endpoint server for the lsarpc pipe
Copyright (C) Andrew Tridgell 2004
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2007
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#include "includes.h"
-#include "rpc_server/dcerpc_server.h"
-#include "rpc_server/common/common.h"
-#include "auth/auth.h"
-#include "dsdb/samdb/samdb.h"
-#include "libcli/ldap/ldap.h"
-#include "lib/ldb/include/ldb_errors.h"
-#include "libcli/security/security.h"
-#include "libcli/auth/libcli_auth.h"
-#include "param/secrets.h"
-#include "db_wrap.h"
-#include "librpc/gen_ndr/ndr_dssetup.h"
+#include "rpc_server/lsa/lsa.h"
+#include "util/util_ldb.h"
/*
this type allows us to distinguish handle types
*/
-enum lsa_handle {
- LSA_HANDLE_POLICY,
- LSA_HANDLE_ACCOUNT,
- LSA_HANDLE_SECRET,
- LSA_HANDLE_TRUSTED_DOMAIN
-};
-
-/*
- state associated with a lsa_OpenPolicy() operation
-*/
-struct lsa_policy_state {
- struct dcesrv_handle *handle;
- struct ldb_context *sam_ldb;
- struct sidmap_context *sidmap;
- uint32_t access_mask;
- struct ldb_dn *domain_dn;
- struct ldb_dn *forest_dn;
- struct ldb_dn *builtin_dn;
- struct ldb_dn *system_dn;
- const char *domain_name;
- const char *domain_dns;
- const char *forest_dns;
- struct dom_sid *domain_sid;
- struct GUID domain_guid;
- struct dom_sid *builtin_sid;
- int mixed_domain;
-};
-
/*
state associated with a lsa_OpenAccount() operation
uint32_t access_mask;
struct ldb_dn *secret_dn;
struct ldb_context *sam_ldb;
- BOOL global;
+ bool global;
};
/*
DCESRV_PULL_HANDLE(h, r->in.handle, DCESRV_HANDLE_ANY);
if (h->wire_handle.handle_type == LSA_HANDLE_SECRET) {
struct lsa_secret_state *secret_state = h->data;
- ret = samdb_delete(secret_state->sam_ldb, mem_ctx, secret_state->secret_dn);
+ ret = ldb_delete(secret_state->sam_ldb,
+ secret_state->secret_dn);
talloc_free(h);
if (ret != 0) {
return NT_STATUS_INVALID_HANDLE;
return NT_STATUS_OK;
} else if (h->wire_handle.handle_type == LSA_HANDLE_TRUSTED_DOMAIN) {
struct lsa_trusted_domain_state *trusted_domain_state = h->data;
- ret = samdb_delete(trusted_domain_state->policy->sam_ldb, mem_ctx,
- trusted_domain_state->trusted_domain_dn);
+ ret = ldb_delete(trusted_domain_state->policy->sam_ldb,
+ trusted_domain_state->trusted_domain_dn);
talloc_free(h);
if (ret != 0) {
return NT_STATUS_INVALID_HANDLE;
DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
}
-static NTSTATUS dcesrv_lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct lsa_policy_state **_state)
-{
- struct lsa_policy_state *state;
- struct ldb_dn *partitions_basedn;
- struct ldb_result *dom_res;
- const char *dom_attrs[] = {
- "objectSid",
- "objectGUID",
- "nTMixedDomain",
- "fSMORoleOwner",
- NULL
- };
- struct ldb_result *ref_res;
- struct ldb_result *forest_ref_res;
- const char *ref_attrs[] = {
- "nETBIOSName",
- "dnsRoot",
- NULL
- };
- int ret;
-
- state = talloc(mem_ctx, struct lsa_policy_state);
- if (!state) {
- return NT_STATUS_NO_MEMORY;
- }
-
- /* make sure the sam database is accessible */
- state->sam_ldb = samdb_connect(state, dce_call->conn->auth_state.session_info);
- if (state->sam_ldb == NULL) {
- return NT_STATUS_INVALID_SYSTEM_SERVICE;
- }
-
- partitions_basedn = samdb_partitions_dn(state->sam_ldb, mem_ctx);
-
- state->sidmap = sidmap_open(state);
- if (state->sidmap == NULL) {
- return NT_STATUS_INVALID_SYSTEM_SERVICE;
