/**
* @brief
* add_service_account: creates the PBS service account if it doesn't exist,
* otherwise, validate the password against the existing the service
* account.
*
* @param[in] password - The password to be validated.
*
* @return int
*/
int
add_service_account(char *password)
{
char dname[PBS_MAXHOSTNAME+1];
char dctrl[PBS_MAXHOSTNAME+1];
wchar_t unamew[UNLEN+1];
wchar_t dnamew[UNLEN+1];
wchar_t dctrlw[PBS_MAXHOSTNAME+1];
NET_API_STATUS nstatus;
USER_INFO_1 *ui1_ptr = NULL; /* better indicator of lookup */
/* permission */
struct passwd *pw = NULL;
char sa_name[PBS_MAXHOSTNAME+UNLEN+2]; /* service account fullname */
/* domain\user\0 */
int ret_val = 0;
int in_domain_environment;
USER_INFO_1 ui;
wchar_t passwordw[LM20_PWLEN+1];
/* find domain name, group name to add service account to */
in_domain_environment = GetComputerDomainName(dname);
strcpy(dctrl, dname);
if (in_domain_environment) {
char dname_a[PBS_MAXHOSTNAME+1];
get_dcinfo(dname, dname_a, dctrl);
}
mbstowcs(unamew, service_accountname, UNLEN+1);
mbstowcs(dnamew, dname, PBS_MAXHOSTNAME+1);
mbstowcs(dctrlw, dctrl, PBS_MAXHOSTNAME+1);
/* create account if it doesn't exist */
/* FIX: Perform the following "if action" if either */
/* 1) in a domain environment, and the */
/* executing account (i.e. intaller) is an account in */
/* the domain, */
/* 2) in a standalone environment, and the */
/* executing account (i.e. installer) is a local account */
/* in the local computer. */
/* This fix is needed as during testing, I was finding that */
/* the local "Administrator" account itself has permission */
/* to query the domain, and to create accounts on the domain. */
/* However, the created domain "pbsadmin" account would have */
/* weirdness to it in that attempts to impersonate it would */
/* initially fail, and even after adding the account to the */
/* local "Administrators" group, that user entry on the group */
/* would suddenly disappear. */
if ((stricmp(exec_dname, dname) == 0) &&
((nstatus=wrap_NetUserGetInfo(dctrlw, unamew, 1,
(LPBYTE *)&ui1_ptr)) == NERR_UserNotFound)) {
mbstowcs(passwordw, password, LM20_PWLEN+1);
ui.usri1_name = (wchar_t *)unamew;
ui.usri1_password = (wchar_t *)passwordw;
ui.usri1_password_age = 0;
ui.usri1_priv = USER_PRIV_USER;
ui.usri1_home_dir = NULL;
ui.usri1_comment = NULL;
ui.usri1_flags = UF_PASSWD_CANT_CHANGE|UF_DONT_EXPIRE_PASSWD;
ui.usri1_script_path = NULL;
if (for_info_only)
nstatus = NERR_Success;
else
nstatus=NetUserAdd(dctrlw, 1, (LPBYTE)&ui, NULL);
if ((nstatus != NERR_Success) && (nstatus != NERR_UserExists)) {
fprintf(stderr,
"Failed to create %s\\%S: error status=%d\n", dname,
unamew, nstatus);
goto end_add_service_account;
}
printf("%s account %s\\%S\n",
(for_info_only?"Creating":"Created"), dname, unamew);
set_account_expiration(dnamew, dctrlw, unamew,
TIMEQ_FOREVER);
/* cache new token since the account was just created */
cache_usertoken_and_homedir(service_accountname, NULL,
0, read_sa_password, (char *)service_accountname,
decrypt_sa_password, 1);
if (add_to_administrators_group(dnamew, unamew) != 0)
goto end_add_service_account;
}
/* Verify password */
if (pw == NULL) {
pw = getpwnam(service_accountname);
if (pw == NULL) {
fprintf(stderr, "Password could not be validated against %s\\%s.\n", dname, service_accountname);
goto end_add_service_account;
}
}
/* validate password */
sprintf(sa_name, "%s\\%s", dname, service_accountname);
if (!for_info_only) {
if (pw->pw_userlogin != INVALID_HANDLE_VALUE) {
if (ImpersonateLoggedOnUser(pw->pw_userlogin) == 0) { /* fail */
if (validate_account_password(sa_name, password) == 0) {
/* we still call validate_account_password() as backup since */
/* under Windows 2000, LogonUser(), called from */
/* cache_usertoken_and_homedir(), might fail due to not */
/* having the SE_TCB_NAME privilege. This must be */
/* already set before calling the "cmd" process that */
/* executes the install program. */
fprintf(stderr, "Password did not validate against %s\\%s err=%d\n\nClick BACK button to retry a different password.\nClick NEXT button to abort installation.", dname, service_accountname, GetLastError());
goto end_add_service_account;
}
} else {
printf("Validated password for %s\n", sa_name);
RevertToSelf();
}
}
} else {
printf("Validating password for %s\n", sa_name);
}
/* add service account to appropriate Admin group */
if (!for_info_only && !isLocalAdminMember(service_accountname)) {
if (add_to_administrators_group(dnamew, unamew) != 0)
goto end_add_service_account;
}
wcsset(passwordw, 0);
ret_val = 1;
if (for_info_only) {
printf("%s will need the following privileges:\n", sa_name);
printf("\n\tCreate Token Object\n");
printf("\n\tReplace Process Level Token\n");
printf("\n\tLogon On As a Service\n");
printf("\n\tAct As Part of the Operating System\n");
}
end_add_service_account:
if (ui1_ptr != NULL)
NetApiBufferFree(ui1_ptr);
return (ret_val);
}
/**
* @brief
* main - the entry point in pbs_account_win.c
*
* @param[in] argc - argument count
* @param[in] argv - argument variables.
