s3-samr: support some more info levels in samr_SetUserInfo calls.
[ira/wip.git] / source3 / rpc_server / srv_samr_nt.c
1 /*
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Copyright (C) Andrew Tridgell                   1992-1997,
5  *  Copyright (C) Luke Kenneth Casson Leighton      1996-1997,
6  *  Copyright (C) Paul Ashton                       1997,
7  *  Copyright (C) Marc Jacobsen                     1999,
8  *  Copyright (C) Jeremy Allison                    2001-2008,
9  *  Copyright (C) Jean Fran├žois Micouleau           1998-2001,
10  *  Copyright (C) Jim McDonough <jmcd@us.ibm.com>   2002,
11  *  Copyright (C) Gerald (Jerry) Carter             2003-2004,
12  *  Copyright (C) Simo Sorce                        2003.
13  *  Copyright (C) Volker Lendecke                   2005.
14  *  Copyright (C) Guenther Deschner                 2008.
15  *
16  *  This program is free software; you can redistribute it and/or modify
17  *  it under the terms of the GNU General Public License as published by
18  *  the Free Software Foundation; either version 3 of the License, or
19  *  (at your option) any later version.
20  *
21  *  This program is distributed in the hope that it will be useful,
22  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
23  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
24  *  GNU General Public License for more details.
25  *
26  *  You should have received a copy of the GNU General Public License
27  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
28  */
29
30 /*
31  * This is the implementation of the SAMR code.
32  */
33
34 #include "includes.h"
35 #include "../libcli/auth/libcli_auth.h"
36
37 #undef DBGC_CLASS
38 #define DBGC_CLASS DBGC_RPC_SRV
39
40 #define SAMR_USR_RIGHTS_WRITE_PW \
41                 ( READ_CONTROL_ACCESS           | \
42                   SAMR_USER_ACCESS_CHANGE_PASSWORD      | \
43                   SAMR_USER_ACCESS_SET_LOC_COM)
44 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
45                 ( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
46
47 #define DISP_INFO_CACHE_TIMEOUT 10
48
49 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
50 #define MAX_SAM_ENTRIES_W95 50
51
52 struct samr_connect_info {
53         uint8_t dummy;
54 };
55
56 struct samr_domain_info {
57         struct dom_sid sid;
58         struct disp_info *disp_info;
59 };
60
61 struct samr_user_info {
62         struct dom_sid sid;
63 };
64
65 struct samr_group_info {
66         struct dom_sid sid;
67 };
68
69 struct samr_alias_info {
70         struct dom_sid sid;
71 };
72
73 typedef struct disp_info {
74         DOM_SID sid; /* identify which domain this is. */
75         struct pdb_search *users; /* querydispinfo 1 and 4 */
76         struct pdb_search *machines; /* querydispinfo 2 */
77         struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
78         struct pdb_search *aliases; /* enumaliases */
79
80         uint16 enum_acb_mask;
81         struct pdb_search *enum_users; /* enumusers with a mask */
82
83         struct timed_event *cache_timeout_event; /* cache idle timeout
84                                                   * handler. */
85 } DISP_INFO;
86
87 static const struct generic_mapping sam_generic_mapping = {
88         GENERIC_RIGHTS_SAM_READ,
89         GENERIC_RIGHTS_SAM_WRITE,
90         GENERIC_RIGHTS_SAM_EXECUTE,
91         GENERIC_RIGHTS_SAM_ALL_ACCESS};
92 static const struct generic_mapping dom_generic_mapping = {
93         GENERIC_RIGHTS_DOMAIN_READ,
94         GENERIC_RIGHTS_DOMAIN_WRITE,
95         GENERIC_RIGHTS_DOMAIN_EXECUTE,
96         GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
97 static const struct generic_mapping usr_generic_mapping = {
98         GENERIC_RIGHTS_USER_READ,
99         GENERIC_RIGHTS_USER_WRITE,
100         GENERIC_RIGHTS_USER_EXECUTE,
101         GENERIC_RIGHTS_USER_ALL_ACCESS};
102 static const struct generic_mapping usr_nopwchange_generic_mapping = {
103         GENERIC_RIGHTS_USER_READ,
104         GENERIC_RIGHTS_USER_WRITE,
105         GENERIC_RIGHTS_USER_EXECUTE & ~SAMR_USER_ACCESS_CHANGE_PASSWORD,
106         GENERIC_RIGHTS_USER_ALL_ACCESS};
107 static const struct generic_mapping grp_generic_mapping = {
108         GENERIC_RIGHTS_GROUP_READ,
109         GENERIC_RIGHTS_GROUP_WRITE,
110         GENERIC_RIGHTS_GROUP_EXECUTE,
111         GENERIC_RIGHTS_GROUP_ALL_ACCESS};
112 static const struct generic_mapping ali_generic_mapping = {
113         GENERIC_RIGHTS_ALIAS_READ,
114         GENERIC_RIGHTS_ALIAS_WRITE,
115         GENERIC_RIGHTS_ALIAS_EXECUTE,
116         GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
117
118 /*******************************************************************
119 *******************************************************************/
120
121 static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size,
122                                      const struct generic_mapping *map,
123                                      DOM_SID *sid, uint32 sid_access )
124 {
125         DOM_SID domadmin_sid;
126         SEC_ACE ace[5];         /* at most 5 entries */
127         size_t i = 0;
128
129         SEC_ACL *psa = NULL;
130
131         /* basic access for Everyone */
132
133         init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
134                         map->generic_execute | map->generic_read, 0);
135
136         /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
137
138         init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
139                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
140         init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
141                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
142
143         /* Add Full Access for Domain Admins if we are a DC */
144
145         if ( IS_DC ) {
146                 sid_copy( &domadmin_sid, get_global_sam_sid() );
147                 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
148                 init_sec_ace(&ace[i++], &domadmin_sid,
149                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
150         }
151
152         /* if we have a sid, give it some special access */
153
154         if ( sid ) {
155                 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sid_access, 0);
156         }
157
158         /* create the security descriptor */
159
160         if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
161                 return NT_STATUS_NO_MEMORY;
162
163         if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
164                                   SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
165                                   psa, sd_size)) == NULL)
166                 return NT_STATUS_NO_MEMORY;
167
168         return NT_STATUS_OK;
169 }
170
171 /*******************************************************************
172  Checks if access to an object should be granted, and returns that
173  level of access for further checks.
174 ********************************************************************/
175
176 static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
177                                           SE_PRIV *rights, uint32 rights_mask,
178                                           uint32 des_access, uint32 *acc_granted,
179                                           const char *debug )
180 {
181         NTSTATUS status = NT_STATUS_ACCESS_DENIED;
182         uint32 saved_mask = 0;
183
184         /* check privileges; certain SAM access bits should be overridden
185            by privileges (mostly having to do with creating/modifying/deleting
186            users and groups) */
187
188         if ( rights && user_has_any_privilege( token, rights ) ) {
189
190                 saved_mask = (des_access & rights_mask);
191                 des_access &= ~saved_mask;
192
193                 DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
194                         rights_mask));
195         }
196
197
198         /* check the security descriptor first */
199
200         status = se_access_check(psd, token, des_access, acc_granted);
201         if (NT_STATUS_IS_OK(status)) {
202                 goto done;
203         }
204
205         /* give root a free pass */
206
207         if ( geteuid() == sec_initial_uid() ) {
208
209                 DEBUG(4,("%s: ACCESS should be DENIED  (requested: %#010x)\n", debug, des_access));
210                 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
211
212                 *acc_granted = des_access;
213
214                 status = NT_STATUS_OK;
215                 goto done;
216         }
217
218
219 done:
220         /* add in any bits saved during the privilege check (only
221            matters is status is ok) */
222
223         *acc_granted |= rights_mask;
224
225         DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
226                 debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
227                 des_access, *acc_granted));
228
229         return status;
230 }
231
232
233 /*******************************************************************
234  Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
235 ********************************************************************/
236
237 static void map_max_allowed_access(const NT_USER_TOKEN *token,
238                                         uint32_t *pacc_requested)
239 {
240         if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
241                 return;
242         }
243         *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
244
245         /* At least try for generic read. */
246         *pacc_requested = GENERIC_READ_ACCESS;
247
248         /* root gets anything. */
249         if (geteuid() == sec_initial_uid()) {
250                 *pacc_requested |= GENERIC_ALL_ACCESS;
251                 return;
252         }
253
254         /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
255
256         if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
257                         is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
258                 *pacc_requested |= GENERIC_ALL_ACCESS;
259                 return;
260         }
261
262         /* Full access for DOMAIN\Domain Admins. */
263         if ( IS_DC ) {
264                 DOM_SID domadmin_sid;
265                 sid_copy( &domadmin_sid, get_global_sam_sid() );
266                 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
267                 if (is_sid_in_token(token, &domadmin_sid)) {
268                         *pacc_requested |= GENERIC_ALL_ACCESS;
269                         return;
270                 }
271         }
272         /* TODO ! Check privileges. */
273 }
274
275 /*******************************************************************
276  Fetch or create a dispinfo struct.
277 ********************************************************************/
278
279 static DISP_INFO *get_samr_dispinfo_by_sid(const struct dom_sid *psid)
280 {
281         /*
282          * We do a static cache for DISP_INFO's here. Explanation can be found
283          * in Jeremy's checkin message to r11793:
284          *
285          * Fix the SAMR cache so it works across completely insane
286          * client behaviour (ie.:
287          * open pipe/open SAMR handle/enumerate 0 - 1024
288          * close SAMR handle, close pipe.
289          * open pipe/open SAMR handle/enumerate 1024 - 2048...
290          * close SAMR handle, close pipe.
291          * And on ad-nausium. Amazing.... probably object-oriented
292          * client side programming in action yet again.
293          * This change should *massively* improve performance when
294          * enumerating users from an LDAP database.
295          * Jeremy.
296          *
297          * "Our" and the builtin domain are the only ones where we ever
298          * enumerate stuff, so just cache 2 entries.
299          */
300
301         static struct disp_info *builtin_dispinfo;
302         static struct disp_info *domain_dispinfo;
303
304         /* There are two cases to consider here:
305            1) The SID is a domain SID and we look for an equality match, or
306            2) This is an account SID and so we return the DISP_INFO* for our
307               domain */
308
309         if (psid == NULL) {
310                 return NULL;
311         }
312
313         if (sid_check_is_builtin(psid) || sid_check_is_in_builtin(psid)) {
314                 /*
315                  * Necessary only once, but it does not really hurt.
316                  */
317                 if (builtin_dispinfo == NULL) {
318                         builtin_dispinfo = talloc_zero(
319                                 talloc_autofree_context(), struct disp_info);
320                         if (builtin_dispinfo == NULL) {
321                                 return NULL;
322                         }
323                 }
324                 sid_copy(&builtin_dispinfo->sid, &global_sid_Builtin);
325
326                 return builtin_dispinfo;
327         }
328
329         if (sid_check_is_domain(psid) || sid_check_is_in_our_domain(psid)) {
330                 /*
331                  * Necessary only once, but it does not really hurt.
332                  */
333                 if (domain_dispinfo == NULL) {
334                         domain_dispinfo = talloc_zero(
335                                 talloc_autofree_context(), struct disp_info);
336                         if (domain_dispinfo == NULL) {
337                                 return NULL;
338                         }
339                 }
340                 sid_copy(&domain_dispinfo->sid, get_global_sam_sid());
341
342                 return domain_dispinfo;
343         }
344
345         return NULL;
346 }
347
348 /*******************************************************************
349  Function to free the per SID data.
350  ********************************************************************/
351
352 static void free_samr_cache(DISP_INFO *disp_info)
353 {
354         DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
355                    sid_string_dbg(&disp_info->sid)));
356
357         /* We need to become root here because the paged search might have to
358          * tell the LDAP server we're not interested in the rest anymore. */
359
360         become_root();
361
362         TALLOC_FREE(disp_info->users);
363         TALLOC_FREE(disp_info->machines);
364         TALLOC_FREE(disp_info->groups);
365         TALLOC_FREE(disp_info->aliases);
366         TALLOC_FREE(disp_info->enum_users);
367
368         unbecome_root();
369 }
370
371 /*******************************************************************
372  Idle event handler. Throw away the disp info cache.
373  ********************************************************************/
374
375 static void disp_info_cache_idle_timeout_handler(struct event_context *ev_ctx,
376                                                  struct timed_event *te,
377                                                  struct timeval now,
378                                                  void *private_data)
379 {
380         DISP_INFO *disp_info = (DISP_INFO *)private_data;
381
382         TALLOC_FREE(disp_info->cache_timeout_event);
383
384         DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
385                    "out\n"));
386         free_samr_cache(disp_info);
