/*
* samr_query_user_info
*
* Query information on a specific user. The handle must be a valid
* user handle obtained via samr_open_user.
*
* Returns 0 on success, otherwise returns -ve error code.
*/
int
samr_query_user_info(mlsvc_handle_t *user_handle, WORD switch_value,
union samr_user_info *user_info)
{
struct samr_QueryUserInfo arg;
int opnum;
int rc;
if (ndr_is_null_handle(user_handle) || user_info == 0)
return (-1);
opnum = SAMR_OPNUM_QueryUserInfo;
bzero(&arg, sizeof (struct samr_QueryUserInfo));
(void) memcpy(&arg.user_handle, &user_handle->handle,
sizeof (samr_handle_t));
arg.switch_value = switch_value;
if (ndr_rpc_call(user_handle, opnum, &arg) != 0) {
ndr_rpc_release(user_handle);
return (-1);
}
if (arg.status != 0)
rc = -1;
else
rc = samr_setup_user_info(switch_value, &arg, user_info);
ndr_rpc_release(user_handle);
return (rc);
}
/*
* lsar_lookup_sids3
*
* This function is only valid if the remote RPC server is a domain
* controller and requires the security extensions defined in MS-RPCE.
*
* Domain controllers will return RPC_NT_PROTSEQ_NOT_SUPPORTED here
* because we don't support the RPC_C_AUTHN_NETLOGON security provider.
* Non-domain controllers will return NT_STATUS_INVALID_SERVER_STATE.
*/
static uint32_t /*LINTED E_STATIC_UNUSED*/
lsar_lookup_sids3(mlsvc_handle_t *lsa_handle, lsa_sid_t *sid,
smb_account_t *account)
{
struct lsar_lookup_sids3 arg;
lsar_translated_name_ex_t *name_entry;
struct mslsa_lup_sid_entry sid_entry;
struct mslsa_domain_entry *domain_entry;
uint32_t status = NT_STATUS_SUCCESS;
char *name;
int opnum = LSARPC_OPNUM_LookupSids3;
bzero(&arg, sizeof (struct lsar_lookup_sids3));
sid_entry.psid = sid;
arg.lup_sid_table.n_entry = 1;
arg.lup_sid_table.entries = &sid_entry;
arg.lookup_level = LSA_LOOKUP_WKSTA;
arg.client_revision = LSA_CLIENT_REVISION_AD;
if (ndr_rpc_call(lsa_handle, opnum, &arg) != 0) {
ndr_rpc_release(lsa_handle);
return (NT_STATUS_INVALID_PARAMETER);
}
if (arg.status != NT_STATUS_SUCCESS) {
ndr_rpc_status(lsa_handle, opnum, arg.status);
ndr_rpc_release(lsa_handle);
if (arg.status == RPC_NT_PROTSEQ_NOT_SUPPORTED ||
arg.status == NT_STATUS_INVALID_SERVER_STATE)
return (NT_STATUS_INVALID_PARAMETER);
return (NT_SC_VALUE(arg.status));
}
if (arg.mapped_count == 0) {
ndr_rpc_release(lsa_handle);
return (NT_STATUS_NONE_MAPPED);
}
name_entry = &arg.name_table.entries[0];
if (name_entry->domain_ix != 0) {
ndr_rpc_release(lsa_handle);
return (NT_STATUS_NONE_MAPPED);
}
name = (char *)name_entry->name.str;
account->a_name = (name) ? strdup(name) : strdup("");
account->a_type = name_entry->sid_name_use;
account->a_sid = smb_sid_dup((smb_sid_t *)sid);
(void) smb_sid_getrid(account->a_sid, &account->a_rid);
domain_entry = &arg.domain_table->entries[0];
if ((name = (char *)domain_entry->domain_name.str) != NULL)
account->a_domain = strdup(name);
account->a_domsid = smb_sid_dup((smb_sid_t *)domain_entry->domain_sid);
ndr_rpc_release(lsa_handle);
return (status);
}
/*
* lsar_lookup_sids1
*/
static uint32_t
lsar_lookup_sids1(mlsvc_handle_t *lsa_handle, lsa_sid_t *sid,
smb_account_t *account)
{
struct mslsa_LookupSids arg;
struct mslsa_lup_sid_entry sid_entry;
struct mslsa_name_entry *name_entry;
struct mslsa_domain_entry *domain_entry;
uint32_t status = NT_STATUS_SUCCESS;
char *name;
int opnum = LSARPC_OPNUM_LookupSids;
bzero(&arg, sizeof (struct mslsa_LookupSids));
(void) memcpy(&arg.handle, lsa_handle, sizeof (mslsa_handle_t));
arg.lookup_level = LSA_LOOKUP_WKSTA;
sid_entry.psid = sid;
arg.lup_sid_table.n_entry = 1;
arg.lup_sid_table.entries = &sid_entry;
if (ndr_rpc_call(lsa_handle, opnum, &arg) != 0) {
ndr_rpc_release(lsa_handle);
return (NT_STATUS_INVALID_PARAMETER);
}
if (arg.status != NT_STATUS_SUCCESS) {
ndr_rpc_status(lsa_handle, opnum, arg.status);
ndr_rpc_release(lsa_handle);
return (NT_SC_VALUE(arg.status));
}
if (arg.mapped_count == 0) {
ndr_rpc_release(lsa_handle);
return (NT_STATUS_NONE_MAPPED);
}
name_entry = &arg.name_table.entries[0];
if (name_entry->domain_ix != 0) {
ndr_rpc_release(lsa_handle);
return (NT_STATUS_NONE_MAPPED);
}
name = (char *)name_entry->name.str;
account->a_name = (name) ? strdup(name) : strdup("");
account->a_type = name_entry->sid_name_use;
account->a_sid = smb_sid_dup((smb_sid_t *)sid);
(void) smb_sid_getrid(account->a_sid, &account->a_rid);
domain_entry = &arg.domain_table->entries[0];
if ((name = (char *)domain_entry->domain_name.str) != NULL)
account->a_domain = strdup(name);
account->a_domsid = smb_sid_dup((smb_sid_t *)domain_entry->domain_sid);
ndr_rpc_release(lsa_handle);
return (status);
}
/*
* lsar_enum_accounts
*
* Enumerate the list of accounts (i.e. SIDs). Use the handle returned
* from lsa_open_policy2. The enum_context is used to support multiple
* calls to this enumeration function. It should be set to 0 on the
* first call. It will be updated by the domain controller and should
* simply be passed unchanged to subsequent calls until there are no
* more accounts. A warning status of 0x1A indicates that no more data
* is available. The list of accounts will be returned in accounts.
