*/
#include "includes.h"
-#include "smbd/globals.h"
+#include "system/passwd.h"
#include "../libcli/auth/libcli_auth.h"
+#include "ntdomain.h"
#include "../librpc/gen_ndr/srv_samr.h"
#include "rpc_server/samr/srv_samr_util.h"
#include "../lib/crypto/arcfour.h"
#include "secrets.h"
#include "rpc_client/init_lsa.h"
#include "../libcli/security/security.h"
+#include "passdb.h"
+#include "auth.h"
+#include "rpc_server/srv_access_check.h"
+#include "../lib/tsocket/tsocket.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
return NT_STATUS_OK;
}
-/*******************************************************************
- Checks if access to an object should be granted, and returns that
- level of access for further checks.
-
- If the user has either of needed_priv_1 or needed_priv_2 then they
- get the rights in rights_mask in addition to any calulated rights.
-
- This handles the unusual case where we need to allow two different
- privileges to obtain exactly the same rights, which occours only in
- SAMR.
-********************************************************************/
-
-NTSTATUS access_check_object( struct security_descriptor *psd, struct security_token *token,
- enum sec_privilege needed_priv_1, enum sec_privilege needed_priv_2,
- uint32 rights_mask,
- uint32 des_access, uint32 *acc_granted,
- const char *debug )
-{
- NTSTATUS status = NT_STATUS_ACCESS_DENIED;
- uint32 saved_mask = 0;
-
- /* check privileges; certain SAM access bits should be overridden
- by privileges (mostly having to do with creating/modifying/deleting
- users and groups) */
-
- if ((needed_priv_1 != SEC_PRIV_INVALID && security_token_has_privilege(token, needed_priv_1)) ||
- (needed_priv_2 != SEC_PRIV_INVALID && security_token_has_privilege(token, needed_priv_2))) {
- saved_mask = (des_access & rights_mask);
- des_access &= ~saved_mask;
-
- DEBUG(4,("access_check_object: user rights access mask [0x%x]\n",
- rights_mask));
- }
-
-
- /* check the security descriptor first */
-
- status = se_access_check(psd, token, des_access, acc_granted);
- if (NT_STATUS_IS_OK(status)) {
- goto done;
- }
-
- /* give root a free pass */
-
- if ( geteuid() == sec_initial_uid() ) {
-
- DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
- DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
-
- *acc_granted = des_access;
-
- status = NT_STATUS_OK;
- goto done;
- }
-
-
-done:
- /* add in any bits saved during the privilege check (only
- matters is status is ok) */
-
- *acc_granted |= rights_mask;
-
- DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
- debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
- des_access, *acc_granted));
-
- return status;
-}
-
-
-/*******************************************************************
- Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
-********************************************************************/
-
-void map_max_allowed_access(const struct security_token *nt_token,
- const struct unix_user_token *unix_token,
- uint32_t *pacc_requested)
-{
- if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
- return;
- }
- *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
-
- /* At least try for generic read|execute - Everyone gets that. */
- *pacc_requested = GENERIC_READ_ACCESS|GENERIC_EXECUTE_ACCESS;
-
- /* root gets anything. */
- if (unix_token->uid == sec_initial_uid()) {
- *pacc_requested |= GENERIC_ALL_ACCESS;
- return;
- }
-
- /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
-
- if (security_token_has_sid(nt_token, &global_sid_Builtin_Administrators) ||
- security_token_has_sid(nt_token, &global_sid_Builtin_Account_Operators)) {
- *pacc_requested |= GENERIC_ALL_ACCESS;
- return;
- }
-
- /* Full access for DOMAIN\Domain Admins. */
- if ( IS_DC ) {
- struct dom_sid domadmin_sid;
- sid_compose(&domadmin_sid, get_global_sam_sid(),
- DOMAIN_RID_ADMINS);
- if (security_token_has_sid(nt_token, &domadmin_sid)) {
- *pacc_requested |= GENERIC_ALL_ACCESS;
- return;
- }
- }
- /* TODO ! Check privileges. */
-}
-
/*******************************************************************
Fetch or create a dispinfo struct.
********************************************************************/
return builtin_dispinfo;
}
- if (sid_check_is_domain(psid) || sid_check_is_in_our_domain(psid)) {
+ if (sid_check_is_our_sam(psid) || sid_check_is_in_our_domain(psid)) {
/*
* Necessary only once, but it does not really hurt.
