1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
25 */
26
27 /*
28 * Security Accounts Manager RPC (SAMR) client-side interface.
29 *
30 * The SAM is a hierarchical database:
31 * - If you want to talk to the SAM you need a SAM handle.
32 * - If you want to work with a domain, use the SAM handle.
33 * to obtain a domain handle.
34 * - Use domain handles to obtain user handles etc.
35 *
36 * Be careful about returning null handles to the application. Use of a
37 * null handle may crash the domain controller if you attempt to use it.
38 */
39
40 #include <stdio.h>
41 #include <strings.h>
42 #include <stdlib.h>
43 #include <unistd.h>
44 #include <netdb.h>
45 #include <sys/param.h>
46
47 #include <libmlrpc/libmlrpc.h>
48 #include <smbsrv/libsmb.h>
49 #include <smbsrv/libmlsvc.h>
50 #include <smbsrv/smbinfo.h>
51 #include <smb/ntaccess.h>
52 #include <smbsrv/smb_sid.h>
53 #include <samlib.h>
54
55 static DWORD samr_connect2(char *, char *, char *, DWORD, mlsvc_handle_t *);
56 static DWORD samr_connect4(char *, char *, char *, DWORD, mlsvc_handle_t *);
57 static DWORD samr_connect5(char *, char *, char *, DWORD, mlsvc_handle_t *);
58
59 typedef DWORD (*samr_connop_t)(char *, char *, char *, DWORD,
60 mlsvc_handle_t *);
61
62 static int samr_setup_user_info(WORD, struct samr_QueryUserInfo *,
63 union samr_user_info *);
64
65 /*
66 * samr_open
67 *
68 * Wrapper round samr_connect to ensure that we connect using the server
69 * and domain. We default to the resource domain if the caller doesn't
70 * supply a server name and a domain name.
71 *
72 * If username argument is NULL, an anonymous connection will be established.
73 * Otherwise, an authenticated connection will be established.
74 *
75 * On success 0 is returned. Otherwise a -ve error code.
76 */
77 DWORD
samr_open(char * server,char * domain,char * username,DWORD access_mask,mlsvc_handle_t * samr_handle)78 samr_open(char *server, char *domain, char *username, DWORD access_mask,
79 mlsvc_handle_t *samr_handle)
80 {
81 smb_domainex_t di;
82 DWORD status;
83
84 if (server == NULL || domain == NULL) {
85 if (!smb_domain_getinfo(&di))
86 return (NT_STATUS_INTERNAL_ERROR);
87 server = di.d_dci.dc_name;
88 domain = di.d_primary.di_nbname;
89 }
90
91 if (username == NULL)
92 username = MLSVC_ANON_USER;
93
94 status = samr_connect(server, domain, username, access_mask,
95 samr_handle);
96
97 return (status);
98 }
99
100
101 /*
102 * samr_connect
103 *
104 * Connect to the SAMR service on the specified server (domain controller).
105 * New SAM connect calls have been added to Windows over time:
106 *
107 * Windows NT3.x: SamrConnect
108 * Windows NT4.0: SamrConnect2
109 * Windows 2000: SamrConnect4
110 * Windows XP: SamrConnect5
111 *
112 * Try the calls from most recent to oldest until the server responds with
113 * something other than an RPC protocol error. We don't use the original
114 * connect call because all supported servers should support SamrConnect2.
115 */
116 DWORD
samr_connect(char * server,char * domain,char * username,DWORD access_mask,mlsvc_handle_t * samr_handle)117 samr_connect(char *server, char *domain, char *username, DWORD access_mask,
118 mlsvc_handle_t *samr_handle)
119 {
120 static samr_connop_t samr_connop[] = {
121 samr_connect5,
122 samr_connect4,
123 samr_connect2
124 };
125
126 int n_op = (sizeof (samr_connop) / sizeof (samr_connop[0]));
127 DWORD status;
128 int i;
129
130 status = ndr_rpc_bind(samr_handle, server, domain, username, "SAMR");
131 if (status)
132 return (status);
133
134 for (i = 0; i < n_op; ++i) {
135 status = (*samr_connop[i])(server, domain, username,
136 access_mask, samr_handle);
137
138 if (status == NT_STATUS_SUCCESS)
139 return (status);
140 }
141
142 ndr_rpc_unbind(samr_handle);
143 return (status);
144 }
145
146 /*
147 * samr_connect2
148 *
149 * Connect to the SAM on a Windows NT 4.0 server (domain controller).
150 * We need the domain controller name and, if everything works, we
151 * return a handle. This function adds the double backslash prefx to
152 * make it easy for applications.
153 *
154 * Returns 0 on success. Otherwise returns a -ve error code.
