*/
#include "includes.h"
+#include "smbd/globals.h"
#include "../libcli/auth/libcli_auth.h"
#undef DBGC_CLASS
level of access for further checks.
********************************************************************/
-static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
+NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token,
SE_PRIV *rights, uint32 rights_mask,
uint32 des_access, uint32 *acc_granted,
const char *debug )
saved_mask = (des_access & rights_mask);
des_access &= ~saved_mask;
- DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
+ DEBUG(4,("access_check_object: user rights access mask [0x%x]\n",
rights_mask));
}
Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
********************************************************************/
-static void map_max_allowed_access(const NT_USER_TOKEN *token,
+void map_max_allowed_access(const NT_USER_TOKEN *token,
uint32_t *pacc_requested)
{
if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
}
*pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
- /* At least try for generic read. */
- *pacc_requested = GENERIC_READ_ACCESS;
+ /* At least try for generic read|execute - Everyone gets that. */
+ *pacc_requested = GENERIC_READ_ACCESS|GENERIC_EXECUTE_ACCESS;
/* root gets anything. */
if (geteuid() == sec_initial_uid()) {
uint32 des_access = r->in.access_mask;
NTSTATUS status;
size_t sd_size;
+ uint32_t extra_access = SAMR_DOMAIN_ACCESS_CREATE_USER;
SE_PRIV se_rights;
/* find the connection policy handle. */
/*
* Users with SeMachineAccount or SeAddUser get additional
- * SAMR_DOMAIN_ACCESS_CREATE_USER access, but no more.
+ * SAMR_DOMAIN_ACCESS_CREATE_USER access.
*/
se_priv_copy( &se_rights, &se_machine_account );
se_priv_add( &se_rights, &se_add_users );
- status = access_check_samr_object( psd, p->server_info->ptok,
- &se_rights, SAMR_DOMAIN_ACCESS_CREATE_USER, des_access,
+ /*
+ * Users with SeAddUser get the ability to manipulate groups
+ * and aliases.
+ */
+ if (user_has_any_privilege(p->server_info->ptok, &se_add_users)) {
+ extra_access |= (SAMR_DOMAIN_ACCESS_CREATE_GROUP |
+ SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
+ SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
+ SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS |
+ SAMR_DOMAIN_ACCESS_CREATE_ALIAS);
+ }
+
+ status = access_check_object( psd, p->server_info->ptok,
+ &se_rights, extra_access, des_access,
&acc_granted, "_samr_OpenDomain" );
if ( !NT_STATUS_IS_OK(status) )
return status;
}
+ samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
+ if (!samr_array) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ *r->out.sam = samr_array;
+
if (sid_check_is_builtin(&dinfo->sid)) {
/* No users in builtin. */
*r->out.resume_handle = *r->in.resume_handle;
return status;
}
- samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
- if (!samr_array) {
- return NT_STATUS_NO_MEMORY;
- }
- *r->out.sam = samr_array;
-
become_root();
/* AS ROOT !!!! */
DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
+ samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
+ if (!samr_array) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ *r->out.sam = samr_array;
+
if (sid_check_is_builtin(&dinfo->sid)) {
/* No groups in builtin. */
*r->out.resume_handle = *r->in.resume_handle;
return status;
}
- samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
- if (!samr_array) {
- return NT_STATUS_NO_MEMORY;
- }
-
/* the domain group array is being allocated in the function below */
become_root();
make_group_sam_entry_list(p->mem_ctx, &samr_entries,
num_groups, groups);
+ if (MAX_SAM_ENTRIES <= num_groups) {
+ status = STATUS_MORE_ENTRIES;
+ } else {
+ status = NT_STATUS_OK;
+ }
+
samr_array->count = num_groups;
samr_array->entries = samr_entries;
- *r->out.sam = samr_array;
*r->out.num_entries = num_groups;
*r->out.resume_handle = num_groups + *r->in.resume_handle;
DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
+ if (MAX_SAM_ENTRIES <= num_aliases) {
+ status = STATUS_MORE_ENTRIES;
+ } else {
+ status = NT_STATUS_OK;
+ }
+
samr_array->count = num_aliases;
samr_array->entries = samr_entries;
uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