*/
NTSTATUS _samr_OpenDomain(struct pipes_struct *p,
struct samr_OpenDomain *r)
{
- struct samr_connect_info *cinfo;
struct samr_domain_info *dinfo;
struct security_descriptor *psd = NULL;
uint32 acc_granted;
/* find the connection policy handle. */
- cinfo = policy_handle_find(p, r->in.connect_handle, 0, NULL,
+ (void)policy_handle_find(p, r->in.connect_handle, 0, NULL,
struct samr_connect_info, &status);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/*check if access can be granted as requested by client. */
- map_max_allowed_access(p->server_info->security_token,
- &p->server_info->utok,
+ map_max_allowed_access(p->session_info->security_token,
+ p->session_info->unix_token,
&des_access);
make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
* Users with SeAddUser get the ability to manipulate groups
* and aliases.
*/
- if (security_token_has_privilege(p->server_info->security_token, SEC_PRIV_ADD_USERS)) {
+ if (security_token_has_privilege(p->session_info->security_token, SEC_PRIV_ADD_USERS)) {
extra_access |= (SAMR_DOMAIN_ACCESS_CREATE_GROUP |
SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
* SAMR_DOMAIN_ACCESS_CREATE_USER access.
*/
- status = access_check_object( psd, p->server_info->security_token,
+ status = access_check_object( psd, p->session_info->security_token,
SEC_PRIV_MACHINE_ACCOUNT, SEC_PRIV_ADD_USERS,
extra_access, des_access,
&acc_granted, "_samr_OpenDomain" );
if ( !NT_STATUS_IS_OK(status) )
return status;
- if (!sid_check_is_domain(r->in.sid) &&
+ if (!sid_check_is_our_sam(r->in.sid) &&
!sid_check_is_builtin(r->in.sid)) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
NTSTATUS _samr_QuerySecurity(struct pipes_struct *p,
struct samr_QuerySecurity *r)
{
- struct samr_connect_info *cinfo;
struct samr_domain_info *dinfo;
struct samr_user_info *uinfo;
struct samr_group_info *ginfo;
struct security_descriptor * psd = NULL;
size_t sd_size = 0;
- cinfo = policy_handle_find(p, r->in.handle,
+ (void)policy_handle_find(p, r->in.handle,
SEC_STD_READ_CONTROL, NULL,
struct samr_connect_info, &status);
if (NT_STATUS_IS_OK(status)) {
return NT_STATUS_OK;
}
- sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_entries);
+ sam = talloc_zero_array(ctx, struct samr_SamEntry, num_entries);
if (sam == NULL) {
DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
return NT_STATUS_NO_MEMORY;
return status;
}
- samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
+ samr_array = talloc_zero(p->mem_ctx, struct samr_SamArray);
if (!samr_array) {
return NT_STATUS_NO_MEMORY;
}
return;
}
- sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_sam_entries);
+ sam = talloc_zero_array(ctx, struct samr_SamEntry, num_sam_entries);
if (sam == NULL) {
return;
}
DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
- samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
+ samr_array = talloc_zero(p->mem_ctx, struct samr_SamArray);
if (!samr_array) {
return NT_STATUS_NO_MEMORY;
}
DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
sid_string_dbg(&dinfo->sid)));
- samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
+ samr_array = talloc_zero(p->mem_ctx, struct samr_SamArray);
if (!samr_array) {
return NT_STATUS_NO_MEMORY;
}
r->count = num_entries;
- r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryGeneral, num_entries);
+ r->entries = talloc_zero_array(ctx, struct samr_DispEntryGeneral, num_entries);
if (!r->entries) {
return NT_STATUS_NO_MEMORY;
}
r->count = num_entries;
- r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFull, num_entries);
+ r->entries = talloc_zero_array(ctx, struct samr_DispEntryFull, num_entries);
if (!r->entries) {
return NT_STATUS_NO_MEMORY;
}
r->count = num_entries;
- r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFullGroup, num_entries);
+ r->entries = talloc_zero_array(ctx, struct samr_DispEntryFullGroup, num_entries);
if (!r->entries) {
return NT_STATUS_NO_MEMORY;
}
r->count = num_entries;
- r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
+ r->entries = talloc_zero_array(ctx, struct samr_DispEntryAscii, num_entries);
if (!r->entries) {
return NT_STATUS_NO_MEMORY;
}
r->count = num_entries;
- r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
+ r->entries = talloc_zero_array(ctx, struct samr_DispEntryAscii, num_entries);
if (!r->entries) {
return NT_STATUS_NO_MEMORY;
}
