2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2002,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 * Copyright (C) Simo Sorce 2003.
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
30 * This is the implementation of the SAMR code.
36 #define DBGC_CLASS DBGC_RPC_SRV
38 #define SAMR_USR_RIGHTS_WRITE_PW \
39 ( READ_CONTROL_ACCESS | \
40 SA_RIGHT_USER_CHANGE_PASSWORD | \
41 SA_RIGHT_USER_SET_LOC_COM )
43 #define DISP_INFO_CACHE_TIMEOUT 10
45 typedef struct disp_info {
46 struct disp_info *next, *prev;
48 DOM_SID sid; /* identify which domain this is. */
49 struct pdb_search *users; /* querydispinfo 1 and 4 */
50 struct pdb_search *machines; /* querydispinfo 2 */
51 struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
52 struct pdb_search *aliases; /* enumaliases */
53 struct pdb_search *builtins; /* enumaliases */
56 struct pdb_search *enum_users; /* enumusers with a mask */
58 smb_event_id_t di_cache_timeout_event; /* cache idle timeout handler. */
61 /* We keep a static list of these by SID as modern clients close down
62 all resources between each request in a complete enumeration. */
64 static DISP_INFO *disp_info_list;
67 /* for use by the \PIPE\samr policy */
69 uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */
75 static struct generic_mapping sam_generic_mapping = {
76 GENERIC_RIGHTS_SAM_READ,
77 GENERIC_RIGHTS_SAM_WRITE,
78 GENERIC_RIGHTS_SAM_EXECUTE,
79 GENERIC_RIGHTS_SAM_ALL_ACCESS};
80 static struct generic_mapping dom_generic_mapping = {
81 GENERIC_RIGHTS_DOMAIN_READ,
82 GENERIC_RIGHTS_DOMAIN_WRITE,
83 GENERIC_RIGHTS_DOMAIN_EXECUTE,
84 GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
85 static struct generic_mapping usr_generic_mapping = {
86 GENERIC_RIGHTS_USER_READ,
87 GENERIC_RIGHTS_USER_WRITE,
88 GENERIC_RIGHTS_USER_EXECUTE,
89 GENERIC_RIGHTS_USER_ALL_ACCESS};
90 static struct generic_mapping grp_generic_mapping = {
91 GENERIC_RIGHTS_GROUP_READ,
92 GENERIC_RIGHTS_GROUP_WRITE,
93 GENERIC_RIGHTS_GROUP_EXECUTE,
94 GENERIC_RIGHTS_GROUP_ALL_ACCESS};
95 static struct generic_mapping ali_generic_mapping = {
96 GENERIC_RIGHTS_ALIAS_READ,
97 GENERIC_RIGHTS_ALIAS_WRITE,
98 GENERIC_RIGHTS_ALIAS_EXECUTE,
99 GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
101 /*******************************************************************
102 *******************************************************************/
104 static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size,
105 struct generic_mapping *map,
106 DOM_SID *sid, uint32 sid_access )
108 DOM_SID domadmin_sid;
109 SEC_ACE ace[5]; /* at most 5 entries */
115 /* basic access for Everyone */
117 init_sec_access(&mask, map->generic_execute | map->generic_read );
118 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
120 /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
122 init_sec_access(&mask, map->generic_all);
124 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
125 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
127 /* Add Full Access for Domain Admins if we are a DC */
130 sid_copy( &domadmin_sid, get_global_sam_sid() );
131 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
132 init_sec_ace(&ace[i++], &domadmin_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
135 /* if we have a sid, give it some special access */
138 init_sec_access( &mask, sid_access );
139 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
142 /* create the security descriptor */
144 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
145 return NT_STATUS_NO_MEMORY;
147 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
148 return NT_STATUS_NO_MEMORY;
153 /*******************************************************************
154 Checks if access to an object should be granted, and returns that
155 level of access for further checks.
156 ********************************************************************/
158 static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
159 SE_PRIV *rights, uint32 rights_mask,
160 uint32 des_access, uint32 *acc_granted,
163 NTSTATUS status = NT_STATUS_ACCESS_DENIED;
164 uint32 saved_mask = 0;
166 /* check privileges; certain SAM access bits should be overridden
167 by privileges (mostly having to do with creating/modifying/deleting
170 if ( rights && user_has_any_privilege( token, rights ) ) {
172 saved_mask = (des_access & rights_mask);
173 des_access &= ~saved_mask;
175 DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
180 /* check the security descriptor first */
182 if ( se_access_check(psd, token, des_access, acc_granted, &status) )
185 /* give root a free pass */
187 if ( geteuid() == sec_initial_uid() ) {
189 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
190 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
192 *acc_granted = des_access;
194 status = NT_STATUS_OK;
200 /* add in any bits saved during the privilege check (only
201 matters is status is ok) */
203 *acc_granted |= rights_mask;
205 DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
206 debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
207 des_access, *acc_granted));
212 /*******************************************************************
213 Checks if access to a function can be granted
214 ********************************************************************/
216 static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
218 DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
219 debug, acc_granted, acc_required));
221 /* check the security descriptor first */
223 if ( (acc_granted&acc_required) == acc_required )
226 /* give root a free pass */
228 if (geteuid() == sec_initial_uid()) {
230 DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
231 debug, acc_granted, acc_required));
232 DEBUGADD(4,("but overwritten by euid == 0\n"));
237 DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n",
238 debug, acc_granted, acc_required));
240 return NT_STATUS_ACCESS_DENIED;
243 /*******************************************************************
244 Fetch or create a dispinfo struct.
245 ********************************************************************/
247 static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid, const char *sid_str)
252 for (dpi = disp_info_list; dpi; dpi = dpi->next) {
253 if (sid_equal(psid, &dpi->sid)) {
258 /* This struct is never free'd - I'm using talloc so we
259 can get a list out of smbd using smbcontrol. There will
260 be one of these per SID we're authorative for. JRA. */
262 mem_ctx = talloc_init("DISP_INFO for domain sid %s", sid_str);
264 if ((dpi = TALLOC_ZERO_P(mem_ctx, DISP_INFO)) == NULL)
267 dpi->mem_ctx = mem_ctx;
269 sid_copy( &dpi->sid, psid);
272 DLIST_ADD(disp_info_list, dpi);
277 /*******************************************************************
278 Create a samr_info struct.
279 ********************************************************************/
281 static struct samr_info *get_samr_info_by_sid(DOM_SID *psid)
283 struct samr_info *info;
288 sid_to_string(sid_str, psid);
290 fstrcpy(sid_str,"(NULL)");
293 mem_ctx = talloc_init("samr_info for domain sid %s", sid_str);
295 if ((info = TALLOC_ZERO_P(mem_ctx, struct samr_info)) == NULL)
298 DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str));
300 sid_copy( &info->sid, psid);
302 DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n"));
304 info->mem_ctx = mem_ctx;
306 info->disp_info = get_samr_dispinfo_by_sid(psid, sid_str);
308 if (!info->disp_info) {
309 talloc_destroy(mem_ctx);
316 /*******************************************************************
317 Function to free the per SID data.
318 ********************************************************************/
320 static void free_samr_cache(DISP_INFO *disp_info, const char *sid_str)
322 DEBUG(10,("free_samr_cache: deleting cache for SID %s\n", sid_str));
324 /* We need to become root here because the paged search might have to
325 * tell the LDAP server we're not interested in the rest anymore. */
329 if (disp_info->users) {
330 DEBUG(10,("free_samr_cache: deleting users cache\n"));
331 pdb_search_destroy(disp_info->users);
332 disp_info->users = NULL;
334 if (disp_info->machines) {
335 DEBUG(10,("free_samr_cache: deleting machines cache\n"));
336 pdb_search_destroy(disp_info->machines);
337 disp_info->machines = NULL;
339 if (disp_info->groups) {
340 DEBUG(10,("free_samr_cache: deleting groups cache\n"));
341 pdb_search_destroy(disp_info->groups);
342 disp_info->groups = NULL;
344 if (disp_info->aliases) {
345 DEBUG(10,("free_samr_cache: deleting aliases cache\n"));
346 pdb_search_destroy(disp_info->aliases);
347 disp_info->aliases = NULL;
349 if (disp_info->builtins) {
350 DEBUG(10,("free_samr_cache: deleting builtins cache\n"));
351 pdb_search_destroy(disp_info->builtins);
352 disp_info->builtins = NULL;
354 if (disp_info->enum_users) {
355 DEBUG(10,("free_samr_cache: deleting enum_users cache\n"));
356 pdb_search_destroy(disp_info->enum_users);
357 disp_info->enum_users = NULL;
359 disp_info->enum_acb_mask = 0;
364 /*******************************************************************
365 Function to free the per handle data.
366 ********************************************************************/
368 static void free_samr_info(void *ptr)
370 struct samr_info *info=(struct samr_info *) ptr;
372 /* Only free the dispinfo cache if no one bothered to set up
375 if (info->disp_info && info->disp_info->di_cache_timeout_event == (smb_event_id_t)0) {
377 sid_to_string(sid_str, &info->disp_info->sid);
378 free_samr_cache(info->disp_info, sid_str);
381 talloc_destroy(info->mem_ctx);
384 /*******************************************************************
385 Idle event handler. Throw away the disp info cache.
386 ********************************************************************/
388 static void disp_info_cache_idle_timeout_handler(void **private_data,
393 DISP_INFO *disp_info = (DISP_INFO *)(*private_data);
395 sid_to_string(sid_str, &disp_info->sid);
397 free_samr_cache(disp_info, sid_str);
399 /* Remove the event. */
400 smb_unregister_idle_event(disp_info->di_cache_timeout_event);
401 disp_info->di_cache_timeout_event = (smb_event_id_t)0;
403 DEBUG(10,("disp_info_cache_idle_timeout_handler: caching timed out for SID %s at %u\n",
404 sid_str, (unsigned int)ev_now));
407 /*******************************************************************
408 Setup cache removal idle event handler.
409 ********************************************************************/
411 static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow)
415 sid_to_string(sid_str, &disp_info->sid);
417 /* Remove any pending timeout and update. */
419 if (disp_info->di_cache_timeout_event) {
420 smb_unregister_idle_event(disp_info->di_cache_timeout_event);
421 disp_info->di_cache_timeout_event = (smb_event_id_t)0;
424 DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for SID %s for %u seconds\n",
425 sid_str, (unsigned int)secs_fromnow ));
427 disp_info->di_cache_timeout_event =
428 smb_register_idle_event(disp_info_cache_idle_timeout_handler,
433 /*******************************************************************
434 Force flush any cache. We do this on any samr_set_xxx call.
435 We must also remove the timeout handler.
436 ********************************************************************/
438 static void force_flush_samr_cache(DISP_INFO *disp_info)
443 sid_to_string(sid_str, &disp_info->sid);
444 if (disp_info->di_cache_timeout_event) {
445 smb_unregister_idle_event(disp_info->di_cache_timeout_event);
446 disp_info->di_cache_timeout_event = (smb_event_id_t)0;
447 DEBUG(10,("force_flush_samr_cache: clearing idle event for SID %s\n",
450 free_samr_cache(disp_info, sid_str);
454 /*******************************************************************
455 Ensure password info is never given out. Paranioa... JRA.
456 ********************************************************************/
458 static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass)
464 /* These now zero out the old password */
466 pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
467 pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
470 static uint32 count_sam_users(struct disp_info *info, uint16 acct_flags)
472 struct samr_displayentry *entry;
473 if (info->users == NULL) {
474 info->users = pdb_search_users(acct_flags);
475 if (info->users == NULL) {
479 /* Fetch the last possible entry, thus trigger an enumeration */
480 pdb_search_entries(info->users, 0xffffffff, 1, &entry);
482 /* Ensure we cache this enumeration. */
483 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
485 return info->users->num_entries;
488 static uint32 count_sam_groups(struct disp_info *info)
490 struct samr_displayentry *entry;
491 if (info->groups == NULL) {
492 info->groups = pdb_search_groups();
493 if (info->groups == NULL) {
497 /* Fetch the last possible entry, thus trigger an enumeration */
498 pdb_search_entries(info->groups, 0xffffffff, 1, &entry);
500 /* Ensure we cache this enumeration. */
501 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
503 return info->groups->num_entries;
506 /*******************************************************************
508 ********************************************************************/
510 NTSTATUS _samr_close_hnd(pipes_struct *p, SAMR_Q_CLOSE_HND *q_u, SAMR_R_CLOSE_HND *r_u)
512 r_u->status = NT_STATUS_OK;
514 /* close the policy handle */
515 if (!close_policy_hnd(p, &q_u->pol))
516 return NT_STATUS_OBJECT_NAME_INVALID;
518 DEBUG(5,("samr_reply_close_hnd: %d\n", __LINE__));
523 /*******************************************************************
524 samr_reply_open_domain
525 ********************************************************************/
527 NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN_DOMAIN *r_u)
529 struct samr_info *info;
530 SEC_DESC *psd = NULL;
532 uint32 des_access = q_u->flags;
537 r_u->status = NT_STATUS_OK;
539 /* find the connection policy handle. */
541 if ( !find_policy_by_hnd(p, &q_u->pol, (void**)&info) )
542 return NT_STATUS_INVALID_HANDLE;
544 status = access_check_samr_function( info->acc_granted,
545 SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_open_domain" );
547 if ( !NT_STATUS_IS_OK(status) )
550 /*check if access can be granted as requested by client. */
552 make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
553 se_map_generic( &des_access, &dom_generic_mapping );
555 se_priv_copy( &se_rights, &se_machine_account );
556 se_priv_add( &se_rights, &se_add_users );
558 status = access_check_samr_object( psd, p->pipe_user.nt_user_token,
559 &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access,
560 &acc_granted, "_samr_open_domain" );
562 if ( !NT_STATUS_IS_OK(status) )
565 /* associate the domain SID with the (unique) handle. */
566 if ((info = get_samr_info_by_sid(&q_u->dom_sid.sid))==NULL)
567 return NT_STATUS_NO_MEMORY;
568 info->acc_granted = acc_granted;
570 /* get a (unique) handle. open a policy on it. */
571 if (!create_policy_hnd(p, &r_u->domain_pol, free_samr_info, (void *)info))
572 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
574 DEBUG(5,("samr_open_domain: %d\n", __LINE__));
579 /*******************************************************************
580 _samr_get_usrdom_pwinfo
581 ********************************************************************/
583 NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, SAMR_R_GET_USRDOM_PWINFO *r_u)
585 struct samr_info *info = NULL;
587 r_u->status = NT_STATUS_OK;
589 /* find the policy handle. open a policy on it. */
590 if (!find_policy_by_hnd(p, &q_u->user_pol, (void **)&info))
591 return NT_STATUS_INVALID_HANDLE;
593 if (!sid_check_is_in_our_domain(&info->sid))
594 return NT_STATUS_OBJECT_TYPE_MISMATCH;
596 init_samr_r_get_usrdom_pwinfo(r_u, NT_STATUS_OK);
598 DEBUG(5,("_samr_get_usrdom_pwinfo: %d\n", __LINE__));
601 * NT sometimes return NT_STATUS_ACCESS_DENIED
602 * I don't know yet why.
