Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

2317 lines
62 KiB

  1. /*++
  2. Copyright (c) 1992 Microsoft Corporation
  3. Module Name:
  4. account.cxx
  5. Abstract:
  6. This module contains service account related routines:
  7. ScInitServiceAccount
  8. ScEndServiceAccount
  9. ScCanonAccountName
  10. ScValidateAndSaveAccount
  11. ScValidateAndChangeAccount
  12. ScRemoveAccount
  13. ScLookupAccount
  14. ScSetPassword
  15. ScDeletePassword
  16. ScOpenPolicy
  17. ScFormSecretName
  18. ScLookupServiceAccount
  19. ScLogonService
  20. ScLoadUserProfile
  21. ScUPNToAccountName
  22. Author:
  23. Rita Wong (ritaw) 19-Apr-1992
  24. Environment:
  25. Calls NT native APIs.
  26. Revision History:
  27. 24-Jan-1993 Danl
  28. Added call to WNetLogonNotify when logging on a service (ScLogonService).
  29. 29-Apr-1993 Danl
  30. ScGetAccountDomainInfo() is now only called at init time. Otherwise,
  31. we risked race conditions because it updates a global location.
  32. (ScLocalDomain).
  33. 17-Jan-1995 AnirudhS
  34. Added call to LsaOpenSecret when the secret already exists in
  35. ScCreatePassword.
  36. 29-Nov-1995 AnirudhS
  37. Added call to LoadUserProfile when logging on a service.
  38. 14-May-1996 AnirudhS
  39. Changed to simpler Lsa PrivateData APIs instead of Lsa Secret APIs
  40. for storing secrets and removed the use of OldPassword (as done in
  41. the _CAIRO_ version of this file on 05-Apr-1995).
  42. 22-Oct-1997 JSchwart (after AnirudhS in _CAIRO_ 10-Apr-1995)
  43. Split out ScLookupServiceAccount from ScLogonService.
  44. 04-Mar-1999 jschwart
  45. Added support for UPNs
  46. --*/
  47. #include "precomp.hxx"
  48. #include <stdlib.h> // srand, rand
  49. extern "C" {
  50. #include <ntlsa.h> // LsaOpenPolicy, LsaCreateSecret
  51. }
  52. #include <winerror.h>
  53. #include <userenv.h> // LoadUserProfile
  54. #include <userenvp.h> // PI_HIDEPROFILE flag
  55. #include <tstr.h> // WCSSIZE
  56. #include <ntdsapi.h> // DsCrackNames
  57. #include <sclib.h> // _wcsicmp
  58. #include <scseclib.h> // LocalSid
  59. #include <svcslib.h> // SetupInProgress()
  60. #include "scconfig.h" // ScWriteStartName
  61. #include "account.h" // Exported function prototypes
  62. //-------------------------------------------------------------------//
  63. // //
  64. // Constants and Macros //
  65. // //
  66. //-------------------------------------------------------------------//
  67. #define SC_SECRET_PREFIX L"_SC_"
  68. #define SC_SECRET_PREFIX_LENGTH (sizeof(SC_SECRET_PREFIX) / sizeof(WCHAR) - 1)
  69. #define SC_UPN_SYMBOL L'@'
  70. //-------------------------------------------------------------------//
  71. // //
  72. // Static global variables //
  73. // //
  74. //-------------------------------------------------------------------//
  75. //
  76. // Mutex to serialize access to secret objects
  77. //
  78. HANDLE ScSecretObjectsMutex = (HANDLE) NULL;
  79. UNICODE_STRING ScComputerName;
  80. UNICODE_STRING ScAccountDomain;
  81. //-------------------------------------------------------------------//
  82. // //
  83. // Local function prototypes //
  84. // //
  85. //-------------------------------------------------------------------//
  86. DWORD
  87. ScLookupAccount(
  88. IN LPWSTR AccountName,
  89. OUT LPWSTR *DomainName,
  90. OUT LPWSTR *UserName
  91. );
  92. DWORD
  93. ScSetPassword(
  94. IN LPWSTR ServiceName,
  95. IN LPWSTR Password
  96. );
  97. DWORD
  98. ScDeletePassword(
  99. IN LPWSTR ServiceName
  100. );
  101. DWORD
  102. ScOpenPolicy(
  103. IN ACCESS_MASK DesiredAccess,
  104. OUT LSA_HANDLE *PolicyHandle
  105. );
  106. DWORD
  107. ScFormSecretName(
  108. IN LPWSTR ServiceName,
  109. OUT LPWSTR *LsaSecretName
  110. );
  111. VOID
  112. ScLoadUserProfile(
  113. IN HANDLE LogonToken,
  114. IN LPWSTR DomainName,
  115. IN LPWSTR UserName,
  116. OUT PHANDLE pProfileHandle OPTIONAL
  117. );
  118. DWORD
  119. ScUPNToAccountName(
  120. IN LPWSTR lpUPN,
  121. OUT LPWSTR *ppAccountName
  122. );
  123. //-------------------------------------------------------------------//
  124. // //
  125. // Functions //
  126. // //
  127. //-------------------------------------------------------------------//
  128. BOOL
  129. ScGetComputerNameAndMutex(
  130. VOID
  131. )
  132. /*++
  133. Routine Description:
  134. This function allocates the memory for the ScComputerName global
  135. pointer and retrieves the current computer name into it. This
  136. functionality used to be in the ScInitAccount routine but has to
  137. be put into its own routine because the main initialization code
  138. needs to call this before ScInitDatabase() since the computername
  139. is needed for deleting service entries that have the persistent
  140. delete flag set.
  141. This function also creates ScSecretObjectsMutex because it is used
  142. to remove accounts early in the init process.
  143. If successful, the pointer to the computername must be freed when
  144. done. This is freed by the ScEndServiceAccount routine called
  145. by SvcctrlMain(). The handle to ScSecretObjectsMutex is closed
  146. by ScSecretObjectsMutex.
  147. Arguments:
  148. None
  149. Return Value:
  150. TRUE - The operation was completely successful.
  151. FALSE - An error occurred.
  152. --*/
  153. {
  154. DWORD ComputerNameSize = MAX_COMPUTERNAME_LENGTH + 1;
  155. ScComputerName.Buffer = NULL;
  156. //
  157. // Allocate the exact size needed to hold the computername
  158. //
  159. if ((ScComputerName.Buffer = (LPWSTR)LocalAlloc(
  160. LMEM_ZEROINIT,
  161. (UINT) ComputerNameSize * sizeof(WCHAR)
  162. )) == NULL) {
  163. SC_LOG1(ERROR, "ScInitServiceAccount: LocalAlloc failed %lu\n", GetLastError());
  164. return FALSE;
  165. }
  166. ScComputerName.MaximumLength = (USHORT) ComputerNameSize * sizeof(WCHAR);
  167. if (! GetComputerNameW(
  168. ScComputerName.Buffer,
  169. &ComputerNameSize
  170. )) {
  171. SC_LOG2(ERROR, "GetComputerNameW returned %lu, required size=%lu\n",
  172. GetLastError(), ComputerNameSize);
  173. LocalFree(ScComputerName.Buffer);
  174. ScComputerName.Buffer = NULL;
  175. return FALSE;
  176. }
  177. ScComputerName.Length = (USHORT) (wcslen(ScComputerName.Buffer) * sizeof(WCHAR));
  178. SC_LOG(ACCOUNT, "ScInitServiceAccount: ScComputerName is "
  179. FORMAT_LPWSTR "\n", ScComputerName.Buffer);
  180. //
  181. // Create a mutex to serialize accesses to all secret objects. A secret
  182. // object can be created, deleted, or set by installation programs, set
  183. // by the service controller during periodic password changes, and queried
  184. // or set by a start service operation.
  185. //
  186. ScSecretObjectsMutex = CreateMutex(NULL, FALSE, NULL);
  187. if (ScSecretObjectsMutex == NULL) {
  188. SC_LOG1(ERROR, "ScInitServiceAccount: CreateMutex failed "
  189. FORMAT_DWORD "\n", GetLastError());
  190. return FALSE;
  191. }
  192. return TRUE;
  193. }
  194. BOOL
  195. ScInitServiceAccount(
  196. VOID
  197. )
  198. /*++
  199. Routine Description:
  200. This function initializes accounts for services by
  201. 2) Register service controller as an LSA logon process and
  202. lookup the MS V 1.0 authentication package.
  203. Arguments:
  204. None
  205. Return Value:
  206. TRUE - The operation was completely successful.
  207. FALSE - An error occurred.
  208. --*/
  209. {
  210. DWORD status;
  211. //
  212. // Initialize the account domain buffer so that we know if it has
  213. // been filled in.
