cef8c08c6403efe9290c81bccef4beba6b5254e8
[ira/wip.git] / source3 / rpc_server / srv_samr_nt.c
1 /*
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Copyright (C) Andrew Tridgell                   1992-1997,
5  *  Copyright (C) Luke Kenneth Casson Leighton      1996-1997,
6  *  Copyright (C) Paul Ashton                       1997,
7  *  Copyright (C) Marc Jacobsen                     1999,
8  *  Copyright (C) Jeremy Allison                    2001-2008,
9  *  Copyright (C) Jean Fran├žois Micouleau           1998-2001,
10  *  Copyright (C) Jim McDonough <jmcd@us.ibm.com>   2002,
11  *  Copyright (C) Gerald (Jerry) Carter             2003-2004,
12  *  Copyright (C) Simo Sorce                        2003.
13  *  Copyright (C) Volker Lendecke                   2005.
14  *  Copyright (C) Guenther Deschner                 2008.
15  *
16  *  This program is free software; you can redistribute it and/or modify
17  *  it under the terms of the GNU General Public License as published by
18  *  the Free Software Foundation; either version 3 of the License, or
19  *  (at your option) any later version.
20  *
21  *  This program is distributed in the hope that it will be useful,
22  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
23  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
24  *  GNU General Public License for more details.
25  *
26  *  You should have received a copy of the GNU General Public License
27  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
28  */
29
30 /*
31  * This is the implementation of the SAMR code.
32  */
33
34 #include "includes.h"
35 #include "../libcli/auth/libcli_auth.h"
36
37 #undef DBGC_CLASS
38 #define DBGC_CLASS DBGC_RPC_SRV
39
40 #define SAMR_USR_RIGHTS_WRITE_PW \
41                 ( READ_CONTROL_ACCESS           | \
42                   SAMR_USER_ACCESS_CHANGE_PASSWORD      | \
43                   SAMR_USER_ACCESS_SET_LOC_COM)
44 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
45                 ( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
46
47 #define DISP_INFO_CACHE_TIMEOUT 10
48
49 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
50 #define MAX_SAM_ENTRIES_W95 50
51
52 struct samr_connect_info {
53         uint8_t dummy;
54 };
55
56 struct samr_domain_info {
57         struct dom_sid sid;
58         struct disp_info *disp_info;
59 };
60
61 struct samr_user_info {
62         struct dom_sid sid;
63 };
64
65 struct samr_group_info {
66         struct dom_sid sid;
67 };
68
69 struct samr_alias_info {
70         struct dom_sid sid;
71 };
72
73 typedef struct disp_info {
74         DOM_SID sid; /* identify which domain this is. */
75         struct pdb_search *users; /* querydispinfo 1 and 4 */
76         struct pdb_search *machines; /* querydispinfo 2 */
77         struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
78         struct pdb_search *aliases; /* enumaliases */
79
80         uint16 enum_acb_mask;
81         struct pdb_search *enum_users; /* enumusers with a mask */
82
83         struct timed_event *cache_timeout_event; /* cache idle timeout
84                                                   * handler. */
85 } DISP_INFO;
86
87 static const struct generic_mapping sam_generic_mapping = {
88         GENERIC_RIGHTS_SAM_READ,
89         GENERIC_RIGHTS_SAM_WRITE,
90         GENERIC_RIGHTS_SAM_EXECUTE,
91         GENERIC_RIGHTS_SAM_ALL_ACCESS};
92 static const struct generic_mapping dom_generic_mapping = {
93         GENERIC_RIGHTS_DOMAIN_READ,
94         GENERIC_RIGHTS_DOMAIN_WRITE,
95         GENERIC_RIGHTS_DOMAIN_EXECUTE,
96         GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
97 static const struct generic_mapping usr_generic_mapping = {
98         GENERIC_RIGHTS_USER_READ,
99         GENERIC_RIGHTS_USER_WRITE,
100         GENERIC_RIGHTS_USER_EXECUTE,
101         GENERIC_RIGHTS_USER_ALL_ACCESS};
102 static const struct generic_mapping usr_nopwchange_generic_mapping = {
103         GENERIC_RIGHTS_USER_READ,
104         GENERIC_RIGHTS_USER_WRITE,
105         GENERIC_RIGHTS_USER_EXECUTE & ~SAMR_USER_ACCESS_CHANGE_PASSWORD,
106         GENERIC_RIGHTS_USER_ALL_ACCESS};
107 static const struct generic_mapping grp_generic_mapping = {
108         GENERIC_RIGHTS_GROUP_READ,
109         GENERIC_RIGHTS_GROUP_WRITE,
110         GENERIC_RIGHTS_GROUP_EXECUTE,
111         GENERIC_RIGHTS_GROUP_ALL_ACCESS};
112 static const struct generic_mapping ali_generic_mapping = {
113         GENERIC_RIGHTS_ALIAS_READ,
114         GENERIC_RIGHTS_ALIAS_WRITE,
115         GENERIC_RIGHTS_ALIAS_EXECUTE,
116         GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
117
118 /*******************************************************************
119 *******************************************************************/
120
121 static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size,
122                                      const struct generic_mapping *map,
123                                      DOM_SID *sid, uint32 sid_access )
124 {
125         DOM_SID domadmin_sid;
126         SEC_ACE ace[5];         /* at most 5 entries */
127         size_t i = 0;
128
129         SEC_ACL *psa = NULL;
130
131         /* basic access for Everyone */
132
133         init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
134                         map->generic_execute | map->generic_read, 0);
135
136         /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
137
138         init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
139                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
140         init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
141                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
142
143         /* Add Full Access for Domain Admins if we are a DC */
144
145         if ( IS_DC ) {
146                 sid_copy( &domadmin_sid, get_global_sam_sid() );
147                 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
148                 init_sec_ace(&ace[i++], &domadmin_sid,
149                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
150         }
151
152         /* if we have a sid, give it some special access */
153
154         if ( sid ) {
155                 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sid_access, 0);
156         }
157
158         /* create the security descriptor */
159
160         if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
161                 return NT_STATUS_NO_MEMORY;
162
163         if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
164                                   SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
165                                   psa, sd_size)) == NULL)
166                 return NT_STATUS_NO_MEMORY;
167
168         return NT_STATUS_OK;
169 }
170
171 /*******************************************************************
172  Checks if access to an object should be granted, and returns that
173  level of access for further checks.
174 ********************************************************************/
175
176 static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
177                                           SE_PRIV *rights, uint32 rights_mask,
178                                           uint32 des_access, uint32 *acc_granted,
179                                           const char *debug )
180 {
181         NTSTATUS status = NT_STATUS_ACCESS_DENIED;
182         uint32 saved_mask = 0;
183
184         /* check privileges; certain SAM access bits should be overridden
185            by privileges (mostly having to do with creating/modifying/deleting
186            users and groups) */
187
188         if ( rights && user_has_any_privilege( token, rights ) ) {
189
190                 saved_mask = (des_access & rights_mask);
191                 des_access &= ~saved_mask;
192
193                 DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
194                         rights_mask));
195         }
196
197
198         /* check the security descriptor first */
199
200         status = se_access_check(psd, token, des_access, acc_granted);
201         if (NT_STATUS_IS_OK(status)) {
202                 goto done;
203         }
204
205         /* give root a free pass */
206
207         if ( geteuid() == sec_initial_uid() ) {
208
209                 DEBUG(4,("%s: ACCESS should be DENIED  (requested: %#010x)\n", debug, des_access));
210                 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
211
212                 *acc_granted = des_access;
213
214                 status = NT_STATUS_OK;
215                 goto done;
216         }
217
218
219 done:
220         /* add in any bits saved during the privilege check (only
221            matters is status is ok) */
222
223         *acc_granted |= rights_mask;
224
225         DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
226                 debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
227                 des_access, *acc_granted));
228
229         return status;
230 }
231
232
233 /*******************************************************************
234  Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
235 ********************************************************************/
236
237 static void map_max_allowed_access(const NT_USER_TOKEN *token,
238                                         uint32_t *pacc_requested)
239 {
240         if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
241                 return;
242         }
243         *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
244
245         /* At least try for generic read. */
246         *pacc_requested = GENERIC_READ_ACCESS;
247
248         /* root gets anything. */
249         if (geteuid() == sec_initial_uid()) {
250                 *pacc_requested |= GENERIC_ALL_ACCESS;
251                 return;
252         }
253
254         /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
255
256         if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
257                         is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
258                 *pacc_requested |= GENERIC_ALL_ACCESS;
259                 return;
260         }
261
262         /* Full access for DOMAIN\Domain Admins. */
263         if ( IS_DC ) {
264                 DOM_SID domadmin_sid;
265                 sid_copy( &domadmin_sid, get_global_sam_sid() );
266                 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
267                 if (is_sid_in_token(token, &domadmin_sid)) {
268                         *pacc_requested |= GENERIC_ALL_ACCESS;
269                         return;
270                 }
271         }
272         /* TODO ! Check privileges. */
273 }
274
275 /*******************************************************************
276  Fetch or create a dispinfo struct.
277 ********************************************************************/
278
279 static DISP_INFO *get_samr_dispinfo_by_sid(const struct dom_sid *psid)
280 {
281         /*
282          * We do a static cache for DISP_INFO's here. Explanation can be found
283          * in Jeremy's checkin message to r11793:
284          *
285          * Fix the SAMR cache so it works across completely insane
286          * client behaviour (ie.:
287          * open pipe/open SAMR handle/enumerate 0 - 1024
288          * close SAMR handle, close pipe.
289          * open pipe/open SAMR handle/enumerate 1024 - 2048...
290          * close SAMR handle, close pipe.
291          * And on ad-nausium. Amazing.... probably object-oriented
292          * client side programming in action yet again.
293          * This change should *massively* improve performance when
294          * enumerating users from an LDAP database.
295          * Jeremy.
296          *
297          * "Our" and the builtin domain are the only ones where we ever
298          * enumerate stuff, so just cache 2 entries.
299          */
300
301         static struct disp_info *builtin_dispinfo;
302         static struct disp_info *domain_dispinfo;
303
304         /* There are two cases to consider here:
305            1) The SID is a domain SID and we look for an equality match, or
306            2) This is an account SID and so we return the DISP_INFO* for our
307               domain */
308
309         if (psid == NULL) {
310                 return NULL;
311         }
312
313         if (sid_check_is_builtin(psid) || sid_check_is_in_builtin(psid)) {
314                 /*
315                  * Necessary only once, but it does not really hurt.
316                  */
317                 if (builtin_dispinfo == NULL) {
318                         builtin_dispinfo = talloc_zero(
319                                 talloc_autofree_context(), struct disp_info);
320                         if (builtin_dispinfo == NULL) {
321                                 return NULL;
322                         }
323                 }
324                 sid_copy(&builtin_dispinfo->sid, &global_sid_Builtin);
325
326                 return builtin_dispinfo;
327         }
328
329         if (sid_check_is_domain(psid) || sid_check_is_in_our_domain(psid)) {
330                 /*
331                  * Necessary only once, but it does not really hurt.
332                  */
333                 if (domain_dispinfo == NULL) {
334                         domain_dispinfo = talloc_zero(
335                                 talloc_autofree_context(), struct disp_info);
336                         if (domain_dispinfo == NULL) {
337                                 return NULL;
338                         }
339                 }
340                 sid_copy(&domain_dispinfo->sid, get_global_sam_sid());
341
342                 return domain_dispinfo;
343         }
344
345         return NULL;
346 }
347
348 /*******************************************************************
349  Function to free the per SID data.
350  ********************************************************************/
351
352 static void free_samr_cache(DISP_INFO *disp_info)
353 {
354         DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
355                    sid_string_dbg(&disp_info->sid)));
356
357         /* We need to become root here because the paged search might have to
358          * tell the LDAP server we're not interested in the rest anymore. */
359
360         become_root();
361
362         TALLOC_FREE(disp_info->users);
363         TALLOC_FREE(disp_info->machines);
364         TALLOC_FREE(disp_info->groups);
365         TALLOC_FREE(disp_info->aliases);
366         TALLOC_FREE(disp_info->enum_users);
367
368         unbecome_root();
369 }
370
371 /*******************************************************************
372  Idle event handler. Throw away the disp info cache.
373  ********************************************************************/
374
375 static void disp_info_cache_idle_timeout_handler(struct event_context *ev_ctx,
376                                                  struct timed_event *te,
377                                                  struct timeval now,
378                                                  void *private_data)
379 {
380         DISP_INFO *disp_info = (DISP_INFO *)private_data;
381
382         TALLOC_FREE(disp_info->cache_timeout_event);
383
384         DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
385                    "out\n"));
386         free_samr_cache(disp_info);
387 }
388
389 /*******************************************************************
390  Setup cache removal idle event handler.
391  ********************************************************************/
392
393 static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow)
394 {
395         /* Remove any pending timeout and update. */
396
397         TALLOC_FREE(disp_info->cache_timeout_event);
398
399         DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
400                   "SID %s for %u seconds\n", sid_string_dbg(&disp_info->sid),
401                   (unsigned int)secs_fromnow ));
402
403         disp_info->cache_timeout_event = event_add_timed(
404                 smbd_event_context(), NULL,
405                 timeval_current_ofs(secs_fromnow, 0),
406                 disp_info_cache_idle_timeout_handler, (void *)disp_info);
407 }
408
409 /*******************************************************************
410  Force flush any cache. We do this on any samr_set_xxx call.
411  We must also remove the timeout handler.
412  ********************************************************************/
413
414 static void force_flush_samr_cache(const struct dom_sid *sid)
415 {
416         struct disp_info *disp_info = get_samr_dispinfo_by_sid(sid);
417
418         if ((disp_info == NULL) || (disp_info->cache_timeout_event == NULL)) {
419                 return;
420         }
421
422         DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
423         TALLOC_FREE(disp_info->cache_timeout_event);
424         free_samr_cache(disp_info);