608 /*******************************************************************
610 ********************************************************************/
612 NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_SEC_OBJ *r_u)
614 DEBUG(0,("_samr_set_sec_obj: Not yet implemented!\n"));
615 return NT_STATUS_NOT_IMPLEMENTED;
618 /*******************************************************************
619 ********************************************************************/
621 static BOOL get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol,
622 DOM_SID *sid, uint32 *acc_granted,
623 DISP_INFO **ppdisp_info)
625 struct samr_info *info = NULL;
627 /* find the policy handle. open a policy on it. */
628 if (!find_policy_by_hnd(p, pol, (void **)&info))
635 *acc_granted = info->acc_granted;
637 *ppdisp_info = info->disp_info;
643 /*******************************************************************
645 ********************************************************************/
647 NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_QUERY_SEC_OBJ *r_u)
651 SEC_DESC * psd = NULL;
655 r_u->status = NT_STATUS_OK;
658 if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &pol_sid, &acc_granted, NULL))
659 return NT_STATUS_INVALID_HANDLE;
661 DEBUG(10,("_samr_query_sec_obj: querying security on SID: %s\n", sid_to_string(str_sid, &pol_sid)));
663 /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
665 /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
666 if (pol_sid.sid_rev_num == 0) {
667 DEBUG(5,("_samr_query_sec_obj: querying security on SAM\n"));
668 r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
669 } else if (sid_equal(&pol_sid,get_global_sam_sid())) {
670 /* check if it is our domain SID */
671 DEBUG(5,("_samr_query_sec_obj: querying security on Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
672 r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
673 } else if (sid_equal(&pol_sid,&global_sid_Builtin)) {
674 /* check if it is the Builtin Domain */
675 /* TODO: Builtin probably needs a different SD with restricted write access*/
676 DEBUG(5,("_samr_query_sec_obj: querying security on Builtin Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
677 r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
678 } else if (sid_check_is_in_our_domain(&pol_sid) ||
679 sid_check_is_in_builtin(&pol_sid)) {
680 /* TODO: different SDs have to be generated for aliases groups and users.
681 Currently all three get a default user SD */
682 DEBUG(10,("_samr_query_sec_obj: querying security on Object with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
683 r_u->status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &pol_sid, SAMR_USR_RIGHTS_WRITE_PW);
685 return NT_STATUS_OBJECT_TYPE_MISMATCH;
688 if ((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
689 return NT_STATUS_NO_MEMORY;
691 if (NT_STATUS_IS_OK(r_u->status))
697 /*******************************************************************
698 makes a SAM_ENTRY / UNISTR2* structure from a user list.
699 ********************************************************************/
701 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp,
702 UNISTR2 **uni_name_pp,
703 uint32 num_entries, uint32 start_idx,
704 struct samr_displayentry *entries)
713 if (num_entries == 0)
716 sam = TALLOC_ZERO_ARRAY(ctx, SAM_ENTRY, num_entries);
718 uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_entries);
720 if (sam == NULL || uni_name == NULL) {
721 DEBUG(0, ("make_user_sam_entry_list: talloc_zero failed!\n"));
722 return NT_STATUS_NO_MEMORY;
725 for (i = 0; i < num_entries; i++) {
726 UNISTR2 uni_temp_name;
728 * usrmgr expects a non-NULL terminated string with
729 * trust relationships
731 if (entries[i].acct_flags & ACB_DOMTRUST) {
732 init_unistr2(&uni_temp_name, entries[i].account_name,
735 init_unistr2(&uni_temp_name, entries[i].account_name,
739 init_sam_entry(&sam[i], &uni_temp_name, entries[i].rid);
740 copy_unistr2(&uni_name[i], &uni_temp_name);
744 *uni_name_pp = uni_name;
748 /*******************************************************************
749 samr_reply_enum_dom_users
750 ********************************************************************/
752 NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u,
753 SAMR_R_ENUM_DOM_USERS *r_u)
755 struct samr_info *info = NULL;
757 uint32 enum_context=q_u->start_idx;
758 enum remote_arch_types ra_type = get_remote_arch();
759 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
760 uint32 max_entries = max_sam_entries;
761 struct samr_displayentry *entries = NULL;
763 r_u->status = NT_STATUS_OK;
765 /* find the policy handle. open a policy on it. */
766 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
767 return NT_STATUS_INVALID_HANDLE;
769 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted,
770 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
771 "_samr_enum_dom_users"))) {
775 DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__));
781 if ((info->disp_info->enum_users != NULL) &&
782 (info->disp_info->enum_acb_mask != q_u->acb_mask)) {
783 pdb_search_destroy(info->disp_info->enum_users);
784 info->disp_info->enum_users = NULL;
787 if (info->disp_info->enum_users == NULL) {
788 info->disp_info->enum_users = pdb_search_users(q_u->acb_mask);
789 info->disp_info->enum_acb_mask = q_u->acb_mask;
792 if (info->disp_info->enum_users == NULL) {
793 /* END AS ROOT !!!! */
795 return NT_STATUS_ACCESS_DENIED;
798 num_account = pdb_search_entries(info->disp_info->enum_users,
799 enum_context, max_entries,
802 /* END AS ROOT !!!! */
806 if (num_account == 0) {
807 DEBUG(5, ("_samr_enum_dom_users: enumeration handle over "
812 r_u->status = make_user_sam_entry_list(p->mem_ctx, &r_u->sam,
814 num_account, enum_context,
817 if (!NT_STATUS_IS_OK(r_u->status))
820 if (max_entries <= num_account) {
821 r_u->status = STATUS_MORE_ENTRIES;
823 r_u->status = NT_STATUS_OK;
826 /* Ensure we cache this enumeration. */
827 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
829 DEBUG(5, ("_samr_enum_dom_users: %d\n", __LINE__));
831 init_samr_r_enum_dom_users(r_u, q_u->start_idx + num_account,
834 DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__));
839 /*******************************************************************
840 makes a SAM_ENTRY / UNISTR2* structure from a group list.
841 ********************************************************************/
843 static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp,
844 UNISTR2 **uni_name_pp,
845 uint32 num_sam_entries,
846 struct samr_displayentry *entries)
855 if (num_sam_entries == 0)
858 sam = TALLOC_ZERO_ARRAY(ctx, SAM_ENTRY, num_sam_entries);
859 uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_sam_entries);
861 if (sam == NULL || uni_name == NULL) {
862 DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n"));
866 for (i = 0; i < num_sam_entries; i++) {
868 * JRA. I think this should include the null. TNG does not.
870 init_unistr2(&uni_name[i], entries[i].account_name,
872 init_sam_entry(&sam[i], &uni_name[i], entries[i].rid);
876 *uni_name_pp = uni_name;
879 /*******************************************************************
880 samr_reply_enum_dom_groups
881 ********************************************************************/
883 NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_R_ENUM_DOM_GROUPS *r_u)
885 struct samr_info *info = NULL;
886 struct samr_displayentry *groups;
889 r_u->status = NT_STATUS_OK;
891 /* find the policy handle. open a policy on it. */
892 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
893 return NT_STATUS_INVALID_HANDLE;
895 r_u->status = access_check_samr_function(info->acc_granted,
896 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
897 "_samr_enum_dom_groups");
898 if (!NT_STATUS_IS_OK(r_u->status))
901 DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__));
903 /* the domain group array is being allocated in the function below */
907 if (info->disp_info->groups == NULL) {
908 info->disp_info->groups = pdb_search_groups();
910 if (info->disp_info->groups == NULL) {
912 return NT_STATUS_ACCESS_DENIED;
916 num_groups = pdb_search_entries(info->disp_info->groups, q_u->start_idx,
917 MAX_SAM_ENTRIES, &groups);
920 /* Ensure we cache this enumeration. */
921 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
923 make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name,
926 init_samr_r_enum_dom_groups(r_u, q_u->start_idx, num_groups);
928 DEBUG(5,("samr_enum_dom_groups: %d\n", __LINE__));
933 /*******************************************************************
934 samr_reply_enum_dom_aliases
935 ********************************************************************/
937 NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAMR_R_ENUM_DOM_ALIASES *r_u)
939 struct samr_info *info;
940 struct samr_displayentry *aliases;
941 struct pdb_search **search = NULL;
942 uint32 num_aliases = 0;
944 /* find the policy handle. open a policy on it. */
945 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
946 return NT_STATUS_INVALID_HANDLE;
948 r_u->status = access_check_samr_function(info->acc_granted,
949 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
950 "_samr_enum_dom_aliases");
951 if (!NT_STATUS_IS_OK(r_u->status))
954 DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n",
955 sid_string_static(&info->sid)));
957 if (sid_check_is_domain(&info->sid))
958 search = &info->disp_info->aliases;
959 if (sid_check_is_builtin(&info->sid))
960 search = &info->disp_info->builtins;
963 return NT_STATUS_INVALID_HANDLE;
967 if (*search == NULL) {
968 *search = pdb_search_aliases(&info->sid);
969 if (*search == NULL) {
971 return NT_STATUS_ACCESS_DENIED;
975 num_aliases = pdb_search_entries(*search, q_u->start_idx,
976 MAX_SAM_ENTRIES, &aliases);
979 /* Ensure we cache this enumeration. */
980 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
982 make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name,
983 num_aliases, aliases);
985 init_samr_r_enum_dom_aliases(r_u, q_u->start_idx + num_aliases,
988 DEBUG(5,("samr_enum_dom_aliases: %d\n", __LINE__));
993 /*******************************************************************
994 samr_reply_query_dispinfo
995 ********************************************************************/
997 NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u,
998 SAMR_R_QUERY_DISPINFO *r_u)
1000 struct samr_info *info = NULL;
1001 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1003 uint32 max_entries=q_u->max_entries;
1004 uint32 enum_context=q_u->start_idx;
1005 uint32 max_size=q_u->max_size;
1007 SAM_DISPINFO_CTR *ctr;
1008 uint32 temp_size=0, total_data_size=0;
1009 NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
1010 uint32 num_account = 0;
1011 enum remote_arch_types ra_type = get_remote_arch();
1012 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1013 struct samr_displayentry *entries = NULL;
1015 DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__));
1016 r_u->status = NT_STATUS_UNSUCCESSFUL;
1018 /* find the policy handle. open a policy on it. */
1019 if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info))
1020 return NT_STATUS_INVALID_HANDLE;
1023 * calculate how many entries we will return.
1025 * - the number of entries the client asked
1026 * - our limit on that
1027 * - the starting point (enumeration context)
1028 * - the buffer size the client will accept
1032 * We are a lot more like W2K. Instead of reading the SAM
1033 * each time to find the records we need to send back,
1034 * we read it once and link that copy to the sam handle.
1035 * For large user list (over the MAX_SAM_ENTRIES)
1036 * it's a definitive win.
1037 * second point to notice: between enumerations
1038 * our sam is now the same as it's a snapshoot.
1039 * third point: got rid of the static SAM_USER_21 struct
1040 * no more intermediate.
1041 * con: it uses much more memory, as a full copy is stored
1044 * If you want to change it, think twice and think
1045 * of the second point , that's really important.
