s3-auth use auth_user_info not netr_SamInfo3 in auth3_session_info

[ira/wip.git] / source3 / rpc_server / lsa / srv_lsa_nt.c

diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index 0f0bbe159beb5ab6ea2899b06fa004540d9cfe1b..8aea353679e37f9363f7e25ae7162a644c206a33 100644 (file)
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -30,6 +30,7 @@
 /* This is the implementation of the lsa server code. */
 
 #include "includes.h"
+#include "ntdomain.h"
 #include "../librpc/gen_ndr/srv_lsa.h"
 #include "secrets.h"
 #include "../librpc/gen_ndr/netlogon.h"
@@ -41,6 +42,10 @@
 #include "../lib/crypto/arcfour.h"
 #include "../libcli/security/dom_sid.h"
 #include "../librpc/gen_ndr/ndr_security.h"
+#include "passdb.h"
+#include "auth.h"
+#include "lib/privileges.h"
+#include "rpc_server/srv_access_check.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
@@ -117,7 +122,7 @@ static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
        ref->count = num + 1;
        ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
 
-       ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
+       ref->domains = talloc_realloc(mem_ctx, ref->domains,
                                            struct lsa_DomainInfo, ref->count);
        if (!ref->domains) {
                return -1;
@@ -429,7 +434,7 @@ NTSTATUS _lsa_OpenPolicy2(struct pipes_struct *p,
 
        /* Work out max allowed. */
        map_max_allowed_access(p->session_info->security_token,
-                              &p->session_info->utok,
+                              p->session_info->unix_token,
                               &des_access);
 
        /* map the generic bits to the lsa policy ones */
@@ -515,7 +520,7 @@ NTSTATUS _lsa_EnumTrustDom(struct pipes_struct *p,
                return nt_status;
        }
 
-       entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo, count);
+       entries = talloc_zero_array(p->mem_ctx, struct lsa_DomainInfo, count);
        if (!entries) {
                return NT_STATUS_NO_MEMORY;
        }
@@ -623,7 +628,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
                /* return NT_STATUS_ACCESS_DENIED; */
        }
 
-       info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
+       info = talloc_zero(p->mem_ctx, union lsa_PolicyInformation);
        if (!info) {
                return NT_STATUS_NO_MEMORY;
        }
@@ -676,7 +681,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
 
                info->audit_events.auditing_mode = true;
                info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
-               info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
+               info->audit_events.settings = talloc_zero_array(p->mem_ctx,
                                                                enum lsa_PolicyAuditPolicy,
                                                                info->audit_events.count);
                if (!info->audit_events.settings) {
@@ -853,8 +858,8 @@ static NTSTATUS _lsa_lookup_sids_internal(struct pipes_struct *p,
                return NT_STATUS_OK;
        }
 
-       sids = TALLOC_ARRAY(p->mem_ctx, const struct dom_sid *, num_sids);
-       ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
+       sids = talloc_array(p->mem_ctx, const struct dom_sid *, num_sids);
+       ref = talloc_zero(p->mem_ctx, struct lsa_RefDomainList);
 
        if (sids == NULL || ref == NULL) {
                return NT_STATUS_NO_MEMORY;
@@ -871,7 +876,7 @@ static NTSTATUS _lsa_lookup_sids_internal(struct pipes_struct *p,
                return status;
        }
 
-       names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
+       names = talloc_array(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
        if (names == NULL) {
                return NT_STATUS_NO_MEMORY;
        }
@@ -993,7 +998,7 @@ NTSTATUS _lsa_LookupSids(struct pipes_struct *p,
        }
 
        /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
-       names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
+       names_out = talloc_array(p->mem_ctx, struct lsa_TranslatedName,
                                 num_sids);
        if (!names_out) {
                return NT_STATUS_NO_MEMORY;
@@ -1163,13 +1168,13 @@ NTSTATUS _lsa_LookupNames(struct pipes_struct *p,
 
        flags = lsa_lookup_level_to_flags(r->in.level);
 
-       domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
+       domains = talloc_zero(p->mem_ctx, struct lsa_RefDomainList);
        if (!domains) {
                return NT_STATUS_NO_MEMORY;
        }
 
        if (num_entries) {
-               rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
+               rids = talloc_zero_array(p->mem_ctx, struct lsa_TranslatedSid,
                                         num_entries);
                if (!rids) {
                        return NT_STATUS_NO_MEMORY;
@@ -1230,7 +1235,7 @@ NTSTATUS _lsa_LookupNames2(struct pipes_struct *p,
        struct lsa_TransSidArray *sid_array = NULL;
        uint32_t i;
 
