xref: /illumos-gate/usr/src/lib/smbsrv/libmlsvc/common/samlib.c (revision a2de976fd11ced5331ebe7c3a8ffbaf11f5427cf)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * This module provides the high level interface to the SAM RPC
28  * functions.
29  */
30 
31 #include <alloca.h>
32 
33 #include <smbsrv/libsmb.h>
34 #include <smbsrv/libmlsvc.h>
35 
36 #include <smbsrv/ntstatus.h>
37 #include <smbsrv/ntaccess.h>
38 #include <lsalib.h>
39 #include <samlib.h>
40 
41 /*
42  * Valid values for the OEM OWF password encryption.
43  */
44 #define	SAM_PASSWORD_516	516
45 #define	SAM_KEYLEN		16
46 
47 extern DWORD samr_set_user_info(mlsvc_handle_t *);
48 static struct samr_sid *sam_get_domain_sid(mlsvc_handle_t *, char *, char *);
49 
50 /*
51  * sam_create_trust_account
52  *
53  * Create a trust account for this system.
54  *
55  *	SAMR_AF_WORKSTATION_TRUST_ACCOUNT: servers and workstations.
56  *	SAMR_AF_SERVER_TRUST_ACCOUNT: domain controllers.
57  *
58  * Returns NT status codes.
59  */
60 DWORD
61 sam_create_trust_account(char *server, char *domain)
62 {
63 	char account_name[SMB_SAMACCT_MAXLEN];
64 	DWORD status;
65 
66 	if (smb_getsamaccount(account_name, SMB_SAMACCT_MAXLEN) != 0)
67 		return (NT_STATUS_INTERNAL_ERROR);
68 
69 	/*
70 	 * The trust account value here should match
71 	 * the value that will be used when the user
72 	 * information is set on this account.
73 	 */
74 	status = sam_create_account(server, domain, account_name,
75 	    SAMR_AF_WORKSTATION_TRUST_ACCOUNT);
76 
77 	/*
78 	 * Based on network traces, a Windows 2000 client will
79 	 * always try to create the computer account first.
80 	 * If it existed, then check the user permission to join
81 	 * the domain.
82 	 */
83 
84 	if (status == NT_STATUS_USER_EXISTS)
85 		status = sam_check_user(server, domain, account_name);
86 
87 	return (status);
88 }
89 
90 
91 /*
92  * sam_create_account
93  *
94  * Create the specified domain account in the SAM database on the
95  * domain controller.
96  *
97  * Account flags:
98  *		SAMR_AF_NORMAL_ACCOUNT
99  *		SAMR_AF_WORKSTATION_TRUST_ACCOUNT
100  *		SAMR_AF_SERVER_TRUST_ACCOUNT
101  *
102  * Returns NT status codes.
103  */
104 DWORD
105 sam_create_account(char *server, char *domain_name, char *account_name,
106     DWORD account_flags)
107 {
108 	mlsvc_handle_t samr_handle;
109 	mlsvc_handle_t domain_handle;
110 	mlsvc_handle_t user_handle;
111 	union samr_user_info sui;
112 	struct samr_sid *sid;
113 	DWORD rid;
114 	DWORD status;
115 	int rc;
116 	char user[SMB_USERNAME_MAXLEN];
117 
118 	smb_ipc_get_user(user, SMB_USERNAME_MAXLEN);
119 
120 	rc = samr_open(server, domain_name, user, SAM_CONNECT_CREATE_ACCOUNT,
121 	    &samr_handle);
122 
123 	if (rc != 0) {
124 		status = NT_STATUS_OPEN_FAILED;
125 		smb_tracef("SamCreateAccount[%s\\%s]: %s",
126 		    domain_name, account_name, xlate_nt_status(status));
127 		return (status);
128 	}
129 
130 	sid = sam_get_domain_sid(&samr_handle, server, domain_name);
131 
132 	status = samr_open_domain(&samr_handle,
133 	    SAM_DOMAIN_CREATE_ACCOUNT, sid, &domain_handle);
134 
135 	if (status == NT_STATUS_SUCCESS) {
136 		status = samr_create_user(&domain_handle, account_name,
137 		    account_flags, &rid, &user_handle);
138 
139 		if (status == NT_STATUS_SUCCESS) {
140 			(void) samr_query_user_info(&user_handle,
141 			    SAMR_QUERY_USER_UNKNOWN16, &sui);
142 
143 			(void) samr_get_user_pwinfo(&user_handle);
144 			(void) samr_set_user_info(&user_handle);
145 			(void) samr_close_handle(&user_handle);
146 		} else if (status != NT_STATUS_USER_EXISTS) {
147 			smb_tracef("SamCreateAccount[%s]: %s",
148 			    account_name, xlate_nt_status(status));
149 		}
150 
151 		(void) samr_close_handle(&domain_handle);
152 	} else {
153 		smb_tracef("SamCreateAccount[%s]: open domain failed",
154 		    account_name);
155 		status = (NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
156 	}
157 
158 	(void) samr_close_handle(&samr_handle);
159 	free(sid);
160 	return (status);
161 }
162 
163 
164 /*
165  * sam_remove_trust_account
166  *
167  * Attempt to remove the workstation trust account for this system.