* This list is dynamically allocated using malloc, it should be freed
* by the caller when it is no longer required.
*/
int
lsar_enum_accounts(mlsvc_handle_t *lsa_handle, DWORD *enum_context,
struct mslsa_EnumAccountBuf *accounts)
{
struct mslsa_EnumerateAccounts arg;
struct mslsa_AccountInfo *info;
int opnum;
int rc;
DWORD n_entries;
DWORD i;
int nbytes;
if (lsa_handle == NULL || enum_context == NULL || accounts == NULL)
return (-1);
accounts->entries_read = 0;
accounts->info = 0;
opnum = LSARPC_OPNUM_EnumerateAccounts;
bzero(&arg, sizeof (struct mslsa_EnumerateAccounts));
(void) memcpy(&arg.handle, lsa_handle, sizeof (mslsa_handle_t));
arg.enum_context = *enum_context;
arg.max_length = MLSVC_MAX_RESPONSE_LEN;
rc = ndr_rpc_call(lsa_handle, opnum, &arg);
if (rc == 0) {
if (arg.status != 0) {
if (arg.status == NT_STATUS_NO_MORE_ENTRIES) {
*enum_context = arg.enum_context;
} else {
ndr_rpc_status(lsa_handle, opnum, arg.status);
rc = -1;
}
} else if (arg.enum_buf->entries_read != 0) {
n_entries = arg.enum_buf->entries_read;
nbytes = n_entries * sizeof (struct mslsa_AccountInfo);
if ((info = malloc(nbytes)) == NULL) {
ndr_rpc_release(lsa_handle);
return (-1);
}
for (i = 0; i < n_entries; ++i)
info[i].sid = (lsa_sid_t *)smb_sid_dup(
(smb_sid_t *)arg.enum_buf->info[i].sid);
accounts->entries_read = n_entries;
accounts->info = info;
*enum_context = arg.enum_context;
}
}
ndr_rpc_release(lsa_handle);
return (rc);
}
/*
* lsar_lookup_names4
*
* This function is only valid if the remote RPC server is a domain
* controller and requires the security extensions defined in MS-RPCE.
*
* Domain controllers will return RPC_NT_PROTSEQ_NOT_SUPPORTED here
* because we don't support the RPC_C_AUTHN_NETLOGON security provider.
* Non-domain controllers will return NT_STATUS_INVALID_SERVER_STATE.
*/
static uint32_t /*LINTED E_STATIC_UNUSED*/
lsar_lookup_names4(mlsvc_handle_t *lsa_handle, lsa_names_t *names,
smb_account_t *info)
{
struct lsar_LookupNames4 arg;
lsar_translated_sid_ex2_t *sid_entry;
struct mslsa_domain_entry *domain_entry;
uint32_t status = NT_STATUS_SUCCESS;
char *domname;
int opnum = LSARPC_OPNUM_LookupNames4;
bzero(&arg, sizeof (struct lsar_LookupNames4));
arg.lookup_level = LSA_LOOKUP_WKSTA;
arg.client_revision = LSA_CLIENT_REVISION_AD;
arg.name_table = (struct mslsa_lup_name_table *)names;
if (ndr_rpc_call(lsa_handle, opnum, &arg) != 0) {
ndr_rpc_release(lsa_handle);
return (NT_STATUS_INVALID_PARAMETER);
}
if (arg.status != NT_STATUS_SUCCESS) {
ndr_rpc_status(lsa_handle, opnum, arg.status);
ndr_rpc_release(lsa_handle);
if (arg.status == RPC_NT_PROTSEQ_NOT_SUPPORTED ||
arg.status == NT_STATUS_INVALID_SERVER_STATE)
return (NT_STATUS_INVALID_PARAMETER);
return (NT_SC_VALUE(arg.status));
}
if (arg.mapped_count == 0) {
ndr_rpc_release(lsa_handle);
return (NT_STATUS_NONE_MAPPED);
}
sid_entry = &arg.translated_sids.sids[0];
if (sid_entry->domain_index != 0) {
ndr_rpc_release(lsa_handle);
return (NT_STATUS_NONE_MAPPED);
}
domain_entry = &arg.domain_table->entries[0];
info->a_type = sid_entry->sid_name_use;
info->a_domsid = smb_sid_dup((smb_sid_t *)domain_entry->domain_sid);
if ((domname = (char *)domain_entry->domain_name.str) != NULL)
info->a_domain = strdup(domname);
info->a_sid = smb_sid_dup((smb_sid_t *)sid_entry->sid);
(void) smb_sid_getrid(info->a_sid, &info->a_rid);
ndr_rpc_release(lsa_handle);
return (status);
}
/*
* lsar_lookup_names2
*/
static uint32_t
lsar_lookup_names2(mlsvc_handle_t *lsa_handle, lsa_names_t *names,
smb_account_t *info)
{
struct lsar_LookupNames2 arg;
struct lsar_rid_entry2 *rid_entry;
struct mslsa_domain_entry *domain_entry;
uint32_t status = NT_STATUS_SUCCESS;
char *domname;
int opnum = LSARPC_OPNUM_LookupNames2;
bzero(&arg, sizeof (struct lsar_LookupNames2));
(void) memcpy(&arg.policy_handle, lsa_handle, sizeof (mslsa_handle_t));
arg.lookup_level = LSA_LOOKUP_WKSTA;
arg.client_revision = LSA_CLIENT_REVISION_AD;
arg.name_table = (struct mslsa_lup_name_table *)names;
if (ndr_rpc_call(lsa_handle, opnum, &arg) != 0) {
ndr_rpc_release(lsa_handle);
return (NT_STATUS_INVALID_PARAMETER);