  214. //
  215. ScAccountDomain.Buffer = NULL;
  216. status = ScGetAccountDomainInfo();
  217. if (status != NO_ERROR)
  218. {
  219. SC_LOG1(ERROR, "ScInitServiceAccount: ScGetAccountDomainInfo failed "
  220. FORMAT_DWORD "\n", status);
  221. return FALSE;
  222. }
  223. return TRUE;
  224. }
  225. VOID
  226. ScEndServiceAccount(
  227. VOID
  228. )
  229. /*++
  230. Routine Description:
  231. This function frees the memory for the ScComputerName global pointer,
  232. and closes the ScSecretObjectsMutex.
  233. Arguments:
  234. None.
  235. Return Value:
  236. None.
  237. --*/
  238. {
  239. //
  240. // Free computer name buffer allocated by ScGetComputerName
  241. //
  242. LocalFree(ScComputerName.Buffer);
  243. ScComputerName.Buffer = NULL;
  244. if (ScSecretObjectsMutex != (HANDLE) NULL)
  245. {
  246. CloseHandle(ScSecretObjectsMutex);
  247. }
  248. LocalFree(ScAccountDomain.Buffer);
  249. }
  250. DWORD
  251. ScValidateAndSaveAccount(
  252. IN LPWSTR ServiceName,
  253. IN HKEY ServiceNameKey,
  254. IN LPWSTR CanonAccountName,
  255. IN LPWSTR Password OPTIONAL
  256. )
  257. /*++
  258. Routine Description:
  259. This function verifies that the account is valid, and then saves
  260. the account information away. The account name is saved in the
  261. registry under the service node in the ObjectName value. The
  262. password is saved in an LSA secret object created which can be
  263. looked up based on the name string formed with the service name.
  264. This function can only be called for the installation of a Win32
  265. service (CreateService).
  266. NOTE: The registry ServiceNameKey is NOT flushed by this function.
  267. Arguments:
  268. ServiceName - Supplies the name of the service to save away account
  269. info for. This makes up part of the secret object name to tuck
  270. away the password.
  271. ServiceNameKey - Supplies an opened registry key handle for the service.
  272. CanonAccountName - Supplies a canonicalized account name string in the
  273. format of DomainName\Username, LocalSystem, or UPN
  274. Password - Supplies the password of the account, if any. This is
  275. ignored if LocalSystem is specified for the account name.
  276. Return Value:
  277. NO_ERROR - The operation was successful.
  278. ERROR_INVALID_SERVICE_ACCOUNT - The account name is invalid.
  279. ERROR_NOT_ENOUGH_MEMORY - Failed to allocate work buffer.
  280. Registry error codes caused by failure to read old account name
  281. string.
  282. --*/
  283. {
  284. DWORD status;
  285. LPWSTR DomainName;
  286. LPWSTR UserName;
  287. LPWSTR lpNameToParse = CanonAccountName;
  288. //
  289. // Empty account name is invalid.
  290. //
  291. if ((CanonAccountName == NULL) || (*CanonAccountName == 0)) {
  292. return ERROR_INVALID_SERVICE_ACCOUNT;
  293. }
  294. if (_wcsicmp(CanonAccountName, SC_LOCAL_SYSTEM_USER_NAME) == 0) {
  295. //
  296. // CanonAccountName is LocalSystem. Write to the registry and
  297. // we are done.
  298. //
  299. return ScWriteStartName(
  300. ServiceNameKey,
  301. SC_LOCAL_SYSTEM_USER_NAME
  302. );
  303. }
  304. //
  305. // Account name is DomainName\UserName or a UPN
  306. //
  307. if (wcschr(CanonAccountName, SCDOMAIN_USERNAME_SEPARATOR) == NULL
  308. &&
  309. wcschr(CanonAccountName, SC_UPN_SYMBOL) != NULL)
  310. {
  311. //
  312. // It's a UPN -- we need to crack it
  313. //
  314. status = ScUPNToAccountName(CanonAccountName, &lpNameToParse);
  315. if (status != NO_ERROR) {
  316. return status;
  317. }
  318. }
  319. //
  320. // Look up the account to see if it exists.
  321. //
  322. if ((status = ScLookupAccount(
  323. lpNameToParse,
  324. &DomainName,
  325. &UserName
  326. )) != NO_ERROR) {
  327. if (lpNameToParse != CanonAccountName) {
  328. LocalFree(lpNameToParse);
  329. }
  330. return status;
  331. }
  332. //
  333. // Write the new account name to the registry.
  334. // Note -- for UPNs, write the UPN to the registry, not
  335. // the cracked UPN
  336. //
  337. if ((status = ScWriteStartName(
  338. ServiceNameKey,
  339. CanonAccountName
  340. )) != NO_ERROR) {
  341. if (lpNameToParse != CanonAccountName) {
  342. LocalFree(lpNameToParse);
  343. }
  344. LocalFree(DomainName);
  345. return status;
  346. }
  347. //
  348. // Create the password for the new account.
  349. //
  350. status = ScSetPassword(
  351. ServiceName,
  352. Password
  353. );
  354. if (lpNameToParse != CanonAccountName) {
  355. LocalFree(lpNameToParse);
  356. }
  357. LocalFree(DomainName);
  358. return status;
  359. //
  360. // Don't have to worry about removing the account name written to
  361. // the registry if ScSetPassword returned an error because the
  362. // entire service key will be deleted by the caller of this routine.
  363. //
  364. }
  365. DWORD
  366. ScValidateAndChangeAccount(
  367. IN LPSERVICE_RECORD ServiceRecord,
  368. IN HKEY ServiceNameKey,
  369. IN LPWSTR OldAccountName,
  370. IN LPWSTR CanonAccountName,
  371. IN LPWSTR Password OPTIONAL
  372. )
  373. /*++
  374. Routine Description:
  375. This function validates that the account is valid, and then replaces
  376. the old account information. The account name is saved in the
  377. registry under the service node in the ObjectName value. The
  378. password is saved in an LSA secret object created which can be
  379. looked up based on the name string formed with the service name.
  380. This function can only be called for the reconfiguration of a Win32
  381. service (ChangeServiceConfig).
  382. NOTE: The registry ServiceNameKey is NOT flushed by this function.
  383. Arguments:
  384. ServiceRecord - Supplies the record of the service to change account
  385. info. This makes up part of the secret object name to tuck
  386. away the password.
  387. ServiceNameKey - Supplies an opened registry key handle for the service.
  388. OldAccountName - Supplies the string to the old account name.
  389. CanonAccountName - Supplies a canonicalized account name string in the
  390. format of DomainName\Username, LocalSystem, or a UPN.
  391. Password - Supplies the password of the account, if any. This is
  392. ignored if LocalSystem is specified for the account name.
  393. Return Value:
  394. NO_ERROR - The operation was successful.
  395. ERROR_INVALID_SERVICE_ACCOUNT - The account name is invalid.
  396. ERROR_ALREADY_EXISTS - Attempt to create an LSA secret object that
  397. already exists.
  398. Registry error codes caused by failure to read old account name
  399. string.
  400. --*/
  401. {
  402. DWORD status;
  403. LPWSTR DomainName;
  404. LPWSTR UserName;
  405. BOOL fIsUPN = FALSE;
  406. LPWSTR lpNameToParse = CanonAccountName;
  407. if ((CanonAccountName == OldAccountName) ||
  408. (_wcsicmp(CanonAccountName, OldAccountName) == 0)) {
  409. //
  410. // Newly specified account name is identical to existing
  411. // account name.
  412. //
  413. if (Password == NULL) {
  414. //
  415. // Not changing account name or password.
  416. //
  417. return NO_ERROR;
  418. }
  419. if (_wcsicmp(CanonAccountName, SC_LOCAL_SYSTEM_USER_NAME) == 0) {
  420. //
  421. // Account name is LocalSystem and password is specified.
  422. // Just ignore.
  423. //
  424. return NO_ERROR;
  425. }
  426. else {
  427. //
  428. // Account name is DomainName\UserName or a UPN.
  429. // Set the specified password.
  430. //
  431. status = ScSetPassword(
  432. ServiceRecord->ServiceName,
  433. Password);
  434. return status;
  435. }
  436. }
  437. //
  438. // Newly specified account name is different from existing
  439. // account name.
  440. //
  441. if (_wcsicmp(CanonAccountName, SC_LOCAL_SYSTEM_USER_NAME) == 0) {
  442. //
  443. // Change from DomainName\UserName or UPN to LocalSystem
  444. //
  445. //
  446. // Write the new account name to the registry.
  447. //
  448. if ((status = ScWriteStartName(
  449. ServiceNameKey,
  450. SC_LOCAL_SYSTEM_USER_NAME
  451. )) != NO_ERROR) {
  452. return status;
  453. }
  454. //
  455. // Account name is LocalSystem and password is specified.
  456. // Ignore the password specified, and delete the password
  457. // for the old account.
  458. //
  459. status = ScDeletePassword(ServiceRecord->ServiceName);
  460. if (status != NO_ERROR) {
  461. //
  462. // Restore the old account name to the registry.
