17e111d4eac88391980b46feebbc988f1e66e6ac
[samba.git] / source3 / rpc_server / srv_samr_nt.c
1 /*
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Copyright (C) Andrew Tridgell                   1992-1997,
5  *  Copyright (C) Luke Kenneth Casson Leighton      1996-1997,
6  *  Copyright (C) Paul Ashton                       1997,
7  *  Copyright (C) Marc Jacobsen                     1999,
8  *  Copyright (C) Jeremy Allison                    2001-2008,
9  *  Copyright (C) Jean Fran├žois Micouleau           1998-2001,
10  *  Copyright (C) Jim McDonough <jmcd@us.ibm.com>   2002,
11  *  Copyright (C) Gerald (Jerry) Carter             2003-2004,
12  *  Copyright (C) Simo Sorce                        2003.
13  *  Copyright (C) Volker Lendecke                   2005.
14  *  Copyright (C) Guenther Deschner                 2008.
15  *
16  *  This program is free software; you can redistribute it and/or modify
17  *  it under the terms of the GNU General Public License as published by
18  *  the Free Software Foundation; either version 3 of the License, or
19  *  (at your option) any later version.
20  *
21  *  This program is distributed in the hope that it will be useful,
22  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
23  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
24  *  GNU General Public License for more details.
25  *
26  *  You should have received a copy of the GNU General Public License
27  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
28  */
29
30 /*
31  * This is the implementation of the SAMR code.
32  */
33
34 #include "includes.h"
35 #include "../libcli/auth/libcli_auth.h"
36
37 #undef DBGC_CLASS
38 #define DBGC_CLASS DBGC_RPC_SRV
39
40 #define SAMR_USR_RIGHTS_WRITE_PW \
41                 ( READ_CONTROL_ACCESS           | \
42                   SAMR_USER_ACCESS_CHANGE_PASSWORD      | \
43                   SAMR_USER_ACCESS_SET_LOC_COM)
44 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
45                 ( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
46
47 #define DISP_INFO_CACHE_TIMEOUT 10
48
49 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
50 #define MAX_SAM_ENTRIES_W95 50
51
52 struct samr_connect_info {
53         uint8_t dummy;
54 };
55
56 struct samr_domain_info {
57         struct dom_sid sid;
58         struct disp_info *disp_info;
59 };
60
61 struct samr_user_info {
62         struct dom_sid sid;
63 };
64
65 struct samr_group_info {
66         struct dom_sid sid;
67 };
68
69 struct samr_alias_info {
70         struct dom_sid sid;
71 };
72
73 typedef struct disp_info {
74         DOM_SID sid; /* identify which domain this is. */
75         struct pdb_search *users; /* querydispinfo 1 and 4 */
76         struct pdb_search *machines; /* querydispinfo 2 */
77         struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
78         struct pdb_search *aliases; /* enumaliases */
79
80         uint16 enum_acb_mask;
81         struct pdb_search *enum_users; /* enumusers with a mask */
82
83         struct timed_event *cache_timeout_event; /* cache idle timeout
84                                                   * handler. */
85 } DISP_INFO;
86
87 static const struct generic_mapping sam_generic_mapping = {
88         GENERIC_RIGHTS_SAM_READ,
89         GENERIC_RIGHTS_SAM_WRITE,
90         GENERIC_RIGHTS_SAM_EXECUTE,
91         GENERIC_RIGHTS_SAM_ALL_ACCESS};
92 static const struct generic_mapping dom_generic_mapping = {
93         GENERIC_RIGHTS_DOMAIN_READ,
94         GENERIC_RIGHTS_DOMAIN_WRITE,
95         GENERIC_RIGHTS_DOMAIN_EXECUTE,
96         GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
97 static const struct generic_mapping usr_generic_mapping = {
98         GENERIC_RIGHTS_USER_READ,
99         GENERIC_RIGHTS_USER_WRITE,
100         GENERIC_RIGHTS_USER_EXECUTE,
101         GENERIC_RIGHTS_USER_ALL_ACCESS};
102 static const struct generic_mapping usr_nopwchange_generic_mapping = {
103         GENERIC_RIGHTS_USER_READ,
104         GENERIC_RIGHTS_USER_WRITE,
105         GENERIC_RIGHTS_USER_EXECUTE & ~SAMR_USER_ACCESS_CHANGE_PASSWORD,
106         GENERIC_RIGHTS_USER_ALL_ACCESS};
107 static const struct generic_mapping grp_generic_mapping = {
108         GENERIC_RIGHTS_GROUP_READ,
109         GENERIC_RIGHTS_GROUP_WRITE,
110         GENERIC_RIGHTS_GROUP_EXECUTE,
111         GENERIC_RIGHTS_GROUP_ALL_ACCESS};
112 static const struct generic_mapping ali_generic_mapping = {
113         GENERIC_RIGHTS_ALIAS_READ,
114         GENERIC_RIGHTS_ALIAS_WRITE,
115         GENERIC_RIGHTS_ALIAS_EXECUTE,
116         GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
117
118 /*******************************************************************
119 *******************************************************************/
120
121 static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size,
122                                      const struct generic_mapping *map,
123                                      DOM_SID *sid, uint32 sid_access )
124 {
125         DOM_SID domadmin_sid;
126         SEC_ACE ace[5];         /* at most 5 entries */
127         size_t i = 0;
128
129         SEC_ACL *psa = NULL;
130
131         /* basic access for Everyone */
132
133         init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
134                         map->generic_execute | map->generic_read, 0);
135
136         /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
137
138         init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
139                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
140         init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
141                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
142
143         /* Add Full Access for Domain Admins if we are a DC */
144
145         if ( IS_DC ) {
146                 sid_copy( &domadmin_sid, get_global_sam_sid() );
147                 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
148                 init_sec_ace(&ace[i++], &domadmin_sid,
149                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
150         }
151
152         /* if we have a sid, give it some special access */
153
154         if ( sid ) {
155                 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sid_access, 0);
156         }
157
158         /* create the security descriptor */
159
160         if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
161                 return NT_STATUS_NO_MEMORY;
162
163         if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
164                                   SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
165                                   psa, sd_size)) == NULL)
166                 return NT_STATUS_NO_MEMORY;
167
168         return NT_STATUS_OK;
169 }
170
171 /*******************************************************************
172  Checks if access to an object should be granted, and returns that
173  level of access for further checks.
174 ********************************************************************/
175
176 static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
177                                           SE_PRIV *rights, uint32 rights_mask,
178                                           uint32 des_access, uint32 *acc_granted,
179                                           const char *debug )
180 {
181         NTSTATUS status = NT_STATUS_ACCESS_DENIED;
182         uint32 saved_mask = 0;
183
184         /* check privileges; certain SAM access bits should be overridden
185            by privileges (mostly having to do with creating/modifying/deleting
186            users and groups) */
187
188         if ( rights && user_has_any_privilege( token, rights ) ) {
189
190                 saved_mask = (des_access & rights_mask);
191                 des_access &= ~saved_mask;
192
193                 DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
194                         rights_mask));
195         }
196
197
198         /* check the security descriptor first */
199
200         status = se_access_check(psd, token, des_access, acc_granted);
201         if (NT_STATUS_IS_OK(status)) {
202                 goto done;
203         }
204
205         /* give root a free pass */
206
207         if ( geteuid() == sec_initial_uid() ) {
208
209                 DEBUG(4,("%s: ACCESS should be DENIED  (requested: %#010x)\n", debug, des_access));
210                 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
211
212                 *acc_granted = des_access;
213
214                 status = NT_STATUS_OK;
215                 goto done;
216         }
217
218
219 done:
220         /* add in any bits saved during the privilege check (only
221            matters is status is ok) */
222
223         *acc_granted |= rights_mask;
224
225         DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
226                 debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
227                 des_access, *acc_granted));
228
229         return status;
230 }
231
232
233 /*******************************************************************
234  Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
235 ********************************************************************/
236
237 static void map_max_allowed_access(const NT_USER_TOKEN *token,
238                                         uint32_t *pacc_requested)
239 {
240         if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
241                 return;
242         }
243         *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
244
245         /* At least try for generic read. */
246         *pacc_requested = GENERIC_READ_ACCESS;
247
248         /* root gets anything. */
249         if (geteuid() == sec_initial_uid()) {
250                 *pacc_requested |= GENERIC_ALL_ACCESS;
251                 return;
252         }
253
254         /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
255
256         if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
257                         is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
258                 *pacc_requested |= GENERIC_ALL_ACCESS;
259                 return;
260         }
261
262         /* Full access for DOMAIN\Domain Admins. */
263         if ( IS_DC ) {
264                 DOM_SID domadmin_sid;
265                 sid_copy( &domadmin_sid, get_global_sam_sid() );
266                 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
267                 if (is_sid_in_token(token, &domadmin_sid)) {
268                         *pacc_requested |= GENERIC_ALL_ACCESS;
269                         return;
270                 }
271         }
272         /* TODO ! Check privileges. */
273 }
274
275 /*******************************************************************
276  Fetch or create a dispinfo struct.
277 ********************************************************************/
278
279 static DISP_INFO *get_samr_dispinfo_by_sid(const struct dom_sid *psid)
280 {
281         /*
282          * We do a static cache for DISP_INFO's here. Explanation can be found
283          * in Jeremy's checkin message to r11793:
284          *
285          * Fix the SAMR cache so it works across completely insane
286          * client behaviour (ie.:
287          * open pipe/open SAMR handle/enumerate 0 - 1024
288          * close SAMR handle, close pipe.
289          * open pipe/open SAMR handle/enumerate 1024 - 2048...
290          * close SAMR handle, close pipe.
291          * And on ad-nausium. Amazing.... probably object-oriented
292          * client side programming in action yet again.
293          * This change should *massively* improve performance when
294          * enumerating users from an LDAP database.
295          * Jeremy.
296          *
297          * "Our" and the builtin domain are the only ones where we ever
298          * enumerate stuff, so just cache 2 entries.
299          */
300
301         static struct disp_info *builtin_dispinfo;
302         static struct disp_info *domain_dispinfo;
303
304         /* There are two cases to consider here:
305            1) The SID is a domain SID and we look for an equality match, or
306            2) This is an account SID and so we return the DISP_INFO* for our
307               domain */
308
309         if (psid == NULL) {
310                 return NULL;
311         }
312
313         if (sid_check_is_builtin(psid) || sid_check_is_in_builtin(psid)) {
314                 /*
315                  * Necessary only once, but it does not really hurt.
316                  */
317                 if (builtin_dispinfo == NULL) {
318                         builtin_dispinfo = talloc_zero(
319                                 talloc_autofree_context(), struct disp_info);
320                         if (builtin_dispinfo == NULL) {
321                                 return NULL;
322                         }
323                 }
324                 sid_copy(&builtin_dispinfo->sid, &global_sid_Builtin);
325
326                 return builtin_dispinfo;
327         }
328
329         if (sid_check_is_domain(psid) || sid_check_is_in_our_domain(psid)) {
330                 /*
331                  * Necessary only once, but it does not really hurt.
332                  */
333                 if (domain_dispinfo == NULL) {
334                         domain_dispinfo = talloc_zero(
335                                 talloc_autofree_context(), struct disp_info);
336                         if (domain_dispinfo == NULL) {
337                                 return NULL;
338                         }
339                 }
340                 sid_copy(&domain_dispinfo->sid, get_global_sam_sid());
341
342                 return domain_dispinfo;
343         }
344
345         return NULL;
346 }
347
348 /*******************************************************************
349  Function to free the per SID data.
350  ********************************************************************/
351
352 static void free_samr_cache(DISP_INFO *disp_info)
353 {
354         DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
355                    sid_string_dbg(&disp_info->sid)));
356
357         /* We need to become root here because the paged search might have to
358          * tell the LDAP server we're not interested in the rest anymore. */
359
360         become_root();
361
362         TALLOC_FREE(disp_info->users);
363         TALLOC_FREE(disp_info->machines);
364         TALLOC_FREE(disp_info->groups);
365         TALLOC_FREE(disp_info->aliases);
366         TALLOC_FREE(disp_info->enum_users);
367
368         unbecome_root();
369 }
370
371 /*******************************************************************
372  Idle event handler. Throw away the disp info cache.
373  ********************************************************************/
374
375 static void disp_info_cache_idle_timeout_handler(struct event_context *ev_ctx,
376                                                  struct timed_event *te,
377                                                  struct timeval now,
378                                                  void *private_data)
379 {
380         DISP_INFO *disp_info = (DISP_INFO *)private_data;
381
382         TALLOC_FREE(disp_info->cache_timeout_event);
383
384         DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
385                    "out\n"));
386         free_samr_cache(disp_info);
387 }
388
389 /*******************************************************************
390  Setup cache removal idle event handler.
391  ********************************************************************/
392
393 static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow)
394 {
395         /* Remove any pending timeout and update. */
396
397         TALLOC_FREE(disp_info->cache_timeout_event);
398
399         DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
400                   "SID %s for %u seconds\n", sid_string_dbg(&disp_info->sid),
401                   (unsigned int)secs_fromnow ));
402
403         disp_info->cache_timeout_event = event_add_timed(
404                 smbd_event_context(), NULL,
405                 timeval_current_ofs(secs_fromnow, 0),
406                 disp_info_cache_idle_timeout_handler, (void *)disp_info);
407 }
408
409 /*******************************************************************
410  Force flush any cache. We do this on any samr_set_xxx call.
411  We must also remove the timeout handler.
412  ********************************************************************/
413
414 static void force_flush_samr_cache(const struct dom_sid *sid)
415 {
416         struct disp_info *disp_info = get_samr_dispinfo_by_sid(sid);
417
418         if ((disp_info == NULL) || (disp_info->cache_timeout_event == NULL)) {
419                 return;
420         }
421
422         DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
423         TALLOC_FREE(disp_info->cache_timeout_event);
424         free_samr_cache(disp_info);