1050 if ((q_u->switch_level < 1) || (q_u->switch_level > 5)) {
1051 DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n",
1052 (unsigned int)q_u->switch_level ));
1053 return NT_STATUS_INVALID_INFO_CLASS;
1056 /* first limit the number of entries we will return */
1057 if(max_entries > max_sam_entries) {
1058 DEBUG(5, ("samr_reply_query_dispinfo: client requested %d "
1059 "entries, limiting to %d\n", max_entries,
1061 max_entries = max_sam_entries;
1064 /* calculate the size and limit on the number of entries we will
1067 temp_size=max_entries*struct_size;
1069 if (temp_size>max_size) {
1070 max_entries=MIN((max_size/struct_size),max_entries);;
1071 DEBUG(5, ("samr_reply_query_dispinfo: buffer size limits to "
1072 "only %d entries\n", max_entries));
1075 if (!(ctr = TALLOC_ZERO_P(p->mem_ctx,SAM_DISPINFO_CTR)))
1076 return NT_STATUS_NO_MEMORY;
1082 /* THe following done as ROOT. Don't return without unbecome_root(). */
1084 switch (q_u->switch_level) {
1087 if (info->disp_info->users == NULL) {
1088 info->disp_info->users = pdb_search_users(ACB_NORMAL);
1089 if (info->disp_info->users == NULL) {
1091 return NT_STATUS_ACCESS_DENIED;
1093 DEBUG(10,("samr_reply_query_dispinfo: starting user enumeration at index %u\n",
1094 (unsigned int)enum_context ));
1096 DEBUG(10,("samr_reply_query_dispinfo: using cached user enumeration at index %u\n",
1097 (unsigned int)enum_context ));
1100 num_account = pdb_search_entries(info->disp_info->users,
1101 enum_context, max_entries,
1105 if (info->disp_info->machines == NULL) {
1106 info->disp_info->machines =
1107 pdb_search_users(ACB_WSTRUST|ACB_SVRTRUST);
1108 if (info->disp_info->machines == NULL) {
1110 return NT_STATUS_ACCESS_DENIED;
1112 DEBUG(10,("samr_reply_query_dispinfo: starting machine enumeration at index %u\n",
1113 (unsigned int)enum_context ));
1115 DEBUG(10,("samr_reply_query_dispinfo: using cached machine enumeration at index %u\n",
1116 (unsigned int)enum_context ));
1119 num_account = pdb_search_entries(info->disp_info->machines,
1120 enum_context, max_entries,
1125 if (info->disp_info->groups == NULL) {
1126 info->disp_info->groups = pdb_search_groups();
1127 if (info->disp_info->groups == NULL) {
1129 return NT_STATUS_ACCESS_DENIED;
1131 DEBUG(10,("samr_reply_query_dispinfo: starting group enumeration at index %u\n",
1132 (unsigned int)enum_context ));
1134 DEBUG(10,("samr_reply_query_dispinfo: using cached group enumeration at index %u\n",
1135 (unsigned int)enum_context ));
1138 num_account = pdb_search_entries(info->disp_info->groups,
1139 enum_context, max_entries,
1144 smb_panic("info class changed");
1149 /* Now create reply structure */
1150 switch (q_u->switch_level) {
1152 disp_ret = init_sam_dispinfo_1(p->mem_ctx, &ctr->sam.info1,
1153 num_account, enum_context,
1157 disp_ret = init_sam_dispinfo_2(p->mem_ctx, &ctr->sam.info2,
1158 num_account, enum_context,
1162 disp_ret = init_sam_dispinfo_3(p->mem_ctx, &ctr->sam.info3,
1163 num_account, enum_context,
1167 disp_ret = init_sam_dispinfo_4(p->mem_ctx, &ctr->sam.info4,
1168 num_account, enum_context,
1172 disp_ret = init_sam_dispinfo_5(p->mem_ctx, &ctr->sam.info5,
1173 num_account, enum_context,
1177 smb_panic("info class changed");
1181 if (!NT_STATUS_IS_OK(disp_ret))
1184 /* calculate the total size */
1185 total_data_size=num_account*struct_size;
1188 r_u->status = STATUS_MORE_ENTRIES;
1190 r_u->status = NT_STATUS_OK;
1193 /* Ensure we cache this enumeration. */
1194 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1196 DEBUG(5, ("_samr_query_dispinfo: %d\n", __LINE__));
1198 init_samr_r_query_dispinfo(r_u, num_account, total_data_size,
1199 temp_size, q_u->switch_level, ctr,
1206 /*******************************************************************
1207 samr_reply_query_aliasinfo
1208 ********************************************************************/
1210 NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_R_QUERY_ALIASINFO *r_u)
1213 struct acct_info info;
1217 r_u->status = NT_STATUS_OK;
1219 DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__));
1221 /* find the policy handle. open a policy on it. */
1222 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted, NULL))
1223 return NT_STATUS_INVALID_HANDLE;
1224 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_LOOKUP_INFO, "_samr_query_aliasinfo"))) {
1229 ret = pdb_get_aliasinfo(&sid, &info);
1233 return NT_STATUS_NO_SUCH_ALIAS;
1235 if ( !(r_u->ctr = TALLOC_ZERO_P( p->mem_ctx, ALIAS_INFO_CTR )) )
1236 return NT_STATUS_NO_MEMORY;
1239 switch (q_u->level ) {
1241 r_u->ctr->level = 1;
1242 init_samr_alias_info1(&r_u->ctr->alias.info1, info.acct_name, 1, info.acct_desc);
1245 r_u->ctr->level = 3;
1246 init_samr_alias_info3(&r_u->ctr->alias.info3, info.acct_desc);
1249 return NT_STATUS_INVALID_INFO_CLASS;
1252 DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__));
1258 /*******************************************************************
1259 samr_reply_lookup_ids
1260 ********************************************************************/
1262 uint32 _samr_lookup_ids(pipes_struct *p, SAMR_Q_LOOKUP_IDS *q_u, SAMR_R_LOOKUP_IDS *r_u)
1264 uint32 rid[MAX_SAM_ENTRIES];
1265 int num_rids = q_u->num_sids1;
1267 r_u->status = NT_STATUS_OK;
1269 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__));
1271 if (num_rids > MAX_SAM_ENTRIES) {
1272 num_rids = MAX_SAM_ENTRIES;
1273 DEBUG(5,("_samr_lookup_ids: truncating entries to %d\n", num_rids));
1278 SMB_ASSERT_ARRAY(q_u->uni_user_name, num_rids);
1280 for (i = 0; i < num_rids && status == 0; i++)
1282 struct sam_passwd *sam_pass;
1286 fstrcpy(user_name, unistrn2(q_u->uni_user_name[i].buffer,
1287 q_u->uni_user_name[i].uni_str_len));
1289 /* find the user account */
1291 sam_pass = get_smb21pwd_entry(user_name, 0);
1294 if (sam_pass == NULL)
1296 status = 0xC0000000 | NT_STATUS_NO_SUCH_USER;
1301 rid[i] = sam_pass->user_rid;
1307 rid[0] = BUILTIN_ALIAS_RID_USERS;
1309 init_samr_r_lookup_ids(&r_u, num_rids, rid, NT_STATUS_OK);
1311 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__));
1317 /*******************************************************************
1319 ********************************************************************/
1321 NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOKUP_NAMES *r_u)
1323 uint32 rid[MAX_SAM_ENTRIES];
1325 enum SID_NAME_USE type[MAX_SAM_ENTRIES];
1326 enum SID_NAME_USE local_type;
1328 int num_rids = q_u->num_names2;
1333 r_u->status = NT_STATUS_OK;
1335 DEBUG(5,("_samr_lookup_names: %d\n", __LINE__));
1340 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted, NULL)) {
1341 init_samr_r_lookup_names(p->mem_ctx, r_u, 0, NULL, NULL, NT_STATUS_OBJECT_TYPE_MISMATCH);
1345 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, 0, "_samr_lookup_names"))) { /* Don't know the acc_bits yet */
1349 if (num_rids > MAX_SAM_ENTRIES) {
1350 num_rids = MAX_SAM_ENTRIES;
1351 DEBUG(5,("_samr_lookup_names: truncating entries to %d\n", num_rids));
1354 DEBUG(5,("_samr_lookup_names: looking name on SID %s\n", sid_to_string(sid_str, &pol_sid)));
1356 for (i = 0; i < num_rids; i++) {
1361 r_u->status = NT_STATUS_NONE_MAPPED;
1363 rid [i] = 0xffffffff;
1364 type[i] = SID_NAME_UNKNOWN;
1366 ret = rpcstr_pull(name, q_u->uni_name[i].buffer, sizeof(name), q_u->uni_name[i].uni_str_len*2, 0);
1369 * we are only looking for a name
1370 * the SID we get back can be outside
1371 * the scope of the pol_sid
1373 * in clear: it prevents to reply to domain\group: yes
1374 * when only builtin\group exists.
1376 * a cleaner code is to add the sid of the domain we're looking in
1377 * to the local_lookup_name function.
1380 if ((ret > 0) && local_lookup_name(name, &sid, &local_type)) {
1381 sid_split_rid(&sid, &local_rid);
1383 if (sid_equal(&sid, &pol_sid)) {
1386 /* Windows does not return WKN_GRP here, even
1387 * on lookups in builtin */
1388 type[i] = (local_type == SID_NAME_WKN_GRP) ?
1389 SID_NAME_ALIAS : local_type;
1391 r_u->status = NT_STATUS_OK;
1396 init_samr_r_lookup_names(p->mem_ctx, r_u, num_rids, rid, (uint32 *)type, r_u->status);
1398 DEBUG(5,("_samr_lookup_names: %d\n", __LINE__));
1403 /*******************************************************************
1404 _samr_chgpasswd_user
1405 ********************************************************************/
1407 NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_CHGPASSWD_USER *r_u)
1412 DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__));
1414 r_u->status = NT_STATUS_OK;
1416 rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0);
1417 rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len*2,0);
1419 DEBUG(5,("samr_chgpasswd_user: user: %s wks: %s\n", user_name, wks));
1422 * Pass the user through the NT -> unix user mapping
1426 (void)map_username(user_name);
1429 * UNIX username case mangling not required, pass_oem_change
1430 * is case insensitive.
1433 r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash,
1434 q_u->nt_newpass.pass, q_u->nt_oldhash.hash);
1436 init_samr_r_chgpasswd_user(r_u, r_u->status);
1438 DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__));
1443 /*******************************************************************
1444 makes a SAMR_R_LOOKUP_RIDS structure.
1445 ********************************************************************/
1447 static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
1448 const char **names, UNIHDR **pp_hdr_name,
1449 UNISTR2 **pp_uni_name)
1452 UNIHDR *hdr_name=NULL;
1453 UNISTR2 *uni_name=NULL;
1455 *pp_uni_name = NULL;
1456 *pp_hdr_name = NULL;
1458 if (num_names != 0) {
1459 hdr_name = TALLOC_ZERO_ARRAY(ctx, UNIHDR, num_names);
1460 if (hdr_name == NULL)
1463 uni_name = TALLOC_ZERO_ARRAY(ctx,UNISTR2, num_names);
1464 if (uni_name == NULL)
1468 for (i = 0; i < num_names; i++) {
1469 DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : ""));
1470 init_unistr2(&uni_name[i], names[i], UNI_FLAGS_NONE);
1471 init_uni_hdr(&hdr_name[i], &uni_name[i]);
1474 *pp_uni_name = uni_name;
1475 *pp_hdr_name = hdr_name;
1480 /*******************************************************************
1482 ********************************************************************/
1484 NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP_RIDS *r_u)
1487 uint32 *attrs = NULL;
1488 UNIHDR *hdr_name = NULL;
1489 UNISTR2 *uni_name = NULL;
1491 int num_rids = q_u->num_rids1;
1494 r_u->status = NT_STATUS_OK;
1496 DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__));
1498 /* find the policy handle. open a policy on it. */
1499 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted, NULL))
1500 return NT_STATUS_INVALID_HANDLE;
1502 if (num_rids > 1000) {
1503 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
1504 "to samba4 idl this is not possible\n", num_rids));
1505 return NT_STATUS_UNSUCCESSFUL;
1508 names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
1509 attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
1511 if ((num_rids != 0) && ((names == NULL) || (attrs == NULL)))
1512 return NT_STATUS_NO_MEMORY;
1514 if (!sid_equal(&pol_sid, get_global_sam_sid())) {
1515 /* TODO: Sooner or later we need to look up BUILTIN rids as
1520 become_root(); /* lookup_sid can require root privs */
1521 r_u->status = pdb_lookup_rids(p->mem_ctx, &pol_sid, num_rids, q_u->rid,
1527 if(!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
1528 &hdr_name, &uni_name))
1529 return NT_STATUS_NO_MEMORY;
1531 init_samr_r_lookup_rids(r_u, num_rids, hdr_name, uni_name, attrs);
1533 DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__));
1538 /*******************************************************************
1539 _samr_open_user. Safe - gives out no passwd info.
1540 ********************************************************************/
1542 NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USER *r_u)
1544 SAM_ACCOUNT *sampass=NULL;
1546 POLICY_HND domain_pol = q_u->domain_pol;
1547 POLICY_HND *user_pol = &r_u->user_pol;
1548 struct samr_info *info = NULL;
1549 SEC_DESC *psd = NULL;
1551 uint32 des_access = q_u->access_mask;
1557 r_u->status = NT_STATUS_OK;
1559 /* find the domain policy handle and get domain SID / access bits in the domain policy. */
1561 if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) )
1562 return NT_STATUS_INVALID_HANDLE;
1564 nt_status = access_check_samr_function( acc_granted,
1565 SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_user" );
1567 if ( !NT_STATUS_IS_OK(nt_status) )
1570 nt_status = pdb_init_sam_talloc(p->mem_ctx, &sampass);
1572 if (!NT_STATUS_IS_OK(nt_status))
1575 /* append the user's RID to it */
1577 if (!sid_append_rid(&sid, q_u->user_rid))
1578 return NT_STATUS_NO_SUCH_USER;
1580 /* check if access can be granted as requested by client. */
1582 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
1583 se_map_generic(&des_access, &usr_generic_mapping);
1585 se_priv_copy( &se_rights, &se_machine_account );
1586 se_priv_add( &se_rights, &se_add_users );
1588 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
1589 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
1590 &acc_granted, "_samr_open_user");
1592 if ( !NT_STATUS_IS_OK(nt_status) )
1596 ret=pdb_getsampwsid(sampass, &sid);
1599 /* check that the SID exists in our domain. */
1601 return NT_STATUS_NO_SUCH_USER;
1604 pdb_free_sam(&sampass);
1606 /* associate the user's SID and access bits with the new handle. */
1607 if ((info = get_samr_info_by_sid(&sid)) == NULL)
1608 return NT_STATUS_NO_MEMORY;
1609 info->acc_granted = acc_granted;
1611 /* get a (unique) handle. open a policy on it. */
1612 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info))
1613 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1618 /*************************************************************************
1619 get_user_info_7. Safe. Only gives out account_name.
1620 *************************************************************************/
1622 static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx, SAM_USER_INFO_7 *id7, DOM_SID *user_sid)
1624 SAM_ACCOUNT *smbpass=NULL;
1628 nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass);
1630 if (!NT_STATUS_IS_OK(nt_status)) {
1635 ret = pdb_getsampwsid(smbpass, user_sid);
1639 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1640 return NT_STATUS_NO_SUCH_USER;
1643 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
1646 init_sam_user_info7(id7, pdb_get_username(smbpass) );
1648 pdb_free_sam(&smbpass);
1650 return NT_STATUS_OK;
1652 /*************************************************************************
1653 get_user_info_16. Safe. Only gives out acb bits.
1654 *************************************************************************/
1656 static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx, SAM_USER_INFO_16 *id16, DOM_SID *user_sid)
1658 SAM_ACCOUNT *smbpass=NULL;
1662 nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass);
1664 if (!NT_STATUS_IS_OK(nt_status)) {
1669 ret = pdb_getsampwsid(smbpass, user_sid);
1673 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1674 return NT_STATUS_NO_SUCH_USER;
1677 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
1680 init_sam_user_info16(id16, pdb_get_acct_ctrl(smbpass) );
1682 pdb_free_sam(&smbpass);
1684 return NT_STATUS_OK;
1687 /*************************************************************************
1688 get_user_info_18. OK - this is the killer as it gives out password info.
