2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Marc Jacobsen 1999,
8 * Copyright (C) Jeremy Allison 2001-2008,
9 * Copyright (C) Jean François Micouleau 1998-2001,
10 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
11 * Copyright (C) Gerald (Jerry) Carter 2003-2004,
12 * Copyright (C) Simo Sorce 2003.
13 * Copyright (C) Volker Lendecke 2005.
14 * Copyright (C) Guenther Deschner 2008.
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
31 * This is the implementation of the SAMR code.
37 #define DBGC_CLASS DBGC_RPC_SRV
39 #define SAMR_USR_RIGHTS_WRITE_PW \
40 ( READ_CONTROL_ACCESS | \
41 SA_RIGHT_USER_CHANGE_PASSWORD | \
42 SA_RIGHT_USER_SET_LOC_COM )
43 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
44 ( READ_CONTROL_ACCESS | SA_RIGHT_USER_SET_LOC_COM )
46 #define DISP_INFO_CACHE_TIMEOUT 10
48 typedef struct disp_info {
49 DOM_SID sid; /* identify which domain this is. */
50 bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
51 struct pdb_search *users; /* querydispinfo 1 and 4 */
52 struct pdb_search *machines; /* querydispinfo 2 */
53 struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
54 struct pdb_search *aliases; /* enumaliases */
57 struct pdb_search *enum_users; /* enumusers with a mask */
59 struct timed_event *cache_timeout_event; /* cache idle timeout
63 /* We keep a static list of these by SID as modern clients close down
64 all resources between each request in a complete enumeration. */
67 /* for use by the \PIPE\samr policy */
69 bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
70 uint32 status; /* some sort of flag. best to record it. comes from opnum 0x39 */
76 static const struct generic_mapping sam_generic_mapping = {
77 GENERIC_RIGHTS_SAM_READ,
78 GENERIC_RIGHTS_SAM_WRITE,
79 GENERIC_RIGHTS_SAM_EXECUTE,
80 GENERIC_RIGHTS_SAM_ALL_ACCESS};
81 static const struct generic_mapping dom_generic_mapping = {
82 GENERIC_RIGHTS_DOMAIN_READ,
83 GENERIC_RIGHTS_DOMAIN_WRITE,
84 GENERIC_RIGHTS_DOMAIN_EXECUTE,
85 GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
86 static const struct generic_mapping usr_generic_mapping = {
87 GENERIC_RIGHTS_USER_READ,
88 GENERIC_RIGHTS_USER_WRITE,
89 GENERIC_RIGHTS_USER_EXECUTE,
90 GENERIC_RIGHTS_USER_ALL_ACCESS};
91 static const struct generic_mapping usr_nopwchange_generic_mapping = {
92 GENERIC_RIGHTS_USER_READ,
93 GENERIC_RIGHTS_USER_WRITE,
94 GENERIC_RIGHTS_USER_EXECUTE & ~SA_RIGHT_USER_CHANGE_PASSWORD,
95 GENERIC_RIGHTS_USER_ALL_ACCESS};
96 static const struct generic_mapping grp_generic_mapping = {
97 GENERIC_RIGHTS_GROUP_READ,
98 GENERIC_RIGHTS_GROUP_WRITE,
99 GENERIC_RIGHTS_GROUP_EXECUTE,
100 GENERIC_RIGHTS_GROUP_ALL_ACCESS};
101 static const struct generic_mapping ali_generic_mapping = {
102 GENERIC_RIGHTS_ALIAS_READ,
103 GENERIC_RIGHTS_ALIAS_WRITE,
104 GENERIC_RIGHTS_ALIAS_EXECUTE,
105 GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
107 /*******************************************************************
108 *******************************************************************/
110 static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size,
111 const struct generic_mapping *map,
112 DOM_SID *sid, uint32 sid_access )
114 DOM_SID domadmin_sid;
115 SEC_ACE ace[5]; /* at most 5 entries */
120 /* basic access for Everyone */
122 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
123 map->generic_execute | map->generic_read, 0);
125 /* add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
127 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
128 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
129 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
130 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
132 /* Add Full Access for Domain Admins if we are a DC */
135 sid_copy( &domadmin_sid, get_global_sam_sid() );
136 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
137 init_sec_ace(&ace[i++], &domadmin_sid,
138 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
141 /* if we have a sid, give it some special access */
144 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sid_access, 0);
147 /* create the security descriptor */
149 if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
150 return NT_STATUS_NO_MEMORY;
152 if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
153 SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
154 psa, sd_size)) == NULL)
155 return NT_STATUS_NO_MEMORY;
160 /*******************************************************************
161 Checks if access to an object should be granted, and returns that
162 level of access for further checks.
163 ********************************************************************/
165 static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
166 SE_PRIV *rights, uint32 rights_mask,
167 uint32 des_access, uint32 *acc_granted,
170 NTSTATUS status = NT_STATUS_ACCESS_DENIED;
171 uint32 saved_mask = 0;
173 /* check privileges; certain SAM access bits should be overridden
174 by privileges (mostly having to do with creating/modifying/deleting
177 if ( rights && user_has_any_privilege( token, rights ) ) {
179 saved_mask = (des_access & rights_mask);
180 des_access &= ~saved_mask;
182 DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
187 /* check the security descriptor first */
189 if ( se_access_check(psd, token, des_access, acc_granted, &status) )
192 /* give root a free pass */
194 if ( geteuid() == sec_initial_uid() ) {
196 DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access));
197 DEBUGADD(4,("but overritten by euid == sec_initial_uid()\n"));
199 *acc_granted = des_access;
201 status = NT_STATUS_OK;
207 /* add in any bits saved during the privilege check (only
208 matters is status is ok) */
210 *acc_granted |= rights_mask;
212 DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
213 debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
214 des_access, *acc_granted));
219 /*******************************************************************
220 Checks if access to a function can be granted
221 ********************************************************************/
223 static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
225 DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
226 debug, acc_granted, acc_required));
228 /* check the security descriptor first */
230 if ( (acc_granted&acc_required) == acc_required )
233 /* give root a free pass */
235 if (geteuid() == sec_initial_uid()) {
237 DEBUG(4,("%s: ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
238 debug, acc_granted, acc_required));
239 DEBUGADD(4,("but overwritten by euid == 0\n"));
244 DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: %#010x)\n",
245 debug, acc_granted, acc_required));
247 return NT_STATUS_ACCESS_DENIED;
250 /*******************************************************************
251 Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
252 ********************************************************************/
254 static void map_max_allowed_access(const NT_USER_TOKEN *token,
255 uint32_t *pacc_requested)
257 if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
260 *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
262 /* At least try for generic read. */
263 *pacc_requested = GENERIC_READ_ACCESS;
265 /* root gets anything. */
266 if (geteuid() == sec_initial_uid()) {
267 *pacc_requested |= GENERIC_ALL_ACCESS;
271 /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
273 if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
274 is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
275 *pacc_requested |= GENERIC_ALL_ACCESS;
279 /* Full access for DOMAIN\Domain Admins. */
281 DOM_SID domadmin_sid;
282 sid_copy( &domadmin_sid, get_global_sam_sid() );
283 sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
284 if (is_sid_in_token(token, &domadmin_sid)) {
285 *pacc_requested |= GENERIC_ALL_ACCESS;
289 /* TODO ! Check privileges. */
292 /*******************************************************************
293 Fetch or create a dispinfo struct.
294 ********************************************************************/
296 static DISP_INFO *get_samr_dispinfo_by_sid(DOM_SID *psid)
299 * We do a static cache for DISP_INFO's here. Explanation can be found
300 * in Jeremy's checkin message to r11793:
302 * Fix the SAMR cache so it works across completely insane
303 * client behaviour (ie.:
304 * open pipe/open SAMR handle/enumerate 0 - 1024
305 * close SAMR handle, close pipe.
306 * open pipe/open SAMR handle/enumerate 1024 - 2048...
307 * close SAMR handle, close pipe.
308 * And on ad-nausium. Amazing.... probably object-oriented
309 * client side programming in action yet again.
310 * This change should *massively* improve performance when
311 * enumerating users from an LDAP database.
314 * "Our" and the builtin domain are the only ones where we ever
315 * enumerate stuff, so just cache 2 entries.
318 static struct disp_info builtin_dispinfo;
319 static struct disp_info domain_dispinfo;
321 /* There are two cases to consider here:
322 1) The SID is a domain SID and we look for an equality match, or
323 2) This is an account SID and so we return the DISP_INFO* for our
330 if (sid_check_is_builtin(psid) || sid_check_is_in_builtin(psid)) {
332 * Necessary only once, but it does not really hurt.
334 sid_copy(&builtin_dispinfo.sid, &global_sid_Builtin);
336 return &builtin_dispinfo;
339 if (sid_check_is_domain(psid) || sid_check_is_in_our_domain(psid)) {
341 * Necessary only once, but it does not really hurt.
343 sid_copy(&domain_dispinfo.sid, get_global_sam_sid());
345 return &domain_dispinfo;
351 /*******************************************************************
352 Create a samr_info struct.
353 ********************************************************************/
355 static struct samr_info *get_samr_info_by_sid(DOM_SID *psid)
357 struct samr_info *info;
362 sid_to_fstring(sid_str, psid);
364 fstrcpy(sid_str,"(NULL)");
367 mem_ctx = talloc_init("samr_info for domain sid %s", sid_str);
369 if ((info = TALLOC_ZERO_P(mem_ctx, struct samr_info)) == NULL)
372 DEBUG(10,("get_samr_info_by_sid: created new info for sid %s\n", sid_str));
374 sid_copy( &info->sid, psid);
375 info->builtin_domain = sid_check_is_builtin(psid);
377 DEBUG(10,("get_samr_info_by_sid: created new info for NULL sid.\n"));
378 info->builtin_domain = False;
380 info->mem_ctx = mem_ctx;
382 info->disp_info = get_samr_dispinfo_by_sid(psid);
387 /*******************************************************************
388 Function to free the per SID data.
389 ********************************************************************/
391 static void free_samr_cache(DISP_INFO *disp_info)
393 DEBUG(10, ("free_samr_cache: deleting cache for SID %s\n",
394 sid_string_dbg(&disp_info->sid)));
396 /* We need to become root here because the paged search might have to
397 * tell the LDAP server we're not interested in the rest anymore. */
401 if (disp_info->users) {
402 DEBUG(10,("free_samr_cache: deleting users cache\n"));
403 pdb_search_destroy(disp_info->users);
404 disp_info->users = NULL;
406 if (disp_info->machines) {
407 DEBUG(10,("free_samr_cache: deleting machines cache\n"));
408 pdb_search_destroy(disp_info->machines);
409 disp_info->machines = NULL;
411 if (disp_info->groups) {
412 DEBUG(10,("free_samr_cache: deleting groups cache\n"));
413 pdb_search_destroy(disp_info->groups);
414 disp_info->groups = NULL;
416 if (disp_info->aliases) {
417 DEBUG(10,("free_samr_cache: deleting aliases cache\n"));
418 pdb_search_destroy(disp_info->aliases);
419 disp_info->aliases = NULL;
421 if (disp_info->enum_users) {
422 DEBUG(10,("free_samr_cache: deleting enum_users cache\n"));
423 pdb_search_destroy(disp_info->enum_users);
424 disp_info->enum_users = NULL;
426 disp_info->enum_acb_mask = 0;
431 /*******************************************************************
432 Function to free the per handle data.
433 ********************************************************************/
435 static void free_samr_info(void *ptr)
437 struct samr_info *info=(struct samr_info *) ptr;
439 /* Only free the dispinfo cache if no one bothered to set up
442 if (info->disp_info && info->disp_info->cache_timeout_event == NULL) {
443 free_samr_cache(info->disp_info);
446 talloc_destroy(info->mem_ctx);
449 /*******************************************************************
450 Idle event handler. Throw away the disp info cache.
451 ********************************************************************/
453 static void disp_info_cache_idle_timeout_handler(struct event_context *ev_ctx,
454 struct timed_event *te,
455 const struct timeval *now,
458 DISP_INFO *disp_info = (DISP_INFO *)private_data;
460 TALLOC_FREE(disp_info->cache_timeout_event);
462 DEBUG(10, ("disp_info_cache_idle_timeout_handler: caching timed "
464 free_samr_cache(disp_info);
467 /*******************************************************************
468 Setup cache removal idle event handler.
469 ********************************************************************/
471 static void set_disp_info_cache_timeout(DISP_INFO *disp_info, time_t secs_fromnow)
473 /* Remove any pending timeout and update. */
475 TALLOC_FREE(disp_info->cache_timeout_event);
477 DEBUG(10,("set_disp_info_cache_timeout: caching enumeration for "
478 "SID %s for %u seconds\n", sid_string_dbg(&disp_info->sid),
479 (unsigned int)secs_fromnow ));
481 disp_info->cache_timeout_event = event_add_timed(
482 smbd_event_context(), NULL,
483 timeval_current_ofs(secs_fromnow, 0),
484 "disp_info_cache_idle_timeout_handler",
485 disp_info_cache_idle_timeout_handler, (void *)disp_info);
488 /*******************************************************************
489 Force flush any cache. We do this on any samr_set_xxx call.
490 We must also remove the timeout handler.
491 ********************************************************************/
493 static void force_flush_samr_cache(DISP_INFO *disp_info)
495 if ((disp_info == NULL) || (disp_info->cache_timeout_event == NULL)) {
499 DEBUG(10,("force_flush_samr_cache: clearing idle event\n"));
500 TALLOC_FREE(disp_info->cache_timeout_event);
501 free_samr_cache(disp_info);
504 /*******************************************************************
505 Ensure password info is never given out. Paranioa... JRA.
506 ********************************************************************/
508 static void samr_clear_sam_passwd(struct samu *sam_pass)
514 /* These now zero out the old password */
516 pdb_set_lanman_passwd(sam_pass, NULL, PDB_DEFAULT);
517 pdb_set_nt_passwd(sam_pass, NULL, PDB_DEFAULT);
520 static uint32 count_sam_users(struct disp_info *info, uint32 acct_flags)
522 struct samr_displayentry *entry;
524 if (info->builtin_domain) {
525 /* No users in builtin. */
529 if (info->users == NULL) {
530 info->users = pdb_search_users(acct_flags);
531 if (info->users == NULL) {
535 /* Fetch the last possible entry, thus trigger an enumeration */
536 pdb_search_entries(info->users, 0xffffffff, 1, &entry);
538 /* Ensure we cache this enumeration. */
539 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
541 return info->users->num_entries;
544 static uint32 count_sam_groups(struct disp_info *info)
546 struct samr_displayentry *entry;
548 if (info->builtin_domain) {
549 /* No groups in builtin. */
553 if (info->groups == NULL) {
554 info->groups = pdb_search_groups();
555 if (info->groups == NULL) {
559 /* Fetch the last possible entry, thus trigger an enumeration */
560 pdb_search_entries(info->groups, 0xffffffff, 1, &entry);
562 /* Ensure we cache this enumeration. */
563 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
565 return info->groups->num_entries;
568 static uint32 count_sam_aliases(struct disp_info *info)
570 struct samr_displayentry *entry;
572 if (info->aliases == NULL) {
573 info->aliases = pdb_search_aliases(&info->sid);
574 if (info->aliases == NULL) {
578 /* Fetch the last possible entry, thus trigger an enumeration */
579 pdb_search_entries(info->aliases, 0xffffffff, 1, &entry);
581 /* Ensure we cache this enumeration. */
582 set_disp_info_cache_timeout(info, DISP_INFO_CACHE_TIMEOUT);
584 return info->aliases->num_entries;
587 /*******************************************************************
589 ********************************************************************/
591 NTSTATUS _samr_Close(pipes_struct *p, struct samr_Close *r)
593 if (!close_policy_hnd(p, r->in.handle)) {
594 return NT_STATUS_INVALID_HANDLE;
597 ZERO_STRUCTP(r->out.handle);
602 /*******************************************************************
604 ********************************************************************/
606 NTSTATUS _samr_OpenDomain(pipes_struct *p,
607 struct samr_OpenDomain *r)
609 struct samr_info *info;
610 SEC_DESC *psd = NULL;
612 uint32 des_access = r->in.access_mask;
617 /* find the connection policy handle. */
619 if ( !find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info) )
620 return NT_STATUS_INVALID_HANDLE;
622 status = access_check_samr_function(info->acc_granted,
623 SA_RIGHT_SAM_OPEN_DOMAIN,
624 "_samr_OpenDomain" );
626 if ( !NT_STATUS_IS_OK(status) )
629 /*check if access can be granted as requested by client. */
630 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
632 make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
633 se_map_generic( &des_access, &dom_generic_mapping );
635 se_priv_copy( &se_rights, &se_machine_account );
636 se_priv_add( &se_rights, &se_add_users );
638 status = access_check_samr_object( psd, p->pipe_user.nt_user_token,
639 &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access,
640 &acc_granted, "_samr_OpenDomain" );
642 if ( !NT_STATUS_IS_OK(status) )
645 if (!sid_check_is_domain(r->in.sid) &&
646 !sid_check_is_builtin(r->in.sid)) {
647 return NT_STATUS_NO_SUCH_DOMAIN;
650 /* associate the domain SID with the (unique) handle. */
651 if ((info = get_samr_info_by_sid(r->in.sid))==NULL)
652 return NT_STATUS_NO_MEMORY;
653 info->acc_granted = acc_granted;
655 /* get a (unique) handle. open a policy on it. */
656 if (!create_policy_hnd(p, r->out.domain_handle, free_samr_info, (void *)info))
657 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
659 DEBUG(5,("_samr_OpenDomain: %d\n", __LINE__));
664 /*******************************************************************
666 ********************************************************************/
668 NTSTATUS _samr_GetUserPwInfo(pipes_struct *p,
669 struct samr_GetUserPwInfo *r)
671 struct samr_info *info = NULL;
672 enum lsa_SidType sid_type;
673 uint32_t min_password_length = 0;
674 uint32_t password_properties = 0;
678 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
680 /* find the policy handle. open a policy on it. */
681 if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info)) {
682 return NT_STATUS_INVALID_HANDLE;
685 status = access_check_samr_function(info->acc_granted,
686 SAMR_USER_ACCESS_GET_ATTRIBUTES,
687 "_samr_GetUserPwInfo" );
688 if (!NT_STATUS_IS_OK(status)) {
692 if (!sid_check_is_in_our_domain(&info->sid)) {
693 return NT_STATUS_OBJECT_TYPE_MISMATCH;
697 ret = lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, &sid_type);
700 return NT_STATUS_NO_SUCH_USER;
706 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
707 &min_password_length);
708 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
709 &password_properties);
712 if (lp_check_password_script() && *lp_check_password_script()) {
713 password_properties |= DOMAIN_PASSWORD_COMPLEX;
721 r->out.info->min_password_length = min_password_length;
722 r->out.info->password_properties = password_properties;
724 DEBUG(5,("_samr_GetUserPwInfo: %d\n", __LINE__));
729 /*******************************************************************
730 ********************************************************************/
732 static bool get_lsa_policy_samr_sid( pipes_struct *p, POLICY_HND *pol,
733 DOM_SID *sid, uint32 *acc_granted,
734 DISP_INFO **ppdisp_info)
736 struct samr_info *info = NULL;
738 /* find the policy handle. open a policy on it. */
739 if (!find_policy_by_hnd(p, pol, (void **)(void *)&info))
746 *acc_granted = info->acc_granted;
748 *ppdisp_info = info->disp_info;
754 /*******************************************************************
756 ********************************************************************/
758 NTSTATUS _samr_SetSecurity(pipes_struct *p,
759 struct samr_SetSecurity *r)
762 uint32 acc_granted, i;
765 struct samu *sampass=NULL;
768 if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL))
769 return NT_STATUS_INVALID_HANDLE;
771 if (!(sampass = samu_new( p->mem_ctx))) {
772 DEBUG(0,("No memory!\n"));
773 return NT_STATUS_NO_MEMORY;
776 /* get the user record */
778 ret = pdb_getsampwsid(sampass, &pol_sid);
782 DEBUG(4, ("User %s not found\n", sid_string_dbg(&pol_sid)));
783 TALLOC_FREE(sampass);
784 return NT_STATUS_INVALID_HANDLE;
787 dacl = r->in.sdbuf->sd->dacl;