  463. //
  464. ScWriteStartName(ServiceNameKey,
  465. OldAccountName);
  466. }
  467. else {
  468. LPWSTR CurrentDependencies;
  469. //
  470. // Get rid of the implicit dependency on NetLogon since this
  471. // service no longer runs in an account. Since the dependency
  472. // on NetLogon is soft (i.e., not stored in the registry),
  473. // simply read in the dependencies and update the service record
  474. //
  475. status = ScReadDependencies(ServiceNameKey,
  476. &CurrentDependencies,
  477. ServiceRecord->ServiceName);
  478. if (status == NO_ERROR) {
  479. //
  480. // Dynamically update the dependencies
  481. //
  482. status = ScUpdateServiceRecordConfig(
  483. ServiceRecord,
  484. SERVICE_NO_CHANGE,
  485. SERVICE_NO_CHANGE,
  486. SERVICE_NO_CHANGE,
  487. NULL,
  488. (LPBYTE) CurrentDependencies);
  489. if (status != NO_ERROR) {
  490. SC_LOG1(ERROR,
  491. "ScValidateAndChangeAccount: ScUpdateServiceRecordConfig "
  492. "FAILED %d\n",
  493. status);
  494. }
  495. LocalFree(CurrentDependencies);
  496. }
  497. else {
  498. SC_LOG1(ERROR,
  499. "ScValidateAndChangeAccount: ScReadDependencies "
  500. "FAILED %d\n",
  501. status);
  502. }
  503. }
  504. return status;
  505. }
  506. if (Password == NULL)
  507. {
  508. //
  509. // Cannot specify new non-SYSTEM account name
  510. // without specifying the password also.
  511. //
  512. return ERROR_INVALID_SERVICE_ACCOUNT;
  513. }
  514. if (_wcsicmp(OldAccountName, SC_LOCAL_SYSTEM_USER_NAME) == 0)
  515. {
  516. //
  517. // Change from LocalSystem to DomainName\UserName or UPN.
  518. //
  519. if (wcschr(CanonAccountName, SCDOMAIN_USERNAME_SEPARATOR) == NULL
  520. &&
  521. wcschr(CanonAccountName, SC_UPN_SYMBOL) != NULL)
  522. {
  523. fIsUPN = TRUE;
  524. status = ScUPNToAccountName(CanonAccountName, &lpNameToParse);
  525. if (status != NO_ERROR)
  526. {
  527. return status;
  528. }
  529. }
  530. if ((status = ScLookupAccount(
  531. lpNameToParse,
  532. &DomainName,
  533. &UserName
  534. )) != NO_ERROR)
  535. {
  536. if (fIsUPN)
  537. {
  538. LocalFree(lpNameToParse);
  539. }
  540. return status;
  541. }
  542. //
  543. // Write the new account name to the registry.
  544. //
  545. if ((status = ScWriteStartName(
  546. ServiceNameKey,
  547. CanonAccountName
  548. )) != NO_ERROR)
  549. {
  550. if (fIsUPN)
  551. {
  552. LocalFree(lpNameToParse);
  553. }
  554. LocalFree(DomainName);
  555. return status;
  556. }
  557. //
  558. // Create the password for the new account.
  559. //
  560. status = ScSetPassword(ServiceRecord->ServiceName, Password);
  561. if (status != NO_ERROR)
  562. {
  563. //
  564. // Restore the old account name to the registry.
  565. //
  566. ScWriteStartName(ServiceNameKey, SC_LOCAL_SYSTEM_USER_NAME);
  567. }
  568. if (fIsUPN)
  569. {
  570. LocalFree(lpNameToParse);
  571. }
  572. LocalFree(DomainName);
  573. return status;
  574. }
  575. //
  576. // Must be changing an account of DomainName\UserName or UPN to
  577. // DomainName\UserName or UPN
  578. //
  579. if (wcschr(CanonAccountName, SCDOMAIN_USERNAME_SEPARATOR) == NULL
  580. &&
  581. wcschr(CanonAccountName, SC_UPN_SYMBOL) != NULL)
  582. {
  583. fIsUPN = TRUE;
  584. status = ScUPNToAccountName(CanonAccountName, &lpNameToParse);
  585. if (status != NO_ERROR)
  586. {
  587. return status;
  588. }
  589. }
  590. if ((status = ScLookupAccount(lpNameToParse, &DomainName, &UserName)) != NO_ERROR)
  591. {
  592. if (fIsUPN)
  593. {
  594. LocalFree(lpNameToParse);
  595. }
  596. return status;
  597. }
  598. //
  599. // Write the new account name to the registry.
  600. //
  601. if ((status = ScWriteStartName(ServiceNameKey, CanonAccountName)) != NO_ERROR)
  602. {
  603. if (fIsUPN)
  604. {
  605. LocalFree(lpNameToParse);
  606. }
  607. LocalFree(DomainName);
  608. return status;
  609. }
  610. //
  611. // Set the password for the new account.
  612. //
  613. status = ScSetPassword(ServiceRecord->ServiceName, Password);
  614. if (status != NO_ERROR)
  615. {
  616. //
  617. // Restore the old account name to the registry.
  618. //
  619. ScWriteStartName(ServiceNameKey, OldAccountName);
  620. }
  621. else if (*DomainName == L'.' && !fIsUPN)
  622. {
  623. LPWSTR CurrentDependencies;
  624. //
  625. // Get rid of the implicit dependency on NetLogon since this
  626. // service now runs in a local account (domain is ".\")
  627. //
  628. status = ScReadDependencies(ServiceNameKey,
  629. &CurrentDependencies,
  630. ServiceRecord->ServiceName);
  631. if (status == NO_ERROR)
  632. {
  633. //
  634. // Dynamically update the dependencies
  635. //
  636. status = ScUpdateServiceRecordConfig(
  637. ServiceRecord,
  638. SERVICE_NO_CHANGE,
  639. SERVICE_NO_CHANGE,
  640. SERVICE_NO_CHANGE,
  641. NULL,
  642. (LPBYTE) CurrentDependencies);
  643. if (status != NO_ERROR)
  644. {
  645. SC_LOG1(ERROR,
  646. "ScValidateAndChangeAccount: ScUpdateServiceRecordConfig "
  647. "FAILED %d\n",
  648. status);
  649. }
  650. LocalFree(CurrentDependencies);
  651. }
  652. else
  653. {
  654. SC_LOG1(ERROR,
  655. "ScValidateAndChangeAccount: ScReadDependencies "
  656. "FAILED %d\n",
  657. status);
  658. }
  659. }
  660. if (fIsUPN)
  661. {
  662. LocalFree(lpNameToParse);
  663. }
  664. LocalFree(DomainName);
  665. return status;
  666. }
  667. VOID
  668. ScRemoveAccount(
  669. IN LPWSTR ServiceName
  670. )
  671. {
  672. ScDeletePassword(ServiceName);
  673. }
  674. DWORD
  675. ScCanonAccountName(
  676. IN LPWSTR AccountName,
  677. OUT LPWSTR *CanonAccountName
  678. )
  679. /*++
  680. Routine Description:
  681. This function canonicalizes the account name and allocates the
  682. returned buffer for returning the canonicalized string.
  683. AccountName *CanonAccountName
  684. ----------- -----------------
  685. .\UserName .\UserName
  686. ComputerName\UserName .\UserName
  687. LocalSystem LocalSystem
  688. .\LocalSystem LocalSystem
  689. ComputerName\LocalSystem LocalSystem
  690. DomainName\UserName DomainName\UserName
  691. DomainName\LocalSystem Error!
  692. UPN (foo@bar) UPN (foo@bar)
  693. Caller must free the CanonAccountName pointer with LocalFree when done.
  694. Arguments:
  695. AccountName - Supplies a pointer to the account name.
  696. CanonAccountName - Receives a pointer to the buffer (allocated by this
  697. routine) which contains the canonicalized account name. Must
  698. free this pointer with LocalFree.
  699. Return Value:
  700. NO_ERROR - Successful canonicalization.
  701. ERROR_NOT_ENOUGH_MEMORY - Out of memory trying to allocate CanonAccountName
  702. buffer.
  703. ERROR_INVALID_SERVICE_ACCOUNT - Invalid account name.
  704. --*/
  705. {
  706. LPWSTR BufPtr = wcschr(AccountName, SCDOMAIN_USERNAME_SEPARATOR);
  707. //
  708. // Allocate buffer for receiving the canonicalized account name.
  709. //
  710. if ((*CanonAccountName = (LPWSTR)LocalAlloc(
  711. 0,
  712. WCSSIZE(AccountName) +
  713. ScComputerName.MaximumLength
  714. )) == NULL) {
  715. SC_LOG1(ERROR, "ScCanonAccountName: LocalAlloc failed %lu\n",
  716. GetLastError());
  717. return ERROR_NOT_ENOUGH_MEMORY;
  718. }
  719. if (BufPtr == NULL) {
  720. //
  721. // Backslash is not found.
