2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2008,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 * Copyright (C) Simo Sorce 2003.
13 * Copyright (C) Volker Lendecke 2005.
14 * Copyright (C) Guenther Deschner 2008.
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
31 * This is the implementation of the SAMR code.
37 #define DBGC_CLASS DBGC_RPC_SRV
39 #define SAMR_USR_RIGHTS_WRITE_PW \
40 ( READ_CONTROL_ACCESS | \
41 SAMR_USER_ACCESS_CHANGE_PASSWORD | \
42 SAMR_USER_ACCESS_SET_LOC_COM)
43 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
44 ( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
46 #define DISP_INFO_CACHE_TIMEOUT 10
48 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
49 #define MAX_SAM_ENTRIES_W95 50
51 typedef struct disp_info {
52 DOM_SID sid; /* identify which domain this is. */
53 bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
54 struct pdb_search *users; /* querydispinfo 1 and 4 */
55 struct pdb_search *machines; /* querydispinfo 2 */
56 struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
57 struct pdb_search *aliases; /* enumaliases */
60 struct pdb_search *enum_users; /* enumusers with a mask */
62 struct timed_event *cache_timeout_event; /* cache idle timeout
66 /* We keep a static list of these by SID as modern clients close down
67 all resources between each request in a complete enumeration. */
70 /* for use by the \PIPE\samr policy */
72 bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
73 uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */
79 static const struct generic_mapping sam_generic_mapping = {
80 GENERIC_RIGHTS_SAM_READ,
81 GENERIC_RIGHTS_SAM_WRITE,
82 GENERIC_RIGHTS_SAM_EXECUTE,
83 GENERIC_RIGHTS_SAM_ALL_ACCESS};
84 static const struct generic_mapping dom_generic_mapping = {
85 GENERIC_RIGHTS_DOMAIN_READ,
86 GENERIC_RIGHTS_DOMAIN_WRITE,
87 GENERIC_RIGHTS_DOMAIN_EXECUTE,
88 GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
89 static const struct generic_mapping usr_generic_mapping = {
90 GENERIC_RIGHTS_USER_READ,
91 GENERIC_RIGHTS_USER_WRITE,
92 GENERIC_RIGHTS_USER_EXECUTE,
93 GENERIC_RIGHTS_USER_ALL_ACCESS};
94 static const struct generic_mapping usr_nopwchange_generic_mapping = {
95 GENERIC_RIGHTS_USER_READ,
96 GENERIC_RIGHTS_USER_WRITE,
97 GENERIC_RIGHTS_USER_EXECUTE & ~SAMR_USER_ACCESS_CHANGE_PASSWORD,
98 GENERIC_RIGHTS_USER_ALL_ACCESS};
99 static const struct generic_mapping grp_generic_mapping = {
100 GENERIC_RIGHTS_GROUP_READ,
101 GENERIC_RIGHTS_GROUP_WRITE,
102 GENERIC_RIGHTS_GROUP_EXECUTE,
103 GENERIC_RIGHTS_GROUP_ALL_ACCESS};
104 static const struct generic_mapping ali_generic_mapping = {
105 GENERIC_RIGHTS_ALIAS_READ,
106 GENERIC_RIGHTS_ALIAS_WRITE,
107 GENERIC_RIGHTS_ALIAS_EXECUTE,
108 GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
110 /*******************************************************************
111 *******************************************************************/
113 static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size,
114 const struct generic_mapping *map,
115 DOM_SID *sid, uint32 sid_access )
117 DOM_SID domadmin_sid;
118 SEC_ACE ace[5]; /* at most 5 entries */
123 /* basic access for Everyone */
125 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
126 map->generic_execute | map->generic_read, 0);
128 /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
130 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
131 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
132 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
133 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
135 /* Add Full Access for Domain Admins if we are a DC */
138 sid_copy( &domadmin_sid, get_global_sam_sid() );
139 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
140 init_sec_ace(&ace[i++], &domadmin_sid,
141 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
144 /* if we have a sid, give it some special access */
147 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sid_access, 0);
150 /* create the security descriptor */
152 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
153 return NT_STATUS_NO_MEMORY;
155 if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
156 SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
157 psa, sd_size)) == NULL)
158 return NT_STATUS_NO_MEMORY;
163 /*******************************************************************
164 Checks if access to an object should be granted, and returns that
165 level of access for further checks.
166 ********************************************************************/
168 static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
169 SE_PRIV *rights, uint32 rights_mask,
170 uint32 des_access, uint32 *acc_granted,
173 NTSTATUS status = NT_STATUS_ACCESS_DENIED;
174 uint32 saved_mask = 0;
176 /* check privileges; certain SAM access bits should be overridden
177 by privileges (mostly having to do with creating/modifying/deleting
180 if ( rights && user_has_any_privilege( token, rights ) ) {
182 saved_mask = (des_access & rights_mask);
183 des_access &= ~saved_mask;
185 DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
190 /* check the security descriptor first */
192 status = se_access_check(psd, token, des_access, acc_granted);
193 if (NT_STATUS_IS_OK(status)) {
197 /* give root a free pass */
199 if ( geteuid() == sec_initial_uid() ) {
201 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
202 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
204 *acc_granted = des_access;
206 status = NT_STATUS_OK;
212 /* add in any bits saved during the privilege check (only
213 matters is status is ok) */
215 *acc_granted |= rights_mask;
217 DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
218 debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
219 des_access, *acc_granted));
224 /*******************************************************************
225 Checks if access to a function can be granted
226 ********************************************************************/
228 static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
230 DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
231 debug, acc_granted, acc_required));
233 /* check the security descriptor first */
235 if ( (acc_granted&acc_required) == acc_required )
238 /* give root a free pass */
240 if (geteuid() == sec_initial_uid()) {
242 DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
243 debug, acc_granted, acc_required));
244 DEBUGADD(4,("but overwritten by euid == 0\n"));
249 DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n",
250 debug, acc_granted, acc_required));
252 return NT_STATUS_ACCESS_DENIED;
255 /*******************************************************************
256 Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
257 ********************************************************************/
259 static void map_max_allowed_access(const NT_USER_TOKEN *token,
260 uint32_t *pacc_requested)
262 if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
265 *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
267 /* At least try for generic read. */
268 *pacc_requested = GENERIC_READ_ACCESS;
270 /* root gets anything. */
271 if (geteuid() == sec_initial_uid()) {
272 *pacc_requested |= GENERIC_ALL_ACCESS;
276 /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
278 if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
279 is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
280 *pacc_requested |= GENERIC_ALL_ACCESS;
284 /* Full access for DOMAIN\Domain Admins. */
286 DOM_SID domadmin_sid;
287 sid_copy( &domadmin_sid, get_global_sam_sid() );
288 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
289 if (is_sid_in_token(token, &domadmin_sid)) {
290 *pacc_requested |= GENERIC_ALL_ACCESS;
294 /* TODO ! Check privileges. */
297 /*******************************************************************
298 Fetch or create a dispinfo struct.
299 ********************************************************************/
301 static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid)
304 * We do a static cache for DISP_INFO's here. Explanation can be found
305 * in Jeremy's checkin message to r11793:
307 * Fix the SAMR cache so it works across completely insane
308 * client behaviour (ie.:
309 * open pipe/open SAMR handle/enumerate 0 - 1024
310 * close SAMR handle, close pipe.
311 * open pipe/open SAMR handle/enumerate 1024 - 2048...
312 * close SAMR handle, close pipe.
313 * And on ad-nausium. Amazing.... probably object-oriented
314 * client side programming in action yet again.
315 * This change should *massively* improve performance when
316 * enumerating users from an LDAP database.
319 * "Our" and the builtin domain are the only ones where we ever
320 * enumerate stuff, so just cache 2 entries.
323 static struct disp_info builtin_dispinfo;
324 static struct disp_info domain_dispinfo;
326 /* There are two cases to consider here:
327 1) The SID is a domain SID and we look for an equality match, or
328 2) This is an account SID and so we return the DISP_INFO* for our
335 if (sid_check_is_builtin(psid) || sid_check_is_in_builtin(psid)) {
337 * Necessary only once, but it does not really hurt.
339 sid_copy(&builtin_dispinfo.sid, &global_sid_Builtin);
341 return &builtin_dispinfo;
344 if (sid_check_is_domain(psid) || sid_check_is_in_our_domain(psid)) {
346 * Necessary only once, but it does not really hurt.
348 sid_copy(&domain_dispinfo.sid, get_global_sam_sid());
350 return &domain_dispinfo;
356 /*******************************************************************
357 Create a samr_info struct.
358 ********************************************************************/
360 static struct samr_info *get_samr_info_by_sid(DOM_SID *psid)
362 struct samr_info *info;
367 sid_to_fstring(sid_str, psid);
369 fstrcpy(sid_str,"(NULL)");
372 mem_ctx = talloc_init("samr_info for domain sid %s", sid_str);
374 if ((info = TALLOC_ZERO_P(mem_ctx, struct samr_info)) == NULL)
377 DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str));
379 sid_copy( &info->sid, psid);
380 info->builtin_domain = sid_check_is_builtin(psid);
382 DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n"));
383 info->builtin_domain = False;
385 info->mem_ctx = mem_ctx;
387 info->disp_info = get_samr_dispinfo_by_sid(psid);
392 /*******************************************************************
393 Function to free the per SID data.
394 ********************************************************************/
396 static void free_samr_cache(DISP_INFO *disp_info)
398 DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
399 sid_string_dbg(&disp_info->sid)));
401 /* We need to become root here because the paged search might have to
402 * tell the LDAP server we're not interested in the rest anymore. */
406 if (disp_info->users) {
407 DEBUG(10,("free_samr_cache: deleting users cache\n"));
408 pdb_search_destroy(disp_info->users);
409 disp_info->users = NULL;
411 if (disp_info->machines) {
412 DEBUG(10,("free_samr_cache: deleting machines cache\n"));
413 pdb_search_destroy(disp_info->machines);
414 disp_info->machines = NULL;
416 if (disp_info->groups) {
417 DEBUG(10,("free_samr_cache: deleting groups cache\n"));
418 pdb_search_destroy(disp_info->groups);
419 disp_info->groups = NULL;
421 if (disp_info->aliases) {
422 DEBUG(10,("free_samr_cache: deleting aliases cache\n"));
423 pdb_search_destroy(disp_info->aliases);
424 disp_info->aliases = NULL;
426 if (disp_info->enum_users) {
427 DEBUG(10,("free_samr_cache: deleting enum_users cache\n"));
428 pdb_search_destroy(disp_info->enum_users);
429 disp_info->enum_users = NULL;
431 disp_info->enum_acb_mask = 0;
436 /*******************************************************************
437 Function to free the per handle data.
438 ********************************************************************/
440 static void free_samr_info(void *ptr)
442 struct samr_info *info=(struct samr_info *) ptr;
444 /* Only free the dispinfo cache if no one bothered to set up
447 if (info->disp_info && info->disp_info->cache_timeout_event == NULL) {
448 free_samr_cache(info->disp_info);
451 talloc_destroy(info->mem_ctx);
454 /*******************************************************************
455 Idle event handler. Throw away the disp info cache.
456 ********************************************************************/
458 static void disp_info_cache_idle_timeout_handler(struct event_context *ev_ctx,
459 struct timed_event *te,
460 const struct timeval *now,
463 DISP_INFO *disp_info = (DISP_INFO *)private_data;
465 TALLOC_FREE(disp_info->cache_timeout_event);
467 DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
469 free_samr_cache(disp_info);
472 /*******************************************************************
473 Setup cache removal idle event handler.
474 ********************************************************************/
476 static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow)
478 /* Remove any pending timeout and update. */
480 TALLOC_FREE(disp_info->cache_timeout_event);
482 DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
483 "SID %s for %u seconds\n", sid_string_dbg(&disp_info->sid),
484 (unsigned int)secs_fromnow ));
486 disp_info->cache_timeout_event = event_add_timed(
487 smbd_event_context(), NULL,
488 timeval_current_ofs(secs_fromnow, 0),
489 "disp_info_cache_idle_timeout_handler",
490 disp_info_cache_idle_timeout_handler, (void *)disp_info);
493 /*******************************************************************
494 Force flush any cache. We do this on any samr_set_xxx call.
495 We must also remove the timeout handler.
496 ********************************************************************/
498 static void force_flush_samr_cache(DISP_INFO *disp_info)
500 if ((disp_info == NULL) || (disp_info->cache_timeout_event == NULL)) {
504 DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
505 TALLOC_FREE(disp_info->cache_timeout_event);
506 free_samr_cache(disp_info);
509 /*******************************************************************
510 Ensure password info is never given out. Paranioa... JRA.
511 ********************************************************************/
513 static void samr_clear_sam_passwd(struct samu *sam_pass)
519 /* These now zero out the old password */
521 pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
522 pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
525 static uint32 count_sam_users(struct disp_info *info, uint32 acct_flags)
527 struct samr_displayentry *entry;
529 if (info->builtin_domain) {
530 /* No users in builtin. */
534 if (info->users == NULL) {
535 info->users = pdb_search_users(acct_flags);
536 if (info->users == NULL) {
540 /* Fetch the last possible entry, thus trigger an enumeration */
541 pdb_search_entries(info->users, 0xffffffff, 1, &entry);
543 /* Ensure we cache this enumeration. */
544 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
546 return info->users->num_entries;
549 static uint32 count_sam_groups(struct disp_info *info)
551 struct samr_displayentry *entry;
553 if (info->builtin_domain) {
554 /* No groups in builtin. */
558 if (info->groups == NULL) {
559 info->groups = pdb_search_groups();
560 if (info->groups == NULL) {
564 /* Fetch the last possible entry, thus trigger an enumeration */
565 pdb_search_entries(info->groups, 0xffffffff, 1, &entry);
567 /* Ensure we cache this enumeration. */
568 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
570 return info->groups->num_entries;
573 static uint32 count_sam_aliases(struct disp_info *info)
575 struct samr_displayentry *entry;
577 if (info->aliases == NULL) {
578 info->aliases = pdb_search_aliases(&info->sid);
579 if (info->aliases == NULL) {
583 /* Fetch the last possible entry, thus trigger an enumeration */
584 pdb_search_entries(info->aliases, 0xffffffff, 1, &entry);
586 /* Ensure we cache this enumeration. */
587 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
589 return info->aliases->num_entries;
592 /*******************************************************************
594 ********************************************************************/
596 NTSTATUS _samr_Close(pipes_struct *p, struct samr_Close *r)
598 if (!close_policy_hnd(p, r->in.handle)) {
599 return NT_STATUS_INVALID_HANDLE;
602 ZERO_STRUCTP(r->out.handle);
607 /*******************************************************************
609 ********************************************************************/
611 NTSTATUS _samr_OpenDomain(pipes_struct *p,
612 struct samr_OpenDomain *r)
614 struct samr_info *info;
615 SEC_DESC *psd = NULL;
617 uint32 des_access = r->in.access_mask;
622 /* find the connection policy handle. */
624 if ( !find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info) )
625 return NT_STATUS_INVALID_HANDLE;
627 status = access_check_samr_function(info->acc_granted,
628 SAMR_ACCESS_OPEN_DOMAIN,
629 "_samr_OpenDomain" );
631 if ( !NT_STATUS_IS_OK(status) )
634 /*check if access can be granted as requested by client. */
635 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
637 make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
638 se_map_generic( &des_access, &dom_generic_mapping );
640 se_priv_copy( &se_rights, &se_machine_account );
641 se_priv_add( &se_rights, &se_add_users );
643 status = access_check_samr_object( psd, p->pipe_user.nt_user_token,
644 &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access,
645 &acc_granted, "_samr_OpenDomain" );
647 if ( !NT_STATUS_IS_OK(status) )
650 if (!sid_check_is_domain(r->in.sid) &&
651 !sid_check_is_builtin(r->in.sid)) {
652 return NT_STATUS_NO_SUCH_DOMAIN;
655 /* associate the domain SID with the (unique) handle. */
656 if ((info = get_samr_info_by_sid(r->in.sid))==NULL)
657 return NT_STATUS_NO_MEMORY;
658 info->acc_granted = acc_granted;
660 /* get a (unique) handle. open a policy on it. */
661 if (!create_policy_hnd(p, r->out.domain_handle, free_samr_info, (void *)info))
662 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
664 DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__));
669 /*******************************************************************
671 ********************************************************************/
673 NTSTATUS _samr_GetUserPwInfo(pipes_struct *p,
674 struct samr_GetUserPwInfo *r)
676 struct samr_info *info = NULL;
677 enum lsa_SidType sid_type;
678 uint32_t min_password_length = 0;
679 uint32_t password_properties = 0;
683 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
685 /* find the policy handle. open a policy on it. */
686 if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) {
687 return NT_STATUS_INVALID_HANDLE;
690 status = access_check_samr_function(info->acc_granted,
691 SAMR_USER_ACCESS_GET_ATTRIBUTES,
692 "_samr_GetUserPwInfo" );
693 if (!NT_STATUS_IS_OK(status)) {
697 if (!sid_check_is_in_our_domain(&info->sid)) {
698 return NT_STATUS_OBJECT_TYPE_MISMATCH;
702 ret = lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, &sid_type);
705 return NT_STATUS_NO_SUCH_USER;
711 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
712 &min_password_length);
713 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
714 &password_properties);
717 if (lp_check_password_script() && *lp_check_password_script()) {
718 password_properties |= DOMAIN_PASSWORD_COMPLEX;
726 r->out.info->min_password_length = min_password_length;
727 r->out.info->password_properties = password_properties;
729 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
734 /*******************************************************************
735 ********************************************************************/
737 static bool get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol,
738 DOM_SID *sid, uint32 *acc_granted,
739 DISP_INFO **ppdisp_info)
741 struct samr_info *info = NULL;
743 /* find the policy handle. open a policy on it. */
744 if (!find_policy_by_hnd(p, pol, (void **)(void *)&info))
751 *acc_granted = info->acc_granted;
753 *ppdisp_info = info->disp_info;
759 /*******************************************************************
761 ********************************************************************/
763 NTSTATUS _samr_SetSecurity(pipes_struct *p,
764 struct samr_SetSecurity *r)
767 uint32 acc_granted, i;
770 struct samu *sampass=NULL;
773 if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL))
774 return NT_STATUS_INVALID_HANDLE;
776 if (!(sampass = samu_new( p->mem_ctx))) {
777 DEBUG(0,("No memory!\n"));
778 return NT_STATUS_NO_MEMORY;
781 /* get the user record */
783 ret = pdb_getsampwsid(sampass, &pol_sid);
787 DEBUG(4, ("User %s not found\n", sid_string_dbg(&pol_sid)));
788 TALLOC_FREE(sampass);
789 return NT_STATUS_INVALID_HANDLE;
792 dacl = r->in.sdbuf->sd->dacl;
