archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/net/ias/providers/ntuser/auth/ntsamuser.cpp

385 lines
9.3 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. ///////////////////////////////////////////////////////////////////////////////
  2. //
  3. // Copyright (c) Microsoft Corporation
  4. //
  5. // SYNOPSIS
  6. //
  7. // Defines the class AccountValidation.
  8. //
  9. ///////////////////////////////////////////////////////////////////////////////
  11. #include <ias.h>
  12. #include <ntsamuser.h>
  13. #include <autohdl.h>
  14. #include <iaslsa.h>
  15. #include <iasntds.h>
  16. #include <iastlutl.h>
  17. #include <lmaccess.h>
  18. #include <samutil.h>
  19. #include <sdoias.h>
  21. //////////
  22. // Attributes that should be retrieved for each user.
  23. //////////
  24. const PCWSTR PER_USER_ATTRS[] =
  25. {
  26. L"userAccountControl",
  27. L"accountExpires",
  28. L"logonHours",
  29. L"tokenGroups",
  30. L"objectSid",
  31. NULL
  32. };
  35. //////////
  36. //
  37. // Process an LDAP response.
  38. //
  39. // Based on the empirical evidence, it seems that userAccountControl and
  40. // accountExpires are always present while logonHours is optional. However,
  41. // none of these attributes are marked as mandatory in the LDAP schema. Since
  42. // we have already done a rudimentary access check at bind, we will allow any
  43. // of these attributes to be absent.
  44. //
  45. //////////
  46. inline
  47. DWORD
  48. ValidateLdapResponse(
  49. IASTL::IASRequest& request,
  50. LDAPMessage* msg
  51. )
  52. {
  53. // Retrieve the connection for this message.
  54. LDAP* ld = ldap_conn_from_msg(NULL, msg);
  56. PWCHAR *str;
  57. PLDAP_BERVAL *data1, *data2;
  59. // There is exactly one entry.
  60. LDAPMessage* e = ldap_first_entry(ld, msg);
  62. //////////
  63. // Check the UserAccountControl flags.
  64. //////////
  66. ULONG userAccountControl;
  67. str = ldap_get_valuesW(ld, e, L"userAccountControl");
  68. if (str)
  69. {
  70. userAccountControl = (ULONG)_wtoi64(*str);
  71. ldap_value_freeW(str);
  73. if (userAccountControl & UF_ACCOUNTDISABLE)
  74. {
  75. return ERROR_ACCOUNT_DISABLED;
  76. }
  78. if (userAccountControl & UF_LOCKOUT)
  79. {
  80. return ERROR_ACCOUNT_LOCKED_OUT;
  81. }
  82. }
  84. //////////
  85. // Retrieve AccountExpires.
  86. //////////
  88. LARGE_INTEGER accountExpires;
  89. str = ldap_get_valuesW(ld, e, L"accountExpires");
  90. if (str)
  91. {
  92. accountExpires.QuadPart = _wtoi64(*str);
  93. ldap_value_freeW(str);
  94. }
  95. else
  96. {
  97. accountExpires.QuadPart = 0;
  98. }
  100. //////////
  101. // Retrieve LogonHours.
  102. //////////
  104. IAS_LOGON_HOURS logonHours;
  105. data1 = ldap_get_values_lenW(ld, e, L"logonHours");
  106. if (data1 != NULL)
  107. {
  108. logonHours.UnitsPerWeek = 8 * (USHORT)data1[0]->bv_len;
  109. logonHours.LogonHours = (PUCHAR)data1[0]->bv_val;
  110. }
  111. else
  112. {
  113. logonHours.UnitsPerWeek = 0;
  114. logonHours.LogonHours = NULL;
  115. }
  117. //////////
  118. // Check the account restrictions.
  119. //////////
  121. DWORD status;
  122. LARGE_INTEGER sessionTimeout;
  123. status = IASCheckAccountRestrictions(
  124. &accountExpires,
  125. &logonHours,
  126. &sessionTimeout
  127. );
  129. InsertInternalTimeout(request, sessionTimeout);
  131. ldap_value_free_len(data1);
  133. if (status != NO_ERROR) { return status; }
  135. //////////
  136. // Retrieve tokenGroups and objectSid.
  137. //////////
  139. data1 = ldap_get_values_lenW(ld, e, L"tokenGroups");
  140. data2 = ldap_get_values_lenW(ld, e, L"objectSid");
  142. PTOKEN_GROUPS allGroups;
  143. ULONG length;
  144. if (data1 && data2)
  145. {
  146. // Allocate memory for the TOKEN_GROUPS struct.
  147. ULONG numGroups = ldap_count_values_len(data1);
  148. PTOKEN_GROUPS tokenGroups =
  149. (PTOKEN_GROUPS)_alloca(
  150. FIELD_OFFSET(TOKEN_GROUPS, Groups) +
  151. sizeof(SID_AND_ATTRIBUTES) * numGroups
  152. );
  154. // Store the number of groups.
  155. tokenGroups->GroupCount = numGroups;
  157. // Store the group SIDs.
  158. for (ULONG i = 0; i < numGroups; ++i)
  159. {
  160. tokenGroups->Groups[i].Sid = (PSID)data1[i]->bv_val;
  161. tokenGroups->Groups[i].Attributes = SE_GROUP_ENABLED;
  162. }
  164. // Expand the group membership locally.
  165. status = IASGetAliasMembership(
  166. (PSID)data2[0]->bv_val,
  167. tokenGroups,
  168. CoTaskMemAlloc,
  169. &allGroups,
  170. &length
  171. );
  172. }
  173. else
  174. {
  175. status = ERROR_ACCESS_DENIED;
  176. }
  178. ldap_value_free_len(data1);
  179. ldap_value_free_len(data2);
  181. if (status != NO_ERROR) { return status; }
  183. //////////
  184. // Initialize and store the attribute.
