From 43a460075a39148060d4193fcb9c62bfa4acc737 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Thu, 25 Mar 1999 13:54:31 +0000 Subject: SAM database "set user info". ---------------------------- - removed DOM_RID4 - removed SAMR_UNKNOWN_32 - added SAMR_SET_USERINFO (opcode 0x32) - added level 0x1 to SAMR_QUERY_DOM_INFO (needed for create user) - fixed pwdb_gethexpwd() it was failing on XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - added mod_sam21pwd_entry() - preparing to call mod_sam21pwd_entry() - added "user session key" to user_struct.dc. this is md4(nt#) and is needed to decode user's clear-text passwords in SAMR_SET_USERINFO. - split code out in chgpasswd.c to decode 516 byte password buffers. (This used to be commit 2e58ed742435befe419aa366c4052019fede8c23) --- source3/rpc_server/srv_pipe.c | 10 +- source3/rpc_server/srv_pipe_hnd.c | 2 +- source3/rpc_server/srv_samr.c | 244 ++++++++++++++++++++++++++++++-------- 3 files changed, 204 insertions(+), 52 deletions(-) (limited to 'source3/rpc_server') diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index ec5b547c86..54d26650e9 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -211,8 +211,16 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p) uchar nt_owf[24]; struct smb_passwd *smb_pass = NULL; + user_struct *vuser = get_valid_user_struct(p->vuid); + DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n")); + if (vuser == NULL) + { + DEBUG(0,("get user struct %d failed\n", p->vuid)); + return False; + } + if (p->ntlmssp_resp.hdr_lm_resp.str_str_len == 0) return False; if (p->ntlmssp_resp.hdr_nt_resp.str_str_len == 0) return False; if (p->ntlmssp_resp.hdr_usr .str_str_len == 0) return False; @@ -256,7 +264,7 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p) become_root(True); p->ntlmssp_validated = pass_check_smb(p->user_name, p->domain, (uchar*)p->ntlmssp_chal.challenge, - lm_owf, nt_owf, NULL); + lm_owf, nt_owf, NULL, vuser->dc.user_sess_key); smb_pass = getsmbpwnam(p->user_name); unbecome_root(True); diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c index 531fcf6add..4361c0772e 100644 --- a/source3/rpc_server/srv_pipe_hnd.c +++ b/source3/rpc_server/srv_pipe_hnd.c @@ -140,7 +140,7 @@ pipes_struct *open_rpc_pipe_p(char *pipe_name, p->ntlmssp_auth = False; fstrcpy(p->name, pipe_name); - + DEBUG(4,("Opened pipe %s with handle %x (pipes_open=%d)\n", pipe_name, i, pipes_open)); diff --git a/source3/rpc_server/srv_samr.c b/source3/rpc_server/srv_samr.c index 2dd7801e81..2437163f2b 100644 --- a/source3/rpc_server/srv_samr.c +++ b/source3/rpc_server/srv_samr.c @@ -1943,6 +1943,27 @@ static void samr_reply_query_userinfo(SAMR_Q_QUERY_USERINFO *q_u, } +/******************************************************************* + set_user_info_23 + ********************************************************************/ +static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, uint32 rid) +{ + static struct sam_passwd *pwd; + fstring new_pw; + if (!decode_pw_buffer(id23->pass, new_pw, sizeof(new_pw), True)) + { + return False; + } +#ifdef DEBUG_PASSWORD + DEBUG(0,("New Password: %s\n", new_pw)); +#endif +#if 0 + return mod_sam21pwd_entry(&pwd, True); +#else + return True; +#endif +} + /******************************************************************* api_samr_query_userinfo ********************************************************************/ @@ -1954,6 +1975,87 @@ static void api_samr_query_userinfo( uint16 vuid, prs_struct *data, prs_struct * } +/******************************************************************* + samr_reply_set_userinfo + ********************************************************************/ +static void samr_reply_set_userinfo(SAMR_Q_SET_USERINFO *q_u, + prs_struct *rdata, uchar user_sess_key[16]) +{ + SAMR_R_SET_USERINFO r_u; + + uint32 