793 for (i=0; i < dacl->num_aces; i++) {
794 if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) {
795 ret = pdb_set_pass_can_change(sampass,
796 (dacl->aces[i].access_mask &
797 SAMR_USER_ACCESS_CHANGE_PASSWORD) ?
804 TALLOC_FREE(sampass);
805 return NT_STATUS_ACCESS_DENIED;
808 status = access_check_samr_function(acc_granted,
809 SAMR_USER_ACCESS_SET_ATTRIBUTES,
810 "_samr_SetSecurity");
811 if (NT_STATUS_IS_OK(status)) {
813 status = pdb_update_sam_account(sampass);
817 TALLOC_FREE(sampass);
822 /*******************************************************************
823 build correct perms based on policies and password times for _samr_query_sec_obj
824 *******************************************************************/
825 static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid)
827 struct samu *sampass=NULL;
830 if ( !(sampass = samu_new( mem_ctx )) ) {
831 DEBUG(0,("No memory!\n"));
836 ret = pdb_getsampwsid(sampass, user_sid);
840 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
841 TALLOC_FREE(sampass);
845 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
847 if (pdb_get_pass_can_change(sampass)) {
848 TALLOC_FREE(sampass);
851 TALLOC_FREE(sampass);
856 /*******************************************************************
858 ********************************************************************/
860 NTSTATUS _samr_QuerySecurity(pipes_struct *p,
861 struct samr_QuerySecurity *r)
865 SEC_DESC * psd = NULL;
870 if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL))
871 return NT_STATUS_INVALID_HANDLE;
873 DEBUG(10,("_samr_QuerySecurity: querying security on SID: %s\n",
874 sid_string_dbg(&pol_sid)));
876 status = access_check_samr_function(acc_granted,
877 STD_RIGHT_READ_CONTROL_ACCESS,
878 "_samr_QuerySecurity");
879 if (!NT_STATUS_IS_OK(status)) {
883 /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
885 /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
886 if (pol_sid.sid_rev_num == 0) {
887 DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
888 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
889 } else if (sid_equal(&pol_sid,get_global_sam_sid())) {
890 /* check if it is our domain SID */
891 DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
892 "with SID: %s\n", sid_string_dbg(&pol_sid)));
893 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
894 } else if (sid_equal(&pol_sid,&global_sid_Builtin)) {
895 /* check if it is the Builtin Domain */
896 /* TODO: Builtin probably needs a different SD with restricted write access*/
897 DEBUG(5,("_samr_QuerySecurity: querying security on Builtin "
898 "Domain with SID: %s\n", sid_string_dbg(&pol_sid)));
899 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
900 } else if (sid_check_is_in_our_domain(&pol_sid) ||
901 sid_check_is_in_builtin(&pol_sid)) {
902 /* TODO: different SDs have to be generated for aliases groups and users.
903 Currently all three get a default user SD */
904 DEBUG(10,("_samr_QuerySecurity: querying security on Object "
905 "with SID: %s\n", sid_string_dbg(&pol_sid)));
906 if (check_change_pw_access(p->mem_ctx, &pol_sid)) {
907 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
908 &pol_sid, SAMR_USR_RIGHTS_WRITE_PW);
910 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_nopwchange_generic_mapping,
911 &pol_sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
914 return NT_STATUS_OBJECT_TYPE_MISMATCH;
917 if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
918 return NT_STATUS_NO_MEMORY;
923 /*******************************************************************
924 makes a SAM_ENTRY / UNISTR2* structure from a user list.
925 ********************************************************************/
927 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx,
928 struct samr_SamEntry **sam_pp,
929 uint32_t num_entries,
931 struct samr_displayentry *entries)
934 struct samr_SamEntry *sam;
938 if (num_entries == 0) {
942 sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_entries);
944 DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
945 return NT_STATUS_NO_MEMORY;
948 for (i = 0; i < num_entries; i++) {
951 * usrmgr expects a non-NULL terminated string with
952 * trust relationships
954 if (entries[i].acct_flags & ACB_DOMTRUST) {
955 init_unistr2(&uni_temp_name, entries[i].account_name,
958 init_unistr2(&uni_temp_name, entries[i].account_name,
962 init_lsa_String(&sam[i].name, entries[i].account_name);
963 sam[i].idx = entries[i].rid;
971 #define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
973 /*******************************************************************
974 _samr_EnumDomainUsers
975 ********************************************************************/
977 NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
978 struct samr_EnumDomainUsers *r)
981 struct samr_info *info = NULL;
983 uint32 enum_context = *r->in.resume_handle;
984 enum remote_arch_types ra_type = get_remote_arch();
985 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
986 uint32 max_entries = max_sam_entries;
987 struct samr_displayentry *entries = NULL;
988 struct samr_SamArray *samr_array = NULL;
989 struct samr_SamEntry *samr_entries = NULL;
991 /* find the policy handle. open a policy on it. */
992 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
993 return NT_STATUS_INVALID_HANDLE;
995 status = access_check_samr_function(info->acc_granted,
996 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
997 "_samr_EnumDomainUsers");
998 if (!NT_STATUS_IS_OK(status)) {
1002 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
1004 if (info->builtin_domain) {
1005 /* No users in builtin. */
1006 *r->out.resume_handle = *r->in.resume_handle;
1007 DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
1011 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1013 return NT_STATUS_NO_MEMORY;
1020 if ((info->disp_info->enum_users != NULL) &&
1021 (info->disp_info->enum_acb_mask != r->in.acct_flags)) {
1022 pdb_search_destroy(info->disp_info->enum_users);
1023 info->disp_info->enum_users = NULL;
1026 if (info->disp_info->enum_users == NULL) {
1027 info->disp_info->enum_users = pdb_search_users(r->in.acct_flags);
1028 info->disp_info->enum_acb_mask = r->in.acct_flags;
1031 if (info->disp_info->enum_users == NULL) {
1032 /* END AS ROOT !!!! */
1034 return NT_STATUS_ACCESS_DENIED;
1037 num_account = pdb_search_entries(info->disp_info->enum_users,
1038 enum_context, max_entries,
1041 /* END AS ROOT !!!! */
1045 if (num_account == 0) {
1046 DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
1047 "total entries\n"));
1048 *r->out.resume_handle = *r->in.resume_handle;
1049 return NT_STATUS_OK;
1052 status = make_user_sam_entry_list(p->mem_ctx, &samr_entries,
1053 num_account, enum_context,
1055 if (!NT_STATUS_IS_OK(status)) {
1059 if (max_entries <= num_account) {
1060 status = STATUS_MORE_ENTRIES;
1062 status = NT_STATUS_OK;
1065 /* Ensure we cache this enumeration. */
1066 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1068 DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__));
1070 samr_array->count = num_account;
1071 samr_array->entries = samr_entries;
1073 *r->out.resume_handle = *r->in.resume_handle + num_account;
1074 *r->out.sam = samr_array;
1075 *r->out.num_entries = num_account;
1077 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
1082 /*******************************************************************
1083 makes a SAM_ENTRY / UNISTR2* structure from a group list.
1084 ********************************************************************/
1086 static void make_group_sam_entry_list(TALLOC_CTX *ctx,
1087 struct samr_SamEntry **sam_pp,
1088 uint32_t num_sam_entries,
1089 struct samr_displayentry *entries)
1091 struct samr_SamEntry *sam;
1096 if (num_sam_entries == 0) {
1100 sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_sam_entries);
1105 for (i = 0; i < num_sam_entries; i++) {
1107 * JRA. I think this should include the null. TNG does not.
1109 init_lsa_String(&sam[i].name, entries[i].account_name);
1110 sam[i].idx = entries[i].rid;
1116 /*******************************************************************
1117 _samr_EnumDomainGroups
1118 ********************************************************************/
1120 NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
1121 struct samr_EnumDomainGroups *r)
1124 struct samr_info *info = NULL;
1125 struct samr_displayentry *groups;
1127 struct samr_SamArray *samr_array = NULL;
1128 struct samr_SamEntry *samr_entries = NULL;
1130 /* find the policy handle. open a policy on it. */
1131 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1132 return NT_STATUS_INVALID_HANDLE;
1134 status = access_check_samr_function(info->acc_granted,
1135 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
1136 "_samr_EnumDomainGroups");
1137 if (!NT_STATUS_IS_OK(status)) {
1141 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1143 if (info->builtin_domain) {
1144 /* No groups in builtin. */
1145 *r->out.resume_handle = *r->in.resume_handle;
1146 DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
1150 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1152 return NT_STATUS_NO_MEMORY;
1155 /* the domain group array is being allocated in the function below */
1159 if (info->disp_info->groups == NULL) {
1160 info->disp_info->groups = pdb_search_groups();
1162 if (info->disp_info->groups == NULL) {
1164 return NT_STATUS_ACCESS_DENIED;
1168 num_groups = pdb_search_entries(info->disp_info->groups,
1169 *r->in.resume_handle,
1170 MAX_SAM_ENTRIES, &groups);
1173 /* Ensure we cache this enumeration. */
1174 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1176 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1177 num_groups, groups);
1179 samr_array->count = num_groups;
1180 samr_array->entries = samr_entries;
1182 *r->out.sam = samr_array;
1183 *r->out.num_entries = num_groups;
1184 /* this was missing, IMHO:
1185 *r->out.resume_handle = num_groups + *r->in.resume_handle;
1188 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1193 /*******************************************************************
1194 _samr_EnumDomainAliases
1195 ********************************************************************/
1197 NTSTATUS _samr_EnumDomainAliases(pipes_struct *p,
1198 struct samr_EnumDomainAliases *r)
1201 struct samr_info *info;
1202 struct samr_displayentry *aliases;
1203 uint32 num_aliases = 0;
1204 struct samr_SamArray *samr_array = NULL;
1205 struct samr_SamEntry *samr_entries = NULL;
1207 /* find the policy handle. open a policy on it. */
1208 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1209 return NT_STATUS_INVALID_HANDLE;
1211 DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1212 sid_string_dbg(&info->sid)));
1214 status = access_check_samr_function(info->acc_granted,
1215 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
1216 "_samr_EnumDomainAliases");
1217 if (!NT_STATUS_IS_OK(status)) {
1221 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1223 return NT_STATUS_NO_MEMORY;
1228 if (info->disp_info->aliases == NULL) {
1229 info->disp_info->aliases = pdb_search_aliases(&info->sid);
1230 if (info->disp_info->aliases == NULL) {
1232 return NT_STATUS_ACCESS_DENIED;
1236 num_aliases = pdb_search_entries(info->disp_info->aliases,
1237 *r->in.resume_handle,
1238 MAX_SAM_ENTRIES, &aliases);
1241 /* Ensure we cache this enumeration. */
1242 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1244 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1245 num_aliases, aliases);
1247 DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
1249 samr_array->count = num_aliases;
1250 samr_array->entries = samr_entries;
1252 *r->out.sam = samr_array;
1253 *r->out.num_entries = num_aliases;
1254 *r->out.resume_handle = num_aliases + *r->in.resume_handle;
1259 /*******************************************************************
1260 inits a samr_DispInfoGeneral structure.
1261 ********************************************************************/
1263 static NTSTATUS init_samr_dispinfo_1(TALLOC_CTX *ctx,
1264 struct samr_DispInfoGeneral *r,
1265 uint32_t num_entries,
1267 struct samr_displayentry *entries)
1271 DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries));
1273 if (num_entries == 0) {
1274 return NT_STATUS_OK;
1277 r->count = num_entries;
1279 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryGeneral, num_entries);
1281 return NT_STATUS_NO_MEMORY;
1284 for (i = 0; i < num_entries ; i++) {
1286 init_lsa_String(&r->entries[i].account_name,
1287 entries[i].account_name);
1289 init_lsa_String(&r->entries[i].description,
1290 entries[i].description);
1292 init_lsa_String(&r->entries[i].full_name,
1293 entries[i].fullname);
1295 r->entries[i].rid = entries[i].rid;
1296 r->entries[i].acct_flags = entries[i].acct_flags;
1297 r->entries[i].idx = start_idx+i+1;
1300 return NT_STATUS_OK;
1303 /*******************************************************************
1304 inits a samr_DispInfoFull structure.
1305 ********************************************************************/
1307 static NTSTATUS init_samr_dispinfo_2(TALLOC_CTX *ctx,
1308 struct samr_DispInfoFull *r,
1309 uint32_t num_entries,
1311 struct samr_displayentry *entries)
1315 DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries));
1317 if (num_entries == 0) {
1318 return NT_STATUS_OK;
1321 r->count = num_entries;
1323 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFull, num_entries);
1325 return NT_STATUS_NO_MEMORY;
1328 for (i = 0; i < num_entries ; i++) {
1330 init_lsa_String(&r->entries[i].account_name,
1331 entries[i].account_name);
1333 init_lsa_String(&r->entries[i].description,
1334 entries[i].description);
1336 r->entries[i].rid = entries[i].rid;
1337 r->entries[i].acct_flags = entries[i].acct_flags;
1338 r->entries[i].idx = start_idx+i+1;
1341 return NT_STATUS_OK;
1344 /*******************************************************************
1345 inits a samr_DispInfoFullGroups structure.
1346 ********************************************************************/
1348 static NTSTATUS init_samr_dispinfo_3(TALLOC_CTX *ctx,
1349 struct samr_DispInfoFullGroups *r,
1350 uint32_t num_entries,
1352 struct samr_displayentry *entries)
1356 DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries));
1358 if (num_entries == 0) {
1359 return NT_STATUS_OK;
1362 r->count = num_entries;
1364 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFullGroup, num_entries);
1366 return NT_STATUS_NO_MEMORY;
1369 for (i = 0; i < num_entries ; i++) {
1371 init_lsa_String(&r->entries[i].account_name,
1372 entries[i].account_name);
1374 init_lsa_String(&r->entries[i].description,
1375 entries[i].description);
1377 r->entries[i].rid = entries[i].rid;
1378 r->entries[i].acct_flags = entries[i].acct_flags;
1379 r->entries[i].idx = start_idx+i+1;
1382 return NT_STATUS_OK;
1385 /*******************************************************************
1386 inits a samr_DispInfoAscii structure.
1387 ********************************************************************/
1389 static NTSTATUS init_samr_dispinfo_4(TALLOC_CTX *ctx,
1390 struct samr_DispInfoAscii *r,
1391 uint32_t num_entries,
1393 struct samr_displayentry *entries)
1397 DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries));
1399 if (num_entries == 0) {
1400 return NT_STATUS_OK;
1403 r->count = num_entries;
1405 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1407 return NT_STATUS_NO_MEMORY;
1410 for (i = 0; i < num_entries ; i++) {
1412 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1413 entries[i].account_name);
1415 r->entries[i].idx = start_idx+i+1;
1418 return NT_STATUS_OK;
1421 /*******************************************************************
1422 inits a samr_DispInfoAscii structure.
1423 ********************************************************************/
1425 static NTSTATUS init_samr_dispinfo_5(TALLOC_CTX *ctx,
1426 struct samr_DispInfoAscii *r,
1427 uint32_t num_entries,
1429 struct samr_displayentry *entries)
1433 DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries));
1435 if (num_entries == 0) {
1436 return NT_STATUS_OK;
1439 r->count = num_entries;
1441 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1443 return NT_STATUS_NO_MEMORY;
1446 for (i = 0; i < num_entries ; i++) {
1448 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1449 entries[i].account_name);
1451 r->entries[i].idx = start_idx+i+1;
1454 return NT_STATUS_OK;
1457 /*******************************************************************
1458 _samr_QueryDisplayInfo
1459 ********************************************************************/
1461 NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
1462 struct samr_QueryDisplayInfo *r)
1465 struct samr_info *info = NULL;
1466 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1468 uint32 max_entries = r->in.max_entries;
1469 uint32 enum_context = r->in.start_idx;
1470 uint32 max_size = r->in.buf_size;
1472 union samr_DispInfo *disp_info = r->out.info;
1474 uint32 temp_size=0, total_data_size=0;
1475 NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
1476 uint32 num_account = 0;
1477 enum remote_arch_types ra_type = get_remote_arch();
1478 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1479 struct samr_displayentry *entries = NULL;
1481 DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__));
1483 /* find the policy handle. open a policy on it. */
1484 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1485 return NT_STATUS_INVALID_HANDLE;
1487 status = access_check_samr_function(info->acc_granted,
1488 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
1489 "_samr_QueryDisplayInfo");
1490 if (!NT_STATUS_IS_OK(status)) {
1495 * calculate how many entries we will return.