155 */
156 /*ARGSUSED*/
157 static DWORD
samr_connect2(char * server,char * domain,char * username,DWORD access_mask,mlsvc_handle_t * samr_handle)158 samr_connect2(char *server, char *domain, char *username, DWORD access_mask,
159 mlsvc_handle_t *samr_handle)
160 {
161 struct samr_Connect2 arg;
162 int opnum;
163 DWORD status;
164 int len;
165
166 bzero(&arg, sizeof (struct samr_Connect2));
167 opnum = SAMR_OPNUM_Connect2;
168 status = NT_STATUS_SUCCESS;
169
170 len = strlen(server) + 4;
171 arg.servername = ndr_rpc_malloc(samr_handle, len);
172 (void) snprintf((char *)arg.servername, len, "\\\\%s", server);
173 arg.access_mask = access_mask;
174
175 if (ndr_rpc_call(samr_handle, opnum, &arg) != 0) {
176 status = NT_STATUS_UNSUCCESSFUL;
177 } else if (arg.status != 0) {
178 status = NT_SC_VALUE(arg.status);
179 } else {
180 (void) memcpy(&samr_handle->handle, &arg.handle,
181 sizeof (ndr_hdid_t));
182
183 if (ndr_is_null_handle(samr_handle))
184 status = NT_STATUS_INVALID_HANDLE;
185 }
186
187 ndr_rpc_release(samr_handle);
188 return (status);
189 }
190
191 /*
192 * samr_connect4
193 *
194 * Connect to the SAM on a Windows 2000 domain controller.
195 */
196 /*ARGSUSED*/
197 static DWORD
samr_connect4(char * server,char * domain,char * username,DWORD access_mask,mlsvc_handle_t * samr_handle)198 samr_connect4(char *server, char *domain, char *username, DWORD access_mask,
199 mlsvc_handle_t *samr_handle)
200 {
201 struct samr_Connect4 arg;
202 int opnum;
203 DWORD status;
204 int len;
205
206 bzero(&arg, sizeof (struct samr_Connect4));
207 opnum = SAMR_OPNUM_Connect4;
208 status = NT_STATUS_SUCCESS;
209
210 len = strlen(server) + 4;
211 arg.servername = ndr_rpc_malloc(samr_handle, len);
212 (void) snprintf((char *)arg.servername, len, "\\\\%s", server);
213 arg.revision = SAMR_REVISION_2;
214 arg.access_mask = access_mask;
215
216 if (ndr_rpc_call(samr_handle, opnum, &arg) != 0) {
217 status = NT_STATUS_UNSUCCESSFUL;
218 } else if (arg.status != 0) {
219 status = NT_SC_VALUE(arg.status);
220 } else {
221 (void) memcpy(&samr_handle->handle, &arg.handle,
222 sizeof (ndr_hdid_t));
223
224 if (ndr_is_null_handle(samr_handle))
225 status = NT_STATUS_INVALID_HANDLE;
226 }
227
228 ndr_rpc_release(samr_handle);
229 return (status);
230 }
231
232 /*
233 * samr_connect5
234 *
235 * Connect to the SAM on a Windows XP domain controller. On Windows
236 * XP, the server should be the fully qualified DNS domain name with
237 * a double backslash prefix. At this point, it is assumed that we
238 * need to add the prefix and the DNS domain name here.
239 *
240 * If this call succeeds, a SAMR handle is placed in samr_handle and
241 * zero is returned. Otherwise, a -ve error code is returned.
242 */
243 /*ARGSUSED*/
244 static DWORD
samr_connect5(char * server,char * domain,char * username,DWORD access_mask,mlsvc_handle_t * samr_handle)245 samr_connect5(char *server, char *domain, char *username, DWORD access_mask,
246 mlsvc_handle_t *samr_handle)
247 {
248 struct samr_Connect5 arg;
249 int len;
250 int opnum;
251 DWORD status;
252
253 bzero(&arg, sizeof (struct samr_Connect5));
254 opnum = SAMR_OPNUM_Connect5;
255 status = NT_STATUS_SUCCESS;
256
257 len = strlen(server) + 4;
258 arg.servername = ndr_rpc_malloc(samr_handle, len);
259 (void) snprintf((char *)arg.servername, len, "\\\\%s", server);
260
261 arg.access_mask = SAM_ENUM_LOCAL_DOMAIN;
262 arg.unknown2_00000001 = 0x00000001;
263 arg.unknown3_00000001 = 0x00000001;
264 arg.unknown4_00000003 = 0x00000003;
265 arg.unknown5_00000000 = 0x00000000;
266
267 if (ndr_rpc_call(samr_handle, opnum, &arg) != 0) {
268 status = NT_STATUS_UNSUCCESSFUL;
269 } else if (arg.status != 0) {
270 status = NT_SC_VALUE(arg.status);
271 } else {
272
273 (void) memcpy(&samr_handle->handle, &arg.handle,
274 sizeof (ndr_hdid_t));
275
276 if (ndr_is_null_handle(samr_handle))
277 status = NT_STATUS_INVALID_HANDLE;
278 }
279
280 ndr_rpc_release(samr_handle);
281 return (status);
282 }
283
284
285 /*
286 * samr_close_handle
287 *
288 * This is function closes any valid handle, i.e. sam, domain, user etc.
