2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2002,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002.
11 * Copyright (C) Gerald (Jerry) Carter 2003.
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation; either version 2 of the License, or
16 * (at your option) any later version.
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 * This is the implementation of the SAMR code.
35 #define DBGC_CLASS DBGC_RPC_SRV
37 extern DOM_SID global_sid_Builtin;
39 extern rid_name domain_group_rids[];
40 extern rid_name domain_alias_rids[];
41 extern rid_name builtin_alias_rids[];
44 typedef struct _disp_info {
46 uint32 num_user_account;
47 SAM_ACCOUNT *disp_user_info;
49 uint32 num_group_account;
50 DOMAIN_GRP *disp_group_info;
54 /* for use by the \PIPE\samr policy */
56 uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */
65 struct generic_mapping sam_generic_mapping = {GENERIC_RIGHTS_SAM_READ, GENERIC_RIGHTS_SAM_WRITE, GENERIC_RIGHTS_SAM_EXECUTE, GENERIC_RIGHTS_SAM_ALL_ACCESS};
66 struct generic_mapping dom_generic_mapping = {GENERIC_RIGHTS_DOMAIN_READ, GENERIC_RIGHTS_DOMAIN_WRITE, GENERIC_RIGHTS_DOMAIN_EXECUTE, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
67 struct generic_mapping usr_generic_mapping = {GENERIC_RIGHTS_USER_READ, GENERIC_RIGHTS_USER_WRITE, GENERIC_RIGHTS_USER_EXECUTE, GENERIC_RIGHTS_USER_ALL_ACCESS};
68 struct generic_mapping grp_generic_mapping = {GENERIC_RIGHTS_GROUP_READ, GENERIC_RIGHTS_GROUP_WRITE, GENERIC_RIGHTS_GROUP_EXECUTE, GENERIC_RIGHTS_GROUP_ALL_ACCESS};
69 struct generic_mapping ali_generic_mapping = {GENERIC_RIGHTS_ALIAS_READ, GENERIC_RIGHTS_ALIAS_WRITE, GENERIC_RIGHTS_ALIAS_EXECUTE, GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
71 static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size);
73 /*******************************************************************
74 Checks if access to an object should be granted, and returns that
75 level of access for further checks.
76 ********************************************************************/
78 NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, uint32 des_access,
79 uint32 *acc_granted, const char *debug)
81 NTSTATUS status = NT_STATUS_ACCESS_DENIED;
83 if (!se_access_check(psd, nt_user_token, des_access, acc_granted, &status)) {
84 *acc_granted = des_access;
85 if (geteuid() == sec_initial_uid()) {
86 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n",
88 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
89 status = NT_STATUS_OK;
92 DEBUG(2,("%s: ACCESS DENIED (requested: %#010x)\n",
99 /*******************************************************************
100 Checks if access to a function can be granted
101 ********************************************************************/
103 NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
105 DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
106 debug, acc_granted, acc_required));
107 if ((acc_granted & acc_required) != acc_required) {
108 if (geteuid() == sec_initial_uid()) {
109 DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
110 debug, acc_granted, acc_required));
111 DEBUGADD(4,("but overwritten by euid == 0\n"));
114 DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n",
115 debug, acc_granted, acc_required));
116 return NT_STATUS_ACCESS_DENIED;
122 /*******************************************************************
123 Create a samr_info struct.
124 ********************************************************************/
126 static struct samr_info *get_samr_info_by_sid(DOM_SID *psid)
128 struct samr_info *info;
133 sid_to_string(sid_str, psid);
135 fstrcpy(sid_str,"(NULL)");
138 mem_ctx = talloc_init("samr_info for domain sid %s", sid_str);
140 if ((info = (struct samr_info *)talloc(mem_ctx, sizeof(struct samr_info))) == NULL)
144 DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str));
146 sid_copy( &info->sid, psid);
148 DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n"));
150 info->mem_ctx = mem_ctx;
154 /*******************************************************************
155 Function to free the per handle data.
156 ********************************************************************/
158 static void free_samr_users(struct samr_info *info)
162 if (info->disp_info.user_dbloaded){
163 for (i=0; i<info->disp_info.num_user_account; i++) {
164 SAM_ACCOUNT *sam = &info->disp_info.disp_user_info[i];
165 /* Not really a free, actually a 'clear' */
169 info->disp_info.user_dbloaded=False;
170 info->disp_info.num_user_account=0;
173 /*******************************************************************
174 Function to free the per handle data.
175 ********************************************************************/
177 static void free_samr_db(struct samr_info *info)
179 /* Groups are talloced */
181 free_samr_users(info);
183 info->disp_info.group_dbloaded=False;
184 info->disp_info.num_group_account=0;
187 static void free_samr_info(void *ptr)
189 struct samr_info *info=(struct samr_info *) ptr;
192 talloc_destroy(info->mem_ctx);
195 /*******************************************************************
196 Ensure password info is never given out. Paranioa... JRA.
197 ********************************************************************/
199 static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass)
205 /* These now zero out the old password */
207 pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
208 pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
212 static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask, BOOL all_machines)
214 SAM_ACCOUNT *pwd = NULL;
215 SAM_ACCOUNT *pwd_array = NULL;
216 NTSTATUS nt_status = NT_STATUS_OK;
217 TALLOC_CTX *mem_ctx = info->mem_ctx;
219 DEBUG(10,("load_sampwd_entries\n"));
221 /* if the snapshoot is already loaded, return */
222 if ((info->disp_info.user_dbloaded==True)
223 && (info->acb_mask == acb_mask)
224 && (info->all_machines == all_machines)) {
225 DEBUG(10,("load_sampwd_entries: already in memory\n"));
229 free_samr_users(info);
231 if (!pdb_setsampwent(False)) {
232 DEBUG(0, ("load_sampwd_entries: Unable to open passdb.\n"));
233 return NT_STATUS_ACCESS_DENIED;
236 for (; (NT_STATUS_IS_OK(nt_status = pdb_init_sam_talloc(mem_ctx, &pwd)))
237 && pdb_getsampwent(pwd) == True; pwd=NULL) {
240 if (!((pdb_get_acct_ctrl(pwd) & ACB_WSTRUST)
241 || (pdb_get_acct_ctrl(pwd) & ACB_SVRTRUST))) {
242 DEBUG(5,("load_sampwd_entries: '%s' is not a machine account - ACB: %x - skipping\n", pdb_get_username(pwd), acb_mask));
247 if (acb_mask != 0 && !(pdb_get_acct_ctrl(pwd) & acb_mask)) {
249 DEBUG(5,(" acb_mask %x reject\n", acb_mask));
254 /* Realloc some memory for the array of ptr to the SAM_ACCOUNT structs */
255 if (info->disp_info.num_user_account % MAX_SAM_ENTRIES == 0) {
257 DEBUG(10,("load_sampwd_entries: allocating more memory\n"));
258 pwd_array=(SAM_ACCOUNT *)talloc_realloc(mem_ctx, info->disp_info.disp_user_info,
259 (info->disp_info.num_user_account+MAX_SAM_ENTRIES)*sizeof(SAM_ACCOUNT));
262 return NT_STATUS_NO_MEMORY;
264 info->disp_info.disp_user_info=pwd_array;
267 /* Copy the SAM_ACCOUNT into the array */
268 info->disp_info.disp_user_info[info->disp_info.num_user_account]=*pwd;
270 DEBUG(10,("load_sampwd_entries: entry: %d\n", info->disp_info.num_user_account));
272 info->disp_info.num_user_account++;
277 /* the snapshoot is in memory, we're ready to enumerate fast */
279 info->acb_mask = acb_mask;
280 info->all_machines = all_machines;
281 info->disp_info.user_dbloaded=True;
283 DEBUG(10,("load_sampwd_entries: done\n"));
288 static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid)
291 DOMAIN_GRP *grp_array = NULL;
292 uint32 group_entries = 0;
294 TALLOC_CTX *mem_ctx = info->mem_ctx;
296 DEBUG(10,("load_group_domain_entries\n"));
298 /* if the snapshoot is already loaded, return */
299 if (info->disp_info.group_dbloaded==True) {
300 DEBUG(10,("load_group_domain_entries: already in memory\n"));
307 if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED)) {
308 DEBUG(1, ("load_group_domain_entries: pdb_enum_group_mapping() failed!\n"));
309 return NT_STATUS_NO_MEMORY;
314 info->disp_info.num_group_account=group_entries;
316 grp_array=(DOMAIN_GRP *)talloc(mem_ctx, info->disp_info.num_group_account*sizeof(DOMAIN_GRP));
317 if (group_entries!=0 && grp_array==NULL) {
318 DEBUG(1, ("load_group_domain_entries: talloc() failed for grp_array!\n"));
320 return NT_STATUS_NO_MEMORY;
323 info->disp_info.disp_group_info=grp_array;
325 for (i=0; i<group_entries; i++) {
326 fstrcpy(grp_array[i].name, map[i].nt_name);
327 fstrcpy(grp_array[i].comment, map[i].comment);
328 sid_split_rid(&map[i].sid, &grp_array[i].rid);
329 grp_array[i].attr=SID_NAME_DOM_GRP;
334 /* the snapshoot is in memory, we're ready to enumerate fast */
336 info->disp_info.group_dbloaded=True;
338 DEBUG(10,("load_group_domain_entries: done\n"));
344 /*******************************************************************
346 ********************************************************************/
348 NTSTATUS _samr_close_hnd(pipes_struct *p, SAMR_Q_CLOSE_HND *q_u, SAMR_R_CLOSE_HND *r_u)
350 r_u->status = NT_STATUS_OK;
352 /* close the policy handle */
353 if (!close_policy_hnd(p, &q_u->pol))
354 return NT_STATUS_OBJECT_NAME_INVALID;
356 DEBUG(5,("samr_reply_close_hnd: %d\n", __LINE__));
361 /*******************************************************************
362 samr_reply_open_domain
363 ********************************************************************/
365 NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN_DOMAIN *r_u)
367 struct samr_info *info;
368 SEC_DESC *psd = NULL;
370 uint32 des_access = q_u->flags;
374 r_u->status = NT_STATUS_OK;
376 /* find the connection policy handle. */
377 if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info))
378 return NT_STATUS_INVALID_HANDLE;
380 if (!NT_STATUS_IS_OK(status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_OPEN_DOMAIN,"_samr_open_domain"))) {
384 /*check if access can be granted as requested by client. */
385 samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size);
386 se_map_generic(&des_access,&dom_generic_mapping);
388 if (!NT_STATUS_IS_OK(status =
389 access_check_samr_object(psd, p->pipe_user.nt_user_token,
390 des_access, &acc_granted, "_samr_open_domain"))) {
394 /* associate the domain SID with the (unique) handle. */
395 if ((info = get_samr_info_by_sid(&q_u->dom_sid.sid))==NULL)
396 return NT_STATUS_NO_MEMORY;
397 info->acc_granted = acc_granted;
399 /* get a (unique) handle. open a policy on it. */
400 if (!create_policy_hnd(p, &r_u->domain_pol, free_samr_info, (void *)info))
401 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
403 DEBUG(5,("samr_open_domain: %d\n", __LINE__));
408 /*******************************************************************
409 _samr_get_usrdom_pwinfo
410 ********************************************************************/
412 NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, SAMR_R_GET_USRDOM_PWINFO *r_u)
414 struct samr_info *info = NULL;
416 r_u->status = NT_STATUS_OK;
418 /* find the policy handle. open a policy on it. */
419 if (!find_policy_by_hnd(p, &q_u->user_pol, (void **)&info))
420 return NT_STATUS_INVALID_HANDLE;
422 if (!sid_check_is_in_our_domain(&info->sid))
423 return NT_STATUS_OBJECT_TYPE_MISMATCH;
425 init_samr_r_get_usrdom_pwinfo(r_u, NT_STATUS_OK);
427 DEBUG(5,("_samr_get_usrdom_pwinfo: %d\n", __LINE__));
430 * NT sometimes return NT_STATUS_ACCESS_DENIED
431 * I don't know yet why.
437 /*******************************************************************
439 ********************************************************************/
441 static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size)
443 extern DOM_SID global_sid_World;
452 sid_copy(&adm_sid, &global_sid_Builtin);
453 sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
455 sid_copy(&act_sid, &global_sid_Builtin);
456 sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
458 /*basic access for every one*/
459 init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_EXECUTE | GENERIC_RIGHTS_DOMAIN_READ);
460 init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
462 /*full access for builtin aliases Administrators and Account Operators*/
463 init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS);
464 init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
465 init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
467 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
468 return NT_STATUS_NO_MEMORY;
470 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
471 return NT_STATUS_NO_MEMORY;
476 /*******************************************************************
478 ********************************************************************/
480 static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size, DOM_SID *usr_sid)
482 extern DOM_SID global_sid_World;
491 sid_copy(&adm_sid, &global_sid_Builtin);
492 sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
494 sid_copy(&act_sid, &global_sid_Builtin);
495 sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
497 /*basic access for every one*/
498 init_sec_access(&mask, GENERIC_RIGHTS_USER_EXECUTE | GENERIC_RIGHTS_USER_READ);
499 init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
501 /*full access for builtin aliases Administrators and Account Operators*/
502 init_sec_access(&mask, GENERIC_RIGHTS_USER_ALL_ACCESS);
503 init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
504 init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
506 /*extended access for the user*/
507 init_sec_access(&mask,READ_CONTROL_ACCESS | SA_RIGHT_USER_CHANGE_PASSWORD | SA_RIGHT_USER_SET_LOC_COM);
508 init_sec_ace(&ace[3], usr_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
510 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 4, ace)) == NULL)
511 return NT_STATUS_NO_MEMORY;
513 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
514 return NT_STATUS_NO_MEMORY;
519 /*******************************************************************
521 ********************************************************************/
523 static NTSTATUS samr_make_grp_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size)
525 extern DOM_SID global_sid_World;
534 sid_copy(&adm_sid, &global_sid_Builtin);
535 sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
537 sid_copy(&act_sid, &global_sid_Builtin);
538 sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
540 /*basic access for every one*/
541 init_sec_access(&mask, GENERIC_RIGHTS_GROUP_EXECUTE | GENERIC_RIGHTS_GROUP_READ);
542 init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
544 /*full access for builtin aliases Administrators and Account Operators*/
545 init_sec_access(&mask, GENERIC_RIGHTS_GROUP_ALL_ACCESS);
546 init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
547 init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
549 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
550 return NT_STATUS_NO_MEMORY;
552 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
553 return NT_STATUS_NO_MEMORY;
558 /*******************************************************************
560 ********************************************************************/
562 static NTSTATUS samr_make_ali_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size)
564 extern DOM_SID global_sid_World;
573 sid_copy(&adm_sid, &global_sid_Builtin);
574 sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
576 sid_copy(&act_sid, &global_sid_Builtin);
577 sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
579 /*basic access for every one*/
580 init_sec_access(&mask, GENERIC_RIGHTS_ALIAS_EXECUTE | GENERIC_RIGHTS_ALIAS_READ);
581 init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
583 /*full access for builtin aliases Administrators and Account Operators*/
584 init_sec_access(&mask, GENERIC_RIGHTS_ALIAS_ALL_ACCESS);
585 init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
586 init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
588 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
589 return NT_STATUS_NO_MEMORY;
591 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
592 return NT_STATUS_NO_MEMORY;
597 static BOOL get_lsa_policy_samr_sid(pipes_struct *p, POLICY_HND *pol, DOM_SID *sid, uint32 *acc_granted)
599 struct samr_info *info = NULL;
601 /* find the policy handle. open a policy on it. */
602 if (!find_policy_by_hnd(p, pol, (void **)&info))
609 *acc_granted = info->acc_granted;
613 /*******************************************************************
615 ********************************************************************/
617 NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_SEC_OBJ *r_u)
619 DEBUG(0,("_samr_set_sec_obj: Not yet implemented!\n"));
620 return NT_STATUS_NOT_IMPLEMENTED;
624 /*******************************************************************
626 ********************************************************************/
628 NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_QUERY_SEC_OBJ *r_u)
632 SEC_DESC * psd = NULL;
636 r_u->status = NT_STATUS_OK;
639 if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &pol_sid, &acc_granted))
640 return NT_STATUS_INVALID_HANDLE;
644 DEBUG(10,("_samr_query_sec_obj: querying security on SID: %s\n", sid_to_string(str_sid, &pol_sid)));
646 /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
648 /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
649 if (pol_sid.sid_rev_num == 0)
651 DEBUG(5,("_samr_query_sec_obj: querying security on SAM\n"));
652 r_u->status = samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size);
654 else if (sid_equal(&pol_sid,get_global_sam_sid())) /* check if it is our domain SID */
657 DEBUG(5,("_samr_query_sec_obj: querying security on Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
658 r_u->status = samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size);
660 else if (sid_equal(&pol_sid,&global_sid_Builtin)) /* check if it is the Builtin Domain */
662 /* TODO: Builtin probably needs a different SD with restricted write access*/
663 DEBUG(5,("_samr_query_sec_obj: querying security on Builtin Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
664 r_u->status = samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size);
666 else if (sid_check_is_in_our_domain(&pol_sid) ||
667 sid_check_is_in_builtin(&pol_sid))
669 /* TODO: different SDs have to be generated for aliases groups and users.
