xref: /illumos-gate/usr/src/lib/smbsrv/libmlsvc/common/samlib.c (revision 47842382d52f28aa3173aa6b511781c322ccb6a2)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * This module provides the high level interface to the SAM RPC
28  * functions.
29  */
30 
31 #include <alloca.h>
32 
33 #include <smbsrv/libsmb.h>
34 #include <smbsrv/libsmbrdr.h>
35 #include <smbsrv/libmlsvc.h>
36 
37 #include <smbsrv/ntstatus.h>
38 #include <smbsrv/ntaccess.h>
39 #include <lsalib.h>
40 #include <samlib.h>
41 
42 /*
43  * Valid values for the OEM OWF password encryption.
44  */
45 #define	SAM_PASSWORD_516	516
46 #define	SAM_KEYLEN		16
47 
48 extern DWORD samr_set_user_info(mlsvc_handle_t *, smb_auth_info_t *);
49 static struct samr_sid *sam_get_domain_sid(mlsvc_handle_t *, char *, char *);
50 
51 /*
52  * sam_create_trust_account
53  *
54  * Create a trust account for this system.
55  *
56  *	SAMR_AF_WORKSTATION_TRUST_ACCOUNT: servers and workstations.
57  *	SAMR_AF_SERVER_TRUST_ACCOUNT: domain controllers.
58  *
59  * Returns NT status codes.
60  */
61 DWORD
62 sam_create_trust_account(char *server, char *domain, smb_auth_info_t *auth)
63 {
64 	char account_name[SMB_SAMACCT_MAXLEN];
65 	DWORD status;
66 
67 	if (smb_getsamaccount(account_name, SMB_SAMACCT_MAXLEN) != 0)
68 		return (NT_STATUS_INTERNAL_ERROR);
69 
70 	/*
71 	 * The trust account value here should match
72 	 * the value that will be used when the user
73 	 * information is set on this account.
74 	 */
75 	status = sam_create_account(server, domain, account_name,
76 	    auth, SAMR_AF_WORKSTATION_TRUST_ACCOUNT);
77 
78 	/*
79 	 * Based on network traces, a Windows 2000 client will
80 	 * always try to create the computer account first.
81 	 * If it existed, then check the user permission to join
82 	 * the domain.
83 	 */
84 
85 	if (status == NT_STATUS_USER_EXISTS)
86 		status = sam_check_user(server, domain, account_name);
87 
88 	return (status);
89 }
90 
91 
92 /*
93  * sam_create_account
94  *
95  * Create the specified domain account in the SAM database on the
96  * domain controller.
97  *
98  * Account flags:
99  *		SAMR_AF_NORMAL_ACCOUNT
100  *		SAMR_AF_WORKSTATION_TRUST_ACCOUNT
101  *		SAMR_AF_SERVER_TRUST_ACCOUNT
102  *
103  * Returns NT status codes.
104  */
105 DWORD
106 sam_create_account(char *server, char *domain_name, char *account_name,
107     smb_auth_info_t *auth, DWORD account_flags)
108 {
109 	mlsvc_handle_t samr_handle;
110 	mlsvc_handle_t domain_handle;
111 	mlsvc_handle_t user_handle;
112 	union samr_user_info sui;
113 	struct samr_sid *sid;
114 	DWORD rid;
115 	DWORD status;
116 	int rc;
117 	char *user = smbrdr_ipc_get_user();
118 
119 	rc = samr_open(server, domain_name, user, SAM_CONNECT_CREATE_ACCOUNT,
120 	    &samr_handle);
121 
122 	if (rc != 0) {
123 		status = NT_STATUS_OPEN_FAILED;
124 		smb_tracef("SamCreateAccount[%s\\%s]: %s",
125 		    domain_name, account_name, xlate_nt_status(status));
126 		return (status);
127 	}
128 
129 	sid = sam_get_domain_sid(&samr_handle, server, domain_name);
130 
131 	status = samr_open_domain(&samr_handle,
132 	    SAM_DOMAIN_CREATE_ACCOUNT, sid, &domain_handle);
133 
134 	if (status == NT_STATUS_SUCCESS) {
135 		status = samr_create_user(&domain_handle, account_name,
136 		    account_flags, &rid, &user_handle);
137 
138 		if (status == NT_STATUS_SUCCESS) {
139 			(void) samr_query_user_info(&user_handle,
140 			    SAMR_QUERY_USER_UNKNOWN16, &sui);
141 
142 			(void) samr_get_user_pwinfo(&user_handle);
143 			(void) samr_set_user_info(&user_handle, auth);
144 			(void) samr_close_handle(&user_handle);
145 		} else if (status != NT_STATUS_USER_EXISTS) {
146 			smb_tracef("SamCreateAccount[%s]: %s",
147 			    account_name, xlate_nt_status(status));
148 		}
149 
150 		(void) samr_close_handle(&domain_handle);
151 	} else {
152 		smb_tracef("SamCreateAccount[%s]: open domain failed",
153 		    account_name);
154 		status = (NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
155 	}
156 
157 	(void) samr_close_handle(&samr_handle);
158 	free(sid);
159 	return (status);
160 }
161 
162 
163 /*
164  * sam_remove_trust_account
165  *
166  * Attempt to remove the workstation trust account for this system.