uint32 max_entries = r->in.max_entries;
- uint32 enum_context = r->in.start_idx;
- uint32 max_size = r->in.buf_size;
union samr_DispInfo *disp_info = r->out.info;
- uint32 temp_size=0, total_data_size=0;
+ uint32 temp_size=0;
NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
uint32 num_account = 0;
enum remote_arch_types ra_type = get_remote_arch();
}
/* first limit the number of entries we will return */
- if(max_entries > max_sam_entries) {
+ if (r->in.max_entries > max_sam_entries) {
DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
- "entries, limiting to %d\n", max_entries,
+ "entries, limiting to %d\n", r->in.max_entries,
max_sam_entries));
max_entries = max_sam_entries;
}
temp_size=max_entries*struct_size;
- if (temp_size>max_size) {
- max_entries=MIN((max_size/struct_size),max_entries);;
+ if (temp_size > r->in.buf_size) {
+ max_entries = MIN((r->in.buf_size / struct_size),max_entries);;
DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
"only %d entries\n", max_entries));
}
return NT_STATUS_ACCESS_DENIED;
}
DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
- (unsigned int)enum_context ));
+ (unsigned int)r->in.start_idx));
} else {
DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
- (unsigned int)enum_context ));
+ (unsigned int)r->in.start_idx));
}
num_account = pdb_search_entries(dinfo->disp_info->users,
- enum_context, max_entries,
+ r->in.start_idx, max_entries,
&entries);
break;
case 2:
return NT_STATUS_ACCESS_DENIED;
}
DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
- (unsigned int)enum_context ));
+ (unsigned int)r->in.start_idx));
} else {
DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
- (unsigned int)enum_context ));
+ (unsigned int)r->in.start_idx));
}
num_account = pdb_search_entries(dinfo->disp_info->machines,
- enum_context, max_entries,
+ r->in.start_idx, max_entries,
&entries);
break;
case 3:
return NT_STATUS_ACCESS_DENIED;
}
DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
- (unsigned int)enum_context ));
+ (unsigned int)r->in.start_idx));
} else {
DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
- (unsigned int)enum_context ));
+ (unsigned int)r->in.start_idx));
}
num_account = pdb_search_entries(dinfo->disp_info->groups,
- enum_context, max_entries,
+ r->in.start_idx, max_entries,
&entries);
break;
default:
switch (r->in.level) {
case 1:
disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1,
- num_account, enum_context,
+ num_account, r->in.start_idx,
entries);
break;
case 2:
disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2,
- num_account, enum_context,
+ num_account, r->in.start_idx,
entries);
break;
case 3:
disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3,
- num_account, enum_context,
+ num_account, r->in.start_idx,
entries);
break;
case 4:
disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4,
- num_account, enum_context,
+ num_account, r->in.start_idx,
entries);
break;
case 5:
disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5,
- num_account, enum_context,
+ num_account, r->in.start_idx,
entries);
break;
default:
if (!NT_STATUS_IS_OK(disp_ret))
return disp_ret;
- /* calculate the total size */
- total_data_size=num_account*struct_size;
-
if (max_entries <= num_account) {
status = STATUS_MORE_ENTRIES;
} else {
DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__));
- *r->out.total_size = total_data_size;
- *r->out.returned_size = temp_size;
+ *r->out.total_size = num_account * struct_size;
+ *r->out.returned_size = num_account ? temp_size : 0;
return status;
}
NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
struct samr_ChangePasswordUser2 *r)
{
+ struct smbd_server_connection *sconn = smbd_server_conn;
NTSTATUS status;
fstring user_name;
fstring wks;
* function.
*/
- (void)map_username(user_name);
+ (void)map_username(sconn, user_name);
/*
* UNIX username case mangling not required, pass_oem_change
NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
struct samr_OemChangePasswordUser2 *r)
{
+ struct smbd_server_connection *sconn = smbd_server_conn;
NTSTATUS status;
fstring user_name;
const char *wks = NULL;
* function.