1497 * - the number of entries the client asked
1498 * - our limit on that
1499 * - the starting point (enumeration context)
1500 * - the buffer size the client will accept
1504 * We are a lot more like W2K. Instead of reading the SAM
1505 * each time to find the records we need to send back,
1506 * we read it once and link that copy to the sam handle.
1507 * For large user list (over the MAX_SAM_ENTRIES)
1508 * it's a definitive win.
1509 * second point to notice: between enumerations
1510 * our sam is now the same as it's a snapshoot.
1511 * third point: got rid of the static SAM_USER_21 struct
1512 * no more intermediate.
1513 * con: it uses much more memory, as a full copy is stored
1516 * If you want to change it, think twice and think
1517 * of the second point , that's really important.
1522 if ((r->in.level < 1) || (r->in.level > 5)) {
1523 DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1524 (unsigned int)r->in.level ));
1525 return NT_STATUS_INVALID_INFO_CLASS;
1528 /* first limit the number of entries we will return */
1529 if(max_entries > max_sam_entries) {
1530 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1531 "entries, limiting to %d\n", max_entries,
1533 max_entries = max_sam_entries;
1536 /* calculate the size and limit on the number of entries we will
1539 temp_size=max_entries*struct_size;
1541 if (temp_size>max_size) {
1542 max_entries=MIN((max_size/struct_size),max_entries);;
1543 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1544 "only %d entries\n", max_entries));
1549 /* THe following done as ROOT. Don't return without unbecome_root(). */
1551 switch (r->in.level) {
1554 if (info->disp_info->users == NULL) {
1555 info->disp_info->users = pdb_search_users(ACB_NORMAL);
1556 if (info->disp_info->users == NULL) {
1558 return NT_STATUS_ACCESS_DENIED;
1560 DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1561 (unsigned int)enum_context ));
1563 DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1564 (unsigned int)enum_context ));
1567 num_account = pdb_search_entries(info->disp_info->users,
1568 enum_context, max_entries,
1572 if (info->disp_info->machines == NULL) {
1573 info->disp_info->machines =
1574 pdb_search_users(ACB_WSTRUST|ACB_SVRTRUST);
1575 if (info->disp_info->machines == NULL) {
1577 return NT_STATUS_ACCESS_DENIED;
1579 DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1580 (unsigned int)enum_context ));
1582 DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1583 (unsigned int)enum_context ));
1586 num_account = pdb_search_entries(info->disp_info->machines,
1587 enum_context, max_entries,
1592 if (info->disp_info->groups == NULL) {
1593 info->disp_info->groups = pdb_search_groups();
1594 if (info->disp_info->groups == NULL) {
1596 return NT_STATUS_ACCESS_DENIED;
1598 DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1599 (unsigned int)enum_context ));
1601 DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1602 (unsigned int)enum_context ));
1605 num_account = pdb_search_entries(info->disp_info->groups,
1606 enum_context, max_entries,
1611 smb_panic("info class changed");
1617 /* Now create reply structure */
1618 switch (r->in.level) {
1620 disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1,
1621 num_account, enum_context,
1625 disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2,
1626 num_account, enum_context,
1630 disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3,
1631 num_account, enum_context,
1635 disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4,
1636 num_account, enum_context,
1640 disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5,
1641 num_account, enum_context,
1645 smb_panic("info class changed");
1649 if (!NT_STATUS_IS_OK(disp_ret))
1652 /* calculate the total size */
1653 total_data_size=num_account*struct_size;
1655 if (max_entries <= num_account) {
1656 status = STATUS_MORE_ENTRIES;
1658 status = NT_STATUS_OK;
1661 /* Ensure we cache this enumeration. */
1662 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1664 DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__));
1666 *r->out.total_size = total_data_size;
1667 *r->out.returned_size = temp_size;
1672 /****************************************************************
1673 _samr_QueryDisplayInfo2
1674 ****************************************************************/
1676 NTSTATUS _samr_QueryDisplayInfo2(pipes_struct *p,
1677 struct samr_QueryDisplayInfo2 *r)
1679 struct samr_QueryDisplayInfo q;
1681 q.in.domain_handle = r->in.domain_handle;
1682 q.in.level = r->in.level;
1683 q.in.start_idx = r->in.start_idx;
1684 q.in.max_entries = r->in.max_entries;
1685 q.in.buf_size = r->in.buf_size;
1687 q.out.total_size = r->out.total_size;
1688 q.out.returned_size = r->out.returned_size;
1689 q.out.info = r->out.info;
1691 return _samr_QueryDisplayInfo(p, &q);
1694 /****************************************************************
1695 _samr_QueryDisplayInfo3
1696 ****************************************************************/
1698 NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p,
1699 struct samr_QueryDisplayInfo3 *r)
1701 struct samr_QueryDisplayInfo q;
1703 q.in.domain_handle = r->in.domain_handle;
1704 q.in.level = r->in.level;
1705 q.in.start_idx = r->in.start_idx;
1706 q.in.max_entries = r->in.max_entries;
1707 q.in.buf_size = r->in.buf_size;
1709 q.out.total_size = r->out.total_size;
1710 q.out.returned_size = r->out.returned_size;
1711 q.out.info = r->out.info;
1713 return _samr_QueryDisplayInfo(p, &q);
1716 /*******************************************************************
1717 _samr_QueryAliasInfo
1718 ********************************************************************/
1720 NTSTATUS _samr_QueryAliasInfo(pipes_struct *p,
1721 struct samr_QueryAliasInfo *r)
1724 struct acct_info info;
1727 union samr_AliasInfo *alias_info = NULL;
1728 const char *alias_name = NULL;
1729 const char *alias_description = NULL;
1731 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1733 alias_info = TALLOC_ZERO_P(p->mem_ctx, union samr_AliasInfo);
1735 return NT_STATUS_NO_MEMORY;
1738 /* find the policy handle. open a policy on it. */
1739 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &sid, &acc_granted, NULL))
1740 return NT_STATUS_INVALID_HANDLE;
1742 status = access_check_samr_function(acc_granted,
1743 SAMR_ALIAS_ACCESS_LOOKUP_INFO,
1744 "_samr_QueryAliasInfo");
1745 if (!NT_STATUS_IS_OK(status)) {
1750 status = pdb_get_aliasinfo(&sid, &info);
1753 if ( !NT_STATUS_IS_OK(status))
1756 /* FIXME: info contains fstrings */
1757 alias_name = talloc_strdup(r, info.acct_name);
1758 alias_description = talloc_strdup(r, info.acct_desc);
1760 switch (r->in.level) {
1762 init_samr_alias_info1(&alias_info->all,
1767 case ALIASINFODESCRIPTION:
1768 init_samr_alias_info3(&alias_info->description,
1772 return NT_STATUS_INVALID_INFO_CLASS;
1775 *r->out.info = alias_info;
1777 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1779 return NT_STATUS_OK;
1782 /*******************************************************************
1784 ********************************************************************/
1786 NTSTATUS _samr_LookupNames(pipes_struct *p,
1787 struct samr_LookupNames *r)
1791 enum lsa_SidType *type;
1793 int num_rids = r->in.num_names;
1796 struct samr_Ids rids, types;
1798 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1800 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL)) {
1801 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1804 status = access_check_samr_function(acc_granted,
1805 0, /* Don't know the acc_bits yet */
1806 "_samr_LookupNames");
1807 if (!NT_STATUS_IS_OK(status)) {
1811 if (num_rids > MAX_SAM_ENTRIES) {
1812 num_rids = MAX_SAM_ENTRIES;
1813 DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids));
1816 rid = talloc_array(p->mem_ctx, uint32, num_rids);
1817 NT_STATUS_HAVE_NO_MEMORY(rid);
1819 type = talloc_array(p->mem_ctx, enum lsa_SidType, num_rids);
1820 NT_STATUS_HAVE_NO_MEMORY(type);
1822 DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1823 sid_string_dbg(&pol_sid)));
1825 for (i = 0; i < num_rids; i++) {
1827 status = NT_STATUS_NONE_MAPPED;
1828 type[i] = SID_NAME_UNKNOWN;
1830 rid[i] = 0xffffffff;
1832 if (sid_check_is_builtin(&pol_sid)) {
1833 if (lookup_builtin_name(r->in.names[i].string,
1836 type[i] = SID_NAME_ALIAS;
1839 lookup_global_sam_name(r->in.names[i].string, 0,
1843 if (type[i] != SID_NAME_UNKNOWN) {
1844 status = NT_STATUS_OK;
1848 rids.count = num_rids;
1851 types.count = num_rids;
1854 *r->out.rids = rids;
1855 *r->out.types = types;
1857 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1862 /*******************************************************************
1863 _samr_ChangePasswordUser2
1864 ********************************************************************/
1866 NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
1867 struct samr_ChangePasswordUser2 *r)
1873 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1875 fstrcpy(user_name, r->in.account->string);
1876 fstrcpy(wks, r->in.server->string);
1878 DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
1881 * Pass the user through the NT -> unix user mapping
1885 (void)map_username(user_name);
1888 * UNIX username case mangling not required, pass_oem_change
1889 * is case insensitive.
1892 status = pass_oem_change(user_name,
1893 r->in.lm_password->data,
1894 r->in.lm_verifier->hash,
1895 r->in.nt_password->data,
1896 r->in.nt_verifier->hash,
1899 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1904 /*******************************************************************
1905 _samr_ChangePasswordUser3
1906 ********************************************************************/
1908 NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
1909 struct samr_ChangePasswordUser3 *r)
1913 const char *wks = NULL;
1914 uint32 reject_reason;
1915 struct samr_DomInfo1 *dominfo = NULL;
1916 struct samr_ChangeReject *reject = NULL;
1918 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
1920 fstrcpy(user_name, r->in.account->string);
1921 if (r->in.server && r->in.server->string) {
1922 wks = r->in.server->string;
1925 DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name, wks));
1928 * Pass the user through the NT -> unix user mapping
1932 (void)map_username(user_name);
1935 * UNIX username case mangling not required, pass_oem_change
1936 * is case insensitive.
1939 status = pass_oem_change(user_name,
1940 r->in.lm_password->data,
1941 r->in.lm_verifier->hash,
1942 r->in.nt_password->data,
1943 r->in.nt_verifier->hash,
1946 if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) ||
1947 NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_RESTRICTION)) {
1949 uint32 min_pass_len,pass_hist,password_properties;
1950 time_t u_expire, u_min_age;
1951 NTTIME nt_expire, nt_min_age;
1952 uint32 account_policy_temp;
1954 dominfo = TALLOC_ZERO_P(p->mem_ctx, struct samr_DomInfo1);
1956 return NT_STATUS_NO_MEMORY;
1959 reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject);
1961 return NT_STATUS_NO_MEMORY;
1968 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
1969 min_pass_len = account_policy_temp;
1971 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
1972 pass_hist = account_policy_temp;
1974 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
1975 password_properties = account_policy_temp;
1977 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
1978 u_expire = account_policy_temp;
1980 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
1981 u_min_age = account_policy_temp;
1987 unix_to_nt_time_abs(&nt_expire, u_expire);
1988 unix_to_nt_time_abs(&nt_min_age, u_min_age);
1990 if (lp_check_password_script() && *lp_check_password_script()) {
1991 password_properties |= DOMAIN_PASSWORD_COMPLEX;
1994 init_samr_DomInfo1(dominfo,
1997 password_properties,
2001 reject->reason = reject_reason;
2003 *r->out.dominfo = dominfo;
2004 *r->out.reject = reject;
2007 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
2012 /*******************************************************************
2013 makes a SAMR_R_LOOKUP_RIDS structure.
2014 ********************************************************************/
2016 static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
2018 struct lsa_String **lsa_name_array_p)
2020 struct lsa_String *lsa_name_array = NULL;
2023 *lsa_name_array_p = NULL;
2025 if (num_names != 0) {
2026 lsa_name_array = TALLOC_ZERO_ARRAY(ctx, struct lsa_String, num_names);
2027 if (!lsa_name_array) {
2032 for (i = 0; i < num_names; i++) {
2033 DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : ""));
2034 init_lsa_String(&lsa_name_array[i], names[i]);
2037 *lsa_name_array_p = lsa_name_array;
2042 /*******************************************************************
2044 ********************************************************************/
2046 NTSTATUS _samr_LookupRids(pipes_struct *p,
2047 struct samr_LookupRids *r)
2051 enum lsa_SidType *attrs = NULL;
2052 uint32 *wire_attrs = NULL;
2054 int num_rids = (int)r->in.num_rids;
2057 struct lsa_Strings names_array;
2058 struct samr_Ids types_array;
2059 struct lsa_String *lsa_names = NULL;
2061 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2063 /* find the policy handle. open a policy on it. */
2064 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL))
2065 return NT_STATUS_INVALID_HANDLE;
2067 status = access_check_samr_function(acc_granted,
2068 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
2069 "_samr_LookupRids");
2070 if (!NT_STATUS_IS_OK(status)) {
2074 if (num_rids > 1000) {
2075 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
2076 "to samba4 idl this is not possible\n", num_rids));
2077 return NT_STATUS_UNSUCCESSFUL;
2081 names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
2082 attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum lsa_SidType, num_rids);
2083 wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
2085 if ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))
2086 return NT_STATUS_NO_MEMORY;
2093 become_root(); /* lookup_sid can require root privs */
2094 status = pdb_lookup_rids(&pol_sid, num_rids, r->in.rids,
2098 if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) && (num_rids == 0)) {
2099 status = NT_STATUS_OK;
2102 if (!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
2104 return NT_STATUS_NO_MEMORY;
2107 /* Convert from enum lsa_SidType to uint32 for wire format. */
2108 for (i = 0; i < num_rids; i++) {
2109 wire_attrs[i] = (uint32)attrs[i];
2112 names_array.count = num_rids;
2113 names_array.names = lsa_names;
2115 types_array.count = num_rids;
2116 types_array.ids = wire_attrs;
2118 *r->out.names = names_array;
2119 *r->out.types = types_array;
2121 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2126 /*******************************************************************
2128 ********************************************************************/
2130 NTSTATUS _samr_OpenUser(pipes_struct *p,
2131 struct samr_OpenUser *r)
2133 struct samu *sampass=NULL;
2135 POLICY_HND domain_pol = *r->in.domain_handle;
2136 POLICY_HND *user_pol = r->out.user_handle;
2137 struct samr_info *info = NULL;
2138 SEC_DESC *psd = NULL;
2140 uint32 des_access = r->in.access_mask;
2146 /* find the domain policy handle and get domain SID / access bits in the domain policy. */
2148 if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) )
2149 return NT_STATUS_INVALID_HANDLE;
2151 nt_status = access_check_samr_function(acc_granted,
2152 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
2155 if ( !NT_STATUS_IS_OK(nt_status) )
2158 if ( !(sampass = samu_new( p->mem_ctx )) ) {
2159 return NT_STATUS_NO_MEMORY;
2162 /* append the user's RID to it */
2164 if (!sid_append_rid(&sid, r->in.rid))
2165 return NT_STATUS_NO_SUCH_USER;
2167 /* check if access can be granted as requested by client. */
2169 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
2171 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
2172 se_map_generic(&des_access, &usr_generic_mapping);
2174 se_priv_copy( &se_rights, &se_machine_account );
2175 se_priv_add( &se_rights, &se_add_users );
2177 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2178 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
2179 &acc_granted, "_samr_OpenUser");
2181 if ( !NT_STATUS_IS_OK(nt_status) )
2185 ret=pdb_getsampwsid(sampass, &sid);
2188 /* check that the SID exists in our domain. */
2190 return NT_STATUS_NO_SUCH_USER;
2193 TALLOC_FREE(sampass);
2195 /* associate the user's SID and access bits with the new handle. */
2196 if ((info = get_samr_info_by_sid(&sid)) == NULL)
2197 return NT_STATUS_NO_MEMORY;
2198 info->acc_granted = acc_granted;
2200 /* get a (unique) handle. open a policy on it. */
2201 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info))
2202 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2204 return NT_STATUS_OK;
2207 /*************************************************************************
2208 *************************************************************************/
2210 static NTSTATUS init_samr_parameters_string(TALLOC_CTX *mem_ctx,
2212 struct lsa_BinaryString **_r)
2214 struct lsa_BinaryString *r;
2217 return NT_STATUS_INVALID_PARAMETER;
2220 r = TALLOC_ZERO_P(mem_ctx, struct lsa_BinaryString);
2222 return NT_STATUS_NO_MEMORY;
2225 r->array = TALLOC_ZERO_ARRAY(mem_ctx, uint16_t, blob->length/2);
2227 return NT_STATUS_NO_MEMORY;
2229 memcpy(r->array, blob->data, blob->length);
2230 r->size = blob->length;
2231 r->length = blob->length;
2234 return NT_STATUS_NO_MEMORY;
2239 return NT_STATUS_OK;
2242 /*************************************************************************
2243 get_user_info_7. Safe. Only gives out account_name.
2244 *************************************************************************/
2246 static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx,
2247 struct samr_UserInfo7 *r,
2250 struct samu *smbpass=NULL;
2252 const char *account_name = NULL;
2256 if ( !(smbpass = samu_new( mem_ctx )) ) {
2257 return NT_STATUS_NO_MEMORY;
2261 ret = pdb_getsampwsid(smbpass, user_sid);
2265 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2266 return NT_STATUS_NO_SUCH_USER;
2269 account_name = talloc_strdup(mem_ctx, pdb_get_username(smbpass));
2270 if (!account_name) {
2271 TALLOC_FREE(smbpass);
2272 return NT_STATUS_NO_MEMORY;
2274 TALLOC_FREE(smbpass);
2276 DEBUG(3,("User:[%s]\n", account_name));
2278 init_samr_user_info7(r, account_name);
2280 return NT_STATUS_OK;
2283 /*************************************************************************
2284 get_user_info_9. Only gives out primary group SID.