168  * Administrator access is required to perform this operation.
169  *
170  * Returns NT status codes.
171  */
172 DWORD
173 sam_remove_trust_account(char *server, char *domain)
174 {
175 	char account_name[SMB_SAMACCT_MAXLEN];
176 
177 	if (smb_getsamaccount(account_name, SMB_SAMACCT_MAXLEN) != 0)
178 		return (NT_STATUS_INTERNAL_ERROR);
179 
180 	return (sam_delete_account(server, domain, account_name));
181 }
182 
183 
184 /*
185  * sam_delete_account
186  *
187  * Attempt to remove an account from the SAM database on the specified
188  * server.
189  *
190  * Returns NT status codes.
191  */
192 DWORD
193 sam_delete_account(char *server, char *domain_name, char *account_name)
194 {
195 	mlsvc_handle_t samr_handle;
196 	mlsvc_handle_t domain_handle;
197 	mlsvc_handle_t user_handle;
198 	smb_account_t ainfo;
199 	struct samr_sid *sid;
200 	DWORD access_mask;
201 	DWORD status;
202 	int rc;
203 	char user[SMB_USERNAME_MAXLEN];
204 
205 	smb_ipc_get_user(user, SMB_USERNAME_MAXLEN);
206 
207 	rc = samr_open(server, domain_name, user, SAM_LOOKUP_INFORMATION,
208 	    &samr_handle);
209 
210 	if (rc != 0)
211 		return (NT_STATUS_OPEN_FAILED);
212 
213 	sid = sam_get_domain_sid(&samr_handle, server, domain_name);
214 	status = samr_open_domain(&samr_handle, SAM_LOOKUP_INFORMATION, sid,
215 	    &domain_handle);
216 	free(sid);
217 	if (status != NT_STATUS_SUCCESS) {
218 		(void) samr_close_handle(&samr_handle);
219 		return (status);
220 	}
221 
222 	status = samr_lookup_domain_names(&domain_handle, account_name, &ainfo);
223 	if (status == NT_STATUS_SUCCESS) {
224 		access_mask = STANDARD_RIGHTS_EXECUTE | DELETE;
225 		status = samr_open_user(&domain_handle, access_mask,
226 		    ainfo.a_rid, &user_handle);
227 		if (status == NT_STATUS_SUCCESS) {
228 			if (samr_delete_user(&user_handle) != 0)
229 				(void) samr_close_handle(&user_handle);
230 		}
231 	}
232 
233 	(void) samr_close_handle(&domain_handle);
234 	(void) samr_close_handle(&samr_handle);
235 	return (status);
236 }
237 
238 /*
239  * sam_check_user
240  *
241  * Check to see if user have permission to access computer account.
242  * The user being checked is the specified user for joining the Solaris
243  * host to the domain.
244  */
245 DWORD
246 sam_check_user(char *server, char *domain_name, char *account_name)
247 {
248 	mlsvc_handle_t samr_handle;
249 	mlsvc_handle_t domain_handle;
250 	mlsvc_handle_t user_handle;
251 	smb_account_t ainfo;
252 	struct samr_sid *sid;
253 	DWORD access_mask;
254 	DWORD status;
255 	int rc;
256 	char user[SMB_USERNAME_MAXLEN];
257 
258 	smb_ipc_get_user(user, SMB_USERNAME_MAXLEN);
259 
260 	rc = samr_open(server, domain_name, user, SAM_LOOKUP_INFORMATION,
261 	    &samr_handle);
262 
263 	if (rc != 0)
264 		return (NT_STATUS_OPEN_FAILED);
265 
266 	sid = sam_get_domain_sid(&samr_handle, server, domain_name);
267 	status = samr_open_domain(&samr_handle, SAM_LOOKUP_INFORMATION, sid,
268 	    &domain_handle);
269 	free(sid);
270 	if (status != NT_STATUS_SUCCESS) {
271 		(void) samr_close_handle(&samr_handle);
272 		return (status);
273 	}
274 
275 	status = samr_lookup_domain_names(&domain_handle, account_name, &ainfo);
276 	if (status == NT_STATUS_SUCCESS) {
277 		/*
278 		 * Win2000 client uses this access mask.  The
279 		 * following SAMR user specific rights bits are
280 		 * set: set password, set attributes, and get
281 		 * attributes.
