lsar_lookup.c revision 29bd28862cfb8abbd3a0f0a4b17e08bbc3652836
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* Local Security Authority RPC (LSARPC) library interface functions for
* query, lookup and enumeration calls.
*/
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <smbsrv/ntaccess.h>
#include <smbsrv/ntstatus.h>
#include <smbsrv/ntlocale.h>
#include <smbsrv/libmlsvc.h>
#include <lsalib.h>
/*
* The maximum number of bytes we are prepared to deal with in a
* response.
*/
#define MLSVC_MAX_RESPONSE_LEN 1024
/*
* This structure is used when lookuping up names. We only lookup one
* name at a time but the structure will allow for more.
*/
typedef struct lookup_name_table {
static void lsar_set_trusted_domains_ex(struct mslsa_EnumTrustedDomainBufEx *,
static void lsar_set_trusted_domains(struct mslsa_EnumTrustedDomainBuf *,
/*
* lsar_query_security_desc
*
* Don't use this call yet. It is just a place holder for now.
*/
int
{
struct mslsa_QuerySecurityObject arg;
int rc;
int opnum;
return (rc);
}
/*
* lsar_query_info_policy
*
* The general purpose of this function is to allow various pieces of
* information to be queried on the domain controller. The only
* information queries supported are MSLSA_POLICY_PRIMARY_DOMAIN_INFO
* and MSLSA_POLICY_ACCOUNT_DOMAIN_INFO.
*
* On success, the return code will be 0 and the user_info structure
* will be set up. The sid_name_use field will be set to SidTypeDomain
* indicating that the domain name and domain sid fields are vaild. If
* the infoClass returned from the server is not one of the supported
* values, the sid_name_use willbe set to SidTypeUnknown. If the RPC
* fails, a negative error code will be returned, in which case the
* user_info will not have been updated.
*/
{
struct mslsa_QueryInfoPolicy arg;
struct mslsa_PrimaryDomainInfo *pd_info;
struct mslsa_AccountDomainInfo *ad_info;
struct mslsa_DnsDomainInfo *dns_info;
char sidstr[SMB_SID_STRSZ];
int opnum;
return (NT_STATUS_INVALID_PARAMETER);
} else {
switch (infoClass) {
break;
break;
guid_str);
break;
default:
break;
}
}
return (status);
}
/*
* lsar_lookup_names
*
* Lookup a name and obtain the domain and user rid. The RPC call will
* actually support lookup of multiple names but we probably don't
* need to do that. On the final system the lookup level should be
* level 2 but for now we want to restrict it to level 1 so that we
* don't crash the PDC when we get things wrong.
*
* If the lookup fails, the status will typically be
* NT_STATUS_NONE_MAPPED.
*/
{
struct mslsa_LookupNames arg;
struct mslsa_rid_entry *rid_entry;
struct mslsa_domain_entry *domain_entry;
char *domname;
int opnum;
char *p;
return (NT_STATUS_INVALID_PARAMETER);
/*
* Windows NT expects the name length to exclude the terminating
* wchar null but doesn't care whether the allosize includes or
* excludes the null char. Windows 2000 insists that both the
* length and the allosize include the wchar null.
*
* Note: NT returns an error if the mapped_count is non-zero
* when the RPC is called.
*/
/*
* Windows 2000 doesn't like an LSA lookup for
* DOMAIN\Administrator.
*/
++p;
if (strcasecmp(p, "administrator") == 0)
name = p;
}
} else {
}
return (NT_STATUS_INVALID_PARAMETER);
}
}
if (arg.mapped_count == 0) {
return (NT_STATUS_NONE_MAPPED);
}
if (rid_entry->domain_index != 0) {
return (NT_STATUS_NONE_MAPPED);
}
if (!smb_account_validate(info)) {
}
return (status);
}
/*
* lsar_lookup_sids
*
* Lookup a sid and obtain the domain sid and user name. The RPC call
* will actually support lookup of multiple sids but we probably don't
* need to do that. On the final system the lookup level should be
* level 2 but for now we want to restrict it to level 1 so that we
* don't crash the PDC when we get things wrong.
*/
{
struct mslsa_LookupSids arg;
struct mslsa_lup_sid_entry sid_entry;
struct mslsa_name_entry *name_entry;
struct mslsa_domain_entry *domain_entry;
char *name;
int opnum;
return (NT_STATUS_INVALID_PARAMETER);
return (NT_STATUS_INVALID_PARAMETER);
}
}
if (arg.mapped_count == 0) {
return (NT_STATUS_NONE_MAPPED);
}
if (name_entry->domain_ix != 0) {
return (NT_STATUS_NONE_MAPPED);
}
if (!smb_account_validate(account)) {
}
return (status);
}
/*
* lsar_enum_accounts
*
* Enumerate the list of accounts (i.e. SIDs). Use the handle returned
* from lsa_open_policy2. The enum_context is used to support multiple
* calls to this enumeration function. It should be set to 0 on the
* first call. It will be updated by the domain controller and should
* simply be passed unchanged to subsequent calls until there are no
* more accounts. A warning status of 0x1A indicates that no more data
* is available. The list of accounts will be returned in accounts.
* This list is dynamically allocated using malloc, it should be freed
* by the caller when it is no longer required.
