archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/ds/netapi/netlib/accessp.c

778 lines
17 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1991 Microsoft Corporation
  5. Module Name:
  7. accessp.c
  9. Abstract:
  11. Internal routines shared by NetUser API and Netlogon service. These
  12. routines convert from SAM specific data formats to UAS specific data
  13. formats.
  15. Author:
  17. Cliff Van Dyke (cliffv) 29-Aug-1991
  19. Environment:
  21. User mode only.
  22. Contains NT-specific code.
  23. Requires ANSI C extensions: slash-slash comments, long external names.
  25. Revision History:
  27. 22-Oct-1991 JohnRo
  28. Made changes suggested by PC-LINT.
  29. 04-Dec-1991 JohnRo
  30. Trying to get around a weird MIPS compiler bug.
  31. --*/
  33. #include <nt.h>
  34. #include <ntrtl.h>
  35. #include <nturtl.h>
  36. #undef DOMAIN_ALL_ACCESS // defined in both ntsam.h and ntwinapi.h
  37. #include <ntsam.h>
  39. #include <windef.h>
  40. #include <lmcons.h>
  42. #include <accessp.h>
  43. #include <debuglib.h>
  44. #include <lmaccess.h>
  45. #include <netdebug.h>
  46. #include <netsetp.h>
  49. #if(_WIN32_WINNT >= 0x0500)
  51. NET_API_STATUS
  52. NET_API_FUNCTION
  53. NetpSetDnsComputerNameAsRequired(
  54. IN PWSTR DnsDomainName
  55. )
  56. /*++
  58. Routine Description:
  60. Determines if the machine is set to update the machine Dns computer name based on changes
  61. to the Dns domain name. If so, the new value is set. Otherwise, no action is taken.
  63. Arguments:
  65. DnsDomainName - New Dns domain name of this machine
  67. Return Value:
  69. NERR_Success -- Success
  71. --*/
  72. {
  73. NET_API_STATUS NetStatus = NERR_Success;
  74. HKEY SyncKey;
  75. DWORD ValueType, Value, Length;
  76. BOOLEAN SetName = FALSE;
  77. PWCHAR AbsoluteSignifier = NULL;
  79. if ( DnsDomainName == NULL ) {
  80. return ERROR_INVALID_PARAMETER;
  81. }
  83. //
  84. // See if we should be doing the name change
  85. //
  86. NetStatus = RegOpenKeyEx( HKEY_LOCAL_MACHINE,
  87. L"System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
  88. 0,
  89. KEY_QUERY_VALUE,
  90. &SyncKey );
  92. if ( NetStatus == NERR_Success ) {
  94. Length = sizeof( ULONG );
  95. NetStatus = RegQueryValueEx( SyncKey,
  96. L"SyncDomainWithMembership",
  97. NULL,
  98. &ValueType,
  99. ( LPBYTE )&Value,
  100. &Length );
  101. if ( NetStatus == NERR_Success) {
  103. if ( Value == 1 ) {
  105. SetName = TRUE;
  106. }
  108. } else if ( NetStatus == ERROR_FILE_NOT_FOUND ) {
  110. NetStatus = NERR_Success;
  111. SetName = TRUE;
  112. }
  114. RegCloseKey( SyncKey );
  116. }
  118. if ( NetStatus == NERR_Success && SetName == TRUE ) {
  120. //
  121. // If we've got an absolute Dns domain name, shorten it up...
  122. //
  123. if ( wcslen(DnsDomainName) > 0 ) {
  124. AbsoluteSignifier = &DnsDomainName[ wcslen( DnsDomainName ) - 1 ];
  125. if ( *AbsoluteSignifier == L'.' ) {
  127. *AbsoluteSignifier = UNICODE_NULL;
  129. } else {
  131. AbsoluteSignifier = NULL;
  132. }
  133. }
  135. if ( !SetComputerNameEx( ComputerNamePhysicalDnsDomain, DnsDomainName ) ) {
  136. NetStatus = GetLastError();
  137. }
  139. if ( AbsoluteSignifier ) {
  141. *AbsoluteSignifier = L'.';
  142. }
  144. }
  146. return( NetStatus );
  147. }
  149. #endif
  152. VOID
  153. NetpGetAllowedAce(
  154. IN PACL Dacl,
  155. IN PSID Sid,
  156. OUT PVOID *Ace
  157. )