1689 Ensure that this is only allowed on an encrypted connection with a root
1691 *************************************************************************/
1693 static NTSTATUS get_user_info_18(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_INFO_18 * id18, DOM_SID *user_sid)
1695 SAM_ACCOUNT *smbpass=NULL;
1699 if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
1700 return NT_STATUS_ACCESS_DENIED;
1703 if (p->auth.auth_level != PIPE_AUTH_LEVEL_PRIVACY) {
1704 return NT_STATUS_ACCESS_DENIED;
1708 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
1711 nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass);
1713 if (!NT_STATUS_IS_OK(nt_status)) {
1717 ret = pdb_getsampwsid(smbpass, user_sid);
1720 DEBUG(4, ("User %s not found\n", sid_string_static(user_sid)));
1721 pdb_free_sam(&smbpass);
1722 return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
1725 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
1727 if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
1728 pdb_free_sam(&smbpass);
1729 return NT_STATUS_ACCOUNT_DISABLED;
1733 init_sam_user_info18(id18, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass));
1735 pdb_free_sam(&smbpass);
1737 return NT_STATUS_OK;
1740 /*************************************************************************
1742 *************************************************************************/
1744 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DOM_SID *user_sid)
1746 SAM_ACCOUNT *sampass=NULL;
1749 pdb_init_sam_talloc(mem_ctx, &sampass);
1752 ret = pdb_getsampwsid(sampass, user_sid);
1756 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1757 return NT_STATUS_NO_SUCH_USER;
1760 samr_clear_sam_passwd(sampass);
1762 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
1765 init_sam_user_info20A(id20, sampass);
1767 pdb_free_sam(&sampass);
1769 return NT_STATUS_OK;
1772 /*************************************************************************
1774 *************************************************************************/
1776 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21,
1777 DOM_SID *user_sid, DOM_SID *domain_sid)
1779 SAM_ACCOUNT *sampass=NULL;
1783 nt_status = pdb_init_sam_talloc(mem_ctx, &sampass);
1784 if (!NT_STATUS_IS_OK(nt_status)) {
1789 ret = pdb_getsampwsid(sampass, user_sid);
1793 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1794 return NT_STATUS_NO_SUCH_USER;
1797 samr_clear_sam_passwd(sampass);
1799 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
1802 nt_status = init_sam_user_info21A(id21, sampass, domain_sid);
1804 pdb_free_sam(&sampass);
1806 return NT_STATUS_OK;
1809 /*******************************************************************
1810 _samr_query_userinfo
1811 ********************************************************************/
1813 NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_QUERY_USERINFO *r_u)
1815 SAM_USERINFO_CTR *ctr;
1816 struct samr_info *info = NULL;
1820 r_u->status=NT_STATUS_OK;
1822 /* search for the handle */
1823 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
1824 return NT_STATUS_INVALID_HANDLE;
1826 domain_sid = info->sid;
1828 sid_split_rid(&domain_sid, &rid);
1830 if (!sid_check_is_in_our_domain(&info->sid))
1831 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1833 DEBUG(5,("_samr_query_userinfo: sid:%s\n", sid_string_static(&info->sid)));
1835 ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_USERINFO_CTR);
1837 return NT_STATUS_NO_MEMORY;
1841 /* ok! user info levels (lots: see MSDEV help), off we go... */
1842 ctr->switch_value = q_u->switch_value;
1844 switch (q_u->switch_value) {
1846 ctr->info.id7 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_7);
1847 if (ctr->info.id7 == NULL)
1848 return NT_STATUS_NO_MEMORY;
1850 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_7(p->mem_ctx, ctr->info.id7, &info->sid)))
1854 ctr->info.id16 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_16);
1855 if (ctr->info.id16 == NULL)
1856 return NT_STATUS_NO_MEMORY;
1858 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_16(p->mem_ctx, ctr->info.id16, &info->sid)))
1863 /* whoops - got this wrong. i think. or don't understand what's happening. */
1867 info = (void *)&id11;
1869 expire.low = 0xffffffff;
1870 expire.high = 0x7fffffff;
1872 ctr->info.id = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_17));
1873 ZERO_STRUCTP(ctr->info.id17);
1874 init_sam_user_info17(ctr->info.id17, &expire,
1875 "BROOKFIELDS$", /* name */
1876 0x03ef, /* user rid */
1877 0x201, /* group rid */
1878 0x0080); /* acb info */
1885 ctr->info.id18 = TALLOC_ZERO_P(p->mem_ctx, SAM_USER_INFO_18);
1886 if (ctr->info.id18 == NULL)
1887 return NT_STATUS_NO_MEMORY;
1889 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_18(p, p->mem_ctx, ctr->info.id18, &info->sid)))
1894 ctr->info.id20 = TALLOC_ZERO_P(p->mem_ctx,SAM_USER_INFO_20);
1895 if (ctr->info.id20 == NULL)
1896 return NT_STATUS_NO_MEMORY;
1897 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_20(p->mem_ctx, ctr->info.id20, &info->sid)))
1902 ctr->info.id21 = TALLOC_ZERO_P(p->mem_ctx,SAM_USER_INFO_21);
1903 if (ctr->info.id21 == NULL)
1904 return NT_STATUS_NO_MEMORY;
1905 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_21(p->mem_ctx, ctr->info.id21,
1906 &info->sid, &domain_sid)))
1911 return NT_STATUS_INVALID_INFO_CLASS;
1914 init_samr_r_query_userinfo(r_u, ctr, r_u->status);
1916 DEBUG(5,("_samr_query_userinfo: %d\n", __LINE__));
1921 /*******************************************************************
1922 samr_reply_query_usergroups
1923 ********************************************************************/
1925 NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u)
1927 SAM_ACCOUNT *sam_pass=NULL;
1928 struct passwd *passwd;
1931 DOM_GID *gids = NULL;
1932 size_t num_groups = 0;
1940 * from the SID in the request:
1941 * we should send back the list of DOMAIN GROUPS
1942 * the user is a member of
1944 * and only the DOMAIN GROUPS
1945 * no ALIASES !!! neither aliases of the domain
1946 * nor aliases of the builtin SID
1951 r_u->status = NT_STATUS_OK;
1953 DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__));
1955 /* find the policy handle. open a policy on it. */
1956 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted, NULL))
1957 return NT_STATUS_INVALID_HANDLE;
1959 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_USER_GET_GROUPS, "_samr_query_usergroups"))) {
1963 if (!sid_check_is_in_our_domain(&sid))
1964 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1966 pdb_init_sam(&sam_pass);
1969 ret = pdb_getsampwsid(sam_pass, &sid);
1973 pdb_free_sam(&sam_pass);
1974 return NT_STATUS_NO_SUCH_USER;
1977 passwd = getpwnam_alloc(pdb_get_username(sam_pass));
1978 if (passwd == NULL) {
1979 pdb_free_sam(&sam_pass);
1980 return NT_STATUS_NO_SUCH_USER;
1986 result = pdb_enum_group_memberships(pdb_get_username(sam_pass),
1988 &sids, &unix_gids, &num_groups);
1991 pdb_free_sam(&sam_pass);
1992 passwd_free(&passwd);
1994 if (!NT_STATUS_IS_OK(result))
1997 SAFE_FREE(unix_gids);
2002 for (i=0; i<num_groups; i++) {
2005 if (!sid_peek_check_rid(get_global_sam_sid(),
2009 gids = TALLOC_REALLOC_ARRAY(p->mem_ctx, gids, DOM_GID, num_gids+1);
2010 gids[num_gids].attr= (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_ENABLED);
2011 gids[num_gids].g_rid = rid;
2016 /* construct the response. lkclXXXX: gids are not copied! */
2017 init_samr_r_query_usergroups(r_u, num_groups, gids, r_u->status);
2019 DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__));
2024 /*******************************************************************
2025 _samr_query_dom_info
2026 ********************************************************************/
2028 NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR_R_QUERY_DOMAIN_INFO *r_u)
2030 struct samr_info *info = NULL;
2032 uint32 min_pass_len,pass_hist,flag;
2033 time_t u_expire, u_min_age;
2034 NTTIME nt_expire, nt_min_age;
2036 time_t u_lock_duration, u_reset_time;
2037 NTTIME nt_lock_duration, nt_reset_time;
2042 uint32 account_policy_temp;
2047 uint32 num_users=0, num_groups=0, num_aliases=0;
2049 if ((ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_CTR)) == NULL) {
2050 return NT_STATUS_NO_MEMORY;
2055 r_u->status = NT_STATUS_OK;
2057 DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__));
2059 /* find the policy handle. open a policy on it. */
2060 if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info)) {
2061 return NT_STATUS_INVALID_HANDLE;
2064 switch (q_u->switch_value) {
2071 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
2072 min_pass_len = account_policy_temp;
2074 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
2075 pass_hist = account_policy_temp;
2077 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
2078 flag = account_policy_temp;
2080 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
2081 u_expire = account_policy_temp;
2083 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
2084 u_min_age = account_policy_temp;
2090 unix_to_nt_time_abs(&nt_expire, u_expire);
2091 unix_to_nt_time_abs(&nt_min_age, u_min_age);
2093 init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist,
2094 flag, nt_expire, nt_min_age);
2102 num_users=count_sam_users(info->disp_info,
2104 num_groups=count_sam_groups(info->disp_info);
2106 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
2107 u_logout = account_policy_temp;
2109 unix_to_nt_time_abs(&nt_logout, u_logout);
2111 if (!pdb_get_seq_num(&seq_num))
2112 seq_num = time(NULL);
2118 server_role = ROLE_DOMAIN_PDC;
2119 if (lp_server_role() == ROLE_DOMAIN_BDC)
2120 server_role = ROLE_DOMAIN_BDC;
2122 init_unk_info2(&ctr->info.inf2, lp_serverstring(), lp_workgroup(), global_myname(), seq_num,
2123 num_users, num_groups, num_aliases, nt_logout, server_role);
2131 pdb_get_account_policy(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout);
2137 unix_to_nt_time_abs(&nt_logout, u_logout);
2139 init_unk_info3(&ctr->info.inf3, nt_logout);
2142 init_unk_info5(&ctr->info.inf5, global_myname());
2145 init_unk_info6(&ctr->info.inf6);
2148 server_role = ROLE_DOMAIN_PDC;
2149 if (lp_server_role() == ROLE_DOMAIN_BDC)
2150 server_role = ROLE_DOMAIN_BDC;
2152 init_unk_info7(&ctr->info.inf7, server_role);
2160 if (!pdb_get_seq_num(&seq_num)) {
2161 seq_num = time(NULL);
2168 init_unk_info8(&ctr->info.inf8, (uint32) seq_num);
2176 pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
2177 u_lock_duration = account_policy_temp;
2178 if (u_lock_duration != -1) {
2179 u_lock_duration *= 60;
2182 pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
2183 u_reset_time = account_policy_temp * 60;
2185 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
2186 lockout = account_policy_temp;
2192 unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
2193 unix_to_nt_time_abs(&nt_reset_time, u_reset_time);
2195 init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout);
2198 return NT_STATUS_INVALID_INFO_CLASS;
2202 init_samr_r_query_dom_info(r_u, q_u->switch_value, ctr, NT_STATUS_OK);
2204 DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__));
2209 /*******************************************************************
2211 Create an account, can be either a normal user or a machine.
2212 This funcion will need to be updated for bdc/domain trusts.
2213 ********************************************************************/
2215 NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREATE_USER *r_u)
2217 SAM_ACCOUNT *sam_pass=NULL;
2221 POLICY_HND dom_pol = q_u->domain_pol;
2222 UNISTR2 user_account = q_u->uni_name;
2223 uint16 acb_info = q_u->acb_info;
2224 POLICY_HND *user_pol = &r_u->user_pol;
2225 struct samr_info *info = NULL;
2233 /* check this, when giving away 'add computer to domain' privs */
2234 uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
2235 BOOL can_add_account = False;
2237 DISP_INFO *disp_info = NULL;
2239 /* Get the domain SID stored in the domain policy */
2240 if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted, &disp_info))
2241 return NT_STATUS_INVALID_HANDLE;
2243 if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_USER, "_samr_create_user"))) {
2247 if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST || acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
2248 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
2249 this parameter is not an account type */
2250 return NT_STATUS_INVALID_PARAMETER;
2253 rpcstr_pull(account, user_account.buffer, sizeof(account), user_account.uni_str_len*2, 0);
2254 strlower_m(account);
2256 pdb_init_sam(&sam_pass);
2259 ret = pdb_getsampwnam(sam_pass, account);
2262 /* this account exists: say so */
2263 pdb_free_sam(&sam_pass);
2264 return NT_STATUS_USER_EXISTS;
2267 pdb_free_sam(&sam_pass);
2269 /*********************************************************************
2270 * HEADS UP! If we have to create a new user account, we have to get
2271 * a new RID from somewhere. This used to be done by the passdb
2272 * backend. It has been moved into idmap now. Since idmap is now
2273 * wrapped up behind winbind, this means you have to run winbindd if you
2274 * want new accounts to get a new RID when "enable rid algorithm = no".
2275 * Tough. We now have a uniform way of allocating RIDs regardless
2276 * of what ever passdb backend people may use.