  722. //
  723. if (_wcsicmp(AccountName, SC_LOCAL_SYSTEM_USER_NAME) == 0
  724. ||
  725. wcschr(AccountName, SC_UPN_SYMBOL) != NULL)
  726. {
  727. //
  728. // Account name is LocalSystem or a UPN
  729. //
  730. wcscpy(*CanonAccountName, AccountName);
  731. return NO_ERROR;
  732. }
  733. else {
  734. //
  735. // The AccountName is neither LocalSystem nor a UPN -- invalid.
  736. //
  737. SC_LOG1(ERROR,
  738. "Account name %ws is not LocalSystem and has no \\ or @\n",
  739. AccountName);
  740. LocalFree(*CanonAccountName);
  741. *CanonAccountName = NULL;
  742. return ERROR_INVALID_SERVICE_ACCOUNT;
  743. }
  744. }
  745. //
  746. // BufPtr points to the first occurrence of backslash in
  747. // AccountName.
  748. //
  749. //
  750. // If first portion of the AccountName matches ".\" or "ComputerName\"
  751. //
  752. if ((wcsncmp(AccountName, L".\\", 2) == 0) ||
  753. ((_wcsnicmp(AccountName, ScComputerName.Buffer,
  754. ScComputerName.Length / sizeof(WCHAR)) == 0) &&
  755. ((LPWSTR) ((DWORD_PTR) AccountName + ScComputerName.Length) == BufPtr))) {
  756. if (_wcsicmp(BufPtr + 1, SC_LOCAL_SYSTEM_USER_NAME) == 0) {
  757. //
  758. // .\LocalSystem -> LocalSystem OR
  759. // Computer\LocalSystem -> LocalSystem
  760. //
  761. wcscpy(*CanonAccountName, SC_LOCAL_SYSTEM_USER_NAME);
  762. return NO_ERROR;
  763. }
  764. //
  765. // .\XXX -> .\XXX
  766. // ComputerName\XXX -> .\XXX
  767. //
  768. wcscpy(*CanonAccountName, SC_LOCAL_DOMAIN_NAME);
  769. wcscat(*CanonAccountName, BufPtr);
  770. return NO_ERROR;
  771. }
  772. //
  773. // First portion of the AccountName specifies a domain name other than
  774. // the local one. This domain name will be validated later in
  775. // ScValidateAndSaveAccount.
  776. //
  777. if (_wcsicmp(BufPtr + 1, SC_LOCAL_SYSTEM_USER_NAME) == 0) {
  778. //
  779. // XXX\LocalSystem is invalid.
  780. //
  781. LocalFree(*CanonAccountName);
  782. *CanonAccountName = NULL;
  783. SC_LOG0(ERROR, "Account name is LocalSystem but is not local\n");
  784. return ERROR_INVALID_SERVICE_ACCOUNT;
  785. }
  786. wcscpy(*CanonAccountName, AccountName);
  787. return NO_ERROR;
  788. }
  789. BOOL
  790. GetDefaultDomainName(
  791. LPWSTR DomainName
  792. )
  793. {
  794. OBJECT_ATTRIBUTES ObjectAttributes;
  795. NTSTATUS NtStatus;
  796. LSA_HANDLE LsaPolicyHandle = NULL;
  797. PPOLICY_ACCOUNT_DOMAIN_INFO DomainInfo = NULL;
  798. //
  799. // Open a handle to the local machine's LSA policy object.
  800. //
  801. InitializeObjectAttributes( &ObjectAttributes, // object attributes
  802. NULL, // name
  803. 0L, // attributes
  804. NULL, // root directory
  805. NULL ); // security descriptor
  806. NtStatus = LsaOpenPolicy( NULL, // system name
  807. &ObjectAttributes, // object attributes
  808. POLICY_EXECUTE, // access mask
  809. &LsaPolicyHandle ); // policy handle
  810. if( !NT_SUCCESS( NtStatus ) )
  811. {
  812. return FALSE;
  813. }
  814. //
  815. // Query the domain information from the policy object.
  816. //
  817. NtStatus = LsaQueryInformationPolicy( LsaPolicyHandle,
  818. PolicyAccountDomainInformation,
  819. (PVOID *) &DomainInfo );
  820. if (!NT_SUCCESS(NtStatus))
  821. {
  822. LsaClose(LsaPolicyHandle);
  823. return(FALSE);
  824. }
  825. LsaClose(LsaPolicyHandle);
  826. //
  827. // Copy the domain name into our cache...
  828. //
  829. CopyMemory( DomainName,
  830. DomainInfo->DomainName.Buffer,
  831. DomainInfo->DomainName.Length );
  832. //
  833. // ...and null terminate it appropriately
  834. //
  835. DomainName[DomainInfo->DomainName.Length / sizeof(WCHAR)] = L'\0';
  836. //
  837. // Clean up
  838. //
  839. LsaFreeMemory(DomainInfo);
  840. return TRUE;
  841. }
  842. DWORD
  843. ScLookupAccount(
  844. IN LPWSTR AccountName,
  845. OUT LPWSTR *DomainName,
  846. OUT LPWSTR *UserName
  847. )
  848. /*++
  849. Routine Description:
  850. This function calls LsaLookupNames to see if the specified username
  851. exists in the specified domain name. If this function returns
  852. NO_ERROR, DomainName and UserName pointers will be set to the
  853. domain name and username strings in the buffer allocated by this
  854. function.
  855. The caller must free the returned buffer by calling LocalFree
  856. on the pointer returned in DomainName.
  857. Arguments:
  858. AccountName - Supplies the account name in the format of
  859. DomainName\UserName to look up.
  860. DomainName - Receives a pointer to the allocated buffer which
  861. contains the NULL-terminated domain name string, followed
  862. by the NULL-terminated user name string.
  863. UserName - Receives a pointer to the username in the returned
  864. buffer allocated by this routine.
  865. Return Value:
  866. NO_ERROR - UserName is found in the DomainName.
  867. ERROR_NOT_ENOUGH_MEMORY - Failed to allocate work buffer.
  868. ERROR_INVALID_SERVICE_ACCOUNT - any other error that is encountered
  869. in this function.
  870. --*/
  871. {
  872. DWORD status;
  873. NTSTATUS ntstatus;
  874. LSA_HANDLE PolicyHandle;
  875. UNICODE_STRING AccountNameString;
  876. PLSA_REFERENCED_DOMAIN_LIST ReferencedDomains;
  877. PLSA_TRANSLATED_SID Sids;
  878. LPWSTR BackSlashPtr;
  879. LPWSTR LocalAccount = NULL;
  880. WCHAR Domain[MAX_COMPUTERNAME_LENGTH+1];
  881. //
  882. // Allocate buffer for separating AccountName into DomainName and
  883. // UserName.
  884. //
  885. if ((*DomainName = (LPWSTR) LocalAlloc(
  886. 0,
  887. WCSSIZE(AccountName)
  888. )) == NULL) {
  889. SC_LOG1(ERROR, "ScLookupAccount: LocalAlloc failed %lu\n",
  890. GetLastError());
  891. return ERROR_NOT_ENOUGH_MEMORY;
  892. }
  893. //
  894. // Find the backslash character in the specified account name
  895. //
  896. wcscpy(*DomainName, AccountName);
  897. BackSlashPtr = wcschr(*DomainName, SCDOMAIN_USERNAME_SEPARATOR);
  898. if (BackSlashPtr == NULL) {
  899. SC_LOG0(ERROR, "ScLookupAccount: No backslash in account name!\n");
  900. ScLogEvent(NEVENT_BAD_ACCOUNT_NAME);
  901. SC_ASSERT(FALSE);
  902. status = ERROR_GEN_FAILURE;
  903. goto CleanExit;
  904. }
  905. *UserName = BackSlashPtr + 1; // Skip the backslash
  906. if (_wcsnicmp(*DomainName, SC_LOCAL_DOMAIN_NAME, SC_LOCAL_DOMAIN_NAME_LENGTH) == 0)
  907. {
  908. //
  909. // DomainName is "." (local domain), so convert "." to the
  910. // local domain name, which on WinNT systems is the computername,
  911. // and on Adv Server systems it's the account domain name.
  912. //
  913. //
  914. // This code does not use a global containing the local domain
  915. // because it contains invalid data during gui mode setup.
  916. // Calling the GetDefaultDomainName funtion guarantees that we
  917. // have the correct value in all cases.
