archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/ds/adsi/router/sec2var.cxx

1558 lines
40 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. //+---------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1992 - 1995.
  5. //
  6. // File: libmain.cxx
  7. //
  8. // Contents: LibMain for nds.dll
  9. //
  10. // Functions: LibMain, DllGetClassObject
  11. //
  12. // History: 25-Oct-94 KrishnaG Created.
  13. //
  14. //----------------------------------------------------------------------------
  15. #include "oleds.hxx"
  16. #pragma hdrstop
  19. #define GetAce ADSIGetAce
  21. #define DeleteAce ADSIDeleteAce
  23. #define GetAclInformation ADSIGetAclInformation
  25. #define SetAclInformation ADSISetAclInformation
  27. #define IsValidAcl ADSIIsValidAcl
  29. #define InitializeAcl ADSIInitializeAcl
  32. extern HRESULT
  33. ConvertSidToString(
  34. PSID pSid,
  35. LPWSTR String
  36. );
  38. DWORD
  39. GetDomainDNSNameForDomain(
  40. LPWSTR pszDomainFlatName,
  41. BOOL fVerify,
  42. BOOL fWriteable,
  43. LPWSTR pszServerName,
  44. LPWSTR pszDomainDNSName
  45. );
  47. //
  48. // Helper routine.
  49. //
  50. PSID
  51. ComputeSidFromAceAddress(
  52. LPBYTE pAce
  53. );
  55. //+---------------------------------------------------------------------------
  56. // Function: GetLsaPolicyHandle - helper routine.
  57. //
  58. // Synopsis: Returns the lsa policy handle to the server in question.
  59. // If a serverName is present we will first try that. If no servername
  60. // is present we will try and connect up to the default server for the
  61. // currently logged on user. If everything else fails, we will
  62. // connnect to the local machine (NULL server).
  63. //
  64. // Arguments: pszServerName - Name of targtet server/domain or NULL.
  65. // Credentials - Credentials to use for the connection.
  66. // Currently this is not used.
  67. // phLsaPolicy - Return ptr for lsa policy handle.
  68. //
  69. // Returns: S_OK or any valid error code.
  70. //
  71. // Modifies: phLsaPolicy.
  72. //
  73. //----------------------------------------------------------------------------
  74. HRESULT
  75. GetLsaPolicyHandle(
  76. LPWSTR pszServerName,
  77. CCredentials &Credentials,
  78. PLSA_HANDLE phLsaPolicy
  79. )
  80. {
  81. HRESULT hr = S_OK;
  82. DWORD dwStatus = NO_ERROR;
  83. NTSTATUS ntStatus = STATUS_SUCCESS;
  84. DWORD dwErr;
  85. DWORD dwLen = 0;
  86. LPWSTR pszServer = NULL;
  87. BOOL fNullServer = FALSE;
  88. LSA_OBJECT_ATTRIBUTES lsaObjectAttributes;
  89. LSA_UNICODE_STRING lsaSystemName;
  90. WCHAR szDomainName[MAX_PATH];
  91. WCHAR szServerName[MAX_PATH];
  93. memset(&lsaObjectAttributes, 0, sizeof(LSA_OBJECT_ATTRIBUTES));
  95. //
  96. // First most common case of serverless paths.
  97. //
  98. if (!pszServerName) {
  99. dwStatus = GetDomainDNSNameForDomain(
  100. NULL,
  101. FALSE, // do not force verify
  102. FALSE, // does not need to be writable
  103. szServerName,
  104. szDomainName
  105. );
  107. //
  108. // If we succeeded we will use the name returned,
  109. // otherwise we will go with NULL.
  110. //
  111. if (dwStatus == NO_ERROR) {
  112. pszServer = szServerName;
  113. }
  114. else {
  115. fNullServer = TRUE;
  116. }
  117. }
  118. else {
  119. pszServer = pszServerName;
  120. }
  122. if (pszServer) {
  123. dwLen = wcslen(pszServer);
  124. }
  126. lsaSystemName.Buffer = pszServer;
  127. lsaSystemName.Length = dwLen * sizeof(WCHAR);
  128. lsaSystemName.MaximumLength = lsaSystemName.Length;
  130. //
  131. // First attempt at opening policy handle.
  132. //
  133. ntStatus = LsaOpenPolicy(
  134. &lsaSystemName,
  135. &lsaObjectAttributes,
  136. POLICY_LOOKUP_NAMES,
  137. phLsaPolicy
  138. );
  140. if (ntStatus != STATUS_SUCCESS) {
  141. //
  142. // Irrespective of failure should retry if we have not already
  143. // tried with a NULL serverName.
  144. //
  145. if (!fNullServer) {
  146. fNullServer = TRUE;
  148. lsaSystemName.Buffer = NULL;
  149. lsaSystemName.Length = 0;
  150. lsaSystemName.MaximumLength = 0;
  151. ntStatus = LsaOpenPolicy(
  152. &lsaSystemName,
  153. &lsaObjectAttributes,
  154. POLICY_LOOKUP_NAMES,
  155. phLsaPolicy
  156. );
  157. }
  159. hr = HRESULT_FROM_WIN32(
  160. LsaNtStatusToWinError(ntStatus)
  161. );
  162. BAIL_ON_FAILURE(hr);
  163. }
  165. error:
  167. RRETURN(hr);
  168. }
  170. //+---------------------------------------------------------------------------
  171. // Function: GetNamesFromSids - helper routine.
  172. //
  173. // Synopsis: Simple helper routine that calls LsaLookupSids and if the
  174. // the error returned is ERROR_SOME_NOT_MAPPED, then the hr is
  175. // set S_OK.
  176. //
  177. // Arguments: hLsaPolicy - LSA_HANDLE to do the lookup on.
  178. // pSidArray - Array of sid's top lookup.
  179. // dwSidCount - Number of sids to translate.
  180. // ppLsaRefDomList - Ret value for domain list.
  181. // ppLsaNames - Ret value for name list.
  182. //
  183. // Returns: S_OK or any valid error code.
