diff options
Diffstat (limited to 'source4/rpc_server')
-rw-r--r-- | source4/rpc_server/dcerpc_server.c | 10 | ||||
-rw-r--r-- | source4/rpc_server/dcesrv_auth.c | 2 | ||||
-rw-r--r-- | source4/rpc_server/netlogon/dcerpc_netlogon.c | 22 | ||||
-rw-r--r-- | source4/rpc_server/samr/dcesrv_samr.c | 42 |
4 files changed, 45 insertions, 31 deletions
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c index b043424faa..6e53c7c8ae 100644 --- a/source4/rpc_server/dcerpc_server.c +++ b/source4/rpc_server/dcerpc_server.c @@ -462,7 +462,7 @@ static NTSTATUS dcesrv_fault(struct dcesrv_call_state *call, uint32_t fault_code return NT_STATUS_NO_MEMORY; } - status = ncacn_push_auth(&rep->blob, call, &pkt, NULL); + status = ncacn_push_auth(&rep->blob, call, lp_iconv_convenience(call->conn->dce_ctx->lp_ctx), &pkt, NULL); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -501,7 +501,7 @@ static NTSTATUS dcesrv_bind_nak(struct dcesrv_call_state *call, uint32_t reason) return NT_STATUS_NO_MEMORY; } - status = ncacn_push_auth(&rep->blob, call, &pkt, NULL); + status = ncacn_push_auth(&rep->blob, call, lp_iconv_convenience(call->conn->dce_ctx->lp_ctx), &pkt, NULL); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -642,8 +642,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call) return NT_STATUS_NO_MEMORY; } - status = ncacn_push_auth(&rep->blob, call, &pkt, - call->conn->auth_state.auth_info); + status = ncacn_push_auth(&rep->blob, call, lp_iconv_convenience(call->conn->dce_ctx->lp_ctx), &pkt, call->conn->auth_state.auth_info); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -787,8 +786,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call) return NT_STATUS_NO_MEMORY; } - status = ncacn_push_auth(&rep->blob, call, &pkt, - call->conn->auth_state.auth_info); + status = ncacn_push_auth(&rep->blob, call, lp_iconv_convenience(call->conn->dce_ctx->lp_ctx), &pkt, call->conn->auth_state.auth_info); if (!NT_STATUS_IS_OK(status)) { return status; } diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index dce775591b..75b13bb824 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -402,7 +402,7 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call, /* non-signed packets are simple */ if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security) { - status = ncacn_push_auth(blob, call, pkt, NULL); + status = ncacn_push_auth(blob, call, lp_iconv_convenience(dce_conn->dce_ctx->lp_ctx), pkt, NULL); return NT_STATUS_IS_OK(status); } diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 4d38dc069e..37e6351864 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -27,6 +27,7 @@ #include "auth/auth.h" #include "auth/auth_sam_reply.h" #include "dsdb/samdb/samdb.h" +#include "dsdb/common/flags.h" #include "rpc_server/samr/proto.h" #include "util/util_ldb.h" #include "libcli/auth/libcli_auth.h" @@ -76,7 +77,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca struct creds_CredentialState *creds; void *sam_ctx; struct samr_Password *mach_pwd; - uint16_t acct_flags; + uint32_t user_account_control; int num_records; struct ldb_message **msgs; NTSTATUS nt_status; @@ -113,27 +114,28 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca return NT_STATUS_INTERNAL_DB_CORRUPTION; } - acct_flags = samdb_result_acct_flags(msgs[0], - "userAccountControl"); + + user_account_control = ldb_msg_find_attr_as_uint(msgs[0], "userAccountControl", 0); - if (acct_flags & ACB_DISABLED) { + if (user_account_control & UF_ACCOUNTDISABLE) { DEBUG(1, ("Account [%s] is disabled\n", r->in.account_name)); return NT_STATUS_ACCESS_DENIED; } if (r->in.secure_channel_type == SEC_CHAN_WKSTA) { - if (!(acct_flags & ACB_WSTRUST)) { - DEBUG(1, ("Client asked for a workstation secure channel, but is not a workstation (member server) acb flags: 0x%x\n", acct_flags)); + if (!(user_account_control & UF_WORKSTATION_TRUST_ACCOUNT)) { + DEBUG(1, ("Client asked for a workstation secure channel, but is not a workstation (member server) acb flags: 0x%x\n", user_account_control)); return NT_STATUS_ACCESS_DENIED; } } else if (r->in.secure_channel_type == SEC_CHAN_DOMAIN) { - if (!(acct_flags & ACB_DOMTRUST)) { - DEBUG(1, ("Client asked for a trusted domain secure channel, but is not a trusted domain: acb flags: 0x%x\n", acct_flags)); + if (!(user_account_control & UF_INTERDOMAIN_TRUST_ACCOUNT)) { + DEBUG(1, ("Client asked for a trusted domain secure channel, but is not a trusted domain: acb flags: 0x%x\n", user_account_control)); + return NT_STATUS_ACCESS_DENIED; } } else if (r->in.secure_channel_type == SEC_CHAN_BDC) { - if (!(acct_flags & ACB_SVRTRUST)) { - DEBUG(1, ("Client asked for a server secure channel, but is not a server (domain controller): acb flags: 0x%x\n", acct_flags)); + if (!