425 }
426
427 /*******************************************************************
428  Ensure password info is never given out. Paranioa... JRA.
429  ********************************************************************/
430
431 static void samr_clear_sam_passwd(struct samu *sam_pass)
432 {
433
434         if (!sam_pass)
435                 return;
436
437         /* These now zero out the old password */
438
439         pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
440         pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
441 }
442
443 static uint32 count_sam_users(struct disp_info *info, uint32 acct_flags)
444 {
445         struct samr_displayentry *entry;
446
447         if (sid_check_is_builtin(&info->sid)) {
448                 /* No users in builtin. */
449                 return 0;
450         }
451
452         if (info->users == NULL) {
453                 info->users = pdb_search_users(info, acct_flags);
454                 if (info->users == NULL) {
455                         return 0;
456                 }
457         }
458         /* Fetch the last possible entry, thus trigger an enumeration */
459         pdb_search_entries(info->users, 0xffffffff, 1, &entry);
460
461         /* Ensure we cache this enumeration. */
462         set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
463
464         return info->users->num_entries;
465 }
466
467 static uint32 count_sam_groups(struct disp_info *info)
468 {
469         struct samr_displayentry *entry;
470
471         if (sid_check_is_builtin(&info->sid)) {
472                 /* No groups in builtin. */
473                 return 0;
474         }
475
476         if (info->groups == NULL) {
477                 info->groups = pdb_search_groups(info);
478                 if (info->groups == NULL) {
479                         return 0;
480                 }
481         }
482         /* Fetch the last possible entry, thus trigger an enumeration */
483         pdb_search_entries(info->groups, 0xffffffff, 1, &entry);
484
485         /* Ensure we cache this enumeration. */
486         set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
487
488         return info->groups->num_entries;
489 }
490
491 static uint32 count_sam_aliases(struct disp_info *info)
492 {
493         struct samr_displayentry *entry;
494
495         if (info->aliases == NULL) {
496                 info->aliases = pdb_search_aliases(info, &info->sid);
497                 if (info->aliases == NULL) {
498                         return 0;
499                 }
500         }
501         /* Fetch the last possible entry, thus trigger an enumeration */
502         pdb_search_entries(info->aliases, 0xffffffff, 1, &entry);
503
504         /* Ensure we cache this enumeration. */
505         set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
506
507         return info->aliases->num_entries;
508 }
509
510 /*******************************************************************
511  _samr_Close
512  ********************************************************************/
513
514 NTSTATUS _samr_Close(pipes_struct *p, struct samr_Close *r)
515 {
516         if (!close_policy_hnd(p, r->in.handle)) {
517                 return NT_STATUS_INVALID_HANDLE;
518         }
519
520         ZERO_STRUCTP(r->out.handle);
521
522         return NT_STATUS_OK;
523 }
524
525 /*******************************************************************
526  _samr_OpenDomain
527  ********************************************************************/
528
529 NTSTATUS _samr_OpenDomain(pipes_struct *p,
530                           struct samr_OpenDomain *r)
531 {
532         struct samr_connect_info *cinfo;
533         struct samr_domain_info *dinfo;
534         SEC_DESC *psd = NULL;
535         uint32    acc_granted;
536         uint32    des_access = r->in.access_mask;
537         NTSTATUS  status;
538         size_t    sd_size;
539         SE_PRIV se_rights;
540
541         /* find the connection policy handle. */
542
543         cinfo = policy_handle_find(p, r->in.connect_handle, 0, NULL,
544                                    struct samr_connect_info, &status);
545         if (!NT_STATUS_IS_OK(status)) {
546                 return status;
547         }
548
549         /*check if access can be granted as requested by client. */
550         map_max_allowed_access(p->server_info->ptok, &des_access);
551
552         make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
553         se_map_generic( &des_access, &dom_generic_mapping );
554
555         se_priv_copy( &se_rights, &se_machine_account );
556         se_priv_add( &se_rights, &se_add_users );
557
558         status = access_check_samr_object( psd, p->server_info->ptok,
559                 &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access,
560                 &acc_granted, "_samr_OpenDomain" );
561
562         if ( !NT_STATUS_IS_OK(status) )
563                 return status;
564
565         if (!sid_check_is_domain(r->in.sid) &&
566             !sid_check_is_builtin(r->in.sid)) {
567                 return NT_STATUS_NO_SUCH_DOMAIN;
568         }
569
570         dinfo = policy_handle_create(p, r->out.domain_handle, acc_granted,
571                                      struct samr_domain_info, &status);
572         if (!NT_STATUS_IS_OK(status)) {
573                 return status;
574         }
575         dinfo->sid = *r->in.sid;
576         dinfo->disp_info = get_samr_dispinfo_by_sid(r->in.sid);
577
578         DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__));
579
580         return NT_STATUS_OK;
581 }
582
583 /*******************************************************************
584  _samr_GetUserPwInfo
585  ********************************************************************/
586
587 NTSTATUS _samr_GetUserPwInfo(pipes_struct *p,
588                              struct samr_GetUserPwInfo *r)
589 {
590         struct samr_user_info *uinfo;
591         enum lsa_SidType sid_type;
592         uint32_t min_password_length = 0;
593         uint32_t password_properties = 0;
594         bool ret = false;
595         NTSTATUS status;
596
597         DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
598
599         uinfo = policy_handle_find(p, r->in.user_handle,
600                                    SAMR_USER_ACCESS_GET_ATTRIBUTES, NULL,
601                                    struct samr_user_info, &status);
602         if (!NT_STATUS_IS_OK(status)) {
603                 return status;
604         }
605
606         if (!sid_check_is_in_our_domain(&uinfo->sid)) {
607                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
608         }
609
610         become_root();
611         ret = lookup_sid(p->mem_ctx, &uinfo->sid, NULL, NULL, &sid_type);
612         unbecome_root();
613         if (ret == false) {
614                 return NT_STATUS_NO_SUCH_USER;
615         }
616
617         switch (sid_type) {
618                 case SID_NAME_USER:
619                         become_root();
620                         pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
621                                                &min_password_length);
622                         pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
623                                                &password_properties);
624                         unbecome_root();
625
626                         if (lp_check_password_script() && *lp_check_password_script()) {
627                                 password_properties |= DOMAIN_PASSWORD_COMPLEX;
628                         }
629
630                         break;
631                 default:
632                         break;
633         }
634
635         r->out.info->min_password_length = min_password_length;
636         r->out.info->password_properties = password_properties;
637
638         DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
639
640         return NT_STATUS_OK;
641 }
642
643 /*******************************************************************
644  _samr_SetSecurity
645  ********************************************************************/
646
647 NTSTATUS _samr_SetSecurity(pipes_struct *p,
648                            struct samr_SetSecurity *r)
649 {
650         struct samr_user_info *uinfo;
651         uint32 i;
652         SEC_ACL *dacl;
653         bool ret;
654         struct samu *sampass=NULL;
655         NTSTATUS status;
656
657         uinfo = policy_handle_find(p, r->in.handle,
658                                    SAMR_USER_ACCESS_SET_ATTRIBUTES, NULL,
659                                    struct samr_user_info, &status);
660         if (!NT_STATUS_IS_OK(status)) {
661                 return status;
662         }
663
664         if (!(sampass = samu_new( p->mem_ctx))) {
665                 DEBUG(0,("No memory!\n"));
666                 return NT_STATUS_NO_MEMORY;
667         }
668
669         /* get the user record */
670         become_root();
671         ret = pdb_getsampwsid(sampass, &uinfo->sid);
672         unbecome_root();
673
674         if (!ret) {
675                 DEBUG(4, ("User %s not found\n",
676                           sid_string_dbg(&uinfo->sid)));
677                 TALLOC_FREE(sampass);
678                 return NT_STATUS_INVALID_HANDLE;
679         }
680
681         dacl = r->in.sdbuf->sd->dacl;
682         for (i=0; i < dacl->num_aces; i++) {
683                 if (sid_equal(&uinfo->sid, &dacl->aces[i].trustee)) {
684                         ret = pdb_set_pass_can_change(sampass,
685                                 (dacl->aces[i].access_mask &
686                                  SAMR_USER_ACCESS_CHANGE_PASSWORD) ?
687                                                       True: False);
688                         break;
689                 }
690         }
691
692         if (!ret) {
693                 TALLOC_FREE(sampass);
694                 return NT_STATUS_ACCESS_DENIED;
695         }
696
697         become_root();
698         status = pdb_update_sam_account(sampass);
699         unbecome_root();
700
701         TALLOC_FREE(sampass);
702
703         return status;
704 }
705
706 /*******************************************************************
707   build correct perms based on policies and password times for _samr_query_sec_obj
708 *******************************************************************/
709 static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid)
710 {
711         struct samu *sampass=NULL;
712         bool ret;
713
714         if ( !(sampass = samu_new( mem_ctx )) ) {
715                 DEBUG(0,("No memory!\n"));
716                 return False;
717         }
718
719         become_root();
720         ret = pdb_getsampwsid(sampass, user_sid);
721         unbecome_root();
722
723         if (ret == False) {
724                 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
725                 TALLOC_FREE(sampass);
726                 return False;
727         }
728
729         DEBUG(3,("User:[%s]\n",  pdb_get_username(sampass) ));
730
731         if (pdb_get_pass_can_change(sampass)) {
732                 TALLOC_FREE(sampass);
733                 return True;
734         }
735         TALLOC_FREE(sampass);
736         return False;
737 }
738
739
740 /*******************************************************************
741  _samr_QuerySecurity
742  ********************************************************************/
743
744 NTSTATUS _samr_QuerySecurity(pipes_struct *p,
745                              struct samr_QuerySecurity *r)
746 {
747         struct samr_connect_info *cinfo;
748         struct samr_domain_info *dinfo;
749         struct samr_user_info *uinfo;
750         struct samr_group_info *ginfo;
751         struct samr_alias_info *ainfo;
752         NTSTATUS status;
753         SEC_DESC * psd = NULL;
754         size_t sd_size;
755
756         cinfo = policy_handle_find(p, r->in.handle,
757                                    STD_RIGHT_READ_CONTROL_ACCESS, NULL,
758                                    struct samr_connect_info, &status);
759         if (NT_STATUS_IS_OK(status)) {
760                 DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
761                 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size,
762                                              &sam_generic_mapping, NULL, 0);
763                 goto done;
764         }
765
766         dinfo = policy_handle_find(p, r->in.handle,
767                                    STD_RIGHT_READ_CONTROL_ACCESS, NULL,
768                                    struct samr_domain_info, &status);
769         if (NT_STATUS_IS_OK(status)) {
770                 DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
771                          "with SID: %s\n", sid_string_dbg(&dinfo->sid)));
772                 /*
773                  * TODO: Builtin probably needs a different SD with restricted
774                  * write access
775                  */
776                 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size,
777                                              &dom_generic_mapping, NULL, 0);
778                 goto done;
779         }
780
781         uinfo = policy_handle_find(p, r->in.handle,
782                                    STD_RIGHT_READ_CONTROL_ACCESS, NULL,
783                                    struct samr_user_info, &status);
784         if (NT_STATUS_IS_OK(status)) {
785                 DEBUG(10,("_samr_QuerySecurity: querying security on user "
786                           "Object with SID: %s\n",
787                           sid_string_dbg(&uinfo->sid)));
788                 if (check_change_pw_access(p->mem_ctx, &uinfo->sid)) {
789                         status = make_samr_object_sd(
790                                 p->mem_ctx, &psd, &sd_size,
791                                 &usr_generic_mapping,
792                                 &uinfo->sid, SAMR_USR_RIGHTS_WRITE_PW);
793                 } else {
794                         status = make_samr_object_sd(
795                                 p->mem_ctx, &psd, &sd_size,
796                                 &usr_nopwchange_generic_mapping,
797                                 &uinfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
798                 }
799                 goto done;
800         }
801
802         ginfo = policy_handle_find(p, r->in.handle,
803                                    STD_RIGHT_READ_CONTROL_ACCESS, NULL,
804                                    struct samr_group_info, &status);
805         if (NT_STATUS_IS_OK(status)) {
806                 /*
807                  * TODO: different SDs have to be generated for aliases groups
808                  * and users.  Currently all three get a default user SD
809                  */
810                 DEBUG(10,("_samr_QuerySecurity: querying security on group "
811                           "Object with SID: %s\n",
812                           sid_string_dbg(&ginfo->sid)));
813                 status = make_samr_object_sd(
814                         p->mem_ctx, &psd, &sd_size,
815                         &usr_nopwchange_generic_mapping,
816                         &ginfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
817                 goto done;
818         }
819
820         ainfo = policy_handle_find(p, r->in.handle,
821                                    STD_RIGHT_READ_CONTROL_ACCESS, NULL,
822                                    struct samr_alias_info, &status);
823         if (NT_STATUS_IS_OK(status)) {
824                 /*
825                  * TODO: different SDs have to be generated for aliases groups
826                  * and users.  Currently all three get a default user SD
827                  */
828                 DEBUG(10,("_samr_QuerySecurity: querying security on alias "
829                           "Object with SID: %s\n",
830                           sid_string_dbg(&ainfo->sid)));
831                 status = make_samr_object_sd(
832                         p->mem_ctx, &psd, &sd_size,
833                         &usr_nopwchange_generic_mapping,
834                         &ainfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
835                 goto done;
836         }
837
838         return NT_STATUS_OBJECT_TYPE_MISMATCH;
839 done:
840         if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
841                 return NT_STATUS_NO_MEMORY;
842
843         return status;
844 }
845
846 /*******************************************************************
847 makes a SAM_ENTRY / UNISTR2* structure from a user list.
848 ********************************************************************/
849
850 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx,
851                                          struct samr_SamEntry **sam_pp,
852                                          uint32_t num_entries,
853                                          uint32_t start_idx,
854                                          struct samr_displayentry *entries)
855 {
856         uint32_t i;
857         struct samr_SamEntry *sam;
858
859         *sam_pp = NULL;
860
861         if (num_entries == 0) {
862                 return NT_STATUS_OK;
863         }
864
865         sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_entries);
866         if (sam == NULL) {
867                 DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
868                 return NT_STATUS_NO_MEMORY;
869         }
870
871         for (i = 0; i < num_entries; i++) {
872 #if 0
873                 /*
874                  * usrmgr expects a non-NULL terminated string with
875                  * trust relationships
876                  */
877                 if (entries[i].acct_flags & ACB_DOMTRUST) {
878                         init_unistr2(&uni_temp_name, entries[i].account_name,
879                                      UNI_FLAGS_NONE);
880                 } else {
881                         init_unistr2(&uni_temp_name, entries[i].account_name,
882                                      UNI_STR_TERMINATE);
883                 }
884 #endif
885                 init_lsa_String(&sam[i].name, entries[i].account_name);
886                 sam[i].idx = entries[i].rid;
887         }
888
889         *sam_pp = sam;
890
891         return NT_STATUS_OK;
892 }
893
894 #define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
895
896 /*******************************************************************
897  _samr_EnumDomainUsers
898  ********************************************************************/
899
900 NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
901                                struct samr_EnumDomainUsers *r)
902 {
903         NTSTATUS status;
904         struct samr_domain_info *dinfo;
905         int num_account;
906         uint32 enum_context = *r->in.resume_handle;
907         enum remote_arch_types ra_type = get_remote_arch();
908         int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
909         uint32 max_entries = max_sam_entries;
910         struct samr_displayentry *entries = NULL;
911         struct samr_SamArray *samr_array = NULL;
912         struct samr_SamEntry *samr_entries = NULL;
913
914         DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
915
916         dinfo = policy_handle_find(p, r->in.domain_handle,
917                                    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
918                                    struct samr_domain_info, &status);
919         if (!NT_STATUS_IS_OK(status)) {
920                 return status;
921         }
922
923         if (sid_check_is_builtin(&dinfo->sid)) {
924                 /* No users in builtin. */
925                 *r->out.resume_handle = *r->in.resume_handle;
926                 DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
927                 return status;
928         }
929
930         samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
931         if (!samr_array) {
932                 return NT_STATUS_NO_MEMORY;
933         }
934         *r->out.sam = samr_array;
935
936         become_root();
937
938         /* AS ROOT !!!! */
939
940         if ((dinfo->disp_info->enum_users != NULL) &&
941             (dinfo->disp_info->enum_acb_mask != r->in.acct_flags)) {
942                 TALLOC_FREE(dinfo->disp_info->enum_users);
943         }
944
945         if (dinfo->disp_info->enum_users == NULL) {
946                 dinfo->disp_info->enum_users = pdb_search_users(
947                         dinfo->disp_info, r->in.acct_flags);
948                 dinfo->disp_info->enum_acb_mask = r->in.acct_flags;
949         }
950
951         if (dinfo->disp_info->enum_users == NULL) {
952                 /* END AS ROOT !!!! */
953                 unbecome_root();
954                 return NT_STATUS_ACCESS_DENIED;
955         }
956
957         num_account = pdb_search_entries(dinfo->disp_info->enum_users,
958                                          enum_context, max_entries,
959                                          &entries);
960
961         /* END AS ROOT !!!! */
962
963         unbecome_root();
964
965         if (num_account == 0) {
966                 DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
967                           "total entries\n"));
968                 *r->out.resume_handle = *r->in.resume_handle;
969                 return NT_STATUS_OK;
970         }
971
972         status = make_user_sam_entry_list(p->mem_ctx, &samr_entries,
973                                           num_account, enum_context,
974                                           entries);
975         if (!NT_STATUS_IS_OK(status)) {
976                 return status;
977         }
978
979         if (max_entries <= num_account) {
980                 status = STATUS_MORE_ENTRIES;
981         } else {
982                 status = NT_STATUS_OK;
983         }
984
985         /* Ensure we cache this enumeration. */
986         set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
987
988         DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__));
989
990         samr_array->count = num_account;
991         samr_array->entries = samr_entries;
992
993         *r->out.resume_handle = *r->in.resume_handle + num_account;
994         *r->out.num_entries = num_account;
995
996         DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
997
998         return status;
999 }
1000
1001 /*******************************************************************
1002 makes a SAM_ENTRY / UNISTR2* structure from a group list.
