mlsvc_lsa.c revision 6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2e
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
/*
* Local Security Authority RPC (LSARPC) server-side interface definition.
*/
#include <unistd.h>
#include <strings.h>
#include <pwd.h>
#include <grp.h>
#include <smbsrv/libmlrpc.h>
#include <smbsrv/libmlsvc.h>
#include <smbsrv/mlsvc_util.h>
#include <smbsrv/ntstatus.h>
#include <smbsrv/ntlocale.h>
struct local_group_table {
char *sid;
char *name;
};
static int lsarpc_key_domain;
static int lsarpc_key_account;
static int lsarpc_s_CreateSecret(void *, struct mlrpc_xaction *);
static int lsarpc_s_OpenSecret(void *, struct mlrpc_xaction *);
struct mlrpc_xaction *);
struct mlrpc_xaction *);
static int lsarpc_s_UpdateDomainTable(struct mlrpc_xaction *,
static int lsarpc_w2k_enable;
static mlrpc_stub_table_t lsarpc_stub_table[] = {
{0}
};
static mlrpc_service_t lsarpc_service = {
"LSARPC", /* name */
"Local Security Authority", /* desc */
"\\lsarpc", /* endpoint */
PIPE_LSASS, /* sec_addr_port */
"12345778-1234-abcd-ef000123456789ab", 0, /* abstract */
"8a885d04-1ceb-11c9-9fe808002b104860", 2, /* transfer */
0, /* no bind_instance_size */
NULL, /* no bind_req() */
NULL, /* no unbind_and_close() */
lsarpc_call_stub, /* call_stub() */
lsarpc_stub_table /* stub_table */
};
/*
* Windows 2000 interface.
*/
static mlrpc_service_t lsarpc_w2k_service = {
"LSARPC_W2K", /* name */
"Local Security Authority", /* desc */
"\\lsarpc", /* endpoint */
PIPE_LSASS, /* sec_addr_port */
"3919286a-b10c-11d0-9ba800c04fd92ef5", 0, /* abstract */
"8a885d04-1ceb-11c9-9fe808002b104860", 2, /* transfer */
0, /* no bind_instance_size */
NULL, /* no bind_req() */
NULL, /* no unbind_and_close() */
lsarpc_call_stub, /* call_stub() */
lsarpc_stub_table /* stub_table */
};
/*
* lsarpc_initialize
*
* This function registers the LSA RPC interface with the RPC runtime
* library. It must be called in order to use either the client side
* or the server side functions.
*/
void
lsarpc_initialize(void)
{
(void) mlrpc_register_service(&lsarpc_service);
if (lsarpc_w2k_enable)
(void) mlrpc_register_service(&lsarpc_w2k_service);
}
/*
* Custom call_stub to set the stream string policy.
*/
static int
{
return (mlrpc_generic_call_stub(mxa));
}
/*
* lsarpc_s_OpenDomainHandle opnum=0x06
*
* This is a request to open the LSA (OpenPolicy and OpenPolicy2).
* The client is looking for an LSA domain handle.
*/
static int
{
ndr_hdid_t *id;
} else {
}
return (MLRPC_DRC_OK);
}
/*
* lsarpc_s_CloseHandle opnum=0x00
*
* This is a request to close the LSA interface specified by the handle.
* We don't track handles (yet), so just zero out the handle and return
* MLRPC_DRC_OK. Setting the handle to zero appears to be standard
* behaviour and someone may rely on it, i.e. we do on the client side.
*/
static int
{
return (MLRPC_DRC_OK);
}
/*
* lsarpc_s_QuerySecurityObject
*/
/*ARGSUSED*/
static int
{
return (MLRPC_DRC_OK);
}
/*
* lsarpc_s_EnumAccounts
*
* Enumerate the list of local accounts SIDs. The client should supply
* a valid OpenPolicy2 handle. The enum_context is used to support
* multiple enumeration calls to obtain the complete list of SIDs.
* It should be set to 0 on the first call and passed unchanged on
* subsequent calls until there are no more accounts - the server will
* return NT_SC_WARNING(MLSVC_NO_MORE_DATA).
*
* For now just set the status to access-denied. Note that we still have
* to provide a valid address for enum_buf because it's a reference and
* the marshalling rules require that references must not be null.
* The enum_context is used to support multiple
*/
static int
{
struct mslsa_EnumAccountBuf *enum_buf;
return (MLRPC_DRC_OK);
}
return (MLRPC_DRC_OK);
}
/*
* lsarpc_s_EnumTrustedDomain
*
* This is the server side function for handling requests to enumerate
* the list of trusted domains: currently held in the NT domain database.
* This call requires an OpenPolicy2 handle. The enum_context is used to
* support multiple enumeration calls to obtain the complete list.
* It should be set to 0 on the first call and passed unchanged on
* subsequent calls until there are no more accounts - the server will
* return NT_SC_WARNING(MLSVC_NO_MORE_DATA).
