2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2002,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002.
11 * Copyright (C) Gerald (Jerry) Carter 2003.
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation; either version 2 of the License, or
16 * (at your option) any later version.
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 * This is the implementation of the SAMR code.
35 #define DBGC_CLASS DBGC_RPC_SRV
37 extern DOM_SID global_sid_Builtin;
39 extern rid_name domain_group_rids[];
40 extern rid_name domain_alias_rids[];
41 extern rid_name builtin_alias_rids[];
44 typedef struct _disp_info {
46 uint32 num_user_account;
47 SAM_ACCOUNT *disp_user_info;
49 uint32 num_group_account;
50 DOMAIN_GRP *disp_group_info;
54 /* for use by the \PIPE\samr policy */
56 uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */
65 struct generic_mapping sam_generic_mapping = {GENERIC_RIGHTS_SAM_READ, GENERIC_RIGHTS_SAM_WRITE, GENERIC_RIGHTS_SAM_EXECUTE, GENERIC_RIGHTS_SAM_ALL_ACCESS};
66 struct generic_mapping dom_generic_mapping = {GENERIC_RIGHTS_DOMAIN_READ, GENERIC_RIGHTS_DOMAIN_WRITE, GENERIC_RIGHTS_DOMAIN_EXECUTE, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
67 struct generic_mapping usr_generic_mapping = {GENERIC_RIGHTS_USER_READ, GENERIC_RIGHTS_USER_WRITE, GENERIC_RIGHTS_USER_EXECUTE, GENERIC_RIGHTS_USER_ALL_ACCESS};
68 struct generic_mapping grp_generic_mapping = {GENERIC_RIGHTS_GROUP_READ, GENERIC_RIGHTS_GROUP_WRITE, GENERIC_RIGHTS_GROUP_EXECUTE, GENERIC_RIGHTS_GROUP_ALL_ACCESS};
69 struct generic_mapping ali_generic_mapping = {GENERIC_RIGHTS_ALIAS_READ, GENERIC_RIGHTS_ALIAS_WRITE, GENERIC_RIGHTS_ALIAS_EXECUTE, GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
71 static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size);
73 /*******************************************************************
74 Checks if access to an object should be granted, and returns that
75 level of access for further checks.
76 ********************************************************************/
78 NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, uint32 des_access,
79 uint32 *acc_granted, const char *debug)
81 NTSTATUS status = NT_STATUS_ACCESS_DENIED;
83 if (!se_access_check(psd, nt_user_token, des_access, acc_granted, &status)) {
84 *acc_granted = des_access;
85 if (geteuid() == sec_initial_uid()) {
86 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n",
88 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
89 status = NT_STATUS_OK;
92 DEBUG(2,("%s: ACCESS DENIED (requested: %#010x)\n",
99 /*******************************************************************
100 Checks if access to a function can be granted
101 ********************************************************************/
103 NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
105 DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
106 debug, acc_granted, acc_required));
107 if ((acc_granted & acc_required) != acc_required) {
108 if (geteuid() == sec_initial_uid()) {
109 DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
110 debug, acc_granted, acc_required));
111 DEBUGADD(4,("but overwritten by euid == 0\n"));
114 DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n",
115 debug, acc_granted, acc_required));
116 return NT_STATUS_ACCESS_DENIED;
122 /*******************************************************************
123 Create a samr_info struct.
124 ********************************************************************/
126 static struct samr_info *get_samr_info_by_sid(DOM_SID *psid)
128 struct samr_info *info;
133 sid_to_string(sid_str, psid);
135 fstrcpy(sid_str,"(NULL)");
138 mem_ctx = talloc_init("samr_info for domain sid %s", sid_str);
140 if ((info = (struct samr_info *)talloc(mem_ctx, sizeof(struct samr_info))) == NULL)
144 DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str));
146 sid_copy( &info->sid, psid);
148 DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n"));
150 info->mem_ctx = mem_ctx;
154 /*******************************************************************
155 Function to free the per handle data.
156 ********************************************************************/
158 static void free_samr_users(struct samr_info *info)
162 if (info->disp_info.user_dbloaded){
163 for (i=0; i<info->disp_info.num_user_account; i++) {
164 SAM_ACCOUNT *sam = &info->disp_info.disp_user_info[i];
165 /* Not really a free, actually a 'clear' */
169 info->disp_info.user_dbloaded=False;
170 info->disp_info.num_user_account=0;
173 /*******************************************************************
174 Function to free the per handle data.
175 ********************************************************************/
177 static void free_samr_db(struct samr_info *info)
179 /* Groups are talloced */
181 free_samr_users(info);
183 info->disp_info.group_dbloaded=False;
184 info->disp_info.num_group_account=0;
187 static void free_samr_info(void *ptr)
189 struct samr_info *info=(struct samr_info *) ptr;
192 talloc_destroy(info->mem_ctx);
195 /*******************************************************************
196 Ensure password info is never given out. Paranioa... JRA.
197 ********************************************************************/
199 static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass)
205 /* These now zero out the old password */
207 pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
208 pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
212 static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask, BOOL all_machines)
214 SAM_ACCOUNT *pwd = NULL;
215 SAM_ACCOUNT *pwd_array = NULL;
216 NTSTATUS nt_status = NT_STATUS_OK;
217 TALLOC_CTX *mem_ctx = info->mem_ctx;
219 DEBUG(10,("load_sampwd_entries\n"));
221 /* if the snapshoot is already loaded, return */
222 if ((info->disp_info.user_dbloaded==True)
223 && (info->acb_mask == acb_mask)
224 && (info->all_machines == all_machines)) {
225 DEBUG(10,("load_sampwd_entries: already in memory\n"));
229 free_samr_users(info);
231 if (!pdb_setsampwent(False)) {
232 DEBUG(0, ("load_sampwd_entries: Unable to open passdb.\n"));
233 return NT_STATUS_ACCESS_DENIED;
236 for (; (NT_STATUS_IS_OK(nt_status = pdb_init_sam_talloc(mem_ctx, &pwd)))
237 && pdb_getsampwent(pwd) == True; pwd=NULL) {
240 if (!((pdb_get_acct_ctrl(pwd) & ACB_WSTRUST)
241 || (pdb_get_acct_ctrl(pwd) & ACB_SVRTRUST))) {
242 DEBUG(5,("load_sampwd_entries: '%s' is not a machine account - ACB: %x - skipping\n", pdb_get_username(pwd), acb_mask));
247 if (acb_mask != 0 && !(pdb_get_acct_ctrl(pwd) & acb_mask)) {
249 DEBUG(5,(" acb_mask %x reject\n", acb_mask));
254 /* Realloc some memory for the array of ptr to the SAM_ACCOUNT structs */
255 if (info->disp_info.num_user_account % MAX_SAM_ENTRIES == 0) {
257 DEBUG(10,("load_sampwd_entries: allocating more memory\n"));
258 pwd_array=(SAM_ACCOUNT *)talloc_realloc(mem_ctx, info->disp_info.disp_user_info,
259 (info->disp_info.num_user_account+MAX_SAM_ENTRIES)*sizeof(SAM_ACCOUNT));
262 return NT_STATUS_NO_MEMORY;
264 info->disp_info.disp_user_info=pwd_array;
267 /* Copy the SAM_ACCOUNT into the array */
268 info->disp_info.disp_user_info[info->disp_info.num_user_account]=*pwd;
270 DEBUG(10,("load_sampwd_entries: entry: %d\n", info->disp_info.num_user_account));
272 info->disp_info.num_user_account++;
277 /* the snapshoot is in memory, we're ready to enumerate fast */
279 info->acb_mask = acb_mask;
280 info->all_machines = all_machines;
281 info->disp_info.user_dbloaded=True;
283 DEBUG(10,("load_sampwd_entries: done\n"));
288 static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid)
291 DOMAIN_GRP *grp_array = NULL;
292 uint32 group_entries = 0;
294 TALLOC_CTX *mem_ctx = info->mem_ctx;
297 DEBUG(10,("load_group_domain_entries\n"));
299 /* if the snapshoot is already loaded, return */
300 if (info->disp_info.group_dbloaded==True) {
301 DEBUG(10,("load_group_domain_entries: already in memory\n"));
307 ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED);
311 DEBUG(1, ("load_group_domain_entries: pdb_enum_group_mapping() failed!\n"));
312 return NT_STATUS_NO_MEMORY;
316 info->disp_info.num_group_account=group_entries;
318 grp_array=(DOMAIN_GRP *)talloc(mem_ctx, info->disp_info.num_group_account*sizeof(DOMAIN_GRP));
319 if (group_entries!=0 && grp_array==NULL) {
320 DEBUG(1, ("load_group_domain_entries: talloc() failed for grp_array!\n"));
322 return NT_STATUS_NO_MEMORY;
325 info->disp_info.disp_group_info=grp_array;
327 for (i=0; i<group_entries; i++) {
328 fstrcpy(grp_array[i].name, map[i].nt_name);
329 fstrcpy(grp_array[i].comment, map[i].comment);
330 sid_split_rid(&map[i].sid, &grp_array[i].rid);
331 grp_array[i].attr=SID_NAME_DOM_GRP;
336 /* the snapshoot is in memory, we're ready to enumerate fast */
338 info->disp_info.group_dbloaded=True;
340 DEBUG(10,("load_group_domain_entries: done\n"));
346 /*******************************************************************
348 ********************************************************************/
350 NTSTATUS _samr_close_hnd(pipes_struct *p, SAMR_Q_CLOSE_HND *q_u, SAMR_R_CLOSE_HND *r_u)
352 r_u->status = NT_STATUS_OK;
354 /* close the policy handle */
355 if (!close_policy_hnd(p, &q_u->pol))
356 return NT_STATUS_OBJECT_NAME_INVALID;
358 DEBUG(5,("samr_reply_close_hnd: %d\n", __LINE__));
363 /*******************************************************************
364 samr_reply_open_domain
365 ********************************************************************/
367 NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN_DOMAIN *r_u)
369 struct samr_info *info;
370 SEC_DESC *psd = NULL;
372 uint32 des_access = q_u->flags;
376 r_u->status = NT_STATUS_OK;
378 /* find the connection policy handle. */
379 if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info))
380 return NT_STATUS_INVALID_HANDLE;
382 if (!NT_STATUS_IS_OK(status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_OPEN_DOMAIN,"_samr_open_domain"))) {
386 /*check if access can be granted as requested by client. */
387 samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size);
388 se_map_generic(&des_access,&dom_generic_mapping);
390 if (!NT_STATUS_IS_OK(status =
391 access_check_samr_object(psd, p->pipe_user.nt_user_token,
392 des_access, &acc_granted, "_samr_open_domain"))) {
396 /* associate the domain SID with the (unique) handle. */
397 if ((info = get_samr_info_by_sid(&q_u->dom_sid.sid))==NULL)
398 return NT_STATUS_NO_MEMORY;
399 info->acc_granted = acc_granted;
401 /* get a (unique) handle. open a policy on it. */
402 if (!create_policy_hnd(p, &r_u->domain_pol, free_samr_info, (void *)info))
403 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
405 DEBUG(5,("samr_open_domain: %d\n", __LINE__));
410 /*******************************************************************
411 _samr_get_usrdom_pwinfo
412 ********************************************************************/
414 NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, SAMR_R_GET_USRDOM_PWINFO *r_u)
416 struct samr_info *info = NULL;
418 r_u->status = NT_STATUS_OK;
420 /* find the policy handle. open a policy on it. */
421 if (!find_policy_by_hnd(p, &q_u->user_pol, (void **)&info))
422 return NT_STATUS_INVALID_HANDLE;
424 if (!sid_check_is_in_our_domain(&info->sid))
425 return NT_STATUS_OBJECT_TYPE_MISMATCH;
427 init_samr_r_get_usrdom_pwinfo(r_u, NT_STATUS_OK);
429 DEBUG(5,("_samr_get_usrdom_pwinfo: %d\n", __LINE__));
432 * NT sometimes return NT_STATUS_ACCESS_DENIED
433 * I don't know yet why.
439 /*******************************************************************
441 ********************************************************************/
443 static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size)
445 extern DOM_SID global_sid_World;
454 sid_copy(&adm_sid, &global_sid_Builtin);
455 sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
457 sid_copy(&act_sid, &global_sid_Builtin);
458 sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
460 /*basic access for every one*/
461 init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_EXECUTE | GENERIC_RIGHTS_DOMAIN_READ);
462 init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
464 /*full access for builtin aliases Administrators and Account Operators*/
465 init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS);
466 init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
467 init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
469 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
470 return NT_STATUS_NO_MEMORY;
472 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
473 return NT_STATUS_NO_MEMORY;
478 /*******************************************************************
480 ********************************************************************/
482 static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size, DOM_SID *usr_sid)
484 extern DOM_SID global_sid_World;
493 sid_copy(&adm_sid, &global_sid_Builtin);
494 sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
496 sid_copy(&act_sid, &global_sid_Builtin);
497 sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
499 /*basic access for every one*/
500 init_sec_access(&mask, GENERIC_RIGHTS_USER_EXECUTE | GENERIC_RIGHTS_USER_READ);
501 init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
503 /*full access for builtin aliases Administrators and Account Operators*/
504 init_sec_access(&mask, GENERIC_RIGHTS_USER_ALL_ACCESS);
505 init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
506 init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
508 /*extended access for the user*/
509 init_sec_access(&mask,READ_CONTROL_ACCESS | SA_RIGHT_USER_CHANGE_PASSWORD | SA_RIGHT_USER_SET_LOC_COM);
510 init_sec_ace(&ace[3], usr_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
512 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 4, ace)) == NULL)
513 return NT_STATUS_NO_MEMORY;
515 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
516 return NT_STATUS_NO_MEMORY;
521 /*******************************************************************
523 ********************************************************************/
525 static NTSTATUS samr_make_grp_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size)
527 extern DOM_SID global_sid_World;
536 sid_copy(&adm_sid, &global_sid_Builtin);
537 sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
539 sid_copy(&act_sid, &global_sid_Builtin);
540 sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
542 /*basic access for every one*/
543 init_sec_access(&mask, GENERIC_RIGHTS_GROUP_EXECUTE | GENERIC_RIGHTS_GROUP_READ);
544 init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
546 /*full access for builtin aliases Administrators and Account Operators*/
547 init_sec_access(&mask, GENERIC_RIGHTS_GROUP_ALL_ACCESS);
548 init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
549 init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
551 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
552 return NT_STATUS_NO_MEMORY;
554 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
555 return NT_STATUS_NO_MEMORY;
560 /*******************************************************************
562 ********************************************************************/
564 static NTSTATUS samr_make_ali_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size)
566 extern DOM_SID global_sid_World;
575 sid_copy(&adm_sid, &global_sid_Builtin);
576 sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
578 sid_copy(&act_sid, &global_sid_Builtin);
579 sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
581 /*basic access for every one*/
582 init_sec_access(&mask, GENERIC_RIGHTS_ALIAS_EXECUTE | GENERIC_RIGHTS_ALIAS_READ);
583 init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
585 /*full access for builtin aliases Administrators and Account Operators*/
586 init_sec_access(&mask, GENERIC_RIGHTS_ALIAS_ALL_ACCESS);
587 init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
588 init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
590 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
591 return NT_STATUS_NO_MEMORY;
593 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
594 return NT_STATUS_NO_MEMORY;
599 static BOOL get_lsa_policy_samr_sid(pipes_struct *p, POLICY_HND *pol, DOM_SID *sid, uint32 *acc_granted)
601 struct samr_info *info = NULL;
603 /* find the policy handle. open a policy on it. */
604 if (!find_policy_by_hnd(p, pol, (void **)&info))
611 *acc_granted = info->acc_granted;
615 /*******************************************************************
617 ********************************************************************/
619 NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_SEC_OBJ *r_u)
621 DEBUG(0,("_samr_set_sec_obj: Not yet implemented!\n"));
622 return NT_STATUS_NOT_IMPLEMENTED;
626 /*******************************************************************
628 ********************************************************************/
630 NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_QUERY_SEC_OBJ *r_u)
634 SEC_DESC * psd = NULL;
638 r_u->status = NT_STATUS_OK;
641 if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &pol_sid, &acc_granted))
642 return NT_STATUS_INVALID_HANDLE;
646 DEBUG(10,("_samr_query_sec_obj: querying security on SID: %s\n", sid_to_string(str_sid, &pol_sid)));
648 /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
650 /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
651 if (pol_sid.sid_rev_num == 0)
653 DEBUG(5,("_samr_query_sec_obj: querying security on SAM\n"));
654 r_u->status = samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size);
656 else if (sid_equal(&pol_sid,get_global_sam_sid())) /* check if it is our domain SID */
659 DEBUG(5,("_samr_query_sec_obj: querying security on Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
660 r_u->status = samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size);
662 else if (sid_equal(&pol_sid,&global_sid_Builtin)) /* check if it is the Builtin Domain */
664 /* TODO: Builtin probably needs a different SD with restricted write access*/
665 DEBUG(5,("_samr_query_sec_obj: querying security on Builtin Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
666 r_u->status = samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size);
668 else if (sid_check_is_in_our_domain(&pol_sid) ||
669 sid_check_is_in_builtin(&pol_sid))
671 /* TODO: different SDs have to be generated for aliases groups and users.