1003 ********************************************************************/
1004
1005 static void make_group_sam_entry_list(TALLOC_CTX *ctx,
1006                                       struct samr_SamEntry **sam_pp,
1007                                       uint32_t num_sam_entries,
1008                                       struct samr_displayentry *entries)
1009 {
1010         struct samr_SamEntry *sam;
1011         uint32_t i;
1012
1013         *sam_pp = NULL;
1014
1015         if (num_sam_entries == 0) {
1016                 return;
1017         }
1018
1019         sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_sam_entries);
1020         if (sam == NULL) {
1021                 return;
1022         }
1023
1024         for (i = 0; i < num_sam_entries; i++) {
1025                 /*
1026                  * JRA. I think this should include the null. TNG does not.
1027                  */
1028                 init_lsa_String(&sam[i].name, entries[i].account_name);
1029                 sam[i].idx = entries[i].rid;
1030         }
1031
1032         *sam_pp = sam;
1033 }
1034
1035 /*******************************************************************
1036  _samr_EnumDomainGroups
1037  ********************************************************************/
1038
1039 NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
1040                                 struct samr_EnumDomainGroups *r)
1041 {
1042         NTSTATUS status;
1043         struct samr_domain_info *dinfo;
1044         struct samr_displayentry *groups;
1045         uint32 num_groups;
1046         struct samr_SamArray *samr_array = NULL;
1047         struct samr_SamEntry *samr_entries = NULL;
1048
1049         dinfo = policy_handle_find(p, r->in.domain_handle,
1050                                    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
1051                                    struct samr_domain_info, &status);
1052         if (!NT_STATUS_IS_OK(status)) {
1053                 return status;
1054         }
1055
1056         DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1057
1058         if (sid_check_is_builtin(&dinfo->sid)) {
1059                 /* No groups in builtin. */
1060                 *r->out.resume_handle = *r->in.resume_handle;
1061                 DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
1062                 return status;
1063         }
1064
1065         samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1066         if (!samr_array) {
1067                 return NT_STATUS_NO_MEMORY;
1068         }
1069
1070         /* the domain group array is being allocated in the function below */
1071
1072         become_root();
1073
1074         if (dinfo->disp_info->groups == NULL) {
1075                 dinfo->disp_info->groups = pdb_search_groups(dinfo->disp_info);
1076
1077                 if (dinfo->disp_info->groups == NULL) {
1078                         unbecome_root();
1079                         return NT_STATUS_ACCESS_DENIED;
1080                 }
1081         }
1082
1083         num_groups = pdb_search_entries(dinfo->disp_info->groups,
1084                                         *r->in.resume_handle,
1085                                         MAX_SAM_ENTRIES, &groups);
1086         unbecome_root();
1087
1088         /* Ensure we cache this enumeration. */
1089         set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
1090
1091         make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1092                                   num_groups, groups);
1093
1094         samr_array->count = num_groups;
1095         samr_array->entries = samr_entries;
1096
1097         *r->out.sam = samr_array;
1098         *r->out.num_entries = num_groups;
1099         *r->out.resume_handle = num_groups + *r->in.resume_handle;
1100
1101         DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1102
1103         return status;
1104 }
1105
1106 /*******************************************************************
1107  _samr_EnumDomainAliases
1108  ********************************************************************/
1109
1110 NTSTATUS _samr_EnumDomainAliases(pipes_struct *p,
1111                                  struct samr_EnumDomainAliases *r)
1112 {
1113         NTSTATUS status;
1114         struct samr_domain_info *dinfo;
1115         struct samr_displayentry *aliases;
1116         uint32 num_aliases = 0;
1117         struct samr_SamArray *samr_array = NULL;
1118         struct samr_SamEntry *samr_entries = NULL;
1119
1120         dinfo = policy_handle_find(p, r->in.domain_handle,
1121                                    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
1122                                    struct samr_domain_info, &status);
1123         if (!NT_STATUS_IS_OK(status)) {
1124                 return status;
1125         }
1126
1127         DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1128                  sid_string_dbg(&dinfo->sid)));
1129
1130         samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1131         if (!samr_array) {
1132                 return NT_STATUS_NO_MEMORY;
1133         }
1134
1135         become_root();
1136
1137         if (dinfo->disp_info->aliases == NULL) {
1138                 dinfo->disp_info->aliases = pdb_search_aliases(
1139                         dinfo->disp_info, &dinfo->sid);
1140                 if (dinfo->disp_info->aliases == NULL) {
1141                         unbecome_root();
1142                         return NT_STATUS_ACCESS_DENIED;
1143                 }
1144         }
1145
1146         num_aliases = pdb_search_entries(dinfo->disp_info->aliases,
1147                                          *r->in.resume_handle,
1148                                          MAX_SAM_ENTRIES, &aliases);
1149         unbecome_root();
1150
1151         /* Ensure we cache this enumeration. */
1152         set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
1153
1154         make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1155                                   num_aliases, aliases);
1156
1157         DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
1158
1159         samr_array->count = num_aliases;
1160         samr_array->entries = samr_entries;
1161
1162         *r->out.sam = samr_array;
1163         *r->out.num_entries = num_aliases;
1164         *r->out.resume_handle = num_aliases + *r->in.resume_handle;
1165
1166         return status;
1167 }
1168
1169 /*******************************************************************
1170  inits a samr_DispInfoGeneral structure.
1171 ********************************************************************/
1172
1173 static NTSTATUS init_samr_dispinfo_1(TALLOC_CTX *ctx,
1174                                      struct samr_DispInfoGeneral *r,
1175                                      uint32_t num_entries,
1176                                      uint32_t start_idx,
1177                                      struct samr_displayentry *entries)
1178 {
1179         uint32 i;
1180
1181         DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries));
1182
1183         if (num_entries == 0) {
1184                 return NT_STATUS_OK;
1185         }
1186
1187         r->count = num_entries;
1188
1189         r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryGeneral, num_entries);
1190         if (!r->entries) {
1191                 return NT_STATUS_NO_MEMORY;
1192         }
1193
1194         for (i = 0; i < num_entries ; i++) {
1195
1196                 init_lsa_String(&r->entries[i].account_name,
1197                                 entries[i].account_name);
1198
1199                 init_lsa_String(&r->entries[i].description,
1200                                 entries[i].description);
1201
1202                 init_lsa_String(&r->entries[i].full_name,
1203                                 entries[i].fullname);
1204
1205                 r->entries[i].rid = entries[i].rid;
1206                 r->entries[i].acct_flags = entries[i].acct_flags;
1207                 r->entries[i].idx = start_idx+i+1;
1208         }
1209
1210         return NT_STATUS_OK;
1211 }
1212
1213 /*******************************************************************
1214  inits a samr_DispInfoFull structure.
1215 ********************************************************************/
1216
1217 static NTSTATUS init_samr_dispinfo_2(TALLOC_CTX *ctx,
1218                                      struct samr_DispInfoFull *r,
1219                                      uint32_t num_entries,
1220                                      uint32_t start_idx,
1221                                      struct samr_displayentry *entries)
1222 {
1223         uint32_t i;
1224
1225         DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries));
1226
1227         if (num_entries == 0) {
1228                 return NT_STATUS_OK;
1229         }
1230
1231         r->count = num_entries;
1232
1233         r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFull, num_entries);
1234         if (!r->entries) {
1235                 return NT_STATUS_NO_MEMORY;
1236         }
1237
1238         for (i = 0; i < num_entries ; i++) {
1239
1240                 init_lsa_String(&r->entries[i].account_name,
1241                                 entries[i].account_name);
1242
1243                 init_lsa_String(&r->entries[i].description,
1244                                 entries[i].description);
1245
1246                 r->entries[i].rid = entries[i].rid;
1247                 r->entries[i].acct_flags = entries[i].acct_flags;
1248                 r->entries[i].idx = start_idx+i+1;
1249         }
1250
1251         return NT_STATUS_OK;
1252 }
1253
1254 /*******************************************************************
1255  inits a samr_DispInfoFullGroups structure.
1256 ********************************************************************/
1257
1258 static NTSTATUS init_samr_dispinfo_3(TALLOC_CTX *ctx,
1259                                      struct samr_DispInfoFullGroups *r,
1260                                      uint32_t num_entries,
1261                                      uint32_t start_idx,
1262                                      struct samr_displayentry *entries)
1263 {
1264         uint32_t i;
1265
1266         DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries));
1267
1268         if (num_entries == 0) {
1269                 return NT_STATUS_OK;
1270         }
1271
1272         r->count = num_entries;
1273
1274         r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFullGroup, num_entries);
1275         if (!r->entries) {
1276                 return NT_STATUS_NO_MEMORY;
1277         }
1278
1279         for (i = 0; i < num_entries ; i++) {
1280
1281                 init_lsa_String(&r->entries[i].account_name,
1282                                 entries[i].account_name);
1283
1284                 init_lsa_String(&r->entries[i].description,
1285                                 entries[i].description);
1286
1287                 r->entries[i].rid = entries[i].rid;
1288                 r->entries[i].acct_flags = entries[i].acct_flags;
1289                 r->entries[i].idx = start_idx+i+1;
1290         }
1291
1292         return NT_STATUS_OK;
1293 }
1294
1295 /*******************************************************************
1296  inits a samr_DispInfoAscii structure.
1297 ********************************************************************/
1298
1299 static NTSTATUS init_samr_dispinfo_4(TALLOC_CTX *ctx,
1300                                      struct samr_DispInfoAscii *r,
1301                                      uint32_t num_entries,
1302                                      uint32_t start_idx,
1303                                      struct samr_displayentry *entries)
1304 {
1305         uint32_t i;
1306
1307         DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries));
1308
1309         if (num_entries == 0) {
1310                 return NT_STATUS_OK;
1311         }
1312
1313         r->count = num_entries;
1314
1315         r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1316         if (!r->entries) {
1317                 return NT_STATUS_NO_MEMORY;
1318         }
1319
1320         for (i = 0; i < num_entries ; i++) {
1321
1322                 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1323                                           entries[i].account_name);
1324
1325                 r->entries[i].idx = start_idx+i+1;
1326         }
1327
1328         return NT_STATUS_OK;
1329 }
1330
1331 /*******************************************************************
1332  inits a samr_DispInfoAscii structure.
1333 ********************************************************************/
1334
1335 static NTSTATUS init_samr_dispinfo_5(TALLOC_CTX *ctx,
1336                                      struct samr_DispInfoAscii *r,
1337                                      uint32_t num_entries,
1338                                      uint32_t start_idx,
1339                                      struct samr_displayentry *entries)
1340 {
1341         uint32_t i;
1342
1343         DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries));
1344
1345         if (num_entries == 0) {
1346                 return NT_STATUS_OK;
1347         }
1348
1349         r->count = num_entries;
1350
1351         r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1352         if (!r->entries) {
1353                 return NT_STATUS_NO_MEMORY;
1354         }
1355
1356         for (i = 0; i < num_entries ; i++) {
1357
1358                 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1359                                           entries[i].account_name);
1360
1361                 r->entries[i].idx = start_idx+i+1;
1362         }
1363
1364         return NT_STATUS_OK;
1365 }
1366
1367 /*******************************************************************
1368  _samr_QueryDisplayInfo
1369  ********************************************************************/
1370
1371 NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
1372                                 struct samr_QueryDisplayInfo *r)
1373 {
1374         NTSTATUS status;
1375         struct samr_domain_info *dinfo;
1376         uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1377
1378         uint32 max_entries = r->in.max_entries;
1379         uint32 enum_context = r->in.start_idx;
1380         uint32 max_size = r->in.buf_size;
1381
1382         union samr_DispInfo *disp_info = r->out.info;
1383
1384         uint32 temp_size=0, total_data_size=0;
1385         NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
1386         uint32 num_account = 0;
1387         enum remote_arch_types ra_type = get_remote_arch();
1388         int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1389         struct samr_displayentry *entries = NULL;
1390
1391         DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__));
1392
1393         dinfo = policy_handle_find(p, r->in.domain_handle,
1394                                    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
1395                                    struct samr_domain_info, &status);
1396         if (!NT_STATUS_IS_OK(status)) {
1397                 return status;
1398         }
1399
1400         if (sid_check_is_builtin(&dinfo->sid)) {
1401                 DEBUG(5,("_samr_QueryDisplayInfo: no users in BUILTIN\n"));
1402                 return NT_STATUS_OK;
1403         }
1404
1405         /*
1406          * calculate how many entries we will return.
1407          * based on
1408          * - the number of entries the client asked
1409          * - our limit on that
1410          * - the starting point (enumeration context)
1411          * - the buffer size the client will accept
1412          */
1413
1414         /*
1415          * We are a lot more like W2K. Instead of reading the SAM
1416          * each time to find the records we need to send back,
1417          * we read it once and link that copy to the sam handle.
1418          * For large user list (over the MAX_SAM_ENTRIES)
1419          * it's a definitive win.
1420          * second point to notice: between enumerations
1421          * our sam is now the same as it's a snapshoot.
1422          * third point: got rid of the static SAM_USER_21 struct
1423          * no more intermediate.
1424          * con: it uses much more memory, as a full copy is stored
1425          * in memory.
1426          *
1427          * If you want to change it, think twice and think
1428          * of the second point , that's really important.