2277 * --jerry (2003-07-10)
2278 *********************************************************************/
2280 pw = Get_Pwnam(account);
2282 /* determine which user right we need to check based on the acb_info */
2284 if ( acb_info & ACB_WSTRUST )
2286 pstrcpy(add_script, lp_addmachine_script());
2287 se_priv_copy( &se_rights, &se_machine_account );
2288 can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
2290 /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
2291 account for domain trusts and changes the ACB flags later */
2292 else if ( acb_info & ACB_NORMAL && (account[strlen(account)-1] != '$') )
2294 pstrcpy(add_script, lp_adduser_script());
2295 se_priv_copy( &se_rights, &se_add_users );
2296 can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
2298 else /* implicit assumption of a BDC or domain trust account here (we already check the flags earlier) */
2300 pstrcpy(add_script, lp_addmachine_script());
2301 if ( lp_enable_privileges() ) {
2302 /* only Domain Admins can add a BDC or domain trust */
2303 se_priv_copy( &se_rights, &se_priv_none );
2304 can_add_account = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
2308 DEBUG(5, ("_samr_create_user: %s can add this account : %s\n",
2309 p->pipe_user_name, can_add_account ? "True":"False" ));
2311 /********** BEGIN Admin BLOCK **********/
2313 if ( can_add_account )
2320 all_string_sub(add_script, "%u", account, sizeof(add_script));
2321 add_ret = smbrun(add_script,NULL);
2322 DEBUG(add_ret ? 0 : 3,("_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret));
2326 /* implicit call to getpwnam() next. we have a valid SID coming out of this call */
2328 flush_pwnam_cache();
2329 nt_status = pdb_init_sam_new(&sam_pass, account, new_rid);
2331 /* this code is order such that we have no unnecessary retuns
2332 out of the admin block of code */
2334 if ( NT_STATUS_IS_OK(nt_status) ) {
2335 pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
2337 if ( !(ret = pdb_add_sam_account(sam_pass)) ) {
2338 pdb_free_sam(&sam_pass);
2339 DEBUG(0, ("could not add user/computer %s to passdb. Check permissions?\n",
2341 nt_status = NT_STATUS_ACCESS_DENIED;
2345 if ( can_add_account )
2348 /********** END Admin BLOCK **********/
2350 /* now check for failure */
2352 if ( !NT_STATUS_IS_OK(nt_status) )
2355 /* Get the user's SID */
2357 sid_copy(&sid, pdb_get_user_sid(sam_pass));
2359 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
2360 se_map_generic(&des_access, &usr_generic_mapping);
2362 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2363 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
2364 &acc_granted, "_samr_create_user");
2366 if ( !NT_STATUS_IS_OK(nt_status) ) {
2370 /* associate the user's SID with the new handle. */
2371 if ((info = get_samr_info_by_sid(&sid)) == NULL) {
2372 pdb_free_sam(&sam_pass);
2373 return NT_STATUS_NO_MEMORY;
2378 info->acc_granted = acc_granted;
2380 /* get a (unique) handle. open a policy on it. */
2381 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) {
2382 pdb_free_sam(&sam_pass);
2383 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2386 /* After a "set" ensure we have no cached display info. */
2387 force_flush_samr_cache(info->disp_info);
2389 r_u->user_rid=pdb_get_user_rid(sam_pass);
2391 r_u->access_granted = acc_granted;
2393 pdb_free_sam(&sam_pass);
2395 return NT_STATUS_OK;
2398 /*******************************************************************
2399 samr_reply_connect_anon
2400 ********************************************************************/
2402 NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CONNECT_ANON *r_u)
2404 struct samr_info *info = NULL;
2405 uint32 des_access = q_u->access_mask;
2409 if (!pipe_access_check(p)) {
2410 DEBUG(3, ("access denied to samr_connect_anon\n"));
2411 r_u->status = NT_STATUS_ACCESS_DENIED;
2415 /* set up the SAMR connect_anon response */
2417 r_u->status = NT_STATUS_OK;
2419 /* associate the user's SID with the new handle. */
2420 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2421 return NT_STATUS_NO_MEMORY;
2423 /* don't give away the farm but this is probably ok. The SA_RIGHT_SAM_ENUM_DOMAINS
2424 was observed from a win98 client trying to enumerate users (when configured
2425 user level access control on shares) --jerry */
2427 se_map_generic( &des_access, &sam_generic_mapping );
2428 info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN);
2430 info->status = q_u->unknown_0;
2432 /* get a (unique) handle. open a policy on it. */
2433 if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info))
2434 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2439 /*******************************************************************
2441 ********************************************************************/
2443 NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u)
2445 struct samr_info *info = NULL;
2446 SEC_DESC *psd = NULL;
2448 uint32 des_access = q_u->access_mask;
2453 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2457 if (!pipe_access_check(p)) {
2458 DEBUG(3, ("access denied to samr_connect\n"));
2459 r_u->status = NT_STATUS_ACCESS_DENIED;
2463 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
2464 se_map_generic(&des_access, &sam_generic_mapping);
2466 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2467 NULL, 0, des_access, &acc_granted, "_samr_connect");
2469 if ( !NT_STATUS_IS_OK(nt_status) )
2472 r_u->status = NT_STATUS_OK;
2474 /* associate the user's SID and access granted with the new handle. */
2475 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2476 return NT_STATUS_NO_MEMORY;
2478 info->acc_granted = acc_granted;
2479 info->status = q_u->access_mask;
2481 /* get a (unique) handle. open a policy on it. */
2482 if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info))
2483 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2485 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2490 /*******************************************************************
2492 ********************************************************************/
2494 NTSTATUS _samr_connect4(pipes_struct *p, SAMR_Q_CONNECT4 *q_u, SAMR_R_CONNECT4 *r_u)
2496 struct samr_info *info = NULL;
2497 SEC_DESC *psd = NULL;
2499 uint32 des_access = q_u->access_mask;
2504 DEBUG(5,("_samr_connect4: %d\n", __LINE__));
2508 if (!pipe_access_check(p)) {
2509 DEBUG(3, ("access denied to samr_connect4\n"));
2510 r_u->status = NT_STATUS_ACCESS_DENIED;
2514 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
2515 se_map_generic(&des_access, &sam_generic_mapping);
2517 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2518 NULL, 0, des_access, &acc_granted, "_samr_connect4");
2520 if ( !NT_STATUS_IS_OK(nt_status) )
2523 r_u->status = NT_STATUS_OK;
2525 /* associate the user's SID and access granted with the new handle. */
2526 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2527 return NT_STATUS_NO_MEMORY;
2529 info->acc_granted = acc_granted;
2530 info->status = q_u->access_mask;
2532 /* get a (unique) handle. open a policy on it. */
2533 if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info))
2534 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2536 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2541 /*******************************************************************
2543 ********************************************************************/
2545 NTSTATUS _samr_connect5(pipes_struct *p, SAMR_Q_CONNECT5 *q_u, SAMR_R_CONNECT5 *r_u)
2547 struct samr_info *info = NULL;
2548 SEC_DESC *psd = NULL;
2550 uint32 des_access = q_u->access_mask;
2556 DEBUG(5,("_samr_connect5: %d\n", __LINE__));
2562 if (!pipe_access_check(p)) {
2563 DEBUG(3, ("access denied to samr_connect5\n"));
2564 r_u->status = NT_STATUS_ACCESS_DENIED;
2568 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
2569 se_map_generic(&des_access, &sam_generic_mapping);
2571 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2572 NULL, 0, des_access, &acc_granted, "_samr_connect5");
2574 if ( !NT_STATUS_IS_OK(nt_status) )
2577 /* associate the user's SID and access granted with the new handle. */
2578 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2579 return NT_STATUS_NO_MEMORY;
2581 info->acc_granted = acc_granted;
2582 info->status = q_u->access_mask;
2584 /* get a (unique) handle. open a policy on it. */
2585 if (!create_policy_hnd(p, &pol, free_samr_info, (void *)info))
2586 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2588 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2590 init_samr_r_connect5(r_u, &pol, NT_STATUS_OK);
2595 /**********************************************************************
2596 api_samr_lookup_domain
2597 **********************************************************************/
2599 NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_LOOKUP_DOMAIN *r_u)
2601 struct samr_info *info;
2602 fstring domain_name;
2605 r_u->status = NT_STATUS_OK;
2607 if (!find_policy_by_hnd(p, &q_u->connect_pol, (void**)&info))
2608 return NT_STATUS_INVALID_HANDLE;
2610 /* win9x user manager likes to use SA_RIGHT_SAM_ENUM_DOMAINS here.
2611 Reverted that change so we will work with RAS servers again */
2613 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted,
2614 SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_lookup_domain")))
2619 rpcstr_pull(domain_name, q_u->uni_domain.buffer, sizeof(domain_name), q_u->uni_domain.uni_str_len*2, 0);
2623 if (!secrets_fetch_domain_sid(domain_name, &sid)) {
2624 r_u->status = NT_STATUS_NO_SUCH_DOMAIN;
2627 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name, sid_string_static(&sid)));
2629 init_samr_r_lookup_domain(r_u, &sid, r_u->status);
2634 /******************************************************************
2635 makes a SAMR_R_ENUM_DOMAINS structure.
2636 ********************************************************************/
2638 static BOOL make_enum_domains(TALLOC_CTX *ctx, SAM_ENTRY **pp_sam,
2639 UNISTR2 **pp_uni_name, uint32 num_sam_entries, fstring doms[])
2645 DEBUG(5, ("make_enum_domains\n"));
2648 *pp_uni_name = NULL;
2650 if (num_sam_entries == 0)
2653 sam = TALLOC_ZERO_ARRAY(ctx, SAM_ENTRY, num_sam_entries);
2654 uni_name = TALLOC_ZERO_ARRAY(ctx, UNISTR2, num_sam_entries);
2656 if (sam == NULL || uni_name == NULL)
2659 for (i = 0; i < num_sam_entries; i++) {
2660 init_unistr2(&uni_name[i], doms[i], UNI_FLAGS_NONE);
2661 init_sam_entry(&sam[i], &uni_name[i], 0);
2665 *pp_uni_name = uni_name;
2670 /**********************************************************************
2671 api_samr_enum_domains
2672 **********************************************************************/
2674 NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_ENUM_DOMAINS *r_u)
2676 struct samr_info *info;
2677 uint32 num_entries = 2;
2681 r_u->status = NT_STATUS_OK;
2683 if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info))
2684 return NT_STATUS_INVALID_HANDLE;
2686 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_enum_domains"))) {
2690 name = get_global_sam_name();
2692 fstrcpy(dom[0],name);
2694 fstrcpy(dom[1],"Builtin");
2696 if (!make_enum_domains(p->mem_ctx, &r_u->sam, &r_u->uni_dom_name, num_entries, dom))
2697 return NT_STATUS_NO_MEMORY;
2699 init_samr_r_enum_domains(r_u, q_u->start_idx + num_entries, num_entries);
2704 /*******************************************************************
2706 ********************************************************************/
2708 NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_ALIAS *r_u)
2711 POLICY_HND domain_pol = q_u->dom_pol;
2712 uint32 alias_rid = q_u->rid_alias;
2713 POLICY_HND *alias_pol = &r_u->pol;
2714 struct samr_info *info = NULL;
2715 SEC_DESC *psd = NULL;
2717 uint32 des_access = q_u->access_mask;
2722 r_u->status = NT_STATUS_OK;
2724 /* find the domain policy and get the SID / access bits stored in the domain policy */
2726 if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) )
2727 return NT_STATUS_INVALID_HANDLE;
2729 status = access_check_samr_function(acc_granted,
2730 SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_alias");
2732 if ( !NT_STATUS_IS_OK(status) )
2735 /* append the alias' RID to it */
2737 if (!sid_append_rid(&sid, alias_rid))
2738 return NT_STATUS_NO_SUCH_USER;
2740 /*check if access can be granted as requested by client. */
2742 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
2743 se_map_generic(&des_access,&ali_generic_mapping);
2745 se_priv_copy( &se_rights, &se_add_users );
2748 status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2749 &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access,
2750 &acc_granted, "_samr_open_alias");
2752 if ( !NT_STATUS_IS_OK(status) )
2756 * we should check if the rid really exist !!!
2760 /* associate the user's SID with the new handle. */
2761 if ((info = get_samr_info_by_sid(&sid)) == NULL)
2762 return NT_STATUS_NO_MEMORY;
2764 info->acc_granted = acc_granted;
2766 /* get a (unique) handle. open a policy on it. */
2767 if (!create_policy_hnd(p, alias_pol, free_samr_info, (void *)info))
2768 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2773 /*******************************************************************
2775 ********************************************************************/
2776 static NTSTATUS set_user_info_7(const SAM_USER_INFO_7 *id7, SAM_ACCOUNT *pwd)
2779 SAM_ACCOUNT *check_acct = NULL;
2784 DEBUG(5, ("set_user_info_7: NULL id7\n"));
2786 return NT_STATUS_ACCESS_DENIED;
2789 if(!rpcstr_pull(new_name, id7->uni_name.buffer, sizeof(new_name), id7->uni_name.uni_str_len*2, 0)) {
2790 DEBUG(5, ("set_user_info_7: failed to get new username\n"));
2792 return NT_STATUS_ACCESS_DENIED;
2795 /* check to see if the new username already exists. Note: we can't
2796 reliably lock all backends, so there is potentially the
2797 possibility that a user can be created in between this check and
2798 the rename. The rename should fail, but may not get the
2799 exact same failure status code. I think this is small enough
2800 of a window for this type of operation and the results are
2801 simply that the rename fails with a slightly different status
2802 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
2804 pdb_init_sam(&check_acct);
2805 check_rc = pdb_getsampwnam(check_acct, new_name);
2806 pdb_free_sam(&check_acct);
2808 if (check_rc == True) {
2809 /* this account exists: say so */
2810 return NT_STATUS_USER_EXISTS;
2813 rc = pdb_rename_sam_account(pwd, new_name);
2819 /*******************************************************************
2821 ********************************************************************/
2823 static BOOL set_user_info_16(const SAM_USER_INFO_16 *id16, SAM_ACCOUNT *pwd)
2826 DEBUG(5, ("set_user_info_16: NULL id16\n"));
2831 /* FIX ME: check if the value is really changed --metze */
2832 if (!pdb_set_acct_ctrl(pwd, id16->acb_info, PDB_CHANGED)) {
2837 if(!pdb_update_sam_account(pwd)) {
2847 /*******************************************************************
2849 ********************************************************************/
2851 static BOOL set_user_info_18(SAM_USER_INFO_18 *id18, SAM_ACCOUNT *pwd)