788 for (i=0; i < dacl->num_aces; i++) {
789 if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) {
790 ret = pdb_set_pass_can_change(sampass,
791 (dacl->aces[i].access_mask &
792 SA_RIGHT_USER_CHANGE_PASSWORD) ?
799 TALLOC_FREE(sampass);
800 return NT_STATUS_ACCESS_DENIED;
803 status = access_check_samr_function(acc_granted,
804 SA_RIGHT_USER_SET_ATTRIBUTES,
805 "_samr_SetSecurity");
806 if (NT_STATUS_IS_OK(status)) {
808 status = pdb_update_sam_account(sampass);
812 TALLOC_FREE(sampass);
817 /*******************************************************************
818 build correct perms based on policies and password times for _samr_query_sec_obj
819 *******************************************************************/
820 static bool check_change_pw_access(TALLOC_CTX *mem_ctx, DOM_SID *user_sid)
822 struct samu *sampass=NULL;
825 if ( !(sampass = samu_new( mem_ctx )) ) {
826 DEBUG(0,("No memory!\n"));
831 ret = pdb_getsampwsid(sampass, user_sid);
835 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
836 TALLOC_FREE(sampass);
840 DEBUG(3,("User:[%s]\n", pdb_get_username(sampass) ));
842 if (pdb_get_pass_can_change(sampass)) {
843 TALLOC_FREE(sampass);
846 TALLOC_FREE(sampass);
851 /*******************************************************************
853 ********************************************************************/
855 NTSTATUS _samr_QuerySecurity(pipes_struct *p,
856 struct samr_QuerySecurity *r)
860 SEC_DESC * psd = NULL;
865 if (!get_lsa_policy_samr_sid(p, r->in.handle, &pol_sid, &acc_granted, NULL))
866 return NT_STATUS_INVALID_HANDLE;
868 DEBUG(10,("_samr_QuerySecurity: querying security on SID: %s\n",
869 sid_string_dbg(&pol_sid)));
871 status = access_check_samr_function(acc_granted,
872 STD_RIGHT_READ_CONTROL_ACCESS,
873 "_samr_QuerySecurity");
874 if (!NT_STATUS_IS_OK(status)) {
878 /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
880 /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
881 if (pol_sid.sid_rev_num == 0) {
882 DEBUG(5,("_samr_QuerySecurity: querying security on SAM\n"));
883 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
884 } else if (sid_equal(&pol_sid,get_global_sam_sid())) {
885 /* check if it is our domain SID */
886 DEBUG(5,("_samr_QuerySecurity: querying security on Domain "
887 "with SID: %s\n", sid_string_dbg(&pol_sid)));
888 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
889 } else if (sid_equal(&pol_sid,&global_sid_Builtin)) {
890 /* check if it is the Builtin Domain */
891 /* TODO: Builtin probably needs a different SD with restricted write access*/
892 DEBUG(5,("_samr_QuerySecurity: querying security on Builtin "
893 "Domain with SID: %s\n", sid_string_dbg(&pol_sid)));
894 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0);
895 } else if (sid_check_is_in_our_domain(&pol_sid) ||
896 sid_check_is_in_builtin(&pol_sid)) {
897 /* TODO: different SDs have to be generated for aliases groups and users.
898 Currently all three get a default user SD */
899 DEBUG(10,("_samr_QuerySecurity: querying security on Object "
900 "with SID: %s\n", sid_string_dbg(&pol_sid)));
901 if (check_change_pw_access(p->mem_ctx, &pol_sid)) {
902 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
903 &pol_sid, SAMR_USR_RIGHTS_WRITE_PW);
905 status = make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_nopwchange_generic_mapping,
906 &pol_sid, SAMR_USR_RIGHTS_CANT_WRITE_PW);
909 return NT_STATUS_OBJECT_TYPE_MISMATCH;
912 if ((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
913 return NT_STATUS_NO_MEMORY;
918 /*******************************************************************
919 makes a SAM_ENTRY / UNISTR2* structure from a user list.
920 ********************************************************************/
922 static NTSTATUS make_user_sam_entry_list(TALLOC_CTX *ctx,
923 struct samr_SamEntry **sam_pp,
924 uint32_t num_entries,
926 struct samr_displayentry *entries)
929 struct samr_SamEntry *sam;
933 if (num_entries == 0) {
937 sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_entries);
939 DEBUG(0, ("make_user_sam_entry_list: TALLOC_ZERO failed!\n"));
940 return NT_STATUS_NO_MEMORY;
943 for (i = 0; i < num_entries; i++) {
946 * usrmgr expects a non-NULL terminated string with
947 * trust relationships
949 if (entries[i].acct_flags & ACB_DOMTRUST) {
950 init_unistr2(&uni_temp_name, entries[i].account_name,
953 init_unistr2(&uni_temp_name, entries[i].account_name,
957 init_lsa_String(&sam[i].name, entries[i].account_name);
958 sam[i].idx = entries[i].rid;
966 #define MAX_SAM_ENTRIES MAX_SAM_ENTRIES_W2K
968 /*******************************************************************
969 _samr_EnumDomainUsers
970 ********************************************************************/
972 NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
973 struct samr_EnumDomainUsers *r)
976 struct samr_info *info = NULL;
978 uint32 enum_context = *r->in.resume_handle;
979 enum remote_arch_types ra_type = get_remote_arch();
980 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
981 uint32 max_entries = max_sam_entries;
982 struct samr_displayentry *entries = NULL;
983 struct samr_SamArray *samr_array = NULL;
984 struct samr_SamEntry *samr_entries = NULL;
986 /* find the policy handle. open a policy on it. */
987 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
988 return NT_STATUS_INVALID_HANDLE;
990 status = access_check_samr_function(info->acc_granted,
991 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
992 "_samr_EnumDomainUsers");
993 if (!NT_STATUS_IS_OK(status)) {
997 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
999 if (info->builtin_domain) {
1000 /* No users in builtin. */
1001 *r->out.resume_handle = *r->in.resume_handle;
1002 DEBUG(5,("_samr_EnumDomainUsers: No users in BUILTIN\n"));
1006 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1008 return NT_STATUS_NO_MEMORY;
1015 if ((info->disp_info->enum_users != NULL) &&
1016 (info->disp_info->enum_acb_mask != r->in.acct_flags)) {
1017 pdb_search_destroy(info->disp_info->enum_users);
1018 info->disp_info->enum_users = NULL;
1021 if (info->disp_info->enum_users == NULL) {
1022 info->disp_info->enum_users = pdb_search_users(r->in.acct_flags);
1023 info->disp_info->enum_acb_mask = r->in.acct_flags;
1026 if (info->disp_info->enum_users == NULL) {
1027 /* END AS ROOT !!!! */
1029 return NT_STATUS_ACCESS_DENIED;
1032 num_account = pdb_search_entries(info->disp_info->enum_users,
1033 enum_context, max_entries,
1036 /* END AS ROOT !!!! */
1040 if (num_account == 0) {
1041 DEBUG(5, ("_samr_EnumDomainUsers: enumeration handle over "
1042 "total entries\n"));
1043 *r->out.resume_handle = *r->in.resume_handle;
1044 return NT_STATUS_OK;
1047 status = make_user_sam_entry_list(p->mem_ctx, &samr_entries,
1048 num_account, enum_context,
1050 if (!NT_STATUS_IS_OK(status)) {
1054 if (max_entries <= num_account) {
1055 status = STATUS_MORE_ENTRIES;
1057 status = NT_STATUS_OK;
1060 /* Ensure we cache this enumeration. */
1061 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1063 DEBUG(5, ("_samr_EnumDomainUsers: %d\n", __LINE__));
1065 samr_array->count = num_account;
1066 samr_array->entries = samr_entries;
1068 *r->out.resume_handle = *r->in.resume_handle + num_account;
1069 *r->out.sam = samr_array;
1070 *r->out.num_entries = num_account;
1072 DEBUG(5,("_samr_EnumDomainUsers: %d\n", __LINE__));
1077 /*******************************************************************
1078 makes a SAM_ENTRY / UNISTR2* structure from a group list.
1079 ********************************************************************/
1081 static void make_group_sam_entry_list(TALLOC_CTX *ctx,
1082 struct samr_SamEntry **sam_pp,
1083 uint32_t num_sam_entries,
1084 struct samr_displayentry *entries)
1086 struct samr_SamEntry *sam;
1091 if (num_sam_entries == 0) {
1095 sam = TALLOC_ZERO_ARRAY(ctx, struct samr_SamEntry, num_sam_entries);
1100 for (i = 0; i < num_sam_entries; i++) {
1102 * JRA. I think this should include the null. TNG does not.
1104 init_lsa_String(&sam[i].name, entries[i].account_name);
1105 sam[i].idx = entries[i].rid;
1111 /*******************************************************************
1112 _samr_EnumDomainGroups
1113 ********************************************************************/
1115 NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
1116 struct samr_EnumDomainGroups *r)
1119 struct samr_info *info = NULL;
1120 struct samr_displayentry *groups;
1122 struct samr_SamArray *samr_array = NULL;
1123 struct samr_SamEntry *samr_entries = NULL;
1125 /* find the policy handle. open a policy on it. */
1126 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1127 return NT_STATUS_INVALID_HANDLE;
1129 status = access_check_samr_function(info->acc_granted,
1130 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
1131 "_samr_EnumDomainGroups");
1132 if (!NT_STATUS_IS_OK(status)) {
1136 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1138 if (info->builtin_domain) {
1139 /* No groups in builtin. */
1140 *r->out.resume_handle = *r->in.resume_handle;
1141 DEBUG(5,("_samr_EnumDomainGroups: No groups in BUILTIN\n"));
1145 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1147 return NT_STATUS_NO_MEMORY;
1150 /* the domain group array is being allocated in the function below */
1154 if (info->disp_info->groups == NULL) {
1155 info->disp_info->groups = pdb_search_groups();
1157 if (info->disp_info->groups == NULL) {
1159 return NT_STATUS_ACCESS_DENIED;
1163 num_groups = pdb_search_entries(info->disp_info->groups,
1164 *r->in.resume_handle,
1165 MAX_SAM_ENTRIES, &groups);
1168 /* Ensure we cache this enumeration. */
1169 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1171 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1172 num_groups, groups);
1174 samr_array->count = num_groups;
1175 samr_array->entries = samr_entries;
1177 *r->out.sam = samr_array;
1178 *r->out.num_entries = num_groups;
1179 /* this was missing, IMHO:
1180 *r->out.resume_handle = num_groups + *r->in.resume_handle;
1183 DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
1188 /*******************************************************************
1189 _samr_EnumDomainAliases
1190 ********************************************************************/
1192 NTSTATUS _samr_EnumDomainAliases(pipes_struct *p,
1193 struct samr_EnumDomainAliases *r)
1196 struct samr_info *info;
1197 struct samr_displayentry *aliases;
1198 uint32 num_aliases = 0;
1199 struct samr_SamArray *samr_array = NULL;
1200 struct samr_SamEntry *samr_entries = NULL;
1202 /* find the policy handle. open a policy on it. */
1203 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1204 return NT_STATUS_INVALID_HANDLE;
1206 DEBUG(5,("_samr_EnumDomainAliases: sid %s\n",
1207 sid_string_dbg(&info->sid)));
1209 status = access_check_samr_function(info->acc_granted,
1210 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
1211 "_samr_EnumDomainAliases");
1212 if (!NT_STATUS_IS_OK(status)) {
1216 samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
1218 return NT_STATUS_NO_MEMORY;
1223 if (info->disp_info->aliases == NULL) {
1224 info->disp_info->aliases = pdb_search_aliases(&info->sid);
1225 if (info->disp_info->aliases == NULL) {
1227 return NT_STATUS_ACCESS_DENIED;
1231 num_aliases = pdb_search_entries(info->disp_info->aliases,
1232 *r->in.resume_handle,
1233 MAX_SAM_ENTRIES, &aliases);
1236 /* Ensure we cache this enumeration. */
1237 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1239 make_group_sam_entry_list(p->mem_ctx, &samr_entries,
1240 num_aliases, aliases);
1242 DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
1244 samr_array->count = num_aliases;
1245 samr_array->entries = samr_entries;
1247 *r->out.sam = samr_array;
1248 *r->out.num_entries = num_aliases;
1249 *r->out.resume_handle = num_aliases + *r->in.resume_handle;
1254 /*******************************************************************
1255 inits a samr_DispInfoGeneral structure.
1256 ********************************************************************/
1258 static NTSTATUS init_samr_dispinfo_1(TALLOC_CTX *ctx,
1259 struct samr_DispInfoGeneral *r,
1260 uint32_t num_entries,
1262 struct samr_displayentry *entries)
1266 DEBUG(10, ("init_samr_dispinfo_1: num_entries: %d\n", num_entries));
1268 if (num_entries == 0) {
1269 return NT_STATUS_OK;
1272 r->count = num_entries;
1274 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryGeneral, num_entries);
1276 return NT_STATUS_NO_MEMORY;
1279 for (i = 0; i < num_entries ; i++) {
1281 init_lsa_String(&r->entries[i].account_name,
1282 entries[i].account_name);
1284 init_lsa_String(&r->entries[i].description,
1285 entries[i].description);
1287 init_lsa_String(&r->entries[i].full_name,
1288 entries[i].fullname);
1290 r->entries[i].rid = entries[i].rid;
1291 r->entries[i].acct_flags = entries[i].acct_flags;
1292 r->entries[i].idx = start_idx+i+1;
1295 return NT_STATUS_OK;
1298 /*******************************************************************
1299 inits a samr_DispInfoFull structure.
1300 ********************************************************************/
1302 static NTSTATUS init_samr_dispinfo_2(TALLOC_CTX *ctx,
1303 struct samr_DispInfoFull *r,
1304 uint32_t num_entries,
1306 struct samr_displayentry *entries)
1310 DEBUG(10, ("init_samr_dispinfo_2: num_entries: %d\n", num_entries));
1312 if (num_entries == 0) {
1313 return NT_STATUS_OK;
1316 r->count = num_entries;
1318 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFull, num_entries);
1320 return NT_STATUS_NO_MEMORY;
1323 for (i = 0; i < num_entries ; i++) {
1325 init_lsa_String(&r->entries[i].account_name,
1326 entries[i].account_name);
1328 init_lsa_String(&r->entries[i].description,
1329 entries[i].description);
1331 r->entries[i].rid = entries[i].rid;
1332 r->entries[i].acct_flags = entries[i].acct_flags;
1333 r->entries[i].idx = start_idx+i+1;
1336 return NT_STATUS_OK;
1339 /*******************************************************************
1340 inits a samr_DispInfoFullGroups structure.
1341 ********************************************************************/
1343 static NTSTATUS init_samr_dispinfo_3(TALLOC_CTX *ctx,
1344 struct samr_DispInfoFullGroups *r,
1345 uint32_t num_entries,
1347 struct samr_displayentry *entries)
1351 DEBUG(5, ("init_samr_dispinfo_3: num_entries: %d\n", num_entries));
1353 if (num_entries == 0) {
1354 return NT_STATUS_OK;
1357 r->count = num_entries;
1359 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryFullGroup, num_entries);
1361 return NT_STATUS_NO_MEMORY;
1364 for (i = 0; i < num_entries ; i++) {
1366 init_lsa_String(&r->entries[i].account_name,
1367 entries[i].account_name);
1369 init_lsa_String(&r->entries[i].description,
1370 entries[i].description);
1372 r->entries[i].rid = entries[i].rid;
1373 r->entries[i].acct_flags = entries[i].acct_flags;
1374 r->entries[i].idx = start_idx+i+1;
1377 return NT_STATUS_OK;
1380 /*******************************************************************
1381 inits a samr_DispInfoAscii structure.
1382 ********************************************************************/
1384 static NTSTATUS init_samr_dispinfo_4(TALLOC_CTX *ctx,
1385 struct samr_DispInfoAscii *r,
1386 uint32_t num_entries,
1388 struct samr_displayentry *entries)
1392 DEBUG(5, ("init_samr_dispinfo_4: num_entries: %d\n", num_entries));
1394 if (num_entries == 0) {
1395 return NT_STATUS_OK;
1398 r->count = num_entries;
1400 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1402 return NT_STATUS_NO_MEMORY;
1405 for (i = 0; i < num_entries ; i++) {
1407 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1408 entries[i].account_name);
1410 r->entries[i].idx = start_idx+i+1;
1413 return NT_STATUS_OK;
1416 /*******************************************************************
1417 inits a samr_DispInfoAscii structure.
1418 ********************************************************************/
1420 static NTSTATUS init_samr_dispinfo_5(TALLOC_CTX *ctx,
1421 struct samr_DispInfoAscii *r,
1422 uint32_t num_entries,
1424 struct samr_displayentry *entries)
1428 DEBUG(5, ("init_samr_dispinfo_5: num_entries: %d\n", num_entries));
1430 if (num_entries == 0) {
1431 return NT_STATUS_OK;
1434 r->count = num_entries;
1436 r->entries = TALLOC_ZERO_ARRAY(ctx, struct samr_DispEntryAscii, num_entries);
1438 return NT_STATUS_NO_MEMORY;
1441 for (i = 0; i < num_entries ; i++) {
1443 init_lsa_AsciiStringLarge(&r->entries[i].account_name,
1444 entries[i].account_name);
1446 r->entries[i].idx = start_idx+i+1;
1449 return NT_STATUS_OK;
1452 /*******************************************************************
1453 _samr_QueryDisplayInfo
1454 ********************************************************************/
1456 NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
1457 struct samr_QueryDisplayInfo *r)
1460 struct samr_info *info = NULL;
1461 uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
1463 uint32 max_entries = r->in.max_entries;
1464 uint32 enum_context = r->in.start_idx;
1465 uint32 max_size = r->in.buf_size;
1467 union samr_DispInfo *disp_info = r->out.info;
1469 uint32 temp_size=0, total_data_size=0;
1470 NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
1471 uint32 num_account = 0;
1472 enum remote_arch_types ra_type = get_remote_arch();
1473 int max_sam_entries = (ra_type == RA_WIN95) ? MAX_SAM_ENTRIES_W95 : MAX_SAM_ENTRIES_W2K;
1474 struct samr_displayentry *entries = NULL;
1476 DEBUG(5,("_samr_QueryDisplayInfo: %d\n", __LINE__));
1478 /* find the policy handle. open a policy on it. */
1479 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
1480 return NT_STATUS_INVALID_HANDLE;
1482 status = access_check_samr_function(info->acc_granted,
1483 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
1484 "_samr_QueryDisplayInfo");
1485 if (!NT_STATUS_IS_OK(status)) {
1490 * calculate how many entries we will return.