struct samr_QueryAliasInfo *r)
{
struct samr_alias_info *ainfo;
- struct acct_info info;
+ struct acct_info *info;
NTSTATUS status;
union samr_AliasInfo *alias_info = NULL;
const char *alias_name = NULL;
return status;
}
- alias_info = TALLOC_ZERO_P(p->mem_ctx, union samr_AliasInfo);
+ alias_info = talloc_zero(p->mem_ctx, union samr_AliasInfo);
if (!alias_info) {
return NT_STATUS_NO_MEMORY;
}
+ info = talloc_zero(p->mem_ctx, struct acct_info);
+ if (!info) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
become_root();
- status = pdb_get_aliasinfo(&ainfo->sid, &info);
+ status = pdb_get_aliasinfo(&ainfo->sid, info);
unbecome_root();
- if ( !NT_STATUS_IS_OK(status))
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(info);
return status;
+ }
- /* FIXME: info contains fstrings */
- alias_name = talloc_strdup(r, info.acct_name);
- alias_description = talloc_strdup(r, info.acct_desc);
+ alias_name = talloc_steal(r, info->acct_name);
+ alias_description = talloc_steal(r, info->acct_desc);
+ TALLOC_FREE(info);
switch (r->in.level) {
case ALIASINFOALL:
{
NTSTATUS status;
char *user_name = NULL;
- fstring wks;
+ char *rhost;
+ const char *wks = NULL;
DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
if (!r->in.account->string) {
return NT_STATUS_INVALID_PARAMETER;
}
- fstrcpy(wks, r->in.server->string);
+ if (r->in.server && r->in.server->string) {
+ wks = r->in.server->string;
+ }
DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
return NT_STATUS_NO_MEMORY;
}
+ rhost = tsocket_address_inet_addr_string(p->remote_address,
+ talloc_tos());
+ if (rhost == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
/*
* UNIX username case mangling not required, pass_oem_change
* is case insensitive.
*/
status = pass_oem_change(user_name,
- p->client_id->name,
+ rhost,
r->in.lm_password->data,
r->in.lm_verifier->hash,
r->in.nt_password->data,
NTSTATUS status;
char *user_name = NULL;
const char *wks = NULL;
+ char *rhost;
DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__));
return NT_STATUS_INVALID_PARAMETER;
}
+ rhost = tsocket_address_inet_addr_string(p->remote_address,
+ talloc_tos());
+ if (rhost == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
status = pass_oem_change(user_name,
- p->client_id->name,
+ rhost,
r->in.password->data,
r->in.hash->hash,
0,
struct samr_DomInfo1 *dominfo = NULL;
struct userPwdChangeFailureInformation *reject = NULL;
uint32_t tmp;
+ char *rhost;
DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
return NT_STATUS_NO_MEMORY;
}
+ rhost = tsocket_address_inet_addr_string(p->remote_address,
+ talloc_tos());
+ if (rhost == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
/*
* UNIX username case mangling not required, pass_oem_change
* is case insensitive.
*/
status = pass_oem_change(user_name,
- p->client_id->name,
+ rhost,
r->in.lm_password->data,
r->in.lm_verifier->hash,
r->in.nt_password->data,
time_t u_expire, u_min_age;
uint32 account_policy_temp;
- dominfo = TALLOC_ZERO_P(p->mem_ctx, struct samr_DomInfo1);
+ dominfo = talloc_zero(p->mem_ctx, struct samr_DomInfo1);
if (!dominfo) {
return NT_STATUS_NO_MEMORY;
}
- reject = TALLOC_ZERO_P(p->mem_ctx,
+ reject = talloc_zero(p->mem_ctx,
struct userPwdChangeFailureInformation);
if (!reject) {
return NT_STATUS_NO_MEMORY;
*lsa_name_array_p = NULL;
if (num_names != 0) {
- lsa_name_array = TALLOC_ZERO_ARRAY(ctx, struct lsa_String, num_names);
+ lsa_name_array = talloc_zero_array(ctx, struct lsa_String, num_names);
if (!lsa_name_array) {
return false;
}
}
if (num_rids) {
- names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
- attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum lsa_SidType, num_rids);
- wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
+ names = talloc_zero_array(p->mem_ctx, const char *, num_rids);
+ attrs = talloc_zero_array(p->mem_ctx, enum lsa_SidType, num_rids);
+ wire_attrs = talloc_zero_array(p->mem_ctx, uint32, num_rids);
if ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))
return NT_STATUS_NO_MEMORY;
return NT_STATUS_NO_SUCH_USER;
/* check if access can be granted as requested by client. */
- map_max_allowed_access(p->server_info->security_token,
- &p->server_info->utok,
+ map_max_allowed_access(p->session_info->security_token,
+ p->session_info->unix_token,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
* DOMAIN_RID_ADMINS.
