2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2005,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 * Copyright (C) Simo Sorce 2003.
13 * Copyright (C) Volker Lendecke 2005.
14 * Copyright (C) Guenther Deschner 2008.
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
31 * This is the implementation of the SAMR code.
37 #define DBGC_CLASS DBGC_RPC_SRV
39 #define SAMR_USR_RIGHTS_WRITE_PW \
40 ( READ_CONTROL_ACCESS | \
41 SA_RIGHT_USER_CHANGE_PASSWORD | \
42 SA_RIGHT_USER_SET_LOC_COM )
43 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
44 ( READ_CONTROL_ACCESS | SA_RIGHT_USER_SET_LOC_COM )
46 #define DISP_INFO_CACHE_TIMEOUT 10
48 typedef struct disp_info {
49 DOM_SID sid; /* identify which domain this is. */
50 bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
51 struct pdb_search *users; /* querydispinfo 1 and 4 */
52 struct pdb_search *machines; /* querydispinfo 2 */
53 struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
54 struct pdb_search *aliases; /* enumaliases */
57 struct pdb_search *enum_users; /* enumusers with a mask */
59 struct timed_event *cache_timeout_event; /* cache idle timeout
63 /* We keep a static list of these by SID as modern clients close down
64 all resources between each request in a complete enumeration. */
67 /* for use by the \PIPE\samr policy */
69 bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
70 uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */
76 static const struct generic_mapping sam_generic_mapping = {
77 GENERIC_RIGHTS_SAM_READ,
78 GENERIC_RIGHTS_SAM_WRITE,
79 GENERIC_RIGHTS_SAM_EXECUTE,
80 GENERIC_RIGHTS_SAM_ALL_ACCESS};
81 static const struct generic_mapping dom_generic_mapping = {
82 GENERIC_RIGHTS_DOMAIN_READ,
83 GENERIC_RIGHTS_DOMAIN_WRITE,
84 GENERIC_RIGHTS_DOMAIN_EXECUTE,
85 GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
86 static const struct generic_mapping usr_generic_mapping = {
87 GENERIC_RIGHTS_USER_READ,
88 GENERIC_RIGHTS_USER_WRITE,
89 GENERIC_RIGHTS_USER_EXECUTE,
90 GENERIC_RIGHTS_USER_ALL_ACCESS};
91 static const struct generic_mapping usr_nopwchange_generic_mapping = {
92 GENERIC_RIGHTS_USER_READ,
93 GENERIC_RIGHTS_USER_WRITE,
94 GENERIC_RIGHTS_USER_EXECUTE & ~SA_RIGHT_USER_CHANGE_PASSWORD,
95 GENERIC_RIGHTS_USER_ALL_ACCESS};
96 static const struct generic_mapping grp_generic_mapping = {
97 GENERIC_RIGHTS_GROUP_READ,
98 GENERIC_RIGHTS_GROUP_WRITE,
99 GENERIC_RIGHTS_GROUP_EXECUTE,
100 GENERIC_RIGHTS_GROUP_ALL_ACCESS};
101 static const struct generic_mapping ali_generic_mapping = {
102 GENERIC_RIGHTS_ALIAS_READ,
103 GENERIC_RIGHTS_ALIAS_WRITE,
104 GENERIC_RIGHTS_ALIAS_EXECUTE,
105 GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
107 /*******************************************************************
108 *******************************************************************/
110 static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size,
111 const struct generic_mapping *map,
112 DOM_SID *sid, uint32 sid_access )
114 DOM_SID domadmin_sid;
115 SEC_ACE ace[5]; /* at most 5 entries */
121 /* basic access for Everyone */
123 init_sec_access(&mask, map->generic_execute | map->generic_read );
124 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
126 /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
128 init_sec_access(&mask, map->generic_all);
130 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
131 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
133 /* Add Full Access for Domain Admins if we are a DC */
136 sid_copy( &domadmin_sid, get_global_sam_sid() );
137 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
138 init_sec_ace(&ace[i++], &domadmin_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
141 /* if we have a sid, give it some special access */
144 init_sec_access( &mask, sid_access );
145 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
148 /* create the security descriptor */
150 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
151 return NT_STATUS_NO_MEMORY;
153 if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
154 SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
155 psa, sd_size)) == NULL)
156 return NT_STATUS_NO_MEMORY;
161 /*******************************************************************
162 Checks if access to an object should be granted, and returns that
163 level of access for further checks.
164 ********************************************************************/
166 static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
167 SE_PRIV *rights, uint32 rights_mask,
168 uint32 des_access, uint32 *acc_granted,
171 NTSTATUS status = NT_STATUS_ACCESS_DENIED;
172 uint32 saved_mask = 0;
174 /* check privileges; certain SAM access bits should be overridden
175 by privileges (mostly having to do with creating/modifying/deleting
178 if ( rights && user_has_any_privilege( token, rights ) ) {
180 saved_mask = (des_access & rights_mask);
181 des_access &= ~saved_mask;
183 DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
188 /* check the security descriptor first */
190 if ( se_access_check(psd, token, des_access, acc_granted, &status) )
193 /* give root a free pass */
195 if ( geteuid() == sec_initial_uid() ) {
197 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
198 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
200 *acc_granted = des_access;
202 status = NT_STATUS_OK;
208 /* add in any bits saved during the privilege check (only
209 matters is status is ok) */
211 *acc_granted |= rights_mask;
213 DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
214 debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
215 des_access, *acc_granted));
220 /*******************************************************************
221 Checks if access to a function can be granted
222 ********************************************************************/
224 static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
226 DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
227 debug, acc_granted, acc_required));
229 /* check the security descriptor first */
231 if ( (acc_granted&acc_required) == acc_required )
234 /* give root a free pass */
236 if (geteuid() == sec_initial_uid()) {
238 DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
239 debug, acc_granted, acc_required));
240 DEBUGADD(4,("but overwritten by euid == 0\n"));
245 DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n",
246 debug, acc_granted, acc_required));
248 return NT_STATUS_ACCESS_DENIED;
251 /*******************************************************************
252 Fetch or create a dispinfo struct.
253 ********************************************************************/
255 static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid)
258 * We do a static cache for DISP_INFO's here. Explanation can be found
259 * in Jeremy's checkin message to r11793:
261 * Fix the SAMR cache so it works across completely insane
262 * client behaviour (ie.:
263 * open pipe/open SAMR handle/enumerate 0 - 1024
264 * close SAMR handle, close pipe.
265 * open pipe/open SAMR handle/enumerate 1024 - 2048...
266 * close SAMR handle, close pipe.
267 * And on ad-nausium. Amazing.... probably object-oriented
268 * client side programming in action yet again.
269 * This change should *massively* improve performance when
270 * enumerating users from an LDAP database.
273 * "Our" and the builtin domain are the only ones where we ever
274 * enumerate stuff, so just cache 2 entries.
277 static struct disp_info builtin_dispinfo;
278 static struct disp_info domain_dispinfo;
280 /* There are two cases to consider here:
281 1) The SID is a domain SID and we look for an equality match, or
282 2) This is an account SID and so we return the DISP_INFO* for our
289 if (sid_check_is_builtin(psid) || sid_check_is_in_builtin(psid)) {
291 * Necessary only once, but it does not really hurt.
293 sid_copy(&builtin_dispinfo.sid, &global_sid_Builtin);
295 return &builtin_dispinfo;
298 if (sid_check_is_domain(psid) || sid_check_is_in_our_domain(psid)) {
300 * Necessary only once, but it does not really hurt.
302 sid_copy(&domain_dispinfo.sid, get_global_sam_sid());
304 return &domain_dispinfo;
310 /*******************************************************************
311 Create a samr_info struct.
312 ********************************************************************/
314 static struct samr_info *get_samr_info_by_sid(DOM_SID *psid)
316 struct samr_info *info;
321 sid_to_fstring(sid_str, psid);
323 fstrcpy(sid_str,"(NULL)");
326 mem_ctx = talloc_init("samr_info for domain sid %s", sid_str);
328 if ((info = TALLOC_ZERO_P(mem_ctx, struct samr_info)) == NULL)
331 DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str));
333 sid_copy( &info->sid, psid);
334 info->builtin_domain = sid_check_is_builtin(psid);
336 DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n"));
337 info->builtin_domain = False;
339 info->mem_ctx = mem_ctx;
341 info->disp_info = get_samr_dispinfo_by_sid(psid);
346 /*******************************************************************
347 Function to free the per SID data.
348 ********************************************************************/
350 static void free_samr_cache(DISP_INFO *disp_info)
352 DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
353 sid_string_dbg(&disp_info->sid)));
355 /* We need to become root here because the paged search might have to
356 * tell the LDAP server we're not interested in the rest anymore. */
360 if (disp_info->users) {
361 DEBUG(10,("free_samr_cache: deleting users cache\n"));
362 pdb_search_destroy(disp_info->users);
363 disp_info->users = NULL;
365 if (disp_info->machines) {
366 DEBUG(10,("free_samr_cache: deleting machines cache\n"));
367 pdb_search_destroy(disp_info->machines);
368 disp_info->machines = NULL;
370 if (disp_info->groups) {
371 DEBUG(10,("free_samr_cache: deleting groups cache\n"));
372 pdb_search_destroy(disp_info->groups);
373 disp_info->groups = NULL;
375 if (disp_info->aliases) {
376 DEBUG(10,("free_samr_cache: deleting aliases cache\n"));
377 pdb_search_destroy(disp_info->aliases);
378 disp_info->aliases = NULL;
380 if (disp_info->enum_users) {
381 DEBUG(10,("free_samr_cache: deleting enum_users cache\n"));
382 pdb_search_destroy(disp_info->enum_users);
383 disp_info->enum_users = NULL;
385 disp_info->enum_acb_mask = 0;
390 /*******************************************************************
391 Function to free the per handle data.
392 ********************************************************************/
394 static void free_samr_info(void *ptr)
396 struct samr_info *info=(struct samr_info *) ptr;
398 /* Only free the dispinfo cache if no one bothered to set up
401 if (info->disp_info && info->disp_info->cache_timeout_event == NULL) {
402 free_samr_cache(info->disp_info);
405 talloc_destroy(info->mem_ctx);
408 /*******************************************************************
409 Idle event handler. Throw away the disp info cache.
410 ********************************************************************/
412 static void disp_info_cache_idle_timeout_handler(struct event_context *ev_ctx,
413 struct timed_event *te,
414 const struct timeval *now,
417 DISP_INFO *disp_info = (DISP_INFO *)private_data;
419 TALLOC_FREE(disp_info->cache_timeout_event);
421 DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
423 free_samr_cache(disp_info);
426 /*******************************************************************
427 Setup cache removal idle event handler.
428 ********************************************************************/
430 static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow)
432 /* Remove any pending timeout and update. */
434 TALLOC_FREE(disp_info->cache_timeout_event);
436 DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
437 "SID %s for %u seconds\n", sid_string_dbg(&disp_info->sid),
438 (unsigned int)secs_fromnow ));
440 disp_info->cache_timeout_event = event_add_timed(
441 smbd_event_context(), NULL,
442 timeval_current_ofs(secs_fromnow, 0),
443 "disp_info_cache_idle_timeout_handler",
444 disp_info_cache_idle_timeout_handler, (void *)disp_info);
447 /*******************************************************************
448 Force flush any cache. We do this on any samr_set_xxx call.
449 We must also remove the timeout handler.
450 ********************************************************************/
452 static void force_flush_samr_cache(DISP_INFO *disp_info)
454 if ((disp_info == NULL) || (disp_info->cache_timeout_event == NULL)) {
458 DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
459 TALLOC_FREE(disp_info->cache_timeout_event);
460 free_samr_cache(disp_info);
463 /*******************************************************************
464 Ensure password info is never given out. Paranioa... JRA.
465 ********************************************************************/
467 static void samr_clear_sam_passwd(struct samu *sam_pass)
473 /* These now zero out the old password */
475 pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
476 pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
479 static uint32 count_sam_users(struct disp_info *info, uint32 acct_flags)
481 struct samr_displayentry *entry;
483 if (info->builtin_domain) {
484 /* No users in builtin. */
488 if (info->users == NULL) {
489 info->users = pdb_search_users(acct_flags);
490 if (info->users == NULL) {
494 /* Fetch the last possible entry, thus trigger an enumeration */
495 pdb_search_entries(info->users, 0xffffffff, 1, &entry);
497 /* Ensure we cache this enumeration. */
498 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
500 return info->users->num_entries;
503 static uint32 count_sam_groups(struct disp_info *info)
505 struct samr_displayentry *entry;
507 if (info->builtin_domain) {
508 /* No groups in builtin. */
512 if (info->groups == NULL) {
513 info->groups = pdb_search_groups();
514 if (info->groups == NULL) {
518 /* Fetch the last possible entry, thus trigger an enumeration */
519 pdb_search_entries(info->groups, 0xffffffff, 1, &entry);
521 /* Ensure we cache this enumeration. */
522 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
524 return info->groups->num_entries;
527 static uint32 count_sam_aliases(struct disp_info *info)
529 struct samr_displayentry *entry;
531 if (info->aliases == NULL) {
532 info->aliases = pdb_search_aliases(&info->sid);
533 if (info->aliases == NULL) {
537 /* Fetch the last possible entry, thus trigger an enumeration */
538 pdb_search_entries(info->aliases, 0xffffffff, 1, &entry);
540 /* Ensure we cache this enumeration. */
541 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
543 return info->aliases->num_entries;
546 /*******************************************************************
548 ********************************************************************/
550 NTSTATUS _samr_Close(pipes_struct *p, struct samr_Close *r)
552 if (!close_policy_hnd(p, r->in.handle)) {
553 return NT_STATUS_INVALID_HANDLE;
556 ZERO_STRUCTP(r->out.handle);
561 /*******************************************************************
563 ********************************************************************/
565 NTSTATUS _samr_OpenDomain(pipes_struct *p,
566 struct samr_OpenDomain *r)
568 struct samr_info *info;
569 SEC_DESC *psd = NULL;
571 uint32 des_access = r->in.access_mask;
576 /* find the connection policy handle. */
578 if ( !find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info) )
579 return NT_STATUS_INVALID_HANDLE;
581 status = access_check_samr_function(info->acc_granted,
582 SA_RIGHT_SAM_OPEN_DOMAIN,
583 "_samr_OpenDomain" );
585 if ( !NT_STATUS_IS_OK(status) )
588 /*check if access can be granted as requested by client. */
590 make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
591 se_map_generic( &des_access, &dom_generic_mapping );
593 se_priv_copy( &se_rights, &se_machine_account );
594 se_priv_add( &se_rights, &se_add_users );
596 status = access_check_samr_object( psd, p->pipe_user.nt_user_token,
597 &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access,
598 &acc_granted, "_samr_OpenDomain" );
600 if ( !NT_STATUS_IS_OK(status) )
603 if (!sid_check_is_domain(r->in.sid) &&
604 !sid_check_is_builtin(r->in.sid)) {
605 return NT_STATUS_NO_SUCH_DOMAIN;
608 /* associate the domain SID with the (unique) handle. */
609 if ((info = get_samr_info_by_sid(r->in.sid))==NULL)
610 return NT_STATUS_NO_MEMORY;
611 info->acc_granted = acc_granted;
613 /* get a (unique) handle. open a policy on it. */
614 if (!create_policy_hnd(p, r->out.domain_handle, free_samr_info, (void *)info))
615 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
617 DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__));
622 /*******************************************************************
624 ********************************************************************/
626 NTSTATUS _samr_GetUserPwInfo(pipes_struct *p,
627 struct samr_GetUserPwInfo *r)
629 struct samr_info *info = NULL;
630 enum lsa_SidType sid_type;
631 uint32_t min_password_length = 0;
632 uint32_t password_properties = 0;
636 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
638 /* find the policy handle. open a policy on it. */
639 if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) {
640 return NT_STATUS_INVALID_HANDLE;
643 status = access_check_samr_function(info->acc_granted,
644 SAMR_USER_ACCESS_GET_ATTRIBUTES,
645 "_samr_GetUserPwInfo" );
646 if (!NT_STATUS_IS_OK(status)) {
650 if (!sid_check_is_in_our_domain(&info->sid)) {
651 return NT_STATUS_OBJECT_TYPE_MISMATCH;
655 ret = lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, &sid_type);
658 return NT_STATUS_NO_SUCH_USER;
664 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
665 &min_password_length);
666 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
667 &password_properties);
670 if (lp_check_password_script() && *lp_check_password_script()) {
671 password_properties |= DOMAIN_PASSWORD_COMPLEX;
679 r->out.info->min_password_length = min_password_length;
680 r->out.info->password_properties = password_properties;
682 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
687 /*******************************************************************
688 ********************************************************************/
690 static bool get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol,
691 DOM_SID *sid, uint32 *acc_granted,
692 DISP_INFO **ppdisp_info)
694 struct samr_info *info = NULL;
696 /* find the policy handle. open a policy on it. */
697 if (!find_policy_by_hnd(p, pol, (void **)(void *)&info))
704 *acc_granted = info->acc_granted;
706 *ppdisp_info = info->disp_info;
712 /*******************************************************************
714 ********************************************************************/
716 NTSTATUS _samr_SetSecurity(pipes_struct *p,
717 struct samr_SetSecurity *r)
720 uint32 acc_granted, i;
723 struct samu *sampass=NULL;
726 if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL))
727 return NT_STATUS_INVALID_HANDLE;
729 if (!(sampass = samu_new( p->mem_ctx))) {
730 DEBUG(0,("No memory!\n"));
731 return NT_STATUS_NO_MEMORY;
734 /* get the user record */
736 ret = pdb_getsampwsid(sampass, &pol_sid);
740 DEBUG(4, ("User %s not found\n", sid_string_dbg(&pol_sid)));
741 TALLOC_FREE(sampass);
742 return NT_STATUS_INVALID_HANDLE;
745 dacl = r->in.sdbuf->sd->dacl;