670 Currently all three get a default user SD */
671 DEBUG(10,("_samr_query_sec_obj: querying security on Object with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
672 r_u->status = samr_make_usr_obj_sd(p->mem_ctx, &psd,&sd_size, &pol_sid);
674 else return NT_STATUS_OBJECT_TYPE_MISMATCH;
676 if ((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
677 return NT_STATUS_NO_MEMORY;
679 if (NT_STATUS_IS_OK(r_u->status))
685 /*******************************************************************
686 makes a SAM_ENTRY / UNISTR2* structure from a user list.
687 ********************************************************************/
689 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR2 **uni_name_pp,
690 uint32 num_entries, uint32 start_idx, SAM_ACCOUNT *disp_user_info,
696 SAM_ACCOUNT *pwd = NULL;
697 UNISTR2 uni_temp_name;
698 const char *temp_name;
699 const DOM_SID *user_sid;
701 fstring user_sid_string;
702 fstring domain_sid_string;
707 if (num_entries == 0)
710 sam = (SAM_ENTRY *)talloc_zero(ctx, sizeof(SAM_ENTRY)*num_entries);
712 uni_name = (UNISTR2 *)talloc_zero(ctx, sizeof(UNISTR2)*num_entries);
714 if (sam == NULL || uni_name == NULL) {
715 DEBUG(0, ("make_user_sam_entry_list: talloc_zero failed!\n"));
716 return NT_STATUS_NO_MEMORY;
719 for (i = 0; i < num_entries; i++) {
720 pwd = &disp_user_info[i+start_idx];
721 temp_name = pdb_get_username(pwd);
722 init_unistr2(&uni_temp_name, temp_name, UNI_STR_TERMINATE);
723 user_sid = pdb_get_user_sid(pwd);
725 if (!sid_peek_check_rid(domain_sid, user_sid, &user_rid)) {
726 DEBUG(0, ("make_user_sam_entry_list: User %s has SID %s, which conflicts with "
727 "the domain sid %s. Failing operation.\n",
729 sid_to_string(user_sid_string, user_sid),
730 sid_to_string(domain_sid_string, domain_sid)));
731 return NT_STATUS_UNSUCCESSFUL;
734 init_sam_entry(&sam[i], &uni_temp_name, user_rid);
735 copy_unistr2(&uni_name[i], &uni_temp_name);
739 *uni_name_pp = uni_name;
743 /*******************************************************************
744 samr_reply_enum_dom_users
745 ********************************************************************/
747 NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u,
748 SAMR_R_ENUM_DOM_USERS *r_u)
750 struct samr_info *info = NULL;
751 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
753 uint32 enum_context=q_u->start_idx;
754 uint32 max_size=q_u->max_size;
756 enum remote_arch_types ra_type = get_remote_arch();
757 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
758 uint32 max_entries = max_sam_entries;
761 r_u->status = NT_STATUS_OK;
763 /* find the policy handle. open a policy on it. */
764 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
765 return NT_STATUS_INVALID_HANDLE;
767 domain_sid = info->sid;
769 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted,
770 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
771 "_samr_enum_dom_users"))) {
775 DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__));
778 r_u->status=load_sampwd_entries(info, q_u->acb_mask, False);
781 if (!NT_STATUS_IS_OK(r_u->status))
784 num_account = info->disp_info.num_user_account;
786 if (enum_context > num_account) {
787 DEBUG(5, ("_samr_enum_dom_users: enumeration handle over total entries\n"));
791 /* verify we won't overflow */
792 if (max_entries > num_account-enum_context) {
793 max_entries = num_account-enum_context;
794 DEBUG(5, ("_samr_enum_dom_users: only %d entries to return\n", max_entries));
797 /* calculate the size and limit on the number of entries we will return */
798 temp_size=max_entries*struct_size;
800 if (temp_size>max_size) {
801 max_entries=MIN((max_size/struct_size),max_entries);;
802 DEBUG(5, ("_samr_enum_dom_users: buffer size limits to only %d entries\n", max_entries));
806 * Note from JRA. total_entries is not being used here. Currently if there is a
807 * large user base then it looks like NT will enumerate until get_sampwd_entries
808 * returns False due to num_entries being zero. This will cause an access denied
809 * return. I don't think this is right and needs further investigation. Note that
810 * this is also the same in the TNG code (I don't think that has been tested with
811 * a very large user list as MAX_SAM_ENTRIES is set to 600).
813 * I also think that one of the 'num_entries' return parameters is probably
814 * the "max entries" parameter - but in the TNG code they're all currently set to the same
815 * value (again I think this is wrong).
818 r_u->status = make_user_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_acct_name,
819 max_entries, enum_context,
820 info->disp_info.disp_user_info,
823 if (!NT_STATUS_IS_OK(r_u->status))
826 if (enum_context+max_entries < num_account)
827 r_u->status = STATUS_MORE_ENTRIES;
829 DEBUG(5, ("_samr_enum_dom_users: %d\n", __LINE__));
831 init_samr_r_enum_dom_users(r_u, q_u->start_idx + max_entries, max_entries);
833 DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__));
838 /*******************************************************************
839 makes a SAM_ENTRY / UNISTR2* structure from a group list.
840 ********************************************************************/
842 static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR2 **uni_name_pp,
843 uint32 num_sam_entries, DOMAIN_GRP *grp)
852 if (num_sam_entries == 0)
855 sam = (SAM_ENTRY *)talloc_zero(ctx, sizeof(SAM_ENTRY)*num_sam_entries);
857 uni_name = (UNISTR2 *)talloc_zero(ctx, sizeof(UNISTR2)*num_sam_entries);
859 if (sam == NULL || uni_name == NULL) {
860 DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n"));
864 for (i = 0; i < num_sam_entries; i++) {
866 * JRA. I think this should include the null. TNG does not.
868 init_unistr2(&uni_name[i], grp[i].name, UNI_STR_TERMINATE);
869 init_sam_entry(&sam[i], &uni_name[i], grp[i].rid);
873 *uni_name_pp = uni_name;
876 /*******************************************************************
877 Get the group entries - similar to get_sampwd_entries().
878 ******************************************************************/
880 static NTSTATUS get_group_entries( enum SID_NAME_USE type, TALLOC_CTX *ctx,
881 DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx,
882 uint32 *p_num_entries, uint32 max_entries )
886 uint32 group_entries = 0;
887 uint32 num_entries = 0;
891 /* access checks for the users were performed higher up. become/unbecome_root()
892 needed for some passdb backends to enumerate groups */
895 pdb_enum_group_mapping(type, &map, (int *)&group_entries, ENUM_ONLY_MAPPED);
898 num_entries=group_entries-start_idx;
900 /* limit the number of entries */
901 if (num_entries>max_entries) {
902 DEBUG(5,("Limiting to %d entries\n", max_entries));
903 num_entries=max_entries;
906 *d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP));
907 if (num_entries!=0 && *d_grp==NULL){
909 return NT_STATUS_NO_MEMORY;
912 for (i=0; i<num_entries; i++) {
913 fstrcpy((*d_grp)[i].name, map[i+start_idx].nt_name);
914 fstrcpy((*d_grp)[i].comment, map[i+start_idx].comment);
915 sid_split_rid(&map[i+start_idx].sid, &(*d_grp)[i].rid);
916 (*d_grp)[i].attr=type;
921 *p_num_entries = num_entries;
923 DEBUG(10,("get_group_entries: returning %d entries\n", *p_num_entries));
928 /*******************************************************************
929 Wrapper for enuemrating domain groups
930 ******************************************************************/
932 static NTSTATUS get_group_domain_entries( TALLOC_CTX *ctx, DOMAIN_GRP **d_grp,
933 DOM_SID *sid, uint32 start_idx,
934 uint32 *p_num_entries, uint32 max_entries )
936 return get_group_entries( SID_NAME_DOM_GRP, ctx, d_grp, sid, start_idx,
937 p_num_entries, max_entries );
940 /*******************************************************************
941 Wrapper for enumerating local groups
942 ******************************************************************/
944 static NTSTATUS get_group_alias_entries( TALLOC_CTX *ctx, DOMAIN_GRP **d_grp,
945 DOM_SID *sid, uint32 start_idx,
946 uint32 *p_num_entries, uint32 max_entries)
948 if ( sid_equal(sid, &global_sid_Builtin) ) {
949 return get_group_entries( SID_NAME_WKN_GRP, ctx, d_grp,
950 sid, start_idx, p_num_entries, max_entries );
952 else if ( sid_equal(sid, get_global_sam_sid()) ) {
953 return get_group_entries( SID_NAME_ALIAS, ctx, d_grp,
954 sid, start_idx, p_num_entries, max_entries );
957 /* can't do anything with this SID */
964 /*******************************************************************
965 samr_reply_enum_dom_groups
966 ********************************************************************/
968 NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_R_ENUM_DOM_GROUPS *r_u)
970 DOMAIN_GRP *grp=NULL;
975 r_u->status = NT_STATUS_OK;
977 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted))
978 return NT_STATUS_INVALID_HANDLE;
980 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_groups"))) {
984 DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__));
986 /* the domain group array is being allocated in the function below */
987 if (!NT_STATUS_IS_OK(r_u->status = get_group_domain_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES))) {
991 make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp);
993 init_samr_r_enum_dom_groups(r_u, q_u->start_idx, num_entries);
995 DEBUG(5,("samr_enum_dom_groups: %d\n", __LINE__));
1001 /*******************************************************************
1002 samr_reply_enum_dom_aliases
1003 ********************************************************************/
1005 NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAMR_R_ENUM_DOM_ALIASES *r_u)
1007 DOMAIN_GRP *grp=NULL;
1008 uint32 num_entries = 0;
1014 r_u->status = NT_STATUS_OK;
1016 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted))
1017 return NT_STATUS_INVALID_HANDLE;
1019 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_aliases"))) {
1023 sid_to_string(sid_str, &sid);
1024 DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", sid_str));
1026 status = get_group_alias_entries(p->mem_ctx, &grp, &sid, q_u->start_idx,
1027 &num_entries, MAX_SAM_ENTRIES);
1028 if (NT_STATUS_IS_ERR(status)) return status;
1030 make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp);
1034 init_samr_r_enum_dom_aliases(r_u, q_u->start_idx + num_entries, num_entries);
1036 DEBUG(5,("samr_enum_dom_aliases: %d\n", __LINE__));
1041 /*******************************************************************
1042 samr_reply_query_dispinfo
1043 ********************************************************************/
1045 NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u,
1046 SAMR_R_QUERY_DISPINFO *r_u)
1048 struct samr_info *info = NULL;
1049 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1051 uint32 max_entries=q_u->max_entries;
1052 uint32 enum_context=q_u->start_idx;
1053 uint32 max_size=q_u->max_size;
1055 SAM_DISPINFO_CTR *ctr;
1056 uint32 temp_size=0, total_data_size=0;
1058 uint32 num_account = 0;
1059 enum remote_arch_types ra_type = get_remote_arch();
1060 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1063 DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__));
1064 r_u->status = NT_STATUS_OK;
1066 /* find the policy handle. open a policy on it. */
1067 if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info))
1068 return NT_STATUS_INVALID_HANDLE;
1070 domain_sid = info->sid;
1073 * calculate how many entries we will return.
1075 * - the number of entries the client asked
1076 * - our limit on that
1077 * - the starting point (enumeration context)
1078 * - the buffer size the client will accept
1082 * We are a lot more like W2K. Instead of reading the SAM
1083 * each time to find the records we need to send back,
1084 * we read it once and link that copy to the sam handle.
1085 * For large user list (over the MAX_SAM_ENTRIES)
1086 * it's a definitive win.
1087 * second point to notice: between enumerations
1088 * our sam is now the same as it's a snapshoot.
1089 * third point: got rid of the static SAM_USER_21 struct
1090 * no more intermediate.
1091 * con: it uses much more memory, as a full copy is stored
1094 * If you want to change it, think twice and think
1095 * of the second point , that's really important.
1100 /* Get what we need from the password database */
1101 switch (q_u->switch_level) {
1103 /* When playing with usrmgr, this is necessary
1104 if you want immediate refresh after editing
1105 a user. I would like to do this after the
1106 setuserinfo2, but we do not have access to
1107 the domain handle in that call, only to the
1108 user handle. Where else does this hurt?
