|
|
//+---------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 2000 - 2001.
//
// File: sidcache.cpp
//
// Contents:
//
// History:
//----------------------------------------------------------------------------
#include "headers.h"
const struct{ SID sid; // contains 1 subauthority
DWORD dwSubAuth[1]; // we currently need at most 2 subauthorities
} g_StaticSids[] ={ {{SID_REVISION,2,SECURITY_NT_AUTHORITY, {SECURITY_BUILTIN_DOMAIN_RID}}, {DOMAIN_ALIAS_RID_ADMINS} },};
#define IsAliasSid(pSid) EqualPrefixSid(pSid, (PSID)&g_StaticSids[0])
/******************************************************************************
Class: SID_CACHE_ENTRYPurpose: Contains info for a single security principle******************************************************************************/DEBUG_DECLARE_INSTANCE_COUNTER(SID_CACHE_ENTRY);
SID_CACHE_ENTRY::SID_CACHE_ENTRY(PSID pSid) :m_SidType(SidTypeUnknown){ DEBUG_INCREMENT_INSTANCE_COUNTER(SID_CACHE_ENTRY); ASSERT(pSid); DWORD dwLen = GetLengthSid(pSid); m_pSid = new BYTE[dwLen]; ASSERT(m_pSid); CopySid(dwLen,m_pSid,pSid); ConvertSidToStringSid(m_pSid,&m_strSid); m_strType.LoadString(IDS_TYPE_UNKNOWN); m_strNameToDisplay = m_strSid; m_SidType = SidTypeUnknown;}
SID_CACHE_ENTRY::~SID_CACHE_ENTRY(){ DEBUG_DECREMENT_INSTANCE_COUNTER(SID_CACHE_ENTRY); delete[] m_pSid;}
VOID SID_CACHE_ENTRY::AddNameAndType(IN SID_NAME_USE SidType, const CString& strAccountName, const CString& strLogonName){ AFX_MANAGE_STATE(AfxGetStaticModuleState()); //Empty the m_strNameToDisplay which was made using
//ealier values of strAccountName and strLogonName
m_strNameToDisplay.Empty(); m_strType.Empty(); m_SidType = SidType; m_strAccountName = strAccountName; m_strLogonName = strLogonName;
//
//Set the Display Name
//
if(m_SidType == SidTypeDeletedAccount || m_SidType == SidTypeInvalid || m_SidType == SidTypeUnknown) { UINT idFormat; if(m_SidType == SidTypeDeletedAccount) idFormat = IDS_SID_DELETED; if(m_SidType == SidTypeInvalid) idFormat = IDS_SID_INVALID; if(m_SidType == SidTypeUnknown) idFormat = IDS_SID_UNKNOWN; FormatString(m_strNameToDisplay,idFormat,LPCTSTR(m_strSid)); } else if(!m_strAccountName.IsEmpty()) { if(!m_strLogonName.IsEmpty()) { //Both the names are present.
FormatString(m_strNameToDisplay, IDS_NT_USER_FORMAT, (LPCTSTR)m_strAccountName, (LPCTSTR)m_strLogonName); } else { m_strNameToDisplay = m_strAccountName; } } else { //Just return the sid in string format
m_SidType = SidTypeUnknown; m_strNameToDisplay = m_strSid; }
//
//Set Sid Type String
//
if(m_SidType == SidTypeDeletedAccount || m_SidType == SidTypeInvalid || m_SidType == SidTypeUnknown) { m_strType.LoadString(IDS_TYPE_UNKNOWN); } else if(m_SidType == SidTypeUser) { m_strType.LoadString(IDS_TYPE_WINDOWS_USER); } else if(m_SidType == SidTypeComputer) { m_strType.LoadString(IDS_TYPE_WINDOWS_COMPUTER); } else //Assume everything else is group
{ m_strType.LoadString(IDS_TYPE_WINDOWS_GROUP); }}
/******************************************************************************
Class: CMachineInfoPurpose: Contains all the info for machine.******************************************************************************/DEBUG_DECLARE_INSTANCE_COUNTER(CMachineInfo);CMachineInfo::CMachineInfo():m_bIsStandAlone(TRUE), m_bIsDC(FALSE){ DEBUG_INCREMENT_INSTANCE_COUNTER(CMachineInfo);}
CMachineInfo::~CMachineInfo(){ DEBUG_DECREMENT_INSTANCE_COUNTER(CMachineInfo);}
//+----------------------------------------------------------------------------
// Function:InitializeMacineConfiguration
// Synopsis:Get the information about TargetComputer's conficguration
//-----------------------------------------------------------------------------
VOIDCMachineInfo::InitializeMacineConfiguration(IN const CString& strTargetComputerName){ TRACE_METHOD_EX(DEB_SNAPIN,CMachineInfo,InitializeMacineConfiguration) //
//Initialize the values to default
//
m_strTargetComputerName = strTargetComputerName; m_bIsStandAlone = TRUE; m_strDCName.Empty(); m_bIsDC = FALSE; m_strTargetDomainFlat.Empty(); m_strTargetDomainDNS.Empty(); HRESULT hr = S_OK; ULONG ulResult; PDSROLE_PRIMARY_DOMAIN_INFO_BASIC pDsRole = NULL; PDOMAIN_CONTROLLER_INFO pdci = NULL; do { PCWSTR pwzMachine = strTargetComputerName; ulResult = DsRoleGetPrimaryDomainInformation(pwzMachine, DsRolePrimaryDomainInfoBasic, (PBYTE *)&pDsRole); if (ulResult != NO_ERROR) { DBG_OUT_LRESULT(ulResult); break; } if(!pDsRole) { //We should never reach here, but sadly DsRoleGetPrimaryDomainInformation
//sometimes succeeds but pDsRole is null.