1429          *
1430          * JFM, 12/20/2001
1431          */
1432
1433         if ((r->in.level < 1) || (r->in.level > 5)) {
1434                 DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1435                          (unsigned int)r->in.level ));
1436                 return NT_STATUS_INVALID_INFO_CLASS;
1437         }
1438
1439         /* first limit the number of entries we will return */
1440         if(max_entries > max_sam_entries) {
1441                 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1442                           "entries, limiting to %d\n", max_entries,
1443                           max_sam_entries));
1444                 max_entries = max_sam_entries;
1445         }
1446
1447         /* calculate the size and limit on the number of entries we will
1448          * return */
1449
1450         temp_size=max_entries*struct_size;
1451
1452         if (temp_size>max_size) {
1453                 max_entries=MIN((max_size/struct_size),max_entries);;
1454                 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1455                           "only %d entries\n", max_entries));
1456         }
1457
1458         become_root();
1459
1460         /* THe following done as ROOT. Don't return without unbecome_root(). */
1461
1462         switch (r->in.level) {
1463         case 0x1:
1464         case 0x4:
1465                 if (dinfo->disp_info->users == NULL) {
1466                         dinfo->disp_info->users = pdb_search_users(
1467                                 dinfo->disp_info, ACB_NORMAL);
1468                         if (dinfo->disp_info->users == NULL) {
1469                                 unbecome_root();
1470                                 return NT_STATUS_ACCESS_DENIED;
1471                         }
1472                         DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1473                                 (unsigned  int)enum_context ));
1474                 } else {
1475                         DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1476                                 (unsigned  int)enum_context ));
1477                 }
1478
1479                 num_account = pdb_search_entries(dinfo->disp_info->users,
1480                                                  enum_context, max_entries,
1481                                                  &entries);
1482                 break;
1483         case 0x2:
1484                 if (dinfo->disp_info->machines == NULL) {
1485                         dinfo->disp_info->machines = pdb_search_users(
1486                                 dinfo->disp_info, ACB_WSTRUST|ACB_SVRTRUST);
1487                         if (dinfo->disp_info->machines == NULL) {
1488                                 unbecome_root();
1489                                 return NT_STATUS_ACCESS_DENIED;
1490                         }
1491                         DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1492                                 (unsigned  int)enum_context ));
1493                 } else {
1494                         DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1495                                 (unsigned  int)enum_context ));
1496                 }
1497
1498                 num_account = pdb_search_entries(dinfo->disp_info->machines,
1499                                                  enum_context, max_entries,
1500                                                  &entries);
1501                 break;
1502         case 0x3:
1503         case 0x5:
1504                 if (dinfo->disp_info->groups == NULL) {
1505                         dinfo->disp_info->groups = pdb_search_groups(
1506                                 dinfo->disp_info);
1507                         if (dinfo->disp_info->groups == NULL) {
1508                                 unbecome_root();
1509                                 return NT_STATUS_ACCESS_DENIED;
1510                         }
1511                         DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1512                                 (unsigned  int)enum_context ));
1513                 } else {
1514                         DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1515                                 (unsigned  int)enum_context ));
1516                 }
1517
1518                 num_account = pdb_search_entries(dinfo->disp_info->groups,
1519                                                  enum_context, max_entries,
1520                                                  &entries);
1521                 break;
1522         default:
1523                 unbecome_root();
1524                 smb_panic("info class changed");
1525                 break;
1526         }
1527         unbecome_root();
1528
1529
1530         /* Now create reply structure */
1531         switch (r->in.level) {
1532         case 0x1:
1533                 disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1,
1534                                                 num_account, enum_context,
1535                                                 entries);
1536                 break;
1537         case 0x2:
1538                 disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2,
1539                                                 num_account, enum_context,
1540                                                 entries);
1541                 break;
1542         case 0x3:
1543                 disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3,
1544                                                 num_account, enum_context,
1545                                                 entries);
1546                 break;
1547         case 0x4:
1548                 disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4,
1549                                                 num_account, enum_context,
1550                                                 entries);
1551                 break;
1552         case 0x5:
1553                 disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5,
1554                                                 num_account, enum_context,
1555                                                 entries);
1556                 break;
1557         default:
1558                 smb_panic("info class changed");
1559                 break;
1560         }
1561
1562         if (!NT_STATUS_IS_OK(disp_ret))
1563                 return disp_ret;
1564
1565         /* calculate the total size */
1566         total_data_size=num_account*struct_size;
1567
1568         if (max_entries <= num_account) {
1569                 status = STATUS_MORE_ENTRIES;
1570         } else {
1571                 status = NT_STATUS_OK;
1572         }
1573
1574         /* Ensure we cache this enumeration. */
1575         set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
1576
1577         DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__));
1578
1579         *r->out.total_size = total_data_size;
1580         *r->out.returned_size = temp_size;
1581
1582         return status;
1583 }
1584
1585 /****************************************************************
1586  _samr_QueryDisplayInfo2
1587 ****************************************************************/
1588
1589 NTSTATUS _samr_QueryDisplayInfo2(pipes_struct *p,
1590                                  struct samr_QueryDisplayInfo2 *r)
1591 {
1592         struct samr_QueryDisplayInfo q;
1593
1594         q.in.domain_handle      = r->in.domain_handle;
1595         q.in.level              = r->in.level;
1596         q.in.start_idx          = r->in.start_idx;
1597         q.in.max_entries        = r->in.max_entries;
1598         q.in.buf_size           = r->in.buf_size;
1599
1600         q.out.total_size        = r->out.total_size;
1601         q.out.returned_size     = r->out.returned_size;
1602         q.out.info              = r->out.info;
1603
1604         return _samr_QueryDisplayInfo(p, &q);
1605 }
1606
1607 /****************************************************************
1608  _samr_QueryDisplayInfo3
1609 ****************************************************************/
1610
1611 NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p,
1612                                  struct samr_QueryDisplayInfo3 *r)
1613 {
1614         struct samr_QueryDisplayInfo q;
1615
1616         q.in.domain_handle      = r->in.domain_handle;
1617         q.in.level              = r->in.level;
1618         q.in.start_idx          = r->in.start_idx;
1619         q.in.max_entries        = r->in.max_entries;
1620         q.in.buf_size           = r->in.buf_size;
1621
1622         q.out.total_size        = r->out.total_size;
1623         q.out.returned_size     = r->out.returned_size;
1624         q.out.info              = r->out.info;
1625
1626         return _samr_QueryDisplayInfo(p, &q);
1627 }
1628
1629 /*******************************************************************
1630  _samr_QueryAliasInfo
1631  ********************************************************************/
1632
1633 NTSTATUS _samr_QueryAliasInfo(pipes_struct *p,
1634                               struct samr_QueryAliasInfo *r)
1635 {
1636         struct samr_alias_info *ainfo;
1637         struct acct_info info;
1638         NTSTATUS status;
1639         union samr_AliasInfo *alias_info = NULL;
1640         const char *alias_name = NULL;
1641         const char *alias_description = NULL;
1642
1643         DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1644
1645         ainfo = policy_handle_find(p, r->in.alias_handle,
1646                                    SAMR_ALIAS_ACCESS_LOOKUP_INFO, NULL,
1647                                    struct samr_alias_info, &status);
1648         if (!NT_STATUS_IS_OK(status)) {
1649                 return status;
1650         }
1651
1652         alias_info = TALLOC_ZERO_P(p->mem_ctx, union samr_AliasInfo);
1653         if (!alias_info) {
1654                 return NT_STATUS_NO_MEMORY;
1655         }
1656
1657         become_root();
1658         status = pdb_get_aliasinfo(&ainfo->sid, &info);
1659         unbecome_root();
1660
1661         if ( !NT_STATUS_IS_OK(status))
1662                 return status;
1663
1664         /* FIXME: info contains fstrings */
1665         alias_name = talloc_strdup(r, info.acct_name);
1666         alias_description = talloc_strdup(r, info.acct_desc);
1667
1668         switch (r->in.level) {
1669         case ALIASINFOALL:
1670                 alias_info->all.name.string             = alias_name;
1671                 alias_info->all.num_members             = 1; /* ??? */
1672                 alias_info->all.description.string      = alias_description;
1673                 break;
1674         case ALIASINFONAME:
1675                 alias_info->name.string                 = alias_name;
1676                 break;
1677         case ALIASINFODESCRIPTION:
1678                 alias_info->description.string          = alias_description;
1679                 break;
1680         default:
1681                 return NT_STATUS_INVALID_INFO_CLASS;
1682         }
1683
1684         *r->out.info = alias_info;
1685
1686         DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1687
1688         return NT_STATUS_OK;
1689 }
1690
1691 /*******************************************************************
1692  _samr_LookupNames
1693  ********************************************************************/
1694
1695 NTSTATUS _samr_LookupNames(pipes_struct *p,
1696                            struct samr_LookupNames *r)
1697 {
1698         struct samr_domain_info *dinfo;
1699         NTSTATUS status;
1700         uint32 *rid;
1701         enum lsa_SidType *type;
1702         int i;
1703         int num_rids = r->in.num_names;
1704         struct samr_Ids rids, types;
1705         uint32_t num_mapped = 0;
1706
1707         DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1708
1709         dinfo = policy_handle_find(p, r->in.domain_handle,
1710                                    0 /* Don't know the acc_bits yet */, NULL,
1711                                    struct samr_domain_info, &status);
1712         if (!NT_STATUS_IS_OK(status)) {
1713                 return status;
1714         }
1715
1716         if (num_rids > MAX_SAM_ENTRIES) {
1717                 num_rids = MAX_SAM_ENTRIES;
1718                 DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids));
1719         }
1720
1721         rid = talloc_array(p->mem_ctx, uint32, num_rids);
1722         NT_STATUS_HAVE_NO_MEMORY(rid);
1723
1724         type = talloc_array(p->mem_ctx, enum lsa_SidType, num_rids);
1725         NT_STATUS_HAVE_NO_MEMORY(type);
1726
1727         DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1728                  sid_string_dbg(&dinfo->sid)));
1729
1730         for (i = 0; i < num_rids; i++) {
1731
1732                 status = NT_STATUS_NONE_MAPPED;
1733                 type[i] = SID_NAME_UNKNOWN;
1734
1735                 rid[i] = 0xffffffff;
1736
1737                 if (sid_check_is_builtin(&dinfo->sid)) {
1738                         if (lookup_builtin_name(r->in.names[i].string,
1739                                                 &rid[i]))
1740                         {
1741                                 type[i] = SID_NAME_ALIAS;
1742                         }
1743                 } else {
1744                         lookup_global_sam_name(r->in.names[i].string, 0,
1745                                                &rid[i], &type[i]);
1746                 }
1747
1748                 if (type[i] != SID_NAME_UNKNOWN) {
1749                         num_mapped++;
1750                 }
1751         }
1752
1753         if (num_mapped == num_rids) {
1754                 status = NT_STATUS_OK;
1755         } else if (num_mapped == 0) {
1756                 status = NT_STATUS_NONE_MAPPED;
1757         } else {
1758                 status = STATUS_SOME_UNMAPPED;
1759         }
1760
1761         rids.count = num_rids;
1762         rids.ids = rid;
1763
1764         types.count = num_rids;
1765         types.ids = type;
1766
1767         *r->out.rids = rids;
1768         *r->out.types = types;
1769
1770         DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1771
1772         return status;
1773 }
1774
1775 /****************************************************************
1776  _samr_ChangePasswordUser
1777 ****************************************************************/
1778
1779 NTSTATUS _samr_ChangePasswordUser(pipes_struct *p,
1780                                   struct samr_ChangePasswordUser *r)
1781 {
1782         NTSTATUS status;
1783         bool ret = false;
1784         struct samr_user_info *uinfo;
1785         struct samu *pwd;
1786         struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash;
1787         struct samr_Password lm_pwd, nt_pwd;
1788
1789         uinfo = policy_handle_find(p, r->in.user_handle,
1790                                    SAMR_USER_ACCESS_SET_PASSWORD, NULL,
1791                                    struct samr_user_info, &status);
1792         if (!NT_STATUS_IS_OK(status)) {
1793                 return status;
1794         }
1795
1796         DEBUG(5,("_samr_ChangePasswordUser: sid:%s\n",
1797                   sid_string_dbg(&uinfo->sid)));
1798
1799         if (!(pwd = samu_new(NULL))) {
1800                 return NT_STATUS_NO_MEMORY;
1801         }
1802
1803         become_root();
1804         ret = pdb_getsampwsid(pwd, &uinfo->sid);
1805         unbecome_root();
1806
1807         if (!ret) {
1808                 TALLOC_FREE(pwd);
1809                 return NT_STATUS_WRONG_PASSWORD;
1810         }
1811
1812         {
1813                 const uint8_t *lm_pass, *nt_pass;
1814
1815                 lm_pass = pdb_get_lanman_passwd(pwd);
1816                 nt_pass = pdb_get_nt_passwd(pwd);
1817
1818                 if (!lm_pass || !nt_pass) {
1819                         status = NT_STATUS_WRONG_PASSWORD;
1820                         goto out;
1821                 }
1822
1823                 memcpy(&lm_pwd.hash, lm_pass, sizeof(lm_pwd.hash));
1824                 memcpy(&nt_pwd.hash, nt_pass, sizeof(nt_pwd.hash));
1825         }
1826
1827         /* basic sanity checking on parameters.  Do this before any database ops */
1828         if (!r->in.lm_present || !r->in.nt_present ||
1829             !r->in.old_lm_crypted || !r->in.new_lm_crypted ||
1830             !r->in.old_nt_crypted || !r->in.new_nt_crypted) {
1831                 /* we should really handle a change with lm not
1832                    present */
1833                 status = NT_STATUS_INVALID_PARAMETER_MIX;
1834                 goto out;
1835         }
1836
1837         /* decrypt and check the new lm hash */
1838         D_P16(lm_pwd.hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash);
1839         D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash);
1840         if (memcmp(checkHash.hash, lm_pwd.hash, 16) != 0) {
1841                 status = NT_STATUS_WRONG_PASSWORD;
1842                 goto out;
1843         }
1844
1845         /* decrypt and check the new nt hash */
1846         D_P16(nt_pwd.hash, r->in.new_nt_crypted->hash, new_ntPwdHash.hash);
1847         D_P16(new_ntPwdHash.hash, r->in.old_nt_crypted->hash, checkHash.hash);
1848         if (memcmp(checkHash.hash, nt_pwd.hash, 16) != 0) {
1849                 status = NT_STATUS_WRONG_PASSWORD;
1850                 goto out;
1851         }
1852
1853         /* The NT Cross is not required by Win2k3 R2, but if present
1854            check the nt cross hash */
1855         if (r->in.cross1_present && r->in.nt_cross) {
1856                 D_P16(lm_pwd.hash, r->in.nt_cross->hash, checkHash.hash);
1857                 if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
1858                         status = NT_STATUS_WRONG_PASSWORD;
1859                         goto out;
1860                 }
1861         }
1862
1863         /* The LM Cross is not required by Win2k3 R2, but if present
1864            check the lm cross hash */
1865         if (r->in.cross2_present && r->in.lm_cross) {
1866                 D_P16(nt_pwd.hash, r->in.lm_cross->hash, checkHash.hash);
1867                 if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
1868                         status = NT_STATUS_WRONG_PASSWORD;
1869                         goto out;
1870                 }
1871         }
1872
1873         if (!pdb_set_nt_passwd(pwd, new_ntPwdHash.hash, PDB_CHANGED) ||
1874             !pdb_set_lanman_passwd(pwd, new_lmPwdHash.hash, PDB_CHANGED)) {
1875                 status = NT_STATUS_ACCESS_DENIED;
1876                 goto out;
1877         }
1878
1879         status = pdb_update_sam_account(pwd);
1880  out:
1881         TALLOC_FREE(pwd);
1882
1883         return status;
1884 }
1885
1886 /*******************************************************************
1887  _samr_ChangePasswordUser2
1888  ********************************************************************/
1889
1890 NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
1891                                    struct samr_ChangePasswordUser2 *r)
1892 {
1893         NTSTATUS status;
1894         fstring user_name;
1895         fstring wks;
1896
1897         DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1898
1899         fstrcpy(user_name, r->in.account->string);
1900         fstrcpy(wks, r->in.server->string);
1901
1902         DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
1903
1904         /*
1905          * Pass the user through the NT -> unix user mapping
1906          * function.
1907          */
1908
1909         (void)map_username(user_name);
1910
1911         /*
1912          * UNIX username case mangling not required, pass_oem_change
1913          * is case insensitive.
1914          */
1915
1916         status = pass_oem_change(user_name,
1917                                  r->in.lm_password->data,
1918                                  r->in.lm_verifier->hash,
1919                                  r->in.nt_password->data,
1920                                  r->in.nt_verifier->hash,
1921                                  NULL);
1922
1923         DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1924
1925         if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1926                 return NT_STATUS_WRONG_PASSWORD;
1927         }
1928
1929         return status;
1930 }
1931
1932 /****************************************************************
1933  _samr_OemChangePasswordUser2
1934 ****************************************************************/
1935
1936 NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
1937                                       struct samr_OemChangePasswordUser2 *r)
1938 {
1939         NTSTATUS status;
1940         fstring user_name;
1941         const char *wks = NULL;
1942
1943         DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__));
1944
1945         fstrcpy(user_name, r->in.account->string);
1946         if (r->in.server && r->in.server->string) {
1947                 wks = r->in.server->string;
1948         }
1949
1950         DEBUG(5,("_samr_OemChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
1951
1952         /*
1953          * Pass the user through the NT -> unix user mapping
1954          * function.
1955          */
1956
1957         (void)map_username(user_name);
1958
1959         /*
1960          * UNIX username case mangling not required, pass_oem_change
1961          * is case insensitive.
1962          */
1963
1964         if (!r->in.hash || !r->in.password) {
1965                 return NT_STATUS_INVALID_PARAMETER;
1966         }
1967
1968         status = pass_oem_change(user_name,
1969                                  r->in.password->data,
1970                                  r->in.hash->hash,
1971                                  0,
1972                                  0,
1973                                  NULL);
1974
1975         if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1976                 return NT_STATUS_WRONG_PASSWORD;
1977         }
1978
1979         DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__));
1980
1981         return status;
1982 }
1983
1984 /*******************************************************************
1985  _samr_ChangePasswordUser3
1986  ********************************************************************/
1987
1988 NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
1989                                    struct samr_ChangePasswordUser3 *r)
1990 {
1991         NTSTATUS status;
1992         fstring user_name;
1993         const char *wks = NULL;
1994         uint32 reject_reason;
1995         struct samr_DomInfo1 *dominfo = NULL;
1996         struct samr_ChangeReject *reject = NULL;
1997         uint32_t tmp;
1998
1999         DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
2000
2001         fstrcpy(user_name, r->in.account->string);
2002         if (r->in.server && r->in.server->string) {
2003                 wks = r->in.server->string;
2004         }
2005
2006         DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name, wks));
2007
2008         /*
2009          * Pass the user through the NT -> unix user mapping
2010          * function.