  918. //
  919. if (!GetDefaultDomainName( Domain ))
  920. {
  921. SC_LOG0( ERROR, "ScLookupAccount: GetDefaultDomainName failed\n");
  922. status = ERROR_GEN_FAILURE;
  923. goto CleanExit;
  924. }
  925. if ((LocalAccount = (LPWSTR) LocalAlloc(
  926. LMEM_ZEROINIT,
  927. WCSSIZE(Domain) + WCSSIZE(*UserName)
  928. )) == NULL)
  929. {
  930. SC_LOG1(ERROR, "ScLookupAccount: LocalAlloc failed %lu\n", GetLastError());
  931. status = ERROR_NOT_ENOUGH_MEMORY;
  932. goto CleanExit;
  933. }
  934. wcscpy( LocalAccount, Domain );
  935. wcscat( LocalAccount, BackSlashPtr );
  936. RtlInitUnicodeString( &AccountNameString, LocalAccount );
  937. }
  938. else
  939. {
  940. //
  941. // Lookup the domain-qualified name.
  942. //
  943. RtlInitUnicodeString(&AccountNameString, *DomainName);
  944. }
  945. //
  946. // Open a handle to the local security policy.
  947. //
  948. if (ScOpenPolicy(
  949. POLICY_LOOKUP_NAMES |
  950. POLICY_VIEW_LOCAL_INFORMATION,
  951. &PolicyHandle
  952. ) != NO_ERROR)
  953. {
  954. SC_LOG0(ERROR, "ScLookupAccount: ScOpenPolicy failed\n");
  955. status = ERROR_INVALID_SERVICE_ACCOUNT;
  956. goto CleanExit;
  957. }
  958. ntstatus = LsaLookupNames(
  959. PolicyHandle,
  960. 1,
  961. &AccountNameString,
  962. &ReferencedDomains,
  963. &Sids
  964. );
  965. if (! NT_SUCCESS(ntstatus)) {
  966. SC_LOG1(ERROR,
  967. "ScLookupAccount: LsaLookupNames returned " FORMAT_NTSTATUS "\n",
  968. ntstatus);
  969. LsaClose(PolicyHandle);
  970. status = ERROR_INVALID_SERVICE_ACCOUNT;
  971. goto CleanExit;
  972. }
  973. //
  974. // Don't need PolicyHandle anymore
  975. //
  976. LsaClose(PolicyHandle);
  977. //
  978. // Free the returned SIDs since we don't look at them.
  979. //
  980. if (Sids != NULL)
  981. {
  982. LsaFreeMemory(Sids);
  983. }
  984. if (ReferencedDomains == NULL) {
  985. SC_LOG1(ERROR, "ScLookupAccount: Did not find " FORMAT_LPWSTR
  986. " in any domain\n", AccountNameString.Buffer);
  987. status = ERROR_INVALID_SERVICE_ACCOUNT;
  988. goto CleanExit;
  989. }
  990. else {
  991. LsaFreeMemory((PVOID) ReferencedDomains);
  992. }
  993. status = NO_ERROR;
  994. //
  995. // Convert DomainName\UserName into DomainName0UserName.
  996. //
  997. *BackSlashPtr = 0;
  998. CleanExit:
  999. LocalFree(LocalAccount);
  1000. if (status != NO_ERROR) {
  1001. LocalFree(*DomainName);
  1002. *DomainName = NULL;
  1003. }
  1004. return status;
  1005. }
  1006. DWORD
  1007. ScSetPassword(
  1008. IN LPWSTR ServiceName,
  1009. IN LPWSTR Password
  1010. )
  1011. /*++
  1012. Routine Description:
  1013. This function sets the secret object for the service with the specified
  1014. password. If the secret object doesn't already exist, it is created.
  1015. Arguments:
  1016. ServiceName - Supplies the service name which is part of the secret
  1017. object name to be created.
  1018. Password - Supplies the user specified password for an account.
  1019. Return Value:
  1020. NO_ERROR - Secret object for the password is created and set with new value.
  1021. ERROR_INVALID_SERVICE_ACCOUNT - for any error encountered in this
  1022. function. The true error is written to the event log.
  1023. --*/
  1024. {
  1025. DWORD status;
  1026. NTSTATUS ntstatus;
  1027. LSA_HANDLE PolicyHandle;
  1028. LPWSTR LsaSecretName;
  1029. UNICODE_STRING SecretNameString;
  1030. UNICODE_STRING NewPasswordString;
  1031. //
  1032. // Open a handle to the local security policy.
  1033. //
  1034. if (ScOpenPolicy(
  1035. POLICY_CREATE_SECRET,
  1036. &PolicyHandle
  1037. ) != NO_ERROR) {
  1038. SC_LOG0(ERROR, "ScSetPassword: ScOpenPolicy failed\n");
  1039. return ERROR_INVALID_SERVICE_ACCOUNT;
  1040. }
  1041. //
  1042. // Create the secret object. But first, let's form a secret
  1043. // name that is oh-so-difficult to guess.
  1044. //
  1045. if ((status = ScFormSecretName(
  1046. ServiceName,
  1047. &LsaSecretName
  1048. )) != NO_ERROR) {
  1049. LsaClose(PolicyHandle);
  1050. return status;
  1051. }
  1052. //
  1053. // Serialize secret object operations
  1054. //
  1055. // CODEWORK: This mutex may not be necessary if we're always holding
  1056. // a write lock when ScSetPassword/ScDeletePassword are called
  1057. //
  1058. if (WaitForSingleObject(ScSecretObjectsMutex, INFINITE) == MAXULONG) {
  1059. status = GetLastError();
  1060. SC_LOG1(ERROR, "ScSetPassword: WaitForSingleObject failed "
  1061. FORMAT_DWORD "\n", status);
  1062. LocalFree(LsaSecretName);
  1063. LsaClose(PolicyHandle);
  1064. return status;
  1065. }
  1066. RtlInitUnicodeString(&SecretNameString, LsaSecretName);
  1067. RtlInitUnicodeString(&NewPasswordString, Password);
  1068. ntstatus = LsaStorePrivateData(
  1069. PolicyHandle,
  1070. &SecretNameString,
  1071. &NewPasswordString
  1072. );
  1073. if (NT_SUCCESS(ntstatus)) {
  1074. SC_LOG1(ACCOUNT, "ScSetPassword " FORMAT_LPWSTR " success\n",
  1075. ServiceName);
  1076. status = NO_ERROR;
  1077. }
  1078. else {
  1079. SC_LOG2(ERROR,
  1080. "ScSetPassword: LsaStorePrivateData returned " FORMAT_NTSTATUS
  1081. " for " FORMAT_LPWSTR "\n", ntstatus, LsaSecretName);
  1082. //
  1083. // The ntstatus code was not mapped to a windows error because it wasn't
  1084. // clear if all the mappings made sense, and the feeling was that
  1085. // information would be lost during the mapping.
  1086. //
  1087. ScLogEvent(
  1088. NEVENT_CALL_TO_FUNCTION_FAILED,
  1089. SC_LSA_STOREPRIVATEDATA,
  1090. ntstatus);
  1091. status = ERROR_INVALID_SERVICE_ACCOUNT;
  1092. }
  1093. LocalFree(LsaSecretName);
  1094. LsaClose(PolicyHandle);
  1095. ReleaseMutex(ScSecretObjectsMutex);
  1096. return status;
  1097. }
  1098. DWORD
  1099. ScDeletePassword(
  1100. IN LPWSTR ServiceName
  1101. )
  1102. /*++
  1103. Routine Description:
  1104. This function deletes the LSA secret object whose name is derived
  1105. from the specified ServiceName.
  1106. Arguments:
  1107. ServiceName - Supplies the service name which is part of the secret
  1108. object name to be deleted.
  1109. Return Value:
  1110. NO_ERROR - Secret object for password is deleted.
  1111. ERROR_INVALID_SERVICE_ACCOUNT - for any error encountered in this
  1112. function. The true error is written to the event log.
  1113. --*/
  1114. {
  1115. DWORD status;
  1116. NTSTATUS ntstatus;
  1117. LSA_HANDLE PolicyHandle;
  1118. UNICODE_STRING SecretNameString;
  1119. LPWSTR LsaSecretName;
  1120. //
  1121. // Open a handle to the local security policy.
  1122. //
  1123. if (ScOpenPolicy(
  1124. POLICY_VIEW_LOCAL_INFORMATION,
  1125. &PolicyHandle
  1126. ) != NO_ERROR) {
  1127. SC_LOG0(ERROR, "ScDeletePassword: ScOpenPolicy failed\n");
  1128. return ERROR_INVALID_SERVICE_ACCOUNT;
  1129. }
  1130. //
  1131. // Get the secret object name from the specified service name.
  1132. //
  1133. if ((status = ScFormSecretName(
  1134. ServiceName,
  1135. &LsaSecretName
  1136. )) != NO_ERROR) {
  1137. (void) LsaClose(PolicyHandle);
  1138. return status;
  1139. }
  1140. //
  1141. // Serialize secret object operations
  1142. //
  1143. if (WaitForSingleObject(ScSecretObjectsMutex, INFINITE) == MAXULONG) {
  1144. status = GetLastError();
  1145. SC_LOG1(ERROR, "ScDeletePassword: WaitForSingleObject failed "
  1146. FORMAT_DWORD "\n", status);
  1147. LocalFree(LsaSecretName);
  1148. LsaClose(PolicyHandle);
  1149. return status;
  1150. }
  1151. RtlInitUnicodeString(&SecretNameString, LsaSecretName);
  1152. ntstatus = LsaStorePrivateData(
  1153. PolicyHandle,
  1154. &SecretNameString,
  1155. NULL
  1156. );
  1157. //
  1158. // Treat STATUS_OBJECT_NAME_NOT_FOUND as success since the
  1159. // password's already deleted (effectively) in that case.
