X-Git-Url: http://git.samba.org/?p=samba.git;a=blobdiff_plain;f=source3%2Frpc_server%2Flsa%2Fsrv_lsa_nt.c;h=a120c6e7fe9c5c2e563c44aee7db27ab43192d93;hp=697b287a0f800034b81b9f65faebe7a42393f830;hb=3d15137653a7d1b593a9af2eef12f6e5b9a04c4f;hpb=debd6da27a78620053fb380dfc446de4714c3d0a diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c index 697b287a0f8..a120c6e7fe9 100644 --- a/source3/rpc_server/lsa/srv_lsa_nt.c +++ b/source3/rpc_server/lsa/srv_lsa_nt.c @@ -30,6 +30,7 @@ /* This is the implementation of the lsa server code. */ #include "includes.h" +#include "ntdomain.h" #include "../librpc/gen_ndr/srv_lsa.h" #include "secrets.h" #include "../librpc/gen_ndr/netlogon.h" @@ -41,6 +42,10 @@ #include "../lib/crypto/arcfour.h" #include "../libcli/security/dom_sid.h" #include "../librpc/gen_ndr/ndr_security.h" +#include "passdb.h" +#include "auth.h" +#include "lib/privileges.h" +#include "rpc_server/srv_access_check.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_RPC_SRV @@ -117,7 +122,7 @@ static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx, ref->count = num + 1; ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER; - ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains, + ref->domains = talloc_realloc(mem_ctx, ref->domains, struct lsa_DomainInfo, ref->count); if (!ref->domains) { return -1; @@ -184,7 +189,7 @@ static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx, int dom_idx; const char *full_name; const char *domain; - enum lsa_SidType type = SID_NAME_UNKNOWN; + enum lsa_SidType type; /* Split name into domain and user component */ @@ -199,11 +204,10 @@ static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx, DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name)); - /* We can ignore the result of lookup_name, it will not touch - "type" if it's not successful */ - - lookup_name(mem_ctx, full_name, flags, &domain, NULL, - &sid, &type); + if (!lookup_name(mem_ctx, full_name, flags, &domain, NULL, + &sid, &type)) { + type = SID_NAME_UNKNOWN; + } switch (type) { case SID_NAME_USER: @@ -268,7 +272,7 @@ static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx, int dom_idx; const char *full_name; const char *domain; - enum lsa_SidType type = SID_NAME_UNKNOWN; + enum lsa_SidType type; ZERO_STRUCT(sid); @@ -281,11 +285,10 @@ static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx, DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name)); - /* We can ignore the result of lookup_name, it will not touch - "type" if it's not successful */ - - lookup_name(mem_ctx, full_name, flags, &domain, NULL, - &sid, &type); + if (!lookup_name(mem_ctx, full_name, flags, &domain, NULL, + &sid, &type)) { + type = SID_NAME_UNKNOWN; + } switch (type) { case SID_NAME_USER: @@ -430,8 +433,8 @@ NTSTATUS _lsa_OpenPolicy2(struct pipes_struct *p, NTSTATUS status; /* Work out max allowed. */ - map_max_allowed_access(p->server_info->security_token, - &p->server_info->utok, + map_max_allowed_access(p->session_info->security_token, + &p->session_info->utok, &des_access); /* map the generic bits to the lsa policy ones */ @@ -444,7 +447,7 @@ NTSTATUS _lsa_OpenPolicy2(struct pipes_struct *p, return status; } - status = access_check_object(psd, p->server_info->security_token, + status = access_check_object(psd, p->session_info->security_token, SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, des_access, &acc_granted, "_lsa_OpenPolicy2" ); if (!NT_STATUS_IS_OK(status)) { @@ -855,7 +858,7 @@ static NTSTATUS _lsa_lookup_sids_internal(struct pipes_struct *p, return NT_STATUS_OK; } - sids = TALLOC_ARRAY(p->mem_ctx, const struct dom_sid *, num_sids); + sids = talloc_array(p->mem_ctx, const struct dom_sid *, num_sids); ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList); if (sids == NULL || ref == NULL) { @@ -873,7 +876,7 @@ static NTSTATUS _lsa_lookup_sids_internal(struct pipes_struct *p, return status; } - names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids); + names = talloc_array(p->mem_ctx, struct lsa_TranslatedName2, num_sids); if (names == NULL) { return NT_STATUS_NO_MEMORY; } @@ -897,7 +900,6 @@ static NTSTATUS _lsa_lookup_sids_internal(struct pipes_struct *p, struct lsa_name_info *name = &name_infos[i]; if (name->type == SID_NAME_UNKNOWN) { - fstring tmp; name->dom_idx = -1; /* Unknown sids should return the string * representation of the SID. Windows 2003 behaves @@ -905,9 +907,7 @@ static NTSTATUS _lsa_lookup_sids_internal(struct pipes_struct *p, * RID as 8 bytes hex, in others it returns the full * SID. We (Jerry/VL) could not figure out which the * hard cases are, so leave it with the SID. */ - name->name = talloc_asprintf(p->mem_ctx, "%s", - sid_to_fstring(tmp, - sids[i])); + name->name = dom_sid_string(p->mem_ctx, sids[i]); if (name->name == NULL) { return NT_STATUS_NO_MEMORY; } @@ -998,7 +998,7 @@ NTSTATUS _lsa_LookupSids(struct pipes_struct *p, } /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */ - names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName, + names_out = talloc_array(p->mem_ctx, struct lsa_TranslatedName, num_sids); if (!names_out) { return NT_STATUS_NO_MEMORY; @@ -1257,7 +1257,7 @@ NTSTATUS _lsa_LookupNames2(struct pipes_struct *p, status = _lsa_LookupNames(p, &q); sid_array2->count = sid_array->count; - sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count); + sid_array2->sids = talloc_array(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count); if (!sid_array2->sids) { return NT_STATUS_NO_MEMORY; } @@ -1503,8 +1503,8 @@ static NTSTATUS _lsa_OpenTrustedDomain_base(struct pipes_struct *p, * handle - so don't check against policy handle. */ /* Work out max allowed. */ - map_max_allowed_access(p->server_info->security_token, - &p->server_info->utok, + map_max_allowed_access(p->session_info->security_token, + &p->session_info->utok, &access_mask); /* map the generic bits to the lsa account ones */ @@ -1518,7 +1518,7 @@ static NTSTATUS _lsa_OpenTrustedDomain_base(struct pipes_struct *p, return status; } - status = access_check_object(psd, p->server_info->security_token, + status = access_check_object(psd, p->session_info->security_token, SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, access_mask, &acc_granted, "_lsa_OpenTrustedDomain"); @@ -1603,7 +1603,7 @@ NTSTATUS _lsa_OpenTrustedDomainByName(struct pipes_struct *p, static NTSTATUS add_trusted_domain_user(TALLOC_CTX *mem_ctx, const char *netbios_name, const char *domain_name, - struct trustDomainPasswords auth_struct) + const struct trustDomainPasswords *auth_struct) { NTSTATUS status; struct samu *sam_acct; @@ -1643,17 +1643,16 @@ static NTSTATUS add_trusted_domain_user(TALLOC_CTX *mem_ctx, return NT_STATUS_UNSUCCESSFUL; } - for (i = 0; i < auth_struct.incoming.count; i++) { - switch (auth_struct.incoming.current.array[i].AuthType) { + for (i = 0; i < auth_struct->incoming.count; i++) { + switch (auth_struct->incoming.current.array[i].AuthType) { case TRUST_AUTH_TYPE_CLEAR: if (!convert_string_talloc(mem_ctx, CH_UTF16LE, CH_UNIX, - auth_struct.incoming.current.array[i].AuthInfo.clear.password, - auth_struct.incoming.current.array[i].AuthInfo.clear.size, + auth_struct->incoming.current.array[i].AuthInfo.clear.password, + auth_struct->incoming.current.array[i].AuthInfo.clear.size, &dummy, - &dummy_size, - false)) { + &dummy_size)) { return NT_STATUS_UNSUCCESSFUL; } if (!pdb_set_plaintext_passwd(sam_acct, dummy)) { @@ -1702,14 +1701,14 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p, return NT_STATUS_ACCESS_DENIED; } - if (p->server_info->utok.uid != sec_initial_uid() && - !nt_token_check_domain_rid(p->server_info->security_token, DOMAIN_RID_ADMINS)) { + if (p->session_info->utok.uid != sec_initial_uid() && + !nt_token_check_domain_rid(p->session_info->security_token, DOMAIN_RID_ADMINS)) { return NT_STATUS_ACCESS_DENIED; } /* Work out max allowed. */ - map_max_allowed_access(p->server_info->security_token, - &p->server_info->utok, + map_max_allowed_access(p->session_info->security_token, + &p->session_info->utok, &r->in.access_mask); /* map the generic bits to the lsa policy ones */ @@ -1722,7 +1721,7 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p, return status; } - status = access_check_object(psd, p->server_info->security_token, + status = access_check_object(psd, p->session_info->security_token, SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, r->in.access_mask, &acc_granted, "_lsa_CreateTrustedDomainEx2"); @@ -1752,7 +1751,7 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p, auth_blob.data = r->in.auth_info->auth_blob.data; arcfour_crypt_blob(auth_blob.data, auth_blob.length, - &p->server_info->user_session_key); + &p->session_info->session_key); ndr_err = ndr_pull_struct_blob(&auth_blob, p->mem_ctx, &auth_struct, @@ -1790,7 +1789,7 