lsalib.c revision 89dc44ce9705974a8bc4a39f1e878a0491a5be61
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * CDDL HEADER START
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * The contents of this file are subject to the terms of the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Common Development and Distribution License (the "License").
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * You may not use this file except in compliance with the License.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * See the License for the specific language governing permissions
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * and limitations under the License.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * When distributing Covered Code, include this CDDL HEADER in each
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * If applicable, add the following below this CDDL HEADER, with the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * fields enclosed by brackets "[]" replaced with your own identifying
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * information: Portions Copyright [yyyy] [name of copyright owner]
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * CDDL HEADER END
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Use is subject to license terms.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * This module provides the high level interface to the LSA RPC functions.
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borregostatic uint32_t lsa_lookup_name_builtin(char *, char *, smb_userinfo_t *);
dc20a3024900c47dd2ee44b9707e6df38f7d62a5asstatic uint32_t lsa_lookup_name_local(char *, char *, uint16_t,
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borregostatic uint32_t lsa_lookup_name_domain(char *, smb_userinfo_t *);
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2easstatic uint32_t lsa_lookup_name_lusr(char *, smb_sid_t **);
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2easstatic uint32_t lsa_lookup_name_lgrp(char *, smb_sid_t **);
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2easstatic uint32_t lsa_lookup_sid_builtin(smb_sid_t *, smb_userinfo_t *);
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2easstatic uint32_t lsa_lookup_sid_local(smb_sid_t *, smb_userinfo_t *);
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2easstatic uint32_t lsa_lookup_sid_domain(smb_sid_t *, smb_userinfo_t *);
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * Looks up the given account and returns the account information
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * in the passed smb_userinfo_t structure.
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * The lookup is performed in the following order:
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * well known accounts
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * local accounts
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * domain accounts
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * If it's established that the given account is well known or local
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * but the lookup fails for some reason, the next step(s) won't be
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * performed.
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * If the name is a domain account, it may refer to a user, group or
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * alias. If it is a local account, its type should be specified
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * in the sid_type parameter. In case the account type is unknown
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * sid_type should be set to SidTypeUnknown.
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * account argument could be either [domain\]name or [domain/]name.
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * Return status:
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * NT_STATUS_SUCCESS Account is successfully translated
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * NT_STATUS_NONE_MAPPED Couldn't translate the account
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borregolsa_lookup_name(char *account, uint16_t sid_type, smb_userinfo_t *info)
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego /* \john -> john */
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego (void) strlcpy(dombuf, account, sizeof (dombuf));
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego (void) strlcpy(nambuf, slash + 1, sizeof (nambuf));
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego status = lsa_lookup_name_builtin(domain, name, info);
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego status = lsa_lookup_name_local(domain, name, sid_type, info);
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego if ((domain == NULL) || (status == NT_STATUS_NOT_FOUND))
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego status = lsa_lookup_name_domain(account, info);
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego return ((status == NT_STATUS_SUCCESS) ? status : NT_STATUS_NONE_MAPPED);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_query_primary_domain_info
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Obtains the primary domain SID and name from the specified server
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * (domain controller). The information is stored in the NT domain
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * database by the lower level lsar_query_info_policy call. The caller
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * should query the database to obtain a reference to the primary
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * domain information.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * The requested information will be returned via 'info' argument.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Caller must call lsa_free_info() when done.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT status codes.
8d7e41661dc4633488e93b13363137523ce59977jose borregolsa_query_primary_domain_info(char *server, char *domain, lsa_info_t *info)
8d7e41661dc4633488e93b13363137523ce59977jose borrego if ((lsar_open(server, domain, user, &domain_handle)) != 0)
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_query_account_domain_info
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Obtains the account domain SID and name from the current server
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * (domain controller). The information is stored in the NT domain
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * database by the lower level lsar_query_info_policy call. The caller
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * should query the database to obtain a reference to the account
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * domain information.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * The requested information will be returned via 'info' argument.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Caller must invoke lsa_free_info() when done.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT status codes.