*/
if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
- if (lp_enable_privileges() && nt_token_check_domain_rid(p->server_info->security_token,
+ if (lp_enable_privileges() && nt_token_check_domain_rid(p->session_info->security_token,
DOMAIN_RID_ADMINS)) {
des_access &= ~GENERIC_RIGHTS_USER_WRITE;
extra_access = GENERIC_RIGHTS_USER_WRITE;
TALLOC_FREE(sampass);
- nt_status = access_check_object(psd, p->server_info->security_token,
+ nt_status = access_check_object(psd, p->session_info->security_token,
needed_priv_1, needed_priv_2,
GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_OpenUser");
return NT_STATUS_INVALID_PARAMETER;
}
- r = TALLOC_ZERO_P(mem_ctx, struct lsa_BinaryString);
+ r = talloc_zero(mem_ctx, struct lsa_BinaryString);
if (!r) {
return NT_STATUS_NO_MEMORY;
}
- r->array = TALLOC_ZERO_ARRAY(mem_ctx, uint16_t, blob->length/2);
+ r->array = talloc_zero_array(mem_ctx, uint16_t, blob->length/2);
if (!r->array) {
return NT_STATUS_NO_MEMORY;
}
ZERO_STRUCTP(r);
- if (p->server_info->system) {
+ if (security_token_is_system(p->session_info->security_token)) {
goto query;
}
unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw));
must_change_time = pdb_get_pass_must_change_time(pw);
- if (must_change_time == get_time_t_max()) {
+ if (pdb_is_password_change_time_max(must_change_time)) {
unix_to_nt_time_abs(&force_password_change, must_change_time);
} else {
unix_to_nt_time(&force_password_change, must_change_time);
DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
sid_string_dbg(&uinfo->sid)));
- user_info = TALLOC_ZERO_P(p->mem_ctx, union samr_UserInfo);
+ user_info = talloc_zero(p->mem_ctx, union samr_UserInfo);
if (!user_info) {
return NT_STATUS_NO_MEMORY;
}
struct samr_RidWithAttribute dom_gid;
struct samr_RidWithAttribute *gids = NULL;
uint32 primary_group_rid;
- size_t num_groups = 0;
+ uint32_t num_groups = 0;
gid_t *unix_gids;
- size_t i, num_gids;
+ uint32_t i, num_gids;
bool ret;
NTSTATUS result;
bool success = False;
return result;
}
- rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidWithAttributeArray);
+ rids = talloc_zero(p->mem_ctx, struct samr_RidWithAttributeArray);
if (!rids) {
return NT_STATUS_NO_MEMORY;
}
r->oem_information.string = lp_serverstring();
r->domain_name.string = lp_workgroup();
- r->primary.string = global_myname();
+ r->primary.string = lp_netbios_name();
r->sequence_num = seq_num;
r->domain_server_state = DOMAIN_SERVER_ENABLED;
r->role = (enum samr_Role) samr_get_server_role();
/* NT returns its own name when a PDC. win2k and later
* only the name of the PDC if itself is a BDC (samba4
* idl) */
- r->primary.string = global_myname();
+ r->primary.string = lp_netbios_name();
return NT_STATUS_OK;
}
return status;
}
- dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo);
+ dom_info = talloc_zero(p->mem_ctx, union samr_DomainInfo);
if (!dom_info) {
return NT_STATUS_NO_MEMORY;
}
can_add_account = true;
} else if (acb_info & ACB_WSTRUST) {
needed_priv = SEC_PRIV_MACHINE_ACCOUNT;
- can_add_account = security_token_has_privilege(p->server_info->security_token, SEC_PRIV_MACHINE_ACCOUNT);
+ can_add_account = security_token_has_privilege(p->session_info->security_token, SEC_PRIV_MACHINE_ACCOUNT);
} else if (acb_info & ACB_NORMAL &&
(account[strlen(account)-1] != '$')) {
/* usrmgr.exe (and net rpc trustdom grant) creates a normal user
account for domain trusts and changes the ACB flags later */
needed_priv = SEC_PRIV_ADD_USERS;
- can_add_account = security_token_has_privilege(p->server_info->security_token, SEC_PRIV_ADD_USERS);
+ can_add_account = security_token_has_privilege(p->session_info->security_token, SEC_PRIV_ADD_USERS);
} else if (lp_enable_privileges()) {
/* implicit assumption of a BDC or domain trust account here
* (we already check the flags earlier) */
/* only Domain Admins can add a BDC or domain trust */
can_add_account = nt_token_check_domain_rid(
- p->server_info->security_token,
+ p->session_info->security_token,
DOMAIN_RID_ADMINS );
}
DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
- uidtoname(p->server_info->utok.uid),
+ uidtoname(p->session_info->unix_token->uid),
can_add_account ? "True":"False" ));
if (!can_add_account) {
sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
- map_max_allowed_access(p->server_info->security_token,
- &p->server_info->utok,
+ map_max_allowed_access(p->session_info->security_token,
+ p->session_info->unix_token,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
* just assume we have all the rights we need ?