1492 * - the number of entries the client asked
1493 * - our limit on that
1494 * - the starting point (enumeration context)
1495 * - the buffer size the client will accept
1499 * We are a lot more like W2K. Instead of reading the SAM
1500 * each time to find the records we need to send back,
1501 * we read it once and link that copy to the sam handle.
1502 * For large user list (over the MAX_SAM_ENTRIES)
1503 * it's a definitive win.
1504 * second point to notice: between enumerations
1505 * our sam is now the same as it's a snapshoot.
1506 * third point: got rid of the static SAM_USER_21 struct
1507 * no more intermediate.
1508 * con: it uses much more memory, as a full copy is stored
1511 * If you want to change it, think twice and think
1512 * of the second point , that's really important.
1517 if ((r->in.level < 1) || (r->in.level > 5)) {
1518 DEBUG(0,("_samr_QueryDisplayInfo: Unknown info level (%u)\n",
1519 (unsigned int)r->in.level ));
1520 return NT_STATUS_INVALID_INFO_CLASS;
1523 /* first limit the number of entries we will return */
1524 if(max_entries > max_sam_entries) {
1525 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
1526 "entries, limiting to %d\n", max_entries,
1528 max_entries = max_sam_entries;
1531 /* calculate the size and limit on the number of entries we will
1534 temp_size=max_entries*struct_size;
1536 if (temp_size>max_size) {
1537 max_entries=MIN((max_size/struct_size),max_entries);;
1538 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
1539 "only %d entries\n", max_entries));
1544 /* THe following done as ROOT. Don't return without unbecome_root(). */
1546 switch (r->in.level) {
1549 if (info->disp_info->users == NULL) {
1550 info->disp_info->users = pdb_search_users(ACB_NORMAL);
1551 if (info->disp_info->users == NULL) {
1553 return NT_STATUS_ACCESS_DENIED;
1555 DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
1556 (unsigned int)enum_context ));
1558 DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
1559 (unsigned int)enum_context ));
1562 num_account = pdb_search_entries(info->disp_info->users,
1563 enum_context, max_entries,
1567 if (info->disp_info->machines == NULL) {
1568 info->disp_info->machines =
1569 pdb_search_users(ACB_WSTRUST|ACB_SVRTRUST);
1570 if (info->disp_info->machines == NULL) {
1572 return NT_STATUS_ACCESS_DENIED;
1574 DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
1575 (unsigned int)enum_context ));
1577 DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
1578 (unsigned int)enum_context ));
1581 num_account = pdb_search_entries(info->disp_info->machines,
1582 enum_context, max_entries,
1587 if (info->disp_info->groups == NULL) {
1588 info->disp_info->groups = pdb_search_groups();
1589 if (info->disp_info->groups == NULL) {
1591 return NT_STATUS_ACCESS_DENIED;
1593 DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
1594 (unsigned int)enum_context ));
1596 DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
1597 (unsigned int)enum_context ));
1600 num_account = pdb_search_entries(info->disp_info->groups,
1601 enum_context, max_entries,
1606 smb_panic("info class changed");
1612 /* Now create reply structure */
1613 switch (r->in.level) {
1615 disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1,
1616 num_account, enum_context,
1620 disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2,
1621 num_account, enum_context,
1625 disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3,
1626 num_account, enum_context,
1630 disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4,
1631 num_account, enum_context,
1635 disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5,
1636 num_account, enum_context,
1640 smb_panic("info class changed");
1644 if (!NT_STATUS_IS_OK(disp_ret))
1647 /* calculate the total size */
1648 total_data_size=num_account*struct_size;
1650 if (max_entries <= num_account) {
1651 status = STATUS_MORE_ENTRIES;
1653 status = NT_STATUS_OK;
1656 /* Ensure we cache this enumeration. */
1657 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
1659 DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__));
1661 *r->out.total_size = total_data_size;
1662 *r->out.returned_size = temp_size;
1667 /****************************************************************
1668 _samr_QueryDisplayInfo2
1669 ****************************************************************/
1671 NTSTATUS _samr_QueryDisplayInfo2(pipes_struct *p,
1672 struct samr_QueryDisplayInfo2 *r)
1674 struct samr_QueryDisplayInfo q;
1676 q.in.domain_handle = r->in.domain_handle;
1677 q.in.level = r->in.level;
1678 q.in.start_idx = r->in.start_idx;
1679 q.in.max_entries = r->in.max_entries;
1680 q.in.buf_size = r->in.buf_size;
1682 q.out.total_size = r->out.total_size;
1683 q.out.returned_size = r->out.returned_size;
1684 q.out.info = r->out.info;
1686 return _samr_QueryDisplayInfo(p, &q);
1689 /****************************************************************
1690 _samr_QueryDisplayInfo3
1691 ****************************************************************/
1693 NTSTATUS _samr_QueryDisplayInfo3(pipes_struct *p,
1694 struct samr_QueryDisplayInfo3 *r)
1696 struct samr_QueryDisplayInfo q;
1698 q.in.domain_handle = r->in.domain_handle;
1699 q.in.level = r->in.level;
1700 q.in.start_idx = r->in.start_idx;
1701 q.in.max_entries = r->in.max_entries;
1702 q.in.buf_size = r->in.buf_size;
1704 q.out.total_size = r->out.total_size;
1705 q.out.returned_size = r->out.returned_size;
1706 q.out.info = r->out.info;
1708 return _samr_QueryDisplayInfo(p, &q);
1711 /*******************************************************************
1712 _samr_QueryAliasInfo
1713 ********************************************************************/
1715 NTSTATUS _samr_QueryAliasInfo(pipes_struct *p,
1716 struct samr_QueryAliasInfo *r)
1719 struct acct_info info;
1722 union samr_AliasInfo *alias_info = NULL;
1723 const char *alias_name = NULL;
1724 const char *alias_description = NULL;
1726 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1728 alias_info = TALLOC_ZERO_P(p->mem_ctx, union samr_AliasInfo);
1730 return NT_STATUS_NO_MEMORY;
1733 /* find the policy handle. open a policy on it. */
1734 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &sid, &acc_granted, NULL))
1735 return NT_STATUS_INVALID_HANDLE;
1737 status = access_check_samr_function(acc_granted,
1738 SA_RIGHT_ALIAS_LOOKUP_INFO,
1739 "_samr_QueryAliasInfo");
1740 if (!NT_STATUS_IS_OK(status)) {
1745 status = pdb_get_aliasinfo(&sid, &info);
1748 if ( !NT_STATUS_IS_OK(status))
1751 /* FIXME: info contains fstrings */
1752 alias_name = talloc_strdup(r, info.acct_name);
1753 alias_description = talloc_strdup(r, info.acct_desc);
1755 switch (r->in.level) {
1757 init_samr_alias_info1(&alias_info->all,
1762 case ALIASINFODESCRIPTION:
1763 init_samr_alias_info3(&alias_info->description,
1767 return NT_STATUS_INVALID_INFO_CLASS;
1770 *r->out.info = alias_info;
1772 DEBUG(5,("_samr_QueryAliasInfo: %d\n", __LINE__));
1774 return NT_STATUS_OK;
1778 /*******************************************************************
1779 samr_reply_lookup_ids
1780 ********************************************************************/
1782 uint32 _samr_lookup_ids(pipes_struct *p, SAMR_Q_LOOKUP_IDS *q_u, SAMR_R_LOOKUP_IDS *r_u)
1784 uint32 rid[MAX_SAM_ENTRIES];
1785 int num_rids = q_u->num_sids1;
1787 r_u->status = NT_STATUS_OK;
1789 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__));
1791 if (num_rids > MAX_SAM_ENTRIES) {
1792 num_rids = MAX_SAM_ENTRIES;
1793 DEBUG(5,("_samr_lookup_ids: truncating entries to %d\n", num_rids));
1798 SMB_ASSERT_ARRAY(q_u->uni_user_name, num_rids);
1800 for (i = 0; i < num_rids && status == 0; i++)
1802 struct sam_passwd *sam_pass;
1806 fstrcpy(user_name, unistrn2(q_u->uni_user_name[i].buffer,
1807 q_u->uni_user_name[i].uni_str_len));
1809 /* find the user account */
1811 sam_pass = get_smb21pwd_entry(user_name, 0);
1814 if (sam_pass == NULL)
1816 status = 0xC0000000 | NT_STATUS_NO_SUCH_USER;
1821 rid[i] = sam_pass->user_rid;
1827 rid[0] = BUILTIN_ALIAS_RID_USERS;
1829 init_samr_r_lookup_ids(&r_u, num_rids, rid, NT_STATUS_OK);
1831 DEBUG(5,("_samr_lookup_ids: %d\n", __LINE__));
1837 /*******************************************************************
1839 ********************************************************************/
1841 NTSTATUS _samr_LookupNames(pipes_struct *p,
1842 struct samr_LookupNames *r)
1846 enum lsa_SidType *type;
1848 int num_rids = r->in.num_names;
1851 struct samr_Ids rids, types;
1853 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1855 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL)) {
1856 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1859 status = access_check_samr_function(acc_granted,
1860 0, /* Don't know the acc_bits yet */
1861 "_samr_LookupNames");
1862 if (!NT_STATUS_IS_OK(status)) {
1866 if (num_rids > MAX_SAM_ENTRIES) {
1867 num_rids = MAX_SAM_ENTRIES;
1868 DEBUG(5,("_samr_LookupNames: truncating entries to %d\n", num_rids));
1871 rid = talloc_array(p->mem_ctx, uint32, num_rids);
1872 NT_STATUS_HAVE_NO_MEMORY(rid);
1874 type = talloc_array(p->mem_ctx, enum lsa_SidType, num_rids);
1875 NT_STATUS_HAVE_NO_MEMORY(type);
1877 DEBUG(5,("_samr_LookupNames: looking name on SID %s\n",
1878 sid_string_dbg(&pol_sid)));
1880 for (i = 0; i < num_rids; i++) {
1882 status = NT_STATUS_NONE_MAPPED;
1883 type[i] = SID_NAME_UNKNOWN;
1885 rid[i] = 0xffffffff;
1887 if (sid_check_is_builtin(&pol_sid)) {
1888 if (lookup_builtin_name(r->in.names[i].string,
1891 type[i] = SID_NAME_ALIAS;
1894 lookup_global_sam_name(r->in.names[i].string, 0,
1898 if (type[i] != SID_NAME_UNKNOWN) {
1899 status = NT_STATUS_OK;
1903 rids.count = num_rids;
1906 types.count = num_rids;
1909 *r->out.rids = rids;
1910 *r->out.types = types;
1912 DEBUG(5,("_samr_LookupNames: %d\n", __LINE__));
1917 /*******************************************************************
1918 _samr_ChangePasswordUser2
1919 ********************************************************************/
1921 NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
1922 struct samr_ChangePasswordUser2 *r)
1928 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1930 fstrcpy(user_name, r->in.account->string);
1931 fstrcpy(wks, r->in.server->string);
1933 DEBUG(5,("_samr_ChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
1936 * Pass the user through the NT -> unix user mapping
1940 (void)map_username(user_name);
1943 * UNIX username case mangling not required, pass_oem_change
1944 * is case insensitive.
1947 status = pass_oem_change(user_name,
1948 r->in.lm_password->data,
1949 r->in.lm_verifier->hash,
1950 r->in.nt_password->data,
1951 r->in.nt_verifier->hash,
1954 DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
1959 /*******************************************************************
1960 _samr_ChangePasswordUser3
1961 ********************************************************************/
1963 NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
1964 struct samr_ChangePasswordUser3 *r)
1968 const char *wks = NULL;
1969 uint32 reject_reason;
1970 struct samr_DomInfo1 *dominfo = NULL;
1971 struct samr_ChangeReject *reject = NULL;
1973 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
1975 fstrcpy(user_name, r->in.account->string);
1976 if (r->in.server && r->in.server->string) {
1977 wks = r->in.server->string;
1980 DEBUG(5,("_samr_ChangePasswordUser3: user: %s wks: %s\n", user_name, wks));
1983 * Pass the user through the NT -> unix user mapping
1987 (void)map_username(user_name);
1990 * UNIX username case mangling not required, pass_oem_change
1991 * is case insensitive.
1994 status = pass_oem_change(user_name,
1995 r->in.lm_password->data,
1996 r->in.lm_verifier->hash,
1997 r->in.nt_password->data,
1998 r->in.nt_verifier->hash,
2001 if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) ||
2002 NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_RESTRICTION)) {
2004 uint32 min_pass_len,pass_hist,password_properties;
2005 time_t u_expire, u_min_age;
2006 NTTIME nt_expire, nt_min_age;
2007 uint32 account_policy_temp;
2009 dominfo = TALLOC_ZERO_P(p->mem_ctx, struct samr_DomInfo1);
2011 return NT_STATUS_NO_MEMORY;
2014 reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject);
2016 return NT_STATUS_NO_MEMORY;
2023 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
2024 min_pass_len = account_policy_temp;
2026 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
2027 pass_hist = account_policy_temp;
2029 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
2030 password_properties = account_policy_temp;
2032 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
2033 u_expire = account_policy_temp;
2035 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
2036 u_min_age = account_policy_temp;
2042 unix_to_nt_time_abs(&nt_expire, u_expire);
2043 unix_to_nt_time_abs(&nt_min_age, u_min_age);
2045 if (lp_check_password_script() && *lp_check_password_script()) {
2046 password_properties |= DOMAIN_PASSWORD_COMPLEX;
2049 init_samr_DomInfo1(dominfo,
2052 password_properties,
2056 reject->reason = reject_reason;
2058 *r->out.dominfo = dominfo;
2059 *r->out.reject = reject;
2062 DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
2067 /*******************************************************************
2068 makes a SAMR_R_LOOKUP_RIDS structure.
2069 ********************************************************************/
2071 static bool make_samr_lookup_rids(TALLOC_CTX *ctx, uint32 num_names,
2073 struct lsa_String **lsa_name_array_p)
2075 struct lsa_String *lsa_name_array = NULL;
2078 *lsa_name_array_p = NULL;
2080 if (num_names != 0) {
2081 lsa_name_array = TALLOC_ZERO_ARRAY(ctx, struct lsa_String, num_names);
2082 if (!lsa_name_array) {
2087 for (i = 0; i < num_names; i++) {
2088 DEBUG(10, ("names[%d]:%s\n", i, names[i] && *names[i] ? names[i] : ""));
2089 init_lsa_String(&lsa_name_array[i], names[i]);
2092 *lsa_name_array_p = lsa_name_array;
2097 /*******************************************************************
2099 ********************************************************************/
2101 NTSTATUS _samr_LookupRids(pipes_struct *p,
2102 struct samr_LookupRids *r)
2106 enum lsa_SidType *attrs = NULL;
2107 uint32 *wire_attrs = NULL;
2109 int num_rids = (int)r->in.num_rids;
2112 struct lsa_Strings names_array;
2113 struct samr_Ids types_array;
2114 struct lsa_String *lsa_names = NULL;
2116 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2118 /* find the policy handle. open a policy on it. */
2119 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL))
2120 return NT_STATUS_INVALID_HANDLE;
2122 status = access_check_samr_function(acc_granted,
2123 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
2124 "_samr__LookupRids");
2125 if (!NT_STATUS_IS_OK(status)) {
2129 if (num_rids > 1000) {
2130 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
2131 "to samba4 idl this is not possible\n", num_rids));
2132 return NT_STATUS_UNSUCCESSFUL;
2136 names = TALLOC_ZERO_ARRAY(p->mem_ctx, const char *, num_rids);
2137 attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, enum lsa_SidType, num_rids);
2138 wire_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_rids);
2140 if ((names == NULL) || (attrs == NULL) || (wire_attrs==NULL))
2141 return NT_STATUS_NO_MEMORY;
2148 become_root(); /* lookup_sid can require root privs */
2149 status = pdb_lookup_rids(&pol_sid, num_rids, r->in.rids,
2153 if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) && (num_rids == 0)) {
2154 status = NT_STATUS_OK;
2157 if (!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
2159 return NT_STATUS_NO_MEMORY;
2162 /* Convert from enum lsa_SidType to uint32 for wire format. */
2163 for (i = 0; i < num_rids; i++) {
2164 wire_attrs[i] = (uint32)attrs[i];
2167 names_array.count = num_rids;
2168 names_array.names = lsa_names;
2170 types_array.count = num_rids;
2171 types_array.ids = wire_attrs;
2173 *r->out.names = names_array;
2174 *r->out.types = types_array;
2176 DEBUG(5,("_samr_LookupRids: %d\n", __LINE__));
2181 /*******************************************************************
2183 ********************************************************************/
2185 NTSTATUS _samr_OpenUser(pipes_struct *p,
2186 struct samr_OpenUser *r)
2188 struct samu *sampass=NULL;
2190 POLICY_HND domain_pol = *r->in.domain_handle;
2191 POLICY_HND *user_pol = r->out.user_handle;
2192 struct samr_info *info = NULL;
2193 SEC_DESC *psd = NULL;
2195 uint32 des_access = r->in.access_mask;
2201 /* find the domain policy handle and get domain SID / access bits in the domain policy. */
2203 if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) )
2204 return NT_STATUS_INVALID_HANDLE;
2206 nt_status = access_check_samr_function(acc_granted,
2207 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
2210 if ( !NT_STATUS_IS_OK(nt_status) )
2213 if ( !(sampass = samu_new( p->mem_ctx )) ) {
2214 return NT_STATUS_NO_MEMORY;
2217 /* append the user's RID to it */
2219 if (!sid_append_rid(&sid, r->in.rid))
2220 return NT_STATUS_NO_SUCH_USER;
2222 /* check if access can be granted as requested by client. */
2224 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
2226 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
2227 se_map_generic(&des_access, &usr_generic_mapping);
2229 se_priv_copy( &se_rights, &se_machine_account );
2230 se_priv_add( &se_rights, &se_add_users );
2232 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
2233 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
2234 &acc_granted, "_samr_OpenUser");
2236 if ( !NT_STATUS_IS_OK(nt_status) )
2240 ret=pdb_getsampwsid(sampass, &sid);
2243 /* check that the SID exists in our domain. */
2245 return NT_STATUS_NO_SUCH_USER;
2248 TALLOC_FREE(sampass);
2250 /* associate the user's SID and access bits with the new handle. */
2251 if ((info = get_samr_info_by_sid(&sid)) == NULL)
2252 return NT_STATUS_NO_MEMORY;
2253 info->acc_granted = acc_granted;
2255 /* get a (unique) handle. open a policy on it. */
2256 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info))
2257 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2259 return NT_STATUS_OK;
2262 /*************************************************************************
2263 *************************************************************************/
2265 static NTSTATUS init_samr_parameters_string(TALLOC_CTX *mem_ctx,
2267 struct lsa_BinaryString **_r)
2269 struct lsa_BinaryString *r;
2272 return NT_STATUS_INVALID_PARAMETER;
2275 r = TALLOC_ZERO_P(mem_ctx, struct lsa_BinaryString);
2277 return NT_STATUS_NO_MEMORY;
2280 r->array = TALLOC_ZERO_ARRAY(mem_ctx, uint16_t, blob->length/2);
2282 return NT_STATUS_NO_MEMORY;
2284 memcpy(r->array, blob->data, blob->length);
2285 r->size = blob->length;
2286 r->length = blob->length;
2289 return NT_STATUS_NO_MEMORY;
2294 return NT_STATUS_OK;
2297 /*************************************************************************
2298 get_user_info_7. Safe. Only gives out account_name.