- }
-
- /* work out the domain_dn - useful for so many calls its worth
- fetching here */
- state->domain_dn = samdb_base_dn(state->sam_ldb);
- if (!state->domain_dn) {
- return NT_STATUS_NO_MEMORY;
- }
-
- /* work out the forest root_dn - useful for so many calls its worth
- fetching here */
- state->forest_dn = samdb_root_dn(state->sam_ldb);
- if (!state->forest_dn) {
- return NT_STATUS_NO_MEMORY;
- }
-
- ret = ldb_search(state->sam_ldb, state->domain_dn, LDB_SCOPE_BASE, NULL, dom_attrs, &dom_res);
-
- if (ret != LDB_SUCCESS) {
- return NT_STATUS_INVALID_SYSTEM_SERVICE;
- }
- talloc_steal(mem_ctx, dom_res);
- if (dom_res->count != 1) {
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
-
- state->domain_sid = samdb_result_dom_sid(state, dom_res->msgs[0], "objectSid");
- if (!state->domain_sid) {
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
-
- state->domain_guid = samdb_result_guid(dom_res->msgs[0], "objectGUID");
- if (!state->domain_sid) {
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
-
- state->mixed_domain = ldb_msg_find_attr_as_uint(dom_res->msgs[0], "nTMixedDomain", 0);
-
- talloc_free(dom_res);
-
- ret = ldb_search_exp_fmt(state->sam_ldb, state, &ref_res,
- partitions_basedn, LDB_SCOPE_SUBTREE, ref_attrs,
- "(&(objectclass=crossRef)(ncName=%s))",
- ldb_dn_get_linearized(state->domain_dn));
-
- if (ret != LDB_SUCCESS) {
- talloc_free(ref_res);
- return NT_STATUS_INVALID_SYSTEM_SERVICE;
- }
- if (ref_res->count != 1) {
- talloc_free(ref_res);
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
-
- state->domain_name = ldb_msg_find_attr_as_string(ref_res->msgs[0], "nETBIOSName", NULL);
- if (!state->domain_name) {
- talloc_free(ref_res);
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
- talloc_steal(state, state->domain_name);
-
- state->domain_dns = ldb_msg_find_attr_as_string(ref_res->msgs[0], "dnsRoot", NULL);
- if (!state->domain_dns) {
- talloc_free(ref_res);
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
- talloc_steal(state, state->domain_dns);
-
- talloc_free(ref_res);
-
- ret = ldb_search_exp_fmt(state->sam_ldb, state, &forest_ref_res,
- partitions_basedn, LDB_SCOPE_SUBTREE, ref_attrs,
- "(&(objectclass=crossRef)(ncName=%s))",
- ldb_dn_get_linearized(state->forest_dn));
-
- if (ret != LDB_SUCCESS) {
- talloc_free(forest_ref_res);
- return NT_STATUS_INVALID_SYSTEM_SERVICE;
- }
- if (forest_ref_res->count != 1) {
- talloc_free(forest_ref_res);
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
-
- state->forest_dns = ldb_msg_find_attr_as_string(forest_ref_res->msgs[0], "dnsRoot", NULL);
- if (!state->forest_dns) {
- talloc_free(forest_ref_res);
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
- talloc_steal(state, state->forest_dns);
-
- talloc_free(forest_ref_res);
-
- /* work out the builtin_dn - useful for so many calls its worth
- fetching here */
- state->builtin_dn = samdb_search_dn(state->sam_ldb, state, state->domain_dn, "(objectClass=builtinDomain)");
- if (!state->builtin_dn) {
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
-
- /* work out the system_dn - useful for so many calls its worth
- fetching here */
- state->system_dn = samdb_search_dn(state->sam_ldb, state,
- state->domain_dn, "(&(objectClass=container)(cn=System))");
- if (!state->system_dn) {
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
