}
-/*******************************************************************
- Function to free the per handle data.
- ********************************************************************/
-
-static void free_lsa_info(void *ptr)
-{
- struct lsa_info *lsa = (struct lsa_info *)ptr;
-
- SAFE_FREE(lsa);
-}
-
/***************************************************************************
initialize a lsa_DomainInfo structure.
***************************************************************************/
mapped_count++;
}
- init_lsa_translated_sid(&prid[i], type, rid, dom_idx);
+ prid[i].sid_type = type;
+ prid[i].rid = rid;
+ prid[i].sid_index = dom_idx;
}
*pmapped_count = mapped_count;
/* get the generic lsa policy SD until we store it */
lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
- if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
- if (p->pipe_user.ut.uid != sec_initial_uid()) {
+ status = se_access_check(psd, p->server_info->ptok, des_access,
+ &acc_granted);
+ if (!NT_STATUS_IS_OK(status)) {
+ if (p->server_info->utok.uid != sec_initial_uid()) {
return status;
}
DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
/* This is needed for lsa_open_account and rpcclient .... :-) */
- if (p->pipe_user.ut.uid == sec_initial_uid())
+ if (p->server_info->utok.uid == sec_initial_uid())
acc_granted = LSA_POLICY_ALL_ACCESS;
/* associate the domain SID with the (unique) handle. */
- if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
+ info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
+ if (info == NULL) {
return NT_STATUS_NO_MEMORY;
+ }
- ZERO_STRUCTP(info);
sid_copy(&info->sid,get_global_sam_sid());
info->access = acc_granted;
/* set up the LSA QUERY INFO response */
- if (!create_policy_hnd(p, r->out.handle, free_lsa_info, (void *)info))
+ if (!create_policy_hnd(p, r->out.handle, info))
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
return NT_STATUS_OK;
NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
struct lsa_OpenPolicy *r)
{
- struct lsa_info *info;
- SEC_DESC *psd = NULL;
- size_t sd_size;
- uint32 des_access= r->in.access_mask;
- uint32 acc_granted;
- NTSTATUS status;
+ struct lsa_OpenPolicy2 o;
+ o.in.system_name = NULL; /* should be ignored */
+ o.in.attr = r->in.attr;
+ o.in.access_mask = r->in.access_mask;
- /* map the generic bits to the lsa policy ones */
- se_map_generic(&des_access, &lsa_generic_mapping);
-
- /* get the generic lsa policy SD until we store it */
- lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
+ o.out.handle = r->out.handle;
- if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
- if (p->pipe_user.ut.uid != sec_initial_uid()) {
- return status;
- }
- DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
- acc_granted, des_access));
- DEBUGADD(4,("but overwritten by euid == 0\n"));
- acc_granted = des_access;
- }
-
- /* associate the domain SID with the (unique) handle. */
- if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
- return NT_STATUS_NO_MEMORY;
-
- ZERO_STRUCTP(info);
- sid_copy(&info->sid,get_global_sam_sid());
- info->access = acc_granted;
-
- /* set up the LSA QUERY INFO response */
- if (!create_policy_hnd(p, r->out.handle, free_lsa_info, (void *)info))
- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
-
- return NT_STATUS_OK;
+ return _lsa_OpenPolicy2(p, &o);
}
/***************************************************************************
* only a BDC is a backup controller
* of the domain, it controls.
*/
- info->role.role = 2;
+ info->role.role = LSA_ROLE_BACKUP;
break;
default:
/*
* any other role is a primary
* of the domain, it controls.
*/
- info->role.role = 3;
+ info->role.role = LSA_ROLE_PRIMARY;
break;
}
break;
mapped_count += 1;
}
- init_lsa_translated_name2(&names[i], name->type,
- name->name, name->dom_idx, 0);
+ names[i].sid_type = name->type;
+ names[i].name.string = name->name;
+ names[i].sid_index = name->dom_idx;
+ names[i].unknown = 0;
}
status = NT_STATUS_NONE_MAPPED;
&names,
&mapped_count);
+ /* Only return here when there is a real error.
+ NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
+ the requested sids could be resolved. Older versions of XP (pre SP3)
+ rely that we return with the string representations of those SIDs in
+ that case. If we don't, XP crashes - Guenther
+ */
+
+ if (NT_STATUS_IS_ERR(status) &&
+ !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
+ return status;
+ }
+
/* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
num_sids);
status = _lsa_LookupNames(p, &q);
+ sid_array2->count = sid_array->count;
sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
if (!sid_array2->sids) {
return NT_STATUS_NO_MEMORY;
NTSTATUS _lsa_DeleteObject(pipes_struct *p,
struct lsa_DeleteObject *r)
{
- return NT_STATUS_ACCESS_DENIED;
+ NTSTATUS status;
+ struct lsa_info *info = NULL;
+
+ if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
+ return NT_STATUS_INVALID_HANDLE;
+ }
+
+ /* check to see if the pipe_user is root or a Domain Admin since
+ account_pol.tdb was already opened as root, this is all we have */
+
+ if (p->server_info->utok.uid != sec_initial_uid() &&
+ !nt_token_check_domain_rid(p->server_info->ptok,
+ DOMAIN_GROUP_RID_ADMINS)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ status = privilege_delete_account(&info->sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
+ nt_errstr(status)));
+ }
+
+ return status;
}
/***************************************************************************
sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
num_entries - *r->in.resume_handle);
if (!sids) {
- SAFE_FREE(sid_list);
+ talloc_free(sid_list);
return NT_STATUS_NO_MEMORY;
}
for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
if (!sids[j].sid) {
- SAFE_FREE(sid_list);
+ talloc_free(sid_list);
return NT_STATUS_NO_MEMORY;
}
}
/* check to see if the pipe_user is a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
- if ( p->pipe_user.ut.uid != sec_initial_uid()
- && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ if ( p->server_info->utok.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->server_info->ptok,
+ DOMAIN_GROUP_RID_ADMINS ) )
return NT_STATUS_ACCESS_DENIED;
if ( is_privileged_sid( r->in.sid ) )
/* associate the user/group SID with the (unique) handle. */
- if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
+ info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
+ if (info == NULL) {
return NT_STATUS_NO_MEMORY;
+ }
- ZERO_STRUCTP(info);
info->sid = *r->in.sid;
info->access = r->in.access_mask;
/* get a (unique) handle. open a policy on it. */
- if (!create_policy_hnd(p, r->out.acct_handle, free_lsa_info, (void *)info))
+ if (!create_policy_hnd(p, r->out.acct_handle, info))
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
return privilege_create_account( &info->sid );
return NT_STATUS_ACCESS_DENIED;
#endif
/* associate the user/group SID with the (unique) handle. */
- if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
+ info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
+ if (info == NULL) {
return NT_STATUS_NO_MEMORY;
+ }
- ZERO_STRUCTP(info);
info->sid = *r->in.sid;
info->access = r->in.access_mask;
/* get a (unique) handle. open a policy on it. */
- if (!create_policy_hnd(p, r->out.acct_handle, free_lsa_info, (void *)info))
+ if (!create_policy_hnd(p, r->out.acct_handle, info))
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
return NT_STATUS_OK;
NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
struct lsa_GetSystemAccessAccount *r)
{
- struct lsa_info *info=NULL;
+ NTSTATUS status;
+ struct lsa_info *info = NULL;
+ struct lsa_EnumPrivsAccount e;
+ struct lsa_PrivilegeSet *privset;
/* find the connection policy handle. */
if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
return NT_STATUS_ACCESS_DENIED;
- if (!lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, NULL))
- return NT_STATUS_ACCESS_DENIED;
+ privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
+ if (!privset) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ e.in.handle = r->in.handle;
+ e.out.privs = &privset;
+
+ status = _lsa_EnumPrivsAccount(p, &e);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("_lsa_GetSystemAccessAccount: "
+ "failed to call _lsa_EnumPrivsAccount(): %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ /* Samba4 would iterate over the privset to merge the policy mode bits,
+ * not sure samba3 can do the same here, so just return what we did in
+ * the past - gd */
/*
0x01 -> Log on locally
they can be ORed together
*/
- *r->out.access_mask = PR_LOG_ON_LOCALLY | PR_ACCESS_FROM_NETWORK;
+ *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
+ LSA_POLICY_MODE_NETWORK;
return NT_STATUS_OK;
}
/* check to see if the pipe_user is a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
- if ( p->pipe_user.ut.uid != sec_initial_uid()
- && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ if ( p->server_info->utok.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->server_info->ptok,
+ DOMAIN_GROUP_RID_ADMINS ) )
return NT_STATUS_ACCESS_DENIED;
if (!pdb_getgrsid(&map, info->sid))
/* check to see if the pipe_user is root or a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
- if ( p->pipe_user.ut.uid != sec_initial_uid()
- && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ if ( p->server_info->utok.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->server_info->ptok,
+ DOMAIN_GROUP_RID_ADMINS ) )
{
return NT_STATUS_ACCESS_DENIED;
}
/* check to see if the pipe_user is root or a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
- if ( p->pipe_user.ut.uid != sec_initial_uid()
- && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ if ( p->server_info->utok.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->server_info->ptok,
+ DOMAIN_GROUP_RID_ADMINS ) )
{
return NT_STATUS_ACCESS_DENIED;
}
/* check to see if the pipe_user is a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
- if ( p->pipe_user.ut.uid != sec_initial_uid()
- && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ if ( p->server_info->utok.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->server_info->ptok,
+ DOMAIN_GROUP_RID_ADMINS ) )
{
return NT_STATUS_ACCESS_DENIED;
}
/* check to see if the pipe_user is a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
- if ( p->pipe_user.ut.uid != sec_initial_uid()
- && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ if ( p->server_info->utok.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->server_info->ptok,
+ DOMAIN_GROUP_RID_ADMINS ) )
{
return NT_STATUS_ACCESS_DENIED;
}