167  * Administrator access is required to perform this operation.
168  *
169  * Returns NT status codes.
170  */
171 DWORD
172 sam_remove_trust_account(char *server, char *domain)
173 {
174 	char account_name[SMB_SAMACCT_MAXLEN];
175 
176 	if (smb_getsamaccount(account_name, SMB_SAMACCT_MAXLEN) != 0)
177 		return (NT_STATUS_INTERNAL_ERROR);
178 
179 	return (sam_delete_account(server, domain, account_name));
180 }
181 
182 
183 /*
184  * sam_delete_account
185  *
186  * Attempt to remove an account from the SAM database on the specified
187  * server.
188  *
189  * Returns NT status codes.
190  */
191 DWORD
192 sam_delete_account(char *server, char *domain_name, char *account_name)
193 {
194 	mlsvc_handle_t samr_handle;
195 	mlsvc_handle_t domain_handle;
196 	mlsvc_handle_t user_handle;
197 	smb_account_t ainfo;
198 	struct samr_sid *sid;
199 	DWORD access_mask;
200 	DWORD status;
201 	int rc;
202 	char *user = smbrdr_ipc_get_user();
203 
204 	rc = samr_open(server, domain_name, user, SAM_LOOKUP_INFORMATION,
205 	    &samr_handle);
206 
207 	if (rc != 0)
208 		return (NT_STATUS_OPEN_FAILED);
209 
210 	sid = sam_get_domain_sid(&samr_handle, server, domain_name);
211 	status = samr_open_domain(&samr_handle, SAM_LOOKUP_INFORMATION, sid,
212 	    &domain_handle);
213 	free(sid);
214 	if (status != NT_STATUS_SUCCESS) {
215 		(void) samr_close_handle(&samr_handle);
216 		return (status);
217 	}
218 
219 	status = samr_lookup_domain_names(&domain_handle, account_name, &ainfo);
220 	if (status == NT_STATUS_SUCCESS) {
221 		access_mask = STANDARD_RIGHTS_EXECUTE | DELETE;
222 		status = samr_open_user(&domain_handle, access_mask,
223 		    ainfo.a_rid, &user_handle);
224 		if (status == NT_STATUS_SUCCESS) {
225 			if (samr_delete_user(&user_handle) != 0)
226 				(void) samr_close_handle(&user_handle);
227 		}
228 	}
229 
230 	(void) samr_close_handle(&domain_handle);
231 	(void) samr_close_handle(&samr_handle);
232 	return (status);
233 }
234 
235 /*
236  * sam_check_user
237  *
238  * Check to see if user have permission to access computer account.
239  * The user being checked is the specified user for joining the Solaris
240  * host to the domain.
241  */
242 DWORD
243 sam_check_user(char *server, char *domain_name, char *account_name)
244 {
245 	mlsvc_handle_t samr_handle;
246 	mlsvc_handle_t domain_handle;
247 	mlsvc_handle_t user_handle;
248 	smb_account_t ainfo;
249 	struct samr_sid *sid;
250 	DWORD access_mask;
251 	DWORD status;
252 	int rc;
253 	char *user = smbrdr_ipc_get_user();
254 
255 	rc = samr_open(server, domain_name, user, SAM_LOOKUP_INFORMATION,
256 	    &samr_handle);
257 
258 	if (rc != 0)
259 		return (NT_STATUS_OPEN_FAILED);
260 
261 	sid = sam_get_domain_sid(&samr_handle, server, domain_name);
262 	status = samr_open_domain(&samr_handle, SAM_LOOKUP_INFORMATION, sid,
263 	    &domain_handle);
264 	free(sid);
265 	if (status != NT_STATUS_SUCCESS) {
266 		(void) samr_close_handle(&samr_handle);
267 		return (status);
268 	}
269 
270 	status = samr_lookup_domain_names(&domain_handle, account_name, &ainfo);
271 	if (status == NT_STATUS_SUCCESS) {
272 		/*
273 		 * Win2000 client uses this access mask.  The
274 		 * following SAMR user specific rights bits are
275 		 * set: set password, set attributes, and get
276 		 * attributes.
277 		 */
278 
279 		access_mask = 0xb0;
280 		status = samr_open_user(&domain_handle,
281 		    access_mask, ainfo.a_rid, &user_handle);
282 		if (status == NT_STATUS_SUCCESS)
283 			(void) samr_close_handle(&user_handle);
284 	}
285 
286 	(void) samr_close_handle(&domain_handle);
287 	(void) samr_close_handle(&samr_handle);
288 	return (status);
289 }
290 
291 /*
292  * sam_lookup_name
293  *
294  * Lookup an account name in the SAM database on the specified domain
295  * controller. Provides the account RID on success.
