/* Split name into domain and user component */
- full_name = name[i].string;
- if (full_name == NULL) {
- return NT_STATUS_NO_MEMORY;
+ /* follow w2k8 behavior and return the builtin domain when no
+ * input has been passed in */
+
+ if (name[i].string) {
+ full_name = name[i].string;
+ } else {
+ full_name = "BUILTIN";
}
DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
dom_idx = -1;
if (type != SID_NAME_UNKNOWN) {
- sid_split_rid(&sid, &rid);
+ if (type == SID_NAME_DOMAIN) {
+ rid = (uint32_t)-1;
+ } else {
+ sid_split_rid(&sid, &rid);
+ }
dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
mapped_count++;
}
NTSTATUS status;
/* Work out max allowed. */
- map_max_allowed_access(p->server_info->ptok, &des_access);
+ map_max_allowed_access(p->server_info->ptok,
+ &p->server_info->utok,
+ &des_access);
/* map the generic bits to the lsa policy ones */
se_map_generic(&des_access, &lsa_policy_mapping);
struct lsa_EnumTrustDom *r)
{
struct lsa_info *info;
- uint32 next_idx;
+ uint32_t count;
struct trustdom_info **domains;
- struct lsa_DomainInfo *lsa_domains = NULL;
+ struct lsa_DomainInfo *entries;
int i;
-
- /*
- * preferred length is set to 5 as a "our" preferred length
- * nt sets this parameter to 2
- * update (20.08.2002): it's not preferred length, but preferred size!
- * it needs further investigation how to optimally choose this value
- */
- uint32 max_num_domains =
- r->in.max_size < 5 ? r->in.max_size : 10;
- uint32 num_domains;
NTSTATUS nt_status;
- uint32 num_thistime;
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
return NT_STATUS_INVALID_HANDLE;
return NT_STATUS_ACCESS_DENIED;
become_root();
- nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
+ nt_status = pdb_enum_trusteddoms(p->mem_ctx, &count, &domains);
unbecome_root();
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
- if (*r->in.resume_handle < num_domains) {
- num_thistime = MIN(num_domains, max_num_domains);
-
- nt_status = STATUS_MORE_ENTRIES;
+ entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo, count);
+ if (!entries) {
+ return NT_STATUS_NO_MEMORY;
+ }
- if (*r->in.resume_handle + num_thistime > num_domains) {
- num_thistime = num_domains - *r->in.resume_handle;
- nt_status = NT_STATUS_OK;
- }
+ for (i=0; i<count; i++) {
+ init_lsa_StringLarge(&entries[i].name, domains[i]->name);
+ entries[i].sid = &domains[i]->sid;
+ }
- next_idx = *r->in.resume_handle + num_thistime;
- } else {
- num_thistime = 0;
- next_idx = 0xffffffff;
- nt_status = NT_STATUS_NO_MORE_ENTRIES;
+ if (*r->in.resume_handle >= count) {
+ *r->out.resume_handle = -1;
+ TALLOC_FREE(entries);
+ return NT_STATUS_NO_MORE_ENTRIES;
}
- /* set up the lsa_enum_trust_dom response */
+ /* return the rest, limit by max_size. Note that we
+ use the w2k3 element size value of 60 */
+ r->out.domains->count = count - *r->in.resume_handle;
+ r->out.domains->count = MIN(r->out.domains->count,
+ 1+(r->in.max_size/LSA_ENUM_TRUST_DOMAIN_MULTIPLIER));
- lsa_domains = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo,
- num_thistime);
- if (!lsa_domains) {
- return NT_STATUS_NO_MEMORY;
- }
+ r->out.domains->domains = entries + *r->in.resume_handle;
- for (i=0; i<num_thistime; i++) {
- init_lsa_StringLarge(&lsa_domains[i].name, domains[i]->name);
- lsa_domains[i].sid = &domains[i]->sid;
+ if (r->out.domains->count < count - *r->in.resume_handle) {
+ *r->out.resume_handle = *r->in.resume_handle + r->out.domains->count;
+ return STATUS_MORE_ENTRIES;
}
- *r->out.resume_handle = next_idx;
- r->out.domains->count = num_thistime;
- r->out.domains->domains = lsa_domains;
-
- return nt_status;
+ return NT_STATUS_OK;
}
#define LSA_AUDIT_NUM_CATEGORIES_NT4 7
const char *name;
DOM_SID *sid = NULL;
union lsa_PolicyInformation *info = NULL;