}
if (arg.status != NT_STATUS_SUCCESS) {
ndr_rpc_status(lsa_handle, opnum, arg.status);
ndr_rpc_release(lsa_handle);
return (NT_SC_VALUE(arg.status));
}
if (arg.mapped_count == 0) {
ndr_rpc_release(lsa_handle);
return (NT_STATUS_NONE_MAPPED);
}
rid_entry = &arg.translated_sids.rids[0];
if (rid_entry->domain_index != 0) {
ndr_rpc_release(lsa_handle);
return (NT_STATUS_NONE_MAPPED);
}
domain_entry = &arg.domain_table->entries[0];
info->a_type = rid_entry->sid_name_use;
info->a_domsid = smb_sid_dup((smb_sid_t *)domain_entry->domain_sid);
if ((domname = (char *)domain_entry->domain_name.str) != NULL)
info->a_domain = strdup(domname);
info->a_rid = rid_entry->rid;
info->a_sid = smb_sid_splice(info->a_domsid, info->a_rid);
ndr_rpc_release(lsa_handle);
return (status);
}
/*
* lsar_lookup_priv_name
*
* Map a local unique id (LUID) to a privilege name. Privilege names
* are consistent across the network. LUIDs are machine specific.
* This function the means to map the LUID used by a remote server to
* the appropriate privilege name. The handle here is a policy handle.
*/
int
lsar_lookup_priv_name(mlsvc_handle_t *lsa_handle, struct ms_luid *luid,
char *name, int namelen)
{
struct mslsa_LookupPrivName arg;
int opnum;
int rc;
if (lsa_handle == NULL || luid == NULL || name == NULL)
return (-1);
opnum = LSARPC_OPNUM_LookupPrivName;
bzero(&arg, sizeof (struct mslsa_LookupPrivName));
(void) memcpy(&arg.handle, lsa_handle, sizeof (mslsa_handle_t));
(void) memcpy(&arg.luid, luid, sizeof (struct ms_luid));
rc = ndr_rpc_call(lsa_handle, opnum, &arg);
if (rc == 0) {
if (arg.status != 0)
rc = -1;
else
(void) strlcpy(name, (char const *)arg.name->str,
namelen);
}
ndr_rpc_release(lsa_handle);
return (rc);
}
/*ARGSUSED*/
static DWORD
samr_connect4(char *server, char *domain, char *username, DWORD access_mask,
mlsvc_handle_t *samr_handle)
{
struct samr_Connect4 arg;
int opnum;
DWORD status;
int len;
bzero(&arg, sizeof (struct samr_Connect4));
opnum = SAMR_OPNUM_Connect4;
status = NT_STATUS_SUCCESS;
len = strlen(server) + 4;
arg.servername = ndr_rpc_malloc(samr_handle, len);
(void) snprintf((char *)arg.servername, len, "\\\\%s", server);
arg.revision = SAMR_REVISION_2;
arg.access_mask = access_mask;
if (ndr_rpc_call(samr_handle, opnum, &arg) != 0) {
status = NT_STATUS_UNSUCCESSFUL;
} else if (arg.status != 0) {
status = NT_SC_VALUE(arg.status);
} else {
(void) memcpy(&samr_handle->handle, &arg.handle,
sizeof (ndr_hdid_t));
if (ndr_is_null_handle(samr_handle))
status = NT_STATUS_INVALID_HANDLE;
}
ndr_rpc_release(samr_handle);
return (status);
}
/*ARGSUSED*/
static DWORD
samr_connect1(char *server, char *domain, char *username, DWORD access_mask,
mlsvc_handle_t *samr_handle)
{
struct samr_Connect arg;
int opnum;
DWORD status;
bzero(&arg, sizeof (struct samr_Connect));
opnum = SAMR_OPNUM_Connect;
status = NT_STATUS_SUCCESS;
arg.servername = ndr_rpc_malloc(samr_handle, sizeof (DWORD));
*(arg.servername) = 0x0001005c;
arg.access_mask = access_mask;
if (ndr_rpc_call(samr_handle, opnum, &arg) != 0) {
status = NT_STATUS_UNSUCCESSFUL;
} else if (arg.status != 0) {
status = NT_SC_VALUE(arg.status);
} else {
(void) memcpy(&samr_handle->handle, &arg.handle,
sizeof (ndr_hdid_t));
if (ndr_is_null_handle(samr_handle))
status = NT_STATUS_INVALID_HANDLE;
}
ndr_rpc_release(samr_handle);
return (status);
}
/*
* samr_enum_local_domains
*
* Get the list of local domains supported by a server.
*
* Returns NT status codes.
*/
DWORD
samr_enum_local_domains(mlsvc_handle_t *samr_handle)
{
struct samr_EnumLocalDomain arg;
int opnum;
DWORD status;
if (ndr_is_null_handle(samr_handle))
return (NT_STATUS_INVALID_PARAMETER);
opnum = SAMR_OPNUM_EnumLocalDomains;
bzero(&arg, sizeof (struct samr_EnumLocalDomain));
(void) memcpy(&arg.handle, &samr_handle->handle,
sizeof (samr_handle_t));
arg.enum_context = 0;
arg.max_length = 0x00002000; /* Value used by NT */
if (ndr_rpc_call(samr_handle, opnum, &arg) != 0) {
status = NT_STATUS_INVALID_PARAMETER;
} else {
status = NT_SC_VALUE(arg.status);
/*
* Handle none-mapped status quietly.