ASSERT(FALSE); break; } Dbg(DEB_SNAPIN, "DsRoleGetPrimaryDomainInformation returned:\n"); Dbg(DEB_SNAPIN, "DomainNameFlat: %ws\n", CHECK_NULL(pDsRole->DomainNameFlat)); Dbg(DEB_SNAPIN, "DomainNameDns: %ws\n", CHECK_NULL(pDsRole->DomainNameDns)); Dbg(DEB_SNAPIN, "DomainForestName: %ws\n", CHECK_NULL(pDsRole->DomainForestName)); //
// If machine is in a workgroup, we're done.
//
if (pDsRole->MachineRole == DsRole_RoleStandaloneWorkstation || pDsRole->MachineRole == DsRole_RoleStandaloneServer) { Dbg(DEB_SNAPIN, "Target machine is not joined to a domain\n"); m_bIsStandAlone = TRUE; m_bIsDC = FALSE; break; } //
// Target Computer is joined to a domain
//
m_bIsStandAlone = FALSE; if (pDsRole->DomainNameFlat) { m_strTargetDomainFlat = pDsRole->DomainNameFlat; } if (pDsRole->DomainNameDns) { m_strTargetDomainDNS = pDsRole->DomainNameDns; } //
// TargetComputer is Joined to a domain and is dc
//
if (pDsRole->MachineRole == DsRole_RolePrimaryDomainController || pDsRole->MachineRole == DsRole_RoleBackupDomainController) { m_bIsDC = TRUE; m_strDCName = m_strTargetComputerName; break; } //
//Target computer is Joined to domain and is not a DC.
//Get a DC for the domain
//
PWSTR pwzDomainNameForDsGetDc; ULONG flDsGetDc = DS_DIRECTORY_SERVICE_PREFERRED; if (pDsRole->DomainNameDns) { pwzDomainNameForDsGetDc = pDsRole->DomainNameDns; flDsGetDc |= DS_IS_DNS_NAME; Dbg(DEB_TRACE, "DsGetDcName(Domain=%ws, flags=DS_IS_DNS_NAME | DS_DIRECTORY_SERVICE_PREFERRED)\n", CHECK_NULL(pwzDomainNameForDsGetDc)); } else { pwzDomainNameForDsGetDc = pDsRole->DomainNameFlat; flDsGetDc |= DS_IS_FLAT_NAME; Dbg(DEB_TRACE, "DsGetDcName(Domain=%ws, flags=DS_IS_FLAT_NAME | DS_DIRECTORY_SERVICE_PREFERRED)\n", CHECK_NULL(pwzDomainNameForDsGetDc)); } ulResult = DsGetDcName(NULL, pwzDomainNameForDsGetDc, NULL, NULL, flDsGetDc, &pdci); if (ulResult != NO_ERROR) { Dbg(DEB_ERROR, "DsGetDcName for domain %ws returned %#x, Too bad don't have the dc name\n", pwzDomainNameForDsGetDc, ulResult); break; } ASSERT(pdci); m_strDCName = pdci->DomainControllerName; } while (0); if (pdci) { NetApiBufferFree(pdci); } if (pDsRole) { DsRoleFreeMemory(pDsRole); }}
intCopyUnicodeString(CString* pstrDest, PLSA_UNICODE_STRING pSrc){ ULONG cchSrc;
// If UNICODE, cchDest is size of destination buffer in chars
// Else (MBCS) cchDest is size of destination buffer in bytes
if (pstrDest == NULL ) return 0;
if (pSrc == NULL || pSrc->Buffer == NULL) return 0;
// Get # of chars in source (not including NULL)
cchSrc = pSrc->Length/sizeof(WCHAR);
//
// Note that pSrc->Buffer may not be NULL terminated so we can't just
// call lstrcpynW with cchDest. Also, if we call lstrcpynW with cchSrc,
// it copies the correct # of chars, but then overwrites the last char
// with NULL giving an incorrect result. If we call lstrcpynW with
// (cchSrc+1) it reads past the end of the buffer, which may fault (360251)
// causing lstrcpynW's exception handler to return 0 without NULL-
// terminating the resulting string.
//
// So let's just copy the bits.
