2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2008,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 * Copyright (C) Simo Sorce 2003.
13 * Copyright (C) Volker Lendecke 2005.
14 * Copyright (C) Guenther Deschner 2008.
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
31 * This is the implementation of the SAMR code.
37 #define DBGC_CLASS DBGC_RPC_SRV
39 #define SAMR_USR_RIGHTS_WRITE_PW \
40 ( READ_CONTROL_ACCESS | \
41 SA_RIGHT_USER_CHANGE_PASSWORD | \
42 SA_RIGHT_USER_SET_LOC_COM )
43 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
44 ( READ_CONTROL_ACCESS | SA_RIGHT_USER_SET_LOC_COM )
46 #define DISP_INFO_CACHE_TIMEOUT 10
48 typedef struct disp_info {
49 DOM_SID sid; /* identify which domain this is. */
50 bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
51 struct pdb_search *users; /* querydispinfo 1 and 4 */
52 struct pdb_search *machines; /* querydispinfo 2 */
53 struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
54 struct pdb_search *aliases; /* enumaliases */
57 struct pdb_search *enum_users; /* enumusers with a mask */
59 struct timed_event *cache_timeout_event; /* cache idle timeout
63 /* We keep a static list of these by SID as modern clients close down
64 all resources between each request in a complete enumeration. */
67 /* for use by the \PIPE\samr policy */
69 bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
70 uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */
76 static const struct generic_mapping sam_generic_mapping = {
77 GENERIC_RIGHTS_SAM_READ,
78 GENERIC_RIGHTS_SAM_WRITE,
79 GENERIC_RIGHTS_SAM_EXECUTE,
80 GENERIC_RIGHTS_SAM_ALL_ACCESS};
81 static const struct generic_mapping dom_generic_mapping = {
82 GENERIC_RIGHTS_DOMAIN_READ,
83 GENERIC_RIGHTS_DOMAIN_WRITE,
84 GENERIC_RIGHTS_DOMAIN_EXECUTE,
85 GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
86 static const struct generic_mapping usr_generic_mapping = {
87 GENERIC_RIGHTS_USER_READ,
88 GENERIC_RIGHTS_USER_WRITE,
89 GENERIC_RIGHTS_USER_EXECUTE,
90 GENERIC_RIGHTS_USER_ALL_ACCESS};
91 static const struct generic_mapping usr_nopwchange_generic_mapping = {
92 GENERIC_RIGHTS_USER_READ,
93 GENERIC_RIGHTS_USER_WRITE,
94 GENERIC_RIGHTS_USER_EXECUTE & ~SA_RIGHT_USER_CHANGE_PASSWORD,
95 GENERIC_RIGHTS_USER_ALL_ACCESS};
96 static const struct generic_mapping grp_generic_mapping = {
97 GENERIC_RIGHTS_GROUP_READ,
98 GENERIC_RIGHTS_GROUP_WRITE,
99 GENERIC_RIGHTS_GROUP_EXECUTE,
100 GENERIC_RIGHTS_GROUP_ALL_ACCESS};
101 static const struct generic_mapping ali_generic_mapping = {
102 GENERIC_RIGHTS_ALIAS_READ,
103 GENERIC_RIGHTS_ALIAS_WRITE,
104 GENERIC_RIGHTS_ALIAS_EXECUTE,
105 GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
107 /*******************************************************************
108 *******************************************************************/
110 static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size,
111 const struct generic_mapping *map,
112 DOM_SID *sid, uint32 sid_access )
114 DOM_SID domadmin_sid;
115 SEC_ACE ace[5]; /* at most 5 entries */
120 /* basic access for Everyone */
122 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
123 map->generic_execute | map->generic_read, 0);
125 /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
127 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
128 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
129 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
130 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
132 /* Add Full Access for Domain Admins if we are a DC */
135 sid_copy( &domadmin_sid, get_global_sam_sid() );
136 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
137 init_sec_ace(&ace[i++], &domadmin_sid,
138 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
141 /* if we have a sid, give it some special access */
144 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sid_access, 0);
147 /* create the security descriptor */
149 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
150 return NT_STATUS_NO_MEMORY;
152 if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
153 SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
154 psa, sd_size)) == NULL)
155 return NT_STATUS_NO_MEMORY;
160 /*******************************************************************
161 Checks if access to an object should be granted, and returns that
162 level of access for further checks.
163 ********************************************************************/
165 static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
166 SE_PRIV *rights, uint32 rights_mask,
167 uint32 des_access, uint32 *acc_granted,
170 NTSTATUS status = NT_STATUS_ACCESS_DENIED;
171 uint32 saved_mask = 0;
173 /* check privileges; certain SAM access bits should be overridden
174 by privileges (mostly having to do with creating/modifying/deleting
177 if ( rights && user_has_any_privilege( token, rights ) ) {
179 saved_mask = (des_access & rights_mask);
180 des_access &= ~saved_mask;
182 DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
187 /* check the security descriptor first */
189 if ( se_access_check(psd, token, des_access, acc_granted, &status) )
192 /* give root a free pass */
194 if ( geteuid() == sec_initial_uid() ) {
196 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
197 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
199 *acc_granted = des_access;
201 status = NT_STATUS_OK;
207 /* add in any bits saved during the privilege check (only
208 matters is status is ok) */
210 *acc_granted |= rights_mask;
212 DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
213 debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
214 des_access, *acc_granted));
219 /*******************************************************************
220 Checks if access to a function can be granted
221 ********************************************************************/
223 static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
225 DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
226 debug, acc_granted, acc_required));
228 /* check the security descriptor first */
230 if ( (acc_granted&acc_required) == acc_required )
233 /* give root a free pass */
235 if (geteuid() == sec_initial_uid()) {
237 DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
238 debug, acc_granted, acc_required));
239 DEBUGADD(4,("but overwritten by euid == 0\n"));
244 DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n",
245 debug, acc_granted, acc_required));
247 return NT_STATUS_ACCESS_DENIED;
250 /*******************************************************************
251 Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
252 ********************************************************************/
254 static void map_max_allowed_access(const NT_USER_TOKEN *token,
255 uint32_t *pacc_requested)
257 if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
260 *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
262 /* At least try for generic read. */
263 *pacc_requested = GENERIC_READ_ACCESS;
265 /* root gets anything. */
266 if (geteuid() == sec_initial_uid()) {
267 *pacc_requested |= GENERIC_ALL_ACCESS;
271 /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
273 if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
274 is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
275 *pacc_requested |= GENERIC_ALL_ACCESS;
279 /* Full access for DOMAIN\Domain Admins. */
281 DOM_SID domadmin_sid;
282 sid_copy( &domadmin_sid, get_global_sam_sid() );
283 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
284 if (is_sid_in_token(token, &domadmin_sid)) {
285 *pacc_requested |= GENERIC_ALL_ACCESS;
289 /* TODO ! Check privileges. */
292 /*******************************************************************
293 Fetch or create a dispinfo struct.
294 ********************************************************************/
296 static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid)
299 * We do a static cache for DISP_INFO's here. Explanation can be found
300 * in Jeremy's checkin message to r11793:
302 * Fix the SAMR cache so it works across completely insane
303 * client behaviour (ie.:
304 * open pipe/open SAMR handle/enumerate 0 - 1024
305 * close SAMR handle, close pipe.
306 * open pipe/open SAMR handle/enumerate 1024 - 2048...
307 * close SAMR handle, close pipe.
308 * And on ad-nausium. Amazing.... probably object-oriented
309 * client side programming in action yet again.
310 * This change should *massively* improve performance when
311 * enumerating users from an LDAP database.
314 * "Our" and the builtin domain are the only ones where we ever
315 * enumerate stuff, so just cache 2 entries.
318 static struct disp_info builtin_dispinfo;
319 static struct disp_info domain_dispinfo;
321 /* There are two cases to consider here:
322 1) The SID is a domain SID and we look for an equality match, or
323 2) This is an account SID and so we return the DISP_INFO* for our
330 if (sid_check_is_builtin(psid) || sid_check_is_in_builtin(psid)) {
332 * Necessary only once, but it does not really hurt.
334 sid_copy(&builtin_dispinfo.sid, &global_sid_Builtin);
336 return &builtin_dispinfo;
339 if (sid_check_is_domain(psid) || sid_check_is_in_our_domain(psid)) {
341 * Necessary only once, but it does not really hurt.
343 sid_copy(&domain_dispinfo.sid, get_global_sam_sid());
345 return &domain_dispinfo;
351 /*******************************************************************
352 Create a samr_info struct.
353 ********************************************************************/
355 static struct samr_info *get_samr_info_by_sid(DOM_SID *psid)
357 struct samr_info *info;
362 sid_to_fstring(sid_str, psid);
364 fstrcpy(sid_str,"(NULL)");
367 mem_ctx = talloc_init("samr_info for domain sid %s", sid_str);
369 if ((info = TALLOC_ZERO_P(mem_ctx, struct samr_info)) == NULL)
372 DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str));
374 sid_copy( &info->sid, psid);
375 info->builtin_domain = sid_check_is_builtin(psid);
377 DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n"));
378 info->builtin_domain = False;
380 info->mem_ctx = mem_ctx;
382 info->disp_info = get_samr_dispinfo_by_sid(psid);
387 /*******************************************************************
388 Function to free the per SID data.
389 ********************************************************************/
391 static void free_samr_cache(DISP_INFO *disp_info)
393 DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
394 sid_string_dbg(&disp_info->sid)));
396 /* We need to become root here because the paged search might have to
397 * tell the LDAP server we're not interested in the rest anymore. */
401 if (disp_info->users) {
402 DEBUG(10,("free_samr_cache: deleting users cache\n"));
403 pdb_search_destroy(disp_info->users);
404 disp_info->users = NULL;
406 if (disp_info->machines) {
407 DEBUG(10,("free_samr_cache: deleting machines cache\n"));
408 pdb_search_destroy(disp_info->machines);
409 disp_info->machines = NULL;
411 if (disp_info->groups) {
412 DEBUG(10,("free_samr_cache: deleting groups cache\n"));
413 pdb_search_destroy(disp_info->groups);
414 disp_info->groups = NULL;
416 if (disp_info->aliases) {
417 DEBUG(10,("free_samr_cache: deleting aliases cache\n"));
418 pdb_search_destroy(disp_info->aliases);
419 disp_info->aliases = NULL;
421 if (disp_info->enum_users) {
422 DEBUG(10,("free_samr_cache: deleting enum_users cache\n"));
423 pdb_search_destroy(disp_info->enum_users);
424 disp_info->enum_users = NULL;
426 disp_info->enum_acb_mask = 0;
431 /*******************************************************************
432 Function to free the per handle data.
433 ********************************************************************/
435 static void free_samr_info(void *ptr)
437 struct samr_info *info=(struct samr_info *) ptr;
439 /* Only free the dispinfo cache if no one bothered to set up
442 if (info->disp_info && info->disp_info->cache_timeout_event == NULL) {
443 free_samr_cache(info->disp_info);
446 talloc_destroy(info->mem_ctx);
449 /*******************************************************************
450 Idle event handler. Throw away the disp info cache.
451 ********************************************************************/
453 static void disp_info_cache_idle_timeout_handler(struct event_context *ev_ctx,
454 struct timed_event *te,
455 const struct timeval *now,
458 DISP_INFO *disp_info = (DISP_INFO *)private_data;
460 TALLOC_FREE(disp_info->cache_timeout_event);
462 DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
464 free_samr_cache(disp_info);
467 /*******************************************************************
468 Setup cache removal idle event handler.
469 ********************************************************************/
471 static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow)
473 /* Remove any pending timeout and update. */
475 TALLOC_FREE(disp_info->cache_timeout_event);
477 DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
478 "SID %s for %u seconds\n", sid_string_dbg(&disp_info->sid),
479 (unsigned int)secs_fromnow ));
481 disp_info->cache_timeout_event = event_add_timed(
482 smbd_event_context(), NULL,
483 timeval_current_ofs(secs_fromnow, 0),
484 "disp_info_cache_idle_timeout_handler",
485 disp_info_cache_idle_timeout_handler, (void *)disp_info);
488 /*******************************************************************
489 Force flush any cache. We do this on any samr_set_xxx call.
490 We must also remove the timeout handler.
491 ********************************************************************/
493 static void force_flush_samr_cache(DISP_INFO *disp_info)
495 if ((disp_info == NULL) || (disp_info->cache_timeout_event == NULL)) {
499 DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
500 TALLOC_FREE(disp_info->cache_timeout_event);
501 free_samr_cache(disp_info);
504 /*******************************************************************
505 Ensure password info is never given out. Paranioa... JRA.
506 ********************************************************************/
508 static void samr_clear_sam_passwd(struct samu *sam_pass)
514 /* These now zero out the old password */
516 pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
517 pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
520 static uint32 count_sam_users(struct disp_info *info, uint32 acct_flags)
522 struct samr_displayentry *entry;
524 if (info->builtin_domain) {
525 /* No users in builtin. */
529 if (info->users == NULL) {
530 info->users = pdb_search_users(acct_flags);
531 if (info->users == NULL) {
535 /* Fetch the last possible entry, thus trigger an enumeration */
536 pdb_search_entries(info->users, 0xffffffff, 1, &entry);
538 /* Ensure we cache this enumeration. */
539 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
541 return info->users->num_entries;
544 static uint32 count_sam_groups(struct disp_info *info)
546 struct samr_displayentry *entry;
548 if (info->builtin_domain) {
549 /* No groups in builtin. */
553 if (info->groups == NULL) {
554 info->groups = pdb_search_groups();
555 if (info->groups == NULL) {
559 /* Fetch the last possible entry, thus trigger an enumeration */
560 pdb_search_entries(info->groups, 0xffffffff, 1, &entry);
562 /* Ensure we cache this enumeration. */
563 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
565 return info->groups->num_entries;
568 static uint32 count_sam_aliases(struct disp_info *info)
570 struct samr_displayentry *entry;
572 if (info->aliases == NULL) {
573 info->aliases = pdb_search_aliases(&info->sid);
574 if (info->aliases == NULL) {
578 /* Fetch the last possible entry, thus trigger an enumeration */
579 pdb_search_entries(info->aliases, 0xffffffff, 1, &entry);
581 /* Ensure we cache this enumeration. */
582 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
584 return info->aliases->num_entries;
587 /*******************************************************************
589 ********************************************************************/
591 NTSTATUS _samr_Close(pipes_struct *p, struct samr_Close *r)
593 if (!close_policy_hnd(p, r->in.handle)) {
594 return NT_STATUS_INVALID_HANDLE;
597 ZERO_STRUCTP(r->out.handle);
602 /*******************************************************************
604 ********************************************************************/
606 NTSTATUS _samr_OpenDomain(pipes_struct *p,
607 struct samr_OpenDomain *r)
609 struct samr_info *info;
610 SEC_DESC *psd = NULL;
612 uint32 des_access = r->in.access_mask;
617 /* find the connection policy handle. */
619 if ( !find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info) )
620 return NT_STATUS_INVALID_HANDLE;
622 status = access_check_samr_function(info->acc_granted,
623 SA_RIGHT_SAM_OPEN_DOMAIN,
624 "_samr_OpenDomain" );
626 if ( !NT_STATUS_IS_OK(status) )
629 /*check if access can be granted as requested by client. */
630 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
632 make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
633 se_map_generic( &des_access, &dom_generic_mapping );
635 se_priv_copy( &se_rights, &se_machine_account );
636 se_priv_add( &se_rights, &se_add_users );
638 status = access_check_samr_object( psd, p->pipe_user.nt_user_token,
639 &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access,
640 &acc_granted, "_samr_OpenDomain" );
642 if ( !NT_STATUS_IS_OK(status) )
645 if (!sid_check_is_domain(r->in.sid) &&
646 !sid_check_is_builtin(r->in.sid)) {
647 return NT_STATUS_NO_SUCH_DOMAIN;
650 /* associate the domain SID with the (unique) handle. */
651 if ((info = get_samr_info_by_sid(r->in.sid))==NULL)
652 return NT_STATUS_NO_MEMORY;
653 info->acc_granted = acc_granted;
655 /* get a (unique) handle. open a policy on it. */
656 if (!create_policy_hnd(p, r->out.domain_handle, free_samr_info, (void *)info))
657 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
659 DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__));
664 /*******************************************************************
666 ********************************************************************/
668 NTSTATUS _samr_GetUserPwInfo(pipes_struct *p,
669 struct samr_GetUserPwInfo *r)
671 struct samr_info *info = NULL;
672 enum lsa_SidType sid_type;
673 uint32_t min_password_length = 0;
674 uint32_t password_properties = 0;
678 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
680 /* find the policy handle. open a policy on it. */
681 if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) {
682 return NT_STATUS_INVALID_HANDLE;
685 status = access_check_samr_function(info->acc_granted,
686 SAMR_USER_ACCESS_GET_ATTRIBUTES,
687 "_samr_GetUserPwInfo" );
688 if (!NT_STATUS_IS_OK(status)) {
692 if (!sid_check_is_in_our_domain(&info->sid)) {
693 return NT_STATUS_OBJECT_TYPE_MISMATCH;
697 ret = lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, &sid_type);
700 return NT_STATUS_NO_SUCH_USER;
706 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
707 &min_password_length);
708 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
709 &password_properties);
712 if (lp_check_password_script() && *lp_check_password_script()) {
713 password_properties |= DOMAIN_PASSWORD_COMPLEX;
721 r->out.info->min_password_length = min_password_length;
722 r->out.info->password_properties = password_properties;
724 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
729 /*******************************************************************
730 ********************************************************************/
732 static bool get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol,
733 DOM_SID *sid, uint32 *acc_granted,
734 DISP_INFO **ppdisp_info)
736 struct samr_info *info = NULL;
738 /* find the policy handle. open a policy on it. */
739 if (!find_policy_by_hnd(p, pol, (void **)(void *)&info))
746 *acc_granted = info->acc_granted;
748 *ppdisp_info = info->disp_info;
754 /*******************************************************************
756 ********************************************************************/
758 NTSTATUS _samr_SetSecurity(pipes_struct *p,
759 struct samr_SetSecurity *r)
762 uint32 acc_granted, i;
765 struct samu *sampass=NULL;
768 if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL))
769 return NT_STATUS_INVALID_HANDLE;
771 if (!(sampass = samu_new( p->mem_ctx))) {
772 DEBUG(0,("No memory!\n"));
773 return NT_STATUS_NO_MEMORY;
776 /* get the user record */
778 ret = pdb_getsampwsid(sampass, &pol_sid);
782 DEBUG(4, ("User %s not found\n", sid_string_dbg(&pol_sid)));
783 TALLOC_FREE(sampass);
784 return NT_STATUS_INVALID_HANDLE;
787 dacl = r->in.sdbuf->sd->dacl;