1112 /* We cannot do this here - it kills performace. JRA. */
1113 free_samr_users(info);
1118 /* Level 2 is for all machines, otherwise only 'normal' users */
1119 r_u->status=load_sampwd_entries(info, ACB_NORMAL, q_u->switch_level==2);
1121 if (!NT_STATUS_IS_OK(r_u->status)) {
1122 DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n"));
1125 num_account = info->disp_info.num_user_account;
1129 r_u->status = load_group_domain_entries(info, &info->sid);
1130 if (!NT_STATUS_IS_OK(r_u->status))
1132 num_account = info->disp_info.num_group_account;
1135 DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n", (unsigned int)q_u->switch_level ));
1136 return NT_STATUS_INVALID_INFO_CLASS;
1139 /* first limit the number of entries we will return */
1140 if(max_entries > max_sam_entries) {
1141 DEBUG(5, ("samr_reply_query_dispinfo: client requested %d entries, limiting to %d\n", max_entries, max_sam_entries));
1142 max_entries = max_sam_entries;
1145 if (enum_context > num_account) {
1146 DEBUG(5, ("samr_reply_query_dispinfo: enumeration handle over total entries\n"));
1147 return NT_STATUS_NO_MORE_ENTRIES;
1150 /* verify we won't overflow */
1151 if (max_entries > num_account-enum_context) {
1152 max_entries = num_account-enum_context;
1153 DEBUG(5, ("samr_reply_query_dispinfo: only %d entries to return\n", max_entries));
1156 /* calculate the size and limit on the number of entries we will return */
1157 temp_size=max_entries*struct_size;
1159 if (temp_size>max_size) {
1160 max_entries=MIN((max_size/struct_size),max_entries);;
1161 DEBUG(5, ("samr_reply_query_dispinfo: buffer size limits to only %d entries\n", max_entries));
1164 if (!(ctr = (SAM_DISPINFO_CTR *)talloc_zero(p->mem_ctx,sizeof(SAM_DISPINFO_CTR))))
1165 return NT_STATUS_NO_MEMORY;
1169 /* Now create reply structure */
1170 switch (q_u->switch_level) {
1173 if (!(ctr->sam.info1 = (SAM_DISPINFO_1 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_1))))
1174 return NT_STATUS_NO_MEMORY;
1176 disp_ret = init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, max_entries, enum_context,
1177 info->disp_info.disp_user_info, &domain_sid);
1178 if (!NT_STATUS_IS_OK(disp_ret))
1183 if (!(ctr->sam.info2 = (SAM_DISPINFO_2 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_2))))
1184 return NT_STATUS_NO_MEMORY;
1186 disp_ret = init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, max_entries, enum_context,
1187 info->disp_info.disp_user_info, &domain_sid);
1188 if (!NT_STATUS_IS_OK(disp_ret))
1193 if (!(ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_3))))
1194 return NT_STATUS_NO_MEMORY;
1196 disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, max_entries, enum_context, info->disp_info.disp_group_info);
1197 if (!NT_STATUS_IS_OK(disp_ret))
1202 if (!(ctr->sam.info4 = (SAM_DISPINFO_4 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_4))))
1203 return NT_STATUS_NO_MEMORY;
1205 disp_ret = init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, max_entries, enum_context, info->disp_info.disp_user_info);
1206 if (!NT_STATUS_IS_OK(disp_ret))
1211 if (!(ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_5))))
1212 return NT_STATUS_NO_MEMORY;
1214 disp_ret = init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, max_entries, enum_context, info->disp_info.disp_group_info);
1215 if (!NT_STATUS_IS_OK(disp_ret))
1220 ctr->sam.info = NULL;
1221 return NT_STATUS_INVALID_INFO_CLASS;
1224 /* calculate the total size */
1225 total_data_size=num_account*struct_size;
1227 if (enum_context+max_entries < num_account)
1228 r_u->status = STATUS_MORE_ENTRIES;
1230 DEBUG(5, ("_samr_query_dispinfo: %d\n", __LINE__));
1232 init_samr_r_query_dispinfo(r_u, max_entries, total_data_size, temp_size, q_u->switch_level, ctr, r_u->status);
1238 /*******************************************************************
1239 samr_reply_query_aliasinfo
1240 ********************************************************************/
1242 NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_R_QUERY_ALIASINFO *r_u)
1248 r_u->status = NT_STATUS_OK;
1250 DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__));
1252 /* find the policy handle. open a policy on it. */
1253 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted))
1254 return NT_STATUS_INVALID_HANDLE;
1255 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_LOOKUP_INFO, "_samr_query_aliasinfo"))) {
1259 if (!sid_check_is_in_our_domain(&sid) &&
1260 !sid_check_is_in_builtin(&sid))
1261 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1263 if (!pdb_getgrsid(&map, sid))
1264 return NT_STATUS_NO_SUCH_ALIAS;
1266 switch (q_u->switch_level) {
1269 r_u->ctr.switch_value1 = 1;
1270 init_samr_alias_info1(&r_u->ctr.alias.info1, map.nt_name, 1, map.comment);
1274 r_u->ctr.switch_value1 = 3;
1275 init_samr_alias_info3(&r_u->ctr.alias.info3, map.comment);
1278 return NT_STATUS_INVALID_INFO_CLASS;
1281 DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__));
1287 /*******************************************************************
1288 samr_reply_lookup_ids
1289 ********************************************************************/
1291 uint32 _samr_lookup_ids(pipes_struct *p, SAMR_Q_LOOKUP_IDS *q_u, SAMR_R_LOOKUP_IDS *r_u)
1293 uint32 rid[MAX_SAM_ENTRIES];
1294 int num_rids = q_u->num_sids1;
1296 r_u->status = NT_STATUS_OK;
1298 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__));
1300 if (num_rids > MAX_SAM_ENTRIES) {
1301 num_rids = MAX_SAM_ENTRIES;
1302 DEBUG(5,("_samr_lookup_ids: truncating entries to %d\n", num_rids));
1307 SMB_ASSERT_ARRAY(q_u->uni_user_name, num_rids);
1309 for (i = 0; i < num_rids && status == 0; i++)
1311 struct sam_passwd *sam_pass;
1315 fstrcpy(user_name, unistrn2(q_u->uni_user_name[i].buffer,
1316 q_u->uni_user_name[i].uni_str_len));
1318 /* find the user account */
1320 sam_pass = get_smb21pwd_entry(user_name, 0);
1323 if (sam_pass == NULL)
1325 status = 0xC0000000 | NT_STATUS_NO_SUCH_USER;
1330 rid[i] = sam_pass->user_rid;
1336 rid[0] = BUILTIN_ALIAS_RID_USERS;
1338 init_samr_r_lookup_ids(&r_u, num_rids, rid, NT_STATUS_OK);
1340 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__));
1346 /*******************************************************************
1348 ********************************************************************/
1350 NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOKUP_NAMES *r_u)
1352 uint32 rid[MAX_SAM_ENTRIES];
1354 enum SID_NAME_USE type[MAX_SAM_ENTRIES];
1355 enum SID_NAME_USE local_type;
1357 int num_rids = q_u->num_names2;
1362 r_u->status = NT_STATUS_OK;
1364 DEBUG(5,("_samr_lookup_names: %d\n", __LINE__));
1369 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted)) {
1370 init_samr_r_lookup_names(p->mem_ctx, r_u, 0, NULL, NULL, NT_STATUS_OBJECT_TYPE_MISMATCH);
1374 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, 0, "_samr_lookup_names"))) { /* Don't know the acc_bits yet */
1378 if (num_rids > MAX_SAM_ENTRIES) {
1379 num_rids = MAX_SAM_ENTRIES;
1380 DEBUG(5,("_samr_lookup_names: truncating entries to %d\n", num_rids));
1383 DEBUG(5,("_samr_lookup_names: looking name on SID %s\n", sid_to_string(sid_str, &pol_sid)));
1385 become_root(); /* local_lookup_name can require root privs */
1387 for (i = 0; i < num_rids; i++) {
1392 r_u->status = NT_STATUS_NONE_MAPPED;
1394 rid [i] = 0xffffffff;
1395 type[i] = SID_NAME_UNKNOWN;
1397 ret = rpcstr_pull(name, q_u->uni_name[i].buffer, sizeof(name), q_u->uni_name[i].uni_str_len*2, 0);
1400 * we are only looking for a name
1401 * the SID we get back can be outside
1402 * the scope of the pol_sid
1404 * in clear: it prevents to reply to domain\group: yes
1405 * when only builtin\group exists.
1407 * a cleaner code is to add the sid of the domain we're looking in
1408 * to the local_lookup_name function.
1411 if ((ret > 0) && local_lookup_name(name, &sid, &local_type)) {
1412 sid_split_rid(&sid, &local_rid);
1414 if (sid_equal(&sid, &pol_sid)) {
1417 r_u->status = NT_STATUS_OK;
1424 init_samr_r_lookup_names(p->mem_ctx, r_u, num_rids, rid, (uint32 *)type, r_u->status);
1426 DEBUG(5,("_samr_lookup_names: %d\n", __LINE__));
1431 /*******************************************************************
1432 _samr_chgpasswd_user
1433 ********************************************************************/
1435 NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_CHGPASSWD_USER *r_u)
1440 DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__));
1442 r_u->status = NT_STATUS_OK;
1444 rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0);
1445 rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len*2,0);
1447 DEBUG(5,("samr_chgpasswd_user: user: %s wks: %s\n", user_name, wks));
1450 * Pass the user through the NT -> unix user mapping
1454 (void)map_username(user_name);
1457 * UNIX username case mangling not required, pass_oem_change
1458 * is case insensitive.
1461 r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash,
1462 q_u->nt_newpass.pass, q_u->nt_oldhash.hash);
1464 init_samr_r_chgpasswd_user(r_u, r_u->status);
1466 DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__));
1471 /*******************************************************************
1472 makes a SAMR_R_LOOKUP_RIDS structure.
1473 ********************************************************************/
1475 static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, fstring names[],
1476 UNIHDR **pp_hdr_name, UNISTR2 **pp_uni_name)
1479 UNIHDR *hdr_name=NULL;
1480 UNISTR2 *uni_name=NULL;
1482 *pp_uni_name = NULL;
1483 *pp_hdr_name = NULL;
1485 if (num_names != 0) {
1486 hdr_name = (UNIHDR *)talloc_zero(ctx, sizeof(UNIHDR)*num_names);
1487 if (hdr_name == NULL)
1490 uni_name = (UNISTR2 *)talloc_zero(ctx,sizeof(UNISTR2)*num_names);
1491 if (uni_name == NULL)
1495 for (i = 0; i < num_names; i++) {
1496 DEBUG(10, ("names[%d]:%s\n", i, names[i] ? names[i] : ""));
1497 init_unistr2(&uni_name[i], names[i], UNI_FLAGS_NONE);
1498 init_uni_hdr(&hdr_name[i], &uni_name[i]);
1501 *pp_uni_name = uni_name;
1502 *pp_hdr_name = hdr_name;
1507 /*******************************************************************
1509 ********************************************************************/
1511 NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP_RIDS *r_u)
1513 fstring group_names[MAX_SAM_ENTRIES];
1514 uint32 *group_attrs = NULL;
1515 UNIHDR *hdr_name = NULL;
1516 UNISTR2 *uni_name = NULL;
1518 int num_rids = q_u->num_rids1;
1522 r_u->status = NT_STATUS_OK;
1524 DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__));
1526 /* find the policy handle. open a policy on it. */
1527 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted))
1528 return NT_STATUS_INVALID_HANDLE;
1530 if (num_rids > MAX_SAM_ENTRIES) {
1531 num_rids = MAX_SAM_ENTRIES;
1532 DEBUG(5,("_samr_lookup_rids: truncating entries to %d\n", num_rids));
1536 if ((group_attrs = (uint32 *)talloc_zero(p->mem_ctx, num_rids * sizeof(uint32))) == NULL)
1537 return NT_STATUS_NO_MEMORY;
1540 r_u->status = NT_STATUS_NONE_MAPPED;
1542 become_root(); /* lookup_sid can require root privs */
1544 for (i = 0; i < num_rids; i++) {
1548 enum SID_NAME_USE type;
1550 group_attrs[i] = SID_NAME_UNKNOWN;
1551 *group_names[i] = '\0';
1553 if (sid_equal(&pol_sid, get_global_sam_sid())) {
1554 sid_copy(&sid, &pol_sid);
1555 sid_append_rid(&sid, q_u->rid[i]);
1557 if (lookup_sid(&sid, domname, tmpname, &type)) {
1558 r_u->status = NT_STATUS_OK;
1559 group_attrs[i] = (uint32)type;
1560 fstrcpy(group_names[i],tmpname);
1561 DEBUG(5,("_samr_lookup_rids: %s:%d\n", group_names[i], group_attrs[i]));
1568 if(!make_samr_lookup_rids(p->mem_ctx, num_rids, group_names, &hdr_name, &uni_name))
1569 return NT_STATUS_NO_MEMORY;
1571 init_samr_r_lookup_rids(r_u, num_rids, hdr_name, uni_name, group_attrs);
1573 DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__));
1578 /*******************************************************************
1579 _samr_open_user. Safe - gives out no passwd info.
1580 ********************************************************************/
1582 NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USER *r_u)
1584 SAM_ACCOUNT *sampass=NULL;
1586 POLICY_HND domain_pol = q_u->domain_pol;
1587 POLICY_HND *user_pol = &r_u->user_pol;
1588 struct samr_info *info = NULL;
1589 SEC_DESC *psd = NULL;
1591 uint32 des_access = q_u->access_mask;
1596 r_u->status = NT_STATUS_OK;
1598 /* find the domain policy handle and get domain SID / access bits in the domain policy. */
1599 if (!get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted))
1600 return NT_STATUS_INVALID_HANDLE;
1602 if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_user"))) {
1606 nt_status = pdb_init_sam_talloc(p->mem_ctx, &sampass);
1607 if (!NT_STATUS_IS_OK(nt_status)) {
1611 /* append the user's RID to it */
1612 if (!sid_append_rid(&sid, q_u->user_rid))
1613 return NT_STATUS_NO_SUCH_USER;
1615 /* check if access can be granted as requested by client. */
1616 samr_make_usr_obj_sd(p->mem_ctx, &psd, &sd_size, &sid);
1617 se_map_generic(&des_access, &usr_generic_mapping);
1618 if (!NT_STATUS_IS_OK(nt_status =
1619 access_check_samr_object(psd, p->pipe_user.nt_user_token,
1620 des_access, &acc_granted, "_samr_open_user"))) {
1625 ret=pdb_getsampwsid(sampass, &sid);
1628 /* check that the SID exists in our domain. */
1630 return NT_STATUS_NO_SUCH_USER;
1633 pdb_free_sam(&sampass);
1635 /* associate the user's SID and access bits with the new handle. */
1636 if ((info = get_samr_info_by_sid(&sid)) == NULL)
1637 return NT_STATUS_NO_MEMORY;
1638 info->acc_granted = acc_granted;
1640 /* get a (unique) handle. open a policy on it. */
1641 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info))
1642 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1647 /*************************************************************************
1648 get_user_info_10. Safe. Only gives out acb bits.