//
CString temp(pSrc->Buffer,cchSrc);
*pstrDest = temp; return cchSrc;}
VOIDGetAccountAndDomainName(int index, PLSA_TRANSLATED_NAME pTranslatedNames, PLSA_REFERENCED_DOMAIN_LIST pRefDomains, CString* pstrAccountName, CString* pstrDomainName, SID_NAME_USE* puse){ PLSA_TRANSLATED_NAME pLsaName = &pTranslatedNames[index]; PLSA_TRUST_INFORMATION pLsaDomain = NULL;
// Get the referenced domain, if any
if (pLsaName->DomainIndex >= 0 && pRefDomains) { pLsaDomain = &pRefDomains->Domains[pLsaName->DomainIndex]; }
CopyUnicodeString(pstrAccountName,&pLsaName->Name); if (pLsaDomain) { CopyUnicodeString(pstrDomainName,&pLsaDomain->Name); }
*puse = pLsaName->Use;}
HRESULTTranslateNameInternal(IN const CString& strAccountName, IN EXTENDED_NAME_FORMAT AccountNameFormat, IN EXTENDED_NAME_FORMAT DesiredNameFormat, OUT CString* pstrTranslatedName){ if (!pstrTranslatedName) { ASSERT(pstrTranslatedName); return E_POINTER; }
HRESULT hr = S_OK; //
// cchTrans is static so that if a particular installation's
// account names are really long, we'll not be resizing the
// buffer for each account.
//
static ULONG cchTrans = MAX_PATH; ULONG cch = cchTrans;
LPTSTR lpszTranslatedName = (LPTSTR)LocalAlloc(LPTR, cch*sizeof(WCHAR)); if (lpszTranslatedName == NULL) return E_OUTOFMEMORY;
*lpszTranslatedName = L'\0';
//
// TranslateName is delay-loaded from secur32.dll using the linker's
// delay-load mechanism. Therefore, wrap with an exception handler.
//
__try { while(!::TranslateName(strAccountName, AccountNameFormat, DesiredNameFormat, lpszTranslatedName, &cch)) { if (ERROR_INSUFFICIENT_BUFFER == GetLastError()) { LocalFree(lpszTranslatedName); lpszTranslatedName = (LPTSTR)LocalAlloc(LPTR, cch*sizeof(WCHAR)); if (!lpszTranslatedName) { hr = E_OUTOFMEMORY; break; }
*lpszTranslatedName = L'\0'; } else { hr = E_FAIL; break; } }
cchTrans = max(cch, cchTrans); } __except(EXCEPTION_EXECUTE_HANDLER) { hr = E_FAIL; }
if (FAILED(hr)) { if(lpszTranslatedName) { LocalFree(lpszTranslatedName); } } else { *pstrTranslatedName = lpszTranslatedName; } return hr;}
#define DSOP_FILTER_COMMON1 ( DSOP_FILTER_INCLUDE_ADVANCED_VIEW \
| DSOP_FILTER_USERS \ | DSOP_FILTER_UNIVERSAL_GROUPS_SE \ | DSOP_FILTER_GLOBAL_GROUPS_SE \ | DSOP_FILTER_COMPUTERS \ )#define DSOP_FILTER_COMMON2 ( DSOP_FILTER_COMMON1 \
| DSOP_FILTER_WELL_KNOWN_PRINCIPALS \ | DSOP_FILTER_DOMAIN_LOCAL_GROUPS_SE\ )#define DSOP_FILTER_COMMON3 ( DSOP_FILTER_COMMON2 \
| DSOP_FILTER_BUILTIN_GROUPS \ )
#define DSOP_FILTER_DL_COMMON1 ( DSOP_DOWNLEVEL_FILTER_USERS \
| DSOP_DOWNLEVEL_FILTER_GLOBAL_GROUPS \ )
#define DSOP_FILTER_DL_COMMON2 ( DSOP_FILTER_DL_COMMON1 \
| DSOP_DOWNLEVEL_FILTER_ALL_WELLKNOWN_SIDS \ )
#define DSOP_FILTER_DL_COMMON3 ( DSOP_FILTER_DL_COMMON2 \
| DSOP_DOWNLEVEL_FILTER_LOCAL_GROUPS \ )// Same as DSOP_DOWNLEVEL_FILTER_ALL_WELLKNOWN_SIDS, except no CREATOR flags.
// Note that we need to keep this in sync with any object picker changes.
#define DSOP_FILTER_DL_WELLKNOWN ( DSOP_DOWNLEVEL_FILTER_WORLD \
| DSOP_DOWNLEVEL_FILTER_AUTHENTICATED_USER \ | DSOP_DOWNLEVEL_FILTER_ANONYMOUS \ | DSOP_DOWNLEVEL_FILTER_BATCH \ | DSOP_DOWNLEVEL_FILTER_DIALUP \ | DSOP_DOWNLEVEL_FILTER_INTERACTIVE \ | DSOP_DOWNLEVEL_FILTER_NETWORK \ | DSOP_DOWNLEVEL_FILTER_SERVICE \ | DSOP_DOWNLEVEL_FILTER_SYSTEM \ | DSOP_DOWNLEVEL_FILTER_TERMINAL_SERVER \ )
#define DECLARE_SCOPE(t,f,b,m,n,d) \
{ sizeof(DSOP_SCOPE_INIT_INFO), (t), (f|DSOP_SCOPE_FLAG_DEFAULT_FILTER_GROUPS|DSOP_SCOPE_FLAG_DEFAULT_FILTER_USERS), { { (b), (m), (n) }, (d) }, NULL, NULL, S_OK }
// The domain to which the target computer is joined.