-       sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
+       sid_array = talloc_zero(p->mem_ctx, struct lsa_TransSidArray);
        if (!sid_array) {
                return NT_STATUS_NO_MEMORY;
        }
@@ -1252,7 +1257,7 @@ NTSTATUS _lsa_LookupNames2(struct pipes_struct *p,
        status = _lsa_LookupNames(p, &q);
 
        sid_array2->count = sid_array->count;
-       sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
+       sid_array2->sids = talloc_array(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
        if (!sid_array2->sids) {
                return NT_STATUS_NO_MEMORY;
        }
@@ -1305,13 +1310,13 @@ NTSTATUS _lsa_LookupNames3(struct pipes_struct *p,
                flags = LOOKUP_NAME_ALL;
        }
 
-       domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
+       domains = talloc_zero(p->mem_ctx, struct lsa_RefDomainList);
        if (!domains) {
                return NT_STATUS_NO_MEMORY;
        }
 
        if (num_entries) {
-               trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
+               trans_sids = talloc_zero_array(p->mem_ctx, struct lsa_TranslatedSid3,
                                               num_entries);
                if (!trans_sids) {
                        return NT_STATUS_NO_MEMORY;
@@ -1499,7 +1504,7 @@ static NTSTATUS _lsa_OpenTrustedDomain_base(struct pipes_struct *p,
 
        /* Work out max allowed. */
        map_max_allowed_access(p->session_info->security_token,
-                              &p->session_info->utok,
+                              p->session_info->unix_token,
                               &access_mask);
 
        /* map the generic bits to the lsa account ones */
@@ -1598,7 +1603,7 @@ NTSTATUS _lsa_OpenTrustedDomainByName(struct pipes_struct *p,
 static NTSTATUS add_trusted_domain_user(TALLOC_CTX *mem_ctx,
                                        const char *netbios_name,
                                        const char *domain_name,
-                                       struct trustDomainPasswords auth_struct)
+                                       const struct trustDomainPasswords *auth_struct)
 {
        NTSTATUS status;
        struct samu *sam_acct;
@@ -1638,17 +1643,16 @@ static NTSTATUS add_trusted_domain_user(TALLOC_CTX *mem_ctx,
                return NT_STATUS_UNSUCCESSFUL;
        }
 
-       for (i = 0; i < auth_struct.incoming.count; i++) {
-               switch (auth_struct.incoming.current.array[i].AuthType) {
+       for (i = 0; i < auth_struct->incoming.count; i++) {
+               switch (auth_struct->incoming.current.array[i].AuthType) {
                        case TRUST_AUTH_TYPE_CLEAR:
                                if (!convert_string_talloc(mem_ctx,
                                                           CH_UTF16LE,
                                                           CH_UNIX,
-                                                          auth_struct.incoming.current.array[i].AuthInfo.clear.password,
-                                                          auth_struct.incoming.current.array[i].AuthInfo.clear.size,
+                                                          auth_struct->incoming.current.array[i].AuthInfo.clear.password,
+                                                          auth_struct->incoming.current.array[i].AuthInfo.clear.size,
                                                           &dummy,
-                                                          &dummy_size,
-                                                          false)) {
+                                                          &dummy_size)) {
                                        return NT_STATUS_UNSUCCESSFUL;
                                }
                                if (!pdb_set_plaintext_passwd(sam_acct, dummy)) {
@@ -1697,14 +1701,14 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
                return NT_STATUS_ACCESS_DENIED;
        }
 
-       if (p->session_info->utok.uid != sec_initial_uid() &&
+       if (p->session_info->unix_token->uid != sec_initial_uid() &&
            !nt_token_check_domain_rid(p->session_info->security_token, DOMAIN_RID_ADMINS)) {
                return NT_STATUS_ACCESS_DENIED;
        }
 
        /* Work out max allowed. */
        map_max_allowed_access(p->session_info->security_token,
-                              &p->session_info->utok,
+                              p->session_info->unix_token,
                               &r->in.access_mask);
 
        /* map the generic bits to the lsa policy ones */
@@ -1742,12 +1746,12 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
        td.trust_type = r->in.info->trust_type;
        td.trust_attributes = r->in.info->trust_attributes;
 