2299 *************************************************************************/
2301 static NTSTATUS get_user_info_7(TALLOC_CTX *mem_ctx,
2302 struct samr_UserInfo7 *r,
2305 struct samu *smbpass=NULL;
2307 const char *account_name = NULL;
2311 if ( !(smbpass = samu_new( mem_ctx )) ) {
2312 return NT_STATUS_NO_MEMORY;
2316 ret = pdb_getsampwsid(smbpass, user_sid);
2320 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2321 return NT_STATUS_NO_SUCH_USER;
2324 account_name = talloc_strdup(mem_ctx, pdb_get_username(smbpass));
2325 if (!account_name) {
2326 TALLOC_FREE(smbpass);
2327 return NT_STATUS_NO_MEMORY;
2329 TALLOC_FREE(smbpass);
2331 DEBUG(3,("User:[%s]\n", account_name));
2333 init_samr_user_info7(r, account_name);
2335 return NT_STATUS_OK;
2338 /*************************************************************************
2339 get_user_info_9. Only gives out primary group SID.
2340 *************************************************************************/
2342 static NTSTATUS get_user_info_9(TALLOC_CTX *mem_ctx,
2343 struct samr_UserInfo9 *r,
2346 struct samu *smbpass=NULL;
2351 if ( !(smbpass = samu_new( mem_ctx )) ) {
2352 return NT_STATUS_NO_MEMORY;
2356 ret = pdb_getsampwsid(smbpass, user_sid);
2360 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2361 TALLOC_FREE(smbpass);
2362 return NT_STATUS_NO_SUCH_USER;
2365 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
2367 init_samr_user_info9(r, pdb_get_group_rid(smbpass));
2369 TALLOC_FREE(smbpass);
2371 return NT_STATUS_OK;
2374 /*************************************************************************
2375 get_user_info_16. Safe. Only gives out acb bits.
2376 *************************************************************************/
2378 static NTSTATUS get_user_info_16(TALLOC_CTX *mem_ctx,
2379 struct samr_UserInfo16 *r,
2382 struct samu *smbpass=NULL;
2387 if ( !(smbpass = samu_new( mem_ctx )) ) {
2388 return NT_STATUS_NO_MEMORY;
2392 ret = pdb_getsampwsid(smbpass, user_sid);
2396 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2397 TALLOC_FREE(smbpass);
2398 return NT_STATUS_NO_SUCH_USER;
2401 DEBUG(3,("User:[%s]\n", pdb_get_username(smbpass) ));
2403 init_samr_user_info16(r, pdb_get_acct_ctrl(smbpass));
2405 TALLOC_FREE(smbpass);
2407 return NT_STATUS_OK;
2410 /*************************************************************************
2411 get_user_info_18. OK - this is the killer as it gives out password info.
2412 Ensure that this is only allowed on an encrypted connection with a root
2414 *************************************************************************/
2416 static NTSTATUS get_user_info_18(pipes_struct *p,
2417 TALLOC_CTX *mem_ctx,
2418 struct samr_UserInfo18 *r,
2421 struct samu *smbpass=NULL;
2426 if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
2427 return NT_STATUS_ACCESS_DENIED;
2430 if (p->auth.auth_level != PIPE_AUTH_LEVEL_PRIVACY) {
2431 return NT_STATUS_ACCESS_DENIED;
2435 * Do *NOT* do become_root()/unbecome_root() here ! JRA.
2438 if ( !(smbpass = samu_new( mem_ctx )) ) {
2439 return NT_STATUS_NO_MEMORY;
2442 ret = pdb_getsampwsid(smbpass, user_sid);
2445 DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid)));
2446 TALLOC_FREE(smbpass);
2447 return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
2450 DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
2452 if ( pdb_get_acct_ctrl(smbpass) & ACB_DISABLED) {
2453 TALLOC_FREE(smbpass);
2454 return NT_STATUS_ACCOUNT_DISABLED;
2457 init_samr_user_info18(r, pdb_get_lanman_passwd(smbpass),
2458 pdb_get_nt_passwd(smbpass));
2460 TALLOC_FREE(smbpass);
2462 return NT_STATUS_OK;
2465 /*************************************************************************
2467 *************************************************************************/
2469 static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx,
2470 struct samr_UserInfo20 *r,
2473 struct samu *sampass=NULL;
2475 const char *munged_dial = NULL;
2478 struct lsa_BinaryString *parameters = NULL;
2482 if ( !(sampass = samu_new( mem_ctx )) ) {
2483 return NT_STATUS_NO_MEMORY;
2487 ret = pdb_getsampwsid(sampass, user_sid);
2491 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2492 TALLOC_FREE(sampass);
2493 return NT_STATUS_NO_SUCH_USER;
2496 munged_dial = pdb_get_munged_dial(sampass);
2498 samr_clear_sam_passwd(sampass);
2500 DEBUG(3,("User:[%s] has [%s] (length: %d)\n", pdb_get_username(sampass),
2501 munged_dial, (int)strlen(munged_dial)));
2504 blob = base64_decode_data_blob(munged_dial);
2506 blob = data_blob_string_const_null("");
2509 status = init_samr_parameters_string(mem_ctx, &blob, ¶meters);
2510 data_blob_free(&blob);
2511 TALLOC_FREE(sampass);
2512 if (!NT_STATUS_IS_OK(status)) {
2516 init_samr_user_info20(r, parameters);
2518 return NT_STATUS_OK;
2522 /*************************************************************************
2524 *************************************************************************/
2526 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx,
2527 struct samr_UserInfo21 *r,
2529 DOM_SID *domain_sid)
2532 struct samu *pw = NULL;
2534 const DOM_SID *sid_user, *sid_group;
2535 uint32_t rid, primary_gid;
2536 NTTIME last_logon, last_logoff, last_password_change,
2537 acct_expiry, allow_password_change, force_password_change;
2538 time_t must_change_time;
2539 uint8_t password_expired;
2540 const char *account_name, *full_name, *home_directory, *home_drive,
2541 *logon_script, *profile_path, *description,
2542 *workstations, *comment;
2543 struct samr_LogonHours logon_hours;
2544 struct lsa_BinaryString *parameters = NULL;
2545 const char *munged_dial = NULL;
2550 if (!(pw = samu_new(mem_ctx))) {
2551 return NT_STATUS_NO_MEMORY;
2555 ret = pdb_getsampwsid(pw, user_sid);
2559 DEBUG(4,("User %s not found\n", sid_string_dbg(user_sid)));
2561 return NT_STATUS_NO_SUCH_USER;
2564 samr_clear_sam_passwd(pw);
2566 DEBUG(3,("User:[%s]\n", pdb_get_username(pw)));
2568 sid_user = pdb_get_user_sid(pw);
2570 if (!sid_peek_check_rid(domain_sid, sid_user, &rid)) {
2571 DEBUG(0, ("get_user_info_21: User %s has SID %s, \nwhich conflicts with "
2572 "the domain sid %s. Failing operation.\n",
2573 pdb_get_username(pw), sid_string_dbg(sid_user),
2574 sid_string_dbg(domain_sid)));
2576 return NT_STATUS_UNSUCCESSFUL;
2580 sid_group = pdb_get_group_sid(pw);
2583 if (!sid_peek_check_rid(domain_sid, sid_group, &primary_gid)) {
2584 DEBUG(0, ("get_user_info_21: User %s has Primary Group SID %s, \n"
2585 "which conflicts with the domain sid %s. Failing operation.\n",
2586 pdb_get_username(pw), sid_string_dbg(sid_group),
2587 sid_string_dbg(domain_sid)));
2589 return NT_STATUS_UNSUCCESSFUL;
2592 unix_to_nt_time(&last_logon, pdb_get_logon_time(pw));
2593 unix_to_nt_time(&last_logoff, pdb_get_logoff_time(pw));
2594 unix_to_nt_time(&acct_expiry, pdb_get_kickoff_time(pw));
2595 unix_to_nt_time(&last_password_change, pdb_get_pass_last_set_time(pw));
2596 unix_to_nt_time(&allow_password_change, pdb_get_pass_can_change_time(pw));
2598 must_change_time = pdb_get_pass_must_change_time(pw);
2599 if (must_change_time == get_time_t_max()) {
2600 unix_to_nt_time_abs(&force_password_change, must_change_time);
2602 unix_to_nt_time(&force_password_change, must_change_time);
2605 if (pdb_get_pass_must_change_time(pw) == 0) {
2606 password_expired = PASS_MUST_CHANGE_AT_NEXT_LOGON;
2608 password_expired = 0;
2611 munged_dial = pdb_get_munged_dial(pw);
2613 blob = base64_decode_data_blob(munged_dial);
2615 blob = data_blob_string_const_null("");
2618 status = init_samr_parameters_string(mem_ctx, &blob, ¶meters);
2619 data_blob_free(&blob);
2620 if (!NT_STATUS_IS_OK(status)) {
2625 account_name = talloc_strdup(mem_ctx, pdb_get_username(pw));
2626 full_name = talloc_strdup(mem_ctx, pdb_get_fullname(pw));
2627 home_directory = talloc_strdup(mem_ctx, pdb_get_homedir(pw));
2628 home_drive = talloc_strdup(mem_ctx, pdb_get_dir_drive(pw));
2629 logon_script = talloc_strdup(mem_ctx, pdb_get_logon_script(pw));
2630 profile_path = talloc_strdup(mem_ctx, pdb_get_profile_path(pw));
2631 description = talloc_strdup(mem_ctx, pdb_get_acct_desc(pw));
2632 workstations = talloc_strdup(mem_ctx, pdb_get_workstations(pw));
2633 comment = talloc_strdup(mem_ctx, pdb_get_comment(pw));
2635 logon_hours = get_logon_hours_from_pdb(mem_ctx, pw);
2639 Look at a user on a real NT4 PDC with usrmgr, press
2640 'ok'. Then you will see that fields_present is set to
2641 0x08f827fa. Look at the user immediately after that again,
2642 and you will see that 0x00fffff is returned. This solves
2643 the problem that you get access denied after having looked
2650 init_samr_user_info21(r,
2653 last_password_change,
2655 allow_password_change,
2656 force_password_change,
2669 pdb_get_acct_ctrl(pw),
2670 pdb_build_fields_present(pw),
2672 pdb_get_bad_password_count(pw),
2673 pdb_get_logon_count(pw),
2674 0, /* country_code */
2676 0, /* nt_password_set */
2677 0, /* lm_password_set */
2681 return NT_STATUS_OK;
2684 /*******************************************************************
2686 ********************************************************************/
2688 NTSTATUS _samr_QueryUserInfo(pipes_struct *p,
2689 struct samr_QueryUserInfo *r)
2692 union samr_UserInfo *user_info = NULL;
2693 struct samr_info *info = NULL;
2697 /* search for the handle */
2698 if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info))
2699 return NT_STATUS_INVALID_HANDLE;
2701 status = access_check_samr_function(info->acc_granted,
2702 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
2703 "_samr_QueryUserInfo");
2704 if (!NT_STATUS_IS_OK(status)) {
2708 domain_sid = info->sid;
2710 sid_split_rid(&domain_sid, &rid);
2712 if (!sid_check_is_in_our_domain(&info->sid))
2713 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2715 DEBUG(5,("_samr_QueryUserInfo: sid:%s\n",
2716 sid_string_dbg(&info->sid)));
2718 user_info = TALLOC_ZERO_P(p->mem_ctx, union samr_UserInfo);
2720 return NT_STATUS_NO_MEMORY;
2723 DEBUG(5,("_samr_QueryUserInfo: user info level: %d\n", r->in.level));
2725 switch (r->in.level) {
2727 status = get_user_info_7(p->mem_ctx, &user_info->info7, &info->sid);
2728 if (!NT_STATUS_IS_OK(status)) {
2733 status = get_user_info_9(p->mem_ctx, &user_info->info9, &info->sid);
2734 if (!NT_STATUS_IS_OK(status)) {
2739 status = get_user_info_16(p->mem_ctx, &user_info->info16, &info->sid);
2740 if (!NT_STATUS_IS_OK(status)) {
2746 status = get_user_info_18(p, p->mem_ctx, &user_info->info18, &info->sid);
2747 if (!NT_STATUS_IS_OK(status)) {
2753 status = get_user_info_20(p->mem_ctx, &user_info->info20, &info->sid);
2754 if (!NT_STATUS_IS_OK(status)) {
2760 status = get_user_info_21(p->mem_ctx, &user_info->info21,
2761 &info->sid, &domain_sid);
2762 if (!NT_STATUS_IS_OK(status)) {
2768 return NT_STATUS_INVALID_INFO_CLASS;
2771 *r->out.info = user_info;
2773 DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__));
2778 /*******************************************************************
2779 _samr_GetGroupsForUser
2780 ********************************************************************/
2782 NTSTATUS _samr_GetGroupsForUser(pipes_struct *p,
2783 struct samr_GetGroupsForUser *r)
2785 struct samu *sam_pass=NULL;
2788 struct samr_RidWithAttribute dom_gid;
2789 struct samr_RidWithAttribute *gids = NULL;
2790 uint32 primary_group_rid;
2791 size_t num_groups = 0;
2797 bool success = False;
2799 struct samr_RidWithAttributeArray *rids = NULL;
2802 * from the SID in the request:
2803 * we should send back the list of DOMAIN GROUPS
2804 * the user is a member of
2806 * and only the DOMAIN GROUPS
2807 * no ALIASES !!! neither aliases of the domain
2808 * nor aliases of the builtin SID
2813 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2815 rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidWithAttributeArray);
2817 return NT_STATUS_NO_MEMORY;
2820 /* find the policy handle. open a policy on it. */
2821 if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &sid, &acc_granted, NULL))
2822 return NT_STATUS_INVALID_HANDLE;
2824 result = access_check_samr_function(acc_granted,
2825 SA_RIGHT_USER_GET_GROUPS,
2826 "_samr_GetGroupsForUser");
2827 if (!NT_STATUS_IS_OK(result)) {
2831 if (!sid_check_is_in_our_domain(&sid))
2832 return NT_STATUS_OBJECT_TYPE_MISMATCH;
2834 if ( !(sam_pass = samu_new( p->mem_ctx )) ) {
2835 return NT_STATUS_NO_MEMORY;
2839 ret = pdb_getsampwsid(sam_pass, &sid);
2843 DEBUG(10, ("pdb_getsampwsid failed for %s\n",
2844 sid_string_dbg(&sid)));
2845 return NT_STATUS_NO_SUCH_USER;
2850 /* make both calls inside the root block */
2852 result = pdb_enum_group_memberships(p->mem_ctx, sam_pass,
2853 &sids, &unix_gids, &num_groups);
2854 if ( NT_STATUS_IS_OK(result) ) {
2855 success = sid_peek_check_rid(get_global_sam_sid(),
2856 pdb_get_group_sid(sam_pass),
2857 &primary_group_rid);
2861 if (!NT_STATUS_IS_OK(result)) {
2862 DEBUG(10, ("pdb_enum_group_memberships failed for %s\n",
2863 sid_string_dbg(&sid)));
2868 DEBUG(5, ("Group sid %s for user %s not in our domain\n",
2869 sid_string_dbg(pdb_get_group_sid(sam_pass)),
2870 pdb_get_username(sam_pass)));
2871 TALLOC_FREE(sam_pass);
2872 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2878 dom_gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
2880 dom_gid.rid = primary_group_rid;
2881 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2883 for (i=0; i<num_groups; i++) {
2885 if (!sid_peek_check_rid(get_global_sam_sid(),
2886 &(sids[i]), &dom_gid.rid)) {
2887 DEBUG(10, ("Found sid %s not in our domain\n",
2888 sid_string_dbg(&sids[i])));
2892 if (dom_gid.rid == primary_group_rid) {
2893 /* We added the primary group directly from the
2894 * sam_account. The other SIDs are unique from
2895 * enum_group_memberships */
2899 ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
2902 rids->count = num_gids;
2905 *r->out.rids = rids;
2907 DEBUG(5,("_samr_GetGroupsForUser: %d\n", __LINE__));
2912 /*******************************************************************
2913 _samr_QueryDomainInfo
2914 ********************************************************************/
2916 NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
2917 struct samr_QueryDomainInfo *r)
2919 NTSTATUS status = NT_STATUS_OK;
2920 struct samr_info *info = NULL;
2921 union samr_DomainInfo *dom_info;
2922 uint32 min_pass_len,pass_hist,password_properties;
2923 time_t u_expire, u_min_age;
2924 NTTIME nt_expire, nt_min_age;
2926 time_t u_lock_duration, u_reset_time;
2927 NTTIME nt_lock_duration, nt_reset_time;
2932 uint32 account_policy_temp;
2937 uint32 num_users=0, num_groups=0, num_aliases=0;
2939 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
2941 dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo);
2943 return NT_STATUS_NO_MEMORY;
2946 /* find the policy handle. open a policy on it. */
2947 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) {
2948 return NT_STATUS_INVALID_HANDLE;
2951 status = access_check_samr_function(info->acc_granted,
2952 SA_RIGHT_SAM_OPEN_DOMAIN,
2953 "_samr_QueryDomainInfo" );
2955 if ( !NT_STATUS_IS_OK(status) )
2958 switch (r->in.level) {
2965 pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
2966 min_pass_len = account_policy_temp;
2968 pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
2969 pass_hist = account_policy_temp;
2971 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
2972 password_properties = account_policy_temp;
2974 pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
2975 u_expire = account_policy_temp;
2977 pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
2978 u_min_age = account_policy_temp;
2984 unix_to_nt_time_abs(&nt_expire, u_expire);
2985 unix_to_nt_time_abs(&nt_min_age, u_min_age);
2987 if (lp_check_password_script() && *lp_check_password_script()) {
2988 password_properties |= DOMAIN_PASSWORD_COMPLEX;
2991 init_samr_DomInfo1(&dom_info->info1,
2992 (uint16)min_pass_len,
2994 password_properties,
3004 num_users = count_sam_users(info->disp_info, ACB_NORMAL);
3005 num_groups = count_sam_groups(info->disp_info);
3006 num_aliases = count_sam_aliases(info->disp_info);
3008 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
3009 u_logout = account_policy_temp;
3011 unix_to_nt_time_abs(&nt_logout, u_logout);
3013 if (!pdb_get_seq_num(&seq_num))
3014 seq_num = time(NULL);
3020 server_role = ROLE_DOMAIN_PDC;
3021 if (lp_server_role() == ROLE_DOMAIN_BDC)
3022 server_role = ROLE_DOMAIN_BDC;
3024 init_samr_DomGeneralInformation(&dom_info->general,
3045 pdb_get_account_policy(AP_TIME_TO_LOGOUT, &ul);
3046 u_logout = (time_t)ul;
3053 unix_to_nt_time_abs(&nt_logout, u_logout);
3055 init_samr_DomInfo3(&dom_info->info3,
3060 init_samr_DomOEMInformation(&dom_info->oem,
3064 init_samr_DomInfo5(&dom_info->info5,
3065 get_global_sam_name());
3068 /* NT returns its own name when a PDC. win2k and later
3069 * only the name of the PDC if itself is a BDC (samba4
3071 init_samr_DomInfo6(&dom_info->info6,
3075 server_role = ROLE_DOMAIN_PDC;
3076 if (lp_server_role() == ROLE_DOMAIN_BDC)
3077 server_role = ROLE_DOMAIN_BDC;
3079 init_samr_DomInfo7(&dom_info->info7,
3088 if (!pdb_get_seq_num(&seq_num)) {
3089 seq_num = time(NULL);
3096 init_samr_DomInfo8(&dom_info->info8,
3106 pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
3107 u_lock_duration = account_policy_temp;
3108 if (u_lock_duration != -1) {
3109 u_lock_duration *= 60;
3112 pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
3113 u_reset_time = account_policy_temp * 60;
3115 pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
3116 lockout = account_policy_temp;
3122 unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
3123 unix_to_nt_time_abs(&nt_reset_time, u_reset_time);
3125 init_samr_DomInfo12(&dom_info->info12,
3131 return NT_STATUS_INVALID_INFO_CLASS;
3134 *r->out.info = dom_info;
3136 DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
3141 /* W2k3 seems to use the same check for all 3 objects that can be created via
3142 * SAMR, if you try to create for example "Dialup" as an alias it says
3143 * "NT_STATUS_USER_EXISTS". This is racy, but we can't really lock the user
3146 static NTSTATUS can_create(TALLOC_CTX *mem_ctx, const char *new_name)
3148 enum lsa_SidType type;
3151 DEBUG(10, ("Checking whether [%s] can be created\n", new_name));
3154 /* Lookup in our local databases (LOOKUP_NAME_REMOTE not set)
3155 * whether the name already exists */
3156 result = lookup_name(mem_ctx, new_name, LOOKUP_NAME_LOCAL,
3157 NULL, NULL, NULL, &type);
3161 DEBUG(10, ("%s does not exist, can create it\n", new_name));
3162 return NT_STATUS_OK;
3165 DEBUG(5, ("trying to create %s, exists as %s\n",
3166 new_name, sid_type_lookup(type)));
3168 if (type == SID_NAME_DOM_GRP) {
3169 return NT_STATUS_GROUP_EXISTS;
3171 if (type == SID_NAME_ALIAS) {