2285 *************************************************************************/
2287 static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx,
2288 struct samr_UserInfo9 *r,
2291 struct samu *smbpass=NULL;
2296 if ( !(smbpass = samu_new( mem_ctx )) ) {
2297 return NT_STATUS_NO_MEMORY;
2301 ret = pdb_getsampwsid(smbpass, user_sid);
2305 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2306 TALLOC_FREE(smbpass);
2307 return NT_STATUS_NO_SUCH_USER;
2310 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
2312 init_samr_user_info9(r, pdb_get_group_rid(smbpass));
2314 TALLOC_FREE(smbpass);
2316 return NT_STATUS_OK;
2319 /*************************************************************************
2320 get_user_info_16. Safe. Only gives out acb bits.
2321 *************************************************************************/
2323 static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx,
2324 struct samr_UserInfo16 *r,
2327 struct samu *smbpass=NULL;
2332 if ( !(smbpass = samu_new( mem_ctx )) ) {
2333 return NT_STATUS_NO_MEMORY;
2337 ret = pdb_getsampwsid(smbpass, user_sid);
2341 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2342 TALLOC_FREE(smbpass);
2343 return NT_STATUS_NO_SUCH_USER;
2346 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
2348 init_samr_user_info16(r, pdb_get_acct_ctrl(smbpass));
2350 TALLOC_FREE(smbpass);
2352 return NT_STATUS_OK;
2355 /*************************************************************************
2356 get_user_info_18. OK - this is the killer as it gives out password info.
2357 Ensure that this is only allowed on an encrypted connection with a root
2359 *************************************************************************/
2361 static NTSTATUS get_user_info_18(pipes_struct *p,
2362 TALLOC_CTX *mem_ctx,
2363 struct samr_UserInfo18 *r,
2366 struct samu *smbpass=NULL;
2371 if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
2372 return NT_STATUS_ACCESS_DENIED;
2375 if (p->auth.auth_level != PIPE_AUTH_LEVEL_PRIVACY) {
2376 return NT_STATUS_ACCESS_DENIED;
2380 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
2383 if ( !(smbpass = samu_new( mem_ctx )) ) {
2384 return NT_STATUS_NO_MEMORY;
2387 ret = pdb_getsampwsid(smbpass, user_sid);
2390 DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid)));
2391 TALLOC_FREE(smbpass);
2392 return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
2395 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
2397 if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
2398 TALLOC_FREE(smbpass);
2399 return NT_STATUS_ACCOUNT_DISABLED;
2402 init_samr_user_info18(r, pdb_get_lanman_passwd(smbpass),
2403 pdb_get_nt_passwd(smbpass));
2405 TALLOC_FREE(smbpass);
2407 return NT_STATUS_OK;
2410 /*************************************************************************
2412 *************************************************************************/
2414 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx,
2415 struct samr_UserInfo20 *r,
2418 struct samu *sampass=NULL;
2420 const char *munged_dial = NULL;
2423 struct lsa_BinaryString *parameters = NULL;
2427 if ( !(sampass = samu_new( mem_ctx )) ) {
2428 return NT_STATUS_NO_MEMORY;
2432 ret = pdb_getsampwsid(sampass, user_sid);
2436 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2437 TALLOC_FREE(sampass);
2438 return NT_STATUS_NO_SUCH_USER;
2441 munged_dial = pdb_get_munged_dial(sampass);
2443 samr_clear_sam_passwd(sampass);
2445 DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass),
2446 munged_dial, (int)strlen(munged_dial)));
2449 blob = base64_decode_data_blob(munged_dial);
2451 blob = data_blob_string_const_null("");
2454 status = init_samr_parameters_string(mem_ctx, &blob, ¶meters);
2455 data_blob_free(&blob);
2456 TALLOC_FREE(sampass);
2457 if (!NT_STATUS_IS_OK(status)) {
2461 init_samr_user_info20(r, parameters);
2463 return NT_STATUS_OK;
2467 /*************************************************************************
2469 *************************************************************************/
2471 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx,
2472 struct samr_UserInfo21 *r,
2474 DOM_SID *domain_sid)
2477 struct samu *pw = NULL;
2479 const DOM_SID *sid_user, *sid_group;
2480 uint32_t rid, primary_gid;
2481 NTTIME last_logon, last_logoff, last_password_change,
2482 acct_expiry, allow_password_change, force_password_change;
2483 time_t must_change_time;
2484 uint8_t password_expired;
2485 const char *account_name, *full_name, *home_directory, *home_drive,
2486 *logon_script, *profile_path, *description,
2487 *workstations, *comment;
2488 struct samr_LogonHours logon_hours;
2489 struct lsa_BinaryString *parameters = NULL;
2490 const char *munged_dial = NULL;
2495 if (!(pw = samu_new(mem_ctx))) {
2496 return NT_STATUS_NO_MEMORY;
2500 ret = pdb_getsampwsid(pw, user_sid);
2504 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2506 return NT_STATUS_NO_SUCH_USER;
2509 samr_clear_sam_passwd(pw);
2511 DEBUG(3,("User:[%s]\n", pdb_get_username(pw)));
2513 sid_user = pdb_get_user_sid(pw);
2515 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2516 DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2517 "the domain sid %s. Failing operation.\n",
2518 pdb_get_username(pw), sid_string_dbg(sid_user),
2519 sid_string_dbg(domain_sid)));
2521 return NT_STATUS_UNSUCCESSFUL;
2525 sid_group = pdb_get_group_sid(pw);
2528 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2529 DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2530 "which conflicts with the domain sid %s. Failing operation.\n",
2531 pdb_get_username(pw), sid_string_dbg(sid_group),
2532 sid_string_dbg(domain_sid)));
2534 return NT_STATUS_UNSUCCESSFUL;
2537 unix_to_nt_time(&last_logon, pdb_get_logon_time(pw));
2538 unix_to_nt_time(&last_logoff, pdb_get_logoff_time(pw));
2539 unix_to_nt_time(&acct_expiry, pdb_get_kickoff_time(pw));
2540 unix_to_nt_time(&last_password_change, pdb_get_pass_last_set_time(pw));
2541 unix_to_nt_time(&allow_password_change, pdb_get_pass_can_change_time(pw));
2543 must_change_time = pdb_get_pass_must_change_time(pw);
2544 if (must_change_time == get_time_t_max()) {
2545 unix_to_nt_time_abs(&force_password_change, must_change_time);
2547 unix_to_nt_time(&force_password_change, must_change_time);
2550 if (pdb_get_pass_must_change_time(pw) == 0) {
2551 password_expired = PASS_MUST_CHANGE_AT_NEXT_LOGON;
2553 password_expired = 0;
2556 munged_dial = pdb_get_munged_dial(pw);
2558 blob = base64_decode_data_blob(munged_dial);
2560 blob = data_blob_string_const_null("");
2563 status = init_samr_parameters_string(mem_ctx, &blob, ¶meters);
2564 data_blob_free(&blob);
2565 if (!NT_STATUS_IS_OK(status)) {
2570 account_name = talloc_strdup(mem_ctx, pdb_get_username(pw));
2571 full_name = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2572 home_directory = talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2573 home_drive = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2574 logon_script = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2575 profile_path = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2576 description = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2577 workstations = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2578 comment = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2580 logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2584 Look at a user on a real NT4 PDC with usrmgr, press
2585 'ok'. Then you will see that fields_present is set to
2586 0x08f827fa. Look at the user immediately after that again,
2587 and you will see that 0x00fffff is returned. This solves
2588 the problem that you get access denied after having looked
2595 init_samr_user_info21(r,
2598 last_password_change,
2600 allow_password_change,
2601 force_password_change,
2614 pdb_get_acct_ctrl(pw),
2615 pdb_build_fields_present(pw),
2617 pdb_get_bad_password_count(pw),
2618 pdb_get_logon_count(pw),
2619 0, /* country_code */
2621 0, /* nt_password_set */
2622 0, /* lm_password_set */
2626 return NT_STATUS_OK;
2629 /*******************************************************************
2631 ********************************************************************/
2633 NTSTATUS _samr_QueryUserInfo(pipes_struct *p,
2634 struct samr_QueryUserInfo *r)
2637 union samr_UserInfo *user_info = NULL;
2638 struct samr_info *info = NULL;
2642 /* search for the handle */
2643 if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info))
2644 return NT_STATUS_INVALID_HANDLE;
2646 status = access_check_samr_function(info->acc_granted,
2647 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
2648 "_samr_QueryUserInfo");
2649 if (!NT_STATUS_IS_OK(status)) {
2653 domain_sid = info->sid;
2655 sid_split_rid(&domain_sid, &rid);
2657 if (!sid_check_is_in_our_domain(&info->sid))
2658 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2660 DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
2661 sid_string_dbg(&info->sid)));
2663 user_info = TALLOC_ZERO_P(p->mem_ctx, union samr_UserInfo);
2665 return NT_STATUS_NO_MEMORY;
2668 DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r->in.level));
2670 switch (r->in.level) {
2672 status = get_user_info_7(p->mem_ctx, &user_info->info7, &info->sid);
2673 if (!NT_STATUS_IS_OK(status)) {
2678 status = get_user_info_9(p->mem_ctx, &user_info->info9, &info->sid);
2679 if (!NT_STATUS_IS_OK(status)) {
2684 status = get_user_info_16(p->mem_ctx, &user_info->info16, &info->sid);
2685 if (!NT_STATUS_IS_OK(status)) {
2691 status = get_user_info_18(p, p->mem_ctx, &user_info->info18, &info->sid);
2692 if (!NT_STATUS_IS_OK(status)) {
2698 status = get_user_info_20(p->mem_ctx, &user_info->info20, &info->sid);
2699 if (!NT_STATUS_IS_OK(status)) {
2705 status = get_user_info_21(p->mem_ctx, &user_info->info21,
2706 &info->sid, &domain_sid);
2707 if (!NT_STATUS_IS_OK(status)) {
2713 return NT_STATUS_INVALID_INFO_CLASS;
2716 *r->out.info = user_info;
2718 DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__));
2723 /*******************************************************************
2724 _samr_GetGroupsForUser
2725 ********************************************************************/
2727 NTSTATUS _samr_GetGroupsForUser(pipes_struct *p,
2728 struct samr_GetGroupsForUser *r)
2730 struct samu *sam_pass=NULL;
2733 struct samr_RidWithAttribute dom_gid;
2734 struct samr_RidWithAttribute *gids = NULL;
2735 uint32 primary_group_rid;
2736 size_t num_groups = 0;
2742 bool success = False;
2744 struct samr_RidWithAttributeArray *rids = NULL;
2747 * from the SID in the request:
2748 * we should send back the list of DOMAIN GROUPS
2749 * the user is a member of
2751 * and only the DOMAIN GROUPS
2752 * no ALIASES !!! neither aliases of the domain
2753 * nor aliases of the builtin SID
2758 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2760 rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidWithAttributeArray);
2762 return NT_STATUS_NO_MEMORY;
2765 /* find the policy handle. open a policy on it. */
2766 if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &sid, &acc_granted, NULL))
2767 return NT_STATUS_INVALID_HANDLE;
2769 result = access_check_samr_function(acc_granted,
2770 SAMR_USER_ACCESS_GET_GROUPS,
2771 "_samr_GetGroupsForUser");
2772 if (!NT_STATUS_IS_OK(result)) {
2776 if (!sid_check_is_in_our_domain(&sid))
2777 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2779 if ( !(sam_pass = samu_new( p->mem_ctx )) ) {
2780 return NT_STATUS_NO_MEMORY;
2784 ret = pdb_getsampwsid(sam_pass, &sid);
2788 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
2789 sid_string_dbg(&sid)));
2790 return NT_STATUS_NO_SUCH_USER;
2795 /* make both calls inside the root block */
2797 result = pdb_enum_group_memberships(p->mem_ctx, sam_pass,
2798 &sids, &unix_gids, &num_groups);
2799 if ( NT_STATUS_IS_OK(result) ) {
2800 success = sid_peek_check_rid(get_global_sam_sid(),
2801 pdb_get_group_sid(sam_pass),
2802 &primary_group_rid);
2806 if (!NT_STATUS_IS_OK(result)) {
2807 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
2808 sid_string_dbg(&sid)));
2813 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
2814 sid_string_dbg(pdb_get_group_sid(sam_pass)),
2815 pdb_get_username(sam_pass)));
2816 TALLOC_FREE(sam_pass);
2817 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2823 dom_gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
2825 dom_gid.rid = primary_group_rid;
2826 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2828 for (i=0; i<num_groups; i++) {
2830 if (!sid_peek_check_rid(get_global_sam_sid(),
2831 &(sids[i]), &dom_gid.rid)) {
2832 DEBUG(10, ("Found sid %s not in our domain\n",
2833 sid_string_dbg(&sids[i])));
2837 if (dom_gid.rid == primary_group_rid) {
2838 /* We added the primary group directly from the
2839 * sam_account. The other SIDs are unique from
2840 * enum_group_memberships */
2844 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2847 rids->count = num_gids;
2850 *r->out.rids = rids;
2852 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2857 /*******************************************************************
2858 _samr_QueryDomainInfo
2859 ********************************************************************/
2861 NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
2862 struct samr_QueryDomainInfo *r)
2864 NTSTATUS status = NT_STATUS_OK;
2865 struct samr_info *info = NULL;
2866 union samr_DomainInfo *dom_info;
2867 uint32 min_pass_len,pass_hist,password_properties;
2868 time_t u_expire, u_min_age;
2869 NTTIME nt_expire, nt_min_age;
2871 time_t u_lock_duration, u_reset_time;
2872 NTTIME nt_lock_duration, nt_reset_time;
2877 uint32 account_policy_temp;
2882 uint32 num_users=0, num_groups=0, num_aliases=0;
2884 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
2886 dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo);
2888 return NT_STATUS_NO_MEMORY;
2891 /* find the policy handle. open a policy on it. */
2892 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) {
2893 return NT_STATUS_INVALID_HANDLE;
2896 status = access_check_samr_function(info->acc_granted,
2897 SAMR_ACCESS_OPEN_DOMAIN,
2898 "_samr_QueryDomainInfo" );
2900 if ( !NT_STATUS_IS_OK(status) )
2903 switch (r->in.level) {
2910 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
2911 min_pass_len = account_policy_temp;
2913 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
2914 pass_hist = account_policy_temp;
2916 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
2917 password_properties = account_policy_temp;
2919 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
2920 u_expire = account_policy_temp;
2922 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
2923 u_min_age = account_policy_temp;
2929 unix_to_nt_time_abs(&nt_expire, u_expire);
2930 unix_to_nt_time_abs(&nt_min_age, u_min_age);
2932 if (lp_check_password_script() && *lp_check_password_script()) {
2933 password_properties |= DOMAIN_PASSWORD_COMPLEX;
2936 init_samr_DomInfo1(&dom_info->info1,
2937 (uint16)min_pass_len,
2939 password_properties,
2949 num_users = count_sam_users(info->disp_info, ACB_NORMAL);
2950 num_groups = count_sam_groups(info->disp_info);
2951 num_aliases = count_sam_aliases(info->disp_info);
2953 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
2954 u_logout = account_policy_temp;
2956 unix_to_nt_time_abs(&nt_logout, u_logout);
2958 if (!pdb_get_seq_num(&seq_num))
2959 seq_num = time(NULL);
2965 server_role = ROLE_DOMAIN_PDC;
2966 if (lp_server_role() == ROLE_DOMAIN_BDC)
2967 server_role = ROLE_DOMAIN_BDC;
2969 init_samr_DomGeneralInformation(&dom_info->general,
2990 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &ul);
2991 u_logout = (time_t)ul;
2998 unix_to_nt_time_abs(&nt_logout, u_logout);
3000 init_samr_DomInfo3(&dom_info->info3,
3005 init_samr_DomOEMInformation(&dom_info->oem,
3009 init_samr_DomInfo5(&dom_info->info5,
3010 get_global_sam_name());
3013 /* NT returns its own name when a PDC. win2k and later
3014 * only the name of the PDC if itself is a BDC (samba4
3016 init_samr_DomInfo6(&dom_info->info6,
3020 server_role = ROLE_DOMAIN_PDC;
3021 if (lp_server_role() == ROLE_DOMAIN_BDC)
3022 server_role = ROLE_DOMAIN_BDC;
3024 init_samr_DomInfo7(&dom_info->info7,
3033 if (!pdb_get_seq_num(&seq_num)) {
3034 seq_num = time(NULL);
3041 init_samr_DomInfo8(&dom_info->info8,
3051 pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
3052 u_lock_duration = account_policy_temp;
3053 if (u_lock_duration != -1) {
3054 u_lock_duration *= 60;
3057 pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
3058 u_reset_time = account_policy_temp * 60;
3060 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
3061 lockout = account_policy_temp;
3067 unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
3068 unix_to_nt_time_abs(&nt_reset_time, u_reset_time);
3070 init_samr_DomInfo12(&dom_info->info12,
3076 return NT_STATUS_INVALID_INFO_CLASS;
3079 *r->out.info = dom_info;
3081 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
3086 /* W2k3 seems to use the same check for all 3 objects that can be created via
3087 * SAMR, if you try to create for example "Dialup" as an alias it says
3088 * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
3091 static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name)
3093 enum lsa_SidType type;
3096 DEBUG(10, ("Checking whether [%s] can be created\n", new_name));
3099 /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
3100 * whether the name already exists */
3101 result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_LOCAL,
3102 NULL, NULL, NULL, &type);
3106 DEBUG(10, ("%s does not exist, can create it\n", new_name));
3107 return NT_STATUS_OK;
3110 DEBUG(5, ("trying to create %s, exists as %s\n",
3111 new_name, sid_type_lookup(type)));
3113 if (type == SID_NAME_DOM_GRP) {
3114 return NT_STATUS_GROUP_EXISTS;
3116 if (type == SID_NAME_ALIAS) {
3117 return NT_STATUS_ALIAS_EXISTS;
3120 /* Yes, the default is NT_STATUS_USER_EXISTS */
3121 return NT_STATUS_USER_EXISTS;
3124 /*******************************************************************
3126 ********************************************************************/
3128 NTSTATUS _samr_CreateUser2(pipes_struct *p,
3129 struct samr_CreateUser2 *r)
3131 const char *account = NULL;
3133 POLICY_HND dom_pol = *r->in.domain_handle;
3134 uint32_t acb_info = r->in.acct_flags;
3135 POLICY_HND *user_pol = r->out.user_handle;
3136 struct samr_info *info = NULL;
3141 /* check this, when giving away 'add computer to domain' privs */
3142 uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
3143 bool can_add_account = False;
3145 DISP_INFO *disp_info = NULL;
3147 /* Get the domain SID stored in the domain policy */
3148 if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted,
3150 return NT_STATUS_INVALID_HANDLE;
3152 nt_status = access_check_samr_function(acc_granted,
3153 SAMR_DOMAIN_ACCESS_CREATE_USER,
3154 "_samr_CreateUser2");
3155 if (!NT_STATUS_IS_OK(nt_status)) {
3159 if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST ||
3160 acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
3161 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3162 this parameter is not an account type */
3163 return NT_STATUS_INVALID_PARAMETER;
3166 account = r->in.account_name->string;
3167 if (account == NULL) {
3168 return NT_STATUS_NO_MEMORY;
3171 nt_status = can_create(p->mem_ctx, account);
3172 if (!NT_STATUS_IS_OK(nt_status)) {
3176 /* determine which user right we need to check based on the acb_info */
3178 if ( acb_info & ACB_WSTRUST )
3180 se_priv_copy( &se_rights, &se_machine_account );
3181 can_add_account = user_has_privileges(
3182 p->pipe_user.nt_user_token, &se_rights );
3184 /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
3185 account for domain trusts and changes the ACB flags later */
3186 else if ( acb_info & ACB_NORMAL &&
3187 (account[strlen(account)-1] != '$') )
3189 se_priv_copy( &se_rights, &se_add_users );
3190 can_add_account = user_has_privileges(
3191 p->pipe_user.nt_user_token, &se_rights );
3193 else /* implicit assumption of a BDC or domain trust account here
