lsalib.c revision 8d7e41661dc4633488e93b13363137523ce59977
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * CDDL HEADER START
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * The contents of this file are subject to the terms of the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Common Development and Distribution License (the "License").
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * You may not use this file except in compliance with the License.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * See the License for the specific language governing permissions
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * and limitations under the License.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * When distributing Covered Code, include this CDDL HEADER in each
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * If applicable, add the following below this CDDL HEADER, with the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * fields enclosed by brackets "[]" replaced with your own identifying
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * information: Portions Copyright [yyyy] [name of copyright owner]
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * CDDL HEADER END
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Use is subject to license terms.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * This module provides the high level interface to the LSA RPC functions.
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * Name Lookup modes
dc20a3024900c47dd2ee44b9707e6df38f7d62a5asstatic int lsa_lookup_mode(const char *, const char *);
dc20a3024900c47dd2ee44b9707e6df38f7d62a5asstatic uint32_t lsa_lookup_name_builtin(char *, smb_userinfo_t *);
dc20a3024900c47dd2ee44b9707e6df38f7d62a5asstatic uint32_t lsa_lookup_name_local(char *, char *, uint16_t,
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2easstatic uint32_t lsa_lookup_name_lusr(char *, smb_sid_t **);
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2easstatic uint32_t lsa_lookup_name_lgrp(char *, smb_sid_t **);
dc20a3024900c47dd2ee44b9707e6df38f7d62a5asstatic uint32_t lsa_lookup_name_domain(char *, char *, char *,
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2easstatic uint32_t lsa_lookup_sid_builtin(smb_sid_t *, smb_userinfo_t *);
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2easstatic uint32_t lsa_lookup_sid_local(smb_sid_t *, smb_userinfo_t *);
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2easstatic uint32_t lsa_lookup_sid_domain(smb_sid_t *, smb_userinfo_t *);
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * lsa_lookup_name
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * Lookup the given account and returns the account information
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * in 'ainfo'
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * If the name is a domain account, it may refer to a user, group or
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * alias. If it is a local account, its type should be specified
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * in the sid_type parameter. In case the account type is unknown
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * sid_type should be set to SidTypeUnknown.
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * account argument could be either [domain\\]name or [domain/]name.
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * If domain is not specified and service is in domain mode then it
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * first does a domain lookup and then a local lookup.
8d7e41661dc4633488e93b13363137523ce59977jose borregolsa_lookup_name(char *account, uint16_t sid_type,
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as /* domain is specified */
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as return (lsa_lookup_name_local(domain, name, sid_type, ainfo));
8d7e41661dc4633488e93b13363137523ce59977jose borrego return (lsa_lookup_name_domain(dinfo.d_dc, dinfo.d_nbdomain,
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as /* lookup the name in domain */
8d7e41661dc4633488e93b13363137523ce59977jose borrego status = lsa_lookup_name_domain(dinfo.d_dc, dinfo.d_nbdomain,
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as /* lookup the name locally */
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as status = lsa_lookup_name_local(domain, name, sid_type, ainfo);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_query_primary_domain_info
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Obtains the primary domain SID and name from the specified server
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * (domain controller). The information is stored in the NT domain
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * database by the lower level lsar_query_info_policy call. The caller
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * should query the database to obtain a reference to the primary
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * domain information.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * The requested information will be returned via 'info' argument.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Caller must call lsa_free_info() when done.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT status codes.
8d7e41661dc4633488e93b13363137523ce59977jose borregolsa_query_primary_domain_info(char *server, char *domain, lsa_info_t *info)
8d7e41661dc4633488e93b13363137523ce59977jose borrego if ((lsar_open(server, domain, user, &domain_handle)) != 0)
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_query_account_domain_info
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Obtains the account domain SID and name from the current server
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * (domain controller). The information is stored in the NT domain
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * database by the lower level lsar_query_info_policy call. The caller
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * should query the database to obtain a reference to the account
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * domain information.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * The requested information will be returned via 'info' argument.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Caller must invoke lsa_free_info() to when done.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT status codes.