3172 return NT_STATUS_ALIAS_EXISTS;
3175 /* Yes, the default is NT_STATUS_USER_EXISTS */
3176 return NT_STATUS_USER_EXISTS;
3179 /*******************************************************************
3181 ********************************************************************/
3183 NTSTATUS _samr_CreateUser2(pipes_struct *p,
3184 struct samr_CreateUser2 *r)
3186 const char *account = NULL;
3188 POLICY_HND dom_pol = *r->in.domain_handle;
3189 uint32_t acb_info = r->in.acct_flags;
3190 POLICY_HND *user_pol = r->out.user_handle;
3191 struct samr_info *info = NULL;
3196 /* check this, when giving away 'add computer to domain' privs */
3197 uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
3198 bool can_add_account = False;
3200 DISP_INFO *disp_info = NULL;
3202 /* Get the domain SID stored in the domain policy */
3203 if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted,
3205 return NT_STATUS_INVALID_HANDLE;
3207 nt_status = access_check_samr_function(acc_granted,
3208 SA_RIGHT_DOMAIN_CREATE_USER,
3209 "_samr_CreateUser2");
3210 if (!NT_STATUS_IS_OK(nt_status)) {
3214 if (!(acb_info == ACB_NORMAL || acb_info == ACB_DOMTRUST ||
3215 acb_info == ACB_WSTRUST || acb_info == ACB_SVRTRUST)) {
3216 /* Match Win2k, and return NT_STATUS_INVALID_PARAMETER if
3217 this parameter is not an account type */
3218 return NT_STATUS_INVALID_PARAMETER;
3221 account = r->in.account_name->string;
3222 if (account == NULL) {
3223 return NT_STATUS_NO_MEMORY;
3226 nt_status = can_create(p->mem_ctx, account);
3227 if (!NT_STATUS_IS_OK(nt_status)) {
3231 /* determine which user right we need to check based on the acb_info */
3233 if ( acb_info & ACB_WSTRUST )
3235 se_priv_copy( &se_rights, &se_machine_account );
3236 can_add_account = user_has_privileges(
3237 p->pipe_user.nt_user_token, &se_rights );
3239 /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
3240 account for domain trusts and changes the ACB flags later */
3241 else if ( acb_info & ACB_NORMAL &&
3242 (account[strlen(account)-1] != '$') )
3244 se_priv_copy( &se_rights, &se_add_users );
3245 can_add_account = user_has_privileges(
3246 p->pipe_user.nt_user_token, &se_rights );
3248 else /* implicit assumption of a BDC or domain trust account here
3249 * (we already check the flags earlier) */
3251 if ( lp_enable_privileges() ) {
3252 /* only Domain Admins can add a BDC or domain trust */
3253 se_priv_copy( &se_rights, &se_priv_none );
3254 can_add_account = nt_token_check_domain_rid(
3255 p->pipe_user.nt_user_token,
3256 DOMAIN_GROUP_RID_ADMINS );
3260 DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
3261 uidtoname(p->pipe_user.ut.uid),
3262 can_add_account ? "True":"False" ));
3264 /********** BEGIN Admin BLOCK **********/
3266 if ( can_add_account )
3269 nt_status = pdb_create_user(p->mem_ctx, account, acb_info,
3272 if ( can_add_account )
3275 /********** END Admin BLOCK **********/
3277 /* now check for failure */
3279 if ( !NT_STATUS_IS_OK(nt_status) )
3282 /* Get the user's SID */
3284 sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
3286 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3288 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
3289 &sid, SAMR_USR_RIGHTS_WRITE_PW);
3290 se_map_generic(&des_access, &usr_generic_mapping);
3292 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3293 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
3294 &acc_granted, "_samr_CreateUser2");
3296 if ( !NT_STATUS_IS_OK(nt_status) ) {
3300 /* associate the user's SID with the new handle. */
3301 if ((info = get_samr_info_by_sid(&sid)) == NULL) {
3302 return NT_STATUS_NO_MEMORY;
3307 info->acc_granted = acc_granted;
3309 /* get a (unique) handle. open a policy on it. */
3310 if (!create_policy_hnd(p, user_pol, free_samr_info, (void *)info)) {
3311 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3314 /* After a "set" ensure we have no cached display info. */
3315 force_flush_samr_cache(info->disp_info);
3317 *r->out.access_granted = acc_granted;
3319 return NT_STATUS_OK;
3322 /*******************************************************************
3324 ********************************************************************/
3326 NTSTATUS _samr_Connect(pipes_struct *p,
3327 struct samr_Connect *r)
3329 struct samr_info *info = NULL;
3330 uint32 des_access = r->in.access_mask;
3334 if (!pipe_access_check(p)) {
3335 DEBUG(3, ("access denied to _samr_Connect\n"));
3336 return NT_STATUS_ACCESS_DENIED;
3339 /* set up the SAMR connect_anon response */
3341 /* associate the user's SID with the new handle. */
3342 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3343 return NT_STATUS_NO_MEMORY;
3345 /* don't give away the farm but this is probably ok. The SA_RIGHT_SAM_ENUM_DOMAINS
3346 was observed from a win98 client trying to enumerate users (when configured
3347 user level access control on shares) --jerry */
3349 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3351 se_map_generic( &des_access, &sam_generic_mapping );
3352 info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN);
3354 /* get a (unique) handle. open a policy on it. */
3355 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3356 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3358 return NT_STATUS_OK;
3361 /*******************************************************************
3363 ********************************************************************/
3365 NTSTATUS _samr_Connect2(pipes_struct *p,
3366 struct samr_Connect2 *r)
3368 struct samr_info *info = NULL;
3369 SEC_DESC *psd = NULL;
3371 uint32 des_access = r->in.access_mask;
3376 DEBUG(5,("_samr_Connect2: %d\n", __LINE__));
3380 if (!pipe_access_check(p)) {
3381 DEBUG(3, ("access denied to _samr_Connect2\n"));
3382 return NT_STATUS_ACCESS_DENIED;
3385 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3387 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3388 se_map_generic(&des_access, &sam_generic_mapping);
3390 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3391 NULL, 0, des_access, &acc_granted, "_samr_Connect2");
3393 if ( !NT_STATUS_IS_OK(nt_status) )
3396 /* associate the user's SID and access granted with the new handle. */
3397 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3398 return NT_STATUS_NO_MEMORY;
3400 info->acc_granted = acc_granted;
3401 info->status = r->in.access_mask; /* this looks so wrong... - gd */
3403 /* get a (unique) handle. open a policy on it. */
3404 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3405 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3407 DEBUG(5,("_samr_Connect2: %d\n", __LINE__));
3412 /*******************************************************************
3414 ********************************************************************/
3416 NTSTATUS _samr_Connect4(pipes_struct *p,
3417 struct samr_Connect4 *r)
3419 struct samr_info *info = NULL;
3420 SEC_DESC *psd = NULL;
3422 uint32 des_access = r->in.access_mask;
3427 DEBUG(5,("_samr_Connect4: %d\n", __LINE__));
3431 if (!pipe_access_check(p)) {
3432 DEBUG(3, ("access denied to samr_Connect4\n"));
3433 return NT_STATUS_ACCESS_DENIED;
3436 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3438 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3439 se_map_generic(&des_access, &sam_generic_mapping);
3441 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3442 NULL, 0, des_access, &acc_granted, "_samr_Connect4");
3444 if ( !NT_STATUS_IS_OK(nt_status) )
3447 /* associate the user's SID and access granted with the new handle. */
3448 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3449 return NT_STATUS_NO_MEMORY;
3451 info->acc_granted = acc_granted;
3452 info->status = r->in.access_mask; /* ??? */
3454 /* get a (unique) handle. open a policy on it. */
3455 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3456 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3458 DEBUG(5,("_samr_Connect4: %d\n", __LINE__));
3460 return NT_STATUS_OK;
3463 /*******************************************************************
3465 ********************************************************************/
3467 NTSTATUS _samr_Connect5(pipes_struct *p,
3468 struct samr_Connect5 *r)
3470 struct samr_info *info = NULL;
3471 SEC_DESC *psd = NULL;
3473 uint32 des_access = r->in.access_mask;
3476 struct samr_ConnectInfo1 info1;
3478 DEBUG(5,("_samr_Connect5: %d\n", __LINE__));
3482 if (!pipe_access_check(p)) {
3483 DEBUG(3, ("access denied to samr_Connect5\n"));
3484 return NT_STATUS_ACCESS_DENIED;
3487 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3489 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
3490 se_map_generic(&des_access, &sam_generic_mapping);
3492 nt_status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3493 NULL, 0, des_access, &acc_granted, "_samr_Connect5");
3495 if ( !NT_STATUS_IS_OK(nt_status) )
3498 /* associate the user's SID and access granted with the new handle. */
3499 if ((info = get_samr_info_by_sid(NULL)) == NULL)
3500 return NT_STATUS_NO_MEMORY;
3502 info->acc_granted = acc_granted;
3503 info->status = r->in.access_mask; /* ??? */
3505 /* get a (unique) handle. open a policy on it. */
3506 if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
3507 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3509 DEBUG(5,("_samr_Connect5: %d\n", __LINE__));
3511 info1.client_version = SAMR_CONNECT_AFTER_W2K;
3514 *r->out.level_out = 1;
3515 r->out.info_out->info1 = info1;
3517 return NT_STATUS_OK;
3520 /**********************************************************************
3522 **********************************************************************/
3524 NTSTATUS _samr_LookupDomain(pipes_struct *p,
3525 struct samr_LookupDomain *r)
3527 NTSTATUS status = NT_STATUS_OK;
3528 struct samr_info *info;
3529 const char *domain_name;
3530 DOM_SID *sid = NULL;
3532 if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
3533 return NT_STATUS_INVALID_HANDLE;
3535 /* win9x user manager likes to use SA_RIGHT_SAM_ENUM_DOMAINS here.
3536 Reverted that change so we will work with RAS servers again */
3538 status = access_check_samr_function(info->acc_granted,
3539 SA_RIGHT_SAM_OPEN_DOMAIN,
3540 "_samr_LookupDomain");
3541 if (!NT_STATUS_IS_OK(status)) {
3545 domain_name = r->in.domain_name->string;
3547 sid = TALLOC_ZERO_P(p->mem_ctx, struct dom_sid2);
3549 return NT_STATUS_NO_MEMORY;
3552 if (strequal(domain_name, builtin_domain_name())) {
3553 sid_copy(sid, &global_sid_Builtin);
3555 if (!secrets_fetch_domain_sid(domain_name, sid)) {
3556 status = NT_STATUS_NO_SUCH_DOMAIN;
3560 DEBUG(2,("Returning domain sid for domain %s -> %s\n", domain_name,
3561 sid_string_dbg(sid)));
3568 /**********************************************************************
3570 **********************************************************************/
3572 NTSTATUS _samr_EnumDomains(pipes_struct *p,
3573 struct samr_EnumDomains *r)
3576 struct samr_info *info;
3577 uint32_t num_entries = 2;
3578 struct samr_SamEntry *entry_array = NULL;
3579 struct samr_SamArray *sam;
3581 if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
3582 return NT_STATUS_INVALID_HANDLE;
3584 status = access_check_samr_function(info->acc_granted,
3585 SA_RIGHT_SAM_ENUM_DOMAINS,
3586 "_samr_EnumDomains");
3587 if (!NT_STATUS_IS_OK(status)) {
3591 sam = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
3593 return NT_STATUS_NO_MEMORY;
3596 entry_array = TALLOC_ZERO_ARRAY(p->mem_ctx,
3597 struct samr_SamEntry,
3600 return NT_STATUS_NO_MEMORY;
3603 entry_array[0].idx = 0;
3604 init_lsa_String(&entry_array[0].name, get_global_sam_name());
3606 entry_array[1].idx = 1;
3607 init_lsa_String(&entry_array[1].name, "Builtin");
3609 sam->count = num_entries;
3610 sam->entries = entry_array;
3613 *r->out.num_entries = num_entries;
3618 /*******************************************************************
3620 ********************************************************************/
3622 NTSTATUS _samr_OpenAlias(pipes_struct *p,
3623 struct samr_OpenAlias *r)
3626 POLICY_HND domain_pol = *r->in.domain_handle;
3627 uint32 alias_rid = r->in.rid;
3628 POLICY_HND *alias_pol = r->out.alias_handle;
3629 struct samr_info *info = NULL;
3630 SEC_DESC *psd = NULL;
3632 uint32 des_access = r->in.access_mask;
3637 /* find the domain policy and get the SID / access bits stored in the domain policy */
3639 if ( !get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted, NULL) )
3640 return NT_STATUS_INVALID_HANDLE;
3642 status = access_check_samr_function(acc_granted,
3643 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
3646 if ( !NT_STATUS_IS_OK(status) )
3649 /* append the alias' RID to it */
3651 if (!sid_append_rid(&sid, alias_rid))
3652 return NT_STATUS_NO_SUCH_ALIAS;
3654 /*check if access can be granted as requested by client. */
3656 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
3658 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
3659 se_map_generic(&des_access,&ali_generic_mapping);
3661 se_priv_copy( &se_rights, &se_add_users );
3664 status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
3665 &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access,
3666 &acc_granted, "_samr_OpenAlias");
3668 if ( !NT_STATUS_IS_OK(status) )
3672 /* Check we actually have the requested alias */
3673 enum lsa_SidType type;
3678 result = lookup_sid(NULL, &sid, NULL, NULL, &type);
3681 if (!result || (type != SID_NAME_ALIAS)) {
3682 return NT_STATUS_NO_SUCH_ALIAS;
3685 /* make sure there is a mapping */
3687 if ( !sid_to_gid( &sid, &gid ) ) {
3688 return NT_STATUS_NO_SUCH_ALIAS;
3693 /* associate the alias SID with the new handle. */
3694 if ((info = get_samr_info_by_sid(&sid)) == NULL)
3695 return NT_STATUS_NO_MEMORY;
3697 info->acc_granted = acc_granted;
3699 /* get a (unique) handle. open a policy on it. */
3700 if (!create_policy_hnd(p, alias_pol, free_samr_info, (void *)info))
3701 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3703 return NT_STATUS_OK;
3706 /*******************************************************************
3708 ********************************************************************/
3710 static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx,
3711 struct samr_UserInfo7 *id7,
3717 DEBUG(5, ("set_user_info_7: NULL id7\n"));
3719 return NT_STATUS_ACCESS_DENIED;
3722 if (!id7->account_name.string) {
3723 DEBUG(5, ("set_user_info_7: failed to get new username\n"));
3725 return NT_STATUS_ACCESS_DENIED;
3728 /* check to see if the new username already exists. Note: we can't
3729 reliably lock all backends, so there is potentially the
3730 possibility that a user can be created in between this check and
3731 the rename. The rename should fail, but may not get the
3732 exact same failure status code. I think this is small enough
3733 of a window for this type of operation and the results are
3734 simply that the rename fails with a slightly different status
3735 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3737 rc = can_create(mem_ctx, id7->account_name.string);
3738 if (!NT_STATUS_IS_OK(rc)) {
3742 rc = pdb_rename_sam_account(pwd, id7->account_name.string);
3748 /*******************************************************************
3750 ********************************************************************/
3752 static bool set_user_info_16(struct samr_UserInfo16 *id16,
3756 DEBUG(5, ("set_user_info_16: NULL id16\n"));
3761 /* FIX ME: check if the value is really changed --metze */
3762 if (!pdb_set_acct_ctrl(pwd, id16->acct_flags, PDB_CHANGED)) {
3767 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3777 /*******************************************************************
3779 ********************************************************************/
3781 static bool set_user_info_18(struct samr_UserInfo18 *id18,
3785 DEBUG(2, ("set_user_info_18: id18 is NULL\n"));
3790 if (!pdb_set_lanman_passwd (pwd, id18->lm_pwd.hash, PDB_CHANGED)) {
3794 if (!pdb_set_nt_passwd (pwd, id18->nt_pwd.hash, PDB_CHANGED)) {
3798 if (!pdb_set_pass_last_set_time (pwd, time(NULL), PDB_CHANGED)) {
3803 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3812 /*******************************************************************
3814 ********************************************************************/
3816 static bool set_user_info_20(struct samr_UserInfo20 *id20,
3820 DEBUG(5, ("set_user_info_20: NULL id20\n"));
3824 copy_id20_to_sam_passwd(pwd, id20);
3826 /* write the change out */
3827 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
3837 /*******************************************************************
3839 ********************************************************************/
3841 static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx,
3842 struct samr_UserInfo21 *id21,
3848 DEBUG(5, ("set_user_info_21: NULL id21\n"));
3849 return NT_STATUS_INVALID_PARAMETER;
3852 /* we need to separately check for an account rename first */
3854 if (id21->account_name.string &&
3855 (!strequal(id21->account_name.string, pdb_get_username(pwd))))
3858 /* check to see if the new username already exists. Note: we can't
3859 reliably lock all backends, so there is potentially the
3860 possibility that a user can be created in between this check and
3861 the rename. The rename should fail, but may not get the
3862 exact same failure status code. I think this is small enough
3863 of a window for this type of operation and the results are
3864 simply that the rename fails with a slightly different status
3865 code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
3867 status = can_create(mem_ctx, id21->account_name.string);
3868 if (!NT_STATUS_IS_OK(status)) {
3872 status = pdb_rename_sam_account(pwd, id21->account_name.string);
3874 if (!NT_STATUS_IS_OK(status)) {
3875 DEBUG(0,("set_user_info_21: failed to rename account: %s\n",
3876 nt_errstr(status)));
3881 /* set the new username so that later
3882 functions can work on the new account */
3883 pdb_set_username(pwd, id21->account_name.string, PDB_SET);
3886 copy_id21_to_sam_passwd("INFO_21", pwd, id21);
3889 * The funny part about the previous two calls is
3890 * that pwd still has the password hashes from the
3891 * passdb entry. These have not been updated from
3892 * id21. I don't know if they need to be set. --jerry
3895 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
3896 status = pdb_set_unix_primary_group(mem_ctx, pwd);
3897 if ( !NT_STATUS_IS_OK(status) ) {
3902 /* Don't worry about writing out the user account since the
3903 primary group SID is generated solely from the user's Unix
3906 /* write the change out */
3907 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
3914 return NT_STATUS_OK;
3917 /*******************************************************************
3919 ********************************************************************/