3194 * (we already check the flags earlier) */
3196 if ( lp_enable_privileges() ) {
3197 /* only Domain Admins can add a BDC or domain trust */
3198 se_priv_copy( &se_rights, &se_priv_none );
3199 can_add_account = nt_token_check_domain_rid(
3200 p->pipe_user.nt_user_token,
3201 DOMAIN_GROUP_RID_ADMINS );
3205 DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
3206 uidtoname(p->pipe_user.ut.uid),
3207 can_add_account ? "True":"False" ));
3209 /********** BEGIN Admin BLOCK **********/
3211 if ( can_add_account )
3214 nt_status = pdb_create_user(p->mem_ctx, account, acb_info,
3217 if ( can_add_account )
3220 /********** END Admin BLOCK **********/
3222 /* now check for failure */
3224 if ( !NT_STATUS_IS_OK(nt_status) )
3227 /* Get the user's SID */
3229 sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
3231 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3233 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
3234 &sid, SAMR_USR_RIGHTS_WRITE_PW);
3235 se_map_generic(&des_access, &usr_generic_mapping);
3237 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3238 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
3239 &acc_granted, "_samr_CreateUser2");
3241 if ( !NT_STATUS_IS_OK(nt_status) ) {
3245 /* associate the user's SID with the new handle. */
3246 if ((info = get_samr_info_by_sid(&sid)) == NULL) {
3247 return NT_STATUS_NO_MEMORY;
3252 info->acc_granted = acc_granted;
3254 /* get a (unique) handle. open a policy on it. */
3255 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) {
3256 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3259 /* After a "set" ensure we have no cached display info. */
3260 force_flush_samr_cache(info->disp_info);
3262 *r->out.access_granted = acc_granted;
3264 return NT_STATUS_OK;
3267 /*******************************************************************
3269 ********************************************************************/
3271 NTSTATUS _samr_Connect(pipes_struct *p,
3272 struct samr_Connect *r)
3274 struct samr_info *info = NULL;
3275 uint32 des_access = r->in.access_mask;
3279 if (!pipe_access_check(p)) {
3280 DEBUG(3, ("access denied to _samr_Connect\n"));
3281 return NT_STATUS_ACCESS_DENIED;
3284 /* set up the SAMR connect_anon response */
3286 /* associate the user's SID with the new handle. */
3287 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3288 return NT_STATUS_NO_MEMORY;
3290 /* don't give away the farm but this is probably ok. The SAMR_ACCESS_ENUM_DOMAINS
3291 was observed from a win98 client trying to enumerate users (when configured
3292 user level access control on shares) --jerry */
3294 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3296 se_map_generic( &des_access, &sam_generic_mapping );
3297 info->acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS|SAMR_ACCESS_OPEN_DOMAIN);
3299 /* get a (unique) handle. open a policy on it. */
3300 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3301 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3303 return NT_STATUS_OK;
3306 /*******************************************************************
3308 ********************************************************************/
3310 NTSTATUS _samr_Connect2(pipes_struct *p,
3311 struct samr_Connect2 *r)
3313 struct samr_info *info = NULL;
3314 SEC_DESC *psd = NULL;
3316 uint32 des_access = r->in.access_mask;
3321 DEBUG(5,("_samr_Connect2: %d\n", __LINE__));
3325 if (!pipe_access_check(p)) {
3326 DEBUG(3, ("access denied to _samr_Connect2\n"));
3327 return NT_STATUS_ACCESS_DENIED;
3330 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3332 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3333 se_map_generic(&des_access, &sam_generic_mapping);
3335 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3336 NULL, 0, des_access, &acc_granted, "_samr_Connect2");
3338 if ( !NT_STATUS_IS_OK(nt_status) )
3341 /* associate the user's SID and access granted with the new handle. */
3342 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3343 return NT_STATUS_NO_MEMORY;
3345 info->acc_granted = acc_granted;
3346 info->status = r->in.access_mask; /* this looks so wrong... - gd */
3348 /* get a (unique) handle. open a policy on it. */
3349 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3350 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3352 DEBUG(5,("_samr_Connect2: %d\n", __LINE__));
3357 /*******************************************************************
3359 ********************************************************************/
3361 NTSTATUS _samr_Connect4(pipes_struct *p,
3362 struct samr_Connect4 *r)
3364 struct samr_info *info = NULL;
3365 SEC_DESC *psd = NULL;
3367 uint32 des_access = r->in.access_mask;
3372 DEBUG(5,("_samr_Connect4: %d\n", __LINE__));
3376 if (!pipe_access_check(p)) {
3377 DEBUG(3, ("access denied to samr_Connect4\n"));
3378 return NT_STATUS_ACCESS_DENIED;
3381 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3383 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3384 se_map_generic(&des_access, &sam_generic_mapping);
3386 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3387 NULL, 0, des_access, &acc_granted, "_samr_Connect4");
3389 if ( !NT_STATUS_IS_OK(nt_status) )
3392 /* associate the user's SID and access granted with the new handle. */
3393 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3394 return NT_STATUS_NO_MEMORY;
3396 info->acc_granted = acc_granted;
3397 info->status = r->in.access_mask; /* ??? */
3399 /* get a (unique) handle. open a policy on it. */
3400 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3401 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3403 DEBUG(5,("_samr_Connect4: %d\n", __LINE__));
3405 return NT_STATUS_OK;
3408 /*******************************************************************
3410 ********************************************************************/
3412 NTSTATUS _samr_Connect5(pipes_struct *p,
3413 struct samr_Connect5 *r)
3415 struct samr_info *info = NULL;
3416 SEC_DESC *psd = NULL;
3418 uint32 des_access = r->in.access_mask;
3421 struct samr_ConnectInfo1 info1;
3423 DEBUG(5,("_samr_Connect5: %d\n", __LINE__));
3427 if (!pipe_access_check(p)) {
3428 DEBUG(3, ("access denied to samr_Connect5\n"));
3429 return NT_STATUS_ACCESS_DENIED;
3432 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3434 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3435 se_map_generic(&des_access, &sam_generic_mapping);
3437 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3438 NULL, 0, des_access, &acc_granted, "_samr_Connect5");
3440 if ( !NT_STATUS_IS_OK(nt_status) )
3443 /* associate the user's SID and access granted with the new handle. */
3444 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3445 return NT_STATUS_NO_MEMORY;
3447 info->acc_granted = acc_granted;
3448 info->status = r->in.access_mask; /* ??? */
3450 /* get a (unique) handle. open a policy on it. */
3451 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3452 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3454 DEBUG(5,("_samr_Connect5: %d\n", __LINE__));
3456 info1.client_version = SAMR_CONNECT_AFTER_W2K;
3459 *r->out.level_out = 1;
3460 r->out.info_out->info1 = info1;
3462 return NT_STATUS_OK;
3465 /**********************************************************************
3467 **********************************************************************/
3469 NTSTATUS _samr_LookupDomain(pipes_struct *p,
3470 struct samr_LookupDomain *r)
3472 NTSTATUS status = NT_STATUS_OK;
3473 struct samr_info *info;
3474 const char *domain_name;
3475 DOM_SID *sid = NULL;
3477 if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
3478 return NT_STATUS_INVALID_HANDLE;
3480 /* win9x user manager likes to use SAMR_ACCESS_ENUM_DOMAINS here.
3481 Reverted that change so we will work with RAS servers again */
3483 status = access_check_samr_function(info->acc_granted,
3484 SAMR_ACCESS_OPEN_DOMAIN,
3485 "_samr_LookupDomain");
3486 if (!NT_STATUS_IS_OK(status)) {
3490 domain_name = r->in.domain_name->string;
3492 sid = TALLOC_ZERO_P(p->mem_ctx, struct dom_sid2);
3494 return NT_STATUS_NO_MEMORY;
3497 if (strequal(domain_name, builtin_domain_name())) {
3498 sid_copy(sid, &global_sid_Builtin);
3500 if (!secrets_fetch_domain_sid(domain_name, sid)) {
3501 status = NT_STATUS_NO_SUCH_DOMAIN;
3505 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name,
3506 sid_string_dbg(sid)));
3513 /**********************************************************************
3515 **********************************************************************/
3517 NTSTATUS _samr_EnumDomains(pipes_struct *p,
3518 struct samr_EnumDomains *r)
3521 struct samr_info *info;
3522 uint32_t num_entries = 2;
3523 struct samr_SamEntry *entry_array = NULL;
3524 struct samr_SamArray *sam;
3526 if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
3527 return NT_STATUS_INVALID_HANDLE;
3529 status = access_check_samr_function(info->acc_granted,
3530 SAMR_ACCESS_ENUM_DOMAINS,
3531 "_samr_EnumDomains");
3532 if (!NT_STATUS_IS_OK(status)) {
3536 sam = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
3538 return NT_STATUS_NO_MEMORY;
3541 entry_array = TALLOC_ZERO_ARRAY(p->mem_ctx,
3542 struct samr_SamEntry,
3545 return NT_STATUS_NO_MEMORY;
3548 entry_array[0].idx = 0;
3549 init_lsa_String(&entry_array[0].name, get_global_sam_name());
3551 entry_array[1].idx = 1;
3552 init_lsa_String(&entry_array[1].name, "Builtin");
3554 sam->count = num_entries;
3555 sam->entries = entry_array;
3558 *r->out.num_entries = num_entries;
3563 /*******************************************************************
3565 ********************************************************************/
3567 NTSTATUS _samr_OpenAlias(pipes_struct *p,
3568 struct samr_OpenAlias *r)
3571 POLICY_HND domain_pol = *r->in.domain_handle;
3572 uint32 alias_rid = r->in.rid;
3573 POLICY_HND *alias_pol = r->out.alias_handle;
3574 struct samr_info *info = NULL;
3575 SEC_DESC *psd = NULL;
3577 uint32 des_access = r->in.access_mask;
3582 /* find the domain policy and get the SID / access bits stored in the domain policy */
3584 if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) )
3585 return NT_STATUS_INVALID_HANDLE;
3587 status = access_check_samr_function(acc_granted,
3588 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
3591 if ( !NT_STATUS_IS_OK(status) )
3594 /* append the alias' RID to it */
3596 if (!sid_append_rid(&sid, alias_rid))
3597 return NT_STATUS_NO_SUCH_ALIAS;
3599 /*check if access can be granted as requested by client. */
3601 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3603 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
3604 se_map_generic(&des_access,&ali_generic_mapping);
3606 se_priv_copy( &se_rights, &se_add_users );
3609 status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3610 &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access,
3611 &acc_granted, "_samr_OpenAlias");
3613 if ( !NT_STATUS_IS_OK(status) )
3617 /* Check we actually have the requested alias */
3618 enum lsa_SidType type;
3623 result = lookup_sid(NULL, &sid, NULL, NULL, &type);
3626 if (!result || (type != SID_NAME_ALIAS)) {
3627 return NT_STATUS_NO_SUCH_ALIAS;
3630 /* make sure there is a mapping */
3632 if ( !sid_to_gid( &sid, &gid ) ) {
3633 return NT_STATUS_NO_SUCH_ALIAS;
3638 /* associate the alias SID with the new handle. */
3639 if ((info = get_samr_info_by_sid(&sid)) == NULL)
3640 return NT_STATUS_NO_MEMORY;
3642 info->acc_granted = acc_granted;
3644 /* get a (unique) handle. open a policy on it. */
3645 if (!create_policy_hnd(p, alias_pol, free_samr_info, (void *)info))
3646 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3648 return NT_STATUS_OK;
3651 /*******************************************************************
3653 ********************************************************************/
3655 static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx,
3656 struct samr_UserInfo7 *id7,
3662 DEBUG(5, ("set_user_info_7: NULL id7\n"));
3664 return NT_STATUS_ACCESS_DENIED;
3667 if (!id7->account_name.string) {
3668 DEBUG(5, ("set_user_info_7: failed to get new username\n"));
3670 return NT_STATUS_ACCESS_DENIED;
3673 /* check to see if the new username already exists. Note: we can't
3674 reliably lock all backends, so there is potentially the
3675 possibility that a user can be created in between this check and
3676 the rename. The rename should fail, but may not get the
3677 exact same failure status code. I think this is small enough
3678 of a window for this type of operation and the results are
3679 simply that the rename fails with a slightly different status
3680 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3682 rc = can_create(mem_ctx, id7->account_name.string);
3683 if (!NT_STATUS_IS_OK(rc)) {
3687 rc = pdb_rename_sam_account(pwd, id7->account_name.string);
3693 /*******************************************************************
3695 ********************************************************************/
3697 static bool set_user_info_16(struct samr_UserInfo16 *id16,
3701 DEBUG(5, ("set_user_info_16: NULL id16\n"));
3706 /* FIX ME: check if the value is really changed --metze */
3707 if (!pdb_set_acct_ctrl(pwd, id16->acct_flags, PDB_CHANGED)) {
3712 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3722 /*******************************************************************
3724 ********************************************************************/
3726 static bool set_user_info_18(struct samr_UserInfo18 *id18,
3730 DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
3735 if (!pdb_set_lanman_passwd (pwd, id18->lm_pwd.hash, PDB_CHANGED)) {
3739 if (!pdb_set_nt_passwd (pwd, id18->nt_pwd.hash, PDB_CHANGED)) {
3743 if (!pdb_set_pass_last_set_time (pwd, time(NULL), PDB_CHANGED)) {
3748 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3757 /*******************************************************************
3759 ********************************************************************/
3761 static bool set_user_info_20(struct samr_UserInfo20 *id20,
3765 DEBUG(5, ("set_user_info_20: NULL id20\n"));
3769 copy_id20_to_sam_passwd(pwd, id20);
3771 /* write the change out */
3772 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3782 /*******************************************************************
3784 ********************************************************************/
3786 static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx,
3787 struct samr_UserInfo21 *id21,
3793 DEBUG(5, ("set_user_info_21: NULL id21\n"));
3794 return NT_STATUS_INVALID_PARAMETER;
3797 /* we need to separately check for an account rename first */
3799 if (id21->account_name.string &&
3800 (!strequal(id21->account_name.string, pdb_get_username(pwd))))
3803 /* check to see if the new username already exists. Note: we can't
3804 reliably lock all backends, so there is potentially the
3805 possibility that a user can be created in between this check and
3806 the rename. The rename should fail, but may not get the
3807 exact same failure status code. I think this is small enough
3808 of a window for this type of operation and the results are
3809 simply that the rename fails with a slightly different status
3810 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3812 status = can_create(mem_ctx, id21->account_name.string);
3813 if (!NT_STATUS_IS_OK(status)) {
3817 status = pdb_rename_sam_account(pwd, id21->account_name.string);
3819 if (!NT_STATUS_IS_OK(status)) {
3820 DEBUG(0,("set_user_info_21: failed to rename account: %s\n",
3821 nt_errstr(status)));
3826 /* set the new username so that later
3827 functions can work on the new account */
3828 pdb_set_username(pwd, id21->account_name.string, PDB_SET);
3831 copy_id21_to_sam_passwd("INFO_21", pwd, id21);
3834 * The funny part about the previous two calls is
3835 * that pwd still has the password hashes from the
3836 * passdb entry. These have not been updated from
3837 * id21. I don't know if they need to be set. --jerry
3840 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
3841 status = pdb_set_unix_primary_group(mem_ctx, pwd);
3842 if ( !NT_STATUS_IS_OK(status) ) {
3847 /* Don't worry about writing out the user account since the
3848 primary group SID is generated solely from the user's Unix
3851 /* write the change out */
3852 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
3859 return NT_STATUS_OK;
3862 /*******************************************************************
3864 ********************************************************************/
3866 static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx,
3867 struct samr_UserInfo23 *id23,
3870 char *plaintext_buf = NULL;
3876 DEBUG(5, ("set_user_info_23: NULL id23\n"));
3877 return NT_STATUS_INVALID_PARAMETER;
3880 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
3881 pdb_get_username(pwd)));
3883 acct_ctrl = pdb_get_acct_ctrl(pwd);
3885 if (!decode_pw_buffer(mem_ctx,
3886 id23->password.data,
3891 return NT_STATUS_INVALID_PARAMETER;
3894 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
3896 return NT_STATUS_ACCESS_DENIED;
3899 copy_id23_to_sam_passwd(pwd, id23);
3901 /* if it's a trust account, don't update /etc/passwd */
3902 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
3903 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
3904 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
3905 DEBUG(5, ("Changing trust account. Not updating /etc/passwd\n"));
3907 /* update the UNIX password */
3908 if (lp_unix_password_sync() ) {
3909 struct passwd *passwd;
3910 if (pdb_get_username(pwd) == NULL) {
3911 DEBUG(1, ("chgpasswd: User without name???\n"));
3913 return NT_STATUS_ACCESS_DENIED;
3916 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
3917 if (passwd == NULL) {
3918 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
3921 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
3923 return NT_STATUS_ACCESS_DENIED;
3925 TALLOC_FREE(passwd);
3929 memset(plaintext_buf, '\0', strlen(plaintext_buf));
3931 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) &&
3932 (!NT_STATUS_IS_OK(status = pdb_set_unix_primary_group(mem_ctx,
3938 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
3945 return NT_STATUS_OK;
3948 /*******************************************************************
3950 ********************************************************************/
3952 static bool set_user_info_pw(uint8 *pass, struct samu *pwd,
3956 char *plaintext_buf = NULL;
3958 time_t last_set_time;
3959 enum pdb_value_state last_set_state;
3961 DEBUG(5, ("Attempting administrator password change for user %s\n",
3962 pdb_get_username(pwd)));
3964 acct_ctrl = pdb_get_acct_ctrl(pwd);
3965 /* we need to know if it's expired, because this is an admin change, not a
3966 user change, so it's still expired when we're done */
3967 last_set_state = pdb_get_init_flags(pwd, PDB_PASSLASTSET);
3968 last_set_time = pdb_get_pass_last_set_time(pwd);
3970 if (!decode_pw_buffer(talloc_tos(),
3979 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
3984 /* if it's a trust account, don't update /etc/passwd */
3985 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
3986 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
3987 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
3988 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
3990 /* update the UNIX password */
3991 if (lp_unix_password_sync()) {
3992 struct passwd *passwd;
3994 if (pdb_get_username(pwd) == NULL) {
3995 DEBUG(1, ("chgpasswd: User without name???\n"));
4000 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
4001 if (passwd == NULL) {
4002 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4005 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
4009 TALLOC_FREE(passwd);
4013 memset(plaintext_buf, '\0', strlen(plaintext_buf));
4016 * A level 25 change does reset the pwdlastset field, a level 24
4017 * change does not. I know this is probably not the full story, but
4018 * it is needed to make XP join LDAP correctly, without it the later
4019 * auth2 check can fail with PWD_MUST_CHANGE.