// Make 2 scopes, one for uplevel domains, the other for downlevel.
#define JOINED_DOMAIN_SCOPE(f) \
DECLARE_SCOPE(DSOP_SCOPE_TYPE_UPLEVEL_JOINED_DOMAIN,(f),0,(DSOP_FILTER_COMMON2 & ~(DSOP_FILTER_UNIVERSAL_GROUPS_SE|DSOP_FILTER_DOMAIN_LOCAL_GROUPS_SE)),DSOP_FILTER_COMMON2,0), \DECLARE_SCOPE(DSOP_SCOPE_TYPE_DOWNLEVEL_JOINED_DOMAIN,(f),0,0,0,DSOP_FILTER_DL_COMMON2)
// The domain for which the target computer is a Domain Controller.
// Make 2 scopes, one for uplevel domains, the other for downlevel.
#define JOINED_DOMAIN_SCOPE_DC(f) \
DECLARE_SCOPE(DSOP_SCOPE_TYPE_UPLEVEL_JOINED_DOMAIN,(f),0,(DSOP_FILTER_COMMON3 & ~DSOP_FILTER_UNIVERSAL_GROUPS_SE),DSOP_FILTER_COMMON3,0), \DECLARE_SCOPE(DSOP_SCOPE_TYPE_DOWNLEVEL_JOINED_DOMAIN,(f),0,0,0,DSOP_FILTER_DL_COMMON3)
// Target computer scope. Computer scopes are always treated as
// downlevel (i.e., they use the WinNT provider).
#define TARGET_COMPUTER_SCOPE(f)\
DECLARE_SCOPE(DSOP_SCOPE_TYPE_TARGET_COMPUTER,(f),0,0,0,DSOP_FILTER_DL_COMMON3)
// The Global Catalog
#define GLOBAL_CATALOG_SCOPE(f) \
DECLARE_SCOPE(DSOP_SCOPE_TYPE_GLOBAL_CATALOG,(f),DSOP_FILTER_COMMON1|DSOP_FILTER_WELL_KNOWN_PRINCIPALS,0,0,0)
// The domains in the same forest (enterprise) as the domain to which
// the target machine is joined. Note these can only be DS-aware
#define ENTERPRISE_SCOPE(f) \
DECLARE_SCOPE(DSOP_SCOPE_TYPE_ENTERPRISE_DOMAIN,(f),DSOP_FILTER_COMMON1,0,0,0)
// Domains external to the enterprise but trusted directly by the
// domain to which the target machine is joined.
#define EXTERNAL_SCOPE(f) \
DECLARE_SCOPE(DSOP_SCOPE_TYPE_EXTERNAL_UPLEVEL_DOMAIN|DSOP_SCOPE_TYPE_EXTERNAL_DOWNLEVEL_DOMAIN,\ (f),DSOP_FILTER_COMMON1,0,0,DSOP_DOWNLEVEL_FILTER_USERS|DSOP_DOWNLEVEL_FILTER_GLOBAL_GROUPS)
// Workgroup scope. Only valid if the target computer is not joined
// to a domain.
#define WORKGROUP_SCOPE(f) \
DECLARE_SCOPE(DSOP_SCOPE_TYPE_WORKGROUP,(f),0,0,0, DSOP_FILTER_DL_COMMON1|DSOP_DOWNLEVEL_FILTER_LOCAL_GROUPS )
//
// Array of Default Scopes
//
static const DSOP_SCOPE_INIT_INFO g_aDefaultScopes[] ={ JOINED_DOMAIN_SCOPE(DSOP_SCOPE_FLAG_STARTING_SCOPE), TARGET_COMPUTER_SCOPE(0), GLOBAL_CATALOG_SCOPE(0), ENTERPRISE_SCOPE(0), EXTERNAL_SCOPE(0),};
//
// Same as above, but without the Target Computer
// Used when the target is a Domain Controller
//
static const DSOP_SCOPE_INIT_INFO g_aDCScopes[] ={ JOINED_DOMAIN_SCOPE_DC(DSOP_SCOPE_FLAG_STARTING_SCOPE), GLOBAL_CATALOG_SCOPE(0), ENTERPRISE_SCOPE(0), EXTERNAL_SCOPE(0),};
//
// Array of scopes for standalone machines
//
static const DSOP_SCOPE_INIT_INFO g_aStandAloneScopes[] ={//
//On Standalone machine Both User And Groups are selected by default
//
TARGET_COMPUTER_SCOPE(DSOP_SCOPE_FLAG_STARTING_SCOPE|DSOP_SCOPE_FLAG_DEFAULT_FILTER_USERS),};
//
// Attributes that we want the Object Picker to retrieve
//
static const LPCTSTR g_aszOPAttributes[] ={ TEXT("ObjectSid"),};
/******************************************************************************
Class: CSidHandlerPurpose: class for handling tasks related to selecting windows users, converting sids to name etc.******************************************************************************/DEBUG_DECLARE_INSTANCE_COUNTER(CSidHandler);
CSidHandler::CSidHandler(CMachineInfo* pMachineInfo) :m_pMachineInfo(pMachineInfo), m_bObjectPickerInitialized(FALSE){ DEBUG_INCREMENT_INSTANCE_COUNTER(CSidHandler); InitializeCriticalSection(&m_csSidHandlerLock); InitializeCriticalSection(&m_csSidCacheLock);}
CSidHandler::~CSidHandler(){ DEBUG_DECREMENT_INSTANCE_COUNTER(CSidHandler); delete m_pMachineInfo; //Remove itesm from the map
LockSidHandler(); for (SidCacheMap::iterator it = m_mapSidCache.begin(); it != m_mapSidCache.end(); ++it) { delete (*it).second; } UnlockSidHandler(); DeleteCriticalSection(&m_csSidCacheLock); DeleteCriticalSection(&m_csSidHandlerLock);}
