2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2002,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002.
11 * Copyright (C) Gerald (Jerry) Carter 2003.
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation; either version 2 of the License, or
16 * (at your option) any later version.
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 * This is the implementation of the SAMR code.
35 #define DBGC_CLASS DBGC_RPC_SRV
37 extern DOM_SID global_sid_Builtin;
39 extern rid_name domain_group_rids[];
40 extern rid_name domain_alias_rids[];
41 extern rid_name builtin_alias_rids[];
45 typedef struct _disp_info {
47 uint32 num_user_account;
48 SAM_ACCOUNT *disp_user_info;
50 uint32 num_group_account;
51 DOMAIN_GRP *disp_group_info;
55 /* for use by the \PIPE\samr policy */
57 uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */
66 struct generic_mapping sam_generic_mapping = {GENERIC_RIGHTS_SAM_READ, GENERIC_RIGHTS_SAM_WRITE, GENERIC_RIGHTS_SAM_EXECUTE, GENERIC_RIGHTS_SAM_ALL_ACCESS};
67 struct generic_mapping dom_generic_mapping = {GENERIC_RIGHTS_DOMAIN_READ, GENERIC_RIGHTS_DOMAIN_WRITE, GENERIC_RIGHTS_DOMAIN_EXECUTE, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
68 struct generic_mapping usr_generic_mapping = {GENERIC_RIGHTS_USER_READ, GENERIC_RIGHTS_USER_WRITE, GENERIC_RIGHTS_USER_EXECUTE, GENERIC_RIGHTS_USER_ALL_ACCESS};
69 struct generic_mapping grp_generic_mapping = {GENERIC_RIGHTS_GROUP_READ, GENERIC_RIGHTS_GROUP_WRITE, GENERIC_RIGHTS_GROUP_EXECUTE, GENERIC_RIGHTS_GROUP_ALL_ACCESS};
70 struct generic_mapping ali_generic_mapping = {GENERIC_RIGHTS_ALIAS_READ, GENERIC_RIGHTS_ALIAS_WRITE, GENERIC_RIGHTS_ALIAS_EXECUTE, GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
72 static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size);
74 /*******************************************************************
75 Checks if access to an object should be granted, and returns that
76 level of access for further checks.
77 ********************************************************************/
79 NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, uint32 des_access,
80 uint32 *acc_granted, const char *debug)
82 NTSTATUS status = NT_STATUS_ACCESS_DENIED;
84 if (!se_access_check(psd, nt_user_token, des_access, acc_granted, &status)) {
85 *acc_granted = des_access;
86 if (geteuid() == sec_initial_uid()) {
87 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n",
89 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
90 status = NT_STATUS_OK;
93 DEBUG(2,("%s: ACCESS DENIED (requested: %#010x)\n",
100 /*******************************************************************
101 Checks if access to a function can be granted
102 ********************************************************************/
104 NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
106 DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
107 debug, acc_granted, acc_required));
108 if ((acc_granted & acc_required) != acc_required) {
109 if (geteuid() == sec_initial_uid()) {
110 DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
111 debug, acc_granted, acc_required));
112 DEBUGADD(4,("but overwritten by euid == 0\n"));
115 DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n",
116 debug, acc_granted, acc_required));
117 return NT_STATUS_ACCESS_DENIED;
123 /*******************************************************************
124 Create a samr_info struct.
125 ********************************************************************/
127 static struct samr_info *get_samr_info_by_sid(DOM_SID *psid)
129 struct samr_info *info;
134 sid_to_string(sid_str, psid);
136 fstrcpy(sid_str,"(NULL)");
139 mem_ctx = talloc_init("samr_info for domain sid %s", sid_str);
141 if ((info = (struct samr_info *)talloc(mem_ctx, sizeof(struct samr_info))) == NULL)
145 DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str));
147 sid_copy( &info->sid, psid);
149 DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n"));
151 info->mem_ctx = mem_ctx;
155 /*******************************************************************
156 Function to free the per handle data.
157 ********************************************************************/
159 static void free_samr_users(struct samr_info *info)
163 if (info->disp_info.user_dbloaded){
164 for (i=0; i<info->disp_info.num_user_account; i++) {
165 SAM_ACCOUNT *sam = &info->disp_info.disp_user_info[i];
166 /* Not really a free, actually a 'clear' */
170 info->disp_info.user_dbloaded=False;
171 info->disp_info.num_user_account=0;
174 /*******************************************************************
175 Function to free the per handle data.
176 ********************************************************************/
178 static void free_samr_db(struct samr_info *info)
180 /* Groups are talloced */
182 free_samr_users(info);
184 info->disp_info.group_dbloaded=False;
185 info->disp_info.num_group_account=0;
188 static void free_samr_info(void *ptr)
190 struct samr_info *info=(struct samr_info *) ptr;
193 talloc_destroy(info->mem_ctx);
196 /*******************************************************************
197 Ensure password info is never given out. Paranioa... JRA.
198 ********************************************************************/
200 static void samr_clear_sam_passwd(SAM_ACCOUNT *sam_pass)
206 /* These now zero out the old password */
208 pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
209 pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
213 static NTSTATUS load_sampwd_entries(struct samr_info *info, uint16 acb_mask, BOOL all_machines)
215 SAM_ACCOUNT *pwd = NULL;
216 SAM_ACCOUNT *pwd_array = NULL;
217 NTSTATUS nt_status = NT_STATUS_OK;
218 TALLOC_CTX *mem_ctx = info->mem_ctx;
220 DEBUG(10,("load_sampwd_entries\n"));
222 /* if the snapshoot is already loaded, return */
223 if ((info->disp_info.user_dbloaded==True)
224 && (info->acb_mask == acb_mask)
225 && (info->all_machines == all_machines)) {
226 DEBUG(10,("load_sampwd_entries: already in memory\n"));
230 free_samr_users(info);
232 if (!pdb_setsampwent(False)) {
233 DEBUG(0, ("load_sampwd_entries: Unable to open passdb.\n"));
234 return NT_STATUS_ACCESS_DENIED;
237 for (; (NT_STATUS_IS_OK(nt_status = pdb_init_sam_talloc(mem_ctx, &pwd)))
238 && pdb_getsampwent(pwd) == True; pwd=NULL) {
241 if (!((pdb_get_acct_ctrl(pwd) & ACB_WSTRUST)
242 || (pdb_get_acct_ctrl(pwd) & ACB_SVRTRUST))) {
243 DEBUG(5,("load_sampwd_entries: '%s' is not a machine account - ACB: %x - skipping\n", pdb_get_username(pwd), acb_mask));
248 if (acb_mask != 0 && !(pdb_get_acct_ctrl(pwd) & acb_mask)) {
250 DEBUG(5,(" acb_mask %x reject\n", acb_mask));
255 /* Realloc some memory for the array of ptr to the SAM_ACCOUNT structs */
256 if (info->disp_info.num_user_account % MAX_SAM_ENTRIES == 0) {
258 DEBUG(10,("load_sampwd_entries: allocating more memory\n"));
259 pwd_array=(SAM_ACCOUNT *)talloc_realloc(mem_ctx, info->disp_info.disp_user_info,
260 (info->disp_info.num_user_account+MAX_SAM_ENTRIES)*sizeof(SAM_ACCOUNT));
263 return NT_STATUS_NO_MEMORY;
265 info->disp_info.disp_user_info=pwd_array;
268 /* Copy the SAM_ACCOUNT into the array */
269 info->disp_info.disp_user_info[info->disp_info.num_user_account]=*pwd;
271 DEBUG(10,("load_sampwd_entries: entry: %d\n", info->disp_info.num_user_account));
273 info->disp_info.num_user_account++;
278 /* the snapshoot is in memory, we're ready to enumerate fast */
280 info->acb_mask = acb_mask;
281 info->all_machines = all_machines;
282 info->disp_info.user_dbloaded=True;
284 DEBUG(10,("load_sampwd_entries: done\n"));
289 static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid)
292 DOMAIN_GRP *grp_array = NULL;
293 uint32 group_entries = 0;
295 TALLOC_CTX *mem_ctx = info->mem_ctx;
298 DEBUG(10,("load_group_domain_entries\n"));
300 /* if the snapshoot is already loaded, return */
301 if (info->disp_info.group_dbloaded==True) {
302 DEBUG(10,("load_group_domain_entries: already in memory\n"));
308 ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED);
312 DEBUG(1, ("load_group_domain_entries: pdb_enum_group_mapping() failed!\n"));
313 return NT_STATUS_NO_MEMORY;
317 info->disp_info.num_group_account=group_entries;
319 grp_array=(DOMAIN_GRP *)talloc(mem_ctx, info->disp_info.num_group_account*sizeof(DOMAIN_GRP));
320 if (group_entries!=0 && grp_array==NULL) {
321 DEBUG(1, ("load_group_domain_entries: talloc() failed for grp_array!\n"));
323 return NT_STATUS_NO_MEMORY;
326 info->disp_info.disp_group_info=grp_array;
328 for (i=0; i<group_entries; i++) {
329 fstrcpy(grp_array[i].name, map[i].nt_name);
330 fstrcpy(grp_array[i].comment, map[i].comment);
331 sid_split_rid(&map[i].sid, &grp_array[i].rid);
332 grp_array[i].attr=SID_NAME_DOM_GRP;
337 /* the snapshoot is in memory, we're ready to enumerate fast */
339 info->disp_info.group_dbloaded=True;
341 DEBUG(10,("load_group_domain_entries: done\n"));
347 /*******************************************************************
349 ********************************************************************/
351 NTSTATUS _samr_close_hnd(pipes_struct *p, SAMR_Q_CLOSE_HND *q_u, SAMR_R_CLOSE_HND *r_u)
353 r_u->status = NT_STATUS_OK;
355 /* close the policy handle */
356 if (!close_policy_hnd(p, &q_u->pol))
357 return NT_STATUS_OBJECT_NAME_INVALID;
359 DEBUG(5,("samr_reply_close_hnd: %d\n", __LINE__));
364 /*******************************************************************
365 samr_reply_open_domain
366 ********************************************************************/
368 NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN_DOMAIN *r_u)
370 struct samr_info *info;
371 SEC_DESC *psd = NULL;
373 uint32 des_access = q_u->flags;
377 r_u->status = NT_STATUS_OK;
379 /* find the connection policy handle. */
380 if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info))
381 return NT_STATUS_INVALID_HANDLE;
383 if (!NT_STATUS_IS_OK(status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_OPEN_DOMAIN,"_samr_open_domain"))) {
387 /*check if access can be granted as requested by client. */
388 samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size);
389 se_map_generic(&des_access,&dom_generic_mapping);
391 if (!NT_STATUS_IS_OK(status =
392 access_check_samr_object(psd, p->pipe_user.nt_user_token,
393 des_access, &acc_granted, "_samr_open_domain"))) {
397 /* associate the domain SID with the (unique) handle. */
398 if ((info = get_samr_info_by_sid(&q_u->dom_sid.sid))==NULL)
399 return NT_STATUS_NO_MEMORY;
400 info->acc_granted = acc_granted;
402 /* get a (unique) handle. open a policy on it. */
403 if (!create_policy_hnd(p, &r_u->domain_pol, free_samr_info, (void *)info))
404 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
406 DEBUG(5,("samr_open_domain: %d\n", __LINE__));
411 /*******************************************************************
412 _samr_get_usrdom_pwinfo
413 ********************************************************************/
415 NTSTATUS _samr_get_usrdom_pwinfo(pipes_struct *p, SAMR_Q_GET_USRDOM_PWINFO *q_u, SAMR_R_GET_USRDOM_PWINFO *r_u)
417 struct samr_info *info = NULL;
419 r_u->status = NT_STATUS_OK;
421 /* find the policy handle. open a policy on it. */
422 if (!find_policy_by_hnd(p, &q_u->user_pol, (void **)&info))
423 return NT_STATUS_INVALID_HANDLE;
425 if (!sid_check_is_in_our_domain(&info->sid))
426 return NT_STATUS_OBJECT_TYPE_MISMATCH;
428 init_samr_r_get_usrdom_pwinfo(r_u, NT_STATUS_OK);
430 DEBUG(5,("_samr_get_usrdom_pwinfo: %d\n", __LINE__));
433 * NT sometimes return NT_STATUS_ACCESS_DENIED
434 * I don't know yet why.
440 /*******************************************************************
442 ********************************************************************/
444 static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size)
446 extern DOM_SID global_sid_World;
455 sid_copy(&adm_sid, &global_sid_Builtin);
456 sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
458 sid_copy(&act_sid, &global_sid_Builtin);
459 sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
461 /*basic access for every one*/
462 init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_EXECUTE | GENERIC_RIGHTS_DOMAIN_READ);
463 init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
465 /*full access for builtin aliases Administrators and Account Operators*/
466 init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS);
467 init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
468 init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
470 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
471 return NT_STATUS_NO_MEMORY;
473 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
474 return NT_STATUS_NO_MEMORY;
479 /*******************************************************************
481 ********************************************************************/
483 static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size, DOM_SID *usr_sid)
485 extern DOM_SID global_sid_World;
494 sid_copy(&adm_sid, &global_sid_Builtin);
495 sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
497 sid_copy(&act_sid, &global_sid_Builtin);
498 sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
500 /*basic access for every one*/
501 init_sec_access(&mask, GENERIC_RIGHTS_USER_EXECUTE | GENERIC_RIGHTS_USER_READ);
502 init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
504 /*full access for builtin aliases Administrators and Account Operators*/
505 init_sec_access(&mask, GENERIC_RIGHTS_USER_ALL_ACCESS);
506 init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
507 init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
509 /*extended access for the user*/
510 init_sec_access(&mask,READ_CONTROL_ACCESS | SA_RIGHT_USER_CHANGE_PASSWORD | SA_RIGHT_USER_SET_LOC_COM);
511 init_sec_ace(&ace[3], usr_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
513 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 4, ace)) == NULL)
514 return NT_STATUS_NO_MEMORY;
516 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
517 return NT_STATUS_NO_MEMORY;
522 /*******************************************************************
524 ********************************************************************/
526 static NTSTATUS samr_make_grp_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size)
528 extern DOM_SID global_sid_World;
537 sid_copy(&adm_sid, &global_sid_Builtin);
538 sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
540 sid_copy(&act_sid, &global_sid_Builtin);
541 sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
543 /*basic access for every one*/
544 init_sec_access(&mask, GENERIC_RIGHTS_GROUP_EXECUTE | GENERIC_RIGHTS_GROUP_READ);
545 init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
547 /*full access for builtin aliases Administrators and Account Operators*/
548 init_sec_access(&mask, GENERIC_RIGHTS_GROUP_ALL_ACCESS);
549 init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
550 init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
552 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
553 return NT_STATUS_NO_MEMORY;
555 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
556 return NT_STATUS_NO_MEMORY;
561 /*******************************************************************
563 ********************************************************************/
565 static NTSTATUS samr_make_ali_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size)
567 extern DOM_SID global_sid_World;
576 sid_copy(&adm_sid, &global_sid_Builtin);
577 sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
579 sid_copy(&act_sid, &global_sid_Builtin);
580 sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
582 /*basic access for every one*/
583 init_sec_access(&mask, GENERIC_RIGHTS_ALIAS_EXECUTE | GENERIC_RIGHTS_ALIAS_READ);
584 init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
586 /*full access for builtin aliases Administrators and Account Operators*/
587 init_sec_access(&mask, GENERIC_RIGHTS_ALIAS_ALL_ACCESS);
588 init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
589 init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
591 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
592 return NT_STATUS_NO_MEMORY;
594 if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, sd_size)) == NULL)
595 return NT_STATUS_NO_MEMORY;
600 static BOOL get_lsa_policy_samr_sid(pipes_struct *p, POLICY_HND *pol, DOM_SID *sid, uint32 *acc_granted)
602 struct samr_info *info = NULL;
604 /* find the policy handle. open a policy on it. */
605 if (!find_policy_by_hnd(p, pol, (void **)&info))
612 *acc_granted = info->acc_granted;
616 /*******************************************************************
618 ********************************************************************/
620 NTSTATUS _samr_set_sec_obj(pipes_struct *p, SAMR_Q_SET_SEC_OBJ *q_u, SAMR_R_SET_SEC_OBJ *r_u)
622 DEBUG(0,("_samr_set_sec_obj: Not yet implemented!\n"));
623 return NT_STATUS_NOT_IMPLEMENTED;
627 /*******************************************************************
629 ********************************************************************/
631 NTSTATUS _samr_query_sec_obj(pipes_struct *p, SAMR_Q_QUERY_SEC_OBJ *q_u, SAMR_R_QUERY_SEC_OBJ *r_u)
635 SEC_DESC * psd = NULL;
639 r_u->status = NT_STATUS_OK;
642 if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &pol_sid, &acc_granted))
643 return NT_STATUS_INVALID_HANDLE;
647 DEBUG(10,("_samr_query_sec_obj: querying security on SID: %s\n", sid_to_string(str_sid, &pol_sid)));
649 /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
651 /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
652 if (pol_sid.sid_rev_num == 0)
654 DEBUG(5,("_samr_query_sec_obj: querying security on SAM\n"));
655 r_u->status = samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size);
657 else if (sid_equal(&pol_sid,get_global_sam_sid())) /* check if it is our domain SID */
660 DEBUG(5,("_samr_query_sec_obj: querying security on Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
661 r_u->status = samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size);
663 else if (sid_equal(&pol_sid,&global_sid_Builtin)) /* check if it is the Builtin Domain */
665 /* TODO: Builtin probably needs a different SD with restricted write access*/
666 DEBUG(5,("_samr_query_sec_obj: querying security on Builtin Domain with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
667 r_u->status = samr_make_dom_obj_sd(p->mem_ctx, &psd, &sd_size);
669 else if (sid_check_is_in_our_domain(&pol_sid) ||
670 sid_check_is_in_builtin(&pol_sid))
672 /* TODO: different SDs have to be generated for aliases groups and users.