4023 * restore last set time as this is an admin change, not a
4026 pdb_set_pass_last_set_time (pwd, last_set_time,
4030 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
4032 /* update the SAMBA password */
4033 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
4043 /*******************************************************************
4045 ********************************************************************/
4047 static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx,
4048 struct samr_UserInfo25 *id25,
4054 DEBUG(5, ("set_user_info_25: NULL id25\n"));
4055 return NT_STATUS_INVALID_PARAMETER;
4058 copy_id25_to_sam_passwd(pwd, id25);
4060 /* write the change out */
4061 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4067 * We need to "pdb_update_sam_account" before the unix primary group
4068 * is set, because the idealx scripts would also change the
4069 * sambaPrimaryGroupSid using the ldap replace method. pdb_ldap uses
4070 * the delete explicit / add explicit, which would then fail to find
4071 * the previous primaryGroupSid value.
4074 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
4075 status = pdb_set_unix_primary_group(mem_ctx, pwd);
4076 if ( !NT_STATUS_IS_OK(status) ) {
4081 /* WARNING: No TALLOC_FREE(pwd), we are about to set the password
4084 return NT_STATUS_OK;
4087 /*******************************************************************
4089 ********************************************************************/
4091 NTSTATUS _samr_SetUserInfo(pipes_struct *p,
4092 struct samr_SetUserInfo *r)
4095 struct samu *pwd = NULL;
4097 POLICY_HND *pol = r->in.user_handle;
4098 union samr_UserInfo *info = r->in.info;
4099 uint16_t switch_value = r->in.level;
4100 uint32_t acc_granted;
4101 uint32_t acc_required;
4103 bool has_enough_rights = False;
4105 DISP_INFO *disp_info = NULL;
4107 DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__));
4109 /* find the policy handle. open a policy on it. */
4110 if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) {
4111 return NT_STATUS_INVALID_HANDLE;
4114 /* This is tricky. A WinXP domain join sets
4115 (SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_GET_ATTRIBUTES)
4116 The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the
4117 standard Win32 API calls just ask for SAMR_USER_ACCESS_SET_PASSWORD in the SamrOpenUser().
4118 This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so
4119 we'll use the set from the WinXP join as the basis. */
4121 switch (switch_value) {
4126 acc_required = SAMR_USER_ACCESS_SET_PASSWORD;
4129 acc_required = SAMR_USER_ACCESS_SET_PASSWORD |
4130 SAMR_USER_ACCESS_SET_ATTRIBUTES |
4131 SAMR_USER_ACCESS_GET_ATTRIBUTES;
4135 status = access_check_samr_function(acc_granted,
4137 "_samr_SetUserInfo");
4138 if (!NT_STATUS_IS_OK(status)) {
4142 DEBUG(5, ("_samr_SetUserInfo: sid:%s, level:%d\n",
4143 sid_string_dbg(&sid), switch_value));
4146 DEBUG(5, ("_samr_SetUserInfo: NULL info level\n"));
4147 return NT_STATUS_INVALID_INFO_CLASS;
4150 if (!(pwd = samu_new(NULL))) {
4151 return NT_STATUS_NO_MEMORY;
4155 ret = pdb_getsampwsid(pwd, &sid);
4160 return NT_STATUS_NO_SUCH_USER;
4163 /* deal with machine password changes differently from userinfo changes */
4164 /* check to see if we have the sufficient rights */
4166 acb_info = pdb_get_acct_ctrl(pwd);
4167 if (acb_info & ACB_WSTRUST)
4168 has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token,
4169 &se_machine_account);
4170 else if (acb_info & ACB_NORMAL)
4171 has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token,
4173 else if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
4174 if (lp_enable_privileges()) {
4175 has_enough_rights = nt_token_check_domain_rid(p->pipe_user.nt_user_token,
4176 DOMAIN_GROUP_RID_ADMINS);
4180 DEBUG(5, ("_samr_SetUserInfo: %s does%s possess sufficient rights\n",
4181 uidtoname(p->pipe_user.ut.uid),
4182 has_enough_rights ? "" : " not"));
4184 /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
4186 if (has_enough_rights) {
4190 /* ok! user info levels (lots: see MSDEV help), off we go... */
4192 switch (switch_value) {
4195 status = set_user_info_7(p->mem_ctx,
4200 if (!set_user_info_16(&info->info16, pwd)) {
4201 status = NT_STATUS_ACCESS_DENIED;
4206 /* Used by AS/U JRA. */
4207 if (!set_user_info_18(&info->info18, pwd)) {
4208 status = NT_STATUS_ACCESS_DENIED;
4213 if (!set_user_info_20(&info->info20, pwd)) {
4214 status = NT_STATUS_ACCESS_DENIED;
4219 status = set_user_info_21(p->mem_ctx,
4220 &info->info21, pwd);
4224 if (!p->server_info->user_session_key.length) {
4225 status = NT_STATUS_NO_USER_SESSION_KEY;
4227 SamOEMhashBlob(info->info23.password.data, 516,
4228 &p->server_info->user_session_key);
4230 dump_data(100, info->info23.password.data, 516);
4232 status = set_user_info_23(p->mem_ctx,
4233 &info->info23, pwd);
4237 if (!p->server_info->user_session_key.length) {
4238 status = NT_STATUS_NO_USER_SESSION_KEY;
4240 SamOEMhashBlob(info->info24.password.data,
4242 &p->server_info->user_session_key);
4244 dump_data(100, info->info24.password.data, 516);
4246 if (!set_user_info_pw(info->info24.password.data, pwd,
4248 status = NT_STATUS_ACCESS_DENIED;
4253 if (!p->server_info->user_session_key.length) {
4254 status = NT_STATUS_NO_USER_SESSION_KEY;
4256 encode_or_decode_arc4_passwd_buffer(
4257 info->info25.password.data,
4258 &p->server_info->user_session_key);
4260 dump_data(100, info->info25.password.data, 532);
4262 status = set_user_info_25(p->mem_ctx,
4263 &info->info25, pwd);
4264 if (!NT_STATUS_IS_OK(status)) {
4267 if (!set_user_info_pw(info->info25.password.data, pwd,
4269 status = NT_STATUS_ACCESS_DENIED;
4274 if (!p->server_info->user_session_key.length) {
4275 status = NT_STATUS_NO_USER_SESSION_KEY;
4277 encode_or_decode_arc4_passwd_buffer(
4278 info->info26.password.data,
4279 &p->server_info->user_session_key);
4281 dump_data(100, info->info26.password.data, 516);
4283 if (!set_user_info_pw(info->info26.password.data, pwd,
4285 status = NT_STATUS_ACCESS_DENIED;
4290 status = NT_STATUS_INVALID_INFO_CLASS;
4295 if (has_enough_rights) {
4299 /* ================ END SeMachineAccountPrivilege BLOCK ================ */
4301 if (NT_STATUS_IS_OK(status)) {
4302 force_flush_samr_cache(disp_info);
4308 /*******************************************************************
4310 ********************************************************************/
4312 NTSTATUS _samr_SetUserInfo2(pipes_struct *p,
4313 struct samr_SetUserInfo2 *r)
4315 struct samr_SetUserInfo q;
4317 q.in.user_handle = r->in.user_handle;
4318 q.in.level = r->in.level;
4319 q.in.info = r->in.info;
4321 return _samr_SetUserInfo(p, &q);
4324 /*********************************************************************
4325 _samr_GetAliasMembership
4326 *********************************************************************/
4328 NTSTATUS _samr_GetAliasMembership(pipes_struct *p,
4329 struct samr_GetAliasMembership *r)
4331 size_t num_alias_rids;
4333 struct samr_info *info = NULL;
4341 DEBUG(5,("_samr_GetAliasMembership: %d\n", __LINE__));
4343 /* find the policy handle. open a policy on it. */
4344 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
4345 return NT_STATUS_INVALID_HANDLE;
4347 ntstatus1 = access_check_samr_function(info->acc_granted,
4348 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS,
4349 "_samr_GetAliasMembership");
4350 ntstatus2 = access_check_samr_function(info->acc_granted,
4351 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
4352 "_samr_GetAliasMembership");
4354 if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
4355 if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
4356 !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {
4357 return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1;
4361 if (!sid_check_is_domain(&info->sid) &&
4362 !sid_check_is_builtin(&info->sid))
4363 return NT_STATUS_OBJECT_TYPE_MISMATCH;
4365 if (r->in.sids->num_sids) {
4366 members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, r->in.sids->num_sids);
4368 if (members == NULL)
4369 return NT_STATUS_NO_MEMORY;
4374 for (i=0; i<r->in.sids->num_sids; i++)
4375 sid_copy(&members[i], r->in.sids->sids[i].sid);
4381 ntstatus1 = pdb_enum_alias_memberships(p->mem_ctx, &info->sid, members,
4382 r->in.sids->num_sids,
4383 &alias_rids, &num_alias_rids);
4386 if (!NT_STATUS_IS_OK(ntstatus1)) {
4390 r->out.rids->count = num_alias_rids;
4391 r->out.rids->ids = alias_rids;
4393 return NT_STATUS_OK;
4396 /*********************************************************************
4397 _samr_GetMembersInAlias
4398 *********************************************************************/
4400 NTSTATUS _samr_GetMembersInAlias(pipes_struct *p,
4401 struct samr_GetMembersInAlias *r)
4405 size_t num_sids = 0;
4406 struct lsa_SidPtr *sids = NULL;
4407 DOM_SID *pdb_sids = NULL;
4413 /* find the policy handle. open a policy on it. */
4414 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, NULL))
4415 return NT_STATUS_INVALID_HANDLE;
4417 status = access_check_samr_function(acc_granted,
4418 SAMR_ALIAS_ACCESS_GET_MEMBERS,
4419 "_samr_GetMembersInAlias");
4420 if (!NT_STATUS_IS_OK(status)) {
4424 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4427 status = pdb_enum_aliasmem(&alias_sid, &pdb_sids, &num_sids);
4430 if (!NT_STATUS_IS_OK(status)) {
4435 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr, num_sids);
4437 TALLOC_FREE(pdb_sids);
4438 return NT_STATUS_NO_MEMORY;
4442 for (i = 0; i < num_sids; i++) {
4443 sids[i].sid = sid_dup_talloc(p->mem_ctx, &pdb_sids[i]);
4445 TALLOC_FREE(pdb_sids);
4446 return NT_STATUS_NO_MEMORY;
4450 r->out.sids->num_sids = num_sids;
4451 r->out.sids->sids = sids;
4453 TALLOC_FREE(pdb_sids);
4455 return NT_STATUS_OK;
4458 /*********************************************************************
4459 _samr_QueryGroupMember
4460 *********************************************************************/
4462 NTSTATUS _samr_QueryGroupMember(pipes_struct *p,
4463 struct samr_QueryGroupMember *r)
4466 size_t i, num_members;
4474 struct samr_RidTypeArray *rids = NULL;
4476 rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidTypeArray);
4478 return NT_STATUS_NO_MEMORY;
4481 /* find the policy handle. open a policy on it. */
4482 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL))
4483 return NT_STATUS_INVALID_HANDLE;
4485 status = access_check_samr_function(acc_granted,
4486 SAMR_GROUP_ACCESS_GET_MEMBERS,
4487 "_samr_QueryGroupMember");
4488 if (!NT_STATUS_IS_OK(status)) {
4492 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4494 if (!sid_check_is_in_our_domain(&group_sid)) {
4495 DEBUG(3, ("sid %s is not in our domain\n",
4496 sid_string_dbg(&group_sid)));
4497 return NT_STATUS_NO_SUCH_GROUP;
4500 DEBUG(10, ("lookup on Domain SID\n"));
4503 status = pdb_enum_group_members(p->mem_ctx, &group_sid,
4504 &rid, &num_members);
4507 if (!NT_STATUS_IS_OK(status))
4511 attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members);
4513 return NT_STATUS_NO_MEMORY;
4519 for (i=0; i<num_members; i++)
4520 attr[i] = SID_NAME_USER;
4522 rids->count = num_members;
4526 *r->out.rids = rids;
4528 return NT_STATUS_OK;
4531 /*********************************************************************
4532 _samr_AddAliasMember
4533 *********************************************************************/
4535 NTSTATUS _samr_AddAliasMember(pipes_struct *p,
4536 struct samr_AddAliasMember *r)
4541 bool can_add_accounts;
4543 DISP_INFO *disp_info = NULL;
4545 /* Find the policy handle. Open a policy on it. */
4546 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4547 return NT_STATUS_INVALID_HANDLE;
4549 status = access_check_samr_function(acc_granted,
4550 SAMR_ALIAS_ACCESS_ADD_MEMBER,
4551 "_samr_AddAliasMember");
4552 if (!NT_STATUS_IS_OK(status)) {
4556 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4558 se_priv_copy( &se_rights, &se_add_users );
4559 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4561 /******** BEGIN SeAddUsers BLOCK *********/
4563 if ( can_add_accounts )
4566 status = pdb_add_aliasmem(&alias_sid, r->in.sid);
4568 if ( can_add_accounts )
4571 /******** END SeAddUsers BLOCK *********/
4573 if (NT_STATUS_IS_OK(status)) {
4574 force_flush_samr_cache(disp_info);
4580 /*********************************************************************
4581 _samr_DeleteAliasMember
4582 *********************************************************************/
4584 NTSTATUS _samr_DeleteAliasMember(pipes_struct *p,
4585 struct samr_DeleteAliasMember *r)
4590 bool can_add_accounts;
4592 DISP_INFO *disp_info = NULL;
4594 /* Find the policy handle. Open a policy on it. */
4595 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4596 return NT_STATUS_INVALID_HANDLE;
4598 status = access_check_samr_function(acc_granted,
4599 SAMR_ALIAS_ACCESS_REMOVE_MEMBER,
4600 "_samr_DeleteAliasMember");
4601 if (!NT_STATUS_IS_OK(status)) {
4605 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
4606 sid_string_dbg(&alias_sid)));
4608 se_priv_copy( &se_rights, &se_add_users );
4609 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4611 /******** BEGIN SeAddUsers BLOCK *********/
4613 if ( can_add_accounts )
4616 status = pdb_del_aliasmem(&alias_sid, r->in.sid);
4618 if ( can_add_accounts )
4621 /******** END SeAddUsers BLOCK *********/
4623 if (NT_STATUS_IS_OK(status)) {
4624 force_flush_samr_cache(disp_info);
4630 /*********************************************************************
4631 _samr_AddGroupMember
4632 *********************************************************************/
4634 NTSTATUS _samr_AddGroupMember(pipes_struct *p,
4635 struct samr_AddGroupMember *r)
4642 bool can_add_accounts;
4643 DISP_INFO *disp_info = NULL;
4645 /* Find the policy handle. Open a policy on it. */
4646 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4647 return NT_STATUS_INVALID_HANDLE;
4649 status = access_check_samr_function(acc_granted,
4650 SAMR_GROUP_ACCESS_ADD_MEMBER,
4651 "_samr_AddGroupMember");
4652 if (!NT_STATUS_IS_OK(status)) {
4656 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4658 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4660 return NT_STATUS_INVALID_HANDLE;
4663 se_priv_copy( &se_rights, &se_add_users );
4664 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4666 /******** BEGIN SeAddUsers BLOCK *********/
4668 if ( can_add_accounts )
4671 status = pdb_add_groupmem(p->mem_ctx, group_rid, r->in.rid);
4673 if ( can_add_accounts )
4676 /******** END SeAddUsers BLOCK *********/
4678 force_flush_samr_cache(disp_info);
4683 /*********************************************************************
4684 _samr_DeleteGroupMember
4685 *********************************************************************/
4687 NTSTATUS _samr_DeleteGroupMember(pipes_struct *p,
4688 struct samr_DeleteGroupMember *r)
4696 bool can_add_accounts;
4697 DISP_INFO *disp_info = NULL;
4700 * delete the group member named r->in.rid
4701 * who is a member of the sid associated with the handle
4702 * the rid is a user's rid as the group is a domain group.