8d7e41661dc4633488e93b13363137523ce59977jose borregolsa_query_account_domain_info(char *server, char *domain, lsa_info_t *info)
8d7e41661dc4633488e93b13363137523ce59977jose borrego if ((lsar_open(server, domain, user, &domain_handle)) != 0)
8d7e41661dc4633488e93b13363137523ce59977jose borrego * lsa_query_dns_domain_info
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Obtains the DNS domain info from the specified server
8d7e41661dc4633488e93b13363137523ce59977jose borrego * (domain controller).
8d7e41661dc4633488e93b13363137523ce59977jose borrego * The requested information will be returned via 'info' argument.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Caller must call lsa_free_info() when done.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Returns NT status codes.
8d7e41661dc4633488e93b13363137523ce59977jose borregolsa_query_dns_domain_info(char *server, char *domain, lsa_info_t *info)
8d7e41661dc4633488e93b13363137523ce59977jose borrego if ((lsar_open(server, domain, user, &domain_handle)) != 0)
8d7e41661dc4633488e93b13363137523ce59977jose borrego status = lsar_query_info_policy(&domain_handle,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_enum_trusted_domains
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Enumerate the trusted domains in our primary domain. The information
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * is stored in the NT domain database by the lower level
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsar_enum_trusted_domains call. The caller should query the database
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * to obtain a reference to the trusted domain information.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * The requested information will be returned via 'info' argument.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Caller must call lsa_free_info() when done.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT status codes.
8d7e41661dc4633488e93b13363137523ce59977jose borregolsa_enum_trusted_domains(char *server, char *domain, lsa_info_t *info)
8d7e41661dc4633488e93b13363137523ce59977jose borrego if ((lsar_open(server, domain, user, &domain_handle)) != 0)
8d7e41661dc4633488e93b13363137523ce59977jose borrego status = lsar_enum_trusted_domains(&domain_handle, &enum_context, info);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * MLSVC_NO_MORE_DATA indicates that we
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * have all of the available information.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * lsa_free_info
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * lsa_lookup_name_builtin
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lookup builtin account table to see if account_name is
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * there. If it is there, set sid_name_use, domain_sid,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * domain_name, and rid fields of the passed user_info
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * structure.
dc20a3024900c47dd2ee44b9707e6df38f7d62a5aslsa_lookup_name_builtin(char *account_name, smb_userinfo_t *user_info)
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2eas user_info->domain_sid = smb_sid_dup(user_info->user_sid);
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2eas res = smb_sid_split(user_info->domain_sid, &user_info->rid);
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * lsa_lookup_name_local
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * Obtains the infomation for the given local account name if it
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * can be found. The type of account is specified by sid_type,
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * which can be of user, group or unknown type. If the caller
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * doesn't know whether the name is a user or group name then
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * SidTypeUnknown should be passed, in which case this
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * function first tries to find a user and then a group match.
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * CAVEAT: if there are both a user and a group account with
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * the same name, user SID will always be returned.
dc20a3024900c47dd2ee44b9707e6df38f7d62a5aslsa_lookup_name_local(char *domain, char *name, uint16_t sid_type,
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * lsa_lookup_name_domain
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Lookup a name on the specified server (domain controller) and obtain
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * the appropriate SID. The information is returned in the user_info
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * structure. The caller is responsible for allocating and releasing
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * this structure. On success sid_name_use will be set to indicate the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * type of SID. If the name is the domain name, this function will be
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * identical to lsa_domain_info. Otherwise the rid and name fields will
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * also be valid. On failure sid_name_use will be set to SidTypeUnknown.
dc20a3024900c47dd2ee44b9707e6df38f7d62a5aslsa_lookup_name_domain(char *server, char *domain, char *account_name,
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as if (lsar_open(server, domain, user, &domain_handle) != 0)
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw status = lsar_lookup_names2(&domain_handle, account_name, user_info);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Not a Windows 2000 domain controller:
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * use the NT compatible call.