-       if (r->in.auth_info->auth_blob.size != 0) {
-               auth_blob.length = r->in.auth_info->auth_blob.size;
-               auth_blob.data = r->in.auth_info->auth_blob.data;
+       if (r->in.auth_info_internal->auth_blob.size != 0) {
+               auth_blob.length = r->in.auth_info_internal->auth_blob.size;
+               auth_blob.data = r->in.auth_info_internal->auth_blob.data;
 
                arcfour_crypt_blob(auth_blob.data, auth_blob.length,
-                                  &p->session_info->user_session_key);
+                                  &p->session_info->session_key);
 
                ndr_err = ndr_pull_struct_blob(&auth_blob, p->mem_ctx,
                                               &auth_struct,
@@ -1785,7 +1789,7 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
                status = add_trusted_domain_user(p->mem_ctx,
                                                 r->in.info->netbios_name.string,
                                                 r->in.info->domain_name.string,
-                                                auth_struct);
+                                                &auth_struct);
                if (!NT_STATUS_IS_OK(status)) {
                        return status;
                }
@@ -1814,10 +1818,13 @@ NTSTATUS _lsa_CreateTrustedDomainEx(struct pipes_struct *p,
                                    struct lsa_CreateTrustedDomainEx *r)
 {
        struct lsa_CreateTrustedDomainEx2 q;
+       struct lsa_TrustDomainInfoAuthInfoInternal auth_info;
+
+       ZERO_STRUCT(auth_info);
 
        q.in.policy_handle      = r->in.policy_handle;
        q.in.info               = r->in.info;
-       q.in.auth_info          = r->in.auth_info;
+       q.in.auth_info_internal = &auth_info;
        q.in.access_mask        = r->in.access_mask;
        q.out.trustdom_handle   = r->out.trustdom_handle;
 
@@ -1846,7 +1853,7 @@ NTSTATUS _lsa_CreateTrustedDomain(struct pipes_struct *p,
 
        c.in.policy_handle      = r->in.policy_handle;
        c.in.info               = &info;
-       c.in.auth_info          = &auth_info;
+       c.in.auth_info_internal = &auth_info;
        c.in.access_mask        = r->in.access_mask;
        c.out.trustdom_handle   = r->out.trustdom_handle;
 
@@ -2008,7 +2015,7 @@ NTSTATUS _lsa_QueryTrustedDomainInfo(struct pipes_struct *p,
                return status;
        }
 
-       info = TALLOC_ZERO_P(p->mem_ctx, union lsa_TrustedDomainInfo);
+       info = talloc_zero(p->mem_ctx, union lsa_TrustedDomainInfo);
        if (!info) {
                return NT_STATUS_NO_MEMORY;
        }
@@ -2226,7 +2233,7 @@ NTSTATUS _lsa_EnumPrivs(struct pipes_struct *p,
                return NT_STATUS_ACCESS_DENIED;
 
        if (num_privs) {
-               entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
+               entries = talloc_zero_array(p->mem_ctx, struct lsa_PrivEntry, num_privs);
                if (!entries) {
                        return NT_STATUS_NO_MEMORY;
                }
@@ -2295,7 +2302,7 @@ NTSTATUS _lsa_LookupPrivDisplayName(struct pipes_struct *p,
 
        DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
 
-       lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
+       lsa_name = talloc_zero(p->mem_ctx, struct lsa_StringLarge);
        if (!lsa_name) {
                return NT_STATUS_NO_MEMORY;
        }
@@ -2347,7 +2354,7 @@ NTSTATUS _lsa_EnumAccounts(struct pipes_struct *p,
        }
 
        if (num_entries - *r->in.resume_handle) {
-               sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
+               sids = talloc_zero_array(p->mem_ctx, struct lsa_SidPtr,
                                         num_entries - *r->in.resume_handle);
                if (!sids) {
                        talloc_free(sid_list);
@@ -2393,7 +2400,7 @@ NTSTATUS _lsa_GetUserName(struct pipes_struct *p,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
-       if (p->session_info->guest) {
+       if (p->session_info->unix_info->guest) {
                /*
                 * I'm 99% sure this is not the right place to do this,
                 * global_sid_Anonymous should probably be put into the token
@@ -2404,18 +2411,18 @@ NTSTATUS _lsa_GetUserName(struct pipes_struct *p,
                        return NT_STATUS_NO_MEMORY;
                }
        } else {
-               username = p->session_info->sanitized_username;
-               domname = p->session_info->info3->base.domain.string;
+               username = p->session_info->unix_info->sanitized_username;
+               domname = p->session_info->info->domain_name;
        }
 