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p, status = add_trusted_domain_user(p->mem_ctx, r->in.info->netbios_name.string, r->in.info->domain_name.string, - auth_struct); + &auth_struct); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -2398,7 +2397,7 @@ NTSTATUS _lsa_GetUserName(struct pipes_struct *p, return NT_STATUS_INVALID_PARAMETER; } - if (p->server_info->guest) { + if (p->session_info->guest) { /* * I'm 99% sure this is not the right place to do this, * global_sid_Anonymous should probably be put into the token @@ -2409,8 +2408,8 @@ NTSTATUS _lsa_GetUserName(struct pipes_struct *p, return NT_STATUS_NO_MEMORY; } } else { - username = p->server_info->sanitized_username; - domname = p->server_info->info3->base.domain.string; + username = p->session_info->sanitized_username; + domname = p->session_info->info3->base.domain.string; } account_name = TALLOC_P(p->mem_ctx, struct lsa_String); @@ -2463,8 +2462,8 @@ NTSTATUS _lsa_CreateAccount(struct pipes_struct *p, } /* Work out max allowed. */ - map_max_allowed_access(p->server_info->security_token, - &p->server_info->utok, + map_max_allowed_access(p->session_info->security_token, + &p->session_info->utok, &r->in.access_mask); /* map the generic bits to the lsa policy ones */ @@ -2477,7 +2476,7 @@ NTSTATUS _lsa_CreateAccount(struct pipes_struct *p, return status; } - status = access_check_object(psd, p->server_info->security_token, + status = access_check_object(psd, p->session_info->security_token, SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, r->in.access_mask, &acc_granted, "_lsa_CreateAccount"); if (!NT_STATUS_IS_OK(status)) { @@ -2527,8 +2526,8 @@ NTSTATUS _lsa_OpenAccount(struct pipes_struct *p, * handle - so don't check against policy handle. */ /* Work out max allowed. */ - map_max_allowed_access(p->server_info->security_token, - &p->server_info->utok, + map_max_allowed_access(p->session_info->security_token, + &p->session_info->utok, &des_access); /* map the generic bits to the lsa account ones */ @@ -2542,7 +2541,7 @@ NTSTATUS _lsa_OpenAccount(struct pipes_struct *p, return status; } - status = access_check_object(psd, p->server_info->security_token, + status = access_check_object(psd, p->session_info->security_token, SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, des_access, &acc_granted, "_lsa_OpenAccount" ); if (!NT_STATUS_IS_OK(status)) { @@ -2897,7 +2896,7 @@ NTSTATUS _lsa_AddAccountRights(struct pipes_struct *p, * on the account sid. We don't check here so just use the latter. JRA. */ - status = access_check_object(psd, p->server_info->security_token, + status = access_check_object(psd, p->session_info->security_token, SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW, &acc_granted, "_lsa_AddAccountRights" ); @@ -2967,7 +2966,7 @@ NTSTATUS _lsa_RemoveAccountRights(struct pipes_struct *p, * and DELETE on the account sid. */ - status = access_check_object(psd, p->server_info->security_token, + status = access_check_object(psd, p->session_info->security_token, SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS| LSA_ACCOUNT_VIEW|SEC_STD_DELETE, @@ -3489,7 +3488,7 @@ static int dns_cmp(const char *s1, size_t l1, int cret; if (l1 == l2) { - if (StrCaseCmp(s1, s2) == 0) { + if (strcasecmp_m(s1, s2) == 0) { return DNS_CMP_MATCH; } return DNS_CMP_NO_MATCH; @@ -3513,7 +3512,7 @@ static int dns_cmp(const char *s1, size_t l1, return DNS_CMP_NO_MATCH; } - if (StrCaseCmp(&p1[t1 - t2], p2) == 0) { + if (strcasecmp_m(&p1[t1 - t2], p2) == 0) { return cret; } @@ -3665,6 +3664,9 @@ static NTSTATUS check_ft_info(TALLOC_CTX *mem_ctx, ex_rule = false; tname = trec->data.info.dns_name.string; tlen = trec->data.info.dns_name.size; + break; + default: + return NT_STATUS_INVALID_PARAMETER; } ret = dns_cmp(dns_name, dns_len, tname, tlen); switch (ret) { @@ -3699,7 +3701,7 @@ static NTSTATUS check_ft_info(TALLOC_CTX *mem_ctx, sid_conflict = true; } if (!(trec->flags & LSA_NB_DISABLED_ADMIN) && - StrCaseCmp(trec->data.info.netbios_name.string, + strcasecmp_m(trec->data.info.netbios_name.string, nb_name) == 0) { nb_conflict = true; } @@ -3874,7 +3876,7 @@ NTSTATUS _lsa_lsaRSetForestTrustInformation(struct pipes_struct *p, if (domains[i]->domain_name == NULL) { return NT_STATUS_INVALID_DOMAIN_STATE; } - if (StrCaseCmp(domains[i]->domain_name, + if (strcasecmp_m(domains[i]->domain_name, r->in.trusted_domain_name->string) == 0) { break; }