* @param[in] env - environment values.
*
* @return int
* @retval 0 : success
* @retval !=0 : error code
*/
main(int argc, char *argv[])
{
SID *sa_sid = NULL; /* service account SID */
char sa_name[PBS_MAXHOSTNAME+UNLEN+2] = {'\0'}; /* service account name */
/* domain\user\0 */
int ret_val = 0;
int c_opt = 0;
int s_opt = 0;
int a_opt = 0;
int p_opt = 0;
int R_opt = 0;
int U_opt = 0;
int instid_opt = 0;
char service_bin_path[MAXPATHLEN+1] = {'\0'};
char service_name[MAXPATHLEN+1] = {'\0'};
int i = 0;
char outputfile[MAXPATHLEN+1] = {'\0'};
char instanceName[MAXPATHLEN+1] = {'\0'};
int output_fd = -1;
struct passwd *pw = NULL;
char *p = NULL;
winsock_init();
/*test for real deal or just version and exit*/
execution_mode(argc, argv);
strcpy(exec_unamef, getlogin_full());
strcpy(exec_dname, ".");
if ((p=strchr(exec_unamef, '\\'))) {
*p = '\0';
strcpy(exec_dname, exec_unamef);
*p = '\\';
}
strcpy(sa_password, "");
strcpy(outputfile, "");
/* with no option, check only if service account exists */
if (argc == 1) {
int in_domain_environment = 0;
char dname[PBS_MAXHOSTNAME+1] = {'\0'};
char dctrl[PBS_MAXHOSTNAME+1] = {'\0'};
wchar_t unamew[UNLEN+1] = {'\0'};
wchar_t dctrlw[PBS_MAXHOSTNAME+1] = {'\0'};
USER_INFO_0 *ui1_ptr = NULL;
NET_API_STATUS netst = 0;
/* figure out the domain controller hostname (dctrl) */
/* in domain environment, */
/* domain name (dname) != domain controller hostname */
/* in standalone environment, */
/* domain name (dname) == domain controller hostname */
in_domain_environment = GetComputerDomainName(dname);
strcpy(dctrl, dname);
if (in_domain_environment) {
char dname_a[PBS_MAXHOSTNAME+1];
get_dcinfo(dname, dname_a, dctrl);
}
/* convert strings to "wide" format */
mbstowcs(unamew, service_accountname, UNLEN+1);
mbstowcs(dctrlw, dctrl, PBS_MAXHOSTNAME+1);
netst = wrap_NetUserGetInfo(dctrlw, unamew, 1,
(LPBYTE *)&ui1_ptr);
if (strlen(winlog_buffer) > 0) {
fprintf(stderr, "%s\n", winlog_buffer);
}
if (netst == NERR_UserNotFound) {
fprintf(stderr, "%s not found!\n", service_accountname);
if (in_domain_environment &&
stricmp(exec_dname, dname) != 0) {
fprintf(stderr,
"But no privilege to create service account %s\\%s!\n",
dname, service_accountname);
ret_val=2;
} else {
ret_val=1;
}
} else if ((netst == ERROR_ACCESS_DENIED) ||
(netst == ERROR_LOGON_FAILURE)) {
fprintf(stderr,
"no privilege to obtain info for service account %s\\%s!\n",
dname, service_accountname);
ret_val= 2;
} else {
fprintf(stderr, "service account is %s\\%s!\n",
dname, service_accountname);
ret_val = 0;
}
if (ui1_ptr != NULL)
NetApiBufferFree(ui1_ptr);
goto end_pbs_account;
}
i = 1;
while (i < argc) {
if (strcmp(argv[i], "-c") == 0) {
c_opt = 1;
i++;
} else if (strcmp(argv[i], "--ci") == 0) {
c_opt = 1;
for_info_only = 1;
i++;
} else if (strcmp(argv[i], "-s") == 0) {
s_opt = 1;
i++;
} else if (strcmp(argv[i], "-a") == 0) {
if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) {
fprintf(stderr, "No service account name argument supplied!\n");
usage(argv[0]);
exit(1);
}
a_opt = 1;
strcpy(service_accountname, argv[i+1]);