672 Currently all three get a default user SD */
673 DEBUG(10,("_samr_query_sec_obj: querying security on Object with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
674 r_u->status = samr_make_usr_obj_sd(p->mem_ctx, &psd,&sd_size, &pol_sid);
676 else return NT_STATUS_OBJECT_TYPE_MISMATCH;
678 if ((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
679 return NT_STATUS_NO_MEMORY;
681 if (NT_STATUS_IS_OK(r_u->status))
687 /*******************************************************************
688 makes a SAM_ENTRY / UNISTR2* structure from a user list.
689 ********************************************************************/
691 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR2 **uni_name_pp,
692 uint32 num_entries, uint32 start_idx, SAM_ACCOUNT *disp_user_info,
698 SAM_ACCOUNT *pwd = NULL;
699 UNISTR2 uni_temp_name;
700 const char *temp_name;
701 const DOM_SID *user_sid;
703 fstring user_sid_string;
704 fstring domain_sid_string;
709 if (num_entries == 0)
712 sam = (SAM_ENTRY *)talloc_zero(ctx, sizeof(SAM_ENTRY)*num_entries);
714 uni_name = (UNISTR2 *)talloc_zero(ctx, sizeof(UNISTR2)*num_entries);
716 if (sam == NULL || uni_name == NULL) {
717 DEBUG(0, ("make_user_sam_entry_list: talloc_zero failed!\n"));
718 return NT_STATUS_NO_MEMORY;
721 for (i = 0; i < num_entries; i++) {
722 pwd = &disp_user_info[i+start_idx];
723 temp_name = pdb_get_username(pwd);
724 init_unistr2(&uni_temp_name, temp_name, UNI_STR_TERMINATE);
725 user_sid = pdb_get_user_sid(pwd);
727 if (!sid_peek_check_rid(domain_sid, user_sid, &user_rid)) {
728 DEBUG(0, ("make_user_sam_entry_list: User %s has SID %s, which conflicts with "
729 "the domain sid %s. Failing operation.\n",
731 sid_to_string(user_sid_string, user_sid),
732 sid_to_string(domain_sid_string, domain_sid)));
733 return NT_STATUS_UNSUCCESSFUL;
736 init_sam_entry(&sam[i], &uni_temp_name, user_rid);
737 copy_unistr2(&uni_name[i], &uni_temp_name);
741 *uni_name_pp = uni_name;
745 /*******************************************************************
746 samr_reply_enum_dom_users
747 ********************************************************************/
749 NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u,
750 SAMR_R_ENUM_DOM_USERS *r_u)
752 struct samr_info *info = NULL;
753 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
755 uint32 enum_context=q_u->start_idx;
756 uint32 max_size=q_u->max_size;
758 enum remote_arch_types ra_type = get_remote_arch();
759 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
760 uint32 max_entries = max_sam_entries;
763 r_u->status = NT_STATUS_OK;
765 /* find the policy handle. open a policy on it. */
766 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
767 return NT_STATUS_INVALID_HANDLE;
769 domain_sid = info->sid;
771 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted,
772 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
773 "_samr_enum_dom_users"))) {
777 DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__));
780 r_u->status=load_sampwd_entries(info, q_u->acb_mask, False);
783 if (!NT_STATUS_IS_OK(r_u->status))
786 num_account = info->disp_info.num_user_account;
788 if (enum_context > num_account) {
789 DEBUG(5, ("_samr_enum_dom_users: enumeration handle over total entries\n"));
793 /* verify we won't overflow */
794 if (max_entries > num_account-enum_context) {
795 max_entries = num_account-enum_context;
796 DEBUG(5, ("_samr_enum_dom_users: only %d entries to return\n", max_entries));
799 /* calculate the size and limit on the number of entries we will return */
800 temp_size=max_entries*struct_size;
802 if (temp_size>max_size) {
803 max_entries=MIN((max_size/struct_size),max_entries);;
804 DEBUG(5, ("_samr_enum_dom_users: buffer size limits to only %d entries\n", max_entries));
808 * Note from JRA. total_entries is not being used here. Currently if there is a
809 * large user base then it looks like NT will enumerate until get_sampwd_entries
810 * returns False due to num_entries being zero. This will cause an access denied
811 * return. I don't think this is right and needs further investigation. Note that
812 * this is also the same in the TNG code (I don't think that has been tested with
813 * a very large user list as MAX_SAM_ENTRIES is set to 600).
815 * I also think that one of the 'num_entries' return parameters is probably
816 * the "max entries" parameter - but in the TNG code they're all currently set to the same
817 * value (again I think this is wrong).
820 r_u->status = make_user_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_acct_name,
821 max_entries, enum_context,
822 info->disp_info.disp_user_info,
825 if (!NT_STATUS_IS_OK(r_u->status))
828 if (enum_context+max_entries < num_account)
829 r_u->status = STATUS_MORE_ENTRIES;
831 DEBUG(5, ("_samr_enum_dom_users: %d\n", __LINE__));
833 init_samr_r_enum_dom_users(r_u, q_u->start_idx + max_entries, max_entries);
835 DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__));
840 /*******************************************************************
841 makes a SAM_ENTRY / UNISTR2* structure from a group list.
842 ********************************************************************/
844 static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR2 **uni_name_pp,
845 uint32 num_sam_entries, DOMAIN_GRP *grp)
854 if (num_sam_entries == 0)
857 sam = (SAM_ENTRY *)talloc_zero(ctx, sizeof(SAM_ENTRY)*num_sam_entries);
859 uni_name = (UNISTR2 *)talloc_zero(ctx, sizeof(UNISTR2)*num_sam_entries);
861 if (sam == NULL || uni_name == NULL) {
862 DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n"));
866 for (i = 0; i < num_sam_entries; i++) {
868 * JRA. I think this should include the null. TNG does not.
870 init_unistr2(&uni_name[i], grp[i].name, UNI_STR_TERMINATE);
871 init_sam_entry(&sam[i], &uni_name[i], grp[i].rid);
875 *uni_name_pp = uni_name;
878 /*******************************************************************
879 Get the group entries - similar to get_sampwd_entries().
880 ******************************************************************/
882 static NTSTATUS get_group_entries( enum SID_NAME_USE type, TALLOC_CTX *ctx,
883 DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx,
884 uint32 *p_num_entries, uint32 max_entries )
888 uint32 group_entries = 0;
889 uint32 num_entries = 0;
893 /* access checks for the users were performed higher up. become/unbecome_root()
894 needed for some passdb backends to enumerate groups */
897 pdb_enum_group_mapping(type, &map, (int *)&group_entries, ENUM_ONLY_MAPPED);
900 num_entries=group_entries-start_idx;
902 /* limit the number of entries */
903 if (num_entries>max_entries) {
904 DEBUG(5,("Limiting to %d entries\n", max_entries));
905 num_entries=max_entries;
908 *d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP));
909 if (num_entries!=0 && *d_grp==NULL){
911 return NT_STATUS_NO_MEMORY;
914 for (i=0; i<num_entries; i++) {
915 fstrcpy((*d_grp)[i].name, map[i+start_idx].nt_name);
916 fstrcpy((*d_grp)[i].comment, map[i+start_idx].comment);
917 sid_split_rid(&map[i+start_idx].sid, &(*d_grp)[i].rid);
918 (*d_grp)[i].attr=type;
923 *p_num_entries = num_entries;
925 DEBUG(10,("get_group_entries: returning %d entries\n", *p_num_entries));
930 /*******************************************************************
931 Wrapper for enuemrating domain groups
932 ******************************************************************/
934 static NTSTATUS get_group_domain_entries( TALLOC_CTX *ctx, DOMAIN_GRP **d_grp,
935 DOM_SID *sid, uint32 start_idx,
936 uint32 *p_num_entries, uint32 max_entries )
938 return get_group_entries( SID_NAME_DOM_GRP, ctx, d_grp, sid, start_idx,
939 p_num_entries, max_entries );
942 /*******************************************************************
943 Wrapper for enumerating local groups
944 ******************************************************************/
946 static NTSTATUS get_group_alias_entries( TALLOC_CTX *ctx, DOMAIN_GRP **d_grp,
947 DOM_SID *sid, uint32 start_idx,
948 uint32 *p_num_entries, uint32 max_entries)
950 if ( sid_equal(sid, &global_sid_Builtin) ) {
951 return get_group_entries( SID_NAME_WKN_GRP, ctx, d_grp,
952 sid, start_idx, p_num_entries, max_entries );
954 else if ( sid_equal(sid, get_global_sam_sid()) ) {
955 return get_group_entries( SID_NAME_ALIAS, ctx, d_grp,
956 sid, start_idx, p_num_entries, max_entries );
959 /* can't do anything with this SID */
966 /*******************************************************************
967 samr_reply_enum_dom_groups
968 ********************************************************************/
970 NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_R_ENUM_DOM_GROUPS *r_u)
972 DOMAIN_GRP *grp=NULL;
977 r_u->status = NT_STATUS_OK;
979 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted))
980 return NT_STATUS_INVALID_HANDLE;
982 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_groups"))) {
986 DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__));
988 /* the domain group array is being allocated in the function below */
989 if (!NT_STATUS_IS_OK(r_u->status = get_group_domain_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES))) {
993 make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp);
995 init_samr_r_enum_dom_groups(r_u, q_u->start_idx, num_entries);
997 DEBUG(5,("samr_enum_dom_groups: %d\n", __LINE__));
1003 /*******************************************************************
1004 samr_reply_enum_dom_aliases
1005 ********************************************************************/
1007 NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAMR_R_ENUM_DOM_ALIASES *r_u)
1009 DOMAIN_GRP *grp=NULL;
1010 uint32 num_entries = 0;
1016 r_u->status = NT_STATUS_OK;
1018 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted))
1019 return NT_STATUS_INVALID_HANDLE;
1021 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_aliases"))) {
1025 sid_to_string(sid_str, &sid);
1026 DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", sid_str));
1028 status = get_group_alias_entries(p->mem_ctx, &grp, &sid, q_u->start_idx,
1029 &num_entries, MAX_SAM_ENTRIES);
1030 if (NT_STATUS_IS_ERR(status)) return status;
1032 make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp);
1036 init_samr_r_enum_dom_aliases(r_u, q_u->start_idx + num_entries, num_entries);
1038 DEBUG(5,("samr_enum_dom_aliases: %d\n", __LINE__));
1043 /*******************************************************************
1044 samr_reply_query_dispinfo
1045 ********************************************************************/
1047 NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u,
1048 SAMR_R_QUERY_DISPINFO *r_u)
1050 struct samr_info *info = NULL;
1051 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1053 uint32 max_entries=q_u->max_entries;
1054 uint32 enum_context=q_u->start_idx;
1055 uint32 max_size=q_u->max_size;
1057 SAM_DISPINFO_CTR *ctr;
1058 uint32 temp_size=0, total_data_size=0;
1060 uint32 num_account = 0;
1061 enum remote_arch_types ra_type = get_remote_arch();
1062 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1065 DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__));
1066 r_u->status = NT_STATUS_OK;
1068 /* find the policy handle. open a policy on it. */
1069 if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info))
1070 return NT_STATUS_INVALID_HANDLE;
1072 domain_sid = info->sid;
1075 * calculate how many entries we will return.
1077 * - the number of entries the client asked
1078 * - our limit on that
1079 * - the starting point (enumeration context)
1080 * - the buffer size the client will accept
1084 * We are a lot more like W2K. Instead of reading the SAM
1085 * each time to find the records we need to send back,
1086 * we read it once and link that copy to the sam handle.
1087 * For large user list (over the MAX_SAM_ENTRIES)
1088 * it's a definitive win.
1089 * second point to notice: between enumerations
1090 * our sam is now the same as it's a snapshoot.
1091 * third point: got rid of the static SAM_USER_21 struct
1092 * no more intermediate.
1093 * con: it uses much more memory, as a full copy is stored
1096 * If you want to change it, think twice and think
1097 * of the second point , that's really important.
1102 /* Get what we need from the password database */
1103 switch (q_u->switch_level) {
1105 /* When playing with usrmgr, this is necessary
1106 if you want immediate refresh after editing
1107 a user. I would like to do this after the
1108 setuserinfo2, but we do not have access to
1109 the domain handle in that call, only to the
1110 user handle. Where else does this hurt?