  184. //
  185. // Modifies: n/a.
  186. //
  187. //----------------------------------------------------------------------------
  188. HRESULT
  189. GetNamesFromSids(
  190. LSA_HANDLE hLsaPolicy,
  191. PSID *pSidArray,
  192. DWORD dwSidCount,
  193. PLSA_REFERENCED_DOMAIN_LIST *ppLsaRefDomList,
  194. PLSA_TRANSLATED_NAME *ppLsaNames
  195. )
  196. {
  197. HRESULT hr = S_OK;
  198. NTSTATUS ntStatus;
  200. ntStatus = LsaLookupSids(
  201. hLsaPolicy,
  202. dwSidCount,
  203. pSidArray,
  204. ppLsaRefDomList,
  205. ppLsaNames
  206. );
  208. // even if the above call fails, we don't want to bail out since even if all the name resolving fails
  209. // we still want to try to use the stringlized sid
  211. RRETURN(hr);
  212. }
  214. //+---------------------------------------------------------------------------
  215. // Function: GetNamesForSidFromArray - helper routine.
  216. //
  217. // Synopsis: Given the position of the ace and the retrun value from
  218. // LsaLookupSids, constructs the actual name of the trustee.
  219. //
  220. // Arguments: dwAceNumber - Position of the ace in the array.
  221. // pLsaRefDoms - List of reference domains.
  222. // pLsaNames - List of LSA names.
  223. // ppszFriendlyName - Return string pointer.
  224. //
  225. // Returns: S_OK or any valid error code.
  226. //
  227. // Modifies: n/a.
  228. //
  229. //----------------------------------------------------------------------------
  230. HRESULT
  231. GetNameForSidFromArray(
  232. DWORD dwAceNumber,
  233. LSA_REFERENCED_DOMAIN_LIST *pLsaRefDoms,
  234. LSA_TRANSLATED_NAME *pLsaNames,
  235. LPWSTR * ppszFriendlyName
  236. )
  237. {
  238. HRESULT hr = S_OK;
  239. DWORD dwLengthDomain;
  240. DWORD dwLengthName = 0;
  241. BOOL fDomainInvalid = FALSE;
  242. BOOL fNameInvalid = FALSE;
  243. LPWSTR pszName = NULL;
  245. *ppszFriendlyName = NULL;
  247. if (!pLsaNames) {
  248. RRETURN(hr = E_FAIL);
  249. }
  251. switch (pLsaNames[dwAceNumber].Use) {
  253. case SidTypeDomain:
  254. fNameInvalid = TRUE;
  255. break;
  257. case SidTypeInvalid:
  258. fNameInvalid = TRUE;
  259. fDomainInvalid = TRUE;
  260. break;
  262. case SidTypeUnknown:
  263. fNameInvalid = TRUE;
  264. fDomainInvalid = TRUE;
  265. break;
  267. case SidTypeWellKnownGroup:
  268. if (pLsaNames[dwAceNumber].DomainIndex < 0 ) {
  269. fDomainInvalid = TRUE;
  270. }
  271. break;
  273. default:
  274. //
  275. // Name and domain are valid.
  276. //
  277. fDomainInvalid = FALSE;
  278. fNameInvalid = FALSE;
  279. }
  281. if (!fNameInvalid) {
  282. dwLengthName = ((pLsaNames[dwAceNumber]).Name).Length + sizeof(WCHAR);
  283. }
  285. //
  286. // Process domain if valid.
  287. //
  288. if (!fDomainInvalid) {
  289. DWORD domainIndex = pLsaNames[dwAceNumber].DomainIndex;
  290. LSA_UNICODE_STRING lsaString;
  291. //
  292. // Need to make sure that the index is valid.
  293. //
  294. if (domainIndex > pLsaRefDoms->Entries) {
  295. BAIL_ON_FAILURE(hr = E_FAIL);
  296. }
  298. lsaString = ((pLsaRefDoms->Domains)[domainIndex]).Name;
  300. //
  301. // Add sizeof(WCHAR) for the trailing \0.
  302. //
  303. dwLengthDomain = lsaString.Length + sizeof(WCHAR);
  305. if (lsaString.Length > 0) {
  306. pszName = (LPWSTR) AllocADsMem( dwLengthDomain + dwLengthName);
  308. if (!pszName) {
  309. BAIL_ON_FAILURE(hr = E_OUTOFMEMORY);
  310. }
  312. memcpy(
  313. pszName,
  314. lsaString.Buffer,
  315. lsaString.Length
  316. );
  319. }
  321. }
  323. if (!fNameInvalid) {
  324. LSA_UNICODE_STRING lsaNameString = (pLsaNames[dwAceNumber]).Name;
  325. //
  326. // Length of pszName is zero if the group name is Everyone but
  327. // there is still a domain name component.