  1160. //
  1161. if (NT_SUCCESS(ntstatus) || (ntstatus == STATUS_OBJECT_NAME_NOT_FOUND))
  1162. {
  1163. SC_LOG1(ACCOUNT, "ScDeletePassword " FORMAT_LPWSTR " success\n",
  1164. ServiceName);
  1165. status = NO_ERROR;
  1166. }
  1167. else
  1168. {
  1169. SC_LOG2(ERROR,
  1170. "ScDeletePassword: LsaStorePrivateData returned " FORMAT_NTSTATUS
  1171. " for " FORMAT_LPWSTR "\n", ntstatus, LsaSecretName);
  1172. //
  1173. // The ntstatus code was not mapped to a windows error because it wasn't
  1174. // clear if all the mappings made sense, and the feeling was that
  1175. // information would be lost during the mapping.
  1176. //
  1177. ScLogEvent(
  1178. NEVENT_CALL_TO_FUNCTION_FAILED,
  1179. SC_LSA_STOREPRIVATEDATA,
  1180. ntstatus);
  1181. status = ERROR_INVALID_SERVICE_ACCOUNT;
  1182. }
  1183. LocalFree(LsaSecretName);
  1184. LsaClose(PolicyHandle);
  1185. ReleaseMutex(ScSecretObjectsMutex);
  1186. return status;
  1187. }
  1188. DWORD
  1189. ScOpenPolicy(
  1190. IN ACCESS_MASK DesiredAccess,
  1191. OUT LSA_HANDLE *PolicyHandle
  1192. )
  1193. /*++
  1194. Routine Description:
  1195. This function gets a handle to the local security policy by calling
  1196. LsaOpenPolicy.
  1197. Arguments:
  1198. DesiredAccess - Supplies the desired access to the local security
  1199. policy.
  1200. PolicyHandle - Receives a handle to the opened policy.
  1201. Return Value:
  1202. NO_ERROR - Policy handle is returned.
  1203. ERROR_INVALID_SERVICE_ACCOUNT - for any error encountered in this
  1204. function.
  1205. --*/
  1206. {
  1207. NTSTATUS ntstatus;
  1208. OBJECT_ATTRIBUTES ObjAttributes;
  1209. //
  1210. // Open a handle to the local security policy. Initialize the
  1211. // objects attributes structure first.
  1212. //
  1213. InitializeObjectAttributes(
  1214. &ObjAttributes,
  1215. NULL,
  1216. 0L,
  1217. NULL,
  1218. NULL
  1219. );
  1220. ntstatus = LsaOpenPolicy(
  1221. NULL,
  1222. &ObjAttributes,
  1223. DesiredAccess,
  1224. PolicyHandle
  1225. );
  1226. if (! NT_SUCCESS(ntstatus)) {
  1227. SC_LOG1(ERROR,
  1228. "ScOpenPolicy: LsaOpenPolicy returned " FORMAT_NTSTATUS "\n",
  1229. ntstatus);
  1230. //
  1231. // The ntstatus code was not mapped to a windows error because it wasn't
  1232. // clear if all the mappings made sense, and the feeling was that
  1233. // information would be lost during the mapping.
  1234. //
  1235. ScLogEvent(
  1236. NEVENT_CALL_TO_FUNCTION_FAILED,
  1237. SC_LSA_OPENPOLICY,
  1238. ntstatus
  1239. );
  1240. return ERROR_INVALID_SERVICE_ACCOUNT;
  1241. }
  1242. return NO_ERROR;
  1243. }
  1244. DWORD
  1245. ScFormSecretName(
  1246. IN LPWSTR ServiceName,
  1247. OUT LPWSTR *LsaSecretName
  1248. )
  1249. /*++
  1250. Routine Description:
  1251. This function creates a secret name from the service name.
  1252. It also allocates the buffer to return the created secret name which
  1253. must be freed by the caller using LocalFree when done with it.
  1254. Arguments:
  1255. ServiceName - Supplies the service name which is part of the secret
  1256. object name we are creating.
  1257. LsaSecretName - Receives a pointer to the buffer which contains the
  1258. secret object name.
  1259. Return Value:
  1260. NO_ERROR - Successfully returned secret name.
  1261. ERROR_NOT_ENOUGH_MEMORY - Failed to allocate buffer to hold the secret
  1262. name.
  1263. --*/
  1264. {
  1265. if ((*LsaSecretName = (LPWSTR)LocalAlloc(
  1266. 0,
  1267. (SC_SECRET_PREFIX_LENGTH +
  1268. wcslen(ServiceName) +
  1269. 1) * sizeof(WCHAR)
  1270. )) == NULL) {
  1271. SC_LOG1(ERROR, "ScFormSecretName: LocalAlloc failed %lu\n",
  1272. GetLastError());
  1273. return ERROR_NOT_ENOUGH_MEMORY;
  1274. }
  1275. wcscpy(*LsaSecretName, SC_SECRET_PREFIX);
  1276. wcscat(*LsaSecretName, ServiceName);
  1277. return NO_ERROR;
  1278. }
  1279. DWORD
  1280. ScLookupServiceAccount(
  1281. IN LPWSTR ServiceName,
  1282. OUT LPWSTR *AccountName
  1283. )
  1284. /*++
  1285. Routine Description:
  1286. This function looks up the service account from the registry.
  1287. Arguments:
  1288. ServiceName - Supplies the service name to logon.
  1289. AccountName - Receives a pointer to a string containing the name of
  1290. the account that the service is configured to logon under. The
  1291. pointer returned is NULL if the service account is LocalSystem.
  1292. Otherwise the string is in the form .\UserName or
  1293. DomainName\UserName where DomainName != the local computername.
  1294. It must be freed with LocalAlloc when done.
  1295. Return Value:
  1296. NO_ERROR - Secret object for password is changed to new value.
  1297. ERROR_INVALID_SERVICE_ACCOUNT - The account name obtained from the
  1298. registry is invalid.
  1299. Other errors from registry APIs.
  1300. --*/
  1301. {
  1302. DWORD status;
  1303. HKEY ServiceNameKey;
  1304. LPWSTR DomainName = NULL;
  1305. LPWSTR UserName;
  1306. LPWSTR Separator;
  1307. LPWSTR lpNameToParse;
  1308. *AccountName = NULL;
  1309. //
  1310. // Open the service name key.
  1311. //
  1312. status = ScOpenServiceConfigKey(
  1313. ServiceName,
  1314. KEY_READ,
  1315. FALSE, // Create if missing
  1316. &ServiceNameKey
  1317. );
  1318. if (status != NO_ERROR) {
  1319. return status;
  1320. }
  1321. //
  1322. // Read the account name from the registry.
  1323. //
  1324. status = ScReadStartName(
  1325. ServiceNameKey,
  1326. &lpNameToParse
  1327. );
  1328. ScRegCloseKey(ServiceNameKey);
  1329. if (status != NO_ERROR) {
  1330. return status;
  1331. }
  1332. if (lpNameToParse == NULL) {
  1333. return ERROR_INVALID_SERVICE_ACCOUNT;
  1334. }
  1335. //
  1336. // Check if the account name is LocalSystem.
  1337. //
  1338. if (_wcsicmp(lpNameToParse, SC_LOCAL_SYSTEM_USER_NAME) == 0) {
  1339. LocalFree(lpNameToParse);
  1340. return NO_ERROR;
  1341. }
  1342. //
  1343. // If it isn't LocalSystem, it must be in the form
  1344. // Domain\User or .\User.