1114 /* We cannot do this here - it kills performace. JRA. */
1115 free_samr_users(info);
1120 /* Level 2 is for all machines, otherwise only 'normal' users */
1121 r_u->status=load_sampwd_entries(info, ACB_NORMAL, q_u->switch_level==2);
1123 if (!NT_STATUS_IS_OK(r_u->status)) {
1124 DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n"));
1127 num_account = info->disp_info.num_user_account;
1131 r_u->status = load_group_domain_entries(info, &info->sid);
1132 if (!NT_STATUS_IS_OK(r_u->status))
1134 num_account = info->disp_info.num_group_account;
1137 DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n", (unsigned int)q_u->switch_level ));
1138 return NT_STATUS_INVALID_INFO_CLASS;
1141 /* first limit the number of entries we will return */
1142 if(max_entries > max_sam_entries) {
1143 DEBUG(5, ("samr_reply_query_dispinfo: client requested %d entries, limiting to %d\n", max_entries, max_sam_entries));
1144 max_entries = max_sam_entries;
1147 if (enum_context > num_account) {
1148 DEBUG(5, ("samr_reply_query_dispinfo: enumeration handle over total entries\n"));
1149 return NT_STATUS_NO_MORE_ENTRIES;
1152 /* verify we won't overflow */
1153 if (max_entries > num_account-enum_context) {
1154 max_entries = num_account-enum_context;
1155 DEBUG(5, ("samr_reply_query_dispinfo: only %d entries to return\n", max_entries));
1158 /* calculate the size and limit on the number of entries we will return */
1159 temp_size=max_entries*struct_size;
1161 if (temp_size>max_size) {
1162 max_entries=MIN((max_size/struct_size),max_entries);;
1163 DEBUG(5, ("samr_reply_query_dispinfo: buffer size limits to only %d entries\n", max_entries));
1166 if (!(ctr = (SAM_DISPINFO_CTR *)talloc_zero(p->mem_ctx,sizeof(SAM_DISPINFO_CTR))))
1167 return NT_STATUS_NO_MEMORY;
1171 /* Now create reply structure */
1172 switch (q_u->switch_level) {
1175 if (!(ctr->sam.info1 = (SAM_DISPINFO_1 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_1))))
1176 return NT_STATUS_NO_MEMORY;
1178 disp_ret = init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, max_entries, enum_context,
1179 info->disp_info.disp_user_info, &domain_sid);
1180 if (!NT_STATUS_IS_OK(disp_ret))
1185 if (!(ctr->sam.info2 = (SAM_DISPINFO_2 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_2))))
1186 return NT_STATUS_NO_MEMORY;
1188 disp_ret = init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, max_entries, enum_context,
1189 info->disp_info.disp_user_info, &domain_sid);
1190 if (!NT_STATUS_IS_OK(disp_ret))
1195 if (!(ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_3))))
1196 return NT_STATUS_NO_MEMORY;
1198 disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, max_entries, enum_context, info->disp_info.disp_group_info);
1199 if (!NT_STATUS_IS_OK(disp_ret))
1204 if (!(ctr->sam.info4 = (SAM_DISPINFO_4 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_4))))
1205 return NT_STATUS_NO_MEMORY;
1207 disp_ret = init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, max_entries, enum_context, info->disp_info.disp_user_info);
1208 if (!NT_STATUS_IS_OK(disp_ret))
1213 if (!(ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_5))))
1214 return NT_STATUS_NO_MEMORY;
1216 disp_ret = init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, max_entries, enum_context, info->disp_info.disp_group_info);
1217 if (!NT_STATUS_IS_OK(disp_ret))
1222 ctr->sam.info = NULL;
1223 return NT_STATUS_INVALID_INFO_CLASS;
1226 /* calculate the total size */
1227 total_data_size=num_account*struct_size;
1229 if (enum_context+max_entries < num_account)
1230 r_u->status = STATUS_MORE_ENTRIES;
1232 DEBUG(5, ("_samr_query_dispinfo: %d\n", __LINE__));
1234 init_samr_r_query_dispinfo(r_u, max_entries, total_data_size, temp_size, q_u->switch_level, ctr, r_u->status);
1240 /*******************************************************************
1241 samr_reply_query_aliasinfo
1242 ********************************************************************/
1244 NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_R_QUERY_ALIASINFO *r_u)
1250 r_u->status = NT_STATUS_OK;
1252 DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__));
1254 /* find the policy handle. open a policy on it. */
1255 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted))
1256 return NT_STATUS_INVALID_HANDLE;
1257 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_LOOKUP_INFO, "_samr_query_aliasinfo"))) {
1261 if (!sid_check_is_in_our_domain(&sid) &&
1262 !sid_check_is_in_builtin(&sid))
1263 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1265 if (!pdb_getgrsid(&map, sid))
1266 return NT_STATUS_NO_SUCH_ALIAS;
1268 switch (q_u->switch_level) {
1271 r_u->ctr.switch_value1 = 1;
1272 init_samr_alias_info1(&r_u->ctr.alias.info1, map.nt_name, 1, map.comment);
1276 r_u->ctr.switch_value1 = 3;
1277 init_samr_alias_info3(&r_u->ctr.alias.info3, map.comment);
1280 return NT_STATUS_INVALID_INFO_CLASS;
1283 DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__));
1289 /*******************************************************************
1290 samr_reply_lookup_ids
1291 ********************************************************************/
1293 uint32 _samr_lookup_ids(pipes_struct *p, SAMR_Q_LOOKUP_IDS *q_u, SAMR_R_LOOKUP_IDS *r_u)
1295 uint32 rid[MAX_SAM_ENTRIES];
1296 int num_rids = q_u->num_sids1;
1298 r_u->status = NT_STATUS_OK;
1300 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__));
1302 if (num_rids > MAX_SAM_ENTRIES) {
1303 num_rids = MAX_SAM_ENTRIES;
1304 DEBUG(5,("_samr_lookup_ids: truncating entries to %d\n", num_rids));
1309 SMB_ASSERT_ARRAY(q_u->uni_user_name, num_rids);
1311 for (i = 0; i < num_rids && status == 0; i++)
1313 struct sam_passwd *sam_pass;
1317 fstrcpy(user_name, unistrn2(q_u->uni_user_name[i].buffer,
1318 q_u->uni_user_name[i].uni_str_len));
1320 /* find the user account */
1322 sam_pass = get_smb21pwd_entry(user_name, 0);
1325 if (sam_pass == NULL)
1327 status = 0xC0000000 | NT_STATUS_NO_SUCH_USER;
1332 rid[i] = sam_pass->user_rid;
1338 rid[0] = BUILTIN_ALIAS_RID_USERS;
1340 init_samr_r_lookup_ids(&r_u, num_rids, rid, NT_STATUS_OK);
1342 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__));
1348 /*******************************************************************
1350 ********************************************************************/
1352 NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOKUP_NAMES *r_u)
1354 uint32 rid[MAX_SAM_ENTRIES];
1356 enum SID_NAME_USE type[MAX_SAM_ENTRIES];
1357 enum SID_NAME_USE local_type;
1359 int num_rids = q_u->num_names2;
1364 r_u->status = NT_STATUS_OK;
1366 DEBUG(5,("_samr_lookup_names: %d\n", __LINE__));
1371 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted)) {
1372 init_samr_r_lookup_names(p->mem_ctx, r_u, 0, NULL, NULL, NT_STATUS_OBJECT_TYPE_MISMATCH);
1376 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, 0, "_samr_lookup_names"))) { /* Don't know the acc_bits yet */
1380 if (num_rids > MAX_SAM_ENTRIES) {
1381 num_rids = MAX_SAM_ENTRIES;
1382 DEBUG(5,("_samr_lookup_names: truncating entries to %d\n", num_rids));
1385 DEBUG(5,("_samr_lookup_names: looking name on SID %s\n", sid_to_string(sid_str, &pol_sid)));
1387 for (i = 0; i < num_rids; i++) {
1392 r_u->status = NT_STATUS_NONE_MAPPED;
1394 rid [i] = 0xffffffff;
1395 type[i] = SID_NAME_UNKNOWN;
1397 ret = rpcstr_pull(name, q_u->uni_name[i].buffer, sizeof(name), q_u->uni_name[i].uni_str_len*2, 0);
1400 * we are only looking for a name
1401 * the SID we get back can be outside
1402 * the scope of the pol_sid
1404 * in clear: it prevents to reply to domain\group: yes
1405 * when only builtin\group exists.
1407 * a cleaner code is to add the sid of the domain we're looking in
1408 * to the local_lookup_name function.
1411 if ((ret > 0) && local_lookup_name(name, &sid, &local_type)) {
1412 sid_split_rid(&sid, &local_rid);
1414 if (sid_equal(&sid, &pol_sid)) {
1417 r_u->status = NT_STATUS_OK;
1422 init_samr_r_lookup_names(p->mem_ctx, r_u, num_rids, rid, (uint32 *)type, r_u->status);
1424 DEBUG(5,("_samr_lookup_names: %d\n", __LINE__));
1429 /*******************************************************************
1430 _samr_chgpasswd_user
1431 ********************************************************************/
1433 NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_CHGPASSWD_USER *r_u)
1438 DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__));
1440 r_u->status = NT_STATUS_OK;
1442 rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0);
1443 rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len*2,0);
1445 DEBUG(5,("samr_chgpasswd_user: user: %s wks: %s\n", user_name, wks));
1448 * Pass the user through the NT -> unix user mapping
1452 (void)map_username(user_name);
1455 * UNIX username case mangling not required, pass_oem_change
1456 * is case insensitive.
1459 r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash,
1460 q_u->nt_newpass.pass, q_u->nt_oldhash.hash);
1462 init_samr_r_chgpasswd_user(r_u, r_u->status);
1464 DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__));
1469 /*******************************************************************
1470 makes a SAMR_R_LOOKUP_RIDS structure.
1471 ********************************************************************/
1473 static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, fstring names[],
1474 UNIHDR **pp_hdr_name, UNISTR2 **pp_uni_name)
1477 UNIHDR *hdr_name=NULL;
1478 UNISTR2 *uni_name=NULL;
1480 *pp_uni_name = NULL;
1481 *pp_hdr_name = NULL;
1483 if (num_names != 0) {
1484 hdr_name = (UNIHDR *)talloc_zero(ctx, sizeof(UNIHDR)*num_names);
1485 if (hdr_name == NULL)
1488 uni_name = (UNISTR2 *)talloc_zero(ctx,sizeof(UNISTR2)*num_names);
1489 if (uni_name == NULL)
1493 for (i = 0; i < num_names; i++) {
1494 DEBUG(10, ("names[%d]:%s\n", i, names[i] ? names[i] : ""));
1495 init_unistr2(&uni_name[i], names[i], UNI_FLAGS_NONE);
1496 init_uni_hdr(&hdr_name[i], &uni_name[i]);
1499 *pp_uni_name = uni_name;
1500 *pp_hdr_name = hdr_name;
1505 /*******************************************************************
1507 ********************************************************************/
1509 NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP_RIDS *r_u)
1511 fstring group_names[MAX_SAM_ENTRIES];
1512 uint32 *group_attrs = NULL;
1513 UNIHDR *hdr_name = NULL;
1514 UNISTR2 *uni_name = NULL;
1516 int num_rids = q_u->num_rids1;
1520 r_u->status = NT_STATUS_OK;
1522 DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__));
1524 /* find the policy handle. open a policy on it. */
1525 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted))
1526 return NT_STATUS_INVALID_HANDLE;
1528 if (num_rids > MAX_SAM_ENTRIES) {
1529 num_rids = MAX_SAM_ENTRIES;
1530 DEBUG(5,("_samr_lookup_rids: truncating entries to %d\n", num_rids));
1534 if ((group_attrs = (uint32 *)talloc_zero(p->mem_ctx, num_rids * sizeof(uint32))) == NULL)
1535 return NT_STATUS_NO_MEMORY;
1538 r_u->status = NT_STATUS_NONE_MAPPED;
1540 become_root(); /* lookup_sid can require root privs */
1542 for (i = 0; i < num_rids; i++) {
1546 enum SID_NAME_USE type;
1548 group_attrs[i] = SID_NAME_UNKNOWN;
1549 *group_names[i] = '\0';
1551 if (sid_equal(&pol_sid, get_global_sam_sid())) {
1552 sid_copy(&sid, &pol_sid);
1553 sid_append_rid(&sid, q_u->rid[i]);
1555 if (lookup_sid(&sid, domname, tmpname, &type)) {
1556 r_u->status = NT_STATUS_OK;
1557 group_attrs[i] = (uint32)type;
1558 fstrcpy(group_names[i],tmpname);
1559 DEBUG(5,("_samr_lookup_rids: %s:%d\n", group_names[i], group_attrs[i]));
1566 if(!make_samr_lookup_rids(p->mem_ctx, num_rids, group_names, &hdr_name, &uni_name))
1567 return NT_STATUS_NO_MEMORY;
1569 init_samr_r_lookup_rids(r_u, num_rids, hdr_name, uni_name, group_attrs);
1571 DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__));
1576 /*******************************************************************
1577 _samr_open_user. Safe - gives out no passwd info.
1578 ********************************************************************/
1580 NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USER *r_u)
1582 SAM_ACCOUNT *sampass=NULL;
1584 POLICY_HND domain_pol = q_u->domain_pol;
1585 POLICY_HND *user_pol = &r_u->user_pol;
1586 struct samr_info *info = NULL;
1587 SEC_DESC *psd = NULL;
1589 uint32 des_access = q_u->access_mask;
1594 r_u->status = NT_STATUS_OK;
1596 /* find the domain policy handle and get domain SID / access bits in the domain policy. */
1597 if (!get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted))
1598 return NT_STATUS_INVALID_HANDLE;
1600 if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_user"))) {
1604 nt_status = pdb_init_sam_talloc(p->mem_ctx, &sampass);
1605 if (!NT_STATUS_IS_OK(nt_status)) {
1609 /* append the user's RID to it */
1610 if (!sid_append_rid(&sid, q_u->user_rid))
1611 return NT_STATUS_NO_SUCH_USER;
1613 /* check if access can be granted as requested by client. */
1614 samr_make_usr_obj_sd(p->mem_ctx, &psd, &sd_size, &sid);
1615 se_map_generic(&des_access, &usr_generic_mapping);
1616 if (!NT_STATUS_IS_OK(nt_status =
1617 access_check_samr_object(psd, p->pipe_user.nt_user_token,
1618 des_access, &acc_granted, "_samr_open_user"))) {
1623 ret=pdb_getsampwsid(sampass, &sid);
1626 /* check that the SID exists in our domain. */
1628 return NT_STATUS_NO_SUCH_USER;
1631 pdb_free_sam(&sampass);
1633 /* associate the user's SID and access bits with the new handle. */
1634 if ((info = get_samr_info_by_sid(&sid)) == NULL)
1635 return NT_STATUS_NO_MEMORY;
1636 info->acc_granted = acc_granted;
1638 /* get a (unique) handle. open a policy on it. */
1639 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info))
1640 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1645 /*************************************************************************
1646 get_user_info_10. Safe. Only gives out acb bits.