3921 static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx,
3922 struct samr_UserInfo23 *id23,
3925 char *plaintext_buf = NULL;
3931 DEBUG(5, ("set_user_info_23: NULL id23\n"));
3932 return NT_STATUS_INVALID_PARAMETER;
3935 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
3936 pdb_get_username(pwd)));
3938 acct_ctrl = pdb_get_acct_ctrl(pwd);
3940 if (!decode_pw_buffer(mem_ctx,
3941 id23->password.data,
3946 return NT_STATUS_INVALID_PARAMETER;
3949 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
3951 return NT_STATUS_ACCESS_DENIED;
3954 copy_id23_to_sam_passwd(pwd, id23);
3956 /* if it's a trust account, don't update /etc/passwd */
3957 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
3958 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
3959 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
3960 DEBUG(5, ("Changing trust account. Not updating /etc/passwd\n"));
3962 /* update the UNIX password */
3963 if (lp_unix_password_sync() ) {
3964 struct passwd *passwd;
3965 if (pdb_get_username(pwd) == NULL) {
3966 DEBUG(1, ("chgpasswd: User without name???\n"));
3968 return NT_STATUS_ACCESS_DENIED;
3971 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
3972 if (passwd == NULL) {
3973 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
3976 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
3978 return NT_STATUS_ACCESS_DENIED;
3980 TALLOC_FREE(passwd);
3984 memset(plaintext_buf, '\0', strlen(plaintext_buf));
3986 if (IS_SAM_CHANGED(pwd, PDB_GROUPSID) &&
3987 (!NT_STATUS_IS_OK(status = pdb_set_unix_primary_group(mem_ctx,
3993 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4000 return NT_STATUS_OK;
4003 /*******************************************************************
4005 ********************************************************************/
4007 static bool set_user_info_pw(uint8 *pass, struct samu *pwd,
4011 char *plaintext_buf = NULL;
4013 time_t last_set_time;
4014 enum pdb_value_state last_set_state;
4016 DEBUG(5, ("Attempting administrator password change for user %s\n",
4017 pdb_get_username(pwd)));
4019 acct_ctrl = pdb_get_acct_ctrl(pwd);
4020 /* we need to know if it's expired, because this is an admin change, not a
4021 user change, so it's still expired when we're done */
4022 last_set_state = pdb_get_init_flags(pwd, PDB_PASSLASTSET);
4023 last_set_time = pdb_get_pass_last_set_time(pwd);
4025 if (!decode_pw_buffer(talloc_tos(),
4034 if (!pdb_set_plaintext_passwd (pwd, plaintext_buf)) {
4039 /* if it's a trust account, don't update /etc/passwd */
4040 if ( ( (acct_ctrl & ACB_DOMTRUST) == ACB_DOMTRUST ) ||
4041 ( (acct_ctrl & ACB_WSTRUST) == ACB_WSTRUST) ||
4042 ( (acct_ctrl & ACB_SVRTRUST) == ACB_SVRTRUST) ) {
4043 DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n"));
4045 /* update the UNIX password */
4046 if (lp_unix_password_sync()) {
4047 struct passwd *passwd;
4049 if (pdb_get_username(pwd) == NULL) {
4050 DEBUG(1, ("chgpasswd: User without name???\n"));
4055 passwd = Get_Pwnam_alloc(pwd, pdb_get_username(pwd));
4056 if (passwd == NULL) {
4057 DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n"));
4060 if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) {
4064 TALLOC_FREE(passwd);
4068 memset(plaintext_buf, '\0', strlen(plaintext_buf));
4071 * A level 25 change does reset the pwdlastset field, a level 24
4072 * change does not. I know this is probably not the full story, but
4073 * it is needed to make XP join LDAP correctly, without it the later
4074 * auth2 check can fail with PWD_MUST_CHANGE.
4078 * restore last set time as this is an admin change, not a
4081 pdb_set_pass_last_set_time (pwd, last_set_time,
4085 DEBUG(5,("set_user_info_pw: pdb_update_pwd()\n"));
4087 /* update the SAMBA password */
4088 if(!NT_STATUS_IS_OK(pdb_update_sam_account(pwd))) {
4098 /*******************************************************************
4100 ********************************************************************/
4102 static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx,
4103 struct samr_UserInfo25 *id25,
4109 DEBUG(5, ("set_user_info_25: NULL id25\n"));
4110 return NT_STATUS_INVALID_PARAMETER;
4113 copy_id25_to_sam_passwd(pwd, id25);
4115 /* write the change out */
4116 if(!NT_STATUS_IS_OK(status = pdb_update_sam_account(pwd))) {
4122 * We need to "pdb_update_sam_account" before the unix primary group
4123 * is set, because the idealx scripts would also change the
4124 * sambaPrimaryGroupSid using the ldap replace method. pdb_ldap uses
4125 * the delete explicit / add explicit, which would then fail to find
4126 * the previous primaryGroupSid value.
4129 if ( IS_SAM_CHANGED(pwd, PDB_GROUPSID) ) {
4130 status = pdb_set_unix_primary_group(mem_ctx, pwd);
4131 if ( !NT_STATUS_IS_OK(status) ) {
4136 /* WARNING: No TALLOC_FREE(pwd), we are about to set the password
4139 return NT_STATUS_OK;
4142 /*******************************************************************
4143 samr_SetUserInfo_internal
4144 ********************************************************************/
4146 static NTSTATUS samr_SetUserInfo_internal(const char *fn_name,
4148 struct policy_handle *user_handle,
4150 union samr_UserInfo *info)
4153 struct samu *pwd = NULL;
4155 POLICY_HND *pol = user_handle;
4156 uint16_t switch_value = level;
4157 uint32_t acc_granted;
4158 uint32_t acc_required;
4160 bool has_enough_rights = False;
4162 DISP_INFO *disp_info = NULL;
4164 DEBUG(5,("%s: %d\n", fn_name, __LINE__));
4166 /* find the policy handle. open a policy on it. */
4167 if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted, &disp_info)) {
4168 return NT_STATUS_INVALID_HANDLE;
4171 /* This is tricky. A WinXP domain join sets
4172 (SA_RIGHT_USER_SET_PASSWORD|SA_RIGHT_USER_SET_ATTRIBUTES|SA_RIGHT_USER_ACCT_FLAGS_EXPIRY)
4173 The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser(). But the
4174 standard Win32 API calls just ask for SA_RIGHT_USER_SET_PASSWORD in the SamrOpenUser().
4175 This should be enough for levels 18, 24, 25,& 26. Info level 23 can set more so
4176 we'll use the set from the WinXP join as the basis. */
4178 switch (switch_value) {
4183 acc_required = SA_RIGHT_USER_SET_PASSWORD;
4186 acc_required = SA_RIGHT_USER_SET_PASSWORD |
4187 SA_RIGHT_USER_SET_ATTRIBUTES |
4188 SA_RIGHT_USER_ACCT_FLAGS_EXPIRY;
4192 status = access_check_samr_function(acc_granted,
4195 if (!NT_STATUS_IS_OK(status)) {
4199 DEBUG(5, ("%s: sid:%s, level:%d\n",
4200 fn_name, sid_string_dbg(&sid), switch_value));
4203 DEBUG(5, ("%s: NULL info level\n", fn_name));
4204 return NT_STATUS_INVALID_INFO_CLASS;
4207 if (!(pwd = samu_new(NULL))) {
4208 return NT_STATUS_NO_MEMORY;
4212 ret = pdb_getsampwsid(pwd, &sid);
4217 return NT_STATUS_NO_SUCH_USER;
4220 /* deal with machine password changes differently from userinfo changes */
4221 /* check to see if we have the sufficient rights */
4223 acb_info = pdb_get_acct_ctrl(pwd);
4224 if (acb_info & ACB_WSTRUST)
4225 has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token,
4226 &se_machine_account);
4227 else if (acb_info & ACB_NORMAL)
4228 has_enough_rights = user_has_privileges(p->pipe_user.nt_user_token,
4230 else if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
4231 if (lp_enable_privileges()) {
4232 has_enough_rights = nt_token_check_domain_rid(p->pipe_user.nt_user_token,
4233 DOMAIN_GROUP_RID_ADMINS);
4237 DEBUG(5, ("%s: %s does%s possess sufficient rights\n",
4239 uidtoname(p->pipe_user.ut.uid),
4240 has_enough_rights ? "" : " not"));
4242 /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
4244 if (has_enough_rights) {
4248 /* ok! user info levels (lots: see MSDEV help), off we go... */
4250 switch (switch_value) {
4253 status = set_user_info_7(p->mem_ctx,
4258 if (!set_user_info_16(&info->info16, pwd)) {
4259 status = NT_STATUS_ACCESS_DENIED;
4264 /* Used by AS/U JRA. */
4265 if (!set_user_info_18(&info->info18, pwd)) {
4266 status = NT_STATUS_ACCESS_DENIED;
4271 if (!set_user_info_20(&info->info20, pwd)) {
4272 status = NT_STATUS_ACCESS_DENIED;
4277 status = set_user_info_21(p->mem_ctx,
4278 &info->info21, pwd);
4282 if (!p->server_info->user_session_key.length) {
4283 status = NT_STATUS_NO_USER_SESSION_KEY;
4285 SamOEMhashBlob(info->info23.password.data, 516,
4286 &p->server_info->user_session_key);
4288 dump_data(100, info->info23.password.data, 516);
4290 status = set_user_info_23(p->mem_ctx,
4291 &info->info23, pwd);
4295 if (!p->server_info->user_session_key.length) {
4296 status = NT_STATUS_NO_USER_SESSION_KEY;
4298 SamOEMhashBlob(info->info24.password.data,
4300 &p->server_info->user_session_key);
4302 dump_data(100, info->info24.password.data, 516);
4304 if (!set_user_info_pw(info->info24.password.data, pwd,
4306 status = NT_STATUS_ACCESS_DENIED;
4311 if (!p->server_info->user_session_key.length) {
4312 status = NT_STATUS_NO_USER_SESSION_KEY;
4314 encode_or_decode_arc4_passwd_buffer(
4315 info->info25.password.data,
4316 &p->server_info->user_session_key);
4318 dump_data(100, info->info25.password.data, 532);
4320 status = set_user_info_25(p->mem_ctx,
4321 &info->info25, pwd);
4322 if (!NT_STATUS_IS_OK(status)) {
4325 if (!set_user_info_pw(info->info25.password.data, pwd,
4327 status = NT_STATUS_ACCESS_DENIED;
4332 if (!p->server_info->user_session_key.length) {
4333 status = NT_STATUS_NO_USER_SESSION_KEY;
4335 encode_or_decode_arc4_passwd_buffer(
4336 info->info26.password.data,
4337 &p->server_info->user_session_key);
4339 dump_data(100, info->info26.password.data, 516);
4341 if (!set_user_info_pw(info->info26.password.data, pwd,
4343 status = NT_STATUS_ACCESS_DENIED;
4348 status = NT_STATUS_INVALID_INFO_CLASS;
4353 if (has_enough_rights) {
4357 /* ================ END SeMachineAccountPrivilege BLOCK ================ */
4359 if (NT_STATUS_IS_OK(status)) {
4360 force_flush_samr_cache(disp_info);
4366 /*******************************************************************
4368 ********************************************************************/
4370 NTSTATUS _samr_SetUserInfo(pipes_struct *p,
4371 struct samr_SetUserInfo *r)
4373 return samr_SetUserInfo_internal("_samr_SetUserInfo",
4380 /*******************************************************************
4382 ********************************************************************/
4384 NTSTATUS _samr_SetUserInfo2(pipes_struct *p,
4385 struct samr_SetUserInfo2 *r)
4387 return samr_SetUserInfo_internal("_samr_SetUserInfo2",
4394 /*********************************************************************
4395 _samr_GetAliasMembership
4396 *********************************************************************/
4398 NTSTATUS _samr_GetAliasMembership(pipes_struct *p,
4399 struct samr_GetAliasMembership *r)
4401 size_t num_alias_rids;
4403 struct samr_info *info = NULL;
4411 DEBUG(5,("_samr_GetAliasMembership: %d\n", __LINE__));
4413 /* find the policy handle. open a policy on it. */
4414 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
4415 return NT_STATUS_INVALID_HANDLE;
4417 ntstatus1 = access_check_samr_function(info->acc_granted,
4418 SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM,
4419 "_samr_GetAliasMembership");
4420 ntstatus2 = access_check_samr_function(info->acc_granted,
4421 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
4422 "_samr_GetAliasMembership");
4424 if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
4425 if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
4426 !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {
4427 return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1;
4431 if (!sid_check_is_domain(&info->sid) &&
4432 !sid_check_is_builtin(&info->sid))
4433 return NT_STATUS_OBJECT_TYPE_MISMATCH;
4435 if (r->in.sids->num_sids) {
4436 members = TALLOC_ARRAY(p->mem_ctx, DOM_SID, r->in.sids->num_sids);
4438 if (members == NULL)
4439 return NT_STATUS_NO_MEMORY;
4444 for (i=0; i<r->in.sids->num_sids; i++)
4445 sid_copy(&members[i], r->in.sids->sids[i].sid);
4451 ntstatus1 = pdb_enum_alias_memberships(p->mem_ctx, &info->sid, members,
4452 r->in.sids->num_sids,
4453 &alias_rids, &num_alias_rids);
4456 if (!NT_STATUS_IS_OK(ntstatus1)) {
4460 r->out.rids->count = num_alias_rids;
4461 r->out.rids->ids = alias_rids;
4463 return NT_STATUS_OK;
4466 /*********************************************************************
4467 _samr_GetMembersInAlias
4468 *********************************************************************/
4470 NTSTATUS _samr_GetMembersInAlias(pipes_struct *p,
4471 struct samr_GetMembersInAlias *r)
4475 size_t num_sids = 0;
4476 struct lsa_SidPtr *sids = NULL;
4477 DOM_SID *pdb_sids = NULL;
4483 /* find the policy handle. open a policy on it. */
4484 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, NULL))
4485 return NT_STATUS_INVALID_HANDLE;
4487 status = access_check_samr_function(acc_granted,
4488 SA_RIGHT_ALIAS_GET_MEMBERS,
4489 "_samr_GetMembersInAlias");
4490 if (!NT_STATUS_IS_OK(status)) {
4494 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4497 status = pdb_enum_aliasmem(&alias_sid, &pdb_sids, &num_sids);
4500 if (!NT_STATUS_IS_OK(status)) {
4505 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr, num_sids);
4507 TALLOC_FREE(pdb_sids);
4508 return NT_STATUS_NO_MEMORY;
4512 for (i = 0; i < num_sids; i++) {
4513 sids[i].sid = sid_dup_talloc(p->mem_ctx, &pdb_sids[i]);
4515 TALLOC_FREE(pdb_sids);
4516 return NT_STATUS_NO_MEMORY;
4520 r->out.sids->num_sids = num_sids;
4521 r->out.sids->sids = sids;
4523 TALLOC_FREE(pdb_sids);
4525 return NT_STATUS_OK;
4528 /*********************************************************************
4529 _samr_QueryGroupMember
4530 *********************************************************************/
4532 NTSTATUS _samr_QueryGroupMember(pipes_struct *p,
4533 struct samr_QueryGroupMember *r)
4536 size_t i, num_members;
4544 struct samr_RidTypeArray *rids = NULL;
4546 rids = TALLOC_ZERO_P(p->mem_ctx, struct samr_RidTypeArray);
4548 return NT_STATUS_NO_MEMORY;
4551 /* find the policy handle. open a policy on it. */
4552 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL))
4553 return NT_STATUS_INVALID_HANDLE;
4555 status = access_check_samr_function(acc_granted,
4556 SA_RIGHT_GROUP_GET_MEMBERS,
4557 "_samr_QueryGroupMember");
4558 if (!NT_STATUS_IS_OK(status)) {
4562 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4564 if (!sid_check_is_in_our_domain(&group_sid)) {
4565 DEBUG(3, ("sid %s is not in our domain\n",
4566 sid_string_dbg(&group_sid)));
4567 return NT_STATUS_NO_SUCH_GROUP;
4570 DEBUG(10, ("lookup on Domain SID\n"));
4573 status = pdb_enum_group_members(p->mem_ctx, &group_sid,
4574 &rid, &num_members);
4577 if (!NT_STATUS_IS_OK(status))
4581 attr=TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_members);
4583 return NT_STATUS_NO_MEMORY;
4589 for (i=0; i<num_members; i++)
4590 attr[i] = SID_NAME_USER;
4592 rids->count = num_members;
4596 *r->out.rids = rids;
4598 return NT_STATUS_OK;
4601 /*********************************************************************
4602 _samr_AddAliasMember
4603 *********************************************************************/
4605 NTSTATUS _samr_AddAliasMember(pipes_struct *p,
4606 struct samr_AddAliasMember *r)
4611 bool can_add_accounts;
4613 DISP_INFO *disp_info = NULL;
4615 /* Find the policy handle. Open a policy on it. */
4616 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4617 return NT_STATUS_INVALID_HANDLE;
4619 status = access_check_samr_function(acc_granted,
4620 SA_RIGHT_ALIAS_ADD_MEMBER,
4621 "_samr_AddAliasMember");
4622 if (!NT_STATUS_IS_OK(status)) {
4626 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
4628 se_priv_copy( &se_rights, &se_add_users );
4629 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4631 /******** BEGIN SeAddUsers BLOCK *********/
4633 if ( can_add_accounts )
4636 status = pdb_add_aliasmem(&alias_sid, r->in.sid);
4638 if ( can_add_accounts )
4641 /******** END SeAddUsers BLOCK *********/
4643 if (NT_STATUS_IS_OK(status)) {
4644 force_flush_samr_cache(disp_info);
4650 /*********************************************************************
4651 _samr_DeleteAliasMember
4652 *********************************************************************/
4654 NTSTATUS _samr_DeleteAliasMember(pipes_struct *p,
4655 struct samr_DeleteAliasMember *r)
4660 bool can_add_accounts;
4662 DISP_INFO *disp_info = NULL;
4664 /* Find the policy handle. Open a policy on it. */
4665 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4666 return NT_STATUS_INVALID_HANDLE;
4668 status = access_check_samr_function(acc_granted,
4669 SA_RIGHT_ALIAS_REMOVE_MEMBER,
4670 "_samr_DeleteAliasMember");
4671 if (!NT_STATUS_IS_OK(status)) {
4675 DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
4676 sid_string_dbg(&alias_sid)));
4678 se_priv_copy( &se_rights, &se_add_users );
4679 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4681 /******** BEGIN SeAddUsers BLOCK *********/
4683 if ( can_add_accounts )
4686 status = pdb_del_aliasmem(&alias_sid, r->in.sid);
4688 if ( can_add_accounts )
4691 /******** END SeAddUsers BLOCK *********/
4693 if (NT_STATUS_IS_OK(status)) {
4694 force_flush_samr_cache(disp_info);
4700 /*********************************************************************
4701 _samr_AddGroupMember
4702 *********************************************************************/
4704 NTSTATUS _samr_AddGroupMember(pipes_struct *p,
4705 struct samr_AddGroupMember *r)
4712 bool can_add_accounts;
4713 DISP_INFO *disp_info = NULL;
4715 /* Find the policy handle. Open a policy on it. */
4716 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4717 return NT_STATUS_INVALID_HANDLE;
4719 status = access_check_samr_function(acc_granted,
4720 SA_RIGHT_GROUP_ADD_MEMBER,
4721 "_samr_AddGroupMember");
4722 if (!NT_STATUS_IS_OK(status)) {
4726 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4728 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4730 return NT_STATUS_INVALID_HANDLE;
4733 se_priv_copy( &se_rights, &se_add_users );
4734 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4736 /******** BEGIN SeAddUsers BLOCK *********/
4738 if ( can_add_accounts )
4741 status = pdb_add_groupmem(p->mem_ctx, group_rid, r->in.rid);
4743 if ( can_add_accounts )
4746 /******** END SeAddUsers BLOCK *********/
4748 force_flush_samr_cache(disp_info);
4753 /*********************************************************************
4754 _samr_DeleteGroupMember
4755 *********************************************************************/
4757 NTSTATUS _samr_DeleteGroupMember(pipes_struct *p,
4758 struct samr_DeleteGroupMember *r)
4766 bool can_add_accounts;
4767 DISP_INFO *disp_info = NULL;
4770 * delete the group member named r->in.rid
4771 * who is a member of the sid associated with the handle
4772 * the rid is a user's rid as the group is a domain group.