673 Currently all three get a default user SD */
674 DEBUG(10,("_samr_query_sec_obj: querying security on Object with SID: %s\n", sid_to_string(str_sid, &pol_sid)));
675 r_u->status = samr_make_usr_obj_sd(p->mem_ctx, &psd,&sd_size, &pol_sid);
677 else return NT_STATUS_OBJECT_TYPE_MISMATCH;
679 if ((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
680 return NT_STATUS_NO_MEMORY;
682 if (NT_STATUS_IS_OK(r_u->status))
688 /*******************************************************************
689 makes a SAM_ENTRY / UNISTR2* structure from a user list.
690 ********************************************************************/
692 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR2 **uni_name_pp,
693 uint32 num_entries, uint32 start_idx, SAM_ACCOUNT *disp_user_info,
699 SAM_ACCOUNT *pwd = NULL;
700 UNISTR2 uni_temp_name;
701 const char *temp_name;
702 const DOM_SID *user_sid;
704 fstring user_sid_string;
705 fstring domain_sid_string;
710 if (num_entries == 0)
713 sam = (SAM_ENTRY *)talloc_zero(ctx, sizeof(SAM_ENTRY)*num_entries);
715 uni_name = (UNISTR2 *)talloc_zero(ctx, sizeof(UNISTR2)*num_entries);
717 if (sam == NULL || uni_name == NULL) {
718 DEBUG(0, ("make_user_sam_entry_list: talloc_zero failed!\n"));
719 return NT_STATUS_NO_MEMORY;
722 for (i = 0; i < num_entries; i++) {
723 pwd = &disp_user_info[i+start_idx];
724 temp_name = pdb_get_username(pwd);
725 init_unistr2(&uni_temp_name, temp_name, UNI_STR_TERMINATE);
726 user_sid = pdb_get_user_sid(pwd);
728 if (!sid_peek_check_rid(domain_sid, user_sid, &user_rid)) {
729 DEBUG(0, ("make_user_sam_entry_list: User %s has SID %s, which conflicts with "
730 "the domain sid %s. Failing operation.\n",
732 sid_to_string(user_sid_string, user_sid),
733 sid_to_string(domain_sid_string, domain_sid)));
734 return NT_STATUS_UNSUCCESSFUL;
737 init_sam_entry(&sam[i], &uni_temp_name, user_rid);
738 copy_unistr2(&uni_name[i], &uni_temp_name);
742 *uni_name_pp = uni_name;
746 /*******************************************************************
747 samr_reply_enum_dom_users
748 ********************************************************************/
750 NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u,
751 SAMR_R_ENUM_DOM_USERS *r_u)
753 struct samr_info *info = NULL;
754 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
756 uint32 enum_context=q_u->start_idx;
757 uint32 max_size=q_u->max_size;
759 enum remote_arch_types ra_type = get_remote_arch();
760 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
761 uint32 max_entries = max_sam_entries;
764 r_u->status = NT_STATUS_OK;
766 /* find the policy handle. open a policy on it. */
767 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
768 return NT_STATUS_INVALID_HANDLE;
770 domain_sid = info->sid;
772 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted,
773 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
774 "_samr_enum_dom_users"))) {
778 DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__));
781 r_u->status=load_sampwd_entries(info, q_u->acb_mask, False);
784 if (!NT_STATUS_IS_OK(r_u->status))
787 num_account = info->disp_info.num_user_account;
789 if (enum_context > num_account) {
790 DEBUG(5, ("_samr_enum_dom_users: enumeration handle over total entries\n"));
794 /* verify we won't overflow */
795 if (max_entries > num_account-enum_context) {
796 max_entries = num_account-enum_context;
797 DEBUG(5, ("_samr_enum_dom_users: only %d entries to return\n", max_entries));
800 /* calculate the size and limit on the number of entries we will return */
801 temp_size=max_entries*struct_size;
803 if (temp_size>max_size) {
804 max_entries=MIN((max_size/struct_size),max_entries);;
805 DEBUG(5, ("_samr_enum_dom_users: buffer size limits to only %d entries\n", max_entries));
809 * Note from JRA. total_entries is not being used here. Currently if there is a
810 * large user base then it looks like NT will enumerate until get_sampwd_entries
811 * returns False due to num_entries being zero. This will cause an access denied
812 * return. I don't think this is right and needs further investigation. Note that
813 * this is also the same in the TNG code (I don't think that has been tested with
814 * a very large user list as MAX_SAM_ENTRIES is set to 600).
816 * I also think that one of the 'num_entries' return parameters is probably
817 * the "max entries" parameter - but in the TNG code they're all currently set to the same
818 * value (again I think this is wrong).
821 r_u->status = make_user_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_acct_name,
822 max_entries, enum_context,
823 info->disp_info.disp_user_info,
826 if (!NT_STATUS_IS_OK(r_u->status))
829 if (enum_context+max_entries < num_account)
830 r_u->status = STATUS_MORE_ENTRIES;
832 DEBUG(5, ("_samr_enum_dom_users: %d\n", __LINE__));
834 init_samr_r_enum_dom_users(r_u, q_u->start_idx + max_entries, max_entries);
836 DEBUG(5,("_samr_enum_dom_users: %d\n", __LINE__));
841 /*******************************************************************
842 makes a SAM_ENTRY / UNISTR2* structure from a group list.
843 ********************************************************************/
845 static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNISTR2 **uni_name_pp,
846 uint32 num_sam_entries, DOMAIN_GRP *grp)
855 if (num_sam_entries == 0)
858 sam = (SAM_ENTRY *)talloc_zero(ctx, sizeof(SAM_ENTRY)*num_sam_entries);
860 uni_name = (UNISTR2 *)talloc_zero(ctx, sizeof(UNISTR2)*num_sam_entries);
862 if (sam == NULL || uni_name == NULL) {
863 DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n"));
867 for (i = 0; i < num_sam_entries; i++) {
869 * JRA. I think this should include the null. TNG does not.
871 init_unistr2(&uni_name[i], grp[i].name, UNI_STR_TERMINATE);
872 init_sam_entry(&sam[i], &uni_name[i], grp[i].rid);
876 *uni_name_pp = uni_name;
879 /*******************************************************************
880 Get the group entries - similar to get_sampwd_entries().
881 ******************************************************************/
883 static NTSTATUS get_group_entries( enum SID_NAME_USE type, TALLOC_CTX *ctx,
884 DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx,
885 uint32 *p_num_entries, uint32 max_entries )
889 uint32 group_entries = 0;
890 uint32 num_entries = 0;
894 /* access checks for the users were performed higher up. become/unbecome_root()
895 needed for some passdb backends to enumerate groups */
898 pdb_enum_group_mapping(type, &map, (int *)&group_entries, ENUM_ONLY_MAPPED);
901 num_entries=group_entries-start_idx;
903 /* limit the number of entries */
904 if (num_entries>max_entries) {
905 DEBUG(5,("Limiting to %d entries\n", max_entries));
906 num_entries=max_entries;
909 *d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP));
910 if (num_entries!=0 && *d_grp==NULL){
912 return NT_STATUS_NO_MEMORY;
915 for (i=0; i<num_entries; i++) {
916 fstrcpy((*d_grp)[i].name, map[i+start_idx].nt_name);
917 fstrcpy((*d_grp)[i].comment, map[i+start_idx].comment);
918 sid_split_rid(&map[i+start_idx].sid, &(*d_grp)[i].rid);
919 (*d_grp)[i].attr=type;
924 *p_num_entries = num_entries;
926 DEBUG(10,("get_group_entries: returning %d entries\n", *p_num_entries));
931 /*******************************************************************
932 Wrapper for enuemrating domain groups
933 ******************************************************************/
935 static NTSTATUS get_group_domain_entries( TALLOC_CTX *ctx, DOMAIN_GRP **d_grp,
936 DOM_SID *sid, uint32 start_idx,
937 uint32 *p_num_entries, uint32 max_entries )
939 return get_group_entries( SID_NAME_DOM_GRP, ctx, d_grp, sid, start_idx,
940 p_num_entries, max_entries );
943 /*******************************************************************
944 Wrapper for enumerating local groups
945 ******************************************************************/
947 static NTSTATUS get_group_alias_entries( TALLOC_CTX *ctx, DOMAIN_GRP **d_grp,
948 DOM_SID *sid, uint32 start_idx,
949 uint32 *p_num_entries, uint32 max_entries)
951 if ( sid_equal(sid, &global_sid_Builtin) ) {
952 return get_group_entries( SID_NAME_WKN_GRP, ctx, d_grp,
953 sid, start_idx, p_num_entries, max_entries );
955 else if ( sid_equal(sid, get_global_sam_sid()) ) {
956 return get_group_entries( SID_NAME_ALIAS, ctx, d_grp,
957 sid, start_idx, p_num_entries, max_entries );
960 /* can't do anything with this SID */
967 /*******************************************************************
968 samr_reply_enum_dom_groups
969 ********************************************************************/
971 NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAMR_R_ENUM_DOM_GROUPS *r_u)
973 DOMAIN_GRP *grp=NULL;
978 r_u->status = NT_STATUS_OK;
980 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted))
981 return NT_STATUS_INVALID_HANDLE;
983 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_groups"))) {
987 DEBUG(5,("samr_reply_enum_dom_groups: %d\n", __LINE__));
989 /* the domain group array is being allocated in the function below */
990 if (!NT_STATUS_IS_OK(r_u->status = get_group_domain_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, &num_entries, MAX_SAM_ENTRIES))) {
994 make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp);
996 init_samr_r_enum_dom_groups(r_u, q_u->start_idx, num_entries);
998 DEBUG(5,("samr_enum_dom_groups: %d\n", __LINE__));
1004 /*******************************************************************
1005 samr_reply_enum_dom_aliases
1006 ********************************************************************/
1008 NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, SAMR_R_ENUM_DOM_ALIASES *r_u)
1010 DOMAIN_GRP *grp=NULL;
1011 uint32 num_entries = 0;
1017 r_u->status = NT_STATUS_OK;
1019 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted))
1020 return NT_STATUS_INVALID_HANDLE;
1022 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_aliases"))) {
1026 sid_to_string(sid_str, &sid);
1027 DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", sid_str));
1029 status = get_group_alias_entries(p->mem_ctx, &grp, &sid, q_u->start_idx,
1030 &num_entries, MAX_SAM_ENTRIES);
1031 if (NT_STATUS_IS_ERR(status)) return status;
1033 make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp);
1037 init_samr_r_enum_dom_aliases(r_u, q_u->start_idx + num_entries, num_entries);
1039 DEBUG(5,("samr_enum_dom_aliases: %d\n", __LINE__));
1044 /*******************************************************************
1045 samr_reply_query_dispinfo
1046 ********************************************************************/
1048 NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u,
1049 SAMR_R_QUERY_DISPINFO *r_u)
1051 struct samr_info *info = NULL;
1052 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1054 uint32 max_entries=q_u->max_entries;
1055 uint32 enum_context=q_u->start_idx;
1056 uint32 max_size=q_u->max_size;
1058 SAM_DISPINFO_CTR *ctr;
1059 uint32 temp_size=0, total_data_size=0;
1061 uint32 num_account = 0;
1062 enum remote_arch_types ra_type = get_remote_arch();
1063 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1066 DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__));
1067 r_u->status = NT_STATUS_OK;
1069 /* find the policy handle. open a policy on it. */
1070 if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info))
1071 return NT_STATUS_INVALID_HANDLE;
1073 domain_sid = info->sid;
1076 * calculate how many entries we will return.
1078 * - the number of entries the client asked
1079 * - our limit on that
1080 * - the starting point (enumeration context)
1081 * - the buffer size the client will accept
1085 * We are a lot more like W2K. Instead of reading the SAM
1086 * each time to find the records we need to send back,
1087 * we read it once and link that copy to the sam handle.
1088 * For large user list (over the MAX_SAM_ENTRIES)
1089 * it's a definitive win.
1090 * second point to notice: between enumerations
1091 * our sam is now the same as it's a snapshoot.
1092 * third point: got rid of the static SAM_USER_21 struct
1093 * no more intermediate.
1094 * con: it uses much more memory, as a full copy is stored
1097 * If you want to change it, think twice and think
1098 * of the second point , that's really important.
1103 /* Get what we need from the password database */
1104 switch (q_u->switch_level) {
1106 /* When playing with usrmgr, this is necessary
1107 if you want immediate refresh after editing
1108 a user. I would like to do this after the
1109 setuserinfo2, but we do not have access to
1110 the domain handle in that call, only to the
1111 user handle. Where else does this hurt?