788 for (i=0; i < dacl->num_aces; i++) {
789 if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) {
790 ret = pdb_set_pass_can_change(sampass,
791 (dacl->aces[i].access_mask &
792 SA_RIGHT_USER_CHANGE_PASSWORD) ?
799 TALLOC_FREE(sampass);
800 return NT_STATUS_ACCESS_DENIED;
803 status = access_check_samr_function(acc_granted,
804 SA_RIGHT_USER_SET_ATTRIBUTES,
805 "_samr_SetSecurity");
806 if (NT_STATUS_IS_OK(status)) {
808 status = pdb_update_sam_account(sampass);
812 TALLOC_FREE(sampass);
817 /*******************************************************************
818 build correct perms based on policies and password times for _samr_query_sec_obj
819 *******************************************************************/
820 static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid)
822 struct samu *sampass=NULL;
825 if ( !(sampass = samu_new( mem_ctx )) ) {
826 DEBUG(0,("No memory!\n"));
831 ret = pdb_getsampwsid(sampass, user_sid);
835 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
836 TALLOC_FREE(sampass);
840 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
842 if (pdb_get_pass_can_change(sampass)) {
843 TALLOC_FREE(sampass);
846 TALLOC_FREE(sampass);
851 /*******************************************************************
853 ********************************************************************/
855 NTSTATUS _samr_QuerySecurity(pipes_struct *p,
856 struct samr_QuerySecurity *r)
860 SEC_DESC * psd = NULL;
865 if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL))
866 return NT_STATUS_INVALID_HANDLE;
868 DEBUG(10,("_samr_QuerySecurity: querying security on SID: %s\n",
869 sid_string_dbg(&pol_sid)));
871 status = access_check_samr_function(acc_granted,
872 STD_RIGHT_READ_CONTROL_ACCESS,
873 "_samr_QuerySecurity");
874 if (!NT_STATUS_IS_OK(status)) {
878 /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
880 /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
881 if (pol_sid.sid_rev_num == 0) {
882 DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
883 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
884 } else if (sid_equal(&pol_sid,get_global_sam_sid())) {
885 /* check if it is our domain SID */
886 DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
887 "with SID: %s\n", sid_string_dbg(&pol_sid)));
888 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
889 } else if (sid_equal(&pol_sid,&global_sid_Builtin)) {
890 /* check if it is the Builtin Domain */
891 /* TODO: Builtin probably needs a different SD with restricted write access*/
892 DEBUG(5,("_samr_QuerySecurity: querying security on Builtin "
893 "Domain with SID: %s\n", sid_string_dbg(&pol_sid)));
894 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
895 } else if (sid_check_is_in_our_domain(&pol_sid) ||
896 sid_check_is_in_builtin(&pol_sid)) {
897 /* TODO: different SDs have to be generated for aliases groups and users.
898 Currently all three get a default user SD */
899 DEBUG(10,("_samr_QuerySecurity: querying security on Object "
900 "with SID: %s\n", sid_string_dbg(&pol_sid)));
901 if (check_change_pw_access(p->mem_ctx, &pol_sid)) {
902 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
903 &pol_sid, SAMR_USR_RIGHTS_WRITE_PW);
905 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_nopwchange_generic_mapping,
906 &pol_sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
909 return NT_STATUS_OBJECT_TYPE_MISMATCH;
912 if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
913 return NT_STATUS_NO_MEMORY;
918 /*******************************************************************
919 makes a SAM_ENTRY / UNISTR2* structure from a user list.
920 ********************************************************************/
922 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx,
923 struct samr_SamEntry **sam_pp,
924 uint32_t num_entries,
926 struct samr_displayentry *entries)
929 struct samr_SamEntry *sam;
933 if (num_entries == 0) {
937 sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_entries);
939 DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
940 return NT_STATUS_NO_MEMORY;
943 for (i = 0; i < num_entries; i++) {
946 * usrmgr expects a non-NULL terminated string with
947 * trust relationships
949 if (entries[i].acct_flags & ACB_DOMTRUST) {
950 init_unistr2(&uni_temp_name, entries[i].account_name,
953 init_unistr2(&uni_temp_name, entries[i].account_name,
957 init_lsa_String(&sam[i].name, entries[i].account_name);
958 sam[i].idx = entries[i].rid;
966 #define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
968 /*******************************************************************
969 _samr_EnumDomainUsers
970 ********************************************************************/
972 NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
973 struct samr_EnumDomainUsers *r)
976 struct samr_info *info = NULL;
978 uint32 enum_context = *r->in.resume_handle;
979 enum remote_arch_types ra_type = get_remote_arch();
980 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
981 uint32 max_entries = max_sam_entries;
982 struct samr_displayentry *entries = NULL;
983 struct samr_SamArray *samr_array = NULL;
984 struct samr_SamEntry *samr_entries = NULL;
986 /* find the policy handle. open a policy on it. */
987 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
988 return NT_STATUS_INVALID_HANDLE;
990 status = access_check_samr_function(info->acc_granted,
991 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
992 "_samr_EnumDomainUsers");
993 if (!NT_STATUS_IS_OK(status)) {
997 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
999 if (info->builtin_domain) {
1000 /* No users in builtin. */
1001 *r->out.resume_handle = *r->in.resume_handle;
1002 DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
1006 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1008 return NT_STATUS_NO_MEMORY;
1015 if ((info->disp_info->enum_users != NULL) &&
1016 (info->disp_info->enum_acb_mask != r->in.acct_flags)) {
1017 pdb_search_destroy(info->disp_info->enum_users);
1018 info->disp_info->enum_users = NULL;
1021 if (info->disp_info->enum_users == NULL) {
1022 info->disp_info->enum_users = pdb_search_users(r->in.acct_flags);
1023 info->disp_info->enum_acb_mask = r->in.acct_flags;
1026 if (info->disp_info->enum_users == NULL) {
1027 /* END AS ROOT !!!! */
1029 return NT_STATUS_ACCESS_DENIED;
1032 num_account = pdb_search_entries(info->disp_info->enum_users,
1033 enum_context, max_entries,
1036 /* END AS ROOT !!!! */
1040 if (num_account == 0) {
1041 DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
1042 "total entries\n"));
1043 *r->out.resume_handle = *r->in.resume_handle;
1044 return NT_STATUS_OK;
1047 status = make_user_sam_entry_list(p->mem_ctx, &samr_entries,
1048 num_account, enum_context,
1050 if (!NT_STATUS_IS_OK(status)) {
1054 if (max_entries <= num_account) {
1055 status = STATUS_MORE_ENTRIES;
1057 status = NT_STATUS_OK;
1060 /* Ensure we cache this enumeration. */
1061 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1063 DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__));
1065 samr_array->count = num_account;
1066 samr_array->entries = samr_entries;
1068 *r->out.resume_handle = *r->in.resume_handle + num_account;
1069 *r->out.sam = samr_array;
1070 *r->out.num_entries = num_account;
1072 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
1077 /*******************************************************************
1078 makes a SAM_ENTRY / UNISTR2* structure from a group list.
1079 ********************************************************************/
1081 static void make_group_sam_entry_list(TALLOC_CTX *ctx,
1082 struct samr_SamEntry **sam_pp,
1083 uint32_t num_sam_entries,
1084 struct samr_displayentry *entries)
1086 struct samr_SamEntry *sam;
1091 if (num_sam_entries == 0) {
1095 sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_sam_entries);
1100 for (i = 0; i < num_sam_entries; i++) {
1102 * JRA. I think this should include the null. TNG does not.
1104 init_lsa_String(&sam[i].name, entries[i].account_name);
1105 sam[i].idx = entries[i].rid;
1111 /*******************************************************************
1112 _samr_EnumDomainGroups
1113 ********************************************************************/
1115 NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
1116 struct samr_EnumDomainGroups *r)
1119 struct samr_info *info = NULL;
1120 struct samr_displayentry *groups;
1122 struct samr_SamArray *samr_array = NULL;
1123 struct samr_SamEntry *samr_entries = NULL;
1125 /* find the policy handle. open a policy on it. */
1126 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1127 return NT_STATUS_INVALID_HANDLE;
1129 status = access_check_samr_function(info->acc_granted,
1130 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
1131 "_samr_EnumDomainGroups");
1132 if (!NT_STATUS_IS_OK(status)) {
1136 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1138 if (info->builtin_domain) {
1139 /* No groups in builtin. */
1140 *r->out.resume_handle = *r->in.resume_handle;
1141 DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
1145 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1147 return NT_STATUS_NO_MEMORY;
1150 /* the domain group array is being allocated in the function below */
1154 if (info->disp_info->groups == NULL) {
1155 info->disp_info->groups = pdb_search_groups();
1157 if (info->disp_info->groups == NULL) {
1159 return NT_STATUS_ACCESS_DENIED;
1163 num_groups = pdb_search_entries(info->disp_info->groups,
1164 *r->in.resume_handle,
1165 MAX_SAM_ENTRIES, &groups);
1168 /* Ensure we cache this enumeration. */
1169 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1171 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1172 num_groups, groups);
1174 samr_array->count = num_groups;
1175 samr_array->entries = samr_entries;
1177 *r->out.sam = samr_array;
1178 *r->out.num_entries = num_groups;
1179 /* this was missing, IMHO:
1180 *r->out.resume_handle = num_groups + *r->in.resume_handle;
1183 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1188 /*******************************************************************
1189 _samr_EnumDomainAliases
1190 ********************************************************************/
1192 NTSTATUS _samr_EnumDomainAliases(pipes_struct *p,
1193 struct samr_EnumDomainAliases *r)
1196 struct samr_info *info;
1197 struct samr_displayentry *aliases;
1198 uint32 num_aliases = 0;
1199 struct samr_SamArray *samr_array = NULL;
1200 struct samr_SamEntry *samr_entries = NULL;
1202 /* find the policy handle. open a policy on it. */
1203 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1204 return NT_STATUS_INVALID_HANDLE;
1206 DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1207 sid_string_dbg(&info->sid)));
1209 status = access_check_samr_function(info->acc_granted,
1210 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
1211 "_samr_EnumDomainAliases");
1212 if (!NT_STATUS_IS_OK(status)) {
1216 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1218 return NT_STATUS_NO_MEMORY;
1223 if (info->disp_info->aliases == NULL) {
1224 info->disp_info->aliases = pdb_search_aliases(&info->sid);
1225 if (info->disp_info->aliases == NULL) {
1227 return NT_STATUS_ACCESS_DENIED;
1231 num_aliases = pdb_search_entries(info->disp_info->aliases,
1232 *r->in.resume_handle,
1233 MAX_SAM_ENTRIES, &aliases);
1236 /* Ensure we cache this enumeration. */
1237 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1239 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1240 num_aliases, aliases);
1242 DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
1244 samr_array->count = num_aliases;
1245 samr_array->entries = samr_entries;
1247 *r->out.sam = samr_array;
1248 *r->out.num_entries = num_aliases;
1249 *r->out.resume_handle = num_aliases + *r->in.resume_handle;
1254 /*******************************************************************
1255 inits a samr_DispInfoGeneral structure.
1256 ********************************************************************/
1258 static NTSTATUS init_samr_dispinfo_1(TALLOC_CTX *ctx,
1259 struct samr_DispInfoGeneral *r,
1260 uint32_t num_entries,
1262 struct samr_displayentry *entries)
1266 DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries));
1268 if (num_entries == 0) {
1269 return NT_STATUS_OK;
1272 r->count = num_entries;
1274 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryGeneral, num_entries);
1276 return NT_STATUS_NO_MEMORY;
1279 for (i = 0; i < num_entries ; i++) {
1281 init_lsa_String(&r->entries[i].account_name,
1282 entries[i].account_name);
1284 init_lsa_String(&r->entries[i].description,
1285 entries[i].description);
1287 init_lsa_String(&r->entries[i].full_name,
1288 entries[i].fullname);
1290 r->entries[i].rid = entries[i].rid;
1291 r->entries[i].acct_flags = entries[i].acct_flags;
1292 r->entries[i].idx = start_idx+i+1;
1295 return NT_STATUS_OK;
1298 /*******************************************************************
1299 inits a samr_DispInfoFull structure.
1300 ********************************************************************/
1302 static NTSTATUS init_samr_dispinfo_2(TALLOC_CTX *ctx,
1303 struct samr_DispInfoFull *r,
1304 uint32_t num_entries,
1306 struct samr_displayentry *entries)
1310 DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries));
1312 if (num_entries == 0) {
1313 return NT_STATUS_OK;
1316 r->count = num_entries;
1318 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFull, num_entries);
1320 return NT_STATUS_NO_MEMORY;
1323 for (i = 0; i < num_entries ; i++) {
1325 init_lsa_String(&r->entries[i].account_name,
1326 entries[i].account_name);
1328 init_lsa_String(&r->entries[i].description,
1329 entries[i].description);
1331 r->entries[i].rid = entries[i].rid;
1332 r->entries[i].acct_flags = entries[i].acct_flags;
1333 r->entries[i].idx = start_idx+i+1;
1336 return NT_STATUS_OK;
1339 /*******************************************************************
1340 inits a samr_DispInfoFullGroups structure.
1341 ********************************************************************/
1343 static NTSTATUS init_samr_dispinfo_3(TALLOC_CTX *ctx,
1344 struct samr_DispInfoFullGroups *r,
1345 uint32_t num_entries,
1347 struct samr_displayentry *entries)
1351 DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries));
1353 if (num_entries == 0) {
1354 return NT_STATUS_OK;
1357 r->count = num_entries;
1359 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFullGroup, num_entries);
1361 return NT_STATUS_NO_MEMORY;
1364 for (i = 0; i < num_entries ; i++) {
1366 init_lsa_String(&r->entries[i].account_name,
1367 entries[i].account_name);
1369 init_lsa_String(&r->entries[i].description,
1370 entries[i].description);
1372 r->entries[i].rid = entries[i].rid;
1373 r->entries[i].acct_flags = entries[i].acct_flags;
1374 r->entries[i].idx = start_idx+i+1;
1377 return NT_STATUS_OK;
1380 /*******************************************************************
1381 inits a samr_DispInfoAscii structure.
1382 ********************************************************************/
1384 static NTSTATUS init_samr_dispinfo_4(TALLOC_CTX *ctx,
1385 struct samr_DispInfoAscii *r,
1386 uint32_t num_entries,
1388 struct samr_displayentry *entries)
1392 DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries));
1394 if (num_entries == 0) {
1395 return NT_STATUS_OK;
1398 r->count = num_entries;
1400 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1402 return NT_STATUS_NO_MEMORY;
1405 for (i = 0; i < num_entries ; i++) {
1407 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1408 entries[i].account_name);
1410 r->entries[i].idx = start_idx+i+1;
1413 return NT_STATUS_OK;
1416 /*******************************************************************
1417 inits a samr_DispInfoAscii structure.
1418 ********************************************************************/
1420 static NTSTATUS init_samr_dispinfo_5(TALLOC_CTX *ctx,
1421 struct samr_DispInfoAscii *r,
1422 uint32_t num_entries,
1424 struct samr_displayentry *entries)
1428 DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries));
1430 if (num_entries == 0) {
1431 return NT_STATUS_OK;
1434 r->count = num_entries;
1436 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1438 return NT_STATUS_NO_MEMORY;
1441 for (i = 0; i < num_entries ; i++) {
1443 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1444 entries[i].account_name);
1446 r->entries[i].idx = start_idx+i+1;
1449 return NT_STATUS_OK;
1452 /*******************************************************************
1453 _samr_QueryDisplayInfo
1454 ********************************************************************/
1456 NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
1457 struct samr_QueryDisplayInfo *r)
1460 struct samr_info *info = NULL;
1461 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1463 uint32 max_entries = r->in.max_entries;
1464 uint32 enum_context = r->in.start_idx;
1465 uint32 max_size = r->in.buf_size;
1467 union samr_DispInfo *disp_info = r->out.info;
1469 uint32 temp_size=0, total_data_size=0;
1470 NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
1471 uint32 num_account = 0;
1472 enum remote_arch_types ra_type = get_remote_arch();
1473 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1474 struct samr_displayentry *entries = NULL;
1476 DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__));
1478 /* find the policy handle. open a policy on it. */
1479 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1480 return NT_STATUS_INVALID_HANDLE;
1482 status = access_check_samr_function(info->acc_granted,
1483 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
1484 "_samr_QueryDisplayInfo");
1485 if (!NT_STATUS_IS_OK(status)) {
1490 * calculate how many entries we will return.