1647 *************************************************************************/
1649 static NTSTATUS get_user_info_10(TALLOC_CTX *mem_ctx, SAM_USER_INFO_10 *id10, DOM_SID *user_sid)
1651 SAM_ACCOUNT *smbpass=NULL;
1655 nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass);
1657 if (!NT_STATUS_IS_OK(nt_status)) {
1662 ret = pdb_getsampwsid(smbpass, user_sid);
1666 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1667 return NT_STATUS_NO_SUCH_USER;
1670 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
1673 init_sam_user_info10(id10, pdb_get_acct_ctrl(smbpass) );
1675 pdb_free_sam(&smbpass);
1677 return NT_STATUS_OK;
1680 /*************************************************************************
1681 get_user_info_12. OK - this is the killer as it gives out password info.
1682 Ensure that this is only allowed on an encrypted connection with a root
1684 *************************************************************************/
1686 static NTSTATUS get_user_info_12(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_INFO_12 * id12, DOM_SID *user_sid)
1688 SAM_ACCOUNT *smbpass=NULL;
1692 if (!p->ntlmssp_auth_validated)
1693 return NT_STATUS_ACCESS_DENIED;
1695 if (!(p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) || !(p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL))
1696 return NT_STATUS_ACCESS_DENIED;
1699 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
1702 nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass);
1704 if (!NT_STATUS_IS_OK(nt_status)) {
1708 ret = pdb_getsampwsid(smbpass, user_sid);
1711 DEBUG(4, ("User %s not found\n", sid_string_static(user_sid)));
1712 pdb_free_sam(&smbpass);
1713 return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
1716 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
1718 if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
1719 pdb_free_sam(&smbpass);
1720 return NT_STATUS_ACCOUNT_DISABLED;
1724 init_sam_user_info12(id12, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass));
1726 pdb_free_sam(&smbpass);
1728 return NT_STATUS_OK;
1731 /*************************************************************************
1733 *************************************************************************/
1735 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DOM_SID *user_sid)
1737 SAM_ACCOUNT *sampass=NULL;
1740 pdb_init_sam_talloc(mem_ctx, &sampass);
1743 ret = pdb_getsampwsid(sampass, user_sid);
1747 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1748 return NT_STATUS_NO_SUCH_USER;
1751 samr_clear_sam_passwd(sampass);
1753 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
1756 init_sam_user_info20A(id20, sampass);
1758 pdb_free_sam(&sampass);
1760 return NT_STATUS_OK;
1763 /*************************************************************************
1765 *************************************************************************/
1767 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21,
1768 DOM_SID *user_sid, DOM_SID *domain_sid)
1770 SAM_ACCOUNT *sampass=NULL;
1774 nt_status = pdb_init_sam_talloc(mem_ctx, &sampass);
1775 if (!NT_STATUS_IS_OK(nt_status)) {
1780 ret = pdb_getsampwsid(sampass, user_sid);
1784 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1785 return NT_STATUS_NO_SUCH_USER;
1788 samr_clear_sam_passwd(sampass);
1790 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
1793 nt_status = init_sam_user_info21A(id21, sampass, domain_sid);
1795 pdb_free_sam(&sampass);
1797 return NT_STATUS_OK;
1800 /*******************************************************************
1801 _samr_query_userinfo
1802 ********************************************************************/
1804 NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_QUERY_USERINFO *r_u)
1806 SAM_USERINFO_CTR *ctr;
1807 struct samr_info *info = NULL;
1811 r_u->status=NT_STATUS_OK;
1813 /* search for the handle */
1814 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
1815 return NT_STATUS_INVALID_HANDLE;
1817 domain_sid = info->sid;
1819 sid_split_rid(&domain_sid, &rid);
1821 if (!sid_check_is_in_our_domain(&info->sid))
1822 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1824 DEBUG(5,("_samr_query_userinfo: sid:%s\n", sid_string_static(&info->sid)));
1826 ctr = (SAM_USERINFO_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_USERINFO_CTR));
1828 return NT_STATUS_NO_MEMORY;
1832 /* ok! user info levels (lots: see MSDEV help), off we go... */
1833 ctr->switch_value = q_u->switch_value;
1835 switch (q_u->switch_value) {
1837 ctr->info.id10 = (SAM_USER_INFO_10 *)talloc_zero(p->mem_ctx, sizeof(SAM_USER_INFO_10));
1838 if (ctr->info.id10 == NULL)
1839 return NT_STATUS_NO_MEMORY;
1841 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_10(p->mem_ctx, ctr->info.id10, &info->sid)))
1846 /* whoops - got this wrong. i think. or don't understand what's happening. */
1850 info = (void *)&id11;
1852 expire.low = 0xffffffff;
1853 expire.high = 0x7fffffff;
1855 ctr->info.id = (SAM_USER_INFO_11 *)talloc_zero(p->mem_ctx,
1860 ZERO_STRUCTP(ctr->info.id11);
1861 init_sam_user_info11(ctr->info.id11, &expire,
1862 "BROOKFIELDS$", /* name */
1863 0x03ef, /* user rid */
1864 0x201, /* group rid */
1865 0x0080); /* acb info */
1872 ctr->info.id12 = (SAM_USER_INFO_12 *)talloc_zero(p->mem_ctx, sizeof(SAM_USER_INFO_12));
1873 if (ctr->info.id12 == NULL)
1874 return NT_STATUS_NO_MEMORY;
1876 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_12(p, p->mem_ctx, ctr->info.id12, &info->sid)))
1881 ctr->info.id20 = (SAM_USER_INFO_20 *)talloc_zero(p->mem_ctx,sizeof(SAM_USER_INFO_20));
1882 if (ctr->info.id20 == NULL)
1883 return NT_STATUS_NO_MEMORY;
1884 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_20(p->mem_ctx, ctr->info.id20, &info->sid)))
1889 ctr->info.id21 = (SAM_USER_INFO_21 *)talloc_zero(p->mem_ctx,sizeof(SAM_USER_INFO_21));
1890 if (ctr->info.id21 == NULL)
1891 return NT_STATUS_NO_MEMORY;
1892 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_21(p->mem_ctx, ctr->info.id21,
1893 &info->sid, &domain_sid)))
1898 return NT_STATUS_INVALID_INFO_CLASS;
1901 init_samr_r_query_userinfo(r_u, ctr, r_u->status);
1903 DEBUG(5,("_samr_query_userinfo: %d\n", __LINE__));
1908 /*******************************************************************
1909 samr_reply_query_usergroups
1910 ********************************************************************/
1912 NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u)
1914 SAM_ACCOUNT *sam_pass=NULL;
1916 DOM_GID *gids = NULL;
1922 * from the SID in the request:
1923 * we should send back the list of DOMAIN GROUPS
1924 * the user is a member of
1926 * and only the DOMAIN GROUPS
1927 * no ALIASES !!! neither aliases of the domain
1928 * nor aliases of the builtin SID
1933 r_u->status = NT_STATUS_OK;
1935 DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__));
1937 /* find the policy handle. open a policy on it. */
1938 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted))
1939 return NT_STATUS_INVALID_HANDLE;
1941 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_USER_GET_GROUPS, "_samr_query_usergroups"))) {
1945 if (!sid_check_is_in_our_domain(&sid))
1946 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1948 pdb_init_sam(&sam_pass);
1951 ret = pdb_getsampwsid(sam_pass, &sid);
1955 pdb_free_sam(&sam_pass);
1956 return NT_STATUS_NO_SUCH_USER;
1959 if(!get_domain_user_groups(p->mem_ctx, &num_groups, &gids, sam_pass)) {
1960 pdb_free_sam(&sam_pass);
1961 return NT_STATUS_NO_SUCH_GROUP;
1964 /* construct the response. lkclXXXX: gids are not copied! */
1965 init_samr_r_query_usergroups(r_u, num_groups, gids, r_u->status);
1967 DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__));
1969 pdb_free_sam(&sam_pass);
1974 /*******************************************************************
1975 _samr_query_dom_info
1976 ********************************************************************/
1978 NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR_R_QUERY_DOMAIN_INFO *r_u)
1980 struct samr_info *info = NULL;
1982 uint32 min_pass_len,pass_hist,flag;
1983 time_t u_expire, u_min_age;
1984 NTTIME nt_expire, nt_min_age;
1986 time_t u_lock_duration, u_reset_time;
1987 NTTIME nt_lock_duration, nt_reset_time;
1993 uint32 account_policy_temp;
1995 uint32 num_users=0, num_groups=0, num_aliases=0;
1997 if ((ctr = (SAM_UNK_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL)
1998 return NT_STATUS_NO_MEMORY;
2002 r_u->status = NT_STATUS_OK;
2004 DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__));
2006 /* find the policy handle. open a policy on it. */
2007 if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info))
2008 return NT_STATUS_INVALID_HANDLE;
2010 switch (q_u->switch_value) {
2013 account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp);
2014 min_pass_len = account_policy_temp;
2016 account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp);
2017 pass_hist = account_policy_temp;
2019 account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
2020 flag = account_policy_temp;
2022 account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp);
2023 u_expire = account_policy_temp;
2025 account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp);
2026 u_min_age = account_policy_temp;
2028 unix_to_nt_time_abs(&nt_expire, u_expire);
2029 unix_to_nt_time_abs(&nt_min_age, u_min_age);
2031 init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist,
2032 flag, nt_expire, nt_min_age);
2036 r_u->status=load_sampwd_entries(info, ACB_NORMAL, False);
2038 if (!NT_STATUS_IS_OK(r_u->status)) {
2039 DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n"));
2042 num_users=info->disp_info.num_user_account;
2045 r_u->status=load_group_domain_entries(info, get_global_sam_sid());
2046 if (!NT_STATUS_IS_OK(r_u->status)) {
2047 DEBUG(5, ("_samr_query_dispinfo: load_group_domain_entries failed\n"));
2050 num_groups=info->disp_info.num_group_account;
2053 /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */
2054 init_unk_info2(&ctr->info.inf2, lp_workgroup(), global_myname(), (uint32) time(NULL),
2055 num_users, num_groups, num_aliases);
2058 account_policy_get(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout);
2059 unix_to_nt_time_abs(&nt_logout, u_logout);
2061 init_unk_info3(&ctr->info.inf3, nt_logout);
2064 init_unk_info5(&ctr->info.inf5, global_myname());
2067 init_unk_info6(&ctr->info.inf6);
2070 init_unk_info7(&ctr->info.inf7);
2073 account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
2074 u_lock_duration = account_policy_temp;
2076 account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp);
2077 u_reset_time = account_policy_temp;
2079 account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
2080 lockout = account_policy_temp;
2082 unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
2083 unix_to_nt_time_abs(&nt_reset_time, u_reset_time);
2085 init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout);
2088 return NT_STATUS_INVALID_INFO_CLASS;
2091 init_samr_r_query_dom_info(r_u, q_u->switch_value, ctr, NT_STATUS_OK);
2093 DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__));
2098 /*******************************************************************
2100 Create an account, can be either a normal user or a machine.
2101 This funcion will need to be updated for bdc/domain trusts.
2102 ********************************************************************/
2104 NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREATE_USER *r_u)
2106 SAM_ACCOUNT *sam_pass=NULL;
2110 POLICY_HND dom_pol = q_u->domain_pol;
2111 UNISTR2 user_account = q_u->uni_name;
2112 uint16 acb_info = q_u->acb_info;
2113 POLICY_HND *user_pol = &r_u->user_pol;
2114 struct samr_info *info = NULL;
2122 /* check this, when giving away 'add computer to domain' privs */
2123 uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
2125 /* Get the domain SID stored in the domain policy */
2126 if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted))
2127 return NT_STATUS_INVALID_HANDLE;
2129 if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_USER, "_samr_create_user"))) {
2134 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
2135 this parameter is zero (ie, no user type specified) */
2136 return NT_STATUS_INVALID_PARAMETER;
2139 /* find the account: tell the caller if it exists.
2140 lkclXXXX i have *no* idea if this is a problem or not
2141 or even if you are supposed to construct a different
2142 reply if the account already exists...
2145 rpcstr_pull(account, user_account.buffer, sizeof(account), user_account.uni_str_len*2, 0);
2146 strlower_m(account);
2148 pdb_init_sam(&sam_pass);
2151 ret = pdb_getsampwnam(sam_pass, account);
2154 /* this account exists: say so */
2155 pdb_free_sam(&sam_pass);
2156 return NT_STATUS_USER_EXISTS;
2159 pdb_free_sam(&sam_pass);
2162 * NB. VERY IMPORTANT ! This call must be done as the current pipe user,
2163 * *NOT* surrounded by a become_root()/unbecome_root() call. This ensures
2164 * that only people with write access to the smbpasswd file will be able
2165 * to create a user. JRA.
2169 * add the user in the /etc/passwd file or the unix authority system.
2170 * We don't check if the smb_create_user() function succed or not for 2 reasons:
2171 * a) local_password_change() checks for us if the /etc/passwd account really exists
2172 * b) smb_create_user() would return an error if the account already exists
2173 * and as it could return an error also if it can't create the account, it would be tricky.
2175 * So we go the easy way, only check after if the account exists.
2176 * JFM (2/3/2001), to clear any possible bad understanding (-:
2178 * We now have seperate script paramaters for adding users/machines so we
2179 * now have some sainity-checking to match.
2182 DEBUG(10,("checking account %s at pos %lu for $ termination\n",account, (unsigned long)strlen(account)-1));
2185 * we used to have code here that made sure the acb_info flags
2186 * matched with the users named (e.g. an account flags as a machine
2187 * trust account ended in '$'). It has been ifdef'd out for a long
2188 * time, so I replaced it with this comment. --jerry
2191 /* the passdb lookup has failed; check to see if we need to run the
2192 add user/machine script */
2194 pw = Get_Pwnam(account);
2196 /*********************************************************************
2197 * HEADS UP! If we have to create a new user account, we have to get
2198 * a new RID from somewhere. This used to be done by the passdb
2199 * backend. It has been moved into idmap now. Since idmap is now
2200 * wrapped up behind winbind, this means you have to run winbindd if you
2201 * want new accounts to get a new RID when "enable rid algorithm = no".
2202 * Tough. We now have a uniform way of allocating RIDs regardless
2203 * of what ever passdb backend people may use.
2204 * --jerry (2003-07-10)
2205 *********************************************************************/
2209 * we can't check both the ending $ and the acb_info.
2211 * UserManager creates trust accounts (ending in $,
2212 * normal that hidden accounts) with the acb_info equals to ACB_NORMAL.
