da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * CDDL HEADER START
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * The contents of this file are subject to the terms of the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Common Development and Distribution License (the "License").
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * You may not use this file except in compliance with the License.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * See the License for the specific language governing permissions
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * and limitations under the License.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * When distributing Covered Code, include this CDDL HEADER in each
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * If applicable, add the following below this CDDL HEADER, with the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * fields enclosed by brackets "[]" replaced with your own identifying
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * information: Portions Copyright [yyyy] [name of copyright owner]
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * CDDL HEADER END
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * This module provides the high level interface to the SAM RPC
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * functions.
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross/* little-endian values on little-endian */
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross#else /* (BYTE_ORDER == LITTLE_ENDIAN) */
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross/* little-endian values on big-endian (swap) */
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross#endif /* (BYTE_ORDER == LITTLE_ENDIAN) */
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Valid values for the OEM OWF password encryption.
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Rossstatic void samr_fill_userpw(struct samr_user_password *, const char *);
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * Todo: Implement "unjoin" domain, which would use the
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * sam_remove_trust_account code below.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * sam_remove_trust_account
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Attempt to remove the workstation trust account for this system.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Administrator access is required to perform this operation.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT status codes.
b89a8333f5e1f75ec0c269b22524bd2eccb972banatalie li - Sun Microsystems - Irvine United States char account_name[SMB_SAMACCT_MAXLEN];
b89a8333f5e1f75ec0c269b22524bd2eccb972banatalie li - Sun Microsystems - Irvine United States if (smb_getsamaccount(account_name, SMB_SAMACCT_MAXLEN) != 0)
b89a8333f5e1f75ec0c269b22524bd2eccb972banatalie li - Sun Microsystems - Irvine United States return (NT_STATUS_INTERNAL_ERROR);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw return (sam_delete_account(server, domain, account_name));
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * sam_delete_account
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Attempt to remove an account from the SAM database on the specified
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT status codes.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwsam_delete_account(char *server, char *domain_name, char *account_name)
55bf511df53aad0fdb7eb3fa349f0308cc05234cas rc = samr_open(server, domain_name, user, SAM_LOOKUP_INFORMATION,
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross sid = samr_lookup_domain(&samr_handle, domain_name);
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross status = samr_open_domain(&samr_handle, SAM_LOOKUP_INFORMATION,
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross status = samr_lookup_domain_names(&domain_handle, account_name, &ainfo);
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross status = samr_open_user(&domain_handle, access_mask,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * sam_lookup_name
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Lookup an account name in the SAM database on the specified domain
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * controller. Provides the account RID on success.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT status codes.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwsam_lookup_name(char *server, char *domain_name, char *account_name,
55bf511df53aad0fdb7eb3fa349f0308cc05234cas rc = samr_open(server, domain_name, user, SAM_LOOKUP_INFORMATION,
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego domain_sid = (struct samr_sid *)samr_lookup_domain(&samr_handle,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw status = samr_open_domain(&samr_handle, SAM_LOOKUP_INFORMATION,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * sam_get_local_domains
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Query a remote server to get the list of local domains that it
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * supports.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT status codes.
55bf511df53aad0fdb7eb3fa349f0308cc05234cas rc = samr_open(server, domain_name, user, SAM_ENUM_LOCAL_DOMAIN,
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * Set the account control flags on some account for which we
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * have already opened a SAM handle with appropriate rights,
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * passed in here as sam_handle, along with the new flags.
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross return (samr_set_user_info(user_handle, 16, &info));
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * Set the password on some account, for which we have already
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * opened a SAM handle with appropriate rights, passed in here
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * as sam_handle, along with the new password as cleartext.
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * This builds a struct SAMPR_USER_INTERNAL5_INFORMATION [MS-SAMR]
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * containing the new password, encrypted with our session key.
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross if (ndr_rpc_get_ssnkey(user_handle, ssn_key, SMBAUTH_HASH_SZ))
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross samr_make_encrypted_password(&info.encr_pw, new_pw_clear, ssn_key);
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross /* Rather not leave the session key around. */
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross return (samr_set_user_info(user_handle, 24, &info));
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * Change a password like NetUserChangePassword(),
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * but where we already know which AD server to use,
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * so we don't request the domain name or search for
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * an AD server for that domain here.
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * Create an RPC handle to this server, bound to SAMR.
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross status = ndr_rpc_bind(&handle, server, "", "", "SAMR");
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * Encrypt the new p/w (plus random filler) with the
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * old password, and send the old p/w encrypted with
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * the new p/w hash to prove we know the old p/w.
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * Details: [MS-SAMR 3.1.5.10.3]
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross (void) smb_auth_ntlm_hash(old_pw_clear, old_nt_hash);
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross (void) smb_auth_ntlm_hash(new_pw_clear, new_nt_hash);
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross samr_make_encrypted_password(&epw, new_pw_clear, old_nt_hash);
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross (void) smb_auth_DES(old_hash.data, SAMR_PWHASH_LEN,
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * Finally, ready to try the OtW call.
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross /* Avoid leaving cleartext (or equivalent) around. */
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross (void) memset(old_nt_hash, 0, sizeof (old_nt_hash));
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross (void) memset(new_nt_hash, 0, sizeof (new_nt_hash));
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * Build an encrypted password, as used by samr_set_user_info
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * and samr_change_password. Note: This builds the unencrypted
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * form in one union arm, and encrypts it in the other union arm.
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross (void) smb_auth_RC4(pwu.e.data, sizeof (pwu.e.data),
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross (void) memcpy(epw->data, pwu.e.data, sizeof (pwu.e.data));
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross (void) memset(pwu.e.data, 0, sizeof (pwu.e.data));
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * This fills in a samr_user_password (a.k.a. SAMPR_USER_PASSWORD
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * in the MS Net API) which has the new password "right justified"
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * in the buffer, and any space on the left filled with random junk
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * to improve the quality of the encryption that is subsequently
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * applied to this buffer before it goes over the wire.
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Rosssamr_fill_userpw(struct samr_user_password *upw, const char *new_pw)
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * First fill the whole buffer with the random junk.
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * (Slightly less random when debugging:)
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross (void) memset(upw->Buffer, '*', sizeof (upw->Buffer));
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross randomize((char *)upw->Buffer, sizeof (upw->Buffer));
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * Now overwrite the last pwlen characters of
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * that buffer with the password, and set the
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * length field so the receiving end knows where
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross * the junk ends and the real password starts.
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross pbuf = &upw->Buffer[SAMR_USER_PWLEN - pwlen_wchars];
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross (void) smb_mbstowcs(pbuf, new_pw, pwlen_wchars);
1ed6b69a5ca1ca3ee5e9a4931f74e2237c7e1c9fGordon Ross /* Yes, this is in Bytes, not wchars. */