1492 * - the number of entries the client asked
1493 * - our limit on that
1494 * - the starting point (enumeration context)
1495 * - the buffer size the client will accept
1499 * We are a lot more like W2K. Instead of reading the SAM
1500 * each time to find the records we need to send back,
1501 * we read it once and link that copy to the sam handle.
1502 * For large user list (over the MAX_SAM_ENTRIES)
1503 * it's a definitive win.
1504 * second point to notice: between enumerations
1505 * our sam is now the same as it's a snapshoot.
1506 * third point: got rid of the static SAM_USER_21 struct
1507 * no more intermediate.
1508 * con: it uses much more memory, as a full copy is stored
1511 * If you want to change it, think twice and think
1512 * of the second point , that's really important.
1517 if ((r->in.level < 1) || (r->in.level > 5)) {
1518 DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1519 (unsigned int)r->in.level ));
1520 return NT_STATUS_INVALID_INFO_CLASS;
1523 /* first limit the number of entries we will return */
1524 if(max_entries > max_sam_entries) {
1525 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1526 "entries, limiting to %d\n", max_entries,
1528 max_entries = max_sam_entries;
1531 /* calculate the size and limit on the number of entries we will
1534 temp_size=max_entries*struct_size;
1536 if (temp_size>max_size) {
1537 max_entries=MIN((max_size/struct_size),max_entries);;
1538 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1539 "only %d entries\n", max_entries));
1544 /* THe following done as ROOT. Don't return without unbecome_root(). */
1546 switch (r->in.level) {
1549 if (info->disp_info->users == NULL) {
1550 info->disp_info->users = pdb_search_users(ACB_NORMAL);
1551 if (info->disp_info->users == NULL) {
1553 return NT_STATUS_ACCESS_DENIED;
1555 DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1556 (unsigned int)enum_context ));
1558 DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1559 (unsigned int)enum_context ));
1562 num_account = pdb_search_entries(info->disp_info->users,
1563 enum_context, max_entries,
1567 if (info->disp_info->machines == NULL) {
1568 info->disp_info->machines =
1569 pdb_search_users(ACB_WSTRUST|ACB_SVRTRUST);
1570 if (info->disp_info->machines == NULL) {
1572 return NT_STATUS_ACCESS_DENIED;
1574 DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1575 (unsigned int)enum_context ));
1577 DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1578 (unsigned int)enum_context ));
1581 num_account = pdb_search_entries(info->disp_info->machines,
1582 enum_context, max_entries,
1587 if (info->disp_info->groups == NULL) {
1588 info->disp_info->groups = pdb_search_groups();
1589 if (info->disp_info->groups == NULL) {
1591 return NT_STATUS_ACCESS_DENIED;
1593 DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1594 (unsigned int)enum_context ));
1596 DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1597 (unsigned int)enum_context ));
1600 num_account = pdb_search_entries(info->disp_info->groups,
1601 enum_context, max_entries,
1606 smb_panic("info class changed");
1612 /* Now create reply structure */
1613 switch (r->in.level) {
1615 disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1,
1616 num_account, enum_context,
1620 disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2,
1621 num_account, enum_context,
1625 disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3,
1626 num_account, enum_context,
1630 disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4,
1631 num_account, enum_context,
1635 disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5,
1636 num_account, enum_context,
1640 smb_panic("info class changed");
1644 if (!NT_STATUS_IS_OK(disp_ret))
1647 /* calculate the total size */
1648 total_data_size=num_account*struct_size;
1650 if (max_entries <= num_account) {
1651 status = STATUS_MORE_ENTRIES;
1653 status = NT_STATUS_OK;
1656 /* Ensure we cache this enumeration. */
1657 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1659 DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__));
1661 *r->out.total_size = total_data_size;
1662 *r->out.returned_size = temp_size;
1667 /****************************************************************
1668 _samr_QueryDisplayInfo2
1669 ****************************************************************/
1671 NTSTATUS _samr_QueryDisplayInfo2(pipes_struct *p,
1672 struct samr_QueryDisplayInfo2 *r)
1674 struct samr_QueryDisplayInfo q;
1676 q.in.domain_handle = r->in.domain_handle;
1677 q.in.level = r->in.level;
1678 q.in.start_idx = r->in.start_idx;
1679 q.in.max_entries = r->in.max_entries;
1680 q.in.buf_size = r->in.buf_size;
1682 q.out.total_size = r->out.total_size;
1683 q.out.returned_size = r->out.returned_size;
1684 q.out.info = r->out.info;
1686 return _samr_QueryDisplayInfo(p, &q);
1689 /****************************************************************
1690 _samr_QueryDisplayInfo3
1691 ****************************************************************/
1693 NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p,
1694 struct samr_QueryDisplayInfo3 *r)
1696 struct samr_QueryDisplayInfo q;
1698 q.in.domain_handle = r->in.domain_handle;
1699 q.in.level = r->in.level;
1700 q.in.start_idx = r->in.start_idx;
1701 q.in.max_entries = r->in.max_entries;
1702 q.in.buf_size = r->in.buf_size;
1704 q.out.total_size = r->out.total_size;
1705 q.out.returned_size = r->out.returned_size;
1706 q.out.info = r->out.info;
1708 return _samr_QueryDisplayInfo(p, &q);
1711 /*******************************************************************
1712 _samr_QueryAliasInfo
1713 ********************************************************************/
1715 NTSTATUS _samr_QueryAliasInfo(pipes_struct *p,
1716 struct samr_QueryAliasInfo *r)
1719 struct acct_info info;
1722 union samr_AliasInfo *alias_info = NULL;
1723 const char *alias_name = NULL;
1724 const char *alias_description = NULL;
1726 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1728 alias_info = TALLOC_ZERO_P(p->mem_ctx, union samr_AliasInfo);
1730 return NT_STATUS_NO_MEMORY;
1733 /* find the policy handle. open a policy on it. */
1734 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &sid, &acc_granted, NULL))
1735 return NT_STATUS_INVALID_HANDLE;
1737 status = access_check_samr_function(acc_granted,
1738 SA_RIGHT_ALIAS_LOOKUP_INFO,
1739 "_samr_QueryAliasInfo");
1740 if (!NT_STATUS_IS_OK(status)) {
1745 status = pdb_get_aliasinfo(&sid, &info);
1748 if ( !NT_STATUS_IS_OK(status))
1751 /* FIXME: info contains fstrings */
1752 alias_name = talloc_strdup(r, info.acct_name);
1753 alias_description = talloc_strdup(r, info.acct_desc);
1755 switch (r->in.level) {
1757 init_samr_alias_info1(&alias_info->all,
1762 case ALIASINFODESCRIPTION:
1763 init_samr_alias_info3(&alias_info->description,
1767 return NT_STATUS_INVALID_INFO_CLASS;
1770 *r->out.info = alias_info;
1772 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1774 return NT_STATUS_OK;
1777 /*******************************************************************
1779 ********************************************************************/
1781 NTSTATUS _samr_LookupNames(pipes_struct *p,
1782 struct samr_LookupNames *r)
1786 enum lsa_SidType *type;
1788 int num_rids = r->in.num_names;
1791 struct samr_Ids rids, types;
1793 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1795 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL)) {
1796 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1799 status = access_check_samr_function(acc_granted,
1800 0, /* Don't know the acc_bits yet */
1801 "_samr_LookupNames");
1802 if (!NT_STATUS_IS_OK(status)) {
1806 if (num_rids > MAX_SAM_ENTRIES) {
1807 num_rids = MAX_SAM_ENTRIES;
1808 DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids));
1811 rid = talloc_array(p->mem_ctx, uint32, num_rids);
1812 NT_STATUS_HAVE_NO_MEMORY(rid);
1814 type = talloc_array(p->mem_ctx, enum lsa_SidType, num_rids);
1815 NT_STATUS_HAVE_NO_MEMORY(type);
1817 DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1818 sid_string_dbg(&pol_sid)));
1820 for (i = 0; i < num_rids; i++) {
1822 status = NT_STATUS_NONE_MAPPED;
1823 type[i] = SID_NAME_UNKNOWN;
1825 rid[i] = 0xffffffff;
1827 if (sid_check_is_builtin(&pol_sid)) {
1828 if (lookup_builtin_name(r->in.names[i].string,
1831 type[i] = SID_NAME_ALIAS;
1834 lookup_global_sam_name(r->in.names[i].string, 0,
1838 if (type[i] != SID_NAME_UNKNOWN) {
1839 status = NT_STATUS_OK;
1843 rids.count = num_rids;
1846 types.count = num_rids;
1849 *r->out.rids = rids;
1850 *r->out.types = types;
1852 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1857 /*******************************************************************
1858 _samr_ChangePasswordUser2
1859 ********************************************************************/
1861 NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
1862 struct samr_ChangePasswordUser2 *r)
1868 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1870 fstrcpy(user_name, r->in.account->string);
1871 fstrcpy(wks, r->in.server->string);
1873 DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
1876 * Pass the user through the NT -> unix user mapping
1880 (void)map_username(user_name);
1883 * UNIX username case mangling not required, pass_oem_change
1884 * is case insensitive.
1887 status = pass_oem_change(user_name,
1888 r->in.lm_password->data,
1889 r->in.lm_verifier->hash,
1890 r->in.nt_password->data,
1891 r->in.nt_verifier->hash,
1894 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1899 /*******************************************************************
1900 _samr_ChangePasswordUser3
1901 ********************************************************************/
1903 NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
1904 struct samr_ChangePasswordUser3 *r)
1908 const char *wks = NULL;
1909 uint32 reject_reason;
1910 struct samr_DomInfo1 *dominfo = NULL;
1911 struct samr_ChangeReject *reject = NULL;
1913 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
1915 fstrcpy(user_name, r->in.account->string);
1916 if (r->in.server && r->in.server->string) {
1917 wks = r->in.server->string;
1920 DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name, wks));
1923 * Pass the user through the NT -> unix user mapping
1927 (void)map_username(user_name);
1930 * UNIX username case mangling not required, pass_oem_change
1931 * is case insensitive.
1934 status = pass_oem_change(user_name,
1935 r->in.lm_password->data,
1936 r->in.lm_verifier->hash,
1937 r->in.nt_password->data,
1938 r->in.nt_verifier->hash,
1941 if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) ||
1942 NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_RESTRICTION)) {
1944 uint32 min_pass_len,pass_hist,password_properties;
1945 time_t u_expire, u_min_age;
1946 NTTIME nt_expire, nt_min_age;
1947 uint32 account_policy_temp;
1949 dominfo = TALLOC_ZERO_P(p->mem_ctx, struct samr_DomInfo1);
1951 return NT_STATUS_NO_MEMORY;
1954 reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject);
1956 return NT_STATUS_NO_MEMORY;
1963 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
1964 min_pass_len = account_policy_temp;
1966 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
1967 pass_hist = account_policy_temp;
1969 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
1970 password_properties = account_policy_temp;
1972 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
1973 u_expire = account_policy_temp;
1975 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
1976 u_min_age = account_policy_temp;
1982 unix_to_nt_time_abs(&nt_expire, u_expire);
1983 unix_to_nt_time_abs(&nt_min_age, u_min_age);
1985 if (lp_check_password_script() && *lp_check_password_script()) {
1986 password_properties |= DOMAIN_PASSWORD_COMPLEX;
1989 init_samr_DomInfo1(dominfo,
1992 password_properties,
1996 reject->reason = reject_reason;
1998 *r->out.dominfo = dominfo;
1999 *r->out.reject = reject;
2002 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
2007 /*******************************************************************
2008 makes a SAMR_R_LOOKUP_RIDS structure.
2009 ********************************************************************/
2011 static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
2013 struct lsa_String **lsa_name_array_p)
2015 struct lsa_String *lsa_name_array = NULL;
2018 *lsa_name_array_p = NULL;
2020 if (num_names != 0) {
2021 lsa_name_array = TALLOC_ZERO_ARRAY(ctx, struct lsa_String, num_names);
2022 if (!lsa_name_array) {
2027 for (i = 0; i < num_names; i++) {
2028 DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : ""));
2029 init_lsa_String(&lsa_name_array[i], names[i]);
2032 *lsa_name_array_p = lsa_name_array;
2037 /*******************************************************************
2039 ********************************************************************/
2041 NTSTATUS _samr_LookupRids(pipes_struct *p,
2042 struct samr_LookupRids *r)
2046 enum lsa_SidType *attrs = NULL;
2047 uint32 *wire_attrs = NULL;
2049 int num_rids = (int)r->in.num_rids;
2052 struct lsa_Strings names_array;
2053 struct samr_Ids types_array;
2054 struct lsa_String *lsa_names = NULL;
2056 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2058 /* find the policy handle. open a policy on it. */
2059 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL))
2060 return NT_STATUS_INVALID_HANDLE;
2062 status = access_check_samr_function(acc_granted,
2063 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
2064 "_samr__LookupRids");
2065 if (!NT_STATUS_IS_OK(status)) {
2069 if (num_rids > 1000) {
2070 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
2071 "to samba4 idl this is not possible\n", num_rids));
2072 return NT_STATUS_UNSUCCESSFUL;
2076 names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
2077 attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum lsa_SidType, num_rids);
2078 wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
2080 if ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))
2081 return NT_STATUS_NO_MEMORY;
2088 become_root(); /* lookup_sid can require root privs */
2089 status = pdb_lookup_rids(&pol_sid, num_rids, r->in.rids,
2093 if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) && (num_rids == 0)) {
2094 status = NT_STATUS_OK;
2097 if (!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
2099 return NT_STATUS_NO_MEMORY;
2102 /* Convert from enum lsa_SidType to uint32 for wire format. */
2103 for (i = 0; i < num_rids; i++) {
2104 wire_attrs[i] = (uint32)attrs[i];
2107 names_array.count = num_rids;
2108 names_array.names = lsa_names;
2110 types_array.count = num_rids;
2111 types_array.ids = wire_attrs;
2113 *r->out.names = names_array;
2114 *r->out.types = types_array;
2116 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2121 /*******************************************************************
2123 ********************************************************************/
2125 NTSTATUS _samr_OpenUser(pipes_struct *p,
2126 struct samr_OpenUser *r)
2128 struct samu *sampass=NULL;
2130 POLICY_HND domain_pol = *r->in.domain_handle;
2131 POLICY_HND *user_pol = r->out.user_handle;
2132 struct samr_info *info = NULL;
2133 SEC_DESC *psd = NULL;
2135 uint32 des_access = r->in.access_mask;
2141 /* find the domain policy handle and get domain SID / access bits in the domain policy. */
2143 if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) )
2144 return NT_STATUS_INVALID_HANDLE;
2146 nt_status = access_check_samr_function(acc_granted,
2147 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
2150 if ( !NT_STATUS_IS_OK(nt_status) )
2153 if ( !(sampass = samu_new( p->mem_ctx )) ) {
2154 return NT_STATUS_NO_MEMORY;
2157 /* append the user's RID to it */
2159 if (!sid_append_rid(&sid, r->in.rid))
2160 return NT_STATUS_NO_SUCH_USER;
2162 /* check if access can be granted as requested by client. */
2164 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
2166 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
2167 se_map_generic(&des_access, &usr_generic_mapping);
2169 se_priv_copy( &se_rights, &se_machine_account );
2170 se_priv_add( &se_rights, &se_add_users );
2172 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2173 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
2174 &acc_granted, "_samr_OpenUser");
2176 if ( !NT_STATUS_IS_OK(nt_status) )
2180 ret=pdb_getsampwsid(sampass, &sid);
2183 /* check that the SID exists in our domain. */
2185 return NT_STATUS_NO_SUCH_USER;
2188 TALLOC_FREE(sampass);
2190 /* associate the user's SID and access bits with the new handle. */
2191 if ((info = get_samr_info_by_sid(&sid)) == NULL)
2192 return NT_STATUS_NO_MEMORY;
2193 info->acc_granted = acc_granted;
2195 /* get a (unique) handle. open a policy on it. */
2196 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info))
2197 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2199 return NT_STATUS_OK;
2202 /*************************************************************************
2203 *************************************************************************/
2205 static NTSTATUS init_samr_parameters_string(TALLOC_CTX *mem_ctx,
2207 struct lsa_BinaryString **_r)
2209 struct lsa_BinaryString *r;
2212 return NT_STATUS_INVALID_PARAMETER;
2215 r = TALLOC_ZERO_P(mem_ctx, struct lsa_BinaryString);
2217 return NT_STATUS_NO_MEMORY;
2220 r->array = TALLOC_ZERO_ARRAY(mem_ctx, uint16_t, blob->length/2);
2222 return NT_STATUS_NO_MEMORY;
2224 memcpy(r->array, blob->data, blob->length);
2225 r->size = blob->length;
2226 r->length = blob->length;
2229 return NT_STATUS_NO_MEMORY;
2234 return NT_STATUS_OK;
2237 /*************************************************************************
2238 get_user_info_7. Safe. Only gives out account_name.
2239 *************************************************************************/
2241 static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx,
2242 struct samr_UserInfo7 *r,
2245 struct samu *smbpass=NULL;
2247 const char *account_name = NULL;
2251 if ( !(smbpass = samu_new( mem_ctx )) ) {
2252 return NT_STATUS_NO_MEMORY;
2256 ret = pdb_getsampwsid(smbpass, user_sid);
2260 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2261 return NT_STATUS_NO_SUCH_USER;
2264 account_name = talloc_strdup(mem_ctx, pdb_get_username(smbpass));
2265 if (!account_name) {
2266 TALLOC_FREE(smbpass);
2267 return NT_STATUS_NO_MEMORY;
2269 TALLOC_FREE(smbpass);
2271 DEBUG(3,("User:[%s]\n", account_name));
2273 init_samr_user_info7(r, account_name);
2275 return NT_STATUS_OK;
2278 /*************************************************************************
2279 get_user_info_9. Only gives out primary group SID.