*/
if (status != NT_STATUS_NONE_MAPPED)
ndr_rpc_status(samr_handle, opnum, arg.status);
}
ndr_rpc_release(samr_handle);
return (status);
}
/*
* samr_get_user_pwinfo
*
* Get some user password info. I'm not sure what this is yet but it is
* part of the create user sequence. The handle must be a valid user
* handle. Since I don't know what this is returning, I haven't provided
* any return data yet.
*
* Returns 0 on success. Otherwise returns an NT status code.
*/
DWORD
samr_get_user_pwinfo(mlsvc_handle_t *user_handle)
{
struct samr_GetUserPwInfo arg;
int opnum;
DWORD status;
if (ndr_is_null_handle(user_handle))
return (NT_STATUS_INVALID_PARAMETER);
opnum = SAMR_OPNUM_GetUserPwInfo;
bzero(&arg, sizeof (struct samr_GetUserPwInfo));
(void) memcpy(&arg.user_handle, &user_handle->handle,
sizeof (samr_handle_t));
if (ndr_rpc_call(user_handle, opnum, &arg) != 0) {
status = NT_STATUS_INVALID_PARAMETER;
} else if (arg.status != 0) {
ndr_rpc_status(user_handle, opnum, arg.status);
status = NT_SC_VALUE(arg.status);
} else {
status = 0;
}
ndr_rpc_release(user_handle);
return (status);
}
/*
* samr_lookup_domain
*
* Lookup up the domain SID for the specified domain name. The handle
* should be one returned from samr_connect. The allocated memory for
* the returned SID must be freed by caller.
*/
smb_sid_t *
samr_lookup_domain(mlsvc_handle_t *samr_handle, char *domain_name)
{
struct samr_LookupDomain arg;
smb_sid_t *domsid = NULL;
int opnum;
size_t length;
if (ndr_is_null_handle(samr_handle) || domain_name == NULL)
return (NULL);
opnum = SAMR_OPNUM_LookupDomain;
bzero(&arg, sizeof (struct samr_LookupDomain));
(void) memcpy(&arg.handle, &samr_handle->handle,
sizeof (samr_handle_t));
length = smb_wcequiv_strlen(domain_name);
if (ndr_rpc_server_os(samr_handle) == NATIVE_OS_WIN2000)
length += sizeof (smb_wchar_t);
arg.domain_name.length = length;
arg.domain_name.allosize = length;
arg.domain_name.str = (unsigned char *)domain_name;
if (ndr_rpc_call(samr_handle, opnum, &arg) == 0)
domsid = smb_sid_dup((smb_sid_t *)arg.sid);
ndr_rpc_release(samr_handle);
return (domsid);
}
/*
* samr_create_user
*
* Create a user in the domain specified by the domain handle. If this
* call is successful, the server will return the RID for the user and
* a user handle, which may be used to set or query the SAM.
*
* Observed status codes:
* NT_STATUS_INVALID_PARAMETER
* NT_STATUS_INVALID_ACCOUNT_NAME
* NT_STATUS_ACCESS_DENIED
* NT_STATUS_USER_EXISTS
*
* Returns 0 on success. Otherwise returns an NT status code.
*/
DWORD
samr_create_user(mlsvc_handle_t *domain_handle, char *username,
DWORD account_flags, DWORD *rid, mlsvc_handle_t *user_handle)
{
struct samr_CreateUser arg;
ndr_heap_t *heap;
int opnum;
int rc;
DWORD status = 0;
if (ndr_is_null_handle(domain_handle) ||
username == NULL || rid == NULL) {
return (NT_STATUS_INVALID_PARAMETER);
}
opnum = SAMR_OPNUM_CreateUser;
bzero(&arg, sizeof (struct samr_CreateUser));
(void) memcpy(&arg.handle, &domain_handle->handle,
sizeof (ndr_hdid_t));
heap = ndr_rpc_get_heap(domain_handle);
ndr_heap_mkvcs(heap, username, (ndr_vcstr_t *)&arg.username);
arg.account_flags = account_flags;
arg.desired_access = 0xE00500B0;
rc = ndr_rpc_call(domain_handle, opnum, &arg);
if (rc != 0) {
status = NT_STATUS_INVALID_PARAMETER;
} else if (arg.status != 0) {
status = NT_SC_VALUE(arg.status);
if (status != NT_STATUS_USER_EXISTS) {
smb_tracef("SamrCreateUser[%s]: %s", username,
xlate_nt_status(status));
}
} else {
ndr_inherit_handle(user_handle, domain_handle);
(void) memcpy(&user_handle->handle, &arg.user_handle,
sizeof (ndr_hdid_t));
*rid = arg.rid;
if (ndr_is_null_handle(user_handle))
status = NT_STATUS_INVALID_HANDLE;
else
status = 0;
}
ndr_rpc_release(domain_handle);
return (status);
}
/*
* samr_lookup_domain_names
*
* Lookup up the given name in the domain specified by domain_handle.
* Upon a successful lookup the information is returned in the account
* arg and caller must free allocated memories by calling smb_account_free().
*
* Returns NT status codes.