746 for (i=0; i < dacl->num_aces; i++) {
747 if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) {
748 ret = pdb_set_pass_can_change(sampass,
749 (dacl->aces[i].access_mask &
750 SA_RIGHT_USER_CHANGE_PASSWORD) ?
757 TALLOC_FREE(sampass);
758 return NT_STATUS_ACCESS_DENIED;
761 status = access_check_samr_function(acc_granted,
762 SA_RIGHT_USER_SET_ATTRIBUTES,
763 "_samr_SetSecurity");
764 if (NT_STATUS_IS_OK(status)) {
766 status = pdb_update_sam_account(sampass);
770 TALLOC_FREE(sampass);
775 /*******************************************************************
776 build correct perms based on policies and password times for _samr_query_sec_obj
777 *******************************************************************/
778 static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid)
780 struct samu *sampass=NULL;
783 if ( !(sampass = samu_new( mem_ctx )) ) {
784 DEBUG(0,("No memory!\n"));
789 ret = pdb_getsampwsid(sampass, user_sid);
793 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
794 TALLOC_FREE(sampass);
798 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
800 if (pdb_get_pass_can_change(sampass)) {
801 TALLOC_FREE(sampass);
804 TALLOC_FREE(sampass);
809 /*******************************************************************
811 ********************************************************************/
813 NTSTATUS _samr_QuerySecurity(pipes_struct *p,
814 struct samr_QuerySecurity *r)
818 SEC_DESC * psd = NULL;
823 if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL))
824 return NT_STATUS_INVALID_HANDLE;
826 DEBUG(10,("_samr_QuerySecurity: querying security on SID: %s\n",
827 sid_string_dbg(&pol_sid)));
829 status = access_check_samr_function(acc_granted,
830 STD_RIGHT_READ_CONTROL_ACCESS,
831 "_samr_QuerySecurity");
832 if (NT_STATUS_IS_OK(status)) {
836 /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
838 /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
839 if (pol_sid.sid_rev_num == 0) {
840 DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
841 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
842 } else if (sid_equal(&pol_sid,get_global_sam_sid())) {
843 /* check if it is our domain SID */
844 DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
845 "with SID: %s\n", sid_string_dbg(&pol_sid)));
846 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
847 } else if (sid_equal(&pol_sid,&global_sid_Builtin)) {
848 /* check if it is the Builtin Domain */
849 /* TODO: Builtin probably needs a different SD with restricted write access*/
850 DEBUG(5,("_samr_QuerySecurity: querying security on Builtin "
851 "Domain with SID: %s\n", sid_string_dbg(&pol_sid)));
852 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
853 } else if (sid_check_is_in_our_domain(&pol_sid) ||
854 sid_check_is_in_builtin(&pol_sid)) {
855 /* TODO: different SDs have to be generated for aliases groups and users.
856 Currently all three get a default user SD */
857 DEBUG(10,("_samr_QuerySecurity: querying security on Object "
858 "with SID: %s\n", sid_string_dbg(&pol_sid)));
859 if (check_change_pw_access(p->mem_ctx, &pol_sid)) {
860 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
861 &pol_sid, SAMR_USR_RIGHTS_WRITE_PW);
863 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_nopwchange_generic_mapping,
864 &pol_sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
867 return NT_STATUS_OBJECT_TYPE_MISMATCH;
870 if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
871 return NT_STATUS_NO_MEMORY;
876 /*******************************************************************
877 makes a SAM_ENTRY / UNISTR2* structure from a user list.
878 ********************************************************************/
880 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx,
881 struct samr_SamEntry **sam_pp,
882 uint32_t num_entries,
884 struct samr_displayentry *entries)
887 struct samr_SamEntry *sam;
891 if (num_entries == 0) {
895 sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_entries);
897 DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
898 return NT_STATUS_NO_MEMORY;
901 for (i = 0; i < num_entries; i++) {
904 * usrmgr expects a non-NULL terminated string with
905 * trust relationships
907 if (entries[i].acct_flags & ACB_DOMTRUST) {
908 init_unistr2(&uni_temp_name, entries[i].account_name,
911 init_unistr2(&uni_temp_name, entries[i].account_name,
915 init_lsa_String(&sam[i].name, entries[i].account_name);
916 sam[i].idx = entries[i].rid;
924 #define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
926 /*******************************************************************
927 _samr_EnumDomainUsers
928 ********************************************************************/
930 NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
931 struct samr_EnumDomainUsers *r)
934 struct samr_info *info = NULL;
936 uint32 enum_context = *r->in.resume_handle;
937 enum remote_arch_types ra_type = get_remote_arch();
938 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
939 uint32 max_entries = max_sam_entries;
940 struct samr_displayentry *entries = NULL;
941 struct samr_SamArray *samr_array = NULL;
942 struct samr_SamEntry *samr_entries = NULL;
944 /* find the policy handle. open a policy on it. */
945 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
946 return NT_STATUS_INVALID_HANDLE;
948 status = access_check_samr_function(info->acc_granted,
949 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
950 "_samr_EnumDomainUsers");
951 if (!NT_STATUS_IS_OK(status)) {
955 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
957 if (info->builtin_domain) {
958 /* No users in builtin. */
959 *r->out.resume_handle = *r->in.resume_handle;
960 DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
964 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
966 return NT_STATUS_NO_MEMORY;
973 if ((info->disp_info->enum_users != NULL) &&
974 (info->disp_info->enum_acb_mask != r->in.acct_flags)) {
975 pdb_search_destroy(info->disp_info->enum_users);
976 info->disp_info->enum_users = NULL;
979 if (info->disp_info->enum_users == NULL) {
980 info->disp_info->enum_users = pdb_search_users(r->in.acct_flags);
981 info->disp_info->enum_acb_mask = r->in.acct_flags;
984 if (info->disp_info->enum_users == NULL) {
985 /* END AS ROOT !!!! */
987 return NT_STATUS_ACCESS_DENIED;
990 num_account = pdb_search_entries(info->disp_info->enum_users,
991 enum_context, max_entries,
994 /* END AS ROOT !!!! */
998 if (num_account == 0) {
999 DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
1000 "total entries\n"));
1001 *r->out.resume_handle = *r->in.resume_handle;
1002 return NT_STATUS_OK;
1005 status = make_user_sam_entry_list(p->mem_ctx, &samr_entries,
1006 num_account, enum_context,
1008 if (!NT_STATUS_IS_OK(status)) {
1012 if (max_entries <= num_account) {
1013 status = STATUS_MORE_ENTRIES;
1015 status = NT_STATUS_OK;
1018 /* Ensure we cache this enumeration. */
1019 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1021 DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__));
1023 samr_array->count = num_account;
1024 samr_array->entries = samr_entries;
1026 *r->out.resume_handle = *r->in.resume_handle + num_account;
1027 *r->out.sam = samr_array;
1028 *r->out.num_entries = num_account;
1030 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
1035 /*******************************************************************
1036 makes a SAM_ENTRY / UNISTR2* structure from a group list.
1037 ********************************************************************/
1039 static void make_group_sam_entry_list(TALLOC_CTX *ctx,
1040 struct samr_SamEntry **sam_pp,
1041 uint32_t num_sam_entries,
1042 struct samr_displayentry *entries)
1044 struct samr_SamEntry *sam;
1049 if (num_sam_entries == 0) {
1053 sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_sam_entries);
1058 for (i = 0; i < num_sam_entries; i++) {
1060 * JRA. I think this should include the null. TNG does not.
1062 init_lsa_String(&sam[i].name, entries[i].account_name);
1063 sam[i].idx = entries[i].rid;
1069 /*******************************************************************
1070 _samr_EnumDomainGroups
1071 ********************************************************************/
1073 NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
1074 struct samr_EnumDomainGroups *r)
1077 struct samr_info *info = NULL;
1078 struct samr_displayentry *groups;
1080 struct samr_SamArray *samr_array = NULL;
1081 struct samr_SamEntry *samr_entries = NULL;
1083 /* find the policy handle. open a policy on it. */
1084 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1085 return NT_STATUS_INVALID_HANDLE;
1087 status = access_check_samr_function(info->acc_granted,
1088 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
1089 "_samr_EnumDomainGroups");
1090 if (!NT_STATUS_IS_OK(status)) {
1094 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1096 if (info->builtin_domain) {
1097 /* No groups in builtin. */
1098 *r->out.resume_handle = *r->in.resume_handle;
1099 DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
1103 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1105 return NT_STATUS_NO_MEMORY;
1108 /* the domain group array is being allocated in the function below */
1112 if (info->disp_info->groups == NULL) {
1113 info->disp_info->groups = pdb_search_groups();
1115 if (info->disp_info->groups == NULL) {
1117 return NT_STATUS_ACCESS_DENIED;
1121 num_groups = pdb_search_entries(info->disp_info->groups,
1122 *r->in.resume_handle,
1123 MAX_SAM_ENTRIES, &groups);
1126 /* Ensure we cache this enumeration. */
1127 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1129 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1130 num_groups, groups);
1132 samr_array->count = num_groups;
1133 samr_array->entries = samr_entries;
1135 *r->out.sam = samr_array;
1136 *r->out.num_entries = num_groups;
1137 /* this was missing, IMHO:
1138 *r->out.resume_handle = num_groups + *r->in.resume_handle;
1141 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1146 /*******************************************************************
1147 _samr_EnumDomainAliases
1148 ********************************************************************/
1150 NTSTATUS _samr_EnumDomainAliases(pipes_struct *p,
1151 struct samr_EnumDomainAliases *r)
1154 struct samr_info *info;
1155 struct samr_displayentry *aliases;
1156 uint32 num_aliases = 0;
1157 struct samr_SamArray *samr_array = NULL;
1158 struct samr_SamEntry *samr_entries = NULL;
1160 /* find the policy handle. open a policy on it. */
1161 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1162 return NT_STATUS_INVALID_HANDLE;
1164 DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1165 sid_string_dbg(&info->sid)));
1167 status = access_check_samr_function(info->acc_granted,
1168 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
1169 "_samr_EnumDomainAliases");
1170 if (!NT_STATUS_IS_OK(status)) {
1174 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1176 return NT_STATUS_NO_MEMORY;
1181 if (info->disp_info->aliases == NULL) {
1182 info->disp_info->aliases = pdb_search_aliases(&info->sid);
1183 if (info->disp_info->aliases == NULL) {
1185 return NT_STATUS_ACCESS_DENIED;
1189 num_aliases = pdb_search_entries(info->disp_info->aliases,
1190 *r->in.resume_handle,
1191 MAX_SAM_ENTRIES, &aliases);
1194 /* Ensure we cache this enumeration. */
1195 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1197 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1198 num_aliases, aliases);
1200 DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
1202 samr_array->count = num_aliases;
1203 samr_array->entries = samr_entries;
1205 *r->out.sam = samr_array;
1206 *r->out.num_entries = num_aliases;
1207 *r->out.resume_handle = num_aliases + *r->in.resume_handle;
1212 /*******************************************************************
1213 inits a samr_DispInfoGeneral structure.
1214 ********************************************************************/
1216 static NTSTATUS init_samr_dispinfo_1(TALLOC_CTX *ctx,
1217 struct samr_DispInfoGeneral *r,
1218 uint32_t num_entries,
1220 struct samr_displayentry *entries)
1224 DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries));
1226 if (num_entries == 0) {
1227 return NT_STATUS_OK;
1230 r->count = num_entries;
1232 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryGeneral, num_entries);
1234 return NT_STATUS_NO_MEMORY;
1237 for (i = 0; i < num_entries ; i++) {
1239 init_lsa_String(&r->entries[i].account_name,
1240 entries[i].account_name);
1242 init_lsa_String(&r->entries[i].description,
1243 entries[i].description);
1245 init_lsa_String(&r->entries[i].full_name,
1246 entries[i].fullname);
1248 r->entries[i].rid = entries[i].rid;
1249 r->entries[i].acct_flags = entries[i].acct_flags;
1250 r->entries[i].idx = start_idx+i+1;
1253 return NT_STATUS_OK;
1256 /*******************************************************************
1257 inits a samr_DispInfoFull structure.
1258 ********************************************************************/
1260 static NTSTATUS init_samr_dispinfo_2(TALLOC_CTX *ctx,
1261 struct samr_DispInfoFull *r,
1262 uint32_t num_entries,
1264 struct samr_displayentry *entries)
1268 DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries));
1270 if (num_entries == 0) {
1271 return NT_STATUS_OK;
1274 r->count = num_entries;
1276 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFull, num_entries);
1278 return NT_STATUS_NO_MEMORY;
1281 for (i = 0; i < num_entries ; i++) {
1283 init_lsa_String(&r->entries[i].account_name,
1284 entries[i].account_name);
1286 init_lsa_String(&r->entries[i].description,
1287 entries[i].description);
1289 r->entries[i].rid = entries[i].rid;
1290 r->entries[i].acct_flags = entries[i].acct_flags;
1291 r->entries[i].idx = start_idx+i+1;
1294 return NT_STATUS_OK;
1297 /*******************************************************************
1298 inits a samr_DispInfoFullGroups structure.
1299 ********************************************************************/
1301 static NTSTATUS init_samr_dispinfo_3(TALLOC_CTX *ctx,
1302 struct samr_DispInfoFullGroups *r,
1303 uint32_t num_entries,
1305 struct samr_displayentry *entries)
1309 DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries));
1311 if (num_entries == 0) {
1312 return NT_STATUS_OK;
1315 r->count = num_entries;
1317 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFullGroup, num_entries);
1319 return NT_STATUS_NO_MEMORY;
1322 for (i = 0; i < num_entries ; i++) {
1324 init_lsa_String(&r->entries[i].account_name,
1325 entries[i].account_name);
1327 init_lsa_String(&r->entries[i].description,
1328 entries[i].description);
1330 r->entries[i].rid = entries[i].rid;
1331 r->entries[i].acct_flags = entries[i].acct_flags;
1332 r->entries[i].idx = start_idx+i+1;
1335 return NT_STATUS_OK;
1338 /*******************************************************************
1339 inits a samr_DispInfoAscii structure.
1340 ********************************************************************/
1342 static NTSTATUS init_samr_dispinfo_4(TALLOC_CTX *ctx,
1343 struct samr_DispInfoAscii *r,
1344 uint32_t num_entries,
1346 struct samr_displayentry *entries)
1350 DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries));
1352 if (num_entries == 0) {
1353 return NT_STATUS_OK;
1356 r->count = num_entries;
1358 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1360 return NT_STATUS_NO_MEMORY;
1363 for (i = 0; i < num_entries ; i++) {
1365 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1366 entries[i].account_name);
1368 r->entries[i].idx = start_idx+i+1;
1371 return NT_STATUS_OK;
1374 /*******************************************************************
1375 inits a samr_DispInfoAscii structure.
1376 ********************************************************************/
1378 static NTSTATUS init_samr_dispinfo_5(TALLOC_CTX *ctx,
1379 struct samr_DispInfoAscii *r,
1380 uint32_t num_entries,
1382 struct samr_displayentry *entries)
1386 DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries));
1388 if (num_entries == 0) {
1389 return NT_STATUS_OK;
1392 r->count = num_entries;
1394 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1396 return NT_STATUS_NO_MEMORY;
1399 for (i = 0; i < num_entries ; i++) {
1401 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1402 entries[i].account_name);
1404 r->entries[i].idx = start_idx+i+1;
1407 return NT_STATUS_OK;
1410 /*******************************************************************
1411 _samr_QueryDisplayInfo
1412 ********************************************************************/
1414 NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
1415 struct samr_QueryDisplayInfo *r)
1418 struct samr_info *info = NULL;
1419 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1421 uint32 max_entries = r->in.max_entries;
1422 uint32 enum_context = r->in.start_idx;
1423 uint32 max_size = r->in.buf_size;
1425 union samr_DispInfo *disp_info = r->out.info;
1427 uint32 temp_size=0, total_data_size=0;
1428 NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
1429 uint32 num_account = 0;
1430 enum remote_arch_types ra_type = get_remote_arch();
1431 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1432 struct samr_displayentry *entries = NULL;
1434 DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__));
1436 /* find the policy handle. open a policy on it. */
1437 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1438 return NT_STATUS_INVALID_HANDLE;
1440 status = access_check_samr_function(info->acc_granted,
1441 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
1442 "_samr_QueryDisplayInfo");
1443 if (!NT_STATUS_IS_OK(status)) {
1448 * calculate how many entries we will return.
1450 * - the number of entries the client asked
1451 * - our limit on that
1452 * - the starting point (enumeration context)
1453 * - the buffer size the client will accept
1457 * We are a lot more like W2K. Instead of reading the SAM
1458 * each time to find the records we need to send back,
1459 * we read it once and link that copy to the sam handle.
1460 * For large user list (over the MAX_SAM_ENTRIES)
1461 * it's a definitive win.
1462 * second point to notice: between enumerations
1463 * our sam is now the same as it's a snapshoot.
1464 * third point: got rid of the static SAM_USER_21 struct
1465 * no more intermediate.
1466 * con: it uses much more memory, as a full copy is stored
1469 * If you want to change it, think twice and think
1470 * of the second point , that's really important.