-
- state->builtin_sid = dom_sid_parse_talloc(state, SID_BUILTIN);
- if (!state->builtin_sid) {
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
-
- *_state = state;
-
- return NT_STATUS_OK;
-}
-
/*
dssetup_DsRoleGetPrimaryDomainInformation
ZERO_STRUCT(domain_guid);
- switch (lp_server_role()) {
+ switch (lp_server_role(global_loadparm)) {
case ROLE_STANDALONE:
role = DS_ROLE_STANDALONE_SERVER;
break;
break;
}
- switch (lp_server_role()) {
+ switch (lp_server_role(global_loadparm)) {
case ROLE_STANDALONE:
- domain = talloc_strdup(mem_ctx, lp_workgroup());
+ domain = talloc_strdup(mem_ctx, lp_workgroup(global_loadparm));
W_ERROR_HAVE_NO_MEMORY(domain);
break;
case ROLE_DOMAIN_MEMBER:
- domain = talloc_strdup(mem_ctx, lp_workgroup());
+ domain = talloc_strdup(mem_ctx, lp_workgroup(global_loadparm));
W_ERROR_HAVE_NO_MEMORY(domain);
/* TODO: what is with dns_domain and forest and guid? */
break;
return WERR_INVALID_PARAM;
}
-/*
- lsa_OpenPolicy2
-*/
-static NTSTATUS dcesrv_lsa_OpenPolicy2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct lsa_OpenPolicy2 *r)
-{
- NTSTATUS status;
- struct lsa_policy_state *state;
- struct dcesrv_handle *handle;
-
- ZERO_STRUCTP(r->out.handle);
-
- status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx, &state);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- handle = dcesrv_handle_new(dce_call->context, LSA_HANDLE_POLICY);
- if (!handle) {
- return NT_STATUS_NO_MEMORY;
- }
-
- handle->data = talloc_steal(handle, state);
-
- state->access_mask = r->in.access_mask;
- state->handle = handle;
- *r->out.handle = handle->wire_handle;
-
- /* note that we have completely ignored the attr element of
- the OpenPolicy. As far as I can tell, this is what w2k3
- does */
-
- return NT_STATUS_OK;
-}
-
-/*
- lsa_OpenPolicy
- a wrapper around lsa_OpenPolicy2
-*/
-static NTSTATUS dcesrv_lsa_OpenPolicy(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct lsa_OpenPolicy *r)
-{
- struct lsa_OpenPolicy2 r2;
-
- r2.in.system_name = NULL;
- r2.in.attr = r->in.attr;
- r2.in.access_mask = r->in.access_mask;
- r2.out.handle = r->out.handle;
-
- return dcesrv_lsa_OpenPolicy2(dce_call, mem_ctx, &r2);
-}
-
-
-
/*
fill in the AccountDomain info
case LSA_POLICY_INFO_DNS:
return dcesrv_lsa_info_DNS(state, mem_ctx, &r->out.info->dns);
+ case LSA_POLICY_INFO_DB:
+ case LSA_POLICY_INFO_AUDIT_FULL_SET:
+ case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
+ return NT_STATUS_INVALID_PARAMETER;
}
return NT_STATUS_INVALID_INFO_CLASS;
}
-/*
- return the authority name and authority sid, given a sid
-*/
-static NTSTATUS dcesrv_lsa_authority_name(struct lsa_policy_state *state,
- TALLOC_CTX *mem_ctx, struct dom_sid *sid,
- const char **authority_name,
- struct dom_sid **authority_sid)
-{
- if (dom_sid_in_domain(state->domain_sid, sid)) {
- *authority_name = state->domain_name;
- *authority_sid = state->domain_sid;
- return NT_STATUS_OK;
- }
-
- if (dom_sid_in_domain(state->builtin_sid, sid)) {
- *authority_name = "BUILTIN";
- *authority_sid = state->builtin_sid;
- return NT_STATUS_OK;
- }
-
- *authority_sid = dom_sid_dup(mem_ctx, sid);
- if (*authority_sid == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- (*authority_sid)->num_auths = 0;
- *authority_name = dom_sid_string(mem_ctx, *authority_sid);