  158. /*++
  160. Routine Description:
  162. Given a DACL, find an AccessAllowed ACE containing a particuar SID.
  164. Arguments:
  166. Dacl - A pointer to the ACL to search.
  168. Sid - A pointer to the Sid to search for.
  170. Ace - Returns a pointer to the specified ACE. Returns NULL if there
  171. is no such ACE
  173. Return Value:
  175. None.
  177. --*/
  178. {
  179. NTSTATUS Status;
  181. ACL_SIZE_INFORMATION AclSize;
  182. DWORD AceIndex;
  184. //
  185. // Determine the size of the DACL so we can copy it
  186. //
  188. Status = RtlQueryInformationAcl(
  189. Dacl,
  190. &AclSize,
  191. sizeof(AclSize),
  192. AclSizeInformation );
  194. if ( ! NT_SUCCESS( Status ) ) {
  195. IF_DEBUG( ACCESSP ) {
  196. NetpKdPrint((
  197. "NetpGetDacl: RtlQueryInformationAcl returns %lX\n",
  198. Status ));
  199. }
  200. *Ace = NULL;
  201. return;
  202. }
  205. //
  206. // Loop through the ACEs looking for an ACCESS_ALLOWED ACE with the
  207. // right SID.
  208. //
  210. for ( AceIndex=0; AceIndex<AclSize.AceCount; AceIndex++ ) {
  212. Status = RtlGetAce( Dacl, AceIndex, (PVOID *)Ace );
  214. if ( ! NT_SUCCESS( Status ) ) {
  215. *Ace = NULL;
  216. return;
  217. }
  219. if ( ((PACE_HEADER)*Ace)->AceType != ACCESS_ALLOWED_ACE_TYPE ) {
  220. continue;
  221. }
  223. if ( RtlEqualSid( Sid,
  224. (PSID)&((PACCESS_ALLOWED_ACE)(*Ace))->SidStart )
  225. ){
  226. return;
  227. }
  228. }
  230. //
  231. // Couldn't find any such ACE.
  232. //
  234. *Ace = NULL;
  235. return;
  237. }
  241. DWORD
  242. NetpAccountControlToFlags(
  243. IN DWORD UserAccountControl,
  244. IN PACL UserDacl
  245. )
  246. /*++
  248. Routine Description:
  250. Convert a SAM UserAccountControl field and the Discretionary ACL for
  251. the user into the NetUser API usriX_flags field.
  253. Arguments:
  255. UserAccountControl - The SAM UserAccountControl field for the user.
  257. UserDacl - The Discretionary ACL for the user.
  259. Return Value:
  261. Returns the usriX_flags field for the user.
  263. --*/
  264. {
  265. SID_IDENTIFIER_AUTHORITY WorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY;
  266. DWORD WorldSid[sizeof(SID)/sizeof(DWORD) + SID_MAX_SUB_AUTHORITIES ];
  267. PACCESS_ALLOWED_ACE Ace;
  268. DWORD Flags = UF_SCRIPT;
  270. //
  271. // Build a copy of the world SID for later comparison.
  272. //
  274. RtlInitializeSid( (PSID) WorldSid, &WorldSidAuthority, 1 );
  275. *(RtlSubAuthoritySid( (PSID)WorldSid, 0 )) = SECURITY_WORLD_RID;
  277. //
  278. // Determine if the UF_PASSWD_CANT_CHANGE bit should be returned
  279. //
  280. // Return UF_PASSWD_CANT_CHANGE unless the world can change the
  281. // password.
