_fetch_domain_sid(domain_name, sid)) { + status = NT_STATUS_NO_SUCH_DOMAIN; } } DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name, - sid_string_dbg(&sid))); - - init_samr_r_lookup_domain(r_u, &sid, r_u->status); + sid_string_dbg(sid))); - return r_u->status; -} + *r->out.sid = sid; -/****************************************************************** -makes a SAMR_R_ENUM_DOMAINS structure. 
-********************************************************************/ - -static bool make_enum_domains(TALLOC_CTX *ctx, SAM_ENTRY **pp_sam, - UNISTR2 **pp_uni_name, uint32 num_sam_entries, fstring doms[]) -{ - uint32 i; - SAM_ENTRY *sam; - UNISTR2 *uni_name; - - DEBUG(5, ("make_enum_domains\n")); - - *pp_sam = NULL; - *pp_uni_name = NULL; - - if (num_sam_entries == 0) - return True; - - sam = TALLOC_ZERO_ARRAY(ctx, SAM_ENTRY, num_sam_entries); - uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_sam_entries); - - if (sam == NULL || uni_name == NULL) - return False; - - for (i = 0; i < num_sam_entries; i++) { - init_unistr2(&uni_name[i], doms[i], UNI_FLAGS_NONE); - init_sam_entry(&sam[i], &uni_name[i], 0); - } - - *pp_sam = sam; - *pp_uni_name = uni_name; - - return True; + return status; } /********************************************************************** - api_samr_enum_domains + _samr_EnumDomains **********************************************************************/ -NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_ENUM_DOMAINS *r_u) +NTSTATUS _samr_EnumDomains(pipes_struct *p, + struct samr_EnumDomains *r) { + NTSTATUS status; struct samr_info *info; - uint32 num_entries = 2; - fstring dom[2]; - const char *name; + uint32_t num_entries = 2; + struct samr_SamEntry *entry_array = NULL; + struct samr_SamArray *sam; - r_u->status = NT_STATUS_OK; - - if (!find_policy_by_hnd(p, &q_u->pol, (void**)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_enum_domains"))) { - return r_u->status; - } - name = get_global_sam_name(); + status = access_check_samr_function(info->acc_granted, + SA_RIGHT_SAM_ENUM_DOMAINS, + "_samr_EnumDomains"); + if (!NT_STATUS_IS_OK(status)) { + return status; + } - fstrcpy(dom[0],name); - strupper_m(dom[0]); - 
fstrcpy(dom[1],"Builtin"); + sam = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray); + if (!sam) { + return NT_STATUS_NO_MEMORY; + } - if (!make_enum_domains(p->mem_ctx, &r_u->sam, &r_u->uni_dom_name, num_entries, dom)) + entry_array = TALLOC_ZERO_ARRAY(p->mem_ctx, + struct samr_SamEntry, + num_entries); + if (!entry_array) { return NT_STATUS_NO_MEMORY; + } + + entry_array[0].idx = 0; + init_lsa_String(&entry_array[0].name, get_global_sam_name()); - init_samr_r_enum_domains(r_u, q_u->start_idx + num_entries, num_entries); + entry_array[1].idx = 1; + init_lsa_String(&entry_array[1].name, "Builtin"); - return r_u->status; + sam->count = num_entries; + sam->entries = entry_array; + + *r->out.sam = sam; + *r->out.num_entries = num_entries; + + return status; } /******************************************************************* - api_samr_open_alias + _samr_OpenAlias ********************************************************************/ -NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_ALIAS *r_u) +NTSTATUS _samr_OpenAlias(pipes_struct *p, + struct samr_OpenAlias *r) { DOM_SID sid; - POLICY_HND domain_pol = q_u->dom_pol; - uint32 alias_rid = q_u->rid_alias; - POLICY_HND *alias_pol = &r_u->pol; + POLICY_HND domain_pol = *r->in.domain_handle; + uint32 alias_rid = r->in.rid; + POLICY_HND *alias_pol = r->out.alias_handle; struct samr_info *info = NULL; SEC_DESC *psd = NULL; uint32 acc_granted; - uint32 des_access = q_u->access_mask; + uint32 des_access = r->in.access_mask; size_t sd_size; NTSTATUS status; SE_PRIV se_rights; - r_u->status = NT_STATUS_OK; - /* find the domain policy and get the SID / access bits stored in the domain policy */ - + if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) ) return NT_STATUS_INVALID_HANDLE; - - status = access_check_samr_function(acc_granted, - SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_alias"); - - if ( !NT_STATUS_IS_OK(status) ) + + status = access_check_samr_function(acc_granted, + 
SA_RIGHT_DOMAIN_OPEN_ACCOUNT, + "_samr_OpenAlias"); + + if ( !NT_STATUS_IS_OK(status) ) return status; /* append the alias' RID to it */ - + if (!sid_append_rid(&sid, alias_rid)) return NT_STATUS_NO_SUCH_ALIAS; - + /*check if access can be granted as requested by client. */ - + make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0); se_map_generic(&des_access,&ali_generic_mapping); - + se_priv_copy( &se_rights, &se_add_users ); - - - status = access_check_samr_object(psd, p->pipe_user.nt_user_token, - &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access, - &acc_granted, "_samr_open_alias"); - + + + status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access, + &acc_granted, "_samr_OpenAlias"); + if ( !NT_STATUS_IS_OK(status) ) return status; @@ -3046,7 +3542,7 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A } /* make sure there is a mapping */ - + if ( !sid_to_gid( &sid, &gid ) ) { return NT_STATUS_NO_SUCH_ALIAS; } @@ -3056,23 +3552,24 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A /* associate the alias SID with the new handle. */ if ((info = get_samr_info_by_sid(&sid)) == NULL) return NT_STATUS_NO_MEMORY; - + info->acc_granted = acc_granted; /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, alias_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - return r_u->status; + return NT_STATUS_OK; } /******************************************************************* set_user_info_7 ********************************************************************/ + static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx, - const SAM_USER_INFO_7 *id7, struct samu *pwd) + struct samr_UserInfo7 *id7, + struct samu *pwd) { - fstring new_name; NTSTATUS rc; if (id7 == NULL) { 
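Review bot: In `_samr_LookupDomain` the client-supplied `r->in.domain_name->string` is used without a NULL check, whereas `set_user_info_7` in this same patch tests `id7->account_name.string` before using it. The removed code pulled the name into a fixed `fstring`, so the lookup never saw a null pointer; now the pointer goes straight to `secrets_fetch_domain_sid()` and to the `%s` in the DEBUG call, and whether either tolerates NULL is not visible here. I would add `if (!domain_name) { return NT_STATUS_INVALID_PARAMETER; }` right after the assignment. Separately, on `NT_STATUS_NO_SUCH_DOMAIN` the function still logs "Returning domain sid" and stores the zeroed SID in `*r->out.sid`; a one-line comment saying whether that is intended would help.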
@@ -3081,14 +3578,14 @@ static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx, return NT_STATUS_ACCESS_DENIED; } - if(!rpcstr_pull(new_name, id7->uni_name.buffer, sizeof(new_name), id7->uni_name.uni_str_len*2, 0)) { + if (!id7->account_name.string) { DEBUG(5, ("set_user_info_7: failed to get new username\n")); TALLOC_FREE(pwd); return NT_STATUS_ACCESS_DENIED; } /* check to see if the new username already exists. Note: we can't - reliably lock all backends, so there is potentially the + reliably lock all backends, so there is potentially the possibility that a user can be created in between this check and the rename. The rename should fail, but may not get the exact same failure status code. I think this is small enough @@ -3096,12 +3593,12 @@ static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx, simply that the rename fails with a slightly different status code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */ - rc = can_create(mem_ctx, new_name); + rc = can_create(mem_ctx, id7->account_name.string); if (!NT_STATUS_IS_OK(rc)) { return rc; } - rc = pdb_rename_sam_account(pwd, new_name); + rc = pdb_rename_sam_account(pwd, id7->account_name.string); TALLOC_FREE(pwd); return rc; @@ -3111,16 +3608,17 @@ static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx, set_user_info_16 ********************************************************************/ -static bool set_user_info_16(const SAM_USER_INFO_16 *id16, struct samu *pwd) +static bool set_user_info_16(struct samr_UserInfo16 *id16, + struct samu *pwd) { if (id16 == NULL) { DEBUG(5, ("set_user_info_16: NULL id16\n")); TALLOC_FREE(pwd); return False; } - + /* FIX ME: check if the value is really changed --metze */ - if (!pdb_set_acct_ctrl(pwd, id16->acb_info, PDB_CHANGED)) { + if (!pdb_set_acct_ctrl(pwd, id16->acct_flags, PDB_CHANGED)) { TALLOC_FREE(pwd); return False; } 
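Review bot: The early `return rc;` after `can_create()` fails in `set_user_info_7` leaves `pwd` allocated, while the NULL-argument paths above it and the rename path below it all call `TALLOC_FREE(pwd)`. The caller allocates it with `samu_new(NULL)` and, as far as this page shows, does not free it after the helper returns, so each rejected rename leaks a `struct samu` that still carries the account's password hashes. Suggest `if (!NT_STATUS_IS_OK(rc)) { TALLOC_FREE(pwd); return rc; }`. The same pattern appears in the `set_user_info_21` hunk (`@@ -3224,43 +3723,43 @@`), where the `can_create()` and `pdb_set_unix_primary_group()` failures return without freeing.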
@@ -3139,28 +3637,28 @@ static bool set_user_info_16(const SAM_USER_INFO_16 *id16, struct samu *pwd) set_user_info_18 ********************************************************************/ -static bool set_user_info_18(SAM_USER_INFO_18 *id18, struct samu *pwd) +static bool set_user_info_18(struct samr_UserInfo18 *id18, + struct samu *pwd) { - if (id18 == NULL) { DEBUG(2, ("set_user_info_18: id18 is NULL\n")); TALLOC_FREE(pwd); return False; } - - if (!pdb_set_lanman_passwd (pwd, id18->lm_pwd, PDB_CHANGED)) { + + if (!pdb_set_lanman_passwd (pwd, id18->lm_pwd.hash, PDB_CHANGED)) { TALLOC_FREE(pwd); return False; } - if (!pdb_set_nt_passwd (pwd, id18->nt_pwd, PDB_CHANGED)) { + if (!pdb_set_nt_passwd (pwd, id18->nt_pwd.hash, PDB_CHANGED)) { TALLOC_FREE(pwd); return False; } if (!pdb_set_pass_last_set_time (pwd, time(NULL), PDB_CHANGED)) { TALLOC_FREE(pwd); - return False; + return False; } - + if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { TALLOC_FREE(pwd); return False; @@ -3174,13 +3672,14 @@ static bool set_user_info_18(SAM_USER_INFO_18 *id18, struct samu *pwd) set_user_info_20 ********************************************************************/ -static bool set_user_info_20(SAM_USER_INFO_20 *id20, struct samu *pwd) +static bool set_user_info_20(struct samr_UserInfo20 *id20, + struct samu *pwd) { if (id20 == NULL) { DEBUG(5, ("set_user_info_20: NULL id20\n")); return False; } - + copy_id20_to_sam_passwd(pwd, id20); /* write the change out */ 
@@ -3193,30 +3692,30 @@ static bool set_user_info_20(SAM_USER_INFO_20 *id20, struct samu *pwd) return True; } + /******************************************************************* set_user_info_21 ********************************************************************/ -static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, +static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, + struct samr_UserInfo21 *id21, struct samu *pwd) { - fstring new_name; NTSTATUS status; - + if (id21 == NULL) { DEBUG(5, ("set_user_info_21: NULL id21\n")); return NT_STATUS_INVALID_PARAMETER; } /* we need to separately check for an account rename first */ - - if (rpcstr_pull(new_name, id21->uni_user_name.buffer, - sizeof(new_name), id21->uni_user_name.uni_str_len*2, 0) - && (!strequal(new_name, pdb_get_username(pwd)))) + + if (id21->account_name.string && + (!strequal(id21->account_name.string, pdb_get_username(pwd)))) { /* check to see if the new username already exists. Note: we can't - reliably lock all backends, so there is potentially the + reliably lock all backends, so there is potentially the possibility that a user can be created in between this check and the rename. The rename should fail, but may not get the exact same failure status code. I think this is small enough 
@@ -3224,43 +3723,43 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, simply that the rename fails with a slightly different status code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */ - status = can_create(mem_ctx, new_name); + status = can_create(mem_ctx, id21->account_name.string); if (!NT_STATUS_IS_OK(status)) { return status; } - status = pdb_rename_sam_account(pwd, new_name); + status = pdb_rename_sam_account(pwd, id21->account_name.string); if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("set_user_info_21: failed to rename account: %s\n", + DEBUG(0,("set_user_info_21: failed to rename account: %s\n", nt_errstr(status))); TALLOC_FREE(pwd); return status; } - /* set the new username so that later + /* set the new username so that later functions can work on the new account */ - pdb_set_username(pwd, new_name, PDB_SET); + pdb_set_username(pwd, id21->account_name.string, PDB_SET); } - copy_id21_to_sam_passwd(pwd, id21); - + copy_id21_to_sam_passwd("INFO_21", pwd, id21); + /* * The funny part about the previous two calls is * that pwd still has the password hashes from the * passdb entry. These have not been updated from * id21. I don't know if they need to be set. --jerry */ - + if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) { status = pdb_set_unix_primary_group(mem_ctx, pwd); if ( !NT_STATUS_IS_OK(status) ) { return status; } } - + /* Don't worry about writing out the user account since the - primary group SID is generated solely from the user's Unix + primary group SID is generated solely from the user's Unix primary group. */ /* write the change out */ 
@@ -3278,7 +3777,8 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, set_user_info_23 ********************************************************************/ -static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, +static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, + struct samr_UserInfo23 *id23, struct samu *pwd) { char *plaintext_buf = NULL; @@ -3297,7 +3797,7 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, acct_ctrl = pdb_get_acct_ctrl(pwd); if (!decode_pw_buffer(mem_ctx, - id23->pass, + id23->password.data, &plaintext_buf, &len, STR_UNICODE)) { @@ -3445,18 +3945,19 @@ static bool set_user_info_pw(uint8 *pass, struct samu *pwd) set_user_info_25 ********************************************************************/ -static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx, SAM_USER_INFO_25 *id25, +static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx, + struct samr_UserInfo25 *id25, struct samu *pwd) { NTSTATUS status; - + if (id25 == NULL) { DEBUG(5, ("set_user_info_25: NULL id25\n")); return NT_STATUS_INVALID_PARAMETER; } copy_id25_to_sam_passwd(pwd, id25); - + /* write the change out */ if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) { TALLOC_FREE(pwd); @@ -3477,7 +3978,7 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx, SAM_USER_INFO_25 *id25, return status; } } - + /* WARNING: No TALLOC_FREE(pwd), we are about to set the password * hereafter! */ 
@@ -3485,38 +3986,41 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx, SAM_USER_INFO_25 *id25, } /******************************************************************* - samr_reply_set_userinfo + samr_SetUserInfo_internal ********************************************************************/ -NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_USERINFO *r_u) +static NTSTATUS samr_SetUserInfo_internal(const char *fn_name, + pipes_struct *p, + struct policy_handle *user_handle, + uint16_t level, + union samr_UserInfo *info) { + NTSTATUS status; struct samu *pwd = NULL; DOM_SID sid; - POLICY_HND *pol = &q_u->pol; - uint16 switch_value = q_u->switch_value; - SAM_USERINFO_CTR *ctr = q_u->ctr; - uint32 acc_granted; - uint32 acc_required; + POLICY_HND *pol = user_handle; + uint16_t switch_value = level; + uint32_t acc_granted; + uint32_t acc_required; bool ret; bool has_enough_rights = False; - uint32 acb_info; + uint32_t acb_info; DISP_INFO *disp_info = NULL; - DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__)); - - r_u->status = NT_STATUS_OK; + DEBUG(5,("%s: %d\n", fn_name, __LINE__)); /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) { return NT_STATUS_INVALID_HANDLE; + } - /* This is tricky. A WinXP domain join sets + /* This is tricky. A WinXP domain join sets (SA_RIGHT_USER_SET_PASSWORD|SA_RIGHT_USER_SET_ATTRIBUTES|SA_RIGHT_USER_ACCT_FLAGS_EXPIRY) - The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the - standard Win32 API calls just ask for SA_RIGHT_USER_SET_PASSWORD in the SamrOpenUser(). - This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so + The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the + standard Win32 API calls just ask for SA_RIGHT_USER_SET_PASSWORD in the SamrOpenUser(). 
+ This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so we'll use the set from the WinXP join as the basis. */ - + switch (switch_value) { case 18: case 24: 
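Review bot: The header comment for `samr_SetUserInfo_internal` only repeats the function name, yet this helper now picks the required access mask for both `_samr_SetUserInfo` and `_samr_SetUserInfo2`. The removed `_samr_set_userinfo2` body required just `SA_RIGHT_USER_SET_ATTRIBUTES`; through the shared switch the password levels listed in the comment need only `SA_RIGHT_USER_SET_PASSWORD` and every other level needs all three rights. I would state that in the block comment, e.g. `/* shared by SetUserInfo and SetUserInfo2; required access is chosen per info level, see switch below */`, and confirm that the changed requirement for SetUserInfo2 callers is intended. The function body continues past this hunk.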
@@ -3525,319 +4029,252 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE acc_required = SA_RIGHT_USER_SET_PASSWORD; break; default: - acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY; + acc_required = SA_RIGHT_USER_SET_PASSWORD | + SA_RIGHT_USER_SET_ATTRIBUTES | + SA_RIGHT_USER_ACCT_FLAGS_EXPIRY; break; } - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, + acc_required, + fn_name); + if (!NT_STATUS_IS_OK(status)) { + return status; } - DEBUG(5, ("_samr_set_userinfo: sid:%s, level:%d\n", - sid_string_dbg(&sid), switch_value)); + DEBUG(5, ("%s: sid:%s, level:%d\n", + fn_name, sid_string_dbg(&sid), switch_value)); - if (ctr == NULL) { - DEBUG(5, ("_samr_set_userinfo: NULL info level\n")); + if (info == NULL) { + DEBUG(5, ("%s: NULL info level\n", fn_name)); return NT_STATUS_INVALID_INFO_CLASS; } - - if ( !(pwd = samu_new( NULL )) ) { + + if (!(pwd = samu_new(NULL))) { return NT_STATUS_NO_MEMORY; } - + become_root(); ret = pdb_getsampwsid(pwd, &sid); unbecome_root(); - - if ( !ret ) { + + if (!ret) { TALLOC_FREE(pwd); return NT_STATUS_NO_SUCH_USER; } - + /* deal with machine password changes differently from userinfo changes */ /* check to see if we have the sufficient rights */ - + acb_info = pdb_get_acct_ctrl(pwd); - if ( acb_info & ACB_WSTRUST ) - has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account); - else if ( acb_info & ACB_NORMAL ) - has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); - else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) ) { - if ( lp_enable_privileges() ) - has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); - } - - DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n", + if 
(acb_info & ACB_WSTRUST) + has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token, + &se_machine_account); + else if (acb_info & ACB_NORMAL) + has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token, + &se_add_users); + else if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) { + if (lp_enable_privileges()) { + has_enough_rights = nt_token_check_domain_rid(p->pipe_user.nt_user_token, + DOMAIN_GROUP_RID_ADMINS); + } + } + + DEBUG(5, ("%s: %s does%s possess sufficient rights\n", + fn_name, uidtoname(p->pipe_user.ut.uid), has_enough_rights ? "" : " not")); /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */ - - if ( has_enough_rights ) - become_root(); - + + if (has_enough_rights) { + become_root(); + } + /* ok! user info levels (lots: see MSDEV help), off we go... */ switch (switch_value) { + + case 7: + status = set_user_info_7(p->mem_ctx, + &info->info7, pwd); + break; + + case 16: + if (!set_user_info_16(&info->info16, pwd)) { + status = NT_STATUS_ACCESS_DENIED; + } + break; + case 18: - if (!set_user_info_18(ctr->info.id18, pwd)) - r_u->status = NT_STATUS_ACCESS_DENIED; + /* Used by AS/U JRA. 
*/ + if (!set_user_info_18(&info->info18, pwd)) { + status = NT_STATUS_ACCESS_DENIED; + } break; - case 24: + case 20: + if (!set_user_info_20(&info->info20, pwd)) { + status = NT_STATUS_ACCESS_DENIED; + } + break; + + case 21: + status = set_user_info_21(p->mem_ctx, + &info->info21, pwd); + break; + + case 23: if (!p->session_key.length) { - r_u->status = NT_STATUS_NO_USER_SESSION_KEY; + status = NT_STATUS_NO_USER_SESSION_KEY; } - SamOEMhashBlob(ctr->info.id24->pass, 516, &p->session_key); + SamOEMhashBlob(info->info23.password.data, 516, + &p->session_key); - dump_data(100, ctr->info.id24->pass, 516); + dump_data(100, info->info23.password.data, 516); - if (!set_user_info_pw(ctr->info.id24->pass, pwd)) - r_u->status = NT_STATUS_ACCESS_DENIED; + status = set_user_info_23(p->mem_ctx, + &info->info23, pwd); break; - case 25: + case 24: if (!p->session_key.length) { - r_u->status = NT_STATUS_NO_USER_SESSION_KEY; + status = NT_STATUS_NO_USER_SESSION_KEY; } - encode_or_decode_arc4_passwd_buffer(ctr->info.id25->pass, &p->session_key); + SamOEMhashBlob(info->info24.password.data, + 516, + &p->session_key); - dump_data(100, ctr->info.id25->pass, 532); + dump_data(100, info->info24.password.data, 516); - r_u->status = set_user_info_25(p->mem_ctx, - ctr->info.id25, pwd); - if (!NT_STATUS_IS_OK(r_u->status)) { - goto done; + if (!set_user_info_pw(info->info24.password.data, pwd)) { + status = NT_STATUS_ACCESS_DENIED; } - if (!set_user_info_pw(ctr->info.id25->pass, pwd)) - r_u->status = NT_STATUS_ACCESS_DENIED; break; - case 26: + case 25: if (!p->session_key.length) { - r_u->status = NT_STATUS_NO_USER_SESSION_KEY; + status = NT_STATUS_NO_USER_SESSION_KEY; } - encode_or_decode_arc4_passwd_buffer(ctr->info.id26->pass, &p->session_key); + encode_or_decode_arc4_passwd_buffer(info->info25.password.data, + &p->session_key); - dump_data(100, ctr->info.id26->pass, 516); + dump_data(100, info->info25.password.data, 532); - if (!set_user_info_pw(ctr->info.id26->pass, pwd)) - 
r_u->status = NT_STATUS_ACCESS_DENIED; + status = set_user_info_25(p->mem_ctx, + &info->info25, pwd); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + if (!set_user_info_pw(info->info25.password.data, pwd)) { + status = NT_STATUS_ACCESS_DENIED; + } break; - case 23: + case 26: if (!p->session_key.length) { - r_u->status = NT_STATUS_NO_USER_SESSION_KEY; + status = NT_STATUS_NO_USER_SESSION_KEY; } - SamOEMhashBlob(ctr->info.id23->pass, 516, &p->session_key); + encode_or_decode_arc4_passwd_buffer(info->info26.password.data, + &p->session_key); - dump_data(100, ctr->info.id23->pass, 516); + dump_data(100, info->info26.password.data, 516); - r_u->status = set_user_info_23(p->mem_ctx, - ctr->info.id23, pwd); + if (!set_user_info_pw(info->info26.password.data, pwd)) { + status = NT_STATUS_ACCESS_DENIED; + } break; default: - r_u->status = NT_STATUS_INVALID_INFO_CLASS; + status = NT_STATUS_INVALID_INFO_CLASS; } done: - - if ( has_enough_rights ) + + if (has_enough_rights) { unbecome_root(); - + } + /* ================ END SeMachineAccountPrivilege BLOCK ================ */ - if (NT_STATUS_IS_OK(r_u->status)) { + if (NT_STATUS_IS_OK(status)) { force_flush_samr_cache(disp_info); } - return r_u->status; + return status; } /******************************************************************* - samr_reply_set_userinfo2 + _samr_SetUserInfo ********************************************************************/ -NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SET_USERINFO2 *r_u) +NTSTATUS _samr_SetUserInfo(pipes_struct *p, + struct samr_SetUserInfo *r) { - struct samu *pwd = NULL; - DOM_SID sid; - SAM_USERINFO_CTR *ctr = q_u->ctr; - POLICY_HND *pol = &q_u->pol; - uint16 switch_value = q_u->switch_value; - uint32 acc_granted; - uint32 acc_required; - bool ret; - bool has_enough_rights = False; - uint32 acb_info; - DISP_INFO *disp_info = NULL; - - DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__)); - - r_u->status = NT_STATUS_OK; - - /* find the 
policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) - return NT_STATUS_INVALID_HANDLE; - - -#if 0 /* this really should be applied on a per info level basis --jerry */ - - /* observed when joining XP client to Samba domain */ - acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY; -#else - acc_required = SA_RIGHT_USER_SET_ATTRIBUTES; -#endif - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo2"))) { - return r_u->status; - } - - DEBUG(5, ("samr_reply_set_userinfo2: sid:%s\n", - sid_string_dbg(&sid))); - - if (ctr == NULL) { - DEBUG(5, ("samr_reply_set_userinfo2: NULL info level\n")); - return NT_STATUS_INVALID_INFO_CLASS; - } - - switch_value=ctr->switch_value; - - if ( !(pwd = samu_new( NULL )) ) { - return NT_STATUS_NO_MEMORY; - } - - become_root(); - ret = pdb_getsampwsid(pwd, &sid); - unbecome_root(); - - if ( !ret ) { - TALLOC_FREE(pwd); - return NT_STATUS_NO_SUCH_USER; - } - - acb_info = pdb_get_acct_ctrl(pwd); - if ( acb_info & ACB_WSTRUST ) - has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account); - else if ( acb_info & ACB_NORMAL ) - has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); - else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) ) { - if ( lp_enable_privileges() ) - has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); - } - - DEBUG(5, ("_samr_set_userinfo2: %s does%s possess sufficient rights\n", - uidtoname(p->pipe_user.ut.uid), - has_enough_rights ? "" : " not")); - - /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */ - - if ( has_enough_rights ) - become_root(); - - /* ok! user info levels (lots: see MSDEV help), off we go... 
*/ - - switch (switch_value) { - case 7: - r_u->status = set_user_info_7(p->mem_ctx, - ctr->info.id7, pwd); - break; - case 16: - if (!set_user_info_16(ctr->info.id16, pwd)) - r_u->status = NT_STATUS_ACCESS_DENIED; - break; - case 18: - /* Used by AS/U JRA. */ - if (!set_user_info_18(ctr->info.id18, pwd)) - r_u->status = NT_STATUS_ACCESS_DENIED; - break; - case 20: - if (!set_user_info_20(ctr->info.id20, pwd)) - r_u->status = NT_STATUS_ACCESS_DENIED; - break; - case 21: - r_u->status = set_user_info_21(p->mem_ctx, - ctr->info.id21, pwd); - break; - case 23: - if (!p->session_key.length) { - r_u->status = NT_STATUS_NO_USER_SESSION_KEY; - } - SamOEMhashBlob(ctr->info.id23->pass, 516, &p->session_key); - - dump_data(100, ctr->info.id23->pass, 516); - - r_u->status = set_user_info_23(p->mem_ctx, - ctr->info.id23, pwd); - break; - case 26: - if (!p->session_key.length) { - r_u->status = NT_STATUS_NO_USER_SESSION_KEY; - } - encode_or_decode_arc4_passwd_buffer(ctr->info.id26->pass, &p->session_key); - - dump_data(100, ctr->info.id26->pass, 516); - - if (!set_user_info_pw(ctr->info.id26->pass, pwd)) - r_u->status = NT_STATUS_ACCESS_DENIED; - break; - default: - r_u->status = NT_STATUS_INVALID_INFO_CLASS; - } - - if ( has_enough_rights ) - unbecome_root(); - - /* ================ END SeMachineAccountPrivilege BLOCK ================ */ + return samr_SetUserInfo_internal("_samr_SetUserInfo", + p, + r->in.user_handle, + r->in.level, + r->in.info); +} - if (NT_STATUS_IS_OK(r_u->status)) { - force_flush_samr_cache(disp_info); - } +/******************************************************************* + _samr_SetUserInfo2 + ********************************************************************/ - return r_u->status; +NTSTATUS _samr_SetUserInfo2(pipes_struct *p, + struct samr_SetUserInfo2 *r) +{ + return samr_SetUserInfo_internal("_samr_SetUserInfo2", + p, + r->in.user_handle, + r->in.level, + r->in.info); } /********************************************************************* - 
_samr_query_aliasmem + _samr_GetAliasMembership *********************************************************************/ -NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u) +NTSTATUS _samr_GetAliasMembership(pipes_struct *p, + struct samr_GetAliasMembership *r) { size_t num_alias_rids; uint32 *alias_rids; struct samr_info *info = NULL; size_t i; - + NTSTATUS ntstatus1; NTSTATUS ntstatus2; DOM_SID *members; - r_u->status = NT_STATUS_OK; - - DEBUG(5,("_samr_query_useraliases: %d\n", __LINE__)); + DEBUG(5,("_samr_GetAliasMembership: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - - ntstatus1 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases"); - ntstatus2 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_query_useraliases"); - + + ntstatus1 = access_check_samr_function(info->acc_granted, + SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM, + "_samr_GetAliasMembership"); + ntstatus2 = access_check_samr_function(info->acc_granted, + SA_RIGHT_DOMAIN_OPEN_ACCOUNT, + "_samr_GetAliasMembership"); + if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) { if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) && !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) { return (NT_STATUS_IS_OK(ntstatus1)) ? 
ntstatus2 : ntstatus1; } - } + } if (!sid_check_is_domain(&info->sid) && !sid_check_is_builtin(&info->sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - if (q_u->num_sids1) { - members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, q_u->num_sids1); + if (r->in.sids->num_sids) { + members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, r->in.sids->num_sids); if (members == NULL) return NT_STATUS_NO_MEMORY; @@ -3845,15 +4282,15 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, members = NULL; } - for (i=0; i<q_u->num_sids1; i++) - sid_copy(&members[i], &q_u->sid[i].sid); + for (i=0; i<r->in.sids->num_sids; i++) + sid_copy(&members[i], r->in.sids->sids[i].sid); alias_rids = NULL; num_alias_rids = 0; become_root(); ntstatus1 = pdb_enum_alias_memberships(p->mem_ctx, &info->sid, members, - q_u->num_sids1, + r->in.sids->num_sids, &alias_rids, &num_alias_rids); unbecome_root(); 
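Review bot: In cases 23, 24, 25 and 26 of `samr_SetUserInfo_internal`, an empty `p->session_key` only sets `status = NT_STATUS_NO_USER_SESSION_KEY` and then falls through. The buffer is still passed to `SamOEMhashBlob()` or `encode_or_decode_arc4_passwd_buffer()` with the empty key, and `status` is then overwritten by the setter's result. The error should end the case: `status = NT_STATUS_NO_USER_SESSION_KEY; break;` (the fall-through is carried over from the removed code, not introduced here). The `dump_data(100, ...password.data, ...)` calls also write the just-decoded password buffer to the debug log; I would drop them or move them ahead of the decode step.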
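Review bot: `sid_copy(&members[i], r->in.sids->sids[i].sid)` now dereferences a per-entry pointer taken from the request, where the old `q_u->sid[i].sid` was an embedded structure. If the unmarshalled array can hold a null `sid` entry (not visible here; it depends on the IDL and on how `sid_copy()` treats a null source), the server process would fault on a client-controlled value. A guard inside the loop, `if (!r->in.sids->sids[i].sid) return NT_STATUS_INVALID_PARAMETER;`, would settle it. `_samr_GetAliasMembership` starts in the previous hunk and continues after this one.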
@@ -3861,40 +4298,44 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, return ntstatus1; } - init_samr_r_query_useraliases(r_u, num_alias_rids, alias_rids, - NT_STATUS_OK); + r->out.rids->count = num_alias_rids; + r->out.rids->ids = alias_rids; + return NT_STATUS_OK; } /********************************************************************* - _samr_query_aliasmem + _samr_GetMembersInAlias *********************************************************************/ -NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_QUERY_ALIASMEM *r_u) +NTSTATUS _samr_GetMembersInAlias(pipes_struct *p, + struct samr_GetMembersInAlias *r) { NTSTATUS status; size_t i; size_t num_sids = 0; - DOM_SID2 *sid; - DOM_SID *sids=NULL; + struct lsa_SidPtr *sids = NULL; + DOM_SID *pdb_sids = NULL; DOM_SID alias_sid; uint32 acc_granted; /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = - access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_GET_MEMBERS, "_samr_query_aliasmem"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, + SA_RIGHT_ALIAS_GET_MEMBERS, + "_samr_GetMembersInAlias"); + if (!NT_STATUS_IS_OK(status)) { + return status; } DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid))); become_root(); - status = pdb_enum_aliasmem(&alias_sid, &sids, &num_sids); + status = pdb_enum_aliasmem(&alias_sid, &pdb_sids, &num_sids); unbecome_root(); if (!NT_STATUS_IS_OK(status)) { 
@@ -3902,31 +4343,35 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ } if (num_sids) { - sid = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_SID2, num_sids); - if (sid == NULL) { - SAFE_FREE(sids); + sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr, num_sids); + if (sids == NULL) { + TALLOC_FREE(pdb_sids); return NT_STATUS_NO_MEMORY; } - } else { - sid = NULL; } for (i = 0; i < num_sids; i++) { - init_dom_sid2(&sid[i], &sids[i]); + sids[i].sid = sid_dup_talloc(p->mem_ctx, &pdb_sids[i]); + if (!sids[i].sid) { + TALLOC_FREE(pdb_sids); + return NT_STATUS_NO_MEMORY; + } } - init_samr_r_query_aliasmem(r_u, num_sids, sid, NT_STATUS_OK); + r->out.sids->num_sids = num_sids; + r->out.sids->sids = sids; - TALLOC_FREE(sids); + TALLOC_FREE(pdb_sids); return NT_STATUS_OK; } /********************************************************************* - _samr_query_groupmem + _samr_QueryGroupMember *********************************************************************/ -NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u) +NTSTATUS _samr_QueryGroupMember(pipes_struct *p, + struct samr_QueryGroupMember *r) { DOM_SID group_sid; size_t i, num_members; 
@@ -3936,16 +4381,25 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ uint32 acc_granted; - NTSTATUS result; + NTSTATUS status; + struct samr_RidTypeArray *rids = NULL; + + rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidTypeArray); + if (!rids) { + return NT_STATUS_NO_MEMORY; + } /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_GET_MEMBERS, "_samr_query_groupmem"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, + SA_RIGHT_GROUP_GET_MEMBERS, + "_samr_QueryGroupMember"); + if (!NT_STATUS_IS_OK(status)) { + return status; } - + DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid))); if (!sid_check_is_in_our_domain(&group_sid)) { @@ -3957,12 +4411,12 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ DEBUG(10, ("lookup on Domain SID\n")); become_root(); - result = pdb_enum_group_members(p->mem_ctx, &group_sid, + status = pdb_enum_group_members(p->mem_ctx, &group_sid, &rid, &num_members); unbecome_root(); - if (!NT_STATUS_IS_OK(result)) - return result; + if (!NT_STATUS_IS_OK(status)) + return status; if (num_members) { attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members); 
@@ -3972,81 +4426,93 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ } else { attr = NULL; } - + for (i=0; i<num_members; i++) attr[i] = SID_NAME_USER; - init_samr_r_query_groupmem(r_u, num_members, rid, attr, NT_STATUS_OK); + rids->count = num_members; + rids->types = attr; + rids->rids = rid; + + *r->out.rids = rids; return NT_STATUS_OK; } /********************************************************************* - _samr_add_aliasmem + _samr_AddAliasMember *********************************************************************/ -NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_ADD_ALIASMEM *r_u) +NTSTATUS _samr_AddAliasMember(pipes_struct *p, + struct samr_AddAliasMember *r) { DOM_SID alias_sid; uint32 acc_granted; SE_PRIV se_rights; bool can_add_accounts; - NTSTATUS ret; + NTSTATUS status; DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_ADD_MEMBER, "_samr_add_aliasmem"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, + SA_RIGHT_ALIAS_ADD_MEMBER, + "_samr_AddAliasMember"); + if (!NT_STATUS_IS_OK(status)) { + return status; } - + DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid))); - + se_priv_copy( &se_rights, &se_add_users ); can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ - + if ( can_add_accounts ) become_root(); - - ret = pdb_add_aliasmem(&alias_sid, &q_u->sid.sid); - + + status = pdb_add_aliasmem(&alias_sid, r->in.sid); + if ( can_add_accounts ) unbecome_root(); - + /******** END SeAddUsers BLOCK *********/ - - if (NT_STATUS_IS_OK(ret)) { + + if 
(NT_STATUS_IS_OK(status)) { force_flush_samr_cache(disp_info); } - return ret; + return status; } /********************************************************************* - _samr_del_aliasmem + _samr_DeleteAliasMember *********************************************************************/ -NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DEL_ALIASMEM *r_u) +NTSTATUS _samr_DeleteAliasMember(pipes_struct *p, + struct samr_DeleteAliasMember *r) { DOM_SID alias_sid; uint32 acc_granted; SE_PRIV se_rights; bool can_add_accounts; - NTSTATUS ret; + NTSTATUS status; DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_REMOVE_MEMBER, "_samr_del_aliasmem"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, + SA_RIGHT_ALIAS_REMOVE_MEMBER, + "_samr_DeleteAliasMember"); + if (!NT_STATUS_IS_OK(status)) { + return status; } - + DEBUG(10, ("_samr_del_aliasmem:sid is %s\n", sid_string_dbg(&alias_sid))); 
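Review bot: The DEBUG(10) line left as context at the end of this hunk still prints `_samr_del_aliasmem:sid is`, although the function is now _samr_DeleteAliasMember and the string passed to access_check_samr_function() was renamed. Anyone correlating the access-check log line with the SID log line will be searching for two different names, so rename it too: `DEBUG(10, ("_samr_DeleteAliasMember: sid is %s\n", sid_string_dbg(&alias_sid)));`. The DEBUG(5) in the later _samr_DeleteDomainGroup hunk has a similar slip, `samr_DeleteDomainGroup` without the leading underscore. The body of _samr_DeleteAliasMember continues in the next hunk.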
@@ -4054,30 +4520,32 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ - + if ( can_add_accounts ) become_root(); - ret = pdb_del_aliasmem(&alias_sid, &q_u->sid.sid); - + status = pdb_del_aliasmem(&alias_sid, r->in.sid); + if ( can_add_accounts ) unbecome_root(); - + /******** END SeAddUsers BLOCK *********/ - - if (NT_STATUS_IS_OK(ret)) { + + if (NT_STATUS_IS_OK(status)) { force_flush_samr_cache(disp_info); } - return ret; + return status; } /********************************************************************* - _samr_add_groupmem + _samr_AddGroupMember *********************************************************************/ -NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_ADD_GROUPMEM *r_u) +NTSTATUS _samr_AddGroupMember(pipes_struct *p, + struct samr_AddGroupMember *r) { + NTSTATUS status; DOM_SID group_sid; uint32 group_rid; uint32 acc_granted; @@ -4086,11 +4554,14 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_ADD_MEMBER, "_samr_add_groupmem"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, + SA_RIGHT_GROUP_ADD_MEMBER, + "_samr_AddGroupMember"); + if (!NT_STATUS_IS_OK(status)) { + return status; } DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid))); 
@@ -4104,28 +4575,31 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ - + if ( can_add_accounts ) become_root(); - r_u->status = pdb_add_groupmem(p->mem_ctx, group_rid, q_u->rid); - + status = pdb_add_groupmem(p->mem_ctx, group_rid, r->in.rid); + if ( can_add_accounts ) unbecome_root(); - + /******** END SeAddUsers BLOCK *********/ - + force_flush_samr_cache(disp_info); - return r_u->status; + return status; } /********************************************************************* - _samr_del_groupmem + _samr_DeleteGroupMember *********************************************************************/ -NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DEL_GROUPMEM *r_u) +NTSTATUS _samr_DeleteGroupMember(pipes_struct *p, + struct samr_DeleteGroupMember *r) + { + NTSTATUS status; DOM_SID group_sid; uint32 group_rid; uint32 acc_granted; 
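Review bot: `force_flush_samr_cache(disp_info);` in _samr_AddGroupMember still runs whatever pdb_add_groupmem() returned, while the alias-member functions rewritten in this commit flush only on success. Now that the result is in a local `status`, the same guard fits here: `if (NT_STATUS_IS_OK(status)) { force_flush_samr_cache(disp_info); }`. The end of _samr_DeleteGroupMember, in the hunk that follows pdb_del_groupmem(), has the same unconditional flush. The function starts before this hunk.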
@@ -4134,17 +4608,20 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE DISP_INFO *disp_info = NULL; /* - * delete the group member named q_u->rid + * delete the group member named r->in.rid * who is a member of the sid associated with the handle * the rid is a user's rid as the group is a domain group. */ /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_REMOVE_MEMBER, "_samr_del_groupmem"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, + SA_RIGHT_GROUP_REMOVE_MEMBER, + "_samr_DeleteGroupMember"); + if (!NT_STATUS_IS_OK(status)) { + return status; } if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid, 
@@ -4156,28 +4633,30 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ - + if ( can_add_accounts ) become_root(); - - r_u->status = pdb_del_groupmem(p->mem_ctx, group_rid, q_u->rid); + + status = pdb_del_groupmem(p->mem_ctx, group_rid, r->in.rid); if ( can_add_accounts ) unbecome_root(); - + /******** END SeAddUsers BLOCK *********/ - + force_flush_samr_cache(disp_info); - return r_u->status; + return status; } /********************************************************************* - _samr_delete_dom_user + _samr_DeleteUser *********************************************************************/ -NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAMR_R_DELETE_DOM_USER *r_u ) +NTSTATUS _samr_DeleteUser(pipes_struct *p, + struct samr_DeleteUser *r) { + NTSTATUS status; DOM_SID user_sid; struct samu *sam_pass=NULL; uint32 acc_granted; @@ -4186,16 +4665,19 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM DISP_INFO *disp_info = NULL; bool ret; - DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__)); + DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__)); /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &user_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &user_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_user"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, + STD_RIGHT_DELETE_ACCESS, + "_samr_DeleteUser"); + if (!NT_STATUS_IS_OK(status)) { + return status; } - + if (!sid_check_is_in_our_domain(&user_sid)) return NT_STATUS_CANNOT_DELETE; 
@@ -4209,12 +4691,12 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM unbecome_root(); if( !ret ) { - DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n", + DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n", sid_string_dbg(&user_sid))); TALLOC_FREE(sam_pass); return NT_STATUS_NO_SUCH_USER; } - + acb_info = pdb_get_acct_ctrl(sam_pass); /* For machine accounts it's the SeMachineAccountPrivilege that counts. */ @@ -4222,32 +4704,32 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account ); } else { can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); - } + } /******** BEGIN SeAddUsers BLOCK *********/ - + if ( can_add_accounts ) become_root(); - r_u->status = pdb_delete_user(p->mem_ctx, sam_pass); + status = pdb_delete_user(p->mem_ctx, sam_pass); if ( can_add_accounts ) unbecome_root(); - + /******** END SeAddUsers BLOCK *********/ - - if ( !NT_STATUS_IS_OK(r_u->status) ) { - DEBUG(5,("_samr_delete_dom_user: Failed to delete entry for " + + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(5,("_samr_DeleteUser: Failed to delete entry for " "user %s: %s.\n", pdb_get_username(sam_pass), - nt_errstr(r_u->status))); + nt_errstr(status))); TALLOC_FREE(sam_pass); - return r_u->status; + return status; } TALLOC_FREE(sam_pass); - if (!close_policy_hnd(p, &q_u->user_pol)) + if (!close_policy_hnd(p, r->in.user_handle)) return NT_STATUS_OBJECT_NAME_INVALID; force_flush_samr_cache(disp_info); 
@@ -4256,11 +4738,13 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM } /********************************************************************* - _samr_delete_dom_group + _samr_DeleteDomainGroup *********************************************************************/ -NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, SAMR_R_DELETE_DOM_GROUP *r_u) +NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p, + struct samr_DeleteDomainGroup *r) { + NTSTATUS status; DOM_SID group_sid; uint32 group_rid; uint32 acc_granted; @@ -4268,14 +4752,17 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S bool can_add_accounts; DISP_INFO *disp_info = NULL; - DEBUG(5, ("samr_delete_dom_group: %d\n", __LINE__)); + DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__)); /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_group"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, + STD_RIGHT_DELETE_ACCESS, + "_samr_DeleteDomainGroup"); + if (!NT_STATUS_IS_OK(status)) { + return status; } DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid))); 
@@ -4289,26 +4776,26 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ - + if ( can_add_accounts ) become_root(); - r_u->status = pdb_delete_dom_group(p->mem_ctx, group_rid); + status = pdb_delete_dom_group(p->mem_ctx, group_rid); if ( can_add_accounts ) unbecome_root(); - + /******** END SeAddUsers BLOCK *********/ - - if ( !NT_STATUS_IS_OK(r_u->status) ) { - DEBUG(5,("_samr_delete_dom_group: Failed to delete mapping " + + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping " "entry for group %s: %s\n", sid_string_dbg(&group_sid), - nt_errstr(r_u->status))); - return r_u->status; + nt_errstr(status))); + return status; } - - if (!close_policy_hnd(p, &q_u->group_pol)) + + if (!close_policy_hnd(p, r->in.group_handle)) return NT_STATUS_OBJECT_NAME_INVALID; force_flush_samr_cache(disp_info); @@ -4317,10 +4804,11 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S } /********************************************************************* - _samr_delete_dom_alias + _samr_DeleteDomAlias *********************************************************************/ -NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, SAMR_R_DELETE_DOM_ALIAS *r_u) +NTSTATUS _samr_DeleteDomAlias(pipes_struct *p, + struct samr_DeleteDomAlias *r) { DOM_SID alias_sid; uint32 acc_granted; 
@@ -4329,18 +4817,21 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S NTSTATUS status; DISP_INFO *disp_info = NULL; - DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__)); + DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__)); /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - + /* copy the handle to the outgoing reply */ - memcpy( &r_u->pol, &q_u->alias_pol, sizeof(r_u->pol) ); + memcpy(r->out.alias_handle, r->in.alias_handle, sizeof(r->out.alias_handle)); - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_alias"))) { - return r_u->status; + status = access_check_samr_function(acc_granted, + STD_RIGHT_DELETE_ACCESS, + "_samr_DeleteDomAlias"); + if (!NT_STATUS_IS_OK(status)) { + return status; } DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid))); @@ -4353,29 +4844,29 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S if (!sid_check_is_in_our_domain(&alias_sid)) return NT_STATUS_NO_SUCH_ALIAS; - + DEBUG(10, ("lookup on Local SID\n")); se_priv_copy( &se_rights, &se_add_users ); can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ - + if ( can_add_accounts ) become_root(); /* Have passdb delete the alias */ status = pdb_delete_alias(&alias_sid); - + if ( can_add_accounts ) unbecome_root(); - + /******** END SeAddUsers BLOCK *********/ if ( !NT_STATUS_IS_OK(status)) return status; - if (!close_policy_hnd(p, &q_u->alias_pol)) + if (!close_policy_hnd(p, r->in.alias_handle)) return NT_STATUS_OBJECT_NAME_INVALID; force_flush_samr_cache(disp_info); 
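Review bot: The new `memcpy(r->out.alias_handle, r->in.alias_handle, sizeof(r->out.alias_handle));` measures a pointer, not the handle. Both handles are used as pointers here (they are passed without `&` to memcpy() and to get_lsa_policy_samr_sid()), so only 4 or 8 bytes are copied and the rest of the outgoing handle keeps whatever it held before; the removed line used `sizeof(r_u->pol)`, which was the struct. Use `sizeof(*r->out.alias_handle)`, or a plain struct assignment, `*r->out.alias_handle = *r->in.alias_handle;`. If the generated stub points in and out at the same storage (not visible here), the assignment form also avoids a memcpy() over overlapping memory. _samr_DeleteDomAlias begins in the previous hunk and ends after this one.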
@@ -4384,11 +4875,14 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S } /********************************************************************* - _samr_create_dom_group + _samr_CreateDomainGroup *********************************************************************/ -NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, SAMR_R_CREATE_DOM_GROUP *r_u) +NTSTATUS _samr_CreateDomainGroup(pipes_struct *p, + struct samr_CreateDomainGroup *r) + { + NTSTATUS status; DOM_SID dom_sid; DOM_SID info_sid; const char *name; 
@@ -4399,50 +4893,53 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_GROUP, "_samr_create_dom_group"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, + SA_RIGHT_DOMAIN_CREATE_GROUP, + "_samr_CreateDomainGroup"); + if (!NT_STATUS_IS_OK(status)) { + return status; } - + if (!sid_equal(&dom_sid, get_global_sam_sid())) return NT_STATUS_ACCESS_DENIED; - name = rpcstr_pull_unistr2_talloc(p->mem_ctx, &q_u->uni_acct_desc); + name = r->in.name->string; if (name == NULL) { return NT_STATUS_NO_MEMORY; } - r_u->status = can_create(p->mem_ctx, name); - if (!NT_STATUS_IS_OK(r_u->status)) { - return r_u->status; + status = can_create(p->mem_ctx, name); + if (!NT_STATUS_IS_OK(status)) { + return status; } se_priv_copy( &se_rights, &se_add_users ); can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ - + if ( can_add_accounts ) become_root(); - + /* check that we successfully create the UNIX group */ - - r_u->status = pdb_create_dom_group(p->mem_ctx, name, &r_u->rid); + + status = pdb_create_dom_group(p->mem_ctx, name, r->out.rid); if ( can_add_accounts ) unbecome_root(); - + /******** END SeAddUsers BLOCK *********/ - + /* check if we should bail out here */ - - if ( !NT_STATUS_IS_OK(r_u->status) ) - return r_u->status; - sid_compose(&info_sid, get_global_sam_sid(), r_u->rid); - + if ( !NT_STATUS_IS_OK(status) ) + return status; + + sid_compose(&info_sid, get_global_sam_sid(), *r->out.rid); + if ((info = get_samr_info_by_sid(&info_sid)) == NULL) return 
NT_STATUS_NO_MEMORY; @@ -4451,7 +4948,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S info->acc_granted = GENERIC_RIGHTS_GROUP_ALL_ACCESS; /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info)) + if (!create_policy_hnd(p, r->out.group_handle, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; force_flush_samr_cache(disp_info); @@ -4460,14 +4957,15 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S } /********************************************************************* - _samr_create_dom_alias + _samr_CreateDomAlias *********************************************************************/ -NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, SAMR_R_CREATE_DOM_ALIAS *r_u) +NTSTATUS _samr_CreateDomAlias(pipes_struct *p, + struct samr_CreateDomAlias *r) { DOM_SID dom_sid; DOM_SID info_sid; - fstring name; + const char *name = NULL; struct samr_info *info; uint32 acc_granted; gid_t gid; 
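Review bot: After `name = r->in.name->string;` the `if (name == NULL)` branch still returns NT_STATUS_NO_MEMORY, but nothing is allocated on that path any more. A NULL now presumably means the client sent no name string. Return `NT_STATUS_INVALID_PARAMETER` there, so a malformed request is not reported to the caller, or recorded in logs, as memory exhaustion. A short comment such as `/* name comes straight from the request; may be NULL */` above the check would keep the reason visible. _samr_CreateDomainGroup starts before this hunk and continues in the following ones.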
@@ -4477,17 +4975,20 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_ALIAS, "_samr_create_alias"))) { - return r_u->status; + + result = access_check_samr_function(acc_granted, + SA_RIGHT_DOMAIN_CREATE_ALIAS, + "_samr_CreateDomAlias"); + if (!NT_STATUS_IS_OK(result)) { + return result; } - + if (!sid_equal(&dom_sid, get_global_sam_sid())) return NT_STATUS_ACCESS_DENIED; - unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)); + name = r->in.alias_name->string; se_priv_copy( &se_rights, &se_add_users ); can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); @@ -4498,16 +4999,16 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S } /******** BEGIN SeAddUsers BLOCK *********/ - + if ( can_add_accounts ) become_root(); /* Have passdb create the alias */ - result = pdb_create_alias(name, &r_u->rid); + result = pdb_create_alias(name, r->out.rid); if ( can_add_accounts ) unbecome_root(); - + /******** END SeAddUsers BLOCK *********/ if (!NT_STATUS_IS_OK(result)) { @@ -4517,7 +5018,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S } sid_copy(&info_sid, get_global_sam_sid()); - sid_append_rid(&info_sid, r_u->rid); + sid_append_rid(&info_sid, *r->out.rid); if (!sid_to_gid(&info_sid, &gid)) { DEBUG(10, ("Could not find alias just created\n")); 
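Review bot: `name = r->in.alias_name->string;` is used without a NULL check, whereas the removed unistr2_to_ascii() call always left a terminated buffer in the old `fstring name`. The pointer is later passed to pdb_create_alias() inside the become_root() section, and whether that call tolerates NULL is not visible in these hunks. Add `if (name == NULL) return NT_STATUS_INVALID_PARAMETER;` directly after the assignment, in line with the NULL test _samr_CreateDomainGroup makes on its own name. The function body starts before this hunk and continues after it.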
@@ -4539,7 +5040,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S info->acc_granted = GENERIC_RIGHTS_ALIAS_ALL_ACCESS; /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, &r_u->alias_pol, free_samr_info, (void *)info)) + if (!create_policy_hnd(p, r->out.alias_handle, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; force_flush_samr_cache(disp_info); 
@@ -4548,68 +5049,81 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S } /********************************************************************* - _samr_query_groupinfo - -sends the name/comment pair of a domain group -level 1 send also the number of users of that group + _samr_QueryGroupInfo *********************************************************************/ -NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_R_QUERY_GROUPINFO *r_u) +NTSTATUS _samr_QueryGroupInfo(pipes_struct *p, + struct samr_QueryGroupInfo *r) { + NTSTATUS status; DOM_SID group_sid; GROUP_MAP map; - GROUP_INFO_CTR *ctr; + union samr_GroupInfo *info = NULL; uint32 acc_granted; bool ret; + uint32_t attributes = SE_GROUP_MANDATORY | + SE_GROUP_ENABLED_BY_DEFAULT | + SE_GROUP_ENABLED; + const char *group_name = NULL; + const char *group_description = NULL; - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_LOOKUP_INFO, "_samr_query_groupinfo"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, + SA_RIGHT_GROUP_LOOKUP_INFO, + "_samr_QueryGroupInfo"); + if (!NT_STATUS_IS_OK(status)) { + return status; } - + become_root(); ret = get_domain_group_from_sid(group_sid, &map); unbecome_root(); if (!ret) return NT_STATUS_INVALID_HANDLE; - ctr=TALLOC_ZERO_P(p->mem_ctx, GROUP_INFO_CTR); - if (ctr==NULL) + /* FIXME: map contains fstrings */ + group_name = talloc_strdup(r, map.nt_name); + group_description = talloc_strdup(r, map.comment); + + info = TALLOC_ZERO_P(p->mem_ctx, union samr_GroupInfo); + if (!info) { return NT_STATUS_NO_MEMORY; + } - switch (q_u->switch_level) { + switch (r->in.level) { case 1: { uint32 *members; size_t num_members; - ctr->switch_value1 = 1; - 
become_root(); - r_u->status = pdb_enum_group_members( + status = pdb_enum_group_members( p->mem_ctx, &group_sid, &members, &num_members); unbecome_root(); - - if (!NT_STATUS_IS_OK(r_u->status)) { - return r_u->status; + + if (!NT_STATUS_IS_OK(status)) { + return status; } - init_samr_group_info1(&ctr->group.info1, map.nt_name, - map.comment, num_members); + init_samr_group_info1(&info->all, + group_name, + attributes, + num_members, + group_description); break; } case 2: - ctr->switch_value1 = 2; - init_samr_group_info2(&ctr->group.info2, map.nt_name); + init_samr_group_info2(&info->name, + group_name); break; case 3: - ctr->switch_value1 = 3; - init_samr_group_info3(&ctr->group.info3); + init_samr_group_info3(&info->attributes, + attributes); break; case 4: - ctr->switch_value1 = 4; - init_samr_group_info4(&ctr->group.info4, map.comment); + init_samr_group_info4(&info->description, + group_description); break; case 5: { /* 
@@ -4617,69 +5131,70 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM size_t num_members; */ - ctr->switch_value1 = 5; - /* become_root(); - r_u->status = pdb_enum_group_members( + status = pdb_enum_group_members( p->mem_ctx, &group_sid, &members, &num_members); unbecome_root(); - - if (!NT_STATUS_IS_OK(r_u->status)) { - return r_u->status; + + if (!NT_STATUS_IS_OK(status)) { + return status; } */ - init_samr_group_info5(&ctr->group.info5, map.nt_name, - map.comment, 0 /* num_members */); /* in w2k3 this is always 0 */ + init_samr_group_info5(&info->all2, + group_name, + attributes, + 0, /* num_members - in w2k3 this is always 0 */ + group_description); + break; } default: return NT_STATUS_INVALID_INFO_CLASS; } - init_samr_r_query_groupinfo(r_u, ctr, NT_STATUS_OK); + *r->out.info = info; return NT_STATUS_OK; } /********************************************************************* - _samr_set_groupinfo - - update a domain group's comment. + _samr_SetGroupInfo *********************************************************************/ -NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SET_GROUPINFO *r_u) +NTSTATUS _samr_SetGroupInfo(pipes_struct *p, + struct samr_SetGroupInfo *r) { DOM_SID group_sid; GROUP_MAP map; - GROUP_INFO_CTR *ctr; uint32 acc_granted; - NTSTATUS ret; - bool result; + NTSTATUS status; + bool ret; bool can_mod_accounts; DISP_INFO *disp_info = NULL; - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_SET_INFO, "_samr_set_groupinfo"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, + SA_RIGHT_GROUP_SET_INFO, + "_samr_SetGroupInfo"); + if (!NT_STATUS_IS_OK(status)) { + return status; } become_root(); - result = 
get_domain_group_from_sid(group_sid, &map); + ret = get_domain_group_from_sid(group_sid, &map); unbecome_root(); - if (!result) + if (!ret) return NT_STATUS_NO_SUCH_GROUP; - - ctr=q_u->ctr; - switch (ctr->switch_value1) { + switch (r->in.level) { case 1: - unistr2_to_ascii(map.comment, &(ctr->group.info1.uni_acct_desc), sizeof(map.comment)); + fstrcpy(map.comment, r->in.info->all.description.string); break; case 4: - unistr2_to_ascii(map.comment, &(ctr->group.info4.uni_acct_desc), sizeof(map.comment)); + fstrcpy(map.comment, r->in.info->description.string); break; default: return NT_STATUS_INVALID_INFO_CLASS; 
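Review bot: Both `fstrcpy(map.comment, ...)` calls in _samr_SetGroupInfo copy a string pointer from the request without testing it, while the ALIASINFODESCRIPTION case of _samr_SetAliasInfo in this same commit checks `r->in.info->description.string` and falls back to `""`. Whether fstrcpy() copes with a NULL source is not visible here, so apply the same guard in both cases, e.g. `fstrcpy(map.comment, r->in.info->description.string ? r->in.info->description.string : "");` for level 4 and the equivalent on `all.description.string` for level 1. The rest of _samr_SetGroupInfo, including the privileged pdb_update_group_mapping_entry() call, is in the next hunk.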
@@ -4691,45 +5206,44 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ if ( can_mod_accounts ) become_root(); - - ret = pdb_update_group_mapping_entry(&map); + + status = pdb_update_group_mapping_entry(&map); if ( can_mod_accounts ) unbecome_root(); /******** End SeAddUsers BLOCK *********/ - if (NT_STATUS_IS_OK(ret)) { + if (NT_STATUS_IS_OK(status)) { force_flush_samr_cache(disp_info); } - return ret; + return status; } /********************************************************************* - _samr_set_aliasinfo - - update an alias's comment. + _samr_SetAliasInfo *********************************************************************/ -NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_SET_ALIASINFO *r_u) +NTSTATUS _samr_SetAliasInfo(pipes_struct *p, + struct samr_SetAliasInfo *r) { DOM_SID group_sid; struct acct_info info; - ALIAS_INFO_CTR *ctr; uint32 acc_granted; bool can_mod_accounts; NTSTATUS status; DISP_INFO *disp_info = NULL; - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_SET_INFO, "_samr_set_aliasinfo"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, + SA_RIGHT_ALIAS_SET_INFO, + "_samr_SetAliasInfo"); + if (!NT_STATUS_IS_OK(status)) { + return status; } - - ctr=&q_u->ctr; /* get the current group information */ 
@@ -4740,13 +5254,13 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ if ( !NT_STATUS_IS_OK(status)) return status; - switch (ctr->level) { - case 2: + switch (r->in.level) { + case ALIASINFONAME: { - fstring group_name, acct_name; + fstring group_name; /* We currently do not support renaming groups in the - the BUILTIN domain. Refer to util_builtin.c to understand + the BUILTIN domain. Refer to util_builtin.c to understand why. The eventually needs to be fixed to be like Windows where you can rename builtin groups, just not delete them */ 
@@ -4756,37 +5270,33 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ /* There has to be a valid name (and it has to be different) */ - if ( !ctr->alias.info2.name.string ) + if ( !r->in.info->name.string ) return NT_STATUS_INVALID_PARAMETER; - unistr2_to_ascii( acct_name, ctr->alias.info2.name.string, - sizeof(acct_name)); - /* If the name is the same just reply "ok". Yes this doesn't allow you to change the case of a group name. */ - if ( strequal( acct_name, info.acct_name ) ) + if ( strequal( r->in.info->name.string, info.acct_name ) ) return NT_STATUS_OK; - fstrcpy( info.acct_name, acct_name ); + fstrcpy( info.acct_name, r->in.info->name.string); - /* make sure the name doesn't already exist as a user + /* make sure the name doesn't already exist as a user or local group */ fstr_sprintf( group_name, "%s\\%s", global_myname(), info.acct_name ); status = can_create( p->mem_ctx, group_name ); - if ( !NT_STATUS_IS_OK( status ) ) + if ( !NT_STATUS_IS_OK( status ) ) return status; break; } - case 3: - if ( ctr->alias.info3.description.string ) { - unistr2_to_ascii( info.acct_desc, - ctr->alias.info3.description.string, - sizeof(info.acct_desc)); - } - else + case ALIASINFODESCRIPTION: + if (r->in.info->description.string) { + fstrcpy(info.acct_desc, + r->in.info->description.string); + } else { fstrcpy( info.acct_desc, "" ); + } break; default: return NT_STATUS_INVALID_INFO_CLASS; 
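Review bot: A client-supplied alias name longer than `info.acct_name` is silently truncated by `fstrcpy( info.acct_name, r->in.info->name.string)`, while the "same name" test just above it compares the untruncated wire string, so the name that reaches `can_create()` and the store can differ from the one that was compared. Assuming `acct_name` is a fixed-size array, as the `fstrcpy` suggests, reject empty and over-long names before the `strequal` call: `if (r->in.info->name.string[0] == '\0' || strlen(r->in.info->name.string) >= sizeof(info.acct_name)) return NT_STATUS_INVALID_PARAMETER;`. The group-info switch earlier in the diff has the same silent truncation in `fstrcpy(map.comment, r->in.info->all.description.string)`, and unlike the `ALIASINFODESCRIPTION` case here it relies on `fstrcpy` tolerating a NULL source. The switch statement begins outside this hunk.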
@@ -4812,32 +5322,35 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ return status; } -/********************************************************************* - _samr_get_dom_pwinfo -*********************************************************************/ +/**************************************************************** + _samr_GetDomPwInfo +****************************************************************/ -NTSTATUS _samr_get_dom_pwinfo(pipes_struct *p, SAMR_Q_GET_DOM_PWINFO *q_u, SAMR_R_GET_DOM_PWINFO *r_u) +NTSTATUS _samr_GetDomPwInfo(pipes_struct *p, + struct samr_GetDomPwInfo *r) { /* Perform access check. Since this rpc does not require a policy handle it will not be caught by the access checks on SAMR_CONNECT or SAMR_CONNECT_ANON. */ if (!pipe_access_check(p)) { - DEBUG(3, ("access denied to samr_get_dom_pwinfo\n")); - r_u->status = NT_STATUS_ACCESS_DENIED; - return r_u->status; + DEBUG(3, ("access denied to _samr_GetDomPwInfo\n")); + return NT_STATUS_ACCESS_DENIED; } /* Actually, returning zeros here works quite well :-). */ + ZERO_STRUCTP(r->out.info); return NT_STATUS_OK; } /********************************************************************* - _samr_open_group + _samr_OpenGroup *********************************************************************/ -NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_GROUP *r_u) +NTSTATUS _samr_OpenGroup(pipes_struct *p, + struct samr_OpenGroup *r) + { DOM_SID sid; DOM_SID info_sid; 
@@ -4845,50 +5358,51 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G struct samr_info *info; SEC_DESC *psd = NULL; uint32 acc_granted; - uint32 des_access = q_u->access_mask; + uint32 des_access = r->in.access_mask; size_t sd_size; NTSTATUS status; fstring sid_string; bool ret; SE_PRIV se_rights; - if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - - status = access_check_samr_function(acc_granted, - SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_group"); - + + status = access_check_samr_function(acc_granted, + SA_RIGHT_DOMAIN_OPEN_ACCOUNT, + "_samr_OpenGroup"); + if ( !NT_STATUS_IS_OK(status) ) return status; - + /*check if access can be granted as requested by client. */ make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0); se_map_generic(&des_access,&grp_generic_mapping); se_priv_copy( &se_rights, &se_add_users ); - status = access_check_samr_object(psd, p->pipe_user.nt_user_token, - &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access, - &acc_granted, "_samr_open_group"); - - if ( !NT_STATUS_IS_OK(status) ) + status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access, + &acc_granted, "_samr_OpenGroup"); + + if ( !NT_STATUS_IS_OK(status) ) return status; /* this should not be hard-coded like this */ - + if (!sid_equal(&sid, get_global_sam_sid())) return NT_STATUS_ACCESS_DENIED; sid_copy(&info_sid, get_global_sam_sid()); - sid_append_rid(&info_sid, q_u->rid_group); + sid_append_rid(&info_sid, r->in.rid); sid_to_fstring(sid_string, &info_sid); if ((info = get_samr_info_by_sid(&info_sid)) == NULL) return NT_STATUS_NO_MEMORY; - + info->acc_granted = acc_granted; - DEBUG(10, ("_samr_open_group:Opening SID: %s\n", sid_string)); + DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n", sid_string)); /* check if that group 
really exists */ become_root(); 
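Review bot: The `info` object obtained from `get_samr_info_by_sid(&info_sid)` is not visibly released on the failure returns in the next hunk (`return NT_STATUS_NO_SUCH_GROUP;` and the `create_policy_hnd` failure), so repeated opens of RIDs that do not exist would let allocations accumulate in the server process. Unless the allocation is tied to a context that is freed elsewhere, which these lines do not show, release it before each early return, e.g. `free_samr_info(info); return NT_STATUS_NO_SUCH_GROUP;`. The existence check itself sits between the two hunks, and `_samr_OpenGroup` starts in the previous hunk.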
@@ -4898,46 +5412,46 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G return NT_STATUS_NO_SUCH_GROUP; /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info)) + if (!create_policy_hnd(p, r->out.group_handle, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; return NT_STATUS_OK; } /********************************************************************* - _samr_remove_sid_foreign_domain + _samr_RemoveMemberFromForeignDomain *********************************************************************/ -NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, - SAMR_Q_REMOVE_SID_FOREIGN_DOMAIN *q_u, - SAMR_R_REMOVE_SID_FOREIGN_DOMAIN *r_u) +NTSTATUS _samr_RemoveMemberFromForeignDomain(pipes_struct *p, + struct samr_RemoveMemberFromForeignDomain *r) { DOM_SID delete_sid, domain_sid; uint32 acc_granted; NTSTATUS result; DISP_INFO *disp_info = NULL; - sid_copy( &delete_sid, &q_u->sid.sid ); + sid_copy( &delete_sid, r->in.sid ); - DEBUG(5,("_samr_remove_sid_foreign_domain: removing SID [%s]\n", + DEBUG(5,("_samr_RemoveMemberFromForeignDomain: removing SID [%s]\n", sid_string_dbg(&delete_sid))); /* Find the policy handle. Open a policy on it. 
*/ - if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &domain_sid, - &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &domain_sid, + &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - - result = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, - "_samr_remove_sid_foreign_domain"); - - if (!NT_STATUS_IS_OK(result)) + + result = access_check_samr_function(acc_granted, + STD_RIGHT_DELETE_ACCESS, + "_samr_RemoveMemberFromForeignDomain"); + + if (!NT_STATUS_IS_OK(result)) return result; - - DEBUG(8, ("_samr_remove_sid_foreign_domain:sid is %s\n", + + DEBUG(8, ("_samr_RemoveMemberFromForeignDomain: sid is %s\n", sid_string_dbg(&domain_sid))); - /* we can only delete a user from a group since we don't have + /* we can only delete a user from a group since we don't have nested groups anyways. So in the latter case, just say OK */ /* TODO: The above comment nowadays is bogus. Since we have nested @@ -4952,7 +5466,7 @@ NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, * other cases. */ if (!sid_check_is_builtin(&domain_sid)) { - DEBUG(1,("_samr_remove_sid_foreign_domain: domain_sid = %s, " + DEBUG(1,("_samr_RemoveMemberFromForeignDomain: domain_sid = %s, " "global_sam_sid() = %s\n", sid_string_dbg(&domain_sid), sid_string_dbg(get_global_sam_sid()))); 
@@ -4968,68 +5482,52 @@ NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, } /******************************************************************* - _samr_query_domain_info2 + _samr_QueryDomainInfo2 ********************************************************************/ -NTSTATUS _samr_query_domain_info2(pipes_struct *p, - SAMR_Q_QUERY_DOMAIN_INFO2 *q_u, - SAMR_R_QUERY_DOMAIN_INFO2 *r_u) +NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p, + struct samr_QueryDomainInfo2 *r) { - SAMR_Q_QUERY_DOMAIN_INFO q; - SAMR_R_QUERY_DOMAIN_INFO r; - - ZERO_STRUCT(q); - ZERO_STRUCT(r); - - DEBUG(5,("_samr_query_domain_info2: %d\n", __LINE__)); - - q.domain_pol = q_u->domain_pol; - q.switch_value = q_u->switch_value; - - r_u->status = _samr_query_domain_info(p, &q, &r); - - r_u->ptr_0 = r.ptr_0; - r_u->switch_value = r.switch_value; - r_u->ctr = r.ctr; - - return r_u->status; + return samr_QueryDomainInfo_internal("_samr_QueryDomainInfo2", + p, + r->in.domain_handle, + r->in.level, + r->out.info); } /******************************************************************* - _samr_set_dom_info + _samr_SetDomainInfo ********************************************************************/ -NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R_SET_DOMAIN_INFO *r_u) +NTSTATUS _samr_SetDomainInfo(pipes_struct *p, + struct samr_SetDomainInfo *r) { time_t u_expire, u_min_age; time_t u_logout; time_t u_lock_duration, u_reset_time; - r_u->status = NT_STATUS_OK; - - DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__)); + DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__)); /* find the policy handle. open a policy on it. 
*/ - if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL)) + if (!find_policy_by_hnd(p, r->in.domain_handle, NULL)) return NT_STATUS_INVALID_HANDLE; - DEBUG(5,("_samr_set_dom_info: switch_value: %d\n", q_u->switch_value)); + DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level)); - switch (q_u->switch_value) { + switch (r->in.level) { case 0x01: - u_expire=nt_time_to_unix_abs(&q_u->ctr->info.inf1.expire); - u_min_age=nt_time_to_unix_abs(&q_u->ctr->info.inf1.min_passwordage); - - pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password); - pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history); - pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.password_properties); + u_expire=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.max_password_age); + u_min_age=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.min_password_age); + pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)r->in.info->info1.min_password_length); + pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)r->in.info->info1.password_history_length); + pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)r->in.info->info1.password_properties); pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire); pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age); break; case 0x02: break; case 0x03: - u_logout=nt_time_to_unix_abs(&q_u->ctr->info.inf3.logout); + u_logout=nt_time_to_unix_abs((NTTIME *)&r->in.info->info3.force_logoff_time); pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout); break; case 0x05: 
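Review bot: `_samr_SetDomainInfo` only verifies that the handle exists (`find_policy_by_hnd(p, r->in.domain_handle, NULL)`) and then writes password and lockout policy, without checking the access mask that was granted on that handle. The other setters touched by this diff (for example `_samr_SetAliasInfo`) resolve the handle with `get_lsa_policy_samr_sid()` and call `access_check_samr_function()` before changing anything; the same pattern belongs here, using the domain set-info right that matches the requested level. The function body continues in the next hunk, so the check has to sit before the `switch (r->in.level)` shown here.

```c
	DOM_SID sid;
	uint32 acc_granted;
	NTSTATUS status;

	/* … unchanged: entry DEBUG … */

	if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL))
		return NT_STATUS_INVALID_HANDLE;

	/* SAMR_DOMAIN_SET_INFO_RIGHT_PLACEHOLDER: stands for the project's
	   domain set-info access bit(s) appropriate to r->in.level */
	status = access_check_samr_function(acc_granted,
					    SAMR_DOMAIN_SET_INFO_RIGHT_PLACEHOLDER,
					    "_samr_SetDomainInfo");
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	/* … unchanged: level switch and pdb_set_account_policy calls … */
```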
@@ -5039,23 +5537,201 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R case 0x07: break; case 0x0c: - u_lock_duration=nt_time_to_unix_abs(&q_u->ctr->info.inf12.duration); + u_lock_duration=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_duration); if (u_lock_duration != -1) u_lock_duration /= 60; - u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count)/60; - + u_reset_time=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_window)/60; + pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration); pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time); - pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout); + pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)r->in.info->info12.lockout_threshold); break; default: return NT_STATUS_INVALID_INFO_CLASS; } - init_samr_r_set_domain_info(r_u, NT_STATUS_OK); + DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__)); + + return NT_STATUS_OK; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_Shutdown(pipes_struct *p, + struct samr_Shutdown *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_CreateUser(pipes_struct *p, + struct samr_CreateUser *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p, + struct samr_SetMemberAttributesOfGroup *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** 
+****************************************************************/ + +NTSTATUS _samr_ChangePasswordUser(pipes_struct *p, + struct samr_ChangePasswordUser *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p, + struct samr_GetDisplayEnumerationIndex *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} - DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__)); +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_TestPrivateFunctionsDomain(pipes_struct *p, + struct samr_TestPrivateFunctionsDomain *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p, + struct samr_TestPrivateFunctionsUser *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} - return r_u->status; +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_QueryUserInfo2(pipes_struct *p, + struct samr_QueryUserInfo2 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_GetDisplayEnumerationIndex2(pipes_struct *p, + struct samr_GetDisplayEnumerationIndex2 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS 
_samr_AddMultipleMembersToAlias(pipes_struct *p, + struct samr_AddMultipleMembersToAlias *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_RemoveMultipleMembersFromAlias(pipes_struct *p, + struct samr_RemoveMultipleMembersFromAlias *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p, + struct samr_OemChangePasswordUser2 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_SetBootKeyInformation(pipes_struct *p, + struct samr_SetBootKeyInformation *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_GetBootKeyInformation(pipes_struct *p, + struct samr_GetBootKeyInformation *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_Connect3(pipes_struct *p, + struct samr_Connect3 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_RidToSid(pipes_struct *p, + struct samr_RidToSid *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + 
+/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_SetDsrmPassword(pipes_struct *p, + struct samr_SetDsrmPassword *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_ValidatePassword(pipes_struct *p, + struct samr_ValidatePassword *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; } diff --git a/source3/rpc_server/srv_samr_util.c b/source3/rpc_server/srv_samr_util.c index bde7936343..688d72064f 100644 --- a/source3/rpc_server/srv_samr_util.c +++ b/source3/rpc_server/srv_samr_util.c @@ -1,22 +1,23 @@ -/* +/* Unix SMB/CIFS implementation. SAMR Pipe utility functions. - + Copyright (C) Luke Kenneth Casson Leighton 1996-1998 Copyright (C) Gerald (Jerry) Carter 2000-2001 Copyright (C) Andrew Bartlett 2001-2002 Copyright (C) Stefan (metze) Metzmacher 2002 - + Copyright (C) Guenther Deschner 2008 + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ 
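Review bot: In the `0x0c` case the lockout window is divided unconditionally, `u_reset_time=nt_time_to_unix_abs(...)/60`, while the lockout duration just above it is guarded with `if (u_lock_duration != -1)`. If `nt_time_to_unix_abs` returns -1 as a sentinel, as that guard implies, the window becomes `-1/60 == 0` and a different lockout policy is stored than the one the client sent. Apply the same guard: `u_reset_time = nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_window);` followed by `if (u_reset_time != -1) u_reset_time /= 60;`. The results of the `pdb_set_account_policy()` calls are also discarded before `NT_STATUS_OK` is returned, which is worth checking if that function reports failure. The switch starts in the previous hunk.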
@@ -35,682 +36,340 @@ ((s1) && (s2) && (strcmp((s1), (s2)) != 0)) /************************************************************* - Copies a SAM_USER_INFO_20 to a struct samu + Copies a struct samr_UserInfo20 to a struct samu **************************************************************/ -void copy_id20_to_sam_passwd(struct samu *to, SAM_USER_INFO_20 *from) +void copy_id20_to_sam_passwd(struct samu *to, + struct samr_UserInfo20 *from) { const char *old_string; char *new_string; DATA_BLOB mung; - if (from == NULL || to == NULL) + if (from == NULL || to == NULL) { return; - - if (from->hdr_munged_dial.buffer) { + } + + if (from->parameters.string) { old_string = pdb_get_munged_dial(to); - mung.length = from->hdr_munged_dial.uni_str_len; - mung.data = (uint8 *) from->uni_munged_dial.buffer; + mung.length = from->parameters.length; + mung.data = (uint8_t *)from->parameters.string; mung.free = NULL; new_string = (mung.length == 0) ? - NULL : base64_encode_data_blob(mung); - DEBUG(10,("INFO_20 UNI_MUNGED_DIAL: %s -> %s\n",old_string, new_string)); - if (STRING_CHANGED_NC(old_string,new_string)) - pdb_set_munged_dial(to , new_string, PDB_CHANGED); + NULL : base64_encode_data_blob(talloc_tos(), mung); + DEBUG(10,("INFO_20 PARAMETERS: %s -> %s\n", + old_string, new_string)); + if (STRING_CHANGED_NC(old_string,new_string)) { + pdb_set_munged_dial(to, new_string, PDB_CHANGED); + } TALLOC_FREE(new_string); } } /************************************************************* - Copies a SAM_USER_INFO_21 to a struct samu + Copies a struct samr_UserInfo21 to a struct samu **************************************************************/ -void copy_id21_to_sam_passwd(struct samu *to, SAM_USER_INFO_21 *from) +void copy_id21_to_sam_passwd(const char *log_prefix, + struct samu *to, + struct samr_UserInfo21 *from) { time_t unix_time, stored_time; const char *old_string, *new_string; DATA_BLOB mung; + const char *l; - if (from == NULL || to == NULL) + if (from == NULL || to == NULL) { 
return; + } + + if (log_prefix) { + l = log_prefix; + } else { + l = "INFO_21"; + } - if (from->fields_present & ACCT_LAST_LOGON) { - unix_time=nt_time_to_unix(from->logon_time); + if (from->fields_present & SAMR_FIELD_LAST_LOGON) { + unix_time = nt_time_to_unix(from->last_logon); stored_time = pdb_get_logon_time(to); - DEBUG(10,("INFO_21 LOGON_TIME: %lu -> %lu\n",(long unsigned int)stored_time, (long unsigned int)unix_time)); - if (stored_time != unix_time) + DEBUG(10,("%s SAMR_FIELD_LAST_LOGON: %lu -> %lu\n", l, + (long unsigned int)stored_time, + (long unsigned int)unix_time)); + if (stored_time != unix_time) { pdb_set_logon_time(to, unix_time, PDB_CHANGED); + } } - if (from->fields_present & ACCT_LAST_LOGOFF) { - unix_time=nt_time_to_unix(from->logoff_time); + if (from->fields_present & SAMR_FIELD_LAST_LOGOFF) { + unix_time = nt_time_to_unix(from->last_logoff); stored_time = pdb_get_logoff_time(to); - DEBUG(10,("INFO_21 LOGOFF_TIME: %lu -> %lu\n",(long unsigned int)stored_time, (long unsigned int)unix_time)); - if (stored_time != unix_time) + DEBUG(10,("%s SAMR_FIELD_LAST_LOGOFF: %lu -> %lu\n", l, + (long unsigned int)stored_time, + (long unsigned int)unix_time)); + if (stored_time != unix_time) { pdb_set_logoff_time(to, unix_time, PDB_CHANGED); + } } - if (from->fields_present & ACCT_EXPIRY) { - unix_time=nt_time_to_unix(from->kickoff_time); + if (from->fields_present & SAMR_FIELD_ACCT_EXPIRY) { + unix_time = nt_time_to_unix(from->acct_expiry); stored_time = pdb_get_kickoff_time(to); - DEBUG(10,("INFO_21 KICKOFF_TIME: %lu -> %lu\n",(long unsigned int)stored_time, (long unsigned int)unix_time)); - if (stored_time != unix_time) + DEBUG(10,("%s SAMR_FIELD_ACCT_EXPIRY: %lu -> %lu\n", l, + (long unsigned int)stored_time, + (long unsigned int)unix_time)); + if (stored_time != unix_time) { pdb_set_kickoff_time(to, unix_time , PDB_CHANGED); - } + } + } - if (from->fields_present & ACCT_LAST_PWD_CHANGE) { - unix_time=nt_time_to_unix(from->pass_last_set_time); + if 
(from->fields_present & SAMR_FIELD_LAST_PWD_CHANGE) { + unix_time = nt_time_to_unix(from->last_password_change); stored_time = pdb_get_pass_last_set_time(to); - DEBUG(10,("INFO_21 PASS_LAST_SET: %lu -> %lu\n",(long unsigned int)stored_time, (long unsigned int)unix_time)); - if (stored_time != unix_time) + DEBUG(10,("%s SAMR_FIELD_LAST_PWD_CHANGE: %lu -> %lu\n", l, + (long unsigned int)stored_time, + (long unsigned int)unix_time)); + if (stored_time != unix_time) { pdb_set_pass_last_set_time(to, unix_time, PDB_CHANGED); + } } - if ((from->fields_present & ACCT_USERNAME) && - (from->hdr_user_name.buffer)) { + if ((from->fields_present & SAMR_FIELD_ACCOUNT_NAME) && + (from->account_name.string)) { old_string = pdb_get_username(to); - new_string = unistr2_static(&from->uni_user_name); - DEBUG(10,("INFO_21 UNI_USER_NAME: %s -> %s\n", old_string, new_string)); - if (STRING_CHANGED) - pdb_set_username(to , new_string, PDB_CHANGED); + new_string = from->account_name.string; + DEBUG(10,("%s SAMR_FIELD_ACCOUNT_NAME: %s -> %s\n", l, + old_string, new_string)); + if (STRING_CHANGED) { + pdb_set_username(to, new_string, PDB_CHANGED); + } } - if ((from->fields_present & ACCT_FULL_NAME) && - (from->hdr_full_name.buffer)) { + if ((from->fields_present & SAMR_FIELD_FULL_NAME) && + (from->full_name.string)) { old_string = pdb_get_fullname(to); - new_string = unistr2_static(&from->uni_full_name); - DEBUG(10,("INFO_21 UNI_FULL_NAME: %s -> %s\n",old_string, new_string)); - if (STRING_CHANGED) - pdb_set_fullname(to , new_string, PDB_CHANGED); + new_string = from->full_name.string; + DEBUG(10,("%s SAMR_FIELD_FULL_NAME: %s -> %s\n", l, + old_string, new_string)); + if (STRING_CHANGED) { + pdb_set_fullname(to, new_string, PDB_CHANGED); + } } - - if ((from->fields_present & ACCT_HOME_DIR) && - (from->hdr_home_dir.buffer)) { + + if ((from->fields_present & SAMR_FIELD_HOME_DIRECTORY) && + (from->home_directory.string)) { old_string = pdb_get_homedir(to); - new_string = 
unistr2_static(&from->uni_home_dir); - DEBUG(10,("INFO_21 UNI_HOME_DIR: %s -> %s\n",old_string,new_string)); - if (STRING_CHANGED) - pdb_set_homedir(to , new_string, PDB_CHANGED); + new_string = from->home_directory.string; + DEBUG(10,("%s SAMR_FIELD_HOME_DIRECTORY: %s -> %s\n", l, + old_string, new_string)); + if (STRING_CHANGED) { + pdb_set_homedir(to, new_string, PDB_CHANGED); + } } - if ((from->fields_present & ACCT_HOME_DRIVE) && - (from->hdr_dir_drive.buffer)) { + if ((from->fields_present & SAMR_FIELD_HOME_DRIVE) && + (from->home_drive.string)) { old_string = pdb_get_dir_drive(to); - new_string = unistr2_static(&from->uni_dir_drive); - DEBUG(10,("INFO_21 UNI_DIR_DRIVE: %s -> %s\n",old_string,new_string)); - if (STRING_CHANGED) - pdb_set_dir_drive(to , new_string, PDB_CHANGED); + new_string = from->home_drive.string; + DEBUG(10,("%s SAMR_FIELD_HOME_DRIVE: %s -> %s\n", l, + old_string, new_string)); + if (STRING_CHANGED) { + pdb_set_dir_drive(to, new_string, PDB_CHANGED); + } } - if ((from->fields_present & ACCT_LOGON_SCRIPT) && - (from->hdr_logon_script.buffer)) { + if ((from->fields_present & SAMR_FIELD_LOGON_SCRIPT) && + (from->logon_script.string)) { old_string = pdb_get_logon_script(to); - new_string = unistr2_static(&from->uni_logon_script); - DEBUG(10,("INFO_21 UNI_LOGON_SCRIPT: %s -> %s\n",old_string,new_string)); - if (STRING_CHANGED) + new_string = from->logon_script.string; + DEBUG(10,("%s SAMR_FIELD_LOGON_SCRIPT: %s -> %s\n", l, + old_string, new_string)); + if (STRING_CHANGED) { pdb_set_logon_script(to , new_string, PDB_CHANGED); + } } - if ((from->fields_present & ACCT_PROFILE) && - (from->hdr_profile_path.buffer)) { + if ((from->fields_present & SAMR_FIELD_PROFILE_PATH) && + (from->profile_path.string)) { old_string = pdb_get_profile_path(to); - new_string = unistr2_static(&from->uni_profile_path); - DEBUG(10,("INFO_21 UNI_PROFILE_PATH: %s -> %s\n",old_string, new_string)); - if (STRING_CHANGED) + new_string = from->profile_path.string; + 
DEBUG(10,("%s SAMR_FIELD_PROFILE_PATH: %s -> %s\n", l, + old_string, new_string)); + if (STRING_CHANGED) { pdb_set_profile_path(to , new_string, PDB_CHANGED); + } } - - if ((from->fields_present & ACCT_DESCRIPTION) && - (from->hdr_acct_desc.buffer)) { + + if ((from->fields_present & SAMR_FIELD_DESCRIPTION) && + (from->description.string)) { old_string = pdb_get_acct_desc(to); - new_string = unistr2_static(&from->uni_acct_desc); - DEBUG(10,("INFO_21 UNI_ACCT_DESC: %s -> %s\n",old_string,new_string)); - if (STRING_CHANGED) - pdb_set_acct_desc(to , new_string, PDB_CHANGED); + new_string = from->description.string; + DEBUG(10,("%s SAMR_FIELD_DESCRIPTION: %s -> %s\n", l, + old_string, new_string)); + if (STRING_CHANGED) { + pdb_set_acct_desc(to, new_string, PDB_CHANGED); + } } - - if ((from->fields_present & ACCT_WORKSTATIONS) && - (from->hdr_workstations.buffer)) { + + if ((from->fields_present & SAMR_FIELD_WORKSTATIONS) && + (from->workstations.string)) { old_string = pdb_get_workstations(to); - new_string = unistr2_static(&from->uni_workstations); - DEBUG(10,("INFO_21 UNI_WORKSTATIONS: %s -> %s\n",old_string, new_string)); - if (STRING_CHANGED) + new_string = from->workstations.string; + DEBUG(10,("%s SAMR_FIELD_WORKSTATIONS: %s -> %s\n", l, + old_string, new_string)); + if (STRING_CHANGED) { pdb_set_workstations(to , new_string, PDB_CHANGED); + } } - if ((from->fields_present & ACCT_COMMENT) && - (from->hdr_comment.buffer)) { + if ((from->fields_present & SAMR_FIELD_COMMENT) && + (from->comment.string)) { old_string = pdb_get_comment(to); - new_string = unistr2_static(&from->uni_comment); - DEBUG(10,("INFO_21 UNI_COMMENT: %s -> %s\n",old_string, new_string)); - if (STRING_CHANGED) + new_string = from->comment.string; + DEBUG(10,("%s SAMR_FIELD_COMMENT: %s -> %s\n", l, + old_string, new_string)); + if (STRING_CHANGED) { pdb_set_comment(to, new_string, PDB_CHANGED); + } } - - if ((from->fields_present & ACCT_CALLBACK) && - (from->hdr_munged_dial.buffer)) { + + if 
((from->fields_present & SAMR_FIELD_PARAMETERS) && + (from->parameters.string)) { char *newstr; old_string = pdb_get_munged_dial(to); - mung.length = from->hdr_munged_dial.uni_str_len; - mung.data = (uint8 *) from->uni_munged_dial.buffer; + mung.length = from->parameters.length; + mung.data = (uint8_t *)from->parameters.string; mung.free = NULL; newstr = (mung.length == 0) ? - NULL : base64_encode_data_blob(mung); - DEBUG(10,("INFO_21 UNI_MUNGED_DIAL: %s -> %s\n",old_string, newstr)); - if (STRING_CHANGED_NC(old_string,newstr)) - pdb_set_munged_dial(to , newstr, PDB_CHANGED); + NULL : base64_encode_data_blob(talloc_tos(), mung); + DEBUG(10,("%s SAMR_FIELD_PARAMETERS: %s -> %s\n", l, + old_string, newstr)); + if (STRING_CHANGED_NC(old_string,newstr)) { + pdb_set_munged_dial(to, newstr, PDB_CHANGED); + } TALLOC_FREE(newstr); } - - if (from->fields_present & ACCT_RID) { - if (from->user_rid == 0) { - DEBUG(10, ("INFO_21: Asked to set User RID to 0 !? Skipping change!\n")); - } else if (from->user_rid != pdb_get_user_rid(to)) { - DEBUG(10,("INFO_21 USER_RID: %u -> %u NOT UPDATED!\n",pdb_get_user_rid(to),from->user_rid)); + + if (from->fields_present & SAMR_FIELD_RID) { + if (from->rid == 0) { + DEBUG(10,("%s: Asked to set User RID to 0 !? Skipping change!\n", l)); + } else if (from->rid != pdb_get_user_rid(to)) { + DEBUG(10,("%s SAMR_FIELD_RID: %u -> %u NOT UPDATED!\n", l, + pdb_get_user_rid(to), from->rid)); } } - - if (from->fields_present & ACCT_PRIMARY_GID) { - if (from->group_rid == 0) { - DEBUG(10, ("INFO_21: Asked to set Group RID to 0 !? Skipping change!\n")); - } else if (from->group_rid != pdb_get_group_rid(to)) { - DEBUG(10,("INFO_21 GROUP_RID: %u -> %u\n",pdb_get_group_rid(to),from->group_rid)); - pdb_set_group_sid_from_rid(to, from->group_rid, PDB_CHANGED); + + if (from->fields_present & SAMR_FIELD_PRIMARY_GID) { + if (from->primary_gid == 0) { + DEBUG(10,("%s: Asked to set Group RID to 0 !? 
Skipping change!\n", l)); + } else if (from->primary_gid != pdb_get_group_rid(to)) { + DEBUG(10,("%s SAMR_FIELD_PRIMARY_GID: %u -> %u\n", l, + pdb_get_group_rid(to), from->primary_gid)); + pdb_set_group_sid_from_rid(to, + from->primary_gid, PDB_CHANGED); } } - - if (from->fields_present & ACCT_FLAGS) { - DEBUG(10,("INFO_21 ACCT_CTRL: %08X -> %08X\n",pdb_get_acct_ctrl(to),from->acb_info)); - if (from->acb_info != pdb_get_acct_ctrl(to)) { - if (!(from->acb_info & ACB_AUTOLOCK) && (pdb_get_acct_ctrl(to) & ACB_AUTOLOCK)) { + + if (from->fields_present & SAMR_FIELD_ACCT_FLAGS) { + DEBUG(10,("%s SAMR_FIELD_ACCT_FLAGS: %08X -> %08X\n", l, + pdb_get_acct_ctrl(to), from->acct_flags)); + if (from->acct_flags != pdb_get_acct_ctrl(to)) { + if (!(from->acct_flags & ACB_AUTOLOCK) && + (pdb_get_acct_ctrl(to) & ACB_AUTOLOCK)) { /* We're unlocking a previously locked user. Reset bad password counts. Patch from Jianliang Lu. <Jianliang.Lu@getronics.com> */ pdb_set_bad_password_count(to, 0, PDB_CHANGED); pdb_set_bad_password_time(to, 0, PDB_CHANGED); } - pdb_set_acct_ctrl(to, from->acb_info, PDB_CHANGED); + pdb_set_acct_ctrl(to, from->acct_flags, PDB_CHANGED); } } - if (from->fields_present & ACCT_LOGON_HOURS) { + if (from->fields_present & SAMR_FIELD_LOGON_HOURS) { char oldstr[44]; /* hours strings are 42 bytes. 
*/ char newstr[44]; - DEBUG(15,("INFO_21 LOGON_DIVS: %08X -> %08X\n",pdb_get_logon_divs(to),from->logon_divs)); - if (from->logon_divs != pdb_get_logon_divs(to)) { - pdb_set_logon_divs(to, from->logon_divs, PDB_CHANGED); + DEBUG(15,("%s SAMR_FIELD_LOGON_HOURS (units_per_week): %08X -> %08X\n", l, + pdb_get_logon_divs(to), from->logon_hours.units_per_week)); + if (from->logon_hours.units_per_week != pdb_get_logon_divs(to)) { + pdb_set_logon_divs(to, + from->logon_hours.units_per_week, PDB_CHANGED); } - DEBUG(15,("INFO_21 LOGON_HRS.LEN: %08X -> %08X\n",pdb_get_hours_len(to),from->logon_hrs.len)); - if (from->logon_hrs.len != pdb_get_hours_len(to)) { - pdb_set_hours_len(to, from->logon_hrs.len, PDB_CHANGED); + DEBUG(15,("%s SAMR_FIELD_LOGON_HOURS (units_per_week/8): %08X -> %08X\n", l, + pdb_get_hours_len(to), + from->logon_hours.units_per_week/8)); + if (from->logon_hours.units_per_week/8 != pdb_get_hours_len(to)) { + pdb_set_hours_len(to, + from->logon_hours.units_per_week/8, PDB_CHANGED); } - DEBUG(15,("INFO_21 LOGON_HRS.HOURS: %s -> %s\n",pdb_get_hours(to),from->logon_hrs.hours)); + DEBUG(15,("%s SAMR_FIELD_LOGON_HOURS (bits): %s -> %s\n", l, + pdb_get_hours(to), from->logon_hours.bits)); pdb_sethexhours(oldstr, pdb_get_hours(to)); - pdb_sethexhours(newstr, from->logon_hrs.hours); + pdb_sethexhours(newstr, from->logon_hours.bits); if (!strequal(oldstr, newstr)) { - pdb_set_hours(to, from->logon_hrs.hours, PDB_CHANGED); + pdb_set_hours(to, from->logon_hours.bits, PDB_CHANGED); } } - if (from->fields_present & ACCT_BAD_PWD_COUNT) { - DEBUG(10,("INFO_21 BAD_PASSWORD_COUNT: %08X -> %08X\n",pdb_get_bad_password_count(to),from->bad_password_count)); + if (from->fields_present & SAMR_FIELD_BAD_PWD_COUNT) { + DEBUG(10,("%s SAMR_FIELD_BAD_PWD_COUNT: %08X -> %08X\n", l, + pdb_get_bad_password_count(to), from->bad_password_count)); if (from->bad_password_count != pdb_get_bad_password_count(to)) { - pdb_set_bad_password_count(to, from->bad_password_count, PDB_CHANGED); + 
pdb_set_bad_password_count(to, + from->bad_password_count, PDB_CHANGED); } } - if (from->fields_present & ACCT_NUM_LOGONS) { - DEBUG(10,("INFO_21 LOGON_COUNT: %08X -> %08X\n",pdb_get_logon_count(to),from->logon_count)); + if (from->fields_present & SAMR_FIELD_NUM_LOGONS) { + DEBUG(10,("%s SAMR_FIELD_NUM_LOGONS: %08X -> %08X\n", l, + pdb_get_logon_count(to), from->logon_count)); if (from->logon_count != pdb_get_logon_count(to)) { pdb_set_logon_count(to, from->logon_count, PDB_CHANGED); } } /* If the must change flag is set, the last set time goes to zero. - the must change and can change fields also do, but they are + the must change and can change fields also do, but they are calculated from policy, not set from the wire */ - if (from->fields_present & ACCT_EXPIRED_FLAG) { - DEBUG(10,("INFO_21 PASS_MUST_CHANGE_AT_NEXT_LOGON: %02X\n",from->passmustchange)); - if (from->passmustchange == PASS_MUST_CHANGE_AT_NEXT_LOGON) { - pdb_set_pass_last_set_time(to, 0, PDB_CHANGED); + if (from->fields_present & SAMR_FIELD_EXPIRED_FLAG) { + DEBUG(10,("%s SAMR_FIELD_EXPIRED_FLAG: %02X\n", l, + from->password_expired)); + if (from->password_expired == PASS_MUST_CHANGE_AT_NEXT_LOGON) { + pdb_set_pass_last_set_time(to, 0, PDB_CHANGED); } else { pdb_set_pass_last_set_time(to, time(NULL),PDB_CHANGED); } } - - DEBUG(10,("INFO_21 PADDING_2: %02X\n",from->padding2)); } /************************************************************* - Copies a SAM_USER_INFO_23 to a struct samu + Copies a struct samr_UserInfo23 to a struct samu **************************************************************/ -void copy_id23_to_sam_passwd(struct samu *to, SAM_USER_INFO_23 *from) +void copy_id23_to_sam_passwd(struct samu *to, + struct samr_UserInfo23 *from) { - time_t unix_time, stored_time; - const char *old_string, *new_string; - DATA_BLOB mung; - - if (from == NULL || to == NULL) + if (from == NULL || to == NULL) { return; - - if (from->fields_present & ACCT_LAST_LOGON) { - 
unix_time=nt_time_to_unix(from->logon_time); - stored_time = pdb_get_logon_time(to); - DEBUG(10,("INFO_23 LOGON_TIME: %lu -> %lu\n",(long unsigned int)stored_time, (long unsigned int)unix_time)); - if (stored_time != unix_time) - pdb_set_logon_time(to, unix_time, PDB_CHANGED); - } - - if (from->fields_present & ACCT_LAST_LOGOFF) { - unix_time=nt_time_to_unix(from->logoff_time); - stored_time = pdb_get_logoff_time(to); - DEBUG(10,("INFO_23 LOGOFF_TIME: %lu -> %lu\n",(long unsigned int)stored_time, (long unsigned int)unix_time)); - if (stored_time != unix_time) - pdb_set_logoff_time(to, unix_time, PDB_CHANGED); - } - - if (from->fields_present & ACCT_EXPIRY) { - unix_time=nt_time_to_unix(from->kickoff_time); - stored_time = pdb_get_kickoff_time(to); - DEBUG(10,("INFO_23 KICKOFF_TIME: %lu -> %lu\n",(long unsigned int)stored_time, (long unsigned int)unix_time)); - if (stored_time != unix_time) - pdb_set_kickoff_time(to, unix_time , PDB_CHANGED); - } - - if (from->fields_present & ACCT_LAST_PWD_CHANGE) { - unix_time=nt_time_to_unix(from->pass_last_set_time); - stored_time = pdb_get_pass_last_set_time(to); - DEBUG(10,("INFO_23 PASS_LAST_SET: %lu -> %lu\n",(long unsigned int)stored_time, (long unsigned int)unix_time)); - if (stored_time != unix_time) - pdb_set_pass_last_set_time(to, unix_time, PDB_CHANGED); } - /* Backend should check this for sanity */ - if ((from->fields_present & ACCT_USERNAME) && - (from->hdr_user_name.buffer)) { - old_string = pdb_get_username(to); - new_string = unistr2_static(&from->uni_user_name); - DEBUG(10,("INFO_23 UNI_USER_NAME: %s -> %s\n", old_string, new_string)); - if (STRING_CHANGED) - pdb_set_username(to , new_string, PDB_CHANGED); - } - - if ((from->fields_present & ACCT_FULL_NAME) && - (from->hdr_full_name.buffer)) { - old_string = pdb_get_fullname(to); - new_string = unistr2_static(&from->uni_full_name); - DEBUG(10,("INFO_23 UNI_FULL_NAME: %s -> %s\n",old_string, new_string)); - if (STRING_CHANGED) - pdb_set_fullname(to , new_string, 
PDB_CHANGED); - } - - if ((from->fields_present & ACCT_HOME_DIR) && - (from->hdr_home_dir.buffer)) { - old_string = pdb_get_homedir(to); - new_string = unistr2_static(&from->uni_home_dir); - DEBUG(10,("INFO_23 UNI_HOME_DIR: %s -> %s\n",old_string,new_string)); - if (STRING_CHANGED) - pdb_set_homedir(to , new_string, PDB_CHANGED); - } - - if ((from->fields_present & ACCT_HOME_DRIVE) && - (from->hdr_dir_drive.buffer)) { - old_string = pdb_get_dir_drive(to); - new_string = unistr2_static(&from->uni_dir_drive); - DEBUG(10,("INFO_23 UNI_DIR_DRIVE: %s -> %s\n",old_string,new_string)); - if (STRING_CHANGED) - pdb_set_dir_drive(to , new_string, PDB_CHANGED); - } - - if ((from->fields_present & ACCT_LOGON_SCRIPT) && - (from->hdr_logon_script.buffer)) { - old_string = pdb_get_logon_script(to); - new_string = unistr2_static(&from->uni_logon_script); - DEBUG(10,("INFO_23 UNI_LOGON_SCRIPT: %s -> %s\n",old_string,new_string)); - if (STRING_CHANGED) - pdb_set_logon_script(to , new_string, PDB_CHANGED); - } - - if ((from->fields_present & ACCT_PROFILE) && - (from->hdr_profile_path.buffer)) { - old_string = pdb_get_profile_path(to); - new_string = unistr2_static(&from->uni_profile_path); - DEBUG(10,("INFO_23 UNI_PROFILE_PATH: %s -> %s\n",old_string, new_string)); - if (STRING_CHANGED) - pdb_set_profile_path(to , new_string, PDB_CHANGED); - } - - if ((from->fields_present & ACCT_DESCRIPTION) && - (from->hdr_acct_desc.buffer)) { - old_string = pdb_get_acct_desc(to); - new_string = unistr2_static(&from->uni_acct_desc); - DEBUG(10,("INFO_23 UNI_ACCT_DESC: %s -> %s\n",old_string,new_string)); - if (STRING_CHANGED) - pdb_set_acct_desc(to , new_string, PDB_CHANGED); - } - - if ((from->fields_present & ACCT_WORKSTATIONS) && - (from->hdr_workstations.buffer)) { - old_string = pdb_get_workstations(to); - new_string = unistr2_static(&from->uni_workstations); - DEBUG(10,("INFO_23 UNI_WORKSTATIONS: %s -> %s\n",old_string, new_string)); - if (STRING_CHANGED) - pdb_set_workstations(to , 
new_string, PDB_CHANGED); - } - - if ((from->fields_present & ACCT_COMMENT) && - (from->hdr_comment.buffer)) { - old_string = pdb_get_comment(to); - new_string = unistr2_static(&from->uni_comment); - DEBUG(10,("INFO_23 UNI_UNKNOWN_STR: %s -> %s\n",old_string, new_string)); - if (STRING_CHANGED) - pdb_set_comment(to , new_string, PDB_CHANGED); - } - - if ((from->fields_present & ACCT_CALLBACK) && - (from->hdr_munged_dial.buffer)) { - char *newstr; - old_string = pdb_get_munged_dial(to); - mung.length = from->hdr_munged_dial.uni_str_len; - mung.data = (uint8 *) from->uni_munged_dial.buffer; - mung.free = NULL; - newstr = (mung.length == 0) ? - NULL : base64_encode_data_blob(mung); - DEBUG(10,("INFO_23 UNI_MUNGED_DIAL: %s -> %s\n",old_string, newstr)); - if (STRING_CHANGED_NC(old_string, newstr)) - pdb_set_munged_dial(to , newstr, PDB_CHANGED); - - TALLOC_FREE(newstr); - } - - if (from->fields_present & ACCT_RID) { - if (from->user_rid == 0) { - DEBUG(10, ("INFO_23: Asked to set User RID to 0 !? Skipping change!\n")); - } else if (from->user_rid != pdb_get_user_rid(to)) { - DEBUG(10,("INFO_23 USER_RID: %u -> %u NOT UPDATED!\n",pdb_get_user_rid(to),from->user_rid)); - } - } - - if (from->fields_present & ACCT_PRIMARY_GID) { - if (from->group_rid == 0) { - DEBUG(10, ("INFO_23: Asked to set Group RID to 0 !? 
Skipping change!\n")); - } else if (from->group_rid != pdb_get_group_rid(to)) { - DEBUG(10,("INFO_23 GROUP_RID: %u -> %u\n",pdb_get_group_rid(to),from->group_rid)); - pdb_set_group_sid_from_rid(to, from->group_rid, PDB_CHANGED); - } - } - - if (from->fields_present & ACCT_FLAGS) { - DEBUG(10,("INFO_23 ACCT_CTRL: %08X -> %08X\n",pdb_get_acct_ctrl(to),from->acb_info)); - if (from->acb_info != pdb_get_acct_ctrl(to)) { - pdb_set_acct_ctrl(to, from->acb_info, PDB_CHANGED); - } - } - - if (from->fields_present & ACCT_LOGON_HOURS) { - DEBUG(15,("INFO_23 LOGON_DIVS: %08X -> %08X\n",pdb_get_logon_divs(to),from->logon_divs)); - if (from->logon_divs != pdb_get_logon_divs(to)) { - pdb_set_logon_divs(to, from->logon_divs, PDB_CHANGED); - } - - DEBUG(15,("INFO_23 LOGON_HRS.LEN: %08X -> %08X\n",pdb_get_hours_len(to),from->logon_hrs.len)); - if (from->logon_hrs.len != pdb_get_hours_len(to)) { - pdb_set_hours_len(to, from->logon_hrs.len, PDB_CHANGED); - } - - DEBUG(15,("INFO_23 LOGON_HRS.HOURS: %s -> %s\n",pdb_get_hours(to),from->logon_hrs.hours)); - /* Fix me: only update if it changes --metze */ - pdb_set_hours(to, from->logon_hrs.hours, PDB_CHANGED); - } - - if (from->fields_present & ACCT_BAD_PWD_COUNT) { - DEBUG(10,("INFO_23 BAD_PASSWORD_COUNT: %08X -> %08X\n",pdb_get_bad_password_count(to),from->bad_password_count)); - if (from->bad_password_count != pdb_get_bad_password_count(to)) { - pdb_set_bad_password_count(to, from->bad_password_count, PDB_CHANGED); - } - } - - if (from->fields_present & ACCT_NUM_LOGONS) { - DEBUG(10,("INFO_23 LOGON_COUNT: %08X -> %08X\n",pdb_get_logon_count(to),from->logon_count)); - if (from->logon_count != pdb_get_logon_count(to)) { - pdb_set_logon_count(to, from->logon_count, PDB_CHANGED); - } - } - - /* If the must change flag is set, the last set time goes to zero. 
- the must change and can change fields also do, but they are - calculated from policy, not set from the wire */ - - if (from->fields_present & ACCT_EXPIRED_FLAG) { - DEBUG(10,("INFO_23 PASS_MUST_CHANGE_AT_NEXT_LOGON: %02X\n",from->passmustchange)); - if (from->passmustchange == PASS_MUST_CHANGE_AT_NEXT_LOGON) { - pdb_set_pass_last_set_time(to, 0, PDB_CHANGED); - } else { - pdb_set_pass_last_set_time(to, time(NULL),PDB_CHANGED); - } - } - - DEBUG(10,("INFO_23 PADDING_2: %02X\n",from->padding2)); + copy_id21_to_sam_passwd("INFO 23", to, &from->info); } /************************************************************* - Copies a SAM_USER_INFO_25 to a struct samu + Copies a struct samr_UserInfo25 to a struct samu **************************************************************/ -void copy_id25_to_sam_passwd(struct samu *to, SAM_USER_INFO_25 *from) +void copy_id25_to_sam_passwd(struct samu *to, + struct samr_UserInfo25 *from) { - time_t unix_time, stored_time; - const char *old_string, *new_string; - DATA_BLOB mung; - - if (from == NULL || to == NULL) + if (from == NULL || to == NULL) { return; - - if (from->fields_present & ACCT_LAST_LOGON) { - unix_time=nt_time_to_unix(from->logon_time); - stored_time = pdb_get_logon_time(to); - DEBUG(10,("INFO_25 LOGON_TIME: %lu -> %lu\n",(long unsigned int)stored_time, (long unsigned int)unix_time)); - if (stored_time != unix_time) - pdb_set_logon_time(to, unix_time, PDB_CHANGED); - } - - if (from->fields_present & ACCT_LAST_LOGOFF) { - unix_time=nt_time_to_unix(from->logoff_time); - stored_time = pdb_get_logoff_time(to); - DEBUG(10,("INFO_25 LOGOFF_TIME: %lu -> %lu\n",(long unsigned int)stored_time, (long unsigned int)unix_time)); - if (stored_time != unix_time) - pdb_set_logoff_time(to, unix_time, PDB_CHANGED); } - if (from->fields_present & ACCT_EXPIRY) { - unix_time=nt_time_to_unix(from->kickoff_time); - stored_time = pdb_get_kickoff_time(to); - DEBUG(10,("INFO_25 KICKOFF_TIME: %lu -> %lu\n",(long unsigned int)stored_time, (long 
unsigned int)unix_time)); - if (stored_time != unix_time) - pdb_set_kickoff_time(to, unix_time , PDB_CHANGED); - } - - if (from->fields_present & ACCT_LAST_PWD_CHANGE) { - unix_time=nt_time_to_unix(from->pass_last_set_time); - stored_time = pdb_get_pass_last_set_time(to); - DEBUG(10,("INFO_25 PASS_LAST_SET: %lu -> %lu\n",(long unsigned int)stored_time, (long unsigned int)unix_time)); - if (stored_time != unix_time) - pdb_set_pass_last_set_time(to, unix_time, PDB_CHANGED); - } - - if ((from->fields_present & ACCT_USERNAME) && - (from->hdr_user_name.buffer)) { - old_string = pdb_get_username(to); - new_string = unistr2_static(&from->uni_user_name); - DEBUG(10,("INFO_25 UNI_USER_NAME: %s -> %s\n", old_string, new_string)); - if (STRING_CHANGED) - pdb_set_username(to , new_string, PDB_CHANGED); - } - - if ((from->fields_present & ACCT_FULL_NAME) && - (from->hdr_full_name.buffer)) { - old_string = pdb_get_fullname(to); - new_string = unistr2_static(&from->uni_full_name); - DEBUG(10,("INFO_25 UNI_FULL_NAME: %s -> %s\n",old_string, new_string)); - if (STRING_CHANGED) - pdb_set_fullname(to , new_string, PDB_CHANGED); - } - - if ((from->fields_present & ACCT_HOME_DIR) && - (from->hdr_home_dir.buffer)) { - old_string = pdb_get_homedir(to); - new_string = unistr2_static(&from->uni_home_dir); - DEBUG(10,("INFO_25 UNI_HOME_DIR: %s -> %s\n",old_string,new_string)); - if (STRING_CHANGED) - pdb_set_homedir(to , new_string, PDB_CHANGED); - } - - if ((from->fields_present & ACCT_HOME_DRIVE) && - (from->hdr_dir_drive.buffer)) { - old_string = pdb_get_dir_drive(to); - new_string = unistr2_static(&from->uni_dir_drive); - DEBUG(10,("INFO_25 UNI_DIR_DRIVE: %s -> %s\n",old_string,new_string)); - if (STRING_CHANGED) - pdb_set_dir_drive(to , new_string, PDB_CHANGED); - } - - if ((from->fields_present & ACCT_LOGON_SCRIPT) && - (from->hdr_logon_script.buffer)) { - old_string = pdb_get_logon_script(to); - new_string = unistr2_static(&from->uni_logon_script); - DEBUG(10,("INFO_25 
UNI_LOGON_SCRIPT: %s -> %s\n",old_string,new_string)); - if (STRING_CHANGED) - pdb_set_logon_script(to , new_string, PDB_CHANGED); - } - - if ((from->fields_present & ACCT_PROFILE) && - (from->hdr_profile_path.buffer)) { - old_string = pdb_get_profile_path(to); - new_string = unistr2_static(&from->uni_profile_path); - DEBUG(10,("INFO_25 UNI_PROFILE_PATH: %s -> %s\n",old_string, new_string)); - if (STRING_CHANGED) - pdb_set_profile_path(to , new_string, PDB_CHANGED); - } - - if ((from->fields_present & ACCT_DESCRIPTION) && - (from->hdr_acct_desc.buffer)) { - old_string = pdb_get_acct_desc(to); - new_string = unistr2_static(&from->uni_acct_desc); - DEBUG(10,("INFO_25 UNI_ACCT_DESC: %s -> %s\n",old_string,new_string)); - if (STRING_CHANGED) - pdb_set_acct_desc(to , new_string, PDB_CHANGED); - } - - if ((from->fields_present & ACCT_WORKSTATIONS) && - (from->hdr_workstations.buffer)) { - old_string = pdb_get_workstations(to); - new_string = unistr2_static(&from->uni_workstations); - DEBUG(10,("INFO_25 UNI_WORKSTATIONS: %s -> %s\n",old_string, new_string)); - if (STRING_CHANGED) - pdb_set_workstations(to , new_string, PDB_CHANGED); - } - - if ((from->fields_present & ACCT_COMMENT) && - (from->hdr_comment.buffer)) { - old_string = pdb_get_comment(to); - new_string = unistr2_static(&from->uni_comment); - DEBUG(10,("INFO_25 UNI_UNKNOWN_STR: %s -> %s\n",old_string, new_string)); - if (STRING_CHANGED) - pdb_set_comment(to , new_string, PDB_CHANGED); - } - - if ((from->fields_present & ACCT_CALLBACK) && - (from->hdr_munged_dial.buffer)) { - char *newstr; - old_string = pdb_get_munged_dial(to); - mung.length = from->hdr_munged_dial.uni_str_len; - mung.data = (uint8 *) from->uni_munged_dial.buffer; - mung.free = NULL; - newstr = (mung.length == 0) ? 
- NULL : base64_encode_data_blob(mung); - DEBUG(10,("INFO_25 UNI_MUNGED_DIAL: %s -> %s\n",old_string, newstr)); - if (STRING_CHANGED_NC(old_string,newstr)) - pdb_set_munged_dial(to , newstr, PDB_CHANGED); - - TALLOC_FREE(newstr); - } - - if (from->fields_present & ACCT_RID) { - if (from->user_rid == 0) { - DEBUG(10, ("INFO_25: Asked to set User RID to 0 !? Skipping change!\n")); - } else if (from->user_rid != pdb_get_user_rid(to)) { - DEBUG(10,("INFO_25 USER_RID: %u -> %u NOT UPDATED!\n",pdb_get_user_rid(to),from->user_rid)); - } - } - - if (from->fields_present & ACCT_PRIMARY_GID) { - if (from->group_rid == 0) { - DEBUG(10, ("INFO_25: Asked to set Group RID to 0 !? Skipping change!\n")); - } else if (from->group_rid != pdb_get_group_rid(to)) { - DEBUG(10,("INFO_25 GROUP_RID: %u -> %u\n",pdb_get_group_rid(to),from->group_rid)); - pdb_set_group_sid_from_rid(to, from->group_rid, PDB_CHANGED); - } - } - - if (from->fields_present & ACCT_FLAGS) { - DEBUG(10,("INFO_25 ACCT_CTRL: %08X -> %08X\n",pdb_get_acct_ctrl(to),from->acb_info)); - if (from->acb_info != pdb_get_acct_ctrl(to)) { - if (!(from->acb_info & ACB_AUTOLOCK) && (pdb_get_acct_ctrl(to) & ACB_AUTOLOCK)) { - /* We're unlocking a previously locked user. Reset bad password counts. - Patch from Jianliang Lu. 
<Jianliang.Lu@getronics.com> */ - pdb_set_bad_password_count(to, 0, PDB_CHANGED); - pdb_set_bad_password_time(to, 0, PDB_CHANGED); - } - pdb_set_acct_ctrl(to, from->acb_info, PDB_CHANGED); - } - } - - if (from->fields_present & ACCT_LOGON_HOURS) { - DEBUG(15,("INFO_25 LOGON_DIVS: %08X -> %08X\n",pdb_get_logon_divs(to),from->logon_divs)); - if (from->logon_divs != pdb_get_logon_divs(to)) { - pdb_set_logon_divs(to, from->logon_divs, PDB_CHANGED); - } - - DEBUG(15,("INFO_25 LOGON_HRS.LEN: %08X -> %08X\n",pdb_get_hours_len(to),from->logon_hrs.len)); - if (from->logon_hrs.len != pdb_get_hours_len(to)) { - pdb_set_hours_len(to, from->logon_hrs.len, PDB_CHANGED); - } - - DEBUG(15,("INFO_25 LOGON_HRS.HOURS: %s -> %s\n",pdb_get_hours(to),from->logon_hrs.hours)); - /* Fix me: only update if it changes --metze */ - pdb_set_hours(to, from->logon_hrs.hours, PDB_CHANGED); - } - - if (from->fields_present & ACCT_BAD_PWD_COUNT) { - DEBUG(10,("INFO_25 BAD_PASSWORD_COUNT: %08X -> %08X\n",pdb_get_bad_password_count(to),from->bad_password_count)); - if (from->bad_password_count != pdb_get_bad_password_count(to)) { - pdb_set_bad_password_count(to, from->bad_password_count, PDB_CHANGED); - } - } - - if (from->fields_present & ACCT_NUM_LOGONS) { - DEBUG(10,("INFO_25 LOGON_COUNT: %08X -> %08X\n",pdb_get_logon_count(to),from->logon_count)); - if (from->logon_count != pdb_get_logon_count(to)) { - pdb_set_logon_count(to, from->logon_count, PDB_CHANGED); - } - } - - /* If the must change flag is set, the last set time goes to zero. 
- the must change and can change fields also do, but they are - calculated from policy, not set from the wire */ - - if (from->fields_present & ACCT_EXPIRED_FLAG) { - DEBUG(10,("INFO_25 PASS_MUST_CHANGE_AT_NEXT_LOGON: %02X\n",from->passmustchange)); - if (from->passmustchange == PASS_MUST_CHANGE_AT_NEXT_LOGON) { - pdb_set_pass_last_set_time(to, 0, PDB_CHANGED); - } else { - pdb_set_pass_last_set_time(to, time(NULL),PDB_CHANGED); - } - } + copy_id21_to_sam_passwd("INFO_25", to, &from->info); } diff --git a/source3/rpc_server/srv_srvsvc_nt.c b/source3/rpc_server/srv_srvsvc_nt.c index 1b877ee5b4..37bd204f75 100644 --- a/source3/rpc_server/srv_srvsvc_nt.c +++ b/source3/rpc_server/srv_srvsvc_nt.c @@ -225,9 +225,6 @@ static WERROR net_enum_files( TALLOC_CTX *ctx, const char *username, ********************************************************************/ static uint32 get_share_type(int snum) { - char *net_name = lp_servicename(snum); - int len_net_name = strlen(net_name); - /* work out the share type */ uint32 type = STYPE_DISKTREE; @@ -235,7 +232,7 @@ static uint32 get_share_type(int snum) type = STYPE_PRINTQ; if (strequal(lp_fstype(snum), "IPC")) type = STYPE_IPC; - if (net_name[len_net_name-1] == '$') + if (lp_hidden(snum)) type |= STYPE_HIDDEN; return type; @@ -1219,17 +1216,20 @@ done: WERROR _srv_net_file_enum(pipes_struct *p, SRV_Q_NET_FILE_ENUM *q_u, SRV_R_NET_FILE_ENUM *r_u) { + const char *username = NULL; + switch ( q_u->level ) { - case 3: { - char *username; - if (!(username = rpcstr_pull_unistr2_talloc( - p->mem_ctx, q_u->username))) { - return WERR_NOMEM; + case 3: + if (q_u->username) { + username = rpcstr_pull_unistr2_talloc( + p->mem_ctx, q_u->username); + if (!username) { + return WERR_NOMEM; + } } return net_file_enum_3(username, r_u, get_enum_hnd(&q_u->enum_hnd)); - } default: return WERR_UNKNOWN_LEVEL; } diff --git a/source3/rpc_server/srv_svcctl.c b/source3/rpc_server/srv_svcctl.c index ce81a24202..5e125145d6 100644 
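Review bot: The hidden flag in get_share_type() no longer follows the share name, and nothing in the hunk records that. `if (lp_hidden(snum))` replaces the trailing-`$` test, so a share named `NAME$` is presumably reported without STYPE_HIDDEN unless the setting behind lp_hidden() is also on; its definition is not in this section, so this holds only if lp_hidden() does not itself look at the name. I would add a comment above the test such as `/* hidden is a configuration flag now, not derived from a trailing '$'; STYPE_HIDDEN only affects listing, not access */` so admins do not treat either form as a protection. The closing brace of get_share_type() lies outside the hunk.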
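Review bot: In _srv_net_file_enum(), `username` can now reach `net_file_enum_3()` as NULL when the client sends no user name, and nothing visible here shows that the callee or net_enum_files() tolerates that. The field comes straight from the request, so any string comparison on it further down needs a NULL guard. I would state the contract at the declaration, e.g. `const char *username = NULL; /* NULL: no per-user filter */`, and check the callee matches it. The function continues past the end of the hunk.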
--- a/source3/rpc_server/srv_svcctl.c +++ b/source3/rpc_server/srv_svcctl.c @@ -53,23 +53,7 @@ static bool api_svcctl_close_service(pipes_struct *p) static bool api_svcctl_open_scmanager(pipes_struct *p) { - SVCCTL_Q_OPEN_SCMANAGER q_u; - SVCCTL_R_OPEN_SCMANAGER r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!svcctl_io_q_open_scmanager("", &q_u, data, 0)) - return False; - - r_u.status = _svcctl_open_scmanager(p, &q_u, &r_u); - - if(!svcctl_io_r_open_scmanager("", &r_u, rdata, 0)) - return False; - - return True; + return proxy_svcctl_call(p, NDR_SVCCTL_OPENSCMANAGERW); } /******************************************************************* @@ -77,23 +61,7 @@ static bool api_svcctl_open_scmanager(pipes_struct *p) static bool api_svcctl_open_service(pipes_struct *p) { - SVCCTL_Q_OPEN_SERVICE q_u; - SVCCTL_R_OPEN_SERVICE r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!svcctl_io_q_open_service("", &q_u, data, 0)) - return False; - - r_u.status = _svcctl_open_service(p, &q_u, &r_u); - - if(!svcctl_io_r_open_service("", &r_u, rdata, 0)) - return False; - - return True; + return proxy_svcctl_call(p, NDR_SVCCTL_OPENSERVICEW); } /******************************************************************* 
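Review bot: The wrappers converted here are now one-line trampolines under an empty banner comment, so nothing at the call site says where request parsing and access checks happen. That applies to api_svcctl_open_scmanager() in this hunk and equally to the open_service, get_display_name, query_status, start_service, control_service, lock/unlock_service_db and query/set_security_sec hunks that follow. I would fill each banner with a line like `/* Dispatches opnum NDR_SVCCTL_OPENSCMANAGERW; access is checked in _svcctl_OpenSCManagerW() */`, adjusted per call. proxy_svcctl_call() is defined outside these hunks, so it should be confirmed there that a malformed request still returns False, as the removed `svcctl_io_q_*` checks did.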
@@ -101,23 +69,7 @@ static bool api_svcctl_open_service(pipes_struct *p) static bool api_svcctl_get_display_name(pipes_struct *p) { - SVCCTL_Q_GET_DISPLAY_NAME q_u; - SVCCTL_R_GET_DISPLAY_NAME r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!svcctl_io_q_get_display_name("", &q_u, data, 0)) - return False; - - r_u.status = _svcctl_get_display_name(p, &q_u, &r_u); - - if(!svcctl_io_r_get_display_name("", &r_u, rdata, 0)) - return False; - - return True; + return proxy_svcctl_call(p, NDR_SVCCTL_GETSERVICEDISPLAYNAMEW); } /******************************************************************* @@ -125,23 +77,7 @@ static bool api_svcctl_get_display_name(pipes_struct *p) static bool api_svcctl_query_status(pipes_struct *p) { - SVCCTL_Q_QUERY_STATUS q_u; - SVCCTL_R_QUERY_STATUS r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!svcctl_io_q_query_status("", &q_u, data, 0)) - return False; - - r_u.status = _svcctl_query_status(p, &q_u, &r_u); - - if(!svcctl_io_r_query_status("", &r_u, rdata, 0)) - return False; - - return True; + return proxy_svcctl_call(p, NDR_SVCCTL_QUERYSERVICESTATUS); } /******************************************************************* 
@@ -219,23 +155,7 @@ static bool api_svcctl_enum_dependent_services(pipes_struct *p) static bool api_svcctl_start_service(pipes_struct *p) { - SVCCTL_Q_START_SERVICE q_u; - SVCCTL_R_START_SERVICE r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!svcctl_io_q_start_service("", &q_u, data, 0)) - return False; - - r_u.status = _svcctl_start_service(p, &q_u, &r_u); - - if(!svcctl_io_r_start_service("", &r_u, rdata, 0)) - return False; - - return True; + return proxy_svcctl_call(p, NDR_SVCCTL_STARTSERVICEW); } /******************************************************************* @@ -243,23 +163,7 @@ static bool api_svcctl_start_service(pipes_struct *p) static bool api_svcctl_control_service(pipes_struct *p) { - SVCCTL_Q_CONTROL_SERVICE q_u; - SVCCTL_R_CONTROL_SERVICE r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!svcctl_io_q_control_service("", &q_u, data, 0)) - return False; - - r_u.status = _svcctl_control_service(p, &q_u, &r_u); - - if(!svcctl_io_r_control_service("", &r_u, rdata, 0)) - return False; - - return True; + return proxy_svcctl_call(p, NDR_SVCCTL_CONTROLSERVICE); } /******************************************************************* @@ -315,23 +219,7 @@ static bool api_svcctl_query_service_config2(pipes_struct *p) static bool api_svcctl_lock_service_db(pipes_struct *p) { - SVCCTL_Q_LOCK_SERVICE_DB q_u; - SVCCTL_R_LOCK_SERVICE_DB r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!svcctl_io_q_lock_service_db("", &q_u, data, 0)) - return False; - - r_u.status = _svcctl_lock_service_db(p, &q_u, &r_u); - - if(!svcctl_io_r_lock_service_db("", &r_u, rdata, 0)) - return False; - - return True; + return proxy_svcctl_call(p, NDR_SVCCTL_LOCKSERVICEDATABASE); } 
@@ -340,23 +228,7 @@ static bool api_svcctl_lock_service_db(pipes_struct *p) static bool api_svcctl_unlock_service_db(pipes_struct *p) { - SVCCTL_Q_UNLOCK_SERVICE_DB q_u; - SVCCTL_R_UNLOCK_SERVICE_DB r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!svcctl_io_q_unlock_service_db("", &q_u, data, 0)) - return False; - - r_u.status = _svcctl_unlock_service_db(p, &q_u, &r_u); - - if(!svcctl_io_r_unlock_service_db("", &r_u, rdata, 0)) - return False; - - return True; + return proxy_svcctl_call(p, NDR_SVCCTL_UNLOCKSERVICEDATABASE); } /******************************************************************* @@ -364,23 +236,7 @@ static bool api_svcctl_unlock_service_db(pipes_struct *p) static bool api_svcctl_query_security_sec(pipes_struct *p) { - SVCCTL_Q_QUERY_SERVICE_SEC q_u; - SVCCTL_R_QUERY_SERVICE_SEC r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!svcctl_io_q_query_service_sec("", &q_u, data, 0)) - return False; - - r_u.status = _svcctl_query_service_sec(p, &q_u, &r_u); - - if(!svcctl_io_r_query_service_sec("", &r_u, rdata, 0)) - return False; - - return True; + return proxy_svcctl_call(p, NDR_SVCCTL_QUERYSERVICEOBJECTSECURITY); } /******************************************************************* 
@@ -388,23 +244,7 @@ static bool api_svcctl_query_security_sec(pipes_struct *p) static bool api_svcctl_set_security_sec(pipes_struct *p) { - SVCCTL_Q_SET_SERVICE_SEC q_u; - SVCCTL_R_SET_SERVICE_SEC r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - if(!svcctl_io_q_set_service_sec("", &q_u, data, 0)) - return False; - - r_u.status = _svcctl_set_service_sec(p, &q_u, &r_u); - - if(!svcctl_io_r_set_service_sec("", &r_u, rdata, 0)) - return False; - - return True; + return proxy_svcctl_call(p, NDR_SVCCTL_SETSERVICEOBJECTSECURITY); } diff --git a/source3/rpc_server/srv_svcctl_nt.c b/source3/rpc_server/srv_svcctl_nt.c index ac45d8bf75..73d09b1bbb 100644 --- a/source3/rpc_server/srv_svcctl_nt.c +++ b/source3/rpc_server/srv_svcctl_nt.c @@ -1,22 +1,22 @@ -/* +/* * Unix SMB/CIFS implementation. * RPC Pipe client / server routines * * Copyright (C) Marcin Krzysztof Porwit 2005. - * + * * Largely Rewritten (Again) by: * Copyright (C) Gerald (Jerry) Carter 2005. - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License * along with this program; if not, see <http://www.gnu.org/licenses/>. */ 
@@ -63,42 +63,42 @@ bool init_service_op_table( void ) const char **service_list = lp_svcctl_list(); int num_services = SVCCTL_NUM_INTERNAL_SERVICES + str_list_count( service_list ); int i; - + if ( !(svcctl_ops = TALLOC_ARRAY( NULL, struct service_control_op, num_services+1)) ) { DEBUG(0,("init_service_op_table: talloc() failed!\n")); return False; } /* services listed in smb.conf get the rc.init interface */ - + for ( i=0; service_list && service_list[i]; i++ ) { svcctl_ops[i].name = talloc_strdup( svcctl_ops, service_list[i] ); svcctl_ops[i].ops = &rcinit_svc_ops; } - + /* add builtin services */ - + svcctl_ops[i].name = talloc_strdup( svcctl_ops, "Spooler" ); svcctl_ops[i].ops = &spoolss_svc_ops; i++; - + svcctl_ops[i].name = talloc_strdup( svcctl_ops, "NETLOGON" ); svcctl_ops[i].ops = &netlogon_svc_ops; i++; - + svcctl_ops[i].name = talloc_strdup( svcctl_ops, "RemoteRegistry" ); svcctl_ops[i].ops = &winreg_svc_ops; i++; - + svcctl_ops[i].name = talloc_strdup( svcctl_ops, "WINS" ); svcctl_ops[i].ops = &wins_svc_ops; i++; - + /* NULL terminate the array */ - + svcctl_ops[i].name = NULL; svcctl_ops[i].ops = NULL; - + return True; } @@ -119,7 +119,7 @@ static struct service_control_op* find_service_by_name( const char *name ) /******************************************************************** ********************************************************************/ -static NTSTATUS svcctl_access_check( SEC_DESC *sec_desc, NT_USER_TOKEN *token, +static NTSTATUS svcctl_access_check( SEC_DESC *sec_desc, NT_USER_TOKEN *token, uint32 access_desired, uint32 *access_granted ) { NTSTATUS result; @@ -128,7 +128,7 @@ static NTSTATUS svcctl_access_check( SEC_DESC *sec_desc, NT_USER_TOKEN *token, DEBUG(5,("svcctl_access_check: using root's token\n")); token = get_root_nt_token(); } - + se_access_check( sec_desc, token, access_desired, access_granted, &result ); return result; 
@@ -139,7 +139,7 @@ static NTSTATUS svcctl_access_check( SEC_DESC *sec_desc, NT_USER_TOKEN *token, static SEC_DESC* construct_scm_sd( TALLOC_CTX *ctx ) { - SEC_ACE ace[2]; + SEC_ACE ace[2]; SEC_ACCESS mask; size_t i = 0; SEC_DESC *sd; @@ -147,18 +147,18 @@ static SEC_DESC* construct_scm_sd( TALLOC_CTX *ctx ) size_t sd_size; /* basic access for Everyone */ - + init_sec_access(&mask, SC_MANAGER_READ_ACCESS ); init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - + /* Full Access 'BUILTIN\Administrators' */ - + init_sec_access(&mask,SC_MANAGER_ALL_ACCESS ); init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - + + /* create the security descriptor */ - + if ( !(acl = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) ) return NULL; @@ -173,7 +173,7 @@ static SEC_DESC* construct_scm_sd( TALLOC_CTX *ctx ) /****************************************************************** free() function for REGISTRY_KEY *****************************************************************/ - + static void free_service_handle_info(void *ptr) { TALLOC_FREE( ptr ); @@ -197,21 +197,21 @@ static SERVICE_INFO *find_service_info_by_hnd(pipes_struct *p, POLICY_HND *hnd) /****************************************************************** *****************************************************************/ - + static WERROR create_open_service_handle( pipes_struct *p, POLICY_HND *handle, uint32 type, const char *service, uint32 access_granted ) { SERVICE_INFO *info = NULL; WERROR result = WERR_OK; struct service_control_op *s_op; - + if ( !(info = TALLOC_ZERO_P( NULL, SERVICE_INFO )) ) return WERR_NOMEM; /* the Service Manager has a NULL name */ - + info->type = SVC_HANDLE_IS_SCM; - + switch ( type ) { case SVC_HANDLE_IS_SCM: info->type = SVC_HANDLE_IS_SCM; 
@@ -220,17 +220,17 @@ static WERROR create_open_service_handle( pipes_struct *p, POLICY_HND *handle, u case SVC_HANDLE_IS_DBLOCK: info->type = SVC_HANDLE_IS_DBLOCK; break; - + case SVC_HANDLE_IS_SERVICE: info->type = SVC_HANDLE_IS_SERVICE; - + /* lookup the SERVICE_CONTROL_OPS */ if ( !(s_op = find_service_by_name( service )) ) { result = WERR_NO_SUCH_SERVICE; goto done; } - + info->ops = s_op->ops; if ( !(info->name = talloc_strdup( info, s_op->name )) ) { @@ -244,15 +244,15 @@ static WERROR create_open_service_handle( pipes_struct *p, POLICY_HND *handle, u goto done; } - info->access_granted = access_granted; - + info->access_granted = access_granted; + /* store the SERVICE_INFO and create an open handle */ - + if ( !create_policy_hnd( p, handle, free_service_handle_info, info ) ) { result = WERR_ACCESS_DENIED; goto done; } - + done: if ( !W_ERROR_IS_OK(result) ) free_service_handle_info( info ); 
@@ -263,62 +263,61 @@ done: /******************************************************************** ********************************************************************/ -WERROR _svcctl_open_scmanager(pipes_struct *p, SVCCTL_Q_OPEN_SCMANAGER *q_u, SVCCTL_R_OPEN_SCMANAGER *r_u) +WERROR _svcctl_OpenSCManagerW(pipes_struct *p, + struct svcctl_OpenSCManagerW *r) { SEC_DESC *sec_desc; uint32 access_granted = 0; NTSTATUS status; - + /* perform access checks */ - + if ( !(sec_desc = construct_scm_sd( p->mem_ctx )) ) return WERR_NOMEM; - - se_map_generic( &q_u->access, &scm_generic_map ); - status = svcctl_access_check( sec_desc, p->pipe_user.nt_user_token, q_u->access, &access_granted ); + + se_map_generic( &r->in.access_mask, &scm_generic_map ); + status = svcctl_access_check( sec_desc, p->pipe_user.nt_user_token, r->in.access_mask, &access_granted ); if ( !NT_STATUS_IS_OK(status) ) return ntstatus_to_werror( status ); - - return create_open_service_handle( p, &r_u->handle, SVC_HANDLE_IS_SCM, NULL, access_granted ); + + return create_open_service_handle( p, r->out.handle, SVC_HANDLE_IS_SCM, NULL, access_granted ); } /******************************************************************** + _svcctl_OpenServiceW ********************************************************************/ -WERROR _svcctl_open_service(pipes_struct *p, SVCCTL_Q_OPEN_SERVICE *q_u, SVCCTL_R_OPEN_SERVICE *r_u) +WERROR _svcctl_OpenServiceW(pipes_struct *p, + struct svcctl_OpenServiceW *r) { SEC_DESC *sec_desc; uint32 access_granted = 0; NTSTATUS status; - char *service = NULL; - size_t ret = rpcstr_pull_talloc(p->mem_ctx, - &service, - q_u->servicename.buffer, - q_u->servicename.uni_str_len*2, - 0); - - if (ret == (size_t)-1 || !service) { + const char *service = NULL; + + service = r->in.ServiceName; + if (!service) { return WERR_NOMEM; } - DEBUG(5, ("_svcctl_open_service: Attempting to open Service [%s], \n", service)); + DEBUG(5, ("_svcctl_OpenServiceW: Attempting to open Service [%s], \n", service)); /* 
based on my tests you can open a service if you have a valid scm handle */ - if ( !find_service_info_by_hnd( p, &q_u->handle ) ) + if ( !find_service_info_by_hnd( p, r->in.scmanager_handle) ) return WERR_BADFID; - /* perform access checks. Use the root token in order to ensure that we + /* perform access checks. Use the root token in order to ensure that we retrieve the security descriptor */ if ( !(sec_desc = svcctl_get_secdesc( p->mem_ctx, service, get_root_nt_token() )) ) return WERR_NOMEM; - se_map_generic( &q_u->access, &svc_generic_map ); - status = svcctl_access_check( sec_desc, p->pipe_user.nt_user_token, q_u->access, &access_granted ); + se_map_generic( &r->in.access_mask, &svc_generic_map ); + status = svcctl_access_check( sec_desc, p->pipe_user.nt_user_token, r->in.access_mask, &access_granted ); if ( !NT_STATUS_IS_OK(status) ) return ntstatus_to_werror( status ); - return create_open_service_handle( p, &r_u->handle, SVC_HANDLE_IS_SERVICE, service, access_granted ); + return create_open_service_handle( p, r->out.handle, SVC_HANDLE_IS_SERVICE, service, access_granted ); } /******************************************************************** 
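Review bot: In `_svcctl_OpenServiceW` a missing `r->in.ServiceName` is reported as `WERR_NOMEM`, which presents a malformed client request as a server allocation failure; that code only made sense while the name came from a string conversion that could fail. `if (!service) { return WERR_INVALID_PARAM; }` describes the condition accurately. The client-supplied name is also passed to `svcctl_get_secdesc` with the root token before it is matched against the service table in `create_open_service_handle`, so a comment such as `/* service is client-supplied and not yet validated against svcctl_ops */` above that call would tell the next reader what the lookup has to tolerate.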
@@ -329,49 +328,58 @@ WERROR _svcctl_CloseServiceHandle(pipes_struct *p, struct svcctl_CloseServiceHan if ( !close_policy_hnd( p, r->in.handle ) ) return WERR_BADFID; - return WERR_OK; + return WERR_OK; } /******************************************************************** + _svcctl_GetServiceDisplayNameW ********************************************************************/ -WERROR _svcctl_get_display_name(pipes_struct *p, SVCCTL_Q_GET_DISPLAY_NAME *q_u, SVCCTL_R_GET_DISPLAY_NAME *r_u) +WERROR _svcctl_GetServiceDisplayNameW(pipes_struct *p, + struct svcctl_GetServiceDisplayNameW *r) { - fstring service; + const char *service; const char *display_name; - SERVICE_INFO *info = find_service_info_by_hnd( p, &q_u->handle ); - + SERVICE_INFO *info = find_service_info_by_hnd( p, r->in.handle ); + /* can only use an SCM handle here */ - + if ( !info || (info->type != SVC_HANDLE_IS_SCM) ) return WERR_BADFID; - - rpcstr_pull(service, q_u->servicename.buffer, sizeof(service), q_u->servicename.uni_str_len*2, 0); - + + service = r->in.service_name; + display_name = svcctl_lookup_dispname(p->mem_ctx, service, p->pipe_user.nt_user_token ); - init_svcctl_r_get_display_name( r_u, display_name ? 
display_name : ""); + if (!display_name) { + display_name = ""; + } + + *r->out.display_name = display_name; + *r->out.display_name_length = strlen(display_name); return WERR_OK; } /******************************************************************** + _svcctl_QueryServiceStatus ********************************************************************/ -WERROR _svcctl_query_status(pipes_struct *p, SVCCTL_Q_QUERY_STATUS *q_u, SVCCTL_R_QUERY_STATUS *r_u) +WERROR _svcctl_QueryServiceStatus(pipes_struct *p, + struct svcctl_QueryServiceStatus *r) { - SERVICE_INFO *info = find_service_info_by_hnd( p, &q_u->handle ); - + SERVICE_INFO *info = find_service_info_by_hnd( p, r->in.handle ); + /* perform access checks */ if ( !info || (info->type != SVC_HANDLE_IS_SERVICE) ) return WERR_BADFID; - + if ( !(info->access_granted & SC_RIGHT_SVC_QUERY_STATUS) ) return WERR_ACCESS_DENIED; - + /* try the service specific status call */ - return info->ops->service_status( info->name, &r_u->svc_status ); + return info->ops->service_status( info->name, r->out.service_status ); } /******************************************************************** @@ -383,7 +391,7 @@ static int enumerate_status( TALLOC_CTX *ctx, ENUM_SERVICES_STATUS **status, NT_ int i; ENUM_SERVICES_STATUS *st; const char *display_name; - + /* just count */ while ( svcctl_ops[num_services].name ) num_services++; @@ -392,16 +400,16 @@ static int enumerate_status( TALLOC_CTX *ctx, ENUM_SERVICES_STATUS **status, NT_ DEBUG(0,("enumerate_status: talloc() failed!\n")); return -1; } - + for ( i=0; i<num_services; i++ ) { init_unistr( &st[i].servicename, svcctl_ops[i].name ); - + display_name = svcctl_lookup_dispname(ctx, svcctl_ops[i].name, token ); init_unistr( &st[i].displayname, display_name ? display_name : ""); - + svcctl_ops[i].ops->service_status( svcctl_ops[i].name, &st[i].status ); } - + *status = st; return num_services; 
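Review bot: `_svcctl_GetServiceDisplayNameW` hands `r->in.service_name` to `svcctl_lookup_dispname` without the NULL check that `_svcctl_OpenServiceW` applies to its name argument in the same commit. If the interface definition allows a null name here (not visible in this hunk), add `if (!service) { return WERR_INVALID_PARAM; }` after the handle check. The reply length is set with `*r->out.display_name_length = strlen(display_name);` regardless of any buffer length the client sent, so it is worth a comment stating whether the caller's limit is deliberately ignored.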
@@ -419,12 +427,12 @@ WERROR _svcctl_enum_services_status(pipes_struct *p, SVCCTL_Q_ENUM_SERVICES_STAT WERROR result = WERR_OK; SERVICE_INFO *info = find_service_info_by_hnd( p, &q_u->handle ); NT_USER_TOKEN *token = p->pipe_user.nt_user_token; - + /* perform access checks */ if ( !info || (info->type != SVC_HANDLE_IS_SCM) ) return WERR_BADFID; - + if ( !(info->access_granted & SC_RIGHT_MGR_ENUMERATE_SERVICE) ) { return WERR_ACCESS_DENIED; } 
@@ -464,51 +472,57 @@ WERROR _svcctl_enum_services_status(pipes_struct *p, SVCCTL_Q_ENUM_SERVICES_STAT } /******************************************************************** + _svcctl_StartServiceW ********************************************************************/ -WERROR _svcctl_start_service(pipes_struct *p, SVCCTL_Q_START_SERVICE *q_u, SVCCTL_R_START_SERVICE *r_u) +WERROR _svcctl_StartServiceW(pipes_struct *p, + struct svcctl_StartServiceW *r) { - SERVICE_INFO *info = find_service_info_by_hnd( p, &q_u->handle ); - + SERVICE_INFO *info = find_service_info_by_hnd( p, r->in.handle ); + /* perform access checks */ if ( !info || (info->type != SVC_HANDLE_IS_SERVICE) ) return WERR_BADFID; - + if ( !(info->access_granted & SC_RIGHT_SVC_START) ) return WERR_ACCESS_DENIED; - + return info->ops->start_service( info->name ); } /******************************************************************** + _svcctl_ControlService ********************************************************************/ -WERROR _svcctl_control_service(pipes_struct *p, SVCCTL_Q_CONTROL_SERVICE *q_u, SVCCTL_R_CONTROL_SERVICE *r_u) +WERROR _svcctl_ControlService(pipes_struct *p, + struct svcctl_ControlService *r) { - SERVICE_INFO *info = find_service_info_by_hnd( p, &q_u->handle ); - + SERVICE_INFO *info = find_service_info_by_hnd( p, r->in.handle ); + /* perform access checks */ - + if ( !info || (info->type != SVC_HANDLE_IS_SERVICE) ) - return WERR_BADFID; - - switch ( q_u->control ) { + return WERR_BADFID; + + switch ( r->in.control ) { case SVCCTL_CONTROL_STOP: if ( !(info->access_granted & SC_RIGHT_SVC_STOP) ) return WERR_ACCESS_DENIED; - - return info->ops->stop_service( info->name, &r_u->svc_status ); - + + return info->ops->stop_service( info->name, + r->out.service_status ); + case SVCCTL_CONTROL_INTERROGATE: if ( !(info->access_granted & SC_RIGHT_SVC_QUERY_STATUS) ) return WERR_ACCESS_DENIED; - - return info->ops->service_status( info->name, &r_u->svc_status ); + + return 
info->ops->service_status( info->name, + r->out.service_status ); } - + /* default control action */ - + return WERR_ACCESS_DENIED; } @@ -518,22 +532,22 @@ WERROR _svcctl_control_service(pipes_struct *p, SVCCTL_Q_CONTROL_SERVICE *q_u, S WERROR _svcctl_enum_dependent_services( pipes_struct *p, SVCCTL_Q_ENUM_DEPENDENT_SERVICES *q_u, SVCCTL_R_ENUM_DEPENDENT_SERVICES *r_u ) { SERVICE_INFO *info = find_service_info_by_hnd( p, &q_u->handle ); - + /* perform access checks */ if ( !info || (info->type != SVC_HANDLE_IS_SERVICE) ) - return WERR_BADFID; - + return WERR_BADFID; + if ( !(info->access_granted & SC_RIGHT_SVC_ENUMERATE_DEPENDENTS) ) return WERR_ACCESS_DENIED; - - /* we have to set the outgoing buffer size to the same as the + + /* we have to set the outgoing buffer size to the same as the incoming buffer size (even in the case of failure */ rpcbuf_init( &r_u->buffer, q_u->buffer_size, p->mem_ctx ); - + r_u->needed = q_u->buffer_size; - + /* no dependent services...basically a stub function */ r_u->returned = 0; @@ -547,21 +561,21 @@ WERROR _svcctl_query_service_status_ex( pipes_struct *p, SVCCTL_Q_QUERY_SERVICE_ { SERVICE_INFO *info = find_service_info_by_hnd( p, &q_u->handle ); uint32 buffer_size; - + /* perform access checks */ if ( !info || (info->type != SVC_HANDLE_IS_SERVICE) ) - return WERR_BADFID; - + return WERR_BADFID; + if ( !(info->access_granted & SC_RIGHT_SVC_QUERY_STATUS) ) return WERR_ACCESS_DENIED; - /* we have to set the outgoing buffer size to the same as the + /* we have to set the outgoing buffer size to the same as the incoming buffer size (even in the case of failure) */ rpcbuf_init( &r_u->buffer, q_u->buffer_size, p->mem_ctx ); r_u->needed = q_u->buffer_size; - + switch ( q_u->level ) { case SVC_STATUS_PROCESS_INFO: { 
@@ -576,18 +590,18 @@ WERROR _svcctl_query_service_status_ex( pipes_struct *p, SVCCTL_Q_QUERY_SERVICE_ buffer_size = sizeof(SERVICE_STATUS_PROCESS); break; } - + default: - return WERR_UNKNOWN_LEVEL; + return WERR_UNKNOWN_LEVEL; } - + buffer_size += buffer_size % 4; r_u->needed = (buffer_size > q_u->buffer_size) ? buffer_size : q_u->buffer_size; - if (buffer_size > q_u->buffer_size ) + if (buffer_size > q_u->buffer_size ) return WERR_MORE_DATA; - + return WERR_OK; } @@ -600,12 +614,12 @@ static WERROR fill_svc_config( TALLOC_CTX *ctx, const char *name, SERVICE_CONFIG REGISTRY_VALUE *val; /* retrieve the registry values for this service */ - + if ( !(values = svcctl_fetch_regvalues( name, token )) ) return WERR_REG_CORRUPT; - + /* now fill in the individual values */ - + config->displayname = TALLOC_ZERO_P( ctx, UNISTR2 ); if ( (val = regval_ctr_getvalue( values, "DisplayName" )) != NULL ) init_unistr2( config->displayname, regval_sz( val ), UNI_STR_TERMINATE ); 
@@ -613,23 +627,23 @@ static WERROR fill_svc_config( TALLOC_CTX *ctx, const char *name, SERVICE_CONFIG init_unistr2( config->displayname, name, UNI_STR_TERMINATE ); if ( (val = regval_ctr_getvalue( values, "ObjectName" )) != NULL ) { - config->startname = TALLOC_ZERO_P( ctx, UNISTR2 ); + config->startname = TALLOC_ZERO_P( ctx, UNISTR2 ); init_unistr2( config->startname, regval_sz( val ), UNI_STR_TERMINATE ); } - + if ( (val = regval_ctr_getvalue( values, "ImagePath" )) != NULL ) { - config->executablepath = TALLOC_ZERO_P( ctx, UNISTR2 ); + config->executablepath = TALLOC_ZERO_P( ctx, UNISTR2 ); init_unistr2( config->executablepath, regval_sz( val ), UNI_STR_TERMINATE ); } /* a few hard coded values */ /* loadordergroup and dependencies are empty */ - + config->tag_id = 0x00000000; /* unassigned loadorder group */ config->service_type = SVCCTL_WIN32_OWN_PROC; config->error_control = SVCCTL_SVC_ERROR_NORMAL; - /* set the start type. NetLogon and WINS are disabled to prevent + /* set the start type. NetLogon and WINS are disabled to prevent the client from showing the "Start" button (if of course the services are not running */ @@ -639,7 +653,7 @@ static WERROR fill_svc_config( TALLOC_CTX *ctx, const char *name, SERVICE_CONFIG config->start_type = SVCCTL_DISABLED; else config->start_type = SVCCTL_DEMAND_START; - + TALLOC_FREE( values ); 
@@ -654,24 +668,24 @@ WERROR _svcctl_query_service_config( pipes_struct *p, SVCCTL_Q_QUERY_SERVICE_CON SERVICE_INFO *info = find_service_info_by_hnd( p, &q_u->handle ); uint32 buffer_size; WERROR wresult; - + /* perform access checks */ if ( !info || (info->type != SVC_HANDLE_IS_SERVICE) ) - return WERR_BADFID; - + return WERR_BADFID; + if ( !(info->access_granted & SC_RIGHT_SVC_QUERY_CONFIG) ) return WERR_ACCESS_DENIED; - /* we have to set the outgoing buffer size to the same as the + /* we have to set the outgoing buffer size to the same as the incoming buffer size (even in the case of failure */ r_u->needed = q_u->buffer_size; - + wresult = fill_svc_config( p->mem_ctx, info->name, &r_u->config, p->pipe_user.nt_user_token ); if ( !W_ERROR_IS_OK(wresult) ) return wresult; - + buffer_size = svcctl_sizeof_service_config( &r_u->config ); r_u->needed = (buffer_size > q_u->buffer_size) ? buffer_size : q_u->buffer_size; @@ -679,7 +693,7 @@ WERROR _svcctl_query_service_config( pipes_struct *p, SVCCTL_Q_QUERY_SERVICE_CON ZERO_STRUCTP( &r_u->config ); return WERR_INSUFFICIENT_BUFFER; } - + return WERR_OK; } 
@@ -750,53 +764,61 @@ WERROR _svcctl_query_service_config2( pipes_struct *p, SVCCTL_Q_QUERY_SERVICE_CO } /******************************************************************** + _svcctl_LockServiceDatabase ********************************************************************/ -WERROR _svcctl_lock_service_db( pipes_struct *p, SVCCTL_Q_LOCK_SERVICE_DB *q_u, SVCCTL_R_LOCK_SERVICE_DB *r_u ) +WERROR _svcctl_LockServiceDatabase(pipes_struct *p, + struct svcctl_LockServiceDatabase *r) { - SERVICE_INFO *info = find_service_info_by_hnd( p, &q_u->handle ); - + SERVICE_INFO *info = find_service_info_by_hnd( p, r->in.handle ); + /* perform access checks */ if ( !info || (info->type != SVC_HANDLE_IS_SCM) ) - return WERR_BADFID; - + return WERR_BADFID; + if ( !(info->access_granted & SC_RIGHT_MGR_LOCK) ) return WERR_ACCESS_DENIED; /* Just open a handle. Doesn't actually lock anything */ - - return create_open_service_handle( p, &r_u->h_lock, SVC_HANDLE_IS_DBLOCK, NULL, 0 ); -; + + return create_open_service_handle( p, r->out.lock, SVC_HANDLE_IS_DBLOCK, NULL, 0 ); } /******************************************************************** + _svcctl_UnlockServiceDatabase ********************************************************************/ -WERROR _svcctl_unlock_service_db( pipes_struct *p, SVCCTL_Q_UNLOCK_SERVICE_DB *q_u, SVCCTL_R_UNLOCK_SERVICE_DB *r_u ) +WERROR _svcctl_UnlockServiceDatabase(pipes_struct *p, + struct svcctl_UnlockServiceDatabase *r) { - SERVICE_INFO *info = find_service_info_by_hnd( p, &q_u->h_lock ); + SERVICE_INFO *info = find_service_info_by_hnd( p, r->in.lock ); if ( !info || (info->type != SVC_HANDLE_IS_DBLOCK) ) - return WERR_BADFID; - - return close_policy_hnd( p, &q_u->h_lock) ? WERR_OK : WERR_BADFID; + return WERR_BADFID; + + return close_policy_hnd( p, r->out.lock) ? 
WERR_OK : WERR_BADFID; } /******************************************************************** + _svcctl_QueryServiceObjectSecurity ********************************************************************/ -WERROR _svcctl_query_service_sec( pipes_struct *p, SVCCTL_Q_QUERY_SERVICE_SEC *q_u, SVCCTL_R_QUERY_SERVICE_SEC *r_u ) +WERROR _svcctl_QueryServiceObjectSecurity(pipes_struct *p, + struct svcctl_QueryServiceObjectSecurity *r) { - SERVICE_INFO *info = find_service_info_by_hnd( p, &q_u->handle ); + SERVICE_INFO *info = find_service_info_by_hnd( p, r->in.handle ); SEC_DESC *sec_desc; + NTSTATUS status; + uint8_t *buffer = NULL; + size_t len = 0; /* only support the SCM and individual services */ if ( !info || !(info->type & (SVC_HANDLE_IS_SERVICE|SVC_HANDLE_IS_SCM)) ) - return WERR_BADFID; + return WERR_BADFID; /* check access reights (according to MSDN) */ @@ -805,7 +827,7 @@ WERROR _svcctl_query_service_sec( pipes_struct *p, SVCCTL_Q_QUERY_SERVICE_SEC *q /* TODO: handle something besides DACL_SECURITY_INFORMATION */ - if ( (q_u->security_flags & DACL_SECURITY_INFORMATION) != DACL_SECURITY_INFORMATION ) + if ( (r->in.security_flags & DACL_SECURITY_INFORMATION) != DACL_SECURITY_INFORMATION ) return WERR_INVALID_PARAM; /* lookup the security descriptor and marshall it up for a reply */ 
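Review bot: `_svcctl_UnlockServiceDatabase` validates the handle through `r->in.lock` but then closes `r->out.lock`, which is only correct if the generated stub makes both fields point at the same policy handle; this hunk does not show that. Closing the pointer that was just type-checked, `return close_policy_hnd( p, r->in.lock ) ? WERR_OK : WERR_BADFID;`, removes the dependency on the stub's aliasing. If the out handle is meant to be returned zeroed after the close, that should be done explicitly and commented.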
@@ -813,29 +835,35 @@ WERROR _svcctl_query_service_sec( pipes_struct *p, SVCCTL_Q_QUERY_SERVICE_SEC *q if ( !(sec_desc = svcctl_get_secdesc( p->mem_ctx, info->name, get_root_nt_token() )) ) return WERR_NOMEM; - r_u->needed = ndr_size_security_descriptor( sec_desc, 0 ); + *r->out.needed = ndr_size_security_descriptor( sec_desc, 0 ); - if ( r_u->needed > q_u->buffer_size ) { - ZERO_STRUCTP( &r_u->buffer ); + if ( *r->out.needed > r->in.buffer_size ) { + ZERO_STRUCTP( &r->out.buffer ); return WERR_INSUFFICIENT_BUFFER; } - rpcbuf_init( &r_u->buffer, q_u->buffer_size, p->mem_ctx ); + status = marshall_sec_desc(p->mem_ctx, sec_desc, &buffer, &len); + if (!NT_STATUS_IS_OK(status)) { + return ntstatus_to_werror(status); + } + + *r->out.needed = len; + r->out.buffer = buffer; - if ( !sec_io_desc("", &sec_desc, &r_u->buffer.prs, 0 ) ) - return WERR_NOMEM; - return WERR_OK; } /******************************************************************** + _svcctl_SetServiceObjectSecurity ********************************************************************/ -WERROR _svcctl_set_service_sec( pipes_struct *p, SVCCTL_Q_SET_SERVICE_SEC *q_u, SVCCTL_R_SET_SERVICE_SEC *r_u ) +WERROR _svcctl_SetServiceObjectSecurity(pipes_struct *p, + struct svcctl_SetServiceObjectSecurity *r) { - SERVICE_INFO *info = find_service_info_by_hnd( p, &q_u->handle ); + SERVICE_INFO *info = find_service_info_by_hnd( p, r->in.handle ); SEC_DESC *sec_desc = NULL; uint32 required_access; + NTSTATUS status; if ( !info || !(info->type & (SVC_HANDLE_IS_SERVICE|SVC_HANDLE_IS_SCM)) ) return WERR_BADFID; 
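Review bot: In `_svcctl_QueryServiceObjectSecurity` the size check uses the estimate from `ndr_size_security_descriptor`, but the reply is built from the `len` that `marshall_sec_desc` returns, and `len` is never compared with `r->in.buffer_size`. Re-check after marshalling with `if (len > r->in.buffer_size) { return WERR_INSUFFICIENT_BUFFER; }` so the reply cannot exceed what the client asked for. `r->out.buffer` is also replaced by an allocation of exactly `len` bytes; if the generated marshalling code sends `r->in.buffer_size` bytes from it, a larger client-supplied size would read past that allocation, so this needs confirming against the stub, which is not part of this hunk. The function begins in an earlier hunk.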
@@ -843,298 +871,242 @@ WERROR _svcctl_set_service_sec( pipes_struct *p, SVCCTL_Q_SET_SERVICE_SEC *q_u, /* can't set the security de4scriptor on the ServiceControlManager */ if ( info->type == SVC_HANDLE_IS_SCM ) - return WERR_ACCESS_DENIED; + return WERR_ACCESS_DENIED; /* check the access on the open handle */ - - switch ( q_u->security_flags ) { + + switch ( r->in.security_flags ) { case DACL_SECURITY_INFORMATION: required_access = STD_RIGHT_WRITE_DAC_ACCESS; break; - + case OWNER_SECURITY_INFORMATION: case GROUP_SECURITY_INFORMATION: required_access = STD_RIGHT_WRITE_OWNER_ACCESS; break; - + case SACL_SECURITY_INFORMATION: return WERR_INVALID_PARAM; default: return WERR_INVALID_PARAM; } - + if ( !(info->access_granted & required_access) ) return WERR_ACCESS_DENIED; - + /* read the security descfriptor */ - - if ( !sec_io_desc("", &sec_desc, &q_u->buffer.prs, 0 ) ) - return WERR_NOMEM; - + + status = unmarshall_sec_desc(p->mem_ctx, + r->in.buffer, r->in.buffer_size, + &sec_desc); + if (!NT_STATUS_IS_OK(status)) { + return ntstatus_to_werror(status); + } + /* store the new SD */ - if ( !svcctl_set_secdesc( p->mem_ctx, info->name, sec_desc, p->pipe_user.nt_user_token ) ) + if ( !svcctl_set_secdesc( p->mem_ctx, info->name, sec_desc, p->pipe_user.nt_user_token ) ) return WERR_ACCESS_DENIED; return WERR_OK; } -WERROR _svcctl_ControlService(pipes_struct *p, struct svcctl_ControlService *r) -{ - p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; -} - WERROR _svcctl_DeleteService(pipes_struct *p, struct svcctl_DeleteService *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; -} - -WERROR _svcctl_LockServiceDatabase(pipes_struct *p, struct svcctl_LockServiceDatabase *r) -{ - p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; -} - -WERROR _svcctl_QueryServiceObjectSecurity(pipes_struct *p, struct svcctl_QueryServiceObjectSecurity *r) -{ - p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; -} - -WERROR _svcctl_SetServiceObjectSecurity(pipes_struct 
*p, struct svcctl_SetServiceObjectSecurity *r) -{ - p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; -} - -WERROR _svcctl_QueryServiceStatus(pipes_struct *p, struct svcctl_QueryServiceStatus *r) -{ - p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_SetServiceStatus(pipes_struct *p, struct svcctl_SetServiceStatus *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; -} - -WERROR _svcctl_UnlockServiceDatabase(pipes_struct *p, struct svcctl_UnlockServiceDatabase *r) -{ - p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_NotifyBootConfigStatus(pipes_struct *p, struct svcctl_NotifyBootConfigStatus *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_SCSetServiceBitsW(pipes_struct *p, struct svcctl_SCSetServiceBitsW *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_ChangeServiceConfigW(pipes_struct *p, struct svcctl_ChangeServiceConfigW *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_CreateServiceW(pipes_struct *p, struct svcctl_CreateServiceW *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_EnumDependentServicesW(pipes_struct *p, struct svcctl_EnumDependentServicesW *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_EnumServicesStatusW(pipes_struct *p, struct svcctl_EnumServicesStatusW *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; -} - -WERROR _svcctl_OpenSCManagerW(pipes_struct *p, struct svcctl_OpenSCManagerW *r) -{ - p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; -} - -WERROR _svcctl_OpenServiceW(pipes_struct *p, struct svcctl_OpenServiceW *r) -{ - p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR 
_svcctl_QueryServiceConfigW(pipes_struct *p, struct svcctl_QueryServiceConfigW *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_QueryServiceLockStatusW(pipes_struct *p, struct svcctl_QueryServiceLockStatusW *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; -} - -WERROR _svcctl_StartServiceW(pipes_struct *p, struct svcctl_StartServiceW *r) -{ - p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; -} - -WERROR _svcctl_GetServiceDisplayNameW(pipes_struct *p, struct svcctl_GetServiceDisplayNameW *r) -{ - p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_GetServiceKeyNameW(pipes_struct *p, struct svcctl_GetServiceKeyNameW *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_SCSetServiceBitsA(pipes_struct *p, struct svcctl_SCSetServiceBitsA *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_ChangeServiceConfigA(pipes_struct *p, struct svcctl_ChangeServiceConfigA *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_CreateServiceA(pipes_struct *p, struct svcctl_CreateServiceA *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_EnumDependentServicesA(pipes_struct *p, struct svcctl_EnumDependentServicesA *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_EnumServicesStatusA(pipes_struct *p, struct svcctl_EnumServicesStatusA *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_OpenSCManagerA(pipes_struct *p, struct svcctl_OpenSCManagerA *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_OpenServiceA(pipes_struct *p, struct svcctl_OpenServiceA *r) { p->rng_fault_state 
= True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_QueryServiceConfigA(pipes_struct *p, struct svcctl_QueryServiceConfigA *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_QueryServiceLockStatusA(pipes_struct *p, struct svcctl_QueryServiceLockStatusA *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_StartServiceA(pipes_struct *p, struct svcctl_StartServiceA *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_GetServiceDisplayNameA(pipes_struct *p, struct svcctl_GetServiceDisplayNameA *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_GetServiceKeyNameA(pipes_struct *p, struct svcctl_GetServiceKeyNameA *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_GetCurrentGroupeStateW(pipes_struct *p, struct svcctl_GetCurrentGroupeStateW *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_EnumServiceGroupW(pipes_struct *p, struct svcctl_EnumServiceGroupW *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_ChangeServiceConfig2A(pipes_struct *p, struct svcctl_ChangeServiceConfig2A *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_ChangeServiceConfig2W(pipes_struct *p, struct svcctl_ChangeServiceConfig2W *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_QueryServiceConfig2A(pipes_struct *p, struct svcctl_QueryServiceConfig2A *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_QueryServiceConfig2W(pipes_struct *p, struct svcctl_QueryServiceConfig2W *r) { p->rng_fault_state = True; - return 
WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_QueryServiceStatusEx(pipes_struct *p, struct svcctl_QueryServiceStatusEx *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _EnumServicesStatusExA(pipes_struct *p, struct EnumServicesStatusExA *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _EnumServicesStatusExW(pipes_struct *p, struct EnumServicesStatusExW *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } WERROR _svcctl_SCSendTSMessage(pipes_struct *p, struct svcctl_SCSendTSMessage *r) { p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + return WERR_NOT_SUPPORTED; } diff --git a/source3/rpc_server/srv_winreg_nt.c b/source3/rpc_server/srv_winreg_nt.c index 74ee94cf75..7ff93e0b07 100644 --- a/source3/rpc_server/srv_winreg_nt.c +++ b/source3/rpc_server/srv_winreg_nt.c @@ -21,14 +21,10 @@ /* Implementation of registry functions. */ #include "includes.h" -#include "regfio.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_RPC_SRV -static const struct generic_mapping reg_generic_map = - { REG_KEY_READ, REG_KEY_WRITE, REG_KEY_EXECUTE, REG_KEY_ALL }; - /****************************************************************** free() function for struct registry_key *****************************************************************/ @@ -40,7 +36,7 @@ static void free_regkey(void *ptr) } /****************************************************************** - Find a registry key handle and return a REGISTRY_KEY + Find a registry key handle and return a struct registry_key * *****************************************************************/ static struct registry_key *find_regkey_by_hnd(pipes_struct *p, 
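Review bot: `_svcctl_SetServiceObjectSecurity` derives `required_access` from `r->in.security_flags` but then stores the entire descriptor decoded from the client's `r->in.buffer`, so the access check covers only the component named in the flags while `svcctl_set_secdesc` receives all of them. Unless that helper filters by component (it is not passed the flags, and its body is not visible here), a handle holding only `STD_RIGHT_WRITE_DAC_ACCESS` could also change owner and group. Either merge only the requested component into the existing descriptor before storing, or at minimum document the gap above the store: `/* sec_desc is client-supplied in full; only the part named by security_flags was access-checked */`. The function starts in the previous hunk.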
@@ -370,9 +366,7 @@ WERROR _winreg_GetVersion(pipes_struct *p, struct winreg_GetVersion *r) if ( !regkey ) return WERR_BADFID; - *r->out.version = 0x00000005; /* Windows 2000 registry API version */ - - return WERR_OK; + return reg_getversion(r->out.version); } 
@@ -657,125 +651,6 @@ static int validate_reg_filename(TALLOC_CTX *ctx, char **pp_fname ) } /******************************************************************* - Note: topkeypat is the *full* path that this *key will be - loaded into (including the name of the key) - ********************************************************************/ - -static WERROR reg_load_tree( REGF_FILE *regfile, const char *topkeypath, - REGF_NK_REC *key ) -{ - REGF_NK_REC *subkey; - REGISTRY_KEY registry_key; - REGVAL_CTR *values; - REGSUBKEY_CTR *subkeys; - int i; - char *path = NULL; - WERROR result = WERR_OK; - - /* initialize the REGISTRY_KEY structure */ - - if ( !(registry_key.hook = reghook_cache_find(topkeypath)) ) { - DEBUG(0,("reg_load_tree: Failed to assigned a REGISTRY_HOOK to [%s]\n", - topkeypath )); - return WERR_BADFILE; - } - - registry_key.name = talloc_strdup( regfile->mem_ctx, topkeypath ); - if ( !registry_key.name ) { - DEBUG(0,("reg_load_tree: Talloc failed for reg_key.name!\n")); - return WERR_NOMEM; - } - - /* now start parsing the values and subkeys */ - - if ( !(subkeys = TALLOC_ZERO_P( regfile->mem_ctx, REGSUBKEY_CTR )) ) - return WERR_NOMEM; - - if ( !(values = TALLOC_ZERO_P( subkeys, REGVAL_CTR )) ) - return WERR_NOMEM; - - /* copy values into the REGVAL_CTR */ - - for ( i=0; i<key->num_values; i++ ) { - regval_ctr_addvalue( values, key->values[i].valuename, key->values[i].type, - (char*)key->values[i].data, (key->values[i].data_size & ~VK_DATA_IN_OFFSET) ); - } - - /* copy subkeys into the REGSUBKEY_CTR */ - - key->subkey_index = 0; - while ( (subkey = regfio_fetch_subkey( regfile, key )) ) { - regsubkey_ctr_addkey( subkeys, subkey->keyname ); - } - - /* write this key and values out */ - - if ( !store_reg_values( ®istry_key, values ) - || !store_reg_keys( ®istry_key, subkeys ) ) - { - DEBUG(0,("reg_load_tree: Failed to load %s!\n", topkeypath)); - result = WERR_REG_IO_FAILURE; - } - - TALLOC_FREE( subkeys ); - - if ( !W_ERROR_IS_OK(result) ) - return 
result; - - /* now continue to load each subkey registry tree */ - - key->subkey_index = 0; - while ( (subkey = regfio_fetch_subkey( regfile, key )) ) { - path = talloc_asprintf(regfile->mem_ctx, - "%s\\%s", - topkeypath, - subkey->keyname); - if (!path) { - return WERR_NOMEM; - } - result = reg_load_tree( regfile, path, subkey ); - if ( !W_ERROR_IS_OK(result) ) - break; - } - - return result; -} - -/******************************************************************* - ********************************************************************/ - -static WERROR restore_registry_key ( REGISTRY_KEY *krecord, const char *fname ) -{ - REGF_FILE *regfile; - REGF_NK_REC *rootkey; - WERROR result; - - /* open the registry file....fail if the file already exists */ - - if ( !(regfile = regfio_open( fname, (O_RDONLY), 0 )) ) { - DEBUG(0,("restore_registry_key: failed to open \"%s\" (%s)\n", - fname, strerror(errno) )); - return ( ntstatus_to_werror(map_nt_error_from_unix( errno )) ); - } - - /* get the rootkey from the regf file and then load the tree - via recursive calls */ - - if ( !(rootkey = regfio_rootkey( regfile )) ) { - regfio_close( regfile ); - return WERR_REG_FILE_INVALID; - } - - result = reg_load_tree( regfile, krecord->name, rootkey ); - - /* cleanup */ - - regfio_close( regfile ); - - return result; -} - -/******************************************************************* ********************************************************************/ WERROR _winreg_RestoreKey(pipes_struct *p, struct winreg_RestoreKey *r) 
@@ -809,175 +684,9 @@ WERROR _winreg_RestoreKey(pipes_struct *p, struct winreg_RestoreKey *r) DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n", regkey->key->name, fname, lp_servicename(snum) )); - return restore_registry_key( regkey->key, fname ); -} - -/******************************************************************** -********************************************************************/ - -static WERROR reg_write_tree( REGF_FILE *regfile, const char *keypath, - REGF_NK_REC *parent, SEC_DESC *sec_desc ) -{ - REGF_NK_REC *key; - REGVAL_CTR *values; - REGSUBKEY_CTR *subkeys; - int i, num_subkeys; - char *key_tmp = NULL; - char *keyname, *parentpath; - char *subkeypath = NULL; - char *subkeyname; - REGISTRY_KEY registry_key; - WERROR result = WERR_OK; - - if (!regfile) - return WERR_GENERAL_FAILURE; - - if (!keypath) - return WERR_OBJECT_PATH_INVALID; - - /* split up the registry key path */ - - key_tmp = talloc_strdup(regfile->mem_ctx, keypath); - if (!key_tmp) { - return WERR_NOMEM; - } - if (!reg_split_key( key_tmp, &parentpath, &keyname ) ) - return WERR_OBJECT_PATH_INVALID; - - if ( !keyname ) - keyname = parentpath; - - /* we need a REGISTRY_KEY object here to enumerate subkeys and values */ - - ZERO_STRUCT( registry_key ); - - if ( (registry_key.name = talloc_strdup(regfile->mem_ctx, keypath)) == NULL ) - return WERR_NOMEM; - - if ( (registry_key.hook = reghook_cache_find( registry_key.name )) == NULL ) - return WERR_BADFILE; - - /* lookup the values and subkeys */ - - if ( !(subkeys = TALLOC_ZERO_P( regfile->mem_ctx, REGSUBKEY_CTR )) ) - return WERR_NOMEM; - - if ( !(values = TALLOC_ZERO_P( subkeys, REGVAL_CTR )) ) - return WERR_NOMEM; - - fetch_reg_keys( ®istry_key, subkeys ); - fetch_reg_values( ®istry_key, values ); - - /* write out this key */ - - if ( !(key = regfio_write_key( regfile, keyname, values, subkeys, sec_desc, parent )) ) { - result = WERR_CAN_NOT_COMPLETE; - goto done; - } - - /* write each one of the subkeys out */ - - 
num_subkeys = regsubkey_ctr_numkeys( subkeys ); - for ( i=0; i<num_subkeys; i++ ) { - subkeyname = regsubkey_ctr_specific_key( subkeys, i ); - subkeypath = talloc_asprintf(regfile->mem_ctx, - "%s\\%s", keypath, subkeyname); - if (!subkeypath) { - result = WERR_NOMEM; - goto done; - } - result = reg_write_tree( regfile, subkeypath, key, sec_desc ); - if ( !W_ERROR_IS_OK(result) ) - goto done; - } - - DEBUG(6,("reg_write_tree: wrote key [%s]\n", keypath )); - -done: - TALLOC_FREE( subkeys ); - TALLOC_FREE( registry_key.name ); - - return result; -} - -/******************************************************************* - ********************************************************************/ - -static WERROR make_default_reg_sd( TALLOC_CTX *ctx, SEC_DESC **psd ) -{ - DOM_SID adm_sid, owner_sid; - SEC_ACE ace[2]; /* at most 2 entries */ - SEC_ACCESS mask; - SEC_ACL *psa = NULL; - size_t sd_size; - - /* set the owner to BUILTIN\Administrator */ - - sid_copy(&owner_sid, &global_sid_Builtin); - sid_append_rid(&owner_sid, DOMAIN_USER_RID_ADMIN ); - - - /* basic access for Everyone */ - - init_sec_access(&mask, reg_generic_map.generic_execute | reg_generic_map.generic_read ); - init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - /* add Full Access 'BUILTIN\Administrators' */ - - init_sec_access(&mask, reg_generic_map.generic_all); - sid_copy(&adm_sid, &global_sid_Builtin); - sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); - init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - /* create the security descriptor */ - - if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 2, ace)) == NULL) - return WERR_NOMEM; - - if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1, - SEC_DESC_SELF_RELATIVE, &owner_sid, NULL, - NULL, psa, &sd_size)) == NULL) - return WERR_NOMEM; - - return WERR_OK; + return reg_restorekey(regkey, fname); } -/******************************************************************* - 
********************************************************************/ - -static WERROR backup_registry_key ( REGISTRY_KEY *krecord, const char *fname ) -{ - REGF_FILE *regfile; - WERROR result; - SEC_DESC *sd = NULL; - - /* open the registry file....fail if the file already exists */ - - if ( !(regfile = regfio_open( fname, (O_RDWR|O_CREAT|O_EXCL), (S_IREAD|S_IWRITE) )) ) { - DEBUG(0,("backup_registry_key: failed to open \"%s\" (%s)\n", - fname, strerror(errno) )); - return ( ntstatus_to_werror(map_nt_error_from_unix( errno )) ); - } - - if ( !W_ERROR_IS_OK(result = make_default_reg_sd( regfile->mem_ctx, &sd )) ) { - regfio_close( regfile ); - return result; - } - - /* write the registry tree to the file */ - - result = reg_write_tree( regfile, krecord->name, NULL, sd ); - - /* cleanup */ - - regfio_close( regfile ); - - return result; -} - -/******************************************************************* - ********************************************************************/ - WERROR _winreg_SaveKey(pipes_struct *p, struct winreg_SaveKey *r) { struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle ); @@ -1004,7 +713,7 @@ WERROR _winreg_SaveKey(pipes_struct *p, struct winreg_SaveKey *r) DEBUG(2,("_winreg_SaveKey: Saving [%s] to %s in share %s\n", regkey->key->name, fname, lp_servicename(snum) )); - return backup_registry_key( regkey->key, fname ); + return reg_savekey(regkey, fname); } /******************************************************************* @@ -1115,7 +824,7 @@ WERROR _winreg_GetKeySecurity(pipes_struct *p, struct winreg_GetKeySecurity *r) if ( !(key->key->access_granted & STD_RIGHT_READ_CONTROL_ACCESS) ) return WERR_ACCESS_DENIED; - err = regkey_get_secdesc(p->mem_ctx, key->key, &secdesc); + err = reg_getkeysecurity(p->mem_ctx, key, &secdesc); if (!W_ERROR_IS_OK(err)) { return err; } 
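Review bot: The new call `return reg_savekey(regkey, fname);` in `_winreg_SaveKey` no longer shows how the hive file is created. The removed `backup_registry_key` was where it was opened with `O_RDWR|O_CREAT|O_EXCL` and mode `S_IREAD|S_IWRITE`. `reg_savekey` is defined outside this file, so it cannot be confirmed from here that it keeps the exclusive create and the owner-only mode, and both matter because a saved hive can hold sensitive registry values. Once that is verified, I would record the contract above the call, for example `/* reg_savekey() creates fname with O_CREAT|O_EXCL and owner-only read/write mode; it never overwrites an existing file */`. The body of `_winreg_SaveKey` starts outside this hunk.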
@@ -1161,7 +870,7 @@ WERROR _winreg_SetKeySecurity(pipes_struct *p, struct winreg_SetKeySecurity *r) return err; } - return regkey_set_secdesc(key->key, secdesc); + return reg_setkeysecurity(key, secdesc); } /******************************************************************* diff --git a/source3/rpc_server/srv_wkssvc_nt.c b/source3/rpc_server/srv_wkssvc_nt.c index 849ec9c4eb..6d03009d00 100644 --- a/source3/rpc_server/srv_wkssvc_nt.c +++ b/source3/rpc_server/srv_wkssvc_nt.c @@ -281,19 +281,20 @@ WERROR _wkssvc_NetrGetJoinableOus(pipes_struct *p, struct wkssvc_NetrGetJoinable } /******************************************************************** + _wkssvc_NetrJoinDomain2 ********************************************************************/ -WERROR _wkssvc_NetrJoinDomain2(pipes_struct *p, struct wkssvc_NetrJoinDomain2 *r) +WERROR _wkssvc_NetrJoinDomain2(pipes_struct *p, + struct wkssvc_NetrJoinDomain2 *r) { -#if 0 struct libnet_JoinCtx *j = NULL; - char *pwd = NULL; + char *cleartext_pwd = NULL; char *admin_domain = NULL; char *admin_account = NULL; WERROR werr; NTSTATUS status; struct nt_user_token *token = p->pipe_user.nt_user_token; - struct DS_DOMAIN_CONTROLLER_INFO *info = NULL; + struct netr_DsRGetDCNameInfo *info = NULL; if (!r->in.domain_name) { return WERR_INVALID_PARAM; @@ -302,18 +303,15 @@ WERROR _wkssvc_NetrJoinDomain2(pipes_struct *p, struct wkssvc_NetrJoinDomain2 *r if (!user_has_privileges(token, &se_machine_account) && !nt_token_check_domain_rid(token, DOMAIN_GROUP_RID_ADMINS) && !nt_token_check_domain_rid(token, BUILTIN_ALIAS_RID_ADMINS)) { + DEBUG(5,("_wkssvc_NetrJoinDomain2: account doesn't have " + "sufficient privileges\n")); return WERR_ACCESS_DENIED; } werr = decode_wkssvc_join_password_buffer(p->mem_ctx, r->in.encrypted_password, &p->session_key, - &pwd); - if (!W_ERROR_IS_OK(werr)) { - return werr; - } - - werr = libnet_init_JoinCtx(p->mem_ctx, &j); + &cleartext_pwd); if (!W_ERROR_IS_OK(werr)) { return werr; } 
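Review bot: The password decoded into `cleartext_pwd` in `_wkssvc_NetrJoinDomain2` is apparently allocated on `p->mem_ctx` and is never cleared, neither on the early returns that follow `decode_wkssvc_join_password_buffer` nor at the tail of the function, where only `j` is freed. I would overwrite it before every return after the decode, e.g. `if (cleartext_pwd) memset(cleartext_pwd, 0, strlen(cleartext_pwd));`, so the administrator password does not stay in pipe memory for the life of that context. The same applies to `_wkssvc_NetrUnjoinDomain2` in the last hunk of this file. Both functions also set `in.debug = true`; what libnet prints in that mode is not visible here, so it should be confirmed that `admin_password` is never part of it. The function body starts in the previous hunk and continues in the following ones.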
@@ -323,8 +321,7 @@ WERROR _wkssvc_NetrJoinDomain2(pipes_struct *p, struct wkssvc_NetrJoinDomain2 *r &admin_domain, &admin_account); - status = DsGetDcName(p->mem_ctx, - NULL, + status = dsgetdcname(p->mem_ctx, r->in.domain_name, NULL, NULL, 
@@ -336,33 +333,101 @@ WERROR _wkssvc_NetrJoinDomain2(pipes_struct *p, struct wkssvc_NetrJoinDomain2 *r return ntstatus_to_werror(status); } - j->in.server_name = info->domain_controller_name; + werr = libnet_init_JoinCtx(p->mem_ctx, &j); + if (!W_ERROR_IS_OK(werr)) { + return werr; + } + + j->in.dc_name = info->dc_unc; j->in.domain_name = r->in.domain_name; j->in.account_ou = r->in.account_ou; j->in.join_flags = r->in.join_flags; - - j->in.admin_account = admin_account; - j->in.password = pwd; - j->in.modify_config = true; + j->in.admin_account = admin_account; + j->in.admin_password = cleartext_pwd; + j->in.debug = true; become_root(); werr = libnet_Join(p->mem_ctx, j); unbecome_root(); + if (!W_ERROR_IS_OK(werr)) { + DEBUG(5,("_wkssvc_NetrJoinDomain2: libnet_Join gave %s\n", + j->out.error_string ? j->out.error_string : + dos_errstr(werr))); + } + + TALLOC_FREE(j); return werr; -#endif - p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; } /******************************************************************** + _wkssvc_NetrUnjoinDomain2 ********************************************************************/ -WERROR _wkssvc_NetrUnjoinDomain2(pipes_struct *p, struct wkssvc_NetrUnjoinDomain2 *r) +WERROR _wkssvc_NetrUnjoinDomain2(pipes_struct *p, + struct wkssvc_NetrUnjoinDomain2 *r) { - /* FIXME: Add implementation code here */ - p->rng_fault_state = True; - return WERR_NOT_SUPPORTED; + struct libnet_UnjoinCtx *u = NULL; + char *cleartext_pwd = NULL; + char *admin_domain = NULL; + char *admin_account = NULL; + WERROR werr; + NTSTATUS status; + struct nt_user_token *token = p->pipe_user.nt_user_token; + struct netr_DsRGetDCNameInfo *info = NULL; + + if (!user_has_privileges(token, &se_machine_account) && + !nt_token_check_domain_rid(token, DOMAIN_GROUP_RID_ADMINS) && + !nt_token_check_domain_rid(token, BUILTIN_ALIAS_RID_ADMINS)) { + DEBUG(5,("_wkssvc_NetrUnjoinDomain2: account doesn't have " + "sufficient privileges\n")); + return WERR_ACCESS_DENIED; + } + + werr 
= decode_wkssvc_join_password_buffer(p->mem_ctx, + r->in.encrypted_password, + &p->session_key, + &cleartext_pwd); + if (!W_ERROR_IS_OK(werr)) { + return werr; + } + + split_domain_user(p->mem_ctx, + r->in.account, + &admin_domain, + &admin_account); + + status = dsgetdcname(p->mem_ctx, + lp_realm(), + NULL, + NULL, + DS_DIRECTORY_SERVICE_REQUIRED | + DS_WRITABLE_REQUIRED | + DS_RETURN_DNS_NAME, + &info); + if (!NT_STATUS_IS_OK(status)) { + return ntstatus_to_werror(status); + } + + werr = libnet_init_UnjoinCtx(p->mem_ctx, &u); + if (!W_ERROR_IS_OK(werr)) { + return werr; + } + + u->in.dc_name = info->dc_unc; + u->in.domain_name = lp_realm(); + u->in.unjoin_flags = r->in.unjoin_flags | + WKSSVC_JOIN_FLAGS_JOIN_TYPE; + u->in.admin_account = admin_account; + u->in.admin_password = cleartext_pwd; + u->in.debug = true; + + become_root(); + werr = libnet_Unjoin(p->mem_ctx, u); + unbecome_root(); + + TALLOC_FREE(u); + return werr; } /******************************************************************** |
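Review bot: `_wkssvc_NetrUnjoinDomain2` hands `r->in.encrypted_password` to `decode_wkssvc_join_password_buffer` and `r->in.account` to `split_domain_user` without testing either for NULL, while the join function rejects a missing `r->in.domain_name` with `WERR_INVALID_PARAM`. Whether the two helpers tolerate a NULL argument is not visible in this diff, so a guard right after the privilege check would make the function safe on its own: `if (!r->in.account || !r->in.encrypted_password) { return WERR_INVALID_PARAM; }`. `lp_realm()` is also used as the domain name without checking that a realm is configured; an explicit early error for an empty realm would be clearer than whatever `dsgetdcname` returns for it.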