- if (*authority_name == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- return NT_STATUS_OK;
-}
-
-/*
- add to the lsa_RefDomainList for LookupSids and LookupNames
-*/
-static NTSTATUS dcesrv_lsa_authority_list(struct lsa_policy_state *state, TALLOC_CTX *mem_ctx,
- struct dom_sid *sid,
- struct lsa_RefDomainList *domains,
- uint32_t *sid_index)
-{
- NTSTATUS status;
- const char *authority_name;
- struct dom_sid *authority_sid;
- int i;
-
- /* work out the authority name */
- status = dcesrv_lsa_authority_name(state, mem_ctx, sid,
- &authority_name, &authority_sid);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- /* see if we've already done this authority name */
- for (i=0;i<domains->count;i++) {
- if (strcmp(authority_name, domains->domains[i].name.string) == 0) {
- *sid_index = i;
- return NT_STATUS_OK;
- }
- }
-
- domains->domains = talloc_realloc(domains,
- domains->domains,
- struct lsa_DomainInfo,
- domains->count+1);
- if (domains->domains == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- domains->domains[i].name.string = authority_name;
- domains->domains[i].sid = authority_sid;
- domains->count++;
- domains->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER * domains->count;
- *sid_index = i;
-
- return NT_STATUS_OK;
-}
-
-/*
- lookup a name for 1 SID
-*/
-static NTSTATUS dcesrv_lsa_lookup_sid(struct lsa_policy_state *state, TALLOC_CTX *mem_ctx,
- struct dom_sid *sid, const char *sid_str,
- const char **name, uint32_t *atype)
-{
- int ret;
- struct ldb_message **res;
- const char * const attrs[] = { "sAMAccountName", "sAMAccountType", "name", NULL};
- NTSTATUS status;
-
- ret = gendb_search(state->sam_ldb, mem_ctx, NULL, &res, attrs,
- "objectSid=%s", ldap_encode_ndr_dom_sid(mem_ctx, sid));
- if (ret == 1) {
- *name = ldb_msg_find_attr_as_string(res[0], "sAMAccountName", NULL);
- if (!*name) {
- *name = ldb_msg_find_attr_as_string(res[0], "name", NULL);
- if (!*name) {
- *name = talloc_strdup(mem_ctx, sid_str);
- NT_STATUS_HAVE_NO_MEMORY(*name);
- }
- }
-
- *atype = samdb_result_uint(res[0], "sAMAccountType", 0);
-
- return NT_STATUS_OK;
- }
-
- status = sidmap_allocated_sid_lookup(state->sidmap, mem_ctx, sid, name, atype);
-
- return status;
-}
-
-
-/*
- lsa_LookupSids2
-*/
-static NTSTATUS dcesrv_lsa_LookupSids2(struct dcesrv_call_state *dce_call,
- TALLOC_CTX *mem_ctx,
- struct lsa_LookupSids2 *r)
-{
- struct lsa_policy_state *state;
- int i;
- NTSTATUS status = NT_STATUS_OK;
-
- r->out.domains = NULL;
-
- status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx, &state);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- r->out.domains = talloc_zero(mem_ctx, struct lsa_RefDomainList);
- if (r->out.domains == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- r->out.names = talloc_zero(mem_ctx, struct lsa_TransNameArray2);
- if (r->out.names == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- *r->out.count = 0;
-
- r->out.names->names = talloc_array(r->out.names, struct lsa_TranslatedName2,
- r->in.sids->num_sids);
- if (r->out.names->names == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- for (i=0;i<r->in.sids->num_sids;i++) {
- struct dom_sid *sid = r->in.sids->sids[i].sid;
- char *sid_str = dom_sid_string(mem_ctx, sid);
- const char *name;
- uint32_t atype, rtype, sid_index;
- NTSTATUS status2;
-
- r->out.names->count++;