  282. //
  284. //
  285. // If the user has no DACL, the password can change
  286. //
  288. if ( UserDacl != NULL ) {
  290. //
  291. // Find the WORLD grant ACE
  292. //
  294. NetpGetAllowedAce( UserDacl, (PSID) WorldSid, (PVOID *)&Ace );
  296. if ( Ace == NULL ) {
  297. Flags |= UF_PASSWD_CANT_CHANGE;
  298. } else {
  299. if ( (Ace->Mask & USER_CHANGE_PASSWORD) == 0 ) {
  300. Flags |= UF_PASSWD_CANT_CHANGE;
  301. }
  302. }
  304. }
  306. //
  307. // Set all other bits as a function of the SAM UserAccountControl
  308. //
  310. if ( UserAccountControl & USER_ACCOUNT_DISABLED ) {
  311. Flags |= UF_ACCOUNTDISABLE;
  312. }
  313. if ( UserAccountControl & USER_HOME_DIRECTORY_REQUIRED ){
  314. Flags |= UF_HOMEDIR_REQUIRED;
  315. }
  316. if ( UserAccountControl & USER_PASSWORD_NOT_REQUIRED ){
  317. Flags |= UF_PASSWD_NOTREQD;
  318. }
  319. if ( UserAccountControl & USER_DONT_EXPIRE_PASSWORD ){
  320. Flags |= UF_DONT_EXPIRE_PASSWD;
  321. }
  322. if ( UserAccountControl & USER_ACCOUNT_AUTO_LOCKED ){
  323. Flags |= UF_LOCKOUT;
  324. }
  325. if ( UserAccountControl & USER_MNS_LOGON_ACCOUNT ){
  326. Flags |= UF_MNS_LOGON_ACCOUNT;
  327. }
  329. if ( UserAccountControl & USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED ){
  330. Flags |= UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED;
  331. }
  333. if ( UserAccountControl & USER_SMARTCARD_REQUIRED ){
  334. Flags |= UF_SMARTCARD_REQUIRED;
  335. }
  336. if ( UserAccountControl & USER_TRUSTED_FOR_DELEGATION ){
  337. Flags |= UF_TRUSTED_FOR_DELEGATION;
  338. }
  340. if ( UserAccountControl & USER_NOT_DELEGATED ){
  341. Flags |= UF_NOT_DELEGATED;
  342. }
  344. if ( UserAccountControl & USER_USE_DES_KEY_ONLY ){
  345. Flags |= UF_USE_DES_KEY_ONLY;
  346. }
  347. if ( UserAccountControl & USER_DONT_REQUIRE_PREAUTH) {
  348. Flags |= UF_DONT_REQUIRE_PREAUTH;
  349. }
  350. if ( UserAccountControl & USER_PASSWORD_EXPIRED) {
  351. Flags |= UF_PASSWORD_EXPIRED;
  352. }
  353. if ( UserAccountControl & USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION) {
  354. Flags |= UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION;
  355. }
  359. //
  360. // set account type bit.
  361. //
  363. //
  364. // account type bit are exculsive and precisely only one
  365. // account type bit is set. So, as soon as an account type bit is set
  366. // in the following if sequence we can return.
  367. //
  370. if( UserAccountControl & USER_TEMP_DUPLICATE_ACCOUNT ) {
  371. Flags |= UF_TEMP_DUPLICATE_ACCOUNT;
  373. } else if( UserAccountControl & USER_NORMAL_ACCOUNT ) {
  374. Flags |= UF_NORMAL_ACCOUNT;
  376. } else if( UserAccountControl & USER_INTERDOMAIN_TRUST_ACCOUNT ) {
  377. Flags |= UF_INTERDOMAIN_TRUST_ACCOUNT;
  379. } else if( UserAccountControl & USER_WORKSTATION_TRUST_ACCOUNT ) {
  380. Flags |= UF_WORKSTATION_TRUST_ACCOUNT;
  382. } else if( UserAccountControl & USER_SERVER_TRUST_ACCOUNT ) {
  383. Flags |= UF_SERVER_TRUST_ACCOUNT;
  385. } else {
  387. //
  388. // There is no known account type bit set in UserAccountControl.
  389. // ?? Flags |= UF_NORMAL_ACCOUNT;
  391. // NetpAssert( FALSE );
  392. }
  394. return Flags;
  396. }
  399. ULONG
  400. NetpDeltaTimeToSeconds(
  401. IN LARGE_INTEGER DeltaTime
  402. )
  404. /*++
  406. Routine Description:
  408. Convert an NT delta time specification to seconds
  410. Arguments:
  412. DeltaTime - Specifies the NT Delta time to convert. NT delta time is
  413. a negative number of 100ns units.
  415. Return Value:
  417. Returns the number of seconds. Any invalid or too large input
  418. returns TIMEQ_FOREVER.
  420. --*/
  422. {
  423. LARGE_INTEGER LargeSeconds;
  425. //
  426. // These are the magic numbers needed to do our extended division by
  427. // 10,000,000 = convert 100ns tics to one second tics
  428. //
  430. LARGE_INTEGER Magic10000000 = { (ULONG) 0xe57a42bd, (LONG) 0xd6bf94d5};
  431. #define SHIFT10000000 23
  433. //
  434. // Special case zero.