2280 *************************************************************************/
2282 static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx,
2283 struct samr_UserInfo9 *r,
2286 struct samu *smbpass=NULL;
2291 if ( !(smbpass = samu_new( mem_ctx )) ) {
2292 return NT_STATUS_NO_MEMORY;
2296 ret = pdb_getsampwsid(smbpass, user_sid);
2300 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2301 TALLOC_FREE(smbpass);
2302 return NT_STATUS_NO_SUCH_USER;
2305 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
2307 init_samr_user_info9(r, pdb_get_group_rid(smbpass));
2309 TALLOC_FREE(smbpass);
2311 return NT_STATUS_OK;
2314 /*************************************************************************
2315 get_user_info_16. Safe. Only gives out acb bits.
2316 *************************************************************************/
2318 static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx,
2319 struct samr_UserInfo16 *r,
2322 struct samu *smbpass=NULL;
2327 if ( !(smbpass = samu_new( mem_ctx )) ) {
2328 return NT_STATUS_NO_MEMORY;
2332 ret = pdb_getsampwsid(smbpass, user_sid);
2336 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2337 TALLOC_FREE(smbpass);
2338 return NT_STATUS_NO_SUCH_USER;
2341 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
2343 init_samr_user_info16(r, pdb_get_acct_ctrl(smbpass));
2345 TALLOC_FREE(smbpass);
2347 return NT_STATUS_OK;
2350 /*************************************************************************
2351 get_user_info_18. OK - this is the killer as it gives out password info.
2352 Ensure that this is only allowed on an encrypted connection with a root
2354 *************************************************************************/
2356 static NTSTATUS get_user_info_18(pipes_struct *p,
2357 TALLOC_CTX *mem_ctx,
2358 struct samr_UserInfo18 *r,
2361 struct samu *smbpass=NULL;
2366 if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
2367 return NT_STATUS_ACCESS_DENIED;
2370 if (p->auth.auth_level != PIPE_AUTH_LEVEL_PRIVACY) {
2371 return NT_STATUS_ACCESS_DENIED;
2375 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
2378 if ( !(smbpass = samu_new( mem_ctx )) ) {
2379 return NT_STATUS_NO_MEMORY;
2382 ret = pdb_getsampwsid(smbpass, user_sid);
2385 DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid)));
2386 TALLOC_FREE(smbpass);
2387 return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
2390 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
2392 if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
2393 TALLOC_FREE(smbpass);
2394 return NT_STATUS_ACCOUNT_DISABLED;
2397 init_samr_user_info18(r, pdb_get_lanman_passwd(smbpass),
2398 pdb_get_nt_passwd(smbpass));
2400 TALLOC_FREE(smbpass);
2402 return NT_STATUS_OK;
2405 /*************************************************************************
2407 *************************************************************************/
2409 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx,
2410 struct samr_UserInfo20 *r,
2413 struct samu *sampass=NULL;
2415 const char *munged_dial = NULL;
2418 struct lsa_BinaryString *parameters = NULL;
2422 if ( !(sampass = samu_new( mem_ctx )) ) {
2423 return NT_STATUS_NO_MEMORY;
2427 ret = pdb_getsampwsid(sampass, user_sid);
2431 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2432 TALLOC_FREE(sampass);
2433 return NT_STATUS_NO_SUCH_USER;
2436 munged_dial = pdb_get_munged_dial(sampass);
2438 samr_clear_sam_passwd(sampass);
2440 DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass),
2441 munged_dial, (int)strlen(munged_dial)));
2444 blob = base64_decode_data_blob(munged_dial);
2446 blob = data_blob_string_const_null("");
2449 status = init_samr_parameters_string(mem_ctx, &blob, ¶meters);
2450 data_blob_free(&blob);
2451 TALLOC_FREE(sampass);
2452 if (!NT_STATUS_IS_OK(status)) {
2456 init_samr_user_info20(r, parameters);
2458 return NT_STATUS_OK;
2462 /*************************************************************************
2464 *************************************************************************/
2466 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx,
2467 struct samr_UserInfo21 *r,
2469 DOM_SID *domain_sid)
2472 struct samu *pw = NULL;
2474 const DOM_SID *sid_user, *sid_group;
2475 uint32_t rid, primary_gid;
2476 NTTIME last_logon, last_logoff, last_password_change,
2477 acct_expiry, allow_password_change, force_password_change;
2478 time_t must_change_time;
2479 uint8_t password_expired;
2480 const char *account_name, *full_name, *home_directory, *home_drive,
2481 *logon_script, *profile_path, *description,
2482 *workstations, *comment;
2483 struct samr_LogonHours logon_hours;
2484 struct lsa_BinaryString *parameters = NULL;
2485 const char *munged_dial = NULL;
2490 if (!(pw = samu_new(mem_ctx))) {
2491 return NT_STATUS_NO_MEMORY;
2495 ret = pdb_getsampwsid(pw, user_sid);
2499 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2501 return NT_STATUS_NO_SUCH_USER;
2504 samr_clear_sam_passwd(pw);
2506 DEBUG(3,("User:[%s]\n", pdb_get_username(pw)));
2508 sid_user = pdb_get_user_sid(pw);
2510 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2511 DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2512 "the domain sid %s. Failing operation.\n",
2513 pdb_get_username(pw), sid_string_dbg(sid_user),
2514 sid_string_dbg(domain_sid)));
2516 return NT_STATUS_UNSUCCESSFUL;
2520 sid_group = pdb_get_group_sid(pw);
2523 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2524 DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2525 "which conflicts with the domain sid %s. Failing operation.\n",
2526 pdb_get_username(pw), sid_string_dbg(sid_group),
2527 sid_string_dbg(domain_sid)));
2529 return NT_STATUS_UNSUCCESSFUL;
2532 unix_to_nt_time(&last_logon, pdb_get_logon_time(pw));
2533 unix_to_nt_time(&last_logoff, pdb_get_logoff_time(pw));
2534 unix_to_nt_time(&acct_expiry, pdb_get_kickoff_time(pw));
2535 unix_to_nt_time(&last_password_change, pdb_get_pass_last_set_time(pw));
2536 unix_to_nt_time(&allow_password_change, pdb_get_pass_can_change_time(pw));
2538 must_change_time = pdb_get_pass_must_change_time(pw);
2539 if (must_change_time == get_time_t_max()) {
2540 unix_to_nt_time_abs(&force_password_change, must_change_time);
2542 unix_to_nt_time(&force_password_change, must_change_time);
2545 if (pdb_get_pass_must_change_time(pw) == 0) {
2546 password_expired = PASS_MUST_CHANGE_AT_NEXT_LOGON;
2548 password_expired = 0;
2551 munged_dial = pdb_get_munged_dial(pw);
2553 blob = base64_decode_data_blob(munged_dial);
2555 blob = data_blob_string_const_null("");
2558 status = init_samr_parameters_string(mem_ctx, &blob, ¶meters);
2559 data_blob_free(&blob);
2560 if (!NT_STATUS_IS_OK(status)) {
2565 account_name = talloc_strdup(mem_ctx, pdb_get_username(pw));
2566 full_name = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2567 home_directory = talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2568 home_drive = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2569 logon_script = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2570 profile_path = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2571 description = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2572 workstations = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2573 comment = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2575 logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2579 Look at a user on a real NT4 PDC with usrmgr, press
2580 'ok'. Then you will see that fields_present is set to
2581 0x08f827fa. Look at the user immediately after that again,
2582 and you will see that 0x00fffff is returned. This solves
2583 the problem that you get access denied after having looked
2590 init_samr_user_info21(r,
2593 last_password_change,
2595 allow_password_change,
2596 force_password_change,
2609 pdb_get_acct_ctrl(pw),
2610 pdb_build_fields_present(pw),
2612 pdb_get_bad_password_count(pw),
2613 pdb_get_logon_count(pw),
2614 0, /* country_code */
2616 0, /* nt_password_set */
2617 0, /* lm_password_set */
2621 return NT_STATUS_OK;
2624 /*******************************************************************
2626 ********************************************************************/
2628 NTSTATUS _samr_QueryUserInfo(pipes_struct *p,
2629 struct samr_QueryUserInfo *r)
2632 union samr_UserInfo *user_info = NULL;
2633 struct samr_info *info = NULL;
2637 /* search for the handle */
2638 if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info))
2639 return NT_STATUS_INVALID_HANDLE;
2641 status = access_check_samr_function(info->acc_granted,
2642 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
2643 "_samr_QueryUserInfo");
2644 if (!NT_STATUS_IS_OK(status)) {
2648 domain_sid = info->sid;
2650 sid_split_rid(&domain_sid, &rid);
2652 if (!sid_check_is_in_our_domain(&info->sid))
2653 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2655 DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
2656 sid_string_dbg(&info->sid)));
2658 user_info = TALLOC_ZERO_P(p->mem_ctx, union samr_UserInfo);
2660 return NT_STATUS_NO_MEMORY;
2663 DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r->in.level));
2665 switch (r->in.level) {
2667 status = get_user_info_7(p->mem_ctx, &user_info->info7, &info->sid);
2668 if (!NT_STATUS_IS_OK(status)) {
2673 status = get_user_info_9(p->mem_ctx, &user_info->info9, &info->sid);
2674 if (!NT_STATUS_IS_OK(status)) {
2679 status = get_user_info_16(p->mem_ctx, &user_info->info16, &info->sid);
2680 if (!NT_STATUS_IS_OK(status)) {
2686 status = get_user_info_18(p, p->mem_ctx, &user_info->info18, &info->sid);
2687 if (!NT_STATUS_IS_OK(status)) {
2693 status = get_user_info_20(p->mem_ctx, &user_info->info20, &info->sid);
2694 if (!NT_STATUS_IS_OK(status)) {
2700 status = get_user_info_21(p->mem_ctx, &user_info->info21,
2701 &info->sid, &domain_sid);
2702 if (!NT_STATUS_IS_OK(status)) {
2708 return NT_STATUS_INVALID_INFO_CLASS;
2711 *r->out.info = user_info;
2713 DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__));
2718 /*******************************************************************
2719 _samr_GetGroupsForUser
2720 ********************************************************************/
2722 NTSTATUS _samr_GetGroupsForUser(pipes_struct *p,
2723 struct samr_GetGroupsForUser *r)
2725 struct samu *sam_pass=NULL;
2728 struct samr_RidWithAttribute dom_gid;
2729 struct samr_RidWithAttribute *gids = NULL;
2730 uint32 primary_group_rid;
2731 size_t num_groups = 0;
2737 bool success = False;
2739 struct samr_RidWithAttributeArray *rids = NULL;
2742 * from the SID in the request:
2743 * we should send back the list of DOMAIN GROUPS
2744 * the user is a member of
2746 * and only the DOMAIN GROUPS
2747 * no ALIASES !!! neither aliases of the domain
2748 * nor aliases of the builtin SID
2753 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2755 rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidWithAttributeArray);
2757 return NT_STATUS_NO_MEMORY;
2760 /* find the policy handle. open a policy on it. */
2761 if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &sid, &acc_granted, NULL))
2762 return NT_STATUS_INVALID_HANDLE;
2764 result = access_check_samr_function(acc_granted,
2765 SA_RIGHT_USER_GET_GROUPS,
2766 "_samr_GetGroupsForUser");
2767 if (!NT_STATUS_IS_OK(result)) {
2771 if (!sid_check_is_in_our_domain(&sid))
2772 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2774 if ( !(sam_pass = samu_new( p->mem_ctx )) ) {
2775 return NT_STATUS_NO_MEMORY;
2779 ret = pdb_getsampwsid(sam_pass, &sid);
2783 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
2784 sid_string_dbg(&sid)));
2785 return NT_STATUS_NO_SUCH_USER;
2790 /* make both calls inside the root block */
2792 result = pdb_enum_group_memberships(p->mem_ctx, sam_pass,
2793 &sids, &unix_gids, &num_groups);
2794 if ( NT_STATUS_IS_OK(result) ) {
2795 success = sid_peek_check_rid(get_global_sam_sid(),
2796 pdb_get_group_sid(sam_pass),
2797 &primary_group_rid);
2801 if (!NT_STATUS_IS_OK(result)) {
2802 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
2803 sid_string_dbg(&sid)));
2808 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
2809 sid_string_dbg(pdb_get_group_sid(sam_pass)),
2810 pdb_get_username(sam_pass)));
2811 TALLOC_FREE(sam_pass);
2812 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2818 dom_gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
2820 dom_gid.rid = primary_group_rid;
2821 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2823 for (i=0; i<num_groups; i++) {
2825 if (!sid_peek_check_rid(get_global_sam_sid(),
2826 &(sids[i]), &dom_gid.rid)) {
2827 DEBUG(10, ("Found sid %s not in our domain\n",
2828 sid_string_dbg(&sids[i])));
2832 if (dom_gid.rid == primary_group_rid) {
2833 /* We added the primary group directly from the
2834 * sam_account. The other SIDs are unique from
2835 * enum_group_memberships */
2839 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2842 rids->count = num_gids;
2845 *r->out.rids = rids;
2847 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2852 /*******************************************************************
2853 _samr_QueryDomainInfo
2854 ********************************************************************/
2856 NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
2857 struct samr_QueryDomainInfo *r)
2859 NTSTATUS status = NT_STATUS_OK;
2860 struct samr_info *info = NULL;
2861 union samr_DomainInfo *dom_info;
2862 uint32 min_pass_len,pass_hist,password_properties;
2863 time_t u_expire, u_min_age;
2864 NTTIME nt_expire, nt_min_age;
2866 time_t u_lock_duration, u_reset_time;
2867 NTTIME nt_lock_duration, nt_reset_time;
2872 uint32 account_policy_temp;
2877 uint32 num_users=0, num_groups=0, num_aliases=0;
2879 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
2881 dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo);
2883 return NT_STATUS_NO_MEMORY;
2886 /* find the policy handle. open a policy on it. */
2887 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) {
2888 return NT_STATUS_INVALID_HANDLE;
2891 status = access_check_samr_function(info->acc_granted,
2892 SA_RIGHT_SAM_OPEN_DOMAIN,
2893 "_samr_QueryDomainInfo" );
2895 if ( !NT_STATUS_IS_OK(status) )
2898 switch (r->in.level) {
2905 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
2906 min_pass_len = account_policy_temp;
2908 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
2909 pass_hist = account_policy_temp;
2911 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
2912 password_properties = account_policy_temp;
2914 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
2915 u_expire = account_policy_temp;
2917 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
2918 u_min_age = account_policy_temp;
2924 unix_to_nt_time_abs(&nt_expire, u_expire);
2925 unix_to_nt_time_abs(&nt_min_age, u_min_age);
2927 if (lp_check_password_script() && *lp_check_password_script()) {
2928 password_properties |= DOMAIN_PASSWORD_COMPLEX;
2931 init_samr_DomInfo1(&dom_info->info1,
2932 (uint16)min_pass_len,
2934 password_properties,
2944 num_users = count_sam_users(info->disp_info, ACB_NORMAL);
2945 num_groups = count_sam_groups(info->disp_info);
2946 num_aliases = count_sam_aliases(info->disp_info);
2948 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
2949 u_logout = account_policy_temp;
2951 unix_to_nt_time_abs(&nt_logout, u_logout);
2953 if (!pdb_get_seq_num(&seq_num))
2954 seq_num = time(NULL);
2960 server_role = ROLE_DOMAIN_PDC;
2961 if (lp_server_role() == ROLE_DOMAIN_BDC)
2962 server_role = ROLE_DOMAIN_BDC;
2964 init_samr_DomGeneralInformation(&dom_info->general,
2985 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &ul);
2986 u_logout = (time_t)ul;
2993 unix_to_nt_time_abs(&nt_logout, u_logout);
2995 init_samr_DomInfo3(&dom_info->info3,
3000 init_samr_DomOEMInformation(&dom_info->oem,
3004 init_samr_DomInfo5(&dom_info->info5,
3005 get_global_sam_name());
3008 /* NT returns its own name when a PDC. win2k and later
3009 * only the name of the PDC if itself is a BDC (samba4
3011 init_samr_DomInfo6(&dom_info->info6,
3015 server_role = ROLE_DOMAIN_PDC;
3016 if (lp_server_role() == ROLE_DOMAIN_BDC)
3017 server_role = ROLE_DOMAIN_BDC;
3019 init_samr_DomInfo7(&dom_info->info7,
3028 if (!pdb_get_seq_num(&seq_num)) {
3029 seq_num = time(NULL);
3036 init_samr_DomInfo8(&dom_info->info8,
3046 pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
3047 u_lock_duration = account_policy_temp;
3048 if (u_lock_duration != -1) {
3049 u_lock_duration *= 60;
3052 pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
3053 u_reset_time = account_policy_temp * 60;
3055 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
3056 lockout = account_policy_temp;
3062 unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
3063 unix_to_nt_time_abs(&nt_reset_time, u_reset_time);
3065 init_samr_DomInfo12(&dom_info->info12,
3071 return NT_STATUS_INVALID_INFO_CLASS;
3074 *r->out.info = dom_info;
3076 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
3081 /* W2k3 seems to use the same check for all 3 objects that can be created via
3082 * SAMR, if you try to create for example "Dialup" as an alias it says
3083 * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
3086 static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name)
3088 enum lsa_SidType type;
3091 DEBUG(10, ("Checking whether [%s] can be created\n", new_name));
3094 /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
3095 * whether the name already exists */
3096 result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_LOCAL,
3097 NULL, NULL, NULL, &type);
3101 DEBUG(10, ("%s does not exist, can create it\n", new_name));
3102 return NT_STATUS_OK;
3105 DEBUG(5, ("trying to create %s, exists as %s\n",
3106 new_name, sid_type_lookup(type)));
3108 if (type == SID_NAME_DOM_GRP) {
3109 return NT_STATUS_GROUP_EXISTS;
3111 if (type == SID_NAME_ALIAS) {
3112 return NT_STATUS_ALIAS_EXISTS;
3115 /* Yes, the default is NT_STATUS_USER_EXISTS */
3116 return NT_STATUS_USER_EXISTS;
3119 /*******************************************************************
3121 ********************************************************************/
3123 NTSTATUS _samr_CreateUser2(pipes_struct *p,
3124 struct samr_CreateUser2 *r)
3126 const char *account = NULL;
3128 POLICY_HND dom_pol = *r->in.domain_handle;
3129 uint32_t acb_info = r->in.acct_flags;
3130 POLICY_HND *user_pol = r->out.user_handle;
3131 struct samr_info *info = NULL;
3136 /* check this, when giving away 'add computer to domain' privs */
3137 uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
3138 bool can_add_account = False;
3140 DISP_INFO *disp_info = NULL;
3142 /* Get the domain SID stored in the domain policy */
3143 if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted,
3145 return NT_STATUS_INVALID_HANDLE;
3147 nt_status = access_check_samr_function(acc_granted,
3148 SA_RIGHT_DOMAIN_CREATE_USER,
3149 "_samr_CreateUser2");
3150 if (!NT_STATUS_IS_OK(nt_status)) {
3154 if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST ||
3155 acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
3156 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3157 this parameter is not an account type */
3158 return NT_STATUS_INVALID_PARAMETER;
3161 account = r->in.account_name->string;
3162 if (account == NULL) {
3163 return NT_STATUS_NO_MEMORY;
3166 nt_status = can_create(p->mem_ctx, account);
3167 if (!NT_STATUS_IS_OK(nt_status)) {
3171 /* determine which user right we need to check based on the acb_info */
3173 if ( acb_info & ACB_WSTRUST )
3175 se_priv_copy( &se_rights, &se_machine_account );
3176 can_add_account = user_has_privileges(
3177 p->pipe_user.nt_user_token, &se_rights );
3179 /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
3180 account for domain trusts and changes the ACB flags later */
3181 else if ( acb_info & ACB_NORMAL &&
3182 (account[strlen(account)-1] != '$') )
3184 se_priv_copy( &se_rights, &se_add_users );
3185 can_add_account = user_has_privileges(
3186 p->pipe_user.nt_user_token, &se_rights );
3188 else /* implicit assumption of a BDC or domain trust account here