*
* For now just set the status to access-denied. Note that we still have
* to provide a valid address for enum_buf because it's a reference and
* the marshalling rules require that references must not be null.
*/
static int
{
struct mslsa_EnumTrustedDomainBuf *enum_buf;
return (MLRPC_DRC_OK);
}
return (MLRPC_DRC_OK);
}
/*
* lsarpc_s_OpenAccount
*
* This is a request to open an account handle.
*/
static int
{
return (MLRPC_DRC_OK);
}
} else {
}
return (MLRPC_DRC_OK);
}
/*
* lsarpc_s_EnumPrivsAccount
*
* This is the server side function for handling requests for account
* privileges. For now just set the status to not-supported status and
* return MLRPC_DRC_OK. Note that we still have to provide a valid
* address for enum_buf because it's a reference and the marshalling
* rules require that references must not be null.
*/
/*ARGSUSED*/
static int
{
return (MLRPC_DRC_OK);
}
/*
* lsarpc_s_LookupPrivValue
*
* Server side function used to map a privilege name to a locally unique
* identifier (LUID).
*/
/*ARGSUSED*/
static int
{
return (MLRPC_DRC_OK);
}
return (MLRPC_DRC_OK);
}
/*
* lsarpc_s_LookupPrivName
*
* Server side function used to map a locally unique identifier (LUID)
* to the appropriate privilege name string.
*/
static int
{
int rc;
return (MLRPC_DRC_OK);
}
return (MLRPC_DRC_OK);
}
if (rc == 0) {
return (MLRPC_DRC_OK);
}
return (MLRPC_DRC_OK);
}
/*
* lsarpc_s_LookupPrivDisplayName
*
* This is the server side function for handling requests for account
* privileges. For now just set the status to not-supported status and
* return MLRPC_DRC_OK.
*/
static int
{
int rc;
return (MLRPC_DRC_OK);
}
return (MLRPC_DRC_OK);
}
if (rc == 0) {
return (MLRPC_DRC_OK);
}
return (MLRPC_DRC_OK);
}
static int
{
return (MLRPC_DRC_OK);
}
return (MLRPC_DRC_OK);
}
static int
{
return (MLRPC_DRC_OK);
}
return (MLRPC_DRC_OK);
}
/*
* lsarpc_s_GetConnectedUser
*
* This is still guesswork. Netmon doesn't know about this
* call and I'm not really sure what it is intended to achieve.
* Another packet capture application, Ethereal, calls this RPC as
* GetConnectedUser.
* We will receive our own hostname in the request and it appears
* we should respond with an account name and the domain name of connected
* user from the client that makes this call.
*/
static int
{
int rc1;
int rc2;
return (MLRPC_DRC_OK);
}
if (smb_getdomaininfo(0) == NULL) {
return (MLRPC_DRC_OK);
}
return (MLRPC_DRC_OK);
}
return (MLRPC_DRC_OK);
}
return (MLRPC_DRC_OK);
}
/*
* lsarpc_s_QueryInfoPolicy
*
* This is the server side function for handling LSA information policy
* queries. Currently, we only support primary domain and account
* domain queries. This is just a front end to switch on the request
* and hand it off to the appropriate function to actually deal with
* obtaining and building the response.
*/
static int
{
struct mslsa_PolicyInfo *info;
int security_mode;
mxa, sizeof (struct mslsa_PolicyInfo));
return (MLRPC_DRC_OK);
}
switch (param->info_class) {
break;
break;
break;
if (security_mode == SMB_SECMODE_DOMAIN)
else
break;
default:
return (MLRPC_DRC_OK);
}
if (status != NT_STATUS_SUCCESS)
else
return (MLRPC_DRC_OK);
}
/*
* lsarpc_s_PrimaryDomainInfo
*
* This is the service side function for handling primary domain policy
* queries. This will return the primary domain name and sid. This is
* currently a pass through interface so all we do is act as a proxy
* between the client and the DC. If there is no session, fake up the
* response with default values - useful for share mode.
*
* If the server name matches the local hostname, we should return
* the local domain SID.
*/
static DWORD
struct mlrpc_xaction *mxa)
{
char domain_name[MLSVC_DOMAIN_NAME_MAX];
int security_mode;
int rc;
if (security_mode != SMB_SECMODE_DOMAIN) {
} else {
sid = smb_getdomainsid();
}
return (NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
return (NT_STATUS_NO_MEMORY);
return (NT_STATUS_SUCCESS);
}
/*
* lsarpc_s_AccountDomainInfo
*
* This is the service side function for handling account domain policy
* queries. This is where we return our local domain information so that
* NT knows who to query for information on local names and SIDs. The
* domain name is the local hostname.