289 * If the handle being closed is the top level connect handle, we unbind.
290 * Then we zero out the handle to invalidate it.
291 */
292 void
samr_close_handle(mlsvc_handle_t * samr_handle)293 samr_close_handle(mlsvc_handle_t *samr_handle)
294 {
295 struct samr_CloseHandle arg;
296 int opnum;
297
298 if (ndr_is_null_handle(samr_handle))
299 return;
300
301 opnum = SAMR_OPNUM_CloseHandle;
302 bzero(&arg, sizeof (struct samr_CloseHandle));
303 (void) memcpy(&arg.handle, &samr_handle->handle, sizeof (ndr_hdid_t));
304
305 (void) ndr_rpc_call(samr_handle, opnum, &arg);
306 ndr_rpc_release(samr_handle);
307
308 if (ndr_is_bind_handle(samr_handle))
309 ndr_rpc_unbind(samr_handle);
310
311 bzero(samr_handle, sizeof (mlsvc_handle_t));
312 }
313
314 /*
315 * samr_open_domain
316 *
317 * We use a SAM handle to obtain a handle for a domain, specified by
318 * the SID. The SID can be obtain via the LSA interface. A handle for
319 * the domain is returned in domain_handle.
320 */
321 DWORD
samr_open_domain(mlsvc_handle_t * samr_handle,DWORD access_mask,struct samr_sid * sid,mlsvc_handle_t * domain_handle)322 samr_open_domain(mlsvc_handle_t *samr_handle, DWORD access_mask,
323 struct samr_sid *sid, mlsvc_handle_t *domain_handle)
324 {
325 struct samr_OpenDomain arg;
326 int opnum;
327 DWORD status;
328
329 if (ndr_is_null_handle(samr_handle) ||
330 sid == NULL || domain_handle == NULL) {
331 return (NT_STATUS_INVALID_PARAMETER);
332 }
333
334 opnum = SAMR_OPNUM_OpenDomain;
335 bzero(&arg, sizeof (struct samr_OpenDomain));
336 (void) memcpy(&arg.handle, &samr_handle->handle, sizeof (ndr_hdid_t));
337
338 arg.access_mask = access_mask;
339 arg.sid = sid;
340
341 if (ndr_rpc_call(samr_handle, opnum, &arg) != 0) {
342 status = NT_STATUS_UNSUCCESSFUL;
343 } else if (arg.status != 0) {
344 status = arg.status;
345 } else {
346 status = NT_STATUS_SUCCESS;
347 ndr_inherit_handle(domain_handle, samr_handle);
348
349 (void) memcpy(&domain_handle->handle, &arg.domain_handle,
350 sizeof (ndr_hdid_t));
351
352 if (ndr_is_null_handle(domain_handle))
353 status = NT_STATUS_INVALID_HANDLE;
354 }
355
356 if (status != NT_STATUS_SUCCESS)
357 ndr_rpc_status(samr_handle, opnum, status);
358
359 ndr_rpc_release(samr_handle);
360 return (status);
361 }
362
363 /*
364 * samr_open_user
365 *
366 * Use a domain handle to obtain a handle for a user, specified by the
367 * user RID. A user RID (effectively a uid) can be obtained via the
368 * LSA interface. A handle for the user is returned in user_handle.
369 * Once you have a user handle it should be possible to query the SAM
370 * for information on that user.
371 */
372 DWORD
samr_open_user(mlsvc_handle_t * domain_handle,DWORD access_mask,DWORD rid,mlsvc_handle_t * user_handle)373 samr_open_user(mlsvc_handle_t *domain_handle, DWORD access_mask, DWORD rid,
374 mlsvc_handle_t *user_handle)
375 {
376 struct samr_OpenUser arg;
377 int opnum;
378 DWORD status = NT_STATUS_SUCCESS;
379
380 if (ndr_is_null_handle(domain_handle) || user_handle == NULL)
381 return (NT_STATUS_INVALID_PARAMETER);
382
383 opnum = SAMR_OPNUM_OpenUser;
384 bzero(&arg, sizeof (struct samr_OpenUser));
385 (void) memcpy(&arg.handle, &domain_handle->handle,
386 sizeof (ndr_hdid_t));
387 arg.access_mask = access_mask;
388 arg.rid = rid;
389
390 if (ndr_rpc_call(domain_handle, opnum, &arg) != 0) {
391 status = NT_STATUS_UNSUCCESSFUL;
392 } else if (arg.status != 0) {
393 ndr_rpc_status(domain_handle, opnum, arg.status);
394 status = NT_SC_VALUE(arg.status);
395 } else {
396 ndr_inherit_handle(user_handle, domain_handle);
397
398 (void) memcpy(&user_handle->handle, &arg.user_handle,
399 sizeof (ndr_hdid_t));
400
401 if (ndr_is_null_handle(user_handle))
402 status = NT_STATUS_INVALID_HANDLE;
403 }
404
405 ndr_rpc_release(domain_handle);
406 return (status);
407 }
408
409 /*
410 * samr_delete_user
411 *
412 * Delete the user specified by the user_handle.