1649 *************************************************************************/
1651 static NTSTATUS get_user_info_10(TALLOC_CTX *mem_ctx, SAM_USER_INFO_10 *id10, DOM_SID *user_sid)
1653 SAM_ACCOUNT *smbpass=NULL;
1657 nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass);
1659 if (!NT_STATUS_IS_OK(nt_status)) {
1664 ret = pdb_getsampwsid(smbpass, user_sid);
1668 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1669 return NT_STATUS_NO_SUCH_USER;
1672 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
1675 init_sam_user_info10(id10, pdb_get_acct_ctrl(smbpass) );
1677 pdb_free_sam(&smbpass);
1679 return NT_STATUS_OK;
1682 /*************************************************************************
1683 get_user_info_12. OK - this is the killer as it gives out password info.
1684 Ensure that this is only allowed on an encrypted connection with a root
1686 *************************************************************************/
1688 static NTSTATUS get_user_info_12(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_INFO_12 * id12, DOM_SID *user_sid)
1690 SAM_ACCOUNT *smbpass=NULL;
1694 if (!p->ntlmssp_auth_validated)
1695 return NT_STATUS_ACCESS_DENIED;
1697 if (!(p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) || !(p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL))
1698 return NT_STATUS_ACCESS_DENIED;
1701 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
1704 nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass);
1706 if (!NT_STATUS_IS_OK(nt_status)) {
1710 ret = pdb_getsampwsid(smbpass, user_sid);
1713 DEBUG(4, ("User %s not found\n", sid_string_static(user_sid)));
1714 pdb_free_sam(&smbpass);
1715 return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
1718 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
1720 if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
1721 pdb_free_sam(&smbpass);
1722 return NT_STATUS_ACCOUNT_DISABLED;
1726 init_sam_user_info12(id12, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass));
1728 pdb_free_sam(&smbpass);
1730 return NT_STATUS_OK;
1733 /*************************************************************************
1735 *************************************************************************/
1737 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DOM_SID *user_sid)
1739 SAM_ACCOUNT *sampass=NULL;
1742 pdb_init_sam_talloc(mem_ctx, &sampass);
1745 ret = pdb_getsampwsid(sampass, user_sid);
1749 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1750 return NT_STATUS_NO_SUCH_USER;
1753 samr_clear_sam_passwd(sampass);
1755 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
1758 init_sam_user_info20A(id20, sampass);
1760 pdb_free_sam(&sampass);
1762 return NT_STATUS_OK;
1765 /*************************************************************************
1767 *************************************************************************/
1769 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21,
1770 DOM_SID *user_sid, DOM_SID *domain_sid)
1772 SAM_ACCOUNT *sampass=NULL;
1776 nt_status = pdb_init_sam_talloc(mem_ctx, &sampass);
1777 if (!NT_STATUS_IS_OK(nt_status)) {
1782 ret = pdb_getsampwsid(sampass, user_sid);
1786 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1787 return NT_STATUS_NO_SUCH_USER;
1790 samr_clear_sam_passwd(sampass);
1792 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
1795 nt_status = init_sam_user_info21A(id21, sampass, domain_sid);
1797 pdb_free_sam(&sampass);
1799 return NT_STATUS_OK;
1802 /*******************************************************************
1803 _samr_query_userinfo
1804 ********************************************************************/
1806 NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_QUERY_USERINFO *r_u)
1808 SAM_USERINFO_CTR *ctr;
1809 struct samr_info *info = NULL;
1813 r_u->status=NT_STATUS_OK;
1815 /* search for the handle */
1816 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
1817 return NT_STATUS_INVALID_HANDLE;
1819 domain_sid = info->sid;
1821 sid_split_rid(&domain_sid, &rid);
1823 if (!sid_check_is_in_our_domain(&info->sid))
1824 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1826 DEBUG(5,("_samr_query_userinfo: sid:%s\n", sid_string_static(&info->sid)));
1828 ctr = (SAM_USERINFO_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_USERINFO_CTR));
1830 return NT_STATUS_NO_MEMORY;
1834 /* ok! user info levels (lots: see MSDEV help), off we go... */
1835 ctr->switch_value = q_u->switch_value;
1837 switch (q_u->switch_value) {
1839 ctr->info.id10 = (SAM_USER_INFO_10 *)talloc_zero(p->mem_ctx, sizeof(SAM_USER_INFO_10));
1840 if (ctr->info.id10 == NULL)
1841 return NT_STATUS_NO_MEMORY;
1843 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_10(p->mem_ctx, ctr->info.id10, &info->sid)))
1848 /* whoops - got this wrong. i think. or don't understand what's happening. */
1852 info = (void *)&id11;
1854 expire.low = 0xffffffff;
1855 expire.high = 0x7fffffff;
1857 ctr->info.id = (SAM_USER_INFO_11 *)talloc_zero(p->mem_ctx,
1862 ZERO_STRUCTP(ctr->info.id11);
1863 init_sam_user_info11(ctr->info.id11, &expire,
1864 "BROOKFIELDS$", /* name */
1865 0x03ef, /* user rid */
1866 0x201, /* group rid */
1867 0x0080); /* acb info */
1874 ctr->info.id12 = (SAM_USER_INFO_12 *)talloc_zero(p->mem_ctx, sizeof(SAM_USER_INFO_12));
1875 if (ctr->info.id12 == NULL)
1876 return NT_STATUS_NO_MEMORY;
1878 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_12(p, p->mem_ctx, ctr->info.id12, &info->sid)))
1883 ctr->info.id20 = (SAM_USER_INFO_20 *)talloc_zero(p->mem_ctx,sizeof(SAM_USER_INFO_20));
1884 if (ctr->info.id20 == NULL)
1885 return NT_STATUS_NO_MEMORY;
1886 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_20(p->mem_ctx, ctr->info.id20, &info->sid)))
1891 ctr->info.id21 = (SAM_USER_INFO_21 *)talloc_zero(p->mem_ctx,sizeof(SAM_USER_INFO_21));
1892 if (ctr->info.id21 == NULL)
1893 return NT_STATUS_NO_MEMORY;
1894 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_21(p->mem_ctx, ctr->info.id21,
1895 &info->sid, &domain_sid)))
1900 return NT_STATUS_INVALID_INFO_CLASS;
1903 init_samr_r_query_userinfo(r_u, ctr, r_u->status);
1905 DEBUG(5,("_samr_query_userinfo: %d\n", __LINE__));
1910 /*******************************************************************
1911 samr_reply_query_usergroups
1912 ********************************************************************/
1914 NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u)
1916 SAM_ACCOUNT *sam_pass=NULL;
1918 DOM_GID *gids = NULL;
1924 * from the SID in the request:
1925 * we should send back the list of DOMAIN GROUPS
1926 * the user is a member of
1928 * and only the DOMAIN GROUPS
1929 * no ALIASES !!! neither aliases of the domain
1930 * nor aliases of the builtin SID
1935 r_u->status = NT_STATUS_OK;
1937 DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__));
1939 /* find the policy handle. open a policy on it. */
1940 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted))
1941 return NT_STATUS_INVALID_HANDLE;
1943 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_USER_GET_GROUPS, "_samr_query_usergroups"))) {
1947 if (!sid_check_is_in_our_domain(&sid))
1948 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1950 pdb_init_sam(&sam_pass);
1953 ret = pdb_getsampwsid(sam_pass, &sid);
1957 pdb_free_sam(&sam_pass);
1958 return NT_STATUS_NO_SUCH_USER;
1961 if(!get_domain_user_groups(p->mem_ctx, &num_groups, &gids, sam_pass)) {
1962 pdb_free_sam(&sam_pass);
1963 return NT_STATUS_NO_SUCH_GROUP;
1966 /* construct the response. lkclXXXX: gids are not copied! */
1967 init_samr_r_query_usergroups(r_u, num_groups, gids, r_u->status);
1969 DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__));
1971 pdb_free_sam(&sam_pass);
1976 /*******************************************************************
1977 _samr_query_dom_info
1978 ********************************************************************/
1980 NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR_R_QUERY_DOMAIN_INFO *r_u)
1982 struct samr_info *info = NULL;
1984 uint32 min_pass_len,pass_hist,flag;
1985 time_t u_expire, u_min_age;
1986 NTTIME nt_expire, nt_min_age;
1988 time_t u_lock_duration, u_reset_time;
1989 NTTIME nt_lock_duration, nt_reset_time;
1995 uint32 account_policy_temp;
1997 uint32 num_users=0, num_groups=0, num_aliases=0;
1999 if ((ctr = (SAM_UNK_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL)
2000 return NT_STATUS_NO_MEMORY;
2004 r_u->status = NT_STATUS_OK;
2006 DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__));
2008 /* find the policy handle. open a policy on it. */
2009 if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info))
2010 return NT_STATUS_INVALID_HANDLE;
2012 switch (q_u->switch_value) {
2015 account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp);
2016 min_pass_len = account_policy_temp;
2018 account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp);
2019 pass_hist = account_policy_temp;
2021 account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
2022 flag = account_policy_temp;
2024 account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp);
2025 u_expire = account_policy_temp;
2027 account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp);
2028 u_min_age = account_policy_temp;
2030 unix_to_nt_time_abs(&nt_expire, u_expire);
2031 unix_to_nt_time_abs(&nt_min_age, u_min_age);
2033 init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist,
2034 flag, nt_expire, nt_min_age);
2038 r_u->status=load_sampwd_entries(info, ACB_NORMAL, False);
2040 if (!NT_STATUS_IS_OK(r_u->status)) {
2041 DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n"));
2044 num_users=info->disp_info.num_user_account;
2047 r_u->status=load_group_domain_entries(info, get_global_sam_sid());
2048 if (!NT_STATUS_IS_OK(r_u->status)) {
2049 DEBUG(5, ("_samr_query_dispinfo: load_group_domain_entries failed\n"));
2052 num_groups=info->disp_info.num_group_account;
2055 /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */
2056 init_unk_info2(&ctr->info.inf2, lp_workgroup(), global_myname(), (uint32) time(NULL),
2057 num_users, num_groups, num_aliases);
2060 account_policy_get(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout);
2061 unix_to_nt_time_abs(&nt_logout, u_logout);
2063 init_unk_info3(&ctr->info.inf3, nt_logout);
2066 init_unk_info5(&ctr->info.inf5, global_myname());
2069 init_unk_info6(&ctr->info.inf6);
2072 init_unk_info7(&ctr->info.inf7);
2075 account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
2076 u_lock_duration = account_policy_temp;
2078 account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp);
2079 u_reset_time = account_policy_temp;
2081 account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
2082 lockout = account_policy_temp;
2084 unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
2085 unix_to_nt_time_abs(&nt_reset_time, u_reset_time);
2087 init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout);
2090 return NT_STATUS_INVALID_INFO_CLASS;
2093 init_samr_r_query_dom_info(r_u, q_u->switch_value, ctr, NT_STATUS_OK);
2095 DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__));
2100 /*******************************************************************
2102 Create an account, can be either a normal user or a machine.
2103 This funcion will need to be updated for bdc/domain trusts.
2104 ********************************************************************/
2106 NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREATE_USER *r_u)
2108 SAM_ACCOUNT *sam_pass=NULL;
2112 POLICY_HND dom_pol = q_u->domain_pol;
2113 UNISTR2 user_account = q_u->uni_name;
2114 uint16 acb_info = q_u->acb_info;
2115 POLICY_HND *user_pol = &r_u->user_pol;
2116 struct samr_info *info = NULL;
2124 /* check this, when giving away 'add computer to domain' privs */
2125 uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
2127 /* Get the domain SID stored in the domain policy */
2128 if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted))
2129 return NT_STATUS_INVALID_HANDLE;
2131 if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_USER, "_samr_create_user"))) {
2135 /* find the account: tell the caller if it exists.
2136 lkclXXXX i have *no* idea if this is a problem or not
2137 or even if you are supposed to construct a different
2138 reply if the account already exists...
2141 rpcstr_pull(account, user_account.buffer, sizeof(account), user_account.uni_str_len*2, 0);
2142 strlower_m(account);
2144 pdb_init_sam(&sam_pass);
2147 ret = pdb_getsampwnam(sam_pass, account);
2150 /* this account exists: say so */
2151 pdb_free_sam(&sam_pass);
2152 return NT_STATUS_USER_EXISTS;
2155 pdb_free_sam(&sam_pass);
2158 * NB. VERY IMPORTANT ! This call must be done as the current pipe user,
2159 * *NOT* surrounded by a become_root()/unbecome_root() call. This ensures
2160 * that only people with write access to the smbpasswd file will be able
2161 * to create a user. JRA.
2165 * add the user in the /etc/passwd file or the unix authority system.
2166 * We don't check if the smb_create_user() function succed or not for 2 reasons:
2167 * a) local_password_change() checks for us if the /etc/passwd account really exists
2168 * b) smb_create_user() would return an error if the account already exists
2169 * and as it could return an error also if it can't create the account, it would be tricky.
2171 * So we go the easy way, only check after if the account exists.
2172 * JFM (2/3/2001), to clear any possible bad understanding (-:
2174 * We now have seperate script paramaters for adding users/machines so we
2175 * now have some sainity-checking to match.
2178 DEBUG(10,("checking account %s at pos %lu for $ termination\n",account, (unsigned long)strlen(account)-1));
2181 * we used to have code here that made sure the acb_info flags
2182 * matched with the users named (e.g. an account flags as a machine
2183 * trust account ended in '$'). It has been ifdef'd out for a long
2184 * time, so I replaced it with this comment. --jerry
2187 /* the passdb lookup has failed; check to see if we need to run the
2188 add user/machine script */
2190 pw = Get_Pwnam(account);
2192 /*********************************************************************
2193 * HEADS UP! If we have to create a new user account, we have to get
2194 * a new RID from somewhere. This used to be done by the passdb
2195 * backend. It has been moved into idmap now. Since idmap is now
2196 * wrapped up behind winbind, this means you have to run winbindd if you
2197 * want new accounts to get a new RID when "enable rid algorithm = no".
2198 * Tough. We now have a uniform way of allocating RIDs regardless
2199 * of what ever passdb backend people may use.
2200 * --jerry (2003-07-10)
2201 *********************************************************************/
2205 * we can't check both the ending $ and the acb_info.
2207 * UserManager creates trust accounts (ending in $,
2208 * normal that hidden accounts) with the acb_info equals to ACB_NORMAL.