+ uint32_t acc_required = 0;
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
return NT_STATUS_INVALID_HANDLE;
return NT_STATUS_INVALID_HANDLE;
}
+ switch (r->in.level) {
+ case LSA_POLICY_INFO_AUDIT_LOG:
+ case LSA_POLICY_INFO_AUDIT_EVENTS:
+ acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
+ break;
+ case LSA_POLICY_INFO_DOMAIN:
+ acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
+ break;
+ case LSA_POLICY_INFO_PD:
+ acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
+ break;
+ case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
+ acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
+ break;
+ case LSA_POLICY_INFO_ROLE:
+ case LSA_POLICY_INFO_REPLICA:
+ acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
+ break;
+ case LSA_POLICY_INFO_QUOTA:
+ acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
+ break;
+ case LSA_POLICY_INFO_MOD:
+ case LSA_POLICY_INFO_AUDIT_FULL_SET:
+ /* according to MS-LSAD 3.1.4.4.3 */
+ return NT_STATUS_INVALID_PARAMETER;
+ case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
+ acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
+ break;
+ case LSA_POLICY_INFO_DNS:
+ case LSA_POLICY_INFO_DNS_INT:
+ case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
+ acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
+ break;
+ default:
+ break;
+ }
+
+ if (!(handle->access & acc_required)) {
+ /* return NT_STATUS_ACCESS_DENIED; */
+ }
+
info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
if (!info) {
return NT_STATUS_NO_MEMORY;
break;
}
break;
- case LSA_POLICY_INFO_DNS: {
+ case LSA_POLICY_INFO_DNS:
+ case LSA_POLICY_INFO_DNS_INT: {
struct pdb_domain_info *dominfo;
if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
return status;
}
+/***************************************************************************
+ _lsa_QueryInfoPolicy2
+ ***************************************************************************/
+
+NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p,
+ struct lsa_QueryInfoPolicy2 *r2)
+{
+ struct lsa_QueryInfoPolicy r;
+
+ if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
+ p->rng_fault_state = True;
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ ZERO_STRUCT(r);
+ r.in.handle = r2->in.handle;
+ r.in.level = r2->in.level;
+ r.out.info = r2->out.info;
+
+ return _lsa_QueryInfoPolicy(p, &r);
+}
+
/***************************************************************************
_lsa_lookup_sids_internal
***************************************************************************/
q.in.handle = NULL;
q.in.sids = r->in.sids;
q.in.level = r->in.level;
- q.in.unknown1 = r->in.unknown1;
- q.in.unknown2 = r->in.unknown2;
+ q.in.lookup_options = r->in.lookup_options;
+ q.in.client_revision = r->in.client_revision;
q.in.names = r->in.names;
q.in.count = r->in.count;
return NT_STATUS_ACCESS_DENIED;
}
- status = privilege_delete_account(&info->sid);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
- nt_errstr(status)));
+ switch (info->type) {
+ case LSA_HANDLE_ACCOUNT_TYPE:
+ status = privilege_delete_account(&info->sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+ break;
+ default:
+ return NT_STATUS_INVALID_HANDLE;
}
+ close_policy_hnd(p, r->in.handle);
+ ZERO_STRUCTP(r->out.handle);
+
return status;
}
NTSTATUS _lsa_CreateAccount(pipes_struct *p,
struct lsa_CreateAccount *r)
{
+ NTSTATUS status;
struct lsa_info *handle;
struct lsa_info *info;
+ uint32_t acc_granted;
+ struct security_descriptor *psd;
+ size_t sd_size;
/* find the connection policy handle. */
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
/* check if the user has enough rights */
- /*
- * I don't know if it's the right one. not documented.
- * but guessed with rpcclient.