387 }
388
389 /*******************************************************************
390  Setup cache removal idle event handler.
391  ********************************************************************/
392
393 static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow)
394 {
395         /* Remove any pending timeout and update. */
396
397         TALLOC_FREE(disp_info->cache_timeout_event);
398
399         DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
400                   "SID %s for %u seconds\n", sid_string_dbg(&disp_info->sid),
401                   (unsigned int)secs_fromnow ));
402
403         disp_info->cache_timeout_event = event_add_timed(
404                 smbd_event_context(), NULL,
405                 timeval_current_ofs(secs_fromnow, 0),
406                 disp_info_cache_idle_timeout_handler, (void *)disp_info);
407 }
408
409 /*******************************************************************
410  Force flush any cache. We do this on any samr_set_xxx call.
411  We must also remove the timeout handler.
412  ********************************************************************/
413
414 static void force_flush_samr_cache(const struct dom_sid *sid)
415 {
416         struct disp_info *disp_info = get_samr_dispinfo_by_sid(sid);
417
418         if ((disp_info == NULL) || (disp_info->cache_timeout_event == NULL)) {
419                 return;
420         }
421
422         DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
423         TALLOC_FREE(disp_info->cache_timeout_event);
424         free_samr_cache(disp_info);
425 }
426
427 /*******************************************************************
428  Ensure password info is never given out. Paranioa... JRA.
429  ********************************************************************/
430
431 static void samr_clear_sam_passwd(struct samu *sam_pass)
432 {
433
434         if (!sam_pass)
435                 return;
436
437         /* These now zero out the old password */
438
439         pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
440         pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
441 }
442
443 static uint32 count_sam_users(struct disp_info *info, uint32 acct_flags)
444 {
445         struct samr_displayentry *entry;
446
447         if (sid_check_is_builtin(&info->sid)) {
448                 /* No users in builtin. */
449                 return 0;
450         }
451
452         if (info->users == NULL) {
453                 info->users = pdb_search_users(info, acct_flags);
454                 if (info->users == NULL) {
455                         return 0;
456                 }
457         }
458         /* Fetch the last possible entry, thus trigger an enumeration */
459         pdb_search_entries(info->users, 0xffffffff, 1, &entry);
460
461         /* Ensure we cache this enumeration. */
462         set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
463
464         return info->users->num_entries;
465 }
466
467 static uint32 count_sam_groups(struct disp_info *info)
468 {
469         struct samr_displayentry *entry;
470
471         if (sid_check_is_builtin(&info->sid)) {
472                 /* No groups in builtin. */
473                 return 0;
474         }
475
476         if (info->groups == NULL) {
477                 info->groups = pdb_search_groups(info);
478                 if (info->groups == NULL) {
479                         return 0;
480                 }
481         }
482         /* Fetch the last possible entry, thus trigger an enumeration */
483         pdb_search_entries(info->groups, 0xffffffff, 1, &entry);
484
485         /* Ensure we cache this enumeration. */
486         set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
487
488         return info->groups->num_entries;
489 }
490
491 static uint32 count_sam_aliases(struct disp_info *info)
492 {
493         struct samr_displayentry *entry;
494
495         if (info->aliases == NULL) {
496                 info->aliases = pdb_search_aliases(info, &info->sid);
497                 if (info->aliases == NULL) {
498                         return 0;
499                 }
500         }
501         /* Fetch the last possible entry, thus trigger an enumeration */
502         pdb_search_entries(info->aliases, 0xffffffff, 1, &entry);
503
504         /* Ensure we cache this enumeration. */
505         set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
506
507         return info->aliases->num_entries;
508 }
509
510 /*******************************************************************
511  _samr_Close
512  ********************************************************************/
513
514 NTSTATUS _samr_Close(pipes_struct *p, struct samr_Close *r)
515 {
516         if (!close_policy_hnd(p, r->in.handle)) {
517                 return NT_STATUS_INVALID_HANDLE;
518         }
519
520         ZERO_STRUCTP(r->out.handle);
521
522         return NT_STATUS_OK;
523 }
524
525 /*******************************************************************
526  _samr_OpenDomain
527  ********************************************************************/
528
529 NTSTATUS _samr_OpenDomain(pipes_struct *p,
530                           struct samr_OpenDomain *r)
531 {
532         struct samr_connect_info *cinfo;
533         struct samr_domain_info *dinfo;
534         SEC_DESC *psd = NULL;
535         uint32    acc_granted;
536         uint32    des_access = r->in.access_mask;
537         NTSTATUS  status;
538         size_t    sd_size;
539         SE_PRIV se_rights;
540
541         /* find the connection policy handle. */
542
543         cinfo = policy_handle_find(p, r->in.connect_handle, 0, NULL,
544                                    struct samr_connect_info, &status);
545         if (!NT_STATUS_IS_OK(status)) {
546                 return status;
547         }
548
549         /*check if access can be granted as requested by client. */
550         map_max_allowed_access(p->server_info->ptok, &des_access);
551
552         make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
553         se_map_generic( &des_access, &dom_generic_mapping );
554
555         se_priv_copy( &se_rights, &se_machine_account );
556         se_priv_add( &se_rights, &se_add_users );
557
558         status = access_check_samr_object( psd, p->server_info->ptok,
559                 &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access,
560                 &acc_granted, "_samr_OpenDomain" );
561
562         if ( !NT_STATUS_IS_OK(status) )
563                 return status;
564
565         if (!sid_check_is_domain(r->in.sid) &&
566             !sid_check_is_builtin(r->in.sid)) {
567                 return NT_STATUS_NO_SUCH_DOMAIN;
568         }
569
570         dinfo = policy_handle_create(p, r->out.domain_handle, acc_granted,
571                                      struct samr_domain_info, &status);
572         if (!NT_STATUS_IS_OK(status)) {
573                 return status;
574         }
575         dinfo->sid = *r->in.sid;
576         dinfo->disp_info = get_samr_dispinfo_by_sid(r->in.sid);
577
578         DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__));
579
580         return NT_STATUS_OK;
581 }
582
583 /*******************************************************************
584  _samr_GetUserPwInfo
585  ********************************************************************/
586
587 NTSTATUS _samr_GetUserPwInfo(pipes_struct *p,
588                              struct samr_GetUserPwInfo *r)
589 {
590         struct samr_user_info *uinfo;
591         enum lsa_SidType sid_type;
592         uint32_t min_password_length = 0;
593         uint32_t password_properties = 0;
594         bool ret = false;
595         NTSTATUS status;
596
597         DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
598
599         uinfo = policy_handle_find(p, r->in.user_handle,
600                                    SAMR_USER_ACCESS_GET_ATTRIBUTES, NULL,
601                                    struct samr_user_info, &status);
602         if (!NT_STATUS_IS_OK(status)) {
603                 return status;
604         }
605
606         if (!sid_check_is_in_our_domain(&uinfo->sid)) {
607                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
608         }
609
610         become_root();
611         ret = lookup_sid(p->mem_ctx, &uinfo->sid, NULL, NULL, &sid_type);
612         unbecome_root();
613         if (ret == false) {
614                 return NT_STATUS_NO_SUCH_USER;
615         }
616
617         switch (sid_type) {
618                 case SID_NAME_USER:
619                         become_root();
620                         pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
621                                                &min_password_length);
622                         pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
623                                                &password_properties);
624                         unbecome_root();
625
626                         if (lp_check_password_script() && *lp_check_password_script()) {
627                                 password_properties |= DOMAIN_PASSWORD_COMPLEX;
628                         }
629
630                         break;
631                 default:
632                         break;
633         }
634
635         r->out.info->min_password_length = min_password_length;
636         r->out.info->password_properties = password_properties;
637
638         DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
639
640         return NT_STATUS_OK;
641 }
642
643 /*******************************************************************
644  _samr_SetSecurity
645  ********************************************************************/
646
647 NTSTATUS _samr_SetSecurity(pipes_struct *p,
648                            struct samr_SetSecurity *r)
649 {
650         struct samr_user_info *uinfo;
651         uint32 i;
652         SEC_ACL *dacl;
653         bool ret;
654         struct samu *sampass=NULL;
655         NTSTATUS status;
656
657         uinfo = policy_handle_find(p, r->in.handle,
658                                    SAMR_USER_ACCESS_SET_ATTRIBUTES, NULL,
659                                    struct samr_user_info, &status);
660         if (!NT_STATUS_IS_OK(status)) {
661                 return status;
662         }
663
664         if (!(sampass = samu_new( p->mem_ctx))) {
665                 DEBUG(0,("No memory!\n"));
666                 return NT_STATUS_NO_MEMORY;
667         }
668
669         /* get the user record */
670         become_root();
671         ret = pdb_getsampwsid(sampass, &uinfo->sid);
672         unbecome_root();
673
674         if (!ret) {
675                 DEBUG(4, ("User %s not found\n",
676                           sid_string_dbg(&uinfo->sid)));
677                 TALLOC_FREE(sampass);
678                 return NT_STATUS_INVALID_HANDLE;
679         }
680
681         dacl = r->in.sdbuf->sd->dacl;
682         for (i=0; i < dacl->num_aces; i++) {
683                 if (sid_equal(&uinfo->sid, &dacl->aces[i].trustee)) {
684                         ret = pdb_set_pass_can_change(sampass,
685                                 (dacl->aces[i].access_mask &
686                                  SAMR_USER_ACCESS_CHANGE_PASSWORD) ?
687                                                       True: False);
688                         break;
689                 }
690         }
691
692         if (!ret) {
693                 TALLOC_FREE(sampass);
694                 return NT_STATUS_ACCESS_DENIED;
695         }
696
697         become_root();
698         status = pdb_update_sam_account(sampass);
699         unbecome_root();
700
701         TALLOC_FREE(sampass);
702
703         return status;
704 }
705
706 /*******************************************************************
707   build correct perms based on policies and password times for _samr_query_sec_obj
708 *******************************************************************/
709 static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid)
710 {
711         struct samu *sampass=NULL;
712         bool ret;
713
714         if ( !(sampass = samu_new( mem_ctx )) ) {
715                 DEBUG(0,("No memory!\n"));
716                 return False;
717         }
718
719         become_root();
720         ret = pdb_getsampwsid(sampass, user_sid);
721         unbecome_root();
722
723         if (ret == False) {
724                 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
725                 TALLOC_FREE(sampass);
726                 return False;
727         }
728
729         DEBUG(3,("User:[%s]\n",  pdb_get_username(sampass) ));
730
731         if (pdb_get_pass_can_change(sampass)) {
732                 TALLOC_FREE(sampass);
733                 return True;
734         }
735         TALLOC_FREE(sampass);
736         return False;
737 }
738
739
740 /*******************************************************************
741  _samr_QuerySecurity
742  ********************************************************************/
743
744 NTSTATUS _samr_QuerySecurity(pipes_struct *p,
745                              struct samr_QuerySecurity *r)
746 {
747         struct samr_connect_info *cinfo;
748         struct samr_domain_info *dinfo;
749         struct samr_user_info *uinfo;
750         struct samr_group_info *ginfo;
751         struct samr_alias_info *ainfo;
752         NTSTATUS status;
753         SEC_DESC * psd = NULL;
754         size_t sd_size;
755
756         cinfo = policy_handle_find(p, r->in.handle,
757                                    STD_RIGHT_READ_CONTROL_ACCESS, NULL,
758                                    struct samr_connect_info, &status);
759         if (NT_STATUS_IS_OK(status)) {
760                 DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
761                 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size,
762                                              &sam_generic_mapping, NULL, 0);
763                 goto done;
764         }
765
766         dinfo = policy_handle_find(p, r->in.handle,
767                                    STD_RIGHT_READ_CONTROL_ACCESS, NULL,
768                                    struct samr_domain_info, &status);
769         if (NT_STATUS_IS_OK(status)) {
770                 DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
771                          "with SID: %s\n", sid_string_dbg(&dinfo->sid)));
772                 /*
773                  * TODO: Builtin probably needs a different SD with restricted
774                  * write access
775                  */
776                 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size,
777                                              &dom_generic_mapping, NULL, 0);
778                 goto done;
779         }
780
781         uinfo = policy_handle_find(p, r->in.handle,
782                                    STD_RIGHT_READ_CONTROL_ACCESS, NULL,
783                                    struct samr_user_info, &status);
784         if (NT_STATUS_IS_OK(status)) {
785                 DEBUG(10,("_samr_QuerySecurity: querying security on user "
786                           "Object with SID: %s\n",
787                           sid_string_dbg(&uinfo->sid)));
788                 if (check_change_pw_access(p->mem_ctx, &uinfo->sid)) {
789                         status = make_samr_object_sd(
790                                 p->mem_ctx, &psd, &sd_size,
791                                 &usr_generic_mapping,
792                                 &uinfo->sid, SAMR_USR_RIGHTS_WRITE_PW);
793                 } else {
794                         status = make_samr_object_sd(
795                                 p->mem_ctx, &psd, &sd_size,
796                                 &usr_nopwchange_generic_mapping,
797                                 &uinfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
798                 }
799                 goto done;
800         }
801
802         ginfo = policy_handle_find(p, r->in.handle,
803                                    STD_RIGHT_READ_CONTROL_ACCESS, NULL,
804                                    struct samr_group_info, &status);
805         if (NT_STATUS_IS_OK(status)) {
806                 /*
807                  * TODO: different SDs have to be generated for aliases groups
808                  * and users.  Currently all three get a default user SD
809                  */
810                 DEBUG(10,("_samr_QuerySecurity: querying security on group "
811                           "Object with SID: %s\n",
812                           sid_string_dbg(&ginfo->sid)));
813                 status = make_samr_object_sd(
814                         p->mem_ctx, &psd, &sd_size,
815                         &usr_nopwchange_generic_mapping,
816                         &ginfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
817                 goto done;
818         }
819
820         ainfo = policy_handle_find(p, r->in.handle,
821                                    STD_RIGHT_READ_CONTROL_ACCESS, NULL,
822                                    struct samr_alias_info, &status);
823         if (NT_STATUS_IS_OK(status)) {
824                 /*
825                  * TODO: different SDs have to be generated for aliases groups
826                  * and users.  Currently all three get a default user SD
827                  */
828                 DEBUG(10,("_samr_QuerySecurity: querying security on alias "
829                           "Object with SID: %s\n",
830                           sid_string_dbg(&ainfo->sid)));
831                 status = make_samr_object_sd(
832                         p->mem_ctx, &psd, &sd_size,
833                         &usr_nopwchange_generic_mapping,
834                         &ainfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
835                 goto done;
836         }
837
838         return NT_STATUS_OBJECT_TYPE_MISMATCH;
839 done:
840         if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
841                 return NT_STATUS_NO_MEMORY;
842
843         return status;
844 }
845
846 /*******************************************************************
847 makes a SAM_ENTRY / UNISTR2* structure from a user list.