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * lsa_test_lookup
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * Test routine for lsa_lookup_name_domain and lsa_lookup_sid2.
8d7e41661dc4633488e93b13363137523ce59977jose borrego status = lsa_lookup_name_domain(di.d_dc, di.d_nbdomain, name,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw if (status == 0) {
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_lookup_privs
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Request the privileges associated with the specified account. In
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * order to get the privileges, we first have to lookup the name on
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * the specified domain controller and obtain the appropriate SID.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * The SID can then be used to open the account and obtain the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * account privileges. The results from both the name lookup and the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * privileges are returned in the user_info structure. The caller is
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * responsible for allocating and releasing this structure.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * On success 0 is returned. Otherwise a -ve error code.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw/*ARGSUSED*/
8d7e41661dc4633488e93b13363137523ce59977jose borregolsa_lookup_privs(char *account_name, char *target_name,
8d7e41661dc4633488e93b13363137523ce59977jose borrego return (-1);
8d7e41661dc4633488e93b13363137523ce59977jose borrego if ((lsar_open(dinfo.d_dc, dinfo.d_nbdomain, user,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (-1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_list_privs
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * List the privileges supported by the specified server.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * This function is only intended for diagnostics.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT status codes.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw for (i = 0; i < 30; ++i) {
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw rc = lsar_lookup_priv_name(&domain_handle, &luid, name, 128);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw (void) lsar_lookup_priv_value(&domain_handle, name, &luid);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw (void) lsar_lookup_priv_display_name(&domain_handle, name,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_test
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * LSA test routine: open and close the LSA interface.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * On success 0 is returned. Otherwise a -ve error code.
8d7e41661dc4633488e93b13363137523ce59977jose borrego rc = lsar_open(server, domain, user, &domain_handle);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (-1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (-1);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (0);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * lsa_list_accounts
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * This function can be used to list the accounts in the specified
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * domain. For now the SIDs are just listed in the system log.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * On success 0 is returned. Otherwise a -ve error code.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw if (name == 0) {
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (0);
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * lsa_lookup_name_lusr
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * Obtains the SID for the given local user name if it
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * can be found. Upon successful return the allocated memory
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * for the returned SID must be freed by the caller.
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * Note that in domain mode this function might actually return
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * a domain SID if local users are mapped to domain users.
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as if (smb_idmap_getsid(pw->pw_uid, SMB_IDMAP_USER, sid) != IDMAP_SUCCESS)
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * lsa_lookup_name_lgrp
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * Obtains the SID for the given local group name if it
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * can be found. Upon successful return the allocated memory
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * for the returned SID must be freed by the caller.
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * Note that in domain mode this function might actually return
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * a domain SID if local groups are mapped to domain groups.
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as if (smb_idmap_getsid(gr->gr_gid, SMB_IDMAP_GROUP, sid) != IDMAP_SUCCESS)
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2easlsa_lookup_sid_local(smb_sid_t *sid, smb_userinfo_t *ainfo)
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as if (smb_idmap_getid(sid, &id, &id_type) != IDMAP_SUCCESS)
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2easlsa_lookup_sid_builtin(smb_sid_t *sid, smb_userinfo_t *ainfo)
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2eas if ((name = smb_wka_lookup_sid(sid, &sid_name_use)) == NULL)
6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2easlsa_lookup_sid_domain(smb_sid_t *sid, smb_userinfo_t *ainfo)
8d7e41661dc4633488e93b13363137523ce59977jose borrego if (lsar_open(dinfo.d_dc, dinfo.d_nbdomain, user, &domain_handle) != 0)
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * Not a Windows 2000 domain controller:
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as * use the NT compatible call.