296  *
297  * Returns NT status codes.
298  */
299 DWORD
300 sam_lookup_name(char *server, char *domain_name, char *account_name,
301     DWORD *rid_ret)
302 {
303 	mlsvc_handle_t samr_handle;
304 	mlsvc_handle_t domain_handle;
305 	smb_account_t ainfo;
306 	struct samr_sid *domain_sid;
307 	int rc;
308 	DWORD status;
309 	char *user = smbrdr_ipc_get_user();
310 
311 	*rid_ret = 0;
312 
313 	rc = samr_open(server, domain_name, user, SAM_LOOKUP_INFORMATION,
314 	    &samr_handle);
315 
316 	if (rc != 0)
317 		return (NT_STATUS_OPEN_FAILED);
318 
319 	domain_sid = (struct samr_sid *)samr_lookup_domain(&samr_handle,
320 	    domain_name);
321 	if (domain_sid == NULL) {
322 		(void) samr_close_handle(&samr_handle);
323 		return (NT_STATUS_NO_SUCH_DOMAIN);
324 	}
325 
326 	status = samr_open_domain(&samr_handle, SAM_LOOKUP_INFORMATION,
327 	    domain_sid, &domain_handle);
328 	if (status == NT_STATUS_SUCCESS) {
329 		status = samr_lookup_domain_names(&domain_handle,
330 		    account_name, &ainfo);
331 		if (status == NT_STATUS_SUCCESS)
332 			*rid_ret = ainfo.a_rid;
333 
334 		(void) samr_close_handle(&domain_handle);
335 	}
336 
337 	(void) samr_close_handle(&samr_handle);
338 	return (status);
339 }
340 
341 /*
342  * sam_get_local_domains
343  *
344  * Query a remote server to get the list of local domains that it
345  * supports.
346  *
347  * Returns NT status codes.
348  */
349 DWORD
350 sam_get_local_domains(char *server, char *domain_name)
351 {
352 	mlsvc_handle_t samr_handle;
353 	DWORD status;
354 	int rc;
355 	char *user = smbrdr_ipc_get_user();
356 
357 	rc = samr_open(server, domain_name, user, SAM_ENUM_LOCAL_DOMAIN,
358 	    &samr_handle);
359 	if (rc != 0)
360 		return (NT_STATUS_OPEN_FAILED);
361 
362 	status = samr_enum_local_domains(&samr_handle);
363 	(void) samr_close_handle(&samr_handle);
364 	return (status);
365 }
366 
367 /*
368  * sam_oem_password
369  *
370  * Generate an OEM password.
371  */
372 int
373 sam_oem_password(oem_password_t *oem_password, unsigned char *new_password,
374     unsigned char *old_password)
375 {
376 	mts_wchar_t *unicode_password;
377 	int length;
378 
379 #ifdef PBSHORTCUT
380 	assert(sizeof (oem_password_t) == SAM_PASSWORD_516);
381 #endif /* PBSHORTCUT */
382 
383 	length = strlen((char const *)new_password);
384 	unicode_password = alloca((length + 1) * sizeof (mts_wchar_t));
385 
386 	length = smb_auth_qnd_unicode((unsigned short *)unicode_password,
387 	    (char *)new_password, length);
388 	oem_password->length = length;
389 
390 	(void) memcpy(&oem_password->data[512 - length],
391 	    unicode_password, length);
392 
393 	rand_hash((unsigned char *)oem_password, sizeof (oem_password_t),
394 	    old_password, SAM_KEYLEN);
395 
396 	return (0);
397 }
398 
399 static struct samr_sid *
400 sam_get_domain_sid(mlsvc_handle_t *samr_handle, char *server, char *domain_name)
401 {
402 	struct samr_sid *sid;
403 
404 	if (ndr_rpc_server_os(samr_handle) == NATIVE_OS_WIN2000) {
405 		nt_domain_t *ntdp;
406 		lsa_info_t account_domain;
407 
408 		if ((ntdp = nt_domain_lookup_name(domain_name)) == 0) {
409 			if (lsa_query_account_domain_info(server,
410 			    domain_name, &account_domain) != NT_STATUS_SUCCESS)
411 				return (NULL);
412 
413 			sid = (struct samr_sid *)
414 			    account_domain.i_domain.di_account.n_sid;
415 		} else {
416 			sid = (struct samr_sid *)smb_sid_dup(ntdp->sid);
417 		}
418 	} else {
419 		sid = (struct samr_sid *)samr_lookup_domain(samr_handle,
420 		    domain_name);
421 	}
422 
423 	return (sid);
424 }
425