-       account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
+       account_name = talloc(p->mem_ctx, struct lsa_String);
        if (!account_name) {
                return NT_STATUS_NO_MEMORY;
        }
        init_lsa_String(account_name, username);
 
        if (r->out.authority_name) {
-               authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
+               authority_name = talloc(p->mem_ctx, struct lsa_String);
                if (!authority_name) {
                        return NT_STATUS_NO_MEMORY;
                }
@@ -2459,7 +2466,7 @@ NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
 
        /* Work out max allowed. */
        map_max_allowed_access(p->session_info->security_token,
-                              &p->session_info->utok,
+                              p->session_info->unix_token,
                               &r->in.access_mask);
 
        /* map the generic bits to the lsa policy ones */
@@ -2523,7 +2530,7 @@ NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
 
        /* Work out max allowed. */
        map_max_allowed_access(p->session_info->security_token,
-                              &p->session_info->utok,
+                              p->session_info->unix_token,
                               &des_access);
 
        /* map the generic bits to the lsa account ones */
@@ -2593,7 +2600,7 @@ NTSTATUS _lsa_EnumPrivsAccount(struct pipes_struct *p,
                return status;
        }
 
-       *r->out.privs = priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
+       *r->out.privs = priv_set = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
        if (!priv_set) {
                return NT_STATUS_NO_MEMORY;
        }
@@ -2797,7 +2804,7 @@ NTSTATUS _lsa_LookupPrivName(struct pipes_struct *p,
                return NT_STATUS_NO_SUCH_PRIVILEGE;
        }
 
-       lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
+       lsa_name = talloc_zero(p->mem_ctx, struct lsa_StringLarge);
        if (!lsa_name) {
                return NT_STATUS_NO_MEMORY;
        }
@@ -3026,7 +3033,7 @@ static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
 
        if (num_priv) {
 
-               r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
+               r->names = talloc_zero_array(mem_ctx, struct lsa_StringLarge,
                                             num_priv);
                if (!r->names) {
                        return NT_STATUS_NO_MEMORY;
@@ -3319,7 +3326,7 @@ NTSTATUS _lsa_EnumTrustedDomainsEx(struct pipes_struct *p,
                return nt_status;
        }
 
-       entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TrustDomainInfoInfoEx,
+       entries = talloc_zero_array(p->mem_ctx, struct lsa_TrustDomainInfoInfoEx,
                                    count);
        if (!entries) {
                return NT_STATUS_NO_MEMORY;
@@ -3484,7 +3491,7 @@ static int dns_cmp(const char *s1, size_t l1,
        int cret;
 
        if (l1 == l2) {
-               if (StrCaseCmp(s1, s2) == 0) {
+               if (strcasecmp_m(s1, s2) == 0) {
                        return DNS_CMP_MATCH;
                }
                return DNS_CMP_NO_MATCH;
@@ -3508,7 +3515,7 @@ static int dns_cmp(const char *s1, size_t l1,
                return DNS_CMP_NO_MATCH;
        }
 
-       if (StrCaseCmp(&p1[t1 - t2], p2) == 0) {
+       if (strcasecmp_m(&p1[t1 - t2], p2) == 0) {
                return cret;
        }
 
@@ -3660,6 +3667,9 @@ static NTSTATUS check_ft_info(TALLOC_CTX *mem_ctx,
                                ex_rule = false;
                                tname = trec->data.info.dns_name.string;
                                tlen = trec->data.info.dns_name.size;
+                               break;
+                       default:
+                               return NT_STATUS_INVALID_PARAMETER;
                        }
                        ret = dns_cmp(dns_name, dns_len, tname, tlen);
                        switch (ret) {
@@ -3694,7 +3704,7 @@ static NTSTATUS check_ft_info(TALLOC_CTX *mem_ctx,
                                sid_conflict = true;
                        }
                        if (!(trec->flags & LSA_NB_DISABLED_ADMIN) &&
-                           StrCaseCmp(trec->data.info.netbios_name.string,
+                           strcasecmp_m(trec->data.info.netbios_name.string,
                                       nb_name) == 0) {
                                nb_conflict = true;
                        }
@@ -3869,7 +3879,7 @@ NTSTATUS _lsa_lsaRSetForestTrustInformation(struct pipes_struct *p,
                if (domains[i]->domain_name == NULL) {
                        return NT_STATUS_INVALID_DOMAIN_STATE;
                }
-               if (StrCaseCmp(domains[i]->domain_name,
+               if (strcasecmp_m(domains[i]->domain_name,
                               r->in.trusted_domain_name->string) == 0) {
                        break;
                }