1475 if ((r->in.level < 1) || (r->in.level > 5)) {
1476 DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1477 (unsigned int)r->in.level ));
1478 return NT_STATUS_INVALID_INFO_CLASS;
1481 /* first limit the number of entries we will return */
1482 if(max_entries > max_sam_entries) {
1483 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1484 "entries, limiting to %d\n", max_entries,
1486 max_entries = max_sam_entries;
1489 /* calculate the size and limit on the number of entries we will
1492 temp_size=max_entries*struct_size;
1494 if (temp_size>max_size) {
1495 max_entries=MIN((max_size/struct_size),max_entries);;
1496 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1497 "only %d entries\n", max_entries));
1502 /* THe following done as ROOT. Don't return without unbecome_root(). */
1504 switch (r->in.level) {
1507 if (info->disp_info->users == NULL) {
1508 info->disp_info->users = pdb_search_users(ACB_NORMAL);
1509 if (info->disp_info->users == NULL) {
1511 return NT_STATUS_ACCESS_DENIED;
1513 DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1514 (unsigned int)enum_context ));
1516 DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1517 (unsigned int)enum_context ));
1520 num_account = pdb_search_entries(info->disp_info->users,
1521 enum_context, max_entries,
1525 if (info->disp_info->machines == NULL) {
1526 info->disp_info->machines =
1527 pdb_search_users(ACB_WSTRUST|ACB_SVRTRUST);
1528 if (info->disp_info->machines == NULL) {
1530 return NT_STATUS_ACCESS_DENIED;
1532 DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1533 (unsigned int)enum_context ));
1535 DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1536 (unsigned int)enum_context ));
1539 num_account = pdb_search_entries(info->disp_info->machines,
1540 enum_context, max_entries,
1545 if (info->disp_info->groups == NULL) {
1546 info->disp_info->groups = pdb_search_groups();
1547 if (info->disp_info->groups == NULL) {
1549 return NT_STATUS_ACCESS_DENIED;
1551 DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1552 (unsigned int)enum_context ));
1554 DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1555 (unsigned int)enum_context ));
1558 num_account = pdb_search_entries(info->disp_info->groups,
1559 enum_context, max_entries,
1564 smb_panic("info class changed");
1570 /* Now create reply structure */
1571 switch (r->in.level) {
1573 disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1,
1574 num_account, enum_context,
1578 disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2,
1579 num_account, enum_context,
1583 disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3,
1584 num_account, enum_context,
1588 disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4,
1589 num_account, enum_context,
1593 disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5,
1594 num_account, enum_context,
1598 smb_panic("info class changed");
1602 if (!NT_STATUS_IS_OK(disp_ret))
1605 /* calculate the total size */
1606 total_data_size=num_account*struct_size;
1609 status = STATUS_MORE_ENTRIES;
1611 status = NT_STATUS_OK;
1614 /* Ensure we cache this enumeration. */
1615 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1617 DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__));
1619 *r->out.total_size = total_data_size;
1620 *r->out.returned_size = temp_size;
1625 /****************************************************************
1626 _samr_QueryDisplayInfo2
1627 ****************************************************************/
1629 NTSTATUS _samr_QueryDisplayInfo2(pipes_struct *p,
1630 struct samr_QueryDisplayInfo2 *r)
1632 struct samr_QueryDisplayInfo q;
1634 q.in.domain_handle = r->in.domain_handle;
1635 q.in.level = r->in.level;
1636 q.in.start_idx = r->in.start_idx;
1637 q.in.max_entries = r->in.max_entries;
1638 q.in.buf_size = r->in.buf_size;
1640 q.out.total_size = r->out.total_size;
1641 q.out.returned_size = r->out.returned_size;
1642 q.out.info = r->out.info;
1644 return _samr_QueryDisplayInfo(p, &q);
1647 /****************************************************************
1648 _samr_QueryDisplayInfo3
1649 ****************************************************************/
1651 NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p,
1652 struct samr_QueryDisplayInfo3 *r)
1654 struct samr_QueryDisplayInfo q;
1656 q.in.domain_handle = r->in.domain_handle;
1657 q.in.level = r->in.level;
1658 q.in.start_idx = r->in.start_idx;
1659 q.in.max_entries = r->in.max_entries;
1660 q.in.buf_size = r->in.buf_size;
1662 q.out.total_size = r->out.total_size;
1663 q.out.returned_size = r->out.returned_size;
1664 q.out.info = r->out.info;
1666 return _samr_QueryDisplayInfo(p, &q);
1669 /*******************************************************************
1670 _samr_QueryAliasInfo
1671 ********************************************************************/
1673 NTSTATUS _samr_QueryAliasInfo(pipes_struct *p,
1674 struct samr_QueryAliasInfo *r)
1677 struct acct_info info;
1680 union samr_AliasInfo *alias_info = NULL;
1681 const char *alias_name = NULL;
1682 const char *alias_description = NULL;
1684 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1686 alias_info = TALLOC_ZERO_P(p->mem_ctx, union samr_AliasInfo);
1688 return NT_STATUS_NO_MEMORY;
1691 /* find the policy handle. open a policy on it. */
1692 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &sid, &acc_granted, NULL))
1693 return NT_STATUS_INVALID_HANDLE;
1695 status = access_check_samr_function(acc_granted,
1696 SA_RIGHT_ALIAS_LOOKUP_INFO,
1697 "_samr_QueryAliasInfo");
1698 if (!NT_STATUS_IS_OK(status)) {
1703 status = pdb_get_aliasinfo(&sid, &info);
1706 if ( !NT_STATUS_IS_OK(status))
1709 /* FIXME: info contains fstrings */
1710 alias_name = talloc_strdup(r, info.acct_name);
1711 alias_description = talloc_strdup(r, info.acct_desc);
1713 switch (r->in.level) {
1715 init_samr_alias_info1(&alias_info->all,
1720 case ALIASINFODESCRIPTION:
1721 init_samr_alias_info3(&alias_info->description,
1725 return NT_STATUS_INVALID_INFO_CLASS;
1728 *r->out.info = alias_info;
1730 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1732 return NT_STATUS_OK;
1736 /*******************************************************************
1737 samr_reply_lookup_ids
1738 ********************************************************************/
1740 uint32 _samr_lookup_ids(pipes_struct *p, SAMR_Q_LOOKUP_IDS *q_u, SAMR_R_LOOKUP_IDS *r_u)
1742 uint32 rid[MAX_SAM_ENTRIES];
1743 int num_rids = q_u->num_sids1;
1745 r_u->status = NT_STATUS_OK;
1747 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__));
1749 if (num_rids > MAX_SAM_ENTRIES) {
1750 num_rids = MAX_SAM_ENTRIES;
1751 DEBUG(5,("_samr_lookup_ids: truncating entries to %d\n", num_rids));
1756 SMB_ASSERT_ARRAY(q_u->uni_user_name, num_rids);
1758 for (i = 0; i < num_rids && status == 0; i++)
1760 struct sam_passwd *sam_pass;
1764 fstrcpy(user_name, unistrn2(q_u->uni_user_name[i].buffer,
1765 q_u->uni_user_name[i].uni_str_len));
1767 /* find the user account */
1769 sam_pass = get_smb21pwd_entry(user_name, 0);
1772 if (sam_pass == NULL)
1774 status = 0xC0000000 | NT_STATUS_NO_SUCH_USER;
1779 rid[i] = sam_pass->user_rid;
1785 rid[0] = BUILTIN_ALIAS_RID_USERS;
1787 init_samr_r_lookup_ids(&r_u, num_rids, rid, NT_STATUS_OK);
1789 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__));
1795 /*******************************************************************
1797 ********************************************************************/
1799 NTSTATUS _samr_LookupNames(pipes_struct *p,
1800 struct samr_LookupNames *r)
1804 enum lsa_SidType *type;
1806 int num_rids = r->in.num_names;
1809 struct samr_Ids rids, types;
1811 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1813 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL)) {
1814 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1817 status = access_check_samr_function(acc_granted,
1818 0, /* Don't know the acc_bits yet */
1819 "_samr_LookupNames");
1820 if (!NT_STATUS_IS_OK(status)) {
1824 if (num_rids > MAX_SAM_ENTRIES) {
1825 num_rids = MAX_SAM_ENTRIES;
1826 DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids));
1829 rid = talloc_array(p->mem_ctx, uint32, num_rids);
1830 NT_STATUS_HAVE_NO_MEMORY(rid);
1832 type = talloc_array(p->mem_ctx, enum lsa_SidType, num_rids);
1833 NT_STATUS_HAVE_NO_MEMORY(type);
1835 DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1836 sid_string_dbg(&pol_sid)));
1838 for (i = 0; i < num_rids; i++) {
1840 status = NT_STATUS_NONE_MAPPED;
1841 type[i] = SID_NAME_UNKNOWN;
1843 rid[i] = 0xffffffff;
1845 if (sid_check_is_builtin(&pol_sid)) {
1846 if (lookup_builtin_name(r->in.names[i].string,
1849 type[i] = SID_NAME_ALIAS;
1852 lookup_global_sam_name(r->in.names[i].string, 0,
1856 if (type[i] != SID_NAME_UNKNOWN) {
1857 status = NT_STATUS_OK;
1861 rids.count = num_rids;
1864 types.count = num_rids;
1867 *r->out.rids = rids;
1868 *r->out.types = types;
1870 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1875 /*******************************************************************
1876 _samr_ChangePasswordUser2
1877 ********************************************************************/
1879 NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
1880 struct samr_ChangePasswordUser2 *r)
1886 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1888 fstrcpy(user_name, r->in.account->string);
1889 fstrcpy(wks, r->in.server->string);
1891 DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
1894 * Pass the user through the NT -> unix user mapping
1898 (void)map_username(user_name);
1901 * UNIX username case mangling not required, pass_oem_change
1902 * is case insensitive.
1905 status = pass_oem_change(user_name,
1906 r->in.lm_password->data,
1907 r->in.lm_verifier->hash,
1908 r->in.nt_password->data,
1909 r->in.nt_verifier->hash,
1912 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1917 /*******************************************************************
1918 _samr_ChangePasswordUser3
1919 ********************************************************************/
1921 NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
1922 struct samr_ChangePasswordUser3 *r)
1926 const char *wks = NULL;
1927 uint32 reject_reason;
1928 struct samr_DomInfo1 *dominfo = NULL;
1929 struct samr_ChangeReject *reject = NULL;
1931 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
1933 fstrcpy(user_name, r->in.account->string);
1934 if (r->in.server && r->in.server->string) {
1935 wks = r->in.server->string;
1938 DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name, wks));
1941 * Pass the user through the NT -> unix user mapping
1945 (void)map_username(user_name);
1948 * UNIX username case mangling not required, pass_oem_change
1949 * is case insensitive.
1952 status = pass_oem_change(user_name,
1953 r->in.lm_password->data,
1954 r->in.lm_verifier->hash,
1955 r->in.nt_password->data,
1956 r->in.nt_verifier->hash,
1959 if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) ||
1960 NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_RESTRICTION)) {
1962 uint32 min_pass_len,pass_hist,password_properties;
1963 time_t u_expire, u_min_age;
1964 NTTIME nt_expire, nt_min_age;
1965 uint32 account_policy_temp;
1967 dominfo = TALLOC_ZERO_P(p->mem_ctx, struct samr_DomInfo1);
1969 return NT_STATUS_NO_MEMORY;
1972 reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject);
1974 return NT_STATUS_NO_MEMORY;
1981 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
1982 min_pass_len = account_policy_temp;
1984 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
1985 pass_hist = account_policy_temp;
1987 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
1988 password_properties = account_policy_temp;
1990 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
1991 u_expire = account_policy_temp;
1993 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
1994 u_min_age = account_policy_temp;
2000 unix_to_nt_time_abs(&nt_expire, u_expire);
2001 unix_to_nt_time_abs(&nt_min_age, u_min_age);
2003 if (lp_check_password_script() && *lp_check_password_script()) {
2004 password_properties |= DOMAIN_PASSWORD_COMPLEX;
2007 init_samr_DomInfo1(dominfo,
2010 password_properties,
2014 reject->reason = reject_reason;
2016 *r->out.dominfo = dominfo;
2017 *r->out.reject = reject;
2020 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
2025 /*******************************************************************
2026 makes a SAMR_R_LOOKUP_RIDS structure.
2027 ********************************************************************/
2029 static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
2031 struct lsa_String **lsa_name_array_p)
2033 struct lsa_String *lsa_name_array = NULL;
2036 *lsa_name_array_p = NULL;
2038 if (num_names != 0) {
2039 lsa_name_array = TALLOC_ZERO_ARRAY(ctx, struct lsa_String, num_names);
2040 if (!lsa_name_array) {
2045 for (i = 0; i < num_names; i++) {
2046 DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : ""));
2047 init_lsa_String(&lsa_name_array[i], names[i]);
2050 *lsa_name_array_p = lsa_name_array;
2055 /*******************************************************************
2057 ********************************************************************/
2059 NTSTATUS _samr_LookupRids(pipes_struct *p,
2060 struct samr_LookupRids *r)
2064 enum lsa_SidType *attrs = NULL;
2065 uint32 *wire_attrs = NULL;
2067 int num_rids = (int)r->in.num_rids;
2070 struct lsa_Strings names_array;
2071 struct samr_Ids types_array;
2072 struct lsa_String *lsa_names = NULL;
2074 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2076 /* find the policy handle. open a policy on it. */
2077 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL))
2078 return NT_STATUS_INVALID_HANDLE;
2080 status = access_check_samr_function(acc_granted,
2081 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
2082 "_samr__LookupRids");
2083 if (!NT_STATUS_IS_OK(status)) {
2087 if (num_rids > 1000) {
2088 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
2089 "to samba4 idl this is not possible\n", num_rids));
2090 return NT_STATUS_UNSUCCESSFUL;
2094 names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
2095 attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum lsa_SidType, num_rids);
2096 wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
2098 if ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))
2099 return NT_STATUS_NO_MEMORY;
2106 become_root(); /* lookup_sid can require root privs */
2107 status = pdb_lookup_rids(&pol_sid, num_rids, r->in.rids,
2111 if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) && (num_rids == 0)) {
2112 status = NT_STATUS_OK;
2115 if (!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
2117 return NT_STATUS_NO_MEMORY;
2120 /* Convert from enum lsa_SidType to uint32 for wire format. */
2121 for (i = 0; i < num_rids; i++) {
2122 wire_attrs[i] = (uint32)attrs[i];
2125 names_array.count = num_rids;
2126 names_array.names = lsa_names;
2128 types_array.count = num_rids;
2129 types_array.ids = wire_attrs;
2131 *r->out.names = names_array;
2132 *r->out.types = types_array;
2134 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2139 /*******************************************************************
2141 ********************************************************************/
2143 NTSTATUS _samr_OpenUser(pipes_struct *p,
2144 struct samr_OpenUser *r)
2146 struct samu *sampass=NULL;
2148 POLICY_HND domain_pol = *r->in.domain_handle;
2149 POLICY_HND *user_pol = r->out.user_handle;
2150 struct samr_info *info = NULL;
2151 SEC_DESC *psd = NULL;
2153 uint32 des_access = r->in.access_mask;
2159 /* find the domain policy handle and get domain SID / access bits in the domain policy. */
2161 if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) )
2162 return NT_STATUS_INVALID_HANDLE;
2164 nt_status = access_check_samr_function(acc_granted,
2165 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
2168 if ( !NT_STATUS_IS_OK(nt_status) )
2171 if ( !(sampass = samu_new( p->mem_ctx )) ) {
2172 return NT_STATUS_NO_MEMORY;
2175 /* append the user's RID to it */
2177 if (!sid_append_rid(&sid, r->in.rid))
2178 return NT_STATUS_NO_SUCH_USER;
2180 /* check if access can be granted as requested by client. */
2182 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
2183 se_map_generic(&des_access, &usr_generic_mapping);
2185 se_priv_copy( &se_rights, &se_machine_account );
2186 se_priv_add( &se_rights, &se_add_users );
2188 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2189 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
2190 &acc_granted, "_samr_OpenUser");
2192 if ( !NT_STATUS_IS_OK(nt_status) )
2196 ret=pdb_getsampwsid(sampass, &sid);
2199 /* check that the SID exists in our domain. */
2201 return NT_STATUS_NO_SUCH_USER;
2204 TALLOC_FREE(sampass);
2206 /* associate the user's SID and access bits with the new handle. */
2207 if ((info = get_samr_info_by_sid(&sid)) == NULL)
2208 return NT_STATUS_NO_MEMORY;
2209 info->acc_granted = acc_granted;
2211 /* get a (unique) handle. open a policy on it. */
2212 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info))
2213 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2215 return NT_STATUS_OK;
2218 /*************************************************************************
2219 *************************************************************************/
2221 static NTSTATUS init_samr_parameters_string(TALLOC_CTX *mem_ctx,
2223 struct lsa_BinaryString **_r)
2225 struct lsa_BinaryString *r;
2228 return NT_STATUS_INVALID_PARAMETER;
2231 r = TALLOC_ZERO_P(mem_ctx, struct lsa_BinaryString);
2233 return NT_STATUS_NO_MEMORY;
2236 r->array = TALLOC_ZERO_ARRAY(mem_ctx, uint16_t, blob->length/2);
2238 return NT_STATUS_NO_MEMORY;
2240 memcpy(r->array, blob->data, blob->length);
2241 r->size = blob->length;
2242 r->length = blob->length;
2245 return NT_STATUS_NO_MEMORY;
2250 return NT_STATUS_OK;
2253 /*************************************************************************
2254 get_user_info_7. Safe. Only gives out account_name.