2011          */
2012
2013         (void)map_username(user_name);
2014
2015         /*
2016          * UNIX username case mangling not required, pass_oem_change
2017          * is case insensitive.
2018          */
2019
2020         status = pass_oem_change(user_name,
2021                                  r->in.lm_password->data,
2022                                  r->in.lm_verifier->hash,
2023                                  r->in.nt_password->data,
2024                                  r->in.nt_verifier->hash,
2025                                  &reject_reason);
2026         if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
2027                 return NT_STATUS_WRONG_PASSWORD;
2028         }
2029
2030         if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) ||
2031             NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_RESTRICTION)) {
2032
2033                 time_t u_expire, u_min_age;
2034                 uint32 account_policy_temp;
2035
2036                 dominfo = TALLOC_ZERO_P(p->mem_ctx, struct samr_DomInfo1);
2037                 if (!dominfo) {
2038                         return NT_STATUS_NO_MEMORY;
2039                 }
2040
2041                 reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject);
2042                 if (!reject) {
2043                         return NT_STATUS_NO_MEMORY;
2044                 }
2045
2046                 become_root();
2047
2048                 /* AS ROOT !!! */
2049
2050                 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &tmp);
2051                 dominfo->min_password_length = tmp;
2052
2053                 pdb_get_account_policy(AP_PASSWORD_HISTORY, &tmp);
2054                 dominfo->password_history_length = tmp;
2055
2056                 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
2057                                        &dominfo->password_properties);
2058
2059                 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
2060                 u_expire = account_policy_temp;
2061
2062                 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
2063                 u_min_age = account_policy_temp;
2064
2065                 /* !AS ROOT */
2066
2067                 unbecome_root();
2068
2069                 unix_to_nt_time_abs((NTTIME *)&dominfo->max_password_age, u_expire);
2070                 unix_to_nt_time_abs((NTTIME *)&dominfo->min_password_age, u_min_age);
2071
2072                 if (lp_check_password_script() && *lp_check_password_script()) {
2073                         dominfo->password_properties |= DOMAIN_PASSWORD_COMPLEX;
2074                 }
2075
2076                 reject->reason = reject_reason;
2077
2078                 *r->out.dominfo = dominfo;
2079                 *r->out.reject = reject;
2080         }
2081
2082         DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
2083
2084         return status;
2085 }
2086
2087 /*******************************************************************
2088 makes a SAMR_R_LOOKUP_RIDS structure.
2089 ********************************************************************/
2090
2091 static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
2092                                   const char **names,
2093                                   struct lsa_String **lsa_name_array_p)
2094 {
2095         struct lsa_String *lsa_name_array = NULL;
2096         uint32_t i;
2097
2098         *lsa_name_array_p = NULL;
2099
2100         if (num_names != 0) {
2101                 lsa_name_array = TALLOC_ZERO_ARRAY(ctx, struct lsa_String, num_names);
2102                 if (!lsa_name_array) {
2103                         return false;
2104                 }
2105         }
2106
2107         for (i = 0; i < num_names; i++) {
2108                 DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : ""));
2109                 init_lsa_String(&lsa_name_array[i], names[i]);
2110         }
2111
2112         *lsa_name_array_p = lsa_name_array;
2113
2114         return true;
2115 }
2116
2117 /*******************************************************************
2118  _samr_LookupRids
2119  ********************************************************************/
2120
2121 NTSTATUS _samr_LookupRids(pipes_struct *p,
2122                           struct samr_LookupRids *r)
2123 {
2124         struct samr_domain_info *dinfo;
2125         NTSTATUS status;
2126         const char **names;
2127         enum lsa_SidType *attrs = NULL;
2128         uint32 *wire_attrs = NULL;
2129         int num_rids = (int)r->in.num_rids;
2130         int i;
2131         struct lsa_Strings names_array;
2132         struct samr_Ids types_array;
2133         struct lsa_String *lsa_names = NULL;
2134
2135         DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2136
2137         dinfo = policy_handle_find(p, r->in.domain_handle,
2138                                    0 /* Don't know the acc_bits yet */, NULL,
2139                                    struct samr_domain_info, &status);
2140         if (!NT_STATUS_IS_OK(status)) {
2141                 return status;
2142         }
2143
2144         if (num_rids > 1000) {
2145                 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
2146                           "to samba4 idl this is not possible\n", num_rids));
2147                 return NT_STATUS_UNSUCCESSFUL;
2148         }
2149
2150         if (num_rids) {
2151                 names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
2152                 attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum lsa_SidType, num_rids);
2153                 wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
2154
2155                 if ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))
2156                         return NT_STATUS_NO_MEMORY;
2157         } else {
2158                 names = NULL;
2159                 attrs = NULL;
2160                 wire_attrs = NULL;
2161         }
2162
2163         become_root();  /* lookup_sid can require root privs */
2164         status = pdb_lookup_rids(&dinfo->sid, num_rids, r->in.rids,
2165                                  names, attrs);
2166         unbecome_root();
2167
2168         if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) && (num_rids == 0)) {
2169                 status = NT_STATUS_OK;
2170         }
2171
2172         if (!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
2173                                    &lsa_names)) {
2174                 return NT_STATUS_NO_MEMORY;
2175         }
2176
2177         /* Convert from enum lsa_SidType to uint32 for wire format. */
2178         for (i = 0; i < num_rids; i++) {
2179                 wire_attrs[i] = (uint32)attrs[i];
2180         }
2181
2182         names_array.count = num_rids;
2183         names_array.names = lsa_names;
2184
2185         types_array.count = num_rids;
2186         types_array.ids = wire_attrs;
2187
2188         *r->out.names = names_array;
2189         *r->out.types = types_array;
2190
2191         DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2192
2193         return status;
2194 }
2195
2196 /*******************************************************************
2197  _samr_OpenUser
2198 ********************************************************************/
2199
2200 NTSTATUS _samr_OpenUser(pipes_struct *p,
2201                         struct samr_OpenUser *r)
2202 {
2203         struct samu *sampass=NULL;
2204         DOM_SID sid;
2205         struct samr_domain_info *dinfo;
2206         struct samr_user_info *uinfo;
2207         SEC_DESC *psd = NULL;
2208         uint32    acc_granted;
2209         uint32    des_access = r->in.access_mask;
2210         size_t    sd_size;
2211         bool ret;
2212         NTSTATUS nt_status;
2213         SE_PRIV se_rights;
2214         NTSTATUS status;
2215
2216         dinfo = policy_handle_find(p, r->in.domain_handle,
2217                                    SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, NULL,
2218                                    struct samr_domain_info, &status);
2219         if (!NT_STATUS_IS_OK(status)) {
2220                 return status;
2221         }
2222
2223         if ( !(sampass = samu_new( p->mem_ctx )) ) {
2224                 return NT_STATUS_NO_MEMORY;
2225         }
2226
2227         /* append the user's RID to it */
2228
2229         if (!sid_compose(&sid, &dinfo->sid, r->in.rid))
2230                 return NT_STATUS_NO_SUCH_USER;
2231
2232         /* check if access can be granted as requested by client. */
2233
2234         map_max_allowed_access(p->server_info->ptok, &des_access);
2235
2236         make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
2237         se_map_generic(&des_access, &usr_generic_mapping);
2238
2239         se_priv_copy( &se_rights, &se_machine_account );
2240         se_priv_add( &se_rights, &se_add_users );
2241
2242         nt_status = access_check_samr_object(psd, p->server_info->ptok,
2243                 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
2244                 &acc_granted, "_samr_OpenUser");
2245
2246         if ( !NT_STATUS_IS_OK(nt_status) )
2247                 return nt_status;
2248
2249         become_root();
2250         ret=pdb_getsampwsid(sampass, &sid);
2251         unbecome_root();
2252
2253         /* check that the SID exists in our domain. */
2254         if (ret == False) {
2255                 return NT_STATUS_NO_SUCH_USER;
2256         }
2257
2258         TALLOC_FREE(sampass);
2259
2260         uinfo = policy_handle_create(p, r->out.user_handle, acc_granted,
2261                                      struct samr_user_info, &nt_status);
2262         if (!NT_STATUS_IS_OK(nt_status)) {
2263                 return nt_status;
2264         }
2265         uinfo->sid = sid;
2266
2267         return NT_STATUS_OK;
2268 }
2269
2270 /*************************************************************************
2271  *************************************************************************/
2272
2273 static NTSTATUS init_samr_parameters_string(TALLOC_CTX *mem_ctx,
2274                                             DATA_BLOB *blob,
2275                                             struct lsa_BinaryString **_r)
2276 {
2277         struct lsa_BinaryString *r;
2278
2279         if (!blob || !_r) {
2280                 return NT_STATUS_INVALID_PARAMETER;
2281         }
2282
2283         r = TALLOC_ZERO_P(mem_ctx, struct lsa_BinaryString);
2284         if (!r) {
2285                 return NT_STATUS_NO_MEMORY;
2286         }
2287
2288         r->array = TALLOC_ZERO_ARRAY(mem_ctx, uint16_t, blob->length/2);
2289         if (!r->array) {
2290                 return NT_STATUS_NO_MEMORY;
2291         }
2292         memcpy(r->array, blob->data, blob->length);
2293         r->size = blob->length;
2294         r->length = blob->length;
2295
2296         if (!r->array) {
2297                 return NT_STATUS_NO_MEMORY;
2298         }
2299
2300         *_r = r;
2301
2302         return NT_STATUS_OK;
2303 }
2304
2305 /*************************************************************************
2306  get_user_info_1.
2307  *************************************************************************/
2308
2309 static NTSTATUS get_user_info_1(TALLOC_CTX *mem_ctx,
2310                                 struct samr_UserInfo1 *r,
2311                                 struct samu *pw,
2312                                 DOM_SID *domain_sid)
2313 {
2314         const DOM_SID *sid_group;
2315         uint32_t primary_gid;
2316
2317         become_root();
2318         sid_group = pdb_get_group_sid(pw);
2319         unbecome_root();
2320
2321         if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2322                 DEBUG(0, ("get_user_info_1: User %s has Primary Group SID %s, \n"
2323                           "which conflicts with the domain sid %s.  Failing operation.\n",
2324                           pdb_get_username(pw), sid_string_dbg(sid_group),
2325                           sid_string_dbg(domain_sid)));
2326                 return NT_STATUS_UNSUCCESSFUL;
2327         }
2328
2329         r->account_name.string          = talloc_strdup(mem_ctx, pdb_get_username(pw));
2330         r->full_name.string             = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2331         r->primary_gid                  = primary_gid;
2332         r->description.string           = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2333         r->comment.string               = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2334
2335         return NT_STATUS_OK;
2336 }
2337
2338 /*************************************************************************
2339  get_user_info_2.
2340  *************************************************************************/
2341
2342 static NTSTATUS get_user_info_2(TALLOC_CTX *mem_ctx,
2343                                 struct samr_UserInfo2 *r,
2344                                 struct samu *pw)
2345 {
2346         r->comment.string               = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2347         r->unknown.string               = NULL;
2348         r->country_code                 = 0;
2349         r->code_page                    = 0;
2350
2351         return NT_STATUS_OK;
2352 }
2353
2354 /*************************************************************************
2355  get_user_info_3.
2356  *************************************************************************/
2357
2358 static NTSTATUS get_user_info_3(TALLOC_CTX *mem_ctx,
2359                                 struct samr_UserInfo3 *r,
2360                                 struct samu *pw,
2361                                 DOM_SID *domain_sid)
2362 {
2363         const DOM_SID *sid_user, *sid_group;
2364         uint32_t rid, primary_gid;
2365
2366         sid_user = pdb_get_user_sid(pw);
2367
2368         if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2369                 DEBUG(0, ("get_user_info_3: User %s has SID %s, \nwhich conflicts with "
2370                           "the domain sid %s.  Failing operation.\n",
2371                           pdb_get_username(pw), sid_string_dbg(sid_user),
2372                           sid_string_dbg(domain_sid)));
2373                 return NT_STATUS_UNSUCCESSFUL;
2374         }
2375
2376         become_root();
2377         sid_group = pdb_get_group_sid(pw);
2378         unbecome_root();
2379
2380         if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2381                 DEBUG(0, ("get_user_info_3: User %s has Primary Group SID %s, \n"
2382                           "which conflicts with the domain sid %s.  Failing operation.\n",
2383                           pdb_get_username(pw), sid_string_dbg(sid_group),
2384                           sid_string_dbg(domain_sid)));
2385                 return NT_STATUS_UNSUCCESSFUL;
2386         }
2387
2388         unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2389         unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2390         unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2391         unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw));
2392         unix_to_nt_time(&r->force_password_change, pdb_get_pass_must_change_time(pw));
2393
2394         r->account_name.string  = talloc_strdup(mem_ctx, pdb_get_username(pw));
2395         r->full_name.string     = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2396         r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2397         r->home_drive.string    = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2398         r->logon_script.string  = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2399         r->profile_path.string  = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2400         r->workstations.string  = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2401
2402         r->logon_hours          = get_logon_hours_from_pdb(mem_ctx, pw);
2403         r->rid                  = rid;
2404         r->primary_gid          = primary_gid;
2405         r->acct_flags           = pdb_get_acct_ctrl(pw);
2406         r->bad_password_count   = pdb_get_bad_password_count(pw);
2407         r->logon_count          = pdb_get_logon_count(pw);
2408
2409         return NT_STATUS_OK;
2410 }
2411
2412 /*************************************************************************
2413  get_user_info_4.
2414  *************************************************************************/
2415
2416 static NTSTATUS get_user_info_4(TALLOC_CTX *mem_ctx,
2417                                 struct samr_UserInfo4 *r,
2418                                 struct samu *pw)
2419 {
2420         r->logon_hours          = get_logon_hours_from_pdb(mem_ctx, pw);
2421
2422         return NT_STATUS_OK;
2423 }
2424
2425 /*************************************************************************
2426  get_user_info_5.
2427  *************************************************************************/
2428
2429 static NTSTATUS get_user_info_5(TALLOC_CTX *mem_ctx,
2430                                 struct samr_UserInfo5 *r,
2431                                 struct samu *pw,
2432                                 DOM_SID *domain_sid)
2433 {
2434         const DOM_SID *sid_user, *sid_group;
2435         uint32_t rid, primary_gid;
2436
2437         sid_user = pdb_get_user_sid(pw);
2438
2439         if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2440                 DEBUG(0, ("get_user_info_5: User %s has SID %s, \nwhich conflicts with "
2441                           "the domain sid %s.  Failing operation.\n",
2442                           pdb_get_username(pw), sid_string_dbg(sid_user),
2443                           sid_string_dbg(domain_sid)));
2444                 return NT_STATUS_UNSUCCESSFUL;
2445         }
2446
2447         become_root();
2448         sid_group = pdb_get_group_sid(pw);
2449         unbecome_root();
2450
2451         if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2452                 DEBUG(0, ("get_user_info_5: User %s has Primary Group SID %s, \n"
2453                           "which conflicts with the domain sid %s.  Failing operation.\n",
2454                           pdb_get_username(pw), sid_string_dbg(sid_group),
2455                           sid_string_dbg(domain_sid)));
2456                 return NT_STATUS_UNSUCCESSFUL;
2457         }
2458
2459         unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2460         unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2461         unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2462         unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2463
2464         r->account_name.string  = talloc_strdup(mem_ctx, pdb_get_username(pw));
2465         r->full_name.string     = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2466         r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2467         r->home_drive.string    = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2468         r->logon_script.string  = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2469         r->profile_path.string  = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2470         r->description.string   = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2471         r->workstations.string  = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2472
2473         r->logon_hours          = get_logon_hours_from_pdb(mem_ctx, pw);
2474         r->rid                  = rid;
2475         r->primary_gid          = primary_gid;
2476         r->acct_flags           = pdb_get_acct_ctrl(pw);
2477         r->bad_password_count   = pdb_get_bad_password_count(pw);
2478         r->logon_count          = pdb_get_logon_count(pw);
2479
2480         return NT_STATUS_OK;
2481 }
2482
2483 /*************************************************************************
2484  get_user_info_6.