PSID_CACHE_ENTRY CSidHandler::GetEntryFromCache(PSID pSid){ PSID_CACHE_ENTRY pSidCache = NULL; LockSidHandler();
//Check if item in the cache
CString strSid; ConvertSidToStringSid(pSid,&strSid);
SidCacheMap::iterator it = m_mapSidCache.find(&strSid); if(it != m_mapSidCache.end()) pSidCache = (*it).second;
if(!pSidCache) { //No in the cache Create a new entry and add to the cache
pSidCache = new SID_CACHE_ENTRY(pSid); if(pSidCache) { m_mapSidCache.insert(pair<const CString*,PSID_CACHE_ENTRY>(&(pSidCache->GetStringSid()),pSidCache)); } } UnlockSidHandler(); return pSidCache;}
//+----------------------------------------------------------------------------
// Synopsis: CoCreateInstance ObjectPikcer
//-----------------------------------------------------------------------------
HRESULTCSidHandler::GetObjectPicker(){ LockSidHandler(); TRACE_METHOD_EX(DEB_SNAPIN,CSidHandler,GetObjectPicker) HRESULT hr = S_OK; if (!m_spDsObjectPicker) { hr = CoCreateInstance(CLSID_DsObjectPicker, NULL, CLSCTX_INPROC_SERVER, IID_IDsObjectPicker, (LPVOID*)&m_spDsObjectPicker); CHECK_HRESULT(hr); } UnlockSidHandler(); return hr;}
//+----------------------------------------------------------------------------
// Function: InitObjectPicker
// Synopsis: Initializes the object picker. This needs to be done once in
// lifetime
//-----------------------------------------------------------------------------
HRESULTCSidHandler::InitObjectPicker(){ TRACE_METHOD_EX(DEB_SNAPIN,CSidHandler,InitObjectPicker)
HRESULT hr = S_OK; hr = GetObjectPicker(); if(FAILED(hr)) return hr;
LockSidHandler(); do { if(m_bObjectPickerInitialized) break; DSOP_INIT_INFO InitInfo; InitInfo.cbSize = sizeof(InitInfo); InitInfo.flOptions = DSOP_FLAG_SKIP_TARGET_COMPUTER_DC_CHECK | DSOP_FLAG_MULTISELECT;
//Select the appropriate scopes
PCDSOP_SCOPE_INIT_INFO pScopes; ULONG cScopes; if(m_pMachineInfo->IsStandAlone()) { cScopes = ARRAYLEN(g_aStandAloneScopes); pScopes = g_aStandAloneScopes; } else if(m_pMachineInfo->IsDC()) { cScopes = ARRAYLEN(g_aDCScopes); pScopes = g_aDCScopes; } else { pScopes = g_aDefaultScopes; cScopes = ARRAYLEN(g_aDefaultScopes); }
InitInfo.pwzTargetComputer = m_pMachineInfo->GetMachineName(); InitInfo.cDsScopeInfos = cScopes; InitInfo.aDsScopeInfos = (PDSOP_SCOPE_INIT_INFO)LocalAlloc(LPTR, sizeof(*pScopes)*cScopes); if (!InitInfo.aDsScopeInfos) { hr = E_OUTOFMEMORY; break; }
CopyMemory(InitInfo.aDsScopeInfos, pScopes, sizeof(*pScopes)*cScopes); InitInfo.cAttributesToFetch = ARRAYLEN(g_aszOPAttributes); InitInfo.apwzAttributeNames = (LPCTSTR*)g_aszOPAttributes; if (m_pMachineInfo->IsDC()) { for (ULONG i = 0; i < cScopes; i++) { // Set the DC name if appropriate
if(InitInfo.aDsScopeInfos[i].flType & DSOP_SCOPE_TYPE_UPLEVEL_JOINED_DOMAIN) { InitInfo.aDsScopeInfos[i].pwzDcName = InitInfo.pwzTargetComputer; } } } //Initialize the object picker
hr = m_spDsObjectPicker->Initialize(&InitInfo); if (SUCCEEDED(hr)) { m_bObjectPickerInitialized = TRUE; } if(InitInfo.aDsScopeInfos) LocalFree(InitInfo.aDsScopeInfos);
}while(0);
UnlockSidHandler(); return hr;}
//+----------------------------------------------------------------------------
// Synopsis: Pops up object pikcer. Function also does the sidlookop for
// objects selected. Information is returned in listSidCacheEntry
//-----------------------------------------------------------------------------
HRESULTCSidHandler:: GetUserGroup(IN HWND hDlg, IN CBaseAz* pOwnerAz, OUT CList<CBaseAz*,CBaseAz*>& listWindowsGroups){ if(!pOwnerAz) { ASSERT(pOwnerAz); return E_POINTER; }
TRACE_METHOD_EX(DEB_SNAPIN,CSidHandler,GetUserGroup)
HRESULT hr; LPDATAOBJECT pdoSelection = NULL; STGMEDIUM medium = {0}; FORMATETC fe = { (CLIPFORMAT)g_cfDsSelectionList, NULL, DVASPECT_CONTENT, -1, TYMED_HGLOBAL }; PDS_SELECTION_LIST pDsSelList = NULL; do {
// Create and initialize the Object Picker object