2211 if (account[strlen(account)-1] == '$')
2212 pstrcpy(add_script, lp_addmachine_script());
2214 pstrcpy(add_script, lp_adduser_script());
2218 all_string_sub(add_script, "%u", account, sizeof(account));
2219 add_ret = smbrun(add_script,NULL);
2220 DEBUG(3,("_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret));
2222 else /* no add user script -- ask winbindd to do it */
2224 if ( !winbind_create_user( account, &new_rid ) ) {
2225 DEBUG(3,("_samr_create_user: winbind_create_user(%s) failed\n",
2232 /* implicit call to getpwnam() next. we have a valid SID coming out of this call */
2234 if ( !NT_STATUS_IS_OK(nt_status = pdb_init_sam_new(&sam_pass, account, new_rid)) )
2237 pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
2239 if (!pdb_add_sam_account(sam_pass)) {
2240 pdb_free_sam(&sam_pass);
2241 DEBUG(0, ("could not add user/computer %s to passdb. Check permissions?\n",
2243 return NT_STATUS_ACCESS_DENIED;
2246 /* Get the user's SID */
2247 sid_copy(&sid, pdb_get_user_sid(sam_pass));
2249 samr_make_usr_obj_sd(p->mem_ctx, &psd, &sd_size, &sid);
2250 se_map_generic(&des_access, &usr_generic_mapping);
2251 if (!NT_STATUS_IS_OK(nt_status =
2252 access_check_samr_object(psd, p->pipe_user.nt_user_token,
2253 des_access, &acc_granted, "_samr_create_user"))) {
2257 /* associate the user's SID with the new handle. */
2258 if ((info = get_samr_info_by_sid(&sid)) == NULL) {
2259 pdb_free_sam(&sam_pass);
2260 return NT_STATUS_NO_MEMORY;
2265 info->acc_granted = acc_granted;
2267 /* get a (unique) handle. open a policy on it. */
2268 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) {
2269 pdb_free_sam(&sam_pass);
2270 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2273 r_u->user_rid=pdb_get_user_rid(sam_pass);
2275 r_u->access_granted = acc_granted;
2277 pdb_free_sam(&sam_pass);
2279 return NT_STATUS_OK;
2282 /*******************************************************************
2283 samr_reply_connect_anon
2284 ********************************************************************/
2286 NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CONNECT_ANON *r_u)
2288 struct samr_info *info = NULL;
2289 uint32 des_access = q_u->access_mask;
2293 if (!pipe_access_check(p)) {
2294 DEBUG(3, ("access denied to samr_connect_anon\n"));
2295 r_u->status = NT_STATUS_ACCESS_DENIED;
2299 /* set up the SAMR connect_anon response */
2301 r_u->status = NT_STATUS_OK;
2303 /* associate the user's SID with the new handle. */
2304 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2305 return NT_STATUS_NO_MEMORY;
2307 /* don't give away the farm but this is probably ok. The SA_RIGHT_SAM_ENUM_DOMAINS
2308 was observed from a win98 client trying to enumerate users (when configured
2309 user level access control on shares) --jerry */
2311 se_map_generic( &des_access, &sam_generic_mapping );
2312 info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN);
2314 info->status = q_u->unknown_0;
2316 /* get a (unique) handle. open a policy on it. */
2317 if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info))
2318 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2323 /*******************************************************************
2325 ********************************************************************/
2327 NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u)
2329 struct samr_info *info = NULL;
2330 SEC_DESC *psd = NULL;
2332 uint32 des_access = q_u->access_mask;
2337 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2341 if (!pipe_access_check(p)) {
2342 DEBUG(3, ("access denied to samr_connect\n"));
2343 r_u->status = NT_STATUS_ACCESS_DENIED;
2347 samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size);
2348 se_map_generic(&des_access, &sam_generic_mapping);
2349 if (!NT_STATUS_IS_OK(nt_status =
2350 access_check_samr_object(psd, p->pipe_user.nt_user_token,
2351 des_access, &acc_granted, "_samr_connect"))) {
2355 r_u->status = NT_STATUS_OK;
2357 /* associate the user's SID and access granted with the new handle. */
2358 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2359 return NT_STATUS_NO_MEMORY;
2361 info->acc_granted = acc_granted;
2362 info->status = q_u->access_mask;
2364 /* get a (unique) handle. open a policy on it. */
2365 if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info))
2366 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2368 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2373 /*******************************************************************
2375 ********************************************************************/
2377 NTSTATUS _samr_connect4(pipes_struct *p, SAMR_Q_CONNECT4 *q_u, SAMR_R_CONNECT4 *r_u)
2379 struct samr_info *info = NULL;
2380 SEC_DESC *psd = NULL;
2382 uint32 des_access = q_u->access_mask;
2387 DEBUG(5,("_samr_connect4: %d\n", __LINE__));
2391 if (!pipe_access_check(p)) {
2392 DEBUG(3, ("access denied to samr_connect4\n"));
2393 r_u->status = NT_STATUS_ACCESS_DENIED;
2397 samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size);
2398 se_map_generic(&des_access, &sam_generic_mapping);
2399 if (!NT_STATUS_IS_OK(nt_status =
2400 access_check_samr_object(psd, p->pipe_user.nt_user_token,
2401 des_access, &acc_granted, "_samr_connect"))) {
2405 r_u->status = NT_STATUS_OK;
2407 /* associate the user's SID and access granted with the new handle. */
2408 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2409 return NT_STATUS_NO_MEMORY;
2411 info->acc_granted = acc_granted;
2412 info->status = q_u->access_mask;
2414 /* get a (unique) handle. open a policy on it. */
2415 if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info))
2416 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2418 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2423 /**********************************************************************
2424 api_samr_lookup_domain
2425 **********************************************************************/
2427 NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_LOOKUP_DOMAIN *r_u)
2429 struct samr_info *info;
2430 fstring domain_name;
2433 r_u->status = NT_STATUS_OK;
2435 if (!find_policy_by_hnd(p, &q_u->connect_pol, (void**)&info))
2436 return NT_STATUS_INVALID_HANDLE;
2438 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted,
2439 SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_lookup_domain")))
2444 rpcstr_pull(domain_name, q_u->uni_domain.buffer, sizeof(domain_name), q_u->uni_domain.uni_str_len*2, 0);
2448 if (!secrets_fetch_domain_sid(domain_name, &sid)) {
2449 r_u->status = NT_STATUS_NO_SUCH_DOMAIN;
2452 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name, sid_string_static(&sid)));
2454 init_samr_r_lookup_domain(r_u, &sid, r_u->status);
2459 /******************************************************************
2460 makes a SAMR_R_ENUM_DOMAINS structure.
2461 ********************************************************************/
2463 static BOOL make_enum_domains(TALLOC_CTX *ctx, SAM_ENTRY **pp_sam,
2464 UNISTR2 **pp_uni_name, uint32 num_sam_entries, fstring doms[])
2470 DEBUG(5, ("make_enum_domains\n"));
2473 *pp_uni_name = NULL;
2475 if (num_sam_entries == 0)
2478 sam = (SAM_ENTRY *)talloc_zero(ctx, sizeof(SAM_ENTRY)*num_sam_entries);
2479 uni_name = (UNISTR2 *)talloc_zero(ctx, sizeof(UNISTR2)*num_sam_entries);
2481 if (sam == NULL || uni_name == NULL)
2484 for (i = 0; i < num_sam_entries; i++) {
2485 init_unistr2(&uni_name[i], doms[i], UNI_FLAGS_NONE);
2486 init_sam_entry(&sam[i], &uni_name[i], 0);
2490 *pp_uni_name = uni_name;
2495 /**********************************************************************
2496 api_samr_enum_domains
2497 **********************************************************************/
2499 NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_ENUM_DOMAINS *r_u)
2501 struct samr_info *info;
2502 uint32 num_entries = 2;
2506 r_u->status = NT_STATUS_OK;
2508 if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info))
2509 return NT_STATUS_INVALID_HANDLE;
2511 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_enum_domains"))) {
2515 name = get_global_sam_name();
2517 fstrcpy(dom[0],name);
2519 fstrcpy(dom[1],"Builtin");
2521 if (!make_enum_domains(p->mem_ctx, &r_u->sam, &r_u->uni_dom_name, num_entries, dom))
2522 return NT_STATUS_NO_MEMORY;
2524 init_samr_r_enum_domains(r_u, q_u->start_idx + num_entries, num_entries);
2529 /*******************************************************************
2531 ********************************************************************/
2533 NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_ALIAS *r_u)
2536 POLICY_HND domain_pol = q_u->dom_pol;
2537 uint32 alias_rid = q_u->rid_alias;
2538 POLICY_HND *alias_pol = &r_u->pol;
2539 struct samr_info *info = NULL;
2540 SEC_DESC *psd = NULL;
2542 uint32 des_access = q_u->access_mask;
2546 r_u->status = NT_STATUS_OK;
2548 /* find the domain policy and get the SID / access bits stored in the domain policy */
2549 if (!get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted))
2550 return NT_STATUS_INVALID_HANDLE;
2552 if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_alias"))) {
2556 /* append the alias' RID to it */
2557 if (!sid_append_rid(&sid, alias_rid))
2558 return NT_STATUS_NO_SUCH_USER;
2560 /*check if access can be granted as requested by client. */
2561 samr_make_ali_obj_sd(p->mem_ctx, &psd, &sd_size);
2562 se_map_generic(&des_access,&ali_generic_mapping);
2563 if (!NT_STATUS_IS_OK(status =
2564 access_check_samr_object(psd, p->pipe_user.nt_user_token,
2565 des_access, &acc_granted, "_samr_open_alias"))) {
2570 * we should check if the rid really exist !!!
2574 /* associate the user's SID with the new handle. */
2575 if ((info = get_samr_info_by_sid(&sid)) == NULL)
2576 return NT_STATUS_NO_MEMORY;
2578 info->acc_granted = acc_granted;
2580 /* get a (unique) handle. open a policy on it. */
2581 if (!create_policy_hnd(p, alias_pol, free_samr_info, (void *)info))
2582 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2587 /*******************************************************************
2589 ********************************************************************/
2591 static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, DOM_SID *sid)
2593 SAM_ACCOUNT *pwd =NULL;
2598 ret = pdb_getsampwsid(pwd, sid);
2606 DEBUG(5, ("set_user_info_10: NULL id10\n"));
2611 /* FIX ME: check if the value is really changed --metze */
2612 if (!pdb_set_acct_ctrl(pwd, id10->acb_info, PDB_CHANGED)) {
2617 if(!pdb_update_sam_account(pwd)) {
2627 /*******************************************************************
2629 ********************************************************************/
2631 static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, DOM_SID *sid)
2633 SAM_ACCOUNT *pwd = NULL;
2637 if(!pdb_getsampwsid(pwd, sid)) {
2643 DEBUG(2, ("set_user_info_12: id12 is NULL\n"));
2648 if (!pdb_set_lanman_passwd (pwd, id12->lm_pwd, PDB_CHANGED)) {
2652 if (!pdb_set_nt_passwd (pwd, id12->nt_pwd, PDB_CHANGED)) {
2656 if (!pdb_set_pass_changed_now (pwd)) {
2661 if(!pdb_update_sam_account(pwd)) {
2670 /*******************************************************************
2671 The GROUPSID field in the SAM_ACCOUNT changed. Try to tell unix.
2672 ********************************************************************/
2673 static BOOL set_unix_primary_group(SAM_ACCOUNT *sampass)
2678 if (!NT_STATUS_IS_OK(sid_to_gid(pdb_get_group_sid(sampass),
2680 DEBUG(2,("Could not get gid for primary group of "
2681 "user %s\n", pdb_get_username(sampass)));
2685 grp = getgrgid(gid);
2688 DEBUG(2,("Could not find primary group %lu for "
2689 "user %s\n", (unsigned long)gid,
2690 pdb_get_username(sampass)));
2694 if (smb_set_primary_group(grp->gr_name,
2695 pdb_get_username(sampass)) != 0) {
2696 DEBUG(2,("Could not set primary group for user %s to "
2698 pdb_get_username(sampass), grp->gr_name));
2706 /*******************************************************************
2708 ********************************************************************/
2710 static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, DOM_SID *sid)
2712 SAM_ACCOUNT *pwd = NULL;
2715 DEBUG(5, ("set_user_info_20: NULL id20\n"));
2721 if (!pdb_getsampwsid(pwd, sid)) {
2726 copy_id20_to_sam_passwd(pwd, id20);
2728 /* write the change out */
2729 if(!pdb_update_sam_account(pwd)) {
2738 /*******************************************************************
2740 ********************************************************************/
2742 static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, DOM_SID *sid)
2744 SAM_ACCOUNT *pwd = NULL;
2747 DEBUG(5, ("set_user_info_21: NULL id21\n"));
2753 if (!pdb_getsampwsid(pwd, sid)) {
2758 copy_id21_to_sam_passwd(pwd, id21);
2761 * The funny part about the previous two calls is
2762 * that pwd still has the password hashes from the
2763 * passdb entry. These have not been updated from
2764 * id21. I don't know if they need to be set. --jerry
2767 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID))
2768 set_unix_primary_group(pwd);
2770 /* write the change out */
2771 if(!pdb_update_sam_account(pwd)) {
2781 /*******************************************************************
2783 ********************************************************************/
2785 static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid)
2787 SAM_ACCOUNT *pwd = NULL;
2788 pstring plaintext_buf;
2793 DEBUG(5, ("set_user_info_23: NULL id23\n"));
2799 if (!pdb_getsampwsid(pwd, sid)) {
2804 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
2805 pdb_get_username(pwd)));
2807 acct_ctrl = pdb_get_acct_ctrl(pwd);
2809 if (!decode_pw_buffer((char*)id23->pass, plaintext_buf, 256, &len)) {
2814 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
2819 copy_id23_to_sam_passwd(pwd, id23);
2821 /* if it's a trust account, don't update /etc/passwd */
2822 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
2823 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
2824 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
2825 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
2827 /* update the UNIX password */
2828 if (lp_unix_password_sync() )
2829 if(!chgpasswd(pdb_get_username(pwd), "", plaintext_buf, True)) {
2835 ZERO_STRUCT(plaintext_buf);
2837 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID))
2838 set_unix_primary_group(pwd);
2840 if(!pdb_update_sam_account(pwd)) {
2850 /*******************************************************************
2852 ********************************************************************/
2854 static BOOL set_user_info_pw(char *pass, DOM_SID *sid)
2856 SAM_ACCOUNT *pwd = NULL;
2858 pstring plaintext_buf;
2863 if (!pdb_getsampwsid(pwd, sid)) {
2868 DEBUG(5, ("Attempting administrator password change for user %s\n",
2869 pdb_get_username(pwd)));
2871 acct_ctrl = pdb_get_acct_ctrl(pwd);
2873 ZERO_STRUCT(plaintext_buf);
2875 if (!decode_pw_buffer(pass, plaintext_buf, 256, &len)) {
2880 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
2885 /* if it's a trust account, don't update /etc/passwd */
2886 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
2887 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
2888 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
2889 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
2891 /* update the UNIX password */
2892 if (lp_unix_password_sync()) {
2893 if(!chgpasswd(pdb_get_username(pwd), "", plaintext_buf, True)) {
2900 ZERO_STRUCT(plaintext_buf);
2902 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
2904 /* update the SAMBA password */
2905 if(!pdb_update_sam_account(pwd)) {
2915 /*******************************************************************
2916 samr_reply_set_userinfo
2917 ********************************************************************/
2919 NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_USERINFO *r_u)
2922 POLICY_HND *pol = &q_u->pol;
2923 uint16 switch_value = q_u->switch_value;
2924 SAM_USERINFO_CTR *ctr = q_u->ctr;
2926 uint32 acc_required;
2928 DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__));
2930 r_u->status = NT_STATUS_OK;
2932 /* find the policy handle. open a policy on it. */
2933 if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted))
2934 return NT_STATUS_INVALID_HANDLE;
2936 acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */
2937 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) {
2941 DEBUG(5, ("_samr_set_userinfo: sid:%s, level:%d\n", sid_string_static(&sid), switch_value));
2944 DEBUG(5, ("_samr_set_userinfo: NULL info level\n"));
2945 return NT_STATUS_INVALID_INFO_CLASS;
2948 /* ok! user info levels (lots: see MSDEV help), off we go... */
2949 switch (switch_value) {
2951 if (!set_user_info_12(ctr->info.id12, &sid))
2952 return NT_STATUS_ACCESS_DENIED;
2956 if (p->session_key.length != 16) {
2957 /* we may have no session key at all,
2958 and we don't know how to do the SamOEMhash
2960 return NT_STATUS_NO_USER_SESSION_KEY;
2962 SamOEMhash(ctr->info.id24->pass, p->session_key.data, 516);
2964 dump_data(100, (char *)ctr->info.id24->pass, 516);
2966 if (!set_user_info_pw((char *)ctr->info.id24->pass, &sid))
2967 return NT_STATUS_ACCESS_DENIED;
2973 * Currently we don't really know how to unmarshall
2974 * the level 25 struct, and the password encryption
2975 * is different. This is a placeholder for when we
2976 * do understand it. In the meantime just return INVALID
2977 * info level and W2K SP2 drops down to level 23... JRA.