1115 /* We cannot do this here - it kills performace. JRA. */
1116 free_samr_users(info);
1121 /* Level 2 is for all machines, otherwise only 'normal' users */
1122 r_u->status=load_sampwd_entries(info, ACB_NORMAL, q_u->switch_level==2);
1124 if (!NT_STATUS_IS_OK(r_u->status)) {
1125 DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n"));
1128 num_account = info->disp_info.num_user_account;
1132 r_u->status = load_group_domain_entries(info, &info->sid);
1133 if (!NT_STATUS_IS_OK(r_u->status))
1135 num_account = info->disp_info.num_group_account;
1138 DEBUG(0,("_samr_query_dispinfo: Unknown info level (%u)\n", (unsigned int)q_u->switch_level ));
1139 return NT_STATUS_INVALID_INFO_CLASS;
1142 /* first limit the number of entries we will return */
1143 if(max_entries > max_sam_entries) {
1144 DEBUG(5, ("samr_reply_query_dispinfo: client requested %d entries, limiting to %d\n", max_entries, max_sam_entries));
1145 max_entries = max_sam_entries;
1148 if (enum_context > num_account) {
1149 DEBUG(5, ("samr_reply_query_dispinfo: enumeration handle over total entries\n"));
1150 return NT_STATUS_NO_MORE_ENTRIES;
1153 /* verify we won't overflow */
1154 if (max_entries > num_account-enum_context) {
1155 max_entries = num_account-enum_context;
1156 DEBUG(5, ("samr_reply_query_dispinfo: only %d entries to return\n", max_entries));
1159 /* calculate the size and limit on the number of entries we will return */
1160 temp_size=max_entries*struct_size;
1162 if (temp_size>max_size) {
1163 max_entries=MIN((max_size/struct_size),max_entries);;
1164 DEBUG(5, ("samr_reply_query_dispinfo: buffer size limits to only %d entries\n", max_entries));
1167 if (!(ctr = (SAM_DISPINFO_CTR *)talloc_zero(p->mem_ctx,sizeof(SAM_DISPINFO_CTR))))
1168 return NT_STATUS_NO_MEMORY;
1172 /* Now create reply structure */
1173 switch (q_u->switch_level) {
1176 if (!(ctr->sam.info1 = (SAM_DISPINFO_1 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_1))))
1177 return NT_STATUS_NO_MEMORY;
1179 disp_ret = init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, max_entries, enum_context,
1180 info->disp_info.disp_user_info, &domain_sid);
1181 if (!NT_STATUS_IS_OK(disp_ret))
1186 if (!(ctr->sam.info2 = (SAM_DISPINFO_2 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_2))))
1187 return NT_STATUS_NO_MEMORY;
1189 disp_ret = init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, max_entries, enum_context,
1190 info->disp_info.disp_user_info, &domain_sid);
1191 if (!NT_STATUS_IS_OK(disp_ret))
1196 if (!(ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_3))))
1197 return NT_STATUS_NO_MEMORY;
1199 disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, max_entries, enum_context, info->disp_info.disp_group_info);
1200 if (!NT_STATUS_IS_OK(disp_ret))
1205 if (!(ctr->sam.info4 = (SAM_DISPINFO_4 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_4))))
1206 return NT_STATUS_NO_MEMORY;
1208 disp_ret = init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, max_entries, enum_context, info->disp_info.disp_user_info);
1209 if (!NT_STATUS_IS_OK(disp_ret))
1214 if (!(ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc_zero(p->mem_ctx,max_entries*sizeof(SAM_DISPINFO_5))))
1215 return NT_STATUS_NO_MEMORY;
1217 disp_ret = init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, max_entries, enum_context, info->disp_info.disp_group_info);
1218 if (!NT_STATUS_IS_OK(disp_ret))
1223 ctr->sam.info = NULL;
1224 return NT_STATUS_INVALID_INFO_CLASS;
1227 /* calculate the total size */
1228 total_data_size=num_account*struct_size;
1230 if (enum_context+max_entries < num_account)
1231 r_u->status = STATUS_MORE_ENTRIES;
1233 DEBUG(5, ("_samr_query_dispinfo: %d\n", __LINE__));
1235 init_samr_r_query_dispinfo(r_u, max_entries, total_data_size, temp_size, q_u->switch_level, ctr, r_u->status);
1241 /*******************************************************************
1242 samr_reply_query_aliasinfo
1243 ********************************************************************/
1245 NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_R_QUERY_ALIASINFO *r_u)
1252 r_u->status = NT_STATUS_OK;
1254 DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__));
1256 /* find the policy handle. open a policy on it. */
1257 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted))
1258 return NT_STATUS_INVALID_HANDLE;
1259 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_LOOKUP_INFO, "_samr_query_aliasinfo"))) {
1263 if (!sid_check_is_in_our_domain(&sid) &&
1264 !sid_check_is_in_builtin(&sid))
1265 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1268 ret = pdb_getgrsid(&map, sid);
1272 return NT_STATUS_NO_SUCH_ALIAS;
1274 switch (q_u->switch_level) {
1277 r_u->ctr.switch_value1 = 1;
1278 init_samr_alias_info1(&r_u->ctr.alias.info1, map.nt_name, 1, map.comment);
1282 r_u->ctr.switch_value1 = 3;
1283 init_samr_alias_info3(&r_u->ctr.alias.info3, map.comment);
1286 return NT_STATUS_INVALID_INFO_CLASS;
1289 DEBUG(5,("_samr_query_aliasinfo: %d\n", __LINE__));
1295 /*******************************************************************
1296 samr_reply_lookup_ids
1297 ********************************************************************/
1299 uint32 _samr_lookup_ids(pipes_struct *p, SAMR_Q_LOOKUP_IDS *q_u, SAMR_R_LOOKUP_IDS *r_u)
1301 uint32 rid[MAX_SAM_ENTRIES];
1302 int num_rids = q_u->num_sids1;
1304 r_u->status = NT_STATUS_OK;
1306 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__));
1308 if (num_rids > MAX_SAM_ENTRIES) {
1309 num_rids = MAX_SAM_ENTRIES;
1310 DEBUG(5,("_samr_lookup_ids: truncating entries to %d\n", num_rids));
1315 SMB_ASSERT_ARRAY(q_u->uni_user_name, num_rids);
1317 for (i = 0; i < num_rids && status == 0; i++)
1319 struct sam_passwd *sam_pass;
1323 fstrcpy(user_name, unistrn2(q_u->uni_user_name[i].buffer,
1324 q_u->uni_user_name[i].uni_str_len));
1326 /* find the user account */
1328 sam_pass = get_smb21pwd_entry(user_name, 0);
1331 if (sam_pass == NULL)
1333 status = 0xC0000000 | NT_STATUS_NO_SUCH_USER;
1338 rid[i] = sam_pass->user_rid;
1344 rid[0] = BUILTIN_ALIAS_RID_USERS;
1346 init_samr_r_lookup_ids(&r_u, num_rids, rid, NT_STATUS_OK);
1348 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__));
1354 /*******************************************************************
1356 ********************************************************************/
1358 NTSTATUS _samr_lookup_names(pipes_struct *p, SAMR_Q_LOOKUP_NAMES *q_u, SAMR_R_LOOKUP_NAMES *r_u)
1360 uint32 rid[MAX_SAM_ENTRIES];
1362 enum SID_NAME_USE type[MAX_SAM_ENTRIES];
1363 enum SID_NAME_USE local_type;
1365 int num_rids = q_u->num_names2;
1370 r_u->status = NT_STATUS_OK;
1372 DEBUG(5,("_samr_lookup_names: %d\n", __LINE__));
1377 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted)) {
1378 init_samr_r_lookup_names(p->mem_ctx, r_u, 0, NULL, NULL, NT_STATUS_OBJECT_TYPE_MISMATCH);
1382 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, 0, "_samr_lookup_names"))) { /* Don't know the acc_bits yet */
1386 if (num_rids > MAX_SAM_ENTRIES) {
1387 num_rids = MAX_SAM_ENTRIES;
1388 DEBUG(5,("_samr_lookup_names: truncating entries to %d\n", num_rids));
1391 DEBUG(5,("_samr_lookup_names: looking name on SID %s\n", sid_to_string(sid_str, &pol_sid)));
1393 for (i = 0; i < num_rids; i++) {
1398 r_u->status = NT_STATUS_NONE_MAPPED;
1400 rid [i] = 0xffffffff;
1401 type[i] = SID_NAME_UNKNOWN;
1403 ret = rpcstr_pull(name, q_u->uni_name[i].buffer, sizeof(name), q_u->uni_name[i].uni_str_len*2, 0);
1406 * we are only looking for a name
1407 * the SID we get back can be outside
1408 * the scope of the pol_sid
1410 * in clear: it prevents to reply to domain\group: yes
1411 * when only builtin\group exists.
1413 * a cleaner code is to add the sid of the domain we're looking in
1414 * to the local_lookup_name function.
1417 if ((ret > 0) && local_lookup_name(name, &sid, &local_type)) {
1418 sid_split_rid(&sid, &local_rid);
1420 if (sid_equal(&sid, &pol_sid)) {
1423 /* Windows does not return WKN_GRP here, even
1424 * on lookups in builtin */
1425 type[i] = (local_type == SID_NAME_WKN_GRP) ?
1426 SID_NAME_ALIAS : local_type;
1428 r_u->status = NT_STATUS_OK;
1433 init_samr_r_lookup_names(p->mem_ctx, r_u, num_rids, rid, (uint32 *)type, r_u->status);
1435 DEBUG(5,("_samr_lookup_names: %d\n", __LINE__));
1440 /*******************************************************************
1441 _samr_chgpasswd_user
1442 ********************************************************************/
1444 NTSTATUS _samr_chgpasswd_user(pipes_struct *p, SAMR_Q_CHGPASSWD_USER *q_u, SAMR_R_CHGPASSWD_USER *r_u)
1449 DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__));
1451 r_u->status = NT_STATUS_OK;
1453 rpcstr_pull(user_name, q_u->uni_user_name.buffer, sizeof(user_name), q_u->uni_user_name.uni_str_len*2, 0);
1454 rpcstr_pull(wks, q_u->uni_dest_host.buffer, sizeof(wks), q_u->uni_dest_host.uni_str_len*2,0);
1456 DEBUG(5,("samr_chgpasswd_user: user: %s wks: %s\n", user_name, wks));
1459 * Pass the user through the NT -> unix user mapping
1463 (void)map_username(user_name);
1466 * UNIX username case mangling not required, pass_oem_change
1467 * is case insensitive.
1470 r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash,
1471 q_u->nt_newpass.pass, q_u->nt_oldhash.hash);
1473 init_samr_r_chgpasswd_user(r_u, r_u->status);
1475 DEBUG(5,("_samr_chgpasswd_user: %d\n", __LINE__));
1480 /*******************************************************************
1481 makes a SAMR_R_LOOKUP_RIDS structure.
1482 ********************************************************************/
1484 static BOOL make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names, fstring names[],
1485 UNIHDR **pp_hdr_name, UNISTR2 **pp_uni_name)
1488 UNIHDR *hdr_name=NULL;
1489 UNISTR2 *uni_name=NULL;
1491 *pp_uni_name = NULL;
1492 *pp_hdr_name = NULL;
1494 if (num_names != 0) {
1495 hdr_name = (UNIHDR *)talloc_zero(ctx, sizeof(UNIHDR)*num_names);
1496 if (hdr_name == NULL)
1499 uni_name = (UNISTR2 *)talloc_zero(ctx,sizeof(UNISTR2)*num_names);
1500 if (uni_name == NULL)
1504 for (i = 0; i < num_names; i++) {
1505 DEBUG(10, ("names[%d]:%s\n", i, names[i] ? names[i] : ""));
1506 init_unistr2(&uni_name[i], names[i], UNI_FLAGS_NONE);
1507 init_uni_hdr(&hdr_name[i], &uni_name[i]);
1510 *pp_uni_name = uni_name;
1511 *pp_hdr_name = hdr_name;
1516 /*******************************************************************
1518 ********************************************************************/
1520 NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOKUP_RIDS *r_u)
1522 fstring group_names[MAX_SAM_ENTRIES];
1523 uint32 *group_attrs = NULL;
1524 UNIHDR *hdr_name = NULL;
1525 UNISTR2 *uni_name = NULL;
1527 int num_rids = q_u->num_rids1;
1531 r_u->status = NT_STATUS_OK;
1533 DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__));
1535 /* find the policy handle. open a policy on it. */
1536 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &pol_sid, &acc_granted))
1537 return NT_STATUS_INVALID_HANDLE;
1539 if (num_rids > MAX_SAM_ENTRIES) {
1540 num_rids = MAX_SAM_ENTRIES;
1541 DEBUG(5,("_samr_lookup_rids: truncating entries to %d\n", num_rids));
1545 if ((group_attrs = (uint32 *)talloc_zero(p->mem_ctx, num_rids * sizeof(uint32))) == NULL)
1546 return NT_STATUS_NO_MEMORY;
1549 r_u->status = NT_STATUS_NONE_MAPPED;
1551 become_root(); /* lookup_sid can require root privs */
1553 for (i = 0; i < num_rids; i++) {
1557 enum SID_NAME_USE type;
1559 group_attrs[i] = SID_NAME_UNKNOWN;
1560 *group_names[i] = '\0';
1562 if (sid_equal(&pol_sid, get_global_sam_sid())) {
1563 sid_copy(&sid, &pol_sid);
1564 sid_append_rid(&sid, q_u->rid[i]);
1566 if (lookup_sid(&sid, domname, tmpname, &type)) {
1567 r_u->status = NT_STATUS_OK;
1568 group_attrs[i] = (uint32)type;
1569 fstrcpy(group_names[i],tmpname);
1570 DEBUG(5,("_samr_lookup_rids: %s:%d\n", group_names[i], group_attrs[i]));
1577 if(!make_samr_lookup_rids(p->mem_ctx, num_rids, group_names, &hdr_name, &uni_name))
1578 return NT_STATUS_NO_MEMORY;
1580 init_samr_r_lookup_rids(r_u, num_rids, hdr_name, uni_name, group_attrs);
1582 DEBUG(5,("_samr_lookup_rids: %d\n", __LINE__));
1587 /*******************************************************************
1588 _samr_open_user. Safe - gives out no passwd info.
1589 ********************************************************************/
1591 NTSTATUS _samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN_USER *r_u)
1593 SAM_ACCOUNT *sampass=NULL;
1595 POLICY_HND domain_pol = q_u->domain_pol;
1596 POLICY_HND *user_pol = &r_u->user_pol;
1597 struct samr_info *info = NULL;
1598 SEC_DESC *psd = NULL;
1600 uint32 des_access = q_u->access_mask;
1605 r_u->status = NT_STATUS_OK;
1607 /* find the domain policy handle and get domain SID / access bits in the domain policy. */
1608 if (!get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted))
1609 return NT_STATUS_INVALID_HANDLE;
1611 if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_user"))) {
1615 nt_status = pdb_init_sam_talloc(p->mem_ctx, &sampass);
1616 if (!NT_STATUS_IS_OK(nt_status)) {
1620 /* append the user's RID to it */
1621 if (!sid_append_rid(&sid, q_u->user_rid))
1622 return NT_STATUS_NO_SUCH_USER;
1624 /* check if access can be granted as requested by client. */
1625 samr_make_usr_obj_sd(p->mem_ctx, &psd, &sd_size, &sid);
1626 se_map_generic(&des_access, &usr_generic_mapping);
1627 if (!NT_STATUS_IS_OK(nt_status =
1628 access_check_samr_object(psd, p->pipe_user.nt_user_token,
1629 des_access, &acc_granted, "_samr_open_user"))) {
1634 ret=pdb_getsampwsid(sampass, &sid);
1637 /* check that the SID exists in our domain. */
1639 return NT_STATUS_NO_SUCH_USER;
1642 pdb_free_sam(&sampass);
1644 /* associate the user's SID and access bits with the new handle. */
1645 if ((info = get_samr_info_by_sid(&sid)) == NULL)
1646 return NT_STATUS_NO_MEMORY;
1647 info->acc_granted = acc_granted;
1649 /* get a (unique) handle. open a policy on it. */
1650 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info))
1651 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1656 /*************************************************************************
1657 get_user_info_10. Safe. Only gives out acb bits.