hr = InitObjectPicker(); if (FAILED(hr)) return hr;
// Bring up the object picker dialog
hr = m_spDsObjectPicker->InvokeDialog(hDlg, &pdoSelection); BREAK_ON_FAIL_HRESULT(hr);
//User Pressed cancel
if (S_FALSE == hr) { hr = S_OK; break; }
hr = pdoSelection->GetData(&fe, &medium); BREAK_ON_FAIL_HRESULT(hr);
pDsSelList = (PDS_SELECTION_LIST)GlobalLock(medium.hGlobal); if (!pDsSelList) { hr = E_FAIL; BREAK_ON_FAIL_HRESULT(hr); } CList<SID_CACHE_ENTRY*,SID_CACHE_ENTRY*> listSidCacheEntry; CList<SID_CACHE_ENTRY*,SID_CACHE_ENTRY*> listUnresolvedSidCacheEntry;
//Get the listof sidcache entries from pDsSelList
hr = GetSidCacheListFromOPOutput(pDsSelList, listSidCacheEntry, listUnresolvedSidCacheEntry); BREAK_ON_FAIL_HRESULT(hr);
//Resolve the sids not resolved in listSidCacheEntry
LookupSidsHelper(listUnresolvedSidCacheEntry, m_pMachineInfo->GetMachineName(), m_pMachineInfo->IsStandAlone(), m_pMachineInfo->IsDC(), FALSE); POSITION pos = listSidCacheEntry.GetHeadPosition(); for( int i = 0; i < listSidCacheEntry.GetCount(); ++i) { SID_CACHE_ENTRY* pSidCacheEntry = listSidCacheEntry.GetNext(pos); CSidCacheAz* pSidCacheAz = new CSidCacheAz(pSidCacheEntry, pOwnerAz); if(!pSidCacheAz) { hr = E_OUTOFMEMORY; break; } listWindowsGroups.AddTail(pSidCacheAz); } }while(0); if (pDsSelList) GlobalUnlock(medium.hGlobal);
ReleaseStgMedium(&medium); if(pdoSelection) pdoSelection->Release();
return hr;}
//+----------------------------------------------------------------------------
// Function:LookupSidsHelper
// Synopsis:Calls LsaLookupSid for sids in listSids. First it tries on
// strServerName machine and next it tries on DC( if possible).
// Arguments:listSidCacheEntry
// Returns:
//-----------------------------------------------------------------------------
VOIDCSidHandler::LookupSidsHelper(IN OUT CList<PSID_CACHE_ENTRY,PSID_CACHE_ENTRY>& listSidCacheEntry, IN const CString& strServerName, IN BOOL bStandAlone, IN BOOL bIsDC, IN BOOL bSecondTry){ TRACE_METHOD_EX(DEB_SNAPIN,CSidHandler,LookupSidsHelper) PLSA_REFERENCED_DOMAIN_LIST pRefDomains = NULL; PLSA_TRANSLATED_NAME pTranslatedNames = NULL; LSA_HANDLE hlsa = NULL; CList<PSID_CACHE_ENTRY,PSID_CACHE_ENTRY> listUnknownSids; PSID *ppSid = NULL;
if(!listSidCacheEntry.GetCount()) return;
do { //
//Open LsaConnection
//
hlsa = GetLSAConnection(strServerName, POLICY_LOOKUP_NAMES); if (NULL == hlsa && !strServerName.IsEmpty() && !bSecondTry) { CString strLocalMachine = L""; hlsa = GetLSAConnection(strLocalMachine, POLICY_LOOKUP_NAMES); } if (hlsa == NULL) { break; } //
//Now we have LSA Connection
//Do LookupSids
//
int cSids = (int)listSidCacheEntry.GetCount(); ppSid = new PSID[cSids]; if(!ppSid) { break; } POSITION pos = listSidCacheEntry.GetHeadPosition(); for (int i=0;i < cSids; i++) { PSID_CACHE_ENTRY pSidCacheEntry = listSidCacheEntry.GetNext(pos); ppSid[i] = pSidCacheEntry->GetSid(); }
DWORD dwStatus = 0;
dwStatus = LsaLookupSids(hlsa, cSids, ppSid, &pRefDomains, &pTranslatedNames);
if (STATUS_SUCCESS == dwStatus || STATUS_SOME_NOT_MAPPED == dwStatus || STATUS_NONE_MAPPED == dwStatus) { ASSERT(pTranslatedNames); ASSERT(pRefDomains);
//
// Build cache entries with NT4 style names
//
pos = listSidCacheEntry.GetHeadPosition(); for (int i = 0; i < cSids; i++) { PSID_CACHE_ENTRY pSidCacheEntry = listSidCacheEntry.GetNext(pos); PSID pSid = pSidCacheEntry->GetSid(); BOOL bNoCache = FALSE;
CString strAccountName; CString strDomainName; SID_NAME_USE sid_name_use; GetAccountAndDomainName(i, pTranslatedNames, pRefDomains, &strAccountName, &strDomainName, &sid_name_use); CString strLogonName; //
// Build NT4 "domain\user" style name
//
if (!strDomainName.IsEmpty() && !strAccountName.IsEmpty()) { strLogonName = strDomainName; strLogonName += L"\\"; strLogonName += strAccountName; }
switch (sid_name_use) { case SidTypeUser: { if(!bStandAlone) { // Get "User Principal Name" etc.