4775 /* Find the policy handle. Open a policy on it. */
4776 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4777 return NT_STATUS_INVALID_HANDLE;
4779 status = access_check_samr_function(acc_granted,
4780 SA_RIGHT_GROUP_REMOVE_MEMBER,
4781 "_samr_DeleteGroupMember");
4782 if (!NT_STATUS_IS_OK(status)) {
4786 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4788 return NT_STATUS_INVALID_HANDLE;
4791 se_priv_copy( &se_rights, &se_add_users );
4792 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4794 /******** BEGIN SeAddUsers BLOCK *********/
4796 if ( can_add_accounts )
4799 status = pdb_del_groupmem(p->mem_ctx, group_rid, r->in.rid);
4801 if ( can_add_accounts )
4804 /******** END SeAddUsers BLOCK *********/
4806 force_flush_samr_cache(disp_info);
4811 /*********************************************************************
4813 *********************************************************************/
4815 NTSTATUS _samr_DeleteUser(pipes_struct *p,
4816 struct samr_DeleteUser *r)
4820 struct samu *sam_pass=NULL;
4822 bool can_add_accounts;
4824 DISP_INFO *disp_info = NULL;
4827 DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__));
4829 /* Find the policy handle. Open a policy on it. */
4830 if (!get_lsa_policy_samr_sid(p, r->in.user_handle, &user_sid, &acc_granted, &disp_info))
4831 return NT_STATUS_INVALID_HANDLE;
4833 status = access_check_samr_function(acc_granted,
4834 STD_RIGHT_DELETE_ACCESS,
4835 "_samr_DeleteUser");
4836 if (!NT_STATUS_IS_OK(status)) {
4840 if (!sid_check_is_in_our_domain(&user_sid))
4841 return NT_STATUS_CANNOT_DELETE;
4843 /* check if the user exists before trying to delete */
4844 if ( !(sam_pass = samu_new( NULL )) ) {
4845 return NT_STATUS_NO_MEMORY;
4849 ret = pdb_getsampwsid(sam_pass, &user_sid);
4853 DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
4854 sid_string_dbg(&user_sid)));
4855 TALLOC_FREE(sam_pass);
4856 return NT_STATUS_NO_SUCH_USER;
4859 acb_info = pdb_get_acct_ctrl(sam_pass);
4861 /* For machine accounts it's the SeMachineAccountPrivilege that counts. */
4862 if ( acb_info & ACB_WSTRUST ) {
4863 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account );
4865 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
4868 /******** BEGIN SeAddUsers BLOCK *********/
4870 if ( can_add_accounts )
4873 status = pdb_delete_user(p->mem_ctx, sam_pass);
4875 if ( can_add_accounts )
4878 /******** END SeAddUsers BLOCK *********/
4880 if ( !NT_STATUS_IS_OK(status) ) {
4881 DEBUG(5,("_samr_DeleteUser: Failed to delete entry for "
4882 "user %s: %s.\n", pdb_get_username(sam_pass),
4883 nt_errstr(status)));
4884 TALLOC_FREE(sam_pass);
4889 TALLOC_FREE(sam_pass);
4891 if (!close_policy_hnd(p, r->in.user_handle))
4892 return NT_STATUS_OBJECT_NAME_INVALID;
4894 ZERO_STRUCTP(r->out.user_handle);
4896 force_flush_samr_cache(disp_info);
4898 return NT_STATUS_OK;
4901 /*********************************************************************
4902 _samr_DeleteDomainGroup
4903 *********************************************************************/
4905 NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p,
4906 struct samr_DeleteDomainGroup *r)
4913 bool can_add_accounts;
4914 DISP_INFO *disp_info = NULL;
4916 DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__));
4918 /* Find the policy handle. Open a policy on it. */
4919 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
4920 return NT_STATUS_INVALID_HANDLE;
4922 status = access_check_samr_function(acc_granted,
4923 STD_RIGHT_DELETE_ACCESS,
4924 "_samr_DeleteDomainGroup");
4925 if (!NT_STATUS_IS_OK(status)) {
4929 DEBUG(10, ("sid is %s\n", sid_string_dbg(&group_sid)));
4931 if (!sid_peek_check_rid(get_global_sam_sid(), &group_sid,
4933 return NT_STATUS_NO_SUCH_GROUP;
4936 se_priv_copy( &se_rights, &se_add_users );
4937 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
4939 /******** BEGIN SeAddUsers BLOCK *********/
4941 if ( can_add_accounts )
4944 status = pdb_delete_dom_group(p->mem_ctx, group_rid);
4946 if ( can_add_accounts )
4949 /******** END SeAddUsers BLOCK *********/
4951 if ( !NT_STATUS_IS_OK(status) ) {
4952 DEBUG(5,("_samr_DeleteDomainGroup: Failed to delete mapping "
4953 "entry for group %s: %s\n",
4954 sid_string_dbg(&group_sid),
4955 nt_errstr(status)));
4959 if (!close_policy_hnd(p, r->in.group_handle))
4960 return NT_STATUS_OBJECT_NAME_INVALID;
4962 force_flush_samr_cache(disp_info);
4964 return NT_STATUS_OK;
4967 /*********************************************************************
4968 _samr_DeleteDomAlias
4969 *********************************************************************/
4971 NTSTATUS _samr_DeleteDomAlias(pipes_struct *p,
4972 struct samr_DeleteDomAlias *r)
4977 bool can_add_accounts;
4979 DISP_INFO *disp_info = NULL;
4981 DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__));
4983 /* Find the policy handle. Open a policy on it. */
4984 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &alias_sid, &acc_granted, &disp_info))
4985 return NT_STATUS_INVALID_HANDLE;
4987 /* copy the handle to the outgoing reply */
4989 memcpy(r->out.alias_handle, r->in.alias_handle, sizeof(r->out.alias_handle));
4991 status = access_check_samr_function(acc_granted,
4992 STD_RIGHT_DELETE_ACCESS,
4993 "_samr_DeleteDomAlias");
4994 if (!NT_STATUS_IS_OK(status)) {
4998 DEBUG(10, ("sid is %s\n", sid_string_dbg(&alias_sid)));
5000 /* Don't let Windows delete builtin groups */
5002 if ( sid_check_is_in_builtin( &alias_sid ) ) {
5003 return NT_STATUS_SPECIAL_ACCOUNT;
5006 if (!sid_check_is_in_our_domain(&alias_sid))
5007 return NT_STATUS_NO_SUCH_ALIAS;
5009 DEBUG(10, ("lookup on Local SID\n"));
5011 se_priv_copy( &se_rights, &se_add_users );
5012 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
5014 /******** BEGIN SeAddUsers BLOCK *********/
5016 if ( can_add_accounts )
5019 /* Have passdb delete the alias */
5020 status = pdb_delete_alias(&alias_sid);
5022 if ( can_add_accounts )
5025 /******** END SeAddUsers BLOCK *********/
5027 if ( !NT_STATUS_IS_OK(status))
5030 if (!close_policy_hnd(p, r->in.alias_handle))
5031 return NT_STATUS_OBJECT_NAME_INVALID;
5033 force_flush_samr_cache(disp_info);
5035 return NT_STATUS_OK;
5038 /*********************************************************************
5039 _samr_CreateDomainGroup
5040 *********************************************************************/
5042 NTSTATUS _samr_CreateDomainGroup(pipes_struct *p,
5043 struct samr_CreateDomainGroup *r)
5050 struct samr_info *info;
5053 bool can_add_accounts;
5054 DISP_INFO *disp_info = NULL;
5056 /* Find the policy handle. Open a policy on it. */
5057 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info))
5058 return NT_STATUS_INVALID_HANDLE;
5060 status = access_check_samr_function(acc_granted,
5061 SA_RIGHT_DOMAIN_CREATE_GROUP,
5062 "_samr_CreateDomainGroup");
5063 if (!NT_STATUS_IS_OK(status)) {
5067 if (!sid_equal(&dom_sid, get_global_sam_sid()))
5068 return NT_STATUS_ACCESS_DENIED;
5070 name = r->in.name->string;
5072 return NT_STATUS_NO_MEMORY;
5075 status = can_create(p->mem_ctx, name);
5076 if (!NT_STATUS_IS_OK(status)) {
5080 se_priv_copy( &se_rights, &se_add_users );
5081 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
5083 /******** BEGIN SeAddUsers BLOCK *********/
5085 if ( can_add_accounts )
5088 /* check that we successfully create the UNIX group */
5090 status = pdb_create_dom_group(p->mem_ctx, name, r->out.rid);
5092 if ( can_add_accounts )
5095 /******** END SeAddUsers BLOCK *********/
5097 /* check if we should bail out here */
5099 if ( !NT_STATUS_IS_OK(status) )
5102 sid_compose(&info_sid, get_global_sam_sid(), *r->out.rid);
5104 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
5105 return NT_STATUS_NO_MEMORY;
5107 /* they created it; let the user do what he wants with it */
5109 info->acc_granted = GENERIC_RIGHTS_GROUP_ALL_ACCESS;
5111 /* get a (unique) handle. open a policy on it. */
5112 if (!create_policy_hnd(p, r->out.group_handle, free_samr_info, (void *)info))
5113 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5115 force_flush_samr_cache(disp_info);
5117 return NT_STATUS_OK;
5120 /*********************************************************************
5121 _samr_CreateDomAlias
5122 *********************************************************************/
5124 NTSTATUS _samr_CreateDomAlias(pipes_struct *p,
5125 struct samr_CreateDomAlias *r)
5129 const char *name = NULL;
5130 struct samr_info *info;
5135 bool can_add_accounts;
5136 DISP_INFO *disp_info = NULL;
5138 /* Find the policy handle. Open a policy on it. */
5139 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &dom_sid, &acc_granted, &disp_info))
5140 return NT_STATUS_INVALID_HANDLE;
5142 result = access_check_samr_function(acc_granted,
5143 SA_RIGHT_DOMAIN_CREATE_ALIAS,
5144 "_samr_CreateDomAlias");
5145 if (!NT_STATUS_IS_OK(result)) {
5149 if (!sid_equal(&dom_sid, get_global_sam_sid()))
5150 return NT_STATUS_ACCESS_DENIED;
5152 name = r->in.alias_name->string;
5154 se_priv_copy( &se_rights, &se_add_users );
5155 can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
5157 result = can_create(p->mem_ctx, name);
5158 if (!NT_STATUS_IS_OK(result)) {
5162 /******** BEGIN SeAddUsers BLOCK *********/
5164 if ( can_add_accounts )
5167 /* Have passdb create the alias */
5168 result = pdb_create_alias(name, r->out.rid);
5170 if ( can_add_accounts )
5173 /******** END SeAddUsers BLOCK *********/
5175 if (!NT_STATUS_IS_OK(result)) {
5176 DEBUG(10, ("pdb_create_alias failed: %s\n",
5177 nt_errstr(result)));
5181 sid_copy(&info_sid, get_global_sam_sid());
5182 sid_append_rid(&info_sid, *r->out.rid);
5184 if (!sid_to_gid(&info_sid, &gid)) {
5185 DEBUG(10, ("Could not find alias just created\n"));
5186 return NT_STATUS_ACCESS_DENIED;
5189 /* check if the group has been successfully created */
5190 if ( getgrgid(gid) == NULL ) {
5191 DEBUG(10, ("getgrgid(%d) of just created alias failed\n",
5193 return NT_STATUS_ACCESS_DENIED;
5196 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
5197 return NT_STATUS_NO_MEMORY;
5199 /* they created it; let the user do what he wants with it */
5201 info->acc_granted = GENERIC_RIGHTS_ALIAS_ALL_ACCESS;
5203 /* get a (unique) handle. open a policy on it. */
5204 if (!create_policy_hnd(p, r->out.alias_handle, free_samr_info, (void *)info))
5205 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5207 force_flush_samr_cache(disp_info);
5209 return NT_STATUS_OK;
5212 /*********************************************************************
5213 _samr_QueryGroupInfo
5214 *********************************************************************/
5216 NTSTATUS _samr_QueryGroupInfo(pipes_struct *p,
5217 struct samr_QueryGroupInfo *r)
5222 union samr_GroupInfo *info = NULL;
5225 uint32_t attributes = SE_GROUP_MANDATORY |
5226 SE_GROUP_ENABLED_BY_DEFAULT |
5228 const char *group_name = NULL;
5229 const char *group_description = NULL;
5231 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, NULL))
5232 return NT_STATUS_INVALID_HANDLE;
5234 status = access_check_samr_function(acc_granted,
5235 SA_RIGHT_GROUP_LOOKUP_INFO,
5236 "_samr_QueryGroupInfo");
5237 if (!NT_STATUS_IS_OK(status)) {
5242 ret = get_domain_group_from_sid(group_sid, &map);
5245 return NT_STATUS_INVALID_HANDLE;
5247 /* FIXME: map contains fstrings */
5248 group_name = talloc_strdup(r, map.nt_name);
5249 group_description = talloc_strdup(r, map.comment);
5251 info = TALLOC_ZERO_P(p->mem_ctx, union samr_GroupInfo);
5253 return NT_STATUS_NO_MEMORY;
5256 switch (r->in.level) {
5262 status = pdb_enum_group_members(
5263 p->mem_ctx, &group_sid, &members, &num_members);
5266 if (!NT_STATUS_IS_OK(status)) {
5270 init_samr_group_info1(&info->all,
5278 init_samr_group_info2(&info->name,
5282 init_samr_group_info3(&info->attributes,
5286 init_samr_group_info4(&info->description,
5297 status = pdb_enum_group_members(
5298 p->mem_ctx, &group_sid, &members, &num_members);
5301 if (!NT_STATUS_IS_OK(status)) {
5305 init_samr_group_info5(&info->all2,
5308 0, /* num_members - in w2k3 this is always 0 */
5314 return NT_STATUS_INVALID_INFO_CLASS;
5317 *r->out.info = info;
5319 return NT_STATUS_OK;
5322 /*********************************************************************
5324 *********************************************************************/
5326 NTSTATUS _samr_SetGroupInfo(pipes_struct *p,
5327 struct samr_SetGroupInfo *r)
5334 bool can_mod_accounts;
5335 DISP_INFO *disp_info = NULL;
5337 if (!get_lsa_policy_samr_sid(p, r->in.group_handle, &group_sid, &acc_granted, &disp_info))
5338 return NT_STATUS_INVALID_HANDLE;
5340 status = access_check_samr_function(acc_granted,
5341 SA_RIGHT_GROUP_SET_INFO,
5342 "_samr_SetGroupInfo");
5343 if (!NT_STATUS_IS_OK(status)) {
5348 ret = get_domain_group_from_sid(group_sid, &map);
5351 return NT_STATUS_NO_SUCH_GROUP;
5353 switch (r->in.level) {
5355 fstrcpy(map.comment, r->in.info->all.description.string);
5358 fstrcpy(map.comment, r->in.info->description.string);
5361 return NT_STATUS_INVALID_INFO_CLASS;
5364 can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
5366 /******** BEGIN SeAddUsers BLOCK *********/
5368 if ( can_mod_accounts )
5371 status = pdb_update_group_mapping_entry(&map);
5373 if ( can_mod_accounts )
5376 /******** End SeAddUsers BLOCK *********/
5378 if (NT_STATUS_IS_OK(status)) {
5379 force_flush_samr_cache(disp_info);
5385 /*********************************************************************
5387 *********************************************************************/
5389 NTSTATUS _samr_SetAliasInfo(pipes_struct *p,
5390 struct samr_SetAliasInfo *r)
5393 struct acct_info info;
5395 bool can_mod_accounts;
5397 DISP_INFO *disp_info = NULL;
5399 if (!get_lsa_policy_samr_sid(p, r->in.alias_handle, &group_sid, &acc_granted, &disp_info))
5400 return NT_STATUS_INVALID_HANDLE;
5402 status = access_check_samr_function(acc_granted,
5403 SA_RIGHT_ALIAS_SET_INFO,
5404 "_samr_SetAliasInfo");
5405 if (!NT_STATUS_IS_OK(status)) {
5409 /* get the current group information */
5412 status = pdb_get_aliasinfo( &group_sid, &info );
5415 if ( !NT_STATUS_IS_OK(status))
5418 switch (r->in.level) {
5423 /* We currently do not support renaming groups in the
5424 the BUILTIN domain. Refer to util_builtin.c to understand
5425 why. The eventually needs to be fixed to be like Windows
5426 where you can rename builtin groups, just not delete them */
5428 if ( sid_check_is_in_builtin( &group_sid ) ) {
5429 return NT_STATUS_SPECIAL_ACCOUNT;
5432 /* There has to be a valid name (and it has to be different) */
5434 if ( !r->in.info->name.string )
5435 return NT_STATUS_INVALID_PARAMETER;
5437 /* If the name is the same just reply "ok". Yes this
5438 doesn't allow you to change the case of a group name. */
5440 if ( strequal( r->in.info->name.string, info.acct_name ) )
5441 return NT_STATUS_OK;
5443 fstrcpy( info.acct_name, r->in.info->name.string);
5445 /* make sure the name doesn't already exist as a user
5448 fstr_sprintf( group_name, "%s\\%s", global_myname(), info.acct_name );
5449 status = can_create( p->mem_ctx, group_name );
5450 if ( !NT_STATUS_IS_OK( status ) )
5454 case ALIASINFODESCRIPTION:
5455 if (r->in.info->description.string) {
5456 fstrcpy(info.acct_desc,
5457 r->in.info->description.string);
5459 fstrcpy( info.acct_desc, "" );
5463 return NT_STATUS_INVALID_INFO_CLASS;
5466 can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
5468 /******** BEGIN SeAddUsers BLOCK *********/
5470 if ( can_mod_accounts )
5473 status = pdb_set_aliasinfo( &group_sid, &info );
5475 if ( can_mod_accounts )
5478 /******** End SeAddUsers BLOCK *********/
5480 if (NT_STATUS_IS_OK(status))
5481 force_flush_samr_cache(disp_info);
5486 /****************************************************************
5488 ****************************************************************/
5490 NTSTATUS _samr_GetDomPwInfo(pipes_struct *p,
5491 struct samr_GetDomPwInfo *r)
5493 uint32_t min_password_length = 0;
5494 uint32_t password_properties = 0;
5496 /* Perform access check. Since this rpc does not require a
5497 policy handle it will not be caught by the access checks on
5498 SAMR_CONNECT or SAMR_CONNECT_ANON. */
5500 if (!pipe_access_check(p)) {
5501 DEBUG(3, ("access denied to _samr_GetDomPwInfo\n"));
5502 return NT_STATUS_ACCESS_DENIED;
5506 pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