425 }
426
427 /*******************************************************************
428  Ensure password info is never given out. Paranioa... JRA.
429  ********************************************************************/
430
431 static void samr_clear_sam_passwd(struct samu *sam_pass)
432 {
433
434         if (!sam_pass)
435                 return;
436
437         /* These now zero out the old password */
438
439         pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
440         pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
441 }
442
443 static uint32 count_sam_users(struct disp_info *info, uint32 acct_flags)
444 {
445         struct samr_displayentry *entry;
446
447         if (sid_check_is_builtin(&info->sid)) {
448                 /* No users in builtin. */
449                 return 0;
450         }
451
452         if (info->users == NULL) {
453                 info->users = pdb_search_users(info, acct_flags);
454                 if (info->users == NULL) {
455                         return 0;
456                 }
457         }
458         /* Fetch the last possible entry, thus trigger an enumeration */
459         pdb_search_entries(info->users, 0xffffffff, 1, &entry);
460
461         /* Ensure we cache this enumeration. */
462         set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
463
464         return info->users->num_entries;
465 }
466
467 static uint32 count_sam_groups(struct disp_info *info)
468 {
469         struct samr_displayentry *entry;
470
471         if (sid_check_is_builtin(&info->sid)) {
472                 /* No groups in builtin. */
473                 return 0;
474         }
475
476         if (info->groups == NULL) {
477                 info->groups = pdb_search_groups(info);
478                 if (info->groups == NULL) {
479                         return 0;
480                 }
481         }
482         /* Fetch the last possible entry, thus trigger an enumeration */
483         pdb_search_entries(info->groups, 0xffffffff, 1, &entry);
484
485         /* Ensure we cache this enumeration. */
486         set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
487
488         return info->groups->num_entries;
489 }
490
491 static uint32 count_sam_aliases(struct disp_info *info)
492 {
493         struct samr_displayentry *entry;
494
495         if (info->aliases == NULL) {
496                 info->aliases = pdb_search_aliases(info, &info->sid);
497                 if (info->aliases == NULL) {
498                         return 0;
499                 }
500         }
501         /* Fetch the last possible entry, thus trigger an enumeration */
502         pdb_search_entries(info->aliases, 0xffffffff, 1, &entry);
503
504         /* Ensure we cache this enumeration. */
505         set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
506
507         return info->aliases->num_entries;
508 }
509
510 /*******************************************************************
511  _samr_Close
512  ********************************************************************/
513
514 NTSTATUS _samr_Close(pipes_struct *p, struct samr_Close *r)
515 {
516         if (!close_policy_hnd(p, r->in.handle)) {
517                 return NT_STATUS_INVALID_HANDLE;
518         }
519
520         ZERO_STRUCTP(r->out.handle);
521
522         return NT_STATUS_OK;
523 }
524
525 /*******************************************************************
526  _samr_OpenDomain
527  ********************************************************************/
528
529 NTSTATUS _samr_OpenDomain(pipes_struct *p,
530                           struct samr_OpenDomain *r)
531 {
532         struct samr_connect_info *cinfo;
533         struct samr_domain_info *dinfo;
534         SEC_DESC *psd = NULL;
535         uint32    acc_granted;
536         uint32    des_access = r->in.access_mask;
537         NTSTATUS  status;
538         size_t    sd_size;
539         SE_PRIV se_rights;
540
541         /* find the connection policy handle. */
542
543         cinfo = policy_handle_find(p, r->in.connect_handle, 0, NULL,
544                                    struct samr_connect_info, &status);
545         if (!NT_STATUS_IS_OK(status)) {
546                 return status;
547         }
548
549         /*check if access can be granted as requested by client. */
550         map_max_allowed_access(p->server_info->ptok, &des_access);
551
552         make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
553         se_map_generic( &des_access, &dom_generic_mapping );
554
555         se_priv_copy( &se_rights, &se_machine_account );
556         se_priv_add( &se_rights, &se_add_users );
557
558         status = access_check_samr_object( psd, p->server_info->ptok,
559                 &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access,
560                 &acc_granted, "_samr_OpenDomain" );
561
562         if ( !NT_STATUS_IS_OK(status) )
563                 return status;
564
565         if (!sid_check_is_domain(r->in.sid) &&
566             !sid_check_is_builtin(r->in.sid)) {
567                 return NT_STATUS_NO_SUCH_DOMAIN;
568         }
569
570         dinfo = policy_handle_create(p, r->out.domain_handle, acc_granted,
571                                      struct samr_domain_info, &status);
572         if (!NT_STATUS_IS_OK(status)) {
573                 return status;
574         }
575         dinfo->sid = *r->in.sid;
576         dinfo->disp_info = get_samr_dispinfo_by_sid(r->in.sid);
577
578         DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__));
579
580         return NT_STATUS_OK;
581 }
582
583 /*******************************************************************
584  _samr_GetUserPwInfo
585  ********************************************************************/
586
587 NTSTATUS _samr_GetUserPwInfo(pipes_struct *p,
588                              struct samr_GetUserPwInfo *r)
589 {
590         struct samr_user_info *uinfo;
591         enum lsa_SidType sid_type;
592         uint32_t min_password_length = 0;
593         uint32_t password_properties = 0;
594         bool ret = false;
595         NTSTATUS status;
596
597         DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
598
599         uinfo = policy_handle_find(p, r->in.user_handle,
600                                    SAMR_USER_ACCESS_GET_ATTRIBUTES, NULL,
601                                    struct samr_user_info, &status);
602         if (!NT_STATUS_IS_OK(status)) {
603                 return status;
604         }
605
606         if (!sid_check_is_in_our_domain(&uinfo->sid)) {
607                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
608         }
609
610         become_root();
611         ret = lookup_sid(p->mem_ctx, &uinfo->sid, NULL, NULL, &sid_type);
612         unbecome_root();
613         if (ret == false) {
614                 return NT_STATUS_NO_SUCH_USER;
615         }
616
617         switch (sid_type) {
618                 case SID_NAME_USER:
619                         become_root();
620                         pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
621                                                &min_password_length);
622                         pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
623                                                &password_properties);
624                         unbecome_root();
625
626                         if (lp_check_password_script() && *lp_check_password_script()) {
627                                 password_properties |= DOMAIN_PASSWORD_COMPLEX;
628                         }
629
630                         break;
631                 default:
632                         break;
633         }
634
635         r->out.info->min_password_length = min_password_length;
636         r->out.info->password_properties = password_properties;
637
638         DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
639
640         return NT_STATUS_OK;
641 }
642
643 /*******************************************************************
644  _samr_SetSecurity
645  ********************************************************************/
646
647 NTSTATUS _samr_SetSecurity(pipes_struct *p,
648                            struct samr_SetSecurity *r)
649 {
650         struct samr_user_info *uinfo;
651         uint32 i;
652         SEC_ACL *dacl;
653         bool ret;
654         struct samu *sampass=NULL;
655         NTSTATUS status;
656
657         uinfo = policy_handle_find(p, r->in.handle,
658                                    SAMR_USER_ACCESS_SET_ATTRIBUTES, NULL,
659                                    struct samr_user_info, &status);
660         if (!NT_STATUS_IS_OK(status)) {
661                 return status;
662         }
663
664         if (!(sampass = samu_new( p->mem_ctx))) {
665                 DEBUG(0,("No memory!\n"));
666                 return NT_STATUS_NO_MEMORY;
667         }
668
669         /* get the user record */
670         become_root();
671         ret = pdb_getsampwsid(sampass, &uinfo->sid);
672         unbecome_root();
673
674         if (!ret) {
675                 DEBUG(4, ("User %s not found\n",
676                           sid_string_dbg(&uinfo->sid)));
677                 TALLOC_FREE(sampass);
678                 return NT_STATUS_INVALID_HANDLE;
679         }
680
681         dacl = r->in.sdbuf->sd->dacl;
682         for (i=0; i < dacl->num_aces; i++) {
683                 if (sid_equal(&uinfo->sid, &dacl->aces[i].trustee)) {
684                         ret = pdb_set_pass_can_change(sampass,
685                                 (dacl->aces[i].access_mask &
686                                  SAMR_USER_ACCESS_CHANGE_PASSWORD) ?
687                                                       True: False);
688                         break;
689                 }
690         }
691
692         if (!ret) {
693                 TALLOC_FREE(sampass);
694                 return NT_STATUS_ACCESS_DENIED;
695         }
696
697         become_root();
698         status = pdb_update_sam_account(sampass);
699         unbecome_root();
700
701         TALLOC_FREE(sampass);
702
703         return status;
704 }
705
706 /*******************************************************************
707   build correct perms based on policies and password times for _samr_query_sec_obj
708 *******************************************************************/
709 static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid)
710 {
711         struct samu *sampass=NULL;
712         bool ret;
713
714         if ( !(sampass = samu_new( mem_ctx )) ) {
715                 DEBUG(0,("No memory!\n"));
716                 return False;
717         }
718
719         become_root();
720         ret = pdb_getsampwsid(sampass, user_sid);
721         unbecome_root();
722
723         if (ret == False) {
724                 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
725                 TALLOC_FREE(sampass);
726                 return False;
727         }
728
729         DEBUG(3,("User:[%s]\n",  pdb_get_username(sampass) ));
730
731         if (pdb_get_pass_can_change(sampass)) {
732                 TALLOC_FREE(sampass);
733                 return True;
734         }
735         TALLOC_FREE(sampass);
736         return False;
737 }
738
739
740 /*******************************************************************
741  _samr_QuerySecurity
742  ********************************************************************/
743
744 NTSTATUS _samr_QuerySecurity(pipes_struct *p,
745                              struct samr_QuerySecurity *r)
746 {
747         struct samr_connect_info *cinfo;
748         struct samr_domain_info *dinfo;
749         struct samr_user_info *uinfo;
750         struct samr_group_info *ginfo;
751         struct samr_alias_info *ainfo;
752         NTSTATUS status;
753         SEC_DESC * psd = NULL;
754         size_t sd_size;
755
756         cinfo = policy_handle_find(p, r->in.handle,
757                                    STD_RIGHT_READ_CONTROL_ACCESS, NULL,
758                                    struct samr_connect_info, &status);
759         if (NT_STATUS_IS_OK(status)) {
760                 DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
761                 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size,
762                                              &sam_generic_mapping, NULL, 0);
763                 goto done;
764         }
765
766         dinfo = policy_handle_find(p, r->in.handle,
767                                    STD_RIGHT_READ_CONTROL_ACCESS, NULL,
768                                    struct samr_domain_info, &status);
769         if (NT_STATUS_IS_OK(status)) {
770                 DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
771                          "with SID: %s\n", sid_string_dbg(&dinfo->sid)));
772                 /*
773                  * TODO: Builtin probably needs a different SD with restricted
774                  * write access
775                  */
776                 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size,
777                                              &dom_generic_mapping, NULL, 0);
778                 goto done;
779         }
780
781         uinfo = policy_handle_find(p, r->in.handle,
782                                    STD_RIGHT_READ_CONTROL_ACCESS, NULL,
783                                    struct samr_user_info, &status);
784         if (NT_STATUS_IS_OK(status)) {
785                 DEBUG(10,("_samr_QuerySecurity: querying security on user "
786                           "Object with SID: %s\n",
787                           sid_string_dbg(&uinfo->sid)));
788                 if (check_change_pw_access(p->mem_ctx, &uinfo->sid)) {
789                         status = make_samr_object_sd(
790                                 p->mem_ctx, &psd, &sd_size,
791                                 &usr_generic_mapping,
792                                 &uinfo->sid, SAMR_USR_RIGHTS_WRITE_PW);
793                 } else {
794                         status = make_samr_object_sd(
795                                 p->mem_ctx, &psd, &sd_size,
796                                 &usr_nopwchange_generic_mapping,
797                                 &uinfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
798                 }
799                 goto done;
800         }
801
802         ginfo = policy_handle_find(p, r->in.handle,
803                                    STD_RIGHT_READ_CONTROL_ACCESS, NULL,
804                                    struct samr_group_info, &status);
805         if (NT_STATUS_IS_OK(status)) {
806                 /*
807                  * TODO: different SDs have to be generated for aliases groups
808                  * and users.  Currently all three get a default user SD
809                  */
810                 DEBUG(10,("_samr_QuerySecurity: querying security on group "
811                           "Object with SID: %s\n",
812                           sid_string_dbg(&ginfo->sid)));
813                 status = make_samr_object_sd(
814                         p->mem_ctx, &psd, &sd_size,
815                         &usr_nopwchange_generic_mapping,
816                         &ginfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
817                 goto done;
818         }
819
820         ainfo = policy_handle_find(p, r->in.handle,
821                                    STD_RIGHT_READ_CONTROL_ACCESS, NULL,
822                                    struct samr_alias_info, &status);
823         if (NT_STATUS_IS_OK(status)) {
824                 /*
825                  * TODO: different SDs have to be generated for aliases groups
826                  * and users.  Currently all three get a default user SD
827                  */
828                 DEBUG(10,("_samr_QuerySecurity: querying security on alias "
829                           "Object with SID: %s\n",
830                           sid_string_dbg(&ainfo->sid)));
831                 status = make_samr_object_sd(
832                         p->mem_ctx, &psd, &sd_size,
833                         &usr_nopwchange_generic_mapping,
834                         &ainfo->sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
835                 goto done;
836         }
837
838         return NT_STATUS_OBJECT_TYPE_MISMATCH;
839 done:
840         if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
841                 return NT_STATUS_NO_MEMORY;
842
843         return status;
844 }
845
846 /*******************************************************************
847 makes a SAM_ENTRY / UNISTR2* structure from a user list.
848 ********************************************************************/
849
850 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx,
851                                          struct samr_SamEntry **sam_pp,
852                                          uint32_t num_entries,
853                                          uint32_t start_idx,
854                                          struct samr_displayentry *entries)
855 {
856         uint32_t i;
857         struct samr_SamEntry *sam;
858
859         *sam_pp = NULL;
860
861         if (num_entries == 0) {
862                 return NT_STATUS_OK;
863         }
864
865         sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_entries);
866         if (sam == NULL) {
867                 DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
868                 return NT_STATUS_NO_MEMORY;
869         }
870
871         for (i = 0; i < num_entries; i++) {
872 #if 0
873                 /*
874                  * usrmgr expects a non-NULL terminated string with
875                  * trust relationships
876                  */
877                 if (entries[i].acct_flags & ACB_DOMTRUST) {
878                         init_unistr2(&uni_temp_name, entries[i].account_name,
879                                      UNI_FLAGS_NONE);
880                 } else {
881                         init_unistr2(&uni_temp_name, entries[i].account_name,
882                                      UNI_STR_TERMINATE);
883                 }
884 #endif
885                 init_lsa_String(&sam[i].name, entries[i].account_name);
886                 sam[i].idx = entries[i].rid;
887         }
888
889         *sam_pp = sam;
890
891         return NT_STATUS_OK;
892 }
893
894 #define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
895
896 /*******************************************************************
897  _samr_EnumDomainUsers
898  ********************************************************************/
899
900 NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
901                                struct samr_EnumDomainUsers *r)
902 {
903         NTSTATUS status;
904         struct samr_domain_info *dinfo;
905         int num_account;
906         uint32 enum_context = *r->in.resume_handle;
907         enum remote_arch_types ra_type = get_remote_arch();
908         int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
909         uint32 max_entries = max_sam_entries;
910         struct samr_displayentry *entries = NULL;
911         struct samr_SamArray *samr_array = NULL;
912         struct samr_SamEntry *samr_entries = NULL;
913
914         DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
915
916         dinfo = policy_handle_find(p, r->in.domain_handle,
917                                    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
918                                    struct samr_domain_info, &status);
919         if (!NT_STATUS_IS_OK(status)) {
920                 return status;
921         }
922
923         if (sid_check_is_builtin(&dinfo->sid)) {
924                 /* No users in builtin. */
925                 *r->out.resume_handle = *r->in.resume_handle;
926                 DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
927                 return status;
928         }
929
930         samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
931         if (!samr_array) {
932                 return NT_STATUS_NO_MEMORY;
933         }
934         *r->out.sam = samr_array;
935
936         become_root();
937
938         /* AS ROOT !!!! */
939
940         if ((dinfo->disp_info->enum_users != NULL) &&
941             (dinfo->disp_info->enum_acb_mask != r->in.acct_flags)) {
942                 TALLOC_FREE(dinfo->disp_info->enum_users);
943         }
944
945         if (dinfo->disp_info->enum_users == NULL) {
946                 dinfo->disp_info->enum_users = pdb_search_users(
947                         dinfo->disp_info, r->in.acct_flags);
948                 dinfo->disp_info->enum_acb_mask = r->in.acct_flags;
949         }
950
951         if (dinfo->disp_info->enum_users == NULL) {
952                 /* END AS ROOT !!!! */
953                 unbecome_root();
954                 return NT_STATUS_ACCESS_DENIED;
955         }
956
957         num_account = pdb_search_entries(dinfo->disp_info->enum_users,
958                                          enum_context, max_entries,
959                                          &entries);
960
961         /* END AS ROOT !!!! */
962
963         unbecome_root();
964
965         if (num_account == 0) {
966                 DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
967                           "total entries\n"));
968                 *r->out.resume_handle = *r->in.resume_handle;
969                 return NT_STATUS_OK;
970         }
971
972         status = make_user_sam_entry_list(p->mem_ctx, &samr_entries,
973                                           num_account, enum_context,
974                                           entries);
975         if (!NT_STATUS_IS_OK(status)) {
976                 return status;
977         }
978
979         if (max_entries <= num_account) {
980                 status = STATUS_MORE_ENTRIES;
981         } else {
982                 status = NT_STATUS_OK;
983         }
984
985         /* Ensure we cache this enumeration. */
986         set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
987
988         DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__));
989
990         samr_array->count = num_account;
991         samr_array->entries = samr_entries;
992
993         *r->out.resume_handle = *r->in.resume_handle + num_account;
994         *r->out.num_entries = num_account;
995
996         DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
997
998         return status;
999 }
1000
1001 /*******************************************************************
1002 makes a SAM_ENTRY / UNISTR2* structure from a group list.