*/
- nt_status = access_check_object(psd, p->server_info->security_token,
+ nt_status = access_check_object(psd, p->session_info->security_token,
needed_priv, SEC_PRIV_INVALID,
GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_CreateUser2");
NTSTATUS _samr_Connect(struct pipes_struct *p,
struct samr_Connect *r)
{
- struct samr_connect_info *info;
uint32_t acc_granted;
struct policy_handle hnd;
uint32 des_access = r->in.access_mask;
was observed from a win98 client trying to enumerate users (when configured
user level access control on shares) --jerry */
- map_max_allowed_access(p->server_info->security_token,
- &p->server_info->utok,
+ map_max_allowed_access(p->session_info->security_token,
+ p->session_info->unix_token,
&des_access);
se_map_generic( &des_access, &sam_generic_mapping );
/* set up the SAMR connect_anon response */
- info = policy_handle_create(p, &hnd, acc_granted,
+ (void)policy_handle_create(p, &hnd, acc_granted,
struct samr_connect_info,
&status);
if (!NT_STATUS_IS_OK(status)) {
NTSTATUS _samr_Connect2(struct pipes_struct *p,
struct samr_Connect2 *r)
{
- struct samr_connect_info *info = NULL;
struct policy_handle hnd;
struct security_descriptor *psd = NULL;
uint32 acc_granted;
return NT_STATUS_ACCESS_DENIED;
}
- map_max_allowed_access(p->server_info->security_token,
- &p->server_info->utok,
+ map_max_allowed_access(p->session_info->security_token,
+ p->session_info->unix_token,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
se_map_generic(&des_access, &sam_generic_mapping);
- nt_status = access_check_object(psd, p->server_info->security_token,
+ nt_status = access_check_object(psd, p->session_info->security_token,
SEC_PRIV_INVALID, SEC_PRIV_INVALID,
0, des_access, &acc_granted, fn);
if ( !NT_STATUS_IS_OK(nt_status) )
return nt_status;
- info = policy_handle_create(p, &hnd, acc_granted,
+ (void)policy_handle_create(p, &hnd, acc_granted,
struct samr_connect_info, &nt_status);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
struct samr_LookupDomain *r)
{
NTSTATUS status;
- struct samr_connect_info *info;
const char *domain_name;
struct dom_sid *sid = NULL;
/* win9x user manager likes to use SAMR_ACCESS_ENUM_DOMAINS here.
Reverted that change so we will work with RAS servers again */
- info = policy_handle_find(p, r->in.connect_handle,
+ (void)policy_handle_find(p, r->in.connect_handle,
SAMR_ACCESS_LOOKUP_DOMAIN, NULL,
struct samr_connect_info,
&status);
return NT_STATUS_INVALID_PARAMETER;
}
- sid = TALLOC_ZERO_P(p->mem_ctx, struct dom_sid2);
+ sid = talloc_zero(p->mem_ctx, struct dom_sid2);
if (!sid) {
return NT_STATUS_NO_MEMORY;
}
struct samr_EnumDomains *r)
{
NTSTATUS status;
- struct samr_connect_info *info;
uint32_t num_entries = 2;
struct samr_SamEntry *entry_array = NULL;
struct samr_SamArray *sam;
- info = policy_handle_find(p, r->in.connect_handle,
+ (void)policy_handle_find(p, r->in.connect_handle,
SAMR_ACCESS_ENUM_DOMAINS, NULL,
struct samr_connect_info, &status);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- sam = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
+ sam = talloc_zero(p->mem_ctx, struct samr_SamArray);
if (!sam) {
return NT_STATUS_NO_MEMORY;
}
- entry_array = TALLOC_ZERO_ARRAY(p->mem_ctx,
+ entry_array = talloc_zero_array(p->mem_ctx,
struct samr_SamEntry,
num_entries);
if (!entry_array) {
/*check if access can be granted as requested by client. */
- map_max_allowed_access(p->server_info->security_token,
- &p->server_info->utok,
+ map_max_allowed_access(p->session_info->security_token,
+ p->session_info->unix_token,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
se_map_generic(&des_access,&ali_generic_mapping);
- status = access_check_object(psd, p->server_info->security_token,
+ status = access_check_object(psd, p->session_info->security_token,
SEC_PRIV_ADD_USERS, SEC_PRIV_INVALID,
GENERIC_RIGHTS_ALIAS_ALL_ACCESS,
des_access, &acc_granted, "_samr_OpenAlias");
uint32_t acc_required = 0;