3189 * (we already check the flags earlier) */
3191 if ( lp_enable_privileges() ) {
3192 /* only Domain Admins can add a BDC or domain trust */
3193 se_priv_copy( &se_rights, &se_priv_none );
3194 can_add_account = nt_token_check_domain_rid(
3195 p->pipe_user.nt_user_token,
3196 DOMAIN_GROUP_RID_ADMINS );
3200 DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
3201 uidtoname(p->pipe_user.ut.uid),
3202 can_add_account ? "True":"False" ));
3204 /********** BEGIN Admin BLOCK **********/
3206 if ( can_add_account )
3209 nt_status = pdb_create_user(p->mem_ctx, account, acb_info,
3212 if ( can_add_account )
3215 /********** END Admin BLOCK **********/
3217 /* now check for failure */
3219 if ( !NT_STATUS_IS_OK(nt_status) )
3222 /* Get the user's SID */
3224 sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
3226 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3228 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
3229 &sid, SAMR_USR_RIGHTS_WRITE_PW);
3230 se_map_generic(&des_access, &usr_generic_mapping);
3232 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3233 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
3234 &acc_granted, "_samr_CreateUser2");
3236 if ( !NT_STATUS_IS_OK(nt_status) ) {
3240 /* associate the user's SID with the new handle. */
3241 if ((info = get_samr_info_by_sid(&sid)) == NULL) {
3242 return NT_STATUS_NO_MEMORY;
3247 info->acc_granted = acc_granted;
3249 /* get a (unique) handle. open a policy on it. */
3250 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) {
3251 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3254 /* After a "set" ensure we have no cached display info. */
3255 force_flush_samr_cache(info->disp_info);
3257 *r->out.access_granted = acc_granted;
3259 return NT_STATUS_OK;
3262 /*******************************************************************
3264 ********************************************************************/
3266 NTSTATUS _samr_Connect(pipes_struct *p,
3267 struct samr_Connect *r)
3269 struct samr_info *info = NULL;
3270 uint32 des_access = r->in.access_mask;
3274 if (!pipe_access_check(p)) {
3275 DEBUG(3, ("access denied to _samr_Connect\n"));
3276 return NT_STATUS_ACCESS_DENIED;
3279 /* set up the SAMR connect_anon response */
3281 /* associate the user's SID with the new handle. */
3282 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3283 return NT_STATUS_NO_MEMORY;
3285 /* don't give away the farm but this is probably ok. The SA_RIGHT_SAM_ENUM_DOMAINS
3286 was observed from a win98 client trying to enumerate users (when configured
3287 user level access control on shares) --jerry */
3289 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3291 se_map_generic( &des_access, &sam_generic_mapping );
3292 info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN);
3294 /* get a (unique) handle. open a policy on it. */
3295 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3296 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3298 return NT_STATUS_OK;
3301 /*******************************************************************
3303 ********************************************************************/
3305 NTSTATUS _samr_Connect2(pipes_struct *p,
3306 struct samr_Connect2 *r)
3308 struct samr_info *info = NULL;
3309 SEC_DESC *psd = NULL;
3311 uint32 des_access = r->in.access_mask;
3316 DEBUG(5,("_samr_Connect2: %d\n", __LINE__));
3320 if (!pipe_access_check(p)) {
3321 DEBUG(3, ("access denied to _samr_Connect2\n"));
3322 return NT_STATUS_ACCESS_DENIED;
3325 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3327 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3328 se_map_generic(&des_access, &sam_generic_mapping);
3330 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3331 NULL, 0, des_access, &acc_granted, "_samr_Connect2");
3333 if ( !NT_STATUS_IS_OK(nt_status) )
3336 /* associate the user's SID and access granted with the new handle. */
3337 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3338 return NT_STATUS_NO_MEMORY;
3340 info->acc_granted = acc_granted;
3341 info->status = r->in.access_mask; /* this looks so wrong... - gd */
3343 /* get a (unique) handle. open a policy on it. */
3344 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3345 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3347 DEBUG(5,("_samr_Connect2: %d\n", __LINE__));
3352 /*******************************************************************
3354 ********************************************************************/
3356 NTSTATUS _samr_Connect4(pipes_struct *p,
3357 struct samr_Connect4 *r)
3359 struct samr_info *info = NULL;
3360 SEC_DESC *psd = NULL;
3362 uint32 des_access = r->in.access_mask;
3367 DEBUG(5,("_samr_Connect4: %d\n", __LINE__));
3371 if (!pipe_access_check(p)) {
3372 DEBUG(3, ("access denied to samr_Connect4\n"));
3373 return NT_STATUS_ACCESS_DENIED;
3376 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3378 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3379 se_map_generic(&des_access, &sam_generic_mapping);
3381 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3382 NULL, 0, des_access, &acc_granted, "_samr_Connect4");
3384 if ( !NT_STATUS_IS_OK(nt_status) )
3387 /* associate the user's SID and access granted with the new handle. */
3388 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3389 return NT_STATUS_NO_MEMORY;
3391 info->acc_granted = acc_granted;
3392 info->status = r->in.access_mask; /* ??? */
3394 /* get a (unique) handle. open a policy on it. */
3395 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3396 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3398 DEBUG(5,("_samr_Connect4: %d\n", __LINE__));
3400 return NT_STATUS_OK;
3403 /*******************************************************************
3405 ********************************************************************/
3407 NTSTATUS _samr_Connect5(pipes_struct *p,
3408 struct samr_Connect5 *r)
3410 struct samr_info *info = NULL;
3411 SEC_DESC *psd = NULL;
3413 uint32 des_access = r->in.access_mask;
3416 struct samr_ConnectInfo1 info1;
3418 DEBUG(5,("_samr_Connect5: %d\n", __LINE__));
3422 if (!pipe_access_check(p)) {
3423 DEBUG(3, ("access denied to samr_Connect5\n"));
3424 return NT_STATUS_ACCESS_DENIED;
3427 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3429 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3430 se_map_generic(&des_access, &sam_generic_mapping);
3432 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3433 NULL, 0, des_access, &acc_granted, "_samr_Connect5");
3435 if ( !NT_STATUS_IS_OK(nt_status) )
3438 /* associate the user's SID and access granted with the new handle. */
3439 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3440 return NT_STATUS_NO_MEMORY;
3442 info->acc_granted = acc_granted;
3443 info->status = r->in.access_mask; /* ??? */
3445 /* get a (unique) handle. open a policy on it. */
3446 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3447 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3449 DEBUG(5,("_samr_Connect5: %d\n", __LINE__));
3451 info1.client_version = SAMR_CONNECT_AFTER_W2K;
3454 *r->out.level_out = 1;
3455 r->out.info_out->info1 = info1;
3457 return NT_STATUS_OK;
3460 /**********************************************************************
3462 **********************************************************************/
3464 NTSTATUS _samr_LookupDomain(pipes_struct *p,
3465 struct samr_LookupDomain *r)
3467 NTSTATUS status = NT_STATUS_OK;
3468 struct samr_info *info;
3469 const char *domain_name;
3470 DOM_SID *sid = NULL;
3472 if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
3473 return NT_STATUS_INVALID_HANDLE;
3475 /* win9x user manager likes to use SA_RIGHT_SAM_ENUM_DOMAINS here.
3476 Reverted that change so we will work with RAS servers again */
3478 status = access_check_samr_function(info->acc_granted,
3479 SA_RIGHT_SAM_OPEN_DOMAIN,
3480 "_samr_LookupDomain");
3481 if (!NT_STATUS_IS_OK(status)) {
3485 domain_name = r->in.domain_name->string;
3487 sid = TALLOC_ZERO_P(p->mem_ctx, struct dom_sid2);
3489 return NT_STATUS_NO_MEMORY;
3492 if (strequal(domain_name, builtin_domain_name())) {
3493 sid_copy(sid, &global_sid_Builtin);
3495 if (!secrets_fetch_domain_sid(domain_name, sid)) {
3496 status = NT_STATUS_NO_SUCH_DOMAIN;
3500 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name,
3501 sid_string_dbg(sid)));
3508 /**********************************************************************
3510 **********************************************************************/
3512 NTSTATUS _samr_EnumDomains(pipes_struct *p,
3513 struct samr_EnumDomains *r)
3516 struct samr_info *info;
3517 uint32_t num_entries = 2;
3518 struct samr_SamEntry *entry_array = NULL;
3519 struct samr_SamArray *sam;
3521 if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
3522 return NT_STATUS_INVALID_HANDLE;
3524 status = access_check_samr_function(info->acc_granted,
3525 SA_RIGHT_SAM_ENUM_DOMAINS,
3526 "_samr_EnumDomains");
3527 if (!NT_STATUS_IS_OK(status)) {
3531 sam = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
3533 return NT_STATUS_NO_MEMORY;
3536 entry_array = TALLOC_ZERO_ARRAY(p->mem_ctx,
3537 struct samr_SamEntry,
3540 return NT_STATUS_NO_MEMORY;
3543 entry_array[0].idx = 0;
3544 init_lsa_String(&entry_array[0].name, get_global_sam_name());
3546 entry_array[1].idx = 1;
3547 init_lsa_String(&entry_array[1].name, "Builtin");
3549 sam->count = num_entries;
3550 sam->entries = entry_array;
3553 *r->out.num_entries = num_entries;
3558 /*******************************************************************
3560 ********************************************************************/
3562 NTSTATUS _samr_OpenAlias(pipes_struct *p,
3563 struct samr_OpenAlias *r)
3566 POLICY_HND domain_pol = *r->in.domain_handle;
3567 uint32 alias_rid = r->in.rid;
3568 POLICY_HND *alias_pol = r->out.alias_handle;
3569 struct samr_info *info = NULL;
3570 SEC_DESC *psd = NULL;
3572 uint32 des_access = r->in.access_mask;
3577 /* find the domain policy and get the SID / access bits stored in the domain policy */
3579 if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) )
3580 return NT_STATUS_INVALID_HANDLE;
3582 status = access_check_samr_function(acc_granted,
3583 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
3586 if ( !NT_STATUS_IS_OK(status) )
3589 /* append the alias' RID to it */
3591 if (!sid_append_rid(&sid, alias_rid))
3592 return NT_STATUS_NO_SUCH_ALIAS;
3594 /*check if access can be granted as requested by client. */
3596 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3598 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
3599 se_map_generic(&des_access,&ali_generic_mapping);
3601 se_priv_copy( &se_rights, &se_add_users );
3604 status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3605 &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access,
3606 &acc_granted, "_samr_OpenAlias");
3608 if ( !NT_STATUS_IS_OK(status) )
3612 /* Check we actually have the requested alias */
3613 enum lsa_SidType type;
3618 result = lookup_sid(NULL, &sid, NULL, NULL, &type);
3621 if (!result || (type != SID_NAME_ALIAS)) {
3622 return NT_STATUS_NO_SUCH_ALIAS;
3625 /* make sure there is a mapping */
3627 if ( !sid_to_gid( &sid, &gid ) ) {
3628 return NT_STATUS_NO_SUCH_ALIAS;
3633 /* associate the alias SID with the new handle. */
3634 if ((info = get_samr_info_by_sid(&sid)) == NULL)
3635 return NT_STATUS_NO_MEMORY;
3637 info->acc_granted = acc_granted;
3639 /* get a (unique) handle. open a policy on it. */
3640 if (!create_policy_hnd(p, alias_pol, free_samr_info, (void *)info))
3641 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3643 return NT_STATUS_OK;
3646 /*******************************************************************
3648 ********************************************************************/
3650 static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx,
3651 struct samr_UserInfo7 *id7,
3657 DEBUG(5, ("set_user_info_7: NULL id7\n"));
3659 return NT_STATUS_ACCESS_DENIED;
3662 if (!id7->account_name.string) {
3663 DEBUG(5, ("set_user_info_7: failed to get new username\n"));
3665 return NT_STATUS_ACCESS_DENIED;
3668 /* check to see if the new username already exists. Note: we can't
3669 reliably lock all backends, so there is potentially the
3670 possibility that a user can be created in between this check and
3671 the rename. The rename should fail, but may not get the
3672 exact same failure status code. I think this is small enough
3673 of a window for this type of operation and the results are
3674 simply that the rename fails with a slightly different status
3675 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3677 rc = can_create(mem_ctx, id7->account_name.string);
3678 if (!NT_STATUS_IS_OK(rc)) {
3682 rc = pdb_rename_sam_account(pwd, id7->account_name.string);
3688 /*******************************************************************
3690 ********************************************************************/
3692 static bool set_user_info_16(struct samr_UserInfo16 *id16,
3696 DEBUG(5, ("set_user_info_16: NULL id16\n"));
3701 /* FIX ME: check if the value is really changed --metze */
3702 if (!pdb_set_acct_ctrl(pwd, id16->acct_flags, PDB_CHANGED)) {
3707 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3717 /*******************************************************************
3719 ********************************************************************/
3721 static bool set_user_info_18(struct samr_UserInfo18 *id18,
3725 DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
3730 if (!pdb_set_lanman_passwd (pwd, id18->lm_pwd.hash, PDB_CHANGED)) {
3734 if (!pdb_set_nt_passwd (pwd, id18->nt_pwd.hash, PDB_CHANGED)) {
3738 if (!pdb_set_pass_last_set_time (pwd, time(NULL), PDB_CHANGED)) {
3743 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3752 /*******************************************************************
3754 ********************************************************************/
3756 static bool set_user_info_20(struct samr_UserInfo20 *id20,
3760 DEBUG(5, ("set_user_info_20: NULL id20\n"));
3764 copy_id20_to_sam_passwd(pwd, id20);
3766 /* write the change out */
3767 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3777 /*******************************************************************
3779 ********************************************************************/
3781 static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx,
3782 struct samr_UserInfo21 *id21,
3788 DEBUG(5, ("set_user_info_21: NULL id21\n"));
3789 return NT_STATUS_INVALID_PARAMETER;
3792 /* we need to separately check for an account rename first */
3794 if (id21->account_name.string &&
3795 (!strequal(id21->account_name.string, pdb_get_username(pwd))))
3798 /* check to see if the new username already exists. Note: we can't
3799 reliably lock all backends, so there is potentially the
3800 possibility that a user can be created in between this check and
3801 the rename. The rename should fail, but may not get the
3802 exact same failure status code. I think this is small enough
3803 of a window for this type of operation and the results are
3804 simply that the rename fails with a slightly different status
3805 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3807 status = can_create(mem_ctx, id21->account_name.string);
3808 if (!NT_STATUS_IS_OK(status)) {
3812 status = pdb_rename_sam_account(pwd, id21->account_name.string);
3814 if (!NT_STATUS_IS_OK(status)) {
3815 DEBUG(0,("set_user_info_21: failed to rename account: %s\n",
3816 nt_errstr(status)));
3821 /* set the new username so that later
3822 functions can work on the new account */
3823 pdb_set_username(pwd, id21->account_name.string, PDB_SET);
3826 copy_id21_to_sam_passwd("INFO_21", pwd, id21);
3829 * The funny part about the previous two calls is
3830 * that pwd still has the password hashes from the
3831 * passdb entry. These have not been updated from
3832 * id21. I don't know if they need to be set. --jerry
3835 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
3836 status = pdb_set_unix_primary_group(mem_ctx, pwd);
3837 if ( !NT_STATUS_IS_OK(status) ) {
3842 /* Don't worry about writing out the user account since the
3843 primary group SID is generated solely from the user's Unix
3846 /* write the change out */
3847 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
3854 return NT_STATUS_OK;
3857 /*******************************************************************
3859 ********************************************************************/
3861 static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx,
3862 struct samr_UserInfo23 *id23,
3865 char *plaintext_buf = NULL;
3871 DEBUG(5, ("set_user_info_23: NULL id23\n"));
3872 return NT_STATUS_INVALID_PARAMETER;
3875 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
3876 pdb_get_username(pwd)));
3878 acct_ctrl = pdb_get_acct_ctrl(pwd);
3880 if (!decode_pw_buffer(mem_ctx,
3881 id23->password.data,
3886 return NT_STATUS_INVALID_PARAMETER;
3889 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
3891 return NT_STATUS_ACCESS_DENIED;
3894 copy_id23_to_sam_passwd(pwd, id23);
3896 /* if it's a trust account, don't update /etc/passwd */
3897 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
3898 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
3899 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
3900 DEBUG(5, ("Changing trust account. Not updating /etc/passwd\n"));
3902 /* update the UNIX password */
3903 if (lp_unix_password_sync() ) {
3904 struct passwd *passwd;
3905 if (pdb_get_username(pwd) == NULL) {
3906 DEBUG(1, ("chgpasswd: User without name???\n"));
3908 return NT_STATUS_ACCESS_DENIED;
3911 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
3912 if (passwd == NULL) {
3913 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
3916 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
3918 return NT_STATUS_ACCESS_DENIED;
3920 TALLOC_FREE(passwd);
3924 memset(plaintext_buf, '\0', strlen(plaintext_buf));
3926 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) &&
3927 (!NT_STATUS_IS_OK(status = pdb_set_unix_primary_group(mem_ctx,
3933 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
3940 return NT_STATUS_OK;
3943 /*******************************************************************
3945 ********************************************************************/
3947 static bool set_user_info_pw(uint8 *pass, struct samu *pwd,
3951 char *plaintext_buf = NULL;
3953 time_t last_set_time;
3954 enum pdb_value_state last_set_state;
3956 DEBUG(5, ("Attempting administrator password change for user %s\n",
3957 pdb_get_username(pwd)));
3959 acct_ctrl = pdb_get_acct_ctrl(pwd);
3960 /* we need to know if it's expired, because this is an admin change, not a
3961 user change, so it's still expired when we're done */
3962 last_set_state = pdb_get_init_flags(pwd, PDB_PASSLASTSET);
3963 last_set_time = pdb_get_pass_last_set_time(pwd);
3965 if (!decode_pw_buffer(talloc_tos(),
3974 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
3979 /* if it's a trust account, don't update /etc/passwd */
3980 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
3981 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
3982 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
3983 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
3985 /* update the UNIX password */
3986 if (lp_unix_password_sync()) {
3987 struct passwd *passwd;
3989 if (pdb_get_username(pwd) == NULL) {
3990 DEBUG(1, ("chgpasswd: User without name???\n"));
3995 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
3996 if (passwd == NULL) {
3997 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4000 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
4004 TALLOC_FREE(passwd);
4008 memset(plaintext_buf, '\0', strlen(plaintext_buf));
4011 * A level 25 change does reset the pwdlastset field, a level 24
4012 * change does not. I know this is probably not the full story, but
4013 * it is needed to make XP join LDAP correctly, without it the later
4014 * auth2 check can fail with PWD_MUST_CHANGE.