2855 DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
2860 if (!pdb_set_lanman_passwd (pwd, id18->lm_pwd, PDB_CHANGED)) {
2864 if (!pdb_set_nt_passwd (pwd, id18->nt_pwd, PDB_CHANGED)) {
2868 if (!pdb_set_pass_changed_now (pwd)) {
2873 if(!pdb_update_sam_account(pwd)) {
2882 /*******************************************************************
2883 The GROUPSID field in the SAM_ACCOUNT changed. Try to tell unix.
2884 ********************************************************************/
2885 static BOOL set_unix_primary_group(SAM_ACCOUNT *sampass)
2890 if (!NT_STATUS_IS_OK(sid_to_gid(pdb_get_group_sid(sampass),
2892 DEBUG(2,("Could not get gid for primary group of "
2893 "user %s\n", pdb_get_username(sampass)));
2897 grp = getgrgid(gid);
2900 DEBUG(2,("Could not find primary group %lu for "
2901 "user %s\n", (unsigned long)gid,
2902 pdb_get_username(sampass)));
2906 if (smb_set_primary_group(grp->gr_name,
2907 pdb_get_username(sampass)) != 0) {
2908 DEBUG(2,("Could not set primary group for user %s to "
2910 pdb_get_username(sampass), grp->gr_name));
2918 /*******************************************************************
2920 ********************************************************************/
2922 static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, SAM_ACCOUNT *pwd)
2925 DEBUG(5, ("set_user_info_20: NULL id20\n"));
2929 copy_id20_to_sam_passwd(pwd, id20);
2931 /* write the change out */
2932 if(!pdb_update_sam_account(pwd)) {
2941 /*******************************************************************
2943 ********************************************************************/
2945 static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, SAM_ACCOUNT *pwd)
2949 DEBUG(5, ("set_user_info_21: NULL id21\n"));
2953 copy_id21_to_sam_passwd(pwd, id21);
2956 * The funny part about the previous two calls is
2957 * that pwd still has the password hashes from the
2958 * passdb entry. These have not been updated from
2959 * id21. I don't know if they need to be set. --jerry
2962 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID))
2963 set_unix_primary_group(pwd);
2965 /* write the change out */
2966 if(!pdb_update_sam_account(pwd)) {
2976 /*******************************************************************
2978 ********************************************************************/
2980 static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, SAM_ACCOUNT *pwd)
2982 pstring plaintext_buf;
2987 DEBUG(5, ("set_user_info_23: NULL id23\n"));
2991 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
2992 pdb_get_username(pwd)));
2994 acct_ctrl = pdb_get_acct_ctrl(pwd);
2996 if (!decode_pw_buffer(id23->pass, plaintext_buf, 256, &len, STR_UNICODE)) {
3001 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
3006 copy_id23_to_sam_passwd(pwd, id23);
3008 /* if it's a trust account, don't update /etc/passwd */
3009 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
3010 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
3011 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
3012 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
3014 /* update the UNIX password */
3015 if (lp_unix_password_sync() ) {
3016 struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd));
3018 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
3021 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
3028 ZERO_STRUCT(plaintext_buf);
3030 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID))
3031 set_unix_primary_group(pwd);
3033 if(!pdb_update_sam_account(pwd)) {
3043 /*******************************************************************
3045 ********************************************************************/
3047 static BOOL set_user_info_pw(uint8 *pass, SAM_ACCOUNT *pwd)
3050 pstring plaintext_buf;
3053 DEBUG(5, ("Attempting administrator password change for user %s\n",
3054 pdb_get_username(pwd)));
3056 acct_ctrl = pdb_get_acct_ctrl(pwd);
3058 ZERO_STRUCT(plaintext_buf);
3060 if (!decode_pw_buffer(pass, plaintext_buf, 256, &len, STR_UNICODE)) {
3065 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
3070 /* if it's a trust account, don't update /etc/passwd */
3071 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
3072 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
3073 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
3074 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
3076 /* update the UNIX password */
3077 if (lp_unix_password_sync()) {
3078 struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd));
3080 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
3083 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
3090 ZERO_STRUCT(plaintext_buf);
3092 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
3094 /* update the SAMBA password */
3095 if(!pdb_update_sam_account(pwd)) {
3105 /*******************************************************************
3106 samr_reply_set_userinfo
3107 ********************************************************************/
3109 NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_USERINFO *r_u)
3111 SAM_ACCOUNT *pwd = NULL;
3113 POLICY_HND *pol = &q_u->pol;
3114 uint16 switch_value = q_u->switch_value;
3115 SAM_USERINFO_CTR *ctr = q_u->ctr;
3117 uint32 acc_required;
3119 BOOL has_enough_rights = False;
3121 DISP_INFO *disp_info = NULL;
3123 DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__));
3125 r_u->status = NT_STATUS_OK;
3127 /* find the policy handle. open a policy on it. */
3128 if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info))
3129 return NT_STATUS_INVALID_HANDLE;
3131 /* observed when joining an XP client to a Samba domain */
3133 acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY;
3135 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) {
3139 DEBUG(5, ("_samr_set_userinfo: sid:%s, level:%d\n", sid_string_static(&sid), switch_value));
3142 DEBUG(5, ("_samr_set_userinfo: NULL info level\n"));
3143 return NT_STATUS_INVALID_INFO_CLASS;
3149 ret = pdb_getsampwsid(pwd, &sid);
3154 return NT_STATUS_NO_SUCH_USER;
3157 /* deal with machine password changes differently from userinfo changes */
3158 /* check to see if we have the sufficient rights */
3160 acb_info = pdb_get_acct_ctrl(pwd);
3161 if ( acb_info & ACB_WSTRUST )
3162 has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account);
3163 else if ( acb_info & ACB_NORMAL )
3164 has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
3165 else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) ) {
3166 if ( lp_enable_privileges() )
3167 has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
3170 DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n",
3171 p->pipe_user_name, has_enough_rights ? "" : " not"));
3173 /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
3175 if ( has_enough_rights )
3178 /* ok! user info levels (lots: see MSDEV help), off we go... */
3180 switch (switch_value) {
3182 if (!set_user_info_18(ctr->info.id18, pwd))
3183 r_u->status = NT_STATUS_ACCESS_DENIED;
3187 if (!p->session_key.length) {
3188 r_u->status = NT_STATUS_NO_USER_SESSION_KEY;
3190 SamOEMhashBlob(ctr->info.id24->pass, 516, &p->session_key);
3192 dump_data(100, (char *)ctr->info.id24->pass, 516);
3194 if (!set_user_info_pw(ctr->info.id24->pass, pwd))
3195 r_u->status = NT_STATUS_ACCESS_DENIED;
3201 * Currently we don't really know how to unmarshall
3202 * the level 25 struct, and the password encryption
3203 * is different. This is a placeholder for when we
3204 * do understand it. In the meantime just return INVALID
3205 * info level and W2K SP2 drops down to level 23... JRA.
3208 if (!p->session_key.length) {
3209 r_u->status = NT_STATUS_NO_USER_SESSION_KEY;
3211 SamOEMhashBlob(ctr->info.id25->pass, 532, &p->session_key);
3213 dump_data(100, (char *)ctr->info.id25->pass, 532);
3215 if (!set_user_info_pw(ctr->info.id25->pass, &sid))
3216 r_u->status = NT_STATUS_ACCESS_DENIED;
3219 r_u->status = NT_STATUS_INVALID_INFO_CLASS;
3223 if (!p->session_key.length) {
3224 r_u->status = NT_STATUS_NO_USER_SESSION_KEY;
3226 SamOEMhashBlob(ctr->info.id23->pass, 516, &p->session_key);
3228 dump_data(100, (char *)ctr->info.id23->pass, 516);
3230 if (!set_user_info_23(ctr->info.id23, pwd))
3231 r_u->status = NT_STATUS_ACCESS_DENIED;
3235 r_u->status = NT_STATUS_INVALID_INFO_CLASS;
3239 if ( has_enough_rights )
3242 /* ================ END SeMachineAccountPrivilege BLOCK ================ */
3244 if (NT_STATUS_IS_OK(r_u->status)) {
3245 force_flush_samr_cache(disp_info);
3251 /*******************************************************************
3252 samr_reply_set_userinfo2
3253 ********************************************************************/
3255 NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SET_USERINFO2 *r_u)
3257 SAM_ACCOUNT *pwd = NULL;
3259 SAM_USERINFO_CTR *ctr = q_u->ctr;
3260 POLICY_HND *pol = &q_u->pol;
3261 uint16 switch_value = q_u->switch_value;
3263 uint32 acc_required;
3265 BOOL has_enough_rights = False;
3267 DISP_INFO *disp_info = NULL;
3269 DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__));
3271 r_u->status = NT_STATUS_OK;
3273 /* find the policy handle. open a policy on it. */
3274 if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info))
3275 return NT_STATUS_INVALID_HANDLE;
3277 /* observed when joining XP client to Samba domain */
3279 acc_required = SA_RIGHT_USER_SET_PASSWORD | SA_RIGHT_USER_SET_ATTRIBUTES | SA_RIGHT_USER_ACCT_FLAGS_EXPIRY;
3281 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo2"))) {
3285 DEBUG(5, ("samr_reply_set_userinfo2: sid:%s\n", sid_string_static(&sid)));
3288 DEBUG(5, ("samr_reply_set_userinfo2: NULL info level\n"));
3289 return NT_STATUS_INVALID_INFO_CLASS;
3292 switch_value=ctr->switch_value;
3297 ret = pdb_getsampwsid(pwd, &sid);
3302 return NT_STATUS_NO_SUCH_USER;
3305 acb_info = pdb_get_acct_ctrl(pwd);
3306 if ( acb_info & ACB_WSTRUST )
3307 has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account);
3308 else if ( acb_info & ACB_NORMAL )
3309 has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
3310 else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) ) {
3311 if ( lp_enable_privileges() )
3312 has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
3315 DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n",
3316 p->pipe_user_name, has_enough_rights ? "" : " not"));
3318 /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
3320 if ( has_enough_rights )
3323 /* ok! user info levels (lots: see MSDEV help), off we go... */
3325 switch (switch_value) {
3327 r_u->status = set_user_info_7(ctr->info.id7, pwd);
3330 if (!set_user_info_16(ctr->info.id16, pwd))
3331 r_u->status = NT_STATUS_ACCESS_DENIED;
3334 /* Used by AS/U JRA. */
3335 if (!set_user_info_18(ctr->info.id18, pwd))
3336 r_u->status = NT_STATUS_ACCESS_DENIED;
3339 if (!set_user_info_20(ctr->info.id20, pwd))
3340 r_u->status = NT_STATUS_ACCESS_DENIED;
3343 if (!set_user_info_21(ctr->info.id21, pwd))
3344 return NT_STATUS_ACCESS_DENIED;
3347 r_u->status = NT_STATUS_INVALID_INFO_CLASS;
3350 if ( has_enough_rights )
3353 /* ================ END SeMachineAccountPrivilege BLOCK ================ */
3355 if (NT_STATUS_IS_OK(r_u->status)) {
3356 force_flush_samr_cache(disp_info);
3362 /*********************************************************************
3363 _samr_query_aliasmem
3364 *********************************************************************/
3366 NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u)
3368 size_t num_alias_rids;
3370 struct samr_info *info = NULL;
3379 r_u->status = NT_STATUS_OK;
3381 DEBUG(5,("_samr_query_useraliases: %d\n", __LINE__));
3383 /* find the policy handle. open a policy on it. */
3384 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
3385 return NT_STATUS_INVALID_HANDLE;
3387 ntstatus1 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases");
3388 ntstatus2 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_query_useraliases");
3390 if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
3391 if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
3392 !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {
3393 return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1;
3397 if (!sid_check_is_domain(&info->sid) &&
3398 !sid_check_is_builtin(&info->sid))
3399 return NT_STATUS_OBJECT_TYPE_MISMATCH;
3401 members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, q_u->num_sids1);
3403 if (members == NULL)
3404 return NT_STATUS_NO_MEMORY;
3406 for (i=0; i<q_u->num_sids1; i++)
3407 sid_copy(&members[i], &q_u->sid[i].sid);
3413 res = pdb_enum_alias_memberships(p->mem_ctx, &info->sid, members,
3415 &alias_rids, &num_alias_rids);
3419 return NT_STATUS_UNSUCCESSFUL;
3421 init_samr_r_query_useraliases(r_u, num_alias_rids, alias_rids,
3423 return NT_STATUS_OK;
3426 /*********************************************************************
3427 _samr_query_aliasmem
3428 *********************************************************************/
3430 NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_QUERY_ALIASMEM *r_u)
3433 size_t num_sids = 0;
3441 /* find the policy handle. open a policy on it. */
3442 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, NULL))
3443 return NT_STATUS_INVALID_HANDLE;
3445 if (!NT_STATUS_IS_OK(r_u->status =
3446 access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_GET_MEMBERS, "_samr_query_aliasmem"))) {
3450 DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid)));
3452 if (!pdb_enum_aliasmem(&alias_sid, &sids, &num_sids))
3453 return NT_STATUS_NO_SUCH_ALIAS;
3455 sid = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_SID2, num_sids);
3456 if (num_sids!=0 && sid == NULL) {
3458 return NT_STATUS_NO_MEMORY;
3461 for (i = 0; i < num_sids; i++) {
3462 init_dom_sid2(&sid[i], &sids[i]);
3465 init_samr_r_query_aliasmem(r_u, num_sids, sid, NT_STATUS_OK);
3469 return NT_STATUS_OK;
3472 static void add_uid_to_array_unique(uid_t uid, uid_t **uids, int *num)
3476 for (i=0; i<*num; i++) {
3477 if ((*uids)[i] == uid)
3481 *uids = SMB_REALLOC_ARRAY(*uids, uid_t, *num+1);
3486 (*uids)[*num] = uid;
3491 static BOOL get_memberuids(gid_t gid, uid_t **uids, int *num)
3495 struct sys_pwent *userlist, *user;
3500 /* We only look at our own sam, so don't care about imported stuff */
3504 if ((grp = getgrgid(gid)) == NULL) {
3509 /* Primary group members */
3511 userlist = getpwent_list();
3513 for (user = userlist; user != NULL; user = user->next) {
3514 if (user->pw_gid != gid)
3516 add_uid_to_array_unique(user->pw_uid, uids, num);
3519 pwent_free(userlist);
3521 /* Secondary group members */
3523 for (gr = grp->gr_mem; (*gr != NULL) && ((*gr)[0] != '\0'); gr += 1) {
3524 struct passwd *pw = getpwnam(*gr);
3528 add_uid_to_array_unique(pw->pw_uid, uids, num);
3536 /*********************************************************************
3537 _samr_query_groupmem
3538 *********************************************************************/
3540 NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u)
3543 fstring group_sid_str;
3544 size_t i, num_members;
3553 /* find the policy handle. open a policy on it. */
3554 if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted, NULL))
3555 return NT_STATUS_INVALID_HANDLE;
3557 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_GET_MEMBERS, "_samr_query_groupmem"))) {
3561 sid_to_string(group_sid_str, &group_sid);
3562 DEBUG(10, ("sid is %s\n", group_sid_str));
3564 if (!sid_check_is_in_our_domain(&group_sid)) {
3565 DEBUG(3, ("sid %s is not in our domain\n", group_sid_str));
3566 return NT_STATUS_NO_SUCH_GROUP;
3569 DEBUG(10, ("lookup on Domain SID\n"));
3572 result = pdb_enum_group_members(p->mem_ctx, &group_sid,
3573 &rid, &num_members);
3576 if (!NT_STATUS_IS_OK(result))
3579 attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members);
3581 if ((num_members!=0) && (rid==NULL))
3582 return NT_STATUS_NO_MEMORY;
3584 for (i=0; i<num_members; i++)
3585 attr[i] = SID_NAME_USER;
3587 init_samr_r_query_groupmem(r_u, num_members, rid, attr, NT_STATUS_OK);
3589 return NT_STATUS_OK;
3592 /*********************************************************************
3594 *********************************************************************/
3596 NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_ADD_ALIASMEM *r_u)
3601 BOOL can_add_accounts;
3603 DISP_INFO *disp_info = NULL;
3605 /* Find the policy handle. Open a policy on it. */
3606 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, &disp_info))
3607 return NT_STATUS_INVALID_HANDLE;
3609 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_ADD_MEMBER, "_samr_add_aliasmem"))) {
3613 DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid)));
3615 se_priv_copy( &se_rights, &se_add_users );
3616 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
3618 /******** BEGIN SeAddUsers BLOCK *********/
3620 if ( can_add_accounts )
3623 ret = pdb_add_aliasmem(&alias_sid, &q_u->sid.sid);
3625 if ( can_add_accounts )
3628 /******** END SeAddUsers BLOCK *********/
3631 force_flush_samr_cache(disp_info);
3634 return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
3637 /*********************************************************************
3639 *********************************************************************/
3641 NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DEL_ALIASMEM *r_u)
3646 BOOL can_add_accounts;
3648 DISP_INFO *disp_info = NULL;
3650 /* Find the policy handle. Open a policy on it. */
3651 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, &disp_info))
3652 return NT_STATUS_INVALID_HANDLE;
3654 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_REMOVE_MEMBER, "_samr_del_aliasmem"))) {
3658 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
3659 sid_string_static(&alias_sid)));
3661 se_priv_copy( &se_rights, &se_add_users );
3662 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
3664 /******** BEGIN SeAddUsers BLOCK *********/
3666 if ( can_add_accounts )
3669 ret = pdb_del_aliasmem(&alias_sid, &q_u->sid.sid);
3671 if ( can_add_accounts )
3674 /******** END SeAddUsers BLOCK *********/
3677 force_flush_samr_cache(disp_info);
3680 return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
3683 /*********************************************************************
3685 *********************************************************************/
3687 NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_ADD_GROUPMEM *r_u)
3691 fstring group_sid_str;
3698 SAM_ACCOUNT *sam_user=NULL;
3702 BOOL can_add_accounts;
3703 DISP_INFO *disp_info = NULL;
3705 /* Find the policy handle. Open a policy on it. */
3706 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, &disp_info))
3707 return NT_STATUS_INVALID_HANDLE;
3709 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_ADD_MEMBER, "_samr_add_groupmem"))) {
3713 sid_to_string(group_sid_str, &group_sid);
3714 DEBUG(10, ("sid is %s\n", group_sid_str));
3716 if (sid_compare(&group_sid, get_global_sam_sid())<=0)
3717 return NT_STATUS_NO_SUCH_GROUP;
3719 DEBUG(10, ("lookup on Domain SID\n"));
3721 if(!get_domain_group_from_sid(group_sid, &map))
3722 return NT_STATUS_NO_SUCH_GROUP;
3724 sid_copy(&user_sid, get_global_sam_sid());
3725 sid_append_rid(&user_sid, q_u->rid);
3727 ret = pdb_init_sam(&sam_user);
3728 if (!NT_STATUS_IS_OK(ret))
3731 check = pdb_getsampwsid(sam_user, &user_sid);
3733 if (check != True) {
3734 pdb_free_sam(&sam_user);
3735 return NT_STATUS_NO_SUCH_USER;
3738 /* check a real user exist before we run the script to add a user to a group */
3739 if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) {
3740 pdb_free_sam(&sam_user);
3741 return NT_STATUS_NO_SUCH_USER;
3744 pdb_free_sam(&sam_user);
3746 if ((pwd=getpwuid_alloc(uid)) == NULL) {
3747 return NT_STATUS_NO_SUCH_USER;
3750 if ((grp=getgrgid(map.gid)) == NULL) {
3752 return NT_STATUS_NO_SUCH_GROUP;
3755 /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */
3756 fstrcpy(grp_name, grp->gr_name);
3758 /* if the user is already in the group */
3759 if(user_in_unix_group_list(pwd->pw_name, grp_name)) {
3761 return NT_STATUS_MEMBER_IN_GROUP;
3764 se_priv_copy( &se_rights, &se_add_users );
3765 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
3767 /******** BEGIN SeAddUsers BLOCK *********/
3769 if ( can_add_accounts )
3773 * ok, the group exist, the user exist, the user is not in the group,
3775 * we can (finally) add it to the group !