status = 0x0; + uint32 rid = 0x0; + + DEBUG(5,("samr_reply_set_userinfo: %d\n", __LINE__)); + + /* search for the handle */ + if (status == 0x0 && (find_lsa_policy_by_hnd(&(q_u->pol)) == -1)) + { + status = 0xC0000000 | NT_STATUS_INVALID_HANDLE; + } + + /* find the user's rid */ + if (status == 0x0 && (rid = get_lsa_policy_samr_rid(&(q_u->pol))) == 0xffffffff) + { + status = 0xC0000000 | NT_STATUS_OBJECT_TYPE_MISMATCH; + } + + DEBUG(5,("samr_reply_set_userinfo: rid:0x%x\n", rid)); + + /* ok! user info levels (there are lots: see MSDEV help), off we go... */ + if (status == 0x0) + { + switch (q_u->switch_value) + { + case 23: + { + SAM_USER_INFO_23 *id23 = q_u->info.id23; + SamOEMhash(id23->pass, user_sess_key, True); + status = set_user_info_23(id23, rid) ? 0 : (0xC0000000 | NT_STATUS_ACCESS_DENIED); + break; + } + + default: + { + status = 0xC0000000 | NT_STATUS_INVALID_INFO_CLASS; + + break; + } + } + } + + make_samr_r_set_userinfo(&r_u, status); + + /* store the response in the SMB stream */ + samr_io_r_set_userinfo("", &r_u, rdata, 0); + + DEBUG(5,("samr_reply_set_userinfo: %d\n", __LINE__)); + +} + +/******************************************************************* + api_samr_set_userinfo + ********************************************************************/ +static void api_samr_set_userinfo( uint16 vuid, prs_struct *data, prs_struct *rdata) +{ + user_struct *vuser = get_valid_user_struct(vuid); + SAMR_Q_SET_USERINFO q_u; + ZERO_STRUCT(q_u); + +#ifdef DEBUG_PASSWORD + DEBUG(100,("set user info: sess_key: ")); + dump_data(100, vuser->dc.user_sess_key, 16); +#endif + samr_io_q_set_userinfo("", &q_u, data, 0); + samr_reply_set_userinfo(&q_u, rdata, vuser->dc.user_sess_key); + + if (q_u.info.id != NULL) + { + free(q_u.info.id); + } +} + + /******************************************************************* samr_reply_query_usergroups ********************************************************************/ @@ -2310,6 +2412,13 @@ static void samr_reply_query_dom_info(SAMR_Q_QUERY_DOMAIN_INFO *q_u, break; } + case 0x01: + { + switch_value = 0x1; + make_unk_info1(&ctr.info.inf1); + + break; + } default: { status = 0xC0000000 | NT_STATUS_INVALID_INFO_CLASS; @@ -2340,50 +2449,19 @@ static void api_samr_query_dom_info( uint16 vuid, prs_struct *data, prs_struct * /******************************************************************* - samr_reply_unknown_32 + samr_reply_create_user ********************************************************************/ -static void samr_reply_unknown_32(SAMR_Q_UNKNOWN_32 *q_u, - prs_struct *rdata, - int status) -{ - int i; - SAMR_R_UNKNOWN_32 r_u; - - /* set up the SAMR unknown_32 response */ - bzero(r_u.pol.data, POL_HND_SIZE); - if (status == 0) - { - for (i = 4; i < POL_HND_SIZE; i++) - { - r_u.pol.data[i] = i+1; - } - } - - make_dom_rid4(&(r_u.rid4), 0x0030, 0, 0); - r_u.status = status; - - DEBUG(5,("samr_unknown_32: %d\n", __LINE__)); - - /* store the response in the SMB stream */ - samr_io_r_unknown_32("", &r_u, rdata, 0); - - DEBUG(5,("samr_unknown_32: %d\n", __LINE__)); - -} - -/******************************************************************* - api_samr_unknown_32 - ********************************************************************/ -static void api_samr_unknown_32( uint16 vuid, prs_struct *data, prs_struct *rdata) +static void samr_reply_create_user(SAMR_Q_CREATE_USER *q_u, + prs_struct *rdata) { - uint32 status = 0; struct sam_passwd *sam_pass; - fstring mach_acct; - - SAMR_Q_UNKNOWN_32 q_u; + fstring user_name; - /* grab the samr unknown 32 */ - samr_io_q_unknown_32("", &q_u, data, 0); + SAMR_R_CREATE_USER r_u; + POLICY_HND pol; + uint32 status = 0x0; + uint32 user_rid = 0xffffffff; + BOOL pol_open = False; /* find the machine account: tell the caller if it exists. lkclXXXX i have *no* idea if this