*/
uint32_t
samr_lookup_domain_names(mlsvc_handle_t *domain_handle, char *name,
smb_account_t *account)
{
struct samr_LookupNames arg;
int opnum;
uint32_t status;
size_t length;
if (ndr_is_null_handle(domain_handle) ||
name == NULL || account == NULL) {
return (NT_STATUS_INVALID_PARAMETER);
}
bzero(account, sizeof (smb_account_t));
opnum = SAMR_OPNUM_LookupNames;
bzero(&arg, sizeof (struct samr_LookupNames));
(void) memcpy(&arg.handle, &domain_handle->handle,
sizeof (samr_handle_t));
arg.n_entry = 1;
arg.max_n_entry = 1000;
arg.index = 0;
arg.total = 1;
length = smb_wcequiv_strlen(name);
if (ndr_rpc_server_os(domain_handle) == NATIVE_OS_WIN2000)
length += sizeof (smb_wchar_t);
arg.name.length = length;
arg.name.allosize = length;
arg.name.str = (unsigned char *)name;
if (ndr_rpc_call(domain_handle, opnum, &arg) != 0) {
status = NT_STATUS_INVALID_PARAMETER;
} else if (arg.status != NT_STATUS_SUCCESS) {
status = NT_SC_VALUE(arg.status);
/*
* Handle none-mapped status quietly.
*/
if (status != NT_STATUS_NONE_MAPPED)
ndr_rpc_status(domain_handle, opnum, arg.status);
} else {
account->a_type = arg.rid_types.rid_type[0];
account->a_rid = arg.rids.rid[0];
status = NT_STATUS_SUCCESS;
}
ndr_rpc_release(domain_handle);
return (status);
}
/*ARGSUSED*/
static DWORD
samr_connect5(char *server, char *domain, char *username, DWORD access_mask,
mlsvc_handle_t *samr_handle)
{
struct samr_Connect5 arg;
int len;
int opnum;
DWORD status;
smb_domainex_t dinfo;
bzero(&arg, sizeof (struct samr_Connect5));
opnum = SAMR_OPNUM_Connect5;
status = NT_STATUS_SUCCESS;
if (!smb_domain_getinfo(&dinfo))
return (NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
len = strlen(server) + strlen(dinfo.d_primary.di_fqname) + 4;
arg.servername = ndr_rpc_malloc(samr_handle, len);
if (*dinfo.d_primary.di_fqname != '\0')
(void) snprintf((char *)arg.servername, len, "\\\\%s.%s",
server, dinfo.d_primary.di_fqname);
else
(void) snprintf((char *)arg.servername, len, "\\\\%s", server);
arg.access_mask = SAM_ENUM_LOCAL_DOMAIN;
arg.unknown2_00000001 = 0x00000001;
arg.unknown3_00000001 = 0x00000001;
arg.unknown4_00000003 = 0x00000003;
arg.unknown5_00000000 = 0x00000000;
if (ndr_rpc_call(samr_handle, opnum, &arg) != 0) {
status = NT_STATUS_UNSUCCESSFUL;
} else if (arg.status != 0) {
status = NT_SC_VALUE(arg.status);
} else {
(void) memcpy(&samr_handle->handle, &arg.handle,
sizeof (ndr_hdid_t));
if (ndr_is_null_handle(samr_handle))
status = NT_STATUS_INVALID_HANDLE;
}
ndr_rpc_release(samr_handle);
return (status);
}
/*
* lsar_open_policy2
*
* Obtain an LSA policy handle. A policy handle is required to access
* LSA resources on a remote server. The server name supplied here does
* not need the double backslash prefix; it is added here. Call this
* function via lsar_open to ensure that the appropriate connection is
* in place.
*
* Returns 0 on success. Otherwise non-zero to indicate a failure.
*/
int
lsar_open_policy2(char *server, char *domain, char *username,
mlsvc_handle_t *lsa_handle)
{
struct mslsa_OpenPolicy2 arg;
int opnum;
int len;
int rc;
rc = ndr_rpc_bind(lsa_handle, server, domain, username, "LSARPC");
if (rc != 0)
return (-1);
opnum = LSARPC_OPNUM_OpenPolicy2;
bzero(&arg, sizeof (struct mslsa_OpenPolicy2));
len = strlen(server) + 4;
arg.servername = ndr_rpc_malloc(lsa_handle, len);
if (arg.servername == NULL) {
ndr_rpc_unbind(lsa_handle);
return (-1);
}
(void) snprintf((char *)arg.servername, len, "\\\\%s", server);
arg.attributes.length = sizeof (struct mslsa_object_attributes);
arg.desiredAccess = MAXIMUM_ALLOWED;
if ((rc = ndr_rpc_call(lsa_handle, opnum, &arg)) != 0) {
ndr_rpc_unbind(lsa_handle);
return (-1);
}
if (arg.status != 0) {
rc = -1;
} else {
(void) memcpy(&lsa_handle->handle, &arg.domain_handle,
sizeof (ndr_hdid_t));
if (ndr_is_null_handle(lsa_handle))
rc = -1;
}
ndr_rpc_release(lsa_handle);
if (rc != 0)
ndr_rpc_unbind(lsa_handle);
return (rc);
}
/*
* lsar_query_security_desc
*
* Don't use this call yet. It is just a place holder for now.
*/
int
lsar_query_security_desc(mlsvc_handle_t *lsa_handle)
{
struct mslsa_QuerySecurityObject arg;
int rc;
int opnum;
opnum = LSARPC_OPNUM_QuerySecurityObject;
bzero(&arg, sizeof (struct mslsa_QuerySecurityObject));
(void) memcpy(&arg.handle, lsa_handle, sizeof (mslsa_handle_t));
rc = ndr_rpc_call(lsa_handle, opnum, &arg);
ndr_rpc_release(lsa_handle);
return (rc);
}
DWORD
lsar_enum_trusted_domains_ex(mlsvc_handle_t *lsa_handle, DWORD *enum_context,
smb_trusted_domains_t *list)
{
struct mslsa_EnumTrustedDomainEx arg;
int opnum;
DWORD status;
if (list == NULL)
return (NT_STATUS_INVALID_PARAMETER);
opnum = LSARPC_OPNUM_EnumTrustedDomainsEx;
bzero(list, sizeof (smb_trusted_domains_t));
bzero(&arg, sizeof (struct mslsa_EnumTrustedDomainEx));
(void) memcpy(&arg.handle, lsa_handle, sizeof (mslsa_handle_t));
arg.enum_context = *enum_context;
arg.max_length = MLSVC_MAX_RESPONSE_LEN;
if (ndr_rpc_call(lsa_handle, opnum, &arg) != 0) {
status = NT_STATUS_INVALID_PARAMETER;
} else if (arg.status != 0) {
*enum_context = arg.enum_context;
status = NT_SC_VALUE(arg.status);
/*
* STATUS_NO_MORE_ENTRIES provides call
* status but does not indicate an error.