4018 * restore last set time as this is an admin change, not a
4021 pdb_set_pass_last_set_time (pwd, last_set_time,
4025 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
4027 /* update the SAMBA password */
4028 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
4038 /*******************************************************************
4040 ********************************************************************/
4042 static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx,
4043 struct samr_UserInfo25 *id25,
4049 DEBUG(5, ("set_user_info_25: NULL id25\n"));
4050 return NT_STATUS_INVALID_PARAMETER;
4053 copy_id25_to_sam_passwd(pwd, id25);
4055 /* write the change out */
4056 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4062 * We need to "pdb_update_sam_account" before the unix primary group
4063 * is set, because the idealx scripts would also change the
4064 * sambaPrimaryGroupSid using the ldap replace method. pdb_ldap uses
4065 * the delete explicit / add explicit, which would then fail to find
4066 * the previous primaryGroupSid value.
4069 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
4070 status = pdb_set_unix_primary_group(mem_ctx, pwd);
4071 if ( !NT_STATUS_IS_OK(status) ) {
4076 /* WARNING: No TALLOC_FREE(pwd), we are about to set the password
4079 return NT_STATUS_OK;
4082 /*******************************************************************
4084 ********************************************************************/
4086 NTSTATUS _samr_SetUserInfo(pipes_struct *p,
4087 struct samr_SetUserInfo *r)
4090 struct samu *pwd = NULL;
4092 POLICY_HND *pol = r->in.user_handle;
4093 union samr_UserInfo *info = r->in.info;
4094 uint16_t switch_value = r->in.level;
4095 uint32_t acc_granted;
4096 uint32_t acc_required;
4098 bool has_enough_rights = False;
4100 DISP_INFO *disp_info = NULL;
4102 DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__));
4104 /* find the policy handle. open a policy on it. */
4105 if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) {
4106 return NT_STATUS_INVALID_HANDLE;
4109 /* This is tricky. A WinXP domain join sets
4110 (SA_RIGHT_USER_SET_PASSWORD|SA_RIGHT_USER_SET_ATTRIBUTES|SA_RIGHT_USER_ACCT_FLAGS_EXPIRY)
4111 The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the
4112 standard Win32 API calls just ask for SA_RIGHT_USER_SET_PASSWORD in the SamrOpenUser().
4113 This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so
4114 we'll use the set from the WinXP join as the basis. */
4116 switch (switch_value) {
4121 acc_required = SA_RIGHT_USER_SET_PASSWORD;
4124 acc_required = SA_RIGHT_USER_SET_PASSWORD |
4125 SA_RIGHT_USER_SET_ATTRIBUTES |
4126 SA_RIGHT_USER_ACCT_FLAGS_EXPIRY;
4130 status = access_check_samr_function(acc_granted,
4132 "_samr_SetUserInfo");
4133 if (!NT_STATUS_IS_OK(status)) {
4137 DEBUG(5, ("_samr_SetUserInfo: sid:%s, level:%d\n",
4138 sid_string_dbg(&sid), switch_value));
4141 DEBUG(5, ("_samr_SetUserInfo: NULL info level\n"));
4142 return NT_STATUS_INVALID_INFO_CLASS;
4145 if (!(pwd = samu_new(NULL))) {
4146 return NT_STATUS_NO_MEMORY;
4150 ret = pdb_getsampwsid(pwd, &sid);
4155 return NT_STATUS_NO_SUCH_USER;
4158 /* deal with machine password changes differently from userinfo changes */
4159 /* check to see if we have the sufficient rights */
4161 acb_info = pdb_get_acct_ctrl(pwd);
4162 if (acb_info & ACB_WSTRUST)
4163 has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token,
4164 &se_machine_account);
4165 else if (acb_info & ACB_NORMAL)
4166 has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token,
4168 else if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
4169 if (lp_enable_privileges()) {
4170 has_enough_rights = nt_token_check_domain_rid(p->pipe_user.nt_user_token,
4171 DOMAIN_GROUP_RID_ADMINS);
4175 DEBUG(5, ("_samr_SetUserInfo: %s does%s possess sufficient rights\n",
4176 uidtoname(p->pipe_user.ut.uid),
4177 has_enough_rights ? "" : " not"));
4179 /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
4181 if (has_enough_rights) {
4185 /* ok! user info levels (lots: see MSDEV help), off we go... */
4187 switch (switch_value) {
4190 status = set_user_info_7(p->mem_ctx,
4195 if (!set_user_info_16(&info->info16, pwd)) {
4196 status = NT_STATUS_ACCESS_DENIED;
4201 /* Used by AS/U JRA. */
4202 if (!set_user_info_18(&info->info18, pwd)) {
4203 status = NT_STATUS_ACCESS_DENIED;
4208 if (!set_user_info_20(&info->info20, pwd)) {
4209 status = NT_STATUS_ACCESS_DENIED;
4214 status = set_user_info_21(p->mem_ctx,
4215 &info->info21, pwd);
4219 if (!p->server_info->user_session_key.length) {
4220 status = NT_STATUS_NO_USER_SESSION_KEY;
4222 SamOEMhashBlob(info->info23.password.data, 516,
4223 &p->server_info->user_session_key);
4225 dump_data(100, info->info23.password.data, 516);
4227 status = set_user_info_23(p->mem_ctx,
4228 &info->info23, pwd);
4232 if (!p->server_info->user_session_key.length) {
4233 status = NT_STATUS_NO_USER_SESSION_KEY;
4235 SamOEMhashBlob(info->info24.password.data,
4237 &p->server_info->user_session_key);
4239 dump_data(100, info->info24.password.data, 516);
4241 if (!set_user_info_pw(info->info24.password.data, pwd,
4243 status = NT_STATUS_ACCESS_DENIED;
4248 if (!p->server_info->user_session_key.length) {
4249 status = NT_STATUS_NO_USER_SESSION_KEY;
4251 encode_or_decode_arc4_passwd_buffer(
4252 info->info25.password.data,
4253 &p->server_info->user_session_key);
4255 dump_data(100, info->info25.password.data, 532);
4257 status = set_user_info_25(p->mem_ctx,
4258 &info->info25, pwd);
4259 if (!NT_STATUS_IS_OK(status)) {
4262 if (!set_user_info_pw(info->info25.password.data, pwd,
4264 status = NT_STATUS_ACCESS_DENIED;
4269 if (!p->server_info->user_session_key.length) {
4270 status = NT_STATUS_NO_USER_SESSION_KEY;
4272 encode_or_decode_arc4_passwd_buffer(
4273 info->info26.password.data,
4274 &p->server_info->user_session_key);
4276 dump_data(100, info->info26.password.data, 516);
4278 if (!set_user_info_pw(info->info26.password.data, pwd,
4280 status = NT_STATUS_ACCESS_DENIED;
4285 status = NT_STATUS_INVALID_INFO_CLASS;
4290 if (has_enough_rights) {
4294 /* ================ END SeMachineAccountPrivilege BLOCK ================ */
4296 if (NT_STATUS_IS_OK(status)) {
4297 force_flush_samr_cache(disp_info);
4303 /*******************************************************************
4305 ********************************************************************/
4307 NTSTATUS _samr_SetUserInfo2(pipes_struct *p,
4308 struct samr_SetUserInfo2 *r)
4310 struct samr_SetUserInfo q;
4312 q.in.user_handle = r->in.user_handle;
4313 q.in.level = r->in.level;
4314 q.in.info = r->in.info;
4316 return _samr_SetUserInfo(p, &q);
4319 /*********************************************************************
4320 _samr_GetAliasMembership
4321 *********************************************************************/
4323 NTSTATUS _samr_GetAliasMembership(pipes_struct *p,
4324 struct samr_GetAliasMembership *r)
4326 size_t num_alias_rids;
4328 struct samr_info *info = NULL;
4336 DEBUG(5,("_samr_GetAliasMembership: %d\n", __LINE__));
4338 /* find the policy handle. open a policy on it. */
4339 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
4340 return NT_STATUS_INVALID_HANDLE;
4342 ntstatus1 = access_check_samr_function(info->acc_granted,
4343 SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM,
4344 "_samr_GetAliasMembership");
4345 ntstatus2 = access_check_samr_function(info->acc_granted,
4346 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
4347 "_samr_GetAliasMembership");
4349 if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
4350 if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
4351 !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {
4352 return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1;
4356 if (!sid_check_is_domain(&info->sid) &&
4357 !sid_check_is_builtin(&info->sid))
4358 return NT_STATUS_OBJECT_TYPE_MISMATCH;
4360 if (r->in.sids->num_sids) {
4361 members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, r->in.sids->num_sids);
4363 if (members == NULL)
4364 return NT_STATUS_NO_MEMORY;
4369 for (i=0; i<r->in.sids->num_sids; i++)
4370 sid_copy(&members[i], r->in.sids->sids[i].sid);
4376 ntstatus1 = pdb_enum_alias_memberships(p->mem_ctx, &info->sid, members,
4377 r->in.sids->num_sids,
4378 &alias_rids, &num_alias_rids);
4381 if (!NT_STATUS_IS_OK(ntstatus1)) {
4385 r->out.rids->count = num_alias_rids;
4386 r->out.rids->ids = alias_rids;
4388 return NT_STATUS_OK;
4391 /*********************************************************************
4392 _samr_GetMembersInAlias
4393 *********************************************************************/
4395 NTSTATUS _samr_GetMembersInAlias(pipes_struct *p,
4396 struct samr_GetMembersInAlias *r)
4400 size_t num_sids = 0;
4401 struct lsa_SidPtr *sids = NULL;
4402 DOM_SID *pdb_sids = NULL;
4408 /* find the policy handle. open a policy on it. */
4409 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, NULL))
4410 return NT_STATUS_INVALID_HANDLE;
4412 status = access_check_samr_function(acc_granted,
4413 SA_RIGHT_ALIAS_GET_MEMBERS,
4414 "_samr_GetMembersInAlias");
4415 if (!NT_STATUS_IS_OK(status)) {
4419 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4422 status = pdb_enum_aliasmem(&alias_sid, &pdb_sids, &num_sids);
4425 if (!NT_STATUS_IS_OK(status)) {
4430 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr, num_sids);
4432 TALLOC_FREE(pdb_sids);
4433 return NT_STATUS_NO_MEMORY;
4437 for (i = 0; i < num_sids; i++) {
4438 sids[i].sid = sid_dup_talloc(p->mem_ctx, &pdb_sids[i]);
4440 TALLOC_FREE(pdb_sids);
4441 return NT_STATUS_NO_MEMORY;
4445 r->out.sids->num_sids = num_sids;
4446 r->out.sids->sids = sids;
4448 TALLOC_FREE(pdb_sids);
4450 return NT_STATUS_OK;
4453 /*********************************************************************
4454 _samr_QueryGroupMember
4455 *********************************************************************/
4457 NTSTATUS _samr_QueryGroupMember(pipes_struct *p,
4458 struct samr_QueryGroupMember *r)
4461 size_t i, num_members;
4469 struct samr_RidTypeArray *rids = NULL;
4471 rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidTypeArray);
4473 return NT_STATUS_NO_MEMORY;
4476 /* find the policy handle. open a policy on it. */
4477 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL))
4478 return NT_STATUS_INVALID_HANDLE;
4480 status = access_check_samr_function(acc_granted,
4481 SA_RIGHT_GROUP_GET_MEMBERS,
4482 "_samr_QueryGroupMember");
4483 if (!NT_STATUS_IS_OK(status)) {
4487 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4489 if (!sid_check_is_in_our_domain(&group_sid)) {
4490 DEBUG(3, ("sid %s is not in our domain\n",
4491 sid_string_dbg(&group_sid)));
4492 return NT_STATUS_NO_SUCH_GROUP;
4495 DEBUG(10, ("lookup on Domain SID\n"));
4498 status = pdb_enum_group_members(p->mem_ctx, &group_sid,
4499 &rid, &num_members);
4502 if (!NT_STATUS_IS_OK(status))
4506 attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members);
4508 return NT_STATUS_NO_MEMORY;
4514 for (i=0; i<num_members; i++)
4515 attr[i] = SID_NAME_USER;
4517 rids->count = num_members;
4521 *r->out.rids = rids;
4523 return NT_STATUS_OK;
4526 /*********************************************************************
4527 _samr_AddAliasMember
4528 *********************************************************************/
4530 NTSTATUS _samr_AddAliasMember(pipes_struct *p,
4531 struct samr_AddAliasMember *r)
4536 bool can_add_accounts;
4538 DISP_INFO *disp_info = NULL;
4540 /* Find the policy handle. Open a policy on it. */
4541 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4542 return NT_STATUS_INVALID_HANDLE;
4544 status = access_check_samr_function(acc_granted,
4545 SA_RIGHT_ALIAS_ADD_MEMBER,
4546 "_samr_AddAliasMember");
4547 if (!NT_STATUS_IS_OK(status)) {
4551 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4553 se_priv_copy( &se_rights, &se_add_users );
4554 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4556 /******** BEGIN SeAddUsers BLOCK *********/
4558 if ( can_add_accounts )
4561 status = pdb_add_aliasmem(&alias_sid, r->in.sid);
4563 if ( can_add_accounts )
4566 /******** END SeAddUsers BLOCK *********/
4568 if (NT_STATUS_IS_OK(status)) {
4569 force_flush_samr_cache(disp_info);
4575 /*********************************************************************
4576 _samr_DeleteAliasMember
4577 *********************************************************************/
4579 NTSTATUS _samr_DeleteAliasMember(pipes_struct *p,
4580 struct samr_DeleteAliasMember *r)
4585 bool can_add_accounts;
4587 DISP_INFO *disp_info = NULL;
4589 /* Find the policy handle. Open a policy on it. */
4590 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4591 return NT_STATUS_INVALID_HANDLE;
4593 status = access_check_samr_function(acc_granted,
4594 SA_RIGHT_ALIAS_REMOVE_MEMBER,
4595 "_samr_DeleteAliasMember");
4596 if (!NT_STATUS_IS_OK(status)) {
4600 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
4601 sid_string_dbg(&alias_sid)));
4603 se_priv_copy( &se_rights, &se_add_users );
4604 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4606 /******** BEGIN SeAddUsers BLOCK *********/
4608 if ( can_add_accounts )
4611 status = pdb_del_aliasmem(&alias_sid, r->in.sid);
4613 if ( can_add_accounts )
4616 /******** END SeAddUsers BLOCK *********/
4618 if (NT_STATUS_IS_OK(status)) {
4619 force_flush_samr_cache(disp_info);
4625 /*********************************************************************
4626 _samr_AddGroupMember
4627 *********************************************************************/
4629 NTSTATUS _samr_AddGroupMember(pipes_struct *p,
4630 struct samr_AddGroupMember *r)
4637 bool can_add_accounts;
4638 DISP_INFO *disp_info = NULL;
4640 /* Find the policy handle. Open a policy on it. */
4641 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4642 return NT_STATUS_INVALID_HANDLE;
4644 status = access_check_samr_function(acc_granted,
4645 SA_RIGHT_GROUP_ADD_MEMBER,
4646 "_samr_AddGroupMember");
4647 if (!NT_STATUS_IS_OK(status)) {
4651 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4653 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4655 return NT_STATUS_INVALID_HANDLE;
4658 se_priv_copy( &se_rights, &se_add_users );
4659 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4661 /******** BEGIN SeAddUsers BLOCK *********/
4663 if ( can_add_accounts )
4666 status = pdb_add_groupmem(p->mem_ctx, group_rid, r->in.rid);
4668 if ( can_add_accounts )
4671 /******** END SeAddUsers BLOCK *********/
4673 force_flush_samr_cache(disp_info);
4678 /*********************************************************************
4679 _samr_DeleteGroupMember
4680 *********************************************************************/
4682 NTSTATUS _samr_DeleteGroupMember(pipes_struct *p,
4683 struct samr_DeleteGroupMember *r)
4691 bool can_add_accounts;
4692 DISP_INFO *disp_info = NULL;
4695 * delete the group member named r->in.rid
4696 * who is a member of the sid associated with the handle
4697 * the rid is a user's rid as the group is a domain group.