  328. //
  329. if (!fDomainInvalid
  330. && pszName
  331. && wcslen(pszName)
  332. ) {
  333. wcscat(pszName, L"\\");
  334. } else {
  335. pszName = (LPWSTR) AllocADsMem(dwLengthName);
  336. if (!pszName) {
  337. BAIL_ON_FAILURE (hr = E_OUTOFMEMORY);
  338. }
  339. }
  341. memcpy(
  342. fDomainInvalid ? pszName : (pszName + wcslen(pszName)),
  343. lsaNameString.Buffer,
  344. lsaNameString.Length
  345. );
  346. }
  348. *ppszFriendlyName = pszName;
  350. RRETURN(hr);
  352. error:
  354. if (pszName) {
  355. FreeADsMem(pszName);
  356. }
  358. RRETURN(hr);
  359. }
  361. HRESULT
  362. ConvertSecDescriptorToVariant(
  363. LPWSTR pszServerName,
  364. CCredentials& Credentials,
  365. PSECURITY_DESCRIPTOR pSecurityDescriptor,
  366. VARIANT * pVarSec,
  367. BOOL fNTDS
  368. )
  369. {
  370. IADsSecurityDescriptor * pSecDes = NULL;
  371. IDispatch * pDispatch = NULL;
  372. LPWSTR pszGroup = NULL;
  373. LPWSTR pszOwner = NULL;
  375. BOOL fOwnerDefaulted = 0;
  376. BOOL fGroupDefaulted = 0;
  377. BOOL fDaclDefaulted = 0;
  378. BOOL fSaclDefaulted = 0;
  380. BOOL fSaclPresent = 0;
  381. BOOL fDaclPresent = 0;
  383. LPBYTE pOwnerSidAddress = NULL;
  384. LPBYTE pGroupSidAddress = NULL;
  385. LPBYTE pDACLAddress = NULL;
  386. LPBYTE pSACLAddress = NULL;
  388. DWORD dwRet = 0;
  390. VARIANT varDACL;
  391. VARIANT varSACL;
  393. HRESULT hr = S_OK;
  395. DWORD dwRevision = 0;
  396. WORD wControl = 0;
  398. VariantInit(pVarSec);
  399. memset(&varSACL, 0, sizeof(VARIANT));
  400. memset(&varDACL, 0, sizeof(VARIANT));
  402. if (!pSecurityDescriptor) {
  403. RRETURN(E_FAIL);
  404. }
  407. //
  408. // Control & Revision
  409. //
  410. dwRet = GetSecurityDescriptorControl(
  411. pSecurityDescriptor,
  412. &wControl,
  413. &dwRevision
  414. );
  415. if (!dwRet){
  416. hr = HRESULT_FROM_WIN32(GetLastError());
  417. BAIL_ON_FAILURE(hr);
  418. }
  420. //
  421. // Owner
  422. //
  423. dwRet = GetSecurityDescriptorOwner(
  424. pSecurityDescriptor,
  425. (PSID *)&pOwnerSidAddress,
  426. &fOwnerDefaulted
  427. );
  429. if (!dwRet){
  430. hr = HRESULT_FROM_WIN32(GetLastError());
  431. BAIL_ON_FAILURE(hr);
  432. }
  434. if (pOwnerSidAddress) {
  435. //
  436. // For Owner and Group, we will convert the sid in old way without optimization
  437. //
  438. hr = ConvertSidToFriendlyName2(
  439. pszServerName,
  440. Credentials,
  441. pOwnerSidAddress,
  442. &pszOwner,
  443. fNTDS
  444. );
  445. BAIL_ON_FAILURE(hr);
  446. }
  449. //
  450. // Group
  451. //
  452. dwRet = GetSecurityDescriptorGroup(
  453. pSecurityDescriptor,
  454. (PSID *)&pGroupSidAddress,
  455. &fOwnerDefaulted
  456. );
  457. if (!dwRet){
  458. hr = HRESULT_FROM_WIN32(GetLastError());
  459. BAIL_ON_FAILURE(hr);
  460. }
  462. if (pGroupSidAddress) {
  463. //
  464. // For Owner and Group, we will convert the sid in old way without optimization
  465. //
  466. hr = ConvertSidToFriendlyName2(
  467. pszServerName,
  468. Credentials,
  469. pGroupSidAddress,
  470. &pszGroup,
  471. fNTDS
  472. );
  473. BAIL_ON_FAILURE(hr);
  474. }
  477. //
  478. // DACL
  479. //
  480. dwRet = GetSecurityDescriptorDacl(
  481. pSecurityDescriptor,
  482. &fDaclPresent,
  483. (PACL*)&pDACLAddress,
  484. &fDaclDefaulted
  485. );
  486. if (!dwRet){
  487. hr = HRESULT_FROM_WIN32(GetLastError());
  488. BAIL_ON_FAILURE(hr);
  489. }
  491. if (pDACLAddress) {
  493. hr = ConvertACLToVariant(
  494. pszServerName,
  495. Credentials,
  496. (PACL)pDACLAddress,
  497. &varDACL,
  498. fNTDS
  499. );
  500. BAIL_ON_FAILURE(hr);
  501. }
  503. //
  504. // SACL
  505. //
  506. dwRet = GetSecurityDescriptorSacl(
  507. pSecurityDescriptor,
  508. &fSaclPresent,
  509. (PACL *)&pSACLAddress,
  510. &fSaclDefaulted
  511. );
  512. if (!dwRet){
  513. hr = HRESULT_FROM_WIN32(GetLastError());
  514. BAIL_ON_FAILURE(hr);
  515. }
  517. if (pSACLAddress) {
  519. hr = ConvertACLToVariant(
  520. pszServerName,
  521. Credentials,
  522. (PACL)pSACLAddress,
  523. &varSACL,
  524. fNTDS
  525. );
  526. BAIL_ON_FAILURE(hr);
  527. }
  530. //
  531. // Construct an IADsSecurityDescriptor with the data
  532. // retrieved from the raw SD
  533. //
  534. hr = CoCreateInstance(
  535. CLSID_SecurityDescriptor,
  536. NULL,
  537. CLSCTX_INPROC_SERVER,
  538. IID_IADsSecurityDescriptor,
  539. (void **)&pSecDes
  540. );
  541. BAIL_ON_FAILURE(hr);
  543. hr = pSecDes->put_Owner(pszOwner);
  544. BAIL_ON_FAILURE(hr);
  546. hr = pSecDes->put_Group(pszGroup);
  547. BAIL_ON_FAILURE(hr);
  549. hr = pSecDes->put_Revision(dwRevision);
  550. BAIL_ON_FAILURE(hr);