2255 *************************************************************************/
2257 static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx,
2258 struct samr_UserInfo7 *r,
2261 struct samu *smbpass=NULL;
2263 const char *account_name = NULL;
2267 if ( !(smbpass = samu_new( mem_ctx )) ) {
2268 return NT_STATUS_NO_MEMORY;
2272 ret = pdb_getsampwsid(smbpass, user_sid);
2276 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2277 return NT_STATUS_NO_SUCH_USER;
2280 account_name = talloc_strdup(mem_ctx, pdb_get_username(smbpass));
2281 if (!account_name) {
2282 TALLOC_FREE(smbpass);
2283 return NT_STATUS_NO_MEMORY;
2285 TALLOC_FREE(smbpass);
2287 DEBUG(3,("User:[%s]\n", account_name));
2289 init_samr_user_info7(r, account_name);
2291 return NT_STATUS_OK;
2294 /*************************************************************************
2295 get_user_info_9. Only gives out primary group SID.
2296 *************************************************************************/
2298 static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx,
2299 struct samr_UserInfo9 *r,
2302 struct samu *smbpass=NULL;
2307 if ( !(smbpass = samu_new( mem_ctx )) ) {
2308 return NT_STATUS_NO_MEMORY;
2312 ret = pdb_getsampwsid(smbpass, user_sid);
2316 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2317 TALLOC_FREE(smbpass);
2318 return NT_STATUS_NO_SUCH_USER;
2321 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
2323 init_samr_user_info9(r, pdb_get_group_rid(smbpass));
2325 TALLOC_FREE(smbpass);
2327 return NT_STATUS_OK;
2330 /*************************************************************************
2331 get_user_info_16. Safe. Only gives out acb bits.
2332 *************************************************************************/
2334 static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx,
2335 struct samr_UserInfo16 *r,
2338 struct samu *smbpass=NULL;
2343 if ( !(smbpass = samu_new( mem_ctx )) ) {
2344 return NT_STATUS_NO_MEMORY;
2348 ret = pdb_getsampwsid(smbpass, user_sid);
2352 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2353 TALLOC_FREE(smbpass);
2354 return NT_STATUS_NO_SUCH_USER;
2357 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
2359 init_samr_user_info16(r, pdb_get_acct_ctrl(smbpass));
2361 TALLOC_FREE(smbpass);
2363 return NT_STATUS_OK;
2366 /*************************************************************************
2367 get_user_info_18. OK - this is the killer as it gives out password info.
2368 Ensure that this is only allowed on an encrypted connection with a root
2370 *************************************************************************/
2372 static NTSTATUS get_user_info_18(pipes_struct *p,
2373 TALLOC_CTX *mem_ctx,
2374 struct samr_UserInfo18 *r,
2377 struct samu *smbpass=NULL;
2382 if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
2383 return NT_STATUS_ACCESS_DENIED;
2386 if (p->auth.auth_level != PIPE_AUTH_LEVEL_PRIVACY) {
2387 return NT_STATUS_ACCESS_DENIED;
2391 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
2394 if ( !(smbpass = samu_new( mem_ctx )) ) {
2395 return NT_STATUS_NO_MEMORY;
2398 ret = pdb_getsampwsid(smbpass, user_sid);
2401 DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid)));
2402 TALLOC_FREE(smbpass);
2403 return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
2406 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
2408 if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
2409 TALLOC_FREE(smbpass);
2410 return NT_STATUS_ACCOUNT_DISABLED;
2413 init_samr_user_info18(r, pdb_get_lanman_passwd(smbpass),
2414 pdb_get_nt_passwd(smbpass));
2416 TALLOC_FREE(smbpass);
2418 return NT_STATUS_OK;
2421 /*************************************************************************
2423 *************************************************************************/
2425 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx,
2426 struct samr_UserInfo20 *r,
2429 struct samu *sampass=NULL;
2431 const char *munged_dial = NULL;
2434 struct lsa_BinaryString *parameters = NULL;
2438 if ( !(sampass = samu_new( mem_ctx )) ) {
2439 return NT_STATUS_NO_MEMORY;
2443 ret = pdb_getsampwsid(sampass, user_sid);
2447 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2448 TALLOC_FREE(sampass);
2449 return NT_STATUS_NO_SUCH_USER;
2452 munged_dial = pdb_get_munged_dial(sampass);
2454 samr_clear_sam_passwd(sampass);
2456 DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass),
2457 munged_dial, (int)strlen(munged_dial)));
2460 blob = base64_decode_data_blob(munged_dial);
2462 blob = data_blob_string_const("");
2465 status = init_samr_parameters_string(mem_ctx, &blob, ¶meters);
2466 data_blob_free(&blob);
2467 TALLOC_FREE(sampass);
2468 if (!NT_STATUS_IS_OK(status)) {
2472 init_samr_user_info20(r, parameters);
2474 return NT_STATUS_OK;
2478 /*************************************************************************
2480 *************************************************************************/
2482 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx,
2483 struct samr_UserInfo21 *r,
2485 DOM_SID *domain_sid)
2488 struct samu *pw = NULL;
2490 const DOM_SID *sid_user, *sid_group;
2491 uint32_t rid, primary_gid;
2492 NTTIME last_logon, last_logoff, last_password_change,
2493 acct_expiry, allow_password_change, force_password_change;
2494 time_t must_change_time;
2495 uint8_t password_expired;
2496 const char *account_name, *full_name, *home_directory, *home_drive,
2497 *logon_script, *profile_path, *description,
2498 *workstations, *comment;
2499 struct samr_LogonHours logon_hours;
2500 struct lsa_BinaryString *parameters = NULL;
2501 const char *munged_dial = NULL;
2506 if (!(pw = samu_new(mem_ctx))) {
2507 return NT_STATUS_NO_MEMORY;
2511 ret = pdb_getsampwsid(pw, user_sid);
2515 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2517 return NT_STATUS_NO_SUCH_USER;
2520 samr_clear_sam_passwd(pw);
2522 DEBUG(3,("User:[%s]\n", pdb_get_username(pw)));
2524 sid_user = pdb_get_user_sid(pw);
2526 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2527 DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2528 "the domain sid %s. Failing operation.\n",
2529 pdb_get_username(pw), sid_string_dbg(sid_user),
2530 sid_string_dbg(domain_sid)));
2532 return NT_STATUS_UNSUCCESSFUL;
2536 sid_group = pdb_get_group_sid(pw);
2539 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2540 DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2541 "which conflicts with the domain sid %s. Failing operation.\n",
2542 pdb_get_username(pw), sid_string_dbg(sid_group),
2543 sid_string_dbg(domain_sid)));
2545 return NT_STATUS_UNSUCCESSFUL;
2548 unix_to_nt_time(&last_logon, pdb_get_logon_time(pw));
2549 unix_to_nt_time(&last_logoff, pdb_get_logoff_time(pw));
2550 unix_to_nt_time(&acct_expiry, pdb_get_kickoff_time(pw));
2551 unix_to_nt_time(&last_password_change, pdb_get_pass_last_set_time(pw));
2552 unix_to_nt_time(&allow_password_change, pdb_get_pass_can_change_time(pw));
2554 must_change_time = pdb_get_pass_must_change_time(pw);
2555 if (must_change_time == get_time_t_max()) {
2556 unix_to_nt_time_abs(&force_password_change, must_change_time);
2558 unix_to_nt_time(&force_password_change, must_change_time);
2561 if (pdb_get_pass_must_change_time(pw) == 0) {
2562 password_expired = PASS_MUST_CHANGE_AT_NEXT_LOGON;
2564 password_expired = 0;
2567 munged_dial = pdb_get_munged_dial(pw);
2569 blob = base64_decode_data_blob(munged_dial);
2571 blob = data_blob_string_const("");
2574 status = init_samr_parameters_string(mem_ctx, &blob, ¶meters);
2575 data_blob_free(&blob);
2576 if (!NT_STATUS_IS_OK(status)) {
2581 account_name = talloc_strdup(mem_ctx, pdb_get_username(pw));
2582 full_name = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2583 home_directory = talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2584 home_drive = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2585 logon_script = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2586 profile_path = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2587 description = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2588 workstations = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2589 comment = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2591 logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2595 Look at a user on a real NT4 PDC with usrmgr, press
2596 'ok'. Then you will see that fields_present is set to
2597 0x08f827fa. Look at the user immediately after that again,
2598 and you will see that 0x00fffff is returned. This solves
2599 the problem that you get access denied after having looked
2606 init_samr_user_info21(r,
2609 last_password_change,
2611 allow_password_change,
2612 force_password_change,
2625 pdb_get_acct_ctrl(pw),
2626 pdb_build_fields_present(pw),
2628 pdb_get_bad_password_count(pw),
2629 pdb_get_logon_count(pw),
2630 0, /* country_code */
2632 0, /* nt_password_set */
2633 0, /* lm_password_set */
2637 return NT_STATUS_OK;
2640 /*******************************************************************
2642 ********************************************************************/
2644 NTSTATUS _samr_QueryUserInfo(pipes_struct *p,
2645 struct samr_QueryUserInfo *r)
2648 union samr_UserInfo *user_info = NULL;
2649 struct samr_info *info = NULL;
2653 /* search for the handle */
2654 if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info))
2655 return NT_STATUS_INVALID_HANDLE;
2657 status = access_check_samr_function(info->acc_granted,
2658 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
2659 "_samr_QueryUserInfo");
2660 if (!NT_STATUS_IS_OK(status)) {
2664 domain_sid = info->sid;
2666 sid_split_rid(&domain_sid, &rid);
2668 if (!sid_check_is_in_our_domain(&info->sid))
2669 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2671 DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
2672 sid_string_dbg(&info->sid)));
2674 user_info = TALLOC_ZERO_P(p->mem_ctx, union samr_UserInfo);
2676 return NT_STATUS_NO_MEMORY;
2679 DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r->in.level));
2681 switch (r->in.level) {
2683 status = get_user_info_7(p->mem_ctx, &user_info->info7, &info->sid);
2684 if (!NT_STATUS_IS_OK(status)) {
2689 status = get_user_info_9(p->mem_ctx, &user_info->info9, &info->sid);
2690 if (!NT_STATUS_IS_OK(status)) {
2695 status = get_user_info_16(p->mem_ctx, &user_info->info16, &info->sid);
2696 if (!NT_STATUS_IS_OK(status)) {
2702 status = get_user_info_18(p, p->mem_ctx, &user_info->info18, &info->sid);
2703 if (!NT_STATUS_IS_OK(status)) {
2709 status = get_user_info_20(p->mem_ctx, &user_info->info20, &info->sid);
2710 if (!NT_STATUS_IS_OK(status)) {
2716 status = get_user_info_21(p->mem_ctx, &user_info->info21,
2717 &info->sid, &domain_sid);
2718 if (!NT_STATUS_IS_OK(status)) {
2724 return NT_STATUS_INVALID_INFO_CLASS;
2727 *r->out.info = user_info;
2729 DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__));
2734 /*******************************************************************
2735 _samr_GetGroupsForUser
2736 ********************************************************************/
2738 NTSTATUS _samr_GetGroupsForUser(pipes_struct *p,
2739 struct samr_GetGroupsForUser *r)
2741 struct samu *sam_pass=NULL;
2744 struct samr_RidWithAttribute dom_gid;
2745 struct samr_RidWithAttribute *gids = NULL;
2746 uint32 primary_group_rid;
2747 size_t num_groups = 0;
2753 bool success = False;
2755 struct samr_RidWithAttributeArray *rids = NULL;
2758 * from the SID in the request:
2759 * we should send back the list of DOMAIN GROUPS
2760 * the user is a member of
2762 * and only the DOMAIN GROUPS
2763 * no ALIASES !!! neither aliases of the domain
2764 * nor aliases of the builtin SID
2769 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2771 rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidWithAttributeArray);
2773 return NT_STATUS_NO_MEMORY;
2776 /* find the policy handle. open a policy on it. */
2777 if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &sid, &acc_granted, NULL))
2778 return NT_STATUS_INVALID_HANDLE;
2780 result = access_check_samr_function(acc_granted,
2781 SA_RIGHT_USER_GET_GROUPS,
2782 "_samr_GetGroupsForUser");
2783 if (!NT_STATUS_IS_OK(result)) {
2787 if (!sid_check_is_in_our_domain(&sid))
2788 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2790 if ( !(sam_pass = samu_new( p->mem_ctx )) ) {
2791 return NT_STATUS_NO_MEMORY;
2795 ret = pdb_getsampwsid(sam_pass, &sid);
2799 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
2800 sid_string_dbg(&sid)));
2801 return NT_STATUS_NO_SUCH_USER;
2806 /* make both calls inside the root block */
2808 result = pdb_enum_group_memberships(p->mem_ctx, sam_pass,
2809 &sids, &unix_gids, &num_groups);
2810 if ( NT_STATUS_IS_OK(result) ) {
2811 success = sid_peek_check_rid(get_global_sam_sid(),
2812 pdb_get_group_sid(sam_pass),
2813 &primary_group_rid);
2817 if (!NT_STATUS_IS_OK(result)) {
2818 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
2819 sid_string_dbg(&sid)));
2824 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
2825 sid_string_dbg(pdb_get_group_sid(sam_pass)),
2826 pdb_get_username(sam_pass)));
2827 TALLOC_FREE(sam_pass);
2828 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2834 dom_gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
2836 dom_gid.rid = primary_group_rid;
2837 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2839 for (i=0; i<num_groups; i++) {
2841 if (!sid_peek_check_rid(get_global_sam_sid(),
2842 &(sids[i]), &dom_gid.rid)) {
2843 DEBUG(10, ("Found sid %s not in our domain\n",
2844 sid_string_dbg(&sids[i])));
2848 if (dom_gid.rid == primary_group_rid) {
2849 /* We added the primary group directly from the
2850 * sam_account. The other SIDs are unique from
2851 * enum_group_memberships */
2855 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2858 rids->count = num_gids;
2861 *r->out.rids = rids;
2863 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2868 /*******************************************************************
2869 samr_QueryDomainInfo_internal
2870 ********************************************************************/
2872 static NTSTATUS samr_QueryDomainInfo_internal(const char *fn_name,
2874 struct policy_handle *handle,
2876 union samr_DomainInfo **dom_info_ptr)
2878 NTSTATUS status = NT_STATUS_OK;
2879 struct samr_info *info = NULL;
2880 union samr_DomainInfo *dom_info;
2881 uint32 min_pass_len,pass_hist,password_properties;
2882 time_t u_expire, u_min_age;
2883 NTTIME nt_expire, nt_min_age;
2885 time_t u_lock_duration, u_reset_time;
2886 NTTIME nt_lock_duration, nt_reset_time;
2891 uint32 account_policy_temp;
2896 uint32 num_users=0, num_groups=0, num_aliases=0;
2898 DEBUG(5,("%s: %d\n", fn_name, __LINE__));
2900 dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo);
2902 return NT_STATUS_NO_MEMORY;
2905 *dom_info_ptr = dom_info;
2907 /* find the policy handle. open a policy on it. */
2908 if (!find_policy_by_hnd(p, handle, (void **)(void *)&info)) {
2909 return NT_STATUS_INVALID_HANDLE;
2912 status = access_check_samr_function(info->acc_granted,
2913 SA_RIGHT_SAM_OPEN_DOMAIN,
2914 "_samr_QueryDomainInfo_internal" );
2916 if ( !NT_STATUS_IS_OK(status) )
2926 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
2927 min_pass_len = account_policy_temp;
2929 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
2930 pass_hist = account_policy_temp;
2932 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
2933 password_properties = account_policy_temp;
2935 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
2936 u_expire = account_policy_temp;
2938 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
2939 u_min_age = account_policy_temp;
2945 unix_to_nt_time_abs(&nt_expire, u_expire);
2946 unix_to_nt_time_abs(&nt_min_age, u_min_age);
2948 init_samr_DomInfo1(&dom_info->info1,
2949 (uint16)min_pass_len,
2951 password_properties,
2961 num_users = count_sam_users(info->disp_info, ACB_NORMAL);
2962 num_groups = count_sam_groups(info->disp_info);
2963 num_aliases = count_sam_aliases(info->disp_info);
2965 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
2966 u_logout = account_policy_temp;
2968 unix_to_nt_time_abs(&nt_logout, u_logout);
2970 if (!pdb_get_seq_num(&seq_num))
2971 seq_num = time(NULL);
2977 server_role = ROLE_DOMAIN_PDC;
2978 if (lp_server_role() == ROLE_DOMAIN_BDC)
2979 server_role = ROLE_DOMAIN_BDC;
2981 init_samr_DomInfo2(&dom_info->info2,
3002 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &ul);
3003 u_logout = (time_t)ul;
3010 unix_to_nt_time_abs(&nt_logout, u_logout);
3012 init_samr_DomInfo3(&dom_info->info3,
3017 init_samr_DomInfo4(&dom_info->info4,
3021 init_samr_DomInfo5(&dom_info->info5,
3022 get_global_sam_name());
3025 /* NT returns its own name when a PDC. win2k and later
3026 * only the name of the PDC if itself is a BDC (samba4
3028 init_samr_DomInfo6(&dom_info->info6,
3032 server_role = ROLE_DOMAIN_PDC;
3033 if (lp_server_role() == ROLE_DOMAIN_BDC)
3034 server_role = ROLE_DOMAIN_BDC;
3036 init_samr_DomInfo7(&dom_info->info7,
3045 if (!pdb_get_seq_num(&seq_num)) {
3046 seq_num = time(NULL);
3053 init_samr_DomInfo8(&dom_info->info8,
3063 pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
3064 u_lock_duration = account_policy_temp;
3065 if (u_lock_duration != -1) {
3066 u_lock_duration *= 60;
3069 pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
3070 u_reset_time = account_policy_temp * 60;
3072 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
3073 lockout = account_policy_temp;
3079 unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
3080 unix_to_nt_time_abs(&nt_reset_time, u_reset_time);
3082 init_samr_DomInfo12(&dom_info->info12,
3088 return NT_STATUS_INVALID_INFO_CLASS;
3091 DEBUG(5,("%s: %d\n", fn_name, __LINE__));
3096 /*******************************************************************
3097 _samr_QueryDomainInfo
3098 ********************************************************************/
3100 NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
3101 struct samr_QueryDomainInfo *r)
3103 return samr_QueryDomainInfo_internal("_samr_QueryDomainInfo",
3105 r->in.domain_handle,
3110 /* W2k3 seems to use the same check for all 3 objects that can be created via
3111 * SAMR, if you try to create for example "Dialup" as an alias it says
3112 * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
3115 static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name)
3117 enum lsa_SidType type;
3120 DEBUG(10, ("Checking whether [%s] can be created\n", new_name));
3123 /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
3124 * whether the name already exists */
3125 result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_LOCAL,
3126 NULL, NULL, NULL, &type);
3130 DEBUG(10, ("%s does not exist, can create it\n", new_name));
3131 return NT_STATUS_OK;
3134 DEBUG(5, ("trying to create %s, exists as %s\n",
3135 new_name, sid_type_lookup(type)));
3137 if (type == SID_NAME_DOM_GRP) {
3138 return NT_STATUS_GROUP_EXISTS;
3140 if (type == SID_NAME_ALIAS) {
3141 return NT_STATUS_ALIAS_EXISTS;
3144 /* Yes, the default is NT_STATUS_USER_EXISTS */
3145 return NT_STATUS_USER_EXISTS;
3148 /*******************************************************************
3150 ********************************************************************/
3152 NTSTATUS _samr_CreateUser2(pipes_struct *p,
3153 struct samr_CreateUser2 *r)
3155 const char *account = NULL;
3157 POLICY_HND dom_pol = *r->in.domain_handle;
3158 uint32_t acb_info = r->in.acct_flags;
3159 POLICY_HND *user_pol = r->out.user_handle;
3160 struct samr_info *info = NULL;
3165 /* check this, when giving away 'add computer to domain' privs */
3166 uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
3167 bool can_add_account = False;
3169 DISP_INFO *disp_info = NULL;
3171 /* Get the domain SID stored in the domain policy */
3172 if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted,
3174 return NT_STATUS_INVALID_HANDLE;
3176 nt_status = access_check_samr_function(acc_granted,
3177 SA_RIGHT_DOMAIN_CREATE_USER,
3178 "_samr_CreateUser2");
3179 if (!NT_STATUS_IS_OK(nt_status)) {
3183 if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST ||
3184 acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
3185 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3186 this parameter is not an account type */
3187 return NT_STATUS_INVALID_PARAMETER;
3190 account = r->in.account_name->string;
3191 if (account == NULL) {
3192 return NT_STATUS_NO_MEMORY;
3195 nt_status = can_create(p->mem_ctx, account);
3196 if (!NT_STATUS_IS_OK(nt_status)) {