  1345. //
  1346. Separator = wcsrchr(lpNameToParse, SCDOMAIN_USERNAME_SEPARATOR);
  1347. if (Separator == NULL) {
  1348. if (wcsrchr(lpNameToParse, SC_UPN_SYMBOL) != NULL) {
  1349. //
  1350. // It's a UPN -- crack it
  1351. //
  1352. status = ScUPNToAccountName(lpNameToParse, &DomainName);
  1353. LocalFree(lpNameToParse);
  1354. if (status != NO_ERROR
  1355. ||
  1356. (Separator = wcschr(DomainName, SCDOMAIN_USERNAME_SEPARATOR)) == NULL)
  1357. {
  1358. SC_LOG1(ERROR,
  1359. "ScLookupServiceAccount: ScUPNToAccountName failed %d\n",
  1360. status);
  1361. if (status == NO_ERROR) {
  1362. SC_LOG1(ACCOUNT,
  1363. "Cracked account name was %ws\n",
  1364. DomainName);
  1365. }
  1366. LocalFree(DomainName);
  1367. return ERROR_INVALID_SERVICE_ACCOUNT;
  1368. }
  1369. }
  1370. else {
  1371. SC_LOG1(ERROR,
  1372. "ScLookupServiceAccount: No \\ or @ in account name %ws\n",
  1373. lpNameToParse);
  1374. LocalFree(lpNameToParse);
  1375. return ERROR_INVALID_SERVICE_ACCOUNT;
  1376. }
  1377. }
  1378. else {
  1379. DomainName = lpNameToParse;
  1380. }
  1381. *Separator = 0;
  1382. UserName = Separator + 1;
  1383. //
  1384. // Translate ComputerName into . (to facilitate subsequent comparison
  1385. // of account names)
  1386. //
  1387. if (_wcsicmp(DomainName, ScComputerName.Buffer) == 0)
  1388. {
  1389. WCHAR *Dest, *Src;
  1390. // Assumption: "." is no longer than any computer name
  1391. SC_ASSERT(wcslen(SC_LOCAL_DOMAIN_NAME) == 1 &&
  1392. wcslen(DomainName) >= 1);
  1393. wcscpy(DomainName, SC_LOCAL_DOMAIN_NAME);
  1394. Separator = DomainName + SC_LOCAL_DOMAIN_NAME_LENGTH;
  1395. // Shift username left
  1396. Src = UserName;
  1397. UserName = Separator + 1;
  1398. Dest = UserName;
  1399. while (*Dest++ = *Src++)
  1400. ;
  1401. }
  1402. //
  1403. // Check if the user name is LocalSystem
  1404. //
  1405. if (_wcsicmp(UserName, SC_LOCAL_SYSTEM_USER_NAME) == 0) {
  1406. //
  1407. // This is only acceptable if DomainName is "."
  1408. //
  1409. if (_wcsicmp(DomainName, SC_LOCAL_DOMAIN_NAME) == 0) {
  1410. status = NO_ERROR;
  1411. }
  1412. else {
  1413. status = ERROR_INVALID_SERVICE_ACCOUNT;
  1414. }
  1415. LocalFree(DomainName);
  1416. return status;
  1417. }
  1418. //
  1419. // Restore the "\"
  1420. //
  1421. *Separator = SCDOMAIN_USERNAME_SEPARATOR;
  1422. *AccountName = DomainName;
  1423. return NO_ERROR;
  1424. }
  1425. DWORD
  1426. ScLogonService(
  1427. IN LPWSTR ServiceName,
  1428. IN LPWSTR AccountName,
  1429. OUT LPHANDLE ServiceToken,
  1430. OUT LPHANDLE pProfileHandle OPTIONAL,
  1431. OUT PSID *ServiceSid
  1432. )
  1433. /*++
  1434. Routine Description:
  1435. This function looks up the service account from the registry and
  1436. the password from the secret object to logon the service. If
  1437. successful, the handle to the logon token is returned.
  1438. Arguments:
  1439. ServiceName - Supplies the service name to logon.
  1440. AccountName - Supplies the account name to logon the service under.
  1441. (Supplied as an optimization since ScLookupServiceAccount will
  1442. have been called before calling this routine.) It must be of
  1443. the form .\UserName or DomainName\UserName, where DomainName !=
  1444. the local computer name and UserName != LocalSystem.
  1445. ServiceToken - Receives a handle to the logon token for the
  1446. service. The handle returned is NULL if the service account
  1447. is LocalSystem (i.e. spawn as child process of the service
  1448. controller).
  1449. ServiceSid - Receives a pointer to the logon SID of the service.
  1450. This must be freed with LocalAlloc when done.
  1451. Return Value:
  1452. NO_ERROR - Secret object for password is changed to new value.
  1453. ERROR_SERVICE_LOGON_FAILED - for any error encountered in this
  1454. function.
  1455. --*/
  1456. {
  1457. DWORD status;
  1458. LPWSTR Separator;
  1459. LPWSTR LsaSecretName = NULL;
  1460. *ServiceToken = NULL;
  1461. *ServiceSid = NULL;
  1462. status = ScFormSecretName(ServiceName, &LsaSecretName);
  1463. if (status != NO_ERROR)
  1464. {
  1465. SC_LOG(ERROR, "ScLogonService: ScFormSecretname failed %lu\n", status);
  1466. return ERROR_SERVICE_LOGON_FAILED;
  1467. }
  1468. Separator = wcsrchr(AccountName, SCDOMAIN_USERNAME_SEPARATOR);
  1469. if (Separator == NULL)
  1470. {
  1471. SC_ASSERT(Separator != NULL);
  1472. LocalFree(LsaSecretName);
  1473. return ERROR_INVALID_SERVICE_ACCOUNT;
  1474. }
  1475. *Separator = 0;
  1476. //
  1477. // Get the service token
  1478. //
  1479. if (!LogonUserEx(Separator + 1, // Username
  1480. AccountName, // Domain
  1481. LsaSecretName, // Password
  1482. LOGON32_LOGON_SERVICE, // Logon type
  1483. LOGON32_PROVIDER_DEFAULT, // Default logon provider
  1484. ServiceToken, // Pointer to token handle
  1485. ServiceSid, // Logon Sid
  1486. NULL, // Profile buffer
  1487. NULL, // Length of profile buffer
  1488. NULL)) // Quota limits
  1489. {
  1490. status = GetLastError();
  1491. *Separator = SCDOMAIN_USERNAME_SEPARATOR;
  1492. SC_LOG2(ERROR,
  1493. "ScLogonService: LogonUser for %ws service failed %d\n",
  1494. ServiceName,
  1495. status);
  1496. ScLogEvent(NEVENT_FIRST_LOGON_FAILED_II,
  1497. ServiceName,
  1498. AccountName,
  1499. status);
  1500. goto Cleanup;
  1501. }
  1502. if (ARGUMENT_PRESENT(pProfileHandle))
  1503. {
  1504. //
  1505. // Load the user profile for the service
  1506. // (Errors are written to the event log, but otherwise ignored)
  1507. //
  1508. ScLoadUserProfile(*ServiceToken,
  1509. AccountName, // Domain
  1510. Separator + 1, // Username
  1511. pProfileHandle);
  1512. }
  1513. LocalFree(LsaSecretName);
  1514. *Separator = SCDOMAIN_USERNAME_SEPARATOR;
  1515. return NO_ERROR;
  1516. Cleanup:
  1517. LocalFree(LsaSecretName);
  1518. *Separator = SCDOMAIN_USERNAME_SEPARATOR;
  1519. LocalFree(*ServiceSid);
  1520. *ServiceSid = NULL;
  1521. if (*ServiceToken != NULL)
  1522. {
  1523. CloseHandle(*ServiceToken);
  1524. *ServiceToken = NULL;
  1525. }
  1526. return ERROR_SERVICE_LOGON_FAILED;
  1527. }
  1528. DWORD
  1529. ScGetAccountDomainInfo(
  1530. VOID
  1531. )
  1532. {
  1533. NTSTATUS ntstatus;
  1534. LSA_HANDLE PolicyHandle;
  1535. PPOLICY_ACCOUNT_DOMAIN_INFO AccountDomainInfo;
  1536. //
  1537. // Account domain info is cached. Look it up it this is the first
  1538. // time.
  1539. //
  1540. if (ScAccountDomain.Buffer == NULL) {
  1541. //
  1542. // Open a handle to the local security policy.
  1543. //
  1544. if (ScOpenPolicy(
  1545. POLICY_VIEW_LOCAL_INFORMATION,
  1546. &PolicyHandle
  1547. ) != NO_ERROR) {
  1548. SC_LOG0(ERROR, "ScGetAccountDomainInfo: ScOpenPolicy failed\n");
  1549. return ERROR_INVALID_SERVICE_ACCOUNT;
  1550. }
  1551. //
  1552. // Get the name of the account domain from LSA if we have
  1553. // not done it already.
