*/
#include "includes.h"
+#include "smbd/globals.h"
#include "../libcli/auth/libcli_auth.h"
#undef DBGC_CLASS
level of access for further checks.
********************************************************************/
-static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
+NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token,
SE_PRIV *rights, uint32 rights_mask,
uint32 des_access, uint32 *acc_granted,
const char *debug )
saved_mask = (des_access & rights_mask);
des_access &= ~saved_mask;
- DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
+ DEBUG(4,("access_check_object: user rights access mask [0x%x]\n",
rights_mask));
}
Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
********************************************************************/
-static void map_max_allowed_access(const NT_USER_TOKEN *token,
+void map_max_allowed_access(const NT_USER_TOKEN *token,
uint32_t *pacc_requested)
{
if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
}
*pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
- /* At least try for generic read. */
- *pacc_requested = GENERIC_READ_ACCESS;
+ /* At least try for generic read|execute - Everyone gets that. */
+ *pacc_requested = GENERIC_READ_ACCESS|GENERIC_EXECUTE_ACCESS;
/* root gets anything. */
if (geteuid() == sec_initial_uid()) {
uint32 des_access = r->in.access_mask;
NTSTATUS status;
size_t sd_size;
+ uint32_t extra_access = SAMR_DOMAIN_ACCESS_CREATE_USER;
SE_PRIV se_rights;
/* find the connection policy handle. */
/*
* Users with SeMachineAccount or SeAddUser get additional
- * SAMR_DOMAIN_ACCESS_CREATE_USER access, but no more.
+ * SAMR_DOMAIN_ACCESS_CREATE_USER access.
*/
se_priv_copy( &se_rights, &se_machine_account );
se_priv_add( &se_rights, &se_add_users );
- status = access_check_samr_object( psd, p->server_info->ptok,
- &se_rights, SAMR_DOMAIN_ACCESS_CREATE_USER, des_access,
+ /*
+ * Users with SeAddUser get the ability to manipulate groups
+ * and aliases.
+ */
+ if (user_has_any_privilege(p->server_info->ptok, &se_add_users)) {
+ extra_access |= (SAMR_DOMAIN_ACCESS_CREATE_GROUP |
+ SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
+ SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
+ SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS |
+ SAMR_DOMAIN_ACCESS_CREATE_ALIAS);
+ }
+
+ status = access_check_object( psd, p->server_info->ptok,
+ &se_rights, extra_access, des_access,
&acc_granted, "_samr_OpenDomain" );
if ( !NT_STATUS_IS_OK(status) )
make_group_sam_entry_list(p->mem_ctx, &samr_entries,
num_groups, groups);
+ if (MAX_SAM_ENTRIES <= num_groups) {
+ status = STATUS_MORE_ENTRIES;
+ } else {
+ status = NT_STATUS_OK;
+ }
+
samr_array->count = num_groups;
samr_array->entries = samr_entries;
DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
+ if (MAX_SAM_ENTRIES <= num_aliases) {
+ status = STATUS_MORE_ENTRIES;
+ } else {
+ status = NT_STATUS_OK;
+ }
+
samr_array->count = num_aliases;
samr_array->entries = samr_entries;
NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
struct samr_ChangePasswordUser2 *r)
{
+ struct smbd_server_connection *sconn = smbd_server_conn;
NTSTATUS status;
fstring user_name;
fstring wks;
* function.
*/
- (void)map_username(user_name);
+ (void)map_username(sconn, user_name);
/*
* UNIX username case mangling not required, pass_oem_change
NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
struct samr_OemChangePasswordUser2 *r)
{
+ struct smbd_server_connection *sconn = smbd_server_conn;
NTSTATUS status;
fstring user_name;
const char *wks = NULL;
* function.
*/
- (void)map_username(user_name);
+ (void)map_username(sconn, user_name);
/*
* UNIX username case mangling not required, pass_oem_change
NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
struct samr_ChangePasswordUser3 *r)
{
+ struct smbd_server_connection *sconn = smbd_server_conn;
NTSTATUS status;
fstring user_name;
const char *wks = NULL;
* function.