*/
- (void)map_username(user_name);
+ (void)map_username(sconn, user_name);
/*
* UNIX username case mangling not required, pass_oem_change
NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
struct samr_ChangePasswordUser3 *r)
{
+ struct smbd_server_connection *sconn = smbd_server_conn;
NTSTATUS status;
fstring user_name;
const char *wks = NULL;
* function.
*/
- (void)map_username(user_name);
+ (void)map_username(sconn, user_name);
/*
* UNIX username case mangling not required, pass_oem_change
TALLOC_FREE(sampass);
- nt_status = access_check_samr_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_OpenUser");
* just assume we have all the rights we need ?
*/
- nt_status = access_check_samr_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->ptok,
&se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_CreateUser2");
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
se_map_generic(&des_access, &sam_generic_mapping);
- nt_status = access_check_samr_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->ptok,
NULL, 0, des_access, &acc_granted, fn);
if ( !NT_STATUS_IS_OK(nt_status) )
se_priv_copy( &se_rights, &se_add_users );
- status = access_check_samr_object(psd, p->server_info->ptok,
- &se_rights, SAMR_ALIAS_ACCESS_ADD_MEMBER,
+ status = access_check_object(psd, p->server_info->ptok,
+ &se_rights, GENERIC_RIGHTS_ALIAS_ALL_ACCESS,
des_access, &acc_granted, "_samr_OpenAlias");
if ( !NT_STATUS_IS_OK(status) )
struct samr_user_info *uinfo;
NTSTATUS status;
struct samu *sam_pass=NULL;
- bool can_del_accounts = false;
- uint32 acb_info = 0;
bool ret;
DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__));
ret = pdb_getsampwsid(sam_pass, &uinfo->sid);
unbecome_root();
- if (ret) {
- acb_info = pdb_get_acct_ctrl(sam_pass);
- }
-
- /* For machine accounts it's the SeMachineAccountPrivilege that counts. */
- if (geteuid() == sec_initial_uid()) {
- can_del_accounts = true;
- } else if (acb_info & ACB_WSTRUST) {
- can_del_accounts = user_has_privileges( p->server_info->ptok, &se_machine_account );
- } else {
- can_del_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
- }
-
- if (!can_del_accounts) {
- TALLOC_FREE(sam_pass);
- return NT_STATUS_ACCESS_DENIED;
- }
-
if(!ret) {
DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
sid_string_dbg(&uinfo->sid)));
return NT_STATUS_NO_SUCH_GROUP;
switch (r->in.level) {
- case 1:
- fstrcpy(map.comment, r->in.info->all.description.string);
- break;
case 2:
/* group rename is not supported yet */
return NT_STATUS_NOT_SUPPORTED;
+ case 3:
+ break;
case 4:
fstrcpy(map.comment, r->in.info->description.string);
break;
se_priv_copy( &se_rights, &se_add_users );
- status = access_check_samr_object(psd, p->server_info->ptok,
- &se_rights, SAMR_GROUP_ACCESS_ADD_MEMBER,
+ status = access_check_object(psd, p->server_info->ptok,
+ &se_rights, GENERIC_RIGHTS_GROUP_ALL_ACCESS,
des_access, &acc_granted, "_samr_OpenGroup");
if ( !NT_STATUS_IS_OK(status) )
return NT_STATUS_NO_SUCH_GROUP;
ginfo = policy_handle_create(p, r->out.group_handle,
- GENERIC_RIGHTS_GROUP_ALL_ACCESS,
+ acc_granted,
struct samr_group_info, &status);
if (!NT_STATUS_IS_OK(status)) {
return status;
/* Find the policy handle. Open a policy on it. */
dinfo = policy_handle_find(p, r->in.domain_handle,
- STD_RIGHT_DELETE_ACCESS, NULL,
+ SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, NULL,
struct samr_domain_info, &result);
if (!NT_STATUS_IS_OK(result)) {
return result;