- */
- if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT))
+ if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
return NT_STATUS_ACCESS_DENIED;
+ }
+
+ /* Work out max allowed. */
+ map_max_allowed_access(p->server_info->ptok,
+ &p->server_info->utok,
+ &r->in.access_mask);
+
+ /* map the generic bits to the lsa policy ones */
+ se_map_generic(&r->in.access_mask, &lsa_account_mapping);
+
+ status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
+ &lsa_account_mapping,
+ r->in.sid, LSA_POLICY_ALL_ACCESS);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = access_check_object(psd, p->server_info->ptok,
+ NULL, 0, r->in.access_mask,
+ &acc_granted, "_lsa_CreateAccount");
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
if ( is_privileged_sid( r->in.sid ) )
return NT_STATUS_OBJECT_NAME_COLLISION;
}
info->sid = *r->in.sid;
- info->access = r->in.access_mask;
+ info->access = acc_granted;
info->type = LSA_HANDLE_ACCOUNT_TYPE;
/* get a (unique) handle. open a policy on it. */
* handle - so don't check against policy handle. */
/* Work out max allowed. */
- map_max_allowed_access(p->server_info->ptok, &des_access);
+ map_max_allowed_access(p->server_info->ptok,
+ &p->server_info->utok,
+ &des_access);
/* map the generic bits to the lsa account ones */
se_map_generic(&des_access, &lsa_account_mapping);
return NT_STATUS_OK;
}
+/***************************************************************************
+ _lsa_LookupPrivName
+ ***************************************************************************/
+
+NTSTATUS _lsa_LookupPrivName(pipes_struct *p,
+ struct lsa_LookupPrivName *r)
+{
+ struct lsa_info *info = NULL;
+ const char *name;
+ struct lsa_StringLarge *lsa_name;
+
+ /* find the connection policy handle. */
+ if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
+ return NT_STATUS_INVALID_HANDLE;
+ }
+
+ if (info->type != LSA_HANDLE_POLICY_TYPE) {
+ return NT_STATUS_INVALID_HANDLE;
+ }
+
+ if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ name = luid_to_privilege_name((LUID *)r->in.luid);
+ if (!name) {
+ return NT_STATUS_NO_SUCH_PRIVILEGE;
+ }
+
+ lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
+ if (!lsa_name) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ lsa_name->string = talloc_strdup(lsa_name, name);
+ if (!lsa_name->string) {
+ TALLOC_FREE(lsa_name);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *r->out.name = lsa_name;
+
+ return NT_STATUS_OK;
+}
+
/***************************************************************************
_lsa_QuerySecurity
***************************************************************************/
return status;
}
- switch (r->in.sec_info) {
- case 1:
- /* SD contains only the owner */
- if((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
- return NT_STATUS_NO_MEMORY;
- break;
- case 4:
- /* SD contains only the ACL */
- if((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
- return NT_STATUS_NO_MEMORY;
- break;
- default:
- return NT_STATUS_INVALID_LEVEL;
+ *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
+ if (!*r->out.sdbuf) {
+ return NT_STATUS_NO_MEMORY;
}
return status;
return NT_STATUS_OK;
}
+/***************************************************************************
+ _lsa_EnumAccountsWithUserRight
+ ***************************************************************************/
+
+NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p,
+ struct lsa_EnumAccountsWithUserRight *r)
+{
+ NTSTATUS status;
+ struct lsa_info *info = NULL;
+ struct dom_sid *sids = NULL;
+ int num_sids = 0;
+ uint32_t i;
+ SE_PRIV mask;
+
+ if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
+ return NT_STATUS_INVALID_HANDLE;
+ }
+
+ if (info->type != LSA_HANDLE_POLICY_TYPE) {
+ return NT_STATUS_INVALID_HANDLE;
+ }
+
+ if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ if (!r->in.name || !r->in.name->string) {
+ return NT_STATUS_NO_SUCH_PRIVILEGE;
+ }
+
+ if (!se_priv_from_name(r->in.name->string, &mask)) {
+ return NT_STATUS_NO_SUCH_PRIVILEGE;
+ }
+
+ status = privilege_enum_sids(&mask, p->mem_ctx,
+ &sids, &num_sids);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ r->out.sids->num_sids = num_sids;
+ r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
+ r->out.sids->num_sids);
+
+ for (i=0; i < r->out.sids->num_sids; i++) {
+ r->out.sids->sids[i].sid = sid_dup_talloc(r->out.sids->sids,
+ &sids[i]);
+ if (!r->out.sids->sids[i].sid) {
+ TALLOC_FREE(r->out.sids->sids);
+ r->out.sids->num_sids = 0;
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+/***************************************************************************
+ _lsa_Delete
+ ***************************************************************************/
+
+NTSTATUS _lsa_Delete(pipes_struct *p,
+ struct lsa_Delete *r)
+{
+ return NT_STATUS_NOT_SUPPORTED;
+}
+
/*
* From here on the server routines are just dummy ones to make smbd link with
* librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
* pulling the server stubs across one by one.
*/
-NTSTATUS _lsa_Delete(pipes_struct *p, struct lsa_Delete *r)
-{
- p->rng_fault_state = True;
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
-NTSTATUS _lsa_LookupPrivName(pipes_struct *p, struct lsa_LookupPrivName *r)
-{
- p->rng_fault_state = True;
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p, struct lsa_EnumAccountsWithUserRight *r)
-{
- p->rng_fault_state = True;
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
-NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p,
- struct lsa_QueryInfoPolicy2 *r2)
-{
- struct lsa_QueryInfoPolicy r;
-
- if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
- p->rng_fault_state = True;
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
- ZERO_STRUCT(r);
- r.in.handle = r2->in.handle;
- r.in.level = r2->in.level;
- r.out.info = r2->out.info;
-
- return _lsa_QueryInfoPolicy(p, &r);
-}
-
NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
{
p->rng_fault_state = True;
git.samba.org / ira / wip.git / blobdiff