1003 ********************************************************************/
1004
1005 static void make_group_sam_entry_list(TALLOC_CTX *ctx,
1006                                       struct samr_SamEntry **sam_pp,
1007                                       uint32_t num_sam_entries,
1008                                       struct samr_displayentry *entries)
1009 {
1010         struct samr_SamEntry *sam;
1011         uint32_t i;
1012
1013         *sam_pp = NULL;
1014
1015         if (num_sam_entries == 0) {
1016                 return;
1017         }
1018
1019         sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_sam_entries);
1020         if (sam == NULL) {
1021                 return;
1022         }
1023
1024         for (i = 0; i < num_sam_entries; i++) {
1025                 /*
1026                  * JRA. I think this should include the null. TNG does not.
1027                  */
1028                 init_lsa_String(&sam[i].name, entries[i].account_name);
1029                 sam[i].idx = entries[i].rid;
1030         }
1031
1032         *sam_pp = sam;
1033 }
1034
1035 /*******************************************************************
1036  _samr_EnumDomainGroups
1037  ********************************************************************/
1038
1039 NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
1040                                 struct samr_EnumDomainGroups *r)
1041 {
1042         NTSTATUS status;
1043         struct samr_domain_info *dinfo;
1044         struct samr_displayentry *groups;
1045         uint32 num_groups;
1046         struct samr_SamArray *samr_array = NULL;
1047         struct samr_SamEntry *samr_entries = NULL;
1048
1049         dinfo = policy_handle_find(p, r->in.domain_handle,
1050                                    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
1051                                    struct samr_domain_info, &status);
1052         if (!NT_STATUS_IS_OK(status)) {
1053                 return status;
1054         }
1055
1056         DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1057
1058         if (sid_check_is_builtin(&dinfo->sid)) {
1059                 /* No groups in builtin. */
1060                 *r->out.resume_handle = *r->in.resume_handle;
1061                 DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
1062                 return status;
1063         }
1064
1065         samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1066         if (!samr_array) {
1067                 return NT_STATUS_NO_MEMORY;
1068         }
1069
1070         /* the domain group array is being allocated in the function below */
1071
1072         become_root();
1073
1074         if (dinfo->disp_info->groups == NULL) {
1075                 dinfo->disp_info->groups = pdb_search_groups(dinfo->disp_info);
1076
1077                 if (dinfo->disp_info->groups == NULL) {
1078                         unbecome_root();
1079                         return NT_STATUS_ACCESS_DENIED;
1080                 }
1081         }
1082
1083         num_groups = pdb_search_entries(dinfo->disp_info->groups,
1084                                         *r->in.resume_handle,
1085                                         MAX_SAM_ENTRIES, &groups);
1086         unbecome_root();
1087
1088         /* Ensure we cache this enumeration. */
1089         set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
1090
1091         make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1092                                   num_groups, groups);
1093
1094         samr_array->count = num_groups;
1095         samr_array->entries = samr_entries;
1096
1097         *r->out.sam = samr_array;
1098         *r->out.num_entries = num_groups;
1099         *r->out.resume_handle = num_groups + *r->in.resume_handle;
1100
1101         DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1102
1103         return status;
1104 }
1105
1106 /*******************************************************************
1107  _samr_EnumDomainAliases
1108  ********************************************************************/
1109
1110 NTSTATUS _samr_EnumDomainAliases(pipes_struct *p,
1111                                  struct samr_EnumDomainAliases *r)
1112 {
1113         NTSTATUS status;
1114         struct samr_domain_info *dinfo;
1115         struct samr_displayentry *aliases;
1116         uint32 num_aliases = 0;
1117         struct samr_SamArray *samr_array = NULL;
1118         struct samr_SamEntry *samr_entries = NULL;
1119
1120         dinfo = policy_handle_find(p, r->in.domain_handle,
1121                                    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
1122                                    struct samr_domain_info, &status);
1123         if (!NT_STATUS_IS_OK(status)) {
1124                 return status;
1125         }
1126
1127         DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1128                  sid_string_dbg(&dinfo->sid)));
1129
1130         samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1131         if (!samr_array) {
1132                 return NT_STATUS_NO_MEMORY;
1133         }
1134
1135         become_root();
1136
1137         if (dinfo->disp_info->aliases == NULL) {
1138                 dinfo->disp_info->aliases = pdb_search_aliases(
1139                         dinfo->disp_info, &dinfo->sid);
1140                 if (dinfo->disp_info->aliases == NULL) {
1141                         unbecome_root();
1142                         return NT_STATUS_ACCESS_DENIED;
1143                 }
1144         }
1145
1146         num_aliases = pdb_search_entries(dinfo->disp_info->aliases,
1147                                          *r->in.resume_handle,
1148                                          MAX_SAM_ENTRIES, &aliases);
1149         unbecome_root();
1150
1151         /* Ensure we cache this enumeration. */
1152         set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
1153
1154         make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1155                                   num_aliases, aliases);
1156
1157         DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
1158
1159         samr_array->count = num_aliases;
1160         samr_array->entries = samr_entries;
1161
1162         *r->out.sam = samr_array;
1163         *r->out.num_entries = num_aliases;
1164         *r->out.resume_handle = num_aliases + *r->in.resume_handle;
1165
1166         return status;
1167 }
1168
1169 /*******************************************************************
1170  inits a samr_DispInfoGeneral structure.
1171 ********************************************************************/
1172
1173 static NTSTATUS init_samr_dispinfo_1(TALLOC_CTX *ctx,
1174                                      struct samr_DispInfoGeneral *r,
1175                                      uint32_t num_entries,
1176                                      uint32_t start_idx,
1177                                      struct samr_displayentry *entries)
1178 {
1179         uint32 i;
1180
1181         DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries));
1182
1183         if (num_entries == 0) {
1184                 return NT_STATUS_OK;
1185         }
1186
1187         r->count = num_entries;
1188
1189         r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryGeneral, num_entries);
1190         if (!r->entries) {
1191                 return NT_STATUS_NO_MEMORY;
1192         }
1193
1194         for (i = 0; i < num_entries ; i++) {
1195
1196                 init_lsa_String(&r->entries[i].account_name,
1197                                 entries[i].account_name);
1198
1199                 init_lsa_String(&r->entries[i].description,
1200                                 entries[i].description);
1201
1202                 init_lsa_String(&r->entries[i].full_name,
1203                                 entries[i].fullname);
1204
1205                 r->entries[i].rid = entries[i].rid;
1206                 r->entries[i].acct_flags = entries[i].acct_flags;
1207                 r->entries[i].idx = start_idx+i+1;
1208         }
1209
1210         return NT_STATUS_OK;
1211 }
1212
1213 /*******************************************************************
1214  inits a samr_DispInfoFull structure.
1215 ********************************************************************/
1216
1217 static NTSTATUS init_samr_dispinfo_2(TALLOC_CTX *ctx,
1218                                      struct samr_DispInfoFull *r,
1219                                      uint32_t num_entries,
1220                                      uint32_t start_idx,
1221                                      struct samr_displayentry *entries)
1222 {
1223         uint32_t i;
1224
1225         DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries));
1226
1227         if (num_entries == 0) {
1228                 return NT_STATUS_OK;
1229         }
1230
1231         r->count = num_entries;
1232
1233         r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFull, num_entries);
1234         if (!r->entries) {
1235                 return NT_STATUS_NO_MEMORY;
1236         }
1237
1238         for (i = 0; i < num_entries ; i++) {
1239
1240                 init_lsa_String(&r->entries[i].account_name,
1241                                 entries[i].account_name);
1242
1243                 init_lsa_String(&r->entries[i].description,
1244                                 entries[i].description);
1245
1246                 r->entries[i].rid = entries[i].rid;
1247                 r->entries[i].acct_flags = entries[i].acct_flags;
1248                 r->entries[i].idx = start_idx+i+1;
1249         }
1250
1251         return NT_STATUS_OK;
1252 }
1253
1254 /*******************************************************************
1255  inits a samr_DispInfoFullGroups structure.
1256 ********************************************************************/
1257
1258 static NTSTATUS init_samr_dispinfo_3(TALLOC_CTX *ctx,
1259                                      struct samr_DispInfoFullGroups *r,
1260                                      uint32_t num_entries,
1261                                      uint32_t start_idx,
1262                                      struct samr_displayentry *entries)
1263 {
1264         uint32_t i;
1265
1266         DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries));
1267
1268         if (num_entries == 0) {
1269                 return NT_STATUS_OK;
1270         }
1271
1272         r->count = num_entries;
1273
1274         r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFullGroup, num_entries);
1275         if (!r->entries) {
1276                 return NT_STATUS_NO_MEMORY;
1277         }
1278
1279         for (i = 0; i < num_entries ; i++) {
1280
1281                 init_lsa_String(&r->entries[i].account_name,
1282                                 entries[i].account_name);
1283
1284                 init_lsa_String(&r->entries[i].description,
1285                                 entries[i].description);
1286
1287                 r->entries[i].rid = entries[i].rid;
1288                 r->entries[i].acct_flags = entries[i].acct_flags;
1289                 r->entries[i].idx = start_idx+i+1;
1290         }
1291
1292         return NT_STATUS_OK;
1293 }
1294
1295 /*******************************************************************
1296  inits a samr_DispInfoAscii structure.
1297 ********************************************************************/
1298
1299 static NTSTATUS init_samr_dispinfo_4(TALLOC_CTX *ctx,
1300                                      struct samr_DispInfoAscii *r,
1301                                      uint32_t num_entries,
1302                                      uint32_t start_idx,
1303                                      struct samr_displayentry *entries)
1304 {
1305         uint32_t i;
1306
1307         DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries));
1308
1309         if (num_entries == 0) {
1310                 return NT_STATUS_OK;
1311         }
1312
1313         r->count = num_entries;
1314
1315         r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1316         if (!r->entries) {
1317                 return NT_STATUS_NO_MEMORY;
1318         }
1319
1320         for (i = 0; i < num_entries ; i++) {
1321
1322                 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1323                                           entries[i].account_name);
1324
1325                 r->entries[i].idx = start_idx+i+1;
1326         }
1327
1328         return NT_STATUS_OK;
1329 }
1330
1331 /*******************************************************************
1332  inits a samr_DispInfoAscii structure.
1333 ********************************************************************/
1334
1335 static NTSTATUS init_samr_dispinfo_5(TALLOC_CTX *ctx,
1336                                      struct samr_DispInfoAscii *r,
1337                                      uint32_t num_entries,
1338                                      uint32_t start_idx,
1339                                      struct samr_displayentry *entries)
1340 {
1341         uint32_t i;
1342
1343         DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries));
1344
1345         if (num_entries == 0) {
1346                 return NT_STATUS_OK;
1347         }
1348
1349         r->count = num_entries;
1350
1351         r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1352         if (!r->entries) {
1353                 return NT_STATUS_NO_MEMORY;
1354         }
1355
1356         for (i = 0; i < num_entries ; i++) {
1357
1358                 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1359                                           entries[i].account_name);
1360
1361                 r->entries[i].idx = start_idx+i+1;
1362         }
1363
1364         return NT_STATUS_OK;
1365 }
1366
1367 /*******************************************************************
1368  _samr_QueryDisplayInfo
1369  ********************************************************************/
1370
1371 NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
1372                                 struct samr_QueryDisplayInfo *r)
1373 {
1374         NTSTATUS status;
1375         struct samr_domain_info *dinfo;
1376         uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1377
1378         uint32 max_entries = r->in.max_entries;
1379         uint32 enum_context = r->in.start_idx;
1380         uint32 max_size = r->in.buf_size;
1381
1382         union samr_DispInfo *disp_info = r->out.info;
1383
1384         uint32 temp_size=0, total_data_size=0;
1385         NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
1386         uint32 num_account = 0;
1387         enum remote_arch_types ra_type = get_remote_arch();
1388         int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1389         struct samr_displayentry *entries = NULL;
1390
1391         DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__));
1392
1393         dinfo = policy_handle_find(p, r->in.domain_handle,
1394                                    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS, NULL,
1395                                    struct samr_domain_info, &status);
1396         if (!NT_STATUS_IS_OK(status)) {
1397                 return status;
1398         }
1399
1400         if (sid_check_is_builtin(&dinfo->sid)) {
1401                 DEBUG(5,("_samr_QueryDisplayInfo: no users in BUILTIN\n"));
1402                 return NT_STATUS_OK;
1403         }
1404
1405         /*
1406          * calculate how many entries we will return.
1407          * based on
1408          * - the number of entries the client asked
1409          * - our limit on that
1410          * - the starting point (enumeration context)
1411          * - the buffer size the client will accept
1412          */
1413
1414         /*
1415          * We are a lot more like W2K. Instead of reading the SAM
1416          * each time to find the records we need to send back,
1417          * we read it once and link that copy to the sam handle.
1418          * For large user list (over the MAX_SAM_ENTRIES)
1419          * it's a definitive win.
1420          * second point to notice: between enumerations
1421          * our sam is now the same as it's a snapshoot.
1422          * third point: got rid of the static SAM_USER_21 struct
1423          * no more intermediate.
1424          * con: it uses much more memory, as a full copy is stored
1425          * in memory.
1426          *
1427          * If you want to change it, think twice and think
1428          * of the second point , that's really important.