  552. hr = pSecDes->put_Control((DWORD)wControl);
  553. BAIL_ON_FAILURE(hr);
  555. hr = pSecDes->put_DiscretionaryAcl(V_DISPATCH(&varDACL));
  556. BAIL_ON_FAILURE(hr);
  558. hr = pSecDes->put_SystemAcl(V_DISPATCH(&varSACL));
  559. BAIL_ON_FAILURE(hr);
  561. hr = pSecDes->QueryInterface(IID_IDispatch, (void**)&pDispatch);
  562. BAIL_ON_FAILURE(hr);
  564. //
  565. // Construct a VARIANT with the IADsSecurityDescriptor
  566. //
  567. V_VT(pVarSec) = VT_DISPATCH;
  568. V_DISPATCH(pVarSec) = pDispatch;
  570. error:
  571. VariantClear(&varSACL);
  572. VariantClear(&varDACL);
  574. if (pszOwner) {
  575. FreeADsStr(pszOwner);
  576. }
  578. if (pszGroup) {
  579. FreeADsStr(pszGroup);
  580. }
  583. if (pSecDes) {
  584. pSecDes->Release();
  585. }
  587. RRETURN(hr);
  588. }
  591. HRESULT
  592. ConvertSidToFriendlyName(
  593. LPWSTR pszServerName,
  594. CCredentials& Credentials,
  595. PSID pSid,
  596. LPWSTR * ppszAccountName,
  597. BOOL fNTDS
  598. )
  599. {
  600. HRESULT hr = S_OK;
  601. SID_NAME_USE eUse;
  602. WCHAR szAccountName[MAX_PATH];
  603. WCHAR szDomainName[MAX_PATH];
  604. WCHAR szServerName[MAX_PATH];
  605. DWORD dwLen = 0;
  606. DWORD dwRet = 0;
  608. LPWSTR pszAccountName = NULL;
  610. DWORD dwAcctLen = 0;
  611. DWORD dwDomainLen = 0;
  613. #if 0
  614. /**************************************************************
  616. //
  617. // parse Trustee and determine whether its NTDS or U2
  618. //
  620. if (fNTDS) {
  622. dwAcctLen = sizeof(szAccountName);
  623. dwDomainLen = sizeof(szDomainName);
  625. dwRet = LookupAccountSid(
  626. pszServerName,
  627. pSid,
  628. szAccountName,
  629. &dwAcctLen,
  630. szDomainName,
  631. &dwDomainLen,
  632. (PSID_NAME_USE)&eUse
  633. );
  635. //
  636. // Try with NULL server name if we have not already
  637. // done that for error cases.
  638. //
  639. if (!dwRet && pszServerName) {
  640. dwRet = LookupAccountSid(
  641. NULL,
  642. pSid,
  643. szAccountName,
  644. &dwAcctLen,
  645. szDomainName,
  646. &dwDomainLen,
  647. (PSID_NAME_USE)&eUse
  648. );
  649. }
  651. //
  652. // If using serverless paths, try it on the DC if it
  653. // failed (which will happen if we're trying to resolve
  654. // something like "BUILTIN\Print Operators" on a member
  655. // computer)
  656. //
  657. if (!dwRet && !pszServerName) {
  659. dwAcctLen = sizeof(szAccountName);
  660. dwDomainLen = sizeof(szDomainName);
  663. DWORD dwStatus = GetDomainDNSNameForDomain(
  664. NULL,
  665. FALSE, // don't force verify
  666. FALSE, // not writable
  667. szServerName,
  668. szDomainName
  669. );
  671. if (dwStatus == NO_ERROR) {
  673. dwRet = LookupAccountSid(
  674. szServerName,
  675. pSid,
  676. szAccountName,
  677. &dwAcctLen,
  678. szDomainName,
  679. &dwDomainLen,
  680. (PSID_NAME_USE)&eUse
  681. );
  683. //
  684. // If the lookup failed because the server was unavailable, try to get
  685. // the server again, this time forcing DsGetDcName to do rediscovery
  686. //
  687. if (!dwRet && (GetLastError() == RPC_S_SERVER_UNAVAILABLE)) {
  689. dwStatus = GetDomainDNSNameForDomain(
  690. NULL,
  691. TRUE, // force verify
  692. FALSE,// not writable
  693. szServerName,
  694. szDomainName
  695. );
  697. if (dwStatus == NO_ERROR) {
  699. dwRet = LookupAccountSid(
  700. szServerName,
  701. pSid,
  702. szAccountName,
  703. &dwAcctLen,
  704. szDomainName,
  705. &dwDomainLen,
  706. (PSID_NAME_USE)&eUse
  707. );
  708. }
  709. }
  710. }
  711. }
  713. if (!dwRet) {
  714. hr = HRESULT_FROM_WIN32(GetLastError());
  715. }else {
  717. dwLen = wcslen(szAccountName) + wcslen(szDomainName) + 1 + 1;
  719. pszAccountName = (LPWSTR)AllocADsMem(dwLen * sizeof(WCHAR));
  720. if (!pszAccountName) {
  721. hr = E_OUTOFMEMORY;
  722. BAIL_ON_FAILURE(hr);
  723. }
  725. if (szDomainName[0] && szAccountName[0]) {
  726. wsprintf(pszAccountName,L"%s\\%s",szDomainName, szAccountName);
  727. }else if (szAccountName[0]) {
  728. wsprintf(pszAccountName,L"%s", szAccountName);
  729. }
  731. *ppszAccountName = pszAccountName;
  733. }
  735. }else {
  736. *****************************************************************/
  737. #endif
  739. if (!fNTDS) {
  741. hr = ConvertSidToU2Trustee(
  742. pszServerName,
  743. Credentials,
  744. pSid,
  745. szAccountName
  746. );
  748. if (SUCCEEDED(hr)) {
  750. pszAccountName = AllocADsStr(szAccountName);
  751. if (!pszAccountName) {
  752. hr = E_OUTOFMEMORY;
  753. BAIL_ON_FAILURE(hr);
  754. }
  756. *ppszAccountName = pszAccountName;
  758. }
  760. }
  761. else {
  762. //
  763. // This is NTDS case where we need to stringize SID.