uint32_t fields = 0;
bool ret;
+ char *rhost;
+ DATA_BLOB session_key;
DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__));
return NT_STATUS_NO_SUCH_USER;
}
+ rhost = tsocket_address_inet_addr_string(p->remote_address,
+ talloc_tos());
+ if (rhost == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
/* ================ BEGIN Privilege BLOCK ================ */
become_root();
break;
case 18:
+ status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
+ if(!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
/* Used by AS/U JRA. */
status = set_user_info_18(&info->info18,
p->mem_ctx,
- &p->server_info->user_session_key,
+ &session_key,
pwd);
break;
break;
case 21:
+ status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
+ if(!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
status = set_user_info_21(&info->info21,
p->mem_ctx,
- &p->server_info->user_session_key,
+ &session_key,
pwd);
break;
case 23:
- if (!p->server_info->user_session_key.length) {
- status = NT_STATUS_NO_USER_SESSION_KEY;
- }
+ status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
arcfour_crypt_blob(info->info23.password.data, 516,
- &p->server_info->user_session_key);
+ &session_key);
dump_data(100, info->info23.password.data, 516);
status = set_user_info_23(p->mem_ctx,
&info->info23,
- p->client_id->name,
+ rhost,
pwd);
break;
case 24:
- if (!p->server_info->user_session_key.length) {
- status = NT_STATUS_NO_USER_SESSION_KEY;
- }
+ status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
arcfour_crypt_blob(info->info24.password.data,
516,
- &p->server_info->user_session_key);
+ &session_key);
dump_data(100, info->info24.password.data, 516);
status = set_user_info_24(p->mem_ctx,
- p->client_id->name,
+ rhost,
&info->info24, pwd);
break;
case 25:
- if (!p->server_info->user_session_key.length) {
- status = NT_STATUS_NO_USER_SESSION_KEY;
- }
+ status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
encode_or_decode_arc4_passwd_buffer(
info->info25.password.data,
- &p->server_info->user_session_key);
+ &session_key);
dump_data(100, info->info25.password.data, 532);
status = set_user_info_25(p->mem_ctx,
- p->client_id->name,
+ rhost,
&info->info25, pwd);
break;
case 26:
- if (!p->server_info->user_session_key.length) {
- status = NT_STATUS_NO_USER_SESSION_KEY;
- }
+ status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
encode_or_decode_arc4_passwd_buffer(
info->info26.password.data,
- &p->server_info->user_session_key);
+ &session_key);
dump_data(100, info->info26.password.data, 516);
status = set_user_info_26(p->mem_ctx,
- p->client_id->name,
+ rhost,
&info->info26, pwd);
break;
return status;
}
- if (!sid_check_is_domain(&dinfo->sid) &&
+ if (!sid_check_is_our_sam(&dinfo->sid) &&
!sid_check_is_builtin(&dinfo->sid))
return NT_STATUS_OBJECT_TYPE_MISMATCH;
if (r->in.sids->num_sids) {
- members = TALLOC_ARRAY(p->mem_ctx, struct dom_sid, r->in.sids->num_sids);
+ members = talloc_array(p->mem_ctx, struct dom_sid, r->in.sids->num_sids);
if (members == NULL)
return NT_STATUS_NO_MEMORY;
}
if (num_sids) {
- sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr, num_sids);
+ sids = talloc_zero_array(p->mem_ctx, struct lsa_SidPtr, num_sids);
if (sids == NULL) {
TALLOC_FREE(pdb_sids);
return NT_STATUS_NO_MEMORY;
return status;
}
- rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidAttrArray);
+ rids = talloc_zero(p->mem_ctx, struct samr_RidAttrArray);
if (!rids) {
return NT_STATUS_NO_MEMORY;
}
return status;
if (num_members) {
- attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members);
+ attr=talloc_zero_array(p->mem_ctx, uint32, num_members);
if (attr == NULL) {
return NT_STATUS_NO_MEMORY;
}
return status;
}
- if (!sid_check_is_domain(&dinfo->sid)) {
+ if (!sid_check_is_our_sam(&dinfo->sid)) {
return NT_STATUS_ACCESS_DENIED;
}
return result;
}
- if (!sid_check_is_domain(&dinfo->sid)) {
+ if (!sid_check_is_our_sam(&dinfo->sid)) {