1429          *
1430          * JFM, 12/20/2001
1431          */
1432
1433         if ((r->in.level < 1) || (r->in.level > 5)) {
1434                 DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1435                          (unsigned int)r->in.level ));
1436                 return NT_STATUS_INVALID_INFO_CLASS;
1437         }
1438
1439         /* first limit the number of entries we will return */
1440         if(max_entries > max_sam_entries) {
1441                 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1442                           "entries, limiting to %d\n", max_entries,
1443                           max_sam_entries));
1444                 max_entries = max_sam_entries;
1445         }
1446
1447         /* calculate the size and limit on the number of entries we will
1448          * return */
1449
1450         temp_size=max_entries*struct_size;
1451
1452         if (temp_size>max_size) {
1453                 max_entries=MIN((max_size/struct_size),max_entries);;
1454                 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1455                           "only %d entries\n", max_entries));
1456         }
1457
1458         become_root();
1459
1460         /* THe following done as ROOT. Don't return without unbecome_root(). */
1461
1462         switch (r->in.level) {
1463         case 0x1:
1464         case 0x4:
1465                 if (dinfo->disp_info->users == NULL) {
1466                         dinfo->disp_info->users = pdb_search_users(
1467                                 dinfo->disp_info, ACB_NORMAL);
1468                         if (dinfo->disp_info->users == NULL) {
1469                                 unbecome_root();
1470                                 return NT_STATUS_ACCESS_DENIED;
1471                         }
1472                         DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1473                                 (unsigned  int)enum_context ));
1474                 } else {
1475                         DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1476                                 (unsigned  int)enum_context ));
1477                 }
1478
1479                 num_account = pdb_search_entries(dinfo->disp_info->users,
1480                                                  enum_context, max_entries,
1481                                                  &entries);
1482                 break;
1483         case 0x2:
1484                 if (dinfo->disp_info->machines == NULL) {
1485                         dinfo->disp_info->machines = pdb_search_users(
1486                                 dinfo->disp_info, ACB_WSTRUST|ACB_SVRTRUST);
1487                         if (dinfo->disp_info->machines == NULL) {
1488                                 unbecome_root();
1489                                 return NT_STATUS_ACCESS_DENIED;
1490                         }
1491                         DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1492                                 (unsigned  int)enum_context ));
1493                 } else {
1494                         DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1495                                 (unsigned  int)enum_context ));
1496                 }
1497
1498                 num_account = pdb_search_entries(dinfo->disp_info->machines,
1499                                                  enum_context, max_entries,
1500                                                  &entries);
1501                 break;
1502         case 0x3:
1503         case 0x5:
1504                 if (dinfo->disp_info->groups == NULL) {
1505                         dinfo->disp_info->groups = pdb_search_groups(
1506                                 dinfo->disp_info);
1507                         if (dinfo->disp_info->groups == NULL) {
1508                                 unbecome_root();
1509                                 return NT_STATUS_ACCESS_DENIED;
1510                         }
1511                         DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1512                                 (unsigned  int)enum_context ));
1513                 } else {
1514                         DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1515                                 (unsigned  int)enum_context ));
1516                 }
1517
1518                 num_account = pdb_search_entries(dinfo->disp_info->groups,
1519                                                  enum_context, max_entries,
1520                                                  &entries);
1521                 break;
1522         default:
1523                 unbecome_root();
1524                 smb_panic("info class changed");
1525                 break;
1526         }
1527         unbecome_root();
1528
1529
1530         /* Now create reply structure */
1531         switch (r->in.level) {
1532         case 0x1:
1533                 disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1,
1534                                                 num_account, enum_context,
1535                                                 entries);
1536                 break;
1537         case 0x2:
1538                 disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2,
1539                                                 num_account, enum_context,
1540                                                 entries);
1541                 break;
1542         case 0x3:
1543                 disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3,
1544                                                 num_account, enum_context,
1545                                                 entries);
1546                 break;
1547         case 0x4:
1548                 disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4,
1549                                                 num_account, enum_context,
1550                                                 entries);
1551                 break;
1552         case 0x5:
1553                 disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5,
1554                                                 num_account, enum_context,
1555                                                 entries);
1556                 break;
1557         default:
1558                 smb_panic("info class changed");
1559                 break;
1560         }
1561
1562         if (!NT_STATUS_IS_OK(disp_ret))
1563                 return disp_ret;
1564
1565         /* calculate the total size */
1566         total_data_size=num_account*struct_size;
1567
1568         if (max_entries <= num_account) {
1569                 status = STATUS_MORE_ENTRIES;
1570         } else {
1571                 status = NT_STATUS_OK;
1572         }
1573
1574         /* Ensure we cache this enumeration. */
1575         set_disp_info_cache_timeout(dinfo->disp_info, DISP_INFO_CACHE_TIMEOUT);
1576
1577         DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__));
1578
1579         *r->out.total_size = total_data_size;
1580         *r->out.returned_size = temp_size;
1581
1582         return status;
1583 }
1584
1585 /****************************************************************
1586  _samr_QueryDisplayInfo2
1587 ****************************************************************/
1588
1589 NTSTATUS _samr_QueryDisplayInfo2(pipes_struct *p,
1590                                  struct samr_QueryDisplayInfo2 *r)
1591 {
1592         struct samr_QueryDisplayInfo q;
1593
1594         q.in.domain_handle      = r->in.domain_handle;
1595         q.in.level              = r->in.level;
1596         q.in.start_idx          = r->in.start_idx;
1597         q.in.max_entries        = r->in.max_entries;
1598         q.in.buf_size           = r->in.buf_size;
1599
1600         q.out.total_size        = r->out.total_size;
1601         q.out.returned_size     = r->out.returned_size;
1602         q.out.info              = r->out.info;
1603
1604         return _samr_QueryDisplayInfo(p, &q);
1605 }
1606
1607 /****************************************************************
1608  _samr_QueryDisplayInfo3
1609 ****************************************************************/
1610
1611 NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p,
1612                                  struct samr_QueryDisplayInfo3 *r)
1613 {
1614         struct samr_QueryDisplayInfo q;
1615
1616         q.in.domain_handle      = r->in.domain_handle;
1617         q.in.level              = r->in.level;
1618         q.in.start_idx          = r->in.start_idx;
1619         q.in.max_entries        = r->in.max_entries;
1620         q.in.buf_size           = r->in.buf_size;
1621
1622         q.out.total_size        = r->out.total_size;
1623         q.out.returned_size     = r->out.returned_size;
1624         q.out.info              = r->out.info;
1625
1626         return _samr_QueryDisplayInfo(p, &q);
1627 }
1628
1629 /*******************************************************************
1630  _samr_QueryAliasInfo
1631  ********************************************************************/
1632
1633 NTSTATUS _samr_QueryAliasInfo(pipes_struct *p,
1634                               struct samr_QueryAliasInfo *r)
1635 {
1636         struct samr_alias_info *ainfo;
1637         struct acct_info info;
1638         NTSTATUS status;
1639         union samr_AliasInfo *alias_info = NULL;
1640         const char *alias_name = NULL;
1641         const char *alias_description = NULL;
1642
1643         DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1644
1645         ainfo = policy_handle_find(p, r->in.alias_handle,
1646                                    SAMR_ALIAS_ACCESS_LOOKUP_INFO, NULL,
1647                                    struct samr_alias_info, &status);
1648         if (!NT_STATUS_IS_OK(status)) {
1649                 return status;
1650         }
1651
1652         alias_info = TALLOC_ZERO_P(p->mem_ctx, union samr_AliasInfo);
1653         if (!alias_info) {
1654                 return NT_STATUS_NO_MEMORY;
1655         }
1656
1657         become_root();
1658         status = pdb_get_aliasinfo(&ainfo->sid, &info);
1659         unbecome_root();
1660
1661         if ( !NT_STATUS_IS_OK(status))
1662                 return status;
1663
1664         /* FIXME: info contains fstrings */
1665         alias_name = talloc_strdup(r, info.acct_name);
1666         alias_description = talloc_strdup(r, info.acct_desc);
1667
1668         switch (r->in.level) {
1669         case ALIASINFOALL:
1670                 alias_info->all.name.string             = alias_name;
1671                 alias_info->all.num_members             = 1; /* ??? */
1672                 alias_info->all.description.string      = alias_description;
1673                 break;
1674         case ALIASINFODESCRIPTION:
1675                 alias_info->description.string          = alias_description;
1676                 break;
1677         default:
1678                 return NT_STATUS_INVALID_INFO_CLASS;
1679         }
1680
1681         *r->out.info = alias_info;
1682
1683         DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1684
1685         return NT_STATUS_OK;
1686 }
1687
1688 /*******************************************************************
1689  _samr_LookupNames
1690  ********************************************************************/
1691
1692 NTSTATUS _samr_LookupNames(pipes_struct *p,
1693                            struct samr_LookupNames *r)
1694 {
1695         struct samr_domain_info *dinfo;
1696         NTSTATUS status;
1697         uint32 *rid;
1698         enum lsa_SidType *type;
1699         int i;
1700         int num_rids = r->in.num_names;
1701         struct samr_Ids rids, types;
1702         uint32_t num_mapped = 0;
1703
1704         DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1705
1706         dinfo = policy_handle_find(p, r->in.domain_handle,
1707                                    0 /* Don't know the acc_bits yet */, NULL,
1708                                    struct samr_domain_info, &status);
1709         if (!NT_STATUS_IS_OK(status)) {
1710                 return status;
1711         }
1712
1713         if (num_rids > MAX_SAM_ENTRIES) {
1714                 num_rids = MAX_SAM_ENTRIES;
1715                 DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids));
1716         }
1717
1718         rid = talloc_array(p->mem_ctx, uint32, num_rids);
1719         NT_STATUS_HAVE_NO_MEMORY(rid);
1720
1721         type = talloc_array(p->mem_ctx, enum lsa_SidType, num_rids);
1722         NT_STATUS_HAVE_NO_MEMORY(type);
1723
1724         DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1725                  sid_string_dbg(&dinfo->sid)));
1726
1727         for (i = 0; i < num_rids; i++) {
1728
1729                 status = NT_STATUS_NONE_MAPPED;
1730                 type[i] = SID_NAME_UNKNOWN;
1731
1732                 rid[i] = 0xffffffff;
1733
1734                 if (sid_check_is_builtin(&dinfo->sid)) {
1735                         if (lookup_builtin_name(r->in.names[i].string,
1736                                                 &rid[i]))
1737                         {
1738                                 type[i] = SID_NAME_ALIAS;
1739                         }
1740                 } else {
1741                         lookup_global_sam_name(r->in.names[i].string, 0,
1742                                                &rid[i], &type[i]);
1743                 }
1744
1745                 if (type[i] != SID_NAME_UNKNOWN) {
1746                         num_mapped++;
1747                 }
1748         }
1749
1750         if (num_mapped == num_rids) {
1751                 status = NT_STATUS_OK;
1752         } else if (num_mapped == 0) {
1753                 status = NT_STATUS_NONE_MAPPED;
1754         } else {
1755                 status = STATUS_SOME_UNMAPPED;
1756         }
1757
1758         rids.count = num_rids;
1759         rids.ids = rid;
1760
1761         types.count = num_rids;
1762         types.ids = type;
1763
1764         *r->out.rids = rids;
1765         *r->out.types = types;
1766
1767         DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1768
1769         return status;
1770 }
1771
1772 /*******************************************************************
1773  _samr_ChangePasswordUser2
1774  ********************************************************************/
1775
1776 NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
1777                                    struct samr_ChangePasswordUser2 *r)
1778 {
1779         NTSTATUS status;
1780         fstring user_name;
1781         fstring wks;
1782
1783         DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1784
1785         fstrcpy(user_name, r->in.account->string);
1786         fstrcpy(wks, r->in.server->string);
1787
1788         DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
1789
1790         /*
1791          * Pass the user through the NT -> unix user mapping
1792          * function.
1793          */
1794
1795         (void)map_username(user_name);
1796
1797         /*
1798          * UNIX username case mangling not required, pass_oem_change
1799          * is case insensitive.
1800          */
1801
1802         status = pass_oem_change(user_name,
1803                                  r->in.lm_password->data,
1804                                  r->in.lm_verifier->hash,
1805                                  r->in.nt_password->data,
1806                                  r->in.nt_verifier->hash,
1807                                  NULL);
1808
1809         DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1810
1811         return status;
1812 }
1813
1814 /****************************************************************
1815  _samr_OemChangePasswordUser2
1816 ****************************************************************/
1817
1818 NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
1819                                       struct samr_OemChangePasswordUser2 *r)
1820 {
1821         NTSTATUS status;
1822         fstring user_name;
1823         const char *wks = NULL;
1824
1825         DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__));
1826
1827         fstrcpy(user_name, r->in.account->string);
1828         if (r->in.server && r->in.server->string) {
1829                 wks = r->in.server->string;
1830         }
1831
1832         DEBUG(5,("_samr_OemChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
1833
1834         /*
1835          * Pass the user through the NT -> unix user mapping
1836          * function.
1837          */
1838
1839         (void)map_username(user_name);
1840
1841         /*
1842          * UNIX username case mangling not required, pass_oem_change
1843          * is case insensitive.
1844          */
1845
1846         if (!r->in.hash || !r->in.password) {
1847                 return NT_STATUS_INVALID_PARAMETER;
1848         }
1849
1850         status = pass_oem_change(user_name,
1851                                  r->in.password->data,
1852                                  r->in.hash->hash,
1853                                  0,
1854                                  0,
1855                                  NULL);
1856
1857         DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__));
1858
1859         return status;
1860 }
1861
1862 /*******************************************************************
1863  _samr_ChangePasswordUser3
1864  ********************************************************************/
1865
1866 NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
1867                                    struct samr_ChangePasswordUser3 *r)
1868 {
1869         NTSTATUS status;
1870         fstring user_name;
1871         const char *wks = NULL;
1872         uint32 reject_reason;
1873         struct samr_DomInfo1 *dominfo = NULL;
1874         struct samr_ChangeReject *reject = NULL;
1875         uint32_t tmp;
1876
1877         DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
1878
1879         fstrcpy(user_name, r->in.account->string);
1880         if (r->in.server && r->in.server->string) {
1881                 wks = r->in.server->string;
1882         }
1883
1884         DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name, wks));
1885
1886         /*
1887          * Pass the user through the NT -> unix user mapping
1888          * function.
1889          */
1890
1891         (void)map_username(user_name);
1892
1893         /*
1894          * UNIX username case mangling not required, pass_oem_change
1895          * is case insensitive.
1896          */
1897
1898         status = pass_oem_change(user_name,
1899                                  r->in.lm_password->data,
1900                                  r->in.lm_verifier->hash,
1901                                  r->in.nt_password->data,
1902                                  r->in.nt_verifier->hash,
1903                                  &reject_reason);
1904
1905         if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) ||
1906             NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_RESTRICTION)) {
1907
1908                 time_t u_expire, u_min_age;
1909                 uint32 account_policy_temp;
1910
1911                 dominfo = TALLOC_ZERO_P(p->mem_ctx, struct samr_DomInfo1);
1912                 if (!dominfo) {
1913                         return NT_STATUS_NO_MEMORY;
1914                 }
1915
1916                 reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject);
1917                 if (!reject) {
1918                         return NT_STATUS_NO_MEMORY;
1919                 }
1920
1921                 become_root();
1922
1923                 /* AS ROOT !!! */
1924
1925                 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &tmp);
1926                 dominfo->min_password_length = tmp;
1927
1928                 pdb_get_account_policy(AP_PASSWORD_HISTORY, &tmp);
1929                 dominfo->password_history_length = tmp;
1930
1931                 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
1932                                        &dominfo->password_properties);
1933
1934                 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
1935                 u_expire = account_policy_temp;
1936
1937                 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
1938                 u_min_age = account_policy_temp;
1939
1940                 /* !AS ROOT */
1941
1942                 unbecome_root();
1943
1944                 unix_to_nt_time_abs((NTTIME *)&dominfo->max_password_age, u_expire);
1945                 unix_to_nt_time_abs((NTTIME *)&dominfo->min_password_age, u_min_age);
1946
1947                 if (lp_check_password_script() && *lp_check_password_script()) {
1948                         dominfo->password_properties |= DOMAIN_PASSWORD_COMPLEX;
1949                 }
1950
1951                 reject->reason = reject_reason;
1952
1953                 *r->out.dominfo = dominfo;
1954                 *r->out.reject = reject;
1955         }
1956
1957         DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
1958
1959         return status;
1960 }
1961
1962 /*******************************************************************
1963 makes a SAMR_R_LOOKUP_RIDS structure.