1658 *************************************************************************/
1660 static NTSTATUS get_user_info_10(TALLOC_CTX *mem_ctx, SAM_USER_INFO_10 *id10, DOM_SID *user_sid)
1662 SAM_ACCOUNT *smbpass=NULL;
1666 nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass);
1668 if (!NT_STATUS_IS_OK(nt_status)) {
1673 ret = pdb_getsampwsid(smbpass, user_sid);
1677 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1678 return NT_STATUS_NO_SUCH_USER;
1681 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
1684 init_sam_user_info10(id10, pdb_get_acct_ctrl(smbpass) );
1686 pdb_free_sam(&smbpass);
1688 return NT_STATUS_OK;
1691 /*************************************************************************
1692 get_user_info_12. OK - this is the killer as it gives out password info.
1693 Ensure that this is only allowed on an encrypted connection with a root
1695 *************************************************************************/
1697 static NTSTATUS get_user_info_12(pipes_struct *p, TALLOC_CTX *mem_ctx, SAM_USER_INFO_12 * id12, DOM_SID *user_sid)
1699 SAM_ACCOUNT *smbpass=NULL;
1703 if (!p->ntlmssp_auth_validated)
1704 return NT_STATUS_ACCESS_DENIED;
1706 if (!(p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) || !(p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL))
1707 return NT_STATUS_ACCESS_DENIED;
1710 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
1713 nt_status = pdb_init_sam_talloc(mem_ctx, &smbpass);
1715 if (!NT_STATUS_IS_OK(nt_status)) {
1719 ret = pdb_getsampwsid(smbpass, user_sid);
1722 DEBUG(4, ("User %s not found\n", sid_string_static(user_sid)));
1723 pdb_free_sam(&smbpass);
1724 return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
1727 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
1729 if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
1730 pdb_free_sam(&smbpass);
1731 return NT_STATUS_ACCOUNT_DISABLED;
1735 init_sam_user_info12(id12, pdb_get_lanman_passwd(smbpass), pdb_get_nt_passwd(smbpass));
1737 pdb_free_sam(&smbpass);
1739 return NT_STATUS_OK;
1742 /*************************************************************************
1744 *************************************************************************/
1746 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx, SAM_USER_INFO_20 *id20, DOM_SID *user_sid)
1748 SAM_ACCOUNT *sampass=NULL;
1751 pdb_init_sam_talloc(mem_ctx, &sampass);
1754 ret = pdb_getsampwsid(sampass, user_sid);
1758 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1759 return NT_STATUS_NO_SUCH_USER;
1762 samr_clear_sam_passwd(sampass);
1764 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
1767 init_sam_user_info20A(id20, sampass);
1769 pdb_free_sam(&sampass);
1771 return NT_STATUS_OK;
1774 /*************************************************************************
1776 *************************************************************************/
1778 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, SAM_USER_INFO_21 *id21,
1779 DOM_SID *user_sid, DOM_SID *domain_sid)
1781 SAM_ACCOUNT *sampass=NULL;
1785 nt_status = pdb_init_sam_talloc(mem_ctx, &sampass);
1786 if (!NT_STATUS_IS_OK(nt_status)) {
1791 ret = pdb_getsampwsid(sampass, user_sid);
1795 DEBUG(4,("User %s not found\n", sid_string_static(user_sid)));
1796 return NT_STATUS_NO_SUCH_USER;
1799 samr_clear_sam_passwd(sampass);
1801 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
1804 nt_status = init_sam_user_info21A(id21, sampass, domain_sid);
1806 pdb_free_sam(&sampass);
1808 return NT_STATUS_OK;
1811 /*******************************************************************
1812 _samr_query_userinfo
1813 ********************************************************************/
1815 NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_R_QUERY_USERINFO *r_u)
1817 SAM_USERINFO_CTR *ctr;
1818 struct samr_info *info = NULL;
1822 r_u->status=NT_STATUS_OK;
1824 /* search for the handle */
1825 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
1826 return NT_STATUS_INVALID_HANDLE;
1828 domain_sid = info->sid;
1830 sid_split_rid(&domain_sid, &rid);
1832 if (!sid_check_is_in_our_domain(&info->sid))
1833 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1835 DEBUG(5,("_samr_query_userinfo: sid:%s\n", sid_string_static(&info->sid)));
1837 ctr = (SAM_USERINFO_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_USERINFO_CTR));
1839 return NT_STATUS_NO_MEMORY;
1843 /* ok! user info levels (lots: see MSDEV help), off we go... */
1844 ctr->switch_value = q_u->switch_value;
1846 switch (q_u->switch_value) {
1848 ctr->info.id10 = (SAM_USER_INFO_10 *)talloc_zero(p->mem_ctx, sizeof(SAM_USER_INFO_10));
1849 if (ctr->info.id10 == NULL)
1850 return NT_STATUS_NO_MEMORY;
1852 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_10(p->mem_ctx, ctr->info.id10, &info->sid)))
1857 /* whoops - got this wrong. i think. or don't understand what's happening. */
1861 info = (void *)&id11;
1863 expire.low = 0xffffffff;
1864 expire.high = 0x7fffffff;
1866 ctr->info.id = (SAM_USER_INFO_11 *)talloc_zero(p->mem_ctx,
1871 ZERO_STRUCTP(ctr->info.id11);
1872 init_sam_user_info11(ctr->info.id11, &expire,
1873 "BROOKFIELDS$", /* name */
1874 0x03ef, /* user rid */
1875 0x201, /* group rid */
1876 0x0080); /* acb info */
1883 ctr->info.id12 = (SAM_USER_INFO_12 *)talloc_zero(p->mem_ctx, sizeof(SAM_USER_INFO_12));
1884 if (ctr->info.id12 == NULL)
1885 return NT_STATUS_NO_MEMORY;
1887 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_12(p, p->mem_ctx, ctr->info.id12, &info->sid)))
1892 ctr->info.id20 = (SAM_USER_INFO_20 *)talloc_zero(p->mem_ctx,sizeof(SAM_USER_INFO_20));
1893 if (ctr->info.id20 == NULL)
1894 return NT_STATUS_NO_MEMORY;
1895 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_20(p->mem_ctx, ctr->info.id20, &info->sid)))
1900 ctr->info.id21 = (SAM_USER_INFO_21 *)talloc_zero(p->mem_ctx,sizeof(SAM_USER_INFO_21));
1901 if (ctr->info.id21 == NULL)
1902 return NT_STATUS_NO_MEMORY;
1903 if (!NT_STATUS_IS_OK(r_u->status = get_user_info_21(p->mem_ctx, ctr->info.id21,
1904 &info->sid, &domain_sid)))
1909 return NT_STATUS_INVALID_INFO_CLASS;
1912 init_samr_r_query_userinfo(r_u, ctr, r_u->status);
1914 DEBUG(5,("_samr_query_userinfo: %d\n", __LINE__));
1919 /*******************************************************************
1920 samr_reply_query_usergroups
1921 ********************************************************************/
1923 NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u)
1925 SAM_ACCOUNT *sam_pass=NULL;
1927 DOM_GID *gids = NULL;
1933 * from the SID in the request:
1934 * we should send back the list of DOMAIN GROUPS
1935 * the user is a member of
1937 * and only the DOMAIN GROUPS
1938 * no ALIASES !!! neither aliases of the domain
1939 * nor aliases of the builtin SID
1944 r_u->status = NT_STATUS_OK;
1946 DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__));
1948 /* find the policy handle. open a policy on it. */
1949 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted))
1950 return NT_STATUS_INVALID_HANDLE;
1952 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_USER_GET_GROUPS, "_samr_query_usergroups"))) {
1956 if (!sid_check_is_in_our_domain(&sid))
1957 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1959 pdb_init_sam(&sam_pass);
1962 ret = pdb_getsampwsid(sam_pass, &sid);
1966 pdb_free_sam(&sam_pass);
1967 return NT_STATUS_NO_SUCH_USER;
1970 if(!get_domain_user_groups(p->mem_ctx, &num_groups, &gids, sam_pass)) {
1971 pdb_free_sam(&sam_pass);
1972 return NT_STATUS_NO_SUCH_GROUP;
1975 /* construct the response. lkclXXXX: gids are not copied! */
1976 init_samr_r_query_usergroups(r_u, num_groups, gids, r_u->status);
1978 DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__));
1980 pdb_free_sam(&sam_pass);
1985 /*******************************************************************
1986 _samr_query_dom_info
1987 ********************************************************************/
1989 NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SAMR_R_QUERY_DOMAIN_INFO *r_u)
1991 struct samr_info *info = NULL;
1993 uint32 min_pass_len,pass_hist,flag;
1994 time_t u_expire, u_min_age;
1995 NTTIME nt_expire, nt_min_age;
1997 time_t u_lock_duration, u_reset_time;
1998 NTTIME nt_lock_duration, nt_reset_time;
2004 uint32 account_policy_temp;
2006 uint32 num_users=0, num_groups=0, num_aliases=0;
2008 if ((ctr = (SAM_UNK_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL)
2009 return NT_STATUS_NO_MEMORY;
2013 r_u->status = NT_STATUS_OK;
2015 DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__));
2017 /* find the policy handle. open a policy on it. */
2018 if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info))
2019 return NT_STATUS_INVALID_HANDLE;
2021 switch (q_u->switch_value) {
2024 account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp);
2025 min_pass_len = account_policy_temp;
2027 account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp);
2028 pass_hist = account_policy_temp;
2030 account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
2031 flag = account_policy_temp;
2033 account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp);
2034 u_expire = account_policy_temp;
2036 account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp);
2037 u_min_age = account_policy_temp;
2039 unix_to_nt_time_abs(&nt_expire, u_expire);
2040 unix_to_nt_time_abs(&nt_min_age, u_min_age);
2042 init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist,
2043 flag, nt_expire, nt_min_age);
2047 r_u->status=load_sampwd_entries(info, ACB_NORMAL, False);
2049 if (!NT_STATUS_IS_OK(r_u->status)) {
2050 DEBUG(5, ("_samr_query_dispinfo: load_sampwd_entries failed\n"));
2053 num_users=info->disp_info.num_user_account;
2056 r_u->status=load_group_domain_entries(info, get_global_sam_sid());
2057 if (!NT_STATUS_IS_OK(r_u->status)) {
2058 DEBUG(5, ("_samr_query_dispinfo: load_group_domain_entries failed\n"));
2061 num_groups=info->disp_info.num_group_account;
2064 /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */
2065 init_unk_info2(&ctr->info.inf2, lp_workgroup(), global_myname(), (uint32) time(NULL),
2066 num_users, num_groups, num_aliases);
2069 account_policy_get(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout);
2070 unix_to_nt_time_abs(&nt_logout, u_logout);
2072 init_unk_info3(&ctr->info.inf3, nt_logout);
2075 init_unk_info5(&ctr->info.inf5, global_myname());
2078 init_unk_info6(&ctr->info.inf6);
2081 init_unk_info7(&ctr->info.inf7);
2084 account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
2085 u_lock_duration = account_policy_temp * 60;
2087 account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp);
2088 u_reset_time = account_policy_temp * 60;
2090 account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
2091 lockout = account_policy_temp;
2093 unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
2094 unix_to_nt_time_abs(&nt_reset_time, u_reset_time);
2096 init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout);
2099 return NT_STATUS_INVALID_INFO_CLASS;
2102 init_samr_r_query_dom_info(r_u, q_u->switch_value, ctr, NT_STATUS_OK);
2104 DEBUG(5,("_samr_query_dom_info: %d\n", __LINE__));
2109 /*******************************************************************
2111 Create an account, can be either a normal user or a machine.
2112 This funcion will need to be updated for bdc/domain trusts.
2113 ********************************************************************/
2115 NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREATE_USER *r_u)
2117 SAM_ACCOUNT *sam_pass=NULL;
2121 POLICY_HND dom_pol = q_u->domain_pol;
2122 UNISTR2 user_account = q_u->uni_name;
2123 uint16 acb_info = q_u->acb_info;
2124 POLICY_HND *user_pol = &r_u->user_pol;
2125 struct samr_info *info = NULL;
2133 /* check this, when giving away 'add computer to domain' privs */
2134 uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
2136 /* Get the domain SID stored in the domain policy */
2137 if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted))
2138 return NT_STATUS_INVALID_HANDLE;
2140 if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_USER, "_samr_create_user"))) {
2141 if (NT_STATUS_IS_OK(user_has_privilege(&(p->pipe_user), SE_MACHINE_ACCOUNT))) {
2142 DEBUG(3, ("_samr_create_user: User should be denied access but was overridden by %s\n", privs[SE_MACHINE_ACCOUNT].priv));
2144 if (NT_STATUS_IS_OK(user_has_privilege(&(p->pipe_user), SE_ADD_USERS))) {
2145 DEBUG(3, ("_samr_create_user: User should be denied access but was overridden by %s\n", privs[SE_ADD_USERS].priv));
2152 if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST || acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
2153 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
2154 this parameter is not an account type */
2155 return NT_STATUS_INVALID_PARAMETER;
2158 /* find the account: tell the caller if it exists.
2159 lkclXXXX i have *no* idea if this is a problem or not
2160 or even if you are supposed to construct a different
2161 reply if the account already exists...
2164 rpcstr_pull(account, user_account.buffer, sizeof(account), user_account.uni_str_len*2, 0);
2165 strlower_m(account);
2167 pdb_init_sam(&sam_pass);
2170 ret = pdb_getsampwnam(sam_pass, account);
2173 /* this account exists: say so */
2174 pdb_free_sam(&sam_pass);
2175 return NT_STATUS_USER_EXISTS;
2178 pdb_free_sam(&sam_pass);
2181 * NB. VERY IMPORTANT ! This call must be done as the current pipe user,
2182 * *NOT* surrounded by a become_root()/unbecome_root() call. This ensures
2183 * that only people with write access to the smbpasswd file will be able
2184 * to create a user. JRA.
2188 * add the user in the /etc/passwd file or the unix authority system.
2189 * We don't check if the smb_create_user() function succed or not for 2 reasons:
2190 * a) local_password_change() checks for us if the /etc/passwd account really exists
2191 * b) smb_create_user() would return an error if the account already exists
2192 * and as it could return an error also if it can't create the account, it would be tricky.
2194 * So we go the easy way, only check after if the account exists.
2195 * JFM (2/3/2001), to clear any possible bad understanding (-:
2197 * We now have seperate script paramaters for adding users/machines so we
2198 * now have some sainity-checking to match.
2201 DEBUG(10,("checking account %s at pos %lu for $ termination\n",account, (unsigned long)strlen(account)-1));
2204 * we used to have code here that made sure the acb_info flags
2205 * matched with the users named (e.g. an account flags as a machine
2206 * trust account ended in '$'). It has been ifdef'd out for a long
2207 * time, so I replaced it with this comment. --jerry
2210 /* the passdb lookup has failed; check to see if we need to run the
2211 add user/machine script */
2214 * we can't check both the ending $ and the acb_info.
2216 * UserManager creates trust accounts (ending in $,
2217 * normal that hidden accounts) with the acb_info equals to ACB_NORMAL.