4705 /* Find the policy handle. Open a policy on it. */
4706 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4707 return NT_STATUS_INVALID_HANDLE;
4709 status = access_check_samr_function(acc_granted,
4710 SAMR_GROUP_ACCESS_REMOVE_MEMBER,
4711 "_samr_DeleteGroupMember");
4712 if (!NT_STATUS_IS_OK(status)) {
4716 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4718 return NT_STATUS_INVALID_HANDLE;
4721 se_priv_copy( &se_rights, &se_add_users );
4722 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4724 /******** BEGIN SeAddUsers BLOCK *********/
4726 if ( can_add_accounts )
4729 status = pdb_del_groupmem(p->mem_ctx, group_rid, r->in.rid);
4731 if ( can_add_accounts )
4734 /******** END SeAddUsers BLOCK *********/
4736 force_flush_samr_cache(disp_info);
4741 /*********************************************************************
4743 *********************************************************************/
4745 NTSTATUS _samr_DeleteUser(pipes_struct *p,
4746 struct samr_DeleteUser *r)
4750 struct samu *sam_pass=NULL;
4752 bool can_add_accounts;
4754 DISP_INFO *disp_info = NULL;
4757 DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__));
4759 /* Find the policy handle. Open a policy on it. */
4760 if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &user_sid, &acc_granted, &disp_info))
4761 return NT_STATUS_INVALID_HANDLE;
4763 status = access_check_samr_function(acc_granted,
4764 STD_RIGHT_DELETE_ACCESS,
4765 "_samr_DeleteUser");
4766 if (!NT_STATUS_IS_OK(status)) {
4770 if (!sid_check_is_in_our_domain(&user_sid))
4771 return NT_STATUS_CANNOT_DELETE;
4773 /* check if the user exists before trying to delete */
4774 if ( !(sam_pass = samu_new( NULL )) ) {
4775 return NT_STATUS_NO_MEMORY;
4779 ret = pdb_getsampwsid(sam_pass, &user_sid);
4783 DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
4784 sid_string_dbg(&user_sid)));
4785 TALLOC_FREE(sam_pass);
4786 return NT_STATUS_NO_SUCH_USER;
4789 acb_info = pdb_get_acct_ctrl(sam_pass);
4791 /* For machine accounts it's the SeMachineAccountPrivilege that counts. */
4792 if ( acb_info & ACB_WSTRUST ) {
4793 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account );
4795 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
4798 /******** BEGIN SeAddUsers BLOCK *********/
4800 if ( can_add_accounts )
4803 status = pdb_delete_user(p->mem_ctx, sam_pass);
4805 if ( can_add_accounts )
4808 /******** END SeAddUsers BLOCK *********/
4810 if ( !NT_STATUS_IS_OK(status) ) {
4811 DEBUG(5,("_samr_DeleteUser: Failed to delete entry for "
4812 "user %s: %s.\n", pdb_get_username(sam_pass),
4813 nt_errstr(status)));
4814 TALLOC_FREE(sam_pass);
4819 TALLOC_FREE(sam_pass);
4821 if (!close_policy_hnd(p, r->in.user_handle))
4822 return NT_STATUS_OBJECT_NAME_INVALID;
4824 ZERO_STRUCTP(r->out.user_handle);
4826 force_flush_samr_cache(disp_info);
4828 return NT_STATUS_OK;
4831 /*********************************************************************
4832 _samr_DeleteDomainGroup
4833 *********************************************************************/
4835 NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p,
4836 struct samr_DeleteDomainGroup *r)
4843 bool can_add_accounts;
4844 DISP_INFO *disp_info = NULL;
4846 DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__));
4848 /* Find the policy handle. Open a policy on it. */
4849 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4850 return NT_STATUS_INVALID_HANDLE;
4852 status = access_check_samr_function(acc_granted,
4853 STD_RIGHT_DELETE_ACCESS,
4854 "_samr_DeleteDomainGroup");
4855 if (!NT_STATUS_IS_OK(status)) {
4859 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4861 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4863 return NT_STATUS_NO_SUCH_GROUP;
4866 se_priv_copy( &se_rights, &se_add_users );
4867 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4869 /******** BEGIN SeAddUsers BLOCK *********/
4871 if ( can_add_accounts )
4874 status = pdb_delete_dom_group(p->mem_ctx, group_rid);
4876 if ( can_add_accounts )
4879 /******** END SeAddUsers BLOCK *********/
4881 if ( !NT_STATUS_IS_OK(status) ) {
4882 DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping "
4883 "entry for group %s: %s\n",
4884 sid_string_dbg(&group_sid),
4885 nt_errstr(status)));
4889 if (!close_policy_hnd(p, r->in.group_handle))
4890 return NT_STATUS_OBJECT_NAME_INVALID;
4892 force_flush_samr_cache(disp_info);
4894 return NT_STATUS_OK;
4897 /*********************************************************************
4898 _samr_DeleteDomAlias
4899 *********************************************************************/
4901 NTSTATUS _samr_DeleteDomAlias(pipes_struct *p,
4902 struct samr_DeleteDomAlias *r)
4907 bool can_add_accounts;
4909 DISP_INFO *disp_info = NULL;
4911 DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__));
4913 /* Find the policy handle. Open a policy on it. */
4914 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4915 return NT_STATUS_INVALID_HANDLE;
4917 /* copy the handle to the outgoing reply */
4919 memcpy(r->out.alias_handle, r->in.alias_handle, sizeof(r->out.alias_handle));
4921 status = access_check_samr_function(acc_granted,
4922 STD_RIGHT_DELETE_ACCESS,
4923 "_samr_DeleteDomAlias");
4924 if (!NT_STATUS_IS_OK(status)) {
4928 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4930 /* Don't let Windows delete builtin groups */
4932 if ( sid_check_is_in_builtin( &alias_sid ) ) {
4933 return NT_STATUS_SPECIAL_ACCOUNT;
4936 if (!sid_check_is_in_our_domain(&alias_sid))
4937 return NT_STATUS_NO_SUCH_ALIAS;
4939 DEBUG(10, ("lookup on Local SID\n"));
4941 se_priv_copy( &se_rights, &se_add_users );
4942 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4944 /******** BEGIN SeAddUsers BLOCK *********/
4946 if ( can_add_accounts )
4949 /* Have passdb delete the alias */
4950 status = pdb_delete_alias(&alias_sid);
4952 if ( can_add_accounts )
4955 /******** END SeAddUsers BLOCK *********/
4957 if ( !NT_STATUS_IS_OK(status))
4960 if (!close_policy_hnd(p, r->in.alias_handle))
4961 return NT_STATUS_OBJECT_NAME_INVALID;
4963 force_flush_samr_cache(disp_info);
4965 return NT_STATUS_OK;
4968 /*********************************************************************
4969 _samr_CreateDomainGroup
4970 *********************************************************************/
4972 NTSTATUS _samr_CreateDomainGroup(pipes_struct *p,
4973 struct samr_CreateDomainGroup *r)
4980 struct samr_info *info;
4983 bool can_add_accounts;
4984 DISP_INFO *disp_info = NULL;
4986 /* Find the policy handle. Open a policy on it. */
4987 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info))
4988 return NT_STATUS_INVALID_HANDLE;
4990 status = access_check_samr_function(acc_granted,
4991 SAMR_DOMAIN_ACCESS_CREATE_GROUP,
4992 "_samr_CreateDomainGroup");
4993 if (!NT_STATUS_IS_OK(status)) {
4997 if (!sid_equal(&dom_sid, get_global_sam_sid()))
4998 return NT_STATUS_ACCESS_DENIED;
5000 name = r->in.name->string;
5002 return NT_STATUS_NO_MEMORY;
5005 status = can_create(p->mem_ctx, name);
5006 if (!NT_STATUS_IS_OK(status)) {
5010 se_priv_copy( &se_rights, &se_add_users );
5011 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
5013 /******** BEGIN SeAddUsers BLOCK *********/
5015 if ( can_add_accounts )
5018 /* check that we successfully create the UNIX group */
5020 status = pdb_create_dom_group(p->mem_ctx, name, r->out.rid);
5022 if ( can_add_accounts )
5025 /******** END SeAddUsers BLOCK *********/
5027 /* check if we should bail out here */
5029 if ( !NT_STATUS_IS_OK(status) )
5032 sid_compose(&info_sid, get_global_sam_sid(), *r->out.rid);
5034 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
5035 return NT_STATUS_NO_MEMORY;
5037 /* they created it; let the user do what he wants with it */
5039 info->acc_granted = GENERIC_RIGHTS_GROUP_ALL_ACCESS;
5041 /* get a (unique) handle. open a policy on it. */
5042 if (!create_policy_hnd(p, r->out.group_handle, free_samr_info, (void *)info))
5043 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5045 force_flush_samr_cache(disp_info);
5047 return NT_STATUS_OK;
5050 /*********************************************************************
5051 _samr_CreateDomAlias
5052 *********************************************************************/
5054 NTSTATUS _samr_CreateDomAlias(pipes_struct *p,
5055 struct samr_CreateDomAlias *r)
5059 const char *name = NULL;
5060 struct samr_info *info;
5065 bool can_add_accounts;
5066 DISP_INFO *disp_info = NULL;
5068 /* Find the policy handle. Open a policy on it. */
5069 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info))
5070 return NT_STATUS_INVALID_HANDLE;
5072 result = access_check_samr_function(acc_granted,
5073 SAMR_DOMAIN_ACCESS_CREATE_ALIAS,
5074 "_samr_CreateDomAlias");
5075 if (!NT_STATUS_IS_OK(result)) {
5079 if (!sid_equal(&dom_sid, get_global_sam_sid()))
5080 return NT_STATUS_ACCESS_DENIED;
5082 name = r->in.alias_name->string;
5084 se_priv_copy( &se_rights, &se_add_users );
5085 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
5087 result = can_create(p->mem_ctx, name);
5088 if (!NT_STATUS_IS_OK(result)) {
5092 /******** BEGIN SeAddUsers BLOCK *********/
5094 if ( can_add_accounts )
5097 /* Have passdb create the alias */
5098 result = pdb_create_alias(name, r->out.rid);
5100 if ( can_add_accounts )
5103 /******** END SeAddUsers BLOCK *********/
5105 if (!NT_STATUS_IS_OK(result)) {
5106 DEBUG(10, ("pdb_create_alias failed: %s\n",
5107 nt_errstr(result)));
5111 sid_copy(&info_sid, get_global_sam_sid());
5112 sid_append_rid(&info_sid, *r->out.rid);
5114 if (!sid_to_gid(&info_sid, &gid)) {
5115 DEBUG(10, ("Could not find alias just created\n"));
5116 return NT_STATUS_ACCESS_DENIED;
5119 /* check if the group has been successfully created */
5120 if ( getgrgid(gid) == NULL ) {
5121 DEBUG(10, ("getgrgid(%d) of just created alias failed\n",
5123 return NT_STATUS_ACCESS_DENIED;
5126 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
5127 return NT_STATUS_NO_MEMORY;
5129 /* they created it; let the user do what he wants with it */
5131 info->acc_granted = GENERIC_RIGHTS_ALIAS_ALL_ACCESS;
5133 /* get a (unique) handle. open a policy on it. */
5134 if (!create_policy_hnd(p, r->out.alias_handle, free_samr_info, (void *)info))
5135 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5137 force_flush_samr_cache(disp_info);
5139 return NT_STATUS_OK;
5142 /*********************************************************************
5143 _samr_QueryGroupInfo
5144 *********************************************************************/
5146 NTSTATUS _samr_QueryGroupInfo(pipes_struct *p,
5147 struct samr_QueryGroupInfo *r)
5152 union samr_GroupInfo *info = NULL;
5155 uint32_t attributes = SE_GROUP_MANDATORY |
5156 SE_GROUP_ENABLED_BY_DEFAULT |
5158 const char *group_name = NULL;
5159 const char *group_description = NULL;
5161 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL))
5162 return NT_STATUS_INVALID_HANDLE;
5164 status = access_check_samr_function(acc_granted,
5165 SAMR_GROUP_ACCESS_LOOKUP_INFO,
5166 "_samr_QueryGroupInfo");
5167 if (!NT_STATUS_IS_OK(status)) {
5172 ret = get_domain_group_from_sid(group_sid, &map);
5175 return NT_STATUS_INVALID_HANDLE;
5177 /* FIXME: map contains fstrings */
5178 group_name = talloc_strdup(r, map.nt_name);
5179 group_description = talloc_strdup(r, map.comment);
5181 info = TALLOC_ZERO_P(p->mem_ctx, union samr_GroupInfo);
5183 return NT_STATUS_NO_MEMORY;
5186 switch (r->in.level) {
5192 status = pdb_enum_group_members(
5193 p->mem_ctx, &group_sid, &members, &num_members);
5196 if (!NT_STATUS_IS_OK(status)) {
5200 init_samr_group_info1(&info->all,
5208 init_samr_group_info2(&info->name,
5212 init_samr_group_info3(&info->attributes,
5216 init_samr_group_info4(&info->description,
5227 status = pdb_enum_group_members(
5228 p->mem_ctx, &group_sid, &members, &num_members);
5231 if (!NT_STATUS_IS_OK(status)) {
5235 init_samr_group_info5(&info->all2,
5238 0, /* num_members - in w2k3 this is always 0 */
5244 return NT_STATUS_INVALID_INFO_CLASS;
5247 *r->out.info = info;
5249 return NT_STATUS_OK;
5252 /*********************************************************************
5254 *********************************************************************/
5256 NTSTATUS _samr_SetGroupInfo(pipes_struct *p,
5257 struct samr_SetGroupInfo *r)
5264 bool can_mod_accounts;
5265 DISP_INFO *disp_info = NULL;
5267 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
5268 return NT_STATUS_INVALID_HANDLE;
5270 status = access_check_samr_function(acc_granted,
5271 SAMR_GROUP_ACCESS_SET_INFO,
5272 "_samr_SetGroupInfo");
5273 if (!NT_STATUS_IS_OK(status)) {
5278 ret = get_domain_group_from_sid(group_sid, &map);
5281 return NT_STATUS_NO_SUCH_GROUP;
5283 switch (r->in.level) {
5285 fstrcpy(map.comment, r->in.info->all.description.string);
5288 /* group rename is not supported yet */
5289 return NT_STATUS_NOT_SUPPORTED;
5291 fstrcpy(map.comment, r->in.info->description.string);
5294 return NT_STATUS_INVALID_INFO_CLASS;
5297 can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
5299 /******** BEGIN SeAddUsers BLOCK *********/
5301 if ( can_mod_accounts )
5304 status = pdb_update_group_mapping_entry(&map);
5306 if ( can_mod_accounts )
5309 /******** End SeAddUsers BLOCK *********/
5311 if (NT_STATUS_IS_OK(status)) {
5312 force_flush_samr_cache(disp_info);
5318 /*********************************************************************
5320 *********************************************************************/
5322 NTSTATUS _samr_SetAliasInfo(pipes_struct *p,
5323 struct samr_SetAliasInfo *r)
5326 struct acct_info info;
5328 bool can_mod_accounts;
5330 DISP_INFO *disp_info = NULL;
5332 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &group_sid, &acc_granted, &disp_info))
5333 return NT_STATUS_INVALID_HANDLE;
5335 status = access_check_samr_function(acc_granted,
5336 SAMR_ALIAS_ACCESS_SET_INFO,
5337 "_samr_SetAliasInfo");
5338 if (!NT_STATUS_IS_OK(status)) {
5342 /* get the current group information */
5345 status = pdb_get_aliasinfo( &group_sid, &info );
5348 if ( !NT_STATUS_IS_OK(status))
5351 switch (r->in.level) {
5356 /* We currently do not support renaming groups in the
5357 the BUILTIN domain. Refer to util_builtin.c to understand
5358 why. The eventually needs to be fixed to be like Windows
5359 where you can rename builtin groups, just not delete them */
5361 if ( sid_check_is_in_builtin( &group_sid ) ) {
5362 return NT_STATUS_SPECIAL_ACCOUNT;
5365 /* There has to be a valid name (and it has to be different) */
5367 if ( !r->in.info->name.string )
5368 return NT_STATUS_INVALID_PARAMETER;
5370 /* If the name is the same just reply "ok". Yes this
5371 doesn't allow you to change the case of a group name. */
5373 if ( strequal( r->in.info->name.string, info.acct_name ) )
5374 return NT_STATUS_OK;
5376 fstrcpy( info.acct_name, r->in.info->name.string);
5378 /* make sure the name doesn't already exist as a user
5381 fstr_sprintf( group_name, "%s\\%s", global_myname(), info.acct_name );
5382 status = can_create( p->mem_ctx, group_name );
5383 if ( !NT_STATUS_IS_OK( status ) )
5387 case ALIASINFODESCRIPTION:
5388 if (r->in.info->description.string) {
5389 fstrcpy(info.acct_desc,
5390 r->in.info->description.string);
5392 fstrcpy( info.acct_desc, "" );
5396 return NT_STATUS_INVALID_INFO_CLASS;
5399 can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
5401 /******** BEGIN SeAddUsers BLOCK *********/
5403 if ( can_mod_accounts )
5406 status = pdb_set_aliasinfo( &group_sid, &info );
5408 if ( can_mod_accounts )
5411 /******** End SeAddUsers BLOCK *********/
5413 if (NT_STATUS_IS_OK(status))
5414 force_flush_samr_cache(disp_info);
5419 /****************************************************************
5421 ****************************************************************/
5423 NTSTATUS _samr_GetDomPwInfo(pipes_struct *p,
5424 struct samr_GetDomPwInfo *r)
5426 uint32_t min_password_length = 0;
5427 uint32_t password_properties = 0;
5429 /* Perform access check. Since this rpc does not require a
5430 policy handle it will not be caught by the access checks on
5431 SAMR_CONNECT or SAMR_CONNECT_ANON. */
5433 if (!pipe_access_check(p)) {
5434 DEBUG(3, ("access denied to _samr_GetDomPwInfo\n"));
5435 return NT_STATUS_ACCESS_DENIED;
5439 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