1964 ********************************************************************/
1965
1966 static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
1967                                   const char **names,
1968                                   struct lsa_String **lsa_name_array_p)
1969 {
1970         struct lsa_String *lsa_name_array = NULL;
1971         uint32_t i;
1972
1973         *lsa_name_array_p = NULL;
1974
1975         if (num_names != 0) {
1976                 lsa_name_array = TALLOC_ZERO_ARRAY(ctx, struct lsa_String, num_names);
1977                 if (!lsa_name_array) {
1978                         return false;
1979                 }
1980         }
1981
1982         for (i = 0; i < num_names; i++) {
1983                 DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : ""));
1984                 init_lsa_String(&lsa_name_array[i], names[i]);
1985         }
1986
1987         *lsa_name_array_p = lsa_name_array;
1988
1989         return true;
1990 }
1991
1992 /*******************************************************************
1993  _samr_LookupRids
1994  ********************************************************************/
1995
1996 NTSTATUS _samr_LookupRids(pipes_struct *p,
1997                           struct samr_LookupRids *r)
1998 {
1999         struct samr_domain_info *dinfo;
2000         NTSTATUS status;
2001         const char **names;
2002         enum lsa_SidType *attrs = NULL;
2003         uint32 *wire_attrs = NULL;
2004         int num_rids = (int)r->in.num_rids;
2005         int i;
2006         struct lsa_Strings names_array;
2007         struct samr_Ids types_array;
2008         struct lsa_String *lsa_names = NULL;
2009
2010         DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2011
2012         dinfo = policy_handle_find(p, r->in.domain_handle,
2013                                    0 /* Don't know the acc_bits yet */, NULL,
2014                                    struct samr_domain_info, &status);
2015         if (!NT_STATUS_IS_OK(status)) {
2016                 return status;
2017         }
2018
2019         if (num_rids > 1000) {
2020                 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
2021                           "to samba4 idl this is not possible\n", num_rids));
2022                 return NT_STATUS_UNSUCCESSFUL;
2023         }
2024
2025         if (num_rids) {
2026                 names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
2027                 attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum lsa_SidType, num_rids);
2028                 wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
2029
2030                 if ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))
2031                         return NT_STATUS_NO_MEMORY;
2032         } else {
2033                 names = NULL;
2034                 attrs = NULL;
2035                 wire_attrs = NULL;
2036         }
2037
2038         become_root();  /* lookup_sid can require root privs */
2039         status = pdb_lookup_rids(&dinfo->sid, num_rids, r->in.rids,
2040                                  names, attrs);
2041         unbecome_root();
2042
2043         if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) && (num_rids == 0)) {
2044                 status = NT_STATUS_OK;
2045         }
2046
2047         if (!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
2048                                    &lsa_names)) {
2049                 return NT_STATUS_NO_MEMORY;
2050         }
2051
2052         /* Convert from enum lsa_SidType to uint32 for wire format. */
2053         for (i = 0; i < num_rids; i++) {
2054                 wire_attrs[i] = (uint32)attrs[i];
2055         }
2056
2057         names_array.count = num_rids;
2058         names_array.names = lsa_names;
2059
2060         types_array.count = num_rids;
2061         types_array.ids = wire_attrs;
2062
2063         *r->out.names = names_array;
2064         *r->out.types = types_array;
2065
2066         DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2067
2068         return status;
2069 }
2070
2071 /*******************************************************************
2072  _samr_OpenUser
2073 ********************************************************************/
2074
2075 NTSTATUS _samr_OpenUser(pipes_struct *p,
2076                         struct samr_OpenUser *r)
2077 {
2078         struct samu *sampass=NULL;
2079         DOM_SID sid;
2080         struct samr_domain_info *dinfo;
2081         struct samr_user_info *uinfo;
2082         SEC_DESC *psd = NULL;
2083         uint32    acc_granted;
2084         uint32    des_access = r->in.access_mask;
2085         size_t    sd_size;
2086         bool ret;
2087         NTSTATUS nt_status;
2088         SE_PRIV se_rights;
2089         NTSTATUS status;
2090
2091         dinfo = policy_handle_find(p, r->in.domain_handle,
2092                                    SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, NULL,
2093                                    struct samr_domain_info, &status);
2094         if (!NT_STATUS_IS_OK(status)) {
2095                 return status;
2096         }
2097
2098         if ( !(sampass = samu_new( p->mem_ctx )) ) {
2099                 return NT_STATUS_NO_MEMORY;
2100         }
2101
2102         /* append the user's RID to it */
2103
2104         if (!sid_compose(&sid, &dinfo->sid, r->in.rid))
2105                 return NT_STATUS_NO_SUCH_USER;
2106
2107         /* check if access can be granted as requested by client. */
2108
2109         map_max_allowed_access(p->server_info->ptok, &des_access);
2110
2111         make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
2112         se_map_generic(&des_access, &usr_generic_mapping);
2113
2114         se_priv_copy( &se_rights, &se_machine_account );
2115         se_priv_add( &se_rights, &se_add_users );
2116
2117         nt_status = access_check_samr_object(psd, p->server_info->ptok,
2118                 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
2119                 &acc_granted, "_samr_OpenUser");
2120
2121         if ( !NT_STATUS_IS_OK(nt_status) )
2122                 return nt_status;
2123
2124         become_root();
2125         ret=pdb_getsampwsid(sampass, &sid);
2126         unbecome_root();
2127
2128         /* check that the SID exists in our domain. */
2129         if (ret == False) {
2130                 return NT_STATUS_NO_SUCH_USER;
2131         }
2132
2133         TALLOC_FREE(sampass);
2134
2135         uinfo = policy_handle_create(p, r->out.user_handle, acc_granted,
2136                                      struct samr_user_info, &nt_status);
2137         if (!NT_STATUS_IS_OK(nt_status)) {
2138                 return nt_status;
2139         }
2140         uinfo->sid = sid;
2141
2142         return NT_STATUS_OK;
2143 }
2144
2145 /*************************************************************************
2146  *************************************************************************/
2147
2148 static NTSTATUS init_samr_parameters_string(TALLOC_CTX *mem_ctx,
2149                                             DATA_BLOB *blob,
2150                                             struct lsa_BinaryString **_r)
2151 {
2152         struct lsa_BinaryString *r;
2153
2154         if (!blob || !_r) {
2155                 return NT_STATUS_INVALID_PARAMETER;
2156         }
2157
2158         r = TALLOC_ZERO_P(mem_ctx, struct lsa_BinaryString);
2159         if (!r) {
2160                 return NT_STATUS_NO_MEMORY;
2161         }
2162
2163         r->array = TALLOC_ZERO_ARRAY(mem_ctx, uint16_t, blob->length/2);
2164         if (!r->array) {
2165                 return NT_STATUS_NO_MEMORY;
2166         }
2167         memcpy(r->array, blob->data, blob->length);
2168         r->size = blob->length;
2169         r->length = blob->length;
2170
2171         if (!r->array) {
2172                 return NT_STATUS_NO_MEMORY;
2173         }
2174
2175         *_r = r;
2176
2177         return NT_STATUS_OK;
2178 }
2179
2180 /*************************************************************************
2181  get_user_info_1.
2182  *************************************************************************/
2183
2184 static NTSTATUS get_user_info_1(TALLOC_CTX *mem_ctx,
2185                                 struct samr_UserInfo1 *r,
2186                                 struct samu *pw,
2187                                 DOM_SID *domain_sid)
2188 {
2189         const DOM_SID *sid_group;
2190         uint32_t primary_gid;
2191
2192         become_root();
2193         sid_group = pdb_get_group_sid(pw);
2194         unbecome_root();
2195
2196         if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2197                 DEBUG(0, ("get_user_info_1: User %s has Primary Group SID %s, \n"
2198                           "which conflicts with the domain sid %s.  Failing operation.\n",
2199                           pdb_get_username(pw), sid_string_dbg(sid_group),
2200                           sid_string_dbg(domain_sid)));
2201                 return NT_STATUS_UNSUCCESSFUL;
2202         }
2203
2204         r->account_name.string          = talloc_strdup(mem_ctx, pdb_get_username(pw));
2205         r->full_name.string             = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2206         r->primary_gid                  = primary_gid;
2207         r->description.string           = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2208         r->comment.string               = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2209
2210         return NT_STATUS_OK;
2211 }
2212
2213 /*************************************************************************
2214  get_user_info_2.
2215  *************************************************************************/
2216
2217 static NTSTATUS get_user_info_2(TALLOC_CTX *mem_ctx,
2218                                 struct samr_UserInfo2 *r,
2219                                 struct samu *pw)
2220 {
2221         r->comment.string               = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2222         r->unknown.string               = NULL;
2223         r->country_code                 = 0;
2224         r->code_page                    = 0;
2225
2226         return NT_STATUS_OK;
2227 }
2228
2229 /*************************************************************************
2230  get_user_info_3.
2231  *************************************************************************/
2232
2233 static NTSTATUS get_user_info_3(TALLOC_CTX *mem_ctx,
2234                                 struct samr_UserInfo3 *r,
2235                                 struct samu *pw,
2236                                 DOM_SID *domain_sid)
2237 {
2238         const DOM_SID *sid_user, *sid_group;
2239         uint32_t rid, primary_gid;
2240
2241         sid_user = pdb_get_user_sid(pw);
2242
2243         if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2244                 DEBUG(0, ("get_user_info_3: User %s has SID %s, \nwhich conflicts with "
2245                           "the domain sid %s.  Failing operation.\n",
2246                           pdb_get_username(pw), sid_string_dbg(sid_user),
2247                           sid_string_dbg(domain_sid)));
2248                 return NT_STATUS_UNSUCCESSFUL;
2249         }
2250
2251         become_root();
2252         sid_group = pdb_get_group_sid(pw);
2253         unbecome_root();
2254
2255         if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2256                 DEBUG(0, ("get_user_info_3: User %s has Primary Group SID %s, \n"
2257                           "which conflicts with the domain sid %s.  Failing operation.\n",
2258                           pdb_get_username(pw), sid_string_dbg(sid_group),
2259                           sid_string_dbg(domain_sid)));
2260                 return NT_STATUS_UNSUCCESSFUL;
2261         }
2262
2263         unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2264         unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2265         unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2266         unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw));
2267         unix_to_nt_time(&r->force_password_change, pdb_get_pass_must_change_time(pw));
2268
2269         r->account_name.string  = talloc_strdup(mem_ctx, pdb_get_username(pw));
2270         r->full_name.string     = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2271         r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2272         r->home_drive.string    = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2273         r->logon_script.string  = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2274         r->profile_path.string  = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2275         r->workstations.string  = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2276
2277         r->logon_hours          = get_logon_hours_from_pdb(mem_ctx, pw);
2278         r->rid                  = rid;
2279         r->primary_gid          = primary_gid;
2280         r->acct_flags           = pdb_get_acct_ctrl(pw);
2281         r->bad_password_count   = pdb_get_bad_password_count(pw);
2282         r->logon_count          = pdb_get_logon_count(pw);
2283
2284         return NT_STATUS_OK;
2285 }
2286
2287 /*************************************************************************
2288  get_user_info_4.
2289  *************************************************************************/
2290
2291 static NTSTATUS get_user_info_4(TALLOC_CTX *mem_ctx,
2292                                 struct samr_UserInfo4 *r,
2293                                 struct samu *pw)
2294 {
2295         r->logon_hours          = get_logon_hours_from_pdb(mem_ctx, pw);
2296
2297         return NT_STATUS_OK;
2298 }
2299
2300 /*************************************************************************
2301  get_user_info_5.
2302  *************************************************************************/
2303
2304 static NTSTATUS get_user_info_5(TALLOC_CTX *mem_ctx,
2305                                 struct samr_UserInfo5 *r,
2306                                 struct samu *pw,
2307                                 DOM_SID *domain_sid)
2308 {
2309         const DOM_SID *sid_user, *sid_group;
2310         uint32_t rid, primary_gid;
2311
2312         sid_user = pdb_get_user_sid(pw);
2313
2314         if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2315                 DEBUG(0, ("get_user_info_5: User %s has SID %s, \nwhich conflicts with "
2316                           "the domain sid %s.  Failing operation.\n",
2317                           pdb_get_username(pw), sid_string_dbg(sid_user),
2318                           sid_string_dbg(domain_sid)));
2319                 return NT_STATUS_UNSUCCESSFUL;
2320         }
2321
2322         become_root();
2323         sid_group = pdb_get_group_sid(pw);
2324         unbecome_root();
2325
2326         if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2327                 DEBUG(0, ("get_user_info_5: User %s has Primary Group SID %s, \n"
2328                           "which conflicts with the domain sid %s.  Failing operation.\n",
2329                           pdb_get_username(pw), sid_string_dbg(sid_group),
2330                           sid_string_dbg(domain_sid)));
2331                 return NT_STATUS_UNSUCCESSFUL;
2332         }
2333
2334         unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2335         unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2336         unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2337         unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2338
2339         r->account_name.string  = talloc_strdup(mem_ctx, pdb_get_username(pw));
2340         r->full_name.string     = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2341         r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2342         r->home_drive.string    = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2343         r->logon_script.string  = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2344         r->profile_path.string  = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2345         r->description.string   = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2346         r->workstations.string  = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2347
2348         r->logon_hours          = get_logon_hours_from_pdb(mem_ctx, pw);
2349         r->rid                  = rid;
2350         r->primary_gid          = primary_gid;
2351         r->acct_flags           = pdb_get_acct_ctrl(pw);
2352         r->bad_password_count   = pdb_get_bad_password_count(pw);
2353         r->logon_count          = pdb_get_logon_count(pw);
2354
2355         return NT_STATUS_OK;
2356 }
2357
2358 /*************************************************************************
2359  get_user_info_6.
2360  *************************************************************************/
2361
2362 static NTSTATUS get_user_info_6(TALLOC_CTX *mem_ctx,
2363                                 struct samr_UserInfo6 *r,
2364                                 struct samu *pw)
2365 {
2366         r->account_name.string  = talloc_strdup(mem_ctx, pdb_get_username(pw));
2367         r->full_name.string     = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2368
2369         return NT_STATUS_OK;
2370 }
2371
2372 /*************************************************************************
2373  get_user_info_7. Safe. Only gives out account_name.
2374  *************************************************************************/
2375
2376 static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx,
2377                                 struct samr_UserInfo7 *r,
2378                                 struct samu *smbpass)
2379 {
2380         r->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(smbpass));
2381         if (!r->account_name.string) {
2382                 return NT_STATUS_NO_MEMORY;
2383         }
2384
2385         return NT_STATUS_OK;
2386 }
2387
2388 /*************************************************************************
2389  get_user_info_8.