*/
- (void)map_username(user_name);
+ (void)map_username(sconn, user_name);
/*
* UNIX username case mangling not required, pass_oem_change
TALLOC_FREE(sampass);
- nt_status = access_check_samr_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_OpenUser");
static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx,
struct samr_UserInfo21 *r,
struct samu *pw,
- DOM_SID *domain_sid)
+ DOM_SID *domain_sid,
+ uint32_t acc_granted)
{
NTSTATUS status;
const DOM_SID *sid_user, *sid_group;
uint32 rid;
bool ret = false;
struct samu *pwd = NULL;
+ uint32_t acc_required, acc_granted;
+
+ switch (r->in.level) {
+ case 1: /* UserGeneralInformation */
+ /* USER_READ_GENERAL */
+ acc_required = SAMR_USER_ACCESS_GET_NAME_ETC;
+ break;
+ case 2: /* UserPreferencesInformation */
+ /* USER_READ_PREFERENCES | USER_READ_GENERAL */
+ acc_required = SAMR_USER_ACCESS_GET_LOCALE |
+ SAMR_USER_ACCESS_GET_NAME_ETC;
+ break;
+ case 3: /* UserLogonInformation */
+ /* USER_READ_GENERAL | USER_READ_PREFERENCES | USER_READ_LOGON | USER_READ_ACCOUNT */
+ acc_required = SAMR_USER_ACCESS_GET_NAME_ETC |
+ SAMR_USER_ACCESS_GET_LOCALE |
+ SAMR_USER_ACCESS_GET_LOGONINFO |
+ SAMR_USER_ACCESS_GET_ATTRIBUTES;
+ break;
+ case 4: /* UserLogonHoursInformation */
+ /* USER_READ_LOGON */
+ acc_required = SAMR_USER_ACCESS_GET_LOGONINFO;
+ break;
+ case 5: /* UserAccountInformation */
+ /* USER_READ_GENERAL | USER_READ_PREFERENCES | USER_READ_LOGON | USER_READ_ACCOUNT */
+ acc_required = SAMR_USER_ACCESS_GET_NAME_ETC |
+ SAMR_USER_ACCESS_GET_LOCALE |
+ SAMR_USER_ACCESS_GET_LOGONINFO |
+ SAMR_USER_ACCESS_GET_ATTRIBUTES;
+ break;
+ case 6: /* UserNameInformation */
+ case 7: /* UserAccountNameInformation */
+ case 8: /* UserFullNameInformation */
+ case 9: /* UserPrimaryGroupInformation */
+ case 13: /* UserAdminCommentInformation */
+ /* USER_READ_GENERAL */
+ acc_required = SAMR_USER_ACCESS_GET_NAME_ETC;
+ break;
+ case 10: /* UserHomeInformation */
+ case 11: /* UserScriptInformation */
+ case 12: /* UserProfileInformation */
+ case 14: /* UserWorkStationsInformation */
+ /* USER_READ_LOGON */
+ acc_required = SAMR_USER_ACCESS_GET_LOGONINFO;
+ break;
+ case 16: /* UserControlInformation */
+ case 17: /* UserExpiresInformation */
+ case 20: /* UserParametersInformation */
+ /* USER_READ_ACCOUNT */
+ acc_required = SAMR_USER_ACCESS_GET_ATTRIBUTES;
+ break;
+ case 21: /* UserAllInformation */
+ /* FIXME! - gd */
+ acc_required = SAMR_USER_ACCESS_GET_ATTRIBUTES;
+ break;
+ case 18: /* UserInternal1Information */
+ /* FIXME! - gd */
+ acc_required = SAMR_USER_ACCESS_GET_ATTRIBUTES;
+ break;
+ case 23: /* UserInternal4Information */
+ case 24: /* UserInternal4InformationNew */
+ case 25: /* UserInternal4InformationNew */
+ case 26: /* UserInternal5InformationNew */
+ default:
+ return NT_STATUS_INVALID_INFO_CLASS;
+ break;
+ }
uinfo = policy_handle_find(p, r->in.user_handle,
- SAMR_USER_ACCESS_GET_ATTRIBUTES, NULL,
+ acc_required, &acc_granted,
struct samr_user_info, &status);
if (!NT_STATUS_IS_OK(status)) {
return status;
status = get_user_info_20(p->mem_ctx, &user_info->info20, pwd);
break;
case 21:
- status = get_user_info_21(p->mem_ctx, &user_info->info21, pwd, &domain_sid);
+ status = get_user_info_21(p->mem_ctx, &user_info->info21, pwd, &domain_sid, acc_granted);
break;
default:
status = NT_STATUS_INVALID_INFO_CLASS;
break;
}
- TALLOC_FREE(pwd);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
*r->out.info = user_info;
+ done:
+ TALLOC_FREE(pwd);
+
DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__));
return status;
* just assume we have all the rights we need ?