2220 if (account[strlen(account)-1] == '$') {
2221 if (NT_STATUS_IS_OK(user_has_privilege(&(p->pipe_user), SE_MACHINE_ACCOUNT)) || geteuid() == 0) {
2222 DEBUG(3, ("user [%s] has been granted Add Machines privilege!\n", p->user_name));
2224 pstrcpy(add_script, lp_addmachine_script());
2226 DEBUG(3, ("user [%s] doesn't have Add Machines privilege!\n", p->user_name));
2227 return NT_STATUS_ACCESS_DENIED;
2230 if (NT_STATUS_IS_OK(user_has_privilege(&(p->pipe_user), SE_ADD_USERS)) || geteuid() == 0) {
2231 DEBUG(3, ("user [%s] has been granted Add Users privilege!\n", p->user_name));
2233 pstrcpy(add_script, lp_adduser_script());
2235 DEBUG(3, ("user [%s] doesn't have Add Users privilege!\n", p->user_name));
2236 return NT_STATUS_ACCESS_DENIED;
2240 pw = Get_Pwnam(account);
2242 /*********************************************************************
2243 * HEADS UP! If we have to create a new user account, we have to get
2244 * a new RID from somewhere. This used to be done by the passdb
2245 * backend. It has been moved into idmap now. Since idmap is now
2246 * wrapped up behind winbind, this means you have to run winbindd if you
2247 * want new accounts to get a new RID when "enable rid algorithm = no".
2248 * Tough. We now have a uniform way of allocating RIDs regardless
2249 * of what ever passdb backend people may use.
2250 * --jerry (2003-07-10)
2251 *********************************************************************/
2257 all_string_sub(add_script, "%u", account, sizeof(account));
2258 add_ret = smbrun(add_script,NULL);
2259 DEBUG(3,("_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret));
2261 else /* no add user script -- ask winbindd to do it */
2263 if (!winbind_create_user(account, &new_rid)) {
2264 DEBUG(3,("_samr_create_user: winbind_create_user(%s) failed\n",
2271 /* implicit call to getpwnam() next. we have a valid SID coming out of this call */
2273 if ( !NT_STATUS_IS_OK(nt_status = pdb_init_sam_new(&sam_pass, account, new_rid)) )
2276 pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
2278 if (!pdb_add_sam_account(sam_pass)) {
2279 pdb_free_sam(&sam_pass);
2280 DEBUG(0, ("could not add user/computer %s to passdb !?\n",
2282 nt_status = NT_STATUS_ACCESS_DENIED;
2286 /* Get the user's SID */
2287 sid_copy(&sid, pdb_get_user_sid(sam_pass));
2289 samr_make_usr_obj_sd(p->mem_ctx, &psd, &sd_size, &sid);
2290 se_map_generic(&des_access, &usr_generic_mapping);
2291 if (!NT_STATUS_IS_OK(nt_status =
2292 access_check_samr_object(psd, p->pipe_user.nt_user_token,
2293 des_access, &acc_granted, "_samr_create_user"))) {
2297 /* associate the user's SID with the new handle. */
2298 if ((info = get_samr_info_by_sid(&sid)) == NULL) {
2299 pdb_free_sam(&sam_pass);
2300 nt_status = NT_STATUS_NO_MEMORY;
2306 info->acc_granted = acc_granted;
2308 /* get a (unique) handle. open a policy on it. */
2309 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) {
2310 pdb_free_sam(&sam_pass);
2311 nt_status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
2315 r_u->user_rid=pdb_get_user_rid(sam_pass);
2317 r_u->access_granted = acc_granted;
2319 pdb_free_sam(&sam_pass);
2321 nt_status = NT_STATUS_OK;
2328 /*******************************************************************
2329 samr_reply_connect_anon
2330 ********************************************************************/
2332 NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CONNECT_ANON *r_u)
2334 struct samr_info *info = NULL;
2335 uint32 des_access = q_u->access_mask;
2339 if (!pipe_access_check(p)) {
2340 DEBUG(3, ("access denied to samr_connect_anon\n"));
2341 r_u->status = NT_STATUS_ACCESS_DENIED;
2345 /* set up the SAMR connect_anon response */
2347 r_u->status = NT_STATUS_OK;
2349 /* associate the user's SID with the new handle. */
2350 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2351 return NT_STATUS_NO_MEMORY;
2353 /* don't give away the farm but this is probably ok. The SA_RIGHT_SAM_ENUM_DOMAINS
2354 was observed from a win98 client trying to enumerate users (when configured
2355 user level access control on shares) --jerry */
2357 se_map_generic( &des_access, &sam_generic_mapping );
2358 info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN);
2360 info->status = q_u->unknown_0;
2362 /* get a (unique) handle. open a policy on it. */
2363 if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info))
2364 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2369 /*******************************************************************
2371 ********************************************************************/
2373 NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u)
2375 struct samr_info *info = NULL;
2376 SEC_DESC *psd = NULL;
2378 uint32 des_access = q_u->access_mask;
2383 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2387 if (!pipe_access_check(p)) {
2388 DEBUG(3, ("access denied to samr_connect\n"));
2389 r_u->status = NT_STATUS_ACCESS_DENIED;
2393 samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size);
2394 se_map_generic(&des_access, &sam_generic_mapping);
2395 if (!NT_STATUS_IS_OK(nt_status =
2396 access_check_samr_object(psd, p->pipe_user.nt_user_token,
2397 des_access, &acc_granted, "_samr_connect"))) {
2401 r_u->status = NT_STATUS_OK;
2403 /* associate the user's SID and access granted with the new handle. */
2404 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2405 return NT_STATUS_NO_MEMORY;
2407 info->acc_granted = acc_granted;
2408 info->status = q_u->access_mask;
2410 /* get a (unique) handle. open a policy on it. */
2411 if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info))
2412 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2414 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2419 /*******************************************************************
2421 ********************************************************************/
2423 NTSTATUS _samr_connect4(pipes_struct *p, SAMR_Q_CONNECT4 *q_u, SAMR_R_CONNECT4 *r_u)
2425 struct samr_info *info = NULL;
2426 SEC_DESC *psd = NULL;
2428 uint32 des_access = q_u->access_mask;
2433 DEBUG(5,("_samr_connect4: %d\n", __LINE__));
2437 if (!pipe_access_check(p)) {
2438 DEBUG(3, ("access denied to samr_connect4\n"));
2439 r_u->status = NT_STATUS_ACCESS_DENIED;
2443 samr_make_sam_obj_sd(p->mem_ctx, &psd, &sd_size);
2444 se_map_generic(&des_access, &sam_generic_mapping);
2445 if (!NT_STATUS_IS_OK(nt_status =
2446 access_check_samr_object(psd, p->pipe_user.nt_user_token,
2447 des_access, &acc_granted, "_samr_connect"))) {
2451 r_u->status = NT_STATUS_OK;
2453 /* associate the user's SID and access granted with the new handle. */
2454 if ((info = get_samr_info_by_sid(NULL)) == NULL)
2455 return NT_STATUS_NO_MEMORY;
2457 info->acc_granted = acc_granted;
2458 info->status = q_u->access_mask;
2460 /* get a (unique) handle. open a policy on it. */
2461 if (!create_policy_hnd(p, &r_u->connect_pol, free_samr_info, (void *)info))
2462 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2464 DEBUG(5,("_samr_connect: %d\n", __LINE__));
2469 /**********************************************************************
2470 api_samr_lookup_domain
2471 **********************************************************************/
2473 NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_LOOKUP_DOMAIN *r_u)
2475 struct samr_info *info;
2476 fstring domain_name;
2479 r_u->status = NT_STATUS_OK;
2481 if (!find_policy_by_hnd(p, &q_u->connect_pol, (void**)&info))
2482 return NT_STATUS_INVALID_HANDLE;
2484 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted,
2485 SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_lookup_domain")))
2490 rpcstr_pull(domain_name, q_u->uni_domain.buffer, sizeof(domain_name), q_u->uni_domain.uni_str_len*2, 0);
2494 if (!secrets_fetch_domain_sid(domain_name, &sid)) {
2495 r_u->status = NT_STATUS_NO_SUCH_DOMAIN;
2498 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name, sid_string_static(&sid)));
2500 init_samr_r_lookup_domain(r_u, &sid, r_u->status);
2505 /******************************************************************
2506 makes a SAMR_R_ENUM_DOMAINS structure.
2507 ********************************************************************/
2509 static BOOL make_enum_domains(TALLOC_CTX *ctx, SAM_ENTRY **pp_sam,
2510 UNISTR2 **pp_uni_name, uint32 num_sam_entries, fstring doms[])
2516 DEBUG(5, ("make_enum_domains\n"));
2519 *pp_uni_name = NULL;
2521 if (num_sam_entries == 0)
2524 sam = (SAM_ENTRY *)talloc_zero(ctx, sizeof(SAM_ENTRY)*num_sam_entries);
2525 uni_name = (UNISTR2 *)talloc_zero(ctx, sizeof(UNISTR2)*num_sam_entries);
2527 if (sam == NULL || uni_name == NULL)
2530 for (i = 0; i < num_sam_entries; i++) {
2531 init_unistr2(&uni_name[i], doms[i], UNI_FLAGS_NONE);
2532 init_sam_entry(&sam[i], &uni_name[i], 0);
2536 *pp_uni_name = uni_name;
2541 /**********************************************************************
2542 api_samr_enum_domains
2543 **********************************************************************/
2545 NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_ENUM_DOMAINS *r_u)
2547 struct samr_info *info;
2548 uint32 num_entries = 2;
2552 r_u->status = NT_STATUS_OK;
2554 if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info))
2555 return NT_STATUS_INVALID_HANDLE;
2557 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_enum_domains"))) {
2561 name = get_global_sam_name();
2563 fstrcpy(dom[0],name);
2565 fstrcpy(dom[1],"Builtin");
2567 if (!make_enum_domains(p->mem_ctx, &r_u->sam, &r_u->uni_dom_name, num_entries, dom))
2568 return NT_STATUS_NO_MEMORY;
2570 init_samr_r_enum_domains(r_u, q_u->start_idx + num_entries, num_entries);
2575 /*******************************************************************
2577 ********************************************************************/
2579 NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_ALIAS *r_u)
2582 POLICY_HND domain_pol = q_u->dom_pol;
2583 uint32 alias_rid = q_u->rid_alias;
2584 POLICY_HND *alias_pol = &r_u->pol;
2585 struct samr_info *info = NULL;
2586 SEC_DESC *psd = NULL;
2588 uint32 des_access = q_u->access_mask;
2592 r_u->status = NT_STATUS_OK;
2594 /* find the domain policy and get the SID / access bits stored in the domain policy */
2595 if (!get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted))
2596 return NT_STATUS_INVALID_HANDLE;
2598 if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_alias"))) {
2602 /* append the alias' RID to it */
2603 if (!sid_append_rid(&sid, alias_rid))
2604 return NT_STATUS_NO_SUCH_USER;
2606 /*check if access can be granted as requested by client. */
2607 samr_make_ali_obj_sd(p->mem_ctx, &psd, &sd_size);
2608 se_map_generic(&des_access,&ali_generic_mapping);
2609 if (!NT_STATUS_IS_OK(status =
2610 access_check_samr_object(psd, p->pipe_user.nt_user_token,
2611 des_access, &acc_granted, "_samr_open_alias"))) {
2616 * we should check if the rid really exist !!!
2620 /* associate the user's SID with the new handle. */
2621 if ((info = get_samr_info_by_sid(&sid)) == NULL)
2622 return NT_STATUS_NO_MEMORY;
2624 info->acc_granted = acc_granted;
2626 /* get a (unique) handle. open a policy on it. */
2627 if (!create_policy_hnd(p, alias_pol, free_samr_info, (void *)info))
2628 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2633 /*******************************************************************
2635 ********************************************************************/
2637 static BOOL set_user_info_10(const SAM_USER_INFO_10 *id10, DOM_SID *sid)
2639 SAM_ACCOUNT *pwd =NULL;
2644 ret = pdb_getsampwsid(pwd, sid);
2652 DEBUG(5, ("set_user_info_10: NULL id10\n"));
2657 /* FIX ME: check if the value is really changed --metze */
2658 if (!pdb_set_acct_ctrl(pwd, id10->acb_info, PDB_CHANGED)) {
2663 if(!pdb_update_sam_account(pwd)) {
2673 /*******************************************************************
2675 ********************************************************************/
2677 static BOOL set_user_info_12(SAM_USER_INFO_12 *id12, DOM_SID *sid)
2679 SAM_ACCOUNT *pwd = NULL;
2683 if(!pdb_getsampwsid(pwd, sid)) {
2689 DEBUG(2, ("set_user_info_12: id12 is NULL\n"));
2694 if (!pdb_set_lanman_passwd (pwd, id12->lm_pwd, PDB_CHANGED)) {
2698 if (!pdb_set_nt_passwd (pwd, id12->nt_pwd, PDB_CHANGED)) {
2702 if (!pdb_set_pass_changed_now (pwd)) {
2707 if(!pdb_update_sam_account(pwd)) {
2716 /*******************************************************************
2717 The GROUPSID field in the SAM_ACCOUNT changed. Try to tell unix.
2718 ********************************************************************/
2719 static BOOL set_unix_primary_group(SAM_ACCOUNT *sampass)
2724 if (!NT_STATUS_IS_OK(sid_to_gid(pdb_get_group_sid(sampass),
2726 DEBUG(2,("Could not get gid for primary group of "
2727 "user %s\n", pdb_get_username(sampass)));
2731 grp = getgrgid(gid);
2734 DEBUG(2,("Could not find primary group %lu for "
2735 "user %s\n", (unsigned long)gid,
2736 pdb_get_username(sampass)));
2740 if (smb_set_primary_group(grp->gr_name,
2741 pdb_get_username(sampass)) != 0) {
2742 DEBUG(2,("Could not set primary group for user %s to "
2744 pdb_get_username(sampass), grp->gr_name));
2752 /*******************************************************************
2754 ********************************************************************/
2756 static BOOL set_user_info_20(SAM_USER_INFO_20 *id20, DOM_SID *sid)
2758 SAM_ACCOUNT *pwd = NULL;
2761 DEBUG(5, ("set_user_info_20: NULL id20\n"));
2767 if (!pdb_getsampwsid(pwd, sid)) {
2772 copy_id20_to_sam_passwd(pwd, id20);
2774 /* write the change out */
2775 if(!pdb_update_sam_account(pwd)) {
2784 /*******************************************************************
2786 ********************************************************************/
2788 static BOOL set_user_info_21(SAM_USER_INFO_21 *id21, DOM_SID *sid)
2790 SAM_ACCOUNT *pwd = NULL;
2793 DEBUG(5, ("set_user_info_21: NULL id21\n"));
2799 if (!pdb_getsampwsid(pwd, sid)) {
2804 copy_id21_to_sam_passwd(pwd, id21);
2807 * The funny part about the previous two calls is
2808 * that pwd still has the password hashes from the
2809 * passdb entry. These have not been updated from
2810 * id21. I don't know if they need to be set. --jerry
2813 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID))
2814 set_unix_primary_group(pwd);
2816 /* write the change out */
2817 if(!pdb_update_sam_account(pwd)) {
2827 /*******************************************************************
2829 ********************************************************************/
2831 static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid)
2833 SAM_ACCOUNT *pwd = NULL;
2834 pstring plaintext_buf;
2839 DEBUG(5, ("set_user_info_23: NULL id23\n"));
2845 if (!pdb_getsampwsid(pwd, sid)) {
2850 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
2851 pdb_get_username(pwd)));
2853 acct_ctrl = pdb_get_acct_ctrl(pwd);
2855 if (!decode_pw_buffer((char*)id23->pass, plaintext_buf, 256, &len, STR_UNICODE)) {
2860 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
2865 copy_id23_to_sam_passwd(pwd, id23);
2867 /* if it's a trust account, don't update /etc/passwd */
2868 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
2869 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
2870 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
2871 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
2873 /* update the UNIX password */
2874 if (lp_unix_password_sync() ) {
2875 struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd));
2877 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
2880 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
2887 ZERO_STRUCT(plaintext_buf);
2889 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID))
2890 set_unix_primary_group(pwd);
2892 if(!pdb_update_sam_account(pwd)) {
2902 /*******************************************************************
2904 ********************************************************************/
2906 static BOOL set_user_info_pw(char *pass, DOM_SID *sid)
2908 SAM_ACCOUNT *pwd = NULL;
2910 pstring plaintext_buf;
2915 if (!pdb_getsampwsid(pwd, sid)) {
2920 DEBUG(5, ("Attempting administrator password change for user %s\n",
2921 pdb_get_username(pwd)));
2923 acct_ctrl = pdb_get_acct_ctrl(pwd);
2925 ZERO_STRUCT(plaintext_buf);
2927 if (!decode_pw_buffer(pass, plaintext_buf, 256, &len, STR_UNICODE)) {
2932 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
2937 /* if it's a trust account, don't update /etc/passwd */
2938 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
2939 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
2940 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
2941 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
2943 /* update the UNIX password */
2944 if (lp_unix_password_sync()) {
2945 struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd));
2947 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
2950 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
2957 ZERO_STRUCT(plaintext_buf);
2959 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
2961 /* update the SAMBA password */
2962 if(!pdb_update_sam_account(pwd)) {
2972 /*******************************************************************
2973 samr_reply_set_userinfo
2974 ********************************************************************/
2976 NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SET_USERINFO *r_u)
2979 POLICY_HND *pol = &q_u->pol;
2980 uint16 switch_value = q_u->switch_value;
2981 SAM_USERINFO_CTR *ctr = q_u->ctr;
2983 uint32 acc_required;
2985 DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__));
2987 r_u->status = NT_STATUS_OK;
2989 /* find the policy handle. open a policy on it. */
2990 if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted))
2991 return NT_STATUS_INVALID_HANDLE;
2993 acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */
2994 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) {
2998 DEBUG(5, ("_samr_set_userinfo: sid:%s, level:%d\n", sid_string_static(&sid), switch_value));
3001 DEBUG(5, ("_samr_set_userinfo: NULL info level\n"));
3002 return NT_STATUS_INVALID_INFO_CLASS;
3005 /* ok! user info levels (lots: see MSDEV help), off we go... */
3006 switch (switch_value) {
3008 if (!set_user_info_12(ctr->info.id12, &sid))
3009 return NT_STATUS_ACCESS_DENIED;
3013 if (!p->session_key.length) {
3014 return NT_STATUS_NO_USER_SESSION_KEY;
3016 SamOEMhashBlob(ctr->info.id24->pass, 516, &p->session_key);
3018 dump_data(100, (char *)ctr->info.id24->pass, 516);
3020 if (!set_user_info_pw((char *)ctr->info.id24->pass, &sid))
3021 return NT_STATUS_ACCESS_DENIED;
3027 * Currently we don't really know how to unmarshall
3028 * the level 25 struct, and the password encryption
3029 * is different. This is a placeholder for when we
3030 * do understand it. In the meantime just return INVALID
3031 * info level and W2K SP2 drops down to level 23... JRA.