2485  *************************************************************************/
2486
2487 static NTSTATUS get_user_info_6(TALLOC_CTX *mem_ctx,
2488                                 struct samr_UserInfo6 *r,
2489                                 struct samu *pw)
2490 {
2491         r->account_name.string  = talloc_strdup(mem_ctx, pdb_get_username(pw));
2492         r->full_name.string     = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2493
2494         return NT_STATUS_OK;
2495 }
2496
2497 /*************************************************************************
2498  get_user_info_7. Safe. Only gives out account_name.
2499  *************************************************************************/
2500
2501 static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx,
2502                                 struct samr_UserInfo7 *r,
2503                                 struct samu *smbpass)
2504 {
2505         r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(smbpass));
2506         if (!r->account_name.string) {
2507                 return NT_STATUS_NO_MEMORY;
2508         }
2509
2510         return NT_STATUS_OK;
2511 }
2512
2513 /*************************************************************************
2514  get_user_info_8.
2515  *************************************************************************/
2516
2517 static NTSTATUS get_user_info_8(TALLOC_CTX *mem_ctx,
2518                                 struct samr_UserInfo8 *r,
2519                                 struct samu *pw)
2520 {
2521         r->full_name.string     = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2522
2523         return NT_STATUS_OK;
2524 }
2525
2526 /*************************************************************************
2527  get_user_info_9. Only gives out primary group SID.
2528  *************************************************************************/
2529
2530 static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx,
2531                                 struct samr_UserInfo9 *r,
2532                                 struct samu *smbpass)
2533 {
2534         r->primary_gid = pdb_get_group_rid(smbpass);
2535
2536         return NT_STATUS_OK;
2537 }
2538
2539 /*************************************************************************
2540  get_user_info_10.
2541  *************************************************************************/
2542
2543 static NTSTATUS get_user_info_10(TALLOC_CTX *mem_ctx,
2544                                  struct samr_UserInfo10 *r,
2545                                  struct samu *pw)
2546 {
2547         r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2548         r->home_drive.string    = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2549
2550         return NT_STATUS_OK;
2551 }
2552
2553 /*************************************************************************
2554  get_user_info_11.
2555  *************************************************************************/
2556
2557 static NTSTATUS get_user_info_11(TALLOC_CTX *mem_ctx,
2558                                  struct samr_UserInfo11 *r,
2559                                  struct samu *pw)
2560 {
2561         r->logon_script.string  = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2562
2563         return NT_STATUS_OK;
2564 }
2565
2566 /*************************************************************************
2567  get_user_info_12.
2568  *************************************************************************/
2569
2570 static NTSTATUS get_user_info_12(TALLOC_CTX *mem_ctx,
2571                                  struct samr_UserInfo12 *r,
2572                                  struct samu *pw)
2573 {
2574         r->profile_path.string  = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2575
2576         return NT_STATUS_OK;
2577 }
2578
2579 /*************************************************************************
2580  get_user_info_13.
2581  *************************************************************************/
2582
2583 static NTSTATUS get_user_info_13(TALLOC_CTX *mem_ctx,
2584                                  struct samr_UserInfo13 *r,
2585                                  struct samu *pw)
2586 {
2587         r->description.string   = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2588
2589         return NT_STATUS_OK;
2590 }
2591
2592 /*************************************************************************
2593  get_user_info_14.
2594  *************************************************************************/
2595
2596 static NTSTATUS get_user_info_14(TALLOC_CTX *mem_ctx,
2597                                  struct samr_UserInfo14 *r,
2598                                  struct samu *pw)
2599 {
2600         r->workstations.string  = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2601
2602         return NT_STATUS_OK;
2603 }
2604
2605 /*************************************************************************
2606  get_user_info_16. Safe. Only gives out acb bits.
2607  *************************************************************************/
2608
2609 static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx,
2610                                  struct samr_UserInfo16 *r,
2611                                  struct samu *smbpass)
2612 {
2613         r->acct_flags = pdb_get_acct_ctrl(smbpass);
2614
2615         return NT_STATUS_OK;
2616 }
2617
2618 /*************************************************************************
2619  get_user_info_17.
2620  *************************************************************************/
2621
2622 static NTSTATUS get_user_info_17(TALLOC_CTX *mem_ctx,
2623                                  struct samr_UserInfo17 *r,
2624                                  struct samu *pw)
2625 {
2626         unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2627
2628         return NT_STATUS_OK;
2629 }
2630
2631 /*************************************************************************
2632  get_user_info_18. OK - this is the killer as it gives out password info.
2633  Ensure that this is only allowed on an encrypted connection with a root
2634  user. JRA.
2635  *************************************************************************/
2636
2637 static NTSTATUS get_user_info_18(pipes_struct *p,
2638                                  TALLOC_CTX *mem_ctx,
2639                                  struct samr_UserInfo18 *r,
2640                                  DOM_SID *user_sid)
2641 {
2642         struct samu *smbpass=NULL;
2643         bool ret;
2644
2645         ZERO_STRUCTP(r);
2646
2647         if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
2648                 return NT_STATUS_ACCESS_DENIED;
2649         }
2650
2651         if (p->auth.auth_level != PIPE_AUTH_LEVEL_PRIVACY) {
2652                 return NT_STATUS_ACCESS_DENIED;
2653         }
2654
2655         /*
2656          * Do *NOT* do become_root()/unbecome_root() here ! JRA.
2657          */
2658
2659         if ( !(smbpass = samu_new( mem_ctx )) ) {
2660                 return NT_STATUS_NO_MEMORY;
2661         }
2662
2663         ret = pdb_getsampwsid(smbpass, user_sid);
2664
2665         if (ret == False) {
2666                 DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid)));
2667                 TALLOC_FREE(smbpass);
2668                 return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
2669         }
2670
2671         DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
2672
2673         if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
2674                 TALLOC_FREE(smbpass);
2675                 return NT_STATUS_ACCOUNT_DISABLED;
2676         }
2677
2678         r->lm_pwd_active = true;
2679         r->nt_pwd_active = true;
2680         memcpy(r->lm_pwd.hash, pdb_get_lanman_passwd(smbpass), 16);
2681         memcpy(r->nt_pwd.hash, pdb_get_nt_passwd(smbpass), 16);
2682         r->password_expired = 0; /* FIXME */
2683
2684         TALLOC_FREE(smbpass);
2685
2686         return NT_STATUS_OK;
2687 }
2688
2689 /*************************************************************************
2690  get_user_info_20
2691  *************************************************************************/
2692
2693 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx,
2694                                  struct samr_UserInfo20 *r,
2695                                  struct samu *sampass)
2696 {
2697         const char *munged_dial = NULL;
2698         DATA_BLOB blob;
2699         NTSTATUS status;
2700         struct lsa_BinaryString *parameters = NULL;
2701
2702         ZERO_STRUCTP(r);
2703
2704         munged_dial = pdb_get_munged_dial(sampass);
2705
2706         DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass),
2707                 munged_dial, (int)strlen(munged_dial)));
2708
2709         if (munged_dial) {
2710                 blob = base64_decode_data_blob(munged_dial);
2711         } else {
2712                 blob = data_blob_string_const_null("");
2713         }
2714
2715         status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2716         data_blob_free(&blob);
2717         if (!NT_STATUS_IS_OK(status)) {
2718                 return status;
2719         }
2720
2721         r->parameters = *parameters;
2722
2723         return NT_STATUS_OK;
2724 }
2725
2726
2727 /*************************************************************************
2728  get_user_info_21
2729  *************************************************************************/
2730
2731 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx,
2732                                  struct samr_UserInfo21 *r,
2733                                  struct samu *pw,
2734                                  DOM_SID *domain_sid)
2735 {
2736         NTSTATUS status;
2737         const DOM_SID *sid_user, *sid_group;
2738         uint32_t rid, primary_gid;
2739         NTTIME force_password_change;
2740         time_t must_change_time;
2741         struct lsa_BinaryString *parameters = NULL;
2742         const char *munged_dial = NULL;
2743         DATA_BLOB blob;
2744
2745         ZERO_STRUCTP(r);
2746
2747         sid_user = pdb_get_user_sid(pw);
2748
2749         if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2750                 DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2751                           "the domain sid %s.  Failing operation.\n",
2752                           pdb_get_username(pw), sid_string_dbg(sid_user),
2753                           sid_string_dbg(domain_sid)));
2754                 return NT_STATUS_UNSUCCESSFUL;
2755         }
2756
2757         become_root();
2758         sid_group = pdb_get_group_sid(pw);
2759         unbecome_root();
2760
2761         if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2762                 DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2763                           "which conflicts with the domain sid %s.  Failing operation.\n",
2764                           pdb_get_username(pw), sid_string_dbg(sid_group),
2765                           sid_string_dbg(domain_sid)));
2766                 return NT_STATUS_UNSUCCESSFUL;
2767         }
2768
2769         unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2770         unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2771         unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2772         unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2773         unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw));
2774
2775         must_change_time = pdb_get_pass_must_change_time(pw);
2776         if (must_change_time == get_time_t_max()) {
2777                 unix_to_nt_time_abs(&force_password_change, must_change_time);
2778         } else {
2779                 unix_to_nt_time(&force_password_change, must_change_time);
2780         }
2781
2782         munged_dial = pdb_get_munged_dial(pw);
2783         if (munged_dial) {
2784                 blob = base64_decode_data_blob(munged_dial);
2785         } else {
2786                 blob = data_blob_string_const_null("");
2787         }
2788
2789         status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2790         data_blob_free(&blob);
2791         if (!NT_STATUS_IS_OK(status)) {
2792                 return status;
2793         }
2794
2795         r->force_password_change        = force_password_change;
2796
2797         r->account_name.string          = talloc_strdup(mem_ctx, pdb_get_username(pw));
2798         r->full_name.string             = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2799         r->home_directory.string        = talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2800         r->home_drive.string            = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2801         r->logon_script.string          = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2802         r->profile_path.string          = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2803         r->description.string           = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2804         r->workstations.string          = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2805         r->comment.string               = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2806
2807         r->logon_hours                  = get_logon_hours_from_pdb(mem_ctx, pw);
2808         r->parameters                   = *parameters;
2809         r->rid                          = rid;
2810         r->primary_gid                  = primary_gid;
2811         r->acct_flags                   = pdb_get_acct_ctrl(pw);
2812         r->bad_password_count           = pdb_get_bad_password_count(pw);
2813         r->logon_count                  = pdb_get_logon_count(pw);
2814         r->fields_present               = pdb_build_fields_present(pw);
2815         r->password_expired             = (pdb_get_pass_must_change_time(pw) == 0) ?
2816                                                 PASS_MUST_CHANGE_AT_NEXT_LOGON : 0;
2817         r->country_code                 = 0;
2818         r->code_page                    = 0;
2819         r->lm_password_set              = 0;
2820         r->nt_password_set              = 0;
2821
2822 #if 0
2823
2824         /*
2825           Look at a user on a real NT4 PDC with usrmgr, press
2826           'ok'. Then you will see that fields_present is set to
2827           0x08f827fa. Look at the user immediately after that again,
2828           and you will see that 0x00fffff is returned. This solves
2829           the problem that you get access denied after having looked
2830           at the user.