*/
if (status != NT_STATUS_NO_MORE_ENTRIES)
ndr_rpc_status(lsa_handle, opnum, arg.status);
} else if (arg.enum_buf->entries_read == 0) {
*enum_context = arg.enum_context;
status = 0;
} else {
lsar_set_trusted_domains_ex(arg.enum_buf, list);
*enum_context = arg.enum_context;
status = 0;
}
ndr_rpc_release(lsa_handle);
return (status);
}
/*
* lsar_open_account
*
* Obtain an LSA account handle. The lsa_handle must be a valid handle
* obtained via lsar_open_policy2. The main thing to remember here is
* to set up the context in the lsa_account_handle. I'm not sure what
* the requirements are for desired access. Some values require admin
* access.
*
* Returns 0 on success. Otherwise non-zero to indicate a failure.
*/
int
lsar_open_account(mlsvc_handle_t *lsa_handle, struct mslsa_sid *sid,
mlsvc_handle_t *lsa_account_handle)
{
struct mslsa_OpenAccount arg;
int opnum;
int rc;
if (ndr_is_null_handle(lsa_handle) || sid == NULL)
return (-1);
opnum = LSARPC_OPNUM_OpenAccount;
bzero(&arg, sizeof (struct mslsa_OpenAccount));
(void) memcpy(&arg.handle, lsa_handle, sizeof (mslsa_handle_t));
arg.sid = sid;
arg.access_mask = STANDARD_RIGHTS_REQUIRED
#if 0
| POLICY_VIEW_AUDIT_INFORMATION
| POLICY_GET_PRIVATE_INFORMATION
| POLICY_TRUST_ADMIN
#endif
| POLICY_VIEW_LOCAL_INFORMATION;
if ((rc = ndr_rpc_call(lsa_handle, opnum, &arg)) != 0)
return (-1);
if (arg.status != 0) {
rc = -1;
} else {
ndr_inherit_handle(lsa_account_handle, lsa_handle);
(void) memcpy(&lsa_account_handle->handle,
&arg.account_handle, sizeof (ndr_hdid_t));
if (ndr_is_null_handle(lsa_account_handle))
rc = -1;
}
ndr_rpc_release(lsa_handle);
return (rc);
}
/*
* samr_open_domain
*
* We use a SAM handle to obtain a handle for a domain, specified by
* the SID. The SID can be obtain via the LSA interface. A handle for
* the domain is returned in domain_handle.
*/
DWORD
samr_open_domain(mlsvc_handle_t *samr_handle, DWORD access_mask,
struct samr_sid *sid, mlsvc_handle_t *domain_handle)
{
struct samr_OpenDomain arg;
int opnum;
DWORD status;
if (ndr_is_null_handle(samr_handle) ||
sid == NULL || domain_handle == NULL) {
return (NT_STATUS_INVALID_PARAMETER);
}
opnum = SAMR_OPNUM_OpenDomain;
bzero(&arg, sizeof (struct samr_OpenDomain));
(void) memcpy(&arg.handle, &samr_handle->handle, sizeof (ndr_hdid_t));
arg.access_mask = access_mask;
arg.sid = sid;
if (ndr_rpc_call(samr_handle, opnum, &arg) != 0) {
status = NT_STATUS_UNSUCCESSFUL;
} else if (arg.status != 0) {
status = arg.status;
} else {
status = NT_STATUS_SUCCESS;
ndr_inherit_handle(domain_handle, samr_handle);
(void) memcpy(&domain_handle->handle, &arg.domain_handle,
sizeof (ndr_hdid_t));
if (ndr_is_null_handle(domain_handle))
status = NT_STATUS_INVALID_HANDLE;
}
if (status != NT_STATUS_SUCCESS)
ndr_rpc_status(samr_handle, opnum, status);
ndr_rpc_release(samr_handle);
return (status);
}
/*ARGSUSED*/
int
lsar_enum_privs_account(mlsvc_handle_t *account_handle, smb_account_t *account)
{
struct mslsa_EnumPrivsAccount arg;
int opnum;
int rc;
opnum = LSARPC_OPNUM_EnumPrivsAccount;
bzero(&arg, sizeof (struct mslsa_EnumPrivsAccount));
(void) memcpy(&arg.account_handle, &account_handle->handle,
sizeof (mslsa_handle_t));
rc = ndr_rpc_call(account_handle, opnum, &arg);
if ((rc == 0) && (arg.status != 0)) {
ndr_rpc_status(account_handle, opnum, arg.status);
rc = -1;
}
ndr_rpc_release(account_handle);
return (rc);
}
/*
* lsar_lookup_priv_display_name
*
* Map a privilege name to a privilege display name. The input handle
* should be an LSA policy handle and the name would normally be one
* of the privileges defined in smb_privilege.h
*
* There's something peculiar about the return status from NT servers,
* it's not always present. So for now, I'm ignoring the status in the
* RPC response.
*
* Returns NT status codes.