3778 smb_add_user_group(grp_name, pwd->pw_name);
3780 if ( can_add_accounts )
3783 /******** END SeAddUsers BLOCK *********/
3785 /* check if the user has been added then ... */
3786 if(!user_in_unix_group_list(pwd->pw_name, grp_name)) {
3788 return NT_STATUS_MEMBER_NOT_IN_GROUP; /* don't know what to reply else */
3793 force_flush_samr_cache(disp_info);
3795 return NT_STATUS_OK;
3798 /*********************************************************************
3800 *********************************************************************/
3802 NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DEL_GROUPMEM *r_u)
3806 SAM_ACCOUNT *sam_pass=NULL;
3812 BOOL can_add_accounts;
3813 DISP_INFO *disp_info = NULL;
3816 * delete the group member named q_u->rid
3817 * who is a member of the sid associated with the handle
3818 * the rid is a user's rid as the group is a domain group.
3821 /* Find the policy handle. Open a policy on it. */
3822 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, &disp_info))
3823 return NT_STATUS_INVALID_HANDLE;
3825 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_REMOVE_MEMBER, "_samr_del_groupmem"))) {
3829 if (!sid_check_is_in_our_domain(&group_sid))
3830 return NT_STATUS_NO_SUCH_GROUP;
3832 sid_copy(&user_sid, get_global_sam_sid());
3833 sid_append_rid(&user_sid, q_u->rid);
3835 if (!get_domain_group_from_sid(group_sid, &map))
3836 return NT_STATUS_NO_SUCH_GROUP;
3838 if ((grp=getgrgid(map.gid)) == NULL)
3839 return NT_STATUS_NO_SUCH_GROUP;
3841 /* we need to copy the name otherwise it's overloaded in user_in_group_list */
3842 fstrcpy(grp_name, grp->gr_name);
3844 /* check if the user exists before trying to remove it from the group */
3845 pdb_init_sam(&sam_pass);
3846 if (!pdb_getsampwsid(sam_pass, &user_sid)) {
3847 DEBUG(5,("User %s doesn't exist.\n", pdb_get_username(sam_pass)));
3848 pdb_free_sam(&sam_pass);
3849 return NT_STATUS_NO_SUCH_USER;
3852 /* if the user is not in the group */
3853 if (!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
3854 pdb_free_sam(&sam_pass);
3855 return NT_STATUS_MEMBER_NOT_IN_GROUP;
3859 se_priv_copy( &se_rights, &se_add_users );
3860 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
3862 /******** BEGIN SeAddUsers BLOCK *********/
3864 if ( can_add_accounts )
3867 smb_delete_user_group(grp_name, pdb_get_username(sam_pass));
3869 if ( can_add_accounts )
3872 /******** END SeAddUsers BLOCK *********/
3874 /* check if the user has been removed then ... */
3875 if (user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
3876 pdb_free_sam(&sam_pass);
3877 return NT_STATUS_ACCESS_DENIED; /* don't know what to reply else */
3880 pdb_free_sam(&sam_pass);
3882 force_flush_samr_cache(disp_info);
3884 return NT_STATUS_OK;
3888 /****************************************************************************
3889 Delete a UNIX user on demand.
3890 ****************************************************************************/
3892 static int smb_delete_user(const char *unix_user)
3897 pstrcpy(del_script, lp_deluser_script());
3900 all_string_sub(del_script, "%u", unix_user, sizeof(del_script));
3901 ret = smbrun(del_script,NULL);
3902 flush_pwnam_cache();
3903 DEBUG(ret ? 0 : 3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret));
3908 /*********************************************************************
3909 _samr_delete_dom_user
3910 *********************************************************************/
3912 NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAMR_R_DELETE_DOM_USER *r_u )
3915 SAM_ACCOUNT *sam_pass=NULL;
3917 BOOL can_add_accounts;
3919 DISP_INFO *disp_info = NULL;
3921 DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__));
3923 /* Find the policy handle. Open a policy on it. */
3924 if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &user_sid, &acc_granted, &disp_info))
3925 return NT_STATUS_INVALID_HANDLE;
3927 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_user"))) {
3931 if (!sid_check_is_in_our_domain(&user_sid))
3932 return NT_STATUS_CANNOT_DELETE;
3934 /* check if the user exists before trying to delete */
3935 pdb_init_sam(&sam_pass);
3936 if(!pdb_getsampwsid(sam_pass, &user_sid)) {
3937 DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n",
3938 sid_string_static(&user_sid)));
3939 pdb_free_sam(&sam_pass);
3940 return NT_STATUS_NO_SUCH_USER;
3943 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
3945 /******** BEGIN SeAddUsers BLOCK *********/
3947 if ( can_add_accounts )
3950 /* First delete the samba side....
3951 code is order to prevent unnecessary returns out of the admin
3954 if ( (ret = pdb_delete_sam_account(sam_pass)) == True ) {
3956 * Now delete the unix side ....
3957 * note: we don't check if the delete really happened
3958 * as the script is not necessary present
3959 * and maybe the sysadmin doesn't want to delete the unix side
3961 smb_delete_user( pdb_get_username(sam_pass) );
3964 if ( can_add_accounts )
3967 /******** END SeAddUsers BLOCK *********/
3970 DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", pdb_get_username(sam_pass)));
3971 pdb_free_sam(&sam_pass);
3972 return NT_STATUS_CANNOT_DELETE;
3976 pdb_free_sam(&sam_pass);
3978 if (!close_policy_hnd(p, &q_u->user_pol))
3979 return NT_STATUS_OBJECT_NAME_INVALID;
3981 force_flush_samr_cache(disp_info);
3983 return NT_STATUS_OK;
3986 /*********************************************************************
3987 _samr_delete_dom_group
3988 *********************************************************************/
3990 NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, SAMR_R_DELETE_DOM_GROUP *r_u)
3995 fstring group_sid_str;
4001 BOOL can_add_accounts;
4003 DISP_INFO *disp_info = NULL;
4005 DEBUG(5, ("samr_delete_dom_group: %d\n", __LINE__));
4007 /* Find the policy handle. Open a policy on it. */
4008 if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted, &disp_info))
4009 return NT_STATUS_INVALID_HANDLE;
4011 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_group"))) {
4015 sid_copy(&dom_sid, &group_sid);
4016 sid_to_string(group_sid_str, &dom_sid);
4017 sid_split_rid(&dom_sid, &group_rid);
4019 DEBUG(10, ("sid is %s\n", group_sid_str));
4021 /* we check if it's our SID before deleting */
4022 if (!sid_equal(&dom_sid, get_global_sam_sid()))
4023 return NT_STATUS_NO_SUCH_GROUP;
4025 DEBUG(10, ("lookup on Domain SID\n"));
4027 if(!get_domain_group_from_sid(group_sid, &map))
4028 return NT_STATUS_NO_SUCH_GROUP;
4032 /* check if group really exists */
4033 if ( (grp=getgrgid(gid)) == NULL)
4034 return NT_STATUS_NO_SUCH_GROUP;
4036 se_priv_copy( &se_rights, &se_add_users );
4037 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4039 /******** BEGIN SeAddUsers BLOCK *********/
4041 if ( can_add_accounts )
4044 /* delete mapping first */
4046 if ( (ret = pdb_delete_group_mapping_entry(group_sid)) == True ) {
4047 smb_delete_group( grp->gr_name );
4050 if ( can_add_accounts )
4053 /******** END SeAddUsers BLOCK *********/
4056 DEBUG(5,("_samr_delete_dom_group: Failed to delete mapping entry for group %s.\n",
4058 return NT_STATUS_ACCESS_DENIED;
4061 /* don't check that the unix group has been deleted. Work like
4062 _samr_delet_dom_user() */
4064 if (!close_policy_hnd(p, &q_u->group_pol))
4065 return NT_STATUS_OBJECT_NAME_INVALID;
4067 force_flush_samr_cache(disp_info);
4069 return NT_STATUS_OK;
4072 /*********************************************************************
4073 _samr_delete_dom_alias
4074 *********************************************************************/
4076 NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, SAMR_R_DELETE_DOM_ALIAS *r_u)
4081 BOOL can_add_accounts;
4083 DISP_INFO *disp_info = NULL;
4085 DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__));
4087 /* Find the policy handle. Open a policy on it. */
4088 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted, &disp_info))
4089 return NT_STATUS_INVALID_HANDLE;
4091 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_alias"))) {
4095 DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid)));
4097 if (!sid_check_is_in_our_domain(&alias_sid))
4098 return NT_STATUS_NO_SUCH_ALIAS;
4100 DEBUG(10, ("lookup on Local SID\n"));
4102 se_priv_copy( &se_rights, &se_add_users );
4103 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4105 /******** BEGIN SeAddUsers BLOCK *********/
4107 if ( can_add_accounts )
4110 /* Have passdb delete the alias */
4111 ret = pdb_delete_alias(&alias_sid);
4113 if ( can_add_accounts )
4116 /******** END SeAddUsers BLOCK *********/
4119 return NT_STATUS_ACCESS_DENIED;
4121 if (!close_policy_hnd(p, &q_u->alias_pol))
4122 return NT_STATUS_OBJECT_NAME_INVALID;
4124 force_flush_samr_cache(disp_info);
4126 return NT_STATUS_OK;
4129 /*********************************************************************
4130 _samr_create_dom_group
4131 *********************************************************************/
4133 NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, SAMR_R_CREATE_DOM_GROUP *r_u)
4140 struct samr_info *info;
4144 BOOL can_add_accounts;
4146 DISP_INFO *disp_info = NULL;
4148 /* Find the policy handle. Open a policy on it. */
4149 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid, &acc_granted, &disp_info))
4150 return NT_STATUS_INVALID_HANDLE;
4152 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_GROUP, "_samr_create_dom_group"))) {
4156 if (!sid_equal(&dom_sid, get_global_sam_sid()))
4157 return NT_STATUS_ACCESS_DENIED;
4159 unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1);
4161 /* check if group already exist */
4162 if ((grp=getgrnam(name)) != NULL)
4163 return NT_STATUS_GROUP_EXISTS;
4165 se_priv_copy( &se_rights, &se_add_users );
4166 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4168 /******** BEGIN SeAddUsers BLOCK *********/
4170 if ( can_add_accounts )
4173 /* check that we successfully create the UNIX group */
4175 result = NT_STATUS_ACCESS_DENIED;
4176 if ( (smb_create_group(name, &gid) == 0) && ((grp=getgrgid(gid)) != NULL) ) {
4178 /* so far, so good */
4180 result = NT_STATUS_OK;
4182 r_u->rid = pdb_gid_to_group_rid( grp->gr_gid );
4184 /* add the group to the mapping table */
4186 sid_copy( &info_sid, get_global_sam_sid() );
4187 sid_append_rid( &info_sid, r_u->rid );
4188 sid_to_string( sid_string, &info_sid );
4190 /* reset the error code if we fail to add the mapping entry */
4192 if ( !add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL) )
4193 result = NT_STATUS_ACCESS_DENIED;
4196 if ( can_add_accounts )
4199 /******** END SeAddUsers BLOCK *********/
4201 /* check if we should bail out here */
4203 if ( !NT_STATUS_IS_OK(result) )
4206 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
4207 return NT_STATUS_NO_MEMORY;
4210 /* they created it; let the user do what he wants with it */
4212 info->acc_granted = GENERIC_RIGHTS_GROUP_ALL_ACCESS;
4214 /* get a (unique) handle. open a policy on it. */
4215 if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info))
4216 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
4218 force_flush_samr_cache(disp_info);
4220 return NT_STATUS_OK;
4223 /*********************************************************************
4224 _samr_create_dom_alias
4225 *********************************************************************/
4227 NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, SAMR_R_CREATE_DOM_ALIAS *r_u)
4232 struct samr_info *info;
4237 BOOL can_add_accounts;
4238 DISP_INFO *disp_info = NULL;
4240 /* Find the policy handle. Open a policy on it. */
4241 if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted, &disp_info))
4242 return NT_STATUS_INVALID_HANDLE;
4244 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_ALIAS, "_samr_create_alias"))) {
4248 if (!sid_equal(&dom_sid, get_global_sam_sid()))
4249 return NT_STATUS_ACCESS_DENIED;
4251 unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1);
4253 se_priv_copy( &se_rights, &se_add_users );
4254 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4256 /******** BEGIN SeAddUsers BLOCK *********/
4258 if ( can_add_accounts )
4261 /* Have passdb create the alias */
4262 result = pdb_create_alias(name, &r_u->rid);
4264 if ( can_add_accounts )
4267 /******** END SeAddUsers BLOCK *********/
4269 if (!NT_STATUS_IS_OK(result))
4272 sid_copy(&info_sid, get_global_sam_sid());
4273 sid_append_rid(&info_sid, r_u->rid);
4275 if (!NT_STATUS_IS_OK(sid_to_gid(&info_sid, &gid)))
4276 return NT_STATUS_ACCESS_DENIED;
4278 /* check if the group has been successfully created */
4279 if ( getgrgid(gid) == NULL )
4280 return NT_STATUS_ACCESS_DENIED;
4282 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
4283 return NT_STATUS_NO_MEMORY;
4285 /* they created it; let the user do what he wants with it */
4287 info->acc_granted = GENERIC_RIGHTS_ALIAS_ALL_ACCESS;
4289 /* get a (unique) handle. open a policy on it. */
4290 if (!create_policy_hnd(p, &r_u->alias_pol, free_samr_info, (void *)info))
4291 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
4293 force_flush_samr_cache(disp_info);
4295 return NT_STATUS_OK;
4298 /*********************************************************************
4299 _samr_query_groupinfo
4301 sends the name/comment pair of a domain group
4302 level 1 send also the number of users of that group
4303 *********************************************************************/
4305 NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_R_QUERY_GROUPINFO *r_u)
4312 GROUP_INFO_CTR *ctr;
4316 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, NULL))
4317 return NT_STATUS_INVALID_HANDLE;
4319 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_LOOKUP_INFO, "_samr_query_groupinfo"))) {
4324 ret = get_domain_group_from_sid(group_sid, &map);
4327 return NT_STATUS_INVALID_HANDLE;
4329 ctr=TALLOC_ZERO_P(p->mem_ctx, GROUP_INFO_CTR);
4331 return NT_STATUS_NO_MEMORY;
4333 switch (q_u->switch_level) {
4335 ctr->switch_value1 = 1;
4336 if(!get_memberuids(map.gid, &uids, &num))
4337 return NT_STATUS_NO_SUCH_GROUP;
4339 init_samr_group_info1(&ctr->group.info1, map.nt_name, map.comment, num);
4343 ctr->switch_value1 = 3;
4344 init_samr_group_info3(&ctr->group.info3);
4347 ctr->switch_value1 = 4;
4348 init_samr_group_info4(&ctr->group.info4, map.comment);
4351 return NT_STATUS_INVALID_INFO_CLASS;
4354 init_samr_r_query_groupinfo(r_u, ctr, NT_STATUS_OK);
4356 return NT_STATUS_OK;
4359 /*********************************************************************
4362 update a domain group's comment.