848 ********************************************************************/
849
850 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx,
851                                          struct samr_SamEntry **sam_pp,
852                                          uint32_t num_entries,
853                                          uint32_t start_idx,
854                                          struct samr_displayentry *entries)
855 {
856         uint32_t i;
857         struct samr_SamEntry *sam;
858
859         *sam_pp = NULL;
860
861         if (num_entries == 0) {
862                 return NT_STATUS_OK;
863         }
864
865         sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_entries);
866         if (sam == NULL) {
867                 DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
868                 return NT_STATUS_NO_MEMORY;
869         }
870
871         for (i = 0; i < num_entries; i++) {
872 #if 0
873                 /*
874                  * usrmgr expects a non-NULL terminated string with
875                  * trust relationships
876                  */
877                 if (entries[i].acct_flags & ACB_DOMTRUST) {
878                         init_unistr2(&uni_temp_name, entries[i].account_name,
879                                      UNI_FLAGS_NONE);
880                 } else {
881                         init_unistr2(&uni_temp_name, entries[i].account_name,
882                                      UNI_STR_TERMINATE);
883                 }
884 #endif
885                 init_lsa_String(&sam[i].name, entries[i].account_name);
886                 sam[i].idx = entries[i].rid;
887         }
888
889         *sam_pp = sam;
890
891         return NT_STATUS_OK;
892 }
893
894 #define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
895
896 /*******************************************************************
897  _samr_EnumDomainUsers
898  ********************************************************************/
899
900 NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
901                                struct samr_EnumDomainUsers *r)
902 {
903         NTSTATUS status;
904         struct samr_domain_info *dinfo;
905         int num_account;
906         uint32 enum_context = *r->in.resume_handle;
907         enum remote_arch_types ra_type = get_remote_arch();
908         int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
909         uint32 max_entries = max_sam_entries;
910         struct samr_displayentry *entries = NULL;
911         struct samr_SamArray *samr_array = NULL;
912         struct samr_SamEntry *samr_entries = NULL;
913
914         DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
915
916         dinfo = policy_handle_find(p, r->in.domain_handle,
917                                    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
918                                    struct samr_domain_info, &status);
919         if (!NT_STATUS_IS_OK(status)) {
920                 return status;
921         }
922
923         if (sid_check_is_builtin(&dinfo->sid)) {
924                 /* No users in builtin. */
925                 *r->out.resume_handle = *r->in.resume_handle;
926                 DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
927                 return status;
928         }
929
930         samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
931         if (!samr_array) {
932                 return NT_STATUS_NO_MEMORY;
933         }
934         *r->out.sam = samr_array;
935
936         become_root();
937
938         /* AS ROOT !!!! */
939
940         if ((dinfo->disp_info->enum_users != NULL) &&
941             (dinfo->disp_info->enum_acb_mask != r->in.acct_flags)) {
942                 TALLOC_FREE(dinfo->disp_info->enum_users);
943         }
944
945         if (dinfo->disp_info->enum_users == NULL) {
946                 dinfo->disp_info->enum_users = pdb_search_users(
947                         dinfo->disp_info, r->in.acct_flags);
948                 dinfo->disp_info->enum_acb_mask = r->in.acct_flags;
949         }
950
951         if (dinfo->disp_info->enum_users == NULL) {
952                 /* END AS ROOT !!!! */
953                 unbecome_root();
954                 return NT_STATUS_ACCESS_DENIED;
955         }
956
957         num_account = pdb_search_entries(dinfo->disp_info->enum_users,
958                                          enum_context, max_entries,
959                                          &entries);
960
961         /* END AS ROOT !!!! */
962
963         unbecome_root();
964
965         if (num_account == 0) {
966                 DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
967                           "total entries\n"));
968                 *r->out.resume_handle = *r->in.resume_handle;
969                 return NT_STATUS_OK;
970         }
971
972         status = make_user_sam_entry_list(p->mem_ctx, &samr_entries,
973                                           num_account, enum_context,
974                                           entries);
975         if (!NT_STATUS_IS_OK(status)) {
976                 return status;
977         }
978
979         if (max_entries <= num_account) {
980                 status = STATUS_MORE_ENTRIES;
981         } else {
982                 status = NT_STATUS_OK;
983         }
984
985         /* Ensure we cache this enumeration. */
986         set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
987
988         DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__));
989
990         samr_array->count = num_account;
991         samr_array->entries = samr_entries;
992
993         *r->out.resume_handle = *r->in.resume_handle + num_account;
994         *r->out.num_entries = num_account;
995
996         DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
997
998         return status;
999 }
1000
1001 /*******************************************************************
1002 makes a SAM_ENTRY / UNISTR2* structure from a group list.
1003 ********************************************************************/
1004
1005 static void make_group_sam_entry_list(TALLOC_CTX *ctx,
1006                                       struct samr_SamEntry **sam_pp,
1007                                       uint32_t num_sam_entries,
1008                                       struct samr_displayentry *entries)
1009 {
1010         struct samr_SamEntry *sam;
1011         uint32_t i;
1012
1013         *sam_pp = NULL;
1014
1015         if (num_sam_entries == 0) {
1016                 return;
1017         }
1018
1019         sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_sam_entries);
1020         if (sam == NULL) {
1021                 return;
1022         }
1023
1024         for (i = 0; i < num_sam_entries; i++) {
1025                 /*
1026                  * JRA. I think this should include the null. TNG does not.
1027                  */
1028                 init_lsa_String(&sam[i].name, entries[i].account_name);
1029                 sam[i].idx = entries[i].rid;
1030         }
1031
1032         *sam_pp = sam;
1033 }
1034
1035 /*******************************************************************
1036  _samr_EnumDomainGroups
1037  ********************************************************************/
1038
1039 NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
1040                                 struct samr_EnumDomainGroups *r)
1041 {
1042         NTSTATUS status;
1043         struct samr_domain_info *dinfo;
1044         struct samr_displayentry *groups;
1045         uint32 num_groups;
1046         struct samr_SamArray *samr_array = NULL;
1047         struct samr_SamEntry *samr_entries = NULL;
1048
1049         dinfo = policy_handle_find(p, r->in.domain_handle,
1050                                    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
1051                                    struct samr_domain_info, &status);
1052         if (!NT_STATUS_IS_OK(status)) {
1053                 return status;
1054         }
1055
1056         DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1057
1058         if (sid_check_is_builtin(&dinfo->sid)) {
1059                 /* No groups in builtin. */
1060                 *r->out.resume_handle = *r->in.resume_handle;
1061                 DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
1062                 return status;
1063         }
1064
1065         samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1066         if (!samr_array) {
1067                 return NT_STATUS_NO_MEMORY;
1068         }
1069
1070         /* the domain group array is being allocated in the function below */
1071
1072         become_root();
1073
1074         if (dinfo->disp_info->groups == NULL) {
1075                 dinfo->disp_info->groups = pdb_search_groups(dinfo->disp_info);
1076
1077                 if (dinfo->disp_info->groups == NULL) {
1078                         unbecome_root();
1079                         return NT_STATUS_ACCESS_DENIED;
1080                 }
1081         }
1082
1083         num_groups = pdb_search_entries(dinfo->disp_info->groups,
1084                                         *r->in.resume_handle,
1085                                         MAX_SAM_ENTRIES, &groups);
1086         unbecome_root();
1087
1088         /* Ensure we cache this enumeration. */
1089         set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
1090
1091         make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1092                                   num_groups, groups);
1093
1094         samr_array->count = num_groups;
1095         samr_array->entries = samr_entries;
1096
1097         *r->out.sam = samr_array;
1098         *r->out.num_entries = num_groups;
1099         *r->out.resume_handle = num_groups + *r->in.resume_handle;
1100
1101         DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1102
1103         return status;
1104 }
1105
1106 /*******************************************************************
1107  _samr_EnumDomainAliases
1108  ********************************************************************/
1109
1110 NTSTATUS _samr_EnumDomainAliases(pipes_struct *p,
1111                                  struct samr_EnumDomainAliases *r)
1112 {
1113         NTSTATUS status;
1114         struct samr_domain_info *dinfo;
1115         struct samr_displayentry *aliases;
1116         uint32 num_aliases = 0;
1117         struct samr_SamArray *samr_array = NULL;
1118         struct samr_SamEntry *samr_entries = NULL;
1119
1120         dinfo = policy_handle_find(p, r->in.domain_handle,
1121                                    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
1122                                    struct samr_domain_info, &status);
1123         if (!NT_STATUS_IS_OK(status)) {
1124                 return status;
1125         }
1126
1127         DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1128                  sid_string_dbg(&dinfo->sid)));
1129
1130         samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1131         if (!samr_array) {
1132                 return NT_STATUS_NO_MEMORY;
1133         }
1134
1135         become_root();
1136
1137         if (dinfo->disp_info->aliases == NULL) {
1138                 dinfo->disp_info->aliases = pdb_search_aliases(
1139                         dinfo->disp_info, &dinfo->sid);
1140                 if (dinfo->disp_info->aliases == NULL) {
1141                         unbecome_root();
1142                         return NT_STATUS_ACCESS_DENIED;
1143                 }
1144         }
1145
1146         num_aliases = pdb_search_entries(dinfo->disp_info->aliases,
1147                                          *r->in.resume_handle,
1148                                          MAX_SAM_ENTRIES, &aliases);
1149         unbecome_root();
1150
1151         /* Ensure we cache this enumeration. */
1152         set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
1153
1154         make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1155                                   num_aliases, aliases);
1156
1157         DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
1158
1159         samr_array->count = num_aliases;
1160         samr_array->entries = samr_entries;
1161
1162         *r->out.sam = samr_array;
1163         *r->out.num_entries = num_aliases;
1164         *r->out.resume_handle = num_aliases + *r->in.resume_handle;
1165
1166         return status;
1167 }
1168
1169 /*******************************************************************
1170  inits a samr_DispInfoGeneral structure.
1171 ********************************************************************/
1172
1173 static NTSTATUS init_samr_dispinfo_1(TALLOC_CTX *ctx,
1174                                      struct samr_DispInfoGeneral *r,
1175                                      uint32_t num_entries,
1176                                      uint32_t start_idx,
1177                                      struct samr_displayentry *entries)
1178 {
1179         uint32 i;
1180
1181         DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries));
1182
1183         if (num_entries == 0) {
1184                 return NT_STATUS_OK;
1185         }
1186
1187         r->count = num_entries;
1188
1189         r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryGeneral, num_entries);
1190         if (!r->entries) {
1191                 return NT_STATUS_NO_MEMORY;
1192         }
1193
1194         for (i = 0; i < num_entries ; i++) {
1195
1196                 init_lsa_String(&r->entries[i].account_name,
1197                                 entries[i].account_name);
1198
1199                 init_lsa_String(&r->entries[i].description,
1200                                 entries[i].description);
1201
1202                 init_lsa_String(&r->entries[i].full_name,
1203                                 entries[i].fullname);
1204
1205                 r->entries[i].rid = entries[i].rid;
1206                 r->entries[i].acct_flags = entries[i].acct_flags;
1207                 r->entries[i].idx = start_idx+i+1;
1208         }
1209
1210         return NT_STATUS_OK;
1211 }
1212
1213 /*******************************************************************
1214  inits a samr_DispInfoFull structure.