  1554. //
  1555. ntstatus = LsaQueryInformationPolicy(
  1556. PolicyHandle,
  1557. PolicyAccountDomainInformation,
  1558. (PVOID *) &AccountDomainInfo
  1559. );
  1560. if (! NT_SUCCESS(ntstatus)) {
  1561. SC_LOG1(ERROR, "ScGetAccountDomainInfo: LsaQueryInformationPolicy failed "
  1562. FORMAT_NTSTATUS "\n", ntstatus);
  1563. LsaClose(PolicyHandle);
  1564. return ERROR_INVALID_SERVICE_ACCOUNT;
  1565. }
  1566. LsaClose(PolicyHandle);
  1567. if ((ScAccountDomain.Buffer = (LPWSTR)LocalAlloc(
  1568. LMEM_ZEROINIT,
  1569. (UINT) (AccountDomainInfo->DomainName.Length +
  1570. sizeof(WCHAR))
  1571. )) == NULL) {
  1572. LsaFreeMemory(AccountDomainInfo);
  1573. return ERROR_NOT_ENOUGH_MEMORY;
  1574. }
  1575. ScAccountDomain.MaximumLength = (USHORT) (AccountDomainInfo->DomainName.Length +
  1576. sizeof(WCHAR));
  1577. RtlCopyUnicodeString(&ScAccountDomain, &AccountDomainInfo->DomainName);
  1578. SC_LOG1(ACCOUNT, "ScGetAccountDomainInfo got " FORMAT_LPWSTR "\n",
  1579. ScAccountDomain.Buffer);
  1580. LsaFreeMemory(AccountDomainInfo);
  1581. }
  1582. return NO_ERROR;
  1583. }
  1584. VOID
  1585. ScLoadUserProfile(
  1586. IN HANDLE LogonToken,
  1587. IN LPWSTR DomainName,
  1588. IN LPWSTR UserName,
  1589. OUT PHANDLE pProfileHandle
  1590. )
  1591. /*++
  1592. Routine Description:
  1593. This function loads the user profile for the account that a service
  1594. process will run under, so that the process has an HKEY_CURRENT_USER.
  1595. Arguments:
  1596. LogonToken - The token handle returned by LogonUser.
  1597. UserName - The account's user name. (Used by LoadUserProfile to
  1598. generate a profile directory name.)
  1599. pProfileHandle - A handle to the profile is returned here. It must
  1600. be closed by calling UnloadUserProfile after the service process
  1601. exits.
  1602. Return Value:
  1603. None. Errors from LoadUserProfile are written to the event log.
  1604. --*/
  1605. {
  1606. PROFILEINFO ProfileInfo =
  1607. {
  1608. sizeof(ProfileInfo), // dwSize
  1609. PI_NOUI, // dwFlags - no UI
  1610. UserName, // lpUserName (used for dir name)
  1611. NULL, // lpProfilePath
  1612. NULL, // lpDefaultPath
  1613. NULL, // lpServerName (used to get group info - N/A)
  1614. NULL, // lpPolicyPath
  1615. NULL // hProfile (filled in by LoadUserProfile)
  1616. };
  1617. SC_ASSERT(pProfileHandle != NULL);
  1618. if (_wcsicmp(DomainName, SC_LOCAL_NTAUTH_NAME) == 0)
  1619. {
  1620. //
  1621. // Hide LocalService/NetworkService profiles from the Admin
  1622. // (i.e., they won't show up via "dir", etc).
  1623. //
  1624. ProfileInfo.dwFlags |= PI_HIDEPROFILE;
  1625. }
  1626. //
  1627. // NOTE: This ignores a service with a roaming profile. May need
  1628. // to use the profile path from the LogonUserEx call.
  1629. //
  1630. if (LoadUserProfile(LogonToken, &ProfileInfo))
  1631. {
  1632. SC_ASSERT(ProfileInfo.hProfile != NULL);
  1633. *pProfileHandle = ProfileInfo.hProfile;
  1634. }
  1635. else if (!SetupInProgress(NULL, NULL))
  1636. {
  1637. //
  1638. // Don't log during GUI-mode setup in case a
  1639. // non-SYSTEM service is started then.
  1640. //
  1641. DWORD Error = GetLastError();
  1642. SC_LOG(ERROR, "LoadUserProfile failed %lu\n", Error);
  1643. ScLogEvent(
  1644. NEVENT_CALL_TO_FUNCTION_FAILED,
  1645. SC_LOAD_USER_PROFILE,
  1646. Error);
  1647. *pProfileHandle = NULL;
  1648. }
  1649. }
  1650. DWORD
  1651. ScUPNToAccountName(
  1652. IN LPWSTR lpUPN,
  1653. OUT LPWSTR *ppAccountName
  1654. )
  1655. /*++
  1656. Routine Description:
  1657. This function attempts to convert a UPN into Domain\User
  1658. Arguments:
  1659. lpUPN - The UPN
  1660. ppAccountName - Pointer to the location to create/copy the account name
  1661. Return Value:
  1662. NO_ERROR -- Success (ppAccountName contains the converted UPN)
  1663. Any other Win32 error -- error at some stage of conversion
  1664. --*/
  1665. {
  1666. DWORD dwError;
  1667. HANDLE hDS;
  1668. PDS_NAME_RESULT pdsResult;
  1669. SC_ASSERT(ppAccountName != NULL);
  1670. SC_LOG1(ACCOUNT, "ScUPNToAccountName: Converting %ws\n", lpUPN);
  1671. //
  1672. // Get a binding handle to the DS
  1673. //
  1674. dwError = DsBind(NULL, NULL, &hDS);
  1675. if (dwError != NO_ERROR)
  1676. {
  1677. SC_LOG1(ERROR, "ScUPNToAccountName: DsBind failed %d\n", dwError);
  1678. return dwError;
  1679. }
  1680. dwError = DsCrackNames(hDS, // Handle to the DS
  1681. DS_NAME_NO_FLAGS, // No parsing flags
  1682. DS_USER_PRINCIPAL_NAME, // We have a UPN
  1683. DS_NT4_ACCOUNT_NAME, // We want Domain\User
  1684. 1, // Number of names to crack
  1685. &lpUPN, // Array of name(s)
  1686. &pdsResult); // Filled in by API
  1687. if (dwError != NO_ERROR)
  1688. {
  1689. SC_LOG1(ERROR,
  1690. "ScUPNToAccountName: DsCrackNames failed %d\n",
  1691. dwError);
  1692. DsUnBind(&hDS);
  1693. return dwError;
  1694. }
  1695. SC_ASSERT(pdsResult->cItems == 1);
  1696. SC_ASSERT(pdsResult->rItems != NULL);
  1697. if (pdsResult->rItems[0].status == DS_NAME_ERROR_DOMAIN_ONLY)
  1698. {
  1699. //
  1700. // Couldn't crack the name but we got the name of
  1701. // the domain where it is -- let's try it
  1702. //
  1703. DsUnBind(&hDS);
  1704. SC_ASSERT(pdsResult->rItems[0].pDomain != NULL);
  1705. SC_LOG1(ACCOUNT,
  1706. "Retrying DsBind on domain %ws\n",
  1707. pdsResult->rItems[0].pDomain);
  1708. dwError = DsBind(NULL, pdsResult->rItems[0].pDomain, &hDS);
  1709. //
  1710. // Free up the structure holding the old info
  1711. //
  1712. DsFreeNameResult(pdsResult);
  1713. if (dwError != NO_ERROR)
  1714. {
  1715. SC_LOG1(ERROR,
  1716. "ScUPNToAccountName: DsBind #2 failed %d\n",
  1717. dwError);
  1718. return dwError;
  1719. }
  1720. dwError = DsCrackNames(hDS, // Handle to the DS
  1721. DS_NAME_NO_FLAGS, // No parsing flags
  1722. DS_USER_PRINCIPAL_NAME, // We have a UPN
  1723. DS_NT4_ACCOUNT_NAME, // We want Domain\User
  1724. 1, // Number of names to crack
  1725. &lpUPN, // Array of name(s)
  1726. &pdsResult); // Filled in by API
  1727. if (dwError != NO_ERROR)
  1728. {
  1729. SC_LOG1(ERROR,
  1730. "ScUPNToAccountName: DsCrackNames #2 failed %d\n",
  1731. dwError);
  1732. DsUnBind(&hDS);
  1733. return dwError;
  1734. }
  1735. SC_ASSERT(pdsResult->cItems == 1);
  1736. SC_ASSERT(pdsResult->rItems != NULL);
  1737. }
  1738. if (pdsResult->rItems[0].status != DS_NAME_NO_ERROR)
  1739. {
  1740. SC_LOG1(ERROR,
  1741. "ScUPNToAccountName: DsCrackNames failure (status %#x)\n",
  1742. pdsResult->rItems[0].status);
  1743. //
  1744. // DS errors don't map to Win32 errors -- this is the best we can do
  1745. //
  1746. dwError = ERROR_INVALID_SERVICE_ACCOUNT;
  1747. }
  1748. else
  1749. {
  1750. *ppAccountName = (LPWSTR)LocalAlloc(
  1751. LPTR,
  1752. (wcslen(pdsResult->rItems[0].pName) + 1) * sizeof(WCHAR));
  1753. if (*ppAccountName != NULL)
  1754. {
  1755. wcscpy(*ppAccountName, pdsResult->rItems[0].pName);
  1756. }
  1757. else
  1758. {
  1759. dwError = GetLastError();
  1760. SC_LOG1(ERROR, "ScUPNToAccountName: LocalAlloc failed %d\n", dwError);
  1761. }
  1762. }
  1763. DsUnBind(&hDS);
  1764. DsFreeNameResult(pdsResult);
  1765. return dwError;
  1766. }