  764. //
  765. hr = E_FAIL;
  766. }
  769. if (FAILED(hr)) {
  771. hr = ConvertSidToString(
  772. pSid,
  773. szAccountName
  774. );
  775. BAIL_ON_FAILURE(hr);
  776. pszAccountName = AllocADsStr(szAccountName);
  777. if (!pszAccountName) {
  778. hr = E_OUTOFMEMORY;
  779. BAIL_ON_FAILURE(hr);
  780. }
  782. *ppszAccountName = pszAccountName;
  783. }
  786. error:
  788. RRETURN(hr);
  789. }
  791. HRESULT
  792. ConvertSidToFriendlyName2(
  793. LPWSTR pszServerName,
  794. CCredentials& Credentials,
  795. PSID pSid,
  796. LPWSTR * ppszAccountName,
  797. BOOL fNTDS
  798. )
  799. {
  800. HRESULT hr = S_OK;
  801. SID_NAME_USE eUse;
  802. WCHAR szAccountName[MAX_PATH];
  803. WCHAR szDomainName[MAX_PATH];
  804. WCHAR szServerName[MAX_PATH];
  805. DWORD dwLen = 0;
  806. DWORD dwRet = 0;
  808. LPWSTR pszAccountName = NULL;
  810. DWORD dwAcctLen = 0;
  811. DWORD dwDomainLen = 0;
  814. //
  815. // parse Trustee and determine whether its NTDS or U2
  816. //
  818. if (fNTDS) {
  820. dwAcctLen = MAX_PATH;
  821. dwDomainLen = MAX_PATH;
  823. //
  824. // Servername is specified
  825. //
  826. if (pszServerName) {
  828. dwRet = LookupAccountSid(
  829. pszServerName,
  830. pSid,
  831. szAccountName,
  832. &dwAcctLen,
  833. szDomainName,
  834. &dwDomainLen,
  835. (PSID_NAME_USE)&eUse
  836. );
  838. }
  839. //
  840. // Servername not specified
  841. //
  842. else {
  844. //
  845. // If using serverless paths, try it first on the DC
  846. //
  848. DWORD dwStatus = GetDomainDNSNameForDomain(
  849. NULL,
  850. FALSE, // don't force verify
  851. FALSE, // not writable
  852. szServerName,
  853. szDomainName
  854. );
  856. if (dwStatus == NO_ERROR) {
  858. dwRet = LookupAccountSid(
  859. szServerName,
  860. pSid,
  861. szAccountName,
  862. &dwAcctLen,
  863. szDomainName,
  864. &dwDomainLen,
  865. (PSID_NAME_USE)&eUse
  866. );
  868. //
  869. // If the lookup failed because the server was unavailable, try to get
  870. // the server again, this time forcing DsGetDcName to do rediscovery
  871. //
  872. if (!dwRet && (GetLastError() == RPC_S_SERVER_UNAVAILABLE)) {
  874. dwStatus = GetDomainDNSNameForDomain(
  875. NULL,
  876. TRUE, // force verify
  877. FALSE,// not writable
  878. szServerName,
  879. szDomainName
  880. );
  882. if (dwStatus == NO_ERROR) {
  884. dwRet = LookupAccountSid(
  885. szServerName,
  886. pSid,
  887. szAccountName,
  888. &dwAcctLen,
  889. szDomainName,
  890. &dwDomainLen,
  891. (PSID_NAME_USE)&eUse
  892. );
  893. }
  894. }
  895. }
  896. }
  898. //
  899. // At last try with NULL server name
  900. //
  901. if (!dwRet) {
  903. dwAcctLen = MAX_PATH;
  904. dwDomainLen = MAX_PATH;
  906. dwRet = LookupAccountSid(
  907. NULL,
  908. pSid,
  909. szAccountName,
  910. &dwAcctLen,
  911. szDomainName,
  912. &dwDomainLen,
  913. (PSID_NAME_USE)&eUse
  914. );
  915. }
  917. if (!dwRet) {
  918. hr = HRESULT_FROM_WIN32(GetLastError());
  919. }else {
  921. dwLen = wcslen(szAccountName) + wcslen(szDomainName) + 1 + 1;
  923. pszAccountName = (LPWSTR)AllocADsMem(dwLen * sizeof(WCHAR));
  924. if (!pszAccountName) {
  925. hr = E_OUTOFMEMORY;
  926. BAIL_ON_FAILURE(hr);
  927. }
  929. if (szDomainName[0] && szAccountName[0]) {
  930. wsprintf(pszAccountName,L"%s\\%s",szDomainName, szAccountName);
  931. }else if (szAccountName[0]) {
  932. wsprintf(pszAccountName,L"%s", szAccountName);
  933. }
  935. *ppszAccountName = pszAccountName;
  937. }
  939. }
  941. else {
  943. hr = ConvertSidToU2Trustee(
  944. pszServerName,
  945. Credentials,
  946. pSid,
  947. szAccountName
  948. );
  950. if (SUCCEEDED(hr)) {
  952. pszAccountName = AllocADsStr(szAccountName);
  953. if (!pszAccountName) {
  954. hr = E_OUTOFMEMORY;
  955. BAIL_ON_FAILURE(hr);
  956. }
  958. *ppszAccountName = pszAccountName;
  960. }
  962. }
  965. if (FAILED(hr)) {
  967. hr = ConvertSidToString(
  968. pSid,
  969. szAccountName
  970. );
  971. BAIL_ON_FAILURE(hr);
  972. pszAccountName = AllocADsStr(szAccountName);
  973. if (!pszAccountName) {
  974. hr = E_OUTOFMEMORY;
  975. BAIL_ON_FAILURE(hr);
  976. }
  978. *ppszAccountName = pszAccountName;
  979. }
  982. error:
  984. RRETURN(hr);
  985. }
  989. HRESULT
  990. ConvertACLToVariant(
  991. LPWSTR pszServerName,
  992. CCredentials& Credentials,