(user_account_control & UF_SERVER_TRUST_ACCOUNT)) { + DEBUG(1, ("Client asked for a server secure channel, but is not a server (domain controller): acb flags: 0x%x\n", user_account_control)); return NT_STATUS_ACCESS_DENIED; } } else { diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c index 760d774f2e..8193e0a882 100644 --- a/source4/rpc_server/samr/dcesrv_samr.c +++ b/source4/rpc_server/samr/dcesrv_samr.c @@ -56,7 +56,7 @@ #define QUERY_LHOURS(msg, field, attr) \ r->out.info->field = samdb_result_logon_hours(mem_ctx, msg, attr); #define QUERY_AFLAGS(msg, field, attr) \ - r->out.info->field = samdb_result_acct_flags(msg, attr); + r->out.info->field = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, a_state->domain_state->domain_dn); /* these are used to make the Set[User|Group]Info code easier to follow */ @@ -102,10 +102,25 @@ set_el = ldb_msg_find_element(msg, attr); \ set_el->flags = LDB_FLAG_MOD_REPLACE; \ } while (0) - + +#define CHECK_FOR_MULTIPLES(value, flag, poss_flags) \ + do { \ + if ((value & flag) && ((value & flag) != (value & (poss_flags)))) { \ + return NT_STATUS_INVALID_PARAMETER; \ + } \ + } while (0) \ + +/* Set account flags, discarding flags that cannot be set with SAMR */ #define SET_AFLAGS(msg, field, attr) do { \ struct ldb_message_element *set_el; \ - if (samdb_msg_add_acct_flags(sam_ctx, mem_ctx, msg, attr, r->in.info->field) != 0) { \ + if ((r->in.info->field & (ACB_NORMAL | ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST)) == 0) { \ + return NT_STATUS_INVALID_PARAMETER; \ + } \ + CHECK_FOR_MULTIPLES(r->in.info->field, ACB_NORMAL, ACB_NORMAL | ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST); \ + CHECK_FOR_MULTIPLES(r->in.info->field, ACB_DOMTRUST, ACB_NORMAL | ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST); \ + CHECK_FOR_MULTIPLES(r->in.info->field, ACB_WSTRUST, ACB_NORMAL | ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST); \ + CHECK_FOR_MULTIPLES(r->in.info->field, ACB_SVRTRUST, ACB_NORMAL | ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST); \ + if (samdb_msg_add_acct_flags(sam_ctx, mem_ctx, msg, attr, (r->in.info->field & ~(ACB_AUTOLOCK|ACB_PW_EXPIRED))) != 0) { \ return NT_STATUS_NO_MEMORY; \ } \ set_el = ldb_msg_find_element(msg, attr); \ @@ -1484,8 +1499,8 @@ static NTSTATUS dcesrv_samr_EnumDomainUsers(struct dcesrv_call_state *dce_call, for (i=0;i<count;i++) { /* Check if a mask has been requested */ if (r->in.acct_flags - && ((samdb_result_acct_flags(res[i], - "userAccountControl") & r->in.acct_flags) == 0)) { + && ((samdb_result_acct_flags(d_state->sam_ctx, mem_ctx, res[i], + d_state->domain_dn) & r->in.acct_flags) == 0)) { continue; } entries[num_filtered_entries].idx = samdb_result_rid_from_sid(mem_ctx, res[i], "objectSid", 0); @@ -3066,7 +3081,7 @@ static NTSTATUS dcesrv_samr_QueryUserInfo(struct dcesrv_call_state *dce_call, TA } case 16: { - static const char * const attrs2[] = {"userAccountControl", NULL}; + static const char * const attrs2[] = {"userAccountControl", "pwdLastSet", NULL}; attrs = attrs2; break; } @@ -3613,7 +3628,7 @@ static NTSTATUS dcesrv_samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call, struct ldb_message **res; int ldb_cnt, count, i; const char * const attrs[] = { "objectSid", "sAMAccountName", "displayName", - "description", "userAccountControl", NULL }; + "description", "userAccountControl", "pwdLastSet", NULL }; struct samr_DispEntryFull *entriesFull = NULL; struct samr_DispEntryFullGroup *entriesFullGroup = NULL; struct samr_DispEntryAscii *entriesAscii = NULL; @@ -3702,8 +3717,9 @@ static NTSTATUS dcesrv_samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call, entriesGeneral[count].rid = objectsid->sub_auths[objectsid->num_auths-1]; entriesGeneral[count].acct_flags = - samdb_result_acct_flags(res[i], - "userAccountControl"); + samdb_result_acct_flags(d_state->sam_ctx, mem_ctx, + res[i], + d_state->domain_dn); entriesGeneral[count].account_name.string = samdb_result_string(res[i], "sAMAccountName", ""); @@ -3719,8 +3735,9 @@ static NTSTATUS dcesrv_samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call, /* No idea why we need to or in ACB_NORMAL here, but this is what Win2k3 seems to do... */ entriesFull[count].acct_flags = - samdb_result_acct_flags(res[i], - "userAccountControl") | ACB_NORMAL; + samdb_result_acct_flags(d_state->sam_ctx, mem_ctx, + res[i], + d_state->domain_dn) | ACB_NORMAL; entriesFull[count].account_name.string = samdb_result_string(res[i], "sAMAccountName", ""); @@ -3731,9 +3748,6 @@ static NTSTATUS dcesrv_samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call, entriesFullGroup[count].idx = count + 1; entriesFullGroup[count].rid = objectsid->sub_auths[objectsid->num_auths-1]; - entriesFullGroup[count].acct_flags = - samdb_result_acct_flags(res[i], - "userAccountControl"); /* We get a "7" here for groups */ entriesFullGroup[count].acct_flags = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; |