  435. //
  437. if ( DeltaTime.HighPart == 0 && DeltaTime.LowPart == 0 ) {
  438. return( 0 );
  439. }
  441. //
  442. // Convert the Delta time to a Large integer seconds.
  443. //
  445. LargeSeconds = RtlExtendedMagicDivide(
  446. DeltaTime,
  447. Magic10000000,
  448. SHIFT10000000 );
  450. #ifdef notdef
  451. NetpKdPrint(( "NetpDeltaTimeToSeconds: %lx %lx %lx %lx\n",
  452. DeltaTime.HighPart,
  453. DeltaTime.LowPart,
  454. LargeSeconds.HighPart,
  455. LargeSeconds.LowPart ));
  456. #endif // notdef
  458. //
  459. // Return too large a number or a positive number as TIMEQ_FOREVER
  460. //
  462. if ( LargeSeconds.HighPart != -1 ) {
  463. return TIMEQ_FOREVER;
  464. }
  466. return ( (ULONG)(- ((LONG)(LargeSeconds.LowPart))) );
  468. } // NetpDeltaTimeToSeconds
  471. LARGE_INTEGER
  472. NetpSecondsToDeltaTime(
  473. IN ULONG Seconds
  474. )
  476. /*++
  478. Routine Description:
  480. Convert a number of seconds to an NT delta time specification
  482. Arguments:
  484. Seconds - a positive number of seconds
  486. Return Value:
  488. Returns the NT Delta time. NT delta time is a negative number
  489. of 100ns units.
  491. --*/
  493. {
  494. LARGE_INTEGER DeltaTime;
  495. LARGE_INTEGER LargeSeconds;
  496. LARGE_INTEGER Answer;
  498. //
  499. // Special case TIMEQ_FOREVER (return a full scale negative)
  500. //
  502. if ( Seconds == TIMEQ_FOREVER ) {
  503. DeltaTime.LowPart = 0;
  504. DeltaTime.HighPart = (LONG) 0x80000000;
  506. //
  507. // Convert seconds to 100ns units simply by multiplying by 10000000.
  508. //
  509. // Convert to delta time by negating.
  510. //
  512. } else {
  514. LargeSeconds = RtlConvertUlongToLargeInteger( Seconds );
  516. Answer = RtlExtendedIntegerMultiply( LargeSeconds, 10000000 );
  518. if ( Answer.QuadPart < 0 ) {
  519. DeltaTime.LowPart = 0;
  520. DeltaTime.HighPart = (LONG) 0x80000000;
  521. } else {
  522. DeltaTime.QuadPart = -Answer.QuadPart;
  523. }
  525. }
  527. return DeltaTime;
  529. } // NetpSecondsToDeltaTime
  532. VOID
  533. NetpAliasMemberToPriv(
  534. IN ULONG AliasCount,
  535. IN PULONG AliasMembership,
  536. OUT LPDWORD Priv,
  537. OUT LPDWORD AuthFlags
  538. )
  540. /*++
  542. Routine Description:
  544. Converts membership in Aliases to LANMAN 2.0 style Priv and AuthFlags.
  546. Arguments:
  548. AliasCount - Specifies the number of Aliases in the AliasMembership array.
  550. AliasMembership - Specifies the Aliases that are to be converted to Priv
  551. and AuthFlags. Each element in the array specifies the RID of an
  552. alias in the BuiltIn domain.
  554. Priv - Returns the Lanman 2.0 Privilege level for the specified aliases.
  556. AuthFlags - Returns the Lanman 2.0 Authflags for the specified aliases.
  559. Return Value:
  561. None.
  563. --*/
  565. {
  566. DWORD j;
  567. BOOLEAN IsAdmin = FALSE;
  568. BOOLEAN IsUser = FALSE;
  571. //
  572. // Loop through the aliases finding any special aliases.
  573. //
  574. // If this user is the member of multiple operator aliases,
  575. // just "or" the appropriate bits in.
  576. //
  577. // If this user is the member of multiple "privilege" aliases,
  578. // just report the one with the highest privilege.
  579. // Report the user is a member of the Guest aliases by default.