8d7e41661dc4633488e93b13363137523ce59977jose borregolsa_query_account_domain_info(char *server, char *domain, lsa_info_t *info)
8d7e41661dc4633488e93b13363137523ce59977jose borrego if ((lsar_open(server, domain, user, &domain_handle)) != 0)
8d7e41661dc4633488e93b13363137523ce59977jose borrego * lsa_query_dns_domain_info
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Obtains the DNS domain info from the specified server
8d7e41661dc4633488e93b13363137523ce59977jose borrego * (domain controller).
8d7e41661dc4633488e93b13363137523ce59977jose borrego * The requested information will be returned via 'info' argument.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Caller must call lsa_free_info() when done.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Returns NT status codes.
8d7e41661dc4633488e93b13363137523ce59977jose borregolsa_query_dns_domain_info(char *server, char *domain, lsa_info_t *info)
8d7e41661dc4633488e93b13363137523ce59977jose borrego if ((lsar_open(server, domain, user, &domain_handle)) != 0)
8d7e41661dc4633488e93b13363137523ce59977jose borrego status = lsar_query_info_policy(&domain_handle,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_enum_trusted_domains
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Enumerate the trusted domains in our primary domain. The information
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * is stored in the NT domain database by the lower level
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsar_enum_trusted_domains call. The caller should query the database
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * to obtain a reference to the trusted domain information.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * The requested information will be returned via 'info' argument.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Caller must call lsa_free_info() when done.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT status codes.
8d7e41661dc4633488e93b13363137523ce59977jose borregolsa_enum_trusted_domains(char *server, char *domain, lsa_info_t *info)
8d7e41661dc4633488e93b13363137523ce59977jose borrego if ((lsar_open(server, domain, user, &domain_handle)) != 0)
8d7e41661dc4633488e93b13363137523ce59977jose borrego status = lsar_enum_trusted_domains(&domain_handle, &enum_context, info);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * MLSVC_NO_MORE_DATA indicates that we
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * have all of the available information.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * lsa_free_info
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * Lookup well known accounts table
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * Return status:
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * NT_STATUS_SUCCESS Account is translated successfully
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * NT_STATUS_NOT_FOUND This is not a well known account
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * NT_STATUS_NONE_MAPPED Account is found but domains don't match
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * NT_STATUS_NO_MEMORY Memory shortage
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * NT_STATUS_INTERNAL_ERROR Internal error/unexpected failure
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borregolsa_lookup_name_builtin(char *domain, char *name, smb_userinfo_t *info)
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego if ((wkadom = smb_wka_get_domain(wka->wka_domidx)) == NULL)
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego if ((domain != NULL) && (utf8_strcasecmp(domain, wkadom) != 0))
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego info->domain_sid = smb_sid_dup(wka->wka_binsid);
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego if ((info->user_sid == NULL) || (info->domain_sid == NULL) ||
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego if (smb_sid_split(info->domain_sid, &info->rid) < 0)
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * Obtains the information for the given local account name if it
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * can be found. The type of account is specified by sid_type,
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * which can be of user, group or unknown type. If the caller
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * doesn't know whether the name is a user or group name then
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * SidTypeUnknown should be passed, in which case this
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * function first tries to find a user and then a group match.
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * Return status:
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * NT_STATUS_NOT_FOUND This is not a local account
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * NT_STATUS_NONE_MAPPED It's a local account but cannot be
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * translated.
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * other error status codes.
dc20a3024900c47dd2ee44b9707e6df38f7d62a5aslsa_lookup_name_local(char *domain, char *name, uint16_t sid_type,
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego (void) smb_getnetbiosname(hostname, sizeof (hostname));
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego /* Only Netbios hostname is accepted */
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego if ((info->domain_name = strdup(hostname)) == NULL)
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego (void) smb_sid_split(info->domain_sid, &info->rid);
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * Lookup the given account in domain.