4700 /* Find the policy handle. Open a policy on it. */
4701 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4702 return NT_STATUS_INVALID_HANDLE;
4704 status = access_check_samr_function(acc_granted,
4705 SA_RIGHT_GROUP_REMOVE_MEMBER,
4706 "_samr_DeleteGroupMember");
4707 if (!NT_STATUS_IS_OK(status)) {
4711 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4713 return NT_STATUS_INVALID_HANDLE;
4716 se_priv_copy( &se_rights, &se_add_users );
4717 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4719 /******** BEGIN SeAddUsers BLOCK *********/
4721 if ( can_add_accounts )
4724 status = pdb_del_groupmem(p->mem_ctx, group_rid, r->in.rid);
4726 if ( can_add_accounts )
4729 /******** END SeAddUsers BLOCK *********/
4731 force_flush_samr_cache(disp_info);
4736 /*********************************************************************
4738 *********************************************************************/
4740 NTSTATUS _samr_DeleteUser(pipes_struct *p,
4741 struct samr_DeleteUser *r)
4745 struct samu *sam_pass=NULL;
4747 bool can_add_accounts;
4749 DISP_INFO *disp_info = NULL;
4752 DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__));
4754 /* Find the policy handle. Open a policy on it. */
4755 if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &user_sid, &acc_granted, &disp_info))
4756 return NT_STATUS_INVALID_HANDLE;
4758 status = access_check_samr_function(acc_granted,
4759 STD_RIGHT_DELETE_ACCESS,
4760 "_samr_DeleteUser");
4761 if (!NT_STATUS_IS_OK(status)) {
4765 if (!sid_check_is_in_our_domain(&user_sid))
4766 return NT_STATUS_CANNOT_DELETE;
4768 /* check if the user exists before trying to delete */
4769 if ( !(sam_pass = samu_new( NULL )) ) {
4770 return NT_STATUS_NO_MEMORY;
4774 ret = pdb_getsampwsid(sam_pass, &user_sid);
4778 DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
4779 sid_string_dbg(&user_sid)));
4780 TALLOC_FREE(sam_pass);
4781 return NT_STATUS_NO_SUCH_USER;
4784 acb_info = pdb_get_acct_ctrl(sam_pass);
4786 /* For machine accounts it's the SeMachineAccountPrivilege that counts. */
4787 if ( acb_info & ACB_WSTRUST ) {
4788 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account );
4790 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
4793 /******** BEGIN SeAddUsers BLOCK *********/
4795 if ( can_add_accounts )
4798 status = pdb_delete_user(p->mem_ctx, sam_pass);
4800 if ( can_add_accounts )
4803 /******** END SeAddUsers BLOCK *********/
4805 if ( !NT_STATUS_IS_OK(status) ) {
4806 DEBUG(5,("_samr_DeleteUser: Failed to delete entry for "
4807 "user %s: %s.\n", pdb_get_username(sam_pass),
4808 nt_errstr(status)));
4809 TALLOC_FREE(sam_pass);
4814 TALLOC_FREE(sam_pass);
4816 if (!close_policy_hnd(p, r->in.user_handle))
4817 return NT_STATUS_OBJECT_NAME_INVALID;
4819 ZERO_STRUCTP(r->out.user_handle);
4821 force_flush_samr_cache(disp_info);
4823 return NT_STATUS_OK;
4826 /*********************************************************************
4827 _samr_DeleteDomainGroup
4828 *********************************************************************/
4830 NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p,
4831 struct samr_DeleteDomainGroup *r)
4838 bool can_add_accounts;
4839 DISP_INFO *disp_info = NULL;
4841 DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__));
4843 /* Find the policy handle. Open a policy on it. */
4844 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4845 return NT_STATUS_INVALID_HANDLE;
4847 status = access_check_samr_function(acc_granted,
4848 STD_RIGHT_DELETE_ACCESS,
4849 "_samr_DeleteDomainGroup");
4850 if (!NT_STATUS_IS_OK(status)) {
4854 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4856 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4858 return NT_STATUS_NO_SUCH_GROUP;
4861 se_priv_copy( &se_rights, &se_add_users );
4862 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4864 /******** BEGIN SeAddUsers BLOCK *********/
4866 if ( can_add_accounts )
4869 status = pdb_delete_dom_group(p->mem_ctx, group_rid);
4871 if ( can_add_accounts )
4874 /******** END SeAddUsers BLOCK *********/
4876 if ( !NT_STATUS_IS_OK(status) ) {
4877 DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping "
4878 "entry for group %s: %s\n",
4879 sid_string_dbg(&group_sid),
4880 nt_errstr(status)));
4884 if (!close_policy_hnd(p, r->in.group_handle))
4885 return NT_STATUS_OBJECT_NAME_INVALID;
4887 force_flush_samr_cache(disp_info);
4889 return NT_STATUS_OK;
4892 /*********************************************************************
4893 _samr_DeleteDomAlias
4894 *********************************************************************/
4896 NTSTATUS _samr_DeleteDomAlias(pipes_struct *p,
4897 struct samr_DeleteDomAlias *r)
4902 bool can_add_accounts;
4904 DISP_INFO *disp_info = NULL;
4906 DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__));
4908 /* Find the policy handle. Open a policy on it. */
4909 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4910 return NT_STATUS_INVALID_HANDLE;
4912 /* copy the handle to the outgoing reply */
4914 memcpy(r->out.alias_handle, r->in.alias_handle, sizeof(r->out.alias_handle));
4916 status = access_check_samr_function(acc_granted,
4917 STD_RIGHT_DELETE_ACCESS,
4918 "_samr_DeleteDomAlias");
4919 if (!NT_STATUS_IS_OK(status)) {
4923 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4925 /* Don't let Windows delete builtin groups */
4927 if ( sid_check_is_in_builtin( &alias_sid ) ) {
4928 return NT_STATUS_SPECIAL_ACCOUNT;
4931 if (!sid_check_is_in_our_domain(&alias_sid))
4932 return NT_STATUS_NO_SUCH_ALIAS;
4934 DEBUG(10, ("lookup on Local SID\n"));
4936 se_priv_copy( &se_rights, &se_add_users );
4937 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4939 /******** BEGIN SeAddUsers BLOCK *********/
4941 if ( can_add_accounts )
4944 /* Have passdb delete the alias */
4945 status = pdb_delete_alias(&alias_sid);
4947 if ( can_add_accounts )
4950 /******** END SeAddUsers BLOCK *********/
4952 if ( !NT_STATUS_IS_OK(status))
4955 if (!close_policy_hnd(p, r->in.alias_handle))
4956 return NT_STATUS_OBJECT_NAME_INVALID;
4958 force_flush_samr_cache(disp_info);
4960 return NT_STATUS_OK;
4963 /*********************************************************************
4964 _samr_CreateDomainGroup
4965 *********************************************************************/
4967 NTSTATUS _samr_CreateDomainGroup(pipes_struct *p,
4968 struct samr_CreateDomainGroup *r)
4975 struct samr_info *info;
4978 bool can_add_accounts;
4979 DISP_INFO *disp_info = NULL;
4981 /* Find the policy handle. Open a policy on it. */
4982 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info))
4983 return NT_STATUS_INVALID_HANDLE;
4985 status = access_check_samr_function(acc_granted,
4986 SA_RIGHT_DOMAIN_CREATE_GROUP,
4987 "_samr_CreateDomainGroup");
4988 if (!NT_STATUS_IS_OK(status)) {
4992 if (!sid_equal(&dom_sid, get_global_sam_sid()))
4993 return NT_STATUS_ACCESS_DENIED;
4995 name = r->in.name->string;
4997 return NT_STATUS_NO_MEMORY;
5000 status = can_create(p->mem_ctx, name);
5001 if (!NT_STATUS_IS_OK(status)) {
5005 se_priv_copy( &se_rights, &se_add_users );
5006 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
5008 /******** BEGIN SeAddUsers BLOCK *********/
5010 if ( can_add_accounts )
5013 /* check that we successfully create the UNIX group */
5015 status = pdb_create_dom_group(p->mem_ctx, name, r->out.rid);
5017 if ( can_add_accounts )
5020 /******** END SeAddUsers BLOCK *********/
5022 /* check if we should bail out here */
5024 if ( !NT_STATUS_IS_OK(status) )
5027 sid_compose(&info_sid, get_global_sam_sid(), *r->out.rid);
5029 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
5030 return NT_STATUS_NO_MEMORY;
5032 /* they created it; let the user do what he wants with it */
5034 info->acc_granted = GENERIC_RIGHTS_GROUP_ALL_ACCESS;
5036 /* get a (unique) handle. open a policy on it. */
5037 if (!create_policy_hnd(p, r->out.group_handle, free_samr_info, (void *)info))
5038 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5040 force_flush_samr_cache(disp_info);
5042 return NT_STATUS_OK;
5045 /*********************************************************************
5046 _samr_CreateDomAlias
5047 *********************************************************************/
5049 NTSTATUS _samr_CreateDomAlias(pipes_struct *p,
5050 struct samr_CreateDomAlias *r)
5054 const char *name = NULL;
5055 struct samr_info *info;
5060 bool can_add_accounts;
5061 DISP_INFO *disp_info = NULL;
5063 /* Find the policy handle. Open a policy on it. */
5064 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info))
5065 return NT_STATUS_INVALID_HANDLE;
5067 result = access_check_samr_function(acc_granted,
5068 SA_RIGHT_DOMAIN_CREATE_ALIAS,
5069 "_samr_CreateDomAlias");
5070 if (!NT_STATUS_IS_OK(result)) {
5074 if (!sid_equal(&dom_sid, get_global_sam_sid()))
5075 return NT_STATUS_ACCESS_DENIED;
5077 name = r->in.alias_name->string;
5079 se_priv_copy( &se_rights, &se_add_users );
5080 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
5082 result = can_create(p->mem_ctx, name);
5083 if (!NT_STATUS_IS_OK(result)) {
5087 /******** BEGIN SeAddUsers BLOCK *********/
5089 if ( can_add_accounts )
5092 /* Have passdb create the alias */
5093 result = pdb_create_alias(name, r->out.rid);
5095 if ( can_add_accounts )
5098 /******** END SeAddUsers BLOCK *********/
5100 if (!NT_STATUS_IS_OK(result)) {
5101 DEBUG(10, ("pdb_create_alias failed: %s\n",
5102 nt_errstr(result)));
5106 sid_copy(&info_sid, get_global_sam_sid());
5107 sid_append_rid(&info_sid, *r->out.rid);
5109 if (!sid_to_gid(&info_sid, &gid)) {
5110 DEBUG(10, ("Could not find alias just created\n"));
5111 return NT_STATUS_ACCESS_DENIED;
5114 /* check if the group has been successfully created */
5115 if ( getgrgid(gid) == NULL ) {
5116 DEBUG(10, ("getgrgid(%d) of just created alias failed\n",
5118 return NT_STATUS_ACCESS_DENIED;
5121 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
5122 return NT_STATUS_NO_MEMORY;
5124 /* they created it; let the user do what he wants with it */
5126 info->acc_granted = GENERIC_RIGHTS_ALIAS_ALL_ACCESS;
5128 /* get a (unique) handle. open a policy on it. */
5129 if (!create_policy_hnd(p, r->out.alias_handle, free_samr_info, (void *)info))
5130 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5132 force_flush_samr_cache(disp_info);
5134 return NT_STATUS_OK;
5137 /*********************************************************************
5138 _samr_QueryGroupInfo
5139 *********************************************************************/
5141 NTSTATUS _samr_QueryGroupInfo(pipes_struct *p,
5142 struct samr_QueryGroupInfo *r)
5147 union samr_GroupInfo *info = NULL;
5150 uint32_t attributes = SE_GROUP_MANDATORY |
5151 SE_GROUP_ENABLED_BY_DEFAULT |
5153 const char *group_name = NULL;
5154 const char *group_description = NULL;
5156 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL))
5157 return NT_STATUS_INVALID_HANDLE;
5159 status = access_check_samr_function(acc_granted,
5160 SA_RIGHT_GROUP_LOOKUP_INFO,
5161 "_samr_QueryGroupInfo");
5162 if (!NT_STATUS_IS_OK(status)) {
5167 ret = get_domain_group_from_sid(group_sid, &map);
5170 return NT_STATUS_INVALID_HANDLE;
5172 /* FIXME: map contains fstrings */
5173 group_name = talloc_strdup(r, map.nt_name);
5174 group_description = talloc_strdup(r, map.comment);
5176 info = TALLOC_ZERO_P(p->mem_ctx, union samr_GroupInfo);
5178 return NT_STATUS_NO_MEMORY;
5181 switch (r->in.level) {
5187 status = pdb_enum_group_members(
5188 p->mem_ctx, &group_sid, &members, &num_members);
5191 if (!NT_STATUS_IS_OK(status)) {
5195 init_samr_group_info1(&info->all,
5203 init_samr_group_info2(&info->name,
5207 init_samr_group_info3(&info->attributes,
5211 init_samr_group_info4(&info->description,
5222 status = pdb_enum_group_members(
5223 p->mem_ctx, &group_sid, &members, &num_members);
5226 if (!NT_STATUS_IS_OK(status)) {
5230 init_samr_group_info5(&info->all2,
5233 0, /* num_members - in w2k3 this is always 0 */
5239 return NT_STATUS_INVALID_INFO_CLASS;
5242 *r->out.info = info;
5244 return NT_STATUS_OK;
5247 /*********************************************************************
5249 *********************************************************************/
5251 NTSTATUS _samr_SetGroupInfo(pipes_struct *p,
5252 struct samr_SetGroupInfo *r)
5259 bool can_mod_accounts;
5260 DISP_INFO *disp_info = NULL;
5262 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
5263 return NT_STATUS_INVALID_HANDLE;
5265 status = access_check_samr_function(acc_granted,
5266 SA_RIGHT_GROUP_SET_INFO,
5267 "_samr_SetGroupInfo");
5268 if (!NT_STATUS_IS_OK(status)) {
5273 ret = get_domain_group_from_sid(group_sid, &map);
5276 return NT_STATUS_NO_SUCH_GROUP;
5278 switch (r->in.level) {
5280 fstrcpy(map.comment, r->in.info->all.description.string);
5283 /* group rename is not supported yet */
5284 return NT_STATUS_NOT_SUPPORTED;
5286 fstrcpy(map.comment, r->in.info->description.string);
5289 return NT_STATUS_INVALID_INFO_CLASS;
5292 can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
5294 /******** BEGIN SeAddUsers BLOCK *********/
5296 if ( can_mod_accounts )
5299 status = pdb_update_group_mapping_entry(&map);
5301 if ( can_mod_accounts )
5304 /******** End SeAddUsers BLOCK *********/
5306 if (NT_STATUS_IS_OK(status)) {
5307 force_flush_samr_cache(disp_info);
5313 /*********************************************************************
5315 *********************************************************************/
5317 NTSTATUS _samr_SetAliasInfo(pipes_struct *p,
5318 struct samr_SetAliasInfo *r)
5321 struct acct_info info;
5323 bool can_mod_accounts;
5325 DISP_INFO *disp_info = NULL;
5327 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &group_sid, &acc_granted, &disp_info))
5328 return NT_STATUS_INVALID_HANDLE;
5330 status = access_check_samr_function(acc_granted,
5331 SA_RIGHT_ALIAS_SET_INFO,
5332 "_samr_SetAliasInfo");
5333 if (!NT_STATUS_IS_OK(status)) {
5337 /* get the current group information */
5340 status = pdb_get_aliasinfo( &group_sid, &info );
5343 if ( !NT_STATUS_IS_OK(status))
5346 switch (r->in.level) {
5351 /* We currently do not support renaming groups in the
5352 the BUILTIN domain. Refer to util_builtin.c to understand
5353 why. The eventually needs to be fixed to be like Windows
5354 where you can rename builtin groups, just not delete them */
5356 if ( sid_check_is_in_builtin( &group_sid ) ) {
5357 return NT_STATUS_SPECIAL_ACCOUNT;
5360 /* There has to be a valid name (and it has to be different) */
5362 if ( !r->in.info->name.string )
5363 return NT_STATUS_INVALID_PARAMETER;
5365 /* If the name is the same just reply "ok". Yes this
5366 doesn't allow you to change the case of a group name. */
5368 if ( strequal( r->in.info->name.string, info.acct_name ) )
5369 return NT_STATUS_OK;
5371 fstrcpy( info.acct_name, r->in.info->name.string);
5373 /* make sure the name doesn't already exist as a user
5376 fstr_sprintf( group_name, "%s\\%s", global_myname(), info.acct_name );
5377 status = can_create( p->mem_ctx, group_name );
5378 if ( !NT_STATUS_IS_OK( status ) )
5382 case ALIASINFODESCRIPTION:
5383 if (r->in.info->description.string) {
5384 fstrcpy(info.acct_desc,
5385 r->in.info->description.string);
5387 fstrcpy( info.acct_desc, "" );
5391 return NT_STATUS_INVALID_INFO_CLASS;
5394 can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
5396 /******** BEGIN SeAddUsers BLOCK *********/
5398 if ( can_mod_accounts )
5401 status = pdb_set_aliasinfo( &group_sid, &info );
5403 if ( can_mod_accounts )
5406 /******** End SeAddUsers BLOCK *********/
5408 if (NT_STATUS_IS_OK(status))
5409 force_flush_samr_cache(disp_info);
5414 /****************************************************************
5416 ****************************************************************/
5418 NTSTATUS _samr_GetDomPwInfo(pipes_struct *p,
5419 struct samr_GetDomPwInfo *r)
5421 uint32_t min_password_length = 0;
5422 uint32_t password_properties = 0;
5424 /* Perform access check. Since this rpc does not require a
5425 policy handle it will not be caught by the access checks on
5426 SAMR_CONNECT or SAMR_CONNECT_ANON. */
5428 if (!pipe_access_check(p)) {
5429 DEBUG(3, ("access denied to _samr_GetDomPwInfo\n"));
5430 return NT_STATUS_ACCESS_DENIED;
5434 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