2390  *************************************************************************/
2391
2392 static NTSTATUS get_user_info_8(TALLOC_CTX *mem_ctx,
2393                                 struct samr_UserInfo8 *r,
2394                                 struct samu *pw)
2395 {
2396         r->full_name.string     = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2397
2398         return NT_STATUS_OK;
2399 }
2400
2401 /*************************************************************************
2402  get_user_info_9. Only gives out primary group SID.
2403  *************************************************************************/
2404
2405 static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx,
2406                                 struct samr_UserInfo9 *r,
2407                                 struct samu *smbpass)
2408 {
2409         r->primary_gid = pdb_get_group_rid(smbpass);
2410
2411         return NT_STATUS_OK;
2412 }
2413
2414 /*************************************************************************
2415  get_user_info_10.
2416  *************************************************************************/
2417
2418 static NTSTATUS get_user_info_10(TALLOC_CTX *mem_ctx,
2419                                  struct samr_UserInfo10 *r,
2420                                  struct samu *pw)
2421 {
2422         r->home_directory.string= talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2423         r->home_drive.string    = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2424
2425         return NT_STATUS_OK;
2426 }
2427
2428 /*************************************************************************
2429  get_user_info_11.
2430  *************************************************************************/
2431
2432 static NTSTATUS get_user_info_11(TALLOC_CTX *mem_ctx,
2433                                  struct samr_UserInfo11 *r,
2434                                  struct samu *pw)
2435 {
2436         r->logon_script.string  = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2437
2438         return NT_STATUS_OK;
2439 }
2440
2441 /*************************************************************************
2442  get_user_info_12.
2443  *************************************************************************/
2444
2445 static NTSTATUS get_user_info_12(TALLOC_CTX *mem_ctx,
2446                                  struct samr_UserInfo12 *r,
2447                                  struct samu *pw)
2448 {
2449         r->profile_path.string  = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2450
2451         return NT_STATUS_OK;
2452 }
2453
2454 /*************************************************************************
2455  get_user_info_13.
2456  *************************************************************************/
2457
2458 static NTSTATUS get_user_info_13(TALLOC_CTX *mem_ctx,
2459                                  struct samr_UserInfo13 *r,
2460                                  struct samu *pw)
2461 {
2462         r->description.string   = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2463
2464         return NT_STATUS_OK;
2465 }
2466
2467 /*************************************************************************
2468  get_user_info_14.
2469  *************************************************************************/
2470
2471 static NTSTATUS get_user_info_14(TALLOC_CTX *mem_ctx,
2472                                  struct samr_UserInfo14 *r,
2473                                  struct samu *pw)
2474 {
2475         r->workstations.string  = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2476
2477         return NT_STATUS_OK;
2478 }
2479
2480 /*************************************************************************
2481  get_user_info_16. Safe. Only gives out acb bits.
2482  *************************************************************************/
2483
2484 static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx,
2485                                  struct samr_UserInfo16 *r,
2486                                  struct samu *smbpass)
2487 {
2488         r->acct_flags = pdb_get_acct_ctrl(smbpass);
2489
2490         return NT_STATUS_OK;
2491 }
2492
2493 /*************************************************************************
2494  get_user_info_17.
2495  *************************************************************************/
2496
2497 static NTSTATUS get_user_info_17(TALLOC_CTX *mem_ctx,
2498                                  struct samr_UserInfo17 *r,
2499                                  struct samu *pw)
2500 {
2501         unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2502
2503         return NT_STATUS_OK;
2504 }
2505
2506 /*************************************************************************
2507  get_user_info_18. OK - this is the killer as it gives out password info.
2508  Ensure that this is only allowed on an encrypted connection with a root
2509  user. JRA.
2510  *************************************************************************/
2511
2512 static NTSTATUS get_user_info_18(pipes_struct *p,
2513                                  TALLOC_CTX *mem_ctx,
2514                                  struct samr_UserInfo18 *r,
2515                                  DOM_SID *user_sid)
2516 {
2517         struct samu *smbpass=NULL;
2518         bool ret;
2519
2520         ZERO_STRUCTP(r);
2521
2522         if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
2523                 return NT_STATUS_ACCESS_DENIED;
2524         }
2525
2526         if (p->auth.auth_level != PIPE_AUTH_LEVEL_PRIVACY) {
2527                 return NT_STATUS_ACCESS_DENIED;
2528         }
2529
2530         /*
2531          * Do *NOT* do become_root()/unbecome_root() here ! JRA.
2532          */
2533
2534         if ( !(smbpass = samu_new( mem_ctx )) ) {
2535                 return NT_STATUS_NO_MEMORY;
2536         }
2537
2538         ret = pdb_getsampwsid(smbpass, user_sid);
2539
2540         if (ret == False) {
2541                 DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid)));
2542                 TALLOC_FREE(smbpass);
2543                 return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
2544         }
2545
2546         DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
2547
2548         if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
2549                 TALLOC_FREE(smbpass);
2550                 return NT_STATUS_ACCOUNT_DISABLED;
2551         }
2552
2553         r->lm_pwd_active = true;
2554         r->nt_pwd_active = true;
2555         memcpy(r->lm_pwd.hash, pdb_get_lanman_passwd(smbpass), 16);
2556         memcpy(r->nt_pwd.hash, pdb_get_nt_passwd(smbpass), 16);
2557         r->password_expired = 0; /* FIXME */
2558
2559         TALLOC_FREE(smbpass);
2560
2561         return NT_STATUS_OK;
2562 }
2563
2564 /*************************************************************************
2565  get_user_info_20
2566  *************************************************************************/
2567
2568 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx,
2569                                  struct samr_UserInfo20 *r,
2570                                  struct samu *sampass)
2571 {
2572         const char *munged_dial = NULL;
2573         DATA_BLOB blob;
2574         NTSTATUS status;
2575         struct lsa_BinaryString *parameters = NULL;
2576
2577         ZERO_STRUCTP(r);
2578
2579         munged_dial = pdb_get_munged_dial(sampass);
2580
2581         DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass),
2582                 munged_dial, (int)strlen(munged_dial)));
2583
2584         if (munged_dial) {
2585                 blob = base64_decode_data_blob(munged_dial);
2586         } else {
2587                 blob = data_blob_string_const_null("");
2588         }
2589
2590         status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2591         data_blob_free(&blob);
2592         if (!NT_STATUS_IS_OK(status)) {
2593                 return status;
2594         }
2595
2596         r->parameters = *parameters;
2597
2598         return NT_STATUS_OK;
2599 }
2600
2601
2602 /*************************************************************************
2603  get_user_info_21
2604  *************************************************************************/
2605
2606 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx,
2607                                  struct samr_UserInfo21 *r,
2608                                  struct samu *pw,
2609                                  DOM_SID *domain_sid)
2610 {
2611         NTSTATUS status;
2612         const DOM_SID *sid_user, *sid_group;
2613         uint32_t rid, primary_gid;
2614         NTTIME force_password_change;
2615         time_t must_change_time;
2616         struct lsa_BinaryString *parameters = NULL;
2617         const char *munged_dial = NULL;
2618         DATA_BLOB blob;
2619
2620         ZERO_STRUCTP(r);
2621
2622         sid_user = pdb_get_user_sid(pw);
2623
2624         if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2625                 DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2626                           "the domain sid %s.  Failing operation.\n",
2627                           pdb_get_username(pw), sid_string_dbg(sid_user),
2628                           sid_string_dbg(domain_sid)));
2629                 return NT_STATUS_UNSUCCESSFUL;
2630         }
2631
2632         become_root();
2633         sid_group = pdb_get_group_sid(pw);
2634         unbecome_root();
2635
2636         if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2637                 DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2638                           "which conflicts with the domain sid %s.  Failing operation.\n",
2639                           pdb_get_username(pw), sid_string_dbg(sid_group),
2640                           sid_string_dbg(domain_sid)));
2641                 return NT_STATUS_UNSUCCESSFUL;
2642         }
2643
2644         unix_to_nt_time(&r->last_logon, pdb_get_logon_time(pw));
2645         unix_to_nt_time(&r->last_logoff, pdb_get_logoff_time(pw));
2646         unix_to_nt_time(&r->acct_expiry, pdb_get_kickoff_time(pw));
2647         unix_to_nt_time(&r->last_password_change, pdb_get_pass_last_set_time(pw));
2648         unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw));
2649
2650         must_change_time = pdb_get_pass_must_change_time(pw);
2651         if (must_change_time == get_time_t_max()) {
2652                 unix_to_nt_time_abs(&force_password_change, must_change_time);
2653         } else {
2654                 unix_to_nt_time(&force_password_change, must_change_time);
2655         }
2656
2657         munged_dial = pdb_get_munged_dial(pw);
2658         if (munged_dial) {
2659                 blob = base64_decode_data_blob(munged_dial);
2660         } else {
2661                 blob = data_blob_string_const_null("");
2662         }
2663
2664         status = init_samr_parameters_string(mem_ctx, &blob, &parameters);
2665         data_blob_free(&blob);
2666         if (!NT_STATUS_IS_OK(status)) {
2667                 return status;
2668         }
2669
2670         r->force_password_change        = force_password_change;
2671
2672         r->account_name.string          = talloc_strdup(mem_ctx, pdb_get_username(pw));
2673         r->full_name.string             = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2674         r->home_directory.string        = talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2675         r->home_drive.string            = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2676         r->logon_script.string          = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2677         r->profile_path.string          = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2678         r->description.string           = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2679         r->workstations.string          = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2680         r->comment.string               = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2681
2682         r->logon_hours                  = get_logon_hours_from_pdb(mem_ctx, pw);
2683         r->parameters                   = *parameters;
2684         r->rid                          = rid;
2685         r->primary_gid                  = primary_gid;
2686         r->acct_flags                   = pdb_get_acct_ctrl(pw);
2687         r->bad_password_count           = pdb_get_bad_password_count(pw);
2688         r->logon_count                  = pdb_get_logon_count(pw);
2689         r->fields_present               = pdb_build_fields_present(pw);
2690         r->password_expired             = (pdb_get_pass_must_change_time(pw) == 0) ?
2691                                                 PASS_MUST_CHANGE_AT_NEXT_LOGON : 0;
2692         r->country_code                 = 0;
2693         r->code_page                    = 0;
2694         r->lm_password_set              = 0;
2695         r->nt_password_set              = 0;
2696
2697 #if 0
2698
2699         /*
2700           Look at a user on a real NT4 PDC with usrmgr, press
2701           'ok'. Then you will see that fields_present is set to
2702           0x08f827fa. Look at the user immediately after that again,
2703           and you will see that 0x00fffff is returned. This solves
2704           the problem that you get access denied after having looked
2705           at the user.
2706           -- Volker
2707         */
2708
2709 #endif
2710
2711
2712         return NT_STATUS_OK;
2713 }
2714
2715 /*******************************************************************
2716  _samr_QueryUserInfo
2717  ********************************************************************/
2718
2719 NTSTATUS _samr_QueryUserInfo(pipes_struct *p,
2720                              struct samr_QueryUserInfo *r)
2721 {
2722         NTSTATUS status;
2723         union samr_UserInfo *user_info = NULL;
2724         struct samr_user_info *uinfo;
2725         DOM_SID domain_sid;
2726         uint32 rid;
2727         bool ret = false;
2728         struct samu *pwd = NULL;
2729
2730         uinfo = policy_handle_find(p, r->in.user_handle,
2731                                    SAMR_USER_ACCESS_GET_ATTRIBUTES, NULL,
2732                                    struct samr_user_info, &status);
2733         if (!NT_STATUS_IS_OK(status)) {
2734                 return status;
2735         }
2736
2737         domain_sid = uinfo->sid;
2738
2739         sid_split_rid(&domain_sid, &rid);
2740
2741         if (!sid_check_is_in_our_domain(&uinfo->sid))
2742                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2743
2744         DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
2745                  sid_string_dbg(&uinfo->sid)));
2746
2747         user_info = TALLOC_ZERO_P(p->mem_ctx, union samr_UserInfo);
2748         if (!user_info) {
2749                 return NT_STATUS_NO_MEMORY;
2750         }
2751
2752         DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r->in.level));
2753
2754         if (!(pwd = samu_new(p->mem_ctx))) {
2755                 return NT_STATUS_NO_MEMORY;
2756         }
2757
2758         become_root();
2759         ret = pdb_getsampwsid(pwd, &uinfo->sid);
2760         unbecome_root();
2761
2762         if (ret == false) {
2763                 DEBUG(4,("User %s not found\n", sid_string_dbg(&uinfo->sid)));
2764                 TALLOC_FREE(pwd);
2765                 return NT_STATUS_NO_SUCH_USER;
2766         }
2767
2768         DEBUG(3,("User:[%s]\n", pdb_get_username(pwd)));
2769
2770         samr_clear_sam_passwd(pwd);
2771
2772         switch (r->in.level) {
2773         case 1:
2774                 status = get_user_info_1(p->mem_ctx, &user_info->info1, pwd, &domain_sid);
2775                 break;
2776         case 2:
2777                 status = get_user_info_2(p->mem_ctx, &user_info->info2, pwd);
2778                 break;
2779         case 3:
2780                 status = get_user_info_3(p->mem_ctx, &user_info->info3, pwd, &domain_sid);
2781                 break;
2782         case 4:
2783                 status = get_user_info_4(p->mem_ctx, &user_info->info4, pwd);
2784                 break;
2785         case 5:
2786                 status = get_user_info_5(p->mem_ctx, &user_info->info5, pwd, &domain_sid);
2787                 break;
2788         case 6:
2789                 status = get_user_info_6(p->mem_ctx, &user_info->info6, pwd);
2790                 break;
2791         case 7:
2792                 status = get_user_info_7(p->mem_ctx, &user_info->info7, pwd);
2793                 break;
2794         case 8:
2795                 status = get_user_info_8(p->mem_ctx, &user_info->info8, pwd);
2796                 break;
2797         case 9:
2798                 status = get_user_info_9(p->mem_ctx, &user_info->info9, pwd);
2799                 break;
2800         case 10:
2801                 status = get_user_info_10(p->mem_ctx, &user_info->info10, pwd);
2802                 break;
2803         case 11:
2804                 status = get_user_info_11(p->mem_ctx, &user_info->info11, pwd);
2805                 break;
2806         case 12:
2807                 status = get_user_info_12(p->mem_ctx, &user_info->info12, pwd);
2808                 break;
2809         case 13:
2810                 status = get_user_info_13(p->mem_ctx, &user_info->info13, pwd);
2811                 break;
2812         case 14:
2813                 status = get_user_info_14(p->mem_ctx, &user_info->info14, pwd);
2814                 break;
2815         case 16:
2816                 status = get_user_info_16(p->mem_ctx, &user_info->info16, pwd);
2817                 break;
2818         case 17:
2819                 status = get_user_info_17(p->mem_ctx, &user_info->info17, pwd);
2820                 break;
2821         case 18:
2822                 /* level 18 is special */
2823                 status = get_user_info_18(p, p->mem_ctx, &user_info->info18,