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * The information is returned in the user_info structure.
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * The caller is responsible for allocating and releasing
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * this structure.
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borregolsa_lookup_name_domain(char *account_name, smb_userinfo_t *user_info)
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego if (lsar_open(dinfo.d_dc, dinfo.d_nbdomain, user, &domain_handle) != 0)
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw status = lsar_lookup_names2(&domain_handle, account_name, user_info);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Not a Windows 2000 domain controller:
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * use the NT compatible call.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_lookup_privs
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Request the privileges associated with the specified account. In
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * order to get the privileges, we first have to lookup the name on
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * the specified domain controller and obtain the appropriate SID.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * The SID can then be used to open the account and obtain the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * account privileges. The results from both the name lookup and the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * privileges are returned in the user_info structure. The caller is
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * responsible for allocating and releasing this structure.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * On success 0 is returned. Otherwise a -ve error code.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw/*ARGSUSED*/
8d7e41661dc4633488e93b13363137523ce59977jose borregolsa_lookup_privs(char *account_name, char *target_name,
8d7e41661dc4633488e93b13363137523ce59977jose borrego return (-1);
8d7e41661dc4633488e93b13363137523ce59977jose borrego if ((lsar_open(dinfo.d_dc, dinfo.d_nbdomain, user,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (-1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_list_privs
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * List the privileges supported by the specified server.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * This function is only intended for diagnostics.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT status codes.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw for (i = 0; i < 30; ++i) {
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw rc = lsar_lookup_priv_name(&domain_handle, &luid, name, 128);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw (void) lsar_lookup_priv_value(&domain_handle, name, &luid);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw (void) lsar_lookup_priv_display_name(&domain_handle, name,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_test
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * LSA test routine: open and close the LSA interface.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * On success 0 is returned. Otherwise a -ve error code.
8d7e41661dc4633488e93b13363137523ce59977jose borrego rc = lsar_open(server, domain, user, &domain_handle);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (-1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (-1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (0);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_list_accounts
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * This function can be used to list the accounts in the specified
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * domain. For now the SIDs are just listed in the system log.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * On success 0 is returned. Otherwise a -ve error code.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw if (name == 0) {
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (0);
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * Lookup local SMB user account database (/var/smb/smbpasswd)
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * if there's a match query its SID from idmap service and make
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * sure the SID is a local SID.
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * The memory for the returned SID must be freed by the caller.
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego if (smb_idmap_getsid(smbpw.pw_uid, SMB_IDMAP_USER, sid)
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * Lookup local SMB group account database (/var/smb/smbgroup.db)
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego * The memory for the returned SID must be freed by the caller.
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego if (smb_lgrp_getbyname(name, &grp) != SMB_LGRP_SUCCESS)
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego return ((*sid == NULL) ? NT_STATUS_NO_MEMORY : NT_STATUS_SUCCESS);
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2easlsa_lookup_sid_local(smb_sid_t *sid, smb_userinfo_t *ainfo)
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as if (smb_idmap_getid(sid, &id, &id_type) != IDMAP_SUCCESS)
89dc44ce9705974a8bc4a39f1e878a0491a5be61jose borrego rc = smb_lgrp_getbyrid(rid, SMB_LGRP_LOCAL, &grp);
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2easlsa_lookup_sid_builtin(smb_sid_t *sid, smb_userinfo_t *ainfo)
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2eas if ((name = smb_wka_lookup_sid(sid, &sid_name_use)) == NULL)
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2easlsa_lookup_sid_domain(smb_sid_t *sid, smb_userinfo_t *ainfo)
8d7e41661dc4633488e93b13363137523ce59977jose borrego if (lsar_open(dinfo.d_dc, dinfo.d_nbdomain, user, &domain_handle) != 0)
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * Not a Windows 2000 domain controller:
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * use the NT compatible call.