- (*r->out.count)++;
-
- r->out.names->names[i].sid_type = SID_NAME_UNKNOWN;
- r->out.names->names[i].name.string = sid_str;
- r->out.names->names[i].sid_index = 0xFFFFFFFF;
- r->out.names->names[i].unknown = 0;
-
- if (sid_str == NULL) {
- r->out.names->names[i].name.string = "(SIDERROR)";
- status = STATUS_SOME_UNMAPPED;
- continue;
- }
-
- /* work out the authority name */
- status2 = dcesrv_lsa_authority_list(state, mem_ctx, sid, r->out.domains, &sid_index);
- if (!NT_STATUS_IS_OK(status2)) {
- return status2;
- }
-
- status2 = dcesrv_lsa_lookup_sid(state, mem_ctx, sid, sid_str,
- &name, &atype);
- if (!NT_STATUS_IS_OK(status2)) {
- status = STATUS_SOME_UNMAPPED;
- continue;
- }
-
- rtype = samdb_atype_map(atype);
- if (rtype == SID_NAME_UNKNOWN) {
- status = STATUS_SOME_UNMAPPED;
- continue;
- }
-
- r->out.names->names[i].sid_type = rtype;
- r->out.names->names[i].name.string = name;
- r->out.names->names[i].sid_index = sid_index;
- r->out.names->names[i].unknown = 0;
- }
-
- return status;
-}
-
-
-/*
- lsa_LookupSids3
-
- Identical to LookupSids2, but doesn't take a policy handle
-
-*/
-static NTSTATUS dcesrv_lsa_LookupSids3(struct dcesrv_call_state *dce_call,
- TALLOC_CTX *mem_ctx,
- struct lsa_LookupSids3 *r)
-{
- struct lsa_LookupSids2 r2;
- struct lsa_OpenPolicy2 pol;
- NTSTATUS status;
- struct dcesrv_handle *h;
-
- /* No policy handle on the wire, so make one up here */
- r2.in.handle = talloc(mem_ctx, struct policy_handle);
- if (!r2.in.handle) {
- return NT_STATUS_NO_MEMORY;
- }
-
- pol.out.handle = r2.in.handle;
- pol.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
- pol.in.attr = NULL;
- pol.in.system_name = NULL;
- status = dcesrv_lsa_OpenPolicy2(dce_call, mem_ctx, &pol);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- /* ensure this handle goes away at the end of this call */
- DCESRV_PULL_HANDLE(h, r2.in.handle, LSA_HANDLE_POLICY);
- talloc_steal(mem_ctx, h);
-
- r2.in.sids = r->in.sids;
- r2.in.names = r->in.names;
- r2.in.level = r->in.level;
- r2.in.count = r->in.count;
- r2.in.unknown1 = r->in.unknown1;
- r2.in.unknown2 = r->in.unknown2;
- r2.out.count = r->out.count;
- r2.out.names = r->out.names;
-
- status = dcesrv_lsa_LookupSids2(dce_call, mem_ctx, &r2);
- if (dce_call->fault_code != 0) {
- return status;
- }
-
- r->out.domains = r2.out.domains;
- r->out.names = r2.out.names;
- r->out.count = r2.out.count;
-
- return status;
-}
-
-
-/*
- lsa_LookupSids
-*/
-static NTSTATUS dcesrv_lsa_LookupSids(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct lsa_LookupSids *r)
-{
- struct lsa_LookupSids2 r2;
- NTSTATUS status;
- int i;
-
- r2.in.handle = r->in.handle;
- r2.in.sids = r->in.sids;
- r2.in.names = NULL;
- r2.in.level = r->in.level;
- r2.in.count = r->in.count;
- r2.in.unknown1 = 0;
- r2.in.unknown2 = 0;
- r2.out.count = r->out.count;
- r2.out.names = NULL;
-
- status = dcesrv_lsa_LookupSids2(dce_call, mem_ctx, &r2);
- if (dce_call->fault_code != 0) {
- return status;
- }
-
- r->out.domains = r2.out.domains;
- if (!r2.out.names) {
- r->out.names = NULL;
- return status;
- }
-
- r->out.names = talloc(mem_ctx, struct lsa_TransNameArray);
- if (r->out.names == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- r->out.names->count = r2.out.names->count;
- r->out.names->names = talloc_array(r->out.names, struct lsa_TranslatedName,