1215 ********************************************************************/
1216
1217 static NTSTATUS init_samr_dispinfo_2(TALLOC_CTX *ctx,
1218                                      struct samr_DispInfoFull *r,
1219                                      uint32_t num_entries,
1220                                      uint32_t start_idx,
1221                                      struct samr_displayentry *entries)
1222 {
1223         uint32_t i;
1224
1225         DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries));
1226
1227         if (num_entries == 0) {
1228                 return NT_STATUS_OK;
1229         }
1230
1231         r->count = num_entries;
1232
1233         r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFull, num_entries);
1234         if (!r->entries) {
1235                 return NT_STATUS_NO_MEMORY;
1236         }
1237
1238         for (i = 0; i < num_entries ; i++) {
1239
1240                 init_lsa_String(&r->entries[i].account_name,
1241                                 entries[i].account_name);
1242
1243                 init_lsa_String(&r->entries[i].description,
1244                                 entries[i].description);
1245
1246                 r->entries[i].rid = entries[i].rid;
1247                 r->entries[i].acct_flags = entries[i].acct_flags;
1248                 r->entries[i].idx = start_idx+i+1;
1249         }
1250
1251         return NT_STATUS_OK;
1252 }
1253
1254 /*******************************************************************
1255  inits a samr_DispInfoFullGroups structure.
1256 ********************************************************************/
1257
1258 static NTSTATUS init_samr_dispinfo_3(TALLOC_CTX *ctx,
1259                                      struct samr_DispInfoFullGroups *r,
1260                                      uint32_t num_entries,
1261                                      uint32_t start_idx,
1262                                      struct samr_displayentry *entries)
1263 {
1264         uint32_t i;
1265
1266         DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries));
1267
1268         if (num_entries == 0) {
1269                 return NT_STATUS_OK;
1270         }
1271
1272         r->count = num_entries;
1273
1274         r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFullGroup, num_entries);
1275         if (!r->entries) {
1276                 return NT_STATUS_NO_MEMORY;
1277         }
1278
1279         for (i = 0; i < num_entries ; i++) {
1280
1281                 init_lsa_String(&r->entries[i].account_name,
1282                                 entries[i].account_name);
1283
1284                 init_lsa_String(&r->entries[i].description,
1285                                 entries[i].description);
1286
1287                 r->entries[i].rid = entries[i].rid;
1288                 r->entries[i].acct_flags = entries[i].acct_flags;
1289                 r->entries[i].idx = start_idx+i+1;
1290         }
1291
1292         return NT_STATUS_OK;
1293 }
1294
1295 /*******************************************************************
1296  inits a samr_DispInfoAscii structure.
1297 ********************************************************************/
1298
1299 static NTSTATUS init_samr_dispinfo_4(TALLOC_CTX *ctx,
1300                                      struct samr_DispInfoAscii *r,
1301                                      uint32_t num_entries,
1302                                      uint32_t start_idx,
1303                                      struct samr_displayentry *entries)
1304 {
1305         uint32_t i;
1306
1307         DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries));
1308
1309         if (num_entries == 0) {
1310                 return NT_STATUS_OK;
1311         }
1312
1313         r->count = num_entries;
1314
1315         r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1316         if (!r->entries) {
1317                 return NT_STATUS_NO_MEMORY;
1318         }
1319
1320         for (i = 0; i < num_entries ; i++) {
1321
1322                 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1323                                           entries[i].account_name);
1324
1325                 r->entries[i].idx = start_idx+i+1;
1326         }
1327
1328         return NT_STATUS_OK;
1329 }
1330
1331 /*******************************************************************
1332  inits a samr_DispInfoAscii structure.
1333 ********************************************************************/
1334
1335 static NTSTATUS init_samr_dispinfo_5(TALLOC_CTX *ctx,
1336                                      struct samr_DispInfoAscii *r,
1337                                      uint32_t num_entries,
1338                                      uint32_t start_idx,
1339                                      struct samr_displayentry *entries)
1340 {
1341         uint32_t i;
1342
1343         DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries));
1344
1345         if (num_entries == 0) {
1346                 return NT_STATUS_OK;
1347         }
1348
1349         r->count = num_entries;
1350
1351         r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1352         if (!r->entries) {
1353                 return NT_STATUS_NO_MEMORY;
1354         }
1355
1356         for (i = 0; i < num_entries ; i++) {
1357
1358                 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1359                                           entries[i].account_name);
1360
1361                 r->entries[i].idx = start_idx+i+1;
1362         }
1363
1364         return NT_STATUS_OK;
1365 }
1366
1367 /*******************************************************************
1368  _samr_QueryDisplayInfo
1369  ********************************************************************/
1370
1371 NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
1372                                 struct samr_QueryDisplayInfo *r)
1373 {
1374         NTSTATUS status;
1375         struct samr_domain_info *dinfo;
1376         uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1377
1378         uint32 max_entries = r->in.max_entries;
1379         uint32 enum_context = r->in.start_idx;
1380         uint32 max_size = r->in.buf_size;
1381
1382         union samr_DispInfo *disp_info = r->out.info;
1383
1384         uint32 temp_size=0, total_data_size=0;
1385         NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
1386         uint32 num_account = 0;
1387         enum remote_arch_types ra_type = get_remote_arch();
1388         int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1389         struct samr_displayentry *entries = NULL;
1390
1391         DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__));
1392
1393         dinfo = policy_handle_find(p, r->in.domain_handle,
1394                                    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
1395                                    struct samr_domain_info, &status);
1396         if (!NT_STATUS_IS_OK(status)) {
1397                 return status;
1398         }
1399
1400         /*
1401          * calculate how many entries we will return.
1402          * based on
1403          * - the number of entries the client asked
1404          * - our limit on that
1405          * - the starting point (enumeration context)
1406          * - the buffer size the client will accept
1407          */
1408
1409         /*
1410          * We are a lot more like W2K. Instead of reading the SAM
1411          * each time to find the records we need to send back,
1412          * we read it once and link that copy to the sam handle.
1413          * For large user list (over the MAX_SAM_ENTRIES)
1414          * it's a definitive win.
1415          * second point to notice: between enumerations
1416          * our sam is now the same as it's a snapshoot.
1417          * third point: got rid of the static SAM_USER_21 struct
1418          * no more intermediate.
1419          * con: it uses much more memory, as a full copy is stored
1420          * in memory.
1421          *
1422          * If you want to change it, think twice and think
1423          * of the second point , that's really important.
1424          *
1425          * JFM, 12/20/2001
1426          */
1427
1428         if ((r->in.level < 1) || (r->in.level > 5)) {
1429                 DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1430                          (unsigned int)r->in.level ));
1431                 return NT_STATUS_INVALID_INFO_CLASS;
1432         }
1433
1434         /* first limit the number of entries we will return */
1435         if(max_entries > max_sam_entries) {
1436                 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1437                           "entries, limiting to %d\n", max_entries,
1438                           max_sam_entries));
1439                 max_entries = max_sam_entries;
1440         }
1441
1442         /* calculate the size and limit on the number of entries we will
1443          * return */
1444
1445         temp_size=max_entries*struct_size;
1446
1447         if (temp_size>max_size) {
1448                 max_entries=MIN((max_size/struct_size),max_entries);;
1449                 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1450                           "only %d entries\n", max_entries));
1451         }
1452
1453         become_root();
1454
1455         /* THe following done as ROOT. Don't return without unbecome_root(). */
1456
1457         switch (r->in.level) {
1458         case 0x1:
1459         case 0x4:
1460                 if (dinfo->disp_info->users == NULL) {
1461                         dinfo->disp_info->users = pdb_search_users(
1462                                 dinfo->disp_info, ACB_NORMAL);
1463                         if (dinfo->disp_info->users == NULL) {
1464                                 unbecome_root();
1465                                 return NT_STATUS_ACCESS_DENIED;
1466                         }
1467                         DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1468                                 (unsigned  int)enum_context ));
1469                 } else {
1470                         DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1471                                 (unsigned  int)enum_context ));
1472                 }
1473
1474                 num_account = pdb_search_entries(dinfo->disp_info->users,
1475                                                  enum_context, max_entries,
1476                                                  &entries);
1477                 break;
1478         case 0x2:
1479                 if (dinfo->disp_info->machines == NULL) {
1480                         dinfo->disp_info->machines = pdb_search_users(
1481                                 dinfo->disp_info, ACB_WSTRUST|ACB_SVRTRUST);
1482                         if (dinfo->disp_info->machines == NULL) {
1483                                 unbecome_root();
1484                                 return NT_STATUS_ACCESS_DENIED;
1485                         }
1486                         DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1487                                 (unsigned  int)enum_context ));
1488                 } else {
1489                         DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1490                                 (unsigned  int)enum_context ));
1491                 }
1492
1493                 num_account = pdb_search_entries(dinfo->disp_info->machines,
1494                                                  enum_context, max_entries,
1495                                                  &entries);
1496                 break;
1497         case 0x3:
1498         case 0x5:
1499                 if (dinfo->disp_info->groups == NULL) {
1500                         dinfo->disp_info->groups = pdb_search_groups(
1501                                 dinfo->disp_info);
1502                         if (dinfo->disp_info->groups == NULL) {
1503                                 unbecome_root();
1504                                 return NT_STATUS_ACCESS_DENIED;
1505                         }
1506                         DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1507                                 (unsigned  int)enum_context ));
1508                 } else {
1509                         DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1510                                 (unsigned  int)enum_context ));
1511                 }
1512
1513                 num_account = pdb_search_entries(dinfo->disp_info->groups,
1514                                                  enum_context, max_entries,
1515                                                  &entries);
1516                 break;
1517         default:
1518                 unbecome_root();
1519                 smb_panic("info class changed");
1520                 break;
1521         }
1522         unbecome_root();
1523
1524
1525         /* Now create reply structure */
1526         switch (r->in.level) {
1527         case 0x1:
1528                 disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1,
1529                                                 num_account, enum_context,
1530                                                 entries);
1531                 break;
1532         case 0x2:
1533                 disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2,
1534                                                 num_account, enum_context,
1535                                                 entries);
1536                 break;
1537         case 0x3:
1538                 disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3,
1539                                                 num_account, enum_context,
1540                                                 entries);
1541                 break;
1542         case 0x4:
1543                 disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4,
1544                                                 num_account, enum_context,
1545                                                 entries);
1546                 break;
1547         case 0x5:
1548                 disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5,
1549                                                 num_account, enum_context,
1550                                                 entries);
1551                 break;
1552         default:
1553                 smb_panic("info class changed");
1554                 break;
1555         }
1556
1557         if (!NT_STATUS_IS_OK(disp_ret))
1558                 return disp_ret;
1559
1560         /* calculate the total size */
1561         total_data_size=num_account*struct_size;
1562
1563         if (max_entries <= num_account) {
1564                 status = STATUS_MORE_ENTRIES;
1565         } else {
1566                 status = NT_STATUS_OK;
1567         }
1568
1569         /* Ensure we cache this enumeration. */
1570         set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
1571
1572         DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__));
1573
1574         *r->out.total_size = total_data_size;
1575         *r->out.returned_size = temp_size;
1576
1577         return status;
1578 }
1579
1580 /****************************************************************
1581  _samr_QueryDisplayInfo2
1582 ****************************************************************/
1583
1584 NTSTATUS _samr_QueryDisplayInfo2(pipes_struct *p,
1585                                  struct samr_QueryDisplayInfo2 *r)
1586 {
1587         struct samr_QueryDisplayInfo q;
1588
1589         q.in.domain_handle      = r->in.domain_handle;
1590         q.in.level              = r->in.level;
1591         q.in.start_idx          = r->in.start_idx;
1592         q.in.max_entries        = r->in.max_entries;
1593         q.in.buf_size           = r->in.buf_size;
1594
1595         q.out.total_size        = r->out.total_size;
1596         q.out.returned_size     = r->out.returned_size;
1597         q.out.info              = r->out.info;
1598
1599         return _samr_QueryDisplayInfo(p, &q);
1600 }
1601
1602 /****************************************************************
1603  _samr_QueryDisplayInfo3
1604 ****************************************************************/
1605
1606 NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p,
1607                                  struct samr_QueryDisplayInfo3 *r)
1608 {
1609         struct samr_QueryDisplayInfo q;
1610
1611         q.in.domain_handle      = r->in.domain_handle;
1612         q.in.level              = r->in.level;
1613         q.in.start_idx          = r->in.start_idx;
1614         q.in.max_entries        = r->in.max_entries;
1615         q.in.buf_size           = r->in.buf_size;
1616
1617         q.out.total_size        = r->out.total_size;
1618         q.out.returned_size     = r->out.returned_size;
1619         q.out.info              = r->out.info;
1620
1621         return _samr_QueryDisplayInfo(p, &q);
1622 }
1623
1624 /*******************************************************************
1625  _samr_QueryAliasInfo
1626  ********************************************************************/
1627
1628 NTSTATUS _samr_QueryAliasInfo(pipes_struct *p,
1629                               struct samr_QueryAliasInfo *r)
1630 {
1631         struct samr_alias_info *ainfo;
1632         struct acct_info info;
1633         NTSTATUS status;
1634         union samr_AliasInfo *alias_info = NULL;
1635         const char *alias_name = NULL;
1636         const char *alias_description = NULL;
1637
1638         DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1639
1640         ainfo = policy_handle_find(p, r->in.alias_handle,
1641                                    SAMR_ALIAS_ACCESS_LOOKUP_INFO, NULL,
1642                                    struct samr_alias_info, &status);
1643         if (!NT_STATUS_IS_OK(status)) {