5435 &min_password_length);
5436 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
5437 &password_properties);
5440 if (lp_check_password_script() && *lp_check_password_script()) {
5441 password_properties |= DOMAIN_PASSWORD_COMPLEX;
5444 r->out.info->min_password_length = min_password_length;
5445 r->out.info->password_properties = password_properties;
5447 return NT_STATUS_OK;
5450 /*********************************************************************
5452 *********************************************************************/
5454 NTSTATUS _samr_OpenGroup(pipes_struct *p,
5455 struct samr_OpenGroup *r)
5461 struct samr_info *info;
5462 SEC_DESC *psd = NULL;
5464 uint32 des_access = r->in.access_mask;
5471 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL))
5472 return NT_STATUS_INVALID_HANDLE;
5474 status = access_check_samr_function(acc_granted,
5475 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
5478 if ( !NT_STATUS_IS_OK(status) )
5481 /*check if access can be granted as requested by client. */
5482 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
5484 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
5485 se_map_generic(&des_access,&grp_generic_mapping);
5487 se_priv_copy( &se_rights, &se_add_users );
5489 status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
5490 &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access,
5491 &acc_granted, "_samr_OpenGroup");
5493 if ( !NT_STATUS_IS_OK(status) )
5496 /* this should not be hard-coded like this */
5498 if (!sid_equal(&sid, get_global_sam_sid()))
5499 return NT_STATUS_ACCESS_DENIED;
5501 sid_copy(&info_sid, get_global_sam_sid());
5502 sid_append_rid(&info_sid, r->in.rid);
5503 sid_to_fstring(sid_string, &info_sid);
5505 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
5506 return NT_STATUS_NO_MEMORY;
5508 info->acc_granted = acc_granted;
5510 DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n", sid_string));
5512 /* check if that group really exists */
5514 ret = get_domain_group_from_sid(info->sid, &map);
5517 return NT_STATUS_NO_SUCH_GROUP;
5519 /* get a (unique) handle. open a policy on it. */
5520 if (!create_policy_hnd(p, r->out.group_handle, free_samr_info, (void *)info))
5521 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5523 return NT_STATUS_OK;
5526 /*********************************************************************
5527 _samr_RemoveMemberFromForeignDomain
5528 *********************************************************************/
5530 NTSTATUS _samr_RemoveMemberFromForeignDomain(pipes_struct *p,
5531 struct samr_RemoveMemberFromForeignDomain *r)
5533 DOM_SID delete_sid, domain_sid;
5536 DISP_INFO *disp_info = NULL;
5538 sid_copy( &delete_sid, r->in.sid );
5540 DEBUG(5,("_samr_RemoveMemberFromForeignDomain: removing SID [%s]\n",
5541 sid_string_dbg(&delete_sid)));
5543 /* Find the policy handle. Open a policy on it. */
5545 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &domain_sid,
5546 &acc_granted, &disp_info))
5547 return NT_STATUS_INVALID_HANDLE;
5549 result = access_check_samr_function(acc_granted,
5550 STD_RIGHT_DELETE_ACCESS,
5551 "_samr_RemoveMemberFromForeignDomain");
5553 if (!NT_STATUS_IS_OK(result))
5556 DEBUG(8, ("_samr_RemoveMemberFromForeignDomain: sid is %s\n",
5557 sid_string_dbg(&domain_sid)));
5559 /* we can only delete a user from a group since we don't have
5560 nested groups anyways. So in the latter case, just say OK */
5562 /* TODO: The above comment nowadays is bogus. Since we have nested
5563 * groups now, and aliases members are never reported out of the unix
5564 * group membership, the "just say OK" makes this call a no-op. For
5565 * us. This needs fixing however. */
5567 /* I've only ever seen this in the wild when deleting a user from
5568 * usrmgr.exe. domain_sid is the builtin domain, and the sid to delete
5569 * is the user about to be deleted. I very much suspect this is the
5570 * only application of this call. To verify this, let people report
5573 if (!sid_check_is_builtin(&domain_sid)) {
5574 DEBUG(1,("_samr_RemoveMemberFromForeignDomain: domain_sid = %s, "
5575 "global_sam_sid() = %s\n",
5576 sid_string_dbg(&domain_sid),
5577 sid_string_dbg(get_global_sam_sid())));
5578 DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
5579 return NT_STATUS_OK;
5582 force_flush_samr_cache(disp_info);
5584 result = NT_STATUS_OK;
5589 /*******************************************************************
5590 _samr_QueryDomainInfo2
5591 ********************************************************************/
5593 NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p,
5594 struct samr_QueryDomainInfo2 *r)
5596 struct samr_QueryDomainInfo q;
5598 q.in.domain_handle = r->in.domain_handle;
5599 q.in.level = r->in.level;
5601 q.out.info = r->out.info;
5603 return _samr_QueryDomainInfo(p, &q);
5606 /*******************************************************************
5608 ********************************************************************/
5610 NTSTATUS _samr_SetDomainInfo(pipes_struct *p,
5611 struct samr_SetDomainInfo *r)
5613 struct samr_info *info = NULL;
5614 time_t u_expire, u_min_age;
5616 time_t u_lock_duration, u_reset_time;
5619 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
5621 /* find the policy handle. open a policy on it. */
5622 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
5623 return NT_STATUS_INVALID_HANDLE;
5625 /* We do have different access bits for info
5626 * levels here, but we're really just looking for
5627 * GENERIC_RIGHTS_DOMAIN_WRITE access. Unfortunately
5628 * this maps to different specific bits. So
5629 * assume if we have SA_RIGHT_DOMAIN_SET_INFO_1
5632 result = access_check_samr_function(info->acc_granted,
5633 SA_RIGHT_DOMAIN_SET_INFO_1,
5634 "_samr_SetDomainInfo");
5636 if (!NT_STATUS_IS_OK(result))
5639 DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level));
5641 switch (r->in.level) {
5643 u_expire=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.max_password_age);
5644 u_min_age=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.min_password_age);
5645 pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)r->in.info->info1.min_password_length);
5646 pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)r->in.info->info1.password_history_length);
5647 pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)r->in.info->info1.password_properties);
5648 pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire);
5649 pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age);
5654 u_logout=nt_time_to_unix_abs((NTTIME *)&r->in.info->info3.force_logoff_time);
5655 pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout);
5664 u_lock_duration=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_duration);
5665 if (u_lock_duration != -1)
5666 u_lock_duration /= 60;
5668 u_reset_time=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_window)/60;
5670 pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
5671 pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time);
5672 pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)r->in.info->info12.lockout_threshold);
5675 return NT_STATUS_INVALID_INFO_CLASS;
5678 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
5680 return NT_STATUS_OK;
5683 /****************************************************************
5684 _samr_GetDisplayEnumerationIndex
5685 ****************************************************************/
5687 NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p,
5688 struct samr_GetDisplayEnumerationIndex *r)
5690 struct samr_info *info = NULL;
5691 uint32_t max_entries = (uint32_t) -1;
5692 uint32_t enum_context = 0;
5694 uint32_t num_account = 0;
5695 struct samr_displayentry *entries = NULL;
5698 DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__));
5700 /* find the policy handle. open a policy on it. */
5701 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) {
5702 return NT_STATUS_INVALID_HANDLE;
5705 status = access_check_samr_function(info->acc_granted,
5706 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
5707 "_samr_GetDisplayEnumerationIndex");
5708 if (!NT_STATUS_IS_OK(status)) {
5712 if ((r->in.level < 1) || (r->in.level > 3)) {
5713 DEBUG(0,("_samr_GetDisplayEnumerationIndex: "
5714 "Unknown info level (%u)\n",
5716 return NT_STATUS_INVALID_INFO_CLASS;
5721 /* The following done as ROOT. Don't return without unbecome_root(). */
5723 switch (r->in.level) {
5725 if (info->disp_info->users == NULL) {
5726 info->disp_info->users = pdb_search_users(ACB_NORMAL);
5727 if (info->disp_info->users == NULL) {
5729 return NT_STATUS_ACCESS_DENIED;
5731 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5732 "starting user enumeration at index %u\n",
5733 (unsigned int)enum_context));
5735 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5736 "using cached user enumeration at index %u\n",
5737 (unsigned int)enum_context));
5739 num_account = pdb_search_entries(info->disp_info->users,
5740 enum_context, max_entries,
5744 if (info->disp_info->machines == NULL) {
5745 info->disp_info->machines =
5746 pdb_search_users(ACB_WSTRUST|ACB_SVRTRUST);
5747 if (info->disp_info->machines == NULL) {
5749 return NT_STATUS_ACCESS_DENIED;
5751 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5752 "starting machine enumeration at index %u\n",
5753 (unsigned int)enum_context));
5755 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5756 "using cached machine enumeration at index %u\n",
5757 (unsigned int)enum_context));
5759 num_account = pdb_search_entries(info->disp_info->machines,
5760 enum_context, max_entries,
5764 if (info->disp_info->groups == NULL) {
5765 info->disp_info->groups = pdb_search_groups();
5766 if (info->disp_info->groups == NULL) {
5768 return NT_STATUS_ACCESS_DENIED;
5770 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5771 "starting group enumeration at index %u\n",
5772 (unsigned int)enum_context));
5774 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5775 "using cached group enumeration at index %u\n",
5776 (unsigned int)enum_context));
5778 num_account = pdb_search_entries(info->disp_info->groups,
5779 enum_context, max_entries,
5784 smb_panic("info class changed");
5790 /* Ensure we cache this enumeration. */
5791 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
5793 DEBUG(10,("_samr_GetDisplayEnumerationIndex: looking for :%s\n",
5794 r->in.name->string));
5796 for (i=0; i<num_account; i++) {
5797 if (strequal(entries[i].account_name, r->in.name->string)) {
5798 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5799 "found %s at idx %d\n",
5800 r->in.name->string, i));
5802 return NT_STATUS_OK;
5806 /* assuming account_name lives at the very end */
5807 *r->out.idx = num_account;
5809 return NT_STATUS_NO_MORE_ENTRIES;
5812 /****************************************************************
5813 _samr_GetDisplayEnumerationIndex2
5814 ****************************************************************/
5816 NTSTATUS _samr_GetDisplayEnumerationIndex2(pipes_struct *p,
5817 struct samr_GetDisplayEnumerationIndex2 *r)
5819 struct samr_GetDisplayEnumerationIndex q;
5821 q.in.domain_handle = r->in.domain_handle;
5822 q.in.level = r->in.level;
5823 q.in.name = r->in.name;
5825 q.out.idx = r->out.idx;
5827 return _samr_GetDisplayEnumerationIndex(p, &q);
5830 /****************************************************************
5831 ****************************************************************/
5833 NTSTATUS _samr_Shutdown(pipes_struct *p,
5834 struct samr_Shutdown *r)
5836 p->rng_fault_state = true;
5837 return NT_STATUS_NOT_IMPLEMENTED;
5840 /****************************************************************
5841 ****************************************************************/
5843 NTSTATUS _samr_CreateUser(pipes_struct *p,
5844 struct samr_CreateUser *r)
5846 p->rng_fault_state = true;
5847 return NT_STATUS_NOT_IMPLEMENTED;
5850 /****************************************************************
5851 ****************************************************************/
5853 NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p,
5854 struct samr_SetMemberAttributesOfGroup *r)
5856 p->rng_fault_state = true;
5857 return NT_STATUS_NOT_IMPLEMENTED;
5860 /****************************************************************
5861 ****************************************************************/
5863 NTSTATUS _samr_ChangePasswordUser(pipes_struct *p,
5864 struct samr_ChangePasswordUser *r)
5866 p->rng_fault_state = true;
5867 return NT_STATUS_NOT_IMPLEMENTED;
5870 /****************************************************************
5871 ****************************************************************/
5873 NTSTATUS _samr_TestPrivateFunctionsDomain(pipes_struct *p,
5874 struct samr_TestPrivateFunctionsDomain *r)
5876 p->rng_fault_state = true;
5877 return NT_STATUS_NOT_IMPLEMENTED;
5880 /****************************************************************
5881 ****************************************************************/
5883 NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p,
5884 struct samr_TestPrivateFunctionsUser *r)
5886 p->rng_fault_state = true;
5887 return NT_STATUS_NOT_IMPLEMENTED;
5890 /****************************************************************
5891 ****************************************************************/
5893 NTSTATUS _samr_QueryUserInfo2(pipes_struct *p,
5894 struct samr_QueryUserInfo2 *r)
5896 p->rng_fault_state = true;
5897 return NT_STATUS_NOT_IMPLEMENTED;
5900 /****************************************************************
5901 ****************************************************************/
5903 NTSTATUS _samr_AddMultipleMembersToAlias(pipes_struct *p,
5904 struct samr_AddMultipleMembersToAlias *r)
5906 p->rng_fault_state = true;
5907 return NT_STATUS_NOT_IMPLEMENTED;
5910 /****************************************************************
5911 ****************************************************************/
5913 NTSTATUS _samr_RemoveMultipleMembersFromAlias(pipes_struct *p,
5914 struct samr_RemoveMultipleMembersFromAlias *r)
5916 p->rng_fault_state = true;
5917 return NT_STATUS_NOT_IMPLEMENTED;
5920 /****************************************************************
5921 ****************************************************************/
5923 NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
5924 struct samr_OemChangePasswordUser2 *r)
5926 p->rng_fault_state = true;
5927 return NT_STATUS_NOT_IMPLEMENTED;
5930 /****************************************************************
5931 ****************************************************************/
5933 NTSTATUS _samr_SetBootKeyInformation(pipes_struct *p,
5934 struct samr_SetBootKeyInformation *r)
5936 p->rng_fault_state = true;
5937 return NT_STATUS_NOT_IMPLEMENTED;
5940 /****************************************************************
5941 ****************************************************************/
5943 NTSTATUS _samr_GetBootKeyInformation(pipes_struct *p,
5944 struct samr_GetBootKeyInformation *r)
5946 p->rng_fault_state = true;
5947 return NT_STATUS_NOT_IMPLEMENTED;
5950 /****************************************************************
5951 ****************************************************************/
5953 NTSTATUS _samr_Connect3(pipes_struct *p,
5954 struct samr_Connect3 *r)
5956 p->rng_fault_state = true;
5957 return NT_STATUS_NOT_IMPLEMENTED;
5960 /****************************************************************
5961 ****************************************************************/
5963 NTSTATUS _samr_RidToSid(pipes_struct *p,
5964 struct samr_RidToSid *r)
5966 p->rng_fault_state = true;
5967 return NT_STATUS_NOT_IMPLEMENTED;
5970 /****************************************************************
5971 ****************************************************************/
5973 NTSTATUS _samr_SetDsrmPassword(pipes_struct *p,
5974 struct samr_SetDsrmPassword *r)
5976 p->rng_fault_state = true;
5977 return NT_STATUS_NOT_IMPLEMENTED;
5980 /****************************************************************
5981 ****************************************************************/
5983 NTSTATUS _samr_ValidatePassword(pipes_struct *p,
5984 struct samr_ValidatePassword *r)
5986 p->rng_fault_state = true;
5987 return NT_STATUS_NOT_IMPLEMENTED;