- r->out.names->count);
- if (r->out.names->names == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- for (i=0;i<r->out.names->count;i++) {
- r->out.names->names[i].sid_type = r2.out.names->names[i].sid_type;
- r->out.names->names[i].name.string = r2.out.names->names[i].name.string;
- r->out.names->names[i].sid_index = r2.out.names->names[i].sid_index;
- }
-
- return status;
-}
-
-
/*
lsa_OpenAccount
*/
return NT_STATUS_OK;
}
- ret = samdb_modify(state->sam_ldb, mem_ctx, msg);
+ ret = ldb_modify(state->sam_ldb, msg);
if (ret != 0) {
if (ldb_flag == LDB_FLAG_MOD_DELETE && ret == LDB_ERR_NO_SUCH_ATTRIBUTE) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
const char *name2;
name = &r->in.name.string[2];
secret_state->sam_ldb = talloc_reference(secret_state, policy_state->sam_ldb);
- secret_state->global = True;
+ secret_state->global = true;
if (strlen(name) < 1) {
return NT_STATUS_INVALID_PARAMETER;
samdb_msg_add_string(secret_state->sam_ldb, mem_ctx, msg, "cn", name2);
} else {
- secret_state->global = False;
+ secret_state->global = false;
name = r->in.name.string;
if (strlen(name) < 1) {
return NT_STATUS_INVALID_PARAMETER;
}
- secret_state->sam_ldb = talloc_reference(secret_state, secrets_db_connect(mem_ctx));
+ secret_state->sam_ldb = talloc_reference(secret_state, secrets_db_connect(mem_ctx,
+ global_loadparm));
/* search for the secret record */
ret = gendb_search(secret_state->sam_ldb, mem_ctx,
ldb_dn_new(mem_ctx, secret_state->sam_ldb, "cn=LSA Secrets"),
secret_state->secret_dn = talloc_reference(secret_state, msg->dn);
/* create the secret */
- ret = samdb_add(secret_state->sam_ldb, mem_ctx, msg);
+ ret = ldb_add(secret_state->sam_ldb, msg);
if (ret != 0) {
DEBUG(0,("Failed to create secret record %s: %s\n",
ldb_dn_get_linearized(msg->dn),
if (strncmp("G$", r->in.name.string, 2) == 0) {
name = &r->in.name.string[2];
secret_state->sam_ldb = talloc_reference(secret_state, policy_state->sam_ldb);
- secret_state->global = True;
+ secret_state->global = true;
if (strlen(name) < 1) {
return NT_STATUS_INVALID_PARAMETER;
}
} else {
- secret_state->sam_ldb = talloc_reference(secret_state, secrets_db_connect(mem_ctx));
+ secret_state->sam_ldb = talloc_reference(secret_state,
+ secrets_db_connect(mem_ctx, global_loadparm));
- secret_state->global = False;
+ secret_state->global = false;
name = r->in.name.string;
if (strlen(name) < 1) {
return NT_STATUS_INVALID_PARAMETER;
DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
}
-/*
- lookup a SID for 1 name
-*/
-static NTSTATUS dcesrv_lsa_lookup_name(struct lsa_policy_state *state, TALLOC_CTX *mem_ctx,
- const char *name, struct dom_sid **sid, uint32_t *atype)
-{
- int ret;
- struct ldb_message **res;
- const char * const attrs[] = { "objectSid", "sAMAccountType", NULL};
- const char *p;
-
- p = strchr_m(name, '\\');
- if (p != NULL) {
- /* TODO: properly parse the domain prefix here, and use it to
- limit the search */
- name = p + 1;
- }
-
- ret = gendb_search(state->sam_ldb, mem_ctx, NULL, &res, attrs, "sAMAccountName=%s", ldb_binary_encode_string(mem_ctx, name));
- if (ret == 1) {
- *sid = samdb_result_dom_sid(mem_ctx, res[0], "objectSid");
- if (*sid == NULL) {
- return NT_STATUS_INVALID_SID;
- }
-
- *atype = samdb_result_uint(res[0], "sAMAccountType", 0);
-
- return NT_STATUS_OK;
- }
-