413 */
414 DWORD
samr_delete_user(mlsvc_handle_t * user_handle)415 samr_delete_user(mlsvc_handle_t *user_handle)
416 {
417 struct samr_DeleteUser arg;
418 int opnum;
419 DWORD status;
420
421 if (ndr_is_null_handle(user_handle))
422 return (NT_STATUS_INVALID_PARAMETER);
423
424 opnum = SAMR_OPNUM_DeleteUser;
425 bzero(&arg, sizeof (struct samr_DeleteUser));
426 (void) memcpy(&arg.user_handle, &user_handle->handle,
427 sizeof (ndr_hdid_t));
428
429 if (ndr_rpc_call(user_handle, opnum, &arg) != 0) {
430 status = NT_STATUS_INVALID_PARAMETER;
431 } else if (arg.status != 0) {
432 ndr_rpc_status(user_handle, opnum, arg.status);
433 status = NT_SC_VALUE(arg.status);
434 } else {
435 status = 0;
436 }
437
438 ndr_rpc_release(user_handle);
439 return (status);
440 }
441
442 /*
443 * samr_open_group
444 *
445 * Use a domain handle to obtain a handle for a group, specified by the
446 * group RID. A group RID (effectively a gid) can be obtained via the
447 * LSA interface. A handle for the group is returned in group_handle.
448 * Once you have a group handle it should be possible to query the SAM
449 * for information on that group.
450 */
451 int
samr_open_group(mlsvc_handle_t * domain_handle,DWORD rid,mlsvc_handle_t * group_handle)452 samr_open_group(
453 mlsvc_handle_t *domain_handle,
454 DWORD rid,
455 mlsvc_handle_t *group_handle)
456 {
457 struct samr_OpenGroup arg;
458 int opnum;
459 int rc;
460
461 if (ndr_is_null_handle(domain_handle) || group_handle == NULL)
462 return (-1);
463
464 opnum = SAMR_OPNUM_OpenGroup;
465 bzero(&arg, sizeof (struct samr_OpenUser));
466 (void) memcpy(&arg.handle, &domain_handle->handle,
467 sizeof (ndr_hdid_t));
468 arg.access_mask = SAM_LOOKUP_INFORMATION | SAM_ACCESS_USER_READ;
469 arg.rid = rid;
470
471 if ((rc = ndr_rpc_call(domain_handle, opnum, &arg)) != 0)
472 return (-1);
473
474 if (arg.status != 0) {
475 ndr_rpc_status(domain_handle, opnum, arg.status);
476 rc = -1;
477 } else {
478 ndr_inherit_handle(group_handle, domain_handle);
479
480 (void) memcpy(&group_handle->handle, &arg.group_handle,
481 sizeof (ndr_hdid_t));
482
483 if (ndr_is_null_handle(group_handle))
484 rc = -1;
485 }
486
487 ndr_rpc_release(domain_handle);
488 return (rc);
489 }
490
491 /*
492 * samr_create_user
493 *
494 * Create a user in the domain specified by the domain handle. If this
495 * call is successful, the server will return the RID for the user and
496 * a user handle, which may be used to set or query the SAM.
497 *
498 * Observed status codes:
499 * NT_STATUS_INVALID_PARAMETER
500 * NT_STATUS_INVALID_ACCOUNT_NAME
501 * NT_STATUS_ACCESS_DENIED
502 * NT_STATUS_USER_EXISTS
503 *
504 * Returns 0 on success. Otherwise returns an NT status code.