1644                 return status;
1645         }
1646
1647         alias_info = TALLOC_ZERO_P(p->mem_ctx, union samr_AliasInfo);
1648         if (!alias_info) {
1649                 return NT_STATUS_NO_MEMORY;
1650         }
1651
1652         become_root();
1653         status = pdb_get_aliasinfo(&ainfo->sid, &info);
1654         unbecome_root();
1655
1656         if ( !NT_STATUS_IS_OK(status))
1657                 return status;
1658
1659         /* FIXME: info contains fstrings */
1660         alias_name = talloc_strdup(r, info.acct_name);
1661         alias_description = talloc_strdup(r, info.acct_desc);
1662
1663         switch (r->in.level) {
1664         case ALIASINFOALL:
1665                 alias_info->all.name.string             = alias_name;
1666                 alias_info->all.num_members             = 1; /* ??? */
1667                 alias_info->all.description.string      = alias_description;
1668                 break;
1669         case ALIASINFODESCRIPTION:
1670                 alias_info->description.string          = alias_description;
1671                 break;
1672         default:
1673                 return NT_STATUS_INVALID_INFO_CLASS;
1674         }
1675
1676         *r->out.info = alias_info;
1677
1678         DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1679
1680         return NT_STATUS_OK;
1681 }
1682
1683 /*******************************************************************
1684  _samr_LookupNames
1685  ********************************************************************/
1686
1687 NTSTATUS _samr_LookupNames(pipes_struct *p,
1688                            struct samr_LookupNames *r)
1689 {
1690         struct samr_domain_info *dinfo;
1691         NTSTATUS status;
1692         uint32 *rid;
1693         enum lsa_SidType *type;
1694         int i;
1695         int num_rids = r->in.num_names;
1696         struct samr_Ids rids, types;
1697         uint32_t num_mapped = 0;
1698
1699         DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1700
1701         dinfo = policy_handle_find(p, r->in.domain_handle,
1702                                    0 /* Don't know the acc_bits yet */, NULL,
1703                                    struct samr_domain_info, &status);
1704         if (!NT_STATUS_IS_OK(status)) {
1705                 return status;
1706         }
1707
1708         if (num_rids > MAX_SAM_ENTRIES) {
1709                 num_rids = MAX_SAM_ENTRIES;
1710                 DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids));
1711         }
1712
1713         rid = talloc_array(p->mem_ctx, uint32, num_rids);
1714         NT_STATUS_HAVE_NO_MEMORY(rid);
1715
1716         type = talloc_array(p->mem_ctx, enum lsa_SidType, num_rids);
1717         NT_STATUS_HAVE_NO_MEMORY(type);
1718
1719         DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1720                  sid_string_dbg(&dinfo->sid)));
1721
1722         for (i = 0; i < num_rids; i++) {
1723
1724                 status = NT_STATUS_NONE_MAPPED;
1725                 type[i] = SID_NAME_UNKNOWN;
1726
1727                 rid[i] = 0xffffffff;
1728
1729                 if (sid_check_is_builtin(&dinfo->sid)) {
1730                         if (lookup_builtin_name(r->in.names[i].string,
1731                                                 &rid[i]))
1732                         {
1733                                 type[i] = SID_NAME_ALIAS;
1734                         }
1735                 } else {
1736                         lookup_global_sam_name(r->in.names[i].string, 0,
1737                                                &rid[i], &type[i]);
1738                 }
1739
1740                 if (type[i] != SID_NAME_UNKNOWN) {
1741                         num_mapped++;
1742                 }
1743         }
1744
1745         if (num_mapped == num_rids) {
1746                 status = NT_STATUS_OK;
1747         } else if (num_mapped == 0) {
1748                 status = NT_STATUS_NONE_MAPPED;
1749         } else {
1750                 status = STATUS_SOME_UNMAPPED;
1751         }
1752
1753         rids.count = num_rids;
1754         rids.ids = rid;
1755
1756         types.count = num_rids;
1757         types.ids = type;
1758
1759         *r->out.rids = rids;
1760         *r->out.types = types;
1761
1762         DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1763
1764         return status;
1765 }
1766
1767 /*******************************************************************
1768  _samr_ChangePasswordUser2
1769  ********************************************************************/
1770
1771 NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
1772                                    struct samr_ChangePasswordUser2 *r)
1773 {
1774         NTSTATUS status;
1775         fstring user_name;
1776         fstring wks;
1777
1778         DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1779
1780         fstrcpy(user_name, r->in.account->string);
1781         fstrcpy(wks, r->in.server->string);
1782
1783         DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
1784
1785         /*
1786          * Pass the user through the NT -> unix user mapping
1787          * function.
1788          */
1789
1790         (void)map_username(user_name);
1791
1792         /*
1793          * UNIX username case mangling not required, pass_oem_change
1794          * is case insensitive.
1795          */
1796
1797         status = pass_oem_change(user_name,
1798                                  r->in.lm_password->data,
1799                                  r->in.lm_verifier->hash,
1800                                  r->in.nt_password->data,
1801                                  r->in.nt_verifier->hash,
1802                                  NULL);
1803
1804         DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1805
1806         return status;
1807 }
1808
1809 /*******************************************************************
1810  _samr_ChangePasswordUser3
1811  ********************************************************************/
1812
1813 NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
1814                                    struct samr_ChangePasswordUser3 *r)
1815 {
1816         NTSTATUS status;
1817         fstring user_name;
1818         const char *wks = NULL;
1819         uint32 reject_reason;
1820         struct samr_DomInfo1 *dominfo = NULL;
1821         struct samr_ChangeReject *reject = NULL;
1822         uint32_t tmp;
1823
1824         DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
1825
1826         fstrcpy(user_name, r->in.account->string);
1827         if (r->in.server && r->in.server->string) {
1828                 wks = r->in.server->string;
1829         }
1830
1831         DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name, wks));
1832
1833         /*
1834          * Pass the user through the NT -> unix user mapping
1835          * function.
1836          */
1837
1838         (void)map_username(user_name);
1839
1840         /*
1841          * UNIX username case mangling not required, pass_oem_change
1842          * is case insensitive.
1843          */
1844
1845         status = pass_oem_change(user_name,
1846                                  r->in.lm_password->data,
1847                                  r->in.lm_verifier->hash,
1848                                  r->in.nt_password->data,
1849                                  r->in.nt_verifier->hash,
1850                                  &reject_reason);
1851
1852         if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) ||
1853             NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_RESTRICTION)) {
1854
1855                 time_t u_expire, u_min_age;
1856                 uint32 account_policy_temp;
1857
1858                 dominfo = TALLOC_ZERO_P(p->mem_ctx, struct samr_DomInfo1);
1859                 if (!dominfo) {
1860                         return NT_STATUS_NO_MEMORY;
1861                 }
1862
1863                 reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject);
1864                 if (!reject) {
1865                         return NT_STATUS_NO_MEMORY;
1866                 }
1867
1868                 become_root();
1869
1870                 /* AS ROOT !!! */
1871
1872                 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &tmp);
1873                 dominfo->min_password_length = tmp;
1874
1875                 pdb_get_account_policy(AP_PASSWORD_HISTORY, &tmp);
1876                 dominfo->password_history_length = tmp;
1877
1878                 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
1879                                        &dominfo->password_properties);
1880
1881                 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
1882                 u_expire = account_policy_temp;
1883
1884                 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
1885                 u_min_age = account_policy_temp;
1886
1887                 /* !AS ROOT */
1888
1889                 unbecome_root();
1890
1891                 unix_to_nt_time_abs((NTTIME *)&dominfo->max_password_age, u_expire);
1892                 unix_to_nt_time_abs((NTTIME *)&dominfo->min_password_age, u_min_age);
1893
1894                 if (lp_check_password_script() && *lp_check_password_script()) {
1895                         dominfo->password_properties |= DOMAIN_PASSWORD_COMPLEX;
1896                 }
1897
1898                 reject->reason = reject_reason;
1899
1900                 *r->out.dominfo = dominfo;
1901                 *r->out.reject = reject;
1902         }
1903
1904         DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
1905
1906         return status;
1907 }
1908
1909 /*******************************************************************
1910 makes a SAMR_R_LOOKUP_RIDS structure.
1911 ********************************************************************/
1912
1913 static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
1914                                   const char **names,
1915                                   struct lsa_String **lsa_name_array_p)
1916 {
1917         struct lsa_String *lsa_name_array = NULL;
1918         uint32_t i;
1919
1920         *lsa_name_array_p = NULL;
1921
1922         if (num_names != 0) {
1923                 lsa_name_array = TALLOC_ZERO_ARRAY(ctx, struct lsa_String, num_names);
1924                 if (!lsa_name_array) {
1925                         return false;
1926                 }
1927         }
1928
1929         for (i = 0; i < num_names; i++) {
1930                 DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : ""));
1931                 init_lsa_String(&lsa_name_array[i], names[i]);
1932         }
1933
1934         *lsa_name_array_p = lsa_name_array;
1935
1936         return true;
1937 }
1938
1939 /*******************************************************************
1940  _samr_LookupRids
1941  ********************************************************************/
1942
1943 NTSTATUS _samr_LookupRids(pipes_struct *p,
1944                           struct samr_LookupRids *r)
1945 {
1946         struct samr_domain_info *dinfo;
1947         NTSTATUS status;
1948         const char **names;
1949         enum lsa_SidType *attrs = NULL;
1950         uint32 *wire_attrs = NULL;
1951         int num_rids = (int)r->in.num_rids;
1952         int i;
1953         struct lsa_Strings names_array;
1954         struct samr_Ids types_array;
1955         struct lsa_String *lsa_names = NULL;
1956
1957         DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
1958
1959         dinfo = policy_handle_find(p, r->in.domain_handle,
1960                                    0 /* Don't know the acc_bits yet */, NULL,
1961                                    struct samr_domain_info, &status);
1962         if (!NT_STATUS_IS_OK(status)) {
1963                 return status;
1964         }
1965
1966         if (num_rids > 1000) {
1967                 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
1968                           "to samba4 idl this is not possible\n", num_rids));
1969                 return NT_STATUS_UNSUCCESSFUL;
1970         }
1971
1972         if (num_rids) {
1973                 names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
1974                 attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum lsa_SidType, num_rids);
1975                 wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
1976
1977                 if ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))
1978                         return NT_STATUS_NO_MEMORY;
1979         } else {
1980                 names = NULL;
1981                 attrs = NULL;
1982                 wire_attrs = NULL;
1983         }
1984
1985         become_root();  /* lookup_sid can require root privs */
1986         status = pdb_lookup_rids(&dinfo->sid, num_rids, r->in.rids,
1987                                  names, attrs);
1988         unbecome_root();
1989
1990         if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) && (num_rids == 0)) {
1991                 status = NT_STATUS_OK;
1992         }
1993
1994         if (!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
1995                                    &lsa_names)) {
1996                 return NT_STATUS_NO_MEMORY;
1997         }
1998
1999         /* Convert from enum lsa_SidType to uint32 for wire format. */
2000         for (i = 0; i < num_rids; i++) {
2001                 wire_attrs[i] = (uint32)attrs[i];
2002         }
2003
2004         names_array.count = num_rids;
2005         names_array.names = lsa_names;
2006
2007         types_array.count = num_rids;
2008         types_array.ids = wire_attrs;
2009
2010         *r->out.names = names_array;
2011         *r->out.types = types_array;
2012
2013         DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2014
2015         return status;
2016 }
2017
2018 /*******************************************************************
2019  _samr_OpenUser
2020 ********************************************************************/
2021
2022 NTSTATUS _samr_OpenUser(pipes_struct *p,
2023                         struct samr_OpenUser *r)
2024 {
2025         struct samu *sampass=NULL;
2026         DOM_SID sid;
2027         struct samr_domain_info *dinfo;
2028         struct samr_user_info *uinfo;
2029         SEC_DESC *psd = NULL;
2030         uint32    acc_granted;
2031         uint32    des_access = r->in.access_mask;
2032         size_t    sd_size;
2033         bool ret;
2034         NTSTATUS nt_status;
2035         SE_PRIV se_rights;
2036         NTSTATUS status;
2037
2038         dinfo = policy_handle_find(p, r->in.domain_handle,
2039                                    SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, NULL,
2040                                    struct samr_domain_info, &status);
2041         if (!NT_STATUS_IS_OK(status)) {
2042                 return status;
2043         }
2044
2045         if ( !(sampass = samu_new( p->mem_ctx )) ) {
2046                 return NT_STATUS_NO_MEMORY;
2047         }
2048
2049         /* append the user's RID to it */
2050
2051         if (!sid_compose(&sid, &dinfo->sid, r->in.rid))
2052                 return NT_STATUS_NO_SUCH_USER;
2053
2054         /* check if access can be granted as requested by client. */
2055
2056         map_max_allowed_access(p->server_info->ptok, &des_access);
2057
2058         make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
2059         se_map_generic(&des_access, &usr_generic_mapping);
2060
2061         se_priv_copy( &se_rights, &se_machine_account );
2062         se_priv_add( &se_rights, &se_add_users );
2063
2064         nt_status = access_check_samr_object(psd, p->server_info->ptok,
2065                 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
2066                 &acc_granted, "_samr_OpenUser");
2067
2068         if ( !NT_STATUS_IS_OK(nt_status) )
2069                 return nt_status;
2070
2071         become_root();
2072         ret=pdb_getsampwsid(sampass, &sid);
2073         unbecome_root();
2074
2075         /* check that the SID exists in our domain. */
2076         if (ret == False) {
2077                 return NT_STATUS_NO_SUCH_USER;
2078         }
2079
2080         TALLOC_FREE(sampass);
2081
2082         uinfo = policy_handle_create(p, r->out.user_handle, acc_granted,
2083                                      struct samr_user_info, &nt_status);
2084         if (!NT_STATUS_IS_OK(nt_status)) {
2085                 return nt_status;
2086         }
2087         uinfo->sid = sid;
2088
2089         return NT_STATUS_OK;
2090 }
2091
2092 /*************************************************************************
2093  *************************************************************************/
2094
2095 static NTSTATUS init_samr_parameters_string(TALLOC_CTX *mem_ctx,
2096                                             DATA_BLOB *blob,
2097                                             struct lsa_BinaryString **_r)
2098 {
2099         struct lsa_BinaryString *r;
2100
2101         if (!blob || !_r) {
2102                 return NT_STATUS_INVALID_PARAMETER;
2103         }
2104
2105         r = TALLOC_ZERO_P(mem_ctx, struct lsa_BinaryString);
2106         if (!r) {
2107                 return NT_STATUS_NO_MEMORY;
2108         }
2109
2110         r->array = TALLOC_ZERO_ARRAY(mem_ctx, uint16_t, blob->length/2);
2111         if (!r->array) {
2112                 return NT_STATUS_NO_MEMORY;
2113         }
2114         memcpy(r->array, blob->data, blob->length);
2115         r->size = blob->length;
2116         r->length = blob->length;
2117
2118         if (!r->array) {
2119                 return NT_STATUS_NO_MEMORY;
2120         }
2121
2122         *_r = r;
2123
2124         return NT_STATUS_OK;
2125 }
2126
2127 /*************************************************************************
2128  get_user_info_1.