*/
int
struct mslsa_EnumAccountBuf *accounts)
{
struct mslsa_EnumerateAccounts arg;
struct mslsa_AccountInfo *info;
int opnum;
int rc;
DWORD i;
int nbytes;
return (-1);
accounts->entries_read = 0;
if (rc == 0) {
} else {
rc = -1;
}
return (-1);
}
for (i = 0; i < n_entries; ++i)
}
}
return (rc);
}
/*
* lsar_enum_trusted_domains
*
* Enumerate the list of trusted domains. Use the handle returned from
* lsa_open_policy2. The enum_context is used to support multiple calls
* to this enumeration function. It should be set to 0 on the first
* call. It will be updated by the domain controller and should simply
* be passed unchanged to subsequent calls until there are no more
* domains.
*
* The trusted domains aren't actually returned here. They are added
* to the NT domain database. After all of the trusted domains have
* been discovered, the database can be interrogated to find all of
* the trusted domains.
*/
{
struct mslsa_EnumTrustedDomain arg;
int opnum;
return (NT_STATUS_INVALID_PARAMETER);
/*
* status 0x8000001A means NO_MORE_DATA,
* which is not an error.
*/
if (status != MLSVC_NO_MORE_DATA)
status = 0;
} else {
status = 0;
}
return (status);
}
{
struct mslsa_EnumTrustedDomainEx arg;
int opnum;
return (NT_STATUS_INVALID_PARAMETER);
/*
* status 0x8000001A means NO_MORE_DATA,
* which is not an error.
*/
if (status != MLSVC_NO_MORE_DATA)
status = 0;
} else {
status = 0;
}
return (status);
}
/*
* lsar_enum_privs_account
*
* Privileges enum? Need an account handle.
*/
/*ARGSUSED*/
int
{
struct mslsa_EnumPrivsAccount arg;
int opnum;
int rc;
sizeof (mslsa_handle_t));
rc = -1;
}
return (rc);
}
/*
* lsar_lookup_priv_value
*
* Map a privilege name to a local unique id (LUID). Privilege names
* are consistent across the network. LUIDs are machine specific.
* This function provides the means to map a privilege name to the
* LUID used by a remote server to represent it. The handle here is
* a policy handle.
*/
int
{
struct mslsa_LookupPrivValue arg;
int opnum;
int rc;
return (-1);
length += sizeof (mts_wchar_t);
if (rc == 0) {
rc = -1;
else
}
return (rc);
}
/*
* lsar_lookup_priv_name
*
* Map a local unique id (LUID) to a privilege name. Privilege names
* are consistent across the network. LUIDs are machine specific.
* This function the means to map the LUID used by a remote server to
* the appropriate privilege name. The handle here is a policy handle.
*/
int
{
struct mslsa_LookupPrivName arg;
int opnum;
int rc;
return (-1);
if (rc == 0) {
rc = -1;
else
namelen);
}
return (rc);
}
/*
* lsar_lookup_priv_display_name
*
* Map a privilege name to a privilege display name. The input handle
* should be an LSA policy handle and the name would normally be one
* of the privileges defined in smb_privilege.h
*
* There's something peculiar about the return status from NT servers,
* it's not always present. So for now, I'm ignoring the status in the
* RPC response.
*
* Returns NT status codes.
*/
char *display_name, int display_len)
{
struct mslsa_LookupPrivDisplayName arg;
int opnum;
return (NT_STATUS_INVALID_PARAMETER);
#if 0
#endif
else {
(void) strlcpy(display_name,
}
return (status);
}
/*
* lsar_lookup_sids2
*/
{
struct lsar_lookup_sids2 arg;
struct lsar_name_entry2 *name_entry;
struct mslsa_lup_sid_entry sid_entry;
struct mslsa_domain_entry *domain_entry;
char *name;
int opnum;
return (NT_STATUS_INVALID_PARAMETER);
return (NT_STATUS_REVISION_MISMATCH);
return (NT_STATUS_INVALID_PARAMETER);
}
}
if (arg.mapped_count == 0) {
return (NT_STATUS_NONE_MAPPED);
}
if (name_entry->domain_ix != 0) {
return (NT_STATUS_NONE_MAPPED);
}
if (!smb_account_validate(account)) {
}
return (status);
}
/*
* lsar_lookup_names2
*
* Windows NT expects the name length to exclude the terminating
* wchar null but Windows 2000 insists that both the length and
* the allosize include the wchar null. Windows NT doesn't care
* whether or not the allosize includes or excludes the null char.
*
* As a precaution, I set the lookup level to 1 on Windows 2000
* until I can do some more testing.
*
* Note that NT returns an error if the mapped_count is non-zero
* when the RPC is called.
*
* It should be okay to lookup DOMAIN\Administrator in this function.
*/
{
struct lsar_LookupNames2 arg;
struct lsar_rid_entry2 *rid_entry;
struct mslsa_domain_entry *domain_entry;
char *domname;
int opnum;
return (NT_STATUS_INVALID_PARAMETER);
return (NT_STATUS_REVISION_MISMATCH);
return (NT_STATUS_INVALID_PARAMETER);
}
}
if (arg.mapped_count == 0) {
return (NT_STATUS_NONE_MAPPED);
}
if (rid_entry->domain_index != 0) {
return (NT_STATUS_NONE_MAPPED);
}
if (!smb_account_validate(info)) {
}
return (status);
}
static void
{
char sidstr[SMB_SID_STRSZ];
int i;
return;
return;
&list->td_domains[i]);
}
}
static void
{
char sidstr[SMB_SID_STRSZ];
int i;
return;
return;
}
}