3034 if (!p->session_key.length) {
3035 return NT_STATUS_NO_USER_SESSION_KEY;
3037 SamOEMhashBlob(ctr->info.id25->pass, 532, &p->session_key);
3039 dump_data(100, (char *)ctr->info.id25->pass, 532);
3041 if (!set_user_info_pw(ctr->info.id25->pass, &sid))
3042 return NT_STATUS_ACCESS_DENIED;
3045 return NT_STATUS_INVALID_INFO_CLASS;
3048 if (!p->session_key.length) {
3049 return NT_STATUS_NO_USER_SESSION_KEY;
3051 SamOEMhashBlob(ctr->info.id23->pass, 516, &p->session_key);
3053 dump_data(100, (char *)ctr->info.id23->pass, 516);
3055 if (!set_user_info_23(ctr->info.id23, &sid))
3056 return NT_STATUS_ACCESS_DENIED;
3060 return NT_STATUS_INVALID_INFO_CLASS;
3066 /*******************************************************************
3067 samr_reply_set_userinfo2
3068 ********************************************************************/
3070 NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_SET_USERINFO2 *r_u)
3073 SAM_USERINFO_CTR *ctr = q_u->ctr;
3074 POLICY_HND *pol = &q_u->pol;
3075 uint16 switch_value = q_u->switch_value;
3077 uint32 acc_required;
3079 DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__));
3081 r_u->status = NT_STATUS_OK;
3083 /* find the policy handle. open a policy on it. */
3084 if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted))
3085 return NT_STATUS_INVALID_HANDLE;
3087 acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */
3088 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo2"))) {
3092 DEBUG(5, ("samr_reply_set_userinfo2: sid:%s\n", sid_string_static(&sid)));
3095 DEBUG(5, ("samr_reply_set_userinfo2: NULL info level\n"));
3096 return NT_STATUS_INVALID_INFO_CLASS;
3099 switch_value=ctr->switch_value;
3101 /* ok! user info levels (lots: see MSDEV help), off we go... */
3102 switch (switch_value) {
3104 if (!set_user_info_21(ctr->info.id21, &sid))
3105 return NT_STATUS_ACCESS_DENIED;
3108 if (!set_user_info_20(ctr->info.id20, &sid))
3109 return NT_STATUS_ACCESS_DENIED;
3112 if (!set_user_info_10(ctr->info.id10, &sid))
3113 return NT_STATUS_ACCESS_DENIED;
3116 /* Used by AS/U JRA. */
3117 if (!set_user_info_12(ctr->info.id12, &sid))
3118 return NT_STATUS_ACCESS_DENIED;
3121 return NT_STATUS_INVALID_INFO_CLASS;
3127 /*********************************************************************
3128 _samr_query_aliasmem
3129 *********************************************************************/
3131 NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, SAMR_R_QUERY_USERALIASES *r_u)
3133 int num_groups = 0, tmp_num_groups=0;
3134 uint32 *rids=NULL, *new_rids=NULL, *tmp_rids=NULL;
3135 struct samr_info *info = NULL;
3141 /* until i see a real useraliases query, we fack one up */
3143 /* I have seen one, JFM 2/12/2001 */
3145 * Explanation of what this call does:
3146 * for all the SID given in the request:
3147 * return a list of alias (local groups)
3148 * that have those SID as members.
3150 * and that's the alias in the domain specified
3151 * in the policy_handle
3153 * if the policy handle is on an incorrect sid
3154 * for example a user's sid
3155 * we should reply NT_STATUS_OBJECT_TYPE_MISMATCH
3158 r_u->status = NT_STATUS_OK;
3160 DEBUG(5,("_samr_query_useraliases: %d\n", __LINE__));
3162 /* find the policy handle. open a policy on it. */
3163 if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
3164 return NT_STATUS_INVALID_HANDLE;
3166 ntstatus1 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases");
3167 ntstatus2 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_query_useraliases");
3169 if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
3170 if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
3171 !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {
3172 return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1;
3176 if (!sid_check_is_domain(&info->sid) &&
3177 !sid_check_is_builtin(&info->sid))
3178 return NT_STATUS_OBJECT_TYPE_MISMATCH;
3181 for (i=0; i<q_u->num_sids1; i++) {
3183 r_u->status=get_alias_user_groups(p->mem_ctx, &info->sid, &tmp_num_groups, &tmp_rids, &(q_u->sid[i].sid));
3186 * if there is an error, we just continue as
3187 * it can be an unfound user or group
3189 if (!NT_STATUS_IS_OK(r_u->status)) {
3190 DEBUG(10,("_samr_query_useraliases: an error occured while getting groups\n"));
3194 if (tmp_num_groups==0) {
3195 DEBUG(10,("_samr_query_useraliases: no groups found\n"));
3199 new_rids=(uint32 *)talloc_realloc(p->mem_ctx, rids, (num_groups+tmp_num_groups)*sizeof(uint32));
3200 if (new_rids==NULL) {
3201 DEBUG(0,("_samr_query_useraliases: could not realloc memory\n"));
3202 return NT_STATUS_NO_MEMORY;
3206 for (j=0; j<tmp_num_groups; j++)
3207 rids[j+num_groups]=tmp_rids[j];
3209 safe_free(tmp_rids);
3211 num_groups+=tmp_num_groups;
3214 init_samr_r_query_useraliases(r_u, num_groups, rids, NT_STATUS_OK);
3215 return NT_STATUS_OK;
3218 /*********************************************************************
3219 _samr_query_aliasmem
3220 *********************************************************************/
3222 NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_R_QUERY_ALIASMEM *r_u)
3234 fstring alias_sid_str;
3238 /* find the policy handle. open a policy on it. */
3239 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted))
3240 return NT_STATUS_INVALID_HANDLE;
3242 if (!NT_STATUS_IS_OK(r_u->status =
3243 access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_GET_MEMBERS, "_samr_query_aliasmem"))) {
3247 sid_copy(&als_sid, &alias_sid);
3248 sid_to_string(alias_sid_str, &alias_sid);
3249 sid_split_rid(&alias_sid, &alias_rid);
3251 DEBUG(10, ("sid is %s\n", alias_sid_str));
3253 if (sid_equal(&alias_sid, &global_sid_Builtin)) {
3254 DEBUG(10, ("lookup on Builtin SID (S-1-5-32)\n"));
3255 if(!get_builtin_group_from_sid(&als_sid, &map))
3256 return NT_STATUS_NO_SUCH_ALIAS;
3258 if (sid_equal(&alias_sid, get_global_sam_sid())) {
3259 DEBUG(10, ("lookup on Server SID\n"));
3260 if(!get_local_group_from_sid(&als_sid, &map)) {
3261 fstring alias_sid_string;
3262 DEBUG(10, ("Alias %s not found\n", sid_to_string(alias_sid_string, &als_sid)));
3263 return NT_STATUS_NO_SUCH_ALIAS;
3268 if (!get_sid_list_of_group(map.gid, &sids, &num_sids)) {
3269 fstring alias_sid_string;
3270 DEBUG(10, ("Alias %s found, but member list unavailable\n", sid_to_string(alias_sid_string, &als_sid)));
3271 return NT_STATUS_NO_SUCH_ALIAS;
3274 DEBUG(10, ("sid is %s\n", alias_sid_str));
3275 sid = (DOM_SID2 *)talloc_zero(p->mem_ctx, sizeof(DOM_SID2) * num_sids);
3276 if (num_sids!=0 && sid == NULL) {
3278 return NT_STATUS_NO_MEMORY;
3281 for (i = 0; i < num_sids; i++) {
3282 init_dom_sid2(&sid[i], &sids[i]);
3285 DEBUG(10, ("sid is %s\n", alias_sid_str));
3286 init_samr_r_query_aliasmem(r_u, num_sids, sid, NT_STATUS_OK);
3290 return NT_STATUS_OK;
3293 /*********************************************************************
3294 _samr_query_groupmem
3295 *********************************************************************/
3297 NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u)
3300 int final_num_sids = 0;
3303 fstring group_sid_str;
3313 /* find the policy handle. open a policy on it. */
3314 if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted))
3315 return NT_STATUS_INVALID_HANDLE;
3317 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_GET_MEMBERS, "_samr_query_groupmem"))) {
3321 sid_to_string(group_sid_str, &group_sid);
3322 DEBUG(10, ("sid is %s\n", group_sid_str));
3324 if (!sid_check_is_in_our_domain(&group_sid)) {
3325 DEBUG(3, ("sid %s is not in our domain\n", group_sid_str));
3326 return NT_STATUS_NO_SUCH_GROUP;
3329 DEBUG(10, ("lookup on Domain SID\n"));
3331 if(!get_domain_group_from_sid(group_sid, &map))
3332 return NT_STATUS_NO_SUCH_GROUP;
3334 if(!get_sid_list_of_group(map.gid, &sids, &num_sids))
3335 return NT_STATUS_NO_SUCH_GROUP;
3337 rid=talloc_zero(p->mem_ctx, sizeof(uint32)*num_sids);
3338 attr=talloc_zero(p->mem_ctx, sizeof(uint32)*num_sids);
3340 if (num_sids!=0 && (rid==NULL || attr==NULL))
3341 return NT_STATUS_NO_MEMORY;
3343 for (i=0; i<num_sids; i++) {
3346 if (sid_peek_check_rid(get_global_sam_sid(), &sids[i], &urid)) {
3347 rid[final_num_sids] = urid;
3348 attr[final_num_sids] = SID_NAME_USER;
3351 fstring user_sid_str, domain_sid_str;
3352 DEBUG(1, ("_samr_query_groupmem: SID %s in group %s is not in our domain %s\n",
3353 sid_to_string(user_sid_str, &sids[i]),
3354 sid_to_string(group_sid_str, &group_sid),
3355 sid_to_string(domain_sid_str, get_global_sam_sid())));
3359 init_samr_r_query_groupmem(r_u, final_num_sids, rid, attr, NT_STATUS_OK);
3361 return NT_STATUS_OK;
3364 /*********************************************************************
3366 *********************************************************************/
3368 NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_ADD_ALIASMEM *r_u)
3371 fstring alias_sid_str;
3378 SAM_ACCOUNT *sam_user = NULL;
3382 /* Find the policy handle. Open a policy on it. */
3383 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted))
3384 return NT_STATUS_INVALID_HANDLE;
3386 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_ADD_MEMBER, "_samr_add_aliasmem"))) {
3390 sid_to_string(alias_sid_str, &alias_sid);
3391 DEBUG(10, ("sid is %s\n", alias_sid_str));
3393 if (sid_compare(&alias_sid, get_global_sam_sid())>0) {
3394 DEBUG(10, ("adding member on Server SID\n"));
3395 if(!get_local_group_from_sid(&alias_sid, &map))
3396 return NT_STATUS_NO_SUCH_ALIAS;
3399 if (sid_compare(&alias_sid, &global_sid_Builtin)>0) {
3400 DEBUG(10, ("adding member on BUILTIN SID\n"));
3401 if( !get_builtin_group_from_sid(&alias_sid, &map))
3402 return NT_STATUS_NO_SUCH_ALIAS;
3405 return NT_STATUS_NO_SUCH_ALIAS;
3408 ret = pdb_init_sam(&sam_user);
3409 if (!NT_STATUS_IS_OK(ret))
3412 check = pdb_getsampwsid(sam_user, &q_u->sid.sid);
3414 if (check != True) {
3415 pdb_free_sam(&sam_user);
3416 return pdb_add_aliasmem(&alias_sid, &q_u->sid.sid) ?
3417 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
3420 /* check a real user exist before we run the script to add a user to a group */
3421 if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) {
3422 pdb_free_sam(&sam_user);
3423 return NT_STATUS_NO_SUCH_USER;
3426 pdb_free_sam(&sam_user);
3428 if ((pwd=getpwuid_alloc(uid)) == NULL) {
3429 return NT_STATUS_NO_SUCH_USER;
3432 if ((grp=getgrgid(map.gid)) == NULL) {
3434 return NT_STATUS_NO_SUCH_ALIAS;
3437 /* we need to copy the name otherwise it's overloaded in user_in_group_list */
3438 fstrcpy(grp_name, grp->gr_name);
3440 /* if the user is already in the group */
3441 if(user_in_unix_group_list(pwd->pw_name, grp_name)) {
3443 return NT_STATUS_MEMBER_IN_ALIAS;
3447 * ok, the group exist, the user exist, the user is not in the group,
3448 * we can (finally) add it to the group !
