/* This is the implementation of the lsa server code. */
#include "includes.h"
+#include "ntdomain.h"
#include "../librpc/gen_ndr/srv_lsa.h"
#include "secrets.h"
#include "../librpc/gen_ndr/netlogon.h"
#include "../lib/crypto/arcfour.h"
#include "../libcli/security/dom_sid.h"
#include "../librpc/gen_ndr/ndr_security.h"
+#include "passdb.h"
+#include "auth.h"
+#include "lib/privileges.h"
+#include "rpc_server/srv_access_check.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
ref->count = num + 1;
ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
- ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
+ ref->domains = talloc_realloc(mem_ctx, ref->domains,
struct lsa_DomainInfo, ref->count);
if (!ref->domains) {
return -1;
/* Work out max allowed. */
map_max_allowed_access(p->session_info->security_token,
- &p->session_info->utok,
+ p->session_info->unix_token,
&des_access);
/* map the generic bits to the lsa policy ones */
return nt_status;
}
- entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo, count);
+ entries = talloc_zero_array(p->mem_ctx, struct lsa_DomainInfo, count);
if (!entries) {
return NT_STATUS_NO_MEMORY;
}
/* return NT_STATUS_ACCESS_DENIED; */
}
- info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
+ info = talloc_zero(p->mem_ctx, union lsa_PolicyInformation);
if (!info) {
return NT_STATUS_NO_MEMORY;
}
info->audit_events.auditing_mode = true;
info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
- info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
+ info->audit_events.settings = talloc_zero_array(p->mem_ctx,
enum lsa_PolicyAuditPolicy,
info->audit_events.count);
if (!info->audit_events.settings) {
return NT_STATUS_OK;
}
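Review bot: The allocation-failure branch at the end of this hunk returns NT_STATUS_OK, so a client receives an audit_events block whose count is LSA_AUDIT_NUM_CATEGORIES while settings is NULL; every other talloc failure visible in this file returns NT_STATUS_NO_MEMORY. Change the branch to `return NT_STATUS_NO_MEMORY;`. The enclosing function continues outside the hunk, so how the caller consumes the returned info is not visible here.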
- sids = TALLOC_ARRAY(p->mem_ctx, const struct dom_sid *, num_sids);
- ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
+ sids = talloc_array(p->mem_ctx, const struct dom_sid *, num_sids);
+ ref = talloc_zero(p->mem_ctx, struct lsa_RefDomainList);
if (sids == NULL || ref == NULL) {
return NT_STATUS_NO_MEMORY;
return status;
}
- names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
+ names = talloc_array(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
if (names == NULL) {
return NT_STATUS_NO_MEMORY;
}
}
/* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
- names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
+ names_out = talloc_array(p->mem_ctx, struct lsa_TranslatedName,
num_sids);
if (!names_out) {
return NT_STATUS_NO_MEMORY;
flags = lsa_lookup_level_to_flags(r->in.level);
- domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
+ domains = talloc_zero(p->mem_ctx, struct lsa_RefDomainList);
if (!domains) {
return NT_STATUS_NO_MEMORY;
}
if (num_entries) {
- rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
+ rids = talloc_zero_array(p->mem_ctx, struct lsa_TranslatedSid,
num_entries);
if (!rids) {
return NT_STATUS_NO_MEMORY;
struct lsa_TransSidArray *sid_array = NULL;
uint32_t i;
- sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
+ sid_array = talloc_zero(p->mem_ctx, struct lsa_TransSidArray);
if (!sid_array) {
return NT_STATUS_NO_MEMORY;
}
status = _lsa_LookupNames(p, &q);
sid_array2->count = sid_array->count;
- sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
+ sid_array2->sids = talloc_array(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
if (!sid_array2->sids) {
return NT_STATUS_NO_MEMORY;
}
flags = LOOKUP_NAME_ALL;
}
- domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
+ domains = talloc_zero(p->mem_ctx, struct lsa_RefDomainList);
if (!domains) {
return NT_STATUS_NO_MEMORY;
}
if (num_entries) {
- trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
+ trans_sids = talloc_zero_array(p->mem_ctx, struct lsa_TranslatedSid3,
num_entries);
if (!trans_sids) {
return NT_STATUS_NO_MEMORY;
/* Work out max allowed. */
map_max_allowed_access(p->session_info->security_token,
- &p->session_info->utok,
+ p->session_info->unix_token,
&access_mask);
/* map the generic bits to the lsa account ones */
static NTSTATUS add_trusted_domain_user(TALLOC_CTX *mem_ctx,
const char *netbios_name,
const char *domain_name,
- struct trustDomainPasswords auth_struct)
+ const struct trustDomainPasswords *auth_struct)
{
NTSTATUS status;
struct samu *sam_acct;
return NT_STATUS_UNSUCCESSFUL;
}
- for (i = 0; i < auth_struct.incoming.count; i++) {
- switch (auth_struct.incoming.current.array[i].AuthType) {
+ for (i = 0; i < auth_struct->incoming.count; i++) {
+ switch (auth_struct->incoming.current.array[i].AuthType) {
case TRUST_AUTH_TYPE_CLEAR:
if (!convert_string_talloc(mem_ctx,
CH_UTF16LE,
CH_UNIX,
- auth_struct.incoming.current.array[i].AuthInfo.clear.password,
- auth_struct.incoming.current.array[i].AuthInfo.clear.size,
+ auth_struct->incoming.current.array[i].AuthInfo.clear.password,
+ auth_struct->incoming.current.array[i].AuthInfo.clear.size,
&dummy,
- &dummy_size,
- false)) {
+ &dummy_size)) {
return NT_STATUS_UNSUCCESSFUL;
}
if (!pdb_set_plaintext_passwd(sam_acct, dummy)) {
return NT_STATUS_ACCESS_DENIED;
}
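Review bot: The cleartext trust password that convert_string_talloc decodes into `dummy` is handed to pdb_set_plaintext_passwd and then left allocated on mem_ctx for the rest of the request; nothing in the hunk clears it. Once the password has been stored, wipe and release the buffer, e.g. `memset(dummy, 0, dummy_size); talloc_free(dummy);` — hedged, because dummy and dummy_size are declared outside the hunk and dummy_size may not be the exact byte count of the converted string. The switch and the enclosing function continue past the end of the hunk.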
- if (p->session_info->utok.uid != sec_initial_uid() &&
+ if (p->session_info->unix_token->uid != sec_initial_uid() &&
!nt_token_check_domain_rid(p->session_info->security_token, DOMAIN_RID_ADMINS)) {
return NT_STATUS_ACCESS_DENIED;
}
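Review bot: The admin check now dereferences `p->session_info->unix_token` (and the hunks at L228 and L238 dereference `unix_info` and `info`) without a NULL test; if the new session_info layout lets any of these pointers be NULL for a session that reaches this server — something the hunk cannot show — the privilege check turns into a crash of the RPC server rather than an access denial. A guard before the comparison, `if (p->session_info->unix_token == NULL) { return NT_STATUS_ACCESS_DENIED; }`, keeps the failure mode a denial. If the auth layer guarantees these pointers are always populated, a one-line comment saying so at the first use would spare the next reader the same question.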
/* Work out max allowed. */
map_max_allowed_access(p->session_info->security_token,
- &p->session_info->utok,
+ p->session_info->unix_token,
&r->in.access_mask);
/* map the generic bits to the lsa policy ones */
td.trust_type = r->in.info->trust_type;
td.trust_attributes = r->in.info->trust_attributes;
- if (r->in.auth_info->auth_blob.size != 0) {
- auth_blob.length = r->in.auth_info->auth_blob.size;
- auth_blob.data = r->in.auth_info->auth_blob.data;
+ if (r->in.auth_info_internal->auth_blob.size != 0) {
+ auth_blob.length = r->in.auth_info_internal->auth_blob.size;
+ auth_blob.data = r->in.auth_info_internal->auth_blob.data;
arcfour_crypt_blob(auth_blob.data, auth_blob.length,
- &p->session_info->user_session_key);
+ &p->session_info->session_key);
ndr_err = ndr_pull_struct_blob(&auth_blob, p->mem_ctx,
&auth_struct,
status = add_trusted_domain_user(p->mem_ctx,
r->in.info->netbios_name.string,
r->in.info->domain_name.string,
- auth_struct);
+ &auth_struct);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
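Review bot: The auth blob is decrypted in place (arcfour_crypt_blob writes back into `r->in.auth_info_internal->auth_blob.data`) and then unpacked into `auth_struct`, so both the request buffer and the pulled structure hold cleartext trust passwords (see the TRUST_AUTH_TYPE_CLEAR case in add_trusted_domain_user) on p->mem_ctx until the request context is torn down; nothing in the hunk clears them after add_trusted_domain_user returns. Consider `memset(auth_blob.data, 0, auth_blob.length);` once the pull has succeeded, and wiping the talloc'd contents of auth_struct after the call. The ndr_err check and the rest of the function lie outside the hunk, so this is hedged on no later clean-up existing there.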
struct lsa_CreateTrustedDomainEx *r)
{
struct lsa_CreateTrustedDomainEx2 q;
+ struct lsa_TrustDomainInfoAuthInfoInternal auth_info;
+
+ ZERO_STRUCT(auth_info);
q.in.policy_handle = r->in.policy_handle;
q.in.info = r->in.info;
- q.in.auth_info = r->in.auth_info;
+ q.in.auth_info_internal = &auth_info;
q.in.access_mask = r->in.access_mask;
q.out.trustdom_handle = r->out.trustdom_handle;
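Review bot: `q.in.auth_info_internal` now points at a zeroed `auth_info` and `r->in.auth_info` is no longer forwarded, so trust credentials a client supplies through CreateTrustedDomainEx are silently discarded: the Ex2 path tests `auth_blob.size != 0` and skips add_trusted_domain_user entirely, creating the trust without its secret. If that is intentional (no conversion from lsa_TrustDomainInfoAuthInfo to the internal blob form exists yet), say so next to the ZERO_STRUCT, e.g. `/* r->in.auth_info is not converted to the internal encrypted form; passwords supplied via CreateTrustedDomainEx are ignored */`; otherwise the request should fail visibly when r->in.auth_info carries data. The hunk at L192 (CreateTrustedDomain) appears to do the same with a local auth_info whose declaration is outside that hunk.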
c.in.policy_handle = r->in.policy_handle;
c.in.info = &info;
- c.in.auth_info = &auth_info;
+ c.in.auth_info_internal = &auth_info;
c.in.access_mask = r->in.access_mask;
c.out.trustdom_handle = r->out.trustdom_handle;
return status;
}
- info = TALLOC_ZERO_P(p->mem_ctx, union lsa_TrustedDomainInfo);
+ info = talloc_zero(p->mem_ctx, union lsa_TrustedDomainInfo);
if (!info) {
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_ACCESS_DENIED;
if (num_privs) {
- entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
+ entries = talloc_zero_array(p->mem_ctx, struct lsa_PrivEntry, num_privs);
if (!entries) {
return NT_STATUS_NO_MEMORY;
}
DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
- lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
+ lsa_name = talloc_zero(p->mem_ctx, struct lsa_StringLarge);
if (!lsa_name) {
return NT_STATUS_NO_MEMORY;
}
}
if (num_entries - *r->in.resume_handle) {
- sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
+ sids = talloc_zero_array(p->mem_ctx, struct lsa_SidPtr,
num_entries - *r->in.resume_handle);
if (!sids) {
talloc_free(sid_list);
return NT_STATUS_INVALID_PARAMETER;
}
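Review bot: A failed talloc_zero_array here returns NT_STATUS_INVALID_PARAMETER, which tells the client its arguments were bad when the server merely ran out of memory; the other allocation failures in this file return NT_STATUS_NO_MEMORY, so change it to `return NT_STATUS_NO_MEMORY;`. The `num_entries - *r->in.resume_handle` size also relies on an earlier check that the client-supplied resume_handle does not exceed num_entries; that check is outside the hunk, and without it the unsigned subtraction wraps into a huge allocation request. The enclosing function starts before the hunk.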
- if (p->session_info->guest) {
+ if (p->session_info->unix_info->guest) {
/*
* I'm 99% sure this is not the right place to do this,
* global_sid_Anonymous should probably be put into the token
return NT_STATUS_NO_MEMORY;
}
} else {
- username = p->session_info->sanitized_username;
- domname = p->session_info->info3->base.domain.string;
+ username = p->session_info->unix_info->sanitized_username;
+ domname = p->session_info->info->domain_name;
}
- account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
+ account_name = talloc(p->mem_ctx, struct lsa_String);
if (!account_name) {
return NT_STATUS_NO_MEMORY;
}
init_lsa_String(account_name, username);
if (r->out.authority_name) {
- authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
+ authority_name = talloc(p->mem_ctx, struct lsa_String);
if (!authority_name) {
return NT_STATUS_NO_MEMORY;
}
/* Work out max allowed. */
map_max_allowed_access(p->session_info->security_token,
- &p->session_info->utok,
+ p->session_info->unix_token,
&r->in.access_mask);
/* map the generic bits to the lsa policy ones */
/* Work out max allowed. */
map_max_allowed_access(p->session_info->security_token,
- &p->session_info->utok,
+ p->session_info->unix_token,
&des_access);
/* map the generic bits to the lsa account ones */
return status;
}
- *r->out.privs = priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
+ *r->out.privs = priv_set = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
if (!priv_set) {
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_NO_SUCH_PRIVILEGE;
}
- lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
+ lsa_name = talloc_zero(p->mem_ctx, struct lsa_StringLarge);
if (!lsa_name) {
return NT_STATUS_NO_MEMORY;
}
if (num_priv) {
- r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
+ r->names = talloc_zero_array(mem_ctx, struct lsa_StringLarge,
num_priv);
if (!r->names) {
return NT_STATUS_NO_MEMORY;
return nt_status;
}
- entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TrustDomainInfoInfoEx,
+ entries = talloc_zero_array(p->mem_ctx, struct lsa_TrustDomainInfoInfoEx,
count);
if (!entries) {
return NT_STATUS_NO_MEMORY;
int cret;
if (l1 == l2) {
- if (StrCaseCmp(s1, s2) == 0) {
+ if (strcasecmp_m(s1, s2) == 0) {
return DNS_CMP_MATCH;
}
return DNS_CMP_NO_MATCH;
return DNS_CMP_NO_MATCH;
}
- if (StrCaseCmp(&p1[t1 - t2], p2) == 0) {
+ if (strcasecmp_m(&p1[t1 - t2], p2) == 0) {
return cret;
}
ex_rule = false;
tname = trec->data.info.dns_name.string;
tlen = trec->data.info.dns_name.size;
+ break;
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
}
ret = dns_cmp(dns_name, dns_len, tname, tlen);
switch (ret) {
sid_conflict = true;
}
if (!(trec->flags & LSA_NB_DISABLED_ADMIN) &&
- StrCaseCmp(trec->data.info.netbios_name.string,
+ strcasecmp_m(trec->data.info.netbios_name.string,
nb_name) == 0) {
nb_conflict = true;
}
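Review bot: `strcasecmp_m` is called on `trec->data.info.netbios_name.string` and `nb_name` with no NULL check, while the hunk at L321 guards `domains[i]->domain_name` before the same comparison; if a trust record can carry a NULL netbios name — plausible for an lsa_StringLarge read back from storage, though not provable from the hunk — this dereferences NULL. Guard it the same way by adding `trec->data.info.netbios_name.string != NULL &&` ahead of the strcasecmp_m call. The surrounding loop begins outside the hunk.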
if (domains[i]->domain_name == NULL) {
return NT_STATUS_INVALID_DOMAIN_STATE;
}
- if (StrCaseCmp(domains[i]->domain_name,
+ if (strcasecmp_m(domains[i]->domain_name,
r->in.trusted_domain_name->string) == 0) {
break;
}