505 */
506 DWORD
samr_create_user(mlsvc_handle_t * domain_handle,char * username,DWORD account_flags,DWORD * rid,mlsvc_handle_t * user_handle)507 samr_create_user(mlsvc_handle_t *domain_handle, char *username,
508 DWORD account_flags, DWORD *rid, mlsvc_handle_t *user_handle)
509 {
510 struct samr_CreateUser arg;
511 ndr_heap_t *heap;
512 int opnum;
513 int rc;
514 DWORD status = 0;
515
516 if (ndr_is_null_handle(domain_handle) ||
517 username == NULL || rid == NULL) {
518 return (NT_STATUS_INVALID_PARAMETER);
519 }
520
521 opnum = SAMR_OPNUM_CreateUser;
522
523 bzero(&arg, sizeof (struct samr_CreateUser));
524 (void) memcpy(&arg.handle, &domain_handle->handle,
525 sizeof (ndr_hdid_t));
526
527 heap = ndr_rpc_get_heap(domain_handle);
528 ndr_heap_mkvcs(heap, username, (ndr_vcstr_t *)&arg.username);
529
530 arg.account_flags = account_flags;
531 arg.desired_access = 0xE00500B0;
532
533 rc = ndr_rpc_call(domain_handle, opnum, &arg);
534 if (rc != 0) {
535 status = NT_STATUS_INVALID_PARAMETER;
536 } else if (arg.status != 0) {
537 status = NT_SC_VALUE(arg.status);
538
539 if (status != NT_STATUS_USER_EXISTS) {
540 smb_tracef("SamrCreateUser[%s]: %s",
541 username, xlate_nt_status(status));
542 }
543 } else {
544 ndr_inherit_handle(user_handle, domain_handle);
545
546 (void) memcpy(&user_handle->handle, &arg.user_handle,
547 sizeof (ndr_hdid_t));
548
549 *rid = arg.rid;
550
551 if (ndr_is_null_handle(user_handle))
552 status = NT_STATUS_INVALID_HANDLE;
553 else
554 status = 0;
555 }
556
557 ndr_rpc_release(domain_handle);
558 return (status);
559 }
560
561 /*
562 * samr_lookup_domain
563 *
564 * Lookup up the domain SID for the specified domain name. The handle
565 * should be one returned from samr_connect. The allocated memory for
566 * the returned SID must be freed by caller.
567 */
568 smb_sid_t *
samr_lookup_domain(mlsvc_handle_t * samr_handle,char * domain_name)569 samr_lookup_domain(mlsvc_handle_t *samr_handle, char *domain_name)
570 {
571 struct samr_LookupDomain arg;
572 smb_sid_t *domsid = NULL;
573 int opnum;
574 size_t length;
575
576 if (ndr_is_null_handle(samr_handle) || domain_name == NULL)
577 return (NULL);
578
579 opnum = SAMR_OPNUM_LookupDomain;
580 bzero(&arg, sizeof (struct samr_LookupDomain));
581
582 (void) memcpy(&arg.handle, &samr_handle->handle,
583 sizeof (samr_handle_t));
584
585 length = smb_wcequiv_strlen(domain_name);
586 length += sizeof (smb_wchar_t);
587
588 arg.domain_name.length = length;
589 arg.domain_name.allosize = length;
590 arg.domain_name.str = (unsigned char *)domain_name;
591
592 if (ndr_rpc_call(samr_handle, opnum, &arg) == 0)
593 domsid = smb_sid_dup((smb_sid_t *)arg.sid);
594
595 ndr_rpc_release(samr_handle);
596 return (domsid);
597 }
598
599 /*
600 * samr_enum_local_domains
601 *
602 * Get the list of local domains supported by a server.
603 *
604 * Returns NT status codes.
605 */
606 DWORD
samr_enum_local_domains(mlsvc_handle_t * samr_handle)607 samr_enum_local_domains(mlsvc_handle_t *samr_handle)
608 {
609 struct samr_EnumLocalDomain arg;
610 int opnum;
611 DWORD status;
612
613 if (ndr_is_null_handle(samr_handle))
614 return (NT_STATUS_INVALID_PARAMETER);
615
616 opnum = SAMR_OPNUM_EnumLocalDomains;
617 bzero(&arg, sizeof (struct samr_EnumLocalDomain));
618
619 (void) memcpy(&arg.handle, &samr_handle->handle,
620 sizeof (samr_handle_t));
621 arg.enum_context = 0;
622 arg.max_length = 0x00002000; /* Value used by NT */
623
624 if (ndr_rpc_call(samr_handle, opnum, &arg) != 0) {
625 status = NT_STATUS_INVALID_PARAMETER;
626 } else {
627 status = NT_SC_VALUE(arg.status);
628
629 /*
630 * Handle none-mapped status quietly.
631 */
632 if (status != NT_STATUS_NONE_MAPPED)
633 ndr_rpc_status(samr_handle, opnum, arg.status);
634 }
635
636 ndr_rpc_release(samr_handle);
637 return (status);
638 }
639
640 /*
641 * samr_lookup_domain_names
642 *
643 * Lookup up the given name in the domain specified by domain_handle.
644 * Upon a successful lookup the information is returned in the account
645 * arg and caller must free allocated memories by calling smb_account_free().