*/
- nt_status = access_check_samr_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_CreateUser2");
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
se_map_generic(&des_access, &sam_generic_mapping);
- nt_status = access_check_samr_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->ptok,
NULL, 0, des_access, &acc_granted, fn);
if ( !NT_STATUS_IS_OK(nt_status) )
se_priv_copy( &se_rights, &se_add_users );
- status = access_check_samr_object(psd, p->server_info->ptok,
- &se_rights, SAMR_ALIAS_ACCESS_ADD_MEMBER,
+ status = access_check_object(psd, p->server_info->ptok,
+ &se_rights, GENERIC_RIGHTS_ALIAS_ALL_ACCESS,
des_access, &acc_granted, "_samr_OpenAlias");
if ( !NT_STATUS_IS_OK(status) )
return NT_STATUS_OK;
}
+/*************************************************************
+**************************************************************/
+
+static uint32_t samr_set_user_info_map_fields_to_access_mask(uint32_t fields)
+{
+ uint32_t acc_required = 0;
+
+ /* USER_ALL_USERNAME */
+ if (fields & SAMR_FIELD_ACCOUNT_NAME)
+ acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+ /* USER_ALL_FULLNAME */
+ if (fields & SAMR_FIELD_FULL_NAME)
+ acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+ /* USER_ALL_PRIMARYGROUPID */
+ if (fields & SAMR_FIELD_PRIMARY_GID)
+ acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+ /* USER_ALL_HOMEDIRECTORY */
+ if (fields & SAMR_FIELD_HOME_DIRECTORY)
+ acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+ /* USER_ALL_HOMEDIRECTORYDRIVE */
+ if (fields & SAMR_FIELD_HOME_DRIVE)
+ acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+ /* USER_ALL_SCRIPTPATH */
+ if (fields & SAMR_FIELD_LOGON_SCRIPT)
+ acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+ /* USER_ALL_PROFILEPATH */
+ if (fields & SAMR_FIELD_PROFILE_PATH)
+ acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+ /* USER_ALL_ADMINCOMMENT */
+ if (fields & SAMR_FIELD_COMMENT)
+ acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+ /* USER_ALL_WORKSTATIONS */
+ if (fields & SAMR_FIELD_WORKSTATIONS)
+ acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+ /* USER_ALL_LOGONHOURS */
+ if (fields & SAMR_FIELD_LOGON_HOURS)
+ acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+ /* USER_ALL_ACCOUNTEXPIRES */
+ if (fields & SAMR_FIELD_ACCT_EXPIRY)
+ acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+ /* USER_ALL_USERACCOUNTCONTROL */
+ if (fields & SAMR_FIELD_ACCT_FLAGS)
+ acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+ /* USER_ALL_PARAMETERS */
+ if (fields & SAMR_FIELD_PARAMETERS)
+ acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+ /* USER_ALL_USERCOMMENT */
+ if (fields & SAMR_FIELD_COMMENT)
+ acc_required |= SAMR_USER_ACCESS_SET_LOC_COM;
+ /* USER_ALL_COUNTRYCODE */
+ if (fields & SAMR_FIELD_COUNTRY_CODE)
+ acc_required |= SAMR_USER_ACCESS_SET_LOC_COM;
+ /* USER_ALL_CODEPAGE */
+ if (fields & SAMR_FIELD_CODE_PAGE)
+ acc_required |= SAMR_USER_ACCESS_SET_LOC_COM;
+ /* USER_ALL_NTPASSWORDPRESENT */
+ if (fields & SAMR_FIELD_NT_PASSWORD_PRESENT)
+ acc_required |= SAMR_USER_ACCESS_SET_PASSWORD;
+ /* USER_ALL_LMPASSWORDPRESENT */
+ if (fields & SAMR_FIELD_LM_PASSWORD_PRESENT)
+ acc_required |= SAMR_USER_ACCESS_SET_PASSWORD;
+ /* USER_ALL_PASSWORDEXPIRED */
+ if (fields & SAMR_FIELD_EXPIRED_FLAG)
+ acc_required |= SAMR_USER_ACCESS_SET_PASSWORD;
+
+ return acc_required;
+}
/*******************************************************************
samr_SetUserInfo
NTSTATUS status;
struct samu *pwd = NULL;
union samr_UserInfo *info = r->in.info;
- uint16_t switch_value = r->in.level;
- uint32_t acc_required;
+ uint32_t acc_required = 0;
+ uint32_t fields = 0;
bool ret;
DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__));
This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so
we'll use the set from the WinXP join as the basis. */
- switch (switch_value) {
- case 7:
+ switch (r->in.level) {