2129  *************************************************************************/
2130
2131 static NTSTATUS get_user_info_1(TALLOC_CTX *mem_ctx,
2132                                 struct samr_UserInfo1 *r,
2133                                 struct samu *pw,
2134                                 DOM_SID *domain_sid)
2135 {
2136         const DOM_SID *sid_group;
2137         uint32_t primary_gid;
2138
2139         become_root();
2140         sid_group = pdb_get_group_sid(pw);
2141         unbecome_root();
2142
2143         if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2144                 DEBUG(0, ("get_user_info_1: User %s has Primary Group SID %s, \n"
2145                           "which conflicts with the domain sid %s.  Failing operation.\n",
2146                           pdb_get_username(pw), sid_string_dbg(sid_group),
2147                           sid_string_dbg(domain_sid)));
2148                 return NT_STATUS_UNSUCCESSFUL;
2149         }
2150
2151         r->account_name.string          = talloc_strdup(mem_ctx, pdb_get_username(pw));
2152         r->full_name.string             = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2153         r->primary_gid                  = primary_gid;
2154         r->description.string           = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2155         r->comment.string               = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2156
2157         return NT_STATUS_OK;
2158 }
2159
2160 /*************************************************************************
2161  get_user_info_2.
2162  *************************************************************************/
2163
2164 static NTSTATUS get_user_info_2(TALLOC_CTX *mem_ctx,
2165                                 struct samr_UserInfo2 *r,
2166                                 struct samu *pw)
2167 {
2168         r->comment.string               = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2169         r->unknown.string               = NULL;
2170         r->country_code                 = 0;
2171         r->code_page                    = 0;
2172
2173         return NT_STATUS_OK;
2174 }
2175
2176 /*************************************************************************
2177  get_user_info_3.
2178  *************************************************************************/
2179
2180 static NTSTATUS get_user_info_3(TALLOC_CTX *mem_ctx,
2181                                 struct samr_UserInfo3 *r,
2182                                 struct samu *pw,
2183                                 DOM_SID *domain_sid)
2184 {
2185         const DOM_SID *sid_user, *sid_group;
2186         uint32_t rid, primary_gid;
2187
2188         sid_user = pdb_get_user_sid(pw);
2189
2190         if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2191                 DEBUG(0, ("get_user_info_3: User %s has SID %s, \nwhich conflicts with "
2192                           "the domain sid %s.  Failing operation.\n",
2193                           pdb_get_username(pw), sid_string_dbg(sid_user),
2194                           sid_string_dbg(domain_sid)));
2195                 return NT_STATUS_UNSUCCESSFUL;
2196         }
2197
2198         become_root();
2199         sid_group = pdb_get_group_sid(pw);
2200         unbecome_root();
2201
2202         if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2203                 DEBUG(0, ("get_user_info_3: User %s has Primary Group SID %s, \n"
2204                           "which conflicts with the domain sid %s.  Failing operation.\n",
2205                           pdb_get_username(pw), sid_string_dbg(sid_group),
2206                           sid_string_dbg(domain_sid)));
2207                 return NT_STATUS_UNSUCCESSFUL;
2208         }
2209
2210         unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2211         unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2212         unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2213         unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw));
2214         unix_to_nt_time(&r->force_password_change, pdb_get_pass_must_change_time(pw));
2215
2216         r->account_name.string  = talloc_strdup(mem_ctx, pdb_get_username(pw));
2217         r->full_name.string     = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2218         r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2219         r->home_drive.string    = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2220         r->logon_script.string  = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2221         r->profile_path.string  = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2222         r->workstations.string  = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2223
2224         r->logon_hours          = get_logon_hours_from_pdb(mem_ctx, pw);
2225         r->rid                  = rid;
2226         r->primary_gid          = primary_gid;
2227         r->acct_flags           = pdb_get_acct_ctrl(pw);
2228         r->bad_password_count   = pdb_get_bad_password_count(pw);
2229         r->logon_count          = pdb_get_logon_count(pw);
2230
2231         return NT_STATUS_OK;
2232 }
2233
2234 /*************************************************************************
2235  get_user_info_4.
2236  *************************************************************************/
2237
2238 static NTSTATUS get_user_info_4(TALLOC_CTX *mem_ctx,
2239                                 struct samr_UserInfo4 *r,
2240                                 struct samu *pw)
2241 {
2242         r->logon_hours          = get_logon_hours_from_pdb(mem_ctx, pw);
2243
2244         return NT_STATUS_OK;
2245 }
2246
2247 /*************************************************************************
2248  get_user_info_5.
2249  *************************************************************************/
2250
2251 static NTSTATUS get_user_info_5(TALLOC_CTX *mem_ctx,
2252                                 struct samr_UserInfo5 *r,
2253                                 struct samu *pw,
2254                                 DOM_SID *domain_sid)
2255 {
2256         const DOM_SID *sid_user, *sid_group;
2257         uint32_t rid, primary_gid;
2258
2259         sid_user = pdb_get_user_sid(pw);
2260
2261         if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2262                 DEBUG(0, ("get_user_info_5: User %s has SID %s, \nwhich conflicts with "
2263                           "the domain sid %s.  Failing operation.\n",
2264                           pdb_get_username(pw), sid_string_dbg(sid_user),
2265                           sid_string_dbg(domain_sid)));
2266                 return NT_STATUS_UNSUCCESSFUL;
2267         }
2268
2269         become_root();
2270         sid_group = pdb_get_group_sid(pw);
2271         unbecome_root();
2272
2273         if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2274                 DEBUG(0, ("get_user_info_5: User %s has Primary Group SID %s, \n"
2275                           "which conflicts with the domain sid %s.  Failing operation.\n",
2276                           pdb_get_username(pw), sid_string_dbg(sid_group),
2277                           sid_string_dbg(domain_sid)));
2278                 return NT_STATUS_UNSUCCESSFUL;
2279         }
2280
2281         unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2282         unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2283         unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2284         unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2285
2286         r->account_name.string  = talloc_strdup(mem_ctx, pdb_get_username(pw));
2287         r->full_name.string     = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2288         r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2289         r->home_drive.string    = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2290         r->logon_script.string  = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2291         r->profile_path.string  = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2292         r->description.string   = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2293         r->workstations.string  = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2294
2295         r->logon_hours          = get_logon_hours_from_pdb(mem_ctx, pw);
2296         r->rid                  = rid;
2297         r->primary_gid          = primary_gid;
2298         r->acct_flags           = pdb_get_acct_ctrl(pw);
2299         r->bad_password_count   = pdb_get_bad_password_count(pw);
2300         r->logon_count          = pdb_get_logon_count(pw);
2301
2302         return NT_STATUS_OK;
2303 }
2304
2305 /*************************************************************************
2306  get_user_info_6.
2307  *************************************************************************/
2308
2309 static NTSTATUS get_user_info_6(TALLOC_CTX *mem_ctx,
2310                                 struct samr_UserInfo6 *r,
2311                                 struct samu *pw)
2312 {
2313         r->account_name.string  = talloc_strdup(mem_ctx, pdb_get_username(pw));
2314         r->full_name.string     = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2315
2316         return NT_STATUS_OK;
2317 }
2318
2319 /*************************************************************************
2320  get_user_info_7. Safe. Only gives out account_name.
2321  *************************************************************************/
2322
2323 static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx,
2324                                 struct samr_UserInfo7 *r,
2325                                 struct samu *smbpass)
2326 {
2327         r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(smbpass));
2328         if (!r->account_name.string) {
2329                 return NT_STATUS_NO_MEMORY;
2330         }
2331
2332         return NT_STATUS_OK;
2333 }
2334
2335 /*************************************************************************
2336  get_user_info_8.
2337  *************************************************************************/
2338
2339 static NTSTATUS get_user_info_8(TALLOC_CTX *mem_ctx,
2340                                 struct samr_UserInfo8 *r,
2341                                 struct samu *pw)
2342 {
2343         r->full_name.string     = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2344
2345         return NT_STATUS_OK;
2346 }
2347
2348 /*************************************************************************
2349  get_user_info_9. Only gives out primary group SID.
2350  *************************************************************************/
2351
2352 static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx,
2353                                 struct samr_UserInfo9 *r,
2354                                 struct samu *smbpass)
2355 {
2356         r->primary_gid = pdb_get_group_rid(smbpass);
2357
2358         return NT_STATUS_OK;
2359 }
2360
2361 /*************************************************************************
2362  get_user_info_10.
2363  *************************************************************************/
2364
2365 static NTSTATUS get_user_info_10(TALLOC_CTX *mem_ctx,
2366                                  struct samr_UserInfo10 *r,
2367                                  struct samu *pw)
2368 {
2369         r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2370         r->home_drive.string    = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2371
2372         return NT_STATUS_OK;
2373 }
2374
2375 /*************************************************************************
2376  get_user_info_11.
2377  *************************************************************************/
2378
2379 static NTSTATUS get_user_info_11(TALLOC_CTX *mem_ctx,
2380                                  struct samr_UserInfo11 *r,
2381                                  struct samu *pw)
2382 {
2383         r->logon_script.string  = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2384
2385         return NT_STATUS_OK;
2386 }
2387
2388 /*************************************************************************
2389  get_user_info_12.
2390  *************************************************************************/
2391
2392 static NTSTATUS get_user_info_12(TALLOC_CTX *mem_ctx,
2393                                  struct samr_UserInfo12 *r,
2394                                  struct samu *pw)
2395 {
2396         r->profile_path.string  = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2397
2398         return NT_STATUS_OK;
2399 }
2400
2401 /*************************************************************************
2402  get_user_info_13.
2403  *************************************************************************/
2404
2405 static NTSTATUS get_user_info_13(TALLOC_CTX *mem_ctx,
2406                                  struct samr_UserInfo13 *r,
2407                                  struct samu *pw)
2408 {
2409         r->description.string   = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2410
2411         return NT_STATUS_OK;
2412 }
2413
2414 /*************************************************************************
2415  get_user_info_14.
2416  *************************************************************************/
2417
2418 static NTSTATUS get_user_info_14(TALLOC_CTX *mem_ctx,
2419                                  struct samr_UserInfo14 *r,
2420                                  struct samu *pw)
2421 {
2422         r->workstations.string  = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2423
2424         return NT_STATUS_OK;
2425 }
2426
2427 /*************************************************************************
2428  get_user_info_16. Safe. Only gives out acb bits.
2429  *************************************************************************/
2430
2431 static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx,
2432                                  struct samr_UserInfo16 *r,
2433                                  struct samu *smbpass)
2434 {
2435         r->acct_flags = pdb_get_acct_ctrl(smbpass);
2436
2437         return NT_STATUS_OK;
2438 }
2439
2440 /*************************************************************************
2441  get_user_info_17.