i+=2;
} else if (strcmp(argv[i], "-p") == 0) {
if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) {
fprintf(stderr, "No password argument supplied!\n");
usage(argv[0]);
exit(1);
}
p_opt = 1;
strcpy(sa_password, argv[i+1]);
cache_usertoken_and_homedir(service_accountname, NULL, 0,
read_sa_password, (char*)service_accountname,
decrypt_sa_password, 1);
i+=2;
} else if (strcmp(argv[i], "--reg") == 0) {
if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) {
fprintf(stderr, "No service binary path given\n");
usage(argv[0]);
exit(1);
}
R_opt = 1;
strcpy(service_bin_path, argv[i+1]);
i+=2;
} else if (strcmp(argv[i], "--unreg") == 0) {
if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) {
fprintf(stderr, "No service binary path given\n");
usage(argv[0]);
exit(1);
}
U_opt = 1;
strcpy(service_bin_path, argv[i+1]);
i+=2;
} else if (strcmp(argv[i], "-o") == 0) {
if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) {
fprintf(stderr, "No output path argument supplied!\n");
usage(argv[0]);
exit(1);
}
p_opt = 1;
strcpy(outputfile, argv[i+1]);
i+=2;
} else if (strncmp(argv[i], "--instid", strlen("--instid")) == 0) {
if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) {
fprintf(stderr, "No instance id supplied!\n");
usage(argv[0]);
exit(1);
}
instid_opt = 1;
strncpy(instanceName, argv[i+1], MAXPATHLEN);
i+=2;
} else {
fprintf(stderr, "Unknown option %s\n", argv[i]);
usage(argv[0]);
exit(1);
}
}
if (strlen(outputfile) > 0) {
if ((output_fd=open(outputfile, O_RDWR|O_CREAT, 0600)) != -1) {
_dup2(output_fd, 1); /* put stdout in file */
_dup2(output_fd, 2); /* put stderr in file */
}
}
/* prompt for password if not supplied with -p */
if ((c_opt || R_opt) && (strcmp(sa_password, "") == 0)) {
prompt_to_get_password(sa_password);
cache_usertoken_and_homedir(service_accountname, NULL, 0,
read_sa_password, (char *)service_accountname,
decrypt_sa_password, 1);
}
/* Need to get service_name */
if (R_opt || U_opt) {
char *p = NULL;
int k = 0;
strcpy(service_name, service_bin_path);
if ((p=strrchr(service_bin_path, '\\'))) {
strcpy(service_name, p+1);
}
if ((p=strrchr(service_name, '.'))) {/*remove .exe portion*/
*p = '\0';
}
/* translate from lower-case to upper-case */
for (k=0; k < strlen(service_name); k++) {
service_name[k] = toupper(service_name[k]);
}
if (instid_opt) {
strcat_s(service_name, MAXPATHLEN, "_");
strcat_s(service_name, MAXPATHLEN, instanceName);
}
}
if (c_opt) {
if (add_service_account(sa_password) == 0) {
ret_val = 3;
goto end_pbs_account;
}
}
if (s_opt || R_opt) { /* need service account name */
sa_sid = getusersid2(service_accountname, sa_name);
if (sa_sid == NULL) {
fprintf(stderr, "%s not found!\n", service_accountname);
ret_val= 1;
goto end_pbs_account;
}
if (!isAdminPrivilege(service_accountname)) {
fprintf(stderr, "%s is not ADMIN! - %s\n",
service_accountname, winlog_buffer);
ret_val = 2;
goto end_pbs_account;
}
}
if (s_opt) {
int r1, r2, r3, r4;
printf("Setting the following privileges to %s:\n", sa_name);
r1 = add_privilege(sa_sid, SE_CREATE_TOKEN_NAME);