  185. //////////
  187. IASTL::IASAttribute attr(true);
  188. attr->dwId = IAS_ATTRIBUTE_TOKEN_GROUPS;
  189. attr->Value.itType = IASTYPE_OCTET_STRING;
  190. attr->Value.OctetString.dwLength = length;
  191. attr->Value.OctetString.lpValue = (PBYTE)allGroups;
  193. attr.store(request);
  195. return NO_ERROR;
  196. }
  199. HRESULT AccountValidation::Initialize()
  200. {
  201. return IASNtdsInitialize();
  202. }
  205. HRESULT AccountValidation::Shutdown() throw ()
  206. {
  207. IASNtdsUninitialize();
  208. return S_OK;
  209. }
  212. IASREQUESTSTATUS AccountValidation::onSyncRequest(IRequest* pRequest) throw ()
  213. {
  214. try
  215. {
  216. IASTL::IASRequest request(pRequest);
  218. //////////
  219. // Only process requests that don't have Token-Groups already.
  220. //////////
  222. IASTL::IASAttribute tokenGroups;
  223. if (!tokenGroups.load(
  224. request,
  225. IAS_ATTRIBUTE_TOKEN_GROUPS,
  226. IASTYPE_OCTET_STRING
  227. ))
  228. {
  229. //////////
  230. // Extract the NT4-Account-Name attribute.
  231. //////////
  233. IASTL::IASAttribute identity;
  234. if (identity.load(
  235. request,
  236. IAS_ATTRIBUTE_NT4_ACCOUNT_NAME,
  237. IASTYPE_STRING
  238. ))
  239. {
  240. //////////
  241. // Convert the User-Name to SAM format.
  242. //////////
  244. SamExtractor extractor(*identity);
  245. PCWSTR domain = extractor.getDomain();
  246. PCWSTR username = extractor.getUsername();
  248. IASTracePrintf(
  249. "Validating Windows account %S\\%S.",
  250. domain,
  251. username
  252. );
  254. //////////
  255. // Validate the account.
  256. //////////
  258. if (!tryNativeMode(request, domain, username))
  259. {
  260. doDownlevel(request, domain, username);
  261. }
  262. }
  263. }
  264. }
  265. catch (const _com_error& ce)
  266. {
  267. IASTraceExcept();
  268. IASProcessFailure(pRequest, ce.Error());
  269. }
  271. return IAS_REQUEST_STATUS_CONTINUE;
  272. }
  275. void AccountValidation::doDownlevel(
  276. IASTL::IASRequest& request,
  277. PCWSTR domainName,
  278. PCWSTR username
  279. )
  280. {
  281. IASTraceString("Using downlevel APIs to validate account.");
  283. //////////
  284. // Inject the user's groups.
  285. //////////
  287. IASTL::IASAttribute groups(true);
  289. DWORD status;
  290. LARGE_INTEGER sessionTimeout;
  291. status = IASGetGroupsForUser(
  292. username,
  293. domainName,
  294. &CoTaskMemAlloc,
  295. (PTOKEN_GROUPS*)&groups->Value.OctetString.lpValue,
  296. &groups->Value.OctetString.dwLength,
  297. &sessionTimeout
  298. );
  300. InsertInternalTimeout(request, sessionTimeout);
  302. if (status == NO_ERROR)
  303. {
  304. // Insert the groups.
  305. groups->dwId = IAS_ATTRIBUTE_TOKEN_GROUPS;
  306. groups->Value.itType = IASTYPE_OCTET_STRING;
  307. groups.store(request);
  309. IASTraceString("Successfully validated account.");
  310. }
  311. else
  312. {
  313. IASTraceFailure("IASGetGroupsForUser", status);
  314. status = IASMapWin32Error(status, IAS_SERVER_UNAVAILABLE);
  315. IASProcessFailure(request, status);
  316. }
  317. }
  320. bool AccountValidation::tryNativeMode(
  321. IASTL::IASRequest& request,
  322. PCWSTR domainName,
  323. PCWSTR username
  324. )
  325. {
  326. //////////
  327. // Only handle domain users.
  328. //////////
  330. if (IASGetRole() != IAS_ROLE_DC && IASIsDomainLocal(domainName))
  331. {
  332. return false;
  333. }
  335. //////////
  336. // Query the DS.
  337. //////////
  339. DWORD error;
  340. IASNtdsResult result;
  341. error = IASNtdsQueryUserAttributes(
  342. domainName,
  343. username,
  344. LDAP_SCOPE_BASE,
  345. const_cast<PWCHAR*>(PER_USER_ATTRS),
  346. &result
  347. );
  349. switch (error)
  350. {
  351. case NO_ERROR:
  352. {
  353. // We got something back, so validate the response.
  354. error = ValidateLdapResponse(request, result.msg);
  355. if (error == NO_ERROR)
  356. {
  357. IASTraceString("Successfully validated account.");
  358. return true;
  359. }
  361. IASTraceFailure("ValidateLdapResponse", error);
  362. break;
  363. }
  365. case ERROR_DS_NOT_INSTALLED:
  366. case ERROR_INVALID_DOMAIN_ROLE:
  367. {
  368. // No DS, so we can't handle.
  369. return false;
  370. }
  372. default:
  373. {
  374. // We have a DS for this user, but we can't talk to it.
  375. break;
  376. }
  377. }
  379. IASProcessFailure(
  380. request,
  381. IASMapWin32Error(error, IAS_DOMAIN_UNAVAILABLE)
  382. );
  384. return true;
  385. }