- /* need to add a call into sidmap to check for a allocated sid */
-
- return NT_STATUS_INVALID_SID;
-}
-
-
-/*
- lsa_LookupNames3
-*/
-static NTSTATUS dcesrv_lsa_LookupNames3(struct dcesrv_call_state *dce_call,
- TALLOC_CTX *mem_ctx,
- struct lsa_LookupNames3 *r)
-{
- struct lsa_policy_state *policy_state;
- struct dcesrv_handle *policy_handle;
- int i;
- NTSTATUS status = NT_STATUS_OK;
-
- DCESRV_PULL_HANDLE(policy_handle, r->in.handle, LSA_HANDLE_POLICY);
-
- policy_state = policy_handle->data;
-
- r->out.domains = NULL;
-
- r->out.domains = talloc_zero(mem_ctx, struct lsa_RefDomainList);
- if (r->out.domains == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- r->out.sids = talloc_zero(mem_ctx, struct lsa_TransSidArray3);
- if (r->out.sids == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- *r->out.count = 0;
-
- r->out.sids->sids = talloc_array(r->out.sids, struct lsa_TranslatedSid3,
- r->in.num_names);
- if (r->out.sids->sids == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- for (i=0;i<r->in.num_names;i++) {
- const char *name = r->in.names[i].string;
- struct dom_sid *sid;
- uint32_t atype, rtype, sid_index;
- NTSTATUS status2;
-
- r->out.sids->count++;
- (*r->out.count)++;
-
- r->out.sids->sids[i].sid_type = SID_NAME_UNKNOWN;
- r->out.sids->sids[i].sid = NULL;
- r->out.sids->sids[i].sid_index = 0xFFFFFFFF;
- r->out.sids->sids[i].unknown = 0;
-
- status2 = dcesrv_lsa_lookup_name(policy_state, mem_ctx, name, &sid, &atype);
- if (!NT_STATUS_IS_OK(status2) || sid->num_auths == 0) {
- status = STATUS_SOME_UNMAPPED;
- continue;
- }
-
- rtype = samdb_atype_map(atype);
- if (rtype == SID_NAME_UNKNOWN) {
- status = STATUS_SOME_UNMAPPED;
- continue;
- }
-
- status2 = dcesrv_lsa_authority_list(policy_state, mem_ctx, sid, r->out.domains, &sid_index);
- if (!NT_STATUS_IS_OK(status2)) {
- return status2;
- }
-
- r->out.sids->sids[i].sid_type = rtype;
- r->out.sids->sids[i].sid = sid;
- r->out.sids->sids[i].sid_index = sid_index;
- r->out.sids->sids[i].unknown = 0;
- }
-
- return status;
-}
-
-/*
- lsa_LookupNames4
-
- Identical to LookupNames3, but doesn't take a policy handle
-
-*/
-static NTSTATUS dcesrv_lsa_LookupNames4(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct lsa_LookupNames4 *r)
-{
- struct lsa_LookupNames3 r2;
- struct lsa_OpenPolicy2 pol;
- NTSTATUS status;
- struct dcesrv_handle *h;
-
- /* No policy handle on the wire, so make one up here */
- r2.in.handle = talloc(mem_ctx, struct policy_handle);
- if (!r2.in.handle) {
- return NT_STATUS_NO_MEMORY;
- }
-
- pol.out.handle = r2.in.handle;
- pol.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
- pol.in.attr = NULL;
- pol.in.system_name = NULL;
- status = dcesrv_lsa_OpenPolicy2(dce_call, mem_ctx, &pol);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- /* ensure this handle goes away at the end of this call */
- DCESRV_PULL_HANDLE(h, r2.in.handle, LSA_HANDLE_POLICY);
- talloc_steal(mem_ctx, h);
-
- r2.in.num_names = r->in.num_names;
- r2.in.names = r->in.names;
- r2.in.sids = r->in.sids;
- r2.in.count = r->in.count;
- r2.in.unknown1 = r->in.unknown1;
- r2.in.unknown2 = r->in.unknown2;
- r2.out.domains = r->out.domains;
- r2.out.sids = r->out.sids;
- r2.out.count = r->out.count;
-
- status = dcesrv_lsa_LookupNames3(dce_call, mem_ctx, &r2);
- if (dce_call->fault_code != 0) {
- return status;