return NT_STATUS_ACCESS_DENIED;
}
/* check if the group has been successfully created */
if ( getgrgid(gid) == NULL ) {
- DEBUG(10, ("getgrgid(%u) of just created alias failed\n",
+ DEBUG(1, ("getgrgid(%u) of just created alias failed\n",
(unsigned int)gid));
return NT_STATUS_ACCESS_DENIED;
}
{
struct samr_group_info *ginfo;
NTSTATUS status;
- GROUP_MAP map;
+ GROUP_MAP *map;
union samr_GroupInfo *info = NULL;
bool ret;
uint32_t attributes = SE_GROUP_MANDATORY |
return status;
}
+ map = talloc_zero(p->mem_ctx, GROUP_MAP);
+ if (!map) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
become_root();
- ret = get_domain_group_from_sid(ginfo->sid, &map);
+ ret = get_domain_group_from_sid(ginfo->sid, map);
unbecome_root();
if (!ret)
return NT_STATUS_INVALID_HANDLE;
- /* FIXME: map contains fstrings */
- group_name = talloc_strdup(r, map.nt_name);
- group_description = talloc_strdup(r, map.comment);
+ group_name = talloc_move(r, &map->nt_name);
+ group_description = talloc_move(r, &map->comment);
+
+ TALLOC_FREE(map);
- info = TALLOC_ZERO_P(p->mem_ctx, union samr_GroupInfo);
+ info = talloc_zero(p->mem_ctx, union samr_GroupInfo);
if (!info) {
return NT_STATUS_NO_MEMORY;
}
struct samr_SetGroupInfo *r)
{
struct samr_group_info *ginfo;
- GROUP_MAP map;
+ GROUP_MAP *map;
NTSTATUS status;
bool ret;
return status;
}
+ map = talloc_zero(p->mem_ctx, GROUP_MAP);
+ if (!map) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
become_root();
- ret = get_domain_group_from_sid(ginfo->sid, &map);
+ ret = get_domain_group_from_sid(ginfo->sid, map);
unbecome_root();
if (!ret)
return NT_STATUS_NO_SUCH_GROUP;
switch (r->in.level) {
case 2:
- fstrcpy(map.nt_name, r->in.info->name.string);
+ map->nt_name = talloc_strdup(map,
+ r->in.info->name.string);
+ if (!map->nt_name) {
+ return NT_STATUS_NO_MEMORY;
+ }
break;
case 3:
break;
case 4:
- fstrcpy(map.comment, r->in.info->description.string);
+ map->comment = talloc_strdup(map,
+ r->in.info->description.string);
+ if (!map->comment) {
+ return NT_STATUS_NO_MEMORY;
+ }
break;
default:
return NT_STATUS_INVALID_INFO_CLASS;
/******** BEGIN SeAddUsers BLOCK *********/
become_root();
- status = pdb_update_group_mapping_entry(&map);
+ status = pdb_update_group_mapping_entry(map);
unbecome_root();
/******** End SeAddUsers BLOCK *********/
+ TALLOC_FREE(map);
+
if (NT_STATUS_IS_OK(status)) {
force_flush_samr_cache(&ginfo->sid);
}
struct samr_SetAliasInfo *r)
{
struct samr_alias_info *ainfo;
- struct acct_info info;
+ struct acct_info *info;
NTSTATUS status;
ainfo = policy_handle_find(p, r->in.alias_handle,
return status;
}
+ info = talloc_zero(p->mem_ctx, struct acct_info);
+ if (!info) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
/* get the current group information */
become_root();
- status = pdb_get_aliasinfo( &ainfo->sid, &info );
+ status = pdb_get_aliasinfo(&ainfo->sid, info);
unbecome_root();
if ( !NT_STATUS_IS_OK(status))
switch (r->in.level) {
case ALIASINFONAME:
{
- fstring group_name;
+ char *group_name;
/* We currently do not support renaming groups in the
the BUILTIN domain. Refer to util_builtin.c to understand
/* If the name is the same just reply "ok". Yes this
doesn't allow you to change the case of a group name. */
- if ( strequal( r->in.info->name.string, info.acct_name ) )
+ if (strequal(r->in.info->name.string, info->acct_name)) {
return NT_STATUS_OK;
+ }
- fstrcpy( info.acct_name, r->in.info->name.string);
+ talloc_free(info->acct_name);
+ info->acct_name = talloc_strdup(info, r->in.info->name.string);
+ if (!info->acct_name) {
+ return NT_STATUS_NO_MEMORY;
+ }
/* make sure the name doesn't already exist as a user
or local group */
- fstr_sprintf( group_name, "%s\\%s", global_myname(), info.acct_name );
+ group_name = talloc_asprintf(p->mem_ctx,
+ "%s\\%s",
+ lp_netbios_name(),
+ info->acct_name);
+ if (group_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
status = can_create( p->mem_ctx, group_name );