3200 /* determine which user right we need to check based on the acb_info */
3202 if ( acb_info & ACB_WSTRUST )
3204 se_priv_copy( &se_rights, &se_machine_account );
3205 can_add_account = user_has_privileges(
3206 p->pipe_user.nt_user_token, &se_rights );
3208 /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
3209 account for domain trusts and changes the ACB flags later */
3210 else if ( acb_info & ACB_NORMAL &&
3211 (account[strlen(account)-1] != '$') )
3213 se_priv_copy( &se_rights, &se_add_users );
3214 can_add_account = user_has_privileges(
3215 p->pipe_user.nt_user_token, &se_rights );
3217 else /* implicit assumption of a BDC or domain trust account here
3218 * (we already check the flags earlier) */
3220 if ( lp_enable_privileges() ) {
3221 /* only Domain Admins can add a BDC or domain trust */
3222 se_priv_copy( &se_rights, &se_priv_none );
3223 can_add_account = nt_token_check_domain_rid(
3224 p->pipe_user.nt_user_token,
3225 DOMAIN_GROUP_RID_ADMINS );
3229 DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
3230 uidtoname(p->pipe_user.ut.uid),
3231 can_add_account ? "True":"False" ));
3233 /********** BEGIN Admin BLOCK **********/
3235 if ( can_add_account )
3238 nt_status = pdb_create_user(p->mem_ctx, account, acb_info,
3241 if ( can_add_account )
3244 /********** END Admin BLOCK **********/
3246 /* now check for failure */
3248 if ( !NT_STATUS_IS_OK(nt_status) )
3251 /* Get the user's SID */
3253 sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
3255 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
3256 &sid, SAMR_USR_RIGHTS_WRITE_PW);
3257 se_map_generic(&des_access, &usr_generic_mapping);
3259 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3260 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
3261 &acc_granted, "_samr_CreateUser2");
3263 if ( !NT_STATUS_IS_OK(nt_status) ) {
3267 /* associate the user's SID with the new handle. */
3268 if ((info = get_samr_info_by_sid(&sid)) == NULL) {
3269 return NT_STATUS_NO_MEMORY;
3274 info->acc_granted = acc_granted;
3276 /* get a (unique) handle. open a policy on it. */
3277 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) {
3278 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3281 /* After a "set" ensure we have no cached display info. */
3282 force_flush_samr_cache(info->disp_info);
3284 *r->out.access_granted = acc_granted;
3286 return NT_STATUS_OK;
3289 /*******************************************************************
3291 ********************************************************************/
3293 NTSTATUS _samr_Connect(pipes_struct *p,
3294 struct samr_Connect *r)
3296 struct samr_info *info = NULL;
3297 uint32 des_access = r->in.access_mask;
3301 if (!pipe_access_check(p)) {
3302 DEBUG(3, ("access denied to _samr_Connect\n"));
3303 return NT_STATUS_ACCESS_DENIED;
3306 /* set up the SAMR connect_anon response */
3308 /* associate the user's SID with the new handle. */
3309 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3310 return NT_STATUS_NO_MEMORY;
3312 /* don't give away the farm but this is probably ok. The SA_RIGHT_SAM_ENUM_DOMAINS
3313 was observed from a win98 client trying to enumerate users (when configured
3314 user level access control on shares) --jerry */
3316 if (des_access == MAXIMUM_ALLOWED_ACCESS) {
3317 /* Map to max possible knowing we're filtered below. */
3318 des_access = GENERIC_ALL_ACCESS;
3321 se_map_generic( &des_access, &sam_generic_mapping );
3322 info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN);
3324 /* get a (unique) handle. open a policy on it. */
3325 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3326 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3328 return NT_STATUS_OK;
3331 /*******************************************************************
3333 ********************************************************************/
3335 NTSTATUS _samr_Connect2(pipes_struct *p,
3336 struct samr_Connect2 *r)
3338 struct samr_info *info = NULL;
3339 SEC_DESC *psd = NULL;
3341 uint32 des_access = r->in.access_mask;
3346 DEBUG(5,("_samr_Connect2: %d\n", __LINE__));
3350 if (!pipe_access_check(p)) {
3351 DEBUG(3, ("access denied to _samr_Connect2\n"));
3352 return NT_STATUS_ACCESS_DENIED;
3355 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3356 se_map_generic(&des_access, &sam_generic_mapping);
3358 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3359 NULL, 0, des_access, &acc_granted, "_samr_Connect2");
3361 if ( !NT_STATUS_IS_OK(nt_status) )
3364 /* associate the user's SID and access granted with the new handle. */
3365 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3366 return NT_STATUS_NO_MEMORY;
3368 info->acc_granted = acc_granted;
3369 info->status = r->in.access_mask; /* this looks so wrong... - gd */
3371 /* get a (unique) handle. open a policy on it. */
3372 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3373 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3375 DEBUG(5,("_samr_Connect2: %d\n", __LINE__));
3380 /*******************************************************************
3382 ********************************************************************/
3384 NTSTATUS _samr_Connect4(pipes_struct *p,
3385 struct samr_Connect4 *r)
3387 struct samr_info *info = NULL;
3388 SEC_DESC *psd = NULL;
3390 uint32 des_access = r->in.access_mask;
3395 DEBUG(5,("_samr_Connect4: %d\n", __LINE__));
3399 if (!pipe_access_check(p)) {
3400 DEBUG(3, ("access denied to samr_Connect4\n"));
3401 return NT_STATUS_ACCESS_DENIED;
3404 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3405 se_map_generic(&des_access, &sam_generic_mapping);
3407 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3408 NULL, 0, des_access, &acc_granted, "_samr_Connect4");
3410 if ( !NT_STATUS_IS_OK(nt_status) )
3413 /* associate the user's SID and access granted with the new handle. */
3414 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3415 return NT_STATUS_NO_MEMORY;
3417 info->acc_granted = acc_granted;
3418 info->status = r->in.access_mask; /* ??? */
3420 /* get a (unique) handle. open a policy on it. */
3421 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3422 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3424 DEBUG(5,("_samr_Connect4: %d\n", __LINE__));
3426 return NT_STATUS_OK;
3429 /*******************************************************************
3431 ********************************************************************/
3433 NTSTATUS _samr_Connect5(pipes_struct *p,
3434 struct samr_Connect5 *r)
3436 struct samr_info *info = NULL;
3437 SEC_DESC *psd = NULL;
3439 uint32 des_access = r->in.access_mask;
3442 struct samr_ConnectInfo1 info1;
3444 DEBUG(5,("_samr_Connect5: %d\n", __LINE__));
3448 if (!pipe_access_check(p)) {
3449 DEBUG(3, ("access denied to samr_Connect5\n"));
3450 return NT_STATUS_ACCESS_DENIED;
3453 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3454 se_map_generic(&des_access, &sam_generic_mapping);
3456 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3457 NULL, 0, des_access, &acc_granted, "_samr_Connect5");
3459 if ( !NT_STATUS_IS_OK(nt_status) )
3462 /* associate the user's SID and access granted with the new handle. */
3463 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3464 return NT_STATUS_NO_MEMORY;
3466 info->acc_granted = acc_granted;
3467 info->status = r->in.access_mask; /* ??? */
3469 /* get a (unique) handle. open a policy on it. */
3470 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3471 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3473 DEBUG(5,("_samr_Connect5: %d\n", __LINE__));
3475 info1.client_version = SAMR_CONNECT_AFTER_W2K;
3478 *r->out.level_out = 1;
3479 r->out.info_out->info1 = info1;
3481 return NT_STATUS_OK;
3484 /**********************************************************************
3486 **********************************************************************/
3488 NTSTATUS _samr_LookupDomain(pipes_struct *p,
3489 struct samr_LookupDomain *r)
3491 NTSTATUS status = NT_STATUS_OK;
3492 struct samr_info *info;
3493 const char *domain_name;
3494 DOM_SID *sid = NULL;
3496 if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
3497 return NT_STATUS_INVALID_HANDLE;
3499 /* win9x user manager likes to use SA_RIGHT_SAM_ENUM_DOMAINS here.
3500 Reverted that change so we will work with RAS servers again */
3502 status = access_check_samr_function(info->acc_granted,
3503 SA_RIGHT_SAM_OPEN_DOMAIN,
3504 "_samr_LookupDomain");
3505 if (!NT_STATUS_IS_OK(status)) {
3509 domain_name = r->in.domain_name->string;
3511 sid = TALLOC_ZERO_P(p->mem_ctx, struct dom_sid2);
3513 return NT_STATUS_NO_MEMORY;
3516 if (strequal(domain_name, builtin_domain_name())) {
3517 sid_copy(sid, &global_sid_Builtin);
3519 if (!secrets_fetch_domain_sid(domain_name, sid)) {
3520 status = NT_STATUS_NO_SUCH_DOMAIN;
3524 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name,
3525 sid_string_dbg(sid)));
3532 /**********************************************************************
3534 **********************************************************************/
3536 NTSTATUS _samr_EnumDomains(pipes_struct *p,
3537 struct samr_EnumDomains *r)
3540 struct samr_info *info;
3541 uint32_t num_entries = 2;
3542 struct samr_SamEntry *entry_array = NULL;
3543 struct samr_SamArray *sam;
3545 if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
3546 return NT_STATUS_INVALID_HANDLE;
3548 status = access_check_samr_function(info->acc_granted,
3549 SA_RIGHT_SAM_ENUM_DOMAINS,
3550 "_samr_EnumDomains");
3551 if (!NT_STATUS_IS_OK(status)) {
3555 sam = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
3557 return NT_STATUS_NO_MEMORY;
3560 entry_array = TALLOC_ZERO_ARRAY(p->mem_ctx,
3561 struct samr_SamEntry,
3564 return NT_STATUS_NO_MEMORY;
3567 entry_array[0].idx = 0;
3568 init_lsa_String(&entry_array[0].name, get_global_sam_name());
3570 entry_array[1].idx = 1;
3571 init_lsa_String(&entry_array[1].name, "Builtin");
3573 sam->count = num_entries;
3574 sam->entries = entry_array;
3577 *r->out.num_entries = num_entries;
3582 /*******************************************************************
3584 ********************************************************************/
3586 NTSTATUS _samr_OpenAlias(pipes_struct *p,
3587 struct samr_OpenAlias *r)
3590 POLICY_HND domain_pol = *r->in.domain_handle;
3591 uint32 alias_rid = r->in.rid;
3592 POLICY_HND *alias_pol = r->out.alias_handle;
3593 struct samr_info *info = NULL;
3594 SEC_DESC *psd = NULL;
3596 uint32 des_access = r->in.access_mask;
3601 /* find the domain policy and get the SID / access bits stored in the domain policy */
3603 if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) )
3604 return NT_STATUS_INVALID_HANDLE;
3606 status = access_check_samr_function(acc_granted,
3607 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
3610 if ( !NT_STATUS_IS_OK(status) )
3613 /* append the alias' RID to it */
3615 if (!sid_append_rid(&sid, alias_rid))
3616 return NT_STATUS_NO_SUCH_ALIAS;
3618 /*check if access can be granted as requested by client. */
3620 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
3621 se_map_generic(&des_access,&ali_generic_mapping);
3623 se_priv_copy( &se_rights, &se_add_users );
3626 status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3627 &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access,
3628 &acc_granted, "_samr_OpenAlias");
3630 if ( !NT_STATUS_IS_OK(status) )
3634 /* Check we actually have the requested alias */
3635 enum lsa_SidType type;
3640 result = lookup_sid(NULL, &sid, NULL, NULL, &type);
3643 if (!result || (type != SID_NAME_ALIAS)) {
3644 return NT_STATUS_NO_SUCH_ALIAS;
3647 /* make sure there is a mapping */
3649 if ( !sid_to_gid( &sid, &gid ) ) {
3650 return NT_STATUS_NO_SUCH_ALIAS;
3655 /* associate the alias SID with the new handle. */
3656 if ((info = get_samr_info_by_sid(&sid)) == NULL)
3657 return NT_STATUS_NO_MEMORY;
3659 info->acc_granted = acc_granted;
3661 /* get a (unique) handle. open a policy on it. */
3662 if (!create_policy_hnd(p, alias_pol, free_samr_info, (void *)info))
3663 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3665 return NT_STATUS_OK;
3668 /*******************************************************************
3670 ********************************************************************/
3672 static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx,
3673 struct samr_UserInfo7 *id7,
3679 DEBUG(5, ("set_user_info_7: NULL id7\n"));
3681 return NT_STATUS_ACCESS_DENIED;
3684 if (!id7->account_name.string) {
3685 DEBUG(5, ("set_user_info_7: failed to get new username\n"));
3687 return NT_STATUS_ACCESS_DENIED;
3690 /* check to see if the new username already exists. Note: we can't
3691 reliably lock all backends, so there is potentially the
3692 possibility that a user can be created in between this check and
3693 the rename. The rename should fail, but may not get the
3694 exact same failure status code. I think this is small enough
3695 of a window for this type of operation and the results are
3696 simply that the rename fails with a slightly different status
3697 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3699 rc = can_create(mem_ctx, id7->account_name.string);
3700 if (!NT_STATUS_IS_OK(rc)) {
3704 rc = pdb_rename_sam_account(pwd, id7->account_name.string);
3710 /*******************************************************************
3712 ********************************************************************/
3714 static bool set_user_info_16(struct samr_UserInfo16 *id16,
3718 DEBUG(5, ("set_user_info_16: NULL id16\n"));
3723 /* FIX ME: check if the value is really changed --metze */
3724 if (!pdb_set_acct_ctrl(pwd, id16->acct_flags, PDB_CHANGED)) {
3729 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3739 /*******************************************************************
3741 ********************************************************************/
3743 static bool set_user_info_18(struct samr_UserInfo18 *id18,
3747 DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
3752 if (!pdb_set_lanman_passwd (pwd, id18->lm_pwd.hash, PDB_CHANGED)) {
3756 if (!pdb_set_nt_passwd (pwd, id18->nt_pwd.hash, PDB_CHANGED)) {
3760 if (!pdb_set_pass_last_set_time (pwd, time(NULL), PDB_CHANGED)) {
3765 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3774 /*******************************************************************
3776 ********************************************************************/
3778 static bool set_user_info_20(struct samr_UserInfo20 *id20,
3782 DEBUG(5, ("set_user_info_20: NULL id20\n"));
3786 copy_id20_to_sam_passwd(pwd, id20);
3788 /* write the change out */
3789 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3799 /*******************************************************************
3801 ********************************************************************/
3803 static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx,
3804 struct samr_UserInfo21 *id21,
3810 DEBUG(5, ("set_user_info_21: NULL id21\n"));
3811 return NT_STATUS_INVALID_PARAMETER;
3814 /* we need to separately check for an account rename first */
3816 if (id21->account_name.string &&
3817 (!strequal(id21->account_name.string, pdb_get_username(pwd))))
3820 /* check to see if the new username already exists. Note: we can't
3821 reliably lock all backends, so there is potentially the
3822 possibility that a user can be created in between this check and
3823 the rename. The rename should fail, but may not get the
3824 exact same failure status code. I think this is small enough
3825 of a window for this type of operation and the results are
3826 simply that the rename fails with a slightly different status
3827 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3829 status = can_create(mem_ctx, id21->account_name.string);
3830 if (!NT_STATUS_IS_OK(status)) {
3834 status = pdb_rename_sam_account(pwd, id21->account_name.string);
3836 if (!NT_STATUS_IS_OK(status)) {
3837 DEBUG(0,("set_user_info_21: failed to rename account: %s\n",
3838 nt_errstr(status)));
3843 /* set the new username so that later
3844 functions can work on the new account */
3845 pdb_set_username(pwd, id21->account_name.string, PDB_SET);
3848 copy_id21_to_sam_passwd("INFO_21", pwd, id21);
3851 * The funny part about the previous two calls is
3852 * that pwd still has the password hashes from the
3853 * passdb entry. These have not been updated from
3854 * id21. I don't know if they need to be set. --jerry
3857 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
3858 status = pdb_set_unix_primary_group(mem_ctx, pwd);
3859 if ( !NT_STATUS_IS_OK(status) ) {
3864 /* Don't worry about writing out the user account since the
3865 primary group SID is generated solely from the user's Unix
3868 /* write the change out */
3869 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
3876 return NT_STATUS_OK;
3879 /*******************************************************************
3881 ********************************************************************/
3883 static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx,
3884 struct samr_UserInfo23 *id23,
3887 char *plaintext_buf = NULL;
3893 DEBUG(5, ("set_user_info_23: NULL id23\n"));
3894 return NT_STATUS_INVALID_PARAMETER;
3897 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
3898 pdb_get_username(pwd)));
3900 acct_ctrl = pdb_get_acct_ctrl(pwd);
3902 if (!decode_pw_buffer(mem_ctx,
3903 id23->password.data,
3908 return NT_STATUS_INVALID_PARAMETER;
3911 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
3913 return NT_STATUS_ACCESS_DENIED;
3916 copy_id23_to_sam_passwd(pwd, id23);
3918 /* if it's a trust account, don't update /etc/passwd */
3919 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
3920 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
3921 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
3922 DEBUG(5, ("Changing trust account. Not updating /etc/passwd\n"));
3924 /* update the UNIX password */
3925 if (lp_unix_password_sync() ) {
3926 struct passwd *passwd;
3927 if (pdb_get_username(pwd) == NULL) {
3928 DEBUG(1, ("chgpasswd: User without name???\n"));
3930 return NT_STATUS_ACCESS_DENIED;
3933 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
3934 if (passwd == NULL) {
3935 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
3938 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
3940 return NT_STATUS_ACCESS_DENIED;
3942 TALLOC_FREE(passwd);
3946 memset(plaintext_buf, '\0', strlen(plaintext_buf));
3948 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) &&
3949 (!NT_STATUS_IS_OK(status = pdb_set_unix_primary_group(mem_ctx,
3955 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
3962 return NT_STATUS_OK;
3965 /*******************************************************************
3967 ********************************************************************/
3969 static bool set_user_info_pw(uint8 *pass, struct samu *pwd,
3973 char *plaintext_buf = NULL;
3975 time_t last_set_time;
3976 enum pdb_value_state last_set_state;
3978 DEBUG(5, ("Attempting administrator password change for user %s\n",
3979 pdb_get_username(pwd)));
3981 acct_ctrl = pdb_get_acct_ctrl(pwd);
3982 /* we need to know if it's expired, because this is an admin change, not a
3983 user change, so it's still expired when we're done */
3984 last_set_state = pdb_get_init_flags(pwd, PDB_PASSLASTSET);
3985 last_set_time = pdb_get_pass_last_set_time(pwd);
3987 if (!decode_pw_buffer(talloc_tos(),
3996 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
4001 /* if it's a trust account, don't update /etc/passwd */
4002 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
4003 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
4004 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
4005 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
4007 /* update the UNIX password */
4008 if (lp_unix_password_sync()) {
4009 struct passwd *passwd;
4011 if (pdb_get_username(pwd) == NULL) {
4012 DEBUG(1, ("chgpasswd: User without name???\n"));
4017 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
4018 if (passwd == NULL) {
4019 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4022 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
4026 TALLOC_FREE(passwd);
4030 memset(plaintext_buf, '\0', strlen(plaintext_buf));
4033 * A level 25 change does reset the pwdlastset field, a level 24
4034 * change does not. I know this is probably not the full story, but
4035 * it is needed to make XP join LDAP correctly, without it the later
4036 * auth2 check can fail with PWD_MUST_CHANGE.