5440 &min_password_length);
5441 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
5442 &password_properties);
5445 if (lp_check_password_script() && *lp_check_password_script()) {
5446 password_properties |= DOMAIN_PASSWORD_COMPLEX;
5449 r->out.info->min_password_length = min_password_length;
5450 r->out.info->password_properties = password_properties;
5452 return NT_STATUS_OK;
5455 /*********************************************************************
5457 *********************************************************************/
5459 NTSTATUS _samr_OpenGroup(pipes_struct *p,
5460 struct samr_OpenGroup *r)
5466 struct samr_info *info;
5467 SEC_DESC *psd = NULL;
5469 uint32 des_access = r->in.access_mask;
5476 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL))
5477 return NT_STATUS_INVALID_HANDLE;
5479 status = access_check_samr_function(acc_granted,
5480 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
5483 if ( !NT_STATUS_IS_OK(status) )
5486 /*check if access can be granted as requested by client. */
5487 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
5489 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
5490 se_map_generic(&des_access,&grp_generic_mapping);
5492 se_priv_copy( &se_rights, &se_add_users );
5494 status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
5495 &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access,
5496 &acc_granted, "_samr_OpenGroup");
5498 if ( !NT_STATUS_IS_OK(status) )
5501 /* this should not be hard-coded like this */
5503 if (!sid_equal(&sid, get_global_sam_sid()))
5504 return NT_STATUS_ACCESS_DENIED;
5506 sid_copy(&info_sid, get_global_sam_sid());
5507 sid_append_rid(&info_sid, r->in.rid);
5508 sid_to_fstring(sid_string, &info_sid);
5510 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
5511 return NT_STATUS_NO_MEMORY;
5513 info->acc_granted = acc_granted;
5515 DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n", sid_string));
5517 /* check if that group really exists */
5519 ret = get_domain_group_from_sid(info->sid, &map);
5522 return NT_STATUS_NO_SUCH_GROUP;
5524 /* get a (unique) handle. open a policy on it. */
5525 if (!create_policy_hnd(p, r->out.group_handle, free_samr_info, (void *)info))
5526 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5528 return NT_STATUS_OK;
5531 /*********************************************************************
5532 _samr_RemoveMemberFromForeignDomain
5533 *********************************************************************/
5535 NTSTATUS _samr_RemoveMemberFromForeignDomain(pipes_struct *p,
5536 struct samr_RemoveMemberFromForeignDomain *r)
5538 DOM_SID delete_sid, domain_sid;
5541 DISP_INFO *disp_info = NULL;
5543 sid_copy( &delete_sid, r->in.sid );
5545 DEBUG(5,("_samr_RemoveMemberFromForeignDomain: removing SID [%s]\n",
5546 sid_string_dbg(&delete_sid)));
5548 /* Find the policy handle. Open a policy on it. */
5550 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &domain_sid,
5551 &acc_granted, &disp_info))
5552 return NT_STATUS_INVALID_HANDLE;
5554 result = access_check_samr_function(acc_granted,
5555 STD_RIGHT_DELETE_ACCESS,
5556 "_samr_RemoveMemberFromForeignDomain");
5558 if (!NT_STATUS_IS_OK(result))
5561 DEBUG(8, ("_samr_RemoveMemberFromForeignDomain: sid is %s\n",
5562 sid_string_dbg(&domain_sid)));
5564 /* we can only delete a user from a group since we don't have
5565 nested groups anyways. So in the latter case, just say OK */
5567 /* TODO: The above comment nowadays is bogus. Since we have nested
5568 * groups now, and aliases members are never reported out of the unix
5569 * group membership, the "just say OK" makes this call a no-op. For
5570 * us. This needs fixing however. */
5572 /* I've only ever seen this in the wild when deleting a user from
5573 * usrmgr.exe. domain_sid is the builtin domain, and the sid to delete
5574 * is the user about to be deleted. I very much suspect this is the
5575 * only application of this call. To verify this, let people report
5578 if (!sid_check_is_builtin(&domain_sid)) {
5579 DEBUG(1,("_samr_RemoveMemberFromForeignDomain: domain_sid = %s, "
5580 "global_sam_sid() = %s\n",
5581 sid_string_dbg(&domain_sid),
5582 sid_string_dbg(get_global_sam_sid())));
5583 DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
5584 return NT_STATUS_OK;
5587 force_flush_samr_cache(disp_info);
5589 result = NT_STATUS_OK;
5594 /*******************************************************************
5595 _samr_QueryDomainInfo2
5596 ********************************************************************/
5598 NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p,
5599 struct samr_QueryDomainInfo2 *r)
5601 struct samr_QueryDomainInfo q;
5603 q.in.domain_handle = r->in.domain_handle;
5604 q.in.level = r->in.level;
5606 q.out.info = r->out.info;
5608 return _samr_QueryDomainInfo(p, &q);
5611 /*******************************************************************
5613 ********************************************************************/
5615 NTSTATUS _samr_SetDomainInfo(pipes_struct *p,
5616 struct samr_SetDomainInfo *r)
5618 struct samr_info *info = NULL;
5619 time_t u_expire, u_min_age;
5621 time_t u_lock_duration, u_reset_time;
5624 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
5626 /* find the policy handle. open a policy on it. */
5627 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
5628 return NT_STATUS_INVALID_HANDLE;
5630 /* We do have different access bits for info
5631 * levels here, but we're really just looking for
5632 * GENERIC_RIGHTS_DOMAIN_WRITE access. Unfortunately
5633 * this maps to different specific bits. So
5634 * assume if we have SAMR_DOMAIN_ACCESS_SET_INFO_1
5637 result = access_check_samr_function(info->acc_granted,
5638 SAMR_DOMAIN_ACCESS_SET_INFO_1,
5639 "_samr_SetDomainInfo");
5641 if (!NT_STATUS_IS_OK(result))
5644 DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level));
5646 switch (r->in.level) {
5648 u_expire=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.max_password_age);
5649 u_min_age=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.min_password_age);
5650 pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)r->in.info->info1.min_password_length);
5651 pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)r->in.info->info1.password_history_length);
5652 pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)r->in.info->info1.password_properties);
5653 pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire);
5654 pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age);
5659 u_logout=nt_time_to_unix_abs((NTTIME *)&r->in.info->info3.force_logoff_time);
5660 pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout);
5669 u_lock_duration=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_duration);
5670 if (u_lock_duration != -1)
5671 u_lock_duration /= 60;
5673 u_reset_time=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_window)/60;
5675 pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
5676 pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time);
5677 pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)r->in.info->info12.lockout_threshold);
5680 return NT_STATUS_INVALID_INFO_CLASS;
5683 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
5685 return NT_STATUS_OK;
5688 /****************************************************************
5689 _samr_GetDisplayEnumerationIndex
5690 ****************************************************************/
5692 NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p,
5693 struct samr_GetDisplayEnumerationIndex *r)
5695 struct samr_info *info = NULL;
5696 uint32_t max_entries = (uint32_t) -1;
5697 uint32_t enum_context = 0;
5699 uint32_t num_account = 0;
5700 struct samr_displayentry *entries = NULL;
5703 DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__));
5705 /* find the policy handle. open a policy on it. */
5706 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) {
5707 return NT_STATUS_INVALID_HANDLE;
5710 status = access_check_samr_function(info->acc_granted,
5711 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
5712 "_samr_GetDisplayEnumerationIndex");
5713 if (!NT_STATUS_IS_OK(status)) {
5717 if ((r->in.level < 1) || (r->in.level > 3)) {
5718 DEBUG(0,("_samr_GetDisplayEnumerationIndex: "
5719 "Unknown info level (%u)\n",
5721 return NT_STATUS_INVALID_INFO_CLASS;
5726 /* The following done as ROOT. Don't return without unbecome_root(). */
5728 switch (r->in.level) {
5730 if (info->disp_info->users == NULL) {
5731 info->disp_info->users = pdb_search_users(ACB_NORMAL);
5732 if (info->disp_info->users == NULL) {
5734 return NT_STATUS_ACCESS_DENIED;
5736 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5737 "starting user enumeration at index %u\n",
5738 (unsigned int)enum_context));
5740 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5741 "using cached user enumeration at index %u\n",
5742 (unsigned int)enum_context));
5744 num_account = pdb_search_entries(info->disp_info->users,
5745 enum_context, max_entries,
5749 if (info->disp_info->machines == NULL) {
5750 info->disp_info->machines =
5751 pdb_search_users(ACB_WSTRUST|ACB_SVRTRUST);
5752 if (info->disp_info->machines == NULL) {
5754 return NT_STATUS_ACCESS_DENIED;
5756 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5757 "starting machine enumeration at index %u\n",
5758 (unsigned int)enum_context));
5760 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5761 "using cached machine enumeration at index %u\n",
5762 (unsigned int)enum_context));
5764 num_account = pdb_search_entries(info->disp_info->machines,
5765 enum_context, max_entries,
5769 if (info->disp_info->groups == NULL) {
5770 info->disp_info->groups = pdb_search_groups();
5771 if (info->disp_info->groups == NULL) {
5773 return NT_STATUS_ACCESS_DENIED;
5775 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5776 "starting group enumeration at index %u\n",
5777 (unsigned int)enum_context));
5779 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5780 "using cached group enumeration at index %u\n",
5781 (unsigned int)enum_context));
5783 num_account = pdb_search_entries(info->disp_info->groups,
5784 enum_context, max_entries,
5789 smb_panic("info class changed");
5795 /* Ensure we cache this enumeration. */
5796 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
5798 DEBUG(10,("_samr_GetDisplayEnumerationIndex: looking for :%s\n",
5799 r->in.name->string));
5801 for (i=0; i<num_account; i++) {
5802 if (strequal(entries[i].account_name, r->in.name->string)) {
5803 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5804 "found %s at idx %d\n",
5805 r->in.name->string, i));
5807 return NT_STATUS_OK;
5811 /* assuming account_name lives at the very end */
5812 *r->out.idx = num_account;
5814 return NT_STATUS_NO_MORE_ENTRIES;
5817 /****************************************************************
5818 _samr_GetDisplayEnumerationIndex2
5819 ****************************************************************/
5821 NTSTATUS _samr_GetDisplayEnumerationIndex2(pipes_struct *p,
5822 struct samr_GetDisplayEnumerationIndex2 *r)
5824 struct samr_GetDisplayEnumerationIndex q;
5826 q.in.domain_handle = r->in.domain_handle;
5827 q.in.level = r->in.level;
5828 q.in.name = r->in.name;
5830 q.out.idx = r->out.idx;
5832 return _samr_GetDisplayEnumerationIndex(p, &q);
5835 /****************************************************************
5836 ****************************************************************/
5838 NTSTATUS _samr_Shutdown(pipes_struct *p,
5839 struct samr_Shutdown *r)
5841 p->rng_fault_state = true;
5842 return NT_STATUS_NOT_IMPLEMENTED;
5845 /****************************************************************
5846 ****************************************************************/
5848 NTSTATUS _samr_CreateUser(pipes_struct *p,
5849 struct samr_CreateUser *r)
5851 p->rng_fault_state = true;
5852 return NT_STATUS_NOT_IMPLEMENTED;
5855 /****************************************************************
5856 ****************************************************************/
5858 NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p,
5859 struct samr_SetMemberAttributesOfGroup *r)
5861 p->rng_fault_state = true;
5862 return NT_STATUS_NOT_IMPLEMENTED;
5865 /****************************************************************
5866 ****************************************************************/
5868 NTSTATUS _samr_ChangePasswordUser(pipes_struct *p,
5869 struct samr_ChangePasswordUser *r)
5871 p->rng_fault_state = true;
5872 return NT_STATUS_NOT_IMPLEMENTED;
5875 /****************************************************************
5876 ****************************************************************/
5878 NTSTATUS _samr_TestPrivateFunctionsDomain(pipes_struct *p,
5879 struct samr_TestPrivateFunctionsDomain *r)
5881 p->rng_fault_state = true;
5882 return NT_STATUS_NOT_IMPLEMENTED;
5885 /****************************************************************
5886 ****************************************************************/
5888 NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p,
5889 struct samr_TestPrivateFunctionsUser *r)
5891 p->rng_fault_state = true;
5892 return NT_STATUS_NOT_IMPLEMENTED;
5895 /****************************************************************
5896 ****************************************************************/
5898 NTSTATUS _samr_QueryUserInfo2(pipes_struct *p,
5899 struct samr_QueryUserInfo2 *r)
5901 p->rng_fault_state = true;
5902 return NT_STATUS_NOT_IMPLEMENTED;
5905 /****************************************************************
5906 ****************************************************************/
5908 NTSTATUS _samr_AddMultipleMembersToAlias(pipes_struct *p,
5909 struct samr_AddMultipleMembersToAlias *r)
5911 p->rng_fault_state = true;
5912 return NT_STATUS_NOT_IMPLEMENTED;
5915 /****************************************************************
5916 ****************************************************************/
5918 NTSTATUS _samr_RemoveMultipleMembersFromAlias(pipes_struct *p,
5919 struct samr_RemoveMultipleMembersFromAlias *r)
5921 p->rng_fault_state = true;
5922 return NT_STATUS_NOT_IMPLEMENTED;
5925 /****************************************************************
5926 ****************************************************************/
5928 NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
5929 struct samr_OemChangePasswordUser2 *r)
5931 p->rng_fault_state = true;
5932 return NT_STATUS_NOT_IMPLEMENTED;
5935 /****************************************************************
5936 ****************************************************************/
5938 NTSTATUS _samr_SetBootKeyInformation(pipes_struct *p,
5939 struct samr_SetBootKeyInformation *r)
5941 p->rng_fault_state = true;
5942 return NT_STATUS_NOT_IMPLEMENTED;
5945 /****************************************************************
5946 ****************************************************************/
5948 NTSTATUS _samr_GetBootKeyInformation(pipes_struct *p,
5949 struct samr_GetBootKeyInformation *r)
5951 p->rng_fault_state = true;
5952 return NT_STATUS_NOT_IMPLEMENTED;
5955 /****************************************************************
5956 ****************************************************************/
5958 NTSTATUS _samr_Connect3(pipes_struct *p,
5959 struct samr_Connect3 *r)
5961 p->rng_fault_state = true;
5962 return NT_STATUS_NOT_IMPLEMENTED;
5965 /****************************************************************
5966 ****************************************************************/
5968 NTSTATUS _samr_RidToSid(pipes_struct *p,
5969 struct samr_RidToSid *r)
5971 p->rng_fault_state = true;
5972 return NT_STATUS_NOT_IMPLEMENTED;
5975 /****************************************************************
5976 ****************************************************************/
5978 NTSTATUS _samr_SetDsrmPassword(pipes_struct *p,
5979 struct samr_SetDsrmPassword *r)
5981 p->rng_fault_state = true;
5982 return NT_STATUS_NOT_IMPLEMENTED;
5985 /****************************************************************
5986 ****************************************************************/
5988 NTSTATUS _samr_ValidatePassword(pipes_struct *p,
5989 struct samr_ValidatePassword *r)
5991 p->rng_fault_state = true;
5992 return NT_STATUS_NOT_IMPLEMENTED;