r2 = add_privilege(sa_sid, SE_ASSIGNPRIMARYTOKEN_NAME);
r3 = add_privilege(sa_sid, SE_SERVICE_LOGON_NAME);
r4 = add_privilege(sa_sid, SE_TCB_NAME);
if ((r1 != 0) || (r2 != 0) || (r3 != 0) || (r4 != 0)) {
ret_val = 4;
goto end_pbs_account;
}
}
if (R_opt) {
ret_val = register_scm(__TEXT(service_name), service_bin_path,
sa_name, sa_password);
}
if (U_opt) {
ret_val = unregister_scm(__TEXT(service_name));
}
end_pbs_account:
if (sa_sid != NULL)
LocalFree(sa_sid);
if (strlen(sa_password) > 0)
memset((char *)sa_password, 0, strlen(sa_password));
if (output_fd != -1)
(void)close(output_fd);
exit(ret_val);
}
int
svr_get_privilege(char *user, char *host)
{
int is_root = 0;
int priv = (ATR_DFLAG_USRD | ATR_DFLAG_USWR);
char uh[PBS_MAXUSER + PBS_MAXHOSTNAME + 2];
#ifdef WIN32
char server_host_netbios[MAX_COMPUTERNAME_LENGTH+1];
DWORD hsize = MAX_COMPUTERNAME_LENGTH;
char current_domain[PBS_MAXHOSTNAME+1];
char server_host_domain[PBS_MAXHOSTNAME+1];
char user_s[PBS_MAXHOSTNAME+ UNLEN+2];
char *p = NULL;
char *p0 = NULL;
int ch = '\\';
#endif
(void)strcpy(uh, user);
(void)strcat(uh, "@");
(void)strcat(uh, host);
#ifdef WIN32
/* Try to match requesting host against: */
/* localhost */
/* <server_host> */
/* <server_host_netbios_name> */
/* <server_host_netbios_name>.<windows_domain> */
if ( isAdminPrivilege(user) && \
( (strcasecmp(host, server_host) == 0) || \
(strcasecmp(host, LOCALHOST_SHORTNAME) == 0) || \
(GetComputerName(server_host_netbios, &hsize) && \
(strcasecmp(host, server_host_netbios) == 0)) || \
(GetComputerDomainName(current_domain) && \
sprintf(server_host_domain, "%s.%s", server_host_netbios,
current_domain) && \
(strcasecmp(host, server_host_domain) == 0)) ) ) {
is_root = 1;
}
#else
if (strcmp(user, PBS_DEFAULT_ADMIN) == 0) {
char myhostname[PBS_MAXHOSTNAME+1];
/* First try without DNS lookup. */
if (strcasecmp(host, server_host) == 0) {
is_root = 1;
} else if (strcasecmp(host, LOCALHOST_SHORTNAME) == 0) {
is_root = 1;
} else if (strcasecmp(host, LOCALHOST_FULLNAME) == 0) {
is_root = 1;
} else {
if (gethostname(myhostname, (sizeof(myhostname) - 1)) == -1) {
myhostname[0] = '\0';
}
if (strcasecmp(host, myhostname) == 0) {
is_root = 1;
}
}
if (is_root == 0) {
/* Now try with DNS lookup. */
if (is_same_host(host, server_host)) {
is_root = 1;
} else if (is_same_host(host, myhostname)) {
is_root = 1;
}
}
}
#endif /* WIN32 */
#ifdef PBS_ROOT_ALWAYS_ADMIN
if (is_root)
return (priv | ATR_DFLAG_MGRD | ATR_DFLAG_MGWR | ATR_DFLAG_OPRD | ATR_DFLAG_OPWR);
#endif /* PBS_ROOT_ALWAYS_ADMIN */
if (!(server.sv_attr[(int)SRV_ATR_managers].at_flags & ATR_VFLAG_SET)) {
if (is_root)
priv |= (ATR_DFLAG_MGRD | ATR_DFLAG_MGWR);
} else if (acl_check(&server.sv_attr[SRV_ATR_managers], uh, ACL_User))
priv |= (ATR_DFLAG_MGRD | ATR_DFLAG_MGWR);
if (!(server.sv_attr[(int)SRV_ATR_operators].at_flags&ATR_VFLAG_SET)) {
if (is_root)
priv |= (ATR_DFLAG_OPRD | ATR_DFLAG_OPWR);
} else if (acl_check(&server.sv_attr[SRV_ATR_operators], uh, ACL_User))
priv |= (ATR_DFLAG_OPRD | ATR_DFLAG_OPWR);
return (priv);
}