+ talloc_free(group_name);
if ( !NT_STATUS_IS_OK( status ) )
return status;
break;
}
case ALIASINFODESCRIPTION:
+ TALLOC_FREE(info->acct_desc);
if (r->in.info->description.string) {
- fstrcpy(info.acct_desc,
- r->in.info->description.string);
+ info->acct_desc = talloc_strdup(info,
+ r->in.info->description.string);
} else {
- fstrcpy( info.acct_desc, "" );
+ info->acct_desc = talloc_strdup(info, "");
+ }
+ if (!info->acct_desc) {
+ return NT_STATUS_NO_MEMORY;
}
break;
default:
/******** BEGIN SeAddUsers BLOCK *********/
become_root();
- status = pdb_set_aliasinfo( &ainfo->sid, &info );
+ status = pdb_set_aliasinfo(&ainfo->sid, info);
unbecome_root();
/******** End SeAddUsers BLOCK *********/
{
struct dom_sid info_sid;
- GROUP_MAP map;
+ GROUP_MAP *map;
struct samr_domain_info *dinfo;
struct samr_group_info *ginfo;
struct security_descriptor *psd = NULL;
}
/*check if access can be granted as requested by client. */
- map_max_allowed_access(p->server_info->security_token,
- &p->server_info->utok,
+ map_max_allowed_access(p->session_info->security_token,
+ p->session_info->unix_token,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
se_map_generic(&des_access,&grp_generic_mapping);
- status = access_check_object(psd, p->server_info->security_token,
+ status = access_check_object(psd, p->session_info->security_token,
SEC_PRIV_ADD_USERS, SEC_PRIV_INVALID, GENERIC_RIGHTS_GROUP_ALL_ACCESS,
des_access, &acc_granted, "_samr_OpenGroup");
/* this should not be hard-coded like this */
- if (!sid_check_is_domain(&dinfo->sid)) {
+ if (!sid_check_is_our_sam(&dinfo->sid)) {
return NT_STATUS_ACCESS_DENIED;
}
DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n",
sid_string_dbg(&info_sid)));
+ map = talloc_zero(p->mem_ctx, GROUP_MAP);
+ if (!map) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
/* check if that group really exists */
become_root();
- ret = get_domain_group_from_sid(info_sid, &map);
+ ret = get_domain_group_from_sid(info_sid, map);
unbecome_root();
if (!ret)
return NT_STATUS_NO_SUCH_GROUP;
+ TALLOC_FREE(map);
+
ginfo = policy_handle_create(p, r->out.group_handle,
acc_granted,
struct samr_group_info, &status);
NTSTATUS _samr_SetDomainInfo(struct pipes_struct *p,
struct samr_SetDomainInfo *r)
{
- struct samr_domain_info *dinfo;
NTSTATUS status;
uint32_t acc_required = 0;
return NT_STATUS_INVALID_INFO_CLASS;
}
- dinfo = policy_handle_find(p, r->in.domain_handle,
+ (void)policy_handle_find(p, r->in.domain_handle,
acc_required, NULL,
struct samr_domain_info, &status);
if (!NT_STATUS_IS_OK(status)) {
NTSTATUS _samr_Shutdown(struct pipes_struct *p,
struct samr_Shutdown *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}
NTSTATUS _samr_SetMemberAttributesOfGroup(struct pipes_struct *p,
struct samr_SetMemberAttributesOfGroup *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}
NTSTATUS _samr_TestPrivateFunctionsDomain(struct pipes_struct *p,
struct samr_TestPrivateFunctionsDomain *r)
{
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}
NTSTATUS _samr_TestPrivateFunctionsUser(struct pipes_struct *p,
struct samr_TestPrivateFunctionsUser *r)
{
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}
NTSTATUS _samr_AddMultipleMembersToAlias(struct pipes_struct *p,
struct samr_AddMultipleMembersToAlias *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}
NTSTATUS _samr_RemoveMultipleMembersFromAlias(struct pipes_struct *p,
struct samr_RemoveMultipleMembersFromAlias *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}
NTSTATUS _samr_SetBootKeyInformation(struct pipes_struct *p,
struct samr_SetBootKeyInformation *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}
NTSTATUS _samr_GetBootKeyInformation(struct pipes_struct *p,
struct samr_GetBootKeyInformation *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}
NTSTATUS _samr_SetDsrmPassword(struct pipes_struct *p,
struct samr_SetDsrmPassword *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}