2980 if (p->session_key.length != 16) {
2981 return NT_STATUS_NO_USER_SESSION_KEY;
2983 SamOEMhash(ctr->info.id25->pass, p->session_key.data, 532);
2985 dump_data(100, (char *)ctr->info.id25->pass, 532);
2987 if (!set_user_info_pw(ctr->info.id25->pass, &sid))
2988 return NT_STATUS_ACCESS_DENIED;
2991 return NT_STATUS_INVALID_INFO_CLASS;
2994 if (p->session_key.length != 16) {
2995 return NT_STATUS_NO_USER_SESSION_KEY;
2997 SamOEMhash(ctr->info.id23->pass, p->session_key.data, 516);
2999 dump_data(100, (char *)ctr->info.id23->pass, 516);
3001 if (!set_user_info_23(ctr->info.id23, &sid))
3002 return NT_STATUS_ACCESS_DENIED;
3006 return NT_STATUS_INVALID_INFO_CLASS;
3012 /*******************************************************************
3013 samr_reply_set_userinfo2
3014 ********************************************************************/
3016 NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SET_USERINFO2 *r_u)
3019 SAM_USERINFO_CTR *ctr = q_u->ctr;
3020 POLICY_HND *pol = &q_u->pol;
3021 uint16 switch_value = q_u->switch_value;
3023 uint32 acc_required;
3025 DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__));
3027 r_u->status = NT_STATUS_OK;
3029 /* find the policy handle. open a policy on it. */
3030 if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted))
3031 return NT_STATUS_INVALID_HANDLE;
3033 acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */
3034 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo2"))) {
3038 DEBUG(5, ("samr_reply_set_userinfo2: sid:%s\n", sid_string_static(&sid)));
3041 DEBUG(5, ("samr_reply_set_userinfo2: NULL info level\n"));
3042 return NT_STATUS_INVALID_INFO_CLASS;
3045 switch_value=ctr->switch_value;
3047 /* ok! user info levels (lots: see MSDEV help), off we go... */
3048 switch (switch_value) {
3050 if (!set_user_info_21(ctr->info.id21, &sid))
3051 return NT_STATUS_ACCESS_DENIED;
3054 if (!set_user_info_20(ctr->info.id20, &sid))
3055 return NT_STATUS_ACCESS_DENIED;
3058 if (!set_user_info_10(ctr->info.id10, &sid))
3059 return NT_STATUS_ACCESS_DENIED;
3062 /* Used by AS/U JRA. */
3063 if (!set_user_info_12(ctr->info.id12, &sid))
3064 return NT_STATUS_ACCESS_DENIED;
3067 return NT_STATUS_INVALID_INFO_CLASS;
3073 /*********************************************************************
3074 _samr_query_aliasmem
3075 *********************************************************************/
3077 NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u)
3079 int num_groups = 0, tmp_num_groups=0;
3080 uint32 *rids=NULL, *new_rids=NULL, *tmp_rids=NULL;
3081 struct samr_info *info = NULL;
3087 /* until i see a real useraliases query, we fack one up */
3089 /* I have seen one, JFM 2/12/2001 */
3091 * Explanation of what this call does:
3092 * for all the SID given in the request:
3093 * return a list of alias (local groups)
3094 * that have those SID as members.
3096 * and that's the alias in the domain specified
3097 * in the policy_handle
3099 * if the policy handle is on an incorrect sid
3100 * for example a user's sid
3101 * we should reply NT_STATUS_OBJECT_TYPE_MISMATCH
3104 r_u->status = NT_STATUS_OK;
3106 DEBUG(5,("_samr_query_useraliases: %d\n", __LINE__));
3108 /* find the policy handle. open a policy on it. */
3109 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
3110 return NT_STATUS_INVALID_HANDLE;
3112 ntstatus1 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases");
3113 ntstatus2 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_query_useraliases");
3115 if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
3116 if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
3117 !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {
3118 return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1;
3122 if (!sid_check_is_domain(&info->sid) &&
3123 !sid_check_is_builtin(&info->sid))
3124 return NT_STATUS_OBJECT_TYPE_MISMATCH;
3127 for (i=0; i<q_u->num_sids1; i++) {
3129 r_u->status=get_alias_user_groups(p->mem_ctx, &info->sid, &tmp_num_groups, &tmp_rids, &(q_u->sid[i].sid));
3132 * if there is an error, we just continue as
3133 * it can be an unfound user or group
3135 if (!NT_STATUS_IS_OK(r_u->status)) {
3136 DEBUG(10,("_samr_query_useraliases: an error occured while getting groups\n"));
3140 if (tmp_num_groups==0) {
3141 DEBUG(10,("_samr_query_useraliases: no groups found\n"));
3145 new_rids=(uint32 *)talloc_realloc(p->mem_ctx, rids, (num_groups+tmp_num_groups)*sizeof(uint32));
3146 if (new_rids==NULL) {
3147 DEBUG(0,("_samr_query_useraliases: could not realloc memory\n"));
3148 return NT_STATUS_NO_MEMORY;
3152 for (j=0; j<tmp_num_groups; j++)
3153 rids[j+num_groups]=tmp_rids[j];
3155 safe_free(tmp_rids);
3157 num_groups+=tmp_num_groups;
3160 init_samr_r_query_useraliases(r_u, num_groups, rids, NT_STATUS_OK);
3161 return NT_STATUS_OK;
3164 /*********************************************************************
3165 _samr_query_aliasmem
3166 *********************************************************************/
3168 NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_QUERY_ALIASMEM *r_u)
3180 fstring alias_sid_str;
3183 SAM_ACCOUNT *sam_user = NULL;
3187 /* find the policy handle. open a policy on it. */
3188 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted))
3189 return NT_STATUS_INVALID_HANDLE;
3191 if (!NT_STATUS_IS_OK(r_u->status =
3192 access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_GET_MEMBERS, "_samr_query_aliasmem"))) {
3196 sid_copy(&als_sid, &alias_sid);
3197 sid_to_string(alias_sid_str, &alias_sid);
3198 sid_split_rid(&alias_sid, &alias_rid);
3200 DEBUG(10, ("sid is %s\n", alias_sid_str));
3202 if (sid_equal(&alias_sid, &global_sid_Builtin)) {
3203 DEBUG(10, ("lookup on Builtin SID (S-1-5-32)\n"));
3204 if(!get_builtin_group_from_sid(als_sid, &map))
3205 return NT_STATUS_NO_SUCH_ALIAS;
3207 if (sid_equal(&alias_sid, get_global_sam_sid())) {
3208 DEBUG(10, ("lookup on Server SID\n"));
3209 if(!get_local_group_from_sid(als_sid, &map))
3210 return NT_STATUS_NO_SUCH_ALIAS;
3214 if(!get_uid_list_of_group(map.gid, &uid, &num_uids))
3215 return NT_STATUS_NO_SUCH_ALIAS;
3217 DEBUG(10, ("sid is %s\n", alias_sid_str));
3218 sid = (DOM_SID2 *)talloc_zero(p->mem_ctx, sizeof(DOM_SID2) * num_uids);
3219 if (num_uids!=0 && sid == NULL)
3220 return NT_STATUS_NO_MEMORY;
3222 for (i = 0; i < num_uids; i++) {
3223 struct passwd *pass;
3226 sid_copy(&temp_sid, get_global_sam_sid());
3228 pass = getpwuid_alloc(uid[i]);
3229 if (!pass) continue;
3231 if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_user))) {
3237 check = pdb_getsampwnam(sam_user, pass->pw_name);
3240 if (check != True) {
3241 pdb_free_sam(&sam_user);
3246 rid = pdb_get_user_rid(sam_user);
3248 pdb_free_sam(&sam_user);
3253 pdb_free_sam(&sam_user);
3256 sid_append_rid(&temp_sid, rid);
3258 init_dom_sid2(&sid[i], &temp_sid);
3261 DEBUG(10, ("sid is %s\n", alias_sid_str));
3262 init_samr_r_query_aliasmem(r_u, num_uids, sid, NT_STATUS_OK);
3264 return NT_STATUS_OK;
3267 /*********************************************************************
3268 _samr_query_groupmem
3269 *********************************************************************/
3271 NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u)
3277 fstring group_sid_str;
3285 SAM_ACCOUNT *sam_user = NULL;
3289 /* find the policy handle. open a policy on it. */
3290 if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted))
3291 return NT_STATUS_INVALID_HANDLE;
3293 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_GET_MEMBERS, "_samr_query_groupmem"))) {
3297 /* todo: change to use sid_compare_front */
3299 sid_split_rid(&group_sid, &group_rid);
3300 sid_to_string(group_sid_str, &group_sid);
3301 DEBUG(10, ("sid is %s\n", group_sid_str));
3303 /* can we get a query for an SID outside our domain ? */
3304 if (!sid_equal(&group_sid, get_global_sam_sid()))
3305 return NT_STATUS_NO_SUCH_GROUP;
3307 sid_append_rid(&group_sid, group_rid);
3308 DEBUG(10, ("lookup on Domain SID\n"));
3310 if(!get_domain_group_from_sid(group_sid, &map))
3311 return NT_STATUS_NO_SUCH_GROUP;
3313 if(!get_uid_list_of_group(map.gid, &uid, &num_uids))
3314 return NT_STATUS_NO_SUCH_GROUP;
3316 rid=talloc_zero(p->mem_ctx, sizeof(uint32)*num_uids);
3317 attr=talloc_zero(p->mem_ctx, sizeof(uint32)*num_uids);
3319 if (num_uids!=0 && (rid==NULL || attr==NULL))
3320 return NT_STATUS_NO_MEMORY;
3322 for (i=0; i<num_uids; i++) {
3323 struct passwd *pass;
3326 pass = getpwuid_alloc(uid[i]);
3327 if (!pass) continue;
3329 if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_user))) {
3335 check = pdb_getsampwnam(sam_user, pass->pw_name);
3338 if (check != True) {
3339 pdb_free_sam(&sam_user);
3344 urid = pdb_get_user_rid(sam_user);
3346 pdb_free_sam(&sam_user);
3351 pdb_free_sam(&sam_user);
3355 attr[i] = SID_NAME_USER;
3358 init_samr_r_query_groupmem(r_u, num_uids, rid, attr, NT_STATUS_OK);
3360 return NT_STATUS_OK;
3363 /*********************************************************************
3365 *********************************************************************/
3367 NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_ADD_ALIASMEM *r_u)
3370 fstring alias_sid_str;
3377 SAM_ACCOUNT *sam_user = NULL;
3381 /* Find the policy handle. Open a policy on it. */
3382 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted))
3383 return NT_STATUS_INVALID_HANDLE;
3385 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_ADD_MEMBER, "_samr_add_aliasmem"))) {
3389 sid_to_string(alias_sid_str, &alias_sid);
3390 DEBUG(10, ("sid is %s\n", alias_sid_str));
3392 if (sid_compare(&alias_sid, get_global_sam_sid())>0) {
3393 DEBUG(10, ("adding member on Server SID\n"));
3394 if(!get_local_group_from_sid(alias_sid, &map))
3395 return NT_STATUS_NO_SUCH_ALIAS;
3398 if (sid_compare(&alias_sid, &global_sid_Builtin)>0) {
3399 DEBUG(10, ("adding member on BUILTIN SID\n"));
3400 if( !get_local_group_from_sid(alias_sid, &map))
3401 return NT_STATUS_NO_SUCH_ALIAS;
3404 return NT_STATUS_NO_SUCH_ALIAS;
3407 ret = pdb_init_sam(&sam_user);
3408 if (!NT_STATUS_IS_OK(ret))
3411 check = pdb_getsampwsid(sam_user, &q_u->sid.sid);
3413 if (check != True) {
3414 pdb_free_sam(&sam_user);
3415 return NT_STATUS_NO_SUCH_USER;
3418 /* check a real user exist before we run the script to add a user to a group */
3419 if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) {
3420 pdb_free_sam(&sam_user);
3421 return NT_STATUS_NO_SUCH_USER;
3424 pdb_free_sam(&sam_user);
3426 if ((pwd=getpwuid_alloc(uid)) == NULL) {
3427 return NT_STATUS_NO_SUCH_USER;
3430 if ((grp=getgrgid(map.gid)) == NULL) {
3432 return NT_STATUS_NO_SUCH_ALIAS;
3435 /* we need to copy the name otherwise it's overloaded in user_in_group_list */
3436 fstrcpy(grp_name, grp->gr_name);
3438 /* if the user is already in the group */
3439 if(user_in_unix_group_list(pwd->pw_name, grp_name)) {
3441 return NT_STATUS_MEMBER_IN_ALIAS;
3445 * ok, the group exist, the user exist, the user is not in the group,
3446 * we can (finally) add it to the group !