  993. PACL pACL,
  994. PVARIANT pvarACL,
  995. BOOL fNTDS
  996. )
  997. {
  998. IADsAccessControlList * pAccessControlList = NULL;
  999. IDispatch * pDispatch = NULL;
  1000. LPWSTR pszFriendlyName = NULL;
  1002. VARIANT varAce;
  1003. DWORD dwAclSize = 0;
  1004. DWORD dwAclRevision = 0;
  1005. DWORD dwAceCount = 0;
  1007. ACL_SIZE_INFORMATION AclSize;
  1008. ACL_REVISION_INFORMATION AclRevision;
  1009. DWORD dwStatus = 0;
  1011. DWORD i = 0;
  1012. DWORD dwNewAceCount = 0;
  1014. HRESULT hr = S_OK;
  1015. LPBYTE pAceAddress = NULL;
  1016. LSA_HANDLE hLsaPolicy = NULL;
  1017. PLSA_REFERENCED_DOMAIN_LIST pLsaRefDomList = NULL;
  1018. PLSA_TRANSLATED_NAME pLsaNames = NULL;
  1020. PSID *pSidArray = NULL;
  1023. memset(&AclSize, 0, sizeof(ACL_SIZE_INFORMATION));
  1024. memset(&AclRevision, 0, sizeof(ACL_REVISION_INFORMATION));
  1027. dwStatus = GetAclInformation(
  1028. pACL,
  1029. &AclSize,
  1030. sizeof(ACL_SIZE_INFORMATION),
  1031. AclSizeInformation
  1032. );
  1033. //
  1034. // Status should be nonzero for success
  1035. //
  1036. if (!dwStatus) {
  1037. hr = HRESULT_FROM_WIN32(GetLastError());
  1038. BAIL_ON_FAILURE(hr);
  1039. }
  1041. dwStatus = GetAclInformation(
  1042. pACL,
  1043. &AclRevision,
  1044. sizeof(ACL_REVISION_INFORMATION),
  1045. AclRevisionInformation
  1046. );
  1047. if (!dwStatus) {
  1048. hr = HRESULT_FROM_WIN32(GetLastError());
  1049. BAIL_ON_FAILURE(hr);
  1050. }
  1052. dwAceCount = AclSize.AceCount;
  1053. dwAclRevision = AclRevision.AclRevision;
  1055. VariantInit(pvarACL);
  1057. hr = CoCreateInstance(
  1058. CLSID_AccessControlList,
  1059. NULL,
  1060. CLSCTX_INPROC_SERVER,
  1061. IID_IADsAccessControlList,
  1062. (void **)&pAccessControlList
  1063. );
  1064. BAIL_ON_FAILURE(hr);
  1067. //
  1068. // Do this only when we actually have ACE
  1069. //
  1070. if(dwAceCount > 0) {
  1073. //
  1074. // Sid lookup can be optimized only for NT style SD's.
  1075. // SiteServer style SD's will continue to be processed as before.
  1076. //
  1077. if (fNTDS) {
  1078. //
  1079. // To speed up the conversion of SID's to trustees, an array of
  1080. // SID's to lookup is built and the whole array processed in one
  1081. // shot. Then the result of the Lookup is used in contstructing
  1082. // the individual ACE's.
  1083. //
  1085. pSidArray = (PSID*) AllocADsMem(sizeof(PSID) * dwAceCount);
  1086. if (!pSidArray) {
  1087. BAIL_ON_FAILURE(hr = E_OUTOFMEMORY);
  1088. }
  1090. for (i = 0; i < dwAceCount; i++) {
  1091. dwStatus = GetAce(pACL, i , (void **) &pAceAddress);
  1092. if (!dwStatus) {
  1093. BAIL_ON_FAILURE(hr = HRESULT_FROM_WIN32(GetLastError()));
  1094. }
  1096. pSidArray[i] = ComputeSidFromAceAddress(pAceAddress);
  1098. //
  1099. // Sanity check we should always have valid data.
  1100. //
  1101. if (!pSidArray[i]) {
  1102. BAIL_ON_FAILURE(hr = E_FAIL);
  1103. }
  1104. }
  1106. hr = GetLsaPolicyHandle(
  1107. pszServerName,
  1108. Credentials,
  1109. &hLsaPolicy
  1110. );
  1112. //
  1113. // Should we just convert to string SID's ?
  1114. //
  1115. BAIL_ON_FAILURE(hr);
  1117. hr = GetNamesFromSids(
  1118. hLsaPolicy,
  1119. pSidArray,
  1120. dwAceCount,
  1121. &pLsaRefDomList,
  1122. &pLsaNames
  1123. );
  1124. BAIL_ON_FAILURE(hr);
  1127. }
  1129. for (i = 0; i < dwAceCount; i++) {
  1131. if (pszFriendlyName) {
  1132. FreeADsStr(pszFriendlyName);
  1133. pszFriendlyName = NULL;
  1134. }
  1136. dwStatus = GetAce(pACL, i, (void **)&pAceAddress);
  1138. //
  1139. // Need to verify we got back the ace correctly.
  1140. //
  1141. if (!dwStatus) {
  1142. BAIL_ON_FAILURE(hr = HRESULT_FROM_WIN32(GetLastError()));
  1143. }
  1145. if(fNTDS) {
  1146. hr = GetNameForSidFromArray(
  1147. i,
  1148. pLsaRefDomList,
  1149. pLsaNames,
  1150. &pszFriendlyName
  1151. );
  1152. }
  1154. //
  1155. // We can ignore the failure.
  1156. // On failure pszFriendlyName is set to NULL in which case
  1157. // we will convert to stringised sid format (for NTDS of course).
  1158. //
  1159. hr = ConvertAceToVariant(
  1160. pszServerName,
  1161. pszFriendlyName,
  1162. Credentials,
  1163. pAceAddress,
  1164. (PVARIANT)&varAce,
  1165. fNTDS
  1166. );
  1167. //
  1168. // If we cannot convert an ACE we should error out.