+ case 2: /* UserPreferencesInformation */
+ /* USER_WRITE_ACCOUNT | USER_WRITE_PREFERENCES */
+ acc_required = SAMR_USER_ACCESS_SET_ATTRIBUTES | SAMR_USER_ACCESS_SET_LOC_COM;
+ break;
+ case 4: /* UserLogonHoursInformation */
+ case 6: /* UserNameInformation */
+ case 7: /* UserAccountNameInformation */
+ case 8: /* UserFullNameInformation */
+ case 9: /* UserPrimaryGroupInformation */
+ case 10: /* UserHomeInformation */
+ case 11: /* UserScriptInformation */
+ case 12: /* UserProfileInformation */
+ case 13: /* UserAdminCommentInformation */
+ case 14: /* UserWorkStationsInformation */
+ case 16: /* UserControlInformation */
+ case 17: /* UserExpiresInformation */
+ case 20: /* UserParametersInformation */
+ /* USER_WRITE_ACCOUNT */
acc_required = SAMR_USER_ACCESS_SET_ATTRIBUTES;
break;
- case 18:
- case 24:
- case 25:
- case 26:
+ case 18: /* UserInternal1Information */
+ /* FIXME: gd, this is a guess */
acc_required = SAMR_USER_ACCESS_SET_PASSWORD;
break;
- default:
- acc_required = SAMR_USER_ACCESS_SET_PASSWORD |
- SAMR_USER_ACCESS_SET_ATTRIBUTES |
- SAMR_USER_ACCESS_GET_ATTRIBUTES;
+ case 21: /* UserAllInformation */
+ fields = info->info21.fields_present;
+ acc_required = samr_set_user_info_map_fields_to_access_mask(fields);
+ break;
+ case 23: /* UserInternal4Information */
+ fields = info->info23.info.fields_present;
+ acc_required = samr_set_user_info_map_fields_to_access_mask(fields);
+ break;
+ case 25: /* UserInternal4InformationNew */
+ fields = info->info25.info.fields_present;
+ acc_required = samr_set_user_info_map_fields_to_access_mask(fields);
+ break;
+ case 24: /* UserInternal5Information */
+ case 26: /* UserInternal5InformationNew */
+ acc_required = SAMR_USER_ACCESS_SET_PASSWORD;
break;
+ default:
+ return NT_STATUS_INVALID_INFO_CLASS;
}
uinfo = policy_handle_find(p, r->in.user_handle, acc_required, NULL,
}
DEBUG(5, ("_samr_SetUserInfo: sid:%s, level:%d\n",
- sid_string_dbg(&uinfo->sid), switch_value));
+ sid_string_dbg(&uinfo->sid), r->in.level));
if (info == NULL) {
DEBUG(5, ("_samr_SetUserInfo: NULL info level\n"));
/* ok! user info levels (lots: see MSDEV help), off we go... */
- switch (switch_value) {
+ switch (r->in.level) {
case 2:
status = set_user_info_2(p->mem_ctx,
struct samr_user_info *uinfo;
NTSTATUS status;
struct samu *sam_pass=NULL;
- bool can_del_accounts = false;
- uint32 acb_info = 0;
bool ret;
DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__));
ret = pdb_getsampwsid(sam_pass, &uinfo->sid);
unbecome_root();
- if (ret) {
- acb_info = pdb_get_acct_ctrl(sam_pass);
- }
-
- /* For machine accounts it's the SeMachineAccountPrivilege that counts. */
- if (geteuid() == sec_initial_uid()) {
- can_del_accounts = true;
- } else if (acb_info & ACB_WSTRUST) {
- can_del_accounts = user_has_privileges( p->server_info->ptok, &se_machine_account );
- } else {
- can_del_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
- }
-
- if (!can_del_accounts) {
- TALLOC_FREE(sam_pass);
- return NT_STATUS_ACCESS_DENIED;
- }
-
if(!ret) {
DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
sid_string_dbg(&uinfo->sid)));
se_priv_copy( &se_rights, &se_add_users );
- status = access_check_samr_object(psd, p->server_info->ptok,
- &se_rights, SAMR_GROUP_ACCESS_ADD_MEMBER,
+ status = access_check_object(psd, p->server_info->ptok,
+ &se_rights, GENERIC_RIGHTS_GROUP_ALL_ACCESS,
des_access, &acc_granted, "_samr_OpenGroup");
if ( !NT_STATUS_IS_OK(status) )
return NT_STATUS_NO_SUCH_GROUP;
ginfo = policy_handle_create(p, r->out.group_handle,
- GENERIC_RIGHTS_GROUP_ALL_ACCESS,
+ acc_granted,
struct samr_group_info, &status);
if (!NT_STATUS_IS_OK(status)) {
return status;
/* Find the policy handle. Open a policy on it. */
dinfo = policy_handle_find(p, r->in.domain_handle,
- STD_RIGHT_DELETE_ACCESS, NULL,
+ SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, NULL,
struct samr_domain_info, &result);
if (!NT_STATUS_IS_OK(result)) {
return result;