3450 smb_add_user_group(grp_name, pwd->pw_name);
3452 /* check if the user has been added then ... */
3453 if(!user_in_unix_group_list(pwd->pw_name, grp_name)) {
3455 return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */
3459 return NT_STATUS_OK;
3462 /*********************************************************************
3464 *********************************************************************/
3466 NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DEL_ALIASMEM *r_u)
3469 fstring alias_sid_str;
3473 SAM_ACCOUNT *sam_pass=NULL;
3476 /* Find the policy handle. Open a policy on it. */
3477 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted))
3478 return NT_STATUS_INVALID_HANDLE;
3480 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_REMOVE_MEMBER, "_samr_del_aliasmem"))) {
3484 sid_to_string(alias_sid_str, &alias_sid);
3485 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n", alias_sid_str));
3487 if (!sid_check_is_in_our_domain(&alias_sid) &&
3488 !sid_check_is_in_builtin(&alias_sid)) {
3489 DEBUG(10, ("_samr_del_aliasmem:invalid alias group\n"));
3490 return NT_STATUS_NO_SUCH_ALIAS;
3493 if( !get_local_group_from_sid(&alias_sid, &map) &&
3494 !get_builtin_group_from_sid(&alias_sid, &map) )
3495 return NT_STATUS_NO_SUCH_ALIAS;
3497 if ((grp=getgrgid(map.gid)) == NULL)
3498 return NT_STATUS_NO_SUCH_ALIAS;
3500 /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */
3501 fstrcpy(grp_name, grp->gr_name);
3503 /* check if the user exists before trying to remove it from the group */
3504 pdb_init_sam(&sam_pass);
3505 if(!pdb_getsampwsid(sam_pass, &q_u->sid.sid)) {
3506 DEBUG(5,("_samr_del_aliasmem:User %s doesn't exist.\n", pdb_get_username(sam_pass)));
3507 pdb_free_sam(&sam_pass);
3508 return pdb_del_aliasmem(&alias_sid, &q_u->sid.sid) ?
3509 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
3512 /* if the user is not in the group */
3513 if(!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
3514 pdb_free_sam(&sam_pass);
3515 return NT_STATUS_MEMBER_NOT_IN_ALIAS;
3518 smb_delete_user_group(grp_name, pdb_get_username(sam_pass));
3520 /* check if the user has been removed then ... */
3521 if(user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
3522 pdb_free_sam(&sam_pass);
3523 return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */
3526 pdb_free_sam(&sam_pass);
3527 return NT_STATUS_OK;
3530 /*********************************************************************
3532 *********************************************************************/
3534 NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_ADD_GROUPMEM *r_u)
3538 fstring group_sid_str;
3545 SAM_ACCOUNT *sam_user=NULL;
3549 /* Find the policy handle. Open a policy on it. */
3550 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
3551 return NT_STATUS_INVALID_HANDLE;
3553 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_ADD_MEMBER, "_samr_add_groupmem"))) {
3557 sid_to_string(group_sid_str, &group_sid);
3558 DEBUG(10, ("sid is %s\n", group_sid_str));
3560 if (sid_compare(&group_sid, get_global_sam_sid())<=0)
3561 return NT_STATUS_NO_SUCH_GROUP;
3563 DEBUG(10, ("lookup on Domain SID\n"));
3565 if(!get_domain_group_from_sid(group_sid, &map))
3566 return NT_STATUS_NO_SUCH_GROUP;
3568 sid_copy(&user_sid, get_global_sam_sid());
3569 sid_append_rid(&user_sid, q_u->rid);
3571 ret = pdb_init_sam(&sam_user);
3572 if (!NT_STATUS_IS_OK(ret))
3575 check = pdb_getsampwsid(sam_user, &user_sid);
3577 if (check != True) {
3578 pdb_free_sam(&sam_user);
3579 return NT_STATUS_NO_SUCH_USER;
3582 /* check a real user exist before we run the script to add a user to a group */
3583 if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) {
3584 pdb_free_sam(&sam_user);
3585 return NT_STATUS_NO_SUCH_USER;
3588 pdb_free_sam(&sam_user);
3590 if ((pwd=getpwuid_alloc(uid)) == NULL) {
3591 return NT_STATUS_NO_SUCH_USER;
3594 if ((grp=getgrgid(map.gid)) == NULL) {
3596 return NT_STATUS_NO_SUCH_GROUP;
3599 /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */
3600 fstrcpy(grp_name, grp->gr_name);
3602 /* if the user is already in the group */
3603 if(user_in_unix_group_list(pwd->pw_name, grp_name)) {
3605 return NT_STATUS_MEMBER_IN_GROUP;
3609 * ok, the group exist, the user exist, the user is not in the group,
3611 * we can (finally) add it to the group !
3614 smb_add_user_group(grp_name, pwd->pw_name);
3616 /* check if the user has been added then ... */
3617 if(!user_in_unix_group_list(pwd->pw_name, grp_name)) {
3619 return NT_STATUS_MEMBER_NOT_IN_GROUP; /* don't know what to reply else */
3623 return NT_STATUS_OK;
3626 /*********************************************************************
3628 *********************************************************************/
3630 NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DEL_GROUPMEM *r_u)
3634 SAM_ACCOUNT *sam_pass=NULL;
3641 * delete the group member named q_u->rid
3642 * who is a member of the sid associated with the handle
3643 * the rid is a user's rid as the group is a domain group.
3646 /* Find the policy handle. Open a policy on it. */
3647 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
3648 return NT_STATUS_INVALID_HANDLE;
3650 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_REMOVE_MEMBER, "_samr_del_groupmem"))) {
3654 if (!sid_check_is_in_our_domain(&group_sid))
3655 return NT_STATUS_NO_SUCH_GROUP;
3657 sid_copy(&user_sid, get_global_sam_sid());
3658 sid_append_rid(&user_sid, q_u->rid);
3660 if (!get_domain_group_from_sid(group_sid, &map))
3661 return NT_STATUS_NO_SUCH_GROUP;
3663 if ((grp=getgrgid(map.gid)) == NULL)
3664 return NT_STATUS_NO_SUCH_GROUP;
3666 /* we need to copy the name otherwise it's overloaded in user_in_group_list */
3667 fstrcpy(grp_name, grp->gr_name);
3669 /* check if the user exists before trying to remove it from the group */
3670 pdb_init_sam(&sam_pass);
3671 if (!pdb_getsampwsid(sam_pass, &user_sid)) {
3672 DEBUG(5,("User %s doesn't exist.\n", pdb_get_username(sam_pass)));
3673 pdb_free_sam(&sam_pass);
3674 return NT_STATUS_NO_SUCH_USER;
3677 /* if the user is not in the group */
3678 if (!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
3679 pdb_free_sam(&sam_pass);
3680 return NT_STATUS_MEMBER_NOT_IN_GROUP;
3683 smb_delete_user_group(grp_name, pdb_get_username(sam_pass));
3685 /* check if the user has been removed then ... */
3686 if (user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
3687 pdb_free_sam(&sam_pass);
3688 return NT_STATUS_ACCESS_DENIED; /* don't know what to reply else */
3691 pdb_free_sam(&sam_pass);
3692 return NT_STATUS_OK;
3696 /****************************************************************************
3697 Delete a UNIX user on demand.
3698 ****************************************************************************/
3700 static int smb_delete_user(const char *unix_user)
3705 /* try winbindd first since it is impossible to determine where
3706 a user came from via NSS. Try the delete user script if this fails
3707 meaning the user did not exist in winbindd's list of accounts */
3709 if ( winbind_delete_user( unix_user ) ) {
3710 DEBUG(3,("winbind_delete_user: removed user (%s)\n", unix_user));
3715 /* fall back to 'delete user script' */
3717 pstrcpy(del_script, lp_deluser_script());
3720 all_string_sub(del_script, "%u", unix_user, sizeof(pstring));
3721 ret = smbrun(del_script,NULL);
3722 DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret));
3727 /*********************************************************************
3728 _samr_delete_dom_user
3729 *********************************************************************/
3731 NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAMR_R_DELETE_DOM_USER *r_u )
3734 SAM_ACCOUNT *sam_pass=NULL;
3737 DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__));
3739 /* Find the policy handle. Open a policy on it. */
3740 if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &user_sid, &acc_granted))
3741 return NT_STATUS_INVALID_HANDLE;
3743 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_user"))) {
3747 if (!sid_check_is_in_our_domain(&user_sid))
3748 return NT_STATUS_CANNOT_DELETE;
3750 /* check if the user exists before trying to delete */
3751 pdb_init_sam(&sam_pass);
3752 if(!pdb_getsampwsid(sam_pass, &user_sid)) {
3753 DEBUG(5,("_samr_delete_dom_user:User %s doesn't exist.\n",
3754 sid_string_static(&user_sid)));
3755 pdb_free_sam(&sam_pass);
3756 return NT_STATUS_NO_SUCH_USER;
3759 /* delete the unix side */
3761 * note: we don't check if the delete really happened
3762 * as the script is not necessary present
3763 * and maybe the sysadmin doesn't want to delete the unix side
3765 smb_delete_user(pdb_get_username(sam_pass));
3767 /* and delete the samba side */
3768 if (!pdb_delete_sam_account(sam_pass)) {
3769 DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", pdb_get_username(sam_pass)));
3770 pdb_free_sam(&sam_pass);
3771 return NT_STATUS_CANNOT_DELETE;
3774 pdb_free_sam(&sam_pass);
3776 if (!close_policy_hnd(p, &q_u->user_pol))
3777 return NT_STATUS_OBJECT_NAME_INVALID;
3779 return NT_STATUS_OK;
3782 /*********************************************************************
3783 _samr_delete_dom_group
3784 *********************************************************************/
3786 NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, SAMR_R_DELETE_DOM_GROUP *r_u)
3791 fstring group_sid_str;
3797 DEBUG(5, ("samr_delete_dom_group: %d\n", __LINE__));
3799 /* Find the policy handle. Open a policy on it. */
3800 if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted))
3801 return NT_STATUS_INVALID_HANDLE;
3803 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_group"))) {
3807 sid_copy(&dom_sid, &group_sid);
3808 sid_to_string(group_sid_str, &dom_sid);
3809 sid_split_rid(&dom_sid, &group_rid);
3811 DEBUG(10, ("sid is %s\n", group_sid_str));
3813 /* we check if it's our SID before deleting */
3814 if (!sid_equal(&dom_sid, get_global_sam_sid()))
3815 return NT_STATUS_NO_SUCH_GROUP;
3817 DEBUG(10, ("lookup on Domain SID\n"));
3819 if(!get_domain_group_from_sid(group_sid, &map))
3820 return NT_STATUS_NO_SUCH_GROUP;
3824 /* check if group really exists */
3825 if ( (grp=getgrgid(gid)) == NULL)
3826 return NT_STATUS_NO_SUCH_GROUP;
3828 /* delete mapping first */
3829 if(!pdb_delete_group_mapping_entry(group_sid))
3830 return NT_STATUS_ACCESS_DENIED;
3832 /* we can delete the UNIX group */
3833 smb_delete_group(grp->gr_name);
3835 /* check if the group has been successfully deleted */
3836 if ( (grp=getgrgid(gid)) != NULL)
3837 return NT_STATUS_ACCESS_DENIED;
3840 if (!close_policy_hnd(p, &q_u->group_pol))
3841 return NT_STATUS_OBJECT_NAME_INVALID;
3843 return NT_STATUS_OK;
3846 /*********************************************************************
3847 _samr_delete_dom_alias
3848 *********************************************************************/
3850 NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, SAMR_R_DELETE_DOM_ALIAS *r_u)
3855 fstring alias_sid_str;
3861 DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__));
3863 /* Find the policy handle. Open a policy on it. */
3864 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted))
3865 return NT_STATUS_INVALID_HANDLE;
3867 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_alias"))) {
3871 sid_copy(&dom_sid, &alias_sid);
3872 sid_to_string(alias_sid_str, &dom_sid);
3873 sid_split_rid(&dom_sid, &alias_rid);
3875 DEBUG(10, ("sid is %s\n", alias_sid_str));
3877 /* we check if it's our SID before deleting */
3878 if (!sid_equal(&dom_sid, get_global_sam_sid()))
3879 return NT_STATUS_NO_SUCH_ALIAS;
3881 DEBUG(10, ("lookup on Local SID\n"));
3883 if(!get_local_group_from_sid(&alias_sid, &map))
3884 return NT_STATUS_NO_SUCH_ALIAS;
3888 /* check if group really exists */
3889 if ( (grp=getgrgid(gid)) == NULL)
3890 return NT_STATUS_NO_SUCH_ALIAS;
3892 /* we can delete the UNIX group */
3893 smb_delete_group(grp->gr_name);
3895 /* check if the group has been successfully deleted */
3896 if ( (grp=getgrgid(gid)) != NULL)
3897 return NT_STATUS_ACCESS_DENIED;
3899 /* don't check if we removed it as it could be an un-mapped group */
3900 pdb_delete_group_mapping_entry(alias_sid);
3902 if (!close_policy_hnd(p, &q_u->alias_pol))
3903 return NT_STATUS_OBJECT_NAME_INVALID;
3905 return NT_STATUS_OK;
3908 /*********************************************************************
3909 _samr_create_dom_group
3910 *********************************************************************/
3912 NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, SAMR_R_CREATE_DOM_GROUP *r_u)
3919 struct samr_info *info;
3923 /* Find the policy handle. Open a policy on it. */
3924 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid, &acc_granted))
3925 return NT_STATUS_INVALID_HANDLE;
3927 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_GROUP, "_samr_create_dom_group"))) {
3931 if (!sid_equal(&dom_sid, get_global_sam_sid()))
3932 return NT_STATUS_ACCESS_DENIED;
3934 /* TODO: check if allowed to create group and add a become_root/unbecome_root pair.*/
3936 unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1);
3938 /* check if group already exist */
3939 if ((grp=getgrnam(name)) != NULL)
3940 return NT_STATUS_GROUP_EXISTS;
3942 /* we can create the UNIX group */
3943 if (smb_create_group(name, &gid) != 0)
3944 return NT_STATUS_ACCESS_DENIED;
3946 /* check if the group has been successfully created */
3947 if ((grp=getgrgid(gid)) == NULL)
3948 return NT_STATUS_ACCESS_DENIED;
3950 r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);
3952 /* add the group to the mapping table */
3953 sid_copy(&info_sid, get_global_sam_sid());
3954 sid_append_rid(&info_sid, r_u->rid);
3955 sid_to_string(sid_string, &info_sid);
3957 if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL))
3958 return NT_STATUS_ACCESS_DENIED;
3960 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
3961 return NT_STATUS_NO_MEMORY;
3963 /* get a (unique) handle. open a policy on it. */
3964 if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info))
3965 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3967 return NT_STATUS_OK;
3970 /*********************************************************************
3971 _samr_create_dom_alias
3972 *********************************************************************/
3974 NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, SAMR_R_CREATE_DOM_ALIAS *r_u)
3981 struct samr_info *info;
3985 /* Find the policy handle. Open a policy on it. */
3986 if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted))
3987 return NT_STATUS_INVALID_HANDLE;
3989 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_ALIAS, "_samr_create_alias"))) {
3993 if (!sid_equal(&dom_sid, get_global_sam_sid()))
3994 return NT_STATUS_ACCESS_DENIED;
3996 /* TODO: check if allowed to create group and add a become_root/unbecome_root pair.*/
3998 unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1);
4000 /* check if group already exists */
4001 if ( (grp=getgrnam(name)) != NULL)
4002 return NT_STATUS_GROUP_EXISTS;
4004 /* we can create the UNIX group */
4005 if (smb_create_group(name, &gid) != 0)
4006 return NT_STATUS_ACCESS_DENIED;
4008 /* check if the group has been successfully created */
4009 if ((grp=getgrgid(gid)) == NULL)
4010 return NT_STATUS_ACCESS_DENIED;
4012 r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);
4014 sid_copy(&info_sid, get_global_sam_sid());
4015 sid_append_rid(&info_sid, r_u->rid);
4016 sid_to_string(sid_string, &info_sid);
4018 /* add the group to the mapping table */
4019 if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, name, NULL))
4020 return NT_STATUS_ACCESS_DENIED;
4022 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
4023 return NT_STATUS_NO_MEMORY;
4025 /* get a (unique) handle. open a policy on it. */
4026 if (!create_policy_hnd(p, &r_u->alias_pol, free_samr_info, (void *)info))
4027 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
4029 return NT_STATUS_OK;
4032 /*********************************************************************
4033 _samr_query_groupinfo
4035 sends the name/comment pair of a domain group
4036 level 1 send also the number of users of that group
4037 *********************************************************************/
4039 NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAMR_R_QUERY_GROUPINFO *r_u)
4045 GROUP_INFO_CTR *ctr;
4049 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
4050 return NT_STATUS_INVALID_HANDLE;
4052 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_LOOKUP_INFO, "_samr_query_groupinfo"))) {
4057 ret = get_domain_group_from_sid(group_sid, &map);
4060 return NT_STATUS_INVALID_HANDLE;
4062 ctr=(GROUP_INFO_CTR *)talloc_zero(p->mem_ctx, sizeof(GROUP_INFO_CTR));
4064 return NT_STATUS_NO_MEMORY;
4066 switch (q_u->switch_level) {
4068 ctr->switch_value1 = 1;
4069 if(!get_sid_list_of_group(map.gid, &sids, &num_sids))
4070 return NT_STATUS_NO_SUCH_GROUP;
4071 init_samr_group_info1(&ctr->group.info1, map.nt_name, map.comment, num_sids);
4075 ctr->switch_value1 = 3;
4076 init_samr_group_info3(&ctr->group.info3);
4079 ctr->switch_value1 = 4;
4080 init_samr_group_info4(&ctr->group.info4, map.comment);
4083 return NT_STATUS_INVALID_INFO_CLASS;
4086 init_samr_r_query_groupinfo(r_u, ctr, NT_STATUS_OK);
4088 return NT_STATUS_OK;
4091 /*********************************************************************
4094 update a domain group's comment.