646 *
647 * Returns NT status codes.
648 */
649 uint32_t
samr_lookup_domain_names(mlsvc_handle_t * domain_handle,char * name,smb_account_t * account)650 samr_lookup_domain_names(mlsvc_handle_t *domain_handle, char *name,
651 smb_account_t *account)
652 {
653 struct samr_LookupNames arg;
654 int opnum;
655 uint32_t status;
656 size_t length;
657
658 if (ndr_is_null_handle(domain_handle) ||
659 name == NULL || account == NULL) {
660 return (NT_STATUS_INVALID_PARAMETER);
661 }
662
663 bzero(account, sizeof (smb_account_t));
664 opnum = SAMR_OPNUM_LookupNames;
665 bzero(&arg, sizeof (struct samr_LookupNames));
666
667 (void) memcpy(&arg.handle, &domain_handle->handle,
668 sizeof (samr_handle_t));
669 arg.n_entry = 1;
670 arg.max_n_entry = 1000;
671 arg.index = 0;
672 arg.total = 1;
673
674 length = smb_wcequiv_strlen(name);
675 length += sizeof (smb_wchar_t);
676
677 arg.name.length = length;
678 arg.name.allosize = length;
679 arg.name.str = (unsigned char *)name;
680
681 if (ndr_rpc_call(domain_handle, opnum, &arg) != 0) {
682 status = NT_STATUS_INVALID_PARAMETER;
683 } else if (arg.status != NT_STATUS_SUCCESS) {
684 status = NT_SC_VALUE(arg.status);
685
686 /*
687 * Handle none-mapped status quietly.
688 */
689 if (status != NT_STATUS_NONE_MAPPED)
690 ndr_rpc_status(domain_handle, opnum, arg.status);
691 } else {
692 account->a_type = arg.rid_types.rid_type[0];
693 account->a_rid = arg.rids.rid[0];
694 status = NT_STATUS_SUCCESS;
695 }
696
697 ndr_rpc_release(domain_handle);
698 return (status);
699 }
700
701 /*
702 * samr_query_user_info
703 *
704 * Query information on a specific user. The handle must be a valid
705 * user handle obtained via samr_open_user.
706 *
707 * Returns 0 on success, otherwise returns NT status code.
708 */
709 DWORD
samr_query_user_info(mlsvc_handle_t * user_handle,WORD switch_value,union samr_user_info * user_info)710 samr_query_user_info(mlsvc_handle_t *user_handle, WORD switch_value,
711 union samr_user_info *user_info)
712 {
713 struct samr_QueryUserInfo arg;
714 int opnum;
715
716 if (ndr_is_null_handle(user_handle) || user_info == 0)
717 return (NT_STATUS_INTERNAL_ERROR);
718
719 opnum = SAMR_OPNUM_QueryUserInfo;
720 bzero(&arg, sizeof (struct samr_QueryUserInfo));
721
722 (void) memcpy(&arg.user_handle, &user_handle->handle,
723 sizeof (samr_handle_t));
724 arg.switch_value = switch_value;
725
726 if (ndr_rpc_call(user_handle, opnum, &arg) != 0)
727 arg.status = RPC_NT_CALL_FAILED;
728
729 if (arg.status == 0)
730 (void) samr_setup_user_info(switch_value, &arg, user_info);
731
732 return (arg.status);
733 }
734
735 /*
736 * samr_setup_user_info
737 *
738 * Private function to set up the samr_user_info data. Dependent on
739 * the switch value this function may use strdup which will malloc
740 * memory. The caller is responsible for deallocating this memory.
741 *
742 * Returns 0 on success, otherwise returns -1.
743 */
744 static int
samr_setup_user_info(WORD switch_value,struct samr_QueryUserInfo * arg,union samr_user_info * user_info)745 samr_setup_user_info(WORD switch_value,
746 struct samr_QueryUserInfo *arg, union samr_user_info *user_info)
747 {
748 struct samr_QueryUserInfo1 *info1;
749 struct samr_QueryUserInfo6 *info6;
750
751 switch (switch_value) {
752 case 1:
753 info1 = &arg->ru.info1;
754 user_info->info1.username = strdup(
755 (char const *)info1->username.str);
756 user_info->info1.fullname = strdup(
757 (char const *)info1->fullname.str);
758 user_info->info1.description = strdup(
759 (char const *)info1->description.str);
760 user_info->info1.unknown = 0;
761 user_info->info1.group_rid = info1->group_rid;
762 return (0);
763
764 case 6:
765 info6 = &arg->ru.info6;
766 user_info->info6.username = strdup(
767 (char const *)info6->username.str);
768 user_info->info6.fullname = strdup(
769 (char const *)info6->fullname.str);
770 return (0);
771
772 case 7:
773 user_info->info7.username = strdup(
774 (char const *)arg->ru.info7.username.str);
775 return (0);
776
777 case 8:
778 user_info->info8.fullname = strdup(
779 (char const *)arg->ru.info8.fullname.str);
780 return (0);
781
782 case 9:
783 user_info->info9.group_rid = arg->ru.info9.group_rid;
784 return (0);
785
786 case 16:
787 user_info->info16.acct_ctrl =
788 arg->ru.info16.UserAccountControl;
789 return (0);
790
791 default:
792 break;
793 };
794
795 return (-1);
796 }
797
798 /*
799 * samr_query_user_groups
800 *
801 * Query the groups for a specific user. The handle must be a valid
802 * user handle obtained via samr_open_user. The list of groups is
803 * returned in group_info. Note that group_info->groups is allocated
804 * using malloc. The caller is responsible for deallocating this
805 * memory when it is no longer required. If group_info->n_entry is 0
806 * then no memory was allocated.