2215 if (account[strlen(account)-1] == '$')
2216 pstrcpy(add_script, lp_addmachine_script());
2218 pstrcpy(add_script, lp_adduser_script());
2222 all_string_sub(add_script, "%u", account, sizeof(account));
2223 add_ret = smbrun(add_script,NULL);
2224 DEBUG(3,("_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret));
2226 else /* no add user script -- ask winbindd to do it */
2228 if ( !winbind_create_user( account, &new_rid ) ) {
2229 DEBUG(3,("_samr_create_user: winbind_create_user(%s) failed\n",
2236 /* implicit call to getpwnam() next. we have a valid SID coming out of this call */
2238 if ( !NT_STATUS_IS_OK(nt_status = pdb_init_sam_new(&sam_pass, account, new_rid)) )
2241 pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
2243 if (!pdb_add_sam_account(sam_pass)) {
2244 pdb_free_sam(&sam_pass);
2245 DEBUG(0, ("could not add user/computer %s to passdb. Check permissions?\n",
2247 return NT_STATUS_ACCESS_DENIED;
2250 /* Get the user's SID */
2251 sid_copy(&sid, pdb_get_user_sid(sam_pass));
2253 samr_make_usr_obj_sd(p->mem_ctx, &psd, &sd_size, &sid);
2254 se_map_generic(&des_access, &usr_generic_mapping);
2255 if (!NT_STATUS_IS_OK(nt_status =
2256 access_check_samr_object(psd, p->pipe_user.nt_user_token,
2257 des_access, &acc_granted, "_samr_create_user"))) {
2261 /* associate the user's SID with the new handle. */
2262 if ((info = get_samr_info_by_sid(&sid)) == NULL) {
2263 pdb_free_sam(&sam_pass);
2264 return NT_STATUS_NO_MEMORY;
2269 info->acc_granted = acc_granted;
2271 /* get a (unique) handle. open a policy on it. */
2272 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) {
2273 pdb_free_sam(&sam_pass);
2274 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2277 r_u->user_rid=pdb_get_user_rid(sam_pass);
2279 r_u->access_granted = acc_granted;
2281 pdb_free_sam(&sam_pass);
2283 return NT_STATUS_OK;
2286 /*******************************************************************
2287 samr_reply_connect_anon
2288 ********************************************************************/
2290 NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CONNECT_ANON *r_u)
2292 struct samr_info *info = NULL;
2293 uint32 des_access = q_u->access_mask;
2297 if (!pipe_access_check(p)) {
2298 DEBUG(3, ("access denied to samr_connect_anon\n"));
2299 r_u->status = NT_STATUS_ACCESS_DENIED;
2303 /* set up the SAMR connect_anon response */
2305 r_u->status = NT_STATUS_OK;
2307 /* associate the user's SID with the new handle. */
2308 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2309 return NT_STATUS_NO_MEMORY;
2311 /* don't give away the farm but this is probably ok. The SA_RIGHT_SAM_ENUM_DOMAINS
2312 was observed from a win98 client trying to enumerate users (when configured
2313 user level access control on shares) --jerry */
2315 se_map_generic( &des_access, &sam_generic_mapping );
2316 info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN);
2318 info->status = q_u->unknown_0;
2320 /* get a (unique) handle. open a policy on it. */
2321 if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info))
2322 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2327 /*******************************************************************
2329 ********************************************************************/
2331 NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u)
2333 struct samr_info *info = NULL;
2334 SEC_DESC *psd = NULL;
2336 uint32 des_access = q_u->access_mask;
2341 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2345 if (!pipe_access_check(p)) {
2346 DEBUG(3, ("access denied to samr_connect\n"));
2347 r_u->status = NT_STATUS_ACCESS_DENIED;
2351 samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size);
2352 se_map_generic(&des_access, &sam_generic_mapping);
2353 if (!NT_STATUS_IS_OK(nt_status =
2354 access_check_samr_object(psd, p->pipe_user.nt_user_token,
2355 des_access, &acc_granted, "_samr_connect"))) {
2359 r_u->status = NT_STATUS_OK;
2361 /* associate the user's SID and access granted with the new handle. */
2362 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2363 return NT_STATUS_NO_MEMORY;
2365 info->acc_granted = acc_granted;
2366 info->status = q_u->access_mask;
2368 /* get a (unique) handle. open a policy on it. */
2369 if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info))
2370 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2372 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2377 /*******************************************************************
2379 ********************************************************************/
2381 NTSTATUS _samr_connect4(pipes_struct *p, SAMR_Q_CONNECT4 *q_u, SAMR_R_CONNECT4 *r_u)
2383 struct samr_info *info = NULL;
2384 SEC_DESC *psd = NULL;
2386 uint32 des_access = q_u->access_mask;
2391 DEBUG(5,("_samr_connect4: %d\n", __LINE__));
2395 if (!pipe_access_check(p)) {
2396 DEBUG(3, ("access denied to samr_connect4\n"));
2397 r_u->status = NT_STATUS_ACCESS_DENIED;
2401 samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size);
2402 se_map_generic(&des_access, &sam_generic_mapping);
2403 if (!NT_STATUS_IS_OK(nt_status =
2404 access_check_samr_object(psd, p->pipe_user.nt_user_token,
2405 des_access, &acc_granted, "_samr_connect"))) {
2409 r_u->status = NT_STATUS_OK;
2411 /* associate the user's SID and access granted with the new handle. */
2412 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2413 return NT_STATUS_NO_MEMORY;
2415 info->acc_granted = acc_granted;
2416 info->status = q_u->access_mask;
2418 /* get a (unique) handle. open a policy on it. */
2419 if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info))
2420 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2422 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2427 /**********************************************************************
2428 api_samr_lookup_domain
2429 **********************************************************************/
2431 NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_LOOKUP_DOMAIN *r_u)
2433 struct samr_info *info;
2434 fstring domain_name;
2437 r_u->status = NT_STATUS_OK;
2439 if (!find_policy_by_hnd(p, &q_u->connect_pol, (void**)&info))
2440 return NT_STATUS_INVALID_HANDLE;
2442 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted,
2443 SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_lookup_domain")))
2448 rpcstr_pull(domain_name, q_u->uni_domain.buffer, sizeof(domain_name), q_u->uni_domain.uni_str_len*2, 0);
2452 if (!secrets_fetch_domain_sid(domain_name, &sid)) {
2453 r_u->status = NT_STATUS_NO_SUCH_DOMAIN;
2456 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name, sid_string_static(&sid)));
2458 init_samr_r_lookup_domain(r_u, &sid, r_u->status);
2463 /******************************************************************
2464 makes a SAMR_R_ENUM_DOMAINS structure.
2465 ********************************************************************/
2467 static BOOL make_enum_domains(TALLOC_CTX *ctx, SAM_ENTRY **pp_sam,
2468 UNISTR2 **pp_uni_name, uint32 num_sam_entries, fstring doms[])
2474 DEBUG(5, ("make_enum_domains\n"));
2477 *pp_uni_name = NULL;
2479 if (num_sam_entries == 0)
2482 sam = (SAM_ENTRY *)talloc_zero(ctx, sizeof(SAM_ENTRY)*num_sam_entries);
2483 uni_name = (UNISTR2 *)talloc_zero(ctx, sizeof(UNISTR2)*num_sam_entries);
2485 if (sam == NULL || uni_name == NULL)
2488 for (i = 0; i < num_sam_entries; i++) {
2489 init_unistr2(&uni_name[i], doms[i], UNI_FLAGS_NONE);
2490 init_sam_entry(&sam[i], &uni_name[i], 0);
2494 *pp_uni_name = uni_name;
2499 /**********************************************************************
2500 api_samr_enum_domains
2501 **********************************************************************/
2503 NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_ENUM_DOMAINS *r_u)
2505 struct samr_info *info;
2506 uint32 num_entries = 2;
2510 r_u->status = NT_STATUS_OK;
2512 if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info))
2513 return NT_STATUS_INVALID_HANDLE;
2515 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_enum_domains"))) {
2519 name = get_global_sam_name();
2521 fstrcpy(dom[0],name);
2523 fstrcpy(dom[1],"Builtin");
2525 if (!make_enum_domains(p->mem_ctx, &r_u->sam, &r_u->uni_dom_name, num_entries, dom))
2526 return NT_STATUS_NO_MEMORY;
2528 init_samr_r_enum_domains(r_u, q_u->start_idx + num_entries, num_entries);
2533 /*******************************************************************
2535 ********************************************************************/
2537 NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_ALIAS *r_u)
2540 POLICY_HND domain_pol = q_u->dom_pol;
2541 uint32 alias_rid = q_u->rid_alias;
2542 POLICY_HND *alias_pol = &r_u->pol;
2543 struct samr_info *info = NULL;
2544 SEC_DESC *psd = NULL;
2546 uint32 des_access = q_u->access_mask;
2550 r_u->status = NT_STATUS_OK;
2552 /* find the domain policy and get the SID / access bits stored in the domain policy */
2553 if (!get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted))
2554 return NT_STATUS_INVALID_HANDLE;
2556 if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_alias"))) {
2560 /* append the alias' RID to it */
2561 if (!sid_append_rid(&sid, alias_rid))
2562 return NT_STATUS_NO_SUCH_USER;
2564 /*check if access can be granted as requested by client. */
2565 samr_make_ali_obj_sd(p->mem_ctx, &psd, &sd_size);
2566 se_map_generic(&des_access,&ali_generic_mapping);
2567 if (!NT_STATUS_IS_OK(status =
2568 access_check_samr_object(psd, p->pipe_user.nt_user_token,
2569 des_access, &acc_granted, "_samr_open_alias"))) {
2574 * we should check if the rid really exist !!!
2578 /* associate the user's SID with the new handle. */
2579 if ((info = get_samr_info_by_sid(&sid)) == NULL)
2580 return NT_STATUS_NO_MEMORY;
2582 info->acc_granted = acc_granted;
2584 /* get a (unique) handle. open a policy on it. */
2585 if (!create_policy_hnd(p, alias_pol, free_samr_info, (void *)info))
2586 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2591 /*******************************************************************
2593 ********************************************************************/
2595 static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, DOM_SID *sid)
2597 SAM_ACCOUNT *pwd =NULL;
2602 ret = pdb_getsampwsid(pwd, sid);
2610 DEBUG(5, ("set_user_info_10: NULL id10\n"));
2615 /* FIX ME: check if the value is really changed --metze */
2616 if (!pdb_set_acct_ctrl(pwd, id10->acb_info, PDB_CHANGED)) {
2621 if(!pdb_update_sam_account(pwd)) {
2631 /*******************************************************************
2633 ********************************************************************/
2635 static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, DOM_SID *sid)
2637 SAM_ACCOUNT *pwd = NULL;
2641 if(!pdb_getsampwsid(pwd, sid)) {
2647 DEBUG(2, ("set_user_info_12: id12 is NULL\n"));
2652 if (!pdb_set_lanman_passwd (pwd, id12->lm_pwd, PDB_CHANGED)) {
2656 if (!pdb_set_nt_passwd (pwd, id12->nt_pwd, PDB_CHANGED)) {
2660 if (!pdb_set_pass_changed_now (pwd)) {
2665 if(!pdb_update_sam_account(pwd)) {
2674 /*******************************************************************
2675 The GROUPSID field in the SAM_ACCOUNT changed. Try to tell unix.
2676 ********************************************************************/
2677 static BOOL set_unix_primary_group(SAM_ACCOUNT *sampass)
2682 if (!NT_STATUS_IS_OK(sid_to_gid(pdb_get_group_sid(sampass),
2684 DEBUG(2,("Could not get gid for primary group of "
2685 "user %s\n", pdb_get_username(sampass)));
2689 grp = getgrgid(gid);
2692 DEBUG(2,("Could not find primary group %lu for "
2693 "user %s\n", (unsigned long)gid,
2694 pdb_get_username(sampass)));
2698 if (smb_set_primary_group(grp->gr_name,
2699 pdb_get_username(sampass)) != 0) {
2700 DEBUG(2,("Could not set primary group for user %s to "
2702 pdb_get_username(sampass), grp->gr_name));
2710 /*******************************************************************
2712 ********************************************************************/
2714 static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, DOM_SID *sid)
2716 SAM_ACCOUNT *pwd = NULL;
2719 DEBUG(5, ("set_user_info_20: NULL id20\n"));
2725 if (!pdb_getsampwsid(pwd, sid)) {
2730 copy_id20_to_sam_passwd(pwd, id20);
2732 /* write the change out */
2733 if(!pdb_update_sam_account(pwd)) {
2742 /*******************************************************************
2744 ********************************************************************/
2746 static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, DOM_SID *sid)
2748 SAM_ACCOUNT *pwd = NULL;
2751 DEBUG(5, ("set_user_info_21: NULL id21\n"));
2757 if (!pdb_getsampwsid(pwd, sid)) {
2762 copy_id21_to_sam_passwd(pwd, id21);
2765 * The funny part about the previous two calls is
2766 * that pwd still has the password hashes from the
2767 * passdb entry. These have not been updated from
2768 * id21. I don't know if they need to be set. --jerry
2771 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID))
2772 set_unix_primary_group(pwd);
2774 /* write the change out */
2775 if(!pdb_update_sam_account(pwd)) {
2785 /*******************************************************************
2787 ********************************************************************/
2789 static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid)
2791 SAM_ACCOUNT *pwd = NULL;
2792 pstring plaintext_buf;
2797 DEBUG(5, ("set_user_info_23: NULL id23\n"));
2803 if (!pdb_getsampwsid(pwd, sid)) {
2808 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
2809 pdb_get_username(pwd)));
2811 acct_ctrl = pdb_get_acct_ctrl(pwd);
2813 if (!decode_pw_buffer((char*)id23->pass, plaintext_buf, 256, &len)) {
2818 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
2823 copy_id23_to_sam_passwd(pwd, id23);
2825 /* if it's a trust account, don't update /etc/passwd */
2826 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
2827 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
2828 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
2829 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
2831 /* update the UNIX password */
2832 if (lp_unix_password_sync() )
2833 if(!chgpasswd(pdb_get_username(pwd), "", plaintext_buf, True)) {
2839 ZERO_STRUCT(plaintext_buf);
2841 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID))
2842 set_unix_primary_group(pwd);
2844 if(!pdb_update_sam_account(pwd)) {
2854 /*******************************************************************
2856 ********************************************************************/
2858 static BOOL set_user_info_pw(char *pass, DOM_SID *sid)
2860 SAM_ACCOUNT *pwd = NULL;
2862 pstring plaintext_buf;
2867 if (!pdb_getsampwsid(pwd, sid)) {
2872 DEBUG(5, ("Attempting administrator password change for user %s\n",
2873 pdb_get_username(pwd)));
2875 acct_ctrl = pdb_get_acct_ctrl(pwd);
2877 ZERO_STRUCT(plaintext_buf);
2879 if (!decode_pw_buffer(pass, plaintext_buf, 256, &len)) {
2884 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
2889 /* if it's a trust account, don't update /etc/passwd */
2890 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
2891 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
2892 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
2893 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
2895 /* update the UNIX password */
2896 if (lp_unix_password_sync()) {
2897 if(!chgpasswd(pdb_get_username(pwd), "", plaintext_buf, True)) {
2904 ZERO_STRUCT(plaintext_buf);
2906 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
2908 /* update the SAMBA password */
2909 if(!pdb_update_sam_account(pwd)) {
2919 /*******************************************************************
2920 samr_reply_set_userinfo
2921 ********************************************************************/
2923 NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_USERINFO *r_u)
2926 POLICY_HND *pol = &q_u->pol;
2927 uint16 switch_value = q_u->switch_value;
2928 SAM_USERINFO_CTR *ctr = q_u->ctr;
2930 uint32 acc_required;
2932 DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__));
2934 r_u->status = NT_STATUS_OK;
2936 /* find the policy handle. open a policy on it. */
2937 if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted))
2938 return NT_STATUS_INVALID_HANDLE;
2940 acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */
2941 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) {
2945 DEBUG(5, ("_samr_set_userinfo: sid:%s, level:%d\n", sid_string_static(&sid), switch_value));
2948 DEBUG(5, ("_samr_set_userinfo: NULL info level\n"));
2949 return NT_STATUS_INVALID_INFO_CLASS;
2952 /* ok! user info levels (lots: see MSDEV help), off we go... */
2953 switch (switch_value) {
2955 if (!set_user_info_12(ctr->info.id12, &sid))
2956 return NT_STATUS_ACCESS_DENIED;
2960 if (!p->session_key.length) {
2961 return NT_STATUS_NO_USER_SESSION_KEY;
2963 SamOEMhashBlob(ctr->info.id24->pass, 516, &p->session_key);
2965 dump_data(100, (char *)ctr->info.id24->pass, 516);
2967 if (!set_user_info_pw((char *)ctr->info.id24->pass, &sid))
2968 return NT_STATUS_ACCESS_DENIED;
2974 * Currently we don't really know how to unmarshall
2975 * the level 25 struct, and the password encryption
2976 * is different. This is a placeholder for when we
2977 * do understand it. In the meantime just return INVALID
2978 * info level and W2K SP2 drops down to level 23... JRA.