4363 *********************************************************************/
4365 NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SET_GROUPINFO *r_u)
4369 GROUP_INFO_CTR *ctr;
4372 BOOL can_mod_accounts;
4373 DISP_INFO *disp_info = NULL;
4375 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted, &disp_info))
4376 return NT_STATUS_INVALID_HANDLE;
4378 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_SET_INFO, "_samr_set_groupinfo"))) {
4382 if (!get_domain_group_from_sid(group_sid, &map))
4383 return NT_STATUS_NO_SUCH_GROUP;
4387 switch (ctr->switch_value1) {
4389 unistr2_to_ascii(map.comment, &(ctr->group.info1.uni_acct_desc), sizeof(map.comment)-1);
4392 unistr2_to_ascii(map.comment, &(ctr->group.info4.uni_acct_desc), sizeof(map.comment)-1);
4395 return NT_STATUS_INVALID_INFO_CLASS;
4398 can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
4400 /******** BEGIN SeAddUsers BLOCK *********/
4402 if ( can_mod_accounts )
4405 ret = pdb_update_group_mapping_entry(&map);
4407 if ( can_mod_accounts )
4410 /******** End SeAddUsers BLOCK *********/
4413 force_flush_samr_cache(disp_info);
4416 return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
4419 /*********************************************************************
4422 update an alias's comment.
4423 *********************************************************************/
4425 NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_SET_ALIASINFO *r_u)
4428 struct acct_info info;
4429 ALIAS_INFO_CTR *ctr;
4432 BOOL can_mod_accounts;
4433 DISP_INFO *disp_info = NULL;
4435 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted, &disp_info))
4436 return NT_STATUS_INVALID_HANDLE;
4438 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_SET_INFO, "_samr_set_aliasinfo"))) {
4444 switch (ctr->level) {
4446 if ( ctr->alias.info3.description.string ) {
4447 unistr2_to_ascii( info.acct_desc,
4448 ctr->alias.info3.description.string,
4449 sizeof(info.acct_desc)-1 );
4453 return NT_STATUS_INVALID_INFO_CLASS;
4456 can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
4458 /******** BEGIN SeAddUsers BLOCK *********/
4460 if ( can_mod_accounts )
4463 ret = pdb_set_aliasinfo( &group_sid, &info );
4465 if ( can_mod_accounts )
4468 /******** End SeAddUsers BLOCK *********/
4471 force_flush_samr_cache(disp_info);
4474 return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
4477 /*********************************************************************
4478 _samr_get_dom_pwinfo
4479 *********************************************************************/
4481 NTSTATUS _samr_get_dom_pwinfo(pipes_struct *p, SAMR_Q_GET_DOM_PWINFO *q_u, SAMR_R_GET_DOM_PWINFO *r_u)
4483 /* Perform access check. Since this rpc does not require a
4484 policy handle it will not be caught by the access checks on
4485 SAMR_CONNECT or SAMR_CONNECT_ANON. */
4487 if (!pipe_access_check(p)) {
4488 DEBUG(3, ("access denied to samr_get_dom_pwinfo\n"));
4489 r_u->status = NT_STATUS_ACCESS_DENIED;
4493 /* Actually, returning zeros here works quite well :-). */
4495 return NT_STATUS_OK;
4498 /*********************************************************************
4500 *********************************************************************/
4502 NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_GROUP *r_u)
4507 struct samr_info *info;
4508 SEC_DESC *psd = NULL;
4510 uint32 des_access = q_u->access_mask;
4517 if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid, &acc_granted, NULL))
4518 return NT_STATUS_INVALID_HANDLE;
4520 status = access_check_samr_function(acc_granted,
4521 SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_group");
4523 if ( !NT_STATUS_IS_OK(status) )
4526 /*check if access can be granted as requested by client. */
4527 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
4528 se_map_generic(&des_access,&grp_generic_mapping);
4530 se_priv_copy( &se_rights, &se_add_users );
4532 status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
4533 &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access,
4534 &acc_granted, "_samr_open_group");
4536 if ( !NT_STATUS_IS_OK(status) )
4539 /* this should not be hard-coded like this */
4541 if (!sid_equal(&sid, get_global_sam_sid()))
4542 return NT_STATUS_ACCESS_DENIED;
4544 sid_copy(&info_sid, get_global_sam_sid());
4545 sid_append_rid(&info_sid, q_u->rid_group);
4546 sid_to_string(sid_string, &info_sid);
4548 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
4549 return NT_STATUS_NO_MEMORY;
4551 info->acc_granted = acc_granted;
4553 DEBUG(10, ("_samr_open_group:Opening SID: %s\n", sid_string));
4555 /* check if that group really exists */
4557 ret = get_domain_group_from_sid(info->sid, &map);
4560 return NT_STATUS_NO_SUCH_GROUP;
4562 /* get a (unique) handle. open a policy on it. */
4563 if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info))
4564 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
4566 return NT_STATUS_OK;
4569 /*********************************************************************
4570 _samr_remove_sid_foreign_domain
4571 *********************************************************************/
4573 NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p,
4574 SAMR_Q_REMOVE_SID_FOREIGN_DOMAIN *q_u,
4575 SAMR_R_REMOVE_SID_FOREIGN_DOMAIN *r_u)
4577 DOM_SID delete_sid, domain_sid;
4580 DISP_INFO *disp_info = NULL;
4582 sid_copy( &delete_sid, &q_u->sid.sid );
4584 DEBUG(5,("_samr_remove_sid_foreign_domain: removing SID [%s]\n",
4585 sid_string_static(&delete_sid)));
4587 /* Find the policy handle. Open a policy on it. */
4589 if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &domain_sid,
4590 &acc_granted, &disp_info))
4591 return NT_STATUS_INVALID_HANDLE;
4593 result = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS,
4594 "_samr_remove_sid_foreign_domain");
4596 if (!NT_STATUS_IS_OK(result))
4599 DEBUG(8, ("_samr_remove_sid_foreign_domain:sid is %s\n",
4600 sid_string_static(&domain_sid)));
4602 /* we can only delete a user from a group since we don't have
4603 nested groups anyways. So in the latter case, just say OK */
4605 /* TODO: The above comment nowadays is bogus. Since we have nested
4606 * groups now, and aliases members are never reported out of the unix
4607 * group membership, the "just say OK" makes this call a no-op. For
4608 * us. This needs fixing however. */
4610 /* I've only ever seen this in the wild when deleting a user from
4611 * usrmgr.exe. domain_sid is the builtin domain, and the sid to delete
4612 * is the user about to be deleted. I very much suspect this is the
4613 * only application of this call. To verify this, let people report
4616 if (!sid_check_is_builtin(&domain_sid)) {
4617 DEBUG(1,("_samr_remove_sid_foreign_domain: domain_sid = %s, "
4618 "global_sam_sid() = %s\n",
4619 sid_string_static(&domain_sid),
4620 sid_string_static(get_global_sam_sid())));
4621 DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
4622 return NT_STATUS_OK;
4625 force_flush_samr_cache(disp_info);
4627 result = NT_STATUS_OK;
4632 /*******************************************************************
4633 _samr_query_domain_info2
4634 ********************************************************************/
4636 NTSTATUS _samr_query_domain_info2(pipes_struct *p,
4637 SAMR_Q_QUERY_DOMAIN_INFO2 *q_u,
4638 SAMR_R_QUERY_DOMAIN_INFO2 *r_u)
4640 struct samr_info *info = NULL;
4642 uint32 min_pass_len,pass_hist,flag;
4643 time_t u_expire, u_min_age;
4644 NTTIME nt_expire, nt_min_age;
4646 time_t u_lock_duration, u_reset_time;
4647 NTTIME nt_lock_duration, nt_reset_time;
4653 uint32 num_users=0, num_groups=0, num_aliases=0;
4655 uint32 account_policy_temp;
4660 if ((ctr = TALLOC_ZERO_P(p->mem_ctx, SAM_UNK_CTR)) == NULL)
4661 return NT_STATUS_NO_MEMORY;
4665 r_u->status = NT_STATUS_OK;
4667 DEBUG(5,("_samr_query_domain_info2: %d\n", __LINE__));
4669 /* find the policy handle. open a policy on it. */
4670 if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info))
4671 return NT_STATUS_INVALID_HANDLE;
4673 switch (q_u->switch_value) {
4675 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
4676 min_pass_len = account_policy_temp;
4678 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
4679 pass_hist = account_policy_temp;
4681 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
4682 flag = account_policy_temp;
4684 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
4685 u_expire = account_policy_temp;
4687 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
4688 u_min_age = account_policy_temp;
4690 unix_to_nt_time_abs(&nt_expire, u_expire);
4691 unix_to_nt_time_abs(&nt_min_age, u_min_age);
4693 init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist,
4694 flag, nt_expire, nt_min_age);
4698 num_users = count_sam_users(info->disp_info,
4700 num_groups = count_sam_groups(info->disp_info);
4703 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
4704 u_logout = account_policy_temp;
4706 unix_to_nt_time_abs(&nt_logout, u_logout);
4708 if (!pdb_get_seq_num(&seq_num))
4709 seq_num = time(NULL);
4711 server_role = ROLE_DOMAIN_PDC;
4712 if (lp_server_role() == ROLE_DOMAIN_BDC)
4713 server_role = ROLE_DOMAIN_BDC;
4715 init_unk_info2(&ctr->info.inf2, lp_serverstring(), lp_workgroup(), global_myname(), seq_num,
4716 num_users, num_groups, num_aliases, nt_logout, server_role);
4719 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
4720 u_logout = account_policy_temp;
4722 unix_to_nt_time_abs(&nt_logout, u_logout);
4724 init_unk_info3(&ctr->info.inf3, nt_logout);
4727 init_unk_info5(&ctr->info.inf5, global_myname());
4730 init_unk_info6(&ctr->info.inf6);
4733 server_role = ROLE_DOMAIN_PDC;
4734 if (lp_server_role() == ROLE_DOMAIN_BDC)
4735 server_role = ROLE_DOMAIN_BDC;
4737 init_unk_info7(&ctr->info.inf7, server_role);
4740 if (!pdb_get_seq_num(&seq_num))
4741 seq_num = time(NULL);
4743 init_unk_info8(&ctr->info.inf8, (uint32) seq_num);
4746 pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
4747 u_lock_duration = account_policy_temp;
4748 if (u_lock_duration != -1)
4749 u_lock_duration *= 60;
4751 pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
4752 u_reset_time = account_policy_temp * 60;
4754 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
4755 lockout = account_policy_temp;
4757 unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
4758 unix_to_nt_time_abs(&nt_reset_time, u_reset_time);
4760 init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout);
4763 return NT_STATUS_INVALID_INFO_CLASS;
4766 init_samr_r_samr_query_domain_info2(r_u, q_u->switch_value, ctr, NT_STATUS_OK);
4768 DEBUG(5,("_samr_query_domain_info2: %d\n", __LINE__));
4773 /*******************************************************************
4775 ********************************************************************/
4777 NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R_SET_DOMAIN_INFO *r_u)
4779 time_t u_expire, u_min_age;
4781 time_t u_lock_duration, u_reset_time;
4783 r_u->status = NT_STATUS_OK;
4785 DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__));
4787 /* find the policy handle. open a policy on it. */
4788 if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL))
4789 return NT_STATUS_INVALID_HANDLE;
4791 DEBUG(5,("_samr_set_dom_info: switch_value: %d\n", q_u->switch_value));
4793 switch (q_u->switch_value) {
4795 u_expire=nt_time_to_unix_abs(&q_u->ctr->info.inf1.expire);
4796 u_min_age=nt_time_to_unix_abs(&q_u->ctr->info.inf1.min_passwordage);
4798 pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password);
4799 pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history);
4800 pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag);
4801 pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire);
4802 pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age);
4807 u_logout=nt_time_to_unix_abs(&q_u->ctr->info.inf3.logout);
4808 pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout);
4817 u_lock_duration=nt_time_to_unix_abs(&q_u->ctr->info.inf12.duration);
4818 if (u_lock_duration != -1)
4819 u_lock_duration /= 60;
4821 u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count)/60;
4823 pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
4824 pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time);
4825 pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout);
4828 return NT_STATUS_INVALID_INFO_CLASS;
4831 init_samr_r_set_domain_info(r_u, NT_STATUS_OK);
4833 DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__));