4095 *********************************************************************/
4097 NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_SET_GROUPINFO *r_u)
4101 GROUP_INFO_CTR *ctr;
4104 if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
4105 return NT_STATUS_INVALID_HANDLE;
4107 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_SET_INFO, "_samr_set_groupinfo"))) {
4111 if (!get_domain_group_from_sid(group_sid, &map))
4112 return NT_STATUS_NO_SUCH_GROUP;
4116 switch (ctr->switch_value1) {
4118 unistr2_to_ascii(map.comment, &(ctr->group.info1.uni_acct_desc), sizeof(map.comment)-1);
4121 unistr2_to_ascii(map.comment, &(ctr->group.info4.uni_acct_desc), sizeof(map.comment)-1);
4124 return NT_STATUS_INVALID_INFO_CLASS;
4127 if(!pdb_update_group_mapping_entry(&map)) {
4128 return NT_STATUS_NO_SUCH_GROUP;
4131 return NT_STATUS_OK;
4134 /*********************************************************************
4137 update an alias's comment.
4138 *********************************************************************/
4140 NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_SET_ALIASINFO *r_u)
4144 ALIAS_INFO_CTR *ctr;
4147 if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted))
4148 return NT_STATUS_INVALID_HANDLE;
4150 if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_SET_INFO, "_samr_set_aliasinfo"))) {
4154 if (!get_local_group_from_sid(&group_sid, &map) &&
4155 !get_builtin_group_from_sid(&group_sid, &map))
4156 return NT_STATUS_NO_SUCH_GROUP;
4160 switch (ctr->switch_value1) {
4162 unistr2_to_ascii(map.comment, &(ctr->alias.info3.uni_acct_desc), sizeof(map.comment)-1);
4165 return NT_STATUS_INVALID_INFO_CLASS;
4168 if(!pdb_update_group_mapping_entry(&map)) {
4169 return NT_STATUS_NO_SUCH_GROUP;
4172 return NT_STATUS_OK;
4175 /*********************************************************************
4176 _samr_get_dom_pwinfo
4177 *********************************************************************/
4179 NTSTATUS _samr_get_dom_pwinfo(pipes_struct *p, SAMR_Q_GET_DOM_PWINFO *q_u, SAMR_R_GET_DOM_PWINFO *r_u)
4181 /* Perform access check. Since this rpc does not require a
4182 policy handle it will not be caught by the access checks on
4183 SAMR_CONNECT or SAMR_CONNECT_ANON. */
4185 if (!pipe_access_check(p)) {
4186 DEBUG(3, ("access denied to samr_get_dom_pwinfo\n"));
4187 r_u->status = NT_STATUS_ACCESS_DENIED;
4191 /* Actually, returning zeros here works quite well :-). */
4193 return NT_STATUS_OK;
4196 /*********************************************************************
4198 *********************************************************************/
4200 NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_GROUP *r_u)
4205 struct samr_info *info;
4206 SEC_DESC *psd = NULL;
4208 uint32 des_access = q_u->access_mask;
4214 if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid, &acc_granted))
4215 return NT_STATUS_INVALID_HANDLE;
4217 if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_group"))) {
4221 /*check if access can be granted as requested by client. */
4222 samr_make_grp_obj_sd(p->mem_ctx, &psd, &sd_size);
4223 se_map_generic(&des_access,&grp_generic_mapping);
4224 if (!NT_STATUS_IS_OK(status =
4225 access_check_samr_object(psd, p->pipe_user.nt_user_token,
4226 des_access, &acc_granted, "_samr_open_group"))) {
4231 /* this should not be hard-coded like this */
4232 if (!sid_equal(&sid, get_global_sam_sid()))
4233 return NT_STATUS_ACCESS_DENIED;
4235 sid_copy(&info_sid, get_global_sam_sid());
4236 sid_append_rid(&info_sid, q_u->rid_group);
4237 sid_to_string(sid_string, &info_sid);
4239 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
4240 return NT_STATUS_NO_MEMORY;
4242 info->acc_granted = acc_granted;
4244 DEBUG(10, ("_samr_open_group:Opening SID: %s\n", sid_string));
4246 /* check if that group really exists */
4248 ret = get_domain_group_from_sid(info->sid, &map);
4251 return NT_STATUS_NO_SUCH_GROUP;
4253 /* get a (unique) handle. open a policy on it. */
4254 if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info))
4255 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
4257 return NT_STATUS_OK;
4260 /*********************************************************************
4261 _samr_remove_sid_foreign_domain
4262 *********************************************************************/
4264 NTSTATUS _samr_remove_sid_foreign_domain(pipes_struct *p,
4265 SAMR_Q_REMOVE_SID_FOREIGN_DOMAIN *q_u,
4266 SAMR_R_REMOVE_SID_FOREIGN_DOMAIN *r_u)
4268 DOM_SID delete_sid, alias_sid;
4269 SAM_ACCOUNT *sam_pass=NULL;
4272 BOOL is_user = False;
4274 enum SID_NAME_USE type = SID_NAME_UNKNOWN;
4276 sid_copy( &delete_sid, &q_u->sid.sid );
4278 DEBUG(5,("_samr_remove_sid_foreign_domain: removing SID [%s]\n",
4279 sid_string_static(&delete_sid)));
4281 /* Find the policy handle. Open a policy on it. */
4283 if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &alias_sid, &acc_granted))
4284 return NT_STATUS_INVALID_HANDLE;
4286 result = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS,
4287 "_samr_remove_sid_foreign_domain");
4289 if (!NT_STATUS_IS_OK(result))
4292 DEBUG(8, ("_samr_remove_sid_foreign_domain:sid is %s\n",
4293 sid_string_static(&alias_sid)));
4295 /* make sure we can handle this */
4297 if ( sid_check_is_domain(&alias_sid) )
4298 type = SID_NAME_DOM_GRP;
4299 else if ( sid_check_is_builtin(&alias_sid) )
4300 type = SID_NAME_ALIAS;
4302 if ( type == SID_NAME_UNKNOWN ) {
4303 DEBUG(10, ("_samr_remove_sid_foreign_domain: can't operate on what we don't own!\n"));
4304 return NT_STATUS_OK;
4307 /* check if the user exists before trying to delete */
4309 pdb_init_sam(&sam_pass);
4311 if ( pdb_getsampwsid(sam_pass, &delete_sid) ) {
4314 /* maybe it is a group */
4315 if( !pdb_getgrsid(&map, delete_sid) ) {
4316 DEBUG(3,("_samr_remove_sid_foreign_domain: %s is not a user or a group!\n",
4317 sid_string_static(&delete_sid)));
4318 result = NT_STATUS_INVALID_SID;
4323 /* we can only delete a user from a group since we don't have
4324 nested groups anyways. So in the latter case, just say OK */
4327 GROUP_MAP *mappings = NULL;
4331 if ( pdb_enum_group_mapping(type, &mappings, &num_groups, False) && num_groups>0 ) {
4333 /* interate over the groups */
4334 for ( i=0; i<num_groups; i++ ) {
4336 grp2 = getgrgid(mappings[i].gid);
4339 DEBUG(0,("_samr_remove_sid_foreign_domain: group mapping without UNIX group!\n"));
4343 if ( !user_in_unix_group_list(pdb_get_username(sam_pass), grp2->gr_name) )
4346 smb_delete_user_group(grp2->gr_name, pdb_get_username(sam_pass));
4348 if ( user_in_unix_group_list(pdb_get_username(sam_pass), grp2->gr_name) ) {
4349 /* should we fail here ? */
4350 DEBUG(0,("_samr_remove_sid_foreign_domain: Delete user [%s] from group [%s] failed!\n",
4351 pdb_get_username(sam_pass), grp2->gr_name ));
4355 DEBUG(10,("_samr_remove_sid_foreign_domain: Removed user [%s] from group [%s]!\n",
4356 pdb_get_username(sam_pass), grp2->gr_name ));
4359 SAFE_FREE(mappings);
4363 result = NT_STATUS_OK;
4366 pdb_free_sam(&sam_pass);
4371 /*******************************************************************
4373 ********************************************************************/
4375 NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOWN_2E *r_u)
4377 struct samr_info *info = NULL;
4379 uint32 min_pass_len,pass_hist,flag;
4380 time_t u_expire, u_min_age;
4381 NTTIME nt_expire, nt_min_age;
4383 time_t u_lock_duration, u_reset_time;
4384 NTTIME nt_lock_duration, nt_reset_time;
4390 uint32 num_users=0, num_groups=0, num_aliases=0;
4392 uint32 account_policy_temp;
4394 if ((ctr = (SAM_UNK_CTR *)talloc_zero(p->mem_ctx, sizeof(SAM_UNK_CTR))) == NULL)
4395 return NT_STATUS_NO_MEMORY;
4399 r_u->status = NT_STATUS_OK;
4401 DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__));
4403 /* find the policy handle. open a policy on it. */
4404 if (!find_policy_by_hnd(p, &q_u->domain_pol, (void **)&info))
4405 return NT_STATUS_INVALID_HANDLE;
4407 switch (q_u->switch_value) {
4409 account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp);
4410 min_pass_len = account_policy_temp;
4412 account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp);
4413 pass_hist = account_policy_temp;
4415 account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
4416 flag = account_policy_temp;
4418 account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp);
4419 u_expire = account_policy_temp;
4421 account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp);
4422 u_min_age = account_policy_temp;
4424 unix_to_nt_time_abs(&nt_expire, u_expire);
4425 unix_to_nt_time_abs(&nt_min_age, u_min_age);
4427 init_unk_info1(&ctr->info.inf1, (uint16)min_pass_len, (uint16)pass_hist,
4428 flag, nt_expire, nt_min_age);
4432 r_u->status=load_sampwd_entries(info, ACB_NORMAL, False);
4434 if (!NT_STATUS_IS_OK(r_u->status)) {
4435 DEBUG(5, ("_samr_unknown_2e: load_sampwd_entries failed\n"));
4438 num_users=info->disp_info.num_user_account;
4441 r_u->status=load_group_domain_entries(info, get_global_sam_sid());
4442 if (NT_STATUS_IS_ERR(r_u->status)) {
4443 DEBUG(5, ("_samr_unknown_2e: load_group_domain_entries failed\n"));
4446 num_groups=info->disp_info.num_group_account;
4449 /* The time call below is to get a sequence number for the sam. FIXME !!! JRA. */
4450 init_unk_info2(&ctr->info.inf2, lp_workgroup(), global_myname(), (uint32) time(NULL),
4451 num_users, num_groups, num_aliases);
4454 account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp);
4455 u_logout = account_policy_temp;
4457 unix_to_nt_time_abs(&nt_logout, u_logout);
4459 init_unk_info3(&ctr->info.inf3, nt_logout);
4462 init_unk_info5(&ctr->info.inf5, global_myname());
4465 init_unk_info6(&ctr->info.inf6);
4468 init_unk_info7(&ctr->info.inf7);
4471 account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
4472 u_lock_duration = account_policy_temp;
4474 account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp);
4475 u_reset_time = account_policy_temp;
4477 account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
4478 lockout = account_policy_temp;
4480 unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
4481 unix_to_nt_time_abs(&nt_reset_time, u_reset_time);
4483 init_unk_info12(&ctr->info.inf12, nt_lock_duration, nt_reset_time, (uint16)lockout);
4486 return NT_STATUS_INVALID_INFO_CLASS;
4489 init_samr_r_samr_unknown_2e(r_u, q_u->switch_value, ctr, NT_STATUS_OK);
4491 DEBUG(5,("_samr_unknown_2e: %d\n", __LINE__));
4496 /*******************************************************************
4498 ********************************************************************/
4500 NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R_SET_DOMAIN_INFO *r_u)
4502 time_t u_expire, u_min_age;
4504 time_t u_lock_duration, u_reset_time;
4506 r_u->status = NT_STATUS_OK;
4508 DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__));
4510 /* find the policy handle. open a policy on it. */
4511 if (!find_policy_by_hnd(p, &q_u->domain_pol, NULL))
4512 return NT_STATUS_INVALID_HANDLE;
4514 DEBUG(5,("_samr_set_dom_info: switch_value: %d\n", q_u->switch_value));
4516 switch (q_u->switch_value) {
4518 u_expire=nt_time_to_unix_abs(&q_u->ctr->info.inf1.expire);
4519 u_min_age=nt_time_to_unix_abs(&q_u->ctr->info.inf1.min_passwordage);
4521 account_policy_set(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password);
4522 account_policy_set(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history);
4523 account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag);
4524 account_policy_set(AP_MAX_PASSWORD_AGE, (int)u_expire);
4525 account_policy_set(AP_MIN_PASSWORD_AGE, (int)u_min_age);
4530 u_logout=nt_time_to_unix_abs(&q_u->ctr->info.inf3.logout);
4531 account_policy_set(AP_TIME_TO_LOGOUT, (int)u_logout);
4540 u_lock_duration=nt_time_to_unix_abs(&q_u->ctr->info.inf12.duration)/60;
4541 u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count)/60;
4543 account_policy_set(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
4544 account_policy_set(AP_RESET_COUNT_TIME, (int)u_reset_time);
4545 account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout);
4548 return NT_STATUS_INVALID_INFO_CLASS;
4551 init_samr_r_set_domain_info(r_u, NT_STATUS_OK);
4553 DEBUG(5,("_samr_set_dom_info: %d\n", __LINE__));