2981 if (!p->session_key.length) {
2982 return NT_STATUS_NO_USER_SESSION_KEY;
2984 SamOEMhashBlob(ctr->info.id25->pass, 532, &p->session_key);
2986 dump_data(100, (char *)ctr->info.id25->pass, 532);
2988 if (!set_user_info_pw(ctr->info.id25->pass, &sid))
2989 return NT_STATUS_ACCESS_DENIED;
2992 return NT_STATUS_INVALID_INFO_CLASS;
2995 if (!p->session_key.length) {
2996 return NT_STATUS_NO_USER_SESSION_KEY;
2998 SamOEMhashBlob(ctr->info.id23->pass, 516, &p->session_key);
3000 dump_data(100, (char *)ctr->info.id23->pass, 516);
3002 if (!set_user_info_23(ctr->info.id23, &sid))
3003 return NT_STATUS_ACCESS_DENIED;
3007 return NT_STATUS_INVALID_INFO_CLASS;
3013 /*******************************************************************
3014 samr_reply_set_userinfo2
3015 ********************************************************************/
3017 NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SET_USERINFO2 *r_u)
3020 SAM_USERINFO_CTR *ctr = q_u->ctr;
3021 POLICY_HND *pol = &q_u->pol;
3022 uint16 switch_value = q_u->switch_value;
3024 uint32 acc_required;
3026 DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__));
3028 r_u->status = NT_STATUS_OK;
3030 /* find the policy handle. open a policy on it. */
3031 if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted))
3032 return NT_STATUS_INVALID_HANDLE;
3034 acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */
3035 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo2"))) {
3039 DEBUG(5, ("samr_reply_set_userinfo2: sid:%s\n", sid_string_static(&sid)));
3042 DEBUG(5, ("samr_reply_set_userinfo2: NULL info level\n"));
3043 return NT_STATUS_INVALID_INFO_CLASS;
3046 switch_value=ctr->switch_value;
3048 /* ok! user info levels (lots: see MSDEV help), off we go... */
3049 switch (switch_value) {
3051 if (!set_user_info_21(ctr->info.id21, &sid))
3052 return NT_STATUS_ACCESS_DENIED;
3055 if (!set_user_info_20(ctr->info.id20, &sid))
3056 return NT_STATUS_ACCESS_DENIED;
3059 if (!set_user_info_10(ctr->info.id10, &sid))
3060 return NT_STATUS_ACCESS_DENIED;
3063 /* Used by AS/U JRA. */
3064 if (!set_user_info_12(ctr->info.id12, &sid))
3065 return NT_STATUS_ACCESS_DENIED;
3068 return NT_STATUS_INVALID_INFO_CLASS;
3074 /*********************************************************************
3075 _samr_query_aliasmem
3076 *********************************************************************/
3078 NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u)
3080 int num_groups = 0, tmp_num_groups=0;
3081 uint32 *rids=NULL, *new_rids=NULL, *tmp_rids=NULL;
3082 struct samr_info *info = NULL;
3088 /* until i see a real useraliases query, we fack one up */
3090 /* I have seen one, JFM 2/12/2001 */
3092 * Explanation of what this call does:
3093 * for all the SID given in the request:
3094 * return a list of alias (local groups)
3095 * that have those SID as members.
3097 * and that's the alias in the domain specified
3098 * in the policy_handle
3100 * if the policy handle is on an incorrect sid
3101 * for example a user's sid
3102 * we should reply NT_STATUS_OBJECT_TYPE_MISMATCH
3105 r_u->status = NT_STATUS_OK;
3107 DEBUG(5,("_samr_query_useraliases: %d\n", __LINE__));
3109 /* find the policy handle. open a policy on it. */
3110 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
3111 return NT_STATUS_INVALID_HANDLE;
3113 ntstatus1 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases");
3114 ntstatus2 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_query_useraliases");
3116 if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
3117 if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
3118 !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {
3119 return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1;
3123 if (!sid_check_is_domain(&info->sid) &&
3124 !sid_check_is_builtin(&info->sid))
3125 return NT_STATUS_OBJECT_TYPE_MISMATCH;
3128 for (i=0; i<q_u->num_sids1; i++) {
3130 r_u->status=get_alias_user_groups(p->mem_ctx, &info->sid, &tmp_num_groups, &tmp_rids, &(q_u->sid[i].sid));
3133 * if there is an error, we just continue as
3134 * it can be an unfound user or group
3136 if (!NT_STATUS_IS_OK(r_u->status)) {
3137 DEBUG(10,("_samr_query_useraliases: an error occured while getting groups\n"));
3141 if (tmp_num_groups==0) {
3142 DEBUG(10,("_samr_query_useraliases: no groups found\n"));
3146 new_rids=(uint32 *)talloc_realloc(p->mem_ctx, rids, (num_groups+tmp_num_groups)*sizeof(uint32));
3147 if (new_rids==NULL) {
3148 DEBUG(0,("_samr_query_useraliases: could not realloc memory\n"));
3149 return NT_STATUS_NO_MEMORY;
3153 for (j=0; j<tmp_num_groups; j++)
3154 rids[j+num_groups]=tmp_rids[j];
3156 safe_free(tmp_rids);
3158 num_groups+=tmp_num_groups;
3161 init_samr_r_query_useraliases(r_u, num_groups, rids, NT_STATUS_OK);
3162 return NT_STATUS_OK;
3165 /*********************************************************************
3166 _samr_query_aliasmem
3167 *********************************************************************/
3169 NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_QUERY_ALIASMEM *r_u)
3181 fstring alias_sid_str;
3184 SAM_ACCOUNT *sam_user = NULL;
3188 /* find the policy handle. open a policy on it. */
3189 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted))
3190 return NT_STATUS_INVALID_HANDLE;
3192 if (!NT_STATUS_IS_OK(r_u->status =
3193 access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_GET_MEMBERS, "_samr_query_aliasmem"))) {
3197 sid_copy(&als_sid, &alias_sid);
3198 sid_to_string(alias_sid_str, &alias_sid);
3199 sid_split_rid(&alias_sid, &alias_rid);
3201 DEBUG(10, ("sid is %s\n", alias_sid_str));
3203 if (sid_equal(&alias_sid, &global_sid_Builtin)) {
3204 DEBUG(10, ("lookup on Builtin SID (S-1-5-32)\n"));
3205 if(!get_builtin_group_from_sid(als_sid, &map))
3206 return NT_STATUS_NO_SUCH_ALIAS;
3208 if (sid_equal(&alias_sid, get_global_sam_sid())) {
3209 DEBUG(10, ("lookup on Server SID\n"));
3210 if(!get_local_group_from_sid(als_sid, &map))
3211 return NT_STATUS_NO_SUCH_ALIAS;
3215 if(!get_uid_list_of_group(map.gid, &uid, &num_uids))
3216 return NT_STATUS_NO_SUCH_ALIAS;
3218 DEBUG(10, ("sid is %s\n", alias_sid_str));
3219 sid = (DOM_SID2 *)talloc_zero(p->mem_ctx, sizeof(DOM_SID2) * num_uids);
3220 if (num_uids!=0 && sid == NULL)
3221 return NT_STATUS_NO_MEMORY;
3223 for (i = 0; i < num_uids; i++) {
3224 struct passwd *pass;
3227 sid_copy(&temp_sid, get_global_sam_sid());
3229 pass = getpwuid_alloc(uid[i]);
3230 if (!pass) continue;
3232 if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_user))) {
3238 check = pdb_getsampwnam(sam_user, pass->pw_name);
3241 if (check != True) {
3242 pdb_free_sam(&sam_user);
3247 rid = pdb_get_user_rid(sam_user);
3249 pdb_free_sam(&sam_user);
3254 pdb_free_sam(&sam_user);
3257 sid_append_rid(&temp_sid, rid);
3259 init_dom_sid2(&sid[i], &temp_sid);
3262 DEBUG(10, ("sid is %s\n", alias_sid_str));
3263 init_samr_r_query_aliasmem(r_u, num_uids, sid, NT_STATUS_OK);
3265 return NT_STATUS_OK;
3268 /*********************************************************************
3269 _samr_query_groupmem
3270 *********************************************************************/
3272 NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u)
3278 fstring group_sid_str;
3286 SAM_ACCOUNT *sam_user = NULL;
3290 /* find the policy handle. open a policy on it. */
3291 if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted))
3292 return NT_STATUS_INVALID_HANDLE;
3294 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_GET_MEMBERS, "_samr_query_groupmem"))) {
3298 /* todo: change to use sid_compare_front */
3300 sid_split_rid(&group_sid, &group_rid);
3301 sid_to_string(group_sid_str, &group_sid);
3302 DEBUG(10, ("sid is %s\n", group_sid_str));
3304 /* can we get a query for an SID outside our domain ? */
3305 if (!sid_equal(&group_sid, get_global_sam_sid()))
3306 return NT_STATUS_NO_SUCH_GROUP;
3308 sid_append_rid(&group_sid, group_rid);
3309 DEBUG(10, ("lookup on Domain SID\n"));
3311 if(!get_domain_group_from_sid(group_sid, &map))
3312 return NT_STATUS_NO_SUCH_GROUP;
3314 if(!get_uid_list_of_group(map.gid, &uid, &num_uids))
3315 return NT_STATUS_NO_SUCH_GROUP;
3317 rid=talloc_zero(p->mem_ctx, sizeof(uint32)*num_uids);
3318 attr=talloc_zero(p->mem_ctx, sizeof(uint32)*num_uids);
3320 if (num_uids!=0 && (rid==NULL || attr==NULL))
3321 return NT_STATUS_NO_MEMORY;
3323 for (i=0; i<num_uids; i++) {
3324 struct passwd *pass;
3327 pass = getpwuid_alloc(uid[i]);
3328 if (!pass) continue;
3330 if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_user))) {
3336 check = pdb_getsampwnam(sam_user, pass->pw_name);
3339 if (check != True) {
3340 pdb_free_sam(&sam_user);
3345 urid = pdb_get_user_rid(sam_user);
3347 pdb_free_sam(&sam_user);
3352 pdb_free_sam(&sam_user);
3356 attr[i] = SID_NAME_USER;
3359 init_samr_r_query_groupmem(r_u, num_uids, rid, attr, NT_STATUS_OK);
3361 return NT_STATUS_OK;
3364 /*********************************************************************
3366 *********************************************************************/
3368 NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_ADD_ALIASMEM *r_u)
3371 fstring alias_sid_str;
3378 SAM_ACCOUNT *sam_user = NULL;
3382 /* Find the policy handle. Open a policy on it. */
3383 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted))
3384 return NT_STATUS_INVALID_HANDLE;
3386 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_ADD_MEMBER, "_samr_add_aliasmem"))) {
3390 sid_to_string(alias_sid_str, &alias_sid);
3391 DEBUG(10, ("sid is %s\n", alias_sid_str));
3393 if (sid_compare(&alias_sid, get_global_sam_sid())>0) {
3394 DEBUG(10, ("adding member on Server SID\n"));
3395 if(!get_local_group_from_sid(alias_sid, &map))
3396 return NT_STATUS_NO_SUCH_ALIAS;
3399 if (sid_compare(&alias_sid, &global_sid_Builtin)>0) {
3400 DEBUG(10, ("adding member on BUILTIN SID\n"));
3401 if( !get_local_group_from_sid(alias_sid, &map))
3402 return NT_STATUS_NO_SUCH_ALIAS;
3405 return NT_STATUS_NO_SUCH_ALIAS;
3408 ret = pdb_init_sam(&sam_user);
3409 if (!NT_STATUS_IS_OK(ret))
3412 check = pdb_getsampwsid(sam_user, &q_u->sid.sid);
3414 if (check != True) {
3415 pdb_free_sam(&sam_user);
3416 return NT_STATUS_NO_SUCH_USER;
3419 /* check a real user exist before we run the script to add a user to a group */
3420 if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) {
3421 pdb_free_sam(&sam_user);
3422 return NT_STATUS_NO_SUCH_USER;
3425 pdb_free_sam(&sam_user);
3427 if ((pwd=getpwuid_alloc(uid)) == NULL) {
3428 return NT_STATUS_NO_SUCH_USER;
3431 if ((grp=getgrgid(map.gid)) == NULL) {
3433 return NT_STATUS_NO_SUCH_ALIAS;
3436 /* we need to copy the name otherwise it's overloaded in user_in_group_list */
3437 fstrcpy(grp_name, grp->gr_name);
3439 /* if the user is already in the group */
3440 if(user_in_unix_group_list(pwd->pw_name, grp_name)) {
3442 return NT_STATUS_MEMBER_IN_ALIAS;
3446 * ok, the group exist, the user exist, the user is not in the group,
3447 * we can (finally) add it to the group !