807 *
808 * Returns 0 on success, otherwise returns -1.
809 */
810 int
samr_query_user_groups(mlsvc_handle_t * user_handle,int * n_groups,struct samr_UserGroups ** groups)811 samr_query_user_groups(mlsvc_handle_t *user_handle, int *n_groups,
812 struct samr_UserGroups **groups)
813 {
814 struct samr_QueryUserGroups arg;
815 int opnum;
816 int rc;
817 int nbytes;
818
819 if (ndr_is_null_handle(user_handle))
820 return (-1);
821
822 opnum = SAMR_OPNUM_QueryUserGroups;
823 bzero(&arg, sizeof (struct samr_QueryUserGroups));
824
825 (void) memcpy(&arg.user_handle, &user_handle->handle,
826 sizeof (samr_handle_t));
827
828 rc = ndr_rpc_call(user_handle, opnum, &arg);
829 if (rc == 0) {
830 if (arg.info == 0) {
831 rc = -1;
832 } else {
833 nbytes = arg.info->n_entry *
834 sizeof (struct samr_UserGroups);
835
836 if ((*groups = malloc(nbytes)) == NULL) {
837 *n_groups = 0;
838 rc = -1;
839 } else {
840 *n_groups = arg.info->n_entry;
841 bcopy(arg.info->groups, *groups, nbytes);
842 }
843 }
844 }
845
846 ndr_rpc_release(user_handle);
847 return (rc);
848 }
849
850 /*
851 * samr_get_user_pwinfo
852 *
853 * Get some user password info. I'm not sure what this is yet but it is
854 * part of the create user sequence. The handle must be a valid user
855 * handle. Since I don't know what this is returning, I haven't provided
856 * any return data yet.
857 *
858 * Returns 0 on success. Otherwise returns an NT status code.
859 */
860 DWORD
samr_get_user_pwinfo(mlsvc_handle_t * user_handle)861 samr_get_user_pwinfo(mlsvc_handle_t *user_handle)
862 {
863 struct samr_GetUserPwInfo arg;
864 int opnum;
865 DWORD status;
866
867 if (ndr_is_null_handle(user_handle))
868 return (NT_STATUS_INVALID_PARAMETER);
869
870 opnum = SAMR_OPNUM_GetUserPwInfo;
871 bzero(&arg, sizeof (struct samr_GetUserPwInfo));
872 (void) memcpy(&arg.user_handle, &user_handle->handle,
873 sizeof (samr_handle_t));
874
875 if (ndr_rpc_call(user_handle, opnum, &arg) != 0) {
876 status = NT_STATUS_INVALID_PARAMETER;
877 } else if (arg.status != 0) {
878 ndr_rpc_status(user_handle, opnum, arg.status);
879 status = NT_SC_VALUE(arg.status);
880 } else {
881 status = 0;
882 }
883
884 ndr_rpc_release(user_handle);
885 return (status);
886 }
887
888 DECL_FIXUP_STRUCT(samr_SetUserInfo_u);
889 DECL_FIXUP_STRUCT(samr_SetUserInfo_s);
890 DECL_FIXUP_STRUCT(samr_SetUserInfo);
891
892 /*
893 * samr_set_user_info
894 *
895 * Returns 0 on success. Otherwise returns an NT status code.
