From dbc5cace14de14556da7a32cd9f4a82ef522e401 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 27 Feb 2001 18:22:39 +0000
Subject: Hmmm. I thought I'd added these files to CVS head..... Jeremy. (This used to be commit d573700a9218bce8efd21f0be70afec6b460f8b9)
---
source3/rpc_server/srv_samr_nt.c | 2457 ++++++++++++++++++++++++++++++++++++++
1 file changed, 2457 insertions(+)
create mode 100644 source3/rpc_server/srv_samr_nt.c
(limited to 'source3/rpc_server/srv_samr_nt.c')
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
new file mode 100644
index 0000000000..bd04b40c4d
--- /dev/null
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -0,0 +1,2457 @@ +/* + * Unix SMB/Netbios implementation. + * Version 1.9. + * RPC Pipe client / server routines + * Copyright (C) Andrew Tridgell 1992-1997, + * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, + * Copyright (C) Paul Ashton 1997. + * Copyright (C) Hewlett-Packard Company 1999. + * Copyright (C) Jeremy Allison 2001. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +/* + * This is the implementation of the SAMR code. + */ + +#include "includes.h" + +extern int DEBUGLEVEL; + +extern fstring global_myworkgroup; +extern pstring global_myname; +extern DOM_SID global_sam_sid; + +extern rid_name domain_group_rids[]; +extern rid_name domain_alias_rids[]; +extern rid_name builtin_alias_rids[]; + +/******************************************************************* + This next function should be replaced with something that + dynamically returns the correct user info..... JRA. 
+ ********************************************************************/ + +static BOOL get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, + int *total_entries, int *num_entries, + int max_num_entries, uint16 acb_mask) +{ + void *vp = NULL; + struct sam_passwd *pwd = NULL; + + (*num_entries) = 0; + (*total_entries) = 0; + + if (pw_buf == NULL) + return False; + + vp = startsmbpwent(False); + if (!vp) { + DEBUG(0, ("get_sampwd_entries: Unable to open SMB password database.\n")); + return False; + } + + while (((pwd = getsam21pwent(vp)) != NULL) && (*num_entries) < max_num_entries) { + int user_name_len; + + if (start_idx > 0) { + /* skip the requested number of entries. + not very efficient, but hey... + */ + start_idx--; + continue; + } + + user_name_len = strlen(pwd->smb_name)+1; + init_unistr2(&pw_buf[(*num_entries)].uni_user_name, pwd->smb_name, user_name_len); + init_uni_hdr(&pw_buf[(*num_entries)].hdr_user_name, user_name_len); + pw_buf[(*num_entries)].user_rid = pwd->user_rid; + memset((char *)pw_buf[(*num_entries)].nt_pwd, '\0', 16); + + /* Now check if the NT compatible password is available. 
*/ + if (pwd->smb_nt_passwd != NULL) { + memcpy( pw_buf[(*num_entries)].nt_pwd , pwd->smb_nt_passwd, 16); + } + + pw_buf[(*num_entries)].acb_info = (uint16)pwd->acct_ctrl; + + DEBUG(5, ("entry idx: %d user %s, rid 0x%x, acb %x", + (*num_entries), pwd->smb_name, pwd->user_rid, pwd->acct_ctrl)); + + if (acb_mask == 0 || (pwd->acct_ctrl & acb_mask)) { + DEBUG(5,(" acb_mask %x accepts\n", acb_mask)); + (*num_entries)++; + } + else + DEBUG(5,(" acb_mask %x rejects\n", acb_mask)); + + (*total_entries)++; + } + + endsmbpwent(vp); + + return (*num_entries) > 0; +} + +static BOOL jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, + int *total_entries, int *num_entries, + int max_num_entries, uint16 acb_mask) +{ + void *vp = NULL; + struct sam_passwd *pwd = NULL; + + *num_entries = 0; + *total_entries = 0; + + if (pw_buf == NULL) + return False; + + vp = startsmbpwent(False); + if (!vp) { + DEBUG(0, ("get_sampwd_entries: Unable to open SMB password database.\n")); + return False; + } + + while (((pwd = getsam21pwent(vp)) != NULL) && (*num_entries) < max_num_entries) { + int user_name_len; + int full_name_len; + + if (acb_mask != 0 && !(pwd->acct_ctrl & acb_mask)) + continue; + + if (start_idx > 0) { + /* skip the requested number of entries. + not very efficient, but hey... + */ + start_idx--; + continue; + } + + ZERO_STRUCTP(&pw_buf[(*num_entries)]); + + user_name_len = strlen(pwd->smb_name); + init_unistr2(&pw_buf[(*num_entries)].uni_user_name, pwd->smb_name, user_name_len); + init_uni_hdr(&pw_buf[(*num_entries)].hdr_user_name, user_name_len); + + full_name_len = strlen(pwd->full_name); + init_unistr2(&pw_buf[(*num_entries)].uni_full_name, pwd->full_name, full_name_len); + init_uni_hdr(&pw_buf[(*num_entries)].hdr_full_name, full_name_len); + + pw_buf[(*num_entries)].user_rid = pwd->user_rid; + memset((char *)pw_buf[(*num_entries)].nt_pwd, '\0', 16); + + /* Now check if the NT compatible password is available. 
*/ + if (pwd->smb_nt_passwd != NULL) { + memcpy( pw_buf[(*num_entries)].nt_pwd , pwd->smb_nt_passwd, 16); + } + + pw_buf[(*num_entries)].acb_info = (uint16)pwd->acct_ctrl; + + DEBUG(5, ("entry idx: %d user %s, rid 0x%x, acb %x\n", (*num_entries), pwd->smb_name, pwd->user_rid, pwd->acct_ctrl)); + (*num_entries)++; + } + + endsmbpwent(vp); + + *total_entries = *num_entries; + return True; +} + +/******************************************************************* + This function uses the username map file and tries to map a UNIX + user name to an DOS name. (Sort of the reverse of the + map_username() function.) Since more than one DOS name can map + to the UNIX name, to reverse the mapping you have to specify + which corresponding DOS name you want; that's where the name_idx + parameter comes in. Returns the string requested or NULL if it + fails or can't complete the request for any reason. This doesn't + handle group names (starting with '@') or names starting with + '+' or '&'. If they are encountered, they are skipped. +********************************************************************/ + +static char *unmap_unixname(char *unix_user_name, int name_idx) +{ + char *mapfile = lp_username_map(); + char **lines; + static pstring tok; + int i; + + if (!*unix_user_name) return NULL; + if (!*mapfile) return NULL; + + lines = file_lines_load(mapfile, NULL,False); + if (!lines) { + DEBUG(0,("unmap_unixname: can't open username map %s\n", mapfile)); + return NULL; + } + + DEBUG(5,("unmap_unixname: scanning username map %s, index: %d\n", mapfile, name_idx)); + + for (i=0; lines[i]; i++) { + char *unixname = lines[i]; + char *dosname = strchr(unixname,'='); + + if (!dosname) + continue; + + *dosname++ = 0; + + while (isspace(*unixname)) + unixname++; + if ('!' 
== *unixname) { + unixname++; + while (*unixname && isspace(*unixname)) + unixname++; + } + + if (!*unixname || strchr("#;",*unixname)) + continue; + + if (strncmp(unixname, unix_user_name, strlen(unix_user_name))) + continue; + + /* We have matched the UNIX user name */ + + while(next_token(&dosname, tok, LIST_SEP, sizeof(tok))) { + if (!strchr("@&+", *tok)) { + name_idx--; + if (name_idx < 0 ) { + break; + } + } + } + + if (name_idx >= 0) { + DEBUG(0,("unmap_unixname: index too high - not that many DOS names\n")); + file_lines_free(lines); + return NULL; + } else { + file_lines_free(lines); + return tok; + } + } + + DEBUG(0,("unmap_unixname: Couldn't find the UNIX user name\n")); + file_lines_free(lines); + return NULL; +} + +/******************************************************************* + This function sets up a list of users taken from the list of + users that UNIX knows about, as well as all the user names that + Samba maps to a valid UNIX user name. (This should work with + /etc/passwd or NIS.) +********************************************************************/ + +static BOOL get_passwd_entries(SAM_USER_INFO_21 *pw_buf, + int start_idx, + int *total_entries, int *num_entries, + int max_num_entries, + uint16 acb_mask) +{ + static struct passwd *pwd = NULL; + static uint32 pw_rid; + static BOOL orig_done = False; + static int current_idx = 0; + static int mapped_idx = 0; + char *sep; + + DEBUG(5, ("get_passwd_entries: retrieving a list of UNIX users\n")); + + (*num_entries) = 0; + (*total_entries) = 0; + + /* Skip all this stuff if we're in appliance mode */ + + if (lp_hide_local_users()) goto done; + + if (pw_buf == NULL) return False; + + if (current_idx == 0) { + sys_setpwent(); + } + + /* These two cases are inefficient, but should be called very rarely */ + /* they are the cases where the starting index isn't picking up */ + /* where we left off last time. It is efficient when it starts over */ + /* at zero though. 
*/ + if (start_idx > current_idx) { + /* We aren't far enough; advance to start_idx */ + while (current_idx <= start_idx) { + char *unmap_name; + + if(!orig_done) { + if ((pwd = sys_getpwent()) == NULL) break; + current_idx++; + orig_done = True; + } + + while (((unmap_name = unmap_unixname(pwd->pw_name, mapped_idx)) != NULL) && + (current_idx < start_idx)) { + current_idx++; + mapped_idx++; + } + + if (unmap_name == NULL) { + orig_done = False; + mapped_idx = 0; + } + } + } else if (start_idx < current_idx) { + /* We are already too far; start over and advance to start_idx */ + sys_endpwent(); + sys_setpwent(); + current_idx = 0; + mapped_idx = 0; + orig_done = False; + while (current_idx < start_idx) { + char *unmap_name; + + if(!orig_done) { + if ((pwd = sys_getpwent()) == NULL) break; + current_idx++; + orig_done = True; + } + + while (((unmap_name = unmap_unixname(pwd->pw_name, mapped_idx)) != NULL) && + (current_idx < start_idx)) { + current_idx++; + mapped_idx++; + } + + if (unmap_name == NULL) { + orig_done = False; + mapped_idx = 0; + } + } + } + + sep = lp_winbind_separator(); + + /* now current_idx == start_idx */ + while ((*num_entries) < max_num_entries) { + int user_name_len; + char *unmap_name; + + /* This does the original UNIX user itself */ + if(!orig_done) { + if ((pwd = sys_getpwent()) == NULL) break; + + /* Don't enumerate winbind users as they are not local */ + + if (strchr(pwd->pw_name, *sep) != NULL) { + continue; + } + + user_name_len = strlen(pwd->pw_name); + + /* skip the trust account stored in the /etc/passwd file */ + if (pwd->pw_name[user_name_len-1]=='$') + continue; + + pw_rid = pdb_uid_to_user_rid(pwd->pw_uid); + ZERO_STRUCTP(&pw_buf[(*num_entries)]); + init_unistr2(&pw_buf[(*num_entries)].uni_user_name, pwd->pw_name, user_name_len); + init_uni_hdr(&pw_buf[(*num_entries)].hdr_user_name, user_name_len); + pw_buf[(*num_entries)].user_rid = pw_rid; + memset((char *)pw_buf[(*num_entries)].nt_pwd, '\0', 16); + + 
pw_buf[(*num_entries)].acb_info = ACB_NORMAL; + + DEBUG(5, ("get_passwd_entries: entry idx %d user %s, rid 0x%x\n", (*num_entries), pwd->pw_name, pw_rid)); + + (*num_entries)++; + (*total_entries)++; + current_idx++; + orig_done = True; + } + + /* This does all the user names that map to the UNIX user */ + while (((unmap_name = unmap_unixname(pwd->pw_name, mapped_idx)) != NULL) && + (*num_entries < max_num_entries)) { + user_name_len = strlen(unmap_name); + ZERO_STRUCTP(&pw_buf[(*num_entries)]); + init_unistr2(&pw_buf[(*num_entries)].uni_user_name, unmap_name, user_name_len); + init_uni_hdr(&pw_buf[(*num_entries)].hdr_user_name, user_name_len); + pw_buf[(*num_entries)].user_rid = pw_rid; + memset((char *)pw_buf[(*num_entries)].nt_pwd, '\0', 16); + + pw_buf[(*num_entries)].acb_info = ACB_NORMAL; + + DEBUG(5, ("get_passwd_entries: entry idx %d user %s, rid 0x%x\n", (*num_entries), pwd->pw_name, pw_rid)); + + (*num_entries)++; + (*total_entries)++; + current_idx++; + mapped_idx++; + } + + if (unmap_name == NULL) { + /* done with 'aliases', go on to next UNIX user */ + orig_done = False; + mapped_idx = 0; + } + } + + if (pwd == NULL) { + /* totally done, reset everything */ + sys_endpwent(); + current_idx = 0; + mapped_idx = 0; + } + +done: + return (*num_entries) > 0; +} + +/******************************************************************* + _samr_close_hnd + ********************************************************************/ + +uint32 _samr_close_hnd(pipes_struct *p, SAMR_Q_CLOSE_HND *q_u, SAMR_R_CLOSE_HND *r_u) +{ + r_u->status = NT_STATUS_NOPROBLEMO; + + /* close the policy handle */ + if (!close_lsa_policy_hnd(&q_u->pol)) + return NT_STATUS_OBJECT_NAME_INVALID; + + DEBUG(5,("samr_reply_close_hnd: %d\n", __LINE__)); + + return r_u->status; +} + +/******************************************************************* + samr_reply_open_domain + ********************************************************************/ + +uint32 _samr_open_domain(pipes_struct *p, 
SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN_DOMAIN *r_u) +{ + r_u->status = NT_STATUS_NOPROBLEMO; + + /* find the connection policy handle. */ + if (find_lsa_policy_by_hnd(&q_u->pol) == -1) + return NT_STATUS_INVALID_HANDLE; + + /* get a (unique) handle. open a policy on it. */ + if (!open_lsa_policy_hnd(&r_u->domain_pol)) + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + + /* associate the domain SID with the (unique) handle. */ + if (!set_lsa_policy_samr_sid(&r_u->domain_pol, &q_u->dom_sid.sid)) { + close_lsa_policy_hnd(&r_u->domain_pol); + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } + + DEBUG(5,("samr_open_domain: %d\n", __LINE__)); + + return r_u->status; +} + +/******************************************************************* + _samr_get_usrdom_pwinfo + ********************************************************************/ + +uint32 _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, SAMR_R_GET_USRDOM_PWINFO *r_u) +{ + r_u->status = NT_STATUS_NOPROBLEMO; + + /* find the policy handle. open a policy on it. 
*/ + if (find_lsa_policy_by_hnd(&q_u->user_pol) == -1) { + return NT_STATUS_INVALID_HANDLE; + } + + /* find the user's rid */ + if (get_lsa_policy_samr_rid(&q_u->user_pol) == 0xffffffff) { + return NT_STATUS_OBJECT_TYPE_MISMATCH; + } + + init_samr_r_get_usrdom_pwinfo(r_u, NT_STATUS_NOPROBLEMO); + + DEBUG(5,("_samr_get_usrdom_pwinfo: %d\n", __LINE__)); + + return r_u->status; +} + +/******************************************************************* + samr_make_usr_obj_sd + ********************************************************************/ + +static uint32 samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC_BUF **buf, DOM_SID *usr_sid) +{ + extern DOM_SID global_sid_Builtin; + extern DOM_SID global_sid_World; + DOM_SID adm_sid; + DOM_SID act_sid; + + SEC_ACE ace[4]; + SEC_ACCESS mask; + + SEC_ACL *psa = NULL; + SEC_DESC *psd = NULL; + size_t sd_size; + + sid_copy(&adm_sid, &global_sid_Builtin); + sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); + + sid_copy(&act_sid, &global_sid_Builtin); + sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); + + init_sec_access(&mask, 0x2035b); + init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + init_sec_access(&mask, 0xf07ff); + init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + init_sec_access(&mask,0x20044); + init_sec_ace(&ace[3], usr_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + if((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 4, ace)) == NULL) + return NT_STATUS_NO_MEMORY; + + if((psd = make_sec_desc(ctx, SEC_DESC_REVISION, NULL, NULL, NULL, psa, &sd_size)) == NULL) + return NT_STATUS_NO_MEMORY; + + if((*buf = make_sec_desc_buf(ctx, sd_size, psd)) == NULL) + return NT_STATUS_NO_MEMORY; + + return NT_STATUS_NOPROBLEMO; +} + +/******************************************************************* + _samr_query_sec_obj + ********************************************************************/ + +uint32 
_samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_QUERY_SEC_OBJ *r_u) +{ + DOM_SID pol_sid; + + r_u->status = NT_STATUS_NOPROBLEMO; + + /* find the policy handle. open a policy on it. */ + if ((find_lsa_policy_by_hnd(&q_u->user_pol)) == -1) + return NT_STATUS_INVALID_HANDLE; + + /* Get the SID. */ + if (!get_lsa_policy_samr_sid(&q_u->user_pol, &pol_sid)) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + r_u->status = samr_make_usr_obj_sd(p->mem_ctx, &r_u->buf, &pol_sid); + + if (r_u->status == NT_STATUS_NOPROBLEMO) + r_u->ptr = 1; + + return r_u->status; +} + +/******************************************************************* +makes a SAM_ENTRY / UNISTR2* structure from a user list. +********************************************************************/ + +static void make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR2 **uni_name_pp, + uint32 num_sam_entries, SAM_USER_INFO_21 *pass) +{ + uint32 i; + SAM_ENTRY *sam; + UNISTR2 *uni_name; + + *sam_pp = NULL; + *uni_name_pp = NULL; + + if (num_sam_entries == 0) + return; + + sam = (SAM_ENTRY *)talloc(ctx, sizeof(SAM_ENTRY)*num_sam_entries); + + uni_name = (UNISTR2 *)talloc(ctx, sizeof(UNISTR2)*num_sam_entries); + + if (sam == NULL || uni_name == NULL) { + DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n")); + return; + } + + for (i = 0; i < num_sam_entries; i++) { + int len = pass[i].uni_user_name.uni_str_len; + + init_sam_entry(&sam[i], len, pass[i].user_rid); + copy_unistr2(&uni_name[i], &pass[i].uni_user_name); + } + + *sam_pp = sam; + *uni_name_pp = uni_name; +} + +/******************************************************************* + samr_reply_enum_dom_users + ********************************************************************/ + +uint32 _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, SAMR_R_ENUM_DOM_USERS *r_u) +{ + SAM_USER_INFO_21 pass[MAX_SAM_ENTRIES]; + int num_entries = 0; + int total_entries = 0; + BOOL ret; + + r_u->status = NT_STATUS_NOPROBLEMO; + 
+ /* find the policy handle. open a policy on it. */ + if (find_lsa_policy_by_hnd(&q_u->pol) == -1) + return NT_STATUS_INVALID_HANDLE; + + DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); + + become_root(); + ret = get_sampwd_entries(pass, q_u->start_idx, &total_entries, &num_entries, + MAX_SAM_ENTRIES, q_u->acb_mask); + unbecome_root(); + + if (!ret) + return NT_STATUS_ACCESS_DENIED; + + /* + * Note from JRA. total_entries is not being used here. Currently if there is a + * large user base then it looks like NT will enumerate until get_sampwd_entries + * returns False due to num_entries being zero. This will cause an access denied + * return. I don't think this is right and needs further investigation. Note that + * this is also the same in the TNG code (I don't think that has been tested with + * a very large user list as MAX_SAM_ENTRIES is set to 600). + * + * I also think that one of the 'num_entries' return parameters is probably + * the "max entries" parameter - but in the TNG code they're all currently set to the same + * value (again I think this is wrong). + */ + + make_user_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_acct_name, num_entries, pass); + + init_samr_r_enum_dom_users(r_u, q_u->start_idx + num_entries, num_entries); + + DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); + + return r_u->status; +} + +/******************************************************************* +makes a SAM_ENTRY / UNISTR2* structure from a group list. 
+********************************************************************/ + +static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR2 **uni_name_pp, + uint32 num_sam_entries, DOMAIN_GRP *grp) +{ + uint32 i; + SAM_ENTRY *sam; + UNISTR2 *uni_name; + + *sam_pp = NULL; + *uni_name_pp = NULL; + + if (num_sam_entries == 0) + return; + + sam = (SAM_ENTRY *)talloc(ctx, sizeof(SAM_ENTRY)*num_sam_entries); + + uni_name = (UNISTR2 *)talloc(ctx, sizeof(UNISTR2)*num_sam_entries); + + if (sam == NULL || uni_name == NULL) { + DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n")); + return; + } + + for (i = 0; i < num_sam_entries; i++) { + /* + * JRA. I think this should include the null. TNG does not. + */ + int len = strlen(grp[i].name)+1; + + init_sam_entry(&sam[i], len, grp[i].rid); + init_unistr2(&uni_name[i], grp[i].name, len); + } + + *sam_pp = sam; + *uni_name_pp = uni_name; +} + +/******************************************************************* + Get the group entries - similar to get_sampwd_entries(). + ********************************************************************/ + +static BOOL get_group_alias_entries(DOMAIN_GRP *d_grp, DOM_SID *sid, uint32 start_idx, + uint32 *p_num_entries, uint32 max_entries) +{ + fstring sid_str; + fstring sam_sid_str; + uint32 num_entries = 0; + + sid_to_string(sid_str, sid); + sid_to_string(sam_sid_str, &global_sam_sid); + + *p_num_entries = 0; + + /* well-known aliases */ + if (strequal(sid_str, "S-1-5-32")) { + char *name; + while (!lp_hide_local_users() && + num_entries < max_entries && + ((name = builtin_alias_rids[num_entries].name) != NULL)) { + + fstrcpy(d_grp[num_entries].name, name); + d_grp[num_entries].rid = builtin_alias_rids[num_entries].rid; + + num_entries++; + } + } else if (strequal(sid_str, sam_sid_str) && !lp_hide_local_users()) { + char *name; + char *sep; + struct group *grp; + + sep = lp_winbind_separator(); + + /* local aliases */ + /* we return the UNIX groups here. 
This seems to be the right */ + /* thing to do, since NT member servers return their local */ + /* groups in the same situation. */ + setgrent(); + + while (num_entries < max_entries && ((grp = getgrent()) != NULL)) { + int i; + uint32 trid; + name = grp->gr_name; + + /* Don't return winbind groups as they are not local! */ + + if (strchr(name, *sep) != NULL) + continue; + + trid = pdb_gid_to_group_rid(grp->gr_gid); + for( i = 0; i < num_entries; i++) + if ( d_grp[i].rid == trid ) break; + + if ( i < num_entries ) + continue; /* rid was there, dup! */ + + /* JRA - added this for large group db enumeration... */ + + if (start_idx > 0) { + /* skip the requested number of entries. + not very efficient, but hey... + */ + start_idx--; + continue; + } + + fstrcpy(d_grp[num_entries].name, name); + d_grp[num_entries].rid = trid; + num_entries++; + } + + endgrent(); + } + + *p_num_entries = num_entries; + + return True; +} + +/******************************************************************* + Get the group entries - similar to get_sampwd_entries(). 
+ ********************************************************************/ + +static BOOL get_group_domain_entries(DOMAIN_GRP *d_grp, DOM_SID *sid, uint32 start_idx, + uint32 *p_num_entries, uint32 max_entries) +{ + fstring sid_str; + fstring sam_sid_str; + uint32 num_entries = 0; + fstring name="Domain Admins"; + fstring comment="Just to make it work !"; + + sid_to_string(sid_str, sid); + sid_to_string(sam_sid_str, &global_sam_sid); + + *p_num_entries = 0; + + fstrcpy(d_grp[0].name, name); + fstrcpy(d_grp[0].comment, comment); + d_grp[0].rid = DOMAIN_GROUP_RID_ADMINS; + d_grp[0].attr=SID_NAME_DOM_GRP; + + fstrcpy(d_grp[1].name, "Domain Users"); + fstrcpy(d_grp[1].comment, "Just to make it work !"); + d_grp[1].rid = DOMAIN_GROUP_RID_USERS; + d_grp[1].attr=SID_NAME_DOM_GRP; + + num_entries = 2; + + *p_num_entries = num_entries; + + return True; +} + +/******************************************************************* + samr_reply_enum_dom_groups + Only reply with one group - domain admins. This must be fixed for + a real PDC. JRA. 
+ ********************************************************************/ + +uint32 _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_R_ENUM_DOM_GROUPS *r_u) +{ + DOMAIN_GRP grp[2]; + int num_entries; + DOM_SID sid; + + r_u->status = NT_STATUS_NOPROBLEMO; + + if (!get_lsa_policy_samr_sid(&q_u->pol, &sid)) + return NT_STATUS_INVALID_HANDLE; + + DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__)); + + get_group_domain_entries(grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES); + + make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp); + + init_samr_r_enum_dom_groups(r_u, q_u->start_idx, num_entries); + + DEBUG(5,("samr_enum_dom_groups: %d\n", __LINE__)); + + return r_u->status; +} + + +/******************************************************************* + samr_reply_enum_dom_aliases + ********************************************************************/ + +uint32 _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAMR_R_ENUM_DOM_ALIASES *r_u) +{ + DOMAIN_GRP grp[MAX_SAM_ENTRIES]; + int num_entries = 0; + fstring sid_str; + DOM_SID sid; + + r_u->status = NT_STATUS_NOPROBLEMO; + + /* find the policy handle. open a policy on it. 
*/ + if (!get_lsa_policy_samr_sid(&q_u->pol, &sid)) + return NT_STATUS_INVALID_HANDLE; + + sid_to_string(sid_str, &sid); + DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", sid_str)); + + if (!get_group_alias_entries(grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES)) + return NT_STATUS_ACCESS_DENIED; + + make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp); + + init_samr_r_enum_dom_aliases(r_u, q_u->start_idx, num_entries); + + DEBUG(5,("samr_enum_dom_aliases: %d\n", __LINE__)); + + return r_u->status; +} + +/******************************************************************* + samr_reply_query_dispinfo + ********************************************************************/ + +uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_QUERY_DISPINFO *r_u) +{ + SAM_USER_INFO_21 pass[MAX_SAM_ENTRIES]; + DOMAIN_GRP grps[MAX_SAM_ENTRIES]; + uint16 acb_mask = ACB_NORMAL; + int num_entries = 0; + int orig_num_entries = 0; + int total_entries = 0; + uint32 data_size = 0; + DOM_SID sid; + BOOL ret; + SAM_DISPINFO_CTR *ctr; + + DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__)); + + r_u->status = NT_STATUS_NOPROBLEMO; + + if (!get_lsa_policy_samr_sid(&q_u->domain_pol, &sid)) + return NT_STATUS_INVALID_HANDLE; + + /* decide how many entries to get depending on the max_entries + and max_size passed by client */ + + if(q_u->max_entries > MAX_SAM_ENTRIES) + q_u->max_entries = MAX_SAM_ENTRIES; + + /* Get what we need from the password database */ + switch (q_u->switch_level) { + case 0x2: + acb_mask = ACB_WSTRUST; + /* Fall through */ + case 0x1: + case 0x4: + become_root(); +#if 0 + ret = get_passwd_entries(pass, q_u->start_idx, &total_entries, &num_entries, + MAX_SAM_ENTRIES, acb_mask); +#endif +#if 0 + /* + * Which should we use here ? JRA. 
+ */ + ret = get_sampwd_entries(pass, q_u->start_idx, &total_entries, &num_entries, + MAX_SAM_ENTRIES, acb_mask); +#endif +#if 1 + ret = jf_get_sampwd_entries(pass, q_u->start_idx, &total_entries, &num_entries, + MAX_SAM_ENTRIES, acb_mask); +#endif + unbecome_root(); + if (!ret) { + DEBUG(5, ("get_sampwd_entries: failed\n")); + return NT_STATUS_ACCESS_DENIED; + } + break; + case 0x3: + case 0x5: + ret = get_group_domain_entries(grps, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES); + if (!ret) + return NT_STATUS_ACCESS_DENIED; + break; + default: + DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n", (unsigned int)q_u->switch_level )); + return NT_STATUS_INVALID_INFO_CLASS; + } + + + if (num_entries > q_u->max_entries) + num_entries = q_u->max_entries; + + if (num_entries > MAX_SAM_ENTRIES) { + num_entries = MAX_SAM_ENTRIES; + DEBUG(5, ("limiting number of entries to %d\n", num_entries)); + } + + data_size = q_u->max_size; + orig_num_entries = num_entries; + + ctr = (SAM_DISPINFO_CTR *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_CTR)); + + /* Now create reply structure */ + switch (q_u->switch_level) { + case 0x1: + ctr->sam.info1 = (SAM_DISPINFO_1 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_1)); + init_sam_dispinfo_1(ctr->sam.info1, &num_entries, &data_size, q_u->start_idx, pass); + break; + case 0x2: + ctr->sam.info2 = (SAM_DISPINFO_2 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_2)); + init_sam_dispinfo_2(ctr->sam.info2, &num_entries, &data_size, q_u->start_idx, pass); + break; + case 0x3: + ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_3)); + init_sam_dispinfo_3(ctr->sam.info3, &num_entries, &data_size, q_u->start_idx, grps); + break; + case 0x4: + ctr->sam.info4 = (SAM_DISPINFO_4 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_4)); + init_sam_dispinfo_4(ctr->sam.info4, &num_entries, &data_size, q_u->start_idx, pass); + break; + case 0x5: + ctr->sam.info5 = (SAM_DISPINFO_5 
*)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_5)); + init_sam_dispinfo_5(ctr->sam.info5, &num_entries, &data_size, q_u->start_idx, grps); + break; + default: + ctr->sam.info = NULL; + return NT_STATUS_INVALID_INFO_CLASS; + } + + DEBUG(5, ("_samr_query_dispinfo: %d\n", __LINE__)); + + init_samr_r_query_dispinfo(r_u, num_entries, data_size, q_u->switch_level, ctr, r_u->status); + + if (num_entries < orig_num_entries) { + return STATUS_MORE_ENTRIES; + } + + return r_u->status; +} + +/******************************************************************* + samr_reply_query_aliasinfo + ********************************************************************/ + +uint32 _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_R_QUERY_ALIASINFO *r_u) +{ + fstring alias_desc = "Local Unix group"; + fstring alias=""; + enum SID_NAME_USE type; + uint32 alias_rid; + + r_u->status = NT_STATUS_NOPROBLEMO; + + DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__)); + + /* find the policy handle. open a policy on it. 
*/ + if (find_lsa_policy_by_hnd(&q_u->pol) == -1) + return NT_STATUS_INVALID_HANDLE; + + alias_rid = get_lsa_policy_samr_rid(&q_u->pol); + if(alias_rid == 0xffffffff) + return NT_STATUS_NO_SUCH_ALIAS; + + if(!local_lookup_rid(alias_rid, alias, &type)) + return NT_STATUS_NO_SUCH_ALIAS; + + switch (q_u->switch_level) { + case 3: + r_u->ptr = 1; + r_u->ctr.switch_value1 = 3; + init_samr_alias_info3(&r_u->ctr.alias.info3, alias_desc); + break; + default: + return NT_STATUS_INVALID_INFO_CLASS; + } + + DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__)); + + return r_u->status; +} + +#if 0 +/******************************************************************* + samr_reply_lookup_ids + ********************************************************************/ + + uint32 _samr_lookup_ids(pipes_struct *p, SAMR_Q_LOOKUP_IDS *q_u, SAMR_R_LOOKUP_IDS *r_u) +{ + uint32 rid[MAX_SAM_ENTRIES]; + int num_rids = q_u->num_sids1; + + r_u->status = NT_STATUS_NOPROBLEMO; + + DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__)); + + if (num_rids > MAX_SAM_ENTRIES) { + num_rids = MAX_SAM_ENTRIES; + DEBUG(5,("_samr_lookup_ids: truncating entries to %d\n", num_rids)); + } + +#if 0 + int i; + SMB_ASSERT_ARRAY(q_u->uni_user_name, num_rids); + + for (i = 0; i < num_rids && status == 0; i++) + { + struct sam_passwd *sam_pass; + fstring user_name; + + + fstrcpy(user_name, unistrn2(q_u->uni_user_name[i].buffer, + q_u->uni_user_name[i].uni_str_len)); + + /* find the user account */ + become_root(); + sam_pass = get_smb21pwd_entry(user_name, 0); + unbecome_root(); + + if (sam_pass == NULL) + { + status = 0xC0000000 | NT_STATUS_NO_SUCH_USER; + rid[i] = 0; + } + else + { + rid[i] = sam_pass->user_rid; + } + } +#endif + + num_rids = 1; + rid[0] = BUILTIN_ALIAS_RID_USERS; + + init_samr_r_lookup_ids(&r_u, num_rids, rid, NT_STATUS_NOPROBLEMO); + + DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__)); + + return r_u->status; +} +#endif + +/******************************************************************* + _samr_lookup_names 
+ ********************************************************************/
+
+uint32 _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOKUP_NAMES *r_u)
+{
+ uint32 rid[MAX_SAM_ENTRIES];
+ enum SID_NAME_USE type[MAX_SAM_ENTRIES];
+ int i;
+ int num_rids = q_u->num_names1;
+ DOM_SID pol_sid;
+
+ r_u->status = NT_STATUS_NOPROBLEMO;
+
+ DEBUG(5,("_samr_lookup_names: %d\n", __LINE__));
+
+ ZERO_ARRAY(rid);
+ ZERO_ARRAY(type);
+
+ if (!get_lsa_policy_samr_sid(&q_u->pol, &pol_sid)) {
+ init_samr_r_lookup_names(p->mem_ctx, r_u, 0, NULL, NULL, NT_STATUS_OBJECT_TYPE_MISMATCH);
+ return r_u->status;
+ }
+
+ if (num_rids > MAX_SAM_ENTRIES) {
+ num_rids = MAX_SAM_ENTRIES;
+ DEBUG(5,("_samr_lookup_names: truncating entries to %d\n", num_rids));
+ }
+
+ SMB_ASSERT_ARRAY(q_u->uni_name, num_rids);
+
+ for (i = 0; i < num_rids; i++) {
+ fstring name;
+
+ r_u->status = NT_STATUS_NONE_MAPPED;
+
+ rid [i] = 0xffffffff;
+ type[i] = SID_NAME_UNKNOWN;
+
+ fstrcpy(name, dos_unistrn2(q_u->uni_name[i].buffer, q_u->uni_name[i].uni_str_len));
+
+ if(sid_equal(&pol_sid, &global_sam_sid)) {
+ DOM_SID sid;
+ if(local_lookup_name(global_myname, name, &sid, &type[i])) {
+ sid_split_rid( &sid, &rid[i]);
+ r_u->status = NT_STATUS_NOPROBLEMO;
+ }
+ }
+ }
+
+ init_samr_r_lookup_names(p->mem_ctx, r_u, num_rids, rid, type, r_u->status);
+
+ DEBUG(5,("_samr_lookup_names: %d\n", __LINE__));
+
+ return r_u->status;
+}
+
+/*******************************************************************
+ _samr_chgpasswd_user
+ ********************************************************************/
+
+uint32 _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_CHGPASSWD_USER *r_u)
+{
+ fstring user_name;
+ fstring wks;
+
+ DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__));
+
+ r_u->status = NT_STATUS_NOPROBLEMO;
+
+ fstrcpy(user_name, dos_unistrn2(q_u->uni_user_name.buffer, q_u->uni_user_name.uni_str_len));
+ fstrcpy(wks , dos_unistrn2(q_u->uni_dest_host.buffer, q_u->uni_dest_host.uni_str_len));
+
+ DEBUG(5,("samr_chgpasswd_user: user: %s wks: %s\n", user_name, wks));
+
+ if (!pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash,
+ q_u->nt_newpass.pass, q_u->nt_oldhash.hash))
+ r_u->status = NT_STATUS_WRONG_PASSWORD;
+
+ init_samr_r_chgpasswd_user(r_u, r_u->status);
+
+ DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__));
+
+ return r_u->status;
+}
+
+/*******************************************************************
+makes a SAMR_R_LOOKUP_RIDS structure.
+********************************************************************/
+
+static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, fstring names[],
+ UNIHDR **pp_hdr_name, UNISTR2 **pp_uni_name)
+{
+ uint32 i;
+ UNIHDR *hdr_name;
+ UNISTR2 *uni_name;
+
+ *pp_uni_name = NULL;
+ *pp_hdr_name = NULL;
+
+ if (num_names != 0) {
+ hdr_name = (UNIHDR *)talloc(ctx, sizeof(UNIHDR)*num_names);
+ if (hdr_name == NULL)
+ return False;
+
+ uni_name = (UNISTR2 *)talloc(ctx,sizeof(UNISTR2)*num_names);
+ if (uni_name == NULL)
+ return False;
+ }
+
+ for (i = 0; i < num_names; i++) {
+ int len = names[i] != NULL ? strlen(names[i]) : 0;
+ DEBUG(10, ("names[%d]:%s\n", i, names[i]));
+ init_uni_hdr(&hdr_name[i], len);
+ init_unistr2(&uni_name[i], names[i], len);
+ }
+
+ *pp_uni_name = uni_name;
+ *pp_hdr_name = hdr_name;
+
+ return True;
+}
+
+/*******************************************************************
+ _samr_lookup_rids
+ ********************************************************************/
+
+uint32 _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP_RIDS *r_u)
+{
+ fstring group_names[MAX_SAM_ENTRIES];
+ uint32 group_attrs[MAX_SAM_ENTRIES];
+ UNIHDR *hdr_name = NULL;
+ UNISTR2 *uni_name = NULL;
+ DOM_SID pol_sid;
+ int num_rids = q_u->num_rids1;
+ int i;
+
+ r_u->status = NT_STATUS_NOPROBLEMO;
+
+ DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__));
+
+ /* find the policy handle. open a policy on it. */
+ if (!get_lsa_policy_samr_sid(&q_u->pol, &pol_sid))
+ return NT_STATUS_INVALID_HANDLE;
+
+ if (num_rids > MAX_SAM_ENTRIES) {
+ num_rids = MAX_SAM_ENTRIES;
+ DEBUG(5,("_samr_lookup_rids: truncating entries to %d\n", num_rids));
+ }
+
+ r_u->status = NT_STATUS_NONE_MAPPED;
+
+ for (i = 0; i < num_rids; i++) {
+ fstring tmpname;
+ fstring domname;
+ DOM_SID sid;
+ enum SID_NAME_USE type;
+
+ group_attrs[i] = SID_NAME_UNKNOWN;
+ *group_names[i] = '\0';
+
+ if (sid_equal(&pol_sid, &global_sam_sid)) {
+ sid_copy(&sid, &pol_sid);
+ sid_append_rid(&sid, q_u->rid[i]);
+
+ if (lookup_sid(&sid, domname, tmpname, &type)) {
+ r_u->status = NT_STATUS_NOPROBLEMO;
+ group_attrs[i] = (uint32)type;
+ fstrcpy(group_names[i],tmpname);
+ }
+ }
+ }
+
+ if(!make_samr_lookup_rids(p->mem_ctx, num_rids, group_names, &hdr_name, &uni_name))
+ return NT_STATUS_NO_MEMORY;
+
+ init_samr_r_lookup_rids(r_u, num_rids, hdr_name, uni_name, group_attrs);
+
+ DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__));
+
+ return r_u->status;
+}
+
+/*******************************************************************
+ _api_samr_open_user
+ ********************************************************************/
+
+uint32 _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USER *r_u)
+{
+ struct sam_passwd *sam_pass;
+ DOM_SID sid;
+ POLICY_HND domain_pol = q_u->domain_pol;
+ uint32 user_rid = q_u->user_rid;
+ POLICY_HND *user_pol = &r_u->user_pol;
+
+ r_u->status = NT_STATUS_NO_PROBLEMO;
+
+ /* find the domain policy handle. */
+ if (find_lsa_policy_by_hnd(&domain_pol) == -1)
+ return NT_STATUS_INVALID_HANDLE;
+
+ /* get a (unique) handle. open a policy on it. */
+ if (!open_lsa_policy_hnd(user_pol))
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+
+ become_root();
+ sam_pass = getsam21pwrid(user_rid);
+ unbecome_root();
+
+ /* check that the RID exists in our domain. */
+ if (sam_pass == NULL) {
+ close_lsa_policy_hnd(user_pol);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ /* Get the domain SID stored in the domain policy */
+ if(!get_lsa_policy_samr_sid(&domain_pol, &sid)) {
+ close_lsa_policy_hnd(user_pol);
+ return NT_STATUS_INVALID_HANDLE;
+ }
+
+ /* append the user's RID to it */
+ if(!sid_append_rid(&sid, user_rid)) {
+ close_lsa_policy_hnd(user_pol);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ /* associate the user's SID with the handle. */
+ if (!set_lsa_policy_samr_sid(user_pol, &sid)) {
+ /* oh, whoops. don't know what error message to return, here */
+ close_lsa_policy_hnd(user_pol);
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ return r_u->status;
+}
+
+/*************************************************************************
+ get_user_info_10
+ *************************************************************************/
+
+static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid)
+{
+ struct smb_passwd *smb_pass;
+
+ if (!pdb_rid_is_user(user_rid)) {
+ DEBUG(4,("RID 0x%x is not a user RID\n", user_rid));
+ return False;
+ }
+
+ become_root();
+ smb_pass = getsmbpwrid(user_rid);
+ unbecome_root();
+
+ if (smb_pass == NULL)
+ {
+ DEBUG(4,("User 0x%x not found\n", user_rid));
+ return False;
+ }
+
+ DEBUG(3,("User:[%s]\n", smb_pass->smb_name));
+
+ init_sam_user_info10(id10, smb_pass->acct_ctrl);
+
+ return True;
+}
+
+/*************************************************************************
+ get_user_info_12
+ *************************************************************************/
+
+static BOOL get_user_info_12(SAM_USER_INFO_12 * id12, uint32 user_rid)
+{
+ struct smb_passwd *smb_pass;
+
+ become_root();
+ smb_pass = getsmbpwrid(user_rid);
+ unbecome_root();
+
+ if (smb_pass == NULL) {
+ DEBUG(4, ("User 0x%x not found\n", user_rid));
+ return False;
+ }
+
+ DEBUG(3,("User:[%s] 0x%x\n", smb_pass->smb_name, smb_pass->acct_ctrl));
+
+ if (smb_pass->acct_ctrl & ACB_DISABLED)
+ return False;
+
+ init_sam_user_info12(id12, smb_pass->smb_passwd, smb_pass->smb_nt_passwd);
+
+ return True;
+}
+
+/*************************************************************************
+ get_user_info_21
+ *************************************************************************/
+
+static BOOL get_user_info_21(SAM_USER_INFO_21 *id21, uint32 user_rid)
+{
+ NTTIME dummy_time;
+ struct sam_passwd *sam_pass;
+ LOGON_HRS hrs;
+ int i;
+
+ if (!pdb_rid_is_user(user_rid)) {
+ DEBUG(4,("RID 0x%x is not a user RID\n", user_rid));
+ return False;
+ }
+
+ become_root();
+ sam_pass = getsam21pwrid(user_rid);
+ unbecome_root();
+
+ if (sam_pass == NULL) {
+ DEBUG(4,("User 0x%x not found\n", user_rid));
+ return False;
+ }
+
+ DEBUG(3,("User:[%s]\n", sam_pass->smb_name));
+
+ dummy_time.low = 0xffffffff;
+ dummy_time.high = 0x7fffffff;
+
+ DEBUG(5,("get_user_info_21 - TODO: convert unix times to NTTIMEs\n"));
+
+ /* create a LOGON_HRS structure */
+ hrs.len = sam_pass->hours_len;
+ SMB_ASSERT_ARRAY(hrs.hours, hrs.len);
+ for (i = 0; i < hrs.len; i++)
+ hrs.hours[i] = sam_pass->hours[i];
+
+ init_sam_user_info21A(id21,
+
+ &dummy_time, /* logon_time */
+ &dummy_time, /* logoff_time */
+ &dummy_time, /* kickoff_time */
+ &dummy_time, /* pass_last_set_time */
+ &dummy_time, /* pass_can_change_time */
+ &dummy_time, /* pass_must_change_time */
+
+ sam_pass->smb_name, /* user_name */
+ sam_pass->full_name, /* full_name */
+ sam_pass->home_dir, /* home_dir */
+ sam_pass->dir_drive, /* dir_drive */
+ sam_pass->logon_script, /* logon_script */
+ sam_pass->profile_path, /* profile_path */
+ sam_pass->acct_desc, /* description */
+ sam_pass->workstations, /* workstations user can log in from */
+ sam_pass->unknown_str, /* don't know, yet */
+ sam_pass->munged_dial, /* dialin info. contains dialin path and tel no */
+
+ sam_pass->user_rid, /* RID user_id */
+ sam_pass->group_rid, /* RID group_id */
+ sam_pass->acct_ctrl,
+
+ sam_pass->unknown_3, /* unknown_3 */
+ sam_pass->logon_divs, /* divisions per week */
+ &hrs, /* logon hours */
+ sam_pass->unknown_5,
+ sam_pass->unknown_6);
+
+ return True;
+}
+
+/*******************************************************************
+ _samr_query_userinfo
+ ********************************************************************/
+
+uint32 _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_QUERY_USERINFO *r_u)
+{
+ SAM_USERINFO_CTR *ctr;
+ uint32 rid = 0;
+
+ r_u->status=NT_STATUS_NO_PROBLEMO;
+
+ /* search for the handle */
+ if (find_lsa_policy_by_hnd(&q_u->pol) == -1)
+ return NT_STATUS_INVALID_HANDLE;
+
+ /* find the user's rid */
+ if ((rid = get_lsa_policy_samr_rid(&q_u->pol)) == 0xffffffff)
+ return NT_STATUS_OBJECT_TYPE_MISMATCH;
+
+ DEBUG(5,("_samr_query_userinfo: rid:0x%x\n", rid));
+
+ ctr = (SAM_USERINFO_CTR *)talloc(p->mem_ctx, sizeof(SAM_USERINFO_CTR));
+ if (!ctr)
+ return NT_STATUS_NO_MEMORY;
+
+ ZERO_STRUCTP(ctr);
+
+ /* ok! user info levels (lots: see MSDEV help), off we go... */
+ ctr->switch_value = q_u->switch_value;
+
+ switch (q_u->switch_value) {
+ case 0x10:
+ ctr->info.id10 = (SAM_USER_INFO_10 *)talloc(p->mem_ctx, sizeof(SAM_USER_INFO_10));
+ if (ctr->info.id10 == NULL)
+ return NT_STATUS_NO_MEMORY;
+
+ if (!get_user_info_10(ctr->info.id10, rid))
+ return NT_STATUS_NO_SUCH_USER;
+ break;
+
+#if 0
+/* whoops - got this wrong. i think. or don't understand what's happening. */
+ case 0x11:
+ {
+ NTTIME expire;
+ info = (void *)&id11;
+
+ expire.low = 0xffffffff;
+ expire.high = 0x7fffffff;
+
+ ctr->info.id = (SAM_USER_INFO_11 *)talloc(p->mem_ctx,
+ sizeof
+ (*ctr->
+ info.
+ id11));
+ init_sam_user_info11(ctr->info.id11, &expire,
+ "BROOKFIELDS$", /* name */
+ 0x03ef, /* user rid */
+ 0x201, /* group rid */
+ 0x0080); /* acb info */
+
+ break;
+ }
+#endif
+
+ case 0x12:
+ ctr->info.id12 = (SAM_USER_INFO_12 *)talloc(p->mem_ctx, sizeof(SAM_USER_INFO_12));
+ if (ctr->info.id12 == NULL)
+ return NT_STATUS_NO_MEMORY;
+
+ if (!get_user_info_12(ctr->info.id12, rid))
+ return NT_STATUS_NO_SUCH_USER;
+ break;
+
+ case 21:
+ ctr->info.id21 = (SAM_USER_INFO_21 *)talloc(p->mem_ctx,sizeof(SAM_USER_INFO_21));
+ if (ctr->info.id21 == NULL)
+ return NT_STATUS_NO_MEMORY;
+ if (!get_user_info_21(ctr->info.id21, rid))
+ return NT_STATUS_NO_SUCH_USER;
+ break;
+
+ default:
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+ init_samr_r_query_userinfo(r_u, ctr, r_u->status);
+
+ DEBUG(5,("_samr_query_userinfo: %d\n", __LINE__));
+
+ return r_u->status;
+}
+
+/*******************************************************************
+ samr_reply_query_usergroups
+ ********************************************************************/
+
+uint32 _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u)
+{
+ struct sam_passwd *sam_pass;
+ DOM_GID *gids = NULL;
+ int num_groups = 0;
+ pstring groups;
+ uint32 rid;
+
+ r_u->status = NT_STATUS_NO_PROBLEMO;
+
+ DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__));
+
+ /* find the policy handle. open a policy on it. */
+ if (find_lsa_policy_by_hnd(&q_u->pol) == -1)
+ return NT_STATUS_INVALID_HANDLE;
+
+ /* find the user's rid */
+ if ((rid = get_lsa_policy_samr_rid(&q_u->pol)) == 0xffffffff)
+ return NT_STATUS_OBJECT_TYPE_MISMATCH;
+
+ become_root();
+ sam_pass = getsam21pwrid(rid);
+ unbecome_root();
+
+ if (sam_pass == NULL)
+ return NT_STATUS_NO_SUCH_USER;
+
+ get_domain_user_groups(groups, sam_pass->smb_name);
+ gids = NULL;
+ num_groups = make_dom_gids(p->mem_ctx, groups, &gids);
+
+ /* construct the response. lkclXXXX: gids are not copied! */
+ init_samr_r_query_usergroups(r_u, num_groups, gids, r_u->status);
+
+ DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__));
+
+ return r_u->status;
+}
+
+/*******************************************************************
+ _samr_query_dom_info
+ ********************************************************************/
+
+uint32 _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR_R_QUERY_DOMAIN_INFO *r_u)
+{
+ SAM_UNK_CTR *ctr;
+ uint16 switch_value = 0;
+
+ if ((ctr = (SAM_UNK_CTR *)talloc(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL)
+ return NT_STATUS_NO_MEMORY;
+
+ ZERO_STRUCTP(ctr);
+
+ r_u->status = NT_STATUS_NO_PROBLEMO;
+
+ DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__));
+
+ /* find the policy handle. open a policy on it. */
+ if (find_lsa_policy_by_hnd(&q_u->domain_pol) == -1)
+ return NT_STATUS_INVALID_HANDLE;
+
+ switch (q_u->switch_value) {
+ case 0x01:
+ switch_value = 0x1;
+ init_unk_info1(&ctr->info.inf1);
+ break;
+ case 0x02:
+ switch_value = 0x2;
+ /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */
+ init_unk_info2(&ctr->info.inf2, global_myworkgroup, global_myname, (uint32) time(NULL));
+ break;
+ case 0x03:
+ switch_value = 0x3;
+ init_unk_info3(&ctr->info.inf3);
+ break;
+ case 0x06:
+ switch_value = 0x6;
+ init_unk_info6(&ctr->info.inf6);
+ break;
+ case 0x07:
+ switch_value = 0x7;
+ init_unk_info7(&ctr->info.inf7);
+ break;
+ case 0x0c:
+ switch_value = 0xc;
+ init_unk_info12(&ctr->info.inf12);
+ break;
+ default:
+ return NT_STATUS_INVALID_INFO_CLASS;
+ break;
+ }
+
+ init_samr_r_query_dom_info(r_u, q_u->switch_value, ctr, NT_STATUS_NOPROBLEMO);
+
+ DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__));
+
+ return r_u->status;
+}
+
+/*******************************************************************
+ _api_samr_create_user
+ ********************************************************************/
+
+uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREATE_USER *r_u)
+{
+ struct sam_passwd *sam_pass;
+ fstring mach_acct;
+ pstring err_str;
+ pstring msg_str;
+ int local_flags=0;
+ DOM_SID sid;
+ pstring add_script;
+ POLICY_HND dom_pol = q_u->domain_pol;
+ UNISTR2 user_account = q_u->uni_name;
+ uint16 acb_info = q_u->acb_info;
+ POLICY_HND *user_pol = &r_u->user_pol;
+
+ /* find the policy handle. open a policy on it. */
+ if (find_lsa_policy_by_hnd(&dom_pol) == -1)
+ return NT_STATUS_INVALID_HANDLE;
+
+ /* find the machine account: tell the caller if it exists.
+ lkclXXXX i have *no* idea if this is a problem or not
+ or even if you are supposed to construct a different
+ reply if the account already exists...
+ */
+
+ fstrcpy(mach_acct, dos_unistrn2(user_account.buffer, user_account.uni_str_len));
+ strlower(mach_acct);
+
+ become_root();
+ sam_pass = getsam21pwnam(mach_acct);
+ unbecome_root();
+ if (sam_pass != NULL) {
+ /* machine account exists: say so */
+ return NT_STATUS_USER_EXISTS;
+ }
+
+ /* get a (unique) handle. open a policy on it. */
+ if (!open_lsa_policy_hnd(user_pol))
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+
+ local_flags=LOCAL_ADD_USER|LOCAL_DISABLE_USER|LOCAL_SET_NO_PASSWORD;
+ local_flags|= (acb_info & ACB_WSTRUST) ? LOCAL_TRUST_ACCOUNT:0;
+
+ /*
+ * NB. VERY IMPORTANT ! This call must be done as the current pipe user,
+ * *NOT* surrounded by a become_root()/unbecome_root() call. This ensures
+ * that only people with write access to the smbpasswd file will be able
+ * to create a user. JRA.
+ */
+
+ /*
+ * add the user in the /etc/passwd file or the unix authority system.
+ * We don't check if the smb_create_user() function succed or not for 2 reasons:
+ * a) local_password_change() checks for us if the /etc/passwd account really exists
+ * b) smb_create_user() would return an error if the account already exists
+ * and as it could return an error also if it can't create the account, it would be tricky.
+ *
+ * So we go the easy way, only check after if the account exists.
+ * JFM (2/3/2001), to clear any possible bad understanding (-:
+ */
+
+ pstrcpy(add_script, lp_adduser_script());
+
+ if(*add_script)
+ smb_create_user(mach_acct, NULL);
+
+ /* add the user in the smbpasswd file or the Samba authority database */
+ if (!local_password_change(mach_acct, local_flags, NULL, err_str,
+ sizeof(err_str), msg_str, sizeof(msg_str)))
+ {
+ DEBUG(0, ("%s\n", err_str));
+ close_lsa_policy_hnd(user_pol);
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ become_root();
+ sam_pass = getsam21pwnam(mach_acct);
+ unbecome_root();
+ if (sam_pass == NULL) {
+ /* account doesn't exist: say so */
+ close_lsa_policy_hnd(user_pol);
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ /* Get the domain SID stored in the domain policy */
+ if(!get_lsa_policy_samr_sid(&dom_pol, &sid)) {
+ close_lsa_policy_hnd(user_pol);
+ return NT_STATUS_INVALID_HANDLE;
+ }
+
+ /* append the user's RID to it */
+ if(!sid_append_rid(&sid, sam_pass->user_rid)) {
+ close_lsa_policy_hnd(user_pol);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ /* associate the SID with the (unique) handle. */
+ if (!set_lsa_policy_samr_sid(user_pol, &sid)) {
+ /* oh, whoops. don't know what error message to return, here */
+ close_lsa_policy_hnd(user_pol);
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ r_u->user_rid=sam_pass->user_rid;
+ r_u->unknown_0 = 0x000703ff;
+
+ return NT_STATUS_NO_PROBLEMO;
+}
+
+/*******************************************************************
+ samr_reply_connect_anon
+ ********************************************************************/
+
+uint32 _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CONNECT_ANON *r_u)
+{
+ /* set up the SAMR connect_anon response */
+
+ r_u->status = NT_STATUS_NO_PROBLEMO;
+
+ /* get a (unique) handle. open a policy on it. */
+ if (!open_lsa_policy_hnd(&r_u->connect_pol))
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+
+ /* associate the domain SID with the (unique) handle. */
+ if (!set_lsa_policy_samr_pol_status(&r_u->connect_pol, q_u->unknown_0)) {
+ close_lsa_policy_hnd(&r_u->connect_pol);
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ return r_u->status;
+}
+
+/*******************************************************************
+ samr_reply_connect
+ ********************************************************************/
+
+uint32 _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u)
+{
+ DEBUG(5,("_samr_connect: %d\n", __LINE__));
+
+ r_u->status = NT_STATUS_NO_PROBLEMO;
+
+ /* get a (unique) handle. open a policy on it. */
+ if (!open_lsa_policy_hnd(&r_u->connect_pol))
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+
+ /* associate the domain SID with the (unique) handle. */
+ if (!set_lsa_policy_samr_pol_status(&r_u->connect_pol, q_u->access_mask)) {
+ close_lsa_policy_hnd(&r_u->connect_pol);
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ DEBUG(5,("_samr_connect: %d\n", __LINE__));
+
+ return r_u->status;
+}
+
+/**********************************************************************
+ api_samr_lookup_domain
+ **********************************************************************/
+
+uint32 _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_LOOKUP_DOMAIN *r_u)
+{
+ r_u->status = NT_STATUS_NO_PROBLEMO;
+
+ if (find_lsa_policy_by_hnd(&q_u->connect_pol) == -1)
+ return NT_STATUS_INVALID_HANDLE;
+
+ /* assume the domain name sent is our global_myname and
+ send global_sam_sid */
+ init_samr_r_lookup_domain(r_u, &global_sam_sid, r_u->status);
+
+ return r_u->status;
+}
+
+/******************************************************************
+makes a SAMR_R_ENUM_DOMAINS structure.
+********************************************************************/
+
+static BOOL make_enum_domains(TALLOC_CTX *ctx, SAM_ENTRY **pp_sam,
+ UNISTR2 **pp_uni_name, uint32 num_sam_entries, fstring doms[])
+{
+ uint32 i;
+ SAM_ENTRY *sam;
+ UNISTR2 *uni_name;
+
+ DEBUG(5, ("make_enum_domains\n"));
+
+ *pp_sam = NULL;
+ *pp_uni_name = NULL;
+
+ if (num_sam_entries == 0)
+ return True;
+
+ sam = (SAM_ENTRY *)talloc(ctx, sizeof(SAM_ENTRY)*num_sam_entries);
+ uni_name = (UNISTR2 *)talloc(ctx, sizeof(UNISTR2)*num_sam_entries);
+
+ if (sam == NULL || uni_name == NULL)
+ return False;
+
+ for (i = 0; i < num_sam_entries; i++) {
+ int len = doms[i] != NULL ? strlen(doms[i]) : 0;
+
+ init_sam_entry(&sam[i], len, 0);
+ init_unistr2(&uni_name[i], doms[i], len);
+ }
+
+ *pp_sam = sam;
+ *pp_uni_name = uni_name;
+
+ return True;
+}
+
+/**********************************************************************
+ api_samr_enum_domains
+ **********************************************************************/
+
+uint32 _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_ENUM_DOMAINS *r_u)
+{
+ uint32 num_entries = 2;
+ fstring dom[2];
+
+ r_u->status = NT_STATUS_NO_PROBLEMO;
+
+ fstrcpy(dom[0],global_myworkgroup);
+ fstrcpy(dom[1],"Builtin");
+
+ if (!make_enum_domains(p->mem_ctx, &r_u->sam, &r_u->uni_dom_name, num_entries, dom))
+ return NT_STATUS_NO_MEMORY;
+
+ init_samr_r_enum_domains(r_u, q_u->start_idx + num_entries, num_entries);
+
+ return r_u->status;
+}
+
+/*******************************************************************
+ api_samr_open_alias
+ ********************************************************************/
+
+uint32 _api_samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_ALIAS *r_u)
+{
+ DOM_SID sid;
+ POLICY_HND domain_pol = q_u->dom_pol;
+ uint32 alias_rid = q_u->rid_alias;
+ POLICY_HND *alias_pol = &r_u->pol;
+
+ r_u->status = NT_STATUS_NO_PROBLEMO;
+
+ /* get the domain policy. */
+ if (find_lsa_policy_by_hnd(&domain_pol) == -1)
+ return NT_STATUS_INVALID_HANDLE;
+
+ /* get a (unique) handle. open a policy on it. */
+ if (!open_lsa_policy_hnd(alias_pol))
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+
+ /* Get the domain SID stored in the domain policy */
+ if(!get_lsa_policy_samr_sid(&domain_pol, &sid)) {
+ close_lsa_policy_hnd(alias_pol);
+ return NT_STATUS_INVALID_HANDLE;
+ }
+
+ /*
+ * we should check if the rid really exist !!!
+ * JFM.
+ */
+
+
+ /* append the alias' RID to it */
+ if(!sid_append_rid(&sid, alias_rid)) {
+ close_lsa_policy_hnd(alias_pol);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ /* associate a SID with the (unique) handle. */
+ if (!set_lsa_policy_samr_sid(alias_pol, &sid)) {
+ /* oh, whoops. don't know what error message to return, here */
+ close_lsa_policy_hnd(alias_pol);
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ return r_u->status;
+}
+
+/*******************************************************************
+ set_user_info_10
+ ********************************************************************/
+
+static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, uint32 rid)
+{
+ struct sam_passwd *pwd = getsam21pwrid(rid);
+ struct sam_passwd new_pwd;
+
+ if (id10 == NULL) {
+ DEBUG(5, ("set_user_info_10: NULL id10\n"));
+ return False;
+ }
+
+ if (pwd == NULL)
+ return False;
+
+ copy_sam_passwd(&new_pwd, pwd);
+
+ new_pwd.acct_ctrl = id10->acb_info;
+
+ if(!mod_sam21pwd_entry(&new_pwd, True))
+ return False;
+
+ return True;
+}
+
+/*******************************************************************
+ set_user_info_12
+ ********************************************************************/
+
+static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, uint32 rid)
+{
+ struct sam_passwd *pwd = getsam21pwrid(rid);
+ struct sam_passwd new_pwd;
+ static uchar nt_hash[16];
+ static uchar lm_hash[16];
+
+ if (pwd == NULL)
+ return False;
+
+ if (id12 == NULL) {
+ DEBUG(2, ("set_user_info_12: id12 is NULL\n"));
+ return False;
+ }
+
+ pdb_init_sam(&new_pwd);
+ copy_sam_passwd(&new_pwd, pwd);
+
+ memcpy(nt_hash, id12->nt_pwd, sizeof(nt_hash));
+ memcpy(lm_hash, id12->lm_pwd, sizeof(lm_hash));
+
+ new_pwd.smb_passwd = lm_hash;
+ new_pwd.smb_nt_passwd = nt_hash;
+
+ if(!mod_sam21pwd_entry(&new_pwd, True))
+ return False;
+
+ return True;
+}
+
+/*******************************************************************
+ set_user_info_21
+ ********************************************************************/
+
+static BOOL set_user_info_21 (SAM_USER_INFO_21 *id21, uint32 rid)
+{
+ struct sam_passwd *pwd = getsam21pwrid(rid);
+ struct sam_passwd new_pwd;
+ static uchar nt_hash[16];
+ static uchar lm_hash[16];
+
+ if (id21 == NULL) {
+ DEBUG(5, ("set_user_info_21: NULL id21\n"));
+ return False;
+ }
+
+ if (pwd == NULL)
+ return False;
+
+ pdb_init_sam(&new_pwd);
+ /* we make a copy so that we can modify stuff */
+ copy_sam_passwd(&new_pwd, pwd);
+ copy_id21_to_sam_passwd(&new_pwd, id21);
+
+ if (pwd->smb_nt_passwd != NULL) {
+ memcpy(nt_hash, pwd->smb_nt_passwd, 16);
+ new_pwd.smb_nt_passwd = nt_hash;
+ } else
+ new_pwd.smb_nt_passwd = NULL;
+
+ if (pwd->smb_nt_passwd != NULL) {
+ memcpy(lm_hash, pwd->smb_passwd, 16);
+ new_pwd.smb_passwd = lm_hash;
+ } else
+ new_pwd.smb_passwd = NULL;
+
+ if(!mod_sam21pwd_entry(&new_pwd, True))
+ return False;
+
+ return True;
+}
+
+/*******************************************************************
+ set_user_info_23
+ ********************************************************************/
+
+static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid)
+{
+ struct sam_passwd *pwd = getsam21pwrid(rid);
+ struct sam_passwd new_pwd;
+ static uchar nt_hash[16];
+ static uchar lm_hash[16];
+ pstring buf;
+ uint32 len;
+
+ if (id23 == NULL) {
+ DEBUG(5, ("set_user_info_23: NULL id23\n"));
+ return False;
+ }
+
+ if (pwd == NULL)
+ return False;
+
+ pdb_init_sam(&new_pwd);
+ copy_sam_passwd(&new_pwd, pwd);
+ copy_id23_to_sam_passwd(&new_pwd, id23);
+
+ memset(buf, 0, sizeof(pstring));
+
+ if (!decode_pw_buffer((char*)id23->pass, buf, 256, &len, nt_hash, lm_hash))
+ return False;
+
+ new_pwd.smb_passwd = lm_hash;
+ new_pwd.smb_nt_passwd = nt_hash;
+
+ /* if it's a trust account, don't update /etc/passwd */
+ if ( ( (new_pwd.acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
+ ( (new_pwd.acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
+ ( (new_pwd.acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
+ DEBUG(5, ("Changing trust account password, not updating /etc/passwd\n"));
+ } else {
+
+ /* update the UNIX password */
+ if (lp_unix_password_sync() )
+ if(!chgpasswd(new_pwd.smb_name, "", buf, True))
+ return False;
+ }
+
+ memset(buf, 0, sizeof(buf));
+
+ if(!mod_sam21pwd_entry(&new_pwd, True))
+ return False;
+
+ return True;
+}
+
+/*******************************************************************
+ set_user_info_24
+ ********************************************************************/
+
+static BOOL set_user_info_24(SAM_USER_INFO_24 *id24, uint32 rid)
+{
+ struct sam_passwd *pwd = getsam21pwrid(rid);
+ struct sam_passwd new_pwd;
+ static uchar nt_hash[16];
+ static uchar lm_hash[16];
+ uint32 len;
+ pstring buf;
+
+ if (pwd == NULL)
+ return False;
+
+ pdb_init_sam(&new_pwd);
+ copy_sam_passwd(&new_pwd, pwd);
+
+ memset(buf, 0, sizeof(pstring));
+
+ if (!decode_pw_buffer((char*)id24->pass, buf, 256, &len, nt_hash, lm_hash))
+ return False;
+
+ new_pwd.smb_passwd = lm_hash;
+ new_pwd.smb_nt_passwd = nt_hash;
+
+ /* if it's a trust account, don't update /etc/passwd */
+ if ( ( (new_pwd.acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
+ ( (new_pwd.acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
+ ( (new_pwd.acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
+ DEBUG(5, ("Changing trust account password, not updating /etc/passwd\n"));
+ } else {
+
+ /* update the UNIX password */
+ if (lp_unix_password_sync() )
+ if(!chgpasswd(new_pwd.smb_name, "", buf, True))
+ return False;
+ }
+
+ memset(buf, 0, sizeof(buf));
+
+ DEBUG(5,("set_user_info_24: pdb_update_sam_account()\n"));
+
+ /* update the SAMBA password */
+ if(!mod_sam21pwd_entry(&new_pwd, True))
+ return False;
+
+ return True;
+}
+
+/*******************************************************************
+ samr_reply_set_userinfo
+ ********************************************************************/
+
+uint32 _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_USERINFO *r_u)
+{
+ uint32 rid = 0x0;
+ DOM_SID sid;
+ struct current_user user;
+ struct smb_passwd *smb_pass;
+ unsigned char sess_key[16];
+ POLICY_HND *pol = &q_u->pol;
+ uint16 switch_value = q_u->switch_value;
+ SAM_USERINFO_CTR *ctr = q_u->ctr;
+
+ DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__));
+
+ r_u->status = NT_STATUS_NOPROBLEMO;
+
+ if (p->ntlmssp_auth_validated) {
+ memcpy(&user, &p->pipe_user, sizeof(user));
+ } else {
+ extern struct current_user current_user;
+ memcpy(&user, ¤t_user, sizeof(user));
+ }
+
+ /* search for the handle */
+ if (find_lsa_policy_by_hnd(pol) == -1)
+ return NT_STATUS_INVALID_HANDLE;
+
+ /* find the policy handle. open a policy on it. */
+ if (!get_lsa_policy_samr_sid(pol, &sid))
+ return NT_STATUS_INVALID_HANDLE;
+
+ sid_split_rid(&sid, &rid);
+
+ DEBUG(5, ("_samr_set_userinfo: rid:0x%x, level:%d\n", rid, switch_value));
+
+ if (ctr == NULL) {
+ DEBUG(5, ("_samr_set_userinfo: NULL info level\n"));
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+
+ /*
+ * We need the NT hash of the user who is changing the user's password.
+ * This NT hash is used to generate a "user session key"
+ * This "user session key" is in turn used to encrypt/decrypt the user's password.
+ */
+
+ become_root();
+ smb_pass = getsmbpwuid(user.uid);
+ unbecome_root();
+ if(smb_pass == NULL) {
+ DEBUG(0,("_samr_set_userinfo: Unable to get smbpasswd entry for uid %u\n", (unsigned int)user.uid ));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ memset(sess_key, '\0', 16);
+ mdfour(sess_key, smb_pass->smb_nt_passwd, 16);
+
+ /* ok! user info levels (lots: see MSDEV help), off we go... */
+ switch (switch_value) {
+ case 0x12:
+ if (!set_user_info_12(ctr->info.id12, rid))
+ return NT_STATUS_ACCESS_DENIED;
+ break;
+
+ case 24:
+ SamOEMhash(ctr->info.id24->pass, sess_key, 1);
+ if (!set_user_info_24(ctr->info.id24, rid))
+ return NT_STATUS_ACCESS_DENIED;
+ break;
+
+ case 23:
+ SamOEMhash(ctr->info.id23->pass, sess_key, 1);
+ if (!set_user_info_23(ctr->info.id23, rid))
+ return NT_STATUS_ACCESS_DENIED;
+ break;
+
+ default:
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+ return r_u->status;
+}
+
+/*******************************************************************
+ samr_reply_set_userinfo2
+ ********************************************************************/
+
+uint32 _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SET_USERINFO2 *r_u)
+{
+ DOM_SID sid;
+ uint32 rid = 0x0;
+ SAM_USERINFO_CTR *ctr = NULL;
+ POLICY_HND *pol = &q_u->pol;
+ uint16 switch_value = q_u->switch_value;
+
+ DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__));
+
+ r_u->status = NT_STATUS_NOPROBLEMO;
+
+ ctr = (SAM_USERINFO_CTR *)talloc(p->mem_ctx, sizeof(SAM_USERINFO_CTR));
+ if (!ctr)
+ return NT_STATUS_NO_MEMORY;
+
+ q_u->ctr = ctr;
+
+ /* search for the handle */
+ if (find_lsa_policy_by_hnd(pol) == -1)
+ return NT_STATUS_INVALID_HANDLE;
+
+ /* find the policy handle. open a policy on it. */
+ if (!get_lsa_policy_samr_sid(pol, &sid))
+ return NT_STATUS_INVALID_HANDLE;
+
+ sid_split_rid(&sid, &rid);
+
+ DEBUG(5, ("samr_reply_set_userinfo2: rid:0x%x\n", rid));
+
+ if (ctr == NULL) {
+ DEBUG(5, ("samr_reply_set_userinfo2: NULL info level\n"));
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+ ctr->switch_value = switch_value;
+
+ /* ok! user info levels (lots: see MSDEV help), off we go... */
+ switch (switch_value) {
+ case 21:
+ if (!set_user_info_21(ctr->info.id21, rid))
+ return NT_STATUS_ACCESS_DENIED;
+ break;
+ case 16:
+ if (!set_user_info_10(ctr->info.id10, rid))
+ return NT_STATUS_ACCESS_DENIED;
+ break;
+ default:
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+ return r_u->status;
+}
+
+/*********************************************************************
+ _samr_query_aliasmem
+*********************************************************************/
+
+uint32 _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u)
+{
+ DEBUG(0,("_samr_query_useraliases: Not yet implemented.\n"));
+ return False;
+}
+
+/*********************************************************************
+ _samr_query_aliasmem
+*********************************************************************/
+
+uint32 _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_QUERY_ALIASMEM *r_u)
+{
+ DEBUG(0,("_samr_query_aliasmem: Not yet implemented.\n"));
+ return False;
+}
+
+/*********************************************************************
+ _samr_query_groupmem
+*********************************************************************/
+
+uint32 _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u)
+{
+ DEBUG(0,("_samr_query_groupmem: Not yet implemented.\n"));
+ return False;
+}
+
+/*********************************************************************
+ _samr_add_aliasmem
+*********************************************************************/
+
+uint32 _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_ADD_ALIASMEM *r_u)
+{
+ DEBUG(0,("_samr_add_aliasmem: Not yet implemented.\n"));
+ return False;
+}
+
+/*********************************************************************
+ _samr_del_aliasmem
+*********************************************************************/
+
+uint32 _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DEL_ALIASMEM *r_u)
+{
+ DEBUG(0,("_samr_del_aliasmem: Not yet implemented.\n"));
+ return False;
+}
+
+/*********************************************************************
+ _samr_add_groupmem
+*********************************************************************/
+
+uint32 _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_ADD_GROUPMEM *r_u)
+{
+ DEBUG(0,("_samr_add_groupmem: Not yet implemented.\n"));
+ return False;
+}
+
+/*********************************************************************
+ _samr_del_groupmem
+*********************************************************************/
+
+uint32 _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DEL_GROUPMEM *r_u)
+{
+ DEBUG(0,("_samr_del_groupmem: Not yet implemented.\n"));
+ return False;
+}
+
+/*********************************************************************
+ _samr_delete_dom_user
+*********************************************************************/
+
+uint32 _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAMR_R_DELETE_DOM_USER *r_u )
+{
+ DEBUG(0,("_samr_delete_dom_user: Not yet implemented.\n"));
+ return False;
+}
+
+/*********************************************************************
+ _samr_delete_dom_group
+*********************************************************************/
+
+uint32 _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, SAMR_R_DELETE_DOM_GROUP *r_u)
+{
+ DEBUG(0,("_samr_delete_dom_group: Not yet implemented.\n"));
+ return False;
+}
+
+/*********************************************************************
+ _samr_delete_dom_alias
+*********************************************************************/
+
+uint32 _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, SAMR_R_DELETE_DOM_ALIAS *r_u)
+{
+ DEBUG(0,("_samr_delete_dom_alias: Not yet implemented.\n"));
+ return False;
+}
+
+/*********************************************************************
+ _samr_create_dom_group
+*********************************************************************/ + +uint32 _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, SAMR_R_CREATE_DOM_GROUP *r_u) +{ + DEBUG(0,("_samr_create_dom_group: Not yet implemented.\n")); + return False; +} + +/********************************************************************* + _samr_create_dom_alias +*********************************************************************/ + +uint32 _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, SAMR_R_CREATE_DOM_ALIAS *r_u) +{ + DEBUG(0,("_samr_create_dom_alias: Not yet implemented.\n")); + return False; +} + +/********************************************************************* + _samr_query_groupinfo +*********************************************************************/ + +uint32 _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_R_QUERY_GROUPINFO *r_u) +{ + DEBUG(0,("_samr_query_groupinfo: Not yet implemented.\n")); + return False; +} + +/********************************************************************* + _samr_set_groupinfo +*********************************************************************/ + +uint32 _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SET_GROUPINFO *r_u) +{ + DEBUG(0,("_samr_set_groupinfo: Not yet implemented.\n")); + return False; +} + +/********************************************************************* + _samr_get_dom_pwinfo +*********************************************************************/ + +uint32 _samr_get_dom_pwinfo(pipes_struct *p, SAMR_Q_GET_DOM_PWINFO *q_u, SAMR_R_GET_DOM_PWINFO *r_u) +{ + DEBUG(0,("_samr_get_dom_pwinfo: Not yet implemented.\n")); + return False; +} + +/********************************************************************* + _samr_open_group +*********************************************************************/ + +uint32 _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_GROUP *r_u) +{ + DEBUG(0,("_samr_open_group: Not yet 
implemented.\n")); + return False; +} + +/********************************************************************* + _samr_unknown_2d +*********************************************************************/ + +uint32 _samr_unknown_2d(pipes_struct *p, SAMR_Q_UNKNOWN_2D *q_u, SAMR_R_UNKNOWN_2D *r_u) +{ + DEBUG(0,("_samr_unknown_2d: Not yet implemented.\n")); + return False; +} -- cgit From da3053048c3d224a20d6383ac6682d31059cd46c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sun, 11 Mar 2001 00:32:10 +0000 Subject: Merge of new 2.2 code into HEAD (Gerald I hate you :-) :-). Allows new SAMR RPC code to merge with new passdb code. Currently rpcclient doesn't compile. I'm working on it... Jeremy. (This used to be commit 0be41d5158ea4e645e93e8cd30617c038416e549) --- source3/rpc_server/srv_samr_nt.c | 672 ++++++++++++++++++--------------------- 1 file changed, 316 insertions(+), 356 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index bd04b40c4d..ff484a8ff1 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -39,6 +39,23 @@ extern rid_name domain_group_rids[]; extern rid_name domain_alias_rids[]; extern rid_name builtin_alias_rids[]; +struct samr_info { + /* for use by the \PIPE\samr policy */ + DOM_SID sid; + uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */ +}; + +/******************************************************************* + Function to free the per handle data. + ********************************************************************/ + +static void free_samr_info(void *ptr) +{ + struct samr_info *samr = (struct samr_info *)ptr; + + safe_free(samr); +} + /******************************************************************* This next function should be replaced with something that dynamically returns the correct user info..... JRA. 
@@ -48,8 +65,7 @@ static BOOL get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, int *total_entries, int *num_entries, int max_num_entries, uint16 acb_mask) { - void *vp = NULL; - struct sam_passwd *pwd = NULL; + SAM_ACCOUNT *pwd = NULL; (*num_entries) = 0; (*total_entries) = 0; @@ -57,13 +73,12 @@ static BOOL get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, if (pw_buf == NULL) return False; - vp = startsmbpwent(False); - if (!vp) { - DEBUG(0, ("get_sampwd_entries: Unable to open SMB password database.\n")); + if (!pdb_setsampwent(False)) { + DEBUG(0, ("get_sampwd_entries: Unable to open passdb.\n")); return False; } - while (((pwd = getsam21pwent(vp)) != NULL) && (*num_entries) < max_num_entries) { + while (((pwd = pdb_getsampwent()) != NULL) && (*num_entries) < max_num_entries) { int user_name_len; if (start_idx > 0) { 
@@ -74,21 +89,20 @@ static BOOL get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, continue; } - user_name_len = strlen(pwd->smb_name)+1; - init_unistr2(&pw_buf[(*num_entries)].uni_user_name, pwd->smb_name, user_name_len); + user_name_len = strlen(pdb_get_username(pwd))+1; + init_unistr2(&pw_buf[(*num_entries)].uni_user_name, pdb_get_username(pwd), user_name_len); init_uni_hdr(&pw_buf[(*num_entries)].hdr_user_name, user_name_len); pw_buf[(*num_entries)].user_rid = pwd->user_rid; memset((char *)pw_buf[(*num_entries)].nt_pwd, '\0', 16); /* Now check if the NT compatible password is available. */ - if (pwd->smb_nt_passwd != NULL) { - memcpy( pw_buf[(*num_entries)].nt_pwd , pwd->smb_nt_passwd, 16); - } + if (pdb_get_nt_passwd(pwd)) + memcpy( pw_buf[(*num_entries)].nt_pwd , pdb_get_nt_passwd(pwd), 16); - pw_buf[(*num_entries)].acb_info = (uint16)pwd->acct_ctrl; + pw_buf[(*num_entries)].acb_info = pdb_get_acct_ctrl(pwd); DEBUG(5, ("entry idx: %d user %s, rid 0x%x, acb %x", - (*num_entries), pwd->smb_name, pwd->user_rid, pwd->acct_ctrl)); + (*num_entries), pdb_get_username(pwd), pdb_get_user_rid(pwd), pdb_get_acct_ctrl(pwd) )); if (acb_mask == 0 || (pwd->acct_ctrl & acb_mask)) { DEBUG(5,(" acb_mask %x accepts\n", acb_mask)); @@ -100,17 +114,16 @@ static BOOL get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, (*total_entries)++; } - endsmbpwent(vp); + pdb_endsampwent(); return (*num_entries) > 0; } static BOOL jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, - int *total_entries, int *num_entries, + int *total_entries, uint32 *num_entries, int max_num_entries, uint16 acb_mask) { - void *vp = NULL; - struct sam_passwd *pwd = NULL; + SAM_ACCOUNT *pwd = NULL; *num_entries = 0; *total_entries = 0; 
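Review bot: Two unchanged lines in this hunk still read the account structure directly, `pw_buf[(*num_entries)].user_rid = pwd->user_rid;` and `if (acb_mask == 0 || (pwd->acct_ctrl & acb_mask))`, although an earlier hunk turns `pwd` into a `SAM_ACCOUNT *` and the DEBUG line here already uses the accessors. Any validation or representation change made behind the `pdb_get_*` calls would be skipped on exactly the lines that decide which accounts are returned. I would write them as `pw_buf[(*num_entries)].user_rid = pdb_get_user_rid(pwd);` and `if (acb_mask == 0 || (pdb_get_acct_ctrl(pwd) & acb_mask))`, matching jf_get_sampwd_entries. The function body starts and ends outside this hunk.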
@@ -118,17 +131,16 @@ static BOOL jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, if (pw_buf == NULL) return False; - vp = startsmbpwent(False); - if (!vp) { - DEBUG(0, ("get_sampwd_entries: Unable to open SMB password database.\n")); - return False; - } + if (!pdb_setsampwent(False)) { + DEBUG(0, ("jf_get_sampwd_entries: Unable to open passdb.\n")); + return False; + } - while (((pwd = getsam21pwent(vp)) != NULL) && (*num_entries) < max_num_entries) { + while (((pwd = pdb_getsampwent()) != NULL) && (*num_entries) < max_num_entries) { int user_name_len; int full_name_len; - if (acb_mask != 0 && !(pwd->acct_ctrl & acb_mask)) + if (acb_mask != 0 && !(pdb_get_acct_ctrl(pwd) & acb_mask)) continue; if (start_idx > 0) { 
@@ -141,29 +153,29 @@ static BOOL jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, ZERO_STRUCTP(&pw_buf[(*num_entries)]); - user_name_len = strlen(pwd->smb_name); - init_unistr2(&pw_buf[(*num_entries)].uni_user_name, pwd->smb_name, user_name_len); + user_name_len = strlen(pdb_get_username(pwd)); + init_unistr2(&pw_buf[(*num_entries)].uni_user_name, pdb_get_username(pwd), user_name_len); init_uni_hdr(&pw_buf[(*num_entries)].hdr_user_name, user_name_len); - full_name_len = strlen(pwd->full_name); - init_unistr2(&pw_buf[(*num_entries)].uni_full_name, pwd->full_name, full_name_len); + full_name_len = strlen(pdb_get_fullname(pwd)); + init_unistr2(&pw_buf[(*num_entries)].uni_full_name, pdb_get_fullname(pwd), full_name_len); init_uni_hdr(&pw_buf[(*num_entries)].hdr_full_name, full_name_len); - pw_buf[(*num_entries)].user_rid = pwd->user_rid; + pw_buf[(*num_entries)].user_rid = pdb_get_user_rid(pwd); memset((char *)pw_buf[(*num_entries)].nt_pwd, '\0', 16); /* Now check if the NT compatible password is available. */ - if (pwd->smb_nt_passwd != NULL) { - memcpy( pw_buf[(*num_entries)].nt_pwd , pwd->smb_nt_passwd, 16); - } + if (pdb_get_nt_passwd(pwd)) + memcpy( pw_buf[(*num_entries)].nt_pwd , pdb_get_nt_passwd(pwd), 16); - pw_buf[(*num_entries)].acb_info = (uint16)pwd->acct_ctrl; + pw_buf[(*num_entries)].acb_info = pdb_get_acct_ctrl(pwd); - DEBUG(5, ("entry idx: %d user %s, rid 0x%x, acb %x\n", (*num_entries), pwd->smb_name, pwd->user_rid, pwd->acct_ctrl)); + DEBUG(5, ("entry idx: %d user %s, rid 0x%x, acb %x\n", (*num_entries), + pdb_get_username(pwd), pdb_get_user_rid(pwd), pdb_get_acct_ctrl(pwd) )); (*num_entries)++; } - endsmbpwent(vp); + pdb_endsampwent(); *total_entries = *num_entries; return True; 
@@ -425,7 +437,7 @@ uint32 _samr_close_hnd(pipes_struct *p, SAMR_Q_CLOSE_HND *q_u, SAMR_R_CLOSE_HND r_u->status = NT_STATUS_NOPROBLEMO; /* close the policy handle */ - if (!close_lsa_policy_hnd(&q_u->pol)) + if (!close_policy_hnd(p, &q_u->pol)) return NT_STATUS_OBJECT_NAME_INVALID; DEBUG(5,("samr_reply_close_hnd: %d\n", __LINE__)); 
@@ -439,42 +451,57 @@ uint32 _samr_close_hnd(pipes_struct *p, SAMR_Q_CLOSE_HND *q_u, SAMR_R_CLOSE_HND uint32 _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN_DOMAIN *r_u) { + struct samr_info *info; + r_u->status = NT_STATUS_NOPROBLEMO; /* find the connection policy handle. */ - if (find_lsa_policy_by_hnd(&q_u->pol) == -1) + if (!find_policy_by_hnd(p, &q_u->pol, NULL)) return NT_STATUS_INVALID_HANDLE; - /* get a (unique) handle. open a policy on it. */ - if (!open_lsa_policy_hnd(&r_u->domain_pol)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - /* associate the domain SID with the (unique) handle. */ - if (!set_lsa_policy_samr_sid(&r_u->domain_pol, &q_u->dom_sid.sid)) { - close_lsa_policy_hnd(&r_u->domain_pol); + if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + return NT_STATUS_NO_MEMORY; + + ZERO_STRUCTP(info); + info->sid = q_u->dom_sid.sid; + + /* get a (unique) handle. open a policy on it. */ + if (!create_policy_hnd(p, &r_u->domain_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } DEBUG(5,("samr_open_domain: %d\n", __LINE__)); return r_u->status; } +static uint32 get_lsa_policy_samr_rid(struct samr_info *info) +{ + if (!info) { + DEBUG(3,("Error getting policy\n")); + return 0xffffffff; + } + + return info->sid.sub_auths[info->sid.num_auths-1]; +} + /******************************************************************* _samr_get_usrdom_pwinfo ********************************************************************/ uint32 _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, SAMR_R_GET_USRDOM_PWINFO *r_u) { + struct samr_info *info = NULL; + r_u->status = NT_STATUS_NOPROBLEMO; /* find the policy handle. open a policy on it. 
*/ - if (find_lsa_policy_by_hnd(&q_u->user_pol) == -1) { + if (!find_policy_by_hnd(p, &q_u->user_pol, (void **)&info)) { return NT_STATUS_INVALID_HANDLE; } /* find the user's rid */ - if (get_lsa_policy_samr_rid(&q_u->user_pol) == 0xffffffff) { + if (get_lsa_policy_samr_rid(info) == 0xffffffff) { return NT_STATUS_OBJECT_TYPE_MISMATCH; } @@ -531,6 +558,21 @@ static uint32 samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC_BUF **buf, DOM_SID return NT_STATUS_NOPROBLEMO; } +static BOOL get_lsa_policy_samr_sid(pipes_struct *p, POLICY_HND *pol, DOM_SID *sid) +{ + struct samr_info *info = NULL; + + /* find the policy handle. open a policy on it. */ + if (!find_policy_by_hnd(p, pol, (void **)&info)) + return False; + + if (!info) + return False; + + *sid = info->sid; + return True; +} + /******************************************************************* _samr_query_sec_obj ********************************************************************/ @@ -541,13 +583,10 @@ uint32 _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_QU r_u->status = NT_STATUS_NOPROBLEMO; - /* find the policy handle. open a policy on it. */ - if ((find_lsa_policy_by_hnd(&q_u->user_pol)) == -1) - return NT_STATUS_INVALID_HANDLE; - /* Get the SID. */ - if (!get_lsa_policy_samr_sid(&q_u->user_pol, &pol_sid)) - return NT_STATUS_OBJECT_TYPE_MISMATCH; + + if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &pol_sid)) + return NT_STATUS_INVALID_HANDLE; r_u->status = samr_make_usr_obj_sd(p->mem_ctx, &r_u->buf, &pol_sid); @@ -608,7 +647,7 @@ uint32 _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, SAMR_R_ r_u->status = NT_STATUS_NOPROBLEMO; /* find the policy handle. open a policy on it. */ - if (find_lsa_policy_by_hnd(&q_u->pol) == -1) + if (!find_policy_by_hnd(p, &q_u->pol, NULL)) return NT_STATUS_INVALID_HANDLE; DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); 
@@ -808,12 +847,12 @@ static BOOL get_group_domain_entries(DOMAIN_GRP *d_grp, DOM_SID *sid, uint32 sta uint32 _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_R_ENUM_DOM_GROUPS *r_u) { DOMAIN_GRP grp[2]; - int num_entries; + uint32 num_entries; DOM_SID sid; r_u->status = NT_STATUS_NOPROBLEMO; - if (!get_lsa_policy_samr_sid(&q_u->pol, &sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid)) return NT_STATUS_INVALID_HANDLE; DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__)); @@ -837,14 +876,13 @@ uint32 _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_ uint32 _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAMR_R_ENUM_DOM_ALIASES *r_u) { DOMAIN_GRP grp[MAX_SAM_ENTRIES]; - int num_entries = 0; + uint32 num_entries = 0; fstring sid_str; DOM_SID sid; r_u->status = NT_STATUS_NOPROBLEMO; - /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(&q_u->pol, &sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid)) return NT_STATUS_INVALID_HANDLE; sid_to_string(sid_str, &sid); @@ -871,7 +909,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ SAM_USER_INFO_21 pass[MAX_SAM_ENTRIES]; DOMAIN_GRP grps[MAX_SAM_ENTRIES]; uint16 acb_mask = ACB_NORMAL; - int num_entries = 0; + uint32 num_entries = 0; int orig_num_entries = 0; int total_entries = 0; uint32 data_size = 0; @@ -883,7 +921,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ r_u->status = NT_STATUS_NOPROBLEMO; - if (!get_lsa_policy_samr_sid(&q_u->domain_pol, &sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid)) return NT_STATUS_INVALID_HANDLE; /* decide how many entries to get depending on the max_entries 
@@ -994,21 +1032,22 @@ uint32 _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_ fstring alias=""; enum SID_NAME_USE type; uint32 alias_rid; + struct samr_info *info = NULL; r_u->status = NT_STATUS_NOPROBLEMO; DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (find_lsa_policy_by_hnd(&q_u->pol) == -1) + if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - alias_rid = get_lsa_policy_samr_rid(&q_u->pol); + alias_rid = get_lsa_policy_samr_rid(info); if(alias_rid == 0xffffffff) return NT_STATUS_NO_SUCH_ALIAS; if(!local_lookup_rid(alias_rid, alias, &type)) - return NT_STATUS_NO_SUCH_ALIAS; + return NT_STATUS_NO_SUCH_ALIAS; switch (q_u->switch_level) { case 3: @@ -1104,7 +1143,7 @@ uint32 _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOK ZERO_ARRAY(rid); ZERO_ARRAY(type); - if (!get_lsa_policy_samr_sid(&q_u->pol, &pol_sid)) { + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid)) { init_samr_r_lookup_names(p->mem_ctx, r_u, 0, NULL, NULL, NT_STATUS_OBJECT_TYPE_MISMATCH); return r_u->status; } @@ -1135,7 +1174,7 @@ uint32 _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOK } } - init_samr_r_lookup_names(p->mem_ctx, r_u, num_rids, rid, type, r_u->status); + init_samr_r_lookup_names(p->mem_ctx, r_u, num_rids, rid, (uint32 *)type, r_u->status); DEBUG(5,("_samr_lookup_names: %d\n", __LINE__)); @@ -1227,7 +1266,7 @@ uint32 _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(&q_u->pol, &pol_sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid)) return NT_STATUS_INVALID_HANDLE; if (num_rids > MAX_SAM_ENTRIES) { 
@@ -1274,50 +1313,45 @@ uint32 _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP uint32 _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USER *r_u) { - struct sam_passwd *sam_pass; + SAM_ACCOUNT *sampass; DOM_SID sid; POLICY_HND domain_pol = q_u->domain_pol; uint32 user_rid = q_u->user_rid; POLICY_HND *user_pol = &r_u->user_pol; + struct samr_info *info = NULL; r_u->status = NT_STATUS_NO_PROBLEMO; /* find the domain policy handle. */ - if (find_lsa_policy_by_hnd(&domain_pol) == -1) + if (!find_policy_by_hnd(p, &domain_pol, NULL)) return NT_STATUS_INVALID_HANDLE; - /* get a (unique) handle. open a policy on it. */ - if (!open_lsa_policy_hnd(user_pol)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - become_root(); - sam_pass = getsam21pwrid(user_rid); + sampass = pdb_getsampwrid(user_rid); unbecome_root(); /* check that the RID exists in our domain. */ - if (sam_pass == NULL) { - close_lsa_policy_hnd(user_pol); + if (sampass == NULL) return NT_STATUS_NO_SUCH_USER; - } /* Get the domain SID stored in the domain policy */ - if(!get_lsa_policy_samr_sid(&domain_pol, &sid)) { - close_lsa_policy_hnd(user_pol); + if(!get_lsa_policy_samr_sid(p, &domain_pol, &sid)) return NT_STATUS_INVALID_HANDLE; - } /* append the user's RID to it */ - if(!sid_append_rid(&sid, user_rid)) { - close_lsa_policy_hnd(user_pol); + if(!sid_append_rid(&sid, user_rid)) return NT_STATUS_NO_SUCH_USER; - } - /* associate the user's SID with the handle. */ - if (!set_lsa_policy_samr_sid(user_pol, &sid)) { - /* oh, whoops. don't know what error message to return, here */ - close_lsa_policy_hnd(user_pol); + /* associate the user's SID with the new handle. */ + if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + return NT_STATUS_NO_MEMORY; + + ZERO_STRUCTP(info); + info->sid = sid; + + /* get a (unique) handle. open a policy on it. 
*/ + if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } return r_u->status; } @@ -1328,7 +1362,7 @@ uint32 _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_U static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) { - struct smb_passwd *smb_pass; + SAM_ACCOUNT *smbpass; if (!pdb_rid_is_user(user_rid)) { DEBUG(4,("RID 0x%x is not a user RID\n", user_rid)); @@ -1336,18 +1370,17 @@ static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) } become_root(); - smb_pass = getsmbpwrid(user_rid); + smbpass = pdb_getsampwrid(user_rid); unbecome_root(); - if (smb_pass == NULL) - { + if (smbpass == NULL) { DEBUG(4,("User 0x%x not found\n", user_rid)); return False; } - DEBUG(3,("User:[%s]\n", smb_pass->smb_name)); + DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) )); - init_sam_user_info10(id10, smb_pass->acct_ctrl); + init_sam_user_info10(id10, pdb_get_acct_ctrl(smbpass) ); return True; } @@ -1358,23 +1391,23 @@ static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) static BOOL get_user_info_12(SAM_USER_INFO_12 * id12, uint32 user_rid) { - struct smb_passwd *smb_pass; + SAM_ACCOUNT *smbpass; become_root(); - smb_pass = getsmbpwrid(user_rid); + smbpass = pdb_getsampwrid(user_rid); unbecome_root(); - if (smb_pass == NULL) { + if (smbpass == NULL) { DEBUG(4, ("User 0x%x not found\n", user_rid)); return False; } - DEBUG(3,("User:[%s] 0x%x\n", smb_pass->smb_name, smb_pass->acct_ctrl)); + DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) )); - if (smb_pass->acct_ctrl & ACB_DISABLED) + if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) return False; - init_sam_user_info12(id12, smb_pass->smb_passwd, smb_pass->smb_nt_passwd); + init_sam_user_info12(id12, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass)); return True; } 
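Review bot: When `create_policy_hnd()` fails in `_api_samr_open_user`, the freshly malloc'd `info` is not released before `return NT_STATUS_OBJECT_NAME_NOT_FOUND;`. Unless `create_policy_hnd` itself invokes `free_samr_info` on failure (not shown on this page), every failed open leaks one `struct samr_info`, and these calls are reachable by remote RPC clients. Adding `safe_free(info);` before that return would close it, once the callee's ownership rule has been checked. The same pattern appears in the hunks for `_samr_open_domain`, `_api_samr_create_user`, `_samr_connect_anon`, `_samr_connect` and `_api_samr_open_alias`.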
@@ -1385,10 +1418,7 @@ static BOOL get_user_info_12(SAM_USER_INFO_12 * id12, uint32 user_rid) static BOOL get_user_info_21(SAM_USER_INFO_21 *id21, uint32 user_rid) { - NTTIME dummy_time; - struct sam_passwd *sam_pass; - LOGON_HRS hrs; - int i; + SAM_ACCOUNT *sampass; if (!pdb_rid_is_user(user_rid)) { DEBUG(4,("RID 0x%x is not a user RID\n", user_rid)); 
@@ -1396,56 +1426,17 @@ static BOOL get_user_info_21(SAM_USER_INFO_21 *id21, uint32 user_rid) } become_root(); - sam_pass = getsam21pwrid(user_rid); + sampass = pdb_getsampwrid(user_rid); unbecome_root(); - if (sam_pass == NULL) { + if (sampass == NULL) { DEBUG(4,("User 0x%x not found\n", user_rid)); return False; } - DEBUG(3,("User:[%s]\n", sam_pass->smb_name)); - - dummy_time.low = 0xffffffff; - dummy_time.high = 0x7fffffff; - - DEBUG(5,("get_user_info_21 - TODO: convert unix times to NTTIMEs\n")); - - /* create a LOGON_HRS structure */ - hrs.len = sam_pass->hours_len; - SMB_ASSERT_ARRAY(hrs.hours, hrs.len); - for (i = 0; i < hrs.len; i++) - hrs.hours[i] = sam_pass->hours[i]; - - init_sam_user_info21A(id21, - - &dummy_time, /* logon_time */ - &dummy_time, /* logoff_time */ - &dummy_time, /* kickoff_time */ - &dummy_time, /* pass_last_set_time */ - &dummy_time, /* pass_can_change_time */ - &dummy_time, /* pass_must_change_time */ - - sam_pass->smb_name, /* user_name */ - sam_pass->full_name, /* full_name */ - sam_pass->home_dir, /* home_dir */ - sam_pass->dir_drive, /* dir_drive */ - sam_pass->logon_script, /* logon_script */ - sam_pass->profile_path, /* profile_path */ - sam_pass->acct_desc, /* description */ - sam_pass->workstations, /* workstations user can log in from */ - sam_pass->unknown_str, /* don't know, yet */ - sam_pass->munged_dial, /* dialin info. contains dialin path and tel no */ - - sam_pass->user_rid, /* RID user_id */ - sam_pass->group_rid, /* RID group_id */ - sam_pass->acct_ctrl, - - sam_pass->unknown_3, /* unknown_3 */ - sam_pass->logon_divs, /* divisions per week */ - &hrs, /* logon hours */ - sam_pass->unknown_5, - sam_pass->unknown_6); + DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) )); + + init_sam_user_info21A(id21, sampass); return True; } 
@@ -1458,15 +1449,16 @@ uint32 _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_ { SAM_USERINFO_CTR *ctr; uint32 rid = 0; + struct samr_info *info = NULL; r_u->status=NT_STATUS_NO_PROBLEMO; /* search for the handle */ - if (find_lsa_policy_by_hnd(&q_u->pol) == -1) + if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; /* find the user's rid */ - if ((rid = get_lsa_policy_samr_rid(&q_u->pol)) == 0xffffffff) + if ((rid = get_lsa_policy_samr_rid(info)) == 0xffffffff) return NT_STATUS_OBJECT_TYPE_MISMATCH; DEBUG(5,("_samr_query_userinfo: rid:0x%x\n", rid)); @@ -1554,27 +1546,28 @@ uint32 _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAM int num_groups = 0; pstring groups; uint32 rid; + struct samr_info *info = NULL; r_u->status = NT_STATUS_NO_PROBLEMO; DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (find_lsa_policy_by_hnd(&q_u->pol) == -1) + if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; /* find the user's rid */ - if ((rid = get_lsa_policy_samr_rid(&q_u->pol)) == 0xffffffff) + if ((rid = get_lsa_policy_samr_rid(info)) == 0xffffffff) return NT_STATUS_OBJECT_TYPE_MISMATCH; become_root(); - sam_pass = getsam21pwrid(rid); + sam_pass = pdb_getsampwrid(rid); unbecome_root(); if (sam_pass == NULL) return NT_STATUS_NO_SUCH_USER; - get_domain_user_groups(groups, sam_pass->smb_name); + get_domain_user_groups(groups, pdb_get_username(sam_pass)); gids = NULL; num_groups = make_dom_gids(p->mem_ctx, groups, &gids); @@ -1593,7 +1586,6 @@ uint32 _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAM uint32 _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR_R_QUERY_DOMAIN_INFO *r_u) { SAM_UNK_CTR *ctr; - uint16 switch_value = 0; if ((ctr = (SAM_UNK_CTR *)talloc(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL) return NT_STATUS_NO_MEMORY; 
@@ -1605,38 +1597,31 @@ uint32 _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (find_lsa_policy_by_hnd(&q_u->domain_pol) == -1) + if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL)) return NT_STATUS_INVALID_HANDLE; switch (q_u->switch_value) { case 0x01: - switch_value = 0x1; init_unk_info1(&ctr->info.inf1); break; case 0x02: - switch_value = 0x2; /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */ init_unk_info2(&ctr->info.inf2, global_myworkgroup, global_myname, (uint32) time(NULL)); break; case 0x03: - switch_value = 0x3; init_unk_info3(&ctr->info.inf3); break; case 0x06: - switch_value = 0x6; init_unk_info6(&ctr->info.inf6); break; case 0x07: - switch_value = 0x7; init_unk_info7(&ctr->info.inf7); break; case 0x0c: - switch_value = 0xc; init_unk_info12(&ctr->info.inf12); break; default: return NT_STATUS_INVALID_INFO_CLASS; - break; } init_samr_r_query_dom_info(r_u, q_u->switch_value, ctr, NT_STATUS_NOPROBLEMO); @@ -1652,7 +1637,7 @@ uint32 _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREATE_USER *r_u) { - struct sam_passwd *sam_pass; + SAM_ACCOUNT *sam_pass; fstring mach_acct; pstring err_str; pstring msg_str; @@ -1663,9 +1648,10 @@ uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CR UNISTR2 user_account = q_u->uni_name; uint16 acb_info = q_u->acb_info; POLICY_HND *user_pol = &r_u->user_pol; + struct samr_info *info = NULL; /* find the policy handle. open a policy on it. */ - if (find_lsa_policy_by_hnd(&dom_pol) == -1) + if (!find_policy_by_hnd(p, &dom_pol, NULL)) return NT_STATUS_INVALID_HANDLE; /* find the machine account: tell the caller if it exists. 
@@ -1678,17 +1664,13 @@ uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CR strlower(mach_acct); become_root(); - sam_pass = getsam21pwnam(mach_acct); + sam_pass = pdb_getsampwnam(mach_acct); unbecome_root(); if (sam_pass != NULL) { /* machine account exists: say so */ return NT_STATUS_USER_EXISTS; } - /* get a (unique) handle. open a policy on it. */ - if (!open_lsa_policy_hnd(user_pol)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - local_flags=LOCAL_ADD_USER|LOCAL_DISABLE_USER|LOCAL_SET_NO_PASSWORD; local_flags|= (acb_info & ACB_WSTRUST) ? LOCAL_TRUST_ACCOUNT:0; 
@@ -1720,37 +1702,41 @@ uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CR sizeof(err_str), msg_str, sizeof(msg_str))) { DEBUG(0, ("%s\n", err_str)); - close_lsa_policy_hnd(user_pol); + close_policy_hnd(p, user_pol); return NT_STATUS_ACCESS_DENIED; } become_root(); - sam_pass = getsam21pwnam(mach_acct); + sam_pass = pdb_getsampwnam(mach_acct); unbecome_root(); if (sam_pass == NULL) { /* account doesn't exist: say so */ - close_lsa_policy_hnd(user_pol); + close_policy_hnd(p, user_pol); return NT_STATUS_ACCESS_DENIED; } /* Get the domain SID stored in the domain policy */ - if(!get_lsa_policy_samr_sid(&dom_pol, &sid)) { - close_lsa_policy_hnd(user_pol); + if(!get_lsa_policy_samr_sid(p, &dom_pol, &sid)) { + close_policy_hnd(p, user_pol); return NT_STATUS_INVALID_HANDLE; } /* append the user's RID to it */ - if(!sid_append_rid(&sid, sam_pass->user_rid)) { - close_lsa_policy_hnd(user_pol); + if(!sid_append_rid(&sid, pdb_get_user_rid(sam_pass) )) { + close_policy_hnd(p, user_pol); return NT_STATUS_NO_SUCH_USER; } - /* associate the SID with the (unique) handle. */ - if (!set_lsa_policy_samr_sid(user_pol, &sid)) { - /* oh, whoops. don't know what error message to return, here */ - close_lsa_policy_hnd(user_pol); + /* associate the user's SID with the new handle. */ + if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + return NT_STATUS_NO_MEMORY; + + ZERO_STRUCTP(info); + info->sid = sid; + + /* get a (unique) handle. open a policy on it. */ + if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } r_u->user_rid=sam_pass->user_rid; r_u->unknown_0 = 0x000703ff; 
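Review bot: The error paths in this hunk still call `close_policy_hnd(p, user_pol)`, but the previous hunk removed the early open and the handle is now only created by `create_policy_hnd()` at the end. At those points `user_pol` is just `&r_u->user_pol` from the reply structure, so the close acts on whatever bytes the reply holds rather than on a handle this function owns. I would drop the four `close_policy_hnd(p, user_pol);` calls, as the `_api_samr_open_user` hunk already does for its equivalents. Separately, `r_u->user_rid=sam_pass->user_rid;` could use `pdb_get_user_rid(sam_pass)` like the `sid_append_rid` call above it. The function starts outside this hunk.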
@@ -1764,19 +1750,22 @@ uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CR uint32 _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CONNECT_ANON *r_u) { + struct samr_info *info = NULL; + /* set up the SAMR connect_anon response */ r_u->status = NT_STATUS_NO_PROBLEMO; - /* get a (unique) handle. open a policy on it. */ - if (!open_lsa_policy_hnd(&r_u->connect_pol)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + /* associate the user's SID with the new handle. */ + if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + return NT_STATUS_NO_MEMORY; + + ZERO_STRUCTP(info); + info->status = q_u->unknown_0; - /* associate the domain SID with the (unique) handle. */ - if (!set_lsa_policy_samr_pol_status(&r_u->connect_pol, q_u->unknown_0)) { - close_lsa_policy_hnd(&r_u->connect_pol); + /* get a (unique) handle. open a policy on it. */ + if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } return r_u->status; } 
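Review bot: The comment `/* associate the user's SID with the new handle. */` in `_samr_connect_anon` does not describe the code beneath it, which stores `q_u->unknown_0` in `info->status` and leaves `info->sid` zeroed. The same comment is repeated in the `_samr_connect` hunk, where `q_u->access_mask` is stored. Something like `/* record the caller's connect flags in the handle data; info->sid stays zeroed for connect handles */` would be accurate. It would also tell later readers that SID-based helpers must not assume a populated SID on these handles.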
@@ -1787,19 +1776,22 @@ uint32 _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CONN uint32 _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u) { + struct samr_info *info = NULL; + DEBUG(5,("_samr_connect: %d\n", __LINE__)); r_u->status = NT_STATUS_NO_PROBLEMO; - /* get a (unique) handle. open a policy on it. */ - if (!open_lsa_policy_hnd(&r_u->connect_pol)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + /* associate the user's SID with the new handle. */ + if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + return NT_STATUS_NO_MEMORY; + + ZERO_STRUCTP(info); + info->status = q_u->access_mask; - /* associate the domain SID with the (unique) handle. */ - if (!set_lsa_policy_samr_pol_status(&r_u->connect_pol, q_u->access_mask)) { - close_lsa_policy_hnd(&r_u->connect_pol); + /* get a (unique) handle. open a policy on it. */ + if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } DEBUG(5,("_samr_connect: %d\n", __LINE__)); @@ -1814,7 +1806,7 @@ uint32 _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_LO { r_u->status = NT_STATUS_NO_PROBLEMO; - if (find_lsa_policy_by_hnd(&q_u->connect_pol) == -1) + if (!find_policy_by_hnd(p, &q_u->connect_pol, NULL)) return NT_STATUS_INVALID_HANDLE; /* assume the domain name sent is our global_myname and 
@@ -1894,41 +1886,37 @@ uint32 _api_samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN POLICY_HND domain_pol = q_u->dom_pol; uint32 alias_rid = q_u->rid_alias; POLICY_HND *alias_pol = &r_u->pol; + struct samr_info *info = NULL; r_u->status = NT_STATUS_NO_PROBLEMO; /* get the domain policy. */ - if (find_lsa_policy_by_hnd(&domain_pol) == -1) + if (!find_policy_by_hnd(p, &domain_pol, NULL)) return NT_STATUS_INVALID_HANDLE; - /* get a (unique) handle. open a policy on it. */ - if (!open_lsa_policy_hnd(alias_pol)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - /* Get the domain SID stored in the domain policy */ - if(!get_lsa_policy_samr_sid(&domain_pol, &sid)) { - close_lsa_policy_hnd(alias_pol); + if(!get_lsa_policy_samr_sid(p, &domain_pol, &sid)) return NT_STATUS_INVALID_HANDLE; - } + + /* append the alias' RID to it */ + if(!sid_append_rid(&sid, alias_rid)) + return NT_STATUS_NO_SUCH_USER; /* * we should check if the rid really exist !!! * JFM. */ + /* associate the user's SID with the new handle. */ + if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + return NT_STATUS_NO_MEMORY; - /* append the alias' RID to it */ - if(!sid_append_rid(&sid, alias_rid)) { - close_lsa_policy_hnd(alias_pol); - return NT_STATUS_NO_SUCH_USER; - } + ZERO_STRUCTP(info); + info->sid = sid; - /* associate a SID with the (unique) handle. */ - if (!set_lsa_policy_samr_sid(alias_pol, &sid)) { - /* oh, whoops. don't know what error message to return, here */ - close_lsa_policy_hnd(alias_pol); + /* get a (unique) handle. open a policy on it. */ + if (!create_policy_hnd(p, alias_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } return r_u->status; } 
@@ -1939,22 +1927,20 @@ uint32 _api_samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, uint32 rid) { - struct sam_passwd *pwd = getsam21pwrid(rid); - struct sam_passwd new_pwd; + SAM_ACCOUNT *pwd = pdb_getsampwrid(rid); if (id10 == NULL) { DEBUG(5, ("set_user_info_10: NULL id10\n")); return False; } - if (pwd == NULL) + pwd = pdb_getsampwrid(rid); + if (!pwd) return False; - copy_sam_passwd(&new_pwd, pwd); - - new_pwd.acct_ctrl = id10->acb_info; + pdb_set_acct_ctrl(pwd, id10->acb_info); - if(!mod_sam21pwd_entry(&new_pwd, True)) + if(!pdb_update_sam_account(pwd, True)) return False; return True; @@ -1966,31 +1952,22 @@ static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, uint32 rid) static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, uint32 rid) { - struct sam_passwd *pwd = getsam21pwrid(rid); - struct sam_passwd new_pwd; - static uchar nt_hash[16]; - static uchar lm_hash[16]; - + SAM_ACCOUNT *pwd = pdb_getsampwrid(rid); + if (pwd == NULL) return False; - + if (id12 == NULL) { DEBUG(2, ("set_user_info_12: id12 is NULL\n")); return False; } - - pdb_init_sam(&new_pwd); - copy_sam_passwd(&new_pwd, pwd); - - memcpy(nt_hash, id12->nt_pwd, sizeof(nt_hash)); - memcpy(lm_hash, id12->lm_pwd, sizeof(lm_hash)); - - new_pwd.smb_passwd = lm_hash; - new_pwd.smb_nt_passwd = nt_hash; - - if(!mod_sam21pwd_entry(&new_pwd, True)) + + pdb_set_lanman_passwd (pwd, id12->lm_pwd); + pdb_set_nt_passwd (pwd, id12->nt_pwd); + + if(!pdb_update_sam_account(pwd, True)) return False; - + return True; } 
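Review bot: `set_user_info_10` now looks the account up twice: `pwd` is initialised with `pdb_getsampwrid(rid)` at its declaration and assigned from the same call again after the `id10` check. The initialiser can become `SAM_ACCOUNT *pwd = NULL;` so the passdb lookup happens once, after the argument has been validated. `set_user_info_12` in the next hunk uses the opposite order (lookup first, then the `id12` check); one order for both would be easier to follow.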
@@ -1998,41 +1975,34 @@ static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, uint32 rid) set_user_info_21 ********************************************************************/ -static BOOL set_user_info_21 (SAM_USER_INFO_21 *id21, uint32 rid) +static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) { - struct sam_passwd *pwd = getsam21pwrid(rid); - struct sam_passwd new_pwd; - static uchar nt_hash[16]; - static uchar lm_hash[16]; - + SAM_ACCOUNT *pwd = pdb_getsampwrid(rid); + SAM_ACCOUNT new_pwd; + if (id21 == NULL) { DEBUG(5, ("set_user_info_21: NULL id21\n")); return False; } - + if (pwd == NULL) return False; - - pdb_init_sam(&new_pwd); - /* we make a copy so that we can modify stuff */ + + /* we make a copy so that we can modify stuff */ copy_sam_passwd(&new_pwd, pwd); copy_id21_to_sam_passwd(&new_pwd, id21); - - if (pwd->smb_nt_passwd != NULL) { - memcpy(nt_hash, pwd->smb_nt_passwd, 16); - new_pwd.smb_nt_passwd = nt_hash; - } else - new_pwd.smb_nt_passwd = NULL; - - if (pwd->smb_nt_passwd != NULL) { - memcpy(lm_hash, pwd->smb_passwd, 16); - new_pwd.smb_passwd = lm_hash; - } else - new_pwd.smb_passwd = NULL; - - if(!mod_sam21pwd_entry(&new_pwd, True)) + + /* + * The funny part about the previous two calls is + * that pwd still has the password hashes from the + * passdb entry. These have not been updated from + * id21. I don't know if they need to be set. --jerry + */ + + /* write the change out */ + if(!pdb_update_sam_account(&new_pwd, True)) return False; - + return True; } 
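Review bot: `new_pwd` is an uninitialised stack `SAM_ACCOUNT` now that the `pdb_init_sam(&new_pwd)` call has been removed, so `pdb_update_sam_account()` depends on `copy_sam_passwd()` and `copy_id21_to_sam_passwd()` assigning every member. Neither helper is visible here; if either skips a field, indeterminate stack contents are written to the account record. Adding `ZERO_STRUCT(new_pwd);` before `copy_sam_passwd()` removes that dependency. `set_user_info_23` declares `new_pwd` the same way.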
@@ -2042,52 +2012,54 @@ static BOOL set_user_info_21 (SAM_USER_INFO_21 *id21, uint32 rid) static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) { - struct sam_passwd *pwd = getsam21pwrid(rid); - struct sam_passwd new_pwd; - static uchar nt_hash[16]; - static uchar lm_hash[16]; - pstring buf; - uint32 len; - - if (id23 == NULL) { - DEBUG(5, ("set_user_info_23: NULL id23\n")); - return False; - } - - if (pwd == NULL) - return False; - - pdb_init_sam(&new_pwd); - copy_sam_passwd(&new_pwd, pwd); - copy_id23_to_sam_passwd(&new_pwd, id23); - - memset(buf, 0, sizeof(pstring)); - - if (!decode_pw_buffer((char*)id23->pass, buf, 256, &len, nt_hash, lm_hash)) - return False; - - new_pwd.smb_passwd = lm_hash; - new_pwd.smb_nt_passwd = nt_hash; + SAM_ACCOUNT *pwd = pdb_getsampwrid(rid); + SAM_ACCOUNT new_pwd; + BYTE nt_hash[16]; + BYTE lm_hash[16]; + pstring buf; + uint32 len; + uint16 acct_ctrl; + + if (id23 == NULL) { + DEBUG(5, ("set_user_info_23: NULL id23\n")); + return False; + } + + if (pwd == NULL) + return False; + + acct_ctrl = pdb_get_acct_ctrl(pwd); + copy_sam_passwd(&new_pwd, pwd); + copy_id23_to_sam_passwd(&new_pwd, id23); + + if (!decode_pw_buffer((char*)id23->pass, buf, 256, &len)) + return False; + + nt_lm_owf_gen(buf, nt_hash, lm_hash); + + pdb_set_lanman_passwd (&new_pwd, lm_hash); + pdb_set_nt_passwd (&new_pwd, nt_hash); + /* if it's a trust account, don't update /etc/passwd */ - if ( ( (new_pwd.acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || - ( (new_pwd.acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) || - ( (new_pwd.acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) { + if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || + ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) || + ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) { DEBUG(5, ("Changing trust account password, not updating /etc/passwd\n")); - } else { - + } else { + /* update the UNIX password */ /* update the UNIX password */ if (lp_unix_password_sync() ) - if(!chgpasswd(new_pwd.smb_name, "", buf, 
True)) + if(!chgpasswd(pdb_get_username(&new_pwd), "", buf, True)) return False; } - - memset(buf, 0, sizeof(buf)); - - if(!mod_sam21pwd_entry(&new_pwd, True)) - return False; - - return True; + + memset(buf, 0, sizeof(buf)); + + if(!pdb_update_sam_account(&new_pwd, True)) + return False; + + return True; } /******************************************************************* 
@@ -2096,49 +2068,51 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) static BOOL set_user_info_24(SAM_USER_INFO_24 *id24, uint32 rid) { - struct sam_passwd *pwd = getsam21pwrid(rid); - struct sam_passwd new_pwd; - static uchar nt_hash[16]; - static uchar lm_hash[16]; + SAM_ACCOUNT *pwd = pdb_getsampwrid(rid); + uchar nt_hash[16]; + uchar lm_hash[16]; uint32 len; pstring buf; - + uint16 acct_ctrl; + if (pwd == NULL) return False; + + acct_ctrl = pdb_get_acct_ctrl(pwd); - pdb_init_sam(&new_pwd); - copy_sam_passwd(&new_pwd, pwd); - - memset(buf, 0, sizeof(pstring)); - - if (!decode_pw_buffer((char*)id24->pass, buf, 256, &len, nt_hash, lm_hash)) + memset(buf, 0, sizeof(buf)); + + if (!decode_pw_buffer((char*)id24->pass, buf, 256, &len)) return False; - - new_pwd.smb_passwd = lm_hash; - new_pwd.smb_nt_passwd = nt_hash; - + + DEBUG(5,("set_user_info_24:nt_lm_owf_gen\n")); + + nt_lm_owf_gen(buf, nt_hash, lm_hash); + + pdb_set_lanman_passwd (pwd, lm_hash); + pdb_set_nt_passwd (pwd, nt_hash); + /* if it's a trust account, don't update /etc/passwd */ - if ( ( (new_pwd.acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || - ( (new_pwd.acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) || - ( (new_pwd.acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) { + if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || + ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) || + ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) { DEBUG(5, ("Changing trust account password, not updating /etc/passwd\n")); } else { - /* update the UNIX password */ - if (lp_unix_password_sync() ) - if(!chgpasswd(new_pwd.smb_name, "", buf, True)) + if (lp_unix_password_sync()) + if(!chgpasswd(pdb_get_username(pwd), "", buf, True)) return False; } - - memset(buf, 0, sizeof(buf)); - - DEBUG(5,("set_user_info_24: pdb_update_sam_account()\n")); - - /* update the SAMBA password */ - if(!mod_sam21pwd_entry(&new_pwd, True)) - return False; - - return True; + + memset(buf, 0, sizeof(buf)); + + DEBUG(0,("set_user_info_24: 
pdb_update_sam_account()\n")); + + /* update the SAMBA password */ + if(!pdb_update_sam_account(pwd, True)) + return False; + + return True; } /******************************************************************* @@ -2150,7 +2124,7 @@ uint32 _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_ uint32 rid = 0x0; DOM_SID sid; struct current_user user; - struct smb_passwd *smb_pass; + SAM_ACCOUNT *sam_pass; unsigned char sess_key[16]; POLICY_HND *pol = &q_u->pol; uint16 switch_value = q_u->switch_value; @@ -2167,12 +2141,8 @@ uint32 _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_ memcpy(&user, ¤t_user, sizeof(user)); } - /* search for the handle */ - if (find_lsa_policy_by_hnd(pol) == -1) - return NT_STATUS_INVALID_HANDLE; - /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(pol, &sid)) + if (!get_lsa_policy_samr_sid(p, pol, &sid)) return NT_STATUS_INVALID_HANDLE; sid_split_rid(&sid, &rid); @@ -2192,15 +2162,15 @@ uint32 _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_ */ become_root(); - smb_pass = getsmbpwuid(user.uid); + sam_pass = pdb_getsampwuid(user.uid); unbecome_root(); - if(smb_pass == NULL) { + if(sam_pass == NULL) { DEBUG(0,("_samr_set_userinfo: Unable to get smbpasswd entry for uid %u\n", (unsigned int)user.uid )); return NT_STATUS_ACCESS_DENIED; } memset(sess_key, '\0', 16); - mdfour(sess_key, smb_pass->smb_nt_passwd, 16); + mdfour(sess_key, pdb_get_nt_passwd(sam_pass), 16); /* ok! user info levels (lots: see MSDEV help), off we go... */ switch (switch_value) { @@ -2236,7 +2206,7 @@ uint32 _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SE { DOM_SID sid; uint32 rid = 0x0; - SAM_USERINFO_CTR *ctr = NULL; + SAM_USERINFO_CTR *ctr = q_u->ctr; POLICY_HND *pol = &q_u->pol; uint16 switch_value = q_u->switch_value; 
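Review bot: `set_user_info_24` dereferences `id24->pass` without the NULL check that `set_user_info_10`, `_12`, `_21` and `_23` all perform on their info argument. Unless the caller guarantees a non-NULL `ctr->info.id24` (the call site is outside this hunk), add `if (id24 == NULL) { DEBUG(5, ("set_user_info_24: NULL id24\n")); return False; }` before the password buffer is decoded. The trace message before `pdb_update_sam_account()` was also raised from `DEBUG(5, ...)` to `DEBUG(0, ...)`, which logs every password change at the always-on level; that looks like leftover debugging.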
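Review bot: `pdb_get_nt_passwd(sam_pass)` is passed straight to `mdfour()` with a fixed length of 16, and only `sam_pass` itself is checked for NULL. `samr_clear_sam_passwd()`, added by a later commit on this page, tests `nt_pw` for NULL before touching it, which suggests an account can lack an NT hash; in that case this line would read through a NULL pointer while deriving the session key. A guard such as `if (pdb_get_nt_passwd(sam_pass) == NULL) return NT_STATUS_ACCESS_DENIED;` before the `memset(sess_key, '\0', 16)` line would cover it. `_samr_set_userinfo` begins and ends outside this hunk, so whether `sess_key` is wiped before return cannot be checked here.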
@@ -2244,18 +2214,8 @@ uint32 _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SE r_u->status = NT_STATUS_NOPROBLEMO; - ctr = (SAM_USERINFO_CTR *)talloc(p->mem_ctx, sizeof(SAM_USERINFO_CTR)); - if (!ctr) - return NT_STATUS_NO_MEMORY; - - q_u->ctr = ctr; - - /* search for the handle */ - if (find_lsa_policy_by_hnd(pol) == -1) - return NT_STATUS_INVALID_HANDLE; - /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(pol, &sid)) + if (!get_lsa_policy_samr_sid(p, pol, &sid)) return NT_STATUS_INVALID_HANDLE; sid_split_rid(&sid, &rid); @@ -2267,7 +2227,7 @@ uint32 _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SE return NT_STATUS_INVALID_INFO_CLASS; } - ctr->switch_value = switch_value; + switch_value=ctr->switch_value; /* ok! user info levels (lots: see MSDEV help), off we go... */ switch (switch_value) { -- cgit From a2e5dbb1120e726ba80b00a159dad1a1ca2e3a18 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sun, 11 Mar 2001 00:51:54 +0000 Subject: Remove "BYTE" - we already have uint8 - don't need more conflicts with system header files... Jeremy. (This used to be commit 31e0ce310ec38b3a3a05b344d6450d442c6be471) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index ff484a8ff1..181e1140eb 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2014,8 +2014,8 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) { SAM_ACCOUNT *pwd = pdb_getsampwrid(rid); SAM_ACCOUNT new_pwd; - BYTE nt_hash[16]; - BYTE lm_hash[16]; + uint8 nt_hash[16]; + uint8 lm_hash[16]; pstring buf; uint32 len; uint16 acct_ctrl; -- cgit From 769659eb0849fbc30a3284f99563dde965318bfd Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Tue, 13 Mar 2001 00:32:43 +0000 Subject: Ensure we never return passwords from a user query. Jeremy. (This used to be commit 37248e99e8b8d8a7e247d968b93a7d0cf5f63c8e) --- source3/rpc_server/srv_samr_nt.c | 75 +++++++++++++++++++++++++++++++++------- 1 file changed, 62 insertions(+), 13 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 181e1140eb..9f0ce9b05d 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -56,6 +56,34 @@ static void free_samr_info(void *ptr) safe_free(samr); } +/******************************************************************* + Ensure password info is never given out. Paranioa... JRA. + ********************************************************************/ + +static void samr_clear_passwd_fields( SAM_USER_INFO_21 *pass, int num_entries) +{ + int i; + + if (!pass) + return; + + for (i = 0; i < num_entries; i++) { + memset(&pass[i].lm_pwd, '\0', sizeof(pass[i].lm_pwd)); + memset(&pass[i].nt_pwd, '\0', sizeof(pass[i].nt_pwd)); + } +} + +static void samr_clear_sam_passwd( SAM_ACCOUNT *sam_pass) +{ + if (!sam_pass) + return; + + if (sam_pass->lm_pw) + memset(sam_pass->lm_pw, '\0', 16); + if (sam_pass->nt_pw) + memset(sam_pass->nt_pw, '\0', 16); +} + /******************************************************************* This next function should be replaced with something that dynamically returns the correct user info..... JRA. @@ -660,6 +688,8 @@ uint32 _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, SAMR_R_ if (!ret) return NT_STATUS_ACCESS_DENIED; + samr_clear_passwd_fields(pass, num_entries); + /* * Note from JRA. total_entries is not being used here. Currently if there is a * large user base then it looks like NT will enumerate until get_sampwd_entries 
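Review bot: `samr_clear_sam_passwd()` zeroes the hash buffers that `sam_pass->lm_pw` and `sam_pass->nt_pw` point to, in place, so it is only safe if every caller owns a private copy of the account. The callers added in this commit pass the pointer returned by `pdb_getsampwrid()` directly; if that object is static or cached inside passdb (not visible here), a later reader such as the `mdfour(sess_key, pdb_get_nt_passwd(sam_pass), 16)` call in `_samr_set_userinfo` could see zeroed hashes. A comment on the helper should state the ownership assumption, e.g. `/* sam_pass must be a caller-owned copy: the hashes are wiped in place */`. The helper also reaches into the struct members with a literal 16, while the rest of the file goes through the `pdb_get_*`/`pdb_set_*` accessors.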
@@ -979,6 +1009,9 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ DEBUG(5, ("limiting number of entries to %d\n", num_entries)); } + /* Ensure password info is never given out here. PARANOIA... JRA */ + samr_clear_passwd_fields(pass, num_entries); + data_size = q_u->max_size; orig_num_entries = num_entries; @@ -1308,7 +1341,7 @@ uint32 _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP } /******************************************************************* - _api_samr_open_user + _api_samr_open_user. Safe - gives out no passwd info. ********************************************************************/ uint32 _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USER *r_u) @@ -1334,6 +1367,8 @@ uint32 _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_U if (sampass == NULL) return NT_STATUS_NO_SUCH_USER; + samr_clear_sam_passwd(sampass); + /* Get the domain SID stored in the domain policy */ if(!get_lsa_policy_samr_sid(p, &domain_pol, &sid)) return NT_STATUS_INVALID_HANDLE; @@ -1357,7 +1392,7 @@ uint32 _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_U } /************************************************************************* - get_user_info_10 + get_user_info_10. Safe. Only gives out acb bits. *************************************************************************/ static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) 
@@ -1386,30 +1421,40 @@ static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) } /************************************************************************* - get_user_info_12 + get_user_info_12. OK - this is the killer as it gives out password info. + Ensure that this is only allowed on an encrypted connection with a root + user. JRA. *************************************************************************/ -static BOOL get_user_info_12(SAM_USER_INFO_12 * id12, uint32 user_rid) +static uint32 get_user_info_12(pipes_struct *p, SAM_USER_INFO_12 * id12, uint32 user_rid) { SAM_ACCOUNT *smbpass; - become_root(); + if (!p->ntlmssp_auth_validated) + return NT_STATUS_ACCESS_DENIED; + + if (!(p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) || !(p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL)) + return NT_STATUS_ACCESS_DENIED; + + /* + * Do *NOT* do become_root()/unbecome_root() here ! JRA. + */ + smbpass = pdb_getsampwrid(user_rid); - unbecome_root(); if (smbpass == NULL) { DEBUG(4, ("User 0x%x not found\n", user_rid)); - return False; + return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED; } DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) )); if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) - return False; + return NT_STATUS_ACCOUNT_DISABLED; init_sam_user_info12(id12, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass)); - return True; + return NT_STATUS_NOPROBLEMO; } /************************************************************************* @@ -1434,6 +1479,8 @@ static BOOL get_user_info_21(SAM_USER_INFO_21 *id21, uint32 user_rid) return False; } + samr_clear_sam_passwd(sampass); + DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) )); init_sam_user_info21A(id21, sampass); 
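Review bot: The header comment says level 12 is only for a root user on an encrypted connection, but `get_user_info_12` tests only `ntlmssp_auth_validated` and the sign and seal flags; the root requirement is enforced implicitly, by calling `pdb_getsampwrid()` without `become_root()` and expecting the lookup to fail for everyone else. That holds only while the passdb backend is unreadable to non-root effective uids, which this hunk does not show. An explicit `if (geteuid() != (uid_t)0) return NT_STATUS_ACCESS_DENIED;` before the lookup would make disclosure of the LM/NT hashes independent of backend file permissions. The `DEBUG(4, ...)` and `DEBUG(3, ...)` lines would then also run only for callers that passed the check.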
@@ -1512,8 +1559,8 @@ uint32 _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_ if (ctr->info.id12 == NULL) return NT_STATUS_NO_MEMORY; - if (!get_user_info_12(ctr->info.id12, rid)) - return NT_STATUS_NO_SUCH_USER; + if ((r_u->status = get_user_info_12(p, ctr->info.id12, rid)) != NT_STATUS_NOPROBLEMO) + return r_u->status; break; case 21: @@ -1567,6 +1614,8 @@ uint32 _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAM if (sam_pass == NULL) return NT_STATUS_NO_SUCH_USER; + samr_clear_sam_passwd(sam_pass); + get_domain_user_groups(groups, pdb_get_username(sam_pass)); gids = NULL; num_groups = make_dom_gids(p->mem_ctx, groups, &gids); @@ -2392,8 +2441,8 @@ uint32 _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SE uint32 _samr_get_dom_pwinfo(pipes_struct *p, SAMR_Q_GET_DOM_PWINFO *q_u, SAMR_R_GET_DOM_PWINFO *r_u) { - DEBUG(0,("_samr_get_dom_pwinfo: Not yet implemented.\n")); - return False; + /* Actually, returning zeros here works quite well :-). */ + return NT_STATUS_NOPROBLEMO; } /********************************************************************* -- cgit From 0ef2179d23a2f9826e17c2b858fd8f2a9634b332 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 13 Mar 2001 01:44:05 +0000 Subject: Fixed reading of strings from big-endian RPC clients. Jeremy. (This used to be commit e7ecb9410ff2e4fcd33bca9f82e14c060590942a) --- source3/rpc_server/srv_samr_nt.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 9f0ce9b05d..4ff7125fce 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1196,7 +1196,7 @@ uint32 _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOK rid [i] = 0xffffffff; type[i] = SID_NAME_UNKNOWN; - fstrcpy(name, dos_unistrn2(q_u->uni_name[i].buffer, q_u->uni_name[i].uni_str_len)); + fstrcpy(name, rpc_unistrn2(q_u->uni_name[i].buffer, q_u->uni_name[i].uni_str_len, p->endian)); if(sid_equal(&pol_sid, &global_sam_sid)) { DOM_SID sid; @@ -1227,8 +1227,8 @@ uint32 _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_ r_u->status = NT_STATUS_NOPROBLEMO; - fstrcpy(user_name, dos_unistrn2(q_u->uni_user_name.buffer, q_u->uni_user_name.uni_str_len)); - fstrcpy(wks , dos_unistrn2(q_u->uni_dest_host.buffer, q_u->uni_dest_host.uni_str_len)); + fstrcpy(user_name, rpc_unistrn2(q_u->uni_user_name.buffer, q_u->uni_user_name.uni_str_len, p->endian)); + fstrcpy(wks , rpc_unistrn2(q_u->uni_dest_host.buffer, q_u->uni_dest_host.uni_str_len, p->endian)); DEBUG(5,("samr_chgpasswd_user: user: %s wks: %s\n", user_name, wks)); @@ -1709,7 +1709,7 @@ uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CR reply if the account already exists... */ - fstrcpy(mach_acct, dos_unistrn2(user_account.buffer, user_account.uni_str_len)); + fstrcpy(mach_acct, rpc_unistrn2(user_account.buffer, user_account.uni_str_len, p->endian)); strlower(mach_acct); become_root(); -- cgit From 0f710e9bdc740a30468cc85131bf60848306b6bb Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 13 Mar 2001 19:21:51 +0000 Subject: AS/U does setuserinfo2, level 0x12 when joining a domain - identical to setuserinfo level 0x12. Jeremy. (This used to be commit d4ad197f711d5c5f2f60083b396f6dd7e6eca8c0) --- source3/rpc_server/srv_samr_nt.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 4ff7125fce..dbed5227b0 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -2288,6 +2288,11 @@ uint32 _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SE if (!set_user_info_10(ctr->info.id10, rid)) return NT_STATUS_ACCESS_DENIED; break; + case 18: + /* Used by AS/U JRA. */ + if (!set_user_info_12(ctr->info.id12, rid)) + return NT_STATUS_ACCESS_DENIED; + break; default: return NT_STATUS_INVALID_INFO_CLASS; } -- cgit From 4ab6182a0ffdbe92a01dd6533e0862aa8d0f6d83 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 15 Mar 2001 00:49:13 +0000 Subject: AS/U on a sparc now joins and authenticates against a Samba PDC ! Jeremy. (This used to be commit 28a0bc5f5710aa732db662caa38f9da2138b5db2) --- source3/rpc_server/srv_samr_nt.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index dbed5227b0..c3df798c3c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1196,7 +1196,7 @@ uint32 _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOK rid [i] = 0xffffffff; type[i] = SID_NAME_UNKNOWN; - fstrcpy(name, rpc_unistrn2(q_u->uni_name[i].buffer, q_u->uni_name[i].uni_str_len, p->endian)); + fstrcpy(name, dos_unistrn2(q_u->uni_name[i].buffer, q_u->uni_name[i].uni_str_len)); if(sid_equal(&pol_sid, &global_sam_sid)) { DOM_SID sid; @@ -1227,8 +1227,8 @@ uint32 _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_ r_u->status = NT_STATUS_NOPROBLEMO; - fstrcpy(user_name, rpc_unistrn2(q_u->uni_user_name.buffer, q_u->uni_user_name.uni_str_len, p->endian)); - fstrcpy(wks , rpc_unistrn2(q_u->uni_dest_host.buffer, q_u->uni_dest_host.uni_str_len, p->endian)); + fstrcpy(user_name, dos_unistrn2(q_u->uni_user_name.buffer, q_u->uni_user_name.uni_str_len)); + fstrcpy(wks , dos_unistrn2(q_u->uni_dest_host.buffer, q_u->uni_dest_host.uni_str_len)); DEBUG(5,("samr_chgpasswd_user: user: %s wks: %s\n", user_name, wks)); 
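Review bot: The new `case 18` writes client-supplied LM and NT hashes to the account through `set_user_info_12()`, and neither this hunk nor that helper shows a check that the handle was opened with rights to set a password for `rid`. `_samr_set_userinfo2` starts and ends outside the hunk, so the check may exist earlier in the function; if it does, a comment on the case should point to it, e.g. `/* level 0x12: hashes are stored as received; set-password access is checked in <where> - TODO confirm */`. Every failure of `set_user_info_12()` (unknown rid, NULL `id12`, failed update) is reported as `NT_STATUS_ACCESS_DENIED`, which matches the neighbouring case but hides the cause from the log.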
@@ -1709,7 +1709,7 @@ uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CR reply if the account already exists... */ - fstrcpy(mach_acct, rpc_unistrn2(user_account.buffer, user_account.uni_str_len, p->endian)); + fstrcpy(mach_acct, dos_unistrn2(user_account.buffer, user_account.uni_str_len)); strlower(mach_acct); become_root(); -- cgit From 65d35749b721b76ae826a9423bdefd2f673f35c6 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 16 Mar 2001 05:55:30 +0000 Subject: Added Michael Sweet's CUPS patch to call directly into the CUPS backend. Parameterises the printing functions so other backends can be plugged directly in (this is a good thing :-). Jeremy. (This used to be commit c0345bbaed5d1aac777f1a33ff84ad1899f2ed6d) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c3df798c3c..ec5ea29f70 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -5,7 +5,7 @@ * Copyright (C) Andrew Tridgell 1992-1997, * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, * Copyright (C) Paul Ashton 1997. - * Copyright (C) Hewlett-Packard Company 1999. + * Copyright (C) Marc Jacobsen 1999. * Copyright (C) Jeremy Allison 2001. * * This program is free software; you can redistribute it and/or modify -- cgit From 0053bd8b80cc08d65948c97f8ab0b4e2b829f083 Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Fri, 23 Mar 2001 00:50:31 +0000 Subject: first pass of the new group mapping code J.F. (This used to be commit 7154deb026d53cb0cd503562174c3332a372be63) --- source3/rpc_server/srv_samr_nt.c | 451 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 427 insertions(+), 24 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index ec5ea29f70..94524da352 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -5,7 +5,7 @@ * Copyright (C) Andrew Tridgell 1992-1997, * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, * Copyright (C) Paul Ashton 1997. - * Copyright (C) Marc Jacobsen 1999. + * Copyright (C) Marc Jacobsen 1999. * Copyright (C) Jeremy Allison 2001. * * This program is free software; you can redistribute it and/or modify @@ -34,6 +34,7 @@ extern int DEBUGLEVEL; extern fstring global_myworkgroup; extern pstring global_myname; extern DOM_SID global_sam_sid; +extern DOM_SID global_sid_Builtin; extern rid_name domain_group_rids[]; extern rid_name domain_alias_rids[]; @@ -546,7 +547,6 @@ uint32 _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, S static uint32 samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC_BUF **buf, DOM_SID *usr_sid) { - extern DOM_SID global_sid_Builtin; extern DOM_SID global_sid_World; DOM_SID adm_sid; DOM_SID act_sid; @@ -1251,8 +1251,8 @@ static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, fstring nam UNIHDR **pp_hdr_name, UNISTR2 **pp_uni_name) { uint32 i; - UNIHDR *hdr_name; - UNISTR2 *uni_name; + UNIHDR *hdr_name=NULL; + UNISTR2 *uni_name=NULL; *pp_uni_name = NULL; *pp_hdr_name = NULL; 
@@ -2306,8 +2306,22 @@ uint32 _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SE uint32 _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u) { - DEBUG(0,("_samr_query_useraliases: Not yet implemented.\n")); - return False; + uint32 *rid=NULL; + int num_rids; + + num_rids = 1; + rid=(uint32 *)talloc(p->mem_ctx, num_rids*sizeof(uint32)); + if (rid==NULL) + return NT_STATUS_NO_MEMORY; + + /* until i see a real useraliases query, we fack one up */ + + rid[0] = BUILTIN_ALIAS_RID_USERS; + + init_samr_r_query_useraliases(r_u, num_rids, rid, NT_STATUS_NO_PROBLEMO); + + return NT_STATUS_NO_PROBLEMO; + } /********************************************************************* 
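Review bot: `_samr_query_useraliases` answers without validating the policy handle carried in the request, whereas the other handlers on this page start with `find_policy_by_hnd()` or `get_lsa_policy_samr_sid()` and return `NT_STATUS_INVALID_HANDLE` on failure. The same check belongs at the top of this function, before the `talloc()`. A comment should also state that the reply is a fixed placeholder, e.g. `/* placeholder: always reports BUILTIN_ALIAS_RID_USERS; the SIDs in q_u are ignored */`, so nobody relies on it for access decisions.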
@@ -2316,8 +2330,61 @@ uint32 _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, S uint32 _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_QUERY_ALIASMEM *r_u) { - DEBUG(0,("_samr_query_aliasmem: Not yet implemented.\n")); - return False; + int i; + + GROUP_MAP map; + int num_uids = 0; + DOM_SID2 *sid; + uid_t *uid=NULL; + + DOM_SID alias_sid; + DOM_SID als_sid; + uint32 alias_rid; + fstring alias_sid_str; + DOM_SID temp_sid; + + + /* find the policy handle. open a policy on it. */ + if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid)) + return NT_STATUS_INVALID_HANDLE; + + sid_copy(&als_sid, &alias_sid); + sid_to_string(alias_sid_str, &alias_sid); + sid_split_rid(&alias_sid, &alias_rid); + + DEBUG(10, ("sid is %s\n", alias_sid_str)); + + if (sid_equal(&alias_sid, &global_sid_Builtin)) { + DEBUG(10, ("lookup on Builtin SID (S-1-5-32)\n")); + if(!get_builtin_group_from_sid(als_sid, &map)) + return NT_STATUS_NO_SUCH_ALIAS; + } else { + if (sid_equal(&alias_sid, &global_sam_sid)) { + DEBUG(10, ("lookup on Server SID\n")); + if(!get_local_group_from_sid(als_sid, &map)) + return NT_STATUS_NO_SUCH_ALIAS; + } + } + + if(!get_uid_list_of_group(map.gid, &uid, &num_uids)) + return NT_STATUS_NO_SUCH_ALIAS; + + DEBUG(10, ("sid is %s\n", alias_sid_str)); + sid = (DOM_SID2 *)talloc(p->mem_ctx, sizeof(DOM_SID2) * num_uids); + if (sid == NULL) + return NT_STATUS_NO_SUCH_ALIAS; + + for (i = 0; i < num_uids; i++) { + sid_copy(&temp_sid, &global_sam_sid); + sid_append_rid(&temp_sid, pdb_uid_to_user_rid(uid[i])); + + init_dom_sid2(&sid[i], &temp_sid); + } + + DEBUG(10, ("sid is %s\n", alias_sid_str)); + init_samr_r_query_aliasmem(r_u, num_uids, sid, NT_STATUS_NO_PROBLEMO); + + return NT_STATUS_NOPROBLEMO; } /********************************************************************* 
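Review bot: `map` is read uninitialised in `_samr_query_aliasmem` when the alias SID's domain part is neither `global_sid_Builtin` nor `global_sam_sid`: the inner `if (sid_equal(&alias_sid, &global_sam_sid))` has no `else`, so control falls through to `get_uid_list_of_group(map.gid, ...)` with stack garbage as the gid. The inner branch needs a terminating `else return NT_STATUS_NO_SUCH_ALIAS;`. The `talloc()` failure just below is also reported as `NT_STATUS_NO_SUCH_ALIAS` where `NT_STATUS_NO_MEMORY` is meant, and a group with zero members may take that path if `talloc()` returns NULL for a zero size (not visible here).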
@@ -2326,8 +2393,56 @@ uint32 _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_ uint32 _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u) { - DEBUG(0,("_samr_query_groupmem: Not yet implemented.\n")); - return False; + int num_uids = 0; + int i; + DOM_SID group_sid; + uint32 group_rid; + fstring group_sid_str; + uid_t *uid=NULL; + + GROUP_MAP map; + + uint32 *rid=NULL; + uint32 *attr=NULL; + + + /* find the policy handle. open a policy on it. */ + if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid)) + return NT_STATUS_INVALID_HANDLE; + + /* todo: change to use sid_compare_front */ + + sid_split_rid(&group_sid, &group_rid); + sid_to_string(group_sid_str, &group_sid); + DEBUG(10, ("sid is %s\n", group_sid_str)); + + /* can we get a query for an SID outside our domain ? */ + if (!sid_equal(&group_sid, &global_sam_sid)) + return NT_STATUS_NO_SUCH_GROUP; + + sid_append_rid(&group_sid, group_rid); + DEBUG(10, ("lookup on Domain SID\n")); + + if(!get_domain_group_from_sid(group_sid, &map)) + return NT_STATUS_NO_SUCH_GROUP; + + if(!get_uid_list_of_group(map.gid, &uid, &num_uids)) + return NT_STATUS_NO_SUCH_GROUP; + + rid=talloc(p->mem_ctx, sizeof(uint32)*num_uids); + attr=talloc(p->mem_ctx, sizeof(uint32)*num_uids); + + if (rid==NULL || attr==NULL) + return NT_STATUS_NO_MEMORY; + + for (i=0; ialias_pol, &alias_sid)) + return NT_STATUS_INVALID_HANDLE; + + sid_to_string(alias_sid_str, &alias_sid); + DEBUG(10, ("sid is %s\n", alias_sid_str)); + + if (sid_compare(&alias_sid, &global_sam_sid)>0) { + DEBUG(10, ("adding member on Server SID\n")); + if(!get_local_group_from_sid(alias_sid, &map)) + return NT_STATUS_NO_SUCH_ALIAS; + + } else { + if (sid_compare(&alias_sid, &global_sid_Builtin)>0) { + DEBUG(10, ("adding member on BUILTIN SID\n")); + if( !get_builtin_group_from_sid(alias_sid, &map)) + return NT_STATUS_NO_SUCH_ALIAS; + + } else + return NT_STATUS_NO_SUCH_ALIAS; + } + + 
sid_split_rid(&q_u->sid.sid, &rid); + uid=pdb_user_rid_to_uid(rid); + + if ((pwd=getpwuid(uid)) == NULL) + return NT_STATUS_NO_SUCH_USER; + + if ((grp=getgrgid(map.gid)) == NULL) + return NT_STATUS_NO_SUCH_ALIAS; + + /* we need to copy the name otherwise it's overloaded in user_in_group_list */ + fstrcpy(grp_name, grp->gr_name); + + /* if the user is already in the group */ + if(user_in_group_list(pwd->pw_name, grp_name)) + return NT_STATUS_MEMBER_IN_ALIAS; + + /* + * ok, the group exist, the user exist, the user is not in the group, + * we can (finally) add it to the group ! + */ + smb_add_user_group(grp_name, pwd->pw_name); + + /* check if the user has been added then ... */ + if(!user_in_group_list(pwd->pw_name, grp_name)) + return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */ + + return NT_STATUS_NOPROBLEMO; } /********************************************************************* 
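Review bot: `_samr_add_aliasmem` takes the RID from the client-supplied member SID with `sid_split_rid(&q_u->sid.sid, &rid)` and maps it to a local uid without checking which domain the SID belongs to, so a SID from any other domain that ends in the same RID resolves to a local account. After the split, the remaining domain part should be compared first: `if (!sid_equal(&q_u->sid.sid, &global_sam_sid)) return NT_STATUS_NO_SUCH_USER;`. The text between the previous function's loop and the start of this one was lost on the page, so the declarations and the function's opening lines could not be checked.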
@@ -2356,8 +2527,54 @@ uint32 _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DEL_ uint32 _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_ADD_GROUPMEM *r_u) { - DEBUG(0,("_samr_add_groupmem: Not yet implemented.\n")); - return False; + DOM_SID group_sid; + fstring group_sid_str; + struct passwd *pwd; + struct group *grp; + fstring grp_name; + GROUP_MAP map; + + /* Find the policy handle. Open a policy on it. */ + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid)) + return NT_STATUS_INVALID_HANDLE; + + sid_to_string(group_sid_str, &group_sid); + DEBUG(10, ("sid is %s\n", group_sid_str)); + + if (sid_compare(&group_sid, &global_sam_sid)<=0) + return NT_STATUS_NO_SUCH_GROUP; + + DEBUG(10, ("lookup on Domain SID\n")); + + if(!get_domain_group_from_sid(group_sid, &map)) + return NT_STATUS_NO_SUCH_GROUP; + + if ((pwd=getpwuid(pdb_user_rid_to_uid(q_u->rid))) ==NULL) + return NT_STATUS_NO_SUCH_USER; + + if ((grp=getgrgid(map.gid)) == NULL) + return NT_STATUS_NO_SUCH_GROUP; + + /* we need to copy the name otherwise it's overloaded in user_in_group_list */ + fstrcpy(grp_name, grp->gr_name); + + /* if the user is already in the group */ + if(user_in_group_list(pwd->pw_name, grp_name)) + return NT_STATUS_MEMBER_IN_GROUP; + + /* + * ok, the group exist, the user exist, the user is not in the group, + * + * we can (finally) add it to the group ! + */ + + smb_add_user_group(grp_name, pwd->pw_name); + + /* check if the user has been added then ... */ + if(!user_in_group_list(pwd->pw_name, grp_name)) + return NT_STATUS_MEMBER_NOT_IN_GROUP; /* don't know what to reply else */ + + return NT_STATUS_NOPROBLEMO; } /********************************************************************* 
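Review bot: `pwd` points at getpwuid()'s static buffer, yet `pwd->pw_name` is still read after `user_in_group_list()` and `smb_add_user_group()` have run; the comment above `fstrcpy(grp_name, grp->gr_name)` acknowledges exactly this hazard for the group entry. If either helper performs a passwd lookup of its own, the final membership check may be made against a different name than the one that was added. Copy the name once, `fstring usr_name; fstrcpy(usr_name, pwd->pw_name);`, and use `usr_name` in the three later calls. The alias-member code just before this hunk follows the same pattern.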
@@ -2406,8 +2623,55 @@ uint32 _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, SAM uint32 _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, SAMR_R_CREATE_DOM_GROUP *r_u) { - DEBUG(0,("_samr_create_dom_group: Not yet implemented.\n")); - return False; + DOM_SID dom_sid; + DOM_SID info_sid; + fstring name; + fstring sid_string; + struct group *grp; + struct samr_info *info; + + /* Find the policy handle. Open a policy on it. */ + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid)) + return NT_STATUS_INVALID_HANDLE; + + if (!sid_equal(&dom_sid, &global_sam_sid)) + return NT_STATUS_ACCESS_DENIED; + + /* TODO: check if allowed to create group and add a become_root/unbecome_root pair.*/ + + unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1); + + /* check if group already exist */ + if ((grp=getgrnam(name)) != NULL) + return NT_STATUS_GROUP_EXISTS; + + /* we can create the UNIX group */ + smb_create_group(name); + + /* check if the group has been successfully created */ + if ((grp=getgrnam(name)) == NULL) + return NT_STATUS_ACCESS_DENIED; + + r_u->rid=pdb_gid_to_group_rid(grp->gr_gid); + + /* add the group to the mapping table */ + if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL, SE_PRIV_NONE)) + return NT_STATUS_ACCESS_DENIED; + + if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + return NT_STATUS_NO_MEMORY; + + ZERO_STRUCTP(info); + + sid_copy(&info_sid, &global_sam_sid); + sid_append_rid(&info->sid, r_u->rid); + sid_to_string(sid_string, &info->sid); + + /* get a (unique) handle. open a policy on it. */ + if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info)) + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + + return NT_STATUS_NOPROBLEMO; } /********************************************************************* 
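Review bot: `add_initial_entry()` is handed `sid_string` before anything has written to it: the buffer is only filled by `sid_to_string()` further down, so the mapping entry is created from uninitialised stack contents. In the same function `sid_copy()` targets the local `info_sid` while `sid_append_rid()` works on the zeroed `info->sid`, which leaves the SID stored behind the handle without its domain prefix. Build the SID in `info->sid` first, then register the mapping, and release `info` if the registration fails. `_samr_create_dom_alias` in the next hunk passes `sid_string` to `add_initial_entry()` in the same premature position.

```c
	r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);

	if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL)
		return NT_STATUS_NO_MEMORY;

	ZERO_STRUCTP(info);

	/* build the group SID before it is used for the mapping entry */
	sid_copy(&info->sid, &global_sam_sid);
	sid_append_rid(&info->sid, r_u->rid);
	sid_to_string(sid_string, &info->sid);

	/* add the group to the mapping table */
	if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL, SE_PRIV_NONE)) {
		safe_free(info);
		return NT_STATUS_ACCESS_DENIED;
	}

	/* ... unchanged: create_policy_hnd and final return ... */
```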
@@ -2416,28 +2680,137 @@ uint32 _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, SAM uint32 _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, SAMR_R_CREATE_DOM_ALIAS *r_u) { - DEBUG(0,("_samr_create_dom_alias: Not yet implemented.\n")); - return False; + DOM_SID dom_sid; + fstring name; + fstring sid_string; + struct group *grp; + struct samr_info *info; + + /* Find the policy handle. Open a policy on it. */ + if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid)) + return NT_STATUS_INVALID_HANDLE; + + if (!sid_equal(&dom_sid, &global_sam_sid)) + return NT_STATUS_ACCESS_DENIED; + + /* TODO: check if allowed to create group and add a become_root/unbecome_root pair.*/ + + unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1); + + /* check if group already exists */ + if ( (grp=getgrnam(name)) != NULL) + return NT_STATUS_GROUP_EXISTS; + + /* we can create the UNIX group */ + smb_create_group(name); + + /* check if the group has been successfully created */ + if ((grp=getgrnam(name)) == NULL) + return NT_STATUS_ACCESS_DENIED; + + r_u->rid=pdb_gid_to_group_rid(grp->gr_gid); + + /* add the group to the mapping table */ + if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, NULL, NULL, SE_PRIV_NONE)) + return NT_STATUS_ACCESS_DENIED; + + if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + return NT_STATUS_NO_MEMORY; + + ZERO_STRUCTP(info); + + sid_copy(&info->sid, &global_sam_sid); + sid_append_rid(&info->sid, r_u->rid); + sid_to_string(sid_string, &info->sid); + + /* get a (unique) handle. open a policy on it. 
*/ + if (!create_policy_hnd(p, &r_u->alias_pol, free_samr_info, (void *)info)) + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + + return NT_STATUS_NOPROBLEMO; } /********************************************************************* _samr_query_groupinfo + +sends the name/comment pair of a domain group +level 1 send also the number of users of that group *********************************************************************/ uint32 _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_R_QUERY_GROUPINFO *r_u) { - DEBUG(0,("_samr_query_groupinfo: Not yet implemented.\n")); - return False; + DOM_SID group_sid; + GROUP_MAP map; + uid_t *uid; + int num_uids=0; + GROUP_INFO_CTR *ctr; + + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid)) + return NT_STATUS_INVALID_HANDLE; + + if (!get_domain_group_from_sid(group_sid, &map)) + return NT_STATUS_INVALID_HANDLE; + + ctr=(GROUP_INFO_CTR *)talloc(p->mem_ctx, sizeof(GROUP_INFO_CTR)); + if (ctr==NULL) + return NT_STATUS_NO_MEMORY; + + switch (q_u->switch_level) { + case 1: + ctr->switch_value1 = 1; + if(!get_uid_list_of_group(map.gid, &uid, &num_uids)) + return NT_STATUS_NO_SUCH_GROUP; + init_samr_group_info1(&ctr->group.info1, map.nt_name, map.comment, num_uids); + safe_free(uid); + break; + case 4: + ctr->switch_value1 = 4; + init_samr_group_info4(&ctr->group.info4, map.comment); + break; + default: + return NT_STATUS_INVALID_INFO_CLASS; + } + + init_samr_r_query_groupinfo(r_u, ctr, NT_STATUS_NO_PROBLEMO); + + return NT_STATUS_NO_PROBLEMO; } /********************************************************************* _samr_set_groupinfo + + update a domain group's comment. 
*********************************************************************/ uint32 _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SET_GROUPINFO *r_u) { - DEBUG(0,("_samr_set_groupinfo: Not yet implemented.\n")); - return False; + DOM_SID group_sid; + GROUP_MAP map; + GROUP_INFO_CTR *ctr; + + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid)) + return NT_STATUS_INVALID_HANDLE; + + if (!get_domain_group_from_sid(group_sid, &map)) + return NT_STATUS_NO_SUCH_GROUP; + + ctr=q_u->ctr; + + switch (ctr->switch_value1) { + case 1: + unistr2_to_ascii(map.comment, &(ctr->group.info1.uni_acct_desc), sizeof(map.comment)-1); + break; + case 4: + unistr2_to_ascii(map.comment, &(ctr->group.info4.uni_acct_desc), sizeof(map.comment)-1); + break; + default: + return NT_STATUS_INVALID_INFO_CLASS; + } + + if(!add_mapping_entry(&map, TDB_REPLACE)) + return NT_STATUS_NO_SUCH_GROUP; + + return NT_STATUS_NO_PROBLEMO; } /********************************************************************* 
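Review bot: `_samr_set_groupinfo` rewrites the group mapping with `add_mapping_entry(&map, TDB_REPLACE)` as soon as the handle resolves to a group, and nothing on this path checks that the caller is allowed to modify that group. `_samr_open_group`, added in the following hunk, issues such a handle to any caller holding a domain handle, so as far as these hunks show the write is not gated by any permission. The create functions at least record the gap as a TODO; add the check here, or until it exists a matching `/* TODO: check the caller is allowed to modify this group */` above the switch. `_samr_query_groupinfo` in the same hunk also answers an unmapped group with `NT_STATUS_INVALID_HANDLE` where this function uses `NT_STATUS_NO_SUCH_GROUP`.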
@@ -2456,8 +2829,38 @@ uint32 _samr_get_dom_pwinfo(pipes_struct *p, SAMR_Q_GET_DOM_PWINFO *q_u, SAMR_R_ uint32 _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_GROUP *r_u) { - DEBUG(0,("_samr_open_group: Not yet implemented.\n")); - return False; + DOM_SID sid; + GROUP_MAP map; + struct samr_info *info; + fstring sid_string; + + if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid)) + return NT_STATUS_INVALID_HANDLE; + + /* this should not be hard-coded like this */ + if (!sid_equal(&sid, &global_sam_sid)) + return NT_STATUS_ACCESS_DENIED; + + if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + return NT_STATUS_NO_MEMORY; + + ZERO_STRUCTP(info); + + sid_copy(&info->sid, &global_sam_sid); + sid_append_rid(&info->sid, q_u->rid_group); + sid_to_string(sid_string, &info->sid); + + DEBUG(10, ("Opening SID: %s\n", sid_string)); + + /* check if that group really exists */ + if (!get_domain_group_from_sid(info->sid, &map)) + return NT_STATUS_NO_SUCH_USER; + + /* get a (unique) handle. open a policy on it. */ + if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info)) + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + + return NT_STATUS_NO_PROBLEMO; } /********************************************************************* -- cgit From da8805b377e361a7cab399b3c786a25f7175e7cf Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 23 Mar 2001 02:14:08 +0000 Subject: groupdb/mapping.c: include/proto.h: Fix missing (void) in proto. rpc_server/srv_samr_nt.c: Fix user private group problem by filtering out groups that clash with users. smbd/posix_acls.c: Ensure default ACE's are sensible. utils/pdbedit.c: Fix from Simo Sorce. Jeremy. (This used to be commit 29414fe0d6665642d9b5f88a35e712426376c47f) --- source3/rpc_server/srv_samr_nt.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
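Review bot: In `_samr_open_group`, `info` is allocated before the group is looked up, and both later failure returns (after `get_domain_group_from_sid` and after `create_policy_hnd`) leave it allocated, so every open attempt for a non-existent `rid_group` leaks one `struct samr_info`. Because the RID comes from the client, repeated failing requests grow the server process without bound. Release it on both paths, e.g. `if (!get_domain_group_from_sid(info->sid, &map)) { safe_free(info); return NT_STATUS_NO_SUCH_GROUP; }`; the status for a missing group should also be `NT_STATUS_NO_SUCH_GROUP` rather than `NT_STATUS_NO_SUCH_USER`. The two create functions earlier in this commit likewise keep `info` allocated when `create_policy_hnd` fails.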
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 94524da352..2434fad74a 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -798,10 +798,20 @@ static BOOL get_group_alias_entries(DOMAIN_GRP *d_grp, DOM_SID *sid, uint32 star uint32 trid; name = grp->gr_name; + DEBUG(10,("get_group_alias_entries: got group %s\n", name )); + /* Don't return winbind groups as they are not local! */ - if (strchr(name, *sep) != NULL) + if (strchr(name, *sep) != NULL) { + DEBUG(10,("get_group_alias_entries: not returing %s, not local.\n", name )); continue; + } + + /* Don't return user private groups... */ + if (Get_Pwnam(name, False) != 0) { + DEBUG(10,("get_group_alias_entries: not returing %s, clashes with user.\n", name )); + continue; + } trid = pdb_gid_to_group_rid(grp->gr_gid); for( i = 0; i < num_entries; i++) -- cgit From 06a50f51845bf639f7abd47cf39638054f255131 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sun, 15 Apr 2001 22:29:36 +0000 Subject: Patch from "Christoph Zwerschke" to map usernames before calling password change. Jeremy. (This used to be commit ce2a236dc61d819e083b32556a2d9f827944b91c) --- source3/rpc_server/srv_samr_nt.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 2434fad74a..9e9c5d950e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1242,6 +1242,18 @@ uint32 _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_ DEBUG(5,("samr_chgpasswd_user: user: %s wks: %s\n", user_name, wks)); + /* + * Pass the user through the NT -> unix user mapping + * function. + */ + + (void)map_username(user_name); + + /* + * Do any UNIX username case mangling. + */ + (void)Get_Pwnam( user_name, True); + if (!pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash, q_u->nt_newpass.pass, q_u->nt_oldhash.hash)) r_u->status = NT_STATUS_WRONG_PASSWORD; -- cgit From ac9e221c3e6bc892e0f73a403c89434ae13a8eec Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 22 Apr 2001 02:54:04 +0000 Subject: merging from 2.2 to head (This used to be commit bfcc6f88271025760732271f03933839b1cbe0de) --- source3/rpc_server/srv_samr_nt.c | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 9e9c5d950e..e0d6d6056e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2104,11 +2104,9 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) copy_sam_passwd(&new_pwd, pwd); copy_id23_to_sam_passwd(&new_pwd, id23); - if (!decode_pw_buffer((char*)id23->pass, buf, 256, &len)) + if (!decode_pw_buffer((char*)id23->pass, buf, 256, &len, nt_hash, lm_hash)) return False; - - nt_lm_owf_gen(buf, nt_hash, lm_hash); - + pdb_set_lanman_passwd (&new_pwd, lm_hash); pdb_set_nt_passwd (&new_pwd, nt_hash); 
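Review bot: In set_user_info_23, once `decode_pw_buffer()` has run, `buf` holds the cleartext password and `nt_hash`/`lm_hash` hold its hashes, and nothing in this hunk clears them after they have been handed to `pdb_set_lanman_passwd`/`pdb_set_nt_passwd` or on the `return False` path. The rest of the function lies outside the hunk, so the cleanup may already exist further down; if it does not, add `memset(buf, 0, sizeof(buf));` and the same for the two hash buffers before each return. set_user_info_24 in the next hunk is written the same way and only zeroes `buf` before decoding.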
@@ -2153,13 +2151,9 @@ static BOOL set_user_info_24(SAM_USER_INFO_24 *id24, uint32 rid) memset(buf, 0, sizeof(buf)); - if (!decode_pw_buffer((char*)id24->pass, buf, 256, &len)) + if (!decode_pw_buffer((char*)id24->pass, buf, 256, &len, nt_hash, lm_hash)) return False; - DEBUG(5,("set_user_info_24:nt_lm_owf_gen\n")); - - nt_lm_owf_gen(buf, nt_hash, lm_hash); - pdb_set_lanman_passwd (pwd, lm_hash); pdb_set_nt_passwd (pwd, nt_hash); -- cgit From c3bf153c0c0c7c1c0f1d012147fb4c061b2be324 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 25 Apr 2001 22:12:13 +0000 Subject: converted the passdb smbpasswd implementation to using talloc for memory allocation. This fixes a long standing seg fault (i knew i would get around to it one day :) ) Tested with NT4 and Win2k. Needs a little more testing with the "create the machine account on the fly" code for NT4. Simo, this is probably going to break the tdb passdb code. Can you look at that when you get a chance and see what you think? (This used to be commit 1c13110873e456748dc09fd51749f664643fe888) --- source3/rpc_server/srv_samr_nt.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e0d6d6056e..7054f85ff9 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2060,6 +2060,7 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) return False; /* we make a copy so that we can modify stuff */ + ZERO_STRUCT(new_pwd); copy_sam_passwd(&new_pwd, pwd); copy_id21_to_sam_passwd(&new_pwd, id21); @@ -2099,8 +2100,9 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) if (pwd == NULL) return False; - acct_ctrl = pdb_get_acct_ctrl(pwd); + acct_ctrl = pdb_get_acct_ctrl(pwd); + ZERO_STRUCT (new_pwd); copy_sam_passwd(&new_pwd, pwd); copy_id23_to_sam_passwd(&new_pwd, id23); -- cgit 
From f35157f39293f9fa240a28642c41708b55d301c8 Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Fri, 4 May 2001 15:44:27 +0000 Subject: Big cleanup of passdb and backends. I did some basic tests but I have probably broken something. Notably the password changing. So don't cry ;-) J.F. (This used to be commit a4a4c02b12f030a3b9e6225b999c90689dfc4719) --- source3/rpc_server/srv_samr_nt.c | 782 +++++++++++++++++++++++---------------- 1 file changed, 458 insertions(+), 324 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 7054f85ff9..38b4bbd0a9 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -74,15 +74,13 @@ static void samr_clear_passwd_fields( SAM_USER_INFO_21 *pass, int num_entries) } } -static void samr_clear_sam_passwd( SAM_ACCOUNT *sam_pass) +static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass) { if (!sam_pass) return; - if (sam_pass->lm_pw) - memset(sam_pass->lm_pw, '\0', 16); - if (sam_pass->nt_pw) - memset(sam_pass->nt_pw, '\0', 16); + memset(sam_pass->lm_pw, '\0', 16); + memset(sam_pass->nt_pw, '\0', 16); } /******************************************************************* 
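Review bot: In samr_clear_sam_passwd the two `memset()` calls now run without the `if (sam_pass->lm_pw)` / `if (sam_pass->nt_pw)` guards, which is only safe if these members can no longer be unset pointers. `jf_get_sampwd_entries` in this same commit still tests `pdb_get_nt_passwd(pwd)` before copying from it, which suggests an absent hash remains possible. If the members are still pointers, keep the guards; if they became fixed arrays, prefer `sizeof(sam_pass->lm_pw)` over the literal `16` so the scrub length follows the declaration.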
@@ -94,20 +92,24 @@ static BOOL get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, int *total_entries, int *num_entries, int max_num_entries, uint16 acb_mask) { - SAM_ACCOUNT *pwd = NULL; + SAM_ACCOUNT *pwd = NULL; + BOOL ret; + + (*num_entries) = 0; + (*total_entries) = 0; - (*num_entries) = 0; - (*total_entries) = 0; + if (pw_buf == NULL) + return False; - if (pw_buf == NULL) - return False; + pdb_init_sam(&pwd); if (!pdb_setsampwent(False)) { - DEBUG(0, ("get_sampwd_entries: Unable to open passdb.\n")); - return False; - } + DEBUG(0, ("get_sampwd_entries: Unable to open passdb.\n")); + pdb_clear_sam(pwd); + return False; + } - while (((pwd = pdb_getsampwent()) != NULL) && (*num_entries) < max_num_entries) { + while (((ret = pdb_getsampwent(pwd)) != False) && (*num_entries) < max_num_entries) { int user_name_len; if (start_idx > 0) { @@ -143,29 +145,35 @@ static BOOL get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, (*total_entries)++; } - pdb_endsampwent(); + pdb_endsampwent(); + pdb_clear_sam(pwd); - return (*num_entries) > 0; + return (*num_entries) > 0; } static BOOL jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, int *total_entries, uint32 *num_entries, int max_num_entries, uint16 acb_mask) { - SAM_ACCOUNT *pwd = NULL; + SAM_ACCOUNT *pwd = NULL; *num_entries = 0; *total_entries = 0; if (pw_buf == NULL) return False; + + DEBUG(10,("jf_get_sampwd_entries: start index:%d, max entries:%d, mask:%d\n", + start_idx, max_num_entries, acb_mask)); if (!pdb_setsampwent(False)) { - DEBUG(0, ("jf_get_sampwd_entries: Unable to open passdb.\n")); - return False; - } + DEBUG(0, ("jf_get_sampwd_entries: Unable to open passdb.\n")); + return False; + } + + pdb_init_sam(&pwd); - while (((pwd = pdb_getsampwent()) != NULL) && (*num_entries) < max_num_entries) { + while ((pdb_getsampwent(pwd) != False) && (*num_entries) < max_num_entries) { int user_name_len; int full_name_len; 
@@ -194,19 +202,23 @@ static BOOL jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, memset((char *)pw_buf[(*num_entries)].nt_pwd, '\0', 16); /* Now check if the NT compatible password is available. */ - if (pdb_get_nt_passwd(pwd)) - memcpy( pw_buf[(*num_entries)].nt_pwd , pdb_get_nt_passwd(pwd), 16); + if (pdb_get_nt_passwd(pwd)) + memcpy( pw_buf[(*num_entries)].nt_pwd , pdb_get_nt_passwd(pwd), 16); pw_buf[(*num_entries)].acb_info = pdb_get_acct_ctrl(pwd); DEBUG(5, ("entry idx: %d user %s, rid 0x%x, acb %x\n", (*num_entries), pdb_get_username(pwd), pdb_get_user_rid(pwd), pdb_get_acct_ctrl(pwd) )); + (*num_entries)++; } - pdb_endsampwent(); + pdb_endsampwent(); *total_entries = *num_entries; + + pdb_clear_sam(pwd); + return True; } 
@@ -756,35 +768,42 @@ static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNIST Get the group entries - similar to get_sampwd_entries(). ********************************************************************/ -static BOOL get_group_alias_entries(DOMAIN_GRP *d_grp, DOM_SID *sid, uint32 start_idx, +static BOOL get_group_alias_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, uint32 *p_num_entries, uint32 max_entries) { fstring sid_str; - fstring sam_sid_str; uint32 num_entries = 0; + int i; + GROUP_MAP smap; + GROUP_MAP *map; sid_to_string(sid_str, sid); - sid_to_string(sam_sid_str, &global_sam_sid); + DEBUG(5, ("get_group_alias_entries: enumerating aliases on SID: %s\n", sid_str)); *p_num_entries = 0; /* well-known aliases */ - if (strequal(sid_str, "S-1-5-32")) { - char *name; - while (!lp_hide_local_users() && - num_entries < max_entries && - ((name = builtin_alias_rids[num_entries].name) != NULL)) { - - fstrcpy(d_grp[num_entries].name, name); - d_grp[num_entries].rid = builtin_alias_rids[num_entries].rid; + if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) { + + enum_group_mapping(SID_NAME_WKN_GRP, &map, &num_entries, ENUM_ONLY_MAPPED); + + *d_grp=(DOMAIN_GRP *)malloc(num_entries*sizeof(DOMAIN_GRP)); + if (*d_grp==NULL) + return NT_STATUS_NO_MEMORY; + + for(i=0; igr_name; + + if(!get_group_from_gid(grp->gr_gid, &smap)) + continue; + + if (smap.sid_name_use!=SID_NAME_ALIAS) + continue; - DEBUG(10,("get_group_alias_entries: got group %s\n", name )); + sid_split_rid(&smap.sid, &trid); /* Don't return winbind groups as they are not local! */ - - if (strchr(name, *sep) != NULL) { - DEBUG(10,("get_group_alias_entries: not returing %s, not local.\n", name )); + if (strchr(smap.nt_name, *sep) != NULL) { + DEBUG(10,("get_group_alias_entries: not returing %s, not local.\n", smap.nt_name )); continue; } /* Don't return user private groups... 
*/ - if (Get_Pwnam(name, False) != 0) { - DEBUG(10,("get_group_alias_entries: not returing %s, clashes with user.\n", name )); - continue; + if (Get_Pwnam(smap.nt_name, False) != 0) { + DEBUG(10,("get_group_alias_entries: not returing %s, clashes with user.\n", smap.nt_name )); + continue; } - trid = pdb_gid_to_group_rid(grp->gr_gid); for( i = 0; i < num_entries; i++) - if ( d_grp[i].rid == trid ) break; + if ( (*d_grp)[i].rid == trid ) break; if ( i < num_entries ) continue; /* rid was there, dup! */ @@ -830,8 +852,12 @@ static BOOL get_group_alias_entries(DOMAIN_GRP *d_grp, DOM_SID *sid, uint32 star continue; } - fstrcpy(d_grp[num_entries].name, name); - d_grp[num_entries].rid = trid; + *d_grp=Realloc(*d_grp, (num_entries+1)*sizeof(DOMAIN_GRP)); + if (*d_grp==NULL) + return NT_STATUS_NO_MEMORY; + + fstrcpy((*d_grp)[num_entries].name, smap.nt_name); + (*d_grp)[num_entries].rid = trid; num_entries++; } 
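Review bot: `get_group_alias_entries` is declared `static BOOL`, but both new allocation-failure paths `return NT_STATUS_NO_MEMORY;`, a non-zero value that the caller's `if (!get_group_alias_entries(...))` test reads as success. `_samr_enum_dom_aliases` would then pass a NULL `grp` on to `make_group_sam_entry_list()`. Return `False` on these paths, as `get_group_domain_entries` does in the next hunk. The line `*d_grp=Realloc(*d_grp, ...)` also overwrites the only pointer to the existing array; keep the result in a temporary and assign it after the NULL check (this assumes Realloc leaves the old block allocated on failure, which the hunk does not show). Part of this hunk is garbled on the page, so the loop between the two allocations was not reviewed.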
@@ -847,31 +873,29 @@ static BOOL get_group_alias_entries(DOMAIN_GRP *d_grp, DOM_SID *sid, uint32 star Get the group entries - similar to get_sampwd_entries(). ********************************************************************/ -static BOOL get_group_domain_entries(DOMAIN_GRP *d_grp, DOM_SID *sid, uint32 start_idx, +static BOOL get_group_domain_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, uint32 *p_num_entries, uint32 max_entries) { - fstring sid_str; - fstring sam_sid_str; + GROUP_MAP *map=NULL; + int i; uint32 num_entries = 0; - fstring name="Domain Admins"; - fstring comment="Just to make it work !"; - - sid_to_string(sid_str, sid); - sid_to_string(sam_sid_str, &global_sam_sid); *p_num_entries = 0; - fstrcpy(d_grp[0].name, name); - fstrcpy(d_grp[0].comment, comment); - d_grp[0].rid = DOMAIN_GROUP_RID_ADMINS; - d_grp[0].attr=SID_NAME_DOM_GRP; + enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED); - fstrcpy(d_grp[1].name, "Domain Users"); - fstrcpy(d_grp[1].comment, "Just to make it work !"); - d_grp[1].rid = DOMAIN_GROUP_RID_USERS; - d_grp[1].attr=SID_NAME_DOM_GRP; + *d_grp=(DOMAIN_GRP *)malloc(num_entries*sizeof(DOMAIN_GRP)); + if (*d_grp==NULL) + return False; + + for (i=0; istart_idx, &num_entries, MAX_SAM_ENTRIES); + /* the domain group array is being allocated in the function below */ + get_group_domain_entries(&grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES); make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp); + safe_free(grp); + init_samr_r_enum_dom_groups(r_u, q_u->start_idx, num_entries); DEBUG(5,("samr_enum_dom_groups: %d\n", __LINE__)); @@ -915,7 +942,7 @@ uint32 _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_ uint32 _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAMR_R_ENUM_DOM_ALIASES *r_u) { - DOMAIN_GRP grp[MAX_SAM_ENTRIES]; + DOMAIN_GRP *grp=NULL; uint32 num_entries = 0; fstring sid_str; DOM_SID sid; 
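Review bot: `_samr_enum_dom_groups` discards the result of `get_group_domain_entries(&grp, ...)`, which now allocates the array itself and returns `False` when that allocation fails. `_samr_query_dispinfo` checks the same call through `ret`; do the same here, e.g. `if (!get_group_domain_entries(&grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES)) return NT_STATUS_NO_MEMORY;`. Inside the helper the result of `enum_group_mapping()` is likewise unused before `num_entries` sizes the `malloc()`. The middle of this hunk is garbled on the page, so whether `map` is released could not be checked.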
@@ -928,11 +955,13 @@ uint32 _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAM sid_to_string(sid_str, &sid); DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", sid_str)); - if (!get_group_alias_entries(grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES)) + if (!get_group_alias_entries(&grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES)) return NT_STATUS_ACCESS_DENIED; make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp); + safe_free(grp); + init_samr_r_enum_dom_aliases(r_u, q_u->start_idx, num_entries); DEBUG(5,("samr_enum_dom_aliases: %d\n", __LINE__)); @@ -947,12 +976,12 @@ uint32 _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAM uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_QUERY_DISPINFO *r_u) { SAM_USER_INFO_21 pass[MAX_SAM_ENTRIES]; - DOMAIN_GRP grps[MAX_SAM_ENTRIES]; + DOMAIN_GRP *grps=NULL; uint16 acb_mask = ACB_NORMAL; - uint32 num_entries = 0; - int orig_num_entries = 0; - int total_entries = 0; - uint32 data_size = 0; + uint32 num_entries = 0; + int orig_num_entries = 0; + int total_entries = 0; + uint32 data_size = 0; DOM_SID sid; BOOL ret; SAM_DISPINFO_CTR *ctr; @@ -1001,7 +1030,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ break; case 0x3: case 0x5: - ret = get_group_domain_entries(grps, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES); + ret = get_group_domain_entries(&grps, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES); if (!ret) return NT_STATUS_ACCESS_DENIED; break; @@ -1040,6 +1069,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ case 0x3: ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_3)); init_sam_dispinfo_3(ctr->sam.info3, &num_entries, &data_size, q_u->start_idx, grps); + safe_free(grps); break; case 0x4: ctr->sam.info4 = (SAM_DISPINFO_4 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_4)); 
@@ -1048,6 +1078,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ case 0x5: ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_5)); init_sam_dispinfo_5(ctr->sam.info5, &num_entries, &data_size, q_u->start_idx, grps); + safe_free(grps); break; default: ctr->sam.info = NULL; 
@@ -1368,49 +1399,53 @@ uint32 _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP uint32 _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USER *r_u) { - SAM_ACCOUNT *sampass; - DOM_SID sid; - POLICY_HND domain_pol = q_u->domain_pol; - uint32 user_rid = q_u->user_rid; - POLICY_HND *user_pol = &r_u->user_pol; + SAM_ACCOUNT *sampass=NULL; + DOM_SID sid; + POLICY_HND domain_pol = q_u->domain_pol; + uint32 user_rid = q_u->user_rid; + POLICY_HND *user_pol = &r_u->user_pol; struct samr_info *info = NULL; + BOOL ret; - r_u->status = NT_STATUS_NO_PROBLEMO; + r_u->status = NT_STATUS_NO_PROBLEMO; - /* find the domain policy handle. */ - if (!find_policy_by_hnd(p, &domain_pol, NULL)) - return NT_STATUS_INVALID_HANDLE; + /* find the domain policy handle. */ + if (!find_policy_by_hnd(p, &domain_pol, NULL)) + return NT_STATUS_INVALID_HANDLE; - become_root(); - sampass = pdb_getsampwrid(user_rid); - unbecome_root(); + become_root(); + ret=pdb_getsampwrid(sampass, user_rid); + unbecome_root(); - /* check that the RID exists in our domain. */ - if (sampass == NULL) - return NT_STATUS_NO_SUCH_USER; + /* check that the RID exists in our domain. */ + if (ret == False) { + pdb_clear_sam(sampass); + return NT_STATUS_NO_SUCH_USER; + } samr_clear_sam_passwd(sampass); + pdb_clear_sam(sampass); - /* Get the domain SID stored in the domain policy */ - if(!get_lsa_policy_samr_sid(p, &domain_pol, &sid)) - return NT_STATUS_INVALID_HANDLE; + /* Get the domain SID stored in the domain policy */ + if(!get_lsa_policy_samr_sid(p, &domain_pol, &sid)) + return NT_STATUS_INVALID_HANDLE; - /* append the user's RID to it */ - if(!sid_append_rid(&sid, user_rid)) - return NT_STATUS_NO_SUCH_USER; + /* append the user's RID to it */ + if(!sid_append_rid(&sid, user_rid)) + return NT_STATUS_NO_SUCH_USER; - /* associate the user's SID with the new handle. 
*/ - if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) - return NT_STATUS_NO_MEMORY; + /* associate the user's SID with the new handle. */ + if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + return NT_STATUS_NO_MEMORY; - ZERO_STRUCTP(info); - info->sid = sid; + ZERO_STRUCTP(info); + info->sid = sid; - /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + /* get a (unique) handle. open a policy on it. */ + if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) + return NT_STATUS_OBJECT_NAME_NOT_FOUND; - return r_u->status; + return r_u->status; } /************************************************************************* 
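Review bot: In `_api_samr_open_user`, `sampass` is initialised to NULL and passed to `pdb_getsampwrid(sampass, user_rid)` without the `pdb_init_sam(&sampass)` call that get_user_info_10 and get_user_info_12 make before the same lookup. The lookup now appears to fill a caller-supplied object, so here it is given nothing to fill; depending on how the backend treats NULL, every open either fails or dereferences a null pointer. Add `pdb_init_sam(&sampass);` before `become_root()`. get_user_info_21 further down in this commit has the same omission.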
@@ -1419,27 +1454,34 @@ uint32 _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_U static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) { - SAM_ACCOUNT *smbpass; + SAM_ACCOUNT *smbpass=NULL; + BOOL ret; - if (!pdb_rid_is_user(user_rid)) { - DEBUG(4,("RID 0x%x is not a user RID\n", user_rid)); - return False; - } + if (!pdb_rid_is_user(user_rid)) { + DEBUG(4,("RID 0x%x is not a user RID\n", user_rid)); + return False; + } - become_root(); - smbpass = pdb_getsampwrid(user_rid); - unbecome_root(); + pdb_init_sam(&smbpass); - if (smbpass == NULL) { - DEBUG(4,("User 0x%x not found\n", user_rid)); - return False; - } + become_root(); + ret = pdb_getsampwrid(smbpass, user_rid); + unbecome_root(); + + if (ret==False) { + DEBUG(4,("User 0x%x not found\n", user_rid)); + pdb_clear_sam(smbpass); + return False; + } + + DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) )); - DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) )); + init_sam_user_info10(id10, pdb_get_acct_ctrl(smbpass) ); - init_sam_user_info10(id10, pdb_get_acct_ctrl(smbpass) ); + samr_clear_sam_passwd(smbpass); + pdb_clear_sam(smbpass); - return True; + return True; } /************************************************************************* @@ -1450,7 +1492,8 @@ static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) static uint32 get_user_info_12(pipes_struct *p, SAM_USER_INFO_12 * id12, uint32 user_rid) { - SAM_ACCOUNT *smbpass; + SAM_ACCOUNT *smbpass=NULL; + BOOL ret; if (!p->ntlmssp_auth_validated) return NT_STATUS_ACCESS_DENIED; 
@@ -1461,20 +1504,26 @@ static uint32 get_user_info_12(pipes_struct *p, SAM_USER_INFO_12 * id12, uint32 /* * Do *NOT* do become_root()/unbecome_root() here ! JRA. */ + pdb_init_sam(&smbpass); - smbpass = pdb_getsampwrid(user_rid); + ret = pdb_getsampwrid(smbpass, user_rid); - if (smbpass == NULL) { + if (ret == False) { DEBUG(4, ("User 0x%x not found\n", user_rid)); + pdb_clear_sam(smbpass); return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED; } - DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) )); + DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) )); - if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) - return NT_STATUS_ACCOUNT_DISABLED; + if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) { + pdb_clear_sam(smbpass); + return NT_STATUS_ACCOUNT_DISABLED; + } init_sam_user_info12(id12, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass)); + + pdb_clear_sam(smbpass); return NT_STATUS_NOPROBLEMO; } 
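Review bot: get_user_info_12 releases `smbpass` with `pdb_clear_sam()` on three paths without first calling `samr_clear_sam_passwd(smbpass)`, although it is the one function in this group that reads the LM and NT hashes. get_user_info_10 scrubs the hashes before releasing the object; doing the same here, once `init_sam_user_info12()` has consumed them, keeps hash material from lingering in released memory. Proposed line before each `pdb_clear_sam(smbpass);`: `samr_clear_sam_passwd(smbpass);`. This assumes `pdb_clear_sam()` does not itself wipe the fields, which the hunk does not show.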
@@ -1485,29 +1534,33 @@ static uint32 get_user_info_12(pipes_struct *p, SAM_USER_INFO_12 * id12, uint32 static BOOL get_user_info_21(SAM_USER_INFO_21 *id21, uint32 user_rid) { - SAM_ACCOUNT *sampass; + SAM_ACCOUNT *sampass=NULL; + BOOL ret; - if (!pdb_rid_is_user(user_rid)) { - DEBUG(4,("RID 0x%x is not a user RID\n", user_rid)); - return False; - } + if (!pdb_rid_is_user(user_rid)) { + DEBUG(4,("RID 0x%x is not a user RID\n", user_rid)); + return False; + } - become_root(); - sampass = pdb_getsampwrid(user_rid); - unbecome_root(); + become_root(); + ret = pdb_getsampwrid(sampass, user_rid); + unbecome_root(); - if (sampass == NULL) { - DEBUG(4,("User 0x%x not found\n", user_rid)); - return False; - } + if (ret == False) { + DEBUG(4,("User 0x%x not found\n", user_rid)); + pdb_clear_sam(sampass); + return False; + } samr_clear_sam_passwd(sampass); - DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) )); + DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) )); init_sam_user_info21A(id21, sampass); + + pdb_clear_sam(sampass); - return True; + return True; } /******************************************************************* 
@@ -1610,44 +1663,49 @@ uint32 _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_ uint32 _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u) { - struct sam_passwd *sam_pass; - DOM_GID *gids = NULL; - int num_groups = 0; - pstring groups; - uint32 rid; + struct sam_passwd *sam_pass=NULL; + DOM_GID *gids = NULL; + int num_groups = 0; + pstring groups; + uint32 rid; struct samr_info *info = NULL; + BOOL ret; - r_u->status = NT_STATUS_NO_PROBLEMO; + r_u->status = NT_STATUS_NO_PROBLEMO; - DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); + DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); - /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) - return NT_STATUS_INVALID_HANDLE; + /* find the policy handle. open a policy on it. */ + if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) + return NT_STATUS_INVALID_HANDLE; - /* find the user's rid */ - if ((rid = get_lsa_policy_samr_rid(info)) == 0xffffffff) - return NT_STATUS_OBJECT_TYPE_MISMATCH; + /* find the user's rid */ + if ((rid = get_lsa_policy_samr_rid(info)) == 0xffffffff) + return NT_STATUS_OBJECT_TYPE_MISMATCH; - become_root(); - sam_pass = pdb_getsampwrid(rid); - unbecome_root(); + pdb_init_sam(&sam_pass); - if (sam_pass == NULL) - return NT_STATUS_NO_SUCH_USER; + become_root(); + ret = pdb_getsampwrid(sam_pass, rid); + unbecome_root(); - samr_clear_sam_passwd(sam_pass); + if (ret == False) { + samr_clear_sam_passwd(sam_pass); + return NT_STATUS_NO_SUCH_USER; + } - get_domain_user_groups(groups, pdb_get_username(sam_pass)); - gids = NULL; - num_groups = make_dom_gids(p->mem_ctx, groups, &gids); + get_domain_user_groups(groups, pdb_get_username(sam_pass)); + gids = NULL; + num_groups = make_dom_gids(p->mem_ctx, groups, &gids); - /* construct the response. lkclXXXX: gids are not copied! 
*/ - init_samr_r_query_usergroups(r_u, num_groups, gids, r_u->status); + /* construct the response. lkclXXXX: gids are not copied! */ + init_samr_r_query_usergroups(r_u, num_groups, gids, r_u->status); - DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); + DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); + + samr_clear_sam_passwd(sam_pass); - return r_u->status; + return r_u->status; } /******************************************************************* 
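Review bot: In _samr_query_usergroups the record allocated by `pdb_init_sam(&sam_pass)` is never released. Both the not-found path and the normal exit call `samr_clear_sam_passwd(sam_pass)`, which, going by the body shown in a later hunk on this page, only zeroes the LM and NT hash fields. Every other function converted in this patch ends with `pdb_clear_sam(...)`, so each request here leaves one SAM_ACCOUNT allocated. The patch also drops the scrub that used to run right after the lookup, so the hashes now stay in the record while the group list is built. I would keep `samr_clear_sam_passwd(sam_pass);` directly after the `ret == False` check and use `pdb_clear_sam(sam_pass);` on both exits.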
@@ -1708,111 +1766,124 @@ uint32 _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREATE_USER *r_u) { - SAM_ACCOUNT *sam_pass; - fstring mach_acct; - pstring err_str; - pstring msg_str; - int local_flags=0; - DOM_SID sid; - pstring add_script; - POLICY_HND dom_pol = q_u->domain_pol; - UNISTR2 user_account = q_u->uni_name; - uint16 acb_info = q_u->acb_info; - POLICY_HND *user_pol = &r_u->user_pol; + SAM_ACCOUNT *sam_pass=NULL; + fstring mach_acct; + pstring err_str; + pstring msg_str; + int local_flags=0; + DOM_SID sid; + pstring add_script; + POLICY_HND dom_pol = q_u->domain_pol; + UNISTR2 user_account = q_u->uni_name; + uint16 acb_info = q_u->acb_info; + POLICY_HND *user_pol = &r_u->user_pol; struct samr_info *info = NULL; + BOOL ret; - /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &dom_pol, NULL)) - return NT_STATUS_INVALID_HANDLE; + /* find the policy handle. open a policy on it. */ + if (!find_policy_by_hnd(p, &dom_pol, NULL)) + return NT_STATUS_INVALID_HANDLE; - /* find the machine account: tell the caller if it exists. - lkclXXXX i have *no* idea if this is a problem or not - or even if you are supposed to construct a different - reply if the account already exists... - */ - - fstrcpy(mach_acct, dos_unistrn2(user_account.buffer, user_account.uni_str_len)); - strlower(mach_acct); - - become_root(); - sam_pass = pdb_getsampwnam(mach_acct); - unbecome_root(); - if (sam_pass != NULL) { - /* machine account exists: say so */ - return NT_STATUS_USER_EXISTS; - } + /* find the machine account: tell the caller if it exists. + lkclXXXX i have *no* idea if this is a problem or not + or even if you are supposed to construct a different + reply if the account already exists... + */ - local_flags=LOCAL_ADD_USER|LOCAL_DISABLE_USER|LOCAL_SET_NO_PASSWORD; - local_flags|= (acb_info & ACB_WSTRUST) ? LOCAL_TRUST_ACCOUNT:0; - - /* - * NB. 
VERY IMPORTANT ! This call must be done as the current pipe user, - * *NOT* surrounded by a become_root()/unbecome_root() call. This ensures - * that only people with write access to the smbpasswd file will be able - * to create a user. JRA. - */ - - /* - * add the user in the /etc/passwd file or the unix authority system. - * We don't check if the smb_create_user() function succed or not for 2 reasons: - * a) local_password_change() checks for us if the /etc/passwd account really exists - * b) smb_create_user() would return an error if the account already exists - * and as it could return an error also if it can't create the account, it would be tricky. - * - * So we go the easy way, only check after if the account exists. - * JFM (2/3/2001), to clear any possible bad understanding (-: - */ - - pstrcpy(add_script, lp_adduser_script()); - - if(*add_script) - smb_create_user(mach_acct, NULL); - - /* add the user in the smbpasswd file or the Samba authority database */ - if (!local_password_change(mach_acct, local_flags, NULL, err_str, - sizeof(err_str), msg_str, sizeof(msg_str))) - { - DEBUG(0, ("%s\n", err_str)); - close_policy_hnd(p, user_pol); - return NT_STATUS_ACCESS_DENIED; - } + fstrcpy(mach_acct, dos_unistrn2(user_account.buffer, user_account.uni_str_len)); + strlower(mach_acct); - become_root(); - sam_pass = pdb_getsampwnam(mach_acct); - unbecome_root(); - if (sam_pass == NULL) { - /* account doesn't exist: say so */ - close_policy_hnd(p, user_pol); - return NT_STATUS_ACCESS_DENIED; - } + pdb_init_sam(&sam_pass); - /* Get the domain SID stored in the domain policy */ - if(!get_lsa_policy_samr_sid(p, &dom_pol, &sid)) { - close_policy_hnd(p, user_pol); - return NT_STATUS_INVALID_HANDLE; - } + become_root(); + ret = pdb_getsampwnam(sam_pass, mach_acct); + unbecome_root(); + if (ret == True) { + /* machine account exists: say so */ + pdb_clear_sam(sam_pass); + return NT_STATUS_USER_EXISTS; + } - /* append the user's RID to it */ - if(!sid_append_rid(&sid, 
pdb_get_user_rid(sam_pass) )) { - close_policy_hnd(p, user_pol); - return NT_STATUS_NO_SUCH_USER; - } + local_flags=LOCAL_ADD_USER|LOCAL_DISABLE_USER|LOCAL_SET_NO_PASSWORD; + local_flags|= (acb_info & ACB_WSTRUST) ? LOCAL_TRUST_ACCOUNT:0; - /* associate the user's SID with the new handle. */ - if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) - return NT_STATUS_NO_MEMORY; + /* + * NB. VERY IMPORTANT ! This call must be done as the current pipe user, + * *NOT* surrounded by a become_root()/unbecome_root() call. This ensures + * that only people with write access to the smbpasswd file will be able + * to create a user. JRA. + */ - ZERO_STRUCTP(info); - info->sid = sid; + /* + * add the user in the /etc/passwd file or the unix authority system. + * We don't check if the smb_create_user() function succed or not for 2 reasons: + * a) local_password_change() checks for us if the /etc/passwd account really exists + * b) smb_create_user() would return an error if the account already exists + * and as it could return an error also if it can't create the account, it would be tricky. + * + * So we go the easy way, only check after if the account exists. + * JFM (2/3/2001), to clear any possible bad understanding (-: + */ - /* get a (unique) handle. open a policy on it. 
*/ - if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + pstrcpy(add_script, lp_adduser_script()); + + if(*add_script) + smb_create_user(mach_acct, NULL); + + /* add the user in the smbpasswd file or the Samba authority database */ + if (!local_password_change(mach_acct, local_flags, NULL, err_str, + sizeof(err_str), msg_str, sizeof(msg_str))) { + DEBUG(0, ("%s\n", err_str)); + close_policy_hnd(p, user_pol); + pdb_clear_sam(sam_pass); + return NT_STATUS_ACCESS_DENIED; + } + + become_root(); + ret = pdb_getsampwnam(sam_pass, mach_acct); + unbecome_root(); + if (ret == False) { + /* account doesn't exist: say so */ + close_policy_hnd(p, user_pol); + pdb_clear_sam(sam_pass); + return NT_STATUS_ACCESS_DENIED; + } + + /* Get the domain SID stored in the domain policy */ + if(!get_lsa_policy_samr_sid(p, &dom_pol, &sid)) { + close_policy_hnd(p, user_pol); + pdb_clear_sam(sam_pass); + return NT_STATUS_INVALID_HANDLE; + } + + /* append the user's RID to it */ + if(!sid_append_rid(&sid, pdb_get_user_rid(sam_pass) )) { + close_policy_hnd(p, user_pol); + pdb_clear_sam(sam_pass); + return NT_STATUS_NO_SUCH_USER; + } + + /* associate the user's SID with the new handle. */ + if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) { + pdb_clear_sam(sam_pass); + return NT_STATUS_NO_MEMORY; + } + + ZERO_STRUCTP(info); + info->sid = sid; + + /* get a (unique) handle. open a policy on it. */ + if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) { + pdb_clear_sam(sam_pass); + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } - r_u->user_rid=sam_pass->user_rid; - r_u->unknown_0 = 0x000703ff; + r_u->user_rid=sam_pass->user_rid; + r_u->unknown_0 = 0x000703ff; - return NT_STATUS_NO_PROBLEMO; + pdb_clear_sam(sam_pass); + + return NT_STATUS_NO_PROBLEMO; } /******************************************************************* 
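Review bot: When `create_policy_hnd()` fails near the end of _api_samr_create_user, the new error branch frees `sam_pass` but not the `info` block obtained from `malloc` a few lines earlier. Unless create_policy_hnd releases its data pointer on failure (not visible here), that block leaks on every failed handle creation, so the branch should start with `free(info);`. The earlier error paths also call `close_policy_hnd(p, user_pol)` before any handle has been created; if that is intentional, a comment should say so.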
@@ -1998,21 +2069,32 @@ uint32 _api_samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, uint32 rid) { - SAM_ACCOUNT *pwd = pdb_getsampwrid(rid); + SAM_ACCOUNT *pwd =NULL; + BOOL ret; + + pdb_init_sam(&pwd); + + ret = pdb_getsampwrid(pwd, rid); + + if(ret==False) { + pdb_clear_sam(pwd); + return False; + } if (id10 == NULL) { DEBUG(5, ("set_user_info_10: NULL id10\n")); + pdb_clear_sam(pwd); return False; } - pwd = pdb_getsampwrid(rid); - if (!pwd) - return False; - pdb_set_acct_ctrl(pwd, id10->acb_info); - if(!pdb_update_sam_account(pwd, True)) + if(!pdb_update_sam_account(pwd, True)) { + pdb_clear_sam(pwd); return False; + } + + pdb_clear_sam(pwd); return True; } @@ -2023,22 +2105,31 @@ static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, uint32 rid) static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, uint32 rid) { - SAM_ACCOUNT *pwd = pdb_getsampwrid(rid); - - if (pwd == NULL) + SAM_ACCOUNT *pwd = NULL; + BOOL ret; + + pdb_init_sam(&pwd); + + if(!pdb_getsampwrid(pwd, rid)) { + pdb_clear_sam(pwd); return False; - + } + if (id12 == NULL) { DEBUG(2, ("set_user_info_12: id12 is NULL\n")); + pdb_clear_sam(pwd); return False; } pdb_set_lanman_passwd (pwd, id12->lm_pwd); pdb_set_nt_passwd (pwd, id12->nt_pwd); - if(!pdb_update_sam_account(pwd, True)) + if(!pdb_update_sam_account(pwd, True)) { + pdb_clear_sam(pwd); return False; - + } + + pdb_clear_sam(pwd); return True; } 
@@ -2048,21 +2139,26 @@ static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, uint32 rid) static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) { - SAM_ACCOUNT *pwd = pdb_getsampwrid(rid); - SAM_ACCOUNT new_pwd; + SAM_ACCOUNT *pwd = NULL; + SAM_ACCOUNT *new_pwd = NULL; if (id21 == NULL) { DEBUG(5, ("set_user_info_21: NULL id21\n")); return False; } - if (pwd == NULL) + pdb_init_sam(&pwd); + pdb_init_sam(&new_pwd); + + if (!pdb_getsampwrid(pwd, rid)) { + pdb_clear_sam(pwd); + pdb_clear_sam(new_pwd); return False; + } /* we make a copy so that we can modify stuff */ - ZERO_STRUCT(new_pwd); - copy_sam_passwd(&new_pwd, pwd); - copy_id21_to_sam_passwd(&new_pwd, id21); + copy_sam_passwd(new_pwd, pwd); + copy_id21_to_sam_passwd(new_pwd, id21); /* * The funny part about the previous two calls is @@ -2072,9 +2168,15 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) */ /* write the change out */ - if(!pdb_update_sam_account(&new_pwd, True)) + if(!pdb_update_sam_account(new_pwd, True)) { + pdb_clear_sam(pwd); + pdb_clear_sam(new_pwd); return False; - + } + + pdb_clear_sam(pwd); + pdb_clear_sam(new_pwd); + return True; } 
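Review bot: set_user_info_21 keeps `pwd` allocated until the end although it is not read after `copy_sam_passwd(new_pwd, pwd)`, so every later exit has to free two records. set_user_info_23 in this same patch releases it immediately with `copy_sam_passwd(new_pwd, pwd); pdb_clear_sam(pwd);`. Doing the same here leaves a single `pdb_clear_sam(new_pwd)` on the update-failure and success paths in the following hunk. Whether copy_sam_passwd duplicates the buffers the record points to is not visible on this page; if it copies pointers, freeing both records needs a closer look in both functions.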
@@ -2084,33 +2186,42 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) { - SAM_ACCOUNT *pwd = pdb_getsampwrid(rid); - SAM_ACCOUNT new_pwd; - uint8 nt_hash[16]; - uint8 lm_hash[16]; - pstring buf; - uint32 len; + SAM_ACCOUNT *pwd = NULL; + SAM_ACCOUNT *new_pwd = NULL; + uint8 nt_hash[16]; + uint8 lm_hash[16]; + pstring buf; + uint32 len; uint16 acct_ctrl; - if (id23 == NULL) { - DEBUG(5, ("set_user_info_23: NULL id23\n")); - return False; - } + if (id23 == NULL) { + DEBUG(5, ("set_user_info_23: NULL id23\n")); + return False; + } - if (pwd == NULL) - return False; + pdb_init_sam(&pwd); + pdb_init_sam(&new_pwd); - acct_ctrl = pdb_get_acct_ctrl(pwd); + if (pdb_getsampwrid(pwd, rid)) { + pdb_clear_sam(pwd); + pdb_clear_sam(new_pwd); + return False; + } - ZERO_STRUCT (new_pwd); - copy_sam_passwd(&new_pwd, pwd); - copy_id23_to_sam_passwd(&new_pwd, id23); + acct_ctrl = pdb_get_acct_ctrl(pwd); + + copy_sam_passwd(new_pwd, pwd); + pdb_clear_sam(pwd); + + copy_id23_to_sam_passwd(new_pwd, id23); - if (!decode_pw_buffer((char*)id23->pass, buf, 256, &len, nt_hash, lm_hash)) - return False; + if (!decode_pw_buffer((char*)id23->pass, buf, 256, &len, nt_hash, lm_hash)) { + pdb_clear_sam(new_pwd); + return False; + } - pdb_set_lanman_passwd (&new_pwd, lm_hash); - pdb_set_nt_passwd (&new_pwd, nt_hash); + pdb_set_lanman_passwd (new_pwd, lm_hash); + pdb_set_nt_passwd (new_pwd, nt_hash); /* if it's a trust account, don't update /etc/passwd */ if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || 
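Review bot: The lookup test in set_user_info_23 is inverted: `if (pdb_getsampwrid(pwd, rid))` frees both records and returns False when the lookup succeeds, and falls through when it fails. The sibling functions in this patch use the negated form, so the line should be `if (!pdb_getsampwrid(pwd, rid)) {`. As written, a request for a RID that does not resolve carries on with whatever `pwd` holds after the failed lookup, while a valid one is always refused. The last patch on this page makes this correction; the function continues past the end of this hunk.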
@@ -2118,19 +2229,24 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) { DEBUG(5, ("Changing trust account password, not updating /etc/passwd\n")); } else { - /* update the UNIX password */ /* update the UNIX password */ if (lp_unix_password_sync() ) - if(!chgpasswd(pdb_get_username(&new_pwd), "", buf, True)) + if(!chgpasswd(pdb_get_username(new_pwd), "", buf, True)) { + pdb_clear_sam(new_pwd); return False; + } } - memset(buf, 0, sizeof(buf)); + memset(buf, 0, sizeof(buf)); - if(!pdb_update_sam_account(&new_pwd, True)) - return False; + if(!pdb_update_sam_account(new_pwd, True)) { + pdb_clear_sam(new_pwd); + return False; + } - return True; + pdb_clear_sam(new_pwd); + + return True; } /******************************************************************* @@ -2139,23 +2255,29 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) static BOOL set_user_info_24(SAM_USER_INFO_24 *id24, uint32 rid) { - SAM_ACCOUNT *pwd = pdb_getsampwrid(rid); + SAM_ACCOUNT *pwd = NULL; uchar nt_hash[16]; uchar lm_hash[16]; uint32 len; pstring buf; uint16 acct_ctrl; - if (pwd == NULL) - return False; + pdb_init_sam(&pwd); + if (!pdb_getsampwrid(pwd, rid)) { + pdb_clear_sam(pwd); + return False; + } + acct_ctrl = pdb_get_acct_ctrl(pwd); memset(buf, 0, sizeof(buf)); - if (!decode_pw_buffer((char*)id24->pass, buf, 256, &len, nt_hash, lm_hash)) + if (!decode_pw_buffer((char*)id24->pass, buf, 256, &len, nt_hash, lm_hash)) { + pdb_clear_sam(pwd); return False; - + } + pdb_set_lanman_passwd (pwd, lm_hash); pdb_set_nt_passwd (pwd, nt_hash); 
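Review bot: `buf` holds the decoded cleartext password, and the new `chgpasswd` failure branch in set_user_info_23 returns without clearing it; only the path that reaches `memset(buf, 0, sizeof(buf));` wipes it. The branch should be `memset(buf, 0, sizeof(buf)); pdb_clear_sam(new_pwd); return False;`, and `nt_hash` and `lm_hash` deserve the same treatment before every return. Because these are locals that are not read again, an optimising compiler may drop a plain memset, so a wipe routine that cannot be elided is preferable if the tree has one. set_user_info_24 in the later hunks has the same early return.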
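Review bot: set_user_info_24 dereferences `id24->pass` in the `decode_pw_buffer` call without testing `id24`, whereas set_user_info_10, _12, _21 and _23 all reject a NULL info pointer first. If the dispatcher can pass NULL here, as the sibling checks suggest, add `if (id24 == NULL) { DEBUG(5, ("set_user_info_24: NULL id24\n")); return False; }` before `pdb_init_sam(&pwd);`. Placing it before the allocation also means no extra `pdb_clear_sam` is needed on that path.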
@@ -2167,19 +2289,25 @@ static BOOL set_user_info_24(SAM_USER_INFO_24 *id24, uint32 rid) } else { /* update the UNIX password */ if (lp_unix_password_sync()) - if(!chgpasswd(pdb_get_username(pwd), "", buf, True)) + if(!chgpasswd(pdb_get_username(pwd), "", buf, True)) { + pdb_clear_sam(pwd); return False; + } } - memset(buf, 0, sizeof(buf)); - - DEBUG(0,("set_user_info_24: pdb_update_sam_account()\n")); + memset(buf, 0, sizeof(buf)); - /* update the SAMBA password */ - if(!pdb_update_sam_account(pwd, True)) - return False; + DEBUG(0,("set_user_info_24: pdb_update_sam_account()\n")); - return True; + /* update the SAMBA password */ + if(!pdb_update_sam_account(pwd, True)) { + pdb_clear_sam(pwd); + return False; + } + + pdb_clear_sam(pwd); + + return True; } /******************************************************************* @@ -2191,11 +2319,12 @@ uint32 _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_ uint32 rid = 0x0; DOM_SID sid; struct current_user user; - SAM_ACCOUNT *sam_pass; + SAM_ACCOUNT *sam_pass=NULL; unsigned char sess_key[16]; POLICY_HND *pol = &q_u->pol; uint16 switch_value = q_u->switch_value; SAM_USERINFO_CTR *ctr = q_u->ctr; + BOOL ret; DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__)); @@ -2222,6 +2351,8 @@ uint32 _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_ } + pdb_init_sam(&sam_pass); + /* * We need the NT hash of the user who is changing the user's password. * This NT hash is used to generate a "user session key" 
@@ -2229,16 +2360,19 @@ uint32 _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_ */ become_root(); - sam_pass = pdb_getsampwuid(user.uid); + ret = pdb_getsampwuid(sam_pass, user.uid); unbecome_root(); - if(sam_pass == NULL) { + if(ret == False) { DEBUG(0,("_samr_set_userinfo: Unable to get smbpasswd entry for uid %u\n", (unsigned int)user.uid )); + pdb_clear_sam(sam_pass); return NT_STATUS_ACCESS_DENIED; } memset(sess_key, '\0', 16); mdfour(sess_key, pdb_get_nt_passwd(sam_pass), 16); + pdb_clear_sam(sam_pass); + /* ok! user info levels (lots: see MSDEV help), off we go... */ switch (switch_value) { case 0x12: -- cgit From 30c4c04c2f584857633ce7605555dcfb37a3e1af Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 7 May 2001 14:04:46 +0000 Subject: Patch from Simo: o sed 's/pdb_clear_sam/pdb_free_sam/g' o add pdb_reset_sam() o password changing should be ok now as well. (This used to be commit 96d0e7c3301ad990f6c83b9c216720cb32661fb5) --- source3/rpc_server/srv_samr_nt.c | 96 ++++++++++++++++++++-------------------- 1 file changed, 48 insertions(+), 48 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 38b4bbd0a9..8c8418d2e0 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -105,7 +105,7 @@ static BOOL get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, if (!pdb_setsampwent(False)) { DEBUG(0, ("get_sampwd_entries: Unable to open passdb.\n")); - pdb_clear_sam(pwd); + pdb_free_sam(pwd); return False; } @@ -146,7 +146,7 @@ static BOOL get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, } pdb_endsampwent(); - pdb_clear_sam(pwd); + pdb_free_sam(pwd); return (*num_entries) > 0; } @@ -217,7 +217,7 @@ static BOOL jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, *total_entries = *num_entries; - pdb_clear_sam(pwd); + pdb_free_sam(pwd); return True; } 
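Review bot: In _samr_set_userinfo, `mdfour(sess_key, pdb_get_nt_passwd(sam_pass), 16)` hashes whatever the getter returns without checking it. A later patch on this page guards `sam_pass->nt_pw` against NULL in samr_clear_sam_passwd, which suggests an account can have no NT hash; in that case this call would read 16 bytes through a NULL pointer. I would add `if (pdb_get_nt_passwd(sam_pass) == NULL) { pdb_clear_sam(sam_pass); return NT_STATUS_ACCESS_DENIED; }` before the `memset(sess_key, ...)`. The function starts before and continues after this hunk.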
@@ -1419,12 +1419,12 @@ uint32 _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_U /* check that the RID exists in our domain. */ if (ret == False) { - pdb_clear_sam(sampass); + pdb_free_sam(sampass); return NT_STATUS_NO_SUCH_USER; } samr_clear_sam_passwd(sampass); - pdb_clear_sam(sampass); + pdb_free_sam(sampass); /* Get the domain SID stored in the domain policy */ if(!get_lsa_policy_samr_sid(p, &domain_pol, &sid)) @@ -1470,7 +1470,7 @@ static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) if (ret==False) { DEBUG(4,("User 0x%x not found\n", user_rid)); - pdb_clear_sam(smbpass); + pdb_free_sam(smbpass); return False; } @@ -1479,7 +1479,7 @@ static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) init_sam_user_info10(id10, pdb_get_acct_ctrl(smbpass) ); samr_clear_sam_passwd(smbpass); - pdb_clear_sam(smbpass); + pdb_free_sam(smbpass); return True; } @@ -1510,20 +1510,20 @@ static uint32 get_user_info_12(pipes_struct *p, SAM_USER_INFO_12 * id12, uint32 if (ret == False) { DEBUG(4, ("User 0x%x not found\n", user_rid)); - pdb_clear_sam(smbpass); + pdb_free_sam(smbpass); return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED; } DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) )); if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) { - pdb_clear_sam(smbpass); + pdb_free_sam(smbpass); return NT_STATUS_ACCOUNT_DISABLED; } init_sam_user_info12(id12, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass)); - pdb_clear_sam(smbpass); + pdb_free_sam(smbpass); return NT_STATUS_NOPROBLEMO; } @@ -1548,7 +1548,7 @@ static BOOL get_user_info_21(SAM_USER_INFO_21 *id21, uint32 user_rid) if (ret == False) { DEBUG(4,("User 0x%x not found\n", user_rid)); - pdb_clear_sam(sampass); + pdb_free_sam(sampass); return False; } 
@@ -1558,7 +1558,7 @@ static BOOL get_user_info_21(SAM_USER_INFO_21 *id21, uint32 user_rid) init_sam_user_info21A(id21, sampass); - pdb_clear_sam(sampass); + pdb_free_sam(sampass); return True; } @@ -1800,7 +1800,7 @@ uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CR unbecome_root(); if (ret == True) { /* machine account exists: say so */ - pdb_clear_sam(sam_pass); + pdb_free_sam(sam_pass); return NT_STATUS_USER_EXISTS; } @@ -1835,7 +1835,7 @@ uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CR sizeof(err_str), msg_str, sizeof(msg_str))) { DEBUG(0, ("%s\n", err_str)); close_policy_hnd(p, user_pol); - pdb_clear_sam(sam_pass); + pdb_free_sam(sam_pass); return NT_STATUS_ACCESS_DENIED; } @@ -1845,27 +1845,27 @@ uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CR if (ret == False) { /* account doesn't exist: say so */ close_policy_hnd(p, user_pol); - pdb_clear_sam(sam_pass); + pdb_free_sam(sam_pass); return NT_STATUS_ACCESS_DENIED; } /* Get the domain SID stored in the domain policy */ if(!get_lsa_policy_samr_sid(p, &dom_pol, &sid)) { close_policy_hnd(p, user_pol); - pdb_clear_sam(sam_pass); + pdb_free_sam(sam_pass); return NT_STATUS_INVALID_HANDLE; } /* append the user's RID to it */ if(!sid_append_rid(&sid, pdb_get_user_rid(sam_pass) )) { close_policy_hnd(p, user_pol); - pdb_clear_sam(sam_pass); + pdb_free_sam(sam_pass); return NT_STATUS_NO_SUCH_USER; } /* associate the user's SID with the new handle. */ if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) { - pdb_clear_sam(sam_pass); + pdb_free_sam(sam_pass); return NT_STATUS_NO_MEMORY; } 
@@ -1874,14 +1874,14 @@ uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CR /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) { - pdb_clear_sam(sam_pass); + pdb_free_sam(sam_pass); return NT_STATUS_OBJECT_NAME_NOT_FOUND; } r_u->user_rid=sam_pass->user_rid; r_u->unknown_0 = 0x000703ff; - pdb_clear_sam(sam_pass); + pdb_free_sam(sam_pass); return NT_STATUS_NO_PROBLEMO; } @@ -2077,24 +2077,24 @@ static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, uint32 rid) ret = pdb_getsampwrid(pwd, rid); if(ret==False) { - pdb_clear_sam(pwd); + pdb_free_sam(pwd); return False; } if (id10 == NULL) { DEBUG(5, ("set_user_info_10: NULL id10\n")); - pdb_clear_sam(pwd); + pdb_free_sam(pwd); return False; } pdb_set_acct_ctrl(pwd, id10->acb_info); if(!pdb_update_sam_account(pwd, True)) { - pdb_clear_sam(pwd); + pdb_free_sam(pwd); return False; } - pdb_clear_sam(pwd); + pdb_free_sam(pwd); return True; } @@ -2111,13 +2111,13 @@ static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, uint32 rid) pdb_init_sam(&pwd); if(!pdb_getsampwrid(pwd, rid)) { - pdb_clear_sam(pwd); + pdb_free_sam(pwd); return False; } if (id12 == NULL) { DEBUG(2, ("set_user_info_12: id12 is NULL\n")); - pdb_clear_sam(pwd); + pdb_free_sam(pwd); return False; } @@ -2125,11 +2125,11 @@ static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, uint32 rid) pdb_set_nt_passwd (pwd, id12->nt_pwd); if(!pdb_update_sam_account(pwd, True)) { - pdb_clear_sam(pwd); + pdb_free_sam(pwd); return False; } - pdb_clear_sam(pwd); + pdb_free_sam(pwd); return True; } @@ -2151,8 +2151,8 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) pdb_init_sam(&new_pwd); if (!pdb_getsampwrid(pwd, rid)) { - pdb_clear_sam(pwd); - pdb_clear_sam(new_pwd); + pdb_free_sam(pwd); + pdb_free_sam(new_pwd); return False; } 
@@ -2169,13 +2169,13 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) /* write the change out */ if(!pdb_update_sam_account(new_pwd, True)) { - pdb_clear_sam(pwd); - pdb_clear_sam(new_pwd); + pdb_free_sam(pwd); + pdb_free_sam(new_pwd); return False; } - pdb_clear_sam(pwd); - pdb_clear_sam(new_pwd); + pdb_free_sam(pwd); + pdb_free_sam(new_pwd); return True; } @@ -2203,20 +2203,20 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) pdb_init_sam(&new_pwd); if (pdb_getsampwrid(pwd, rid)) { - pdb_clear_sam(pwd); - pdb_clear_sam(new_pwd); + pdb_free_sam(pwd); + pdb_free_sam(new_pwd); return False; } acct_ctrl = pdb_get_acct_ctrl(pwd); copy_sam_passwd(new_pwd, pwd); - pdb_clear_sam(pwd); + pdb_free_sam(pwd); copy_id23_to_sam_passwd(new_pwd, id23); if (!decode_pw_buffer((char*)id23->pass, buf, 256, &len, nt_hash, lm_hash)) { - pdb_clear_sam(new_pwd); + pdb_free_sam(new_pwd); return False; } @@ -2232,7 +2232,7 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) /* update the UNIX password */ if (lp_unix_password_sync() ) if(!chgpasswd(pdb_get_username(new_pwd), "", buf, True)) { - pdb_clear_sam(new_pwd); + pdb_free_sam(new_pwd); return False; } } @@ -2240,11 +2240,11 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) memset(buf, 0, sizeof(buf)); if(!pdb_update_sam_account(new_pwd, True)) { - pdb_clear_sam(new_pwd); + pdb_free_sam(new_pwd); return False; } - pdb_clear_sam(new_pwd); + pdb_free_sam(new_pwd); return True; } @@ -2265,7 +2265,7 @@ static BOOL set_user_info_24(SAM_USER_INFO_24 *id24, uint32 rid) pdb_init_sam(&pwd); if (!pdb_getsampwrid(pwd, rid)) { - pdb_clear_sam(pwd); + pdb_free_sam(pwd); return False; } @@ -2274,7 +2274,7 @@ static BOOL set_user_info_24(SAM_USER_INFO_24 *id24, uint32 rid) memset(buf, 0, sizeof(buf)); if (!decode_pw_buffer((char*)id24->pass, buf, 256, &len, nt_hash, lm_hash)) { - pdb_clear_sam(pwd); + pdb_free_sam(pwd); return False; } 
@@ -2290,7 +2290,7 @@ static BOOL set_user_info_24(SAM_USER_INFO_24 *id24, uint32 rid) /* update the UNIX password */ if (lp_unix_password_sync()) if(!chgpasswd(pdb_get_username(pwd), "", buf, True)) { - pdb_clear_sam(pwd); + pdb_free_sam(pwd); return False; } } @@ -2301,11 +2301,11 @@ static BOOL set_user_info_24(SAM_USER_INFO_24 *id24, uint32 rid) /* update the SAMBA password */ if(!pdb_update_sam_account(pwd, True)) { - pdb_clear_sam(pwd); + pdb_free_sam(pwd); return False; } - pdb_clear_sam(pwd); + pdb_free_sam(pwd); return True; } @@ -2364,14 +2364,14 @@ uint32 _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_ unbecome_root(); if(ret == False) { DEBUG(0,("_samr_set_userinfo: Unable to get smbpasswd entry for uid %u\n", (unsigned int)user.uid )); - pdb_clear_sam(sam_pass); + pdb_free_sam(sam_pass); return NT_STATUS_ACCESS_DENIED; } memset(sess_key, '\0', 16); mdfour(sess_key, pdb_get_nt_passwd(sam_pass), 16); - pdb_clear_sam(sam_pass); + pdb_free_sam(sam_pass); /* ok! user info levels (lots: see MSDEV help), off we go... */ switch (switch_value) { -- cgit From dbd7e0a54ee39a67e9e368b279cf89ef159b204c Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 7 May 2001 22:08:34 +0000 Subject: removed unused variables (This used to be commit 09103b16cf0b70c476b48255190725e3dbb77bdb) --- source3/rpc_server/srv_samr_nt.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 8c8418d2e0..62ebeeb89b 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -802,7 +802,6 @@ static BOOL get_group_alias_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 sta } else if (sid_equal(sid, &global_sam_sid) && !lp_hide_local_users()) { char *sep; struct group *grp; - fstring sid_string; sep = lp_winbind_separator(); 
@@ -2106,7 +2105,6 @@ static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, uint32 rid) static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, uint32 rid) { SAM_ACCOUNT *pwd = NULL; - BOOL ret; pdb_init_sam(&pwd); -- cgit From f39cb774e76dd54221119c43b3ff34e933983cf1 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 8 May 2001 06:09:52 +0000 Subject: Fixed compiler warning. (This used to be commit 9f1f811154e6d8f1a14687b1ee7f85d1dd18a925) --- source3/rpc_server/srv_samr_nt.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 62ebeeb89b..e09f93185c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -812,7 +812,6 @@ static BOOL get_group_alias_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 sta setgrent(); while (num_entries < max_entries && ((grp = getgrent()) != NULL)) { - int i; uint32 trid; if(!get_group_from_gid(grp->gr_gid, &smap)) -- cgit From b6a6b4b02ef923ce71a8be8258ccee1cbb439c6f Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Tue, 8 May 2001 16:33:18 +0000 Subject: fixes to the group mapping code. Not ready yet. J.F. (This used to be commit 62a7a567fdea230b77cc97a3f74d868542c34700) --- source3/rpc_server/srv_samr_nt.c | 56 ++++++++++++++++++++++++++++++++++------ 1 file changed, 48 insertions(+), 8 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e09f93185c..693ef95df9 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -211,6 +211,8 @@ static BOOL jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, pdb_get_username(pwd), pdb_get_user_rid(pwd), pdb_get_acct_ctrl(pwd) )); (*num_entries)++; + + pdb_reset_sam(pwd); } pdb_endsampwent(); 
@@ -1411,6 +1413,8 @@ uint32 _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_U if (!find_policy_by_hnd(p, &domain_pol, NULL)) return NT_STATUS_INVALID_HANDLE; + pdb_init_sam(&sampass); + become_root(); ret=pdb_getsampwrid(sampass, user_rid); unbecome_root(); @@ -1540,6 +1544,8 @@ static BOOL get_user_info_21(SAM_USER_INFO_21 *id21, uint32 user_rid) return False; } + pdb_init_sam(&sampass); + become_root(); ret = pdb_getsampwrid(sampass, user_rid); unbecome_root(); @@ -2520,8 +2526,8 @@ uint32 _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_ DEBUG(10, ("sid is %s\n", alias_sid_str)); sid = (DOM_SID2 *)talloc(p->mem_ctx, sizeof(DOM_SID2) * num_uids); - if (sid == NULL) - return NT_STATUS_NO_SUCH_ALIAS; + if (num_uids!=0 && sid == NULL) + return NT_STATUS_NO_MEMORY; for (i = 0; i < num_uids; i++) { sid_copy(&temp_sid, &global_sam_sid); @@ -2581,7 +2587,7 @@ uint32 _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_ rid=talloc(p->mem_ctx, sizeof(uint32)*num_uids); attr=talloc(p->mem_ctx, sizeof(uint32)*num_uids); - if (rid==NULL || attr==NULL) + if (num_uids!=0 && (rid==NULL || attr==NULL)) return NT_STATUS_NO_MEMORY; for (i=0; irid=pdb_gid_to_group_rid(grp->gr_gid); - /* add the group to the mapping table */ - if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, NULL, NULL, SE_PRIV_NONE)) - return NT_STATUS_ACCESS_DENIED; - if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) return NT_STATUS_NO_MEMORY; 
@@ -2872,6 +2874,10 @@ uint32 _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, SAM sid_append_rid(&info->sid, r_u->rid); sid_to_string(sid_string, &info->sid); + /* add the group to the mapping table */ + if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, name, NULL, SE_PRIV_NONE)) + return NT_STATUS_ACCESS_DENIED; + /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, &r_u->alias_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; @@ -2890,7 +2896,7 @@ uint32 _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_ { DOM_SID group_sid; GROUP_MAP map; - uid_t *uid; + uid_t *uid=NULL; int num_uids=0; GROUP_INFO_CTR *ctr; @@ -2962,6 +2968,40 @@ uint32 _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SE return NT_STATUS_NO_PROBLEMO; } +/********************************************************************* + _samr_set_groupinfo + + update a domain group's comment. +*********************************************************************/ + +uint32 _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_SET_ALIASINFO *r_u) +{ + DOM_SID group_sid; + GROUP_MAP map; + ALIAS_INFO_CTR *ctr; + + if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid)) + return NT_STATUS_INVALID_HANDLE; + + if (!get_local_group_from_sid(group_sid, &map)) + return NT_STATUS_NO_SUCH_GROUP; + + ctr=&q_u->ctr; + + switch (ctr->switch_value1) { + case 3: + unistr2_to_ascii(map.comment, &(ctr->alias.info3.uni_acct_desc), sizeof(map.comment)-1); + break; + default: + return NT_STATUS_INVALID_INFO_CLASS; + } + + if(!add_mapping_entry(&map, TDB_REPLACE)) + return NT_STATUS_NO_SUCH_GROUP; + + return NT_STATUS_NO_PROBLEMO; +} + /********************************************************************* _samr_get_dom_pwinfo *********************************************************************/ -- cgit From f874646136270eddc54227796356e2d2fc7e4e67 Mon Sep 17 00:00:00 2001 
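Review bot: The new `return NT_STATUS_ACCESS_DENIED;` after a failed `add_initial_entry()` leaves `info` allocated. The `malloc(sizeof(struct samr_info))` is shown in the preceding hunk of the same function, and no policy handle has taken ownership of it at this point. Free it on this path: `if (!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, name, NULL, SE_PRIV_NONE)) { safe_free(info); return NT_STATUS_ACCESS_DENIED; }`. The `create_policy_hnd` failure return directly below appears to have the same leak, unless that call frees `info` itself. The function starts and ends outside the hunk.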
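Review bot: `_samr_set_aliasinfo` rewrites the stored group mapping with `add_mapping_entry(&map, TDB_REPLACE)` for any caller that presents a valid alias handle; nothing in the function checks that the handle was opened for writing or that the caller may modify the alias. If authorisation is enforced when the handle is opened, record that in a comment such as `/* write access is checked when the alias handle is opened */`; otherwise a check belongs before the `switch`. The header comment is copied from the function above and should read `_samr_set_aliasinfo` and `update a local alias's comment.`. A failed write is reported as `NT_STATUS_NO_SUCH_GROUP`, which presents a storage error as a lookup error.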
From: Gerald Carter Date: Wed, 9 May 2001 17:57:08 +0000 Subject: check for valid pointer before calling memset() in samr_clear_sam_passwd (This used to be commit a6a4a17f6afce9d1c10c5ab551ce0b6b5f5c1865) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 693ef95df9..e4289dd457 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -79,8 +79,8 @@ static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass) if (!sam_pass) return; - memset(sam_pass->lm_pw, '\0', 16); - memset(sam_pass->nt_pw, '\0', 16); + if (sam_pass->lm_pw) memset(sam_pass->lm_pw, '\0', 16); + if (sam_pass->nt_pw) memset(sam_pass->nt_pw, '\0', 16); } /******************************************************************* -- cgit From 6dd8c06ce9dcd5896a00ad99e81d6e9e9a5f4296 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 10 May 2001 20:05:06 +0000 Subject: Should be faliing on False and not True. Bad check on return value (This used to be commit 5be97aacf4db43a91562b77f010850afb818ac05) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e4289dd457..71b50a359e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2205,7 +2205,7 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) pdb_init_sam(&pwd); pdb_init_sam(&new_pwd); - if (pdb_getsampwrid(pwd, rid)) { + if (!pdb_getsampwrid(pwd, rid)) { pdb_free_sam(pwd); pdb_free_sam(new_pwd); return False; -- cgit From bbf5ea221aad91a99564ee130a6334d3b25e2a9a Mon Sep 17 00:00:00 2001 
From: Simo Sorce Date: Tue, 29 May 2001 07:34:01 +0000 Subject: 4 new functions to retrieve single linked list of group and passwd entries + a fix to an infinite loop in srv_samr_nt.c caused by misuse of setgrent/getgrent/endgrent solved by these new functions (This used to be commit 97dbb54a13e2285f1905ee1ec9aafeebdaee8917) --- source3/rpc_server/srv_samr_nt.c | 35 +++++++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 8 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 71b50a359e..55e20ebd07 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -803,7 +803,8 @@ static BOOL get_group_alias_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 sta } else if (sid_equal(sid, &global_sam_sid) && !lp_hide_local_users()) { char *sep; - struct group *grp; + struct sys_grent *glist; + struct sys_grent *grp; sep = lp_winbind_separator(); 
@@ -811,36 +812,50 @@ static BOOL get_group_alias_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 sta /* we return the UNIX groups here. This seems to be the right */ /* thing to do, since NT member servers return their local */ /* groups in the same situation. */ - setgrent(); - while (num_entries < max_entries && ((grp = getgrent()) != NULL)) { + /* use getgrent_list() to retrieve the list of groups to avoid + * problems with getgrent possible infinite loop by internal + * libc grent structures overwrites by called functions */ + grp = glist = getgrent_list(); + if (grp == NULL) + return NT_STATUS_NO_MEMORY; + + while ((num_entries < max_entries) && (grp != NULL)) { uint32 trid; - if(!get_group_from_gid(grp->gr_gid, &smap)) + if(!get_group_from_gid(grp->gr_gid, &smap)) { + grp = grp->next; continue; + } - if (smap.sid_name_use!=SID_NAME_ALIAS) + if (smap.sid_name_use!=SID_NAME_ALIAS) { + grp = grp->next; continue; + } sid_split_rid(&smap.sid, &trid); /* Don't return winbind groups as they are not local! */ if (strchr(smap.nt_name, *sep) != NULL) { DEBUG(10,("get_group_alias_entries: not returing %s, not local.\n", smap.nt_name )); + grp = grp->next; continue; } /* Don't return user private groups... */ if (Get_Pwnam(smap.nt_name, False) != 0) { DEBUG(10,("get_group_alias_entries: not returing %s, clashes with user.\n", smap.nt_name )); + grp = grp->next; continue; } for( i = 0; i < num_entries; i++) if ( (*d_grp)[i].rid == trid ) break; - if ( i < num_entries ) + if ( i < num_entries ) { + grp = grp->next; continue; /* rid was there, dup! */ + } /* JRA - added this for large group db enumeration... */ 
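Review bot: `get_group_alias_entries` is declared `static BOOL`, but the added `if (grp == NULL) return NT_STATUS_NO_MEMORY;` returns a non-zero status code, which a caller testing `if (!get_group_alias_entries(...))` reads as success. The same applies to the `grent_free(glist); return NT_STATUS_NO_MEMORY;` path in the next hunk (`@@ -849,19 +864,23 @@`). Use `return False;` in both places so the failure reaches the caller. A NULL from `getgrent_list()` is also reported as out-of-memory even if it only means that no groups exist, so it is worth confirming which of the two it can mean. The function starts and ends outside this hunk.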
@@ -849,19 +864,23 @@ static BOOL get_group_alias_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 sta not very efficient, but hey... */ start_idx--; + grp = grp->next; continue; } *d_grp=Realloc(*d_grp, (num_entries+1)*sizeof(DOMAIN_GRP)); - if (*d_grp==NULL) + if (*d_grp==NULL) { + grent_free(glist); return NT_STATUS_NO_MEMORY; + } fstrcpy((*d_grp)[num_entries].name, smap.nt_name); (*d_grp)[num_entries].rid = trid; num_entries++; + grp = grp->next; } - endgrent(); + grent_free(glist); } *p_num_entries = num_entries; -- cgit From 11b2de50fc0e8bfcd810e8b07a7eb39a5d903621 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 6 Jun 2001 23:07:10 +0000 Subject: Added getconf flags for RH7.1 lfs support. Changed while() to a for() loop in Simo's code (removes much grp = gep->next code). Jeremy. (This used to be commit d0c276c2429fa19cd95ca887654e049593de68d5) --- source3/rpc_server/srv_samr_nt.c | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 55e20ebd07..010da5c3e5 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -820,16 +820,14 @@ static BOOL get_group_alias_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 sta if (grp == NULL) return NT_STATUS_NO_MEMORY; - while ((num_entries < max_entries) && (grp != NULL)) { + for (; (num_entries < max_entries) && (grp != NULL); grp = grp->next) { uint32 trid; if(!get_group_from_gid(grp->gr_gid, &smap)) { - grp = grp->next; continue; } if (smap.sid_name_use!=SID_NAME_ALIAS) { - grp = grp->next; continue; } 
@@ -838,24 +836,21 @@ static BOOL get_group_alias_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 sta /* Don't return winbind groups as they are not local! */ if (strchr(smap.nt_name, *sep) != NULL) { DEBUG(10,("get_group_alias_entries: not returing %s, not local.\n", smap.nt_name )); - grp = grp->next; continue; } /* Don't return user private groups... */ if (Get_Pwnam(smap.nt_name, False) != 0) { DEBUG(10,("get_group_alias_entries: not returing %s, clashes with user.\n", smap.nt_name )); - grp = grp->next; continue; } for( i = 0; i < num_entries; i++) - if ( (*d_grp)[i].rid == trid ) break; + if ( (*d_grp)[i].rid == trid ) + break; - if ( i < num_entries ) { - grp = grp->next; + if ( i < num_entries ) continue; /* rid was there, dup! */ - } /* JRA - added this for large group db enumeration... */ @@ -864,7 +859,6 @@ static BOOL get_group_alias_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 sta not very efficient, but hey... */ start_idx--; - grp = grp->next; continue; } @@ -877,7 +871,6 @@ static BOOL get_group_alias_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 sta fstrcpy((*d_grp)[num_entries].name, smap.nt_name); (*d_grp)[num_entries].rid = trid; num_entries++; - grp = grp->next; } grent_free(glist); -- cgit From 809c0258780cc75cd456518571891fc30998d30d Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 18 Jun 2001 20:27:35 +0000 Subject: Added patches to remove Linux specific XFS ACLs. These are now handled by the generic Linux ACL code. rpc_server/srv_samr_nt.c: Don't delete a policy handle before it's created. Jeremy. (This used to be commit db5b82e53a7061c4764d39ceb3df82e706aad42f) --- source3/rpc_server/srv_samr_nt.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 010da5c3e5..1db69716be 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1850,7 +1850,6 @@ uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CR if (!local_password_change(mach_acct, local_flags, NULL, err_str, sizeof(err_str), msg_str, sizeof(msg_str))) { DEBUG(0, ("%s\n", err_str)); - close_policy_hnd(p, user_pol); pdb_free_sam(sam_pass); return NT_STATUS_ACCESS_DENIED; } @@ -1860,21 +1859,18 @@ uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CR unbecome_root(); if (ret == False) { /* account doesn't exist: say so */ - close_policy_hnd(p, user_pol); pdb_free_sam(sam_pass); return NT_STATUS_ACCESS_DENIED; } /* Get the domain SID stored in the domain policy */ if(!get_lsa_policy_samr_sid(p, &dom_pol, &sid)) { - close_policy_hnd(p, user_pol); pdb_free_sam(sam_pass); return NT_STATUS_INVALID_HANDLE; } /* append the user's RID to it */ if(!sid_append_rid(&sid, pdb_get_user_rid(sam_pass) )) { - close_policy_hnd(p, user_pol); pdb_free_sam(sam_pass); return NT_STATUS_NO_SUCH_USER; } -- cgit From 48a5c872402e5c445858dd4054571ca0fada11c4 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 18 Jun 2001 21:34:01 +0000 Subject: Fix for assert fail - left over when moved to dynamic allocation. Jeremy. (This used to be commit 0fcf2006334bd41d4036e703a6725aaaf684e008) --- source3/rpc_server/srv_samr_nt.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 1db69716be..0a82c90a1d 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1219,7 +1219,7 @@ uint32 _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOK uint32 rid[MAX_SAM_ENTRIES]; enum SID_NAME_USE type[MAX_SAM_ENTRIES]; int i; - int num_rids = q_u->num_names1; + int num_rids = q_u->num_names2; DOM_SID pol_sid; r_u->status = NT_STATUS_NOPROBLEMO; 
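Review bot: `int num_rids = q_u->num_names2;` in `_samr_lookup_names` stores a count taken from the request in a signed `int`. The following hunk (`@@ -1239,8 +1239,6 @@`) removes `SMB_ASSERT_ARRAY(q_u->uni_name, num_rids)`, so the loop over `q_u->uni_name[i]` relies on the truncation to `MAX_SAM_ENTRIES`, whose comparison is outside the hunk, and on the parser having allocated `uni_name` with `num_names2` elements. If `num_names2` is an unsigned wire field, a value above INT_MAX becomes negative and would not be truncated by a signed `> MAX_SAM_ENTRIES` test; declaring it `uint32 num_rids = q_u->num_names2;` avoids that. A comment such as `/* uni_name[] is allocated by the parser with num_names2 entries */` would record the invariant the removed assert used to check.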
@@ -1239,8 +1239,6 @@ uint32 _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOK DEBUG(5,("_samr_lookup_names: truncating entries to %d\n", num_rids)); } - SMB_ASSERT_ARRAY(q_u->uni_name, num_rids); - for (i = 0; i < num_rids; i++) { fstring name; -- cgit From 3f1254bee1b3cc8cce1e17be6f0250090f579417 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 20 Jun 2001 19:55:59 +0000 Subject: Fixed W2K SP2 joining a Samba PDC hosted domain. Jermey. (This used to be commit 05a2911403a0710d994a618e72743205a3b0b87a) --- source3/rpc_server/srv_samr_nt.c | 40 +++++++++++++++++++++++++++++++++------- 1 file changed, 33 insertions(+), 7 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 0a82c90a1d..502774e986 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2259,10 +2259,10 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) } /******************************************************************* - set_user_info_24 + set_user_info_pw ********************************************************************/ -static BOOL set_user_info_24(SAM_USER_INFO_24 *id24, uint32 rid) +static BOOL set_user_info_pw(char *pass, uint32 rid) { SAM_ACCOUNT *pwd = NULL; uchar nt_hash[16]; @@ -2282,7 +2282,7 @@ static BOOL set_user_info_24(SAM_USER_INFO_24 *id24, uint32 rid) memset(buf, 0, sizeof(buf)); - if (!decode_pw_buffer((char*)id24->pass, buf, 256, &len, nt_hash, lm_hash)) { + if (!decode_pw_buffer(pass, buf, 256, &len, nt_hash, lm_hash)) { pdb_free_sam(pwd); return False; } @@ -2306,7 +2306,7 @@ static BOOL set_user_info_24(SAM_USER_INFO_24 *id24, uint32 rid) memset(buf, 0, sizeof(buf)); - DEBUG(0,("set_user_info_24: pdb_update_sam_account()\n")); + DEBUG(5,("set_user_info_pw: pdb_update_sam_account()\n")); /* update the SAMBA password */ if(!pdb_update_sam_account(pwd, True)) { 
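Review bot: `set_user_info_pw(char *pass, uint32 rid)` no longer carries the size of the password buffer in its parameter type, and `decode_pw_buffer(pass, buf, 256, &len, nt_hash, lm_hash)` reads from it without a length argument. Judging by the callers in the next hunk, the buffer is the 516-byte block already run through `SamOEMhash()`, and that contract should be stated in the header comment, for example `pass: 516-byte password buffer, already decrypted with the session key`. The header currently holds only the function name. The function body is split across three hunks, so its remaining paths are not all visible here.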
@@ -2390,13 +2390,39 @@ uint32 _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_ break; case 24: - SamOEMhash(ctr->info.id24->pass, sess_key, 1); - if (!set_user_info_24(ctr->info.id24, rid)) + SamOEMhash(ctr->info.id24->pass, sess_key, 516); + + dump_data(100, (char *)ctr->info.id24->pass, 516); + + if (!set_user_info_pw(ctr->info.id24->pass, rid)) return NT_STATUS_ACCESS_DENIED; break; + case 25: +#if 0 + /* + * Currently we don't really know how to unmarshall + * the level 25 struct, and the password encryption + * is different. This is a placeholder for when we + * do understand it. In the meantime just return INVALID + * info level and W2K SP2 drops down to level 23... JRA. + */ + + SamOEMhash(ctr->info.id25->pass, sess_key, 532); + + dump_data(100, (char *)ctr->info.id25->pass, 532); + + if (!set_user_info_pw(ctr->info.id25->pass, rid)) + return NT_STATUS_ACCESS_DENIED; + break; +#endif + return NT_STATUS_INVALID_INFO_CLASS; + case 23: - SamOEMhash(ctr->info.id23->pass, sess_key, 1); + SamOEMhash(ctr->info.id23->pass, sess_key, 516); + + dump_data(100, (char *)ctr->info.id23->pass, 516); + if (!set_user_info_23(ctr->info.id23, rid)) return NT_STATUS_ACCESS_DENIED; break; -- cgit From 2cddd5fe8ca05cd642428b4a7e2356f05cee6386 Mon Sep 17 00:00:00 2001 
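Review bot: `dump_data(100, (char *)ctr->info.id24->pass, 516);` runs after `SamOEMhash()` has been applied with the session key, which appears to be the decryption step, so at debug level 100 the new password material is written to the log in recoverable form; the same call is added for level 23. I would remove both `dump_data` calls or move them before the `SamOEMhash()` call. Nothing in the hunk clears `ctr->info.id24->pass` or `ctr->info.id23->pass` after use, so the decrypted buffer also stays in the request structure; a `memset(ctr->info.id24->pass, 0, 516);` after `set_user_info_pw()` returns would limit that. The function starts and ends outside the hunk.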
From: Jeremy Allison Date: Fri, 29 Jun 2001 18:41:31 +0000 Subject: From JF.... hi jeremy, can you commit the following patch against HEAD. I can't do it right now Thanks Tim for me. He changed the SAM_DISPINFO_1 array without checking if he didn't break the server code. And he did. So on my way I cleaned info_1, 2, .. 5 it may break winbind. I leave to tim the pleasure to fix it ;-) jf. I added some talloc changes and checks for alloc fails. Jeremy. (This used to be commit 001e9b7b540f04c80ba65c879aaa41acddc86f3e) --- source3/rpc_server/srv_samr_nt.c | 44 +++++++++++++++++++++++----------------- 1 file changed, 25 insertions(+), 19 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 502774e986..5106271c60 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -770,7 +770,7 @@ static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNIST Get the group entries - similar to get_sampwd_entries(). ********************************************************************/ -static BOOL get_group_alias_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, +static BOOL get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, uint32 *p_num_entries, uint32 max_entries) { fstring sid_str; @@ -789,7 +789,7 @@ static BOOL get_group_alias_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 sta enum_group_mapping(SID_NAME_WKN_GRP, &map, &num_entries, ENUM_ONLY_MAPPED); - *d_grp=(DOMAIN_GRP *)malloc(num_entries*sizeof(DOMAIN_GRP)); + *d_grp=(DOMAIN_GRP *)talloc(ctx, num_entries*sizeof(DOMAIN_GRP)); if (*d_grp==NULL) return NT_STATUS_NO_MEMORY; 
@@ -862,7 +862,7 @@ static BOOL get_group_alias_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 sta continue; } - *d_grp=Realloc(*d_grp, (num_entries+1)*sizeof(DOMAIN_GRP)); + *d_grp=talloc_realloc(ctx,*d_grp, (num_entries+1)*sizeof(DOMAIN_GRP)); if (*d_grp==NULL) { grent_free(glist); return NT_STATUS_NO_MEMORY; @@ -885,7 +885,7 @@ static BOOL get_group_alias_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 sta Get the group entries - similar to get_sampwd_entries(). ********************************************************************/ -static BOOL get_group_domain_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, +static BOOL get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, uint32 *p_num_entries, uint32 max_entries) { GROUP_MAP *map=NULL; @@ -896,7 +896,7 @@ static BOOL get_group_domain_entries(DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 st enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED); - *d_grp=(DOMAIN_GRP *)malloc(num_entries*sizeof(DOMAIN_GRP)); + *d_grp=(DOMAIN_GRP *)talloc(ctx, num_entries*sizeof(DOMAIN_GRP)); if (*d_grp==NULL) return False; @@ -934,7 +934,7 @@ uint32 _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_ DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__)); /* the domain group array is being allocated in the function below */ - get_group_domain_entries(&grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES); + get_group_domain_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES); make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp); 
@@ -967,7 +967,7 @@ uint32 _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAM sid_to_string(sid_str, &sid); DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", sid_str)); - if (!get_group_alias_entries(&grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES)) + if (!get_group_alias_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES)) return NT_STATUS_ACCESS_DENIED; make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp); @@ -1042,7 +1042,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ break; case 0x3: case 0x5: - ret = get_group_domain_entries(&grps, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES); + ret = get_group_domain_entries(p->mem_ctx, &grps, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES); if (!ret) return NT_STATUS_ACCESS_DENIED; break; 
@@ -1066,30 +1066,36 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ data_size = q_u->max_size; orig_num_entries = num_entries; - ctr = (SAM_DISPINFO_CTR *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_CTR)); + if (!(ctr = (SAM_DISPINFO_CTR *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_CTR)))) + return NT_STATUS_NO_MEMORY; /* Now create reply structure */ switch (q_u->switch_level) { case 0x1: - ctr->sam.info1 = (SAM_DISPINFO_1 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_1)); - init_sam_dispinfo_1(ctr->sam.info1, &num_entries, &data_size, q_u->start_idx, pass); + if (!(ctr->sam.info1 = (SAM_DISPINFO_1 *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_1)))) + return NT_STATUS_NO_MEMORY; + init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, &num_entries, &data_size, q_u->start_idx, pass); break; case 0x2: - ctr->sam.info2 = (SAM_DISPINFO_2 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_2)); - init_sam_dispinfo_2(ctr->sam.info2, &num_entries, &data_size, q_u->start_idx, pass); + if (!(ctr->sam.info2 = (SAM_DISPINFO_2 *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_2)))) + return NT_STATUS_NO_MEMORY; + init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, &num_entries, &data_size, q_u->start_idx, pass); break; case 0x3: - ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_3)); - init_sam_dispinfo_3(ctr->sam.info3, &num_entries, &data_size, q_u->start_idx, grps); + if (!(ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_3)))) + return NT_STATUS_NO_MEMORY; + init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, &num_entries, &data_size, q_u->start_idx, grps); safe_free(grps); break; case 0x4: - ctr->sam.info4 = (SAM_DISPINFO_4 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_4)); - init_sam_dispinfo_4(ctr->sam.info4, &num_entries, &data_size, q_u->start_idx, pass); + if (!(ctr->sam.info4 = (SAM_DISPINFO_4 *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_4)))) + return NT_STATUS_NO_MEMORY; + 
init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, &num_entries, &data_size, q_u->start_idx, pass); break; case 0x5: - ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_5)); - init_sam_dispinfo_5(ctr->sam.info5, &num_entries, &data_size, q_u->start_idx, grps); + if (!(ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_5)))) + return NT_STATUS_NO_MEMORY; + init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, &num_entries, &data_size, q_u->start_idx, grps); safe_free(grps); break; default: -- cgit From 87fbb7092b8f8b2f0db0f361c3d625e19de57cd9 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 4 Jul 2001 07:15:53 +0000 Subject: The big character set handling changeover! This commit gets rid of all our old codepage handling and replaces it with iconv. All internal strings in Samba are now in "unix" charset, which may be multi-byte. See internals.doc and my posting to samba-technical for a more complete explanation. (This used to be commit debb471267960e56005a741817ebd227ecfc512a) --- source3/rpc_server/srv_samr_nt.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 5106271c60..d783de3b4b 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -246,7 +246,7 @@ static char *unmap_unixname(char *unix_user_name, int name_idx) if (!*unix_user_name) return NULL; if (!*mapfile) return NULL; - lines = file_lines_load(mapfile, NULL,False); + lines = file_lines_load(mapfile, NULL); if (!lines) { DEBUG(0,("unmap_unixname: can't open username map %s\n", mapfile)); return NULL; 
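Review bot: `safe_free(grps);` is kept in cases `0x3` and `0x5`, but `grps` now comes from `get_group_domain_entries(p->mem_ctx, &grps, ...)`, which this commit switches from `malloc` to `talloc(ctx, ...)`. Assuming `safe_free` wraps `free()`, releasing pool-owned memory this way leads to a double free or heap corruption when `p->mem_ctx` is destroyed. Remove both `safe_free(grps);` lines and let the pool own the array. The later hunk `@@ -1074,29 +1080,39 @@` carries the same two calls forward.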
@@ -1253,7 +1253,7 @@ uint32 _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOK rid [i] = 0xffffffff; type[i] = SID_NAME_UNKNOWN; - fstrcpy(name, dos_unistrn2(q_u->uni_name[i].buffer, q_u->uni_name[i].uni_str_len)); + rpcstr_pull(name, q_u->uni_name[i].buffer, sizeof(name), q_u->uni_name[i].uni_str_len*2, 0); if(sid_equal(&pol_sid, &global_sam_sid)) { DOM_SID sid; @@ -1284,8 +1284,8 @@ uint32 _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_ r_u->status = NT_STATUS_NOPROBLEMO; - fstrcpy(user_name, dos_unistrn2(q_u->uni_user_name.buffer, q_u->uni_user_name.uni_str_len)); - fstrcpy(wks , dos_unistrn2(q_u->uni_dest_host.buffer, q_u->uni_dest_host.uni_str_len)); + rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0); + rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len,0); DEBUG(5,("samr_chgpasswd_user: user: %s wks: %s\n", user_name, wks)); @@ -1810,7 +1810,7 @@ uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CR reply if the account already exists... */ - fstrcpy(mach_acct, dos_unistrn2(user_account.buffer, user_account.uni_str_len)); + rpcstr_pull(mach_acct, user_account.buffer, sizeof(mach_acct), user_account.uni_str_len*2, 0); strlower(mach_acct); pdb_init_sam(&sam_pass); -- cgit From 527e824293ee934ca5da0ef5424efe5ab7757248 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 4 Jul 2001 07:36:09 +0000 Subject: strchr and strrchr are macros when compiling with optimisation in gcc, so we can't redefine them. damn. (This used to be commit c41fc06376d1a2b83690612304e85010b5e5f3cf) --- source3/rpc_server/srv_samr_nt.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d783de3b4b..a73dcb30d2 100644 --- a/source3/rpc_server/srv_samr_nt.c 
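Review bot: In `_samr_chgpasswd_user` the `wks` conversion passes `q_u->uni_dest_host.uni_str_len` as the source length, while the `user_name` line above it and the other `rpcstr_pull` calls in this commit pass `uni_str_len*2`. If that argument is a byte count, as the `*2` elsewhere implies, the workstation name is cut to half its length; use `q_u->uni_dest_host.uni_str_len*2`. In all of these calls `uni_str_len` comes from the request, so it should be confirmed that the parser has already bounded it by the size of `buffer`; otherwise the pull can read past the received string. The function continues outside the hunk.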
+++ b/source3/rpc_server/srv_samr_nt.c @@ -256,7 +256,7 @@ static char *unmap_unixname(char *unix_user_name, int name_idx) for (i=0; lines[i]; i++) { char *unixname = lines[i]; - char *dosname = strchr(unixname,'='); + char *dosname = strchr_m(unixname,'='); if (!dosname) continue; @@ -271,7 +271,7 @@ static char *unmap_unixname(char *unix_user_name, int name_idx) unixname++; } - if (!*unixname || strchr("#;",*unixname)) + if (!*unixname || strchr_m("#;",*unixname)) continue; if (strncmp(unixname, unix_user_name, strlen(unix_user_name))) @@ -280,7 +280,7 @@ static char *unmap_unixname(char *unix_user_name, int name_idx) /* We have matched the UNIX user name */ while(next_token(&dosname, tok, LIST_SEP, sizeof(tok))) { - if (!strchr("@&+", *tok)) { + if (!strchr_m("@&+", *tok)) { name_idx--; if (name_idx < 0 ) { break; @@ -406,7 +406,7 @@ static BOOL get_passwd_entries(SAM_USER_INFO_21 *pw_buf, /* Don't enumerate winbind users as they are not local */ - if (strchr(pwd->pw_name, *sep) != NULL) { + if (strchr_m(pwd->pw_name, *sep) != NULL) { continue; } @@ -834,7 +834,7 @@ static BOOL get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID sid_split_rid(&smap.sid, &trid); /* Don't return winbind groups as they are not local! */ - if (strchr(smap.nt_name, *sep) != NULL) { + if (strchr_m(smap.nt_name, *sep) != NULL) { DEBUG(10,("get_group_alias_entries: not returing %s, not local.\n", smap.nt_name )); continue; } -- cgit From 3a40f80a94cba569c1a1f19ba36165069ba7e83a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 5 Jul 2001 22:36:25 +0000 Subject: Fix for enumerating large numbers of users. Jeremy. (This used to be commit c8c138c1fbb49799a2dd4c6e781bd89f51c0c0c5) --- source3/rpc_server/srv_samr_nt.c | 81 ++++++++++++++++++++++++---------------- 1 file changed, 48 insertions(+), 33 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index a73dcb30d2..fb2dcf03cc 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -88,28 +88,28 @@ static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass) dynamically returns the correct user info..... JRA. ********************************************************************/ -static BOOL get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, +static uint32 get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, int *total_entries, int *num_entries, int max_num_entries, uint16 acb_mask) { SAM_ACCOUNT *pwd = NULL; - BOOL ret; + BOOL not_finished = True; (*num_entries) = 0; (*total_entries) = 0; if (pw_buf == NULL) - return False; + return NT_STATUS_NO_MEMORY; pdb_init_sam(&pwd); if (!pdb_setsampwent(False)) { DEBUG(0, ("get_sampwd_entries: Unable to open passdb.\n")); pdb_free_sam(pwd); - return False; + return NT_STATUS_ACCESS_DENIED; } - while (((ret = pdb_getsampwent(pwd)) != False) && (*num_entries) < max_num_entries) { + while (((not_finished = pdb_getsampwent(pwd)) != False) && (*num_entries) < max_num_entries) { int user_name_len; if (start_idx > 0) { 
@@ -148,32 +148,36 @@ static BOOL get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, pdb_endsampwent(); pdb_free_sam(pwd); - return (*num_entries) > 0; + if (not_finished) + return STATUS_MORE_ENTRIES; + else + return NT_STATUS_NO_PROBLEMO; } -static BOOL jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, +static uint32 jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, int *total_entries, uint32 *num_entries, int max_num_entries, uint16 acb_mask) { SAM_ACCOUNT *pwd = NULL; + BOOL not_finished = True; *num_entries = 0; *total_entries = 0; if (pw_buf == NULL) - return False; + return NT_STATUS_NO_MEMORY; DEBUG(10,("jf_get_sampwd_entries: start index:%d, max entries:%d, mask:%d\n", start_idx, max_num_entries, acb_mask)); if (!pdb_setsampwent(False)) { DEBUG(0, ("jf_get_sampwd_entries: Unable to open passdb.\n")); - return False; + return NT_STATUS_ACCESS_DENIED; } pdb_init_sam(&pwd); - while ((pdb_getsampwent(pwd) != False) && (*num_entries) < max_num_entries) { + while (((not_finished = pdb_getsampwent(pwd)) != False) && (*num_entries) < max_num_entries) { int user_name_len; int full_name_len; @@ -221,7 +225,10 @@ static BOOL jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, pdb_free_sam(pwd); - return True; + if (not_finished) + return STATUS_MORE_ENTRIES; + else + return NT_STATUS_NO_PROBLEMO; } /******************************************************************* @@ -684,7 +691,6 @@ uint32 _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, SAMR_R_ SAM_USER_INFO_21 pass[MAX_SAM_ENTRIES]; int num_entries = 0; int total_entries = 0; - BOOL ret; r_u->status = NT_STATUS_NOPROBLEMO; 
@@ -695,12 +701,12 @@ uint32 _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, SAMR_R_ DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); become_root(); - ret = get_sampwd_entries(pass, q_u->start_idx, &total_entries, &num_entries, + r_u->status = get_sampwd_entries(pass, q_u->start_idx, &total_entries, &num_entries, MAX_SAM_ENTRIES, q_u->acb_mask); unbecome_root(); - if (!ret) - return NT_STATUS_ACCESS_DENIED; + if (r_u->status != NT_STATUS_NOPROBLEMO && r_u->status != STATUS_MORE_ENTRIES) + return r_u->status; samr_clear_passwd_fields(pass, num_entries); @@ -995,7 +1001,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ int total_entries = 0; uint32 data_size = 0; DOM_SID sid; - BOOL ret; + uint32 disp_ret; SAM_DISPINFO_CTR *ctr; DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__)); 
@@ -1020,30 +1026,30 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ case 0x4: become_root(); #if 0 - ret = get_passwd_entries(pass, q_u->start_idx, &total_entries, &num_entries, + r_u->status = get_passwd_entries(pass, q_u->start_idx, &total_entries, &num_entries, MAX_SAM_ENTRIES, acb_mask); #endif #if 0 /* * Which should we use here ? JRA. */ - ret = get_sampwd_entries(pass, q_u->start_idx, &total_entries, &num_entries, + r_u->status = get_sampwd_entries(pass, q_u->start_idx, &total_entries, &num_entries, MAX_SAM_ENTRIES, acb_mask); #endif #if 1 - ret = jf_get_sampwd_entries(pass, q_u->start_idx, &total_entries, &num_entries, + r_u->status = jf_get_sampwd_entries(pass, q_u->start_idx, &total_entries, &num_entries, MAX_SAM_ENTRIES, acb_mask); #endif unbecome_root(); - if (!ret) { + if (r_u->status!=STATUS_MORE_ENTRIES && r_u->status!=NT_STATUS_NO_PROBLEMO) { DEBUG(5, ("get_sampwd_entries: failed\n")); - return NT_STATUS_ACCESS_DENIED; + return r_u->status; } break; case 0x3: case 0x5: - ret = get_group_domain_entries(p->mem_ctx, &grps, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES); - if (!ret) + r_u->status = get_group_domain_entries(p->mem_ctx, &grps, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES); + if (r_u->status != NT_STATUS_NO_PROBLEMO) return NT_STATUS_ACCESS_DENIED; break; default: @@ -1051,6 +1057,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ return NT_STATUS_INVALID_INFO_CLASS; } + orig_num_entries = num_entries; if (num_entries > q_u->max_entries) num_entries = q_u->max_entries; @@ -1064,7 +1071,6 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ samr_clear_passwd_fields(pass, num_entries); data_size = q_u->max_size; - orig_num_entries = num_entries; if (!(ctr = (SAM_DISPINFO_CTR *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_CTR)))) return NT_STATUS_NO_MEMORY; 
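Review bot: In cases `0x3` and `0x5` the result of `get_group_domain_entries()` is now stored in `r_u->status` and compared with `NT_STATUS_NO_PROBLEMO`, but that function is declared `static BOOL` in the earlier commit on this page. Unless its return type changes outside these hunks, a successful `True` compares unequal to the zero status and returns `NT_STATUS_ACCESS_DENIED`, while `False` passes as success. Keep the boolean test: `if (!get_group_domain_entries(p->mem_ctx, &grps, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES)) return NT_STATUS_ACCESS_DENIED;`. The `DEBUG(5, ("get_sampwd_entries: failed\n"))` message in the branch above also names a function that the enabled `#if 1` path does not call.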
@@ -1074,29 +1080,39 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ case 0x1: if (!(ctr->sam.info1 = (SAM_DISPINFO_1 *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_1)))) return NT_STATUS_NO_MEMORY; - init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, &num_entries, &data_size, q_u->start_idx, pass); + disp_ret = init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, &num_entries, &data_size, q_u->start_idx, pass); + if (disp_ret != NT_STATUS_NO_PROBLEMO) + return disp_ret; break; case 0x2: if (!(ctr->sam.info2 = (SAM_DISPINFO_2 *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_2)))) return NT_STATUS_NO_MEMORY; - init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, &num_entries, &data_size, q_u->start_idx, pass); + disp_ret = init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, &num_entries, &data_size, q_u->start_idx, pass); + if (disp_ret != NT_STATUS_NO_PROBLEMO) + return disp_ret; break; case 0x3: if (!(ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_3)))) return NT_STATUS_NO_MEMORY; - init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, &num_entries, &data_size, q_u->start_idx, grps); + disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, &num_entries, &data_size, q_u->start_idx, grps); safe_free(grps); + if (disp_ret != NT_STATUS_NO_PROBLEMO) + return disp_ret; break; case 0x4: if (!(ctr->sam.info4 = (SAM_DISPINFO_4 *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_4)))) return NT_STATUS_NO_MEMORY; - init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, &num_entries, &data_size, q_u->start_idx, pass); + disp_ret = init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, &num_entries, &data_size, q_u->start_idx, pass); + if (disp_ret != NT_STATUS_NO_PROBLEMO) + return disp_ret; break; case 0x5: if (!(ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_5)))) return NT_STATUS_NO_MEMORY; - init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, &num_entries, &data_size, q_u->start_idx, grps); + disp_ret = init_sam_dispinfo_5(p->mem_ctx, 
ctr->sam.info5, &num_entries, &data_size, q_u->start_idx, grps); safe_free(grps); + if (disp_ret != NT_STATUS_NO_PROBLEMO) + return disp_ret; break; default: ctr->sam.info = NULL; @@ -1105,11 +1121,10 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ DEBUG(5, ("_samr_query_dispinfo: %d\n", __LINE__)); - init_samr_r_query_dispinfo(r_u, num_entries, data_size, q_u->switch_level, ctr, r_u->status); - - if (num_entries < orig_num_entries) { + if (num_entries < orig_num_entries) return STATUS_MORE_ENTRIES; - } + + init_samr_r_query_dispinfo(r_u, num_entries, data_size, q_u->switch_level, ctr, r_u->status); return r_u->status; } -- cgit From 28a53730a9c321eed6b833e3b0da69254b5bc08c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 7 Jul 2001 08:45:39 +0000 Subject: Add a new paramater: add machine script This allows the administrator to define different scripts for adding unix users and automaticly adding machines. If it is not defined, it falls back to the value of 'add user script'. Andrew Bartlett (This used to be commit 7a478e050f3ab33bd0141a58c698d748f0d2b204) --- source3/rpc_server/srv_samr_nt.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index fb2dcf03cc..829218008d 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
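Review bot: The reordered tail of _samr_query_dispinfo returns `STATUS_MORE_ENTRIES` before init_samr_r_query_dispinfo() is called, so on a truncated enumeration `r_u` is never filled in with `num_entries`, `data_size` and `ctr`, and `r_u->status` is not updated either. Unless the reply is populated somewhere outside this hunk, the client would receive a continuation status with an empty body. Setting the status first keeps both behaviours: `if (num_entries < orig_num_entries) r_u->status = STATUS_MORE_ENTRIES;` followed by the existing init call and `return r_u->status;`.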
@@ -1860,10 +1860,18 @@ uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CR * JFM (2/3/2001), to clear any possible bad understanding (-: */ - pstrcpy(add_script, lp_adduser_script()); + pstrcpy(add_script, lp_addmachine_script()); - if(*add_script) - smb_create_user(mach_acct, NULL); + if (!*add_script) { + pstrcpy(add_script, lp_adduser_script()); + } + + if(*add_script) { + int add_ret; + all_string_sub(add_script, "%u", mach_acct, sizeof(mach_acct)); + add_ret = smbrun(add_script,NULL); + DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n",add_script,add_ret)); + } /* add the user in the smbpasswd file or the Samba authority database */ if (!local_password_change(mach_acct, local_flags, NULL, err_str, -- cgit From 62d399f3cf588b8b2f31672111ac67034009ee78 Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Mon, 9 Jul 2001 18:25:40 +0000 Subject: add query user info level 20 (for RAS) add query dominfo level 5 some cleanup, don't free talloced memory. implement delete domain and local groups. J.F. (This used to be commit 3f14dda2a21850edfd540be2624867e5f70a382c) --- source3/rpc_server/srv_samr_nt.c | 217 +++++++++++++++++++++++++++++++++++---- 1 file changed, 195 insertions(+), 22 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 829218008d..95caa1dda8 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -181,14 +181,17 @@ static uint32 jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, int user_name_len; int full_name_len; - if (acb_mask != 0 && !(pdb_get_acct_ctrl(pwd) & acb_mask)) + if (acb_mask != 0 && !(pdb_get_acct_ctrl(pwd) & acb_mask)) { + pdb_reset_sam(pwd); continue; + } if (start_idx > 0) { /* skip the requested number of entries. not very efficient, but hey... */ start_idx--; + pdb_reset_sam(pwd); continue; } 
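Review bot: `all_string_sub(add_script, "%u", mach_acct, sizeof(mach_acct))` expands an account name that appears to come from the client's create-user request into a command line that is then passed to `smbrun()`, and all_string_sub() is, as far as I know, the substitution variant that does not filter shell metacharacters. Unless `mach_acct` is validated before this point (not visible in the hunk), the name should be restricted to the characters a machine account may contain, or the filtering `string_sub()` should be used. The length argument also describes the wrong buffer, since the string being rewritten is `add_script`: `string_sub(add_script, "%u", mach_acct, sizeof(add_script));`. `add_ret` is only logged; a non-zero result should probably stop the account from being added to the password database afterwards.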
@@ -671,6 +674,9 @@ static void make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR return; } + ZERO_STRUCTP(sam); + ZERO_STRUCTP(uni_name); + for (i = 0; i < num_sam_entries; i++) { int len = pass[i].uni_user_name.uni_str_len; @@ -793,7 +799,7 @@ static BOOL get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID /* well-known aliases */ if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) { - enum_group_mapping(SID_NAME_WKN_GRP, &map, &num_entries, ENUM_ONLY_MAPPED); + enum_group_mapping(SID_NAME_WKN_GRP, &map, &num_entries, ENUM_ALL_MAPPED); *d_grp=(DOMAIN_GRP *)talloc(ctx, num_entries*sizeof(DOMAIN_GRP)); if (*d_grp==NULL) @@ -877,6 +883,7 @@ static BOOL get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID fstrcpy((*d_grp)[num_entries].name, smap.nt_name); (*d_grp)[num_entries].rid = trid; num_entries++; + DEBUG(10,("get_group_alias_entries: added entry %d, rid:%d\n", num_entries, trid)); } grent_free(glist); 
@@ -884,32 +891,45 @@ static BOOL get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID *p_num_entries = num_entries; - return True; + DEBUG(10,("get_group_alias_entries: returning %d entries\n", *p_num_entries)); + + return NT_STATUS_NO_PROBLEMO; } /******************************************************************* Get the group entries - similar to get_sampwd_entries(). ********************************************************************/ -static BOOL get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, +static uint32 get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, uint32 *p_num_entries, uint32 max_entries) { GROUP_MAP *map=NULL; int i; + uint32 group_entries = 0; uint32 num_entries = 0; *p_num_entries = 0; - enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED); + enum_group_mapping(SID_NAME_DOM_GRP, &map, &group_entries, ENUM_ONLY_MAPPED); + + num_entries=group_entries-start_idx; + + /* limit the number of entries */ + if (num_entries>max_entries) { + DEBUG(5,("Limiting to %d entries\n", max_entries)); + num_entries=max_entries; + } *d_grp=(DOMAIN_GRP *)talloc(ctx, num_entries*sizeof(DOMAIN_GRP)); - if (*d_grp==NULL) - return False; + if (num_entries!=0 && *d_grp==NULL){ + safe_free(map); + return NT_STATUS_NO_MEMORY; + } for (i=0; imem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp); - safe_free(grp); - init_samr_r_enum_dom_groups(r_u, q_u->start_idx, num_entries); DEBUG(5,("samr_enum_dom_groups: %d\n", __LINE__)); 
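Review bot: `num_entries=group_entries-start_idx;` subtracts two `uint32` values, and `start_idx` is passed straight from `q_u->start_idx` by _samr_query_dispinfo, so a request whose start index exceeds the number of mapped groups wraps to a very large count that the following clamp reduces to `max_entries` rather than to zero. The copy loop is cut off on this page, but if it indexes `map` from `start_idx` it would then read past the end of the array returned by enum_group_mapping(). A guard before the subtraction avoids that: `if (start_idx >= group_entries) { safe_free(map); return NT_STATUS_NO_PROBLEMO; }`, with `*p_num_entries` already set to 0 above.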
@@ -973,12 +991,12 @@ uint32 _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAM sid_to_string(sid_str, &sid); DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", sid_str)); - if (!get_group_alias_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES)) + if (get_group_alias_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES)!=NT_STATUS_NO_PROBLEMO) return NT_STATUS_ACCESS_DENIED; make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp); - safe_free(grp); + /*safe_free(grp);*/ init_samr_r_enum_dom_aliases(r_u, q_u->start_idx, num_entries); @@ -1014,9 +1032,13 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ /* decide how many entries to get depending on the max_entries and max_size passed by client */ + DEBUG(5, ("samr_reply_query_dispinfo: max_entries before %d\n", q_u->max_entries)); + if(q_u->max_entries > MAX_SAM_ENTRIES) q_u->max_entries = MAX_SAM_ENTRIES; + DEBUG(5, ("samr_reply_query_dispinfo: max_entries after %d\n", q_u->max_entries)); + /* Get what we need from the password database */ switch (q_u->switch_level) { case 0x2: @@ -1095,7 +1117,6 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ if (!(ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_3)))) return NT_STATUS_NO_MEMORY; disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, &num_entries, &data_size, q_u->start_idx, grps); - safe_free(grps); if (disp_ret != NT_STATUS_NO_PROBLEMO) return disp_ret; break; @@ -1110,7 +1131,6 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ if (!(ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_5)))) return NT_STATUS_NO_MEMORY; disp_ret = init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, &num_entries, &data_size, q_u->start_idx, grps); - safe_free(grps); if (disp_ret != NT_STATUS_NO_PROBLEMO) return disp_ret; break; 
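Review bot: `get_group_alias_entries(...)!=NT_STATUS_NO_PROBLEMO` tests a status code, yet the hunk headers on this page still show the helper declared `static BOOL get_group_alias_entries(...)`; its return type should become `uint32` to match what it now returns. The caller also turns every failure, including the helper's NT_STATUS_NO_MEMORY, into NT_STATUS_ACCESS_DENIED; storing the result in `r_u->status` and returning it would keep the real cause. The disabled `/*safe_free(grp);*/` should be deleted rather than left commented out, since `grp` is now allocated from `p->mem_ctx`.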
@@ -1371,7 +1391,7 @@ static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, fstring nam uint32 _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP_RIDS *r_u) { fstring group_names[MAX_SAM_ENTRIES]; - uint32 group_attrs[MAX_SAM_ENTRIES]; + uint32 *group_attrs = NULL; UNIHDR *hdr_name = NULL; UNISTR2 *uni_name = NULL; DOM_SID pol_sid; @@ -1391,6 +1411,11 @@ uint32 _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP DEBUG(5,("_samr_lookup_rids: truncating entries to %d\n", num_rids)); } + if (num_rids) { + if ((group_attrs = (uint32 *)talloc(p->mem_ctx, num_rids * sizeof(uint32))) == NULL) + return NT_STATUS_NO_MEMORY; + } + r_u->status = NT_STATUS_NONE_MAPPED; for (i = 0; i < num_rids; i++) { @@ -1410,6 +1435,7 @@ uint32 _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP r_u->status = NT_STATUS_NOPROBLEMO; group_attrs[i] = (uint32)type; fstrcpy(group_names[i],tmpname); + DEBUG(5,("_samr_lookup_rids: %s:%d\n", group_names[i], group_attrs[i])); } } } @@ -1509,6 +1535,7 @@ static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) )); + ZERO_STRUCTP(id10); init_sam_user_info10(id10, pdb_get_acct_ctrl(smbpass) ); samr_clear_sam_passwd(smbpass); @@ -1554,6 +1581,7 @@ static uint32 get_user_info_12(pipes_struct *p, SAM_USER_INFO_12 * id12, uint32 return NT_STATUS_ACCOUNT_DISABLED; } + ZERO_STRUCTP(id12); init_sam_user_info12(id12, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass)); pdb_free_sam(smbpass); 
@@ -1561,6 +1589,44 @@ static uint32 get_user_info_12(pipes_struct *p, SAM_USER_INFO_12 * id12, uint32 return NT_STATUS_NOPROBLEMO; } +/************************************************************************* + get_user_info_20 + *************************************************************************/ + +static BOOL get_user_info_20(SAM_USER_INFO_20 *id20, uint32 user_rid) +{ + SAM_ACCOUNT *sampass=NULL; + BOOL ret; + + if (!pdb_rid_is_user(user_rid)) { + DEBUG(4,("RID 0x%x is not a user RID\n", user_rid)); + return False; + } + + pdb_init_sam(&sampass); + + become_root(); + ret = pdb_getsampwrid(sampass, user_rid); + unbecome_root(); + + if (ret == False) { + DEBUG(4,("User 0x%x not found\n", user_rid)); + pdb_free_sam(sampass); + return False; + } + + samr_clear_sam_passwd(sampass); + + DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) )); + + ZERO_STRUCTP(id20); + init_sam_user_info20A(id20, sampass); + + pdb_free_sam(sampass); + + return True; +} + /************************************************************************* get_user_info_21 *************************************************************************/ @@ -1591,6 +1657,7 @@ static BOOL get_user_info_21(SAM_USER_INFO_21 *id21, uint32 user_rid) DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) )); + ZERO_STRUCTP(id21); init_sam_user_info21A(id21, sampass); pdb_free_sam(sampass); @@ -1654,6 +1721,7 @@ uint32 _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_ (*ctr-> info. id11)); + ZERO_STRUCTP(ctr->info.id11); init_sam_user_info11(ctr->info.id11, &expire, "BROOKFIELDS$", /* name */ 0x03ef, /* user rid */ 
@@ -1673,6 +1741,14 @@ uint32 _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_ return r_u->status; break; + case 20: + ctr->info.id20 = (SAM_USER_INFO_20 *)talloc(p->mem_ctx,sizeof(SAM_USER_INFO_20)); + if (ctr->info.id20 == NULL) + return NT_STATUS_NO_MEMORY; + if (!get_user_info_20(ctr->info.id20, rid)) + return NT_STATUS_NO_SUCH_USER; + break; + case 21: ctr->info.id21 = (SAM_USER_INFO_21 *)talloc(p->mem_ctx,sizeof(SAM_USER_INFO_21)); if (ctr->info.id21 == NULL) @@ -1775,6 +1851,9 @@ uint32 _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR case 0x03: init_unk_info3(&ctr->info.inf3); break; + case 0x05: + init_unk_info5(&ctr->info.inf5, global_myname); + break; case 0x06: init_unk_info6(&ctr->info.inf6); break; 
@@ -2819,8 +2898,55 @@ uint32 _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAMR_ uint32 _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, SAMR_R_DELETE_DOM_GROUP *r_u) { - DEBUG(0,("_samr_delete_dom_group: Not yet implemented.\n")); - return False; + DOM_SID group_sid; + DOM_SID dom_sid; + uint32 group_rid; + fstring group_sid_str; + gid_t gid; + struct group *grp; + GROUP_MAP map; + + DEBUG(5, ("samr_delete_dom_group: %d\n", __LINE__)); + + /* Find the policy handle. Open a policy on it. */ + if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid)) + return NT_STATUS_INVALID_HANDLE; + + sid_copy(&dom_sid, &group_sid); + sid_to_string(group_sid_str, &dom_sid); + sid_split_rid(&dom_sid, &group_rid); + + DEBUG(10, ("sid is %s\n", group_sid_str)); + + /* we check if it's our SID before deleting */ + if (!sid_equal(&dom_sid, &global_sam_sid)) + return NT_STATUS_NO_SUCH_GROUP; + + DEBUG(10, ("lookup on Domain SID\n")); + + if(!get_domain_group_from_sid(group_sid, &map)) + return NT_STATUS_NO_SUCH_ALIAS; + + gid=map.gid; + + /* check if group really exists */ + if ( (grp=getgrgid(gid)) == NULL) + return NT_STATUS_NO_SUCH_GROUP; + + /* we can delete the UNIX group */ + smb_delete_group(grp->gr_name); + + /* check if the group has been successfully deleted */ + if ( (grp=getgrgid(gid)) != NULL) + return NT_STATUS_ACCESS_DENIED; + + if(!group_map_remove(group_sid)) + return NT_STATUS_ACCESS_DENIED; + + if (!close_policy_hnd(p, &q_u->group_pol)) + return NT_STATUS_OBJECT_NAME_INVALID; + + return NT_STATUS_NOPROBLEMO; } /********************************************************************* 
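Review bot: In _samr_delete_dom_group a failed `get_domain_group_from_sid()` returns `NT_STATUS_NO_SUCH_ALIAS`, which looks copied from the alias variant; it should be `return NT_STATUS_NO_SUCH_GROUP;`. Nothing visible in the hunk checks what access the handle in `q_u->group_pol` was opened with before `smb_delete_group()` is run, so the only gate on removing a UNIX group is whatever the delete script itself enforces; an explicit access check before that call would make the policy visible here. The handle is closed only on the success path, and if `group_map_remove()` fails after the UNIX group is gone the mapping is left pointing at a gid that no longer exists, which deserves at least a `DEBUG(0, ...)` line. The same access-check and handle remarks apply to the _samr_delete_dom_alias hunk that follows.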
@@ -2829,8 +2955,55 @@ uint32 _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, SAM uint32 _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, SAMR_R_DELETE_DOM_ALIAS *r_u) { - DEBUG(0,("_samr_delete_dom_alias: Not yet implemented.\n")); - return False; + DOM_SID alias_sid; + DOM_SID dom_sid; + uint32 alias_rid; + fstring alias_sid_str; + gid_t gid; + struct group *grp; + GROUP_MAP map; + + DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__)); + + /* Find the policy handle. Open a policy on it. */ + if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid)) + return NT_STATUS_INVALID_HANDLE; + + sid_copy(&dom_sid, &alias_sid); + sid_to_string(alias_sid_str, &dom_sid); + sid_split_rid(&dom_sid, &alias_rid); + + DEBUG(10, ("sid is %s\n", alias_sid_str)); + + /* we check if it's our SID before deleting */ + if (!sid_equal(&dom_sid, &global_sam_sid)) + return NT_STATUS_NO_SUCH_ALIAS; + + DEBUG(10, ("lookup on Local SID\n")); + + if(!get_local_group_from_sid(alias_sid, &map)) + return NT_STATUS_NO_SUCH_ALIAS; + + gid=map.gid; + + /* check if group really exists */ + if ( (grp=getgrgid(gid)) == NULL) + return NT_STATUS_NO_SUCH_ALIAS; + + /* we can delete the UNIX group */ + smb_delete_group(grp->gr_name); + + /* check if the group has been successfully deleted */ + if ( (grp=getgrgid(gid)) != NULL) + return NT_STATUS_ACCESS_DENIED; + + /* don't check if we removed it as it could be an un-mapped group */ + group_map_remove(alias_sid); + + if (!close_policy_hnd(p, &q_u->alias_pol)) + return NT_STATUS_OBJECT_NAME_INVALID; + + return NT_STATUS_NOPROBLEMO; } /********************************************************************* -- cgit From 3015fde98080ae0a1c4a4a68df552655a059742e Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Tue, 17 Jul 2001 02:26:04 +0000 Subject: Fix usermanager for domains - we were returning no memory when we should have been returning empty space at end of enumeration. Jeremy. (This used to be commit 175c6406925cbd798c3aa049912ab63802f44de4) --- source3/rpc_server/srv_samr_nt.c | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 95caa1dda8..b808d4c9d6 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1097,39 +1097,51 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ if (!(ctr = (SAM_DISPINFO_CTR *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_CTR)))) return NT_STATUS_NO_MEMORY; + ZERO_STRUCTP(ctr); + /* Now create reply structure */ switch (q_u->switch_level) { case 0x1: - if (!(ctr->sam.info1 = (SAM_DISPINFO_1 *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_1)))) - return NT_STATUS_NO_MEMORY; + if (num_entries) { + if (!(ctr->sam.info1 = (SAM_DISPINFO_1 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_1)))) + return NT_STATUS_NO_MEMORY; + } disp_ret = init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, &num_entries, &data_size, q_u->start_idx, pass); if (disp_ret != NT_STATUS_NO_PROBLEMO) return disp_ret; break; case 0x2: - if (!(ctr->sam.info2 = (SAM_DISPINFO_2 *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_2)))) - return NT_STATUS_NO_MEMORY; + if (num_entries) { + if (!(ctr->sam.info2 = (SAM_DISPINFO_2 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_2)))) + return NT_STATUS_NO_MEMORY; + } disp_ret = init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, &num_entries, &data_size, q_u->start_idx, pass); if (disp_ret != NT_STATUS_NO_PROBLEMO) return disp_ret; break; case 0x3: - if (!(ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_3)))) - return NT_STATUS_NO_MEMORY; + if (num_entries) { + if (!(ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_3)))) + return NT_STATUS_NO_MEMORY; + } disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, &num_entries, &data_size, q_u->start_idx, grps); if (disp_ret != NT_STATUS_NO_PROBLEMO) return disp_ret; break; case 0x4: - if (!(ctr->sam.info4 = (SAM_DISPINFO_4 *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_4)))) - return NT_STATUS_NO_MEMORY; + if (num_entries) { + if (!(ctr->sam.info4 = (SAM_DISPINFO_4 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_4)))) + return NT_STATUS_NO_MEMORY; + } disp_ret = init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, 
&num_entries, &data_size, q_u->start_idx, pass); if (disp_ret != NT_STATUS_NO_PROBLEMO) return disp_ret; break; case 0x5: - if (!(ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_5)))) - return NT_STATUS_NO_MEMORY; + if (num_entries) { + if (!(ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_5)))) + return NT_STATUS_NO_MEMORY; + } disp_ret = init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, &num_entries, &data_size, q_u->start_idx, grps); if (disp_ret != NT_STATUS_NO_PROBLEMO) return disp_ret; -- cgit From cdcf646c65f479ff25644cf1844c36ff76a24f3a Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 19 Jul 2001 07:44:59 +0000 Subject: #ifdef'ed out some unused functions. (This used to be commit ab5ccce2edd6118db0389701ff9e325ee1f818c7) --- source3/rpc_server/srv_samr_nt.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b808d4c9d6..680f5affc8 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -234,6 +234,8 @@ static uint32 jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, return NT_STATUS_NO_PROBLEMO; } +#if 0 /* This function appears to be unused! */ + /******************************************************************* This function uses the username map file and tries to map a UNIX user name to an DOS name. (Sort of the reverse of the @@ -313,6 +315,10 @@ static char *unmap_unixname(char *unix_user_name, int name_idx) return NULL; } +#endif /* Unused function */ + +#if 0 /* This function seems to be not used anywhere! */ + /******************************************************************* This function sets up a list of users taken from the list of users that UNIX knows about, as well as all the user names that 
@@ -481,6 +487,8 @@ done: return (*num_entries) > 0; } +#endif /* Unused function */ + /******************************************************************* _samr_close_hnd ********************************************************************/ -- cgit From a9ab7eaa5d023f0f6c2421f504f81988fd41467b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 23 Jul 2001 22:06:05 +0000 Subject: Fix case insensitive password change code. Fixed crash bug with un-zeroed talloced memory. Jeremy. (This used to be commit eea1c30df246e081e672d7132345d0fd35ad9841) --- source3/rpc_server/srv_samr_nt.c | 58 ++++++++++++++++++++-------------------- 1 file changed, 29 insertions(+), 29 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 680f5affc8..2e8338c530 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -673,9 +673,9 @@ static void make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR if (num_sam_entries == 0) return; - sam = (SAM_ENTRY *)talloc(ctx, sizeof(SAM_ENTRY)*num_sam_entries); + sam = (SAM_ENTRY *)talloc_zero(ctx, sizeof(SAM_ENTRY)*num_sam_entries); - uni_name = (UNISTR2 *)talloc(ctx, sizeof(UNISTR2)*num_sam_entries); + uni_name = (UNISTR2 *)talloc_zero(ctx, sizeof(UNISTR2)*num_sam_entries); if (sam == NULL || uni_name == NULL) { DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n")); @@ -763,9 +763,9 @@ static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNIST if (num_sam_entries == 0) return; - sam = (SAM_ENTRY *)talloc(ctx, sizeof(SAM_ENTRY)*num_sam_entries); + sam = (SAM_ENTRY *)talloc_zero(ctx, sizeof(SAM_ENTRY)*num_sam_entries); - uni_name = (UNISTR2 *)talloc(ctx, sizeof(UNISTR2)*num_sam_entries); + uni_name = (UNISTR2 *)talloc_zero(ctx, sizeof(UNISTR2)*num_sam_entries); if (sam == NULL || uni_name == NULL) { DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n")); 
@@ -809,7 +809,7 @@ static BOOL get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID enum_group_mapping(SID_NAME_WKN_GRP, &map, &num_entries, ENUM_ALL_MAPPED); - *d_grp=(DOMAIN_GRP *)talloc(ctx, num_entries*sizeof(DOMAIN_GRP)); + *d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP)); if (*d_grp==NULL) return NT_STATUS_NO_MEMORY; @@ -928,7 +928,7 @@ static uint32 get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_ num_entries=max_entries; } - *d_grp=(DOMAIN_GRP *)talloc(ctx, num_entries*sizeof(DOMAIN_GRP)); + *d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP)); if (num_entries!=0 && *d_grp==NULL){ safe_free(map); return NT_STATUS_NO_MEMORY; @@ -1102,7 +1102,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ data_size = q_u->max_size; - if (!(ctr = (SAM_DISPINFO_CTR *)talloc(p->mem_ctx,sizeof(SAM_DISPINFO_CTR)))) + if (!(ctr = (SAM_DISPINFO_CTR *)talloc_zero(p->mem_ctx,sizeof(SAM_DISPINFO_CTR)))) return NT_STATUS_NO_MEMORY; ZERO_STRUCTP(ctr); @@ -1111,7 +1111,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ switch (q_u->switch_level) { case 0x1: if (num_entries) { - if (!(ctr->sam.info1 = (SAM_DISPINFO_1 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_1)))) + if (!(ctr->sam.info1 = (SAM_DISPINFO_1 *)talloc_zero(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_1)))) return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, &num_entries, &data_size, q_u->start_idx, pass); 
@@ -1120,7 +1120,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ break; case 0x2: if (num_entries) { - if (!(ctr->sam.info2 = (SAM_DISPINFO_2 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_2)))) + if (!(ctr->sam.info2 = (SAM_DISPINFO_2 *)talloc_zero(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_2)))) return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, &num_entries, &data_size, q_u->start_idx, pass); @@ -1129,7 +1129,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ break; case 0x3: if (num_entries) { - if (!(ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_3)))) + if (!(ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc_zero(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_3)))) return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, &num_entries, &data_size, q_u->start_idx, grps); @@ -1138,7 +1138,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ break; case 0x4: if (num_entries) { - if (!(ctr->sam.info4 = (SAM_DISPINFO_4 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_4)))) + if (!(ctr->sam.info4 = (SAM_DISPINFO_4 *)talloc_zero(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_4)))) return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, &num_entries, &data_size, q_u->start_idx, pass); @@ -1147,7 +1147,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ break; case 0x5: if (num_entries) { - if (!(ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_5)))) + if (!(ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc_zero(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_5)))) return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, &num_entries, &data_size, q_u->start_idx, grps); 
@@ -1382,11 +1382,11 @@ static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, fstring nam *pp_hdr_name = NULL; if (num_names != 0) { - hdr_name = (UNIHDR *)talloc(ctx, sizeof(UNIHDR)*num_names); + hdr_name = (UNIHDR *)talloc_zero(ctx, sizeof(UNIHDR)*num_names); if (hdr_name == NULL) return False; - uni_name = (UNISTR2 *)talloc(ctx,sizeof(UNISTR2)*num_names); + uni_name = (UNISTR2 *)talloc_zero(ctx,sizeof(UNISTR2)*num_names); if (uni_name == NULL) return False; } @@ -1432,7 +1432,7 @@ uint32 _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP } if (num_rids) { - if ((group_attrs = (uint32 *)talloc(p->mem_ctx, num_rids * sizeof(uint32))) == NULL) + if ((group_attrs = (uint32 *)talloc_zero(p->mem_ctx, num_rids * sizeof(uint32))) == NULL) return NT_STATUS_NO_MEMORY; } @@ -1707,7 +1707,7 @@ uint32 _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_ DEBUG(5,("_samr_query_userinfo: rid:0x%x\n", rid)); - ctr = (SAM_USERINFO_CTR *)talloc(p->mem_ctx, sizeof(SAM_USERINFO_CTR)); + ctr = (SAM_USERINFO_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_USERINFO_CTR)); if (!ctr) return NT_STATUS_NO_MEMORY; @@ -1718,7 +1718,7 @@ uint32 _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_ switch (q_u->switch_value) { case 0x10: - ctr->info.id10 = (SAM_USER_INFO_10 *)talloc(p->mem_ctx, sizeof(SAM_USER_INFO_10)); + ctr->info.id10 = (SAM_USER_INFO_10 *)talloc_zero(p->mem_ctx, sizeof(SAM_USER_INFO_10)); if (ctr->info.id10 == NULL) return NT_STATUS_NO_MEMORY; @@ -1736,7 +1736,7 @@ uint32 _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_ expire.low = 0xffffffff; expire.high = 0x7fffffff; - ctr->info.id = (SAM_USER_INFO_11 *)talloc(p->mem_ctx, + ctr->info.id = (SAM_USER_INFO_11 *)talloc_zero(p->mem_ctx, sizeof (*ctr-> info. 
@@ -1753,7 +1753,7 @@ uint32 _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_ #endif case 0x12: - ctr->info.id12 = (SAM_USER_INFO_12 *)talloc(p->mem_ctx, sizeof(SAM_USER_INFO_12)); + ctr->info.id12 = (SAM_USER_INFO_12 *)talloc_zero(p->mem_ctx, sizeof(SAM_USER_INFO_12)); if (ctr->info.id12 == NULL) return NT_STATUS_NO_MEMORY; @@ -1762,7 +1762,7 @@ uint32 _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_ break; case 20: - ctr->info.id20 = (SAM_USER_INFO_20 *)talloc(p->mem_ctx,sizeof(SAM_USER_INFO_20)); + ctr->info.id20 = (SAM_USER_INFO_20 *)talloc_zero(p->mem_ctx,sizeof(SAM_USER_INFO_20)); if (ctr->info.id20 == NULL) return NT_STATUS_NO_MEMORY; if (!get_user_info_20(ctr->info.id20, rid)) @@ -1770,7 +1770,7 @@ uint32 _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_ break; case 21: - ctr->info.id21 = (SAM_USER_INFO_21 *)talloc(p->mem_ctx,sizeof(SAM_USER_INFO_21)); + ctr->info.id21 = (SAM_USER_INFO_21 *)talloc_zero(p->mem_ctx,sizeof(SAM_USER_INFO_21)); if (ctr->info.id21 == NULL) return NT_STATUS_NO_MEMORY; if (!get_user_info_21(ctr->info.id21, rid)) @@ -1847,7 +1847,7 @@ uint32 _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR { SAM_UNK_CTR *ctr; - if ((ctr = (SAM_UNK_CTR *)talloc(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL) + if ((ctr = (SAM_UNK_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL) return NT_STATUS_NO_MEMORY; ZERO_STRUCTP(ctr); @@ -2115,8 +2115,8 @@ static BOOL make_enum_domains(TALLOC_CTX *ctx, SAM_ENTRY **pp_sam, if (num_sam_entries == 0) return True; - sam = (SAM_ENTRY *)talloc(ctx, sizeof(SAM_ENTRY)*num_sam_entries); - uni_name = (UNISTR2 *)talloc(ctx, sizeof(UNISTR2)*num_sam_entries); + sam = (SAM_ENTRY *)talloc_zero(ctx, sizeof(SAM_ENTRY)*num_sam_entries); + uni_name = (UNISTR2 *)talloc_zero(ctx, sizeof(UNISTR2)*num_sam_entries); if (sam == NULL || uni_name == NULL) return False; 
@@ -2625,7 +2625,7 @@ uint32 _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, S int num_rids; num_rids = 1; - rid=(uint32 *)talloc(p->mem_ctx, num_rids*sizeof(uint32)); + rid=(uint32 *)talloc_zero(p->mem_ctx, num_rids*sizeof(uint32)); if (rid==NULL) return NT_STATUS_NO_MEMORY;
@@ -2685,7 +2685,7 @@ uint32 _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_ return NT_STATUS_NO_SUCH_ALIAS; DEBUG(10, ("sid is %s\n", alias_sid_str)); - sid = (DOM_SID2 *)talloc(p->mem_ctx, sizeof(DOM_SID2) * num_uids); + sid = (DOM_SID2 *)talloc_zero(p->mem_ctx, sizeof(DOM_SID2) * num_uids); if (num_uids!=0 && sid == NULL) return NT_STATUS_NO_MEMORY;
@@ -2744,8 +2744,8 @@ uint32 _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_ if(!get_uid_list_of_group(map.gid, &uid, &num_uids)) return NT_STATUS_NO_SUCH_GROUP; - rid=talloc(p->mem_ctx, sizeof(uint32)*num_uids); - attr=talloc(p->mem_ctx, sizeof(uint32)*num_uids); + rid=talloc_zero(p->mem_ctx, sizeof(uint32)*num_uids); + attr=talloc_zero(p->mem_ctx, sizeof(uint32)*num_uids); if (num_uids!=0 && (rid==NULL || attr==NULL)) return NT_STATUS_NO_MEMORY;
@@ -3160,7 +3160,7 @@ uint32 _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_ if (!get_domain_group_from_sid(group_sid, &map)) return NT_STATUS_INVALID_HANDLE; - ctr=(GROUP_INFO_CTR *)talloc(p->mem_ctx, sizeof(GROUP_INFO_CTR)); + ctr=(GROUP_INFO_CTR *)talloc_zero(p->mem_ctx, sizeof(GROUP_INFO_CTR)); if (ctr==NULL) return NT_STATUS_NO_MEMORY;
-- cgit
From 648528196ca136469d82b83cd2ba89b1b30290ae Mon Sep 17 00:00:00 2001
From: Tim Potter Date: Wed, 25 Jul 2001 06:42:05 +0000 Subject: Held a shoot-out between NT_STATUS_NO_PROBLEMO and NT_STATUS_NOPROBLEMO. According to the incorruptible judges find and grep, the latter won. Mmm - procrastination. (-: (This used to be commit 2e339403605177b15d5185a8fdd1b06f3f043168) --- source3/rpc_server/srv_samr_nt.c | 60 ++++++++++++++++++++-------------------- 1 file changed, 30 insertions(+), 30 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c')
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 2e8338c530..a4754beb52 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -151,7 +151,7 @@ static uint32 get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, if (not_finished) return STATUS_MORE_ENTRIES; else - return NT_STATUS_NO_PROBLEMO; + return NT_STATUS_NOPROBLEMO; } static uint32 jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx,
@@ -231,7 +231,7 @@ static uint32 jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, if (not_finished) return STATUS_MORE_ENTRIES; else - return NT_STATUS_NO_PROBLEMO; + return NT_STATUS_NOPROBLEMO; } #if 0 /* This function appears to be unused! */
@@ -901,7 +901,7 @@ static BOOL get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID DEBUG(10,("get_group_alias_entries: returning %d entries\n", *p_num_entries)); - return NT_STATUS_NO_PROBLEMO; + return NT_STATUS_NOPROBLEMO; } /*******************************************************************
@@ -945,7 +945,7 @@ static uint32 get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_ *p_num_entries = num_entries; - return NT_STATUS_NO_PROBLEMO; + return NT_STATUS_NOPROBLEMO; } /*******************************************************************
@@ -999,7 +999,7 @@ uint32 _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAM sid_to_string(sid_str, &sid); DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", sid_str)); - if (get_group_alias_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES)!=NT_STATUS_NO_PROBLEMO) + if (get_group_alias_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES)!=NT_STATUS_NOPROBLEMO) return NT_STATUS_ACCESS_DENIED; make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp); @@ -1071,7 +1071,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ MAX_SAM_ENTRIES, acb_mask); #endif unbecome_root(); - if (r_u->status!=STATUS_MORE_ENTRIES && r_u->status!=NT_STATUS_NO_PROBLEMO) { + if (r_u->status!=STATUS_MORE_ENTRIES && r_u->status!=NT_STATUS_NOPROBLEMO) { DEBUG(5, ("get_sampwd_entries: failed\n")); return r_u->status; } @@ -1079,7 +1079,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ case 0x3: case 0x5: r_u->status = get_group_domain_entries(p->mem_ctx, &grps, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES); - if (r_u->status != NT_STATUS_NO_PROBLEMO) + if (r_u->status != NT_STATUS_NOPROBLEMO) return NT_STATUS_ACCESS_DENIED; break; default: @@ -1115,7 +1115,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, &num_entries, &data_size, q_u->start_idx, pass); - if (disp_ret != NT_STATUS_NO_PROBLEMO) + if (disp_ret != NT_STATUS_NOPROBLEMO) return disp_ret; break; case 0x2: 
@@ -1124,7 +1124,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, &num_entries, &data_size, q_u->start_idx, pass); - if (disp_ret != NT_STATUS_NO_PROBLEMO) + if (disp_ret != NT_STATUS_NOPROBLEMO) return disp_ret; break; case 0x3: @@ -1133,7 +1133,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, &num_entries, &data_size, q_u->start_idx, grps); - if (disp_ret != NT_STATUS_NO_PROBLEMO) + if (disp_ret != NT_STATUS_NOPROBLEMO) return disp_ret; break; case 0x4: @@ -1142,7 +1142,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, &num_entries, &data_size, q_u->start_idx, pass); - if (disp_ret != NT_STATUS_NO_PROBLEMO) + if (disp_ret != NT_STATUS_NOPROBLEMO) return disp_ret; break; case 0x5: @@ -1151,7 +1151,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, &num_entries, &data_size, q_u->start_idx, grps); - if (disp_ret != NT_STATUS_NO_PROBLEMO) + if (disp_ret != NT_STATUS_NOPROBLEMO) return disp_ret; break; default: @@ -1484,7 +1484,7 @@ uint32 _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_U struct samr_info *info = NULL; BOOL ret; - r_u->status = NT_STATUS_NO_PROBLEMO; + r_u->status = NT_STATUS_NOPROBLEMO; /* find the domain policy handle. */ if (!find_policy_by_hnd(p, &domain_pol, NULL)) 
@@ -1695,7 +1695,7 @@ uint32 _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_ uint32 rid = 0; struct samr_info *info = NULL; - r_u->status=NT_STATUS_NO_PROBLEMO; + r_u->status=NT_STATUS_NOPROBLEMO; /* search for the handle */ if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) @@ -1802,7 +1802,7 @@ uint32 _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAM struct samr_info *info = NULL; BOOL ret; - r_u->status = NT_STATUS_NO_PROBLEMO; + r_u->status = NT_STATUS_NOPROBLEMO; DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); @@ -1852,7 +1852,7 @@ uint32 _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR ZERO_STRUCTP(ctr); - r_u->status = NT_STATUS_NO_PROBLEMO; + r_u->status = NT_STATUS_NOPROBLEMO; DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); @@ -2021,7 +2021,7 @@ uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CR pdb_free_sam(sam_pass); - return NT_STATUS_NO_PROBLEMO; + return NT_STATUS_NOPROBLEMO; } /******************************************************************* @@ -2034,7 +2034,7 @@ uint32 _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CONN /* set up the SAMR connect_anon response */ - r_u->status = NT_STATUS_NO_PROBLEMO; + r_u->status = NT_STATUS_NOPROBLEMO; /* associate the user's SID with the new handle. */ if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) @@ -2060,7 +2060,7 @@ uint32 _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u) DEBUG(5,("_samr_connect: %d\n", __LINE__)); - r_u->status = NT_STATUS_NO_PROBLEMO; + r_u->status = NT_STATUS_NOPROBLEMO; /* associate the user's SID with the new handle. */ if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) 
@@ -2084,7 +2084,7 @@ uint32 _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u) uint32 _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_LOOKUP_DOMAIN *r_u) { - r_u->status = NT_STATUS_NO_PROBLEMO; + r_u->status = NT_STATUS_NOPROBLEMO; if (!find_policy_by_hnd(p, &q_u->connect_pol, NULL)) return NT_STATUS_INVALID_HANDLE; @@ -2143,7 +2143,7 @@ uint32 _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_ENUM uint32 num_entries = 2; fstring dom[2]; - r_u->status = NT_STATUS_NO_PROBLEMO; + r_u->status = NT_STATUS_NOPROBLEMO; fstrcpy(dom[0],global_myworkgroup); fstrcpy(dom[1],"Builtin"); @@ -2168,7 +2168,7 @@ uint32 _api_samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN POLICY_HND *alias_pol = &r_u->pol; struct samr_info *info = NULL; - r_u->status = NT_STATUS_NO_PROBLEMO; + r_u->status = NT_STATUS_NOPROBLEMO; /* get the domain policy. */ if (!find_policy_by_hnd(p, &domain_pol, NULL)) @@ -2633,9 +2633,9 @@ uint32 _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, S rid[0] = BUILTIN_ALIAS_RID_USERS; - init_samr_r_query_useraliases(r_u, num_rids, rid, NT_STATUS_NO_PROBLEMO); + init_samr_r_query_useraliases(r_u, num_rids, rid, NT_STATUS_NOPROBLEMO); - return NT_STATUS_NO_PROBLEMO; + return NT_STATUS_NOPROBLEMO; } @@ -2697,7 +2697,7 @@ uint32 _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_ } DEBUG(10, ("sid is %s\n", alias_sid_str)); - init_samr_r_query_aliasmem(r_u, num_uids, sid, NT_STATUS_NO_PROBLEMO); + init_samr_r_query_aliasmem(r_u, num_uids, sid, NT_STATUS_NOPROBLEMO); return NT_STATUS_NOPROBLEMO; } 
@@ -3180,9 +3180,9 @@ uint32 _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_ return NT_STATUS_INVALID_INFO_CLASS; } - init_samr_r_query_groupinfo(r_u, ctr, NT_STATUS_NO_PROBLEMO); + init_samr_r_query_groupinfo(r_u, ctr, NT_STATUS_NOPROBLEMO); - return NT_STATUS_NO_PROBLEMO; + return NT_STATUS_NOPROBLEMO; } /********************************************************************* @@ -3219,7 +3219,7 @@ uint32 _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SE if(!add_mapping_entry(&map, TDB_REPLACE)) return NT_STATUS_NO_SUCH_GROUP; - return NT_STATUS_NO_PROBLEMO; + return NT_STATUS_NOPROBLEMO; } /********************************************************************* @@ -3253,7 +3253,7 @@ uint32 _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_SE if(!add_mapping_entry(&map, TDB_REPLACE)) return NT_STATUS_NO_SUCH_GROUP; - return NT_STATUS_NO_PROBLEMO; + return NT_STATUS_NOPROBLEMO; } /********************************************************************* @@ -3303,7 +3303,7 @@ uint32 _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_GRO if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - return NT_STATUS_NO_PROBLEMO; + return NT_STATUS_NOPROBLEMO; } /********************************************************************* -- cgit From f8d3cac8af0185eca2995e524c62f064ab9b4017 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 9 Aug 2001 15:53:49 +0000 Subject: a few cleanups while mergeing the passdb code into 2.2 (This used to be commit ef01739708479c43f529c646dd136ee5670b08f9) --- source3/rpc_server/srv_samr_nt.c | 43 ++++++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 21 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index a4754beb52..d617dd9809 100644 --- a/source3/rpc_server/srv_samr_nt.c 
+++ b/source3/rpc_server/srv_samr_nt.c @@ -109,26 +109,27 @@ static uint32 get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, return NT_STATUS_ACCESS_DENIED; } - while (((not_finished = pdb_getsampwent(pwd)) != False) && (*num_entries) < max_num_entries) { - int user_name_len; - - if (start_idx > 0) { - /* skip the requested number of entries. - not very efficient, but hey... - */ - start_idx--; - continue; + while (((not_finished = pdb_getsampwent(pwd)) != False) + && (*num_entries) < max_num_entries) + { + int user_name_len; + + if (start_idx > 0) { + /* skip the requested number of entries. + not very efficient, but hey... */ + start_idx--; + continue; } - user_name_len = strlen(pdb_get_username(pwd))+1; - init_unistr2(&pw_buf[(*num_entries)].uni_user_name, pdb_get_username(pwd), user_name_len); - init_uni_hdr(&pw_buf[(*num_entries)].hdr_user_name, user_name_len); - pw_buf[(*num_entries)].user_rid = pwd->user_rid; - memset((char *)pw_buf[(*num_entries)].nt_pwd, '\0', 16); + user_name_len = strlen(pdb_get_username(pwd))+1; + init_unistr2(&pw_buf[(*num_entries)].uni_user_name, pdb_get_username(pwd), user_name_len); + init_uni_hdr(&pw_buf[(*num_entries)].hdr_user_name, user_name_len); + pw_buf[(*num_entries)].user_rid = pwd->user_rid; + memset((char *)pw_buf[(*num_entries)].nt_pwd, '\0', 16); /* Now check if the NT compatible password is available. */ if (pdb_get_nt_passwd(pwd)) - memcpy( pw_buf[(*num_entries)].nt_pwd , pdb_get_nt_passwd(pwd), 16); + memcpy( pw_buf[(*num_entries)].nt_pwd , pdb_get_nt_passwd(pwd), 16); pw_buf[(*num_entries)].acb_info = pdb_get_acct_ctrl(pwd); 
@@ -136,14 +137,14 @@ static uint32 get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, (*num_entries), pdb_get_username(pwd), pdb_get_user_rid(pwd), pdb_get_acct_ctrl(pwd) )); if (acb_mask == 0 || (pwd->acct_ctrl & acb_mask)) { - DEBUG(5,(" acb_mask %x accepts\n", acb_mask)); - (*num_entries)++; + DEBUG(5,(" acb_mask %x accepts\n", acb_mask)); + (*num_entries)++; } else - DEBUG(5,(" acb_mask %x rejects\n", acb_mask)); + DEBUG(5,(" acb_mask %x rejects\n", acb_mask)); - (*total_entries)++; - } + (*total_entries)++; + } pdb_endsampwent(); pdb_free_sam(pwd); @@ -1794,7 +1795,7 @@ uint32 _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_ uint32 _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u) { - struct sam_passwd *sam_pass=NULL; + SAM_ACCOUNT *sam_pass=NULL; DOM_GID *gids = NULL; int num_groups = 0; pstring groups; -- cgit From 717533483b41ef975953f58e0c6be04828a3d467 Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Fri, 24 Aug 2001 20:32:01 +0000 Subject: get rid of compiler warnings (This used to be commit 0768991d04ea03e774ca8662c9cae5e1951b88e0) --- source3/rpc_server/srv_samr_nt.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d617dd9809..a81b026c65 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -808,7 +808,7 @@ static BOOL get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID /* well-known aliases */ if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) { - enum_group_mapping(SID_NAME_WKN_GRP, &map, &num_entries, ENUM_ALL_MAPPED); + enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ALL_MAPPED); *d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP)); if (*d_grp==NULL) 
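Review bot: The `(int *)&num_entries` cast in get_group_alias_entries silences the warning but leaves the type mismatch in place: enum_group_mapping writes an int through a pointer to what is presumably a uint32, and that value goes straight into `num_entries*sizeof(DOMAIN_GRP)` on the next line. The call's result is not checked in the visible lines either, so if enum_group_mapping can fail or report a negative count, the allocation size is taken from a bad value. Passing a properly typed local, `int n_mapped = 0;` with `&n_mapped` as the argument, rejecting `n_mapped < 0`, and only then assigning to num_entries would remove the cast instead of hiding the problem. The get_group_domain_entries hunk applies the same cast to group_entries, and the function continues outside this hunk.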
@@ -919,7 +919,7 @@ static uint32 get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_ *p_num_entries = 0; - enum_group_mapping(SID_NAME_DOM_GRP, &map, &group_entries, ENUM_ONLY_MAPPED); + enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED); num_entries=group_entries-start_idx; @@ -2523,7 +2523,7 @@ uint32 _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_ dump_data(100, (char *)ctr->info.id24->pass, 516); - if (!set_user_info_pw(ctr->info.id24->pass, rid)) + if (!set_user_info_pw((char *)ctr->info.id24->pass, rid)) return NT_STATUS_ACCESS_DENIED; break; -- cgit From 3820578473da81b7ae0dfa978605da809be59f62 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 27 Aug 2001 03:56:09 +0000 Subject: As per plug-fest discussions this paramater no longer defaults to the value of add user script. (This used to be commit 9e0c9a99f6ca01cd6a0ee3084f85e1c36b11d7c3) --- source3/rpc_server/srv_samr_nt.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index a81b026c65..ba59aa548c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1962,10 +1962,6 @@ uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CR pstrcpy(add_script, lp_addmachine_script()); - if (!*add_script) { - pstrcpy(add_script, lp_adduser_script()); - } - if(*add_script) { int add_ret; all_string_sub(add_script, "%u", mach_acct, sizeof(mach_acct)); -- cgit From b031af348c7dcc8c74bf49945211c466b8eca079 Mon Sep 17 00:00:00 2001 
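Review bot: `num_entries=group_entries-start_idx;` directly after the changed call in get_group_domain_entries is an unchecked subtraction: start_idx is a uint32 parameter, and if it exceeds the number of mapped groups the result wraps to a very large count rather than zero (assuming both operands are unsigned, which the new cast suggests). Whether a later clamp in the part of the function outside this hunk catches that is not visible. An explicit guard before the subtraction, `if (start_idx >= group_entries) return NT_STATUS_NOPROBLEMO;`, would cover the empty case, since `*p_num_entries` has already been set to 0 above; any cleanup of `map` would need to happen on that path as well.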
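Review bot: The context line `dump_data(100, (char *)ctr->info.id24->pass, 516);` in _samr_set_userinfo writes the whole 516-byte password buffer from the request into the debug log just before set_user_info_pw() consumes it. Even at debug level 100, and even if the buffer is still encrypted at this point (not visible here), putting credential material in a log file widens the set of people and processes that can read it. I would drop the dump or replace it with a line that records only the event, for example `DEBUG(10,("_samr_set_userinfo: id24 password buffer received\n"));`. The switch this case belongs to starts and ends outside the hunk.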
From: Andrew Tridgell Date: Mon, 27 Aug 2001 19:46:22 +0000 Subject: converted another bunch of stuff to NTSTATUS (This used to be commit 1d36250e338ae0ff9fbbf86019809205dd97d05e) --- source3/rpc_server/srv_samr_nt.c | 254 ++++++++++++++++++++------------------- 1 file changed, 128 insertions(+), 126 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c')
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index ba59aa548c..dce082d31d 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -88,7 +88,7 @@ static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass) dynamically returns the correct user info..... JRA. ********************************************************************/ -static uint32 get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, +static NTSTATUS get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, int *total_entries, int *num_entries, int max_num_entries, uint16 acb_mask) {
@@ -152,10 +152,10 @@ static uint32 get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, if (not_finished) return STATUS_MORE_ENTRIES; else - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } -static uint32 jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, +static NTSTATUS jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, int *total_entries, uint32 *num_entries, int max_num_entries, uint16 acb_mask) {
@@ -232,7 +232,7 @@ static uint32 jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, if (not_finished) return STATUS_MORE_ENTRIES; else - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } #if 0 /* This function appears to be unused! */
@@ -494,9 +494,9 @@ done: _samr_close_hnd ********************************************************************/ -uint32 _samr_close_hnd(pipes_struct *p, SAMR_Q_CLOSE_HND *q_u, SAMR_R_CLOSE_HND *r_u) +NTSTATUS _samr_close_hnd(pipes_struct *p, SAMR_Q_CLOSE_HND *q_u, SAMR_R_CLOSE_HND *r_u) { - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; /* close the policy handle */ if (!close_policy_hnd(p, &q_u->pol)) @@ -511,11 +511,11 @@ uint32 _samr_close_hnd(pipes_struct *p, SAMR_Q_CLOSE_HND *q_u, SAMR_R_CLOSE_HND samr_reply_open_domain ********************************************************************/ -uint32 _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN_DOMAIN *r_u) +NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN_DOMAIN *r_u) { struct samr_info *info; - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; /* find the connection policy handle. */ if (!find_policy_by_hnd(p, &q_u->pol, NULL)) @@ -540,8 +540,8 @@ uint32 _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN_D static uint32 get_lsa_policy_samr_rid(struct samr_info *info) { if (!info) { - DEBUG(3,("Error getting policy\n")); - return 0xffffffff; + DEBUG(3,("Error getting policy\n")); + return 0xffffffff; } return info->sid.sub_auths[info->sid.num_auths-1]; @@ -551,11 +551,11 @@ static uint32 get_lsa_policy_samr_rid(struct samr_info *info) _samr_get_usrdom_pwinfo ********************************************************************/ -uint32 _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, SAMR_R_GET_USRDOM_PWINFO *r_u) +NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, SAMR_R_GET_USRDOM_PWINFO *r_u) { struct samr_info *info = NULL; - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; /* find the policy handle. open a policy on it. */ if (!find_policy_by_hnd(p, &q_u->user_pol, (void **)&info)) { 
@@ -567,7 +567,7 @@ uint32 _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, S return NT_STATUS_OBJECT_TYPE_MISMATCH; } - init_samr_r_get_usrdom_pwinfo(r_u, NT_STATUS_NOPROBLEMO); + init_samr_r_get_usrdom_pwinfo(r_u, NT_STATUS_OK); DEBUG(5,("_samr_get_usrdom_pwinfo: %d\n", __LINE__)); @@ -578,7 +578,7 @@ uint32 _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, S samr_make_usr_obj_sd ********************************************************************/ -static uint32 samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC_BUF **buf, DOM_SID *usr_sid) +static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC_BUF **buf, DOM_SID *usr_sid) { extern DOM_SID global_sid_World; DOM_SID adm_sid; @@ -616,7 +616,7 @@ static uint32 samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC_BUF **buf, DOM_SID if((*buf = make_sec_desc_buf(ctx, sd_size, psd)) == NULL) return NT_STATUS_NO_MEMORY; - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } static BOOL get_lsa_policy_samr_sid(pipes_struct *p, POLICY_HND *pol, DOM_SID *sid) @@ -638,11 +638,11 @@ static BOOL get_lsa_policy_samr_sid(pipes_struct *p, POLICY_HND *pol, DOM_SID *s _samr_query_sec_obj ********************************************************************/ -uint32 _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_QUERY_SEC_OBJ *r_u) +NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_QUERY_SEC_OBJ *r_u) { DOM_SID pol_sid; - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; /* Get the SID. */ @@ -651,7 +651,7 @@ uint32 _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_QU r_u->status = samr_make_usr_obj_sd(p->mem_ctx, &r_u->buf, &pol_sid); - if (r_u->status == NT_STATUS_NOPROBLEMO) + if (NT_STATUS_IS_OK(r_u->status)) r_u->ptr = 1; return r_u->status; 
@@ -701,13 +701,13 @@ static void make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR samr_reply_enum_dom_users ********************************************************************/ -uint32 _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, SAMR_R_ENUM_DOM_USERS *r_u) +NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, SAMR_R_ENUM_DOM_USERS *r_u) { SAM_USER_INFO_21 pass[MAX_SAM_ENTRIES]; int num_entries = 0; int total_entries = 0; - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; /* find the policy handle. open a policy on it. */ if (!find_policy_by_hnd(p, &q_u->pol, NULL)) @@ -720,7 +720,7 @@ uint32 _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, SAMR_R_ MAX_SAM_ENTRIES, q_u->acb_mask); unbecome_root(); - if (r_u->status != NT_STATUS_NOPROBLEMO && r_u->status != STATUS_MORE_ENTRIES) + if (NT_STATUS_IS_ERR(r_u->status)) return r_u->status; samr_clear_passwd_fields(pass, num_entries); @@ -791,7 +791,7 @@ static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNIST Get the group entries - similar to get_sampwd_entries(). ********************************************************************/ -static BOOL get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, +static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, uint32 *p_num_entries, uint32 max_entries) { fstring sid_str; 
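Review bot: In _samr_enum_dom_users the new `NT_STATUS_IS_ERR(r_u->status)` test matches the two comparisons it replaces only if the macro classifies STATUS_MORE_ENTRIES as a non-error, and the macro's definition is not part of this diff. It also changes what happens to any other value that is neither OK nor an error: such a status used to return early and now falls through to samr_clear_passwd_fields() and the reply. A short comment at this first use, e.g. `/* STATUS_MORE_ENTRIES is a success-class code: carry on and return the partial list */`, would record the intent. The same substitution is made in the _samr_query_dispinfo hunks further down.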
@@ -902,14 +902,14 @@ static BOOL get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID DEBUG(10,("get_group_alias_entries: returning %d entries\n", *p_num_entries)); - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /******************************************************************* Get the group entries - similar to get_sampwd_entries(). ********************************************************************/ -static uint32 get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, +static NTSTATUS get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, uint32 *p_num_entries, uint32 max_entries) { GROUP_MAP *map=NULL; @@ -946,7 +946,7 @@ static uint32 get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_ *p_num_entries = num_entries; - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /******************************************************************* @@ -955,13 +955,13 @@ static uint32 get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_ a real PDC. JRA. ********************************************************************/ -uint32 _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_R_ENUM_DOM_GROUPS *r_u) +NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_R_ENUM_DOM_GROUPS *r_u) { DOMAIN_GRP *grp=NULL; uint32 num_entries; DOM_SID sid; - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid)) return NT_STATUS_INVALID_HANDLE; 
@@ -985,14 +985,15 @@ uint32 _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_ samr_reply_enum_dom_aliases ********************************************************************/ -uint32 _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAMR_R_ENUM_DOM_ALIASES *r_u) +NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAMR_R_ENUM_DOM_ALIASES *r_u) { DOMAIN_GRP *grp=NULL; uint32 num_entries = 0; fstring sid_str; DOM_SID sid; + NTSTATUS status; - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid)) return NT_STATUS_INVALID_HANDLE; @@ -1000,8 +1001,9 @@ uint32 _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAM sid_to_string(sid_str, &sid); DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", sid_str)); - if (get_group_alias_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES)!=NT_STATUS_NOPROBLEMO) - return NT_STATUS_ACCESS_DENIED; + status = get_group_alias_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, + &num_entries, MAX_SAM_ENTRIES); + if (NT_STATUS_IS_ERR(status)) return status; make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp); @@ -1018,7 +1020,7 @@ uint32 _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAM samr_reply_query_dispinfo ********************************************************************/ -uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_QUERY_DISPINFO *r_u) +NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_QUERY_DISPINFO *r_u) { SAM_USER_INFO_21 pass[MAX_SAM_ENTRIES]; DOMAIN_GRP *grps=NULL; 
@@ -1028,12 +1030,12 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ int total_entries = 0; uint32 data_size = 0; DOM_SID sid; - uint32 disp_ret; + NTSTATUS disp_ret; SAM_DISPINFO_CTR *ctr; DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__)); - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid)) return NT_STATUS_INVALID_HANDLE; @@ -1072,7 +1074,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ MAX_SAM_ENTRIES, acb_mask); #endif unbecome_root(); - if (r_u->status!=STATUS_MORE_ENTRIES && r_u->status!=NT_STATUS_NOPROBLEMO) { + if (NT_STATUS_IS_ERR(r_u->status)) { DEBUG(5, ("get_sampwd_entries: failed\n")); return r_u->status; } @@ -1080,8 +1082,8 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ case 0x3: case 0x5: r_u->status = get_group_domain_entries(p->mem_ctx, &grps, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES); - if (r_u->status != NT_STATUS_NOPROBLEMO) - return NT_STATUS_ACCESS_DENIED; + if (NT_STATUS_IS_ERR(r_u->status)) + return r_u->status; break; default: DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n", (unsigned int)q_u->switch_level )); @@ -1116,7 +1118,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, &num_entries, &data_size, q_u->start_idx, pass); - if (disp_ret != NT_STATUS_NOPROBLEMO) + if (NT_STATUS_IS_ERR(disp_ret)) return disp_ret; break; case 0x2: @@ -1125,7 +1127,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, &num_entries, &data_size, q_u->start_idx, pass); - if (disp_ret != NT_STATUS_NOPROBLEMO) + if (NT_STATUS_IS_ERR(disp_ret)) return disp_ret; break; case 0x3: 
@@ -1134,7 +1136,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, &num_entries, &data_size, q_u->start_idx, grps); - if (disp_ret != NT_STATUS_NOPROBLEMO) + if (NT_STATUS_IS_ERR(disp_ret)) return disp_ret; break; case 0x4: @@ -1143,7 +1145,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, &num_entries, &data_size, q_u->start_idx, pass); - if (disp_ret != NT_STATUS_NOPROBLEMO) + if (NT_STATUS_IS_ERR(disp_ret)) return disp_ret; break; case 0x5: @@ -1152,7 +1154,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, &num_entries, &data_size, q_u->start_idx, grps); - if (disp_ret != NT_STATUS_NOPROBLEMO) + if (NT_STATUS_IS_ERR(disp_ret)) return disp_ret; break; default: @@ -1174,7 +1176,7 @@ uint32 _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_ samr_reply_query_aliasinfo ********************************************************************/ -uint32 _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_R_QUERY_ALIASINFO *r_u) +NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_R_QUERY_ALIASINFO *r_u) { fstring alias_desc = "Local Unix group"; fstring alias=""; @@ -1182,7 +1184,7 @@ uint32 _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_ uint32 alias_rid; struct samr_info *info = NULL; - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__)); 
@@ -1222,7 +1224,7 @@ uint32 _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_ uint32 rid[MAX_SAM_ENTRIES]; int num_rids = q_u->num_sids1; - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__)); @@ -1264,7 +1266,7 @@ uint32 _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_ num_rids = 1; rid[0] = BUILTIN_ALIAS_RID_USERS; - init_samr_r_lookup_ids(&r_u, num_rids, rid, NT_STATUS_NOPROBLEMO); + init_samr_r_lookup_ids(&r_u, num_rids, rid, NT_STATUS_OK); DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__)); @@ -1276,7 +1278,7 @@ uint32 _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_ _samr_lookup_names ********************************************************************/ -uint32 _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOKUP_NAMES *r_u) +NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOKUP_NAMES *r_u) { uint32 rid[MAX_SAM_ENTRIES]; enum SID_NAME_USE type[MAX_SAM_ENTRIES]; @@ -1284,7 +1286,7 @@ uint32 _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOK int num_rids = q_u->num_names2; DOM_SID pol_sid; - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; DEBUG(5,("_samr_lookup_names: %d\n", __LINE__)); @@ -1315,7 +1317,7 @@ uint32 _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOK DOM_SID sid; if(local_lookup_name(global_myname, name, &sid, &type[i])) { sid_split_rid( &sid, &rid[i]); - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; } } } 
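Review bot: The declarations next to the changed lines in the _samr_lookup_ids and _samr_lookup_names hunks pair fixed-size stack arrays, `uint32 rid[MAX_SAM_ENTRIES]` and `enum SID_NAME_USE type[MAX_SAM_ENTRIES]`, with a signed count copied from the request (`int num_rids = q_u->num_sids1;` and `int num_rids = q_u->num_names2;`). Any clamp lies outside these hunks; if it is a signed `num_rids > MAX_SAM_ENTRIES` comparison, a request value that is presumably unsigned and above INT_MAX becomes negative and passes it. Declaring the count as uint32 and bounding it right after the assignment, `if (num_rids > MAX_SAM_ENTRIES) num_rids = MAX_SAM_ENTRIES;`, would keep every `rid[i]` and `type[i]` write demonstrably in range. The _samr_lookup_rids hunk (`num_rids1`, with `group_names[MAX_SAM_ENTRIES]`) has the same shape.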
@@ -1331,14 +1333,14 @@ uint32 _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOK _samr_chgpasswd_user ********************************************************************/ -uint32 _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_CHGPASSWD_USER *r_u) +NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_CHGPASSWD_USER *r_u) { fstring user_name; fstring wks; DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__)); - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0); rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len,0); @@ -1409,7 +1411,7 @@ static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, fstring nam _samr_lookup_rids ********************************************************************/ -uint32 _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP_RIDS *r_u) +NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP_RIDS *r_u) { fstring group_names[MAX_SAM_ENTRIES]; uint32 *group_attrs = NULL; @@ -1419,7 +1421,7 @@ uint32 _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP int num_rids = q_u->num_rids1; int i; - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__)); @@ -1453,7 +1455,7 @@ uint32 _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP sid_append_rid(&sid, q_u->rid[i]); if (lookup_sid(&sid, domname, tmpname, &type)) { - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; group_attrs[i] = (uint32)type; fstrcpy(group_names[i],tmpname); DEBUG(5,("_samr_lookup_rids: %s:%d\n", group_names[i], group_attrs[i])); 
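Review bot: In the `@@ -1331,14` hunk of `_samr_chgpasswd_user`, the two `rpcstr_pull` calls kept as context pass different source lengths: `q_u->uni_user_name.uni_str_len*2` for the user name but plain `q_u->uni_dest_host.uni_str_len` for the workstation. If `uni_str_len` counts UCS-2 characters, as the `*2` on the first call suggests, the second call converts only half of the workstation name. `rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len*2, 0);` would make the two agree. The function body continues outside the hunk, so how `wks` is used afterwards is not visible here.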
@@ -1475,7 +1477,7 @@ uint32 _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP _api_samr_open_user. Safe - gives out no passwd info. ********************************************************************/ -uint32 _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USER *r_u) +NTSTATUS _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USER *r_u) { SAM_ACCOUNT *sampass=NULL; DOM_SID sid; @@ -1485,7 +1487,7 @@ uint32 _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_U struct samr_info *info = NULL; BOOL ret; - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; /* find the domain policy handle. */ if (!find_policy_by_hnd(p, &domain_pol, NULL)) @@ -1571,7 +1573,7 @@ static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) user. JRA. *************************************************************************/ -static uint32 get_user_info_12(pipes_struct *p, SAM_USER_INFO_12 * id12, uint32 user_rid) +static NTSTATUS get_user_info_12(pipes_struct *p, SAM_USER_INFO_12 * id12, uint32 user_rid) { SAM_ACCOUNT *smbpass=NULL; BOOL ret; @@ -1607,7 +1609,7 @@ static uint32 get_user_info_12(pipes_struct *p, SAM_USER_INFO_12 * id12, uint32 pdb_free_sam(smbpass); - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /************************************************************************* 
@@ -1690,13 +1692,13 @@ static BOOL get_user_info_21(SAM_USER_INFO_21 *id21, uint32 user_rid) _samr_query_userinfo ********************************************************************/ -uint32 _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_QUERY_USERINFO *r_u) +NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_QUERY_USERINFO *r_u) { SAM_USERINFO_CTR *ctr; uint32 rid = 0; struct samr_info *info = NULL; - r_u->status=NT_STATUS_NOPROBLEMO; + r_u->status=NT_STATUS_OK; /* search for the handle */ if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) @@ -1758,7 +1760,7 @@ uint32 _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_ if (ctr->info.id12 == NULL) return NT_STATUS_NO_MEMORY; - if ((r_u->status = get_user_info_12(p, ctr->info.id12, rid)) != NT_STATUS_NOPROBLEMO) + if (NT_STATUS_IS_ERR(r_u->status = get_user_info_12(p, ctr->info.id12, rid))) return r_u->status; break; @@ -1793,7 +1795,7 @@ uint32 _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_ samr_reply_query_usergroups ********************************************************************/ -uint32 _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u) +NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u) { SAM_ACCOUNT *sam_pass=NULL; DOM_GID *gids = NULL; @@ -1803,7 +1805,7 @@ uint32 _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAM struct samr_info *info = NULL; BOOL ret; - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); 
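Review bot: The `@@ -1758,7` hunk puts an assignment and a function call inside a macro argument, `NT_STATUS_IS_ERR(r_u->status = get_user_info_12(...))`. The macro's definition is not on this page, and if it expands its argument more than once the account lookup runs twice. Splitting the statement removes that dependency: `r_u->status = get_user_info_12(p, ctr->info.id12, rid);` followed by `if (NT_STATUS_IS_ERR(r_u->status)) return r_u->status;`. The old test rejected every status other than success, while the new one rejects only what the macro classes as an error, so it is worth confirming that no other status from `get_user_info_12` should stop the reply. The enclosing switch in `_samr_query_userinfo` starts and ends outside the hunk.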
@@ -1844,7 +1846,7 @@ uint32 _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAM _samr_query_dom_info ********************************************************************/ -uint32 _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR_R_QUERY_DOMAIN_INFO *r_u) +NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR_R_QUERY_DOMAIN_INFO *r_u) { SAM_UNK_CTR *ctr; @@ -1853,7 +1855,7 @@ uint32 _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR ZERO_STRUCTP(ctr); - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); @@ -1888,7 +1890,7 @@ uint32 _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR return NT_STATUS_INVALID_INFO_CLASS; } - init_samr_r_query_dom_info(r_u, q_u->switch_value, ctr, NT_STATUS_NOPROBLEMO); + init_samr_r_query_dom_info(r_u, q_u->switch_value, ctr, NT_STATUS_OK); DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); @@ -1899,7 +1901,7 @@ uint32 _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR _api_samr_create_user ********************************************************************/ -uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREATE_USER *r_u) +NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREATE_USER *r_u) { SAM_ACCOUNT *sam_pass=NULL; fstring mach_acct; 
@@ -2018,20 +2020,20 @@ uint32 _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CR pdb_free_sam(sam_pass); - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /******************************************************************* samr_reply_connect_anon ********************************************************************/ -uint32 _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CONNECT_ANON *r_u) +NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CONNECT_ANON *r_u) { struct samr_info *info = NULL; /* set up the SAMR connect_anon response */ - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; /* associate the user's SID with the new handle. */ if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) @@ -2051,13 +2053,13 @@ uint32 _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CONN samr_reply_connect ********************************************************************/ -uint32 _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u) +NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u) { struct samr_info *info = NULL; DEBUG(5,("_samr_connect: %d\n", __LINE__)); - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; /* associate the user's SID with the new handle. */ if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) @@ -2079,9 +2081,9 @@ uint32 _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u) api_samr_lookup_domain **********************************************************************/ -uint32 _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_LOOKUP_DOMAIN *r_u) +NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_LOOKUP_DOMAIN *r_u) { - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; if (!find_policy_by_hnd(p, &q_u->connect_pol, NULL)) return NT_STATUS_INVALID_HANDLE; 
@@ -2135,12 +2137,12 @@ static BOOL make_enum_domains(TALLOC_CTX *ctx, SAM_ENTRY **pp_sam, api_samr_enum_domains **********************************************************************/ -uint32 _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_ENUM_DOMAINS *r_u) +NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_ENUM_DOMAINS *r_u) { uint32 num_entries = 2; fstring dom[2]; - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; fstrcpy(dom[0],global_myworkgroup); fstrcpy(dom[1],"Builtin"); @@ -2157,7 +2159,7 @@ uint32 _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_ENUM api_samr_open_alias ********************************************************************/ -uint32 _api_samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_ALIAS *r_u) +NTSTATUS _api_samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_ALIAS *r_u) { DOM_SID sid; POLICY_HND domain_pol = q_u->dom_pol; @@ -2165,7 +2167,7 @@ uint32 _api_samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN POLICY_HND *alias_pol = &r_u->pol; struct samr_info *info = NULL; - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; /* get the domain policy. */ if (!find_policy_by_hnd(p, &domain_pol, NULL)) @@ -2448,7 +2450,7 @@ static BOOL set_user_info_pw(char *pass, uint32 rid) samr_reply_set_userinfo ********************************************************************/ -uint32 _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_USERINFO *r_u) +NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_USERINFO *r_u) { uint32 rid = 0x0; DOM_SID sid; @@ -2462,7 +2464,7 @@ uint32 _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_ DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__)); - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; if (p->ntlmssp_auth_validated) { memcpy(&user, &p->pipe_user, sizeof(user)); 
@@ -2563,7 +2565,7 @@ uint32 _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_ samr_reply_set_userinfo2 ********************************************************************/ -uint32 _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SET_USERINFO2 *r_u) +NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SET_USERINFO2 *r_u) { DOM_SID sid; uint32 rid = 0x0; @@ -2573,7 +2575,7 @@ uint32 _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SE DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__)); - r_u->status = NT_STATUS_NOPROBLEMO; + r_u->status = NT_STATUS_OK; /* find the policy handle. open a policy on it. */ if (!get_lsa_policy_samr_sid(p, pol, &sid)) @@ -2616,7 +2618,7 @@ uint32 _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SE _samr_query_aliasmem *********************************************************************/ -uint32 _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u) +NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u) { uint32 *rid=NULL; int num_rids; @@ -2630,9 +2632,9 @@ uint32 _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, S rid[0] = BUILTIN_ALIAS_RID_USERS; - init_samr_r_query_useraliases(r_u, num_rids, rid, NT_STATUS_NOPROBLEMO); + init_samr_r_query_useraliases(r_u, num_rids, rid, NT_STATUS_OK); - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } @@ -2640,7 +2642,7 @@ uint32 _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, S _samr_query_aliasmem *********************************************************************/ -uint32 _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_QUERY_ALIASMEM *r_u) +NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_QUERY_ALIASMEM *r_u) { int i; 
@@ -2694,16 +2696,16 @@ uint32 _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_ } DEBUG(10, ("sid is %s\n", alias_sid_str)); - init_samr_r_query_aliasmem(r_u, num_uids, sid, NT_STATUS_NOPROBLEMO); + init_samr_r_query_aliasmem(r_u, num_uids, sid, NT_STATUS_OK); - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /********************************************************************* _samr_query_groupmem *********************************************************************/ -uint32 _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u) +NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u) { int num_uids = 0; int i; @@ -2752,16 +2754,16 @@ uint32 _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_ attr[i] = SID_NAME_USER; } - init_samr_r_query_groupmem(r_u, num_uids, rid, attr, NT_STATUS_NOPROBLEMO); + init_samr_r_query_groupmem(r_u, num_uids, rid, attr, NT_STATUS_OK); - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /********************************************************************* _samr_add_aliasmem *********************************************************************/ -uint32 _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_ADD_ALIASMEM *r_u) +NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_ADD_ALIASMEM *r_u) { DOM_SID alias_sid; fstring alias_sid_str; 
@@ -2820,24 +2822,24 @@ uint32 _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_ADD_ if(!user_in_group_list(pwd->pw_name, grp_name)) return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */ - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /********************************************************************* _samr_del_aliasmem *********************************************************************/ -uint32 _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DEL_ALIASMEM *r_u) +NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DEL_ALIASMEM *r_u) { - DEBUG(0,("_samr_del_aliasmem: Not yet implemented.\n")); - return False; + DEBUG(0,("_samr_del_aliasmem: Not yet implemented.\n")); + return NT_STATUS_NOT_IMPLEMENTED; } /********************************************************************* _samr_add_groupmem *********************************************************************/ -uint32 _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_ADD_GROUPMEM *r_u) +NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_ADD_GROUPMEM *r_u) { DOM_SID group_sid; fstring group_sid_str; 
@@ -2886,34 +2888,34 @@ uint32 _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_ADD_ if(!user_in_group_list(pwd->pw_name, grp_name)) return NT_STATUS_MEMBER_NOT_IN_GROUP; /* don't know what to reply else */ - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /********************************************************************* _samr_del_groupmem *********************************************************************/ -uint32 _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DEL_GROUPMEM *r_u) +NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DEL_GROUPMEM *r_u) { - DEBUG(0,("_samr_del_groupmem: Not yet implemented.\n")); - return False; + DEBUG(0,("_samr_del_groupmem: Not yet implemented.\n")); + return NT_STATUS_NOT_IMPLEMENTED; } /********************************************************************* _samr_delete_dom_user *********************************************************************/ -uint32 _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAMR_R_DELETE_DOM_USER *r_u ) +NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAMR_R_DELETE_DOM_USER *r_u ) { - DEBUG(0,("_samr_delete_dom_user: Not yet implemented.\n")); - return False; + DEBUG(0,("_samr_delete_dom_user: Not yet implemented.\n")); + return NT_STATUS_NOT_IMPLEMENTED; } /********************************************************************* _samr_delete_dom_group *********************************************************************/ -uint32 _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, SAMR_R_DELETE_DOM_GROUP *r_u) +NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, SAMR_R_DELETE_DOM_GROUP *r_u) { DOM_SID group_sid; DOM_SID dom_sid; 
@@ -2963,14 +2965,14 @@ uint32 _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, SAM if (!close_policy_hnd(p, &q_u->group_pol)) return NT_STATUS_OBJECT_NAME_INVALID; - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /********************************************************************* _samr_delete_dom_alias *********************************************************************/ -uint32 _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, SAMR_R_DELETE_DOM_ALIAS *r_u) +NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, SAMR_R_DELETE_DOM_ALIAS *r_u) { DOM_SID alias_sid; DOM_SID dom_sid; @@ -3020,14 +3022,14 @@ uint32 _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, SAM if (!close_policy_hnd(p, &q_u->alias_pol)) return NT_STATUS_OBJECT_NAME_INVALID; - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /********************************************************************* _samr_create_dom_group *********************************************************************/ -uint32 _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, SAMR_R_CREATE_DOM_GROUP *r_u) +NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, SAMR_R_CREATE_DOM_GROUP *r_u) { DOM_SID dom_sid; DOM_SID info_sid; 
@@ -3077,14 +3079,14 @@ uint32 _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, SAM if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /********************************************************************* _samr_create_dom_alias *********************************************************************/ -uint32 _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, SAMR_R_CREATE_DOM_ALIAS *r_u) +NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, SAMR_R_CREATE_DOM_ALIAS *r_u) { DOM_SID dom_sid; fstring name; @@ -3133,7 +3135,7 @@ uint32 _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, SAM if (!create_policy_hnd(p, &r_u->alias_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /********************************************************************* @@ -3143,7 +3145,7 @@ sends the name/comment pair of a domain group level 1 send also the number of users of that group *********************************************************************/ -uint32 _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_R_QUERY_GROUPINFO *r_u) +NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_R_QUERY_GROUPINFO *r_u) { DOM_SID group_sid; GROUP_MAP map; @@ -3177,9 +3179,9 @@ uint32 _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_ return NT_STATUS_INVALID_INFO_CLASS; } - init_samr_r_query_groupinfo(r_u, ctr, NT_STATUS_NOPROBLEMO); + init_samr_r_query_groupinfo(r_u, ctr, NT_STATUS_OK); - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /********************************************************************* 
@@ -3188,7 +3190,7 @@ uint32 _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_ update a domain group's comment. *********************************************************************/ -uint32 _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SET_GROUPINFO *r_u) +NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SET_GROUPINFO *r_u) { DOM_SID group_sid; GROUP_MAP map; @@ -3216,7 +3218,7 @@ uint32 _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SE if(!add_mapping_entry(&map, TDB_REPLACE)) return NT_STATUS_NO_SUCH_GROUP; - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /********************************************************************* @@ -3225,7 +3227,7 @@ uint32 _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SE update a domain group's comment. *********************************************************************/ -uint32 _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_SET_ALIASINFO *r_u) +NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_SET_ALIASINFO *r_u) { DOM_SID group_sid; GROUP_MAP map; 
@@ -3250,24 +3252,24 @@ uint32 _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_SE if(!add_mapping_entry(&map, TDB_REPLACE)) return NT_STATUS_NO_SUCH_GROUP; - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /********************************************************************* _samr_get_dom_pwinfo *********************************************************************/ -uint32 _samr_get_dom_pwinfo(pipes_struct *p, SAMR_Q_GET_DOM_PWINFO *q_u, SAMR_R_GET_DOM_PWINFO *r_u) +NTSTATUS _samr_get_dom_pwinfo(pipes_struct *p, SAMR_Q_GET_DOM_PWINFO *q_u, SAMR_R_GET_DOM_PWINFO *r_u) { /* Actually, returning zeros here works quite well :-). */ - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /********************************************************************* _samr_open_group *********************************************************************/ -uint32 _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_GROUP *r_u) +NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_GROUP *r_u) { DOM_SID sid; GROUP_MAP map; @@ -3300,15 +3302,15 @@ uint32 _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_GRO if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - return NT_STATUS_NOPROBLEMO; + return NT_STATUS_OK; } /********************************************************************* _samr_unknown_2d *********************************************************************/ -uint32 _samr_unknown_2d(pipes_struct *p, SAMR_Q_UNKNOWN_2D *q_u, SAMR_R_UNKNOWN_2D *r_u) +NTSTATUS _samr_unknown_2d(pipes_struct *p, SAMR_Q_UNKNOWN_2D *q_u, SAMR_R_UNKNOWN_2D *r_u) { - DEBUG(0,("_samr_unknown_2d: Not yet implemented.\n")); - return False; + DEBUG(0,("_samr_unknown_2d: Not yet implemented.\n")); + return NT_STATUS_NOT_IMPLEMENTED; } -- cgit From cbd99a13c510bd1cdfdd448ab1f1e94686180f50 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Fri, 14 Sep 2001 10:31:39 +0000 Subject: Finally commit my fix to this little mess... The same function that adds machines to the system also adds users, and the new 'add user script'/'add machine script' distinction needs to be made correctly. Also introduces a sainity check for correct $ termination. Andrew Bartlett (This used to be commit ef377ea0cc55cb6647ecd7a634cf5983e11cfe99) --- source3/rpc_server/srv_samr_nt.c | 35 +++++++++++++++++++++++++---------- 1 file changed, 25 insertions(+), 10 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index dce082d31d..c753764c79 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1899,12 +1899,14 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA /******************************************************************* _api_samr_create_user + Create an account, can be either a normal user or a machine. + This funcion will need to be updated for bdc/domain trusts. ********************************************************************/ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREATE_USER *r_u) { SAM_ACCOUNT *sam_pass=NULL; - fstring mach_acct; + fstring account; pstring err_str; pstring msg_str; int local_flags=0; 
@@ -1921,22 +1923,22 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ if (!find_policy_by_hnd(p, &dom_pol, NULL)) return NT_STATUS_INVALID_HANDLE; - /* find the machine account: tell the caller if it exists. + /* find the account: tell the caller if it exists. lkclXXXX i have *no* idea if this is a problem or not or even if you are supposed to construct a different reply if the account already exists... */ - rpcstr_pull(mach_acct, user_account.buffer, sizeof(mach_acct), user_account.uni_str_len*2, 0); - strlower(mach_acct); + rpcstr_pull(account, user_account.buffer, sizeof(account), user_account.uni_str_len*2, 0); + strlower(account); pdb_init_sam(&sam_pass); become_root(); - ret = pdb_getsampwnam(sam_pass, mach_acct); + ret = pdb_getsampwnam(sam_pass, account); unbecome_root(); if (ret == True) { - /* machine account exists: say so */ + /* this account exists: say so */ pdb_free_sam(sam_pass); return NT_STATUS_USER_EXISTS; } 
@@ -1960,19 +1962,32 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ * * So we go the easy way, only check after if the account exists. * JFM (2/3/2001), to clear any possible bad understanding (-: + * + * We now have seperate script paramaters for adding users/machines so we + * now have some sainity-checking to match. */ - pstrcpy(add_script, lp_addmachine_script()); + DEBUG(10,("checking account %s at pos %d for $ termination\n",account, strlen(account)-1)); + + if ((acb_info & ACB_WSTRUST) && (account[strlen(account)-1] == '$')) { + pstrcpy(add_script, lp_addmachine_script()); + } else if ((!(acb_info & ACB_WSTRUST)) && (account[strlen(account)-1] != '$')) { + pstrcpy(add_script, lp_adduser_script()); + } else { + DEBUG(0, ("_api_samr_create_user: mismatch between trust flags and $ termination\n")); + pdb_free_sam(sam_pass); + return NT_STATUS_UNSUCCESSFUL; + } if(*add_script) { int add_ret; - all_string_sub(add_script, "%u", mach_acct, sizeof(mach_acct)); + all_string_sub(add_script, "%u", account, sizeof(account)); add_ret = smbrun(add_script,NULL); DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n",add_script,add_ret)); } /* add the user in the smbpasswd file or the Samba authority database */ - if (!local_password_change(mach_acct, local_flags, NULL, err_str, + if (!local_password_change(account, local_flags, NULL, err_str, sizeof(err_str), msg_str, sizeof(msg_str))) { DEBUG(0, ("%s\n", err_str)); pdb_free_sam(sam_pass); @@ -1980,7 +1995,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ } become_root(); - ret = pdb_getsampwnam(sam_pass, mach_acct); + ret = pdb_getsampwnam(sam_pass, account); unbecome_root(); if (ret == False) { /* account doesn't exist: say so */ -- cgit From 87945989c0383bd012be7ab8bc5920b6d03fa105 Mon Sep 17 00:00:00 2001 
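Review bot: `account[strlen(account)-1]` in the `@@ -1960,19` hunk reads outside the buffer when the client supplies an empty account name, because `strlen(account)-1` wraps; the same expression is also passed to `DEBUG` with `%d`, which does not match a `size_t`. Taking the length once and rejecting zero first avoids both: `size_t len = strlen(account); if (len == 0) { pdb_free_sam(sam_pass); return NT_STATUS_UNSUCCESSFUL; }`, then test `account[len-1]`. Separately, `account` comes from the RPC request and is substituted into the command line handed to `smbrun`, and the hunk shows no character check beyond the `$` suffix; unless `all_string_sub` filters shell metacharacters (not visible here), the name should be validated against an allowed character set before substitution. The size passed to `all_string_sub` is `sizeof(account)` although the string being edited is `add_script`. `_api_samr_create_user` starts and ends outside the hunk.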
From: Simo Sorce Date: Mon, 17 Sep 2001 10:26:23 +0000 Subject: move to SAFE_FREE() (This used to be commit 5ceecc7bef71b455ba7c4efd9928e2433dccc961) --- source3/rpc_server/srv_samr_nt.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c753764c79..7409acec27 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -52,9 +52,7 @@ struct samr_info { static void free_samr_info(void *ptr) { - struct samr_info *samr = (struct samr_info *)ptr; - - safe_free(samr); + SAFE_FREE(ptr); } /******************************************************************* @@ -820,7 +818,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM } - safe_free(map); + SAFE_FREE(map); } else if (sid_equal(sid, &global_sam_sid) && !lp_hide_local_users()) { char *sep; @@ -931,7 +929,7 @@ static NTSTATUS get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DO *d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP)); if (num_entries!=0 && *d_grp==NULL){ - safe_free(map); + SAFE_FREE(map); return NT_STATUS_NO_MEMORY; } @@ -942,7 +940,7 @@ static NTSTATUS get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DO (*d_grp)[i].attr=SID_NAME_DOM_GRP; } - safe_free(map); + SAFE_FREE(map); *p_num_entries = num_entries; @@ -3184,7 +3182,7 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM if(!get_uid_list_of_group(map.gid, &uid, &num_uids)) return NT_STATUS_NO_SUCH_GROUP; init_samr_group_info1(&ctr->group.info1, map.nt_name, map.comment, num_uids); - safe_free(uid); + SAFE_FREE(uid); break; case 4: ctr->switch_value1 = 4; -- cgit From 008ba27b2884a5553f4c28a2c9c7ae584b61c3a4 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Tue, 25 Sep 2001 00:50:37 +0000 Subject: Fixed enumeration of large numbers of groups from a Samba DC. Tidied up debug messages in lib/messages.c Jeremy. (This used to be commit dfb58f227609d6c8a255677b85ec853efa19f602) --- source3/rpc_server/srv_samr_nt.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 7409acec27..4ffd1c85b5 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -900,6 +900,8 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM DEBUG(10,("get_group_alias_entries: returning %d entries\n", *p_num_entries)); + if (num_entries >= max_entries) + return STATUS_MORE_ENTRIES; return NT_STATUS_OK; } @@ -1007,7 +1009,7 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S /*safe_free(grp);*/ - init_samr_r_enum_dom_aliases(r_u, q_u->start_idx, num_entries); + init_samr_r_enum_dom_aliases(r_u, q_u->start_idx + num_entries, num_entries); DEBUG(5,("samr_enum_dom_aliases: %d\n", __LINE__)); -- cgit From d74d82bddce5d6cf3f554ff014e08f2aeb2c14bc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 26 Sep 2001 11:51:25 +0000 Subject: Make use of the pdb_set_plaintext_passwd() update to vastly simplify decode_pw_buffer() and the samr password changing routines. And yes, I know that we can lost some information in the Unicode->UTF->Unicode bit of this, but its worth the code cleanup. This also takes into account the possability of multibyte passwords. Andrew Bartlett (This used to be commit 42402c87d6bcff71b700e497b74d2600d7ce8b95) --- source3/rpc_server/srv_samr_nt.c | 28 +++++++++++----------------- 1 file changed, 11 insertions(+), 17 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
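Review bot: The added `if (num_entries >= max_entries) return STATUS_MORE_ENTRIES;` in the `@@ -900,6` hunk also fires when the number of groups equals `max_entries` exactly, so a client is told that more entries exist when none remain. If the enumeration loop, which lies outside the hunk, can tell whether it stopped because of the cap, that condition is the better trigger; otherwise a comment such as `/* may report more entries when the count equals the cap; the next call then returns none */` would document the behaviour. In the `@@ -1007,7` hunk the resume index becomes `q_u->start_idx + num_entries`, but whether `_samr_enum_dom_aliases` copies `STATUS_MORE_ENTRIES` into `r_u->status` is not visible here, and without that the client has no reason to use the index.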
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 4ffd1c85b5..4290e24395 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2339,9 +2339,7 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) { SAM_ACCOUNT *pwd = NULL; SAM_ACCOUNT *new_pwd = NULL; - uint8 nt_hash[16]; - uint8 lm_hash[16]; - pstring buf; + pstring plaintext_buf; uint32 len; uint16 acct_ctrl; @@ -2366,13 +2364,12 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) copy_id23_to_sam_passwd(new_pwd, id23); - if (!decode_pw_buffer((char*)id23->pass, buf, 256, &len, nt_hash, lm_hash)) { + if (!decode_pw_buffer((char*)id23->pass, plaintext_buf, 256, &len)) { pdb_free_sam(new_pwd); return False; } - pdb_set_lanman_passwd (new_pwd, lm_hash); - pdb_set_nt_passwd (new_pwd, nt_hash); + pdb_set_plaintext_passwd (new_pwd, plaintext_buf); /* if it's a trust account, don't update /etc/passwd */ if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || @@ -2382,13 +2379,13 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) } else { /* update the UNIX password */ if (lp_unix_password_sync() ) - if(!chgpasswd(pdb_get_username(new_pwd), "", buf, True)) { + if(!chgpasswd(pdb_get_username(new_pwd), "", plaintext_buf, True)) { pdb_free_sam(new_pwd); return False; } } - memset(buf, 0, sizeof(buf)); + ZERO_STRUCT(plaintext_buf); if(!pdb_update_sam_account(new_pwd, True)) { pdb_free_sam(new_pwd); @@ -2407,10 +2404,8 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) static BOOL set_user_info_pw(char *pass, uint32 rid) { SAM_ACCOUNT *pwd = NULL; - uchar nt_hash[16]; - uchar lm_hash[16]; uint32 len; - pstring buf; + pstring plaintext_buf; uint16 acct_ctrl; pdb_init_sam(&pwd); 
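Review bot: The `@@ -2366,13` hunk calls `pdb_set_plaintext_passwd (new_pwd, plaintext_buf);` as a bare statement, so if deriving or storing the new password fails, `set_user_info_23` still goes on to `chgpasswd` and `pdb_update_sam_account` with the old hashes in `new_pwd`. If the function reports failure through its return value (its prototype is not on this page), check it and leave the same way as the `decode_pw_buffer` failure: `if (!pdb_set_plaintext_passwd(new_pwd, plaintext_buf)) { pdb_free_sam(new_pwd); return False; }`. The same unchecked call is added to `set_user_info_pw` in the `@@ -2422,15` hunk. The literal `256` passed to `decode_pw_buffer` would read better as a named constant tied to the wire buffer's size.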
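Review bot: `plaintext_buf` holds the decoded cleartext password, and in the `@@ -2382,13` hunk the `chgpasswd` failure branch returns without clearing it; only the success path reaches `ZERO_STRUCT(plaintext_buf);`. Add the clear to each early return taken after `decode_pw_buffer` succeeds, for example `ZERO_STRUCT(plaintext_buf);` ahead of `pdb_free_sam(new_pwd); return False;`. `set_user_info_pw` has the same gap in the `@@ -2440,13` hunk. If `ZERO_STRUCT` is a plain `memset` (its definition is not shown), a compiler may drop the clear of a buffer that is never read again, so a wipe routine the optimiser cannot remove would be safer. Both functions continue outside their hunks.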
@@ -2422,15 +2417,14 @@ static BOOL set_user_info_pw(char *pass, uint32 rid) acct_ctrl = pdb_get_acct_ctrl(pwd); - memset(buf, 0, sizeof(buf)); + ZERO_STRUCT(plaintext_buf); - if (!decode_pw_buffer(pass, buf, 256, &len, nt_hash, lm_hash)) { + if (!decode_pw_buffer(pass, plaintext_buf, 256, &len)) { pdb_free_sam(pwd); return False; } - pdb_set_lanman_passwd (pwd, lm_hash); - pdb_set_nt_passwd (pwd, nt_hash); + pdb_set_plaintext_passwd (pwd, plaintext_buf); /* if it's a trust account, don't update /etc/passwd */ if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || @@ -2440,13 +2434,13 @@ static BOOL set_user_info_pw(char *pass, uint32 rid) } else { /* update the UNIX password */ if (lp_unix_password_sync()) - if(!chgpasswd(pdb_get_username(pwd), "", buf, True)) { + if(!chgpasswd(pdb_get_username(pwd), "", plaintext_buf, True)) { pdb_free_sam(pwd); return False; } } - memset(buf, 0, sizeof(buf)); + ZERO_STRUCT(plaintext_buf); DEBUG(5,("set_user_info_pw: pdb_update_sam_account()\n")); -- cgit From 2a9cd3b79af12ad32aafe204b2a964348385eba7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 27 Sep 2001 09:13:26 +0000 Subject: Fix memory leak in get_sampwd_entries(), reindent for clarity. - call pdb_reset_sam() after each getent call. Fix bug in get_group_alias_entries(), were if num_entries was zero this caused talloc() to return NULL, failing a test below with NT_STATUS_NO_MEMORY. Fix pdb_reset_sam() to correctly initalise the sam structure. Move default value code into a single place, likewise for sam freeing code. - should make things easier if we decide to malloc other strings, or get more non-zero default values. Finally, add a function in init a sam struct from a getpwnam() return. Andrew Bartlett (This used to be commit a41fb44f5e90cf8734d57217e836e14f4a80bd47) --- source3/rpc_server/srv_samr_nt.c | 85 ++++++++++++++++++++++------------------ 1 file changed, 46 insertions(+), 39 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 4290e24395..f7e6317edf 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -106,44 +106,50 @@ static NTSTATUS get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, pdb_free_sam(pwd); return NT_STATUS_ACCESS_DENIED; } - + while (((not_finished = pdb_getsampwent(pwd)) != False) - && (*num_entries) < max_num_entries) + && (*num_entries) < max_num_entries) { int user_name_len; - + if (start_idx > 0) { - /* skip the requested number of entries. - not very efficient, but hey... */ - start_idx--; - continue; - } - - user_name_len = strlen(pdb_get_username(pwd))+1; - init_unistr2(&pw_buf[(*num_entries)].uni_user_name, pdb_get_username(pwd), user_name_len); - init_uni_hdr(&pw_buf[(*num_entries)].hdr_user_name, user_name_len); - pw_buf[(*num_entries)].user_rid = pwd->user_rid; - memset((char *)pw_buf[(*num_entries)].nt_pwd, '\0', 16); - /* Now check if the NT compatible password is available. */ - if (pdb_get_nt_passwd(pwd)) - memcpy( pw_buf[(*num_entries)].nt_pwd , pdb_get_nt_passwd(pwd), 16); - - pw_buf[(*num_entries)].acb_info = pdb_get_acct_ctrl(pwd); - - DEBUG(5, ("entry idx: %d user %s, rid 0x%x, acb %x", - (*num_entries), pdb_get_username(pwd), pdb_get_user_rid(pwd), pdb_get_acct_ctrl(pwd) )); + pdb_reset_sam(pwd); - if (acb_mask == 0 || (pwd->acct_ctrl & acb_mask)) { - DEBUG(5,(" acb_mask %x accepts\n", acb_mask)); - (*num_entries)++; - } - else - DEBUG(5,(" acb_mask %x rejects\n", acb_mask)); + /* skip the requested number of entries. + not very efficient, but hey... */ + start_idx--; + continue; + } + + user_name_len = strlen(pdb_get_username(pwd))+1; + init_unistr2(&pw_buf[(*num_entries)].uni_user_name, pdb_get_username(pwd), user_name_len); + init_uni_hdr(&pw_buf[(*num_entries)].hdr_user_name, user_name_len); + pw_buf[(*num_entries)].user_rid = pwd->user_rid; + memset((char *)pw_buf[(*num_entries)].nt_pwd, '\0', 16); + + /* Now check if the NT compatible password is available. 
*/ + if (pdb_get_nt_passwd(pwd)) + memcpy( pw_buf[(*num_entries)].nt_pwd , pdb_get_nt_passwd(pwd), 16); + + pw_buf[(*num_entries)].acb_info = pdb_get_acct_ctrl(pwd); + + DEBUG(5, ("entry idx: %d user %s, rid 0x%x, acb %x", + (*num_entries), pdb_get_username(pwd), pdb_get_user_rid(pwd), pdb_get_acct_ctrl(pwd) )); + + if (acb_mask == 0 || (pwd->acct_ctrl & acb_mask)) { + DEBUG(5,(" acb_mask %x accepts\n", acb_mask)); + (*num_entries)++; + } else { + DEBUG(5,(" acb_mask %x rejects\n", acb_mask)); + } (*total_entries)++; - } + + pdb_reset_sam(pwd); + } + pdb_endsampwent(); pdb_free_sam(pwd); @@ -807,17 +813,18 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) { enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ALL_MAPPED); - - *d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP)); - if (*d_grp==NULL) - return NT_STATUS_NO_MEMORY; - for(i=0; istatus = NT_STATUS_OK; rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0); - rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len,0); + rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len*2,0); DEBUG(5,("samr_chgpasswd_user: user: %s wks: %s\n", user_name, wks)); -- cgit From 81697d5ebe33ad95dedfc376118fcdf0367cf052 Mon Sep 17 00:00:00 2001 
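Review bot: In the re-indented loop of get_sampwd_entries, the slot `pw_buf[(*num_entries)]` is filled with the user name, RID and the 16-byte NT hash (`memcpy(... nt_pwd, pdb_get_nt_passwd(pwd), 16)`) before the `acb_mask` test decides whether the entry counts. A rejected account therefore stays in the slot until a later entry overwrites it, and if it was the last one examined its hash remains in the caller's buffer past `*num_entries`. Testing `acb_mask == 0 || (pwd->acct_ctrl & acb_mask)` first and filling the slot only on accept avoids that. Separately, `strlen(pdb_get_username(pwd))` assumes the getter never returns NULL, which is not shown here. The function begins and ends outside this hunk.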
From: Andrew Bartlett Date: Sat, 29 Sep 2001 13:08:26 +0000 Subject: Fix up a number of intertwined issues: The big one is a global change to allow us to NULLify the free'ed pointer to a former passdb object. This was done to allow idra's SAFE_FREE() macro to do its magic, and to satisfy the input test in pdb_init_sam() for a NULL pointer to start with. This NULL pointer test was what was breaking the adding of accounts up until now, and this code has been reworked to avoid duplicating work - I hope this will avoid a similar mess-up in future. Finally, I fixed a few nasty bugs where the pdb_ fuctions's return codes were being ignored. Some of these functions malloc() and are permitted to fail. Also, this caught a nasty bug where pdb_set_lanman_password(sam, NULL) acheived precisely didilly-squat, just returning False. Now that we check the returns this bug was spotted. This could allow different LM and NT passwords. - the pdbedit code needs to start checking these too, but I havn't had a chance to fix it. I have also fixed up where some of the password changing code was using the pdb_set functions to store *internal* data. I assume this is from a previous lot of mass conversion work... Most likally (and going on past experience) I have missed somthing, probably in the LanMan password change code which I havn't yet been able to test, but this lot is in much better shape than it was before. If all this is too much to swallow (particularly for 2.2.2) then just adding a sam_pass = NULL to the particular line of passdb.c should do the trick for the ovbious bug. Andrew Bartlett (This used to be commit 762c8758a7869809d89b4da9c2a5249678942930) --- source3/rpc_server/srv_samr_nt.c | 127 ++++++++++++++++++++++----------------- 1 file changed, 71 insertions(+), 56 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index f7e6317edf..9748d0e950 100644 
--- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -103,7 +103,7 @@ static NTSTATUS get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, if (!pdb_setsampwent(False)) { DEBUG(0, ("get_sampwd_entries: Unable to open passdb.\n")); - pdb_free_sam(pwd); + pdb_free_sam(&pwd); return NT_STATUS_ACCESS_DENIED; } @@ -151,7 +151,7 @@ static NTSTATUS get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, } pdb_endsampwent(); - pdb_free_sam(pwd); + pdb_free_sam(&pwd); if (not_finished) return STATUS_MORE_ENTRIES; @@ -231,7 +231,7 @@ static NTSTATUS jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, *total_entries = *num_entries; - pdb_free_sam(pwd); + pdb_free_sam(&pwd); if (not_finished) return STATUS_MORE_ENTRIES; @@ -1508,12 +1508,12 @@ NTSTATUS _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN /* check that the RID exists in our domain. */ if (ret == False) { - pdb_free_sam(sampass); + pdb_free_sam(&sampass); return NT_STATUS_NO_SUCH_USER; } samr_clear_sam_passwd(sampass); - pdb_free_sam(sampass); + pdb_free_sam(&sampass); /* Get the domain SID stored in the domain policy */ if(!get_lsa_policy_samr_sid(p, &domain_pol, &sid)) @@ -1559,7 +1559,7 @@ static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) if (ret==False) { DEBUG(4,("User 0x%x not found\n", user_rid)); - pdb_free_sam(smbpass); + pdb_free_sam(&smbpass); return False; } @@ -1569,7 +1569,7 @@ static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) init_sam_user_info10(id10, pdb_get_acct_ctrl(smbpass) ); samr_clear_sam_passwd(smbpass); - pdb_free_sam(smbpass); + pdb_free_sam(&smbpass); return True; } 
@@ -1600,21 +1600,21 @@ static NTSTATUS get_user_info_12(pipes_struct *p, SAM_USER_INFO_12 * id12, uint3 if (ret == False) { DEBUG(4, ("User 0x%x not found\n", user_rid)); - pdb_free_sam(smbpass); + pdb_free_sam(&smbpass); return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED; } DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) )); if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) { - pdb_free_sam(smbpass); + pdb_free_sam(&smbpass); return NT_STATUS_ACCOUNT_DISABLED; } ZERO_STRUCTP(id12); init_sam_user_info12(id12, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass)); - pdb_free_sam(smbpass); + pdb_free_sam(&smbpass); return NT_STATUS_OK; } @@ -1641,7 +1641,7 @@ static BOOL get_user_info_20(SAM_USER_INFO_20 *id20, uint32 user_rid) if (ret == False) { DEBUG(4,("User 0x%x not found\n", user_rid)); - pdb_free_sam(sampass); + pdb_free_sam(&sampass); return False; } @@ -1652,7 +1652,7 @@ static BOOL get_user_info_20(SAM_USER_INFO_20 *id20, uint32 user_rid) ZERO_STRUCTP(id20); init_sam_user_info20A(id20, sampass); - pdb_free_sam(sampass); + pdb_free_sam(&sampass); return True; } @@ -1679,7 +1679,7 @@ static BOOL get_user_info_21(SAM_USER_INFO_21 *id21, uint32 user_rid) if (ret == False) { DEBUG(4,("User 0x%x not found\n", user_rid)); - pdb_free_sam(sampass); + pdb_free_sam(&sampass); return False; } @@ -1690,7 +1690,7 @@ static BOOL get_user_info_21(SAM_USER_INFO_21 *id21, uint32 user_rid) ZERO_STRUCTP(id21); init_sam_user_info21A(id21, sampass); - pdb_free_sam(sampass); + pdb_free_sam(&sampass); return True; } @@ -1946,7 +1946,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ unbecome_root(); if (ret == True) { /* this account exists: say so */ - pdb_free_sam(sam_pass); + pdb_free_sam(&sam_pass); return NT_STATUS_USER_EXISTS; } 
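Review bot: get_user_info_12 (hunk `@@ -1600,21 +1600,21 @@`) releases `smbpass` with `pdb_free_sam(&smbpass)` on all three exits without the `samr_clear_sam_passwd(smbpass)` call that get_user_info_10 and _api_samr_open_user make right before their final free. Unless pdb_free_sam() scrubs the LM and NT hashes itself, which is not visible on this page, the hashes stay in freed heap memory on this path. Adding `samr_clear_sam_passwd(smbpass);` before the final `pdb_free_sam(&smbpass);` would make the three functions consistent. init_sam_user_info12() is also handed the getters' results directly, so it has to tolerate a NULL hash pointer; get_sampwd_entries checks `pdb_get_nt_passwd()` for NULL before using it.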
@@ -1982,7 +1982,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ pstrcpy(add_script, lp_adduser_script()); } else { DEBUG(0, ("_api_samr_create_user: mismatch between trust flags and $ termination\n")); - pdb_free_sam(sam_pass); + pdb_free_sam(&sam_pass); return NT_STATUS_UNSUCCESSFUL; } @@ -1997,7 +1997,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ if (!local_password_change(account, local_flags, NULL, err_str, sizeof(err_str), msg_str, sizeof(msg_str))) { DEBUG(0, ("%s\n", err_str)); - pdb_free_sam(sam_pass); + pdb_free_sam(&sam_pass); return NT_STATUS_ACCESS_DENIED; } @@ -2006,25 +2006,25 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ unbecome_root(); if (ret == False) { /* account doesn't exist: say so */ - pdb_free_sam(sam_pass); + pdb_free_sam(&sam_pass); return NT_STATUS_ACCESS_DENIED; } /* Get the domain SID stored in the domain policy */ if(!get_lsa_policy_samr_sid(p, &dom_pol, &sid)) { - pdb_free_sam(sam_pass); + pdb_free_sam(&sam_pass); return NT_STATUS_INVALID_HANDLE; } /* append the user's RID to it */ if(!sid_append_rid(&sid, pdb_get_user_rid(sam_pass) )) { - pdb_free_sam(sam_pass); + pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; } /* associate the user's SID with the new handle. */ if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) { - pdb_free_sam(sam_pass); + pdb_free_sam(&sam_pass); return NT_STATUS_NO_MEMORY; } @@ -2033,14 +2033,14 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) { - pdb_free_sam(sam_pass); + pdb_free_sam(&sam_pass); return NT_STATUS_OBJECT_NAME_NOT_FOUND; } r_u->user_rid=sam_pass->user_rid; r_u->unknown_0 = 0x000703ff; - pdb_free_sam(sam_pass); + pdb_free_sam(&sam_pass); return NT_STATUS_OK; } 
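Review bot: In _api_samr_create_user, the failure branch of `create_policy_hnd(p, user_pol, free_samr_info, (void *)info)` in hunk `@@ -2033,14 +2033,14 @@` frees `sam_pass` but not the `info` block malloc'ed in the previous hunk. Unless create_policy_hnd() invokes the free callback on failure, which cannot be seen here, each failed call leaks one `struct samr_info`. After confirming it does not already release it, adding `free(info);` next to `pdb_free_sam(&sam_pass);` in that branch closes the leak. The function starts outside these hunks.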
@@ -2236,24 +2236,27 @@ static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, uint32 rid) ret = pdb_getsampwrid(pwd, rid); if(ret==False) { - pdb_free_sam(pwd); + pdb_free_sam(&pwd); return False; } if (id10 == NULL) { DEBUG(5, ("set_user_info_10: NULL id10\n")); - pdb_free_sam(pwd); + pdb_free_sam(&pwd); return False; } - pdb_set_acct_ctrl(pwd, id10->acb_info); + if (!pdb_set_acct_ctrl(pwd, id10->acb_info)) { + pdb_free_sam(&pwd); + return False; + } if(!pdb_update_sam_account(pwd, True)) { - pdb_free_sam(pwd); + pdb_free_sam(&pwd); return False; } - pdb_free_sam(pwd); + pdb_free_sam(&pwd); return True; } @@ -2269,25 +2272,31 @@ static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, uint32 rid) pdb_init_sam(&pwd); if(!pdb_getsampwrid(pwd, rid)) { - pdb_free_sam(pwd); + pdb_free_sam(&pwd); return False; } if (id12 == NULL) { DEBUG(2, ("set_user_info_12: id12 is NULL\n")); - pdb_free_sam(pwd); + pdb_free_sam(&pwd); return False; } - pdb_set_lanman_passwd (pwd, id12->lm_pwd); - pdb_set_nt_passwd (pwd, id12->nt_pwd); + if (!pdb_set_lanman_passwd (pwd, id12->lm_pwd)) { + pdb_free_sam(&pwd); + return False; + } + if (!pdb_set_nt_passwd (pwd, id12->nt_pwd)) { + pdb_free_sam(&pwd); + return False; + } if(!pdb_update_sam_account(pwd, True)) { - pdb_free_sam(pwd); + pdb_free_sam(&pwd); return False; } - pdb_free_sam(pwd); + pdb_free_sam(&pwd); return True; } @@ -2309,8 +2318,8 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) pdb_init_sam(&new_pwd); if (!pdb_getsampwrid(pwd, rid)) { - pdb_free_sam(pwd); - pdb_free_sam(new_pwd); + pdb_free_sam(&pwd); + pdb_free_sam(&new_pwd); return False; } 
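Review bot: The result of `pdb_init_sam(&pwd)` is still discarded in set_user_info_12 (hunk `@@ -2269,25 +2272,31 @@`), although the commit description says these pdb_ calls allocate and are permitted to fail. If the allocation fails, `pwd` stays NULL and is passed straight to `pdb_getsampwrid(pwd, rid)`. Assuming pdb_init_sam() returns a BOOL like the setters this commit now checks, `if (!pdb_init_sam(&pwd)) return False;` fits the pattern. The same applies to the pdb_init_sam() calls visible in the set_user_info_21, set_user_info_23 and set_user_info_pw hunks.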
@@ -2327,13 +2336,13 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) /* write the change out */ if(!pdb_update_sam_account(new_pwd, True)) { - pdb_free_sam(pwd); - pdb_free_sam(new_pwd); + pdb_free_sam(&pwd); + pdb_free_sam(&new_pwd); return False; } - pdb_free_sam(pwd); - pdb_free_sam(new_pwd); + pdb_free_sam(&pwd); + pdb_free_sam(&new_pwd); return True; } @@ -2359,24 +2368,27 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) pdb_init_sam(&new_pwd); if (!pdb_getsampwrid(pwd, rid)) { - pdb_free_sam(pwd); - pdb_free_sam(new_pwd); + pdb_free_sam(&pwd); + pdb_free_sam(&new_pwd); return False; } acct_ctrl = pdb_get_acct_ctrl(pwd); copy_sam_passwd(new_pwd, pwd); - pdb_free_sam(pwd); + pdb_free_sam(&pwd); copy_id23_to_sam_passwd(new_pwd, id23); if (!decode_pw_buffer((char*)id23->pass, plaintext_buf, 256, &len)) { - pdb_free_sam(new_pwd); + pdb_free_sam(&new_pwd); return False; } - pdb_set_plaintext_passwd (new_pwd, plaintext_buf); + if (!pdb_set_plaintext_passwd (new_pwd, plaintext_buf)) { + pdb_free_sam(&new_pwd); + return False; + } /* if it's a trust account, don't update /etc/passwd */ if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || @@ -2387,7 +2399,7 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) /* update the UNIX password */ if (lp_unix_password_sync() ) if(!chgpasswd(pdb_get_username(new_pwd), "", plaintext_buf, True)) { - pdb_free_sam(new_pwd); + pdb_free_sam(&new_pwd); return False; } } @@ -2395,11 +2407,11 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) ZERO_STRUCT(plaintext_buf); if(!pdb_update_sam_account(new_pwd, True)) { - pdb_free_sam(new_pwd); + pdb_free_sam(&new_pwd); return False; } - pdb_free_sam(new_pwd); + pdb_free_sam(&new_pwd); return True; } @@ -2418,7 +2430,7 @@ static BOOL set_user_info_pw(char *pass, uint32 rid) pdb_init_sam(&pwd); if (!pdb_getsampwrid(pwd, rid)) { - pdb_free_sam(pwd); + pdb_free_sam(&pwd); return False; } 
@@ -2427,11 +2439,14 @@ static BOOL set_user_info_pw(char *pass, uint32 rid) ZERO_STRUCT(plaintext_buf); if (!decode_pw_buffer(pass, plaintext_buf, 256, &len)) { - pdb_free_sam(pwd); + pdb_free_sam(&pwd); return False; } - pdb_set_plaintext_passwd (pwd, plaintext_buf); + if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) { + pdb_free_sam(&pwd); + return False; + } /* if it's a trust account, don't update /etc/passwd */ if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || @@ -2442,7 +2457,7 @@ static BOOL set_user_info_pw(char *pass, uint32 rid) /* update the UNIX password */ if (lp_unix_password_sync()) if(!chgpasswd(pdb_get_username(pwd), "", plaintext_buf, True)) { - pdb_free_sam(pwd); + pdb_free_sam(&pwd); return False; } } @@ -2453,11 +2468,11 @@ static BOOL set_user_info_pw(char *pass, uint32 rid) /* update the SAMBA password */ if(!pdb_update_sam_account(pwd, True)) { - pdb_free_sam(pwd); + pdb_free_sam(&pwd); return False; } - pdb_free_sam(pwd); + pdb_free_sam(&pwd); return True; } @@ -2516,14 +2531,14 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE unbecome_root(); if(ret == False) { DEBUG(0,("_samr_set_userinfo: Unable to get smbpasswd entry for uid %u\n", (unsigned int)user.uid )); - pdb_free_sam(sam_pass); + pdb_free_sam(&sam_pass); return NT_STATUS_ACCESS_DENIED; } memset(sess_key, '\0', 16); mdfour(sess_key, pdb_get_nt_passwd(sam_pass), 16); - pdb_free_sam(sam_pass); + pdb_free_sam(&sam_pass); /* ok! user info levels (lots: see MSDEV help), off we go... */ switch (switch_value) { -- cgit From dc1fc3ee8ec2199bc73bb5d7ec711c6800f61d65 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 2 Oct 2001 04:29:50 +0000 Subject: Removed 'extern int DEBUGLEVEL' as it is now in the smb.h header. (This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e) --- source3/rpc_server/srv_samr_nt.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
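Review bot: In _samr_set_userinfo (hunk `@@ -2516,14 +2531,14 @@`), `mdfour(sess_key, pdb_get_nt_passwd(sam_pass), 16)` uses the getter's result without a NULL test, whereas get_sampwd_entries guards the same getter with `if (pdb_get_nt_passwd(pwd))` before copying. For an account with no NT hash stored this would hand mdfour() a NULL input and likely crash the RPC handler. I would fetch the pointer once, return NT_STATUS_ACCESS_DENIED after `pdb_free_sam(&sam_pass)` when it is NULL, and only then derive the key. The function starts before and continues past this hunk.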
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 9748d0e950..d9cae42145 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -29,8 +29,6 @@ #include "includes.h" -extern int DEBUGLEVEL; - extern fstring global_myworkgroup; extern pstring global_myname; extern DOM_SID global_sam_sid; -- cgit From ab5d5cfbe0aee4387ec7ae8805c69b31a1696435 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 29 Oct 2001 07:15:51 +0000 Subject: This commit is number 1 of 4. In particular this commit focusses on: Adding the new 'pass changed now' helper function. While these changes have been mildly tested, and are pretty small, any assistance in this is appreciated. (This used to be commit a8971a5448cf6d203b379c3ed01e331d5263c9ee) --- source3/rpc_server/srv_samr_nt.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d9cae42145..7e48d74359 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2288,6 +2288,10 @@ static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, uint32 rid) pdb_free_sam(&pwd); return False; } + if (!pdb_set_pass_changed_now (pwd)) { + pdb_free_sam(&pwd); + return False; + } if(!pdb_update_sam_account(pwd, True)) { pdb_free_sam(&pwd); -- cgit From 2038649e51f48a489aeec49947e1b791f0b3df43 Mon Sep 17 00:00:00 2001 
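Review bot: Only set_user_info_12 gains the `pdb_set_pass_changed_now(pwd)` call in this file (hunk `@@ -2288,6 +2288,10 @@`); set_user_info_23 and set_user_info_pw also replace the password, through `pdb_set_plaintext_passwd()` per the earlier commits on this page, and are untouched. If pdb_set_plaintext_passwd() does not record the change time itself, which is not visible here, those paths leave the last-change time stale and weaken password-age enforcement. A one-line comment at the new call would settle it, e.g. `/* the raw hash setters do not record the change time */`.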
From: Andrew Bartlett Date: Mon, 29 Oct 2001 07:28:32 +0000 Subject: This commit is number 3 of 4. In particular this commit focuses on: Changing the Get_Pwnam code so that it can work in a const-enforced environment. While these changes have been mildly tested, and are pretty small, any assistance in this is appreciated. ---- These changes allow for 'const' in the Samba tree. There are a number of good reasons to do this: - I want to allow the SAM_ACCOUNT structure to move from wasteful pstrings and fstrings to allocated strings. We can't do that if people are modifying these outputs, as they may well make assumptions about getting pstrings and fstrings - I want --with-pam_smbpass to compile with a slightly sane volume of warnings, currently its pretty bad, even in 2.2 where is compiles at all. - Tridge assures me that he no longer opposes 'const religion' based on the ability to #define const the problem away. - Changed Get_Pwnam(x,y) into two variants (so that the const parameter can work correctly): - Get_Pwnam(const x) and Get_Pwnam_Modify(x). - Reworked smbd/chgpasswd.c to work with these mods, passing around a 'struct passwd' rather than the modified username (This used to be commit e7634f81c5116ff4addfb7e495f54b6bb78e8f77) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 7e48d74359..6d57069149 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -864,7 +864,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM } /* Don't return user private groups... */ - if (Get_Pwnam(smap.nt_name, False) != 0) { + if (Get_Pwnam(smap.nt_name) != 0) { DEBUG(10,("get_group_alias_entries: not returing %s, clashes with user.\n", smap.nt_name )); continue; } 
@@ -1362,7 +1362,7 @@ NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_ /* * Do any UNIX username case mangling. */ - (void)Get_Pwnam( user_name, True); + (void)Get_Pwnam_Modify( user_name); if (!pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash, q_u->nt_newpass.pass, q_u->nt_oldhash.hash)) -- cgit From 848d01cde5eeb2d445e4a0b5364d9f163aef41fd Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 7 Nov 2001 02:16:22 +0000 Subject: Initilising these variables before appending the domain groups to them (This used to be commit 8004cfea19e10ad942c59f2f6a6bd992791017ba) --- source3/rpc_server/srv_samr_nt.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 6d57069149..c872c9f99f 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1833,6 +1833,8 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S return NT_STATUS_NO_SUCH_USER; } + *groups = 0; + get_domain_user_groups(groups, pdb_get_username(sam_pass)); gids = NULL; num_groups = make_dom_gids(p->mem_ctx, groups, &gids); -- cgit From 2527f5ef52400294c98b4f4345a4f18b981ff22f Mon Sep 17 00:00:00 2001 
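Review bot: In _samr_query_usergroups (hunk `@@ -1833,6 +1833,8 @@`) the new `*groups = 0;` makes the buffer an empty string before get_domain_user_groups() appends to it, but the callee is given no size for `groups`. Whether it bounds the append to the buffer's declared length cannot be seen from this hunk; a user who belongs to many groups is the case to check. `groups[0] = '\0';` would also state the intent, terminating a string, more plainly than storing 0 through the pointer.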
From: Jean-François Micouleau Date: Fri, 23 Nov 2001 15:11:22 +0000 Subject: Changed how the privileges are stored in the group mapping code. It's now an array of uint32. That's not perfect but that's better. Added more privileges too. Changed the local_lookup_rid/name functions in passdb.c to check if the group is mapped. Makes the LSA rpc calls return correct groups Corrected the return code in the LSA server code enum_sids. Only enumerate well known aliases if they are mapped to real unix groups. Won't confuse user seeing groups not available. Added a short/long view to smbgroupedit. now decoding rpc calls to add/remove privileges to sid. J.F. (This used to be commit f29774e58973f421bfa163c45bfae201a140f28c) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c872c9f99f..f1f3040ba4 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -810,7 +810,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM /* well-known aliases */ if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) { - enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ALL_MAPPED); + enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED); if (num_entries != 0) { *d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP)); -- cgit From af1a0238aa106a43006902e8ef593d7853913b0e Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Sat, 24 Nov 2001 00:36:37 +0000 Subject: Kill off that crazy copy_sam_passwd(). You simply can't do that if the structre contains pointers (well not if you intend of free those pointers at some stage) There is no reason (given the new passdb interface) that you can't modify a SAM_ACCOUNT in any case. Andrew Bartlett (This used to be commit e8e73f7f0fcd86c8c2bfe3fc0b44ea2fd6570cc5) --- source3/rpc_server/srv_samr_nt.c | 35 +++++++++++------------------------ 1 file changed, 11 insertions(+), 24 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index f1f3040ba4..71237a9eec 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2311,7 +2311,6 @@ static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, uint32 rid) static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) { SAM_ACCOUNT *pwd = NULL; - SAM_ACCOUNT *new_pwd = NULL; if (id21 == NULL) { DEBUG(5, ("set_user_info_21: NULL id21\n")); @@ -2319,17 +2318,13 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) } pdb_init_sam(&pwd); - pdb_init_sam(&new_pwd); if (!pdb_getsampwrid(pwd, rid)) { pdb_free_sam(&pwd); - pdb_free_sam(&new_pwd); return False; } - /* we make a copy so that we can modify stuff */ - copy_sam_passwd(new_pwd, pwd); - copy_id21_to_sam_passwd(new_pwd, id21); + copy_id21_to_sam_passwd(pwd, id21); /* * The funny part about the previous two calls is @@ -2339,14 +2334,12 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) */ /* write the change out */ - if(!pdb_update_sam_account(new_pwd, True)) { + if(!pdb_update_sam_account(pwd, True)) { pdb_free_sam(&pwd); - pdb_free_sam(&new_pwd); return False; } pdb_free_sam(&pwd); - pdb_free_sam(&new_pwd); return True; } 
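Review bot: After this change set_user_info_21 makes a single call, `copy_id21_to_sam_passwd(pwd, id21)`, but the comment kept as context in hunk `@@ -2319,17 +2318,13 @@` still begins "The funny part about the previous two calls is". The rest of that comment lies outside the hunk, so check whether what it describes still holds now that the copy into `new_pwd` is gone, and either reword it to `previous call` or drop it.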
@@ -2358,7 +2351,6 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) { SAM_ACCOUNT *pwd = NULL; - SAM_ACCOUNT *new_pwd = NULL; pstring plaintext_buf; uint32 len; uint16 acct_ctrl; @@ -2369,28 +2361,23 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) } pdb_init_sam(&pwd); - pdb_init_sam(&new_pwd); if (!pdb_getsampwrid(pwd, rid)) { pdb_free_sam(&pwd); - pdb_free_sam(&new_pwd); return False; } acct_ctrl = pdb_get_acct_ctrl(pwd); - copy_sam_passwd(new_pwd, pwd); - pdb_free_sam(&pwd); - - copy_id23_to_sam_passwd(new_pwd, id23); + copy_id23_to_sam_passwd(pwd, id23); if (!decode_pw_buffer((char*)id23->pass, plaintext_buf, 256, &len)) { - pdb_free_sam(&new_pwd); + pdb_free_sam(&pwd); return False; } - if (!pdb_set_plaintext_passwd (new_pwd, plaintext_buf)) { - pdb_free_sam(&new_pwd); + if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) { + pdb_free_sam(&pwd); return False; } @@ -2402,20 +2389,20 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) } else { /* update the UNIX password */ if (lp_unix_password_sync() ) - if(!chgpasswd(pdb_get_username(new_pwd), "", plaintext_buf, True)) { - pdb_free_sam(&new_pwd); + if(!chgpasswd(pdb_get_username(pwd), "", plaintext_buf, True)) { + pdb_free_sam(&pwd); return False; } } ZERO_STRUCT(plaintext_buf); - if(!pdb_update_sam_account(new_pwd, True)) { - pdb_free_sam(&new_pwd); + if(!pdb_update_sam_account(pwd, True)) { + pdb_free_sam(&pwd); return False; } - pdb_free_sam(&new_pwd); + pdb_free_sam(&pwd); return True; } -- cgit From e158c4123d6d47cc43472365f5e6215a0851e001 Mon Sep 17 00:00:00 2001 
From: Jean-François Micouleau Date: Wed, 28 Nov 2001 00:06:00 +0000 Subject: added samr_set_domain_info and samr_unknown_2E. We now get the full account policy window in usermanager, and the framework to store all those values. I plan to add a TDB file to store them. oh, and found that the last value in a sam_unknown_info_12_inf struct is an uint16 and not a uint32. andrewb: you hardcoded the MAX_PASSWORD_AGE to 21 days. We can now turn it to a value setable in usermanager. J.F. (This used to be commit 99471d25693f6672d433b90a060378f6faad867f) --- source3/rpc_server/srv_samr_nt.c | 98 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 71237a9eec..12b37834d8 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -3336,3 +3336,101 @@ NTSTATUS _samr_unknown_2d(pipes_struct *p, SAMR_Q_UNKNOWN_2D *q_u, SAMR_R_UNKNOW DEBUG(0,("_samr_unknown_2d: Not yet implemented.\n")); return NT_STATUS_NOT_IMPLEMENTED; } + +/******************************************************************* + _samr_unknown_2e + ********************************************************************/ + +NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOWN_2E *r_u) +{ + SAM_UNK_CTR *ctr; + + if ((ctr = (SAM_UNK_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL) + return NT_STATUS_NO_MEMORY; + + ZERO_STRUCTP(ctr); + + r_u->status = NT_STATUS_OK; + + DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__)); + + /* find the policy handle. open a policy on it. */ + if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL)) + return NT_STATUS_INVALID_HANDLE; + + switch (q_u->switch_value) { + case 0x01: + init_unk_info1(&ctr->info.inf1); + break; + case 0x02: + /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. 
*/ + init_unk_info2(&ctr->info.inf2, global_myworkgroup, global_myname, (uint32) time(NULL)); + break; + case 0x03: + init_unk_info3(&ctr->info.inf3); + break; + case 0x05: + init_unk_info5(&ctr->info.inf5, global_myname); + break; + case 0x06: + init_unk_info6(&ctr->info.inf6); + break; + case 0x07: + init_unk_info7(&ctr->info.inf7); + break; + case 0x0c: + init_unk_info12(&ctr->info.inf12); + break; + default: + return NT_STATUS_INVALID_INFO_CLASS; + } + + init_samr_r_samr_unknown_2e(r_u, q_u->switch_value, ctr, NT_STATUS_OK); + + DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__)); + + return r_u->status; +} + +/******************************************************************* + _samr_ + ********************************************************************/ + +NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R_SET_DOMAIN_INFO *r_u) +{ + r_u->status = NT_STATUS_OK; + + DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__)); + + /* find the policy handle. open a policy on it. */ + if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL)) + return NT_STATUS_INVALID_HANDLE; + + DEBUG(0,("_samr_set_dom_info: switch_value: %d\n", q_u->switch_value)); + + switch (q_u->switch_value) { + case 0x01: + break; + case 0x02: + break; + case 0x03: + break; + case 0x05: + break; + case 0x06: + break; + case 0x07: + break; + case 0x0c: + break; + default: + return NT_STATUS_INVALID_INFO_CLASS; + } + + init_samr_r_set_domain_info(r_u, NT_STATUS_OK); + + DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__)); + + return r_u->status; +} + -- cgit From fac01bda8bb4f52b930496c362f55aca5b112240 Mon Sep 17 00:00:00 2001 
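Review bot: _samr_set_dom_info accepts every known `switch_value`, stores nothing (each case is a bare `break`) and still returns NT_STATUS_OK, so an administrator changing account policy is told the change succeeded when it was discarded. Until the values are persisted, a comment on the switch such as `/* TODO: values are parsed but not stored yet */` plus a non-success status, or at least a log line saying so, would avoid the impression that a password or lockout policy is in force. The handler also only verifies that `domain_pol` is a known handle via `find_policy_by_hnd(p, &q_u->domain_pol, NULL)`; no access check on the caller is visible before this set operation. `DEBUG(0, ...)` fires on every client request and should be at level 5 like its neighbours, and the banner comment `_samr_` should read `_samr_set_dom_info`.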
From: Jean-François Micouleau Date: Thu, 29 Nov 2001 16:05:05 +0000 Subject: Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3) --- source3/rpc_server/srv_samr_nt.c | 63 +++++++++++++++++++++++++++++++++++----- 1 file changed, 56 insertions(+), 7 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 12b37834d8..112b1bb293 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -813,13 +813,16 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED); if (num_entries != 0) { + for (i=0; isid.sid, &rid); uid=pdb_user_rid_to_uid(rid); @@ -2885,6 +2908,8 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD if(!get_domain_group_from_sid(group_sid, &map)) return NT_STATUS_NO_SUCH_GROUP; + free_privilege(&map.priv_set); + if ((pwd=getpwuid(pdb_user_rid_to_uid(q_u->rid))) ==NULL) return NT_STATUS_NO_SUCH_USER; 
@@ -2968,6 +2993,8 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S if(!get_domain_group_from_sid(group_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; + free_privilege(&map.priv_set); + gid=map.gid; /* check if group really exists */ @@ -3025,6 +3052,8 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S if(!get_local_group_from_sid(alias_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; + free_privilege(&map.priv_set); + gid=map.gid; /* check if group really exists */ @@ -3059,6 +3088,9 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S fstring sid_string; struct group *grp; struct samr_info *info; + PRIVILEGE_SET priv_set; + + init_privilege(&priv_set); /* Find the policy handle. Open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid)) @@ -3085,7 +3117,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S r_u->rid=pdb_gid_to_group_rid(grp->gr_gid); /* add the group to the mapping table */ - if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL, SE_PRIV_NONE)) + if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL, priv_set, PR_ACCESS_FROM_NETWORK)) return NT_STATUS_ACCESS_DENIED; if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) @@ -3115,6 +3147,9 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S fstring sid_string; struct group *grp; struct samr_info *info; + PRIVILEGE_SET priv_set; + + init_privilege(&priv_set); /* Find the policy handle. Open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid)) 
@@ -3150,7 +3185,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S sid_to_string(sid_string, &info->sid); /* add the group to the mapping table */ - if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, name, NULL, SE_PRIV_NONE)) + if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, name, NULL, priv_set, PR_ACCESS_FROM_NETWORK)) return NT_STATUS_ACCESS_DENIED; /* get a (unique) handle. open a policy on it. */ @@ -3180,6 +3215,8 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM if (!get_domain_group_from_sid(group_sid, &map)) return NT_STATUS_INVALID_HANDLE; + + free_privilege(&map.priv_set); ctr=(GROUP_INFO_CTR *)talloc_zero(p->mem_ctx, sizeof(GROUP_INFO_CTR)); if (ctr==NULL) @@ -3234,11 +3271,16 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ unistr2_to_ascii(map.comment, &(ctr->group.info4.uni_acct_desc), sizeof(map.comment)-1); break; default: + free_privilege(&map.priv_set); return NT_STATUS_INVALID_INFO_CLASS; } - if(!add_mapping_entry(&map, TDB_REPLACE)) + if(!add_mapping_entry(&map, TDB_REPLACE)) { + free_privilege(&map.priv_set); return NT_STATUS_NO_SUCH_GROUP; + } + + free_privilege(&map.priv_set); return NT_STATUS_OK; } @@ -3268,11 +3310,16 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ unistr2_to_ascii(map.comment, &(ctr->alias.info3.uni_acct_desc), sizeof(map.comment)-1); break; default: + free_privilege(&map.priv_set); return NT_STATUS_INVALID_INFO_CLASS; } - if(!add_mapping_entry(&map, TDB_REPLACE)) + if(!add_mapping_entry(&map, TDB_REPLACE)) { + free_privilege(&map.priv_set); return NT_STATUS_NO_SUCH_GROUP; + } + + free_privilege(&map.priv_set); return NT_STATUS_OK; } 
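Review bot: `free_privilege(&map.priv_set)` is now repeated on all three exits of `_samr_set_groupinfo` (the `default:` case, the `add_mapping_entry` failure and the success path), and the `_samr_set_aliasinfo` hunk after it has the same shape, so the next exit added to either function has to remember the call or the privilege set leaks. A single exit label keeps the release in one place: declare `NTSTATUS status = NT_STATUS_OK;` at the top of the function and route both failure paths through `done:`. Both functions start above their hunks, so any return between the group lookup and the `switch` would need the same treatment.

```c
	/* … unchanged: handle lookup, group lookup, case bodies … */
	default:
		status = NT_STATUS_INVALID_INFO_CLASS;
		goto done;
	}

	if (!add_mapping_entry(&map, TDB_REPLACE))
		status = NT_STATUS_NO_SUCH_GROUP;

done:
	free_privilege(&map.priv_set);
	return status;
```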
@@ -3320,6 +3367,8 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G if (!get_domain_group_from_sid(info->sid, &map)) return NT_STATUS_NO_SUCH_USER; + free_privilege(&map.priv_set); + /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; -- cgit From 043dfe985c07dfe1ec87f78ef4de71eeb2ae13af Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Sun, 2 Dec 2001 00:06:10 +0000 Subject: there was a bug in samr_lookup_names (my fault) and added comments and some debugs. J.F. (This used to be commit 114eba496fa020a7f491eb549c91fb38ca34dabb) --- source3/rpc_server/srv_samr_nt.c | 119 +++++++++++++++++++++++++-------------- 1 file changed, 77 insertions(+), 42 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 112b1bb293..f791ba2e34 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -643,6 +643,7 @@ static BOOL get_lsa_policy_samr_sid(pipes_struct *p, POLICY_HND *pol, DOM_SID *s NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_QUERY_SEC_OBJ *r_u) { DOM_SID pol_sid; + fstring str_sid; r_u->status = NT_STATUS_OK; @@ -651,6 +652,8 @@ NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_ if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &pol_sid)) return NT_STATUS_INVALID_HANDLE; + DEBUG(10,("_samr_query_sec_obj: querying security on SID: %s\n", sid_to_string(str_sid, &pol_sid))); + r_u->status = samr_make_usr_obj_sd(p->mem_ctx, &r_u->buf, &pol_sid); if (NT_STATUS_IS_OK(r_u->status)) 
@@ -1302,53 +1305,72 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOKUP_NAMES *r_u) { - uint32 rid[MAX_SAM_ENTRIES]; - enum SID_NAME_USE type[MAX_SAM_ENTRIES]; - int i; - int num_rids = q_u->num_names2; - DOM_SID pol_sid; - - r_u->status = NT_STATUS_OK; - - DEBUG(5,("_samr_lookup_names: %d\n", __LINE__)); - - ZERO_ARRAY(rid); - ZERO_ARRAY(type); + uint32 rid[MAX_SAM_ENTRIES]; + uint32 local_rid; + enum SID_NAME_USE type[MAX_SAM_ENTRIES]; + enum SID_NAME_USE local_type; + int i; + int num_rids = q_u->num_names2; + DOM_SID pol_sid; + fstring sid_str; - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid)) { - init_samr_r_lookup_names(p->mem_ctx, r_u, 0, NULL, NULL, NT_STATUS_OBJECT_TYPE_MISMATCH); - return r_u->status; - } + r_u->status = NT_STATUS_OK; - if (num_rids > MAX_SAM_ENTRIES) { - num_rids = MAX_SAM_ENTRIES; - DEBUG(5,("_samr_lookup_names: truncating entries to %d\n", num_rids)); - } + DEBUG(5,("_samr_lookup_names: %d\n", __LINE__)); - for (i = 0; i < num_rids; i++) { - fstring name; + ZERO_ARRAY(rid); + ZERO_ARRAY(type); - r_u->status = NT_STATUS_NONE_MAPPED; + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid)) { + init_samr_r_lookup_names(p->mem_ctx, r_u, 0, NULL, NULL, NT_STATUS_OBJECT_TYPE_MISMATCH); + return r_u->status; + } - rid [i] = 0xffffffff; - type[i] = SID_NAME_UNKNOWN; + if (num_rids > MAX_SAM_ENTRIES) { + num_rids = MAX_SAM_ENTRIES; + DEBUG(5,("_samr_lookup_names: truncating entries to %d\n", num_rids)); + } - rpcstr_pull(name, q_u->uni_name[i].buffer, sizeof(name), q_u->uni_name[i].uni_str_len*2, 0); + DEBUG(5,("_samr_lookup_names: looking name on SID %s\n", sid_to_string(sid_str, &pol_sid))); - if(sid_equal(&pol_sid, &global_sam_sid)) { - DOM_SID sid; - if(local_lookup_name(global_myname, name, &sid, &type[i])) { - sid_split_rid( &sid, &rid[i]); - r_u->status = NT_STATUS_OK; - } - } - } + for (i = 0; i < num_rids; i++) { + 
fstring name; + DOM_SID sid; + + r_u->status = NT_STATUS_NONE_MAPPED; + + rid [i] = 0xffffffff; + type[i] = SID_NAME_UNKNOWN; + + rpcstr_pull(name, q_u->uni_name[i].buffer, sizeof(name), q_u->uni_name[i].uni_str_len*2, 0); + + /* + * we are only looking for a name + * the SID we get back can be outside + * the scope of the pol_sid + * + * in clear: it prevents to reply to domain\group: yes + * when only builtin\group exists. + * + * a cleaner code is to add the sid of the domain we're looking in + * to the local_lookup_name function. + */ + if(local_lookup_name(global_myname, name, &sid, &local_type)) { + sid_split_rid(&sid, &local_rid); + + if (sid_equal(&sid, &pol_sid)) { + rid[i]=local_rid; + type[i]=local_type; + r_u->status = NT_STATUS_OK; + } + } + } - init_samr_r_lookup_names(p->mem_ctx, r_u, num_rids, rid, (uint32 *)type, r_u->status); + init_samr_r_lookup_names(p->mem_ctx, r_u, num_rids, rid, (uint32 *)type, r_u->status); - DEBUG(5,("_samr_lookup_names: %d\n", __LINE__)); + DEBUG(5,("_samr_lookup_names: %d\n", __LINE__)); - return r_u->status; + return r_u->status; } /******************************************************************* @@ -1992,7 +2014,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ */ DEBUG(10,("checking account %s at pos %d for $ termination\n",account, strlen(account)-1)); - +#if 0 if ((acb_info & ACB_WSTRUST) && (account[strlen(account)-1] == '$')) { pstrcpy(add_script, lp_addmachine_script()); } else if ((!(acb_info & ACB_WSTRUST)) && (account[strlen(account)-1] != '$')) { 
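Review bot: The client-supplied count is copied into a signed `int` (`int num_rids = q_u->num_names2;`) and only clamped from above, so if `num_names2` is an unsigned wire field (its declaration is not in the hunk) a value with the top bit set skips both the clamp and the loop and is then passed to `init_samr_r_lookup_names` as the entry count for the two `MAX_SAM_ENTRIES`-sized stack arrays. Declaring it `uint32 num_rids = q_u->num_names2;` (and `i` to match) lets the existing `> MAX_SAM_ENTRIES` test cover that case. Separately, `r_u->status` is reset to `NT_STATUS_NONE_MAPPED` at the top of every iteration, so the status returned reflects only the last name looked up; setting it once before the loop would make the result independent of the order of the names.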
@@ -2002,6 +2024,19 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ pdb_free_sam(&sam_pass); return NT_STATUS_UNSUCCESSFUL; } +#endif + + /* + * we can't check both the ending $ and the acb_info. + * + * UserManager creates trust accounts (ending in $, + * normal that hidden accounts) with the acb_info equals to ACB_NORMAL. + * JFM, 11/29/2001 + */ + if (account[strlen(account)-1] == '$') + pstrcpy(add_script, lp_addmachine_script()); + else + pstrcpy(add_script, lp_adduser_script()); if(*add_script) { int add_ret; @@ -2709,7 +2744,7 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ if (sid_equal(&alias_sid, &global_sid_Builtin)) { DEBUG(10, ("lookup on Builtin SID (S-1-5-32)\n")); - if(!get_builtin_group_from_sid(als_sid, &map)) + if(!get_local_group_from_sid(als_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; } else { if (sid_equal(&alias_sid, &global_sam_sid)) { @@ -2832,7 +2867,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD } else { if (sid_compare(&alias_sid, &global_sid_Builtin)>0) { DEBUG(10, ("adding member on BUILTIN SID\n")); - if( !get_builtin_group_from_sid(alias_sid, &map)) + if( !get_local_group_from_sid(alias_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; } else @@ -3361,11 +3396,11 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G sid_append_rid(&info->sid, q_u->rid_group); sid_to_string(sid_string, &info->sid); - DEBUG(10, ("Opening SID: %s\n", sid_string)); + DEBUG(10, ("_samr_open_group:Opening SID: %s\n", sid_string)); /* check if that group really exists */ if (!get_domain_group_from_sid(info->sid, &map)) - return NT_STATUS_NO_SUCH_USER; + return NT_STATUS_NO_SUCH_GROUP; free_privilege(&map.priv_set); -- cgit From 633ee99afa1f25fcd16796bedec571471f3617ca Mon Sep 17 00:00:00 2001 
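Review bot: `account[strlen(account)-1]` indexes one byte before the buffer when the account name is empty, and with the `acb_info` test now inside `#if 0` this expression alone decides between `lp_addmachine_script()` and `lp_adduser_script()`. Nothing in the hunk rejects a zero-length name, so unless a check above the hunk does, a guard is needed before the new `if`: `if (*account == '\0') { pdb_free_sam(&sam_pass); return NT_STATUS_INVALID_PARAMETER; }`, mirroring the cleanup in the disabled branch. The disabled block would also be better deleted than kept under `#if 0`, since the added comment already records why the check went away.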
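Review bot: The `return NT_STATUS_NO_SUCH_GROUP;` taken when `get_domain_group_from_sid(info->sid, &map)` fails in `_samr_open_group` leaves `info` unreleased. Its allocation is above the hunk, but other handlers in this file `malloc` their `struct samr_info` and hand it to `create_policy_hnd` with `free_samr_info` as the destructor; if this function does the same, every open request for a RID that is not a mapped group leaks one structure, and a remote client can repeat that request as often as it likes. Releasing it on the failure path closes the leak: `if (!get_domain_group_from_sid(info->sid, &map)) { free(info); return NT_STATUS_NO_SUCH_GROUP; }` (using whichever release call matches the allocation).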
From: Jean-François Micouleau Date: Sun, 2 Dec 2001 01:45:50 +0000 Subject: added queryuseraliases to rpcclient and some comments to the samr server code, to explain what we should return here. J.F. (This used to be commit 06cb20a46d9d9f8abf0d92ba4cfa4d23187ad715) --- source3/rpc_server/srv_samr_nt.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index f791ba2e34..8882b0801a 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1849,6 +1849,19 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S struct samr_info *info = NULL; BOOL ret; + /* + * from the SID in the request: + * we should send back the list of DOMAIN GROUPS + * the user is a member of + * + * and only the DOMAIN GROUPS + * no ALIASES !!! neither aliases of the domain + * nor aliases of the builtin SID + * + * JFM, 12/2/2001 + */ + + r_u->status = NT_STATUS_OK; DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); @@ -2704,6 +2717,26 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, /* until i see a real useraliases query, we fack one up */ + /* I have seen one, JFM 2/12/2001 */ + /* + * Explanation of what this call does: + * for all the SID given in the request: + * return a list of alias (local groups) + * that have those SID as members. + * + * and that's the alias in the domain specified + * in the policy_handle + * + * if the policy handle is on an incorrect sid + * for example a user's sid + * we should reply NT_STATUS_OBJECT_TYPE_MISMATCH + */ + + + + + + rid[0] = BUILTIN_ALIAS_RID_USERS; init_samr_r_query_useraliases(r_u, num_rids, rid, NT_STATUS_OK); -- cgit From cdf9b42754b7e97faa7fc4eb1ec69e32c0bfd1a0 Mon Sep 17 00:00:00 2001 
From: Jean-François Micouleau Date: Mon, 3 Dec 2001 17:14:23 +0000 Subject: added a tdb to store the account policy informations. You can change them with either usermanager->policies->account or from a command prompt on NT/W2K: net accounts /domain we can add a rpc accounts to the net command. As the net_rpc.c is still empty, I did not start. How should I add command to it ? Should I take the rpcclient/cmd_xxx functions and call them from there ? alse changed the SAM_UNK_INFO_3 parser, it's an NTTIME. This one is more for jeremy ;-) J.F. (This used to be commit bc28a8eebd9245ce3004ae4b1a359db51f77bf21) --- source3/rpc_server/srv_samr_nt.c | 255 ++++++++++++++++++++++++++------------- 1 file changed, 168 insertions(+), 87 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 8882b0801a..13340d0a60 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1907,53 +1907,84 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR_R_QUERY_DOMAIN_INFO *r_u) { - SAM_UNK_CTR *ctr; + SAM_UNK_CTR *ctr; + uint32 min_pass_len,pass_hist,flag; + time_t u_expire, u_min_age; + NTTIME nt_expire, nt_min_age; + + time_t u_lock_duration, u_reset_time; + NTTIME nt_lock_duration, nt_reset_time; + uint32 lockout; + + time_t u_logout; + NTTIME nt_logout; + if ((ctr = (SAM_UNK_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL) return NT_STATUS_NO_MEMORY; - ZERO_STRUCTP(ctr); + ZERO_STRUCTP(ctr); - r_u->status = NT_STATUS_OK; + r_u->status = NT_STATUS_OK; - DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); + DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); - /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL)) - return NT_STATUS_INVALID_HANDLE; + /* find the policy handle. open a policy on it. */ + if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL)) + return NT_STATUS_INVALID_HANDLE; - switch (q_u->switch_value) { - case 0x01: - init_unk_info1(&ctr->info.inf1); - break; - case 0x02: + switch (q_u->switch_value) { + case 0x01: + account_policy_get(AP_MIN_PASSWORD_LEN, &min_pass_len); + account_policy_get(AP_PASSWORD_HISTORY, &pass_hist); + account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &flag); + account_policy_get(AP_MAX_PASSWORD_AGE, (int *)&u_expire); + account_policy_get(AP_MIN_PASSWORD_AGE, (int *)&u_min_age); + + unix_to_nt_time_abs(&nt_expire, u_expire); + unix_to_nt_time_abs(&nt_min_age, u_min_age); + + init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist, + flag, nt_expire, nt_min_age); + break; + case 0x02: /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. 
*/ - init_unk_info2(&ctr->info.inf2, global_myworkgroup, global_myname, (uint32) time(NULL)); - break; - case 0x03: - init_unk_info3(&ctr->info.inf3); - break; - case 0x05: - init_unk_info5(&ctr->info.inf5, global_myname); - break; - case 0x06: - init_unk_info6(&ctr->info.inf6); - break; - case 0x07: - init_unk_info7(&ctr->info.inf7); - break; - case 0x0c: - init_unk_info12(&ctr->info.inf12); - break; - default: - return NT_STATUS_INVALID_INFO_CLASS; - } + init_unk_info2(&ctr->info.inf2, global_myworkgroup, global_myname, (uint32) time(NULL)); + break; + case 0x03: + account_policy_get(AP_TIME_TO_LOGOUT, (int *)&u_logout); + unix_to_nt_time_abs(&nt_logout, u_logout); + + init_unk_info3(&ctr->info.inf3, nt_logout); + break; + case 0x05: + init_unk_info5(&ctr->info.inf5, global_myname); + break; + case 0x06: + init_unk_info6(&ctr->info.inf6); + break; + case 0x07: + init_unk_info7(&ctr->info.inf7); + break; + case 0x0c: + account_policy_get(AP_LOCK_ACCOUNT_DURATION, (int *)&u_lock_duration); + account_policy_get(AP_RESET_COUNT_TIME, (int *)&u_reset_time); + account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &lockout); + + unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); + unix_to_nt_time_abs(&nt_reset_time, u_reset_time); + + init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout); + break; + default: + return NT_STATUS_INVALID_INFO_CLASS; + } - init_samr_r_query_dom_info(r_u, q_u->switch_value, ctr, NT_STATUS_OK); + init_samr_r_query_dom_info(r_u, q_u->switch_value, ctr, NT_STATUS_OK); - DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); + DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); - return r_u->status; + return r_u->status; } /******************************************************************* 
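Review bot: `account_policy_get(AP_MAX_PASSWORD_AGE, (int *)&u_expire)` stores through an `int *` into a `time_t`, so on a platform where `time_t` is wider than `int` only part of `u_expire` is written and the rest is uninitialised stack that `unix_to_nt_time_abs` then turns into a value sent to the client. The results of all the `account_policy_get` calls are also ignored, so a failed lookup returns whatever the locals happened to hold. Reading into a zeroed temporary of the type the function expects avoids both the partial write and the stack garbage, e.g. `uint32 v = 0; account_policy_get(AP_MAX_PASSWORD_AGE, &v); u_expire = (time_t)v;` (the prototype is not in the hunk, so the temporary's type needs checking). The same casts appear in cases 0x03 and 0x0c here and throughout the `_samr_unknown_2e` hunk that follows.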
@@ -3460,53 +3491,83 @@ NTSTATUS _samr_unknown_2d(pipes_struct *p, SAMR_Q_UNKNOWN_2D *q_u, SAMR_R_UNKNOW NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOWN_2E *r_u) { - SAM_UNK_CTR *ctr; + SAM_UNK_CTR *ctr; + uint32 min_pass_len,pass_hist,flag; + time_t u_expire, u_min_age; + NTTIME nt_expire, nt_min_age; + + time_t u_lock_duration, u_reset_time; + NTTIME nt_lock_duration, nt_reset_time; + uint32 lockout; + + time_t u_logout; + NTTIME nt_logout; if ((ctr = (SAM_UNK_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL) return NT_STATUS_NO_MEMORY; - ZERO_STRUCTP(ctr); + ZERO_STRUCTP(ctr); - r_u->status = NT_STATUS_OK; + r_u->status = NT_STATUS_OK; - DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__)); + DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__)); - /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL)) - return NT_STATUS_INVALID_HANDLE; + /* find the policy handle. open a policy on it. */ + if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL)) + return NT_STATUS_INVALID_HANDLE; - switch (q_u->switch_value) { - case 0x01: - init_unk_info1(&ctr->info.inf1); - break; - case 0x02: + switch (q_u->switch_value) { + case 0x01: + account_policy_get(AP_MIN_PASSWORD_LEN, &min_pass_len); + account_policy_get(AP_PASSWORD_HISTORY, &pass_hist); + account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &flag); + account_policy_get(AP_MAX_PASSWORD_AGE, (int *)&u_expire); + account_policy_get(AP_MIN_PASSWORD_AGE, (int *)&u_min_age); + + unix_to_nt_time_abs(&nt_expire, u_expire); + unix_to_nt_time_abs(&nt_min_age, u_min_age); + + init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist, + flag, nt_expire, nt_min_age); + break; + case 0x02: /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. 
*/ - init_unk_info2(&ctr->info.inf2, global_myworkgroup, global_myname, (uint32) time(NULL)); - break; - case 0x03: - init_unk_info3(&ctr->info.inf3); - break; - case 0x05: - init_unk_info5(&ctr->info.inf5, global_myname); - break; - case 0x06: - init_unk_info6(&ctr->info.inf6); - break; - case 0x07: - init_unk_info7(&ctr->info.inf7); - break; - case 0x0c: - init_unk_info12(&ctr->info.inf12); - break; - default: - return NT_STATUS_INVALID_INFO_CLASS; - } + init_unk_info2(&ctr->info.inf2, global_myworkgroup, global_myname, (uint32) time(NULL)); + break; + case 0x03: + account_policy_get(AP_TIME_TO_LOGOUT, (int *)&u_logout); + unix_to_nt_time_abs(&nt_logout, u_logout); + + init_unk_info3(&ctr->info.inf3, nt_logout); + break; + case 0x05: + init_unk_info5(&ctr->info.inf5, global_myname); + break; + case 0x06: + init_unk_info6(&ctr->info.inf6); + break; + case 0x07: + init_unk_info7(&ctr->info.inf7); + break; + case 0x0c: + account_policy_get(AP_LOCK_ACCOUNT_DURATION, (int *)&u_lock_duration); + account_policy_get(AP_RESET_COUNT_TIME, (int *)&u_reset_time); + account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &lockout); + + unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); + unix_to_nt_time_abs(&nt_reset_time, u_reset_time); + + init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout); + break; + default: + return NT_STATUS_INVALID_INFO_CLASS; + } - init_samr_r_samr_unknown_2e(r_u, q_u->switch_value, ctr, NT_STATUS_OK); + init_samr_r_samr_unknown_2e(r_u, q_u->switch_value, ctr, NT_STATUS_OK); - DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__)); + DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__)); - return r_u->status; + return r_u->status; } /******************************************************************* 
@@ -3515,6 +3576,10 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R_SET_DOMAIN_INFO *r_u) { + time_t u_expire, u_min_age; + time_t u_logout; + time_t u_lock_duration, u_reset_time; + r_u->status = NT_STATUS_OK; DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__)); 
@@ -3523,25 +3588,41 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL)) return NT_STATUS_INVALID_HANDLE; - DEBUG(0,("_samr_set_dom_info: switch_value: %d\n", q_u->switch_value)); + DEBUG(5,("_samr_set_dom_info: switch_value: %d\n", q_u->switch_value)); switch (q_u->switch_value) { - case 0x01: - break; - case 0x02: - break; - case 0x03: - break; - case 0x05: - break; - case 0x06: - break; - case 0x07: - break; - case 0x0c: - break; - default: - return NT_STATUS_INVALID_INFO_CLASS; + case 0x01: + u_expire=nt_time_to_unix_abs(&q_u->ctr->info.inf1.expire); + u_min_age=nt_time_to_unix_abs(&q_u->ctr->info.inf1.min_passwordage); + + account_policy_set(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password); + account_policy_set(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history); + account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag); + account_policy_set(AP_MAX_PASSWORD_AGE, (int)u_expire); + account_policy_set(AP_MIN_PASSWORD_AGE, (int)u_min_age); + break; + case 0x02: + break; + case 0x03: + u_logout=nt_time_to_unix_abs(&q_u->ctr->info.inf3.logout); + account_policy_set(AP_TIME_TO_LOGOUT, (int)u_logout); + break; + case 0x05: + break; + case 0x06: + break; + case 0x07: + break; + case 0x0c: + u_lock_duration=nt_time_to_unix_abs(&q_u->ctr->info.inf12.duration); + u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count); + + account_policy_set(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration); + account_policy_set(AP_RESET_COUNT_TIME, (int)u_reset_time); + account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout); + break; + default: + return NT_STATUS_INVALID_INFO_CLASS; } init_samr_r_set_domain_info(r_u, NT_STATUS_OK); -- cgit From 922eb763d7365716fd3c20aa069746fc9bfb8ab3 Mon Sep 17 00:00:00 2001 
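Review bot: Nothing in `_samr_set_dom_info` checks the caller before it rewrites the domain's password and lockout policy; the only gate in the lines shown, `find_policy_by_hnd(p, &q_u->domain_pol, NULL)`, establishes that the handle exists, and whether any rights were checked when the handle was opened is not visible here. Until an access check is in place the gap should at least be marked above the `switch`, e.g. `/* FIXME: no access check - any holder of a domain handle can change password and lockout policy */`. The same hunk lowers the `switch_value` message from `DEBUG(0` to `DEBUG(5`, so a policy change no longer appears in the log at the default level; a low-level log line in the three cases that write would keep changes traceable. `q_u->ctr` is also dereferenced without a NULL test and the `account_policy_set` results are discarded, so the reply is `NT_STATUS_OK` whether or not anything was stored. The function body starts in the previous hunk.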
From: Jean-François Micouleau Date: Tue, 4 Dec 2001 21:53:47 +0000 Subject: added a boolean to the group mapping functions to specify if we need or not the privileges. Usually we don't need them, so the memory is free early. lib/util_sid.c: added some helper functions to check an SID. passdb/passdb.c: renamed local_lookup_rid() to local_lookup_sid() and pass an RID all the way. If the group doesn't exist on the domain SID, don't return a faked one as it can collide with a builtin one. Some rpc structures have been badly designed, they return only rids and force the client to do subsequent lsa_lookup_sid() on the domain sid and the builtin sid ! rpc_server/srv_util.c: wrote a new version of get_domain_user_groups(). Only the samr code uses it atm. It uses the group mapping code instead of a bloody hard coded crap. The netlogon code will use it too, but I have to do some test first. J.F. (This used to be commit 6c87e96149101995b7d049657d5c26eefef37d8c) --- source3/rpc_server/srv_samr_nt.c | 124 +++++++++++++-------------------------- 1 file changed, 40 insertions(+), 84 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 13340d0a60..cc81bac630 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -539,16 +539,6 @@ NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN return r_u->status; } -static uint32 get_lsa_policy_samr_rid(struct samr_info *info) -{ - if (!info) { - DEBUG(3,("Error getting policy\n")); - return 0xffffffff; - } - - return info->sid.sub_auths[info->sid.num_auths-1]; -} - /******************************************************************* _samr_get_usrdom_pwinfo ********************************************************************/ 
@@ -560,14 +550,11 @@ NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, r_u->status = NT_STATUS_OK; /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->user_pol, (void **)&info)) { + if (!find_policy_by_hnd(p, &q_u->user_pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - } - /* find the user's rid */ - if (get_lsa_policy_samr_rid(info) == 0xffffffff) { + if (!sid_check_is_in_our_domain(&info->sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - } init_samr_r_get_usrdom_pwinfo(r_u, NT_STATUS_OK); @@ -813,12 +800,9 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM /* well-known aliases */ if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) { - enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED); - - if (num_entries != 0) { - for (i=0; inext) { uint32 trid; - if(!get_group_from_gid(grp->gr_gid, &smap)) { + if(!get_group_from_gid(grp->gr_gid, &smap, MAPPING_WITHOUT_PRIV)) continue; - } - - /* - * free early the privilege struct as it's not used - * and prevent leaking mem. - */ - free_privilege(&smap.priv_set); if (smap.sid_name_use!=SID_NAME_ALIAS) { continue; } sid_split_rid(&smap.sid, &trid); + + if (!sid_equal(sid, &smap.sid)) + continue; /* Don't return winbind groups as they are not local! */ if (strchr_m(smap.nt_name, *sep) != NULL) { @@ -937,14 +917,7 @@ static NTSTATUS get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DO *p_num_entries = 0; - enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED); - - /* - * free early the privilege struct as it's not used - * and prevent leaking mem. - */ - for (i=0; istatus = NT_STATUS_OK; 
@@ -1217,11 +1189,11 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - alias_rid = get_lsa_policy_samr_rid(info); - if(alias_rid == 0xffffffff) - return NT_STATUS_NO_SUCH_ALIAS; + if (!sid_check_is_in_our_domain(&info->sid) && + !sid_check_is_in_builtin(&info->sid)) + return NT_STATUS_OBJECT_TYPE_MISMATCH; - if(!local_lookup_rid(alias_rid, alias, &type)) + if(!local_lookup_sid(&info->sid, alias, &type)) return NT_STATUS_NO_SUCH_ALIAS; switch (q_u->switch_level) { @@ -1748,10 +1720,11 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - /* find the user's rid */ - if ((rid = get_lsa_policy_samr_rid(info)) == 0xffffffff) + if (!sid_check_is_in_our_domain(&info->sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; + sid_peek_rid(&info->sid, &rid); + DEBUG(5,("_samr_query_userinfo: rid:0x%x\n", rid)); ctr = (SAM_USERINFO_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_USERINFO_CTR)); @@ -1861,7 +1834,6 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S * JFM, 12/2/2001 */ - r_u->status = NT_STATUS_OK; DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); @@ -1870,10 +1842,11 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - /* find the user's rid */ - if ((rid = get_lsa_policy_samr_rid(info)) == 0xffffffff) + if (!sid_check_is_in_our_domain(&info->sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; + sid_peek_rid(&info->sid, &rid); + pdb_init_sam(&sam_pass); become_root(); 
@@ -1885,11 +1858,10 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S return NT_STATUS_NO_SUCH_USER; } - *groups = 0; - - get_domain_user_groups(groups, pdb_get_username(sam_pass)); - gids = NULL; - num_groups = make_dom_gids(p->mem_ctx, groups, &gids); + if(!new_get_domain_user_groups(p->mem_ctx, &num_groups, &gids, sam_pass)) { + samr_clear_sam_passwd(sam_pass); + return NT_STATUS_NO_SUCH_GROUP; + } /* construct the response. lkclXXXX: gids are not copied! */ init_samr_r_query_usergroups(r_u, num_groups, gids, r_u->status); @@ -2304,12 +2276,12 @@ NTSTATUS _api_samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OP * JFM. */ - /* associate the user's SID with the new handle. */ - if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) - return NT_STATUS_NO_MEMORY; + /* associate the user's SID with the new handle. */ + if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + return NT_STATUS_NO_MEMORY; - ZERO_STRUCTP(info); - info->sid = sid; + ZERO_STRUCTP(info); + info->sid = sid; /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, alias_pol, free_samr_info, (void *)info)) @@ -2808,18 +2780,16 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ if (sid_equal(&alias_sid, &global_sid_Builtin)) { DEBUG(10, ("lookup on Builtin SID (S-1-5-32)\n")); - if(!get_local_group_from_sid(als_sid, &map)) + if(!get_local_group_from_sid(als_sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_ALIAS; } else { if (sid_equal(&alias_sid, &global_sam_sid)) { DEBUG(10, ("lookup on Server SID\n")); - if(!get_local_group_from_sid(als_sid, &map)) + if(!get_local_group_from_sid(als_sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_ALIAS; } } - free_privilege(&map.priv_set); - if(!get_uid_list_of_group(map.gid, &uid, &num_uids)) return NT_STATUS_NO_SUCH_ALIAS; 
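Review bot: In `_samr_query_aliasmem`, `map` can reach `get_uid_list_of_group(map.gid, &uid, &num_uids)` without ever being filled in: when `alias_sid` equals neither `global_sid_Builtin` nor `global_sam_sid`, the inner `if` has no `else` and neither `get_local_group_from_sid` call runs. Unless `map` is initialised above the hunk, the gid used is then stack garbage, so the reply could list the members of an arbitrary Unix group. Adding `else return NT_STATUS_NO_SUCH_ALIAS;` to the inner `if` closes the gap, and since both branches now make the identical call they could be merged into one test. The function starts above the hunk.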
@@ -2877,11 +2847,9 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ sid_append_rid(&group_sid, group_rid); DEBUG(10, ("lookup on Domain SID\n")); - if(!get_domain_group_from_sid(group_sid, &map)) + if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_GROUP; - free_privilege(&map.priv_set); - if(!get_uid_list_of_group(map.gid, &uid, &num_uids)) return NT_STATUS_NO_SUCH_GROUP; @@ -2925,21 +2893,19 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD if (sid_compare(&alias_sid, &global_sam_sid)>0) { DEBUG(10, ("adding member on Server SID\n")); - if(!get_local_group_from_sid(alias_sid, &map)) + if(!get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_ALIAS; } else { if (sid_compare(&alias_sid, &global_sid_Builtin)>0) { DEBUG(10, ("adding member on BUILTIN SID\n")); - if( !get_local_group_from_sid(alias_sid, &map)) + if( !get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_ALIAS; } else return NT_STATUS_NO_SUCH_ALIAS; } - free_privilege(&map.priv_set); - sid_split_rid(&q_u->sid.sid, &rid); uid=pdb_user_rid_to_uid(rid); @@ -3004,11 +2970,9 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD DEBUG(10, ("lookup on Domain SID\n")); - if(!get_domain_group_from_sid(group_sid, &map)) + if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_GROUP; - free_privilege(&map.priv_set); - if ((pwd=getpwuid(pdb_user_rid_to_uid(q_u->rid))) ==NULL) return NT_STATUS_NO_SUCH_USER; 
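Review bot: In `_samr_add_aliasmem` the member SID is cut down to its RID with `sid_split_rid(&q_u->sid.sid, &rid)` and mapped straight to a Unix uid by `pdb_user_rid_to_uid(rid)`; in the lines shown, the domain part left in `q_u->sid.sid` is never compared with the local SAM SID. A SID from another domain whose RID matches a local account would therefore add that local account to the alias. A check right after the split, `if (!sid_equal(&q_u->sid.sid, &global_sam_sid)) return NT_STATUS_NO_SUCH_USER;`, would reject it, unless code past the end of the hunk already does. On the alias side, `sid_compare(&alias_sid, &global_sam_sid)>0` looks like an ordering test, not a membership test, whereas this commit uses `sid_check_is_in_our_domain()` for the same question in other handlers.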
@@ -3089,11 +3053,9 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S DEBUG(10, ("lookup on Domain SID\n")); - if(!get_domain_group_from_sid(group_sid, &map)) + if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_ALIAS; - free_privilege(&map.priv_set); - gid=map.gid; /* check if group really exists */ @@ -3148,11 +3110,9 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S DEBUG(10, ("lookup on Local SID\n")); - if(!get_local_group_from_sid(alias_sid, &map)) + if(!get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_ALIAS; - free_privilege(&map.priv_set); - gid=map.gid; /* check if group really exists */ @@ -3312,11 +3272,9 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid)) return NT_STATUS_INVALID_HANDLE; - if (!get_domain_group_from_sid(group_sid, &map)) + if (!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_INVALID_HANDLE; - free_privilege(&map.priv_set); - ctr=(GROUP_INFO_CTR *)talloc_zero(p->mem_ctx, sizeof(GROUP_INFO_CTR)); if (ctr==NULL) return NT_STATUS_NO_MEMORY; @@ -3357,7 +3315,7 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid)) return NT_STATUS_INVALID_HANDLE; - if (!get_domain_group_from_sid(group_sid, &map)) + if (!get_domain_group_from_sid(group_sid, &map, MAPPING_WITH_PRIV)) return NT_STATUS_NO_SUCH_GROUP; ctr=q_u->ctr; @@ -3399,7 +3357,7 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid)) return NT_STATUS_INVALID_HANDLE; - if (!get_local_group_from_sid(group_sid, &map)) + if (!get_local_group_from_sid(group_sid, &map, MAPPING_WITH_PRIV)) return NT_STATUS_NO_SUCH_GROUP; ctr=&q_u->ctr; 
@@ -3463,11 +3421,9 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G DEBUG(10, ("_samr_open_group:Opening SID: %s\n", sid_string)); /* check if that group really exists */ - if (!get_domain_group_from_sid(info->sid, &map)) + if (!get_domain_group_from_sid(info->sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_GROUP; - free_privilege(&map.priv_set); - /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; -- cgit From 7b53a92f59984211e5ceb731163efa6e767e55a3 Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Wed, 5 Dec 2001 15:41:44 +0000 Subject: added samr_queryuseralias(). instead of returning BUILTIN_ALIAS_RID_USERS, now return the alias correctly. time to look at the netlogon case. J.F. (This used to be commit 72ee1791084d09e73d8057e37ced4a79cecffb35) --- source3/rpc_server/srv_samr_nt.c | 64 ++++++++++++++++++++++++++++++---------- 1 file changed, 48 insertions(+), 16 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index cc81bac630..5e19fd1e7c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1817,7 +1817,6 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S SAM_ACCOUNT *sam_pass=NULL; DOM_GID *gids = NULL; int num_groups = 0; - pstring groups; uint32 rid; struct samr_info *info = NULL; BOOL ret; 
@@ -2710,14 +2709,10 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u) { - uint32 *rid=NULL; - int num_rids; - - num_rids = 1; - rid=(uint32 *)talloc_zero(p->mem_ctx, num_rids*sizeof(uint32)); - if (rid==NULL) - return NT_STATUS_NO_MEMORY; - + int num_groups = 0, tmp_num_groups=0; + uint32 *rids=NULL, *new_rids=NULL, *tmp_rids=NULL; + struct samr_info *info = NULL; + int i,j; /* until i see a real useraliases query, we fack one up */ /* I have seen one, JFM 2/12/2001 */ 
@@ -2735,17 +2730,54 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, * we should reply NT_STATUS_OBJECT_TYPE_MISMATCH */ - - - - + r_u->status = NT_STATUS_OK; - rid[0] = BUILTIN_ALIAS_RID_USERS; + DEBUG(5,("_samr_query_useraliases: %d\n", __LINE__)); - init_samr_r_query_useraliases(r_u, num_rids, rid, NT_STATUS_OK); + /* find the policy handle. open a policy on it. */ + if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) + return NT_STATUS_INVALID_HANDLE; - return NT_STATUS_OK; + if (!sid_check_is_domain(&info->sid) && + !sid_check_is_builtin(&info->sid)) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + + for (i=0; inum_sids1; i++) { + + r_u->status=new_get_alias_user_groups(p->mem_ctx, &info->sid, &tmp_num_groups, &tmp_rids, &(q_u->sid[i].sid)); + /* + * if there is an error, we just continue as + * it can be an unfound user or group + */ + if (NT_STATUS_IS_ERR(r_u->status)) { + DEBUG(10,("_samr_query_useraliases: an error occured while getting groups\n")); + continue; + } + + if (tmp_num_groups==0) { + DEBUG(10,("_samr_query_useraliases: no groups found\n")); + continue; + } + + new_rids=(uint32 *)talloc_realloc(p->mem_ctx, rids, (num_groups+tmp_num_groups)*sizeof(uint32)); + if (new_rids==NULL) { + DEBUG(0,("_samr_query_useraliases: could not realloc memory\n")); + return NT_STATUS_NO_MEMORY; + } + rids=new_rids; + + for (j=0; j Date: Thu, 6 Dec 2001 13:09:15 +0000 Subject: again an intrusive patch: - removed the ugly as hell sam_logon_in_ssb variable, I changed a bit the definition of standard_sub_basic() to cope with that. - removed the smb.conf: 'domain admin group' and 'domain guest group' parameters ! We're not playing anymore with the user's group RIDs ! - in get_domain_user_groups(), if the user's gid is a group, put it first in the group RID list. I just have to write an HOWTO now ;-) J.F. 
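Review bot: In the `_samr_query_useraliases` loop, `r_u->status` is overwritten by every `new_get_alias_user_groups()` call and the error branch only `continue`s, so a failure on the last SID leaves an error code in the reply status unless the code after the loop resets it. The tail of the function is cut off on this page, so that cannot be confirmed here. Holding the per-SID result in a local, e.g. `NTSTATUS ntstatus = new_get_alias_user_groups(...)`, keeps the reply status independent of individual lookups. The size expression `(num_groups+tmp_num_groups)*sizeof(uint32)` also adds two signed `int`s whose total grows with the number of SIDs in the request; a range check on the sum before the `talloc_realloc` would make the bound explicit.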
(This used to be commit fef52c4b96c987115fb1818c00c2352c67790e50) --- source3/rpc_server/srv_samr_nt.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 5e19fd1e7c..853a130859 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1854,11 +1854,13 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S if (ret == False) { samr_clear_sam_passwd(sam_pass); + pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; } - if(!new_get_domain_user_groups(p->mem_ctx, &num_groups, &gids, sam_pass)) { + if(!get_domain_user_groups(p->mem_ctx, &num_groups, &gids, sam_pass)) { samr_clear_sam_passwd(sam_pass); + pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_GROUP; } @@ -1868,6 +1870,7 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); samr_clear_sam_passwd(sam_pass); + pdb_free_sam(&sam_pass); return r_u->status; } @@ -2745,7 +2748,7 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, for (i=0; inum_sids1; i++) { - r_u->status=new_get_alias_user_groups(p->mem_ctx, &info->sid, &tmp_num_groups, &tmp_rids, &(q_u->sid[i].sid)); + r_u->status=get_alias_user_groups(p->mem_ctx, &info->sid, &tmp_num_groups, &tmp_rids, &(q_u->sid[i].sid)); /* * if there is an error, we just continue as -- cgit From 6490fbce6b42277b3a75c060bc4f1c00c89924c3 Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Sat, 8 Dec 2001 23:57:35 +0000 Subject: small comment I don't want to loose. J.F. (This used to be commit a0b5ae58228d01ff5099180f16ffba4353bd28a7) --- source3/rpc_server/srv_samr_nt.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') 
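Review bot: The pair `samr_clear_sam_passwd(sam_pass); pdb_free_sam(&sam_pass);` is now repeated on three exits of `_samr_query_usergroups`; a single `done:` label that performs both calls and returns `r_u->status` would keep a future exit from forgetting either one. The function's earlier return paths lie outside these hunks, so whether they release `sam_pass` cannot be checked from here.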
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 853a130859..3c82924f1e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -560,6 +560,11 @@ NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, DEBUG(5,("_samr_get_usrdom_pwinfo: %d\n", __LINE__)); + /* + * NT sometimes return NT_STATUS_ACCESS_DENIED + * I don't know yet why. + */ + return r_u->status; } -- cgit From 0ff1a9568b4bc0220cf90ea78f2657a92682307d Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Mon, 10 Dec 2001 15:03:16 +0000 Subject: added info level 3 to samrgetgroupinfo. I don't know what the value is. It's just to keep usermanager happy ;-) clean up a bit samr_query_aliasinfo to return the group description added: samr_del_aliasmem, samr_del_groupmem and samr_del_domuser with the correct scripts, you can now entirely manage the users from usermanager ! Closer to full PDC every day ;-) J.F. (This used to be commit 0a727afc669704cda9b44d44dbac9e989e906ae3) --- source3/rpc_server/srv_samr_nt.c | 176 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 164 insertions(+), 12 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 3c82924f1e..042978495a 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1181,10 +1181,8 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_R_QUERY_ALIASINFO *r_u) { - fstring alias_desc = "Local Unix group"; - fstring alias=""; - enum SID_NAME_USE type; struct samr_info *info = NULL; + GROUP_MAP map; r_u->status = NT_STATUS_OK; 
@@ -1198,14 +1196,14 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM !sid_check_is_in_builtin(&info->sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - if(!local_lookup_sid(&info->sid, alias, &type)) + if(!get_local_group_from_sid(info->sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_ALIAS; switch (q_u->switch_level) { case 3: r_u->ptr = 1; r_u->ctr.switch_value1 = 3; - init_samr_alias_info3(&r_u->ctr.alias.info3, alias_desc); + init_samr_alias_info3(&r_u->ctr.alias.info3, map.comment); break; default: return NT_STATUS_INVALID_INFO_CLASS; 
@@ -2981,8 +2979,62 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DEL_ALIASMEM *r_u) { - DEBUG(0,("_samr_del_aliasmem: Not yet implemented.\n")); - return NT_STATUS_NOT_IMPLEMENTED; + DOM_SID alias_sid; + fstring alias_sid_str; + struct group *grp; + fstring grp_name; + uint32 rid; + GROUP_MAP map; + SAM_ACCOUNT *sam_pass=NULL; + + /* Find the policy handle. Open a policy on it. */ + if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid)) + return NT_STATUS_INVALID_HANDLE; + + sid_to_string(alias_sid_str, &alias_sid); + DEBUG(10, ("_samr_del_aliasmem:sid is %s\n", alias_sid_str)); + + if (!sid_check_is_in_our_domain(&alias_sid) && + !sid_check_is_in_builtin(&alias_sid)) { + DEBUG(10, ("_samr_del_aliasmem:invalid alias group\n")); + return NT_STATUS_NO_SUCH_ALIAS; + } + + if( !get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV)) + return NT_STATUS_NO_SUCH_ALIAS; + + if ((grp=getgrgid(map.gid)) == NULL) + return NT_STATUS_NO_SUCH_ALIAS; + + /* we need to copy the name otherwise it's overloaded in user_in_group_list */ + fstrcpy(grp_name, grp->gr_name); + + sid_peek_rid(&q_u->sid.sid, &rid); + + /* check if the user exists before trying to remove it from the group */ + pdb_init_sam(&sam_pass); + if(!pdb_getsampwrid(sam_pass, rid)) { + DEBUG(5,("_samr_del_aliasmem:User %d doesn't exist.\n", sam_pass->username)); + pdb_free_sam(&sam_pass); + return NT_STATUS_NO_SUCH_USER; + } + + /* if the user is not in the group */ + if(!user_in_group_list(sam_pass->username, grp_name)) { + pdb_free_sam(&sam_pass); + return NT_STATUS_MEMBER_IN_ALIAS; + } + + smb_delete_user_group(grp_name, sam_pass->username); + + /* check if the user has been removed then ... 
*/ + if(user_in_group_list(sam_pass->username, grp_name)) { + pdb_free_sam(&sam_pass); + return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */ + } + + pdb_free_sam(&sam_pass); + return NT_STATUS_OK; } /********************************************************************* 
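Review bot: `sid_peek_rid(&q_u->sid.sid, &rid)` in `_samr_del_aliasmem` keeps only the RID of the member SID supplied in the request and never checks which domain that SID belongs to, so a SID from any other domain carrying the same RID is resolved to a local account by `pdb_getsampwrid`. A guard such as `if (!sid_check_is_in_our_domain(&q_u->sid.sid)) return NT_STATUS_NO_SUCH_USER;` before the peek would reject those. The two status codes also look swapped: the "user is not in the group" branch returns `NT_STATUS_MEMBER_IN_ALIAS`, and the "still a member after removal" branch returns `NT_STATUS_MEMBER_NOT_IN_ALIAS`.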
@@ -3047,8 +3099,62 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DEL_GROUPMEM *r_u) { - DEBUG(0,("_samr_del_groupmem: Not yet implemented.\n")); - return NT_STATUS_NOT_IMPLEMENTED; + DOM_SID group_sid; + SAM_ACCOUNT *sam_pass=NULL; + uint32 rid; + GROUP_MAP map; + fstring grp_name; + struct group *grp; + + /* + * delete the group member named q_u->rid + * who is a member of the sid associated with the handle + * the rid is a user's rid as the group is a domain group. + */ + + /* Find the policy handle. Open a policy on it. */ + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid)) + return NT_STATUS_INVALID_HANDLE; + + if(!sid_check_is_in_our_domain(&group_sid)) + return NT_STATUS_NO_SUCH_GROUP; + + rid=q_u->rid; + + if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) + return NT_STATUS_NO_SUCH_GROUP; + + if ((grp=getgrgid(map.gid)) == NULL) + return NT_STATUS_NO_SUCH_GROUP; + + /* we need to copy the name otherwise it's overloaded in user_in_group_list */ + fstrcpy(grp_name, grp->gr_name); + + /* check if the user exists before trying to remove it from the group */ + pdb_init_sam(&sam_pass); + if(!pdb_getsampwrid(sam_pass, rid)) { + DEBUG(5,("User %d doesn't exist.\n", sam_pass->username)); + pdb_free_sam(&sam_pass); + return NT_STATUS_NO_SUCH_USER; + } + + /* if the user is not in the group */ + if(!user_in_group_list(sam_pass->username, grp_name)) { + pdb_free_sam(&sam_pass); + return NT_STATUS_MEMBER_NOT_IN_GROUP; + } + + smb_delete_user_group(grp_name, sam_pass->username); + + /* check if the user has been removed then ... */ + if(user_in_group_list(sam_pass->username, grp_name)) { + pdb_free_sam(&sam_pass); + return NT_STATUS_ACCESS_DENIED; /* don't know what to reply else */ + } + + pdb_free_sam(&sam_pass); + return NT_STATUS_OK; + } /********************************************************************* 
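Review bot: Whatever `smb_delete_user_group(grp_name, sam_pass->username)` returns is discarded in `_samr_del_groupmem`, and a removal that did not take effect is reported as `NT_STATUS_ACCESS_DENIED` with nothing written to the log, so a missing or failing script cannot be told apart from a permission problem afterwards. Logging before that return, e.g. `DEBUG(0,("_samr_del_groupmem: removing %s from %s failed\n", sam_pass->username, grp_name));`, would leave a trace of the failed membership change. `_samr_del_aliasmem` follows the same pattern.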
@@ -3057,8 +3163,50 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAMR_R_DELETE_DOM_USER *r_u ) { - DEBUG(0,("_samr_delete_dom_user: Not yet implemented.\n")); - return NT_STATUS_NOT_IMPLEMENTED; + DOM_SID user_sid; + SAM_ACCOUNT *sam_pass=NULL; + uint32 rid; + + DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__)); + + /* Find the policy handle. Open a policy on it. */ + if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &user_sid)) + return NT_STATUS_INVALID_HANDLE; + + if (!sid_check_is_in_our_domain(&user_sid)) + return NT_STATUS_CANNOT_DELETE; + + sid_peek_rid(&user_sid, &rid); + + /* check if the user exists before trying to delete */ + pdb_init_sam(&sam_pass); + if(!pdb_getsampwrid(sam_pass, rid)) { + DEBUG(5,("_samr_delete_dom_user:User %d doesn't exist.\n", sam_pass->username)); + pdb_free_sam(&sam_pass); + return NT_STATUS_NO_SUCH_USER; + } + + /* delete the unix side */ + /* + * note: we don't check if the delete really happened + * as the script is not necessary present + * and maybe the sysadmin doesn't want to delete the unix side + */ + smb_delete_user(sam_pass->username); + + /* and delete the samba side */ + if (!pdb_delete_sam_account(sam_pass->username)) { + DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", sam_pass->username)); + pdb_free_sam(&sam_pass); + return NT_STATUS_CANNOT_DELETE; + } + + pdb_free_sam(&sam_pass); + + if (!close_policy_hnd(p, &q_u->user_pol)) + return NT_STATUS_OBJECT_NAME_INVALID; + + return NT_STATUS_OK; } /********************************************************************* @@ -3094,7 +3242,7 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S DEBUG(10, ("lookup on Domain SID\n")); if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) - return NT_STATUS_NO_SUCH_ALIAS; + return NT_STATUS_NO_SUCH_GROUP; gid=map.gid; 
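Review bot: In `_samr_delete_dom_user`, `smb_delete_user(sam_pass->username)` runs before `pdb_delete_sam_account()`, so when the passdb delete fails the function returns `NT_STATUS_CANNOT_DELETE` after the Unix account may already have been removed, leaving the two stores inconsistent. Deleting the passdb entry first and calling `smb_delete_user()` only once that has succeeded avoids the half-deleted state. The `close_policy_hnd` failure path then returns `NT_STATUS_OBJECT_NAME_INVALID` although the account is already gone, which tells the caller the operation failed. A successful deletion is not logged at all; one line naming the deleted account would help auditing.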
@@ -3327,6 +3475,10 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM init_samr_group_info1(&ctr->group.info1, map.nt_name, map.comment, num_uids); SAFE_FREE(uid); break; + case 3: + ctr->switch_value1 = 3; + init_samr_group_info3(&ctr->group.info3); + break; case 4: ctr->switch_value1 = 4; init_samr_group_info4(&ctr->group.info4, map.comment); -- cgit From 140f1ccf1f70f795bb8c208426ed507b06b1f32d Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 18 Dec 2001 05:00:07 +0000 Subject: Fixed bad args to debug statements. (This used to be commit 5e0f0716ca9826de110fd9eeaf231970e7c19b42) --- source3/rpc_server/srv_samr_nt.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 042978495a..78535e4c2b 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3014,7 +3014,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE /* check if the user exists before trying to remove it from the group */ pdb_init_sam(&sam_pass); if(!pdb_getsampwrid(sam_pass, rid)) { - DEBUG(5,("_samr_del_aliasmem:User %d doesn't exist.\n", sam_pass->username)); + DEBUG(5,("_samr_del_aliasmem:User %s doesn't exist.\n", sam_pass->username)); pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; } @@ -3133,7 +3133,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE /* check if the user exists before trying to remove it from the group */ pdb_init_sam(&sam_pass); if(!pdb_getsampwrid(sam_pass, rid)) { - DEBUG(5,("User %d doesn't exist.\n", sam_pass->username)); + DEBUG(5,("User %s doesn't exist.\n", sam_pass->username)); pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; } 
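Review bot: The corrected `%s` in the `_samr_del_aliasmem` message still prints `sam_pass->username` on the branch where `pdb_getsampwrid(sam_pass, rid)` has just failed, so the structure holds only what `pdb_init_sam` put there and the name is presumably empty or unset. The value that identifies the failed lookup is the RID: `DEBUG(5,("_samr_del_aliasmem:User rid %u doesn't exist.\n", (unsigned int)rid));`. The same applies to the `_samr_del_groupmem` hunk and to the `_samr_delete_dom_user` hunk of this commit.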
@@ -3181,7 +3181,7 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM /* check if the user exists before trying to delete */ pdb_init_sam(&sam_pass); if(!pdb_getsampwrid(sam_pass, rid)) { - DEBUG(5,("_samr_delete_dom_user:User %d doesn't exist.\n", sam_pass->username)); + DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n", sam_pass->username)); pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; } -- cgit From ea274ac97ff5c46c5f910c38b463d6a553dea9e6 Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Wed, 19 Dec 2001 00:15:29 +0000 Subject: added info level 1 to samr_query_alias() (This used to be commit 589aa4fe226ee5bdae0a244631193714b0b556ac) --- source3/rpc_server/srv_samr_nt.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 78535e4c2b..b918b4dca1 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1200,6 +1200,11 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM return NT_STATUS_NO_SUCH_ALIAS; switch (q_u->switch_level) { + case 1: + r_u->ptr = 1; + r_u->ctr.switch_value1 = 1; + init_samr_alias_info1(&r_u->ctr.alias.info1, map.nt_name, 1, map.comment); + break; case 3: r_u->ptr = 1; r_u->ctr.switch_value1 = 3; -- cgit From 595dd015071395bae2ffc61573c72bb9f6a77553 Mon Sep 17 00:00:00 2001 
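Review bot: The literal `1` passed as the third argument of `init_samr_alias_info1` in the new `case 1:` is unexplained. If that parameter is the member count (inferred from its position, the prototype is not in the hunk), every alias is reported as having exactly one member. A comment such as `/* FIXME: member count hard-coded to 1, should come from the alias membership */` would at least mark it as a placeholder.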
From: Jean-François Micouleau Date: Fri, 21 Dec 2001 13:36:14 +0000 Subject: re-done all of samr_query_disp_info() instead of enumerating the whole user db or group db every time, we store a in memory copy linked to the handle. that's much faster for large enumeration where the db can't fit in a single rpc packet. And as it's a copy, it's constant between enumeration. still some stuff to clean. But now I can fix the W95 userlist bug, as I've finally found it. J.F. (This used to be commit 3ab45215369e8e93d750f4687e9c1f7d47782590) --- source3/rpc_server/srv_samr_nt.c | 396 ++++++++++++++++++++++++++++++--------- 1 file changed, 310 insertions(+), 86 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b918b4dca1..1cd061369f 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -38,10 +38,22 @@ extern rid_name domain_group_rids[]; extern rid_name domain_alias_rids[]; extern rid_name builtin_alias_rids[]; + +typedef struct _disp_info { + BOOL user_dbloaded; + BOOL group_dbloaded; + uint32 num_account; + uint32 total_size; + uint32 last_enum; + DISP_USER_INFO *disp_user_info; + DISP_GROUP_INFO *disp_group_info; +} DISP_INFO; + struct samr_info { - /* for use by the \PIPE\samr policy */ - DOM_SID sid; - uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */ + /* for use by the \PIPE\samr policy */ + DOM_SID sid; + uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */ + DISP_INFO disp_info; }; /******************************************************************* 
@@ -50,6 +62,24 @@ struct samr_info { static void free_samr_info(void *ptr) { + int i; + + struct samr_info *info=(struct samr_info *) ptr; + + if (info->disp_info.group_dbloaded) { + for (i=0; idisp_info.num_account; i++) + SAFE_FREE(info->disp_info.disp_group_info[i].grp); + + SAFE_FREE(info->disp_info.disp_group_info); + } + + if (info->disp_info.user_dbloaded){ + for (i=0; idisp_info.num_account; i++) + SAFE_FREE(info->disp_info.disp_user_info[i].sam); + + SAFE_FREE(info->disp_info.disp_user_info); + } + SAFE_FREE(ptr); } 
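Review bot: The user snapshot entries in `free_samr_info` are released with `SAFE_FREE(info->disp_info.disp_user_info[i].sam)`, whereas the other `SAM_ACCOUNT` objects on this page that come from `pdb_init_sam()` are released with `pdb_free_sam()`, and those in `_samr_query_usergroups` are scrubbed with `samr_clear_sam_passwd()` first. If `SAM_ACCOUNT` owns separately allocated members (suggested by `samr_clear_sam_passwd` testing `sam_pass->nt_pw` before clearing it), a plain free leaks them and leaves the password hashes unscrubbed in freed memory. Using `samr_clear_sam_passwd(info->disp_info.disp_user_info[i].sam);` followed by `pdb_free_sam(&info->disp_info.disp_user_info[i].sam);` would match the rest of the file.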
@@ -79,6 +109,137 @@ static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass) if (sam_pass->nt_pw) memset(sam_pass->nt_pw, '\0', 16); } + +static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) +{ + SAM_ACCOUNT *pwd = NULL; + DISP_USER_INFO *pwd_array = NULL; + + DEBUG(10,("load_sampwd_entries\n")); + + /* if the snapshoot is already loaded, return */ + if (info->disp_info.user_dbloaded==True) { + DEBUG(10,("load_sampwd_entries: already in memory\n")); + return NT_STATUS_OK; + } + + if (!pdb_setsampwent(False)) { + DEBUG(0, ("get_sampwd_entries: Unable to open passdb.\n")); + return NT_STATUS_ACCESS_DENIED; + } + + for (pdb_init_sam(&pwd); pdb_getsampwent(pwd) == True; pwd=NULL, pdb_init_sam(&pwd) ) { + + uint32 len_sam_name, len_sam_full, len_sam_desc; + + if (acb_mask != 0 && !(pwd->acct_ctrl & acb_mask)) { + pdb_free_sam(&pwd); + DEBUG(5,(" acb_mask %x reject\n", acb_mask)); + continue; + } + DEBUG(0,("load_sampwd_entries: entry: %d\n", info->disp_info.num_account)); + + /* Realloc some memory for the array of ptr to the SAM_ACCOUNT structs */ + if (info->disp_info.num_account % MAX_SAM_ENTRIES == 0) { + + DEBUG(0,("load_sampwd_entries: allocating more memory\n")); + + + pwd_array=(DISP_USER_INFO *)Realloc(info->disp_info.disp_user_info, + (info->disp_info.num_account+MAX_SAM_ENTRIES)*sizeof(DISP_USER_INFO)); + + if (pwd_array==NULL) + return NT_STATUS_NO_MEMORY; + + info->disp_info.disp_user_info=pwd_array; + } + + /* link the SAM_ACCOUNT to the array */ + info->disp_info.disp_user_info[info->disp_info.num_account].sam=pwd; + + /* calculate the size needed to store the data */ + len_sam_name = strlen(pdb_get_username(pwd)); + len_sam_full = strlen(pdb_get_fullname(pwd)); + len_sam_desc = strlen(pdb_get_acct_desc(pwd)); + + info->disp_info.disp_user_info[info->disp_info.num_account].size=len_sam_name+ + len_sam_full+ + len_sam_desc; + /* keep the total size up to date too */ + 
info->disp_info.total_size+=info->disp_info.disp_user_info[info->disp_info.num_account].size; + + /* + * note: the size calculated are smaller than the size sent on the wire + * we add the SAM_ENTRY_x size later + */ + DEBUG(0,("load_sampwd_entries: entry: %d size: %d total: %d\n", info->disp_info.num_account, info->disp_info.disp_user_info[info->disp_info.num_account].size,info->disp_info.total_size)); + + info->disp_info.num_account++; + } + + pdb_endsampwent(); + + /* the snapshoot is in memory, we're ready to enumerate fast */ + + info->disp_info.user_dbloaded=True; + info->disp_info.last_enum=0; + + DEBUG(10,("load_sampwd_entries: done\n")); + + return NT_STATUS_OK; +} + +static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) +{ + GROUP_MAP *map=NULL; + DISP_GROUP_INFO *grp_array = NULL; + uint32 group_entries = 0; + uint32 i; + + DEBUG(10,("load_group_domain_entries\n")); + + /* if the snapshoot is already loaded, return */ + if (info->disp_info.group_dbloaded==True) { + DEBUG(10,("load_group_domain_entries: already in memory\n")); + return NT_STATUS_OK; + } + + enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV); + + info->disp_info.num_account=group_entries; + + grp_array=(DISP_GROUP_INFO *)malloc(info->disp_info.num_account*sizeof(DISP_GROUP_INFO)); + + if (group_entries!=0 && grp_array==NULL) { + SAFE_FREE(map); + return NT_STATUS_NO_MEMORY; + } + + info->disp_info.disp_group_info=grp_array; + + for (i=0; iname, map[i].nt_name); + fstrcpy(grp_array[i].grp->comment, map[i].comment); + sid_split_rid(&map[i].sid, &grp_array[i].grp->rid); + grp_array[i].grp->attr=SID_NAME_DOM_GRP; + } + + SAFE_FREE(map); + + /* the snapshoot is in memory, we're ready to enumerate fast */ + + info->disp_info.group_dbloaded=True; + info->disp_info.last_enum=0; + + DEBUG(10,("load_group_domain_entries: done\n")); + + return NT_STATUS_OK; +} + + 
/******************************************************************* This next function should be replaced with something that dynamically returns the correct user info..... JRA. 
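Review bot: `load_sampwd_entries` and `load_group_domain_entries` share the single `disp_info.num_account` counter: the group loader assigns it (`info->disp_info.num_account=group_entries`), while the user loader indexes `disp_user_info[info->disp_info.num_account]` and grows that array only when `num_account % MAX_SAM_ENTRIES == 0`. On a handle whose group snapshot was loaded first, the user loader therefore starts at a non-zero index into an array that has not been allocated, and `free_samr_info` later walks both arrays with the same count. Separate counters for the two snapshots (for example `num_user_account` and `num_group_account` in `DISP_INFO`) would remove the coupling. The `Realloc` failure path in `load_sampwd_entries` also returns without calling `pdb_endsampwent()` and without freeing the current `pwd`.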
@@ -1022,91 +1183,147 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S /******************************************************************* samr_reply_query_dispinfo ********************************************************************/ - NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_QUERY_DISPINFO *r_u) { - SAM_USER_INFO_21 pass[MAX_SAM_ENTRIES]; - DOMAIN_GRP *grps=NULL; - uint16 acb_mask = ACB_NORMAL; - uint32 num_entries = 0; - int orig_num_entries = 0; - int total_entries = 0; - uint32 data_size = 0; - DOM_SID sid; - NTSTATUS disp_ret; + struct samr_info *info = NULL; + uint32 struct_size=0; + uint16 acb_mask; + + uint32 max_entries=q_u->max_entries; + uint32 enum_context=q_u->start_idx; + uint32 max_size=q_u->max_size; + SAM_DISPINFO_CTR *ctr; + uint32 temp_size=0, total_data_size=0; + uint32 i; + NTSTATUS disp_ret; DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__)); - r_u->status = NT_STATUS_OK; - if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid)) + /* find the policy handle. open a policy on it. */ + if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - /* decide how many entries to get depending on the max_entries - and max_size passed by client */ - - DEBUG(5, ("samr_reply_query_dispinfo: max_entries before %d\n", q_u->max_entries)); + /* + * calculate how many entries we will return. + * based on + * - the number of entries the client asked + * - our limit on that + * - the starting point (enumeration context) + * - the buffer size the client will accept + */ - if(q_u->max_entries > MAX_SAM_ENTRIES) - q_u->max_entries = MAX_SAM_ENTRIES; + /* + * We are a lot more like W2K. Instead of reading the SAM + * each time to find the records we need to send back, + * we read it once and link that copy to the sam handle. + * For large user list (over the MAX_SAM_ENTRIES) + * it's a definitive win. 
+ * second point to notice: between enumerations + * our sam is now the same as it's a snapshoot. + * third point: got rid of the static SAM_USER_21 struct + * no more intermediate. + * con: it uses much more memory, as a full copy is stored + * in memory. + * + * If you want to change it, think twice and think + * of the second point , that's really important. + * + * JFM, 12/20/2001 + */ - DEBUG(5, ("samr_reply_query_dispinfo: max_entries after %d\n", q_u->max_entries)); + /* Get what we need from the password database */ + switch (q_u->switch_level) { + case 0x1: + acb_mask = ACB_NORMAL; + struct_size=0x20; + break; + case 0x2: + acb_mask = ACB_WSTRUST; + struct_size=0x20; + break; + case 0x3: + struct_size=0x20; + break; + case 0x4: + acb_mask = ACB_NORMAL; + struct_size=0x20; + break; + case 0x5: + struct_size=0x20; + break; + default: + DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n", (unsigned int)q_u->switch_level )); + return NT_STATUS_INVALID_INFO_CLASS; + } /* Get what we need from the password database */ switch (q_u->switch_level) { - case 0x2: - acb_mask = ACB_WSTRUST; - /* Fall through */ - case 0x1: - case 0x4: - become_root(); -#if 0 - r_u->status = get_passwd_entries(pass, q_u->start_idx, &total_entries, &num_entries, - MAX_SAM_ENTRIES, acb_mask); -#endif -#if 0 - /* - * Which should we use here ? JRA. 
- */ - r_u->status = get_sampwd_entries(pass, q_u->start_idx, &total_entries, &num_entries, - MAX_SAM_ENTRIES, acb_mask); -#endif -#if 1 - r_u->status = jf_get_sampwd_entries(pass, q_u->start_idx, &total_entries, &num_entries, - MAX_SAM_ENTRIES, acb_mask); -#endif - unbecome_root(); - if (NT_STATUS_IS_ERR(r_u->status)) { - DEBUG(5, ("get_sampwd_entries: failed\n")); - return r_u->status; - } - break; - case 0x3: - case 0x5: - r_u->status = get_group_domain_entries(p->mem_ctx, &grps, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES); - if (NT_STATUS_IS_ERR(r_u->status)) - return r_u->status; - break; - default: - DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n", (unsigned int)q_u->switch_level )); - return NT_STATUS_INVALID_INFO_CLASS; + case 0x1: + case 0x2: + case 0x4: + if (enum_context!=0 && info->disp_info.user_dbloaded==False) + return NT_STATUS_UNSUCCESSFUL; + + become_root(); + r_u->status=load_sampwd_entries(info, acb_mask); + unbecome_root(); + if (NT_STATUS_IS_ERR(r_u->status)) { + DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n")); + return r_u->status; + } + break; + case 0x3: + case 0x5: + if (enum_context!=0 && info->disp_info.group_dbloaded==False) + return NT_STATUS_UNSUCCESSFUL; + + r_u->status = load_group_domain_entries(info, &info->sid); + if (NT_STATUS_IS_ERR(r_u->status)) + return r_u->status; + break; + default: + DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n", (unsigned int)q_u->switch_level )); + return NT_STATUS_INVALID_INFO_CLASS; + } + + /* first limit the number of entries we will return */ + if(max_entries > MAX_SAM_ENTRIES) { + DEBUG(5, ("samr_reply_query_dispinfo: client requested %d entries, limiting to %d\n", max_entries, MAX_SAM_ENTRIES)); + max_entries = MAX_SAM_ENTRIES; } - orig_num_entries = num_entries; + if (enum_context > info->disp_info.num_account) { + DEBUG(5, ("samr_reply_query_dispinfo: enumeration handle over total entries\n")); + return NT_STATUS_OK; + } - if (num_entries > 
q_u->max_entries) - num_entries = q_u->max_entries; - if (num_entries > MAX_SAM_ENTRIES) { - num_entries = MAX_SAM_ENTRIES; - DEBUG(5, ("limiting number of entries to %d\n", num_entries)); + /* verify we won't overflow */ + if (max_entries > info->disp_info.num_account-enum_context) { + max_entries = info->disp_info.num_account-enum_context; + DEBUG(5, ("samr_reply_query_dispinfo: only %d entries to return\n", max_entries)); } - /* Ensure password info is never given out here. PARANOIA... JRA */ - samr_clear_passwd_fields(pass, num_entries); - data_size = q_u->max_size; + /* calculate the size */ + if (q_u->switch_level==3 || q_u->switch_level==5) + for (i=enum_context; (idisp_info.disp_group_info[i].size * 2;*/ + temp_size+=struct_size; + } + + else + for (i=enum_context; (idisp_info.disp_user_info[i].size * 2;*/ + temp_size+=struct_size; + } + + if (imem_ctx,sizeof(SAM_DISPINFO_CTR)))) return NT_STATUS_NO_MEMORY; 
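Review bot: `load_sampwd_entries(info, acb_mask)` applies `acb_mask` only on the first call for a handle and returns early once `user_dbloaded` is set, so in `_samr_query_dispinfo` a level 0x2 query (`ACB_WSTRUST`) that follows a level 0x1 query (`ACB_NORMAL`) on the same handle is answered from the other level's snapshot. Either record the mask with the snapshot and reload when it differs, or store unfiltered entries and filter while building the reply. The hunk also removes the old `samr_clear_passwd_fields(pass, num_entries)` call without a replacement, so the `SAM_ACCOUNT` copies kept on the handle retain their password hashes for the handle's lifetime; calling `samr_clear_sam_passwd(pwd)` before linking each entry would keep the earlier guarantee, assuming the display levels never need the hashes. `_samr_query_dispinfo` starts in this hunk and continues in the next one.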
@@ -1116,65 +1333,72 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ /* Now create reply structure */ switch (q_u->switch_level) { case 0x1: - if (num_entries) { - if (!(ctr->sam.info1 = (SAM_DISPINFO_1 *)talloc_zero(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_1)))) + if (max_entries) { + if (!(ctr->sam.info1 = (SAM_DISPINFO_1 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_1)))) return NT_STATUS_NO_MEMORY; } - disp_ret = init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, &num_entries, &data_size, q_u->start_idx, pass); + disp_ret = init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, max_entries, enum_context, info->disp_info.disp_user_info); if (NT_STATUS_IS_ERR(disp_ret)) return disp_ret; break; case 0x2: - if (num_entries) { - if (!(ctr->sam.info2 = (SAM_DISPINFO_2 *)talloc_zero(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_2)))) + if (max_entries) { + if (!(ctr->sam.info2 = (SAM_DISPINFO_2 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_2)))) return NT_STATUS_NO_MEMORY; } - disp_ret = init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, &num_entries, &data_size, q_u->start_idx, pass); + disp_ret = init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, max_entries, enum_context, info->disp_info.disp_user_info); if (NT_STATUS_IS_ERR(disp_ret)) return disp_ret; break; case 0x3: - if (num_entries) { - if (!(ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc_zero(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_3)))) + if (max_entries) { + if (!(ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_3)))) return NT_STATUS_NO_MEMORY; } - disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, &num_entries, &data_size, q_u->start_idx, grps); + disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, max_entries, enum_context, info->disp_info.disp_group_info); if (NT_STATUS_IS_ERR(disp_ret)) return disp_ret; break; case 0x4: - if (num_entries) { - if (!(ctr->sam.info4 = (SAM_DISPINFO_4 
*)talloc_zero(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_4)))) + if (max_entries) { + if (!(ctr->sam.info4 = (SAM_DISPINFO_4 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_4)))) return NT_STATUS_NO_MEMORY; } - disp_ret = init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, &num_entries, &data_size, q_u->start_idx, pass); + disp_ret = init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, max_entries, enum_context, info->disp_info.disp_user_info); if (NT_STATUS_IS_ERR(disp_ret)) return disp_ret; break; case 0x5: - if (num_entries) { - if (!(ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc_zero(p->mem_ctx,num_entries*sizeof(SAM_DISPINFO_5)))) + if (max_entries) { + if (!(ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_5)))) return NT_STATUS_NO_MEMORY; } - disp_ret = init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, &num_entries, &data_size, q_u->start_idx, grps); + disp_ret = init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, max_entries, enum_context, info->disp_info.disp_group_info); if (NT_STATUS_IS_ERR(disp_ret)) return disp_ret; break; + default: ctr->sam.info = NULL; return NT_STATUS_INVALID_INFO_CLASS; } - DEBUG(5, ("_samr_query_dispinfo: %d\n", __LINE__)); + /* calculate the total size */ + /*total_data_size=info->disp_info.total_size+(info->disp_info.num_account*struct_size);*/ + total_data_size=info->disp_info.num_account*struct_size; - if (num_entries < orig_num_entries) - return STATUS_MORE_ENTRIES; + if (enum_context+max_entries < info->disp_info.num_account) + r_u->status = STATUS_MORE_ENTRIES; - init_samr_r_query_dispinfo(r_u, num_entries, data_size, q_u->switch_level, ctr, r_u->status); + DEBUG(5, ("_samr_query_dispinfo: %d\n", __LINE__)); + + init_samr_r_query_dispinfo(r_u, max_entries, total_data_size, temp_size, q_u->switch_level, ctr, r_u->status); return r_u->status; + } + /******************************************************************* samr_reply_query_aliasinfo 
********************************************************************/ -- cgit From fff44cc7009da6db0cc6478e0e239324316b4550 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 21 Dec 2001 19:34:32 +0000 Subject: Use pdb_free_sam() to free a SAM_ACCOUNT struct, not safe_free(). There are pointers withing the SAM_ACCOUNT struct that also need freeing. Jeremy. (This used to be commit a7d099cc75f813b4010a5f313c3fa6e6e8284b6d) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 1cd061369f..c3d4f826d4 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -75,7 +75,7 @@ static void free_samr_info(void *ptr) if (info->disp_info.user_dbloaded){ for (i=0; idisp_info.num_account; i++) - SAFE_FREE(info->disp_info.disp_user_info[i].sam); + pdb_free_sam(&info->disp_info.disp_user_info[i].sam); SAFE_FREE(info->disp_info.disp_user_info); } -- cgit From 5829284a07463aa560527b38b69570444160e019 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 21 Dec 2001 22:27:20 +0000 Subject: Fixup some DEBUG statements (0 -> 10). Jeremy. (This used to be commit bf65331cb49299189d35ad5834167ec24b3a1ecb) --- source3/rpc_server/srv_samr_nt.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c3d4f826d4..5af797f1cb 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -124,7 +124,7 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) } if (!pdb_setsampwent(False)) { - DEBUG(0, ("get_sampwd_entries: Unable to open passdb.\n")); + DEBUG(0, ("load_sampwd_entries: Unable to open passdb.\n")); return NT_STATUS_ACCESS_DENIED; } 
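Review bot: In the reply-building hunk of `_samr_query_dispinfo` (`@@ -1116,65 +1333,72 @@`), levels 1, 2 and 4 read `info->disp_info.disp_user_info` and levels 3 and 5 read `info->disp_info.disp_group_info`, yet the `STATUS_MORE_ENTRIES` test and `total_data_size` both use the single counter `info->disp_info.num_account`. If one handle can hold both snapshots (the load functions are outside this hunk, so this is inferred), the count left by the most recent load would bound reads of the other array, and `enum_context + max_entries` could run past its end. I would keep one counter per table and pick it by level before any bound check, e.g. `num = is_group_level ? info->disp_info.num_group_account : info->disp_info.num_user_account;`. The function body starts before this hunk.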
@@ -142,7 +142,7 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) /* Realloc some memory for the array of ptr to the SAM_ACCOUNT structs */ if (info->disp_info.num_account % MAX_SAM_ENTRIES == 0) { - DEBUG(0,("load_sampwd_entries: allocating more memory\n")); + DEBUG(10,("load_sampwd_entries: allocating more memory\n")); pwd_array=(DISP_USER_INFO *)Realloc(info->disp_info.disp_user_info, @@ -172,7 +172,7 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) * note: the size calculated are smaller than the size sent on the wire * we add the SAM_ENTRY_x size later */ - DEBUG(0,("load_sampwd_entries: entry: %d size: %d total: %d\n", info->disp_info.num_account, info->disp_info.disp_user_info[info->disp_info.num_account].size,info->disp_info.total_size)); + DEBUG(10,("load_sampwd_entries: entry: %d size: %d total: %d\n", info->disp_info.num_account, info->disp_info.disp_user_info[info->disp_info.num_account].size,info->disp_info.total_size)); info->disp_info.num_account++; } -- cgit From 0e550b2c11bde9a05167b237fb9910e2beccd14c Mon Sep 17 00:00:00 2001 
From: Jean-François Micouleau Date: Fri, 21 Dec 2001 22:34:49 +0000 Subject: doesn't keep track of the struct's size we enumerate. W2K doesn't calculate them and always reply a size of 32 bytes whereas NT4 did the maths. Anyway, it looks like the clients don't complain. in query_dom_info() at level 2, return the real number of users and groups. That's the fix to the W95/98 userlist bug ! as W95/98 does a query_dom_info(2) followed by a query_disp_info(4) on the SAME context handle (err we call it an lsa policy handle ! plain wrong name), I was tempted to keep the snapshoot in memory, to prevent 2 full user db enumerations in a row and just have one shared. But if some client does the 2 calls on two different handles, we would have 2 copies in memory not free'ed before the samr_close(). We still have too many fixed constant and too many magic values in that code. And btw, I really hates how the sequence number is generated ! J.F. (This used to be commit c0178e1a03f8225e5b350feb8fcbfb02f43327b4) --- source3/rpc_server/srv_samr_nt.c | 147 ++++++++++++++++++++------------------- 1 file changed, 76 insertions(+), 71 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 5af797f1cb..a5c6f9a44f 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -59,13 +59,10 @@ struct samr_info { /******************************************************************* Function to free the per handle data. ********************************************************************/ - -static void free_samr_info(void *ptr) +static void free_samr_db(struct samr_info *info) { int i; - struct samr_info *info=(struct samr_info *) ptr; - if (info->disp_info.group_dbloaded) { for (i=0; idisp_info.num_account; i++) SAFE_FREE(info->disp_info.disp_group_info[i].grp); 
@@ -79,7 +76,20 @@ static void free_samr_info(void *ptr) SAFE_FREE(info->disp_info.disp_user_info); } - + + info->disp_info.user_dbloaded=False; + info->disp_info.group_dbloaded=False; + info->disp_info.num_account=0; + info->disp_info.total_size=0; + info->disp_info.last_enum=0; +} + + +static void free_samr_info(void *ptr) +{ + struct samr_info *info=(struct samr_info *) ptr; + + free_samr_db(info); SAFE_FREE(ptr); } @@ -137,14 +147,12 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) DEBUG(5,(" acb_mask %x reject\n", acb_mask)); continue; } - DEBUG(0,("load_sampwd_entries: entry: %d\n", info->disp_info.num_account)); + DEBUG(11,("load_sampwd_entries: entry: %d\n", info->disp_info.num_account)); /* Realloc some memory for the array of ptr to the SAM_ACCOUNT structs */ if (info->disp_info.num_account % MAX_SAM_ENTRIES == 0) { DEBUG(10,("load_sampwd_entries: allocating more memory\n")); - - pwd_array=(DISP_USER_INFO *)Realloc(info->disp_info.disp_user_info, (info->disp_info.num_account+MAX_SAM_ENTRIES)*sizeof(DISP_USER_INFO)); 
@@ -157,22 +165,7 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) /* link the SAM_ACCOUNT to the array */ info->disp_info.disp_user_info[info->disp_info.num_account].sam=pwd; - /* calculate the size needed to store the data */ - len_sam_name = strlen(pdb_get_username(pwd)); - len_sam_full = strlen(pdb_get_fullname(pwd)); - len_sam_desc = strlen(pdb_get_acct_desc(pwd)); - - info->disp_info.disp_user_info[info->disp_info.num_account].size=len_sam_name+ - len_sam_full+ - len_sam_desc; - /* keep the total size up to date too */ - info->disp_info.total_size+=info->disp_info.disp_user_info[info->disp_info.num_account].size; - - /* - * note: the size calculated are smaller than the size sent on the wire - * we add the SAM_ENTRY_x size later - */ - DEBUG(10,("load_sampwd_entries: entry: %d size: %d total: %d\n", info->disp_info.num_account, info->disp_info.disp_user_info[info->disp_info.num_account].size,info->disp_info.total_size)); + DEBUG(10,("load_sampwd_entries: entry: %d\n", info->disp_info.num_account)); info->disp_info.num_account++; } @@ -184,7 +177,7 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) info->disp_info.user_dbloaded=True; info->disp_info.last_enum=0; - DEBUG(10,("load_sampwd_entries: done\n")); + DEBUG(12,("load_sampwd_entries: done\n")); return NT_STATUS_OK; } @@ -234,7 +227,7 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) info->disp_info.group_dbloaded=True; info->disp_info.last_enum=0; - DEBUG(10,("load_group_domain_entries: done\n")); + DEBUG(12,("load_group_domain_entries: done\n")); return NT_STATUS_OK; } 
@@ -1186,7 +1179,7 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_QUERY_DISPINFO *r_u) { struct samr_info *info = NULL; - uint32 struct_size=0; + uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */ uint16 acb_mask; uint32 max_entries=q_u->max_entries; @@ -1234,29 +1227,11 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ */ /* Get what we need from the password database */ - switch (q_u->switch_level) { - case 0x1: - acb_mask = ACB_NORMAL; - struct_size=0x20; - break; - case 0x2: - acb_mask = ACB_WSTRUST; - struct_size=0x20; - break; - case 0x3: - struct_size=0x20; - break; - case 0x4: - acb_mask = ACB_NORMAL; - struct_size=0x20; - break; - case 0x5: - struct_size=0x20; - break; - default: - DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n", (unsigned int)q_u->switch_level )); - return NT_STATUS_INVALID_INFO_CLASS; - } + + if (q_u->switch_level==2) + acb_mask = ACB_WSTRUST; + else + acb_mask = ACB_NORMAL; /* Get what we need from the password database */ switch (q_u->switch_level) { 
@@ -1299,29 +1274,17 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ return NT_STATUS_OK; } - /* verify we won't overflow */ if (max_entries > info->disp_info.num_account-enum_context) { max_entries = info->disp_info.num_account-enum_context; DEBUG(5, ("samr_reply_query_dispinfo: only %d entries to return\n", max_entries)); } - - /* calculate the size */ - if (q_u->switch_level==3 || q_u->switch_level==5) - for (i=enum_context; (idisp_info.disp_group_info[i].size * 2;*/ - temp_size+=struct_size; - } + /* calculate the size and limit on the number of entries we will return */ + temp_size=(enum_context+max_entries)*struct_size; - else - for (i=enum_context; (idisp_info.disp_user_info[i].size * 2;*/ - temp_size+=struct_size; - } - - if (imax_size) { + max_entries=max_size/struct_size; DEBUG(5, ("samr_reply_query_dispinfo: buffer size limits to only %d entries\n", max_entries)); } @@ -1384,7 +1347,6 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ } /* calculate the total size */ - /*total_data_size=info->disp_info.total_size+(info->disp_info.num_account*struct_size);*/ total_data_size=info->disp_info.num_account*struct_size; if (enum_context+max_entries < info->disp_info.num_account) @@ -2113,6 +2075,7 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR_R_QUERY_DOMAIN_INFO *r_u) { + struct samr_info *info = NULL; SAM_UNK_CTR *ctr; uint32 min_pass_len,pass_hist,flag; time_t u_expire, u_min_age; @@ -2125,6 +2088,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA time_t u_logout; NTTIME nt_logout; + uint32 num_users=0, num_groups=0, num_aliases=0; if ((ctr = (SAM_UNK_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL) return NT_STATUS_NO_MEMORY; 
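Review bot: In the `@@ -1299,29 +1274,17 @@` hunk the buffer-size clamp `max_entries=max_size/struct_size;` can raise `max_entries` above the value just limited to `info->disp_info.num_account-enum_context`, because `temp_size` is computed from `enum_context+max_entries` rather than from the entries being returned. The `if` condition is garbled on this page, so the exact test is inferred. For a non-zero `enum_context` the entry count passed on to the allocation and to the `init_sam_dispinfo_N` calls could then exceed what remains in the cached array. The clamp should only ever shrink the count, so replace the assignment with `if (max_entries > max_size/struct_size) max_entries = max_size/struct_size;`. `_samr_query_dispinfo` starts and ends outside this hunk.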
@@ -2136,7 +2100,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL)) + if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; switch (q_u->switch_value) { @@ -2154,8 +2118,27 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA flag, nt_expire, nt_min_age); break; case 0x02: + become_root(); + r_u->status=load_sampwd_entries(info, ACB_NORMAL); + unbecome_root(); + if (NT_STATUS_IS_ERR(r_u->status)) { + DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n")); + return r_u->status; + } + num_users=info->disp_info.num_account; + free_samr_db(info); + + r_u->status=load_group_domain_entries(info, &global_sam_sid); + if (NT_STATUS_IS_ERR(r_u->status)) { + DEBUG(5, ("_samr_query_dispinfo: load_group_domain_entries failed\n")); + return r_u->status; + } + num_groups=info->disp_info.num_account; + free_samr_db(info); + /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */ - init_unk_info2(&ctr->info.inf2, global_myworkgroup, global_myname, (uint32) time(NULL)); + init_unk_info2(&ctr->info.inf2, global_myworkgroup, global_myname, (uint32) time(NULL), + num_users, num_groups, num_aliases); break; case 0x03: account_policy_get(AP_TIME_TO_LOGOUT, (int *)&u_logout); @@ -3868,6 +3851,7 @@ NTSTATUS _samr_unknown_2d(pipes_struct *p, SAMR_Q_UNKNOWN_2D *q_u, SAMR_R_UNKNOW NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOWN_2E *r_u) { + struct samr_info *info = NULL; SAM_UNK_CTR *ctr; uint32 min_pass_len,pass_hist,flag; time_t u_expire, u_min_age; 
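Review bot: In the `case 0x02:` hunk of `_samr_query_dom_info` (`@@ -2154,8 +2118,27 @@`), `free_samr_db(info)` runs on the `info` taken from the client's domain handle, so a level-2 query throws away any display snapshot that `_samr_query_dispinfo` has cached on that same handle. The commit description notes that W95/98 issues both calls on one handle. Each level-2 query also performs a full `load_sampwd_entries()` under `become_root()`, so I would do the counting in a local scratch `struct samr_info` (or a dedicated counting helper) and leave the handle's state alone. The two new `DEBUG(5, ...)` messages name `_samr_query_dispinfo` although they sit in `_samr_query_dom_info`; use `DEBUG(5, ("_samr_query_dom_info: load_sampwd_entries failed\n"));` and the matching text for the group load. The same block, with the same issues, is repeated in `_samr_unknown_2e` (`@@ -3908,8 +3894,27 @@`).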
@@ -3880,6 +3864,8 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW time_t u_logout; NTTIME nt_logout; + uint32 num_users=0, num_groups=0, num_aliases=0; + if ((ctr = (SAM_UNK_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL) return NT_STATUS_NO_MEMORY; @@ -3890,7 +3876,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL)) + if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; switch (q_u->switch_value) { @@ -3908,8 +3894,27 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW flag, nt_expire, nt_min_age); break; case 0x02: + become_root(); + r_u->status=load_sampwd_entries(info, ACB_NORMAL); + unbecome_root(); + if (NT_STATUS_IS_ERR(r_u->status)) { + DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n")); + return r_u->status; + } + num_users=info->disp_info.num_account; + free_samr_db(info); + + r_u->status=load_group_domain_entries(info, &global_sam_sid); + if (NT_STATUS_IS_ERR(r_u->status)) { + DEBUG(5, ("_samr_query_dispinfo: load_group_domain_entries failed\n")); + return r_u->status; + } + num_groups=info->disp_info.num_account; + free_samr_db(info); + /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */ - init_unk_info2(&ctr->info.inf2, global_myworkgroup, global_myname, (uint32) time(NULL)); + init_unk_info2(&ctr->info.inf2, global_myworkgroup, global_myname, (uint32) time(NULL), + num_users, num_groups, num_aliases); break; case 0x03: account_policy_get(AP_TIME_TO_LOGOUT, (int *)&u_logout); -- cgit From 1acf4f67a26a8c51f250bef40630052fb2d4baff Mon Sep 17 00:00:00 2001 
From: Jean-François Micouleau Date: Fri, 21 Dec 2001 22:54:53 +0000 Subject: added a copyright notice. J.F. (This used to be commit 87928c4d91940447191af4fe83a2be7ac3477361) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index a5c6f9a44f..3f63df660b 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -7,6 +7,7 @@ * Copyright (C) Paul Ashton 1997. * Copyright (C) Marc Jacobsen 1999. * Copyright (C) Jeremy Allison 2001. + * Copyright (C) Jean François Micouleau 1998-2001. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -147,7 +148,6 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) DEBUG(5,(" acb_mask %x reject\n", acb_mask)); continue; } - DEBUG(11,("load_sampwd_entries: entry: %d\n", info->disp_info.num_account)); /* Realloc some memory for the array of ptr to the SAM_ACCOUNT structs */ if (info->disp_info.num_account % MAX_SAM_ENTRIES == 0) { -- cgit From e1e64a26fac829b17d448da1a46d6eb9f9e006a6 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 21 Dec 2001 23:25:32 +0000 Subject: The jf_get_sampasswd_entries() is not used anymore. Jeremy. (This used to be commit bf1816099707b816c9b62ad5ab794dc49b833181) --- source3/rpc_server/srv_samr_nt.c | 335 --------------------------------------- 1 file changed, 335 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 3f63df660b..b6ed81407d 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -311,341 +311,6 @@ static NTSTATUS get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, return NT_STATUS_OK; } -static NTSTATUS jf_get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, - int *total_entries, uint32 *num_entries, - int max_num_entries, uint16 acb_mask) -{ - SAM_ACCOUNT *pwd = NULL; - BOOL not_finished = True; - - *num_entries = 0; - *total_entries = 0; - - if (pw_buf == NULL) - return NT_STATUS_NO_MEMORY; - - DEBUG(10,("jf_get_sampwd_entries: start index:%d, max entries:%d, mask:%d\n", - start_idx, max_num_entries, acb_mask)); - - if (!pdb_setsampwent(False)) { - DEBUG(0, ("jf_get_sampwd_entries: Unable to open passdb.\n")); - return NT_STATUS_ACCESS_DENIED; - } - - pdb_init_sam(&pwd); - - while (((not_finished = pdb_getsampwent(pwd)) != False) && (*num_entries) < max_num_entries) { - int user_name_len; - int full_name_len; - - if (acb_mask != 0 && !(pdb_get_acct_ctrl(pwd) & acb_mask)) { - pdb_reset_sam(pwd); - continue; - } - - if (start_idx > 0) { - /* skip the requested number of entries. - not very efficient, but hey... - */ - start_idx--; - pdb_reset_sam(pwd); - continue; - } - - ZERO_STRUCTP(&pw_buf[(*num_entries)]); - - user_name_len = strlen(pdb_get_username(pwd)); - init_unistr2(&pw_buf[(*num_entries)].uni_user_name, pdb_get_username(pwd), user_name_len); - init_uni_hdr(&pw_buf[(*num_entries)].hdr_user_name, user_name_len); - - full_name_len = strlen(pdb_get_fullname(pwd)); - init_unistr2(&pw_buf[(*num_entries)].uni_full_name, pdb_get_fullname(pwd), full_name_len); - init_uni_hdr(&pw_buf[(*num_entries)].hdr_full_name, full_name_len); - - pw_buf[(*num_entries)].user_rid = pdb_get_user_rid(pwd); - memset((char *)pw_buf[(*num_entries)].nt_pwd, '\0', 16); - - /* Now check if the NT compatible password is available. 
*/ - if (pdb_get_nt_passwd(pwd)) - memcpy( pw_buf[(*num_entries)].nt_pwd , pdb_get_nt_passwd(pwd), 16); - - pw_buf[(*num_entries)].acb_info = pdb_get_acct_ctrl(pwd); - - DEBUG(5, ("entry idx: %d user %s, rid 0x%x, acb %x\n", (*num_entries), - pdb_get_username(pwd), pdb_get_user_rid(pwd), pdb_get_acct_ctrl(pwd) )); - - (*num_entries)++; - - pdb_reset_sam(pwd); - } - - pdb_endsampwent(); - - *total_entries = *num_entries; - - pdb_free_sam(&pwd); - - if (not_finished) - return STATUS_MORE_ENTRIES; - else - return NT_STATUS_OK; -} - -#if 0 /* This function appears to be unused! */ - -/******************************************************************* - This function uses the username map file and tries to map a UNIX - user name to an DOS name. (Sort of the reverse of the - map_username() function.) Since more than one DOS name can map - to the UNIX name, to reverse the mapping you have to specify - which corresponding DOS name you want; that's where the name_idx - parameter comes in. Returns the string requested or NULL if it - fails or can't complete the request for any reason. This doesn't - handle group names (starting with '@') or names starting with - '+' or '&'. If they are encountered, they are skipped. -********************************************************************/ - -static char *unmap_unixname(char *unix_user_name, int name_idx) -{ - char *mapfile = lp_username_map(); - char **lines; - static pstring tok; - int i; - - if (!*unix_user_name) return NULL; - if (!*mapfile) return NULL; - - lines = file_lines_load(mapfile, NULL); - if (!lines) { - DEBUG(0,("unmap_unixname: can't open username map %s\n", mapfile)); - return NULL; - } - - DEBUG(5,("unmap_unixname: scanning username map %s, index: %d\n", mapfile, name_idx)); - - for (i=0; lines[i]; i++) { - char *unixname = lines[i]; - char *dosname = strchr_m(unixname,'='); - - if (!dosname) - continue; - - *dosname++ = 0; - - while (isspace(*unixname)) - unixname++; - if ('!' 
== *unixname) { - unixname++; - while (*unixname && isspace(*unixname)) - unixname++; - } - - if (!*unixname || strchr_m("#;",*unixname)) - continue; - - if (strncmp(unixname, unix_user_name, strlen(unix_user_name))) - continue; - - /* We have matched the UNIX user name */ - - while(next_token(&dosname, tok, LIST_SEP, sizeof(tok))) { - if (!strchr_m("@&+", *tok)) { - name_idx--; - if (name_idx < 0 ) { - break; - } - } - } - - if (name_idx >= 0) { - DEBUG(0,("unmap_unixname: index too high - not that many DOS names\n")); - file_lines_free(lines); - return NULL; - } else { - file_lines_free(lines); - return tok; - } - } - - DEBUG(0,("unmap_unixname: Couldn't find the UNIX user name\n")); - file_lines_free(lines); - return NULL; -} - -#endif /* Unused function */ - -#if 0 /* This function seems to be not used anywhere! */ - -/******************************************************************* - This function sets up a list of users taken from the list of - users that UNIX knows about, as well as all the user names that - Samba maps to a valid UNIX user name. (This should work with - /etc/passwd or NIS.) 
-********************************************************************/ - -static BOOL get_passwd_entries(SAM_USER_INFO_21 *pw_buf, - int start_idx, - int *total_entries, int *num_entries, - int max_num_entries, - uint16 acb_mask) -{ - static struct passwd *pwd = NULL; - static uint32 pw_rid; - static BOOL orig_done = False; - static int current_idx = 0; - static int mapped_idx = 0; - char *sep; - - DEBUG(5, ("get_passwd_entries: retrieving a list of UNIX users\n")); - - (*num_entries) = 0; - (*total_entries) = 0; - - /* Skip all this stuff if we're in appliance mode */ - - if (lp_hide_local_users()) goto done; - - if (pw_buf == NULL) return False; - - if (current_idx == 0) { - sys_setpwent(); - } - - /* These two cases are inefficient, but should be called very rarely */ - /* they are the cases where the starting index isn't picking up */ - /* where we left off last time. It is efficient when it starts over */ - /* at zero though. */ - if (start_idx > current_idx) { - /* We aren't far enough; advance to start_idx */ - while (current_idx <= start_idx) { - char *unmap_name; - - if(!orig_done) { - if ((pwd = sys_getpwent()) == NULL) break; - current_idx++; - orig_done = True; - } - - while (((unmap_name = unmap_unixname(pwd->pw_name, mapped_idx)) != NULL) && - (current_idx < start_idx)) { - current_idx++; - mapped_idx++; - } - - if (unmap_name == NULL) { - orig_done = False; - mapped_idx = 0; - } - } - } else if (start_idx < current_idx) { - /* We are already too far; start over and advance to start_idx */ - sys_endpwent(); - sys_setpwent(); - current_idx = 0; - mapped_idx = 0; - orig_done = False; - while (current_idx < start_idx) { - char *unmap_name; - - if(!orig_done) { - if ((pwd = sys_getpwent()) == NULL) break; - current_idx++; - orig_done = True; - } - - while (((unmap_name = unmap_unixname(pwd->pw_name, mapped_idx)) != NULL) && - (current_idx < start_idx)) { - current_idx++; - mapped_idx++; - } - - if (unmap_name == NULL) { - orig_done = False; - mapped_idx = 
0; - } - } - } - - sep = lp_winbind_separator(); - - /* now current_idx == start_idx */ - while ((*num_entries) < max_num_entries) { - int user_name_len; - char *unmap_name; - - /* This does the original UNIX user itself */ - if(!orig_done) { - if ((pwd = sys_getpwent()) == NULL) break; - - /* Don't enumerate winbind users as they are not local */ - - if (strchr_m(pwd->pw_name, *sep) != NULL) { - continue; - } - - user_name_len = strlen(pwd->pw_name); - - /* skip the trust account stored in the /etc/passwd file */ - if (pwd->pw_name[user_name_len-1]=='$') - continue; - - pw_rid = pdb_uid_to_user_rid(pwd->pw_uid); - ZERO_STRUCTP(&pw_buf[(*num_entries)]); - init_unistr2(&pw_buf[(*num_entries)].uni_user_name, pwd->pw_name, user_name_len); - init_uni_hdr(&pw_buf[(*num_entries)].hdr_user_name, user_name_len); - pw_buf[(*num_entries)].user_rid = pw_rid; - memset((char *)pw_buf[(*num_entries)].nt_pwd, '\0', 16); - - pw_buf[(*num_entries)].acb_info = ACB_NORMAL; - - DEBUG(5, ("get_passwd_entries: entry idx %d user %s, rid 0x%x\n", (*num_entries), pwd->pw_name, pw_rid)); - - (*num_entries)++; - (*total_entries)++; - current_idx++; - orig_done = True; - } - - /* This does all the user names that map to the UNIX user */ - while (((unmap_name = unmap_unixname(pwd->pw_name, mapped_idx)) != NULL) && - (*num_entries < max_num_entries)) { - user_name_len = strlen(unmap_name); - ZERO_STRUCTP(&pw_buf[(*num_entries)]); - init_unistr2(&pw_buf[(*num_entries)].uni_user_name, unmap_name, user_name_len); - init_uni_hdr(&pw_buf[(*num_entries)].hdr_user_name, user_name_len); - pw_buf[(*num_entries)].user_rid = pw_rid; - memset((char *)pw_buf[(*num_entries)].nt_pwd, '\0', 16); - - pw_buf[(*num_entries)].acb_info = ACB_NORMAL; - - DEBUG(5, ("get_passwd_entries: entry idx %d user %s, rid 0x%x\n", (*num_entries), pwd->pw_name, pw_rid)); - - (*num_entries)++; - (*total_entries)++; - current_idx++; - mapped_idx++; - } - - if (unmap_name == NULL) { - /* done with 'aliases', go on to next UNIX user 
*/ - orig_done = False; - mapped_idx = 0; - } - } - - if (pwd == NULL) { - /* totally done, reset everything */ - sys_endpwent(); - current_idx = 0; - mapped_idx = 0; - } - -done: - return (*num_entries) > 0; -} - -#endif /* Unused function */ - /******************************************************************* _samr_close_hnd ********************************************************************/ -- cgit From 7478d27e70722b3c8f280a38ac4698e472db73a4 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 21 Dec 2001 23:28:04 +0000 Subject: Removed unused variables. Jeremy. (This used to be commit 621fa227bdf6af15daa13f62287978dc2310c04c) --- source3/rpc_server/srv_samr_nt.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b6ed81407d..6e25da1710 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -141,8 +141,6 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) for (pdb_init_sam(&pwd); pdb_getsampwent(pwd) == True; pwd=NULL, pdb_init_sam(&pwd) ) { - uint32 len_sam_name, len_sam_full, len_sam_desc; - if (acb_mask != 0 && !(pwd->acct_ctrl & acb_mask)) { pdb_free_sam(&pwd); DEBUG(5,(" acb_mask %x reject\n", acb_mask)); -- cgit From 120607cab1ccd5e10a26a7ef367c53e766ba4293 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Mon, 31 Dec 2001 22:37:51 +0000 Subject: Fixed enumeration of a large (<1500) users from a Samba PDC to a W2k member server. Firstly, use the same max enumeration size (0x400) as W2K uses, otherwise W2K won't ask for any more. Secondly, if a enumeration request with a non-zero offset comes in on a handle that hasn't started an enumeration, don't bitch about it (return NT_STATUS_UNSUCCESSFUL), just load the db on that handle and return at that offset. Jeremy. (This used to be commit 0b7da4a50ea02e28ab23e71de1e5f8b9194a9af3) --- source3/rpc_server/srv_samr_nt.c | 6 ------ 1 file changed, 6 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 6e25da1710..2c599c9d79 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -901,9 +901,6 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ case 0x1: case 0x2: case 0x4: - if (enum_context!=0 && info->disp_info.user_dbloaded==False) - return NT_STATUS_UNSUCCESSFUL; - become_root(); r_u->status=load_sampwd_entries(info, acb_mask); unbecome_root(); @@ -914,9 +911,6 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ break; case 0x3: case 0x5: - if (enum_context!=0 && info->disp_info.group_dbloaded==False) - return NT_STATUS_UNSUCCESSFUL; - r_u->status = load_group_domain_entries(info, &info->sid); if (NT_STATUS_IS_ERR(r_u->status)) return r_u->status; -- cgit From 38851c64d916c89d494380d13fed8749ee56158b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 31 Dec 2001 23:24:48 +0000 Subject: last_enum not used. Jeremy. (This used to be commit efbec935fe727d5d5bd852c7bae9baf92df18686) --- source3/rpc_server/srv_samr_nt.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 2c599c9d79..17d5f2eb6a 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -45,7 +45,6 @@ typedef struct _disp_info { BOOL group_dbloaded; uint32 num_account; uint32 total_size; - uint32 last_enum; DISP_USER_INFO *disp_user_info; DISP_GROUP_INFO *disp_group_info; } DISP_INFO; @@ -82,7 +81,6 @@ static void free_samr_db(struct samr_info *info) info->disp_info.group_dbloaded=False; info->disp_info.num_account=0; info->disp_info.total_size=0; - info->disp_info.last_enum=0; } @@ -173,7 +171,6 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) /* the snapshoot is in memory, we're ready to enumerate fast */ info->disp_info.user_dbloaded=True; - info->disp_info.last_enum=0; DEBUG(12,("load_sampwd_entries: done\n")); @@ -223,7 +220,6 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) /* the snapshoot is in memory, we're ready to enumerate fast */ info->disp_info.group_dbloaded=True; - info->disp_info.last_enum=0; DEBUG(12,("load_group_domain_entries: done\n")); -- cgit From 71f982c9f2f450d660406d6015ff9756bf317218 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 2 Jan 2002 07:27:33 +0000 Subject: Make user enumeration work for w2k and win9x. This means different return sizes depending on client bugs. This sucks :-(. Jeremy. (This used to be commit f6592628eb526c487069bb3fcd809aca930e668e) --- source3/rpc_server/srv_samr_nt.c | 156 +++++++++++++++++++++------------------ 1 file changed, 85 insertions(+), 71 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 17d5f2eb6a..febbf21f67 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -6,7 +6,7 @@ * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, * Copyright (C) Paul Ashton 1997. * Copyright (C) Marc Jacobsen 1999. - * Copyright (C) Jeremy Allison 2001. + * Copyright (C) Jeremy Allison 2001-2002. * Copyright (C) Jean François Micouleau 1998-2001. * * This program is free software; you can redistribute it and/or modify @@ -42,10 +42,10 @@ extern rid_name builtin_alias_rids[]; typedef struct _disp_info { BOOL user_dbloaded; - BOOL group_dbloaded; - uint32 num_account; - uint32 total_size; + uint32 num_user_account; DISP_USER_INFO *disp_user_info; + BOOL group_dbloaded; + uint32 num_group_account; DISP_GROUP_INFO *disp_group_info; } DISP_INFO; @@ -56,6 +56,28 @@ struct samr_info { DISP_INFO disp_info; }; +/******************************************************************* + Create a samr_info struct. +********************************************************************/ + +static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) +{ + struct samr_info *info; + fstring sid_str; + + if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + return NULL; + + ZERO_STRUCTP(info); + if (psid) { + DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_to_string(sid_str, psid) )); + sid_copy( &info->sid, psid); + } else { + DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n")); + } + return info; +} + /******************************************************************* Function to free the per handle data. ********************************************************************/ 
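Review bot: The header comment on the new `get_samr_info_by_sid` says only "Create a samr_info struct", while the name reads like a lookup, so ownership of the result is left for the reader to work out. The comment should say that the function allocates a zeroed struct, copies `psid` into it when one is given, and that the caller owns the result until a policy handle takes it over with `free_samr_info`. Suggested wording: `/* Allocate a zeroed samr_info, copying psid into it if non-NULL. Caller owns the result. */`. The allocation would also read better as `info = malloc(sizeof *info)` on its own line, without the cast.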
@@ -64,14 +86,14 @@ static void free_samr_db(struct samr_info *info) int i; if (info->disp_info.group_dbloaded) { - for (i=0; idisp_info.num_account; i++) + for (i=0; idisp_info.num_group_account; i++) SAFE_FREE(info->disp_info.disp_group_info[i].grp); SAFE_FREE(info->disp_info.disp_group_info); } if (info->disp_info.user_dbloaded){ - for (i=0; idisp_info.num_account; i++) + for (i=0; idisp_info.num_user_account; i++) pdb_free_sam(&info->disp_info.disp_user_info[i].sam); SAFE_FREE(info->disp_info.disp_user_info); @@ -79,8 +101,8 @@ static void free_samr_db(struct samr_info *info) info->disp_info.user_dbloaded=False; info->disp_info.group_dbloaded=False; - info->disp_info.num_account=0; - info->disp_info.total_size=0; + info->disp_info.num_group_account=0; + info->disp_info.num_user_account=0; } @@ -89,7 +111,7 @@ static void free_samr_info(void *ptr) struct samr_info *info=(struct samr_info *) ptr; free_samr_db(info); - SAFE_FREE(ptr); + SAFE_FREE(info); } /******************************************************************* @@ -114,8 +136,10 @@ static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass) if (!sam_pass) return; - if (sam_pass->lm_pw) memset(sam_pass->lm_pw, '\0', 16); - if (sam_pass->nt_pw) memset(sam_pass->nt_pw, '\0', 16); + if (sam_pass->lm_pw) + memset(sam_pass->lm_pw, '\0', 16); + if (sam_pass->nt_pw) + memset(sam_pass->nt_pw, '\0', 16); } 
@@ -146,11 +170,11 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) } /* Realloc some memory for the array of ptr to the SAM_ACCOUNT structs */ - if (info->disp_info.num_account % MAX_SAM_ENTRIES == 0) { + if (info->disp_info.num_user_account % MAX_SAM_ENTRIES == 0) { DEBUG(10,("load_sampwd_entries: allocating more memory\n")); pwd_array=(DISP_USER_INFO *)Realloc(info->disp_info.disp_user_info, - (info->disp_info.num_account+MAX_SAM_ENTRIES)*sizeof(DISP_USER_INFO)); + (info->disp_info.num_user_account+MAX_SAM_ENTRIES)*sizeof(DISP_USER_INFO)); if (pwd_array==NULL) return NT_STATUS_NO_MEMORY; @@ -159,11 +183,11 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) } /* link the SAM_ACCOUNT to the array */ - info->disp_info.disp_user_info[info->disp_info.num_account].sam=pwd; + info->disp_info.disp_user_info[info->disp_info.num_user_account].sam=pwd; - DEBUG(10,("load_sampwd_entries: entry: %d\n", info->disp_info.num_account)); + DEBUG(10,("load_sampwd_entries: entry: %d\n", info->disp_info.num_user_account)); - info->disp_info.num_account++; + info->disp_info.num_user_account++; } pdb_endsampwent(); @@ -194,9 +218,9 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV); - info->disp_info.num_account=group_entries; + info->disp_info.num_group_account=group_entries; - grp_array=(DISP_GROUP_INFO *)malloc(info->disp_info.num_account*sizeof(DISP_GROUP_INFO)); + grp_array=(DISP_GROUP_INFO *)malloc(info->disp_info.num_group_account*sizeof(DISP_GROUP_INFO)); if (group_entries!=0 && grp_array==NULL) { SAFE_FREE(map); 
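Review bot: The `return NT_STATUS_NO_MEMORY` after the failed `Realloc` in load_sampwd_entries leaves without `pdb_endsampwent()` and without `pdb_free_sam(&pwd)` for the record that was just fetched. The entries gathered so far are also out of reach of free_samr_db, which releases the user array only when `user_dbloaded` is set, and that flag is set after the loop; whether `Realloc` releases the old array on failure is not visible here. These records carry the LM and NT hashes, so the error path should run `pdb_free_sam(&pwd); pdb_endsampwent();` and free what was collected before returning. The function starts and ends outside this hunk.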
@@ -337,12 +361,9 @@ NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN return NT_STATUS_INVALID_HANDLE; /* associate the domain SID with the (unique) handle. */ - if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + if ((info = get_samr_info_by_sid(&q_u->dom_sid.sid))==NULL) return NT_STATUS_NO_MEMORY; - ZERO_STRUCTP(info); - info->sid = q_u->dom_sid.sid; - /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, &r_u->domain_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; @@ -847,8 +868,12 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ SAM_DISPINFO_CTR *ctr; uint32 temp_size=0, total_data_size=0; - uint32 i; NTSTATUS disp_ret; + uint32 num_account = 0; + enum remote_arch_types ra_type = get_remote_arch(); + int max_sam_entries; + + max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K; DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__)); r_u->status = NT_STATUS_OK; @@ -904,12 +929,14 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n")); return r_u->status; } + num_account = info->disp_info.num_user_account; break; case 0x3: case 0x5: r_u->status = load_group_domain_entries(info, &info->sid); if (NT_STATUS_IS_ERR(r_u->status)) return r_u->status; + num_account = info->disp_info.num_group_account; break; default: DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n", (unsigned int)q_u->switch_level )); 
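Review bot: When `create_policy_hnd` fails in _samr_open_domain the function returns `NT_STATUS_OBJECT_NAME_NOT_FOUND` and the `info` just obtained from `get_samr_info_by_sid` is not released in the lines shown. Unless create_policy_hnd runs the `free_samr_info` callback on its own failure path (not visible here), each failed open leaks one struct. The same pattern is in the _api_samr_open_user, _api_samr_open_alias, _samr_create_dom_group and _samr_create_dom_alias hunks. If the callee does not free, the fix per site is `if (!create_policy_hnd(p, &r_u->domain_pol, free_samr_info, (void *)info)) { free_samr_info(info); return NT_STATUS_OBJECT_NAME_NOT_FOUND; }`. The function body continues outside the hunk.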
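Review bot: `max_sam_entries` in _samr_query_dispinfo is chosen from `get_remote_arch()`, a value derived from what the client presented, and the declaration carries no comment saying why two caps exist. Both candidates are fixed constants, so a client that presents as another architecture only moves between two bounded page sizes; that is worth stating next to the assignment, for example `/* W2K stops enumerating unless it gets its own page size back; Win9x clients need a different one. Both caps are constants. */`. The variable is an `int` while the neighbouring counters are `uint32`, so declaring it `uint32` would keep the later `max_entries > max_sam_entries` comparison in one signedness (the type of `max_entries` is declared outside the hunk).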
@@ -917,19 +944,19 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ } /* first limit the number of entries we will return */ - if(max_entries > MAX_SAM_ENTRIES) { - DEBUG(5, ("samr_reply_query_dispinfo: client requested %d entries, limiting to %d\n", max_entries, MAX_SAM_ENTRIES)); - max_entries = MAX_SAM_ENTRIES; + if(max_entries > max_sam_entries) { + DEBUG(5, ("samr_reply_query_dispinfo: client requested %d entries, limiting to %d\n", max_entries, max_sam_entries)); + max_entries = max_sam_entries; } - if (enum_context > info->disp_info.num_account) { + if (enum_context > num_account) { DEBUG(5, ("samr_reply_query_dispinfo: enumeration handle over total entries\n")); return NT_STATUS_OK; } /* verify we won't overflow */ - if (max_entries > info->disp_info.num_account-enum_context) { - max_entries = info->disp_info.num_account-enum_context; + if (max_entries > num_account-enum_context) { + max_entries = num_account-enum_context; DEBUG(5, ("samr_reply_query_dispinfo: only %d entries to return\n", max_entries)); } @@ -1000,9 +1027,9 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ } /* calculate the total size */ - total_data_size=info->disp_info.num_account*struct_size; + total_data_size=num_account*struct_size; - if (enum_context+max_entries < info->disp_info.num_account) + if (enum_context+max_entries < num_account) r_u->status = STATUS_MORE_ENTRIES; DEBUG(5, ("_samr_query_dispinfo: %d\n", __LINE__)); @@ -1013,7 +1040,6 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ } - /******************************************************************* samr_reply_query_aliasinfo ********************************************************************/ 
@@ -1380,12 +1406,9 @@ NTSTATUS _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN return NT_STATUS_NO_SUCH_USER; /* associate the user's SID with the new handle. */ - if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + if ((info = get_samr_info_by_sid(&sid)) == NULL) return NT_STATUS_NO_MEMORY; - ZERO_STRUCTP(info); - info->sid = sid; - /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; @@ -1778,7 +1801,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n")); return r_u->status; } - num_users=info->disp_info.num_account; + num_users=info->disp_info.num_user_account; free_samr_db(info); r_u->status=load_group_domain_entries(info, &global_sam_sid); @@ -1786,7 +1809,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA DEBUG(5, ("_samr_query_dispinfo: load_group_domain_entries failed\n")); return r_u->status; } - num_groups=info->disp_info.num_account; + num_groups=info->disp_info.num_group_account; free_samr_db(info); /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */ @@ -1961,7 +1984,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ } /* associate the user's SID with the new handle. */ - if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) { + if ((info = get_samr_info_by_sid(&sid)) == NULL) { pdb_free_sam(&sam_pass); return NT_STATUS_NO_MEMORY; } 
@@ -1996,10 +2019,9 @@ NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CO r_u->status = NT_STATUS_OK; /* associate the user's SID with the new handle. */ - if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + if ((info = get_samr_info_by_sid(NULL)) == NULL) return NT_STATUS_NO_MEMORY; - ZERO_STRUCTP(info); info->status = q_u->unknown_0; /* get a (unique) handle. open a policy on it. */ @@ -2022,10 +2044,9 @@ NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u r_u->status = NT_STATUS_OK; /* associate the user's SID with the new handle. */ - if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + if ((info = get_samr_info_by_sid(NULL)) == NULL) return NT_STATUS_NO_MEMORY; - ZERO_STRUCTP(info); info->status = q_u->access_mask; /* get a (unique) handle. open a policy on it. */ @@ -2147,12 +2168,9 @@ NTSTATUS _api_samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OP */ /* associate the user's SID with the new handle. */ - if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + if ((info = get_samr_info_by_sid(&sid)) == NULL) return NT_STATUS_NO_MEMORY; - ZERO_STRUCTP(info); - info->sid = sid; - /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, alias_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; 
@@ -3229,18 +3247,16 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S r_u->rid=pdb_gid_to_group_rid(grp->gr_gid); /* add the group to the mapping table */ + sid_copy(&info_sid, &global_sam_sid); + sid_append_rid(&info_sid, r_u->rid); + sid_to_string(sid_string, &info_sid); + if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL, priv_set, PR_ACCESS_FROM_NETWORK)) return NT_STATUS_ACCESS_DENIED; - if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + if ((info = get_samr_info_by_sid(&info_sid)) == NULL) return NT_STATUS_NO_MEMORY; - ZERO_STRUCTP(info); - - sid_copy(&info_sid, &global_sam_sid); - sid_append_rid(&info->sid, r_u->rid); - sid_to_string(sid_string, &info->sid); - /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; @@ -3255,6 +3271,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, SAMR_R_CREATE_DOM_ALIAS *r_u) { DOM_SID dom_sid; + DOM_SID info_sid; fstring name; fstring sid_string; struct group *grp; 
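Review bot: In _samr_create_dom_group the mapping entry is written by `add_initial_entry` before `get_samr_info_by_sid` and `create_policy_hnd` are attempted, and neither failure return undoes it. A client then receives `NT_STATUS_NO_MEMORY` or `NT_STATUS_OBJECT_NAME_NOT_FOUND` for a group mapping that now exists, and a retry may collide with it. The _samr_create_dom_alias hunk has the same order. Either allocate `info` before calling add_initial_entry, or remove the mapping on the two failure paths; the function starts outside the hunk, so any earlier cleanup convention is not visible.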
@@ -3287,19 +3304,17 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S r_u->rid=pdb_gid_to_group_rid(grp->gr_gid); - if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) - return NT_STATUS_NO_MEMORY; - - ZERO_STRUCTP(info); - - sid_copy(&info->sid, &global_sam_sid); - sid_append_rid(&info->sid, r_u->rid); - sid_to_string(sid_string, &info->sid); + sid_copy(&info_sid, &global_sam_sid); + sid_append_rid(&info_sid, r_u->rid); + sid_to_string(sid_string, &info_sid); /* add the group to the mapping table */ if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, name, NULL, priv_set, PR_ACCESS_FROM_NETWORK)) return NT_STATUS_ACCESS_DENIED; + if ((info = get_samr_info_by_sid(&info_sid)) == NULL) + return NT_STATUS_NO_MEMORY; + /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, &r_u->alias_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; @@ -3455,6 +3470,7 @@ NTSTATUS _samr_get_dom_pwinfo(pipes_struct *p, SAMR_Q_GET_DOM_PWINFO *q_u, SAMR_ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_GROUP *r_u) { DOM_SID sid; + DOM_SID info_sid; GROUP_MAP map; struct samr_info *info; fstring sid_string; @@ -3466,14 +3482,12 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G if (!sid_equal(&sid, &global_sam_sid)) return NT_STATUS_ACCESS_DENIED; - if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) - return NT_STATUS_NO_MEMORY; - - ZERO_STRUCTP(info); + sid_copy(&info_sid, &global_sam_sid); + sid_append_rid(&info_sid, q_u->rid_group); + sid_to_string(sid_string, &info_sid); - sid_copy(&info->sid, &global_sam_sid); - sid_append_rid(&info->sid, q_u->rid_group); - sid_to_string(sid_string, &info->sid); + if ((info = get_samr_info_by_sid(&info_sid)) == NULL) + return NT_STATUS_NO_MEMORY; DEBUG(10, ("_samr_open_group:Opening SID: %s\n", sid_string)); 
@@ -3554,7 +3568,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n")); return r_u->status; } - num_users=info->disp_info.num_account; + num_users=info->disp_info.num_user_account; free_samr_db(info); r_u->status=load_group_domain_entries(info, &global_sam_sid); @@ -3562,7 +3576,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW DEBUG(5, ("_samr_query_dispinfo: load_group_domain_entries failed\n")); return r_u->status; } - num_groups=info->disp_info.num_account; + num_groups=info->disp_info.num_group_account; free_samr_db(info); /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */ -- cgit From a3f891dbd2e9ee1681e3c8295cd62a877c727d4f Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Wed, 2 Jan 2002 07:41:54 +0000 Subject: Actually enforce the passdb API. Thou shalt not reference SAM_ACCOUNT members directly - always use pdb_get/pdb_set. This is achived by making the whole of SAM_ACCOUNT have a .private member, where the real members live. This caught a pile of examples, and these have beeen fixed. The pdb_get..() functions are 'const' (have been for some time) and this required a few small changes to constify other functions. I've also added some debugs to the pdb get and set, they can be removed if requested. I've rewritten the copy_id2x_to_sam_pass() functions to use the new passdb interface, but I need the flags info to do it properly. The pdb_free_sam() funciton now blanks out the LM and NT hashes, and as such I have removed many extra 'samr_clear_sam_passwd(smbpass)' calls as a result. Finally, any and all testing is always appriciated - but the basics seem to work. Andrew Bartlett (This used to be commit d3dd28f6c443187b8d820d5a39c7c5b3be2fa95c) --- source3/rpc_server/srv_samr_nt.c | 46 ++++++++++++++++++---------------------- 1 file changed, 21 insertions(+), 25 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index febbf21f67..a54bf0d175 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -133,13 +133,14 @@ static void samr_clear_passwd_fields( SAM_USER_INFO_21 *pass, int num_entries) static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass) { + if (!sam_pass) return; - if (sam_pass->lm_pw) - memset(sam_pass->lm_pw, '\0', 16); - if (sam_pass->nt_pw) - memset(sam_pass->nt_pw, '\0', 16); + /* These now zero out the old password */ + + pdb_set_lanman_passwd(sam_pass, NULL); + pdb_set_nt_passwd(sam_pass, NULL); } 
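Review bot: The added comment `/* These now zero out the old password */` in samr_clear_sam_passwd states a property that this file can no longer show, since the 16-byte `memset` calls were replaced by `pdb_set_lanman_passwd(sam_pass, NULL)` and `pdb_set_nt_passwd(sam_pass, NULL)`. If either setter only drops the pointer, or fails, the hash bytes stay in memory and nothing here notices, because both return values are discarded. I would name the guarantee in the comment, e.g. `/* pdb_set_*_passwd(.., NULL) wipes the stored 16-byte hash before releasing it */`, once that is confirmed in the passdb code, and check the return values if the setters report failure. The blank line added after the opening brace can go.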
@@ -163,7 +164,7 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) for (pdb_init_sam(&pwd); pdb_getsampwent(pwd) == True; pwd=NULL, pdb_init_sam(&pwd) ) { - if (acb_mask != 0 && !(pwd->acct_ctrl & acb_mask)) { + if (acb_mask != 0 && !(pdb_get_acct_ctrl(pwd) & acb_mask)) { pdb_free_sam(&pwd); DEBUG(5,(" acb_mask %x reject\n", acb_mask)); continue; @@ -295,7 +296,7 @@ static NTSTATUS get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, user_name_len = strlen(pdb_get_username(pwd))+1; init_unistr2(&pw_buf[(*num_entries)].uni_user_name, pdb_get_username(pwd), user_name_len); init_uni_hdr(&pw_buf[(*num_entries)].hdr_user_name, user_name_len); - pw_buf[(*num_entries)].user_rid = pwd->user_rid; + pw_buf[(*num_entries)].user_rid = pdb_get_user_rid(pwd); memset((char *)pw_buf[(*num_entries)].nt_pwd, '\0', 16); /* Now check if the NT compatible password is available. */ @@ -307,7 +308,7 @@ static NTSTATUS get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, DEBUG(5, ("entry idx: %d user %s, rid 0x%x, acb %x", (*num_entries), pdb_get_username(pwd), pdb_get_user_rid(pwd), pdb_get_acct_ctrl(pwd) )); - if (acb_mask == 0 || (pwd->acct_ctrl & acb_mask)) { + if (acb_mask == 0 || (pdb_get_acct_ctrl(pwd) & acb_mask)) { DEBUG(5,(" acb_mask %x accepts\n", acb_mask)); (*num_entries)++; } else { @@ -1394,7 +1395,6 @@ NTSTATUS _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN return NT_STATUS_NO_SUCH_USER; } - samr_clear_sam_passwd(sampass); pdb_free_sam(&sampass); /* Get the domain SID stored in the domain policy */ @@ -1447,7 +1447,6 @@ static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) ZERO_STRUCTP(id10); init_sam_user_info10(id10, pdb_get_acct_ctrl(smbpass) ); - samr_clear_sam_passwd(smbpass); pdb_free_sam(&smbpass); return True; 
@@ -1723,13 +1722,11 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S unbecome_root(); if (ret == False) { - samr_clear_sam_passwd(sam_pass); pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; } if(!get_domain_user_groups(p->mem_ctx, &num_groups, &gids, sam_pass)) { - samr_clear_sam_passwd(sam_pass); pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_GROUP; } @@ -1739,7 +1736,6 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); - samr_clear_sam_passwd(sam_pass); pdb_free_sam(&sam_pass); return r_u->status; @@ -1998,7 +1994,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ return NT_STATUS_OBJECT_NAME_NOT_FOUND; } - r_u->user_rid=sam_pass->user_rid; + r_u->user_rid=pdb_get_user_rid(sam_pass); r_u->unknown_0 = 0x000703ff; pdb_free_sam(&sam_pass); @@ -2897,21 +2893,21 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE /* check if the user exists before trying to remove it from the group */ pdb_init_sam(&sam_pass); if(!pdb_getsampwrid(sam_pass, rid)) { - DEBUG(5,("_samr_del_aliasmem:User %s doesn't exist.\n", sam_pass->username)); + DEBUG(5,("_samr_del_aliasmem:User %s doesn't exist.\n", pdb_get_username(sam_pass))); pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; } /* if the user is not in the group */ - if(!user_in_group_list(sam_pass->username, grp_name)) { + if(!user_in_group_list(pdb_get_username(sam_pass), grp_name)) { pdb_free_sam(&sam_pass); return NT_STATUS_MEMBER_IN_ALIAS; } - smb_delete_user_group(grp_name, sam_pass->username); + smb_delete_user_group(grp_name, pdb_get_username(sam_pass)); /* check if the user has been removed then ... */ - if(user_in_group_list(sam_pass->username, grp_name)) { + if(user_in_group_list(pdb_get_username(sam_pass), grp_name)) { pdb_free_sam(&sam_pass); return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */ } 
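Review bot: The `DEBUG(5, ...)` in the `!pdb_getsampwrid(sam_pass, rid)` branch of _samr_del_aliasmem now prints `pdb_get_username(sam_pass)` for an account that was just initialised and not found, so the `%s` argument is most likely NULL or empty and the log line never identifies what was asked for. Log the RID that was looked up instead: `DEBUG(5,("_samr_del_aliasmem: rid 0x%x doesn't exist.\n", (unsigned int)rid));`. The same message is in the _samr_del_groupmem and _samr_delete_dom_user hunks. Separately, the two status codes in this hunk look swapped (`NT_STATUS_MEMBER_IN_ALIAS` when the user is not in the group, `NT_STATUS_MEMBER_NOT_IN_ALIAS` when the removal did not take effect), which is worth confirming.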
@@ -3016,21 +3012,21 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE /* check if the user exists before trying to remove it from the group */ pdb_init_sam(&sam_pass); if(!pdb_getsampwrid(sam_pass, rid)) { - DEBUG(5,("User %s doesn't exist.\n", sam_pass->username)); + DEBUG(5,("User %s doesn't exist.\n", pdb_get_username(sam_pass))); pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; } /* if the user is not in the group */ - if(!user_in_group_list(sam_pass->username, grp_name)) { + if(!user_in_group_list(pdb_get_username(sam_pass), grp_name)) { pdb_free_sam(&sam_pass); return NT_STATUS_MEMBER_NOT_IN_GROUP; } - smb_delete_user_group(grp_name, sam_pass->username); + smb_delete_user_group(grp_name, pdb_get_username(sam_pass)); /* check if the user has been removed then ... */ - if(user_in_group_list(sam_pass->username, grp_name)) { + if(user_in_group_list(pdb_get_username(sam_pass), grp_name)) { pdb_free_sam(&sam_pass); return NT_STATUS_ACCESS_DENIED; /* don't know what to reply else */ } @@ -3064,7 +3060,7 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM /* check if the user exists before trying to delete */ pdb_init_sam(&sam_pass); if(!pdb_getsampwrid(sam_pass, rid)) { - DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n", sam_pass->username)); + DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n", pdb_get_username(sam_pass))); pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; } 
@@ -3075,11 +3071,11 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM * as the script is not necessary present * and maybe the sysadmin doesn't want to delete the unix side */ - smb_delete_user(sam_pass->username); + smb_delete_user(pdb_get_username(sam_pass)); /* and delete the samba side */ - if (!pdb_delete_sam_account(sam_pass->username)) { - DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", sam_pass->username)); + if (!pdb_delete_sam_account(pdb_get_username(sam_pass))) { + DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", pdb_get_username(sam_pass))); pdb_free_sam(&sam_pass); return NT_STATUS_CANNOT_DELETE; } -- cgit From c311d24ce32d2a8aa244f126bcec67ec03549727 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Thu, 17 Jan 2002 08:45:58 +0000 Subject: A nice *big* change to the fundemental way we do things. Samba (ab)uses the returns from getpwnam() a lot - in particular it keeps them around for a long time - often past the next call... This adds a getpwnam_alloc and a getpwuid_alloc to the collection. These function as expected, returning a malloced structure that can be free()ed with passwd_free(&passwd). This patch also cuts down on the number of calls to getpwnam - mostly by taking advantage of the fact that the passdb interface is already case-insensiteve. With this patch most of the recursive cases have been removed (that I know of) and the problems are reduced further by not using the sys_ interface in the new code. This means that pointers to the cache won't be affected. (This is a tempoary HACK, I intend to kill the password cache entirly). The only change I'm a little worried about is the change to rpc_server/srv_samr_nt.c for private groups. In this case we are getting groups from the new group mapping DB. Do we still need to check for private groups? I've toned down the check to a case sensitve match with the new code, but we might be able to kill it entirly. I've also added a make_modifyable_passwd() function, that copies a passwd struct into the form that the old sys_getpw* code provided. As far as I can tell this is only actually used in the pass_check.c crazies, where I moved the final 'special case' for shadow passwords (out of _Get_Pwnam()). The matching case for getpwent() is dealt with already, in lib/util_getent.c Also included in here is a small change to register the [homes] share at vuid creation rather than just in one varient of the session setup. (This picks up the SPNEGO cases). The home directory is now stored on the vuid, and I am hoping this might provide a saner way to do %H substitions. 
TODO: Kill off remaining Get_Pwnam_Modify calls (they are not needed), change the remaining sys_getpwnam() callers to use getpwnam_alloc() and move Get_Pwnam to return an allocated struct. Andrew Bartlett (This used to be commit 1d86c7f94230bc53daebd4d2cd829da6292e05da) --- source3/rpc_server/srv_samr_nt.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index a54bf0d175..c17e22ada2 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -659,6 +659,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM char *sep; struct sys_grent *glist; struct sys_grent *grp; + struct passwd *pw; sep = lp_winbind_separator(); @@ -696,8 +697,18 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM } /* Don't return user private groups... */ - if (Get_Pwnam(smap.nt_name) != 0) { + + /* + * We used to do a Get_Pwnam() here, but this has been + * trimmed back to the common case for private groups + * to save lookups and to use the _alloc interface. + * + * This also matches the group mapping code + */ + + if ((pw = getpwnam_alloc(smap.nt_name)) != 0) { DEBUG(10,("get_group_alias_entries: not returing %s, clashes with user.\n", smap.nt_name )); + passwd_free(&pw); continue; } @@ -1245,9 +1256,9 @@ NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_ (void)map_username(user_name); /* - * Do any UNIX username case mangling. + * UNIX username case mangling not required, pass_oem_change + * is case insensitive. */ - (void)Get_Pwnam_Modify( user_name); if (!pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash, q_u->nt_newpass.pass, q_u->nt_oldhash.hash)) -- cgit From 93a8358910d2b8788ffea33c04244ffd5ffecabf Mon Sep 17 00:00:00 2001 
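Review bot: The new test `(pw = getpwnam_alloc(smap.nt_name)) != 0` in get_group_alias_entries compares a pointer with `0`; `!= NULL` states the intent, and the assignment is clearer on its own line before the `if`. The added comment says the lookup was trimmed to the common case, so a group whose name differs from a user name only in case is now returned where `Get_Pwnam` might have filtered it. The comment should say that outright, e.g. `/* exact-case match only: a group differing from a user name just by case is still listed */`. The function begins and ends outside the hunk.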
From: Andrew Bartlett Date: Sun, 20 Jan 2002 01:24:59 +0000 Subject: This patch makes the 'winbind use default domain' code interact better with smbd, and also makes it much cleaner inside winbindd. It is mostly my code, with a few changes and testing performed by Alexander Bokovoy . ab has tested it in security=domain and security=ads, but more testing is always appricatiated. The idea is that we no longer cart around a 'domain\user' string, we keep them seperate until the last moment - when we push that string into a pwent on onto the socket. This removes the need to be constantly parsing that string - the domain prefix is almost always already provided, (only a couple of functions actually changed arguments in all this). Some consequential changes to the RPC client code, to stop it concatonating the two strings (it now passes them both back as params). I havn't changed the cache code, however the usernames will no longer have a double domain prefix in the key string. The actual structures are unchanged - but the meaning of 'username' in the 'rid' will have changed. (The cache is invalidated at startup, so on-disk formats are not an issue here). Andrew Bartlett (This used to be commit e870f0e727952aeb8599cf93ad2650ae56eca033) --- source3/rpc_server/srv_samr_nt.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c17e22ada2..6ac71298fa 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -656,12 +656,12 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM SAFE_FREE(map); } else if (sid_equal(sid, &global_sam_sid) && !lp_hide_local_users()) { - char *sep; struct sys_grent *glist; struct sys_grent *grp; struct passwd *pw; + gid_t winbind_gid_low, winbind_gid_high; - sep = lp_winbind_separator(); + lp_winbind_gid(&winbind_gid_low, &winbind_gid_high); /* local aliases */ /* we return the UNIX groups here. This seems to be the right */ @@ -691,7 +691,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM continue; /* Don't return winbind groups as they are not local! */ - if (strchr_m(smap.nt_name, *sep) != NULL) { + if ((grp->gr_gid >= winbind_gid_low)&&(grp->gr_gid <= winbind_gid_high)) { DEBUG(10,("get_group_alias_entries: not returing %s, not local.\n", smap.nt_name )); continue; } -- cgit From 32101155d4a0c80faf392f56a6baa7b91847dd99 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 20 Jan 2002 13:26:31 +0000 Subject: Kill off another ugly wart from the side of the passdb subsystem. This time its the pdb_getsampwuid() function - which was only being used by the SAMR rpc subsystem to gain a 'user session key'. This 'user session key' is actually generated at login time, and the other changes here simply move that data around. This also means that (when I check some details) we will be able to use the user session key, even when we are not actually the DC, becouse its one of the components of the info3 struct returned on logon. Andrew Bartlett (This used to be commit 799ac01fe08a338e4e94289f5d6767ebf905c1fa) --- source3/rpc_server/srv_samr_nt.c | 39 +++------------------------------------ 1 file changed, 3 insertions(+), 36 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 6ac71298fa..cf9be78f3d 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
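Review bot: `winbind_gid_low` and `winbind_gid_high` in get_group_alias_entries are declared without initialisers and the result of `lp_winbind_gid(&winbind_gid_low, &winbind_gid_high)` is ignored. If that call leaves its outputs untouched when no winbind gid range is configured, the range test in the second hunk reads indeterminate values, and local groups could be hidden or winbind groups listed depending on stack contents. Initialise to an empty range, `gid_t winbind_gid_low = 1, winbind_gid_high = 0;`, or skip the filter when the call reports that no range is set. The function continues outside both hunks.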
@@ -2439,9 +2439,6 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE { uint32 rid = 0x0; DOM_SID sid; - struct current_user user; - SAM_ACCOUNT *sam_pass=NULL; - unsigned char sess_key[16]; POLICY_HND *pol = &q_u->pol; uint16 switch_value = q_u->switch_value; SAM_USERINFO_CTR *ctr = q_u->ctr; @@ -2451,13 +2448,6 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE r_u->status = NT_STATUS_OK; - if (p->ntlmssp_auth_validated) { - memcpy(&user, &p->pipe_user, sizeof(user)); - } else { - extern struct current_user current_user; - memcpy(&user, ¤t_user, sizeof(user)); - } - /* find the policy handle. open a policy on it. */ if (!get_lsa_policy_samr_sid(p, pol, &sid)) return NT_STATUS_INVALID_HANDLE; @@ -2471,29 +2461,6 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE return NT_STATUS_INVALID_INFO_CLASS; } - - pdb_init_sam(&sam_pass); - - /* - * We need the NT hash of the user who is changing the user's password. - * This NT hash is used to generate a "user session key" - * This "user session key" is in turn used to encrypt/decrypt the user's password. - */ - - become_root(); - ret = pdb_getsampwuid(sam_pass, user.uid); - unbecome_root(); - if(ret == False) { - DEBUG(0,("_samr_set_userinfo: Unable to get smbpasswd entry for uid %u\n", (unsigned int)user.uid )); - pdb_free_sam(&sam_pass); - return NT_STATUS_ACCESS_DENIED; - } - - memset(sess_key, '\0', 16); - mdfour(sess_key, pdb_get_nt_passwd(sam_pass), 16); - - pdb_free_sam(&sam_pass); - /* ok! user info levels (lots: see MSDEV help), off we go... */ switch (switch_value) { case 0x12: @@ -2502,7 +2469,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE break; case 24: - SamOEMhash(ctr->info.id24->pass, sess_key, 516); + SamOEMhash(ctr->info.id24->pass, p->session_key, 516); dump_data(100, (char *)ctr->info.id24->pass, 516); 
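Review bot: `SamOEMhash(ctr->info.id24->pass, p->session_key, 516)` in _samr_set_userinfo now uses `p->session_key` with no check that a key was established for this pipe; the removed code returned `NT_STATUS_ACCESS_DENIED` when it could not derive one for the calling uid. If the field is all zeros or stale for an anonymous or otherwise unauthenticated connection (where it is filled is outside this diff), the password buffer is decoded with a predictable key. A guard before the switch, such as rejecting the call when `p->ntlmssp_auth_validated` is false or the key is unset, would keep the old failure mode; the exact condition depends on where the login code stores the key. The level 25 and 23 hunks that follow use the key the same way.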
@@ -2520,7 +2487,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE * info level and W2K SP2 drops down to level 23... JRA. */ - SamOEMhash(ctr->info.id25->pass, sess_key, 532); + SamOEMhash(ctr->info.id25->pass, p->session_key, 532); dump_data(100, (char *)ctr->info.id25->pass, 532); @@ -2531,7 +2498,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE return NT_STATUS_INVALID_INFO_CLASS; case 23: - SamOEMhash(ctr->info.id23->pass, sess_key, 516); + SamOEMhash(ctr->info.id23->pass, p->session_key, 516); dump_data(100, (char *)ctr->info.id23->pass, 516); -- cgit From 1a74d8d1f0758d15c5c35d20e33d9868565812cf Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Sun, 20 Jan 2002 14:30:58 +0000 Subject: This is another *BIG* change... Samba now features a pluggable passdb interface, along the same lines as the one in use in the auth subsystem. In this case, only one backend may be active at a time by the 'normal' interface, and only one backend per passdb_context is permitted outside that. This pluggable interface is designed to allow any number of passdb backends to be compiled in, with the selection at runtime. The 'passdb backend' paramater has been created (and documented!) to support this. As such, configure has been modfied to allow (for example) --with-ldap and the old smbpasswd to be selected at the same time. This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua. These two backends accept 'non unix accounts', where the user does *not* exist in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to avoid conflicts in the algroitmic mapping of RIDs, they use the values specified in the 'non unix account range' paramter - in the same way as the winbind ranges are specifed. While I was at it, I cleaned up some of the code in pdb_tdb (code copied directly from smbpasswd and not really considered properly). Most of this was to do with % macro expansion on stored data. It isn't easy to get the macros into the tdb, and the first password change will 'expand' them. tdbsam needs to use a similar system to pdb_ldap in this regard. This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I don't have the test facilities for these. I plan to incoroprate at least pdb_ldap into this scheme after consultation with Jerry. Each (converted) passdb module now no longer has any 'static' variables, and only exports 1 init function outside its .c file. The non-unix-account support in this patch has been proven! It is now possible to join a win2k machine to a Samba PDC without an account in /etc/passwd! 
Other changes: Minor interface adjustments: pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*. pdb_update_sam_account() no longer takes the 'override' argument that was being ignored so often (every other passdb backend). Extra checks have been added in some places. Minor code changes: smbpasswd no longer attempts to initialise the passdb at startup, this is now done on first use. pdbedit has lost some of its 'machine account' logic, as this behaviour is now controlled by the passdb subsystem directly. The samr subsystem no longer calls 'local password change', but does the pdb interactions directly. This allow the ACB_ flags specifed to be transferred direct to the backend, without interference. Doco: I've updated the doco to reflect some of the changes, and removed some paramters no longer applicable to HEAD. (This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b) --- source3/rpc_server/srv_samr_nt.c | 116 ++++++++++++++++++++++++--------------- 1 file changed, 72 insertions(+), 44 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index cf9be78f3d..d079403455 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1869,9 +1869,6 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ { SAM_ACCOUNT *sam_pass=NULL; fstring account; - pstring err_str; - pstring msg_str; - int local_flags=0; DOM_SID sid; pstring add_script; POLICY_HND dom_pol = q_u->domain_pol; @@ -1880,6 +1877,8 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ POLICY_HND *user_pol = &r_u->user_pol; struct samr_info *info = NULL; BOOL ret; + NTSTATUS nt_status; + struct passwd *pw; /* find the policy handle. open a policy on it. */ if (!find_policy_by_hnd(p, &dom_pol, NULL)) 
@@ -1905,8 +1904,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ return NT_STATUS_USER_EXISTS; } - local_flags=LOCAL_ADD_USER|LOCAL_DISABLE_USER|LOCAL_SET_NO_PASSWORD; - local_flags|= (acb_info & ACB_WSTRUST) ? LOCAL_TRUST_ACCOUNT:0; + pdb_free_sam(&sam_pass); /* * NB. VERY IMPORTANT ! This call must be done as the current pipe user, 
@@ -1955,32 +1953,54 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ pstrcpy(add_script, lp_adduser_script()); if(*add_script) { - int add_ret; - all_string_sub(add_script, "%u", account, sizeof(account)); - add_ret = smbrun(add_script,NULL); - DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n",add_script,add_ret)); - } + int add_ret; + all_string_sub(add_script, "%u", account, sizeof(account)); + add_ret = smbrun(add_script,NULL); + DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); + } + + pw = getpwnam_alloc(account); - /* add the user in the smbpasswd file or the Samba authority database */ - if (!local_password_change(account, local_flags, NULL, err_str, - sizeof(err_str), msg_str, sizeof(msg_str))) { - DEBUG(0, ("%s\n", err_str)); - pdb_free_sam(&sam_pass); - return NT_STATUS_ACCESS_DENIED; + if (pw) { + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sam_pass, pw))) { + passwd_free(&pw); + return nt_status; + } + passwd_free(&pw); /* done with this now */ + } else { + DEBUG(3,("attempting to create non-unix account %s\n", account)); + + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_pass))) { + return nt_status; + } + + if (!pdb_set_username(sam_pass, account)) { + pdb_free_sam(&sam_pass); + return NT_STATUS_NO_MEMORY; + } } - become_root(); - ret = pdb_getsampwnam(sam_pass, account); - unbecome_root(); - if (ret == False) { - /* account doesn't exist: say so */ - pdb_free_sam(&sam_pass); - return NT_STATUS_ACCESS_DENIED; - } + pdb_set_acct_ctrl(sam_pass, acb_info); + + if (!pdb_add_sam_account(sam_pass)) { + pdb_free_sam(&sam_pass); + DEBUG(0, ("could not add user/computer %s to passdb. 
Check permissions?\n", + account)); + return NT_STATUS_ACCESS_DENIED; + } - /* Get the domain SID stored in the domain policy */ - if(!get_lsa_policy_samr_sid(p, &dom_pol, &sid)) { - pdb_free_sam(&sam_pass); + pdb_reset_sam(sam_pass); + + if (!pdb_getsampwnam(sam_pass, account)) { + pdb_free_sam(&sam_pass); + DEBUG(0, ("could not find user/computer %s just added to passdb?!?\n", + account)); + return NT_STATUS_ACCESS_DENIED; + } + + /* Get the domain SID stored in the domain policy */ + if(!get_lsa_policy_samr_sid(p, &dom_pol, &sid)) { + pdb_free_sam(&sam_pass); return NT_STATUS_INVALID_HANDLE; } @@ -2214,7 +2234,7 @@ static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, uint32 rid) return False; } - if(!pdb_update_sam_account(pwd, True)) { + if(!pdb_update_sam_account(pwd)) { pdb_free_sam(&pwd); return False; } @@ -2258,7 +2278,7 @@ static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, uint32 rid) return False; } - if(!pdb_update_sam_account(pwd, True)) { + if(!pdb_update_sam_account(pwd)) { pdb_free_sam(&pwd); return False; } @@ -2297,7 +2317,7 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) */ /* write the change out */ - if(!pdb_update_sam_account(pwd, True)) { + if(!pdb_update_sam_account(pwd)) { pdb_free_sam(&pwd); return False; } @@ -2330,6 +2350,9 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) return False; } + DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n", + pdb_get_username(pwd))); + acct_ctrl = pdb_get_acct_ctrl(pwd); copy_id23_to_sam_passwd(pwd, id23); 
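Review bot: `pdb_set_acct_ctrl(sam_pass, acb_info);` stores the client-supplied account-control bits unchanged, whereas the removed `local_flags` line forced `LOCAL_DISABLE_USER|LOCAL_SET_NO_PASSWORD`. An account created over SAMR may therefore come up enabled before any password has been set. Unless the passdb backend applies its own default, which is not visible here, the call should keep the account disabled, e.g. `pdb_set_acct_ctrl(sam_pass, acb_info | ACB_DISABLED);`. The new `pdb_add_sam_account()` and `pdb_getsampwnam()` calls also run without the `become_root()`/`unbecome_root()` pair that wrapped the removed lookup; a comment stating which identity is intended would make the "Check permissions?" message easier to act on. _api_samr_create_user continues outside the hunk.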
@@ -2345,10 +2368,11 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) } /* if it's a trust account, don't update /etc/passwd */ - if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || - ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) || - ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) { - DEBUG(5, ("Changing trust account password, not updating /etc/passwd\n")); + if ( (!IS_SAM_UNIX_USER(pwd)) || + ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || + ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) || + ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) { + DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n")); } else { /* update the UNIX password */ if (lp_unix_password_sync() ) @@ -2360,7 +2384,7 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) ZERO_STRUCT(plaintext_buf); - if(!pdb_update_sam_account(pwd, True)) { + if(!pdb_update_sam_account(pwd)) { pdb_free_sam(&pwd); return False; } @@ -2388,6 +2412,9 @@ static BOOL set_user_info_pw(char *pass, uint32 rid) return False; } + DEBUG(5, ("Attempting administrator password change for user %s\n", + pdb_get_username(pwd))); + acct_ctrl = pdb_get_acct_ctrl(pwd); ZERO_STRUCT(plaintext_buf); 
@@ -2403,25 +2430,27 @@ static BOOL set_user_info_pw(char *pass, uint32 rid) } /* if it's a trust account, don't update /etc/passwd */ - if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || - ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) || - ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) { - DEBUG(5, ("Changing trust account password, not updating /etc/passwd\n")); + if ( (!IS_SAM_UNIX_USER(pwd)) || + ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || + ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) || + ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) { + DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n")); } else { /* update the UNIX password */ - if (lp_unix_password_sync()) + if (lp_unix_password_sync()) { if(!chgpasswd(pdb_get_username(pwd), "", plaintext_buf, True)) { pdb_free_sam(&pwd); return False; } + } } ZERO_STRUCT(plaintext_buf); - DEBUG(5,("set_user_info_pw: pdb_update_sam_account()\n")); + DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n")); /* update the SAMBA password */ - if(!pdb_update_sam_account(pwd, True)) { + if(!pdb_update_sam_account(pwd)) { pdb_free_sam(&pwd); return False; } @@ -2442,7 +2471,6 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE POLICY_HND *pol = &q_u->pol; uint16 switch_value = q_u->switch_value; SAM_USERINFO_CTR *ctr = q_u->ctr; - BOOL ret; DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__)); @@ -3052,7 +3080,7 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM smb_delete_user(pdb_get_username(sam_pass)); /* and delete the samba side */ - if (!pdb_delete_sam_account(pdb_get_username(sam_pass))) { + if (!pdb_delete_sam_account(sam_pass)) { DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", pdb_get_username(sam_pass))); pdb_free_sam(&sam_pass); return NT_STATUS_CANNOT_DELETE; -- cgit From abd7df24dcabb54cb22c0e088f8d71f84bbef2d7 Mon Sep 17 00:00:00 2001 
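Review bot: In set_user_info_pw the `chgpasswd()` failure branch returns before `ZERO_STRUCT(plaintext_buf);` runs, so the cleartext password is left in `plaintext_buf` on that path. Add `ZERO_STRUCT(plaintext_buf);` ahead of `pdb_free_sam(&pwd);` inside that branch. The same ordering appears to apply to set_user_info_23 in the earlier hunks, although its failure branch is not fully visible. The changed debug text `set_user_info_pw: pdb_update_pwd()` names a function the code below does not call (`pdb_update_sam_account`), so the old message was the accurate one. The function starts outside the hunk.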
From: Andrew Bartlett Date: Sat, 26 Jan 2002 10:03:25 +0000 Subject: Add the become_root()/unbecome_root() wrapper around the lookup_name() call, and its new args. (This used to be commit e7b3d64f6055b5d3b036f525f0ece3c9479d4f7a) --- source3/rpc_server/srv_samr_nt.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d079403455..bd75eceb6b 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1189,6 +1189,8 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO } DEBUG(5,("_samr_lookup_names: looking name on SID %s\n", sid_to_string(sid_str, &pol_sid))); + + become_root(); /* local_lookup_name can require root privs */ for (i = 0; i < num_rids; i++) { fstring name; @@ -1212,7 +1214,7 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO * a cleaner code is to add the sid of the domain we're looking in * to the local_lookup_name function. */ - if(local_lookup_name(global_myname, name, &sid, &local_type)) { + if(local_lookup_name(name, &sid, &local_type)) { sid_split_rid(&sid, &local_rid); if (sid_equal(&sid, &pol_sid)) { @@ -1223,6 +1225,8 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO } } + unbecome_root(); + init_samr_r_lookup_names(p->mem_ctx, r_u, num_rids, rid, (uint32 *)type, r_u->status); DEBUG(5,("_samr_lookup_names: %d\n", __LINE__)); @@ -1342,6 +1346,8 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK r_u->status = NT_STATUS_NONE_MAPPED; + become_root(); /* lookup_sid can require root privs */ + for (i = 0; i < num_rids; i++) { fstring tmpname; fstring domname; 
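Review bot: `become_root()` is taken before the `for` loop in _samr_lookup_names and released only after it, so the whole loop body, including the handling of the client-supplied names, runs with root privileges. The added comment says only `local_lookup_name` needs them. Wrapping just that call, `become_root(); found = local_lookup_name(name, &sid, &local_type); unbecome_root();` with a local `found` flag, keeps the privileged window minimal and removes the risk that a later early exit from the loop leaves the process as root. The same applies to the pair added around the loop in _samr_lookup_rids in the following hunks. Parts of both loop bodies lie outside the hunks.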
@@ -1364,6 +1370,8 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK } } + unbecome_root(); + if(!make_samr_lookup_rids(p->mem_ctx, num_rids, group_names, &hdr_name, &uni_name)) return NT_STATUS_NO_MEMORY; -- cgit From cd68afe31256ad60748b34f7318a180cfc2127cc Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 30 Jan 2002 06:08:46 +0000 Subject: Removed version number from file header. Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa) --- source3/rpc_server/srv_samr_nt.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index bd75eceb6b..552623306f 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1,6 +1,5 @@ /* - * Unix SMB/Netbios implementation. - * Version 1.9. + * Unix SMB/CIFS implementation. * RPC Pipe client / server routines * Copyright (C) Andrew Tridgell 1992-1997, * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, -- cgit From 664fa8e572b4ed3db6d1eb2b5023cce4ed25659c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 10 Mar 2002 01:45:49 +0000 Subject: return the correct SID and domain name for the samr enum_domain and lookup_domain calls. We were incorrectly returning the PDCs domain nameand SID when we are a domain member. We should only do that when we are the DC (This used to be commit f56d689497eaa670cbfb214486ba88d5972129db) --- source3/rpc_server/srv_samr_nt.c | 38 ++++++++++++++++++++++++++++++-------- 1 file changed, 30 insertions(+), 8 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 552623306f..eb8ec16f45 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -2098,16 +2098,27 @@ NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_LOOKUP_DOMAIN *r_u) { - r_u->status = NT_STATUS_OK; + fstring domain_name; + DOM_SID sid; + + r_u->status = NT_STATUS_OK; - if (!find_policy_by_hnd(p, &q_u->connect_pol, NULL)) - return NT_STATUS_INVALID_HANDLE; + if (!find_policy_by_hnd(p, &q_u->connect_pol, NULL)) + return NT_STATUS_INVALID_HANDLE; - /* assume the domain name sent is our global_myname and - send global_sam_sid */ - init_samr_r_lookup_domain(r_u, &global_sam_sid, r_u->status); + rpcstr_pull(domain_name, q_u->uni_domain.buffer, sizeof(domain_name), q_u->uni_domain.uni_str_len*2, 0); - return r_u->status; + ZERO_STRUCT(sid); + + if (!secrets_fetch_domain_sid(domain_name, &sid)) { + r_u->status = NT_STATUS_NO_SUCH_DOMAIN; + } + + DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name, sid_string_static(&sid))); + + init_samr_r_lookup_domain(r_u, &sid, r_u->status); + + return r_u->status; } /****************************************************************** @@ -2156,10 +2167,21 @@ NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_EN { uint32 num_entries = 2; fstring dom[2]; + char *name; r_u->status = NT_STATUS_OK; - fstrcpy(dom[0],global_myworkgroup); + switch (lp_server_role()) { + case ROLE_DOMAIN_PDC: + case ROLE_DOMAIN_BDC: + name = global_myworkgroup; + break; + default: + name = global_myname; + } + + fstrcpy(dom[0],name); + strupper(dom[0]); fstrcpy(dom[1],"Builtin"); if (!make_enum_domains(p->mem_ctx, &r_u->sam, &r_u->uni_dom_name, num_entries, dom)) -- cgit From 32334bc6553c25b706e60a321f9c16f8931f94c1 Mon Sep 17 00:00:00 2001 
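Review bot: `_samr_lookup_domain` now resolves the requested name only through `secrets_fetch_domain_sid()`, while `_samr_enum_domains` in the next hunk still advertises `"Builtin"`. Unless the secrets store holds an entry under that name, which is not visible here, a client that enumerates and then looks up that name gets `NT_STATUS_NO_SUCH_DOMAIN`. A branch that answers it with the well-known builtin SID before the secrets lookup would close the gap. `q_u->uni_domain.uni_str_len*2` is passed as the source length straight from the request, so a comment noting where that length is validated against the received buffer would help the next reader. On failure the function still logs "Returning domain sid" at level 2 with the zeroed SID, which is misleading in a log review.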
From: Simo Sorce Date: Mon, 18 Mar 2002 23:57:14 +0000 Subject: more verbose checking in talloc and util_pw fixed tdbsam memory corruption (and segfault) reducing calls to pdb_uid_to_user_rid and countrary to 0 to move to a non alghoritmic rid allocation with some passdb modules. (This used to be commit 9836af7cd623357feaec07bc49cfb78f0aa01fc3) --- source3/rpc_server/srv_samr_nt.c | 44 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index eb8ec16f45..542e4796c2 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2835,6 +2835,9 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD fstring grp_name; uint32 rid; GROUP_MAP map; + NTSTATUS ret; + SAM_ACCOUNT *sam_user; + BOOL check; /* Find the policy handle. Open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid)) @@ -2859,7 +2862,23 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD } sid_split_rid(&q_u->sid.sid, &rid); - uid=pdb_user_rid_to_uid(rid); + + ret = pdb_init_sam(&sam_user); + if (NT_STATUS_IS_ERR(ret)) + return ret; + + become_root(); + check = pdb_getsampwrid(sam_user, rid); + unbecome_root(); + + if (check != True) + return NT_STATUS_NO_SUCH_USER; + + uid = pdb_get_uid(sam_user); + if (uid == -1) + return NT_STATUS_NO_SUCH_USER; + + pdb_free_sam(&sam_user); if ((pwd=getpwuid(uid)) == NULL) return NT_STATUS_NO_SUCH_USER; @@ -2963,6 +2982,10 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD struct group *grp; fstring grp_name; GROUP_MAP map; + uid_t uid; + NTSTATUS ret; + SAM_ACCOUNT *sam_user; + BOOL check; /* Find the policy handle. Open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid)) 
@@ -2979,7 +3002,24 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_GROUP; - if ((pwd=getpwuid(pdb_user_rid_to_uid(q_u->rid))) ==NULL) + ret = pdb_init_sam(&sam_user); + if (NT_STATUS_IS_ERR(ret)) + return ret; + + become_root(); + check = pdb_getsampwrid(sam_user, q_u->rid); + unbecome_root(); + + if (check != True) + return NT_STATUS_NO_SUCH_USER; + + uid = pdb_get_uid(sam_user); + if (uid == -1) + return NT_STATUS_NO_SUCH_USER; + + pdb_free_sam(&sam_user); + + if ((pwd=getpwuid(uid)) == NULL) return NT_STATUS_NO_SUCH_USER; if ((grp=getgrgid(map.gid)) == NULL) -- cgit From 050b80356edea52f1bbb0a27599186ad84c18b73 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 19 Mar 2002 13:57:53 +0000 Subject: second step to gain free uid<->rid mapping we still need to free gid<->rid mapping and few other stuff (This used to be commit aa4b6f8181f34196a28951264dd8b631a5deef7f) --- source3/rpc_server/srv_samr_nt.c | 92 +++++++++++++++++++++++++++++++++++----- 1 file changed, 82 insertions(+), 10 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 542e4796c2..d6aea7cd63 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2719,6 +2719,8 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ fstring alias_sid_str; DOM_SID temp_sid; + SAM_ACCOUNT *sam_user; + BOOL check; /* find the policy handle. open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid)) 
@@ -2751,8 +2753,40 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ return NT_STATUS_NO_MEMORY; for (i = 0; i < num_uids; i++) { + struct passwd *pass; + uint32 rid; + sid_copy(&temp_sid, &global_sam_sid); - sid_append_rid(&temp_sid, pdb_uid_to_user_rid(uid[i])); + + pass = getpwuid_alloc(uid[i]); + if (!pass) continue; + + if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user))) { + passwd_free(&pass); + continue; + } + + become_root(); + check = pdb_getsampwnam(sam_user, pass->pw_name); + unbecome_root(); + + if (check != True) { + pdb_free_sam(&sam_user); + passwd_free(&pass); + continue; + } + + rid = pdb_get_user_rid(sam_user); + if (rid == 0) { + pdb_free_sam(&sam_user); + passwd_free(&pass); + continue; + } + + pdb_free_sam(&sam_user); + passwd_free(&pass); + + sid_append_rid(&temp_sid, rid); init_dom_sid2(&sid[i], &temp_sid); } @@ -2781,6 +2815,9 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ uint32 *rid=NULL; uint32 *attr=NULL; + SAM_ACCOUNT *sam_user; + BOOL check; + /* find the policy handle. open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid)) @@ -2812,7 +2849,38 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ return NT_STATUS_NO_MEMORY; for (i=0; ipw_name); + unbecome_root(); + + if (check != True) { + pdb_free_sam(&sam_user); + passwd_free(&pass); + continue; + } + + urid = pdb_get_user_rid(sam_user); + if (urid == 0) { + pdb_free_sam(&sam_user); + passwd_free(&pass); + continue; + } + + pdb_free_sam(&sam_user); + passwd_free(&pass); + + rid[i] = urid; attr[i] = SID_NAME_USER; } 
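Review bot: Each `continue` in the new loop skips the `init_dom_sid2(&sid[i], &temp_sid);` store while `i` still advances, so a uid with no passwd or passdb entry leaves a hole in `sid[]`. If the reply built after the loop still uses `num_uids` (not visible in the hunk), the client receives whatever the allocation contained in those slots. Use a separate output index, `init_dom_sid2(&sid[n_out++], &temp_sid);`, and report `n_out` instead of `num_uids`. The `_samr_query_groupmem` hunk below has the same shape with `rid[i]` and `attr[i]`. The repeated `pdb_free_sam`/`passwd_free` pairs on every exit would read better as one cleanup at the end of the loop body.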
@@ -2867,16 +2935,18 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD if (NT_STATUS_IS_ERR(ret)) return ret; - become_root(); check = pdb_getsampwrid(sam_user, rid); - unbecome_root(); - if (check != True) + if (check != True) { + pdb_free_sam(&sam_user); return NT_STATUS_NO_SUCH_USER; + } uid = pdb_get_uid(sam_user); - if (uid == -1) + if (uid == -1) { + pdb_free_sam(&sam_user); return NT_STATUS_NO_SUCH_USER; + } pdb_free_sam(&sam_user); @@ -3006,16 +3076,18 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD if (NT_STATUS_IS_ERR(ret)) return ret; - become_root(); check = pdb_getsampwrid(sam_user, q_u->rid); - unbecome_root(); - if (check != True) + if (check != True) { + pdb_free_sam(&sam_user); return NT_STATUS_NO_SUCH_USER; + } uid = pdb_get_uid(sam_user); - if (uid == -1) + if (uid == -1) { + pdb_free_sam(&sam_user); return NT_STATUS_NO_SUCH_USER; + } pdb_free_sam(&sam_user); -- cgit From 93d25c293ff1a763f275e1769cabf68058f09a4e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 21 Mar 2002 03:53:44 +0000 Subject: Make sure to initaliase SAM_ACCOUNT pointers to NULL, otherwise pdb_init_sam() fails. Andrew Bartlett (This used to be commit 56009ffbaa00259d15f286248a7ab73c55371819) --- source3/rpc_server/srv_samr_nt.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d6aea7cd63..e47619eb74 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2719,7 +2719,7 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ fstring alias_sid_str; DOM_SID temp_sid; - SAM_ACCOUNT *sam_user; + SAM_ACCOUNT *sam_user = NULL; BOOL check; /* find the policy handle. open a policy on it. */ 
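Review bot: These two hunks drop the `become_root()`/`unbecome_root()` pair around `pdb_getsampwrid()` in _samr_add_aliasmem and _samr_add_groupmem, while the same commit adds that pair around `pdb_getsampwnam()` in the query functions above. The commit message does not explain the difference. If the lookup needs root for some backends, unprivileged callers will now get `NT_STATUS_NO_SUCH_USER`; if it does not, a one-line comment recording that decision belongs next to the call. `uid == -1` compares a `uid_t` with a signed constant, and `(uid_t)-1` states the intent. Both functions continue outside the hunks.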
@@ -2815,7 +2815,7 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ uint32 *rid=NULL; uint32 *attr=NULL; - SAM_ACCOUNT *sam_user; + SAM_ACCOUNT *sam_user = NULL; BOOL check; @@ -2904,7 +2904,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD uint32 rid; GROUP_MAP map; NTSTATUS ret; - SAM_ACCOUNT *sam_user; + SAM_ACCOUNT *sam_user = NULL; BOOL check; /* Find the policy handle. Open a policy on it. */ -- cgit From a5dc8cb59145b400b6145b9f13231efdb7ff047c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 29 Mar 2002 21:50:21 +0000 Subject: Don't core dump listing thousands of users in usrmgr. Jeremy. (This used to be commit c6566fa5fadf37a2b133e7be1f13c0de93efab34) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e47619eb74..c83f6b3d8d 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -972,10 +972,10 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ } /* calculate the size and limit on the number of entries we will return */ - temp_size=(enum_context+max_entries)*struct_size; + temp_size=max_entries*struct_size; if (temp_size>max_size) { - max_entries=max_size/struct_size; + max_entries=MIN((max_size/struct_size),max_entries);; DEBUG(5, ("samr_reply_query_dispinfo: buffer size limits to only %d entries\n", max_entries)); } -- cgit From 4023a61892278c9e09acd035166a55ff2b3d4f30 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 12 Apr 2002 10:18:46 +0000 Subject: merged the mangling test and passdb bugfixes into SAMBA_3_0 (This used to be commit 97eb3a121d33200ee7559b2413d6252efc04ebaf) --- source3/rpc_server/srv_samr_nt.c | 15 --------------- 1 file changed, 15 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
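Review bot: In the _samr_query_dispinfo hunk, `temp_size=max_entries*struct_size;` multiplies a count that appears to come from the request before it is bounded. If both operands are 32-bit (their declarations are outside the hunk), a large `max_entries` can wrap and slip under the `temp_size>max_size` test. Comparing by division avoids the product: `if (struct_size != 0 && max_entries > max_size/struct_size) max_entries = max_size/struct_size;`. With an exact test the `MIN(...)` inside the branch is redundant, and the line ends in a stray `;;`. The function continues outside the hunk.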
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c83f6b3d8d..106d7c1923 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1443,11 +1443,6 @@ static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) SAM_ACCOUNT *smbpass=NULL; BOOL ret; - if (!pdb_rid_is_user(user_rid)) { - DEBUG(4,("RID 0x%x is not a user RID\n", user_rid)); - return False; - } - pdb_init_sam(&smbpass); become_root(); @@ -1524,11 +1519,6 @@ static BOOL get_user_info_20(SAM_USER_INFO_20 *id20, uint32 user_rid) SAM_ACCOUNT *sampass=NULL; BOOL ret; - if (!pdb_rid_is_user(user_rid)) { - DEBUG(4,("RID 0x%x is not a user RID\n", user_rid)); - return False; - } - pdb_init_sam(&sampass); become_root(); @@ -1562,11 +1552,6 @@ static BOOL get_user_info_21(SAM_USER_INFO_21 *id21, uint32 user_rid) SAM_ACCOUNT *sampass=NULL; BOOL ret; - if (!pdb_rid_is_user(user_rid)) { - DEBUG(4,("RID 0x%x is not a user RID\n", user_rid)); - return False; - } - pdb_init_sam(&sampass); become_root(); -- cgit From e90b65284812aaa5ff9e9935ce9bbad7791cbbcd Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 15 Jul 2002 10:35:28 +0000 Subject: updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce) --- source3/rpc_server/srv_samr_nt.c | 1339 ++++++++++++++++++++++++++------------ 1 file changed, 929 insertions(+), 410 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 106d7c1923..88d728d810 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -29,9 +29,11 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_RPC_SRV + extern fstring global_myworkgroup; extern pstring global_myname; -extern DOM_SID global_sam_sid; extern DOM_SID global_sid_Builtin; extern rid_name domain_group_rids[]; 
@@ -52,9 +54,69 @@ struct samr_info { /* for use by the \PIPE\samr policy */ DOM_SID sid; uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */ + uint32 acc_granted; DISP_INFO disp_info; + + TALLOC_CTX *mem_ctx; }; +struct generic_mapping sam_generic_mapping = {SAMR_READ, SAMR_WRITE, SAMR_EXECUTE, SAMR_ALL_ACCESS}; +struct generic_mapping dom_generic_mapping = {DOMAIN_READ, DOMAIN_WRITE, DOMAIN_EXECUTE, DOMAIN_ALL_ACCESS}; +struct generic_mapping usr_generic_mapping = {USER_READ, USER_WRITE, USER_EXECUTE, USER_ALL_ACCESS}; +struct generic_mapping grp_generic_mapping = {GROUP_READ, GROUP_WRITE, GROUP_EXECUTE, GROUP_ALL_ACCESS}; +struct generic_mapping ali_generic_mapping = {ALIAS_READ, ALIAS_WRITE, ALIAS_EXECUTE, ALIAS_ALL_ACCESS}; + +static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *d_size); + + +/******************************************************************* + Checks if access to an object should be granted, and returns that + level of access for further checks. 
+********************************************************************/ + +NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, uint32 des_access, + uint32 *acc_granted, const char *debug) +{ + NTSTATUS status = NT_STATUS_ACCESS_DENIED; + + if (!se_access_check(psd, nt_user_token, des_access, acc_granted, &status)) { + if (geteuid() == sec_initial_uid()) { + DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", + debug, des_access)); + DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n")); + status = NT_STATUS_OK; + } + else { + DEBUG(2,("%s: ACCESS DENIED (requested: %#010x)\n", + debug, des_access)); + } + } + return status; +} + +/******************************************************************* + Checks if access to a function can be granted +********************************************************************/ + +NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug) +{ + DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n", + debug, acc_granted, acc_required)); + if ((acc_granted & acc_required) != acc_required) { + if (geteuid() == sec_initial_uid()) { + DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n", + debug, acc_granted, acc_required)); + DEBUGADD(4,("but overwritten by euid == 0\n")); + return NT_STATUS_OK; + } + DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n", + debug, acc_granted, acc_required)); + return NT_STATUS_ACCESS_DENIED; + } + return NT_STATUS_OK; +} + + /******************************************************************* Create a samr_info struct. ********************************************************************/ 
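Review bot: Both new helpers turn a failed check into `NT_STATUS_OK` whenever `geteuid() == sec_initial_uid()`, so any caller that invokes them inside a `become_root()` section passes unconditionally. Each function needs a header comment stating that it must be called with the client's identity in effect, before any privilege switch. On the override path in access_check_samr_object, `*acc_granted` is left as whatever `se_access_check()` wrote on failure, so later `access_check_samr_function()` calls on that handle depend on the same override rather than on recorded rights. The two override messages disagree (`euid == sec_initial_uid()` versus `euid == 0`) and one is misspelled "overritten"; a single wording makes log searches reliable.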
@@ -63,17 +125,27 @@ static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) { struct samr_info *info; fstring sid_str; + TALLOC_CTX *mem_ctx; + + if (psid) { + sid_to_string(sid_str, psid); + } else { + fstrcpy(sid_str,"(NULL)"); + } + + mem_ctx = talloc_init_named("samr_info for domain sid %s", sid_str); - if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL) + if ((info = (struct samr_info *)talloc(mem_ctx, sizeof(struct samr_info))) == NULL) return NULL; ZERO_STRUCTP(info); + DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str)); if (psid) { - DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_to_string(sid_str, psid) )); sid_copy( &info->sid, psid); } else { DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n")); } + info->mem_ctx = mem_ctx; return info; } @@ -84,18 +156,13 @@ static void free_samr_db(struct samr_info *info) { int i; - if (info->disp_info.group_dbloaded) { - for (i=0; idisp_info.num_group_account; i++) - SAFE_FREE(info->disp_info.disp_group_info[i].grp); - - SAFE_FREE(info->disp_info.disp_group_info); - } + /* Groups are talloced */ if (info->disp_info.user_dbloaded){ - for (i=0; idisp_info.num_user_account; i++) + for (i=0; idisp_info.num_user_account; i++) { + /* Not really a free, actually a 'clear' */ pdb_free_sam(&info->disp_info.disp_user_info[i].sam); - - SAFE_FREE(info->disp_info.disp_user_info); + } } info->disp_info.user_dbloaded=False; 
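Review bot: In get_samr_info_by_sid the result of `talloc_init_named()` is not checked, and when the following `talloc()` of the `samr_info` fails the function returns NULL without destroying `mem_ctx`, which leaks the context. Add `if (mem_ctx == NULL) return NULL;` after the init and `talloc_destroy(mem_ctx);` before the existing `return NULL;`. With the `DEBUG(10, ...)` line moved above `if (psid)`, the NULL-SID case now logs twice, so the message in the `else` branch can go.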
@@ -110,26 +177,13 @@ static void free_samr_info(void *ptr) struct samr_info *info=(struct samr_info *) ptr; free_samr_db(info); - SAFE_FREE(info); + talloc_destroy(info->mem_ctx); } /******************************************************************* Ensure password info is never given out. Paranioa... JRA. ********************************************************************/ -static void samr_clear_passwd_fields( SAM_USER_INFO_21 *pass, int num_entries) -{ - int i; - - if (!pass) - return; - - for (i = 0; i < num_entries; i++) { - memset(&pass[i].lm_pwd, '\0', sizeof(pass[i].lm_pwd)); - memset(&pass[i].nt_pwd, '\0', sizeof(pass[i].nt_pwd)); - } -} - static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass) { @@ -147,6 +201,8 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) { SAM_ACCOUNT *pwd = NULL; DISP_USER_INFO *pwd_array = NULL; + NTSTATUS nt_status = NT_STATUS_OK; + TALLOC_CTX *mem_ctx = info->mem_ctx; DEBUG(10,("load_sampwd_entries\n")); @@ -161,7 +217,8 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) return NT_STATUS_ACCESS_DENIED; } - for (pdb_init_sam(&pwd); pdb_getsampwent(pwd) == True; pwd=NULL, pdb_init_sam(&pwd) ) { + for (; (NT_STATUS_IS_OK(nt_status = pdb_init_sam_talloc(mem_ctx, &pwd))) + && pdb_getsampwent(pwd) == True; pwd=NULL) { if (acb_mask != 0 && !(pdb_get_acct_ctrl(pwd) & acb_mask)) { pdb_free_sam(&pwd); @@ -173,7 +230,7 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) if (info->disp_info.num_user_account % MAX_SAM_ENTRIES == 0) { DEBUG(10,("load_sampwd_entries: allocating more memory\n")); - pwd_array=(DISP_USER_INFO *)Realloc(info->disp_info.disp_user_info, + pwd_array=(DISP_USER_INFO *)talloc_realloc(mem_ctx, info->disp_info.disp_user_info, (info->disp_info.num_user_account+MAX_SAM_ENTRIES)*sizeof(DISP_USER_INFO)); if (pwd_array==NULL) 
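Review bot: The rewritten loop in load_sampwd_entries calls `pdb_init_sam_talloc(mem_ctx, &pwd)` once per iteration on `info->mem_ctx`, which is only destroyed in free_samr_info when the handle is closed. Entries rejected by `acb_mask` go through `pdb_free_sam(&pwd)`, which this diff's own comment in free_samr_db describes as a clear rather than a free, so rejected accounts and the final unused one appear to stay on the handle's context. If that reading is right, memory grows with every reload on a long-lived handle; a short-lived scratch context for candidates, or a comment stating the intended lifetime, would settle it. The loop body continues outside this hunk.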
@@ -198,7 +255,7 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) DEBUG(12,("load_sampwd_entries: done\n")); - return NT_STATUS_OK; + return nt_status; } static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) @@ -207,6 +264,7 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) DISP_GROUP_INFO *grp_array = NULL; uint32 group_entries = 0; uint32 i; + TALLOC_CTX *mem_ctx = info->mem_ctx; DEBUG(10,("load_group_domain_entries\n")); @@ -216,11 +274,13 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) return NT_STATUS_OK; } - enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV); + if (!enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) { + return NT_STATUS_NO_MEMORY; + } info->disp_info.num_group_account=group_entries; - grp_array=(DISP_GROUP_INFO *)malloc(info->disp_info.num_group_account*sizeof(DISP_GROUP_INFO)); + grp_array=(DISP_GROUP_INFO *)talloc(mem_ctx, info->disp_info.num_group_account*sizeof(DISP_GROUP_INFO)); if (group_entries!=0 && grp_array==NULL) { SAFE_FREE(map); @@ -231,7 +291,7 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) for (i=0; iname, map[i].nt_name); fstrcpy(grp_array[i].grp->comment, map[i].comment); 
@@ -251,84 +311,6 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) } -/******************************************************************* - This next function should be replaced with something that - dynamically returns the correct user info..... JRA. - ********************************************************************/ - -static NTSTATUS get_sampwd_entries(SAM_USER_INFO_21 *pw_buf, int start_idx, - int *total_entries, int *num_entries, - int max_num_entries, uint16 acb_mask) -{ - SAM_ACCOUNT *pwd = NULL; - BOOL not_finished = True; - - (*num_entries) = 0; - (*total_entries) = 0; - - if (pw_buf == NULL) - return NT_STATUS_NO_MEMORY; - - pdb_init_sam(&pwd); - - if (!pdb_setsampwent(False)) { - DEBUG(0, ("get_sampwd_entries: Unable to open passdb.\n")); - pdb_free_sam(&pwd); - return NT_STATUS_ACCESS_DENIED; - } - - while (((not_finished = pdb_getsampwent(pwd)) != False) - && (*num_entries) < max_num_entries) - { - int user_name_len; - - if (start_idx > 0) { - - pdb_reset_sam(pwd); - - /* skip the requested number of entries. - not very efficient, but hey... */ - start_idx--; - continue; - } - - user_name_len = strlen(pdb_get_username(pwd))+1; - init_unistr2(&pw_buf[(*num_entries)].uni_user_name, pdb_get_username(pwd), user_name_len); - init_uni_hdr(&pw_buf[(*num_entries)].hdr_user_name, user_name_len); - pw_buf[(*num_entries)].user_rid = pdb_get_user_rid(pwd); - memset((char *)pw_buf[(*num_entries)].nt_pwd, '\0', 16); - - /* Now check if the NT compatible password is available. 
*/ - if (pdb_get_nt_passwd(pwd)) - memcpy( pw_buf[(*num_entries)].nt_pwd , pdb_get_nt_passwd(pwd), 16); - - pw_buf[(*num_entries)].acb_info = pdb_get_acct_ctrl(pwd); - - DEBUG(5, ("entry idx: %d user %s, rid 0x%x, acb %x", - (*num_entries), pdb_get_username(pwd), pdb_get_user_rid(pwd), pdb_get_acct_ctrl(pwd) )); - - if (acb_mask == 0 || (pdb_get_acct_ctrl(pwd) & acb_mask)) { - DEBUG(5,(" acb_mask %x accepts\n", acb_mask)); - (*num_entries)++; - } else { - DEBUG(5,(" acb_mask %x rejects\n", acb_mask)); - } - - (*total_entries)++; - - pdb_reset_sam(pwd); - - } - - pdb_endsampwent(); - pdb_free_sam(&pwd); - - if (not_finished) - return STATUS_MORE_ENTRIES; - else - return NT_STATUS_OK; -} - /******************************************************************* _samr_close_hnd ********************************************************************/ 
@@ -352,17 +334,37 @@ NTSTATUS _samr_close_hnd(pipes_struct *p, SAMR_Q_CLOSE_HND *q_u, SAMR_R_CLOSE_HN NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN_DOMAIN *r_u) { - struct samr_info *info; + struct samr_info *info; + SEC_DESC *psd = NULL; + uint32 acc_granted; + uint32 des_access = q_u->flags; + size_t sd_size; + NTSTATUS status; r_u->status = NT_STATUS_OK; /* find the connection policy handle. */ - if (!find_policy_by_hnd(p, &q_u->pol, NULL)) + if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info)) return NT_STATUS_INVALID_HANDLE; + if (!NT_STATUS_IS_OK(status = access_check_samr_function(info->acc_granted, SAMR_ACCESS_OPEN_DOMAIN,"_samr_open_domain"))) { + return status; + } + + /*check if access can be granted as requested by client. */ + samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size); + se_map_generic(&des_access,&dom_generic_mapping); + + if (!NT_STATUS_IS_OK(status = + access_check_samr_object(psd, p->pipe_user.nt_user_token, + des_access, &acc_granted, "_samr_open_domain"))) { + return status; + } + /* associate the domain SID with the (unique) handle. */ if ((info = get_samr_info_by_sid(&q_u->dom_sid.sid))==NULL) return NT_STATUS_NO_MEMORY; + info->acc_granted = acc_granted; /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, &r_u->domain_pol, free_samr_info, (void *)info)) 
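Review bot: The return value of `samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size);` is discarded, so after an allocation failure `psd` is still NULL when it is handed to access_check_samr_object. What se_access_check does with a NULL descriptor is not visible in this diff, so the call should fail closed: `if (!NT_STATUS_IS_OK(status = samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size))) return status;`. The `samr_make_usr_obj_sd(...)` call in the _samr_open_user hunk has the same unchecked pattern. _samr_open_domain continues past the end of this hunk.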
@@ -402,11 +404,90 @@ NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, return r_u->status; } + +/******************************************************************* + samr_make_sam_obj_sd + ********************************************************************/ + +static NTSTATUS samr_make_sam_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size) +{ + extern DOM_SID global_sid_World; + DOM_SID adm_sid; + DOM_SID act_sid; + + SEC_ACE ace[3]; + SEC_ACCESS mask; + + SEC_ACL *psa = NULL; + + sid_copy(&adm_sid, &global_sid_Builtin); + sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); + + sid_copy(&act_sid, &global_sid_Builtin); + sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); + + /*basic access for every one*/ + init_sec_access(&mask, SAMR_EXECUTE | SAMR_READ); + init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + /*full access for builtin aliases Administrators and Account Operators*/ + init_sec_access(&mask, SAMR_ALL_ACCESS); + init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL) + return NT_STATUS_NO_MEMORY; + + if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, NULL, NULL, NULL, psa, sd_size)) == NULL) + return NT_STATUS_NO_MEMORY; + + return NT_STATUS_OK; +} + +/******************************************************************* + samr_make_dom_obj_sd + ********************************************************************/ + +static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size) +{ + extern DOM_SID global_sid_World; + DOM_SID adm_sid; + DOM_SID act_sid; + + SEC_ACE ace[3]; + SEC_ACCESS mask; + + SEC_ACL *psa = NULL; + + sid_copy(&adm_sid, &global_sid_Builtin); + sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); + + sid_copy(&act_sid, &global_sid_Builtin); + sid_append_rid(&act_sid, 
BUILTIN_ALIAS_RID_ACCOUNT_OPS); + + /*basic access for every one*/ + init_sec_access(&mask, DOMAIN_EXECUTE | DOMAIN_READ); + init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + /*full access for builtin aliases Administrators and Account Operators*/ + init_sec_access(&mask, DOMAIN_ALL_ACCESS); + init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL) + return NT_STATUS_NO_MEMORY; + + if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, NULL, NULL, NULL, psa, sd_size)) == NULL) + return NT_STATUS_NO_MEMORY; + + return NT_STATUS_OK; +} + /******************************************************************* samr_make_usr_obj_sd ********************************************************************/ -static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC_BUF **buf, DOM_SID *usr_sid) +static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size, DOM_SID *usr_sid) { extern DOM_SID global_sid_World; DOM_SID adm_sid; @@ -416,8 +497,6 @@ static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC_BUF **buf, DOM_SI SEC_ACCESS mask; SEC_ACL *psa = NULL; - SEC_DESC *psd = NULL; - size_t sd_size; sid_copy(&adm_sid, &global_sid_Builtin); sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); 
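Review bot: samr_make_sam_obj_sd and samr_make_dom_obj_sd are identical line for line except for the two access masks, and the next hunk adds two more copies for groups and aliases. A single static helper taking the "everyone" mask and the "full access" mask, with these functions as thin wrappers, would keep the default ACL policy in one place so that a later tightening cannot miss a copy. The `sid_append_rid(...)` results are ignored in each copy, whereas _samr_open_user in this diff checks the same call. The banner comments repeat only the function name; a sentence stating which principals get which access would be more useful.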
@@ -425,29 +504,107 @@ static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC_BUF **buf, DOM_SI sid_copy(&act_sid, &global_sid_Builtin); sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); - init_sec_access(&mask, 0x2035b); + /*basic access for every one*/ + init_sec_access(&mask, USER_EXECUTE | USER_READ); init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - init_sec_access(&mask, 0xf07ff); + /*full access for builtin aliases Administrators and Account Operators*/ + init_sec_access(&mask, USER_ALL_ACCESS); init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - init_sec_access(&mask,0x20044); + /*extended access for the user*/ + init_sec_access(&mask,READ_CONTROL_ACCESS | USER_ACCESS_CHANGE_PASSWORD | USER_ACCESS_SET_LOC_COM); init_sec_ace(&ace[3], usr_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - if((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 4, ace)) == NULL) + if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 4, ace)) == NULL) return NT_STATUS_NO_MEMORY; - if((psd = make_sec_desc(ctx, SEC_DESC_REVISION, NULL, NULL, NULL, psa, &sd_size)) == NULL) + if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, NULL, NULL, NULL, psa, sd_size)) == NULL) return NT_STATUS_NO_MEMORY; - if((*buf = make_sec_desc_buf(ctx, sd_size, psd)) == NULL) + return NT_STATUS_OK; +} + +/******************************************************************* + samr_make_grp_obj_sd + ********************************************************************/ + +static NTSTATUS samr_make_grp_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size) +{ + extern DOM_SID global_sid_World; + DOM_SID adm_sid; + DOM_SID act_sid; + + SEC_ACE ace[3]; + SEC_ACCESS mask; + + SEC_ACL *psa = NULL; + + sid_copy(&adm_sid, &global_sid_Builtin); + sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); + + sid_copy(&act_sid, &global_sid_Builtin); + sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); 
+ + /*basic access for every one*/ + init_sec_access(&mask, GROUP_EXECUTE | GROUP_READ); + init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + /*full access for builtin aliases Administrators and Account Operators*/ + init_sec_access(&mask, GROUP_ALL_ACCESS); + init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL) + return NT_STATUS_NO_MEMORY; + + if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, NULL, NULL, NULL, psa, sd_size)) == NULL) return NT_STATUS_NO_MEMORY; return NT_STATUS_OK; } -static BOOL get_lsa_policy_samr_sid(pipes_struct *p, POLICY_HND *pol, DOM_SID *sid) +/******************************************************************* + samr_make_ali_obj_sd + ********************************************************************/ + +static NTSTATUS samr_make_ali_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size) +{ + extern DOM_SID global_sid_World; + DOM_SID adm_sid; + DOM_SID act_sid; + + SEC_ACE ace[3]; + SEC_ACCESS mask; + + SEC_ACL *psa = NULL; + + sid_copy(&adm_sid, &global_sid_Builtin); + sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); + + sid_copy(&act_sid, &global_sid_Builtin); + sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); + + /*basic access for every one*/ + init_sec_access(&mask, ALIAS_EXECUTE | ALIAS_READ); + init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + /*full access for builtin aliases Administrators and Account Operators*/ + init_sec_access(&mask, ALIAS_ALL_ACCESS); + init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL) + return NT_STATUS_NO_MEMORY; + + if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, NULL, NULL, NULL, psa, sd_size)) == NULL) 
+ return NT_STATUS_NO_MEMORY; + + return NT_STATUS_OK; +} + +static BOOL get_lsa_policy_samr_sid(pipes_struct *p, POLICY_HND *pol, DOM_SID *sid, uint32 *acc_granted) { struct samr_info *info = NULL; @@ -459,9 +616,21 @@ static BOOL get_lsa_policy_samr_sid(pipes_struct *p, POLICY_HND *pol, DOM_SID *s return False; *sid = info->sid; + *acc_granted = info->acc_granted; return True; } +/******************************************************************* + _samr_set_sec_obj + ********************************************************************/ + +NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_SEC_OBJ *r_u) +{ + DEBUG(0,("_samr_set_sec_obj: Not yet implemented!\n")); + return NT_STATUS_NOT_IMPLEMENTED; +} + + /******************************************************************* _samr_query_sec_obj ********************************************************************/ 
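Review bot: The literal masks `0x2035b`, `0xf07ff` and `0x20044` in samr_make_usr_obj_sd are replaced by named combinations, which changes the effective ACL unless each expression evaluates to the same bits; the constant definitions are not part of this diff. A short comment on each ACE giving the resulting hex value would let a reviewer confirm that World and the user's own SID are granted no more than before. samr_make_grp_obj_sd and samr_make_ali_obj_sd are added here, but the TODO in _samr_query_sec_obj says groups and aliases still receive the user descriptor, so these two look unused for now.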
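Review bot: `_samr_set_sec_obj` logs at `DEBUG(0, ...)` on every call, and the call is driven by the remote client, so each request to this unimplemented operation writes an unconditional line to the server log. A lower level such as `DEBUG(5,("_samr_set_sec_obj: Not yet implemented!\n"));` keeps the trace without letting request volume control log volume. The stub also leaves `r_u->status` untouched while the other handlers in this file set it; whether the marshalling layer relies on that field rather than the return value is not visible here.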
@@ -470,17 +639,52 @@ NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_ { DOM_SID pol_sid; fstring str_sid; + SEC_DESC * psd = NULL; + size_t sd_size; + uint32 acc_granted; r_u->status = NT_STATUS_OK; /* Get the SID. */ - - if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &pol_sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &pol_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; + + DEBUG(10,("_samr_query_sec_obj: querying security on SID: %s\n", sid_to_string(str_sid, &pol_sid))); - r_u->status = samr_make_usr_obj_sd(p->mem_ctx, &r_u->buf, &pol_sid); + /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */ + + /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */ + if (pol_sid.sid_rev_num == 0) + { + DEBUG(5,("_samr_query_sec_obj: querying security on SAM\n")); + r_u->status = samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size); + } + else if (sid_equal(&pol_sid,get_global_sam_sid())) /* check if it is our domain SID */ + + { + DEBUG(5,("_samr_query_sec_obj: querying security on Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid))); + r_u->status = samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size); + } + else if (sid_equal(&pol_sid,&global_sid_Builtin)) /* check if it is the Builtin Domain */ + { + /* TODO: Builtin probably needs a different SD with restricted write access*/ + DEBUG(5,("_samr_query_sec_obj: querying security on Builtin Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid))); + r_u->status = samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size); + } + else if (sid_check_is_in_our_domain(&pol_sid) || + sid_check_is_in_builtin(&pol_sid)) + { + /* TODO: different SDs have to be generated for aliases groups and users. 
+ Currently all three get a default user SD */ + DEBUG(10,("_samr_query_sec_obj: querying security on Object with SID: %s\n", sid_to_string(str_sid, &pol_sid))); + r_u->status = samr_make_usr_obj_sd(p->mem_ctx, &psd,&sd_size, &pol_sid); + } + else return NT_STATUS_OBJECT_TYPE_MISMATCH; + + if ((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL) + return NT_STATUS_NO_MEMORY; if (NT_STATUS_IS_OK(r_u->status)) r_u->ptr = 1; 
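Review bot: `make_sec_desc_buf(p->mem_ctx, sd_size, psd)` runs before `r_u->status` is examined, so if the selected samr_make_*_obj_sd call failed it receives a NULL `psd` and an uninitialised `sd_size`. Test the status first, with `if (!NT_STATUS_IS_OK(r_u->status)) return r_u->status;` placed ahead of the make_sec_desc_buf call. Separately, `acc_granted` is read from the handle here and in the _samr_lookup_rids hunk but never passed to access_check_samr_function, unlike the enumeration handlers in this diff; if no access bit is required, a comment saying so would make that reviewable.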
@@ -492,69 +696,123 @@ NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_ makes a SAM_ENTRY / UNISTR2* structure from a user list. ********************************************************************/ -static void make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR2 **uni_name_pp, - uint32 num_sam_entries, SAM_USER_INFO_21 *pass) +static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR2 **uni_name_pp, + uint32 num_entries, uint32 start_idx, DISP_USER_INFO *disp_user_info, + DOM_SID *domain_sid) { uint32 i; SAM_ENTRY *sam; UNISTR2 *uni_name; - + SAM_ACCOUNT *pwd = NULL; + UNISTR2 uni_temp_name; + const char *temp_name; + const DOM_SID *user_sid; + uint32 user_rid; + fstring user_sid_string; + fstring domain_sid_string; + *sam_pp = NULL; *uni_name_pp = NULL; - if (num_sam_entries == 0) - return; + if (num_entries == 0) + return NT_STATUS_OK; - sam = (SAM_ENTRY *)talloc_zero(ctx, sizeof(SAM_ENTRY)*num_sam_entries); + sam = (SAM_ENTRY *)talloc_zero(ctx, sizeof(SAM_ENTRY)*num_entries); - uni_name = (UNISTR2 *)talloc_zero(ctx, sizeof(UNISTR2)*num_sam_entries); + uni_name = (UNISTR2 *)talloc_zero(ctx, sizeof(UNISTR2)*num_entries); if (sam == NULL || uni_name == NULL) { - DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n")); - return; + DEBUG(0, ("make_user_sam_entry_list: talloc_zero failed!\n")); + return NT_STATUS_NO_MEMORY; } - ZERO_STRUCTP(sam); - ZERO_STRUCTP(uni_name); - - for (i = 0; i < num_sam_entries; i++) { - int len = pass[i].uni_user_name.uni_str_len; + for (i = 0; i < num_entries; i++) { + int len = uni_temp_name.uni_str_len; + + pwd = disp_user_info[i+start_idx].sam; + temp_name = pdb_get_username(pwd); + init_unistr2(&uni_temp_name, temp_name, strlen(temp_name)+1); + user_sid = pdb_get_user_sid(pwd); + + if (!sid_peek_check_rid(domain_sid, user_sid, &user_rid)) { + DEBUG(0, ("make_user_sam_entry_list: User %s has SID %s, which conflicts with " + "the domain sid %s. 
Failing operation.\n", + temp_name, + sid_to_string(user_sid_string, user_sid), + sid_to_string(domain_sid_string, domain_sid))); + return NT_STATUS_UNSUCCESSFUL; + } - init_sam_entry(&sam[i], len, pass[i].user_rid); - copy_unistr2(&uni_name[i], &pass[i].uni_user_name); + init_sam_entry(&sam[i], len, user_rid); + copy_unistr2(&uni_name[i], &uni_temp_name); } *sam_pp = sam; *uni_name_pp = uni_name; + return NT_STATUS_OK; } /******************************************************************* samr_reply_enum_dom_users ********************************************************************/ -NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, SAMR_R_ENUM_DOM_USERS *r_u) +NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, + SAMR_R_ENUM_DOM_USERS *r_u) { - SAM_USER_INFO_21 pass[MAX_SAM_ENTRIES]; - int num_entries = 0; - int total_entries = 0; + struct samr_info *info = NULL; + uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */ + int num_account; + uint32 enum_context=q_u->start_idx; + uint32 max_size=q_u->max_size; + uint32 temp_size; + enum remote_arch_types ra_type = get_remote_arch(); + int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K; + uint32 max_entries = max_sam_entries; + DOM_SID domain_sid; r_u->status = NT_STATUS_OK; /* find the policy handle. open a policy on it. 
*/ - if (!find_policy_by_hnd(p, &q_u->pol, NULL)) + if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; + domain_sid = info->sid; + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, + DOMAIN_ACCESS_ENUM_ACCOUNTS, + "_samr_enum_dom_users"))) { + return r_u->status; + } + DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); become_root(); - r_u->status = get_sampwd_entries(pass, q_u->start_idx, &total_entries, &num_entries, - MAX_SAM_ENTRIES, q_u->acb_mask); + r_u->status=load_sampwd_entries(info, q_u->acb_mask); unbecome_root(); - - if (NT_STATUS_IS_ERR(r_u->status)) + + if (!NT_STATUS_IS_OK(r_u->status)) return r_u->status; - samr_clear_passwd_fields(pass, num_entries); + num_account = info->disp_info.num_user_account; + + if (enum_context > num_account) { + DEBUG(5, ("_samr_enum_dom_users: enumeration handle over total entries\n")); + return NT_STATUS_OK; + } + + /* verify we won't overflow */ + if (max_entries > num_account-enum_context) { + max_entries = num_account-enum_context; + DEBUG(5, ("_samr_enum_dom_users: only %d entries to return\n", max_entries)); + } + + /* calculate the size and limit on the number of entries we will return */ + temp_size=max_entries*struct_size; + + if (temp_size>max_size) { + max_entries=MIN((max_size/struct_size),max_entries);; + DEBUG(5, ("_samr_enum_dom_users: buffer size limits to only %d entries\n", max_entries)); + } /* * Note from JRA. total_entries is not being used here. Currently if there is a 
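Review bot: In make_user_sam_entry_list, `int len = uni_temp_name.uni_str_len;` is evaluated at the top of the loop body, before `init_unistr2(&uni_temp_name, ...)` fills the struct for the current entry. The first iteration therefore reads an uninitialised stack value and later iterations read the previous user's length, and that value is what `init_sam_entry(&sam[i], len, user_rid)` receives. Declare `len` without an initialiser and assign `len = uni_temp_name.uni_str_len;` immediately after the init_unistr2 call. `temp_name` is also passed to strlen() unchecked; whether pdb_get_username can return NULL is not visible in this diff.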
@@ -569,9 +827,20 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, SAMR_ * value (again I think this is wrong). */ - make_user_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_acct_name, num_entries, pass); + r_u->status = make_user_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_acct_name, + max_entries, enum_context, + info->disp_info.disp_user_info, + &domain_sid); + + if (!NT_STATUS_IS_OK(r_u->status)) + return r_u->status; + + if (enum_context+max_entries < num_account) + r_u->status = STATUS_MORE_ENTRIES; - init_samr_r_enum_dom_users(r_u, q_u->start_idx + num_entries, num_entries); + DEBUG(5, ("_samr_enum_dom_users: %d\n", __LINE__)); + + init_samr_r_enum_dom_users(r_u, q_u->start_idx + max_entries, max_entries); DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); @@ -654,13 +923,12 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM } SAFE_FREE(map); - } else if (sid_equal(sid, &global_sam_sid) && !lp_hide_local_users()) { + } else if (sid_equal(sid, get_global_sam_sid()) && !lp_hide_local_users()) { struct sys_grent *glist; struct sys_grent *grp; struct passwd *pw; gid_t winbind_gid_low, winbind_gid_high; - - lp_winbind_gid(&winbind_gid_low, &winbind_gid_high); + BOOL winbind_groups_exist = lp_winbind_gid(&winbind_gid_low, &winbind_gid_high); /* local aliases */ /* we return the UNIX groups here. This seems to be the right */ 
@@ -690,24 +958,15 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM continue; /* Don't return winbind groups as they are not local! */ - if ((grp->gr_gid >= winbind_gid_low)&&(grp->gr_gid <= winbind_gid_high)) { + if (winbind_groups_exist && (grp->gr_gid >= winbind_gid_low)&&(grp->gr_gid <= winbind_gid_high)) { DEBUG(10,("get_group_alias_entries: not returing %s, not local.\n", smap.nt_name )); continue; } /* Don't return user private groups... */ - - /* - * We used to do a Get_Pwnam() here, but this has been - * trimmed back to the common case for private groups - * to save lookups and to use the _alloc interface. - * - * This also matches the group mapping code - */ - if ((pw = getpwnam_alloc(smap.nt_name)) != 0) { + if ((pw = Get_Pwnam(smap.nt_name)) != 0) { DEBUG(10,("get_group_alias_entries: not returing %s, clashes with user.\n", smap.nt_name )); - passwd_free(&pw); continue; } @@ -808,11 +1067,16 @@ NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAM DOMAIN_GRP *grp=NULL; uint32 num_entries; DOM_SID sid; + uint32 acc_granted; r_u->status = NT_STATUS_OK; - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_ENUM_ACCOUNTS, "_samr_enum_dom_groups"))) { + return r_u->status; + } DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__)); 
@@ -840,12 +1104,17 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S fstring sid_str; DOM_SID sid; NTSTATUS status; + uint32 acc_granted; r_u->status = NT_STATUS_OK; - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_ENUM_ACCOUNTS, "_samr_enum_dom_aliases"))) { + return r_u->status; + } + sid_to_string(sid_str, &sid); DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", sid_str)); @@ -867,7 +1136,8 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S /******************************************************************* samr_reply_query_dispinfo ********************************************************************/ -NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_QUERY_DISPINFO *r_u) +NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, + SAMR_R_QUERY_DISPINFO *r_u) { struct samr_info *info = NULL; uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */ @@ -882,9 +1152,8 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ NTSTATUS disp_ret; uint32 num_account = 0; enum remote_arch_types ra_type = get_remote_arch(); - int max_sam_entries; - - max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K; + int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K; + DOM_SID domain_sid; DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__)); r_u->status = NT_STATUS_OK; @@ -893,6 +1162,8 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; + domain_sid = info->sid; + /* * calculate how many entries we will return. * based on 
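Review bot: _samr_query_dispinfo gains `domain_sid = info->sid;` after the handle lookup but, in the hunks shown for this function, no `access_check_samr_function(info->acc_granted, ...)` call, while _samr_enum_dom_users and the group and alias enumerators in this diff now require DOMAIN_ACCESS_ENUM_ACCOUNTS. Both paths are served from `info->disp_info.disp_user_info`, so a handle refused by the enum calls would still obtain the account list through this one. Adding the same check right after find_policy_by_hnd, for example `if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, DOMAIN_ACCESS_ENUM_ACCOUNTS, "_samr_query_dispinfo"))) return r_u->status;`, would make the two consistent. The function body extends beyond this hunk, so confirm that no check already exists in the unchanged part.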
@@ -936,7 +1207,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ become_root(); r_u->status=load_sampwd_entries(info, acb_mask); unbecome_root(); - if (NT_STATUS_IS_ERR(r_u->status)) { + if (!NT_STATUS_IS_OK(r_u->status)) { DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n")); return r_u->status; } @@ -945,7 +1216,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ case 0x3: case 0x5: r_u->status = load_group_domain_entries(info, &info->sid); - if (NT_STATUS_IS_ERR(r_u->status)) + if (!NT_STATUS_IS_OK(r_u->status)) return r_u->status; num_account = info->disp_info.num_group_account; break; @@ -962,7 +1233,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ if (enum_context > num_account) { DEBUG(5, ("samr_reply_query_dispinfo: enumeration handle over total entries\n")); - return NT_STATUS_OK; + return NT_STATUS_NO_MORE_ENTRIES; } /* verify we won't overflow */ @@ -991,8 +1262,9 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ if (!(ctr->sam.info1 = (SAM_DISPINFO_1 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_1)))) return NT_STATUS_NO_MEMORY; } - disp_ret = init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, max_entries, enum_context, info->disp_info.disp_user_info); - if (NT_STATUS_IS_ERR(disp_ret)) + disp_ret = init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, max_entries, enum_context, + info->disp_info.disp_user_info, &domain_sid); + if (!NT_STATUS_IS_OK(disp_ret)) return disp_ret; break; case 0x2: 
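Review bot: The out-of-range case `enum_context > num_account` now returns `NT_STATUS_NO_MORE_ENTRIES` in _samr_query_dispinfo, while the new _samr_enum_dom_users in this diff returns `NT_STATUS_OK` for the identical condition. Whichever status clients expect, the two handlers should agree, and a comment giving the reason would help. With `>` rather than `>=`, the case `enum_context == num_account` falls through and builds a zero-entry reply; if that is intended it deserves a comment as well. This function continues outside the hunk.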
@@ -1000,8 +1272,9 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ if (!(ctr->sam.info2 = (SAM_DISPINFO_2 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_2)))) return NT_STATUS_NO_MEMORY; } - disp_ret = init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, max_entries, enum_context, info->disp_info.disp_user_info); - if (NT_STATUS_IS_ERR(disp_ret)) + disp_ret = init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, max_entries, enum_context, + info->disp_info.disp_user_info, &domain_sid); + if (!NT_STATUS_IS_OK(disp_ret)) return disp_ret; break; case 0x3: @@ -1010,7 +1283,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, max_entries, enum_context, info->disp_info.disp_group_info); - if (NT_STATUS_IS_ERR(disp_ret)) + if (!NT_STATUS_IS_OK(disp_ret)) return disp_ret; break; case 0x4: @@ -1019,7 +1292,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, max_entries, enum_context, info->disp_info.disp_user_info); - if (NT_STATUS_IS_ERR(disp_ret)) + if (!NT_STATUS_IS_OK(disp_ret)) return disp_ret; break; case 0x5: @@ -1028,7 +1301,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, max_entries, enum_context, info->disp_info.disp_group_info); - if (NT_STATUS_IS_ERR(disp_ret)) + if (!NT_STATUS_IS_OK(disp_ret)) return disp_ret; break; 
@@ -1057,22 +1330,26 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_R_QUERY_ALIASINFO *r_u) { - struct samr_info *info = NULL; + DOM_SID sid; GROUP_MAP map; + uint32 acc_granted; r_u->status = NT_STATUS_OK; DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_LOOKUP_INFO, "_samr_query_aliasinfo"))) { + return r_u->status; + } - if (!sid_check_is_in_our_domain(&info->sid) && - !sid_check_is_in_builtin(&info->sid)) + if (!sid_check_is_in_our_domain(&sid) && + !sid_check_is_in_builtin(&sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - if(!get_local_group_from_sid(info->sid, &map, MAPPING_WITHOUT_PRIV)) + if (!get_local_group_from_sid(sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_ALIAS; switch (q_u->switch_level) { @@ -1169,6 +1446,7 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO int num_rids = q_u->num_names2; DOM_SID pol_sid; fstring sid_str; + uint32 acc_granted; r_u->status = NT_STATUS_OK; @@ -1177,10 +1455,14 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO ZERO_ARRAY(rid); ZERO_ARRAY(type); - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid)) { + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted)) { init_samr_r_lookup_names(p->mem_ctx, r_u, 0, NULL, NULL, NT_STATUS_OBJECT_TYPE_MISMATCH); return r_u->status; } + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, 0, "_samr_lookup_names"))) { /* Don't know the acc_bits yet */ + return r_u->status; + } if (num_rids > MAX_SAM_ENTRIES) { num_rids = MAX_SAM_ENTRIES; 
@@ -1324,13 +1606,14 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK DOM_SID pol_sid; int num_rids = q_u->num_rids1; int i; + uint32 acc_granted; r_u->status = NT_STATUS_OK; DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; if (num_rids > MAX_SAM_ENTRIES) { @@ -1356,7 +1639,7 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK group_attrs[i] = SID_NAME_UNKNOWN; *group_names[i] = '\0'; - if (sid_equal(&pol_sid, &global_sam_sid)) { + if (sid_equal(&pol_sid, get_global_sam_sid())) { sid_copy(&sid, &pol_sid); sid_append_rid(&sid, q_u->rid[i]); 
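Review bot: `_samr_lookup_rids` now receives `acc_granted` from `get_lsa_policy_samr_sid()`, but neither of its two hunks tests the value, so RID-to-name lookups proceed whatever rights the handle was opened with. Since `acc_granted` is new in this change, no check can exist in the unchanged parts of the function either. Add the same guard the other handlers got, `if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, REQUIRED_RIGHT_PLACEHOLDER, "_samr_lookup_rids"))) return r_u->status;`, with the placeholder replaced by the appropriate domain right.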
@@ -1390,42 +1673,58 @@ NTSTATUS _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN SAM_ACCOUNT *sampass=NULL; DOM_SID sid; POLICY_HND domain_pol = q_u->domain_pol; - uint32 user_rid = q_u->user_rid; POLICY_HND *user_pol = &r_u->user_pol; struct samr_info *info = NULL; + SEC_DESC *psd = NULL; + uint32 acc_granted; + uint32 des_access = q_u->access_mask; + size_t sd_size; BOOL ret; + NTSTATUS nt_status; r_u->status = NT_STATUS_OK; - /* find the domain policy handle. */ - if (!find_policy_by_hnd(p, &domain_pol, NULL)) + /* find the domain policy handle and get domain SID / access bits in the domain policy. */ + if (!get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; + + if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_open_user"))) { + return nt_status; + } + + nt_status = pdb_init_sam_talloc(p->mem_ctx, &sampass); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } - pdb_init_sam(&sampass); + /* append the user's RID to it */ + if (!sid_append_rid(&sid, q_u->user_rid)) + return NT_STATUS_NO_SUCH_USER; + + /* check if access can be granted as requested by client. */ + samr_make_usr_obj_sd(p->mem_ctx, &psd, &sd_size, &sid); + se_map_generic(&des_access, &usr_generic_mapping); + if (!NT_STATUS_IS_OK(nt_status = + access_check_samr_object(psd, p->pipe_user.nt_user_token, + des_access, &acc_granted, "_samr_open_user"))) { + return nt_status; + } become_root(); - ret=pdb_getsampwrid(sampass, user_rid); + ret=pdb_getsampwsid(sampass, &sid); unbecome_root(); - /* check that the RID exists in our domain. */ + /* check that the SID exists in our domain. 
*/ if (ret == False) { - pdb_free_sam(&sampass); return NT_STATUS_NO_SUCH_USER; } pdb_free_sam(&sampass); - /* Get the domain SID stored in the domain policy */ - if(!get_lsa_policy_samr_sid(p, &domain_pol, &sid)) - return NT_STATUS_INVALID_HANDLE; - - /* append the user's RID to it */ - if(!sid_append_rid(&sid, user_rid)) - return NT_STATUS_NO_SUCH_USER; - - /* associate the user's SID with the new handle. */ + /* associate the user's SID and access bits with the new handle. */ if ((info = get_samr_info_by_sid(&sid)) == NULL) return NT_STATUS_NO_MEMORY; + info->acc_granted = acc_granted; /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) @@ -1438,21 +1737,25 @@ NTSTATUS _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN get_user_info_10. Safe. Only gives out acb bits. *************************************************************************/ -static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) +static NTSTATUS get_user_info_10(TALLOC_CTX *mem_ctx, SAM_USER_INFO_10 *id10, DOM_SID *user_sid) { SAM_ACCOUNT *smbpass=NULL; BOOL ret; + NTSTATUS nt_status; - pdb_init_sam(&smbpass); + nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass); + + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } become_root(); - ret = pdb_getsampwrid(smbpass, user_rid); + ret = pdb_getsampwsid(smbpass, user_sid); unbecome_root(); if (ret==False) { - DEBUG(4,("User 0x%x not found\n", user_rid)); - pdb_free_sam(&smbpass); - return False; + DEBUG(4,("User %s not found\n", sid_string_static(user_sid))); + return NT_STATUS_NO_SUCH_USER; } DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) )); @@ -1462,7 +1765,7 @@ static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) pdb_free_sam(&smbpass); - return True; + return NT_STATUS_OK; } /************************************************************************* 
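Review bot: In `_api_samr_open_user` the result of `samr_make_usr_obj_sd()` is discarded and `psd`, initialised to NULL, goes straight into `access_check_samr_object()`. If the descriptor could not be built, the access decision is made on a NULL descriptor, and what that yields depends on code not shown here. Guard it right after the call with `if (psd == NULL) return NT_STATUS_NO_MEMORY;`. The same unchecked pattern appears in the `_api_samr_create_user`, `_samr_connect` and `_api_samr_open_alias` hunks. The not-found path also no longer calls `pdb_free_sam(&sampass)` while the success path still does; if talloc ownership makes the free unnecessary, a one-line comment saying so would prevent a later "fix".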
@@ -1471,10 +1774,11 @@ static BOOL get_user_info_10(SAM_USER_INFO_10 *id10, uint32 user_rid) user. JRA. *************************************************************************/ -static NTSTATUS get_user_info_12(pipes_struct *p, SAM_USER_INFO_12 * id12, uint32 user_rid) +static NTSTATUS get_user_info_12(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_INFO_12 * id12, DOM_SID *user_sid) { SAM_ACCOUNT *smbpass=NULL; BOOL ret; + NTSTATUS nt_status; if (!p->ntlmssp_auth_validated) return NT_STATUS_ACCESS_DENIED; @@ -1485,12 +1789,17 @@ static NTSTATUS get_user_info_12(pipes_struct *p, SAM_USER_INFO_12 * id12, uint3 /* * Do *NOT* do become_root()/unbecome_root() here ! JRA. */ - pdb_init_sam(&smbpass); - ret = pdb_getsampwrid(smbpass, user_rid); + nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass); + + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + ret = pdb_getsampwsid(smbpass, user_sid); if (ret == False) { - DEBUG(4, ("User 0x%x not found\n", user_rid)); + DEBUG(4, ("User %s not found\n", sid_string_static(user_sid))); pdb_free_sam(&smbpass); return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED; } @@ -1514,21 +1823,20 @@ static NTSTATUS get_user_info_12(pipes_struct *p, SAM_USER_INFO_12 * id12, uint3 get_user_info_20 *************************************************************************/ -static BOOL get_user_info_20(SAM_USER_INFO_20 *id20, uint32 user_rid) +static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DOM_SID *user_sid) { SAM_ACCOUNT *sampass=NULL; BOOL ret; - pdb_init_sam(&sampass); + pdb_init_sam_talloc(mem_ctx, &sampass); become_root(); - ret = pdb_getsampwrid(sampass, user_rid); + ret = pdb_getsampwsid(sampass, user_sid); unbecome_root(); if (ret == False) { - DEBUG(4,("User 0x%x not found\n", user_rid)); - pdb_free_sam(&sampass); - return False; + DEBUG(4,("User %s not found\n", sid_string_static(user_sid))); + return NT_STATUS_NO_SUCH_USER; } samr_clear_sam_passwd(sampass); 
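Review bot: `get_user_info_20` calls `pdb_init_sam_talloc(mem_ctx, &sampass);` and ignores the result, while `get_user_info_10`, `get_user_info_12` and `get_user_info_21` in this same change all return on failure. If the allocation fails, `sampass` is still NULL when it is handed to `pdb_getsampwsid()` inside the `become_root()` section. Add an `NTSTATUS nt_status;` local and use the same guard as the siblings: `nt_status = pdb_init_sam_talloc(mem_ctx, &sampass);` followed by `if (!NT_STATUS_IS_OK(nt_status)) return nt_status;`. The function ends in the next hunk.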
@@ -1540,28 +1848,32 @@ static BOOL get_user_info_20(SAM_USER_INFO_20 *id20, uint32 user_rid) pdb_free_sam(&sampass); - return True; + return NT_STATUS_OK; } /************************************************************************* get_user_info_21 *************************************************************************/ -static BOOL get_user_info_21(SAM_USER_INFO_21 *id21, uint32 user_rid) +static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, + DOM_SID *user_sid, DOM_SID *domain_sid) { SAM_ACCOUNT *sampass=NULL; BOOL ret; + NTSTATUS nt_status; - pdb_init_sam(&sampass); + nt_status = pdb_init_sam_talloc(mem_ctx, &sampass); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } become_root(); - ret = pdb_getsampwrid(sampass, user_rid); + ret = pdb_getsampwsid(sampass, user_sid); unbecome_root(); if (ret == False) { - DEBUG(4,("User 0x%x not found\n", user_rid)); - pdb_free_sam(&sampass); - return False; + DEBUG(4,("User %s not found\n", sid_string_static(user_sid))); + return NT_STATUS_NO_SUCH_USER; } samr_clear_sam_passwd(sampass); @@ -1569,11 +1881,11 @@ static BOOL get_user_info_21(SAM_USER_INFO_21 *id21, uint32 user_rid) DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) )); ZERO_STRUCTP(id21); - init_sam_user_info21A(id21, sampass); + nt_status = init_sam_user_info21A(id21, sampass, domain_sid); pdb_free_sam(&sampass); - return True; + return NT_STATUS_OK; } /******************************************************************* 
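Review bot: `get_user_info_21` stores the result of `init_sam_user_info21A(id21, sampass, domain_sid)` in `nt_status` and then returns `NT_STATUS_OK` unconditionally. A failure to fill the info-21 structure is therefore reported to `_samr_query_userinfo` as success, and the zeroed or partly filled structure is marshalled to the client. Return the stored value instead: keep `pdb_free_sam(&sampass);` and end with `return nt_status;`.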
@@ -1583,21 +1895,24 @@ static BOOL get_user_info_21(SAM_USER_INFO_21 *id21, uint32 user_rid) NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_QUERY_USERINFO *r_u) { SAM_USERINFO_CTR *ctr; - uint32 rid = 0; struct samr_info *info = NULL; - + DOM_SID domain_sid; + uint32 rid; + r_u->status=NT_STATUS_OK; /* search for the handle */ if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; + domain_sid = info->sid; + + sid_split_rid(&domain_sid, &rid); + if (!sid_check_is_in_our_domain(&info->sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - sid_peek_rid(&info->sid, &rid); - - DEBUG(5,("_samr_query_userinfo: rid:0x%x\n", rid)); + DEBUG(5,("_samr_query_userinfo: sid:%s\n", sid_string_static(&info->sid))); ctr = (SAM_USERINFO_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_USERINFO_CTR)); if (!ctr) @@ -1614,8 +1929,8 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ if (ctr->info.id10 == NULL) return NT_STATUS_NO_MEMORY; - if (!get_user_info_10(ctr->info.id10, rid)) - return NT_STATUS_NO_SUCH_USER; + if (!NT_STATUS_IS_OK(r_u->status = get_user_info_10(p->mem_ctx, ctr->info.id10, &info->sid))) + return r_u->status; break; #if 0 
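Review bot: `_samr_query_userinfo` still resolves the handle with `find_policy_by_hnd()` and never consults `info->acc_granted`, so a user handle opened with minimal rights can read every info level dispatched below. `_samr_query_usergroups` in this same patch does check `USER_ACCESS_GET_GROUPS` on its handle. Add `if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, REQUIRED_RIGHT_PLACEHOLDER, "_samr_query_userinfo"))) return r_u->status;` after the handle lookup, with the placeholder replaced by the user read right. `_samr_query_dom_info` has the same gap, since its hunks change only whitespace. Note also that `sid_split_rid(&domain_sid, &rid)` now runs before `sid_check_is_in_our_domain(&info->sid)`, and `rid` is no longer read in the visible hunks.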
@@ -1649,24 +1964,25 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ if (ctr->info.id12 == NULL) return NT_STATUS_NO_MEMORY; - if (NT_STATUS_IS_ERR(r_u->status = get_user_info_12(p, ctr->info.id12, rid))) + if (!NT_STATUS_IS_OK(r_u->status = get_user_info_12(p, p->mem_ctx, ctr->info.id12, &info->sid))) return r_u->status; break; - + case 20: ctr->info.id20 = (SAM_USER_INFO_20 *)talloc_zero(p->mem_ctx,sizeof(SAM_USER_INFO_20)); if (ctr->info.id20 == NULL) return NT_STATUS_NO_MEMORY; - if (!get_user_info_20(ctr->info.id20, rid)) - return NT_STATUS_NO_SUCH_USER; + if (!NT_STATUS_IS_OK(r_u->status = get_user_info_20(p->mem_ctx, ctr->info.id20, &info->sid))) + return r_u->status; break; case 21: ctr->info.id21 = (SAM_USER_INFO_21 *)talloc_zero(p->mem_ctx,sizeof(SAM_USER_INFO_21)); if (ctr->info.id21 == NULL) return NT_STATUS_NO_MEMORY; - if (!get_user_info_21(ctr->info.id21, rid)) - return NT_STATUS_NO_SUCH_USER; + if (!NT_STATUS_IS_OK(r_u->status = get_user_info_21(p->mem_ctx, ctr->info.id21, + &info->sid, &domain_sid))) + return r_u->status; break; default: @@ -1676,7 +1992,7 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ init_samr_r_query_userinfo(r_u, ctr, r_u->status); DEBUG(5,("_samr_query_userinfo: %d\n", __LINE__)); - + return r_u->status; } @@ -1687,10 +2003,10 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u) { SAM_ACCOUNT *sam_pass=NULL; + DOM_SID sid; DOM_GID *gids = NULL; int num_groups = 0; - uint32 rid; - struct samr_info *info = NULL; + uint32 acc_granted; BOOL ret; /* 
@@ -1710,37 +2026,39 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, USER_ACCESS_GET_GROUPS, "_samr_query_usergroups"))) { + return r_u->status; + } - if (!sid_check_is_in_our_domain(&info->sid)) + if (!sid_check_is_in_our_domain(&sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - sid_peek_rid(&info->sid, &rid); - pdb_init_sam(&sam_pass); - + become_root(); - ret = pdb_getsampwrid(sam_pass, rid); + ret = pdb_getsampwsid(sam_pass, &sid); unbecome_root(); if (ret == False) { pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; } - + if(!get_domain_user_groups(p->mem_ctx, &num_groups, &gids, sam_pass)) { pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_GROUP; } - + /* construct the response. lkclXXXX: gids are not copied! */ init_samr_r_query_usergroups(r_u, num_groups, gids, r_u->status); - + DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); pdb_free_sam(&sam_pass); - + return r_u->status; } @@ -1771,13 +2089,13 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA ZERO_STRUCTP(ctr); r_u->status = NT_STATUS_OK; - + DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); - + /* find the policy handle. open a policy on it. */ if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - + switch (q_u->switch_value) { case 0x01: account_policy_get(AP_MIN_PASSWORD_LEN, &min_pass_len); 
@@ -1796,15 +2114,15 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA become_root(); r_u->status=load_sampwd_entries(info, ACB_NORMAL); unbecome_root(); - if (NT_STATUS_IS_ERR(r_u->status)) { + if (!NT_STATUS_IS_OK(r_u->status)) { DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n")); return r_u->status; } num_users=info->disp_info.num_user_account; free_samr_db(info); - r_u->status=load_group_domain_entries(info, &global_sam_sid); - if (NT_STATUS_IS_ERR(r_u->status)) { + r_u->status=load_group_domain_entries(info, get_global_sam_sid()); + if (!NT_STATUS_IS_OK(r_u->status)) { DEBUG(5, ("_samr_query_dispinfo: load_group_domain_entries failed\n")); return r_u->status; } @@ -1842,12 +2160,12 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA break; default: return NT_STATUS_INVALID_INFO_CLASS; - } - + } + init_samr_r_query_dom_info(r_u, q_u->switch_value, ctr, NT_STATUS_OK); - + DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); - + return r_u->status; } @@ -1871,11 +2189,19 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ BOOL ret; NTSTATUS nt_status; struct passwd *pw; + uint32 acc_granted; + SEC_DESC *psd; + size_t sd_size; + uint32 des_access; - /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &dom_pol, NULL)) + /* Get the domain SID stored in the domain policy */ + if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; + if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_CREATE_USER, "_samr_create_user"))) { + return nt_status; + } + /* find the account: tell the caller if it exists. lkclXXXX i have *no* idea if this is a problem or not or even if you are supposed to construct a different 
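Review bot: `des_access` is declared in this `_api_samr_create_user` hunk without an initialiser, and the later hunk of the same function passes it to `se_map_generic(&des_access, &usr_generic_mapping)` and `access_check_samr_object()` with no assignment in between. Both the access decision and the `acc_granted` value stored on the new handle are therefore computed from an indeterminate value. `_api_samr_open_user` initialises it from the request (`uint32 des_access = q_u->access_mask;`); do the same here if the create request carries a mask, or assign an explicit constant. `psd` is likewise declared without `= NULL`. The failed-check return in the later hunk also omits the `pdb_free_sam(&sam_pass)` that the removed error paths had.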
@@ -1944,7 +2270,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ else pstrcpy(add_script, lp_adduser_script()); - if(*add_script) { + if (*add_script) { int add_ret; all_string_sub(add_script, "%u", account, sizeof(account)); add_ret = smbrun(add_script,NULL); @@ -1990,16 +2316,15 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ return NT_STATUS_ACCESS_DENIED; } - /* Get the domain SID stored in the domain policy */ - if(!get_lsa_policy_samr_sid(p, &dom_pol, &sid)) { - pdb_free_sam(&sam_pass); - return NT_STATUS_INVALID_HANDLE; - } - - /* append the user's RID to it */ - if(!sid_append_rid(&sid, pdb_get_user_rid(sam_pass) )) { - pdb_free_sam(&sam_pass); - return NT_STATUS_NO_SUCH_USER; + /* Get the user's SID */ + sid_copy(&sid, pdb_get_user_sid(sam_pass)); + + samr_make_usr_obj_sd(p->mem_ctx, &psd, &sd_size, &sid); + se_map_generic(&des_access, &usr_generic_mapping); + if (!NT_STATUS_IS_OK(nt_status = + access_check_samr_object(psd, p->pipe_user.nt_user_token, + des_access, &acc_granted, "_samr_create_user"))) { + return nt_status; } /* associate the user's SID with the new handle. */ @@ -2010,6 +2335,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ ZERO_STRUCTP(info); info->sid = sid; + info->acc_granted = acc_granted; /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) { 
@@ -2033,21 +2359,29 @@ NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CO { struct samr_info *info = NULL; - /* set up the SAMR connect_anon response */ + /* Access check */ - r_u->status = NT_STATUS_OK; + if (!pipe_access_check(p)) { + DEBUG(3, ("access denied to samr_connect_anon\n")); + r_u->status = NT_STATUS_ACCESS_DENIED; + return r_u->status; + } + + /* set up the SAMR connect_anon response */ - /* associate the user's SID with the new handle. */ - if ((info = get_samr_info_by_sid(NULL)) == NULL) - return NT_STATUS_NO_MEMORY; + r_u->status = NT_STATUS_OK; + + /* associate the user's SID with the new handle. */ + if ((info = get_samr_info_by_sid(NULL)) == NULL) + return NT_STATUS_NO_MEMORY; - info->status = q_u->unknown_0; + info->status = q_u->unknown_0; - /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + /* get a (unique) handle. open a policy on it. */ + if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info)) + return NT_STATUS_OBJECT_NAME_NOT_FOUND; - return r_u->status; + return r_u->status; } /******************************************************************* 
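Review bot: `_samr_connect_anon` creates its handle without setting `info->acc_granted`, whereas `_samr_connect` stores the checked value and `_samr_lookup_domain` / `_samr_enum_domains` now test `info->acc_granted` on connect handles. Whatever `get_samr_info_by_sid(NULL)` leaves in that field (not visible here) therefore decides what an anonymous handle may do: zero makes every later check fail, anything else grants rights nobody chose. Set it explicitly right after `info->status = q_u->unknown_0;`, for example `info->acc_granted = ANON_CONNECT_RIGHTS_PLACEHOLDER;`, and add a comment stating which rights an anonymous connection is meant to hold.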
@@ -2057,24 +2391,47 @@ NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CO NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u) { struct samr_info *info = NULL; + SEC_DESC *psd = NULL; + uint32 acc_granted; + uint32 des_access = q_u->access_mask; + size_t sd_size; + NTSTATUS nt_status; - DEBUG(5,("_samr_connect: %d\n", __LINE__)); - r_u->status = NT_STATUS_OK; + DEBUG(5,("_samr_connect: %d\n", __LINE__)); + + /* Access check */ + + if (!pipe_access_check(p)) { + DEBUG(3, ("access denied to samr_connect\n")); + r_u->status = NT_STATUS_ACCESS_DENIED; + return r_u->status; + } + + samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size); + se_map_generic(&des_access, &sam_generic_mapping); + if (!NT_STATUS_IS_OK(nt_status = + access_check_samr_object(psd, p->pipe_user.nt_user_token, + des_access, &acc_granted, "_samr_connect"))) { + return nt_status; + } + + r_u->status = NT_STATUS_OK; - /* associate the user's SID with the new handle. */ + /* associate the user's SID and access granted with the new handle. */ if ((info = get_samr_info_by_sid(NULL)) == NULL) - return NT_STATUS_NO_MEMORY; + return NT_STATUS_NO_MEMORY; - info->status = q_u->access_mask; + info->acc_granted = acc_granted; + info->status = q_u->access_mask; - /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + /* get a (unique) handle. open a policy on it. */ + if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info)) + return NT_STATUS_OBJECT_NAME_NOT_FOUND; - DEBUG(5,("_samr_connect: %d\n", __LINE__)); + DEBUG(5,("_samr_connect: %d\n", __LINE__)); - return r_u->status; + return r_u->status; } /********************************************************************** 
@@ -2083,14 +2440,19 @@ NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_LOOKUP_DOMAIN *r_u) { + struct samr_info *info; fstring domain_name; DOM_SID sid; r_u->status = NT_STATUS_OK; - if (!find_policy_by_hnd(p, &q_u->connect_pol, NULL)) + if (!find_policy_by_hnd(p, &q_u->connect_pol, (void**)&info)) return NT_STATUS_INVALID_HANDLE; + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SAMR_ACCESS_OPEN_DOMAIN, "_samr_lookup_domain"))) { + return r_u->status; + } + rpcstr_pull(domain_name, q_u->uni_domain.buffer, sizeof(domain_name), q_u->uni_domain.uni_str_len*2, 0); ZERO_STRUCT(sid); @@ -2150,11 +2512,19 @@ static BOOL make_enum_domains(TALLOC_CTX *ctx, SAM_ENTRY **pp_sam, NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_ENUM_DOMAINS *r_u) { + struct samr_info *info; uint32 num_entries = 2; fstring dom[2]; char *name; r_u->status = NT_STATUS_OK; + + if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info)) + return NT_STATUS_INVALID_HANDLE; + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SAMR_ACCESS_ENUM_DOMAINS, "_samr_enum_domains"))) { + return r_u->status; + } switch (lp_server_role()) { case ROLE_DOMAIN_PDC: 
@@ -2187,21 +2557,35 @@ NTSTATUS _api_samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OP POLICY_HND domain_pol = q_u->dom_pol; uint32 alias_rid = q_u->rid_alias; POLICY_HND *alias_pol = &r_u->pol; - struct samr_info *info = NULL; + struct samr_info *info = NULL; + SEC_DESC *psd = NULL; + uint32 acc_granted; + uint32 des_access = q_u->access_mask; + size_t sd_size; + NTSTATUS status; r_u->status = NT_STATUS_OK; - /* get the domain policy. */ - if (!find_policy_by_hnd(p, &domain_pol, NULL)) - return NT_STATUS_INVALID_HANDLE; - - /* Get the domain SID stored in the domain policy */ - if(!get_lsa_policy_samr_sid(p, &domain_pol, &sid)) + /* find the domain policy and get the SID / access bits stored in the domain policy */ + if (!get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; + + if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_open_alias"))) { + return status; + } /* append the alias' RID to it */ - if(!sid_append_rid(&sid, alias_rid)) + if (!sid_append_rid(&sid, alias_rid)) return NT_STATUS_NO_SUCH_USER; + + /*check if access can be granted as requested by client. */ + samr_make_ali_obj_sd(p->mem_ctx, &psd, &sd_size); + se_map_generic(&des_access,&ali_generic_mapping); + if (!NT_STATUS_IS_OK(status = + access_check_samr_object(psd, p->pipe_user.nt_user_token, + des_access, &acc_granted, "_samr_open_alias"))) { + return status; + } /* * we should check if the rid really exist !!! @@ -2211,6 +2595,8 @@ NTSTATUS _api_samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OP /* associate the user's SID with the new handle. */ if ((info = get_samr_info_by_sid(&sid)) == NULL) return NT_STATUS_NO_MEMORY; + + info->acc_granted = acc_granted; /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, alias_pol, free_samr_info, (void *)info)) 
@@ -2223,14 +2609,14 @@ NTSTATUS _api_samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OP set_user_info_10 ********************************************************************/ -static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, uint32 rid) +static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, DOM_SID *sid) { SAM_ACCOUNT *pwd =NULL; BOOL ret; pdb_init_sam(&pwd); - ret = pdb_getsampwrid(pwd, rid); + ret = pdb_getsampwsid(pwd, sid); if(ret==False) { pdb_free_sam(&pwd); @@ -2262,13 +2648,13 @@ static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, uint32 rid) set_user_info_12 ********************************************************************/ -static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, uint32 rid) +static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, DOM_SID *sid) { SAM_ACCOUNT *pwd = NULL; pdb_init_sam(&pwd); - if(!pdb_getsampwrid(pwd, rid)) { + if(!pdb_getsampwsid(pwd, sid)) { pdb_free_sam(&pwd); return False; } @@ -2305,7 +2691,7 @@ static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, uint32 rid) set_user_info_21 ********************************************************************/ -static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) +static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, DOM_SID *sid) { SAM_ACCOUNT *pwd = NULL; @@ -2316,7 +2702,7 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) pdb_init_sam(&pwd); - if (!pdb_getsampwrid(pwd, rid)) { + if (!pdb_getsampwsid(pwd, sid)) { pdb_free_sam(&pwd); return False; } @@ -2345,7 +2731,7 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, uint32 rid) set_user_info_23 ********************************************************************/ -static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) +static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid) { SAM_ACCOUNT *pwd = NULL; pstring plaintext_buf; 
@@ -2359,7 +2745,7 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) pdb_init_sam(&pwd); - if (!pdb_getsampwrid(pwd, rid)) { + if (!pdb_getsampwsid(pwd, sid)) { pdb_free_sam(&pwd); return False; } @@ -2412,7 +2798,7 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) set_user_info_pw ********************************************************************/ -static BOOL set_user_info_pw(char *pass, uint32 rid) +static BOOL set_user_info_pw(char *pass, DOM_SID *sid) { SAM_ACCOUNT *pwd = NULL; uint32 len; @@ -2421,7 +2807,7 @@ static BOOL set_user_info_pw(char *pass, uint32 rid) pdb_init_sam(&pwd); - if (!pdb_getsampwrid(pwd, rid)) { + if (!pdb_getsampwsid(pwd, sid)) { pdb_free_sam(&pwd); return False; } @@ -2480,23 +2866,27 @@ static BOOL set_user_info_pw(char *pass, uint32 rid) NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_USERINFO *r_u) { - uint32 rid = 0x0; DOM_SID sid; POLICY_HND *pol = &q_u->pol; uint16 switch_value = q_u->switch_value; SAM_USERINFO_CTR *ctr = q_u->ctr; + uint32 acc_granted; + uint32 acc_required; DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__)); r_u->status = NT_STATUS_OK; /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, pol, &sid)) + if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - - sid_split_rid(&sid, &rid); - - DEBUG(5, ("_samr_set_userinfo: rid:0x%x, level:%d\n", rid, switch_value)); + + acc_required = USER_ACCESS_SET_LOC_COM | USER_ACCESS_SET_ATTRIBUTES; /* This is probably wrong */ + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) { + return r_u->status; + } + + DEBUG(5, ("_samr_set_userinfo: sid:%s, level:%d\n", sid_string_static(&sid), switch_value)); if (ctr == NULL) { DEBUG(5, ("_samr_set_userinfo: NULL info level\n")); 
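Review bot: `_samr_set_userinfo` checks one fixed mask, `USER_ACCESS_SET_LOC_COM | USER_ACCESS_SET_ATTRIBUTES`, before `switch_value` is examined, yet the levels dispatched below reach `set_user_info_12`, `set_user_info_pw` and `set_user_info_23`. Judging by their names and the `pass` buffers they receive, those three change password material. The inline comment already says the mask is probably wrong, and as written a handle holding only attribute-write rights passes the check and gets to the password setters. Select `acc_required` per level inside the switch, requiring the password-set right for the password levels. `_samr_set_userinfo2` places the same mask in front of its level 18 case.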
@@ -2506,7 +2896,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE /* ok! user info levels (lots: see MSDEV help), off we go... */ switch (switch_value) { case 0x12: - if (!set_user_info_12(ctr->info.id12, rid)) + if (!set_user_info_12(ctr->info.id12, &sid)) return NT_STATUS_ACCESS_DENIED; break; @@ -2515,7 +2905,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE dump_data(100, (char *)ctr->info.id24->pass, 516); - if (!set_user_info_pw((char *)ctr->info.id24->pass, rid)) + if (!set_user_info_pw((char *)ctr->info.id24->pass, &sid)) return NT_STATUS_ACCESS_DENIED; break; @@ -2533,7 +2923,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE dump_data(100, (char *)ctr->info.id25->pass, 532); - if (!set_user_info_pw(ctr->info.id25->pass, rid)) + if (!set_user_info_pw(ctr->info.id25->pass, &sid)) return NT_STATUS_ACCESS_DENIED; break; #endif @@ -2544,7 +2934,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE dump_data(100, (char *)ctr->info.id23->pass, 516); - if (!set_user_info_23(ctr->info.id23, rid)) + if (!set_user_info_23(ctr->info.id23, &sid)) return NT_STATUS_ACCESS_DENIED; break; 
@@ -2562,22 +2952,26 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SET_USERINFO2 *r_u) { DOM_SID sid; - uint32 rid = 0x0; SAM_USERINFO_CTR *ctr = q_u->ctr; POLICY_HND *pol = &q_u->pol; uint16 switch_value = q_u->switch_value; + uint32 acc_granted; + uint32 acc_required; DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__)); r_u->status = NT_STATUS_OK; /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, pol, &sid)) + if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; + + acc_required = USER_ACCESS_SET_LOC_COM | USER_ACCESS_SET_ATTRIBUTES; /* This is probably wrong */ + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo2"))) { + return r_u->status; + } - sid_split_rid(&sid, &rid); - - DEBUG(5, ("samr_reply_set_userinfo2: rid:0x%x\n", rid)); + DEBUG(5, ("samr_reply_set_userinfo2: sid:%s\n", sid_string_static(&sid))); if (ctr == NULL) { DEBUG(5, ("samr_reply_set_userinfo2: NULL info level\n")); @@ -2589,16 +2983,16 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ /* ok! user info levels (lots: see MSDEV help), off we go... */ switch (switch_value) { case 21: - if (!set_user_info_21(ctr->info.id21, rid)) + if (!set_user_info_21(ctr->info.id21, &sid)) return NT_STATUS_ACCESS_DENIED; break; case 16: - if (!set_user_info_10(ctr->info.id10, rid)) + if (!set_user_info_10(ctr->info.id10, &sid)) return NT_STATUS_ACCESS_DENIED; break; case 18: /* Used by AS/U JRA. */ - if (!set_user_info_12(ctr->info.id12, rid)) + if (!set_user_info_12(ctr->info.id12, &sid)) return NT_STATUS_ACCESS_DENIED; break; default: 
@@ -2642,6 +3036,10 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, /* find the policy handle. open a policy on it. */ if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, USER_ACCESS_GET_GROUPS, "_samr_query_useraliases"))) { + return r_u->status; + } if (!sid_check_is_domain(&info->sid) && !sid_check_is_builtin(&info->sid)) @@ -2656,7 +3054,7 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, * if there is an error, we just continue as * it can be an unfound user or group */ - if (NT_STATUS_IS_ERR(r_u->status)) { + if (!NT_STATUS_IS_OK(r_u->status)) { DEBUG(10,("_samr_query_useraliases: an error occured while getting groups\n")); continue; } @@ -2706,11 +3104,16 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ SAM_ACCOUNT *sam_user = NULL; BOOL check; + uint32 acc_granted; /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_GET_MEMBERS, "_samr_query_aliasmem"))) { + return r_u->status; + } + sid_copy(&als_sid, &alias_sid); sid_to_string(alias_sid_str, &alias_sid); sid_split_rid(&alias_sid, &alias_rid); @@ -2722,7 +3125,7 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ if(!get_local_group_from_sid(als_sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_ALIAS; } else { - if (sid_equal(&alias_sid, &global_sam_sid)) { + if (sid_equal(&alias_sid, get_global_sam_sid())) { DEBUG(10, ("lookup on Server SID\n")); if(!get_local_group_from_sid(als_sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_ALIAS; 
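Review bot: The new check in `_samr_query_useraliases` requires `USER_ACCESS_GET_GROUPS`, a user-object right, but the lines right after it require `info->sid` to be the domain or builtin SID, so the handle being tested is a domain handle. Assuming right bits are defined per object type, the check tests a bit that means something different on a domain handle and may admit or reject callers for the wrong reason. Use the domain-level right for alias membership here, and add a comment above the check naming the handle type this call expects.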
@@ -2741,12 +3144,12 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ struct passwd *pass; uint32 rid; - sid_copy(&temp_sid, &global_sam_sid); + sid_copy(&temp_sid, get_global_sam_sid()); pass = getpwuid_alloc(uid[i]); if (!pass) continue; - if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user))) { + if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_user))) { passwd_free(&pass); continue; } @@ -2802,12 +3205,16 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ SAM_ACCOUNT *sam_user = NULL; BOOL check; - + uint32 acc_granted; /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_GET_MEMBERS, "_samr_query_groupmem"))) { + return r_u->status; + } + /* todo: change to use sid_compare_front */ sid_split_rid(&group_sid, &group_rid); @@ -2815,7 +3222,7 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ DEBUG(10, ("sid is %s\n", group_sid_str)); /* can we get a query for an SID outside our domain ? */ - if (!sid_equal(&group_sid, &global_sam_sid)) + if (!sid_equal(&group_sid, get_global_sam_sid())) return NT_STATUS_NO_SUCH_GROUP; sid_append_rid(&group_sid, group_rid); @@ -2840,7 +3247,7 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ pass = getpwuid_alloc(uid[i]); if (!pass) continue; - if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user))) { + if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_user))) { passwd_free(&pass); continue; } 
@@ -2886,20 +3293,24 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD struct passwd *pwd; struct group *grp; fstring grp_name; - uint32 rid; GROUP_MAP map; NTSTATUS ret; SAM_ACCOUNT *sam_user = NULL; BOOL check; + uint32 acc_granted; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_ADD_MEMBER, "_samr_add_aliasmem"))) { + return r_u->status; + } + sid_to_string(alias_sid_str, &alias_sid); DEBUG(10, ("sid is %s\n", alias_sid_str)); - if (sid_compare(&alias_sid, &global_sam_sid)>0) { + if (sid_compare(&alias_sid, get_global_sam_sid())>0) { DEBUG(10, ("adding member on Server SID\n")); if(!get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_ALIAS; @@ -2914,13 +3325,11 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD return NT_STATUS_NO_SUCH_ALIAS; } - sid_split_rid(&q_u->sid.sid, &rid); - ret = pdb_init_sam(&sam_user); - if (NT_STATUS_IS_ERR(ret)) + if (!NT_STATUS_IS_OK(ret)) return ret; - check = pdb_getsampwrid(sam_user, rid); + check = pdb_getsampwsid(sam_user, &q_u->sid.sid); if (check != True) { pdb_free_sam(&sam_user); @@ -2935,8 +3344,11 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD pdb_free_sam(&sam_user); - if ((pwd=getpwuid(uid)) == NULL) + if ((pwd=getpwuid_alloc(uid)) == NULL) { return NT_STATUS_NO_SUCH_USER; + } else { + passwd_free(&pwd); + } if ((grp=getgrgid(map.gid)) == NULL) return NT_STATUS_NO_SUCH_ALIAS; 
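Review bot: In `_samr_add_aliasmem` the new `else { passwd_free(&pwd); }` branch releases the passwd entry as soon as the lookup succeeds, so any later use of `pwd` in this function would touch a freed or cleared pointer. The rest of the function lies outside the hunk, so this needs checking against the code that follows `getgrgid(map.gid)`. If the user name is still needed there, copy it into a local `fstring` before calling `passwd_free(&pwd)` and use the copy afterwards. The `_samr_add_groupmem` hunk (`@@ -3076,8 +3499,11 @@`) has the same pattern.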
@@ -2971,14 +3383,18 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE fstring alias_sid_str; struct group *grp; fstring grp_name; - uint32 rid; GROUP_MAP map; SAM_ACCOUNT *sam_pass=NULL; + uint32 acc_granted; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_REMOVE_MEMBER, "_samr_del_aliasmem"))) { + return r_u->status; + } + sid_to_string(alias_sid_str, &alias_sid); DEBUG(10, ("_samr_del_aliasmem:sid is %s\n", alias_sid_str)); @@ -2997,11 +3413,9 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE /* we need to copy the name otherwise it's overloaded in user_in_group_list */ fstrcpy(grp_name, grp->gr_name); - sid_peek_rid(&q_u->sid.sid, &rid); - /* check if the user exists before trying to remove it from the group */ pdb_init_sam(&sam_pass); - if(!pdb_getsampwrid(sam_pass, rid)) { + if(!pdb_getsampwsid(sam_pass, &q_u->sid.sid)) { DEBUG(5,("_samr_del_aliasmem:User %s doesn't exist.\n", pdb_get_username(sam_pass))); pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; @@ -3032,6 +3446,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_ADD_GROUPMEM *r_u) { DOM_SID group_sid; + DOM_SID user_sid; fstring group_sid_str; struct passwd *pwd; struct group *grp; 
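Review bot: `_samr_del_aliasmem` still calls `pdb_init_sam(&sam_pass);` without looking at the result and then passes `sam_pass` to the new `pdb_getsampwsid()` call, whereas `_samr_add_aliasmem` in the same commit returns early on `!NT_STATUS_IS_OK(ret)`. A failed init would hand an unusable account object to the lookup and to `pdb_get_username()` in the DEBUG line, so the status should be captured and returned when it is not OK, as the add path does. The "User %s doesn't exist" message also prints the name of an account that was just not found; logging the SID string would presumably be more useful. The same unchecked call is in `_samr_del_groupmem` and `_samr_delete_dom_user`; all three functions start outside their hunks.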
@@ -3041,15 +3456,20 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD NTSTATUS ret; SAM_ACCOUNT *sam_user; BOOL check; + uint32 acc_granted; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_ADD_MEMBER, "_samr_add_groupmem"))) { + return r_u->status; + } sid_to_string(group_sid_str, &group_sid); DEBUG(10, ("sid is %s\n", group_sid_str)); - if (sid_compare(&group_sid, &global_sam_sid)<=0) + if (sid_compare(&group_sid, get_global_sam_sid())<=0) return NT_STATUS_NO_SUCH_GROUP; DEBUG(10, ("lookup on Domain SID\n")); @@ -3057,11 +3477,14 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_GROUP; + sid_copy(&user_sid, get_global_sam_sid()); + sid_append_rid(&user_sid, q_u->rid); + ret = pdb_init_sam(&sam_user); - if (NT_STATUS_IS_ERR(ret)) + if (!NT_STATUS_IS_OK(ret)) return ret; - check = pdb_getsampwrid(sam_user, q_u->rid); + check = pdb_getsampwsid(sam_user, &user_sid); if (check != True) { pdb_free_sam(&sam_user); @@ -3076,8 +3499,11 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD pdb_free_sam(&sam_user); - if ((pwd=getpwuid(uid)) == NULL) + if ((pwd=getpwuid_alloc(uid)) == NULL) { return NT_STATUS_NO_SUCH_USER; + } else { + passwd_free(&pwd); + } if ((grp=getgrgid(map.gid)) == NULL) return NT_STATUS_NO_SUCH_GROUP; 
@@ -3111,11 +3537,12 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DEL_GROUPMEM *r_u) { DOM_SID group_sid; + DOM_SID user_sid; SAM_ACCOUNT *sam_pass=NULL; - uint32 rid; GROUP_MAP map; fstring grp_name; struct group *grp; + uint32 acc_granted; /* * delete the group member named q_u->rid @@ -3124,15 +3551,20 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE */ /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - - if(!sid_check_is_in_our_domain(&group_sid)) + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_REMOVE_MEMBER, "_samr_del_groupmem"))) { + return r_u->status; + } + + if (!sid_check_is_in_our_domain(&group_sid)) return NT_STATUS_NO_SUCH_GROUP; - rid=q_u->rid; + sid_copy(&user_sid, get_global_sam_sid()); + sid_append_rid(&user_sid, q_u->rid); - if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) + if (!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_GROUP; if ((grp=getgrgid(map.gid)) == NULL) @@ -3143,14 +3575,14 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE /* check if the user exists before trying to remove it from the group */ pdb_init_sam(&sam_pass); - if(!pdb_getsampwrid(sam_pass, rid)) { + if (!pdb_getsampwsid(sam_pass, &user_sid)) { DEBUG(5,("User %s doesn't exist.\n", pdb_get_username(sam_pass))); pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; } /* if the user is not in the group */ - if(!user_in_group_list(pdb_get_username(sam_pass), grp_name)) { + if (!user_in_group_list(pdb_get_username(sam_pass), grp_name)) { pdb_free_sam(&sam_pass); return NT_STATUS_MEMBER_NOT_IN_GROUP; } 
@@ -3158,7 +3590,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE smb_delete_user_group(grp_name, pdb_get_username(sam_pass)); /* check if the user has been removed then ... */ - if(user_in_group_list(pdb_get_username(sam_pass), grp_name)) { + if (user_in_group_list(pdb_get_username(sam_pass), grp_name)) { pdb_free_sam(&sam_pass); return NT_STATUS_ACCESS_DENIED; /* don't know what to reply else */ } @@ -3168,6 +3600,24 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE } +/**************************************************************************** + Delete a UNIX user on demand. +****************************************************************************/ + +static int smb_delete_user(const char *unix_user) +{ + pstring del_script; + int ret; + + pstrcpy(del_script, lp_deluser_script()); + if (! *del_script) + return -1; + all_string_sub(del_script, "%u", unix_user, sizeof(pstring)); + ret = smbrun(del_script,NULL); + DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret)); + return ret; +} + /********************************************************************* _samr_delete_dom_user *********************************************************************/ 
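Review bot: `smb_delete_user` substitutes `unix_user` into the command from `lp_deluser_script()` with `all_string_sub()` and hands the result to `smbrun()`, so the account name reaches a shell without filtering. As far as I recall, `all_string_sub()`, unlike `string_sub()`, does not replace shell metacharacters. The callers are outside this hunk, so where the name comes from needs confirming, but a name containing quoting or separator characters would change the command that runs with the server's privileges. I would use `string_sub(del_script, "%u", unix_user, sizeof(pstring));` or reject names outside the expected character set before substituting. A header comment on the return convention would help too: `/* Returns -1 when no delete-user script is configured, otherwise the smbrun() result. */`.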
@@ -3176,22 +3626,24 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM { DOM_SID user_sid; SAM_ACCOUNT *sam_pass=NULL; - uint32 rid; + uint32 acc_granted; DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__)); /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &user_sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &user_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DELETE_ACCESS, "_samr_delete_dom_user"))) { + return r_u->status; + } + if (!sid_check_is_in_our_domain(&user_sid)) return NT_STATUS_CANNOT_DELETE; - sid_peek_rid(&user_sid, &rid); - /* check if the user exists before trying to delete */ pdb_init_sam(&sam_pass); - if(!pdb_getsampwrid(sam_pass, rid)) { + if(!pdb_getsampwsid(sam_pass, &user_sid)) { DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n", pdb_get_username(sam_pass))); pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; @@ -3233,13 +3685,18 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S gid_t gid; struct group *grp; GROUP_MAP map; + uint32 acc_granted; DEBUG(5, ("samr_delete_dom_group: %d\n", __LINE__)); /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DELETE_ACCESS, "_samr_delete_dom_group"))) { + return r_u->status; + } + sid_copy(&dom_sid, &group_sid); sid_to_string(group_sid_str, &dom_sid); sid_split_rid(&dom_sid, &group_rid); 
@@ -3247,7 +3704,7 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S DEBUG(10, ("sid is %s\n", group_sid_str)); /* we check if it's our SID before deleting */ - if (!sid_equal(&dom_sid, &global_sam_sid)) + if (!sid_equal(&dom_sid, get_global_sam_sid())) return NT_STATUS_NO_SUCH_GROUP; DEBUG(10, ("lookup on Domain SID\n")); @@ -3290,13 +3747,18 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S gid_t gid; struct group *grp; GROUP_MAP map; + uint32 acc_granted; DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__)); /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DELETE_ACCESS, "_samr_delete_dom_alias"))) { + return r_u->status; + } + sid_copy(&dom_sid, &alias_sid); sid_to_string(alias_sid_str, &dom_sid); sid_split_rid(&dom_sid, &alias_rid); @@ -3304,7 +3766,7 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S DEBUG(10, ("sid is %s\n", alias_sid_str)); /* we check if it's our SID before deleting */ - if (!sid_equal(&dom_sid, &global_sam_sid)) + if (!sid_equal(&dom_sid, get_global_sam_sid())) return NT_STATUS_NO_SUCH_ALIAS; DEBUG(10, ("lookup on Local SID\n")); 
@@ -3347,14 +3809,19 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S struct group *grp; struct samr_info *info; PRIVILEGE_SET priv_set; + uint32 acc_granted; init_privilege(&priv_set); /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - - if (!sid_equal(&dom_sid, &global_sam_sid)) + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_CREATE_GROUP, "_samr_create_dom_group"))) { + return r_u->status; + } + + if (!sid_equal(&dom_sid, get_global_sam_sid())) return NT_STATUS_ACCESS_DENIED; /* TODO: check if allowed to create group and add a become_root/unbecome_root pair.*/ @@ -3375,7 +3842,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S r_u->rid=pdb_gid_to_group_rid(grp->gr_gid); /* add the group to the mapping table */ - sid_copy(&info_sid, &global_sam_sid); + sid_copy(&info_sid, get_global_sam_sid()); sid_append_rid(&info_sid, r_u->rid); sid_to_string(sid_string, &info_sid); @@ -3405,14 +3872,19 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S struct group *grp; struct samr_info *info; PRIVILEGE_SET priv_set; + uint32 acc_granted; init_privilege(&priv_set); /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - - if (!sid_equal(&dom_sid, &global_sam_sid)) + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_CREATE_ALIAS, "_samr_create_alias"))) { + return r_u->status; + } + + if (!sid_equal(&dom_sid, get_global_sam_sid())) return NT_STATUS_ACCESS_DENIED; /* TODO: check if allowed to create group and add a become_root/unbecome_root pair.*/ 
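Review bot: The label passed to `access_check_samr_function()` in `_samr_create_dom_alias` is `"_samr_create_alias"`, which does not match the function name. Every other handler in this commit passes its own name, and the string is presumably what appears in the access-denied debug output, so a denial on this path would be attributed to a function that does not exist. Use `"_samr_create_dom_alias"`. The function body continues outside the hunk.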
@@ -3432,7 +3904,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S r_u->rid=pdb_gid_to_group_rid(grp->gr_gid); - sid_copy(&info_sid, &global_sam_sid); + sid_copy(&info_sid, get_global_sam_sid()); sid_append_rid(&info_sid, r_u->rid); sid_to_string(sid_string, &info_sid); @@ -3464,10 +3936,15 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM uid_t *uid=NULL; int num_uids=0; GROUP_INFO_CTR *ctr; + uint32 acc_granted; - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_LOOKUP_INFO, "_samr_query_groupinfo"))) { + return r_u->status; + } + if (!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_INVALID_HANDLE; @@ -3511,10 +3988,15 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ DOM_SID group_sid; GROUP_MAP map; GROUP_INFO_CTR *ctr; + uint32 acc_granted; - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_SET_INFO, "_samr_set_groupinfo"))) { + return r_u->status; + } + if (!get_domain_group_from_sid(group_sid, &map, MAPPING_WITH_PRIV)) return NT_STATUS_NO_SUCH_GROUP; 
@@ -3553,10 +4035,15 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ DOM_SID group_sid; GROUP_MAP map; ALIAS_INFO_CTR *ctr; + uint32 acc_granted; - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_SET_INFO, "_samr_set_aliasinfo"))) { + return r_u->status; + } + if (!get_local_group_from_sid(group_sid, &map, MAPPING_WITH_PRIV)) return NT_STATUS_NO_SUCH_GROUP; @@ -3587,7 +4074,18 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ NTSTATUS _samr_get_dom_pwinfo(pipes_struct *p, SAMR_Q_GET_DOM_PWINFO *q_u, SAMR_R_GET_DOM_PWINFO *r_u) { + /* Perform access check. Since this rpc does not require a + policy handle it will not be caught by the access checks on + SAMR_CONNECT or SAMR_CONNECT_ANON. */ + + if (!pipe_access_check(p)) { + DEBUG(3, ("access denied to samr_get_dom_pwinfo\n")); + r_u->status = NT_STATUS_ACCESS_DENIED; + return r_u->status; + } + /* Actually, returning zeros here works quite well :-). */ + return NT_STATUS_OK; } 
@@ -3601,21 +4099,42 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G DOM_SID info_sid; GROUP_MAP map; struct samr_info *info; + SEC_DESC *psd = NULL; + uint32 acc_granted; + uint32 des_access; + size_t sd_size; + NTSTATUS status; fstring sid_string; - if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid)) + if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; + + if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_open_group"))) { + return status; + } + + /*check if access can be granted as requested by client. */ + samr_make_grp_obj_sd(p->mem_ctx, &psd, &sd_size); + se_map_generic(&des_access,&grp_generic_mapping); + if (!NT_STATUS_IS_OK(status = + access_check_samr_object(psd, p->pipe_user.nt_user_token, + des_access, &acc_granted, "_samr_open_group"))) { + return status; + } + /* this should not be hard-coded like this */ - if (!sid_equal(&sid, &global_sam_sid)) + if (!sid_equal(&sid, get_global_sam_sid())) return NT_STATUS_ACCESS_DENIED; - sid_copy(&info_sid, &global_sam_sid); + sid_copy(&info_sid, get_global_sam_sid()); sid_append_rid(&info_sid, q_u->rid_group); sid_to_string(sid_string, &info_sid); if ((info = get_samr_info_by_sid(&info_sid)) == NULL) return NT_STATUS_NO_MEMORY; + + info->acc_granted = acc_granted; DEBUG(10, ("_samr_open_group:Opening SID: %s\n", sid_string)); 
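Review bot: `des_access` in `_samr_open_group` is declared without an initializer and is passed to `se_map_generic()` and `access_check_samr_object()` before anything is assigned to it, so the object access check runs against an indeterminate mask and its result is what ends up in `info->acc_granted`. `_samr_connect4`, further down this page, initialises the variable from the request with `uint32 des_access = q_u->access_mask;`. The same is presumably intended here, assuming SAMR_Q_OPEN_GROUP carries the client's requested mask in a field of that name. The return value of `samr_make_grp_obj_sd()` is also ignored, so `psd` may still be NULL when it is passed to the check.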
@@ -3692,14 +4211,14 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW become_root(); r_u->status=load_sampwd_entries(info, ACB_NORMAL); unbecome_root(); - if (NT_STATUS_IS_ERR(r_u->status)) { + if (!NT_STATUS_IS_OK(r_u->status)) { DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n")); return r_u->status; } num_users=info->disp_info.num_user_account; free_samr_db(info); - r_u->status=load_group_domain_entries(info, &global_sam_sid); + r_u->status=load_group_domain_entries(info, get_global_sam_sid()); if (NT_STATUS_IS_ERR(r_u->status)) { DEBUG(5, ("_samr_query_dispinfo: load_group_domain_entries failed\n")); return r_u->status; -- cgit From 8c53b214da14e7fbfeee3ccf28bddedb55592ab8 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 17 Aug 2002 15:34:15 +0000 Subject: Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4) --- source3/rpc_server/srv_samr_nt.c | 142 +++++++++++++++++++++++++++++++-------- 1 file changed, 115 insertions(+), 27 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 88d728d810..a30622c600 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
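Review bot: In the `_samr_unknown_2e` hunk the test after `load_sampwd_entries()` is switched to `!NT_STATUS_IS_OK(r_u->status)`, but the test after `load_group_domain_entries()` a few lines below still reads `if (NT_STATUS_IS_ERR(r_u->status))`. If `NT_STATUS_IS_ERR` only matches error-severity codes, a non-OK, non-error status from the group load would fall through and the function would go on to use the group counts. For consistency with the rest of the commit, that line should become `if (!NT_STATUS_IS_OK(r_u->status)) {`. The function starts and ends outside the hunk.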
@@ -3,10 +3,12 @@ * RPC Pipe client / server routines * Copyright (C) Andrew Tridgell 1992-1997, * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, - * Copyright (C) Paul Ashton 1997. - * Copyright (C) Marc Jacobsen 1999. - * Copyright (C) Jeremy Allison 2001-2002. - * Copyright (C) Jean François Micouleau 1998-2001. + * Copyright (C) Paul Ashton 1997, + * Copyright (C) Marc Jacobsen 1999, + * Copyright (C) Jeremy Allison 2001-2002, + * Copyright (C) Jean François Micouleau 1998-2001, + * Copyright (C) Anthony Liguori 2002, + * Copyright (C) Jim McDonough 2002. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -727,8 +729,6 @@ static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UN } for (i = 0; i < num_entries; i++) { - int len = uni_temp_name.uni_str_len; - pwd = disp_user_info[i+start_idx].sam; temp_name = pdb_get_username(pwd); init_unistr2(&uni_temp_name, temp_name, strlen(temp_name)+1); @@ -743,7 +743,7 @@ static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UN return NT_STATUS_UNSUCCESSFUL; } - init_sam_entry(&sam[i], len, user_rid); + init_sam_entry(&sam[i], uni_temp_name.uni_str_len, user_rid); copy_unistr2(&uni_name[i], &uni_temp_name); } @@ -1081,7 +1081,9 @@ NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAM DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__)); /* the domain group array is being allocated in the function below */ - get_group_domain_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES); + if (!NT_STATUS_IS_OK(r_u->status = get_group_domain_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES))) { + return r_u->status; + } make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp); 
@@ -2081,6 +2083,8 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA time_t u_logout; NTTIME nt_logout; + uint32 account_policy_temp; + uint32 num_users=0, num_groups=0, num_aliases=0; if ((ctr = (SAM_UNK_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL) @@ -2098,12 +2102,22 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA switch (q_u->switch_value) { case 0x01: - account_policy_get(AP_MIN_PASSWORD_LEN, &min_pass_len); - account_policy_get(AP_PASSWORD_HISTORY, &pass_hist); - account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &flag); - account_policy_get(AP_MAX_PASSWORD_AGE, (int *)&u_expire); - account_policy_get(AP_MIN_PASSWORD_AGE, (int *)&u_min_age); + + account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp); + min_pass_len = account_policy_temp; + account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp); + pass_hist = account_policy_temp; + + account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); + flag = account_policy_temp; + + account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp); + u_expire = account_policy_temp; + + account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp); + u_min_age = account_policy_temp; + unix_to_nt_time_abs(&nt_expire, u_expire); unix_to_nt_time_abs(&nt_min_age, u_min_age); 
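Review bot: Each `account_policy_get(..., &account_policy_temp)` call in `_samr_query_dom_info` ignores the result and copies `account_policy_temp` unconditionally, and the variable is declared without an initializer. If a lookup fails without writing to it, the first field receives an indeterminate value and each later field silently inherits the previous policy's value, so a client could be told, for example, that the minimum password length equals some other setting. Declare it as `uint32 account_policy_temp = 0;` and reset it before each call, or test the call's result if it reports failure. The same sequence appears in the `case 0x0c` hunk of this function and in both `_samr_unknown_2e` hunks later in the commit.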
@@ -2149,10 +2163,15 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA init_unk_info7(&ctr->info.inf7); break; case 0x0c: - account_policy_get(AP_LOCK_ACCOUNT_DURATION, (int *)&u_lock_duration); - account_policy_get(AP_RESET_COUNT_TIME, (int *)&u_reset_time); - account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &lockout); - + account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); + u_lock_duration = account_policy_temp; + + account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp); + u_reset_time = account_policy_temp; + + account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); + lockout = account_policy_temp; + unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); unix_to_nt_time_abs(&nt_reset_time, u_reset_time); @@ -2344,7 +2363,8 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ } r_u->user_rid=pdb_get_user_rid(sam_pass); - r_u->unknown_0 = 0x000703ff; + + r_u->access_granted = acc_granted; pdb_free_sam(&sam_pass); 
@@ -2434,6 +2454,56 @@ NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u return r_u->status; } +/******************************************************************* + samr_connect4 + ********************************************************************/ + +NTSTATUS _samr_connect4(pipes_struct *p, SAMR_Q_CONNECT4 *q_u, SAMR_R_CONNECT4 *r_u) +{ + struct samr_info *info = NULL; + SEC_DESC *psd = NULL; + uint32 acc_granted; + uint32 des_access = q_u->access_mask; + size_t sd_size; + NTSTATUS nt_status; + + + DEBUG(5,("_samr_connect4: %d\n", __LINE__)); + + /* Access check */ + + if (!pipe_access_check(p)) { + DEBUG(3, ("access denied to samr_connect4\n")); + r_u->status = NT_STATUS_ACCESS_DENIED; + return r_u->status; + } + + samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size); + se_map_generic(&des_access, &sam_generic_mapping); + if (!NT_STATUS_IS_OK(nt_status = + access_check_samr_object(psd, p->pipe_user.nt_user_token, + des_access, &acc_granted, "_samr_connect"))) { + return nt_status; + } + + r_u->status = NT_STATUS_OK; + + /* associate the user's SID and access granted with the new handle. */ + if ((info = get_samr_info_by_sid(NULL)) == NULL) + return NT_STATUS_NO_MEMORY; + + info->acc_granted = acc_granted; + info->status = q_u->access_mask; + + /* get a (unique) handle. open a policy on it. */ + if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info)) + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + + DEBUG(5,("_samr_connect: %d\n", __LINE__)); + + return r_u->status; +} + /********************************************************************** api_samr_lookup_domain **********************************************************************/ 
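Review bot: `_samr_connect4` calls `samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size);` and discards the returned NTSTATUS, so on an allocation failure `psd` stays NULL and is passed straight to `access_check_samr_object()`. Since this descriptor is what decides the access granted on the new connect handle, the call should fail closed: `if (!NT_STATUS_IS_OK(nt_status = samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size))) return nt_status;`. The label passed to the access check and the closing DEBUG both say `_samr_connect`, which looks copied from the older handler; `"_samr_connect4"` would keep the log output attributable. If `create_policy_hnd()` fails, `info` is returned without being released, which is worth confirming against how `get_samr_info_by_sid()` allocates it.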
@@ -4180,6 +4250,8 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW uint32 num_users=0, num_groups=0, num_aliases=0; + uint32 account_policy_temp; + if ((ctr = (SAM_UNK_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL) return NT_STATUS_NO_MEMORY; @@ -4195,11 +4267,20 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW switch (q_u->switch_value) { case 0x01: - account_policy_get(AP_MIN_PASSWORD_LEN, &min_pass_len); - account_policy_get(AP_PASSWORD_HISTORY, &pass_hist); - account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &flag); - account_policy_get(AP_MAX_PASSWORD_AGE, (int *)&u_expire); - account_policy_get(AP_MIN_PASSWORD_AGE, (int *)&u_min_age); + account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp); + min_pass_len = account_policy_temp; + + account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp); + pass_hist = account_policy_temp; + + account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); + flag = account_policy_temp; + + account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp); + u_expire = account_policy_temp; + + account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp); + u_min_age = account_policy_temp; unix_to_nt_time_abs(&nt_expire, u_expire); unix_to_nt_time_abs(&nt_min_age, u_min_age); @@ -4231,7 +4312,9 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW num_users, num_groups, num_aliases); break; case 0x03: - account_policy_get(AP_TIME_TO_LOGOUT, (int *)&u_logout); + account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); + u_logout = account_policy_temp; + unix_to_nt_time_abs(&nt_logout, u_logout); init_unk_info3(&ctr->info.inf3, nt_logout); 
@@ -4246,9 +4329,14 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW init_unk_info7(&ctr->info.inf7); break; case 0x0c: - account_policy_get(AP_LOCK_ACCOUNT_DURATION, (int *)&u_lock_duration); - account_policy_get(AP_RESET_COUNT_TIME, (int *)&u_reset_time); - account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &lockout); + account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); + u_lock_duration = account_policy_temp; + + account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp); + u_reset_time = account_policy_temp; + + account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); + lockout = account_policy_temp; unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); unix_to_nt_time_abs(&nt_reset_time, u_reset_time); -- cgit From a834a73e341059be154426390304a42e4a011f72 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 25 Sep 2002 15:19:00 +0000 Subject: sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139) --- source3/rpc_server/srv_samr_nt.c | 131 +++++++++++++++++---------------------- 1 file changed, 56 insertions(+), 75 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index a30622c600..ea631838da 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -57,6 +57,8 @@ struct samr_info { DOM_SID sid; uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */ uint32 acc_granted; + uint16 acb_mask; + BOOL all_machines; DISP_INFO disp_info; TALLOC_CTX *mem_ctx; 
@@ -68,8 +70,7 @@ struct generic_mapping usr_generic_mapping = {USER_READ, USER_WRITE, USER_EXECUT struct generic_mapping grp_generic_mapping = {GROUP_READ, GROUP_WRITE, GROUP_EXECUTE, GROUP_ALL_ACCESS}; struct generic_mapping ali_generic_mapping = {ALIAS_READ, ALIAS_WRITE, ALIAS_EXECUTE, ALIAS_ALL_ACCESS}; -static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *d_size); - +static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size); /******************************************************************* Checks if access to an object should be granted, and returns that @@ -151,26 +152,36 @@ static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) return info; } + /******************************************************************* Function to free the per handle data. ********************************************************************/ -static void free_samr_db(struct samr_info *info) +static void free_samr_users(struct samr_info *info) { int i; - /* Groups are talloced */ - if (info->disp_info.user_dbloaded){ for (i=0; idisp_info.num_user_account; i++) { /* Not really a free, actually a 'clear' */ pdb_free_sam(&info->disp_info.disp_user_info[i].sam); } } - info->disp_info.user_dbloaded=False; + info->disp_info.num_user_account=0; +} + + +/******************************************************************* + Function to free the per handle data. + ********************************************************************/ +static void free_samr_db(struct samr_info *info) +{ + /* Groups are talloced */ + + free_samr_users(info); + info->disp_info.group_dbloaded=False; info->disp_info.num_group_account=0; - info->disp_info.num_user_account=0; } 
@@ -199,7 +210,7 @@ static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass) } -static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) +static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask, BOOL all_machines) { SAM_ACCOUNT *pwd = NULL; DISP_USER_INFO *pwd_array = NULL; @@ -209,11 +220,15 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) DEBUG(10,("load_sampwd_entries\n")); /* if the snapshoot is already loaded, return */ - if (info->disp_info.user_dbloaded==True) { + if ((info->disp_info.user_dbloaded==True) + && (info->acb_mask == acb_mask) + && (info->all_machines == all_machines)) { DEBUG(10,("load_sampwd_entries: already in memory\n")); return NT_STATUS_OK; } + free_samr_users(info); + if (!pdb_setsampwent(False)) { DEBUG(0, ("load_sampwd_entries: Unable to open passdb.\n")); return NT_STATUS_ACCESS_DENIED; @@ -222,10 +237,19 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) for (; (NT_STATUS_IS_OK(nt_status = pdb_init_sam_talloc(mem_ctx, &pwd))) && pdb_getsampwent(pwd) == True; pwd=NULL) { - if (acb_mask != 0 && !(pdb_get_acct_ctrl(pwd) & acb_mask)) { - pdb_free_sam(&pwd); - DEBUG(5,(" acb_mask %x reject\n", acb_mask)); - continue; + if (all_machines) { + if (!((pdb_get_acct_ctrl(pwd) & ACB_WSTRUST) + || (pdb_get_acct_ctrl(pwd) & ACB_SVRTRUST))) { + DEBUG(5,("load_sampwd_entries: '%s' is not a machine account - ACB: %x - skipping\n", pdb_get_username(pwd), acb_mask)); + pdb_free_sam(&pwd); + continue; + } + } else { + if (acb_mask != 0 && !(pdb_get_acct_ctrl(pwd) & acb_mask)) { + pdb_free_sam(&pwd); + DEBUG(5,(" acb_mask %x reject\n", acb_mask)); + continue; + } } /* Realloc some memory for the array of ptr to the SAM_ACCOUNT structs */ 
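Review bot: The new skip message in the `all_machines` branch of `load_sampwd_entries` prints `acb_mask` after "ACB:", but that is the caller's filter, not the flags of the account being skipped. In this branch the filter is not even consulted, so the logged value says nothing about why the entry was rejected. Printing the account's own flags is what a reader of the log would expect: `pdb_get_username(pwd), pdb_get_acct_ctrl(pwd)`. A one-line comment on the new parameter would also help, for example `/* all_machines: when True, ignore acb_mask and keep only workstation and server trust accounts */`.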
@@ -253,6 +277,8 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask) /* the snapshoot is in memory, we're ready to enumerate fast */ + info->acb_mask = acb_mask; + info->all_machines = all_machines; info->disp_info.user_dbloaded=True; DEBUG(12,("load_sampwd_entries: done\n")); @@ -406,46 +432,6 @@ NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, return r_u->status; } - -/******************************************************************* - samr_make_sam_obj_sd - ********************************************************************/ - -static NTSTATUS samr_make_sam_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size) -{ - extern DOM_SID global_sid_World; - DOM_SID adm_sid; - DOM_SID act_sid; - - SEC_ACE ace[3]; - SEC_ACCESS mask; - - SEC_ACL *psa = NULL; - - sid_copy(&adm_sid, &global_sid_Builtin); - sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); - - sid_copy(&act_sid, &global_sid_Builtin); - sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); - - /*basic access for every one*/ - init_sec_access(&mask, SAMR_EXECUTE | SAMR_READ); - init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - /*full access for builtin aliases Administrators and Account Operators*/ - init_sec_access(&mask, SAMR_ALL_ACCESS); - init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL) - return NT_STATUS_NO_MEMORY; - - if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, NULL, NULL, NULL, psa, sd_size)) == NULL) - return NT_STATUS_NO_MEMORY; - - return NT_STATUS_OK; -} - /******************************************************************* samr_make_dom_obj_sd ********************************************************************/ 
@@ -787,7 +773,7 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); become_root(); - r_u->status=load_sampwd_entries(info, q_u->acb_mask); + r_u->status=load_sampwd_entries(info, q_u->acb_mask, False); unbecome_root(); if (!NT_STATUS_IS_OK(r_u->status)) @@ -1058,8 +1044,6 @@ static NTSTATUS get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DO /******************************************************************* samr_reply_enum_dom_groups - Only reply with one group - domain admins. This must be fixed for - a real PDC. JRA. ********************************************************************/ NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_R_ENUM_DOM_GROUPS *r_u) @@ -1143,7 +1127,6 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, { struct samr_info *info = NULL; uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */ - uint16 acb_mask; uint32 max_entries=q_u->max_entries; uint32 enum_context=q_u->start_idx; @@ -1194,20 +1177,14 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, * JFM, 12/20/2001 */ - /* Get what we need from the password database */ - - if (q_u->switch_level==2) - acb_mask = ACB_WSTRUST; - else - acb_mask = ACB_NORMAL; - /* Get what we need from the password database */ switch (q_u->switch_level) { case 0x1: case 0x2: case 0x4: become_root(); - r_u->status=load_sampwd_entries(info, acb_mask); + /* Level 2 is for all machines, otherwise only 'normal' users */ + r_u->status=load_sampwd_entries(info, ACB_NORMAL, q_u->switch_level==2); unbecome_root(); if (!NT_STATUS_IS_OK(r_u->status)) { DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n")); 
@@ -2126,7 +2103,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA break; case 0x02: become_root(); - r_u->status=load_sampwd_entries(info, ACB_NORMAL); + r_u->status=load_sampwd_entries(info, ACB_NORMAL, False); unbecome_root(); if (!NT_STATUS_IS_OK(r_u->status)) { DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n")); @@ -3880,6 +3857,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S struct samr_info *info; PRIVILEGE_SET priv_set; uint32 acc_granted; + gid_t gid; init_privilege(&priv_set); @@ -3903,10 +3881,11 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S return NT_STATUS_GROUP_EXISTS; /* we can create the UNIX group */ - smb_create_group(name); + if (smb_create_group(name, &gid) != 0) + return NT_STATUS_ACCESS_DENIED; /* check if the group has been successfully created */ - if ((grp=getgrnam(name)) == NULL) + if ((grp=getgrgid(gid)) == NULL) return NT_STATUS_ACCESS_DENIED; r_u->rid=pdb_gid_to_group_rid(grp->gr_gid); @@ -3943,6 +3922,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S struct samr_info *info; PRIVILEGE_SET priv_set; uint32 acc_granted; + gid_t gid; init_privilege(&priv_set); @@ -3966,10 +3946,11 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S return NT_STATUS_GROUP_EXISTS; /* we can create the UNIX group */ - smb_create_group(name); + if (smb_create_group(name, &gid) != 0) + return NT_STATUS_ACCESS_DENIED; /* check if the group has been successfully created */ - if ((grp=getgrnam(name)) == NULL) + if ((grp=getgrgid(gid)) == NULL) return NT_STATUS_ACCESS_DENIED; r_u->rid=pdb_gid_to_group_rid(grp->gr_gid); 
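Review bot: In the `_samr_create_dom_group` body hunk, nothing checks that the group resolved by `getgrgid(gid)` is the group that was requested by name. The RID returned to the client comes from whatever that gid resolves to. `smb_create_group` is not shown on this page; if the gid is reported by an external helper, a wrong or reused value would map an existing UNIX group into the domain. A guard after the `getgrgid` check, for example `if (strcmp(grp->gr_name, name) != 0) return NT_STATUS_ACCESS_DENIED;`, would tie the result back to the request. The same applies to the `_samr_create_dom_alias` hunk, and both function bodies continue outside the hunks.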
@@ -4095,9 +4076,9 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ } /********************************************************************* - _samr_set_groupinfo + _samr_set_aliasinfo - update a domain group's comment. + update an alias's comment. *********************************************************************/ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_SET_ALIASINFO *r_u) @@ -4290,10 +4271,10 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW break; case 0x02: become_root(); - r_u->status=load_sampwd_entries(info, ACB_NORMAL); + r_u->status=load_sampwd_entries(info, ACB_NORMAL, False); unbecome_root(); if (!NT_STATUS_IS_OK(r_u->status)) { - DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n")); + DEBUG(5, ("_samr_unknown_2e: load_sampwd_entries failed\n")); return r_u->status; } num_users=info->disp_info.num_user_account; @@ -4301,7 +4282,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW r_u->status=load_group_domain_entries(info, get_global_sam_sid()); if (NT_STATUS_IS_ERR(r_u->status)) { - DEBUG(5, ("_samr_query_dispinfo: load_group_domain_entries failed\n")); + DEBUG(5, ("_samr_unknown_2e: load_group_domain_entries failed\n")); return r_u->status; } num_groups=info->disp_info.num_group_account; -- cgit From d9729d81a993234db850fa733fd4591e1a5ae56e Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 26 Sep 2002 18:37:55 +0000 Subject: syncing up with HEAD again.... (This used to be commit e026b84815ad1a5fa981c24fff197fefa73b4928) --- source3/rpc_server/srv_samr_nt.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index ea631838da..c5a2c54511 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -2802,8 +2802,6 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid) acct_ctrl = pdb_get_acct_ctrl(pwd); - copy_id23_to_sam_passwd(pwd, id23); - if (!decode_pw_buffer((char*)id23->pass, plaintext_buf, 256, &len)) { pdb_free_sam(&pwd); return False; @@ -2814,6 +2812,8 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid) return False; } + copy_id23_to_sam_passwd(pwd, id23); + /* if it's a trust account, don't update /etc/passwd */ if ( (!IS_SAM_UNIX_USER(pwd)) || ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || @@ -3059,6 +3059,10 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, uint32 *rids=NULL, *new_rids=NULL, *tmp_rids=NULL; struct samr_info *info = NULL; int i,j; + + NTSTATUS ntstatus1; + NTSTATUS ntstatus2; + /* until i see a real useraliases query, we fack one up */ /* I have seen one, JFM 2/12/2001 */ @@ -3084,9 +3088,15 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, USER_ACCESS_GET_GROUPS, "_samr_query_useraliases"))) { - return r_u->status; - } + ntstatus1 = access_check_samr_function(info->acc_granted, DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases"); + ntstatus2 = access_check_samr_function(info->acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_query_useraliases"); + + if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) { + if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) && + !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) { + return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1; + } + } if (!sid_check_is_domain(&info->sid) && !sid_check_is_builtin(&info->sid)) 
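Review bot: The second clause of the inner condition in `_samr_query_useraliases` can never be true, because `NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1)` tests the same variable for two different values. As written, a handle granted only `DOMAIN_ACCESS_OPEN_ACCOUNT` passes, while a handle granted only `DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM` is refused. If the intent is that either right is sufficient (an inference from the shape of the test), the clause should read `!(NT_STATUS_EQUAL(ntstatus2,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))`. A one-line comment stating the intended policy, such as `/* either right is enough to query alias membership */`, would make this authorization decision reviewable. The function body continues outside the hunk.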
@@ -3157,7 +3167,8 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_GET_MEMBERS, "_samr_query_aliasmem"))) { + if (!NT_STATUS_IS_OK(r_u->status = + access_check_samr_function(acc_granted, ALIAS_ACCESS_GET_MEMBERS, "_samr_query_aliasmem"))) { return r_u->status; } -- cgit From f2d1f19a66ebaf9b88d23c0faa2412536cc74cda Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 1 Oct 2002 18:26:00 +0000 Subject: syncing up with HEAD. Seems to be a lot of differences creeping in (i ignored the new SAMBA stuff, but the rest of this looks like it should have been merged already). (This used to be commit 3de09e5cf1f667e410ee8b9516a956860ce7290f) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c5a2c54511..020a3c6aaf 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -894,7 +894,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM /* well-known aliases */ if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) { - enum_group_mapping(SID_NAME_ALIAS, &map, (int *)&num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV); + enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV); if (num_entries != 0) { *d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP)); 
@@ -1328,7 +1328,7 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM !sid_check_is_in_builtin(&sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - if (!get_local_group_from_sid(sid, &map, MAPPING_WITHOUT_PRIV)) + if (!get_group_map_from_sid(sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_ALIAS; switch (q_u->switch_level) { -- cgit From f735551b9edef66b152261cf6eb2f29b7b69d65b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 23 Oct 2002 01:22:32 +0000 Subject: First cut of new ACL mapping code from Andreas Gruenbacher . This is not 100% the same as what SuSE shipped in their Samba, there is a crash bug fix, a race condition fix, and a few logic changes I'd like to discuss with Andreas. Added Andreas to (C) notices for posix_acls.c Jeremy. (This used to be commit 40eafb9dde113af9f7f1808fda22908953f7e8c3) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 020a3c6aaf..f02be9acd3 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -884,7 +884,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM uint32 num_entries = 0; int i; GROUP_MAP smap; - GROUP_MAP *map; + GROUP_MAP *map = NULL; sid_to_string(sid_str, sid); DEBUG(5, ("get_group_alias_entries: enumerating aliases on SID: %s\n", sid_str)); -- cgit From 1a96aeebc804603d29a406947c8e69933528bb97 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 23 Oct 2002 01:55:27 +0000 Subject: Debug level 12 is a typo. Jeremy. (This used to be commit c4e4cc9ce169038c4bb8cdcc477d15a9661d1b8e) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index f02be9acd3..b3df2b830e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -281,7 +281,7 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask, BOO info->all_machines = all_machines; info->disp_info.user_dbloaded=True; - DEBUG(12,("load_sampwd_entries: done\n")); + DEBUG(10,("load_sampwd_entries: done\n")); return nt_status; } @@ -333,7 +333,7 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) info->disp_info.group_dbloaded=True; - DEBUG(12,("load_group_domain_entries: done\n")); + DEBUG(10,("load_group_domain_entries: done\n")); return NT_STATUS_OK; } -- cgit From 6d7195d1d79c43f5ccc8dc4a9215c02177d5fa89 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 2 Nov 2002 03:47:48 +0000 Subject: Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f) --- source3/rpc_server/srv_samr_nt.c | 69 +++++++++++++++++++++++----------------- 1 file changed, 40 insertions(+), 29 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b3df2b830e..543f9ee379 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -205,8 +205,8 @@ static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass) /* These now zero out the old password */ - pdb_set_lanman_passwd(sam_pass, NULL); - pdb_set_nt_passwd(sam_pass, NULL); + pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT); + pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT); } 
@@ -302,7 +302,7 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) return NT_STATUS_OK; } - if (!enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) { + if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) { return NT_STATUS_NO_MEMORY; } @@ -894,7 +894,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM /* well-known aliases */ if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) { - enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV); + pdb_enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV); if (num_entries != 0) { *d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP)); @@ -931,7 +931,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM for (; (num_entries < max_entries) && (grp != NULL); grp = grp->next) { uint32 trid; - if(!get_group_from_gid(grp->gr_gid, &smap, MAPPING_WITHOUT_PRIV)) + if(!pdb_getgrgid(&smap, grp->gr_gid, MAPPING_WITHOUT_PRIV)) continue; if (smap.sid_name_use!=SID_NAME_ALIAS) { @@ -1012,7 +1012,7 @@ static NTSTATUS get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DO *p_num_entries = 0; - enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV); + pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV); num_entries=group_entries-start_idx; @@ -1328,7 +1328,7 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM !sid_check_is_in_builtin(&sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - if (!get_group_map_from_sid(sid, &map, MAPPING_WITHOUT_PRIV)) + if (!pdb_getgrsid(&map, sid, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_ALIAS; switch (q_u->switch_level) { 
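Review bot: The result of `pdb_enum_group_mapping` is tested in `load_group_domain_entries` (first hunk) but discarded at both call sites in `get_group_alias_entries` and `get_group_domain_entries`. In the latter, the next statement is `num_entries=group_entries-start_idx;`, and the declaration of `group_entries` is outside the hunk, so it cannot be confirmed from here that it holds a defined value after a failed call. Mirroring the first hunk with `if (!pdb_enum_group_mapping(...)) return NT_STATUS_NO_MEMORY;` would make the three call sites agree. It would also keep a backend failure from being reported as an empty or garbage group list.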
@@ -2288,13 +2288,13 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ return nt_status; } - if (!pdb_set_username(sam_pass, account)) { + if (!pdb_set_username(sam_pass, account, PDB_CHANGED)) { pdb_free_sam(&sam_pass); return NT_STATUS_NO_MEMORY; } } - pdb_set_acct_ctrl(sam_pass, acb_info); + pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED); if (!pdb_add_sam_account(sam_pass)) { pdb_free_sam(&sam_pass); @@ -2675,8 +2675,9 @@ static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, DOM_SID *sid) pdb_free_sam(&pwd); return False; } - - if (!pdb_set_acct_ctrl(pwd, id10->acb_info)) { + + /* FIX ME: check if the value is really changed --metze */ + if (!pdb_set_acct_ctrl(pwd, id10->acb_info, PDB_CHANGED)) { pdb_free_sam(&pwd); return False; } @@ -2712,11 +2713,11 @@ static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, DOM_SID *sid) return False; } - if (!pdb_set_lanman_passwd (pwd, id12->lm_pwd)) { + if (!pdb_set_lanman_passwd (pwd, id12->lm_pwd, PDB_CHANGED)) { pdb_free_sam(&pwd); return False; } - if (!pdb_set_nt_passwd (pwd, id12->nt_pwd)) { + if (!pdb_set_nt_passwd (pwd, id12->nt_pwd, PDB_CHANGED)) { pdb_free_sam(&pwd); return False; } @@ -3180,7 +3181,7 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ if (sid_equal(&alias_sid, &global_sid_Builtin)) { DEBUG(10, ("lookup on Builtin SID (S-1-5-32)\n")); - if(!get_local_group_from_sid(als_sid, &map, MAPPING_WITHOUT_PRIV)) + if(!get_builtin_group_from_sid(als_sid, &map, MAPPING_WITHOUT_PRIV)) return NT_STATUS_NO_SUCH_ALIAS; } else { if (sid_equal(&alias_sid, get_global_sam_sid())) { 
@@ -3404,19 +3405,21 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD if ((pwd=getpwuid_alloc(uid)) == NULL) { return NT_STATUS_NO_SUCH_USER; - } else { - passwd_free(&pwd); } - if ((grp=getgrgid(map.gid)) == NULL) + if ((grp=getgrgid(map.gid)) == NULL) { + passwd_free(&pwd); return NT_STATUS_NO_SUCH_ALIAS; + } /* we need to copy the name otherwise it's overloaded in user_in_group_list */ fstrcpy(grp_name, grp->gr_name); /* if the user is already in the group */ - if(user_in_group_list(pwd->pw_name, grp_name)) + if(user_in_group_list(pwd->pw_name, grp_name)) { + passwd_free(&pwd); return NT_STATUS_MEMBER_IN_ALIAS; + } /* * ok, the group exist, the user exist, the user is not in the group, @@ -3425,9 +3428,12 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD smb_add_user_group(grp_name, pwd->pw_name); /* check if the user has been added then ... */ - if(!user_in_group_list(pwd->pw_name, grp_name)) + if(!user_in_group_list(pwd->pw_name, grp_name)) { + passwd_free(&pwd); return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */ + } + passwd_free(&pwd); return NT_STATUS_OK; } @@ -3512,7 +3518,7 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD GROUP_MAP map; uid_t uid; NTSTATUS ret; - SAM_ACCOUNT *sam_user; + SAM_ACCOUNT *sam_user=NULL; BOOL check; uint32 acc_granted; 
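Review bot: `passwd_free(&pwd)` is now repeated before each of the four exits shown for `_samr_add_aliasmem`, and again in the `_samr_add_groupmem` hunks that follow, so any early return added later has to remember the call. A single exit is sturdier: keep the result in a local and route every path after the `getpwuid_alloc` check through one label, for example `done: passwd_free(&pwd); return status;` (label and variable names constructed here). Both functions start and end outside these hunks, so any exits between the allocation and the end that are not shown should be checked for the same release.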
@@ -3559,19 +3565,21 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD if ((pwd=getpwuid_alloc(uid)) == NULL) { return NT_STATUS_NO_SUCH_USER; - } else { - passwd_free(&pwd); } - if ((grp=getgrgid(map.gid)) == NULL) + if ((grp=getgrgid(map.gid)) == NULL) { + passwd_free(&pwd); return NT_STATUS_NO_SUCH_GROUP; + } /* we need to copy the name otherwise it's overloaded in user_in_group_list */ fstrcpy(grp_name, grp->gr_name); /* if the user is already in the group */ - if(user_in_group_list(pwd->pw_name, grp_name)) + if(user_in_group_list(pwd->pw_name, grp_name)) { + passwd_free(&pwd); return NT_STATUS_MEMBER_IN_GROUP; + } /* * ok, the group exist, the user exist, the user is not in the group, @@ -3582,9 +3590,12 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD smb_add_user_group(grp_name, pwd->pw_name); /* check if the user has been added then ... */ - if(!user_in_group_list(pwd->pw_name, grp_name)) + if(!user_in_group_list(pwd->pw_name, grp_name)) { + passwd_free(&pwd); return NT_STATUS_MEMBER_NOT_IN_GROUP; /* don't know what to reply else */ + } + passwd_free(&pwd); return NT_STATUS_OK; } @@ -3783,7 +3794,7 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S if ( (grp=getgrgid(gid)) != NULL) return NT_STATUS_ACCESS_DENIED; - if(!group_map_remove(group_sid)) + if(!pdb_delete_group_mapping_entry(group_sid)) return NT_STATUS_ACCESS_DENIED; if (!close_policy_hnd(p, &q_u->group_pol)) @@ -3846,7 +3857,7 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S return NT_STATUS_ACCESS_DENIED; /* don't check if we removed it as it could be an un-mapped group */ - group_map_remove(alias_sid); + pdb_delete_group_mapping_entry(alias_sid); if (!close_policy_hnd(p, &q_u->alias_pol)) return NT_STATUS_OBJECT_NAME_INVALID; 
@@ -4076,7 +4087,7 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ return NT_STATUS_INVALID_INFO_CLASS; } - if(!add_mapping_entry(&map, TDB_REPLACE)) { + if(!pdb_update_group_mapping_entry(&map)) { free_privilege(&map.priv_set); return NT_STATUS_NO_SUCH_GROUP; } @@ -4120,7 +4131,7 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ return NT_STATUS_INVALID_INFO_CLASS; } - if(!add_mapping_entry(&map, TDB_REPLACE)) { + if(!pdb_update_group_mapping_entry(&map)) { free_privilege(&map.priv_set); return NT_STATUS_NO_SUCH_GROUP; } -- cgit From d12baf7bf7a81cc579dc717d9592c36ad10fda38 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sat, 2 Nov 2002 12:53:13 +0000 Subject: port sec_desc headers reordering from HEAD. Thanks to Andrew Brtlet for the diff :-) (This used to be commit cf67981e73cf52803eae589a6b86e1274bf72d2c) --- source3/rpc_server/srv_samr_nt.c | 88 ++++++++++++++++++++-------------------- 1 file changed, 44 insertions(+), 44 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 543f9ee379..7b611922f6 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -64,11 +64,11 @@ struct samr_info { TALLOC_CTX *mem_ctx; }; -struct generic_mapping sam_generic_mapping = {SAMR_READ, SAMR_WRITE, SAMR_EXECUTE, SAMR_ALL_ACCESS}; -struct generic_mapping dom_generic_mapping = {DOMAIN_READ, DOMAIN_WRITE, DOMAIN_EXECUTE, DOMAIN_ALL_ACCESS}; -struct generic_mapping usr_generic_mapping = {USER_READ, USER_WRITE, USER_EXECUTE, USER_ALL_ACCESS}; -struct generic_mapping grp_generic_mapping = {GROUP_READ, GROUP_WRITE, GROUP_EXECUTE, GROUP_ALL_ACCESS}; -struct generic_mapping ali_generic_mapping = {ALIAS_READ, ALIAS_WRITE, ALIAS_EXECUTE, ALIAS_ALL_ACCESS}; +struct generic_mapping sam_generic_mapping = {GENERIC_RIGHTS_SAM_READ, GENERIC_RIGHTS_SAM_WRITE, GENERIC_RIGHTS_SAM_EXECUTE, GENERIC_RIGHTS_SAM_ALL_ACCESS}; +struct generic_mapping dom_generic_mapping = {GENERIC_RIGHTS_DOMAIN_READ, GENERIC_RIGHTS_DOMAIN_WRITE, GENERIC_RIGHTS_DOMAIN_EXECUTE, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS}; +struct generic_mapping usr_generic_mapping = {GENERIC_RIGHTS_USER_READ, GENERIC_RIGHTS_USER_WRITE, GENERIC_RIGHTS_USER_EXECUTE, GENERIC_RIGHTS_USER_ALL_ACCESS}; +struct generic_mapping grp_generic_mapping = {GENERIC_RIGHTS_GROUP_READ, GENERIC_RIGHTS_GROUP_WRITE, GENERIC_RIGHTS_GROUP_EXECUTE, GENERIC_RIGHTS_GROUP_ALL_ACCESS}; +struct generic_mapping ali_generic_mapping = {GENERIC_RIGHTS_ALIAS_READ, GENERIC_RIGHTS_ALIAS_WRITE, GENERIC_RIGHTS_ALIAS_EXECUTE, GENERIC_RIGHTS_ALIAS_ALL_ACCESS}; static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size); @@ -375,7 +375,7 @@ NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(status = access_check_samr_function(info->acc_granted, SAMR_ACCESS_OPEN_DOMAIN,"_samr_open_domain"))) { + if (!NT_STATUS_IS_OK(status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_OPEN_DOMAIN,"_samr_open_domain"))) { return status; } 
@@ -454,11 +454,11 @@ static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); /*basic access for every one*/ - init_sec_access(&mask, DOMAIN_EXECUTE | DOMAIN_READ); + init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_EXECUTE | GENERIC_RIGHTS_DOMAIN_READ); init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); /*full access for builtin aliases Administrators and Account Operators*/ - init_sec_access(&mask, DOMAIN_ALL_ACCESS); + init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS); init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); @@ -493,16 +493,16 @@ static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); /*basic access for every one*/ - init_sec_access(&mask, USER_EXECUTE | USER_READ); + init_sec_access(&mask, GENERIC_RIGHTS_USER_EXECUTE | GENERIC_RIGHTS_USER_READ); init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); /*full access for builtin aliases Administrators and Account Operators*/ - init_sec_access(&mask, USER_ALL_ACCESS); + init_sec_access(&mask, GENERIC_RIGHTS_USER_ALL_ACCESS); init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); /*extended access for the user*/ - init_sec_access(&mask,READ_CONTROL_ACCESS | USER_ACCESS_CHANGE_PASSWORD | USER_ACCESS_SET_LOC_COM); + init_sec_access(&mask,READ_CONTROL_ACCESS | SA_RIGHT_USER_CHANGE_PASSWORD | SA_RIGHT_USER_SET_LOC_COM); init_sec_ace(&ace[3], usr_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 4, ace)) == NULL) 
@@ -536,11 +536,11 @@ static NTSTATUS samr_make_grp_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); /*basic access for every one*/ - init_sec_access(&mask, GROUP_EXECUTE | GROUP_READ); + init_sec_access(&mask, GENERIC_RIGHTS_GROUP_EXECUTE | GENERIC_RIGHTS_GROUP_READ); init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); /*full access for builtin aliases Administrators and Account Operators*/ - init_sec_access(&mask, GROUP_ALL_ACCESS); + init_sec_access(&mask, GENERIC_RIGHTS_GROUP_ALL_ACCESS); init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); @@ -575,11 +575,11 @@ static NTSTATUS samr_make_ali_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); /*basic access for every one*/ - init_sec_access(&mask, ALIAS_EXECUTE | ALIAS_READ); + init_sec_access(&mask, GENERIC_RIGHTS_ALIAS_EXECUTE | GENERIC_RIGHTS_ALIAS_READ); init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); /*full access for builtin aliases Administrators and Account Operators*/ - init_sec_access(&mask, ALIAS_ALL_ACCESS); + init_sec_access(&mask, GENERIC_RIGHTS_ALIAS_ALL_ACCESS); init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); @@ -765,7 +765,7 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, domain_sid = info->sid; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, - DOMAIN_ACCESS_ENUM_ACCOUNTS, + SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_users"))) { return r_u->status; } 
@@ -1058,7 +1058,7 @@ NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAM if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_ENUM_ACCOUNTS, "_samr_enum_dom_groups"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_groups"))) { return r_u->status; } @@ -1097,7 +1097,7 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_ENUM_ACCOUNTS, "_samr_enum_dom_aliases"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_aliases"))) { return r_u->status; } @@ -1320,7 +1320,7 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM /* find the policy handle. open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_LOOKUP_INFO, "_samr_query_aliasinfo"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_LOOKUP_INFO, "_samr_query_aliasinfo"))) { return r_u->status; } 
@@ -1667,7 +1667,7 @@ NTSTATUS _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN if (!get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_open_user"))) { + if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_user"))) { return nt_status; } @@ -2008,7 +2008,7 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, USER_ACCESS_GET_GROUPS, "_samr_query_usergroups"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_USER_GET_GROUPS, "_samr_query_usergroups"))) { return r_u->status; } @@ -2194,7 +2194,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_CREATE_USER, "_samr_create_user"))) { + if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_USER, "_samr_create_user"))) { return nt_status; } @@ -2496,7 +2496,7 @@ NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_ if (!find_policy_by_hnd(p, &q_u->connect_pol, (void**)&info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SAMR_ACCESS_OPEN_DOMAIN, "_samr_lookup_domain"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_lookup_domain"))) { return r_u->status; } 
@@ -2569,7 +2569,7 @@ NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_EN if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SAMR_ACCESS_ENUM_DOMAINS, "_samr_enum_domains"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_enum_domains"))) { return r_u->status; } @@ -2617,7 +2617,7 @@ NTSTATUS _api_samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OP if (!get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_open_alias"))) { + if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_alias"))) { return status; } @@ -2929,7 +2929,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - acc_required = USER_ACCESS_SET_LOC_COM | USER_ACCESS_SET_ATTRIBUTES; /* This is probably wrong */ + acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */ if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) { return r_u->status; } 
@@ -3014,7 +3014,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - acc_required = USER_ACCESS_SET_LOC_COM | USER_ACCESS_SET_ATTRIBUTES; /* This is probably wrong */ + acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */ if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo2"))) { return r_u->status; } @@ -3089,8 +3089,8 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - ntstatus1 = access_check_samr_function(info->acc_granted, DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases"); - ntstatus2 = access_check_samr_function(info->acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_query_useraliases"); + ntstatus1 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases"); + ntstatus2 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_query_useraliases"); if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) { if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) && @@ -3169,7 +3169,7 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = - access_check_samr_function(acc_granted, ALIAS_ACCESS_GET_MEMBERS, "_samr_query_aliasmem"))) { + access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_GET_MEMBERS, "_samr_query_aliasmem"))) { return r_u->status; } 
@@ -3270,7 +3270,7 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_GET_MEMBERS, "_samr_query_groupmem"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_GET_MEMBERS, "_samr_query_groupmem"))) { return r_u->status; } @@ -3362,7 +3362,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_ADD_MEMBER, "_samr_add_aliasmem"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_ADD_MEMBER, "_samr_add_aliasmem"))) { return r_u->status; } @@ -3455,7 +3455,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_REMOVE_MEMBER, "_samr_del_aliasmem"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_REMOVE_MEMBER, "_samr_del_aliasmem"))) { return r_u->status; } @@ -3526,7 +3526,7 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_ADD_MEMBER, "_samr_add_groupmem"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_ADD_MEMBER, "_samr_add_groupmem"))) { return r_u->status; } 
@@ -3623,7 +3623,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_REMOVE_MEMBER, "_samr_del_groupmem"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_REMOVE_MEMBER, "_samr_del_groupmem"))) { return r_u->status; } @@ -3703,7 +3703,7 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &user_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DELETE_ACCESS, "_samr_delete_dom_user"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_user"))) { return r_u->status; } @@ -3762,7 +3762,7 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DELETE_ACCESS, "_samr_delete_dom_group"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_group"))) { return r_u->status; } @@ -3824,7 +3824,7 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DELETE_ACCESS, "_samr_delete_dom_alias"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_alias"))) { return r_u->status; } 
@@ -3887,7 +3887,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_CREATE_GROUP, "_samr_create_dom_group"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_GROUP, "_samr_create_dom_group"))) { return r_u->status; } @@ -3952,7 +3952,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_CREATE_ALIAS, "_samr_create_alias"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_ALIAS, "_samr_create_alias"))) { return r_u->status; } @@ -4014,7 +4014,7 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_LOOKUP_INFO, "_samr_query_groupinfo"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_LOOKUP_INFO, "_samr_query_groupinfo"))) { return r_u->status; } @@ -4066,7 +4066,7 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_SET_INFO, "_samr_set_groupinfo"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_SET_INFO, "_samr_set_groupinfo"))) { return r_u->status; } 
@@ -4113,7 +4113,7 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_SET_INFO, "_samr_set_aliasinfo"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_SET_INFO, "_samr_set_aliasinfo"))) { return r_u->status; } @@ -4182,7 +4182,7 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_open_group"))) { + if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_group"))) { return status; } -- cgit From c19598f2a6a3329e973e14e389e0577ebb914f3b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 8 Nov 2002 23:08:59 +0000 Subject: Merge from HEAD: - change auth_sam to use the initialisation flags to determine if the password attributes are set - add const to secrets.c, cliconnect.c - passdb: fix spelling in pdb_ldap, add group mapping back to smbpasswd - SAMR: add debugs to show what fails for group enum. Andrew Bartlett (This used to be commit 4e74d00b3634abf52aa24bfaa6dbe88202aa57a1) --- source3/rpc_server/srv_samr_nt.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 7b611922f6..0b5870b16c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -303,6 +303,7 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) } if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) { + DEBUG(1, ("load_group_domain_entries: pdb_enum_group_mapping() failed!\n")); return NT_STATUS_NO_MEMORY; } @@ -311,6 +312,7 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) grp_array=(DISP_GROUP_INFO *)talloc(mem_ctx, info->disp_info.num_group_account*sizeof(DISP_GROUP_INFO)); if (group_entries!=0 && grp_array==NULL) { + DEBUG(1, ("load_group_domain_entries: talloc() failed for grp_array!\n")); SAFE_FREE(map); return NT_STATUS_NO_MEMORY; } -- cgit From 2f194322d419350f35a48dff750066894d68eccf Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 12 Nov 2002 23:20:50 +0000 Subject: Removed global_myworkgroup, global_myname, global_myscope. Added liberal dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89) --- source3/rpc_server/srv_samr_nt.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 0b5870b16c..603dcd0017 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -34,8 +34,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_RPC_SRV -extern fstring global_myworkgroup; -extern pstring global_myname; extern DOM_SID global_sid_Builtin; extern rid_name domain_group_rids[]; 
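Review bot: The failure branch of `pdb_enum_group_mapping()` in load_group_domain_entries still returns `NT_STATUS_NO_MEMORY`, so the new DEBUG line is the only place the real cause is recorded. A backend lookup failure is not necessarily an allocation failure, and callers that branch on the status are told the wrong thing. If the call cannot report a reason of its own, a comment on the return would at least say so: `/* backend gives no reason; NO_MEMORY is a placeholder status */`. The function body continues outside the hunk.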
@@ -2123,7 +2121,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA free_samr_db(info); /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */ - init_unk_info2(&ctr->info.inf2, global_myworkgroup, global_myname, (uint32) time(NULL), + init_unk_info2(&ctr->info.inf2, lp_workgroup(), global_myname(), (uint32) time(NULL), num_users, num_groups, num_aliases); break; case 0x03: @@ -2133,7 +2131,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA init_unk_info3(&ctr->info.inf3, nt_logout); break; case 0x05: - init_unk_info5(&ctr->info.inf5, global_myname); + init_unk_info5(&ctr->info.inf5, global_myname()); break; case 0x06: init_unk_info6(&ctr->info.inf6); @@ -2564,7 +2562,7 @@ NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_EN struct samr_info *info; uint32 num_entries = 2; fstring dom[2]; - char *name; + const char *name; r_u->status = NT_STATUS_OK; @@ -2578,10 +2576,10 @@ NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_EN switch (lp_server_role()) { case ROLE_DOMAIN_PDC: case ROLE_DOMAIN_BDC: - name = global_myworkgroup; + name = lp_workgroup(); break; default: - name = global_myname; + name = global_myname(); } fstrcpy(dom[0],name); @@ -4313,7 +4311,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW free_samr_db(info); /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */ - init_unk_info2(&ctr->info.inf2, global_myworkgroup, global_myname, (uint32) time(NULL), + init_unk_info2(&ctr->info.inf2, lp_workgroup(), global_myname(), (uint32) time(NULL), num_users, num_groups, num_aliases); break; case 0x03: 
@@ -4325,7 +4323,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW init_unk_info3(&ctr->info.inf3, nt_logout); break; case 0x05: - init_unk_info5(&ctr->info.inf5, global_myname); + init_unk_info5(&ctr->info.inf5, global_myname()); break; case 0x06: init_unk_info6(&ctr->info.inf6); -- cgit From ef8bd7c4f7ae8192ea05db070962ecf0ff3615f3 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 20 Dec 2002 20:21:31 +0000 Subject: Forward port the change to talloc_init() to make all talloc contexts named. Ensure we can query them. Jeremy. (This used to be commit 09a218a9f6fb0bd922940467bf8500eb4f1bcf84) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 603dcd0017..fd152aa3b3 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -134,7 +134,7 @@ static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) fstrcpy(sid_str,"(NULL)"); } - mem_ctx = talloc_init_named("samr_info for domain sid %s", sid_str); + mem_ctx = talloc_init("samr_info for domain sid %s", sid_str); if ((info = (struct samr_info *)talloc(mem_ctx, sizeof(struct samr_info))) == NULL) return NULL; -- cgit From e3ed8eaa2fd47a72c7b89d769ee594f238130ff7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 4 Jan 2003 08:45:17 +0000 Subject: Merge from HEAD - move user password changes into the NTSTATUS era, and add suppport for the 'min password age' and 'min passwd len' concepts. (This used to be commit d9417b08d1b649e598b44135bc57008f4e4f7769) --- source3/rpc_server/srv_samr_nt.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index fd152aa3b3..c72153eda7 100644 --- a/source3/rpc_server/srv_samr_nt.c 
+++ b/source3/rpc_server/srv_samr_nt.c @@ -1524,9 +1524,8 @@ NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_ * is case insensitive. */ - if (!pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash, - q_u->nt_newpass.pass, q_u->nt_oldhash.hash)) - r_u->status = NT_STATUS_WRONG_PASSWORD; + r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash, + q_u->nt_newpass.pass, q_u->nt_oldhash.hash); init_samr_r_chgpasswd_user(r_u, r_u->status); -- cgit From 4242eda183393b0535ac8ef880b4f441c60137af Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 15 Jan 2003 17:22:48 +0000 Subject: merging some rpcclient and net functionality from HEAD (This used to be commit 7a4c87484237308cb3ad0d671687da7e0f6e733b) --- source3/rpc_server/srv_samr_nt.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c72153eda7..2896fd79e4 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1180,6 +1180,18 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, /* Get what we need from the password database */ switch (q_u->switch_level) { case 0x1: + /* When playing with usrmgr, this is necessary + if you want immediate refresh after editing + a user. I would like to do this after the + setuserinfo2, but we do not have access to + the domain handle in that call, only to the + user handle. Where else does this hurt? + -- Volker + */ +#if 0 + /* We cannot do this here - it kills performace. JRA. */ + free_samr_users(info); +#endif case 0x2: case 0x4: become_root(); -- cgit From e72ecdc862804339912325fe848401e8ec57cde7 Mon Sep 17 00:00:00 2001 
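Review bot: `r_u->status = pass_oem_change(...)` in _samr_chgpasswd_user now hands whatever status the helper returns straight to the client, where the old code collapsed every failure into `NT_STATUS_WRONG_PASSWORD`. Which statuses pass_oem_change() can return is not visible here, but if an unknown account yields something distinguishable from a bad password, the reply lets a caller tell valid user names from invalid ones. Mapping that case back before the reply keeps the new policy statuses without the side channel: `if (NT_STATUS_EQUAL(r_u->status, NT_STATUS_NO_SUCH_USER)) r_u->status = NT_STATUS_WRONG_PASSWORD;`. The function starts outside the hunk.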
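Review bot: The `#if 0` block added under `case 0x1:` in _samr_query_dispinfo commits dead code together with two comments that argue with each other, and the case now falls through to `0x2`/`0x4` with nothing marking that as intended. One comment that records the decision reads better than a disabled call: `/* FALLTHROUGH - the user cache is not flushed here for performance, so display data may be stale after a user edit */`. "performace" in the second comment is a typo for "performance". The switch continues outside the hunk.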
From: Andrew Bartlett Date: Mon, 24 Feb 2003 02:35:54 +0000 Subject: Merge of server-side authentication changes to 3.0: - user_ok() and user_in_group() now take a list of groups, instead of looking for the user in the members of all groups. - The 'server_info' returned from the authentication is now kept around - in future we won't copy the sesion key, username etc, we will just referece them directly. - rhosts upgraded to use the SAM if possible, otherwise fake up based on getpwnam(). - auth_util code to deal with groups upgraded to deal with non-winbind domain members again. Andrew Bartlett (This used to be commit 74b5436c75114170ce7c780c19226103d0df9060) --- source3/rpc_server/srv_samr_nt.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 2896fd79e4..d766e9c19e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3427,7 +3427,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD fstrcpy(grp_name, grp->gr_name); /* if the user is already in the group */ - if(user_in_group_list(pwd->pw_name, grp_name)) { + if(user_in_unix_group_list(pwd->pw_name, grp_name)) { passwd_free(&pwd); return NT_STATUS_MEMBER_IN_ALIAS; } @@ -3439,7 +3439,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD smb_add_user_group(grp_name, pwd->pw_name); /* check if the user has been added then ... */ - if(!user_in_group_list(pwd->pw_name, grp_name)) { + if(!user_in_unix_group_list(pwd->pw_name, grp_name)) { passwd_free(&pwd); return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */ } 
@@ -3485,7 +3485,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE if ((grp=getgrgid(map.gid)) == NULL) return NT_STATUS_NO_SUCH_ALIAS; - /* we need to copy the name otherwise it's overloaded in user_in_group_list */ + /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */ fstrcpy(grp_name, grp->gr_name); /* check if the user exists before trying to remove it from the group */ @@ -3497,7 +3497,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE } /* if the user is not in the group */ - if(!user_in_group_list(pdb_get_username(sam_pass), grp_name)) { + if(!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) { pdb_free_sam(&sam_pass); return NT_STATUS_MEMBER_IN_ALIAS; } @@ -3505,7 +3505,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE smb_delete_user_group(grp_name, pdb_get_username(sam_pass)); /* check if the user has been removed then ... */ - if(user_in_group_list(pdb_get_username(sam_pass), grp_name)) { + if(user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) { pdb_free_sam(&sam_pass); return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */ } @@ -3583,11 +3583,11 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD return NT_STATUS_NO_SUCH_GROUP; } - /* we need to copy the name otherwise it's overloaded in user_in_group_list */ + /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */ fstrcpy(grp_name, grp->gr_name); /* if the user is already in the group */ - if(user_in_group_list(pwd->pw_name, grp_name)) { + if(user_in_unix_group_list(pwd->pw_name, grp_name)) { passwd_free(&pwd); return NT_STATUS_MEMBER_IN_GROUP; } 
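Review bot: In _samr_del_aliasmem the branch commented "if the user is not in the group" returns `NT_STATUS_MEMBER_IN_ALIAS`, which says the opposite of the test `!user_in_unix_group_list(...)`; `return NT_STATUS_MEMBER_NOT_IN_ALIAS;` matches the condition. The following hunk has the mirror image: when the member is still present after `smb_delete_user_group()` it returns `NT_STATUS_MEMBER_NOT_IN_ALIAS`, whereas the same check in _samr_del_groupmem returns `NT_STATUS_ACCESS_DENIED`. Both were already there before the helper was renamed, but this commit touches exactly these tests and is a good place to fix them. The functions start and end outside these hunks.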
@@ -3601,7 +3601,7 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD smb_add_user_group(grp_name, pwd->pw_name); /* check if the user has been added then ... */ - if(!user_in_group_list(pwd->pw_name, grp_name)) { + if(!user_in_unix_group_list(pwd->pw_name, grp_name)) { passwd_free(&pwd); return NT_STATUS_MEMBER_NOT_IN_GROUP; /* don't know what to reply else */ } @@ -3662,7 +3662,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE } /* if the user is not in the group */ - if (!user_in_group_list(pdb_get_username(sam_pass), grp_name)) { + if (!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) { pdb_free_sam(&sam_pass); return NT_STATUS_MEMBER_NOT_IN_GROUP; } @@ -3670,7 +3670,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE smb_delete_user_group(grp_name, pdb_get_username(sam_pass)); /* check if the user has been removed then ... */ - if (user_in_group_list(pdb_get_username(sam_pass), grp_name)) { + if (user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) { pdb_free_sam(&sam_pass); return NT_STATUS_ACCESS_DENIED; /* don't know what to reply else */ } -- cgit From eeae85278106abff538ed672116a81bec29906e3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 21 Mar 2003 13:35:15 +0000 Subject: (merge from HEAD) Give volker a hand, and let domain joins with existing user accounts work a bit better. This just sets the minimum possible attributes - if we are 'upgrading' an LDAP based user account, the attributes will be there anyway. This matches NT pretty well to. This also fixes some use of unitialised values in the desired_access checking. (found by valgrind). Andrew Bartlett (This used to be commit 536e24ee5b83eaa77be81dd50e3e1a5010b5abf4) --- source3/rpc_server/srv_samr_nt.c | 40 +++++++++++++++++++++++++++++++++------- 1 file changed, 33 insertions(+), 7 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d766e9c19e..f174114473 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -81,6 +81,7 @@ NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, u NTSTATUS status = NT_STATUS_ACCESS_DENIED; if (!se_access_check(psd, nt_user_token, des_access, acc_granted, &status)) { + *acc_granted = des_access; if (geteuid() == sec_initial_uid()) { DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access)); @@ -2199,7 +2200,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ uint32 acc_granted; SEC_DESC *psd; size_t sd_size; - uint32 des_access; + uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS; /* Get the domain SID stored in the domain policy */ if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted)) 
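Review bot: The added `*acc_granted = des_access;` in access_check_samr_object sits in the failure branch of `se_access_check()` ahead of the `geteuid() == sec_initial_uid()` test, so the out-parameter is filled with the full requested mask even when the request is about to be refused. The rest of the function is outside the hunk and the refused path presumably still returns the denied status, but any caller that stores `acc_granted` before testing the status would keep rights that were never granted. Moving the assignment into the override branch, next to the `DEBUG(4, ...)` line, and using `*acc_granted = 0;` on the refused path keeps the uninitialised-value fix without that exposure.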
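Review bot: `uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;` in _api_samr_create_user cures the uninitialised read by requesting every user right, whatever the client asked for. How des_access is used lies outside the hunk, but if it is passed to access_check_samr_object() the handle for the new account is checked against, and may be granted, the full mask. A comment on the declaration would record that this is a stand-in: `/* TODO: derive from the access the client requested instead of all-access */`.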
@@ -2284,25 +2285,50 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); } + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_pass))) { + return nt_status; + } + pw = getpwnam_alloc(account); if (pw) { - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sam_pass, pw))) { - passwd_free(&pw); - return nt_status; + DOM_SID user_sid; + DOM_SID group_sid; + if (!uid_to_sid(&user_sid, pw->pw_uid)) { + passwd_free(&pw); /* done with this now */ + pdb_free_sam(&sam_pass); + DEBUG(1, ("_api_samr_create_user: uid_to_sid failed, cannot add user.\n")); + return NT_STATUS_ACCESS_DENIED; } + + if (!pdb_set_user_sid(sam_pass, &user_sid, PDB_CHANGED)) { + passwd_free(&pw); /* done with this now */ + pdb_free_sam(&sam_pass); + return NT_STATUS_NO_MEMORY; + } + + if (!gid_to_sid(&group_sid, pw->pw_gid)) { + passwd_free(&pw); /* done with this now */ + pdb_free_sam(&sam_pass); + DEBUG(1, ("_api_samr_create_user: gid_to_sid failed, cannot add user.\n")); + return NT_STATUS_ACCESS_DENIED; + } + + if (!pdb_set_group_sid(sam_pass, &group_sid, PDB_CHANGED)) { + passwd_free(&pw); /* done with this now */ + pdb_free_sam(&sam_pass); + return NT_STATUS_NO_MEMORY; + } + passwd_free(&pw); /* done with this now */ } else { DEBUG(3,("attempting to create non-unix account %s\n", account)); - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_pass))) { - return nt_status; } if (!pdb_set_username(sam_pass, account, PDB_CHANGED)) { pdb_free_sam(&sam_pass); return NT_STATUS_NO_MEMORY; - } } pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED); -- cgit From 6f99b229dbf4a9b72fe825ebb2e3751ef3d7b680 Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Tue, 22 Apr 2003 03:15:32 +0000 Subject: wrap pdb_enum_group_mapping() in [un]become_root() so LDAP queries can get the credentials from secrets.tdb (This used to be commit bb8b63b865b941abecc0d821e710702dd12866fe) --- source3/rpc_server/srv_samr_nt.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index f174114473..794fea56df 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -300,11 +300,16 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) DEBUG(10,("load_group_domain_entries: already in memory\n")); return NT_STATUS_OK; } + + + become_root(); if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) { DEBUG(1, ("load_group_domain_entries: pdb_enum_group_mapping() failed!\n")); return NT_STATUS_NO_MEMORY; } + + unbecome_root(); info->disp_info.num_group_account=group_entries; -- cgit From 846a773bda69ecbf512f8e455e5695dbf868cda7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 23 Apr 2003 01:04:20 +0000 Subject: Now that Volker fixed the real issues with ldapsam and adding null attributes etc, move the SAMR create_user code back to using the 'pdb_init_sam_pw' method to fill out the attributes. This is basicly the same code, but we really didn't need the duplication. Also, take advantage of the fact that RIDs will always be returned back into the SAM_ACCOUNT on ADD, so we don't need to duplicate the 'get'. This should also help in sites with replicated LDAP - the second fetch might occour before the first is replicated back. Andrew Bartlett (This used to be commit 39714c24fd9da4701d4fe69ddd3d61a25254409f) --- source3/rpc_server/srv_samr_nt.c | 48 +++++++--------------------------------- 1 file changed, 8 insertions(+), 40 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
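Review bot: The early `return NT_STATUS_NO_MEMORY;` in the `pdb_enum_group_mapping()` failure branch of load_group_domain_entries leaves without calling `unbecome_root()`, so on that path the process keeps the elevated identity taken by `become_root()` for whatever runs next. Add `unbecome_root();` as the first statement of the failure branch, or store the call's result, drop root, and test the result afterwards. The function's other exits are outside the hunk and should be checked for the same pairing.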
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 794fea56df..7b2cd78dc6 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2205,6 +2205,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ uint32 acc_granted; SEC_DESC *psd; size_t sd_size; + /* check this, when giving away 'add computer to domain' privs */ uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS; /* Get the domain SID stored in the domain policy */ 
@@ -2290,50 +2291,26 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); } - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_pass))) { - return nt_status; - } - pw = getpwnam_alloc(account); if (pw) { - DOM_SID user_sid; - DOM_SID group_sid; - if (!uid_to_sid(&user_sid, pw->pw_uid)) { - passwd_free(&pw); /* done with this now */ - pdb_free_sam(&sam_pass); - DEBUG(1, ("_api_samr_create_user: uid_to_sid failed, cannot add user.\n")); - return NT_STATUS_ACCESS_DENIED; - } - - if (!pdb_set_user_sid(sam_pass, &user_sid, PDB_CHANGED)) { - passwd_free(&pw); /* done with this now */ - pdb_free_sam(&sam_pass); - return NT_STATUS_NO_MEMORY; - } - - if (!gid_to_sid(&group_sid, pw->pw_gid)) { - passwd_free(&pw); /* done with this now */ - pdb_free_sam(&sam_pass); - DEBUG(1, ("_api_samr_create_user: gid_to_sid failed, cannot add user.\n")); - return NT_STATUS_ACCESS_DENIED; - } - - if (!pdb_set_group_sid(sam_pass, &group_sid, PDB_CHANGED)) { - passwd_free(&pw); /* done with this now */ + nt_status = pdb_init_sam_pw(&sam_pass, pw); + passwd_free(&pw); /* done with this now */ + if (!NT_STATUS_IS_OK(nt_status)) { pdb_free_sam(&sam_pass); - return NT_STATUS_NO_MEMORY; + return nt_status; } - - passwd_free(&pw); /* done with this now */ } else { DEBUG(3,("attempting to create non-unix account %s\n", account)); + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_pass))) { + return nt_status; } if (!pdb_set_username(sam_pass, account, PDB_CHANGED)) { pdb_free_sam(&sam_pass); return NT_STATUS_NO_MEMORY; + } } pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED); 
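Review bot: After `pdb_init_sam_pw()` fails in _api_samr_create_user the new code calls `pdb_free_sam(&sam_pass)` on an object whose initialisation has just failed, while the `pdb_init_sam()` failure in the else branch returns without freeing anything. Whether pdb_init_sam_pw() leaves `sam_pass` NULL or half-built on error is not visible here, so one of the two branches is probably wrong. If the initialiser cleans up after itself, the pw branch can be reduced to `if (!NT_STATUS_IS_OK(nt_status)) return nt_status;`. The function starts and ends outside the hunk.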
@@ -2344,15 +2321,6 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ account)); return NT_STATUS_ACCESS_DENIED; } - - pdb_reset_sam(sam_pass); - - if (!pdb_getsampwnam(sam_pass, account)) { - pdb_free_sam(&sam_pass); - DEBUG(0, ("could not find user/computer %s just added to passdb?!?\n", - account)); - return NT_STATUS_ACCESS_DENIED; - } /* Get the user's SID */ sid_copy(&sid, pdb_get_user_sid(sam_pass)); -- cgit From 66468d23158694383f3759464ffa7ade1c1d6d6c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 23 Apr 2003 14:07:33 +0000 Subject: Patch by Metze to ensure that we always at least initialize our output string for rpc_pull_string. If we had a NULL or zero-length string, we would use uninitialised data in the result string. Andrew Bartlett (This used to be commit df10aee451b431a8a056a949a98393da256185da) --- source3/rpc_server/srv_samr_nt.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 7b2cd78dc6..d6441fd361 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1473,13 +1473,14 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO for (i = 0; i < num_rids; i++) { fstring name; DOM_SID sid; + int ret; r_u->status = NT_STATUS_NONE_MAPPED; rid [i] = 0xffffffff; type[i] = SID_NAME_UNKNOWN; - rpcstr_pull(name, q_u->uni_name[i].buffer, sizeof(name), q_u->uni_name[i].uni_str_len*2, 0); + ret = rpcstr_pull(name, q_u->uni_name[i].buffer, sizeof(name), q_u->uni_name[i].uni_str_len*2, 0); /* * we are only looking for a name 
@@ -1492,7 +1493,8 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO * a cleaner code is to add the sid of the domain we're looking in * to the local_lookup_name function. */ - if(local_lookup_name(name, &sid, &local_type)) { + + if ((ret > 0) && local_lookup_name(name, &sid, &local_type)) { sid_split_rid(&sid, &local_rid); if (sid_equal(&sid, &pol_sid)) { -- cgit From 2aa8a05f336781d7cc7c8cdce9533f96ba9ca8d6 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 29 Apr 2003 05:30:29 +0000 Subject: only call the add_script if the getpwnam_alloc() fails (This used to be commit c0807e21999ec718d722fc0be6b3353c9369db04) --- source3/rpc_server/srv_samr_nt.c | 47 ++++++++++++++++++++++++---------------- 1 file changed, 28 insertions(+), 19 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d6441fd361..8ff993d8a6 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
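Review bot: The new `(ret > 0)` guard in _samr_lookup_names has no comment, and nothing here says what a zero or negative return from `rpcstr_pull()` means. The source length passed in the previous hunk, `q_u->uni_name[i].uni_str_len*2`, comes from the request; whether it has been checked against the size of `uni_name[i].buffer` is not visible, and the guard does not cover that. A comment above the test would record the intent: `/* ret <= 0: nothing was converted, leave rid/type as unknown */`. The loop body continues outside the hunk.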
@@ -2274,26 +2274,35 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ } #endif - /* - * we can't check both the ending $ and the acb_info. - * - * UserManager creates trust accounts (ending in $, - * normal that hidden accounts) with the acb_info equals to ACB_NORMAL. - * JFM, 11/29/2001 - */ - if (account[strlen(account)-1] == '$') - pstrcpy(add_script, lp_addmachine_script()); - else - pstrcpy(add_script, lp_adduser_script()); - - if (*add_script) { - int add_ret; - all_string_sub(add_script, "%u", account, sizeof(account)); - add_ret = smbrun(add_script,NULL); - DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); - } - + /* the passdb lookup has failed; check to see if we need to run the + add user/machine script */ + pw = getpwnam_alloc(account); + + if ( !pw ) { + /* + * we can't check both the ending $ and the acb_info. + * + * UserManager creates trust accounts (ending in $, + * normal that hidden accounts) with the acb_info equals to ACB_NORMAL. + * JFM, 11/29/2001 + */ + if (account[strlen(account)-1] == '$') + pstrcpy(add_script, lp_addmachine_script()); + else + pstrcpy(add_script, lp_adduser_script()); + + if (*add_script) { + int add_ret; + all_string_sub(add_script, "%u", account, sizeof(account)); + add_ret = smbrun(add_script,NULL); + DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); + } + + /* try again */ + pw = getpwnam_alloc(account); + } + if (pw) { nt_status = pdb_init_sam_pw(&sam_pass, pw); -- cgit From 281d95e2f35f8276d23d075d6e528d16eda9fadc Mon Sep 17 00:00:00 2001 
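Review bot: The relocated script block in _api_samr_create_user substitutes the client-supplied `account` into `add_script` with `all_string_sub()` and runs the result through `smbrun()`, and nothing in the hunk restricts which characters the name may contain. Whether all_string_sub() filters shell metacharacters is not visible here; if it does not, the name reaches the shell as written, so the name should be validated against an allowed character set before the substitution. On the same lines, `account[strlen(account)-1]` indexes before the buffer when the name is empty, and the limit passed is `sizeof(account)` although the buffer being edited is `add_script`. A guard such as `if (account[0] == '\0') return NT_STATUS_INVALID_PARAMETER;` ahead of the `$` test, and `sizeof(add_script)` as the limit (assuming it is a fixed-size buffer, as the `pstrcpy()` suggests), would close those two.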
From: Andrew Bartlett Date: Tue, 29 Apr 2003 09:43:17 +0000 Subject: Use a common function to create the SAM_ACCOUNT being used to add accounts to the system. This means that we always run Get_Pwnam(), and can never add FOO when foo exists on the system (the idea is to instead add foo into the passdb, using it's full name, RID etc). Andrew Bartlett (This used to be commit bb79b127e02cefae13c822fd0fd165f1f214b740) --- source3/rpc_server/srv_samr_nt.c | 29 +++++------------------------ 1 file changed, 5 insertions(+), 24 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 8ff993d8a6..62d5f8ab0c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2277,7 +2277,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ /* the passdb lookup has failed; check to see if we need to run the add user/machine script */ - pw = getpwnam_alloc(account); + pw = Get_Pwnam(account); if ( !pw ) { /* 
@@ -2299,33 +2299,14 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); } - /* try again */ - pw = getpwnam_alloc(account); } - - if (pw) { - nt_status = pdb_init_sam_pw(&sam_pass, pw); - passwd_free(&pw); /* done with this now */ - if (!NT_STATUS_IS_OK(nt_status)) { - pdb_free_sam(&sam_pass); - return nt_status; - } - } else { - DEBUG(3,("attempting to create non-unix account %s\n", account)); - - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_pass))) { - return nt_status; - } + nt_status = pdb_init_sam_new(&sam_pass, account); + if (!NT_STATUS_IS_OK(nt_status)) + return nt_status; - if (!pdb_set_username(sam_pass, account, PDB_CHANGED)) { - pdb_free_sam(&sam_pass); - return NT_STATUS_NO_MEMORY; - } - } - pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED); - + if (!pdb_add_sam_account(sam_pass)) { pdb_free_sam(&sam_pass); DEBUG(0, ("could not add user/computer %s to passdb. Check permissions?\n", -- cgit From 3eeb40f9b54a4a48a4860a498991fd78274b44cf Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 7 May 2003 08:21:06 +0000 Subject: Set our 'global sam name' in one place. For domain controllers, this is lp_workgroup(), for all other server this is global_myname(). This is the name of the domain for accounts on *this* system, and getting this wrong caused interesting bugs with 'take ownership' on member servers and standalone servers at Snap. (They lookup the username that they got, then convert that to a SID - but becouse the domain out of the smbpasswd entry was wrong, we would fail the lookup). Andrew Bartlett (This used to be commit 5fc78eba20411f3f5a8ccadfcba5c4ab73180dba) --- source3/rpc_server/srv_samr_nt.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
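Review bot: With the "try again" lookup removed, nothing in `_api_samr_create_user` looks at the outcome of the add user/machine script any more: `add_ret` is only printed at debug level 3 in the context line above, and a failed script shows up later as whatever `pdb_init_sam_new()` returns. For a privileged account-creation path that is worth making visible, e.g. `if (add_ret != 0) DEBUG(0,("_api_samr_create_user: add script for %s returned %d\n", account, add_ret));`. The early `return nt_status;` also relies on `pdb_init_sam_new()` leaving nothing allocated in `sam_pass` on failure, which cannot be confirmed from this hunk; a one-line comment stating that would help. The function starts and ends outside the hunk.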
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 62d5f8ab0c..970756d47c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2575,14 +2575,7 @@ NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_EN return r_u->status; } - switch (lp_server_role()) { - case ROLE_DOMAIN_PDC: - case ROLE_DOMAIN_BDC: - name = lp_workgroup(); - break; - default: - name = global_myname(); - } + name = get_global_sam_name(); fstrcpy(dom[0],name); strupper(dom[0]); -- cgit From c823b191ab476fc2583d6d6aaa1e2edb09cbb88e Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 12 May 2003 18:12:31 +0000 Subject: And finally IDMAP in 3_0 We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d) --- source3/rpc_server/srv_samr_nt.c | 30 ++++++++---------------------- 1 file changed, 8 insertions(+), 22 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 970756d47c..8c9e22966a 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -6,7 +6,7 @@ * Copyright (C) Paul Ashton 1997, * Copyright (C) Marc Jacobsen 1999, * Copyright (C) Jeremy Allison 2001-2002, - * Copyright (C) Jean François Micouleau 1998-2001, + * Copyright (C) Jean François Micouleau 1998-2001, * Copyright (C) Anthony Liguori 2002, * Copyright (C) Jim McDonough 2002. * @@ -920,7 +920,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM struct sys_grent *grp; struct passwd *pw; gid_t winbind_gid_low, winbind_gid_high; - BOOL winbind_groups_exist = lp_winbind_gid(&winbind_gid_low, &winbind_gid_high); + BOOL winbind_groups_exist = lp_idmap_gid(&winbind_gid_low, &winbind_gid_high); /* local aliases */ /* we return the UNIX groups here. This seems to be the right */ @@ -2811,8 +2811,7 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid) copy_id23_to_sam_passwd(pwd, id23); /* if it's a trust account, don't update /etc/passwd */ - if ( (!IS_SAM_UNIX_USER(pwd)) || - ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || + if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) || ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) { DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n")); @@ -2873,8 +2872,7 @@ static BOOL set_user_info_pw(char *pass, DOM_SID *sid) } /* if it's a trust account, don't update /etc/passwd */ - if ( (!IS_SAM_UNIX_USER(pwd)) || - ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || + if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) || ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) { DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n")); 
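Review bot: The `DEBUG(5, ...)` text in the `set_user_info_23` hunk still reads "Changing trust account or non-unix-user password" although `!IS_SAM_UNIX_USER(pwd)` was removed from the condition, so the log now names a case this branch no longer covers; the `set_user_info_pw` hunk has the same leftover. Suggested wording for both: `DEBUG(5, ("Changing trust account password, not updating /etc/passwd\n"));`. Dropping the test also means accounts without a Unix user now take the other branch, which lies outside both hunks; a comment there saying how a missing Unix account is handled would make the change in behaviour explicit.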
@@ -3389,9 +3387,9 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD pdb_free_sam(&sam_user); return NT_STATUS_NO_SUCH_USER; } - - uid = pdb_get_uid(sam_user); - if (uid == -1) { + + /* check a real user exist before we run the script to add a user to a group */ + if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) { pdb_free_sam(&sam_user); return NT_STATUS_NO_SUCH_USER; } @@ -3401,7 +3399,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD if ((pwd=getpwuid_alloc(uid)) == NULL) { return NT_STATUS_NO_SUCH_USER; } - + if ((grp=getgrgid(map.gid)) == NULL) { passwd_free(&pwd); return NT_STATUS_NO_SUCH_ALIAS; @@ -3550,18 +3548,6 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD return NT_STATUS_NO_SUCH_USER; } - uid = pdb_get_uid(sam_user); - if (uid == -1) { - pdb_free_sam(&sam_user); - return NT_STATUS_NO_SUCH_USER; - } - - pdb_free_sam(&sam_user); - - if ((pwd=getpwuid_alloc(uid)) == NULL) { - return NT_STATUS_NO_SUCH_USER; - } - if ((grp=getgrgid(map.gid)) == NULL) { passwd_free(&pwd); return NT_STATUS_NO_SUCH_GROUP; -- cgit From 6abef0810007c317c3ee866eb3933ce2c696085f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 12 May 2003 21:27:54 +0000 Subject: Fix obvious compiler warnings. Jeremy. (This used to be commit 2a6d0c2481c3c34351e57c30a85004babdbf99b0) --- source3/rpc_server/srv_samr_nt.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 8c9e22966a..fa7a10bb1a 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3509,7 +3509,6 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD struct group *grp; fstring grp_name; GROUP_MAP map; - uid_t uid; NTSTATUS ret; SAM_ACCOUNT *sam_user=NULL; BOOL check; -- cgit 
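Review bot: `NT_STATUS_IS_ERR()` is not the complement of `NT_STATUS_IS_OK()`, so in the `_samr_add_aliasmem` hunk a `sid_to_uid()` result that is neither OK nor of error severity skips the early return and reaches `getpwuid_alloc(uid)` with a `uid` this hunk never sets (its declaration is outside the hunk). The check that a real user exists should fail closed: `if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) {`.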
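Review bot: The `_samr_add_groupmem` hunk removes the only visible assignment to `pwd` (`getpwuid_alloc(uid)`) but keeps the context line `passwd_free(&pwd);` on the `getgrgid()` failure path, so that call now acts on a pointer nothing in the hunk has set. The removed lines also held the `pdb_free_sam(&sam_user);` for the success path, and no replacement is visible. Unless `pwd` is initialised where it is declared (outside the hunk), either keep the user lookup or drop the `passwd_free(&pwd);` and every later use of `pwd`; the rest of the function is outside the hunk, so later uses should be checked as well.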
From 3ebfe59d0fdeb6d58400b25f5b444fda42c6200a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 16 May 2003 18:30:22 +0000 Subject: Patch from "Esh, Andrew" to fix core dump bug in add groupmem code. Jeremy. (This used to be commit f41eb9ce9af2075f62abaecd8792d30617d05818) --- source3/rpc_server/srv_samr_nt.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index fa7a10bb1a..ee496126ad 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3505,6 +3505,7 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD DOM_SID group_sid; DOM_SID user_sid; fstring group_sid_str; + uid_t uid; struct passwd *pwd; struct group *grp; fstring grp_name; @@ -3546,7 +3547,19 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD pdb_free_sam(&sam_user); return NT_STATUS_NO_SUCH_USER; } - + + /* check a real user exist before we run the script to add a user to a group */ + if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) { + pdb_free_sam(&sam_user); + return NT_STATUS_NO_SUCH_USER; + } + + pdb_free_sam(&sam_user); + + if ((pwd=getpwuid_alloc(uid)) == NULL) { + return NT_STATUS_NO_SUCH_USER; + } + if ((grp=getgrgid(map.gid)) == NULL) { passwd_free(&pwd); return NT_STATUS_NO_SUCH_GROUP; -- cgit From 98c9504583c2afe89f6115985d6cacc2905be1f8 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 11 Jun 2003 20:42:10 +0000 Subject: Set the user's primary unix group from usrmgr.exe. This part of a fix to bug#45. Volker (This used to be commit 43d306011fe0497dabdf6f43a0d120900fd96e6d) --- source3/rpc_server/srv_samr_nt.c | 41 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index ee496126ad..40f6579e27 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2730,6 +2730,41 @@ static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, DOM_SID *sid) return True; } +/******************************************************************* + The GROUPSID field in the SAM_ACCOUNT changed. Try to tell unix. + ********************************************************************/ +static BOOL set_unix_primary_group(SAM_ACCOUNT *sampass) +{ + struct group *grp; + gid_t gid; + + if (!NT_STATUS_IS_OK(sid_to_gid(pdb_get_group_sid(sampass), + &gid))) { + DEBUG(2,("Could not get gid for primary group of " + "user %s\n", pdb_get_username(sampass))); + return False; + } + + grp = getgrgid(gid); + + if (grp == NULL) { + DEBUG(2,("Could not find primary group %d for " + "user %s\n", gid, pdb_get_username(sampass))); + return False; + } + + if (smb_set_primary_group(grp->gr_name, + pdb_get_username(sampass)) != 0) { + DEBUG(2,("Could not set primary group for user %s to " + "%s\n", + pdb_get_username(sampass), grp->gr_name)); + return False; + } + + return True; +} + + /******************************************************************* set_user_info_21 ********************************************************************/ @@ -2759,6 +2794,9 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, DOM_SID *sid) * id21. I don't know if they need to be set. --jerry */ + if (IS_SAM_CHANGED(pwd, PDB_GROUPSID)) + set_unix_primary_group(pwd); + /* write the change out */ if(!pdb_update_sam_account(pwd)) { pdb_free_sam(&pwd); @@ -2826,6 +2864,9 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid) ZERO_STRUCT(plaintext_buf); + if (IS_SAM_CHANGED(pwd, PDB_GROUPSID)) + set_unix_primary_group(pwd); + if(!pdb_update_sam_account(pwd)) { pdb_free_sam(&pwd); return False; -- cgit From 75a5c0b307a79536316b651273d3f6983323f5ce Mon Sep 17 00:00:00 2001 
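Review bot: Both new call sites, in the `set_user_info_21` and `set_user_info_23` hunks, discard the BOOL returned by `set_unix_primary_group()`, so `pdb_update_sam_account(pwd)` still stores the new group SID when the Unix-side change failed and the two account databases end up disagreeing about the user's primary group. Either fail the request, `if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) && !set_unix_primary_group(pwd)) { pdb_free_sam(&pwd); return False; }`, or add a comment at the call stating that the Unix update is best effort. In the helper itself, `gid` is printed with `%d`; `(int)gid` keeps the format and argument types matched.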
From: Simo Sorce Date: Wed, 18 Jun 2003 15:24:10 +0000 Subject: Ok, this patch removes the privilege stuff we had in, unused, for some time. The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e) --- source3/rpc_server/srv_samr_nt.c | 56 +++++++++++++++------------------------- 1 file changed, 21 insertions(+), 35 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 40f6579e27..6039cac96c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -304,7 +304,7 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) become_root(); - if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) { + if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED)) { DEBUG(1, ("load_group_domain_entries: pdb_enum_group_mapping() failed!\n")); return NT_STATUS_NO_MEMORY; } @@ -900,7 +900,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM /* well-known aliases */ if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) { - pdb_enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV); + pdb_enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED); if (num_entries != 0) { *d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP)); 
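Review bot: In the `load_group_domain_entries` hunk the failure branch of `pdb_enum_group_mapping()` returns directly after `become_root();` with no `unbecome_root()` between them, so on that path the process would continue with root credentials. The matching call is presumably just below the hunk and only reached on success; adding `unbecome_root();` before `return NT_STATUS_NO_MEMORY;` closes the error path. The status is also misleading for a failed enumeration, which a short comment could at least acknowledge.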
@@ -937,7 +937,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM for (; (num_entries < max_entries) && (grp != NULL); grp = grp->next) { uint32 trid; - if(!pdb_getgrgid(&smap, grp->gr_gid, MAPPING_WITHOUT_PRIV)) + if(!pdb_getgrgid(&smap, grp->gr_gid)) continue; if (smap.sid_name_use!=SID_NAME_ALIAS) { @@ -1018,7 +1018,7 @@ static NTSTATUS get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DO *p_num_entries = 0; - pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV); + pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED); num_entries=group_entries-start_idx; @@ -1346,7 +1346,7 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM !sid_check_is_in_builtin(&sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - if (!pdb_getgrsid(&map, sid, MAPPING_WITHOUT_PRIV)) + if (!pdb_getgrsid(&map, sid)) return NT_STATUS_NO_SUCH_ALIAS; switch (q_u->switch_level) { @@ -3215,12 +3215,12 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ if (sid_equal(&alias_sid, &global_sid_Builtin)) { DEBUG(10, ("lookup on Builtin SID (S-1-5-32)\n")); - if(!get_builtin_group_from_sid(als_sid, &map, MAPPING_WITHOUT_PRIV)) + if(!get_builtin_group_from_sid(als_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; } else { if (sid_equal(&alias_sid, get_global_sam_sid())) { DEBUG(10, ("lookup on Server SID\n")); - if(!get_local_group_from_sid(als_sid, &map, MAPPING_WITHOUT_PRIV)) + if(!get_local_group_from_sid(als_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; } } 
@@ -3321,7 +3321,7 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ sid_append_rid(&group_sid, group_rid); DEBUG(10, ("lookup on Domain SID\n")); - if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) + if(!get_domain_group_from_sid(group_sid, &map)) return NT_STATUS_NO_SUCH_GROUP; if(!get_uid_list_of_group(map.gid, &uid, &num_uids)) @@ -3405,13 +3405,13 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD if (sid_compare(&alias_sid, get_global_sam_sid())>0) { DEBUG(10, ("adding member on Server SID\n")); - if(!get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV)) + if(!get_local_group_from_sid(alias_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; } else { if (sid_compare(&alias_sid, &global_sid_Builtin)>0) { DEBUG(10, ("adding member on BUILTIN SID\n")); - if( !get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV)) + if( !get_local_group_from_sid(alias_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; } else @@ -3502,7 +3502,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE return NT_STATUS_NO_SUCH_ALIAS; } - if( !get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV)) + if( !get_local_group_from_sid(alias_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; if ((grp=getgrgid(map.gid)) == NULL) @@ -3572,7 +3572,7 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD DEBUG(10, ("lookup on Domain SID\n")); - if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) + if(!get_domain_group_from_sid(group_sid, &map)) return NT_STATUS_NO_SUCH_GROUP; sid_copy(&user_sid, get_global_sam_sid()); 
@@ -3667,7 +3667,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE sid_copy(&user_sid, get_global_sam_sid()); sid_append_rid(&user_sid, q_u->rid); - if (!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) + if (!get_domain_group_from_sid(group_sid, &map)) return NT_STATUS_NO_SUCH_GROUP; if ((grp=getgrgid(map.gid)) == NULL) @@ -3812,7 +3812,7 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S DEBUG(10, ("lookup on Domain SID\n")); - if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) + if(!get_domain_group_from_sid(group_sid, &map)) return NT_STATUS_NO_SUCH_GROUP; gid=map.gid; @@ -3874,7 +3874,7 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S DEBUG(10, ("lookup on Local SID\n")); - if(!get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV)) + if(!get_local_group_from_sid(alias_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; gid=map.gid; @@ -3911,12 +3911,9 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S fstring sid_string; struct group *grp; struct samr_info *info; - PRIVILEGE_SET priv_set; uint32 acc_granted; gid_t gid; - init_privilege(&priv_set); - /* Find the policy handle. Open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; @@ -3951,7 +3948,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S sid_append_rid(&info_sid, r_u->rid); sid_to_string(sid_string, &info_sid); - if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL, priv_set, PR_ACCESS_FROM_NETWORK)) + if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL)) return NT_STATUS_ACCESS_DENIED; if ((info = get_samr_info_by_sid(&info_sid)) == NULL) 
@@ -3976,12 +3973,9 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S fstring sid_string; struct group *grp; struct samr_info *info; - PRIVILEGE_SET priv_set; uint32 acc_granted; gid_t gid; - init_privilege(&priv_set); - /* Find the policy handle. Open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; @@ -4016,7 +4010,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S sid_to_string(sid_string, &info_sid); /* add the group to the mapping table */ - if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, name, NULL, priv_set, PR_ACCESS_FROM_NETWORK)) + if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, name, NULL)) return NT_STATUS_ACCESS_DENIED; if ((info = get_samr_info_by_sid(&info_sid)) == NULL) @@ -4052,7 +4046,7 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM return r_u->status; } - if (!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) + if (!get_domain_group_from_sid(group_sid, &map)) return NT_STATUS_INVALID_HANDLE; ctr=(GROUP_INFO_CTR *)talloc_zero(p->mem_ctx, sizeof(GROUP_INFO_CTR)); @@ -4104,7 +4098,7 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ return r_u->status; } - if (!get_domain_group_from_sid(group_sid, &map, MAPPING_WITH_PRIV)) + if (!get_domain_group_from_sid(group_sid, &map)) return NT_STATUS_NO_SUCH_GROUP; ctr=q_u->ctr; @@ -4117,17 +4111,13 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ unistr2_to_ascii(map.comment, &(ctr->group.info4.uni_acct_desc), sizeof(map.comment)-1); break; default: - free_privilege(&map.priv_set); return NT_STATUS_INVALID_INFO_CLASS; } if(!pdb_update_group_mapping_entry(&map)) { - free_privilege(&map.priv_set); return NT_STATUS_NO_SUCH_GROUP; } - free_privilege(&map.priv_set); - return NT_STATUS_OK; } 
@@ -4151,7 +4141,7 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ return r_u->status; } - if (!get_local_group_from_sid(group_sid, &map, MAPPING_WITH_PRIV)) + if (!get_local_group_from_sid(group_sid, &map)) return NT_STATUS_NO_SUCH_GROUP; ctr=&q_u->ctr; @@ -4161,17 +4151,13 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ unistr2_to_ascii(map.comment, &(ctr->alias.info3.uni_acct_desc), sizeof(map.comment)-1); break; default: - free_privilege(&map.priv_set); return NT_STATUS_INVALID_INFO_CLASS; } if(!pdb_update_group_mapping_entry(&map)) { - free_privilege(&map.priv_set); return NT_STATUS_NO_SUCH_GROUP; } - free_privilege(&map.priv_set); - return NT_STATUS_OK; } @@ -4246,7 +4232,7 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G DEBUG(10, ("_samr_open_group:Opening SID: %s\n", sid_string)); /* check if that group really exists */ - if (!get_domain_group_from_sid(info->sid, &map, MAPPING_WITHOUT_PRIV)) + if (!get_domain_group_from_sid(info->sid, &map)) return NT_STATUS_NO_SUCH_GROUP; /* get a (unique) handle. open a policy on it. */ -- cgit From f5974dfaae680d98b78d600cd1f1aaece332a085 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sun, 22 Jun 2003 10:09:52 +0000 Subject: Found out a good number of NT_STATUS_IS_ERR used the wrong way. As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 6039cac96c..ebf483da66 100644 
--- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3430,7 +3430,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD } /* check a real user exist before we run the script to add a user to a group */ - if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) { + if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) { pdb_free_sam(&sam_user); return NT_STATUS_NO_SUCH_USER; } @@ -3590,7 +3590,7 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD } /* check a real user exist before we run the script to add a user to a group */ - if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) { + if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) { pdb_free_sam(&sam_user); return NT_STATUS_NO_SUCH_USER; } -- cgit From ce72beb2b558d86fb49063c6b1fa00e07952ce56 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 3 Jul 2003 19:11:31 +0000 Subject: Removed strupper/strlower macros that automatically map to strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index ebf483da66..c475260cca 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2225,7 +2225,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ */ rpcstr_pull(account, user_account.buffer, sizeof(account), user_account.uni_str_len*2, 0); - strlower(account); + strlower_m(account); pdb_init_sam(&sam_pass); 
@@ -2578,7 +2578,7 @@ NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_EN name = get_global_sam_name(); fstrcpy(dom[0],name); - strupper(dom[0]); + strupper_m(dom[0]); fstrcpy(dom[1],"Builtin"); if (!make_enum_domains(p->mem_ctx, &r_u->sam, &r_u->uni_dom_name, num_entries, dom)) -- cgit From e4bfa0a4608d794fd0c6228b58469ddf5473b7b4 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 8 Jul 2003 21:58:29 +0000 Subject: Moved SAM_ACCOUNT marshall/unmarshall functions to make them externally available. Removed extra auth_init (thanks metze). Jeremy. (This used to be commit 88135fbc4998c266052647f8b8e437ac01cf50ae) --- source3/rpc_server/srv_samr_nt.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c475260cca..1628a51e53 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -151,10 +151,10 @@ static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) return info; } - /******************************************************************* Function to free the per handle data. ********************************************************************/ + static void free_samr_users(struct samr_info *info) { int i; @@ -169,10 +169,10 @@ static void free_samr_users(struct samr_info *info) info->disp_info.num_user_account=0; } - /******************************************************************* Function to free the per handle data. ********************************************************************/ + static void free_samr_db(struct samr_info *info) { /* Groups are talloced */ @@ -183,7 +183,6 @@ static void free_samr_db(struct samr_info *info) info->disp_info.num_group_account=0; } - static void free_samr_info(void *ptr) { struct samr_info *info=(struct samr_info *) ptr; 
@@ -1128,6 +1127,7 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S /******************************************************************* samr_reply_query_dispinfo ********************************************************************/ + NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_QUERY_DISPINFO *r_u) { -- cgit From 4072006fecf56bebf113fe1d4566156c0d89bacc Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 9 Jul 2003 00:23:42 +0000 Subject: Get rid of DISP_USER_INFO/DISP_GROUP_INFO as they serve no useful purpose. Replace with an array of SAM_ACCOUNT/DOMAIN_GRP entries. ZERO struct's in smbd/uid.c stops core dumps when sid_to_XX functions fail. Getting ready to add caching. Jeremy. (This used to be commit 9d0692a54fe2cb087f25796ec2ab5e1d8433e388) --- source3/rpc_server/srv_samr_nt.c | 37 +++++++++++++++++-------------------- 1 file changed, 17 insertions(+), 20 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 1628a51e53..e43cf4f759 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -44,10 +44,10 @@ extern rid_name builtin_alias_rids[]; typedef struct _disp_info { BOOL user_dbloaded; uint32 num_user_account; - DISP_USER_INFO *disp_user_info; + SAM_ACCOUNT *disp_user_info; BOOL group_dbloaded; uint32 num_group_account; - DISP_GROUP_INFO *disp_group_info; + DOMAIN_GRP *disp_group_info; } DISP_INFO; struct samr_info { @@ -161,8 +161,9 @@ static void free_samr_users(struct samr_info *info) if (info->disp_info.user_dbloaded){ for (i=0; idisp_info.num_user_account; i++) { + SAM_ACCOUNT *sam = &info->disp_info.disp_user_info[i]; /* Not really a free, actually a 'clear' */ - pdb_free_sam(&info->disp_info.disp_user_info[i].sam); + pdb_free_sam(&sam); } } info->disp_info.user_dbloaded=False; 
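Review bot: In the `free_samr_users` hunk, `pdb_free_sam(&sam)` is now given the address of a local pointer to an element inside the `disp_user_info` array, and a later hunk of this commit fills that array with a struct assignment (`...[num_user_account]=*pwd;`), so each element shares whatever the original `SAM_ACCOUNT` points to while `pwd` itself has no visible owner afterwards. If `pdb_free_sam()` releases the structure it is handed rather than only its contents (not visible here), this frees memory in the middle of a talloc'd array; if `pwd` is freed or reused by the enumeration loop, the copies are left dangling. These entries carry account data, so ownership should be stated explicitly, at minimum with a comment on `disp_user_info` such as `/* array owns shallow copies; originals must not be freed separately */` once that is confirmed to be the intent.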
@@ -211,7 +212,7 @@ static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass) static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask, BOOL all_machines) { SAM_ACCOUNT *pwd = NULL; - DISP_USER_INFO *pwd_array = NULL; + SAM_ACCOUNT *pwd_array = NULL; NTSTATUS nt_status = NT_STATUS_OK; TALLOC_CTX *mem_ctx = info->mem_ctx; @@ -254,8 +255,8 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask, BOO if (info->disp_info.num_user_account % MAX_SAM_ENTRIES == 0) { DEBUG(10,("load_sampwd_entries: allocating more memory\n")); - pwd_array=(DISP_USER_INFO *)talloc_realloc(mem_ctx, info->disp_info.disp_user_info, - (info->disp_info.num_user_account+MAX_SAM_ENTRIES)*sizeof(DISP_USER_INFO)); + pwd_array=(SAM_ACCOUNT *)talloc_realloc(mem_ctx, info->disp_info.disp_user_info, + (info->disp_info.num_user_account+MAX_SAM_ENTRIES)*sizeof(SAM_ACCOUNT)); if (pwd_array==NULL) return NT_STATUS_NO_MEMORY; @@ -263,8 +264,8 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask, BOO info->disp_info.disp_user_info=pwd_array; } - /* link the SAM_ACCOUNT to the array */ - info->disp_info.disp_user_info[info->disp_info.num_user_account].sam=pwd; + /* Copy the SAM_ACCOUNT into the array */ + info->disp_info.disp_user_info[info->disp_info.num_user_account]=*pwd; DEBUG(10,("load_sampwd_entries: entry: %d\n", info->disp_info.num_user_account)); @@ -287,7 +288,7 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask, BOO static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) { GROUP_MAP *map=NULL; - DISP_GROUP_INFO *grp_array = NULL; + DOMAIN_GRP *grp_array = NULL; uint32 group_entries = 0; uint32 i; TALLOC_CTX *mem_ctx = info->mem_ctx; 
@@ -312,8 +313,7 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) info->disp_info.num_group_account=group_entries; - grp_array=(DISP_GROUP_INFO *)talloc(mem_ctx, info->disp_info.num_group_account*sizeof(DISP_GROUP_INFO)); - + grp_array=(DOMAIN_GRP *)talloc(mem_ctx, info->disp_info.num_group_account*sizeof(DOMAIN_GRP)); if (group_entries!=0 && grp_array==NULL) { DEBUG(1, ("load_group_domain_entries: talloc() failed for grp_array!\n")); SAFE_FREE(map); @@ -323,13 +323,10 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) info->disp_info.disp_group_info=grp_array; for (i=0; iname, map[i].nt_name); - fstrcpy(grp_array[i].grp->comment, map[i].comment); - sid_split_rid(&map[i].sid, &grp_array[i].grp->rid); - grp_array[i].grp->attr=SID_NAME_DOM_GRP; + fstrcpy(grp_array[i].name, map[i].nt_name); + fstrcpy(grp_array[i].comment, map[i].comment); + sid_split_rid(&map[i].sid, &grp_array[i].rid); + grp_array[i].attr=SID_NAME_DOM_GRP; } SAFE_FREE(map); @@ -690,7 +687,7 @@ makes a SAM_ENTRY / UNISTR2* structure from a user list. ********************************************************************/ static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR2 **uni_name_pp, - uint32 num_entries, uint32 start_idx, DISP_USER_INFO *disp_user_info, + uint32 num_entries, uint32 start_idx, SAM_ACCOUNT *disp_user_info, DOM_SID *domain_sid) { uint32 i; @@ -720,7 +717,7 @@ static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UN } for (i = 0; i < num_entries; i++) { - pwd = disp_user_info[i+start_idx].sam; + pwd = &disp_user_info[i+start_idx]; temp_name = pdb_get_username(pwd); init_unistr2(&uni_temp_name, temp_name, strlen(temp_name)+1); user_sid = pdb_get_user_sid(pwd); -- cgit From 16ff7b26f6b9d288cbd1d39e075b637e24da13a6 Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Wed, 9 Jul 2003 16:44:47 +0000 Subject: Large set of changes to add UNIX account/group management to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6) --- source3/rpc_server/srv_samr_nt.c | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e43cf4f759..dfa3a8b62e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2259,17 +2259,13 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ */ DEBUG(10,("checking account %s at pos %d for $ termination\n",account, strlen(account)-1)); -#if 0 - if ((acb_info & ACB_WSTRUST) && (account[strlen(account)-1] == '$')) { - pstrcpy(add_script, lp_addmachine_script()); - } else if ((!(acb_info & ACB_WSTRUST)) && (account[strlen(account)-1] != '$')) { - pstrcpy(add_script, lp_adduser_script()); - } else { - DEBUG(0, ("_api_samr_create_user: mismatch between trust flags and $ termination\n")); - pdb_free_sam(&sam_pass); - return NT_STATUS_UNSUCCESSFUL; - } -#endif + + /* + * we used to have code here that made sure the acb_info flags + * matched with the users named (e.g. an account flags as a machine + * trust account ended in '$'). It has been ifdef'd out for a long + * time, so I replaced it with this comment. --jerry + */ /* the passdb lookup has failed; check to see if we need to run the add user/machine script */ 
@@ -2295,11 +2291,17 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ add_ret = smbrun(add_script,NULL); DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); } + else /* no add user script -- ask winbindd to do it */ + { + if ( !winbind_create_user( account ) ) + DEBUG(3,("_api_samr_create_user: winbind_create_user(%s) failed\n", account)); + } } - nt_status = pdb_init_sam_new(&sam_pass, account); - if (!NT_STATUS_IS_OK(nt_status)) + /* implicit call to getpwnam() next */ + + if ( !NT_STATUS_IS_OK(nt_status = pdb_init_sam_new(&sam_pass, account)) ) return nt_status; pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED); -- cgit From 03d5867d529f126da368ebda70bf2d997aa602e0 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 11 Jul 2003 05:33:40 +0000 Subject: moving more code around. * move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d) --- source3/rpc_server/srv_samr_nt.c | 35 +++++++++++++++++++++++++++++++---- 1 file changed, 31 insertions(+), 4 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index dfa3a8b62e..9324fd4765 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
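Review bot: Both creation paths can fail silently here: the exit status of `smbrun(add_script,NULL)` and a false return from `winbind_create_user()` are only written at debug level 3, and control then falls through to `pdb_init_sam_new()`. The added comment `implicit call to getpwnam() next` hints that the missing Unix account is caught there, but it does not say so. If that is the intent, spell it out, e.g. `/* pdb_init_sam_new() looks the account up again and is expected to fail if neither the script nor winbindd created it */`, and consider raising the failure messages to a level an administrator will see. The function continues outside this hunk.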
@@ -2204,6 +2204,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ uint32 acc_granted; SEC_DESC *psd; size_t sd_size; + uint32 new_rid = 0; /* check this, when giving away 'add computer to domain' privs */ uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS; @@ -2272,6 +2273,17 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ pw = Get_Pwnam(account); + /********************************************************************* + * HEADS UP! If we have to create a new user account, we have to get + * a new RID from somewhere. This used to be done by the passdb + * backend. It has been moved into idmap now. Since idmap is now + * wrapped up behind winbind, this means you have to run winbindd if you + * want new accounts to get a new RID when "enable rid algorithm = no". + * Tough. We now have a uniform way of allocating RIDs regardless + * of what ever passdb backend people may use. + * --jerry (2003-07-10) + *********************************************************************/ + if ( !pw ) { /* * we can't check both the ending $ and the acb_info. @@ -2293,15 +2305,17 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ } else /* no add user script -- ask winbindd to do it */ { - if ( !winbind_create_user( account ) ) - DEBUG(3,("_api_samr_create_user: winbind_create_user(%s) failed\n", account)); + if ( !winbind_create_user( account, &new_rid ) ) { + DEBUG(3,("_api_samr_create_user: winbind_create_user(%s) failed\n", + account)); + } } } - /* implicit call to getpwnam() next */ + /* implicit call to getpwnam() next. we have a valid SID coming out of this call */ - if ( !NT_STATUS_IS_OK(nt_status = pdb_init_sam_new(&sam_pass, account)) ) + if ( !NT_STATUS_IS_OK(nt_status = pdb_init_sam_new(&sam_pass, account, new_rid)) ) return nt_status; pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED); 
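Review bot: `new_rid` is still 0 when it reaches `pdb_init_sam_new(&sam_pass, account, new_rid)` in two cases visible in the last hunk: the add-script branch never sets it (the commit message acknowledges this), and a failed `winbind_create_user()` is only logged. The new comment `we have a valid SID coming out of this call` therefore depends on how pdb_init_sam_new() treats a zero RID, which is not shown here. Please record that contract next to the call, e.g. `/* new_rid == 0: no RID was allocated by winbindd; pdb_init_sam_new() must allocate or fail */`, or return an error when winbindd was the only creation path and it failed.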
@@ -3711,12 +3725,25 @@ static int smb_delete_user(const char *unix_user) pstring del_script; int ret; + /* try winbindd first since it is impossible to determine where + a user came from via NSS. Try the delete user script if this fails + meaning the user did not exist in winbindd's list of accounts */ + + if ( winbind_delete_user( unix_user ) ) { + DEBUG(3,("winbind_delete_user: removed user (%s)\n", unix_user)); + return 0; + } + + + /* fall back to 'delete user script' */ + pstrcpy(del_script, lp_deluser_script()); if (! *del_script) return -1; all_string_sub(del_script, "%u", unix_user, sizeof(pstring)); ret = smbrun(del_script,NULL); DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret)); + return ret; } -- cgit From c9bc4b27b71f6baaa9dde1722061f3d59d8554bc Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 22 Jul 2003 06:52:39 +0000 Subject: Another round of uid/gid/pid format string changes I missed the first time. (This used to be commit 6616485dbad74dab7506609c6bfd183fc9c1f93c) --- source3/rpc_server/srv_samr_nt.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 9324fd4765..99970197c7 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2761,8 +2761,9 @@ static BOOL set_unix_primary_group(SAM_ACCOUNT *sampass) grp = getgrgid(gid); if (grp == NULL) { - DEBUG(2,("Could not find primary group %d for " - "user %s\n", gid, pdb_get_username(sampass))); + DEBUG(2,("Could not find primary group %lu for " + "user %s\n", (unsigned long)gid, + pdb_get_username(sampass))); return False; } -- cgit From 77373f1f8e3b2f61e9bbcd9fadfb83257d390cf2 Mon Sep 17 00:00:00 2001 
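Review bot: The new success message in smb_delete_user() is tagged `winbind_delete_user:` while the script path a few lines below logs as `smb_delete_user:`, so the two deletion paths will not line up when someone audits which mechanism removed an account. Suggest `DEBUG(3,("smb_delete_user: winbindd removed user (%s)\n", unix_user));`. Separately, `unix_user` is substituted into `del_script` and handed to `smbrun()`, so the fallback path relies on all_string_sub() to neutralise shell metacharacters; that helper is outside the hunk and the dependency deserves a one-line comment at the call.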
From: Tim Potter Date: Thu, 24 Jul 2003 23:46:27 +0000 Subject: More printf fixes - size_t is long on some architectures. (This used to be commit ba4d334b822248d8ab929c9568533431603d967e) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 99970197c7..d7238463f6 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2259,7 +2259,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ * now have some sainity-checking to match. */ - DEBUG(10,("checking account %s at pos %d for $ termination\n",account, strlen(account)-1)); + DEBUG(10,("checking account %s at pos %l for $ termination\n",account, strlen(account)-1)); /* * we used to have code here that made sure the acb_info flags -- cgit From 7d833de662b83f026b54a236588da27dd8899630 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 25 Jul 2003 04:24:40 +0000 Subject: More printf portability fixes. Got caught out by some gcc'isms last time. )-: (This used to be commit 59dae1da66a5eb7e128263bd578f167d8746e9f0) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d7238463f6..2f7101fcc2 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2259,7 +2259,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ * now have some sainity-checking to match. */ - DEBUG(10,("checking account %s at pos %l for $ termination\n",account, strlen(account)-1)); + DEBUG(10,("checking account %s at pos %lu for $ termination\n",account, (unsigned long)strlen(account)-1)); /* * we used to have code here that made sure the acb_info flags -- cgit 
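Review bot: `%l` in the new format string `at pos %l for $ termination` is a length modifier with no conversion specifier, so this DEBUG call has undefined behaviour once level 10 logging is enabled, and the argument is still a `size_t`. It should be `%lu` with the argument cast, `(unsigned long)strlen(account)-1`, which is what the following commit on this page changes it to. In both versions `strlen(account)-1` wraps to a very large value if `account` is empty; that is harmless in a log line, but an explicit empty-name check earlier in the function (outside these hunks) would make the intent clear.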
From ba12e6bb5fcfbf4bdba8f2c38978d38e1f857286 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 31 Jul 2003 01:33:44 +0000 Subject: Wrap calls to change_oem_password() in become_root()/unbecome_root() pairs to allow UNIX password change scripts to work correctly. This is safe as the old password has been checked as correct before invoking this. Jeremy. (This used to be commit 1734d43eb55561d46a6ffb5d806afedfd3746f9f) --- source3/rpc_server/srv_samr_nt.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 2f7101fcc2..ea014d7ce0 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1517,17 +1517,17 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_CHGPASSWD_USER *r_u) { - fstring user_name; - fstring wks; + fstring user_name; + fstring wks; - DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__)); + DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__)); - r_u->status = NT_STATUS_OK; + r_u->status = NT_STATUS_OK; - rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0); - rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len*2,0); + rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0); + rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len*2,0); - DEBUG(5,("samr_chgpasswd_user: user: %s wks: %s\n", user_name, wks)); + DEBUG(5,("samr_chgpasswd_user: user: %s wks: %s\n", user_name, wks)); /* * Pass the user through the NT -> unix user mapping 
@@ -1541,14 +1541,14 @@ NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_ * is case insensitive. */ - r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash, - q_u->nt_newpass.pass, q_u->nt_oldhash.hash); + r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash, + q_u->nt_newpass.pass, q_u->nt_oldhash.hash); - init_samr_r_chgpasswd_user(r_u, r_u->status); + init_samr_r_chgpasswd_user(r_u, r_u->status); - DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__)); + DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__)); - return r_u->status; + return r_u->status; } /******************************************************************* -- cgit From f210ee9b99b3b6ac0234680f1af83fd783ef9af4 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Fri, 1 Aug 2003 14:47:39 +0000 Subject: Fix copyright statements for various pieces of Anthony Liguori's work. (This used to be commit 15d2bc47854df75f8b2644ccbc887d0357d9cd27) --- source3/rpc_server/srv_samr_nt.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index ea014d7ce0..ce586622e5 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -7,7 +7,6 @@ * Copyright (C) Marc Jacobsen 1999, * Copyright (C) Jeremy Allison 2001-2002, * Copyright (C) Jean François Micouleau 1998-2001, - * Copyright (C) Anthony Liguori 2002, * Copyright (C) Jim McDonough 2002. * * This program is free software; you can redistribute it and/or modify -- cgit From 8c64504f7c58b05769ec1014242c15a2eb93ca84 Mon Sep 17 00:00:00 2001 
From: Jim McDonough Date: Fri, 1 Aug 2003 15:30:44 +0000 Subject: Update my copyrights according to my agreement with IBM (This used to be commit a2bd8f0bfa12f2a1e33c96bc9dabcc0e2171700d) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index ce586622e5..14aad5d6f8 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -7,7 +7,7 @@ * Copyright (C) Marc Jacobsen 1999, * Copyright (C) Jeremy Allison 2001-2002, * Copyright (C) Jean François Micouleau 1998-2001, - * Copyright (C) Jim McDonough 2002. + * Copyright (C) Jim McDonough 2002. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by -- cgit From 998ded9155ce22008a4563d678dfb2a4d1385726 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 13 Aug 2003 03:59:41 +0000 Subject: fix bug #286. Fixed by storing the access requested on the anonymous samr connect. Restricted this to enum_domain|open_domain. Added become/unbecome_root() around pdb_enum_group_mapping() enum domain groups samr call. (This used to be commit 36fc199e5f573fea9b7e2c1cf01ad42744a42f08) --- source3/rpc_server/srv_samr_nt.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 14aad5d6f8..5f44acc962 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1013,8 +1013,13 @@ static NTSTATUS get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DO *p_num_entries = 0; + /* access checks for the users were performed higher up. become/unbecome_root() + needed for some passdb backends to enumerate groups */ + + become_root(); pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED); - + unbecome_root(); + num_entries=group_entries-start_idx; /* limit the number of entries */ @@ -2369,6 +2374,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CONNECT_ANON *r_u) { struct samr_info *info = NULL; + uint32 des_access = q_u->access_mask; /* Access check */ @@ -2386,6 +2392,13 @@ NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CO if ((info = get_samr_info_by_sid(NULL)) == NULL) return NT_STATUS_NO_MEMORY; + /* don't give away the farm but this is probably ok. The SA_RIGHT_SAM_ENUM_DOMAINS + was observed from a win98 client trying to enumerate users (when configured + user level access control on shares) --jerry */ + + se_map_generic( &des_access, &sam_generic_mapping ); + info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN); + info->status = q_u->unknown_0; /* get a (unique) handle. open a policy on it. */ @@ -2510,7 +2523,9 @@ NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_ if (!find_policy_by_hnd(p, &q_u->connect_pol, (void**)&info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_lookup_domain"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, + SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_lookup_domain"))) + { return r_u->status; } -- cgit From 062f89bc2833bf49f873a7fd5c2624babd702db0 Mon Sep 17 00:00:00 2001 
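Review bot: The return value of `pdb_enum_group_mapping()` is ignored in get_group_domain_entries, so a backend failure looks the same as an empty list and `map` and `group_entries` are used as they are. Capture the result before `unbecome_root()` and return an error status on failure, the way the later `ret = pdb_getgrgid(...)` hunk on this page does. The next context line, `num_entries=group_entries-start_idx;`, has no visible guard for `start_idx` larger than `group_entries`; confirm the limit check that follows, outside this hunk, covers a wrapped value. The same unchecked call is wrapped in `become_root()` in get_group_alias_entries in a later commit on this page.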
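Review bot: `info->acc_granted` for an anonymous connection is now whatever the client requested, limited to `SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN`, so any unauthenticated caller that reaches this point obtains both rights simply by asking. The `/* Access check */` block that decides who gets this far is outside the hunk, and the new comment (`probably ok`) does not say which setting an administrator uses to switch anonymous SAMR access off. Please name that control in the comment and state that the mask is a deliberate ceiling, e.g. `/* ceiling for anonymous handles: enumerate/open domain only; do not widen without review */`.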
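Review bot: The right required by _samr_lookup_domain changes from `SA_RIGHT_SAM_OPEN_DOMAIN` to `SA_RIGHT_SAM_ENUM_DOMAINS` with no comment, and the commit message only talks about what the anonymous connect is granted. Since the anonymous handle receives both bits in the earlier hunk, the switch is not obviously needed for the bug being fixed, and it changes which authenticated handles may look a domain up. A why-comment above the check would settle it, for example `/* lookup is permitted to any handle that may enumerate domains (bug #286) */` if that is the intent.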
From: Herb Lewis Date: Fri, 15 Aug 2003 01:42:30 +0000 Subject: get rid of some sompiler warnings on IRIX (This used to be commit a6a39c61e8228c8b3b7552ab3c61ec3a6a639143) --- source3/rpc_server/srv_samr_nt.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 5f44acc962..a338b5eb4d 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -913,7 +913,6 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM } else if (sid_equal(sid, get_global_sam_sid()) && !lp_hide_local_users()) { struct sys_grent *glist; struct sys_grent *grp; - struct passwd *pw; gid_t winbind_gid_low, winbind_gid_high; BOOL winbind_groups_exist = lp_idmap_gid(&winbind_gid_low, &winbind_gid_high); @@ -952,7 +951,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM /* Don't return user private groups... */ - if ((pw = Get_Pwnam(smap.nt_name)) != 0) { + if (Get_Pwnam(smap.nt_name) != 0) { DEBUG(10,("get_group_alias_entries: not returing %s, clashes with user.\n", smap.nt_name )); continue; } @@ -2145,7 +2144,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA num_users, num_groups, num_aliases); break; case 0x03: - account_policy_get(AP_TIME_TO_LOGOUT, (int *)&u_logout); + account_policy_get(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout); unix_to_nt_time_abs(&nt_logout, u_logout); init_unk_info3(&ctr->info.inf3, nt_logout); -- cgit From 65409a49feb83c48043b980c7cda79149e2d837b Mon Sep 17 00:00:00 2001 
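Review bot: The cast `(unsigned int *)&u_logout` in the `case 0x03` branch silences the IRIX warning but still writes through a pointer of a different type than `u_logout` was declared with (the declaration is outside the hunk). If `u_logout` is wider than `unsigned int`, for instance a 64-bit `time_t`, only part of it is written and the value passed to `unix_to_nt_time_abs()` is partly uninitialised. A typed temporary avoids that: `unsigned int logout_secs = 0; account_policy_get(AP_TIME_TO_LOGOUT, &logout_secs); u_logout = logout_secs;`. The return value of `account_policy_get()` is also ignored here.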
From: Gerald Carter Date: Wed, 20 Aug 2003 16:07:19 +0000 Subject: Fix bug #252. Implement missing SAMR_REMOVE_USER_FOREIGN_DOMAIN call. (This used to be commit dd2cf4897ec3db25c24a2724ffdef4f905625f6a) --- source3/rpc_server/srv_samr_nt.c | 74 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 69 insertions(+), 5 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index a338b5eb4d..a14c6cd7e8 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -8,6 +8,7 @@ * Copyright (C) Jeremy Allison 2001-2002, * Copyright (C) Jean François Micouleau 1998-2001, * Copyright (C) Jim McDonough 2002. + * Copyright (C) Gerald (Jerry) Carter 2003. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -3787,7 +3788,8 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM /* check if the user exists before trying to delete */ pdb_init_sam(&sam_pass); if(!pdb_getsampwsid(sam_pass, &user_sid)) { - DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n", pdb_get_username(sam_pass))); + DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n", + sid_string_static(&user_sid))); pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; } 
@@ -4283,13 +4285,75 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G } /********************************************************************* - _samr_unknown_2d + _samr_remove_user_foreign_domain *********************************************************************/ -NTSTATUS _samr_unknown_2d(pipes_struct *p, SAMR_Q_UNKNOWN_2D *q_u, SAMR_R_UNKNOWN_2D *r_u) +NTSTATUS _samr_remove_user_foreign_domain(pipes_struct *p, + SAMR_Q_REMOVE_USER_FOREIGN_DOMAIN *q_u, + SAMR_R_REMOVE_USER_FOREIGN_DOMAIN *r_u) { - DEBUG(0,("_samr_unknown_2d: Not yet implemented.\n")); - return NT_STATUS_NOT_IMPLEMENTED; + DOM_SID user_sid, dom_sid; + SAM_ACCOUNT *sam_pass=NULL; + uint32 acc_granted; + + sid_copy( &user_sid, &q_u->sid.sid ); + + DEBUG(5,("_samr_remove_user_foreign_domain: removing user [%s]\n", + sid_string_static(&user_sid))); + + /* Find the policy handle. Open a policy on it. */ + + if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted)) + return NT_STATUS_INVALID_HANDLE; + + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, + STD_RIGHT_DELETE_ACCESS, "_samr_remove_user_foreign_domain"))) + { + return r_u->status; + } + + if ( !sid_check_is_in_our_domain(&user_sid) ) { + DEBUG(5,("_samr_remove_user_foreign_domain: user not is our domain!\n")); + return NT_STATUS_NO_SUCH_USER; + } + + /* check if the user exists before trying to delete */ + + pdb_init_sam(&sam_pass); + + if ( !pdb_getsampwsid(sam_pass, &user_sid) ) { + + DEBUG(5,("_samr_remove_user_foreign_domain:User %s doesn't exist.\n", + sid_string_static(&user_sid))); + + pdb_free_sam(&sam_pass); + + return NT_STATUS_NO_SUCH_USER; + } + + /* + * delete the unix side + * + * note: we don't check if the delete really happened + * as the script is not necessary present + * and maybe the sysadmin doesn't want to delete the unix side + */ + + smb_delete_user(pdb_get_username(sam_pass)); + + /* and delete the samba side */ + + if ( 
!pdb_delete_sam_account(sam_pass) ) { + + DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", pdb_get_username(sam_pass))); + pdb_free_sam(&sam_pass); + + return NT_STATUS_CANNOT_DELETE; + } + + pdb_free_sam(&sam_pass); + + return NT_STATUS_OK; } /******************************************************************* -- cgit From 2f70d0d9a732556fd7616ec5c8e1fd777310c99e Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 27 Aug 2003 20:50:24 +0000 Subject: renaming some functions for consistency (This used to be commit f4ca4aae8ad0496b76c710cf79c791724bdaa4ec) --- source3/rpc_server/srv_samr_nt.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index a14c6cd7e8..7f7b5e8d5e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1664,10 +1664,10 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK } /******************************************************************* - _api_samr_open_user. Safe - gives out no passwd info. + _samr_open_user. Safe - gives out no passwd info. ********************************************************************/ -NTSTATUS _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USER *r_u) +NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USER *r_u) { SAM_ACCOUNT *sampass=NULL; DOM_SID sid; 
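Review bot: _samr_remove_user_foreign_domain deletes the whole account, `smb_delete_user()` for the Unix side and then `pdb_delete_sam_account()`, on the strength of a domain handle carrying `STD_RIGHT_DELETE_ACCESS`; no per-user handle or per-user access check is involved in the visible code. The call name suggests dropping a reference to a SID rather than destroying an account, so please confirm against real client behaviour that a full delete is what this opnum should do, and say so in the banner comment. The failure message is copied from the sibling and is tagged `_samr_delete_dom_user:`; it should read `_samr_remove_user_foreign_domain: Failed to delete entry for user %s.`. The earlier message `user not is our domain!` should be `user is not in our domain!`.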
@@ -2186,12 +2186,12 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA } /******************************************************************* - _api_samr_create_user + _samr_create_user Create an account, can be either a normal user or a machine. This funcion will need to be updated for bdc/domain trusts. ********************************************************************/ -NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREATE_USER *r_u) +NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREATE_USER *r_u) { SAM_ACCOUNT *sam_pass=NULL; fstring account; @@ -2305,12 +2305,12 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ int add_ret; all_string_sub(add_script, "%u", account, sizeof(account)); add_ret = smbrun(add_script,NULL); - DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); + DEBUG(3,("_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); } else /* no add user script -- ask winbindd to do it */ { if ( !winbind_create_user( account, &new_rid ) ) { - DEBUG(3,("_api_samr_create_user: winbind_create_user(%s) failed\n", + DEBUG(3,("_samr_create_user: winbind_create_user(%s) failed\n", account)); } } @@ -2620,7 +2620,7 @@ NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_EN api_samr_open_alias ********************************************************************/ -NTSTATUS _api_samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_ALIAS *r_u) +NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_ALIAS *r_u) { DOM_SID sid; POLICY_HND domain_pol = q_u->dom_pol; -- cgit From 0d9410f61d5482e8dfd51dcf89dda44e125336fb Mon Sep 17 00:00:00 2001 
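Review bot: In the `@@ -2305` hunk the context line `all_string_sub(add_script, "%u", account, sizeof(account));` passes the size of `account` (an `fstring`, per the declaration in the first hunk) as the length limit for `add_script`. smb_delete_user() on this page passes `sizeof(pstring)` for the equivalent call, and `add_script` was filled with `pstrcpy()` in the earlier revision shown above, so the limit looks like it was meant to be the size of the script buffer. The smaller value is not an overflow, but it caps the substituted command well below the buffer size. Since the rename touches these lines anyway, `all_string_sub(add_script, "%u", account, sizeof(add_script));` would fix it, assuming `add_script` is an array and not a pointer.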
From: Jeremy Allison Date: Mon, 15 Sep 2003 03:36:04 +0000 Subject: Patch from Gregory Hinton Nietsky , ensure the desired access is read from the incoming RPC request. Jeremy. (This used to be commit fdc5dda44f0190af4e4b0782cb2c5c7de3506d12) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 7f7b5e8d5e..261d641ab1 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4236,7 +4236,7 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G struct samr_info *info; SEC_DESC *psd = NULL; uint32 acc_granted; - uint32 des_access; + uint32 des_access = q_u->access_mask; size_t sd_size; NTSTATUS status; fstring sid_string; -- cgit From 0551426657167c676f1b88443602f9268d21784e Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 19 Sep 2003 21:57:43 +0000 Subject: Ensure that dup_sec_desc copies the 'type' field correctly. This caused me to expose a type arguement to make_sec_desc(). We weren't copying the SE_DESC_DACL_AUTO_INHERITED flag which could cause errors on auto inherited checks. Jeremy. (This used to be commit 28b315a7501f42928d73efaa75f74146ba95cf2d) --- source3/rpc_server/srv_samr_nt.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 261d641ab1..828e07c1ad 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -467,7 +467,7 @@ static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL) return NT_STATUS_NO_MEMORY; - if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, NULL, NULL, NULL, psa, sd_size)) == NULL) + if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL) return NT_STATUS_NO_MEMORY; return NT_STATUS_OK; @@ -510,7 +510,7 @@ static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 4, ace)) == NULL) return NT_STATUS_NO_MEMORY; - if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, NULL, NULL, NULL, psa, sd_size)) == NULL) + if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL) return NT_STATUS_NO_MEMORY; return NT_STATUS_OK; @@ -549,7 +549,7 @@ static NTSTATUS samr_make_grp_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL) return NT_STATUS_NO_MEMORY; - if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, NULL, NULL, NULL, psa, sd_size)) == NULL) + if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL) return NT_STATUS_NO_MEMORY; return NT_STATUS_OK; @@ -588,7 +588,7 @@ static NTSTATUS samr_make_ali_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL) return NT_STATUS_NO_MEMORY; - if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, NULL, NULL, NULL, psa, sd_size)) == NULL) + if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL) return NT_STATUS_NO_MEMORY; return NT_STATUS_OK; -- cgit From d3b9384308e4b5130c9455b853edc4702d7af303 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Thu, 25 Sep 2003 21:26:16 +0000 Subject: Fix for #480. Change the interface for init_unistr2 to not take a length but a flags field. We were assuming that 2*strlen(mb_string) == length of ucs2-le string. This is not the case. Count it after conversion. Jeremy. (This used to be commit f82c273a42f930c7152cfab84394781744815e0e) --- source3/rpc_server/srv_samr_nt.c | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 828e07c1ad..71e5bc7d70 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -719,7 +719,7 @@ static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UN for (i = 0; i < num_entries; i++) { pwd = &disp_user_info[i+start_idx]; temp_name = pdb_get_username(pwd); - init_unistr2(&uni_temp_name, temp_name, strlen(temp_name)+1); + init_unistr2(&uni_temp_name, temp_name, UNI_STR_TERMINATE); user_sid = pdb_get_user_sid(pwd); if (!sid_peek_check_rid(domain_sid, user_sid, &user_rid)) { @@ -731,7 +731,7 @@ static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UN return NT_STATUS_UNSUCCESSFUL; } - init_sam_entry(&sam[i], uni_temp_name.uni_str_len, user_rid); + init_sam_entry(&sam[i], &uni_temp_name, user_rid); copy_unistr2(&uni_name[i], &uni_temp_name); } @@ -865,10 +865,8 @@ static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNIST /* * JRA. I think this should include the null. TNG does not. */ - int len = strlen(grp[i].name)+1; - - init_sam_entry(&sam[i], len, grp[i].rid); - init_unistr2(&uni_name[i], grp[i].name, len); + init_unistr2(&uni_name[i], grp[i].name, UNI_STR_TERMINATE); + init_sam_entry(&sam[i], &uni_name[i], grp[i].rid); } *sam_pp = sam; 
@@ -1580,10 +1578,9 @@ static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, fstring nam } for (i = 0; i < num_names; i++) { - int len = names[i] != NULL ? strlen(names[i]) : 0; - DEBUG(10, ("names[%d]:%s\n", i, names[i])); - init_uni_hdr(&hdr_name[i], len); - init_unistr2(&uni_name[i], names[i], len); + DEBUG(10, ("names[%d]:%s\n", i, names[i] ? names[i] : "")); + init_unistr2(&uni_name[i], names[i], UNI_FLAGS_NONE); + init_uni_hdr(&hdr_name[i], &uni_name[i]); } *pp_uni_name = uni_name; @@ -2570,10 +2567,8 @@ static BOOL make_enum_domains(TALLOC_CTX *ctx, SAM_ENTRY **pp_sam, return False; for (i = 0; i < num_sam_entries; i++) { - int len = doms[i] != NULL ? strlen(doms[i]) : 0; - - init_sam_entry(&sam[i], len, 0); - init_unistr2(&uni_name[i], doms[i], len); + init_unistr2(&uni_name[i], doms[i], UNI_FLAGS_NONE); + init_sam_entry(&sam[i], &uni_name[i], 0); } *pp_sam = sam; -- cgit From 5cfe36d09d1de8c6a82152d4941c1563111f4364 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 7 Nov 2003 18:32:23 +0000 Subject: Handle munged dial string. Patch from Aur?lien Degr?mont with memory leak fixes by me. Jeremy. (This used to be commit e591854eda8568ed1a4ad6b9de64e523c02b4392) --- source3/rpc_server/srv_samr_nt.c | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 71e5bc7d70..446eff9045 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
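Review bot: `names[i]` and, in the make_enum_domains hunk, `doms[i]` are now handed straight to `init_unistr2(..., UNI_FLAGS_NONE)`, whereas the removed lines computed a length of 0 for a NULL entry and never measured it. Both functions therefore depend on init_unistr2() accepting a NULL source string, which is not visible on this page. Please confirm that, or keep an explicit guard such as `init_unistr2(&uni_name[i], doms[i] ? doms[i] : "", UNI_FLAGS_NONE);`. In make_samr_lookup_rids the DEBUG line received that guard but the init_unistr2() call right after it did not.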
@@ -2788,6 +2788,38 @@ static BOOL set_unix_primary_group(SAM_ACCOUNT *sampass) } +/******************************************************************* + set_user_info_20 + ********************************************************************/ + +static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, DOM_SID *sid) +{ + SAM_ACCOUNT *pwd = NULL; + + if (id20 == NULL) { + DEBUG(5, ("set_user_info_20: NULL id20\n")); + return False; + } + + pdb_init_sam(&pwd); + + if (!pdb_getsampwsid(pwd, sid)) { + pdb_free_sam(&pwd); + return False; + } + + copy_id20_to_sam_passwd(pwd, id20); + + /* write the change out */ + if(!pdb_update_sam_account(pwd)) { + pdb_free_sam(&pwd); + return False; + } + + pdb_free_sam(&pwd); + + return True; +} /******************************************************************* set_user_info_21 ********************************************************************/ @@ -3091,6 +3123,10 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ if (!set_user_info_21(ctr->info.id21, &sid)) return NT_STATUS_ACCESS_DENIED; break; + case 20: + if (!set_user_info_20(ctr->info.id20, &sid)) + return NT_STATUS_ACCESS_DENIED; + break; case 16: if (!set_user_info_10(ctr->info.id10, &sid)) return NT_STATUS_ACCESS_DENIED; @@ -4537,4 +4573,3 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R return r_u->status; } - -- cgit From 6ebde91c44402f830b5887f11037b6fa625c16bc Mon Sep 17 00:00:00 2001 
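Review bot: set_user_info_20 ignores the result of `pdb_init_sam(&pwd)`, so if that call fails `pwd` is still NULL when it is passed to `pdb_getsampwsid()`. The result of `copy_id20_to_sam_passwd()` is dropped the same way, so a value the helper rejects would still reach `pdb_update_sam_account()`. I would add `if (!NT_STATUS_IS_OK(pdb_init_sam(&pwd))) return False;` and check the copy helper if it reports errors (its prototype is not shown here). The new `case 20:` maps every `False` to `NT_STATUS_ACCESS_DENIED`, matching its siblings, which hides a missing user or a backend failure from whoever reads the client-side error.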
From: Gerald Carter Date: Fri, 7 Nov 2003 23:04:06 +0000 Subject: * only install swat html files once * revert the change that prevent the guest account from being added to a passdb backend since it broke the build farm. * apply patch from Alex Deiter to fix the "smbldap_open: cannot access when not root error" messages when looking up group information (bug 281) (This used to be commit 9b8bf6a950186bd95abe952af4a7d35829b34ff8) --- source3/rpc_server/srv_samr_nt.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 446eff9045..b3e6478c88 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -894,7 +894,9 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM /* well-known aliases */ if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) { + become_root(); pdb_enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED); + unbecome_root(); if (num_entries != 0) { *d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP)); @@ -914,6 +916,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM struct sys_grent *grp; gid_t winbind_gid_low, winbind_gid_high; BOOL winbind_groups_exist = lp_idmap_gid(&winbind_gid_low, &winbind_gid_high); + BOOL ret; /* local aliases */ /* we return the UNIX groups here. This seems to be the right */ @@ -930,7 +933,10 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM for (; (num_entries < max_entries) && (grp != NULL); grp = grp->next) { uint32 trid; - if(!pdb_getgrgid(&smap, grp->gr_gid)) + become_root(); + ret = pdb_getgrgid(&smap, grp->gr_gid); + unbecome_root(); + if( !ret ) continue; if (smap.sid_name_use!=SID_NAME_ALIAS) { 
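Review bot: The `become_root()` / `unbecome_root()` pairs added in get_group_alias_entries, and the ones this commit adds further down in _samr_query_groupinfo and _samr_open_group, carry no comment saying why a group-mapping lookup needs root, unlike the pair added earlier in get_group_domain_entries. A privilege switch should state what it is for and that authorisation has already happened; in these hunks the access check is at best partly visible (`return r_u->status;` just above the call in _samr_query_groupinfo) and otherwise outside the hunk. Suggested comment at each site: `/* passdb backend may need root to read group mappings (bug 281); caller access was checked above */`. Keeping the elevated section to the single lookup call, as done here, is the right shape.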
@@ -4111,6 +4117,7 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM int num_uids=0; GROUP_INFO_CTR *ctr; uint32 acc_granted; + BOOL ret; if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; @@ -4119,7 +4126,10 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM return r_u->status; } - if (!get_domain_group_from_sid(group_sid, &map)) + become_root(); + ret = get_domain_group_from_sid(group_sid, &map); + unbecome_root(); + if (!ret) return NT_STATUS_INVALID_HANDLE; ctr=(GROUP_INFO_CTR *)talloc_zero(p->mem_ctx, sizeof(GROUP_INFO_CTR)); @@ -4271,6 +4281,7 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G size_t sd_size; NTSTATUS status; fstring sid_string; + BOOL ret; if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; @@ -4305,7 +4316,10 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G DEBUG(10, ("_samr_open_group:Opening SID: %s\n", sid_string)); /* check if that group really exists */ - if (!get_domain_group_from_sid(info->sid, &map)) + become_root(); + ret = get_domain_group_from_sid(info->sid, &map); + unbecome_root(); + if (!ret) return NT_STATUS_NO_SUCH_GROUP; /* get a (unique) handle. open a policy on it. */ -- cgit From 4097f5ec8dbca0be7b4310c4b30961c0b6835f69 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 17 Nov 2003 16:06:10 +0000 Subject: * make sure we only enumerate group mapping entries (not /etc/group) even when doing local aliases * remove "hide local users" parameter; we have this behavior built into 3.0 (This used to be commit a7685a069766ac720f0b26fe01b0e17fc388fca3) --- source3/rpc_server/srv_samr_nt.c | 179 ++++++++++----------------------------- 1 file changed, 44 insertions(+), 135 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b3e6478c88..1cfa8b2853 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -875,140 +875,11 @@ static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNIST /******************************************************************* Get the group entries - similar to get_sampwd_entries(). - ********************************************************************/ - -static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, - uint32 *p_num_entries, uint32 max_entries) -{ - fstring sid_str; - uint32 num_entries = 0; - int i; - GROUP_MAP smap; - GROUP_MAP *map = NULL; - - sid_to_string(sid_str, sid); - DEBUG(5, ("get_group_alias_entries: enumerating aliases on SID: %s\n", sid_str)); - - *p_num_entries = 0; - - /* well-known aliases */ - if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) { - - become_root(); - pdb_enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED); - unbecome_root(); - - if (num_entries != 0) { - *d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP)); - if (*d_grp==NULL) - return NT_STATUS_NO_MEMORY; - - for(i=0; inext) { - uint32 trid; - - become_root(); - ret = pdb_getgrgid(&smap, grp->gr_gid); - unbecome_root(); - if( !ret ) - continue; - - if (smap.sid_name_use!=SID_NAME_ALIAS) { - continue; - } - - sid_split_rid(&smap.sid, &trid); - - if (!sid_equal(sid, &smap.sid)) - continue; - - /* Don't return winbind groups as they are not local! */ - if (winbind_groups_exist && (grp->gr_gid >= winbind_gid_low)&&(grp->gr_gid <= winbind_gid_high)) { - DEBUG(10,("get_group_alias_entries: not returing %s, not local.\n", smap.nt_name )); - continue; - } - - /* Don't return user private groups... */ - - if (Get_Pwnam(smap.nt_name) != 0) { - DEBUG(10,("get_group_alias_entries: not returing %s, clashes with user.\n", smap.nt_name )); - continue; - } - - for( i = 0; i < num_entries; i++) - if ( (*d_grp)[i].rid == trid ) - break; - - if ( i < num_entries ) { - continue; /* rid was there, dup! 
*/ - } - - /* JRA - added this for large group db enumeration... */ - - if (start_idx > 0) { - /* skip the requested number of entries. - not very efficient, but hey... - */ - start_idx--; - continue; - } - - *d_grp=talloc_realloc(ctx,*d_grp, (num_entries+1)*sizeof(DOMAIN_GRP)); - if (*d_grp==NULL) { - grent_free(glist); - return NT_STATUS_NO_MEMORY; - } - - fstrcpy((*d_grp)[num_entries].name, smap.nt_name); - (*d_grp)[num_entries].rid = trid; - num_entries++; - DEBUG(10,("get_group_alias_entries: added entry %d, rid:%d\n", num_entries, trid)); - } - - grent_free(glist); - } - - *p_num_entries = num_entries; - - DEBUG(10,("get_group_alias_entries: returning %d entries\n", *p_num_entries)); - - if (num_entries >= max_entries) - return STATUS_MORE_ENTRIES; - return NT_STATUS_OK; -} - -/******************************************************************* - Get the group entries - similar to get_sampwd_entries(). - ********************************************************************/ + ******************************************************************/ -static NTSTATUS get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, - uint32 *p_num_entries, uint32 max_entries) +static NTSTATUS get_group_entries( enum SID_NAME_USE type, TALLOC_CTX *ctx, + DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, + uint32 *p_num_entries, uint32 max_entries ) { GROUP_MAP *map=NULL; int i; @@ -1021,7 +892,7 @@ static NTSTATUS get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DO needed for some passdb backends to enumerate groups */ become_root(); - pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED); + pdb_enum_group_mapping(type, &map, (int *)&group_entries, ENUM_ONLY_MAPPED); unbecome_root(); num_entries=group_entries-start_idx; 
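Review bot: In `get_group_entries`, the context line `num_entries=group_entries-start_idx;` directly after the changed `pdb_enum_group_mapping(type, ...)` call would wrap to a very large count if `start_idx` exceeds the number of mapped groups, assuming both are `uint32` as the `(int *)` cast suggests. The later `map[i+start_idx]` reads would then run past the returned array. The return value of `pdb_enum_group_mapping` is ignored as well, so a failed enumeration is not distinguished from an empty one. Since this function now serves all three group types, I would add `if (start_idx >= group_entries) { SAFE_FREE(map); *p_num_entries = 0; return NT_STATUS_OK; }` before the subtraction. The code between this hunk and the next is not shown, so an existing bound there cannot be ruled out.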
@@ -1042,13 +913,51 @@ static NTSTATUS get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DO fstrcpy((*d_grp)[i].name, map[i+start_idx].nt_name); fstrcpy((*d_grp)[i].comment, map[i+start_idx].comment); sid_split_rid(&map[i+start_idx].sid, &(*d_grp)[i].rid); - (*d_grp)[i].attr=SID_NAME_DOM_GRP; + (*d_grp)[i].attr=type; } SAFE_FREE(map); *p_num_entries = num_entries; + DEBUG(10,("get_group_entries: returning %d entries\n", *p_num_entries)); + + return NT_STATUS_OK; +} + +/******************************************************************* + Wrapper for enuemrating domain groups + ******************************************************************/ + +static NTSTATUS get_group_domain_entries( TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, + DOM_SID *sid, uint32 start_idx, + uint32 *p_num_entries, uint32 max_entries ) +{ + return get_group_entries( SID_NAME_DOM_GRP, ctx, d_grp, sid, start_idx, + p_num_entries, max_entries ); +} + +/******************************************************************* + Wrapper for enumerating local groups + ******************************************************************/ + +static NTSTATUS get_group_alias_entries( TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, + DOM_SID *sid, uint32 start_idx, + uint32 *p_num_entries, uint32 max_entries) +{ + if ( sid_equal(sid, &global_sid_Builtin) ) { + return get_group_entries( SID_NAME_WKN_GRP, ctx, d_grp, + sid, start_idx, p_num_entries, max_entries ); + } + else if ( sid_equal(sid, get_global_sam_sid()) ) { + return get_group_entries( SID_NAME_ALIAS, ctx, d_grp, + sid, start_idx, p_num_entries, max_entries ); + } + + /* can't do anything with this SID */ + + *p_num_entries = 0; + return NT_STATUS_OK; } -- cgit From fcbfc7ad0669009957c65fa61bb20df75a9701b4 Mon Sep 17 00:00:00 2001 
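Review bot: The new `get_group_alias_entries` wrapper returns `NT_STATUS_OK` with `*p_num_entries = 0` for a SID it cannot handle and does not log it, so a caller cannot tell an unsupported domain SID from an empty group list. A `DEBUG(5, ...)` line naming the SID in that branch would help when diagnosing enumeration problems. The removed implementation ended with `if (num_entries >= max_entries) return STATUS_MORE_ENTRIES;`, while the visible tail of `get_group_entries` returns only `NT_STATUS_OK`. If alias enumeration callers relied on that status for paging, it is lost here; the middle of `get_group_entries` is outside the hunk, so this needs confirming.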
From: Andrew Bartlett Date: Sat, 22 Nov 2003 13:19:38 +0000 Subject: Changes all over the shop, but all towards: - NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particularly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challenge' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signing on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. 
- Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc) --- source3/rpc_server/srv_samr_nt.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 1cfa8b2853..1debf90d23 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2953,7 +2953,13 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE break; case 24: - SamOEMhash(ctr->info.id24->pass, p->session_key, 516); + if (p->session_key.length != 16) { + /* we may have no session key at all, + and we don't know how to do the SamOEMhash + for length != 16 */ + return NT_STATUS_NO_USER_SESSION_KEY; + } + SamOEMhash(ctr->info.id24->pass, p->session_key.data, 516); dump_data(100, (char *)ctr->info.id24->pass, 516); @@ -2971,7 +2977,10 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE * info level and W2K SP2 drops down to level 23... JRA. */ - SamOEMhash(ctr->info.id25->pass, p->session_key, 532); + if (p->session_key.length != 16) { + return NT_STATUS_NO_USER_SESSION_KEY; + } + SamOEMhash(ctr->info.id25->pass, p->session_key.data, 532); dump_data(100, (char *)ctr->info.id25->pass, 532); @@ -2982,7 +2991,10 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE return NT_STATUS_INVALID_INFO_CLASS; case 23: - SamOEMhash(ctr->info.id23->pass, p->session_key, 516); + if (p->session_key.length != 16) { + return NT_STATUS_NO_USER_SESSION_KEY; + } + SamOEMhash(ctr->info.id23->pass, p->session_key.data, 516); dump_data(100, (char *)ctr->info.id23->pass, 516); -- cgit From 6b81cc2e0bca79f4aa472cd2b1b90d0c51818612 Mon Sep 17 00:00:00 2001 
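Review bot: In `_samr_set_userinfo` `case 24`, the context line `dump_data(100, (char *)ctr->info.id24->pass, 516);` writes the password buffer to the debug log immediately after `SamOEMhash` has, presumably, decrypted it with the session key. Cases 25 and 23 do the same with their buffers. The new `p->session_key.length != 16` guard is a good addition, but the dump means a server running at a high debug level stores client passwords in its log file. I would drop the three `dump_data` calls, or replace each with a content-free line such as `DEBUG(100, ("_samr_set_userinfo: decoded level 24 password buffer\n"));`. The function body continues outside these hunks.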
From: Andrew Bartlett Date: Sun, 23 Nov 2003 00:04:29 +0000 Subject: Add server-side support for variable-length session keys (as used by DES based krb5 logins). Andrew Bartlett (This used to be commit 240b0d178e1b4a3556207bdf2e342c70155f64ee) --- source3/rpc_server/srv_samr_nt.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 1debf90d23..6cd5da4892 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2953,13 +2953,10 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE break; case 24: - if (p->session_key.length != 16) { - /* we may have no session key at all, - and we don't know how to do the SamOEMhash - for length != 16 */ + if (!p->session_key.length) { return NT_STATUS_NO_USER_SESSION_KEY; } - SamOEMhash(ctr->info.id24->pass, p->session_key.data, 516); + SamOEMhashBlob(ctr->info.id24->pass, 516, &p->session_key); dump_data(100, (char *)ctr->info.id24->pass, 516); @@ -2977,10 +2974,10 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE * info level and W2K SP2 drops down to level 23... JRA. */ - if (p->session_key.length != 16) { + if (!p->session_key.length) { return NT_STATUS_NO_USER_SESSION_KEY; } - SamOEMhash(ctr->info.id25->pass, p->session_key.data, 532); + SamOEMhashBlob(ctr->info.id25->pass, 532, &p->session_key); dump_data(100, (char *)ctr->info.id25->pass, 532); @@ -2991,10 +2988,10 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE return NT_STATUS_INVALID_INFO_CLASS; case 23: - if (p->session_key.length != 16) { + if (!p->session_key.length) { return NT_STATUS_NO_USER_SESSION_KEY; } - SamOEMhash(ctr->info.id23->pass, p->session_key.data, 516); + SamOEMhashBlob(ctr->info.id23->pass, 516, &p->session_key); dump_data(100, (char *)ctr->info.id23->pass, 516); -- cgit 
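Review bot: The relaxed test `if (!p->session_key.length)` in cases 24, 25 and 23 of `_samr_set_userinfo` accepts a session key of any non-zero length, and the comment that explained the old check was removed without a replacement. The commit message names 8-byte keys from DES-based krb5 logins as the motivating case, so the accepted sizes should be stated at the check, for example `/* length 0 means no session key was negotiated; SamOEMhashBlob takes keys of variable length (8 bytes for DES krb5, 16 otherwise) */`. `SamOEMhashBlob` is not shown here, so whether it needs a lower bound on the key length or a NULL check on `p->session_key.data` should be confirmed. The three call sites are now identical apart from buffer and size, which makes a small helper a reasonable follow-up.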
From c39f5fea4ad7b57ee8ad4d2b115163f76753f853 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 24 Nov 2003 17:31:38 +0000 Subject: more access fixes for group enumeration in LDAP; bug 281 (This used to be commit 68283407e0f366d8315f4be6caed67eb6fe84b85) --- source3/rpc_server/srv_samr_nt.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 6cd5da4892..d3da830991 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -292,6 +292,7 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) uint32 group_entries = 0; uint32 i; TALLOC_CTX *mem_ctx = info->mem_ctx; + BOOL ret; DEBUG(10,("load_group_domain_entries\n")); @@ -303,13 +304,14 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) become_root(); - - if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED)) { + ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED); + unbecome_root(); + + if ( !ret ) { DEBUG(1, ("load_group_domain_entries: pdb_enum_group_mapping() failed!\n")); return NT_STATUS_NO_MEMORY; } - unbecome_root(); info->disp_info.num_group_account=group_entries; -- cgit From 89ebcb185d493051394a381f0195baa2a53abc01 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 2 Dec 2003 12:48:15 +0000 Subject: Match Win2k and return 'invalid parameter' for creating of a new account with account flags of 0. Andrew Bartlett (This used to be commit 601120f335b69e5b8a003038dfac00f3f234a5c1) --- source3/rpc_server/srv_samr_nt.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d3da830991..de12a7d5c8 100644 --- a/source3/rpc_server/srv_samr_nt.c 
+++ b/source3/rpc_server/srv_samr_nt.c @@ -2134,6 +2134,12 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA return nt_status; } + if (!acb_info) { + /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if + this parameter is zero (ie, no user type specified) */ + return NT_STATUS_INVALID_PARAMETER; + } + /* find the account: tell the caller if it exists. lkclXXXX i have *no* idea if this is a problem or not or even if you are supposed to construct a different -- cgit From 3d929b1ce67d945979552fe1ea2c70f6d3925326 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 4 Dec 2003 03:35:46 +0000 Subject: * fix RemoveSidForeignDomain() ; bug 252 * don't fall back to unmapped UNIX group for get_local_group_from_sid() * remove an extra become/unbecome_root() pair from group enumeration (This used to be commit da12bbdb0dd9179b1ed457fa009679e2da4a8440) --- source3/rpc_server/srv_samr_nt.c | 127 +++++++++++++++++++++++++-------------- 1 file changed, 81 insertions(+), 46 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index de12a7d5c8..7f57a9fc9d 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1384,8 +1384,6 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO DEBUG(5,("_samr_lookup_names: looking name on SID %s\n", sid_to_string(sid_str, &pol_sid))); - become_root(); /* local_lookup_name can require root privs */ - for (i = 0; i < num_rids; i++) { fstring name; DOM_SID sid; @@ -1421,8 +1419,6 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO } } - unbecome_root(); - init_samr_r_lookup_names(p->mem_ctx, r_u, num_rids, rid, (uint32 *)type, r_u->status); DEBUG(5,("_samr_lookup_names: %d\n", __LINE__)); 
@@ -4256,75 +4252,114 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G } /********************************************************************* - _samr_remove_user_foreign_domain + _samr_remove_sid_foreign_domain *********************************************************************/ -NTSTATUS _samr_remove_user_foreign_domain(pipes_struct *p, - SAMR_Q_REMOVE_USER_FOREIGN_DOMAIN *q_u, - SAMR_R_REMOVE_USER_FOREIGN_DOMAIN *r_u) +NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, + SAMR_Q_REMOVE_SID_FOREIGN_DOMAIN *q_u, + SAMR_R_REMOVE_SID_FOREIGN_DOMAIN *r_u) { - DOM_SID user_sid, dom_sid; + DOM_SID delete_sid, alias_sid; SAM_ACCOUNT *sam_pass=NULL; uint32 acc_granted; + GROUP_MAP map; + BOOL is_user = False; + NTSTATUS result; + enum SID_NAME_USE type = SID_NAME_UNKNOWN; - sid_copy( &user_sid, &q_u->sid.sid ); + sid_copy( &delete_sid, &q_u->sid.sid ); - DEBUG(5,("_samr_remove_user_foreign_domain: removing user [%s]\n", - sid_string_static(&user_sid))); + DEBUG(5,("_samr_remove_sid_foreign_domain: removing SID [%s]\n", + sid_string_static(&delete_sid))); /* Find the policy handle. Open a policy on it. 
*/ - if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &alias_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; + + result = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, + "_samr_remove_sid_foreign_domain"); - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, - STD_RIGHT_DELETE_ACCESS, "_samr_remove_user_foreign_domain"))) - { - return r_u->status; - } + if (!NT_STATUS_IS_OK(result)) + return result; + + DEBUG(8, ("_samr_remove_sid_foreign_domain:sid is %s\n", + sid_string_static(&alias_sid))); - if ( !sid_check_is_in_our_domain(&user_sid) ) { - DEBUG(5,("_samr_remove_user_foreign_domain: user not is our domain!\n")); - return NT_STATUS_NO_SUCH_USER; + /* make sure we can handle this */ + + if ( sid_check_is_domain(&alias_sid) ) + type = SID_NAME_DOM_GRP; + else if ( sid_check_is_builtin(&alias_sid) ) + type = SID_NAME_ALIAS; + + if ( type == SID_NAME_UNKNOWN ) { + DEBUG(10, ("_samr_remove_sid_foreign_domain: can't operate on what we don't own!\n")); + return NT_STATUS_OK; } /* check if the user exists before trying to delete */ pdb_init_sam(&sam_pass); - if ( !pdb_getsampwsid(sam_pass, &user_sid) ) { + if ( pdb_getsampwsid(sam_pass, &delete_sid) ) { + is_user = True; + } else { + /* maybe it is a group */ + if( !pdb_getgrsid(&map, delete_sid) ) { + DEBUG(3,("_samr_remove_sid_foreign_domain: %s is not a user or a group!\n", + sid_string_static(&delete_sid))); + result = NT_STATUS_INVALID_SID; + goto done; + } + } - DEBUG(5,("_samr_remove_user_foreign_domain:User %s doesn't exist.\n", - sid_string_static(&user_sid))); - - pdb_free_sam(&sam_pass); + /* we can only delete a user from a group since we don't have + nested groups anyways. 
So in the latter case, just say OK */ + + if ( is_user ) { + GROUP_MAP *mappings = NULL; + uint32 num_groups, i; + struct group *grp2; - return NT_STATUS_NO_SUCH_USER; - } + if ( pdb_enum_group_mapping(type, &mappings, &num_groups, False) && num_groups>0 ) { + + /* interate over the groups */ + for ( i=0; igr_name) ) + continue; + + smb_delete_user_group(grp2->gr_name, pdb_get_username(sam_pass)); + + if ( user_in_unix_group_list(pdb_get_username(sam_pass), grp2->gr_name) ) { + /* should we fail here ? */ + DEBUG(0,("_samr_remove_sid_foreign_domain: Delete user [%s] from group [%s] failed!\n", + pdb_get_username(sam_pass), grp2->gr_name )); + continue; + } + + DEBUG(10,("_samr_remove_sid_foreign_domain: Removed user [%s] from group [%s]!\n", + pdb_get_username(sam_pass), grp2->gr_name )); + } + + SAFE_FREE(mappings); + } } + result = NT_STATUS_OK; +done: + pdb_free_sam(&sam_pass); - return NT_STATUS_OK; + return result; } /******************************************************************* -- cgit From 87fddf6a988dfcdb3f1d3a715df585b6c6efa9d7 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 10 Dec 2003 16:40:17 +0000 Subject: more group lookup access fixes on the neverending bug 281 (This used to be commit 9359a6ea80d1228e87ea825a100a2d289c37162d) --- source3/rpc_server/srv_samr_nt.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 7f57a9fc9d..c84e288a4b 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1246,6 +1246,7 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM DOM_SID sid; GROUP_MAP map; uint32 acc_granted; + BOOL ret; r_u->status = NT_STATUS_OK; 
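Review bot: In `_samr_remove_sid_foreign_domain`, a failed removal is only logged (`DEBUG(0, ... "failed!")`) before `continue`, and `result = NT_STATUS_OK;` is then set unconditionally after the loop. The client is therefore told the SID was removed even when the user is still a member of a group, which the code's own `/* should we fail here ? */` already questions. I would set `result = NT_STATUS_OK;` before the loop and `result = NT_STATUS_ACCESS_DENIED;` in the failure branch, so the status reflects a partial failure. The return value of `pdb_init_sam(&sam_pass)` is also unchecked before `pdb_getsampwsid` uses `sam_pass`. Part of the loop header is missing from this page, so the loop body should be checked against the real file.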
@@ -1262,7 +1263,11 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM !sid_check_is_in_builtin(&sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - if (!pdb_getgrsid(&map, sid)) + become_root(); + ret = pdb_getgrsid(&map, sid); + unbecome_root(); + + if ( !ret ) return NT_STATUS_NO_SUCH_ALIAS; switch (q_u->switch_level) { -- cgit From c763e9548c94cdb526d8e486d1450b70b9d3969e Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 16 Dec 2003 18:35:23 +0000 Subject: make sure we delete the group mapping before calling the delete group script; patch from Jianliang Lu (This used to be commit 19a8dd523a4ee50ba9066efd60a29cf3ba9ae419) --- source3/rpc_server/srv_samr_nt.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c84e288a4b..4d4dfed47c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3827,6 +3827,10 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S if ( (grp=getgrgid(gid)) == NULL) return NT_STATUS_NO_SUCH_GROUP; + /* delete mapping first */ + if(!pdb_delete_group_mapping_entry(group_sid)) + return NT_STATUS_ACCESS_DENIED; + /* we can delete the UNIX group */ smb_delete_group(grp->gr_name); @@ -3834,8 +3838,6 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S if ( (grp=getgrgid(gid)) != NULL) return NT_STATUS_ACCESS_DENIED; - if(!pdb_delete_group_mapping_entry(group_sid)) - return NT_STATUS_ACCESS_DENIED; if (!close_policy_hnd(p, &q_u->group_pol)) return NT_STATUS_OBJECT_NAME_INVALID; -- cgit From b4593e92ff75f006982d7f49337a0a94f44d4218 Mon Sep 17 00:00:00 2001 
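Review bot: In `_samr_delete_dom_group`, `pdb_delete_group_mapping_entry(group_sid)` now runs before `smb_delete_group(grp->gr_name)`, so the later `getgrgid(gid) != NULL` path returns `NT_STATUS_ACCESS_DENIED` after the mapping has already been removed. That leaves a UNIX group with no mapping while the client is told the delete failed, and nothing is logged. At minimum, that branch should log the state, e.g. `DEBUG(0, ("_samr_delete_dom_group: mapping removed but UNIX group %s still exists\n", grp->gr_name));`. A comment at the new call should explain why the mapping must be removed first. The function starts and ends outside these hunks.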
From: Andrew Bartlett Date: Fri, 2 Jan 2004 05:32:07 +0000 Subject: JHT came up with a nasty (broken) torture case in preparing examples for his book. This prompted me to look at the code that reads the unix group list. This code did a lot of name -> uid -> name -> sid translations, which caused problems. Instead, we now do just name->sid I also cleaned up some interfaces, and client tools. Andrew Bartlett (This used to be commit f9e59f8bc06fae7e5c8cb0980947f78942dc25c0) --- source3/rpc_server/srv_samr_nt.c | 149 +++++++++++++-------------------------- 1 file changed, 50 insertions(+), 99 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 4d4dfed47c..be5f197198 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3176,18 +3176,15 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ int i; GROUP_MAP map; - int num_uids = 0; + int num_sids = 0; DOM_SID2 *sid; - uid_t *uid=NULL; + DOM_SID *sids=NULL; DOM_SID alias_sid; DOM_SID als_sid; uint32 alias_rid; fstring alias_sid_str; - DOM_SID temp_sid; - SAM_ACCOUNT *sam_user = NULL; - BOOL check; uint32 acc_granted; /* find the policy handle. open a policy on it. */ 
@@ -3207,65 +3204,40 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ if (sid_equal(&alias_sid, &global_sid_Builtin)) { DEBUG(10, ("lookup on Builtin SID (S-1-5-32)\n")); - if(!get_builtin_group_from_sid(als_sid, &map)) + if(!get_builtin_group_from_sid(&als_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; } else { if (sid_equal(&alias_sid, get_global_sam_sid())) { DEBUG(10, ("lookup on Server SID\n")); - if(!get_local_group_from_sid(als_sid, &map)) + if(!get_local_group_from_sid(&als_sid, &map)) { + fstring alias_sid_string; + DEBUG(10, ("Alias %s not found\n", sid_to_string(alias_sid_string, &als_sid))); return NT_STATUS_NO_SUCH_ALIAS; + } } } - if(!get_uid_list_of_group(map.gid, &uid, &num_uids)) + if (!get_sid_list_of_group(map.gid, &sids, &num_sids)) { + fstring alias_sid_string; + DEBUG(10, ("Alias %s found, but member list unavailable\n", sid_to_string(alias_sid_string, &als_sid))); return NT_STATUS_NO_SUCH_ALIAS; + } DEBUG(10, ("sid is %s\n", alias_sid_str)); - sid = (DOM_SID2 *)talloc_zero(p->mem_ctx, sizeof(DOM_SID2) * num_uids); - if (num_uids!=0 && sid == NULL) + sid = (DOM_SID2 *)talloc_zero(p->mem_ctx, sizeof(DOM_SID2) * num_sids); + if (num_sids!=0 && sid == NULL) { + SAFE_FREE(sids); return NT_STATUS_NO_MEMORY; + } - for (i = 0; i < num_uids; i++) { - struct passwd *pass; - uint32 rid; - - sid_copy(&temp_sid, get_global_sam_sid()); - - pass = getpwuid_alloc(uid[i]); - if (!pass) continue; - - if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_user))) { - passwd_free(&pass); - continue; - } - - become_root(); - check = pdb_getsampwnam(sam_user, pass->pw_name); - unbecome_root(); - - if (check != True) { - pdb_free_sam(&sam_user); - passwd_free(&pass); - continue; - } - - rid = pdb_get_user_rid(sam_user); - if (rid == 0) { - pdb_free_sam(&sam_user); - passwd_free(&pass); - continue; - } - - pdb_free_sam(&sam_user); - passwd_free(&pass); - - sid_append_rid(&temp_sid, rid); - - init_dom_sid2(&sid[i], &temp_sid); + for (i = 0; i < 
num_sids; i++) { + init_dom_sid2(&sid[i], &sids[i]); } DEBUG(10, ("sid is %s\n", alias_sid_str)); - init_samr_r_query_aliasmem(r_u, num_uids, sid, NT_STATUS_OK); + init_samr_r_query_aliasmem(r_u, num_sids, sid, NT_STATUS_OK); + + SAFE_FREE(sids); return NT_STATUS_OK; } @@ -3276,20 +3248,19 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u) { - int num_uids = 0; + int num_sids = 0; + int final_num_sids = 0; int i; DOM_SID group_sid; uint32 group_rid; fstring group_sid_str; - uid_t *uid=NULL; + DOM_SID *sids=NULL; GROUP_MAP map; uint32 *rid=NULL; uint32 *attr=NULL; - SAM_ACCOUNT *sam_user = NULL; - BOOL check; uint32 acc_granted; /* find the policy handle. open a policy on it. */ 
@@ -3316,52 +3287,32 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ if(!get_domain_group_from_sid(group_sid, &map)) return NT_STATUS_NO_SUCH_GROUP; - if(!get_uid_list_of_group(map.gid, &uid, &num_uids)) + if(!get_sid_list_of_group(map.gid, &sids, &num_sids)) return NT_STATUS_NO_SUCH_GROUP; - rid=talloc_zero(p->mem_ctx, sizeof(uint32)*num_uids); - attr=talloc_zero(p->mem_ctx, sizeof(uint32)*num_uids); + rid=talloc_zero(p->mem_ctx, sizeof(uint32)*num_sids); + attr=talloc_zero(p->mem_ctx, sizeof(uint32)*num_sids); - if (num_uids!=0 && (rid==NULL || attr==NULL)) + if (num_sids!=0 && (rid==NULL || attr==NULL)) return NT_STATUS_NO_MEMORY; - for (i=0; ipw_name); - unbecome_root(); - - if (check != True) { - pdb_free_sam(&sam_user); - passwd_free(&pass); - continue; - } - - urid = pdb_get_user_rid(sam_user); - if (urid == 0) { - pdb_free_sam(&sam_user); - passwd_free(&pass); - continue; + + if (sid_peek_check_rid(get_global_sam_sid(), &sids[i], &urid)) { + rid[final_num_sids] = urid; + attr[final_num_sids] = SID_NAME_USER; + final_num_sids++; + } else { + fstring user_sid_str, domain_sid_str; + DEBUG(1, ("_samr_query_groupmem: SID %s in group %s is not in our domain %s\n", + sid_to_string(user_sid_str, &sids[i]), + sid_to_string(group_sid_str, &group_sid), + sid_to_string(domain_sid_str, get_global_sam_sid()))); } - - pdb_free_sam(&sam_user); - passwd_free(&pass); - - rid[i] = urid; - attr[i] = SID_NAME_USER; } - init_samr_r_query_groupmem(r_u, num_uids, rid, attr, NT_STATUS_OK); + init_samr_r_query_groupmem(r_u, final_num_sids, rid, attr, NT_STATUS_OK); return NT_STATUS_OK; } 
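Review bot: `_samr_query_groupmem` never releases `sids` after `get_sid_list_of_group(map.gid, &sids, &num_sids)` succeeds: neither the `NT_STATUS_NO_MEMORY` return nor the final `return NT_STATUS_OK` frees it. The sibling changes in this commit do call `SAFE_FREE(sids)`, in `_samr_query_aliasmem` and `_samr_query_groupinfo`, which suggests the list is heap-allocated by the callee. If so, this handler leaks one SID array per client request. Adding `SAFE_FREE(sids);` before both returns would make the three callers consistent. The start of the rewritten loop is missing from this page, so the placement should be checked against the real file.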
@@ -3397,13 +3348,13 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD if (sid_compare(&alias_sid, get_global_sam_sid())>0) { DEBUG(10, ("adding member on Server SID\n")); - if(!get_local_group_from_sid(alias_sid, &map)) + if(!get_local_group_from_sid(&alias_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; } else { if (sid_compare(&alias_sid, &global_sid_Builtin)>0) { DEBUG(10, ("adding member on BUILTIN SID\n")); - if( !get_local_group_from_sid(alias_sid, &map)) + if( !get_local_group_from_sid(&alias_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; } else @@ -3494,7 +3445,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE return NT_STATUS_NO_SUCH_ALIAS; } - if( !get_local_group_from_sid(alias_sid, &map)) + if( !get_local_group_from_sid(&alias_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; if ((grp=getgrgid(map.gid)) == NULL) @@ -3882,7 +3833,7 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S DEBUG(10, ("lookup on Local SID\n")); - if(!get_local_group_from_sid(alias_sid, &map)) + if(!get_local_group_from_sid(&alias_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; gid=map.gid; @@ -4042,8 +3993,8 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM { DOM_SID group_sid; GROUP_MAP map; - uid_t *uid=NULL; - int num_uids=0; + DOM_SID *sids=NULL; + int num_sids=0; GROUP_INFO_CTR *ctr; uint32 acc_granted; BOOL ret; @@ -4068,10 +4019,10 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM switch (q_u->switch_level) { case 1: ctr->switch_value1 = 1; - if(!get_uid_list_of_group(map.gid, &uid, &num_uids)) + if(!get_sid_list_of_group(map.gid, &sids, &num_sids)) return NT_STATUS_NO_SUCH_GROUP; - init_samr_group_info1(&ctr->group.info1, map.nt_name, map.comment, num_uids); - SAFE_FREE(uid); + init_samr_group_info1(&ctr->group.info1, map.nt_name, map.comment, num_sids); + SAFE_FREE(sids); break; case 3: ctr->switch_value1 = 3; 
@@ -4153,7 +4104,7 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ return r_u->status; } - if (!get_local_group_from_sid(group_sid, &map)) + if (!get_local_group_from_sid(&group_sid, &map)) return NT_STATUS_NO_SUCH_GROUP; ctr=&q_u->ctr; -- cgit From 8c1d0fb955611896f149b3c46521159a5537ab8e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 2 Jan 2004 23:55:44 +0000 Subject: Match Win2k, and return NT_STATUS_INVALID_PARAMETER if this parameter is not an account type Andrew Bartlett (This used to be commit faddf5d8f9821176f4367caaf61844980df9f79c) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index be5f197198..bd26ce6849 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2135,9 +2135,9 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA return nt_status; } - if (!acb_info) { + if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST || acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) { /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if - this parameter is zero (ie, no user type specified) */ + this parameter is not an account type */ return NT_STATUS_INVALID_PARAMETER; } -- cgit From 500c28974ded4c4789d9f197de5860b20447e606 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 9 Jan 2004 14:54:33 +0000 Subject: fix some warnings from the Sun compiler (This used to be commit ebabf72a78f0165521268b73e0fcabe1ea7834fd) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index bd26ce6849..b9974cba8a 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -4277,7 +4277,7 @@ NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, if ( is_user ) { GROUP_MAP *mappings = NULL; - uint32 num_groups, i; + int num_groups, i; struct group *grp2; if ( pdb_enum_group_mapping(type, &mappings, &num_groups, False) && num_groups>0 ) { -- cgit From b75b755a2ba78ad323d6a87fdbee78b1829f864f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 12 Jan 2004 12:18:11 +0000 Subject: First stab at cracklib support (password quality checking) in Samba 3.0 This adds a configure test, that tries to find out if we have a working cracklib installation, and tries to pick up the debian hints on where the dictionary might be found. Default is per my Fedora Core 1 system - I'm not sure how much it changes. Andrew Bartlett (This used to be commit bc770edb788f0b6f719011cda683f045b76b7ba5) --- source3/rpc_server/srv_samr_nt.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b9974cba8a..7edd34c8dd 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2834,11 +2834,17 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid) DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n")); } else { /* update the UNIX password */ - if (lp_unix_password_sync() ) - if(!chgpasswd(pdb_get_username(pwd), "", plaintext_buf, True)) { + if (lp_unix_password_sync() ) { + struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd)); + if (!passwd) { + DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n")); + } + + if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) { pdb_free_sam(&pwd); return False; } + } } ZERO_STRUCT(plaintext_buf); 
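Review bot: In the added `lp_unix_password_sync()` block of set_user_info_23, a NULL result from Get_Pwnam() is only logged, and the NULL `passwd` is then passed straight to chgpasswd(). Whether chgpasswd() tolerates a NULL entry is not visible here, so handle the failure where it is detected, e.g. `if (!passwd) { ZERO_STRUCT(plaintext_buf); pdb_free_sam(&pwd); return False; }` after the DEBUG call. The same pattern is in the set_user_info_pw hunk of this commit and in both hunks of the later re-merge of this patch. In set_user_info_23 the existing `return False` after a failed chgpasswd() is also taken before `ZERO_STRUCT(plaintext_buf)`, so the cleartext password buffer is not wiped on that path. Both functions start and end outside the hunks.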
@@ -2899,7 +2905,12 @@ static BOOL set_user_info_pw(char *pass, DOM_SID *sid) } else { /* update the UNIX password */ if (lp_unix_password_sync()) { - if(!chgpasswd(pdb_get_username(pwd), "", plaintext_buf, True)) { + struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd)); + if (!passwd) { + DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n")); + } + + if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) { pdb_free_sam(&pwd); return False; } -- cgit From 1dce4ebed861a6dfbd19da20601d92bc9be3484a Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 14 Jan 2004 17:34:41 +0000 Subject: revert the cracklib changes until post 3.0.2 (This used to be commit 6202e0fa727a4307f51bf42f5ced401a7c7b8214) --- source3/rpc_server/srv_samr_nt.c | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 7edd34c8dd..b9974cba8a 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2834,17 +2834,11 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid) DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n")); } else { /* update the UNIX password */ - if (lp_unix_password_sync() ) { - struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd)); - if (!passwd) { - DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n")); - } - - if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) { + if (lp_unix_password_sync() ) + if(!chgpasswd(pdb_get_username(pwd), "", plaintext_buf, True)) { pdb_free_sam(&pwd); return False; } - } } ZERO_STRUCT(plaintext_buf); 
@@ -2905,12 +2899,7 @@ static BOOL set_user_info_pw(char *pass, DOM_SID *sid) } else { /* update the UNIX password */ if (lp_unix_password_sync()) { - struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd)); - if (!passwd) { - DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n")); - } - - if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) { + if(!chgpasswd(pdb_get_username(pwd), "", plaintext_buf, True)) { pdb_free_sam(&pwd); return False; } -- cgit From 418052559979d350f44f1dd792c720b12f7082ef Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 15 Jan 2004 20:47:30 +0000 Subject: Bug 381: check builtin (not local) group SID. Patch from Jianliang Lu (This used to be commit 2fd2c07df42df42103e81f5eb39bd1778de6ca0a) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b9974cba8a..f189587e85 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3354,7 +3354,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD } else { if (sid_compare(&alias_sid, &global_sid_Builtin)>0) { DEBUG(10, ("adding member on BUILTIN SID\n")); - if( !get_local_group_from_sid(&alias_sid, &map)) + if( !get_builtin_group_from_sid(&alias_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; } else -- cgit From 784b05c4895fa8d7f5215d4444bc74e91a918114 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Mon, 26 Jan 2004 08:45:02 +0000 Subject: This adds client-side support for the unicode/SAMR password change scheme. As well as avoiding DOS charset issues, this scheme returns useful error codes, that we can map back via the pam interface. This patch also cleans up the interfaces used for password buffers, to avoid duplication of code. Andrew Bartlett (This used to be commit 2a2b1f0c872d154fbcce71a250e23dfad085ba1e) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index f189587e85..bcb5b239be 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2815,7 +2815,7 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid) acct_ctrl = pdb_get_acct_ctrl(pwd); - if (!decode_pw_buffer((char*)id23->pass, plaintext_buf, 256, &len)) { + if (!decode_pw_buffer((char*)id23->pass, plaintext_buf, 256, &len, STR_UNICODE)) { pdb_free_sam(&pwd); return False; } @@ -2881,7 +2881,7 @@ static BOOL set_user_info_pw(char *pass, DOM_SID *sid) ZERO_STRUCT(plaintext_buf); - if (!decode_pw_buffer(pass, plaintext_buf, 256, &len)) { + if (!decode_pw_buffer(pass, plaintext_buf, 256, &len, STR_UNICODE)) { pdb_free_sam(&pwd); return False; } -- cgit From 19cc1a9f202551fdaca39d67d926bb77e32d085c Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 2 Feb 2004 00:08:35 +0000 Subject: remerge andrew's cracklib patch from HEAD and fix a compile warnings (This used to be commit b60f6ec30d05e4e5bba9934a416ddc8bc089824f) --- source3/rpc_server/srv_samr_nt.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index bcb5b239be..b8de24cf39 100644 --- a/source3/rpc_server/srv_samr_nt.c 
+++ b/source3/rpc_server/srv_samr_nt.c @@ -2834,11 +2834,17 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid) DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n")); } else { /* update the UNIX password */ - if (lp_unix_password_sync() ) - if(!chgpasswd(pdb_get_username(pwd), "", plaintext_buf, True)) { + if (lp_unix_password_sync() ) { + struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd)); + if (!passwd) { + DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n")); + } + + if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) { pdb_free_sam(&pwd); return False; } + } } ZERO_STRUCT(plaintext_buf); @@ -2899,7 +2905,12 @@ static BOOL set_user_info_pw(char *pass, DOM_SID *sid) } else { /* update the UNIX password */ if (lp_unix_password_sync()) { - if(!chgpasswd(pdb_get_username(pwd), "", plaintext_buf, True)) { + struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd)); + if (!passwd) { + DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n")); + } + + if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) { pdb_free_sam(&pwd); return False; } -- cgit From d2742ac2fc42dc36ae089fd043228b7a41e523aa Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 16 Feb 2004 14:24:35 +0000 Subject: Cosmetic fix: Use sid_is_in_our_domain instead of doing it per hand. Volker (This used to be commit 04639e8862c360e89faac8b80c63197d514b7455) --- source3/rpc_server/srv_samr_nt.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b8de24cf39..3c9adf4129 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -3263,7 +3263,6 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ int final_num_sids = 0; int i; DOM_SID group_sid; - uint32 group_rid; fstring group_sid_str; DOM_SID *sids=NULL; @@ -3282,17 +3281,14 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ return r_u->status; } - /* todo: change to use sid_compare_front */ - - sid_split_rid(&group_sid, &group_rid); sid_to_string(group_sid_str, &group_sid); DEBUG(10, ("sid is %s\n", group_sid_str)); - /* can we get a query for an SID outside our domain ? */ - if (!sid_equal(&group_sid, get_global_sam_sid())) + if (!sid_check_is_in_our_domain(&group_sid)) { + DEBUG(3, ("sid %s is not in our domain\n", group_sid_str)); return NT_STATUS_NO_SUCH_GROUP; + } - sid_append_rid(&group_sid, group_rid); DEBUG(10, ("lookup on Domain SID\n")); if(!get_domain_group_from_sid(group_sid, &map)) -- cgit From 07892673ff5962ef1bbffbc72bd1588b83e6f777 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 17 Feb 2004 10:11:53 +0000 Subject: In samr_lookup_names Windows does not return WKN_GRP(5) but ALIAS(4) when you search in BUILTIN. Match that. Volker (This used to be commit 2863b21d8a5933c309c51edb09fbda4e669e4890) --- source3/rpc_server/srv_samr_nt.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 3c9adf4129..c0d352483f 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1418,7 +1418,12 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO if (sid_equal(&sid, &pol_sid)) { rid[i]=local_rid; - type[i]=local_type; + + /* Windows does not return WKN_GRP here, even + * on lookups in builtin */ + type[i] = (local_type == SID_NAME_WKN_GRP) ? + SID_NAME_ALIAS : local_type; + r_u->status = NT_STATUS_OK; } } -- cgit 
From 34a9928ee1c141f2cdb498d96bb09e7498cf090f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 17 Feb 2004 15:54:57 +0000 Subject: Be able to set alias info for builtin as well. Volker (This used to be commit 7a947ecdf56f2dd02811262372708f8a74bfedad) --- source3/rpc_server/srv_samr_nt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c0d352483f..a087e28f09 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4116,7 +4116,8 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ return r_u->status; } - if (!get_local_group_from_sid(&group_sid, &map)) + if (!get_local_group_from_sid(&group_sid, &map) && + !get_builtin_group_from_sid(&group_sid, &map)) return NT_STATUS_NO_SUCH_GROUP; ctr=&q_u->ctr; -- cgit From 8ccdcb3f1c6b89b01a5ad067e56e7677e1ba63cd Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Wed, 25 Feb 2004 15:02:55 +0000 Subject: reset time and duration are set in minutes, not seconds. Works from usrmgr. (This used to be commit 700049d9efefc7f8952cc60bc46ba8aa790a28ba) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index a087e28f09..10069abb76 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -4502,8 +4502,8 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R case 0x07: break; case 0x0c: - u_lock_duration=nt_time_to_unix_abs(&q_u->ctr->info.inf12.duration); - u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count); + u_lock_duration=nt_time_to_unix_abs(&q_u->ctr->info.inf12.duration)/60; + u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count)/60; account_policy_set(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration); account_policy_set(AP_RESET_COUNT_TIME, (int)u_reset_time); -- cgit From af6f7254a9873a34fb391f1fd78aadadbc796063 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Wed, 25 Feb 2004 20:02:47 +0000 Subject: Do the query part of the previous fix...reset time and duration are set in minutes, not seconds. Works from usrmgr. (This used to be commit 98833a82facb0bc25d9ba6f4d4c1200627e98d6d) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 10069abb76..58dcd48d8d 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2081,10 +2081,10 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA break; case 0x0c: account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); - u_lock_duration = account_policy_temp; + u_lock_duration = account_policy_temp * 60; account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp); - u_reset_time = account_policy_temp; + u_reset_time = account_policy_temp * 60; account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); lockout = account_policy_temp; -- cgit From c4877403a04b60619523dfe3fc892564ff41a079 Mon Sep 17 00:00:00 2001 
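Review bot: The `/60` in `case 0x0c` of _samr_set_dom_info is applied unconditionally, so it also rescales any special value nt_time_to_unix_abs() may return. If that function uses a sentinel such as -1 for "never" (not visible here, please confirm), a permanent lockout duration would be stored as 0 minutes, which weakens the lockout policy. Guard the conversion, e.g. `if (u_lock_duration != -1) u_lock_duration /= 60;`, and do the same for `u_reset_time`. The mirrored `account_policy_temp * 60` in the _samr_query_dom_info hunk, and later in the _samr_unknown_2e hunk, has the same problem in reverse and can also overflow for large stored values. All three functions start and end outside their hunks.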
From: Volker Lendecke Date: Sun, 29 Feb 2004 16:34:33 +0000 Subject: net_rpc.c: Don't complain if [add|del]mem was successful. srv_samr_nt.c: Correctly report that a user is not member of an alias. Volker (This used to be commit 540f625036871e7facd094fce49d7317f65f4ffd) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 58dcd48d8d..a817627127 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3477,7 +3477,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE /* if the user is not in the group */ if(!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) { pdb_free_sam(&sam_pass); - return NT_STATUS_MEMBER_IN_ALIAS; + return NT_STATUS_MEMBER_NOT_IN_ALIAS; } smb_delete_user_group(grp_name, pdb_get_username(sam_pass)); -- cgit From b737769a7477351f7f9670e14b06728b9df46389 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Wed, 3 Mar 2004 17:44:00 +0000 Subject: more usrmgr fixes: display lockout timers in minutes, not seconds, for samr 2e (This used to be commit 832674c099a3ff9bb747dba6235e47d40a930abd) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index a817627127..35a6f37e17 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -4434,10 +4434,10 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW break; case 0x0c: account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); - u_lock_duration = account_policy_temp; + u_lock_duration = account_policy_temp * 60; account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp); - u_reset_time = account_policy_temp; + u_reset_time = account_policy_temp * 60; account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); lockout = account_policy_temp; -- cgit From 51deca6bc9bbf6a07cbf5126cc6b2598484ef29c Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 4 Mar 2004 17:57:21 +0000 Subject: There's a specific error message NT_STATUS_ALIAS_EXISTS. (This used to be commit f0d99f318c67852ac5bf9b606faa115ad36a5f80) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 35a6f37e17..70ae4d170e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3964,7 +3964,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S /* check if group already exists */ if ( (grp=getgrnam(name)) != NULL) - return NT_STATUS_GROUP_EXISTS; + return NT_STATUS_ALIAS_EXISTS; /* we can create the UNIX group */ if (smb_create_group(name, &gid) != 0) -- cgit From 7af3777ab32ee220700ed3367d07ca18b2bbdd47 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 7 Apr 2004 12:43:44 +0000 Subject: r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f) --- source3/rpc_server/srv_samr_nt.c | 451 ++++++++++++++++----------------------- 1 file changed, 180 insertions(+), 271 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 70ae4d170e..2e5fe295ec 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -879,7 +879,7 @@ static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNIST Get the group entries - similar to get_sampwd_entries(). ******************************************************************/ -static NTSTATUS get_group_entries( enum SID_NAME_USE type, TALLOC_CTX *ctx, +static NTSTATUS get_group_domain_entries( TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, uint32 *p_num_entries, uint32 max_entries ) { @@ -894,7 +894,8 @@ static NTSTATUS get_group_entries( enum SID_NAME_USE type, TALLOC_CTX *ctx, needed for some passdb backends to enumerate groups */ become_root(); - pdb_enum_group_mapping(type, &map, (int *)&group_entries, ENUM_ONLY_MAPPED); + pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, + ENUM_ONLY_MAPPED); unbecome_root(); num_entries=group_entries-start_idx; 
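Review bot: The re-wrapped `pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED)` call in get_group_domain_entries still ignores its return value. The following `num_entries=group_entries-start_idx;` is also not guarded against `start_idx` exceeding the number of entries returned. `start_idx` is a `uint32` parameter, so if it is taken from the client request (the caller is not visible here) the subtraction can wrap, and the `map[i+start_idx]` accesses in the copy loop of the next hunk would then read past the array. Check the call's result and reject `start_idx > group_entries` before the subtraction. The function body continues outside this hunk.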
@@ -915,51 +916,57 @@ static NTSTATUS get_group_entries( enum SID_NAME_USE type, TALLOC_CTX *ctx, fstrcpy((*d_grp)[i].name, map[i+start_idx].nt_name); fstrcpy((*d_grp)[i].comment, map[i+start_idx].comment); sid_split_rid(&map[i+start_idx].sid, &(*d_grp)[i].rid); - (*d_grp)[i].attr=type; + (*d_grp)[i].attr=SID_NAME_DOM_GRP; } SAFE_FREE(map); *p_num_entries = num_entries; - DEBUG(10,("get_group_entries: returning %d entries\n", *p_num_entries)); + DEBUG(10,("get_group_domain_entries: returning %d entries\n", + *p_num_entries)); return NT_STATUS_OK; } /******************************************************************* - Wrapper for enuemrating domain groups + Wrapper for enumerating local groups ******************************************************************/ -static NTSTATUS get_group_domain_entries( TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, - DOM_SID *sid, uint32 start_idx, - uint32 *p_num_entries, uint32 max_entries ) +static NTSTATUS get_alias_entries( TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, + const DOM_SID *sid, uint32 start_idx, + uint32 *p_num_entries, uint32 max_entries ) { - return get_group_entries( SID_NAME_DOM_GRP, ctx, d_grp, sid, start_idx, - p_num_entries, max_entries ); -} + struct acct_info *info; + int i; + BOOL res; -/******************************************************************* - Wrapper for enumerating local groups - ******************************************************************/ + become_root(); + res = pdb_enum_aliases(sid, start_idx, max_entries, + p_num_entries, &info); + unbecome_root(); -static NTSTATUS get_group_alias_entries( TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, - DOM_SID *sid, uint32 start_idx, - uint32 *p_num_entries, uint32 max_entries) -{ - if ( sid_equal(sid, &global_sid_Builtin) ) { - return get_group_entries( SID_NAME_WKN_GRP, ctx, d_grp, - sid, start_idx, p_num_entries, max_entries ); - } - else if ( sid_equal(sid, get_global_sam_sid()) ) { - return get_group_entries( SID_NAME_ALIAS, ctx, d_grp, - sid, start_idx, 
p_num_entries, max_entries ); + if (!res) + return NT_STATUS_ACCESS_DENIED; + + if (*p_num_entries == 0) + return NT_STATUS_OK; + + *d_grp = talloc(ctx, sizeof(DOMAIN_GRP) * (*p_num_entries)); + + if (*d_grp == NULL) { + SAFE_FREE(info); + return NT_STATUS_NO_MEMORY; } - /* can't do anything with this SID */ - - *p_num_entries = 0; + for (i=0; i<*p_num_entries; i++) { + fstrcpy((*d_grp)[i].name, info[i].acct_name); + fstrcpy((*d_grp)[i].comment, info[i].acct_desc); + (*d_grp)[i].rid = info[i].rid; + (*d_grp)[i].attr = SID_NAME_ALIAS; + } + SAFE_FREE(info); return NT_STATUS_OK; } @@ -1025,9 +1032,9 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S sid_to_string(sid_str, &sid); DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", sid_str)); - status = get_group_alias_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, - &num_entries, MAX_SAM_ENTRIES); - if (NT_STATUS_IS_ERR(status)) return status; + status = get_alias_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, + &num_entries, MAX_SAM_ENTRIES); + if (!NT_STATUS_IS_OK(status)) return status; make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp); @@ -1244,7 +1251,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_R_QUERY_ALIASINFO *r_u) { DOM_SID sid; - GROUP_MAP map; + struct acct_info info; uint32 acc_granted; BOOL ret; @@ -1259,12 +1266,8 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM return r_u->status; } - if (!sid_check_is_in_our_domain(&sid) && - !sid_check_is_in_builtin(&sid)) - return NT_STATUS_OBJECT_TYPE_MISMATCH; - become_root(); - ret = pdb_getgrsid(&map, sid); + ret = pdb_get_aliasinfo(&sid, &info); unbecome_root(); if ( !ret ) 
@@ -1274,12 +1277,13 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM case 1: r_u->ptr = 1; r_u->ctr.switch_value1 = 1; - init_samr_alias_info1(&r_u->ctr.alias.info1, map.nt_name, 1, map.comment); + init_samr_alias_info1(&r_u->ctr.alias.info1, + info.acct_name, 1, info.acct_desc); break; case 3: r_u->ptr = 1; r_u->ctr.switch_value1 = 3; - init_samr_alias_info3(&r_u->ctr.alias.info3, map.comment); + init_samr_alias_info3(&r_u->ctr.alias.info3, info.acct_desc); break; default: return NT_STATUS_INVALID_INFO_CLASS; @@ -3191,15 +3195,11 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ { int i; - GROUP_MAP map; int num_sids = 0; DOM_SID2 *sid; DOM_SID *sids=NULL; DOM_SID alias_sid; - DOM_SID als_sid; - uint32 alias_rid; - fstring alias_sid_str; uint32 acc_granted; 
@@ -3211,35 +3211,12 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_GET_MEMBERS, "_samr_query_aliasmem"))) { return r_u->status; } - - sid_copy(&als_sid, &alias_sid); - sid_to_string(alias_sid_str, &alias_sid); - sid_split_rid(&alias_sid, &alias_rid); - DEBUG(10, ("sid is %s\n", alias_sid_str)); + DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid))); - if (sid_equal(&alias_sid, &global_sid_Builtin)) { - DEBUG(10, ("lookup on Builtin SID (S-1-5-32)\n")); - if(!get_builtin_group_from_sid(&als_sid, &map)) - return NT_STATUS_NO_SUCH_ALIAS; - } else { - if (sid_equal(&alias_sid, get_global_sam_sid())) { - DEBUG(10, ("lookup on Server SID\n")); - if(!get_local_group_from_sid(&als_sid, &map)) { - fstring alias_sid_string; - DEBUG(10, ("Alias %s not found\n", sid_to_string(alias_sid_string, &als_sid))); - return NT_STATUS_NO_SUCH_ALIAS; - } - } - } - - if (!get_sid_list_of_group(map.gid, &sids, &num_sids)) { - fstring alias_sid_string; - DEBUG(10, ("Alias %s found, but member list unavailable\n", sid_to_string(alias_sid_string, &als_sid))); + if (!pdb_enum_aliasmem(&alias_sid, &sids, &num_sids)) return NT_STATUS_NO_SUCH_ALIAS; - } - DEBUG(10, ("sid is %s\n", alias_sid_str)); sid = (DOM_SID2 *)talloc_zero(p->mem_ctx, sizeof(DOM_SID2) * num_sids); if (num_sids!=0 && sid == NULL) { SAFE_FREE(sids); @@ -3250,7 +3227,6 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ init_dom_sid2(&sid[i], &sids[i]); } - DEBUG(10, ("sid is %s\n", alias_sid_str)); init_samr_r_query_aliasmem(r_u, num_sids, sid, NT_STATUS_OK); SAFE_FREE(sids); 
@@ -3258,20 +3234,89 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ return NT_STATUS_OK; } +static void add_uid_to_array_unique(uid_t uid, uid_t **uids, int *num) +{ + int i; + + if ((*num) >= groups_max()) + return; + + for (i=0; i<*num; i++) { + if ((*uids)[i] == uid) + return; + } + + *uids = Realloc(*uids, (*num+1) * sizeof(uid_t)); + + if (*uids == NULL) + return; + + (*uids)[*num] = uid; + *num += 1; +} + + +static BOOL get_memberuids(gid_t gid, uid_t **uids, int *num) +{ + struct group *grp; + char **gr; + struct sys_pwent *userlist, *user; + + *uids = NULL; + *num = 0; + + /* We only look at our own sam, so don't care about imported stuff */ + + winbind_off(); + + if ((grp = getgrgid(gid)) == NULL) { + winbind_on(); + return False; + } + + /* Primary group members */ + + userlist = getpwent_list(); + + for (user = userlist; user != NULL; user = user->next) { + if (user->pw_gid != gid) + continue; + add_uid_to_array_unique(user->pw_uid, uids, num); + } + + pwent_free(userlist); + + /* Secondary group members */ + + gr = grp->gr_mem; + while ((*gr != NULL) && ((*gr)[0] != '\0')) { + struct passwd *pw = getpwnam(*gr); + + if (pw == NULL) + continue; + + add_uid_to_array_unique(pw->pw_uid, uids, num); + + gr += 1; + } + + winbind_on(); + + return True; +} + /********************************************************************* _samr_query_groupmem *********************************************************************/ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u) { - int num_sids = 0; - int final_num_sids = 0; - int i; + int final_num_rids, i; DOM_SID group_sid; fstring group_sid_str; - DOM_SID *sids=NULL; - - GROUP_MAP map; + uid_t *uids; + int num; + gid_t gid; uint32 *rid=NULL; uint32 *attr=NULL; 
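Review bot: The secondary-member loop in the new get_memberuids() never terminates when a member name in `grp->gr_mem` does not resolve. `if (pw == NULL) continue;` skips the `gr += 1;` at the bottom of the `while`, so getpwnam() is retried on the same entry forever and `winbind_on()` is never reached. Advance the pointer on every iteration, e.g. `for (gr = grp->gr_mem; (*gr != NULL) && ((*gr)[0] != '\0'); gr += 1)`. In add_uid_to_array_unique(), a failed Realloc() leaves `*uids` NULL but `*num` unchanged, so the next call's duplicate scan dereferences `(*uids)[i]` through a NULL pointer. Set `*num = 0` on that path, or report the failure to the caller.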
@@ -3296,35 +3341,46 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ DEBUG(10, ("lookup on Domain SID\n")); - if(!get_domain_group_from_sid(group_sid, &map)) + if (!NT_STATUS_IS_OK(sid_to_gid(&group_sid, &gid))) return NT_STATUS_NO_SUCH_GROUP; - if(!get_sid_list_of_group(map.gid, &sids, &num_sids)) + if(!get_memberuids(gid, &uids, &num)) return NT_STATUS_NO_SUCH_GROUP; - rid=talloc_zero(p->mem_ctx, sizeof(uint32)*num_sids); - attr=talloc_zero(p->mem_ctx, sizeof(uint32)*num_sids); + rid=talloc_zero(p->mem_ctx, sizeof(uint32)*num); + attr=talloc_zero(p->mem_ctx, sizeof(uint32)*num); - if (num_sids!=0 && (rid==NULL || attr==NULL)) + if (num!=0 && (rid==NULL || attr==NULL)) return NT_STATUS_NO_MEMORY; - for (i=0; istatus; } - sid_to_string(alias_sid_str, &alias_sid); - DEBUG(10, ("sid is %s\n", alias_sid_str)); - - if (sid_compare(&alias_sid, get_global_sam_sid())>0) { - DEBUG(10, ("adding member on Server SID\n")); - if(!get_local_group_from_sid(&alias_sid, &map)) - return NT_STATUS_NO_SUCH_ALIAS; - - } else { - if (sid_compare(&alias_sid, &global_sid_Builtin)>0) { - DEBUG(10, ("adding member on BUILTIN SID\n")); - if( !get_builtin_group_from_sid(&alias_sid, &map)) - return NT_STATUS_NO_SUCH_ALIAS; - - } else - return NT_STATUS_NO_SUCH_ALIAS; - } + DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid))); - ret = pdb_init_sam(&sam_user); - if (!NT_STATUS_IS_OK(ret)) - return ret; - - check = pdb_getsampwsid(sam_user, &q_u->sid.sid); - - if (check != True) { - pdb_free_sam(&sam_user); - return NT_STATUS_NO_SUCH_USER; - } - - /* check a real user exist before we run the script to add a user to a group */ - if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) { - pdb_free_sam(&sam_user); - return NT_STATUS_NO_SUCH_USER; - } - - pdb_free_sam(&sam_user); - - if ((pwd=getpwuid_alloc(uid)) == NULL) { - return NT_STATUS_NO_SUCH_USER; - } - - if ((grp=getgrgid(map.gid)) == NULL) { - passwd_free(&pwd); - return 
NT_STATUS_NO_SUCH_ALIAS; - } - - /* we need to copy the name otherwise it's overloaded in user_in_group_list */ - fstrcpy(grp_name, grp->gr_name); - - /* if the user is already in the group */ - if(user_in_unix_group_list(pwd->pw_name, grp_name)) { - passwd_free(&pwd); - return NT_STATUS_MEMBER_IN_ALIAS; - } - - /* - * ok, the group exist, the user exist, the user is not in the group, - * we can (finally) add it to the group ! - */ - smb_add_user_group(grp_name, pwd->pw_name); - - /* check if the user has been added then ... */ - if(!user_in_unix_group_list(pwd->pw_name, grp_name)) { - passwd_free(&pwd); - return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */ - } + if (!pdb_add_aliasmem(&alias_sid, &q_u->sid.sid)) + return NT_STATUS_ACCESS_DENIED; - passwd_free(&pwd); return NT_STATUS_OK; } @@ -3433,11 +3417,6 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DEL_ALIASMEM *r_u) { DOM_SID alias_sid; - fstring alias_sid_str; - struct group *grp; - fstring grp_name; - GROUP_MAP map; - SAM_ACCOUNT *sam_pass=NULL; uint32 acc_granted; /* Find the policy handle. Open a policy on it. */ 
@@ -3448,47 +3427,12 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE return r_u->status; } - sid_to_string(alias_sid_str, &alias_sid); - DEBUG(10, ("_samr_del_aliasmem:sid is %s\n", alias_sid_str)); - - if (!sid_check_is_in_our_domain(&alias_sid) && - !sid_check_is_in_builtin(&alias_sid)) { - DEBUG(10, ("_samr_del_aliasmem:invalid alias group\n")); - return NT_STATUS_NO_SUCH_ALIAS; - } - - if( !get_local_group_from_sid(&alias_sid, &map)) - return NT_STATUS_NO_SUCH_ALIAS; - - if ((grp=getgrgid(map.gid)) == NULL) - return NT_STATUS_NO_SUCH_ALIAS; - - /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */ - fstrcpy(grp_name, grp->gr_name); - - /* check if the user exists before trying to remove it from the group */ - pdb_init_sam(&sam_pass); - if(!pdb_getsampwsid(sam_pass, &q_u->sid.sid)) { - DEBUG(5,("_samr_del_aliasmem:User %s doesn't exist.\n", pdb_get_username(sam_pass))); - pdb_free_sam(&sam_pass); - return NT_STATUS_NO_SUCH_USER; - } - - /* if the user is not in the group */ - if(!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) { - pdb_free_sam(&sam_pass); - return NT_STATUS_MEMBER_NOT_IN_ALIAS; - } - - smb_delete_user_group(grp_name, pdb_get_username(sam_pass)); - - /* check if the user has been removed then ... */ - if(user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) { - pdb_free_sam(&sam_pass); - return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */ - } + DEBUG(10, ("_samr_del_aliasmem:sid is %s\n", + sid_string_static(&alias_sid))); - pdb_free_sam(&sam_pass); + if (!pdb_del_aliasmem(&alias_sid, &q_u->sid.sid)) + return NT_STATUS_ACCESS_DENIED; + return NT_STATUS_OK; } 
@@ -3815,12 +3759,6 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, SAMR_R_DELETE_DOM_ALIAS *r_u) { DOM_SID alias_sid; - DOM_SID dom_sid; - uint32 alias_rid; - fstring alias_sid_str; - gid_t gid; - struct group *grp; - GROUP_MAP map; uint32 acc_granted; DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__)); @@ -3832,38 +3770,18 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_alias"))) { return r_u->status; } - - sid_copy(&dom_sid, &alias_sid); - sid_to_string(alias_sid_str, &dom_sid); - sid_split_rid(&dom_sid, &alias_rid); - DEBUG(10, ("sid is %s\n", alias_sid_str)); + DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid))); - /* we check if it's our SID before deleting */ - if (!sid_equal(&dom_sid, get_global_sam_sid())) + if (!sid_check_is_in_our_domain(&alias_sid)) return NT_STATUS_NO_SUCH_ALIAS; - + DEBUG(10, ("lookup on Local SID\n")); - if(!get_local_group_from_sid(&alias_sid, &map)) - return NT_STATUS_NO_SUCH_ALIAS; - - gid=map.gid; - - /* check if group really exists */ - if ( (grp=getgrgid(gid)) == NULL) - return NT_STATUS_NO_SUCH_ALIAS; - - /* we can delete the UNIX group */ - smb_delete_group(grp->gr_name); - - /* check if the group has been successfully deleted */ - if ( (grp=getgrgid(gid)) != NULL) + /* Have passdb delete the alias */ + if (!pdb_delete_alias(&alias_sid)) return NT_STATUS_ACCESS_DENIED; - /* don't check if we removed it as it could be an un-mapped group */ - pdb_delete_group_mapping_entry(alias_sid); - if (!close_policy_hnd(p, &q_u->alias_pol)) return NT_STATUS_OBJECT_NAME_INVALID; 
@@ -3941,7 +3859,6 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S DOM_SID dom_sid; DOM_SID info_sid; fstring name; - fstring sid_string; struct group *grp; struct samr_info *info; uint32 acc_granted; @@ -3962,26 +3879,18 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1); - /* check if group already exists */ - if ( (grp=getgrnam(name)) != NULL) - return NT_STATUS_ALIAS_EXISTS; - - /* we can create the UNIX group */ - if (smb_create_group(name, &gid) != 0) - return NT_STATUS_ACCESS_DENIED; - - /* check if the group has been successfully created */ - if ((grp=getgrgid(gid)) == NULL) + /* Have passdb create the alias */ + if (!pdb_create_alias(name, &r_u->rid)) return NT_STATUS_ACCESS_DENIED; - r_u->rid=pdb_gid_to_group_rid(grp->gr_gid); - sid_copy(&info_sid, get_global_sam_sid()); sid_append_rid(&info_sid, r_u->rid); - sid_to_string(sid_string, &info_sid); - /* add the group to the mapping table */ - if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, name, NULL)) + if (!NT_STATUS_IS_OK(sid_to_gid(&info_sid, &gid))) + return NT_STATUS_ACCESS_DENIED; + + /* check if the group has been successfully created */ + if ((grp=getgrgid(gid)) == NULL) return NT_STATUS_ACCESS_DENIED; if ((info = get_samr_info_by_sid(&info_sid)) == NULL) @@ -4006,7 +3915,8 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM DOM_SID group_sid; GROUP_MAP map; DOM_SID *sids=NULL; - int num_sids=0; + uid_t *uids; + int num=0; GROUP_INFO_CTR *ctr; uint32 acc_granted; BOOL ret; 
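Review bot: In the `_samr_create_dom_alias` hunk at -3962, a failure of `sid_to_gid` or `getgrgid` after `pdb_create_alias` has already succeeded returns `NT_STATUS_ACCESS_DENIED` while the alias stays created. The client is then told the call failed for an object that now exists. Either undo the creation on those two paths, e.g. `pdb_delete_alias(&info_sid);` before each `return`, or drop the post-checks if the backend already guarantees a resolvable gid. The function starts and continues outside the hunk.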
@@ -4031,9 +3941,10 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM switch (q_u->switch_level) { case 1: ctr->switch_value1 = 1; - if(!get_sid_list_of_group(map.gid, &sids, &num_sids)) + if(!get_memberuids(map.gid, &uids, &num)) return NT_STATUS_NO_SUCH_GROUP; - init_samr_group_info1(&ctr->group.info1, map.nt_name, map.comment, num_sids); + SAFE_FREE(uids); + init_samr_group_info1(&ctr->group.info1, map.nt_name, map.comment, num); SAFE_FREE(sids); break; case 3: @@ -4105,7 +4016,7 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_SET_ALIASINFO *r_u) { DOM_SID group_sid; - GROUP_MAP map; + struct acct_info info; ALIAS_INFO_CTR *ctr; uint32 acc_granted; @@ -4116,22 +4027,20 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ return r_u->status; } - if (!get_local_group_from_sid(&group_sid, &map) && - !get_builtin_group_from_sid(&group_sid, &map)) - return NT_STATUS_NO_SUCH_GROUP; - ctr=&q_u->ctr; switch (ctr->switch_value1) { case 3: - unistr2_to_ascii(map.comment, &(ctr->alias.info3.uni_acct_desc), sizeof(map.comment)-1); + unistr2_to_ascii(info.acct_desc, + &(ctr->alias.info3.uni_acct_desc), + sizeof(info.acct_desc)-1); break; default: return NT_STATUS_INVALID_INFO_CLASS; } - if(!pdb_update_group_mapping_entry(&map)) { - return NT_STATUS_NO_SUCH_GROUP; + if(!pdb_set_aliasinfo(&group_sid, &info)) { + return NT_STATUS_ACCESS_DENIED; } return NT_STATUS_OK; -- cgit From 69a91df4ed4fc8a8d2105d098e4572e6c0da5ebb Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 10 Apr 2004 16:09:48 +0000 Subject: r145: pdb_create_alias now returns NTSTATUS. More of this to follow. Volker (This used to be commit 6e18bed17093e0b1792f68817096e64e0e841f26) --- source3/rpc_server/srv_samr_nt.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
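Review bot: In the `case 1` branch of `_samr_query_groupinfo` (-4031), nothing fills `sids` any more now that `get_sid_list_of_group` is gone. The `SAFE_FREE(sids);` kept as context and the `DOM_SID *sids=NULL;` declaration are therefore dead and can be removed. `uids` is allocated only to obtain `num` and is freed on the next line; a short comment such as `/* only the member count is needed here */` would explain the allocate-and-free. The function starts and ends outside the hunk.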
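Review bot: `struct acct_info info;` in `_samr_set_aliasinfo` (-4105 and -4116) is never initialised, and only `info.acct_desc` is written before the struct is passed to `pdb_set_aliasinfo(&group_sid, &info)`. Any other field the backend reads or stores would be uninitialised stack memory; which fields it uses is not visible in this patch. Add `ZERO_STRUCT(info);` before the `switch`, or load the alias's current data first and change only the description. The removed code avoided this because `get_local_group_from_sid` filled `map` before the comment was overwritten.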
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 2e5fe295ec..f48a334fff 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3863,6 +3863,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S struct samr_info *info; uint32 acc_granted; gid_t gid; + NTSTATUS result; /* Find the policy handle. Open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted)) @@ -3880,8 +3881,10 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1); /* Have passdb create the alias */ - if (!pdb_create_alias(name, &r_u->rid)) - return NT_STATUS_ACCESS_DENIED; + result = pdb_create_alias(name, &r_u->rid); + + if (!NT_STATUS_IS_OK(result)) + return result; sid_copy(&info_sid, get_global_sam_sid()); sid_append_rid(&info_sid, r_u->rid); -- cgit From 8ad3d8c9b065f3a2040beff801bdc9dceac868a8 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 13 Apr 2004 14:39:48 +0000 Subject: r196: merging struct uuid from trunk (This used to be commit 911a28361b9d8dd50597627f245ebfb57c6294fb) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index f48a334fff..a8402ab801 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -7,8 +7,8 @@ * Copyright (C) Marc Jacobsen 1999, * Copyright (C) Jeremy Allison 2001-2002, * Copyright (C) Jean François Micouleau 1998-2001, - * Copyright (C) Jim McDonough 2002. - * Copyright (C) Gerald (Jerry) Carter 2003. + * Copyright (C) Jim McDonough 2002, + * Copyright (C) Gerald (Jerry) Carter 2003, * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by -- cgit 
From 4c34b09a19282295704b0d36dfd570edaf1a8e11 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 15 Apr 2004 09:07:32 +0000 Subject: r229: Don't list domain groups from BUILTIN. Volker (This used to be commit b4429d97439e511d40901f809e3923945cb52221) --- source3/rpc_server/srv_samr_nt.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index a8402ab801..eca0913c1c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -302,6 +302,13 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) return NT_STATUS_OK; } + if (sid_equal(sid, &global_sid_Builtin)) { + /* No domain groups for now in the BUILTIN domain */ + info->disp_info.num_group_account=0; + info->disp_info.disp_group_info=NULL; + info->disp_info.group_dbloaded=True; + return NT_STATUS_OK; + } become_root(); ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED); -- cgit From 74a81e6ba61ddc9a473b4c7c15fd7aae553b9b8b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 21 May 2004 00:13:16 +0000 Subject: r805: Fix to stop smbd hanging on missing group member from "Jianliang Lu" . Jeremy. (This used to be commit d5fb5ba9df9fc0f9167e76402c59a971f52e1b1f) --- source3/rpc_server/srv_samr_nt.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index eca0913c1c..ea631d7c85 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -3295,16 +3295,12 @@ static BOOL get_memberuids(gid_t gid, uid_t **uids, int *num) /* Secondary group members */ - gr = grp->gr_mem; - while ((*gr != NULL) && ((*gr)[0] != '\0')) { + for (gr = grp->gr_mem; (*gr != NULL) && ((*gr)[0] != '\0'); gr += 1) { struct passwd *pw = getpwnam(*gr); if (pw == NULL) continue; - add_uid_to_array_unique(pw->pw_uid, uids, num); - - gr += 1; } winbind_on(); -- cgit From 922d51b522acc06d27cfe37177973513f68c132a Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 28 Aug 2004 10:12:23 +0000 Subject: r2093: Fix for Bug 1416. This must have been a cut&paste error from add_gid.... Thanks to Jonas Olsson for the bug report & fix. Volker (This used to be commit de0eaf7be7d0c3aaf4e17b63653ca68b4332c982) --- source3/rpc_server/srv_samr_nt.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index ea631d7c85..ce6d9dd37e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3245,9 +3245,6 @@ static void add_uid_to_array_unique(uid_t uid, uid_t **uids, int *num) { int i; - if ((*num) >= groups_max()) - return; - for (i=0; i<*num; i++) { if ((*uids)[i] == uid) return; -- cgit From 410a6c72eafbb7fb1ecc9bf89310842ea8027494 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 14 Sep 2004 00:21:11 +0000 Subject: r2331: check password script code and example from trunk (This used to be commit f836be323a233f3a28cbaa04c532e83ea98ead89) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index ce6d9dd37e..74f6030365 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -2240,7 +2240,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA if (*add_script) { int add_ret; - all_string_sub(add_script, "%u", account, sizeof(account)); + all_string_sub(add_script, "%u", account, sizeof(add_script)); add_ret = smbrun(add_script,NULL); DEBUG(3,("_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); } @@ -3626,7 +3626,7 @@ static int smb_delete_user(const char *unix_user) pstrcpy(del_script, lp_deluser_script()); if (! *del_script) return -1; - all_string_sub(del_script, "%u", unix_user, sizeof(pstring)); + all_string_sub(del_script, "%u", unix_user, sizeof(del_script)); ret = smbrun(del_script,NULL); DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret)); -- cgit From 3ada1c1a992172b92f695343a8648675583f7719 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 16 Sep 2004 22:08:26 +0000 Subject: r2369: Fix from Richard Renard to fix usermgr and trust relationships. Jeremy. (This used to be commit b910e530027c19c4e505314a91ffcb72f20d8f09) --- source3/rpc_server/srv_samr_nt.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 74f6030365..34fad9b0ed 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
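Review bot: Both corrected calls (`_samr_create_user` at -2240 and `smb_delete_user` at -3626) substitute an account name into a command line that is then run through `smbrun`, and nothing in these hunks shows that name being restricted to safe characters. The buffer-size correction is right, but if `account` or `unix_user` originates from the RPC request it should be checked against an allow-list of characters before substitution. Whether `all_string_sub` filters shell metacharacters is not visible here and should be confirmed. A comment at each call naming where the validation happens, e.g. `/* name validated by <validation routine> before substitution */`, would make this auditable. Both functions extend outside their hunks.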
@@ -728,7 +728,17 @@ static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UN for (i = 0; i < num_entries; i++) { pwd = &disp_user_info[i+start_idx]; temp_name = pdb_get_username(pwd); - init_unistr2(&uni_temp_name, temp_name, UNI_STR_TERMINATE); + + /* + * usrmgr expects a non-NULL terminated string with + * trust relationships + */ + if (pdb_get_acct_ctrl(pwd) & ACB_DOMTRUST) { + init_unistr2(&uni_temp_name, temp_name, UNI_FLAGS_NONE); + } else { + init_unistr2(&uni_temp_name, temp_name, UNI_STR_TERMINATE); + } + user_sid = pdb_get_user_sid(pwd); if (!sid_peek_check_rid(domain_sid, user_sid, &user_rid)) { -- cgit From 75ea9982fb82b5c20f54910926901057b56acdc5 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 22 Sep 2004 00:33:09 +0000 Subject: r2481: Patch from Igor Belyi . Ensure pdb user is deleted first before deleting UNIX user (LDAP backend needs this ordering). Jeremy. (This used to be commit 2815b31e013e517a58027ba74f118209caf4d85f) --- source3/rpc_server/srv_samr_nt.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 34fad9b0ed..37617db5e8 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3675,7 +3675,14 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM return NT_STATUS_NO_SUCH_USER; } - /* delete the unix side */ + /* First delete the samba side */ + if (!pdb_delete_sam_account(sam_pass)) { + DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", pdb_get_username(sam_pass))); + pdb_free_sam(&sam_pass); + return NT_STATUS_CANNOT_DELETE; + } + + /* Now delete the unix side */ /* * note: we don't check if the delete really happened * as the script is not necessary present 
@@ -3683,13 +3690,7 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM */ smb_delete_user(pdb_get_username(sam_pass)); - /* and delete the samba side */ - if (!pdb_delete_sam_account(sam_pass)) { - DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", pdb_get_username(sam_pass))); - pdb_free_sam(&sam_pass); - return NT_STATUS_CANNOT_DELETE; - } - + pdb_free_sam(&sam_pass); if (!close_policy_hnd(p, &q_u->user_pol)) -- cgit From 154d5f913b4ce60f731227eb1bb3650c45fcde93 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 5 Nov 2004 23:34:00 +0000 Subject: r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d) --- source3/rpc_server/srv_samr_nt.c | 79 ++++++++++++++++++---------------------- 1 file changed, 35 insertions(+), 44 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 37617db5e8..f4348fc83e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -3119,31 +3119,19 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u) { - int num_groups = 0, tmp_num_groups=0; - uint32 *rids=NULL, *new_rids=NULL, *tmp_rids=NULL; + int num_groups = 0; + uint32 *rids=NULL; struct samr_info *info = NULL; - int i,j; + int i; NTSTATUS ntstatus1; NTSTATUS ntstatus2; - /* until i see a real useraliases query, we fack one up */ + DOM_SID *members; + DOM_SID *aliases; + int num_aliases; + BOOL res; - /* I have seen one, JFM 2/12/2001 */ - /* - * Explanation of what this call does: - * for all the SID given in the request: - * return a list of alias (local groups) - * that have those SID as members. - * - * and that's the alias in the domain specified - * in the policy_handle - * - * if the policy handle is on an incorrect sid - * for example a user's sid - * we should reply NT_STATUS_OBJECT_TYPE_MISMATCH - */ - r_u->status = NT_STATUS_OK; DEBUG(5,("_samr_query_useraliases: %d\n", __LINE__)); 
@@ -3166,40 +3154,43 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, !sid_check_is_builtin(&info->sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; + members = talloc(p->mem_ctx, sizeof(DOM_SID) * q_u->num_sids1); - for (i=0; inum_sids1; i++) { + if (members == NULL) + return NT_STATUS_NO_MEMORY; - r_u->status=get_alias_user_groups(p->mem_ctx, &info->sid, &tmp_num_groups, &tmp_rids, &(q_u->sid[i].sid)); + for (i=0; inum_sids1; i++) + sid_copy(&members[i], &q_u->sid[i].sid); - /* - * if there is an error, we just continue as - * it can be an unfound user or group - */ - if (!NT_STATUS_IS_OK(r_u->status)) { - DEBUG(10,("_samr_query_useraliases: an error occured while getting groups\n")); - continue; - } + become_root(); + res = pdb_enum_alias_memberships(members, + q_u->num_sids1, &aliases, + &num_aliases); + unbecome_root(); + + if (!res) + return NT_STATUS_UNSUCCESSFUL; - if (tmp_num_groups==0) { - DEBUG(10,("_samr_query_useraliases: no groups found\n")); + rids = NULL; + num_groups = 0; + + for (i=0; isid, &aliases[i], &rid)) continue; - } - new_rids=(uint32 *)talloc_realloc(p->mem_ctx, rids, (num_groups+tmp_num_groups)*sizeof(uint32)); - if (new_rids==NULL) { - DEBUG(0,("_samr_query_useraliases: could not realloc memory\n")); + rids = talloc_realloc(p->mem_ctx, rids, + sizeof(*rids) * (num_groups+1)); + + if (rids == NULL) return NT_STATUS_NO_MEMORY; - } - rids=new_rids; - for (j=0; j Date: Fri, 12 Nov 2004 15:49:47 +0000 Subject: r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). 
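Review bot: The allocation `talloc(p->mem_ctx, sizeof(DOM_SID) * q_u->num_sids1)` in `_samr_query_useraliases` multiplies a count taken from the request without an overflow check, and the following `sid_copy` loop writes `num_sids1` entries into the result. Unless the request parser already bounds `num_sids1`, which is not visible here, guard it first: `if (q_u->num_sids1 > (size_t)-1 / sizeof(DOM_SID)) return NT_STATUS_INVALID_PARAMETER;`. A later commit on this page switches this call to `TALLOC_ARRAY`, which is the better form if that macro performs the check. Parts of this hunk's loop text are lost in this rendering, so the remark is limited to the allocation.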
Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989) --- source3/rpc_server/srv_samr_nt.c | 49 ++++++++++++++++++++++++++++++++++++---- 1 file changed, 44 insertions(+), 5 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index f4348fc83e..0c52e859ca 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1943,11 +1943,16 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u) { SAM_ACCOUNT *sam_pass=NULL; + struct passwd *passwd; DOM_SID sid; + DOM_SID *sids; DOM_GID *gids = NULL; int num_groups = 0; + gid_t *unix_gids; + int i, num_gids, num_sids; uint32 acc_granted; BOOL ret; + NTSTATUS result; /* * from the SID in the request: 
@@ -1986,19 +1991,53 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; } - - if(!get_domain_user_groups(p->mem_ctx, &num_groups, &gids, sam_pass)) { + + passwd = getpwnam_alloc(pdb_get_username(sam_pass)); + if (passwd == NULL) { pdb_free_sam(&sam_pass); - return NT_STATUS_NO_SUCH_GROUP; + return NT_STATUS_NO_SUCH_USER; } + + sids = NULL; + num_sids = 0; + + become_root(); + result = pdb_enum_group_memberships(pdb_get_username(sam_pass), + passwd->pw_gid, + &sids, &unix_gids, &num_groups); + unbecome_root(); + + pdb_free_sam(&sam_pass); + passwd_free(&passwd); + + if (!NT_STATUS_IS_OK(result)) + return result; + + SAFE_FREE(unix_gids); + + gids = NULL; + num_gids = 0; + + for (i=0; imem_ctx, gids, + sizeof(*gids) * (num_gids+1)); + gids[num_gids].attr=7; + gids[num_gids].g_rid = rid; + num_gids += 1; + } + SAFE_FREE(sids); /* construct the response. lkclXXXX: gids are not copied! */ init_samr_r_query_usergroups(r_u, num_groups, gids, r_u->status); DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); - pdb_free_sam(&sam_pass); - return r_u->status; } -- cgit From acf9d61421faa6c0055d57fdee7db300dc5431aa Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 7 Dec 2004 18:25:53 +0000 Subject: r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a) --- source3/rpc_server/srv_samr_nt.c | 81 ++++++++++++++++++---------------------- 1 file changed, 37 insertions(+), 44 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 0c52e859ca..5f74df420a 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
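Review bot: `_samr_query_usergroups` now builds `gids` with `num_gids` entries, but the unchanged call `init_samr_r_query_usergroups(r_u, num_groups, gids, r_u->status);` still passes `num_groups`, the number of SIDs returned by `pdb_enum_group_memberships`. If the loop skips any SID (a `continue` for this loop is visible in a later hunk on this page), the reply count exceeds the array length and the marshalling code would read past `gids`; pass `num_gids` instead. The `talloc_realloc` result is also used without a NULL check, so add `if (gids == NULL) { SAFE_FREE(sids); return NT_STATUS_NO_MEMORY; }` before `gids[num_gids].attr=7;`. The loop header is garbled in this rendering, and the function starts outside the hunk.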
@@ -137,7 +137,7 @@ static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) mem_ctx = talloc_init("samr_info for domain sid %s", sid_str); - if ((info = (struct samr_info *)talloc(mem_ctx, sizeof(struct samr_info))) == NULL) + if ((info = TALLOC_P(mem_ctx, struct samr_info)) == NULL) return NULL; ZERO_STRUCTP(info); @@ -255,8 +255,8 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask, BOO if (info->disp_info.num_user_account % MAX_SAM_ENTRIES == 0) { DEBUG(10,("load_sampwd_entries: allocating more memory\n")); - pwd_array=(SAM_ACCOUNT *)talloc_realloc(mem_ctx, info->disp_info.disp_user_info, - (info->disp_info.num_user_account+MAX_SAM_ENTRIES)*sizeof(SAM_ACCOUNT)); + pwd_array=TALLOC_REALLOC_ARRAY(mem_ctx, info->disp_info.disp_user_info, SAM_ACCOUNT, + info->disp_info.num_user_account+MAX_SAM_ENTRIES); if (pwd_array==NULL) return NT_STATUS_NO_MEMORY; @@ -322,7 +322,7 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) info->disp_info.num_group_account=group_entries; - grp_array=(DOMAIN_GRP *)talloc(mem_ctx, info->disp_info.num_group_account*sizeof(DOMAIN_GRP)); + grp_array=TALLOC_ARRAY(mem_ctx, DOMAIN_GRP, info->disp_info.num_group_account); if (group_entries!=0 && grp_array==NULL) { DEBUG(1, ("load_group_domain_entries: talloc() failed for grp_array!\n")); SAFE_FREE(map); @@ -716,9 +716,9 @@ static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UN if (num_entries == 0) return NT_STATUS_OK; - sam = (SAM_ENTRY *)talloc_zero(ctx, sizeof(SAM_ENTRY)*num_entries); + sam = TALLOC_ZERO_ARRAY(ctx, SAM_ENTRY, num_entries); - uni_name = (UNISTR2 *)talloc_zero(ctx, sizeof(UNISTR2)*num_entries); + uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_entries); if (sam == NULL || uni_name == NULL) { DEBUG(0, ("make_user_sam_entry_list: talloc_zero failed!\n")); 
@@ -871,9 +871,8 @@ static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNIST if (num_sam_entries == 0) return; - sam = (SAM_ENTRY *)talloc_zero(ctx, sizeof(SAM_ENTRY)*num_sam_entries); - - uni_name = (UNISTR2 *)talloc_zero(ctx, sizeof(UNISTR2)*num_sam_entries); + sam = TALLOC_ZERO_ARRAY(ctx, SAM_ENTRY, num_sam_entries); + uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_sam_entries); if (sam == NULL || uni_name == NULL) { DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n")); @@ -923,7 +922,7 @@ static NTSTATUS get_group_domain_entries( TALLOC_CTX *ctx, num_entries=max_entries; } - *d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP)); + *d_grp=TALLOC_ZERO_ARRAY(ctx, DOMAIN_GRP, num_entries); if (num_entries!=0 && *d_grp==NULL){ SAFE_FREE(map); return NT_STATUS_NO_MEMORY; @@ -969,7 +968,7 @@ static NTSTATUS get_alias_entries( TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, if (*p_num_entries == 0) return NT_STATUS_OK; - *d_grp = talloc(ctx, sizeof(DOMAIN_GRP) * (*p_num_entries)); + *d_grp = TALLOC_ARRAY(ctx, DOMAIN_GRP, *p_num_entries); if (*d_grp == NULL) { SAFE_FREE(info); @@ -1187,7 +1186,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, DEBUG(5, ("samr_reply_query_dispinfo: buffer size limits to only %d entries\n", max_entries)); } - if (!(ctr = (SAM_DISPINFO_CTR *)talloc_zero(p->mem_ctx,sizeof(SAM_DISPINFO_CTR)))) + if (!(ctr = TALLOC_ZERO_P(p->mem_ctx,SAM_DISPINFO_CTR))) return NT_STATUS_NO_MEMORY; ZERO_STRUCTP(ctr); @@ -1196,7 +1195,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, switch (q_u->switch_level) { case 0x1: if (max_entries) { - if (!(ctr->sam.info1 = (SAM_DISPINFO_1 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_1)))) + if (!(ctr->sam.info1 = TALLOC_ZERO_ARRAY(p->mem_ctx,SAM_DISPINFO_1,max_entries))) return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, max_entries, enum_context, 
@@ -1206,7 +1205,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, break; case 0x2: if (max_entries) { - if (!(ctr->sam.info2 = (SAM_DISPINFO_2 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_2)))) + if (!(ctr->sam.info2 = TALLOC_ZERO_ARRAY(p->mem_ctx,SAM_DISPINFO_2,max_entries))) return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, max_entries, enum_context, @@ -1216,7 +1215,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, break; case 0x3: if (max_entries) { - if (!(ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_3)))) + if (!(ctr->sam.info3 = TALLOC_ZERO_ARRAY(p->mem_ctx,SAM_DISPINFO_3,max_entries))) return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, max_entries, enum_context, info->disp_info.disp_group_info); @@ -1225,7 +1224,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, break; case 0x4: if (max_entries) { - if (!(ctr->sam.info4 = (SAM_DISPINFO_4 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_4)))) + if (!(ctr->sam.info4 = TALLOC_ZERO_ARRAY(p->mem_ctx,SAM_DISPINFO_4,max_entries))) return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, max_entries, enum_context, info->disp_info.disp_user_info); @@ -1234,7 +1233,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, break; case 0x5: if (max_entries) { - if (!(ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_5)))) + if (!(ctr->sam.info5 = TALLOC_ZERO_ARRAY(p->mem_ctx,SAM_DISPINFO_5,max_entries))) return NT_STATUS_NO_MEMORY; } disp_ret = init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, max_entries, enum_context, info->disp_info.disp_group_info); 
@@ -1512,11 +1511,11 @@ static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, fstring nam *pp_hdr_name = NULL; if (num_names != 0) { - hdr_name = (UNIHDR *)talloc_zero(ctx, sizeof(UNIHDR)*num_names); + hdr_name = TALLOC_ZERO_ARRAY(ctx, UNIHDR, num_names); if (hdr_name == NULL) return False; - uni_name = (UNISTR2 *)talloc_zero(ctx,sizeof(UNISTR2)*num_names); + uni_name = TALLOC_ZERO_ARRAY(ctx,UNISTR2, num_names); if (uni_name == NULL) return False; } @@ -1562,7 +1561,7 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK } if (num_rids) { - if ((group_attrs = (uint32 *)talloc_zero(p->mem_ctx, num_rids * sizeof(uint32))) == NULL) + if ((group_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids )) == NULL) return NT_STATUS_NO_MEMORY; } @@ -1854,7 +1853,7 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ DEBUG(5,("_samr_query_userinfo: sid:%s\n", sid_string_static(&info->sid))); - ctr = (SAM_USERINFO_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_USERINFO_CTR)); + ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_USERINFO_CTR); if (!ctr) return NT_STATUS_NO_MEMORY; @@ -1865,7 +1864,7 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ switch (q_u->switch_value) { case 0x10: - ctr->info.id10 = (SAM_USER_INFO_10 *)talloc_zero(p->mem_ctx, sizeof(SAM_USER_INFO_10)); + ctr->info.id10 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_10); if (ctr->info.id10 == NULL) return NT_STATUS_NO_MEMORY; @@ -1883,11 +1882,7 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ expire.low = 0xffffffff; expire.high = 0x7fffffff; - ctr->info.id = (SAM_USER_INFO_11 *)talloc_zero(p->mem_ctx, - sizeof - (*ctr-> - info. - id11)); + ctr->info.id = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_11)); ZERO_STRUCTP(ctr->info.id11); init_sam_user_info11(ctr->info.id11, &expire, "BROOKFIELDS$", /* name */ 
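Review bot: In the -1883 hunk the replacement line `ctr->info.id = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_11));` has one closing parenthesis too many, and it assigns to `ctr->info.id` while the next lines use `ctr->info.id11`. It probably went unnoticed because the block appears to be preprocessor-disabled (an `#endif` follows in the next hunk), but it will not compile if the block is re-enabled. Write `ctr->info.id11 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_11);` and check the result for NULL before `ZERO_STRUCTP`, as the neighbouring cases do.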
@@ -1900,7 +1895,7 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ #endif case 0x12: - ctr->info.id12 = (SAM_USER_INFO_12 *)talloc_zero(p->mem_ctx, sizeof(SAM_USER_INFO_12)); + ctr->info.id12 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_12); if (ctr->info.id12 == NULL) return NT_STATUS_NO_MEMORY; @@ -1909,7 +1904,7 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ break; case 20: - ctr->info.id20 = (SAM_USER_INFO_20 *)talloc_zero(p->mem_ctx,sizeof(SAM_USER_INFO_20)); + ctr->info.id20 = TALLOC_ZERO_P(p->mem_ctx,SAM_USER_INFO_20); if (ctr->info.id20 == NULL) return NT_STATUS_NO_MEMORY; if (!NT_STATUS_IS_OK(r_u->status = get_user_info_20(p->mem_ctx, ctr->info.id20, &info->sid))) @@ -1917,7 +1912,7 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ break; case 21: - ctr->info.id21 = (SAM_USER_INFO_21 *)talloc_zero(p->mem_ctx,sizeof(SAM_USER_INFO_21)); + ctr->info.id21 = TALLOC_ZERO_P(p->mem_ctx,SAM_USER_INFO_21); if (ctr->info.id21 == NULL) return NT_STATUS_NO_MEMORY; if (!NT_STATUS_IS_OK(r_u->status = get_user_info_21(p->mem_ctx, ctr->info.id21, @@ -2025,8 +2020,7 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S &(sids[i]), &rid)) continue; - gids = talloc_realloc(p->mem_ctx, gids, - sizeof(*gids) * (num_gids+1)); + gids = TALLOC_REALLOC_ARRAY(p->mem_ctx, gids, DOM_GID, num_gids+1); gids[num_gids].attr=7; gids[num_gids].g_rid = rid; num_gids += 1; @@ -2064,7 +2058,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA uint32 num_users=0, num_groups=0, num_aliases=0; - if ((ctr = (SAM_UNK_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL) + if ((ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_CTR)) == NULL) return NT_STATUS_NO_MEMORY; ZERO_STRUCTP(ctr); 
@@ -2549,8 +2543,8 @@ static BOOL make_enum_domains(TALLOC_CTX *ctx, SAM_ENTRY **pp_sam, if (num_sam_entries == 0) return True; - sam = (SAM_ENTRY *)talloc_zero(ctx, sizeof(SAM_ENTRY)*num_sam_entries); - uni_name = (UNISTR2 *)talloc_zero(ctx, sizeof(UNISTR2)*num_sam_entries); + sam = TALLOC_ZERO_ARRAY(ctx, SAM_ENTRY, num_sam_entries); + uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_sam_entries); if (sam == NULL || uni_name == NULL) return False; @@ -3193,7 +3187,7 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, !sid_check_is_builtin(&info->sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - members = talloc(p->mem_ctx, sizeof(DOM_SID) * q_u->num_sids1); + members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, q_u->num_sids1); if (members == NULL) return NT_STATUS_NO_MEMORY; @@ -3219,8 +3213,7 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, if (!sid_peek_check_rid(&info->sid, &aliases[i], &rid)) continue; - rids = talloc_realloc(p->mem_ctx, rids, - sizeof(*rids) * (num_groups+1)); + rids = TALLOC_REALLOC_ARRAY(p->mem_ctx, rids, uint32, num_groups+1); if (rids == NULL) return NT_STATUS_NO_MEMORY; @@ -3264,7 +3257,7 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ if (!pdb_enum_aliasmem(&alias_sid, &sids, &num_sids)) return NT_STATUS_NO_SUCH_ALIAS; - sid = (DOM_SID2 *)talloc_zero(p->mem_ctx, sizeof(DOM_SID2) * num_sids); + sid = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_SID2, num_sids); if (num_sids!=0 && sid == NULL) { SAFE_FREE(sids); return NT_STATUS_NO_MEMORY; @@ -3290,7 +3283,7 @@ static void add_uid_to_array_unique(uid_t uid, uid_t **uids, int *num) return; } - *uids = Realloc(*uids, (*num+1) * sizeof(uid_t)); + *uids = SMB_REALLOC_ARRAY(*uids, uid_t, *num+1); if (*uids == NULL) return; 
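Review bot: In the `add_uid_to_array_unique` hunk (-3290), a failed `SMB_REALLOC_ARRAY` leaves `*uids` NULL while `*num` keeps its old value, and the function returns `void`. The caller is left with a non-zero count and no array, and cannot tell that anything went wrong. Reset the count on that path, `if (*uids == NULL) { *num = 0; return; }`, and consider returning a status so `get_memberuids` can report the failure instead of handing a short or empty member list to the RPC reply. The rest of the function lies outside the hunk.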
@@ -3387,8 +3380,8 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ if(!get_memberuids(gid, &uids, &num)) return NT_STATUS_NO_SUCH_GROUP; - rid=talloc_zero(p->mem_ctx, sizeof(uint32)*num); - attr=talloc_zero(p->mem_ctx, sizeof(uint32)*num); + rid=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num); + attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num); if (num!=0 && (rid==NULL || attr==NULL)) return NT_STATUS_NO_MEMORY; @@ -3978,7 +3971,7 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM if (!ret) return NT_STATUS_INVALID_HANDLE; - ctr=(GROUP_INFO_CTR *)talloc_zero(p->mem_ctx, sizeof(GROUP_INFO_CTR)); + ctr=TALLOC_ZERO_P(p->mem_ctx, GROUP_INFO_CTR); if (ctr==NULL) return NT_STATUS_NO_MEMORY; @@ -4309,7 +4302,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW uint32 account_policy_temp; - if ((ctr = (SAM_UNK_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL) + if ((ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_CTR)) == NULL) return NT_STATUS_NO_MEMORY; ZERO_STRUCTP(ctr); -- cgit From 4027c4088b0e5e4d6f87781a44f8703c62f24027 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 15 Dec 2004 13:13:15 +0000 Subject: r4219: Fix samba3 samr "idl"... According to samba4 idl samr_DomInfo2 contains a comment string and not an unknown 12 byte structure... Found after abartlet's smbtorture extended this string to "Tortured by Samba4: Fri Nov 26 15:40:18 2004 CET" ;-)) Volker (This used to be commit b41d94d8186f66136918432cf32e9dcef5a8bd12) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 5f74df420a..b094a5f30b 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -2115,7 +2115,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA free_samr_db(info); /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */ - init_unk_info2(&ctr->info.inf2, lp_workgroup(), global_myname(), (uint32) time(NULL), + init_unk_info2(&ctr->info.inf2, "", lp_workgroup(), global_myname(), (uint32) time(NULL), num_users, num_groups, num_aliases); break; case 0x03: -- cgit From 390685ca143cb466e7dc13827e951194e35d4a0d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 15 Dec 2004 14:23:15 +0000 Subject: r4222: Always compile before commit... (This used to be commit 0f26ba5226fab5b86031a0df6fba16b8e6af6e7d) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b094a5f30b..771e8c71e3 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4358,7 +4358,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW free_samr_db(info); /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */ - init_unk_info2(&ctr->info.inf2, lp_workgroup(), global_myname(), (uint32) time(NULL), + init_unk_info2(&ctr->info.inf2, "", lp_workgroup(), global_myname(), (uint32) time(NULL), num_users, num_groups, num_aliases); break; case 0x03: -- cgit From 9aba116607c0b85a371c3556a6483bc662c769a3 Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Wed, 22 Dec 2004 16:58:43 +0000 Subject: r4331: Implement SAMR query_dom_info-call info-level 8 server- and client-side, based on samba4-idl. This saves us an enormous amount of totally unnecessary ldap-traffic when several hundreds of winbind-daemons query a Samba3 DC just to get the fake SAM-sequence-number (time(NULL)) by enumerating all users, all groups and all aliases when query-dom-info level 2 is used. Note that we apparently never get the sequence number right (we parse a uint32, although it's a uint64, at least in samba4 idl). For the time being, I would propose to stay with that behaviour. Guenther (This used to be commit f9ab15a986626581000d4b93961184c501f36b93) --- source3/rpc_server/srv_samr_nt.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 771e8c71e3..5d7cd84390 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2133,6 +2133,9 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA case 0x07: init_unk_info7(&ctr->info.inf7); break; + case 0x08: + init_unk_info8(&ctr->info.inf8, (uint32) time(NULL)); + break; case 0x0c: account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); u_lock_duration = account_policy_temp * 60; -- cgit From 8222f958d15256a62712710c9c9a159106746d8b Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 22 Dec 2004 23:50:31 +0000 Subject: r4336: Apply some other samba4 SAMR idl that is just too obvious. Don't hard set the value "forcibly disconnect remote users from server when logon hours expire" to "no", instead take the value from our account-policy storage. Guenther (This used to be commit e3bd2a22a5cebc4adf6910d3ec31bc6fada8cd35) --- source3/rpc_server/srv_samr_nt.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 5d7cd84390..8219e689f0 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2113,10 +2113,15 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA } num_groups=info->disp_info.num_group_account; free_samr_db(info); - + + account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); + u_logout = account_policy_temp; + + unix_to_nt_time_abs(&nt_logout, u_logout); + /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */ init_unk_info2(&ctr->info.inf2, "", lp_workgroup(), global_myname(), (uint32) time(NULL), - num_users, num_groups, num_aliases); + num_users, num_groups, num_aliases, nt_logout); break; case 0x03: account_policy_get(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout); @@ -4360,9 +4365,14 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW num_groups=info->disp_info.num_group_account; free_samr_db(info); + account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); + u_logout = account_policy_temp; + + unix_to_nt_time_abs(&nt_logout, u_logout); + /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */ init_unk_info2(&ctr->info.inf2, "", lp_workgroup(), global_myname(), (uint32) time(NULL), - num_users, num_groups, num_aliases); + num_users, num_groups, num_aliases, nt_logout); break; case 0x03: account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); -- cgit From e15e7a5f1fc8dfc2e49045f63813d29eb73450e5 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 23 Dec 2004 09:36:49 +0000 Subject: r4343: forgot to add info-level 8 to SAMR_UNKNOWN_2E as well. Guenther (This used to be commit 5e6ce9a6e3d62190da5427ed7b5e2f2ac22a0c34) --- source3/rpc_server/srv_samr_nt.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 8219e689f0..820c8e7a3c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4391,6 +4391,9 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW case 0x07: init_unk_info7(&ctr->info.inf7); break; + case 0x08: + init_unk_info8(&ctr->info.inf8, (uint32) time(NULL)); + break; case 0x0c: account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); u_lock_duration = account_policy_temp * 60; -- cgit From be606e8eeb0a419189bd8f44975c80e182474993 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 6 Jan 2005 23:27:28 +0000 Subject: r4579: small changes to allow the members og the Domain Admins group on the Samba DC to join clients to the domain -- needs more testing and security review but does work with initial testing (This used to be commit 9ade9bf49c7125fb29658f943e9ebb6be9496180) --- source3/rpc_server/srv_samr_nt.c | 198 ++++++++++++++++++++++++++------------- 1 file changed, 134 insertions(+), 64 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 820c8e7a3c..e72cf68c74 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -8,7 +8,7 @@ * Copyright (C) Jeremy Allison 2001-2002, * Copyright (C) Jean François Micouleau 1998-2001, * Copyright (C) Jim McDonough 2002, - * Copyright (C) Gerald (Jerry) Carter 2003, + * Copyright (C) Gerald (Jerry) Carter 2003 - 2004, * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
@@ -450,11 +450,10 @@ NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size) { extern DOM_SID global_sid_World; - DOM_SID adm_sid; - DOM_SID act_sid; - - SEC_ACE ace[3]; + DOM_SID adm_sid, act_sid, domadmin_sid; + SEC_ACE ace[4]; SEC_ACCESS mask; + size_t i = 0; SEC_ACL *psa = NULL; @@ -466,14 +465,24 @@ static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd /*basic access for every one*/ init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_EXECUTE | GENERIC_RIGHTS_DOMAIN_READ); - init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); /*full access for builtin aliases Administrators and Account Operators*/ + init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS); - init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[i++], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + /* add domain admins if we are a DC */ + + if ( IS_DC ) { + sid_copy( &domadmin_sid, get_global_sam_sid() ); + sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS ); + init_sec_ace(&ace[i++], &domadmin_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + } - if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL) + if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL) return NT_STATUS_NO_MEMORY; if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL) 
@@ -489,10 +498,10 @@ static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size, DOM_SID *usr_sid) { extern DOM_SID global_sid_World; - DOM_SID adm_sid; - DOM_SID act_sid; + DOM_SID adm_sid, act_sid, domadmin_sid; + size_t i = 0; - SEC_ACE ace[4]; + SEC_ACE ace[5]; SEC_ACCESS mask; SEC_ACL *psa = NULL; @@ -504,17 +513,28 @@ static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); /*basic access for every one*/ + init_sec_access(&mask, GENERIC_RIGHTS_USER_EXECUTE | GENERIC_RIGHTS_USER_READ); - init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); /*full access for builtin aliases Administrators and Account Operators*/ + init_sec_access(&mask, GENERIC_RIGHTS_USER_ALL_ACCESS); - init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[i++], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + /* add domain admins if we are a DC */ + + if ( IS_DC ) { + sid_copy( &domadmin_sid, get_global_sam_sid() ); + sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS ); + init_sec_ace(&ace[i++], &domadmin_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + } /*extended access for the user*/ + init_sec_access(&mask,READ_CONTROL_ACCESS | SA_RIGHT_USER_CHANGE_PASSWORD | SA_RIGHT_USER_SET_LOC_COM); - init_sec_ace(&ace[3], usr_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[i++], usr_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 4, ace)) == NULL) return NT_STATUS_NO_MEMORY; 
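Review bot: The `make_sec_acl(ctx, NT4_ACL_REVISION, 4, ace)` call at the end of the second samr_make_usr_obj_sd hunk still passes a fixed count of 4, although the array is now `ace[5]` and is filled through `i++`. When `IS_DC` is true five entries are written, so the ACL would stop before the last one, which is the user's own ACE carrying `SA_RIGHT_USER_CHANGE_PASSWORD`. samr_make_dom_obj_sd in the same commit already passes the counter, and the same is needed here: `if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)`. The function body continues past the hunk.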
@@ -2193,6 +2213,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA uint32 new_rid = 0; /* check this, when giving away 'add computer to domain' privs */ uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS; + BOOL is_domain_admin = False; /* Get the domain SID stored in the domain policy */ if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted)) @@ -2216,6 +2237,13 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA rpcstr_pull(account, user_account.buffer, sizeof(account), user_account.uni_str_len*2, 0); strlower_m(account); + + /* check to see if we are a domain admin */ + + is_domain_admin = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); + + DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n", + p->pipe_user_name, is_domain_admin ? "" : " not")); pdb_init_sam(&sam_pass); 
@@ -2235,35 +2263,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA * *NOT* surrounded by a become_root()/unbecome_root() call. This ensures * that only people with write access to the smbpasswd file will be able * to create a user. JRA. - */ - - /* - * add the user in the /etc/passwd file or the unix authority system. - * We don't check if the smb_create_user() function succed or not for 2 reasons: - * a) local_password_change() checks for us if the /etc/passwd account really exists - * b) smb_create_user() would return an error if the account already exists - * and as it could return an error also if it can't create the account, it would be tricky. - * - * So we go the easy way, only check after if the account exists. - * JFM (2/3/2001), to clear any possible bad understanding (-: - * - * We now have seperate script paramaters for adding users/machines so we - * now have some sainity-checking to match. - */ - - DEBUG(10,("checking account %s at pos %lu for $ termination\n",account, (unsigned long)strlen(account)-1)); - - /* - * we used to have code here that made sure the acb_info flags - * matched with the users named (e.g. an account flags as a machine - * trust account ended in '$'). It has been ifdef'd out for a long - * time, so I replaced it with this comment. --jerry - */ - - /* the passdb lookup has failed; check to see if we need to run the - add user/machine script */ - - pw = Get_Pwnam(account); + */ /********************************************************************* * HEADS UP! If we have to create a new user account, we have to get 
@@ -2276,6 +2276,13 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA * --jerry (2003-07-10) *********************************************************************/ + pw = Get_Pwnam(account); + + /* ================ BEGIN DOMAIN ADMIN BLOCK ================ */ + + if ( is_domain_admin ) + become_root(); + if ( !pw ) { /* * we can't check both the ending $ and the acb_info. @@ -2307,12 +2314,22 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA /* implicit call to getpwnam() next. we have a valid SID coming out of this call */ - if ( !NT_STATUS_IS_OK(nt_status = pdb_init_sam_new(&sam_pass, account, new_rid)) ) + if ( !NT_STATUS_IS_OK(nt_status = pdb_init_sam_new(&sam_pass, account, new_rid)) ) { + if ( is_domain_admin ) + unbecome_root(); return nt_status; + } pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED); - if (!pdb_add_sam_account(sam_pass)) { + ret = pdb_add_sam_account(sam_pass); + + if ( is_domain_admin ) + unbecome_root(); + + /* ================ END DOMAIN ADMIN BLOCK ================ */ + + if ( !ret ) { pdb_free_sam(&sam_pass); DEBUG(0, ("could not add user/computer %s to passdb. Check permissions?\n", account)); @@ -2320,13 +2337,16 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA } /* Get the user's SID */ + sid_copy(&sid, pdb_get_user_sid(sam_pass)); samr_make_usr_obj_sd(p->mem_ctx, &psd, &sd_size, &sid); se_map_generic(&des_access, &usr_generic_mapping); - if (!NT_STATUS_IS_OK(nt_status = - access_check_samr_object(psd, p->pipe_user.nt_user_token, - des_access, &acc_granted, "_samr_create_user"))) { + + nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + des_access, &acc_granted, "_samr_create_user"); + + if ( !NT_STATUS_IS_OK(nt_status) ) { return nt_status; } 
@@ -3011,6 +3031,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE SAM_USERINFO_CTR *ctr = q_u->ctr; uint32 acc_granted; uint32 acc_required; + BOOL is_domain_admin; DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__)); @@ -3020,7 +3041,17 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */ + /* the access mask depends on what the caller wants to do */ + + switch (switch_value) { + case 24: + acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY; + break; + default: + acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */ + break; + } + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) { return r_u->status; } 
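Review bot: The new `switch (switch_value)` that picks `acc_required` raises the mask only for level 24, so level 23 still passes with `SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES`. The later hunks of this commit show level 23 decoding `ctr->info.id23->pass` and calling `set_user_info_23()`. If that level can set a password, it should require `SA_RIGHT_USER_SET_PASSWORD` as well, for example by adding `case 23:` directly above `case 24:`. The default branch, marked `/* This is probably wrong */`, would benefit from a comment listing which info levels it is meant to cover. _samr_set_userinfo starts and ends outside these hunks.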
@@ -3032,23 +3063,36 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE return NT_STATUS_INVALID_INFO_CLASS; } + /* check to see if we are a domain admin */ + + is_domain_admin = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); + + DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n", + p->pipe_user_name, is_domain_admin ? "" : " not")); + + /* ================ BEGIN DOMAIN ADMIN BLOCK ================ */ + + if ( is_domain_admin ) + become_root(); + /* ok! user info levels (lots: see MSDEV help), off we go... */ + switch (switch_value) { case 0x12: if (!set_user_info_12(ctr->info.id12, &sid)) - return NT_STATUS_ACCESS_DENIED; + r_u->status = NT_STATUS_ACCESS_DENIED; break; case 24: if (!p->session_key.length) { - return NT_STATUS_NO_USER_SESSION_KEY; + r_u->status = NT_STATUS_NO_USER_SESSION_KEY; } SamOEMhashBlob(ctr->info.id24->pass, 516, &p->session_key); dump_data(100, (char *)ctr->info.id24->pass, 516); if (!set_user_info_pw((char *)ctr->info.id24->pass, &sid)) - return NT_STATUS_ACCESS_DENIED; + r_u->status = NT_STATUS_ACCESS_DENIED; break; case 25: 
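Review bot: In `case 24` the missing-session-key check no longer stops processing, because `r_u->status = NT_STATUS_NO_USER_SESSION_KEY;` replaces the `return`. Control then continues into `SamOEMhashBlob()` and `set_user_info_pw()` with a zero-length `p->session_key`, possibly inside the new `become_root()` region. Nothing visible resets the status afterwards, so a successful set would still be reported as an error while the password has changed. The same pattern is in `case 23` and in the disabled `case 25` code in the following hunk. Each check needs to leave the switch so that `unbecome_root()` still runs, e.g. `if (!p->session_key.length) { r_u->status = NT_STATUS_NO_USER_SESSION_KEY; break; }`; the function starts and ends outside this hunk.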
@@ -3062,34 +3106,41 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE */ if (!p->session_key.length) { - return NT_STATUS_NO_USER_SESSION_KEY; + r_u->status = NT_STATUS_NO_USER_SESSION_KEY; } SamOEMhashBlob(ctr->info.id25->pass, 532, &p->session_key); dump_data(100, (char *)ctr->info.id25->pass, 532); if (!set_user_info_pw(ctr->info.id25->pass, &sid)) - return NT_STATUS_ACCESS_DENIED; + r_u->status = NT_STATUS_ACCESS_DENIED; break; #endif - return NT_STATUS_INVALID_INFO_CLASS; + r_u->status = NT_STATUS_INVALID_INFO_CLASS; + break; case 23: if (!p->session_key.length) { - return NT_STATUS_NO_USER_SESSION_KEY; + r_u->status = NT_STATUS_NO_USER_SESSION_KEY; } SamOEMhashBlob(ctr->info.id23->pass, 516, &p->session_key); dump_data(100, (char *)ctr->info.id23->pass, 516); if (!set_user_info_23(ctr->info.id23, &sid)) - return NT_STATUS_ACCESS_DENIED; + r_u->status = NT_STATUS_ACCESS_DENIED; break; default: - return NT_STATUS_INVALID_INFO_CLASS; + r_u->status = NT_STATUS_INVALID_INFO_CLASS; } + + if ( is_domain_admin ) + unbecome_root(); + + /* ================ END DOMAIN ADMIN BLOCK ================ */ + return r_u->status; } @@ -3105,6 +3156,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ uint16 switch_value = q_u->switch_value; uint32 acc_granted; uint32 acc_required; + BOOL is_domain_admin; DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__)); 
@@ -3128,7 +3180,20 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ switch_value=ctr->switch_value; + /* check to see if we are a domain admin */ + + is_domain_admin = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); + + DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n", + p->pipe_user_name, is_domain_admin ? "" : " not")); + + /* ================ BEGIN DOMAIN ADMIN BLOCK ================ */ + + if ( is_domain_admin ) + become_root(); + /* ok! user info levels (lots: see MSDEV help), off we go... */ + switch (switch_value) { case 21: if (!set_user_info_21(ctr->info.id21, &sid)) @@ -3136,21 +3201,26 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ break; case 20: if (!set_user_info_20(ctr->info.id20, &sid)) - return NT_STATUS_ACCESS_DENIED; + r_u->status = NT_STATUS_ACCESS_DENIED; break; case 16: if (!set_user_info_10(ctr->info.id10, &sid)) - return NT_STATUS_ACCESS_DENIED; + r_u->status = NT_STATUS_ACCESS_DENIED; break; case 18: /* Used by AS/U JRA. */ if (!set_user_info_12(ctr->info.id12, &sid)) - return NT_STATUS_ACCESS_DENIED; + r_u->status = NT_STATUS_ACCESS_DENIED; break; default: - return NT_STATUS_INVALID_INFO_CLASS; + r_u->status = NT_STATUS_INVALID_INFO_CLASS; } + if ( is_domain_admin ) + unbecome_root(); + + /* ================ END DOMAIN ADMIN BLOCK ================ */ + return r_u->status; } -- cgit From a9928f0d95670b0e770fc9e8b7673bc863c1253b Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 10 Jan 2005 15:28:07 +0000 Subject: r4646: Allow Account Lockout with Lockout Duration "forever" (until admin unlocks) to be set and displayed in User Manager. Guenther (This used to be commit 8fd7e26fa12a4102def630efa421fad70f3affb1) --- source3/rpc_server/srv_samr_nt.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
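Review bot: `case 21` of _samr_set_userinfo2 appears to keep its early `return`: the statement after `if (!set_user_info_21(ctr->info.id21, &sid))` falls in the one-line gap between the two hunks (old line 3135), and every other case was converted to `r_u->status = ...`. If that line is still `return NT_STATUS_ACCESS_DENIED;`, a failing `set_user_info_21()` returns after `become_root()` without reaching `unbecome_root()`, and the process keeps root credentials for whatever it handles next. It should read `r_u->status = NT_STATUS_ACCESS_DENIED;` like cases 20, 16 and 18. The added DEBUG line also names `_samr_create_user`, which will mislead anyone reading the log for this call.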
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e72cf68c74..da1c386fd2 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2163,7 +2163,9 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA break; case 0x0c: account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); - u_lock_duration = account_policy_temp * 60; + u_lock_duration = account_policy_temp; + if (u_lock_duration != -1) + u_lock_duration *= 60; account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp); u_reset_time = account_policy_temp * 60; @@ -4466,7 +4468,9 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW break; case 0x0c: account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); - u_lock_duration = account_policy_temp * 60; + u_lock_duration = account_policy_temp; + if (u_lock_duration != -1) + u_lock_duration *= 60; account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp); u_reset_time = account_policy_temp * 60; @@ -4534,7 +4538,9 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R case 0x07: break; case 0x0c: - u_lock_duration=nt_time_to_unix_abs(&q_u->ctr->info.inf12.duration)/60; + u_lock_duration=nt_time_to_unix_abs(&q_u->ctr->info.inf12.duration); + if (u_lock_duration != -1) + u_lock_duration /= 60; u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count)/60; account_policy_set(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration); -- cgit From d94d87472ca2f3875caa146424caa178ce20274f Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Thu, 13 Jan 2005 18:20:37 +0000 Subject: r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c) --- source3/rpc_server/srv_samr_nt.c | 44 ++++++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 22 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index da1c386fd2..271553f4b2 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2215,7 +2215,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA uint32 new_rid = 0; /* check this, when giving away 'add computer to domain' privs */ uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS; - BOOL is_domain_admin = False; + BOOL can_add_machines = False; /* Get the domain SID stored in the domain policy */ if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted)) 
@@ -2242,10 +2242,10 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA /* check to see if we are a domain admin */ - is_domain_admin = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); + can_add_machines = user_has_privilege( p->pipe_user.nt_user_token, SE_MACHINE_ACCOUNT ); DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n", - p->pipe_user_name, is_domain_admin ? "" : " not")); + p->pipe_user_name, can_add_machines ? "" : " not")); pdb_init_sam(&sam_pass); @@ -2280,9 +2280,9 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA pw = Get_Pwnam(account); - /* ================ BEGIN DOMAIN ADMIN BLOCK ================ */ + /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */ - if ( is_domain_admin ) + if ( can_add_machines ) become_root(); if ( !pw ) { @@ -2317,7 +2317,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA /* implicit call to getpwnam() next. we have a valid SID coming out of this call */ if ( !NT_STATUS_IS_OK(nt_status = pdb_init_sam_new(&sam_pass, account, new_rid)) ) { - if ( is_domain_admin ) + if ( can_add_machines ) unbecome_root(); return nt_status; } @@ -2326,10 +2326,10 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA ret = pdb_add_sam_account(sam_pass); - if ( is_domain_admin ) + if ( can_add_machines ) unbecome_root(); - /* ================ END DOMAIN ADMIN BLOCK ================ */ + /* ================ END SeMachineAccountPrivilege BLOCK ================ */ if ( !ret ) { pdb_free_sam(&sam_pass); @@ -3033,7 +3033,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE SAM_USERINFO_CTR *ctr = q_u->ctr; uint32 acc_granted; uint32 acc_required; - BOOL is_domain_admin; + BOOL can_add_machines; DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__)); 
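Review bot: The comment and DEBUG text in the _samr_create_user hunk at new line 2242 still say `check to see if we are a domain admin` and `is%s a member of the Domain Admins group`, but the value logged is now the result of `user_has_privilege( ..., SE_MACHINE_ACCOUNT )`. Anyone auditing why a request ran inside the `become_root()` block would read a group membership that was never tested. I would change the format string to `"_samr_create_user: %s does%s have SeMachineAccountPrivilege\n"` and update the comment to match. The same stale text, still prefixed `_samr_create_user`, is in the _samr_set_userinfo and _samr_set_userinfo2 hunks that follow.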
@@ -3067,14 +3067,14 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE /* check to see if we are a domain admin */ - is_domain_admin = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); + can_add_machines = user_has_privilege( p->pipe_user.nt_user_token, SE_MACHINE_ACCOUNT ); DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n", - p->pipe_user_name, is_domain_admin ? "" : " not")); + p->pipe_user_name, can_add_machines ? "" : " not")); - /* ================ BEGIN DOMAIN ADMIN BLOCK ================ */ + /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */ - if ( is_domain_admin ) + if ( can_add_machines ) become_root(); /* ok! user info levels (lots: see MSDEV help), off we go... */ @@ -3138,10 +3138,10 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE } - if ( is_domain_admin ) + if ( can_add_machines ) unbecome_root(); - /* ================ END DOMAIN ADMIN BLOCK ================ */ + /* ================ END SeMachineAccountPrivilege BLOCK ================ */ return r_u->status; } @@ -3158,7 +3158,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ uint16 switch_value = q_u->switch_value; uint32 acc_granted; uint32 acc_required; - BOOL is_domain_admin; + BOOL can_add_machines; DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__)); 
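Review bot: In the _samr_set_userinfo hunk at new line 3067, `can_add_machines` gates `become_root()` for every info level the switch handles, on whichever account the handle's SID names, not only on machine trust accounts. The hunk shows no test of the target's account flags, so a caller holding SeMachineAccountPrivilege whose handle passed the earlier `access_check_samr_function()` gets the passdb write performed as root for ordinary user accounts too. Consider elevating only when the target account carries `ACB_WSTRUST`, and leaving other accounts to the caller's own credentials; that lookup would have to be added, as it is not in the hunk. _samr_set_userinfo2 in the next hunk has the same shape, and both functions start and end outside their hunks.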
@@ -3184,14 +3184,14 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ /* check to see if we are a domain admin */ - is_domain_admin = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); + can_add_machines = user_has_privilege( p->pipe_user.nt_user_token, SE_MACHINE_ACCOUNT ); DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n", - p->pipe_user_name, is_domain_admin ? "" : " not")); + p->pipe_user_name, can_add_machines ? "" : " not")); - /* ================ BEGIN DOMAIN ADMIN BLOCK ================ */ + /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */ - if ( is_domain_admin ) + if ( can_add_machines ) become_root(); /* ok! user info levels (lots: see MSDEV help), off we go... */ @@ -3218,10 +3218,10 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ r_u->status = NT_STATUS_INVALID_INFO_CLASS; } - if ( is_domain_admin ) + if ( can_add_machines ) unbecome_root(); - /* ================ END DOMAIN ADMIN BLOCK ================ */ + /* ================ END SeMachineAccountPrivilege BLOCK ================ */ return r_u->status; } -- cgit From c3ba8b9a53617c75ffbcfa8ef32044cb1691d693 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 14 Jan 2005 19:26:13 +0000 Subject: r4736: small set of merges from rtunk to minimize the diffs (This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 271553f4b2..4c3f95fe6b 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -75,7 +75,7 @@ static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd level of access for further checks. ********************************************************************/ -NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, uint32 des_access, +static NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, uint32 des_access, uint32 *acc_granted, const char *debug) { NTSTATUS status = NT_STATUS_ACCESS_DENIED; @@ -100,7 +100,7 @@ NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, u Checks if access to a function can be granted ********************************************************************/ -NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug) +static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug) { DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n", debug, acc_granted, acc_required)); -- cgit From 46e5effea948931509283cb84b27007d34b521c8 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 17 Jan 2005 15:23:11 +0000 Subject: r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15) --- source3/rpc_server/srv_samr_nt.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 4c3f95fe6b..515eefb1fa 100644 --- a/source3/rpc_server/srv_samr_nt.c 
+++ b/source3/rpc_server/srv_samr_nt.c @@ -2216,6 +2216,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA /* check this, when giving away 'add computer to domain' privs */ uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS; BOOL can_add_machines = False; + SE_PRIV se_machineop = SE_MACHINE_ACCOUNT; /* Get the domain SID stored in the domain policy */ if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted)) @@ -2242,7 +2243,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA /* check to see if we are a domain admin */ - can_add_machines = user_has_privilege( p->pipe_user.nt_user_token, SE_MACHINE_ACCOUNT ); + can_add_machines = user_has_privileges( p->pipe_user.nt_user_token, &se_machineop ); DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n", p->pipe_user_name, can_add_machines ? "" : " not")); @@ -3034,6 +3035,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE uint32 acc_granted; uint32 acc_required; BOOL can_add_machines; + SE_PRIV se_machineop = SE_MACHINE_ACCOUNT; DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__)); @@ -3067,7 +3069,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE /* check to see if we are a domain admin */ - can_add_machines = user_has_privilege( p->pipe_user.nt_user_token, SE_MACHINE_ACCOUNT ); + can_add_machines = user_has_privileges( p->pipe_user.nt_user_token, &se_machineop ); DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n", p->pipe_user_name, can_add_machines ? "" : " not")); @@ -3159,6 +3161,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ uint32 acc_granted; uint32 acc_required; BOOL can_add_machines; + SE_PRIV se_machineop = SE_MACHINE_ACCOUNT; DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__)); 
@@ -3184,7 +3187,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ /* check to see if we are a domain admin */ - can_add_machines = user_has_privilege( p->pipe_user.nt_user_token, SE_MACHINE_ACCOUNT ); + can_add_machines = user_has_privileges( p->pipe_user.nt_user_token, &se_machineop ); DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n", p->pipe_user_name, can_add_machines ? "" : " not")); -- cgit From 1ed62fde09f382342a396a047975fdeeea7113bb Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 19 Jan 2005 16:13:26 +0000 Subject: r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries(). This allows the ldap-backend to search much more effeciently. Machines will be searched in the ldap_machine_suffix and users in the ldap_users_suffix. (Note that we already use the ldap_group_suffix in ldapsam_setsamgrent for quite some time). Using the specific ldap-bases becomes notably important in large domains: On my testmachine "net rpc trustdom list" has to search through 40k accounts just to list 3 interdomain-trust-accounts, similiar effects show up the non-user query_dispinfo-calls, etc. Also renamed all_machines to only_machines in load_sampwd_entries() since that reflects better what is really meant. Guenther (This used to be commit 6394257cc721ca739bda0e320375f04506913533) --- source3/rpc_server/srv_samr_nt.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 515eefb1fa..70c0de7da7 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -56,7 +56,7 @@ struct samr_info { uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */ uint32 acc_granted; uint16 acb_mask; - BOOL all_machines; + BOOL only_machines; DISP_INFO disp_info; TALLOC_CTX *mem_ctx; 
@@ -209,34 +209,40 @@ static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass) } -static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask, BOOL all_machines) +static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask, BOOL only_machines) { SAM_ACCOUNT *pwd = NULL; SAM_ACCOUNT *pwd_array = NULL; NTSTATUS nt_status = NT_STATUS_OK; TALLOC_CTX *mem_ctx = info->mem_ctx; + uint16 query_acb_mask = acb_mask; DEBUG(10,("load_sampwd_entries\n")); /* if the snapshoot is already loaded, return */ if ((info->disp_info.user_dbloaded==True) && (info->acb_mask == acb_mask) - && (info->all_machines == all_machines)) { + && (info->only_machines == only_machines)) { DEBUG(10,("load_sampwd_entries: already in memory\n")); return NT_STATUS_OK; } free_samr_users(info); + + if (only_machines) { + query_acb_mask |= ACB_WSTRUST; + query_acb_mask |= ACB_SVRTRUST; + } - if (!pdb_setsampwent(False)) { + if (!pdb_setsampwent(False, query_acb_mask)) { DEBUG(0, ("load_sampwd_entries: Unable to open passdb.\n")); return NT_STATUS_ACCESS_DENIED; } for (; (NT_STATUS_IS_OK(nt_status = pdb_init_sam_talloc(mem_ctx, &pwd))) && pdb_getsampwent(pwd) == True; pwd=NULL) { - - if (all_machines) { + + if (only_machines) { if (!((pdb_get_acct_ctrl(pwd) & ACB_WSTRUST) || (pdb_get_acct_ctrl(pwd) & ACB_SVRTRUST))) { DEBUG(5,("load_sampwd_entries: '%s' is not a machine account - ACB: %x - skipping\n", pdb_get_username(pwd), acb_mask)); @@ -277,7 +283,7 @@ static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask, BOO /* the snapshoot is in memory, we're ready to enumerate fast */ info->acb_mask = acb_mask; - info->all_machines = all_machines; + info->only_machines = only_machines; info->disp_info.user_dbloaded=True; DEBUG(10,("load_sampwd_entries: done\n")); -- cgit From b3757eadf05a4e47a5cd19049ee2c5eecf140c37 Mon Sep 17 00:00:00 2001 
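Review bot: The new second argument to `pdb_setsampwent()` has no stated matching rule, yet the `only_machines` branch ORs both `ACB_WSTRUST` and `ACB_SVRTRUST` into `query_acb_mask`, which is only correct if a backend matches accounts carrying any of the bits. A backend that required all bits would hand back no machine accounts at all, so the contract should be written down above the two `|=` lines, e.g. `/* backend filter: match accounts with ANY of these ACB bits; the loop below re-checks */` if that is the intended rule. The skip message in the loop prints `acb_mask` rather than `pdb_get_acct_ctrl(pwd)`, so it logs the request and not the flags of the account being skipped. load_sampwd_entries continues outside the hunk.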
From: Gerald Carter Date: Wed, 19 Jan 2005 16:52:19 +0000 Subject: r4849: * finish SeAddUsers support in srv_samr_nt.c * define some const SE_PRIV structure for use when you need a SE_PRIV* to a privilege * fix an annoying compiler warngin in smbfilter.c * translate SIDs to names in 'net rpc rights list accounts' * fix a seg fault in cli_lsa_enum_account_rights caused by me forgetting the precedence of * vs. [] (This used to be commit d25fc84bc2b14da9fcc0f3c8d7baeca83f0ea708) --- source3/rpc_server/srv_samr_nt.c | 358 ++++++++++++++++++++++++++++----------- 1 file changed, 258 insertions(+), 100 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 70c0de7da7..5fd5137cf1 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1,14 +1,14 @@ /* * Unix SMB/CIFS implementation. * RPC Pipe client / server routines - * Copyright (C) Andrew Tridgell 1992-1997, - * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, + * Copyright (C) Andrew Tridgell 1992-1997, + * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, * Copyright (C) Paul Ashton 1997, * Copyright (C) Marc Jacobsen 1999, - * Copyright (C) Jeremy Allison 2001-2002, - * Copyright (C) Jean François Micouleau 1998-2001, + * Copyright (C) Jeremy Allison 2001-2002, + * Copyright (C) Jean François Micouleau 1998-2001, * Copyright (C) Jim McDonough 2002, - * Copyright (C) Gerald (Jerry) Carter 2003 - 2004, + * Copyright (C) Gerald (Jerry) Carter 2003-2004, * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
@@ -2221,8 +2221,8 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA uint32 new_rid = 0; /* check this, when giving away 'add computer to domain' privs */ uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS; - BOOL can_add_machines = False; - SE_PRIV se_machineop = SE_MACHINE_ACCOUNT; + BOOL can_add_account; + SE_PRIV se_rights; /* Get the domain SID stored in the domain policy */ if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted)) @@ -2246,14 +2246,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA rpcstr_pull(account, user_account.buffer, sizeof(account), user_account.uni_str_len*2, 0); strlower_m(account); - - /* check to see if we are a domain admin */ - - can_add_machines = user_has_privileges( p->pipe_user.nt_user_token, &se_machineop ); - - DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n", - p->pipe_user_name, can_add_machines ? "" : " not")); - + pdb_init_sam(&sam_pass); become_root(); @@ -2266,13 +2259,6 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA } pdb_free_sam(&sam_pass); - - /* - * NB. VERY IMPORTANT ! This call must be done as the current pipe user, - * *NOT* surrounded by a become_root()/unbecome_root() call. This ensures - * that only people with write access to the smbpasswd file will be able - * to create a user. JRA. - */ /********************************************************************* * HEADS UP! If we have to create a new user account, we have to get 
@@ -2287,26 +2273,37 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA pw = Get_Pwnam(account); - /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */ + /* + * we can't check both the ending $ and the acb_info. + * + * UserManager creates trust accounts (ending in $, + * normal that hidden accounts) with the acb_info equals to ACB_NORMAL. + * JFM, 11/29/2001 + */ + + if (account[strlen(account)-1] == '$') { + se_priv_copy( &se_rights, &se_machine_account ); + pstrcpy(add_script, lp_addmachine_script()); + } + else { + se_priv_copy( &se_rights, &se_add_users ); + pstrcpy(add_script, lp_adduser_script()); + } + + can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + + DEBUG(5, ("_samr_create_user: %s can add this account : %s\n", + p->pipe_user_name, can_add_account ? "True":"False" )); + + /********** BEGIN Admin BLOCK **********/ - if ( can_add_machines ) + if ( can_add_account ) become_root(); - + if ( !pw ) { - /* - * we can't check both the ending $ and the acb_info. - * - * UserManager creates trust accounts (ending in $, - * normal that hidden accounts) with the acb_info equals to ACB_NORMAL. - * JFM, 11/29/2001 - */ - if (account[strlen(account)-1] == '$') - pstrcpy(add_script, lp_addmachine_script()); - else - pstrcpy(add_script, lp_adduser_script()); - if (*add_script) { int add_ret; + all_string_sub(add_script, "%u", account, sizeof(add_script)); add_ret = smbrun(add_script,NULL); DEBUG(3,("_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); 
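Review bot: `account` comes from the client request and is substituted into `add_script` by `all_string_sub()` before `smbrun()`, and with this hunk that command runs inside `become_root()` for every caller for whom `can_add_account` is true, which now includes holders of `se_add_users` as well as machine-account creators. Nothing visible here restricts the characters in `account`; unless `all_string_sub()` or `smbrun()` is known to neutralise shell metacharacters, the name should be validated before the privilege is raised, and the request rejected with `NT_STATUS_INVALID_PARAMETER` otherwise. The `account[strlen(account)-1] == '$'` test also reads one byte before the buffer when the name is empty, so an `if (account[0] == '\0') return NT_STATUS_INVALID_PARAMETER;` guard belongs ahead of it unless an earlier check outside the hunk already excludes that. The function body starts and ends outside the hunk.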
@@ -2323,28 +2320,32 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA /* implicit call to getpwnam() next. we have a valid SID coming out of this call */ - if ( !NT_STATUS_IS_OK(nt_status = pdb_init_sam_new(&sam_pass, account, new_rid)) ) { - if ( can_add_machines ) - unbecome_root(); - return nt_status; + nt_status = pdb_init_sam_new(&sam_pass, account, new_rid); + + /* this code is order such that we have no unnecessary retuns + out of the admin block of code */ + + if ( NT_STATUS_IS_OK(nt_status) ) { + pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED); + + if ( !(ret = pdb_add_sam_account(sam_pass)) ) { + pdb_free_sam(&sam_pass); + DEBUG(0, ("could not add user/computer %s to passdb. Check permissions?\n", + account)); + nt_status = NT_STATUS_ACCESS_DENIED; + } } - pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED); - - ret = pdb_add_sam_account(sam_pass); - - if ( can_add_machines ) + if ( can_add_account ) unbecome_root(); - - /* ================ END SeMachineAccountPrivilege BLOCK ================ */ - if ( !ret ) { - pdb_free_sam(&sam_pass); - DEBUG(0, ("could not add user/computer %s to passdb. Check permissions?\n", - account)); - return NT_STATUS_ACCESS_DENIED; - } - + /********** END Admin BLOCK **********/ + + /* now check for failure */ + + if ( !NT_STATUS_IS_OK(nt_status) ) + return nt_status; + /* Get the user's SID */ sid_copy(&sid, pdb_get_user_sid(sam_pass)); @@ -3515,6 +3516,10 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD { DOM_SID alias_sid; uint32 acc_granted; + SE_PRIV se_rights; + BOOL can_add_accounts; + BOOL ret; + /* Find the policy handle. Open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) 
@@ -3525,11 +3530,23 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD } DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid))); + + se_priv_copy( &se_rights, &se_add_users ); + can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); - if (!pdb_add_aliasmem(&alias_sid, &q_u->sid.sid)) - return NT_STATUS_ACCESS_DENIED; - - return NT_STATUS_OK; + /******** BEGIN SeAddUsers BLOCK *********/ + + if ( can_add_accounts ) + become_root(); + + ret = pdb_add_aliasmem(&alias_sid, &q_u->sid.sid); + + if ( can_add_accounts ) + unbecome_root(); + + /******** END SeAddUsers BLOCK *********/ + + return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; } /********************************************************************* @@ -3540,6 +3557,9 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE { DOM_SID alias_sid; uint32 acc_granted; + SE_PRIV se_rights; + BOOL can_add_accounts; + BOOL ret; /* Find the policy handle. Open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) @@ -3552,10 +3572,22 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE DEBUG(10, ("_samr_del_aliasmem:sid is %s\n", sid_string_static(&alias_sid))); - if (!pdb_del_aliasmem(&alias_sid, &q_u->sid.sid)) - return NT_STATUS_ACCESS_DENIED; + se_priv_copy( &se_rights, &se_add_users ); + can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + + /******** BEGIN SeAddUsers BLOCK *********/ - return NT_STATUS_OK; + if ( can_add_accounts ) + become_root(); + + ret = pdb_del_aliasmem(&alias_sid, &q_u->sid.sid); + + if ( can_add_accounts ) + unbecome_root(); + + /******** END SeAddUsers BLOCK *********/ + + return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; } /********************************************************************* 
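Review bot: In `_samr_add_aliasmem` the `se_add_users` test is the only new condition for running `pdb_add_aliasmem()` as root, and it never looks at which alias `alias_sid` names. As far as this hunk shows, a holder of that right could change the membership of an administrative alias with root's authority; whether the `acc_granted` check above the hunk rules that out is not visible. Either refuse the elevated path for privileged aliases or state the intent next to the check, e.g. `/* se_add_users is allowed to modify every alias, including administrative ones */`. The same pattern is in the `_samr_del_aliasmem` hunk on this line and in the `_samr_add_groupmem` and `_samr_del_groupmem` hunks that follow.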
@@ -3576,6 +3608,8 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD SAM_ACCOUNT *sam_user=NULL; BOOL check; uint32 acc_granted; + SE_PRIV se_rights; + BOOL can_add_accounts; /* Find the policy handle. Open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) @@ -3636,6 +3670,14 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD return NT_STATUS_MEMBER_IN_GROUP; } + se_priv_copy( &se_rights, &se_add_users ); + can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + + /******** BEGIN SeAddUsers BLOCK *********/ + + if ( can_add_accounts ) + become_root(); + /* * ok, the group exist, the user exist, the user is not in the group, * @@ -3644,6 +3686,11 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD smb_add_user_group(grp_name, pwd->pw_name); + if ( can_add_accounts ) + unbecome_root(); + + /******** END SeAddUsers BLOCK *********/ + /* check if the user has been added then ... */ if(!user_in_unix_group_list(pwd->pw_name, grp_name)) { passwd_free(&pwd); @@ -3667,6 +3714,8 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE fstring grp_name; struct group *grp; uint32 acc_granted; + SE_PRIV se_rights; + BOOL can_add_accounts; /* * delete the group member named q_u->rid 
@@ -3710,9 +3759,23 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE pdb_free_sam(&sam_pass); return NT_STATUS_MEMBER_NOT_IN_GROUP; } + + se_priv_copy( &se_rights, &se_add_users ); + can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + + /******** BEGIN SeAddUsers BLOCK *********/ + + if ( can_add_accounts ) + become_root(); + smb_delete_user_group(grp_name, pdb_get_username(sam_pass)); + if ( can_add_accounts ) + unbecome_root(); + + /******** END SeAddUsers BLOCK *********/ + /* check if the user has been removed then ... */ if (user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) { pdb_free_sam(&sam_pass); @@ -3764,6 +3827,9 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM DOM_SID user_sid; SAM_ACCOUNT *sam_pass=NULL; uint32 acc_granted; + SE_PRIV se_rights; + BOOL can_add_accounts; + BOOL ret; DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__)); 
@@ -3786,22 +3852,40 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; } + + se_priv_copy( &se_rights, &se_add_users ); + can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); - /* First delete the samba side */ - if (!pdb_delete_sam_account(sam_pass)) { + /******** BEGIN SeAddUsers BLOCK *********/ + + if ( can_add_accounts ) + become_root(); + + /* First delete the samba side.... + code is order to prevent unnecessary returns out of the admin + block of code */ + + if ( (ret = pdb_delete_sam_account(sam_pass)) == True ) { + /* + * Now delete the unix side .... + * note: we don't check if the delete really happened + * as the script is not necessary present + * and maybe the sysadmin doesn't want to delete the unix side + */ + smb_delete_user( pdb_get_username(sam_pass) ); + } + + if ( can_add_accounts ) + unbecome_root(); + + /******** END SeAddUsers BLOCK *********/ + + if ( !ret ) { DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", pdb_get_username(sam_pass))); pdb_free_sam(&sam_pass); return NT_STATUS_CANNOT_DELETE; } - /* Now delete the unix side */ - /* - * note: we don't check if the delete really happened - * as the script is not necessary present - * and maybe the sysadmin doesn't want to delete the unix side - */ - smb_delete_user(pdb_get_username(sam_pass)); - pdb_free_sam(&sam_pass); @@ -3825,6 +3909,9 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S struct group *grp; GROUP_MAP map; uint32 acc_granted; + SE_PRIV se_rights; + BOOL can_add_accounts; + BOOL ret; DEBUG(5, ("samr_delete_dom_group: %d\n", __LINE__)); 
@@ -3857,17 +3944,33 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S if ( (grp=getgrgid(gid)) == NULL) return NT_STATUS_NO_SUCH_GROUP; + se_priv_copy( &se_rights, &se_add_users ); + can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + + /******** BEGIN SeAddUsers BLOCK *********/ + + if ( can_add_accounts ) + become_root(); + /* delete mapping first */ - if(!pdb_delete_group_mapping_entry(group_sid)) - return NT_STATUS_ACCESS_DENIED; - - /* we can delete the UNIX group */ - smb_delete_group(grp->gr_name); + + if ( (ret = pdb_delete_group_mapping_entry(group_sid)) == True ) { + smb_delete_group( grp->gr_name ); + } - /* check if the group has been successfully deleted */ - if ( (grp=getgrgid(gid)) != NULL) + if ( can_add_accounts ) + unbecome_root(); + + /******** END SeAddUsers BLOCK *********/ + + if ( !ret ) { + DEBUG(5,("_samr_delete_dom_group: Failed to delete mapping entry for group %s.\n", + group_sid_str)); return NT_STATUS_ACCESS_DENIED; - + } + + /* don't check that the unix group has been deleted. Work like + _samr_delet_dom_user() */ if (!close_policy_hnd(p, &q_u->group_pol)) return NT_STATUS_OBJECT_NAME_INVALID; @@ -3883,6 +3986,9 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S { DOM_SID alias_sid; uint32 acc_granted; + SE_PRIV se_rights; + BOOL can_add_accounts; + BOOL ret; DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__)); 
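Review bot: After `pdb_delete_group_mapping_entry()` succeeds in `_samr_delete_dom_group`, whatever `smb_delete_group( grp->gr_name )` reports is discarded and the former `getgrgid(gid)` re-check is gone, so the call can return success while the Unix group and its members remain. The new comment explains that this mirrors the user-delete path, but an operator then has no trace of the mismatch. A log line after the admin block would keep the chosen behaviour and make it auditable: `if (getgrgid(gid) != NULL) DEBUG(3,("_samr_delete_dom_group: unix group for %s still exists\n", group_sid_str));`. The comment also misspells the function it refers to as `_samr_delet_dom_user()`.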
@@ -3901,8 +4007,23 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S DEBUG(10, ("lookup on Local SID\n")); + se_priv_copy( &se_rights, &se_add_users ); + can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + + /******** BEGIN SeAddUsers BLOCK *********/ + + if ( can_add_accounts ) + become_root(); + /* Have passdb delete the alias */ - if (!pdb_delete_alias(&alias_sid)) + ret = pdb_delete_alias(&alias_sid); + + if ( can_add_accounts ) + unbecome_root(); + + /******** END SeAddUsers BLOCK *********/ + + if ( !ret ) return NT_STATUS_ACCESS_DENIED; if (!close_policy_hnd(p, &q_u->alias_pol)) @@ -3925,6 +4046,9 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S struct samr_info *info; uint32 acc_granted; gid_t gid; + SE_PRIV se_rights; + BOOL can_add_accounts; + NTSTATUS result; /* Find the policy handle. Open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid, &acc_granted)) 
@@ -3937,32 +4061,53 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S if (!sid_equal(&dom_sid, get_global_sam_sid())) return NT_STATUS_ACCESS_DENIED; - /* TODO: check if allowed to create group and add a become_root/unbecome_root pair.*/ - unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1); /* check if group already exist */ if ((grp=getgrnam(name)) != NULL) return NT_STATUS_GROUP_EXISTS; - /* we can create the UNIX group */ - if (smb_create_group(name, &gid) != 0) - return NT_STATUS_ACCESS_DENIED; - - /* check if the group has been successfully created */ - if ((grp=getgrgid(gid)) == NULL) - return NT_STATUS_ACCESS_DENIED; + se_priv_copy( &se_rights, &se_add_users ); + can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); - r_u->rid=pdb_gid_to_group_rid(grp->gr_gid); - - /* add the group to the mapping table */ - sid_copy(&info_sid, get_global_sam_sid()); - sid_append_rid(&info_sid, r_u->rid); - sid_to_string(sid_string, &info_sid); + /******** BEGIN SeAddUsers BLOCK *********/ + + if ( can_add_accounts ) + become_root(); + + /* check that we successfully create the UNIX group */ + + result = NT_STATUS_ACCESS_DENIED; + if ( (smb_create_group(name, &gid) == 0) && ((grp=getgrgid(gid)) != NULL) ) { + + /* so far, so good */ + + result = NT_STATUS_OK; + + r_u->rid = pdb_gid_to_group_rid( grp->gr_gid ); - if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL)) - return NT_STATUS_ACCESS_DENIED; + /* add the group to the mapping table */ + + sid_copy( &info_sid, get_global_sam_sid() ); + sid_append_rid( &info_sid, r_u->rid ); + sid_to_string( sid_string, &info_sid ); + + /* reset the error code if we fail to add the mapping entry */ + + if ( !add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL) ) + result = NT_STATUS_ACCESS_DENIED; + } + if ( can_add_accounts ) + unbecome_root(); + + /******** END SeAddUsers BLOCK *********/ + + /* check if we should bail out 
here */ + + if ( !NT_STATUS_IS_OK(result) ) + return result; + if ((info = get_samr_info_by_sid(&info_sid)) == NULL) return NT_STATUS_NO_MEMORY; @@ -3987,6 +4132,8 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S uint32 acc_granted; gid_t gid; NTSTATUS result; + SE_PRIV se_rights; + BOOL can_add_accounts; /* Find the policy handle. Open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted)) @@ -3999,13 +4146,24 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S if (!sid_equal(&dom_sid, get_global_sam_sid())) return NT_STATUS_ACCESS_DENIED; - /* TODO: check if allowed to create group and add a become_root/unbecome_root pair.*/ - unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1); + se_priv_copy( &se_rights, &se_add_users ); + can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + + /******** BEGIN SeAddUsers BLOCK *********/ + + if ( can_add_accounts ) + become_root(); + /* Have passdb create the alias */ result = pdb_create_alias(name, &r_u->rid); + if ( can_add_accounts ) + unbecome_root(); + + /******** END SeAddUsers BLOCK *********/ + if (!NT_STATUS_IS_OK(result)) return result; -- cgit From 6a6c7cbf9968919fea574e84ad3f1318e10969f2 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 20 Jan 2005 17:05:10 +0000 Subject: r4871: BUG 603: patch by Daniel Beschorner . Correct access mask check for _samr_lookup_domain() to work with Windows RAS server (This used to be commit 2e7a5608ac6a11f4e9e8bda69abb984fb4f86eb8) --- source3/rpc_server/srv_samr_nt.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 5fd5137cf1..462a646329 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
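Review bot: In `_samr_create_dom_group`, when `smb_create_group()` and `getgrgid()` succeed but `add_initial_entry()` fails, `result` is reset to `NT_STATUS_ACCESS_DENIED` and the function returns with the Unix group already created and no mapping entry for it. A retry with the same name then stops at the `getgrnam(name)` check with `NT_STATUS_GROUP_EXISTS`, and the orphaned group stays until someone removes it by hand. The failure branch should undo the creation while still inside the admin block, e.g. `if ( !add_initial_entry(...) ) { smb_delete_group(grp->gr_name); result = NT_STATUS_ACCESS_DENIED; }`. The hunk starts on the previous line and the function body continues outside it.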
@@ -2541,8 +2541,11 @@ NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_ if (!find_policy_by_hnd(p, &q_u->connect_pol, (void**)&info)) return NT_STATUS_INVALID_HANDLE; + /* win9x user manager likes to use SA_RIGHT_SAM_ENUM_DOMAINS here. + Reverted that change so we will work with RAS servers again */ + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, - SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_lookup_domain"))) + SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_lookup_domain"))) { return r_u->status; } -- cgit From b4afdc08d5336e4a337e453443d7af1d8655a31a Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sat, 22 Jan 2005 03:37:09 +0000 Subject: r4925: Migrate Account Policies to passdb (esp. replicating ldapsam). Does automated migration from account_policy.tdb v1 and v2 and offers a pdbedit-Migration interface. Jerry, please feel free to revert that if you have other plans. Guenther (This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5) --- source3/rpc_server/srv_samr_nt.c | 59 ++++++++++++++++++++-------------------- 1 file changed, 30 insertions(+), 29 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 462a646329..8ee59210eb 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
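Review bot: The comment added in `_samr_lookup_domain` names `SA_RIGHT_SAM_ENUM_DOMAINS` while the check below it now requires `SA_RIGHT_SAM_OPEN_DOMAIN`, and "Reverted that change" does not say which right is the deliberate one. This line is the access decision for the call, so the comment should state the required right and the reason. If the commit message's explanation is the whole story, something like `/* Require SA_RIGHT_SAM_OPEN_DOMAIN here; requiring SA_RIGHT_SAM_ENUM_DOMAINS broke Windows RAS servers (BUG 603) */` would do.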
@@ -2100,19 +2100,19 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA switch (q_u->switch_value) { case 0x01: - account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp); + pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp); min_pass_len = account_policy_temp; - account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp); + pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp); pass_hist = account_policy_temp; - account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); + pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); flag = account_policy_temp; - account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp); + pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp); u_expire = account_policy_temp; - account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp); + pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp); u_min_age = account_policy_temp; unix_to_nt_time_abs(&nt_expire, u_expire); @@ -2140,7 +2140,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA num_groups=info->disp_info.num_group_account; free_samr_db(info); - account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); + pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); u_logout = account_policy_temp; unix_to_nt_time_abs(&nt_logout, u_logout); @@ -2150,7 +2150,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA num_users, num_groups, num_aliases, nt_logout); break; case 0x03: - account_policy_get(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout); + pdb_get_account_policy(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout); unix_to_nt_time_abs(&nt_logout, u_logout); init_unk_info3(&ctr->info.inf3, nt_logout); 
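Review bot: None of the `pdb_get_account_policy()` calls in this hunk, or in the later `_samr_query_dom_info` and `_samr_unknown_2e` hunks, looks at whether the lookup succeeded before copying `account_policy_temp` into the reply. If a call can fail without writing its output, the client receives the value left by the previous call, for example the history length reported as the lockout threshold. The commit moves the policies behind passdb, so a failed read looks more likely than with the local tdb, and each result should be checked with a defined fallback. In case 0x03 the call is made with `(unsigned int *)&u_logout`; if `u_logout` is wider than `unsigned int` only part of it is written, so it should go through `account_policy_temp` as the `_samr_unknown_2e` version does. The declarations are outside the hunks.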
@@ -2168,15 +2168,15 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA init_unk_info8(&ctr->info.inf8, (uint32) time(NULL)); break; case 0x0c: - account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); + pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); u_lock_duration = account_policy_temp; if (u_lock_duration != -1) u_lock_duration *= 60; - account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp); + pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp); u_reset_time = account_policy_temp * 60; - account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); + pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); lockout = account_policy_temp; unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); @@ -4567,19 +4567,19 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW switch (q_u->switch_value) { case 0x01: - account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp); + pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp); min_pass_len = account_policy_temp; - account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp); + pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp); pass_hist = account_policy_temp; - account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); + pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); flag = account_policy_temp; - account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp); + pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp); u_expire = account_policy_temp; - account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp); + pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp); u_min_age = account_policy_temp; unix_to_nt_time_abs(&nt_expire, u_expire); 
@@ -4607,7 +4607,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW num_groups=info->disp_info.num_group_account; free_samr_db(info); - account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); + pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); u_logout = account_policy_temp; unix_to_nt_time_abs(&nt_logout, u_logout); @@ -4617,7 +4617,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW num_users, num_groups, num_aliases, nt_logout); break; case 0x03: - account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); + pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); u_logout = account_policy_temp; unix_to_nt_time_abs(&nt_logout, u_logout); @@ -4637,15 +4637,15 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW init_unk_info8(&ctr->info.inf8, (uint32) time(NULL)); break; case 0x0c: - account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); + pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); u_lock_duration = account_policy_temp; if (u_lock_duration != -1) u_lock_duration *= 60; - account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp); + pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp); u_reset_time = account_policy_temp * 60; - account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); + pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); lockout = account_policy_temp; unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); 
@@ -4689,17 +4689,17 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R u_expire=nt_time_to_unix_abs(&q_u->ctr->info.inf1.expire); u_min_age=nt_time_to_unix_abs(&q_u->ctr->info.inf1.min_passwordage); - account_policy_set(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password); - account_policy_set(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history); - account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag); - account_policy_set(AP_MAX_PASSWORD_AGE, (int)u_expire); - account_policy_set(AP_MIN_PASSWORD_AGE, (int)u_min_age); + pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password); + pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history); + pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag); + pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire); + pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age); break; case 0x02: break; case 0x03: u_logout=nt_time_to_unix_abs(&q_u->ctr->info.inf3.logout); - account_policy_set(AP_TIME_TO_LOGOUT, (int)u_logout); + pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout); break; case 0x05: break; 
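Review bot: `_samr_set_dom_info` calls `pdb_set_account_policy()` five times for case 0x01 and never looks at a result, so a write the backend rejects still appears to fall through to the normal return and can leave the password policy half-updated. For settings such as `AP_MIN_PASSWORD_LEN` and `AP_BAD_ATTEMPT_LOCKOUT` the administrator needs to know the change did not take effect. Assuming the function reports failure, each call should be checked and the RPC failed on the first error, e.g. `if (!pdb_set_account_policy(AP_MIN_PASSWORD_LEN, ...)) return NT_STATUS_ACCESS_DENIED;`. The same applies to cases 0x03 and 0x0c in this and the next hunk; the final return is outside the hunks.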
@@ -4711,11 +4711,12 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R u_lock_duration=nt_time_to_unix_abs(&q_u->ctr->info.inf12.duration); if (u_lock_duration != -1) u_lock_duration /= 60; + u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count)/60; - account_policy_set(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration); - account_policy_set(AP_RESET_COUNT_TIME, (int)u_reset_time); - account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout); + pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration); + pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time); + pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout); break; default: return NT_STATUS_INVALID_INFO_CLASS; -- cgit From 6e5accde90d9f078fbb3d1b0f11c45cfe391e4ad Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sat, 22 Jan 2005 11:26:13 +0000 Subject: r4931: Add get_user_info_7 in SAMR. This just gives out the username. (In preparation of adding the ability of renaming users via setuserinfo level 7). Guenther (This used to be commit 6f34ed6c203fa11182640da97581075612d26c0e) --- source3/rpc_server/srv_samr_nt.c | 42 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 8ee59210eb..612e69a813 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1698,6 +1698,40 @@ NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USE return r_u->status; } +/************************************************************************* + get_user_info_7. Safe. Only gives out account_name. + *************************************************************************/ + +static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_SID *user_sid) +{ + SAM_ACCOUNT *smbpass=NULL; + BOOL ret; + NTSTATUS nt_status; + + nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass); + + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + become_root(); + ret = pdb_getsampwsid(smbpass, user_sid); + unbecome_root(); + + if (ret==False) { + DEBUG(4,("User %s not found\n", sid_string_static(user_sid))); + return NT_STATUS_NO_SUCH_USER; + } + + DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) )); + + ZERO_STRUCTP(id7); + init_sam_user_info7(id7, pdb_get_username(smbpass) ); + + pdb_free_sam(&smbpass); + + return NT_STATUS_OK; +} /************************************************************************* get_user_info_10. Safe. Only gives out acb bits. *************************************************************************/ @@ -1889,6 +1923,14 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ ctr->switch_value = q_u->switch_value; switch (q_u->switch_value) { + case 0x07: + ctr->info.id7 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_7); + if (ctr->info.id7 == NULL) + return NT_STATUS_NO_MEMORY; + + if (!NT_STATUS_IS_OK(r_u->status = get_user_info_7(p->mem_ctx, ctr->info.id7, &info->sid))) + return r_u->status; + break; case 0x10: ctr->info.id10 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_10); if (ctr->info.id10 == NULL) -- cgit From 9b1e5a71180f340a1f6327d53e68bb9b661ec894 Mon Sep 17 00:00:00 2001 
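Review bot: The not-found branch of get_user_info_7 returns `NT_STATUS_NO_SUCH_USER` without calling `pdb_free_sam(&smbpass)`, while the success path releases the account before returning. The account comes from pdb_init_sam_talloc on `mem_ctx`, so the memory presumably goes away with that context, but the two exits should match: add `pdb_free_sam(&smbpass);` before the early return. The header comment calls the level "Safe", yet neither this hunk nor the `case 0x07` hunk shows which access right must already be held on the user handle; naming that right in the comment would let a reader verify the claim.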
From: Günther Deschner Date: Tue, 25 Jan 2005 01:19:02 +0000 Subject: r4972: Fix a warning and some debugging-outputs. Guenther (This used to be commit 1eabfa050b661168b42892c2d841c7891e59cf5f) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 612e69a813..122bde1be5 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3123,7 +3123,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE can_add_machines = user_has_privileges( p->pipe_user.nt_user_token, &se_machineop ); - DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n", + DEBUG(5, ("_samr_set_userinfo: %s is%s a member of the Domain Admins group\n", p->pipe_user_name, can_add_machines ? "" : " not")); /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */ -- cgit From 46d8ff2320a1c195c3b54c57f5bf172c8473a741 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 26 Jan 2005 20:36:44 +0000 Subject: r5015: (based on abartlet's original patch to restrict password changes) * added SE_PRIV checks to access_check_samr_object() in order to deal with the run-time security descriptor and their interaction with user rights * Reordered original patch in _samr_set_userinfo[2] to still allow root/administrative password changes for users and machines. (This used to be commit f9f9e6039bd9443d54445e41c3783a2be18925fb) --- source3/rpc_server/srv_samr_nt.c | 871 +++++++++++++++++++++------------------ 1 file changed, 471 insertions(+), 400 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 122bde1be5..6815c7147c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -68,31 +68,240 @@ struct generic_mapping usr_generic_mapping = {GENERIC_RIGHTS_USER_READ, GENERIC_ struct generic_mapping grp_generic_mapping = {GENERIC_RIGHTS_GROUP_READ, GENERIC_RIGHTS_GROUP_WRITE, GENERIC_RIGHTS_GROUP_EXECUTE, GENERIC_RIGHTS_GROUP_ALL_ACCESS}; struct generic_mapping ali_generic_mapping = {GENERIC_RIGHTS_ALIAS_READ, GENERIC_RIGHTS_ALIAS_WRITE, GENERIC_RIGHTS_ALIAS_EXECUTE, GENERIC_RIGHTS_ALIAS_ALL_ACCESS}; -static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size); +/******************************************************************* + samr_make_dom_obj_sd + ********************************************************************/ + +static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size) +{ + extern DOM_SID global_sid_World; + DOM_SID adm_sid, act_sid, domadmin_sid; + SEC_ACE ace[4]; + SEC_ACCESS mask; + size_t i = 0; + + SEC_ACL *psa = NULL; + + sid_copy(&adm_sid, &global_sid_Builtin); + sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); + + sid_copy(&act_sid, &global_sid_Builtin); + sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); + + /*basic access for every one*/ + init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_EXECUTE | GENERIC_RIGHTS_DOMAIN_READ); + init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + /*full access for builtin aliases Administrators and Account Operators*/ + + init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS); + + init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[i++], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + /* add domain admins if we are a DC */ + + if ( IS_DC ) { + sid_copy( &domadmin_sid, get_global_sam_sid() ); + sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS ); + init_sec_ace(&ace[i++], &domadmin_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + } + + if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL) + return NT_STATUS_NO_MEMORY; + + if 
((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL) + return NT_STATUS_NO_MEMORY; + + return NT_STATUS_OK; +} + +/******************************************************************* + samr_make_usr_obj_sd + ********************************************************************/ + +static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size, DOM_SID *usr_sid) +{ + extern DOM_SID global_sid_World; + DOM_SID adm_sid, act_sid, domadmin_sid; + size_t i = 0; + + SEC_ACE ace[5]; + SEC_ACCESS mask; + + SEC_ACL *psa = NULL; + + sid_copy(&adm_sid, &global_sid_Builtin); + sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); + + sid_copy(&act_sid, &global_sid_Builtin); + sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); + + /*basic access for every one*/ + + init_sec_access(&mask, GENERIC_RIGHTS_USER_EXECUTE | GENERIC_RIGHTS_USER_READ); + init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + /*full access for builtin aliases Administrators and Account Operators*/ + + init_sec_access(&mask, GENERIC_RIGHTS_USER_ALL_ACCESS); + init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[i++], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + /* add domain admins if we are a DC */ + + if ( IS_DC ) { + sid_copy( &domadmin_sid, get_global_sam_sid() ); + sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS ); + init_sec_ace(&ace[i++], &domadmin_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + } + + /*extended access for the user*/ + + init_sec_access(&mask,READ_CONTROL_ACCESS | SA_RIGHT_USER_CHANGE_PASSWORD | SA_RIGHT_USER_SET_LOC_COM); + init_sec_ace(&ace[i++], usr_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 4, ace)) == NULL) + return NT_STATUS_NO_MEMORY; + + if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL) + 
return NT_STATUS_NO_MEMORY; + + return NT_STATUS_OK; +} + +/******************************************************************* + samr_make_grp_obj_sd + ********************************************************************/ + +static NTSTATUS samr_make_grp_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size) +{ + extern DOM_SID global_sid_World; + DOM_SID adm_sid; + DOM_SID act_sid; + + SEC_ACE ace[3]; + SEC_ACCESS mask; + + SEC_ACL *psa = NULL; + + sid_copy(&adm_sid, &global_sid_Builtin); + sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); + + sid_copy(&act_sid, &global_sid_Builtin); + sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); + + /*basic access for every one*/ + init_sec_access(&mask, GENERIC_RIGHTS_GROUP_EXECUTE | GENERIC_RIGHTS_GROUP_READ); + init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + /*full access for builtin aliases Administrators and Account Operators*/ + init_sec_access(&mask, GENERIC_RIGHTS_GROUP_ALL_ACCESS); + init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL) + return NT_STATUS_NO_MEMORY; + + if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL) + return NT_STATUS_NO_MEMORY; + + return NT_STATUS_OK; +} + +/******************************************************************* + samr_make_ali_obj_sd + ********************************************************************/ + +static NTSTATUS samr_make_ali_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size) +{ + extern DOM_SID global_sid_World; + DOM_SID adm_sid; + DOM_SID act_sid; + + SEC_ACE ace[3]; + SEC_ACCESS mask; + + SEC_ACL *psa = NULL; + + sid_copy(&adm_sid, &global_sid_Builtin); + sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); + + sid_copy(&act_sid, &global_sid_Builtin); + sid_append_rid(&act_sid, 
BUILTIN_ALIAS_RID_ACCOUNT_OPS); + + /*basic access for every one*/ + init_sec_access(&mask, GENERIC_RIGHTS_ALIAS_EXECUTE | GENERIC_RIGHTS_ALIAS_READ); + init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + /*full access for builtin aliases Administrators and Account Operators*/ + init_sec_access(&mask, GENERIC_RIGHTS_ALIAS_ALL_ACCESS); + init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + + if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL) + return NT_STATUS_NO_MEMORY; + + if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL) + return NT_STATUS_NO_MEMORY; + + return NT_STATUS_OK; +} /******************************************************************* Checks if access to an object should be granted, and returns that level of access for further checks. ********************************************************************/ -static NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, uint32 des_access, - uint32 *acc_granted, const char *debug) +static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token, + SE_PRIV *rights, uint32 rights_mask, + uint32 des_access, uint32 *acc_granted, + const char *debug ) { NTSTATUS status = NT_STATUS_ACCESS_DENIED; + uint32 saved_mask = 0; - if (!se_access_check(psd, nt_user_token, des_access, acc_granted, &status)) { + /* check privileges; certain SAM access bits should be overridden + by privileges (mostly having to do with creating/modifying/deleting + users and groups) */ + + if ( rights && user_has_any_privilege( token, rights ) ) { + + saved_mask = (des_access & rights_mask); + des_access &= ~saved_mask; + + DEBUG(4,("access_check_samr_object: user rights saved access mask [0x%x]\n", + saved_mask)); + } + + + /* check the security descriptor first */ + + if ( se_access_check(psd, token, 
des_access, acc_granted, &status) ) + goto done; + + /* give root a free pass */ + + if ( geteuid() == sec_initial_uid() ) { + + DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access)); + DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n")); + *acc_granted = des_access; - if (geteuid() == sec_initial_uid()) { - DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", - debug, des_access)); - DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n")); - status = NT_STATUS_OK; - } - else { - DEBUG(2,("%s: ACCESS DENIED (requested: %#010x)\n", - debug, des_access)); - } + + status = NT_STATUS_OK; + goto done; } + + + DEBUG(2,("%s: ACCESS DENIED (requested: %#010x)\n", debug, des_access)); + +done: + /* add in any bits saved during the privilege check (only + matters is syayus is ok) */ + + *acc_granted |= saved_mask; + return status; } 
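Review bot: samr_make_usr_obj_sd can fill five ACEs (`ace[5]`, with `i` reaching 5 when `IS_DC` adds the Domain Admins entry) but still passes a literal count in `make_sec_acl(ctx, NT4_ACL_REVISION, 4, ace)`, so on a DC the last entry, the user's own `SA_RIGHT_USER_CHANGE_PASSWORD` ACE, is left out of the ACL. samr_make_dom_obj_sd in the same hunk already passes `i`; use `make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)` here as well. Separately, in access_check_samr_object the `done:` label ORs `saved_mask` into `*acc_granted` on the denied path too. The callers visible on this page return on a non-OK status, but `if (NT_STATUS_IS_OK(status)) *acc_granted |= saved_mask;` would keep privilege-derived bits out of a denied result.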
@@ -102,20 +311,29 @@ static NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_t static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug) { - DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n", - debug, acc_granted, acc_required)); - if ((acc_granted & acc_required) != acc_required) { - if (geteuid() == sec_initial_uid()) { - DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n", - debug, acc_granted, acc_required)); - DEBUGADD(4,("but overwritten by euid == 0\n")); - return NT_STATUS_OK; - } - DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n", + DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n", + debug, acc_granted, acc_required)); + + /* check the security descriptor first */ + + if ( (acc_granted&acc_required) == acc_required ) + return NT_STATUS_OK; + + /* give root a free pass */ + + if (geteuid() == sec_initial_uid()) { + + DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n", debug, acc_granted, acc_required)); - return NT_STATUS_ACCESS_DENIED; + DEBUGADD(4,("but overwritten by euid == 0\n")); + + return NT_STATUS_OK; } - return NT_STATUS_OK; + + DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n", + debug, acc_granted, acc_required)); + + return NT_STATUS_ACCESS_DENIED; } 
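Review bot: The added comment `/* check the security descriptor first */` in access_check_samr_function does not describe this code, which never looks at a descriptor and only compares the bits already granted on the handle with the required ones; `/* check the access bits already granted on the handle */` would fit. The root-override debug text says `euid == 0` while the condition is `geteuid() == sec_initial_uid()`; access_check_samr_object names the real condition in its message and this one should match, since these lines are what an administrator reads when auditing why a denied request went through.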
@@ -355,281 +573,126 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) return NT_STATUS_OK; } - -/******************************************************************* - _samr_close_hnd - ********************************************************************/ - -NTSTATUS _samr_close_hnd(pipes_struct *p, SAMR_Q_CLOSE_HND *q_u, SAMR_R_CLOSE_HND *r_u) -{ - r_u->status = NT_STATUS_OK; - - /* close the policy handle */ - if (!close_policy_hnd(p, &q_u->pol)) - return NT_STATUS_OBJECT_NAME_INVALID; - - DEBUG(5,("samr_reply_close_hnd: %d\n", __LINE__)); - - return r_u->status; -} - -/******************************************************************* - samr_reply_open_domain - ********************************************************************/ - -NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN_DOMAIN *r_u) -{ - struct samr_info *info; - SEC_DESC *psd = NULL; - uint32 acc_granted; - uint32 des_access = q_u->flags; - size_t sd_size; - NTSTATUS status; - - r_u->status = NT_STATUS_OK; - - /* find the connection policy handle. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info)) - return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_OPEN_DOMAIN,"_samr_open_domain"))) { - return status; - } - - /*check if access can be granted as requested by client. */ - samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size); - se_map_generic(&des_access,&dom_generic_mapping); - - if (!NT_STATUS_IS_OK(status = - access_check_samr_object(psd, p->pipe_user.nt_user_token, - des_access, &acc_granted, "_samr_open_domain"))) { - return status; - } - - /* associate the domain SID with the (unique) handle. */ - if ((info = get_samr_info_by_sid(&q_u->dom_sid.sid))==NULL) - return NT_STATUS_NO_MEMORY; - info->acc_granted = acc_granted; - - /* get a (unique) handle. open a policy on it. 
*/ - if (!create_policy_hnd(p, &r_u->domain_pol, free_samr_info, (void *)info)) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - - DEBUG(5,("samr_open_domain: %d\n", __LINE__)); - - return r_u->status; -} - -/******************************************************************* - _samr_get_usrdom_pwinfo - ********************************************************************/ - -NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, SAMR_R_GET_USRDOM_PWINFO *r_u) -{ - struct samr_info *info = NULL; - - r_u->status = NT_STATUS_OK; - - /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->user_pol, (void **)&info)) - return NT_STATUS_INVALID_HANDLE; - - if (!sid_check_is_in_our_domain(&info->sid)) - return NT_STATUS_OBJECT_TYPE_MISMATCH; - - init_samr_r_get_usrdom_pwinfo(r_u, NT_STATUS_OK); - - DEBUG(5,("_samr_get_usrdom_pwinfo: %d\n", __LINE__)); - - /* - * NT sometimes return NT_STATUS_ACCESS_DENIED - * I don't know yet why. - */ - - return r_u->status; -} - -/******************************************************************* - samr_make_dom_obj_sd - ********************************************************************/ - -static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size) -{ - extern DOM_SID global_sid_World; - DOM_SID adm_sid, act_sid, domadmin_sid; - SEC_ACE ace[4]; - SEC_ACCESS mask; - size_t i = 0; - - SEC_ACL *psa = NULL; - - sid_copy(&adm_sid, &global_sid_Builtin); - sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); - - sid_copy(&act_sid, &global_sid_Builtin); - sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); - - /*basic access for every one*/ - init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_EXECUTE | GENERIC_RIGHTS_DOMAIN_READ); - init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - /*full access for builtin aliases Administrators and Account Operators*/ - - init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS); - - 
init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - init_sec_ace(&ace[i++], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - /* add domain admins if we are a DC */ - - if ( IS_DC ) { - sid_copy( &domadmin_sid, get_global_sam_sid() ); - sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS ); - init_sec_ace(&ace[i++], &domadmin_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - } - - if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL) - return NT_STATUS_NO_MEMORY; - - if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL) - return NT_STATUS_NO_MEMORY; - - return NT_STATUS_OK; -} - -/******************************************************************* - samr_make_usr_obj_sd - ********************************************************************/ - -static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size, DOM_SID *usr_sid) -{ - extern DOM_SID global_sid_World; - DOM_SID adm_sid, act_sid, domadmin_sid; - size_t i = 0; - - SEC_ACE ace[5]; - SEC_ACCESS mask; - - SEC_ACL *psa = NULL; - - sid_copy(&adm_sid, &global_sid_Builtin); - sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); - - sid_copy(&act_sid, &global_sid_Builtin); - sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); - - /*basic access for every one*/ - - init_sec_access(&mask, GENERIC_RIGHTS_USER_EXECUTE | GENERIC_RIGHTS_USER_READ); - init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - /*full access for builtin aliases Administrators and Account Operators*/ - - init_sec_access(&mask, GENERIC_RIGHTS_USER_ALL_ACCESS); - init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - init_sec_ace(&ace[i++], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - /* add domain admins if we are a DC */ - - if ( IS_DC ) { - sid_copy( &domadmin_sid, get_global_sam_sid() ); - sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS ); - 
init_sec_ace(&ace[i++], &domadmin_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - } - - /*extended access for the user*/ - - init_sec_access(&mask,READ_CONTROL_ACCESS | SA_RIGHT_USER_CHANGE_PASSWORD | SA_RIGHT_USER_SET_LOC_COM); - init_sec_ace(&ace[i++], usr_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 4, ace)) == NULL) - return NT_STATUS_NO_MEMORY; - - if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL) - return NT_STATUS_NO_MEMORY; - - return NT_STATUS_OK; -} - + /******************************************************************* - samr_make_grp_obj_sd + _samr_close_hnd ********************************************************************/ -static NTSTATUS samr_make_grp_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size) +NTSTATUS _samr_close_hnd(pipes_struct *p, SAMR_Q_CLOSE_HND *q_u, SAMR_R_CLOSE_HND *r_u) { - extern DOM_SID global_sid_World; - DOM_SID adm_sid; - DOM_SID act_sid; + r_u->status = NT_STATUS_OK; - SEC_ACE ace[3]; - SEC_ACCESS mask; + /* close the policy handle */ + if (!close_policy_hnd(p, &q_u->pol)) + return NT_STATUS_OBJECT_NAME_INVALID; - SEC_ACL *psa = NULL; + DEBUG(5,("samr_reply_close_hnd: %d\n", __LINE__)); - sid_copy(&adm_sid, &global_sid_Builtin); - sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); + return r_u->status; +} - sid_copy(&act_sid, &global_sid_Builtin); - sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); +/******************************************************************* + samr_reply_open_domain + ********************************************************************/ - /*basic access for every one*/ - init_sec_access(&mask, GENERIC_RIGHTS_GROUP_EXECUTE | GENERIC_RIGHTS_GROUP_READ); - init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); +NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN_DOMAIN *r_u) +{ + struct samr_info *info; + SEC_DESC *psd = 
NULL; + uint32 acc_granted; + uint32 des_access = q_u->flags; + size_t sd_size; + NTSTATUS status; + SE_PRIV se_rights; - /*full access for builtin aliases Administrators and Account Operators*/ - init_sec_access(&mask, GENERIC_RIGHTS_GROUP_ALL_ACCESS); - init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + r_u->status = NT_STATUS_OK; - if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL) - return NT_STATUS_NO_MEMORY; + /* find the connection policy handle. */ + + if ( !find_policy_by_hnd(p, &q_u->pol, (void**)&info) ) + return NT_STATUS_INVALID_HANDLE; - if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL) + status = access_check_samr_function( info->acc_granted, + SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_open_domain" ); + + if ( !NT_STATUS_IS_OK(status) ) + return status; + + /*check if access can be granted as requested by client. */ + + samr_make_dom_obj_sd( p->mem_ctx, &psd, &sd_size ); + se_map_generic( &des_access, &dom_generic_mapping ); + + se_priv_copy( &se_rights, &se_machine_account ); + se_priv_add( &se_rights, &se_add_users ); + + status = access_check_samr_object( psd, p->pipe_user.nt_user_token, + &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access, + &acc_granted, "_samr_open_domain" ); + + if ( !NT_STATUS_IS_OK(status) ) + return status; + + /* associate the domain SID with the (unique) handle. */ + if ((info = get_samr_info_by_sid(&q_u->dom_sid.sid))==NULL) return NT_STATUS_NO_MEMORY; + info->acc_granted = acc_granted; - return NT_STATUS_OK; + /* get a (unique) handle. open a policy on it. 
*/ + if (!create_policy_hnd(p, &r_u->domain_pol, free_samr_info, (void *)info)) + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + + DEBUG(5,("samr_open_domain: %d\n", __LINE__)); + + return r_u->status; } /******************************************************************* - samr_make_ali_obj_sd + _samr_get_usrdom_pwinfo ********************************************************************/ -static NTSTATUS samr_make_ali_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size) +NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, SAMR_R_GET_USRDOM_PWINFO *r_u) { - extern DOM_SID global_sid_World; - DOM_SID adm_sid; - DOM_SID act_sid; + struct samr_info *info = NULL; - SEC_ACE ace[3]; - SEC_ACCESS mask; + r_u->status = NT_STATUS_OK; - SEC_ACL *psa = NULL; + /* find the policy handle. open a policy on it. */ + if (!find_policy_by_hnd(p, &q_u->user_pol, (void **)&info)) + return NT_STATUS_INVALID_HANDLE; - sid_copy(&adm_sid, &global_sid_Builtin); - sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); + if (!sid_check_is_in_our_domain(&info->sid)) + return NT_STATUS_OBJECT_TYPE_MISMATCH; - sid_copy(&act_sid, &global_sid_Builtin); - sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); + init_samr_r_get_usrdom_pwinfo(r_u, NT_STATUS_OK); - /*basic access for every one*/ - init_sec_access(&mask, GENERIC_RIGHTS_ALIAS_EXECUTE | GENERIC_RIGHTS_ALIAS_READ); - init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + DEBUG(5,("_samr_get_usrdom_pwinfo: %d\n", __LINE__)); - /*full access for builtin aliases Administrators and Account Operators*/ - init_sec_access(&mask, GENERIC_RIGHTS_ALIAS_ALL_ACCESS); - init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + /* + * NT sometimes return NT_STATUS_ACCESS_DENIED + * I don't know yet why. 
+ */ - if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL) - return NT_STATUS_NO_MEMORY; + return r_u->status; +} - if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL) - return NT_STATUS_NO_MEMORY; - return NT_STATUS_OK; +/******************************************************************* + _samr_set_sec_obj + ********************************************************************/ + +NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_SEC_OBJ *r_u) +{ + DEBUG(0,("_samr_set_sec_obj: Not yet implemented!\n")); + return NT_STATUS_NOT_IMPLEMENTED; } -static BOOL get_lsa_policy_samr_sid(pipes_struct *p, POLICY_HND *pol, DOM_SID *sid, uint32 *acc_granted) + +/******************************************************************* +********************************************************************/ + +static BOOL get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol, + DOM_SID *sid, uint32 *acc_granted) { struct samr_info *info = NULL; @@ -645,17 +708,6 @@ static BOOL get_lsa_policy_samr_sid(pipes_struct *p, POLICY_HND *pol, DOM_SID *s return True; } -/******************************************************************* - _samr_set_sec_obj - ********************************************************************/ - -NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_SEC_OBJ *r_u) -{ - DEBUG(0,("_samr_set_sec_obj: Not yet implemented!\n")); - return NT_STATUS_NOT_IMPLEMENTED; -} - - /******************************************************************* _samr_query_sec_obj ********************************************************************/ 
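Review bot: _samr_open_domain discards the NTSTATUS of `samr_make_dom_obj_sd( p->mem_ctx, &psd, &sd_size )`, so if make_sec_acl or make_sec_desc fails, `psd` is still NULL when it is handed to access_check_samr_object. How se_access_check treats a NULL descriptor is not visible here, and an access decision should not depend on it. Check the result first: `status = samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size);` followed by `if (!NT_STATUS_IS_OK(status)) return status;`. The same unchecked call appears with samr_make_usr_obj_sd in _samr_open_user and samr_make_ali_obj_sd in _samr_open_alias in later hunks.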
@@ -1646,34 +1698,45 @@ NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USE size_t sd_size; BOOL ret; NTSTATUS nt_status; + SE_PRIV se_rights; r_u->status = NT_STATUS_OK; /* find the domain policy handle and get domain SID / access bits in the domain policy. */ - if (!get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted)) + + if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted) ) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_user"))) { + nt_status = access_check_samr_function( acc_granted, + SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_user" ); + + if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; - } nt_status = pdb_init_sam_talloc(p->mem_ctx, &sampass); - if (!NT_STATUS_IS_OK(nt_status)) { + + if (!NT_STATUS_IS_OK(nt_status)) return nt_status; - } /* append the user's RID to it */ + if (!sid_append_rid(&sid, q_u->user_rid)) return NT_STATUS_NO_SUCH_USER; /* check if access can be granted as requested by client. */ + samr_make_usr_obj_sd(p->mem_ctx, &psd, &sd_size, &sid); se_map_generic(&des_access, &usr_generic_mapping); - if (!NT_STATUS_IS_OK(nt_status = - access_check_samr_object(psd, p->pipe_user.nt_user_token, - des_access, &acc_granted, "_samr_open_user"))) { + + se_priv_copy( &se_rights, &se_machine_account ); + se_priv_add( &se_rights, &se_add_users ); + + nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access, + &acc_granted, "_samr_open_user"); + + if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; - } become_root(); ret=pdb_getsampwsid(sampass, &sid); 
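Review bot: In _samr_open_user the privilege override is decided before the target account is loaded: a token holding `se_machine_account` or `se_add_users` has the `GENERIC_RIGHTS_USER_WRITE` bits taken out of the descriptor check and granted on the handle, and `pdb_getsampwsid(sampass, &sid)` only runs afterwards. As written the handle carries those write bits whether the RID is a machine account or an ordinary user, so any restriction by account type has to be enforced later, presumably in _samr_set_userinfo as the commit message suggests. A comment at the `se_priv_copy`/`se_priv_add` lines stating where that check lives would make the dependency explicit for the next person who touches either function. The function body continues beyond this hunk.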
@@ -2396,7 +2459,8 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA se_map_generic(&des_access, &usr_generic_mapping); nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, - des_access, &acc_granted, "_samr_create_user"); + &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access, + &acc_granted, "_samr_create_user"); if ( !NT_STATUS_IS_OK(nt_status) ) { return nt_status; @@ -2494,11 +2558,12 @@ NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size); se_map_generic(&des_access, &sam_generic_mapping); - if (!NT_STATUS_IS_OK(nt_status = - access_check_samr_object(psd, p->pipe_user.nt_user_token, - des_access, &acc_granted, "_samr_connect"))) { + + nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + NULL, 0, des_access, &acc_granted, "_samr_connect"); + + if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; - } r_u->status = NT_STATUS_OK; @@ -2544,11 +2609,12 @@ NTSTATUS _samr_connect4(pipes_struct *p, SAMR_Q_CONNECT4 *q_u, SAMR_R_CONNECT4 * samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size); se_map_generic(&des_access, &sam_generic_mapping); - if (!NT_STATUS_IS_OK(nt_status = - access_check_samr_object(psd, p->pipe_user.nt_user_token, - des_access, &acc_granted, "_samr_connect"))) { + + nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + NULL, 0, des_access, &acc_granted, "_samr_connect4"); + + if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; - } r_u->status = NT_STATUS_OK; 
@@ -2693,29 +2759,40 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A uint32 des_access = q_u->access_mask; size_t sd_size; NTSTATUS status; + SE_PRIV se_rights; r_u->status = NT_STATUS_OK; /* find the domain policy and get the SID / access bits stored in the domain policy */ - if (!get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted)) + + if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted) ) return NT_STATUS_INVALID_HANDLE; + + status = access_check_samr_function(acc_granted, + SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_alias"); - if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_alias"))) { + if ( !NT_STATUS_IS_OK(status) ) return status; - } /* append the alias' RID to it */ + if (!sid_append_rid(&sid, alias_rid)) return NT_STATUS_NO_SUCH_USER; /*check if access can be granted as requested by client. */ + samr_make_ali_obj_sd(p->mem_ctx, &psd, &sd_size); se_map_generic(&des_access,&ali_generic_mapping); - if (!NT_STATUS_IS_OK(status = - access_check_samr_object(psd, p->pipe_user.nt_user_token, - des_access, &acc_granted, "_samr_open_alias"))) { + + se_priv_add( &se_rights, &se_add_users ); + + + status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access, + &acc_granted, "_samr_open_alias"); + + if ( !NT_STATUS_IS_OK(status) ) return status; - } /* * we should check if the rid really exist !!! 
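Review bot: `se_rights` in _samr_open_alias is declared without an initializer and the only write before use is `se_priv_add( &se_rights, &se_add_users );`, so the privilege set passed to access_check_samr_object starts from indeterminate stack contents. _samr_open_domain and _samr_open_user both begin with `se_priv_copy` and only then call `se_priv_add`. Here a stray bit could make user_has_any_privilege match and grant the `GENERIC_RIGHTS_ALIAS_WRITE` bits without the descriptor check. Replace the line with `se_priv_copy( &se_rights, &se_add_users );`.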
@@ -2739,20 +2816,8 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A set_user_info_10 ********************************************************************/ -static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, DOM_SID *sid) +static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, SAM_ACCOUNT *pwd) { - SAM_ACCOUNT *pwd =NULL; - BOOL ret; - - pdb_init_sam(&pwd); - - ret = pdb_getsampwsid(pwd, sid); - - if(ret==False) { - pdb_free_sam(&pwd); - return False; - } - if (id10 == NULL) { DEBUG(5, ("set_user_info_10: NULL id10\n")); pdb_free_sam(&pwd); @@ -2779,16 +2844,8 @@ static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, DOM_SID *sid) set_user_info_12 ********************************************************************/ -static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, DOM_SID *sid) +static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, SAM_ACCOUNT *pwd) { - SAM_ACCOUNT *pwd = NULL; - - pdb_init_sam(&pwd); - - if(!pdb_getsampwsid(pwd, sid)) { - pdb_free_sam(&pwd); - return False; - } if (id12 == NULL) { DEBUG(2, ("set_user_info_12: id12 is NULL\n")); @@ -2858,22 +2915,13 @@ static BOOL set_unix_primary_group(SAM_ACCOUNT *sampass) set_user_info_20 ********************************************************************/ -static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, DOM_SID *sid) +static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, SAM_ACCOUNT *pwd) { - SAM_ACCOUNT *pwd = NULL; - if (id20 == NULL) { DEBUG(5, ("set_user_info_20: NULL id20\n")); return False; } - pdb_init_sam(&pwd); - - if (!pdb_getsampwsid(pwd, sid)) { - pdb_free_sam(&pwd); - return False; - } - copy_id20_to_sam_passwd(pwd, id20); /* write the change out */ 
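Review bot: After the signature change to `SAM_ACCOUNT *pwd` the helpers no longer agree on who releases the account: set_user_info_10 still calls `pdb_free_sam(&pwd)` on its `id10 == NULL` path, while set_user_info_20 and set_user_info_21 return False on a NULL info struct without freeing. Because `pwd` is now a by-value parameter, `pdb_free_sam(&pwd)` can clear only the helper's local copy, and the caller keeps a pointer to an account that has been released. The caller's cleanup is outside these hunks, so whether this ends as a leak or a double free cannot be told from here. Pick one rule (for example, the helper always consumes `pwd`), state it in each helper's header comment, and check set_user_info_12, set_user_info_23 and set_user_info_pw against it as well.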
@@ -2890,22 +2938,14 @@ static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, DOM_SID *sid) set_user_info_21 ********************************************************************/ -static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, DOM_SID *sid) +static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, SAM_ACCOUNT *pwd) { - SAM_ACCOUNT *pwd = NULL; if (id21 == NULL) { DEBUG(5, ("set_user_info_21: NULL id21\n")); return False; } - pdb_init_sam(&pwd); - - if (!pdb_getsampwsid(pwd, sid)) { - pdb_free_sam(&pwd); - return False; - } - copy_id21_to_sam_passwd(pwd, id21); /* @@ -2933,9 +2973,8 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, DOM_SID *sid) set_user_info_23 ********************************************************************/ -static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid) +static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, SAM_ACCOUNT *pwd) { - SAM_ACCOUNT *pwd = NULL; pstring plaintext_buf; uint32 len; uint16 acct_ctrl; @@ -2945,13 +2984,6 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid) return False; } - pdb_init_sam(&pwd); - - if (!pdb_getsampwsid(pwd, sid)) { - pdb_free_sam(&pwd); - return False; - } - DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n", pdb_get_username(pwd))); @@ -3008,20 +3040,12 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid) set_user_info_pw ********************************************************************/ -static BOOL set_user_info_pw(char *pass, DOM_SID *sid) +static BOOL set_user_info_pw(char *pass, SAM_ACCOUNT *pwd) { - SAM_ACCOUNT *pwd = NULL; uint32 len; pstring plaintext_buf; uint16 acct_ctrl; - pdb_init_sam(&pwd); - - if (!pdb_getsampwsid(pwd, sid)) { - pdb_free_sam(&pwd); - return False; - } - DEBUG(5, ("Attempting administrator password change for user %s\n", pdb_get_username(pwd))); 
@@ -3080,14 +3104,16 @@ static BOOL set_user_info_pw(char *pass, DOM_SID *sid) NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_USERINFO *r_u) { + SAM_ACCOUNT *pwd = NULL; DOM_SID sid; POLICY_HND *pol = &q_u->pol; uint16 switch_value = q_u->switch_value; SAM_USERINFO_CTR *ctr = q_u->ctr; uint32 acc_granted; uint32 acc_required; - BOOL can_add_machines; - SE_PRIV se_machineop = SE_MACHINE_ACCOUNT; + BOOL ret; + BOOL has_enough_rights; + SE_PRIV se_rights; DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__)); 
@@ -3118,24 +3144,42 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE DEBUG(5, ("_samr_set_userinfo: NULL info level\n")); return NT_STATUS_INVALID_INFO_CLASS; } + + pdb_init_sam(&pwd); + + become_root(); + ret = pdb_getsampwsid(pwd, &sid); + unbecome_root(); + + if ( !ret ) { + pdb_free_sam(&pwd); + return NT_STATUS_NO_SUCH_USER; + } + + /* deal with machine password changes differently from userinfo changes */ + + if ( pdb_get_acct_ctrl(pwd) & ACB_WSTRUST ) + se_priv_copy( &se_rights, &se_machine_account ); + else + se_priv_copy( &se_rights, &se_add_users ); - /* check to see if we are a domain admin */ + /* check to see if we have the sufficient rights */ - can_add_machines = user_has_privileges( p->pipe_user.nt_user_token, &se_machineop ); + has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); - DEBUG(5, ("_samr_set_userinfo: %s is%s a member of the Domain Admins group\n", - p->pipe_user_name, can_add_machines ? "" : " not")); + DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n", + p->pipe_user_name, has_enough_rights ? "" : " not")); /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */ - if ( can_add_machines ) - become_root(); - + if ( has_enough_rights ) + become_root(); + /* ok! user info levels (lots: see MSDEV help), off we go... */ switch (switch_value) { - case 0x12: - if (!set_user_info_12(ctr->info.id12, &sid)) + case 18: + if (!set_user_info_12(ctr->info.id12, pwd)) r_u->status = NT_STATUS_ACCESS_DENIED; break; @@ -3147,7 +3191,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE dump_data(100, (char *)ctr->info.id24->pass, 516); - if (!set_user_info_pw((char *)ctr->info.id24->pass, &sid)) + if (!set_user_info_pw((char *)ctr->info.id24->pass, pwd)) r_u->status = NT_STATUS_ACCESS_DENIED; break; 
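Review bot: The privilege is picked with a two-way test, `pdb_get_acct_ctrl(pwd) & ACB_WSTRUST` or else se_add_users, so server-trust and domain-trust accounts fall into the se_add_users branch and are then modified under become_root() by any holder of that privilege. The r5203 commit further down this page limits creating such accounts to Domain Admins, and changing them deserves the same limit. The identical block in the _samr_set_userinfo2 hunk needs the same change. The result of pdb_init_sam is also unchecked before pwd is used. The function starts and ends outside the hunk.

```c
	/* deal with machine password changes differently from userinfo changes */

	if ( pdb_get_acct_ctrl(pwd) & (ACB_SVRTRUST|ACB_DOMTRUST) ) {
		/* BDC and domain trust accounts: Domain Admins only */
		has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token,
			DOMAIN_GROUP_RID_ADMINS );
	} else {
		if ( pdb_get_acct_ctrl(pwd) & ACB_WSTRUST )
			se_priv_copy( &se_rights, &se_machine_account );
		else
			se_priv_copy( &se_rights, &se_add_users );

		has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
	}

	/* … unchanged: DEBUG line, become_root() and the info-level switch … */
```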
@@ -3183,7 +3227,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE dump_data(100, (char *)ctr->info.id23->pass, 516); - if (!set_user_info_23(ctr->info.id23, &sid)) + if (!set_user_info_23(ctr->info.id23, pwd)) r_u->status = NT_STATUS_ACCESS_DENIED; break; @@ -3192,7 +3236,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE } - if ( can_add_machines ) + if ( has_enough_rights ) unbecome_root(); /* ================ END SeMachineAccountPrivilege BLOCK ================ */ @@ -3206,14 +3250,16 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SET_USERINFO2 *r_u) { + SAM_ACCOUNT *pwd = NULL; DOM_SID sid; SAM_USERINFO_CTR *ctr = q_u->ctr; POLICY_HND *pol = &q_u->pol; uint16 switch_value = q_u->switch_value; uint32 acc_granted; uint32 acc_required; - BOOL can_add_machines; - SE_PRIV se_machineop = SE_MACHINE_ACCOUNT; + BOOL ret; + BOOL has_enough_rights; + SE_PRIV se_rights; DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__)); 
@@ -3237,43 +3283,61 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ switch_value=ctr->switch_value; - /* check to see if we are a domain admin */ + pdb_init_sam(&pwd); + + become_root(); + ret = pdb_getsampwsid(pwd, &sid); + unbecome_root(); + + if ( !ret ) { + pdb_free_sam(&pwd); + return NT_STATUS_NO_SUCH_USER; + } + + /* deal with machine password changes differently from userinfo changes */ + + if ( pdb_get_acct_ctrl(pwd) & ACB_WSTRUST ) + se_priv_copy( &se_rights, &se_machine_account ); + else + se_priv_copy( &se_rights, &se_add_users ); + + /* check to see if we have the sufficient rights */ - can_add_machines = user_has_privileges( p->pipe_user.nt_user_token, &se_machineop ); + has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); - DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n", - p->pipe_user_name, can_add_machines ? "" : " not")); + DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n", + p->pipe_user_name, has_enough_rights ? "" : " not")); /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */ - if ( can_add_machines ) - become_root(); - + if ( has_enough_rights ) + become_root(); + /* ok! user info levels (lots: see MSDEV help), off we go... */ switch (switch_value) { case 21: - if (!set_user_info_21(ctr->info.id21, &sid)) + if (!set_user_info_21(ctr->info.id21, pwd)) return NT_STATUS_ACCESS_DENIED; break; case 20: - if (!set_user_info_20(ctr->info.id20, &sid)) + if (!set_user_info_20(ctr->info.id20, pwd)) r_u->status = NT_STATUS_ACCESS_DENIED; break; case 16: - if (!set_user_info_10(ctr->info.id10, &sid)) + if (!set_user_info_10(ctr->info.id10, pwd)) r_u->status = NT_STATUS_ACCESS_DENIED; break; case 18: /* Used by AS/U JRA. 
*/ - if (!set_user_info_12(ctr->info.id12, &sid)) + if (!set_user_info_12(ctr->info.id12, pwd)) r_u->status = NT_STATUS_ACCESS_DENIED; break; default: r_u->status = NT_STATUS_INVALID_INFO_CLASS; } - if ( can_add_machines ) + if ( has_enough_rights ) unbecome_root(); /* ================ END SeMachineAccountPrivilege BLOCK ================ */ @@ -4413,25 +4477,32 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G NTSTATUS status; fstring sid_string; BOOL ret; + SE_PRIV se_rights; if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_group"))) { + status = access_check_samr_function(acc_granted, + SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_group"); + + if ( !NT_STATUS_IS_OK(status) ) return status; - } /*check if access can be granted as requested by client. */ samr_make_grp_obj_sd(p->mem_ctx, &psd, &sd_size); se_map_generic(&des_access,&grp_generic_mapping); - if (!NT_STATUS_IS_OK(status = - access_check_samr_object(psd, p->pipe_user.nt_user_token, - des_access, &acc_granted, "_samr_open_group"))) { - return status; - } + se_priv_copy( &se_rights, &se_add_users ); + + status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access, + &acc_granted, "_samr_open_group"); + + if ( !NT_STATUS_IS_OK(status) ) + return status; /* this should not be hard-coded like this */ + if (!sid_equal(&sid, get_global_sam_sid())) return NT_STATUS_ACCESS_DENIED; -- cgit From 091f4bcda5cee113ade6ae64fa892278eb17dd5b Mon Sep 17 00:00:00 2001 
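Review bot: `return NT_STATUS_ACCESS_DENIED;` in `case 21` leaves _samr_set_userinfo2 between `become_root()` and `unbecome_root()`, so when has_enough_rights is true and set_user_info_21 fails, the request returns with the root context still in place. Every other case stores the error and falls through to the unbecome_root() call; make this one match with `r_u->status = NT_STATUS_ACCESS_DENIED;` (assuming the function ends by returning r_u->status, which is outside the hunk). The later r5028 hunk on this page that reorders the cases carries the same `return` along. The DEBUG text added here also says `_samr_set_userinfo` although this is _samr_set_userinfo2, which makes the log line misleading when tracing privilege decisions.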
From: Gerald Carter Date: Thu, 27 Jan 2005 02:16:02 +0000 Subject: r5028: * check acb_info mask in _samr_create_user instead of the last character of the user name * fix some access_mask checks in _samr_set_userinfo2 (getting join from XP without being a member of domain admins working) (This used to be commit 04030534ffd35f8ebc997d9403fd87309403dcbf) --- source3/rpc_server/srv_samr_nt.c | 57 +++++++++++++++------------------------- 1 file changed, 21 insertions(+), 36 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 6815c7147c..43abfdaafa 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -294,13 +294,15 @@ static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token, } - DEBUG(2,("%s: ACCESS DENIED (requested: %#010x)\n", debug, des_access)); - done: /* add in any bits saved during the privilege check (only matters is syayus is ok) */ *acc_granted |= saved_mask; + + DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n", + debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED", + des_access, *acc_granted)); return status; } @@ -2343,12 +2345,6 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA return NT_STATUS_INVALID_PARAMETER; } - /* find the account: tell the caller if it exists. - lkclXXXX i have *no* idea if this is a problem or not - or even if you are supposed to construct a different - reply if the account already exists... - */ - rpcstr_pull(account, user_account.buffer, sizeof(account), user_account.uni_str_len*2, 0); strlower_m(account); 
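Review bot: Denied SAMR object access used to be logged at level 2 and is now logged only by the combined `DEBUG(4, ...)` line after `done:`, so a server running at a lower log level no longer records refused requests. Keep the denial visible at the old level, for example `if ( !NT_STATUS_IS_OK(status) ) DEBUG(2,("%s: ACCESS DENIED (requested: %#010x)\n", debug, des_access));` ahead of the new message. On the denied path the new line also prints `*acc_granted`, whose value there depends on code outside the hunk, so say in a comment that the "granted" field is only meaningful when access was granted. access_check_samr_object starts outside the hunk.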
@@ -2377,16 +2373,9 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA *********************************************************************/ pw = Get_Pwnam(account); - - /* - * we can't check both the ending $ and the acb_info. - * - * UserManager creates trust accounts (ending in $, - * normal that hidden accounts) with the acb_info equals to ACB_NORMAL. - * JFM, 11/29/2001 - */ - if (account[strlen(account)-1] == '$') { + /* determine which user right we need to check based on the acb_info */ + if ( acb_info == ACB_WSTRUST ) { se_priv_copy( &se_rights, &se_machine_account ); pstrcpy(add_script, lp_addmachine_script()); } @@ -3122,17 +3111,10 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE /* find the policy handle. open a policy on it. */ if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - - /* the access mask depends on what the caller wants to do */ - switch (switch_value) { - case 24: - acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY; - break; - default: - acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */ - break; - } + /* observed when joining an XP client to a Samba domain */ + + acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) { return r_u->status; 
@@ -3268,8 +3250,11 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ /* find the policy handle. open a policy on it. */ if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; + + /* observed when joining XP client to Samba domain */ + + acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY; - acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */ if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo2"))) { return r_u->status; } @@ -3316,14 +3301,6 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ /* ok! user info levels (lots: see MSDEV help), off we go... */ switch (switch_value) { - case 21: - if (!set_user_info_21(ctr->info.id21, pwd)) - return NT_STATUS_ACCESS_DENIED; - break; - case 20: - if (!set_user_info_20(ctr->info.id20, pwd)) - r_u->status = NT_STATUS_ACCESS_DENIED; - break; case 16: if (!set_user_info_10(ctr->info.id10, pwd)) r_u->status = NT_STATUS_ACCESS_DENIED; @@ -3333,6 +3310,14 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ if (!set_user_info_12(ctr->info.id12, pwd)) r_u->status = NT_STATUS_ACCESS_DENIED; break; + case 20: + if (!set_user_info_20(ctr->info.id20, pwd)) + r_u->status = NT_STATUS_ACCESS_DENIED; + break; + case 21: + if (!set_user_info_21(ctr->info.id21, pwd)) + return NT_STATUS_ACCESS_DENIED; + break; default: r_u->status = NT_STATUS_INVALID_INFO_CLASS; } -- cgit From 962a5c95528932fde64c8c8b70b0a81c382c2905 Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Fri, 28 Jan 2005 16:55:09 +0000 Subject: r5056: * correct STANDARD_RIGHTS_WRITE_ACCESS bitmask define * make sure to apply the rights_mask and not just the saved bits from the mask in access_check_samr_object() * allow root to grant/revoke privileges (in addition to Domain Admins) as suggested by Volker. Tested machine joins from XP, 2K, and NT4 with and without pre-existing machine trust accounts. Also tested basic file operations using cmd.exe and explorer.exe after changing the STANDARD_RIGHTS_WRITE_ACCESS bitmask. (This used to be commit c0e7f7ff60a4110809b8f500fdc68a1bf963da36) --- source3/rpc_server/srv_samr_nt.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 43abfdaafa..4d8e2b51cc 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -270,8 +270,8 @@ static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token, saved_mask = (des_access & rights_mask); des_access &= ~saved_mask; - DEBUG(4,("access_check_samr_object: user rights saved access mask [0x%x]\n", - saved_mask)); + DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n", + rights_mask)); } @@ -296,9 +296,9 @@ static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token, done: /* add in any bits saved during the privilege check (only - matters is syayus is ok) */ + matters is status is ok) */ - *acc_granted |= saved_mask; + *acc_granted |= rights_mask; DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n", debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED", -- cgit From f35a9c5af6226b2292dbb49b9c20bf6b4d5f3bdc Mon Sep 17 00:00:00 2001 
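Review bot: `*acc_granted |= rights_mask;` sits after the `done:` label and nothing visible ties it to the privilege test that filled `saved_mask`, so every caller that reaches `done:` appears to receive the whole rights_mask whether or not it holds the privilege. With `saved_mask` the added bits were limited to what the privileged branch had removed from des_access. If the aim is to give privilege holders the full mask, record that inside the privileged branch, for example `saved_mask = rights_mask;` after `des_access &= ~saved_mask;`, and keep `*acc_granted |= saved_mask;` here. The initial value of saved_mask and the condition around the first hunk are outside the visible lines, so confirm both first. The comment says the bits only matter when the status is OK, yet they are also added on the denied path.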
From: Gerald Carter Date: Mon, 31 Jan 2005 22:42:30 +0000 Subject: r5150: consolidate the samr_make.*obj_sd() functions to share code (This used to be commit 5bd03d59263ab619390062c1d023ad1ba54dce6a) --- source3/rpc_server/srv_samr_nt.c | 198 ++++++++------------------------------- 1 file changed, 41 insertions(+), 157 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 4d8e2b51cc..e963fbaa0a 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -34,6 +34,11 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_RPC_SRV +#define SAMR_USR_RIGHTS_WRITE_PW \ + ( READ_CONTROL_ACCESS | \ + SA_RIGHT_USER_CHANGE_PASSWORD | \ + SA_RIGHT_USER_SET_LOC_COM ) + extern DOM_SID global_sid_Builtin; extern rid_name domain_group_rids[]; 
@@ -69,86 +74,39 @@ struct generic_mapping grp_generic_mapping = {GENERIC_RIGHTS_GROUP_READ, GENERIC struct generic_mapping ali_generic_mapping = {GENERIC_RIGHTS_ALIAS_READ, GENERIC_RIGHTS_ALIAS_WRITE, GENERIC_RIGHTS_ALIAS_EXECUTE, GENERIC_RIGHTS_ALIAS_ALL_ACCESS}; /******************************************************************* - samr_make_dom_obj_sd - ********************************************************************/ +*******************************************************************/ -static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size) +static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size, + struct generic_mapping *map, + DOM_SID *sid, uint32 sid_access ) { extern DOM_SID global_sid_World; DOM_SID adm_sid, act_sid, domadmin_sid; - SEC_ACE ace[4]; + SEC_ACE ace[5]; /* at most 5 entries */ SEC_ACCESS mask; size_t i = 0; SEC_ACL *psa = NULL; - sid_copy(&adm_sid, &global_sid_Builtin); - sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); - - sid_copy(&act_sid, &global_sid_Builtin); - sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); - - /*basic access for every one*/ - init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_EXECUTE | GENERIC_RIGHTS_DOMAIN_READ); - init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - /*full access for builtin aliases Administrators and Account Operators*/ - - init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS); + /* basic access for Everyone */ - init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - init_sec_ace(&ace[i++], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_access(&mask, map->generic_execute | map->generic_read ); + init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - /* add domain admins if we are a DC */ + /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */ - if ( IS_DC ) { - sid_copy( &domadmin_sid, get_global_sam_sid() 
); - sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS ); - init_sec_ace(&ace[i++], &domadmin_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - } - - if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL) - return NT_STATUS_NO_MEMORY; - - if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL) - return NT_STATUS_NO_MEMORY; - - return NT_STATUS_OK; -} - -/******************************************************************* - samr_make_usr_obj_sd - ********************************************************************/ - -static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size, DOM_SID *usr_sid) -{ - extern DOM_SID global_sid_World; - DOM_SID adm_sid, act_sid, domadmin_sid; - size_t i = 0; - - SEC_ACE ace[5]; - SEC_ACCESS mask; - - SEC_ACL *psa = NULL; - sid_copy(&adm_sid, &global_sid_Builtin); sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); sid_copy(&act_sid, &global_sid_Builtin); sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); - - /*basic access for every one*/ - init_sec_access(&mask, GENERIC_RIGHTS_USER_EXECUTE | GENERIC_RIGHTS_USER_READ); - init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - /*full access for builtin aliases Administrators and Account Operators*/ + init_sec_access(&mask, map->generic_all); - init_sec_access(&mask, GENERIC_RIGHTS_USER_ALL_ACCESS); init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); init_sec_ace(&ace[i++], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - /* add domain admins if we are a DC */ + + /* Add Full Access for Domain Admins if we are a DC */ if ( IS_DC ) { sid_copy( &domadmin_sid, get_global_sam_sid() ); 
@@ -156,90 +114,16 @@ static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd init_sec_ace(&ace[i++], &domadmin_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); } - /*extended access for the user*/ + /* if we have a sid, give it some special access */ - init_sec_access(&mask,READ_CONTROL_ACCESS | SA_RIGHT_USER_CHANGE_PASSWORD | SA_RIGHT_USER_SET_LOC_COM); - init_sec_ace(&ace[i++], usr_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 4, ace)) == NULL) - return NT_STATUS_NO_MEMORY; - - if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL) - return NT_STATUS_NO_MEMORY; - - return NT_STATUS_OK; -} - -/******************************************************************* - samr_make_grp_obj_sd - ********************************************************************/ - -static NTSTATUS samr_make_grp_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size) -{ - extern DOM_SID global_sid_World; - DOM_SID adm_sid; - DOM_SID act_sid; - - SEC_ACE ace[3]; - SEC_ACCESS mask; - - SEC_ACL *psa = NULL; - - sid_copy(&adm_sid, &global_sid_Builtin); - sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); - - sid_copy(&act_sid, &global_sid_Builtin); - sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); - - /*basic access for every one*/ - init_sec_access(&mask, GENERIC_RIGHTS_GROUP_EXECUTE | GENERIC_RIGHTS_GROUP_READ); - init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - /*full access for builtin aliases Administrators and Account Operators*/ - init_sec_access(&mask, GENERIC_RIGHTS_GROUP_ALL_ACCESS); - init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL) - return NT_STATUS_NO_MEMORY; - - if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, 
NULL, NULL, psa, sd_size)) == NULL) - return NT_STATUS_NO_MEMORY; - - return NT_STATUS_OK; -} - -/******************************************************************* - samr_make_ali_obj_sd - ********************************************************************/ - -static NTSTATUS samr_make_ali_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size) -{ - extern DOM_SID global_sid_World; - DOM_SID adm_sid; - DOM_SID act_sid; - - SEC_ACE ace[3]; - SEC_ACCESS mask; - - SEC_ACL *psa = NULL; - - sid_copy(&adm_sid, &global_sid_Builtin); - sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); - - sid_copy(&act_sid, &global_sid_Builtin); - sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); - - /*basic access for every one*/ - init_sec_access(&mask, GENERIC_RIGHTS_ALIAS_EXECUTE | GENERIC_RIGHTS_ALIAS_READ); - init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - /*full access for builtin aliases Administrators and Account Operators*/ - init_sec_access(&mask, GENERIC_RIGHTS_ALIAS_ALL_ACCESS); - init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL) + if ( sid ) { + init_sec_access( &mask, sid_access ); + init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + } + + /* create the security descriptor */ + + if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL) return NT_STATUS_NO_MEMORY; if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL) @@ -603,8 +487,8 @@ NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN SEC_DESC *psd = NULL; uint32 acc_granted; uint32 des_access = q_u->flags; - size_t sd_size; NTSTATUS status; + size_t sd_size; SE_PRIV se_rights; r_u->status = NT_STATUS_OK; 
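Review bot: make_samr_object_sd has an empty banner comment although it replaces four named helpers and now builds the default DACL for every SAMR object type. Add a header that lists what it grants, for example `/* Default SD: Everyone gets map->generic_read|generic_execute; BUILTIN Administrators and Account Operators (and Domain Admins on a DC) get map->generic_all; a non-NULL sid gets sid_access. */`. Next to `SEC_ACE ace[5]` it is also worth saying that the five slots are exactly the five `ace[i++]` writes, so another entry needs a larger array. The function begins in the previous hunk.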
@@ -622,7 +506,7 @@ NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN /*check if access can be granted as requested by client. */ - samr_make_dom_obj_sd( p->mem_ctx, &psd, &sd_size ); + make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 ); se_map_generic( &des_access, &dom_generic_mapping ); se_priv_copy( &se_rights, &se_machine_account ); @@ -719,8 +603,8 @@ NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_ DOM_SID pol_sid; fstring str_sid; SEC_DESC * psd = NULL; - size_t sd_size; uint32 acc_granted; + size_t sd_size; r_u->status = NT_STATUS_OK; @@ -738,19 +622,19 @@ NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_ if (pol_sid.sid_rev_num == 0) { DEBUG(5,("_samr_query_sec_obj: querying security on SAM\n")); - r_u->status = samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size); + r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); } else if (sid_equal(&pol_sid,get_global_sam_sid())) /* check if it is our domain SID */ { DEBUG(5,("_samr_query_sec_obj: querying security on Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid))); - r_u->status = samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size); + r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0); } else if (sid_equal(&pol_sid,&global_sid_Builtin)) /* check if it is the Builtin Domain */ { /* TODO: Builtin probably needs a different SD with restricted write access*/ DEBUG(5,("_samr_query_sec_obj: querying security on Builtin Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid))); - r_u->status = samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size); + r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0); } else if (sid_check_is_in_our_domain(&pol_sid) || sid_check_is_in_builtin(&pol_sid)) 
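Review bot: The NTSTATUS returned by `make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );` in _samr_open_domain is discarded, so after NT_STATUS_NO_MEMORY `psd` is still NULL when the access check that presumably follows receives it. How that check treats a NULL descriptor is not visible on this page; if a missing descriptor is treated as unrestricted, an allocation failure turns into granted access. Test the result first: `status = make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );` followed by `if ( !NT_STATUS_IS_OK(status) ) return status;`. The same unchecked call appears in the _samr_open_user, _samr_create_user, _samr_connect, _samr_connect4, _samr_open_alias and _samr_open_group hunks of this commit.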
@@ -758,7 +642,7 @@ NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_ /* TODO: different SDs have to be generated for aliases groups and users. Currently all three get a default user SD */ DEBUG(10,("_samr_query_sec_obj: querying security on Object with SID: %s\n", sid_to_string(str_sid, &pol_sid))); - r_u->status = samr_make_usr_obj_sd(p->mem_ctx, &psd,&sd_size, &pol_sid); + r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &pol_sid, SAMR_USR_RIGHTS_WRITE_PW); } else return NT_STATUS_OBJECT_TYPE_MISMATCH; @@ -1727,7 +1611,7 @@ NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USE /* check if access can be granted as requested by client. */ - samr_make_usr_obj_sd(p->mem_ctx, &psd, &sd_size, &sid); + make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW); se_map_generic(&des_access, &usr_generic_mapping); se_priv_copy( &se_rights, &se_machine_account ); @@ -2444,7 +2328,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA sid_copy(&sid, pdb_get_user_sid(sam_pass)); - samr_make_usr_obj_sd(p->mem_ctx, &psd, &sd_size, &sid); + make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW); se_map_generic(&des_access, &usr_generic_mapping); nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, @@ -2531,8 +2415,8 @@ NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u SEC_DESC *psd = NULL; uint32 acc_granted; uint32 des_access = q_u->access_mask; - size_t sd_size; NTSTATUS nt_status; + size_t sd_size; DEBUG(5,("_samr_connect: %d\n", __LINE__)); 
@@ -2545,7 +2429,7 @@ NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u return r_u->status; } - samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size); + make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, @@ -2582,8 +2466,8 @@ NTSTATUS _samr_connect4(pipes_struct *p, SAMR_Q_CONNECT4 *q_u, SAMR_R_CONNECT4 * SEC_DESC *psd = NULL; uint32 acc_granted; uint32 des_access = q_u->access_mask; - size_t sd_size; NTSTATUS nt_status; + size_t sd_size; DEBUG(5,("_samr_connect4: %d\n", __LINE__)); @@ -2596,7 +2480,7 @@ NTSTATUS _samr_connect4(pipes_struct *p, SAMR_Q_CONNECT4 *q_u, SAMR_R_CONNECT4 * return r_u->status; } - samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size); + make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, @@ -2770,7 +2654,7 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A /*check if access can be granted as requested by client. */ - samr_make_ali_obj_sd(p->mem_ctx, &psd, &sd_size); + make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0); se_map_generic(&des_access,&ali_generic_mapping); se_priv_add( &se_rights, &se_add_users ); @@ -4474,7 +4358,7 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G return status; /*check if access can be granted as requested by client. */ - samr_make_grp_obj_sd(p->mem_ctx, &psd, &sd_size); + make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0); se_map_generic(&des_access,&grp_generic_mapping); se_priv_copy( &se_rights, &se_add_users ); -- cgit From 4523bd1446dc411a29b82bdd13e564979b0d5d18 Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Wed, 2 Feb 2005 20:11:37 +0000 Subject: r5180: Call the "add machine script" to create all kinds of trust accounts (this restores old behaviour). Fixes #2291. Guenther (This used to be commit 5ca0d1b87cd20f538a13321eb11ef97d00bf5133) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e963fbaa0a..b58111c1b7 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2259,7 +2259,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA pw = Get_Pwnam(account); /* determine which user right we need to check based on the acb_info */ - if ( acb_info == ACB_WSTRUST ) { + if ( acb_info & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) { se_priv_copy( &se_rights, &se_machine_account ); pstrcpy(add_script, lp_addmachine_script()); } -- cgit From a84bb6d1ec0316a39c8b730c40c9215d9d7f959a Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 3 Feb 2005 15:14:54 +0000 Subject: r5203: additional changes for BUG 2291 to restrict who can join a BDC and add domain trusts (This used to be commit 5ec1faa2ad33772fb48c3863e67d2ce4be726bb2) --- source3/rpc_server/srv_samr_nt.c | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b58111c1b7..83da810444 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -2259,17 +2259,27 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA pw = Get_Pwnam(account); /* determine which user right we need to check based on the acb_info */ - if ( acb_info & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) { - se_priv_copy( &se_rights, &se_machine_account ); + + if ( (acb_info & ACB_WSTRUST) == ACB_WSTRUST ) + { pstrcpy(add_script, lp_addmachine_script()); - } - else { - se_priv_copy( &se_rights, &se_add_users ); + se_priv_copy( &se_rights, &se_machine_account ); + can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + } + else if ( (acb_info & ACB_WSTRUST) == ACB_NORMAL ) + { pstrcpy(add_script, lp_adduser_script()); + se_priv_copy( &se_rights, &se_add_users ); + can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + } + else if ( ((acb_info & ACB_SVRTRUST) == ACB_SVRTRUST) || ((acb_info & ACB_DOMTRUST) == ACB_DOMTRUST) ) + { + pstrcpy(add_script, lp_addmachine_script()); + /* only Domain Admins can add a BDC or domain trust */ + se_priv_copy( &se_rights, &se_priv_none ); + can_add_account = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); } - - can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); - + DEBUG(5, ("_samr_create_user: %s can add this account : %s\n", p->pipe_user_name, can_add_account ? "True":"False" )); -- cgit From 8f87dcdcdab52efb0ef907ede71c0920a25b0d7b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 3 Feb 2005 16:23:49 +0000 Subject: r5205: more fixups for BUG 2291 (This used to be commit 62e7cc7c3b2fe5187c99e0a1491843579ab997e7) --- source3/rpc_server/srv_samr_nt.c | 57 +++++++++++++++++++++------------------- 1 file changed, 30 insertions(+), 27 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 83da810444..1d4569e39f 100644 --- a/source3/rpc_server/srv_samr_nt.c 
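Review bot: The second branch in _samr_create_user, `(acb_info & ACB_WSTRUST) == ACB_NORMAL`, masks with one flag and compares against another, so it cannot match a normal account unless the two constants share a bit or ACB_NORMAL is zero. A plain user request then falls through to the trust branch or matches nothing, and in the latter case `add_script`, `se_rights` and `can_add_account` are never assigned before the DEBUG line reads the result. I would write the test as `else if ( acb_info & ACB_NORMAL )` and add a final `else` that sets `can_add_account = False`, so an unrecognised `acb_info` is refused rather than decided by leftover stack contents. The declarations are outside this hunk, so whether any of these variables has an initialiser cannot be confirmed from here.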
+++ b/source3/rpc_server/srv_samr_nt.c @@ -2260,24 +2260,26 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA /* determine which user right we need to check based on the acb_info */ - if ( (acb_info & ACB_WSTRUST) == ACB_WSTRUST ) + if ( acb_info & ACB_WSTRUST ) { pstrcpy(add_script, lp_addmachine_script()); se_priv_copy( &se_rights, &se_machine_account ); can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); } - else if ( (acb_info & ACB_WSTRUST) == ACB_NORMAL ) + else if ( acb_info & ACB_NORMAL ) { pstrcpy(add_script, lp_adduser_script()); se_priv_copy( &se_rights, &se_add_users ); can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); } - else if ( ((acb_info & ACB_SVRTRUST) == ACB_SVRTRUST) || ((acb_info & ACB_DOMTRUST) == ACB_DOMTRUST) ) + else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) ) { pstrcpy(add_script, lp_addmachine_script()); - /* only Domain Admins can add a BDC or domain trust */ - se_priv_copy( &se_rights, &se_priv_none ); - can_add_account = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); + if ( lp_enable_privileges() ) { + /* only Domain Admins can add a BDC or domain trust */ + se_priv_copy( &se_rights, &se_priv_none ); + can_add_account = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); + } } DEBUG(5, ("_samr_create_user: %s can add this account : %s\n", @@ -2996,7 +2998,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE uint32 acc_required; BOOL ret; BOOL has_enough_rights; - SE_PRIV se_rights; + uint32 acb_info; DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__)); 
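Review bot: When `lp_enable_privileges()` is false, the `ACB_SVRTRUST|ACB_DOMTRUST` branch of _samr_create_user assigns nothing to `can_add_account`, and an `acb_info` with none of the tested bits matches no branch at all. The authorization result reported by the following DEBUG line, and used by whatever comes after the hunk, is then whatever the variable already held. The `has_enough_rights` chains added to the _samr_set_userinfo and _samr_set_userinfo2 hunks of this commit have the same shape. The declarations sit outside the hunks; giving them a deny default, `BOOL can_add_account = False;` and `BOOL has_enough_rights = False;`, makes every unmatched path fail closed.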
@@ -3033,16 +3035,18 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE } /* deal with machine password changes differently from userinfo changes */ - - if ( pdb_get_acct_ctrl(pwd) & ACB_WSTRUST ) - se_priv_copy( &se_rights, &se_machine_account ); - else - se_priv_copy( &se_rights, &se_add_users ); - /* check to see if we have the sufficient rights */ - has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); - + acb_info = pdb_get_acct_ctrl(pwd); + if ( acb_info & ACB_WSTRUST ) + has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account); + else if ( acb_info & ACB_NORMAL ) + has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); + else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) ) { + if ( lp_enable_privileges() ) + has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); + } + DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n", p->pipe_user_name, has_enough_rights ? "" : " not")); @@ -3135,7 +3139,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ uint32 acc_required; BOOL ret; BOOL has_enough_rights; - SE_PRIV se_rights; + uint32 acb_info; DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__)); 
@@ -3173,17 +3177,16 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ return NT_STATUS_NO_SUCH_USER; } - /* deal with machine password changes differently from userinfo changes */ - - if ( pdb_get_acct_ctrl(pwd) & ACB_WSTRUST ) - se_priv_copy( &se_rights, &se_machine_account ); - else - se_priv_copy( &se_rights, &se_add_users ); - - /* check to see if we have the sufficient rights */ - - has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); - + acb_info = pdb_get_acct_ctrl(pwd); + if ( acb_info & ACB_WSTRUST ) + has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account); + else if ( acb_info & ACB_NORMAL ) + has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); + else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) ) { + if ( lp_enable_privileges() ) + has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); + } + DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n", p->pipe_user_name, has_enough_rights ? "" : " not")); -- cgit From e98f56373bca0efc200bc3a4263477e1790a746b Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 7 Feb 2005 14:14:44 +0000 Subject: r5262: Fix server_role in the samr_query_dom_info calls. When we are a BDC we should not say we are a PDC. Guenther (This used to be commit 6cdf3b97de2c28ac92f972621b0ce04c1c80cea5) --- source3/rpc_server/srv_samr_nt.c | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 1d4569e39f..4e7d239b2c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -2072,6 +2072,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA NTTIME nt_logout; uint32 account_policy_temp; + uint32 server_role; uint32 num_users=0, num_groups=0, num_aliases=0; @@ -2136,9 +2137,13 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA unix_to_nt_time_abs(&nt_logout, u_logout); + server_role = ROLE_DOMAIN_PDC; + if (lp_server_role() == ROLE_DOMAIN_BDC) + server_role = ROLE_DOMAIN_BDC; + /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */ - init_unk_info2(&ctr->info.inf2, "", lp_workgroup(), global_myname(), (uint32) time(NULL), - num_users, num_groups, num_aliases, nt_logout); + init_unk_info2(&ctr->info.inf2, lp_serverstring(), lp_workgroup(), global_myname(), time(NULL), + num_users, num_groups, num_aliases, nt_logout, server_role); break; case 0x03: pdb_get_account_policy(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout); @@ -2153,7 +2158,11 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA init_unk_info6(&ctr->info.inf6); break; case 0x07: - init_unk_info7(&ctr->info.inf7); + server_role = ROLE_DOMAIN_PDC; + if (lp_server_role() == ROLE_DOMAIN_BDC) + server_role = ROLE_DOMAIN_BDC; + + init_unk_info7(&ctr->info.inf7, server_role); break; case 0x08: init_unk_info8(&ctr->info.inf8, (uint32) time(NULL)); @@ -4546,6 +4555,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW uint32 num_users=0, num_groups=0, num_aliases=0; uint32 account_policy_temp; + uint32 server_role; if ((ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_CTR)) == NULL) return NT_STATUS_NO_MEMORY; 
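Review bot: The three-line `server_role` computation added before `init_unk_info2()` is repeated verbatim in case 0x07 and twice more in the _samr_unknown_2e hunks, and each copy reports every role other than ROLE_DOMAIN_BDC as ROLE_DOMAIN_PDC. If these calls are reachable on a server that is neither (other role values are not visible in this diff), the reply still claims PDC. A single static helper returning `(lp_server_role() == ROLE_DOMAIN_BDC) ? ROLE_DOMAIN_BDC : ROLE_DOMAIN_PDC` would leave one place to extend the mapping, with a comment stating which roles are deliberately folded into PDC. The new `init_unk_info2()` call also drops the `(uint32)` cast on `time(NULL)` that the `init_unk_info8()` call keeps, so the narrowing is now implicit.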
@@ -4607,9 +4617,13 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW unix_to_nt_time_abs(&nt_logout, u_logout); + server_role = ROLE_DOMAIN_PDC; + if (lp_server_role() == ROLE_DOMAIN_BDC) + server_role = ROLE_DOMAIN_BDC; + /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */ - init_unk_info2(&ctr->info.inf2, "", lp_workgroup(), global_myname(), (uint32) time(NULL), - num_users, num_groups, num_aliases, nt_logout); + init_unk_info2(&ctr->info.inf2, lp_serverstring(), lp_workgroup(), global_myname(), time(NULL), + num_users, num_groups, num_aliases, nt_logout, server_role); break; case 0x03: pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); @@ -4626,7 +4640,10 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW init_unk_info6(&ctr->info.inf6); break; case 0x07: - init_unk_info7(&ctr->info.inf7); + server_role = ROLE_DOMAIN_PDC; + if (lp_server_role() == ROLE_DOMAIN_BDC) + server_role = ROLE_DOMAIN_BDC; + init_unk_info7(&ctr->info.inf7, server_role); break; case 0x08: init_unk_info8(&ctr->info.inf8, (uint32) time(NULL)); -- cgit From 5f54cc9bd3fa76e62926de0670f832f7b0e3739d Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 7 Feb 2005 18:20:06 +0000 Subject: r5264: Log with loglevel 0 when account-administration scripts fail. Guenther (This used to be commit 3d391ef149639750db376b05528a27422f8a3321) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 4e7d239b2c..9c8a35045f 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -2305,7 +2305,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA all_string_sub(add_script, "%u", account, sizeof(add_script)); add_ret = smbrun(add_script,NULL); - DEBUG(3,("_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); + DEBUG(add_ret ? 0 : 3,("_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); } else /* no add user script -- ask winbindd to do it */ { @@ -3813,7 +3813,7 @@ static int smb_delete_user(const char *unix_user) return -1; all_string_sub(del_script, "%u", unix_user, sizeof(del_script)); ret = smbrun(del_script,NULL); - DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret)); + DEBUG(ret ? 0 : 3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret)); return ret; } -- cgit From 6c84ecb55657ae28eb739a72164f6d7251dc627f Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sat, 12 Feb 2005 00:51:31 +0000 Subject: r5349: After talking with Jerry, reverted the addition of account policies to passdb in 3_0 (they are still in trunk). Guenther (This used to be commit fdf9bdbbac1d8d4f3b3e1fc7e49c1e659b9301b1) --- source3/rpc_server/srv_samr_nt.c | 58 ++++++++++++++++++++-------------------- 1 file changed, 29 insertions(+), 29 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 9c8a35045f..291d8713d5 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
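Review bot: The message now raised to level 0 on failure in _samr_create_user prints `add_script` after `%u` has been replaced with the client-supplied `account`, so request-controlled text reaches the always-on log; the same expanded string is what `smbrun()` has just executed. Whether `all_string_sub()` or an earlier check restricts the characters allowed in `account` is not visible in this hunk. A comment at the substitution, such as `/* account comes from the RPC request; it must already be validated before it reaches smbrun() and the log */`, would make that precondition explicit, and logging only `add_ret` plus the unexpanded script name at level 0 would keep the detail at level 3. The smb_delete_user hunk has the same pattern with `unix_user`.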
@@ -2092,19 +2092,19 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA switch (q_u->switch_value) { case 0x01: - pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp); + account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp); min_pass_len = account_policy_temp; - pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp); + account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp); pass_hist = account_policy_temp; - pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); + account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); flag = account_policy_temp; - pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp); + account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp); u_expire = account_policy_temp; - pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp); + account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp); u_min_age = account_policy_temp; unix_to_nt_time_abs(&nt_expire, u_expire); @@ -2132,7 +2132,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA num_groups=info->disp_info.num_group_account; free_samr_db(info); - pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); + account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); u_logout = account_policy_temp; unix_to_nt_time_abs(&nt_logout, u_logout); @@ -2146,7 +2146,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA num_users, num_groups, num_aliases, nt_logout, server_role); break; case 0x03: - pdb_get_account_policy(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout); + account_policy_get(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout); unix_to_nt_time_abs(&nt_logout, u_logout); init_unk_info3(&ctr->info.inf3, nt_logout); 
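Review bot: In case 0x03 of _samr_query_dom_info the renamed call still passes `(unsigned int *)&u_logout`, writing through a pointer type the variable was not declared with. `u_logout` is declared outside the hunk, but the other cases copy `account_policy_temp` into it, which suggests it is a wider time type. If so, only part of it is written before `unix_to_nt_time_abs()` reads it, and the result depends on byte order and on the variable's previous contents. Case 0x02 here and case 0x03 of _samr_unknown_2e already use the safe form, `account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); u_logout = account_policy_temp;`, and this call should match them.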
@@ -2168,15 +2168,15 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA init_unk_info8(&ctr->info.inf8, (uint32) time(NULL)); break; case 0x0c: - pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); + account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); u_lock_duration = account_policy_temp; if (u_lock_duration != -1) u_lock_duration *= 60; - pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp); + account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp); u_reset_time = account_policy_temp * 60; - pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); + account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); lockout = account_policy_temp; unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); @@ -4572,19 +4572,19 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW switch (q_u->switch_value) { case 0x01: - pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp); + account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp); min_pass_len = account_policy_temp; - pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp); + account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp); pass_hist = account_policy_temp; - pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); + account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); flag = account_policy_temp; - pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp); + account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp); u_expire = account_policy_temp; - pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp); + account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp); u_min_age = account_policy_temp; unix_to_nt_time_abs(&nt_expire, u_expire); 
@@ -4612,7 +4612,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW num_groups=info->disp_info.num_group_account; free_samr_db(info); - pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); + account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); u_logout = account_policy_temp; unix_to_nt_time_abs(&nt_logout, u_logout); @@ -4626,7 +4626,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW num_users, num_groups, num_aliases, nt_logout, server_role); break; case 0x03: - pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); + account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); u_logout = account_policy_temp; unix_to_nt_time_abs(&nt_logout, u_logout); @@ -4649,15 +4649,15 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW init_unk_info8(&ctr->info.inf8, (uint32) time(NULL)); break; case 0x0c: - pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); + account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); u_lock_duration = account_policy_temp; if (u_lock_duration != -1) u_lock_duration *= 60; - pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp); + account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp); u_reset_time = account_policy_temp * 60; - pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); + account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); lockout = account_policy_temp; unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); 
@@ -4701,17 +4701,17 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R u_expire=nt_time_to_unix_abs(&q_u->ctr->info.inf1.expire); u_min_age=nt_time_to_unix_abs(&q_u->ctr->info.inf1.min_passwordage); - pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password); - pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history); - pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag); - pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire); - pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age); + account_policy_set(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password); + account_policy_set(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history); + account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag); + account_policy_set(AP_MAX_PASSWORD_AGE, (int)u_expire); + account_policy_set(AP_MIN_PASSWORD_AGE, (int)u_min_age); break; case 0x02: break; case 0x03: u_logout=nt_time_to_unix_abs(&q_u->ctr->info.inf3.logout); - pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout); + account_policy_set(AP_TIME_TO_LOGOUT, (int)u_logout); break; case 0x05: break; @@ -4726,9 +4726,9 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count)/60; - pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration); - pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time); - pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout); + account_policy_set(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration); + account_policy_set(AP_RESET_COUNT_TIME, (int)u_reset_time); + account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout); break; default: return NT_STATUS_INVALID_INFO_CLASS; -- cgit 
From 96edc93c2373b67ae78adbbde7a68a68daa263e0 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 16 Feb 2005 19:51:16 +0000 Subject: r5419: Fix some unitialized variable warnings (This used to be commit 9004b7897416d142ab9e3bee60c7bda589f94750) --- source3/rpc_server/srv_samr_nt.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 291d8713d5..ec85981cbe 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2221,7 +2221,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA uint32 new_rid = 0; /* check this, when giving away 'add computer to domain' privs */ uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS; - BOOL can_add_account; + BOOL can_add_account = False; SE_PRIV se_rights; /* Get the domain SID stored in the domain policy */ @@ -3006,7 +3006,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE uint32 acc_granted; uint32 acc_required; BOOL ret; - BOOL has_enough_rights; + BOOL has_enough_rights = False; uint32 acb_info; DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__)); @@ -3147,7 +3147,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ uint32 acc_granted; uint32 acc_required; BOOL ret; - BOOL has_enough_rights; + BOOL has_enough_rights = False; uint32 acb_info; DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__)); -- cgit From a90a58ff221a4469d6e87df655cb2201d68e237b Mon Sep 17 00:00:00 2001 
From: Volker Lendecke Date: Sun, 20 Feb 2005 13:47:16 +0000 Subject: r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8) --- source3/rpc_server/srv_samr_nt.c | 52 +++++++++++----------------------------- 1 file changed, 14 insertions(+), 38 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index ec85981cbe..7a436e23e9 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3434,18 +3434,17 @@ static BOOL get_memberuids(gid_t gid, uid_t **uids, int *num) NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u) { - int final_num_rids, i; DOM_SID group_sid; fstring group_sid_str; - uid_t *uids; - int num; - gid_t gid; + int i, num_members; uint32 *rid=NULL; uint32 *attr=NULL; uint32 acc_granted; + NTSTATUS result; + /* find the policy handle. open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; 
@@ -3464,46 +3463,23 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ DEBUG(10, ("lookup on Domain SID\n")); - if (!NT_STATUS_IS_OK(sid_to_gid(&group_sid, &gid))) - return NT_STATUS_NO_SUCH_GROUP; + become_root(); + result = pdb_enum_group_members(p->mem_ctx, &group_sid, + &rid, &num_members); + unbecome_root(); - if(!get_memberuids(gid, &uids, &num)) - return NT_STATUS_NO_SUCH_GROUP; + if (!NT_STATUS_IS_OK(result)) + return result; - rid=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num); - attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num); + attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members); - if (num!=0 && (rid==NULL || attr==NULL)) + if ((num_members!=0) && (rid==NULL)) return NT_STATUS_NO_MEMORY; - final_num_rids = 0; - - for (i=0; i Date: Sun, 20 Feb 2005 14:26:58 +0000 Subject: r5469: Fix error codes of samr_lookup_rids: There's also STATUS_SOME_UNMAPPED. Thanks, Volker (This used to be commit 43dcf0f5cb5dc2dd37ab3cdc2905970d9cc50ba4) --- source3/rpc_server/srv_samr_nt.c | 37 ++++++++++++++++++++++++++----------- 1 file changed, 26 insertions(+), 11 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 7a436e23e9..1881bc6e48 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1510,7 +1510,9 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK int num_rids = q_u->num_rids1; int i; uint32 acc_granted; - + BOOL have_mapped = False; + BOOL have_unmapped = False; + r_u->status = NT_STATUS_OK; DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__)); 
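Review bot: The allocation check after `attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members);` in _samr_query_groupmem tests only `rid`, so a failed `attr` allocation is no longer caught the way the removed `rid==NULL || attr==NULL` test caught it. The tail of this hunk is cut off on the page, so the later use of `attr` is not visible, but it is presumably filled per member or handed to the reply. I would keep both pointers in the test: `if ((num_members!=0) && (rid==NULL || attr==NULL)) return NT_STATUS_NO_MEMORY;`. `pdb_enum_group_members()` also runs between `become_root()` and `unbecome_root()`, so a one-line comment saying why root is needed there would help the next reader.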
@@ -1529,7 +1531,11 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK return NT_STATUS_NO_MEMORY; } - r_u->status = NT_STATUS_NONE_MAPPED; + if (!sid_equal(&pol_sid, get_global_sam_sid())) { + /* TODO: Sooner or later we need to look up BUILTIN rids as + * well. -- vl */ + goto done; + } become_root(); /* lookup_sid can require root privs */ @@ -1542,21 +1548,30 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK group_attrs[i] = SID_NAME_UNKNOWN; *group_names[i] = '\0'; - if (sid_equal(&pol_sid, get_global_sam_sid())) { - sid_copy(&sid, &pol_sid); - sid_append_rid(&sid, q_u->rid[i]); + sid_copy(&sid, &pol_sid); + sid_append_rid(&sid, q_u->rid[i]); - if (lookup_sid(&sid, domname, tmpname, &type)) { - r_u->status = NT_STATUS_OK; - group_attrs[i] = (uint32)type; - fstrcpy(group_names[i],tmpname); - DEBUG(5,("_samr_lookup_rids: %s:%d\n", group_names[i], group_attrs[i])); - } + if (lookup_sid(&sid, domname, tmpname, &type)) { + group_attrs[i] = (uint32)type; + fstrcpy(group_names[i],tmpname); + DEBUG(5,("_samr_lookup_rids: %s:%d\n", group_names[i], + group_attrs[i])); + have_mapped = True; + } else { + have_unmapped = True; } } unbecome_root(); + done: + + r_u->status = NT_STATUS_NONE_MAPPED; + + if (have_mapped) + r_u->status = + have_unmapped ? STATUS_SOME_UNMAPPED : NT_STATUS_OK; + if(!make_samr_lookup_rids(p->mem_ctx, num_rids, group_names, &hdr_name, &uni_name)) return NT_STATUS_NO_MEMORY; -- cgit From dc0ec444833be678c5f8cdcf861a46ebe3d2955c Mon Sep 17 00:00:00 2001 
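Review bot: The new early `goto done` for a policy SID that is not the global SAM SID skips the loop in _samr_lookup_rids, which was the only place `*group_names[i] = '\0'` ran. `done:` still passes `group_names` and `num_rids` to `make_samr_lookup_rids()`. If `group_names` is an uninitialised local array (its declaration is outside these hunks), the names marshalled into the reply on that path are built from whatever the stack held. Clearing the entries before the `sid_equal()` test, for example `for (i = 0; i < num_rids; i++) *group_names[i] = '\0';`, keeps the early exit and gives the reply defined, empty names.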
From: Volker Lendecke Date: Sun, 20 Feb 2005 15:15:33 +0000 Subject: r5471: In cli_samr_lookup_rids, flags is not a flags but an array size. W2k3 rejects everything but 1000 here, so there's no point in exposing that to the caller. Thanks, Volker (This used to be commit 03ec1bd9e54b065c0494bc57a3d78ac0ae28e234) --- source3/rpc_server/srv_samr_nt.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 1881bc6e48..8a10fa6d2d 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1521,9 +1521,10 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (num_rids > MAX_SAM_ENTRIES) { - num_rids = MAX_SAM_ENTRIES; - DEBUG(5,("_samr_lookup_rids: truncating entries to %d\n", num_rids)); + if (num_rids > 1000) { + DEBUG(0, ("Got asked for %d rids (more than 1000) -- according " + "to samba4 idl this is not possible\n", num_rids)); + return NT_STATUS_UNSUCCESSFUL; } if (num_rids) { -- cgit From 140752fd35bd5701b3078abf695f811d933fe893 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 3 Mar 2005 16:52:44 +0000 Subject: r5647: Caches are good for performance, but you get a consistency problem. Fix bug # 2401. Volker (This used to be commit eb4ef94f244d28fe531d0b9f724a66ed3834b687) --- source3/rpc_server/srv_samr_nt.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 8a10fa6d2d..139960f661 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
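Review bot: The new limit in _samr_lookup_rids is the literal 1000, while earlier revisions on this page size the per-request name array in this function by MAX_SAM_ENTRIES, the bound the removed lines clamped to. If MAX_SAM_ENTRIES is smaller than 1000 (its value is not visible here), a request between the two values would index past that array in the lookup loop. `num_rids` is also a signed `int` copied from `q_u->num_rids1`, so a very large wire value could turn negative and pass a `> 1000` test. I would check against both bounds and reject negatives, `if (num_rids < 0 || num_rids > MAX_SAM_ENTRIES || num_rids > 1000)`, and give 1000 a named constant with the samba4 IDL reference from the log message as its comment.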
@@ -2335,6 +2335,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA /* implicit call to getpwnam() next. we have a valid SID coming out of this call */ + flush_pwnam_cache(); nt_status = pdb_init_sam_new(&sam_pass, account, new_rid); /* this code is order such that we have no unnecessary retuns @@ -3805,6 +3806,7 @@ static int smb_delete_user(const char *unix_user) return -1; all_string_sub(del_script, "%u", unix_user, sizeof(del_script)); ret = smbrun(del_script,NULL); + flush_pwnam_cache(); DEBUG(ret ? 0 : 3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret)); return ret; -- cgit From 43f4930ed3210910b2a1f1ff0c04d9c8ed9f238d Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 22 Mar 2005 14:20:25 +0000 Subject: r5943: remove unneccessary se_priv_copy() (This used to be commit 2db04a90c4197a3950bbc322948468cb306b3557) --- source3/rpc_server/srv_samr_nt.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 139960f661..9e75dd6f7c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3821,7 +3821,6 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM DOM_SID user_sid; SAM_ACCOUNT *sam_pass=NULL; uint32 acc_granted; - SE_PRIV se_rights; BOOL can_add_accounts; BOOL ret; @@ -3847,8 +3846,7 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM return NT_STATUS_NO_SUCH_USER; } - se_priv_copy( &se_rights, &se_add_users ); - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); /******** BEGIN SeAddUsers BLOCK *********/ -- cgit From 9b38ced168d4db50126c4259b31cb15e2ee2231b Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Tue, 22 Mar 2005 14:54:12 +0000 Subject: r5950: more compiler warning's from Jason Mader (This used to be commit 27c6e85ad59a86ab45ae3297c7445c4ff15546c8) --- source3/rpc_server/srv_samr_nt.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 9e75dd6f7c..b96e160156 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1977,7 +1977,7 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S DOM_GID *gids = NULL; int num_groups = 0; gid_t *unix_gids; - int i, num_gids, num_sids; + int i, num_gids; uint32 acc_granted; BOOL ret; NTSTATUS result; @@ -2027,7 +2027,6 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S } sids = NULL; - num_sids = 0; become_root(); result = pdb_enum_group_memberships(pdb_get_username(sam_pass), @@ -4119,7 +4118,6 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S DOM_SID dom_sid; DOM_SID info_sid; fstring name; - struct group *grp; struct samr_info *info; uint32 acc_granted; gid_t gid; @@ -4166,7 +4164,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S return NT_STATUS_ACCESS_DENIED; /* check if the group has been successfully created */ - if ((grp=getgrgid(gid)) == NULL) + if ( getgrgid(gid) == NULL ) return NT_STATUS_ACCESS_DENIED; if ((info = get_samr_info_by_sid(&info_sid)) == NULL) -- cgit From 93e04e941e15034c8e7aa1faedc74ce536049153 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 22 Mar 2005 18:07:58 +0000 Subject: r5961: final round of compiler warning fixes based on feedback from Jason Mader (This used to be commit 9e77da9320c900b3e437d534e31fa5ff81e9acfd) --- source3/rpc_server/srv_samr_nt.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b96e160156..19989838c7 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2899,7 +2899,7 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, SAM_ACCOUNT *pwd) acct_ctrl = pdb_get_acct_ctrl(pwd); - if (!decode_pw_buffer((char*)id23->pass, plaintext_buf, 256, &len, STR_UNICODE)) { + if (!decode_pw_buffer(id23->pass, plaintext_buf, 256, &len, STR_UNICODE)) { pdb_free_sam(&pwd); return False; } @@ -2950,7 +2950,7 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, SAM_ACCOUNT *pwd) set_user_info_pw ********************************************************************/ -static BOOL set_user_info_pw(char *pass, SAM_ACCOUNT *pwd) +static BOOL set_user_info_pw(uint8 *pass, SAM_ACCOUNT *pwd) { uint32 len; pstring plaintext_buf; @@ -3096,7 +3096,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE dump_data(100, (char *)ctr->info.id24->pass, 516); - if (!set_user_info_pw((char *)ctr->info.id24->pass, pwd)) + if (!set_user_info_pw(ctr->info.id24->pass, pwd)) r_u->status = NT_STATUS_ACCESS_DENIED; break; -- cgit From cf7d098b2c1032b51b8f5d439b29c8d20d0991ee Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Tue, 22 Mar 2005 20:50:29 +0000 Subject: r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e) --- source3/rpc_server/srv_samr_nt.c | 62 +++++++++++----------------------------- 1 file changed, 17 insertions(+), 45 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 19989838c7..001da3f3ea 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1464,8 +1464,9 @@ NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_ makes a SAMR_R_LOOKUP_RIDS structure. ********************************************************************/ -static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, fstring names[], - UNIHDR **pp_hdr_name, UNISTR2 **pp_uni_name) +static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, + const char **names, UNIHDR **pp_hdr_name, + UNISTR2 **pp_uni_name) { uint32 i; UNIHDR *hdr_name=NULL; @@ -1485,7 +1486,7 @@ static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, fstring nam } for (i = 0; i < num_names; i++) { - DEBUG(10, ("names[%d]:%s\n", i, names[i] ? names[i] : "")); + DEBUG(10, ("names[%d]:%s\n", i, *names[i] ? names[i] : "")); init_unistr2(&uni_name[i], names[i], UNI_FLAGS_NONE); init_uni_hdr(&hdr_name[i], &uni_name[i]); } @@ -1502,16 +1503,13 @@ static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, fstring nam NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP_RIDS *r_u) { - fstring group_names[MAX_SAM_ENTRIES]; - uint32 *group_attrs = NULL; + const char **names; + uint32 *attrs = NULL; UNIHDR *hdr_name = NULL; UNISTR2 *uni_name = NULL; DOM_SID pol_sid; int num_rids = q_u->num_rids1; - int i; uint32 acc_granted; - BOOL have_mapped = False; - BOOL have_unmapped = False; r_u->status = NT_STATUS_OK; 
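Review bot: In the `DEBUG(10, ...)` line of `make_samr_lookup_rids` the NULL test `names[i] ? ...` was turned into a dereference, `*names[i] ? ...`, although `names` is now an array of pointers instead of an array of `fstring` buffers. The caller allocates that array with `TALLOC_ZERO_ARRAY` (next hunk), so any slot `pdb_lookup_rids` leaves unset is NULL when it gets here, and the RID list that drives the lookup comes from the RPC client. I would test the pointer as well, `(names[i] && *names[i]) ? names[i] : ""`, and confirm that `init_unistr2` on the following line accepts a NULL string, which this hunk does not show. The function body starts and ends outside the hunk.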
@@ -1527,11 +1525,12 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK return NT_STATUS_UNSUCCESSFUL; } - if (num_rids) { - if ((group_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids )) == NULL) - return NT_STATUS_NO_MEMORY; - } - + names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids); + attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids); + + if ((num_rids != 0) && ((names == NULL) || (attrs == NULL))) + return NT_STATUS_NO_MEMORY; + if (!sid_equal(&pol_sid, get_global_sam_sid())) { /* TODO: Sooner or later we need to look up BUILTIN rids as * well. -- vl */ @@ -1539,44 +1538,17 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK } become_root(); /* lookup_sid can require root privs */ - - for (i = 0; i < num_rids; i++) { - fstring tmpname; - fstring domname; - DOM_SID sid; - enum SID_NAME_USE type; - - group_attrs[i] = SID_NAME_UNKNOWN; - *group_names[i] = '\0'; - - sid_copy(&sid, &pol_sid); - sid_append_rid(&sid, q_u->rid[i]); - - if (lookup_sid(&sid, domname, tmpname, &type)) { - group_attrs[i] = (uint32)type; - fstrcpy(group_names[i],tmpname); - DEBUG(5,("_samr_lookup_rids: %s:%d\n", group_names[i], - group_attrs[i])); - have_mapped = True; - } else { - have_unmapped = True; - } - } - + r_u->status = pdb_lookup_rids(p->mem_ctx, &pol_sid, num_rids, q_u->rid, + &names, &attrs); unbecome_root(); done: - r_u->status = NT_STATUS_NONE_MAPPED; - - if (have_mapped) - r_u->status = - have_unmapped ? STATUS_SOME_UNMAPPED : NT_STATUS_OK; - - if(!make_samr_lookup_rids(p->mem_ctx, num_rids, group_names, &hdr_name, &uni_name)) + if(!make_samr_lookup_rids(p->mem_ctx, num_rids, names, + &hdr_name, &uni_name)) return NT_STATUS_NO_MEMORY; - init_samr_r_lookup_rids(r_u, num_rids, hdr_name, uni_name, group_attrs); + init_samr_r_lookup_rids(r_u, num_rids, hdr_name, uni_name, attrs); DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__)); -- cgit 
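Review bot: After `pdb_lookup_rids` the code falls straight through to `done:` and builds the reply from `names` and `attrs` whatever status came back, so the reply is only well-formed if the backend fills every slot, including on failure. The removed loop first set `group_attrs[i] = SID_NAME_UNKNOWN` and an empty name for each RID; the zeroed arrays now give a NULL name and attribute 0 instead, and whether 0 stands for "unknown" cannot be seen here. The non-matching-SID branch above presumably jumps to `done:` (the jump lies between the hunks) and would then reach `make_samr_lookup_rids` with every name still NULL. I would pre-fill the defaults before the lookup, or state the contract where the arrays are allocated: `/* pdb_lookup_rids must set names[i] and attrs[i] for every rid, mapped or not */`.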
From e84ead0cfdc5e45a577387cc54dceb4c3f32948a Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 27 Mar 2005 16:33:04 +0000 Subject: r6080: Port some of the non-critical changes from HEAD to 3_0. The main one is the change in pdb_enum_alias_memberships to match samr.idl a bit closer. Volker (This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f) --- source3/rpc_server/srv_samr_nt.c | 37 ++++++++++--------------------------- 1 file changed, 10 insertions(+), 27 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 001da3f3ea..7294a46d75 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3230,8 +3230,8 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u) { - int num_groups = 0; - uint32 *rids=NULL; + int num_alias_rids; + uint32 *alias_rids; struct samr_info *info = NULL; int i; @@ -3239,8 +3239,6 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, NTSTATUS ntstatus2; DOM_SID *members; - DOM_SID *aliases; - int num_aliases; BOOL res; r_u->status = NT_STATUS_OK; 
@@ -3273,35 +3271,20 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, for (i=0; inum_sids1; i++) sid_copy(&members[i], &q_u->sid[i].sid); + alias_rids = NULL; + num_alias_rids = 0; + become_root(); - res = pdb_enum_alias_memberships(members, - q_u->num_sids1, &aliases, - &num_aliases); + res = pdb_enum_alias_memberships(p->mem_ctx, &info->sid, members, + q_u->num_sids1, + &alias_rids, &num_alias_rids); unbecome_root(); if (!res) return NT_STATUS_UNSUCCESSFUL; - rids = NULL; - num_groups = 0; - - for (i=0; isid, &aliases[i], &rid)) - continue; - - rids = TALLOC_REALLOC_ARRAY(p->mem_ctx, rids, uint32, num_groups+1); - - if (rids == NULL) - return NT_STATUS_NO_MEMORY; - - rids[num_groups] = rid; - num_groups += 1; - } - SAFE_FREE(aliases); - - init_samr_r_query_useraliases(r_u, num_groups, rids, NT_STATUS_OK); + init_samr_r_query_useraliases(r_u, num_alias_rids, alias_rids, + NT_STATUS_OK); return NT_STATUS_OK; } -- cgit From 978ca8486031e43754a3c23757f361bf3a85f335 Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Wed, 6 Apr 2005 16:28:04 +0000 Subject: r6225: get rid of warnings from my compiler about nested externs (This used to be commit efea76ac71412f8622cd233912309e91b9ea52da) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 7294a46d75..24ff6f1f2c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -39,6 +39,7 @@ SA_RIGHT_USER_CHANGE_PASSWORD | \ SA_RIGHT_USER_SET_LOC_COM ) +extern DOM_SID global_sid_World; extern DOM_SID global_sid_Builtin; extern rid_name domain_group_rids[]; 
@@ -80,7 +81,6 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd struct generic_mapping *map, DOM_SID *sid, uint32 sid_access ) { - extern DOM_SID global_sid_World; DOM_SID adm_sid, act_sid, domadmin_sid; SEC_ACE ace[5]; /* at most 5 entries */ SEC_ACCESS mask; -- cgit From 83e11ba86c2401ece3c845fd10c22b84e6be7811 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 9 Apr 2005 11:46:40 +0000 Subject: r6263: Get rid of generate_wellknown_sids, they are const static and initializable statically. Volker (This used to be commit 3493d9f383567d286e69c0e60c0708ed400a04d9) --- source3/rpc_server/srv_samr_nt.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 24ff6f1f2c..2384ddb9d3 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -39,9 +39,6 @@ SA_RIGHT_USER_CHANGE_PASSWORD | \ SA_RIGHT_USER_SET_LOC_COM ) -extern DOM_SID global_sid_World; -extern DOM_SID global_sid_Builtin; - extern rid_name domain_group_rids[]; extern rid_name domain_alias_rids[]; extern rid_name builtin_alias_rids[]; -- cgit From 110d86876eef65c838105f7365e50c77c3a02a30 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 10 Apr 2005 17:12:25 +0000 Subject: r6282: Before converting enum_dom_groups, better get the previous version a bit closer to being correct. 'svn blame' shows CVSIN, but somehow I get the feeling this is my code... Volker (This used to be commit 5d34bd617535a26ae121a72add41dc7b8cec4580) --- source3/rpc_server/srv_samr_nt.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 2384ddb9d3..84c78eab64 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -864,6 +864,7 @@ static NTSTATUS get_group_domain_entries( TALLOC_CTX *ctx, int i; uint32 group_entries = 0; uint32 num_entries = 0; + NTSTATUS result = NT_STATUS_OK; *p_num_entries = 0; @@ -881,6 +882,7 @@ static NTSTATUS get_group_domain_entries( TALLOC_CTX *ctx, if (num_entries>max_entries) { DEBUG(5,("Limiting to %d entries\n", max_entries)); num_entries=max_entries; + result = STATUS_MORE_ENTRIES; } *d_grp=TALLOC_ZERO_ARRAY(ctx, DOMAIN_GRP, num_entries); @@ -903,7 +905,7 @@ static NTSTATUS get_group_domain_entries( TALLOC_CTX *ctx, DEBUG(10,("get_group_domain_entries: returning %d entries\n", *p_num_entries)); - return NT_STATUS_OK; + return result; } /******************************************************************* @@ -970,13 +972,19 @@ NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAM DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__)); /* the domain group array is being allocated in the function below */ - if (!NT_STATUS_IS_OK(r_u->status = get_group_domain_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES))) { + r_u->status = get_group_domain_entries(p->mem_ctx, &grp, &sid, + q_u->start_idx, &num_entries, + MAX_SAM_ENTRIES); + + if (!NT_STATUS_IS_OK(r_u->status) && + !NT_STATUS_EQUAL(r_u->status, STATUS_MORE_ENTRIES)) return r_u->status; - } - make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp); + make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, + num_entries, grp); - init_samr_r_enum_dom_groups(r_u, q_u->start_idx, num_entries); + init_samr_r_enum_dom_groups(r_u, q_u->start_idx+num_entries, + num_entries); DEBUG(5,("samr_enum_dom_groups: %d\n", __LINE__)); -- cgit From d3d6126d94d55a69c45b2f7a63a7fa9b561baf48 Mon Sep 17 00:00:00 2001 
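Review bot: The new `result = STATUS_MORE_ENTRIES` in `get_group_domain_entries` is reached through `num_entries>max_entries`, but `num_entries` comes from the unsigned subtraction `num_entries=group_entries-start_idx` that sits between these hunks (shown in full further down the page, where a later commit removes the function), and `start_idx` is the client-supplied `q_u->start_idx`. A start index above the number of mapped groups wraps to a very large count, is clamped to `max_entries`, and the copy loop that follows (its body is garbled on this page) would presumably index the group map from `start_idx`, past its end, while the caller now also advances the resume index by that count. A guard before the subtraction closes this: `if (start_idx >= group_entries) { SAFE_FREE(map); return NT_STATUS_OK; }`. The return value of `pdb_enum_group_mapping` is not checked either.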
From: Volker Lendecke Date: Fri, 15 Apr 2005 13:41:49 +0000 Subject: r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9) --- source3/rpc_server/srv_samr_nt.c | 818 ++++++++++++--------------------------- 1 file changed, 238 insertions(+), 580 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 84c78eab64..fe54476cc9 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -43,14 +43,12 @@ extern rid_name domain_group_rids[]; extern rid_name domain_alias_rids[]; extern rid_name builtin_alias_rids[]; - -typedef struct _disp_info { - BOOL user_dbloaded; - uint32 num_user_account; - SAM_ACCOUNT *disp_user_info; - BOOL group_dbloaded; - uint32 num_group_account; - DOMAIN_GRP *disp_group_info; +typedef struct disp_info { + struct pdb_search *users; + struct pdb_search *machines; + struct pdb_search *groups; + struct pdb_search *aliases; + struct pdb_search *builtins; } DISP_INFO; struct samr_info { 
@@ -238,10 +236,9 @@ static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) mem_ctx = talloc_init("samr_info for domain sid %s", sid_str); - if ((info = TALLOC_P(mem_ctx, struct samr_info)) == NULL) + if ((info = TALLOC_ZERO_P(mem_ctx, struct samr_info)) == NULL) return NULL; - ZERO_STRUCTP(info); DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str)); if (psid) { sid_copy( &info->sid, psid); @@ -256,33 +253,22 @@ static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) Function to free the per handle data. ********************************************************************/ -static void free_samr_users(struct samr_info *info) -{ - int i; - - if (info->disp_info.user_dbloaded){ - for (i=0; idisp_info.num_user_account; i++) { - SAM_ACCOUNT *sam = &info->disp_info.disp_user_info[i]; - /* Not really a free, actually a 'clear' */ - pdb_free_sam(&sam); - } - } - info->disp_info.user_dbloaded=False; - info->disp_info.num_user_account=0; -} - /******************************************************************* Function to free the per handle data. ********************************************************************/ static void free_samr_db(struct samr_info *info) { - /* Groups are talloced */ - - free_samr_users(info); - - info->disp_info.group_dbloaded=False; - info->disp_info.num_group_account=0; + pdb_search_destroy(info->disp_info.users); + info->disp_info.users = NULL; + pdb_search_destroy(info->disp_info.machines); + info->disp_info.machines = NULL; + pdb_search_destroy(info->disp_info.groups); + info->disp_info.groups = NULL; + pdb_search_destroy(info->disp_info.aliases); + info->disp_info.aliases = NULL; + pdb_search_destroy(info->disp_info.builtins); + info->disp_info.builtins = NULL; } static void free_samr_info(void *ptr) 
@@ -309,154 +295,30 @@ static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass) pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT); } - -static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask, BOOL only_machines) +static uint32 count_sam_users(struct disp_info *info, uint16 acct_flags) { - SAM_ACCOUNT *pwd = NULL; - SAM_ACCOUNT *pwd_array = NULL; - NTSTATUS nt_status = NT_STATUS_OK; - TALLOC_CTX *mem_ctx = info->mem_ctx; - uint16 query_acb_mask = acb_mask; - - DEBUG(10,("load_sampwd_entries\n")); - - /* if the snapshoot is already loaded, return */ - if ((info->disp_info.user_dbloaded==True) - && (info->acb_mask == acb_mask) - && (info->only_machines == only_machines)) { - DEBUG(10,("load_sampwd_entries: already in memory\n")); - return NT_STATUS_OK; - } - - free_samr_users(info); - - if (only_machines) { - query_acb_mask |= ACB_WSTRUST; - query_acb_mask |= ACB_SVRTRUST; - } - - if (!pdb_setsampwent(False, query_acb_mask)) { - DEBUG(0, ("load_sampwd_entries: Unable to open passdb.\n")); - return NT_STATUS_ACCESS_DENIED; - } - - for (; (NT_STATUS_IS_OK(nt_status = pdb_init_sam_talloc(mem_ctx, &pwd))) - && pdb_getsampwent(pwd) == True; pwd=NULL) { - - if (only_machines) { - if (!((pdb_get_acct_ctrl(pwd) & ACB_WSTRUST) - || (pdb_get_acct_ctrl(pwd) & ACB_SVRTRUST))) { - DEBUG(5,("load_sampwd_entries: '%s' is not a machine account - ACB: %x - skipping\n", pdb_get_username(pwd), acb_mask)); - pdb_free_sam(&pwd); - continue; - } - } else { - if (acb_mask != 0 && !(pdb_get_acct_ctrl(pwd) & acb_mask)) { - pdb_free_sam(&pwd); - DEBUG(5,(" acb_mask %x reject\n", acb_mask)); - continue; - } - } - - /* Realloc some memory for the array of ptr to the SAM_ACCOUNT structs */ - if (info->disp_info.num_user_account % MAX_SAM_ENTRIES == 0) { - - DEBUG(10,("load_sampwd_entries: allocating more memory\n")); - pwd_array=TALLOC_REALLOC_ARRAY(mem_ctx, info->disp_info.disp_user_info, SAM_ACCOUNT, - info->disp_info.num_user_account+MAX_SAM_ENTRIES); - - if (pwd_array==NULL) 
- return NT_STATUS_NO_MEMORY; - - info->disp_info.disp_user_info=pwd_array; - } - - /* Copy the SAM_ACCOUNT into the array */ - info->disp_info.disp_user_info[info->disp_info.num_user_account]=*pwd; - - DEBUG(10,("load_sampwd_entries: entry: %d\n", info->disp_info.num_user_account)); - - info->disp_info.num_user_account++; - } - - pdb_endsampwent(); - - /* the snapshoot is in memory, we're ready to enumerate fast */ - - info->acb_mask = acb_mask; - info->only_machines = only_machines; - info->disp_info.user_dbloaded=True; - - DEBUG(10,("load_sampwd_entries: done\n")); - - return nt_status; + struct samr_displayentry *entry; + if (info->users == NULL) + info->users = pdb_search_users(acct_flags); + if (info->users == NULL) + return 0; + /* Fetch the last possible entry, thus trigger an enumeration */ + pdb_search_entries(info->users, 0xffffffff, 1, &entry); + return info->users->num_entries; } -static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) +static uint32 count_sam_groups(struct disp_info *info) { - GROUP_MAP *map=NULL; - DOMAIN_GRP *grp_array = NULL; - uint32 group_entries = 0; - uint32 i; - TALLOC_CTX *mem_ctx = info->mem_ctx; - BOOL ret; - - DEBUG(10,("load_group_domain_entries\n")); - - /* if the snapshoot is already loaded, return */ - if (info->disp_info.group_dbloaded==True) { - DEBUG(10,("load_group_domain_entries: already in memory\n")); - return NT_STATUS_OK; - } - - if (sid_equal(sid, &global_sid_Builtin)) { - /* No domain groups for now in the BUILTIN domain */ - info->disp_info.num_group_account=0; - info->disp_info.disp_group_info=NULL; - info->disp_info.group_dbloaded=True; - return NT_STATUS_OK; - } - - become_root(); - ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED); - unbecome_root(); - - if ( !ret ) { - DEBUG(1, ("load_group_domain_entries: pdb_enum_group_mapping() failed!\n")); - return NT_STATUS_NO_MEMORY; - } - - - info->disp_info.num_group_account=group_entries; - - 
grp_array=TALLOC_ARRAY(mem_ctx, DOMAIN_GRP, info->disp_info.num_group_account); - if (group_entries!=0 && grp_array==NULL) { - DEBUG(1, ("load_group_domain_entries: talloc() failed for grp_array!\n")); - SAFE_FREE(map); - return NT_STATUS_NO_MEMORY; - } - - info->disp_info.disp_group_info=grp_array; - - for (i=0; idisp_info.group_dbloaded=True; - - DEBUG(10,("load_group_domain_entries: done\n")); - - return NT_STATUS_OK; + struct samr_displayentry *entry; + if (info->groups == NULL) + info->groups = pdb_search_groups(); + if (info->groups == NULL) + return 0; + /* Fetch the last possible entry, thus trigger an enumeration */ + pdb_search_entries(info->groups, 0xffffffff, 1, &entry); + return info->groups->num_entries; } - /******************************************************************* _samr_close_hnd ********************************************************************/ @@ -656,20 +518,14 @@ NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_ makes a SAM_ENTRY / UNISTR2* structure from a user list. ********************************************************************/ -static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR2 **uni_name_pp, - uint32 num_entries, uint32 start_idx, SAM_ACCOUNT *disp_user_info, - DOM_SID *domain_sid) +static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, + UNISTR2 **uni_name_pp, + uint32 num_entries, uint32 start_idx, + struct samr_displayentry *entries) { uint32 i; SAM_ENTRY *sam; UNISTR2 *uni_name; - SAM_ACCOUNT *pwd = NULL; - UNISTR2 uni_temp_name; - const char *temp_name; - const DOM_SID *user_sid; - uint32 user_rid; - fstring user_sid_string; - fstring domain_sid_string; *sam_pp = NULL; *uni_name_pp = NULL; 
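Review bot: `count_sam_users` creates `info->users` from its own `acct_flags` only while the pointer is NULL, and `_samr_enum_dom_users` later in this patch does the same with `q_u->acb_mask` on what is presumably the same cache, so whichever call runs first on a handle fixes the filter for every later call. The removed `load_sampwd_entries` compared the stored `acb_mask` and reloaded on a mismatch; nothing replaces that check. A client that enumerates with one mask and then another on the same handle would keep getting the first result set. I would store the flags next to the search and rebuild it when they change, or at least say so above both functions: `/* the search is created once per handle; later acct_flags values are ignored */`.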
@@ -687,31 +543,20 @@ static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UN } for (i = 0; i < num_entries; i++) { - pwd = &disp_user_info[i+start_idx]; - temp_name = pdb_get_username(pwd); - + UNISTR2 uni_temp_name; /* * usrmgr expects a non-NULL terminated string with * trust relationships */ - if (pdb_get_acct_ctrl(pwd) & ACB_DOMTRUST) { - init_unistr2(&uni_temp_name, temp_name, UNI_FLAGS_NONE); + if (entries[i].acct_flags & ACB_DOMTRUST) { + init_unistr2(&uni_temp_name, entries[i].account_name, + UNI_FLAGS_NONE); } else { - init_unistr2(&uni_temp_name, temp_name, UNI_STR_TERMINATE); + init_unistr2(&uni_temp_name, entries[i].account_name, + UNI_STR_TERMINATE); } - user_sid = pdb_get_user_sid(pwd); - - if (!sid_peek_check_rid(domain_sid, user_sid, &user_rid)) { - DEBUG(0, ("make_user_sam_entry_list: User %s has SID %s, which conflicts with " - "the domain sid %s. Failing operation.\n", - temp_name, - sid_to_string(user_sid_string, user_sid), - sid_to_string(domain_sid_string, domain_sid))); - return NT_STATUS_UNSUCCESSFUL; - } - - init_sam_entry(&sam[i], &uni_temp_name, user_rid); + init_sam_entry(&sam[i], &uni_temp_name, entries[i].rid); copy_unistr2(&uni_name[i], &uni_temp_name); } @@ -728,15 +573,12 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, SAMR_R_ENUM_DOM_USERS *r_u) { struct samr_info *info = NULL; - uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */ int num_account; uint32 enum_context=q_u->start_idx; - uint32 max_size=q_u->max_size; - uint32 temp_size; enum remote_arch_types ra_type = get_remote_arch(); int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K; uint32 max_entries = max_sam_entries; - DOM_SID domain_sid; + struct samr_displayentry *entries = NULL; r_u->status = NT_STATUS_OK; 
@@ -744,8 +586,6 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - domain_sid = info->sid; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_users"))) { 
@@ -755,60 +595,36 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); become_root(); - r_u->status=load_sampwd_entries(info, q_u->acb_mask, False); + if (info->disp_info.users == NULL) + info->disp_info.users = pdb_search_users(q_u->acb_mask); + if (info->disp_info.users == NULL) + return NT_STATUS_ACCESS_DENIED; + num_account = pdb_search_entries(info->disp_info.users, + enum_context, max_entries, + &entries); unbecome_root(); - - if (!NT_STATUS_IS_OK(r_u->status)) - return r_u->status; - - num_account = info->disp_info.num_user_account; - if (enum_context > num_account) { - DEBUG(5, ("_samr_enum_dom_users: enumeration handle over total entries\n")); + if (num_account == 0) { + DEBUG(5, ("_samr_enum_dom_users: enumeration handle over " + "total entries\n")); return NT_STATUS_OK; } - /* verify we won't overflow */ - if (max_entries > num_account-enum_context) { - max_entries = num_account-enum_context; - DEBUG(5, ("_samr_enum_dom_users: only %d entries to return\n", max_entries)); - } - - /* calculate the size and limit on the number of entries we will return */ - temp_size=max_entries*struct_size; - - if (temp_size>max_size) { - max_entries=MIN((max_size/struct_size),max_entries);; - DEBUG(5, ("_samr_enum_dom_users: buffer size limits to only %d entries\n", max_entries)); - } - - /* - * Note from JRA. total_entries is not being used here. Currently if there is a - * large user base then it looks like NT will enumerate until get_sampwd_entries - * returns False due to num_entries being zero. This will cause an access denied - * return. I don't think this is right and needs further investigation. Note that - * this is also the same in the TNG code (I don't think that has been tested with - * a very large user list as MAX_SAM_ENTRIES is set to 600). 
- * - * I also think that one of the 'num_entries' return parameters is probably - * the "max entries" parameter - but in the TNG code they're all currently set to the same - * value (again I think this is wrong). - */ - - r_u->status = make_user_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_acct_name, - max_entries, enum_context, - info->disp_info.disp_user_info, - &domain_sid); + r_u->status = make_user_sam_entry_list(p->mem_ctx, &r_u->sam, + &r_u->uni_acct_name, + num_account, enum_context, + entries); if (!NT_STATUS_IS_OK(r_u->status)) return r_u->status; - if (enum_context+max_entries < num_account) + if (max_entries <= num_account) r_u->status = STATUS_MORE_ENTRIES; DEBUG(5, ("_samr_enum_dom_users: %d\n", __LINE__)); - init_samr_r_enum_dom_users(r_u, q_u->start_idx + max_entries, max_entries); + init_samr_r_enum_dom_users(r_u, q_u->start_idx + num_account, + num_account); DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); @@ -819,8 +635,10 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, makes a SAM_ENTRY / UNISTR2* structure from a group list. ********************************************************************/ -static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR2 **uni_name_pp, - uint32 num_sam_entries, DOMAIN_GRP *grp) +static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, + UNISTR2 **uni_name_pp, + uint32 num_sam_entries, + struct samr_displayentry *entries) { uint32 i; SAM_ENTRY *sam; 
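Review bot: The early `return NT_STATUS_ACCESS_DENIED;` in `_samr_enum_dom_users` sits between `become_root()` and `unbecome_root()`, so when `pdb_search_users` fails the function returns with root privileges still in effect for whatever the process does next. `_samr_enum_dom_groups` and `_samr_enum_dom_aliases` in the same patch call `unbecome_root()` before testing the pointer; this one should match, e.g. `if (info->disp_info.users == NULL) { unbecome_root(); return NT_STATUS_ACCESS_DENIED; }`. The `num_account == 0` branch also returns NT_STATUS_OK without calling `init_samr_r_enum_dom_users`, so the reply fields keep whatever they held. The function begins outside this hunk.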
@@ -844,188 +662,117 @@ static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNIST /* * JRA. I think this should include the null. TNG does not. */ - init_unistr2(&uni_name[i], grp[i].name, UNI_STR_TERMINATE); - init_sam_entry(&sam[i], &uni_name[i], grp[i].rid); + init_unistr2(&uni_name[i], entries[i].account_name, + UNI_STR_TERMINATE); + init_sam_entry(&sam[i], &uni_name[i], entries[i].rid); } *sam_pp = sam; *uni_name_pp = uni_name; } -/******************************************************************* - Get the group entries - similar to get_sampwd_entries(). - ******************************************************************/ - -static NTSTATUS get_group_domain_entries( TALLOC_CTX *ctx, - DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, - uint32 *p_num_entries, uint32 max_entries ) -{ - GROUP_MAP *map=NULL; - int i; - uint32 group_entries = 0; - uint32 num_entries = 0; - NTSTATUS result = NT_STATUS_OK; - - *p_num_entries = 0; - - /* access checks for the users were performed higher up. become/unbecome_root() - needed for some passdb backends to enumerate groups */ - - become_root(); - pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, - ENUM_ONLY_MAPPED); - unbecome_root(); - - num_entries=group_entries-start_idx; - - /* limit the number of entries */ - if (num_entries>max_entries) { - DEBUG(5,("Limiting to %d entries\n", max_entries)); - num_entries=max_entries; - result = STATUS_MORE_ENTRIES; - } - - *d_grp=TALLOC_ZERO_ARRAY(ctx, DOMAIN_GRP, num_entries); - if (num_entries!=0 && *d_grp==NULL){ - SAFE_FREE(map); - return NT_STATUS_NO_MEMORY; - } - - for (i=0; istatus = NT_STATUS_OK; - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted)) + /* find the policy handle. open a policy on it. 
*/ + if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_groups"))) { + + r_u->status = access_check_samr_function(info->acc_granted, + SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, + "_samr_enum_dom_groups"); + if (!NT_STATUS_IS_OK(r_u->status)) return r_u->status; - } DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__)); /* the domain group array is being allocated in the function below */ - r_u->status = get_group_domain_entries(p->mem_ctx, &grp, &sid, - q_u->start_idx, &num_entries, - MAX_SAM_ENTRIES); - if (!NT_STATUS_IS_OK(r_u->status) && - !NT_STATUS_EQUAL(r_u->status, STATUS_MORE_ENTRIES)) - return r_u->status; + become_root(); + if (info->disp_info.groups == NULL) + info->disp_info.groups = pdb_search_groups(); + unbecome_root(); + if (info->disp_info.groups == NULL) + return NT_STATUS_ACCESS_DENIED; + + become_root(); + num_groups = pdb_search_entries(info->disp_info.groups, q_u->start_idx, + MAX_SAM_ENTRIES, &groups); + unbecome_root(); + make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, - num_entries, grp); + num_groups, groups); - init_samr_r_enum_dom_groups(r_u, q_u->start_idx+num_entries, - num_entries); + init_samr_r_enum_dom_groups(r_u, q_u->start_idx, num_groups); DEBUG(5,("samr_enum_dom_groups: %d\n", __LINE__)); return r_u->status; } - /******************************************************************* samr_reply_enum_dom_aliases ********************************************************************/ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAMR_R_ENUM_DOM_ALIASES *r_u) { - DOMAIN_GRP *grp=NULL; - uint32 num_entries = 0; - fstring sid_str; - DOM_SID sid; + struct samr_info *info; + struct samr_displayentry *aliases; + struct pdb_search **search = NULL; + uint32 num_aliases = 0; NTSTATUS status; - uint32 acc_granted; - + r_u->status = 
NT_STATUS_OK; - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted)) + /* find the policy handle. open a policy on it. */ + if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_aliases"))) { + r_u->status = access_check_samr_function(info->acc_granted, + SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, + "_samr_enum_dom_aliases"); + if (!NT_STATUS_IS_OK(r_u->status)) return r_u->status; - } - - sid_to_string(sid_str, &sid); - DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", sid_str)); - status = get_alias_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, - &num_entries, MAX_SAM_ENTRIES); - if (!NT_STATUS_IS_OK(status)) return status; + DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", + sid_string_static(&info->sid))); + + if (sid_check_is_domain(&info->sid)) + search = &info->disp_info.aliases; + if (sid_check_is_builtin(&info->sid)) + search = &info->disp_info.builtins; + + if (search == NULL) return NT_STATUS_INVALID_HANDLE; + + become_root(); + if (*search == NULL) + *search = pdb_search_aliases(&info->sid); + unbecome_root(); + + if (*search == NULL) return NT_STATUS_ACCESS_DENIED; - make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp); + become_root(); + num_aliases = pdb_search_entries(*search, q_u->start_idx, + MAX_SAM_ENTRIES, &aliases); + unbecome_root(); + + make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, + num_aliases, aliases); - /*safe_free(grp);*/ + if (!NT_STATUS_IS_OK(status)) return status; - init_samr_r_enum_dom_aliases(r_u, q_u->start_idx + num_entries, num_entries); + init_samr_r_enum_dom_aliases(r_u, q_u->start_idx + num_aliases, + num_aliases); DEBUG(5,("samr_enum_dom_aliases: %d\n", __LINE__)); 
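Review bot: In the rewritten `_samr_enum_dom_aliases` the local `status` is never assigned, because the `status = get_alias_entries(...)` call was removed, yet `if (!NT_STATUS_IS_OK(status)) return status;` still runs after `make_group_sam_entry_list`, so the RPC result depends on an uninitialized stack value. The test should be deleted together with the variable, or the declaration changed to `NTSTATUS status = NT_STATUS_OK;`. In `_samr_enum_dom_groups`, earlier in the same hunk, the reply is built with `q_u->start_idx` instead of `q_u->start_idx + num_groups` and STATUS_MORE_ENTRIES is no longer set, which drops the resume behaviour the previous commit on this page introduced; `init_samr_r_enum_dom_groups(r_u, q_u->start_idx + num_groups, num_groups);` would restore the index.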
@@ -1053,6 +800,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, enum remote_arch_types ra_type = get_remote_arch(); int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K; DOM_SID domain_sid; + struct samr_displayentry *entries = NULL; DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__)); r_u->status = NT_STATUS_OK; 
@@ -1091,68 +839,29 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, * JFM, 12/20/2001 */ - /* Get what we need from the password database */ - switch (q_u->switch_level) { - case 0x1: - /* When playing with usrmgr, this is necessary - if you want immediate refresh after editing - a user. I would like to do this after the - setuserinfo2, but we do not have access to - the domain handle in that call, only to the - user handle. Where else does this hurt? - -- Volker - */ -#if 0 - /* We cannot do this here - it kills performace. JRA. */ - free_samr_users(info); -#endif - case 0x2: - case 0x4: - become_root(); - /* Level 2 is for all machines, otherwise only 'normal' users */ - r_u->status=load_sampwd_entries(info, ACB_NORMAL, q_u->switch_level==2); - unbecome_root(); - if (!NT_STATUS_IS_OK(r_u->status)) { - DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n")); - return r_u->status; - } - num_account = info->disp_info.num_user_account; - break; - case 0x3: - case 0x5: - r_u->status = load_group_domain_entries(info, &info->sid); - if (!NT_STATUS_IS_OK(r_u->status)) - return r_u->status; - num_account = info->disp_info.num_group_account; - break; - default: - DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n", (unsigned int)q_u->switch_level )); - return NT_STATUS_INVALID_INFO_CLASS; + if ((q_u->switch_level < 1) || (q_u->switch_level > 5)) { + DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n", + (unsigned int)q_u->switch_level )); + return NT_STATUS_INVALID_INFO_CLASS; } /* first limit the number of entries we will return */ if(max_entries > max_sam_entries) { - DEBUG(5, ("samr_reply_query_dispinfo: client requested %d entries, limiting to %d\n", max_entries, max_sam_entries)); + DEBUG(5, ("samr_reply_query_dispinfo: client requested %d " + "entries, limiting to %d\n", max_entries, + max_sam_entries)); max_entries = max_sam_entries; } - if (enum_context > num_account) { - DEBUG(5, ("samr_reply_query_dispinfo: 
enumeration handle over total entries\n")); - return NT_STATUS_NO_MORE_ENTRIES; - } - - /* verify we won't overflow */ - if (max_entries > num_account-enum_context) { - max_entries = num_account-enum_context; - DEBUG(5, ("samr_reply_query_dispinfo: only %d entries to return\n", max_entries)); - } + /* calculate the size and limit on the number of entries we will + * return */ - /* calculate the size and limit on the number of entries we will return */ temp_size=max_entries*struct_size; if (temp_size>max_size) { max_entries=MIN((max_size/struct_size),max_entries);; - DEBUG(5, ("samr_reply_query_dispinfo: buffer size limits to only %d entries\n", max_entries)); + DEBUG(5, ("samr_reply_query_dispinfo: buffer size limits to " + "only %d entries\n", max_entries)); } if (!(ctr = TALLOC_ZERO_P(p->mem_ctx,SAM_DISPINFO_CTR))) 
@@ -1160,61 +869,80 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, ZERO_STRUCTP(ctr); + become_root(); + + switch (q_u->switch_level) { + case 0x1: + case 0x4: + if (info->disp_info.users == NULL) + info->disp_info.users = pdb_search_users(ACB_NORMAL); + if (info->disp_info.users == NULL) + return NT_STATUS_ACCESS_DENIED; + num_account = pdb_search_entries(info->disp_info.users, + enum_context, max_entries, + &entries); + break; + case 0x2: + if (info->disp_info.machines == NULL) + info->disp_info.machines = + pdb_search_users(ACB_WSTRUST|ACB_SVRTRUST); + if (info->disp_info.machines == NULL) + return NT_STATUS_ACCESS_DENIED; + num_account = pdb_search_entries(info->disp_info.machines, + enum_context, max_entries, + &entries); + break; + case 0x3: + case 0x5: + if (info->disp_info.groups == NULL) + info->disp_info.groups = pdb_search_groups(); + if (info->disp_info.groups == NULL) + return NT_STATUS_ACCESS_DENIED; + num_account = pdb_search_entries(info->disp_info.groups, + enum_context, max_entries, + &entries); + break; + default: + smb_panic("info class changed"); + break; + } + unbecome_root(); + /* Now create reply structure */ switch (q_u->switch_level) { case 0x1: - if (max_entries) { - if (!(ctr->sam.info1 = TALLOC_ZERO_ARRAY(p->mem_ctx,SAM_DISPINFO_1,max_entries))) - return NT_STATUS_NO_MEMORY; - } - disp_ret = init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, max_entries, enum_context, - info->disp_info.disp_user_info, &domain_sid); - if (!NT_STATUS_IS_OK(disp_ret)) - return disp_ret; + disp_ret = init_sam_dispinfo_1(p->mem_ctx, &ctr->sam.info1, + num_account, enum_context, + entries); break; case 0x2: - if (max_entries) { - if (!(ctr->sam.info2 = TALLOC_ZERO_ARRAY(p->mem_ctx,SAM_DISPINFO_2,max_entries))) - return NT_STATUS_NO_MEMORY; - } - disp_ret = init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, max_entries, enum_context, - info->disp_info.disp_user_info, &domain_sid); - if (!NT_STATUS_IS_OK(disp_ret)) - return disp_ret; + 
disp_ret = init_sam_dispinfo_2(p->mem_ctx, &ctr->sam.info2, + num_account, enum_context, + entries); break; case 0x3: - if (max_entries) { - if (!(ctr->sam.info3 = TALLOC_ZERO_ARRAY(p->mem_ctx,SAM_DISPINFO_3,max_entries))) - return NT_STATUS_NO_MEMORY; - } - disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, max_entries, enum_context, info->disp_info.disp_group_info); - if (!NT_STATUS_IS_OK(disp_ret)) - return disp_ret; + disp_ret = init_sam_dispinfo_3(p->mem_ctx, &ctr->sam.info3, + num_account, enum_context, + entries); break; case 0x4: - if (max_entries) { - if (!(ctr->sam.info4 = TALLOC_ZERO_ARRAY(p->mem_ctx,SAM_DISPINFO_4,max_entries))) - return NT_STATUS_NO_MEMORY; - } - disp_ret = init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, max_entries, enum_context, info->disp_info.disp_user_info); - if (!NT_STATUS_IS_OK(disp_ret)) - return disp_ret; + disp_ret = init_sam_dispinfo_4(p->mem_ctx, &ctr->sam.info4, + num_account, enum_context, + entries); break; case 0x5: - if (max_entries) { - if (!(ctr->sam.info5 = TALLOC_ZERO_ARRAY(p->mem_ctx,SAM_DISPINFO_5,max_entries))) - return NT_STATUS_NO_MEMORY; - } - disp_ret = init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, max_entries, enum_context, info->disp_info.disp_group_info); - if (!NT_STATUS_IS_OK(disp_ret)) - return disp_ret; + disp_ret = init_sam_dispinfo_5(p->mem_ctx, &ctr->sam.info5, + num_account, enum_context, + entries); break; - default: - ctr->sam.info = NULL; - return NT_STATUS_INVALID_INFO_CLASS; + smb_panic("info class changed"); + break; } + if (!NT_STATUS_IS_OK(disp_ret)) + return disp_ret; + /* calculate the total size */ total_data_size=num_account*struct_size; 
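Review bot: The three `return NT_STATUS_ACCESS_DENIED;` statements in the first `switch` sit between `become_root()` and `unbecome_root()`, so a failed `pdb_search_users()` or `pdb_search_groups()` leaves `_samr_query_dispinfo` without releasing the root context it just took. Each early return should drop it first, e.g. `if (info->disp_info.users == NULL) { unbecome_root(); return NT_STATUS_ACCESS_DENIED; }`, and likewise for `machines` and `groups`. The later hunk `@@ -590,11 +595,19 @@` in `_samr_enum_dom_users` has the same shape around `info->disp_info.enum_users` and needs the same fix. The function body starts and ends outside this hunk.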
@@ -1223,7 +951,9 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, DEBUG(5, ("_samr_query_dispinfo: %d\n", __LINE__)); - init_samr_r_query_dispinfo(r_u, max_entries, total_data_size, temp_size, q_u->switch_level, ctr, r_u->status); + init_samr_r_query_dispinfo(r_u, num_account, total_data_size, + temp_size, q_u->switch_level, ctr, + r_u->status); return r_u->status; @@ -2106,23 +1836,11 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA flag, nt_expire, nt_min_age); break; case 0x02: - become_root(); - r_u->status=load_sampwd_entries(info, ACB_NORMAL, False); + become_root(); + num_users=count_sam_users(&info->disp_info, + ACB_NORMAL); + num_groups=count_sam_groups(&info->disp_info); unbecome_root(); - if (!NT_STATUS_IS_OK(r_u->status)) { - DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n")); - return r_u->status; - } - num_users=info->disp_info.num_user_account; - free_samr_db(info); - - r_u->status=load_group_domain_entries(info, get_global_sam_sid()); - if (!NT_STATUS_IS_OK(r_u->status)) { - DEBUG(5, ("_samr_query_dispinfo: load_group_domain_entries failed\n")); - return r_u->status; - } - num_groups=info->disp_info.num_group_account; - free_samr_db(info); account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); u_logout = account_policy_temp; @@ -4380,13 +4098,9 @@ NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, SAMR_Q_REMOVE_SID_FOREIGN_DOMAIN *q_u, SAMR_R_REMOVE_SID_FOREIGN_DOMAIN *r_u) { - DOM_SID delete_sid, alias_sid; - SAM_ACCOUNT *sam_pass=NULL; + DOM_SID delete_sid, domain_sid; uint32 acc_granted; - GROUP_MAP map; - BOOL is_user = False; NTSTATUS result; - enum SID_NAME_USE type = SID_NAME_UNKNOWN; sid_copy( &delete_sid, &q_u->sid.sid ); 
@@ -4395,7 +4109,8 @@ NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &alias_sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &domain_sid, + &acc_granted)) return NT_STATUS_INVALID_HANDLE; result = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, 
@@ -4405,80 +4120,33 @@ NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, return result; DEBUG(8, ("_samr_remove_sid_foreign_domain:sid is %s\n", - sid_string_static(&alias_sid))); - - /* make sure we can handle this */ - - if ( sid_check_is_domain(&alias_sid) ) - type = SID_NAME_DOM_GRP; - else if ( sid_check_is_builtin(&alias_sid) ) - type = SID_NAME_ALIAS; - - if ( type == SID_NAME_UNKNOWN ) { - DEBUG(10, ("_samr_remove_sid_foreign_domain: can't operate on what we don't own!\n")); - return NT_STATUS_OK; - } + sid_string_static(&domain_sid))); - /* check if the user exists before trying to delete */ - - pdb_init_sam(&sam_pass); - - if ( pdb_getsampwsid(sam_pass, &delete_sid) ) { - is_user = True; - } else { - /* maybe it is a group */ - if( !pdb_getgrsid(&map, delete_sid) ) { - DEBUG(3,("_samr_remove_sid_foreign_domain: %s is not a user or a group!\n", - sid_string_static(&delete_sid))); - result = NT_STATUS_INVALID_SID; - goto done; - } - } - /* we can only delete a user from a group since we don't have nested groups anyways. So in the latter case, just say OK */ - - if ( is_user ) { - GROUP_MAP *mappings = NULL; - int num_groups, i; - struct group *grp2; - - if ( pdb_enum_group_mapping(type, &mappings, &num_groups, False) && num_groups>0 ) { - - /* interate over the groups */ - for ( i=0; igr_name) ) - continue; - - smb_delete_user_group(grp2->gr_name, pdb_get_username(sam_pass)); - - if ( user_in_unix_group_list(pdb_get_username(sam_pass), grp2->gr_name) ) { - /* should we fail here ? */ - DEBUG(0,("_samr_remove_sid_foreign_domain: Delete user [%s] from group [%s] failed!\n", - pdb_get_username(sam_pass), grp2->gr_name )); - continue; - } - - DEBUG(10,("_samr_remove_sid_foreign_domain: Removed user [%s] from group [%s]!\n", - pdb_get_username(sam_pass), grp2->gr_name )); - } - - SAFE_FREE(mappings); - } + /* TODO: The above comment nowadays is bogus. 
Since we have nested + * groups now, and aliases members are never reported out of the unix + * group membership, the "just say OK" makes this call a no-op. For + * us. This needs fixing however. */ + + /* I've only ever seen this in the wild when deleting a user from + * usrmgr.exe. domain_sid is the builtin domain, and the sid to delete + * is the user about to be deleted. I very much suspect this is the + * only application of this call. To verify this, let people report + * other cases. */ + + if (!sid_check_is_builtin(&domain_sid)) { + DEBUG(1,("_samr_remove_sid_foreign_domain: domain_sid = %s, " + "global_sam_sid() = %s\n", + sid_string_static(&domain_sid), + sid_string_static(get_global_sam_sid()))); + DEBUGADD(1,("please report to samba-technical@samba.org!\n")); + return NT_STATUS_OK; } - - result = NT_STATUS_OK; -done: - pdb_free_sam(&sam_pass); + + result = NT_STATUS_OK; return result; } @@ -4545,21 +4213,11 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW break; case 0x02: become_root(); - r_u->status=load_sampwd_entries(info, ACB_NORMAL, False); + num_users = count_sam_users(&info->disp_info, + ACB_NORMAL); + num_groups = count_sam_groups(&info->disp_info); unbecome_root(); - if (!NT_STATUS_IS_OK(r_u->status)) { - DEBUG(5, ("_samr_unknown_2e: load_sampwd_entries failed\n")); - return r_u->status; - } - num_users=info->disp_info.num_user_account; - free_samr_db(info); - - r_u->status=load_group_domain_entries(info, get_global_sam_sid()); - if (NT_STATUS_IS_ERR(r_u->status)) { - DEBUG(5, ("_samr_unknown_2e: load_group_domain_entries failed\n")); - return r_u->status; - } - num_groups=info->disp_info.num_group_account; + free_samr_db(info); account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); -- cgit From 57eb9f47d058cc3c841aca11404bae2fed5367e4 Mon Sep 17 00:00:00 2001 
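Review bot: After this change `_samr_remove_sid_foreign_domain` returns `NT_STATUS_OK` on both paths without removing `delete_sid` from anything in the lines shown, so the client is told the removal succeeded while any alias membership recorded for that SID stays in place. The non-builtin path at least logs at level 1, but the builtin path, which the new comment describes as the usual usrmgr.exe case, is silent. Until the TODO is resolved, a log line there would make the skipped cleanup visible, e.g. `DEBUG(5,("_samr_remove_sid_foreign_domain: not removing %s from builtin aliases\n", sid_string_static(&delete_sid)));`. The function starts outside this hunk.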
From: Gerald Carter Date: Thu, 21 Apr 2005 17:13:50 +0000 Subject: r6421: use add machine script when creating a user (ACB_NORMAL) who has a name ending in '$' (usrmgr.exe does this for domain trusts (that's was jfm's original comment I think). avoid an assert() call in libldap. (This used to be commit 0ac57ae94202190ddbe538f7180a0443463b48cf) --- source3/rpc_server/srv_samr_nt.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index fe54476cc9..89cb49c05c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1985,13 +1985,15 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA se_priv_copy( &se_rights, &se_machine_account ); can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); } - else if ( acb_info & ACB_NORMAL ) + /* usrmgr.exe (and net rpc trustdom grant) creates a normal user + account for domain trusts and changes the ACB flags later */ + else if ( acb_info & ACB_NORMAL && (account[strlen(account)-1] != '$') ) { pstrcpy(add_script, lp_adduser_script()); se_priv_copy( &se_rights, &se_add_users ); can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); } - else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) ) + else /* implicit assumption of a BDC or domain trust account here (we already check the flags earlier) */ { pstrcpy(add_script, lp_addmachine_script()); if ( lp_enable_privileges() ) { -- cgit From a7145e26c99c43a39b24bbf16587b2ea1cd1ef9c Mon Sep 17 00:00:00 2001 
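Review bot: `account[strlen(account)-1]` in the new `else if` indexes outside the buffer when `account` is the empty string, because `strlen(account)-1` wraps around. Whether an empty name is rejected earlier in `_samr_create_user` is not visible in this hunk, so the condition should guard itself: `else if ( (acb_info & ACB_NORMAL) && *account && (account[strlen(account)-1] != '$') )`. The extra parentheses around `acb_info & ACB_NORMAL` also make the intended precedence explicit. The final branch is now a bare `else`, so which script runs for any other flag combination depends entirely on the earlier flag check its comment refers to, which is outside the hunk.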
From: Gerald Carter Date: Sun, 1 May 2005 20:05:16 +0000 Subject: r6566: fix a couple of local group bugs. * ensure that we set full access on the handle returned from _samr_create_dom_alias() so that future set_alias commands succeed * fix bug when looking for internal domains in winbindd (caused winbindd_getgrgid() for local groups to fail). (This used to be commit 4615c96ccb8906af4eb1fbe6d0cbf6bb3bcc3fcf) --- source3/rpc_server/srv_samr_nt.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 89cb49c05c..040d4e7dea 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -730,9 +730,6 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S struct samr_displayentry *aliases; struct pdb_search **search = NULL; uint32 num_aliases = 0; - NTSTATUS status; - - r_u->status = NT_STATUS_OK; /* find the policy handle. open a policy on it. */ if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) @@ -752,14 +749,16 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S if (sid_check_is_builtin(&info->sid)) search = &info->disp_info.builtins; - if (search == NULL) return NT_STATUS_INVALID_HANDLE; + if (search == NULL) + return NT_STATUS_INVALID_HANDLE; become_root(); if (*search == NULL) *search = pdb_search_aliases(&info->sid); unbecome_root(); - if (*search == NULL) return NT_STATUS_ACCESS_DENIED; + if (*search == NULL) + return NT_STATUS_ACCESS_DENIED; become_root(); num_aliases = pdb_search_entries(*search, q_u->start_idx, 
@@ -769,8 +768,6 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_aliases, aliases); - if (!NT_STATUS_IS_OK(status)) return status; - init_samr_r_enum_dom_aliases(r_u, q_u->start_idx + num_aliases, num_aliases); @@ -3850,6 +3847,10 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S if ((info = get_samr_info_by_sid(&info_sid)) == NULL) return NT_STATUS_NO_MEMORY; + /* they created it; let the user do what he wants with it */ + + info->acc_granted = GENERIC_RIGHTS_ALIAS_ALL_ACCESS; + /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, &r_u->alias_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; -- cgit From 28824fb1971afd398739723ee7c65427bd086d4b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 3 May 2005 14:01:39 +0000 Subject: r6601: fixing query and set alias info calls (level 1 from the MMC manage computer plugin. (This used to be commit c43c1ec80cb52569ccabcdf95e4004386ecb29d6) --- source3/rpc_server/srv_samr_nt.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 040d4e7dea..54012d57a9 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
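Review bot: `info->acc_granted = GENERIC_RIGHTS_ALIAS_ALL_ACCESS;` in `_samr_create_dom_alias` gives the returned handle every alias right unconditionally, and neither an access check nor a requested mask is visible in this hunk. If the authorisation is a create check on the domain handle earlier in the function (outside the hunk), the comment should say so instead of "let the user do what he wants with it", for example `/* caller was authorised to create aliases on the domain handle; the new handle gets full alias access, not a requested mask */`. The later commit r6642 does the same in `_samr_create_dom_group` with `GENERIC_RIGHTS_GROUP_ALL_ACCESS` and would want the same comment.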
@@ -985,17 +985,18 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM if ( !ret ) return NT_STATUS_NO_SUCH_ALIAS; - switch (q_u->switch_level) { + if ( !(r_u->ctr = TALLOC_ZERO_P( p->mem_ctx, ALIAS_INFO_CTR )) ) + return NT_STATUS_NO_MEMORY; + + + switch (q_u->level ) { case 1: - r_u->ptr = 1; - r_u->ctr.switch_value1 = 1; - init_samr_alias_info1(&r_u->ctr.alias.info1, - info.acct_name, 1, info.acct_desc); + r_u->ctr->level = 1; + init_samr_alias_info1(&r_u->ctr->alias.info1, info.acct_name, 1, info.acct_desc); break; case 3: - r_u->ptr = 1; - r_u->ctr.switch_value1 = 3; - init_samr_alias_info3(&r_u->ctr.alias.info3, info.acct_desc); + r_u->ctr->level = 3; + init_samr_alias_info3(&r_u->ctr->alias.info3, info.acct_desc); break; default: return NT_STATUS_INVALID_INFO_CLASS; @@ -3984,11 +3985,13 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ ctr=&q_u->ctr; - switch (ctr->switch_value1) { + switch (ctr->level) { case 3: - unistr2_to_ascii(info.acct_desc, - &(ctr->alias.info3.uni_acct_desc), - sizeof(info.acct_desc)-1); + if ( ctr->alias.info3.description.string ) { + unistr2_to_ascii( info.acct_desc, + ctr->alias.info3.description.string, + sizeof(info.acct_desc)-1 ); + } break; default: return NT_STATUS_INVALID_INFO_CLASS; -- cgit From 03377b2a21af510da78a964b125ebceba13f2bb1 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 7 May 2005 14:55:44 +0000 Subject: r6642: BUG 2686: shouold fix the group_setinfo() failures; similar to alias_setinfo() patch from last week (This used to be commit 611cca473ef6c50aeeda79c323f55e8e3402b1b1) --- source3/rpc_server/srv_samr_nt.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 54012d57a9..69298bcd5d 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -3780,6 +3780,11 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S if ((info = get_samr_info_by_sid(&info_sid)) == NULL) return NT_STATUS_NO_MEMORY; + + /* they created it; let the user do what he wants with it */ + + info->acc_granted = GENERIC_RIGHTS_GROUP_ALL_ACCESS; + /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; -- cgit From 0e5aa494dd57a598ce1ac6e7141273fbe7bcf113 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 13 May 2005 09:18:50 +0000 Subject: r6772: Fix a valgrind error for samr_open_alias uncovered by one of John's test. Jerry, in query_aliasmem, set_aliasinfo and set_groupinfo (and possibly others) need become_root()/unbecome_root() around the pdb calls. I'm not sure I would do the access checks correctly, I would much rather leave that to you. Volker (This used to be commit 88a67e96d1c54fddadbb6a33e4bc5fba884e58e6) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 69298bcd5d..e4588b2e61 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2389,7 +2389,7 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0); se_map_generic(&des_access,&ali_generic_mapping); - se_priv_add( &se_rights, &se_add_users ); + se_priv_copy( &se_rights, &se_add_users ); status = access_check_samr_object(psd, p->pipe_user.nt_user_token, -- cgit From 450e8d5749504f8392c0cfe8b79218f03b88076a Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Tue, 31 May 2005 02:23:47 +0000 Subject: r7130: remove 'winbind enable local accounts' code from the 3.0 tree (This used to be commit 318c3db4cb1c85be40b2f812f781bcf5f1da5c19) --- source3/rpc_server/srv_samr_nt.c | 20 -------------------- 1 file changed, 20 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e4588b2e61..73ea575ec5 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2017,14 +2017,6 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA add_ret = smbrun(add_script,NULL); DEBUG(add_ret ? 0 : 3,("_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); } - else /* no add user script -- ask winbindd to do it */ - { - if ( !winbind_create_user( account, &new_rid ) ) { - DEBUG(3,("_samr_create_user: winbind_create_user(%s) failed\n", - account)); - } - } - } /* implicit call to getpwnam() next. we have a valid SID coming out of this call */ @@ -3466,18 +3458,6 @@ static int smb_delete_user(const char *unix_user) pstring del_script; int ret; - /* try winbindd first since it is impossible to determine where - a user came from via NSS. Try the delete user script if this fails - meaning the user did not exist in winbindd's list of accounts */ - - if ( winbind_delete_user( unix_user ) ) { - DEBUG(3,("winbind_delete_user: removed user (%s)\n", unix_user)); - return 0; - } - - - /* fall back to 'delete user script' */ - pstrcpy(del_script, lp_deluser_script()); if (! *del_script) return -1; -- cgit From 6109b8ad9dd586dad508658c65e33d012cad42b1 Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Tue, 14 Jun 2005 18:38:15 +0000 Subject: r7578: use global well known DOM_SID objects when possible (This used to be commit 643dc05eb5a8e41cf9cb1768ef42f5dbc0320846) --- source3/rpc_server/srv_samr_nt.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 73ea575ec5..7c6e9f4d92 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -9,6 +9,7 @@ * Copyright (C) Jean François Micouleau 1998-2001, * Copyright (C) Jim McDonough 2002, * Copyright (C) Gerald (Jerry) Carter 2003-2004, + * Copyright (C) Simo Sorce 2003. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -76,7 +77,7 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd struct generic_mapping *map, DOM_SID *sid, uint32 sid_access ) { - DOM_SID adm_sid, act_sid, domadmin_sid; + DOM_SID domadmin_sid; SEC_ACE ace[5]; /* at most 5 entries */ SEC_ACCESS mask; size_t i = 0; 
@@ -90,16 +91,10 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */ - sid_copy(&adm_sid, &global_sid_Builtin); - sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); - - sid_copy(&act_sid, &global_sid_Builtin); - sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); - init_sec_access(&mask, map->generic_all); - init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - init_sec_ace(&ace[i++], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); + init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); /* Add Full Access for Domain Admins if we are a DC */ @@ -768,6 +763,8 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_aliases, aliases); + if (!NT_STATUS_IS_OK(status)) return status; + init_samr_r_enum_dom_aliases(r_u, q_u->start_idx + num_aliases, num_aliases); -- cgit From cfe893375473f6d12fd806347827baa615f0cd0a Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 14 Jun 2005 19:04:39 +0000 Subject: r7581: fix bad merge (This used to be commit 55d08311032b75724b525d8e0df506de3e988b15) --- source3/rpc_server/srv_samr_nt.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 7c6e9f4d92..e510f69cc8 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -763,8 +763,6 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_aliases, aliases); - if (!NT_STATUS_IS_OK(status)) return status; - init_samr_r_enum_dom_aliases(r_u, q_u->start_idx + num_aliases, num_aliases); -- cgit From 864ca4f0510da95cadf5ad449b2ec818a78d8c17 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 22 Jun 2005 14:16:10 +0000 Subject: r7836: Fix the bug where users show up as trusting domains. Volker (This used to be commit 61585fa56b4f838f416815598f4a301aa9ee12d7) --- source3/rpc_server/srv_samr_nt.c | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e510f69cc8..9b98d4cb16 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -45,11 +45,14 @@ extern rid_name domain_alias_rids[]; extern rid_name builtin_alias_rids[]; typedef struct disp_info { - struct pdb_search *users; - struct pdb_search *machines; - struct pdb_search *groups; - struct pdb_search *aliases; - struct pdb_search *builtins; + struct pdb_search *users; /* querydispinfo 1 and 4 */ + struct pdb_search *machines; /* querydispinfo 2 */ + struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */ + struct pdb_search *aliases; /* enumaliases */ + struct pdb_search *builtins; /* enumaliases */ + + uint16 enum_acb_mask; + struct pdb_search *enum_users; /* enumusers with a mask */ } DISP_INFO; struct samr_info { @@ -264,6 +267,8 @@ static void free_samr_db(struct samr_info *info) info->disp_info.aliases = NULL; pdb_search_destroy(info->disp_info.builtins); info->disp_info.builtins = NULL; + pdb_search_destroy(info->disp_info.enum_users); + info->disp_info.enum_users = NULL; } static void free_samr_info(void *ptr) 
@@ -590,11 +595,19 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); become_root(); - if (info->disp_info.users == NULL) - info->disp_info.users = pdb_search_users(q_u->acb_mask); - if (info->disp_info.users == NULL) + if ((info->disp_info.enum_users != NULL) && + (info->disp_info.enum_acb_mask != q_u->acb_mask)) { + pdb_search_destroy(info->disp_info.enum_users); + info->disp_info.enum_users = NULL; + } + + if (info->disp_info.enum_users == NULL) { + info->disp_info.enum_users = pdb_search_users(q_u->acb_mask); + info->disp_info.enum_acb_mask = q_u->acb_mask; + } + if (info->disp_info.enum_users == NULL) return NT_STATUS_ACCESS_DENIED; - num_account = pdb_search_entries(info->disp_info.users, + num_account = pdb_search_entries(info->disp_info.enum_users, enum_context, max_entries, &entries); unbecome_root(); -- cgit From 263a51cd62815b568d0d2053ee29cdd77428ba31 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 19 Jul 2005 00:59:25 +0000 Subject: r8564: Sometimes we're too dumb to live... Fix samr calls where we were using USER_INFO_XX structs and functions where XX was sometimes in hex and sometimes in decimal. Now it's all in decimal (should be no functionality change). Jeremy. (This used to be commit 84651aca04cbcbf50ab2e78333cc9d9e49dd92f5) --- source3/rpc_server/srv_samr_nt.c | 70 ++++++++++++++++++++-------------------- 1 file changed, 35 insertions(+), 35 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 9b98d4cb16..2e73db2807 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1411,10 +1411,10 @@ static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_S return NT_STATUS_OK; } /************************************************************************* - get_user_info_10. Safe. Only gives out acb bits. + get_user_info_16. Safe. Only gives out acb bits. *************************************************************************/ -static NTSTATUS get_user_info_10(TALLOC_CTX *mem_ctx, SAM_USER_INFO_10 *id10, DOM_SID *user_sid) +static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, SAM_USER_INFO_16 *id16, DOM_SID *user_sid) { SAM_ACCOUNT *smbpass=NULL; BOOL ret; @@ -1437,8 +1437,8 @@ static NTSTATUS get_user_info_10(TALLOC_CTX *mem_ctx, SAM_USER_INFO_10 *id10, DO DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) )); - ZERO_STRUCTP(id10); - init_sam_user_info10(id10, pdb_get_acct_ctrl(smbpass) ); + ZERO_STRUCTP(id16); + init_sam_user_info16(id16, pdb_get_acct_ctrl(smbpass) ); pdb_free_sam(&smbpass); @@ -1446,12 +1446,12 @@ static NTSTATUS get_user_info_10(TALLOC_CTX *mem_ctx, SAM_USER_INFO_10 *id10, DO } /************************************************************************* - get_user_info_12. OK - this is the killer as it gives out password info. + get_user_info_18. OK - this is the killer as it gives out password info. Ensure that this is only allowed on an encrypted connection with a root user. JRA. *************************************************************************/ -static NTSTATUS get_user_info_12(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_INFO_12 * id12, DOM_SID *user_sid) +static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_INFO_18 * id18, DOM_SID *user_sid) { SAM_ACCOUNT *smbpass=NULL; BOOL ret; 
@@ -1488,8 +1488,8 @@ static NTSTATUS get_user_info_12(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_ return NT_STATUS_ACCOUNT_DISABLED; } - ZERO_STRUCTP(id12); - init_sam_user_info12(id12, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass)); + ZERO_STRUCTP(id18); + init_sam_user_info18(id18, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass)); pdb_free_sam(&smbpass); @@ -1601,7 +1601,7 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ ctr->switch_value = q_u->switch_value; switch (q_u->switch_value) { - case 0x07: + case 7: ctr->info.id7 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_7); if (ctr->info.id7 == NULL) return NT_STATUS_NO_MEMORY; @@ -1609,18 +1609,18 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ if (!NT_STATUS_IS_OK(r_u->status = get_user_info_7(p->mem_ctx, ctr->info.id7, &info->sid))) return r_u->status; break; - case 0x10: - ctr->info.id10 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_10); - if (ctr->info.id10 == NULL) + case 16: + ctr->info.id16 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_16); + if (ctr->info.id16 == NULL) return NT_STATUS_NO_MEMORY; - if (!NT_STATUS_IS_OK(r_u->status = get_user_info_10(p->mem_ctx, ctr->info.id10, &info->sid))) + if (!NT_STATUS_IS_OK(r_u->status = get_user_info_16(p->mem_ctx, ctr->info.id16, &info->sid))) return r_u->status; break; #if 0 /* whoops - got this wrong. i think. or don't understand what's happening. */ - case 0x11: + case 17: { NTTIME expire; info = (void *)&id11; 
@@ -1628,9 +1628,9 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ expire.low = 0xffffffff; expire.high = 0x7fffffff; - ctr->info.id = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_11)); - ZERO_STRUCTP(ctr->info.id11); - init_sam_user_info11(ctr->info.id11, &expire, + ctr->info.id = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_17)); + ZERO_STRUCTP(ctr->info.id17); + init_sam_user_info17(ctr->info.id17, &expire, "BROOKFIELDS$", /* name */ 0x03ef, /* user rid */ 0x201, /* group rid */ @@ -1640,12 +1640,12 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ } #endif - case 0x12: - ctr->info.id12 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_12); - if (ctr->info.id12 == NULL) + case 18: + ctr->info.id18 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_18); + if (ctr->info.id18 == NULL) return NT_STATUS_NO_MEMORY; - if (!NT_STATUS_IS_OK(r_u->status = get_user_info_12(p, p->mem_ctx, ctr->info.id12, &info->sid))) + if (!NT_STATUS_IS_OK(r_u->status = get_user_info_18(p, p->mem_ctx, ctr->info.id18, &info->sid))) return r_u->status; break; @@ -2418,19 +2418,19 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A } /******************************************************************* - set_user_info_10 + set_user_info_16 ********************************************************************/ -static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, SAM_ACCOUNT *pwd) +static BOOL set_user_info_16(const SAM_USER_INFO_16 *id16, SAM_ACCOUNT *pwd) { - if (id10 == NULL) { - DEBUG(5, ("set_user_info_10: NULL id10\n")); + if (id16 == NULL) { + DEBUG(5, ("set_user_info_16: NULL id16\n")); pdb_free_sam(&pwd); return False; } /* FIX ME: check if the value is really changed --metze */ - if (!pdb_set_acct_ctrl(pwd, id10->acb_info, PDB_CHANGED)) { + if (!pdb_set_acct_ctrl(pwd, id16->acb_info, PDB_CHANGED)) { pdb_free_sam(&pwd); return False; } 
@@ -2446,23 +2446,23 @@ static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, SAM_ACCOUNT *pwd) } /******************************************************************* - set_user_info_12 + set_user_info_18 ********************************************************************/ -static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, SAM_ACCOUNT *pwd) +static BOOL set_user_info_18(SAM_USER_INFO_18 *id18, SAM_ACCOUNT *pwd) { - if (id12 == NULL) { - DEBUG(2, ("set_user_info_12: id12 is NULL\n")); + if (id18 == NULL) { + DEBUG(2, ("set_user_info_18: id18 is NULL\n")); pdb_free_sam(&pwd); return False; } - if (!pdb_set_lanman_passwd (pwd, id12->lm_pwd, PDB_CHANGED)) { + if (!pdb_set_lanman_passwd (pwd, id18->lm_pwd, PDB_CHANGED)) { pdb_free_sam(&pwd); return False; } - if (!pdb_set_nt_passwd (pwd, id12->nt_pwd, PDB_CHANGED)) { + if (!pdb_set_nt_passwd (pwd, id18->nt_pwd, PDB_CHANGED)) { pdb_free_sam(&pwd); return False; } @@ -2779,7 +2779,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE switch (switch_value) { case 18: - if (!set_user_info_12(ctr->info.id12, pwd)) + if (!set_user_info_18(ctr->info.id18, pwd)) r_u->status = NT_STATUS_ACCESS_DENIED; break; @@ -2919,12 +2919,12 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ switch (switch_value) { case 16: - if (!set_user_info_10(ctr->info.id10, pwd)) + if (!set_user_info_16(ctr->info.id16, pwd)) r_u->status = NT_STATUS_ACCESS_DENIED; break; case 18: /* Used by AS/U JRA. */ - if (!set_user_info_12(ctr->info.id12, pwd)) + if (!set_user_info_18(ctr->info.id18, pwd)) r_u->status = NT_STATUS_ACCESS_DENIED; break; case 20: -- cgit From 3ada346cbea6a3710cdb6d0ce81a9d95edca156e Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Wed, 3 Aug 2005 01:08:42 +0000 Subject: r8971: Fix querydispinfo (still need to look at enumdomusers) to allow to list more then 511 users. After the rewrite, the old NT_STATUS-semantics didn't fit any longer. Guenther (This used to be commit 690da51d835fd780b16d8ce6521957146c90da78) --- source3/rpc_server/srv_samr_nt.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 2e73db2807..431c672dd4 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -808,7 +808,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, struct samr_displayentry *entries = NULL; DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__)); - r_u->status = NT_STATUS_OK; + r_u->status = NT_STATUS_UNSUCCESSFUL; /* find the policy handle. open a policy on it. */ if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info)) @@ -951,8 +951,10 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, /* calculate the total size */ total_data_size=num_account*struct_size; - if (enum_context+max_entries < num_account) + if (num_account) r_u->status = STATUS_MORE_ENTRIES; + else + r_u->status = NT_STATUS_OK; DEBUG(5, ("_samr_query_dispinfo: %d\n", __LINE__)); -- cgit From 6014bb000e77e2522cb35110af881b9b0ccc9ed5 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 5 Aug 2005 04:48:02 +0000 Subject: r9098: fix another usrmgr.exe crash when viewing user properties at debuglevel 10 (This used to be commit f5756c2611df5a026d78f8acb229d7c25f1fd383) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 431c672dd4..1eb4b1236d 100644 --- a/source3/rpc_server/srv_samr_nt.c 
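Review bot: In the second hunk of r8971 (`_samr_query_dispinfo`, just after `total_data_size` is computed), the new `if (num_account)` test reports `STATUS_MORE_ENTRIES` for every non-empty reply, including the last one, and nothing in the hunk says how a client learns that the list is finished. If the intent is that an empty reply ends the enumeration, say so next to the test, for example `/* any non-empty batch reports MORE_ENTRIES; the client stops on an empty reply */`. The first hunk also makes `NT_STATUS_UNSUCCESSFUL` the initial `r_u->status`, so any path that returns `r_u->status` without assigning it now fails. The function body runs outside both hunks, so confirm that no such path exists.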
+++ b/source3/rpc_server/srv_samr_nt.c @@ -1229,7 +1229,7 @@ static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, } for (i = 0; i < num_names; i++) { - DEBUG(10, ("names[%d]:%s\n", i, *names[i] ? names[i] : "")); + DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : "")); init_unistr2(&uni_name[i], names[i], UNI_FLAGS_NONE); init_uni_hdr(&hdr_name[i], &uni_name[i]); } -- cgit From 36115e7ebcb344000149cf3ec9a458529bbb64d2 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 12 Aug 2005 21:35:21 +0000 Subject: r9275: Remove some dead code. Bugzilla #2982. (This used to be commit e1fc7d89c26b671e77c7cb14e03690091b671b1d) --- source3/rpc_server/srv_samr_nt.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 1eb4b1236d..1f79ce5c14 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -804,7 +804,6 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, uint32 num_account = 0; enum remote_arch_types ra_type = get_remote_arch(); int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K; - DOM_SID domain_sid; struct samr_displayentry *entries = NULL; DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__)); @@ -814,8 +813,6 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - domain_sid = info->sid; - /* * calculate how many entries we will return. * based on -- cgit From e76107dd9b3f53009466f0067aed843905819e4e Mon Sep 17 00:00:00 2001 
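Review bot: The NULL guard added to the `DEBUG(10, ...)` line in `make_samr_lookup_rids` does not cover the next line, where `init_unistr2(&uni_name[i], names[i], UNI_FLAGS_NONE)` still receives the same pointer. If `names[i]` can be NULL, which the guard implies, confirm that `init_unistr2` accepts a NULL source; otherwise the crash only moves from debug level 10 to every level. Parentheses would also make the precedence explicit: `(names[i] && *names[i]) ? names[i] : ""`. The loop belongs to a function that starts and ends outside the hunk.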
From: Gerald Carter Date: Wed, 24 Aug 2005 19:21:00 +0000 Subject: r9594: return the mapped name in enum_dom_groups() (This used to be commit a769aaec88257ae006c61f0fcfd98efd4b639268) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 1f79ce5c14..05aa6fe484 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -670,7 +670,7 @@ static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, /* * JRA. I think this should include the null. TNG does not. */ - init_unistr2(&uni_name[i], entries[i].account_name, + init_unistr2(&uni_name[i], entries[i].fullname, UNI_STR_TERMINATE); init_sam_entry(&sam[i], &uni_name[i], entries[i].rid); } -- cgit From be0f3f159f6c210cc3f9c6054dc7e1d079f2c611 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 26 Aug 2005 18:57:32 +0000 Subject: r9660: real fix for group enumeration bug in 3.0.20; only affected the ldapsam code (This used to be commit 62f9fb5e3a9bce539c9fedc5fdec1b8741a922c7) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 05aa6fe484..1f79ce5c14 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -670,7 +670,7 @@ static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, /* * JRA. I think this should include the null. TNG does not. */ - init_unistr2(&uni_name[i], entries[i].fullname, + init_unistr2(&uni_name[i], entries[i].account_name, UNI_STR_TERMINATE); init_sam_entry(&sam[i], &uni_name[i], entries[i].rid); } -- cgit From d4f2df5d5cfe50de71eadbb14cf920c6af29bc39 Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Fri, 2 Sep 2005 13:42:56 +0000 Subject: r9956: Ensure accounts with the SeAddUsersPrivilege can modify domain and local group attributes (posted to samba ml and confirmed fix) (This used to be commit 005d4cb3c636383ccf70c4891cd7cc4bd3b48ad2) --- source3/rpc_server/srv_samr_nt.c | 40 ++++++++++++++++++++++++++++++++-------- 1 file changed, 32 insertions(+), 8 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 1f79ce5c14..656241a73f 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3924,6 +3924,8 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ GROUP_MAP map; GROUP_INFO_CTR *ctr; uint32 acc_granted; + BOOL ret; + BOOL can_mod_accounts; if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; @@ -3948,11 +3950,21 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ return NT_STATUS_INVALID_INFO_CLASS; } - if(!pdb_update_group_mapping_entry(&map)) { - return NT_STATUS_NO_SUCH_GROUP; - } + can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); - return NT_STATUS_OK; + /******** BEGIN SeAddUsers BLOCK *********/ + + if ( can_mod_accounts ) + become_root(); + + ret = pdb_update_group_mapping_entry(&map); + + if ( can_mod_accounts ) + unbecome_root(); + + /******** End SeAddUsers BLOCK *********/ + + return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; } /********************************************************************* @@ -3967,6 +3979,8 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ struct acct_info info; ALIAS_INFO_CTR *ctr; uint32 acc_granted; + BOOL ret; + BOOL can_mod_accounts; if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; 
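Review bot: In the `_samr_set_groupinfo` hunk that adds the SeAddUsers block, `become_root()` is gated only on `user_has_privileges(p->pipe_user.nt_user_token, &se_add_users)`, and the hunk does not show `acc_granted` being compared with the access this call needs. That check may sit in the unchanged lines above; confirm it runs before the privilege is raised, since a handle opened with less access should not reach a root-level write. The failure status also changes from `NT_STATUS_NO_SUCH_GROUP` to `NT_STATUS_ACCESS_DENIED` for every backend error, including one that happens while running as root, so a missing mapping now looks like a permission problem. A comment such as `/* root only for the backend write; keep nothing else between become_root() and unbecome_root() */` would help keep the block narrow. The same pattern is repeated in the `_samr_set_aliasinfo` hunk.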
@@ -3989,11 +4003,21 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ return NT_STATUS_INVALID_INFO_CLASS; } - if(!pdb_set_aliasinfo(&group_sid, &info)) { - return NT_STATUS_ACCESS_DENIED; - } + can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); - return NT_STATUS_OK; + /******** BEGIN SeAddUsers BLOCK *********/ + + if ( can_mod_accounts ) + become_root(); + + ret = pdb_set_aliasinfo( &group_sid, &info ); + + if ( can_mod_accounts ) + unbecome_root(); + + /******** End SeAddUsers BLOCK *********/ + + return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; } /********************************************************************* -- cgit From 54abd2aa66069e6baf7769c496f46d9dba18db39 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 30 Sep 2005 17:13:37 +0000 Subject: r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3) --- source3/rpc_server/srv_samr_nt.c | 153 +++++++++++++++++++++------------------ 1 file changed, 84 insertions(+), 69 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 656241a73f..b69f03a3a2 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -6,7 +6,7 @@ * Copyright (C) Paul Ashton 1997, * Copyright (C) Marc Jacobsen 1999, * Copyright (C) Jeremy Allison 2001-2002, - * Copyright (C) Jean François Micouleau 1998-2001, + * Copyright (C) Jean François Micouleau 1998-2001, * Copyright (C) Jim McDonough 2002, * Copyright (C) Gerald (Jerry) Carter 2003-2004, * Copyright (C) Simo Sorce 2003. 
@@ -88,17 +88,17 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd SEC_ACL *psa = NULL; /* basic access for Everyone */ - + init_sec_access(&mask, map->generic_execute | map->generic_read ); init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - + /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */ - + init_sec_access(&mask, map->generic_all); init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - + /* Add Full Access for Domain Admins if we are a DC */ if ( IS_DC ) { @@ -108,14 +108,14 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd } /* if we have a sid, give it some special access */ - + if ( sid ) { init_sec_access( &mask, sid_access ); init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - } - +} + /* create the security descriptor */ - + if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL) return NT_STATUS_NO_MEMORY; @@ -347,7 +347,7 @@ NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN uint32 acc_granted; uint32 des_access = q_u->flags; NTSTATUS status; - size_t sd_size; + size_t sd_size; SE_PRIV se_rights; r_u->status = NT_STATUS_OK; @@ -421,7 +421,6 @@ NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, return r_u->status; } - /******************************************************************* _samr_set_sec_obj ********************************************************************/ 
@@ -1456,11 +1455,13 @@ static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_ BOOL ret; NTSTATUS nt_status; - if (!p->ntlmssp_auth_validated) + if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) { return NT_STATUS_ACCESS_DENIED; + } - if (!(p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) || !(p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL)) + if (p->auth.auth_level != PIPE_AUTH_LEVEL_PRIVACY) { return NT_STATUS_ACCESS_DENIED; + } /* * Do *NOT* do become_root()/unbecome_root() here ! JRA. @@ -1794,11 +1795,12 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA time_t u_lock_duration, u_reset_time; NTTIME nt_lock_duration, nt_reset_time; uint32 lockout; - time_t u_logout; NTTIME nt_logout; uint32 account_policy_temp; + + time_t seq_num; uint32 server_role; uint32 num_users=0, num_groups=0, num_aliases=0; @@ -1819,19 +1821,19 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA switch (q_u->switch_value) { case 0x01: - account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp); + pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp); min_pass_len = account_policy_temp; - account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp); + pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp); pass_hist = account_policy_temp; - account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); + pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); flag = account_policy_temp; - account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp); + pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp); u_expire = account_policy_temp; - account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp); + pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp); u_min_age = account_policy_temp; unix_to_nt_time_abs(&nt_expire, u_expire); 
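Review bot: The new authentication test in `get_user_info_18` is always true: `p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP` holds for every value, because `auth_type` cannot equal both constants. The function therefore returns `NT_STATUS_ACCESS_DENIED` to every caller; that fails closed, so no password hash is given out, but info level 18 can no longer be queried at all. The condition should use `&&`: `if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP && p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {`. The `PIPE_AUTH_LEVEL_PRIVACY` check that follows then still enforces a sealed connection. The rest of the function is outside the hunk.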
@@ -1847,21 +1849,23 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA num_groups=count_sam_groups(&info->disp_info); unbecome_root(); - account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); + pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); u_logout = account_policy_temp; unix_to_nt_time_abs(&nt_logout, u_logout); + if (!pdb_get_seq_num(&seq_num)) + seq_num = time(NULL); + server_role = ROLE_DOMAIN_PDC; if (lp_server_role() == ROLE_DOMAIN_BDC) server_role = ROLE_DOMAIN_BDC; - /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */ - init_unk_info2(&ctr->info.inf2, lp_serverstring(), lp_workgroup(), global_myname(), time(NULL), + init_unk_info2(&ctr->info.inf2, lp_serverstring(), lp_workgroup(), global_myname(), seq_num, num_users, num_groups, num_aliases, nt_logout, server_role); break; case 0x03: - account_policy_get(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout); + pdb_get_account_policy(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout); unix_to_nt_time_abs(&nt_logout, u_logout); init_unk_info3(&ctr->info.inf3, nt_logout); 
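Review bot: In the `case 0x03:` branch of `_samr_query_dom_info`, `pdb_get_account_policy(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout)` writes through a cast pointer into `u_logout`, which the earlier context declares as `time_t`. Where `time_t` is wider than `unsigned int`, only part of the variable is written and the rest is indeterminate when `unix_to_nt_time_abs` reads it. `case 0x02:` in the same hunk already goes through the temporary; do the same here with `pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);` followed by `u_logout = account_policy_temp;`. The return value of `pdb_get_account_policy` is ignored in both branches, and `account_policy_temp` has no initialiser in the visible declaration, so a failed lookup would presumably pass a stale value on.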
@@ -1880,18 +1884,21 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA init_unk_info7(&ctr->info.inf7, server_role); break; case 0x08: - init_unk_info8(&ctr->info.inf8, (uint32) time(NULL)); + if (!pdb_get_seq_num(&seq_num)) + seq_num = time(NULL); + + init_unk_info8(&ctr->info.inf8, (uint32) seq_num); break; case 0x0c: - account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); + pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); u_lock_duration = account_policy_temp; if (u_lock_duration != -1) u_lock_duration *= 60; - account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp); + pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp); u_reset_time = account_policy_temp * 60; - account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); + pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); lockout = account_policy_temp; unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); @@ -1955,7 +1962,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA rpcstr_pull(account, user_account.buffer, sizeof(account), user_account.uni_str_len*2, 0); strlower_m(account); - + pdb_init_sam(&sam_pass); become_root(); @@ -1968,7 +1975,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA } pdb_free_sam(&sam_pass); - + /********************************************************************* * HEADS UP! If we have to create a new user account, we have to get * a new RID from somewhere. This used to be done by the passdb @@ -1979,7 +1986,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA * of what ever passdb backend people may use. * --jerry (2003-07-10) *********************************************************************/ - + pw = Get_Pwnam(account); /* determine which user right we need to check based on the acb_info */ 
@@ -2005,27 +2012,27 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA /* only Domain Admins can add a BDC or domain trust */ se_priv_copy( &se_rights, &se_priv_none ); can_add_account = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); - } } - + } + DEBUG(5, ("_samr_create_user: %s can add this account : %s\n", p->pipe_user_name, can_add_account ? "True":"False" )); /********** BEGIN Admin BLOCK **********/ - + if ( can_add_account ) become_root(); - + if ( !pw ) { if (*add_script) { - int add_ret; - - all_string_sub(add_script, "%u", account, sizeof(add_script)); - add_ret = smbrun(add_script,NULL); - DEBUG(add_ret ? 0 : 3,("_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); - } + int add_ret; + + all_string_sub(add_script, "%u", account, sizeof(add_script)); + add_ret = smbrun(add_script,NULL); + DEBUG(add_ret ? 0 : 3,("_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); + } } - + /* implicit call to getpwnam() next. we have a valid SID coming out of this call */ flush_pwnam_cache(); @@ -2147,7 +2154,7 @@ NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u uint32 acc_granted; uint32 des_access = q_u->access_mask; NTSTATUS nt_status; - size_t sd_size; + size_t sd_size; DEBUG(5,("_samr_connect: %d\n", __LINE__)); @@ -2198,7 +2205,7 @@ NTSTATUS _samr_connect4(pipes_struct *p, SAMR_Q_CONNECT4 *q_u, SAMR_R_CONNECT4 * uint32 acc_granted; uint32 des_access = q_u->access_mask; NTSTATUS nt_status; - size_t sd_size; + size_t sd_size; DEBUG(5,("_samr_connect4: %d\n", __LINE__)); 
@@ -2734,7 +2741,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) { return r_u->status; } - + DEBUG(5, ("_samr_set_userinfo: sid:%s, level:%d\n", sid_string_static(&sid), switch_value)); if (ctr == NULL) { @@ -2765,7 +2772,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE if ( lp_enable_privileges() ) has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); } - + DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n", p->pipe_user_name, has_enough_rights ? "" : " not")); @@ -2905,7 +2912,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ if ( lp_enable_privileges() ) has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); } - + DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n", p->pipe_user_name, has_enough_rights ? "" : " not")); @@ -3597,7 +3604,7 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S gid=map.gid; /* check if group really exists */ - if ( (grp=getgrgid(gid)) == NULL) + if ( (grp=getgrgid(gid)) == NULL) return NT_STATUS_NO_SUCH_GROUP; se_priv_copy( &se_rights, &se_add_users ); @@ -4195,6 +4202,8 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW uint32 num_users=0, num_groups=0, num_aliases=0; uint32 account_policy_temp; + + time_t seq_num; uint32 server_role; if ((ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_CTR)) == NULL) 
@@ -4212,19 +4221,19 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW switch (q_u->switch_value) { case 0x01: - account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp); + pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp); min_pass_len = account_policy_temp; - account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp); + pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp); pass_hist = account_policy_temp; - account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); + pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); flag = account_policy_temp; - account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp); + pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp); u_expire = account_policy_temp; - account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp); + pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp); u_min_age = account_policy_temp; unix_to_nt_time_abs(&nt_expire, u_expire); 
@@ -4242,21 +4251,23 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW free_samr_db(info); - account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); + pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); u_logout = account_policy_temp; unix_to_nt_time_abs(&nt_logout, u_logout); + if (!pdb_get_seq_num(&seq_num)) + seq_num = time(NULL); + server_role = ROLE_DOMAIN_PDC; if (lp_server_role() == ROLE_DOMAIN_BDC) server_role = ROLE_DOMAIN_BDC; - /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */ - init_unk_info2(&ctr->info.inf2, lp_serverstring(), lp_workgroup(), global_myname(), time(NULL), + init_unk_info2(&ctr->info.inf2, lp_serverstring(), lp_workgroup(), global_myname(), seq_num, num_users, num_groups, num_aliases, nt_logout, server_role); break; case 0x03: - account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp); + pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); u_logout = account_policy_temp; unix_to_nt_time_abs(&nt_logout, u_logout); 
@@ -4273,21 +4284,25 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW server_role = ROLE_DOMAIN_PDC; if (lp_server_role() == ROLE_DOMAIN_BDC) server_role = ROLE_DOMAIN_BDC; + init_unk_info7(&ctr->info.inf7, server_role); break; case 0x08: - init_unk_info8(&ctr->info.inf8, (uint32) time(NULL)); + if (!pdb_get_seq_num(&seq_num)) + seq_num = time(NULL); + + init_unk_info8(&ctr->info.inf8, (uint32) seq_num); break; case 0x0c: - account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); + pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); u_lock_duration = account_policy_temp; if (u_lock_duration != -1) u_lock_duration *= 60; - account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp); + pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp); u_reset_time = account_policy_temp * 60; - account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); + pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); lockout = account_policy_temp; unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); 
@@ -4331,17 +4346,17 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R u_expire=nt_time_to_unix_abs(&q_u->ctr->info.inf1.expire); u_min_age=nt_time_to_unix_abs(&q_u->ctr->info.inf1.min_passwordage); - account_policy_set(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password); - account_policy_set(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history); - account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag); - account_policy_set(AP_MAX_PASSWORD_AGE, (int)u_expire); - account_policy_set(AP_MIN_PASSWORD_AGE, (int)u_min_age); + pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password); + pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history); + pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag); + pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire); + pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age); break; case 0x02: break; case 0x03: u_logout=nt_time_to_unix_abs(&q_u->ctr->info.inf3.logout); - account_policy_set(AP_TIME_TO_LOGOUT, (int)u_logout); + pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout); break; case 0x05: break; @@ -4356,9 +4371,9 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count)/60; - account_policy_set(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration); - account_policy_set(AP_RESET_COUNT_TIME, (int)u_reset_time); - account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout); + pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration); + pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time); + pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout); break; default: return NT_STATUS_INVALID_INFO_CLASS; -- cgit 
From 254938c636b6062630d54a598b2975d7a984f70d Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Tue, 11 Oct 2005 20:14:04 +0000 Subject: r10911: part of #2861: add rename support for usrmgr.exe when using tdbsam This gets it working before replacing tdb with the samba4 version. (This used to be commit 8210b0503a050e12ee1b4335fa6e50d10ad06577) --- source3/rpc_server/srv_samr_nt.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b69f03a3a2..26a691e9b4 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2423,6 +2423,32 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A return r_u->status; } +/******************************************************************* + set_user_info_7 + ********************************************************************/ +static NTSTATUS set_user_info_7(const SAM_USER_INFO_7 *id7, SAM_ACCOUNT *pwd) +{ + fstring new_name; + NTSTATUS rc; + + if (id7 == NULL) { + DEBUG(5, ("set_user_info_7: NULL id7\n")); + pdb_free_sam(&pwd); + return NT_STATUS_ACCESS_DENIED; + } + + if(!rpcstr_pull(new_name, id7->uni_name.buffer, sizeof(new_name), id7->uni_name.uni_str_len*2, 0)) { + DEBUG(5, ("set_user_info_7: failed to get new username\n")); + pdb_free_sam(&pwd); + return NT_STATUS_ACCESS_DENIED; + } + + rc = pdb_rename_sam_account(pwd, new_name); + + pdb_free_sam(&pwd); + return rc; +} + /******************************************************************* set_user_info_16 ********************************************************************/ 
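Review bot: `set_user_info_7` hands the client-supplied name straight to `pdb_rename_sam_account`, with no check visible in the hunk that it is non-empty or otherwise acceptable as an account name. `rpcstr_pull` bounds the copy by `sizeof(new_name)`, but the source length `id7->uni_name.uni_str_len*2` comes from the request, so this relies on the unmarshalling code having already bounded it against the buffer; confirm that. Rejecting an empty result before the rename is cheap, e.g. `if (new_name[0] == '\0') { pdb_free_sam(&pwd); return NT_STATUS_INVALID_PARAMETER; }`. The header comment should also state that the function frees `pwd` on every path, so callers must not use it afterwards.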
@@ -2924,6 +2950,9 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ /* ok! user info levels (lots: see MSDEV help), off we go... */ switch (switch_value) { + case 7: + r_u->status = set_user_info_7(ctr->info.id7, pwd); + break; case 16: if (!set_user_info_16(ctr->info.id16, pwd)) r_u->status = NT_STATUS_ACCESS_DENIED; -- cgit From 8d7c88667190fe286971ac4fffb64ee5bd9eeeb0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 18 Oct 2005 03:24:00 +0000 Subject: r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208) --- source3/rpc_server/srv_samr_nt.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 26a691e9b4..45a77197ee 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1688,9 +1688,9 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S DOM_SID sid; DOM_SID *sids; DOM_GID *gids = NULL; - int num_groups = 0; + size_t num_groups = 0; gid_t *unix_gids; - int i, num_gids; + size_t i, num_gids; uint32 acc_granted; BOOL ret; NTSTATUS result; @@ -2988,10 +2988,10 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u) { - int num_alias_rids; + size_t num_alias_rids; uint32 *alias_rids; struct samr_info *info = NULL; - int i; + size_t i; NTSTATUS ntstatus1; NTSTATUS ntstatus2; 
@@ -3052,9 +3052,8 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_QUERY_ALIASMEM *r_u) { - int i; - - int num_sids = 0; + size_t i; + size_t num_sids = 0; DOM_SID2 *sid; DOM_SID *sids=NULL; @@ -3165,7 +3164,7 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ { DOM_SID group_sid; fstring group_sid_str; - int i, num_members; + size_t i, num_members; uint32 *rid=NULL; uint32 *attr=NULL; -- cgit From 1113cad9c0c81e9ecec3a0f4317c950943cfc62a Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Thu, 20 Oct 2005 20:40:47 +0000 Subject: r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62) --- source3/rpc_server/srv_samr_nt.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 45a77197ee..598f9db1da 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2429,7 +2429,9 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A static NTSTATUS set_user_info_7(const SAM_USER_INFO_7 *id7, SAM_ACCOUNT *pwd) { fstring new_name; + SAM_ACCOUNT *check_acct = NULL; NTSTATUS rc; + BOOL check_rc; if (id7 == NULL) { DEBUG(5, ("set_user_info_7: NULL id7\n")); 
@@ -2443,6 +2445,24 @@ static NTSTATUS set_user_info_7(const SAM_USER_INFO_7 *id7, SAM_ACCOUNT *pwd) return NT_STATUS_ACCESS_DENIED; } + /* check to see if the new username already exists. Note: we can't + reliably lock all backends, so there is potentially the + possibility that a user can be created in between this check and + the rename. The rename should fail, but may not get the + exact same failure status code. I think this is small enough + of a window for this type of operation and the results are + simply that the rename fails with a slightly different status + code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */ + + pdb_init_sam(&check_acct); + check_rc = pdb_getsampwnam(check_acct, new_name); + pdb_free_sam(&check_acct); + + if (check_rc == True) { + /* this account exists: say so */ + return NT_STATUS_USER_EXISTS; + } + rc = pdb_rename_sam_account(pwd, new_name); pdb_free_sam(&pwd); -- cgit From a656626d0f63d74dbfe6d42201c751df56c6f5a0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 31 Oct 2005 23:47:57 +0000 Subject: r11433: Fix for bug #3223 - ensure we're root before doing any potential lib/smbldap.c calls. Jeremy. (This used to be commit 915cfb48f08b3748e22e68ed028eaca6d558cbad) --- source3/rpc_server/srv_samr_nt.c | 58 ++++++++++++++++++++++++++++++++++++---- 1 file changed, 53 insertions(+), 5 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 598f9db1da..d1d751d8ae 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1805,8 +1805,9 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA uint32 num_users=0, num_groups=0, num_aliases=0; - if ((ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_CTR)) == NULL) + if ((ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_CTR)) == NULL) { return NT_STATUS_NO_MEMORY; + } ZERO_STRUCTP(ctr); 
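Review bot: The return value of `pdb_init_sam(&check_acct)` is ignored in the new existence check, so if that allocation fails `pdb_getsampwnam` is called with `check_acct` still NULL. Check it first, e.g. `if (!NT_STATUS_IS_OK(rc = pdb_init_sam(&check_acct))) return rc;`. The new `return NT_STATUS_USER_EXISTS;` also leaves without `pdb_free_sam(&pwd)`, while the path right below frees `pwd` after the rename, so ownership of `pwd` differs between exits (the `NT_STATUS_ACCESS_DENIED` return in the context above has the same shape). The function starts outside this hunk, so whether the caller frees `pwd` on those exits cannot be confirmed from here.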
@@ -1815,12 +1816,17 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info)) + if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info)) { return NT_STATUS_INVALID_HANDLE; + } switch (q_u->switch_value) { case 0x01: + become_root(); + + /* AS ROOT !!! */ + pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp); min_pass_len = account_policy_temp; @@ -1835,7 +1841,11 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp); u_min_age = account_policy_temp; + + /* !AS ROOT */ + unbecome_root(); + unix_to_nt_time_abs(&nt_expire, u_expire); unix_to_nt_time_abs(&nt_min_age, u_min_age); @@ -1843,11 +1853,14 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA flag, nt_expire, nt_min_age); break; case 0x02: + become_root(); + + /* AS ROOT !!! */ + num_users=count_sam_users(&info->disp_info, ACB_NORMAL); num_groups=count_sam_groups(&info->disp_info); - unbecome_root(); pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); u_logout = account_policy_temp; @@ -1857,6 +1870,10 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA if (!pdb_get_seq_num(&seq_num)) seq_num = time(NULL); + /* !AS ROOT */ + + unbecome_root(); + server_role = ROLE_DOMAIN_PDC; if (lp_server_role() == ROLE_DOMAIN_BDC) server_role = ROLE_DOMAIN_BDC; 
@@ -1865,7 +1882,17 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA num_users, num_groups, num_aliases, nt_logout, server_role); break; case 0x03: + + become_root(); + + /* AS ROOT !!! */ + pdb_get_account_policy(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout); + + /* !AS ROOT */ + + unbecome_root(); + unix_to_nt_time_abs(&nt_logout, u_logout); init_unk_info3(&ctr->info.inf3, nt_logout); @@ -1884,16 +1911,32 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA init_unk_info7(&ctr->info.inf7, server_role); break; case 0x08: - if (!pdb_get_seq_num(&seq_num)) + + become_root(); + + /* AS ROOT !!! */ + + if (!pdb_get_seq_num(&seq_num)) { seq_num = time(NULL); + } + + /* !AS ROOT */ + + unbecome_root(); init_unk_info8(&ctr->info.inf8, (uint32) seq_num); break; case 0x0c: + + become_root(); + + /* AS ROOT !!! */ + pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); u_lock_duration = account_policy_temp; - if (u_lock_duration != -1) + if (u_lock_duration != -1) { u_lock_duration *= 60; + } pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp); u_reset_time = account_policy_temp * 60; @@ -1901,6 +1944,10 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); lockout = account_policy_temp; + /* !AS ROOT */ + + unbecome_root(); + unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); unix_to_nt_time_abs(&nt_reset_time, u_reset_time); @@ -1910,6 +1957,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA return NT_STATUS_INVALID_INFO_CLASS; } + init_samr_r_query_dom_info(r_u, q_u->switch_value, ctr, NT_STATUS_OK); DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); -- cgit From c9effb004cb4bb9baa87fb429f22c834226708bb Mon Sep 17 00:00:00 2001 
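Review bot: In `case 0x03` the call that is now wrapped in `become_root()` still writes through a cast, `pdb_get_account_policy(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout);`, while `case 0x02` reads the same policy into `account_policy_temp` and then assigns it. The declaration of `u_logout` is outside the hunk, but it is passed to `unix_to_nt_time_abs`; if it is a `time_t`, a 64-bit build writes only part of the object. Use the two-step form here as well: `pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);` followed by `u_logout = account_policy_temp;`. The result of `pdb_get_account_policy` is ignored in every case of this switch, so a backend failure may leave the value that is sent to the client unset.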
From: Jeremy Allison Date: Wed, 2 Nov 2005 00:19:26 +0000 Subject: r11451: Fix -O1 "might be using uninitialized" errors. Jeremy. (This used to be commit cab76c3c33883aad444eefb6562ab1b27d9ca88a) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d1d751d8ae..71272a9a98 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -799,7 +799,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAM_DISPINFO_CTR *ctr; uint32 temp_size=0, total_data_size=0; - NTSTATUS disp_ret; + NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL; uint32 num_account = 0; enum remote_arch_types ra_type = get_remote_arch(); int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K; -- cgit From d09beee040b62d9b783869bc9af7f17301e3f5e0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 17 Nov 2005 22:40:10 +0000 Subject: r11769: Looking at a performance problem enumerating accounts, wondered if changing to support samr_connect5 might help so quickly coded it up. No it doesn't :-(. Don't merge this for 3.0.21 please. Jeremy. (This used to be commit bff1df678a8948d382f4555e83a1df23146a4b12) --- source3/rpc_server/srv_samr_nt.c | 54 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 71272a9a98..bfc96ea0f6 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -2293,6 +2293,60 @@ NTSTATUS _samr_connect4(pipes_struct *p, SAMR_Q_CONNECT4 *q_u, SAMR_R_CONNECT4 * return r_u->status; } +/******************************************************************* + samr_connect5 + ********************************************************************/ + +NTSTATUS _samr_connect5(pipes_struct *p, SAMR_Q_CONNECT5 *q_u, SAMR_R_CONNECT5 *r_u) +{ + struct samr_info *info = NULL; + SEC_DESC *psd = NULL; + uint32 acc_granted; + uint32 des_access = q_u->access_mask; + NTSTATUS nt_status; + POLICY_HND pol; + size_t sd_size; + + + DEBUG(5,("_samr_connect5: %d\n", __LINE__)); + + ZERO_STRUCTP(r_u); + + /* Access check */ + + if (!pipe_access_check(p)) { + DEBUG(3, ("access denied to samr_connect5\n")); + r_u->status = NT_STATUS_ACCESS_DENIED; + return r_u->status; + } + + make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); + se_map_generic(&des_access, &sam_generic_mapping); + + nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + NULL, 0, des_access, &acc_granted, "_samr_connect5"); + + if ( !NT_STATUS_IS_OK(nt_status) ) + return nt_status; + + /* associate the user's SID and access granted with the new handle. */ + if ((info = get_samr_info_by_sid(NULL)) == NULL) + return NT_STATUS_NO_MEMORY; + + info->acc_granted = acc_granted; + info->status = q_u->access_mask; + + /* get a (unique) handle. open a policy on it. */ + if (!create_policy_hnd(p, &pol, free_samr_info, (void *)info)) + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + + DEBUG(5,("_samr_connect: %d\n", __LINE__)); + + init_samr_r_connect5(r_u, &pol, NT_STATUS_OK); + + return r_u->status; +} + /********************************************************************** api_samr_lookup_domain **********************************************************************/ -- cgit From 9be0ce442285a0f63e6c226f6cf07d05a3f20021 Mon Sep 17 00:00:00 2001 
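Review bot: The result of `make_samr_object_sd(...)` in `_samr_connect5` is discarded, so when building the descriptor fails, `access_check_samr_object` is handed `psd` still NULL. `_samr_query_sec_obj` in this file keeps that call's NTSTATUS, so do the same here: `nt_status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);` then `if (!NT_STATUS_IS_OK(nt_status)) return nt_status;`. If `create_policy_hnd` fails, `info` from `get_samr_info_by_sid(NULL)` is not released on that return, unless `create_policy_hnd` invokes the free callback itself, which is not visible here. The closing trace prints `_samr_connect:` rather than `_samr_connect5:`, and `info->status = q_u->access_mask;` stores an access mask in a field named status, which deserves a comment if it is intended.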
From: Jeremy Allison Date: Fri, 18 Nov 2005 23:15:47 +0000 Subject: r11793: Fix the SAMR cache so it works across completely insane client behaviour (ie.: open pipe/open SAMR handle/enumerate 0 - 1024 close SAMR handle, close pipe. open pipe/open SAMR handle/enumerate 1024 - 2048... close SAMR handle, close pipe. And on ad-nausium. Amazing.... probably object-oriented client side programming in action yet again. This change should *massively* improve performance when enumerating users from an LDAP database. Jeremy. (This used to be commit 8ce705d9cc1b6a79d710a10ff38f72a0f1006dda) --- source3/rpc_server/srv_samr_nt.c | 522 +++++++++++++++++++++++++++++---------- 1 file changed, 397 insertions(+), 125 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index bfc96ea0f6..563c3f864f 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -40,11 +40,16 @@ SA_RIGHT_USER_CHANGE_PASSWORD | \ SA_RIGHT_USER_SET_LOC_COM ) +#define DISP_INFO_CACHE_TIMEOUT 30 + extern rid_name domain_group_rids[]; extern rid_name domain_alias_rids[]; extern rid_name builtin_alias_rids[]; typedef struct disp_info { + struct disp_info *next, *prev; + TALLOC_CTX *mem_ctx; + DOM_SID sid; /* identify which domain this is. */ struct pdb_search *users; /* querydispinfo 1 and 4 */ struct pdb_search *machines; /* querydispinfo 2 */ struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */ @@ -53,8 +58,15 @@ typedef struct disp_info { uint16 enum_acb_mask; struct pdb_search *enum_users; /* enumusers with a mask */ + + smb_event_id_t di_cache_timeout_event; /* cache idle timeout handler. */ } DISP_INFO; +/* We keep a static list of these by SID as modern clients close down + all resources between each request in a complete enumeration. */ + +static DISP_INFO *disp_info_list; + struct samr_info { /* for use by the \PIPE\samr policy */ DOM_SID sid; 
@@ -62,8 +74,7 @@ struct samr_info { uint32 acc_granted; uint16 acb_mask; BOOL only_machines; - DISP_INFO disp_info; - + DISP_INFO *disp_info; TALLOC_CTX *mem_ctx; }; @@ -215,6 +226,39 @@ static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_requir return NT_STATUS_ACCESS_DENIED; } +/******************************************************************* + Fetch or create a dispinfo struct. +********************************************************************/ + +static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid, const char *sid_str) +{ + TALLOC_CTX *mem_ctx; + DISP_INFO *dpi; + + for (dpi = disp_info_list; dpi; dpi = dpi->next) { + if (sid_equal(psid, &dpi->sid)) { + return dpi; + } + } + + /* This struct is never free'd - I'm using talloc so we + can get a list out of smbd using smbcontrol. There will + be one of these per SID we're authorative for. JRA. */ + + mem_ctx = talloc_init("DISP_INFO for domain sid %s", sid_str); + + if ((dpi = TALLOC_ZERO_P(mem_ctx, DISP_INFO)) == NULL) + return NULL; + + dpi->mem_ctx = mem_ctx; + if (psid) { + sid_copy( &dpi->sid, psid); + } + + DLIST_ADD(disp_info_list, dpi); + + return dpi; +} /******************************************************************* Create a samr_info struct. 
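Review bot: `get_samr_dispinfo_by_sid` keys its never-freed list on the exact SID it is given, and `get_samr_info_by_sid` passes the handle's own SID straight through. A NULL `psid` (which `_samr_connect5` passes) is never stored in `dpi->sid`, so, assuming `sid_equal` does not match it, every such call adds a new permanent talloc context; handles opened on user or alias SIDs would likewise each add an entry, and the list grows under client control. It also means `force_flush_samr_cache(disp_info)` in `_samr_set_userinfo` and `_samr_set_userinfo2` flushes the entry for the handle's SID, which may not be the domain entry that holds the cached enumeration. Consider resolving the SID to its domain before the lookup (or returning NULL for anything else). Separately, add `talloc_destroy(mem_ctx);` before the `return NULL` that follows a failed `TALLOC_ZERO_P`, since that path leaks the context.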
@@ -244,41 +288,143 @@ static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n")); } info->mem_ctx = mem_ctx; + + info->disp_info = get_samr_dispinfo_by_sid(psid, sid_str); + + if (!info->disp_info) { + talloc_destroy(mem_ctx); + return NULL; + } + return info; } /******************************************************************* - Function to free the per handle data. + Function to free the per SID data. ********************************************************************/ +static void free_samr_cache(DISP_INFO *disp_info) +{ + DEBUG(10,("free_samr_cache: deleting cache\n")); + + if (disp_info->users) { + DEBUG(10,("free_samr_cache: deleting users cache\n")); + pdb_search_destroy(disp_info->users); + disp_info->users = NULL; + } + if (disp_info->machines) { + DEBUG(10,("free_samr_cache: deleting machines cache\n")); + pdb_search_destroy(disp_info->machines); + disp_info->machines = NULL; + } + if (disp_info->groups) { + DEBUG(10,("free_samr_cache: deleting groups cache\n")); + pdb_search_destroy(disp_info->groups); + disp_info->groups = NULL; + } + if (disp_info->aliases) { + DEBUG(10,("free_samr_cache: deleting aliases cache\n")); + pdb_search_destroy(disp_info->aliases); + disp_info->aliases = NULL; + } + if (disp_info->builtins) { + DEBUG(10,("free_samr_cache: deleting builtins cache\n")); + pdb_search_destroy(disp_info->builtins); + disp_info->builtins = NULL; + } + if (disp_info->enum_users) { + DEBUG(10,("free_samr_cache: deleting enum_users cache\n")); + pdb_search_destroy(disp_info->enum_users); + disp_info->enum_users = NULL; + } + disp_info->enum_acb_mask = 0; +} + /******************************************************************* Function to free the per handle data. 
********************************************************************/ -static void free_samr_db(struct samr_info *info) -{ - pdb_search_destroy(info->disp_info.users); - info->disp_info.users = NULL; - pdb_search_destroy(info->disp_info.machines); - info->disp_info.machines = NULL; - pdb_search_destroy(info->disp_info.groups); - info->disp_info.groups = NULL; - pdb_search_destroy(info->disp_info.aliases); - info->disp_info.aliases = NULL; - pdb_search_destroy(info->disp_info.builtins); - info->disp_info.builtins = NULL; - pdb_search_destroy(info->disp_info.enum_users); - info->disp_info.enum_users = NULL; -} - static void free_samr_info(void *ptr) { struct samr_info *info=(struct samr_info *) ptr; - free_samr_db(info); + /* Only free the dispinfo cache if no one bothered to set up + a timeout. */ + + if (info->disp_info && info->disp_info->di_cache_timeout_event == (smb_event_id_t)0) { + free_samr_cache(info->disp_info); + } + talloc_destroy(info->mem_ctx); } +/******************************************************************* + Idle event handler. Throw away the disp info cache. + ********************************************************************/ + +static void disp_info_cache_idle_timeout_handler(void **private_data, + time_t *ev_interval, + time_t ev_now) +{ + DISP_INFO *disp_info = (DISP_INFO *)(*private_data); + + free_samr_cache(disp_info); + + /* Remove the event. */ + smb_unregister_idle_event(disp_info->di_cache_timeout_event); + disp_info->di_cache_timeout_event = (smb_event_id_t)0; + + DEBUG(10,("disp_info_cache_idle_timeout_handler: caching timed out at %u\n", + (unsigned int)ev_now)); +} + +/******************************************************************* + Setup cache removal idle event handler. + ********************************************************************/ + +static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow) +{ + /* Remove any pending timeout and update. 
*/ + + if (disp_info->di_cache_timeout_event) { + smb_unregister_idle_event(disp_info->di_cache_timeout_event); + disp_info->di_cache_timeout_event = (smb_event_id_t)0; + } + + DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for %u seconds\n", + (unsigned int)secs_fromnow )); + + disp_info->di_cache_timeout_event = + smb_register_idle_event(disp_info_cache_idle_timeout_handler, + disp_info, + secs_fromnow); +} + +/******************************************************************* + Remove the cache removal idle event handler. + ********************************************************************/ + +static void clear_disp_info_cache_timeout(DISP_INFO *disp_info) +{ + if (disp_info->di_cache_timeout_event) { + smb_unregister_idle_event(disp_info->di_cache_timeout_event); + disp_info->di_cache_timeout_event = (smb_event_id_t)0; + DEBUG(10,("clear_disp_info_cache_timeout: clearing idle event.\n")); + } +} + +/******************************************************************* + Force flush any cache. We do this on any samr_set_xxx call. + ********************************************************************/ + +static void force_flush_samr_cache(DISP_INFO *disp_info) +{ + if (disp_info) { + clear_disp_info_cache_timeout(disp_info); + free_samr_cache(disp_info); + } +} + /******************************************************************* Ensure password info is never given out. Paranioa... JRA. ********************************************************************/ 
@@ -298,24 +444,36 @@ static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass) static uint32 count_sam_users(struct disp_info *info, uint16 acct_flags) { struct samr_displayentry *entry; - if (info->users == NULL) + if (info->users == NULL) { info->users = pdb_search_users(acct_flags); - if (info->users == NULL) - return 0; + if (info->users == NULL) { + return 0; + } + } /* Fetch the last possible entry, thus trigger an enumeration */ pdb_search_entries(info->users, 0xffffffff, 1, &entry); + + /* Ensure we cache this enumeration. */ + set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT); + return info->users->num_entries; } static uint32 count_sam_groups(struct disp_info *info) { struct samr_displayentry *entry; - if (info->groups == NULL) + if (info->groups == NULL) { info->groups = pdb_search_groups(); - if (info->groups == NULL) - return 0; + if (info->groups == NULL) { + return 0; + } + } /* Fetch the last possible entry, thus trigger an enumeration */ pdb_search_entries(info->groups, 0xffffffff, 1, &entry); + + /* Ensure we cache this enumeration. */ + set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT); + return info->groups->num_entries; } @@ -431,12 +589,12 @@ NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_ return NT_STATUS_NOT_IMPLEMENTED; } - /******************************************************************* ********************************************************************/ static BOOL get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol, - DOM_SID *sid, uint32 *acc_granted) + DOM_SID *sid, uint32 *acc_granted, + DISP_INFO **ppdisp_info) { struct samr_info *info = NULL; @@ -449,6 +607,10 @@ static BOOL get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol, *sid = info->sid; *acc_granted = info->acc_granted; + if (ppdisp_info) { + *ppdisp_info = info->disp_info; + } + return True; } 
@@ -467,42 +629,35 @@ NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_ r_u->status = NT_STATUS_OK; /* Get the SID. */ - if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &pol_sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &pol_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - - DEBUG(10,("_samr_query_sec_obj: querying security on SID: %s\n", sid_to_string(str_sid, &pol_sid))); /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */ /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */ - if (pol_sid.sid_rev_num == 0) - { + if (pol_sid.sid_rev_num == 0) { DEBUG(5,("_samr_query_sec_obj: querying security on SAM\n")); r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); - } - else if (sid_equal(&pol_sid,get_global_sam_sid())) /* check if it is our domain SID */ - - { + } else if (sid_equal(&pol_sid,get_global_sam_sid())) { + /* check if it is our domain SID */ DEBUG(5,("_samr_query_sec_obj: querying security on Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid))); r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0); - } - else if (sid_equal(&pol_sid,&global_sid_Builtin)) /* check if it is the Builtin Domain */ - { + } else if (sid_equal(&pol_sid,&global_sid_Builtin)) { + /* check if it is the Builtin Domain */ /* TODO: Builtin probably needs a different SD with restricted write access*/ DEBUG(5,("_samr_query_sec_obj: querying security on Builtin Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid))); r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0); - } - else if (sid_check_is_in_our_domain(&pol_sid) || - sid_check_is_in_builtin(&pol_sid)) - { + } else if (sid_check_is_in_our_domain(&pol_sid) || + sid_check_is_in_builtin(&pol_sid)) { /* TODO: different SDs have to be generated for aliases groups and 
users. Currently all three get a default user SD */ DEBUG(10,("_samr_query_sec_obj: querying security on Object with SID: %s\n", sid_to_string(str_sid, &pol_sid))); r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &pol_sid, SAMR_USR_RIGHTS_WRITE_PW); + } else { + return NT_STATUS_OBJECT_TYPE_MISMATCH; } - else return NT_STATUS_OBJECT_TYPE_MISMATCH; if ((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL) return NT_STATUS_NO_MEMORY; @@ -594,21 +749,32 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); become_root(); - if ((info->disp_info.enum_users != NULL) && - (info->disp_info.enum_acb_mask != q_u->acb_mask)) { - pdb_search_destroy(info->disp_info.enum_users); - info->disp_info.enum_users = NULL; + + /* AS ROOT !!!! */ + + if ((info->disp_info->enum_users != NULL) && + (info->disp_info->enum_acb_mask != q_u->acb_mask)) { + pdb_search_destroy(info->disp_info->enum_users); + info->disp_info->enum_users = NULL; } - if (info->disp_info.enum_users == NULL) { - info->disp_info.enum_users = pdb_search_users(q_u->acb_mask); - info->disp_info.enum_acb_mask = q_u->acb_mask; + if (info->disp_info->enum_users == NULL) { + info->disp_info->enum_users = pdb_search_users(q_u->acb_mask); + info->disp_info->enum_acb_mask = q_u->acb_mask; } - if (info->disp_info.enum_users == NULL) + + if (info->disp_info->enum_users == NULL) { + /* END AS ROOT !!!! */ + unbecome_root(); return NT_STATUS_ACCESS_DENIED; - num_account = pdb_search_entries(info->disp_info.enum_users, + } + + num_account = pdb_search_entries(info->disp_info->enum_users, enum_context, max_entries, &entries); + + /* END AS ROOT !!!! */ + unbecome_root(); if (num_account == 0) { 
@@ -625,8 +791,13 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, if (!NT_STATUS_IS_OK(r_u->status)) return r_u->status; - if (max_entries <= num_account) + if (max_entries <= num_account) { + /* Ensure we cache this enumeration. */ + set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); r_u->status = STATUS_MORE_ENTRIES; + } else { + clear_disp_info_cache_timeout(info->disp_info); + } DEBUG(5, ("_samr_enum_dom_users: %d\n", __LINE__)); @@ -705,18 +876,23 @@ NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAM /* the domain group array is being allocated in the function below */ become_root(); - if (info->disp_info.groups == NULL) - info->disp_info.groups = pdb_search_groups(); - unbecome_root(); - if (info->disp_info.groups == NULL) - return NT_STATUS_ACCESS_DENIED; + if (info->disp_info->groups == NULL) { + info->disp_info->groups = pdb_search_groups(); - become_root(); - num_groups = pdb_search_entries(info->disp_info.groups, q_u->start_idx, + if (info->disp_info->groups == NULL) { + unbecome_root(); + return NT_STATUS_ACCESS_DENIED; + } + } + + num_groups = pdb_search_entries(info->disp_info->groups, q_u->start_idx, MAX_SAM_ENTRIES, &groups); unbecome_root(); + /* Ensure we cache this enumeration. */ + set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); + make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_groups, groups); 
@@ -752,26 +928,30 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S sid_string_static(&info->sid))); if (sid_check_is_domain(&info->sid)) - search = &info->disp_info.aliases; + search = &info->disp_info->aliases; if (sid_check_is_builtin(&info->sid)) - search = &info->disp_info.builtins; + search = &info->disp_info->builtins; if (search == NULL) return NT_STATUS_INVALID_HANDLE; become_root(); - if (*search == NULL) - *search = pdb_search_aliases(&info->sid); - unbecome_root(); - if (*search == NULL) - return NT_STATUS_ACCESS_DENIED; + if (*search == NULL) { + *search = pdb_search_aliases(&info->sid); + if (*search == NULL) { + unbecome_root(); + return NT_STATUS_ACCESS_DENIED; + } + } - become_root(); num_aliases = pdb_search_entries(*search, q_u->start_idx, MAX_SAM_ENTRIES, &aliases); unbecome_root(); + /* Ensure we cache this enumeration. */ + set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); + make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_aliases, aliases); 
@@ -872,38 +1052,68 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, become_root(); + /* THe following done as ROOT. Don't return without unbecome_root(). */ + switch (q_u->switch_level) { case 0x1: case 0x4: - if (info->disp_info.users == NULL) - info->disp_info.users = pdb_search_users(ACB_NORMAL); - if (info->disp_info.users == NULL) - return NT_STATUS_ACCESS_DENIED; - num_account = pdb_search_entries(info->disp_info.users, + if (info->disp_info->users == NULL) { + info->disp_info->users = pdb_search_users(ACB_NORMAL); + if (info->disp_info->users == NULL) { + unbecome_root(); + return NT_STATUS_ACCESS_DENIED; + } + DEBUG(10,("samr_reply_query_dispinfo: starting user enumeration at index %u\n", + (unsigned int)enum_context )); + } else { + DEBUG(10,("samr_reply_query_dispinfo: using cached user enumeration at index %u\n", + (unsigned int)enum_context )); + } + + num_account = pdb_search_entries(info->disp_info->users, enum_context, max_entries, &entries); break; case 0x2: - if (info->disp_info.machines == NULL) - info->disp_info.machines = + if (info->disp_info->machines == NULL) { + info->disp_info->machines = pdb_search_users(ACB_WSTRUST|ACB_SVRTRUST); - if (info->disp_info.machines == NULL) - return NT_STATUS_ACCESS_DENIED; - num_account = pdb_search_entries(info->disp_info.machines, + if (info->disp_info->machines == NULL) { + unbecome_root(); + return NT_STATUS_ACCESS_DENIED; + } + DEBUG(10,("samr_reply_query_dispinfo: starting machine enumeration at index %u\n", + (unsigned int)enum_context )); + } else { + DEBUG(10,("samr_reply_query_dispinfo: using cached machine enumeration at index %u\n", + (unsigned int)enum_context )); + } + + num_account = pdb_search_entries(info->disp_info->machines, enum_context, max_entries, &entries); break; case 0x3: case 0x5: - if (info->disp_info.groups == NULL) - info->disp_info.groups = pdb_search_groups(); - if (info->disp_info.groups == NULL) - return NT_STATUS_ACCESS_DENIED; - num_account = 
pdb_search_entries(info->disp_info.groups, + if (info->disp_info->groups == NULL) { + info->disp_info->groups = pdb_search_groups(); + if (info->disp_info->groups == NULL) { + unbecome_root(); + return NT_STATUS_ACCESS_DENIED; + } + DEBUG(10,("samr_reply_query_dispinfo: starting group enumeration at index %u\n", + (unsigned int)enum_context )); + } else { + DEBUG(10,("samr_reply_query_dispinfo: using cached group enumeration at index %u\n", + (unsigned int)enum_context )); + } + + num_account = pdb_search_entries(info->disp_info->groups, enum_context, max_entries, &entries); break; default: + unbecome_root(); smb_panic("info class changed"); break; } @@ -947,10 +1157,14 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, /* calculate the total size */ total_data_size=num_account*struct_size; - if (num_account) + if (num_account) { + /* Ensure we cache this enumeration. */ + set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); r_u->status = STATUS_MORE_ENTRIES; - else + } else { + clear_disp_info_cache_timeout(info->disp_info); r_u->status = NT_STATUS_OK; + } DEBUG(5, ("_samr_query_dispinfo: %d\n", __LINE__)); @@ -978,7 +1192,7 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_LOOKUP_INFO, "_samr_query_aliasinfo"))) { return r_u->status; 
@@ -1096,7 +1310,7 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO ZERO_ARRAY(rid); ZERO_ARRAY(type); - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted)) { + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted, NULL)) { init_samr_r_lookup_names(p->mem_ctx, r_u, 0, NULL, NULL, NT_STATUS_OBJECT_TYPE_MISMATCH); return r_u->status; } @@ -1255,7 +1469,7 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; if (num_rids > 1000) { @@ -1317,7 +1531,7 @@ NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USE /* find the domain policy handle and get domain SID / access bits in the domain policy. */ - if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted) ) + if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) ) return NT_STATUS_INVALID_HANDLE; nt_status = access_check_samr_function( acc_granted, @@ -1712,7 +1926,7 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_USER_GET_GROUPS, "_samr_query_usergroups"))) { 
@@ -1858,9 +2072,9 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA /* AS ROOT !!! */ - num_users=count_sam_users(&info->disp_info, + num_users=count_sam_users(info->disp_info, ACB_NORMAL); - num_groups=count_sam_groups(&info->disp_info); + num_groups=count_sam_groups(info->disp_info); pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); u_logout = account_policy_temp; @@ -1993,9 +2207,10 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS; BOOL can_add_account = False; SE_PRIV se_rights; + DISP_INFO *disp_info = NULL; /* Get the domain SID stored in the domain policy */ - if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_USER, "_samr_create_user"))) { @@ -2141,6 +2356,9 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA return NT_STATUS_OBJECT_NAME_NOT_FOUND; } + /* After a "set" ensure we have no cached display info. */ + force_flush_samr_cache(info->disp_info); + r_u->user_rid=pdb_get_user_rid(sam_pass); r_u->access_granted = acc_granted; @@ -2478,7 +2696,7 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A /* find the domain policy and get the SID / access bits stored in the domain policy */ - if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted) ) + if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) ) return NT_STATUS_INVALID_HANDLE; status = access_check_samr_function(acc_granted, 
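Review bot: `_samr_create_user` fetches `disp_info` from the domain handle with `get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted, &disp_info)` but then flushes `info->disp_info`, leaving the new local unused. `info` is defined outside these hunks; if it is the samr_info of the newly created user handle, the domain's cached user enumeration survives the create until the idle timeout fires. Use `force_flush_samr_cache(disp_info);` as `_samr_set_userinfo` does. Both hunks show only part of the function.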
@@ -2873,13 +3091,14 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE BOOL ret; BOOL has_enough_rights = False; uint32 acb_info; + DISP_INFO *disp_info = NULL; DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__)); r_u->status = NT_STATUS_OK; /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; /* observed when joining an XP client to a Samba domain */ @@ -2995,6 +3214,10 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE /* ================ END SeMachineAccountPrivilege BLOCK ================ */ + if (NT_STATUS_IS_OK(r_u->status)) { + force_flush_samr_cache(disp_info); + } + return r_u->status; } @@ -3014,13 +3237,14 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ BOOL ret; BOOL has_enough_rights = False; uint32 acb_info; + DISP_INFO *disp_info = NULL; DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__)); r_u->status = NT_STATUS_OK; /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; /* observed when joining XP client to Samba domain */ @@ -3101,6 +3325,10 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ /* ================ END SeMachineAccountPrivilege BLOCK ================ */ + if (NT_STATUS_IS_OK(r_u->status)) { + force_flush_samr_cache(disp_info); + } + return r_u->status; } 
@@ -3184,7 +3412,7 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ uint32 acc_granted; /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = @@ -3296,7 +3524,7 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ NTSTATUS result; /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_GET_MEMBERS, "_samr_query_groupmem"))) { @@ -3345,10 +3573,10 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD SE_PRIV se_rights; BOOL can_add_accounts; BOOL ret; - + DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_ADD_MEMBER, "_samr_add_aliasmem"))) { @@ -3372,6 +3600,10 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD /******** END SeAddUsers BLOCK *********/ + if (ret) { + force_flush_samr_cache(disp_info); + } + return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; } 
@@ -3386,9 +3618,10 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE SE_PRIV se_rights; BOOL can_add_accounts; BOOL ret; + DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_REMOVE_MEMBER, "_samr_del_aliasmem"))) { @@ -3413,6 +3646,10 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE /******** END SeAddUsers BLOCK *********/ + if (ret) { + force_flush_samr_cache(disp_info); + } + return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; } @@ -3436,9 +3673,10 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD uint32 acc_granted; SE_PRIV se_rights; BOOL can_add_accounts; + DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_ADD_MEMBER, "_samr_add_groupmem"))) { @@ -3524,6 +3762,9 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD } passwd_free(&pwd); + + force_flush_samr_cache(disp_info); + return NT_STATUS_OK; } @@ -3542,6 +3783,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE uint32 acc_granted; SE_PRIV se_rights; BOOL can_add_accounts; + DISP_INFO *disp_info = NULL; /* * delete the group member named q_u->rid 
@@ -3550,7 +3792,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE */ /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_REMOVE_MEMBER, "_samr_del_groupmem"))) { @@ -3609,6 +3851,9 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE } pdb_free_sam(&sam_pass); + + force_flush_samr_cache(disp_info); + return NT_STATUS_OK; } @@ -3644,11 +3889,12 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM uint32 acc_granted; BOOL can_add_accounts; BOOL ret; + DISP_INFO *disp_info = NULL; DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__)); /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &user_sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &user_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_user"))) { @@ -3705,6 +3951,8 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM if (!close_policy_hnd(p, &q_u->user_pol)) return NT_STATUS_OBJECT_NAME_INVALID; + force_flush_samr_cache(disp_info); + return NT_STATUS_OK; } 
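Review bot: In `_samr_delete_dom_user`, `force_flush_samr_cache(disp_info);` runs after `close_policy_hnd(p, &q_u->user_pol)`, so it uses a pointer that was read from the handle being closed. That is safe only if the DISP_INFO outlives the handle's samr_info, which this hunk does not show, and the `return NT_STATUS_OBJECT_NAME_INVALID;` on a failed close skips the flush although the delete has presumably already happened. Calling `force_flush_samr_cache(disp_info);` before `if (!close_policy_hnd(...))` removes both concerns; `_samr_delete_dom_group` and `_samr_delete_dom_alias` follow the same pattern. The function bodies extend outside the hunks.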
@@ -3725,11 +3973,12 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S SE_PRIV se_rights; BOOL can_add_accounts; BOOL ret; + DISP_INFO *disp_info = NULL; DEBUG(5, ("samr_delete_dom_group: %d\n", __LINE__)); /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_group"))) { @@ -3788,6 +4037,8 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S if (!close_policy_hnd(p, &q_u->group_pol)) return NT_STATUS_OBJECT_NAME_INVALID; + force_flush_samr_cache(disp_info); + return NT_STATUS_OK; } @@ -3802,11 +4053,12 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S SE_PRIV se_rights; BOOL can_add_accounts; BOOL ret; + DISP_INFO *disp_info = NULL; DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__)); /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_alias"))) { @@ -3842,6 +4094,8 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S if (!close_policy_hnd(p, &q_u->alias_pol)) return NT_STATUS_OBJECT_NAME_INVALID; + force_flush_samr_cache(disp_info); + return NT_STATUS_OK; } 
@@ -3862,9 +4116,10 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S SE_PRIV se_rights; BOOL can_add_accounts; NTSTATUS result; + DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_GROUP, "_samr_create_dom_group"))) { @@ -3933,6 +4188,8 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; + force_flush_samr_cache(disp_info); + return NT_STATUS_OK; } @@ -3951,9 +4208,10 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S NTSTATUS result; SE_PRIV se_rights; BOOL can_add_accounts; + DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_ALIAS, "_samr_create_alias"))) { @@ -4005,6 +4263,8 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S if (!create_policy_hnd(p, &r_u->alias_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; + force_flush_samr_cache(disp_info); + return NT_STATUS_OK; } 
@@ -4026,7 +4286,7 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM uint32 acc_granted; BOOL ret; - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_LOOKUP_INFO, "_samr_query_groupinfo"))) { @@ -4083,8 +4343,9 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ uint32 acc_granted; BOOL ret; BOOL can_mod_accounts; + DISP_INFO *disp_info = NULL; - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_SET_INFO, "_samr_set_groupinfo"))) { @@ -4121,6 +4382,10 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ /******** End SeAddUsers BLOCK *********/ + if (ret) { + force_flush_samr_cache(disp_info); + } + return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; } @@ -4138,8 +4403,9 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ uint32 acc_granted; BOOL ret; BOOL can_mod_accounts; + DISP_INFO *disp_info = NULL; - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_SET_INFO, "_samr_set_aliasinfo"))) { @@ -4174,6 +4440,10 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ /******** End SeAddUsers BLOCK *********/ + if (ret) { + force_flush_samr_cache(disp_info); + } + return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; } 
@@ -4217,7 +4487,7 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G BOOL ret; SE_PRIV se_rights; - if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid, &acc_granted)) + if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; status = access_check_samr_function(acc_granted, @@ -4280,7 +4550,8 @@ NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, DOM_SID delete_sid, domain_sid; uint32 acc_granted; NTSTATUS result; - + DISP_INFO *disp_info = NULL; + sid_copy( &delete_sid, &q_u->sid.sid ); DEBUG(5,("_samr_remove_sid_foreign_domain: removing SID [%s]\n", @@ -4289,7 +4560,7 @@ NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, /* Find the policy handle. Open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &domain_sid, - &acc_granted)) + &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; result = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, @@ -4324,6 +4595,7 @@ NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, return NT_STATUS_OK; } + force_flush_samr_cache(disp_info); result = NT_STATUS_OK; @@ -4331,10 +4603,12 @@ NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, } /******************************************************************* - _samr_unknown_2e + _samr_query_domain_info2 ********************************************************************/ -NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOWN_2E *r_u) +NTSTATUS _samr_query_domain_info2(pipes_struct *p, + SAMR_Q_QUERY_DOMAIN_INFO2 *q_u, + SAMR_R_QUERY_DOMAIN_INFO2 *r_u) { struct samr_info *info = NULL; SAM_UNK_CTR *ctr; 
@@ -4363,7 +4637,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW r_u->status = NT_STATUS_OK; - DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__)); + DEBUG(5,("_samr_query_domain_info2: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info)) @@ -4394,13 +4668,11 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW break; case 0x02: become_root(); - num_users = count_sam_users(&info->disp_info, + num_users = count_sam_users(info->disp_info, ACB_NORMAL); - num_groups = count_sam_groups(&info->disp_info); + num_groups = count_sam_groups(info->disp_info); unbecome_root(); - free_samr_db(info); - pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); u_logout = account_policy_temp; @@ -4464,9 +4736,9 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW return NT_STATUS_INVALID_INFO_CLASS; } - init_samr_r_samr_unknown_2e(r_u, q_u->switch_value, ctr, NT_STATUS_OK); + init_samr_r_samr_query_domain_info2(r_u, q_u->switch_value, ctr, NT_STATUS_OK); - DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__)); + DEBUG(5,("_samr_query_domain_info2: %d\n", __LINE__)); return r_u->status; } -- cgit From 2770e98aec8bcf462f1619a6506385cb4cfbc256 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 22 Nov 2005 14:29:14 +0000 Subject: r11856: Replace unknown1 with group_attr. Can anyone remember why we initialize groups only with 0x03 instead of 0x07 ? Guenther (This used to be commit 3282c7c458d390547fbaca44821eff376e8f9aaa) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 563c3f864f..34779348a4 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1980,7 +1980,7 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S continue; gids = TALLOC_REALLOC_ARRAY(p->mem_ctx, gids, DOM_GID, num_gids+1); - gids[num_gids].attr=7; + gids[num_gids].attr= (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_ENABLED); gids[num_gids].g_rid = rid; num_gids += 1; } -- cgit From a509c20eb69b57ba6fca49260b8a9b86b2fc5ced Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 22 Nov 2005 20:26:23 +0000 Subject: r11865: The only way to stop multiple LDAP searches is to agressively cache results. We now cache them for 10 seconds, down from 30 seconds (however each re-use will refresh the idle timeout). Any set calls will flush the cache. Jeremy. (This used to be commit c9a0720f552719eb77a2c72fc2e942de52fbf1d6) --- source3/rpc_server/srv_samr_nt.c | 66 ++++++++++++++++++++++------------------ 1 file changed, 36 insertions(+), 30 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 34779348a4..00c8a9956c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -40,7 +40,7 @@ SA_RIGHT_USER_CHANGE_PASSWORD | \ SA_RIGHT_USER_SET_LOC_COM ) -#define DISP_INFO_CACHE_TIMEOUT 30 +#define DISP_INFO_CACHE_TIMEOUT 10 extern rid_name domain_group_rids[]; extern rid_name domain_alias_rids[]; @@ -303,9 +303,9 @@ static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) Function to free the per SID data. ********************************************************************/ -static void free_samr_cache(DISP_INFO *disp_info) +static void free_samr_cache(DISP_INFO *disp_info, const char *sid_str) { - DEBUG(10,("free_samr_cache: deleting cache\n")); + DEBUG(10,("free_samr_cache: deleting cache for SID %s\n", sid_str)); if (disp_info->users) { DEBUG(10,("free_samr_cache: deleting users cache\n")); 
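Review bot: In the `_samr_query_usergroups` hunk the result of `TALLOC_REALLOC_ARRAY(p->mem_ctx, gids, DOM_GID, num_gids+1)` is written through as `gids[num_gids]` on the next line without a NULL check, so an allocation failure becomes a NULL write inside an RPC handler. A guard such as `if (gids == NULL) return NT_STATUS_NO_MEMORY;` directly after the realloc would close that. The loop and the rest of the function lie outside the hunk, so any cleanup needed on that path has to be checked there.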
@@ -352,7 +352,9 @@ static void free_samr_info(void *ptr) a timeout. */ if (info->disp_info && info->disp_info->di_cache_timeout_event == (smb_event_id_t)0) { - free_samr_cache(info->disp_info); + fstring sid_str; + sid_to_string(sid_str, &info->disp_info->sid); + free_samr_cache(info->disp_info, sid_str); } talloc_destroy(info->mem_ctx); @@ -366,16 +368,19 @@ static void disp_info_cache_idle_timeout_handler(void **private_data, time_t *ev_interval, time_t ev_now) { + fstring sid_str; DISP_INFO *disp_info = (DISP_INFO *)(*private_data); - free_samr_cache(disp_info); + sid_to_string(sid_str, &disp_info->sid); + + free_samr_cache(disp_info, sid_str); /* Remove the event. */ smb_unregister_idle_event(disp_info->di_cache_timeout_event); disp_info->di_cache_timeout_event = (smb_event_id_t)0; - DEBUG(10,("disp_info_cache_idle_timeout_handler: caching timed out at %u\n", - (unsigned int)ev_now)); + DEBUG(10,("disp_info_cache_idle_timeout_handler: caching timed out for SID %s at %u\n", + sid_str, (unsigned int)ev_now)); } /******************************************************************* @@ -384,6 +389,10 @@ static void disp_info_cache_idle_timeout_handler(void **private_data, static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow) { + fstring sid_str; + + sid_to_string(sid_str, &disp_info->sid); + /* Remove any pending timeout and update. */ if (disp_info->di_cache_timeout_event) { @@ -391,8 +400,8 @@ static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromno disp_info->di_cache_timeout_event = (smb_event_id_t)0; } - DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for %u seconds\n", - (unsigned int)secs_fromnow )); + DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for SID %s for %u seconds\n", + sid_str, (unsigned int)secs_fromnow )); disp_info->di_cache_timeout_event = smb_register_idle_event(disp_info_cache_idle_timeout_handler, 
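Review bot: `set_disp_info_cache_timeout` now calls `sid_to_string(sid_str, &disp_info->sid);` on entry with no NULL check, whereas `free_samr_info` tests `info->disp_info &&` first and `force_flush_samr_cache` tests `if (disp_info)`. If a handle can carry a NULL `disp_info` (the guards elsewhere suggest so, but the allocation path is outside these hunks), this is a crash reachable from the enumeration calls; an early `if (!disp_info) return;` would make the three helpers agree. The SID string is also built on every call only to feed `DEBUG(10, ...)`, and the same applies to `disp_info_cache_idle_timeout_handler`.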
@@ -400,28 +409,24 @@ static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromno secs_fromnow); } -/******************************************************************* - Remove the cache removal idle event handler. - ********************************************************************/ - -static void clear_disp_info_cache_timeout(DISP_INFO *disp_info) -{ - if (disp_info->di_cache_timeout_event) { - smb_unregister_idle_event(disp_info->di_cache_timeout_event); - disp_info->di_cache_timeout_event = (smb_event_id_t)0; - DEBUG(10,("clear_disp_info_cache_timeout: clearing idle event.\n")); - } -} - /******************************************************************* Force flush any cache. We do this on any samr_set_xxx call. + We must also remove the timeout handler. ********************************************************************/ static void force_flush_samr_cache(DISP_INFO *disp_info) { if (disp_info) { - clear_disp_info_cache_timeout(disp_info); - free_samr_cache(disp_info); + fstring sid_str; + + sid_to_string(sid_str, &disp_info->sid); + if (disp_info->di_cache_timeout_event) { + smb_unregister_idle_event(disp_info->di_cache_timeout_event); + disp_info->di_cache_timeout_event = (smb_event_id_t)0; + DEBUG(10,("force_flush_samr_cache: clearing idle event for SID %s\n", + sid_str)); + } + free_samr_cache(disp_info, sid_str); } } @@ -792,13 +797,14 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, return r_u->status; if (max_entries <= num_account) { - /* Ensure we cache this enumeration. */ - set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); r_u->status = STATUS_MORE_ENTRIES; } else { - clear_disp_info_cache_timeout(info->disp_info); + r_u->status = NT_STATUS_OK; } + /* Ensure we cache this enumeration. */ + set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); + DEBUG(5, ("_samr_enum_dom_users: %d\n", __LINE__)); init_samr_r_enum_dom_users(r_u, q_u->start_idx + num_account, 
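Review bot: In `_samr_enum_dom_users` the idle timeout is now re-armed on every call, including the final one that returns `NT_STATUS_OK`, and nothing visible caps the total age of the cached search. `disp_info_list` is a file-static list, so presumably a set call handled by another smbd process, or a change made directly in the backend, does not flush this cache, and a client that re-enumerates inside the window keeps seeing the old account list. Consider recording when the search was created and dropping it after a fixed maximum age regardless of reuse, with a comment next to `DISP_INFO_CACHE_TIMEOUT` stating that bound. `_samr_query_dispinfo` gets the same change in the following hunk.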
@@ -1158,14 +1164,14 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, total_data_size=num_account*struct_size; if (num_account) { - /* Ensure we cache this enumeration. */ - set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); r_u->status = STATUS_MORE_ENTRIES; } else { - clear_disp_info_cache_timeout(info->disp_info); r_u->status = NT_STATUS_OK; } + /* Ensure we cache this enumeration. */ + set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); + DEBUG(5, ("_samr_query_dispinfo: %d\n", __LINE__)); init_samr_r_query_dispinfo(r_u, num_account, total_data_size, -- cgit From ed6936598ef73f1fc46801fd5dc7765d65032fa1 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 25 Nov 2005 10:19:24 +0000 Subject: r11898: Add a missing become_root(). Volker (This used to be commit efb7576d4e970e3cbb4621ebd754d329eec58b5a) --- source3/rpc_server/srv_samr_nt.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 00c8a9956c..b0472d287a 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -307,6 +307,11 @@ static void free_samr_cache(DISP_INFO *disp_info, const char *sid_str) { DEBUG(10,("free_samr_cache: deleting cache for SID %s\n", sid_str)); + /* We need to become root here because the paged search might have to + * tell the LDAP server we're not interested in the rest anymore. */ + + become_root(); + if (disp_info->users) { DEBUG(10,("free_samr_cache: deleting users cache\n")); pdb_search_destroy(disp_info->users); @@ -338,6 +343,8 @@ static void free_samr_cache(DISP_INFO *disp_info, const char *sid_str) disp_info->enum_users = NULL; } disp_info->enum_acb_mask = 0; + + unbecome_root(); } /******************************************************************* -- cgit From 3088a85c62e1475747496199d18137ee89f914a5 Mon Sep 17 00:00:00 2001 
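Review bot: The `become_root()` / `unbecome_root()` pair added to `free_samr_cache` brackets code that lies between the two hunks and is only partly shown, so any `return` inside that stretch, now or added later, would leave the process running as root. `free_samr_cache` is reached from `free_samr_info`, the idle timeout handler and `force_flush_samr_cache`, so the elevation can happen on handle close and on every set call. A comment after `become_root();` such as `/* Root until the matching unbecome_root() below: no early returns in between. */` would document that constraint.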
From: Volker Lendecke Date: Sat, 26 Nov 2005 17:54:24 +0000 Subject: r11915: Remove unused extern declarations (This used to be commit 3c35fb642a187b785816bb8cbb3573df9612a9f8) --- source3/rpc_server/srv_samr_nt.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b0472d287a..2bb8078f78 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -42,10 +42,6 @@ #define DISP_INFO_CACHE_TIMEOUT 10 -extern rid_name domain_group_rids[]; -extern rid_name domain_alias_rids[]; -extern rid_name builtin_alias_rids[]; - typedef struct disp_info { struct disp_info *next, *prev; TALLOC_CTX *mem_ctx; -- cgit From 5976053f05c20fd2d010ec7949202e365fb701ee Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 26 Nov 2005 19:22:17 +0000 Subject: r11918: Remove two unused variables (This used to be commit 5524d662954165eef3fdd15986fe0b4de09180d7) --- source3/rpc_server/srv_samr_nt.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 2bb8078f78..9a09b5f544 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -68,8 +68,6 @@ struct samr_info { DOM_SID sid; uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */ uint32 acc_granted; - uint16 acb_mask; - BOOL only_machines; DISP_INFO *disp_info; TALLOC_CTX *mem_ctx; }; -- cgit From add1493a86d62c298f4a9e0686e8e81deab70c57 Mon Sep 17 00:00:00 2001 
From: Volker Lendecke Date: Sat, 26 Nov 2005 20:28:12 +0000 Subject: r11919: The generic mappings in srv_samr_nt.c are only used there -- make them static. One long overdue simplification: Change local_lookup_sid to local_lookup_rid its responsible for "our" domain only, in fact it checked for it. Volker (This used to be commit 35ba5e083cddfa5ddba5ad84233262fadfbe87b2) --- source3/rpc_server/srv_samr_nt.c | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 9a09b5f544..ec2bc3fe4a 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -72,11 +72,31 @@ struct samr_info { TALLOC_CTX *mem_ctx; }; -struct generic_mapping sam_generic_mapping = {GENERIC_RIGHTS_SAM_READ, GENERIC_RIGHTS_SAM_WRITE, GENERIC_RIGHTS_SAM_EXECUTE, GENERIC_RIGHTS_SAM_ALL_ACCESS}; -struct generic_mapping dom_generic_mapping = {GENERIC_RIGHTS_DOMAIN_READ, GENERIC_RIGHTS_DOMAIN_WRITE, GENERIC_RIGHTS_DOMAIN_EXECUTE, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS}; -struct generic_mapping usr_generic_mapping = {GENERIC_RIGHTS_USER_READ, GENERIC_RIGHTS_USER_WRITE, GENERIC_RIGHTS_USER_EXECUTE, GENERIC_RIGHTS_USER_ALL_ACCESS}; -struct generic_mapping grp_generic_mapping = {GENERIC_RIGHTS_GROUP_READ, GENERIC_RIGHTS_GROUP_WRITE, GENERIC_RIGHTS_GROUP_EXECUTE, GENERIC_RIGHTS_GROUP_ALL_ACCESS}; -struct generic_mapping ali_generic_mapping = {GENERIC_RIGHTS_ALIAS_READ, GENERIC_RIGHTS_ALIAS_WRITE, GENERIC_RIGHTS_ALIAS_EXECUTE, GENERIC_RIGHTS_ALIAS_ALL_ACCESS}; +static struct generic_mapping sam_generic_mapping = { + GENERIC_RIGHTS_SAM_READ, + GENERIC_RIGHTS_SAM_WRITE, + GENERIC_RIGHTS_SAM_EXECUTE, + GENERIC_RIGHTS_SAM_ALL_ACCESS}; +static struct generic_mapping dom_generic_mapping = { + GENERIC_RIGHTS_DOMAIN_READ, + GENERIC_RIGHTS_DOMAIN_WRITE, + GENERIC_RIGHTS_DOMAIN_EXECUTE, + GENERIC_RIGHTS_DOMAIN_ALL_ACCESS}; +static struct generic_mapping usr_generic_mapping = { + GENERIC_RIGHTS_USER_READ, + GENERIC_RIGHTS_USER_WRITE, + GENERIC_RIGHTS_USER_EXECUTE, + GENERIC_RIGHTS_USER_ALL_ACCESS}; +static struct generic_mapping grp_generic_mapping = { + GENERIC_RIGHTS_GROUP_READ, + GENERIC_RIGHTS_GROUP_WRITE, + GENERIC_RIGHTS_GROUP_EXECUTE, + GENERIC_RIGHTS_GROUP_ALL_ACCESS}; +static struct generic_mapping ali_generic_mapping = { + GENERIC_RIGHTS_ALIAS_READ, + GENERIC_RIGHTS_ALIAS_WRITE, + GENERIC_RIGHTS_ALIAS_EXECUTE, + GENERIC_RIGHTS_ALIAS_ALL_ACCESS}; /******************************************************************* *******************************************************************/ -- cgit 
From fcf14ebee21378064187dd4389c01d8eaea3ca2a Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 26 Nov 2005 21:35:43 +0000 Subject: r11921: samr_open_domain can only open "our" domain and BUILTIN. Volker (This used to be commit 049920ce4f78723bc884c46b2ee4ef22f25c482c) --- source3/rpc_server/srv_samr_nt.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index ec2bc3fe4a..ac774355a7 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -562,6 +562,11 @@ NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN if ( !NT_STATUS_IS_OK(status) ) return status; + if (!sid_check_is_domain(&q_u->dom_sid.sid) && + !sid_check_is_builtin(&q_u->dom_sid.sid)) { + return NT_STATUS_NO_SUCH_DOMAIN; + } + /* associate the domain SID with the (unique) handle. */ if ((info = get_samr_info_by_sid(&q_u->dom_sid.sid))==NULL) return NT_STATUS_NO_MEMORY; -- cgit From 046a8873b9001662eff7bbdf549d2a511216c092 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 26 Nov 2005 22:04:28 +0000 Subject: r11922: Looks bigger than it is: There's no point in allocating arrays in samr_lookup_rids twice. It was done in the srv_samr_nt.c code as well as in the pdb module. Remove the latter, this might happen more often. Volker (This used to be commit 57f0cf8cdd6928f4759036e5dd53d41736aa910d) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index ac774355a7..65bb0ef1ab 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
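Review bot: The new SID test in `_samr_open_domain` has no comment saying why it sits where it does, immediately before `get_samr_info_by_sid(&q_u->dom_sid.sid)`. I would add `/* dom_sid is client-supplied: refuse anything but our SAM domain and BUILTIN before a samr_info is allocated for it. */` above the `if`, so a later reordering does not move the allocation ahead of the check. The function body extends outside the hunk.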
@@ -1523,8 +1523,8 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK } become_root(); /* lookup_sid can require root privs */ - r_u->status = pdb_lookup_rids(p->mem_ctx, &pol_sid, num_rids, q_u->rid, - &names, &attrs); + r_u->status = pdb_lookup_rids(&pol_sid, num_rids, q_u->rid, + names, attrs); unbecome_root(); done: -- cgit From 10bc204efb9a56d1f1f53326d4354e39851e635a Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 26 Nov 2005 22:28:41 +0000 Subject: r11923: Add samr_lookup_rids for the builtin domain. Doing it this way feels a bit wrong, but so far we don't have proper multi-domain support in passdb yet... Volker (This used to be commit c917cfc320f0250d23fda3525a7632bc01643707) --- source3/rpc_server/srv_samr_nt.c | 8 -------- 1 file changed, 8 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 65bb0ef1ab..b4d699188a 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1516,19 +1516,11 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK if ((num_rids != 0) && ((names == NULL) || (attrs == NULL))) return NT_STATUS_NO_MEMORY; - if (!sid_equal(&pol_sid, get_global_sam_sid())) { - /* TODO: Sooner or later we need to look up BUILTIN rids as - * well. -- vl */ - goto done; - } - become_root(); /* lookup_sid can require root privs */ r_u->status = pdb_lookup_rids(&pol_sid, num_rids, q_u->rid, names, attrs); unbecome_root(); - done: - if(!make_samr_lookup_rids(p->mem_ctx, num_rids, names, &hdr_name, &uni_name)) return NT_STATUS_NO_MEMORY; -- cgit From 48c2f9fc72afaf5d7817bfb12f0acef9ab26faf0 Mon Sep 17 00:00:00 2001 
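Review bot: With the `sid_equal(&pol_sid, get_global_sam_sid())` test removed from `_samr_lookup_rids`, `pdb_lookup_rids` is called with whatever SID the client's handle carries. The handle lookup earlier in the function (outside this hunk) presumably rejects only unknown handles, so a user, group or alias handle may reach the backend as `pol_sid`. I would keep an explicit gate that mirrors the one added to `_samr_open_domain`, for example `if (!sid_check_is_domain(&pol_sid) && !sid_check_is_builtin(&pol_sid)) return NT_STATUS_INVALID_HANDLE;` (status code to be confirmed), rather than rely on every passdb backend to reject other SIDs.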
From: Jeremy Allison Date: Sun, 27 Nov 2005 01:17:24 +0000 Subject: r11924: Added Volkers's (C) to srv_samr_nt.c, removed separate "builtin" search enumeration, fixed count of groups and users to return zero if we're getting domain info on the builtin domain (need to fix the enumgroup and enumuser calls also). Added count_sam_aliases to return the correct alias count. Need to push the SID arg down into the group mapping interface so we only return the correct aliases. Upped passdb version numer for Volkers changes. SAM-MYSQL guys - you will need to fix your backend now. More tests needed. Jeremy. (This used to be commit b53d5cd565b05b0595979efba6176d0cafc8cb03) --- source3/rpc_server/srv_samr_nt.c | 76 +++++++++++++++++++++++++++------------- 1 file changed, 51 insertions(+), 25 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b4d699188a..f10597055e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -5,11 +5,12 @@ * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, * Copyright (C) Paul Ashton 1997, * Copyright (C) Marc Jacobsen 1999, - * Copyright (C) Jeremy Allison 2001-2002, + * Copyright (C) Jeremy Allison 2001-2005, * Copyright (C) Jean François Micouleau 1998-2001, * Copyright (C) Jim McDonough 2002, * Copyright (C) Gerald (Jerry) Carter 2003-2004, * Copyright (C) Simo Sorce 2003. + * Copyright (C) Volker Lendecke 2005. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
@@ -46,15 +47,16 @@ typedef struct disp_info { struct disp_info *next, *prev; TALLOC_CTX *mem_ctx; DOM_SID sid; /* identify which domain this is. */ + BOOL builtin_domain; /* Quick flag to check if this is the builtin domain. */ struct pdb_search *users; /* querydispinfo 1 and 4 */ struct pdb_search *machines; /* querydispinfo 2 */ struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */ struct pdb_search *aliases; /* enumaliases */ - struct pdb_search *builtins; /* enumaliases */ uint16 enum_acb_mask; struct pdb_search *enum_users; /* enumusers with a mask */ + smb_event_id_t di_cache_timeout_event; /* cache idle timeout handler. */ } DISP_INFO; @@ -66,6 +68,7 @@ static DISP_INFO *disp_info_list; struct samr_info { /* for use by the \PIPE\samr policy */ DOM_SID sid; + BOOL builtin_domain; /* Quick flag to check if this is the builtin domain. */ uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */ uint32 acc_granted; DISP_INFO *disp_info; @@ -265,8 +268,12 @@ static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid, const char *sid_str) return NULL; dpi->mem_ctx = mem_ctx; + if (psid) { sid_copy( &dpi->sid, psid); + dpi->builtin_domain = sid_check_is_builtin(psid); + } else { + dpi->builtin_domain = False; } DLIST_ADD(disp_info_list, dpi); @@ -298,8 +305,10 @@ static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str)); if (psid) { sid_copy( &info->sid, psid); + info->builtin_domain = sid_check_is_builtin(psid); } else { DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n")); + info->builtin_domain = False; } info->mem_ctx = mem_ctx; 
@@ -346,11 +355,6 @@ static void free_samr_cache(DISP_INFO *disp_info, const char *sid_str) pdb_search_destroy(disp_info->aliases); disp_info->aliases = NULL; } - if (disp_info->builtins) { - DEBUG(10,("free_samr_cache: deleting builtins cache\n")); - pdb_search_destroy(disp_info->builtins); - disp_info->builtins = NULL; - } if (disp_info->enum_users) { DEBUG(10,("free_samr_cache: deleting enum_users cache\n")); pdb_search_destroy(disp_info->enum_users); @@ -470,6 +474,12 @@ static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass) static uint32 count_sam_users(struct disp_info *info, uint16 acct_flags) { struct samr_displayentry *entry; + + if (info->builtin_domain) { + /* No users in builtin. */ + return 0; + } + if (info->users == NULL) { info->users = pdb_search_users(acct_flags); if (info->users == NULL) { @@ -488,6 +498,12 @@ static uint32 count_sam_users(struct disp_info *info, uint16 acct_flags) static uint32 count_sam_groups(struct disp_info *info) { struct samr_displayentry *entry; + + if (info->builtin_domain) { + /* No groups in builtin. */ + return 0; + } + if (info->groups == NULL) { info->groups = pdb_search_groups(); if (info->groups == NULL) { @@ -503,6 +519,25 @@ static uint32 count_sam_groups(struct disp_info *info) return info->groups->num_entries; } +static uint32 count_sam_aliases(struct disp_info *info) +{ + struct samr_displayentry *entry; + + if (info->aliases == NULL) { + info->aliases = pdb_search_aliases(&info->sid); + if (info->aliases == NULL) { + return 0; + } + } + /* Fetch the last possible entry, thus trigger an enumeration */ + pdb_search_entries(info->aliases, 0xffffffff, 1, &entry); + + /* Ensure we cache this enumeration. */ + set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT); + + return info->aliases->num_entries; +} + /******************************************************************* _samr_close_hnd ********************************************************************/ 
@@ -943,7 +978,6 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S { struct samr_info *info; struct samr_displayentry *aliases; - struct pdb_search **search = NULL; uint32 num_aliases = 0; /* find the policy handle. open a policy on it. */ @@ -959,25 +993,17 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", sid_string_static(&info->sid))); - if (sid_check_is_domain(&info->sid)) - search = &info->disp_info->aliases; - if (sid_check_is_builtin(&info->sid)) - search = &info->disp_info->builtins; - - if (search == NULL) - return NT_STATUS_INVALID_HANDLE; - become_root(); - if (*search == NULL) { - *search = pdb_search_aliases(&info->sid); - if (*search == NULL) { + if (info->disp_info->aliases == NULL) { + info->disp_info->aliases = pdb_search_aliases(&info->sid); + if (info->disp_info->aliases == NULL) { unbecome_root(); return NT_STATUS_ACCESS_DENIED; } } - num_aliases = pdb_search_entries(*search, q_u->start_idx, + num_aliases = pdb_search_entries(info->disp_info->aliases, q_u->start_idx, MAX_SAM_ENTRIES, &aliases); unbecome_root(); @@ -2096,9 +2122,9 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA /* AS ROOT !!! */ - num_users=count_sam_users(info->disp_info, - ACB_NORMAL); - num_groups=count_sam_groups(info->disp_info); + num_users = count_sam_users(info->disp_info, ACB_NORMAL); + num_groups = count_sam_groups(info->disp_info); + num_aliases = count_sam_aliases(info->disp_info); pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); u_logout = account_policy_temp; 
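Review bot: `_samr_enum_dom_aliases` no longer rejects a handle whose SID is neither the account domain nor BUILTIN. The removed `sid_check_is_domain` / `sid_check_is_builtin` test returned NT_STATUS_INVALID_HANDLE for such handles; now `pdb_search_aliases(&info->sid)` runs under `become_root()` for whatever SID the handle carries. If user, group or alias handles can reach this call (the hunk does not show enough of the access check to tell), keep a guard before `become_root()`, such as `if (!sid_check_is_domain(&info->sid) && !sid_check_is_builtin(&info->sid)) return NT_STATUS_INVALID_HANDLE;`. The function body starts and ends outside the hunk.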
@@ -4692,9 +4718,9 @@ NTSTATUS _samr_query_domain_info2(pipes_struct *p, break; case 0x02: become_root(); - num_users = count_sam_users(info->disp_info, - ACB_NORMAL); + num_users = count_sam_users(info->disp_info, ACB_NORMAL); num_groups = count_sam_groups(info->disp_info); + num_aliases = count_sam_aliases(info->disp_info); unbecome_root(); pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); -- cgit From d9f26f78f6325651b79f21e11fb1781c9cfafd78 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sun, 27 Nov 2005 01:26:52 +0000 Subject: r11927: No users or groups to return in BUILTIN domain. Jeremy. (This used to be commit 908e671c75f78b87fe0ee9129f0aca004565c407) --- source3/rpc_server/srv_samr_nt.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index f10597055e..6ad5ec7706 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -814,6 +814,13 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); + if (info->builtin_domain) { + /* No users in builtin. */ + init_samr_r_enum_dom_users(r_u, q_u->start_idx, 0); + DEBUG(5,("_samr_enum_dom_users: No users in BUILTIN\n")); + return r_u->status; + } + become_root(); /* AS ROOT !!!! */ @@ -940,6 +947,13 @@ NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAM DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__)); + if (info->builtin_domain) { + /* No groups in builtin. */ + init_samr_r_enum_dom_groups(r_u, q_u->start_idx, 0); + DEBUG(5,("_samr_enum_dom_users: No groups in BUILTIN\n")); + return r_u->status; + } + /* the domain group array is being allocated in the function below */ become_root(); -- cgit From 6ffd82ea7794747619e4d5eab20100f019eef2da Mon Sep 17 00:00:00 2001 
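Review bot: The BUILTIN early return added to `_samr_enum_dom_groups` logs under the wrong function name: `DEBUG(5,("_samr_enum_dom_users: No groups in BUILTIN\n"));` was copied from the users path. Anyone reconstructing an enumeration from the logs would attribute the event to the wrong RPC. It should read `DEBUG(5,("_samr_enum_dom_groups: No groups in BUILTIN\n"));`. Both enum functions continue outside their hunks.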
From: Günther Deschner Date: Tue, 29 Nov 2005 23:40:01 +0000 Subject: r11964: rename flag to password_properties in SAM_UNK_INFO_1 because that's what it is. (SAM_UNK_INFO_1 should get a better name as well). Guenther (This used to be commit d94aaeb625c39b6205fe61c274aed57b1399bafc) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 6ad5ec7706..52b78d5e8d 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4834,7 +4834,7 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password); pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history); - pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag); + pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.password_properties); pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire); pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age); break; -- cgit From d1f91f7c723733113b4e9792042101c80dfc064c Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Sat, 3 Dec 2005 06:46:46 +0000 Subject: r12043: It's amazing the warnings you find when compiling on a 64-bit box with gcc4 and -O6... Fix a bunch of C99 dereferencing type-punned pointer will break strict-aliasing rules errors. Also added prs_int32 (not uint32...) as it's needed in one place. Find places where prs_uint32 was being used to marshall/unmarshall a time_t (a big no no on 64-bits). More warning fixes to come. Thanks to Volker for nudging me to compile like this. Jeremy. (This used to be commit c65b752604f8f58abc4e7ae8514dc2c7f086271c) --- source3/rpc_server/srv_samr_nt.c | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 52b78d5e8d..635d870762 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -573,7 +573,7 @@ NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN /* find the connection policy handle. */ - if ( !find_policy_by_hnd(p, &q_u->pol, (void**)&info) ) + if ( !find_policy_by_hnd(p, &q_u->pol, (void**)(void *)&info) ) return NT_STATUS_INVALID_HANDLE; status = access_check_samr_function( info->acc_granted, @@ -627,7 +627,7 @@ NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, r_u->status = NT_STATUS_OK; /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->user_pol, (void **)&info)) + if (!find_policy_by_hnd(p, &q_u->user_pol, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; if (!sid_check_is_in_our_domain(&info->sid)) 
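Review bot: The `(void **)(void *)&info` cast in `_samr_open_domain` silences the strict-aliasing warning without removing its cause, since `find_policy_by_hnd` presumably still stores through a `void **` into an object declared as `struct samr_info *`. A well-defined form goes through a temporary: `void *data = NULL;`, then `if (!find_policy_by_hnd(p, &q_u->pol, &data)) return NT_STATUS_INVALID_HANDLE;`, then `info = data;`. The same cast is repeated in the other `find_policy_by_hnd` hunks of this commit (`_samr_get_usrdom_pwinfo`, `get_lsa_policy_samr_sid`, and the enum, query and lookup handlers). Each enclosing function extends beyond its hunk.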
@@ -665,7 +665,7 @@ static BOOL get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol, struct samr_info *info = NULL; /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, pol, (void **)&info)) + if (!find_policy_by_hnd(p, pol, (void **)(void *)&info)) return False; if (!info) @@ -803,7 +803,7 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, r_u->status = NT_STATUS_OK; /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) + if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, @@ -936,7 +936,7 @@ NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAM r_u->status = NT_STATUS_OK; /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) + if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; r_u->status = access_check_samr_function(info->acc_granted, @@ -995,7 +995,7 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S uint32 num_aliases = 0; /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) + if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; r_u->status = access_check_samr_function(info->acc_granted, @@ -1061,7 +1061,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, r_u->status = NT_STATUS_UNSUCCESSFUL; /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info)) + if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; /* 
@@ -1857,7 +1857,7 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ r_u->status=NT_STATUS_OK; /* search for the handle */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) + if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; domain_sid = info->sid; @@ -2094,7 +2094,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info)) { + if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)(void *)&info)) { return NT_STATUS_INVALID_HANDLE; } @@ -2165,7 +2165,11 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA /* AS ROOT !!! */ - pdb_get_account_policy(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout); + { + uint32 ul; + pdb_get_account_policy(AP_TIME_TO_LOGOUT, &ul); + u_logout = (time_t)ul; + } /* !AS ROOT */ @@ -2641,7 +2645,7 @@ NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_ r_u->status = NT_STATUS_OK; - if (!find_policy_by_hnd(p, &q_u->connect_pol, (void**)&info)) + if (!find_policy_by_hnd(p, &q_u->connect_pol, (void**)(void *)&info)) return NT_STATUS_INVALID_HANDLE; /* win9x user manager likes to use SA_RIGHT_SAM_ENUM_DOMAINS here. @@ -2717,7 +2721,7 @@ NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_EN r_u->status = NT_STATUS_OK; - if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info)) + if (!find_policy_by_hnd(p, &q_u->pol, (void**)(void *)&info)) return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_enum_domains"))) { 
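Review bot: In the `_samr_query_dom_info` hunk, the new block reads `ul` after `pdb_get_account_policy(AP_TIME_TO_LOGOUT, &ul);` without initialising it or checking the call's result. If the lookup can fail without writing its output (not visible here), `u_logout` is built from an indeterminate stack value that then goes into the reply. Declaring `uint32 ul = 0;`, or testing the return value before `u_logout = (time_t)ul;`, closes that. The function continues outside the hunk.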
@@ -3418,7 +3422,7 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, DEBUG(5,("_samr_query_useraliases: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) + if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; ntstatus1 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases"); @@ -4704,7 +4708,7 @@ NTSTATUS _samr_query_domain_info2(pipes_struct *p, DEBUG(5,("_samr_query_domain_info2: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info)) + if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; switch (q_u->switch_value) { -- cgit From 05ac2de0df78d22ad5afb42ea5c72ba17bef8395 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 3 Dec 2005 18:34:13 +0000 Subject: r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7) --- source3/rpc_server/srv_samr_nt.c | 144 +++++++++++++++++++++++---------------- 1 file changed, 84 insertions(+), 60 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 635d870762..13f3a3284b 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1366,9 +1366,7 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOKUP_NAMES *r_u) { uint32 rid[MAX_SAM_ENTRIES]; - uint32 local_rid; enum SID_NAME_USE type[MAX_SAM_ENTRIES]; - enum SID_NAME_USE local_type; int i; int num_rids = q_u->num_names2; DOM_SID pol_sid; 
@@ -1400,42 +1398,30 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO for (i = 0; i < num_rids; i++) { fstring name; - DOM_SID sid; int ret; r_u->status = NT_STATUS_NONE_MAPPED; + type[i] = SID_NAME_UNKNOWN; rid [i] = 0xffffffff; - type[i] = SID_NAME_UNKNOWN; ret = rpcstr_pull(name, q_u->uni_name[i].buffer, sizeof(name), q_u->uni_name[i].uni_str_len*2, 0); - /* - * we are only looking for a name - * the SID we get back can be outside - * the scope of the pol_sid - * - * in clear: it prevents to reply to domain\group: yes - * when only builtin\group exists. - * - * a cleaner code is to add the sid of the domain we're looking in - * to the local_lookup_name function. - */ - - if ((ret > 0) && local_lookup_name(name, &sid, &local_type)) { - sid_split_rid(&sid, &local_rid); - - if (sid_equal(&sid, &pol_sid)) { - rid[i]=local_rid; - - /* Windows does not return WKN_GRP here, even - * on lookups in builtin */ - type[i] = (local_type == SID_NAME_WKN_GRP) ? - SID_NAME_ALIAS : local_type; - - r_u->status = NT_STATUS_OK; + if (ret <= 0) { + continue; + } + + if (sid_check_is_builtin(&pol_sid)) { + if (lookup_builtin_name(name, &rid[i])) { + type[i] = SID_NAME_ALIAS; } - } + } else { + lookup_global_sam_name(name, &rid[i], &type[i]); + } + + if (type[i] != SID_NAME_UNKNOWN) { + r_u->status = NT_STATUS_OK; + } } init_samr_r_lookup_names(p->mem_ctx, r_u, num_rids, rid, (uint32 *)type, r_u->status); 
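Review bot: In `_samr_lookup_names` the result of `lookup_global_sam_name(name, &rid[i], &type[i]);` is discarded and success is inferred from `type[i]` alone. That is only correct if the helper never writes the type on a failed lookup; confirm this or make it explicit with `if (!lookup_global_sam_name(name, &rid[i], &type[i])) type[i] = SID_NAME_UNKNOWN;`. Separately, `r_u->status` is reset to NT_STATUS_NONE_MAPPED at the top of every iteration, so the status handed to `init_samr_r_lookup_names` reflects only the last name in the request. The function starts outside the hunk.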
@@ -2247,6 +2233,41 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA return r_u->status; } +/* W2k3 seems to use the same check for all 3 objects that can be created via + * SAMR, if you try to create for example "Dialup" as an alias it says + * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user + * database. */ + +static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name) +{ + enum SID_NAME_USE type; + BOOL result; + + become_root(); + /* Lookup in our local databases (only LOOKUP_NAME_ISOLATED set) + * whether the name already exists */ + result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_ISOLATED, + NULL, NULL, NULL, &type); + unbecome_root(); + + if (!result) { + return NT_STATUS_OK; + } + + DEBUG(5, ("trying to create %s, exists as %s\n", + new_name, sid_type_lookup(type))); + + if (type == SID_NAME_DOM_GRP) { + return NT_STATUS_GROUP_EXISTS; + } + if (type == SID_NAME_ALIAS) { + return NT_STATUS_ALIAS_EXISTS; + } + + /* Yes, the default is NT_STATUS_USER_EXISTS */ + return NT_STATUS_USER_EXISTS; +} + /******************************************************************* _samr_create_user Create an account, can be either a normal user or a machine. 
@@ -2294,19 +2315,11 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA rpcstr_pull(account, user_account.buffer, sizeof(account), user_account.uni_str_len*2, 0); strlower_m(account); - pdb_init_sam(&sam_pass); - - become_root(); - ret = pdb_getsampwnam(sam_pass, account); - unbecome_root(); - if (ret == True) { - /* this account exists: say so */ - pdb_free_sam(&sam_pass); - return NT_STATUS_USER_EXISTS; + nt_status = can_create(p->mem_ctx, account); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; } - pdb_free_sam(&sam_pass); - /********************************************************************* * HEADS UP! If we have to create a new user account, we have to get * a new RID from somewhere. This used to be done by the passdb @@ -2776,7 +2789,7 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A /* append the alias' RID to it */ if (!sid_append_rid(&sid, alias_rid)) - return NT_STATUS_NO_SUCH_USER; + return NT_STATUS_NO_SUCH_ALIAS; /*check if access can be granted as requested by client. */ @@ -2793,12 +2806,21 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A if ( !NT_STATUS_IS_OK(status) ) return status; - /* - * we should check if the rid really exist !!! - * JFM. - */ + { + /* Check we actually have the requested alias */ + enum SID_NAME_USE type; + BOOL result; - /* associate the user's SID with the new handle. */ + become_root(); + result = lookup_sid(NULL, &sid, NULL, NULL, &type); + unbecome_root(); + + if (!result || (type != SID_NAME_ALIAS)) { + return NT_STATUS_NO_SUCH_ALIAS; + } + } + + /* associate the alias SID with the new handle. */ if ((info = get_samr_info_by_sid(&sid)) == NULL) return NT_STATUS_NO_MEMORY; 
@@ -2814,12 +2836,11 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A /******************************************************************* set_user_info_7 ********************************************************************/ -static NTSTATUS set_user_info_7(const SAM_USER_INFO_7 *id7, SAM_ACCOUNT *pwd) +static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx, + const SAM_USER_INFO_7 *id7, SAM_ACCOUNT *pwd) { fstring new_name; - SAM_ACCOUNT *check_acct = NULL; NTSTATUS rc; - BOOL check_rc; if (id7 == NULL) { DEBUG(5, ("set_user_info_7: NULL id7\n")); @@ -2842,13 +2863,9 @@ static NTSTATUS set_user_info_7(const SAM_USER_INFO_7 *id7, SAM_ACCOUNT *pwd) simply that the rename fails with a slightly different status code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */ - pdb_init_sam(&check_acct); - check_rc = pdb_getsampwnam(check_acct, new_name); - pdb_free_sam(&check_acct); - - if (check_rc == True) { - /* this account exists: say so */ - return NT_STATUS_USER_EXISTS; + rc = can_create(mem_ctx, new_name); + if (!NT_STATUS_IS_OK(rc)) { + return rc; } rc = pdb_rename_sam_account(pwd, new_name); @@ -3365,7 +3382,8 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ switch (switch_value) { case 7: - r_u->status = set_user_info_7(ctr->info.id7, pwd); + r_u->status = set_user_info_7(p->mem_ctx, + ctr->info.id7, pwd); break; case 16: if (!set_user_info_16(ctr->info.id16, pwd)) @@ -4199,9 +4217,10 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1); - /* check if group already exist */ - if ((grp=getgrnam(name)) != NULL) - return NT_STATUS_GROUP_EXISTS; + r_u->status = can_create(p->mem_ctx, name); + if (!NT_STATUS_IS_OK(r_u->status)) { + return r_u->status; + } se_priv_copy( &se_rights, &se_add_users ); can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); 
@@ -4289,6 +4308,11 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S if (!sid_equal(&dom_sid, get_global_sam_sid())) return NT_STATUS_ACCESS_DENIED; + r_u->status = can_create(p->mem_ctx, name); + if (!NT_STATUS_IS_OK(r_u->status)) { + return r_u->status; + } + unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1); se_priv_copy( &se_rights, &se_add_users ); -- cgit From 6a92f418ea36eb12b247e11656b3e8bbe367f394 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 8 Dec 2005 19:34:22 +0000 Subject: r12133: Fix an uninitialized variable in new code in rpc_server/srv_samr_nt.c. Fix winbind_lookup_name for the local domain, ie for aliases on a member server. Volker (This used to be commit 4ba50c823e8d61f87ab5627f15e826e73e45ffcc) --- source3/rpc_server/srv_samr_nt.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 13f3a3284b..880e1db388 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2243,6 +2243,8 @@ static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name) enum SID_NAME_USE type; BOOL result; + DEBUG(10, ("Checking whether [%s] can be created\n", new_name)); + become_root(); /* Lookup in our local databases (only LOOKUP_NAME_ISOLATED set) * whether the name already exists */ @@ -2251,6 +2253,7 @@ static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name) unbecome_root(); if (!result) { + DEBUG(10, ("%s does not exist, can create it\n", new_name)); return NT_STATUS_OK; } 
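Review bot: In the `_samr_create_dom_alias` hunk, `can_create(p->mem_ctx, name)` runs before `unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1);` has filled `name`. The lookup, which `can_create` performs under `become_root()`, therefore operates on an uninitialised stack buffer. The check belongs after the conversion, which is where the following commit on this page (r12133) moves it. The function body extends beyond the hunk.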
@@ -4308,16 +4311,16 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S if (!sid_equal(&dom_sid, get_global_sam_sid())) return NT_STATUS_ACCESS_DENIED; - r_u->status = can_create(p->mem_ctx, name); - if (!NT_STATUS_IS_OK(r_u->status)) { - return r_u->status; - } - unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1); se_priv_copy( &se_rights, &se_add_users ); can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + result = can_create(p->mem_ctx, name); + if (!NT_STATUS_IS_OK(result)) { + return result; + } + /******** BEGIN SeAddUsers BLOCK *********/ if ( can_add_accounts ) -- cgit From 6f91e3a8629de97468357339f68d789ab01814ce Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 15 Dec 2005 18:39:28 +0000 Subject: r12262: * patch from Brian Moran to fix segv in eventlogadm when not eventlogs are listed in smb.conf * initialize the local group description in set_alias_info() (This used to be commit 58f8b42069a69c0b61da2609e5706a6c0d512e09) --- source3/rpc_server/srv_samr_nt.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 880e1db388..c90b4d3660 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4516,6 +4516,8 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ ctr->alias.info3.description.string, sizeof(info.acct_desc)-1 ); } + else + fstrcpy( info.acct_desc, "" ); break; default: return NT_STATUS_INVALID_INFO_CLASS; -- cgit From a02415bf363e3c1b6863b135bdae3b2e2708db3b Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy Date: Sat, 14 Jan 2006 12:37:25 +0000 Subject: r12935: After discussion with Volker fix bug #3397 using a variant of the patch by Alex Deiter (tiamat@komi.mts.ru). Introduces level 9 of getuserinfo and allows to successfully install MS SMS2003 on a member of a Samba domain. Also added support for this level in rpcclient. The code for infolevel 9 is modelled upon Samba-TNG by Alex Deiter. Jerry, we need this in 3.0.21b. (This used to be commit 93461646ce2ad6e2f8b11d40ce98722d56a83b43) --- source3/rpc_server/srv_samr_nt.c | 53 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 51 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c90b4d3660..8f8c035c9c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1672,6 +1672,41 @@ static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_S return NT_STATUS_OK; } + +/************************************************************************* + get_user_info_9. Only gives out primary group SID. + *************************************************************************/ +static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, SAM_USER_INFO_9 * id9, DOM_SID *user_sid) +{ + SAM_ACCOUNT *smbpass=NULL; + BOOL ret; + NTSTATUS nt_status; + + nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass); + + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + become_root(); + ret = pdb_getsampwsid(smbpass, user_sid); + unbecome_root(); + + if (ret==False) { + DEBUG(4,("User %s not found\n", sid_string_static(user_sid))); + return NT_STATUS_NO_SUCH_USER; + } + + DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) )); + + ZERO_STRUCTP(id9); + init_sam_user_info9(id9, pdb_get_group_rid(smbpass) ); + + pdb_free_sam(&smbpass); + + return NT_STATUS_OK; +} + /************************************************************************* get_user_info_16. Safe. Only gives out acb bits. *************************************************************************/ @@ -1864,6 +1899,8 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ /* ok! user info levels (lots: see MSDEV help), off we go... */ ctr->switch_value = q_u->switch_value; + DEBUG(5,("_samr_query_userinfo: user info level: %d\n", q_u->switch_value)); + switch (q_u->switch_value) { case 7: ctr->info.id7 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_7); 
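Review bot: In `get_user_info_9` the not-found branch returns NT_STATUS_NO_SUCH_USER without calling `pdb_free_sam(&smbpass);`, while the success path does call it. The account object was created on `mem_ctx`, so this may only defer the release, but the two exits should treat the object the same way; add `pdb_free_sam(&smbpass);` before that return. The header comment could also state that the lookup runs under `become_root()` and that only the primary group RID is copied into `id9`.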
@@ -1873,6 +1910,14 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ if (!NT_STATUS_IS_OK(r_u->status = get_user_info_7(p->mem_ctx, ctr->info.id7, &info->sid))) return r_u->status; break; + case 9: + ctr->info.id9 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_9); + if (ctr->info.id9 == NULL) + return NT_STATUS_NO_MEMORY; + + if (!NT_STATUS_IS_OK(r_u->status = get_user_info_9(p->mem_ctx, ctr->info.id9, &info->sid))) + return r_u->status; + break; case 16: ctr->info.id16 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_16); if (ctr->info.id16 == NULL) @@ -2677,8 +2722,12 @@ NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_ ZERO_STRUCT(sid); - if (!secrets_fetch_domain_sid(domain_name, &sid)) { - r_u->status = NT_STATUS_NO_SUCH_DOMAIN; + if (strequal(domain_name, builtin_domain_name())) { + sid_copy(&sid, &global_sid_Builtin); + } else { + if (!secrets_fetch_domain_sid(domain_name, &sid)) { + r_u->status = NT_STATUS_NO_SUCH_DOMAIN; + } } DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name, sid_string_static(&sid))); -- cgit From 77965f6cf6997a6af7fe3cb225b3fb5ced9acd4a Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 25 Jan 2006 21:29:36 +0000 Subject: r13138: old fix I forgot to commit need to access info when using the ldap backend (This used to be commit 80c0625667f28253e9b6f1ac1a5c88aa8261f9b0) --- source3/rpc_server/srv_samr_nt.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 8f8c035c9c..2f9d494a26 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -4495,8 +4495,11 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_SET_INFO, "_samr_set_groupinfo"))) { return r_u->status; } - - if (!get_domain_group_from_sid(group_sid, &map)) + + become_root(); + ret = get_domain_group_from_sid(group_sid, &map); + unbecome_root(); + if (!ret) return NT_STATUS_NO_SUCH_GROUP; ctr=q_u->ctr; -- cgit From 0af1500fc0bafe61019f1b2ab1d9e1d369221240 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 3 Feb 2006 22:19:41 +0000 Subject: r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f) --- source3/rpc_server/srv_samr_nt.c | 279 +++++++++++++++++++++------------------ 1 file changed, 153 insertions(+), 126 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 2f9d494a26..81344cdc1e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -140,7 +140,7 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd if ( sid ) { init_sec_access( &mask, sid_access ); init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); -} + } /* create the security descriptor */ @@ -1416,7 +1416,7 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO type[i] = SID_NAME_ALIAS; } } else { - lookup_global_sam_name(name, &rid[i], &type[i]); + lookup_global_sam_name(name, 0, &rid[i], &type[i]); } if (type[i] != SID_NAME_UNKNOWN) { 
@@ -1927,28 +1927,6 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ return r_u->status; break; -#if 0 -/* whoops - got this wrong. i think. or don't understand what's happening. */ - case 17: - { - NTTIME expire; - info = (void *)&id11; - - expire.low = 0xffffffff; - expire.high = 0x7fffffff; - - ctr->info.id = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_17)); - ZERO_STRUCTP(ctr->info.id17); - init_sam_user_info17(ctr->info.id17, &expire, - "BROOKFIELDS$", /* name */ - 0x03ef, /* user rid */ - 0x201, /* group rid */ - 0x0080); /* acb info */ - - break; - } -#endif - case 18: ctr->info.id18 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_18); if (ctr->info.id18 == NULL) @@ -1993,10 +1971,11 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u) { SAM_ACCOUNT *sam_pass=NULL; - struct passwd *passwd; DOM_SID sid; DOM_SID *sids; + DOM_GID dom_gid; DOM_GID *gids = NULL; + uint32 primary_group_rid; size_t num_groups = 0; gid_t *unix_gids; size_t i, num_gids; 
@@ -2031,58 +2010,72 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S if (!sid_check_is_in_our_domain(&sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - pdb_init_sam(&sam_pass); + pdb_init_sam_talloc(p->mem_ctx, &sam_pass); become_root(); ret = pdb_getsampwsid(sam_pass, &sid); unbecome_root(); - if (ret == False) { - pdb_free_sam(&sam_pass); - return NT_STATUS_NO_SUCH_USER; - } - - passwd = getpwnam_alloc(pdb_get_username(sam_pass)); - if (passwd == NULL) { - pdb_free_sam(&sam_pass); + if (!ret) { + DEBUG(10, ("pdb_getsampwsid failed for %s\n", + sid_string_static(&sid))); return NT_STATUS_NO_SUCH_USER; } sids = NULL; become_root(); - result = pdb_enum_group_memberships(pdb_get_username(sam_pass), - passwd->pw_gid, + result = pdb_enum_group_memberships(p->mem_ctx, sam_pass, &sids, &unix_gids, &num_groups); unbecome_root(); - pdb_free_sam(&sam_pass); - passwd_free(&passwd); - - if (!NT_STATUS_IS_OK(result)) + if (!NT_STATUS_IS_OK(result)) { + DEBUG(10, ("pdb_enum_group_memberships failed for %s\n", + sid_string_static(&sid))); return result; - - SAFE_FREE(unix_gids); + } gids = NULL; num_gids = 0; + dom_gid.attr = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT| + SE_GROUP_ENABLED); + + if (!sid_peek_check_rid(get_global_sam_sid(), + pdb_get_group_sid(sam_pass), + &primary_group_rid)) { + DEBUG(5, ("Group sid %s for user %s not in our domain\n", + sid_string_static(pdb_get_group_sid(sam_pass)), + pdb_get_username(sam_pass))); + pdb_free_sam(&sam_pass); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + dom_gid.g_rid = primary_group_rid; + + ADD_TO_ARRAY(p->mem_ctx, DOM_GID, dom_gid, &gids, &num_gids); + for (i=0; imem_ctx, gids, DOM_GID, num_gids+1); - gids[num_gids].attr= (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_ENABLED); - gids[num_gids].g_rid = rid; - num_gids += 1; + if (dom_gid.g_rid == primary_group_rid) { + /* We added the primary group directly from the + * sam_account. 
The other SIDs are unique from + * enum_group_memberships */ + continue; + } + + ADD_TO_ARRAY(p->mem_ctx, DOM_GID, dom_gid, &gids, &num_gids); } - SAFE_FREE(sids); /* construct the response. lkclXXXX: gids are not copied! */ - init_samr_r_query_usergroups(r_u, num_groups, gids, r_u->status); + init_samr_r_query_usergroups(r_u, num_gids, gids, r_u->status); DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); @@ -2322,7 +2315,8 @@ static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name) This funcion will need to be updated for bdc/domain trusts. ********************************************************************/ -NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREATE_USER *r_u) +NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, + SAMR_R_CREATE_USER *r_u) { SAM_ACCOUNT *sam_pass=NULL; fstring account; @@ -2339,7 +2333,6 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA uint32 acc_granted; SEC_DESC *psd; size_t sd_size; - uint32 new_rid = 0; /* check this, when giving away 'add computer to domain' privs */ uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS; BOOL can_add_account = False; 
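Review bot: In _samr_query_usergroups the new `pdb_init_sam_talloc(p->mem_ctx, &sam_pass);` call ignores its result, so if the allocation fails, `sam_pass` (declared `=NULL` in the preceding hunk) is handed to pdb_getsampwsid() inside the become_root() window. Check it first, e.g. `result = pdb_init_sam_talloc(p->mem_ctx, &sam_pass); if (!NT_STATUS_IS_OK(result)) return result;`. The sid_peek_check_rid() failure path also still calls `pdb_free_sam(&sam_pass)` while every other return dropped that call; presumably the talloc context now owns the object, so the call should either go or be explained in a comment. The function body starts and ends outside this hunk.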
@@ -2347,20 +2340,26 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA DISP_INFO *disp_info = NULL; /* Get the domain SID stored in the domain policy */ - if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted, + &disp_info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_USER, "_samr_create_user"))) { + nt_status = access_check_samr_function(acc_granted, + SA_RIGHT_DOMAIN_CREATE_USER, + "_samr_create_user"); + if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } - if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST || acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) { + if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST || + acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) { /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if this parameter is not an account type */ return NT_STATUS_INVALID_PARAMETER; } - rpcstr_pull(account, user_account.buffer, sizeof(account), user_account.uni_str_len*2, 0); + rpcstr_pull(account, user_account.buffer, sizeof(account), + user_account.uni_str_len*2, 0); strlower_m(account); nt_status = can_create(p->mem_ctx, account); 
@@ -2369,14 +2368,14 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA } /********************************************************************* - * HEADS UP! If we have to create a new user account, we have to get - * a new RID from somewhere. This used to be done by the passdb - * backend. It has been moved into idmap now. Since idmap is now - * wrapped up behind winbind, this means you have to run winbindd if you - * want new accounts to get a new RID when "enable rid algorithm = no". - * Tough. We now have a uniform way of allocating RIDs regardless - * of what ever passdb backend people may use. - * --jerry (2003-07-10) + * HEADS UP! If we have to create a new user account, we have to get + * a new RID from somewhere. This used to be done by the passdb + * backend. It has been moved into idmap now. Since idmap is now + * wrapped up behind winbind, this means you have to run winbindd if + * you want new accounts to get a new RID when "enable rid algorithm = + * no". Tough. We now have a uniform way of allocating RIDs + * regardless of what ever passdb backend people may use. --jerry + * (2003-07-10) *********************************************************************/ pw = Get_Pwnam(account); 
@@ -2387,24 +2386,30 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA { pstrcpy(add_script, lp_addmachine_script()); se_priv_copy( &se_rights, &se_machine_account ); - can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_account = user_has_privileges( + p->pipe_user.nt_user_token, &se_rights ); } /* usrmgr.exe (and net rpc trustdom grant) creates a normal user account for domain trusts and changes the ACB flags later */ - else if ( acb_info & ACB_NORMAL && (account[strlen(account)-1] != '$') ) + else if ( acb_info & ACB_NORMAL && + (account[strlen(account)-1] != '$') ) { pstrcpy(add_script, lp_adduser_script()); se_priv_copy( &se_rights, &se_add_users ); - can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + can_add_account = user_has_privileges( + p->pipe_user.nt_user_token, &se_rights ); } - else /* implicit assumption of a BDC or domain trust account here (we already check the flags earlier) */ + else /* implicit assumption of a BDC or domain trust account here + * (we already check the flags earlier) */ { pstrcpy(add_script, lp_addmachine_script()); if ( lp_enable_privileges() ) { /* only Domain Admins can add a BDC or domain trust */ se_priv_copy( &se_rights, &se_priv_none ); - can_add_account = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); - } + can_add_account = nt_token_check_domain_rid( + p->pipe_user.nt_user_token, + DOMAIN_GROUP_RID_ADMINS ); + } } DEBUG(5, ("_samr_create_user: %s can add this account : %s\n", 
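Review bot: The re-wrapped test `(account[strlen(account)-1] != '$')` reads `account[-1]` when the request carries an empty account name, because `account` is filled from the client's `user_account` buffer by rpcstr_pull(). Whether can_create() already rejects an empty name is not visible here, so I would guard locally before the privilege selection: `if (account[0] == '\0') return NT_STATUS_INVALID_PARAMETER;`. The same expression is kept as context in the later hunk at -2486,7 +2468,6, where `account` has become a talloc'd string. _samr_create_user starts and ends outside this hunk.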
@@ -2419,16 +2424,20 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA if (*add_script) { int add_ret; - all_string_sub(add_script, "%u", account, sizeof(add_script)); + all_string_sub(add_script, "%u", account, + sizeof(add_script)); add_ret = smbrun(add_script,NULL); - DEBUG(add_ret ? 0 : 3,("_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); + DEBUG(add_ret ? 0 : 3,("_samr_create_user: Running " + "the command `%s' gave %d\n", + add_script, add_ret)); } } - /* implicit call to getpwnam() next. we have a valid SID coming out of this call */ + /* implicit call to getpwnam() next. we have a valid SID coming out + * of this call */ flush_pwnam_cache(); - nt_status = pdb_init_sam_new(&sam_pass, account, new_rid); + nt_status = pdb_init_sam_new(&sam_pass, account); /* this code is order such that we have no unnecessary retuns out of the admin block of code */ @@ -2438,7 +2447,8 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA if ( !(ret = pdb_add_sam_account(sam_pass)) ) { pdb_free_sam(&sam_pass); - DEBUG(0, ("could not add user/computer %s to passdb. Check permissions?\n", + DEBUG(0, ("could not add user/computer %s to passdb. " + "Check permissions?\n", account)); nt_status = NT_STATUS_ACCESS_DENIED; } @@ -2458,7 +2468,8 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA sid_copy(&sid, pdb_get_user_sid(sam_pass)); - make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW); + make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, + &sid, SAMR_USR_RIGHTS_WRITE_PW); se_map_generic(&des_access, &usr_generic_mapping); nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, 
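Review bot: `all_string_sub(add_script, "%u", account, sizeof(add_script))` puts a client-supplied account name into the command line that `smbrun()` executes, and nothing in this hunk restricts which characters `account` may contain. Whether all_string_sub() or the earlier can_create() call filters shell metacharacters is not visible from here, so this deserves an explicit allow-list check on `account` before the substitution, or at least a comment such as `/* account is client-controlled; it must be limited to safe characters before it reaches the shell */`. Elsewhere on this page the same block appears to sit under `if ( can_add_account ) become_root();`, which raises the cost of getting this wrong. The enclosing function starts and ends outside the hunk.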
@@ -2944,7 +2955,7 @@ static BOOL set_user_info_16(const SAM_USER_INFO_16 *id16, SAM_ACCOUNT *pwd) return False; } - if(!pdb_update_sam_account(pwd)) { + if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { pdb_free_sam(&pwd); return False; } @@ -2980,7 +2991,7 @@ static BOOL set_user_info_18(SAM_USER_INFO_18 *id18, SAM_ACCOUNT *pwd) return False; } - if(!pdb_update_sam_account(pwd)) { + if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { pdb_free_sam(&pwd); return False; } @@ -2997,8 +3008,7 @@ static BOOL set_unix_primary_group(SAM_ACCOUNT *sampass) struct group *grp; gid_t gid; - if (!NT_STATUS_IS_OK(sid_to_gid(pdb_get_group_sid(sampass), - &gid))) { + if (!sid_to_gid(pdb_get_group_sid(sampass), &gid)) { DEBUG(2,("Could not get gid for primary group of " "user %s\n", pdb_get_username(sampass))); return False; @@ -3039,7 +3049,7 @@ static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, SAM_ACCOUNT *pwd) copy_id20_to_sam_passwd(pwd, id20); /* write the change out */ - if(!pdb_update_sam_account(pwd)) { + if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { pdb_free_sam(&pwd); return False; } @@ -3073,7 +3083,7 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, SAM_ACCOUNT *pwd) set_unix_primary_group(pwd); /* write the change out */ - if(!pdb_update_sam_account(pwd)) { + if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { pdb_free_sam(&pwd); return False; } @@ -3140,7 +3150,7 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, SAM_ACCOUNT *pwd) if (IS_SAM_CHANGED(pwd, PDB_GROUPSID)) set_unix_primary_group(pwd); - if(!pdb_update_sam_account(pwd)) { + if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { pdb_free_sam(&pwd); return False; } @@ -3202,7 +3212,7 @@ static BOOL set_user_info_pw(uint8 *pass, SAM_ACCOUNT *pwd) DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n")); /* update the SAMBA password */ - if(!pdb_update_sam_account(pwd)) { + if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { pdb_free_sam(&pwd); return False; } 
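Review bot: Each converted check, `if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd)))` in set_user_info_16, _18, _20, _21, _23 and set_user_info_pw, discards the NTSTATUS the backend now returns and still reports a bare False. Keeping it in a local and logging it would make failed account updates diagnosable: `status = pdb_update_sam_account(pwd);` followed by `if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("pdb_update_sam_account failed: %s\n", nt_errstr(status)));` before the existing cleanup. These helpers all start and end outside their hunks.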
@@ -3485,7 +3495,6 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, NTSTATUS ntstatus2; DOM_SID *members; - BOOL res; r_u->status = NT_STATUS_OK; @@ -3521,13 +3530,14 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, num_alias_rids = 0; become_root(); - res = pdb_enum_alias_memberships(p->mem_ctx, &info->sid, members, - q_u->num_sids1, - &alias_rids, &num_alias_rids); + ntstatus1 = pdb_enum_alias_memberships(p->mem_ctx, &info->sid, members, + q_u->num_sids1, + &alias_rids, &num_alias_rids); unbecome_root(); - if (!res) - return NT_STATUS_UNSUCCESSFUL; + if (!NT_STATUS_IS_OK(ntstatus1)) { + return ntstatus1; + } init_samr_r_query_useraliases(r_u, num_alias_rids, alias_rids, NT_STATUS_OK); @@ -3540,6 +3550,7 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_QUERY_ALIASMEM *r_u) { + NTSTATUS status; size_t i; size_t num_sids = 0; DOM_SID2 *sid; @@ -3560,8 +3571,11 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid))); - if (!pdb_enum_aliasmem(&alias_sid, &sids, &num_sids)) - return NT_STATUS_NO_SUCH_ALIAS; + status = pdb_enum_aliasmem(&alias_sid, &sids, &num_sids); + + if (!NT_STATUS_IS_OK(status)) { + return status; + } sid = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_SID2, num_sids); if (num_sids!=0 && sid == NULL) { @@ -3710,7 +3724,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD uint32 acc_granted; SE_PRIV se_rights; BOOL can_add_accounts; - BOOL ret; + NTSTATUS ret; DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ 
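Review bot: In _samr_query_aliasmem the new `status = pdb_enum_aliasmem(&alias_sid, &sids, &num_sids);` runs without the become_root()/unbecome_root() bracket that the pdb_enum_alias_memberships() call in _samr_query_useraliases gets two hunks earlier. If that difference is deliberate, a one-line comment above the call stating why root is not required would help the next reader. If it is not, the lookup may fail for non-root callers depending on the backend, and that backend status is now returned to the client unchanged instead of NT_STATUS_NO_SUCH_ALIAS. Both function bodies extend beyond the hunks shown.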
@@ -3738,11 +3752,11 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD /******** END SeAddUsers BLOCK *********/ - if (ret) { + if (NT_STATUS_IS_OK(ret)) { force_flush_samr_cache(disp_info); } - return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; + return ret; } /********************************************************************* @@ -3755,7 +3769,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE uint32 acc_granted; SE_PRIV se_rights; BOOL can_add_accounts; - BOOL ret; + NTSTATUS ret; DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ @@ -3784,11 +3798,11 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE /******** END SeAddUsers BLOCK *********/ - if (ret) { + if (NT_STATUS_IS_OK(ret)) { force_flush_samr_cache(disp_info); } - return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; + return ret; } /********************************************************************* @@ -3847,19 +3861,18 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD } /* check a real user exist before we run the script to add a user to a group */ - if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) { + if (!sid_to_uid(pdb_get_user_sid(sam_user), &uid)) { pdb_free_sam(&sam_user); return NT_STATUS_NO_SUCH_USER; } pdb_free_sam(&sam_user); - if ((pwd=getpwuid_alloc(uid)) == NULL) { + if ((pwd=getpwuid_alloc(p->mem_ctx, uid)) == NULL) { return NT_STATUS_NO_SUCH_USER; } if ((grp=getgrgid(map.gid)) == NULL) { - passwd_free(&pwd); return NT_STATUS_NO_SUCH_GROUP; } @@ -3867,8 +3880,7 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD fstrcpy(grp_name, grp->gr_name); /* if the user is already in the group */ - if(user_in_unix_group_list(pwd->pw_name, grp_name)) { - passwd_free(&pwd); + if(user_in_unix_group(pwd->pw_name, grp_name)) { return NT_STATUS_MEMBER_IN_GROUP; } 
@@ -3894,13 +3906,10 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD /******** END SeAddUsers BLOCK *********/ /* check if the user has been added then ... */ - if(!user_in_unix_group_list(pwd->pw_name, grp_name)) { - passwd_free(&pwd); + if(!user_in_unix_group(pwd->pw_name, grp_name)) { return NT_STATUS_MEMBER_NOT_IN_GROUP; /* don't know what to reply else */ } - passwd_free(&pwd); - force_flush_samr_cache(disp_info); return NT_STATUS_OK; @@ -3961,7 +3970,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE } /* if the user is not in the group */ - if (!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) { + if (!user_in_unix_group(pdb_get_username(sam_pass), grp_name)) { pdb_free_sam(&sam_pass); return NT_STATUS_MEMBER_NOT_IN_GROUP; } @@ -3983,7 +3992,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE /******** END SeAddUsers BLOCK *********/ /* check if the user has been removed then ... */ - if (user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) { + if (user_in_unix_group(pdb_get_username(sam_pass), grp_name)) { pdb_free_sam(&sam_pass); return NT_STATUS_ACCESS_DENIED; /* don't know what to reply else */ } 
@@ -4290,19 +4299,28 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S /* so far, so good */ result = NT_STATUS_OK; - - r_u->rid = pdb_gid_to_group_rid( grp->gr_gid ); - /* add the group to the mapping table */ + if (pdb_rid_algorithm()) { + r_u->rid = pdb_gid_to_group_rid( grp->gr_gid ); + } else { + if (!pdb_new_rid(&r_u->rid)) { + result = NT_STATUS_ACCESS_DENIED; + } + } + + if (NT_STATUS_IS_OK(result)) { + + /* add the group to the mapping table */ - sid_copy( &info_sid, get_global_sam_sid() ); - sid_append_rid( &info_sid, r_u->rid ); - sid_to_string( sid_string, &info_sid ); + sid_copy( &info_sid, get_global_sam_sid() ); + sid_append_rid( &info_sid, r_u->rid ); + sid_to_string( sid_string, &info_sid ); - /* reset the error code if we fail to add the mapping entry */ + /* reset the error code if we fail to add the mapping entry */ - if ( !add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL) ) - result = NT_STATUS_ACCESS_DENIED; + if ( !add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL) ) + result = NT_STATUS_ACCESS_DENIED; + } } if ( can_add_accounts ) 
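Review bot: When `pdb_new_rid(&r_u->rid)` or `add_initial_entry()` fails in _samr_create_dom_group, the function reports NT_STATUS_ACCESS_DENIED, but the Unix group referenced as `grp->gr_gid` apparently already exists at this point, so it is left behind without a mapping and `r_u->rid` is not meaningful. At minimum log the failure, e.g. `DEBUG(0, ("_samr_create_dom_group: could not allocate a RID for %s\n", name));`, and consider removing the group again on this path. The group creation itself is outside the hunk, so this is inferred from the context lines.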
@@ -4383,18 +4401,26 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S /******** END SeAddUsers BLOCK *********/ - if (!NT_STATUS_IS_OK(result)) + if (!NT_STATUS_IS_OK(result)) { + DEBUG(10, ("pdb_create_alias failed: %s\n", + nt_errstr(result))); return result; + } sid_copy(&info_sid, get_global_sam_sid()); sid_append_rid(&info_sid, r_u->rid); - if (!NT_STATUS_IS_OK(sid_to_gid(&info_sid, &gid))) + if (!sid_to_gid(&info_sid, &gid)) { + DEBUG(10, ("Could not find alias just created\n")); return NT_STATUS_ACCESS_DENIED; + } /* check if the group has been successfully created */ - if ( getgrgid(gid) == NULL ) + if ( getgrgid(gid) == NULL ) { + DEBUG(10, ("getgrgid(%d) of just created alias failed\n", + gid)); return NT_STATUS_ACCESS_DENIED; + } if ((info = get_samr_info_by_sid(&info_sid)) == NULL) return NT_STATUS_NO_MEMORY; @@ -4485,7 +4511,8 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ GROUP_MAP map; GROUP_INFO_CTR *ctr; uint32 acc_granted; - BOOL ret; + NTSTATUS ret; + BOOL result; BOOL can_mod_accounts; DISP_INFO *disp_info = NULL; @@ -4497,9 +4524,9 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ } become_root(); - ret = get_domain_group_from_sid(group_sid, &map); + result = get_domain_group_from_sid(group_sid, &map); unbecome_root(); - if (!ret) + if (!result) return NT_STATUS_NO_SUCH_GROUP; ctr=q_u->ctr; @@ -4529,11 +4556,11 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ /******** End SeAddUsers BLOCK *********/ - if (ret) { + if (NT_STATUS_IS_OK(ret)) { force_flush_samr_cache(disp_info); } - return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; + return ret; } /********************************************************************* -- cgit From 86358fc10bb02bd3069736bedb120f52fa3f6494 Mon Sep 17 00:00:00 2001 
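Review bot: The added `DEBUG(10, ("getgrgid(%d) of just created alias failed\n", gid));` prints a gid_t with `%d`, which is a format mismatch wherever gid_t is unsigned or wider than int. set_unix_primary_group() in this same file casts for the same purpose, so I would write `DEBUG(10, ("getgrgid(%lu) of just created alias failed\n", (unsigned long)gid));`. _samr_create_dom_alias continues outside the hunk.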
From: Jeremy Allison Date: Wed, 8 Feb 2006 22:16:03 +0000 Subject: r13396: Add in userinfo26, re-enable userinfo25 - took the knowledge from Samba4 on how to decode the 532 byte password buffers. Getting closer to passing samba4 RPC-SCHANNEL test. Jeremy. (This used to be commit 205db6968a26c43dec64c14d8053d8e66807086f) --- source3/rpc_server/srv_samr_nt.c | 50 +++++++++++++++++++++++++++++----------- 1 file changed, 36 insertions(+), 14 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 81344cdc1e..52f922b924 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3316,27 +3316,27 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE break; case 25: -#if 0 - /* - * Currently we don't really know how to unmarshall - * the level 25 struct, and the password encryption - * is different. This is a placeholder for when we - * do understand it. In the meantime just return INVALID - * info level and W2K SP2 drops down to level 23... JRA. - */ - if (!p->session_key.length) { r_u->status = NT_STATUS_NO_USER_SESSION_KEY; } - SamOEMhashBlob(ctr->info.id25->pass, 532, &p->session_key); + encode_or_decode_arc4_passwd_buffer(ctr->info.id25->pass, &p->session_key); dump_data(100, (char *)ctr->info.id25->pass, 532); - if (!set_user_info_pw(ctr->info.id25->pass, &sid)) + if (!set_user_info_pw(ctr->info.id25->pass, pwd)) r_u->status = NT_STATUS_ACCESS_DENIED; break; -#endif - r_u->status = NT_STATUS_INVALID_INFO_CLASS; + + case 26: + if (!p->session_key.length) { + r_u->status = NT_STATUS_NO_USER_SESSION_KEY; + } + encode_or_decode_arc4_passwd_buffer(ctr->info.id26->pass, &p->session_key); + + dump_data(100, (char *)ctr->info.id26->pass, 516); + + if (!set_user_info_pw(ctr->info.id26->pass, pwd)) + r_u->status = NT_STATUS_ACCESS_DENIED; break; case 23: 
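Review bot: In the re-enabled `case 25:` and the new `case 26:` of _samr_set_userinfo, an empty session key only sets `r_u->status = NT_STATUS_NO_USER_SESSION_KEY` and then carries on to decode the buffer and call set_user_info_pw() anyway. The guard should leave the case: `if (!p->session_key.length) { r_u->status = NT_STATUS_NO_USER_SESSION_KEY; break; }`. The new `case 23:` and `case 26:` in _samr_set_userinfo2 (hunk -3464,6 +3464,28) have the same shape and need the same change. Separately, level 25 hands set_user_info_pw() a buffer that is dumped as 532 bytes while level 26 uses 516; whether the helper copes with both sizes is not visible here.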
@@ -3432,7 +3432,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); } - DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n", + DEBUG(5, ("_samr_set_userinfo2: %s does%s possess sufficient rights\n", p->pipe_user_name, has_enough_rights ? "" : " not")); /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */ @@ -3464,6 +3464,28 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ if (!set_user_info_21(ctr->info.id21, pwd)) return NT_STATUS_ACCESS_DENIED; break; + case 23: + if (!p->session_key.length) { + r_u->status = NT_STATUS_NO_USER_SESSION_KEY; + } + SamOEMhashBlob(ctr->info.id23->pass, 516, &p->session_key); + + dump_data(100, (char *)ctr->info.id23->pass, 516); + + if (!set_user_info_23(ctr->info.id23, pwd)) + r_u->status = NT_STATUS_ACCESS_DENIED; + break; + case 26: + if (!p->session_key.length) { + r_u->status = NT_STATUS_NO_USER_SESSION_KEY; + } + encode_or_decode_arc4_passwd_buffer(ctr->info.id26->pass, &p->session_key); + + dump_data(100, (char *)ctr->info.id26->pass, 516); + + if (!set_user_info_pw(ctr->info.id26->pass, pwd)) + r_u->status = NT_STATUS_ACCESS_DENIED; + break; default: r_u->status = NT_STATUS_INVALID_INFO_CLASS; } -- cgit From cf7c47aac990f67e1829a7e4b9d3550b7e93739b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 9 Feb 2006 00:23:40 +0000 Subject: r13399: Get closer to passing RPC-SCHANNEL test. Jeremy. (This used to be commit 8ae70122b79fbe682c227ec2c4e5a72bf58d76de) --- source3/rpc_server/srv_samr_nt.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 52f922b924..bf0e2ba070 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
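Review bot: `dump_data(100, (char *)ctr->info.id23->pass, 516);` and the matching call for `id26` run after SamOEMhashBlob() / encode_or_decode_arc4_passwd_buffer() have processed the buffer, which appears to happen in place, so at debug level 100 the decoded new password would be written to the log. I would drop these calls, or move them before the decode so that only the encrypted form can be logged. The `case 25:` / `case 26:` hunk in _samr_set_userinfo (-3316,27 +3316,27) has the same ordering. _samr_set_userinfo2 starts and ends outside this hunk.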
@@ -2537,6 +2537,11 @@ NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CO was observed from a win98 client trying to enumerate users (when configured user level access control on shares) --jerry */ + if (des_access == MAXIMUM_ALLOWED_ACCESS) { + /* Map to max possible knowing we're filtered below. */ + des_access = GENERIC_ALL_ACCESS; + } + se_map_generic( &des_access, &sam_generic_mapping ); info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN); -- cgit From e83c7d0141c0726a74c7be48914e94bac7167ab1 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 10 Feb 2006 23:09:00 +0000 Subject: r13442: Implement samr_chgpasswd_user3 server-side. Guenther (This used to be commit f60eddc0a4dfe623e5f115533a62c03810fd5f38) --- source3/rpc_server/srv_samr_nt.c | 105 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 98 insertions(+), 7 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index bf0e2ba070..75a72fa028 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1462,7 +1462,7 @@ NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_ */ r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash, - q_u->nt_newpass.pass, q_u->nt_oldhash.hash); + q_u->nt_newpass.pass, q_u->nt_oldhash.hash, NULL); init_samr_r_chgpasswd_user(r_u, r_u->status); 
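Review bot: `if (des_access == MAXIMUM_ALLOWED_ACCESS)` in _samr_connect_anon only matches a request that sets that value and nothing else, so a client that combines it with other access bits skips the mapping. If MAXIMUM_ALLOWED_ACCESS is a single flag bit, as its name suggests, and that is not intended, test the bit instead: `if (des_access & MAXIMUM_ALLOWED_ACCESS)`. The new comment could also name the filter it relies on, i.e. the `SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN` mask applied to `info->acc_granted` just below, since that mask is what keeps the anonymous grant bounded.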
@@ -1471,6 +1471,97 @@ NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_ return r_u->status; } +/******************************************************************* + _samr_chgpasswd_user3 + ********************************************************************/ + +NTSTATUS _samr_chgpasswd_user3(pipes_struct *p, SAMR_Q_CHGPASSWD_USER3 *q_u, SAMR_R_CHGPASSWD_USER3 *r_u) +{ + fstring user_name; + fstring wks; + uint32 reject_reason; + SAM_UNK_INFO_1 *info = NULL; + SAMR_CHANGE_REJECT *reject = NULL; + + DEBUG(5,("_samr_chgpasswd_user3: %d\n", __LINE__)); + + rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0); + rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len*2,0); + + DEBUG(5,("_samr_chgpasswd_user3: user: %s wks: %s\n", user_name, wks)); + + /* + * Pass the user through the NT -> unix user mapping + * function. + */ + + (void)map_username(user_name); + + /* + * UNIX username case mangling not required, pass_oem_change + * is case insensitive. + */ + + r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash, + q_u->nt_newpass.pass, q_u->nt_oldhash.hash, &reject_reason); + + if (NT_STATUS_EQUAL(r_u->status, NT_STATUS_PASSWORD_RESTRICTION)) { + + uint32 min_pass_len,pass_hist,password_properties; + time_t u_expire, u_min_age; + NTTIME nt_expire, nt_min_age; + uint32 account_policy_temp; + + if ((info = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_INFO_1)) == NULL) { + return NT_STATUS_NO_MEMORY; + } + + if ((reject = TALLOC_ZERO_P(p->mem_ctx, SAMR_CHANGE_REJECT)) == NULL) { + return NT_STATUS_NO_MEMORY; + } + + ZERO_STRUCTP(info); + ZERO_STRUCTP(reject); + + become_root(); + + /* AS ROOT !!! 
*/ + + pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp); + min_pass_len = account_policy_temp; + + pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp); + pass_hist = account_policy_temp; + + pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); + password_properties = account_policy_temp; + + pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp); + u_expire = account_policy_temp; + + pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp); + u_min_age = account_policy_temp; + + /* !AS ROOT */ + + unbecome_root(); + + unix_to_nt_time_abs(&nt_expire, u_expire); + unix_to_nt_time_abs(&nt_min_age, u_min_age); + + init_unk_info1(info, (uint16)min_pass_len, (uint16)pass_hist, + password_properties, nt_expire, nt_min_age); + + reject->reject_reason = reject_reason; + } + + init_samr_r_chgpasswd_user3(r_u, r_u->status, reject, info); + + DEBUG(5,("_samr_chgpasswd_user3: %d\n", __LINE__)); + + return r_u->status; +} + /******************************************************************* makes a SAMR_R_LOOKUP_RIDS structure. ********************************************************************/ @@ -2090,7 +2181,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA { struct samr_info *info = NULL; SAM_UNK_CTR *ctr; - uint32 min_pass_len,pass_hist,flag; + uint32 min_pass_len,pass_hist,password_properties; time_t u_expire, u_min_age; NTTIME nt_expire, nt_min_age; @@ -2136,7 +2227,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA pass_hist = account_policy_temp; pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); - flag = account_policy_temp; + password_properties = account_policy_temp; pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp); u_expire = account_policy_temp; 
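Review bot: `uint32 reject_reason;` in _samr_chgpasswd_user3 is never initialised, yet it is copied into `reject->reject_reason` whenever pass_oem_change() returns NT_STATUS_PASSWORD_RESTRICTION. Unless pass_oem_change() writes it on every such path (not visible here), the reply can carry uninitialised stack contents to the client; give it a defined start value, `uint32 reject_reason = 0;`, or the REJECT_REASON_OTHER value the follow-up commit mentions. That follow-up (hunk -1505,7 +1505,8) widens the condition to NT_STATUS_ACCOUNT_RESTRICTION, which makes an unset value more likely. The five pdb_get_account_policy() results are likewise unchecked, so `account_policy_temp` should also start at 0.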
@@ -2152,7 +2243,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA unix_to_nt_time_abs(&nt_min_age, u_min_age); init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist, - flag, nt_expire, nt_min_age); + password_properties, nt_expire, nt_min_age); break; case 0x02: @@ -4815,7 +4906,7 @@ NTSTATUS _samr_query_domain_info2(pipes_struct *p, { struct samr_info *info = NULL; SAM_UNK_CTR *ctr; - uint32 min_pass_len,pass_hist,flag; + uint32 min_pass_len,pass_hist,password_properties; time_t u_expire, u_min_age; NTTIME nt_expire, nt_min_age; @@ -4855,7 +4946,7 @@ NTSTATUS _samr_query_domain_info2(pipes_struct *p, pass_hist = account_policy_temp; pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); - flag = account_policy_temp; + password_properties = account_policy_temp; pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp); u_expire = account_policy_temp; @@ -4867,7 +4958,7 @@ NTSTATUS _samr_query_domain_info2(pipes_struct *p, unix_to_nt_time_abs(&nt_min_age, u_min_age); init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist, - flag, nt_expire, nt_min_age); + password_properties, nt_expire, nt_min_age); break; case 0x02: become_root(); -- cgit From 72b30eba6463cd4479b4f2c5076209bf77e4fc57 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 10 Feb 2006 23:41:41 +0000 Subject: r13444: Add REJECT_REASON_OTHER for samr_chgpasswd_user3 Guenther (This used to be commit 58baf718be90d750f51cf51a25714fcdcd5679b7) --- source3/rpc_server/srv_samr_nt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 75a72fa028..b3be0cccc1 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1505,7 +1505,8 @@ NTSTATUS _samr_chgpasswd_user3(pipes_struct *p, SAMR_Q_CHGPASSWD_USER3 *q_u, SAM r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash, q_u->nt_newpass.pass, q_u->nt_oldhash.hash, &reject_reason); - if (NT_STATUS_EQUAL(r_u->status, NT_STATUS_PASSWORD_RESTRICTION)) { + if (NT_STATUS_EQUAL(r_u->status, NT_STATUS_PASSWORD_RESTRICTION) || + NT_STATUS_EQUAL(r_u->status, NT_STATUS_ACCOUNT_RESTRICTION)) { uint32 min_pass_len,pass_hist,password_properties; time_t u_expire, u_min_age; -- cgit From 301d51e13a1aa4e633e2da161b0dd260a8a499cd Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 13 Feb 2006 17:08:25 +0000 Subject: r13494: Merge the stuff I've done in head the last days. Volker (This used to be commit bb40e544de68f01a6e774753f508e69373b39899) --- source3/rpc_server/srv_samr_nt.c | 527 ++++++++------------------------------- 1 file changed, 103 insertions(+), 424 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b3be0cccc1..133178bd0d 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2410,18 +2410,13 @@ static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name) NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREATE_USER *r_u) { - SAM_ACCOUNT *sam_pass=NULL; - fstring account; + char *account; DOM_SID sid; - pstring add_script; POLICY_HND dom_pol = q_u->domain_pol; - UNISTR2 user_account = q_u->uni_name; uint16 acb_info = q_u->acb_info; POLICY_HND *user_pol = &r_u->user_pol; struct samr_info *info = NULL; - BOOL ret; NTSTATUS nt_status; - struct passwd *pw; uint32 acc_granted; SEC_DESC *psd; size_t sd_size; 
@@ -2450,33 +2445,20 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, return NT_STATUS_INVALID_PARAMETER; } - rpcstr_pull(account, user_account.buffer, sizeof(account), - user_account.uni_str_len*2, 0); - strlower_m(account); + account = rpcstr_pull_unistr2_talloc(p->mem_ctx, &q_u->uni_name); + if (account == NULL) { + return NT_STATUS_NO_MEMORY; + } nt_status = can_create(p->mem_ctx, account); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } - /********************************************************************* - * HEADS UP! If we have to create a new user account, we have to get - * a new RID from somewhere. This used to be done by the passdb - * backend. It has been moved into idmap now. Since idmap is now - * wrapped up behind winbind, this means you have to run winbindd if - * you want new accounts to get a new RID when "enable rid algorithm = - * no". Tough. We now have a uniform way of allocating RIDs - * regardless of what ever passdb backend people may use. --jerry - * (2003-07-10) - *********************************************************************/ - - pw = Get_Pwnam(account); - /* determine which user right we need to check based on the acb_info */ if ( acb_info & ACB_WSTRUST ) { - pstrcpy(add_script, lp_addmachine_script()); se_priv_copy( &se_rights, &se_machine_account ); can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); @@ -2486,7 +2468,6 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, else if ( acb_info & ACB_NORMAL && (account[strlen(account)-1] != '$') ) { - pstrcpy(add_script, lp_adduser_script()); se_priv_copy( &se_rights, &se_add_users ); can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); 
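Review bot: The switch to `rpcstr_pull_unistr2_talloc()` also drops the `strlower_m(account);` call, so can_create() and the later pdb_create_user() now receive the account name in whatever case the client sent. If the duplicate check in can_create() or the passdb backend compares names case-sensitively (not visible here), this can admit accounts that differ only by case. Either keep the lower-casing on the talloc'd string or add a comment saying where normalisation now happens. _samr_create_user starts and ends outside this hunk.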
@@ -2494,7 +2475,6 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, else /* implicit assumption of a BDC or domain trust account here * (we already check the flags earlier) */ { - pstrcpy(add_script, lp_addmachine_script()); if ( lp_enable_privileges() ) { /* only Domain Admins can add a BDC or domain trust */ se_priv_copy( &se_rights, &se_priv_none ); @@ -2512,40 +2492,9 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, if ( can_add_account ) become_root(); - if ( !pw ) { - if (*add_script) { - int add_ret; - - all_string_sub(add_script, "%u", account, - sizeof(add_script)); - add_ret = smbrun(add_script,NULL); - DEBUG(add_ret ? 0 : 3,("_samr_create_user: Running " - "the command `%s' gave %d\n", - add_script, add_ret)); - } - } - - /* implicit call to getpwnam() next. we have a valid SID coming out - * of this call */ + nt_status = pdb_create_user(p->mem_ctx, account, acb_info, + &r_u->user_rid); - flush_pwnam_cache(); - nt_status = pdb_init_sam_new(&sam_pass, account); - - /* this code is order such that we have no unnecessary retuns - out of the admin block of code */ - - if ( NT_STATUS_IS_OK(nt_status) ) { - pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED); - - if ( !(ret = pdb_add_sam_account(sam_pass)) ) { - pdb_free_sam(&sam_pass); - DEBUG(0, ("could not add user/computer %s to passdb. " - "Check permissions?\n", - account)); - nt_status = NT_STATUS_ACCESS_DENIED; - } - } - if ( can_add_account ) unbecome_root(); @@ -2557,8 +2506,8 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, return nt_status; /* Get the user's SID */ - - sid_copy(&sid, pdb_get_user_sid(sam_pass)); + + sid_compose(&sid, get_global_sam_sid(), r_u->user_rid); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW); 
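Review bot: A failed account creation is no longer logged in _samr_create_user: the removed block carried the only `DEBUG(0, ...)` for this path, and the new `pdb_create_user()` call has none. Since this runs inside the become_root() section on a client-supplied name and `acb_info`, a trace of the failure is worth keeping, in the same form the commit uses for _samr_delete_dom_user: `DEBUG(5, ("_samr_create_user: pdb_create_user(%s) failed: %s\n", account, nt_errstr(nt_status)));` placed after `unbecome_root()` and guarded by `!NT_STATUS_IS_OK(nt_status)`. The function body starts and ends outside these hunks.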
@@ -2574,7 +2523,6 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, /* associate the user's SID with the new handle. */ if ((info = get_samr_info_by_sid(&sid)) == NULL) { - pdb_free_sam(&sam_pass); return NT_STATUS_NO_MEMORY; } @@ -2584,19 +2532,14 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) { - pdb_free_sam(&sam_pass); return NT_STATUS_OBJECT_NAME_NOT_FOUND; } /* After a "set" ensure we have no cached display info. */ force_flush_samr_cache(info->disp_info); - r_u->user_rid=pdb_get_user_rid(sam_pass); - r_u->access_granted = acc_granted; - pdb_free_sam(&sam_pass); - return NT_STATUS_OK; } @@ -3097,41 +3040,6 @@ static BOOL set_user_info_18(SAM_USER_INFO_18 *id18, SAM_ACCOUNT *pwd) return True; } -/******************************************************************* - The GROUPSID field in the SAM_ACCOUNT changed. Try to tell unix. - ********************************************************************/ -static BOOL set_unix_primary_group(SAM_ACCOUNT *sampass) -{ - struct group *grp; - gid_t gid; - - if (!sid_to_gid(pdb_get_group_sid(sampass), &gid)) { - DEBUG(2,("Could not get gid for primary group of " - "user %s\n", pdb_get_username(sampass))); - return False; - } - - grp = getgrgid(gid); - - if (grp == NULL) { - DEBUG(2,("Could not find primary group %lu for " - "user %s\n", (unsigned long)gid, - pdb_get_username(sampass))); - return False; - } - - if (smb_set_primary_group(grp->gr_name, - pdb_get_username(sampass)) != 0) { - DEBUG(2,("Could not set primary group for user %s to " - "%s\n", - pdb_get_username(sampass), grp->gr_name)); - return False; - } - - return True; -} - - /******************************************************************* set_user_info_20 ********************************************************************/ 
@@ -3159,12 +3067,14 @@ static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, SAM_ACCOUNT *pwd) set_user_info_21 ********************************************************************/ -static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, SAM_ACCOUNT *pwd) +static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, + SAM_ACCOUNT *pwd) { - + NTSTATUS status; + if (id21 == NULL) { DEBUG(5, ("set_user_info_21: NULL id21\n")); - return False; + return NT_STATUS_INVALID_PARAMETER; } copy_id21_to_sam_passwd(pwd, id21); @@ -3176,33 +3086,38 @@ static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, SAM_ACCOUNT *pwd) * id21. I don't know if they need to be set. --jerry */ - if (IS_SAM_CHANGED(pwd, PDB_GROUPSID)) - set_unix_primary_group(pwd); + if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) && + !NT_STATUS_IS_OK(status = pdb_set_unix_primary_group(mem_ctx, + pwd))) { + return status; + } /* write the change out */ - if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { + if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) { pdb_free_sam(&pwd); - return False; + return status; } pdb_free_sam(&pwd); - return True; + return NT_STATUS_OK; } /******************************************************************* set_user_info_23 ********************************************************************/ -static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, SAM_ACCOUNT *pwd) +static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, + SAM_ACCOUNT *pwd) { pstring plaintext_buf; uint32 len; uint16 acct_ctrl; + NTSTATUS status; if (id23 == NULL) { DEBUG(5, ("set_user_info_23: NULL id23\n")); - return False; + return NT_STATUS_INVALID_PARAMETER; } DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n", 
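Review bot: The new `pdb_set_unix_primary_group()` failure branch in set_user_info_21 returns `status` without releasing `pwd`, while every other exit after `copy_id21_to_sam_passwd()` calls `pdb_free_sam(&pwd)` and set_user_info_23 frees on the same failure. Add `pdb_free_sam(&pwd);` before `return status;` so the account object does not outlive the call on this path. The `id21 == NULL` return has the same gap and could be fixed in the same change.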
@@ -3212,12 +3127,12 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, SAM_ACCOUNT *pwd) if (!decode_pw_buffer(id23->pass, plaintext_buf, 256, &len, STR_UNICODE)) { pdb_free_sam(&pwd); - return False; + return NT_STATUS_INVALID_PARAMETER; } if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) { pdb_free_sam(&pwd); - return False; + return NT_STATUS_ACCESS_DENIED; } copy_id23_to_sam_passwd(pwd, id23); @@ -3237,24 +3152,28 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, SAM_ACCOUNT *pwd) if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) { pdb_free_sam(&pwd); - return False; + return NT_STATUS_ACCESS_DENIED; } } } ZERO_STRUCT(plaintext_buf); - if (IS_SAM_CHANGED(pwd, PDB_GROUPSID)) - set_unix_primary_group(pwd); + if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) && + (!NT_STATUS_IS_OK(status = pdb_set_unix_primary_group(mem_ctx, + pwd)))) { + pdb_free_sam(&pwd); + return status; + } - if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { + if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) { pdb_free_sam(&pwd); - return False; + return status; } pdb_free_sam(&pwd); - return True; + return NT_STATUS_OK; } /******************************************************************* @@ -3444,8 +3363,8 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE dump_data(100, (char *)ctr->info.id23->pass, 516); - if (!set_user_info_23(ctr->info.id23, pwd)) - r_u->status = NT_STATUS_ACCESS_DENIED; + r_u->status = set_user_info_23(p->mem_ctx, + ctr->info.id23, pwd); break; default: @@ -3558,8 +3477,8 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ r_u->status = NT_STATUS_ACCESS_DENIED; break; case 21: - if (!set_user_info_21(ctr->info.id21, pwd)) - return NT_STATUS_ACCESS_DENIED; + r_u->status = set_user_info_21(p->mem_ctx, + ctr->info.id21, pwd); break; case 23: if (!p->session_key.length) { 
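Review bot: The two `NT_STATUS_ACCESS_DENIED` returns in set_user_info_23 (after `pdb_set_plaintext_passwd()` and after `chgpasswd()`) leave the decoded cleartext password in `plaintext_buf` on the stack, because `ZERO_STRUCT(plaintext_buf)` is reached only when both calls succeed. Put `ZERO_STRUCT(plaintext_buf);` before `pdb_free_sam(&pwd);` in both branches. The later hunks that swap `pdb_free_sam` for `TALLOC_FREE` in this function touch the same branches and keep the gap. If ZERO_STRUCT is a plain memset, a compiler may drop the store to a buffer that is about to go out of scope, so a wipe helper that cannot be elided is worth considering. The function begins outside the hunk.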
@@ -3569,8 +3488,8 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ dump_data(100, (char *)ctr->info.id23->pass, 516); - if (!set_user_info_23(ctr->info.id23, pwd)) - r_u->status = NT_STATUS_ACCESS_DENIED; + r_u->status = set_user_info_23(p->mem_ctx, + ctr->info.id23, pwd); break; case 26: if (!p->session_key.length) { @@ -3713,70 +3632,6 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ return NT_STATUS_OK; } -static void add_uid_to_array_unique(uid_t uid, uid_t **uids, int *num) -{ - int i; - - for (i=0; i<*num; i++) { - if ((*uids)[i] == uid) - return; - } - - *uids = SMB_REALLOC_ARRAY(*uids, uid_t, *num+1); - - if (*uids == NULL) - return; - - (*uids)[*num] = uid; - *num += 1; -} - - -static BOOL get_memberuids(gid_t gid, uid_t **uids, int *num) -{ - struct group *grp; - char **gr; - struct sys_pwent *userlist, *user; - - *uids = NULL; - *num = 0; - - /* We only look at our own sam, so don't care about imported stuff */ - - winbind_off(); - - if ((grp = getgrgid(gid)) == NULL) { - winbind_on(); - return False; - } - - /* Primary group members */ - - userlist = getpwent_list(); - - for (user = userlist; user != NULL; user = user->next) { - if (user->pw_gid != gid) - continue; - add_uid_to_array_unique(user->pw_uid, uids, num); - } - - pwent_free(userlist); - - /* Secondary group members */ - - for (gr = grp->gr_mem; (*gr != NULL) && ((*gr)[0] != '\0'); gr += 1) { - struct passwd *pw = getpwnam(*gr); - - if (pw == NULL) - continue; - add_uid_to_array_unique(pw->pw_uid, uids, num); - } - - winbind_on(); - - return True; -} - /********************************************************************* _samr_query_groupmem *********************************************************************/ 
@@ -3931,16 +3786,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_ADD_GROUPMEM *r_u) { DOM_SID group_sid; - DOM_SID user_sid; - fstring group_sid_str; - uid_t uid; - struct passwd *pwd; - struct group *grp; - fstring grp_name; - GROUP_MAP map; - NTSTATUS ret; - SAM_ACCOUNT *sam_user=NULL; - BOOL check; + uint32 group_rid; uint32 acc_granted; SE_PRIV se_rights; BOOL can_add_accounts; 
@@ -3954,53 +3800,11 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD return r_u->status; } - sid_to_string(group_sid_str, &group_sid); - DEBUG(10, ("sid is %s\n", group_sid_str)); - - if (sid_compare(&group_sid, get_global_sam_sid())<=0) - return NT_STATUS_NO_SUCH_GROUP; - - DEBUG(10, ("lookup on Domain SID\n")); - - if(!get_domain_group_from_sid(group_sid, &map)) - return NT_STATUS_NO_SUCH_GROUP; - - sid_copy(&user_sid, get_global_sam_sid()); - sid_append_rid(&user_sid, q_u->rid); - - ret = pdb_init_sam(&sam_user); - if (!NT_STATUS_IS_OK(ret)) - return ret; - - check = pdb_getsampwsid(sam_user, &user_sid); - - if (check != True) { - pdb_free_sam(&sam_user); - return NT_STATUS_NO_SUCH_USER; - } + DEBUG(10, ("sid is %s\n", sid_string_static(&group_sid))); - /* check a real user exist before we run the script to add a user to a group */ - if (!sid_to_uid(pdb_get_user_sid(sam_user), &uid)) { - pdb_free_sam(&sam_user); - return NT_STATUS_NO_SUCH_USER; - } - - pdb_free_sam(&sam_user); - - if ((pwd=getpwuid_alloc(p->mem_ctx, uid)) == NULL) { - return NT_STATUS_NO_SUCH_USER; - } - - if ((grp=getgrgid(map.gid)) == NULL) { - return NT_STATUS_NO_SUCH_GROUP; - } - - /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */ - fstrcpy(grp_name, grp->gr_name); - - /* if the user is already in the group */ - if(user_in_unix_group(pwd->pw_name, grp_name)) { - return NT_STATUS_MEMBER_IN_GROUP; + if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid, + &group_rid)) { + return NT_STATUS_INVALID_HANDLE; } se_priv_copy( &se_rights, &se_add_users ); 
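Review bot: A group SID outside the local domain now yields `NT_STATUS_INVALID_HANDLE` in _samr_add_groupmem, and the same in _samr_del_groupmem, while _samr_delete_dom_group in this commit returns `NT_STATUS_NO_SUCH_GROUP` for the identical `sid_peek_check_rid()` failure, as the removed code did here. Use `return NT_STATUS_NO_SUCH_GROUP;` in both member functions so clients see one error for one condition. The removed user-exists and already-a-member checks are now delegated to `pdb_add_groupmem()` and `pdb_del_groupmem()`; a short comment saying so would record that the RID in `q_u->rid` is validated by the backend and not here.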
@@ -4010,28 +3814,17 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD if ( can_add_accounts ) become_root(); - - /* - * ok, the group exist, the user exist, the user is not in the group, - * - * we can (finally) add it to the group ! - */ - - smb_add_user_group(grp_name, pwd->pw_name); + r_u->status = pdb_add_groupmem(p->mem_ctx, group_rid, q_u->rid); + if ( can_add_accounts ) unbecome_root(); /******** END SeAddUsers BLOCK *********/ - /* check if the user has been added then ... */ - if(!user_in_unix_group(pwd->pw_name, grp_name)) { - return NT_STATUS_MEMBER_NOT_IN_GROUP; /* don't know what to reply else */ - } - force_flush_samr_cache(disp_info); - return NT_STATUS_OK; + return r_u->status; } /********************************************************************* @@ -4041,11 +3834,7 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DEL_GROUPMEM *r_u) { DOM_SID group_sid; - DOM_SID user_sid; - SAM_ACCOUNT *sam_pass=NULL; - GROUP_MAP map; - fstring grp_name; - struct group *grp; + uint32 group_rid; uint32 acc_granted; SE_PRIV se_rights; BOOL can_add_accounts; 
@@ -4064,36 +3853,11 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_REMOVE_MEMBER, "_samr_del_groupmem"))) { return r_u->status; } - - if (!sid_check_is_in_our_domain(&group_sid)) - return NT_STATUS_NO_SUCH_GROUP; - - sid_copy(&user_sid, get_global_sam_sid()); - sid_append_rid(&user_sid, q_u->rid); - - if (!get_domain_group_from_sid(group_sid, &map)) - return NT_STATUS_NO_SUCH_GROUP; - - if ((grp=getgrgid(map.gid)) == NULL) - return NT_STATUS_NO_SUCH_GROUP; - - /* we need to copy the name otherwise it's overloaded in user_in_group_list */ - fstrcpy(grp_name, grp->gr_name); - - /* check if the user exists before trying to remove it from the group */ - pdb_init_sam(&sam_pass); - if (!pdb_getsampwsid(sam_pass, &user_sid)) { - DEBUG(5,("User %s doesn't exist.\n", pdb_get_username(sam_pass))); - pdb_free_sam(&sam_pass); - return NT_STATUS_NO_SUCH_USER; - } - /* if the user is not in the group */ - if (!user_in_unix_group(pdb_get_username(sam_pass), grp_name)) { - pdb_free_sam(&sam_pass); - return NT_STATUS_MEMBER_NOT_IN_GROUP; + if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid, + &group_rid)) { + return NT_STATUS_INVALID_HANDLE; } - se_priv_copy( &se_rights, &se_add_users ); can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); 
@@ -4103,45 +3867,16 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE if ( can_add_accounts ) become_root(); - smb_delete_user_group(grp_name, pdb_get_username(sam_pass)); + r_u->status = pdb_del_groupmem(p->mem_ctx, group_rid, q_u->rid); if ( can_add_accounts ) unbecome_root(); /******** END SeAddUsers BLOCK *********/ - /* check if the user has been removed then ... */ - if (user_in_unix_group(pdb_get_username(sam_pass), grp_name)) { - pdb_free_sam(&sam_pass); - return NT_STATUS_ACCESS_DENIED; /* don't know what to reply else */ - } - - pdb_free_sam(&sam_pass); - force_flush_samr_cache(disp_info); - return NT_STATUS_OK; - -} - -/**************************************************************************** - Delete a UNIX user on demand. -****************************************************************************/ - -static int smb_delete_user(const char *unix_user) -{ - pstring del_script; - int ret; - - pstrcpy(del_script, lp_deluser_script()); - if (! *del_script) - return -1; - all_string_sub(del_script, "%u", unix_user, sizeof(del_script)); - ret = smbrun(del_script,NULL); - flush_pwnam_cache(); - DEBUG(ret ? 0 : 3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret)); - - return ret; + return r_u->status; } /********************************************************************* @@ -4154,7 +3889,6 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM SAM_ACCOUNT *sam_pass=NULL; uint32 acc_granted; BOOL can_add_accounts; - BOOL ret; DISP_INFO *disp_info = NULL; DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__)); 
@@ -4186,29 +3920,19 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM if ( can_add_accounts ) become_root(); - /* First delete the samba side.... - code is order to prevent unnecessary returns out of the admin - block of code */ - - if ( (ret = pdb_delete_sam_account(sam_pass)) == True ) { - /* - * Now delete the unix side .... - * note: we don't check if the delete really happened - * as the script is not necessary present - * and maybe the sysadmin doesn't want to delete the unix side - */ - smb_delete_user( pdb_get_username(sam_pass) ); - } - + r_u->status = pdb_delete_user(p->mem_ctx, sam_pass); + if ( can_add_accounts ) unbecome_root(); /******** END SeAddUsers BLOCK *********/ - if ( !ret ) { - DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", pdb_get_username(sam_pass))); + if ( !NT_STATUS_IS_OK(r_u->status) ) { + DEBUG(5,("_samr_delete_dom_user: Failed to delete entry for " + "user %s: %s.\n", pdb_get_username(sam_pass), + nt_errstr(r_u->status))); pdb_free_sam(&sam_pass); - return NT_STATUS_CANNOT_DELETE; + return r_u->status; } @@ -4229,16 +3953,10 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, SAMR_R_DELETE_DOM_GROUP *r_u) { DOM_SID group_sid; - DOM_SID dom_sid; uint32 group_rid; - fstring group_sid_str; - gid_t gid; - struct group *grp; - GROUP_MAP map; uint32 acc_granted; SE_PRIV se_rights; BOOL can_add_accounts; - BOOL ret; DISP_INFO *disp_info = NULL; DEBUG(5, ("samr_delete_dom_group: %d\n", __LINE__)); 
@@ -4250,27 +3968,13 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_group"))) { return r_u->status; } - - sid_copy(&dom_sid, &group_sid); - sid_to_string(group_sid_str, &dom_sid); - sid_split_rid(&dom_sid, &group_rid); - DEBUG(10, ("sid is %s\n", group_sid_str)); + DEBUG(10, ("sid is %s\n", sid_string_static(&group_sid))); - /* we check if it's our SID before deleting */ - if (!sid_equal(&dom_sid, get_global_sam_sid())) - return NT_STATUS_NO_SUCH_GROUP; - - DEBUG(10, ("lookup on Domain SID\n")); - - if(!get_domain_group_from_sid(group_sid, &map)) - return NT_STATUS_NO_SUCH_GROUP; - - gid=map.gid; - - /* check if group really exists */ - if ( (grp=getgrgid(gid)) == NULL) + if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid, + &group_rid)) { return NT_STATUS_NO_SUCH_GROUP; + } se_priv_copy( &se_rights, &se_add_users ); can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); 
@@ -4280,26 +3984,21 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S if ( can_add_accounts ) become_root(); - /* delete mapping first */ - - if ( (ret = pdb_delete_group_mapping_entry(group_sid)) == True ) { - smb_delete_group( grp->gr_name ); - } + r_u->status = pdb_delete_dom_group(p->mem_ctx, group_rid); if ( can_add_accounts ) unbecome_root(); /******** END SeAddUsers BLOCK *********/ - if ( !ret ) { - DEBUG(5,("_samr_delete_dom_group: Failed to delete mapping entry for group %s.\n", - group_sid_str)); - return NT_STATUS_ACCESS_DENIED; + if ( !NT_STATUS_IS_OK(r_u->status) ) { + DEBUG(5,("_samr_delete_dom_group: Failed to delete mapping " + "entry for group %s: %s\n", + sid_string_static(&group_sid), + nt_errstr(r_u->status))); + return r_u->status; } - /* don't check that the unix group has been deleted. Work like - _samr_delet_dom_user() */ - if (!close_policy_hnd(p, &q_u->group_pol)) return NT_STATUS_OBJECT_NAME_INVALID; @@ -4373,15 +4072,11 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S { DOM_SID dom_sid; DOM_SID info_sid; - fstring name; - fstring sid_string; - struct group *grp; + const char *name; struct samr_info *info; uint32 acc_granted; - gid_t gid; SE_PRIV se_rights; BOOL can_add_accounts; - NTSTATUS result; DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ @@ -4395,7 +4090,10 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S if (!sid_equal(&dom_sid, get_global_sam_sid())) return NT_STATUS_ACCESS_DENIED; - unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1); + name = rpcstr_pull_unistr2_talloc(p->mem_ctx, &q_u->uni_acct_desc); + if (name == NULL) { + return NT_STATUS_NO_MEMORY; + } r_u->status = can_create(p->mem_ctx, name); if (!NT_STATUS_IS_OK(r_u->status)) { 
@@ -4412,35 +4110,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S /* check that we successfully create the UNIX group */ - result = NT_STATUS_ACCESS_DENIED; - if ( (smb_create_group(name, &gid) == 0) && ((grp=getgrgid(gid)) != NULL) ) { - - /* so far, so good */ - - result = NT_STATUS_OK; - - if (pdb_rid_algorithm()) { - r_u->rid = pdb_gid_to_group_rid( grp->gr_gid ); - } else { - if (!pdb_new_rid(&r_u->rid)) { - result = NT_STATUS_ACCESS_DENIED; - } - } - - if (NT_STATUS_IS_OK(result)) { - - /* add the group to the mapping table */ - - sid_copy( &info_sid, get_global_sam_sid() ); - sid_append_rid( &info_sid, r_u->rid ); - sid_to_string( sid_string, &info_sid ); - - /* reset the error code if we fail to add the mapping entry */ - - if ( !add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL) ) - result = NT_STATUS_ACCESS_DENIED; - } - } + r_u->status = pdb_create_dom_group(p->mem_ctx, name, &r_u->rid); if ( can_add_accounts ) unbecome_root(); @@ -4449,13 +4119,14 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S /* check if we should bail out here */ - if ( !NT_STATUS_IS_OK(result) ) - return result; + if ( !NT_STATUS_IS_OK(r_u->status) ) + return r_u->status; + + sid_compose(&info_sid, get_global_sam_sid(), r_u->rid); if ((info = get_samr_info_by_sid(&info_sid)) == NULL) return NT_STATUS_NO_MEMORY; - /* they created it; let the user do what he wants with it */ info->acc_granted = GENERIC_RIGHTS_GROUP_ALL_ACCESS; @@ -4568,9 +4239,6 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM { DOM_SID group_sid; GROUP_MAP map; - DOM_SID *sids=NULL; - uid_t *uids; - int num=0; GROUP_INFO_CTR *ctr; uint32 acc_granted; BOOL ret; 
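Review bot: The retained comment `/* check that we successfully create the UNIX group */` no longer describes the line below it, since the UNIX-side creation and the mapping entry are now hidden behind `pdb_create_dom_group()`. Replace it with something like `/* create the group via the passdb backend; r_u->rid receives the new RID */`. The function body starts and ends outside this hunk.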
@@ -4593,14 +4261,25 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM return NT_STATUS_NO_MEMORY; switch (q_u->switch_level) { - case 1: + case 1: { + uint32 *members; + size_t num_members; + ctr->switch_value1 = 1; - if(!get_memberuids(map.gid, &uids, &num)) - return NT_STATUS_NO_SUCH_GROUP; - SAFE_FREE(uids); - init_samr_group_info1(&ctr->group.info1, map.nt_name, map.comment, num); - SAFE_FREE(sids); + + become_root(); + r_u->status = pdb_enum_group_members( + p->mem_ctx, &group_sid, &members, &num_members); + unbecome_root(); + + if (!NT_STATUS_IS_OK(r_u->status)) { + return r_u->status; + } + + init_samr_group_info1(&ctr->group.info1, map.nt_name, + map.comment, num_members); break; + } case 3: ctr->switch_value1 = 3; init_samr_group_info3(&ctr->group.info3); -- cgit From 87d23f263fdc370afcb2a1a45889514a57e2cedd Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 15 Feb 2006 18:24:16 +0000 Subject: r13511: Fix bug in the samr dispinfo enumeration code. Make sure to associate the DOMAIN dispinfo cache with a User/Group SAMR handle (not the SID of the user or group). Ensure that enumeration after deleting a user works. (This used to be commit 7967f89caa17ea93cb7e9d8695f1904ccb9a2864) --- source3/rpc_server/srv_samr_nt.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 133178bd0d..bc73c9ef87 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
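Review bot: The new `case 1` branch enters `become_root()` unconditionally, so the member enumeration runs as root for every caller that reaches the switch. The access check that is meant to gate this lies outside the hunk and should be confirmed to run before it. A comment such as `/* membership lookup needs root; the handle's access mask was checked above */` would make that dependency explicit. `members` is fetched only for its count, and `num_members` is a `size_t` passed to `init_samr_group_info1()`, whose parameter type is not visible here; if it is a 32-bit field, an explicit cast documents the narrowing.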
@@ -252,6 +252,17 @@ static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid, const char *sid_str) TALLOC_CTX *mem_ctx; DISP_INFO *dpi; + /* There are two cases to consider here: + 1) The SID is a domain SID and we look for an equality match, or + 2) This is an account SID and so we return the DISP_INFO* for our + domain */ + + if ( psid && sid_check_is_in_our_domain( psid ) ) { + DEBUG(10,("get_samr_dispinfo_by_sid: Replacing %s with our domain SID\n", + sid_str)); + psid = get_global_sam_sid(); + } + for (dpi = disp_info_list; dpi; dpi = dpi->next) { if (sid_equal(psid, &dpi->sid)) { return dpi; -- cgit From 2203bed32c84c63737f402accf73452efb76b483 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 20 Feb 2006 20:09:36 +0000 Subject: r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0) --- source3/rpc_server/srv_samr_nt.c | 124 +++++++++++++++++++-------------------- 1 file changed, 62 insertions(+), 62 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index bc73c9ef87..f9a28f1272 100644 
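Review bot: The new guard treats `psid` as possibly NULL (`psid && sid_check_is_in_our_domain(psid)`), but the loop directly below still passes it to `sid_equal(psid, &dpi->sid)` unconditionally. Either a NULL `psid` cannot happen and the test is dead, or the loop needs the same protection; whether `sid_equal()` tolerates NULL is not visible here. After the substitution `sid_str` still names the original account SID, so if the code below the hunk uses it to label or key a new DISP_INFO it will disagree with `psid`. A comment stating which of the two the caller should expect would settle both points. The function continues outside the hunk.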
--- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -470,7 +470,7 @@ static void force_flush_samr_cache(DISP_INFO *disp_info) Ensure password info is never given out. Paranioa... JRA. ********************************************************************/ -static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass) +static void samr_clear_sam_passwd(struct samu *sam_pass) { if (!sam_pass) @@ -1667,7 +1667,7 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USER *r_u) { - SAM_ACCOUNT *sampass=NULL; + struct samu *sampass=NULL; DOM_SID sid; POLICY_HND domain_pol = q_u->domain_pol; POLICY_HND *user_pol = &r_u->user_pol; @@ -1727,7 +1727,7 @@ NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USE return NT_STATUS_NO_SUCH_USER; } - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); /* associate the user's SID and access bits with the new handle. */ if ((info = get_samr_info_by_sid(&sid)) == NULL) @@ -1747,7 +1747,7 @@ NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USE static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_SID *user_sid) { - SAM_ACCOUNT *smbpass=NULL; + struct samu *smbpass=NULL; BOOL ret; NTSTATUS nt_status; @@ -1771,7 +1771,7 @@ static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_S ZERO_STRUCTP(id7); init_sam_user_info7(id7, pdb_get_username(smbpass) ); - pdb_free_sam(&smbpass); + TALLOC_FREE(smbpass); return NT_STATUS_OK; } @@ -1781,7 +1781,7 @@ static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_S *************************************************************************/ static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, SAM_USER_INFO_9 * id9, DOM_SID *user_sid) { - SAM_ACCOUNT *smbpass=NULL; + struct samu *smbpass=NULL; BOOL ret; NTSTATUS nt_status; 
@@ -1805,7 +1805,7 @@ static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, SAM_USER_INFO_9 * id9, DOM_ ZERO_STRUCTP(id9); init_sam_user_info9(id9, pdb_get_group_rid(smbpass) ); - pdb_free_sam(&smbpass); + TALLOC_FREE(smbpass); return NT_STATUS_OK; } @@ -1816,7 +1816,7 @@ static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, SAM_USER_INFO_9 * id9, DOM_ static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, SAM_USER_INFO_16 *id16, DOM_SID *user_sid) { - SAM_ACCOUNT *smbpass=NULL; + struct samu *smbpass=NULL; BOOL ret; NTSTATUS nt_status; @@ -1840,7 +1840,7 @@ static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, SAM_USER_INFO_16 *id16, DO ZERO_STRUCTP(id16); init_sam_user_info16(id16, pdb_get_acct_ctrl(smbpass) ); - pdb_free_sam(&smbpass); + TALLOC_FREE(smbpass); return NT_STATUS_OK; } @@ -1853,7 +1853,7 @@ static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, SAM_USER_INFO_16 *id16, DO static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_INFO_18 * id18, DOM_SID *user_sid) { - SAM_ACCOUNT *smbpass=NULL; + struct samu *smbpass=NULL; BOOL ret; NTSTATUS nt_status; @@ -1879,21 +1879,21 @@ static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_ if (ret == False) { DEBUG(4, ("User %s not found\n", sid_string_static(user_sid))); - pdb_free_sam(&smbpass); + TALLOC_FREE(smbpass); return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED; } DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) )); if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) { - pdb_free_sam(&smbpass); + TALLOC_FREE(smbpass); return NT_STATUS_ACCOUNT_DISABLED; } ZERO_STRUCTP(id18); init_sam_user_info18(id18, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass)); - pdb_free_sam(&smbpass); + TALLOC_FREE(smbpass); return NT_STATUS_OK; } 
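Review bot: In get_user_info_18 the object released by `TALLOC_FREE(smbpass)` holds the LM and NT hashes just read with `pdb_get_lanman_passwd()` and `pdb_get_nt_passwd()`, so clearing them now depends entirely on the talloc destructor that the commit message says replaces `free_fn()`. If `pdb_free_sam()` scrubbed those fields before freeing, confirm the destructor is installed on every allocation path and does the same. A comment at the first `TALLOC_FREE(smbpass)` such as `/* samu destructor wipes the password hashes */` would record the assumption. The same applies to the other `pdb_free_sam` to `TALLOC_FREE` conversions in this commit.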
@@ -1904,7 +1904,7 @@ static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_ static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DOM_SID *user_sid) { - SAM_ACCOUNT *sampass=NULL; + struct samu *sampass=NULL; BOOL ret; pdb_init_sam_talloc(mem_ctx, &sampass); @@ -1925,7 +1925,7 @@ static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DO ZERO_STRUCTP(id20); init_sam_user_info20A(id20, sampass); - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); return NT_STATUS_OK; } @@ -1937,7 +1937,7 @@ static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DO static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, DOM_SID *user_sid, DOM_SID *domain_sid) { - SAM_ACCOUNT *sampass=NULL; + struct samu *sampass=NULL; BOOL ret; NTSTATUS nt_status; @@ -1962,7 +1962,7 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, ZERO_STRUCTP(id21); nt_status = init_sam_user_info21A(id21, sampass, domain_sid); - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); return NT_STATUS_OK; } @@ -2073,7 +2073,7 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u) { - SAM_ACCOUNT *sam_pass=NULL; + struct samu *sam_pass=NULL; DOM_SID sid; DOM_SID *sids; DOM_GID dom_gid; @@ -2150,7 +2150,7 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S DEBUG(5, ("Group sid %s for user %s not in our domain\n", sid_string_static(pdb_get_group_sid(sam_pass)), pdb_get_username(sam_pass))); - pdb_free_sam(&sam_pass); + TALLOC_FREE(sam_pass); return NT_STATUS_INTERNAL_DB_CORRUPTION; } 
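Review bot: get_user_info_21 stores the result of `init_sam_user_info21A()` in `nt_status` and then returns `NT_STATUS_OK` regardless, so a failure while filling `id21` is reported to the client as success. Change the last line to `return nt_status;`. In get_user_info_20 earlier on this line, the return value of `pdb_init_sam_talloc(mem_ctx, &sampass)` is not checked before `sampass` is used, unlike the sibling functions that keep an `nt_status`.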
@@ -2951,20 +2951,20 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A set_user_info_7 ********************************************************************/ static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx, - const SAM_USER_INFO_7 *id7, SAM_ACCOUNT *pwd) + const SAM_USER_INFO_7 *id7, struct samu *pwd) { fstring new_name; NTSTATUS rc; if (id7 == NULL) { DEBUG(5, ("set_user_info_7: NULL id7\n")); - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return NT_STATUS_ACCESS_DENIED; } if(!rpcstr_pull(new_name, id7->uni_name.buffer, sizeof(new_name), id7->uni_name.uni_str_len*2, 0)) { DEBUG(5, ("set_user_info_7: failed to get new username\n")); - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return NT_STATUS_ACCESS_DENIED; } @@ -2984,7 +2984,7 @@ static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx, rc = pdb_rename_sam_account(pwd, new_name); - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return rc; } @@ -2992,26 +2992,26 @@ static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx, set_user_info_16 ********************************************************************/ -static BOOL set_user_info_16(const SAM_USER_INFO_16 *id16, SAM_ACCOUNT *pwd) +static BOOL set_user_info_16(const SAM_USER_INFO_16 *id16, struct samu *pwd) { if (id16 == NULL) { DEBUG(5, ("set_user_info_16: NULL id16\n")); - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return False; } /* FIX ME: check if the value is really changed --metze */ if (!pdb_set_acct_ctrl(pwd, id16->acb_info, PDB_CHANGED)) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return False; } if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return False; } - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return True; } 
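Review bot: The ownership contract of the set_user_info_* helpers is undocumented: set_user_info_7 and set_user_info_16 free `pwd` on every return path visible in these hunks. Because `pwd` is passed by value, `TALLOC_FREE(pwd)` clears only the callee's copy and the caller is left holding a dangling pointer. Add a header comment to each helper along the lines of `/* Consumes pwd: it is freed before return, callers must not use it afterwards. */`. Also check that the `id20 == NULL` path of set_user_info_20, which is cut off at the hunk edge, follows the same rule.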
@@ -3020,34 +3020,34 @@ static BOOL set_user_info_16(const SAM_USER_INFO_16 *id16, SAM_ACCOUNT *pwd) set_user_info_18 ********************************************************************/ -static BOOL set_user_info_18(SAM_USER_INFO_18 *id18, SAM_ACCOUNT *pwd) +static BOOL set_user_info_18(SAM_USER_INFO_18 *id18, struct samu *pwd) { if (id18 == NULL) { DEBUG(2, ("set_user_info_18: id18 is NULL\n")); - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return False; } if (!pdb_set_lanman_passwd (pwd, id18->lm_pwd, PDB_CHANGED)) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return False; } if (!pdb_set_nt_passwd (pwd, id18->nt_pwd, PDB_CHANGED)) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return False; } if (!pdb_set_pass_changed_now (pwd)) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return False; } if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return False; } - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return True; } @@ -3055,7 +3055,7 @@ static BOOL set_user_info_18(SAM_USER_INFO_18 *id18, SAM_ACCOUNT *pwd) set_user_info_20 ********************************************************************/ -static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, SAM_ACCOUNT *pwd) +static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, struct samu *pwd) { if (id20 == NULL) { DEBUG(5, ("set_user_info_20: NULL id20\n")); @@ -3066,11 +3066,11 @@ static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, SAM_ACCOUNT *pwd) /* write the change out */ if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return False; } - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return True; } @@ -3079,7 +3079,7 @@ static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, SAM_ACCOUNT *pwd) ********************************************************************/ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, - SAM_ACCOUNT *pwd) + struct samu *pwd) { NTSTATUS status; 
@@ -3105,11 +3105,11 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, /* write the change out */ if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return status; } - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return NT_STATUS_OK; } @@ -3119,7 +3119,7 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, ********************************************************************/ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, - SAM_ACCOUNT *pwd) + struct samu *pwd) { pstring plaintext_buf; uint32 len; @@ -3137,12 +3137,12 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, acct_ctrl = pdb_get_acct_ctrl(pwd); if (!decode_pw_buffer(id23->pass, plaintext_buf, 256, &len, STR_UNICODE)) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return NT_STATUS_INVALID_PARAMETER; } if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return NT_STATUS_ACCESS_DENIED; } @@ -3162,7 +3162,7 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, } if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return NT_STATUS_ACCESS_DENIED; } } @@ -3173,16 +3173,16 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) && (!NT_STATUS_IS_OK(status = pdb_set_unix_primary_group(mem_ctx, pwd)))) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return status; } if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return status; } - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return NT_STATUS_OK; } 
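Review bot: In set_user_info_23 (the hunks from -3137 onward) every exit path releases pwd but leaves the decoded cleartext password in the stack buffer plaintext_buf. Clearing it before each return, `ZERO_STRUCT(plaintext_buf);`, keeps the secret from lingering in a reused stack frame or a core dump. If ZERO_STRUCT is a plain memset the compiler may drop a final clear of a dead local, so this needs checking in the built object. set_user_info_pw in the next group of hunks follows the same pattern and would want the same change. Both function bodies extend outside the hunks shown.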
@@ -3191,7 +3191,7 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, set_user_info_pw ********************************************************************/ -static BOOL set_user_info_pw(uint8 *pass, SAM_ACCOUNT *pwd) +static BOOL set_user_info_pw(uint8 *pass, struct samu *pwd) { uint32 len; pstring plaintext_buf; @@ -3205,12 +3205,12 @@ static BOOL set_user_info_pw(uint8 *pass, SAM_ACCOUNT *pwd) ZERO_STRUCT(plaintext_buf); if (!decode_pw_buffer(pass, plaintext_buf, 256, &len, STR_UNICODE)) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return False; } if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return False; } @@ -3228,7 +3228,7 @@ static BOOL set_user_info_pw(uint8 *pass, SAM_ACCOUNT *pwd) } if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return False; } } @@ -3240,11 +3240,11 @@ static BOOL set_user_info_pw(uint8 *pass, SAM_ACCOUNT *pwd) /* update the SAMBA password */ if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return False; } - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return True; } @@ -3255,7 +3255,7 @@ static BOOL set_user_info_pw(uint8 *pass, SAM_ACCOUNT *pwd) NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_USERINFO *r_u) { - SAM_ACCOUNT *pwd = NULL; + struct samu *pwd = NULL; DOM_SID sid; POLICY_HND *pol = &q_u->pol; uint16 switch_value = q_u->switch_value; @@ -3297,7 +3297,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE unbecome_root(); if ( !ret ) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return NT_STATUS_NO_SUCH_USER; } 
@@ -3401,7 +3401,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SET_USERINFO2 *r_u) { - SAM_ACCOUNT *pwd = NULL; + struct samu *pwd = NULL; DOM_SID sid; SAM_USERINFO_CTR *ctr = q_u->ctr; POLICY_HND *pol = &q_u->pol; @@ -3445,7 +3445,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ unbecome_root(); if ( !ret ) { - pdb_free_sam(&pwd); + TALLOC_FREE(pwd); return NT_STATUS_NO_SUCH_USER; } @@ -3897,7 +3897,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAMR_R_DELETE_DOM_USER *r_u ) { DOM_SID user_sid; - SAM_ACCOUNT *sam_pass=NULL; + struct samu *sam_pass=NULL; uint32 acc_granted; BOOL can_add_accounts; DISP_INFO *disp_info = NULL; @@ -3920,7 +3920,7 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM if(!pdb_getsampwsid(sam_pass, &user_sid)) { DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n", sid_string_static(&user_sid))); - pdb_free_sam(&sam_pass); + TALLOC_FREE(sam_pass); return NT_STATUS_NO_SUCH_USER; } @@ -3942,12 +3942,12 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM DEBUG(5,("_samr_delete_dom_user: Failed to delete entry for " "user %s: %s.\n", pdb_get_username(sam_pass), nt_errstr(r_u->status))); - pdb_free_sam(&sam_pass); + TALLOC_FREE(sam_pass); return r_u->status; } - pdb_free_sam(&sam_pass); + TALLOC_FREE(sam_pass); if (!close_policy_hnd(p, &q_u->user_pol)) return NT_STATUS_OBJECT_NAME_INVALID; -- cgit From cd559192633d78a9f06e239c6a448955f6ea0842 Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Tue, 21 Feb 2006 14:34:11 +0000 Subject: r13590: * replace all pdb_init_sam[_talloc]() calls with samu_new() * replace all pdb_{init,fill}_sam_pw() calls with samu_set_unix() (This used to be commit 6f1afa4acc93a07d0ee9940822d7715acaae634f) --- source3/rpc_server/srv_samr_nt.c | 69 +++++++++++++++++++--------------------- 1 file changed, 33 insertions(+), 36 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index f9a28f1272..5c2950b491 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1693,10 +1693,9 @@ NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USE if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; - nt_status = pdb_init_sam_talloc(p->mem_ctx, &sampass); - - if (!NT_STATUS_IS_OK(nt_status)) - return nt_status; + if ( !(sampass = samu_new( p->mem_ctx )) ) { + return NT_STATUS_NO_MEMORY; + } /* append the user's RID to it */ @@ -1749,19 +1748,16 @@ static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_S { struct samu *smbpass=NULL; BOOL ret; - NTSTATUS nt_status; - nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass); - - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; + if ( !(smbpass = samu_new( mem_ctx )) ) { + return NT_STATUS_NO_MEMORY; } - + become_root(); ret = pdb_getsampwsid(smbpass, user_sid); unbecome_root(); - if (ret==False) { + if ( !ret ) { DEBUG(4,("User %s not found\n", sid_string_static(user_sid))); return NT_STATUS_NO_SUCH_USER; } @@ -1783,12 +1779,9 @@ static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, SAM_USER_INFO_9 * id9, DOM_ { struct samu *smbpass=NULL; BOOL ret; - NTSTATUS nt_status; - - nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; + if ( !(smbpass = samu_new( mem_ctx )) ) { + return NT_STATUS_NO_MEMORY; } become_root(); 
@@ -1818,12 +1811,9 @@ static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, SAM_USER_INFO_16 *id16, DO { struct samu *smbpass=NULL; BOOL ret; - NTSTATUS nt_status; - nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass); - - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; + if ( !(smbpass = samu_new( mem_ctx )) ) { + return NT_STATUS_NO_MEMORY; } become_root(); @@ -1855,7 +1845,6 @@ static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_ { struct samu *smbpass=NULL; BOOL ret; - NTSTATUS nt_status; if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) { return NT_STATUS_ACCESS_DENIED; @@ -1869,10 +1858,8 @@ static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_ * Do *NOT* do become_root()/unbecome_root() here ! JRA. */ - nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass); - - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; + if ( !(smbpass = samu_new( mem_ctx )) ) { + return NT_STATUS_NO_MEMORY; } ret = pdb_getsampwsid(smbpass, user_sid); @@ -1907,7 +1894,9 @@ static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DO struct samu *sampass=NULL; BOOL ret; - pdb_init_sam_talloc(mem_ctx, &sampass); + if ( !(sampass = samu_new( mem_ctx )) ) { + return NT_STATUS_NO_MEMORY; + } become_root(); ret = pdb_getsampwsid(sampass, user_sid); @@ -1941,9 +1930,8 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, BOOL ret; NTSTATUS nt_status; - nt_status = pdb_init_sam_talloc(mem_ctx, &sampass); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; + if ( !(sampass = samu_new( mem_ctx )) ) { + return NT_STATUS_NO_MEMORY; } become_root(); 
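Review bot: The guard kept as context in get_user_info_18 (the hunk at -1855), `p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP`, is true for every value of auth_type. The function therefore always returns NT_STATUS_ACCESS_DENIED, and the `samu_new( mem_ctx )` call this commit adds below it is never reached. It fails closed, but the intent is presumably to reject only pipes that use neither type, which needs `&&` between the two comparisons. Since this info level appears to return password hashes (set_user_info_18 on this page writes lm_pwd and nt_pwd), the corrected condition should be tested against an unauthenticated pipe before it is relied on.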
@@ -2113,8 +2101,10 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S if (!sid_check_is_in_our_domain(&sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - pdb_init_sam_talloc(p->mem_ctx, &sam_pass); - + if ( !(sam_pass = samu_new( p->mem_ctx )) ) { + return NT_STATUS_NO_MEMORY; + } + become_root(); ret = pdb_getsampwsid(sam_pass, &sid); unbecome_root(); @@ -3290,7 +3280,9 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE return NT_STATUS_INVALID_INFO_CLASS; } - pdb_init_sam(&pwd); + if ( !(pwd = samu_new( NULL )) ) { + return NT_STATUS_NO_MEMORY; + } become_root(); ret = pdb_getsampwsid(pwd, &sid); @@ -3438,8 +3430,10 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ switch_value=ctr->switch_value; - pdb_init_sam(&pwd); - + if ( !(pwd = samu_new( NULL )) ) { + return NT_STATUS_NO_MEMORY; + } + become_root(); ret = pdb_getsampwsid(pwd, &sid); unbecome_root(); @@ -3916,7 +3910,10 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM return NT_STATUS_CANNOT_DELETE; /* check if the user exists before trying to delete */ - pdb_init_sam(&sam_pass); + if ( !(sam_pass = samu_new( NULL )) ) { + return NT_STATUS_NO_MEMORY; + } + if(!pdb_getsampwsid(sam_pass, &user_sid)) { DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n", sid_string_static(&user_sid))); -- cgit From cab298856ab1179cdaec2ef89121f7c66c6b6d76 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 22 Feb 2006 10:28:02 +0000 Subject: r13622: Allow to rename machine accounts in a Samba Domain. This still uses the "rename user script" to do the rename of the posix machine account (this might be changed later). Fixes #2331. Guenther (This used to be commit b2eac2e6eb6ddd1bcb4ed5172e7cd64144c18d16) --- source3/rpc_server/srv_samr_nt.c | 38 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 5c2950b491..33de292d22 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3071,13 +3071,47 @@ static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, struct samu *pwd) static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, struct samu *pwd) { + fstring new_name; NTSTATUS status; - + if (id21 == NULL) { DEBUG(5, ("set_user_info_21: NULL id21\n")); return NT_STATUS_INVALID_PARAMETER; } - + + /* we need to separately check for an account rename first */ + if (rpcstr_pull(new_name, id21->uni_user_name.buffer, + sizeof(new_name), id21->uni_user_name.uni_str_len*2, 0) && + (!strequal(new_name, pdb_get_username(pwd)))) { + + /* check to see if the new username already exists. Note: we can't + reliably lock all backends, so there is potentially the + possibility that a user can be created in between this check and + the rename. The rename should fail, but may not get the + exact same failure status code. I think this is small enough + of a window for this type of operation and the results are + simply that the rename fails with a slightly different status + code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */ + + status = can_create(mem_ctx, new_name); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + status = pdb_rename_sam_account(pwd, new_name); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0,("set_user_info_21: failed to rename account: %s\n", + nt_errstr(status))); + TALLOC_FREE(pwd); + return status; + } + + /* set the new username so that later + functions can work on the new account */ + pdb_set_username(pwd, new_name, PDB_SET); + } + copy_id21_to_sam_passwd(pwd, id21); /* -- cgit From d95e13e68f3c7ac517a45877b351849ef4a99b93 Mon Sep 17 00:00:00 2001 
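Review bot: The rename path added to set_user_info_21 returns on a can_create() failure without releasing pwd, while the pdb_rename_sam_account() failure a few lines later does `TALLOC_FREE(pwd);` first. The r13590 change shown earlier on this page allocates pwd in the callers with `samu_new( NULL )`, so unless the caller frees it on error (not visible here) the object is leaked on that path. Adding `TALLOC_FREE(pwd);` before `return status;` in the can_create branch makes the two branches agree; the `id21 == NULL` return above it has the same gap. The return value of `pdb_set_username(pwd, new_name, PDB_SET)` is also ignored, so a failed update would leave pwd carrying the old name after the backend rename succeeded.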
From: Gerald Carter Date: Fri, 24 Feb 2006 21:36:40 +0000 Subject: r13679: Commiting the rm_primary_group.patch posted on samba-technical * ignore the primary group SID attribute from struct samu* * generate the primary group SID strictlky from the Unix primary group when dealing with passdb users * Fix memory leak in original patch caused by failing to free a talloc * * add wrapper around samu_set_unix() to prevent exposing the create BOOL to callers. Wrappers are samu_set_unix() and samu-allic_rid_unix() (This used to be commit bcf269e2ec6630b78d909010fabd3b69dd6dda84) --- source3/rpc_server/srv_samr_nt.c | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 33de292d22..47e1a31535 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3121,17 +3121,16 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, * id21. I don't know if they need to be set. --jerry */ - if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) && - !NT_STATUS_IS_OK(status = pdb_set_unix_primary_group(mem_ctx, - pwd))) { - return status; + if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) { + status = pdb_set_unix_primary_group(mem_ctx, pwd); + if ( !NT_STATUS_IS_OK(status) ) { + return status; + } } - - /* write the change out */ - if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) { - TALLOC_FREE(pwd); - return status; - } + + /* Don't worry about writing out the user account since the + primary group SID is generated solely from the user's Unix + primary group. */ TALLOC_FREE(pwd); -- cgit From e54786b53543b4667288c64abb55478fddd95061 Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Mon, 27 Feb 2006 10:32:45 +0000 Subject: r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16. * Fix a couple of related parsing issues. * in the info3 reply in a samlogon, return the ACB-flags (instead of returning zero) Guenther (This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 47e1a31535..fa5b080634 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -482,7 +482,7 @@ static void samr_clear_sam_passwd(struct samu *sam_pass) pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT); } -static uint32 count_sam_users(struct disp_info *info, uint16 acct_flags) +static uint32 count_sam_users(struct disp_info *info, uint32 acct_flags) { struct samr_displayentry *entry; @@ -3218,7 +3218,7 @@ static BOOL set_user_info_pw(uint8 *pass, struct samu *pwd) { uint32 len; pstring plaintext_buf; - uint16 acct_ctrl; + uint32 acct_ctrl; DEBUG(5, ("Attempting administrator password change for user %s\n", pdb_get_username(pwd))); -- cgit From aec8de1703cd034a253b06b26e849c01d8ce131f Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 27 Feb 2006 14:45:27 +0000 Subject: r13715: Put back the code that actually modify the account, removed, I presume by mistake, by Jerry in the recent patch the removes the primary group SID stuff. set_user_info_21 is called to update many other things like the description of a user for example (that's what failed on me). Jerry, please review this one. (This used to be commit 239a37d201168d095f600042b1ffcd047f18ba8a) --- source3/rpc_server/srv_samr_nt.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index fa5b080634..de6c28a38d 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3132,6 +3132,12 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, primary group SID is generated solely from the user's Unix primary group. */ + /* write the change out */ + if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) { + TALLOC_FREE(pwd); + return status; + } + TALLOC_FREE(pwd); return NT_STATUS_OK; -- cgit From 1b456f2894fc663a9b6edbc51fe1b107ede196d8 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 1 Mar 2006 21:56:59 +0000 Subject: r13778: When deleting machine accounts it's the SeMachineAccountPrivilege that counts. Jeremy. (This used to be commit aa85ba4f3799ffbe5c6f84f768f03a4c68d879dc) --- source3/rpc_server/srv_samr_nt.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index de6c28a38d..e4dc92c08d 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3933,6 +3933,7 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM struct samu *sam_pass=NULL; uint32 acc_granted; BOOL can_add_accounts; + uint32 acb_info; DISP_INFO *disp_info = NULL; DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__)); 
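Review bot: The comment left directly above the restored block still says not to worry about writing out the user account, which now contradicts the `pdb_update_sam_account(pwd)` call that follows it. A later reader could take the comment at face value and remove the write again. Replace it with something like `/* The primary group SID is derived from the Unix primary group, but the other id21 fields still have to be written out. */`.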
@@ -3960,7 +3961,14 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM return NT_STATUS_NO_SUCH_USER; } - can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); + acb_info = pdb_get_acct_ctrl(sam_pass); + + /* For machine accounts it's the SeMachineAccountPrivilege that counts. */ + if ( acb_info & ACB_WSTRUST ) { + can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account ); + } else { + can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); + } /******** BEGIN SeAddUsers BLOCK *********/ -- cgit From 0ce53f8ba5110381ad6f910abe581a69019135b8 Mon Sep 17 00:00:00 2001 
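Review bot: After this change the name `can_add_accounts` and the `BEGIN SeAddUsers BLOCK` marker no longer describe the check, because for ACB_WSTRUST accounts the result comes from se_machine_account. This flag decides a privileged deletion, so a misleading name makes the authorization logic harder to audit. A comment at the assignment such as `/* true if the caller holds the privilege that applies to this account type */` and a neutral block marker would cover it. Only ACB_WSTRUST selects the machine privilege here, and if other trust-account flags are meant to fall through to se_add_users, say so in the same comment. The code that consumes the flag is outside the hunk.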
From: Gerald Carter Date: Wed, 15 Mar 2006 00:10:38 +0000 Subject: r14403: * modifies create_local_nt_token() to create a BUILTIN\Administrators group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes' * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code. * remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. The fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present. * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam() Other wise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid. * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code) Still todo. * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running * issues with "su - user -c 'groups'" command * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators. (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83) --- source3/rpc_server/srv_samr_nt.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e4dc92c08d..6a4c9f7133 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1650,6 +1650,10 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK names, attrs); unbecome_root(); + if ( NT_STATUS_EQUAL(r_u->status, NT_STATUS_NONE_MAPPED) && (num_rids == 0) ) { + r_u->status = NT_STATUS_OK; + } + if(!make_samr_lookup_rids(p->mem_ctx, num_rids, names, &hdr_name, &uni_name)) return NT_STATUS_NO_MEMORY; @@ -2914,6 +2918,7 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A /* Check we actually have the requested alias */ enum SID_NAME_USE type; BOOL result; + gid_t gid; become_root(); result = lookup_sid(NULL, &sid, NULL, NULL, &type); @@ -2922,6 +2927,13 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A if (!result || (type != SID_NAME_ALIAS)) { return NT_STATUS_NO_SUCH_ALIAS; } + + /* make sure there is a mapping */ + + if ( !sid_to_gid( &sid, &gid ) ) { + return NT_STATUS_NO_SUCH_ALIAS; + } + } /* associate the alias SID with the new handle. */ -- cgit From 1839b4be14e905428257eb999def184d73dcf08f Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Wed, 22 Mar 2006 08:04:13 +0000 Subject: r14634: Many bug fixes thanks to train rides and overnight stays in airports * Finally fix parsing idmap uid/gid ranges not to break with spaces surrounding the '-' * Allow local groups to renamed by adding info level 2 to _samr_set_aliasinfo() * Fix parsing bug in _samr_del_dom_alias() reply * Prevent root from being deleted via Samba * Prevent builting groups from being renamed or deleted * Fix bug in pdb_tdb that broke renaming user accounts * Make sure winbindd is running when trying to create the Administrators and Users BUILTIN groups automatically from smbd (and not just check the winbind nexted groups parameter value). * Have the top level rid allocator verify that the RID it is about to grant is not already assigned in our own SAM (retries up to 250 times). This fixes passdb with existing SIDs assigned to users from the RID algorithm but not monotonically allocating the RIDs from passdb. (This used to be commit db1162241f79c2af8afb7d8c26e8ed1c4a4b476f) --- source3/rpc_server/srv_samr_nt.c | 40 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 6a4c9f7133..dc17977041 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -3464,9 +3464,14 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - /* observed when joining XP client to Samba domain */ +#if 0 /* this really should be applied on a per info level basis --jerry */ + + /* observed when joining XP client to Samba domain */ acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY; +#else + acc_required = SA_RIGHT_USER_SET_ATTRIBUTES; +#endif if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo2"))) { return r_u->status; @@ -4093,12 +4098,22 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; + /* copy the handle to the outgoing reply */ + + memcpy( &r_u->pol, &q_u->alias_pol, sizeof(r_u->pol) ); + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_alias"))) { return r_u->status; } DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid))); + /* Don't let Windows delete builtin groups */ + + if ( sid_check_is_in_builtin( &alias_sid ) ) { + return NT_STATUS_SPECIAL_ACCOUNT; + } + if (!sid_check_is_in_our_domain(&alias_sid)) return NT_STATUS_NO_SUCH_ALIAS; 
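Review bot: The `#else` branch in _samr_set_userinfo2 lowers the required access for every info level to SA_RIGHT_USER_SET_ATTRIBUTES. A handle opened without SA_RIGHT_USER_SET_PASSWORD now passes access_check_samr_function() whatever level is requested. If the switch further down (outside this hunk) still dispatches password-setting levels, such as those served by set_user_info_18 and set_user_info_23 on this page, those levels should keep the stricter mask, as the in-code remark about per-level checks suggests. One way is to build acc_required from switch_value before the check and add SA_RIGHT_USER_SET_PASSWORD only for the levels that carry a password. The `#if 0` block could then be deleted rather than kept as dead code.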
@@ -4453,7 +4468,30 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ ctr=&q_u->ctr; + /* get the current group information */ + + if ( !pdb_get_aliasinfo( &group_sid, &info ) ) { + return NT_STATUS_NO_SUCH_ALIAS; + } + switch (ctr->level) { + case 2: + /* We currently do not support renaming groups in the + the BUILTIN domain. Refer to util_builtin.c to understand + why. The eventually needs to be fixed to be like Windows + where you can rename builtin groups, just not delete them */ + + if ( sid_check_is_in_builtin( &group_sid ) ) { + return NT_STATUS_SPECIAL_ACCOUNT; + } + + if ( ctr->alias.info2.name.string ) { + unistr2_to_ascii( info.acct_name, ctr->alias.info2.name.string, + sizeof(info.acct_name)-1 ); + } + else + fstrcpy( info.acct_name, "" ); + break; case 3: if ( ctr->alias.info3.description.string ) { unistr2_to_ascii( info.acct_desc, -- cgit From 20204ab040247d431060b9a53ca6437024d76d6c Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 22 Mar 2006 15:00:42 +0000 Subject: r14646: Adding samr querygroup infolevels 2 & 5. Guenther (This used to be commit 6c4fe819c69f281915ad0f4c3bde4dfb194aa33a) --- source3/rpc_server/srv_samr_nt.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index dc17977041..c4b3d3512c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4362,6 +4362,10 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM map.comment, num_members); break; } + case 2: + ctr->switch_value1 = 2; + init_samr_group_info2(&ctr->group.info2, map.nt_name); + break; case 3: ctr->switch_value1 = 3; init_samr_group_info3(&ctr->group.info3); 
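Review bot: In the new `case 2` of _samr_set_aliasinfo a request with no name string sets `info.acct_name` to the empty string, and a supplied name is accepted without checking that it is non-empty or already taken. The user rename added to set_user_info_21 on this page calls can_create() before renaming, and the alias rename probably wants an equivalent check. An empty name should be rejected with NT_STATUS_INVALID_PARAMETER instead of being stored. The `else` branch is also written without braces, unlike the `if` it pairs with. How info is written back is outside the hunk, so the effect of an empty name on the backend is inferred.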
@@ -4370,6 +4374,28 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM ctr->switch_value1 = 4; init_samr_group_info4(&ctr->group.info4, map.comment); break; + case 5: { + /* + uint32 *members; + size_t num_members; + */ + + ctr->switch_value1 = 5; + + /* + become_root(); + r_u->status = pdb_enum_group_members( + p->mem_ctx, &group_sid, &members, &num_members); + unbecome_root(); + + if (!NT_STATUS_IS_OK(r_u->status)) { + return r_u->status; + } + */ + init_samr_group_info5(&ctr->group.info5, map.nt_name, + map.comment, 0 /* num_members */); /* in w2k3 this is always 0 */ + break; + } default: return NT_STATUS_INVALID_INFO_CLASS; } -- cgit From 52e778e6f85c5affbcc40e5ce629792e6f16b553 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 4 May 2006 17:28:05 +0000 Subject: r15438: Fix samrQueryDomainInfo level 5 where we returned our netbios name eversince instead of the domain name when we are a DC. Yes, there are applications relying on this call to be correct. Guenther (This used to be commit 26dd22c9af8caf3db236984e4683ba210376ca59) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c4b3d3512c..d672ab4a5b 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2301,7 +2301,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA init_unk_info3(&ctr->info.inf3, nt_logout); break; case 0x05: - init_unk_info5(&ctr->info.inf5, global_myname()); + init_unk_info5(&ctr->info.inf5, get_global_sam_name()); break; case 0x06: init_unk_info6(&ctr->info.inf6); 
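Review bot: The new `case 5` in _samr_query_groupinfo keeps its member-enumeration code inside two comment blocks and passes a literal 0 as the member count. Commented-out code that calls become_root() is easy to re-enable later without review. Delete the disabled lines and keep a single comment stating the decision, for example `/* num_members is reported as 0 to match w2k3; members are not enumerated */`. The braces around the case body are then unnecessary as well.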
@@ -4802,7 +4802,7 @@ NTSTATUS _samr_query_domain_info2(pipes_struct *p, init_unk_info3(&ctr->info.inf3, nt_logout); break; case 0x05: - init_unk_info5(&ctr->info.inf5, global_myname()); + init_unk_info5(&ctr->info.inf5, get_global_sam_name()); break; case 0x06: init_unk_info6(&ctr->info.inf6); -- cgit From 0fe21ac5609940be815148a2f73e1e456b7c3cce Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 4 May 2006 19:01:11 +0000 Subject: r15442: Add some more client rpc for the querydominfo calls (from samba4 idl). Also return the hostname for the level 6 call (to be consistent with the server name in level 2). Guenther (This used to be commit 41b72e77ae70c96de4659af6b4b6bd842dd67981) --- source3/rpc_server/srv_samr_nt.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d672ab4a5b..035f838048 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2304,7 +2304,10 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA init_unk_info5(&ctr->info.inf5, get_global_sam_name()); break; case 0x06: - init_unk_info6(&ctr->info.inf6); + /* NT returns its own name when a PDC. win2k and later + * only the name of the PDC if itself is a BDC (samba4 + * idl) */ + init_unk_info6(&ctr->info.inf6, global_myname()); break; case 0x07: server_role = ROLE_DOMAIN_PDC; @@ -4712,8 +4715,8 @@ NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, ********************************************************************/ NTSTATUS _samr_query_domain_info2(pipes_struct *p, - SAMR_Q_QUERY_DOMAIN_INFO2 *q_u, - SAMR_R_QUERY_DOMAIN_INFO2 *r_u) + SAMR_Q_QUERY_DOMAIN_INFO2 *q_u, + SAMR_R_QUERY_DOMAIN_INFO2 *r_u) { struct samr_info *info = NULL; SAM_UNK_CTR *ctr; 
@@ -4805,7 +4808,10 @@ NTSTATUS _samr_query_domain_info2(pipes_struct *p, init_unk_info5(&ctr->info.inf5, get_global_sam_name()); break; case 0x06: - init_unk_info6(&ctr->info.inf6); + /* NT returns its own name when a PDC. win2k and later + * only the name of the PDC if itself is a BDC (samba4 + * idl) */ + init_unk_info6(&ctr->info.inf6, global_myname()); break; case 0x07: server_role = ROLE_DOMAIN_PDC; @@ -4849,7 +4855,7 @@ NTSTATUS _samr_query_domain_info2(pipes_struct *p, } /******************************************************************* - _samr_ + _samr_set_dom_info ********************************************************************/ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R_SET_DOMAIN_INFO *r_u) -- cgit From c5e28047622aba53c8d009df77ce4d230d4d6637 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 5 May 2006 08:04:28 +0000 Subject: r15452: Again purely cosmetic reformat of the samr query domain info calls. Guenther (This used to be commit 6ed7d7fa70e3f750f921192c0f75594d608875b7) --- source3/rpc_server/srv_samr_nt.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 035f838048..d2a8447786 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2180,10 +2180,12 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S } /******************************************************************* - _samr_query_dom_info + _samr_query_domain_info ********************************************************************/ -NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR_R_QUERY_DOMAIN_INFO *r_u) +NTSTATUS _samr_query_domain_info(pipes_struct *p, + SAMR_Q_QUERY_DOMAIN_INFO *q_u, + SAMR_R_QUERY_DOMAIN_INFO *r_u) { struct samr_info *info = NULL; SAM_UNK_CTR *ctr; 
@@ -2212,7 +2214,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA r_u->status = NT_STATUS_OK; - DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); + DEBUG(5,("_samr_query_domain_info: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)(void *)&info)) { @@ -2364,9 +2366,9 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA } - init_samr_r_query_dom_info(r_u, q_u->switch_value, ctr, NT_STATUS_OK); + init_samr_r_query_domain_info(r_u, q_u->switch_value, ctr, NT_STATUS_OK); - DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__)); + DEBUG(5,("_samr_query_domain_info: %d\n", __LINE__)); return r_u->status; } @@ -4847,7 +4849,7 @@ NTSTATUS _samr_query_domain_info2(pipes_struct *p, return NT_STATUS_INVALID_INFO_CLASS; } - init_samr_r_samr_query_domain_info2(r_u, q_u->switch_value, ctr, NT_STATUS_OK); + init_samr_r_query_domain_info2(r_u, q_u->switch_value, ctr, NT_STATUS_OK); DEBUG(5,("_samr_query_domain_info2: %d\n", __LINE__)); -- cgit From 212b832e4a3a368d14f061aeffcc034650e247da Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 5 May 2006 08:22:50 +0000 Subject: r15454: As testing, documentation and samba4 idl indicate that there is no known difference between samr_query_domain_info and samr_query_domain_info2, wrap the info2 call around the info call. There have been various "could not access LDAP when not root" bugs lurking around in samr_query_domain_info2 anyway. Guenther (This used to be commit 3e181b46bea87797d654d57a6c8231cba6ff5a7b) --- source3/rpc_server/srv_samr_nt.c | 136 +++------------------------------------ 1 file changed, 10 insertions(+), 126 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d2a8447786..4507c1c88b 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -4720,138 +4720,22 @@ NTSTATUS _samr_query_domain_info2(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO2 *q_u, SAMR_R_QUERY_DOMAIN_INFO2 *r_u) { - struct samr_info *info = NULL; - SAM_UNK_CTR *ctr; - uint32 min_pass_len,pass_hist,password_properties; - time_t u_expire, u_min_age; - NTTIME nt_expire, nt_min_age; - - time_t u_lock_duration, u_reset_time; - NTTIME nt_lock_duration, nt_reset_time; - uint32 lockout; - - time_t u_logout; - NTTIME nt_logout; + SAMR_Q_QUERY_DOMAIN_INFO q; + SAMR_R_QUERY_DOMAIN_INFO r; - uint32 num_users=0, num_groups=0, num_aliases=0; - - uint32 account_policy_temp; - - time_t seq_num; - uint32 server_role; - - if ((ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_CTR)) == NULL) - return NT_STATUS_NO_MEMORY; - - ZERO_STRUCTP(ctr); - - r_u->status = NT_STATUS_OK; + ZERO_STRUCT(q); + ZERO_STRUCT(r); DEBUG(5,("_samr_query_domain_info2: %d\n", __LINE__)); - /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)(void *)&info)) - return NT_STATUS_INVALID_HANDLE; - - switch (q_u->switch_value) { - case 0x01: - pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp); - min_pass_len = account_policy_temp; - - pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp); - pass_hist = account_policy_temp; - - pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp); - password_properties = account_policy_temp; - - pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp); - u_expire = account_policy_temp; - - pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp); - u_min_age = account_policy_temp; + q.domain_pol = q_u->domain_pol; + q.switch_value = q_u->switch_value; - unix_to_nt_time_abs(&nt_expire, u_expire); - unix_to_nt_time_abs(&nt_min_age, u_min_age); + r_u->status = _samr_query_domain_info(p, &q, &r); - init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist, - password_properties, nt_expire, nt_min_age); - break; - case 0x02: - 
become_root(); - num_users = count_sam_users(info->disp_info, ACB_NORMAL); - num_groups = count_sam_groups(info->disp_info); - num_aliases = count_sam_aliases(info->disp_info); - unbecome_root(); - - pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); - u_logout = account_policy_temp; - - unix_to_nt_time_abs(&nt_logout, u_logout); - - if (!pdb_get_seq_num(&seq_num)) - seq_num = time(NULL); - - server_role = ROLE_DOMAIN_PDC; - if (lp_server_role() == ROLE_DOMAIN_BDC) - server_role = ROLE_DOMAIN_BDC; - - init_unk_info2(&ctr->info.inf2, lp_serverstring(), lp_workgroup(), global_myname(), seq_num, - num_users, num_groups, num_aliases, nt_logout, server_role); - break; - case 0x03: - pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp); - u_logout = account_policy_temp; - - unix_to_nt_time_abs(&nt_logout, u_logout); - - init_unk_info3(&ctr->info.inf3, nt_logout); - break; - case 0x05: - init_unk_info5(&ctr->info.inf5, get_global_sam_name()); - break; - case 0x06: - /* NT returns its own name when a PDC. 
win2k and later - * only the name of the PDC if itself is a BDC (samba4 - * idl) */ - init_unk_info6(&ctr->info.inf6, global_myname()); - break; - case 0x07: - server_role = ROLE_DOMAIN_PDC; - if (lp_server_role() == ROLE_DOMAIN_BDC) - server_role = ROLE_DOMAIN_BDC; - - init_unk_info7(&ctr->info.inf7, server_role); - break; - case 0x08: - if (!pdb_get_seq_num(&seq_num)) - seq_num = time(NULL); - - init_unk_info8(&ctr->info.inf8, (uint32) seq_num); - break; - case 0x0c: - pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp); - u_lock_duration = account_policy_temp; - if (u_lock_duration != -1) - u_lock_duration *= 60; - - pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp); - u_reset_time = account_policy_temp * 60; - - pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp); - lockout = account_policy_temp; - - unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); - unix_to_nt_time_abs(&nt_reset_time, u_reset_time); - - init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout); - break; - default: - return NT_STATUS_INVALID_INFO_CLASS; - } - - init_samr_r_query_domain_info2(r_u, q_u->switch_value, ctr, NT_STATUS_OK); - - DEBUG(5,("_samr_query_domain_info2: %d\n", __LINE__)); + r_u->ptr_0 = r.ptr_0; + r_u->switch_value = r.switch_value; + r_u->ctr = r.ctr; return r_u->status; } -- cgit From 4137c63d0236d429c33b718674b365c6efcba695 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 5 May 2006 08:26:34 +0000 Subject: r15455: Add rpccli_samr_query_dom_info2() and return the comment string in samr_query_domain_info(2) for consistency reasons. Guenther (This used to be commit 870495e2c8628deee0498e68cc1d93abfbc56da4) --- source3/rpc_server/srv_samr_nt.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 4507c1c88b..c9e6b552c8 100644 
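Review bot: In the new body of _samr_query_domain_info2, `r.ptr_0`, `r.switch_value` and `r.ctr` are copied into `r_u` without looking at the status returned by `_samr_query_domain_info(p, &q, &r)`. Because `r` is zeroed first, this is harmless as long as the inner call fills `r` only on success, which is not visible in this hunk. An explicit `if (!NT_STATUS_IS_OK(r_u->status)) return r_u->status;` before the three copies would make the wrapper independent of that. A short comment such as `/* info2 is wire-identical to info; the policy handle lookup happens in _samr_query_domain_info */` would also record why the `find_policy_by_hnd()` call was removed from this function.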
--- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2302,6 +2302,9 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, init_unk_info3(&ctr->info.inf3, nt_logout); break; + case 0x04: + init_unk_info4(&ctr->info.inf4, lp_serverstring()); + break; case 0x05: init_unk_info5(&ctr->info.inf5, get_global_sam_name()); break; -- cgit From c594a5519d459730252a9692200a849b84b4e96a Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 6 Jun 2006 14:18:12 +0000 Subject: r16060: This is one of the more dirty patches I've put in lately. Parse enough of SetUserInfo level 25 to survive the join method XP uses if the user did not exist before. For good taste this contains way too much cut&paste, but for a real fix there is just not enough time. Up to 3.0.22 we completely ignored that a full level 21 is being sent together with level 25, but we got away with that because on creation we did not set the "disabled" flag on the workstation account. Now we correctly follow W2k3 in this regard, and we end up with a disabled workstation after join. Man, I hate rpc_parse/. The correct fix would be to import PIDL generated samr parsing, but this is would probably be a bit too much for .23... Thanks to Tom Bork for finding this one. Volker (This used to be commit 5a37aba10551456042266443cc0a92f28f8c3d0d) --- source3/rpc_server/srv_samr_nt.c | 52 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c9e6b552c8..7a06e562ef 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -3298,6 +3298,52 @@ static BOOL set_user_info_pw(uint8 *pass, struct samu *pwd) return True; } +/******************************************************************* + set_user_info_25 + ********************************************************************/ + +static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx, SAM_USER_INFO_25 *id25, + struct samu *pwd) +{ + NTSTATUS status; + + if (id25 == NULL) { + DEBUG(5, ("set_user_info_25: NULL id25\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + copy_id25_to_sam_passwd(pwd, id25); + + /* + * The funny part about the previous two calls is + * that pwd still has the password hashes from the + * passdb entry. These have not been updated from + * id21. I don't know if they need to be set. --jerry + */ + + if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) { + status = pdb_set_unix_primary_group(mem_ctx, pwd); + if ( !NT_STATUS_IS_OK(status) ) { + return status; + } + } + + /* Don't worry about writing out the user account since the + primary group SID is generated solely from the user's Unix + primary group. */ + + /* write the change out */ + if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) { + TALLOC_FREE(pwd); + return status; + } + + /* WARNING: No TALLOC_FREE(pwd), we are about to set the password + * hereafter! */ + + return NT_STATUS_OK; +} + /******************************************************************* samr_reply_set_userinfo ********************************************************************/ @@ -3401,6 +3447,11 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE dump_data(100, (char *)ctr->info.id25->pass, 532); + r_u->status = set_user_info_25(p->mem_ctx, + ctr->info.id25, pwd); + if (!NT_STATUS_IS_OK(r_u->status)) { + goto done; + } if (!set_user_info_pw(ctr->info.id25->pass, pwd)) r_u->status = NT_STATUS_ACCESS_DENIED; break; 
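Review bot: set_user_info_25 frees `pwd` with `TALLOC_FREE(pwd)` when `pdb_update_sam_account()` fails but not when `pdb_set_unix_primary_group()` fails, so the returned status does not tell the caller whether `pwd` is still valid. TALLOC_FREE clears only the callee's local copy of the pointer. The caller in _samr_set_userinfo (next hunk) jumps to `done` with its own `pwd` unchanged, and what is done with it there is outside the hunk; if it is freed or read again, that is a double free or use-after-free on a request path. Pick one owner: either drop the `TALLOC_FREE(pwd);` here and let the caller release it on every error, or free on both error paths and say so in the header comment, e.g. `/* frees pwd on any failure; on success the caller still owns it */`.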
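Review bot: The `id25 == NULL` guard added inside set_user_info_25 comes too late for this call site, because the context line just above already evaluates `ctr->info.id25->pass` for `dump_data()` before the new call. If `ctr->info.id25` can be NULL here (any earlier check is outside the hunk), the test belongs ahead of the `dump_data()` line: `if (ctr->info.id25 == NULL) { r_u->status = NT_STATUS_INVALID_PARAMETER; goto done; }`. That `dump_data(100, ...)` line is not new in this commit, but it writes the 532-byte password buffer to the debug log and is worth removing while this branch is being touched.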
@@ -3433,6 +3484,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE r_u->status = NT_STATUS_INVALID_INFO_CLASS; } + done: if ( has_enough_rights ) unbecome_root(); -- cgit From efdc5b72fd5c154172a94eb2e1ffa22cbbd7aacf Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 6 Jun 2006 20:34:26 +0000 Subject: r16065: Re-add a strlower_m(account) in samr_create_user that was dropped for no reason but to increase fidelity with W2k3. Tom Bork has raised valid concerns that Unix scripts might rely on the account names being lower-case, so keep that. We might later decide to only lower-case the unix name passed to 'add [user|group] script' but keep the passdb entry upper-case. But there are enough user-visible changes in 3_0 already so that we should push this off to a later date. Tom, waiting for more bug reports from you ;-)) Thanks for insisting! Volker (This used to be commit bc78cca290559c5ca7623b9f6d9933e32668b9c4) --- source3/rpc_server/srv_samr_nt.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 7a06e562ef..5e82ecd0ca 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2463,6 +2463,8 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, return NT_STATUS_NO_MEMORY; } + strlower_m(account); + nt_status = can_create(p->mem_ctx, account); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; -- cgit From 3c34f6085af1e168a1fe7602ae01ba643a7781bd Mon Sep 17 00:00:00 2001 
From: Volker Lendecke Date: Tue, 20 Jun 2006 09:16:53 +0000 Subject: r16409: Fix Klocwork ID's. 1177 In reg_perfcount.c: 1200 1202 1203 1204 In regfio.c: 1243 1245 1246 1247 1251 Jerry, the reg_perfcount and regfio.c ones, can you take a look please? This is really your code, and I'm not sure I did the right thing to return an error. smbcacls.c: 1377 srv_eventlog_nt.c: 1415 1416 1417 srv_lsa_nt.c: 1420 1421 srv_netlog_nt.c: 1429 srv_samr_nt: 1458 1459 1460 Volker Volker (This used to be commit d6547d12b1c9f9454876665a5bdb010f46b9f5ff) --- source3/rpc_server/srv_samr_nt.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 5e82ecd0ca..bfae47ef25 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3207,8 +3207,14 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, } else { /* update the UNIX password */ if (lp_unix_password_sync() ) { - struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd)); - if (!passwd) { + struct passwd *passwd; + if (pdb_get_username(pwd) == NULL) { + DEBUG(1, ("chgpasswd: User without name???\n")); + TALLOC_FREE(pwd); + return NT_STATUS_ACCESS_DENIED; + } + + if ((passwd = Get_Pwnam(pdb_get_username(pwd))) == NULL) { DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n")); } @@ -3273,8 +3279,15 @@ static BOOL set_user_info_pw(uint8 *pass, struct samu *pwd) } else { /* update the UNIX password */ if (lp_unix_password_sync()) { - struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd)); - if (!passwd) { + struct passwd *passwd; + + if (pdb_get_username(pwd) == NULL) { + DEBUG(1, ("chgpasswd: User without name???\n")); + TALLOC_FREE(pwd); + return False; + } + + if ((passwd = Get_Pwnam(pdb_get_username(pwd))) == NULL) { DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n")); } 
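Review bot: In set_user_info_23 the rewritten `Get_Pwnam()` test still only logs when the lookup fails, so execution continues with `passwd == NULL` into the rest of the `lp_unix_password_sync()` branch, which lies outside the hunk; the same shape is added to set_user_info_pw in the following hunk. If the code that follows dereferences `passwd` or passes it to the password-change helper, this path has to either skip the Unix sync or fail the request. The new NULL-username path also frees `pwd` in the callee before returning, so callers must not touch `pwd` after a failure, which deserves a line in the function comment. Reading the name once into a local, `const char *username = pdb_get_username(pwd);`, would make the checked value and the value passed to `Get_Pwnam()` the same one. The `chgpasswd:` prefix in the new DEBUG text could name the function it is actually in.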
@@ -3800,7 +3813,7 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members); - if ((num_members!=0) && (rid==NULL)) + if ((num_members!=0) && (attr==NULL)) return NT_STATUS_NO_MEMORY; for (i=0; i Date: Tue, 27 Jun 2006 00:49:14 +0000 Subject: r16544: Fix bug #3864 reported by jason@ncac.gwu.edu. Jeremy. (This used to be commit 16e42b446bea171c3ad848aefaa92c7404aade42) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index bfae47ef25..da2bb8c3b5 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1956,7 +1956,7 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, TALLOC_FREE(sampass); - return NT_STATUS_OK; + return nt_status; } /******************************************************************* -- cgit From 45bc56c27b16e7d50f3f6e6ba8d6eb2e4a5abb52 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 28 Jun 2006 21:33:52 +0000 Subject: r16646: Fix bug #3888 reported by Jason Mader . Jeremy. (This used to be commit 433d7a1bc91ff479934a256ff84e6866e16d1f85) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index da2bb8c3b5..2786a740ff 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1618,7 +1618,7 @@ static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP_RIDS *r_u) { const char **names; - uint32 *attrs = NULL; + enum SID_NAME_USE *attrs = NULL; UNIHDR *hdr_name = NULL; UNISTR2 *uni_name = NULL; DOM_SID pol_sid; -- cgit 
From b85c276e95208f16d089402e7c43c8ff3fe39b3f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 29 Jun 2006 17:03:19 +0000 Subject: r16678: Fix bug #3898 reported by jason@ncac.gwu.edu. Jeremy. (This used to be commit 5c5ea3152f8dbdfd7717b65e035191ffed3ec548) --- source3/rpc_server/srv_samr_nt.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 2786a740ff..e045de5639 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1619,12 +1619,14 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK { const char **names; enum SID_NAME_USE *attrs = NULL; + uint32 *wire_attrs = NULL; UNIHDR *hdr_name = NULL; UNISTR2 *uni_name = NULL; DOM_SID pol_sid; int num_rids = q_u->num_rids1; uint32 acc_granted; - + int i; + r_u->status = NT_STATUS_OK; DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__)); @@ -1640,9 +1642,10 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK } names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids); - attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids); + attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum SID_NAME_USE, num_rids); + wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids); - if ((num_rids != 0) && ((names == NULL) || (attrs == NULL))) + if ((num_rids != 0) && ((names == NULL) || (attrs == NULL) || wire_attrs)) return NT_STATUS_NO_MEMORY; become_root(); /* lookup_sid can require root privs */ 
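Review bot: The allocation check changed in the second hunk is inverted for the new array: `|| wire_attrs` is true when the allocation succeeded, so with a non-zero `num_rids` _samr_lookup_rids returns NT_STATUS_NO_MEMORY on every successful allocation, while a failed `wire_attrs` allocation goes undetected. The condition should read `((names == NULL) || (attrs == NULL) || (wire_attrs == NULL))`. As written, a NULL `wire_attrs` would reach the conversion loop added later in this commit, which writes `wire_attrs[i]`. `num_rids` is taken from the request (`q_u->num_rids1`) into an `int` and used as the element count for all three arrays; any upper bound on it is outside these hunks and should be confirmed.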
@@ -1658,7 +1661,12 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK &hdr_name, &uni_name)) return NT_STATUS_NO_MEMORY; - init_samr_r_lookup_rids(r_u, num_rids, hdr_name, uni_name, attrs); + /* Convert from enum SID_NAME_USE to uint32 for wire format. */ + for (i = 0; i < num_rids; i++) { + wire_attrs[i] = (uint32)attrs[i]; + } + + init_samr_r_lookup_rids(r_u, num_rids, hdr_name, uni_name, wire_attrs); DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__)); -- cgit From fbdcf2663b56007a438ac4f0d8d82436b1bfe688 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 11 Jul 2006 18:01:26 +0000 Subject: r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8) --- source3/rpc_server/srv_samr_nt.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e045de5639..2e0b355db5 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1435,7 +1435,7 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO } } - init_samr_r_lookup_names(p->mem_ctx, r_u, num_rids, rid, (uint32 *)type, r_u->status); + init_samr_r_lookup_names(p->mem_ctx, r_u, num_rids, rid, type, r_u->status); DEBUG(5,("_samr_lookup_names: %d\n", __LINE__)); @@ -2508,7 +2508,8 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, } DEBUG(5, ("_samr_create_user: %s can add this account : %s\n", - p->pipe_user_name, can_add_account ? "True":"False" )); + uidtoname(p->pipe_user.ut.uid), + can_add_account ? "True":"False" )); /********** BEGIN Admin BLOCK **********/ 
@@ -3110,9 +3111,11 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, } /* we need to separately check for an account rename first */ + if (rpcstr_pull(new_name, id21->uni_user_name.buffer, - sizeof(new_name), id21->uni_user_name.uni_str_len*2, 0) && - (!strequal(new_name, pdb_get_username(pwd)))) { + sizeof(new_name), id21->uni_user_name.uni_str_len*2, 0) + && (!strequal(new_name, pdb_get_username(pwd)))) + { /* check to see if the new username already exists. Note: we can't reliably lock all backends, so there is potentially the @@ -3435,7 +3438,8 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE } DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n", - p->pipe_user_name, has_enough_rights ? "" : " not")); + uidtoname(p->pipe_user.ut.uid), + has_enough_rights ? "" : " not")); /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */ @@ -3593,7 +3597,8 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ } DEBUG(5, ("_samr_set_userinfo2: %s does%s possess sufficient rights\n", - p->pipe_user_name, has_enough_rights ? "" : " not")); + uidtoname(p->pipe_user.ut.uid), + has_enough_rights ? "" : " not")); /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */ -- cgit From 7c1f79143b4f28e6eff0cf914defd0a008372055 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 11 Jul 2006 20:02:22 +0000 Subject: r16953: Don't allow groups to be renamed to an existing user or other group (This used to be commit 7d619f127ee70fdd486ffaab4546a53d76a2288c) --- source3/rpc_server/srv_samr_nt.c | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 2e0b355db5..66f196ae3a 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -4590,6 +4590,10 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ switch (ctr->level) { case 2: + { + fstring group_name; + enum SID_NAME_USE type; + /* We currently do not support renaming groups in the the BUILTIN domain. Refer to util_builtin.c to understand why. The eventually needs to be fixed to be like Windows @@ -4599,13 +4603,26 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ return NT_STATUS_SPECIAL_ACCOUNT; } - if ( ctr->alias.info2.name.string ) { - unistr2_to_ascii( info.acct_name, ctr->alias.info2.name.string, - sizeof(info.acct_name)-1 ); + /* There has to be a valid name */ + if ( !ctr->alias.info2.name.string ) + return NT_STATUS_INVALID_PARAMETER; + + unistr2_to_ascii( info.acct_name, ctr->alias.info2.name.string, + sizeof(info.acct_name)-1 ); + + /* make sure the name doesn't already exist as a user + or local group */ + + fstr_sprintf( group_name, "%s\\%s", global_myname(), info.acct_name ); + if ( lookup_name( p->mem_ctx, group_name, 0, NULL, NULL, NULL, &type) ) { + if ( type == SID_NAME_USER ) { + return NT_STATUS_USER_EXISTS; + } + + return NT_STATUS_ALIAS_EXISTS; } - else - fstrcpy( info.acct_name, "" ); break; + } case 3: if ( ctr->alias.info3.description.string ) { unistr2_to_ascii( info.acct_desc, -- cgit From 751ad5753402749c1e1638ba4d07aed0d76c52bc Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 11 Jul 2006 20:31:13 +0000 Subject: r16954: Volker reminded me we already have code to do this check. Reuse can_create() to prevent renameing a group to an existing user or group. (This used to be commit ce7091fda1eb3c7ea0900f455cec48c3b95a17f6) --- source3/rpc_server/srv_samr_nt.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 66f196ae3a..9c453b04a4 100644 --- a/source3/rpc_server/srv_samr_nt.c 
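Review bot: The new uniqueness test in the `case 2:` branch makes no exception for the alias being modified. `lookup_name()` on `global_myname()\info.acct_name` will presumably find the alias itself, so a set-info call that sends the current name back unchanged would now fail with NT_STATUS_ALIAS_EXISTS. Saving the existing `info.acct_name` before `unistr2_to_ascii()` overwrites it, and skipping the lookup when `strequal(old_name, info.acct_name)` holds, would avoid that; the follow-up commit that switches to `can_create()` keeps the same shape. The check and the later update are separate steps, so two concurrent renames to the same name can both pass it, and a comment stating that the check is best-effort would make this explicit. The enclosing switch and function start and end outside the hunk.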
+++ b/source3/rpc_server/srv_samr_nt.c @@ -4592,7 +4592,7 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ case 2: { fstring group_name; - enum SID_NAME_USE type; + NTSTATUS status; /* We currently do not support renaming groups in the the BUILTIN domain. Refer to util_builtin.c to understand @@ -4614,13 +4614,9 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ or local group */ fstr_sprintf( group_name, "%s\\%s", global_myname(), info.acct_name ); - if ( lookup_name( p->mem_ctx, group_name, 0, NULL, NULL, NULL, &type) ) { - if ( type == SID_NAME_USER ) { - return NT_STATUS_USER_EXISTS; - } - - return NT_STATUS_ALIAS_EXISTS; - } + status = can_create( p->mem_ctx, group_name ); + if ( !NT_STATUS_IS_OK( status ) ) + return status; break; } case 3: -- cgit From 9f6fb43eeefb18578040a0f3b5af941460ec5ca9 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 19 Jul 2006 20:59:04 +0000 Subject: r17150: MMC User & group plugins fixes: * Make sure to lower case all usernames before calling the create, delete, or rename hooks. * Preserve case for usernames in passdb * Flush the getpwnam cache after renaming a user * Add become/unbecome root block in _samr_delete_dom_user() when trying to verify the account's existence. (This used to be commit bbe11b7a950e7d85001f042bbd1ea3bf33ecda7b) --- source3/rpc_server/srv_samr_nt.c | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 9c453b04a4..3a70c93a1c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2471,8 +2471,6 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, return NT_STATUS_NO_MEMORY; } - strlower_m(account); - nt_status = can_create(p->mem_ctx, account); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; 
@@ -3214,7 +3212,7 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) || ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) { - DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n")); + DEBUG(5, ("Changing trust account. Not updating /etc/passwd\n")); } else { /* update the UNIX password */ if (lp_unix_password_sync() ) { @@ -3396,10 +3394,25 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - /* observed when joining an XP client to a Samba domain */ + /* This is tricky. A WinXP domain join sets + (SA_RIGHT_USER_SET_PASSWORD|SA_RIGHT_USER_SET_ATTRIBUTES|SA_RIGHT_USER_ACCT_FLAGS_EXPIRY) + The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the + standard Win32 API calls just ask for SA_RIGHT_USER_SET_PASSWORD in the SamrOpenUser(). + This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so + we'll use the set from the WinXP join as the basis. */ + + switch (switch_value) { + case 18: + case 24: + case 25: + case 26: + acc_required = SA_RIGHT_USER_SET_PASSWORD; + break; + default: + acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY; + break; + } - acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) { return r_u->status; } @@ -4040,6 +4053,7 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM BOOL can_add_accounts; uint32 acb_info; DISP_INFO *disp_info = NULL; + BOOL ret; DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__)); 
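Review bot: Listing `case 25:` among the levels that need only `SA_RIGHT_USER_SET_PASSWORD` in _samr_set_userinfo looks too permissive given the earlier commit on this page. That commit makes level 25 call `set_user_info_25()`, which copies the id25 attributes into the account with `copy_id25_to_sam_passwd()` and writes them out with `pdb_update_sam_account()`. As far as these hunks show, a handle opened for password change only could then alter account attributes through level 25. Unless those fields are ignored or gated somewhere outside the hunk, drop the `case 25:` line so that level falls to the default mask `SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY`. The comment block should state which levels carry attributes as well as a password.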
@@ -4059,7 +4073,11 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM return NT_STATUS_NO_MEMORY; } - if(!pdb_getsampwsid(sam_pass, &user_sid)) { + become_root(); + ret = pdb_getsampwsid(sam_pass, &user_sid); + unbecome_root(); + + if( !ret ) { DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n", sid_string_static(&user_sid))); TALLOC_FREE(sam_pass); -- cgit From 8cc35cc8da75f1e831f0b84fc667ec0c9bff6b4b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 24 Jul 2006 12:05:20 +0000 Subject: r17217: Fix a couple of "smbldap_open(): Cannot open when not root" bugs when viewing or modifying local group membership. (This used to be commit 41e30a9666e1fb736cd2ba8a5ad9285fcde50d47) --- source3/rpc_server/srv_samr_nt.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 3a70c93a1c..bb5e7dbce4 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3771,7 +3771,9 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid))); + become_root(); status = pdb_enum_aliasmem(&alias_sid, &sids, &num_sids); + unbecome_root(); if (!NT_STATUS_IS_OK(status)) { return status; @@ -4602,7 +4604,11 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ /* get the current group information */ - if ( !pdb_get_aliasinfo( &group_sid, &info ) ) { + become_root(); + ret = pdb_get_aliasinfo( &group_sid, &info ); + unbecome_root(); + + if ( !ret ) { return NT_STATUS_NO_SUCH_ALIAS; } -- cgit From 8eebd925b26c4592eba1773a94379f891ead6144 Mon Sep 17 00:00:00 2001 
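Review bot: The `become_root()`/`unbecome_root()` pair added around `pdb_getsampwsid()` in _samr_delete_dom_user runs the backend lookup as root on behalf of whoever holds the handle, and the two hunks of the next commit do the same for `pdb_enum_aliasmem()` and `pdb_get_aliasinfo()`. The access check that should precede each of these calls is outside the hunks. Once it is confirmed, each site deserves a short comment naming it, e.g. `/* access on the handle was checked above; root is needed only to reach the passdb backend */`. Wrapping only the single call, as done here, keeps the elevated span minimal, and nothing else should be moved between the two calls later.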
From: Volker Lendecke Date: Tue, 1 Aug 2006 14:46:08 +0000 Subject: r17364: Another NT4 join bug: The idealx tools set the primary group sid, and if we do an update_sam_account later on, we want to also set it using the delete/add method. As the idealx tools use the replace method, they don't care about what has been in there before. Jerry, this is a likely 3.0.23b candidate. Not merging, it's your call :-) Volker (This used to be commit f002a3633892fc040f0a6d076723c660bb82a41a) --- source3/rpc_server/srv_samr_nt.c | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index bb5e7dbce4..ec3630ec26 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3338,13 +3338,20 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx, SAM_USER_INFO_25 *id25, copy_id25_to_sam_passwd(pwd, id25); + /* write the change out */ + if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) { + TALLOC_FREE(pwd); + return status; + } + /* - * The funny part about the previous two calls is - * that pwd still has the password hashes from the - * passdb entry. These have not been updated from - * id21. I don't know if they need to be set. --jerry + * We need to "pdb_update_sam_account" before the unix primary group + * is set, because the idealx scripts would also change the + * sambaPrimaryGroupSid using the ldap replace method. pdb_ldap uses + * the delete explicit / add explicit, which would then fail to find + * the previous primaryGroupSid value. */ - + if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) { status = pdb_set_unix_primary_group(mem_ctx, pwd); if ( !NT_STATUS_IS_OK(status) ) { 
@@ -3352,16 +3359,6 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx, SAM_USER_INFO_25 *id25, } } - /* Don't worry about writing out the user account since the - primary group SID is generated solely from the user's Unix - primary group. */ - - /* write the change out */ - if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) { - TALLOC_FREE(pwd); - return status; - } - /* WARNING: No TALLOC_FREE(pwd), we are about to set the password * hereafter! */ -- cgit From 6cab0fbb8b8bc1aadbc4c76d9759983eeb18b9fb Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 7 Aug 2006 15:41:43 +0000 Subject: r17439: Fix logic error in checking TALLOC return. Spotted by Volker. Jeremy. (This used to be commit 06aea05c52ee770a2dd6465e9e2fcd0ccd8c811d) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index ec3630ec26..31e434cbfb 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1645,7 +1645,7 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum SID_NAME_USE, num_rids); wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids); - if ((num_rids != 0) && ((names == NULL) || (attrs == NULL) || wire_attrs)) + if ((num_rids != 0) && ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))) return NT_STATUS_NO_MEMORY; become_root(); /* lookup_sid can require root privs */ -- cgit From ff7c0a7c357ab8a0ff9de6d18988933e0b398780 Mon Sep 17 00:00:00 2001 
From: Volker Lendecke Date: Tue, 8 Aug 2006 08:26:40 +0000 Subject: r17451: Change pdb_getgrsid not to take a DOM_SID but a const DOM_SID * as an argument. Volker (This used to be commit 873a5a1211d185fd50e7167d88cbc869f70dfd3f) --- source3/rpc_server/srv_samr_nt.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 31e434cbfb..0835da4908 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4438,7 +4438,7 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM } become_root(); - ret = get_domain_group_from_sid(group_sid, &map); + ret = get_domain_group_from_sid(&group_sid, &map); unbecome_root(); if (!ret) return NT_STATUS_INVALID_HANDLE; @@ -4535,7 +4535,7 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ } become_root(); - result = get_domain_group_from_sid(group_sid, &map); + result = get_domain_group_from_sid(&group_sid, &map); unbecome_root(); if (!result) return NT_STATUS_NO_SUCH_GROUP; @@ -4754,7 +4754,7 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G /* check if that group really exists */ become_root(); - ret = get_domain_group_from_sid(info->sid, &map); + ret = get_domain_group_from_sid(&info->sid, &map); unbecome_root(); if (!ret) return NT_STATUS_NO_SUCH_GROUP; -- cgit From 76362d0d33892df39c0a370f1f64c8581daaf166 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 9 Aug 2006 15:25:26 +0000 Subject: r17468: To minimize the diff later on, pre-commit some changes independently: Change internal mapping.c functions to return NTSTATUS instead of BOOL. Volker (This used to be commit 4ebfc30a28a6f48613098176c5acdfdafbd2941a) --- source3/rpc_server/srv_samr_nt.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 0835da4908..a70a49652e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4438,7 +4438,7 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM } become_root(); - ret = get_domain_group_from_sid(&group_sid, &map); + ret = NT_STATUS_IS_OK(get_domain_group_from_sid(&group_sid, &map)); unbecome_root(); if (!ret) return NT_STATUS_INVALID_HANDLE; @@ -4535,7 +4535,7 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ } become_root(); - result = get_domain_group_from_sid(&group_sid, &map); + result = NT_STATUS_IS_OK(get_domain_group_from_sid(&group_sid, &map)); unbecome_root(); if (!result) return NT_STATUS_NO_SUCH_GROUP; @@ -4754,7 +4754,7 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G /* check if that group really exists */ become_root(); - ret = get_domain_group_from_sid(&info->sid, &map); + ret = NT_STATUS_IS_OK(get_domain_group_from_sid(&info->sid, &map)); unbecome_root(); if (!ret) return NT_STATUS_NO_SUCH_GROUP; -- cgit From 03e3cd1d5a005ad5fd2bc97f9863abf675efd09f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 15 Aug 2006 14:07:15 +0000 Subject: r17554: Cleanup (This used to be commit 761cbd52f0cff6b864c506ec03c94039b6101ef9) --- source3/rpc_server/srv_samr_nt.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index a70a49652e..31e434cbfb 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -4438,7 +4438,7 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM } become_root(); - ret = NT_STATUS_IS_OK(get_domain_group_from_sid(&group_sid, &map)); + ret = get_domain_group_from_sid(group_sid, &map); unbecome_root(); if (!ret) return NT_STATUS_INVALID_HANDLE; @@ -4535,7 +4535,7 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ } become_root(); - result = NT_STATUS_IS_OK(get_domain_group_from_sid(&group_sid, &map)); + result = get_domain_group_from_sid(group_sid, &map); unbecome_root(); if (!result) return NT_STATUS_NO_SUCH_GROUP; @@ -4754,7 +4754,7 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G /* check if that group really exists */ become_root(); - ret = NT_STATUS_IS_OK(get_domain_group_from_sid(&info->sid, &map)); + ret = get_domain_group_from_sid(info->sid, &map); unbecome_root(); if (!ret) return NT_STATUS_NO_SUCH_GROUP; -- cgit From 6717e0d467bea50cb7712e6b5278ddb403fdf828 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 24 Aug 2006 12:49:18 +0000 Subject: r17797: Just say "ok" when trying to rename a local group to its same name. (This used to be commit e6e54125003373f83e6900668ceb9981e8620776) --- source3/rpc_server/srv_samr_nt.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 31e434cbfb..67fa7f283c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4612,7 +4612,7 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ switch (ctr->level) { case 2: { - fstring group_name; + fstring group_name, acct_name; NTSTATUS status; /* We currently do not support renaming groups in the 
@@ -4624,12 +4624,19 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ return NT_STATUS_SPECIAL_ACCOUNT; } - /* There has to be a valid name */ + /* There has to be a valid name (and it has to be different) */ + if ( !ctr->alias.info2.name.string ) return NT_STATUS_INVALID_PARAMETER; - unistr2_to_ascii( info.acct_name, ctr->alias.info2.name.string, - sizeof(info.acct_name)-1 ); + unistr2_to_ascii( acct_name, ctr->alias.info2.name.string, + sizeof(acct_name)-1 ); + + /* If the name is the same just reply "ok". Yes this + doesn't allow you to change the case of a group name. */ + + if ( strequal( acct_name, info.acct_name ) ) + return NT_STATUS_OK; /* make sure the name doesn't already exist as a user or local group */ -- cgit From 2b27c93a9a8471693d7dcb5fdbe8afe65b22ff66 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 8 Sep 2006 14:28:06 +0000 Subject: r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951) --- source3/rpc_server/srv_samr_nt.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 67fa7f283c..a0b6d4763a 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1377,7 +1377,7 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOKUP_NAMES *r_u) { uint32 rid[MAX_SAM_ENTRIES]; - enum SID_NAME_USE type[MAX_SAM_ENTRIES]; + enum lsa_SidType type[MAX_SAM_ENTRIES]; int i; int num_rids = q_u->num_names2; DOM_SID pol_sid; @@ -1618,7 +1618,7 @@ static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP_RIDS *r_u) { const char **names; - enum SID_NAME_USE *attrs = NULL; + enum lsa_SidType *attrs = NULL; uint32 *wire_attrs = NULL; UNIHDR *hdr_name = NULL; UNISTR2 *uni_name = NULL; @@ -1642,7 +1642,7 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK } names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids); - attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum SID_NAME_USE, num_rids); + attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum lsa_SidType, num_rids); wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids); if ((num_rids != 0) && ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))) @@ -1661,7 +1661,7 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK &hdr_name, &uni_name)) return NT_STATUS_NO_MEMORY; - /* Convert from enum SID_NAME_USE to uint32 for wire format. */ + /* Convert from enum lsa_SidType to uint32 for wire format. */ for (i = 0; i < num_rids; i++) { wire_attrs[i] = (uint32)attrs[i]; } @@ -2391,7 +2391,7 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name) { - enum SID_NAME_USE type; + enum lsa_SidType type; BOOL result; DEBUG(10, ("Checking whether [%s] can be created\n", new_name)); 
@@ -2933,7 +2933,7 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A { /* Check we actually have the requested alias */ - enum SID_NAME_USE type; + enum lsa_SidType type; BOOL result; gid_t gid; -- cgit From bad8c0d6f15990b8de6e9ff6dc79628c67eba187 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 12 Sep 2006 18:02:33 +0000 Subject: r18429: fix a regression renaming local group introduced by trying to handle renames to the same name (This used to be commit 4faa5004fb7e5814bf8a97cfe8d0b443f0acdb8d) --- source3/rpc_server/srv_samr_nt.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index a0b6d4763a..822a6a2ab7 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4638,6 +4638,8 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ if ( strequal( acct_name, info.acct_name ) ) return NT_STATUS_OK; + fstrcpy( info.acct_name, acct_name ); + /* make sure the name doesn't already exist as a user or local group */ -- cgit From dc1f0804dd8177d3c3a0b2db993855d5679e9565 Mon Sep 17 00:00:00 2001 
From: Jim McDonough Date: Tue, 3 Oct 2006 17:14:18 +0000 Subject: r19058: Implement "user cannot change password", and complete "user must change password at next logon" code. The "password last set time" of zero now means "user must change password", because that's how windows seems to use it. The "can change" and "must change" times are now calculated based on the "last set" time and policies. We use the "can change" field now to indicate that a user cannot change a password by putting MAX_TIME_T in it (so long as "last set" time isn't zero). Based on this, we set the password-can-change bit in the faked secdesc. (This used to be commit 21abbeaee9b7f7cff1d34d048463c30cda44a2e3) --- source3/rpc_server/srv_samr_nt.c | 118 +++++++++++++++++++++++++++++++++++---- 1 file changed, 106 insertions(+), 12 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 822a6a2ab7..5c0f50699e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -40,6 +40,8 @@ ( READ_CONTROL_ACCESS | \ SA_RIGHT_USER_CHANGE_PASSWORD | \ SA_RIGHT_USER_SET_LOC_COM ) +#define SAMR_USR_RIGHTS_CANT_WRITE_PW \ + ( READ_CONTROL_ACCESS | SA_RIGHT_USER_SET_LOC_COM ) #define DISP_INFO_CACHE_TIMEOUT 10 @@ -90,6 +92,11 @@ static struct generic_mapping usr_generic_mapping = { GENERIC_RIGHTS_USER_WRITE, GENERIC_RIGHTS_USER_EXECUTE, GENERIC_RIGHTS_USER_ALL_ACCESS}; +static struct generic_mapping usr_nopwchange_generic_mapping = { + GENERIC_RIGHTS_USER_READ, + GENERIC_RIGHTS_USER_WRITE, + GENERIC_RIGHTS_USER_EXECUTE & ~SA_RIGHT_USER_CHANGE_PASSWORD, + GENERIC_RIGHTS_USER_ALL_ACCESS}; static struct generic_mapping grp_generic_mapping = { GENERIC_RIGHTS_GROUP_READ, GENERIC_RIGHTS_GROUP_WRITE, 
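Review bot: `usr_nopwchange_generic_mapping` removes SA_RIGHT_USER_CHANGE_PASSWORD only from the execute entry; the all-access entry stays GENERIC_RIGHTS_USER_ALL_ACCESS, whose definition is outside this hunk and may still carry that bit. If that is intended, a comment above the initializer would make it explicit, for example `/* Same as usr_generic_mapping, except that generic execute no longer grants change-password; generic all is left untouched. */`. The new SAMR_USR_RIGHTS_CANT_WRITE_PW in the first hunk would benefit from a matching one-line comment saying it is the write-password set without SA_RIGHT_USER_CHANGE_PASSWORD.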
@@ -656,16 +663,6 @@ NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, return r_u->status; } -/******************************************************************* - _samr_set_sec_obj - ********************************************************************/ - -NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_SEC_OBJ *r_u) -{ - DEBUG(0,("_samr_set_sec_obj: Not yet implemented!\n")); - return NT_STATUS_NOT_IMPLEMENTED; -} - /******************************************************************* ********************************************************************/ 
@@ -691,6 +688,97 @@ static BOOL get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol, return True; } +/******************************************************************* + _samr_set_sec_obj + ********************************************************************/ + +NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_SEC_OBJ *r_u) +{ + DOM_SID pol_sid; + uint32 acc_granted, i; + SEC_ACL *dacl; + BOOL ret; + struct samu *sampass=NULL; + NTSTATUS status; + + r_u->status = NT_STATUS_OK; + + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted, NULL)) + return NT_STATUS_INVALID_HANDLE; + + if (!(sampass = samu_new( p->mem_ctx))) { + DEBUG(0,("No memory!\n")); + return NT_STATUS_NO_MEMORY; + } + + /* get the user record */ + become_root(); + ret = pdb_getsampwsid(sampass, &pol_sid); + unbecome_root(); + + if (!ret) { + DEBUG(4, ("User %s not found\n", sid_string_static(&pol_sid))); + TALLOC_FREE(sampass); + return NT_STATUS_INVALID_HANDLE; + } + + dacl = q_u->buf->sd->dacl; + for (i=0; i < dacl->num_aces; i++) { + if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) { + ret = pdb_set_pass_can_change(sampass, + (dacl->aces[i].access_mask & + SA_RIGHT_USER_CHANGE_PASSWORD) ? 
+ True: False); + break; + } + } + + if (!ret) { + TALLOC_FREE(sampass); + return NT_STATUS_ACCESS_DENIED; + } + + status = pdb_update_sam_account(sampass); + + TALLOC_FREE(sampass); + + return status; +} + +/******************************************************************* + build correct perms based on policies and password times for _samr_query_sec_obj +*******************************************************************/ +static BOOL check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid) +{ + struct samu *sampass=NULL; + BOOL ret; + + if ( !(sampass = samu_new( mem_ctx )) ) { + DEBUG(0,("No memory!\n")); + return False; + } + + become_root(); + ret = pdb_getsampwsid(sampass, user_sid); + unbecome_root(); + + if (ret == False) { + DEBUG(4,("User %s not found\n", sid_string_static(user_sid))); + TALLOC_FREE(sampass); + return False; + } + + DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) )); + + if (pdb_get_pass_can_change(sampass)) { + TALLOC_FREE(sampass); + return True; + } + TALLOC_FREE(sampass); + return False; +} + + /******************************************************************* _samr_query_sec_obj ********************************************************************/ 
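Review bot: The new _samr_set_sec_obj fetches `acc_granted` from the handle but never checks it, so the account is modified regardless of the access the handle was opened with; _samr_enum_dom_users elsewhere in this file passes the same value through `access_check_samr_function` first. It also dereferences `q_u->buf->sd->dacl` straight from the request, and a security descriptor that arrives without a DACL would turn that into a NULL dereference in smbd. When no ACE names `pol_sid`, `ret` is still True from the lookup and `pdb_update_sam_account` runs on an unchanged record. The access right used in the sketch below is my suggestion and should be confirmed against what this call is meant to require.

```c
	if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted, NULL))
		return NT_STATUS_INVALID_HANDLE;

	/* Refuse the write unless the handle was opened with the right to modify the user. */
	status = access_check_samr_function(acc_granted, SA_RIGHT_USER_SET_ATTRIBUTES,
					    "_samr_set_sec_obj");
	if (!NT_STATUS_IS_OK(status))
		return status;

	/* The descriptor comes from the client; it may carry no DACL at all. */
	if (q_u->buf == NULL || q_u->buf->sd == NULL || q_u->buf->sd->dacl == NULL)
		return NT_STATUS_INVALID_PARAMETER;

	/* … unchanged: samu_new, pdb_getsampwsid under become_root, ACE loop, update … */
```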
@@ -731,7 +819,13 @@ NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_ /* TODO: different SDs have to be generated for aliases groups and users. Currently all three get a default user SD */ DEBUG(10,("_samr_query_sec_obj: querying security on Object with SID: %s\n", sid_to_string(str_sid, &pol_sid))); - r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &pol_sid, SAMR_USR_RIGHTS_WRITE_PW); + if (check_change_pw_access(p->mem_ctx, &pol_sid)) { + r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, + &pol_sid, SAMR_USR_RIGHTS_WRITE_PW); + } else { + r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_nopwchange_generic_mapping, + &pol_sid, SAMR_USR_RIGHTS_CANT_WRITE_PW); + } } else { return NT_STATUS_OBJECT_TYPE_MISMATCH; } @@ -3056,7 +3150,7 @@ static BOOL set_user_info_18(SAM_USER_INFO_18 *id18, struct samu *pwd) TALLOC_FREE(pwd); return False; } - if (!pdb_set_pass_changed_now (pwd)) { + if (!pdb_set_pass_last_set_time (pwd, time(NULL), PDB_CHANGED)) { TALLOC_FREE(pwd); return False; } -- cgit From 2b52e35770270959d5029fa84932d436652c7193 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 22 Feb 2007 20:52:27 +0000 Subject: r21507: Fix some "cannot access LDAP when no root" bugs. The two culprits were * pdb_get_account_policy() * pdb_get_group_sid() (This used to be commit 6a69caf6907fad01b13aa4358ce5c62506f98495) --- source3/rpc_server/srv_samr_nt.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 5c0f50699e..d35d97f2a0 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -2179,6 +2179,7 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S uint32 acc_granted; BOOL ret; NTSTATUS result; + BOOL success = False; /* * from the SID in the request: @@ -2223,9 +2224,15 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S sids = NULL; + /* make both calls inside the root block */ become_root(); result = pdb_enum_group_memberships(p->mem_ctx, sam_pass, &sids, &unix_gids, &num_groups); + if ( NT_STATUS_IS_OK(result) ) { + success = sid_peek_check_rid(get_global_sam_sid(), + pdb_get_group_sid(sam_pass), + &primary_group_rid); + } unbecome_root(); if (!NT_STATUS_IS_OK(result)) { @@ -2234,15 +2241,7 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S return result; } - gids = NULL; - num_gids = 0; - - dom_gid.attr = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT| - SE_GROUP_ENABLED); - - if (!sid_peek_check_rid(get_global_sam_sid(), - pdb_get_group_sid(sam_pass), - &primary_group_rid)) { + if ( !success ) { DEBUG(5, ("Group sid %s for user %s not in our domain\n", sid_string_static(pdb_get_group_sid(sam_pass)), pdb_get_username(sam_pass))); 
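Review bot: The DEBUG(5) message in the `if ( !success )` branch of _samr_query_usergroups still calls `pdb_get_group_sid(sam_pass)` after `unbecome_root()`, although the commit message names that function as one that needs root. If the SID is not cached in `sam_pass` by the earlier call, which cannot be seen from here, the log path can hit the same LDAP failure this change is meant to avoid. Declaring `const DOM_SID *group_sid;`, assigning `group_sid = pdb_get_group_sid(sam_pass);` inside the root block, and using `group_sid` in both the rid check and the message would settle it. The function body starts and ends outside these hunks.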
@@ -2250,8 +2249,12 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S return NT_STATUS_INTERNAL_DB_CORRUPTION; } - dom_gid.g_rid = primary_group_rid; + gids = NULL; + num_gids = 0; + dom_gid.attr = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT| + SE_GROUP_ENABLED); + dom_gid.g_rid = primary_group_rid; ADD_TO_ARRAY(p->mem_ctx, DOM_GID, dom_gid, &gids, &num_gids); for (i=0; i Date: Mon, 26 Feb 2007 22:44:24 +0000 Subject: r21549: Only create DISP_INFO structs for domain handles, the others don't need them. It just does not make sense to do a querydispinfo on an alias handle... This fixes a memleak: Every samr_connect*() call leaked a DISP_INFO for the (NULL) sid. More cleanup pending: Essentially, we only need the DISP_INFO cache for the get_global_sam_sid() domain. BUILTIN is fixed and small enough, and there are no other domains around where enumerations could happen. This also removes the explicit builtin_domain flags. I don't think this is worth it. If this makes a significant difference, then we have a *VERY* tuned RPC layer... Jeremy, please check this. If it's ok, we might want to merge it across. Volker (This used to be commit 0aceda68a825788895759e79de55b080ad3f971d) --- source3/rpc_server/srv_samr_nt.c | 82 +++++++++++++++++++++++----------------- 1 file changed, 47 insertions(+), 35 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d35d97f2a0..f59ab61509 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -49,7 +49,6 @@ typedef struct disp_info { struct disp_info *next, *prev; TALLOC_CTX *mem_ctx; DOM_SID sid; /* identify which domain this is. */ - BOOL builtin_domain; /* Quick flag to check if this is the builtin domain. */ struct pdb_search *users; /* querydispinfo 1 and 4 */ struct pdb_search *machines; /* querydispinfo 2 */ struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */ @@ -70,7 +69,6 @@ static DISP_INFO *disp_info_list; struct samr_info { /* for use by the \PIPE\samr policy */ DOM_SID sid; - BOOL builtin_domain; /* Quick flag to check if this is the builtin domain. */ uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */ uint32 acc_granted; DISP_INFO *disp_info; @@ -254,22 +252,11 @@ static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_requir Fetch or create a dispinfo struct. ********************************************************************/ -static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid, const char *sid_str) +static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid) { TALLOC_CTX *mem_ctx; DISP_INFO *dpi; - /* There are two cases to consider here: - 1) The SID is a domain SID and we look for an equality match, or - 2) This is an account SID and so we return the DISP_INFO* for our - domain */ - - if ( psid && sid_check_is_in_our_domain( psid ) ) { - DEBUG(10,("get_samr_dispinfo_by_sid: Replacing %s with our domain SID\n", - sid_str)); - psid = get_global_sam_sid(); - } - for (dpi = disp_info_list; dpi; dpi = dpi->next) { if (sid_equal(psid, &dpi->sid)) { return dpi; 
@@ -280,19 +267,18 @@ static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid, const char *sid_str) can get a list out of smbd using smbcontrol. There will be one of these per SID we're authorative for. JRA. */ - mem_ctx = talloc_init("DISP_INFO for domain sid %s", sid_str); + mem_ctx = talloc_init("DISP_INFO for domain sid %s", + sid_string_static(psid)); - if ((dpi = TALLOC_ZERO_P(mem_ctx, DISP_INFO)) == NULL) + if ((dpi = TALLOC_ZERO_P(mem_ctx, DISP_INFO)) == NULL) { + DEBUG(0, ("talloc failed\n")); + TALLOC_FREE(mem_ctx); return NULL; + } dpi->mem_ctx = mem_ctx; - if (psid) { - sid_copy( &dpi->sid, psid); - dpi->builtin_domain = sid_check_is_builtin(psid); - } else { - dpi->builtin_domain = False; - } + sid_copy( &dpi->sid, psid); DLIST_ADD(disp_info_list, dpi); @@ -323,20 +309,11 @@ static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str)); if (psid) { sid_copy( &info->sid, psid); - info->builtin_domain = sid_check_is_builtin(psid); } else { DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n")); - info->builtin_domain = False; } info->mem_ctx = mem_ctx; - info->disp_info = get_samr_dispinfo_by_sid(psid, sid_str); - - if (!info->disp_info) { - talloc_destroy(mem_ctx); - return NULL; - } - return info; } @@ -493,7 +470,7 @@ static uint32 count_sam_users(struct disp_info *info, uint32 acct_flags) { struct samr_displayentry *entry; - if (info->builtin_domain) { + if (sid_check_is_builtin(&info->sid)) { /* No users in builtin. */ return 0; } @@ -517,7 +494,7 @@ static uint32 count_sam_groups(struct disp_info *info) { struct samr_displayentry *entry; - if (info->builtin_domain) { + if (sid_check_is_builtin(&info->sid)) { /* No groups in builtin. */ return 0; } 
@@ -625,6 +602,11 @@ NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN return NT_STATUS_NO_MEMORY; info->acc_granted = acc_granted; + if (!(info->disp_info = get_samr_dispinfo_by_sid(&q_u->dom_sid.sid))) { + TALLOC_FREE(info->mem_ctx); + return NT_STATUS_NO_MEMORY; + } + /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, &r_u->domain_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; @@ -679,6 +661,11 @@ static BOOL get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol, if (!info) return False; + if (!info->disp_info) { + /* Not a domain */ + return False; + } + *sid = info->sid; *acc_granted = info->acc_granted; if (ppdisp_info) { @@ -911,6 +898,11 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; + if (!info->disp_info) { + /* not a domain */ + return NT_STATUS_INVALID_HANDLE; + } + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_users"))) { @@ -919,7 +911,7 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); - if (info->builtin_domain) { + if (sid_check_is_builtin(&info->sid)) { /* No users in builtin. */ init_samr_r_enum_dom_users(r_u, q_u->start_idx, 0); DEBUG(5,("_samr_enum_dom_users: No users in BUILTIN\n")); @@ -1044,6 +1036,11 @@ NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAM if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; + if (!info->disp_info) { + /* not a domain */ + return NT_STATUS_INVALID_HANDLE; + } + r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_groups"); 
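Review bot: In _samr_open_domain the DISP_INFO is now looked up with `&q_u->dom_sid.sid`, a SID taken from the request, and get_samr_dispinfo_by_sid adds an entry to the static `disp_info_list` for every SID it has not seen before. Unless the SID is validated earlier in the function, outside this hunk, a client can grow that list by opening domains with arbitrary SIDs. I would reject anything that is neither our domain nor BUILTIN before the lookup, e.g. `if (!sid_equal(&q_u->dom_sid.sid, get_global_sam_sid()) && !sid_check_is_builtin(&q_u->dom_sid.sid)) return NT_STATUS_NO_SUCH_DOMAIN;`. Separately, when `create_policy_hnd` fails on the following line, `info` is returned from without being released.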
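Review bot: The added `if (!info->disp_info) return False;` in get_lsa_policy_samr_sid makes the helper fail for every handle that is not a domain handle, since after this commit only _samr_open_domain sets `disp_info`. _samr_set_sec_obj, added earlier on this page, calls the helper on a user handle with `ppdisp_info` NULL and would now always return NT_STATUS_INVALID_HANDLE. Only callers that ask for the DISP_INFO need the guard, so it could be narrowed to `if (ppdisp_info && !info->disp_info) return False;`; the other callers are outside the visible hunks and should be checked against that.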
@@ -1052,7 +1049,7 @@ NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAM DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__)); - if (info->builtin_domain) { + if (sid_check_is_builtin(&info->sid)) { /* No groups in builtin. */ init_samr_r_enum_dom_groups(r_u, q_u->start_idx, 0); DEBUG(5,("_samr_enum_dom_users: No groups in BUILTIN\n")); @@ -1103,6 +1100,11 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; + if (!info->disp_info) { + /* not a domain */ + return NT_STATUS_INVALID_HANDLE; + } + r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_aliases"); @@ -1169,6 +1171,11 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; + if (!info->disp_info) { + /* not a domain */ + return NT_STATUS_INVALID_HANDLE; + } + /* * calculate how many entries we will return. * based on @@ -2325,6 +2332,11 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)(void *)&info)) { return NT_STATUS_INVALID_HANDLE; } + + if (!info->disp_info) { + /* not a domain */ + return NT_STATUS_INVALID_HANDLE; + } switch (q_u->switch_value) { case 0x01: -- cgit From ab6a1df7a6f75637a0f25e02e16847d2441dee6d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 26 Feb 2007 22:48:42 +0000 Subject: r21550: make disp_info_list static to get_samr_dispinfo_by_sid(), add a comment :-) (This used to be commit fad2ee8aa3e99c31a0632a80b4a64dedb6e01495) --- source3/rpc_server/srv_samr_nt.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index f59ab61509..b7a45267a3 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -64,8 +64,6 @@ typedef struct disp_info { /* We keep a static list of these by SID as modern clients close down all resources between each request in a complete enumeration. */ -static DISP_INFO *disp_info_list; - struct samr_info { /* for use by the \PIPE\samr policy */ DOM_SID sid; @@ -254,6 +252,24 @@ static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_requir static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid) { + /* + * We do a static cache for DISP_INFO's here. Explanation can be found + * in Jeremy's checkin message to r11793: + * + * Fix the SAMR cache so it works across completely insane + * client behaviour (ie.: + * open pipe/open SAMR handle/enumerate 0 - 1024 + * close SAMR handle, close pipe. + * open pipe/open SAMR handle/enumerate 1024 - 2048... + * close SAMR handle, close pipe. + * And on ad-nausium. Amazing.... probably object-oriented + * client side programming in action yet again. + * This change should *massively* improve performance when + * enumerating users from an LDAP database. + * Jeremy. + */ + + static DISP_INFO *disp_info_list; TALLOC_CTX *mem_ctx; DISP_INFO *dpi; -- cgit From f4a008424f227c1da388e4aa4ac303fc86c460ce Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 26 Feb 2007 23:06:17 +0000 Subject: r21551: Ok, this is more subtle. More tomorrow :-) (This used to be commit f63189907efe857ef51ff91470ddb8d21b9a41fa) --- source3/rpc_server/srv_samr_nt.c | 102 ++++++++++++++------------------------- 1 file changed, 37 insertions(+), 65 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b7a45267a3..d35d97f2a0 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -49,6 +49,7 @@ typedef struct disp_info { struct disp_info *next, *prev; TALLOC_CTX *mem_ctx; DOM_SID sid; /* identify which domain this is. */ + BOOL builtin_domain; /* Quick flag to check if this is the builtin domain. */ struct pdb_search *users; /* querydispinfo 1 and 4 */ struct pdb_search *machines; /* querydispinfo 2 */ struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */ @@ -64,9 +65,12 @@ typedef struct disp_info { /* We keep a static list of these by SID as modern clients close down all resources between each request in a complete enumeration. */ +static DISP_INFO *disp_info_list; + struct samr_info { /* for use by the \PIPE\samr policy */ DOM_SID sid; + BOOL builtin_domain; /* Quick flag to check if this is the builtin domain. */ uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */ uint32 acc_granted; DISP_INFO *disp_info; 
@@ -250,29 +254,22 @@ static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_requir Fetch or create a dispinfo struct. ********************************************************************/ -static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid) +static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid, const char *sid_str) { - /* - * We do a static cache for DISP_INFO's here. Explanation can be found - * in Jeremy's checkin message to r11793: - * - * Fix the SAMR cache so it works across completely insane - * client behaviour (ie.: - * open pipe/open SAMR handle/enumerate 0 - 1024 - * close SAMR handle, close pipe. - * open pipe/open SAMR handle/enumerate 1024 - 2048... - * close SAMR handle, close pipe. - * And on ad-nausium. Amazing.... probably object-oriented - * client side programming in action yet again. - * This change should *massively* improve performance when - * enumerating users from an LDAP database. - * Jeremy. - */ - - static DISP_INFO *disp_info_list; TALLOC_CTX *mem_ctx; DISP_INFO *dpi; + /* There are two cases to consider here: + 1) The SID is a domain SID and we look for an equality match, or + 2) This is an account SID and so we return the DISP_INFO* for our + domain */ + + if ( psid && sid_check_is_in_our_domain( psid ) ) { + DEBUG(10,("get_samr_dispinfo_by_sid: Replacing %s with our domain SID\n", + sid_str)); + psid = get_global_sam_sid(); + } + for (dpi = disp_info_list; dpi; dpi = dpi->next) { if (sid_equal(psid, &dpi->sid)) { return dpi; 
@@ -283,18 +280,19 @@ static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid) can get a list out of smbd using smbcontrol. There will be one of these per SID we're authorative for. JRA. */ - mem_ctx = talloc_init("DISP_INFO for domain sid %s", - sid_string_static(psid)); + mem_ctx = talloc_init("DISP_INFO for domain sid %s", sid_str); - if ((dpi = TALLOC_ZERO_P(mem_ctx, DISP_INFO)) == NULL) { - DEBUG(0, ("talloc failed\n")); - TALLOC_FREE(mem_ctx); + if ((dpi = TALLOC_ZERO_P(mem_ctx, DISP_INFO)) == NULL) return NULL; - } dpi->mem_ctx = mem_ctx; - sid_copy( &dpi->sid, psid); + if (psid) { + sid_copy( &dpi->sid, psid); + dpi->builtin_domain = sid_check_is_builtin(psid); + } else { + dpi->builtin_domain = False; + } DLIST_ADD(disp_info_list, dpi); @@ -325,11 +323,20 @@ static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str)); if (psid) { sid_copy( &info->sid, psid); + info->builtin_domain = sid_check_is_builtin(psid); } else { DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n")); + info->builtin_domain = False; } info->mem_ctx = mem_ctx; + info->disp_info = get_samr_dispinfo_by_sid(psid, sid_str); + + if (!info->disp_info) { + talloc_destroy(mem_ctx); + return NULL; + } + return info; } @@ -486,7 +493,7 @@ static uint32 count_sam_users(struct disp_info *info, uint32 acct_flags) { struct samr_displayentry *entry; - if (sid_check_is_builtin(&info->sid)) { + if (info->builtin_domain) { /* No users in builtin. */ return 0; } @@ -510,7 +517,7 @@ static uint32 count_sam_groups(struct disp_info *info) { struct samr_displayentry *entry; - if (sid_check_is_builtin(&info->sid)) { + if (info->builtin_domain) { /* No groups in builtin. */ return 0; } 
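Review bot: The allocation-failure path in `get_samr_dispinfo_by_sid()` now returns without releasing `mem_ctx`. The removed lines freed it with `TALLOC_FREE(mem_ctx)` and logged the failure; the new one-line `return NULL;` does neither, so each failed `TALLOC_ZERO_P` leaves a named talloc context behind. I would keep the cleanup: `if (dpi == NULL) { TALLOC_FREE(mem_ctx); return NULL; }`. The return value of `talloc_init()` is also used unchecked on the line above, which deserves the same treatment.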
@@ -618,11 +625,6 @@ NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN return NT_STATUS_NO_MEMORY; info->acc_granted = acc_granted; - if (!(info->disp_info = get_samr_dispinfo_by_sid(&q_u->dom_sid.sid))) { - TALLOC_FREE(info->mem_ctx); - return NT_STATUS_NO_MEMORY; - } - /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, &r_u->domain_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; @@ -677,11 +679,6 @@ static BOOL get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol, if (!info) return False; - if (!info->disp_info) { - /* Not a domain */ - return False; - } - *sid = info->sid; *acc_granted = info->acc_granted; if (ppdisp_info) { @@ -914,11 +911,6 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - if (!info->disp_info) { - /* not a domain */ - return NT_STATUS_INVALID_HANDLE; - } - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_users"))) { @@ -927,7 +919,7 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); - if (sid_check_is_builtin(&info->sid)) { + if (info->builtin_domain) { /* No users in builtin. */ init_samr_r_enum_dom_users(r_u, q_u->start_idx, 0); DEBUG(5,("_samr_enum_dom_users: No users in BUILTIN\n")); @@ -1052,11 +1044,6 @@ NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAM if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - if (!info->disp_info) { - /* not a domain */ - return NT_STATUS_INVALID_HANDLE; - } - r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_groups"); 
@@ -1065,7 +1052,7 @@ NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAM DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__)); - if (sid_check_is_builtin(&info->sid)) { + if (info->builtin_domain) { /* No groups in builtin. */ init_samr_r_enum_dom_groups(r_u, q_u->start_idx, 0); DEBUG(5,("_samr_enum_dom_users: No groups in BUILTIN\n")); @@ -1116,11 +1103,6 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - if (!info->disp_info) { - /* not a domain */ - return NT_STATUS_INVALID_HANDLE; - } - r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_aliases"); @@ -1187,11 +1169,6 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - if (!info->disp_info) { - /* not a domain */ - return NT_STATUS_INVALID_HANDLE; - } - /* * calculate how many entries we will return. * based on @@ -2348,11 +2325,6 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)(void *)&info)) { return NT_STATUS_INVALID_HANDLE; } - - if (!info->disp_info) { - /* not a domain */ - return NT_STATUS_INVALID_HANDLE; - } switch (q_u->switch_value) { case 0x01: -- cgit From 2838d7499cbd5b7ebade52321985244aee9a9f70 Mon Sep 17 00:00:00 2001 
From: Volker Lendecke Date: Tue, 27 Feb 2007 17:21:21 +0000 Subject: r21563: Fix a memleak: We only need dispinfo structs for "our" and for the builtin domain. Without this patch we leaked a DISPINFO for the (NULL) domain per samr_connect*() call. Volker (This used to be commit 4423880ff47a94074c625a4f4f81c3b516faa644) --- source3/rpc_server/srv_samr_nt.c | 81 ++++++++++++++++++++-------------------- 1 file changed, 41 insertions(+), 40 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d35d97f2a0..7cf75bcd40 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -46,8 +46,6 @@ #define DISP_INFO_CACHE_TIMEOUT 10 typedef struct disp_info { - struct disp_info *next, *prev; - TALLOC_CTX *mem_ctx; DOM_SID sid; /* identify which domain this is. */ BOOL builtin_domain; /* Quick flag to check if this is the builtin domain. */ struct pdb_search *users; /* querydispinfo 1 and 4 */ @@ -65,8 +63,6 @@ typedef struct disp_info { /* We keep a static list of these by SID as modern clients close down all resources between each request in a complete enumeration. */ -static DISP_INFO *disp_info_list; - struct samr_info { /* for use by the \PIPE\samr policy */ DOM_SID sid; 
@@ -254,49 +250,59 @@ static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_requir Fetch or create a dispinfo struct. ********************************************************************/ -static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid, const char *sid_str) +static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid) { - TALLOC_CTX *mem_ctx; - DISP_INFO *dpi; + /* + * We do a static cache for DISP_INFO's here. Explanation can be found + * in Jeremy's checkin message to r11793: + * + * Fix the SAMR cache so it works across completely insane + * client behaviour (ie.: + * open pipe/open SAMR handle/enumerate 0 - 1024 + * close SAMR handle, close pipe. + * open pipe/open SAMR handle/enumerate 1024 - 2048... + * close SAMR handle, close pipe. + * And on ad-nausium. Amazing.... probably object-oriented + * client side programming in action yet again. + * This change should *massively* improve performance when + * enumerating users from an LDAP database. + * Jeremy. + * + * "Our" and the builtin domain are the only ones where we ever + * enumerate stuff, so just cache 2 entries. + */ + + static struct disp_info builtin_dispinfo; + static struct disp_info domain_dispinfo; /* There are two cases to consider here: 1) The SID is a domain SID and we look for an equality match, or 2) This is an account SID and so we return the DISP_INFO* for our domain */ - if ( psid && sid_check_is_in_our_domain( psid ) ) { - DEBUG(10,("get_samr_dispinfo_by_sid: Replacing %s with our domain SID\n", - sid_str)); - psid = get_global_sam_sid(); - } - - for (dpi = disp_info_list; dpi; dpi = dpi->next) { - if (sid_equal(psid, &dpi->sid)) { - return dpi; - } - } - - /* This struct is never free'd - I'm using talloc so we - can get a list out of smbd using smbcontrol. There will - be one of these per SID we're authorative for. JRA. 
*/ - - mem_ctx = talloc_init("DISP_INFO for domain sid %s", sid_str); - - if ((dpi = TALLOC_ZERO_P(mem_ctx, DISP_INFO)) == NULL) + if (psid == NULL) { return NULL; + } - dpi->mem_ctx = mem_ctx; + if (sid_check_is_builtin(psid) || sid_check_is_in_builtin(psid)) { + /* + * Necessary only once, but it does not really hurt. + */ + sid_copy(&builtin_dispinfo.sid, &global_sid_Builtin); - if (psid) { - sid_copy( &dpi->sid, psid); - dpi->builtin_domain = sid_check_is_builtin(psid); - } else { - dpi->builtin_domain = False; + return &builtin_dispinfo; } + + if (sid_check_is_domain(psid) || sid_check_is_in_our_domain(psid)) { + /* + * Necessary only once, but it does not really hurt. + */ + sid_copy(&domain_dispinfo.sid, get_global_sam_sid()); - DLIST_ADD(disp_info_list, dpi); + return &domain_dispinfo; + } - return dpi; + return NULL; } /******************************************************************* @@ -330,12 +336,7 @@ static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) } info->mem_ctx = mem_ctx; - info->disp_info = get_samr_dispinfo_by_sid(psid, sid_str); - - if (!info->disp_info) { - talloc_destroy(mem_ctx); - return NULL; - } + info->disp_info = get_samr_dispinfo_by_sid(psid); return info; } -- cgit From 742a853875045e5f38b5c82b963dabc928141304 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 1 Mar 2007 18:48:52 +0000 Subject: r21635: Don't free talloc()'d memory. I wish people would check the callers when changing how memory is allocated. (This used to be commit 78bf4042dd22bf063846c58729d5b64be3fce8a8) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 7cf75bcd40..56f2344247 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
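Review bot: The two static entries in `get_samr_dispinfo_by_sid()` never get `builtin_domain` set. They are zero-initialised and only `sid` is filled in, yet `count_sam_users()` and `count_sam_groups()` were changed by the previous commit on this page to test `info->builtin_domain` on the DISP_INFO instead of calling `sid_check_is_builtin()`. As written, the "No users in builtin" and "No groups in builtin" shortcuts in those helpers can no longer fire for the builtin entry. Adding `builtin_dispinfo.builtin_domain = True;` next to the `sid_copy()` in the builtin branch restores the earlier behaviour.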
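Review bot: Dropping the `if (!info->disp_info)` check in `get_samr_info_by_sid()` means a handle can now carry `disp_info == NULL`, because `get_samr_dispinfo_by_sid()` returns NULL for a NULL SID and for any SID outside builtin and our domain. The per-call guards (`if (!info->disp_info) return NT_STATUS_INVALID_HANDLE;`) in `_samr_enum_dom_users`, `_samr_enum_dom_groups`, `_samr_enum_dom_aliases`, `_samr_query_dispinfo` and `_samr_query_domain_info`, and the one in `get_lsa_policy_samr_sid`, were removed by the previous commit on this page. Nothing visible now stops those handlers from dereferencing a NULL `disp_info` when a client presents such a handle. I would restore the guards as part of this change; the handler bodies are outside the hunk, so which of them actually touch `disp_info` needs confirming.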
@@ -3886,7 +3886,7 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ init_samr_r_query_aliasmem(r_u, num_sids, sid, NT_STATUS_OK); - SAFE_FREE(sids); + TALLOC_FREE(sids); return NT_STATUS_OK; } -- cgit From 0d91334fe799f6b50a8265f9dc097411c3a29e18 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 11 Mar 2007 16:49:16 +0000 Subject: r21784: Replace smb_register_idle_event() with event_add_timed(). This fixes winbind who did not run the idle events to drop ldap connections. Volker (This used to be commit af3308ce5a21220ff4c510de356dbaa6cf9ff997) --- source3/rpc_server/srv_samr_nt.c | 79 ++++++++++++++++------------------------ 1 file changed, 32 insertions(+), 47 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 56f2344247..ca7185f527 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -56,8 +56,8 @@ typedef struct disp_info { uint16 enum_acb_mask; struct pdb_search *enum_users; /* enumusers with a mask */ - - smb_event_id_t di_cache_timeout_event; /* cache idle timeout handler. */ + struct timed_event *cache_timeout_event; /* cache idle timeout + * handler. */ } DISP_INFO; /* We keep a static list of these by SID as modern clients close down @@ -345,9 +345,10 @@ static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) Function to free the per SID data. ********************************************************************/ -static void free_samr_cache(DISP_INFO *disp_info, const char *sid_str) +static void free_samr_cache(DISP_INFO *disp_info) { - DEBUG(10,("free_samr_cache: deleting cache for SID %s\n", sid_str)); + DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n", + sid_string_static(&disp_info->sid))); /* We need to become root here because the paged search might have to * tell the LDAP server we're not interested in the rest anymore. */ 
@@ -395,10 +396,8 @@ static void free_samr_info(void *ptr) /* Only free the dispinfo cache if no one bothered to set up a timeout. */ - if (info->disp_info && info->disp_info->di_cache_timeout_event == (smb_event_id_t)0) { - fstring sid_str; - sid_to_string(sid_str, &info->disp_info->sid); - free_samr_cache(info->disp_info, sid_str); + if (info->disp_info && info->disp_info->cache_timeout_event == NULL) { + free_samr_cache(info->disp_info); } talloc_destroy(info->mem_ctx); @@ -408,23 +407,18 @@ static void free_samr_info(void *ptr) Idle event handler. Throw away the disp info cache. ********************************************************************/ -static void disp_info_cache_idle_timeout_handler(void **private_data, - time_t *ev_interval, - time_t ev_now) +static void disp_info_cache_idle_timeout_handler(struct event_context *ev_ctx, + struct timed_event *te, + const struct timeval *now, + void *private_data) { - fstring sid_str; - DISP_INFO *disp_info = (DISP_INFO *)(*private_data); - - sid_to_string(sid_str, &disp_info->sid); + DISP_INFO *disp_info = (DISP_INFO *)private_data; - free_samr_cache(disp_info, sid_str); + TALLOC_FREE(disp_info->cache_timeout_event); - /* Remove the event. */ - smb_unregister_idle_event(disp_info->di_cache_timeout_event); - disp_info->di_cache_timeout_event = (smb_event_id_t)0; - - DEBUG(10,("disp_info_cache_idle_timeout_handler: caching timed out for SID %s at %u\n", - sid_str, (unsigned int)ev_now)); + DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed " + "out\n")); + free_samr_cache(disp_info); } /******************************************************************* 
@@ -433,24 +427,20 @@ static void disp_info_cache_idle_timeout_handler(void **private_data, static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow) { - fstring sid_str; - - sid_to_string(sid_str, &disp_info->sid); - /* Remove any pending timeout and update. */ - if (disp_info->di_cache_timeout_event) { - smb_unregister_idle_event(disp_info->di_cache_timeout_event); - disp_info->di_cache_timeout_event = (smb_event_id_t)0; - } + TALLOC_FREE(disp_info->cache_timeout_event); - DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for SID %s for %u seconds\n", - sid_str, (unsigned int)secs_fromnow )); + DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for " + "SID %s for %u seconds\n", + sid_string_static(&disp_info->sid), + (unsigned int)secs_fromnow )); - disp_info->di_cache_timeout_event = - smb_register_idle_event(disp_info_cache_idle_timeout_handler, - disp_info, - secs_fromnow); + disp_info->cache_timeout_event = event_add_timed( + smbd_event_context(), NULL, + timeval_current_ofs(secs_fromnow, 0), + "disp_info_cache_idle_timeout_handler", + disp_info_cache_idle_timeout_handler, (void *)disp_info); } /******************************************************************* 
@@ -460,18 +450,13 @@ static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromno static void force_flush_samr_cache(DISP_INFO *disp_info) { - if (disp_info) { - fstring sid_str; - - sid_to_string(sid_str, &disp_info->sid); - if (disp_info->di_cache_timeout_event) { - smb_unregister_idle_event(disp_info->di_cache_timeout_event); - disp_info->di_cache_timeout_event = (smb_event_id_t)0; - DEBUG(10,("force_flush_samr_cache: clearing idle event for SID %s\n", - sid_str)); - } - free_samr_cache(disp_info, sid_str); + if ((disp_info == NULL) || (disp_info->cache_timeout_event == NULL)) { + return; } + + DEBUG(10,("force_flush_samr_cache: clearing idle event\n")); + TALLOC_FREE(disp_info->cache_timeout_event); + free_samr_cache(disp_info); } /******************************************************************* -- cgit From 56ba44766854ed7cda265bdaf85913f2a1008282 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 28 Mar 2007 13:34:59 +0000 Subject: r22001: change prototype of dump_data(), so that it takes unsigned char * now, which matches what samba4 has. also fix all the callers to prevent compiler warnings metze (This used to be commit fa322f0cc9c26a9537ba3f0a7d4e4a25941317e7) --- source3/rpc_server/srv_samr_nt.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index ca7185f527..c743e68530 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3553,7 +3553,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE } SamOEMhashBlob(ctr->info.id24->pass, 516, &p->session_key); - dump_data(100, (char *)ctr->info.id24->pass, 516); + dump_data(100, ctr->info.id24->pass, 516); if (!set_user_info_pw(ctr->info.id24->pass, pwd)) r_u->status = NT_STATUS_ACCESS_DENIED; 
@@ -3565,7 +3565,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE } encode_or_decode_arc4_passwd_buffer(ctr->info.id25->pass, &p->session_key); - dump_data(100, (char *)ctr->info.id25->pass, 532); + dump_data(100, ctr->info.id25->pass, 532); r_u->status = set_user_info_25(p->mem_ctx, ctr->info.id25, pwd); @@ -3582,7 +3582,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE } encode_or_decode_arc4_passwd_buffer(ctr->info.id26->pass, &p->session_key); - dump_data(100, (char *)ctr->info.id26->pass, 516); + dump_data(100, ctr->info.id26->pass, 516); if (!set_user_info_pw(ctr->info.id26->pass, pwd)) r_u->status = NT_STATUS_ACCESS_DENIED; @@ -3594,7 +3594,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE } SamOEMhashBlob(ctr->info.id23->pass, 516, &p->session_key); - dump_data(100, (char *)ctr->info.id23->pass, 516); + dump_data(100, ctr->info.id23->pass, 516); r_u->status = set_user_info_23(p->mem_ctx, ctr->info.id23, pwd); @@ -3728,7 +3728,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ } SamOEMhashBlob(ctr->info.id23->pass, 516, &p->session_key); - dump_data(100, (char *)ctr->info.id23->pass, 516); + dump_data(100, ctr->info.id23->pass, 516); r_u->status = set_user_info_23(p->mem_ctx, ctr->info.id23, pwd); @@ -3739,7 +3739,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ } encode_or_decode_arc4_passwd_buffer(ctr->info.id26->pass, &p->session_key); - dump_data(100, (char *)ctr->info.id26->pass, 516); + dump_data(100, ctr->info.id26->pass, 516); if (!set_user_info_pw(ctr->info.id26->pass, pwd)) r_u->status = NT_STATUS_ACCESS_DENIED; -- cgit From 70806db06adb1dafd4de8728bb7b367b84f3740a Mon Sep 17 00:00:00 2001 
From: Jim McDonough Date: Tue, 24 Apr 2007 15:56:02 +0000 Subject: r22504: Fix bug Jerry found during his tutorial. Sorry :-( Allows authorized users (e.g. BUILTIN\Administrators members) to set attributes on an account, particularly "user cannot change password". add become_root() around updating attributes, after checking that access has been granted. (This used to be commit b1ab360519a1f67f50446ca8599e5b7aa58e7db3) --- source3/rpc_server/srv_samr_nt.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c743e68530..be73b33265 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -724,7 +724,12 @@ NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_ return NT_STATUS_ACCESS_DENIED; } - status = pdb_update_sam_account(sampass); + status = access_check_samr_function(acc_granted, SA_RIGHT_USER_SET_ATTRIBUTES, "_samr_set_sec_obj"); + if NT_STATUS_IS_OK(status) { + become_root(); + status = pdb_update_sam_account(sampass); + unbecome_root(); + } TALLOC_FREE(sampass); -- cgit From f4affb4382d4895589d0eceda765ae5bdc1df855 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Tue, 24 Apr 2007 18:01:46 +0000 Subject: r22505: Fix build (This used to be commit cc38ffb9a45b008ab7bbc3299610bd0dfec13aa9) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index be73b33265..a128757ad0 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
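Review bot: The `SA_RIGHT_USER_SET_ATTRIBUTES` check in `_samr_set_sec_obj` is made only immediately before the write, after the code above the hunk has already looked up `sampass` and presumably edited it. Moving the `access_check_samr_function()` call to directly after the handle lookup would reject an under-privileged handle before any passdb work is done for it. The root bracket itself is tight, but it deserves a comment stating what authorises it, for example `/* access was checked against the handle's acc_granted above; root is needed only for the passdb write */`. The start of the function is outside the hunk, so the exact placement needs checking against the full body.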
@@ -725,7 +725,7 @@ NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_ } status = access_check_samr_function(acc_granted, SA_RIGHT_USER_SET_ATTRIBUTES, "_samr_set_sec_obj"); - if NT_STATUS_IS_OK(status) { + if (NT_STATUS_IS_OK(status)) { become_root(); status = pdb_update_sam_account(sampass); unbecome_root(); -- cgit From 12ba88574bf91bdcc4447bfc3d429b799064bfd9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 27 Apr 2007 23:18:41 +0000 Subject: r22542: Move over to using the _strict varients of the talloc calls. No functional changes. Looks bigger than it is :-). Jeremy. (This used to be commit f6fa3080fee1b20df9f1968500840a88cf0ee592) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index a128757ad0..80b1b93a50 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -854,7 +854,7 @@ static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_entries); if (sam == NULL || uni_name == NULL) { - DEBUG(0, ("make_user_sam_entry_list: talloc_zero failed!\n")); + DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n")); return NT_STATUS_NO_MEMORY; } -- cgit From 6b605a9cd783451072e0bb9f63eb0e29d7969cd4 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 30 Apr 2007 00:53:17 +0000 Subject: r22586: Add a modified version of Simo's patch. Jeremy. (This used to be commit 18f47f999d28af56e205cd20d10c72ff6f0a3846) --- source3/rpc_server/srv_samr_nt.c | 41 +++++++++++++++++++++++++++------------- 1 file changed, 28 insertions(+), 13 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 80b1b93a50..8f7bfd6b01 100644 --- a/source3/rpc_server/srv_samr_nt.c 
+++ b/source3/rpc_server/srv_samr_nt.c @@ -949,6 +949,7 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, if (num_account == 0) { DEBUG(5, ("_samr_enum_dom_users: enumeration handle over " "total entries\n")); + init_samr_r_enum_dom_users(r_u, q_u->start_idx, 0); return NT_STATUS_OK; } @@ -1708,7 +1709,7 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK UNIHDR *hdr_name = NULL; UNISTR2 *uni_name = NULL; DOM_SID pol_sid; - int num_rids = q_u->num_rids1; + int num_rids = (int)q_u->num_rids1; uint32 acc_granted; int i; @@ -1726,12 +1727,18 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK return NT_STATUS_UNSUCCESSFUL; } - names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids); - attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum lsa_SidType, num_rids); - wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids); + if (num_rids) { + names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids); + attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum lsa_SidType, num_rids); + wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids); - if ((num_rids != 0) && ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))) - return NT_STATUS_NO_MEMORY; + if ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL)) + return NT_STATUS_NO_MEMORY; + } else { + names = NULL; + attrs = NULL; + wire_attrs = NULL; + } become_root(); /* lookup_sid can require root privs */ r_u->status = pdb_lookup_rids(&pol_sid, num_rids, q_u->rid, 
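Review bot: `int num_rids = (int)q_u->num_rids1;` in `_samr_lookup_rids` makes the narrowing of a client-supplied uint32 explicit but does not bound it. A wire value above INT_MAX becomes negative, still passes the new `if (num_rids)` test in the next hunk, and is then used as the element count for the three `TALLOC_ZERO_ARRAY` calls and for `pdb_lookup_rids()`. Whatever limit check sits between the two hunks is not visible here, and a signed greater-than comparison would not reject a negative count in any case. I would keep the count unsigned and validate the wire field before converting, e.g. `if (q_u->num_rids1 > MAX_LOOKUP_RIDS) return NT_STATUS_UNSUCCESSFUL;`, where `MAX_LOOKUP_RIDS` is a placeholder for the limit the function already applies.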
@@ -3803,10 +3810,14 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, !sid_check_is_builtin(&info->sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, q_u->num_sids1); + if (q_u->num_sids1) { + members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, q_u->num_sids1); - if (members == NULL) - return NT_STATUS_NO_MEMORY; + if (members == NULL) + return NT_STATUS_NO_MEMORY; + } else { + members = NULL; + } for (i=0; inum_sids1; i++) sid_copy(&members[i], &q_u->sid[i].sid); @@ -3864,10 +3875,14 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ return status; } - sid = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_SID2, num_sids); - if (num_sids!=0 && sid == NULL) { - SAFE_FREE(sids); - return NT_STATUS_NO_MEMORY; + if (num_sids) { + sid = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_SID2, num_sids); + if (sid == NULL) { + SAFE_FREE(sids); + return NT_STATUS_NO_MEMORY; + } + } else { + sid = NULL; } for (i = 0; i < num_sids; i++) { -- cgit From 1e362c0e7fff603cffa32863a5b07ecbc50f8a2d Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 30 Apr 2007 01:17:34 +0000 Subject: r22587: Ensure TALLOC_ZERO_ARRAY is consistent. Jeremy. (This used to be commit c3df5d08dd6a983f9d53dc6628a50e571d322e8d) --- source3/rpc_server/srv_samr_nt.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 8f7bfd6b01..1b9a8c375b 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
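Review bot: The rewritten error path in `_samr_query_aliasmem` still calls `SAFE_FREE(sids)`, although r21635 earlier on this page changed the success path of the same function to `TALLOC_FREE(sids)` with the message "Don't free talloc()'d memory". Handing a talloc'd pointer to free() corrupts the allocator state, and this branch is only reached when memory is already short. The line inside the new `if (sid == NULL)` block should be `TALLOC_FREE(sids);`. The function continues outside the hunk.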
@@ -3939,10 +3939,14 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ if (!NT_STATUS_IS_OK(result)) return result; - attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members); - - if ((num_members!=0) && (attr==NULL)) - return NT_STATUS_NO_MEMORY; + if (num_members) { + attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members); + if (attr == NULL) { + return NT_STATUS_NO_MEMORY; + } + } else { + attr = NULL; + } for (i=0; i Date: Wed, 9 May 2007 11:39:55 +0000 Subject: r22766: Merge from 3_0: r22412 | obnox | 2007-04-20 14:23:36 +0200 (Fr, 20 Apr 2007) | 5 lines Add a "deletelocalgroup" subcommand to net sam. Thanks to Karolin Seeger . (This used to be commit fb6ac8a5b247a961963a9b6a95cd6608c5b53d09) --- source3/rpc_server/srv_samr_nt.c | 33 +++++++++++++++------------------ 1 file changed, 15 insertions(+), 18 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 1b9a8c375b..b392f289a8 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1354,7 +1354,7 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM DOM_SID sid; struct acct_info info; uint32 acc_granted; - BOOL ret; + NTSTATUS status; r_u->status = NT_STATUS_OK; @@ -1368,11 +1368,11 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM } become_root(); - ret = pdb_get_aliasinfo(&sid, &info); + status = pdb_get_aliasinfo(&sid, &info); unbecome_root(); - if ( !ret ) - return NT_STATUS_NO_SUCH_ALIAS; + if ( !NT_STATUS_IS_OK(status)) + return status; if ( !(r_u->ctr = TALLOC_ZERO_P( p->mem_ctx, ALIAS_INFO_CTR )) ) return NT_STATUS_NO_MEMORY; 
@@ -4301,7 +4301,7 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S uint32 acc_granted; SE_PRIV se_rights; BOOL can_add_accounts; - BOOL ret; + NTSTATUS status; DISP_INFO *disp_info = NULL; DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__)); @@ -4340,15 +4340,15 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S become_root(); /* Have passdb delete the alias */ - ret = pdb_delete_alias(&alias_sid); + status = pdb_delete_alias(&alias_sid); if ( can_add_accounts ) unbecome_root(); /******** END SeAddUsers BLOCK *********/ - if ( !ret ) - return NT_STATUS_ACCESS_DENIED; + if ( !NT_STATUS_IS_OK(status)) + return status; if (!close_policy_hnd(p, &q_u->alias_pol)) return NT_STATUS_OBJECT_NAME_INVALID; @@ -4693,8 +4693,8 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ struct acct_info info; ALIAS_INFO_CTR *ctr; uint32 acc_granted; - BOOL ret; BOOL can_mod_accounts; + NTSTATUS status; DISP_INFO *disp_info = NULL; if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted, &disp_info)) @@ -4709,18 +4709,16 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ /* get the current group information */ become_root(); - ret = pdb_get_aliasinfo( &group_sid, &info ); + status = pdb_get_aliasinfo( &group_sid, &info ); unbecome_root(); - if ( !ret ) { - return NT_STATUS_NO_SUCH_ALIAS; - } + if ( !NT_STATUS_IS_OK(status)) + return status; switch (ctr->level) { case 2: { fstring group_name, acct_name; - NTSTATUS status; /* We currently do not support renaming groups in the the BUILTIN domain. Refer to util_builtin.c to understand 
@@ -4776,18 +4774,17 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ if ( can_mod_accounts ) become_root(); - ret = pdb_set_aliasinfo( &group_sid, &info ); + status = pdb_set_aliasinfo( &group_sid, &info ); if ( can_mod_accounts ) unbecome_root(); /******** End SeAddUsers BLOCK *********/ - if (ret) { + if (NT_STATUS_IS_OK(status)) force_flush_samr_cache(disp_info); - } - return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; + return status; } /********************************************************************* -- cgit From a0f9db7a169886914b4e5323c61e127011a2d16b Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 9 May 2007 11:40:48 +0000 Subject: r22767: Argl. Typed in 'svn ci' in the wrong branch. Revert. (This used to be commit 2c5b951eba509e826a29775db992aca474476484) --- source3/rpc_server/srv_samr_nt.c | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b392f289a8..1b9a8c375b 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1354,7 +1354,7 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM DOM_SID sid; struct acct_info info; uint32 acc_granted; - NTSTATUS status; + BOOL ret; r_u->status = NT_STATUS_OK; @@ -1368,11 +1368,11 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM } become_root(); - status = pdb_get_aliasinfo(&sid, &info); + ret = pdb_get_aliasinfo(&sid, &info); unbecome_root(); - if ( !NT_STATUS_IS_OK(status)) - return status; + if ( !ret ) + return NT_STATUS_NO_SUCH_ALIAS; if ( !(r_u->ctr = TALLOC_ZERO_P( p->mem_ctx, ALIAS_INFO_CTR )) ) return NT_STATUS_NO_MEMORY; 
@@ -4301,7 +4301,7 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S uint32 acc_granted; SE_PRIV se_rights; BOOL can_add_accounts; - NTSTATUS status; + BOOL ret; DISP_INFO *disp_info = NULL; DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__)); @@ -4340,15 +4340,15 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S become_root(); /* Have passdb delete the alias */ - status = pdb_delete_alias(&alias_sid); + ret = pdb_delete_alias(&alias_sid); if ( can_add_accounts ) unbecome_root(); /******** END SeAddUsers BLOCK *********/ - if ( !NT_STATUS_IS_OK(status)) - return status; + if ( !ret ) + return NT_STATUS_ACCESS_DENIED; if (!close_policy_hnd(p, &q_u->alias_pol)) return NT_STATUS_OBJECT_NAME_INVALID; @@ -4693,8 +4693,8 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ struct acct_info info; ALIAS_INFO_CTR *ctr; uint32 acc_granted; + BOOL ret; BOOL can_mod_accounts; - NTSTATUS status; DISP_INFO *disp_info = NULL; if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted, &disp_info)) @@ -4709,16 +4709,18 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ /* get the current group information */ become_root(); - status = pdb_get_aliasinfo( &group_sid, &info ); + ret = pdb_get_aliasinfo( &group_sid, &info ); unbecome_root(); - if ( !NT_STATUS_IS_OK(status)) - return status; + if ( !ret ) { + return NT_STATUS_NO_SUCH_ALIAS; + } switch (ctr->level) { case 2: { fstring group_name, acct_name; + NTSTATUS status; /* We currently do not support renaming groups in the the BUILTIN domain. Refer to util_builtin.c to understand 
@@ -4774,17 +4776,18 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ if ( can_mod_accounts ) become_root(); - status = pdb_set_aliasinfo( &group_sid, &info ); + ret = pdb_set_aliasinfo( &group_sid, &info ); if ( can_mod_accounts ) unbecome_root(); /******** End SeAddUsers BLOCK *********/ - if (NT_STATUS_IS_OK(status)) + if (ret) { force_flush_samr_cache(disp_info); + } - return status; + return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; } /********************************************************************* -- cgit From 9e30a76c04d0da0bc14f7a0605db7ad51e5cfcd9 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 11 May 2007 08:46:54 +0000 Subject: r22786: Some cleanup by Karolin Seeger: Remove unused pdb_find_alias, and change return values of some alias-releated pdb functions from BOOL to NTSTATUS Thanks :-) (This used to be commit 590d2164b3a33250410338771e160f6ebd1aa89d) --- source3/rpc_server/srv_samr_nt.c | 33 +++++++++++++++------------------ 1 file changed, 15 insertions(+), 18 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 1b9a8c375b..b392f289a8 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1354,7 +1354,7 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM DOM_SID sid; struct acct_info info; uint32 acc_granted; - BOOL ret; + NTSTATUS status; r_u->status = NT_STATUS_OK; @@ -1368,11 +1368,11 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM } become_root(); - ret = pdb_get_aliasinfo(&sid, &info); + status = pdb_get_aliasinfo(&sid, &info); unbecome_root(); - if ( !ret ) - return NT_STATUS_NO_SUCH_ALIAS; + if ( !NT_STATUS_IS_OK(status)) + return status; if ( !(r_u->ctr = TALLOC_ZERO_P( p->mem_ctx, ALIAS_INFO_CTR )) ) return NT_STATUS_NO_MEMORY; 
@@ -4301,7 +4301,7 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S uint32 acc_granted; SE_PRIV se_rights; BOOL can_add_accounts; - BOOL ret; + NTSTATUS status; DISP_INFO *disp_info = NULL; DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__)); @@ -4340,15 +4340,15 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S become_root(); /* Have passdb delete the alias */ - ret = pdb_delete_alias(&alias_sid); + status = pdb_delete_alias(&alias_sid); if ( can_add_accounts ) unbecome_root(); /******** END SeAddUsers BLOCK *********/ - if ( !ret ) - return NT_STATUS_ACCESS_DENIED; + if ( !NT_STATUS_IS_OK(status)) + return status; if (!close_policy_hnd(p, &q_u->alias_pol)) return NT_STATUS_OBJECT_NAME_INVALID; @@ -4693,8 +4693,8 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ struct acct_info info; ALIAS_INFO_CTR *ctr; uint32 acc_granted; - BOOL ret; BOOL can_mod_accounts; + NTSTATUS status; DISP_INFO *disp_info = NULL; if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted, &disp_info)) @@ -4709,18 +4709,16 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ /* get the current group information */ become_root(); - ret = pdb_get_aliasinfo( &group_sid, &info ); + status = pdb_get_aliasinfo( &group_sid, &info ); unbecome_root(); - if ( !ret ) { - return NT_STATUS_NO_SUCH_ALIAS; - } + if ( !NT_STATUS_IS_OK(status)) + return status; switch (ctr->level) { case 2: { fstring group_name, acct_name; - NTSTATUS status; /* We currently do not support renaming groups in the the BUILTIN domain. Refer to util_builtin.c to understand 
@@ -4776,18 +4774,17 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ if ( can_mod_accounts ) become_root(); - ret = pdb_set_aliasinfo( &group_sid, &info ); + status = pdb_set_aliasinfo( &group_sid, &info ); if ( can_mod_accounts ) unbecome_root(); /******** End SeAddUsers BLOCK *********/ - if (ret) { + if (NT_STATUS_IS_OK(status)) force_flush_samr_cache(disp_info); - } - return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED; + return status; } /********************************************************************* -- cgit From 9c3db7adf3efb7e485ac0a7301f31a1ab6338435 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Tue, 26 Jun 2007 20:09:41 +0000 Subject: r23616: Fix bugzilla #4719: must change password is not set from usrmgr.exe. This was only affecting the newer versions of usrmgr.exe, because they use a user_info_25 struct. The password is getting set separately inside that code, so the password last set time was getting set from the password change logic. We also were not parsing a number of fields (like logon hours) from the user_info_25. That should also be fixed. (This used to be commit afabd68b6ae874aceba708dc36808ed007ad496c) --- source3/rpc_server/srv_samr_nt.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b392f289a8..e28fc59136 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -3357,11 +3357,17 @@ static BOOL set_user_info_pw(uint8 *pass, struct samu *pwd) uint32 len; pstring plaintext_buf; uint32 acct_ctrl; + time_t last_set_time; + enum pdb_value_state last_set_state; DEBUG(5, ("Attempting administrator password change for user %s\n", pdb_get_username(pwd))); acct_ctrl = pdb_get_acct_ctrl(pwd); + /* we need to know if it's expired, because this is an admin change, not a + user change, so it's still expired when we're done */ + last_set_state = pdb_get_init_flags(pwd, PDB_PASSLASTSET); + last_set_time = pdb_get_pass_last_set_time(pwd); ZERO_STRUCT(plaintext_buf); @@ -3404,6 +3410,9 @@ static BOOL set_user_info_pw(uint8 *pass, struct samu *pwd) ZERO_STRUCT(plaintext_buf); + /* restore last set time as this is an admin change, not a user pw change */ + pdb_set_pass_last_set_time (pwd, last_set_time, last_set_state); + DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n")); /* update the SAMBA password */ -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e28fc59136..ed165e56b0 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -14,7 +14,7 @@ * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or + * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, -- cgit 
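Review bot: The restore added near the end of set_user_info_pw, `pdb_set_pass_last_set_time (pwd, last_set_time, last_set_state);`, discards its result. If that setter can fail, the account keeps the fresh last-set time written by the password change, and the "must change password" state this commit is meant to preserve is silently lost. Assuming it reports failure like the other pdb setters, check it and fail the call, e.g. `if (!pdb_set_pass_last_set_time(pwd, last_set_time, last_set_state)) { TALLOC_FREE(pwd); return False; }`; the cleartext has already been zeroed at that point. The new comment could also say that the restore is unconditional, so an admin reset never advances the password age even for an account that was not expired. The function body starts and ends outside these hunks.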
From 153cfb9c83534b09f15cc16205d7adb19b394928 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 05:23:25 +0000 Subject: r23801: The FSF has moved around a lot. This fixes their Mass Ave address. (This used to be commit 87c91e4362c51819032bfbebbb273c52e203b227) --- source3/rpc_server/srv_samr_nt.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index ed165e56b0..e95fd0c7f9 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -23,8 +23,7 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + * along with this program; if not, see . */ /* -- cgit From c97fe37ea3d92a631e8da17c21dafae1db15e97b Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Fri, 21 Sep 2007 14:37:35 +0000 Subject: r25294: Tidy up callers of unistr2_to_ascii() to pass sizeof(target_area) to the maxeln parameter instead of sizeof(target_area) - 1 (or even sizeof(fstring) - 1 in some places. I hope these were really all there were. Michael (This used to be commit 9a28be220df622322857dfe102fa35e108f932dc) --- source3/rpc_server/srv_samr_nt.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e95fd0c7f9..950a186e03 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -4470,7 +4470,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S if (!sid_equal(&dom_sid, get_global_sam_sid())) return NT_STATUS_ACCESS_DENIED; - unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1); + unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)); se_priv_copy( &se_rights, &se_add_users ); can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); @@ -4659,10 +4659,10 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ switch (ctr->switch_value1) { case 1: - unistr2_to_ascii(map.comment, &(ctr->group.info1.uni_acct_desc), sizeof(map.comment)-1); + unistr2_to_ascii(map.comment, &(ctr->group.info1.uni_acct_desc), sizeof(map.comment)); break; case 4: - unistr2_to_ascii(map.comment, &(ctr->group.info4.uni_acct_desc), sizeof(map.comment)-1); + unistr2_to_ascii(map.comment, &(ctr->group.info4.uni_acct_desc), sizeof(map.comment)); break; default: return NT_STATUS_INVALID_INFO_CLASS; @@ -4743,7 +4743,7 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ return NT_STATUS_INVALID_PARAMETER; unistr2_to_ascii( acct_name, ctr->alias.info2.name.string, - sizeof(acct_name)-1 ); + sizeof(acct_name)); /* If the name is the same just reply "ok". Yes this doesn't allow you to change the case of a group name. */ @@ -4766,7 +4766,7 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ if ( ctr->alias.info3.description.string ) { unistr2_to_ascii( info.acct_desc, ctr->alias.info3.description.string, - sizeof(info.acct_desc)-1 ); + sizeof(info.acct_desc)); } else fstrcpy( info.acct_desc, "" ); -- cgit From 0ebab65706e7e2ef82d8af81225db05a5f78b5c4 Mon Sep 17 00:00:00 2001 
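Review bot: The unistr2_to_ascii() calls in these four hunks now pass the full destination size (`sizeof(name)`, `sizeof(map.comment)`, `sizeof(acct_name)`, `sizeof(info.acct_desc)`), which is safe only if the helper counts the terminating NUL inside that length; its definition is not part of this diff. The source strings appear to come from the client request (`q_u`, `ctr`), so an off-by-one in that contract would be a one-byte write past each buffer. Once confirmed against the helper, state the contract at the first call, e.g. `/* maxlen is the whole buffer; unistr2_to_ascii() NUL-terminates within it */`. Truncation is also silent at all four sites, so an over-long alias name or description would be stored shortened rather than rejected.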
From: Volker Lendecke Date: Fri, 5 Oct 2007 21:41:17 +0000 Subject: r25534: Apply some const Why? It moves these structs from the data into the text segment, so they will never been copy-on-write copied. Not much, but as in German you say "Kleinvieh macht auch Mist...." (This used to be commit 0141e64ad4972232de867137064d0dae62da22ee) --- source3/rpc_server/srv_samr_nt.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 950a186e03..bec288730a 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -72,32 +72,32 @@ struct samr_info { TALLOC_CTX *mem_ctx; }; -static struct generic_mapping sam_generic_mapping = { +static const struct generic_mapping sam_generic_mapping = { GENERIC_RIGHTS_SAM_READ, GENERIC_RIGHTS_SAM_WRITE, GENERIC_RIGHTS_SAM_EXECUTE, GENERIC_RIGHTS_SAM_ALL_ACCESS}; -static struct generic_mapping dom_generic_mapping = { +static const struct generic_mapping dom_generic_mapping = { GENERIC_RIGHTS_DOMAIN_READ, GENERIC_RIGHTS_DOMAIN_WRITE, GENERIC_RIGHTS_DOMAIN_EXECUTE, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS}; -static struct generic_mapping usr_generic_mapping = { +static const struct generic_mapping usr_generic_mapping = { GENERIC_RIGHTS_USER_READ, GENERIC_RIGHTS_USER_WRITE, GENERIC_RIGHTS_USER_EXECUTE, GENERIC_RIGHTS_USER_ALL_ACCESS}; -static struct generic_mapping usr_nopwchange_generic_mapping = { +static const struct generic_mapping usr_nopwchange_generic_mapping = { GENERIC_RIGHTS_USER_READ, GENERIC_RIGHTS_USER_WRITE, GENERIC_RIGHTS_USER_EXECUTE & ~SA_RIGHT_USER_CHANGE_PASSWORD, GENERIC_RIGHTS_USER_ALL_ACCESS}; -static struct generic_mapping grp_generic_mapping = { +static const struct generic_mapping grp_generic_mapping = { GENERIC_RIGHTS_GROUP_READ, GENERIC_RIGHTS_GROUP_WRITE, GENERIC_RIGHTS_GROUP_EXECUTE, GENERIC_RIGHTS_GROUP_ALL_ACCESS}; -static struct generic_mapping ali_generic_mapping = { +static const struct generic_mapping ali_generic_mapping = { GENERIC_RIGHTS_ALIAS_READ, GENERIC_RIGHTS_ALIAS_WRITE, GENERIC_RIGHTS_ALIAS_EXECUTE, @@ -107,7 +107,7 @@ static struct generic_mapping ali_generic_mapping = { *******************************************************************/ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size, - struct generic_mapping *map, + const struct generic_mapping *map, DOM_SID *sid, uint32 sid_access ) { DOM_SID domadmin_sid; -- cgit From 30191d1a5704ad2b158386b511558972d539ce47 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Thu, 18 Oct 2007 17:40:25 -0700 Subject: RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f) --- source3/rpc_server/srv_samr_nt.c | 86 ++++++++++++++++++++-------------------- 1 file changed, 43 insertions(+), 43 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index bec288730a..9aabaf08ca 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -46,7 +46,7 @@ typedef struct disp_info { DOM_SID sid; /* identify which domain this is. */ - BOOL builtin_domain; /* Quick flag to check if this is the builtin domain. */ + bool builtin_domain; /* Quick flag to check if this is the builtin domain. */ struct pdb_search *users; /* querydispinfo 1 and 4 */ struct pdb_search *machines; /* querydispinfo 2 */ struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */ @@ -65,7 +65,7 @@ typedef struct disp_info { struct samr_info { /* for use by the \PIPE\samr policy */ DOM_SID sid; - BOOL builtin_domain; /* Quick flag to check if this is the builtin domain. */ + bool builtin_domain; /* Quick flag to check if this is the builtin domain. */ uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */ uint32 acc_granted; DISP_INFO *disp_info; @@ -651,7 +651,7 @@ NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, /******************************************************************* ********************************************************************/ -static BOOL get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol, +static bool get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol, DOM_SID *sid, uint32 *acc_granted, DISP_INFO **ppdisp_info) { 
@@ -682,7 +682,7 @@ NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_ DOM_SID pol_sid; uint32 acc_granted, i; SEC_ACL *dacl; - BOOL ret; + bool ret; struct samu *sampass=NULL; NTSTATUS status; @@ -738,10 +738,10 @@ NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_ /******************************************************************* build correct perms based on policies and password times for _samr_query_sec_obj *******************************************************************/ -static BOOL check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid) +static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid) { struct samu *sampass=NULL; - BOOL ret; + bool ret; if ( !(sampass = samu_new( mem_ctx )) ) { DEBUG(0,("No memory!\n")); @@ -1663,7 +1663,7 @@ NTSTATUS _samr_chgpasswd_user3(pipes_struct *p, SAMR_Q_CHGPASSWD_USER3 *q_u, SAM makes a SAMR_R_LOOKUP_RIDS structure. ********************************************************************/ -static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, +static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, const char **names, UNIHDR **pp_hdr_name, UNISTR2 **pp_uni_name) { @@ -1779,7 +1779,7 @@ NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USE uint32 acc_granted; uint32 des_access = q_u->access_mask; size_t sd_size; - BOOL ret; + bool ret; NTSTATUS nt_status; SE_PRIV se_rights; @@ -1850,7 +1850,7 @@ NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USE static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_SID *user_sid) { struct samu *smbpass=NULL; - BOOL ret; + bool ret; if ( !(smbpass = samu_new( mem_ctx )) ) { return NT_STATUS_NO_MEMORY; 
@@ -1881,7 +1881,7 @@ static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_S static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, SAM_USER_INFO_9 * id9, DOM_SID *user_sid) { struct samu *smbpass=NULL; - BOOL ret; + bool ret; if ( !(smbpass = samu_new( mem_ctx )) ) { return NT_STATUS_NO_MEMORY; @@ -1913,7 +1913,7 @@ static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, SAM_USER_INFO_9 * id9, DOM_ static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, SAM_USER_INFO_16 *id16, DOM_SID *user_sid) { struct samu *smbpass=NULL; - BOOL ret; + bool ret; if ( !(smbpass = samu_new( mem_ctx )) ) { return NT_STATUS_NO_MEMORY; @@ -1947,7 +1947,7 @@ static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, SAM_USER_INFO_16 *id16, DO static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_INFO_18 * id18, DOM_SID *user_sid) { struct samu *smbpass=NULL; - BOOL ret; + bool ret; if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) { return NT_STATUS_ACCESS_DENIED; @@ -1995,7 +1995,7 @@ static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_ static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DOM_SID *user_sid) { struct samu *sampass=NULL; - BOOL ret; + bool ret; if ( !(sampass = samu_new( mem_ctx )) ) { return NT_STATUS_NO_MEMORY; @@ -2030,7 +2030,7 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, DOM_SID *user_sid, DOM_SID *domain_sid) { struct samu *sampass=NULL; - BOOL ret; + bool ret; NTSTATUS nt_status; if ( !(sampass = samu_new( mem_ctx )) ) { @@ -2174,9 +2174,9 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S gid_t *unix_gids; size_t i, num_gids; uint32 acc_granted; - BOOL ret; + bool ret; NTSTATUS result; - BOOL success = False; + bool success = False; /* * from the SID in the request: 
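Review bot: In the get_user_info_18 hunk the guard `if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP)` is true for every auth_type as long as the two constants differ, so the function would return NT_STATUS_ACCESS_DENIED before it ever looks up the user. The type rename leaves this context line untouched. The check fails closed, but it does not express the apparent intent of refusing only pipes that use neither mechanism; that would be `if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP && p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP)`. Any change here should keep the later checks in the function, which lie outside the hunk, as the real gate on returning password data.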
@@ -2486,7 +2486,7 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name) { enum lsa_SidType type; - BOOL result; + bool result; DEBUG(10, ("Checking whether [%s] can be created\n", new_name)); @@ -2537,7 +2537,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, size_t sd_size; /* check this, when giving away 'add computer to domain' privs */ uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS; - BOOL can_add_account = False; + bool can_add_account = False; SE_PRIV se_rights; DISP_INFO *disp_info = NULL; @@ -2908,7 +2908,7 @@ NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_ makes a SAMR_R_ENUM_DOMAINS structure. ********************************************************************/ -static BOOL make_enum_domains(TALLOC_CTX *ctx, SAM_ENTRY **pp_sam, +static bool make_enum_domains(TALLOC_CTX *ctx, SAM_ENTRY **pp_sam, UNISTR2 **pp_uni_name, uint32 num_sam_entries, fstring doms[]) { uint32 i; @@ -3028,7 +3028,7 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A { /* Check we actually have the requested alias */ enum lsa_SidType type; - BOOL result; + bool result; gid_t gid; become_root(); @@ -3105,7 +3105,7 @@ static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx, set_user_info_16 ********************************************************************/ -static BOOL set_user_info_16(const SAM_USER_INFO_16 *id16, struct samu *pwd) +static bool set_user_info_16(const SAM_USER_INFO_16 *id16, struct samu *pwd) { if (id16 == NULL) { DEBUG(5, ("set_user_info_16: NULL id16\n")); @@ -3133,7 +3133,7 @@ static BOOL set_user_info_16(const SAM_USER_INFO_16 *id16, struct samu *pwd) set_user_info_18 ********************************************************************/ -static BOOL set_user_info_18(SAM_USER_INFO_18 *id18, struct samu *pwd) +static bool set_user_info_18(SAM_USER_INFO_18 *id18, struct samu *pwd) { if (id18 == NULL) { 
@@ -3168,7 +3168,7 @@ static BOOL set_user_info_18(SAM_USER_INFO_18 *id18, struct samu *pwd) set_user_info_20 ********************************************************************/ -static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, struct samu *pwd) +static bool set_user_info_20(SAM_USER_INFO_20 *id20, struct samu *pwd) { if (id20 == NULL) { DEBUG(5, ("set_user_info_20: NULL id20\n")); @@ -3351,7 +3351,7 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, set_user_info_pw ********************************************************************/ -static BOOL set_user_info_pw(uint8 *pass, struct samu *pwd) +static bool set_user_info_pw(uint8 *pass, struct samu *pwd) { uint32 len; pstring plaintext_buf; @@ -3481,8 +3481,8 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE SAM_USERINFO_CTR *ctr = q_u->ctr; uint32 acc_granted; uint32 acc_required; - BOOL ret; - BOOL has_enough_rights = False; + bool ret; + bool has_enough_rights = False; uint32 acb_info; DISP_INFO *disp_info = NULL; @@ -3651,8 +3651,8 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ uint16 switch_value = q_u->switch_value; uint32 acc_granted; uint32 acc_required; - BOOL ret; - BOOL has_enough_rights = False; + bool ret; + bool has_enough_rights = False; uint32 acb_info; DISP_INFO *disp_info = NULL; @@ -3973,7 +3973,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD DOM_SID alias_sid; uint32 acc_granted; SE_PRIV se_rights; - BOOL can_add_accounts; + bool can_add_accounts; NTSTATUS ret; DISP_INFO *disp_info = NULL; @@ -4018,7 +4018,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE DOM_SID alias_sid; uint32 acc_granted; SE_PRIV se_rights; - BOOL can_add_accounts; + bool can_add_accounts; NTSTATUS ret; DISP_INFO *disp_info = NULL; 
@@ -4065,7 +4065,7 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD uint32 group_rid; uint32 acc_granted; SE_PRIV se_rights; - BOOL can_add_accounts; + bool can_add_accounts; DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ @@ -4113,7 +4113,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE uint32 group_rid; uint32 acc_granted; SE_PRIV se_rights; - BOOL can_add_accounts; + bool can_add_accounts; DISP_INFO *disp_info = NULL; /* @@ -4164,10 +4164,10 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM DOM_SID user_sid; struct samu *sam_pass=NULL; uint32 acc_granted; - BOOL can_add_accounts; + bool can_add_accounts; uint32 acb_info; DISP_INFO *disp_info = NULL; - BOOL ret; + bool ret; DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__)); @@ -4248,7 +4248,7 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S uint32 group_rid; uint32 acc_granted; SE_PRIV se_rights; - BOOL can_add_accounts; + bool can_add_accounts; DISP_INFO *disp_info = NULL; DEBUG(5, ("samr_delete_dom_group: %d\n", __LINE__)); @@ -4308,7 +4308,7 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S DOM_SID alias_sid; uint32 acc_granted; SE_PRIV se_rights; - BOOL can_add_accounts; + bool can_add_accounts; NTSTATUS status; DISP_INFO *disp_info = NULL; @@ -4378,7 +4378,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S struct samr_info *info; uint32 acc_granted; SE_PRIV se_rights; - BOOL can_add_accounts; + bool can_add_accounts; DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ 
@@ -4456,7 +4456,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S gid_t gid; NTSTATUS result; SE_PRIV se_rights; - BOOL can_add_accounts; + bool can_add_accounts; DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ @@ -4543,7 +4543,7 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM GROUP_MAP map; GROUP_INFO_CTR *ctr; uint32 acc_granted; - BOOL ret; + bool ret; if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; @@ -4638,8 +4638,8 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ GROUP_INFO_CTR *ctr; uint32 acc_granted; NTSTATUS ret; - BOOL result; - BOOL can_mod_accounts; + bool result; + bool can_mod_accounts; DISP_INFO *disp_info = NULL; if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, &disp_info)) @@ -4701,7 +4701,7 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ struct acct_info info; ALIAS_INFO_CTR *ctr; uint32 acc_granted; - BOOL can_mod_accounts; + bool can_mod_accounts; NTSTATUS status; DISP_INFO *disp_info = NULL; @@ -4832,7 +4832,7 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G size_t sd_size; NTSTATUS status; fstring sid_string; - BOOL ret; + bool ret; SE_PRIV se_rights; if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid, &acc_granted, NULL)) -- cgit From 79266500cd3f84c74b2f89ceeb15c23cedacc2b5 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 12 Nov 2007 15:02:50 -0800 Subject: Remove all pstrings from smbd/chgpasswd.c. Jeremy. (This used to be commit eaf14c701b08e9eff5b94bf57af68cb29142d7fc) --- source3/rpc_server/srv_samr_nt.c | 58 ++++++++++++++++++++++------------------ 1 file changed, 32 insertions(+), 26 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 9aabaf08ca..3cc8f01d2c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3275,33 +3275,37 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, struct samu *pwd) { - pstring plaintext_buf; - uint32 len; + char *plaintext_buf = NULL; + uint32 len = 0; uint16 acct_ctrl; NTSTATUS status; - + if (id23 == NULL) { DEBUG(5, ("set_user_info_23: NULL id23\n")); return NT_STATUS_INVALID_PARAMETER; } - + DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n", pdb_get_username(pwd))); acct_ctrl = pdb_get_acct_ctrl(pwd); - if (!decode_pw_buffer(id23->pass, plaintext_buf, 256, &len, STR_UNICODE)) { + if (!decode_pw_buffer(mem_ctx, + id23->pass, + &plaintext_buf, + &len, + STR_UNICODE)) { TALLOC_FREE(pwd); return NT_STATUS_INVALID_PARAMETER; } - + if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) { TALLOC_FREE(pwd); return NT_STATUS_ACCESS_DENIED; } - + copy_id23_to_sam_passwd(pwd, id23); - + /* if it's a trust account, don't update /etc/passwd */ if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) || @@ -3320,16 +3324,16 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, if ((passwd = Get_Pwnam(pdb_get_username(pwd))) == NULL) { DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n")); } - + if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) { TALLOC_FREE(pwd); return NT_STATUS_ACCESS_DENIED; } } } - - ZERO_STRUCT(plaintext_buf); - + + memset(plaintext_buf, '\0', strlen(plaintext_buf)); + if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) && (!NT_STATUS_IS_OK(status = pdb_set_unix_primary_group(mem_ctx, pwd)))) { 
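Review bot: The decoded password in set_user_info_23 is now a talloc allocation on `mem_ctx`, but it is wiped only on the success path. The `return NT_STATUS_ACCESS_DENIED;` exits after pdb_set_plaintext_passwd() and chgpasswd() fail leave the cleartext in that context until it is freed. The pstring it replaces was apparently a fixed-size local, so the cleartext now probably stays in memory for longer than before; the context's lifetime is not visible here. Run the same wipe, `memset(plaintext_buf, '\0', strlen(plaintext_buf));`, before each of those returns, or route them through a single exit label that wipes first. set_user_info_pw in the following hunks has the same shape with `talloc_tos()` and `return False;`; both function bodies start and end outside the hunks.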
@@ -3341,7 +3345,7 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, TALLOC_FREE(pwd); return status; } - + TALLOC_FREE(pwd); return NT_STATUS_OK; @@ -3353,12 +3357,12 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, static bool set_user_info_pw(uint8 *pass, struct samu *pwd) { - uint32 len; - pstring plaintext_buf; + uint32 len = 0; + char *plaintext_buf = NULL; uint32 acct_ctrl; time_t last_set_time; enum pdb_value_state last_set_state; - + DEBUG(5, ("Attempting administrator password change for user %s\n", pdb_get_username(pwd))); @@ -3368,9 +3372,11 @@ static bool set_user_info_pw(uint8 *pass, struct samu *pwd) last_set_state = pdb_get_init_flags(pwd, PDB_PASSLASTSET); last_set_time = pdb_get_pass_last_set_time(pwd); - ZERO_STRUCT(plaintext_buf); - - if (!decode_pw_buffer(pass, plaintext_buf, 256, &len, STR_UNICODE)) { + if (!decode_pw_buffer(talloc_tos(), + pass, + &plaintext_buf, + &len, + STR_UNICODE)) { TALLOC_FREE(pwd); return False; } @@ -3379,7 +3385,7 @@ static bool set_user_info_pw(uint8 *pass, struct samu *pwd) TALLOC_FREE(pwd); return False; } - + /* if it's a trust account, don't update /etc/passwd */ if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) || ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) || 
@@ -3399,21 +3405,21 @@ static bool set_user_info_pw(uint8 *pass, struct samu *pwd) if ((passwd = Get_Pwnam(pdb_get_username(pwd))) == NULL) { DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n")); } - + if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) { TALLOC_FREE(pwd); return False; } } } - - ZERO_STRUCT(plaintext_buf); - + + memset(plaintext_buf, '\0', strlen(plaintext_buf)); + /* restore last set time as this is an admin change, not a user pw change */ pdb_set_pass_last_set_time (pwd, last_set_time, last_set_state); - + DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n")); - + /* update the SAMBA password */ if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { TALLOC_FREE(pwd); -- cgit From 900288a2b86abd247f9eb4cd15dc5617a17cfef1 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 15 Dec 2007 21:11:36 +0100 Subject: Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09) --- source3/rpc_server/srv_samr_nt.c | 99 +++++++++++++++++++++------------------- 1 file changed, 52 insertions(+), 47 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 3cc8f01d2c..d013ec8f03 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -347,7 +347,7 @@ static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) static void free_samr_cache(DISP_INFO *disp_info) { DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n", - sid_string_static(&disp_info->sid))); + sid_string_dbg(&disp_info->sid))); /* We need to become root here because the paged search might have to * tell the LDAP server we're not interested in the rest anymore. */ 
@@ -431,8 +431,7 @@ static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromno TALLOC_FREE(disp_info->cache_timeout_event); DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for " - "SID %s for %u seconds\n", - sid_string_static(&disp_info->sid), + "SID %s for %u seconds\n", sid_string_dbg(&disp_info->sid), (unsigned int)secs_fromnow )); disp_info->cache_timeout_event = event_add_timed( @@ -702,7 +701,7 @@ NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_ unbecome_root(); if (!ret) { - DEBUG(4, ("User %s not found\n", sid_string_static(&pol_sid))); + DEBUG(4, ("User %s not found\n", sid_string_dbg(&pol_sid))); TALLOC_FREE(sampass); return NT_STATUS_INVALID_HANDLE; } @@ -753,7 +752,7 @@ static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid) unbecome_root(); if (ret == False) { - DEBUG(4,("User %s not found\n", sid_string_static(user_sid))); + DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); TALLOC_FREE(sampass); return False; } @@ -776,7 +775,6 @@ static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid) NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_QUERY_SEC_OBJ *r_u) { DOM_SID pol_sid; - fstring str_sid; SEC_DESC * psd = NULL; uint32 acc_granted; size_t sd_size; @@ -787,7 +785,8 @@ NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_ if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &pol_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - DEBUG(10,("_samr_query_sec_obj: querying security on SID: %s\n", sid_to_string(str_sid, &pol_sid))); + DEBUG(10,("_samr_query_sec_obj: querying security on SID: %s\n", + sid_string_dbg(&pol_sid))); /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */ 
@@ -797,18 +796,21 @@ NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_ r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); } else if (sid_equal(&pol_sid,get_global_sam_sid())) { /* check if it is our domain SID */ - DEBUG(5,("_samr_query_sec_obj: querying security on Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid))); + DEBUG(5,("_samr_query_sec_obj: querying security on Domain " + "with SID: %s\n", sid_string_dbg(&pol_sid))); r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0); } else if (sid_equal(&pol_sid,&global_sid_Builtin)) { /* check if it is the Builtin Domain */ /* TODO: Builtin probably needs a different SD with restricted write access*/ - DEBUG(5,("_samr_query_sec_obj: querying security on Builtin Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid))); + DEBUG(5,("_samr_query_sec_obj: querying security on Builtin " + "Domain with SID: %s\n", sid_string_dbg(&pol_sid))); r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0); } else if (sid_check_is_in_our_domain(&pol_sid) || sid_check_is_in_builtin(&pol_sid)) { /* TODO: different SDs have to be generated for aliases groups and users. Currently all three get a default user SD */ - DEBUG(10,("_samr_query_sec_obj: querying security on Object with SID: %s\n", sid_to_string(str_sid, &pol_sid))); + DEBUG(10,("_samr_query_sec_obj: querying security on Object " + "with SID: %s\n", sid_string_dbg(&pol_sid))); if (check_change_pw_access(p->mem_ctx, &pol_sid)) { r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &pol_sid, SAMR_USR_RIGHTS_WRITE_PW); @@ -1101,7 +1103,7 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S return r_u->status; DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", - sid_string_static(&info->sid))); + sid_string_dbg(&info->sid))); become_root(); 
@@ -1466,7 +1468,6 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO int i; int num_rids = q_u->num_names2; DOM_SID pol_sid; - fstring sid_str; uint32 acc_granted; r_u->status = NT_STATUS_OK; @@ -1490,7 +1491,8 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO DEBUG(5,("_samr_lookup_names: truncating entries to %d\n", num_rids)); } - DEBUG(5,("_samr_lookup_names: looking name on SID %s\n", sid_to_string(sid_str, &pol_sid))); + DEBUG(5,("_samr_lookup_names: looking name on SID %s\n", + sid_string_dbg(&pol_sid))); for (i = 0; i < num_rids; i++) { fstring name; @@ -1861,7 +1863,7 @@ static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_S unbecome_root(); if ( !ret ) { - DEBUG(4,("User %s not found\n", sid_string_static(user_sid))); + DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); return NT_STATUS_NO_SUCH_USER; } @@ -1892,7 +1894,7 @@ static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, SAM_USER_INFO_9 * id9, DOM_ unbecome_root(); if (ret==False) { - DEBUG(4,("User %s not found\n", sid_string_static(user_sid))); + DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); return NT_STATUS_NO_SUCH_USER; } @@ -1924,7 +1926,7 @@ static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, SAM_USER_INFO_16 *id16, DO unbecome_root(); if (ret==False) { - DEBUG(4,("User %s not found\n", sid_string_static(user_sid))); + DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); return NT_STATUS_NO_SUCH_USER; } @@ -1968,7 +1970,7 @@ static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_ ret = pdb_getsampwsid(smbpass, user_sid); if (ret == False) { - DEBUG(4, ("User %s not found\n", sid_string_static(user_sid))); + DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid))); TALLOC_FREE(smbpass); return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED; } 
@@ -2006,7 +2008,7 @@ static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DO unbecome_root(); if (ret == False) { - DEBUG(4,("User %s not found\n", sid_string_static(user_sid))); + DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); return NT_STATUS_NO_SUCH_USER; } @@ -2042,7 +2044,7 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, unbecome_root(); if (ret == False) { - DEBUG(4,("User %s not found\n", sid_string_static(user_sid))); + DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); return NT_STATUS_NO_SUCH_USER; } @@ -2082,7 +2084,8 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ if (!sid_check_is_in_our_domain(&info->sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - DEBUG(5,("_samr_query_userinfo: sid:%s\n", sid_string_static(&info->sid))); + DEBUG(5,("_samr_query_userinfo: sid:%s\n", + sid_string_dbg(&info->sid))); ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_USERINFO_CTR); if (!ctr) @@ -2215,7 +2218,7 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S if (!ret) { DEBUG(10, ("pdb_getsampwsid failed for %s\n", - sid_string_static(&sid))); + sid_string_dbg(&sid))); return NT_STATUS_NO_SUCH_USER; } @@ -2234,13 +2237,13 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S if (!NT_STATUS_IS_OK(result)) { DEBUG(10, ("pdb_enum_group_memberships failed for %s\n", - sid_string_static(&sid))); + sid_string_dbg(&sid))); return result; } if ( !success ) { DEBUG(5, ("Group sid %s for user %s not in our domain\n", - sid_string_static(pdb_get_group_sid(sam_pass)), + sid_string_dbg(pdb_get_group_sid(sam_pass)), pdb_get_username(sam_pass))); TALLOC_FREE(sam_pass); return NT_STATUS_INTERNAL_DB_CORRUPTION; 
@@ -2259,7 +2262,7 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S if (!sid_peek_check_rid(get_global_sam_sid(), &(sids[i]), &dom_gid.g_rid)) { DEBUG(10, ("Found sid %s not in our domain\n", - sid_string_static(&sids[i]))); + sid_string_dbg(&sids[i]))); continue; } @@ -2897,7 +2900,8 @@ NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_ } } - DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name, sid_string_static(&sid))); + DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name, + sid_string_dbg(&sid))); init_samr_r_lookup_domain(r_u, &sid, r_u->status); @@ -3523,7 +3527,8 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE return r_u->status; } - DEBUG(5, ("_samr_set_userinfo: sid:%s, level:%d\n", sid_string_static(&sid), switch_value)); + DEBUG(5, ("_samr_set_userinfo: sid:%s, level:%d\n", + sid_string_dbg(&sid), switch_value)); if (ctr == NULL) { DEBUG(5, ("_samr_set_userinfo: NULL info level\n")); @@ -3683,7 +3688,8 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ return r_u->status; } - DEBUG(5, ("samr_reply_set_userinfo2: sid:%s\n", sid_string_static(&sid))); + DEBUG(5, ("samr_reply_set_userinfo2: sid:%s\n", + sid_string_dbg(&sid))); if (ctr == NULL) { DEBUG(5, ("samr_reply_set_userinfo2: NULL info level\n")); @@ -3879,7 +3885,7 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ return r_u->status; } - DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid))); + DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid))); become_root(); status = pdb_enum_aliasmem(&alias_sid, &sids, &num_sids); 
@@ -3917,7 +3923,6 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u) { DOM_SID group_sid; - fstring group_sid_str; size_t i, num_members; uint32 *rid=NULL; @@ -3935,11 +3940,11 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ return r_u->status; } - sid_to_string(group_sid_str, &group_sid); - DEBUG(10, ("sid is %s\n", group_sid_str)); + DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid))); if (!sid_check_is_in_our_domain(&group_sid)) { - DEBUG(3, ("sid %s is not in our domain\n", group_sid_str)); + DEBUG(3, ("sid %s is not in our domain\n", + sid_string_dbg(&group_sid))); return NT_STATUS_NO_SUCH_GROUP; } @@ -3991,7 +3996,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD return r_u->status; } - DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid))); + DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid))); se_priv_copy( &se_rights, &se_add_users ); can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); @@ -4037,7 +4042,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE } DEBUG(10, ("_samr_del_aliasmem:sid is %s\n", - sid_string_static(&alias_sid))); + sid_string_dbg(&alias_sid))); se_priv_copy( &se_rights, &se_add_users ); can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); @@ -4082,7 +4087,7 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD return r_u->status; } - DEBUG(10, ("sid is %s\n", sid_string_static(&group_sid))); + DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid))); if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid, &group_rid)) { 
@@ -4199,7 +4204,7 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM if( !ret ) { DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n", - sid_string_static(&user_sid))); + sid_string_dbg(&user_sid))); TALLOC_FREE(sam_pass); return NT_STATUS_NO_SUCH_USER; } @@ -4267,7 +4272,7 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S return r_u->status; } - DEBUG(10, ("sid is %s\n", sid_string_static(&group_sid))); + DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid))); if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid, &group_rid)) { @@ -4292,7 +4297,7 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S if ( !NT_STATUS_IS_OK(r_u->status) ) { DEBUG(5,("_samr_delete_dom_group: Failed to delete mapping " "entry for group %s: %s\n", - sid_string_static(&group_sid), + sid_string_dbg(&group_sid), nt_errstr(r_u->status))); return r_u->status; } @@ -4332,7 +4337,7 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S return r_u->status; } - DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid))); + DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid))); /* Don't let Windows delete builtin groups */ @@ -4907,12 +4912,12 @@ NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, DISP_INFO *disp_info = NULL; sid_copy( &delete_sid, &q_u->sid.sid ); - + DEBUG(5,("_samr_remove_sid_foreign_domain: removing SID [%s]\n", - sid_string_static(&delete_sid))); - + sid_string_dbg(&delete_sid))); + /* Find the policy handle. Open a policy on it. */ - + if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &domain_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; 
@@ -4923,8 +4928,8 @@ NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, if (!NT_STATUS_IS_OK(result)) return result; - DEBUG(8, ("_samr_remove_sid_foreign_domain:sid is %s\n", - sid_string_static(&domain_sid))); + DEBUG(8, ("_samr_remove_sid_foreign_domain:sid is %s\n", + sid_string_dbg(&domain_sid))); /* we can only delete a user from a group since we don't have nested groups anyways. So in the latter case, just say OK */ @@ -4943,8 +4948,8 @@ NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, if (!sid_check_is_builtin(&domain_sid)) { DEBUG(1,("_samr_remove_sid_foreign_domain: domain_sid = %s, " "global_sam_sid() = %s\n", - sid_string_static(&domain_sid), - sid_string_static(get_global_sam_sid()))); + sid_string_dbg(&domain_sid), + sid_string_dbg(get_global_sam_sid()))); DEBUGADD(1,("please report to samba-technical@samba.org!\n")); return NT_STATUS_OK; } -- cgit From 2e07c2ade89f4ff281c61f74cb88e09990cf5f46 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 15 Dec 2007 22:47:30 +0100 Subject: s/sid_to_string/sid_to_fstring/ least surprise for callers (This used to be commit eb523ba77697346a365589101aac379febecd546) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d013ec8f03..1af41228a7 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -315,7 +315,7 @@ static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) TALLOC_CTX *mem_ctx; if (psid) { - sid_to_string(sid_str, psid); + sid_to_fstring(sid_str, psid); } else { fstrcpy(sid_str,"(NULL)"); } 
@@ -4875,7 +4875,7 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G sid_copy(&info_sid, get_global_sam_sid()); sid_append_rid(&info_sid, q_u->rid_group); - sid_to_string(sid_string, &info_sid); + sid_to_fstring(sid_string, &info_sid); if ((info = get_samr_info_by_sid(&info_sid)) == NULL) return NT_STATUS_NO_MEMORY; -- cgit From 4c8a7082880e1c7ffff32f2567bc768d908a3699 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Mon, 17 Dec 2007 11:32:21 +0100 Subject: Fix flags in call of lookup_name() in srv_samr_nt.c: can_create(). Use LOOKUP_NAME_LOCAL instead of LOOKUP_NAME_ISOLATED. Michael (This used to be commit 1d4e0ad1142c61de402c925306f02f5de2c872f6) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 1af41228a7..cc4b4f330f 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2494,9 +2494,9 @@ static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name) DEBUG(10, ("Checking whether [%s] can be created\n", new_name)); become_root(); - /* Lookup in our local databases (only LOOKUP_NAME_ISOLATED set) + /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set) * whether the name already exists */ - result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_ISOLATED, + result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_LOCAL, NULL, NULL, NULL, &type); unbecome_root(); -- cgit From e518e19bc0000019f131354f55e9f5b55f6a2c5e Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 19 Dec 2007 15:02:59 +0100 Subject: Remove Get_Pwnam and its associated static variable All callers are replaced by Get_Pwnam_alloc (This used to be commit 735f59315497113aebadcf9ad387e3dbfffa284a) --- source3/rpc_server/srv_samr_nt.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index cc4b4f330f..1d69cb320e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3325,7 +3325,8 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, return NT_STATUS_ACCESS_DENIED; } - if ((passwd = Get_Pwnam(pdb_get_username(pwd))) == NULL) { + passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd)); + if (passwd == NULL) { DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n")); } @@ -3333,6 +3334,7 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, TALLOC_FREE(pwd); return NT_STATUS_ACCESS_DENIED; } + TALLOC_FREE(passwd); } } @@ -3406,7 +3408,8 @@ static bool set_user_info_pw(uint8 *pass, struct samu *pwd) return False; } - if ((passwd = Get_Pwnam(pdb_get_username(pwd))) == NULL) { + passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd)); + if (passwd == NULL) { DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n")); } @@ -3414,6 +3417,7 @@ static bool set_user_info_pw(uint8 *pass, struct samu *pwd) TALLOC_FREE(pwd); return False; } + TALLOC_FREE(passwd); } } -- cgit From 99b86e4a266b99634f6a65015f6df115c421d3e5 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 20 Dec 2007 22:27:01 +0100 Subject: Some C++ fixes (This used to be commit 5c392c4c6e277a24d0d477902dc7856b2b46ee53) --- source3/rpc_server/srv_samr_nt.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 1d69cb320e..01ce932afa 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
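Review bot: In set_user_info_23 the new `if (passwd == NULL)` branch only logs and then falls through, so the `chgpasswd()` call that sits between the two hunks presumably still receives a NULL `passwd`; the set_user_info_pw hunks repeat the same shape. Unless `chgpasswd()` rejects a NULL entry itself (not visible here), failing at that point is safer, with `TALLOC_FREE(pwd); return NT_STATUS_ACCESS_DENIED;` in set_user_info_23 and `TALLOC_FREE(pwd); return False;` in set_user_info_pw, matching the existing failure returns. The added `TALLOC_FREE(passwd);` runs only on success, and the failure path appears to rely on `TALLOC_FREE(pwd)` releasing the entry because it was allocated on `pwd`. A short comment such as `/* passwd is a talloc child of pwd */` would make that explicit. Both functions extend beyond the hunks.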
@@ -149,7 +149,9 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL) return NT_STATUS_NO_MEMORY; - if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL) + if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1, + SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, + psa, sd_size)) == NULL) return NT_STATUS_NO_MEMORY; return NT_STATUS_OK; -- cgit From 3d507a2fcab9da3d9ba928fbe1d30f2642ab4e93 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 30 Jan 2008 12:53:09 +0100 Subject: Let _samr_Close() use pidl generated server code. Guenther (This used to be commit 2df3408079fc382d00d01a0b82b0b8e1ffeba6e4) --- source3/rpc_server/srv_samr_nt.c | 686 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 677 insertions(+), 9 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 01ce932afa..e80327367b 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -543,20 +543,18 @@ static uint32 count_sam_aliases(struct disp_info *info) } /******************************************************************* - _samr_close_hnd + _samr_Close ********************************************************************/ -NTSTATUS _samr_close_hnd(pipes_struct *p, SAMR_Q_CLOSE_HND *q_u, SAMR_R_CLOSE_HND *r_u) +NTSTATUS _samr_Close(pipes_struct *p, struct samr_Close *r) { - r_u->status = NT_STATUS_OK; - - /* close the policy handle */ - if (!close_policy_hnd(p, &q_u->pol)) - return NT_STATUS_OBJECT_NAME_INVALID; + if (!close_policy_hnd(p, r->in.handle)) { + return NT_STATUS_INVALID_HANDLE; + } - DEBUG(5,("samr_reply_close_hnd: %d\n", __LINE__)); + ZERO_STRUCT(r->out.handle); - return r_u->status; + return NT_STATUS_OK; } /******************************************************************* 
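Review bot: `ZERO_STRUCT(r->out.handle);` in _samr_Close looks like it clears the pointer rather than the policy handle it points to. `r->in.handle` is passed straight to `close_policy_hnd()` where the old code passed `&q_u->pol`, which suggests the pidl-generated fields are pointers; the struct definition is not on this page, so confirm. If so, the reply would be built from a NULL `r->out.handle` and the closed handle itself is never zeroed; `ZERO_STRUCTP(r->out.handle);` is the form that zeroes the pointee. The status for a bad handle also changes from `NT_STATUS_OBJECT_NAME_INVALID` to `NT_STATUS_INVALID_HANDLE`, which clients can observe and which deserves a line in the commit message.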
@@ -5059,3 +5057,673 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R return r_u->status; } + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_Connect(pipes_struct *p, + struct samr_Connect *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_SetSecurity(pipes_struct *p, + struct samr_SetSecurity *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_QuerySecurity(pipes_struct *p, + struct samr_QuerySecurity *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_Shutdown(pipes_struct *p, + struct samr_Shutdown *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_LookupDomain(pipes_struct *p, + struct samr_LookupDomain *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_EnumDomains(pipes_struct *p, + struct samr_EnumDomains *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS 
_samr_OpenDomain(pipes_struct *p,
+ struct samr_OpenDomain *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
+ struct samr_QueryDomainInfo *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_SetDomainInfo(pipes_struct *p,
+ struct samr_SetDomainInfo *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_CreateDomainGroup(pipes_struct *p,
+ struct samr_CreateDomainGroup *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
+ struct samr_EnumDomainGroups *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_CreateUser(pipes_struct *p,
+ struct samr_CreateUser *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
+ struct samr_EnumDomainUsers *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_CreateDomAlias(pipes_struct *p,
+ struct samr_CreateDomAlias *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_EnumDomainAliases(pipes_struct *p,
+ struct samr_EnumDomainAliases *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_GetAliasMembership(pipes_struct *p,
+ struct samr_GetAliasMembership *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_LookupNames(pipes_struct *p,
+ struct samr_LookupNames *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_LookupRids(pipes_struct *p,
+ struct samr_LookupRids *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_OpenGroup(pipes_struct *p,
+ struct samr_OpenGroup *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_QueryGroupInfo(pipes_struct *p,
+ struct samr_QueryGroupInfo *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_SetGroupInfo(pipes_struct *p,
+ struct samr_SetGroupInfo *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_AddGroupMember(pipes_struct *p,
+ struct samr_AddGroupMember *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p,
+ struct samr_DeleteDomainGroup *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_DeleteGroupMember(pipes_struct *p,
+ struct samr_DeleteGroupMember *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_QueryGroupMember(pipes_struct *p,
+ struct samr_QueryGroupMember *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p,
+ struct samr_SetMemberAttributesOfGroup *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_OpenAlias(pipes_struct *p,
+ struct samr_OpenAlias *r)
+{
+
p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_QueryAliasInfo(pipes_struct *p,
+ struct samr_QueryAliasInfo *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_SetAliasInfo(pipes_struct *p,
+ struct samr_SetAliasInfo *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_DeleteDomAlias(pipes_struct *p,
+ struct samr_DeleteDomAlias *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_AddAliasMember(pipes_struct *p,
+ struct samr_AddAliasMember *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_DeleteAliasMember(pipes_struct *p,
+ struct samr_DeleteAliasMember *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_GetMembersInAlias(pipes_struct *p,
+ struct samr_GetMembersInAlias *r)
+{
+ p->rng_fault_state = true;
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS _samr_OpenUser(pipes_struct *p,
+
struct samr_OpenUser *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_DeleteUser(pipes_struct *p, + struct samr_DeleteUser *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_QueryUserInfo(pipes_struct *p, + struct samr_QueryUserInfo *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_SetUserInfo(pipes_struct *p, + struct samr_SetUserInfo *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_ChangePasswordUser(pipes_struct *p, + struct samr_ChangePasswordUser *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_GetGroupsForUser(pipes_struct *p, + struct samr_GetGroupsForUser *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p, + struct samr_QueryDisplayInfo *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS 
_samr_GetDisplayEnumerationIndex(pipes_struct *p, + struct samr_GetDisplayEnumerationIndex *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_TestPrivateFunctionsDomain(pipes_struct *p, + struct samr_TestPrivateFunctionsDomain *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p, + struct samr_TestPrivateFunctionsUser *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_GetUserPwInfo(pipes_struct *p, + struct samr_GetUserPwInfo *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_RemoveMemberFromForeignDomain(pipes_struct *p, + struct samr_RemoveMemberFromForeignDomain *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p, + struct samr_QueryDomainInfo2 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_QueryUserInfo2(pipes_struct *p, + struct samr_QueryUserInfo2 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + 
+/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_QueryDisplayInfo2(pipes_struct *p, + struct samr_QueryDisplayInfo2 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_GetDisplayEnumerationIndex2(pipes_struct *p, + struct samr_GetDisplayEnumerationIndex2 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_CreateUser2(pipes_struct *p, + struct samr_CreateUser2 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p, + struct samr_QueryDisplayInfo3 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_AddMultipleMembersToAlias(pipes_struct *p, + struct samr_AddMultipleMembersToAlias *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_RemoveMultipleMembersFromAlias(pipes_struct *p, + struct samr_RemoveMultipleMembersFromAlias *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS 
_samr_OemChangePasswordUser2(pipes_struct *p, + struct samr_OemChangePasswordUser2 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p, + struct samr_ChangePasswordUser2 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_GetDomPwInfo(pipes_struct *p, + struct samr_GetDomPwInfo *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_Connect2(pipes_struct *p, + struct samr_Connect2 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_SetUserInfo2(pipes_struct *p, + struct samr_SetUserInfo2 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_SetBootKeyInformation(pipes_struct *p, + struct samr_SetBootKeyInformation *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_GetBootKeyInformation(pipes_struct *p, + struct samr_GetBootKeyInformation *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** 
+****************************************************************/ + +NTSTATUS _samr_Connect3(pipes_struct *p, + struct samr_Connect3 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_Connect4(pipes_struct *p, + struct samr_Connect4 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p, + struct samr_ChangePasswordUser3 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_Connect5(pipes_struct *p, + struct samr_Connect5 *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_RidToSid(pipes_struct *p, + struct samr_RidToSid *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_SetDsrmPassword(pipes_struct *p, + struct samr_SetDsrmPassword *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS _samr_ValidatePassword(pipes_struct *p, + struct samr_ValidatePassword *r) +{ + p->rng_fault_state = true; + return NT_STATUS_NOT_IMPLEMENTED; +} -- cgit 
From 2e2fa2c66ed8cd1ada68bc22ff257490495a29f0 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 30 Jan 2008 21:55:03 +0100 Subject: Use pidl for samr_GetDomPwInfo() server-side. Guenther (This used to be commit 60fe8ade74d24d49f0fed0aae360a3b00edcd2b4) --- source3/rpc_server/srv_samr_nt.c | 25 ++++++++----------------- 1 file changed, 8 insertions(+), 17 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e80327367b..986fe9a62e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4810,23 +4810,24 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ return status; } -/********************************************************************* - _samr_get_dom_pwinfo -*********************************************************************/ +/**************************************************************** + _samr_GetDomPwInfo +****************************************************************/ -NTSTATUS _samr_get_dom_pwinfo(pipes_struct *p, SAMR_Q_GET_DOM_PWINFO *q_u, SAMR_R_GET_DOM_PWINFO *r_u) +NTSTATUS _samr_GetDomPwInfo(pipes_struct *p, + struct samr_GetDomPwInfo *r) { /* Perform access check. Since this rpc does not require a policy handle it will not be caught by the access checks on SAMR_CONNECT or SAMR_CONNECT_ANON. */ if (!pipe_access_check(p)) { - DEBUG(3, ("access denied to samr_get_dom_pwinfo\n")); - r_u->status = NT_STATUS_ACCESS_DENIED; - return r_u->status; + DEBUG(3, ("access denied to _samr_GetDomPwInfo\n")); + return NT_STATUS_ACCESS_DENIED; } /* Actually, returning zeros here works quite well :-). */ + ZERO_STRUCTP(r->out.info); return NT_STATUS_OK; } 
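Review bot: The success path of _samr_GetDomPwInfo now answers with an explicitly zeroed `r->out.info`, so any caller that passes pipe_access_check() is told the domain has an empty password policy, whatever the server actually enforces. The one-line comment above `ZERO_STRUCTP(r->out.info);` does not say that this is a placeholder. I would replace it with `/* Placeholder: reports an all-zero password policy, not the configured account policy. */` so a later reader does not take the reply for real policy data. Nothing in `r->in` is consulted, which the comment could also state.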
@@ -5611,16 +5612,6 @@ NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_GetDomPwInfo(pipes_struct *p, - struct samr_GetDomPwInfo *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_Connect2(pipes_struct *p, struct samr_Connect2 *r) { -- cgit From 8d8d955b98039d48e1aca6396bbdbc11d9141c21 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 31 Jan 2008 14:24:33 +0100 Subject: Fix _samr_Close(). A good example that work in this area needs very careful testing :) Guenther (This used to be commit 7d369906ec37caebaa4e2097874997fa257f1a31) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 986fe9a62e..cf5e1a9ead 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -552,7 +552,7 @@ NTSTATUS _samr_Close(pipes_struct *p, struct samr_Close *r) return NT_STATUS_INVALID_HANDLE; } - ZERO_STRUCT(r->out.handle); + ZERO_STRUCTP(r->out.handle); return NT_STATUS_OK; } -- cgit From fd15e9dd1c784220f8666083e2fa0bb9c75e7755 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 00:23:50 +0100 Subject: Use pidl for _samr_OpenDomain(). Guenther (This used to be commit 15801832ecd59bdb35ed33696944fe5beb08bf3f) --- source3/rpc_server/srv_samr_nt.c | 37 +++++++++++++------------------------ 1 file changed, 13 insertions(+), 24 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index cf5e1a9ead..05c0cc69cf 100644 --- a/source3/rpc_server/srv_samr_nt.c 
+++ b/source3/rpc_server/srv_samr_nt.c @@ -558,28 +558,27 @@ NTSTATUS _samr_Close(pipes_struct *p, struct samr_Close *r) } /******************************************************************* - samr_reply_open_domain + _samr_OpenDomain ********************************************************************/ -NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN_DOMAIN *r_u) +NTSTATUS _samr_OpenDomain(pipes_struct *p, + struct samr_OpenDomain *r) { struct samr_info *info; SEC_DESC *psd = NULL; uint32 acc_granted; - uint32 des_access = q_u->flags; + uint32 des_access = r->in.access_mask; NTSTATUS status; size_t sd_size; SE_PRIV se_rights; - r_u->status = NT_STATUS_OK; - /* find the connection policy handle. */ - if ( !find_policy_by_hnd(p, &q_u->pol, (void**)(void *)&info) ) + if ( !find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info) ) return NT_STATUS_INVALID_HANDLE; status = access_check_samr_function( info->acc_granted, - SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_open_domain" ); + SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_OpenDomain" ); if ( !NT_STATUS_IS_OK(status) ) return status; 
@@ -594,28 +593,28 @@ NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN status = access_check_samr_object( psd, p->pipe_user.nt_user_token, &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access, - &acc_granted, "_samr_open_domain" ); + &acc_granted, "_samr_OpenDomain" ); if ( !NT_STATUS_IS_OK(status) ) return status; - if (!sid_check_is_domain(&q_u->dom_sid.sid) && - !sid_check_is_builtin(&q_u->dom_sid.sid)) { + if (!sid_check_is_domain(r->in.sid) && + !sid_check_is_builtin(r->in.sid)) { return NT_STATUS_NO_SUCH_DOMAIN; } /* associate the domain SID with the (unique) handle. */ - if ((info = get_samr_info_by_sid(&q_u->dom_sid.sid))==NULL) + if ((info = get_samr_info_by_sid(r->in.sid))==NULL) return NT_STATUS_NO_MEMORY; info->acc_granted = acc_granted; /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, &r_u->domain_pol, free_samr_info, (void *)info)) + if (!create_policy_hnd(p, r->out.domain_handle, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - DEBUG(5,("samr_open_domain: %d\n", __LINE__)); + DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__)); - return r_u->status; + return NT_STATUS_OK; } /******************************************************************* @@ -5122,16 +5121,6 @@ NTSTATUS _samr_EnumDomains(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_OpenDomain(pipes_struct *p, - struct samr_OpenDomain *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_QueryDomainInfo(pipes_struct *p, struct samr_QueryDomainInfo *r) { -- cgit From 645559990f03c4ca702c472f9344343e78b4385f Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Fri, 1 Feb 2008 00:39:06 +0100 Subject: Use pidl for _samr_OpenUser(). Guenther (This used to be commit ea3a096bcdc42fd4a86be5df3e8f9745e99970ff) --- source3/rpc_server/srv_samr_nt.c | 33 +++++++++++---------------------- 1 file changed, 11 insertions(+), 22 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 05c0cc69cf..b677876270 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1766,33 +1766,32 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK } /******************************************************************* - _samr_open_user. Safe - gives out no passwd info. - ********************************************************************/ + _samr_OpenUser +********************************************************************/ -NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USER *r_u) +NTSTATUS _samr_OpenUser(pipes_struct *p, + struct samr_OpenUser *r) { struct samu *sampass=NULL; DOM_SID sid; - POLICY_HND domain_pol = q_u->domain_pol; - POLICY_HND *user_pol = &r_u->user_pol; + POLICY_HND domain_pol = *r->in.domain_handle; + POLICY_HND *user_pol = r->out.user_handle; struct samr_info *info = NULL; SEC_DESC *psd = NULL; uint32 acc_granted; - uint32 des_access = q_u->access_mask; + uint32 des_access = r->in.access_mask; size_t sd_size; bool ret; NTSTATUS nt_status; SE_PRIV se_rights; - r_u->status = NT_STATUS_OK; - /* find the domain policy handle and get domain SID / access bits in the domain policy. */ if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) ) return NT_STATUS_INVALID_HANDLE; nt_status = access_check_samr_function( acc_granted, - SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_user" ); + SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_OpenUser" ); if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; 
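Review bot: `POLICY_HND domain_pol = *r->in.domain_handle;` copies the client-supplied handle into a local only so that `&domain_pol` can be handed to get_lsa_policy_samr_sid() a few lines later. The _samr_OpenGroup conversion in this series passes `r->in.domain_handle` straight through, and the two should agree. I would drop the local and call `get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL)`, provided domain_pol is not used in the part of the function that lies outside this hunk. The _samr_OpenAlias conversion carries the same copy.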
@@ -1803,7 +1802,7 @@ NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USE /* append the user's RID to it */ - if (!sid_append_rid(&sid, q_u->user_rid)) + if (!sid_append_rid(&sid, r->in.rid)) return NT_STATUS_NO_SUCH_USER; /* check if access can be granted as requested by client. */ @@ -1816,7 +1815,7 @@ NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USE nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access, - &acc_granted, "_samr_open_user"); + &acc_granted, "_samr_OpenUser"); if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; @@ -1841,7 +1840,7 @@ NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USE if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - return r_u->status; + return NT_STATUS_OK; } /************************************************************************* @@ -5381,16 +5380,6 @@ NTSTATUS _samr_GetMembersInAlias(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_OpenUser(pipes_struct *p, - struct samr_OpenUser *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_DeleteUser(pipes_struct *p, struct samr_DeleteUser *r) { -- cgit From ecaa48925f166f9b3295dc95edba23faf4df50f6 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 00:48:40 +0100 Subject: Use pidl for _samr_OpenAlias(). Guenther (This used to be commit 1a98282d2c61e45645c68941631eb0499baa4cbb) --- source3/rpc_server/srv_samr_nt.c | 31 ++++++++++--------------------- 1 file changed, 10 insertions(+), 21 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b677876270..e5e22d2b57 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2977,32 +2977,31 @@ NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_EN } /******************************************************************* - api_samr_open_alias + _samr_OpenAlias ********************************************************************/ -NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_ALIAS *r_u) +NTSTATUS _samr_OpenAlias(pipes_struct *p, + struct samr_OpenAlias *r) { DOM_SID sid; - POLICY_HND domain_pol = q_u->dom_pol; - uint32 alias_rid = q_u->rid_alias; - POLICY_HND *alias_pol = &r_u->pol; + POLICY_HND domain_pol = *r->in.domain_handle; + uint32 alias_rid = r->in.rid; + POLICY_HND *alias_pol = r->out.alias_handle; struct samr_info *info = NULL; SEC_DESC *psd = NULL; uint32 acc_granted; - uint32 des_access = q_u->access_mask; + uint32 des_access = r->in.access_mask; size_t sd_size; NTSTATUS status; SE_PRIV se_rights; - r_u->status = NT_STATUS_OK; - /* find the domain policy and get the SID / access bits stored in the domain policy */ if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) ) return NT_STATUS_INVALID_HANDLE; status = access_check_samr_function(acc_granted, - SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_alias"); + SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_OpenAlias"); if ( !NT_STATUS_IS_OK(status) ) return status; @@ -3022,7 +3021,7 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A status = access_check_samr_object(psd, p->pipe_user.nt_user_token, &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access, - &acc_granted, "_samr_open_alias"); + &acc_granted, "_samr_OpenAlias"); if ( !NT_STATUS_IS_OK(status) ) return status; 
@@ -3059,7 +3058,7 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A if (!create_policy_hnd(p, alias_pol, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - return r_u->status; + return NT_STATUS_OK; } /******************************************************************* @@ -5310,16 +5309,6 @@ NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_OpenAlias(pipes_struct *p, - struct samr_OpenAlias *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_QueryAliasInfo(pipes_struct *p, struct samr_QueryAliasInfo *r) { -- cgit From 846c3a30016444850a1fb24d5fccd6345e8a60a0 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 00:49:32 +0100 Subject: Use pidl for _samr_OpenGroup(). Guenther (This used to be commit e74ad425ff3a139fa12c0320e4a292dcb0991888) --- source3/rpc_server/srv_samr_nt.c | 30 +++++++++++------------------- 1 file changed, 11 insertions(+), 19 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e5e22d2b57..2fd1c98be8 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4830,10 +4830,12 @@ NTSTATUS _samr_GetDomPwInfo(pipes_struct *p, } /********************************************************************* - _samr_open_group + _samr_OpenGroup *********************************************************************/ -NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_GROUP *r_u) +NTSTATUS _samr_OpenGroup(pipes_struct *p, + struct samr_OpenGroup *r) + { DOM_SID sid; DOM_SID info_sid; 
@@ -4841,18 +4843,18 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G struct samr_info *info; SEC_DESC *psd = NULL; uint32 acc_granted; - uint32 des_access = q_u->access_mask; + uint32 des_access = r->in.access_mask; size_t sd_size; NTSTATUS status; fstring sid_string; bool ret; SE_PRIV se_rights; - if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; status = access_check_samr_function(acc_granted, - SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_group"); + SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_OpenGroup"); if ( !NT_STATUS_IS_OK(status) ) return status; @@ -4865,7 +4867,7 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G status = access_check_samr_object(psd, p->pipe_user.nt_user_token, &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access, - &acc_granted, "_samr_open_group"); + &acc_granted, "_samr_OpenGroup"); if ( !NT_STATUS_IS_OK(status) ) return status; @@ -4876,7 +4878,7 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G return NT_STATUS_ACCESS_DENIED; sid_copy(&info_sid, get_global_sam_sid()); - sid_append_rid(&info_sid, q_u->rid_group); + sid_append_rid(&info_sid, r->in.rid); sid_to_fstring(sid_string, &info_sid); if ((info = get_samr_info_by_sid(&info_sid)) == NULL) @@ -4884,7 +4886,7 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G info->acc_granted = acc_granted; - DEBUG(10, ("_samr_open_group:Opening SID: %s\n", sid_string)); + DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n", sid_string)); /* check if that group really exists */ become_root(); 
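Review bot: In the `@@ -4876,7 +4878,7 @@` hunk the result of `sid_append_rid(&info_sid, r->in.rid);` is ignored, while the _samr_OpenUser conversion in this series checks the same call and bails out with NT_STATUS_NO_SUCH_USER. The RID comes from the client, so a failed append should not fall through to get_samr_info_by_sid() with an unextended SID. I would write `if (!sid_append_rid(&info_sid, r->in.rid)) return NT_STATUS_NO_SUCH_GROUP;`. The function body starts and ends outside this hunk.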
@@ -4894,7 +4896,7 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G return NT_STATUS_NO_SUCH_GROUP; /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info)) + if (!create_policy_hnd(p, r->out.group_handle, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; return NT_STATUS_OK; @@ -5229,16 +5231,6 @@ NTSTATUS _samr_LookupRids(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_OpenGroup(pipes_struct *p, - struct samr_OpenGroup *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_QueryGroupInfo(pipes_struct *p, struct samr_QueryGroupInfo *r) { -- cgit From 145ff9a4b4a8240b4214b866d7412d4a125a8ab6 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 01:30:50 +0100 Subject: Use pidl for _samr_DeleteUser(). Guenther (This used to be commit 86827e374469421e2204598712225fb19d4af64b) --- source3/rpc_server/srv_samr_nt.c | 39 ++++++++++++++++----------------------- 1 file changed, 16 insertions(+), 23 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 2fd1c98be8..e464066d23 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -4168,11 +4168,13 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE } /********************************************************************* - _samr_delete_dom_user + _samr_DeleteUser *********************************************************************/ -NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAMR_R_DELETE_DOM_USER *r_u ) +NTSTATUS _samr_DeleteUser(pipes_struct *p, + struct samr_DeleteUser *r) { + NTSTATUS status; DOM_SID user_sid; struct samu *sam_pass=NULL; uint32 acc_granted; @@ -4181,14 +4183,15 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM DISP_INFO *disp_info = NULL; bool ret; - DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__)); + DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__)); /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &user_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &user_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_user"))) { - return r_u->status; + status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_DeleteUser"); + if (!NT_STATUS_IS_OK(status)) { + return status; } if (!sid_check_is_in_our_domain(&user_sid)) @@ -4204,7 +4207,7 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM unbecome_root(); if( !ret ) { - DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n", + DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n", sid_string_dbg(&user_sid))); TALLOC_FREE(sam_pass); return NT_STATUS_NO_SUCH_USER; 
@@ -4224,25 +4227,25 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM if ( can_add_accounts ) become_root(); - r_u->status = pdb_delete_user(p->mem_ctx, sam_pass); + status = pdb_delete_user(p->mem_ctx, sam_pass); if ( can_add_accounts ) unbecome_root(); /******** END SeAddUsers BLOCK *********/ - if ( !NT_STATUS_IS_OK(r_u->status) ) { - DEBUG(5,("_samr_delete_dom_user: Failed to delete entry for " + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(5,("_samr_DeleteUser: Failed to delete entry for " "user %s: %s.\n", pdb_get_username(sam_pass), - nt_errstr(r_u->status))); + nt_errstr(status))); TALLOC_FREE(sam_pass); - return r_u->status; + return status; } TALLOC_FREE(sam_pass); - if (!close_policy_hnd(p, &q_u->user_pol)) + if (!close_policy_hnd(p, r->in.user_handle)) return NT_STATUS_OBJECT_NAME_INVALID; force_flush_samr_cache(disp_info); @@ -5361,16 +5364,6 @@ NTSTATUS _samr_GetMembersInAlias(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_DeleteUser(pipes_struct *p, - struct samr_DeleteUser *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_QueryUserInfo(pipes_struct *p, struct samr_QueryUserInfo *r) { -- cgit From b36ad1d59b07456b300775f51914af3183aac428 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 01:31:45 +0100 Subject: Use pidl for _samr_DeleteDomainGroup(). Guenther (This used to be commit b8bf051bdda221dda15598e16bb8dbec68bc7df7) --- source3/rpc_server/srv_samr_nt.c | 39 ++++++++++++++++----------------------- 1 file changed, 16 insertions(+), 23 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
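Review bot: Once pdb_delete_user() has succeeded, a failing `close_policy_hnd(p, r->in.user_handle)` returns NT_STATUS_OBJECT_NAME_INVALID before `force_flush_samr_cache(disp_info);` runs. The account is gone by then, but the SAMR cache is left unflushed and the client is told the call failed. Moving `force_flush_samr_cache(disp_info);` above the `close_policy_hnd` check keeps the cache consistent with the backend on that path. The same ordering appears in the _samr_DeleteDomainGroup and _samr_DeleteDomAlias conversions, and the function continues outside this hunk.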
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e464066d23..23c289a3ed 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4254,11 +4254,13 @@ NTSTATUS _samr_DeleteUser(pipes_struct *p, } /********************************************************************* - _samr_delete_dom_group + _samr_DeleteDomainGroup *********************************************************************/ -NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, SAMR_R_DELETE_DOM_GROUP *r_u) +NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p, + struct samr_DeleteDomainGroup *r) { + NTSTATUS status; DOM_SID group_sid; uint32 group_rid; uint32 acc_granted; @@ -4266,14 +4268,15 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S bool can_add_accounts; DISP_INFO *disp_info = NULL; - DEBUG(5, ("samr_delete_dom_group: %d\n", __LINE__)); + DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__)); /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_group"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_DeleteDomainGroup"); + if (!NT_STATUS_IS_OK(status)) { + return status; } DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid))); 
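Review bot: The entry trace in the `@@ -4266,14 +4268,15 @@` hunk reads `"samr_DeleteDomainGroup: %d\n"`, without the leading underscore that every other message in this function and in the sibling conversions carries. Searching the logs for `_samr_DeleteDomainGroup` will miss it. I would make it `DEBUG(5, ("_samr_DeleteDomainGroup: %d\n", __LINE__));`.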
@@ -4291,22 +4294,22 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S if ( can_add_accounts ) become_root(); - r_u->status = pdb_delete_dom_group(p->mem_ctx, group_rid); + status = pdb_delete_dom_group(p->mem_ctx, group_rid); if ( can_add_accounts ) unbecome_root(); /******** END SeAddUsers BLOCK *********/ - if ( !NT_STATUS_IS_OK(r_u->status) ) { - DEBUG(5,("_samr_delete_dom_group: Failed to delete mapping " + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping " "entry for group %s: %s\n", sid_string_dbg(&group_sid), - nt_errstr(r_u->status))); - return r_u->status; + nt_errstr(status))); + return status; } - if (!close_policy_hnd(p, &q_u->group_pol)) + if (!close_policy_hnd(p, r->in.group_handle)) return NT_STATUS_OBJECT_NAME_INVALID; force_flush_samr_cache(disp_info); @@ -5264,16 +5267,6 @@ NTSTATUS _samr_AddGroupMember(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p, - struct samr_DeleteDomainGroup *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_DeleteGroupMember(pipes_struct *p, struct samr_DeleteGroupMember *r) { -- cgit From 1921a6d67e704ac009695885e6954596e278a681 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 01:32:18 +0100 Subject: Use pidl for _samr_DeleteDomAlias(). Guenther (This used to be commit 31d5a3aaa42c18319fd751aba65f435348b1e83e) --- source3/rpc_server/srv_samr_nt.c | 28 ++++++++++------------------ 1 file changed, 10 insertions(+), 18 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 23c289a3ed..23a0185ebb 100644 
--- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4318,10 +4318,11 @@ NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p, } /********************************************************************* - _samr_delete_dom_alias + _samr_DeleteDomAlias *********************************************************************/ -NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, SAMR_R_DELETE_DOM_ALIAS *r_u) +NTSTATUS _samr_DeleteDomAlias(pipes_struct *p, + struct samr_DeleteDomAlias *r) { DOM_SID alias_sid; uint32 acc_granted; @@ -4330,18 +4331,19 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S NTSTATUS status; DISP_INFO *disp_info = NULL; - DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__)); + DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__)); /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; /* copy the handle to the outgoing reply */ - memcpy( &r_u->pol, &q_u->alias_pol, sizeof(r_u->pol) ); + memcpy(r->out.alias_handle, r->in.alias_handle, sizeof(r->out.alias_handle)); - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_alias"))) { - return r_u->status; + status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_DeleteDomAlias"); + if (!NT_STATUS_IS_OK(status)) { + return status; } DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid))); @@ -4376,7 +4378,7 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S if ( !NT_STATUS_IS_OK(status)) return status; - if (!close_policy_hnd(p, &q_u->alias_pol)) + if (!close_policy_hnd(p, r->in.alias_handle)) return NT_STATUS_OBJECT_NAME_INVALID; force_flush_samr_cache(disp_info); 
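Review bot: The `memcpy` in `_samr_DeleteDomAlias` sizes the copy with `sizeof(r->out.alias_handle)`, and `r->out.alias_handle` appears to be a pointer: `r->in.alias_handle` is passed straight to `get_lsa_policy_samr_sid()` and `close_policy_hnd()` where the old code passed `&q_u->alias_pol`. If so, only a pointer's worth of bytes is copied into the reply handle instead of the whole structure that `sizeof(r_u->pol)` used to cover, and the rest of the outgoing handle keeps whatever it held before. Use `sizeof(*r->out.alias_handle)`, or a plain struct assignment, `*r->out.alias_handle = *r->in.alias_handle;`. The function body continues outside these hunks.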
@@ -5317,16 +5319,6 @@ NTSTATUS _samr_SetAliasInfo(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_DeleteDomAlias(pipes_struct *p, - struct samr_DeleteDomAlias *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_AddAliasMember(pipes_struct *p, struct samr_AddAliasMember *r) { -- cgit From 3e67d648a1d164b67cf390ae33e83fc9362e3179 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 14:48:42 +0100 Subject: Use pidl for _samr_CreateDomAlias(). Guenther (This used to be commit 622d529c45aaa6d8ddd3a38a2fa4fc5e1ad53fe9) --- source3/rpc_server/srv_samr_nt.c | 32 ++++++++++++-------------------- 1 file changed, 12 insertions(+), 20 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 23a0185ebb..650e59d116 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4463,14 +4463,15 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S } /********************************************************************* - _samr_create_dom_alias + _samr_CreateDomAlias *********************************************************************/ -NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, SAMR_R_CREATE_DOM_ALIAS *r_u) +NTSTATUS _samr_CreateDomAlias(pipes_struct *p, + struct samr_CreateDomAlias *r) { DOM_SID dom_sid; DOM_SID info_sid; - fstring name; + const char *name = NULL; struct samr_info *info; uint32 acc_granted; gid_t gid; 
@@ -4480,17 +4481,18 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_ALIAS, "_samr_create_alias"))) { - return r_u->status; + result = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_ALIAS, "_samr_CreateDomAlias"); + if (!NT_STATUS_IS_OK(result)) { + return result; } if (!sid_equal(&dom_sid, get_global_sam_sid())) return NT_STATUS_ACCESS_DENIED; - unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)); + name = r->in.alias_name->string; se_priv_copy( &se_rights, &se_add_users ); can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); @@ -4506,7 +4508,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S become_root(); /* Have passdb create the alias */ - result = pdb_create_alias(name, &r_u->rid); + result = pdb_create_alias(name, r->out.rid); if ( can_add_accounts ) unbecome_root(); @@ -4520,7 +4522,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S } sid_copy(&info_sid, get_global_sam_sid()); - sid_append_rid(&info_sid, r_u->rid); + sid_append_rid(&info_sid, *r->out.rid); if (!sid_to_gid(&info_sid, &gid)) { DEBUG(10, ("Could not find alias just created\n")); 
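Review bot: `name = r->in.alias_name->string;` in `_samr_CreateDomAlias` can apparently be NULL, which the old `fstring` filled by `unistr2_to_ascii()` never was, and no check is visible before it reaches `pdb_create_alias(name, r->out.rid)` in the next hunk. The value comes from the client's request, so reject it first with `if (name == NULL) return NT_STATUS_INVALID_PARAMETER;`. `_samr_CreateDomainGroup` and `_samr_CreateUser2` later in this series do keep a NULL test on the same kind of field, but they return `NT_STATUS_NO_MEMORY`, which no longer describes the failure now that nothing is allocated; the same status would fit there. The lines between the hunks are not shown, so a check may already exist outside them.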
@@ -4542,7 +4544,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S info->acc_granted = GENERIC_RIGHTS_ALIAS_ALL_ACCESS; /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, &r_u->alias_pol, free_samr_info, (void *)info)) + if (!create_policy_hnd(p, r->out.alias_handle, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; force_flush_samr_cache(disp_info); @@ -5189,16 +5191,6 @@ NTSTATUS _samr_EnumDomainUsers(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_CreateDomAlias(pipes_struct *p, - struct samr_CreateDomAlias *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_EnumDomainAliases(pipes_struct *p, struct samr_EnumDomainAliases *r) { -- cgit From 6e74a5dba33f8be671fddce367ef341c9c2fe6bc Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 14:49:23 +0100 Subject: Use pidl for _samr_CreateDomainGroup(). Guenther (This used to be commit c53bfd74251398924a1fae0fd8d9020dba958ba1) --- source3/rpc_server/srv_samr_nt.c | 42 +++++++++++++++++----------------------- 1 file changed, 18 insertions(+), 24 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 650e59d116..690f76ee72 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -4387,11 +4387,14 @@ NTSTATUS _samr_DeleteDomAlias(pipes_struct *p, } /********************************************************************* - _samr_create_dom_group + _samr_CreateDomainGroup *********************************************************************/ -NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, SAMR_R_CREATE_DOM_GROUP *r_u) +NTSTATUS _samr_CreateDomainGroup(pipes_struct *p, + struct samr_CreateDomainGroup *r) + { + NTSTATUS status; DOM_SID dom_sid; DOM_SID info_sid; const char *name; @@ -4402,24 +4405,25 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_GROUP, "_samr_create_dom_group"))) { - return r_u->status; + status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_GROUP, "_samr_CreateDomainGroup"); + if (!NT_STATUS_IS_OK(status)) { + return status; } if (!sid_equal(&dom_sid, get_global_sam_sid())) return NT_STATUS_ACCESS_DENIED; - name = rpcstr_pull_unistr2_talloc(p->mem_ctx, &q_u->uni_acct_desc); + name = r->in.name->string; if (name == NULL) { return NT_STATUS_NO_MEMORY; } - r_u->status = can_create(p->mem_ctx, name); - if (!NT_STATUS_IS_OK(r_u->status)) { - return r_u->status; + status = can_create(p->mem_ctx, name); + if (!NT_STATUS_IS_OK(status)) { + return status; } se_priv_copy( &se_rights, &se_add_users ); 
@@ -4432,7 +4436,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S /* check that we successfully create the UNIX group */ - r_u->status = pdb_create_dom_group(p->mem_ctx, name, &r_u->rid); + status = pdb_create_dom_group(p->mem_ctx, name, r->out.rid); if ( can_add_accounts ) unbecome_root(); @@ -4441,10 +4445,10 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S /* check if we should bail out here */ - if ( !NT_STATUS_IS_OK(r_u->status) ) - return r_u->status; + if ( !NT_STATUS_IS_OK(status) ) + return status; - sid_compose(&info_sid, get_global_sam_sid(), r_u->rid); + sid_compose(&info_sid, get_global_sam_sid(), *r->out.rid); if ((info = get_samr_info_by_sid(&info_sid)) == NULL) return NT_STATUS_NO_MEMORY; @@ -4454,7 +4458,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S info->acc_granted = GENERIC_RIGHTS_GROUP_ALL_ACCESS; /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info)) + if (!create_policy_hnd(p, r->out.group_handle, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; force_flush_samr_cache(disp_info); @@ -5151,16 +5155,6 @@ NTSTATUS _samr_SetDomainInfo(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_CreateDomainGroup(pipes_struct *p, - struct samr_CreateDomainGroup *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_EnumDomainGroups(pipes_struct *p, struct samr_EnumDomainGroups *r) { -- cgit From f0438acfda7ae28a68d20be3cd05cdaeff9ac82b Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Fri, 1 Feb 2008 14:50:33 +0100 Subject: Use pidl for _samr_CreateUser2(). Guenther (This used to be commit 36f52b631c013f885ed25ea741a52f763d27198b) --- source3/rpc_server/srv_samr_nt.c | 40 ++++++++++++++-------------------------- 1 file changed, 14 insertions(+), 26 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 690f76ee72..3f2022c9ed 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2518,19 +2518,17 @@ static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name) } /******************************************************************* - _samr_create_user - Create an account, can be either a normal user or a machine. - This funcion will need to be updated for bdc/domain trusts. + _samr_CreateUser2 ********************************************************************/ -NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, - SAMR_R_CREATE_USER *r_u) +NTSTATUS _samr_CreateUser2(pipes_struct *p, + struct samr_CreateUser2 *r) { - char *account; + const char *account = NULL; DOM_SID sid; - POLICY_HND dom_pol = q_u->domain_pol; - uint16 acb_info = q_u->acb_info; - POLICY_HND *user_pol = &r_u->user_pol; + POLICY_HND dom_pol = *r->in.domain_handle; + uint32_t acb_info = r->in.acct_flags; + POLICY_HND *user_pol = r->out.user_handle; struct samr_info *info = NULL; NTSTATUS nt_status; uint32 acc_granted; @@ -2549,7 +2547,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_USER, - "_samr_create_user"); + "_samr_CreateUser2"); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } 
@@ -2561,7 +2559,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, return NT_STATUS_INVALID_PARAMETER; } - account = rpcstr_pull_unistr2_talloc(p->mem_ctx, &q_u->uni_name); + account = r->in.account_name->string; if (account == NULL) { return NT_STATUS_NO_MEMORY; } @@ -2600,7 +2598,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, } } - DEBUG(5, ("_samr_create_user: %s can add this account : %s\n", + DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n", uidtoname(p->pipe_user.ut.uid), can_add_account ? "True":"False" )); @@ -2610,7 +2608,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, become_root(); nt_status = pdb_create_user(p->mem_ctx, account, acb_info, - &r_u->user_rid); + r->out.rid); if ( can_add_account ) unbecome_root(); @@ -2624,7 +2622,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, /* Get the user's SID */ - sid_compose(&sid, get_global_sam_sid(), r_u->user_rid); + sid_compose(&sid, get_global_sam_sid(), *r->out.rid); make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW); @@ -2632,7 +2630,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access, - &acc_granted, "_samr_create_user"); + &acc_granted, "_samr_CreateUser2"); if ( !NT_STATUS_IS_OK(nt_status) ) { return nt_status; @@ -2655,7 +2653,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, /* After a "set" ensure we have no cached display info. */ force_flush_samr_cache(info->disp_info); - r_u->access_granted = acc_granted; + *r->out.access_granted = acc_granted; return NT_STATUS_OK; } 
@@ -5475,16 +5473,6 @@ NTSTATUS _samr_GetDisplayEnumerationIndex2(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_CreateUser2(pipes_struct *p, - struct samr_CreateUser2 *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p, struct samr_QueryDisplayInfo3 *r) { -- cgit From e7a82edd3557ce0da11c56231bf3f51b3e686061 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 23:06:43 +0100 Subject: Use pidl for _samr_ChangePasswordUser2(). Guenther (This used to be commit a142fe21e386233af658024b5a194eee0bc5c4ba) --- source3/rpc_server/srv_samr_nt.c | 36 ++++++++++++------------------------ 1 file changed, 12 insertions(+), 24 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 3f2022c9ed..2ccb202aed 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1529,22 +1529,22 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO } /******************************************************************* - _samr_chgpasswd_user + _samr_ChangePasswordUser2 ********************************************************************/ +NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p, + struct samr_ChangePasswordUser2 *r) -NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_CHGPASSWD_USER *r_u) { + NTSTATUS status; fstring user_name; fstring wks; - DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__)); + DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__)); - r_u->status = NT_STATUS_OK; + fstrcpy(user_name, r->in.account->string); + fstrcpy(wks, r->in.server->string); - rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0); - rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len*2,0); - - DEBUG(5,("samr_chgpasswd_user: user: %s wks: %s\n", user_name, wks)); + DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name, wks)); /* * Pass the user through the NT -> unix user mapping @@ -1558,14 +1558,12 @@ NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_ * is case insensitive. */ - r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash, - q_u->nt_newpass.pass, q_u->nt_oldhash.hash, NULL); - - init_samr_r_chgpasswd_user(r_u, r_u->status); + status = pass_oem_change(user_name, r->in.lm_password->data, r->in.lm_verifier->hash, + r->in.nt_password->data, r->in.nt_verifier->hash, NULL); - DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__)); + DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__)); - return r_u->status; + return status; } /******************************************************************* 
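Review bot: `fstrcpy(user_name, r->in.account->string)` and `fstrcpy(wks, r->in.server->string)` dereference request fields with no NULL check, where the old `rpcstr_pull()` calls read from buffers embedded in `q_u`. If `server` or either `->string` is optional on the wire (the IDL is not visible here, so please confirm), a request that omits it crashes the handler before the old password has been verified. The second hunk does the same with `r->in.lm_password->data`, `r->in.lm_verifier->hash`, `r->in.nt_password->data` and `r->in.nt_verifier->hash` in the `pass_oem_change()` call. Guard up front, for example `if (!r->in.account->string) return NT_STATUS_INVALID_PARAMETER;`, treat a missing `server` as an empty workstation name, and reject missing password blobs or verifiers the same way.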
@@ -5513,16 +5511,6 @@ NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p, - struct samr_ChangePasswordUser2 *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_Connect2(pipes_struct *p, struct samr_Connect2 *r) { -- cgit From f965f324f599e50e701c91f1c45c70499ee5f037 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 17:28:01 +0100 Subject: Use pidl for _samr_QuerySecurity(). Guenther (This used to be commit c61cba97268f198ad7e25acc3cb0b166e897299d) --- source3/rpc_server/srv_samr_nt.c | 47 +++++++++++++++------------------------- 1 file changed, 17 insertions(+), 30 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 2ccb202aed..e688b6ae7f 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -768,66 +768,63 @@ static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid) /******************************************************************* - _samr_query_sec_obj + _samr_QuerySecurity ********************************************************************/ -NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_QUERY_SEC_OBJ *r_u) +NTSTATUS _samr_QuerySecurity(pipes_struct *p, + struct samr_QuerySecurity *r) { + NTSTATUS status; DOM_SID pol_sid; SEC_DESC * psd = NULL; uint32 acc_granted; size_t sd_size; - r_u->status = NT_STATUS_OK; - /* Get the SID. */ - if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &pol_sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - DEBUG(10,("_samr_query_sec_obj: querying security on SID: %s\n", + DEBUG(10,("_samr_QuerySecurity: querying security on SID: %s\n", sid_string_dbg(&pol_sid))); /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */ /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */ if (pol_sid.sid_rev_num == 0) { - DEBUG(5,("_samr_query_sec_obj: querying security on SAM\n")); - r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); + DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n")); + status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); } else if (sid_equal(&pol_sid,get_global_sam_sid())) { /* check if it is our domain SID */ - DEBUG(5,("_samr_query_sec_obj: querying security on Domain " + DEBUG(5,("_samr_QuerySecurity: querying security on Domain " "with SID: %s\n", sid_string_dbg(&pol_sid))); - r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0); + status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0); } else if (sid_equal(&pol_sid,&global_sid_Builtin)) { 
/* check if it is the Builtin Domain */ /* TODO: Builtin probably needs a different SD with restricted write access*/ - DEBUG(5,("_samr_query_sec_obj: querying security on Builtin " + DEBUG(5,("_samr_QuerySecurity: querying security on Builtin " "Domain with SID: %s\n", sid_string_dbg(&pol_sid))); - r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0); + status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0); } else if (sid_check_is_in_our_domain(&pol_sid) || sid_check_is_in_builtin(&pol_sid)) { /* TODO: different SDs have to be generated for aliases groups and users. Currently all three get a default user SD */ - DEBUG(10,("_samr_query_sec_obj: querying security on Object " + DEBUG(10,("_samr_QuerySecurity: querying security on Object " "with SID: %s\n", sid_string_dbg(&pol_sid))); if (check_change_pw_access(p->mem_ctx, &pol_sid)) { - r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, + status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &pol_sid, SAMR_USR_RIGHTS_WRITE_PW); } else { - r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_nopwchange_generic_mapping, + status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_nopwchange_generic_mapping, &pol_sid, SAMR_USR_RIGHTS_CANT_WRITE_PW); } } else { return NT_STATUS_OBJECT_TYPE_MISMATCH; } - if ((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL) + if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL) return NT_STATUS_NO_MEMORY; - if (NT_STATUS_IS_OK(r_u->status)) - r_u->ptr = 1; - - return r_u->status; + return status; } /******************************************************************* 
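Review bot: `status` from `make_samr_object_sd()` is never tested before `make_sec_desc_buf(p->mem_ctx, sd_size, psd)` runs, so after a failed call the buffer is built from whatever `psd` and `sd_size` hold (`sd_size` has no initialiser) and `*r->out.sdbuf` is filled even though an error is returned. The old code at least gated `r_u->ptr = 1` on success, and that guard was dropped in the conversion. Add `if (!NT_STATUS_IS_OK(status)) return status;` ahead of the `make_sec_desc_buf()` call. Separately, `acc_granted` is fetched from the handle but no `access_check_samr_function()` call appears in this hunk, unlike `_samr_SetSecurity`; a comment saying whether that is intended would help the next reader.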
@@ -5091,16 +5088,6 @@ NTSTATUS _samr_SetSecurity(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_QuerySecurity(pipes_struct *p, - struct samr_QuerySecurity *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_Shutdown(pipes_struct *p, struct samr_Shutdown *r) { -- cgit From 65172ba6b8efd6757c392d0957876d5d81f04348 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 17:29:03 +0100 Subject: Use pidl for _samr_SetSecurity(). Guenther (This used to be commit 6bfd76002f083f07b3d9d5c1f16e67614e7eb972) --- source3/rpc_server/srv_samr_nt.c | 23 ++++++----------------- 1 file changed, 6 insertions(+), 17 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e688b6ae7f..c51aa39042 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -672,10 +672,11 @@ static bool get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol, } /******************************************************************* - _samr_set_sec_obj + _samr_SetSecurity ********************************************************************/ -NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_SEC_OBJ *r_u) +NTSTATUS _samr_SetSecurity(pipes_struct *p, + struct samr_SetSecurity *r) { DOM_SID pol_sid; uint32 acc_granted, i; 
@@ -684,9 +685,7 @@ NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_ struct samu *sampass=NULL; NTSTATUS status; - r_u->status = NT_STATUS_OK; - - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; if (!(sampass = samu_new( p->mem_ctx))) { @@ -705,7 +704,7 @@ NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_ return NT_STATUS_INVALID_HANDLE; } - dacl = q_u->buf->sd->dacl; + dacl = r->in.sdbuf->sd->dacl; for (i=0; i < dacl->num_aces; i++) { if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) { ret = pdb_set_pass_can_change(sampass, @@ -721,7 +720,7 @@ NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_ return NT_STATUS_ACCESS_DENIED; } - status = access_check_samr_function(acc_granted, SA_RIGHT_USER_SET_ATTRIBUTES, "_samr_set_sec_obj"); + status = access_check_samr_function(acc_granted, SA_RIGHT_USER_SET_ATTRIBUTES, "_samr_SetSecurity"); if (NT_STATUS_IS_OK(status)) { become_root(); status = pdb_update_sam_account(sampass); @@ -5078,16 +5077,6 @@ NTSTATUS _samr_Connect(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_SetSecurity(pipes_struct *p, - struct samr_SetSecurity *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_Shutdown(pipes_struct *p, struct samr_Shutdown *r) { -- cgit From 2730ce999707be0e2308c07568fe38e3a07df41f Mon Sep 17 00:00:00 2001 
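Review bot: `dacl = r->in.sdbuf->sd->dacl;` is followed directly by `dacl->num_aces` in the loop, so a request whose security descriptor has no DACL (or, if the marshalling allows it, no `sd` or `sdbuf`) leads to a NULL dereference in `_samr_SetSecurity`. The same was true of `q_u->buf->sd->dacl`, but the descriptor is client-supplied and this conversion is a good place to validate it. Right after the `get_lsa_policy_samr_sid()` check and before `samu_new()`, add `if (!r->in.sdbuf || !r->in.sdbuf->sd || !r->in.sdbuf->sd->dacl) return NT_STATUS_INVALID_PARAMETER;`. The function body runs across several hunks and is only partly visible.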
From: Günther Deschner Date: Mon, 4 Feb 2008 16:17:20 +0100 Subject: Use pidl for _samr_Connect(). Guenther (This used to be commit 79c3aa6588c6d79a2127153dc0bcc75ecc468de8) --- source3/rpc_server/srv_samr_nt.c | 30 ++++++++---------------------- 1 file changed, 8 insertions(+), 22 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c51aa39042..b4eab90996 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2653,26 +2653,24 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, } /******************************************************************* - samr_reply_connect_anon + _samr_Connect ********************************************************************/ -NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CONNECT_ANON *r_u) +NTSTATUS _samr_Connect(pipes_struct *p, + struct samr_Connect *r) { struct samr_info *info = NULL; - uint32 des_access = q_u->access_mask; + uint32 des_access = r->in.access_mask; /* Access check */ if (!pipe_access_check(p)) { - DEBUG(3, ("access denied to samr_connect_anon\n")); - r_u->status = NT_STATUS_ACCESS_DENIED; - return r_u->status; + DEBUG(3, ("access denied to _samr_Connect\n")); + return NT_STATUS_ACCESS_DENIED; } /* set up the SAMR connect_anon response */ - r_u->status = NT_STATUS_OK; - /* associate the user's SID with the new handle. */ if ((info = get_samr_info_by_sid(NULL)) == NULL) return NT_STATUS_NO_MEMORY; 
@@ -2688,14 +2686,12 @@ NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CO se_map_generic( &des_access, &sam_generic_mapping ); info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN); - - info->status = q_u->unknown_0; /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info)) + if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - return r_u->status; + return NT_STATUS_OK; } /******************************************************************* @@ -5067,16 +5063,6 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R /**************************************************************** ****************************************************************/ -NTSTATUS _samr_Connect(pipes_struct *p, - struct samr_Connect *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_Shutdown(pipes_struct *p, struct samr_Shutdown *r) { -- cgit From 390746afeac135e29801ed16cad80553fcdd5c78 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 4 Feb 2008 16:23:46 +0100 Subject: Use pidl for _samr_Connect2(). Guenther (This used to be commit 35a691c2595883a7f15d039839de11798b9a7ceb) --- source3/rpc_server/srv_samr_nt.c | 36 ++++++++++++------------------------ 1 file changed, 12 insertions(+), 24 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b4eab90996..d69e2d1cdc 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -2695,54 +2695,52 @@ NTSTATUS _samr_Connect(pipes_struct *p, } /******************************************************************* - samr_reply_connect + _samr_Connect2 ********************************************************************/ -NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u) +NTSTATUS _samr_Connect2(pipes_struct *p, + struct samr_Connect2 *r) { struct samr_info *info = NULL; SEC_DESC *psd = NULL; uint32 acc_granted; - uint32 des_access = q_u->access_mask; + uint32 des_access = r->in.access_mask; NTSTATUS nt_status; size_t sd_size; - DEBUG(5,("_samr_connect: %d\n", __LINE__)); + DEBUG(5,("_samr_Connect2: %d\n", __LINE__)); /* Access check */ if (!pipe_access_check(p)) { - DEBUG(3, ("access denied to samr_connect\n")); - r_u->status = NT_STATUS_ACCESS_DENIED; - return r_u->status; + DEBUG(3, ("access denied to _samr_Connect2\n")); + return NT_STATUS_ACCESS_DENIED; } make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, - NULL, 0, des_access, &acc_granted, "_samr_connect"); + NULL, 0, des_access, &acc_granted, "_samr_Connect2"); if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; - r_u->status = NT_STATUS_OK; - /* associate the user's SID and access granted with the new handle. */ if ((info = get_samr_info_by_sid(NULL)) == NULL) return NT_STATUS_NO_MEMORY; info->acc_granted = acc_granted; - info->status = q_u->access_mask; + info->status = r->in.access_mask; /* this looks so wrong... - gd */ /* get a (unique) handle. open a policy on it. 
*/ - if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info)) + if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - DEBUG(5,("_samr_connect: %d\n", __LINE__)); + DEBUG(5,("_samr_Connect2: %d\n", __LINE__)); - return r_u->status; + return nt_status; } /******************************************************************* @@ -5473,16 +5471,6 @@ NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_Connect2(pipes_struct *p, - struct samr_Connect2 *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_SetUserInfo2(pipes_struct *p, struct samr_SetUserInfo2 *r) { -- cgit From 867edaa33f7fb152447712bc405380ad6669781b Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 4 Feb 2008 16:35:32 +0100 Subject: Use pidl for _samr_Connect4(). Guenther (This used to be commit ceb3b6a0a3ed15c04bdb518a28167531403cc928) --- source3/rpc_server/srv_samr_nt.c | 36 ++++++++++++------------------------ 1 file changed, 12 insertions(+), 24 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d69e2d1cdc..3531001a58 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
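Review bot: `info->status = r->in.access_mask;` stores the caller-supplied, unmapped access mask in a field named `status`, right beside the `acc_granted` value that `access_check_samr_object()` actually produced; the author's own `/* this looks so wrong... - gd */` flags it. If any later code reads `info->status` as an access decision, it would be trusting client input rather than the checked result. Either drop the assignment, as the `_samr_Connect` conversion did with its `info->status` line, or replace the remark with a comment naming what consumes the field. The same assignment, marked `/* ??? */`, is in the `_samr_Connect4` and `_samr_Connect5` hunks.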
@@ -2744,54 +2744,52 @@ NTSTATUS _samr_Connect2(pipes_struct *p, } /******************************************************************* - samr_connect4 + _samr_Connect4 ********************************************************************/ -NTSTATUS _samr_connect4(pipes_struct *p, SAMR_Q_CONNECT4 *q_u, SAMR_R_CONNECT4 *r_u) +NTSTATUS _samr_Connect4(pipes_struct *p, + struct samr_Connect4 *r) { struct samr_info *info = NULL; SEC_DESC *psd = NULL; uint32 acc_granted; - uint32 des_access = q_u->access_mask; + uint32 des_access = r->in.access_mask; NTSTATUS nt_status; size_t sd_size; - DEBUG(5,("_samr_connect4: %d\n", __LINE__)); + DEBUG(5,("_samr_Connect4: %d\n", __LINE__)); /* Access check */ if (!pipe_access_check(p)) { - DEBUG(3, ("access denied to samr_connect4\n")); - r_u->status = NT_STATUS_ACCESS_DENIED; - return r_u->status; + DEBUG(3, ("access denied to samr_Connect4\n")); + return NT_STATUS_ACCESS_DENIED; } make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, - NULL, 0, des_access, &acc_granted, "_samr_connect4"); + NULL, 0, des_access, &acc_granted, "_samr_Connect4"); if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; - r_u->status = NT_STATUS_OK; - /* associate the user's SID and access granted with the new handle. */ if ((info = get_samr_info_by_sid(NULL)) == NULL) return NT_STATUS_NO_MEMORY; info->acc_granted = acc_granted; - info->status = q_u->access_mask; + info->status = r->in.access_mask; /* ??? */ /* get a (unique) handle. open a policy on it. 
*/ - if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info)) + if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - DEBUG(5,("_samr_connect: %d\n", __LINE__)); + DEBUG(5,("_samr_Connect4: %d\n", __LINE__)); - return r_u->status; + return NT_STATUS_OK; } /******************************************************************* @@ -5511,16 +5509,6 @@ NTSTATUS _samr_Connect3(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_Connect4(pipes_struct *p, - struct samr_Connect4 *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p, struct samr_ChangePasswordUser3 *r) { -- cgit From e1e8ab30f712d389a353cf32cbf8cf1083360b2a Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 4 Feb 2008 17:10:16 +0100 Subject: Use pidl for _samr_Connect5(). Guenther (This used to be commit ca233bfe0e5350cb699312e4937c6bd1cb43f7c1) --- source3/rpc_server/srv_samr_nt.c | 45 ++++++++++++++++------------------------ 1 file changed, 18 insertions(+), 27 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 3531001a58..4e0487f7ff 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
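Review bot: The denial message in `_samr_Connect4` reads `access denied to samr_Connect4`, while `_samr_Connect` and `_samr_Connect2` log the name with its leading underscore; `_samr_Connect5` has the same omission. Using `"access denied to _samr_Connect4\n"` keeps the tag identical to the function name, so one search pattern over the logs finds every refused SAMR connect. `_samr_Connect2` also ends with `return nt_status;` where this function ends with `return NT_STATUS_OK;`. Both are equivalent at that point, but one form across the four handlers reads better.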
@@ -2793,37 +2793,34 @@ NTSTATUS _samr_Connect4(pipes_struct *p, } /******************************************************************* - samr_connect5 + _samr_Connect5 ********************************************************************/ -NTSTATUS _samr_connect5(pipes_struct *p, SAMR_Q_CONNECT5 *q_u, SAMR_R_CONNECT5 *r_u) +NTSTATUS _samr_Connect5(pipes_struct *p, + struct samr_Connect5 *r) { struct samr_info *info = NULL; SEC_DESC *psd = NULL; uint32 acc_granted; - uint32 des_access = q_u->access_mask; + uint32 des_access = r->in.access_mask; NTSTATUS nt_status; - POLICY_HND pol; size_t sd_size; + struct samr_ConnectInfo1 info1; - - DEBUG(5,("_samr_connect5: %d\n", __LINE__)); - - ZERO_STRUCTP(r_u); + DEBUG(5,("_samr_Connect5: %d\n", __LINE__)); /* Access check */ if (!pipe_access_check(p)) { - DEBUG(3, ("access denied to samr_connect5\n")); - r_u->status = NT_STATUS_ACCESS_DENIED; - return r_u->status; + DEBUG(3, ("access denied to samr_Connect5\n")); + return NT_STATUS_ACCESS_DENIED; } make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, - NULL, 0, des_access, &acc_granted, "_samr_connect5"); + NULL, 0, des_access, &acc_granted, "_samr_Connect5"); if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; 
@@ -2833,17 +2830,21 @@ NTSTATUS _samr_connect5(pipes_struct *p, SAMR_Q_CONNECT5 *q_u, SAMR_R_CONNECT5 * return NT_STATUS_NO_MEMORY; info->acc_granted = acc_granted; - info->status = q_u->access_mask; + info->status = r->in.access_mask; /* ??? */ /* get a (unique) handle. open a policy on it. */ - if (!create_policy_hnd(p, &pol, free_samr_info, (void *)info)) + if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info)) return NT_STATUS_OBJECT_NAME_NOT_FOUND; - DEBUG(5,("_samr_connect: %d\n", __LINE__)); + DEBUG(5,("_samr_Connect5: %d\n", __LINE__)); - init_samr_r_connect5(r_u, &pol, NT_STATUS_OK); + info1.unknown1 = 3; + info1.unknown2 = 0; - return r_u->status; + *r->out.level_out = 1; + r->out.info_out->info1 = info1; + + return NT_STATUS_OK; } /********************************************************************** @@ -5519,16 +5520,6 @@ NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_Connect5(pipes_struct *p, - struct samr_Connect5 *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_RidToSid(pipes_struct *p, struct samr_RidToSid *r) { -- cgit From 4906b5037d09beceee67a455177269215c140206 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 4 Feb 2008 18:09:35 +0100 Subject: Use pidl for _samr_DeleteGroupMember(). Guenther (This used to be commit 94d6536809266ea3a12cd255fb7f2f7a70c42da3) --- source3/rpc_server/srv_samr_nt.c | 30 ++++++++++++------------------ 1 file changed, 12 insertions(+), 18 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 4e0487f7ff..e394dc1d57 100644 --- a/source3/rpc_server/srv_samr_nt.c 
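Review bot: The reply level is hard-coded (`*r->out.level_out = 1;` with `info1.unknown1 = 3; info1.unknown2 = 0;`) and nothing in the two visible hunks examines the level the client requested. A request for any other level would presumably still succeed with a level-1 answer. I would reject unsupported input levels before the handle is created and add a comment saying what the values 3 and 0 stand for. The writes through `r->out.level_out` and `r->out.info_out` rely on the generated dispatcher having allocated both, which is worth stating in a comment now that `ZERO_STRUCTP(r_u)` is gone.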
+++ b/source3/rpc_server/srv_samr_nt.c @@ -4101,11 +4101,14 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD } /********************************************************************* - _samr_del_groupmem + _samr_DeleteGroupMember *********************************************************************/ -NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DEL_GROUPMEM *r_u) +NTSTATUS _samr_DeleteGroupMember(pipes_struct *p, + struct samr_DeleteGroupMember *r) + { + NTSTATUS status; DOM_SID group_sid; uint32 group_rid; uint32 acc_granted; @@ -4114,17 +4117,18 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE DISP_INFO *disp_info = NULL; /* - * delete the group member named q_u->rid + * delete the group member named r->in.rid * who is a member of the sid associated with the handle * the rid is a user's rid as the group is a domain group. */ /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_REMOVE_MEMBER, "_samr_del_groupmem"))) { - return r_u->status; + status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_REMOVE_MEMBER, "_samr_DeleteGroupMember"); + if (!NT_STATUS_IS_OK(status)) { + return status; } if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid, @@ -4140,7 +4144,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE if ( can_add_accounts ) become_root(); - r_u->status = pdb_del_groupmem(p->mem_ctx, group_rid, q_u->rid); + status = pdb_del_groupmem(p->mem_ctx, group_rid, r->in.rid); if ( can_add_accounts ) unbecome_root(); 
@@ -4149,7 +4153,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE force_flush_samr_cache(disp_info); - return r_u->status; + return status; } /********************************************************************* @@ -5210,16 +5214,6 @@ NTSTATUS _samr_AddGroupMember(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_DeleteGroupMember(pipes_struct *p, - struct samr_DeleteGroupMember *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_QueryGroupMember(pipes_struct *p, struct samr_QueryGroupMember *r) { -- cgit From 062820eaee624ac1c02e695d26b5ad4a0b0f66d9 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 4 Feb 2008 18:36:44 +0100 Subject: Use pidl for _samr_AddGroupMember(). Guenther (This used to be commit 4f923d970eac5841d1f67dbb8fc0c1dd1fda95a3) --- source3/rpc_server/srv_samr_nt.c | 31 ++++++++++++------------------- 1 file changed, 12 insertions(+), 19 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e394dc1d57..95c31ebc8b 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
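Review bot: `force_flush_samr_cache(disp_info);` appears to run in `_samr_DeleteGroupMember` whatever `pdb_del_groupmem()` returned. The alias handlers converted in this same series, `_samr_AddAliasMember` and `_samr_DeleteAliasMember`, flush only when the backend call succeeded. Now that the result is held in a local `status`, the call can be wrapped the same way: `if (NT_STATUS_IS_OK(status)) { force_flush_samr_cache(disp_info); }`. The `_samr_AddGroupMember` hunk has the same flush. The lines between this hunk and the previous one are not shown, so an unbraced guard just above the call cannot be ruled out.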
@@ -4053,11 +4053,13 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE } /********************************************************************* - _samr_add_groupmem + _samr_AddGroupMember *********************************************************************/ -NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_ADD_GROUPMEM *r_u) +NTSTATUS _samr_AddGroupMember(pipes_struct *p, + struct samr_AddGroupMember *r) { + NTSTATUS status; DOM_SID group_sid; uint32 group_rid; uint32 acc_granted; @@ -4066,11 +4068,12 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_ADD_MEMBER, "_samr_add_groupmem"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_ADD_MEMBER, "_samr_AddGroupMember"); + if (!NT_STATUS_IS_OK(status)) { + return status; } DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid))); @@ -4088,8 +4091,8 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD if ( can_add_accounts ) become_root(); - r_u->status = pdb_add_groupmem(p->mem_ctx, group_rid, q_u->rid); - + status = pdb_add_groupmem(p->mem_ctx, group_rid, r->in.rid); + if ( can_add_accounts ) unbecome_root(); @@ -4097,7 +4100,7 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD force_flush_samr_cache(disp_info); - return r_u->status; + return status; } /********************************************************************* 
@@ -5204,16 +5207,6 @@ NTSTATUS _samr_SetGroupInfo(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_AddGroupMember(pipes_struct *p, - struct samr_AddGroupMember *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_QueryGroupMember(pipes_struct *p, struct samr_QueryGroupMember *r) { -- cgit From b04a5e09f7b50e5b9c589e43c5df91f4913e3ab0 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 4 Feb 2008 22:53:03 +0100 Subject: Use pidl for _samr_GetUserPwInfo(). Guenther (This used to be commit 4e7236c10e5a1cbea2e961e196729603c66f37d6) --- source3/rpc_server/srv_samr_nt.c | 27 ++++++++------------------- 1 file changed, 8 insertions(+), 19 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 95c31ebc8b..bb83bda3da 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -618,32 +618,31 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p, } /******************************************************************* - _samr_get_usrdom_pwinfo + _samr_GetUserPwInfo ********************************************************************/ -NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, SAMR_R_GET_USRDOM_PWINFO *r_u) +NTSTATUS _samr_GetUserPwInfo(pipes_struct *p, + struct samr_GetUserPwInfo *r) { struct samr_info *info = NULL; - r_u->status = NT_STATUS_OK; - /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->user_pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; if (!sid_check_is_in_our_domain(&info->sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - init_samr_r_get_usrdom_pwinfo(r_u, NT_STATUS_OK); + ZERO_STRUCTP(r->out.info); - DEBUG(5,("_samr_get_usrdom_pwinfo: %d\n", __LINE__)); + DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__)); - /* + /* * NT sometimes return NT_STATUS_ACCESS_DENIED * I don't know yet why. */ - return r_u->status; + return NT_STATUS_OK; } /******************************************************************* @@ -5357,16 +5356,6 @@ NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_GetUserPwInfo(pipes_struct *p, - struct samr_GetUserPwInfo *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_RemoveMemberFromForeignDomain(pipes_struct *p, struct samr_RemoveMemberFromForeignDomain *r) { -- cgit From 0bdb2d42bba0c7b88a71bf9f049bed21c050eab7 Mon Sep 17 00:00:00 2001 
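Review bot: `_samr_GetUserPwInfo` looks up the handle and checks that its SID is in our domain, but it never tests `info->acc_granted`. The other converted handlers in this file call `access_check_samr_function()` with a specific right before doing any work. As written, a handle that passes the domain check gets `NT_STATUS_OK` regardless of the access it was opened with, and the in-code remark that NT sometimes returns `NT_STATUS_ACCESS_DENIED` suggests a rights check is the missing piece. I would add an `access_check_samr_function()` call on `info->acc_granted` right after the handle lookup, using whichever user-read right the project defines for this query. `ZERO_STRUCTP(r->out.info)` also reports an all-zero password policy rather than the configured one, which deserves a comment if it is intentional.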
From: Günther Deschner Date: Mon, 4 Feb 2008 23:27:22 +0100 Subject: Use pidl for _samr_DeleteAliasMember(). Guenther (This used to be commit 51f5bcfd39b169866a13bb5b7878f99dc2b89462) --- source3/rpc_server/srv_samr_nt.c | 30 +++++++++++------------------- 1 file changed, 11 insertions(+), 19 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index bb83bda3da..e748d677c4 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4006,24 +4006,26 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD } /********************************************************************* - _samr_del_aliasmem + _samr_DeleteAliasMember *********************************************************************/ -NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DEL_ALIASMEM *r_u) +NTSTATUS _samr_DeleteAliasMember(pipes_struct *p, + struct samr_DeleteAliasMember *r) { DOM_SID alias_sid; uint32 acc_granted; SE_PRIV se_rights; bool can_add_accounts; - NTSTATUS ret; + NTSTATUS status; DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_REMOVE_MEMBER, "_samr_del_aliasmem"))) { - return r_u->status; + status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_REMOVE_MEMBER, "_samr_DeleteAliasMember"); + if (!NT_STATUS_IS_OK(status)) { + return status; } DEBUG(10, ("_samr_del_aliasmem:sid is %s\n", 
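Review bot: The context line `DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",` still carries the old function name, while the tag passed to `access_check_samr_function()` a few lines earlier was renamed to `"_samr_DeleteAliasMember"`. Renaming the debug prefix too keeps both log lines attributable to the same handler when correlating an access check with the operation that followed it. The `DEBUG` statement continues past the end of this hunk.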
@@ -4037,18 +4039,18 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE if ( can_add_accounts ) become_root(); - ret = pdb_del_aliasmem(&alias_sid, &q_u->sid.sid); + status = pdb_del_aliasmem(&alias_sid, r->in.sid); if ( can_add_accounts ) unbecome_root(); /******** END SeAddUsers BLOCK *********/ - if (NT_STATUS_IS_OK(ret)) { + if (NT_STATUS_IS_OK(status)) { force_flush_samr_cache(disp_info); } - return ret; + return status; } /********************************************************************* @@ -5256,16 +5258,6 @@ NTSTATUS _samr_AddAliasMember(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_DeleteAliasMember(pipes_struct *p, - struct samr_DeleteAliasMember *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_GetMembersInAlias(pipes_struct *p, struct samr_GetMembersInAlias *r) { -- cgit From 5bae7a4bec9f4e2f71edb881847ed98597b4637a Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 4 Feb 2008 23:40:19 +0100 Subject: Use pidl for _samr_AddAliasMember(). Guenther (This used to be commit 98d8482bae0c9500ab4a1f6c07acd327b894af66) --- source3/rpc_server/srv_samr_nt.c | 34 +++++++++++++--------------------- 1 file changed, 13 insertions(+), 21 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e748d677c4..c62fc7829f 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -3961,26 +3961,28 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ } /********************************************************************* - _samr_add_aliasmem + _samr_AddAliasMember *********************************************************************/ -NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_ADD_ALIASMEM *r_u) +NTSTATUS _samr_AddAliasMember(pipes_struct *p, + struct samr_AddAliasMember *r) { DOM_SID alias_sid; uint32 acc_granted; SE_PRIV se_rights; bool can_add_accounts; - NTSTATUS ret; + NTSTATUS status; DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_ADD_MEMBER, "_samr_add_aliasmem"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_ADD_MEMBER, "_samr_AddAliasMember"); + if (!NT_STATUS_IS_OK(status)) { + return status; } - + DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid))); se_priv_copy( &se_rights, &se_add_users ); @@ -3991,18 +3993,18 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD if ( can_add_accounts ) become_root(); - ret = pdb_add_aliasmem(&alias_sid, &q_u->sid.sid); + status = pdb_add_aliasmem(&alias_sid, r->in.sid); if ( can_add_accounts ) unbecome_root(); /******** END SeAddUsers BLOCK *********/ - if (NT_STATUS_IS_OK(ret)) { + if (NT_STATUS_IS_OK(status)) { force_flush_samr_cache(disp_info); } - return ret; + return status; } /********************************************************************* 
@@ -5248,16 +5250,6 @@ NTSTATUS _samr_SetAliasInfo(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_AddAliasMember(pipes_struct *p, - struct samr_AddAliasMember *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_GetMembersInAlias(pipes_struct *p, struct samr_GetMembersInAlias *r) { -- cgit From 5bec586b424d2325bd76683a821629b5635c69f1 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 5 Feb 2008 00:29:11 +0100 Subject: Use pidl for _samr_GetMembersInAlias(). Guenther (This used to be commit f6db8a51c8858e48567a819f18a7215e7ad8f6b4) --- source3/rpc_server/srv_samr_nt.c | 50 ++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 28 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index c62fc7829f..08df3c6e07 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -3846,34 +3846,35 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, } /********************************************************************* - _samr_query_aliasmem + _samr_GetMembersInAlias *********************************************************************/ -NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_QUERY_ALIASMEM *r_u) +NTSTATUS _samr_GetMembersInAlias(pipes_struct *p, + struct samr_GetMembersInAlias *r) { NTSTATUS status; size_t i; size_t num_sids = 0; - DOM_SID2 *sid; - DOM_SID *sids=NULL; + struct lsa_SidPtr *sids = NULL; + DOM_SID *pdb_sids = NULL; DOM_SID alias_sid; uint32 acc_granted; /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = - access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_GET_MEMBERS, "_samr_query_aliasmem"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_GET_MEMBERS, "_samr_GetMembersInAlias"); + if (!NT_STATUS_IS_OK(status)) { + return status; } DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid))); become_root(); - status = pdb_enum_aliasmem(&alias_sid, &sids, &num_sids); + status = pdb_enum_aliasmem(&alias_sid, &pdb_sids, &num_sids); unbecome_root(); if (!NT_STATUS_IS_OK(status)) { 
@@ -3881,22 +3882,25 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ } if (num_sids) { - sid = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_SID2, num_sids); - if (sid == NULL) { - SAFE_FREE(sids); + sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr, num_sids); + if (sids == NULL) { + TALLOC_FREE(pdb_sids); return NT_STATUS_NO_MEMORY; } - } else { - sid = NULL; } for (i = 0; i < num_sids; i++) { - init_dom_sid2(&sid[i], &sids[i]); + sids[i].sid = sid_dup_talloc(p->mem_ctx, &pdb_sids[i]); + if (!sids[i].sid) { + TALLOC_FREE(pdb_sids); + return NT_STATUS_NO_MEMORY; + } } - init_samr_r_query_aliasmem(r_u, num_sids, sid, NT_STATUS_OK); + r->out.sids->num_sids = num_sids; + r->out.sids->sids = sids; - TALLOC_FREE(sids); + TALLOC_FREE(pdb_sids); return NT_STATUS_OK; } @@ -5250,16 +5254,6 @@ NTSTATUS _samr_SetAliasInfo(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_GetMembersInAlias(pipes_struct *p, - struct samr_GetMembersInAlias *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_QueryUserInfo(pipes_struct *p, struct samr_QueryUserInfo *r) { -- cgit From 1dbfc38b28d44fe8f6e66b6c95db813bd577be29 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 5 Feb 2008 01:29:49 +0100 Subject: Use pidl for _samr_LookupDomain(). Guenther (This used to be commit 9bc106ba56d3a965a5fcd76ce18ccd30baa06eb4) --- source3/rpc_server/srv_samr_nt.c | 53 +++++++++++++++++----------------------- 1 file changed, 23 insertions(+), 30 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 08df3c6e07..10a32675e2 100644 --- a/source3/rpc_server/srv_samr_nt.c 
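Review bot: `r->out.sids->num_sids = num_sids;` assigns a `size_t` to the wire count with no range check. If the wire field is 32 bits wide (its declaration is outside this page), a larger value would be truncated while `sids` keeps its full length. The backend is unlikely to return that many members, but a guard or an explicit cast with a comment would make the assumption visible. The per-entry `sid_dup_talloc(p->mem_ctx, ...)` copies could also be parented to `sids`, so the array and its entries are released together.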
+++ b/source3/rpc_server/srv_samr_nt.c 
@@ -2847,47 +2847,50 @@ NTSTATUS _samr_Connect5(pipes_struct *p, } /********************************************************************** - api_samr_lookup_domain + _samr_LookupDomain **********************************************************************/ - -NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_LOOKUP_DOMAIN *r_u) +NTSTATUS _samr_LookupDomain(pipes_struct *p, + struct samr_LookupDomain *r) { + NTSTATUS status = NT_STATUS_OK; struct samr_info *info; - fstring domain_name; - DOM_SID sid; - - r_u->status = NT_STATUS_OK; + const char *domain_name; + DOM_SID *sid = NULL; - if (!find_policy_by_hnd(p, &q_u->connect_pol, (void**)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info)) return NT_STATUS_INVALID_HANDLE; /* win9x user manager likes to use SA_RIGHT_SAM_ENUM_DOMAINS here. Reverted that change so we will work with RAS servers again */ - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, - SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_lookup_domain"))) - { - return r_u->status; + status = access_check_samr_function(info->acc_granted, + SA_RIGHT_SAM_OPEN_DOMAIN, + "_samr_LookupDomain"); + if (!NT_STATUS_IS_OK(status)) { + return status; } - rpcstr_pull(domain_name, q_u->uni_domain.buffer, sizeof(domain_name), q_u->uni_domain.uni_str_len*2, 0); + domain_name = r->in.domain_name->string; - ZERO_STRUCT(sid); + sid = TALLOC_ZERO_P(p->mem_ctx, struct dom_sid2); + if (!sid) { + return NT_STATUS_NO_MEMORY; + } if (strequal(domain_name, builtin_domain_name())) { - sid_copy(&sid, &global_sid_Builtin); + sid_copy(sid, &global_sid_Builtin); } else { - if (!secrets_fetch_domain_sid(domain_name, &sid)) { - r_u->status = NT_STATUS_NO_SUCH_DOMAIN; + if (!secrets_fetch_domain_sid(domain_name, sid)) { + status = NT_STATUS_NO_SUCH_DOMAIN; } } DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name, - sid_string_dbg(&sid))); + sid_string_dbg(sid))); - 
init_samr_r_lookup_domain(r_u, &sid, r_u->status); + *r->out.sid = sid; - return r_u->status; + return status; } /****************************************************************** @@ -5084,16 +5087,6 @@ NTSTATUS _samr_Shutdown(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_LookupDomain(pipes_struct *p, - struct samr_LookupDomain *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_EnumDomains(pipes_struct *p, struct samr_EnumDomains *r) { -- cgit From f3d5f695646ef498889405c3b49c6b220df9d004 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 5 Feb 2008 02:04:56 +0100 Subject: Use pidl for _samr_GetAliasMembership(). Guenther (This used to be commit b573f677239fbf176468796bb05c4b43dce47262) --- source3/rpc_server/srv_samr_nt.c | 44 ++++++++++++++++------------------------ 1 file changed, 17 insertions(+), 27 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 10a32675e2..2f852702b2 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3781,10 +3781,11 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ } /********************************************************************* - _samr_query_aliasmem + _samr_GetAliasMembership *********************************************************************/ -NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u) +NTSTATUS _samr_GetAliasMembership(pipes_struct *p, + struct samr_GetAliasMembership *r) { size_t num_alias_rids; uint32 *alias_rids; 
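Review bot: `domain_name = r->in.domain_name->string;` takes a pointer from the request and passes it to `strequal()`, `secrets_fetch_domain_sid()` and a `%s` in `DEBUG` with no NULL test. The old code copied the name into a local `fstring` with `rpcstr_pull()`, so those calls always received a valid buffer. If the marshalling layer permits a null string pointer here (the type is declared outside this page), a malformed request could crash the server process; `if (!domain_name) return NT_STATUS_INVALID_PARAMETER;` directly after the assignment prevents that. Separately, when `secrets_fetch_domain_sid()` fails, the function still logs "Returning domain sid" and stores the zeroed SID in `*r->out.sid`; returning `NT_STATUS_NO_SUCH_DOMAIN` before those lines would be cleaner.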
@@ -3796,17 +3797,15 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, DOM_SID *members; - r_u->status = NT_STATUS_OK; - - DEBUG(5,("_samr_query_useraliases: %d\n", __LINE__)); + DEBUG(5,("_samr_GetAliasMembership: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - - ntstatus1 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases"); - ntstatus2 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_query_useraliases"); - + + ntstatus1 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM, "_samr_GetAliasMembership"); + ntstatus2 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_GetAliasMembership"); + if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) { if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) && !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) { @@ -3818,8 +3817,8 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, !sid_check_is_builtin(&info->sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - if (q_u->num_sids1) { - members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, q_u->num_sids1); + if (r->in.sids->num_sids) { + members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, r->in.sids->num_sids); if (members == NULL) return NT_STATUS_NO_MEMORY; 
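Review bot: The access check kept as context under the two renamed `access_check_samr_function()` calls has a clause that can never be true: `!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))` tests `ntstatus1` for both denied and OK. The intent was presumably the mirror of the first clause, `!(NT_STATUS_EQUAL(ntstatus2,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))`, so that either right alone is sufficient. As written, a handle holding only `SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM` takes the branch while one holding only `SA_RIGHT_DOMAIN_OPEN_ACCOUNT` does not. The body of that branch is outside the hunk, so the resulting status cannot be confirmed from here. Since this commit touches the check anyway, it would be worth fixing the clause and adding a comment such as `/* either right is sufficient; fail only if both are denied */`.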
@@ -3827,15 +3826,15 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, members = NULL; } - for (i=0; inum_sids1; i++) - sid_copy(&members[i], &q_u->sid[i].sid); + for (i=0; iin.sids->num_sids; i++) + sid_copy(&members[i], r->in.sids->sids[i].sid); alias_rids = NULL; num_alias_rids = 0; become_root(); ntstatus1 = pdb_enum_alias_memberships(p->mem_ctx, &info->sid, members, - q_u->num_sids1, + r->in.sids->num_sids, &alias_rids, &num_alias_rids); unbecome_root(); @@ -3843,8 +3842,9 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, return ntstatus1; } - init_samr_r_query_useraliases(r_u, num_alias_rids, alias_rids, - NT_STATUS_OK); + r->out.rids->count = num_alias_rids; + r->out.rids->ids = alias_rids; + return NT_STATUS_OK; } @@ -5157,16 +5157,6 @@ NTSTATUS _samr_EnumDomainAliases(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_GetAliasMembership(pipes_struct *p, - struct samr_GetAliasMembership *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_LookupNames(pipes_struct *p, struct samr_LookupNames *r) { -- cgit From 01a9964e8220edbc5be618408e83b4fad27792e4 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 5 Feb 2008 03:17:12 +0100 Subject: Use idl for _samr_QueryGroupMember(). Guenther (This used to be commit 4b068954671143a7c94884e169f1d0ba420dccb7) --- source3/rpc_server/srv_samr_nt.c | 46 +++++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 22 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 2f852702b2..0c9547edc1 100644 --- a/source3/rpc_server/srv_samr_nt.c 
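Review bot: The copy loop now passes `r->in.sids->sids[i].sid` to `sid_copy()` as a pointer taken from the request, where the old code copied from the embedded `q_u->sid[i].sid` struct, and nothing checks that pointer before use. If the generated unmarshalling permits a NULL `sids` array with a non-zero `num_sids`, or a NULL `sid` inside an element (both look like optional pointers; confirm against the IDL), this dereferences NULL in the RPC server. A guard in the loop such as `if (r->in.sids->sids == NULL || r->in.sids->sids[i].sid == NULL) return NT_STATUS_INVALID_PARAMETER;` would reject such requests. The allocation in the preceding hunk (`@@ -3818,8 +3817,8 @@`) is sized from the same client-supplied `num_sids`, so the guard belongs with that count handling. The function starts and ends outside these hunks.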
+++ b/source3/rpc_server/srv_samr_nt.c @@ -3909,10 +3909,11 @@ NTSTATUS _samr_GetMembersInAlias(pipes_struct *p, } /********************************************************************* - _samr_query_groupmem + _samr_QueryGroupMember *********************************************************************/ -NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u) +NTSTATUS _samr_QueryGroupMember(pipes_struct *p, + struct samr_QueryGroupMember *r) { DOM_SID group_sid; size_t i, num_members; @@ -3922,16 +3923,23 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ uint32 acc_granted; - NTSTATUS result; + NTSTATUS status; + struct samr_RidTypeArray *rids = NULL; + + rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidTypeArray); + if (!rids) { + return NT_STATUS_NO_MEMORY; + } /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_GET_MEMBERS, "_samr_query_groupmem"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_GET_MEMBERS, "_samr_QueryGroupMember"); + if (!NT_STATUS_IS_OK(status)) { + return status; } - + DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid))); if (!sid_check_is_in_our_domain(&group_sid)) { 
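Review bot: In `_samr_QueryGroupMember` the new `rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidTypeArray);` sits before `get_lsa_policy_samr_sid()` and `access_check_samr_function()`, so the reply structure is allocated even for an invalid handle or a caller lacking `SA_RIGHT_GROUP_GET_MEMBERS`. The `_samr_LookupDomain` conversion in this series allocates its result only after the access check. Doing the same here, by moving the allocation and its `NT_STATUS_NO_MEMORY` check down to just before `rids->count` is set, keeps the handlers consistent and keeps work off the unauthorised path. The function body continues outside this hunk.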
@@ -3943,12 +3951,12 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ DEBUG(10, ("lookup on Domain SID\n")); become_root(); - result = pdb_enum_group_members(p->mem_ctx, &group_sid, + status = pdb_enum_group_members(p->mem_ctx, &group_sid, &rid, &num_members); unbecome_root(); - if (!NT_STATUS_IS_OK(result)) - return result; + if (!NT_STATUS_IS_OK(status)) + return status; if (num_members) { attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members); @@ -3962,7 +3970,11 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ for (i=0; icount = num_members; + rids->types = attr; + rids->rids = rid; + + *r->out.rids = rids; return NT_STATUS_OK; } @@ -5197,16 +5209,6 @@ NTSTATUS _samr_SetGroupInfo(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_QueryGroupMember(pipes_struct *p, - struct samr_QueryGroupMember *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p, struct samr_SetMemberAttributesOfGroup *r) { -- cgit From f9447d248faec8d80df13c0d8ea6caf7dc40b2dd Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 5 Feb 2008 12:54:19 +0100 Subject: Remove trailing while space, just couldn't resist. No code change. Guenther (This used to be commit efb6d24e97e489e44991091b10196b6ac582485b) --- source3/rpc_server/srv_samr_nt.c | 652 +++++++++++++++++++-------------------- 1 file changed, 326 insertions(+), 326 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 0c9547edc1..586d2225e2 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -125,12 +125,12 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */ init_sec_access(&mask, map->generic_all); - + init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); /* Add Full Access for Domain Admins if we are a DC */ - + if ( IS_DC ) { sid_copy( &domadmin_sid, get_global_sam_sid() ); sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS ); 
@@ -162,57 +162,57 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd level of access for further checks. ********************************************************************/ -static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token, +static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token, SE_PRIV *rights, uint32 rights_mask, - uint32 des_access, uint32 *acc_granted, + uint32 des_access, uint32 *acc_granted, const char *debug ) { NTSTATUS status = NT_STATUS_ACCESS_DENIED; uint32 saved_mask = 0; - /* check privileges; certain SAM access bits should be overridden - by privileges (mostly having to do with creating/modifying/deleting + /* check privileges; certain SAM access bits should be overridden + by privileges (mostly having to do with creating/modifying/deleting users and groups) */ - + if ( rights && user_has_any_privilege( token, rights ) ) { - + saved_mask = (des_access & rights_mask); des_access &= ~saved_mask; - + DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n", rights_mask)); } - - + + /* check the security descriptor first */ - + if ( se_access_check(psd, token, des_access, acc_granted, &status) ) goto done; - + /* give root a free pass */ - + if ( geteuid() == sec_initial_uid() ) { - + DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access)); DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n")); - + *acc_granted = des_access; - + status = NT_STATUS_OK; goto done; } - - + + done: - /* add in any bits saved during the privilege check (only + /* add in any bits saved during the privilege check (only matters is status is ok) */ - + *acc_granted |= rights_mask; - DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n", - debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED", + DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n", + debug, NT_STATUS_IS_OK(status) ? 
"GRANTED" : "DENIED", des_access, *acc_granted)); - + return status; } @@ -222,28 +222,28 @@ done: static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug) { - DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n", + DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n", debug, acc_granted, acc_required)); /* check the security descriptor first */ - + if ( (acc_granted&acc_required) == acc_required ) return NT_STATUS_OK; - + /* give root a free pass */ if (geteuid() == sec_initial_uid()) { - + DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n", debug, acc_granted, acc_required)); DEBUGADD(4,("but overwritten by euid == 0\n")); - + return NT_STATUS_OK; } - - DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n", + + DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n", debug, acc_granted, acc_required)); - + return NT_STATUS_ACCESS_DENIED; } @@ -278,7 +278,7 @@ static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid) /* There are two cases to consider here: 1) The SID is a domain SID and we look for an equality match, or - 2) This is an account SID and so we return the DISP_INFO* for our + 2) This is an account SID and so we return the DISP_INFO* for our domain */ if (psid == NULL) { @@ -293,7 +293,7 @@ static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid) return &builtin_dispinfo; } - + if (sid_check_is_domain(psid) || sid_check_is_in_our_domain(psid)) { /* * Necessary only once, but it does not really hurt. @@ -315,7 +315,7 @@ static struct samr_info *get_samr_info_by_sid(DOM_SID *psid) struct samr_info *info; fstring sid_str; TALLOC_CTX *mem_ctx; - + if (psid) { sid_to_fstring(sid_str, psid); } else { @@ -465,7 +465,7 @@ static void force_flush_samr_cache(DISP_INFO *disp_info) static void samr_clear_sam_passwd(struct samu *sam_pass) { - + if (!sam_pass) return; 
@@ -573,28 +573,28 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p, SE_PRIV se_rights; /* find the connection policy handle. */ - + if ( !find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info) ) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function( info->acc_granted, + status = access_check_samr_function( info->acc_granted, SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_OpenDomain" ); - + if ( !NT_STATUS_IS_OK(status) ) return status; /*check if access can be granted as requested by client. */ - + make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 ); se_map_generic( &des_access, &dom_generic_mapping ); - + se_priv_copy( &se_rights, &se_machine_account ); se_priv_add( &se_rights, &se_add_users ); - status = access_check_samr_object( psd, p->pipe_user.nt_user_token, - &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access, + status = access_check_samr_object( psd, p->pipe_user.nt_user_token, + &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access, &acc_granted, "_samr_OpenDomain" ); - + if ( !NT_STATUS_IS_OK(status) ) return status; @@ -648,7 +648,7 @@ NTSTATUS _samr_GetUserPwInfo(pipes_struct *p, /******************************************************************* ********************************************************************/ -static bool get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol, +static bool get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol, DOM_SID *sid, uint32 *acc_granted, DISP_INFO **ppdisp_info) { @@ -706,9 +706,9 @@ NTSTATUS _samr_SetSecurity(pipes_struct *p, dacl = r->in.sdbuf->sd->dacl; for (i=0; i < dacl->num_aces; i++) { if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) { - ret = pdb_set_pass_can_change(sampass, - (dacl->aces[i].access_mask & - SA_RIGHT_USER_CHANGE_PASSWORD) ? + ret = pdb_set_pass_can_change(sampass, + (dacl->aces[i].access_mask & + SA_RIGHT_USER_CHANGE_PASSWORD) ? True: False); break; } 
@@ -791,7 +791,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p, if (pol_sid.sid_rev_num == 0) { DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n")); status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); - } else if (sid_equal(&pol_sid,get_global_sam_sid())) { + } else if (sid_equal(&pol_sid,get_global_sam_sid())) { /* check if it is our domain SID */ DEBUG(5,("_samr_QuerySecurity: querying security on Domain " "with SID: %s\n", sid_string_dbg(&pol_sid))); @@ -837,7 +837,7 @@ static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, uint32 i; SAM_ENTRY *sam; UNISTR2 *uni_name; - + *sam_pp = NULL; *uni_name_pp = NULL; @@ -880,7 +880,7 @@ static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, samr_reply_enum_dom_users ********************************************************************/ -NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, +NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, SAMR_R_ENUM_DOM_USERS *r_u) { struct samr_info *info = NULL; @@ -890,19 +890,19 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K; uint32 max_entries = max_sam_entries; struct samr_displayentry *entries = NULL; - + r_u->status = NT_STATUS_OK; /* find the policy handle. open a policy on it. */ if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, - SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, + SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_users"))) { return r_u->status; } - + DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); if (info->builtin_domain) { 
@@ -949,7 +949,7 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, } r_u->status = make_user_sam_entry_list(p->mem_ctx, &r_u->sam, - &r_u->uni_acct_name, + &r_u->uni_acct_name, num_account, enum_context, entries); @@ -1062,7 +1062,7 @@ NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAM num_groups = pdb_search_entries(info->disp_info->groups, q_u->start_idx, MAX_SAM_ENTRIES, &groups); unbecome_root(); - + /* Ensure we cache this enumeration. */ set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); @@ -1112,7 +1112,7 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S num_aliases = pdb_search_entries(info->disp_info->aliases, q_u->start_idx, MAX_SAM_ENTRIES, &aliases); unbecome_root(); - + /* Ensure we cache this enumeration. */ set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); @@ -1131,12 +1131,12 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S samr_reply_query_dispinfo ********************************************************************/ -NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, +NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, SAMR_R_QUERY_DISPINFO *r_u) { struct samr_info *info = NULL; uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */ - + uint32 max_entries=q_u->max_entries; uint32 enum_context=q_u->start_idx; uint32 max_size=q_u->max_size; @@ -1158,7 +1158,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, /* * calculate how many entries we will return. - * based on + * based on * - the number of entries the client asked * - our limit on that * - the starting point (enumeration context) 
@@ -1202,7 +1202,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, * return */ temp_size=max_entries*struct_size; - + if (temp_size>max_size) { max_entries=MIN((max_size/struct_size),max_entries);; DEBUG(5, ("samr_reply_query_dispinfo: buffer size limits to " @@ -1365,11 +1365,11 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM become_root(); status = pdb_get_aliasinfo(&sid, &info); unbecome_root(); - + if ( !NT_STATUS_IS_OK(status)) return status; - if ( !(r_u->ctr = TALLOC_ZERO_P( p->mem_ctx, ALIAS_INFO_CTR )) ) + if ( !(r_u->ctr = TALLOC_ZERO_P( p->mem_ctx, ALIAS_INFO_CTR )) ) return NT_STATUS_NO_MEMORY; @@ -1475,7 +1475,7 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO init_samr_r_lookup_names(p->mem_ctx, r_u, 0, NULL, NULL, NT_STATUS_OBJECT_TYPE_MISMATCH); return r_u->status; } - + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, 0, "_samr_lookup_names"))) { /* Don't know the acc_bits yet */ return r_u->status; } @@ -1487,7 +1487,7 @@ NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LO DEBUG(5,("_samr_lookup_names: looking name on SID %s\n", sid_string_dbg(&pol_sid))); - + for (i = 0; i < num_rids; i++) { fstring name; int ret; @@ -1545,11 +1545,11 @@ NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p, * Pass the user through the NT -> unix user mapping * function. */ - + (void)map_username(user_name); - + /* - * UNIX username case mangling not required, pass_oem_change + * UNIX username case mangling not required, pass_oem_change * is case insensitive. */ 
@@ -1584,18 +1584,18 @@ NTSTATUS _samr_chgpasswd_user3(pipes_struct *p, SAMR_Q_CHGPASSWD_USER3 *q_u, SAM * Pass the user through the NT -> unix user mapping * function. */ - + (void)map_username(user_name); - + /* - * UNIX username case mangling not required, pass_oem_change + * UNIX username case mangling not required, pass_oem_change * is case insensitive. */ r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash, q_u->nt_newpass.pass, q_u->nt_oldhash.hash, &reject_reason); - if (NT_STATUS_EQUAL(r_u->status, NT_STATUS_PASSWORD_RESTRICTION) || + if (NT_STATUS_EQUAL(r_u->status, NT_STATUS_PASSWORD_RESTRICTION) || NT_STATUS_EQUAL(r_u->status, NT_STATUS_ACCOUNT_RESTRICTION)) { uint32 min_pass_len,pass_hist,password_properties; @@ -1634,18 +1634,18 @@ NTSTATUS _samr_chgpasswd_user3(pipes_struct *p, SAMR_Q_CHGPASSWD_USER3 *q_u, SAM u_min_age = account_policy_temp; /* !AS ROOT */ - + unbecome_root(); unix_to_nt_time_abs(&nt_expire, u_expire); unix_to_nt_time_abs(&nt_min_age, u_min_age); - init_unk_info1(info, (uint16)min_pass_len, (uint16)pass_hist, + init_unk_info1(info, (uint16)min_pass_len, (uint16)pass_hist, password_properties, nt_expire, nt_min_age); reject->reject_reason = reject_reason; } - + init_samr_r_chgpasswd_user3(r_u, r_u->status, reject, info); DEBUG(5,("_samr_chgpasswd_user3: %d\n", __LINE__)); @@ -1779,13 +1779,13 @@ NTSTATUS _samr_OpenUser(pipes_struct *p, SE_PRIV se_rights; /* find the domain policy handle and get domain SID / access bits in the domain policy. */ - + if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) ) return NT_STATUS_INVALID_HANDLE; - - nt_status = access_check_samr_function( acc_granted, + + nt_status = access_check_samr_function( acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_OpenUser" ); - + if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; 
@@ -1794,22 +1794,22 @@ NTSTATUS _samr_OpenUser(pipes_struct *p, } /* append the user's RID to it */ - + if (!sid_append_rid(&sid, r->in.rid)) return NT_STATUS_NO_SUCH_USER; - + /* check if access can be granted as requested by client. */ - + make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW); se_map_generic(&des_access, &usr_generic_mapping); - + se_priv_copy( &se_rights, &se_machine_account ); se_priv_add( &se_rights, &se_add_users ); - - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, - &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access, + + nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access, &acc_granted, "_samr_OpenUser"); - + if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; @@ -1848,7 +1848,7 @@ static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_S if ( !(smbpass = samu_new( mem_ctx )) ) { return NT_STATUS_NO_MEMORY; } - + become_root(); ret = pdb_getsampwsid(smbpass, user_sid); unbecome_root(); @@ -1934,7 +1934,7 @@ static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, SAM_USER_INFO_16 *id16, DO /************************************************************************* get_user_info_18. OK - this is the killer as it gives out password info. Ensure that this is only allowed on an encrypted connection with a root - user. JRA. + user. JRA. *************************************************************************/ static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_INFO_18 * id18, DOM_SID *user_sid) @@ -1975,7 +1975,7 @@ static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_ ZERO_STRUCTP(id18); init_sam_user_info18(id18, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass)); - + TALLOC_FREE(smbpass); return NT_STATUS_OK; 
@@ -2009,7 +2009,7 @@ static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DO ZERO_STRUCTP(id20); init_sam_user_info20A(id20, sampass); - + TALLOC_FREE(sampass); return NT_STATUS_OK; @@ -2019,7 +2019,7 @@ static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DO get_user_info_21 *************************************************************************/ -static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, +static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, DOM_SID *user_sid, DOM_SID *domain_sid) { struct samu *sampass=NULL; @@ -2045,7 +2045,7 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, ZERO_STRUCTP(id21); nt_status = init_sam_user_info21A(id21, sampass, domain_sid); - + TALLOC_FREE(sampass); return nt_status; @@ -2061,7 +2061,7 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ struct samr_info *info = NULL; DOM_SID domain_sid; uint32 rid; - + r_u->status=NT_STATUS_OK; /* search for the handle */ @@ -2123,7 +2123,7 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ if (!NT_STATUS_IS_OK(r_u->status = get_user_info_18(p, p->mem_ctx, ctr->info.id18, &info->sid))) return r_u->status; break; - + case 20: ctr->info.id20 = TALLOC_ZERO_P(p->mem_ctx,SAM_USER_INFO_20); if (ctr->info.id20 == NULL) @@ -2136,7 +2136,7 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ ctr->info.id21 = TALLOC_ZERO_P(p->mem_ctx,SAM_USER_INFO_21); if (ctr->info.id21 == NULL) return NT_STATUS_NO_MEMORY; - if (!NT_STATUS_IS_OK(r_u->status = get_user_info_21(p->mem_ctx, ctr->info.id21, + if (!NT_STATUS_IS_OK(r_u->status = get_user_info_21(p->mem_ctx, ctr->info.id21, &info->sid, &domain_sid))) return r_u->status; break; 
@@ -2148,7 +2148,7 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ init_samr_r_query_userinfo(r_u, ctr, r_u->status); DEBUG(5,("_samr_query_userinfo: %d\n", __LINE__)); - + return r_u->status; } @@ -2191,7 +2191,7 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S /* find the policy handle. open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_USER_GET_GROUPS, "_samr_query_usergroups"))) { return r_u->status; } @@ -2220,7 +2220,7 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S result = pdb_enum_group_memberships(p->mem_ctx, sam_pass, &sids, &unix_gids, &num_groups); if ( NT_STATUS_IS_OK(result) ) { - success = sid_peek_check_rid(get_global_sam_sid(), + success = sid_peek_check_rid(get_global_sam_sid(), pdb_get_group_sid(sam_pass), &primary_group_rid); } @@ -2266,12 +2266,12 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S ADD_TO_ARRAY(p->mem_ctx, DOM_GID, dom_gid, &gids, &num_gids); } - + /* construct the response. lkclXXXX: gids are not copied! */ init_samr_r_query_usergroups(r_u, num_gids, gids, r_u->status); - + DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); - + return r_u->status; } @@ -2279,8 +2279,8 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S _samr_query_domain_info ********************************************************************/ -NTSTATUS _samr_query_domain_info(pipes_struct *p, - SAMR_Q_QUERY_DOMAIN_INFO *q_u, +NTSTATUS _samr_query_domain_info(pipes_struct *p, + SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR_R_QUERY_DOMAIN_INFO *r_u) { struct samr_info *info = NULL; 
@@ -2309,17 +2309,17 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, ZERO_STRUCTP(ctr); r_u->status = NT_STATUS_OK; - + DEBUG(5,("_samr_query_domain_info: %d\n", __LINE__)); - + /* find the policy handle. open a policy on it. */ if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)(void *)&info)) { return NT_STATUS_INVALID_HANDLE; } - + switch (q_u->switch_value) { case 0x01: - + become_root(); /* AS ROOT !!! */ @@ -2340,13 +2340,13 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, u_min_age = account_policy_temp; /* !AS ROOT */ - + unbecome_root(); unix_to_nt_time_abs(&nt_expire, u_expire); unix_to_nt_time_abs(&nt_min_age, u_min_age); - init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist, + init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist, password_properties, nt_expire, nt_min_age); break; case 0x02: @@ -2368,14 +2368,14 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, seq_num = time(NULL); /* !AS ROOT */ - + unbecome_root(); server_role = ROLE_DOMAIN_PDC; if (lp_server_role() == ROLE_DOMAIN_BDC) server_role = ROLE_DOMAIN_BDC; - init_unk_info2(&ctr->info.inf2, lp_serverstring(), lp_workgroup(), global_myname(), seq_num, + init_unk_info2(&ctr->info.inf2, lp_serverstring(), lp_workgroup(), global_myname(), seq_num, num_users, num_groups, num_aliases, nt_logout, server_role); break; case 0x03: @@ -2391,11 +2391,11 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, } /* !AS ROOT */ - + unbecome_root(); unix_to_nt_time_abs(&nt_logout, u_logout); - + init_unk_info3(&ctr->info.inf3, nt_logout); break; case 0x04: @@ -2428,7 +2428,7 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, } /* !AS ROOT */ - + unbecome_root(); init_unk_info8(&ctr->info.inf8, (uint32) seq_num); 
@@ -2452,23 +2452,23 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, lockout = account_policy_temp; /* !AS ROOT */ - + unbecome_root(); unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); unix_to_nt_time_abs(&nt_reset_time, u_reset_time); - + init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout); break; default: return NT_STATUS_INVALID_INFO_CLASS; } - + init_samr_r_query_domain_info(r_u, q_u->switch_value, ctr, NT_STATUS_OK); - + DEBUG(5,("_samr_query_domain_info: %d\n", __LINE__)); - + return r_u->status; } @@ -2546,8 +2546,8 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, } if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST || - acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) { - /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if + acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) { + /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if this parameter is not an account type */ return NT_STATUS_INVALID_PARAMETER; } @@ -2563,14 +2563,14 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, } /* determine which user right we need to check based on the acb_info */ - + if ( acb_info & ACB_WSTRUST ) { se_priv_copy( &se_rights, &se_machine_account ); can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); - } - /* usrmgr.exe (and net rpc trustdom grant) creates a normal user + } + /* usrmgr.exe (and net rpc trustdom grant) creates a normal user account for domain trusts and changes the ACB flags later */ else if ( acb_info & ACB_NORMAL && (account[strlen(account)-1] != '$') ) @@ -2578,7 +2578,7 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, se_priv_copy( &se_rights, &se_add_users ); can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); - } + } else /* implicit assumption of a BDC or domain trust account here * (we already check the flags earlier) */ { 
@@ -2590,11 +2590,11 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, DOMAIN_GROUP_RID_ADMINS ); } } - + DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n", uidtoname(p->pipe_user.ut.uid), can_add_account ? "True":"False" )); - + /********** BEGIN Admin BLOCK **********/ if ( can_add_account ) @@ -2607,24 +2607,24 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p, unbecome_root(); /********** END Admin BLOCK **********/ - + /* now check for failure */ - + if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; - + /* Get the user's SID */ sid_compose(&sid, get_global_sam_sid(), *r->out.rid); - + make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW); se_map_generic(&des_access, &usr_generic_mapping); - - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, - &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access, + + nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access, &acc_granted, "_samr_CreateUser2"); - + if ( !NT_STATUS_IS_OK(nt_status) ) { return nt_status; } @@ -2675,9 +2675,9 @@ NTSTATUS _samr_Connect(pipes_struct *p, return NT_STATUS_NO_MEMORY; /* don't give away the farm but this is probably ok. The SA_RIGHT_SAM_ENUM_DOMAINS - was observed from a win98 client trying to enumerate users (when configured + was observed from a win98 client trying to enumerate users (when configured user level access control on shares) --jerry */ - + if (des_access == MAXIMUM_ALLOWED_ACCESS) { /* Map to max possible knowing we're filtered below. */ des_access = GENERIC_ALL_ACCESS; 
@@ -2719,11 +2719,11 @@ NTSTATUS _samr_Connect2(pipes_struct *p, make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); - - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + + nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, NULL, 0, des_access, &acc_granted, "_samr_Connect2"); - - if ( !NT_STATUS_IS_OK(nt_status) ) + + if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; /* associate the user's SID and access granted with the new handle. */ @@ -2768,11 +2768,11 @@ NTSTATUS _samr_Connect4(pipes_struct *p, make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); - - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + + nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, NULL, 0, des_access, &acc_granted, "_samr_Connect4"); - - if ( !NT_STATUS_IS_OK(nt_status) ) + + if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; /* associate the user's SID and access granted with the new handle. */ @@ -2817,11 +2817,11 @@ NTSTATUS _samr_Connect5(pipes_struct *p, make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0); se_map_generic(&des_access, &sam_generic_mapping); - - nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + + nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token, NULL, 0, des_access, &acc_granted, "_samr_Connect5"); - - if ( !NT_STATUS_IS_OK(nt_status) ) + + if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; /* associate the user's SID and access granted with the new handle. */ 
@@ -2860,7 +2860,7 @@ NTSTATUS _samr_LookupDomain(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - /* win9x user manager likes to use SA_RIGHT_SAM_ENUM_DOMAINS here. + /* win9x user manager likes to use SA_RIGHT_SAM_ENUM_DOMAINS here. Reverted that change so we will work with RAS servers again */ status = access_check_samr_function(info->acc_granted, @@ -2941,10 +2941,10 @@ NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_EN const char *name; r_u->status = NT_STATUS_OK; - + if (!find_policy_by_hnd(p, &q_u->pol, (void**)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_enum_domains"))) { return r_u->status; } 
@@ -2983,33 +2983,33 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p, SE_PRIV se_rights; /* find the domain policy and get the SID / access bits stored in the domain policy */ - + if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) ) return NT_STATUS_INVALID_HANDLE; - - status = access_check_samr_function(acc_granted, + + status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_OpenAlias"); - - if ( !NT_STATUS_IS_OK(status) ) + + if ( !NT_STATUS_IS_OK(status) ) return status; /* append the alias' RID to it */ - + if (!sid_append_rid(&sid, alias_rid)) return NT_STATUS_NO_SUCH_ALIAS; - + /*check if access can be granted as requested by client. */ - + make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0); se_map_generic(&des_access,&ali_generic_mapping); - + se_priv_copy( &se_rights, &se_add_users ); - - - status = access_check_samr_object(psd, p->pipe_user.nt_user_token, - &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access, + + + status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access, &acc_granted, "_samr_OpenAlias"); - + if ( !NT_STATUS_IS_OK(status) ) return status; @@ -3028,7 +3028,7 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p, } /* make sure there is a mapping */ - + if ( !sid_to_gid( &sid, &gid ) ) { return NT_STATUS_NO_SUCH_ALIAS; } @@ -3038,7 +3038,7 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p, /* associate the alias SID with the new handle. */ if ((info = get_samr_info_by_sid(&sid)) == NULL) return NT_STATUS_NO_MEMORY; - + info->acc_granted = acc_granted; /* get a (unique) handle. open a policy on it. */ 
@@ -3070,7 +3070,7 @@ static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx, } /* check to see if the new username already exists. Note: we can't - reliably lock all backends, so there is potentially the + reliably lock all backends, so there is potentially the possibility that a user can be created in between this check and the rename. The rename should fail, but may not get the exact same failure status code. I think this is small enough @@ -3100,7 +3100,7 @@ static bool set_user_info_16(const SAM_USER_INFO_16 *id16, struct samu *pwd) TALLOC_FREE(pwd); return False; } - + /* FIX ME: check if the value is really changed --metze */ if (!pdb_set_acct_ctrl(pwd, id16->acb_info, PDB_CHANGED)) { TALLOC_FREE(pwd); @@ -3129,7 +3129,7 @@ static bool set_user_info_18(SAM_USER_INFO_18 *id18, struct samu *pwd) TALLOC_FREE(pwd); return False; } - + if (!pdb_set_lanman_passwd (pwd, id18->lm_pwd, PDB_CHANGED)) { TALLOC_FREE(pwd); return False; @@ -3140,9 +3140,9 @@ static bool set_user_info_18(SAM_USER_INFO_18 *id18, struct samu *pwd) } if (!pdb_set_pass_last_set_time (pwd, time(NULL), PDB_CHANGED)) { TALLOC_FREE(pwd); - return False; + return False; } - + if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) { TALLOC_FREE(pwd); return False; @@ -3162,7 +3162,7 @@ static bool set_user_info_20(SAM_USER_INFO_20 *id20, struct samu *pwd) DEBUG(5, ("set_user_info_20: NULL id20\n")); return False; } - + copy_id20_to_sam_passwd(pwd, id20); /* write the change out */ 
@@ -3184,21 +3184,21 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, { fstring new_name; NTSTATUS status; - + if (id21 == NULL) { DEBUG(5, ("set_user_info_21: NULL id21\n")); return NT_STATUS_INVALID_PARAMETER; } /* we need to separately check for an account rename first */ - - if (rpcstr_pull(new_name, id21->uni_user_name.buffer, - sizeof(new_name), id21->uni_user_name.uni_str_len*2, 0) - && (!strequal(new_name, pdb_get_username(pwd)))) + + if (rpcstr_pull(new_name, id21->uni_user_name.buffer, + sizeof(new_name), id21->uni_user_name.uni_str_len*2, 0) + && (!strequal(new_name, pdb_get_username(pwd)))) { /* check to see if the new username already exists. Note: we can't - reliably lock all backends, so there is potentially the + reliably lock all backends, so there is potentially the possibility that a user can be created in between this check and the rename. The rename should fail, but may not get the exact same failure status code. I think this is small enough 
@@ -3214,35 +3214,35 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, status = pdb_rename_sam_account(pwd, new_name); if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("set_user_info_21: failed to rename account: %s\n", + DEBUG(0,("set_user_info_21: failed to rename account: %s\n", nt_errstr(status))); TALLOC_FREE(pwd); return status; } - /* set the new username so that later + /* set the new username so that later functions can work on the new account */ pdb_set_username(pwd, new_name, PDB_SET); } copy_id21_to_sam_passwd(pwd, id21); - + /* * The funny part about the previous two calls is * that pwd still has the password hashes from the * passdb entry. These have not been updated from * id21. I don't know if they need to be set. --jerry */ - + if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) { status = pdb_set_unix_primary_group(mem_ctx, pwd); if ( !NT_STATUS_IS_OK(status) ) { return status; } } - + /* Don't worry about writing out the user account since the - primary group SID is generated solely from the user's Unix + primary group SID is generated solely from the user's Unix primary group. */ /* write the change out */ @@ -3431,14 +3431,14 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx, SAM_USER_INFO_25 *id25, struct samu *pwd) { NTSTATUS status; - + if (id25 == NULL) { DEBUG(5, ("set_user_info_25: NULL id25\n")); return NT_STATUS_INVALID_PARAMETER; } copy_id25_to_sam_passwd(pwd, id25); - + /* write the change out */ if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) { TALLOC_FREE(pwd); @@ -3459,7 +3459,7 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx, SAM_USER_INFO_25 *id25, return status; } } - + /* WARNING: No TALLOC_FREE(pwd), we are about to set the password * hereafter! */ 
@@ -3492,13 +3492,13 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - /* This is tricky. A WinXP domain join sets + /* This is tricky. A WinXP domain join sets (SA_RIGHT_USER_SET_PASSWORD|SA_RIGHT_USER_SET_ATTRIBUTES|SA_RIGHT_USER_ACCT_FLAGS_EXPIRY) - The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the - standard Win32 API calls just ask for SA_RIGHT_USER_SET_PASSWORD in the SamrOpenUser(). - This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so + The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the + standard Win32 API calls just ask for SA_RIGHT_USER_SET_PASSWORD in the SamrOpenUser(). + This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so we'll use the set from the WinXP join as the basis. */ - + switch (switch_value) { case 18: case 24: @@ -3510,7 +3510,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY; break; } - + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) { return r_u->status; } 
@@ -3522,25 +3522,25 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE DEBUG(5, ("_samr_set_userinfo: NULL info level\n")); return NT_STATUS_INVALID_INFO_CLASS; } - + if ( !(pwd = samu_new( NULL )) ) { return NT_STATUS_NO_MEMORY; } - + become_root(); ret = pdb_getsampwsid(pwd, &sid); unbecome_root(); - + if ( !ret ) { TALLOC_FREE(pwd); return NT_STATUS_NO_SUCH_USER; } - + /* deal with machine password changes differently from userinfo changes */ /* check to see if we have the sufficient rights */ - + acb_info = pdb_get_acct_ctrl(pwd); - if ( acb_info & ACB_WSTRUST ) + if ( acb_info & ACB_WSTRUST ) has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account); else if ( acb_info & ACB_NORMAL ) has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); @@ -3548,16 +3548,16 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE if ( lp_enable_privileges() ) has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); } - + DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n", uidtoname(p->pipe_user.ut.uid), has_enough_rights ? "" : " not")); /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */ - - if ( has_enough_rights ) - become_root(); - + + if ( has_enough_rights ) + become_root(); + /* ok! user info levels (lots: see MSDEV help), off we go... */ switch (switch_value) { @@ -3624,10 +3624,10 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE } done: - - if ( has_enough_rights ) + + if ( has_enough_rights ) unbecome_root(); - + /* ================ END SeMachineAccountPrivilege BLOCK ================ */ if (NT_STATUS_IS_OK(r_u->status)) { 
@@ -3663,7 +3663,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - + #if 0 /* this really should be applied on a per info level basis --jerry */ /* observed when joining XP client to Samba domain */ @@ -3671,7 +3671,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ #else acc_required = SA_RIGHT_USER_SET_ATTRIBUTES; #endif - + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo2"))) { return r_u->status; } @@ -3693,14 +3693,14 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ become_root(); ret = pdb_getsampwsid(pwd, &sid); unbecome_root(); - + if ( !ret ) { TALLOC_FREE(pwd); return NT_STATUS_NO_SUCH_USER; } - + acb_info = pdb_get_acct_ctrl(pwd); - if ( acb_info & ACB_WSTRUST ) + if ( acb_info & ACB_WSTRUST ) has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account); else if ( acb_info & ACB_NORMAL ) has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); @@ -3708,18 +3708,18 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ if ( lp_enable_privileges() ) has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); } - + DEBUG(5, ("_samr_set_userinfo2: %s does%s possess sufficient rights\n", uidtoname(p->pipe_user.ut.uid), has_enough_rights ? "" : " not")); /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */ - - if ( has_enough_rights ) - become_root(); - + + if ( has_enough_rights ) + become_root(); + /* ok! user info levels (lots: see MSDEV help), off we go... */ - + switch (switch_value) { case 7: r_u->status = set_user_info_7(p->mem_ctx, 
@@ -3768,9 +3768,9 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ r_u->status = NT_STATUS_INVALID_INFO_CLASS; } - if ( has_enough_rights ) + if ( has_enough_rights ) unbecome_root(); - + /* ================ END SeMachineAccountPrivilege BLOCK ================ */ if (NT_STATUS_IS_OK(r_u->status)) { @@ -3791,7 +3791,7 @@ NTSTATUS _samr_GetAliasMembership(pipes_struct *p, uint32 *alias_rids; struct samr_info *info = NULL; size_t i; - + NTSTATUS ntstatus1; NTSTATUS ntstatus2; @@ -3811,7 +3811,7 @@ NTSTATUS _samr_GetAliasMembership(pipes_struct *p, !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) { return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1; } - } + } if (!sid_check_is_domain(&info->sid) && !sid_check_is_builtin(&info->sid)) @@ -3932,7 +3932,7 @@ NTSTATUS _samr_QueryGroupMember(pipes_struct *p, } /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_GET_MEMBERS, "_samr_QueryGroupMember"); @@ -3966,7 +3966,7 @@ NTSTATUS _samr_QueryGroupMember(pipes_struct *p, } else { attr = NULL; } - + for (i=0; ipipe_user.nt_user_token, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ - + if ( can_add_accounts ) become_root(); - + status = pdb_add_aliasmem(&alias_sid, r->in.sid); - + if ( can_add_accounts ) unbecome_root(); - + /******** END SeAddUsers BLOCK *********/ - + if (NT_STATUS_IS_OK(status)) { force_flush_samr_cache(disp_info); } 
@@ -4041,14 +4041,14 @@ NTSTATUS _samr_DeleteAliasMember(pipes_struct *p, DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - + status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_REMOVE_MEMBER, "_samr_DeleteAliasMember"); if (!NT_STATUS_IS_OK(status)) { return status; } - + DEBUG(10, ("_samr_del_aliasmem:sid is %s\n", sid_string_dbg(&alias_sid))); @@ -4056,17 +4056,17 @@ NTSTATUS _samr_DeleteAliasMember(pipes_struct *p, can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ - + if ( can_add_accounts ) become_root(); status = pdb_del_aliasmem(&alias_sid, r->in.sid); - + if ( can_add_accounts ) unbecome_root(); - + /******** END SeAddUsers BLOCK *********/ - + if (NT_STATUS_IS_OK(status)) { force_flush_samr_cache(disp_info); } @@ -4109,7 +4109,7 @@ NTSTATUS _samr_AddGroupMember(pipes_struct *p, can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ - + if ( can_add_accounts ) become_root(); @@ -4117,9 +4117,9 @@ NTSTATUS _samr_AddGroupMember(pipes_struct *p, if ( can_add_accounts ) unbecome_root(); - + /******** END SeAddUsers BLOCK *********/ - + force_flush_samr_cache(disp_info); return status; 
@@ -4148,9 +4148,9 @@ NTSTATUS _samr_DeleteGroupMember(pipes_struct *p, */ /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - + status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_REMOVE_MEMBER, "_samr_DeleteGroupMember"); if (!NT_STATUS_IS_OK(status)) { return status; @@ -4165,17 +4165,17 @@ NTSTATUS _samr_DeleteGroupMember(pipes_struct *p, can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ - + if ( can_add_accounts ) become_root(); - + status = pdb_del_groupmem(p->mem_ctx, group_rid, r->in.rid); if ( can_add_accounts ) unbecome_root(); - + /******** END SeAddUsers BLOCK *********/ - + force_flush_samr_cache(disp_info); return status; @@ -4200,14 +4200,14 @@ NTSTATUS _samr_DeleteUser(pipes_struct *p, DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__)); /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &user_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &user_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - + status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_DeleteUser"); if (!NT_STATUS_IS_OK(status)) { return status; } - + if (!sid_check_is_in_our_domain(&user_sid)) return NT_STATUS_CANNOT_DELETE; @@ -4221,12 +4221,12 @@ NTSTATUS _samr_DeleteUser(pipes_struct *p, unbecome_root(); if( !ret ) { - DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n", + DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n", sid_string_dbg(&user_sid))); TALLOC_FREE(sam_pass); return NT_STATUS_NO_SUCH_USER; } - + acb_info = pdb_get_acct_ctrl(sam_pass); /* For machine accounts it's the SeMachineAccountPrivilege that counts. */ 
@@ -4234,10 +4234,10 @@ NTSTATUS _samr_DeleteUser(pipes_struct *p, can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account ); } else { can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); - } + } /******** BEGIN SeAddUsers BLOCK *********/ - + if ( can_add_accounts ) become_root(); @@ -4245,9 +4245,9 @@ NTSTATUS _samr_DeleteUser(pipes_struct *p, if ( can_add_accounts ) unbecome_root(); - + /******** END SeAddUsers BLOCK *********/ - + if ( !NT_STATUS_IS_OK(status) ) { DEBUG(5,("_samr_DeleteUser: Failed to delete entry for " "user %s: %s.\n", pdb_get_username(sam_pass), @@ -4285,7 +4285,7 @@ NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p, DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__)); /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_DeleteDomainGroup"); @@ -4304,7 +4304,7 @@ NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p, can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ - + if ( can_add_accounts ) become_root(); @@ -4312,9 +4312,9 @@ NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p, if ( can_add_accounts ) unbecome_root(); - + /******** END SeAddUsers BLOCK *********/ - + if ( !NT_STATUS_IS_OK(status) ) { DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping " "entry for group %s: %s\n", @@ -4322,7 +4322,7 @@ NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p, nt_errstr(status))); return status; } - + if (!close_policy_hnd(p, r->in.group_handle)) return NT_STATUS_OBJECT_NAME_INVALID; 
@@ -4348,9 +4348,9 @@ NTSTATUS _samr_DeleteDomAlias(pipes_struct *p, DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__)); /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - + /* copy the handle to the outgoing reply */ memcpy(r->out.alias_handle, r->in.alias_handle, sizeof(r->out.alias_handle)); @@ -4370,23 +4370,23 @@ NTSTATUS _samr_DeleteDomAlias(pipes_struct *p, if (!sid_check_is_in_our_domain(&alias_sid)) return NT_STATUS_NO_SUCH_ALIAS; - + DEBUG(10, ("lookup on Local SID\n")); se_priv_copy( &se_rights, &se_add_users ); can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ - + if ( can_add_accounts ) become_root(); /* Have passdb delete the alias */ status = pdb_delete_alias(&alias_sid); - + if ( can_add_accounts ) unbecome_root(); - + /******** END SeAddUsers BLOCK *********/ if ( !NT_STATUS_IS_OK(status)) @@ -4419,14 +4419,14 @@ NTSTATUS _samr_CreateDomainGroup(pipes_struct *p, DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - + status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_GROUP, "_samr_CreateDomainGroup"); if (!NT_STATUS_IS_OK(status)) { return status; } - + if (!sid_equal(&dom_sid, get_global_sam_sid())) return NT_STATUS_ACCESS_DENIED; 
@@ -4444,26 +4444,26 @@ NTSTATUS _samr_CreateDomainGroup(pipes_struct *p, can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); /******** BEGIN SeAddUsers BLOCK *********/ - + if ( can_add_accounts ) become_root(); - + /* check that we successfully create the UNIX group */ - + status = pdb_create_dom_group(p->mem_ctx, name, r->out.rid); if ( can_add_accounts ) unbecome_root(); - + /******** END SeAddUsers BLOCK *********/ - + /* check if we should bail out here */ - + if ( !NT_STATUS_IS_OK(status) ) return status; sid_compose(&info_sid, get_global_sam_sid(), *r->out.rid); - + if ((info = get_samr_info_by_sid(&info_sid)) == NULL) return NT_STATUS_NO_MEMORY; @@ -4499,14 +4499,14 @@ NTSTATUS _samr_CreateDomAlias(pipes_struct *p, DISP_INFO *disp_info = NULL; /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - + result = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_ALIAS, "_samr_CreateDomAlias"); if (!NT_STATUS_IS_OK(result)) { return result; } - + if (!sid_equal(&dom_sid, get_global_sam_sid())) return NT_STATUS_ACCESS_DENIED; @@ -4521,7 +4521,7 @@ NTSTATUS _samr_CreateDomAlias(pipes_struct *p, } /******** BEGIN SeAddUsers BLOCK *********/ - + if ( can_add_accounts ) become_root(); @@ -4530,7 +4530,7 @@ NTSTATUS _samr_CreateDomAlias(pipes_struct *p, if ( can_add_accounts ) unbecome_root(); - + /******** END SeAddUsers BLOCK *********/ if (!NT_STATUS_IS_OK(result)) { 
@@ -4585,13 +4585,13 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM uint32 acc_granted; bool ret; - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_LOOKUP_INFO, "_samr_query_groupinfo"))) { return r_u->status; } - + become_root(); ret = get_domain_group_from_sid(group_sid, &map); unbecome_root(); @@ -4613,7 +4613,7 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM r_u->status = pdb_enum_group_members( p->mem_ctx, &group_sid, &members, &num_members); unbecome_root(); - + if (!NT_STATUS_IS_OK(r_u->status)) { return r_u->status; } @@ -4647,7 +4647,7 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM r_u->status = pdb_enum_group_members( p->mem_ctx, &group_sid, &members, &num_members); unbecome_root(); - + if (!NT_STATUS_IS_OK(r_u->status)) { return r_u->status; } @@ -4667,7 +4667,7 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM /********************************************************************* _samr_set_groupinfo - + update a domain group's comment. *********************************************************************/ @@ -4684,7 +4684,7 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_SET_INFO, "_samr_set_groupinfo"))) { return r_u->status; } @@ -4694,7 +4694,7 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ unbecome_root(); if (!result) return NT_STATUS_NO_SUCH_GROUP; - + ctr=q_u->ctr; switch (ctr->switch_value1) { 
@@ -4714,7 +4714,7 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ if ( can_mod_accounts ) become_root(); - + ret = pdb_update_group_mapping_entry(&map); if ( can_mod_accounts ) @@ -4731,7 +4731,7 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ /********************************************************************* _samr_set_aliasinfo - + update an alias's comment. *********************************************************************/ @@ -4747,11 +4747,11 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_SET_INFO, "_samr_set_aliasinfo"))) { return r_u->status; } - + ctr=&q_u->ctr; /* get the current group information */ @@ -4769,7 +4769,7 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ fstring group_name, acct_name; /* We currently do not support renaming groups in the - the BUILTIN domain. Refer to util_builtin.c to understand + the BUILTIN domain. Refer to util_builtin.c to understand why. The eventually needs to be fixed to be like Windows where you can rename builtin groups, just not delete them */ @@ -4779,10 +4779,10 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ /* There has to be a valid name (and it has to be different) */ - if ( !ctr->alias.info2.name.string ) + if ( !ctr->alias.info2.name.string ) return NT_STATUS_INVALID_PARAMETER; - unistr2_to_ascii( acct_name, ctr->alias.info2.name.string, + unistr2_to_ascii( acct_name, ctr->alias.info2.name.string, sizeof(acct_name)); /* If the name is the same just reply "ok". Yes this 
@@ -4793,19 +4793,19 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ fstrcpy( info.acct_name, acct_name ); - /* make sure the name doesn't already exist as a user + /* make sure the name doesn't already exist as a user or local group */ fstr_sprintf( group_name, "%s\\%s", global_myname(), info.acct_name ); status = can_create( p->mem_ctx, group_name ); - if ( !NT_STATUS_IS_OK( status ) ) + if ( !NT_STATUS_IS_OK( status ) ) return status; break; } case 3: if ( ctr->alias.info3.description.string ) { - unistr2_to_ascii( info.acct_desc, - ctr->alias.info3.description.string, + unistr2_to_ascii( info.acct_desc, + ctr->alias.info3.description.string, sizeof(info.acct_desc)); } else @@ -4878,30 +4878,30 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p, bool ret; SE_PRIV se_rights; - if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - - status = access_check_samr_function(acc_granted, + + status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_OpenGroup"); - + if ( !NT_STATUS_IS_OK(status) ) return status; - + /*check if access can be granted as requested by client. */ make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0); se_map_generic(&des_access,&grp_generic_mapping); se_priv_copy( &se_rights, &se_add_users ); - status = access_check_samr_object(psd, p->pipe_user.nt_user_token, - &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access, + status = access_check_samr_object(psd, p->pipe_user.nt_user_token, + &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access, &acc_granted, "_samr_OpenGroup"); - - if ( !NT_STATUS_IS_OK(status) ) + + if ( !NT_STATUS_IS_OK(status) ) return status; /* this should not be hard-coded like this */ - + if (!sid_equal(&sid, get_global_sam_sid())) return NT_STATUS_ACCESS_DENIED; 
@@ -4911,7 +4911,7 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p, if ((info = get_samr_info_by_sid(&info_sid)) == NULL) return NT_STATUS_NO_MEMORY; - + info->acc_granted = acc_granted; DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n", sid_string)); @@ -4934,8 +4934,8 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p, _samr_remove_sid_foreign_domain *********************************************************************/ -NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, - SAMR_Q_REMOVE_SID_FOREIGN_DOMAIN *q_u, +NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, + SAMR_Q_REMOVE_SID_FOREIGN_DOMAIN *q_u, SAMR_R_REMOVE_SID_FOREIGN_DOMAIN *r_u) { DOM_SID delete_sid, domain_sid; @@ -4951,19 +4951,19 @@ NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, /* Find the policy handle. Open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &domain_sid, - &acc_granted, &disp_info)) + &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - - result = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, + + result = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_remove_sid_foreign_domain"); - - if (!NT_STATUS_IS_OK(result)) + + if (!NT_STATUS_IS_OK(result)) return result; - + DEBUG(8, ("_samr_remove_sid_foreign_domain:sid is %s\n", sid_string_dbg(&domain_sid))); - /* we can only delete a user from a group since we don't have + /* we can only delete a user from a group since we don't have nested groups anyways. So in the latter case, just say OK */ /* TODO: The above comment nowadays is bogus. Since we have nested 
@@ -5045,7 +5045,7 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R case 0x01: u_expire=nt_time_to_unix_abs(&q_u->ctr->info.inf1.expire); u_min_age=nt_time_to_unix_abs(&q_u->ctr->info.inf1.min_passwordage); - + pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password); pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history); pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.password_properties); @@ -5070,7 +5070,7 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R u_lock_duration /= 60; u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count)/60; - + pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration); pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time); pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout); -- cgit From ca772c8b18db3bbe0ef6ff9be0c29d3ac732fbe7 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 5 Feb 2008 11:16:58 +0100 Subject: Use pidl for _samr_RemoveMemberFromForeignDomain(). Guenther (This used to be commit ab344dea9689ffc191110de0eca0d43b7221f7ee) --- source3/rpc_server/srv_samr_nt.c | 29 +++++++++-------------------- 1 file changed, 9 insertions(+), 20 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 586d2225e2..e321d75626 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -4931,36 +4931,35 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p, } /********************************************************************* - _samr_remove_sid_foreign_domain + _samr_RemoveMemberFromForeignDomain *********************************************************************/ -NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, - SAMR_Q_REMOVE_SID_FOREIGN_DOMAIN *q_u, - SAMR_R_REMOVE_SID_FOREIGN_DOMAIN *r_u) +NTSTATUS _samr_RemoveMemberFromForeignDomain(pipes_struct *p, + struct samr_RemoveMemberFromForeignDomain *r) { DOM_SID delete_sid, domain_sid; uint32 acc_granted; NTSTATUS result; DISP_INFO *disp_info = NULL; - sid_copy( &delete_sid, &q_u->sid.sid ); + sid_copy( &delete_sid, r->in.sid ); - DEBUG(5,("_samr_remove_sid_foreign_domain: removing SID [%s]\n", + DEBUG(5,("_samr_RemoveMemberFromForeignDomain: removing SID [%s]\n", sid_string_dbg(&delete_sid))); /* Find the policy handle. Open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &domain_sid, + if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &domain_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; result = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, - "_samr_remove_sid_foreign_domain"); + "_samr_RemoveMemberFromForeignDomain"); if (!NT_STATUS_IS_OK(result)) return result; - DEBUG(8, ("_samr_remove_sid_foreign_domain:sid is %s\n", + DEBUG(8, ("_samr_RemoveMemberFromForeignDomain: sid is %s\n", sid_string_dbg(&domain_sid))); /* we can only delete a user from a group since we don't have @@ -4978,7 +4977,7 @@ NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p, * other cases. */ if (!sid_check_is_builtin(&domain_sid)) { - DEBUG(1,("_samr_remove_sid_foreign_domain: domain_sid = %s, " + DEBUG(1,("_samr_RemoveMemberFromForeignDomain: domain_sid = %s, " "global_sam_sid() = %s\n", sid_string_dbg(&domain_sid), sid_string_dbg(get_global_sam_sid()))); 
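Review bot: `sid_copy( &delete_sid, r->in.sid );` at the top of `_samr_RemoveMemberFromForeignDomain` now reads through a pointer taken from the request, where the old code took the address of the embedded `q_u->sid.sid`. Whether that pointer can be NULL depends on how the IDL declares the argument, which this diff does not show. If it is not a ref pointer, add `if (r->in.sid == NULL) return NT_STATUS_INVALID_PARAMETER;` before the copy. The copy and the `DEBUG(5, ...)` line also run before `get_lsa_policy_samr_sid()` and the `STD_RIGHT_DELETE_ACCESS` check, so moving both below the check would keep request data from being touched or logged for callers that are then refused. The function body continues past the end of these hunks.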
@@ -5319,16 +5318,6 @@ NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_RemoveMemberFromForeignDomain(pipes_struct *p, - struct samr_RemoveMemberFromForeignDomain *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p, struct samr_QueryDomainInfo2 *r) { -- cgit From 4a8010012a59b1771665290d53e4c966a231507b Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 5 Feb 2008 13:38:48 +0100 Subject: Fix _samr_Connect5(). Yes we do pretend to be > w2k all the time :) Guenther (This used to be commit a407feb65301408f91a346ca9c01c511f95556c9) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e321d75626..ff50f5d225 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2837,7 +2837,7 @@ NTSTATUS _samr_Connect5(pipes_struct *p, DEBUG(5,("_samr_Connect5: %d\n", __LINE__)); - info1.unknown1 = 3; + info1.client_version = SAMR_CONNECT_AFTER_W2K; info1.unknown2 = 0; *r->out.level_out = 1; -- cgit From 3028c76fb57352148b7bd8f1f9dd3c34cf1f7c06 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 5 Feb 2008 15:03:54 +0100 Subject: Use pidl for _samr_QueryDomainInfo() and _samr_QueryDomainInfo2(). Guenther (This used to be commit 1ac767b0d8b42d2f804b0a7e93e5e859f9c25aae) --- source3/rpc_server/srv_samr_nt.c | 144 ++++++++++++++++++++------------------- 1 file changed, 74 insertions(+), 70 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index ff50f5d225..16b706453f 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2276,15 +2276,18 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S } /******************************************************************* - _samr_query_domain_info + samr_QueryDomainInfo_internal ********************************************************************/ -NTSTATUS _samr_query_domain_info(pipes_struct *p, - SAMR_Q_QUERY_DOMAIN_INFO *q_u, - SAMR_R_QUERY_DOMAIN_INFO *r_u) +static NTSTATUS samr_QueryDomainInfo_internal(const char *fn_name, + pipes_struct *p, + struct policy_handle *handle, + uint32_t level, + union samr_DomainInfo **dom_info_ptr) { + NTSTATUS status = NT_STATUS_OK; struct samr_info *info = NULL; - SAM_UNK_CTR *ctr; + union samr_DomainInfo *dom_info; uint32 min_pass_len,pass_hist,password_properties; time_t u_expire, u_min_age; NTTIME nt_expire, nt_min_age; @@ -2302,22 +2305,21 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, uint32 num_users=0, num_groups=0, num_aliases=0; - if ((ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_CTR)) == NULL) { + DEBUG(5,("%s: %d\n", fn_name, __LINE__)); + + dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo); + if (!dom_info) { return NT_STATUS_NO_MEMORY; } - ZERO_STRUCTP(ctr); - - r_u->status = NT_STATUS_OK; - - DEBUG(5,("_samr_query_domain_info: %d\n", __LINE__)); + *dom_info_ptr = dom_info; /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)(void *)&info)) { + if (!find_policy_by_hnd(p, handle, (void **)(void *)&info)) { return NT_STATUS_INVALID_HANDLE; } - switch (q_u->switch_value) { + switch (level) { case 0x01: become_root(); 
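Review bot: In `samr_QueryDomainInfo_internal` the handle is only validated with `find_policy_by_hnd` before control reaches `switch (level)`, and the first case shown already calls `become_root()`. Nothing in these lines compares the access mask granted on the domain handle with the information level being read, so any handle that resolves can read password and lockout policy. Other handlers on this page gate on `access_check_samr_function(acc_granted, ..., "<function name>")`, and the same call with the right that matches each level belongs directly after the lookup, using the mask stored in `info`. The function body continues past this hunk, so a check further down cannot be ruled out from here.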
@@ -2346,8 +2348,12 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, unix_to_nt_time_abs(&nt_expire, u_expire); unix_to_nt_time_abs(&nt_min_age, u_min_age); - init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist, - password_properties, nt_expire, nt_min_age); + init_samr_DomInfo1(&dom_info->info1, + (uint16)min_pass_len, + (uint16)pass_hist, + password_properties, + nt_expire, + nt_min_age); break; case 0x02: @@ -2375,8 +2381,18 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, if (lp_server_role() == ROLE_DOMAIN_BDC) server_role = ROLE_DOMAIN_BDC; - init_unk_info2(&ctr->info.inf2, lp_serverstring(), lp_workgroup(), global_myname(), seq_num, - num_users, num_groups, num_aliases, nt_logout, server_role); + init_samr_DomInfo2(&dom_info->info2, + nt_logout, + lp_serverstring(), + lp_workgroup(), + global_myname(), + seq_num, + 1, + server_role, + 1, + num_users, + num_groups, + num_aliases); break; case 0x03: @@ -2396,26 +2412,32 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, unix_to_nt_time_abs(&nt_logout, u_logout); - init_unk_info3(&ctr->info.inf3, nt_logout); + init_samr_DomInfo3(&dom_info->info3, + nt_logout); + break; case 0x04: - init_unk_info4(&ctr->info.inf4, lp_serverstring()); + init_samr_DomInfo4(&dom_info->info4, + lp_serverstring()); break; case 0x05: - init_unk_info5(&ctr->info.inf5, get_global_sam_name()); + init_samr_DomInfo5(&dom_info->info5, + get_global_sam_name()); break; case 0x06: /* NT returns its own name when a PDC. win2k and later * only the name of the PDC if itself is a BDC (samba4 * idl) */ - init_unk_info6(&ctr->info.inf6, global_myname()); + init_samr_DomInfo6(&dom_info->info6, + global_myname()); break; case 0x07: server_role = ROLE_DOMAIN_PDC; if (lp_server_role() == ROLE_DOMAIN_BDC) server_role = ROLE_DOMAIN_BDC; - init_unk_info7(&ctr->info.inf7, server_role); + init_samr_DomInfo7(&dom_info->info7, + server_role); break; case 0x08: 
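Review bot: The two bare `1` arguments in the new `init_samr_DomInfo2` call (after `seq_num` and after `server_role`) have no name or comment, so a reader cannot tell which wire fields they fill or why the value is 1. A trailing comment on each line that names the parameter, or a named constant, would make the reply layout reviewable. If the fields are still not understood, say so in a comment such as `/* unknown field, value observed from Windows - TODO confirm */`. The same call is otherwise only a reordering of the old arguments.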
@@ -2431,7 +2453,9 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, unbecome_root(); - init_unk_info8(&ctr->info.inf8, (uint32) seq_num); + init_samr_DomInfo8(&dom_info->info8, + seq_num, + 0); break; case 0x0c: @@ -2458,18 +2482,32 @@ NTSTATUS _samr_query_domain_info(pipes_struct *p, unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration); unix_to_nt_time_abs(&nt_reset_time, u_reset_time); - init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout); + init_samr_DomInfo12(&dom_info->info12, + nt_lock_duration, + nt_reset_time, + (uint16)lockout); break; default: return NT_STATUS_INVALID_INFO_CLASS; - } + } + DEBUG(5,("%s: %d\n", fn_name, __LINE__)); - init_samr_r_query_domain_info(r_u, q_u->switch_value, ctr, NT_STATUS_OK); + return status; +} - DEBUG(5,("_samr_query_domain_info: %d\n", __LINE__)); +/******************************************************************* + _samr_QueryDomainInfo + ********************************************************************/ - return r_u->status; +NTSTATUS _samr_QueryDomainInfo(pipes_struct *p, + struct samr_QueryDomainInfo *r) +{ + return samr_QueryDomainInfo_internal("_samr_QueryDomainInfo", + p, + r->in.domain_handle, + r->in.level, + r->out.info); } /* W2k3 seems to use the same check for all 3 objects that can be created via 
@@ -4993,31 +5031,17 @@ NTSTATUS _samr_RemoveMemberFromForeignDomain(pipes_struct *p, } /******************************************************************* - _samr_query_domain_info2 + _samr_QueryDomainInfo2 ********************************************************************/ -NTSTATUS _samr_query_domain_info2(pipes_struct *p, - SAMR_Q_QUERY_DOMAIN_INFO2 *q_u, - SAMR_R_QUERY_DOMAIN_INFO2 *r_u) +NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p, + struct samr_QueryDomainInfo2 *r) { - SAMR_Q_QUERY_DOMAIN_INFO q; - SAMR_R_QUERY_DOMAIN_INFO r; - - ZERO_STRUCT(q); - ZERO_STRUCT(r); - - DEBUG(5,("_samr_query_domain_info2: %d\n", __LINE__)); - - q.domain_pol = q_u->domain_pol; - q.switch_value = q_u->switch_value; - - r_u->status = _samr_query_domain_info(p, &q, &r); - - r_u->ptr_0 = r.ptr_0; - r_u->switch_value = r.switch_value; - r_u->ctr = r.ctr; - - return r_u->status; + return samr_QueryDomainInfo_internal("_samr_QueryDomainInfo2", + p, + r->in.domain_handle, + r->in.level, + r->out.info); } /******************************************************************* @@ -5108,16 +5132,6 @@ NTSTATUS _samr_EnumDomains(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_QueryDomainInfo(pipes_struct *p, - struct samr_QueryDomainInfo *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_SetDomainInfo(pipes_struct *p, struct samr_SetDomainInfo *r) { 
@@ -5318,16 +5332,6 @@ NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p, - struct samr_QueryDomainInfo2 *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_QueryUserInfo2(pipes_struct *p, struct samr_QueryUserInfo2 *r) { -- cgit From 3dbbb4a6a04652a1d1dd4d76af58f6c7852d7c44 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 5 Feb 2008 15:08:31 +0100 Subject: Use pidl for _samr_SetDomainInfo(). Guenther (This used to be commit 370973c101a59546bb50dcc82ae4419da2119279) --- source3/rpc_server/srv_samr_nt.c | 50 +++++++++++++++------------------------- 1 file changed, 18 insertions(+), 32 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 16b706453f..652f66cf61 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -5045,40 +5045,38 @@ NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p, } /******************************************************************* - _samr_set_dom_info + _samr_SetDomainInfo ********************************************************************/ -NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R_SET_DOMAIN_INFO *r_u) +NTSTATUS _samr_SetDomainInfo(pipes_struct *p, + struct samr_SetDomainInfo *r) { time_t u_expire, u_min_age; time_t u_logout; time_t u_lock_duration, u_reset_time; - r_u->status = NT_STATUS_OK; - - DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__)); + DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL)) + if (!find_policy_by_hnd(p, r->in.domain_handle, NULL)) return NT_STATUS_INVALID_HANDLE; - DEBUG(5,("_samr_set_dom_info: switch_value: %d\n", q_u->switch_value)); + DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level)); - switch (q_u->switch_value) { + switch (r->in.level) { case 0x01: - u_expire=nt_time_to_unix_abs(&q_u->ctr->info.inf1.expire); - u_min_age=nt_time_to_unix_abs(&q_u->ctr->info.inf1.min_passwordage); - - pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password); - pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history); - pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.password_properties); + u_expire=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.max_password_age); + u_min_age=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.min_password_age); + pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)r->in.info->info1.min_password_length); + pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)r->in.info->info1.password_history_length); + pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)r->in.info->info1.password_properties); pdb_set_account_policy(AP_MAX_PASSWORD_AGE, 
(int)u_expire); pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age); break; case 0x02: break; case 0x03: - u_logout=nt_time_to_unix_abs(&q_u->ctr->info.inf3.logout); + u_logout=nt_time_to_unix_abs((NTTIME *)&r->in.info->info3.force_logoff_time); pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout); break; case 0x05: @@ -5088,25 +5086,23 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R case 0x07: break; case 0x0c: - u_lock_duration=nt_time_to_unix_abs(&q_u->ctr->info.inf12.duration); + u_lock_duration=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_duration); if (u_lock_duration != -1) u_lock_duration /= 60; - u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count)/60; + u_reset_time=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_window)/60; pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration); pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time); - pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout); + pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)r->in.info->info12.lockout_threshold); break; default: return NT_STATUS_INVALID_INFO_CLASS; } - init_samr_r_set_domain_info(r_u, NT_STATUS_OK); - - DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__)); + DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__)); - return r_u->status; + return NT_STATUS_OK; } /**************************************************************** 
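Review bot: `find_policy_by_hnd(p, r->in.domain_handle, NULL)` is the only gate in `_samr_SetDomainInfo` before the `pdb_set_account_policy` calls, so as shown the minimum password length, history, logout time and lockout settings can be rewritten through any handle that resolves. The granted access on the handle is never compared with a set-info right. Passing NULL as the third argument also discards the per-handle data that holds the granted mask; fetch it and call `access_check_samr_function` before the `switch`, as `_samr_SetAliasInfo` and `_samr_SetGroupInfo` do on this page. The results of `pdb_set_account_policy` are also ignored in both hunks, so a failed policy write still ends in `return NT_STATUS_OK;`. A few lines between the two hunks are not shown.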
@@ -5132,16 +5128,6 @@ NTSTATUS _samr_EnumDomains(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_SetDomainInfo(pipes_struct *p, - struct samr_SetDomainInfo *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_EnumDomainGroups(pipes_struct *p, struct samr_EnumDomainGroups *r) { -- cgit From 1b35cc2e08e3e4fc4e29dc333387db9945cabba8 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 5 Feb 2008 18:44:30 +0100 Subject: Use pidl for _samr_ChangePasswordUser3(). Guenther (This used to be commit 07c28f308624207c0c8a75d2f1783aa1d1aae05a) --- source3/rpc_server/srv_samr_nt.c | 76 ++++++++++++++++++++++------------------ 1 file changed, 41 insertions(+), 35 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 652f66cf61..bb957c632f 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1562,23 +1562,27 @@ NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p, } /******************************************************************* - _samr_chgpasswd_user3 + _samr_ChangePasswordUser3 ********************************************************************/ -NTSTATUS _samr_chgpasswd_user3(pipes_struct *p, SAMR_Q_CHGPASSWD_USER3 *q_u, SAMR_R_CHGPASSWD_USER3 *r_u) +NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p, + struct samr_ChangePasswordUser3 *r) { + NTSTATUS status; fstring user_name; - fstring wks; + const char *wks = NULL; uint32 reject_reason; - SAM_UNK_INFO_1 *info = NULL; - SAMR_CHANGE_REJECT *reject = NULL; + struct samr_DomInfo1 *dominfo = NULL; + struct samr_ChangeReject *reject = NULL; - DEBUG(5,("_samr_chgpasswd_user3: %d\n", __LINE__)); + DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__)); - rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0); - rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len*2,0); + fstrcpy(user_name, r->in.account->string); + if (r->in.server && r->in.server->string) { + wks = r->in.server->string; + } - DEBUG(5,("_samr_chgpasswd_user3: user: %s wks: %s\n", user_name, wks)); + DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name, wks)); /* * Pass the user through the NT -> unix user mapping 
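Review bot: `wks` is initialised to NULL and only set when `r->in.server && r->in.server->string`, yet the next `DEBUG(5, ...)` passes it to `%s` unconditionally. That is undefined behaviour whenever the client sends no server name and the message is formatted. Passing `wks ? wks : "(null)"` as the argument keeps the log line safe. Separately, `fstrcpy(user_name, r->in.account->string)` copies a client-supplied name into a fixed-size `fstring`, and the mapping that follows presumably runs on a silently shortened name when the input is longer; rejecting over-long names would be clearer. The function continues outside this hunk.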
@@ -1592,28 +1596,31 @@ NTSTATUS _samr_chgpasswd_user3(pipes_struct *p, SAMR_Q_CHGPASSWD_USER3 *q_u, SAM * is case insensitive. */ - r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash, - q_u->nt_newpass.pass, q_u->nt_oldhash.hash, &reject_reason); + status = pass_oem_change(user_name, + r->in.lm_password->data, + r->in.lm_verifier->hash, + r->in.nt_password->data, + r->in.nt_verifier->hash, + &reject_reason); - if (NT_STATUS_EQUAL(r_u->status, NT_STATUS_PASSWORD_RESTRICTION) || - NT_STATUS_EQUAL(r_u->status, NT_STATUS_ACCOUNT_RESTRICTION)) { + if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) || + NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_RESTRICTION)) { uint32 min_pass_len,pass_hist,password_properties; time_t u_expire, u_min_age; NTTIME nt_expire, nt_min_age; uint32 account_policy_temp; - if ((info = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_INFO_1)) == NULL) { + dominfo = TALLOC_ZERO_P(p->mem_ctx, struct samr_DomInfo1); + if (!dominfo) { return NT_STATUS_NO_MEMORY; } - if ((reject = TALLOC_ZERO_P(p->mem_ctx, SAMR_CHANGE_REJECT)) == NULL) { + reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject); + if (!reject) { return NT_STATUS_NO_MEMORY; } - ZERO_STRUCTP(info); - ZERO_STRUCTP(reject); - become_root(); /* AS ROOT !!! */ 
@@ -1640,17 +1647,26 @@ NTSTATUS _samr_chgpasswd_user3(pipes_struct *p, SAMR_Q_CHGPASSWD_USER3 *q_u, SAM unix_to_nt_time_abs(&nt_expire, u_expire); unix_to_nt_time_abs(&nt_min_age, u_min_age); - init_unk_info1(info, (uint16)min_pass_len, (uint16)pass_hist, - password_properties, nt_expire, nt_min_age); + if (lp_check_password_script() && *lp_check_password_script()) { + password_properties |= DOMAIN_PASSWORD_COMPLEX; + } - reject->reject_reason = reject_reason; - } + init_samr_DomInfo1(dominfo, + min_pass_len, + pass_hist, + password_properties, + u_expire, + u_min_age); - init_samr_r_chgpasswd_user3(r_u, r_u->status, reject, info); + reject->reason = reject_reason; - DEBUG(5,("_samr_chgpasswd_user3: %d\n", __LINE__)); + *r->out.dominfo = dominfo; + *r->out.reject = reject; + } - return r_u->status; + DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__)); + + return status; } /******************************************************************* @@ -5428,16 +5444,6 @@ NTSTATUS _samr_Connect3(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p, - struct samr_ChangePasswordUser3 *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_RidToSid(pipes_struct *p, struct samr_RidToSid *r) { -- cgit From c56cb9d0dc84264e0d887d01afb0c28320d70454 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 6 Feb 2008 12:53:43 +0100 Subject: Use pidl for _samr_SetAliasInfo(). Guenther (This used to be commit f483797c688ee1a5c5f7e183cdf7c1b700b7db31) --- source3/rpc_server/srv_samr_nt.c | 57 +++++++++++++++------------------------- 1 file changed, 21 insertions(+), 36 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
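Review bot: The new `init_samr_DomInfo1` call passes `u_expire` and `u_min_age`, the Unix-time values, although the two context lines just above convert them into `nt_expire` and `nt_min_age` and the removed `init_unk_info1` call used those. The `samr_QueryDomainInfo_internal` change on this page passes `nt_expire, nt_min_age` to the same initialiser, so this call most likely reports wrong password-age limits to the client in the rejection reply and leaves the converted values unused. The last two arguments should read `nt_expire,` and `nt_min_age);`. The dropped `(uint16)` casts on `min_pass_len` and `pass_hist` also deserve a check against the initialiser's parameter types.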
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index bb957c632f..a06977eed7 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4784,30 +4784,29 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ } /********************************************************************* - _samr_set_aliasinfo - - update an alias's comment. + _samr_SetAliasInfo *********************************************************************/ -NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_SET_ALIASINFO *r_u) +NTSTATUS _samr_SetAliasInfo(pipes_struct *p, + struct samr_SetAliasInfo *r) { DOM_SID group_sid; struct acct_info info; - ALIAS_INFO_CTR *ctr; uint32 acc_granted; bool can_mod_accounts; NTSTATUS status; DISP_INFO *disp_info = NULL; - if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_SET_INFO, "_samr_set_aliasinfo"))) { - return r_u->status; + status = access_check_samr_function(acc_granted, + SA_RIGHT_ALIAS_SET_INFO, + "_samr_SetAliasInfo"); + if (!NT_STATUS_IS_OK(status)) { + return status; } - ctr=&q_u->ctr; - /* get the current group information */ become_root(); @@ -4817,10 +4816,10 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ if ( !NT_STATUS_IS_OK(status)) return status; - switch (ctr->level) { - case 2: + switch (r->in.level) { + case ALIASINFONAME: { - fstring group_name, acct_name; + fstring group_name; /* We currently do not support renaming groups in the the BUILTIN domain. Refer to util_builtin.c to understand 
@@ -4833,19 +4832,16 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ /* There has to be a valid name (and it has to be different) */ - if ( !ctr->alias.info2.name.string ) + if ( !r->in.info->name.string ) return NT_STATUS_INVALID_PARAMETER; - unistr2_to_ascii( acct_name, ctr->alias.info2.name.string, - sizeof(acct_name)); - /* If the name is the same just reply "ok". Yes this doesn't allow you to change the case of a group name. */ - if ( strequal( acct_name, info.acct_name ) ) + if ( strequal( r->in.info->name.string, info.acct_name ) ) return NT_STATUS_OK; - fstrcpy( info.acct_name, acct_name ); + fstrcpy( info.acct_name, r->in.info->name.string); /* make sure the name doesn't already exist as a user or local group */ @@ -4856,14 +4852,13 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ return status; break; } - case 3: - if ( ctr->alias.info3.description.string ) { - unistr2_to_ascii( info.acct_desc, - ctr->alias.info3.description.string, - sizeof(info.acct_desc)); - } - else + case ALIASINFODESCRIPTION: + if (r->in.info->description.string) { + fstrcpy(info.acct_desc, + r->in.info->description.string); + } else { fstrcpy( info.acct_desc, "" ); + } break; default: return NT_STATUS_INVALID_INFO_CLASS; @@ -5244,16 +5239,6 @@ NTSTATUS _samr_QueryAliasInfo(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_SetAliasInfo(pipes_struct *p, - struct samr_SetAliasInfo *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_QueryUserInfo(pipes_struct *p, struct samr_QueryUserInfo *r) { -- cgit From cdb5f49849270b2e1f687fd5cfcbc1461dfd2672 Mon Sep 17 00:00:00 2001 
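Review bot: In the `ALIASINFONAME` branch the test `if ( !r->in.info->name.string )` rejects only a null pointer, so an empty name passes and is copied by `fstrcpy( info.acct_name, r->in.info->name.string)`. The destination appears to be a fixed-size buffer (the `_samr_QueryAliasInfo` change notes that `info` contains fstrings), so a longer client-supplied name would be shortened silently and the existence check that follows would run on the shortened text. Consider `if (!r->in.info->name.string || !*r->in.info->name.string) return NT_STATUS_INVALID_PARAMETER;` plus an explicit length check before the copy. Whether later code rejects these cases is outside the hunk.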
From: Günther Deschner Date: Wed, 6 Feb 2008 12:57:59 +0100 Subject: Use pidl for _samr_SetGroupInfo(). Guenther (This used to be commit a576d9e80dffb15e29c3bf4da225bbe34f77053c) --- source3/rpc_server/srv_samr_nt.c | 49 ++++++++++++++++------------------------ 1 file changed, 19 insertions(+), 30 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index a06977eed7..092624d29e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -4720,43 +4720,42 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM } /********************************************************************* - _samr_set_groupinfo - - update a domain group's comment. + _samr_SetGroupInfo *********************************************************************/ -NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SET_GROUPINFO *r_u) +NTSTATUS _samr_SetGroupInfo(pipes_struct *p, + struct samr_SetGroupInfo *r) { DOM_SID group_sid; GROUP_MAP map; - GROUP_INFO_CTR *ctr; uint32 acc_granted; - NTSTATUS ret; - bool result; + NTSTATUS status; + bool ret; bool can_mod_accounts; DISP_INFO *disp_info = NULL; - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_SET_INFO, "_samr_set_groupinfo"))) { - return r_u->status; + status = access_check_samr_function(acc_granted, + SA_RIGHT_GROUP_SET_INFO, + "_samr_SetGroupInfo"); + if (!NT_STATUS_IS_OK(status)) { + return status; } become_root(); - result = get_domain_group_from_sid(group_sid, &map); + ret = get_domain_group_from_sid(group_sid, &map); unbecome_root(); - if (!result) + if (!ret) return NT_STATUS_NO_SUCH_GROUP; - ctr=q_u->ctr; - - switch (ctr->switch_value1) { + switch (r->in.level) { case 1: - unistr2_to_ascii(map.comment, &(ctr->group.info1.uni_acct_desc), sizeof(map.comment)); + fstrcpy(map.comment, r->in.info->all.description.string); break; case 4: - unistr2_to_ascii(map.comment, &(ctr->group.info4.uni_acct_desc), sizeof(map.comment)); + fstrcpy(map.comment, r->in.info->description.string); break; default: return NT_STATUS_INVALID_INFO_CLASS; 
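Review bot: Both `fstrcpy(map.comment, ...)` lines in the new `switch (r->in.level)` copy the client's description pointer without testing it, while `_samr_SetAliasInfo` on this page checks `r->in.info->description.string` and falls back to `""`. Unless `fstrcpy` is documented to accept a null source (not visible here), the two handlers should agree, for example `fstrcpy(map.comment, r->in.info->description.string ? r->in.info->description.string : "");`. Level 1 also takes only `all.description` and drops the other members of `all` without a comment; the header comment that said the call updates a group's comment was removed, so a one-line comment on `case 1:` stating that only the description is applied would restore that information.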
@@ -4769,18 +4768,18 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ if ( can_mod_accounts ) become_root(); - ret = pdb_update_group_mapping_entry(&map); + status = pdb_update_group_mapping_entry(&map); if ( can_mod_accounts ) unbecome_root(); /******** End SeAddUsers BLOCK *********/ - if (NT_STATUS_IS_OK(ret)) { + if (NT_STATUS_IS_OK(status)) { force_flush_samr_cache(disp_info); } - return ret; + return status; } /********************************************************************* @@ -5209,16 +5208,6 @@ NTSTATUS _samr_QueryGroupInfo(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_SetGroupInfo(pipes_struct *p, - struct samr_SetGroupInfo *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p, struct samr_SetMemberAttributesOfGroup *r) { -- cgit From f7ad51084c87e5063e231c9bf024a354349d6a21 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 7 Feb 2008 13:14:40 +0100 Subject: Use pidl for _samr_QueryAliasInfo(). Guenther (This used to be commit 62dacea87ad2323870e5356a348d1d192b3fa888) --- source3/rpc_server/srv_samr_nt.c | 63 ++++++++++++++++++++++------------------ 1 file changed, 34 insertions(+), 29 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 092624d29e..836ff3574f 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1341,25 +1341,36 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, } /******************************************************************* - samr_reply_query_aliasinfo + _samr_QueryAliasInfo ********************************************************************/ -NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_R_QUERY_ALIASINFO *r_u) +NTSTATUS _samr_QueryAliasInfo(pipes_struct *p, + struct samr_QueryAliasInfo *r) { DOM_SID sid; struct acct_info info; uint32 acc_granted; NTSTATUS status; + union samr_AliasInfo *alias_info = NULL; + const char *alias_name = NULL; + const char *alias_description = NULL; - r_u->status = NT_STATUS_OK; + DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__)); - DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__)); + alias_info = TALLOC_ZERO_P(p->mem_ctx, union samr_AliasInfo); + if (!alias_info) { + return NT_STATUS_NO_MEMORY; + } /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_LOOKUP_INFO, "_samr_query_aliasinfo"))) { - return r_u->status; + + status = access_check_samr_function(acc_granted, + SA_RIGHT_ALIAS_LOOKUP_INFO, + "_samr_QueryAliasInfo"); + if (!NT_STATUS_IS_OK(status)) { + return status; } become_root(); 
@@ -1369,26 +1380,30 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM if ( !NT_STATUS_IS_OK(status)) return status; - if ( !(r_u->ctr = TALLOC_ZERO_P( p->mem_ctx, ALIAS_INFO_CTR )) ) - return NT_STATUS_NO_MEMORY; - + /* FIXME: info contains fstrings */ + alias_name = talloc_strdup(r, info.acct_name); + alias_description = talloc_strdup(r, info.acct_desc); - switch (q_u->level ) { - case 1: - r_u->ctr->level = 1; - init_samr_alias_info1(&r_u->ctr->alias.info1, info.acct_name, 1, info.acct_desc); + switch (r->in.level) { + case ALIASINFOALL: + init_samr_alias_info1(&alias_info->all, + alias_name, + 1, + alias_description); break; - case 3: - r_u->ctr->level = 3; - init_samr_alias_info3(&r_u->ctr->alias.info3, info.acct_desc); + case ALIASINFODESCRIPTION: + init_samr_alias_info3(&alias_info->description, + alias_description); break; default: return NT_STATUS_INVALID_INFO_CLASS; } - DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__)); + *r->out.info = alias_info; - return r_u->status; + DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__)); + + return NT_STATUS_OK; } #if 0 @@ -5218,16 +5233,6 @@ NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_QueryAliasInfo(pipes_struct *p, - struct samr_QueryAliasInfo *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_QueryUserInfo(pipes_struct *p, struct samr_QueryUserInfo *r) { -- cgit From 28124ad6670df42b5312d99838250191295f40d2 Mon Sep 17 00:00:00 2001 
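Review bot: The results of `talloc_strdup(r, info.acct_name)` and `talloc_strdup(r, info.acct_desc)` are used without a null check, so an allocation failure hands a null string to `init_samr_alias_info1` or `init_samr_alias_info3` and from there into the reply. Add `if (!alias_name || !alias_description) return NT_STATUS_NO_MEMORY;` right after the two calls. The `_samr_QueryGroupInfo` change further down has the same pattern with `group_name` and `group_description`. Both functions also allocate the strings on `r` but the info union on `p->mem_ctx`; using one context for everything that ends up in the reply would make the lifetime easier to reason about.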
From: Günther Deschner Date: Thu, 7 Feb 2008 13:58:53 +0100 Subject: Use pidl for _samr_QueryGroupInfo(). Guenther (This used to be commit e80852426972fbf9996561aabdde7ed7b2c78b39) --- source3/rpc_server/srv_samr_nt.c | 91 +++++++++++++++++++++------------------- 1 file changed, 48 insertions(+), 43 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 836ff3574f..5081565a5a 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -4640,25 +4640,32 @@ NTSTATUS _samr_CreateDomAlias(pipes_struct *p, } /********************************************************************* - _samr_query_groupinfo - -sends the name/comment pair of a domain group -level 1 send also the number of users of that group + _samr_QueryGroupInfo *********************************************************************/ -NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_R_QUERY_GROUPINFO *r_u) +NTSTATUS _samr_QueryGroupInfo(pipes_struct *p, + struct samr_QueryGroupInfo *r) { + NTSTATUS status; DOM_SID group_sid; GROUP_MAP map; - GROUP_INFO_CTR *ctr; + union samr_GroupInfo *info = NULL; uint32 acc_granted; bool ret; + uint32_t attributes = SE_GROUP_MANDATORY | + SE_GROUP_ENABLED_BY_DEFAULT | + SE_GROUP_ENABLED; + const char *group_name = NULL; + const char *group_description = NULL; - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_LOOKUP_INFO, "_samr_query_groupinfo"))) { - return r_u->status; + status = access_check_samr_function(acc_granted, + SA_RIGHT_GROUP_LOOKUP_INFO, + "_samr_QueryGroupInfo"); + if (!NT_STATUS_IS_OK(status)) { + return status; } become_root(); 
@@ -4667,41 +4674,47 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM if (!ret) return NT_STATUS_INVALID_HANDLE; - ctr=TALLOC_ZERO_P(p->mem_ctx, GROUP_INFO_CTR); - if (ctr==NULL) + /* FIXME: map contains fstrings */ + group_name = talloc_strdup(r, map.nt_name); + group_description = talloc_strdup(r, map.comment); + + info = TALLOC_ZERO_P(p->mem_ctx, union samr_GroupInfo); + if (!info) { return NT_STATUS_NO_MEMORY; + } - switch (q_u->switch_level) { + switch (r->in.level) { case 1: { uint32 *members; size_t num_members; - ctr->switch_value1 = 1; - become_root(); - r_u->status = pdb_enum_group_members( + status = pdb_enum_group_members( p->mem_ctx, &group_sid, &members, &num_members); unbecome_root(); - if (!NT_STATUS_IS_OK(r_u->status)) { - return r_u->status; + if (!NT_STATUS_IS_OK(status)) { + return status; } - init_samr_group_info1(&ctr->group.info1, map.nt_name, - map.comment, num_members); + init_samr_group_info1(&info->all, + group_name, + attributes, + num_members, + group_description); break; } case 2: - ctr->switch_value1 = 2; - init_samr_group_info2(&ctr->group.info2, map.nt_name); + init_samr_group_info2(&info->name, + group_name); break; case 3: - ctr->switch_value1 = 3; - init_samr_group_info3(&ctr->group.info3); + init_samr_group_info3(&info->attributes, + attributes); break; case 4: - ctr->switch_value1 = 4; - init_samr_group_info4(&ctr->group.info4, map.comment); + init_samr_group_info4(&info->description, + group_description); break; case 5: { /* 
@@ -4709,27 +4722,29 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM size_t num_members; */ - ctr->switch_value1 = 5; - /* become_root(); - r_u->status = pdb_enum_group_members( + status = pdb_enum_group_members( p->mem_ctx, &group_sid, &members, &num_members); unbecome_root(); - if (!NT_STATUS_IS_OK(r_u->status)) { - return r_u->status; + if (!NT_STATUS_IS_OK(status)) { + return status; } */ - init_samr_group_info5(&ctr->group.info5, map.nt_name, - map.comment, 0 /* num_members */); /* in w2k3 this is always 0 */ + init_samr_group_info5(&info->all2, + group_name, + attributes, + 0, /* num_members - in w2k3 this is always 0 */ + group_description); + break; } default: return NT_STATUS_INVALID_INFO_CLASS; } - init_samr_r_query_groupinfo(r_u, ctr, NT_STATUS_OK); + *r->out.info = info; return NT_STATUS_OK; } @@ -5213,16 +5228,6 @@ NTSTATUS _samr_LookupRids(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_QueryGroupInfo(pipes_struct *p, - struct samr_QueryGroupInfo *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p, struct samr_SetMemberAttributesOfGroup *r) { -- cgit From cce7e93d842833e7f44254d80de59cc35e8f2af7 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 6 Feb 2008 16:06:04 +0100 Subject: Use pidl for _samr_GetGroupsForUser(). Guenther (This used to be commit 3a3feb376116b4ebc5be7b149c187b49bc6b390d) --- source3/rpc_server/srv_samr_nt.c | 61 ++++++++++++++++++++-------------------- 1 file changed, 31 insertions(+), 30 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 5081565a5a..36860f9182 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2184,16 +2184,17 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ } /******************************************************************* - samr_reply_query_usergroups + _samr_GetGroupsForUser ********************************************************************/ -NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u) +NTSTATUS _samr_GetGroupsForUser(pipes_struct *p, + struct samr_GetGroupsForUser *r) { struct samu *sam_pass=NULL; DOM_SID sid; DOM_SID *sids; - DOM_GID dom_gid; - DOM_GID *gids = NULL; + struct samr_RidWithAttribute dom_gid; + struct samr_RidWithAttribute *gids = NULL; uint32 primary_group_rid; size_t num_groups = 0; gid_t *unix_gids; @@ -2203,6 +2204,8 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S NTSTATUS result; bool success = False; + struct samr_RidWithAttributeArray *rids = NULL; + /* * from the SID in the request: * we should send back the list of DOMAIN GROUPS 
@@ -2215,16 +2218,22 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S * JFM, 12/2/2001 */ - r_u->status = NT_STATUS_OK; + DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__)); - DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); + rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidWithAttributeArray); + if (!rids) { + return NT_STATUS_NO_MEMORY; + } /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_USER_GET_GROUPS, "_samr_query_usergroups"))) { - return r_u->status; + result = access_check_samr_function(acc_granted, + SA_RIGHT_USER_GET_GROUPS, + "_samr_GetGroupsForUser"); + if (!NT_STATUS_IS_OK(result)) { + return result; } if (!sid_check_is_in_our_domain(&sid)) 
@@ -2274,36 +2283,38 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S gids = NULL; num_gids = 0; - dom_gid.attr = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT| - SE_GROUP_ENABLED); - dom_gid.g_rid = primary_group_rid; - ADD_TO_ARRAY(p->mem_ctx, DOM_GID, dom_gid, &gids, &num_gids); + dom_gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT| + SE_GROUP_ENABLED); + dom_gid.rid = primary_group_rid; + ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids); for (i=0; imem_ctx, DOM_GID, dom_gid, &gids, &num_gids); + ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids); } - /* construct the response. lkclXXXX: gids are not copied! */ - init_samr_r_query_usergroups(r_u, num_gids, gids, r_u->status); + rids->count = num_gids; + rids->rids = gids; - DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__)); + *r->out.rids = rids; - return r_u->status; + DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__)); + + return result; } /******************************************************************* @@ -5268,16 +5279,6 @@ NTSTATUS _samr_ChangePasswordUser(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_GetGroupsForUser(pipes_struct *p, - struct samr_GetGroupsForUser *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p, struct samr_QueryDisplayInfo *r) { -- cgit From f27a5561aa95051ef4ccffd661601c242281e450 Mon Sep 17 00:00:00 2001 
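Review bot: After the `ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids)` calls, `gids` goes into `rids->rids` unchecked, so if the macro cannot grow the array the reply may carry an incomplete group list together with a success status. The macro's failure behaviour is not visible on this page and should be confirmed. Because the primary group is always appended first, `if (gids == NULL) return NT_STATUS_NO_MEMORY;` before `rids->count = num_gids;` would make the failure explicit. The function body extends beyond this hunk on both sides.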
From: Günther Deschner Date: Thu, 7 Feb 2008 17:57:20 +0100 Subject: Use pidl for _samr_QueryDisplayInfo(). Guenther (This used to be commit b6d1283121359091683ea4d5e834a7139d891930) --- source3/rpc_server/srv_samr_nt.c | 87 +++++++++++++++++----------------------- 1 file changed, 36 insertions(+), 51 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 36860f9182..f7af95a2bf 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1128,20 +1128,22 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S } /******************************************************************* - samr_reply_query_dispinfo + _samr_QueryDisplayInfo ********************************************************************/ -NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, - SAMR_R_QUERY_DISPINFO *r_u) +NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p, + struct samr_QueryDisplayInfo *r) { + NTSTATUS status; struct samr_info *info = NULL; uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */ - uint32 max_entries=q_u->max_entries; - uint32 enum_context=q_u->start_idx; - uint32 max_size=q_u->max_size; + uint32 max_entries = r->in.max_entries; + uint32 enum_context = r->in.start_idx; + uint32 max_size = r->in.buf_size; + + union samr_DispInfo *disp_info = r->out.info; - SAM_DISPINFO_CTR *ctr; uint32 temp_size=0, total_data_size=0; NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL; uint32 num_account = 0; 
@@ -1149,11 +1151,10 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K; struct samr_displayentry *entries = NULL; - DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__)); - r_u->status = NT_STATUS_UNSUCCESSFUL; + DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; /* @@ -1184,15 +1185,15 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, * JFM, 12/20/2001 */ - if ((q_u->switch_level < 1) || (q_u->switch_level > 5)) { - DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n", - (unsigned int)q_u->switch_level )); + if ((r->in.level < 1) || (r->in.level > 5)) { + DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n", + (unsigned int)r->in.level )); return NT_STATUS_INVALID_INFO_CLASS; } /* first limit the number of entries we will return */ if(max_entries > max_sam_entries) { - DEBUG(5, ("samr_reply_query_dispinfo: client requested %d " + DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d " "entries, limiting to %d\n", max_entries, max_sam_entries)); max_entries = max_sam_entries; 
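Review bot: Only `find_policy_by_hnd(p, r->in.domain_handle, ...)` guards this handler in the visible lines; no `access_check_samr_function` call on `info->acc_granted` appears before the enumeration runs under `become_root()`. The other converted handlers on this page (`_samr_QueryGroupInfo`, `_samr_GetGroupsForUser`, `_samr_LookupNames`) check the granted access immediately after resolving the handle. The lines between this hunk and the info-level check are not shown, so this needs confirming against the full function. If the check is indeed absent, one with the appropriate domain right and the `"_samr_QueryDisplayInfo"` label belongs directly after the handle lookup.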
@@ -1205,20 +1206,15 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, if (temp_size>max_size) { max_entries=MIN((max_size/struct_size),max_entries);; - DEBUG(5, ("samr_reply_query_dispinfo: buffer size limits to " + DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to " "only %d entries\n", max_entries)); } - if (!(ctr = TALLOC_ZERO_P(p->mem_ctx,SAM_DISPINFO_CTR))) - return NT_STATUS_NO_MEMORY; - - ZERO_STRUCTP(ctr); - become_root(); /* THe following done as ROOT. Don't return without unbecome_root(). */ - switch (q_u->switch_level) { + switch (r->in.level) { case 0x1: case 0x4: if (info->disp_info->users == NULL) { @@ -1227,10 +1223,10 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, unbecome_root(); return NT_STATUS_ACCESS_DENIED; } - DEBUG(10,("samr_reply_query_dispinfo: starting user enumeration at index %u\n", + DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n", (unsigned int)enum_context )); } else { - DEBUG(10,("samr_reply_query_dispinfo: using cached user enumeration at index %u\n", + DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n", (unsigned int)enum_context )); } @@ -1246,10 +1242,10 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, unbecome_root(); return NT_STATUS_ACCESS_DENIED; } - DEBUG(10,("samr_reply_query_dispinfo: starting machine enumeration at index %u\n", + DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n", (unsigned int)enum_context )); } else { - DEBUG(10,("samr_reply_query_dispinfo: using cached machine enumeration at index %u\n", + DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n", (unsigned int)enum_context )); } 
@@ -1265,10 +1261,10 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, unbecome_root(); return NT_STATUS_ACCESS_DENIED; } - DEBUG(10,("samr_reply_query_dispinfo: starting group enumeration at index %u\n", + DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n", (unsigned int)enum_context )); } else { - DEBUG(10,("samr_reply_query_dispinfo: using cached group enumeration at index %u\n", + DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n", (unsigned int)enum_context )); } @@ -1283,30 +1279,31 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, } unbecome_root(); + /* Now create reply structure */ - switch (q_u->switch_level) { + switch (r->in.level) { case 0x1: - disp_ret = init_sam_dispinfo_1(p->mem_ctx, &ctr->sam.info1, + disp_ret = init_sam_dispinfo_1(p->mem_ctx, &disp_info->info1, num_account, enum_context, entries); break; case 0x2: - disp_ret = init_sam_dispinfo_2(p->mem_ctx, &ctr->sam.info2, + disp_ret = init_sam_dispinfo_2(p->mem_ctx, &disp_info->info2, num_account, enum_context, entries); break; case 0x3: - disp_ret = init_sam_dispinfo_3(p->mem_ctx, &ctr->sam.info3, + disp_ret = init_sam_dispinfo_3(p->mem_ctx, &disp_info->info3, num_account, enum_context, entries); break; case 0x4: - disp_ret = init_sam_dispinfo_4(p->mem_ctx, &ctr->sam.info4, + disp_ret = init_sam_dispinfo_4(p->mem_ctx, &disp_info->info4, num_account, enum_context, entries); break; case 0x5: - disp_ret = init_sam_dispinfo_5(p->mem_ctx, &ctr->sam.info5, + disp_ret = init_sam_dispinfo_5(p->mem_ctx, &disp_info->info5, num_account, enum_context, entries); break; 
@@ -1322,22 +1319,20 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, total_data_size=num_account*struct_size; if (num_account) { - r_u->status = STATUS_MORE_ENTRIES; + status = STATUS_MORE_ENTRIES; } else { - r_u->status = NT_STATUS_OK; + status = NT_STATUS_OK; } /* Ensure we cache this enumeration. */ set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); - DEBUG(5, ("_samr_query_dispinfo: %d\n", __LINE__)); - - init_samr_r_query_dispinfo(r_u, num_account, total_data_size, - temp_size, q_u->switch_level, ctr, - r_u->status); + DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__)); - return r_u->status; + *r->out.total_size = total_data_size; + *r->out.returned_size = temp_size; + return status; } /******************************************************************* @@ -5279,16 +5274,6 @@ NTSTATUS _samr_ChangePasswordUser(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p, - struct samr_QueryDisplayInfo *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p, struct samr_GetDisplayEnumerationIndex *r) { -- cgit From d69a0b9f14b02c42d08c60dd50ba2da611a31d02 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 6 Feb 2008 21:29:17 +0100 Subject: Use pidl for _samr_LookupRids(). Guenther (This used to be commit fe3a02d44c4051ef84a182bdeb4130548d98db38) --- source3/rpc_server/srv_samr_nt.c | 95 ++++++++++++++++++++-------------------- 1 file changed, 48 insertions(+), 47 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index f7af95a2bf..6d3bca8ab9 100644 
--- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -103,6 +103,15 @@ static const struct generic_mapping ali_generic_mapping = { GENERIC_RIGHTS_ALIAS_EXECUTE, GENERIC_RIGHTS_ALIAS_ALL_ACCESS}; +/******************************************************************* + inits a structure. +********************************************************************/ + +static void init_lsa_String(struct lsa_String *name, const char *s) +{ + name->string = s; +} + /******************************************************************* *******************************************************************/ 
@@ -1684,60 +1693,54 @@ makes a SAMR_R_LOOKUP_RIDS structure. ********************************************************************/ static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, - const char **names, UNIHDR **pp_hdr_name, - UNISTR2 **pp_uni_name) + const char **names, + struct lsa_String **lsa_name_array_p) { - uint32 i; - UNIHDR *hdr_name=NULL; - UNISTR2 *uni_name=NULL; + struct lsa_String *lsa_name_array = NULL; + uint32_t i; - *pp_uni_name = NULL; - *pp_hdr_name = NULL; + *lsa_name_array_p = NULL; if (num_names != 0) { - hdr_name = TALLOC_ZERO_ARRAY(ctx, UNIHDR, num_names); - if (hdr_name == NULL) - return False; - - uni_name = TALLOC_ZERO_ARRAY(ctx,UNISTR2, num_names); - if (uni_name == NULL) - return False; + lsa_name_array = TALLOC_ZERO_ARRAY(ctx, struct lsa_String, num_names); + if (!lsa_name_array) { + return false; + } } for (i = 0; i < num_names; i++) { DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : "")); - init_unistr2(&uni_name[i], names[i], UNI_FLAGS_NONE); - init_uni_hdr(&hdr_name[i], &uni_name[i]); + init_lsa_String(&lsa_name_array[i], names[i]); } - *pp_uni_name = uni_name; - *pp_hdr_name = hdr_name; + *lsa_name_array_p = lsa_name_array; - return True; + return true; } /******************************************************************* - _samr_lookup_rids + _samr_LookupRids ********************************************************************/ -NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP_RIDS *r_u) +NTSTATUS _samr_LookupRids(pipes_struct *p, + struct samr_LookupRids *r) { + NTSTATUS status; const char **names; enum lsa_SidType *attrs = NULL; uint32 *wire_attrs = NULL; - UNIHDR *hdr_name = NULL; - UNISTR2 *uni_name = NULL; DOM_SID pol_sid; - int num_rids = (int)q_u->num_rids1; + int num_rids = (int)r->in.num_rids; uint32 acc_granted; int i; + struct lsa_Strings names_array; + struct samr_Ids types_array; + struct lsa_String *lsa_names = NULL; - r_u->status = 
NT_STATUS_OK; - - DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__)); + DEBUG(5,("_samr_LookupRids: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted, NULL)) + if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; if (num_rids > 1000) { @@ -1760,28 +1763,36 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK } become_root(); /* lookup_sid can require root privs */ - r_u->status = pdb_lookup_rids(&pol_sid, num_rids, q_u->rid, - names, attrs); + status = pdb_lookup_rids(&pol_sid, num_rids, r->in.rids, + names, attrs); unbecome_root(); - if ( NT_STATUS_EQUAL(r_u->status, NT_STATUS_NONE_MAPPED) && (num_rids == 0) ) { - r_u->status = NT_STATUS_OK; + if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) && (num_rids == 0)) { + status = NT_STATUS_OK; } - if(!make_samr_lookup_rids(p->mem_ctx, num_rids, names, - &hdr_name, &uni_name)) + if (!make_samr_lookup_rids(p->mem_ctx, num_rids, names, + &lsa_names)) { return NT_STATUS_NO_MEMORY; + } /* Convert from enum lsa_SidType to uint32 for wire format. */ for (i = 0; i < num_rids; i++) { wire_attrs[i] = (uint32)attrs[i]; } - init_samr_r_lookup_rids(r_u, num_rids, hdr_name, uni_name, wire_attrs); + names_array.count = num_rids; + names_array.names = lsa_names; - DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__)); + types_array.count = num_rids; + types_array.ids = wire_attrs; - return r_u->status; + *r->out.names = names_array; + *r->out.types = types_array; + + DEBUG(5,("_samr_LookupRids: %d\n", __LINE__)); + + return status; } /******************************************************************* 
@@ -5224,16 +5235,6 @@ NTSTATUS _samr_LookupNames(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_LookupRids(pipes_struct *p, - struct samr_LookupRids *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p, struct samr_SetMemberAttributesOfGroup *r) { -- cgit From fddbd6ec1cfda5d77c5c11d6f165b8ac5bff039e Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 8 Feb 2008 13:29:01 +0100 Subject: Use pidl for _samr_LookupNames(). Guenther (This used to be commit 325bf05592c4d2e7c760de64f8869a44f7315ce9) --- source3/rpc_server/srv_samr_nt.c | 73 +++++++++++++++++++--------------------- 1 file changed, 34 insertions(+), 39 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 6d3bca8ab9..9ed7014bff 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1471,75 +1471,80 @@ NTSTATUS _samr_QueryAliasInfo(pipes_struct *p, #endif /******************************************************************* - _samr_lookup_names + _samr_LookupNames ********************************************************************/ -NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOKUP_NAMES *r_u) +NTSTATUS _samr_LookupNames(pipes_struct *p, + struct samr_LookupNames *r) { + NTSTATUS status; uint32 rid[MAX_SAM_ENTRIES]; enum lsa_SidType type[MAX_SAM_ENTRIES]; int i; - int num_rids = q_u->num_names2; + int num_rids = r->in.num_names; DOM_SID pol_sid; uint32 acc_granted; + struct samr_Ids rids, types; - r_u->status = NT_STATUS_OK; - - DEBUG(5,("_samr_lookup_names: %d\n", __LINE__)); + DEBUG(5,("_samr_LookupNames: %d\n", __LINE__)); ZERO_ARRAY(rid); ZERO_ARRAY(type); - if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted, NULL)) { - init_samr_r_lookup_names(p->mem_ctx, r_u, 0, NULL, NULL, NT_STATUS_OBJECT_TYPE_MISMATCH); - return r_u->status; + if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL)) { + return NT_STATUS_OBJECT_TYPE_MISMATCH; } - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, 0, "_samr_lookup_names"))) { /* Don't know the acc_bits yet */ - return r_u->status; + status = access_check_samr_function(acc_granted, + 0, /* Don't know the acc_bits yet */ + "_samr_LookupNames"); + if (!NT_STATUS_IS_OK(status)) { + return status; } if (num_rids > MAX_SAM_ENTRIES) { num_rids = MAX_SAM_ENTRIES; - DEBUG(5,("_samr_lookup_names: truncating entries to %d\n", num_rids)); + DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids)); } - DEBUG(5,("_samr_lookup_names: looking name on SID %s\n", + DEBUG(5,("_samr_LookupNames: looking name on SID %s\n", sid_string_dbg(&pol_sid))); for (i = 0; i < num_rids; i++) { - fstring name; - int ret; - r_u->status = NT_STATUS_NONE_MAPPED; + status = NT_STATUS_NONE_MAPPED; type[i] = SID_NAME_UNKNOWN; 
- rid [i] = 0xffffffff; - - ret = rpcstr_pull(name, q_u->uni_name[i].buffer, sizeof(name), q_u->uni_name[i].uni_str_len*2, 0); - - if (ret <= 0) { - continue; - } + rid[i] = 0xffffffff; if (sid_check_is_builtin(&pol_sid)) { - if (lookup_builtin_name(name, &rid[i])) { + if (lookup_builtin_name(r->in.names[i].string, + &rid[i])) + { type[i] = SID_NAME_ALIAS; } } else { - lookup_global_sam_name(name, 0, &rid[i], &type[i]); + lookup_global_sam_name(r->in.names[i].string, 0, + &rid[i], &type[i]); } if (type[i] != SID_NAME_UNKNOWN) { - r_u->status = NT_STATUS_OK; + status = NT_STATUS_OK; } } - init_samr_r_lookup_names(p->mem_ctx, r_u, num_rids, rid, type, r_u->status); + rids.count = num_rids; + rids.ids = rid; - DEBUG(5,("_samr_lookup_names: %d\n", __LINE__)); + types.count = num_rids; + types.ids = type; - return r_u->status; + *r->out.rids = rids; + *r->out.types = types; + + DEBUG(5,("_samr_LookupNames: %d\n", __LINE__)); + + return status; } /******************************************************************* @@ -5225,16 +5230,6 @@ NTSTATUS _samr_EnumDomainAliases(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_LookupNames(pipes_struct *p, - struct samr_LookupNames *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p, struct samr_SetMemberAttributesOfGroup *r) { -- cgit From f621c1a9ab2344cd8548c676e1e15d6d04915b82 Mon Sep 17 00:00:00 2001 
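Review bot: `rids.ids = rid;` and `types.ids = type;` store the addresses of the stack arrays `rid[MAX_SAM_ENTRIES]` and `type[MAX_SAM_ENTRIES]` into `*r->out.rids` and `*r->out.types`, so whatever serialises the reply after this function returns would read memory that is no longer valid (presumably the generated marshalling code, which is not shown). `type` is also an array of `enum lsa_SidType`, whereas the `_samr_LookupRids` hunk converts such values into a separate `uint32` array before assigning it to a `struct samr_Ids`. Copying both arrays into memory allocated from `p->mem_ctx` before filling the out parameters addresses both points; the rewritten tail of the function is sketched below.

```c
	/* … unchanged: lookup loop filling rid[] and type[] … */

	rids.count = num_rids;
	rids.ids = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
	types.count = num_rids;
	types.ids = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
	if (num_rids > 0 && (!rids.ids || !types.ids)) {
		return NT_STATUS_NO_MEMORY;
	}

	for (i = 0; i < num_rids; i++) {
		rids.ids[i] = rid[i];
		/* Convert from enum lsa_SidType to uint32 for wire format. */
		types.ids[i] = (uint32)type[i];
	}

	*r->out.rids = rids;
	*r->out.types = types;
```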
From: Günther Deschner Date: Fri, 8 Feb 2008 19:42:23 +0100 Subject: Pure cosmetics, breaking some very long lines. Guenther (This used to be commit 25c030136f62e48471acc0492907ac44e4316e19) --- source3/rpc_server/srv_samr_nt.c | 88 ++++++++++++++++++++++++++++------------ 1 file changed, 63 insertions(+), 25 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 9ed7014bff..4c242dc323 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -586,8 +586,9 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p, if ( !find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info) ) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function( info->acc_granted, - SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_OpenDomain" ); + status = access_check_samr_function(info->acc_granted, + SA_RIGHT_SAM_OPEN_DOMAIN, + "_samr_OpenDomain" ); if ( !NT_STATUS_IS_OK(status) ) return status; @@ -728,7 +729,9 @@ NTSTATUS _samr_SetSecurity(pipes_struct *p, return NT_STATUS_ACCESS_DENIED; } - status = access_check_samr_function(acc_granted, SA_RIGHT_USER_SET_ATTRIBUTES, "_samr_SetSecurity"); + status = access_check_samr_function(acc_granted, + SA_RIGHT_USER_SET_ATTRIBUTES, + "_samr_SetSecurity"); if (NT_STATUS_IS_OK(status)) { become_root(); status = pdb_update_sam_account(sampass); @@ -1550,9 +1553,9 @@ NTSTATUS _samr_LookupNames(pipes_struct *p, /******************************************************************* _samr_ChangePasswordUser2 ********************************************************************/ + NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p, struct samr_ChangePasswordUser2 *r) - { NTSTATUS status; fstring user_name; 
@@ -1577,8 +1580,12 @@ NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p, * is case insensitive. */ - status = pass_oem_change(user_name, r->in.lm_password->data, r->in.lm_verifier->hash, - r->in.nt_password->data, r->in.nt_verifier->hash, NULL); + status = pass_oem_change(user_name, + r->in.lm_password->data, + r->in.lm_verifier->hash, + r->in.nt_password->data, + r->in.nt_verifier->hash, + NULL); DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__)); @@ -1825,8 +1832,9 @@ NTSTATUS _samr_OpenUser(pipes_struct *p, if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) ) return NT_STATUS_INVALID_HANDLE; - nt_status = access_check_samr_function( acc_granted, - SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_OpenUser" ); + nt_status = access_check_samr_function(acc_granted, + SA_RIGHT_DOMAIN_OPEN_ACCOUNT, + "_samr_OpenUser" ); if ( !NT_STATUS_IS_OK(nt_status) ) return nt_status; @@ -2940,6 +2948,7 @@ NTSTATUS _samr_Connect5(pipes_struct *p, /********************************************************************** _samr_LookupDomain **********************************************************************/ + NTSTATUS _samr_LookupDomain(pipes_struct *p, struct samr_LookupDomain *r) { @@ -3079,7 +3088,8 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p, return NT_STATUS_INVALID_HANDLE; status = access_check_samr_function(acc_granted, - SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_OpenAlias"); + SA_RIGHT_DOMAIN_OPEN_ACCOUNT, + "_samr_OpenAlias"); if ( !NT_STATUS_IS_OK(status) ) return status; 
@@ -3894,8 +3904,12 @@ NTSTATUS _samr_GetAliasMembership(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - ntstatus1 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM, "_samr_GetAliasMembership"); - ntstatus2 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_GetAliasMembership"); + ntstatus1 = access_check_samr_function(info->acc_granted, + SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM, + "_samr_GetAliasMembership"); + ntstatus2 = access_check_samr_function(info->acc_granted, + SA_RIGHT_DOMAIN_OPEN_ACCOUNT, + "_samr_GetAliasMembership"); if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) { if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) && @@ -3960,7 +3974,9 @@ NTSTATUS _samr_GetMembersInAlias(pipes_struct *p, if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_GET_MEMBERS, "_samr_GetMembersInAlias"); + status = access_check_samr_function(acc_granted, + SA_RIGHT_ALIAS_GET_MEMBERS, + "_samr_GetMembersInAlias"); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -4026,7 +4042,9 @@ NTSTATUS _samr_QueryGroupMember(pipes_struct *p, if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL)) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_GET_MEMBERS, "_samr_QueryGroupMember"); + status = access_check_samr_function(acc_granted, + SA_RIGHT_GROUP_GET_MEMBERS, + "_samr_QueryGroupMember"); if (!NT_STATUS_IS_OK(status)) { return status; } 
@@ -4088,7 +4106,9 @@ NTSTATUS _samr_AddAliasMember(pipes_struct *p, if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_ADD_MEMBER, "_samr_AddAliasMember"); + status = access_check_samr_function(acc_granted, + SA_RIGHT_ALIAS_ADD_MEMBER, + "_samr_AddAliasMember"); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -4135,7 +4155,9 @@ NTSTATUS _samr_DeleteAliasMember(pipes_struct *p, if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_REMOVE_MEMBER, "_samr_DeleteAliasMember"); + status = access_check_samr_function(acc_granted, + SA_RIGHT_ALIAS_REMOVE_MEMBER, + "_samr_DeleteAliasMember"); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -4184,7 +4206,9 @@ NTSTATUS _samr_AddGroupMember(pipes_struct *p, if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_ADD_MEMBER, "_samr_AddGroupMember"); + status = access_check_samr_function(acc_granted, + SA_RIGHT_GROUP_ADD_MEMBER, + "_samr_AddGroupMember"); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -4242,7 +4266,9 @@ NTSTATUS _samr_DeleteGroupMember(pipes_struct *p, if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_REMOVE_MEMBER, "_samr_DeleteGroupMember"); + status = access_check_samr_function(acc_granted, + SA_RIGHT_GROUP_REMOVE_MEMBER, + "_samr_DeleteGroupMember"); if (!NT_STATUS_IS_OK(status)) { return status; } 
@@ -4294,7 +4320,9 @@ NTSTATUS _samr_DeleteUser(pipes_struct *p, if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &user_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_DeleteUser"); + status = access_check_samr_function(acc_granted, + STD_RIGHT_DELETE_ACCESS, + "_samr_DeleteUser"); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -4379,7 +4407,9 @@ NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p, if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_DeleteDomainGroup"); + status = access_check_samr_function(acc_granted, + STD_RIGHT_DELETE_ACCESS, + "_samr_DeleteDomainGroup"); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -4446,7 +4476,9 @@ NTSTATUS _samr_DeleteDomAlias(pipes_struct *p, memcpy(r->out.alias_handle, r->in.alias_handle, sizeof(r->out.alias_handle)); - status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_DeleteDomAlias"); + status = access_check_samr_function(acc_granted, + STD_RIGHT_DELETE_ACCESS, + "_samr_DeleteDomAlias"); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -4513,7 +4545,9 @@ NTSTATUS _samr_CreateDomainGroup(pipes_struct *p, if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_GROUP, "_samr_CreateDomainGroup"); + status = access_check_samr_function(acc_granted, + SA_RIGHT_DOMAIN_CREATE_GROUP, + "_samr_CreateDomainGroup"); if (!NT_STATUS_IS_OK(status)) { return status; } 
@@ -4593,7 +4627,9 @@ NTSTATUS _samr_CreateDomAlias(pipes_struct *p, if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - result = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_ALIAS, "_samr_CreateDomAlias"); + result = access_check_samr_function(acc_granted, + SA_RIGHT_DOMAIN_CREATE_ALIAS, + "_samr_CreateDomAlias"); if (!NT_STATUS_IS_OK(result)) { return result; } @@ -4982,7 +5018,8 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p, return NT_STATUS_INVALID_HANDLE; status = access_check_samr_function(acc_granted, - SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_OpenGroup"); + SA_RIGHT_DOMAIN_OPEN_ACCOUNT, + "_samr_OpenGroup"); if ( !NT_STATUS_IS_OK(status) ) return status; @@ -5053,8 +5090,9 @@ NTSTATUS _samr_RemoveMemberFromForeignDomain(pipes_struct *p, &acc_granted, &disp_info)) return NT_STATUS_INVALID_HANDLE; - result = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, - "_samr_RemoveMemberFromForeignDomain"); + result = access_check_samr_function(acc_granted, + STD_RIGHT_DELETE_ACCESS, + "_samr_RemoveMemberFromForeignDomain"); if (!NT_STATUS_IS_OK(result)) return result; -- cgit From 67536ed68fa184496c1a27dc3bd7ff6a2720f0ef Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sat, 9 Feb 2008 01:55:49 +0100 Subject: Use pidl for _samr_EnumDomains(). Guenther (This used to be commit 2d5e2abc2715acaddd2d05c9d0b634a3595143f1) --- source3/rpc_server/srv_samr_nt.c | 98 ++++++++++++++-------------------------- 1 file changed, 34 insertions(+), 64 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 4c242dc323..6619e0651e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -2993,74 +2993,54 @@ NTSTATUS _samr_LookupDomain(pipes_struct *p, return status; } -/****************************************************************** -makes a SAMR_R_ENUM_DOMAINS structure. -********************************************************************/ - -static bool make_enum_domains(TALLOC_CTX *ctx, SAM_ENTRY **pp_sam, - UNISTR2 **pp_uni_name, uint32 num_sam_entries, fstring doms[]) -{ - uint32 i; - SAM_ENTRY *sam; - UNISTR2 *uni_name; - - DEBUG(5, ("make_enum_domains\n")); - - *pp_sam = NULL; - *pp_uni_name = NULL; - - if (num_sam_entries == 0) - return True; - - sam = TALLOC_ZERO_ARRAY(ctx, SAM_ENTRY, num_sam_entries); - uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_sam_entries); - - if (sam == NULL || uni_name == NULL) - return False; - - for (i = 0; i < num_sam_entries; i++) { - init_unistr2(&uni_name[i], doms[i], UNI_FLAGS_NONE); - init_sam_entry(&sam[i], &uni_name[i], 0); - } - - *pp_sam = sam; - *pp_uni_name = uni_name; - - return True; -} - /********************************************************************** - api_samr_enum_domains + _samr_EnumDomains **********************************************************************/ -NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_ENUM_DOMAINS *r_u) +NTSTATUS _samr_EnumDomains(pipes_struct *p, + struct samr_EnumDomains *r) { + NTSTATUS status; struct samr_info *info; - uint32 num_entries = 2; - fstring dom[2]; - const char *name; - - r_u->status = NT_STATUS_OK; + uint32_t num_entries = 2; + struct samr_SamEntry *entry_array = NULL; + struct samr_SamArray *sam; - if (!find_policy_by_hnd(p, &q_u->pol, (void**)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_enum_domains"))) { - return r_u->status; + status = access_check_samr_function(info->acc_granted, + SA_RIGHT_SAM_ENUM_DOMAINS, + 
"_samr_EnumDomains"); + if (!NT_STATUS_IS_OK(status)) { + return status; } - name = get_global_sam_name(); - - fstrcpy(dom[0],name); - strupper_m(dom[0]); - fstrcpy(dom[1],"Builtin"); + sam = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray); + if (!sam) { + return NT_STATUS_NO_MEMORY; + } - if (!make_enum_domains(p->mem_ctx, &r_u->sam, &r_u->uni_dom_name, num_entries, dom)) + entry_array = TALLOC_ZERO_ARRAY(p->mem_ctx, + struct samr_SamEntry, + num_entries); + if (!entry_array) { return NT_STATUS_NO_MEMORY; + } - init_samr_r_enum_domains(r_u, q_u->start_idx + num_entries, num_entries); + entry_array[0].idx = 0; + init_lsa_String(&entry_array[0].name, get_global_sam_name()); - return r_u->status; + entry_array[1].idx = 1; + init_lsa_String(&entry_array[1].name, "Builtin"); + + sam->count = num_entries; + sam->entries = entry_array; + + *r->out.sam = sam; + *r->out.num_entries = num_entries; + + return status; } /******************************************************************* @@ -5218,16 +5198,6 @@ NTSTATUS _samr_Shutdown(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_EnumDomains(pipes_struct *p, - struct samr_EnumDomains *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_EnumDomainGroups(pipes_struct *p, struct samr_EnumDomainGroups *r) { -- cgit From 6bb6af65abfced64576d990b5f734d61130b3d77 Mon Sep 17 00:00:00 2001 
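Review bot: The rewritten _samr_EnumDomains never writes `*r->out.resume_handle`, whereas the removed code returned `q_u->start_idx + num_entries` through init_samr_r_enum_domains(). Unless the generated stub pre-fills the out handle, a client that pages on the resume handle gets back an unadvanced value and may be handed the same two entries again. Adding `*r->out.resume_handle = *r->in.resume_handle + num_entries;` before the return would keep the old behaviour, assuming the field has the same shape as in the _samr_EnumDomainAliases conversion later on this page. The conversion also drops the `strupper_m()` on the SAM name, so the first entry is no longer upper-cased; if that is intended it deserves a line in the commit message.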
From: Günther Deschner Date: Mon, 11 Feb 2008 21:09:21 +0100 Subject: Use pidl for _samr_SetUserInfo and _samr_SetUserInfo2. Guenther (This used to be commit d148ffbc955aa62e42ab480e41d3a9b8c63117cd) --- source3/rpc_server/srv_samr_nt.c | 239 +++++++++++++++++++-------------------- 1 file changed, 115 insertions(+), 124 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 6619e0651e..cb5bfe5440 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3132,10 +3132,11 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p, /******************************************************************* set_user_info_7 ********************************************************************/ + static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx, - const SAM_USER_INFO_7 *id7, struct samu *pwd) + struct samr_UserInfo7 *id7, + struct samu *pwd) { - fstring new_name; NTSTATUS rc; if (id7 == NULL) { @@ -3144,7 +3145,7 @@ static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx, return NT_STATUS_ACCESS_DENIED; } - if(!rpcstr_pull(new_name, id7->uni_name.buffer, sizeof(new_name), id7->uni_name.uni_str_len*2, 0)) { + if (!id7->account_name.string) { DEBUG(5, ("set_user_info_7: failed to get new username\n")); TALLOC_FREE(pwd); return NT_STATUS_ACCESS_DENIED; @@ -3159,12 +3160,12 @@ static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx, simply that the rename fails with a slightly different status code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */ - rc = can_create(mem_ctx, new_name); + rc = can_create(mem_ctx, id7->account_name.string); if (!NT_STATUS_IS_OK(rc)) { return rc; } - rc = pdb_rename_sam_account(pwd, new_name); + rc = pdb_rename_sam_account(pwd, id7->account_name.string); TALLOC_FREE(pwd); return rc; 
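Review bot: In set_user_info_7 the only validation left on the client-supplied name is the NULL test `if (!id7->account_name.string)`; the removed rpcstr_pull() call also bounded the name to an fstring. An empty or over-long name now reaches can_create() and pdb_rename_sam_account() unchanged, so whether it is rejected depends on those helpers, which are not visible here. Consider rejecting an empty string up front, e.g. `if (!id7->account_name.string || !id7->account_name.string[0])`, and stating the length assumption in a comment. The same applies to the rename test in set_user_info_21 later in this commit, and the function body extends beyond these hunks.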
@@ -3174,7 +3175,8 @@ static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx, set_user_info_16 ********************************************************************/ -static bool set_user_info_16(const SAM_USER_INFO_16 *id16, struct samu *pwd) +static bool set_user_info_16(struct samr_UserInfo16 *id16, + struct samu *pwd) { if (id16 == NULL) { DEBUG(5, ("set_user_info_16: NULL id16\n")); @@ -3183,7 +3185,7 @@ static bool set_user_info_16(const SAM_USER_INFO_16 *id16, struct samu *pwd) } /* FIX ME: check if the value is really changed --metze */ - if (!pdb_set_acct_ctrl(pwd, id16->acb_info, PDB_CHANGED)) { + if (!pdb_set_acct_ctrl(pwd, id16->acct_flags, PDB_CHANGED)) { TALLOC_FREE(pwd); return False; } @@ -3202,20 +3204,20 @@ static bool set_user_info_16(const SAM_USER_INFO_16 *id16, struct samu *pwd) set_user_info_18 ********************************************************************/ -static bool set_user_info_18(SAM_USER_INFO_18 *id18, struct samu *pwd) +static bool set_user_info_18(struct samr_UserInfo18 *id18, + struct samu *pwd) { - if (id18 == NULL) { DEBUG(2, ("set_user_info_18: id18 is NULL\n")); TALLOC_FREE(pwd); return False; } - if (!pdb_set_lanman_passwd (pwd, id18->lm_pwd, PDB_CHANGED)) { + if (!pdb_set_lanman_passwd (pwd, id18->lm_pwd.hash, PDB_CHANGED)) { TALLOC_FREE(pwd); return False; } - if (!pdb_set_nt_passwd (pwd, id18->nt_pwd, PDB_CHANGED)) { + if (!pdb_set_nt_passwd (pwd, id18->nt_pwd.hash, PDB_CHANGED)) { TALLOC_FREE(pwd); return False; } @@ -3237,7 +3239,8 @@ static bool set_user_info_18(SAM_USER_INFO_18 *id18, struct samu *pwd) set_user_info_20 ********************************************************************/ -static bool set_user_info_20(SAM_USER_INFO_20 *id20, struct samu *pwd) +static bool set_user_info_20(struct samr_UserInfo20 *id20, + struct samu *pwd) { if (id20 == NULL) { DEBUG(5, ("set_user_info_20: NULL id20\n")); 
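Review bot: set_user_info_18 hands `id18->lm_pwd.hash` and `id18->nt_pwd.hash` to the passdb setters exactly as they arrived, and the `case 18` branches of the dispatchers in this commit do no session-key processing before calling it, unlike levels 23 to 26. If these hashes are protected with the session key on the wire (an inference from the neighbouring levels, not something this hunk shows), the values stored here would not be the account's real hashes. Please confirm the wire format and record the answer in a comment such as `/* lm_pwd/nt_pwd are stored as received; no session-key unwrapping at this level */`. The function continues past the hunk.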
@@ -3256,14 +3259,15 @@ static bool set_user_info_20(SAM_USER_INFO_20 *id20, struct samu *pwd) return True; } + /******************************************************************* set_user_info_21 ********************************************************************/ -static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, +static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, + struct samr_UserInfo21 *id21, struct samu *pwd) { - fstring new_name; NTSTATUS status; if (id21 == NULL) { @@ -3273,9 +3277,8 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, /* we need to separately check for an account rename first */ - if (rpcstr_pull(new_name, id21->uni_user_name.buffer, - sizeof(new_name), id21->uni_user_name.uni_str_len*2, 0) - && (!strequal(new_name, pdb_get_username(pwd)))) + if (id21->account_name.string && + (!strequal(id21->account_name.string, pdb_get_username(pwd)))) { /* check to see if the new username already exists. Note: we can't @@ -3287,12 +3290,12 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, simply that the rename fails with a slightly different status code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */ - status = can_create(mem_ctx, new_name); + status = can_create(mem_ctx, id21->account_name.string); if (!NT_STATUS_IS_OK(status)) { return status; } - status = pdb_rename_sam_account(pwd, new_name); + status = pdb_rename_sam_account(pwd, id21->account_name.string); if (!NT_STATUS_IS_OK(status)) { DEBUG(0,("set_user_info_21: failed to rename account: %s\n", @@ -3303,7 +3306,7 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, /* set the new username so that later functions can work on the new account */ - pdb_set_username(pwd, new_name, PDB_SET); + pdb_set_username(pwd, id21->account_name.string, PDB_SET); } copy_id21_to_sam_passwd(pwd, id21); 
@@ -3341,7 +3344,8 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, set_user_info_23 ********************************************************************/ -static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, +static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, + struct samr_UserInfo23 *id23, struct samu *pwd) { char *plaintext_buf = NULL; @@ -3360,7 +3364,7 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, SAM_USER_INFO_23 *id23, acct_ctrl = pdb_get_acct_ctrl(pwd); if (!decode_pw_buffer(mem_ctx, - id23->pass, + id23->password.data, &plaintext_buf, &len, STR_UNICODE)) { @@ -3508,7 +3512,8 @@ static bool set_user_info_pw(uint8 *pass, struct samu *pwd) set_user_info_25 ********************************************************************/ -static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx, SAM_USER_INFO_25 *id25, +static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx, + struct samr_UserInfo25 *id25, struct samu *pwd) { NTSTATUS status; @@ -3548,16 +3553,18 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx, SAM_USER_INFO_25 *id25, } /******************************************************************* - samr_reply_set_userinfo + _samr_SetUserInfo ********************************************************************/ -NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_USERINFO *r_u) +NTSTATUS _samr_SetUserInfo(pipes_struct *p, + struct samr_SetUserInfo *r) { + NTSTATUS status; struct samu *pwd = NULL; DOM_SID sid; - POLICY_HND *pol = &q_u->pol; - uint16 switch_value = q_u->switch_value; - SAM_USERINFO_CTR *ctr = q_u->ctr; + POLICY_HND *pol = r->in.user_handle; + uint16 switch_value = r->in.level; + union samr_UserInfo *info = r->in.info; uint32 acc_granted; uint32 acc_required; bool ret; 
@@ -3565,9 +3572,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE uint32 acb_info; DISP_INFO *disp_info = NULL; - DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__)); - - r_u->status = NT_STATUS_OK; + DEBUG(5, ("_samr_SetUserInfo: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) @@ -3592,15 +3597,18 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE break; } - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) { - return r_u->status; + status = access_check_samr_function(acc_granted, + acc_required, + "_samr_SetUserInfo"); + if (!NT_STATUS_IS_OK(status)) { + return status; } - DEBUG(5, ("_samr_set_userinfo: sid:%s, level:%d\n", + DEBUG(5, ("_samr_SetUserInfo: sid:%s, level:%d\n", sid_string_dbg(&sid), switch_value)); - if (ctr == NULL) { - DEBUG(5, ("_samr_set_userinfo: NULL info level\n")); + if (info == NULL) { + DEBUG(5, ("_samr_SetUserInfo: NULL info level\n")); return NT_STATUS_INVALID_INFO_CLASS; } @@ -3630,7 +3638,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); } - DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n", + DEBUG(5, ("_samr_SetUserInfo: %s does%s possess sufficient rights\n", uidtoname(p->pipe_user.ut.uid), has_enough_rights ? "" : " not")); 
@@ -3643,65 +3651,67 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE switch (switch_value) { case 18: - if (!set_user_info_18(ctr->info.id18, pwd)) - r_u->status = NT_STATUS_ACCESS_DENIED; + if (!set_user_info_18(&info->info18, pwd)) + status = NT_STATUS_ACCESS_DENIED; break; case 24: if (!p->session_key.length) { - r_u->status = NT_STATUS_NO_USER_SESSION_KEY; + status = NT_STATUS_NO_USER_SESSION_KEY; } - SamOEMhashBlob(ctr->info.id24->pass, 516, &p->session_key); + SamOEMhashBlob(info->info24.password.data, + 516, + &p->session_key); - dump_data(100, ctr->info.id24->pass, 516); + dump_data(100, info->info24.password.data, 516); - if (!set_user_info_pw(ctr->info.id24->pass, pwd)) - r_u->status = NT_STATUS_ACCESS_DENIED; + if (!set_user_info_pw(info->info24.password.data, pwd)) + status = NT_STATUS_ACCESS_DENIED; break; case 25: if (!p->session_key.length) { - r_u->status = NT_STATUS_NO_USER_SESSION_KEY; + status = NT_STATUS_NO_USER_SESSION_KEY; } - encode_or_decode_arc4_passwd_buffer(ctr->info.id25->pass, &p->session_key); + encode_or_decode_arc4_passwd_buffer(info->info25.password.data, &p->session_key); - dump_data(100, ctr->info.id25->pass, 532); + dump_data(100, info->info25.password.data, 532); - r_u->status = set_user_info_25(p->mem_ctx, - ctr->info.id25, pwd); - if (!NT_STATUS_IS_OK(r_u->status)) { + status = set_user_info_25(p->mem_ctx, + &info->info25, pwd); + if (!NT_STATUS_IS_OK(status)) { goto done; } - if (!set_user_info_pw(ctr->info.id25->pass, pwd)) - r_u->status = NT_STATUS_ACCESS_DENIED; + if (!set_user_info_pw(info->info25.password.data, pwd)) + status = NT_STATUS_ACCESS_DENIED; break; case 26: if (!p->session_key.length) { - r_u->status = NT_STATUS_NO_USER_SESSION_KEY; + status = NT_STATUS_NO_USER_SESSION_KEY; } - encode_or_decode_arc4_passwd_buffer(ctr->info.id26->pass, &p->session_key); + encode_or_decode_arc4_passwd_buffer(info->info26.password.data, &p->session_key); - dump_data(100, ctr->info.id26->pass, 
516); + dump_data(100, info->info26.password.data, 516); - if (!set_user_info_pw(ctr->info.id26->pass, pwd)) - r_u->status = NT_STATUS_ACCESS_DENIED; + if (!set_user_info_pw(info->info26.password.data, pwd)) + status = NT_STATUS_ACCESS_DENIED; break; case 23: if (!p->session_key.length) { - r_u->status = NT_STATUS_NO_USER_SESSION_KEY; + status = NT_STATUS_NO_USER_SESSION_KEY; } - SamOEMhashBlob(ctr->info.id23->pass, 516, &p->session_key); + SamOEMhashBlob(info->info23.password.data, 516, &p->session_key); - dump_data(100, ctr->info.id23->pass, 516); + dump_data(100, info->info23.password.data, 516); - r_u->status = set_user_info_23(p->mem_ctx, - ctr->info.id23, pwd); + status = set_user_info_23(p->mem_ctx, + &info->info23, pwd); break; default: - r_u->status = NT_STATUS_INVALID_INFO_CLASS; + status = NT_STATUS_INVALID_INFO_CLASS; } done: @@ -3711,24 +3721,26 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE /* ================ END SeMachineAccountPrivilege BLOCK ================ */ - if (NT_STATUS_IS_OK(r_u->status)) { + if (NT_STATUS_IS_OK(status)) { force_flush_samr_cache(disp_info); } - return r_u->status; + return status; } /******************************************************************* - samr_reply_set_userinfo2 + _samr_SetUserInfo2 ********************************************************************/ -NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SET_USERINFO2 *r_u) +NTSTATUS _samr_SetUserInfo2(pipes_struct *p, + struct samr_SetUserInfo2 *r) { + NTSTATUS status; struct samu *pwd = NULL; DOM_SID sid; - SAM_USERINFO_CTR *ctr = q_u->ctr; - POLICY_HND *pol = &q_u->pol; - uint16 switch_value = q_u->switch_value; + union samr_UserInfo *info = r->in.info; + POLICY_HND *pol = r->in.user_handle; + uint16 switch_value = r->in.level; uint32 acc_granted; uint32 acc_required; bool ret; 
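Review bot: In the `case 24`, `case 25`, `case 26` and `case 23` branches of _samr_SetUserInfo the empty-session-key test only assigns `status = NT_STATUS_NO_USER_SESSION_KEY` and then falls through, so the buffer is still run through SamOEMhashBlob() or encode_or_decode_arc4_passwd_buffer() with a zero-length key and passed on to set_user_info_pw() or set_user_info_23(). In cases 23 and 25 the error is then overwritten by the helper's return value, and in cases 24 and 26 a password may be set while an error is returned. Each test should leave the switch, e.g. `status = NT_STATUS_NO_USER_SESSION_KEY; break;`; the same pattern is carried into cases 23 and 26 of _samr_SetUserInfo2 in the later hunk of this commit. Separately, the `dump_data(100, ...password.data, 516)` calls write the unwrapped password buffer to the debug log and are worth dropping or reducing to a length-only message.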
@@ -3736,9 +3748,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ uint32 acb_info; DISP_INFO *disp_info = NULL; - DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__)); - - r_u->status = NT_STATUS_OK; + DEBUG(5, ("_samr_SetUserInfo2: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) @@ -3753,20 +3763,21 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ acc_required = SA_RIGHT_USER_SET_ATTRIBUTES; #endif - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo2"))) { - return r_u->status; + status = access_check_samr_function(acc_granted, + acc_required, + "_samr_SetUserInfo2"); + if (!NT_STATUS_IS_OK(status)) { + return status; } - DEBUG(5, ("samr_reply_set_userinfo2: sid:%s\n", + DEBUG(5,("_samr_SetUserInfo2: sid:%s\n", sid_string_dbg(&sid))); - if (ctr == NULL) { - DEBUG(5, ("samr_reply_set_userinfo2: NULL info level\n")); + if (info == NULL) { + DEBUG(5,("_samr_SetUserInfo2: NULL info level\n")); return NT_STATUS_INVALID_INFO_CLASS; } - switch_value=ctr->switch_value; - if ( !(pwd = samu_new( NULL )) ) { return NT_STATUS_NO_MEMORY; } @@ -3790,7 +3801,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); } - DEBUG(5, ("_samr_set_userinfo2: %s does%s possess sufficient rights\n", + DEBUG(5, ("_samr_SetUserInfo2: %s does%s possess sufficient rights\n", uidtoname(p->pipe_user.ut.uid), has_enough_rights ? "" : " not")); 
@@ -3803,50 +3814,50 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ switch (switch_value) { case 7: - r_u->status = set_user_info_7(p->mem_ctx, - ctr->info.id7, pwd); + status = set_user_info_7(p->mem_ctx, + &info->info7, pwd); break; case 16: - if (!set_user_info_16(ctr->info.id16, pwd)) - r_u->status = NT_STATUS_ACCESS_DENIED; + if (!set_user_info_16(&info->info16, pwd)) + status = NT_STATUS_ACCESS_DENIED; break; case 18: /* Used by AS/U JRA. */ - if (!set_user_info_18(ctr->info.id18, pwd)) - r_u->status = NT_STATUS_ACCESS_DENIED; + if (!set_user_info_18(&info->info18, pwd)) + status = NT_STATUS_ACCESS_DENIED; break; case 20: - if (!set_user_info_20(ctr->info.id20, pwd)) - r_u->status = NT_STATUS_ACCESS_DENIED; + if (!set_user_info_20(&info->info20, pwd)) + status = NT_STATUS_ACCESS_DENIED; break; case 21: - r_u->status = set_user_info_21(p->mem_ctx, - ctr->info.id21, pwd); + status = set_user_info_21(p->mem_ctx, + &info->info21, pwd); break; case 23: if (!p->session_key.length) { - r_u->status = NT_STATUS_NO_USER_SESSION_KEY; + status = NT_STATUS_NO_USER_SESSION_KEY; } - SamOEMhashBlob(ctr->info.id23->pass, 516, &p->session_key); + SamOEMhashBlob(info->info23.password.data, 516, &p->session_key); - dump_data(100, ctr->info.id23->pass, 516); + dump_data(100, info->info23.password.data, 516); - r_u->status = set_user_info_23(p->mem_ctx, - ctr->info.id23, pwd); + status = set_user_info_23(p->mem_ctx, + &info->info23, pwd); break; case 26: if (!p->session_key.length) { - r_u->status = NT_STATUS_NO_USER_SESSION_KEY; + status = NT_STATUS_NO_USER_SESSION_KEY; } - encode_or_decode_arc4_passwd_buffer(ctr->info.id26->pass, &p->session_key); + encode_or_decode_arc4_passwd_buffer(info->info26.password.data, &p->session_key); - dump_data(100, ctr->info.id26->pass, 516); + dump_data(100, info->info26.password.data, 516); - if (!set_user_info_pw(ctr->info.id26->pass, pwd)) - r_u->status = NT_STATUS_ACCESS_DENIED; + if 
(!set_user_info_pw(info->info26.password.data, pwd)) + status = NT_STATUS_ACCESS_DENIED; break; default: - r_u->status = NT_STATUS_INVALID_INFO_CLASS; + status = NT_STATUS_INVALID_INFO_CLASS; } if ( has_enough_rights ) @@ -3854,11 +3865,11 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ /* ================ END SeMachineAccountPrivilege BLOCK ================ */ - if (NT_STATUS_IS_OK(r_u->status)) { + if (NT_STATUS_IS_OK(status)) { force_flush_samr_cache(disp_info); } - return r_u->status; + return status; } /********************************************************************* @@ -5258,16 +5269,6 @@ NTSTATUS _samr_QueryUserInfo(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_SetUserInfo(pipes_struct *p, - struct samr_SetUserInfo *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_ChangePasswordUser(pipes_struct *p, struct samr_ChangePasswordUser *r) { @@ -5378,16 +5379,6 @@ NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_SetUserInfo2(pipes_struct *p, - struct samr_SetUserInfo2 *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_SetBootKeyInformation(pipes_struct *p, struct samr_SetBootKeyInformation *r) { -- cgit From 326477e522b99eaa2b6bd636582d4fece6906d62 Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Mon, 11 Feb 2008 22:47:49 +0100 Subject: Allow to set correct info level log prefix in duplicates of copy_id21_to_sam_passwd. Guenther (This used to be commit 118e166c003a931884c662423e1e280a5be3eb48) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index cb5bfe5440..6efea1a754 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3309,7 +3309,7 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx, pdb_set_username(pwd, id21->account_name.string, PDB_SET); } - copy_id21_to_sam_passwd(pwd, id21); + copy_id21_to_sam_passwd("INFO_21", pwd, id21); /* * The funny part about the previous two calls is -- cgit From fff3f99b5ab53d489b0cccf1b14a2e0725272b5b Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 12 Feb 2008 03:15:03 +0100 Subject: Use pidl for _samr_EnumDomainGroups() and _samr_EnumDomainAliases(). Guenther (This used to be commit 327cdb05af80a884517e7baf97300da0a635a451) --- source3/rpc_server/srv_samr_nt.c | 147 ++++++++++++++++++++------------------- 1 file changed, 76 insertions(+), 71 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 6efea1a754..e458fce6de 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -991,26 +991,22 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, makes a SAM_ENTRY / UNISTR2* structure from a group list. ********************************************************************/ -static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, - UNISTR2 **uni_name_pp, - uint32 num_sam_entries, +static void make_group_sam_entry_list(TALLOC_CTX *ctx, + struct samr_SamEntry **sam_pp, + uint32_t num_sam_entries, struct samr_displayentry *entries) { - uint32 i; - SAM_ENTRY *sam; - UNISTR2 *uni_name; + struct samr_SamEntry *sam; + uint32_t i; *sam_pp = NULL; - *uni_name_pp = NULL; - if (num_sam_entries == 0) + if (num_sam_entries == 0) { return; + } - sam = TALLOC_ZERO_ARRAY(ctx, SAM_ENTRY, num_sam_entries); - uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_sam_entries); - - if (sam == NULL || uni_name == NULL) { - DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n")); + sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_sam_entries); + if (sam == NULL) { return; } 
@@ -1018,44 +1014,50 @@ static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, /* * JRA. I think this should include the null. TNG does not. */ - init_unistr2(&uni_name[i], entries[i].account_name, - UNI_STR_TERMINATE); - init_sam_entry(&sam[i], &uni_name[i], entries[i].rid); + init_lsa_String(&sam[i].name, entries[i].account_name); + sam[i].idx = entries[i].rid; } *sam_pp = sam; - *uni_name_pp = uni_name; } /******************************************************************* - samr_reply_enum_dom_groups + _samr_EnumDomainGroups ********************************************************************/ -NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_R_ENUM_DOM_GROUPS *r_u) +NTSTATUS _samr_EnumDomainGroups(pipes_struct *p, + struct samr_EnumDomainGroups *r) { + NTSTATUS status; struct samr_info *info = NULL; struct samr_displayentry *groups; uint32 num_groups; - - r_u->status = NT_STATUS_OK; + struct samr_SamArray *samr_array = NULL; + struct samr_SamEntry *samr_entries = NULL; /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - r_u->status = access_check_samr_function(info->acc_granted, - SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, - "_samr_enum_dom_groups"); - if (!NT_STATUS_IS_OK(r_u->status)) - return r_u->status; + status = access_check_samr_function(info->acc_granted, + SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, + "_samr_EnumDomainGroups"); + if (!NT_STATUS_IS_OK(status)) { + return status; + } - DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__)); + DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__)); if (info->builtin_domain) { /* No groups in builtin. 
*/ - init_samr_r_enum_dom_groups(r_u, q_u->start_idx, 0); - DEBUG(5,("_samr_enum_dom_users: No groups in BUILTIN\n")); - return r_u->status; + *r->out.resume_handle = *r->in.resume_handle; + DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n")); + return status; + } + + samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray); + if (!samr_array) { + return NT_STATUS_NO_MEMORY; } /* the domain group array is being allocated in the function below */ 
@@ -1071,46 +1073,64 @@ NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAM } } - num_groups = pdb_search_entries(info->disp_info->groups, q_u->start_idx, + num_groups = pdb_search_entries(info->disp_info->groups, + *r->in.resume_handle, MAX_SAM_ENTRIES, &groups); unbecome_root(); /* Ensure we cache this enumeration. */ set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); - make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, + make_group_sam_entry_list(p->mem_ctx, &samr_entries, num_groups, groups); - init_samr_r_enum_dom_groups(r_u, q_u->start_idx, num_groups); + samr_array->count = num_groups; + samr_array->entries = samr_entries; - DEBUG(5,("samr_enum_dom_groups: %d\n", __LINE__)); + *r->out.sam = samr_array; + *r->out.num_entries = num_groups; + /* this was missing, IMHO: + *r->out.resume_handle = num_groups + *r->in.resume_handle; + */ - return r_u->status; + DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__)); + + return status; } /******************************************************************* - samr_reply_enum_dom_aliases + _samr_EnumDomainAliases ********************************************************************/ -NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAMR_R_ENUM_DOM_ALIASES *r_u) +NTSTATUS _samr_EnumDomainAliases(pipes_struct *p, + struct samr_EnumDomainAliases *r) { + NTSTATUS status; struct samr_info *info; struct samr_displayentry *aliases; uint32 num_aliases = 0; + struct samr_SamArray *samr_array = NULL; + struct samr_SamEntry *samr_entries = NULL; /* find the policy handle. open a policy on it. 
*/ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - r_u->status = access_check_samr_function(info->acc_granted, - SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, - "_samr_enum_dom_aliases"); - if (!NT_STATUS_IS_OK(r_u->status)) - return r_u->status; + status = access_check_samr_function(info->acc_granted, + SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, + "_samr_EnumDomainAliases"); + if (!NT_STATUS_IS_OK(status)) { + return status; + } - DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", + DEBUG(5,("_samr_EnumDomainAliases: sid %s\n", sid_string_dbg(&info->sid))); + samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray); + if (!samr_array) { + return NT_STATUS_NO_MEMORY; + } + become_root(); if (info->disp_info->aliases == NULL) { @@ -1121,22 +1141,27 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S } } - num_aliases = pdb_search_entries(info->disp_info->aliases, q_u->start_idx, + num_aliases = pdb_search_entries(info->disp_info->aliases, + *r->in.resume_handle, MAX_SAM_ENTRIES, &aliases); unbecome_root(); /* Ensure we cache this enumeration. */ set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); - make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, + make_group_sam_entry_list(p->mem_ctx, &samr_entries, num_aliases, aliases); - init_samr_r_enum_dom_aliases(r_u, q_u->start_idx + num_aliases, - num_aliases); + DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__)); - DEBUG(5,("samr_enum_dom_aliases: %d\n", __LINE__)); + samr_array->count = num_aliases; + samr_array->entries = samr_entries; - return r_u->status; + *r->out.sam = samr_array; + *r->out.num_entries = num_aliases; + *r->out.resume_handle = num_aliases + *r->in.resume_handle; + + return status; } /******************************************************************* 
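Review bot: make_group_sam_entry_list() returns void and leaves `samr_entries` NULL when its allocation fails, yet _samr_EnumDomainGroups goes on to set `samr_array->count = num_groups` with `samr_array->entries = samr_entries` and returns success. A reply whose count is non-zero while entries is NULL is likely to fault or be rejected when it is marshalled, so check the result first: `if (num_groups > 0 && samr_entries == NULL) return NT_STATUS_NO_MEMORY;`. The _samr_EnumDomainAliases hunk that follows has the same gap with `num_aliases`, and the conversion also removed the DEBUG(0) message that used to record the allocation failure. Both function bodies start outside these hunks.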
@@ -5209,16 +5234,6 @@ NTSTATUS _samr_Shutdown(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_EnumDomainGroups(pipes_struct *p, - struct samr_EnumDomainGroups *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_CreateUser(pipes_struct *p, struct samr_CreateUser *r) { @@ -5239,16 +5254,6 @@ NTSTATUS _samr_EnumDomainUsers(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_EnumDomainAliases(pipes_struct *p, - struct samr_EnumDomainAliases *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p, struct samr_SetMemberAttributesOfGroup *r) { -- cgit From 8b02303c904b9a5e342094325448d28cbe9ed5b4 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 12 Feb 2008 03:33:41 +0100 Subject: Use pidl for _samr_EnumDomainUsers(). Guenther (This used to be commit 54e884add2c5c836e78dfdd247dd93d754b70178) --- source3/rpc_server/srv_samr_nt.c | 121 +++++++++++++++++++-------------------- 1 file changed, 59 insertions(+), 62 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e458fce6de..fb01357f67 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -841,32 +841,29 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p, makes a SAM_ENTRY / UNISTR2* structure from a user list. ********************************************************************/ -static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, - UNISTR2 **uni_name_pp, - uint32 num_entries, uint32 start_idx, +static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, + struct samr_SamEntry **sam_pp, + uint32_t num_entries, + uint32_t start_idx, struct samr_displayentry *entries) { - uint32 i; - SAM_ENTRY *sam; - UNISTR2 *uni_name; + uint32_t i; + struct samr_SamEntry *sam; *sam_pp = NULL; - *uni_name_pp = NULL; - if (num_entries == 0) + if (num_entries == 0) { return NT_STATUS_OK; + } - sam = TALLOC_ZERO_ARRAY(ctx, SAM_ENTRY, num_entries); - - uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_entries); - - if (sam == NULL || uni_name == NULL) { + sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_entries); + if (sam == NULL) { DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n")); return NT_STATUS_NO_MEMORY; } for (i = 0; i < num_entries; i++) { - UNISTR2 uni_temp_name; +#if 0 /* * usrmgr expects a non-NULL terminated string with * trust relationships 
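Review bot: The `#if 0` added inside the loop keeps the old usrmgr special case as dead code that refers to `uni_temp_name`, a variable this hunk removes, so it cannot be re-enabled as written. The disabled block continues into the next hunk, where `#endif` closes it. I would delete it and leave a one-line comment instead, for example `/* TODO: usrmgr expects unterminated names for trust accounts; not handled since the pidl conversion. */`. `start_idx` also appears to be unused after this change, which is worth confirming against the lines between the two hunks.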
@@ -878,50 +875,57 @@ static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, init_unistr2(&uni_temp_name, entries[i].account_name, UNI_STR_TERMINATE); } - - init_sam_entry(&sam[i], &uni_temp_name, entries[i].rid); - copy_unistr2(&uni_name[i], &uni_temp_name); +#endif + init_lsa_String(&sam[i].name, entries[i].account_name); + sam[i].idx = entries[i].rid; } *sam_pp = sam; - *uni_name_pp = uni_name; + return NT_STATUS_OK; } /******************************************************************* - samr_reply_enum_dom_users + _samr_EnumDomainUsers ********************************************************************/ -NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, - SAMR_R_ENUM_DOM_USERS *r_u) +NTSTATUS _samr_EnumDomainUsers(pipes_struct *p, + struct samr_EnumDomainUsers *r) { + NTSTATUS status; struct samr_info *info = NULL; int num_account; - uint32 enum_context=q_u->start_idx; + uint32 enum_context = *r->in.resume_handle; enum remote_arch_types ra_type = get_remote_arch(); int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K; uint32 max_entries = max_sam_entries; struct samr_displayentry *entries = NULL; - - r_u->status = NT_STATUS_OK; + struct samr_SamArray *samr_array = NULL; + struct samr_SamEntry *samr_entries = NULL; /* find the policy handle. open a policy on it. 
*/ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, - SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, - "_samr_enum_dom_users"))) { - return r_u->status; + status = access_check_samr_function(info->acc_granted, + SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, + "_samr_EnumDomainUsers"); + if (!NT_STATUS_IS_OK(status)) { + return status; } - DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); + DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__)); if (info->builtin_domain) { /* No users in builtin. */ - init_samr_r_enum_dom_users(r_u, q_u->start_idx, 0); - DEBUG(5,("_samr_enum_dom_users: No users in BUILTIN\n")); - return r_u->status; + *r->out.resume_handle = *r->in.resume_handle; + DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n")); + return status; + } + + samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray); + if (!samr_array) { + return NT_STATUS_NO_MEMORY; } become_root(); @@ -929,14 +933,14 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, /* AS ROOT !!!! */ if ((info->disp_info->enum_users != NULL) && - (info->disp_info->enum_acb_mask != q_u->acb_mask)) { + (info->disp_info->enum_acb_mask != r->in.acct_flags)) { pdb_search_destroy(info->disp_info->enum_users); info->disp_info->enum_users = NULL; } if (info->disp_info->enum_users == NULL) { - info->disp_info->enum_users = pdb_search_users(q_u->acb_mask); - info->disp_info->enum_acb_mask = q_u->acb_mask; + info->disp_info->enum_users = pdb_search_users(r->in.acct_flags); + info->disp_info->enum_acb_mask = r->in.acct_flags; } if (info->disp_info->enum_users == NULL) { 
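Review bot: The BUILTIN early return writes only `*r->out.resume_handle` and leaves `*r->out.sam` and `*r->out.num_entries` untouched, and the `num_account == 0` return in the `@@ -954` hunk does the same. Whether the client then sees an empty result depends on the generated stub zero-initialising the out parameters, which is not visible here. Setting `*r->out.num_entries = 0;` on both paths makes the empty result explicit. `_samr_EnumDomainUsers` continues past the end of this hunk.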
@@ -954,37 +958,40 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, unbecome_root(); if (num_account == 0) { - DEBUG(5, ("_samr_enum_dom_users: enumeration handle over " + DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over " "total entries\n")); - init_samr_r_enum_dom_users(r_u, q_u->start_idx, 0); + *r->out.resume_handle = *r->in.resume_handle; return NT_STATUS_OK; } - r_u->status = make_user_sam_entry_list(p->mem_ctx, &r_u->sam, - &r_u->uni_acct_name, - num_account, enum_context, - entries); - - if (!NT_STATUS_IS_OK(r_u->status)) - return r_u->status; + status = make_user_sam_entry_list(p->mem_ctx, &samr_entries, + num_account, enum_context, + entries); + if (!NT_STATUS_IS_OK(status)) { + return status; + } if (max_entries <= num_account) { - r_u->status = STATUS_MORE_ENTRIES; + status = STATUS_MORE_ENTRIES; } else { - r_u->status = NT_STATUS_OK; + status = NT_STATUS_OK; } /* Ensure we cache this enumeration. */ set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); - DEBUG(5, ("_samr_enum_dom_users: %d\n", __LINE__)); + DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__)); + + samr_array->count = num_account; + samr_array->entries = samr_entries; - init_samr_r_enum_dom_users(r_u, q_u->start_idx + num_account, - num_account); + *r->out.resume_handle = *r->in.resume_handle + num_account; + *r->out.sam = samr_array; + *r->out.num_entries = num_account; - DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__)); + DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__)); - return r_u->status; + return status; } /******************************************************************* 
@@ -5244,16 +5251,6 @@ NTSTATUS _samr_CreateUser(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_EnumDomainUsers(pipes_struct *p, - struct samr_EnumDomainUsers *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p, struct samr_SetMemberAttributesOfGroup *r) { -- cgit From 50019747fc44e0181309e36ee260fbf67ac3ce08 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 12 Feb 2008 10:07:50 +0100 Subject: Cosmetics: remove new whitespace, sorry. Guenther (This used to be commit d82b66b96958bb0696ad316326bb2f1ac4102801) --- source3/rpc_server/srv_samr_nt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index fb01357f67..e493496720 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -907,11 +907,11 @@ NTSTATUS _samr_EnumDomainUsers(pipes_struct *p, if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(info->acc_granted, + status = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_EnumDomainUsers"); if (!NT_STATUS_IS_OK(status)) { - return status; + return status; } DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__)); -- cgit From 6aa84ad8c5a535fc45cc9014fdc36867b6c76be9 Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Tue, 12 Feb 2008 12:16:02 +0100 Subject: Move some samr init functions around (to allow easier identification of new calls). Guenther (This used to be commit c51c126049bd251a04dfae7ca6c3d0d3f823a503) --- source3/rpc_server/srv_samr_nt.c | 237 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 222 insertions(+), 15 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e493496720..e87d43dec4 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1171,6 +1171,213 @@ NTSTATUS _samr_EnumDomainAliases(pipes_struct *p, return status; } +/******************************************************************* + inits a structure. +********************************************************************/ + +static void init_lsa_AsciiString(struct lsa_AsciiString *name, const char *s) +{ + name->string = s; +} + +/******************************************************************* + inits a samr_DispInfoGeneral structure. +********************************************************************/ + +static NTSTATUS init_samr_dispinfo_1(TALLOC_CTX *ctx, + struct samr_DispInfoGeneral *r, + uint32_t num_entries, + uint32_t start_idx, + struct samr_displayentry *entries) +{ + uint32 i; + + DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries)); + + if (num_entries == 0) { + return NT_STATUS_OK; + } + + r->count = num_entries; + + r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryGeneral, num_entries); + if (!r->entries) { + return NT_STATUS_NO_MEMORY; + } + + for (i = 0; i < num_entries ; i++) { + + init_lsa_String(&r->entries[i].account_name, + entries[i].account_name); + + init_lsa_String(&r->entries[i].description, + entries[i].description); + + init_lsa_String(&r->entries[i].full_name, + entries[i].fullname); + + r->entries[i].rid = entries[i].rid; + r->entries[i].acct_flags = entries[i].acct_flags; + r->entries[i].idx = start_idx+i+1; + } + + return NT_STATUS_OK; +} + +/******************************************************************* + inits a samr_DispInfoFull structure. 
+********************************************************************/ + +static NTSTATUS init_samr_dispinfo_2(TALLOC_CTX *ctx, + struct samr_DispInfoFull *r, + uint32_t num_entries, + uint32_t start_idx, + struct samr_displayentry *entries) +{ + uint32_t i; + + DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries)); + + if (num_entries == 0) { + return NT_STATUS_OK; + } + + r->count = num_entries; + + r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFull, num_entries); + if (!r->entries) { + return NT_STATUS_NO_MEMORY; + } + + for (i = 0; i < num_entries ; i++) { + + init_lsa_String(&r->entries[i].account_name, + entries[i].account_name); + + init_lsa_String(&r->entries[i].description, + entries[i].description); + + r->entries[i].rid = entries[i].rid; + r->entries[i].acct_flags = entries[i].acct_flags; + r->entries[i].idx = start_idx+i+1; + } + + return NT_STATUS_OK; +} + +/******************************************************************* + inits a samr_DispInfoFullGroups structure. 
+********************************************************************/ + +static NTSTATUS init_samr_dispinfo_3(TALLOC_CTX *ctx, + struct samr_DispInfoFullGroups *r, + uint32_t num_entries, + uint32_t start_idx, + struct samr_displayentry *entries) +{ + uint32_t i; + + DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries)); + + if (num_entries == 0) { + return NT_STATUS_OK; + } + + r->count = num_entries; + + r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFullGroup, num_entries); + if (!r->entries) { + return NT_STATUS_NO_MEMORY; + } + + for (i = 0; i < num_entries ; i++) { + + init_lsa_String(&r->entries[i].account_name, + entries[i].account_name); + + init_lsa_String(&r->entries[i].description, + entries[i].description); + + r->entries[i].rid = entries[i].rid; + r->entries[i].acct_flags = entries[i].acct_flags; + r->entries[i].idx = start_idx+i+1; + } + + return NT_STATUS_OK; +} + +/******************************************************************* + inits a samr_DispInfoAscii structure. +********************************************************************/ + +static NTSTATUS init_samr_dispinfo_4(TALLOC_CTX *ctx, + struct samr_DispInfoAscii *r, + uint32_t num_entries, + uint32_t start_idx, + struct samr_displayentry *entries) +{ + uint32_t i; + + DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries)); + + if (num_entries == 0) { + return NT_STATUS_OK; + } + + r->count = num_entries; + + r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries); + if (!r->entries) { + return NT_STATUS_NO_MEMORY; + } + + for (i = 0; i < num_entries ; i++) { + + init_lsa_AsciiString(&r->entries[i].account_name, + entries[i].account_name); + + r->entries[i].idx = start_idx+i+1; + } + + return NT_STATUS_OK; +} + +/******************************************************************* + inits a samr_DispInfoAscii structure. 
+********************************************************************/ + +static NTSTATUS init_samr_dispinfo_5(TALLOC_CTX *ctx, + struct samr_DispInfoAscii *r, + uint32_t num_entries, + uint32_t start_idx, + struct samr_displayentry *entries) +{ + uint32_t i; + + DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries)); + + if (num_entries == 0) { + return NT_STATUS_OK; + } + + r->count = num_entries; + + r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries); + if (!r->entries) { + return NT_STATUS_NO_MEMORY; + } + + for (i = 0; i < num_entries ; i++) { + + init_lsa_AsciiString(&r->entries[i].account_name, + entries[i].account_name); + + r->entries[i].idx = start_idx+i+1; + } + + return NT_STATUS_OK; +} + /******************************************************************* _samr_QueryDisplayInfo ********************************************************************/ 
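Review bot: `init_lsa_AsciiString()` stores the caller's pointer (`name->string = s;`) rather than a copy, so every `samr_DispEntryAscii` built by `init_samr_dispinfo_4` and `init_samr_dispinfo_5` borrows `entries[i].account_name`; the `init_lsa_String()` calls in `_1` to `_3` presumably behave the same, though that helper is defined elsewhere. The ownership rule is undocumented: the strings must outlive the marshalling of the reply, and `ctx` does not own them. I would add above the helper `/* Borrows s; the caller must keep it valid until the reply is marshalled. */`. Separately, `init_samr_dispinfo_4` and `init_samr_dispinfo_5` are identical apart from the debug text, so one could call the other.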
@@ -1327,29 +1534,29 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p, /* Now create reply structure */ switch (r->in.level) { case 0x1: - disp_ret = init_sam_dispinfo_1(p->mem_ctx, &disp_info->info1, - num_account, enum_context, - entries); + disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1, + num_account, enum_context, + entries); break; case 0x2: - disp_ret = init_sam_dispinfo_2(p->mem_ctx, &disp_info->info2, - num_account, enum_context, - entries); + disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2, + num_account, enum_context, + entries); break; case 0x3: - disp_ret = init_sam_dispinfo_3(p->mem_ctx, &disp_info->info3, - num_account, enum_context, - entries); + disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3, + num_account, enum_context, + entries); break; case 0x4: - disp_ret = init_sam_dispinfo_4(p->mem_ctx, &disp_info->info4, - num_account, enum_context, - entries); + disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4, + num_account, enum_context, + entries); break; case 0x5: - disp_ret = init_sam_dispinfo_5(p->mem_ctx, &disp_info->info5, - num_account, enum_context, - entries); + disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5, + num_account, enum_context, + entries); break; default: smb_panic("info class changed"); -- cgit From 4867e1ff93cae13b6d03bf0a0526c5655100a098 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 12 Feb 2008 02:10:40 +0100 Subject: Merge _samr_SetUserInfo and _samr_SetUserInfo2 into one call. Guenther (This used to be commit 8ee7dfad2e3a40e378398ea20158d3c7e7168cba) --- source3/rpc_server/srv_samr_nt.c | 287 +++++++++++++++------------------------ 1 file changed, 107 insertions(+), 180 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e87d43dec4..412aa9df91 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -3792,30 +3792,33 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx, } /******************************************************************* - _samr_SetUserInfo + samr_SetUserInfo_internal ********************************************************************/ -NTSTATUS _samr_SetUserInfo(pipes_struct *p, - struct samr_SetUserInfo *r) +static NTSTATUS samr_SetUserInfo_internal(const char *fn_name, + pipes_struct *p, + struct policy_handle *user_handle, + uint16_t level, + union samr_UserInfo *info) { NTSTATUS status; struct samu *pwd = NULL; DOM_SID sid; - POLICY_HND *pol = r->in.user_handle; - uint16 switch_value = r->in.level; - union samr_UserInfo *info = r->in.info; - uint32 acc_granted; - uint32 acc_required; + POLICY_HND *pol = user_handle; + uint16_t switch_value = level; + uint32_t acc_granted; + uint32_t acc_required; bool ret; bool has_enough_rights = False; - uint32 acb_info; + uint32_t acb_info; DISP_INFO *disp_info = NULL; - DEBUG(5, ("_samr_SetUserInfo: %d\n", __LINE__)); + DEBUG(5,("%s: %d\n", fn_name, __LINE__)); /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) + if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) { return NT_STATUS_INVALID_HANDLE; + } /* This is tricky. A WinXP domain join sets (SA_RIGHT_USER_SET_PASSWORD|SA_RIGHT_USER_SET_ATTRIBUTES|SA_RIGHT_USER_ACCT_FLAGS_EXPIRY) 
@@ -3832,26 +3835,28 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, acc_required = SA_RIGHT_USER_SET_PASSWORD; break; default: - acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY; + acc_required = SA_RIGHT_USER_SET_PASSWORD | + SA_RIGHT_USER_SET_ATTRIBUTES | + SA_RIGHT_USER_ACCT_FLAGS_EXPIRY; break; } status = access_check_samr_function(acc_granted, acc_required, - "_samr_SetUserInfo"); + fn_name); if (!NT_STATUS_IS_OK(status)) { return status; } - DEBUG(5, ("_samr_SetUserInfo: sid:%s, level:%d\n", - sid_string_dbg(&sid), switch_value)); + DEBUG(5, ("%s: sid:%s, level:%d\n", + fn_name, sid_string_dbg(&sid), switch_value)); if (info == NULL) { - DEBUG(5, ("_samr_SetUserInfo: NULL info level\n")); + DEBUG(5, ("%s: NULL info level\n", fn_name)); return NT_STATUS_INVALID_INFO_CLASS; } - if ( !(pwd = samu_new( NULL )) ) { + if (!(pwd = samu_new(NULL))) { return NT_STATUS_NO_MEMORY; } @@ -3859,7 +3864,7 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, ret = pdb_getsampwsid(pwd, &sid); unbecome_root(); - if ( !ret ) { + if (!ret) { TALLOC_FREE(pwd); return NT_STATUS_NO_SUCH_USER; } 
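Review bot: Nothing in the code records that the access mask computed in this switch now also governs `_samr_SetUserInfo2`, whose body removed by the `@@ -3974` hunk required only `SA_RIGHT_USER_SET_ATTRIBUTES`. After the merge the `default` branch demands all three rights for that call as well, and the password-only branch demands `SA_RIGHT_USER_SET_PASSWORD`, which is a change to an authorization check that the commit message does not mention. The case labels are outside this hunk, so which levels fall into which branch cannot be confirmed here. A comment above the switch such as `/* Shared by SetUserInfo and SetUserInfo2; SetUserInfo2 used to require SA_RIGHT_USER_SET_ATTRIBUTES only. */` would make the change deliberate and reviewable.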
@@ -3868,30 +3873,74 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, /* check to see if we have the sufficient rights */ acb_info = pdb_get_acct_ctrl(pwd); - if ( acb_info & ACB_WSTRUST ) - has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account); - else if ( acb_info & ACB_NORMAL ) - has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); - else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) ) { - if ( lp_enable_privileges() ) - has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); + if (acb_info & ACB_WSTRUST) + has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token, + &se_machine_account); + else if (acb_info & ACB_NORMAL) + has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token, + &se_add_users); + else if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) { + if (lp_enable_privileges()) { + has_enough_rights = nt_token_check_domain_rid(p->pipe_user.nt_user_token, + DOMAIN_GROUP_RID_ADMINS); + } } - DEBUG(5, ("_samr_SetUserInfo: %s does%s possess sufficient rights\n", + DEBUG(5, ("%s: %s does%s possess sufficient rights\n", + fn_name, uidtoname(p->pipe_user.ut.uid), has_enough_rights ? "" : " not")); /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */ - if ( has_enough_rights ) + if (has_enough_rights) { become_root(); + } /* ok! user info levels (lots: see MSDEV help), off we go... */ switch (switch_value) { + + case 7: + status = set_user_info_7(p->mem_ctx, + &info->info7, pwd); + break; + + case 16: + if (!set_user_info_16(&info->info16, pwd)) { + status = NT_STATUS_ACCESS_DENIED; + } + break; + case 18: - if (!set_user_info_18(&info->info18, pwd)) + /* Used by AS/U JRA. 
*/ + if (!set_user_info_18(&info->info18, pwd)) { status = NT_STATUS_ACCESS_DENIED; + } + break; + + case 20: + if (!set_user_info_20(&info->info20, pwd)) { + status = NT_STATUS_ACCESS_DENIED; + } + break; + + case 21: + status = set_user_info_21(p->mem_ctx, + &info->info21, pwd); + break; + + case 23: + if (!p->session_key.length) { + status = NT_STATUS_NO_USER_SESSION_KEY; + } + SamOEMhashBlob(info->info23.password.data, 516, + &p->session_key); + + dump_data(100, info->info23.password.data, 516); + + status = set_user_info_23(p->mem_ctx, + &info->info23, pwd); break; case 24: @@ -3904,15 +3953,17 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, dump_data(100, info->info24.password.data, 516); - if (!set_user_info_pw(info->info24.password.data, pwd)) + if (!set_user_info_pw(info->info24.password.data, pwd)) { status = NT_STATUS_ACCESS_DENIED; + } break; case 25: if (!p->session_key.length) { status = NT_STATUS_NO_USER_SESSION_KEY; } - encode_or_decode_arc4_passwd_buffer(info->info25.password.data, &p->session_key); + encode_or_decode_arc4_passwd_buffer(info->info25.password.data, + &p->session_key); dump_data(100, info->info25.password.data, 532); 
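Review bot: In the added `case 23`, a missing session key only sets `status = NT_STATUS_NO_USER_SESSION_KEY`; execution then continues into `SamOEMhashBlob()` with the empty key, and `set_user_info_23()` overwrites `status`, so the check has no effect. Levels 25 and 26 in this and the following hunks have the same shape: the buffer is decoded and passed on after the check. Leaving the switch inside the check fixes it: `if (!p->session_key.length) { status = NT_STATUS_NO_USER_SESSION_KEY; break; }`. The `dump_data(100, ...password.data, 516)` calls also write the decoded password buffer to the debug log, which is worth dropping or documenting as deliberate.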
@@ -3921,32 +3972,23 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, if (!NT_STATUS_IS_OK(status)) { goto done; } - if (!set_user_info_pw(info->info25.password.data, pwd)) + if (!set_user_info_pw(info->info25.password.data, pwd)) { status = NT_STATUS_ACCESS_DENIED; + } break; case 26: if (!p->session_key.length) { status = NT_STATUS_NO_USER_SESSION_KEY; } - encode_or_decode_arc4_passwd_buffer(info->info26.password.data, &p->session_key); + encode_or_decode_arc4_passwd_buffer(info->info26.password.data, + &p->session_key); dump_data(100, info->info26.password.data, 516); - if (!set_user_info_pw(info->info26.password.data, pwd)) + if (!set_user_info_pw(info->info26.password.data, pwd)) { status = NT_STATUS_ACCESS_DENIED; - break; - - case 23: - if (!p->session_key.length) { - status = NT_STATUS_NO_USER_SESSION_KEY; } - SamOEMhashBlob(info->info23.password.data, 516, &p->session_key); - - dump_data(100, info->info23.password.data, 516); - - status = set_user_info_23(p->mem_ctx, - &info->info23, pwd); break; default: @@ -3955,8 +3997,9 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, done: - if ( has_enough_rights ) + if (has_enough_rights) { unbecome_root(); + } /* ================ END SeMachineAccountPrivilege BLOCK ================ */ @@ -3967,6 +4010,20 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, return status; } +/******************************************************************* + _samr_SetUserInfo + ********************************************************************/ + +NTSTATUS _samr_SetUserInfo(pipes_struct *p, + struct samr_SetUserInfo *r) +{ + return samr_SetUserInfo_internal("_samr_SetUserInfo", + p, + r->in.user_handle, + r->in.level, + r->in.info); +} + /******************************************************************* _samr_SetUserInfo2 ********************************************************************/ 
@@ -3974,141 +4031,11 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p, NTSTATUS _samr_SetUserInfo2(pipes_struct *p, struct samr_SetUserInfo2 *r) { - NTSTATUS status; - struct samu *pwd = NULL; - DOM_SID sid; - union samr_UserInfo *info = r->in.info; - POLICY_HND *pol = r->in.user_handle; - uint16 switch_value = r->in.level; - uint32 acc_granted; - uint32 acc_required; - bool ret; - bool has_enough_rights = False; - uint32 acb_info; - DISP_INFO *disp_info = NULL; - - DEBUG(5, ("_samr_SetUserInfo2: %d\n", __LINE__)); - - /* find the policy handle. open a policy on it. */ - if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) - return NT_STATUS_INVALID_HANDLE; - - -#if 0 /* this really should be applied on a per info level basis --jerry */ - - /* observed when joining XP client to Samba domain */ - acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY; -#else - acc_required = SA_RIGHT_USER_SET_ATTRIBUTES; -#endif - - status = access_check_samr_function(acc_granted, - acc_required, - "_samr_SetUserInfo2"); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - DEBUG(5,("_samr_SetUserInfo2: sid:%s\n", - sid_string_dbg(&sid))); - - if (info == NULL) { - DEBUG(5,("_samr_SetUserInfo2: NULL info level\n")); - return NT_STATUS_INVALID_INFO_CLASS; - } - - if ( !(pwd = samu_new( NULL )) ) { - return NT_STATUS_NO_MEMORY; - } - - become_root(); - ret = pdb_getsampwsid(pwd, &sid); - unbecome_root(); - - if ( !ret ) { - TALLOC_FREE(pwd); - return NT_STATUS_NO_SUCH_USER; - } - - acb_info = pdb_get_acct_ctrl(pwd); - if ( acb_info & ACB_WSTRUST ) - has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account); - else if ( acb_info & ACB_NORMAL ) - has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users ); - else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) ) { - if ( lp_enable_privileges() ) - has_enough_rights = nt_token_check_domain_rid( 
p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); - } - - DEBUG(5, ("_samr_SetUserInfo2: %s does%s possess sufficient rights\n", - uidtoname(p->pipe_user.ut.uid), - has_enough_rights ? "" : " not")); - - /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */ - - if ( has_enough_rights ) - become_root(); - - /* ok! user info levels (lots: see MSDEV help), off we go... */ - - switch (switch_value) { - case 7: - status = set_user_info_7(p->mem_ctx, - &info->info7, pwd); - break; - case 16: - if (!set_user_info_16(&info->info16, pwd)) - status = NT_STATUS_ACCESS_DENIED; - break; - case 18: - /* Used by AS/U JRA. */ - if (!set_user_info_18(&info->info18, pwd)) - status = NT_STATUS_ACCESS_DENIED; - break; - case 20: - if (!set_user_info_20(&info->info20, pwd)) - status = NT_STATUS_ACCESS_DENIED; - break; - case 21: - status = set_user_info_21(p->mem_ctx, - &info->info21, pwd); - break; - case 23: - if (!p->session_key.length) { - status = NT_STATUS_NO_USER_SESSION_KEY; - } - SamOEMhashBlob(info->info23.password.data, 516, &p->session_key); - - dump_data(100, info->info23.password.data, 516); - - status = set_user_info_23(p->mem_ctx, - &info->info23, pwd); - break; - case 26: - if (!p->session_key.length) { - status = NT_STATUS_NO_USER_SESSION_KEY; - } - encode_or_decode_arc4_passwd_buffer(info->info26.password.data, &p->session_key); - - dump_data(100, info->info26.password.data, 516); - - if (!set_user_info_pw(info->info26.password.data, pwd)) - status = NT_STATUS_ACCESS_DENIED; - break; - default: - status = NT_STATUS_INVALID_INFO_CLASS; - } - - if ( has_enough_rights ) - unbecome_root(); - - /* ================ END SeMachineAccountPrivilege BLOCK ================ */ - - if (NT_STATUS_IS_OK(status)) { - force_flush_samr_cache(disp_info); - } - - return status; + return samr_SetUserInfo_internal("_samr_SetUserInfo2", + p, + r->in.user_handle, + r->in.level, + r->in.info); } 
/********************************************************************* -- cgit From 4974200f308229f8d7d1637ef9a33bcd921e138f Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 12 Feb 2008 12:58:47 +0100 Subject: Use pidl for _samr_QueryUserInfo. Guenther (This used to be commit 53dc913b2d01aeea2a7490c5ef1292e6c6eff5e7) --- source3/rpc_server/srv_samr_nt.c | 341 ++++++++++++++++++++++++++++----------- 1 file changed, 247 insertions(+), 94 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 412aa9df91..ac10754493 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2129,10 +2129,15 @@ NTSTATUS _samr_OpenUser(pipes_struct *p, get_user_info_7. Safe. Only gives out account_name. *************************************************************************/ -static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_SID *user_sid) +static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, + struct samr_UserInfo7 *r, + DOM_SID *user_sid) { struct samu *smbpass=NULL; bool ret; + const char *account_name = NULL; + + ZERO_STRUCTP(r); if ( !(smbpass = samu_new( mem_ctx )) ) { return NT_STATUS_NO_MEMORY; @@ -2147,12 +2152,16 @@ static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_S return NT_STATUS_NO_SUCH_USER; } - DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) )); + account_name = talloc_strdup(mem_ctx, pdb_get_username(smbpass)); + if (!account_name) { + TALLOC_FREE(smbpass); + return NT_STATUS_NO_MEMORY; + } + TALLOC_FREE(smbpass); - ZERO_STRUCTP(id7); - init_sam_user_info7(id7, pdb_get_username(smbpass) ); + DEBUG(3,("User:[%s]\n", account_name)); - TALLOC_FREE(smbpass); + init_samr_user_info7(r, account_name); return NT_STATUS_OK; } 
@@ -2160,11 +2169,16 @@ static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_S /************************************************************************* get_user_info_9. Only gives out primary group SID. *************************************************************************/ -static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, SAM_USER_INFO_9 * id9, DOM_SID *user_sid) + +static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, + struct samr_UserInfo9 *r, + DOM_SID *user_sid) { struct samu *smbpass=NULL; bool ret; + ZERO_STRUCTP(r); + if ( !(smbpass = samu_new( mem_ctx )) ) { return NT_STATUS_NO_MEMORY; } @@ -2175,13 +2189,13 @@ static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, SAM_USER_INFO_9 * id9, DOM_ if (ret==False) { DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); + TALLOC_FREE(smbpass); return NT_STATUS_NO_SUCH_USER; } DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) )); - ZERO_STRUCTP(id9); - init_sam_user_info9(id9, pdb_get_group_rid(smbpass) ); + init_samr_user_info9(r, pdb_get_group_rid(smbpass)); TALLOC_FREE(smbpass); @@ -2192,11 +2206,15 @@ static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx, SAM_USER_INFO_9 * id9, DOM_ get_user_info_16. Safe. Only gives out acb bits. *************************************************************************/ -static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, SAM_USER_INFO_16 *id16, DOM_SID *user_sid) +static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, + struct samr_UserInfo16 *r, + DOM_SID *user_sid) { struct samu *smbpass=NULL; bool ret; + ZERO_STRUCTP(r); + if ( !(smbpass = samu_new( mem_ctx )) ) { return NT_STATUS_NO_MEMORY; } 
@@ -2207,13 +2225,13 @@ static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, SAM_USER_INFO_16 *id16, DO if (ret==False) { DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); + TALLOC_FREE(smbpass); return NT_STATUS_NO_SUCH_USER; } DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) )); - ZERO_STRUCTP(id16); - init_sam_user_info16(id16, pdb_get_acct_ctrl(smbpass) ); + init_samr_user_info16(r, pdb_get_acct_ctrl(smbpass)); TALLOC_FREE(smbpass); @@ -2226,11 +2244,16 @@ static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, SAM_USER_INFO_16 *id16, DO user. JRA. *************************************************************************/ -static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_INFO_18 * id18, DOM_SID *user_sid) +static NTSTATUS get_user_info_18(pipes_struct *p, + TALLOC_CTX *mem_ctx, + struct samr_UserInfo18 *r, + DOM_SID *user_sid) { struct samu *smbpass=NULL; bool ret; + ZERO_STRUCTP(r); + if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) { return NT_STATUS_ACCESS_DENIED; } @@ -2262,8 +2285,8 @@ static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_ return NT_STATUS_ACCOUNT_DISABLED; } - ZERO_STRUCTP(id18); - init_sam_user_info18(id18, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass)); + init_samr_user_info18(r, pdb_get_lanman_passwd(smbpass), + pdb_get_nt_passwd(smbpass)); TALLOC_FREE(smbpass); 
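Review bot: The authentication guard kept as context in get_user_info_18, `if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP)`, is true for every value of auth_type, so the function always returns NT_STATUS_ACCESS_DENIED. The new `init_samr_user_info18()` call in the following hunk is therefore never reached. That fails closed, which is the safe direction for a level that hands out the LM and NT hashes, but it leaves the converted path as untested dead code. If the level is meant to work, the test needs `&&`; because that would start releasing hashes, it deserves its own commit and a comment naming the pipe authentication types that are accepted. The function body continues outside this hunk.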
@@ -2274,10 +2297,17 @@ static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_ get_user_info_20 *************************************************************************/ -static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DOM_SID *user_sid) +static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, + struct samr_UserInfo20 *r, + DOM_SID *user_sid) { struct samu *sampass=NULL; bool ret; + const char *munged_dial = NULL; + const char *munged_dial_decoded = NULL; + DATA_BLOB blob; + + ZERO_STRUCTP(r); if ( !(sampass = samu_new( mem_ctx )) ) { return NT_STATUS_NO_MEMORY; 
@@ -2289,72 +2319,219 @@ static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DO if (ret == False) { DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); + TALLOC_FREE(sampass); return NT_STATUS_NO_SUCH_USER; } + munged_dial = pdb_get_munged_dial(sampass); + samr_clear_sam_passwd(sampass); DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) )); - ZERO_STRUCTP(id20); - init_sam_user_info20A(id20, sampass); + if (munged_dial) { + blob = base64_decode_data_blob(munged_dial); + munged_dial_decoded = talloc_strndup(mem_ctx, + (const char *)blob.data, + blob.length); + data_blob_free(&blob); + if (!munged_dial_decoded) { + TALLOC_FREE(sampass); + return NT_STATUS_NO_MEMORY; + } + } + +#if 0 + init_unistr2_from_datablob(&usr->uni_munged_dial, &blob); + init_uni_hdr(&usr->hdr_munged_dial, &usr->uni_munged_dial); + data_blob_free(&blob); +#endif + init_samr_user_info20(r, munged_dial_decoded); TALLOC_FREE(sampass); return NT_STATUS_OK; } + /************************************************************************* get_user_info_21 *************************************************************************/ -static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21, - DOM_SID *user_sid, DOM_SID *domain_sid) +static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, + struct samr_UserInfo21 *r, + DOM_SID *user_sid, + DOM_SID *domain_sid) { - struct samu *sampass=NULL; + struct samu *pw = NULL; bool ret; - NTSTATUS nt_status; - - if ( !(sampass = samu_new( mem_ctx )) ) { + const DOM_SID *sid_user, *sid_group; + uint32_t rid, primary_gid; + NTTIME last_logon, last_logoff, last_password_change, + acct_expiry, allow_password_change, force_password_change; + time_t must_change_time; + uint8_t password_expired; + const char *account_name, *full_name, *home_directory, *home_drive, + *logon_script, *profile_path, *description, + *workstations, *comment, *parameters; + struct samr_LogonHours logon_hours; + const char *munged_dial = NULL; + 
DATA_BLOB blob; + + ZERO_STRUCTP(r); + + if (!(pw = samu_new(mem_ctx))) { return NT_STATUS_NO_MEMORY; } become_root(); - ret = pdb_getsampwsid(sampass, user_sid); + ret = pdb_getsampwsid(pw, user_sid); unbecome_root(); if (ret == False) { DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid))); + TALLOC_FREE(pw); return NT_STATUS_NO_SUCH_USER; } - samr_clear_sam_passwd(sampass); + samr_clear_sam_passwd(pw); - DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) )); + DEBUG(3,("User:[%s]\n", pdb_get_username(pw))); - ZERO_STRUCTP(id21); - nt_status = init_sam_user_info21A(id21, sampass, domain_sid); + sid_user = pdb_get_user_sid(pw); - TALLOC_FREE(sampass); + if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) { + DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with " + "the domain sid %s. Failing operation.\n", + pdb_get_username(pw), sid_string_dbg(sid_user), + sid_string_dbg(domain_sid))); + TALLOC_FREE(pw); + return NT_STATUS_UNSUCCESSFUL; + } - return nt_status; + become_root(); + sid_group = pdb_get_group_sid(pw); + unbecome_root(); + + if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) { + DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n" + "which conflicts with the domain sid %s. 
Failing operation.\n", + pdb_get_username(pw), sid_string_dbg(sid_group), + sid_string_dbg(domain_sid))); + TALLOC_FREE(pw); + return NT_STATUS_UNSUCCESSFUL; + } + + unix_to_nt_time(&last_logon, pdb_get_logon_time(pw)); + unix_to_nt_time(&last_logoff, pdb_get_logoff_time(pw)); + unix_to_nt_time(&acct_expiry, pdb_get_kickoff_time(pw)); + unix_to_nt_time(&last_password_change, pdb_get_pass_last_set_time(pw)); + unix_to_nt_time(&allow_password_change, pdb_get_pass_can_change_time(pw)); + + must_change_time = pdb_get_pass_must_change_time(pw); + if (must_change_time == get_time_t_max()) { + unix_to_nt_time_abs(&force_password_change, must_change_time); + } else { + unix_to_nt_time(&force_password_change, must_change_time); + } + + if (pdb_get_pass_must_change_time(pw) == 0) { + password_expired = PASS_MUST_CHANGE_AT_NEXT_LOGON; + } else { + password_expired = 0; + } + + munged_dial = pdb_get_munged_dial(pw); + if (munged_dial) { + blob = base64_decode_data_blob(munged_dial); + parameters = talloc_strndup(mem_ctx, (const char *)blob.data, blob.length); + data_blob_free(&blob); + if (!parameters) { + TALLOC_FREE(pw); + return NT_STATUS_NO_MEMORY; + } + } + + + account_name = talloc_strdup(mem_ctx, pdb_get_username(pw)); + full_name = talloc_strdup(mem_ctx, pdb_get_fullname(pw)); + home_directory = talloc_strdup(mem_ctx, pdb_get_homedir(pw)); + home_drive = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw)); + logon_script = talloc_strdup(mem_ctx, pdb_get_logon_script(pw)); + profile_path = talloc_strdup(mem_ctx, pdb_get_profile_path(pw)); + description = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw)); + workstations = talloc_strdup(mem_ctx, pdb_get_workstations(pw)); + comment = talloc_strdup(mem_ctx, pdb_get_comment(pw)); + + logon_hours = get_logon_hours_from_pdb(mem_ctx, pw); +#if 0 + + /* + Look at a user on a real NT4 PDC with usrmgr, press + 'ok'. Then you will see that fields_present is set to + 0x08f827fa. 
Look at the user immediately after that again, + and you will see that 0x00fffff is returned. This solves + the problem that you get access denied after having looked + at the user. + -- Volker + */ + +#if 0 + init_unistr2_from_datablob(&usr->uni_munged_dial, &munged_dial_blob); + init_uni_hdr(&usr->hdr_munged_dial, &usr->uni_munged_dial); + data_blob_free(&munged_dial_blob); +#endif +#endif + + init_samr_user_info21(r, + last_logon, + last_logoff, + last_password_change, + acct_expiry, + allow_password_change, + force_password_change, + account_name, + full_name, + home_directory, + home_drive, + logon_script, + profile_path, + description, + workstations, + comment, + parameters, + rid, + primary_gid, + pdb_get_acct_ctrl(pw), + pdb_build_fields_present(pw), + logon_hours, + pdb_get_bad_password_count(pw), + pdb_get_logon_count(pw), + 0, //country_code, + 0, //code_page, + 0, //nt_password_set, + 0, //lm_password_set, + password_expired); + TALLOC_FREE(pw); + + return NT_STATUS_OK; } /******************************************************************* - _samr_query_userinfo + _samr_QueryUserInfo ********************************************************************/ -NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_QUERY_USERINFO *r_u) +NTSTATUS _samr_QueryUserInfo(pipes_struct *p, + struct samr_QueryUserInfo *r) { - SAM_USERINFO_CTR *ctr; + NTSTATUS status; + union samr_UserInfo *user_info = NULL; struct samr_info *info = NULL; DOM_SID domain_sid; uint32 rid; - r_u->status=NT_STATUS_OK; - /* search for the handle */ - if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) return NT_STATUS_INVALID_HANDLE; domain_sid = info->sid; 
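Review bot: In get_user_info_21 the nine `talloc_strdup()` results (account_name through comment) are passed to `init_samr_user_info21()` without a NULL check, although the `parameters` allocation just above them returns NT_STATUS_NO_MEMORY on failure. An allocation failure would then surface as an empty field in the reply rather than as an error. Since talloc_strdup() also returns NULL for a NULL source, the check has to separate the two cases, for example `if (pdb_get_fullname(pw) != NULL && full_name == NULL) { TALLOC_FREE(pw); return NT_STATUS_NO_MEMORY; }`, repeated per field or folded into a small helper. This hunk also carries the tail of get_user_info_20 and the start of _samr_QueryUserInfo, whose bodies extend beyond it.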
@@ -2364,81 +2541,67 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_ if (!sid_check_is_in_our_domain(&info->sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - DEBUG(5,("_samr_query_userinfo: sid:%s\n", + DEBUG(5,("_samr_QueryUserInfo: sid:%s\n", sid_string_dbg(&info->sid))); - ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_USERINFO_CTR); - if (!ctr) + user_info = TALLOC_ZERO_P(p->mem_ctx, union samr_UserInfo); + if (!user_info) { return NT_STATUS_NO_MEMORY; + } - ZERO_STRUCTP(ctr); - - /* ok! user info levels (lots: see MSDEV help), off we go... */ - ctr->switch_value = q_u->switch_value; - - DEBUG(5,("_samr_query_userinfo: user info level: %d\n", q_u->switch_value)); + DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r->in.level)); - switch (q_u->switch_value) { + switch (r->in.level) { case 7: - ctr->info.id7 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_7); - if (ctr->info.id7 == NULL) - return NT_STATUS_NO_MEMORY; - - if (!NT_STATUS_IS_OK(r_u->status = get_user_info_7(p->mem_ctx, ctr->info.id7, &info->sid))) - return r_u->status; + status = get_user_info_7(p->mem_ctx, &user_info->info7, &info->sid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } break; case 9: - ctr->info.id9 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_9); - if (ctr->info.id9 == NULL) - return NT_STATUS_NO_MEMORY; - - if (!NT_STATUS_IS_OK(r_u->status = get_user_info_9(p->mem_ctx, ctr->info.id9, &info->sid))) - return r_u->status; + status = get_user_info_9(p->mem_ctx, &user_info->info9, &info->sid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } break; case 16: - ctr->info.id16 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_16); - if (ctr->info.id16 == NULL) - return NT_STATUS_NO_MEMORY; - - if (!NT_STATUS_IS_OK(r_u->status = get_user_info_16(p->mem_ctx, ctr->info.id16, &info->sid))) - return r_u->status; + status = get_user_info_16(p->mem_ctx, &user_info->info16, &info->sid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } break; case 18: - ctr->info.id18 
= TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_18); - if (ctr->info.id18 == NULL) - return NT_STATUS_NO_MEMORY; - - if (!NT_STATUS_IS_OK(r_u->status = get_user_info_18(p, p->mem_ctx, ctr->info.id18, &info->sid))) - return r_u->status; + status = get_user_info_18(p, p->mem_ctx, &user_info->info18, &info->sid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } break; case 20: - ctr->info.id20 = TALLOC_ZERO_P(p->mem_ctx,SAM_USER_INFO_20); - if (ctr->info.id20 == NULL) - return NT_STATUS_NO_MEMORY; - if (!NT_STATUS_IS_OK(r_u->status = get_user_info_20(p->mem_ctx, ctr->info.id20, &info->sid))) - return r_u->status; + status = get_user_info_20(p->mem_ctx, &user_info->info20, &info->sid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } break; case 21: - ctr->info.id21 = TALLOC_ZERO_P(p->mem_ctx,SAM_USER_INFO_21); - if (ctr->info.id21 == NULL) - return NT_STATUS_NO_MEMORY; - if (!NT_STATUS_IS_OK(r_u->status = get_user_info_21(p->mem_ctx, ctr->info.id21, - &info->sid, &domain_sid))) - return r_u->status; + status = get_user_info_21(p->mem_ctx, &user_info->info21, + &info->sid, &domain_sid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } break; default: return NT_STATUS_INVALID_INFO_CLASS; } - init_samr_r_query_userinfo(r_u, ctr, r_u->status); + *r->out.info = user_info; - DEBUG(5,("_samr_query_userinfo: %d\n", __LINE__)); + DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__)); - return r_u->status; + return status; } /******************************************************************* 
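Review bot: No check of the handle's granted access is visible in `_samr_QueryUserInfo` before `switch (r->in.level)` dispatches to helpers that read the passdb under become_root(). The only gates shown are find_policy_by_hnd() and sid_check_is_in_our_domain(). The function starts in the previous hunk and a few lines between the two hunks are not shown, so the check may already exist there. If it does not, a call such as `status = access_check_samr_function(info->acc_granted, SAMR_USER_ACCESS_GET_ATTRIBUTES, "_samr_QueryUserInfo");` ahead of the switch would tie every info level to the rights the handle was opened with.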
@@ -5395,16 +5558,6 @@ NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_QueryUserInfo(pipes_struct *p, - struct samr_QueryUserInfo *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_ChangePasswordUser(pipes_struct *p, struct samr_ChangePasswordUser *r) { -- cgit From befc71c942c044c9edc31d166f7b2ad6630fdb7c Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 12 Feb 2008 16:39:02 +0100 Subject: Re-add support for samr_QueryDisplayInfo2/samr_QueryDisplayInfo3. (This used to be commit cac740d87f729c1b48654ef4f51f37a81e8a0d54) --- source3/rpc_server/srv_samr_nt.c | 64 +++++++++++++++++++++++++++------------- 1 file changed, 44 insertions(+), 20 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index ac10754493..3e88f24ea2 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -1586,6 +1586,50 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p, return status; } +/**************************************************************** + _samr_QueryDisplayInfo2 +****************************************************************/ + +NTSTATUS _samr_QueryDisplayInfo2(pipes_struct *p, + struct samr_QueryDisplayInfo2 *r) +{ + struct samr_QueryDisplayInfo q; + + q.in.domain_handle = r->in.domain_handle; + q.in.level = r->in.level; + q.in.start_idx = r->in.start_idx; + q.in.max_entries = r->in.max_entries; + q.in.buf_size = r->in.buf_size; + + q.out.total_size = r->out.total_size; + q.out.returned_size = r->out.returned_size; + q.out.info = r->out.info; + + return _samr_QueryDisplayInfo(p, &q); +} + +/**************************************************************** + _samr_QueryDisplayInfo3 +****************************************************************/ + +NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p, + struct samr_QueryDisplayInfo3 *r) +{ + struct samr_QueryDisplayInfo q; + + q.in.domain_handle = r->in.domain_handle; + q.in.level = r->in.level; + q.in.start_idx = r->in.start_idx; + q.in.max_entries = r->in.max_entries; + q.in.buf_size = r->in.buf_size; + + q.out.total_size = r->out.total_size; + q.out.returned_size = r->out.returned_size; + q.out.info = r->out.info; + + return _samr_QueryDisplayInfo(p, &q); +} + /******************************************************************* _samr_QueryAliasInfo ********************************************************************/ 
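Review bot: `struct samr_QueryDisplayInfo q;` in both new wrappers is left uninitialised apart from the eight members assigned below it, so any other member of the struct that `_samr_QueryDisplayInfo()` reads is indeterminate. Whether such a member exists is not visible here, but `ZERO_STRUCT(q);` before the assignments removes the question. The two bodies are also identical except for the request type; a comment on each stating that levels 2 and 3 are served by the level-1 implementation would record that this is intentional.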
@@ -5608,16 +5652,6 @@ NTSTATUS _samr_QueryUserInfo2(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_QueryDisplayInfo2(pipes_struct *p, - struct samr_QueryDisplayInfo2 *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_GetDisplayEnumerationIndex2(pipes_struct *p, struct samr_GetDisplayEnumerationIndex2 *r) { @@ -5628,16 +5662,6 @@ NTSTATUS _samr_GetDisplayEnumerationIndex2(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p, - struct samr_QueryDisplayInfo3 *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_AddMultipleMembersToAlias(pipes_struct *p, struct samr_AddMultipleMembersToAlias *r) { -- cgit From e2b3aad8174daede0248ce96df624e575867cfd8 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 12 Feb 2008 22:05:39 +0100 Subject: Collect all init_lsa_string varients in one place. Guenther (This used to be commit f4581e9f4482566fba9436d5ae058b8d840fa394) --- source3/rpc_server/srv_samr_nt.c | 18 ------------------ 1 file changed, 18 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 3e88f24ea2..3637560a7f 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -103,15 +103,6 @@ static const struct generic_mapping ali_generic_mapping = { GENERIC_RIGHTS_ALIAS_EXECUTE, GENERIC_RIGHTS_ALIAS_ALL_ACCESS}; -/******************************************************************* - inits a structure. -********************************************************************/ - -static void init_lsa_String(struct lsa_String *name, const char *s) -{ - name->string = s; -} - /******************************************************************* *******************************************************************/ @@ -1171,15 +1162,6 @@ NTSTATUS _samr_EnumDomainAliases(pipes_struct *p, return status; } -/******************************************************************* - inits a structure. -********************************************************************/ - -static void init_lsa_AsciiString(struct lsa_AsciiString *name, const char *s) -{ - name->string = s; -} - /******************************************************************* inits a samr_DispInfoGeneral structure. ********************************************************************/ -- cgit From a6997bb2ffbca8f38d40f2631066c23b0472e13c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 12 Feb 2008 17:21:17 -0800 Subject: Prevent "parameters" being used without initialization. Jeremy. (This used to be commit f0195e937d5d42a8d92e9d861199538fd44a3c9b) --- source3/rpc_server/srv_samr_nt.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 3637560a7f..0db74c2a1b 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2476,6 +2476,8 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, TALLOC_FREE(pw); return NT_STATUS_NO_MEMORY; } + } else { + parameters = NULL; } -- cgit From 2cd374db8d53cf9727da6c99a7fc48f4dd09fd4b Mon Sep 17 00:00:00 2001 
From: Tim Potter Date: Mon, 18 Feb 2008 10:21:17 +1100 Subject: Replace C++-style comments with C. (This used to be commit a1d07469236c06b65f14a59a27d7f7abcb106b5e) --- source3/rpc_server/srv_samr_nt.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 0db74c2a1b..df7bb9b206 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2535,10 +2535,10 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, logon_hours, pdb_get_bad_password_count(pw), pdb_get_logon_count(pw), - 0, //country_code, - 0, //code_page, - 0, //nt_password_set, - 0, //lm_password_set, + 0, /* country_code */ + 0, /* code_page */ + 0, /* nt_password_set */ + 0, /* lm_password_set */ password_expired); TALLOC_FREE(pw); -- cgit From d61831dcd414e0279dfd576a8c85a83a37bf2699 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 27 Feb 2008 16:52:39 +0100 Subject: Move MAX_SAM_ENTRIES defines to samr rpc_server and to samr.idl. Guenther (This used to be commit 6c6455157317049d65a9012f4e339b7e86fb0af6) --- source3/rpc_server/srv_samr_nt.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index df7bb9b206..8289440d6e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -876,6 +876,8 @@ static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, return NT_STATUS_OK; } +#define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K + /******************************************************************* _samr_EnumDomainUsers ********************************************************************/ -- cgit From 7269a504fdd06fbbe24c2df8e084b41382d71269 Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Wed, 27 Feb 2008 19:38:48 +0100 Subject: Add my copyright. Guenther (This used to be commit d078a8757182d84dfd3307a2e1b751cf173aaa97) --- source3/rpc_server/srv_samr_nt.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 8289440d6e..f8b953904f 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -11,6 +11,7 @@ * Copyright (C) Gerald (Jerry) Carter 2003-2004, * Copyright (C) Simo Sorce 2003. * Copyright (C) Volker Lendecke 2005. + * Copyright (C) Guenther Deschner 2008. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by -- cgit From 700438dbbd45c8e097a74b98a56a0c97e241fa34 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 28 Feb 2008 23:37:47 +0100 Subject: Fix samr querydispinfo w.r.t. lsa_AsciiStringLarge. Thanks metze for the fix. Guenther (This used to be commit dcffb885bc5d16e795b71d95e0790d3d7d70cf3c) --- source3/rpc_server/srv_samr_nt.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index f8b953904f..f38a8fcfc0 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1318,8 +1318,8 @@ static NTSTATUS init_samr_dispinfo_4(TALLOC_CTX *ctx, for (i = 0; i < num_entries ; i++) { - init_lsa_AsciiString(&r->entries[i].account_name, - entries[i].account_name); + init_lsa_AsciiStringLarge(&r->entries[i].account_name, + entries[i].account_name); r->entries[i].idx = start_idx+i+1; } 
@@ -1354,8 +1354,8 @@ static NTSTATUS init_samr_dispinfo_5(TALLOC_CTX *ctx, for (i = 0; i < num_entries ; i++) { - init_lsa_AsciiString(&r->entries[i].account_name, - entries[i].account_name); + init_lsa_AsciiStringLarge(&r->entries[i].account_name, + entries[i].account_name); r->entries[i].idx = start_idx+i+1; } -- cgit From dd80c452a2fd794823f1ccb6a391bb78681213f4 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 20 Mar 2008 21:58:39 +0100 Subject: A level 25 setuserinfo does change the pwdlastset (This used to be commit f65cb5d4b51e2e7b9b16b73e47cd2a8d55d5d4b0) --- source3/rpc_server/srv_samr_nt.c | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index f38a8fcfc0..eeb3e400dd 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3863,7 +3863,8 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx, set_user_info_pw ********************************************************************/ -static bool set_user_info_pw(uint8 *pass, struct samu *pwd) +static bool set_user_info_pw(uint8 *pass, struct samu *pwd, + int level) { uint32 len = 0; char *plaintext_buf = NULL; 
@@ -3925,8 +3926,20 @@ static bool set_user_info_pw(uint8 *pass, struct samu *pwd) memset(plaintext_buf, '\0', strlen(plaintext_buf)); - /* restore last set time as this is an admin change, not a user pw change */ - pdb_set_pass_last_set_time (pwd, last_set_time, last_set_state); + /* + * A level 25 change does reset the pwdlastset field, a level 24 + * change does not. I know this is probably not the full story, but + * it is needed to make XP join LDAP correctly, without it the later + * auth2 check can fail with PWD_MUST_CHANGE. + */ + if (level != 25) { + /* + * restore last set time as this is an admin change, not a + * user pw change + */ + pdb_set_pass_last_set_time (pwd, last_set_time, + last_set_state); + } DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n")); @@ -4147,7 +4160,8 @@ static NTSTATUS samr_SetUserInfo_internal(const char *fn_name, dump_data(100, info->info24.password.data, 516); - if (!set_user_info_pw(info->info24.password.data, pwd)) { + if (!set_user_info_pw(info->info24.password.data, pwd, + switch_value)) { status = NT_STATUS_ACCESS_DENIED; } break; @@ -4166,7 +4180,8 @@ static NTSTATUS samr_SetUserInfo_internal(const char *fn_name, if (!NT_STATUS_IS_OK(status)) { goto done; } - if (!set_user_info_pw(info->info25.password.data, pwd)) { + if (!set_user_info_pw(info->info25.password.data, pwd, + switch_value)) { status = NT_STATUS_ACCESS_DENIED; } break; @@ -4180,7 +4195,8 @@ static NTSTATUS samr_SetUserInfo_internal(const char *fn_name, dump_data(100, info->info26.password.data, 516); - if (!set_user_info_pw(info->info26.password.data, pwd)) { + if (!set_user_info_pw(info->info26.password.data, pwd, + switch_value)) { status = NT_STATUS_ACCESS_DENIED; } break; -- cgit From e8775623bdf40dab976c4540771e5078d632fe01 Mon Sep 17 00:00:00 2001 
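Review bot: The new `if (level != 25)` test in set_user_info_pw treats every caller other than level 25 like level 24. The later hunks of this commit pass `switch_value` from the info24, info25 and info26 cases, so level 26 also restores the previous last-set time. The added comment covers only levels 24 and 25. Either say there that level 26 is meant to follow level 24, or make the decision explicit with something like `bool keep_last_set = (level == 24 || level == 26);`, so the behaviour of a future level is a deliberate choice rather than a default. The function body extends beyond these hunks.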
From: Günther Deschner Date: Mon, 31 Mar 2008 20:40:16 +0200 Subject: Add init_samr_parameters_string(). Guenther (This used to be commit 8f6f0d1601cb93af51f8d493382cd707c3eb0cdf) --- source3/rpc_server/srv_samr_nt.c | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index eeb3e400dd..034392ed21 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2154,6 +2154,41 @@ NTSTATUS _samr_OpenUser(pipes_struct *p, return NT_STATUS_OK; } +/************************************************************************* + *************************************************************************/ + +static NTSTATUS init_samr_parameters_string(TALLOC_CTX *mem_ctx, + DATA_BLOB *blob, + struct lsa_BinaryString **_r) +{ + struct lsa_BinaryString *r; + + if (!blob || !_r) { + return NT_STATUS_INVALID_PARAMETER; + } + + r = TALLOC_ZERO_P(mem_ctx, struct lsa_BinaryString); + if (!r) { + return NT_STATUS_NO_MEMORY; + } + + r->array = TALLOC_ZERO_ARRAY(mem_ctx, uint16_t, blob->length/2); + if (!r->array) { + return NT_STATUS_NO_MEMORY; + } + memcpy(r->array, blob->data, blob->length); + r->size = blob->length; + r->length = blob->length; + + if (!r->array) { + return NT_STATUS_NO_MEMORY; + } + + *_r = r; + + return NT_STATUS_OK; +} + /************************************************************************* get_user_info_7. Safe. Only gives out account_name. *************************************************************************/ -- cgit From 4369c14a66060021259308d1c42372e75455953f Mon Sep 17 00:00:00 2001 
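Review bot: `TALLOC_ZERO_ARRAY(mem_ctx, uint16_t, blob->length/2)` rounds the element count down, while the `memcpy(r->array, blob->data, blob->length)` that follows copies the full byte count, so a blob of odd length writes one byte past the allocation. The callers added in the next commit pass the base64-decoded munged_dial attribute, so the length should be treated as untrusted. Reject it with `if (blob->length % 2 != 0) { return NT_STATUS_INVALID_PARAMETER; }`, or size the array as `(blob->length + 1) / 2`. An empty blob gives an element count of zero, and it is worth confirming what the allocator returns in that case, since a NULL result is reported as NT_STATUS_NO_MEMORY. The second `if (!r->array)` after the memcpy repeats the earlier check and can go.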
From: Günther Deschner Date: Mon, 31 Mar 2008 20:43:18 +0200 Subject: Re-add support for the samr parameters string. (dialin settings, terminal server settings, etc.) Guenther (This used to be commit c4f248df8e34c6a028bf8d789fe9763b0ea063fe) --- source3/rpc_server/srv_samr_nt.c | 51 +++++++++++++++++----------------------- 1 file changed, 22 insertions(+), 29 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 034392ed21..0f4a5b9ae1 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2368,8 +2368,9 @@ static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, struct samu *sampass=NULL; bool ret; const char *munged_dial = NULL; - const char *munged_dial_decoded = NULL; DATA_BLOB blob; + NTSTATUS status; + struct lsa_BinaryString *parameters = NULL; ZERO_STRUCTP(r); @@ -2391,28 +2392,23 @@ static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, samr_clear_sam_passwd(sampass); - DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) )); + DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass), + munged_dial, strlen(munged_dial))); if (munged_dial) { blob = base64_decode_data_blob(munged_dial); - munged_dial_decoded = talloc_strndup(mem_ctx, - (const char *)blob.data, - blob.length); - data_blob_free(&blob); - if (!munged_dial_decoded) { - TALLOC_FREE(sampass); - return NT_STATUS_NO_MEMORY; - } + } else { + blob = data_blob_string_const(""); } -#if 0 - init_unistr2_from_datablob(&usr->uni_munged_dial, &blob); - init_uni_hdr(&usr->hdr_munged_dial, &usr->uni_munged_dial); + status = init_samr_parameters_string(mem_ctx, &blob, ¶meters); data_blob_free(&blob); -#endif - init_samr_user_info20(r, munged_dial_decoded); - TALLOC_FREE(sampass); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + init_samr_user_info20(r, parameters); return NT_STATUS_OK; } 
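Review bot: The rewritten `DEBUG(3, ...)` in get_user_info_20 calls `strlen(munged_dial)` and prints `munged_dial` with `%s` before the `if (munged_dial)` test that follows it, so an account without that attribute dereferences NULL in the logging path. Move the DEBUG into the non-NULL branch, or log `munged_dial ? munged_dial : ""` with a length computed the same way. The later "Fix build warning" commit on this page only adds an `(int)` cast and keeps the unguarded call. The function body extends beyond this hunk.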
@@ -2427,6 +2423,7 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, DOM_SID *user_sid, DOM_SID *domain_sid) { + NTSTATUS status; struct samu *pw = NULL; bool ret; const DOM_SID *sid_user, *sid_group; @@ -2437,8 +2434,9 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, uint8_t password_expired; const char *account_name, *full_name, *home_directory, *home_drive, *logon_script, *profile_path, *description, - *workstations, *comment, *parameters; + *workstations, *comment; struct samr_LogonHours logon_hours; + struct lsa_BinaryString *parameters = NULL; const char *munged_dial = NULL; DATA_BLOB blob; @@ -2508,16 +2506,16 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, munged_dial = pdb_get_munged_dial(pw); if (munged_dial) { blob = base64_decode_data_blob(munged_dial); - parameters = talloc_strndup(mem_ctx, (const char *)blob.data, blob.length); - data_blob_free(&blob); - if (!parameters) { - TALLOC_FREE(pw); - return NT_STATUS_NO_MEMORY; - } } else { - parameters = NULL; + blob = data_blob_string_const(""); } + status = init_samr_parameters_string(mem_ctx, &blob, ¶meters); + data_blob_free(&blob); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(pw); + return status; + } account_name = talloc_strdup(mem_ctx, pdb_get_username(pw)); full_name = talloc_strdup(mem_ctx, pdb_get_fullname(pw)); @@ -2542,11 +2540,6 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, -- Volker */ -#if 0 - init_unistr2_from_datablob(&usr->uni_munged_dial, &munged_dial_blob); - init_uni_hdr(&usr->hdr_munged_dial, &usr->uni_munged_dial); - data_blob_free(&munged_dial_blob); -#endif #endif init_samr_user_info21(r, -- cgit From edcbb657deea1fd177bd66bd1bc653e15b1b99d9 Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Tue, 1 Apr 2008 00:14:00 +0200 Subject: Fix build warning. Guenther (This used to be commit c40522cfe97c4e5eedccc9c56f47f9d4a8bcdaaf) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 0f4a5b9ae1..62632d08c5 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2393,7 +2393,7 @@ static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, samr_clear_sam_passwd(sampass); DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass), - munged_dial, strlen(munged_dial))); + munged_dial, (int)strlen(munged_dial))); if (munged_dial) { blob = base64_decode_data_blob(munged_dial); -- cgit From 8c9d6322dea2243e9bc15032af399264c6678c1b Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 4 Apr 2008 11:59:32 +0200 Subject: Fix _samr_GetDomPwInfo (to return more then zeros). Guenther (This used to be commit 1cde9579f10ab8c43c25dfd6e5c658c7653f9a37) --- source3/rpc_server/srv_samr_nt.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 62632d08c5..bcb4acbf15 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -5373,6 +5373,9 @@ NTSTATUS _samr_SetAliasInfo(pipes_struct *p, NTSTATUS _samr_GetDomPwInfo(pipes_struct *p, struct samr_GetDomPwInfo *r) { + uint32_t min_password_length = 0; + uint32_t password_properties = 0; + /* Perform access check. Since this rpc does not require a policy handle it will not be caught by the access checks on SAMR_CONNECT or SAMR_CONNECT_ANON. */ 
@@ -5382,8 +5385,19 @@ NTSTATUS _samr_GetDomPwInfo(pipes_struct *p, return NT_STATUS_ACCESS_DENIED; } - /* Actually, returning zeros here works quite well :-). */ - ZERO_STRUCTP(r->out.info); + become_root(); + pdb_get_account_policy(AP_MIN_PASSWORD_LEN, + &min_password_length); + pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, + &password_properties); + unbecome_root(); + + if (lp_check_password_script() && *lp_check_password_script()) { + password_properties |= DOMAIN_PASSWORD_COMPLEX; + } + + r->out.info->min_password_length = min_password_length; + r->out.info->password_properties = password_properties; return NT_STATUS_OK; } -- cgit From 833729125093b884a528057b0aa03891efb9e9b5 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 4 Apr 2008 12:00:26 +0200 Subject: Fix _samr_GetUserPwInfo() (to return more then just zeros). Guenther (This used to be commit 624371ce32a7c0816963745059e743e5b3e92e2a) --- source3/rpc_server/srv_samr_nt.c | 53 ++++++++++++++++++++++++++++++++++------ 1 file changed, 45 insertions(+), 8 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index bcb4acbf15..0d9dd554c6 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
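Review bot: Both `pdb_get_account_policy()` calls in _samr_GetDomPwInfo discard their result, so a failed backend lookup is reported to the client as minimum length 0 with NT_STATUS_OK, indistinguishable from a domain that has no policy. Check the return value and at least log the failure, e.g. `if (!pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &min_password_length)) {` followed by a DEBUG line. The AP_USER_MUST_LOGON_TO_CHG_PASS value is also copied unmasked into the `password_properties` flag word, so a comment naming the flag bit it is meant to set would make that mapping checkable. The same block is repeated in the _samr_GetUserPwInfo hunk of the next commit, and a shared static helper would keep the two in step.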
@@ -627,22 +627,59 @@ NTSTATUS _samr_GetUserPwInfo(pipes_struct *p, struct samr_GetUserPwInfo *r) { struct samr_info *info = NULL; + enum lsa_SidType sid_type; + uint32_t min_password_length = 0; + uint32_t password_properties = 0; + bool ret = false; + NTSTATUS status; + + DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__)); /* find the policy handle. open a policy on it. */ - if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) + if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) { return NT_STATUS_INVALID_HANDLE; + } - if (!sid_check_is_in_our_domain(&info->sid)) + status = access_check_samr_function(info->acc_granted, + SAMR_USER_ACCESS_GET_ATTRIBUTES, + "_samr_GetUserPwInfo" ); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + if (!sid_check_is_in_our_domain(&info->sid)) { return NT_STATUS_OBJECT_TYPE_MISMATCH; + } + + become_root(); + ret = lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, &sid_type); + unbecome_root(); + if (ret == false) { + return NT_STATUS_NO_SUCH_USER; + } - ZERO_STRUCTP(r->out.info); + switch (sid_type) { + case SID_NAME_USER: + become_root(); + pdb_get_account_policy(AP_MIN_PASSWORD_LEN, + &min_password_length); + pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, + &password_properties); + unbecome_root(); - DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__)); + if (lp_check_password_script() && *lp_check_password_script()) { + password_properties |= DOMAIN_PASSWORD_COMPLEX; + } - /* - * NT sometimes return NT_STATUS_ACCESS_DENIED - * I don't know yet why. - */ + break; + default: + break; + } + + r->out.info->min_password_length = min_password_length; + r->out.info->password_properties = password_properties; + + DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__)); return NT_STATUS_OK; } -- cgit From 08971abdad82ce6b57a85ce77a8cb7906b0dab2f Mon Sep 17 00:00:00 2001 
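Review bot: The `default:` arm of `switch (sid_type)` leaves both outputs at zero and still returns NT_STATUS_OK, so a handle whose SID resolves to anything other than SID_NAME_USER is answered as if no password policy applied. If that is intended it deserves a comment at the arm, such as `/* non-user SIDs: report an empty policy */`; otherwise returning an error status there is clearer than a silent zero answer.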
From: Günther Deschner Date: Fri, 16 May 2008 13:24:15 +0200 Subject: Fix Bug #5461 and implement a very basic _samr_GetDisplayEnumerationIndex(). Citrix PM cannot use a Samba DC when having more then 900 groups as citrix insists on calling _samr_GetDisplayEnumerationIndex() after receiving the first 900 groups via _samr_QueryDisplayInfo() to get the continuation index. Guenther (This used to be commit 1c4adc8dda68eae9839bdff843aadf8c98dd9e87) --- source3/rpc_server/srv_samr_nt.c | 159 ++++++++++++++++++++++++++++++++++----- 1 file changed, 139 insertions(+), 20 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 0d9dd554c6..f28c771d3e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
@@ -5651,6 +5651,145 @@ NTSTATUS _samr_SetDomainInfo(pipes_struct *p, return NT_STATUS_OK; } +/**************************************************************** + _samr_GetDisplayEnumerationIndex +****************************************************************/ + +NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p, + struct samr_GetDisplayEnumerationIndex *r) +{ + struct samr_info *info = NULL; + uint32_t max_entries = (uint32_t) -1; + uint32_t enum_context = 0; + int i; + uint32_t num_account = 0; + struct samr_displayentry *entries = NULL; + + DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__)); + + /* find the policy handle. open a policy on it. */ + if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) { + return NT_STATUS_INVALID_HANDLE; + } + + if ((r->in.level < 1) || (r->in.level > 3)) { + DEBUG(0,("_samr_GetDisplayEnumerationIndex: " + "Unknown info level (%u)\n", + r->in.level)); + return NT_STATUS_INVALID_INFO_CLASS; + } + + become_root(); + + /* The following done as ROOT. Don't return without unbecome_root(). 
*/ + + switch (r->in.level) { + case 1: + if (info->disp_info->users == NULL) { + info->disp_info->users = pdb_search_users(ACB_NORMAL); + if (info->disp_info->users == NULL) { + unbecome_root(); + return NT_STATUS_ACCESS_DENIED; + } + DEBUG(10,("_samr_GetDisplayEnumerationIndex: " + "starting user enumeration at index %u\n", + (unsigned int)enum_context)); + } else { + DEBUG(10,("_samr_GetDisplayEnumerationIndex: " + "using cached user enumeration at index %u\n", + (unsigned int)enum_context)); + } + num_account = pdb_search_entries(info->disp_info->users, + enum_context, max_entries, + &entries); + break; + case 2: + if (info->disp_info->machines == NULL) { + info->disp_info->machines = + pdb_search_users(ACB_WSTRUST|ACB_SVRTRUST); + if (info->disp_info->machines == NULL) { + unbecome_root(); + return NT_STATUS_ACCESS_DENIED; + } + DEBUG(10,("_samr_GetDisplayEnumerationIndex: " + "starting machine enumeration at index %u\n", + (unsigned int)enum_context)); + } else { + DEBUG(10,("_samr_GetDisplayEnumerationIndex: " + "using cached machine enumeration at index %u\n", + (unsigned int)enum_context)); + } + num_account = pdb_search_entries(info->disp_info->machines, + enum_context, max_entries, + &entries); + break; + case 3: + if (info->disp_info->groups == NULL) { + info->disp_info->groups = pdb_search_groups(); + if (info->disp_info->groups == NULL) { + unbecome_root(); + return NT_STATUS_ACCESS_DENIED; + } + DEBUG(10,("_samr_GetDisplayEnumerationIndex: " + "starting group enumeration at index %u\n", + (unsigned int)enum_context)); + } else { + DEBUG(10,("_samr_GetDisplayEnumerationIndex: " + "using cached group enumeration at index %u\n", + (unsigned int)enum_context)); + } + num_account = pdb_search_entries(info->disp_info->groups, + enum_context, max_entries, + &entries); + break; + default: + unbecome_root(); + smb_panic("info class changed"); + break; + } + + unbecome_root(); + + /* Ensure we cache this enumeration. 
*/ + set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT); + + DEBUG(10,("_samr_GetDisplayEnumerationIndex: looking for :%s\n", + r->in.name->string)); + + for (i=0; iin.name->string)) { + DEBUG(10,("_samr_GetDisplayEnumerationIndex: " + "found %s at idx %d\n", + r->in.name->string, i)); + *r->out.idx = i; + return NT_STATUS_OK; + } + } + + /* assuming account_name lives at the very end */ + *r->out.idx = num_account; + + return NT_STATUS_NO_MORE_ENTRIES; +} + +/**************************************************************** + _samr_GetDisplayEnumerationIndex2 +****************************************************************/ + +NTSTATUS _samr_GetDisplayEnumerationIndex2(pipes_struct *p, + struct samr_GetDisplayEnumerationIndex2 *r) +{ + struct samr_GetDisplayEnumerationIndex q; + + q.in.domain_handle = r->in.domain_handle; + q.in.level = r->in.level; + q.in.name = r->in.name; + + q.out.idx = r->out.idx; + + return _samr_GetDisplayEnumerationIndex(p, &q); +} + /**************************************************************** ****************************************************************/ @@ -5694,16 +5833,6 @@ NTSTATUS _samr_ChangePasswordUser(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p, - struct samr_GetDisplayEnumerationIndex *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_TestPrivateFunctionsDomain(pipes_struct *p, struct samr_TestPrivateFunctionsDomain *r) { 
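Review bot: In _samr_GetDisplayEnumerationIndex there is no `access_check_samr_function()` call on `info->acc_granted` between `find_policy_by_hnd()` and `become_root()`, so any valid handle, whatever rights it was opened with, can trigger a root account search and learn whether a name exists and at which index. Add the check pattern that the _samr_GetUserPwInfo change uses, with the domain right that _samr_QueryDisplayInfo requires, and `if (!NT_STATUS_IS_OK(status)) { return status; }` before the level switch. `r->in.name->string` is also passed to `%s` and to the name comparison without a NULL test; unless the marshalling layer already guarantees it, reject a NULL name with an error status first. Because `max_entries` is `(uint32_t) -1`, every call asks for the full enumeration, which is worth a comment on the expected directory size.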
@@ -5734,16 +5863,6 @@ NTSTATUS _samr_QueryUserInfo2(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _samr_GetDisplayEnumerationIndex2(pipes_struct *p, - struct samr_GetDisplayEnumerationIndex2 *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _samr_AddMultipleMembersToAlias(pipes_struct *p, struct samr_AddMultipleMembersToAlias *r) { -- cgit From 6a286a7bf4375038ad4dffe0a436a1a743f6aad6 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 20 May 2008 17:29:40 +0200 Subject: Fix a valgrind error in _samr_LookupNames (cherry picked from commit fb0a25d59ddd28ea1d5af33ec7d9f817fac3fb9d) (This used to be commit 89f87efa2394e99802ca23307e712fc5820a5fc6) --- source3/rpc_server/srv_samr_nt.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index f28c771d3e..42431bd482 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1786,8 +1786,8 @@ NTSTATUS _samr_LookupNames(pipes_struct *p, struct samr_LookupNames *r) { NTSTATUS status; - uint32 rid[MAX_SAM_ENTRIES]; - enum lsa_SidType type[MAX_SAM_ENTRIES]; + uint32 *rid; + enum lsa_SidType *type; int i; int num_rids = r->in.num_names; DOM_SID pol_sid; @@ -1796,9 +1796,6 @@ NTSTATUS _samr_LookupNames(pipes_struct *p, DEBUG(5,("_samr_LookupNames: %d\n", __LINE__)); - ZERO_ARRAY(rid); - ZERO_ARRAY(type); - if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL)) { return NT_STATUS_OBJECT_TYPE_MISMATCH; } 
@@ -1815,6 +1812,12 @@ NTSTATUS _samr_LookupNames(pipes_struct *p, DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids)); } + rid = talloc_array(p->mem_ctx, uint32, num_rids); + NT_STATUS_HAVE_NO_MEMORY(rid); + + type = talloc_array(p->mem_ctx, enum lsa_SidType, num_rids); + NT_STATUS_HAVE_NO_MEMORY(rid); + DEBUG(5,("_samr_LookupNames: looking name on SID %s\n", sid_string_dbg(&pol_sid))); -- cgit From 7aa839bba0b4ae408f87a29e4e3a48607bfee275 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 20 May 2008 17:48:39 +0200 Subject: Fix typo. Guenther (cherry picked from commit d3dd7ea5a77414c0d802668ab5bfbe3487b66926) (This used to be commit 68d6b0053f3ce63747bc26a2bebb1fb0b46c8ca0) --- source3/rpc_server/srv_samr_nt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 42431bd482..a89e00f1ec 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1816,7 +1816,7 @@ NTSTATUS _samr_LookupNames(pipes_struct *p, NT_STATUS_HAVE_NO_MEMORY(rid); type = talloc_array(p->mem_ctx, enum lsa_SidType, num_rids); - NT_STATUS_HAVE_NO_MEMORY(rid); + NT_STATUS_HAVE_NO_MEMORY(type); DEBUG(5,("_samr_LookupNames: looking name on SID %s\n", sid_string_dbg(&pol_sid))); -- cgit From 747a5809528cffc40f46d7e27a96ce0c559056b4 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 24 Jun 2008 14:33:31 +0200 Subject: Now that we have p->server_info, use p->server_info->user_session_key (This used to be commit aefad64e3a5c86d2f988d47e6215ed2085b8fc47) --- source3/rpc_server/srv_samr_nt.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index a89e00f1ec..1b1e98c049 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c 
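Review bot: `talloc_array()` does not zero the memory it returns, and this commit drops the earlier `ZERO_ARRAY(rid)` and `ZERO_ARRAY(type)` calls, so both arrays hold indeterminate heap contents until the lookup loop writes them. That loop is outside the hunk; if any path can leave an index unwritten before the arrays are copied into the reply, those bytes reach the client. Using `talloc_zero_array(p->mem_ctx, uint32, num_rids)` and `talloc_zero_array(p->mem_ctx, enum lsa_SidType, num_rids)` keeps the old zero-initialised behaviour at no real cost.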
@@ -4206,11 +4206,11 @@ static NTSTATUS samr_SetUserInfo_internal(const char *fn_name, break; case 23: - if (!p->session_key.length) { + if (!p->server_info->user_session_key.length) { status = NT_STATUS_NO_USER_SESSION_KEY; } SamOEMhashBlob(info->info23.password.data, 516, - &p->session_key); + &p->server_info->user_session_key); dump_data(100, info->info23.password.data, 516); @@ -4219,12 +4219,12 @@ static NTSTATUS samr_SetUserInfo_internal(const char *fn_name, break; case 24: - if (!p->session_key.length) { + if (!p->server_info->user_session_key.length) { status = NT_STATUS_NO_USER_SESSION_KEY; } SamOEMhashBlob(info->info24.password.data, 516, - &p->session_key); + &p->server_info->user_session_key); dump_data(100, info->info24.password.data, 516); @@ -4235,11 +4235,12 @@ static NTSTATUS samr_SetUserInfo_internal(const char *fn_name, break; case 25: - if (!p->session_key.length) { + if (!p->server_info->user_session_key.length) { status = NT_STATUS_NO_USER_SESSION_KEY; } - encode_or_decode_arc4_passwd_buffer(info->info25.password.data, - &p->session_key); + encode_or_decode_arc4_passwd_buffer( + info->info25.password.data, + &p->server_info->user_session_key); dump_data(100, info->info25.password.data, 532); @@ -4255,11 +4256,12 @@ static NTSTATUS samr_SetUserInfo_internal(const char *fn_name, break; case 26: - if (!p->session_key.length) { + if (!p->server_info->user_session_key.length) { status = NT_STATUS_NO_USER_SESSION_KEY; } - encode_or_decode_arc4_passwd_buffer(info->info26.password.data, - &p->session_key); + encode_or_decode_arc4_passwd_buffer( + info->info26.password.data, + &p->server_info->user_session_key); dump_data(100, info->info26.password.data, 516); -- cgit
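Review bot: In `case 23:` the `if (!p->server_info->user_session_key.length)` branch only assigns `status = NT_STATUS_NO_USER_SESSION_KEY` and then continues into `SamOEMhashBlob()` with the empty key; the case 24, 25 and 26 hunks have the same pattern. Add `break;` after the assignment in each case, so the password buffer is never processed without a session key and the error status cannot be overwritten by the set_user_info call that presumably follows outside the hunk. `dump_data(100, ...)` on the decoded buffer writes password material to the debug log at that level, so it should be removed or carry a comment explaining why it is kept. samr_SetUserInfo_internal starts and ends outside these hunks.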