*/
static DWORD
struct mlrpc_xaction *mxa)
{
char domain_name[MLSVC_DOMAIN_NAME_MAX];
int rc;
return (NT_STATUS_NO_MEMORY);
return (NT_STATUS_NO_MEMORY);
return (NT_STATUS_NO_MEMORY);
return (NT_STATUS_SUCCESS);
}
/*
* lsarpc_s_LookupNames
*
* This is the service side function for handling name lookup requests.
* Currently, we only support lookups of a single name. This is also a
* pass through interface so all we do is act as a proxy between the
* client and the DC.
*/
static int
{
struct mslsa_rid_entry *rids;
smb_userinfo_t *user_info = 0;
struct mslsa_domain_table *domain_table;
struct mslsa_domain_entry *domain_entry;
char *account;
int rc = 0;
return (MLRPC_DRC_FAULT_PARAM_0_UNIMPLEMENTED);
goto name_lookup_failed;
}
if (status != NT_STATUS_SUCCESS)
goto name_lookup_failed;
/*
* Set up the rid table.
*/
rids[0].domain_index = 0;
/*
* Set up the domain table.
*/
goto name_lookup_failed;
}
return (MLRPC_DRC_OK);
return (MLRPC_DRC_OK);
}
/*
* lsarpc_s_LookupSids
*
* This is the service side function for handling sid lookup requests.
* We have to set up both the name table and the domain table in the
* response. For each SID, we check for UNIX domain (local lookup) or
* NT domain (DC lookup) and call the appropriate lookup function. This
* should resolve the SID to a name. Then we need to update the domain
* table and make the name entry point at the appropriate domain table
* entry.
*
* On success return 0. Otherwise return an RPC specific error code.
*/
static int
{
struct mslsa_domain_table *domain_table;
struct mslsa_domain_entry *domain_entry;
struct mslsa_name_entry *names;
struct mslsa_name_entry *name;
int result;
int i;
return (MLRPC_DRC_OK);
}
domain_table->n_entry = 0;
if (result != NT_STATUS_SUCCESS)
goto lookup_sid_failed;
goto lookup_sid_failed;
}
if (result == -1) {
goto lookup_sid_failed;
}
}
return (MLRPC_DRC_OK);
param->domain_table = 0;
param->mapped_count = 0;
return (MLRPC_DRC_OK);
}
/*
* lsarpc_s_UpdateDomainTable
*
* This routine is responsible for maintaining the domain table which
* will be returned from a SID lookup. Whenever a name is added to the
* name table, this function should be called with the corresponding
* domain name. If the domain information is not already in the table,
* it is added. On success return 0; Otherwise -1 is returned.
*/
static int
{
struct mslsa_domain_entry *dentry;
DWORD i;
/*
* These types don't need to reference an entry in the
* domain table. So return -1.
*/
return (0);
}
return (-1);
return (-1);
for (i = 0; i < n_entry; ++i) {
user_info->domain_sid)) {
*domain_idx = i;
return (0);
}
}
if (i == MLSVC_DOMAIN_MAX)
return (-1);
return (-1);
dentry[i].domain_sid =
return (-1);
++domain_table->n_entry;
*domain_idx = i;
return (0);
}
/*
* lsarpc_s_LookupSids2
*
* Other than the use of lsar_lookup_sids2 and lsar_name_entry2, this
* is identical to lsarpc_s_LookupSids.
*/
static int
{
struct lsar_name_entry2 *names;
struct lsar_name_entry2 *name;
struct mslsa_domain_table *domain_table;
struct mslsa_domain_entry *domain_entry;
int result;
int i;
return (MLRPC_DRC_OK);
}
domain_table->n_entry = 0;
if (result != NT_STATUS_SUCCESS)
goto lookup_sid_failed;
goto lookup_sid_failed;
}
if (result == -1) {
goto lookup_sid_failed;
}
}
return (MLRPC_DRC_OK);
param->domain_table = 0;
param->mapped_count = 0;
return (MLRPC_DRC_OK);
}
/*
* lsarpc_s_LookupNames2
*
* Other than the use of lsar_LookupNames2 and lsar_rid_entry2, this
* is identical to lsarpc_s_LookupNames.
*/
static int
{
struct lsar_rid_entry2 *rids;
smb_userinfo_t *user_info = 0;
struct mslsa_domain_table *domain_table;
struct mslsa_domain_entry *domain_entry;
char *account;
int rc = 0;
return (MLRPC_DRC_FAULT_PARAM_0_UNIMPLEMENTED);
if (rids == 0 || domain_table == 0 ||
domain_entry == 0 || user_info == 0) {
goto name_lookup2_failed;
}
if (status != NT_STATUS_SUCCESS)
goto name_lookup2_failed;
/*
* Set up the rid table.
*/
rids[0].domain_index = 0;
/*
* Set up the domain table.
*/
goto name_lookup2_failed;
}
return (MLRPC_DRC_OK);
return (MLRPC_DRC_OK);
}