  1169. //
  1170. BAIL_ON_FAILURE(hr);
  1172. hr = pAccessControlList->AddAce(V_DISPATCH(&varAce));
  1174. VariantClear(&varAce);
  1176. BAIL_ON_FAILURE(hr);
  1178. dwNewAceCount++;
  1181. }
  1183. }
  1185. pAccessControlList->put_AclRevision(dwAclRevision);
  1187. pAccessControlList->put_AceCount(dwNewAceCount);
  1190. hr = pAccessControlList->QueryInterface(
  1191. IID_IDispatch,
  1192. (void **)&pDispatch
  1193. );
  1194. V_VT(pvarACL) = VT_DISPATCH;
  1195. V_DISPATCH(pvarACL) = pDispatch;
  1197. error:
  1199. if (pAccessControlList) {
  1201. pAccessControlList->Release();
  1202. }
  1204. if (pszFriendlyName) {
  1205. FreeADsStr(pszFriendlyName);
  1206. }
  1208. if (pLsaNames) {
  1209. LsaFreeMemory(pLsaNames);
  1210. }
  1211. if (pLsaRefDomList) {
  1212. LsaFreeMemory(pLsaRefDomList);
  1213. }
  1214. if (hLsaPolicy) {
  1215. LsaClose(hLsaPolicy);
  1216. }
  1218. if(pSidArray) {
  1219. FreeADsMem(pSidArray);
  1220. }
  1223. RRETURN(hr);
  1224. }
  1228. HRESULT
  1229. ConvertAceToVariant(
  1230. LPWSTR pszServerName,
  1231. LPWSTR pszTrusteeName,
  1232. CCredentials& Credentials,
  1233. PBYTE pAce,
  1234. PVARIANT pvarAce,
  1235. BOOL fNTDS
  1236. )
  1237. {
  1238. IADsAccessControlEntry * pAccessControlEntry = NULL;
  1239. IDispatch * pDispatch = NULL;
  1240. IADsAcePrivate *pPrivAce = NULL;
  1242. DWORD dwAceType = 0;
  1243. DWORD dwAceFlags = 0;
  1244. DWORD dwAccessMask = 0;
  1245. DWORD dwLenSid = 0;
  1246. DWORD dwErr = 0;
  1247. LPWSTR pszAccountName = NULL;
  1248. PACE_HEADER pAceHeader = NULL;
  1249. LPBYTE pSidAddress = NULL;
  1250. LPBYTE pOffset = NULL;
  1251. DWORD dwFlags = 0;
  1253. GUID ObjectGUID;
  1254. GUID InheritedObjectGUID;
  1255. BSTR bstrObjectGUID = NULL;
  1256. BSTR bstrInheritedObjectGUID = NULL;
  1258. HRESULT hr = S_OK;
  1260. VariantInit(pvarAce);
  1262. hr = CoCreateInstance(
  1263. CLSID_AccessControlEntry,
  1264. NULL,
  1265. CLSCTX_INPROC_SERVER,
  1266. IID_IADsAccessControlEntry,
  1267. (void **)&pAccessControlEntry
  1268. );
  1269. BAIL_ON_FAILURE(hr);
  1271. pAceHeader = (ACE_HEADER *)pAce;
  1274. dwAceType = pAceHeader->AceType;
  1275. dwAceFlags = pAceHeader->AceFlags;
  1276. dwAccessMask = *(PACCESS_MASK)((LPBYTE)pAceHeader + sizeof(ACE_HEADER));
  1278. switch (dwAceType) {
  1280. case ACCESS_ALLOWED_ACE_TYPE:
  1281. case ACCESS_DENIED_ACE_TYPE:
  1282. case SYSTEM_AUDIT_ACE_TYPE:
  1283. case SYSTEM_ALARM_ACE_TYPE:
  1284. pSidAddress = (LPBYTE)pAceHeader + sizeof(ACE_HEADER) + sizeof(ACCESS_MASK);
  1285. break;
  1287. case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
  1288. case ACCESS_DENIED_OBJECT_ACE_TYPE:
  1289. case SYSTEM_AUDIT_OBJECT_ACE_TYPE:
  1290. case SYSTEM_ALARM_OBJECT_ACE_TYPE:
  1291. pOffset = (LPBYTE)((LPBYTE)pAceHeader + sizeof(ACE_HEADER) + sizeof(ACCESS_MASK));
  1292. dwFlags = (DWORD)(*(PDWORD)pOffset);
  1294. //
  1295. // Now advance by the size of the flags
  1296. //
  1297. pOffset += sizeof(ULONG);
  1299. if (dwFlags & ACE_OBJECT_TYPE_PRESENT) {
  1301. memcpy(&ObjectGUID, pOffset, sizeof(GUID));
  1303. hr = BuildADsGuid(ObjectGUID, &bstrObjectGUID);
  1304. BAIL_ON_FAILURE(hr);
  1306. pOffset += sizeof (GUID);
  1308. }
  1310. if (dwFlags & ACE_INHERITED_OBJECT_TYPE_PRESENT) {
  1311. memcpy(&InheritedObjectGUID, pOffset, sizeof(GUID));
  1313. hr = BuildADsGuid(InheritedObjectGUID, &bstrInheritedObjectGUID);
  1314. BAIL_ON_FAILURE(hr);
  1316. pOffset += sizeof (GUID);
  1318. }
  1320. pSidAddress = pOffset;
  1321. break;
  1323. default:
  1324. break;
  1326. }
  1328. if (pSidAddress) {
  1329. //
  1330. // Nt4 does not reset the last error correctly.
  1331. //
  1332. SetLastError(NO_ERROR);
  1334. dwLenSid = GetLengthSid(pSidAddress);
  1336. if ((dwErr = GetLastError()) != NO_ERROR) {
  1337. BAIL_ON_FAILURE(hr = HRESULT_FROM_WIN32(dwErr));
  1338. }
  1339. }
  1340. else {
  1341. //
  1342. // We should always have a valid sid address here.
  1343. // Should we be bailing here ? Or for that matter,
  1344. // should be bail on the default cluase of the switch ?