is a problem or not @@ -2391,26 +2469,91 @@ static void api_samr_unknown_32( uint16 vuid, prs_struct *data, prs_struct *rdat reply if the account already exists... */ - unistr2_to_ascii(mach_acct, &q_u.uni_mach_acct, sizeof(mach_acct)-1); + /* find the policy handle. open a policy on it. */ + if (status == 0x0 && (find_lsa_policy_by_hnd(&(q_u->domain_pol)) == -1)) + { + status = 0xC0000000 | NT_STATUS_INVALID_HANDLE; + } - become_root(True); - sam_pass = getsam21pwntnam(mach_acct); - unbecome_root(True); + /* get a (unique) handle. open a policy on it. */ + if (status == 0x0 && !(pol_open = open_lsa_policy_hnd(&pol))) + { + status = 0xC0000000 | NT_STATUS_OBJECT_NAME_NOT_FOUND; + } + + unistr2_to_ascii(user_name, &q_u->uni_name, sizeof(user_name)-1); + + sam_pass = getsam21pwntnam(user_name); if (sam_pass != NULL) { - /* machine account exists: say so */ + /* account exists: say so */ status = 0xC0000000 | NT_STATUS_USER_EXISTS; } else { - /* this could cause trouble... */ - DEBUG(0,("trouble!\n")); - status = 0; + pstring err_str; + pstring msg_str; + + if (!local_password_change(user_name, True, + q_u->acb_info | ACB_DISABLED, 0xffff, + NULL, + err_str, sizeof(err_str), + msg_str, sizeof(msg_str))) + { + DEBUG(0,("%s\n", err_str)); + status = 0xC0000000 | NT_STATUS_ACCESS_DENIED; + } + else + { + sam_pass = getsam21pwntnam(user_name); + if (sam_pass == NULL) + { + /* account doesn't exist: say so */ + status = 0xC0000000 | NT_STATUS_ACCESS_DENIED; + } + else + { + user_rid = sam_pass->user_rid; + } + } + } + + /* associate the RID with the (unique) handle. */ + if (status == 0x0 && !set_lsa_policy_samr_rid(&pol, user_rid)) + { + /* oh, whoops. don't know what error message to return, here */ + status = 0xC0000000 | NT_STATUS_OBJECT_NAME_NOT_FOUND; + } + + if (status != 0 && pol_open) + { + close_lsa_policy_hnd(&pol); } + DEBUG(5,("samr_create_user: %d\n", __LINE__)); + + make_samr_r_create_user(&r_u, &pol, 0x000703ff, user_rid, status); + + /* store the response in the SMB stream */ + samr_io_r_create_user("", &r_u, rdata, 0); + + DEBUG(5,("samr_create_user: %d\n", __LINE__)); + +} + +/******************************************************************* + api_samr_create_user + ********************************************************************/ +static void api_samr_create_user( uint16 vuid, prs_struct *data, prs_struct *rdata) +{ + SAMR_Q_CREATE_USER q_u; + + /* grab the samr unknown 32 */ + samr_io_q_create_user("", &q_u, data, 0); + /* construct reply. */ - samr_reply_unknown_32(&q_u, rdata, status); + samr_reply_create_user(&q_u, rdata); } @@ -2709,6 +2852,7 @@ static struct api_struct api_samr_cmds [] = { "SAMR_LOOKUP_NAMES" , SAMR_LOOKUP_NAMES , api_samr_lookup_names }, { "SAMR_OPEN_USER" , SAMR_OPEN_USER , api_samr_open_user }, { "SAMR_QUERY_USERINFO" , SAMR_QUERY_USERINFO , api_samr_query_userinfo }, + { "SAMR_SET_USERINFO" , SAMR_SET_USERINFO , api_samr_set_userinfo }, { "SAMR_QUERY_DOMAIN_INFO", SAMR_QUERY_DOMAIN_INFO, api_samr_query_dom_info }, { "SAMR_QUERY_USERGROUPS" , SAMR_QUERY_USERGROUPS , api_samr_query_usergroups }, { "SAMR_QUERY_DISPINFO" , SAMR_QUERY_DISPINFO , api_samr_query_dispinfo }, @@ -2716,7 +2860,7 @@ static struct api_struct api_samr_cmds [] = { "SAMR_QUERY_DISPINFO4" , SAMR_QUERY_DISPINFO4 , api_samr_query_dispinfo }, { "SAMR_QUERY_ALIASINFO" , SAMR_QUERY_ALIASINFO , api_samr_query_aliasinfo }, { "SAMR_QUERY_GROUPINFO" , SAMR_QUERY_GROUPINFO , api_samr_query_groupinfo }, - { "SAMR_0x32" , SAMR_UNKNOWN_32 , api_samr_unknown_32 }, + { "SAMR_CREATE_USER" , SAMR_CREATE_USER , api_samr_create_user }, { "SAMR_LOOKUP_RIDS" , SAMR_LOOKUP_RIDS , api_samr_lookup_rids }, { "SAMR_UNKNOWN_38" , SAMR_UNKNOWN_38 , api_samr_unknown_38 }, { "SAMR_CHGPASSWD_USER" , SAMR_CHGPASSWD_USER , api_samr_chgpasswd_user }, -- cgit