4040 * restore last set time as this is an admin change, not a
4043 pdb_set_pass_last_set_time (pwd, last_set_time,
4047 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
4049 /* update the SAMBA password */
4050 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
4060 /*******************************************************************
4062 ********************************************************************/
4064 static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx,
4065 struct samr_UserInfo25 *id25,
4071 DEBUG(5, ("set_user_info_25: NULL id25\n"));
4072 return NT_STATUS_INVALID_PARAMETER;
4075 copy_id25_to_sam_passwd(pwd, id25);
4077 /* write the change out */
4078 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4084 * We need to "pdb_update_sam_account" before the unix primary group
4085 * is set, because the idealx scripts would also change the
4086 * sambaPrimaryGroupSid using the ldap replace method. pdb_ldap uses
4087 * the delete explicit / add explicit, which would then fail to find
4088 * the previous primaryGroupSid value.
4091 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
4092 status = pdb_set_unix_primary_group(mem_ctx, pwd);
4093 if ( !NT_STATUS_IS_OK(status) ) {
4098 /* WARNING: No TALLOC_FREE(pwd), we are about to set the password
4101 return NT_STATUS_OK;
4104 /*******************************************************************
4105 samr_SetUserInfo_internal
4106 ********************************************************************/
4108 static NTSTATUS samr_SetUserInfo_internal(const char *fn_name,
4110 struct policy_handle *user_handle,
4112 union samr_UserInfo *info)
4115 struct samu *pwd = NULL;
4117 POLICY_HND *pol = user_handle;
4118 uint16_t switch_value = level;
4119 uint32_t acc_granted;
4120 uint32_t acc_required;
4122 bool has_enough_rights = False;
4124 DISP_INFO *disp_info = NULL;
4126 DEBUG(5,("%s: %d\n", fn_name, __LINE__));
4128 /* find the policy handle. open a policy on it. */
4129 if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) {
4130 return NT_STATUS_INVALID_HANDLE;
4133 /* This is tricky. A WinXP domain join sets
4134 (SA_RIGHT_USER_SET_PASSWORD|SA_RIGHT_USER_SET_ATTRIBUTES|SA_RIGHT_USER_ACCT_FLAGS_EXPIRY)
4135 The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the
4136 standard Win32 API calls just ask for SA_RIGHT_USER_SET_PASSWORD in the SamrOpenUser().
4137 This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so
4138 we'll use the set from the WinXP join as the basis. */
4140 switch (switch_value) {
4145 acc_required = SA_RIGHT_USER_SET_PASSWORD;
4148 acc_required = SA_RIGHT_USER_SET_PASSWORD |
4149 SA_RIGHT_USER_SET_ATTRIBUTES |
4150 SA_RIGHT_USER_ACCT_FLAGS_EXPIRY;
4154 status = access_check_samr_function(acc_granted,
4157 if (!NT_STATUS_IS_OK(status)) {
4161 DEBUG(5, ("%s: sid:%s, level:%d\n",
4162 fn_name, sid_string_dbg(&sid), switch_value));
4165 DEBUG(5, ("%s: NULL info level\n", fn_name));
4166 return NT_STATUS_INVALID_INFO_CLASS;
4169 if (!(pwd = samu_new(NULL))) {
4170 return NT_STATUS_NO_MEMORY;
4174 ret = pdb_getsampwsid(pwd, &sid);
4179 return NT_STATUS_NO_SUCH_USER;
4182 /* deal with machine password changes differently from userinfo changes */
4183 /* check to see if we have the sufficient rights */
4185 acb_info = pdb_get_acct_ctrl(pwd);
4186 if (acb_info & ACB_WSTRUST)
4187 has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token,
4188 &se_machine_account);
4189 else if (acb_info & ACB_NORMAL)
4190 has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token,
4192 else if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
4193 if (lp_enable_privileges()) {
4194 has_enough_rights = nt_token_check_domain_rid(p->pipe_user.nt_user_token,
4195 DOMAIN_GROUP_RID_ADMINS);
4199 DEBUG(5, ("%s: %s does%s possess sufficient rights\n",
4201 uidtoname(p->pipe_user.ut.uid),
4202 has_enough_rights ? "" : " not"));
4204 /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
4206 if (has_enough_rights) {
4210 /* ok! user info levels (lots: see MSDEV help), off we go... */
4212 switch (switch_value) {
4215 status = set_user_info_7(p->mem_ctx,
4220 if (!set_user_info_16(&info->info16, pwd)) {
4221 status = NT_STATUS_ACCESS_DENIED;
4226 /* Used by AS/U JRA. */
4227 if (!set_user_info_18(&info->info18, pwd)) {
4228 status = NT_STATUS_ACCESS_DENIED;
4233 if (!set_user_info_20(&info->info20, pwd)) {
4234 status = NT_STATUS_ACCESS_DENIED;
4239 status = set_user_info_21(p->mem_ctx,
4240 &info->info21, pwd);
4244 if (!p->session_key.length) {
4245 status = NT_STATUS_NO_USER_SESSION_KEY;
4247 SamOEMhashBlob(info->info23.password.data, 516,
4250 dump_data(100, info->info23.password.data, 516);
4252 status = set_user_info_23(p->mem_ctx,
4253 &info->info23, pwd);
4257 if (!p->session_key.length) {
4258 status = NT_STATUS_NO_USER_SESSION_KEY;
4260 SamOEMhashBlob(info->info24.password.data,
4264 dump_data(100, info->info24.password.data, 516);
4266 if (!set_user_info_pw(info->info24.password.data, pwd,
4268 status = NT_STATUS_ACCESS_DENIED;
4273 if (!p->session_key.length) {
4274 status = NT_STATUS_NO_USER_SESSION_KEY;
4276 encode_or_decode_arc4_passwd_buffer(info->info25.password.data,
4279 dump_data(100, info->info25.password.data, 532);
4281 status = set_user_info_25(p->mem_ctx,
4282 &info->info25, pwd);
4283 if (!NT_STATUS_IS_OK(status)) {
4286 if (!set_user_info_pw(info->info25.password.data, pwd,
4288 status = NT_STATUS_ACCESS_DENIED;
4293 if (!p->session_key.length) {
4294 status = NT_STATUS_NO_USER_SESSION_KEY;
4296 encode_or_decode_arc4_passwd_buffer(info->info26.password.data,
4299 dump_data(100, info->info26.password.data, 516);
4301 if (!set_user_info_pw(info->info26.password.data, pwd,
4303 status = NT_STATUS_ACCESS_DENIED;
4308 status = NT_STATUS_INVALID_INFO_CLASS;
4313 if (has_enough_rights) {
4317 /* ================ END SeMachineAccountPrivilege BLOCK ================ */
4319 if (NT_STATUS_IS_OK(status)) {
4320 force_flush_samr_cache(disp_info);
4326 /*******************************************************************
4328 ********************************************************************/
4330 NTSTATUS _samr_SetUserInfo(pipes_struct *p,
4331 struct samr_SetUserInfo *r)
4333 return samr_SetUserInfo_internal("_samr_SetUserInfo",
4340 /*******************************************************************
4342 ********************************************************************/
4344 NTSTATUS _samr_SetUserInfo2(pipes_struct *p,
4345 struct samr_SetUserInfo2 *r)
4347 return samr_SetUserInfo_internal("_samr_SetUserInfo2",
4354 /*********************************************************************
4355 _samr_GetAliasMembership
4356 *********************************************************************/
4358 NTSTATUS _samr_GetAliasMembership(pipes_struct *p,
4359 struct samr_GetAliasMembership *r)
4361 size_t num_alias_rids;
4363 struct samr_info *info = NULL;
4371 DEBUG(5,("_samr_GetAliasMembership: %d\n", __LINE__));
4373 /* find the policy handle. open a policy on it. */
4374 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
4375 return NT_STATUS_INVALID_HANDLE;
4377 ntstatus1 = access_check_samr_function(info->acc_granted,
4378 SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM,
4379 "_samr_GetAliasMembership");
4380 ntstatus2 = access_check_samr_function(info->acc_granted,
4381 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
4382 "_samr_GetAliasMembership");
4384 if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
4385 if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
4386 !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {
4387 return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1;
4391 if (!sid_check_is_domain(&info->sid) &&
4392 !sid_check_is_builtin(&info->sid))
4393 return NT_STATUS_OBJECT_TYPE_MISMATCH;
4395 if (r->in.sids->num_sids) {
4396 members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, r->in.sids->num_sids);
4398 if (members == NULL)
4399 return NT_STATUS_NO_MEMORY;
4404 for (i=0; i<r->in.sids->num_sids; i++)
4405 sid_copy(&members[i], r->in.sids->sids[i].sid);
4411 ntstatus1 = pdb_enum_alias_memberships(p->mem_ctx, &info->sid, members,
4412 r->in.sids->num_sids,
4413 &alias_rids, &num_alias_rids);
4416 if (!NT_STATUS_IS_OK(ntstatus1)) {
4420 r->out.rids->count = num_alias_rids;
4421 r->out.rids->ids = alias_rids;
4423 return NT_STATUS_OK;
4426 /*********************************************************************
4427 _samr_GetMembersInAlias
4428 *********************************************************************/
4430 NTSTATUS _samr_GetMembersInAlias(pipes_struct *p,
4431 struct samr_GetMembersInAlias *r)
4435 size_t num_sids = 0;
4436 struct lsa_SidPtr *sids = NULL;
4437 DOM_SID *pdb_sids = NULL;
4443 /* find the policy handle. open a policy on it. */
4444 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, NULL))
4445 return NT_STATUS_INVALID_HANDLE;
4447 status = access_check_samr_function(acc_granted,
4448 SA_RIGHT_ALIAS_GET_MEMBERS,
4449 "_samr_GetMembersInAlias");
4450 if (!NT_STATUS_IS_OK(status)) {
4454 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4457 status = pdb_enum_aliasmem(&alias_sid, &pdb_sids, &num_sids);
4460 if (!NT_STATUS_IS_OK(status)) {
4465 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr, num_sids);
4467 TALLOC_FREE(pdb_sids);
4468 return NT_STATUS_NO_MEMORY;
4472 for (i = 0; i < num_sids; i++) {
4473 sids[i].sid = sid_dup_talloc(p->mem_ctx, &pdb_sids[i]);
4475 TALLOC_FREE(pdb_sids);
4476 return NT_STATUS_NO_MEMORY;
4480 r->out.sids->num_sids = num_sids;
4481 r->out.sids->sids = sids;
4483 TALLOC_FREE(pdb_sids);
4485 return NT_STATUS_OK;
4488 /*********************************************************************
4489 _samr_QueryGroupMember
4490 *********************************************************************/
4492 NTSTATUS _samr_QueryGroupMember(pipes_struct *p,
4493 struct samr_QueryGroupMember *r)
4496 size_t i, num_members;
4504 struct samr_RidTypeArray *rids = NULL;
4506 rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidTypeArray);
4508 return NT_STATUS_NO_MEMORY;
4511 /* find the policy handle. open a policy on it. */
4512 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL))
4513 return NT_STATUS_INVALID_HANDLE;
4515 status = access_check_samr_function(acc_granted,
4516 SA_RIGHT_GROUP_GET_MEMBERS,
4517 "_samr_QueryGroupMember");
4518 if (!NT_STATUS_IS_OK(status)) {
4522 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4524 if (!sid_check_is_in_our_domain(&group_sid)) {
4525 DEBUG(3, ("sid %s is not in our domain\n",
4526 sid_string_dbg(&group_sid)));
4527 return NT_STATUS_NO_SUCH_GROUP;
4530 DEBUG(10, ("lookup on Domain SID\n"));
4533 status = pdb_enum_group_members(p->mem_ctx, &group_sid,
4534 &rid, &num_members);
4537 if (!NT_STATUS_IS_OK(status))
4541 attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members);
4543 return NT_STATUS_NO_MEMORY;
4549 for (i=0; i<num_members; i++)
4550 attr[i] = SID_NAME_USER;
4552 rids->count = num_members;
4556 *r->out.rids = rids;
4558 return NT_STATUS_OK;
4561 /*********************************************************************
4562 _samr_AddAliasMember
4563 *********************************************************************/
4565 NTSTATUS _samr_AddAliasMember(pipes_struct *p,
4566 struct samr_AddAliasMember *r)
4571 bool can_add_accounts;
4573 DISP_INFO *disp_info = NULL;
4575 /* Find the policy handle. Open a policy on it. */
4576 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4577 return NT_STATUS_INVALID_HANDLE;
4579 status = access_check_samr_function(acc_granted,
4580 SA_RIGHT_ALIAS_ADD_MEMBER,
4581 "_samr_AddAliasMember");
4582 if (!NT_STATUS_IS_OK(status)) {
4586 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4588 se_priv_copy( &se_rights, &se_add_users );
4589 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4591 /******** BEGIN SeAddUsers BLOCK *********/
4593 if ( can_add_accounts )
4596 status = pdb_add_aliasmem(&alias_sid, r->in.sid);
4598 if ( can_add_accounts )
4601 /******** END SeAddUsers BLOCK *********/
4603 if (NT_STATUS_IS_OK(status)) {
4604 force_flush_samr_cache(disp_info);
4610 /*********************************************************************
4611 _samr_DeleteAliasMember
4612 *********************************************************************/
4614 NTSTATUS _samr_DeleteAliasMember(pipes_struct *p,
4615 struct samr_DeleteAliasMember *r)
4620 bool can_add_accounts;
4622 DISP_INFO *disp_info = NULL;
4624 /* Find the policy handle. Open a policy on it. */
4625 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4626 return NT_STATUS_INVALID_HANDLE;
4628 status = access_check_samr_function(acc_granted,
4629 SA_RIGHT_ALIAS_REMOVE_MEMBER,
4630 "_samr_DeleteAliasMember");
4631 if (!NT_STATUS_IS_OK(status)) {
4635 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
4636 sid_string_dbg(&alias_sid)));
4638 se_priv_copy( &se_rights, &se_add_users );
4639 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4641 /******** BEGIN SeAddUsers BLOCK *********/
4643 if ( can_add_accounts )
4646 status = pdb_del_aliasmem(&alias_sid, r->in.sid);
4648 if ( can_add_accounts )
4651 /******** END SeAddUsers BLOCK *********/
4653 if (NT_STATUS_IS_OK(status)) {
4654 force_flush_samr_cache(disp_info);
4660 /*********************************************************************
4661 _samr_AddGroupMember
4662 *********************************************************************/
4664 NTSTATUS _samr_AddGroupMember(pipes_struct *p,
4665 struct samr_AddGroupMember *r)
4672 bool can_add_accounts;
4673 DISP_INFO *disp_info = NULL;
4675 /* Find the policy handle. Open a policy on it. */
4676 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4677 return NT_STATUS_INVALID_HANDLE;
4679 status = access_check_samr_function(acc_granted,
4680 SA_RIGHT_GROUP_ADD_MEMBER,
4681 "_samr_AddGroupMember");
4682 if (!NT_STATUS_IS_OK(status)) {
4686 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4688 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4690 return NT_STATUS_INVALID_HANDLE;
4693 se_priv_copy( &se_rights, &se_add_users );
4694 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4696 /******** BEGIN SeAddUsers BLOCK *********/
4698 if ( can_add_accounts )
4701 status = pdb_add_groupmem(p->mem_ctx, group_rid, r->in.rid);
4703 if ( can_add_accounts )
4706 /******** END SeAddUsers BLOCK *********/
4708 force_flush_samr_cache(disp_info);
4713 /*********************************************************************
4714 _samr_DeleteGroupMember
4715 *********************************************************************/
4717 NTSTATUS _samr_DeleteGroupMember(pipes_struct *p,
4718 struct samr_DeleteGroupMember *r)
4726 bool can_add_accounts;
4727 DISP_INFO *disp_info = NULL;
4730 * delete the group member named r->in.rid
4731 * who is a member of the sid associated with the handle
4732 * the rid is a user's rid as the group is a domain group.