CString strNewLogonName; CString strNewAccountName; GetUserFriendlyName(strLogonName, &strNewLogonName, &strNewAccountName); if (!strNewLogonName.IsEmpty()) strLogonName = strNewLogonName; if (!strNewAccountName.IsEmpty()) strAccountName = strNewAccountName; } break; } case SidTypeGroup: case SidTypeDomain: break; case SidTypeAlias: { if (!IsAliasSid(pSid)) { sid_name_use = SidTypeGroup; break; } if(!m_pMachineInfo->GetTargetDomainFlat().IsEmpty() && !strAccountName.IsEmpty()) { strLogonName = m_pMachineInfo->GetTargetDomainFlat(); strLogonName += L"\\"; strLogonName += strAccountName; } break; } // else Fall Through
case SidTypeWellKnownGroup: { // No logon name for these
strLogonName.Empty(); break; } case SidTypeDeletedAccount: case SidTypeInvalid: // 7
break; case SidTypeUnknown: // 8
{ // Some SIDs can only be looked up on a DC, so
// if pszServer is not a DC, remember them and
// look them up on a DC after this loop is done.
if (!bSecondTry && !bStandAlone && !bIsDC && !(m_pMachineInfo->GetDCName()).IsEmpty()) { //Add to unknown list
listUnknownSids.AddTail(pSidCacheEntry); bNoCache = TRUE; } break; } case SidTypeComputer: // 9
{ // TODO
// Strip the trailing '$'
break; } }
if (!bNoCache) { //Only one sidcahce entry per sid chache handler can
//be updated at a time. Which is fine.
LockSidCacheEntry(); pSidCacheEntry->AddNameAndType(sid_name_use, strAccountName, strLogonName); UnlockSidCacheEntry(); }
} }
}while(0); // Cleanup
if(pTranslatedNames) LsaFreeMemory(pTranslatedNames); if(pRefDomains) LsaFreeMemory(pRefDomains); if(hlsa) LsaClose(hlsa); if(ppSid) delete[] ppSid;
if (!listUnknownSids.IsEmpty()) { //
// Some (or all) SIDs were unknown on the target machine,
// try a DC for the target machine's primary domain.
//
// This typically happens for certain Alias SIDs, such
// as Print Operators and System Operators, for which LSA
// only returns names if the lookup is done on a DC.
//
LookupSidsHelper(listUnknownSids, m_pMachineInfo->GetDCName(), FALSE, TRUE, TRUE); }}
//+----------------------------------------------------------------------------
// Function: GetUserFriendlyName
// Synopsis: Gets name in Domain\Name format and returns UPN name and
// Display Name.
// Arguments:
// Returns:
//-----------------------------------------------------------------------------
voidCSidHandler::GetUserFriendlyName(IN const CString & strSamLogonName, OUT CString *pstrLogonName, OUT CString *pstrDisplayName){
if(strSamLogonName.IsEmpty()|| !pstrLogonName || !pstrDisplayName) { ASSERT(strSamLogonName.IsEmpty()); ASSERT(!pstrLogonName); ASSERT(!pstrDisplayName); return; } //
// Start by getting the FQDN. Cracking is most efficient when the
// FQDN is the starting point.
//
// TranslateName takes a while to complete, so bUseSamCompatibleInfo
// should be TRUE whenever possible, e.g. for local accounts on a non-DC
// or anything where we know a FQDN doesn't exist.