3449 smb_add_user_group(grp_name, pwd->pw_name);
3451 /* check if the user has been added then ... */
3452 if(!user_in_unix_group_list(pwd->pw_name, grp_name)) {
3454 return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */
3458 return NT_STATUS_OK;
3461 /*********************************************************************
3463 *********************************************************************/
3465 NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DEL_ALIASMEM *r_u)
3468 fstring alias_sid_str;
3472 SAM_ACCOUNT *sam_pass=NULL;
3475 /* Find the policy handle. Open a policy on it. */
3476 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted))
3477 return NT_STATUS_INVALID_HANDLE;
3479 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_REMOVE_MEMBER, "_samr_del_aliasmem"))) {
3483 sid_to_string(alias_sid_str, &alias_sid);
3484 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n", alias_sid_str));
3486 if (!sid_check_is_in_our_domain(&alias_sid) &&
3487 !sid_check_is_in_builtin(&alias_sid)) {
3488 DEBUG(10, ("_samr_del_aliasmem:invalid alias group\n"));
3489 return NT_STATUS_NO_SUCH_ALIAS;
3492 if( !get_local_group_from_sid(alias_sid, &map))
3493 return NT_STATUS_NO_SUCH_ALIAS;
3495 if ((grp=getgrgid(map.gid)) == NULL)
3496 return NT_STATUS_NO_SUCH_ALIAS;
3498 /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */
3499 fstrcpy(grp_name, grp->gr_name);
3501 /* check if the user exists before trying to remove it from the group */
3502 pdb_init_sam(&sam_pass);
3503 if(!pdb_getsampwsid(sam_pass, &q_u->sid.sid)) {
3504 DEBUG(5,("_samr_del_aliasmem:User %s doesn't exist.\n", pdb_get_username(sam_pass)));
3505 pdb_free_sam(&sam_pass);
3506 return NT_STATUS_NO_SUCH_USER;
3509 /* if the user is not in the group */
3510 if(!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
3511 pdb_free_sam(&sam_pass);
3512 return NT_STATUS_MEMBER_IN_ALIAS;
3515 smb_delete_user_group(grp_name, pdb_get_username(sam_pass));
3517 /* check if the user has been removed then ... */
3518 if(user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
3519 pdb_free_sam(&sam_pass);
3520 return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */
3523 pdb_free_sam(&sam_pass);
3524 return NT_STATUS_OK;
3527 /*********************************************************************
3529 *********************************************************************/
3531 NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_ADD_GROUPMEM *r_u)
3535 fstring group_sid_str;
3542 SAM_ACCOUNT *sam_user=NULL;
3546 /* Find the policy handle. Open a policy on it. */
3547 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
3548 return NT_STATUS_INVALID_HANDLE;
3550 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_ADD_MEMBER, "_samr_add_groupmem"))) {
3554 sid_to_string(group_sid_str, &group_sid);
3555 DEBUG(10, ("sid is %s\n", group_sid_str));
3557 if (sid_compare(&group_sid, get_global_sam_sid())<=0)
3558 return NT_STATUS_NO_SUCH_GROUP;
3560 DEBUG(10, ("lookup on Domain SID\n"));
3562 if(!get_domain_group_from_sid(group_sid, &map))
3563 return NT_STATUS_NO_SUCH_GROUP;
3565 sid_copy(&user_sid, get_global_sam_sid());
3566 sid_append_rid(&user_sid, q_u->rid);
3568 ret = pdb_init_sam(&sam_user);
3569 if (!NT_STATUS_IS_OK(ret))
3572 check = pdb_getsampwsid(sam_user, &user_sid);
3574 if (check != True) {
3575 pdb_free_sam(&sam_user);
3576 return NT_STATUS_NO_SUCH_USER;
3579 /* check a real user exist before we run the script to add a user to a group */
3580 if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) {
3581 pdb_free_sam(&sam_user);
3582 return NT_STATUS_NO_SUCH_USER;
3585 pdb_free_sam(&sam_user);
3587 if ((pwd=getpwuid_alloc(uid)) == NULL) {
3588 return NT_STATUS_NO_SUCH_USER;
3591 if ((grp=getgrgid(map.gid)) == NULL) {
3593 return NT_STATUS_NO_SUCH_GROUP;
3596 /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */
3597 fstrcpy(grp_name, grp->gr_name);
3599 /* if the user is already in the group */
3600 if(user_in_unix_group_list(pwd->pw_name, grp_name)) {
3602 return NT_STATUS_MEMBER_IN_GROUP;
3606 * ok, the group exist, the user exist, the user is not in the group,
3608 * we can (finally) add it to the group !
3611 smb_add_user_group(grp_name, pwd->pw_name);
3613 /* check if the user has been added then ... */
3614 if(!user_in_unix_group_list(pwd->pw_name, grp_name)) {
3616 return NT_STATUS_MEMBER_NOT_IN_GROUP; /* don't know what to reply else */
3620 return NT_STATUS_OK;
3623 /*********************************************************************
3625 *********************************************************************/
3627 NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DEL_GROUPMEM *r_u)
3631 SAM_ACCOUNT *sam_pass=NULL;
3638 * delete the group member named q_u->rid
3639 * who is a member of the sid associated with the handle
3640 * the rid is a user's rid as the group is a domain group.
3643 /* Find the policy handle. Open a policy on it. */
3644 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
3645 return NT_STATUS_INVALID_HANDLE;
3647 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_REMOVE_MEMBER, "_samr_del_groupmem"))) {
3651 if (!sid_check_is_in_our_domain(&group_sid))
3652 return NT_STATUS_NO_SUCH_GROUP;
3654 sid_copy(&user_sid, get_global_sam_sid());
3655 sid_append_rid(&user_sid, q_u->rid);
3657 if (!get_domain_group_from_sid(group_sid, &map))
3658 return NT_STATUS_NO_SUCH_GROUP;
3660 if ((grp=getgrgid(map.gid)) == NULL)
3661 return NT_STATUS_NO_SUCH_GROUP;
3663 /* we need to copy the name otherwise it's overloaded in user_in_group_list */
3664 fstrcpy(grp_name, grp->gr_name);
3666 /* check if the user exists before trying to remove it from the group */
3667 pdb_init_sam(&sam_pass);
3668 if (!pdb_getsampwsid(sam_pass, &user_sid)) {
3669 DEBUG(5,("User %s doesn't exist.\n", pdb_get_username(sam_pass)));
3670 pdb_free_sam(&sam_pass);
3671 return NT_STATUS_NO_SUCH_USER;
3674 /* if the user is not in the group */
3675 if (!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
3676 pdb_free_sam(&sam_pass);
3677 return NT_STATUS_MEMBER_NOT_IN_GROUP;
3680 smb_delete_user_group(grp_name, pdb_get_username(sam_pass));
3682 /* check if the user has been removed then ... */
3683 if (user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
3684 pdb_free_sam(&sam_pass);
3685 return NT_STATUS_ACCESS_DENIED; /* don't know what to reply else */
3688 pdb_free_sam(&sam_pass);
3689 return NT_STATUS_OK;
3693 /****************************************************************************
3694 Delete a UNIX user on demand.
3695 ****************************************************************************/
3697 static int smb_delete_user(const char *unix_user)
3702 /* try winbindd first since it is impossible to determine where
3703 a user came from via NSS. Try the delete user script if this fails
3704 meaning the user did not exist in winbindd's list of accounts */
3706 if ( winbind_delete_user( unix_user ) ) {
3707 DEBUG(3,("winbind_delete_user: removed user (%s)\n", unix_user));
3712 /* fall back to 'delete user script' */
3714 pstrcpy(del_script, lp_deluser_script());
3717 all_string_sub(del_script, "%u", unix_user, sizeof(pstring));
3718 ret = smbrun(del_script,NULL);
3719 DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret));
3724 /*********************************************************************
3725 _samr_delete_dom_user
3726 *********************************************************************/
3728 NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAMR_R_DELETE_DOM_USER *r_u )
3731 SAM_ACCOUNT *sam_pass=NULL;
3734 DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__));
3736 /* Find the policy handle. Open a policy on it. */
3737 if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &user_sid, &acc_granted))
3738 return NT_STATUS_INVALID_HANDLE;
3740 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_user"))) {
3744 if (!sid_check_is_in_our_domain(&user_sid))
3745 return NT_STATUS_CANNOT_DELETE;
3747 /* check if the user exists before trying to delete */
3748 pdb_init_sam(&sam_pass);
3749 if(!pdb_getsampwsid(sam_pass, &user_sid)) {
3750 DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n",
3751 sid_string_static(&user_sid)));
3752 pdb_free_sam(&sam_pass);
3753 return NT_STATUS_NO_SUCH_USER;
3756 /* delete the unix side */
3758 * note: we don't check if the delete really happened
3759 * as the script is not necessary present
3760 * and maybe the sysadmin doesn't want to delete the unix side
3762 smb_delete_user(pdb_get_username(sam_pass));
3764 /* and delete the samba side */
3765 if (!pdb_delete_sam_account(sam_pass)) {
3766 DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", pdb_get_username(sam_pass)));
3767 pdb_free_sam(&sam_pass);
3768 return NT_STATUS_CANNOT_DELETE;
3771 pdb_free_sam(&sam_pass);
3773 if (!close_policy_hnd(p, &q_u->user_pol))
3774 return NT_STATUS_OBJECT_NAME_INVALID;
3776 return NT_STATUS_OK;
3779 /*********************************************************************
3780 _samr_delete_dom_group
3781 *********************************************************************/
3783 NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, SAMR_R_DELETE_DOM_GROUP *r_u)
3788 fstring group_sid_str;
3794 DEBUG(5, ("samr_delete_dom_group: %d\n", __LINE__));
3796 /* Find the policy handle. Open a policy on it. */
3797 if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted))
3798 return NT_STATUS_INVALID_HANDLE;
3800 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_group"))) {
3804 sid_copy(&dom_sid, &group_sid);
3805 sid_to_string(group_sid_str, &dom_sid);
3806 sid_split_rid(&dom_sid, &group_rid);
3808 DEBUG(10, ("sid is %s\n", group_sid_str));
3810 /* we check if it's our SID before deleting */
3811 if (!sid_equal(&dom_sid, get_global_sam_sid()))
3812 return NT_STATUS_NO_SUCH_GROUP;
3814 DEBUG(10, ("lookup on Domain SID\n"));
3816 if(!get_domain_group_from_sid(group_sid, &map))
3817 return NT_STATUS_NO_SUCH_GROUP;
3821 /* check if group really exists */
3822 if ( (grp=getgrgid(gid)) == NULL)
3823 return NT_STATUS_NO_SUCH_GROUP;
3825 /* we can delete the UNIX group */
3826 smb_delete_group(grp->gr_name);
3828 /* check if the group has been successfully deleted */
3829 if ( (grp=getgrgid(gid)) != NULL)
3830 return NT_STATUS_ACCESS_DENIED;
3832 if(!pdb_delete_group_mapping_entry(group_sid))
3833 return NT_STATUS_ACCESS_DENIED;
3835 if (!close_policy_hnd(p, &q_u->group_pol))
3836 return NT_STATUS_OBJECT_NAME_INVALID;
3838 return NT_STATUS_OK;
3841 /*********************************************************************
3842 _samr_delete_dom_alias
3843 *********************************************************************/
3845 NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, SAMR_R_DELETE_DOM_ALIAS *r_u)
3850 fstring alias_sid_str;
3856 DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__));
3858 /* Find the policy handle. Open a policy on it. */
3859 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted))
3860 return NT_STATUS_INVALID_HANDLE;
3862 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_alias"))) {
3866 sid_copy(&dom_sid, &alias_sid);
3867 sid_to_string(alias_sid_str, &dom_sid);
3868 sid_split_rid(&dom_sid, &alias_rid);
3870 DEBUG(10, ("sid is %s\n", alias_sid_str));
3872 /* we check if it's our SID before deleting */
3873 if (!sid_equal(&dom_sid, get_global_sam_sid()))
3874 return NT_STATUS_NO_SUCH_ALIAS;
3876 DEBUG(10, ("lookup on Local SID\n"));
3878 if(!get_local_group_from_sid(alias_sid, &map))
3879 return NT_STATUS_NO_SUCH_ALIAS;
3883 /* check if group really exists */
3884 if ( (grp=getgrgid(gid)) == NULL)
3885 return NT_STATUS_NO_SUCH_ALIAS;
3887 /* we can delete the UNIX group */
3888 smb_delete_group(grp->gr_name);
3890 /* check if the group has been successfully deleted */
3891 if ( (grp=getgrgid(gid)) != NULL)
3892 return NT_STATUS_ACCESS_DENIED;
3894 /* don't check if we removed it as it could be an un-mapped group */
3895 pdb_delete_group_mapping_entry(alias_sid);
3897 if (!close_policy_hnd(p, &q_u->alias_pol))
3898 return NT_STATUS_OBJECT_NAME_INVALID;
3900 return NT_STATUS_OK;
3903 /*********************************************************************
3904 _samr_create_dom_group
3905 *********************************************************************/
3907 NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, SAMR_R_CREATE_DOM_GROUP *r_u)
3914 struct samr_info *info;
3918 /* Find the policy handle. Open a policy on it. */
3919 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid, &acc_granted))
3920 return NT_STATUS_INVALID_HANDLE;
3922 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_GROUP, "_samr_create_dom_group"))) {
3926 if (!sid_equal(&dom_sid, get_global_sam_sid()))
3927 return NT_STATUS_ACCESS_DENIED;
3929 /* TODO: check if allowed to create group and add a become_root/unbecome_root pair.*/
3931 unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1);
3933 /* check if group already exist */
3934 if ((grp=getgrnam(name)) != NULL)
3935 return NT_STATUS_GROUP_EXISTS;
3937 /* we can create the UNIX group */
3938 if (smb_create_group(name, &gid) != 0)
3939 return NT_STATUS_ACCESS_DENIED;
3941 /* check if the group has been successfully created */
3942 if ((grp=getgrgid(gid)) == NULL)
3943 return NT_STATUS_ACCESS_DENIED;
3945 r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);
3947 /* add the group to the mapping table */
3948 sid_copy(&info_sid, get_global_sam_sid());
3949 sid_append_rid(&info_sid, r_u->rid);
3950 sid_to_string(sid_string, &info_sid);
3952 if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL))
3953 return NT_STATUS_ACCESS_DENIED;
3955 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
3956 return NT_STATUS_NO_MEMORY;
3958 /* get a (unique) handle. open a policy on it. */
3959 if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info))
3960 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3962 return NT_STATUS_OK;
3965 /*********************************************************************
3966 _samr_create_dom_alias
3967 *********************************************************************/
3969 NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, SAMR_R_CREATE_DOM_ALIAS *r_u)
3976 struct samr_info *info;
3980 /* Find the policy handle. Open a policy on it. */
3981 if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted))
3982 return NT_STATUS_INVALID_HANDLE;
3984 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_ALIAS, "_samr_create_alias"))) {
3988 if (!sid_equal(&dom_sid, get_global_sam_sid()))
3989 return NT_STATUS_ACCESS_DENIED;
3991 /* TODO: check if allowed to create group and add a become_root/unbecome_root pair.*/
3993 unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1);
3995 /* check if group already exists */
3996 if ( (grp=getgrnam(name)) != NULL)
3997 return NT_STATUS_GROUP_EXISTS;
3999 /* we can create the UNIX group */
4000 if (smb_create_group(name, &gid) != 0)
4001 return NT_STATUS_ACCESS_DENIED;
4003 /* check if the group has been successfully created */
4004 if ((grp=getgrgid(gid)) == NULL)
4005 return NT_STATUS_ACCESS_DENIED;
4007 r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);
4009 sid_copy(&info_sid, get_global_sam_sid());
4010 sid_append_rid(&info_sid, r_u->rid);
4011 sid_to_string(sid_string, &info_sid);
4013 /* add the group to the mapping table */
4014 if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, name, NULL))
4015 return NT_STATUS_ACCESS_DENIED;
4017 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
4018 return NT_STATUS_NO_MEMORY;
4020 /* get a (unique) handle. open a policy on it. */
4021 if (!create_policy_hnd(p, &r_u->alias_pol, free_samr_info, (void *)info))
4022 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
4024 return NT_STATUS_OK;
4027 /*********************************************************************
4028 _samr_query_groupinfo
4030 sends the name/comment pair of a domain group
4031 level 1 send also the number of users of that group
4032 *********************************************************************/
4034 NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_R_QUERY_GROUPINFO *r_u)
4040 GROUP_INFO_CTR *ctr;
4044 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
4045 return NT_STATUS_INVALID_HANDLE;
4047 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_LOOKUP_INFO, "_samr_query_groupinfo"))) {
4052 ret = get_domain_group_from_sid(group_sid, &map);
4055 return NT_STATUS_INVALID_HANDLE;
4057 ctr=(GROUP_INFO_CTR *)talloc_zero(p->mem_ctx, sizeof(GROUP_INFO_CTR));
4059 return NT_STATUS_NO_MEMORY;
4061 switch (q_u->switch_level) {
4063 ctr->switch_value1 = 1;
4064 if(!get_uid_list_of_group(map.gid, &uid, &num_uids))
4065 return NT_STATUS_NO_SUCH_GROUP;
4066 init_samr_group_info1(&ctr->group.info1, map.nt_name, map.comment, num_uids);
4070 ctr->switch_value1 = 3;
4071 init_samr_group_info3(&ctr->group.info3);
4074 ctr->switch_value1 = 4;
4075 init_samr_group_info4(&ctr->group.info4, map.comment);
4078 return NT_STATUS_INVALID_INFO_CLASS;
4081 init_samr_r_query_groupinfo(r_u, ctr, NT_STATUS_OK);
4083 return NT_STATUS_OK;
4086 /*********************************************************************
4089 update a domain group's comment.
