lsalib.c revision 55bf511df53aad0fdb7eb3fa349f0308cc05234c
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * CDDL HEADER START
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * The contents of this file are subject to the terms of the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Common Development and Distribution License (the "License").
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * You may not use this file except in compliance with the License.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * See the License for the specific language governing permissions
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * and limitations under the License.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * When distributing Covered Code, include this CDDL HEADER in each
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * If applicable, add the following below this CDDL HEADER, with the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * fields enclosed by brackets "[]" replaced with your own identifying
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * information: Portions Copyright [yyyy] [name of copyright owner]
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * CDDL HEADER END
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Use is subject to license terms.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#pragma ident "%Z%%M% %I% %E% SMI"
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * This module provides the high level interface to the LSA RPC functions.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_query_primary_domain_info
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Obtains the primary domain SID and name from the specified server
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * (domain controller). The information is stored in the NT domain
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * database by the lower level lsar_query_info_policy call. The caller
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * should query the database to obtain a reference to the primary
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * domain information.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT status codes.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_query_account_domain_info
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Obtains the account domain SID and name from the current server
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * (domain controller). The information is stored in the NT domain
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * database by the lower level lsar_query_info_policy call. The caller
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * should query the database to obtain a reference to the account
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * domain information.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT status codes.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_enum_trusted_domains
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Enumerate the trusted domains in our primary domain. The information
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * is stored in the NT domain database by the lower level
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsar_enum_trusted_domains call. The caller should query the database
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * to obtain a reference to the trusted domain information.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT status codes.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw status = lsar_enum_trusted_domains(&domain_handle, &enum_context);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * MLSVC_NO_MORE_DATA indicates that we
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * have all of the available information.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_test_lookup
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Test routine for lsa_lookup_name and lsa_lookup_sid.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw if (status == 0) {
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_lookup_builtin_name
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Look up account_name in the builtin account table. If it is
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * found, set the sid_name_use, domain_sid, domain_name and rid
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * fields of the passed user_info structure and return 0. If the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lookup fails, return 1.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwlsa_lookup_builtin_name(char *account_name, smb_userinfo_t *user_info)
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw user_info->domain_sid = nt_builtin_lookup_name(account_name,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw res = nt_sid_split(user_info->domain_sid, &user_info->rid);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (0);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_lookup_local_sam
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Look up the given account name in the local SAM database.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns 0 on success; if the lookup fails, returns 1.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw (void) nt_sid_split(user_info->domain_sid, &user_info->rid);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (0);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_lookup_local
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * If the given account name has a domain part, check whether it
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * matches the host name or any of the host's primary addresses.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * If a match is found, look the name up first in the builtin
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * accounts table and then in the local SAM table.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * If the account name does not have a domain part, do the local
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lookups first; if nothing is found, return 1. This means that the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * caller should do a domain lookup.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * If any error occurred, return -1; if the name is found, return 0.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (-1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw if (tmp != 0) {
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw /* do domain lookup */
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (0);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (-1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_lookup_name
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Lookup a name on the specified server (domain controller) and obtain
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * the appropriate SID. The information is returned in the user_info
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * structure. The caller is responsible for allocating and releasing
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * this structure. On success sid_name_use will be set to indicate the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * type of SID. If the name is the domain name, this function will be
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * identical to lsa_domain_info. Otherwise the rid and name fields will
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * also be valid. On failure sid_name_use will be set to SidTypeUnknown.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * On success 0 is returned. Otherwise a -ve error code.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwint lsa_lookup_name(char *server, char *domain, char *account_name,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (-1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw rc = lsar_lookup_names(&domain_handle, account_name, user_info);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_lookup_name2
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT status codes.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwDWORD lsa_lookup_name2(char *server, char *domain, char *account_name,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw status = lsar_lookup_names2(&domain_handle, account_name, user_info);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Not a Windows 2000 domain controller:
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * use the NT compatible call.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_lookup_sid
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Lookup a SID on the specified server (domain controller) and obtain
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * the appropriate name. The information is returned in the user_info
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * structure. The caller is responsible for allocating and releasing
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * this structure. On success sid_name_use will be set to indicate the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * type of SID. On failure sid_name_use will be set to SidTypeUnknown.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * On success 0 is returned. Otherwise a -ve error code.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (-1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_lookup_sid2
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT status codes.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwlsa_lookup_sid2(nt_sid_t *sid, smb_userinfo_t *user_info)
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Not a Windows 2000 domain controller:
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * use the NT compatible call.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw if (lsar_lookup_sids(&domain_handle, (struct mslsa_sid *)sid,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_test_lookup2
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Test routine for lsa_lookup_name2 and lsa_lookup_sid2.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw if (status == 0) {
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_lookup_privs
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Request the privileges associated with the specified account. In
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * order to get the privileges, we first have to lookup the name on
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * the specified domain controller and obtain the appropriate SID.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * The SID can then be used to open the account and obtain the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * account privileges. The results from both the name lookup and the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * privileges are returned in the user_info structure. The caller is
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * responsible for allocating and releasing this structure.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * On success 0 is returned. Otherwise a -ve error code.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw/*ARGSUSED*/
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwlsa_lookup_privs(char *server, char *account_name, char *target_name,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (-1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_list_privs
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * List the privileges supported by the specified server.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * This function is only intended for diagnostics.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT status codes.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw for (i = 0; i < 30; ++i) {
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw rc = lsar_lookup_priv_name(&domain_handle, &luid, name, 128);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw (void) lsar_lookup_priv_value(&domain_handle, name, &luid);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw (void) lsar_lookup_priv_display_name(&domain_handle, name,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_test
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * LSA test routine: open and close the LSA interface.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * TBD: the parameters should be server and domain.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * On success 0 is returned. Otherwise a -ve error code.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw/*ARGSUSED*/
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (-1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (-1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (0);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_list_accounts
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * This function can be used to list the accounts in the specified
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * domain. For now the SIDs are just listed in the system log.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * On success 0 is returned. Otherwise a -ve error code.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw if (name == 0) {
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (0);