2831           -- Volker
2832         */
2833
2834 #endif
2835
2836
2837         return NT_STATUS_OK;
2838 }
2839
2840 /*******************************************************************
2841  _samr_QueryUserInfo
2842  ********************************************************************/
2843
2844 NTSTATUS _samr_QueryUserInfo(pipes_struct *p,
2845                              struct samr_QueryUserInfo *r)
2846 {
2847         NTSTATUS status;
2848         union samr_UserInfo *user_info = NULL;
2849         struct samr_user_info *uinfo;
2850         DOM_SID domain_sid;
2851         uint32 rid;
2852         bool ret = false;
2853         struct samu *pwd = NULL;
2854
2855         uinfo = policy_handle_find(p, r->in.user_handle,
2856                                    SAMR_USER_ACCESS_GET_ATTRIBUTES, NULL,
2857                                    struct samr_user_info, &status);
2858         if (!NT_STATUS_IS_OK(status)) {
2859                 return status;
2860         }
2861
2862         domain_sid = uinfo->sid;
2863
2864         sid_split_rid(&domain_sid, &rid);
2865
2866         if (!sid_check_is_in_our_domain(&uinfo->sid))
2867                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2868
2869         DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
2870                  sid_string_dbg(&uinfo->sid)));
2871
2872         user_info = TALLOC_ZERO_P(p->mem_ctx, union samr_UserInfo);
2873         if (!user_info) {
2874                 return NT_STATUS_NO_MEMORY;
2875         }
2876
2877         DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r->in.level));
2878
2879         if (!(pwd = samu_new(p->mem_ctx))) {
2880                 return NT_STATUS_NO_MEMORY;
2881         }
2882
2883         become_root();
2884         ret = pdb_getsampwsid(pwd, &uinfo->sid);
2885         unbecome_root();
2886
2887         if (ret == false) {
2888                 DEBUG(4,("User %s not found\n", sid_string_dbg(&uinfo->sid)));
2889                 TALLOC_FREE(pwd);
2890                 return NT_STATUS_NO_SUCH_USER;
2891         }
2892
2893         DEBUG(3,("User:[%s]\n", pdb_get_username(pwd)));
2894
2895         samr_clear_sam_passwd(pwd);
2896
2897         switch (r->in.level) {
2898         case 1:
2899                 status = get_user_info_1(p->mem_ctx, &user_info->info1, pwd, &domain_sid);
2900                 break;
2901         case 2:
2902                 status = get_user_info_2(p->mem_ctx, &user_info->info2, pwd);
2903                 break;
2904         case 3:
2905                 status = get_user_info_3(p->mem_ctx, &user_info->info3, pwd, &domain_sid);
2906                 break;
2907         case 4:
2908                 status = get_user_info_4(p->mem_ctx, &user_info->info4, pwd);
2909                 break;
2910         case 5:
2911                 status = get_user_info_5(p->mem_ctx, &user_info->info5, pwd, &domain_sid);
2912                 break;
2913         case 6:
2914                 status = get_user_info_6(p->mem_ctx, &user_info->info6, pwd);
2915                 break;
2916         case 7:
2917                 status = get_user_info_7(p->mem_ctx, &user_info->info7, pwd);
2918                 break;
2919         case 8:
2920                 status = get_user_info_8(p->mem_ctx, &user_info->info8, pwd);
2921                 break;
2922         case 9:
2923                 status = get_user_info_9(p->mem_ctx, &user_info->info9, pwd);
2924                 break;
2925         case 10:
2926                 status = get_user_info_10(p->mem_ctx, &user_info->info10, pwd);
2927                 break;
2928         case 11:
2929                 status = get_user_info_11(p->mem_ctx, &user_info->info11, pwd);
2930                 break;
2931         case 12:
2932                 status = get_user_info_12(p->mem_ctx, &user_info->info12, pwd);
2933                 break;
2934         case 13:
2935                 status = get_user_info_13(p->mem_ctx, &user_info->info13, pwd);
2936                 break;
2937         case 14:
2938                 status = get_user_info_14(p->mem_ctx, &user_info->info14, pwd);
2939                 break;
2940         case 16:
2941                 status = get_user_info_16(p->mem_ctx, &user_info->info16, pwd);
2942                 break;
2943         case 17:
2944                 status = get_user_info_17(p->mem_ctx, &user_info->info17, pwd);
2945                 break;
2946         case 18:
2947                 /* level 18 is special */
2948                 status = get_user_info_18(p, p->mem_ctx, &user_info->info18,
2949                                           &uinfo->sid);
2950                 break;
2951         case 20:
2952                 status = get_user_info_20(p->mem_ctx, &user_info->info20, pwd);
2953                 break;
2954         case 21:
2955                 status = get_user_info_21(p->mem_ctx, &user_info->info21, pwd, &domain_sid);
2956                 break;
2957         default:
2958                 status = NT_STATUS_INVALID_INFO_CLASS;
2959                 break;
2960         }
2961
2962         TALLOC_FREE(pwd);
2963
2964         *r->out.info = user_info;
2965
2966         DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__));
2967
2968         return status;
2969 }
2970
2971 /****************************************************************
2972 ****************************************************************/
2973
2974 NTSTATUS _samr_QueryUserInfo2(pipes_struct *p,
2975                               struct samr_QueryUserInfo2 *r)
2976 {
2977         struct samr_QueryUserInfo u;
2978
2979         u.in.user_handle        = r->in.user_handle;
2980         u.in.level              = r->in.level;
2981         u.out.info              = r->out.info;
2982
2983         return _samr_QueryUserInfo(p, &u);
2984 }
2985
2986 /*******************************************************************
2987  _samr_GetGroupsForUser
2988  ********************************************************************/
2989
2990 NTSTATUS _samr_GetGroupsForUser(pipes_struct *p,
2991                                 struct samr_GetGroupsForUser *r)
2992 {
2993         struct samr_user_info *uinfo;
2994         struct samu *sam_pass=NULL;
2995         DOM_SID *sids;
2996         struct samr_RidWithAttribute dom_gid;
2997         struct samr_RidWithAttribute *gids = NULL;
2998         uint32 primary_group_rid;
2999         size_t num_groups = 0;
3000         gid_t *unix_gids;
3001         size_t i, num_gids;
3002         bool ret;
3003         NTSTATUS result;
3004         bool success = False;
3005
3006         struct samr_RidWithAttributeArray *rids = NULL;
3007
3008         /*
3009          * from the SID in the request:
3010          * we should send back the list of DOMAIN GROUPS
3011          * the user is a member of
3012          *
3013          * and only the DOMAIN GROUPS
3014          * no ALIASES !!! neither aliases of the domain
3015          * nor aliases of the builtin SID
3016          *
3017          * JFM, 12/2/2001
3018          */
3019
3020         DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
3021
3022         uinfo = policy_handle_find(p, r->in.user_handle,
3023                                    SAMR_USER_ACCESS_GET_GROUPS, NULL,
3024                                    struct samr_user_info, &result);
3025         if (!NT_STATUS_IS_OK(result)) {
3026                 return result;
3027         }
3028
3029         rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidWithAttributeArray);
3030         if (!rids) {
3031                 return NT_STATUS_NO_MEMORY;
3032         }
3033
3034         if (!sid_check_is_in_our_domain(&uinfo->sid))
3035                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
3036
3037         if ( !(sam_pass = samu_new( p->mem_ctx )) ) {
3038                 return NT_STATUS_NO_MEMORY;
3039         }
3040
3041         become_root();
3042         ret = pdb_getsampwsid(sam_pass, &uinfo->sid);
3043         unbecome_root();
3044
3045         if (!ret) {
3046                 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
3047                            sid_string_dbg(&uinfo->sid)));
3048                 return NT_STATUS_NO_SUCH_USER;
3049         }
3050
3051         sids = NULL;
3052
3053         /* make both calls inside the root block */
3054         become_root();
3055         result = pdb_enum_group_memberships(p->mem_ctx, sam_pass,
3056                                             &sids, &unix_gids, &num_groups);
3057         if ( NT_STATUS_IS_OK(result) ) {
3058                 success = sid_peek_check_rid(get_global_sam_sid(),
3059                                              pdb_get_group_sid(sam_pass),
3060                                              &primary_group_rid);
3061         }
3062         unbecome_root();
3063
3064         if (!NT_STATUS_IS_OK(result)) {
3065                 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
3066                            sid_string_dbg(&uinfo->sid)));
3067                 return result;
3068         }
3069
3070         if ( !success ) {
3071                 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
3072                           sid_string_dbg(pdb_get_group_sid(sam_pass)),
3073                           pdb_get_username(sam_pass)));
3074                 TALLOC_FREE(sam_pass);
3075                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
3076         }
3077
3078         gids = NULL;
3079         num_gids = 0;
3080
3081         dom_gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
3082                               SE_GROUP_ENABLED);
3083         dom_gid.rid = primary_group_rid;
3084         ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
3085
3086         for (i=0; i<num_groups; i++) {
3087
3088                 if (!sid_peek_check_rid(get_global_sam_sid(),
3089                                         &(sids[i]), &dom_gid.rid)) {
3090                         DEBUG(10, ("Found sid %s not in our domain\n",
3091                                    sid_string_dbg(&sids[i])));
3092                         continue;
3093                 }
3094
3095                 if (dom_gid.rid == primary_group_rid) {
3096                         /* We added the primary group directly from the
3097                          * sam_account. The other SIDs are unique from
3098                          * enum_group_memberships */
3099                         continue;
3100                 }
3101
3102                 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
3103         }
3104
3105         rids->count = num_gids;
3106         rids->rids = gids;
3107
3108         *r->out.rids = rids;
3109
3110         DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
3111
3112         return result;
3113 }
3114
3115 /*******************************************************************
3116  _samr_QueryDomainInfo
3117  ********************************************************************/
3118
3119 NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
3120                                struct samr_QueryDomainInfo *r)
3121 {
3122         NTSTATUS status = NT_STATUS_OK;
3123         struct samr_domain_info *dinfo;
3124         union samr_DomainInfo *dom_info;
3125         time_t u_expire, u_min_age;
3126
3127         time_t u_lock_duration, u_reset_time;
3128         uint32_t u_logout;
3129
3130         uint32 account_policy_temp;
3131
3132         time_t seq_num;
3133         uint32 server_role;
3134
3135         DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
3136
3137         dinfo = policy_handle_find(p, r->in.domain_handle,
3138                                    SAMR_ACCESS_LOOKUP_DOMAIN, NULL,
3139                                    struct samr_domain_info, &status);
3140         if (!NT_STATUS_IS_OK(status)) {
3141                 return status;
3142         }
3143
3144         dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo);
3145         if (!dom_info) {
3146                 return NT_STATUS_NO_MEMORY;
3147         }
3148
3149         switch (r->in.level) {
3150                 case 0x01:
3151
3152                         become_root();
3153
3154                         /* AS ROOT !!! */
3155
3156                         pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
3157                                                &account_policy_temp);
3158                         dom_info->info1.min_password_length = account_policy_temp;
3159
3160                         pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
3161                         dom_info->info1.password_history_length = account_policy_temp;
3162
3163                         pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
3164                                 &dom_info->info1.password_properties);
3165
3166                         pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
3167                         u_expire = account_policy_temp;
3168
3169                         pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
3170                         u_min_age = account_policy_temp;
3171
3172                         /* !AS ROOT */
3173
3174                         unbecome_root();
3175
3176                         unix_to_nt_time_abs((NTTIME *)&dom_info->info1.max_password_age, u_expire);
3177                         unix_to_nt_time_abs((NTTIME *)&dom_info->info1.min_password_age, u_min_age);
3178
3179                         if (lp_check_password_script() && *lp_check_password_script()) {
3180                                 dom_info->info1.password_properties |= DOMAIN_PASSWORD_COMPLEX;
3181                         }
3182
3183                         break;
3184                 case 0x02:
3185
3186                         become_root();
3187
3188                         /* AS ROOT !!! */
3189
3190                         dom_info->general.num_users     = count_sam_users(
3191                                 dinfo->disp_info, ACB_NORMAL);
3192                         dom_info->general.num_groups    = count_sam_groups(
3193                                 dinfo->disp_info);
3194                         dom_info->general.num_aliases   = count_sam_aliases(
3195                                 dinfo->disp_info);
3196
3197                         pdb_get_account_policy(AP_TIME_TO_LOGOUT, &u_logout);
3198
3199                         unix_to_nt_time_abs(&dom_info->general.force_logoff_time, u_logout);
3200
3201                         if (!pdb_get_seq_num(&seq_num))
3202                                 seq_num = time(NULL);
3203
3204                         /* !AS ROOT */
3205
3206                         unbecome_root();
3207
3208                         server_role = ROLE_DOMAIN_PDC;
3209                         if (lp_server_role() == ROLE_DOMAIN_BDC)
3210                                 server_role = ROLE_DOMAIN_BDC;
3211
3212                         dom_info->general.oem_information.string        = lp_serverstring();
3213                         dom_info->general.domain_name.string            = lp_workgroup();
3214                         dom_info->general.primary.string                = global_myname();
3215                         dom_info->general.sequence_num                  = seq_num;
3216                         dom_info->general.domain_server_state           = DOMAIN_SERVER_ENABLED;
3217                         dom_info->general.role                          = server_role;
3218                         dom_info->general.unknown3                      = 1;
3219
3220                         break;
3221                 case 0x03:
3222
3223                         become_root();
3224
3225                         /* AS ROOT !!! */
3226
3227                         {
3228                                 uint32 ul;
3229                                 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &ul);
3230                                 u_logout = (time_t)ul;
3231                         }
3232
3233                         /* !AS ROOT */
3234
3235                         unbecome_root();
3236
3237                         unix_to_nt_time_abs(&dom_info->info3.force_logoff_time, u_logout);
3238
3239                         break;
3240                 case 0x04:
3241                         dom_info->oem.oem_information.string = lp_serverstring();
3242                         break;
3243                 case 0x05:
3244                         dom_info->info5.domain_name.string = get_global_sam_name();
3245                         break;
3246                 case 0x06:
3247                         /* NT returns its own name when a PDC. win2k and later
3248                          * only the name of the PDC if itself is a BDC (samba4
3249                          * idl) */
3250                         dom_info->info6.primary.string = global_myname();
3251                         break;
3252                 case 0x07:
3253                         server_role = ROLE_DOMAIN_PDC;
3254                         if (lp_server_role() == ROLE_DOMAIN_BDC)
3255                                 server_role = ROLE_DOMAIN_BDC;
3256
3257                         dom_info->info7.role = server_role;
3258                         break;
3259                 case 0x08:
3260
3261                         become_root();
3262
3263                         /* AS ROOT !!! */
3264
3265                         if (!pdb_get_seq_num(&seq_num)) {
3266                                 seq_num = time(NULL);
3267                         }
3268
3269                         /* !AS ROOT */
3270
3271                         unbecome_root();
3272
3273                         dom_info->info8.sequence_num = seq_num;
3274                         dom_info->info8.domain_create_time = 0;
3275
3276                         break;
3277                 case 0x09:
3278
3279                         dom_info->info9.domain_server_state             = DOMAIN_SERVER_ENABLED;
3280
3281                         break;
3282                 case 0x0b:
3283
3284                         /* AS ROOT !!! */
3285
3286                         become_root();
3287
3288                         dom_info->general2.general.num_users    = count_sam_users(
3289                                 dinfo->disp_info, ACB_NORMAL);
3290                         dom_info->general2.general.num_groups   = count_sam_groups(
3291                                 dinfo->disp_info);
3292                         dom_info->general2.general.num_aliases  = count_sam_aliases(
3293                                 dinfo->disp_info);
3294
3295                         pdb_get_account_policy(AP_TIME_TO_LOGOUT, &u_logout);
3296
3297                         unix_to_nt_time_abs(&dom_info->general2.general.force_logoff_time, u_logout);
3298
3299                         if (!pdb_get_seq_num(&seq_num))
3300                                 seq_num = time(NULL);
3301
3302                         pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
3303                         u_lock_duration = account_policy_temp;
3304                         if (u_lock_duration != -1) {
3305                                 u_lock_duration *= 60;
3306                         }
3307
3308                         pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
3309                         u_reset_time = account_policy_temp * 60;
3310
3311                         pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT,
3312                                                &account_policy_temp);
3313                         dom_info->general2.lockout_threshold = account_policy_temp;
3314
3315                         /* !AS ROOT */
3316
3317                         unbecome_root();
3318
3319                         server_role = ROLE_DOMAIN_PDC;
3320                         if (lp_server_role() == ROLE_DOMAIN_BDC)
3321                                 server_role = ROLE_DOMAIN_BDC;
3322
3323                         dom_info->general2.general.oem_information.string       = lp_serverstring();
3324                         dom_info->general2.general.domain_name.string           = lp_workgroup();
3325                         dom_info->general2.general.primary.string               = global_myname();
3326                         dom_info->general2.general.sequence_num                 = seq_num;
3327                         dom_info->general2.general.domain_server_state          = DOMAIN_SERVER_ENABLED;
3328                         dom_info->general2.general.role                         = server_role;
3329                         dom_info->general2.general.unknown3                     = 1;
3330
3331                         unix_to_nt_time_abs(&dom_info->general2.lockout_duration,
3332                                             u_lock_duration);
3333                         unix_to_nt_time_abs(&dom_info->general2.lockout_window,
3334                                             u_reset_time);
3335
3336                         break;
3337                 case 0x0c:
3338
3339                         become_root();
3340
3341                         /* AS ROOT !!! */
3342
3343                         pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