- }
-
- r->out.domains = r2.out.domains;
- r->out.sids = r2.out.sids;
- r->out.count = r2.out.count;
- return status;
-}
-
-/*
- lsa_LookupNames2
-*/
-static NTSTATUS dcesrv_lsa_LookupNames2(struct dcesrv_call_state *dce_call,
- TALLOC_CTX *mem_ctx,
- struct lsa_LookupNames2 *r)
-{
- struct lsa_policy_state *state;
- struct dcesrv_handle *h;
- int i;
- NTSTATUS status = NT_STATUS_OK;
-
- r->out.domains = NULL;
-
- DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_POLICY);
-
- state = h->data;
-
- r->out.domains = talloc_zero(mem_ctx, struct lsa_RefDomainList);
- if (r->out.domains == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- r->out.sids = talloc_zero(mem_ctx, struct lsa_TransSidArray2);
- if (r->out.sids == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- *r->out.count = 0;
-
- r->out.sids->sids = talloc_array(r->out.sids, struct lsa_TranslatedSid2,
- r->in.num_names);
- if (r->out.sids->sids == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- for (i=0;i<r->in.num_names;i++) {
- const char *name = r->in.names[i].string;
- struct dom_sid *sid;
- uint32_t atype, rtype, sid_index;
- NTSTATUS status2;
-
- r->out.sids->count++;
- (*r->out.count)++;
-
- r->out.sids->sids[i].sid_type = SID_NAME_UNKNOWN;
- r->out.sids->sids[i].rid = 0xFFFFFFFF;
- r->out.sids->sids[i].sid_index = 0xFFFFFFFF;
- r->out.sids->sids[i].unknown = 0;
-
- status2 = dcesrv_lsa_lookup_name(state, mem_ctx, name, &sid, &atype);
- if (!NT_STATUS_IS_OK(status2) || sid->num_auths == 0) {
- status = STATUS_SOME_UNMAPPED;
- continue;
- }
-
- rtype = samdb_atype_map(atype);
- if (rtype == SID_NAME_UNKNOWN) {
- status = STATUS_SOME_UNMAPPED;
- continue;
- }
-
- status2 = dcesrv_lsa_authority_list(state, mem_ctx, sid, r->out.domains, &sid_index);
- if (!NT_STATUS_IS_OK(status2)) {
- return status2;
- }
-
- r->out.sids->sids[i].sid_type = rtype;
- r->out.sids->sids[i].rid = sid->sub_auths[sid->num_auths-1];
- r->out.sids->sids[i].sid_index = sid_index;
- r->out.sids->sids[i].unknown = 0;
- }
-
- return status;
-}
-
-/*
- lsa_LookupNames
-*/
-static NTSTATUS dcesrv_lsa_LookupNames(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct lsa_LookupNames *r)
-{
- struct lsa_LookupNames2 r2;
- NTSTATUS status;
- int i;
-
- r2.in.handle = r->in.handle;
- r2.in.num_names = r->in.num_names;
- r2.in.names = r->in.names;
- r2.in.sids = NULL;
- r2.in.level = r->in.level;
- r2.in.count = r->in.count;
- r2.in.unknown1 = 0;
- r2.in.unknown2 = 0;
- r2.out.count = r->out.count;
-
- status = dcesrv_lsa_LookupNames2(dce_call, mem_ctx, &r2);
- if (dce_call->fault_code != 0) {
- return status;
- }
-
- r->out.domains = r2.out.domains;
- r->out.sids = talloc(mem_ctx, struct lsa_TransSidArray);
- if (r->out.sids == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- r->out.sids->count = r2.out.sids->count;
- r->out.sids->sids = talloc_array(r->out.sids, struct lsa_TranslatedSid,
- r->out.sids->count);
- if (r->out.sids->sids == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- for (i=0;i<r->out.sids->count;i++) {
- r->out.sids->sids[i].sid_type = r2.out.sids->sids[i].sid_type;
- r->out.sids->sids[i].rid = r2.out.sids->sids[i].rid;
- r->out.sids->sids[i].sid_index = r2.out.sids->sids[i].sid_index;
- }
-
- return status;
-}
-
/*
lsa_CREDRWRITE
*/
git.samba.org / jelmer / samba4-debian.git / blobdiff