3448 smb_add_user_group(grp_name, pwd->pw_name);
3450 /* check if the user has been added then ... */
3451 if(!user_in_unix_group_list(pwd->pw_name, grp_name)) {
3453 return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */
3457 return NT_STATUS_OK;
3460 /*********************************************************************
3462 *********************************************************************/
3464 NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DEL_ALIASMEM *r_u)
3467 fstring alias_sid_str;
3471 SAM_ACCOUNT *sam_pass=NULL;
3474 /* Find the policy handle. Open a policy on it. */
3475 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted))
3476 return NT_STATUS_INVALID_HANDLE;
3478 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_REMOVE_MEMBER, "_samr_del_aliasmem"))) {
3482 sid_to_string(alias_sid_str, &alias_sid);
3483 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n", alias_sid_str));
3485 if (!sid_check_is_in_our_domain(&alias_sid) &&
3486 !sid_check_is_in_builtin(&alias_sid)) {
3487 DEBUG(10, ("_samr_del_aliasmem:invalid alias group\n"));
3488 return NT_STATUS_NO_SUCH_ALIAS;
3491 if( !get_local_group_from_sid(alias_sid, &map))
3492 return NT_STATUS_NO_SUCH_ALIAS;
3494 if ((grp=getgrgid(map.gid)) == NULL)
3495 return NT_STATUS_NO_SUCH_ALIAS;
3497 /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */
3498 fstrcpy(grp_name, grp->gr_name);
3500 /* check if the user exists before trying to remove it from the group */
3501 pdb_init_sam(&sam_pass);
3502 if(!pdb_getsampwsid(sam_pass, &q_u->sid.sid)) {
3503 DEBUG(5,("_samr_del_aliasmem:User %s doesn't exist.\n", pdb_get_username(sam_pass)));
3504 pdb_free_sam(&sam_pass);
3505 return NT_STATUS_NO_SUCH_USER;
3508 /* if the user is not in the group */
3509 if(!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
3510 pdb_free_sam(&sam_pass);
3511 return NT_STATUS_MEMBER_IN_ALIAS;
3514 smb_delete_user_group(grp_name, pdb_get_username(sam_pass));
3516 /* check if the user has been removed then ... */
3517 if(user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
3518 pdb_free_sam(&sam_pass);
3519 return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */
3522 pdb_free_sam(&sam_pass);
3523 return NT_STATUS_OK;
3526 /*********************************************************************
3528 *********************************************************************/
3530 NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_ADD_GROUPMEM *r_u)
3534 fstring group_sid_str;
3541 SAM_ACCOUNT *sam_user=NULL;
3545 /* Find the policy handle. Open a policy on it. */
3546 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
3547 return NT_STATUS_INVALID_HANDLE;
3549 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_ADD_MEMBER, "_samr_add_groupmem"))) {
3553 sid_to_string(group_sid_str, &group_sid);
3554 DEBUG(10, ("sid is %s\n", group_sid_str));
3556 if (sid_compare(&group_sid, get_global_sam_sid())<=0)
3557 return NT_STATUS_NO_SUCH_GROUP;
3559 DEBUG(10, ("lookup on Domain SID\n"));
3561 if(!get_domain_group_from_sid(group_sid, &map))
3562 return NT_STATUS_NO_SUCH_GROUP;
3564 sid_copy(&user_sid, get_global_sam_sid());
3565 sid_append_rid(&user_sid, q_u->rid);
3567 ret = pdb_init_sam(&sam_user);
3568 if (!NT_STATUS_IS_OK(ret))
3571 check = pdb_getsampwsid(sam_user, &user_sid);
3573 if (check != True) {
3574 pdb_free_sam(&sam_user);
3575 return NT_STATUS_NO_SUCH_USER;
3578 /* check a real user exist before we run the script to add a user to a group */
3579 if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) {
3580 pdb_free_sam(&sam_user);
3581 return NT_STATUS_NO_SUCH_USER;
3584 pdb_free_sam(&sam_user);
3586 if ((pwd=getpwuid_alloc(uid)) == NULL) {
3587 return NT_STATUS_NO_SUCH_USER;
3590 if ((grp=getgrgid(map.gid)) == NULL) {
3592 return NT_STATUS_NO_SUCH_GROUP;
3595 /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */
3596 fstrcpy(grp_name, grp->gr_name);
3598 /* if the user is already in the group */
3599 if(user_in_unix_group_list(pwd->pw_name, grp_name)) {
3601 return NT_STATUS_MEMBER_IN_GROUP;
3605 * ok, the group exist, the user exist, the user is not in the group,
3607 * we can (finally) add it to the group !
3610 smb_add_user_group(grp_name, pwd->pw_name);
3612 /* check if the user has been added then ... */
3613 if(!user_in_unix_group_list(pwd->pw_name, grp_name)) {
3615 return NT_STATUS_MEMBER_NOT_IN_GROUP; /* don't know what to reply else */
3619 return NT_STATUS_OK;
3622 /*********************************************************************
3624 *********************************************************************/
3626 NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DEL_GROUPMEM *r_u)
3630 SAM_ACCOUNT *sam_pass=NULL;
3637 * delete the group member named q_u->rid
3638 * who is a member of the sid associated with the handle
3639 * the rid is a user's rid as the group is a domain group.
3642 /* Find the policy handle. Open a policy on it. */
3643 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
3644 return NT_STATUS_INVALID_HANDLE;
3646 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_REMOVE_MEMBER, "_samr_del_groupmem"))) {
3650 if (!sid_check_is_in_our_domain(&group_sid))
3651 return NT_STATUS_NO_SUCH_GROUP;
3653 sid_copy(&user_sid, get_global_sam_sid());
3654 sid_append_rid(&user_sid, q_u->rid);
3656 if (!get_domain_group_from_sid(group_sid, &map))
3657 return NT_STATUS_NO_SUCH_GROUP;
3659 if ((grp=getgrgid(map.gid)) == NULL)
3660 return NT_STATUS_NO_SUCH_GROUP;
3662 /* we need to copy the name otherwise it's overloaded in user_in_group_list */
3663 fstrcpy(grp_name, grp->gr_name);
3665 /* check if the user exists before trying to remove it from the group */
3666 pdb_init_sam(&sam_pass);
3667 if (!pdb_getsampwsid(sam_pass, &user_sid)) {
3668 DEBUG(5,("User %s doesn't exist.\n", pdb_get_username(sam_pass)));
3669 pdb_free_sam(&sam_pass);
3670 return NT_STATUS_NO_SUCH_USER;
3673 /* if the user is not in the group */
3674 if (!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
3675 pdb_free_sam(&sam_pass);
3676 return NT_STATUS_MEMBER_NOT_IN_GROUP;
3679 smb_delete_user_group(grp_name, pdb_get_username(sam_pass));
3681 /* check if the user has been removed then ... */
3682 if (user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
3683 pdb_free_sam(&sam_pass);
3684 return NT_STATUS_ACCESS_DENIED; /* don't know what to reply else */
3687 pdb_free_sam(&sam_pass);
3688 return NT_STATUS_OK;
3692 /****************************************************************************
3693 Delete a UNIX user on demand.
3694 ****************************************************************************/
3696 static int smb_delete_user(const char *unix_user)
3701 /* try winbindd first since it is impossible to determine where
3702 a user came from via NSS. Try the delete user script if this fails
3703 meaning the user did not exist in winbindd's list of accounts */
3705 if ( winbind_delete_user( unix_user ) ) {
3706 DEBUG(3,("winbind_delete_user: removed user (%s)\n", unix_user));
3711 /* fall back to 'delete user script' */
3713 pstrcpy(del_script, lp_deluser_script());
3716 all_string_sub(del_script, "%u", unix_user, sizeof(pstring));
3717 ret = smbrun(del_script,NULL);
3718 DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret));
3723 /*********************************************************************
3724 _samr_delete_dom_user
3725 *********************************************************************/
3727 NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAMR_R_DELETE_DOM_USER *r_u )
3730 SAM_ACCOUNT *sam_pass=NULL;
3733 DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__));
3735 /* Find the policy handle. Open a policy on it. */
3736 if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &user_sid, &acc_granted))
3737 return NT_STATUS_INVALID_HANDLE;
3739 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_user"))) {
3743 if (!sid_check_is_in_our_domain(&user_sid))
3744 return NT_STATUS_CANNOT_DELETE;
3746 /* check if the user exists before trying to delete */
3747 pdb_init_sam(&sam_pass);
3748 if(!pdb_getsampwsid(sam_pass, &user_sid)) {
3749 DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n",
3750 sid_string_static(&user_sid)));
3751 pdb_free_sam(&sam_pass);
3752 return NT_STATUS_NO_SUCH_USER;
3755 /* delete the unix side */
3757 * note: we don't check if the delete really happened
3758 * as the script is not necessary present
3759 * and maybe the sysadmin doesn't want to delete the unix side
3761 smb_delete_user(pdb_get_username(sam_pass));
3763 /* and delete the samba side */
3764 if (!pdb_delete_sam_account(sam_pass)) {
3765 DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", pdb_get_username(sam_pass)));
3766 pdb_free_sam(&sam_pass);
3767 return NT_STATUS_CANNOT_DELETE;
3770 pdb_free_sam(&sam_pass);
3772 if (!close_policy_hnd(p, &q_u->user_pol))
3773 return NT_STATUS_OBJECT_NAME_INVALID;
3775 return NT_STATUS_OK;
3778 /*********************************************************************
3779 _samr_delete_dom_group
3780 *********************************************************************/
3782 NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, SAMR_R_DELETE_DOM_GROUP *r_u)
3787 fstring group_sid_str;
3793 DEBUG(5, ("samr_delete_dom_group: %d\n", __LINE__));
3795 /* Find the policy handle. Open a policy on it. */
3796 if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted))
3797 return NT_STATUS_INVALID_HANDLE;
3799 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_group"))) {
3803 sid_copy(&dom_sid, &group_sid);
3804 sid_to_string(group_sid_str, &dom_sid);
3805 sid_split_rid(&dom_sid, &group_rid);
3807 DEBUG(10, ("sid is %s\n", group_sid_str));
3809 /* we check if it's our SID before deleting */
3810 if (!sid_equal(&dom_sid, get_global_sam_sid()))
3811 return NT_STATUS_NO_SUCH_GROUP;
3813 DEBUG(10, ("lookup on Domain SID\n"));
3815 if(!get_domain_group_from_sid(group_sid, &map))
3816 return NT_STATUS_NO_SUCH_GROUP;
3820 /* check if group really exists */
3821 if ( (grp=getgrgid(gid)) == NULL)
3822 return NT_STATUS_NO_SUCH_GROUP;
3824 /* we can delete the UNIX group */
3825 smb_delete_group(grp->gr_name);
3827 /* check if the group has been successfully deleted */
3828 if ( (grp=getgrgid(gid)) != NULL)
3829 return NT_STATUS_ACCESS_DENIED;
3831 if(!pdb_delete_group_mapping_entry(group_sid))
3832 return NT_STATUS_ACCESS_DENIED;
3834 if (!close_policy_hnd(p, &q_u->group_pol))
3835 return NT_STATUS_OBJECT_NAME_INVALID;
3837 return NT_STATUS_OK;
3840 /*********************************************************************
3841 _samr_delete_dom_alias
3842 *********************************************************************/
3844 NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, SAMR_R_DELETE_DOM_ALIAS *r_u)
3849 fstring alias_sid_str;
3855 DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__));
3857 /* Find the policy handle. Open a policy on it. */
3858 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted))
3859 return NT_STATUS_INVALID_HANDLE;
3861 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_alias"))) {
3865 sid_copy(&dom_sid, &alias_sid);
3866 sid_to_string(alias_sid_str, &dom_sid);
3867 sid_split_rid(&dom_sid, &alias_rid);
3869 DEBUG(10, ("sid is %s\n", alias_sid_str));
3871 /* we check if it's our SID before deleting */
3872 if (!sid_equal(&dom_sid, get_global_sam_sid()))
3873 return NT_STATUS_NO_SUCH_ALIAS;
3875 DEBUG(10, ("lookup on Local SID\n"));
3877 if(!get_local_group_from_sid(alias_sid, &map))
3878 return NT_STATUS_NO_SUCH_ALIAS;
3882 /* check if group really exists */
3883 if ( (grp=getgrgid(gid)) == NULL)
3884 return NT_STATUS_NO_SUCH_ALIAS;
3886 /* we can delete the UNIX group */
3887 smb_delete_group(grp->gr_name);
3889 /* check if the group has been successfully deleted */
3890 if ( (grp=getgrgid(gid)) != NULL)
3891 return NT_STATUS_ACCESS_DENIED;
3893 /* don't check if we removed it as it could be an un-mapped group */
3894 pdb_delete_group_mapping_entry(alias_sid);
3896 if (!close_policy_hnd(p, &q_u->alias_pol))
3897 return NT_STATUS_OBJECT_NAME_INVALID;
3899 return NT_STATUS_OK;
3902 /*********************************************************************
3903 _samr_create_dom_group
3904 *********************************************************************/
3906 NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, SAMR_R_CREATE_DOM_GROUP *r_u)
3913 struct samr_info *info;
3917 /* Find the policy handle. Open a policy on it. */
3918 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid, &acc_granted))
3919 return NT_STATUS_INVALID_HANDLE;
3921 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_GROUP, "_samr_create_dom_group"))) {
3925 if (!sid_equal(&dom_sid, get_global_sam_sid()))
3926 return NT_STATUS_ACCESS_DENIED;
3928 /* TODO: check if allowed to create group and add a become_root/unbecome_root pair.*/
3930 unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1);
3932 /* check if group already exist */
3933 if ((grp=getgrnam(name)) != NULL)
3934 return NT_STATUS_GROUP_EXISTS;
3936 /* we can create the UNIX group */
3937 if (smb_create_group(name, &gid) != 0)
3938 return NT_STATUS_ACCESS_DENIED;
3940 /* check if the group has been successfully created */
3941 if ((grp=getgrgid(gid)) == NULL)
3942 return NT_STATUS_ACCESS_DENIED;
3944 r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);
3946 /* add the group to the mapping table */
3947 sid_copy(&info_sid, get_global_sam_sid());
3948 sid_append_rid(&info_sid, r_u->rid);
3949 sid_to_string(sid_string, &info_sid);
3951 if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL))
3952 return NT_STATUS_ACCESS_DENIED;
3954 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
3955 return NT_STATUS_NO_MEMORY;
3957 /* get a (unique) handle. open a policy on it. */
3958 if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info))
3959 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3961 return NT_STATUS_OK;
3964 /*********************************************************************
3965 _samr_create_dom_alias
3966 *********************************************************************/
3968 NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, SAMR_R_CREATE_DOM_ALIAS *r_u)
3975 struct samr_info *info;
3979 /* Find the policy handle. Open a policy on it. */
3980 if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted))
3981 return NT_STATUS_INVALID_HANDLE;
3983 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_ALIAS, "_samr_create_alias"))) {
3987 if (!sid_equal(&dom_sid, get_global_sam_sid()))
3988 return NT_STATUS_ACCESS_DENIED;
3990 /* TODO: check if allowed to create group and add a become_root/unbecome_root pair.*/
3992 unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1);
3994 /* check if group already exists */
3995 if ( (grp=getgrnam(name)) != NULL)
3996 return NT_STATUS_GROUP_EXISTS;
3998 /* we can create the UNIX group */
3999 if (smb_create_group(name, &gid) != 0)
4000 return NT_STATUS_ACCESS_DENIED;
4002 /* check if the group has been successfully created */
4003 if ((grp=getgrgid(gid)) == NULL)
4004 return NT_STATUS_ACCESS_DENIED;
4006 r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);
4008 sid_copy(&info_sid, get_global_sam_sid());
4009 sid_append_rid(&info_sid, r_u->rid);
4010 sid_to_string(sid_string, &info_sid);
4012 /* add the group to the mapping table */
4013 if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, name, NULL))
4014 return NT_STATUS_ACCESS_DENIED;
4016 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
4017 return NT_STATUS_NO_MEMORY;
4019 /* get a (unique) handle. open a policy on it. */
4020 if (!create_policy_hnd(p, &r_u->alias_pol, free_samr_info, (void *)info))
4021 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
4023 return NT_STATUS_OK;
4026 /*********************************************************************
4027 _samr_query_groupinfo
4029 sends the name/comment pair of a domain group
4030 level 1 send also the number of users of that group
4031 *********************************************************************/
4033 NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_R_QUERY_GROUPINFO *r_u)
4039 GROUP_INFO_CTR *ctr;
4043 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
4044 return NT_STATUS_INVALID_HANDLE;
4046 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_LOOKUP_INFO, "_samr_query_groupinfo"))) {
4051 ret = get_domain_group_from_sid(group_sid, &map);
4054 return NT_STATUS_INVALID_HANDLE;
4056 ctr=(GROUP_INFO_CTR *)talloc_zero(p->mem_ctx, sizeof(GROUP_INFO_CTR));
4058 return NT_STATUS_NO_MEMORY;
4060 switch (q_u->switch_level) {
4062 ctr->switch_value1 = 1;
4063 if(!get_uid_list_of_group(map.gid, &uid, &num_uids))
4064 return NT_STATUS_NO_SUCH_GROUP;
4065 init_samr_group_info1(&ctr->group.info1, map.nt_name, map.comment, num_uids);
4069 ctr->switch_value1 = 3;
4070 init_samr_group_info3(&ctr->group.info3);
4073 ctr->switch_value1 = 4;
4074 init_samr_group_info4(&ctr->group.info4, map.comment);
4077 return NT_STATUS_INVALID_INFO_CLASS;
4080 init_samr_r_query_groupinfo(r_u, ctr, NT_STATUS_OK);
4082 return NT_STATUS_OK;
4085 /*********************************************************************
4088 update a domain group's comment.