5507 &min_password_length);
5508 pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
5509 &password_properties);
5512 if (lp_check_password_script() && *lp_check_password_script()) {
5513 password_properties |= DOMAIN_PASSWORD_COMPLEX;
5516 r->out.info->min_password_length = min_password_length;
5517 r->out.info->password_properties = password_properties;
5519 return NT_STATUS_OK;
5522 /*********************************************************************
5524 *********************************************************************/
5526 NTSTATUS _samr_OpenGroup(pipes_struct *p,
5527 struct samr_OpenGroup *r)
5533 struct samr_info *info;
5534 SEC_DESC *psd = NULL;
5536 uint32 des_access = r->in.access_mask;
5543 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &sid, &acc_granted, NULL))
5544 return NT_STATUS_INVALID_HANDLE;
5546 status = access_check_samr_function(acc_granted,
5547 SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
5550 if ( !NT_STATUS_IS_OK(status) )
5553 /*check if access can be granted as requested by client. */
5554 map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
5556 make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
5557 se_map_generic(&des_access,&grp_generic_mapping);
5559 se_priv_copy( &se_rights, &se_add_users );
5561 status = access_check_samr_object(psd, p->pipe_user.nt_user_token,
5562 &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access,
5563 &acc_granted, "_samr_OpenGroup");
5565 if ( !NT_STATUS_IS_OK(status) )
5568 /* this should not be hard-coded like this */
5570 if (!sid_equal(&sid, get_global_sam_sid()))
5571 return NT_STATUS_ACCESS_DENIED;
5573 sid_copy(&info_sid, get_global_sam_sid());
5574 sid_append_rid(&info_sid, r->in.rid);
5575 sid_to_fstring(sid_string, &info_sid);
5577 if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
5578 return NT_STATUS_NO_MEMORY;
5580 info->acc_granted = acc_granted;
5582 DEBUG(10, ("_samr_OpenGroup:Opening SID: %s\n", sid_string));
5584 /* check if that group really exists */
5586 ret = get_domain_group_from_sid(info->sid, &map);
5589 return NT_STATUS_NO_SUCH_GROUP;
5591 /* get a (unique) handle. open a policy on it. */
5592 if (!create_policy_hnd(p, r->out.group_handle, free_samr_info, (void *)info))
5593 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5595 return NT_STATUS_OK;
5598 /*********************************************************************
5599 _samr_RemoveMemberFromForeignDomain
5600 *********************************************************************/
5602 NTSTATUS _samr_RemoveMemberFromForeignDomain(pipes_struct *p,
5603 struct samr_RemoveMemberFromForeignDomain *r)
5605 DOM_SID delete_sid, domain_sid;
5608 DISP_INFO *disp_info = NULL;
5610 sid_copy( &delete_sid, r->in.sid );
5612 DEBUG(5,("_samr_RemoveMemberFromForeignDomain: removing SID [%s]\n",
5613 sid_string_dbg(&delete_sid)));
5615 /* Find the policy handle. Open a policy on it. */
5617 if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &domain_sid,
5618 &acc_granted, &disp_info))
5619 return NT_STATUS_INVALID_HANDLE;
5621 result = access_check_samr_function(acc_granted,
5622 STD_RIGHT_DELETE_ACCESS,
5623 "_samr_RemoveMemberFromForeignDomain");
5625 if (!NT_STATUS_IS_OK(result))
5628 DEBUG(8, ("_samr_RemoveMemberFromForeignDomain: sid is %s\n",
5629 sid_string_dbg(&domain_sid)));
5631 /* we can only delete a user from a group since we don't have
5632 nested groups anyways. So in the latter case, just say OK */
5634 /* TODO: The above comment nowadays is bogus. Since we have nested
5635 * groups now, and aliases members are never reported out of the unix
5636 * group membership, the "just say OK" makes this call a no-op. For
5637 * us. This needs fixing however. */
5639 /* I've only ever seen this in the wild when deleting a user from
5640 * usrmgr.exe. domain_sid is the builtin domain, and the sid to delete
5641 * is the user about to be deleted. I very much suspect this is the
5642 * only application of this call. To verify this, let people report
5645 if (!sid_check_is_builtin(&domain_sid)) {
5646 DEBUG(1,("_samr_RemoveMemberFromForeignDomain: domain_sid = %s, "
5647 "global_sam_sid() = %s\n",
5648 sid_string_dbg(&domain_sid),
5649 sid_string_dbg(get_global_sam_sid())));
5650 DEBUGADD(1,("please report to samba-technical@samba.org!\n"));
5651 return NT_STATUS_OK;
5654 force_flush_samr_cache(disp_info);
5656 result = NT_STATUS_OK;
5661 /*******************************************************************
5662 _samr_QueryDomainInfo2
5663 ********************************************************************/
5665 NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p,
5666 struct samr_QueryDomainInfo2 *r)
5668 struct samr_QueryDomainInfo q;
5670 q.in.domain_handle = r->in.domain_handle;
5671 q.in.level = r->in.level;
5673 q.out.info = r->out.info;
5675 return _samr_QueryDomainInfo(p, &q);
5678 /*******************************************************************
5680 ********************************************************************/
5682 NTSTATUS _samr_SetDomainInfo(pipes_struct *p,
5683 struct samr_SetDomainInfo *r)
5685 struct samr_info *info = NULL;
5686 time_t u_expire, u_min_age;
5688 time_t u_lock_duration, u_reset_time;
5691 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
5693 /* find the policy handle. open a policy on it. */
5694 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
5695 return NT_STATUS_INVALID_HANDLE;
5697 /* We do have different access bits for info
5698 * levels here, but we're really just looking for
5699 * GENERIC_RIGHTS_DOMAIN_WRITE access. Unfortunately
5700 * this maps to different specific bits. So
5701 * assume if we have SA_RIGHT_DOMAIN_SET_INFO_1
5704 result = access_check_samr_function(info->acc_granted,
5705 SA_RIGHT_DOMAIN_SET_INFO_1,
5706 "_samr_SetDomainInfo");
5708 if (!NT_STATUS_IS_OK(result))
5711 DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level));
5713 switch (r->in.level) {
5715 u_expire=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.max_password_age);
5716 u_min_age=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.min_password_age);
5717 pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)r->in.info->info1.min_password_length);
5718 pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)r->in.info->info1.password_history_length);
5719 pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)r->in.info->info1.password_properties);
5720 pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire);
5721 pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age);
5726 u_logout=nt_time_to_unix_abs((NTTIME *)&r->in.info->info3.force_logoff_time);
5727 pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout);
5736 u_lock_duration=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_duration);
5737 if (u_lock_duration != -1)
5738 u_lock_duration /= 60;
5740 u_reset_time=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_window)/60;
5742 pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
5743 pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time);
5744 pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)r->in.info->info12.lockout_threshold);
5747 return NT_STATUS_INVALID_INFO_CLASS;
5750 DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
5752 return NT_STATUS_OK;
5755 /****************************************************************
5756 _samr_GetDisplayEnumerationIndex
5757 ****************************************************************/
5759 NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p,
5760 struct samr_GetDisplayEnumerationIndex *r)
5762 struct samr_info *info = NULL;
5763 uint32_t max_entries = (uint32_t) -1;
5764 uint32_t enum_context = 0;
5766 uint32_t num_account = 0;
5767 struct samr_displayentry *entries = NULL;
5770 DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__));
5772 /* find the policy handle. open a policy on it. */
5773 if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) {
5774 return NT_STATUS_INVALID_HANDLE;
5777 status = access_check_samr_function(info->acc_granted,
5778 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
5779 "_samr_GetDisplayEnumerationIndex");
5780 if (!NT_STATUS_IS_OK(status)) {
5784 if ((r->in.level < 1) || (r->in.level > 3)) {
5785 DEBUG(0,("_samr_GetDisplayEnumerationIndex: "
5786 "Unknown info level (%u)\n",
5788 return NT_STATUS_INVALID_INFO_CLASS;
5793 /* The following done as ROOT. Don't return without unbecome_root(). */
5795 switch (r->in.level) {
5797 if (info->disp_info->users == NULL) {
5798 info->disp_info->users = pdb_search_users(ACB_NORMAL);
5799 if (info->disp_info->users == NULL) {
5801 return NT_STATUS_ACCESS_DENIED;
5803 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5804 "starting user enumeration at index %u\n",
5805 (unsigned int)enum_context));
5807 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5808 "using cached user enumeration at index %u\n",
5809 (unsigned int)enum_context));
5811 num_account = pdb_search_entries(info->disp_info->users,
5812 enum_context, max_entries,
5816 if (info->disp_info->machines == NULL) {
5817 info->disp_info->machines =
5818 pdb_search_users(ACB_WSTRUST|ACB_SVRTRUST);
5819 if (info->disp_info->machines == NULL) {
5821 return NT_STATUS_ACCESS_DENIED;
5823 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5824 "starting machine enumeration at index %u\n",
5825 (unsigned int)enum_context));
5827 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5828 "using cached machine enumeration at index %u\n",
5829 (unsigned int)enum_context));
5831 num_account = pdb_search_entries(info->disp_info->machines,
5832 enum_context, max_entries,
5836 if (info->disp_info->groups == NULL) {
5837 info->disp_info->groups = pdb_search_groups();
5838 if (info->disp_info->groups == NULL) {
5840 return NT_STATUS_ACCESS_DENIED;
5842 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5843 "starting group enumeration at index %u\n",
5844 (unsigned int)enum_context));
5846 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5847 "using cached group enumeration at index %u\n",
5848 (unsigned int)enum_context));
5850 num_account = pdb_search_entries(info->disp_info->groups,
5851 enum_context, max_entries,
5856 smb_panic("info class changed");
5862 /* Ensure we cache this enumeration. */
5863 set_disp_info_cache_timeout(info->disp_info, DISP_INFO_CACHE_TIMEOUT);
5865 DEBUG(10,("_samr_GetDisplayEnumerationIndex: looking for :%s\n",
5866 r->in.name->string));
5868 for (i=0; i<num_account; i++) {
5869 if (strequal(entries[i].account_name, r->in.name->string)) {
5870 DEBUG(10,("_samr_GetDisplayEnumerationIndex: "
5871 "found %s at idx %d\n",
5872 r->in.name->string, i));
5874 return NT_STATUS_OK;
5878 /* assuming account_name lives at the very end */
5879 *r->out.idx = num_account;
5881 return NT_STATUS_NO_MORE_ENTRIES;
5884 /****************************************************************
5885 _samr_GetDisplayEnumerationIndex2
5886 ****************************************************************/
5888 NTSTATUS _samr_GetDisplayEnumerationIndex2(pipes_struct *p,
5889 struct samr_GetDisplayEnumerationIndex2 *r)
5891 struct samr_GetDisplayEnumerationIndex q;
5893 q.in.domain_handle = r->in.domain_handle;
5894 q.in.level = r->in.level;
5895 q.in.name = r->in.name;
5897 q.out.idx = r->out.idx;
5899 return _samr_GetDisplayEnumerationIndex(p, &q);
5902 /****************************************************************
5903 ****************************************************************/
5905 NTSTATUS _samr_Shutdown(pipes_struct *p,
5906 struct samr_Shutdown *r)
5908 p->rng_fault_state = true;
5909 return NT_STATUS_NOT_IMPLEMENTED;
5912 /****************************************************************
5913 ****************************************************************/
5915 NTSTATUS _samr_CreateUser(pipes_struct *p,
5916 struct samr_CreateUser *r)
5918 p->rng_fault_state = true;
5919 return NT_STATUS_NOT_IMPLEMENTED;
5922 /****************************************************************
5923 ****************************************************************/
5925 NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p,
5926 struct samr_SetMemberAttributesOfGroup *r)
5928 p->rng_fault_state = true;
5929 return NT_STATUS_NOT_IMPLEMENTED;
5932 /****************************************************************
5933 ****************************************************************/
5935 NTSTATUS _samr_ChangePasswordUser(pipes_struct *p,
5936 struct samr_ChangePasswordUser *r)
5938 p->rng_fault_state = true;
5939 return NT_STATUS_NOT_IMPLEMENTED;
5942 /****************************************************************
5943 ****************************************************************/
5945 NTSTATUS _samr_TestPrivateFunctionsDomain(pipes_struct *p,
5946 struct samr_TestPrivateFunctionsDomain *r)
5948 p->rng_fault_state = true;
5949 return NT_STATUS_NOT_IMPLEMENTED;
5952 /****************************************************************
5953 ****************************************************************/
5955 NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p,
5956 struct samr_TestPrivateFunctionsUser *r)
5958 p->rng_fault_state = true;
5959 return NT_STATUS_NOT_IMPLEMENTED;
5962 /****************************************************************
5963 ****************************************************************/
5965 NTSTATUS _samr_QueryUserInfo2(pipes_struct *p,
5966 struct samr_QueryUserInfo2 *r)
5968 p->rng_fault_state = true;
5969 return NT_STATUS_NOT_IMPLEMENTED;
5972 /****************************************************************
5973 ****************************************************************/
5975 NTSTATUS _samr_AddMultipleMembersToAlias(pipes_struct *p,
5976 struct samr_AddMultipleMembersToAlias *r)
5978 p->rng_fault_state = true;
5979 return NT_STATUS_NOT_IMPLEMENTED;
5982 /****************************************************************
5983 ****************************************************************/
5985 NTSTATUS _samr_RemoveMultipleMembersFromAlias(pipes_struct *p,
5986 struct samr_RemoveMultipleMembersFromAlias *r)
5988 p->rng_fault_state = true;
5989 return NT_STATUS_NOT_IMPLEMENTED;
5992 /****************************************************************
5993 ****************************************************************/
5995 NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
5996 struct samr_OemChangePasswordUser2 *r)
5998 p->rng_fault_state = true;
5999 return NT_STATUS_NOT_IMPLEMENTED;
6002 /****************************************************************
6003 ****************************************************************/
6005 NTSTATUS _samr_SetBootKeyInformation(pipes_struct *p,
6006 struct samr_SetBootKeyInformation *r)
6008 p->rng_fault_state = true;
6009 return NT_STATUS_NOT_IMPLEMENTED;
6012 /****************************************************************
6013 ****************************************************************/
6015 NTSTATUS _samr_GetBootKeyInformation(pipes_struct *p,
6016 struct samr_GetBootKeyInformation *r)
6018 p->rng_fault_state = true;
6019 return NT_STATUS_NOT_IMPLEMENTED;
6022 /****************************************************************
6023 ****************************************************************/
6025 NTSTATUS _samr_Connect3(pipes_struct *p,
6026 struct samr_Connect3 *r)
6028 p->rng_fault_state = true;
6029 return NT_STATUS_NOT_IMPLEMENTED;
6032 /****************************************************************
6033 ****************************************************************/
6035 NTSTATUS _samr_RidToSid(pipes_struct *p,
6036 struct samr_RidToSid *r)
6038 p->rng_fault_state = true;
6039 return NT_STATUS_NOT_IMPLEMENTED;
6042 /****************************************************************
6043 ****************************************************************/
6045 NTSTATUS _samr_SetDsrmPassword(pipes_struct *p,
6046 struct samr_SetDsrmPassword *r)
6048 p->rng_fault_state = true;
6049 return NT_STATUS_NOT_IMPLEMENTED;
6052 /****************************************************************
6053 ****************************************************************/
6055 NTSTATUS _samr_ValidatePassword(pipes_struct *p,
6056 struct samr_ValidatePassword *r)
6058 p->rng_fault_state = true;
6059 return NT_STATUS_NOT_IMPLEMENTED;