4735 /* Find the policy handle. Open a policy on it. */
4736 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4737 return NT_STATUS_INVALID_HANDLE;
4739 status = access_check_samr_function(acc_granted,
4740 SA_RIGHT_GROUP_REMOVE_MEMBER,
4741 "_samr_DeleteGroupMember");
4742 if (!NT_STATUS_IS_OK(status)) {
4746 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4748 return NT_STATUS_INVALID_HANDLE;
4751 se_priv_copy( &se_rights, &se_add_users );
4752 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4754 /******** BEGIN SeAddUsers BLOCK *********/
4756 if ( can_add_accounts )
4759 status = pdb_del_groupmem(p->mem_ctx, group_rid, r->in.rid);
4761 if ( can_add_accounts )
4764 /******** END SeAddUsers BLOCK *********/
4766 force_flush_samr_cache(disp_info);
4771 /*********************************************************************
4773 *********************************************************************/
4775 NTSTATUS _samr_DeleteUser(pipes_struct *p,
4776 struct samr_DeleteUser *r)
4780 struct samu *sam_pass=NULL;
4782 bool can_add_accounts;
4784 DISP_INFO *disp_info = NULL;
4787 DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__));
4789 /* Find the policy handle. Open a policy on it. */
4790 if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &user_sid, &acc_granted, &disp_info))
4791 return NT_STATUS_INVALID_HANDLE;
4793 status = access_check_samr_function(acc_granted,
4794 STD_RIGHT_DELETE_ACCESS,
4795 "_samr_DeleteUser");
4796 if (!NT_STATUS_IS_OK(status)) {
4800 if (!sid_check_is_in_our_domain(&user_sid))
4801 return NT_STATUS_CANNOT_DELETE;
4803 /* check if the user exists before trying to delete */
4804 if ( !(sam_pass = samu_new( NULL )) ) {
4805 return NT_STATUS_NO_MEMORY;
4809 ret = pdb_getsampwsid(sam_pass, &user_sid);
4813 DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
4814 sid_string_dbg(&user_sid)));
4815 TALLOC_FREE(sam_pass);
4816 return NT_STATUS_NO_SUCH_USER;
4819 acb_info = pdb_get_acct_ctrl(sam_pass);
4821 /* For machine accounts it's the SeMachineAccountPrivilege that counts. */
4822 if ( acb_info & ACB_WSTRUST ) {
4823 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account );
4825 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
4828 /******** BEGIN SeAddUsers BLOCK *********/
4830 if ( can_add_accounts )
4833 status = pdb_delete_user(p->mem_ctx, sam_pass);
4835 if ( can_add_accounts )
4838 /******** END SeAddUsers BLOCK *********/
4840 if ( !NT_STATUS_IS_OK(status) ) {
4841 DEBUG(5,("_samr_DeleteUser: Failed to delete entry for "
4842 "user %s: %s.\n", pdb_get_username(sam_pass),
4843 nt_errstr(status)));
4844 TALLOC_FREE(sam_pass);
4849 TALLOC_FREE(sam_pass);
4851 if (!close_policy_hnd(p, r->in.user_handle))
4852 return NT_STATUS_OBJECT_NAME_INVALID;
4854 force_flush_samr_cache(disp_info);
4856 return NT_STATUS_OK;
4859 /*********************************************************************
4860 _samr_DeleteDomainGroup
4861 *********************************************************************/
4863 NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p,
4864 struct samr_DeleteDomainGroup *r)
4871 bool can_add_accounts;
4872 DISP_INFO *disp_info = NULL;
4874 DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__));
4876 /* Find the policy handle. Open a policy on it. */
4877 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4878 return NT_STATUS_INVALID_HANDLE;
4880 status = access_check_samr_function(acc_granted,
4881 STD_RIGHT_DELETE_ACCESS,
4882 "_samr_DeleteDomainGroup");
4883 if (!NT_STATUS_IS_OK(status)) {
4887 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4889 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4891 return NT_STATUS_NO_SUCH_GROUP;
4894 se_priv_copy( &se_rights, &se_add_users );
4895 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4897 /******** BEGIN SeAddUsers BLOCK *********/
4899 if ( can_add_accounts )
4902 status = pdb_delete_dom_group(p->mem_ctx, group_rid);
4904 if ( can_add_accounts )
4907 /******** END SeAddUsers BLOCK *********/
4909 if ( !NT_STATUS_IS_OK(status) ) {
4910 DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping "
4911 "entry for group %s: %s\n",
4912 sid_string_dbg(&group_sid),
4913 nt_errstr(status)));
4917 if (!close_policy_hnd(p, r->in.group_handle))
4918 return NT_STATUS_OBJECT_NAME_INVALID;
4920 force_flush_samr_cache(disp_info);
4922 return NT_STATUS_OK;
4925 /*********************************************************************
4926 _samr_DeleteDomAlias
4927 *********************************************************************/
4929 NTSTATUS _samr_DeleteDomAlias(pipes_struct *p,
4930 struct samr_DeleteDomAlias *r)
4935 bool can_add_accounts;
4937 DISP_INFO *disp_info = NULL;
4939 DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__));
4941 /* Find the policy handle. Open a policy on it. */
4942 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4943 return NT_STATUS_INVALID_HANDLE;
4945 /* copy the handle to the outgoing reply */
4947 memcpy(r->out.alias_handle, r->in.alias_handle, sizeof(r->out.alias_handle));
4949 status = access_check_samr_function(acc_granted,
4950 STD_RIGHT_DELETE_ACCESS,
4951 "_samr_DeleteDomAlias");
4952 if (!NT_STATUS_IS_OK(status)) {
4956 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4958 /* Don't let Windows delete builtin groups */
4960 if ( sid_check_is_in_builtin( &alias_sid ) ) {
4961 return NT_STATUS_SPECIAL_ACCOUNT;
4964 if (!sid_check_is_in_our_domain(&alias_sid))
4965 return NT_STATUS_NO_SUCH_ALIAS;
4967 DEBUG(10, ("lookup on Local SID\n"));
4969 se_priv_copy( &se_rights, &se_add_users );
4970 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4972 /******** BEGIN SeAddUsers BLOCK *********/
4974 if ( can_add_accounts )
4977 /* Have passdb delete the alias */
4978 status = pdb_delete_alias(&alias_sid);
4980 if ( can_add_accounts )
4983 /******** END SeAddUsers BLOCK *********/
4985 if ( !NT_STATUS_IS_OK(status))
4988 if (!close_policy_hnd(p, r->in.alias_handle))
4989 return NT_STATUS_OBJECT_NAME_INVALID;
4991 force_flush_samr_cache(disp_info);
4993 return NT_STATUS_OK;
4996 /*********************************************************************
4997 _samr_CreateDomainGroup
4998 *********************************************************************/
5000 NTSTATUS _samr_CreateDomainGroup(pipes_struct *p,
5001 struct samr_CreateDomainGroup *r)
5008 struct samr_info *info;
5011 bool can_add_accounts;
5012 DISP_INFO *disp_info = NULL;
5014 /* Find the policy handle. Open a policy on it. */
5015 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info))
5016 return NT_STATUS_INVALID_HANDLE;
5018 status = access_check_samr_function(acc_granted,
5019 SA_RIGHT_DOMAIN_CREATE_GROUP,
5020 "_samr_CreateDomainGroup");
5021 if (!NT_STATUS_IS_OK(status)) {
5025 if (!sid_equal(&dom_sid, get_global_sam_sid()))
5026 return NT_STATUS_ACCESS_DENIED;
5028 name = r->in.name->string;
5030 return NT_STATUS_NO_MEMORY;
5033 status = can_create(p->mem_ctx, name);
5034 if (!NT_STATUS_IS_OK(status)) {
5038 se_priv_copy( &se_rights, &se_add_users );
5039 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
5041 /******** BEGIN SeAddUsers BLOCK *********/
5043 if ( can_add_accounts )
5046 /* check that we successfully create the UNIX group */
5048 status = pdb_create_dom_group(p->mem_ctx, name, r->out.rid);
5050 if ( can_add_accounts )
5053 /******** END SeAddUsers BLOCK *********/
5055 /* check if we should bail out here */
5057 if ( !NT_STATUS_IS_OK(status) )
5060 sid_compose(&info_sid, get_global_sam_sid(), *r->out.rid);
5062 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
5063 return NT_STATUS_NO_MEMORY;
5065 /* they created it; let the user do what he wants with it */
5067 info->acc_granted = GENERIC_RIGHTS_GROUP_ALL_ACCESS;
5069 /* get a (unique) handle. open a policy on it. */
5070 if (!create_policy_hnd(p, r->out.group_handle, free_samr_info, (void *)info))
5071 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5073 force_flush_samr_cache(disp_info);
5075 return NT_STATUS_OK;
5078 /*********************************************************************
5079 _samr_CreateDomAlias
5080 *********************************************************************/
5082 NTSTATUS _samr_CreateDomAlias(pipes_struct *p,
5083 struct samr_CreateDomAlias *r)
5087 const char *name = NULL;
5088 struct samr_info *info;
5093 bool can_add_accounts;
5094 DISP_INFO *disp_info = NULL;
5096 /* Find the policy handle. Open a policy on it. */
5097 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info))
5098 return NT_STATUS_INVALID_HANDLE;
5100 result = access_check_samr_function(acc_granted,
5101 SA_RIGHT_DOMAIN_CREATE_ALIAS,
5102 "_samr_CreateDomAlias");
5103 if (!NT_STATUS_IS_OK(result)) {
5107 if (!sid_equal(&dom_sid, get_global_sam_sid()))
5108 return NT_STATUS_ACCESS_DENIED;
5110 name = r->in.alias_name->string;
5112 se_priv_copy( &se_rights, &se_add_users );
5113 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
5115 result = can_create(p->mem_ctx, name);
5116 if (!NT_STATUS_IS_OK(result)) {
5120 /******** BEGIN SeAddUsers BLOCK *********/
5122 if ( can_add_accounts )
5125 /* Have passdb create the alias */
5126 result = pdb_create_alias(name, r->out.rid);
5128 if ( can_add_accounts )
5131 /******** END SeAddUsers BLOCK *********/
5133 if (!NT_STATUS_IS_OK(result)) {
5134 DEBUG(10, ("pdb_create_alias failed: %s\n",
5135 nt_errstr(result)));
5139 sid_copy(&info_sid, get_global_sam_sid());
5140 sid_append_rid(&info_sid, *r->out.rid);
5142 if (!sid_to_gid(&info_sid, &gid)) {
5143 DEBUG(10, ("Could not find alias just created\n"));
5144 return NT_STATUS_ACCESS_DENIED;
5147 /* check if the group has been successfully created */
5148 if ( getgrgid(gid) == NULL ) {
5149 DEBUG(10, ("getgrgid(%d) of just created alias failed\n",
5151 return NT_STATUS_ACCESS_DENIED;
5154 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
5155 return NT_STATUS_NO_MEMORY;
5157 /* they created it; let the user do what he wants with it */
5159 info->acc_granted = GENERIC_RIGHTS_ALIAS_ALL_ACCESS;
5161 /* get a (unique) handle. open a policy on it. */
5162 if (!create_policy_hnd(p, r->out.alias_handle, free_samr_info, (void *)info))
5163 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5165 force_flush_samr_cache(disp_info);
5167 return NT_STATUS_OK;
5170 /*********************************************************************
5171 _samr_QueryGroupInfo
5172 *********************************************************************/
5174 NTSTATUS _samr_QueryGroupInfo(pipes_struct *p,
5175 struct samr_QueryGroupInfo *r)
5180 union samr_GroupInfo *info = NULL;
5183 uint32_t attributes = SE_GROUP_MANDATORY |
5184 SE_GROUP_ENABLED_BY_DEFAULT |
5186 const char *group_name = NULL;
5187 const char *group_description = NULL;
5189 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL))
5190 return NT_STATUS_INVALID_HANDLE;
5192 status = access_check_samr_function(acc_granted,
5193 SA_RIGHT_GROUP_LOOKUP_INFO,
5194 "_samr_QueryGroupInfo");
5195 if (!NT_STATUS_IS_OK(status)) {
5200 ret = get_domain_group_from_sid(group_sid, &map);
5203 return NT_STATUS_INVALID_HANDLE;
5205 /* FIXME: map contains fstrings */
5206 group_name = talloc_strdup(r, map.nt_name);
5207 group_description = talloc_strdup(r, map.comment);
5209 info = TALLOC_ZERO_P(p->mem_ctx, union samr_GroupInfo);
5211 return NT_STATUS_NO_MEMORY;
5214 switch (r->in.level) {
5220 status = pdb_enum_group_members(
5221 p->mem_ctx, &group_sid, &members, &num_members);
5224 if (!NT_STATUS_IS_OK(status)) {
5228 init_samr_group_info1(&info->all,
5236 init_samr_group_info2(&info->name,
5240 init_samr_group_info3(&info->attributes,
5244 init_samr_group_info4(&info->description,
5255 status = pdb_enum_group_members(
5256 p->mem_ctx, &group_sid, &members, &num_members);
5259 if (!NT_STATUS_IS_OK(status)) {
5263 init_samr_group_info5(&info->all2,
5266 0, /* num_members - in w2k3 this is always 0 */
5272 return NT_STATUS_INVALID_INFO_CLASS;
5275 *r->out.info = info;
5277 return NT_STATUS_OK;
5280 /*********************************************************************
5282 *********************************************************************/
5284 NTSTATUS _samr_SetGroupInfo(pipes_struct *p,
5285 struct samr_SetGroupInfo *r)
5292 bool can_mod_accounts;
5293 DISP_INFO *disp_info = NULL;
5295 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
5296 return NT_STATUS_INVALID_HANDLE;
5298 status = access_check_samr_function(acc_granted,
5299 SA_RIGHT_GROUP_SET_INFO,
5300 "_samr_SetGroupInfo");
5301 if (!NT_STATUS_IS_OK(status)) {
5306 ret = get_domain_group_from_sid(group_sid, &map);
5309 return NT_STATUS_NO_SUCH_GROUP;
5311 switch (r->in.level) {
5313 fstrcpy(map.comment, r->in.info->all.description.string);
5316 fstrcpy(map.comment, r->in.info->description.string);
5319 return NT_STATUS_INVALID_INFO_CLASS;
5322 can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
5324 /******** BEGIN SeAddUsers BLOCK *********/
5326 if ( can_mod_accounts )
5329 status = pdb_update_group_mapping_entry(&map);
5331 if ( can_mod_accounts )
5334 /******** End SeAddUsers BLOCK *********/
5336 if (NT_STATUS_IS_OK(status)) {
5337 force_flush_samr_cache(disp_info);
5343 /*********************************************************************
5345 *********************************************************************/
5347 NTSTATUS _samr_SetAliasInfo(pipes_struct *p,
5348 struct samr_SetAliasInfo *r)
5351 struct acct_info info;
5353 bool can_mod_accounts;
5355 DISP_INFO *disp_info = NULL;
5357 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &group_sid, &acc_granted, &disp_info))
5358 return NT_STATUS_INVALID_HANDLE;
5360 status = access_check_samr_function(acc_granted,
5361 SA_RIGHT_ALIAS_SET_INFO,
5362 "_samr_SetAliasInfo");
5363 if (!NT_STATUS_IS_OK(status)) {
5367 /* get the current group information */
5370 status = pdb_get_aliasinfo( &group_sid, &info );
5373 if ( !NT_STATUS_IS_OK(status))
5376 switch (r->in.level) {
5381 /* We currently do not support renaming groups in the
5382 the BUILTIN domain. Refer to util_builtin.c to understand
5383 why. The eventually needs to be fixed to be like Windows
5384 where you can rename builtin groups, just not delete them */
5386 if ( sid_check_is_in_builtin( &group_sid ) ) {
5387 return NT_STATUS_SPECIAL_ACCOUNT;
5390 /* There has to be a valid name (and it has to be different) */
5392 if ( !r->in.info->name.string )
5393 return NT_STATUS_INVALID_PARAMETER;
5395 /* If the name is the same just reply "ok". Yes this
5396 doesn't allow you to change the case of a group name. */
5398 if ( strequal( r->in.info->name.string, info.acct_name ) )
5399 return NT_STATUS_OK;
5401 fstrcpy( info.acct_name, r->in.info->name.string);
5403 /* make sure the name doesn't already exist as a user
5406 fstr_sprintf( group_name, "%s\\%s", global_myname(), info.acct_name );
5407 status = can_create( p->mem_ctx, group_name );
5408 if ( !NT_STATUS_IS_OK( status ) )
5412 case ALIASINFODESCRIPTION:
5413 if (r->in.info->description.string) {
5414 fstrcpy(info.acct_desc,
5415 r->in.info->description.string);
5417 fstrcpy( info.acct_desc, "" );
5421 return NT_STATUS_INVALID_INFO_CLASS;
5424 can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
5426 /******** BEGIN SeAddUsers BLOCK *********/
5428 if ( can_mod_accounts )
5431 status = pdb_set_aliasinfo( &group_sid, &info );
5433 if ( can_mod_accounts )
5436 /******** End SeAddUsers BLOCK *********/
5438 if (NT_STATUS_IS_OK(status))
5439 force_flush_samr_cache(disp_info);
5444 /****************************************************************
5446 ****************************************************************/
5448 NTSTATUS _samr_GetDomPwInfo(pipes_struct *p,
5449 struct samr_GetDomPwInfo *r)
5451 uint32_t min_password_length = 0;
5452 uint32_t password_properties = 0;
5454 /* Perform access check. Since this rpc does not require a
5455 policy handle it will not be caught by the access checks on
5456 SAMR_CONNECT or SAMR_CONNECT_ANON. */
5458 if (!pipe_access_check(p)) {
5459 DEBUG(3, ("access denied to _samr_GetDomPwInfo\n"));
5460 return NT_STATUS_ACCESS_DENIED;
5464 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