2442  *************************************************************************/
2443
2444 static NTSTATUS get_user_info_17(TALLOC_CTX *mem_ctx,
2445                                  struct samr_UserInfo17 *r,
2446                                  struct samu *pw)
2447 {
2448         unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2449
2450         return NT_STATUS_OK;
2451 }
2452
2453 /*************************************************************************
2454  get_user_info_18. OK - this is the killer as it gives out password info.
2455  Ensure that this is only allowed on an encrypted connection with a root
2456  user. JRA.
2457  *************************************************************************/
2458
2459 static NTSTATUS get_user_info_18(pipes_struct *p,
2460                                  TALLOC_CTX *mem_ctx,
2461                                  struct samr_UserInfo18 *r,
2462                                  DOM_SID *user_sid)
2463 {
2464         struct samu *smbpass=NULL;
2465         bool ret;
2466
2467         ZERO_STRUCTP(r);
2468
2469         if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
2470                 return NT_STATUS_ACCESS_DENIED;
2471         }
2472
2473         if (p->auth.auth_level != PIPE_AUTH_LEVEL_PRIVACY) {
2474                 return NT_STATUS_ACCESS_DENIED;
2475         }
2476
2477         /*
2478          * Do *NOT* do become_root()/unbecome_root() here ! JRA.
2479          */
2480
2481         if ( !(smbpass = samu_new( mem_ctx )) ) {
2482                 return NT_STATUS_NO_MEMORY;
2483         }
2484
2485         ret = pdb_getsampwsid(smbpass, user_sid);
2486
2487         if (ret == False) {
2488                 DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid)));
2489                 TALLOC_FREE(smbpass);
2490                 return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
2491         }
2492
2493         DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
2494
2495         if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
2496                 TALLOC_FREE(smbpass);
2497                 return NT_STATUS_ACCOUNT_DISABLED;
2498         }
2499
2500         r->lm_pwd_active = true;
2501         r->nt_pwd_active = true;
2502         memcpy(r->lm_pwd.hash, pdb_get_lanman_passwd(smbpass), 16);
2503         memcpy(r->nt_pwd.hash, pdb_get_nt_passwd(smbpass), 16);
2504         r->password_expired = 0; /* FIXME */
2505
2506         TALLOC_FREE(smbpass);
2507
2508         return NT_STATUS_OK;
2509 }
2510
2511 /*************************************************************************
2512  get_user_info_20
2513  *************************************************************************/
2514
2515 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx,
2516                                  struct samr_UserInfo20 *r,
2517                                  struct samu *sampass)
2518 {
2519         const char *munged_dial = NULL;
2520         DATA_BLOB blob;
2521         NTSTATUS status;
2522         struct lsa_BinaryString *parameters = NULL;
2523
2524         ZERO_STRUCTP(r);
2525
2526         munged_dial = pdb_get_munged_dial(sampass);
2527
2528         DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass),
2529                 munged_dial, (int)strlen(munged_dial)));
2530
2531         if (munged_dial) {
2532                 blob = base64_decode_data_blob(munged_dial);
2533         } else {
2534                 blob = data_blob_string_const_null("");
2535         }
2536
2537         status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2538         data_blob_free(&blob);
2539         if (!NT_STATUS_IS_OK(status)) {
2540                 return status;
2541         }
2542
2543         r->parameters = *parameters;
2544
2545         return NT_STATUS_OK;
2546 }
2547
2548
2549 /*************************************************************************
2550  get_user_info_21
2551  *************************************************************************/
2552
2553 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx,
2554                                  struct samr_UserInfo21 *r,
2555                                  struct samu *pw,
2556                                  DOM_SID *domain_sid)
2557 {
2558         NTSTATUS status;
2559         const DOM_SID *sid_user, *sid_group;
2560         uint32_t rid, primary_gid;
2561         NTTIME force_password_change;
2562         time_t must_change_time;
2563         struct lsa_BinaryString *parameters = NULL;
2564         const char *munged_dial = NULL;
2565         DATA_BLOB blob;
2566
2567         ZERO_STRUCTP(r);
2568
2569         sid_user = pdb_get_user_sid(pw);
2570
2571         if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2572                 DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2573                           "the domain sid %s.  Failing operation.\n",
2574                           pdb_get_username(pw), sid_string_dbg(sid_user),
2575                           sid_string_dbg(domain_sid)));
2576                 return NT_STATUS_UNSUCCESSFUL;
2577         }
2578
2579         become_root();
2580         sid_group = pdb_get_group_sid(pw);
2581         unbecome_root();
2582
2583         if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2584                 DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2585                           "which conflicts with the domain sid %s.  Failing operation.\n",
2586                           pdb_get_username(pw), sid_string_dbg(sid_group),
2587                           sid_string_dbg(domain_sid)));
2588                 return NT_STATUS_UNSUCCESSFUL;
2589         }
2590
2591         unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2592         unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2593         unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2594         unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2595         unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw));
2596
2597         must_change_time = pdb_get_pass_must_change_time(pw);
2598         if (must_change_time == get_time_t_max()) {
2599                 unix_to_nt_time_abs(&force_password_change, must_change_time);
2600         } else {
2601                 unix_to_nt_time(&force_password_change, must_change_time);
2602         }
2603
2604         munged_dial = pdb_get_munged_dial(pw);
2605         if (munged_dial) {
2606                 blob = base64_decode_data_blob(munged_dial);
2607         } else {
2608                 blob = data_blob_string_const_null("");
2609         }
2610
2611         status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2612         data_blob_free(&blob);
2613         if (!NT_STATUS_IS_OK(status)) {
2614                 return status;
2615         }
2616
2617         r->force_password_change        = force_password_change;
2618
2619         r->account_name.string          = talloc_strdup(mem_ctx, pdb_get_username(pw));
2620         r->full_name.string             = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2621         r->home_directory.string        = talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2622         r->home_drive.string            = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2623         r->logon_script.string          = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2624         r->profile_path.string          = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2625         r->description.string           = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2626         r->workstations.string          = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2627         r->comment.string               = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2628
2629         r->logon_hours                  = get_logon_hours_from_pdb(mem_ctx, pw);
2630         r->parameters                   = *parameters;
2631         r->rid                          = rid;
2632         r->primary_gid                  = primary_gid;
2633         r->acct_flags                   = pdb_get_acct_ctrl(pw);
2634         r->bad_password_count           = pdb_get_bad_password_count(pw);
2635         r->logon_count                  = pdb_get_logon_count(pw);
2636         r->fields_present               = pdb_build_fields_present(pw);
2637         r->password_expired             = (pdb_get_pass_must_change_time(pw) == 0) ?
2638                                                 PASS_MUST_CHANGE_AT_NEXT_LOGON : 0;
2639         r->country_code                 = 0;
2640         r->code_page                    = 0;
2641         r->lm_password_set              = 0;
2642         r->nt_password_set              = 0;
2643
2644 #if 0
2645
2646         /*
2647           Look at a user on a real NT4 PDC with usrmgr, press
2648           'ok'. Then you will see that fields_present is set to
2649           0x08f827fa. Look at the user immediately after that again,
2650           and you will see that 0x00fffff is returned. This solves
2651           the problem that you get access denied after having looked
2652           at the user.
2653           -- Volker
2654         */
2655
2656 #endif
2657
2658
2659         return NT_STATUS_OK;
2660 }
2661
2662 /*******************************************************************
2663  _samr_QueryUserInfo
2664  ********************************************************************/
2665
2666 NTSTATUS _samr_QueryUserInfo(pipes_struct *p,
2667                              struct samr_QueryUserInfo *r)
2668 {
2669         NTSTATUS status;
2670         union samr_UserInfo *user_info = NULL;
2671         struct samr_user_info *uinfo;
2672         DOM_SID domain_sid;
2673         uint32 rid;
2674         bool ret = false;
2675         struct samu *pwd = NULL;
2676
2677         uinfo = policy_handle_find(p, r->in.user_handle,
2678                                    SAMR_USER_ACCESS_GET_ATTRIBUTES, NULL,
2679                                    struct samr_user_info, &status);
2680         if (!NT_STATUS_IS_OK(status)) {
2681                 return status;
2682         }
2683
2684         domain_sid = uinfo->sid;
2685
2686         sid_split_rid(&domain_sid, &rid);
2687
2688         if (!sid_check_is_in_our_domain(&uinfo->sid))
2689                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2690
2691         DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
2692                  sid_string_dbg(&uinfo->sid)));
2693
2694         user_info = TALLOC_ZERO_P(p->mem_ctx, union samr_UserInfo);
2695         if (!user_info) {
2696                 return NT_STATUS_NO_MEMORY;
2697         }
2698
2699         DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r->in.level));
2700
2701         if (!(pwd = samu_new(p->mem_ctx))) {
2702                 return NT_STATUS_NO_MEMORY;
2703         }
2704
2705         become_root();
2706         ret = pdb_getsampwsid(pwd, &uinfo->sid);
2707         unbecome_root();
2708
2709         if (ret == false) {
2710                 DEBUG(4,("User %s not found\n", sid_string_dbg(&uinfo->sid)));
2711                 TALLOC_FREE(pwd);
2712                 return NT_STATUS_NO_SUCH_USER;
2713         }
2714
2715         DEBUG(3,("User:[%s]\n", pdb_get_username(pwd)));
2716
2717         samr_clear_sam_passwd(pwd);
2718
2719         switch (r->in.level) {
2720         case 1:
2721                 status = get_user_info_1(p->mem_ctx, &user_info->info1, pwd, &domain_sid);
2722                 break;
2723         case 2:
2724                 status = get_user_info_2(p->mem_ctx, &user_info->info2, pwd);
2725                 break;
2726         case 3:
2727                 status = get_user_info_3(p->mem_ctx, &user_info->info3, pwd, &domain_sid);
2728                 break;
2729         case 4:
2730                 status = get_user_info_4(p->mem_ctx, &user_info->info4, pwd);
2731                 break;
2732         case 5:
2733                 status = get_user_info_5(p->mem_ctx, &user_info->info5, pwd, &domain_sid);
2734                 break;
2735         case 6:
2736                 status = get_user_info_6(p->mem_ctx, &user_info->info6, pwd);
2737                 break;
2738         case 7:
2739                 status = get_user_info_7(p->mem_ctx, &user_info->info7, pwd);
2740                 break;
2741         case 8:
2742                 status = get_user_info_8(p->mem_ctx, &user_info->info8, pwd);
2743                 break;
2744         case 9:
2745                 status = get_user_info_9(p->mem_ctx, &user_info->info9, pwd);
2746                 break;
2747         case 10:
2748                 status = get_user_info_10(p->mem_ctx, &user_info->info10, pwd);
2749                 break;
2750         case 11:
2751                 status = get_user_info_11(p->mem_ctx, &user_info->info11, pwd);
2752                 break;
2753         case 12:
2754                 status = get_user_info_12(p->mem_ctx, &user_info->info12, pwd);
2755                 break;
2756         case 13:
2757                 status = get_user_info_13(p->mem_ctx, &user_info->info13, pwd);
2758                 break;
2759         case 14:
2760                 status = get_user_info_14(p->mem_ctx, &user_info->info14, pwd);
2761                 break;
2762         case 16:
2763                 status = get_user_info_16(p->mem_ctx, &user_info->info16, pwd);
2764                 break;
2765         case 17:
2766                 status = get_user_info_17(p->mem_ctx, &user_info->info17, pwd);
2767                 break;
2768         case 18:
2769                 /* level 18 is special */
2770                 status = get_user_info_18(p, p->mem_ctx, &user_info->info18,
2771                                           &uinfo->sid);
2772                 break;
2773         case 20:
2774                 status = get_user_info_20(p->mem_ctx, &user_info->info20, pwd);
2775                 break;
2776         case 21:
2777                 status = get_user_info_21(p->mem_ctx, &user_info->info21, pwd, &domain_sid);
2778                 break;
2779         default:
2780                 status = NT_STATUS_INVALID_INFO_CLASS;
2781                 break;
2782         }
2783
2784         TALLOC_FREE(pwd);
2785
2786         *r->out.info = user_info;
2787
2788         DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__));
2789
2790         return status;
2791 }
2792
2793 /****************************************************************
2794 ****************************************************************/
2795
2796 NTSTATUS _samr_QueryUserInfo2(pipes_struct *p,
2797                               struct samr_QueryUserInfo2 *r)
2798 {
2799         struct samr_QueryUserInfo u;
2800
2801         u.in.user_handle        = r->in.user_handle;
2802         u.in.level              = r->in.level;
2803         u.out.info              = r->out.info;
2804
2805         return _samr_QueryUserInfo(p, &u);
2806 }
2807
2808 /*******************************************************************
2809  _samr_GetGroupsForUser
2810  ********************************************************************/
2811
2812 NTSTATUS _samr_GetGroupsForUser(pipes_struct *p,
2813                                 struct samr_GetGroupsForUser *r)
2814 {
2815         struct samr_user_info *uinfo;
2816         struct samu *sam_pass=NULL;
2817         DOM_SID *sids;
2818         struct samr_RidWithAttribute dom_gid;
2819         struct samr_RidWithAttribute *gids = NULL;
2820         uint32 primary_group_rid;
2821         size_t num_groups = 0;
2822         gid_t *unix_gids;
2823         size_t i, num_gids;
2824         bool ret;
2825         NTSTATUS result;
2826         bool success = False;
2827
2828         struct samr_RidWithAttributeArray *rids = NULL;
2829
2830         /*
2831          * from the SID in the request:
2832          * we should send back the list of DOMAIN GROUPS
2833          * the user is a member of
