struct lsa_policy_state **_state)
{
struct lsa_policy_state *state;
- struct ldb_dn *partitions_basedn;
struct ldb_result *dom_res;
const char *dom_attrs[] = {
"objectSid",
"fSMORoleOwner",
NULL
};
- struct ldb_result *ref_res;
- struct ldb_result *forest_ref_res;
- const char *ref_attrs[] = {
- "nETBIOSName",
- "dnsRoot",
- NULL
- };
+ char *p;
int ret;
state = talloc(mem_ctx, struct lsa_policy_state);
}
/* make sure the sam database is accessible */
- state->sam_ldb = samdb_connect(state, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info);
+ state->sam_ldb = samdb_connect(state, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info, 0);
if (state->sam_ldb == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
- partitions_basedn = samdb_partitions_dn(state->sam_ldb, mem_ctx);
+ /* and the privilege database */
+ state->pdb = privilege_connect(state, dce_call->conn->dce_ctx->lp_ctx);
+ if (state->pdb == NULL) {
+ return NT_STATUS_INVALID_SYSTEM_SERVICE;
+ }
/* work out the domain_dn - useful for so many calls its worth
fetching here */
- state->domain_dn = samdb_base_dn(state->sam_ldb);
+ state->domain_dn = ldb_get_default_basedn(state->sam_ldb);
if (!state->domain_dn) {
return NT_STATUS_NO_MEMORY;
}
/* work out the forest root_dn - useful for so many calls its worth
fetching here */
- state->forest_dn = samdb_root_dn(state->sam_ldb);
+ state->forest_dn = ldb_get_root_basedn(state->sam_ldb);
if (!state->forest_dn) {
return NT_STATUS_NO_MEMORY;
}
- ret = ldb_search(state->sam_ldb, state->domain_dn, LDB_SCOPE_BASE, NULL, dom_attrs, &dom_res);
-
+ ret = ldb_search(state->sam_ldb, mem_ctx, &dom_res,
+ state->domain_dn, LDB_SCOPE_BASE, dom_attrs, NULL);
if (ret != LDB_SUCCESS) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
- talloc_steal(mem_ctx, dom_res);
if (dom_res->count != 1) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
}
state->domain_guid = samdb_result_guid(dom_res->msgs[0], "objectGUID");
- if (!state->domain_sid) {
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
state->mixed_domain = ldb_msg_find_attr_as_uint(dom_res->msgs[0], "nTMixedDomain", 0);
talloc_free(dom_res);
- ret = ldb_search_exp_fmt(state->sam_ldb, state, &ref_res,
- partitions_basedn, LDB_SCOPE_SUBTREE, ref_attrs,
- "(&(objectclass=crossRef)(ncName=%s))",
- ldb_dn_get_linearized(state->domain_dn));
-
- if (ret != LDB_SUCCESS) {
- talloc_free(ref_res);
- return NT_STATUS_INVALID_SYSTEM_SERVICE;
- }
- if (ref_res->count != 1) {
- talloc_free(ref_res);
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
-
- state->domain_name = ldb_msg_find_attr_as_string(ref_res->msgs[0], "nETBIOSName", NULL);
- if (!state->domain_name) {
- talloc_free(ref_res);
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
- talloc_steal(state, state->domain_name);
+ state->domain_name = lpcfg_sam_name(dce_call->conn->dce_ctx->lp_ctx);
- state->domain_dns = ldb_msg_find_attr_as_string(ref_res->msgs[0], "dnsRoot", NULL);
+ state->domain_dns = ldb_dn_canonical_string(state, state->domain_dn);
if (!state->domain_dns) {
- talloc_free(ref_res);
return NT_STATUS_NO_SUCH_DOMAIN;
}
- talloc_steal(state, state->domain_dns);
-
- talloc_free(ref_res);
-
- ret = ldb_search_exp_fmt(state->sam_ldb, state, &forest_ref_res,
- partitions_basedn, LDB_SCOPE_SUBTREE, ref_attrs,
- "(&(objectclass=crossRef)(ncName=%s))",
- ldb_dn_get_linearized(state->forest_dn));
-
- if (ret != LDB_SUCCESS) {
- talloc_free(forest_ref_res);
- return NT_STATUS_INVALID_SYSTEM_SERVICE;
- }
- if (forest_ref_res->count != 1) {
- talloc_free(forest_ref_res);
- return NT_STATUS_NO_SUCH_DOMAIN;
+ p = strchr(state->domain_dns, '/');
+ if (p) {
+ *p = '\0';
}
- state->forest_dns = ldb_msg_find_attr_as_string(forest_ref_res->msgs[0], "dnsRoot", NULL);
+ state->forest_dns = ldb_dn_canonical_string(state, state->forest_dn);
if (!state->forest_dns) {
- talloc_free(forest_ref_res);
return NT_STATUS_NO_SUCH_DOMAIN;
}
- talloc_steal(state, state->forest_dns);
-
- talloc_free(forest_ref_res);
+ p = strchr(state->forest_dns, '/');
+ if (p) {
+ *p = '\0';
+ }
/* work out the builtin_dn - useful for so many calls its worth
fetching here */
NTSTATUS dcesrv_lsa_OpenPolicy2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct lsa_OpenPolicy2 *r)
{
+ enum dcerpc_transport_t transport = dce_call->conn->endpoint->ep_description->transport;
NTSTATUS status;
struct lsa_policy_state *state;
struct dcesrv_handle *handle;
+ if (transport != NCACN_NP && transport != NCALRPC) {
+ DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
+ }
+
ZERO_STRUCTP(r->out.handle);
+ if (r->in.attr != NULL &&
+ r->in.attr->root_dir != NULL) {
+ /* MS-LSAD 3.1.4.4.1 */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx, &state);
if (!NT_STATUS_IS_OK(status)) {
return status;
handle->data = talloc_steal(handle, state);
+ /* need to check the access mask against - need ACLs - fails
+ WSPP test */
state->access_mask = r->in.access_mask;
state->handle = handle;
*r->out.handle = handle->wire_handle;
NTSTATUS dcesrv_lsa_OpenPolicy(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct lsa_OpenPolicy *r)
{
+ enum dcerpc_transport_t transport = dce_call->conn->endpoint->ep_description->transport;
struct lsa_OpenPolicy2 r2;
+ if (transport != NCACN_NP && transport != NCALRPC) {
+ DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
+ }
+
r2.in.system_name = NULL;
r2.in.attr = r->in.attr;
r2.in.access_mask = r->in.access_mask;