5465 &min_password_length);
5466 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
5467 &password_properties);
5470 if (lp_check_password_script() && *lp_check_password_script()) {
5471 password_properties |= DOMAIN_PASSWORD_COMPLEX;
5474 r->out.info->min_password_length = min_password_length;
5475 r->out.info->password_properties = password_properties;
5477 return NT_STATUS_OK;
5480 /*********************************************************************
5482 *********************************************************************/
5484 NTSTATUS _samr_OpenGroup(pipes_struct *p,
5485 struct samr_OpenGroup *r)
5491 struct samr_info *info;
5492 SEC_DESC *psd = NULL;
5494 uint32 des_access = r->in.access_mask;
5501 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL))
5502 return NT_STATUS_INVALID_HANDLE;
5504 status = access_check_samr_function(acc_granted,
5505 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
5508 if ( !NT_STATUS_IS_OK(status) )
5511 /*check if access can be granted as requested by client. */
5512 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
5513 se_map_generic(&des_access,&grp_generic_mapping);
5515 se_priv_copy( &se_rights, &se_add_users );
5517 status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
5518 &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access,
5519 &acc_granted, "_samr_OpenGroup");
5521 if ( !NT_STATUS_IS_OK(status) )
5524 /* this should not be hard-coded like this */
5526 if (!sid_equal(&sid, get_global_sam_sid()))
5527 return NT_STATUS_ACCESS_DENIED;
5529 sid_copy(&info_sid, get_global_sam_sid());
5530 sid_append_rid(&info_sid, r->in.rid);
5531 sid_to_fstring(sid_string, &info_sid);
5533 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
5534 return NT_STATUS_NO_MEMORY;
5536 info->acc_granted = acc_granted;
5538 DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n", sid_string));
5540 /* check if that group really exists */
5542 ret = get_domain_group_from_sid(info->sid, &map);
5545 return NT_STATUS_NO_SUCH_GROUP;
5547 /* get a (unique) handle. open a policy on it. */
5548 if (!create_policy_hnd(p, r->out.group_handle, free_samr_info, (void *)info))
5549 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5551 return NT_STATUS_OK;
5554 /*********************************************************************
5555 _samr_RemoveMemberFromForeignDomain
5556 *********************************************************************/
5558 NTSTATUS _samr_RemoveMemberFromForeignDomain(pipes_struct *p,
5559 struct samr_RemoveMemberFromForeignDomain *r)
5561 DOM_SID delete_sid, domain_sid;
5564 DISP_INFO *disp_info = NULL;
5566 sid_copy( &delete_sid, r->in.sid );
5568 DEBUG(5,("_samr_RemoveMemberFromForeignDomain: removing SID [%s]\n",
5569 sid_string_dbg(&delete_sid)));
5571 /* Find the policy handle. Open a policy on it. */
5573 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &domain_sid,
5574 &acc_granted, &disp_info))
5575 return NT_STATUS_INVALID_HANDLE;
5577 result = access_check_samr_function(acc_granted,
5578 STD_RIGHT_DELETE_ACCESS,
5579 "_samr_RemoveMemberFromForeignDomain");
5581 if (!NT_STATUS_IS_OK(result))
5584 DEBUG(8, ("_samr_RemoveMemberFromForeignDomain: sid is %s\n",
5585 sid_string_dbg(&domain_sid)));
5587 /* we can only delete a user from a group since we don't have
5588 nested groups anyways. So in the latter case, just say OK */
5590 /* TODO: The above comment nowadays is bogus. Since we have nested
5591 * groups now, and aliases members are never reported out of the unix
5592 * group membership, the "just say OK" makes this call a no-op. For
5593 * us. This needs fixing however. */
5595 /* I've only ever seen this in the wild when deleting a user from
5596 * usrmgr.exe. domain_sid is the builtin domain, and the sid to delete
5597 * is the user about to be deleted. I very much suspect this is the
5598 * only application of this call. To verify this, let people report
5601 if (!sid_check_is_builtin(&domain_sid)) {
5602 DEBUG(1,("_samr_RemoveMemberFromForeignDomain: domain_sid = %s, "
5603 "global_sam_sid() = %s\n",
5604 sid_string_dbg(&domain_sid),
5605 sid_string_dbg(get_global_sam_sid())));
5606 DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
5607 return NT_STATUS_OK;
5610 force_flush_samr_cache(disp_info);
5612 result = NT_STATUS_OK;
5617 /*******************************************************************
5618 _samr_QueryDomainInfo2
5619 ********************************************************************/
5621 NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p,
5622 struct samr_QueryDomainInfo2 *r)
5624 return samr_QueryDomainInfo_internal("_samr_QueryDomainInfo2",
5626 r->in.domain_handle,
5631 /*******************************************************************
5633 ********************************************************************/
5635 NTSTATUS _samr_SetDomainInfo(pipes_struct *p,
5636 struct samr_SetDomainInfo *r)
5638 struct samr_info *info = NULL;
5639 time_t u_expire, u_min_age;
5641 time_t u_lock_duration, u_reset_time;
5644 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
5646 /* find the policy handle. open a policy on it. */
5647 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
5648 return NT_STATUS_INVALID_HANDLE;
5650 /* We do have different access bits for info
5651 * levels here, but we're really just looking for
5652 * GENERIC_RIGHTS_DOMAIN_WRITE access. Unfortunately
5653 * this maps to different specific bits. So
5654 * assume if we have SA_RIGHT_DOMAIN_SET_INFO_1
5657 result = access_check_samr_function(info->acc_granted,
5658 SA_RIGHT_DOMAIN_SET_INFO_1,
5659 "_samr_SetDomainInfo");
5661 if (!NT_STATUS_IS_OK(result))
5664 DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level));
5666 switch (r->in.level) {
5668 u_expire=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.max_password_age);
5669 u_min_age=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.min_password_age);
5670 pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)r->in.info->info1.min_password_length);
5671 pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)r->in.info->info1.password_history_length);
5672 pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)r->in.info->info1.password_properties);
5673 pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire);
5674 pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age);
5679 u_logout=nt_time_to_unix_abs((NTTIME *)&r->in.info->info3.force_logoff_time);
5680 pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout);
5689 u_lock_duration=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_duration);
5690 if (u_lock_duration != -1)
5691 u_lock_duration /= 60;
5693 u_reset_time=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_window)/60;
5695 pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
5696 pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time);
5697 pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)r->in.info->info12.lockout_threshold);
5700 return NT_STATUS_INVALID_INFO_CLASS;
5703 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
5705 return NT_STATUS_OK;
5708 /****************************************************************
5709 _samr_GetDisplayEnumerationIndex
5710 ****************************************************************/
5712 NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p,
5713 struct samr_GetDisplayEnumerationIndex *r)
5715 struct samr_info *info = NULL;
5716 uint32_t max_entries = (uint32_t) -1;
5717 uint32_t enum_context = 0;
5719 uint32_t num_account = 0;
5720 struct samr_displayentry *entries = NULL;
5723 DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__));
5725 /* find the policy handle. open a policy on it. */
5726 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) {
5727 return NT_STATUS_INVALID_HANDLE;
5730 status = access_check_samr_function(info->acc_granted,
5731 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
5732 "_samr_GetDisplayEnumerationIndex");
5733 if (!NT_STATUS_IS_OK(status)) {
5737 if ((r->in.level < 1) || (r->in.level > 3)) {
5738 DEBUG(0,("_samr_GetDisplayEnumerationIndex: "
5739 "Unknown info level (%u)\n",
5741 return NT_STATUS_INVALID_INFO_CLASS;
5746 /* The following done as ROOT. Don't return without unbecome_root(). */
5748 switch (r->in.level) {
5750 if (info->disp_info->users == NULL) {
5751 info->disp_info->users = pdb_search_users(ACB_NORMAL);
5752 if (info->disp_info->users == NULL) {
5754 return NT_STATUS_ACCESS_DENIED;
5756 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5757 "starting user enumeration at index %u\n",
5758 (unsigned int)enum_context));
5760 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5761 "using cached user enumeration at index %u\n",
5762 (unsigned int)enum_context));
5764 num_account = pdb_search_entries(info->disp_info->users,
5765 enum_context, max_entries,
5769 if (info->disp_info->machines == NULL) {
5770 info->disp_info->machines =
5771 pdb_search_users(ACB_WSTRUST|ACB_SVRTRUST);
5772 if (info->disp_info->machines == NULL) {
5774 return NT_STATUS_ACCESS_DENIED;
5776 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5777 "starting machine enumeration at index %u\n",
5778 (unsigned int)enum_context));
5780 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5781 "using cached machine enumeration at index %u\n",
5782 (unsigned int)enum_context));
5784 num_account = pdb_search_entries(info->disp_info->machines,
5785 enum_context, max_entries,
5789 if (info->disp_info->groups == NULL) {
5790 info->disp_info->groups = pdb_search_groups();
5791 if (info->disp_info->groups == NULL) {
5793 return NT_STATUS_ACCESS_DENIED;
5795 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5796 "starting group enumeration at index %u\n",
5797 (unsigned int)enum_context));
5799 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5800 "using cached group enumeration at index %u\n",
5801 (unsigned int)enum_context));
5803 num_account = pdb_search_entries(info->disp_info->groups,
5804 enum_context, max_entries,
5809 smb_panic("info class changed");
5815 /* Ensure we cache this enumeration. */
5816 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
5818 DEBUG(10,("_samr_GetDisplayEnumerationIndex: looking for :%s\n",
5819 r->in.name->string));
5821 for (i=0; i<num_account; i++) {
5822 if (strequal(entries[i].account_name, r->in.name->string)) {
5823 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5824 "found %s at idx %d\n",
5825 r->in.name->string, i));
5827 return NT_STATUS_OK;
5831 /* assuming account_name lives at the very end */
5832 *r->out.idx = num_account;
5834 return NT_STATUS_NO_MORE_ENTRIES;
5837 /****************************************************************
5838 _samr_GetDisplayEnumerationIndex2
5839 ****************************************************************/
5841 NTSTATUS _samr_GetDisplayEnumerationIndex2(pipes_struct *p,
5842 struct samr_GetDisplayEnumerationIndex2 *r)
5844 struct samr_GetDisplayEnumerationIndex q;
5846 q.in.domain_handle = r->in.domain_handle;
5847 q.in.level = r->in.level;
5848 q.in.name = r->in.name;
5850 q.out.idx = r->out.idx;
5852 return _samr_GetDisplayEnumerationIndex(p, &q);
5855 /****************************************************************
5856 ****************************************************************/
5858 NTSTATUS _samr_Shutdown(pipes_struct *p,
5859 struct samr_Shutdown *r)
5861 p->rng_fault_state = true;
5862 return NT_STATUS_NOT_IMPLEMENTED;
5865 /****************************************************************
5866 ****************************************************************/
5868 NTSTATUS _samr_CreateUser(pipes_struct *p,
5869 struct samr_CreateUser *r)
5871 p->rng_fault_state = true;
5872 return NT_STATUS_NOT_IMPLEMENTED;
5875 /****************************************************************
5876 ****************************************************************/
5878 NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p,
5879 struct samr_SetMemberAttributesOfGroup *r)
5881 p->rng_fault_state = true;
5882 return NT_STATUS_NOT_IMPLEMENTED;
5885 /****************************************************************
5886 ****************************************************************/
5888 NTSTATUS _samr_ChangePasswordUser(pipes_struct *p,
5889 struct samr_ChangePasswordUser *r)
5891 p->rng_fault_state = true;
5892 return NT_STATUS_NOT_IMPLEMENTED;
5895 /****************************************************************
5896 ****************************************************************/
5898 NTSTATUS _samr_TestPrivateFunctionsDomain(pipes_struct *p,
5899 struct samr_TestPrivateFunctionsDomain *r)
5901 p->rng_fault_state = true;
5902 return NT_STATUS_NOT_IMPLEMENTED;
5905 /****************************************************************
5906 ****************************************************************/
5908 NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p,
5909 struct samr_TestPrivateFunctionsUser *r)
5911 p->rng_fault_state = true;
5912 return NT_STATUS_NOT_IMPLEMENTED;
5915 /****************************************************************
5916 ****************************************************************/
5918 NTSTATUS _samr_QueryUserInfo2(pipes_struct *p,
5919 struct samr_QueryUserInfo2 *r)
5921 p->rng_fault_state = true;
5922 return NT_STATUS_NOT_IMPLEMENTED;
5925 /****************************************************************
5926 ****************************************************************/
5928 NTSTATUS _samr_AddMultipleMembersToAlias(pipes_struct *p,
5929 struct samr_AddMultipleMembersToAlias *r)
5931 p->rng_fault_state = true;
5932 return NT_STATUS_NOT_IMPLEMENTED;
5935 /****************************************************************
5936 ****************************************************************/
5938 NTSTATUS _samr_RemoveMultipleMembersFromAlias(pipes_struct *p,
5939 struct samr_RemoveMultipleMembersFromAlias *r)
5941 p->rng_fault_state = true;
5942 return NT_STATUS_NOT_IMPLEMENTED;
5945 /****************************************************************
5946 ****************************************************************/
5948 NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
5949 struct samr_OemChangePasswordUser2 *r)
5951 p->rng_fault_state = true;
5952 return NT_STATUS_NOT_IMPLEMENTED;
5955 /****************************************************************
5956 ****************************************************************/
5958 NTSTATUS _samr_SetBootKeyInformation(pipes_struct *p,
5959 struct samr_SetBootKeyInformation *r)
5961 p->rng_fault_state = true;
5962 return NT_STATUS_NOT_IMPLEMENTED;
5965 /****************************************************************
5966 ****************************************************************/
5968 NTSTATUS _samr_GetBootKeyInformation(pipes_struct *p,
5969 struct samr_GetBootKeyInformation *r)
5971 p->rng_fault_state = true;
5972 return NT_STATUS_NOT_IMPLEMENTED;
5975 /****************************************************************
5976 ****************************************************************/
5978 NTSTATUS _samr_Connect3(pipes_struct *p,
5979 struct samr_Connect3 *r)
5981 p->rng_fault_state = true;
5982 return NT_STATUS_NOT_IMPLEMENTED;
5985 /****************************************************************
5986 ****************************************************************/
5988 NTSTATUS _samr_RidToSid(pipes_struct *p,
5989 struct samr_RidToSid *r)
5991 p->rng_fault_state = true;
5992 return NT_STATUS_NOT_IMPLEMENTED;
5995 /****************************************************************
5996 ****************************************************************/
5998 NTSTATUS _samr_SetDsrmPassword(pipes_struct *p,
5999 struct samr_SetDsrmPassword *r)
6001 p->rng_fault_state = true;
6002 return NT_STATUS_NOT_IMPLEMENTED;
6005 /****************************************************************
6006 ****************************************************************/
6008 NTSTATUS _samr_ValidatePassword(pipes_struct *p,
6009 struct samr_ValidatePassword *r)
6011 p->rng_fault_state = true;
6012 return NT_STATUS_NOT_IMPLEMENTED;