*/
DWORD
lsar_lookup_priv_display_name(mlsvc_handle_t *lsa_handle, char *name,
char *display_name, int display_len)
{
struct mslsa_LookupPrivDisplayName arg;
int opnum;
size_t length;
DWORD status;
if (lsa_handle == NULL || name == NULL || display_name == NULL)
return (NT_STATUS_INVALID_PARAMETER);
opnum = LSARPC_OPNUM_LookupPrivDisplayName;
bzero(&arg, sizeof (struct mslsa_LookupPrivDisplayName));
(void) memcpy(&arg.handle, lsa_handle, sizeof (mslsa_handle_t));
length = smb_wcequiv_strlen(name);
arg.name.length = length;
arg.name.allosize = length;
arg.name.str = (unsigned char *)name;
arg.client_language = MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US);
arg.default_language = MAKELANGID(LANG_ENGLISH, SUBLANG_NEUTRAL);
if (ndr_rpc_call(lsa_handle, opnum, &arg) != 0)
status = NT_STATUS_INVALID_PARAMETER;
#if 0
else if (arg.status != 0)
status = NT_SC_VALUE(arg.status);
#endif
else {
(void) strlcpy(display_name,
(char const *)arg.display_name->str, display_len);
status = NT_STATUS_SUCCESS;
}
ndr_rpc_release(lsa_handle);
return (status);
}
/*
* samr_query_user_groups
*
* Query the groups for a specific user. The handle must be a valid
* user handle obtained via samr_open_user. The list of groups is
* returned in group_info. Note that group_info->groups is allocated
* using malloc. The caller is responsible for deallocating this
* memory when it is no longer required. If group_info->n_entry is 0
* then no memory was allocated.
*
* Returns 0 on success, otherwise returns -1.
*/
int
samr_query_user_groups(mlsvc_handle_t *user_handle, int *n_groups,
struct samr_UserGroups **groups)
{
struct samr_QueryUserGroups arg;
int opnum;
int rc;
int nbytes;
if (ndr_is_null_handle(user_handle))
return (-1);
opnum = SAMR_OPNUM_QueryUserGroups;
bzero(&arg, sizeof (struct samr_QueryUserGroups));
(void) memcpy(&arg.user_handle, &user_handle->handle,
sizeof (samr_handle_t));
rc = ndr_rpc_call(user_handle, opnum, &arg);
if (rc == 0) {
if (arg.info == 0) {
rc = -1;
} else {
nbytes = arg.info->n_entry *
sizeof (struct samr_UserGroups);
if ((*groups = malloc(nbytes)) == NULL) {
*n_groups = 0;
rc = -1;
} else {
*n_groups = arg.info->n_entry;
bcopy(arg.info->groups, *groups, nbytes);
}
}
}
ndr_rpc_release(user_handle);
return (rc);
}
/*
* samr_close_handle
*
* This is function closes any valid handle, i.e. sam, domain, user etc.
* If the handle being closed is the top level connect handle, we unbind.
* Then we zero out the handle to invalidate it.
*/
int
samr_close_handle(mlsvc_handle_t *samr_handle)
{
struct samr_CloseHandle arg;
int opnum;
if (ndr_is_null_handle(samr_handle))
return (-1);
opnum = SAMR_OPNUM_CloseHandle;
bzero(&arg, sizeof (struct samr_CloseHandle));
(void) memcpy(&arg.handle, &samr_handle->handle, sizeof (ndr_hdid_t));
(void) ndr_rpc_call(samr_handle, opnum, &arg);
ndr_rpc_release(samr_handle);
if (ndr_is_bind_handle(samr_handle))
ndr_rpc_unbind(samr_handle);
bzero(samr_handle, sizeof (mlsvc_handle_t));
return (0);
}
/*
* lsar_close
*
* Close the LSA connection associated with the handle. The lsa_handle
* must be a valid handle obtained via a call to lsar_open_policy2 or
* lsar_open_account. On success the handle will be zeroed out to
* ensure that it is not used again. If this is the top level handle
* (i.e. the one obtained via lsar_open_policy2) the pipe is closed.
*
* Returns 0 on success. Otherwise non-zero to indicate a failure.
*/
int
lsar_close(mlsvc_handle_t *lsa_handle)
{
struct mslsa_CloseHandle arg;
int opnum;
if (ndr_is_null_handle(lsa_handle))
return (-1);
opnum = LSARPC_OPNUM_CloseHandle;
bzero(&arg, sizeof (struct mslsa_CloseHandle));
(void) memcpy(&arg.handle, lsa_handle, sizeof (mslsa_handle_t));
(void) ndr_rpc_call(lsa_handle, opnum, &arg);
ndr_rpc_release(lsa_handle);
if (ndr_is_bind_handle(lsa_handle))
ndr_rpc_unbind(lsa_handle);
bzero(lsa_handle, sizeof (mlsvc_handle_t));
return (0);
}
/*
* samr_open_group
*
* Use a domain handle to obtain a handle for a group, specified by the
* group RID. A group RID (effectively a gid) can be obtained via the
* LSA interface. A handle for the group is returned in group_handle.
* Once you have a group handle it should be possible to query the SAM
* for information on that group.