2834          *
2835          * and only the DOMAIN GROUPS
2836          * no ALIASES !!! neither aliases of the domain
2837          * nor aliases of the builtin SID
2838          *
2839          * JFM, 12/2/2001
2840          */
2841
2842         DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2843
2844         uinfo = policy_handle_find(p, r->in.user_handle,
2845                                    SAMR_USER_ACCESS_GET_GROUPS, NULL,
2846                                    struct samr_user_info, &result);
2847         if (!NT_STATUS_IS_OK(result)) {
2848                 return result;
2849         }
2850
2851         rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidWithAttributeArray);
2852         if (!rids) {
2853                 return NT_STATUS_NO_MEMORY;
2854         }
2855
2856         if (!sid_check_is_in_our_domain(&uinfo->sid))
2857                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2858
2859         if ( !(sam_pass = samu_new( p->mem_ctx )) ) {
2860                 return NT_STATUS_NO_MEMORY;
2861         }
2862
2863         become_root();
2864         ret = pdb_getsampwsid(sam_pass, &uinfo->sid);
2865         unbecome_root();
2866
2867         if (!ret) {
2868                 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
2869                            sid_string_dbg(&uinfo->sid)));
2870                 return NT_STATUS_NO_SUCH_USER;
2871         }
2872
2873         sids = NULL;
2874
2875         /* make both calls inside the root block */
2876         become_root();
2877         result = pdb_enum_group_memberships(p->mem_ctx, sam_pass,
2878                                             &sids, &unix_gids, &num_groups);
2879         if ( NT_STATUS_IS_OK(result) ) {
2880                 success = sid_peek_check_rid(get_global_sam_sid(),
2881                                              pdb_get_group_sid(sam_pass),
2882                                              &primary_group_rid);
2883         }
2884         unbecome_root();
2885
2886         if (!NT_STATUS_IS_OK(result)) {
2887                 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
2888                            sid_string_dbg(&uinfo->sid)));
2889                 return result;
2890         }
2891
2892         if ( !success ) {
2893                 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
2894                           sid_string_dbg(pdb_get_group_sid(sam_pass)),
2895                           pdb_get_username(sam_pass)));
2896                 TALLOC_FREE(sam_pass);
2897                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2898         }
2899
2900         gids = NULL;
2901         num_gids = 0;
2902
2903         dom_gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
2904                               SE_GROUP_ENABLED);
2905         dom_gid.rid = primary_group_rid;
2906         ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2907
2908         for (i=0; i<num_groups; i++) {
2909
2910                 if (!sid_peek_check_rid(get_global_sam_sid(),
2911                                         &(sids[i]), &dom_gid.rid)) {
2912                         DEBUG(10, ("Found sid %s not in our domain\n",
2913                                    sid_string_dbg(&sids[i])));
2914                         continue;
2915                 }
2916
2917                 if (dom_gid.rid == primary_group_rid) {
2918                         /* We added the primary group directly from the
2919                          * sam_account. The other SIDs are unique from
2920                          * enum_group_memberships */
2921                         continue;
2922                 }
2923
2924                 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2925         }
2926
2927         rids->count = num_gids;
2928         rids->rids = gids;
2929
2930         *r->out.rids = rids;
2931
2932         DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2933
2934         return result;
2935 }
2936
2937 /*******************************************************************
2938  _samr_QueryDomainInfo
2939  ********************************************************************/
2940
2941 NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
2942                                struct samr_QueryDomainInfo *r)
2943 {
2944         NTSTATUS status = NT_STATUS_OK;
2945         struct samr_domain_info *dinfo;
2946         union samr_DomainInfo *dom_info;
2947         time_t u_expire, u_min_age;
2948
2949         time_t u_lock_duration, u_reset_time;
2950         uint32_t u_logout;
2951
2952         uint32 account_policy_temp;
2953
2954         time_t seq_num;
2955         uint32 server_role;
2956
2957         DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
2958
2959         dinfo = policy_handle_find(p, r->in.domain_handle,
2960                                    SAMR_ACCESS_LOOKUP_DOMAIN, NULL,
2961                                    struct samr_domain_info, &status);
2962         if (!NT_STATUS_IS_OK(status)) {
2963                 return status;
2964         }
2965
2966         dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo);
2967         if (!dom_info) {
2968                 return NT_STATUS_NO_MEMORY;
2969         }
2970
2971         switch (r->in.level) {
2972                 case 0x01:
2973
2974                         become_root();
2975
2976                         /* AS ROOT !!! */
2977
2978                         pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
2979                                                &account_policy_temp);
2980                         dom_info->info1.min_password_length = account_policy_temp;
2981
2982                         pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
2983                         dom_info->info1.password_history_length = account_policy_temp;
2984
2985                         pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
2986                                 &dom_info->info1.password_properties);
2987
2988                         pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
2989                         u_expire = account_policy_temp;
2990
2991                         pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
2992                         u_min_age = account_policy_temp;
2993
2994                         /* !AS ROOT */
2995
2996                         unbecome_root();
2997
2998                         unix_to_nt_time_abs((NTTIME *)&dom_info->info1.max_password_age, u_expire);
2999                         unix_to_nt_time_abs((NTTIME *)&dom_info->info1.min_password_age, u_min_age);
3000
3001                         if (lp_check_password_script() && *lp_check_password_script()) {
3002                                 dom_info->info1.password_properties |= DOMAIN_PASSWORD_COMPLEX;
3003                         }
3004
3005                         break;
3006                 case 0x02:
3007
3008                         become_root();
3009
3010                         /* AS ROOT !!! */
3011
3012                         dom_info->general.num_users     = count_sam_users(
3013                                 dinfo->disp_info, ACB_NORMAL);
3014                         dom_info->general.num_groups    = count_sam_groups(
3015                                 dinfo->disp_info);
3016                         dom_info->general.num_aliases   = count_sam_aliases(
3017                                 dinfo->disp_info);
3018
3019                         pdb_get_account_policy(AP_TIME_TO_LOGOUT, &u_logout);
3020
3021                         unix_to_nt_time_abs(&dom_info->general.force_logoff_time, u_logout);
3022
3023                         if (!pdb_get_seq_num(&seq_num))
3024                                 seq_num = time(NULL);
3025
3026                         /* !AS ROOT */
3027
3028                         unbecome_root();
3029
3030                         server_role = ROLE_DOMAIN_PDC;
3031                         if (lp_server_role() == ROLE_DOMAIN_BDC)
3032                                 server_role = ROLE_DOMAIN_BDC;
3033
3034                         dom_info->general.oem_information.string        = lp_serverstring();
3035                         dom_info->general.domain_name.string            = lp_workgroup();
3036                         dom_info->general.primary.string                = global_myname();
3037                         dom_info->general.sequence_num                  = seq_num;
3038                         dom_info->general.domain_server_state           = DOMAIN_SERVER_ENABLED;
3039                         dom_info->general.role                          = server_role;
3040                         dom_info->general.unknown3                      = 1;
3041
3042                         break;
3043                 case 0x03:
3044
3045                         become_root();
3046
3047                         /* AS ROOT !!! */
3048
3049                         {
3050                                 uint32 ul;
3051                                 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &ul);
3052                                 u_logout = (time_t)ul;
3053                         }
3054
3055                         /* !AS ROOT */
3056
3057                         unbecome_root();
3058
3059                         unix_to_nt_time_abs(&dom_info->info3.force_logoff_time, u_logout);
3060
3061                         break;
3062                 case 0x04:
3063                         dom_info->oem.oem_information.string = lp_serverstring();
3064                         break;
3065                 case 0x05:
3066                         dom_info->info5.domain_name.string = get_global_sam_name();
3067                         break;
3068                 case 0x06:
3069                         /* NT returns its own name when a PDC. win2k and later
3070                          * only the name of the PDC if itself is a BDC (samba4
3071                          * idl) */
3072                         dom_info->info6.primary.string = global_myname();
3073                         break;
3074                 case 0x07:
3075                         server_role = ROLE_DOMAIN_PDC;
3076                         if (lp_server_role() == ROLE_DOMAIN_BDC)
3077                                 server_role = ROLE_DOMAIN_BDC;
3078
3079                         dom_info->info7.role = server_role;
3080                         break;
3081                 case 0x08:
3082
3083                         become_root();
3084
3085                         /* AS ROOT !!! */
3086
3087                         if (!pdb_get_seq_num(&seq_num)) {
3088                                 seq_num = time(NULL);
3089                         }
3090
3091                         /* !AS ROOT */
3092
3093                         unbecome_root();
3094
3095                         dom_info->info8.sequence_num = seq_num;
3096                         dom_info->info8.domain_create_time = 0;
3097
3098                         break;
3099                 case 0x0c:
3100
3101                         become_root();
3102
3103                         /* AS ROOT !!! */
3104
3105                         pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
3106                         u_lock_duration = account_policy_temp;
3107                         if (u_lock_duration != -1) {
3108                                 u_lock_duration *= 60;
3109                         }
3110
3111                         pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
3112                         u_reset_time = account_policy_temp * 60;
3113
3114                         pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT,
3115                                                &account_policy_temp);
3116                         dom_info->info12.lockout_threshold = account_policy_temp;
3117
3118                         /* !AS ROOT */
3119
3120                         unbecome_root();
3121
3122                         unix_to_nt_time_abs(&dom_info->info12.lockout_duration,
3123                                             u_lock_duration);
3124                         unix_to_nt_time_abs(&dom_info->info12.lockout_window,
3125                                             u_reset_time);
3126
3127                         break;
3128                 default:
3129                         return NT_STATUS_INVALID_INFO_CLASS;
3130         }
3131
3132         *r->out.info = dom_info;
3133
3134         DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
3135
3136         return status;
3137 }
3138
3139 /* W2k3 seems to use the same check for all 3 objects that can be created via
3140  * SAMR, if you try to create for example "Dialup" as an alias it says
3141  * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
3142  * database. */
3143
3144 static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name)
3145 {
3146         enum lsa_SidType type;
3147         bool result;
3148
3149         DEBUG(10, ("Checking whether [%s] can be created\n", new_name));
3150
3151         become_root();
3152         /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
3153          * whether the name already exists */
3154         result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_LOCAL,
3155                              NULL, NULL, NULL, &type);
3156         unbecome_root();
3157
3158         if (!result) {
3159                 DEBUG(10, ("%s does not exist, can create it\n", new_name));
3160                 return NT_STATUS_OK;
3161         }
3162
3163         DEBUG(5, ("trying to create %s, exists as %s\n",
3164                   new_name, sid_type_lookup(type)));
3165
3166         if (type == SID_NAME_DOM_GRP) {
3167                 return NT_STATUS_GROUP_EXISTS;
3168         }
3169         if (type == SID_NAME_ALIAS) {
3170                 return NT_STATUS_ALIAS_EXISTS;
3171         }
3172
3173         /* Yes, the default is NT_STATUS_USER_EXISTS */
3174         return NT_STATUS_USER_EXISTS;
3175 }
3176
3177 /*******************************************************************
3178  _samr_CreateUser2
3179  ********************************************************************/
3180
3181 NTSTATUS _samr_CreateUser2(pipes_struct *p,
3182                            struct samr_CreateUser2 *r)
3183 {
3184         const char *account = NULL;
3185         DOM_SID sid;
3186         uint32_t acb_info = r->in.acct_flags;
3187         struct samr_domain_info *dinfo;
3188         struct samr_user_info *uinfo;
3189         NTSTATUS nt_status;
3190         uint32 acc_granted;
3191         SEC_DESC *psd;
3192         size_t    sd_size;
3193         /* check this, when giving away 'add computer to domain' privs */
3194         uint32    des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
3195         bool can_add_account = False;
3196         SE_PRIV se_rights;
3197
3198         dinfo = policy_handle_find(p, r->in.domain_handle,
3199                                    SAMR_DOMAIN_ACCESS_CREATE_USER, NULL,
3200                                    struct samr_domain_info, &nt_status);
3201         if (!NT_STATUS_IS_OK(nt_status)) {
3202                 return nt_status;
3203         }
3204
3205         if (sid_check_is_builtin(&dinfo->sid)) {
3206                 DEBUG(5,("_samr_CreateUser2: Refusing user create in BUILTIN\n"));
3207                 return NT_STATUS_ACCESS_DENIED;
3208         }
3209
3210         if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST ||
3211               acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
3212                 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3213                    this parameter is not an account type */
3214                 return NT_STATUS_INVALID_PARAMETER;
3215         }
3216
3217         account = r->in.account_name->string;
3218         if (account == NULL) {
3219                 return