  580. //
  582. *AuthFlags = 0;
  584. for ( j=0; j < AliasCount; j++ ) {
  586. switch ( AliasMembership[j] ) {
  587. case DOMAIN_ALIAS_RID_ADMINS:
  588. IsAdmin = TRUE;
  589. break;
  591. case DOMAIN_ALIAS_RID_USERS:
  592. IsUser = TRUE;
  593. break;
  595. case DOMAIN_ALIAS_RID_ACCOUNT_OPS:
  596. *AuthFlags |= AF_OP_ACCOUNTS;
  597. break;
  599. case DOMAIN_ALIAS_RID_SYSTEM_OPS:
  600. *AuthFlags |= AF_OP_SERVER;
  601. break;
  603. case DOMAIN_ALIAS_RID_PRINT_OPS:
  604. *AuthFlags |= AF_OP_PRINT;
  605. break;
  607. }
  608. }
  610. if ( IsAdmin ) {
  611. *Priv = USER_PRIV_ADMIN;
  613. } else if ( IsUser ) {
  614. *Priv = USER_PRIV_USER;
  616. } else {
  617. *Priv = USER_PRIV_GUEST;
  618. }
  619. }
  622. DWORD
  623. NetpGetElapsedSeconds(
  624. IN PLARGE_INTEGER Time
  625. )
  627. /*++
  629. Routine Description:
  631. Computes the elapsed time in seconds since the time specified.
  632. Returns 0 on error.
  634. Arguments:
  636. Time - Time (typically in the past) to compute the elapsed time from.
  639. Return Value:
  641. 0: on error.
  643. Number of seconds.
  645. --*/
  647. {
  648. LARGE_INTEGER CurrentTime;
  649. DWORD Current1980Time;
  650. DWORD Prior1980Time;
  651. NTSTATUS Status;
  653. //
  654. // Compute the age of the password
  655. //
  657. Status = NtQuerySystemTime( &CurrentTime );
  658. if( !NT_SUCCESS(Status) ) {
  659. return 0;
  660. }
  662. if ( !RtlTimeToSecondsSince1980( &CurrentTime, &Current1980Time) ) {
  663. return 0;
  664. }
  666. if ( !RtlTimeToSecondsSince1980( Time, &Prior1980Time ) ) {
  667. return 0;
  668. }
  670. if ( Current1980Time <= Prior1980Time ) {
  671. return 0;
  672. }
  674. return Current1980Time - Prior1980Time;
  676. }
  681. VOID
  682. NetpConvertWorkstationList(
  683. IN OUT PUNICODE_STRING WorkstationList
  684. )
  685. /*++
  687. Routine Description:
  689. Convert the list of workstations from a comma separated list to
  690. a blank separated list. Any workstation name containing a blank is
  691. silently removed.
  693. Arguments:
  695. WorkstationList - List of workstations to convert
  697. Return Value:
  699. None
  701. --*/
  702. {
  703. LPWSTR Source;
  704. LPWSTR Destination;
  705. LPWSTR EndOfBuffer;
  706. LPWSTR BeginningOfName;
  707. BOOLEAN SkippingName;
  708. ULONG NumberOfCharacters;
  710. //
  711. // Handle the trivial case.
  712. //
  714. if ( WorkstationList->Length == 0 ) {
  715. return;
  716. }
  718. //
  719. // Initialization.
  720. //
  722. Destination = Source = WorkstationList->Buffer;
  723. EndOfBuffer = Source + WorkstationList->Length/sizeof(WCHAR);
  725. //
  726. // Loop handling special characters
  727. //
  729. SkippingName = FALSE;
  730. BeginningOfName = Destination;
  733. while ( Source < EndOfBuffer ) {
  735. switch ( *Source ) {
  736. case ',':
  738. if ( !SkippingName ) {
  739. *Destination = ' ';
  740. Destination++;
  741. }
  743. SkippingName = FALSE;
  744. BeginningOfName = Destination;
  745. break;
  747. case ' ':
  748. SkippingName = TRUE;
  749. Destination = BeginningOfName;
  750. break;
  752. default:
  753. if ( !SkippingName ) {
  754. *Destination = *Source;
  755. Destination ++;
  756. }
  757. break;
  758. }
  760. Source ++;
  761. }
  763. //
  764. // Remove any trailing delimiter
  765. //
  767. NumberOfCharacters = (ULONG)(Destination - WorkstationList->Buffer);
  769. if ( NumberOfCharacters > 0 &&
  770. WorkstationList->Buffer[NumberOfCharacters-1] == ' ' ) {
  772. NumberOfCharacters--;
  773. }
  775. WorkstationList->Length = (USHORT) (NumberOfCharacters * sizeof(WCHAR));
  778. }