//
CString strFQDN; if (FAILED(TranslateNameInternal(strSamLogonName, NameSamCompatible, NameFullyQualifiedDN, &strFQDN))) { return; }
//
//Get UPN
//
TranslateNameInternal(strFQDN, NameFullyQualifiedDN, NameUserPrincipal, pstrLogonName);
//
//Get Display Name
//
TranslateNameInternal(strFQDN, NameFullyQualifiedDN, NameDisplay, pstrDisplayName);}
//+----------------------------------------------------------------------------
// Function: LookupSids
// Synopsis: Given a list of sids, retuns a list of corresponding
// CSidCacheAz objects
// Arguments:
// Returns:
//-----------------------------------------------------------------------------
HRESULTCSidHandler::LookupSids(IN CBaseAz* pOwnerAz, IN CList<PSID,PSID>& listSids, OUT CList<CBaseAz*,CBaseAz*>& listSidCacheAz){ if(!pOwnerAz) { ASSERT(pOwnerAz); return E_POINTER; }
HRESULT hr = S_OK;
CList<PSID_CACHE_ENTRY,PSID_CACHE_ENTRY> listSidCacheEntries; CList<PSID_CACHE_ENTRY,PSID_CACHE_ENTRY> listUnResolvedSidCacheEntries;
hr = GetSidCacheListFromSidList(listSids, listSidCacheEntries, listUnResolvedSidCacheEntries); if(FAILED(hr)) { return hr; } //Do the Lookup for unresolved sids
LookupSidsHelper(listUnResolvedSidCacheEntries, m_pMachineInfo->GetMachineName(), m_pMachineInfo->IsStandAlone(), m_pMachineInfo->IsDC(), FALSE);
POSITION pos = listSidCacheEntries.GetHeadPosition(); for( int i = 0; i < listSidCacheEntries.GetCount(); ++i) { PSID_CACHE_ENTRY pSidCacheEntry = listSidCacheEntries.GetNext(pos); CSidCacheAz* pSidCacheAz = new CSidCacheAz(pSidCacheEntry, pOwnerAz); if(!pSidCacheAz) { hr = E_OUTOFMEMORY; break; } listSidCacheAz.AddTail(pSidCacheAz); }
if(FAILED(hr)) { RemoveItemsFromList(listSidCacheAz); } return hr;}
//+----------------------------------------------------------------------------
// Function: GetSidCacheListFromSidList
// Gets a list of sids and returns corresponding list of sidcache
// entries and unresolved sid cache entries
// Arguments:listSid: List of sids
// listSidCacheEntry: Gets list of SidCacheEntries
// listUnresolvedSidCacheEntry Gets List of unresolved
// SidCacheEntries
//-----------------------------------------------------------------------------
HRESULTCSidHandler::GetSidCacheListFromSidList(IN CList<PSID,PSID>& listSid, OUT CList<PSID_CACHE_ENTRY,PSID_CACHE_ENTRY>& listSidCacheEntry, OUT CList<PSID_CACHE_ENTRY,PSID_CACHE_ENTRY>& listUnresolvedSidCacheEntry){ POSITION pos = listSid.GetHeadPosition(); for( int i = 0; i < listSid.GetCount(); ++i) { PSID pSid = listSid.GetNext(pos);
PSID_CACHE_ENTRY pEntry = GetEntryFromCache(pSid); if(!pEntry) { return E_OUTOFMEMORY; } listSidCacheEntry.AddTail(pEntry); if(!pEntry->IsSidResolved()) listUnresolvedSidCacheEntry.AddTail(pEntry); } return S_OK;}
//+----------------------------------------------------------------------------
// Function: GetSidCacheListFromOPOutput
// Synopsis: Gets the sid from Object Pickers output and returns corresponding
// list of SidCacheEntries. Also returns sids of unresolved sids.
//
// Arguments:pDsSelList selection list from OP.
// listSidCacheEntry: Gets list of SidCacheEntries
// listUnresolvedSidCacheEntry Gets List of unresolved
// SidCacheEntries
//-----------------------------------------------------------------------------
HRESULTCSidHandler::GetSidCacheListFromOPOutput(IN PDS_SELECTION_LIST pDsSelList, OUT CList<PSID_CACHE_ENTRY,PSID_CACHE_ENTRY>& listSidCacheEntry, OUT CList<PSID_CACHE_ENTRY,PSID_CACHE_ENTRY>& listUnresolvedSidCacheEntry){ if(!pDsSelList) { ASSERT(pDsSelList); return E_POINTER; }
HRESULT hr = S_OK; int cNames = pDsSelList->cItems; for (int i = 0; i < cNames; i++) { PSID pSid = NULL; LPVARIANT pvarSid = pDsSelList->aDsSelection[i].pvarFetchedAttributes;
if (NULL == pvarSid || (VT_ARRAY | VT_UI1) != V_VT(pvarSid) || FAILED(SafeArrayAccessData(V_ARRAY(pvarSid), &pSid))) { continue; }
PSID_CACHE_ENTRY pEntry = GetEntryFromCache(pSid); if(!pEntry) { return E_OUTOFMEMORY; } listSidCacheEntry.AddTail(pEntry); if(!pEntry->IsSidResolved()) listUnresolvedSidCacheEntry.AddTail(pEntry); } return S_OK;}
|