3344                         u_lock_duration = account_policy_temp;
3345                         if (u_lock_duration != -1) {
3346                                 u_lock_duration *= 60;
3347                         }
3348
3349                         pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
3350                         u_reset_time = account_policy_temp * 60;
3351
3352                         pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT,
3353                                                &account_policy_temp);
3354                         dom_info->info12.lockout_threshold = account_policy_temp;
3355
3356                         /* !AS ROOT */
3357
3358                         unbecome_root();
3359
3360                         unix_to_nt_time_abs(&dom_info->info12.lockout_duration,
3361                                             u_lock_duration);
3362                         unix_to_nt_time_abs(&dom_info->info12.lockout_window,
3363                                             u_reset_time);
3364
3365                         break;
3366                 case 0x0d:
3367
3368                         become_root();
3369
3370                         /* AS ROOT !!! */
3371
3372                         if (!pdb_get_seq_num(&seq_num)) {
3373                                 seq_num = time(NULL);
3374                         }
3375
3376                         /* !AS ROOT */
3377
3378                         unbecome_root();
3379
3380                         dom_info->info13.sequence_num = seq_num;
3381                         dom_info->info13.domain_create_time = 0;
3382                         dom_info->info13.modified_count_at_last_promotion = 0;
3383
3384                         break;
3385                 default:
3386                         return NT_STATUS_INVALID_INFO_CLASS;
3387         }
3388
3389         *r->out.info = dom_info;
3390
3391         DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
3392
3393         return status;
3394 }
3395
3396 /* W2k3 seems to use the same check for all 3 objects that can be created via
3397  * SAMR, if you try to create for example "Dialup" as an alias it says
3398  * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
3399  * database. */
3400
3401 static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name)
3402 {
3403         enum lsa_SidType type;
3404         bool result;
3405
3406         DEBUG(10, ("Checking whether [%s] can be created\n", new_name));
3407
3408         become_root();
3409         /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
3410          * whether the name already exists */
3411         result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_LOCAL,
3412                              NULL, NULL, NULL, &type);
3413         unbecome_root();
3414
3415         if (!result) {
3416                 DEBUG(10, ("%s does not exist, can create it\n", new_name));
3417                 return NT_STATUS_OK;
3418         }
3419
3420         DEBUG(5, ("trying to create %s, exists as %s\n",
3421                   new_name, sid_type_lookup(type)));
3422
3423         if (type == SID_NAME_DOM_GRP) {
3424                 return NT_STATUS_GROUP_EXISTS;
3425         }
3426         if (type == SID_NAME_ALIAS) {
3427                 return NT_STATUS_ALIAS_EXISTS;
3428         }
3429
3430         /* Yes, the default is NT_STATUS_USER_EXISTS */
3431         return NT_STATUS_USER_EXISTS;
3432 }
3433
3434 /*******************************************************************
3435  _samr_CreateUser2
3436  ********************************************************************/
3437
3438 NTSTATUS _samr_CreateUser2(pipes_struct *p,
3439                            struct samr_CreateUser2 *r)
3440 {
3441         const char *account = NULL;
3442         DOM_SID sid;
3443         uint32_t acb_info = r->in.acct_flags;
3444         struct samr_domain_info *dinfo;
3445         struct samr_user_info *uinfo;
3446         NTSTATUS nt_status;
3447         uint32 acc_granted;
3448         SEC_DESC *psd;
3449         size_t    sd_size;
3450         /* check this, when giving away 'add computer to domain' privs */
3451         uint32    des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
3452         bool can_add_account = False;
3453         SE_PRIV se_rights;
3454
3455         dinfo = policy_handle_find(p, r->in.domain_handle,
3456                                    SAMR_DOMAIN_ACCESS_CREATE_USER, NULL,
3457                                    struct samr_domain_info, &nt_status);
3458         if (!NT_STATUS_IS_OK(nt_status)) {
3459                 return nt_status;
3460         }
3461
3462         if (sid_check_is_builtin(&dinfo->sid)) {
3463                 DEBUG(5,("_samr_CreateUser2: Refusing user create in BUILTIN\n"));
3464                 return NT_STATUS_ACCESS_DENIED;
3465         }
3466
3467         if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST ||
3468               acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
3469                 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3470                    this parameter is not an account type */
3471                 return NT_STATUS_INVALID_PARAMETER;
3472         }
3473
3474         account = r->in.account_name->string;
3475         if (account == NULL) {
3476                 return NT_STATUS_NO_MEMORY;
3477         }
3478
3479         nt_status = can_create(p->mem_ctx, account);
3480         if (!NT_STATUS_IS_OK(nt_status)) {
3481                 return nt_status;
3482         }
3483
3484         /* determine which user right we need to check based on the acb_info */
3485
3486         if ( acb_info & ACB_WSTRUST )
3487         {
3488                 se_priv_copy( &se_rights, &se_machine_account );
3489                 can_add_account = user_has_privileges(
3490                         p->server_info->ptok, &se_rights );
3491         }
3492         /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
3493            account for domain trusts and changes the ACB flags later */
3494         else if ( acb_info & ACB_NORMAL &&
3495                   (account[strlen(account)-1] != '$') )
3496         {
3497                 se_priv_copy( &se_rights, &se_add_users );
3498                 can_add_account = user_has_privileges(
3499                         p->server_info->ptok, &se_rights );
3500         }
3501         else    /* implicit assumption of a BDC or domain trust account here
3502                  * (we already check the flags earlier) */
3503         {
3504                 if ( lp_enable_privileges() ) {
3505                         /* only Domain Admins can add a BDC or domain trust */
3506                         se_priv_copy( &se_rights, &se_priv_none );
3507                         can_add_account = nt_token_check_domain_rid(
3508                                 p->server_info->ptok,
3509                                 DOMAIN_GROUP_RID_ADMINS );
3510                 }
3511         }
3512
3513         DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
3514                   uidtoname(p->server_info->utok.uid),
3515                   can_add_account ? "True":"False" ));
3516
3517         /********** BEGIN Admin BLOCK **********/
3518
3519         if ( can_add_account )
3520                 become_root();
3521
3522         nt_status = pdb_create_user(p->mem_ctx, account, acb_info,
3523                                     r->out.rid);
3524
3525         if ( can_add_account )
3526                 unbecome_root();
3527
3528         /********** END Admin BLOCK **********/
3529
3530         /* now check for failure */
3531
3532         if ( !NT_STATUS_IS_OK(nt_status) )
3533                 return nt_status;
3534
3535         /* Get the user's SID */
3536
3537         sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
3538
3539         map_max_allowed_access(p->server_info->ptok, &des_access);
3540
3541         make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
3542                             &sid, SAMR_USR_RIGHTS_WRITE_PW);
3543         se_map_generic(&des_access, &usr_generic_mapping);
3544
3545         nt_status = access_check_samr_object(psd, p->server_info->ptok,
3546                 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
3547                 &acc_granted, "_samr_CreateUser2");
3548
3549         if ( !NT_STATUS_IS_OK(nt_status) ) {
3550                 return nt_status;
3551         }
3552
3553         uinfo = policy_handle_create(p, r->out.user_handle, acc_granted,
3554                                      struct samr_user_info, &nt_status);
3555         if (!NT_STATUS_IS_OK(nt_status)) {
3556                 return nt_status;
3557         }
3558         uinfo->sid = sid;
3559
3560         /* After a "set" ensure we have no cached display info. */
3561         force_flush_samr_cache(&sid);
3562
3563         *r->out.access_granted = acc_granted;
3564
3565         return NT_STATUS_OK;
3566 }
3567
3568 /****************************************************************
3569 ****************************************************************/
3570
3571 NTSTATUS _samr_CreateUser(pipes_struct *p,
3572                           struct samr_CreateUser *r)
3573 {
3574         struct samr_CreateUser2 c;
3575         uint32_t access_granted;
3576
3577         c.in.domain_handle      = r->in.domain_handle;
3578         c.in.account_name       = r->in.account_name;
3579         c.in.acct_flags         = ACB_NORMAL;
3580         c.in.access_mask        = r->in.access_mask;
3581         c.out.user_handle       = r->out.user_handle;
3582         c.out.access_granted    = &access_granted;
3583         c.out.rid               = r->out.rid;
3584
3585         return _samr_CreateUser2(p, &c);
3586 }
3587
3588 /*******************************************************************
3589  _samr_Connect
3590  ********************************************************************/
3591
3592 NTSTATUS _samr_Connect(pipes_struct *p,
3593                        struct samr_Connect *r)
3594 {
3595         struct samr_connect_info *info;
3596         uint32_t acc_granted;
3597         struct policy_handle hnd;
3598         uint32    des_access = r->in.access_mask;
3599         NTSTATUS status;
3600
3601         /* Access check */
3602
3603         if (!pipe_access_check(p)) {
3604                 DEBUG(3, ("access denied to _samr_Connect\n"));
3605                 return NT_STATUS_ACCESS_DENIED;
3606         }
3607
3608         /* don't give away the farm but this is probably ok.  The SAMR_ACCESS_ENUM_DOMAINS
3609            was observed from a win98 client trying to enumerate users (when configured
3610            user level access control on shares)   --jerry */
3611
3612         map_max_allowed_access(p->server_info->ptok, &des_access);
3613
3614         se_map_generic( &des_access, &sam_generic_mapping );
3615
3616         acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS
3617                                     |SAMR_ACCESS_LOOKUP_DOMAIN);
3618
3619         /* set up the SAMR connect_anon response */
3620
3621         info = policy_handle_create(p, &hnd, acc_granted,
3622                                     struct samr_connect_info,
3623                                     &status);
3624         if (!NT_STATUS_IS_OK(status)) {
3625                 return status;
3626         }
3627
3628         *r->out.connect_handle = hnd;
3629         return NT_STATUS_OK;
3630 }
3631
3632 /*******************************************************************
3633  _samr_Connect2
3634  ********************************************************************/
3635
3636 NTSTATUS _samr_Connect2(pipes_struct *p,
3637                         struct samr_Connect2 *r)
3638 {
3639         struct samr_connect_info *info = NULL;
3640         struct policy_handle hnd;
3641         SEC_DESC *psd = NULL;
3642         uint32    acc_granted;
3643         uint32    des_access = r->in.access_mask;
3644         NTSTATUS  nt_status;
3645         size_t    sd_size;
3646         const char *fn = "_samr_Connect2";
3647
3648         switch (p->hdr_req.opnum) {
3649         case NDR_SAMR_CONNECT2:
3650                 fn = "_samr_Connect2";
3651                 break;
3652         case NDR_SAMR_CONNECT3:
3653                 fn = "_samr_Connect3";
3654                 break;
3655         case NDR_SAMR_CONNECT4:
3656                 fn = "_samr_Connect4";
3657                 break;
3658         case NDR_SAMR_CONNECT5:
3659                 fn = "_samr_Connect5";
3660                 break;
3661         }
3662
3663         DEBUG(5,("%s: %d\n", fn, __LINE__));
3664
3665         /* Access check */
3666
3667         if (!pipe_access_check(p)) {
3668                 DEBUG(3, ("access denied to %s\n", fn));
3669                 return NT_STATUS_ACCESS_DENIED;
3670         }
3671
3672         map_max_allowed_access(p->server_info->ptok, &des_access);
3673
3674         make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3675         se_map_generic(&des_access, &sam_generic_mapping);
3676
3677         nt_status = access_check_samr_object(psd, p->server_info->ptok,
3678                 NULL, 0, des_access, &acc_granted, fn);
3679
3680         if ( !NT_STATUS_IS_OK(nt_status) )
3681                 return nt_status;
3682
3683         info = policy_handle_create(p, &hnd, acc_granted,
3684                                     struct samr_connect_info, &nt_status);
3685         if (!NT_STATUS_IS_OK(nt_status)) {
3686                 return nt_status;
3687         }
3688
3689         DEBUG(5,("%s: %d\n", fn, __LINE__));
3690
3691         *r->out.connect_handle = hnd;
3692         return NT_STATUS_OK;
3693 }
3694
3695 /****************************************************************
3696  _samr_Connect3
3697 ****************************************************************/
3698
3699 NTSTATUS _samr_Connect3(pipes_struct *p,
3700                         struct samr_Connect3 *r)
3701 {
3702         struct samr_Connect2 c;
3703
3704         c.in.system_name        = r->in.system_name;
3705         c.in.access_mask        = r->in.access_mask;
3706         c.out.connect_handle    = r->out.connect_handle;
3707
3708         return _samr_Connect2(p, &c);
3709 }
3710
3711 /*******************************************************************
3712  _samr_Connect4
3713  ********************************************************************/
3714
3715 NTSTATUS _samr_Connect4(pipes_struct *p,
3716                         struct samr_Connect4 *r)
3717 {
3718         struct samr_Connect2 c;
3719
3720         c.in.system_name        = r->in.system_name;
3721         c.in.access_mask        = r->in.access_mask;
3722         c.out.connect_handle    = r->out.connect_handle;
3723
3724         return _samr_Connect2(p, &c);
3725 }
3726
3727 /*******************************************************************
3728  _samr_Connect5
3729  ********************************************************************/
3730
3731 NTSTATUS _samr_Connect5(pipes_struct *p,
3732                         struct samr_Connect5 *r)
3733 {
3734         NTSTATUS status;
3735         struct samr_Connect2 c;
3736         struct samr_ConnectInfo1 info1;
3737
3738         info1.client_version = SAMR_CONNECT_AFTER_W2K;
3739         info1.unknown2 = 0;
3740
3741         c.in.system_name        = r->in.system_name;
3742         c.in.access_mask        = r->in.access_mask;
3743         c.out.connect_handle    = r->out.connect_handle;
3744
3745         *r->out.level_out = 1;
3746
3747         status = _samr_Connect2(p, &c);
3748         if (!NT_STATUS_IS_OK(status)) {
3749                 return status;
3750         }
3751
3752         r->out.info_out->info1 = info1;
3753
3754         return NT_STATUS_OK;
3755 }
3756
3757 /**********************************************************************
3758  _samr_LookupDomain
3759  **********************************************************************/
3760
3761 NTSTATUS _samr_LookupDomain(pipes_struct *p,
3762                             struct samr_LookupDomain *r)
3763 {
3764         NTSTATUS status;
3765         struct samr_connect_info *info;
3766         const char *domain_name;
3767         DOM_SID *sid = NULL;
3768
3769         /* win9x user manager likes to use SAMR_ACCESS_ENUM_DOMAINS here.
3770            Reverted that change so we will work with RAS servers again */
3771
3772         info = policy_handle_find(p, r->in.connect_handle,
3773                                   SAMR_ACCESS_LOOKUP_DOMAIN, NULL,
3774                                   struct samr_connect_info,
3775                                   &status);
3776         if (!NT_STATUS_IS_OK(status)) {
3777                 return status;
3778         }
3779
3780         domain_name = r->in.domain_name->string;
3781         if (!domain_name) {
3782                 return NT_STATUS_INVALID_PARAMETER;
3783         }
3784
3785         sid = TALLOC_ZERO_P(p->mem_ctx, struct dom_sid2);
3786         if (!sid) {
3787                 return NT_STATUS_NO_MEMORY;
3788         }
3789
3790         if (strequal(domain_name, builtin_domain_name())) {
3791                 sid_copy(sid, &global_sid_Builtin);
3792         } else {
3793                 if (!secrets_fetch_domain_sid(domain_name, sid)) {
3794                         status = NT_STATUS_NO_SUCH_DOMAIN;
3795                 }
3796         }
3797
3798         DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name,
3799                  sid_string_dbg(sid)));
3800
3801         *r->out.sid = sid;
3802
3803         return status;
3804 }
3805
3806 /**********************************************************************
3807  _samr_EnumDomains
3808  **********************************************************************/
3809
3810 NTSTATUS _samr_EnumDomains(pipes_struct *p,
3811                            struct samr_EnumDomains *r)
3812 {
3813         NTSTATUS status;
3814         struct samr_connect_info *info;
3815         uint32_t num_entries = 2;
3816         struct samr_SamEntry *entry_array = NULL;
3817         struct samr_SamArray *sam;
3818
3819         info = policy_handle_find(p, r->in.connect_handle,
3820                                   SAMR_ACCESS_ENUM_DOMAINS, NULL,
3821                                   struct samr_connect_info, &status);
3822         if (!NT_STATUS_IS_OK(status)) {
3823                 return status;
3824         }
3825
3826         sam = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
3827         if (!sam) {
3828                 return NT_STATUS_NO_MEMORY;
3829         }
3830
3831         entry_array = TALLOC_ZERO_ARRAY(p->mem_ctx,
3832                                         struct samr_SamEntry,
3833                                         num_entries);
3834         if (!entry_array) {
3835                 return NT_STATUS_NO_MEMORY;
3836         }
3837
3838         entry_array[0].idx = 0;
3839         init_lsa_String(&entry_array[0].name, get_global_sam_name());
3840
3841         entry_array[1].idx = 1;
3842         init_lsa_String(&entry_array[1].name, "Builtin");
3843
3844         sam->count = num_entries;
3845         sam->entries = entry_array;
3846
3847         *r->out.sam = sam;
3848         *r->out.num_entries = num_entries;
3849
3850         return status;
3851 }
3852
3853 /*******************************************************************
3854  _samr_OpenAlias
3855  ********************************************************************/
3856
3857 NTSTATUS _samr_OpenAlias(pipes_struct *p,
3858                          struct samr_OpenAlias *r)
3859 {
3860         DOM_SID sid;
3861         uint32 alias_rid = r->in.rid;
3862         struct samr_alias_info *ainfo;
3863         struct samr_domain_info *dinfo;
3864         SEC_DESC *psd = NULL;
3865         uint32    acc_granted;
3866         uint32    des_access = r->in.access_mask;
3867         size_t    sd_size;
3868         NTSTATUS  status;
3869         SE_PRIV se_rights;
3870
3871         dinfo = policy_handle_find(p, r->in.domain_handle,
3872                                    SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, NULL,
3873                                    struct samr_domain_info, &status);
3874         if (!NT_STATUS_IS_OK(status)) {
3875                 return status;
3876         }
3877
3878         /* append the alias' RID to it */
3879
3880         if (!sid_compose(&sid, &dinfo->sid, alias_rid))
3881                 return NT_STATUS_NO_SUCH_ALIAS;
3882
3883         /*check if access can be granted as requested by client. */
3884
3885         map_max_allowed_access(p->server_info->ptok, &des_access);
3886
3887         make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
3888         se_map_generic(&des_access,&ali_generic_mapping);
3889
3890         se_priv_copy( &se_rights, &se_add_users );
3891
3892
3893         status = access_check_samr_object(psd, p->server_info->ptok,
3894                 &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access,
3895                 &acc_granted, "_samr_OpenAlias");
3896
3897         if ( !NT_STATUS_IS_OK(status) )
3898                 return status;
3899
3900         {
3901                 /* Check we actually have the requested alias */
3902                 enum lsa_SidType type;
3903  &n