*/
int
samr_open_group(
mlsvc_handle_t *domain_handle,
DWORD rid,
mlsvc_handle_t *group_handle)
{
struct samr_OpenGroup arg;
int opnum;
int rc;
if (ndr_is_null_handle(domain_handle) || group_handle == NULL)
return (-1);
opnum = SAMR_OPNUM_OpenGroup;
bzero(&arg, sizeof (struct samr_OpenUser));
(void) memcpy(&arg.handle, &domain_handle->handle,
sizeof (ndr_hdid_t));
arg.access_mask = SAM_LOOKUP_INFORMATION | SAM_ACCESS_USER_READ;
arg.rid = rid;
if ((rc = ndr_rpc_call(domain_handle, opnum, &arg)) != 0)
return (-1);
if (arg.status != 0) {
ndr_rpc_status(domain_handle, opnum, arg.status);
rc = -1;
} else {
ndr_inherit_handle(group_handle, domain_handle);
(void) memcpy(&group_handle->handle, &arg.group_handle,
sizeof (ndr_hdid_t));
if (ndr_is_null_handle(group_handle))
rc = -1;
}
ndr_rpc_release(domain_handle);
return (rc);
}
/*ARGSUSED*/
DWORD
samr_set_user_info(mlsvc_handle_t *user_handle)
{
unsigned char ssn_key[SMBAUTH_SESSION_KEY_SZ];
struct samr_SetUserInfo arg;
int opnum;
DWORD status = 0;
if (ndr_is_null_handle(user_handle))
return (NT_STATUS_INVALID_PARAMETER);
if (ndr_rpc_get_ssnkey(user_handle, ssn_key, sizeof (ssn_key)))
return (NT_STATUS_INVALID_PARAMETER);
opnum = SAMR_OPNUM_SetUserInfo;
bzero(&arg, sizeof (struct samr_SetUserInfo));
(void) memcpy(&arg.user_handle, &user_handle->handle,
sizeof (samr_handle_t));
arg.info.index = SAMR_SET_USER_INFO_23;
arg.info.switch_value = SAMR_SET_USER_INFO_23;
samr_set_user_unknowns(&arg.info.ru.info23);
samr_set_user_logon_hours(&arg);
if (samr_set_user_password(ssn_key, arg.info.ru.info23.password) < 0)
status = NT_STATUS_INTERNAL_ERROR;
if (ndr_rpc_call(user_handle, opnum, &arg) != 0) {
status = NT_STATUS_INVALID_PARAMETER;
} else if (arg.status != 0) {
ndr_rpc_status(user_handle, opnum, arg.status);
status = NT_SC_VALUE(arg.status);
}
ndr_rpc_release(user_handle);
return (status);
}
/*
* samr_open_user
*
* Use a domain handle to obtain a handle for a user, specified by the
* user RID. A user RID (effectively a uid) can be obtained via the
* LSA interface. A handle for the user is returned in user_handle.
* Once you have a user handle it should be possible to query the SAM
* for information on that user.
*/
DWORD
samr_open_user(mlsvc_handle_t *domain_handle, DWORD access_mask, DWORD rid,
mlsvc_handle_t *user_handle)
{
struct samr_OpenUser arg;
int opnum;
DWORD status = NT_STATUS_SUCCESS;
if (ndr_is_null_handle(domain_handle) || user_handle == NULL)
return (NT_STATUS_INVALID_PARAMETER);
opnum = SAMR_OPNUM_OpenUser;
bzero(&arg, sizeof (struct samr_OpenUser));
(void) memcpy(&arg.handle, &domain_handle->handle,
sizeof (ndr_hdid_t));
arg.access_mask = access_mask;
arg.rid = rid;
if (ndr_rpc_call(domain_handle, opnum, &arg) != 0) {
status = NT_STATUS_UNSUCCESSFUL;
} else if (arg.status != 0) {
ndr_rpc_status(domain_handle, opnum, arg.status);
status = NT_SC_VALUE(arg.status);
} else {
ndr_inherit_handle(user_handle, domain_handle);
(void) memcpy(&user_handle->handle, &arg.user_handle,
sizeof (ndr_hdid_t));
if (ndr_is_null_handle(user_handle))
status = NT_STATUS_INVALID_HANDLE;
}
ndr_rpc_release(domain_handle);
return (status);
}
/*
* Call the RPC function identified by opnum. The remote service is
* identified by the handle, which should have been initialized by
* ndr_rpc_bind.
*
* If the RPC call is successful (returns 0), the caller must call
* ndr_rpc_release to release the heap. Otherwise, we release the
* heap here.
*/
int
ndr_rpc_call(mlsvc_handle_t *handle, int opnum, void *params)
{
ndr_client_t *clnt = handle->clnt;
int rc;
if (ndr_rpc_get_heap(handle) == NULL)
return (-1);
rc = ndr_clnt_call(clnt->binding, opnum, params);
/*
* Always clear the nonull flag to ensure
* it is not applied to subsequent calls.
*/
clnt->nonull = B_FALSE;
if (NDR_DRC_IS_FAULT(rc)) {
ndr_rpc_release(handle);
return (-1);
}
return (0);
}
/*
* lsar_lookup_priv_value
*
* Map a privilege name to a local unique id (LUID). Privilege names
* are consistent across the network. LUIDs are machine specific.
* This function provides the means to map a privilege name to the
* LUID used by a remote server to represent it. The handle here is
* a policy handle.
*/
int
lsar_lookup_priv_value(mlsvc_handle_t *lsa_handle, char *name,
struct ms_luid *luid)
{
struct mslsa_LookupPrivValue arg;
int opnum;
int rc;
size_t length;
if (lsa_handle == NULL || name == NULL || luid == NULL)
return (-1);
opnum = LSARPC_OPNUM_LookupPrivValue;
bzero(&arg, sizeof (struct mslsa_LookupPrivValue));
(void) memcpy(&arg.handle, lsa_handle, sizeof (mslsa_handle_t));
length = smb_wcequiv_strlen(name);
if (ndr_rpc_server_os(lsa_handle) == NATIVE_OS_WIN2000)
length += sizeof (smb_wchar_t);
arg.name.length = length;
arg.name.allosize = length;
arg.name.str = (unsigned char *)name;
rc = ndr_rpc_call(lsa_handle, opnum, &arg);
if (rc == 0) {
if (arg.status != 0)
rc = -1;
else
(void) memcpy(luid, &arg.luid, sizeof (struct ms_luid));
}
ndr_rpc_release(lsa_handle);
return (rc);
}