2824                                           &uinfo->sid);
2825                 break;
2826         case 20:
2827                 status = get_user_info_20(p->mem_ctx, &user_info->info20, pwd);
2828                 break;
2829         case 21:
2830                 status = get_user_info_21(p->mem_ctx, &user_info->info21, pwd, &domain_sid);
2831                 break;
2832         default:
2833                 status = NT_STATUS_INVALID_INFO_CLASS;
2834                 break;
2835         }
2836
2837         TALLOC_FREE(pwd);
2838
2839         *r->out.info = user_info;
2840
2841         DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__));
2842
2843         return status;
2844 }
2845
2846 /****************************************************************
2847 ****************************************************************/
2848
2849 NTSTATUS _samr_QueryUserInfo2(pipes_struct *p,
2850                               struct samr_QueryUserInfo2 *r)
2851 {
2852         struct samr_QueryUserInfo u;
2853
2854         u.in.user_handle        = r->in.user_handle;
2855         u.in.level              = r->in.level;
2856         u.out.info              = r->out.info;
2857
2858         return _samr_QueryUserInfo(p, &u);
2859 }
2860
2861 /*******************************************************************
2862  _samr_GetGroupsForUser
2863  ********************************************************************/
2864
2865 NTSTATUS _samr_GetGroupsForUser(pipes_struct *p,
2866                                 struct samr_GetGroupsForUser *r)
2867 {
2868         struct samr_user_info *uinfo;
2869         struct samu *sam_pass=NULL;
2870         DOM_SID *sids;
2871         struct samr_RidWithAttribute dom_gid;
2872         struct samr_RidWithAttribute *gids = NULL;
2873         uint32 primary_group_rid;
2874         size_t num_groups = 0;
2875         gid_t *unix_gids;
2876         size_t i, num_gids;
2877         bool ret;
2878         NTSTATUS result;
2879         bool success = False;
2880
2881         struct samr_RidWithAttributeArray *rids = NULL;
2882
2883         /*
2884          * from the SID in the request:
2885          * we should send back the list of DOMAIN GROUPS
2886          * the user is a member of
2887          *
2888          * and only the DOMAIN GROUPS
2889          * no ALIASES !!! neither aliases of the domain
2890          * nor aliases of the builtin SID
2891          *
2892          * JFM, 12/2/2001
2893          */
2894
2895         DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2896
2897         uinfo = policy_handle_find(p, r->in.user_handle,
2898                                    SAMR_USER_ACCESS_GET_GROUPS, NULL,
2899                                    struct samr_user_info, &result);
2900         if (!NT_STATUS_IS_OK(result)) {
2901                 return result;
2902         }
2903
2904         rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidWithAttributeArray);
2905         if (!rids) {
2906                 return NT_STATUS_NO_MEMORY;
2907         }
2908
2909         if (!sid_check_is_in_our_domain(&uinfo->sid))
2910                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2911
2912         if ( !(sam_pass = samu_new( p->mem_ctx )) ) {
2913                 return NT_STATUS_NO_MEMORY;
2914         }
2915
2916         become_root();
2917         ret = pdb_getsampwsid(sam_pass, &uinfo->sid);
2918         unbecome_root();
2919
2920         if (!ret) {
2921                 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
2922                            sid_string_dbg(&uinfo->sid)));
2923                 return NT_STATUS_NO_SUCH_USER;
2924         }
2925
2926         sids = NULL;
2927
2928         /* make both calls inside the root block */
2929         become_root();
2930         result = pdb_enum_group_memberships(p->mem_ctx, sam_pass,
2931                                             &sids, &unix_gids, &num_groups);
2932         if ( NT_STATUS_IS_OK(result) ) {
2933                 success = sid_peek_check_rid(get_global_sam_sid(),
2934                                              pdb_get_group_sid(sam_pass),
2935                                              &primary_group_rid);
2936         }
2937         unbecome_root();
2938
2939         if (!NT_STATUS_IS_OK(result)) {
2940                 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
2941                            sid_string_dbg(&uinfo->sid)));
2942                 return result;
2943         }
2944
2945         if ( !success ) {
2946                 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
2947                           sid_string_dbg(pdb_get_group_sid(sam_pass)),
2948                           pdb_get_username(sam_pass)));
2949                 TALLOC_FREE(sam_pass);
2950                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2951         }
2952
2953         gids = NULL;
2954         num_gids = 0;
2955
2956         dom_gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
2957                               SE_GROUP_ENABLED);
2958         dom_gid.rid = primary_group_rid;
2959         ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2960
2961         for (i=0; i<num_groups; i++) {
2962
2963                 if (!sid_peek_check_rid(get_global_sam_sid(),
2964                                         &(sids[i]), &dom_gid.rid)) {
2965                         DEBUG(10, ("Found sid %s not in our domain\n",
2966                                    sid_string_dbg(&sids[i])));
2967                         continue;
2968                 }
2969
2970                 if (dom_gid.rid == primary_group_rid) {
2971                         /* We added the primary group directly from the
2972                          * sam_account. The other SIDs are unique from
2973                          * enum_group_memberships */
2974                         continue;
2975                 }
2976
2977                 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2978         }
2979
2980         rids->count = num_gids;
2981         rids->rids = gids;
2982
2983         *r->out.rids = rids;
2984
2985         DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2986
2987         return result;
2988 }
2989
2990 /*******************************************************************
2991  _samr_QueryDomainInfo
2992  ********************************************************************/
2993
2994 NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
2995                                struct samr_QueryDomainInfo *r)
2996 {
2997         NTSTATUS status = NT_STATUS_OK;
2998         struct samr_domain_info *dinfo;
2999         union samr_DomainInfo *dom_info;
3000         time_t u_expire, u_min_age;
3001
3002         time_t u_lock_duration, u_reset_time;
3003         uint32_t u_logout;
3004
3005         uint32 account_policy_temp;
3006
3007         time_t seq_num;
3008         uint32 server_role;
3009
3010         DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
3011
3012         dinfo = policy_handle_find(p, r->in.domain_handle,
3013                                    SAMR_ACCESS_LOOKUP_DOMAIN, NULL,
3014                                    struct samr_domain_info, &status);
3015         if (!NT_STATUS_IS_OK(status)) {
3016                 return status;
3017         }
3018
3019         dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo);
3020         if (!dom_info) {
3021                 return NT_STATUS_NO_MEMORY;
3022         }
3023
3024         switch (r->in.level) {
3025                 case 0x01:
3026
3027                         become_root();
3028
3029                         /* AS ROOT !!! */
3030
3031                         pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
3032                                                &account_policy_temp);
3033                         dom_info->info1.min_password_length = account_policy_temp;
3034
3035                         pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
3036                         dom_info->info1.password_history_length = account_policy_temp;
3037
3038                         pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
3039                                 &dom_info->info1.password_properties);
3040
3041                         pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
3042                         u_expire = account_policy_temp;
3043
3044                         pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
3045                         u_min_age = account_policy_temp;
3046
3047                         /* !AS ROOT */
3048
3049                         unbecome_root();
3050
3051                         unix_to_nt_time_abs((NTTIME *)&dom_info->info1.max_password_age, u_expire);
3052                         unix_to_nt_time_abs((NTTIME *)&dom_info->info1.min_password_age, u_min_age);
3053
3054                         if (lp_check_password_script() && *lp_check_password_script()) {
3055                                 dom_info->info1.password_properties |= DOMAIN_PASSWORD_COMPLEX;
3056                         }
3057
3058                         break;
3059                 case 0x02:
3060
3061                         become_root();
3062
3063                         /* AS ROOT !!! */
3064
3065                         dom_info->general.num_users     = count_sam_users(
3066                                 dinfo->disp_info, ACB_NORMAL);
3067                         dom_info->general.num_groups    = count_sam_groups(
3068                                 dinfo->disp_info);
3069                         dom_info->general.num_aliases   = count_sam_aliases(
3070                                 dinfo->disp_info);
3071
3072                         pdb_get_account_policy(AP_TIME_TO_LOGOUT, &u_logout);
3073
3074                         unix_to_nt_time_abs(&dom_info->general.force_logoff_time, u_logout);
3075
3076                         if (!pdb_get_seq_num(&seq_num))
3077                                 seq_num = time(NULL);
3078
3079                         /* !AS ROOT */
3080
3081                         unbecome_root();
3082
3083                         server_role = ROLE_DOMAIN_PDC;
3084                         if (lp_server_role() == ROLE_DOMAIN_BDC)
3085                                 server_role = ROLE_DOMAIN_BDC;
3086
3087                         dom_info->general.oem_information.string        = lp_serverstring();
3088                         dom_info->general.domain_name.string            = lp_workgroup();
3089                         dom_info->general.primary.string                = global_myname();
3090                         dom_info->general.sequence_num                  = seq_num;
3091                         dom_info->general.domain_server_state           = DOMAIN_SERVER_ENABLED;
3092                         dom_info->general.role                          = server_role;
3093                         dom_info->general.unknown3                      = 1;
3094
3095                         break;
3096                 case 0x03:
3097
3098                         become_root();
3099
3100                         /* AS ROOT !!! */
3101
3102                         {
3103                                 uint32 ul;
3104                                 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &ul);
3105                                 u_logout = (time_t)ul;
3106                         }
3107
3108                         /* !AS ROOT */
3109
3110                         unbecome_root();
3111
3112                         unix_to_nt_time_abs(&dom_info->info3.force_logoff_time, u_logout);
3113
3114                         break;
3115                 case 0x04:
3116                         dom_info->oem.oem_information.string = lp_serverstring();
3117                         break;
3118                 case 0x05:
3119                         dom_info->info5.domain_name.string = get_global_sam_name();
3120                         break;
3121                 case 0x06:
3122                         /* NT returns its own name when a PDC. win2k and later
3123                          * only the name of the PDC if itself is a BDC (samba4
3124                          * idl) */
3125                         dom_info->info6.primary.string = global_myname();
3126                         break;
3127                 case 0x07:
3128                         server_role = ROLE_DOMAIN_PDC;
3129                         if (lp_server_role() == ROLE_DOMAIN_BDC)
3130                                 server_role = ROLE_DOMAIN_BDC;
3131
3132                         dom_info->info7.role = server_role;
3133                         break;
3134                 case 0x08:
3135
3136                         become_root();
3137
3138                         /* AS ROOT !!! */
3139
3140                         if (!pdb_get_seq_num(&seq_num)) {
3141                                 seq_num = time(NULL);
3142                         }
3143
3144                         /* !AS ROOT */
3145
3146                         unbecome_root();
3147
3148                         dom_info->info8.sequence_num = seq_num;
3149                         dom_info->info8.domain_create_time = 0;
3150
3151                         break;
3152                 case 0x0c:
3153
3154                         become_root();
3155
3156                         /* AS ROOT !!! */
3157
3158                         pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
3159                         u_lock_duration = account_policy_temp;
3160                         if (u_lock_duration != -1) {
3161                                 u_lock_duration *= 60;
3162                         }
3163
3164                         pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
3165                         u_reset_time = account_policy_temp * 60;
3166
3167                         pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT,
3168                                                &account_policy_temp);
3169                         dom_info->info12.lockout_threshold = account_policy_temp;
3170
3171                         /* !AS ROOT */
3172
3173                         unbecome_root();
3174
3175                         unix_to_nt_time_abs(&dom_info->info12.lockout_duration,
3176                                             u_lock_duration);
3177                         unix_to_nt_time_abs(&dom_info->info12.lockout_window,
3178                                             u_reset_time);
3179
3180                         break;
3181                 default:
3182                         return NT_STATUS_INVALID_INFO_CLASS;
3183         }
3184
3185         *r->out.info = dom_info;
3186
3187         DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
3188
3189         return status;
3190 }
3191
3192 /* W2k3 seems to use the same check for all 3 objects that can be created via
3193  * SAMR, if you try to create for example "Dialup" as an alias it says
3194  * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
3195  * database. */
3196
3197 static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name)
3198 {
3199         enum lsa_SidType type;
3200         bool result;
3201
3202         DEBUG(10, ("Checking whether [%s] can be created\n", new_name));
3203
3204         become_root();
3205         /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
3206          * whether the name already exists */
3207         result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_LOCAL,
3208                              NULL, NULL, NULL, &type);
3209         unbecome_root();
3210
3211         if (!result) {
3212                 DEBUG(10, ("%s does not exist, can create it\n", new_name));
3213                 return NT_STATUS_OK;
3214         }
3215
3216         DEBUG(5, ("trying to create %s, exists as %s\n",
3217                   new_name, sid_type_lookup(type)));
3218
3219         if (type == SID_NAME_DOM_GRP) {
3220                 return NT_STATUS_GROUP_EXISTS;
3221         }
3222         if (type == SID_NAME_ALIAS) {
3223                 return NT_STATUS_ALIAS_EXISTS;
3224         }
3225
3226         /* Yes, the default is NT_STATUS_USER_EXISTS */
3227         return NT_STATUS_USER_EXISTS;
3228 }
3229
3230 /*******************************************************************
3231  _samr_CreateUser2
3232  ********************************************************************/
3233
3234 NTSTATUS _samr_CreateUser2(pipes_struct *p,
3235                            struct samr_CreateUser2 *r)
3236 {
3237         const char *account = NULL;
3238         DOM_SID sid;
3239         uint32_t acb_info = r->in.acct_flags;
3240         struct samr_domain_info *dinfo;
3241         struct samr_user_info *uinfo;
3242         NTSTATUS nt_status;
3243         uint32 acc_granted;
3244         SEC_DESC *psd;
3245         size_t    sd_size;
3246         /* check this, when giving away 'add computer to domain' privs */
3247         uint32    des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
3248         bool can_add_account = False;
3249         SE_PRIV se_rights;
3250
3251         dinfo = policy_handle_find(p, r->in.domain_handle,
3252                                    SAMR_DOMAIN_ACCESS_CREATE_USER, NULL,
3253                                    struct samr_domain_info, &nt_status);
3254         if (!NT_STATUS_IS_OK(nt_status)) {
3255                 return nt_status;
3256         }
3257
3258         if (sid_check_is_builtin(&dinfo->sid)) {
3259                 DEBUG(5,("_samr_CreateUser2: Refusing user create in BUILTIN\n"));
3260                 return NT_STATUS_ACCESS_DENIED;
3261         }
3262
3263         if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST ||
3264               acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
3265                 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3266                    this parameter is not an account type */
3267                 return NT_STATUS_INVALID_PARAMETER;