4089 *********************************************************************/
4091 NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SET_GROUPINFO *r_u)
4095 GROUP_INFO_CTR *ctr;
4098 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
4099 return NT_STATUS_INVALID_HANDLE;
4101 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_SET_INFO, "_samr_set_groupinfo"))) {
4105 if (!get_domain_group_from_sid(group_sid, &map))
4106 return NT_STATUS_NO_SUCH_GROUP;
4110 switch (ctr->switch_value1) {
4112 unistr2_to_ascii(map.comment, &(ctr->group.info1.uni_acct_desc), sizeof(map.comment)-1);
4115 unistr2_to_ascii(map.comment, &(ctr->group.info4.uni_acct_desc), sizeof(map.comment)-1);
4118 return NT_STATUS_INVALID_INFO_CLASS;
4121 if(!pdb_update_group_mapping_entry(&map)) {
4122 return NT_STATUS_NO_SUCH_GROUP;
4125 return NT_STATUS_OK;
4128 /*********************************************************************
4131 update an alias's comment.
4132 *********************************************************************/
4134 NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_SET_ALIASINFO *r_u)
4138 ALIAS_INFO_CTR *ctr;
4141 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted))
4142 return NT_STATUS_INVALID_HANDLE;
4144 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_SET_INFO, "_samr_set_aliasinfo"))) {
4148 if (!get_local_group_from_sid(group_sid, &map))
4149 return NT_STATUS_NO_SUCH_GROUP;
4153 switch (ctr->switch_value1) {
4155 unistr2_to_ascii(map.comment, &(ctr->alias.info3.uni_acct_desc), sizeof(map.comment)-1);
4158 return NT_STATUS_INVALID_INFO_CLASS;
4161 if(!pdb_update_group_mapping_entry(&map)) {
4162 return NT_STATUS_NO_SUCH_GROUP;
4165 return NT_STATUS_OK;
4168 /*********************************************************************
4169 _samr_get_dom_pwinfo
4170 *********************************************************************/
4172 NTSTATUS _samr_get_dom_pwinfo(pipes_struct *p, SAMR_Q_GET_DOM_PWINFO *q_u, SAMR_R_GET_DOM_PWINFO *r_u)
4174 /* Perform access check. Since this rpc does not require a
4175 policy handle it will not be caught by the access checks on
4176 SAMR_CONNECT or SAMR_CONNECT_ANON. */
4178 if (!pipe_access_check(p)) {
4179 DEBUG(3, ("access denied to samr_get_dom_pwinfo\n"));
4180 r_u->status = NT_STATUS_ACCESS_DENIED;
4184 /* Actually, returning zeros here works quite well :-). */
4186 return NT_STATUS_OK;
4189 /*********************************************************************
4191 *********************************************************************/
4193 NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_GROUP *r_u)
4198 struct samr_info *info;
4199 SEC_DESC *psd = NULL;
4201 uint32 des_access = q_u->access_mask;
4207 if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid, &acc_granted))
4208 return NT_STATUS_INVALID_HANDLE;
4210 if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_group"))) {
4214 /*check if access can be granted as requested by client. */
4215 samr_make_grp_obj_sd(p->mem_ctx, &psd, &sd_size);
4216 se_map_generic(&des_access,&grp_generic_mapping);
4217 if (!NT_STATUS_IS_OK(status =
4218 access_check_samr_object(psd, p->pipe_user.nt_user_token,
4219 des_access, &acc_granted, "_samr_open_group"))) {
4224 /* this should not be hard-coded like this */
4225 if (!sid_equal(&sid, get_global_sam_sid()))
4226 return NT_STATUS_ACCESS_DENIED;
4228 sid_copy(&info_sid, get_global_sam_sid());
4229 sid_append_rid(&info_sid, q_u->rid_group);
4230 sid_to_string(sid_string, &info_sid);
4232 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
4233 return NT_STATUS_NO_MEMORY;
4235 info->acc_granted = acc_granted;
4237 DEBUG(10, ("_samr_open_group:Opening SID: %s\n", sid_string));
4239 /* check if that group really exists */
4241 ret = get_domain_group_from_sid(info->sid, &map);
4244 return NT_STATUS_NO_SUCH_GROUP;
4246 /* get a (unique) handle. open a policy on it. */
4247 if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info))
4248 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
4250 return NT_STATUS_OK;
4253 /*********************************************************************
4254 _samr_remove_user_foreign_domain
4255 *********************************************************************/
4257 NTSTATUS _samr_remove_user_foreign_domain(pipes_struct *p,
4258 SAMR_Q_REMOVE_USER_FOREIGN_DOMAIN *q_u,
4259 SAMR_R_REMOVE_USER_FOREIGN_DOMAIN *r_u)
4261 DOM_SID user_sid, dom_sid;
4262 SAM_ACCOUNT *sam_pass=NULL;
4265 sid_copy( &user_sid, &q_u->sid.sid );
4267 DEBUG(5,("_samr_remove_user_foreign_domain: removing user [%s]\n",
4268 sid_string_static(&user_sid)));
4270 /* Find the policy handle. Open a policy on it. */
4272 if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted))
4273 return NT_STATUS_INVALID_HANDLE;
4275 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted,
4276 STD_RIGHT_DELETE_ACCESS, "_samr_remove_user_foreign_domain")))
4281 if ( !sid_check_is_in_our_domain(&user_sid) ) {
4282 DEBUG(5,("_samr_remove_user_foreign_domain: user not is our domain!\n"));
4283 return NT_STATUS_NO_SUCH_USER;
4286 /* check if the user exists before trying to delete */
4288 pdb_init_sam(&sam_pass);
4290 if ( !pdb_getsampwsid(sam_pass, &user_sid) ) {
4292 DEBUG(5,("_samr_remove_user_foreign_domain:User %s doesn't exist.\n",
4293 sid_string_static(&user_sid)));
4295 pdb_free_sam(&sam_pass);
4297 return NT_STATUS_NO_SUCH_USER;
4301 * delete the unix side
4303 * note: we don't check if the delete really happened
4304 * as the script is not necessary present
4305 * and maybe the sysadmin doesn't want to delete the unix side
4308 smb_delete_user(pdb_get_username(sam_pass));
4310 /* and delete the samba side */
4312 if ( !pdb_delete_sam_account(sam_pass) ) {
4314 DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", pdb_get_username(sam_pass)));
4315 pdb_free_sam(&sam_pass);
4317 return NT_STATUS_CANNOT_DELETE;
4320 pdb_free_sam(&sam_pass);
4322 return NT_STATUS_OK;
4325 /*******************************************************************
4327 ********************************************************************/
4329 NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOWN_2E *r_u)
4331 struct samr_info *info = NULL;
4333 uint32 min_pass_len,pass_hist,flag;
4334 time_t u_expire, u_min_age;
4335 NTTIME nt_expire, nt_min_age;
4337 time_t u_lock_duration, u_reset_time;
4338 NTTIME nt_lock_duration, nt_reset_time;
4344 uint32 num_users=0, num_groups=0, num_aliases=0;
4346 uint32 account_policy_temp;
4348 if ((ctr = (SAM_UNK_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL)
4349 return NT_STATUS_NO_MEMORY;
4353 r_u->status = NT_STATUS_OK;
4355 DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__));
4357 /* find the policy handle. open a policy on it. */
4358 if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info))
4359 return NT_STATUS_INVALID_HANDLE;
4361 switch (q_u->switch_value) {
4363 account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp);
4364 min_pass_len = account_policy_temp;
4366 account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp);
4367 pass_hist = account_policy_temp;
4369 account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
4370 flag = account_policy_temp;
4372 account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp);
4373 u_expire = account_policy_temp;
4375 account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp);
4376 u_min_age = account_policy_temp;
4378 unix_to_nt_time_abs(&nt_expire, u_expire);
4379 unix_to_nt_time_abs(&nt_min_age, u_min_age);
4381 init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist,
4382 flag, nt_expire, nt_min_age);
4386 r_u->status=load_sampwd_entries(info, ACB_NORMAL, False);
4388 if (!NT_STATUS_IS_OK(r_u->status)) {
4389 DEBUG(5, ("_samr_unknown_2e: load_sampwd_entries failed\n"));
4392 num_users=info->disp_info.num_user_account;
4395 r_u->status=load_group_domain_entries(info, get_global_sam_sid());
4396 if (NT_STATUS_IS_ERR(r_u->status)) {
4397 DEBUG(5, ("_samr_unknown_2e: load_group_domain_entries failed\n"));
4400 num_groups=info->disp_info.num_group_account;
4403 /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */
4404 init_unk_info2(&ctr->info.inf2, lp_workgroup(), global_myname(), (uint32) time(NULL),
4405 num_users, num_groups, num_aliases);
4408 account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp);
4409 u_logout = account_policy_temp;
4411 unix_to_nt_time_abs(&nt_logout, u_logout);
4413 init_unk_info3(&ctr->info.inf3, nt_logout);
4416 init_unk_info5(&ctr->info.inf5, global_myname());
4419 init_unk_info6(&ctr->info.inf6);
4422 init_unk_info7(&ctr->info.inf7);
4425 account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
4426 u_lock_duration = account_policy_temp;
4428 account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp);
4429 u_reset_time = account_policy_temp;
4431 account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
4432 lockout = account_policy_temp;
4434 unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
4435 unix_to_nt_time_abs(&nt_reset_time, u_reset_time);
4437 init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout);
4440 return NT_STATUS_INVALID_INFO_CLASS;
4443 init_samr_r_samr_unknown_2e(r_u, q_u->switch_value, ctr, NT_STATUS_OK);
4445 DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__));
4450 /*******************************************************************
4452 ********************************************************************/
4454 NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R_SET_DOMAIN_INFO *r_u)
4456 time_t u_expire, u_min_age;
4458 time_t u_lock_duration, u_reset_time;
4460 r_u->status = NT_STATUS_OK;
4462 DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__));
4464 /* find the policy handle. open a policy on it. */
4465 if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL))
4466 return NT_STATUS_INVALID_HANDLE;
4468 DEBUG(5,("_samr_set_dom_info: switch_value: %d\n", q_u->switch_value));
4470 switch (q_u->switch_value) {
4472 u_expire=nt_time_to_unix_abs(&q_u->ctr->info.inf1.expire);
4473 u_min_age=nt_time_to_unix_abs(&q_u->ctr->info.inf1.min_passwordage);
4475 account_policy_set(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password);
4476 account_policy_set(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history);
4477 account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag);
4478 account_policy_set(AP_MAX_PASSWORD_AGE, (int)u_expire);
4479 account_policy_set(AP_MIN_PASSWORD_AGE, (int)u_min_age);
4484 u_logout=nt_time_to_unix_abs(&q_u->ctr->info.inf3.logout);
4485 account_policy_set(AP_TIME_TO_LOGOUT, (int)u_logout);
4494 u_lock_duration=nt_time_to_unix_abs(&q_u->ctr->info.inf12.duration);
4495 u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count);
4497 account_policy_set(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
4498 account_policy_set(AP_RESET_COUNT_TIME, (int)u_reset_time);
4499 account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout);
4502 return NT_STATUS_INVALID_INFO_CLASS;
4505 init_samr_r_set_domain_info(r_u, NT_STATUS_OK);
4507 DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__));