896 * NT status codes observed so far:
897 * NT_STATUS_WRONG_PASSWORD
898 */
899 DWORD
samr_set_user_info(mlsvc_handle_t * user_handle,int info_level,void * info_buf)900 samr_set_user_info(
901 mlsvc_handle_t *user_handle,
902 int info_level,
903 void *info_buf)
904 {
905 struct samr_SetUserInfo arg;
906 uint16_t usize, tsize;
907 int opnum;
908
909 if (ndr_is_null_handle(user_handle))
910 return (NT_STATUS_INTERNAL_ERROR);
911
912 /*
913 * Only support a few levels
914 * MS-SAMR: UserInternal4Information
915 */
916 switch (info_level) {
917 case 16: /* samr_SetUserInfo16 */
918 usize = sizeof (struct samr_SetUserInfo16);
919 break;
920 case 21: /* samr_SetUserInfo21 */
921 usize = sizeof (struct samr_SetUserInfo21);
922 break;
923 case 23: /* samr_SetUserInfo23 */
924 usize = sizeof (struct samr_SetUserInfo23);
925 break;
926 case 24: /* samr_SetUserInfo24 */
927 usize = sizeof (struct samr_SetUserInfo24);
928 break;
929 default:
930 return (NT_STATUS_INVALID_LEVEL);
931 }
932
933 /*
934 * OK, now this gets really ugly, because
935 * ndrgen doesn't do unions correctly.
936 */
937 FIXUP_PDU_SIZE(samr_SetUserInfo_u, usize);
938 tsize = usize + (2 * sizeof (WORD));
939 FIXUP_PDU_SIZE(samr_SetUserInfo_s, tsize);
940 tsize += sizeof (ndr_request_hdr_t) + sizeof (DWORD);
941 FIXUP_PDU_SIZE(samr_SetUserInfo, tsize);
942
943 opnum = SAMR_OPNUM_SetUserInfo;
944 bzero(&arg, sizeof (arg));
945 (void) memcpy(&arg.user_handle, &user_handle->handle,
946 sizeof (samr_handle_t));
947 arg.info.info_level = info_level;
948 arg.info.switch_value = info_level;
949 (void) memcpy(&arg.info.ru, info_buf, usize);
950
951 if (ndr_rpc_call(user_handle, opnum, &arg) != 0)
952 arg.status = RPC_NT_CALL_FAILED;
953 else if (arg.status != 0)
954 ndr_rpc_status(user_handle, opnum, arg.status);
955
956 ndr_rpc_release(user_handle);
957 return (arg.status);
958 }
959
960 /*
961 * Client side wrapper for SamrUnicodeChangePasswordUser2
962 * [MS-SAMR 3.1.5.10.3]
963 */
964
965 DWORD
samr_change_password(mlsvc_handle_t * handle,char * server,char * account,struct samr_encr_passwd * newpw,struct samr_encr_hash * oldpw)966 samr_change_password(
967 mlsvc_handle_t *handle,
968 char *server,
969 char *account,
970 struct samr_encr_passwd *newpw,
971 struct samr_encr_hash *oldpw)
972 {
973 static struct samr_encr_passwd zero_newpw;
974 static struct samr_encr_hash zero_oldpw;
975 struct samr_ChangePasswordUser2 arg;
976 int opnum = SAMR_OPNUM_ChangePasswordUser2;
977 char *slashserver;
978 int len;
979
980 (void) memset(&arg, 0, sizeof (arg));
981
982 /* Need server name with slashes */
983 len = 2 + strlen(server) + 1;
984 slashserver = ndr_rpc_malloc(handle, len);
985 if (slashserver == NULL)
986 return (NT_STATUS_NO_MEMORY);
987 (void) snprintf(slashserver, len, "\\\\%s", server);
988
989 arg.servername = ndr_rpc_malloc(handle, sizeof (samr_string_t));
990 if (arg.servername == NULL)
991 return (NT_STATUS_NO_MEMORY);
992 len = smb_wcequiv_strlen(slashserver);
993 if (len < 1)
994 return (NT_STATUS_INVALID_PARAMETER);
995 len += 2; /* the WC null */
996 arg.servername->length = len;
997 arg.servername->allosize = len;
998 arg.servername->str = (uint8_t *)slashserver;
999
1000 arg.username = ndr_rpc_malloc(handle, sizeof (samr_string_t));
1001 if (arg.username == NULL)
1002 return (NT_STATUS_NO_MEMORY);
1003 len = smb_wcequiv_strlen(account);
1004 if (len < 1)
1005 return (NT_STATUS_INVALID_PARAMETER);
1006 len += 2; /* the WC null */
1007 arg.username->length = len;
1008 arg.username->allosize = len;
1009 arg.username->str = (uint8_t *)account;
1010
1011 arg.nt_newpw = newpw;
1012 arg.nt_oldpw = oldpw;
1013
1014 arg.lm_newpw = &zero_newpw;
1015 arg.lm_oldpw = &zero_oldpw;
1016
1017 if (ndr_rpc_call(handle, opnum, &arg) != 0)
1018 arg.status = RPC_NT_CALL_FAILED;
1019 else if (arg.status != 0)
1020 ndr_rpc_status(handle, opnum, arg.status);
1021
1022 ndr_rpc_release(handle);
1023 return (arg.status);
1024 }
1025