282 		 */
283 
284 		access_mask = 0xb0;
285 		status = samr_open_user(&domain_handle,
286 		    access_mask, ainfo.a_rid, &user_handle);
287 		if (status == NT_STATUS_SUCCESS)
288 			(void) samr_close_handle(&user_handle);
289 	}
290 
291 	(void) samr_close_handle(&domain_handle);
292 	(void) samr_close_handle(&samr_handle);
293 	return (status);
294 }
295 
296 /*
297  * sam_lookup_name
298  *
299  * Lookup an account name in the SAM database on the specified domain
300  * controller. Provides the account RID on success.
301  *
302  * Returns NT status codes.
303  */
304 DWORD
305 sam_lookup_name(char *server, char *domain_name, char *account_name,
306     DWORD *rid_ret)
307 {
308 	mlsvc_handle_t samr_handle;
309 	mlsvc_handle_t domain_handle;
310 	smb_account_t ainfo;
311 	struct samr_sid *domain_sid;
312 	int rc;
313 	DWORD status;
314 	char user[SMB_USERNAME_MAXLEN];
315 
316 	smb_ipc_get_user(user, SMB_USERNAME_MAXLEN);
317 
318 	*rid_ret = 0;
319 
320 	rc = samr_open(server, domain_name, user, SAM_LOOKUP_INFORMATION,
321 	    &samr_handle);
322 
323 	if (rc != 0)
324 		return (NT_STATUS_OPEN_FAILED);
325 
326 	domain_sid = (struct samr_sid *)samr_lookup_domain(&samr_handle,
327 	    domain_name);
328 	if (domain_sid == NULL) {
329 		(void) samr_close_handle(&samr_handle);
330 		return (NT_STATUS_NO_SUCH_DOMAIN);
331 	}
332 
333 	status = samr_open_domain(&samr_handle, SAM_LOOKUP_INFORMATION,
334 	    domain_sid, &domain_handle);
335 	if (status == NT_STATUS_SUCCESS) {
336 		status = samr_lookup_domain_names(&domain_handle,
337 		    account_name, &ainfo);
338 		if (status == NT_STATUS_SUCCESS)
339 			*rid_ret = ainfo.a_rid;
340 
341 		(void) samr_close_handle(&domain_handle);
342 	}
343 
344 	(void) samr_close_handle(&samr_handle);
345 	return (status);
346 }
347 
348 /*
349  * sam_get_local_domains
350  *
351  * Query a remote server to get the list of local domains that it
352  * supports.
353  *
354  * Returns NT status codes.
355  */
356 DWORD
357 sam_get_local_domains(char *server, char *domain_name)
358 {
359 	mlsvc_handle_t samr_handle;
360 	DWORD status;
361 	int rc;
362 	char user[SMB_USERNAME_MAXLEN];
363 
364 	smb_ipc_get_user(user, SMB_USERNAME_MAXLEN);
365 
366 	rc = samr_open(server, domain_name, user, SAM_ENUM_LOCAL_DOMAIN,
367 	    &samr_handle);
368 	if (rc != 0)
369 		return (NT_STATUS_OPEN_FAILED);
370 
371 	status = samr_enum_local_domains(&samr_handle);
372 	(void) samr_close_handle(&samr_handle);
373 	return (status);
374 }
375 
376 /*
377  * sam_oem_password
378  *
379  * Generate an OEM password.
380  */
381 int
382 sam_oem_password(oem_password_t *oem_password, unsigned char *new_password,
383     unsigned char *old_password)
384 {
385 	smb_wchar_t *unicode_password;
386 	int length;
387 
388 #ifdef PBSHORTCUT
389 	assert(sizeof (oem_password_t) == SAM_PASSWORD_516);
390 #endif /* PBSHORTCUT */
391 
392 	length = strlen((char const *)new_password);
393 	unicode_password = alloca((length + 1) * sizeof (smb_wchar_t));
394 
395 	length = smb_auth_qnd_unicode((unsigned short *)unicode_password,
396 	    (char *)new_password, length);
397 	oem_password->length = length;
398 
399 	(void) memcpy(&oem_password->data[512 - length],
400 	    unicode_password, length);
401 
402 	rand_hash((unsigned char *)oem_password, sizeof (oem_password_t),
403 	    old_password, SAM_KEYLEN);
404 
405 	return (0);
406 }
407 
408 static struct samr_sid *
409 sam_get_domain_sid(mlsvc_handle_t *samr_handle, char *server, char *domain_name)
410 {
411 	smb_sid_t *sid = NULL;
412 	smb_domainex_t domain;
413 
414 	if (ndr_rpc_server_os(samr_handle) == NATIVE_OS_WIN2000) {
415 		if (!smb_domain_getinfo(&domain)) {
416 			if (lsa_query_account_domain_info(server, domain_name,
417 			    &domain.d_primary) != NT_STATUS_SUCCESS)
418 				return (NULL);
419 		}
420 
421 		sid = smb_sid_fromstr(domain.d_primary.di_sid);
422 	} else {
423 		sid = samr_lookup_domain(samr_handle, domain_name);
424 	}
425 
426 	return ((struct samr_sid *)sid);
427 }
428