  1345. //
  1346. dwLenSid = 0;
  1347. }
  1349. //
  1350. // Call the old function only if we could not resolve the name
  1351. //
  1352. if (!pszTrusteeName) {
  1353. hr = ConvertSidToFriendlyName(
  1354. pszServerName,
  1355. Credentials,
  1356. pSidAddress,
  1357. &pszAccountName,
  1358. fNTDS
  1359. );
  1360. }
  1362. if (FAILED(hr)){
  1363. pszAccountName = AllocADsStr(L"Unknown Trustee");
  1364. if (!pszAccountName) {
  1365. hr = E_OUTOFMEMORY;
  1366. BAIL_ON_FAILURE(hr);
  1367. }
  1368. }
  1370. //
  1371. // Now set all the information in the Access Control Entry
  1372. //
  1374. hr = pAccessControlEntry->put_AccessMask(dwAccessMask);
  1375. hr = pAccessControlEntry->put_AceFlags(dwAceFlags);
  1376. hr = pAccessControlEntry->put_AceType(dwAceType);
  1378. //
  1379. // Extended ACE information
  1380. //
  1381. hr = pAccessControlEntry->put_Flags(dwFlags);
  1383. if (dwFlags & ACE_OBJECT_TYPE_PRESENT) {
  1385. //
  1386. // Add in the Object Type GUID
  1387. //
  1388. hr = pAccessControlEntry->put_ObjectType(bstrObjectGUID);
  1390. }
  1392. if (dwFlags & ACE_INHERITED_OBJECT_TYPE_PRESENT) {
  1394. //
  1395. // Add in the Inherited Object Type GUID
  1396. //
  1398. hr = pAccessControlEntry->put_InheritedObjectType(
  1399. bstrInheritedObjectGUID
  1400. );
  1401. }
  1403. //
  1404. // This is a string, so need to check the ecode. We use the
  1405. // friendlyName if that was set and if not the pszAccountName.
  1406. //
  1407. hr = pAccessControlEntry->put_Trustee(
  1408. pszTrusteeName ?
  1409. pszTrusteeName :
  1410. pszAccountName
  1411. );
  1412. BAIL_ON_FAILURE(hr);
  1414. if (pSidAddress) {
  1415. //
  1416. // We should now put the SID on this ACE for quick reverse lookup.
  1417. //
  1418. hr = pAccessControlEntry->QueryInterface(
  1419. IID_IADsAcePrivate,
  1420. (void **)&pPrivAce
  1421. );
  1423. if SUCCEEDED(hr) {
  1426. hr = pPrivAce->putSid(
  1427. pSidAddress,
  1428. dwLenSid
  1429. );
  1430. }
  1431. //
  1432. // No bail on failure here as it is not a critical failure
  1433. //
  1434. }
  1436. hr = pAccessControlEntry->QueryInterface(
  1437. IID_IDispatch,
  1438. (void **)&pDispatch
  1439. );
  1440. BAIL_ON_FAILURE(hr);
  1442. V_DISPATCH(pvarAce) = pDispatch;
  1443. V_VT(pvarAce) = VT_DISPATCH;
  1445. cleanup:
  1447. if (pszAccountName) {
  1448. FreeADsStr(pszAccountName);
  1449. }
  1451. if (pAccessControlEntry) {
  1452. pAccessControlEntry->Release();
  1453. }
  1455. if (pPrivAce) {
  1456. pPrivAce->Release();
  1457. }
  1459. if (bstrObjectGUID) {
  1460. ADsFreeString(bstrObjectGUID);
  1461. }
  1463. if (bstrInheritedObjectGUID) {
  1464. ADsFreeString(bstrInheritedObjectGUID);
  1465. }
  1467. RRETURN(hr);
  1470. error:
  1472. if (pDispatch) {
  1474. pDispatch->Release();
  1476. }
  1478. goto cleanup;
  1479. }
  1482. //+---------------------------------------------------------------------------
  1483. // Function: ComputeSidFromAceAddress - helper routine.
  1484. //
  1485. // Synopsis: Returns the pointer to the SID, given a ptr to an ACE.
  1486. //
  1487. // Arguments: pAce - ptr to the ACE.
  1488. //
  1489. // Returns: NULL on error or valid PSID.
  1490. //
  1491. // Modifies: N/A.
  1492. //
  1493. //----------------------------------------------------------------------------
  1494. PSID
  1495. ComputeSidFromAceAddress(
  1496. LPBYTE pAce
  1497. )
  1498. {
  1499. PSID pSidRetVal = NULL;
  1500. PACE_HEADER pAceHeader = NULL;
  1501. LPBYTE pOffset = NULL;
  1502. DWORD dwAceType, dwAceFlags, dwAccessMask;
  1503. DWORD dwFlags;
  1505. pAceHeader = (ACE_HEADER *)pAce;
  1507. dwAceType = pAceHeader->AceType;
  1508. dwAceFlags = pAceHeader->AceFlags;
  1509. dwAccessMask = *(PACCESS_MASK)((LPBYTE)pAceHeader + sizeof(ACE_HEADER));
  1511. switch (dwAceType) {
  1513. case ACCESS_ALLOWED_ACE_TYPE:
  1514. case ACCESS_DENIED_ACE_TYPE:
  1515. case SYSTEM_AUDIT_ACE_TYPE:
  1516. case SYSTEM_ALARM_ACE_TYPE:
  1517. pSidRetVal = (LPBYTE)pAceHeader
  1518. + sizeof(ACE_HEADER)
  1519. + sizeof(ACCESS_MASK);
  1520. break;
  1522. case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
  1523. case ACCESS_DENIED_OBJECT_ACE_TYPE:
  1524. case SYSTEM_AUDIT_OBJECT_ACE_TYPE:
  1525. case SYSTEM_ALARM_OBJECT_ACE_TYPE:
  1526. pOffset = (LPBYTE)((LPBYTE)pAceHeader
  1527. + sizeof(ACE_HEADER)
  1528. + sizeof(ACCESS_MASK)
  1529. );
  1530. dwFlags = (DWORD)(*(PDWORD)pOffset);
  1532. //
  1533. // Now advance by the size of the flags
  1534. //
  1535. pOffset += sizeof(ULONG);
  1537. if (dwFlags & ACE_OBJECT_TYPE_PRESENT) {
  1539. pOffset += sizeof (GUID);
  1541. }
  1543. if (dwFlags & ACE_INHERITED_OBJECT_TYPE_PRESENT) {
  1545. pOffset += sizeof (GUID);
  1547. }
  1549. pSidRetVal = pOffset;
  1550. break;
  1552. default:
  1553. break;
  1555. } // end of switch case.
  1557. return pSidRetVal;
  1558. }