3268         }
3269
3270         account = r->in.account_name->string;
3271         if (account == NULL) {
3272                 return NT_STATUS_NO_MEMORY;
3273         }
3274
3275         nt_status = can_create(p->mem_ctx, account);
3276         if (!NT_STATUS_IS_OK(nt_status)) {
3277                 return nt_status;
3278         }
3279
3280         /* determine which user right we need to check based on the acb_info */
3281
3282         if ( acb_info & ACB_WSTRUST )
3283         {
3284                 se_priv_copy( &se_rights, &se_machine_account );
3285                 can_add_account = user_has_privileges(
3286                         p->server_info->ptok, &se_rights );
3287         }
3288         /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
3289            account for domain trusts and changes the ACB flags later */
3290         else if ( acb_info & ACB_NORMAL &&
3291                   (account[strlen(account)-1] != '$') )
3292         {
3293                 se_priv_copy( &se_rights, &se_add_users );
3294                 can_add_account = user_has_privileges(
3295                         p->server_info->ptok, &se_rights );
3296         }
3297         else    /* implicit assumption of a BDC or domain trust account here
3298                  * (we already check the flags earlier) */
3299         {
3300                 if ( lp_enable_privileges() ) {
3301                         /* only Domain Admins can add a BDC or domain trust */
3302                         se_priv_copy( &se_rights, &se_priv_none );
3303                         can_add_account = nt_token_check_domain_rid(
3304                                 p->server_info->ptok,
3305                                 DOMAIN_GROUP_RID_ADMINS );
3306                 }
3307         }
3308
3309         DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
3310                   uidtoname(p->server_info->utok.uid),
3311                   can_add_account ? "True":"False" ));
3312
3313         /********** BEGIN Admin BLOCK **********/
3314
3315         if ( can_add_account )
3316                 become_root();
3317
3318         nt_status = pdb_create_user(p->mem_ctx, account, acb_info,
3319                                     r->out.rid);
3320
3321         if ( can_add_account )
3322                 unbecome_root();
3323
3324         /********** END Admin BLOCK **********/
3325
3326         /* now check for failure */
3327
3328         if ( !NT_STATUS_IS_OK(nt_status) )
3329                 return nt_status;
3330
3331         /* Get the user's SID */
3332
3333         sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
3334
3335         map_max_allowed_access(p->server_info->ptok, &des_access);
3336
3337         make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
3338                             &sid, SAMR_USR_RIGHTS_WRITE_PW);
3339         se_map_generic(&des_access, &usr_generic_mapping);
3340
3341         nt_status = access_check_samr_object(psd, p->server_info->ptok,
3342                 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
3343                 &acc_granted, "_samr_CreateUser2");
3344
3345         if ( !NT_STATUS_IS_OK(nt_status) ) {
3346                 return nt_status;
3347         }
3348
3349         uinfo = policy_handle_create(p, r->out.user_handle, acc_granted,
3350                                      struct samr_user_info, &nt_status);
3351         if (!NT_STATUS_IS_OK(nt_status)) {
3352                 return nt_status;
3353         }
3354         uinfo->sid = sid;
3355
3356         /* After a "set" ensure we have no cached display info. */
3357         force_flush_samr_cache(&sid);
3358
3359         *r->out.access_granted = acc_granted;
3360
3361         return NT_STATUS_OK;
3362 }
3363
3364 /****************************************************************
3365 ****************************************************************/
3366
3367 NTSTATUS _samr_CreateUser(pipes_struct *p,
3368                           struct samr_CreateUser *r)
3369 {
3370         struct samr_CreateUser2 c;
3371         uint32_t access_granted;
3372
3373         c.in.domain_handle      = r->in.domain_handle;
3374         c.in.account_name       = r->in.account_name;
3375         c.in.acct_flags         = ACB_NORMAL;
3376         c.in.access_mask        = r->in.access_mask;
3377         c.out.user_handle       = r->out.user_handle;
3378         c.out.access_granted    = &access_granted;
3379         c.out.rid               = r->out.rid;
3380
3381         return _samr_CreateUser2(p, &c);
3382 }
3383
3384 /*******************************************************************
3385  _samr_Connect
3386  ********************************************************************/
3387
3388 NTSTATUS _samr_Connect(pipes_struct *p,
3389                        struct samr_Connect *r)
3390 {
3391         struct samr_connect_info *info;
3392         uint32_t acc_granted;
3393         struct policy_handle hnd;
3394         uint32    des_access = r->in.access_mask;
3395         NTSTATUS status;
3396
3397         /* Access check */
3398
3399         if (!pipe_access_check(p)) {
3400                 DEBUG(3, ("access denied to _samr_Connect\n"));
3401                 return NT_STATUS_ACCESS_DENIED;
3402         }
3403
3404         /* don't give away the farm but this is probably ok.  The SAMR_ACCESS_ENUM_DOMAINS
3405            was observed from a win98 client trying to enumerate users (when configured
3406            user level access control on shares)   --jerry */
3407
3408         map_max_allowed_access(p->server_info->ptok, &des_access);
3409
3410         se_map_generic( &des_access, &sam_generic_mapping );
3411
3412         acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS
3413                                     |SAMR_ACCESS_LOOKUP_DOMAIN);
3414
3415         /* set up the SAMR connect_anon response */
3416
3417         info = policy_handle_create(p, &hnd, acc_granted,
3418                                     struct samr_connect_info,
3419                                     &status);
3420         if (!NT_STATUS_IS_OK(status)) {
3421                 return status;
3422         }
3423
3424         *r->out.connect_handle = hnd;
3425         return NT_STATUS_OK;
3426 }
3427
3428 /*******************************************************************
3429  _samr_Connect2
3430  ********************************************************************/
3431
3432 NTSTATUS _samr_Connect2(pipes_struct *p,
3433                         struct samr_Connect2 *r)
3434 {
3435         struct samr_connect_info *info = NULL;
3436         struct policy_handle hnd;
3437         SEC_DESC *psd = NULL;
3438         uint32    acc_granted;
3439         uint32    des_access = r->in.access_mask;
3440         NTSTATUS  nt_status;
3441         size_t    sd_size;
3442         const char *fn = "_samr_Connect2";
3443
3444         switch (p->hdr_req.opnum) {
3445         case NDR_SAMR_CONNECT2:
3446                 fn = "_samr_Connect2";
3447                 break;
3448         case NDR_SAMR_CONNECT3:
3449                 fn = "_samr_Connect3";
3450                 break;
3451         case NDR_SAMR_CONNECT4:
3452                 fn = "_samr_Connect4";
3453                 break;
3454         case NDR_SAMR_CONNECT5:
3455                 fn = "_samr_Connect5";
3456                 break;
3457         }
3458
3459         DEBUG(5,("%s: %d\n", fn, __LINE__));
3460
3461         /* Access check */
3462
3463         if (!pipe_access_check(p)) {
3464                 DEBUG(3, ("access denied to %s\n", fn));
3465                 return NT_STATUS_ACCESS_DENIED;
3466         }
3467
3468         map_max_allowed_access(p->server_info->ptok, &des_access);
3469
3470         make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3471         se_map_generic(&des_access, &sam_generic_mapping);
3472
3473         nt_status = access_check_samr_object(psd, p->server_info->ptok,
3474                 NULL, 0, des_access, &acc_granted, fn);
3475
3476         if ( !NT_STATUS_IS_OK(nt_status) )
3477                 return nt_status;
3478
3479         info = policy_handle_create(p, &hnd, acc_granted,
3480                                     struct samr_connect_info, &nt_status);
3481         if (!NT_STATUS_IS_OK(nt_status)) {
3482                 return nt_status;
3483         }
3484
3485         DEBUG(5,("%s: %d\n", fn, __LINE__));
3486
3487         *r->out.connect_handle = hnd;
3488         return NT_STATUS_OK;
3489 }
3490
3491 /****************************************************************
3492  _samr_Connect3
3493 ****************************************************************/
3494
3495 NTSTATUS _samr_Connect3(pipes_struct *p,
3496                         struct samr_Connect3 *r)
3497 {
3498         struct samr_Connect2 c;
3499
3500         c.in.system_name        = r->in.system_name;
3501         c.in.access_mask        = r->in.access_mask;
3502         c.out.connect_handle    = r->out.connect_handle;
3503
3504         return _samr_Connect2(p, &c);
3505 }
3506
3507 /*******************************************************************
3508  _samr_Connect4
3509  ********************************************************************/
3510
3511 NTSTATUS _samr_Connect4(pipes_struct *p,
3512                         struct samr_Connect4 *r)
3513 {
3514         struct samr_Connect2 c;
3515
3516         c.in.system_name        = r->in.system_name;
3517         c.in.access_mask        = r->in.access_mask;
3518         c.out.connect_handle    = r->out.connect_handle;
3519
3520         return _samr_Connect2(p, &c);
3521 }
3522
3523 /*******************************************************************
3524  _samr_Connect5
3525  ********************************************************************/
3526
3527 NTSTATUS _samr_Connect5(pipes_struct *p,
3528                         struct samr_Connect5 *r)
3529 {
3530         NTSTATUS status;
3531         struct samr_Connect2 c;
3532         struct samr_ConnectInfo1 info1;
3533
3534         info1.client_version = SAMR_CONNECT_AFTER_W2K;
3535         info1.unknown2 = 0;
3536
3537         c.in.system_name        = r->in.system_name;
3538         c.in.access_mask        = r->in.access_mask;
3539         c.out.connect_handle    = r->out.connect_handle;
3540
3541         *r->out.level_out = 1;
3542
3543         status = _samr_Connect2(p, &c);
3544         if (!NT_STATUS_IS_OK(status)) {
3545                 return status;
3546         }
3547
3548         r->out.info_out->info1 = info1;
3549
3550         return NT_STATUS_OK;
3551 }
3552
3553 /**********************************************************************
3554  _samr_LookupDomain
3555  **********************************************************************/
3556
3557 NTSTATUS _samr_LookupDomain(pipes_struct *p,
3558                             struct samr_LookupDomain *r)
3559 {
3560         NTSTATUS status;
3561         struct samr_connect_info *info;
3562         const char *domain_name;
3563         DOM_SID *sid = NULL;
3564
3565         /* win9x user manager likes to use SAMR_ACCESS_ENUM_DOMAINS here.
3566            Reverted that change so we will work with RAS servers again */
3567
3568         info = policy_handle_find(p, r->in.connect_handle,
3569                                   SAMR_ACCESS_LOOKUP_DOMAIN, NULL,
3570                                   struct samr_connect_info,
3571                                   &status);
3572         if (!NT_STATUS_IS_OK(status)) {
3573                 return status;
3574         }
3575
3576         domain_name = r->in.domain_name->string;
3577         if (!domain_name) {
3578                 return NT_STATUS_INVALID_PARAMETER;
3579         }
3580
3581         sid = TALLOC_ZERO_P(p->mem_ctx, struct dom_sid2);
3582         if (!sid) {
3583                 return NT_STATUS_NO_MEMORY;
3584         }
3585
3586         if (strequal(domain_name, builtin_domain_name())) {
3587                 sid_copy(sid, &global_sid_Builtin);
3588         } else {
3589                 if (!secrets_fetch_domain_sid(domain_name, sid)) {
3590                         status = NT_STATUS_NO_SUCH_DOMAIN;
3591                 }
3592         }
3593
3594         DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name,
3595                  sid_string_dbg(sid)));
3596
3597         *r->out.sid = sid;
3598
3599         return status;
3600 }
3601
3602 /**********************************************************************
3603  _samr_EnumDomains
3604  **********************************************************************/
3605
3606 NTSTATUS _samr_EnumDomains(pipes_struct *p,
3607                            struct samr_EnumDomains *r)
3608 {
3609         NTSTATUS status;
3610         struct samr_connect_info *info;
3611         uint32_t num_entries = 2;
3612         struct samr_SamEntry *entry_array = NULL;
3613         struct samr_SamArray *sam;
3614
3615         info = policy_handle_find(p, r->in.connect_handle,
3616                                   SAMR_ACCESS_ENUM_DOMAINS, NULL,
3617                                   struct samr_connect_info, &status);
3618         if (!NT_STATUS_IS_OK(status)) {
3619                 return status;
3620         }
3621
3622         sam = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
3623         if (!sam) {
3624                 return NT_STATUS_NO_MEMORY;
3625         }
3626
3627         entry_array = TALLOC_ZERO_ARRAY(p->mem_ctx,
3628                                         struct samr_SamEntry,
3629                                         num_entries);
3630         if (!entry_array) {
3631                 return NT_STATUS_NO_MEMORY;
3632         }
3633
3634         entry_array[0].idx = 0;
3635         init_lsa_String(&entry_array[0].name, get_global_sam_name());
3636
3637         entry_array[1].idx = 1;
3638         init_lsa_String(&entry_array[1].name, "Builtin");
3639
3640         sam->count = num_entries;
3641         sam->entries = entry_array;
3642
3643         *r->out.sam = sam;
3644         *r->out.num_entries = num_entries;
3645
3646         return status;
3647 }
3648
3649 /*******************************************************************
3650  _samr_OpenAlias
3651  ********************************************************************/
3652
3653 NTSTATUS _samr_OpenAlias(pipes_struct *p,
3654                          struct samr_OpenAlias *r)
3655 {
3656         DOM_SID sid;
3657         uint32 alias_rid = r->in.rid;
3658         struct samr_alias_info *ainfo;
3659         struct samr_domain_info *dinfo;
3660         SEC_DESC *psd = NULL;
3661         uint32    acc_granted;
3662         uint32    des_access = r->in.access_mask;
3663         size_t    sd_size;
3664         NTSTATUS  status;
3665         SE_PRIV se_rights;
3666
3667         dinfo = policy_handle_find(p, r->in.domain_handle,
3668                                    SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, NULL,
3669                                    struct samr_domain_info, &status);
3670         if (!NT_STATUS_IS_OK(status)) {
3671                 return status;
3672         }
3673
3674         /* append the alias' RID to it */
3675
3676         if (!sid_compose(&sid, &dinfo->sid, alias_rid))
3677                 return NT_STATUS_NO_SUCH_ALIAS;
3678
3679         /*check if access can be granted as requested by client. */
3680
3681         map_max_allowed_access(p->server_info->ptok, &des_access);
3682
3683         make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
3684         se_map_generic(&des_access,&ali_generic_mapping);
3685
3686         se_priv_copy( &se_rights, &se_add_users );
3687
3688
3689         status = access_check_samr_object(psd, p->server_info->ptok,
3690                 &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access,
3691                 &acc_granted, "_samr_OpenAlias");
3692
3693         if ( !NT_STATUS_IS_OK(status) )
3694                 return status;
3695
3696         {
3697                 /* Check we actually have the requested alias */
3698                 enum lsa_SidType type;
3699                 bool result;
3700                 gid_t gid;
3701
3702                 become_root();
3703                 result = lookup_sid(NULL, &sid, NULL, NULL, &type);
3704                 unbecome_root();
3705
3706                 if (!result || (type != SID_NAME_ALIAS)) {
3707                         return NT_STATUS_NO_SUCH_ALIAS;
3708                 }
3709
3710                 /* make sure there is a mapping */
3711
3712                 if ( !sid_to_gid( &sid, &gid ) ) {
3713                         return NT_STATUS_NO_SUCH_ALIAS;
3714                 }
3715
3716         }
3717
3718         ainfo = policy_handle_create(p, r->out.alias_handle, acc_granted,
3719                                      struct samr_alias_info, &status);
3720         if (!NT_STATUS_IS_OK(status)) {
3721                 return status;
3722         }
3723         ainfo->sid = sid;
3724
3725         return NT_STATUS_OK;
3726 }
3727
3728 /*******************************************************************
3729  set_user_info_2
3730  ********************************************************************/
3731
3732 static NTSTATUS set_user_info_2(TALLOC_CTX *mem_ctx,
3733                                 struct samr_UserInfo2 *id2,
3734                                 struct samu *pwd)
3735 {
3736         if (id2 == NULL) {
3737                 DEBUG(5,("set_user_info_2: NULL id2\n"));
3738                 return NT_STATUS_ACCESS_DENIED;
3739         }
3740
3741         copy_id2_to_sam_passwd(pwd, id2);
3742
3743         return pdb_update_sam_account(pwd);
3744 }
3745
3746 /*******************************************************************
3747  set_user_info_4
3748  ********************************************************************/
3749
3750 static NTSTATUS set_user_info_4(TALLOC_CTX *mem_ctx,
3751                                 struct samr_UserInfo4 *id4,
3752                                 struct samu *pwd)