4090 *********************************************************************/
4092 NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SET_GROUPINFO *r_u)
4096 GROUP_INFO_CTR *ctr;
4099 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
4100 return NT_STATUS_INVALID_HANDLE;
4102 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_SET_INFO, "_samr_set_groupinfo"))) {
4106 if (!get_domain_group_from_sid(group_sid, &map))
4107 return NT_STATUS_NO_SUCH_GROUP;
4111 switch (ctr->switch_value1) {
4113 unistr2_to_ascii(map.comment, &(ctr->group.info1.uni_acct_desc), sizeof(map.comment)-1);
4116 unistr2_to_ascii(map.comment, &(ctr->group.info4.uni_acct_desc), sizeof(map.comment)-1);
4119 return NT_STATUS_INVALID_INFO_CLASS;
4122 if(!pdb_update_group_mapping_entry(&map)) {
4123 return NT_STATUS_NO_SUCH_GROUP;
4126 return NT_STATUS_OK;
4129 /*********************************************************************
4132 update an alias's comment.
4133 *********************************************************************/
4135 NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_SET_ALIASINFO *r_u)
4139 ALIAS_INFO_CTR *ctr;
4142 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted))
4143 return NT_STATUS_INVALID_HANDLE;
4145 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_SET_INFO, "_samr_set_aliasinfo"))) {
4149 if (!get_local_group_from_sid(group_sid, &map))
4150 return NT_STATUS_NO_SUCH_GROUP;
4154 switch (ctr->switch_value1) {
4156 unistr2_to_ascii(map.comment, &(ctr->alias.info3.uni_acct_desc), sizeof(map.comment)-1);
4159 return NT_STATUS_INVALID_INFO_CLASS;
4162 if(!pdb_update_group_mapping_entry(&map)) {
4163 return NT_STATUS_NO_SUCH_GROUP;
4166 return NT_STATUS_OK;
4169 /*********************************************************************
4170 _samr_get_dom_pwinfo
4171 *********************************************************************/
4173 NTSTATUS _samr_get_dom_pwinfo(pipes_struct *p, SAMR_Q_GET_DOM_PWINFO *q_u, SAMR_R_GET_DOM_PWINFO *r_u)
4175 /* Perform access check. Since this rpc does not require a
4176 policy handle it will not be caught by the access checks on
4177 SAMR_CONNECT or SAMR_CONNECT_ANON. */
4179 if (!pipe_access_check(p)) {
4180 DEBUG(3, ("access denied to samr_get_dom_pwinfo\n"));
4181 r_u->status = NT_STATUS_ACCESS_DENIED;
4185 /* Actually, returning zeros here works quite well :-). */
4187 return NT_STATUS_OK;
4190 /*********************************************************************
4192 *********************************************************************/
4194 NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_GROUP *r_u)
4199 struct samr_info *info;
4200 SEC_DESC *psd = NULL;
4202 uint32 des_access = q_u->access_mask;
4208 if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid, &acc_granted))
4209 return NT_STATUS_INVALID_HANDLE;
4211 if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_group"))) {
4215 /*check if access can be granted as requested by client. */
4216 samr_make_grp_obj_sd(p->mem_ctx, &psd, &sd_size);
4217 se_map_generic(&des_access,&grp_generic_mapping);
4218 if (!NT_STATUS_IS_OK(status =
4219 access_check_samr_object(psd, p->pipe_user.nt_user_token,
4220 des_access, &acc_granted, "_samr_open_group"))) {
4225 /* this should not be hard-coded like this */
4226 if (!sid_equal(&sid, get_global_sam_sid()))
4227 return NT_STATUS_ACCESS_DENIED;
4229 sid_copy(&info_sid, get_global_sam_sid());
4230 sid_append_rid(&info_sid, q_u->rid_group);
4231 sid_to_string(sid_string, &info_sid);
4233 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
4234 return NT_STATUS_NO_MEMORY;
4236 info->acc_granted = acc_granted;
4238 DEBUG(10, ("_samr_open_group:Opening SID: %s\n", sid_string));
4240 /* check if that group really exists */
4242 ret = get_domain_group_from_sid(info->sid, &map);
4245 return NT_STATUS_NO_SUCH_GROUP;
4247 /* get a (unique) handle. open a policy on it. */
4248 if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info))
4249 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
4251 return NT_STATUS_OK;
4254 /*********************************************************************
4255 _samr_remove_sid_foreign_domain
4256 *********************************************************************/
4258 NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p,
4259 SAMR_Q_REMOVE_SID_FOREIGN_DOMAIN *q_u,
4260 SAMR_R_REMOVE_SID_FOREIGN_DOMAIN *r_u)
4262 DOM_SID delete_sid, alias_sid;
4263 SAM_ACCOUNT *sam_pass=NULL;
4266 BOOL is_user = False;
4268 enum SID_NAME_USE type = SID_NAME_UNKNOWN;
4270 sid_copy( &delete_sid, &q_u->sid.sid );
4272 DEBUG(5,("_samr_remove_sid_foreign_domain: removing SID [%s]\n",
4273 sid_string_static(&delete_sid)));
4275 /* Find the policy handle. Open a policy on it. */
4277 if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &alias_sid, &acc_granted))
4278 return NT_STATUS_INVALID_HANDLE;
4280 result = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS,
4281 "_samr_remove_sid_foreign_domain");
4283 if (!NT_STATUS_IS_OK(result))
4286 DEBUG(8, ("_samr_remove_sid_foreign_domain:sid is %s\n",
4287 sid_string_static(&alias_sid)));
4289 /* make sure we can handle this */
4291 if ( sid_check_is_domain(&alias_sid) )
4292 type = SID_NAME_DOM_GRP;
4293 else if ( sid_check_is_builtin(&alias_sid) )
4294 type = SID_NAME_ALIAS;
4296 if ( type == SID_NAME_UNKNOWN ) {
4297 DEBUG(10, ("_samr_remove_sid_foreign_domain: can't operate on what we don't own!\n"));
4298 return NT_STATUS_OK;
4301 /* check if the user exists before trying to delete */
4303 pdb_init_sam(&sam_pass);
4305 if ( pdb_getsampwsid(sam_pass, &delete_sid) ) {
4308 /* maybe it is a group */
4309 if( !pdb_getgrsid(&map, delete_sid) ) {
4310 DEBUG(3,("_samr_remove_sid_foreign_domain: %s is not a user or a group!\n",
4311 sid_string_static(&delete_sid)));
4312 result = NT_STATUS_INVALID_SID;
4317 /* we can only delete a user from a group since we don't have
4318 nested groups anyways. So in the latter case, just say OK */
4321 GROUP_MAP *mappings = NULL;
4322 uint32 num_groups, i;
4325 if ( pdb_enum_group_mapping(type, &mappings, &num_groups, False) && num_groups>0 ) {
4327 /* interate over the groups */
4328 for ( i=0; i<num_groups; i++ ) {
4330 grp2 = getgrgid(mappings[i].gid);
4333 DEBUG(0,("_samr_remove_sid_foreign_domain: group mapping without UNIX group!\n"));
4337 if ( !user_in_unix_group_list(pdb_get_username(sam_pass), grp2->gr_name) )
4340 smb_delete_user_group(grp2->gr_name, pdb_get_username(sam_pass));
4342 if ( user_in_unix_group_list(pdb_get_username(sam_pass), grp2->gr_name) ) {
4343 /* should we fail here ? */
4344 DEBUG(0,("_samr_remove_sid_foreign_domain: Delete user [%s] from group [%s] failed!\n",
4345 pdb_get_username(sam_pass), grp2->gr_name ));
4349 DEBUG(10,("_samr_remove_sid_foreign_domain: Removed user [%s] from group [%s]!\n",
4350 pdb_get_username(sam_pass), grp2->gr_name ));
4353 SAFE_FREE(mappings);
4357 result = NT_STATUS_OK;
4360 pdb_free_sam(&sam_pass);
4365 /*******************************************************************
4367 ********************************************************************/
4369 NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOWN_2E *r_u)
4371 struct samr_info *info = NULL;
4373 uint32 min_pass_len,pass_hist,flag;
4374 time_t u_expire, u_min_age;
4375 NTTIME nt_expire, nt_min_age;
4377 time_t u_lock_duration, u_reset_time;
4378 NTTIME nt_lock_duration, nt_reset_time;
4384 uint32 num_users=0, num_groups=0, num_aliases=0;
4386 uint32 account_policy_temp;
4388 if ((ctr = (SAM_UNK_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL)
4389 return NT_STATUS_NO_MEMORY;
4393 r_u->status = NT_STATUS_OK;
4395 DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__));
4397 /* find the policy handle. open a policy on it. */
4398 if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info))
4399 return NT_STATUS_INVALID_HANDLE;
4401 switch (q_u->switch_value) {
4403 account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp);
4404 min_pass_len = account_policy_temp;
4406 account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp);
4407 pass_hist = account_policy_temp;
4409 account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
4410 flag = account_policy_temp;
4412 account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp);
4413 u_expire = account_policy_temp;
4415 account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp);
4416 u_min_age = account_policy_temp;
4418 unix_to_nt_time_abs(&nt_expire, u_expire);
4419 unix_to_nt_time_abs(&nt_min_age, u_min_age);
4421 init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist,
4422 flag, nt_expire, nt_min_age);
4426 r_u->status=load_sampwd_entries(info, ACB_NORMAL, False);
4428 if (!NT_STATUS_IS_OK(r_u->status)) {
4429 DEBUG(5, ("_samr_unknown_2e: load_sampwd_entries failed\n"));
4432 num_users=info->disp_info.num_user_account;
4435 r_u->status=load_group_domain_entries(info, get_global_sam_sid());
4436 if (NT_STATUS_IS_ERR(r_u->status)) {
4437 DEBUG(5, ("_samr_unknown_2e: load_group_domain_entries failed\n"));
4440 num_groups=info->disp_info.num_group_account;
4443 /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */
4444 init_unk_info2(&ctr->info.inf2, lp_workgroup(), global_myname(), (uint32) time(NULL),
4445 num_users, num_groups, num_aliases);
4448 account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp);
4449 u_logout = account_policy_temp;
4451 unix_to_nt_time_abs(&nt_logout, u_logout);
4453 init_unk_info3(&ctr->info.inf3, nt_logout);
4456 init_unk_info5(&ctr->info.inf5, global_myname());
4459 init_unk_info6(&ctr->info.inf6);
4462 init_unk_info7(&ctr->info.inf7);
4465 account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
4466 u_lock_duration = account_policy_temp;
4468 account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp);
4469 u_reset_time = account_policy_temp;
4471 account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
4472 lockout = account_policy_temp;
4474 unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
4475 unix_to_nt_time_abs(&nt_reset_time, u_reset_time);
4477 init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout);
4480 return NT_STATUS_INVALID_INFO_CLASS;
4483 init_samr_r_samr_unknown_2e(r_u, q_u->switch_value, ctr, NT_STATUS_OK);
4485 DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__));
4490 /*******************************************************************
4492 ********************************************************************/
4494 NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R_SET_DOMAIN_INFO *r_u)
4496 time_t u_expire, u_min_age;
4498 time_t u_lock_duration, u_reset_time;
4500 r_u->status = NT_STATUS_OK;
4502 DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__));
4504 /* find the policy handle. open a policy on it. */
4505 if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL))
4506 return NT_STATUS_INVALID_HANDLE;
4508 DEBUG(5,("_samr_set_dom_info: switch_value: %d\n", q_u->switch_value));
4510 switch (q_u->switch_value) {
4512 u_expire=nt_time_to_unix_abs(&q_u->ctr->info.inf1.expire);
4513 u_min_age=nt_time_to_unix_abs(&q_u->ctr->info.inf1.min_passwordage);
4515 account_policy_set(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password);
4516 account_policy_set(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history);
4517 account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag);
4518 account_policy_set(AP_MAX_PASSWORD_AGE, (int)u_expire);
4519 account_policy_set(AP_MIN_PASSWORD_AGE, (int)u_min_age);
4524 u_logout=nt_time_to_unix_abs(&q_u->ctr->info.inf3.logout);
4525 account_policy_set(AP_TIME_TO_LOGOUT, (int)u_logout);
4534 u_lock_duration=nt_time_to_unix_abs(&q_u->ctr->info.inf12.duration);
4535 u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count);
4537 account_policy_set(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
4538 account_policy_set(AP_RESET_COUNT_TIME, (int)u_reset_time);
4539 account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout);
4542 return NT_STATUS_INVALID_INFO_CLASS;
4545 init_samr_r_set_domain_info(r_u, NT_STATUS_OK);
4547 DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__));