archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
4.9 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/net/mmc/tapi/lsastuff.cpp

463 lines
12 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+-------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (C) Microsoft Corporation, 1998 - 1999
  6. //
  7. // File: lsastuff.cpp
  8. //
  9. //--------------------------------------------------------------------------
  11. // LsaStuff.cpp
  12. //
  13. // LSA-dependent code
  14. //
  15. // HISTORY
  16. // 09-Jul-97 jonn Creation.
  17. //
  19. #include "stdafx.h"
  20. #include "DynamLnk.h" // DynamicDLL
  21. #include "servpp.h"
  23. extern "C"
  24. {
  25. #include <lmcons.h>
  26. #include <lmshare.h>
  27. #include <lmerr.h>
  28. #include <lmapibuf.h>
  30. #define NTSTATUS LONG
  31. #define PNTSTATUS NTSTATUS*
  32. #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
  33. #define SE_SHUTDOWN_PRIVILEGE (19L)
  35. // stuff taken from ntdef.h
  36. typedef struct _UNICODE_STRING {
  37. USHORT Length;
  38. USHORT MaximumLength;
  39. #ifdef MIDL_PASS
  40. [size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
  41. #else // MIDL_PASS
  42. PWSTR Buffer;
  43. #endif // MIDL_PASS
  44. } UNICODE_STRING;
  45. typedef UNICODE_STRING *PUNICODE_STRING;
  46. typedef struct _OBJECT_ATTRIBUTES {
  47. ULONG Length;
  48. HANDLE RootDirectory;
  49. PUNICODE_STRING ObjectName;
  50. ULONG Attributes;
  51. PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
  52. PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
  53. } OBJECT_ATTRIBUTES;
  54. typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
  55. #define InitializeObjectAttributes( p, n, a, r, s ) { \
  56. (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
  57. (p)->RootDirectory = r; \
  58. (p)->Attributes = a; \
  59. (p)->ObjectName = n; \
  60. (p)->SecurityDescriptor = s; \
  61. (p)->SecurityQualityOfService = NULL; \
  62. }
  63. #define _NTDEF
  65. // from ntstatus.h
  66. #define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034L)
  68. // from lmaccess.h
  69. NET_API_STATUS NET_API_FUNCTION
  70. NetUserModalsGet (
  71. IN LPCWSTR servername OPTIONAL,
  72. IN DWORD level,
  73. OUT LPBYTE *bufptr
  74. );
  75. typedef struct _USER_MODALS_INFO_1 {
  76. DWORD usrmod1_role;
  77. LPWSTR usrmod1_primary;
  78. }USER_MODALS_INFO_1, *PUSER_MODALS_INFO_1, *LPUSER_MODALS_INFO_1;
  79. //
  80. // UAS role manifests under NETLOGON
  81. //
  82. #define UAS_ROLE_STANDALONE 0
  83. #define UAS_ROLE_MEMBER 1
  84. #define UAS_ROLE_BACKUP 2
  85. #define UAS_ROLE_PRIMARY 3
  87. #include <ntlsa.h>
  88. }
  91. #ifdef _DEBUG
  92. #define new DEBUG_NEW
  93. #undef THIS_FILE
  94. static char THIS_FILE[] = __FILE__;
  95. #endif
  98. typedef enum _Netapi32ApiIndex
  99. {
  100. BUFFERFREE_ENUM = 0,
  101. USERMODALSGET_ENUM
  102. };
  104. // not subject to localization
  105. static LPCSTR g_apchNetapi32FunctionNames[] = {
  106. "NetApiBufferFree",
  107. "NetUserModalsGet",
  108. NULL
  109. };
  111. typedef NET_API_STATUS (*BUFFERFREEPROC)(LPVOID);
  112. typedef NET_API_STATUS (*USERMODALSGETPROC)(LPCWSTR, DWORD, LPBYTE*);
  114. // not subject to localization
  115. DynamicDLL g_LSASTUFF_Netapi32DLL( _T("NETAPI32.DLL"), g_apchNetapi32FunctionNames );
  119. /*******************************************************************
  121. NAME: ::FillUnicodeString
  123. SYNOPSIS: Standalone method for filling in a UNICODE_STRING
  125. ENTRY: punistr - Unicode string to be filled in.
  126. nls - Source for filling the unistr
  128. EXIT:
  130. NOTES: punistr->Buffer is allocated here and must be deallocated
  131. by the caller using FreeUnicodeString.
  133. HISTORY:
  134. jonn 07/09/97 copied from net\ui\common\src\lmobj\lmobj\uintmem.cxx
  136. ********************************************************************/
  137. VOID FillUnicodeString( LSA_UNICODE_STRING * punistr, LPCWSTR psz )
  138. {
  139. ASSERT( NULL != punistr && NULL != psz );
  140. int cTchar = ::wcslen(psz);
  141. // Length and MaximumLength are counts of bytes.
  142. punistr->Length = (USHORT) (cTchar * sizeof(WCHAR));
  143. punistr->MaximumLength = punistr->Length + sizeof(WCHAR);
  144. punistr->Buffer = new WCHAR[cTchar + 1];
  145. ASSERT( NULL != punistr->Buffer );
  146. ::wcscpy( punistr->Buffer, psz );
  147. }
  149. /*******************************************************************
  151. NAME: ::FreeUnicodeString
  153. SYNOPSIS: Standalone method for freeing in a UNICODE_STRING
  155. ENTRY: unistr - Unicode string whose Buffer is to be freed.
  157. EXIT:
  159. HISTORY:
  160. jonn 07/09/97 copied from net\ui\common\src\lmobj\lmobj\uintmem.cxx
  162. ********************************************************************/
  163. VOID FreeUnicodeString( LSA_UNICODE_STRING * punistr )
  164. {
  165. ASSERT( punistr != NULL );
  166. delete punistr->Buffer;
  167. }
  171. /*******************************************************************
  173. NAME: InitObjectAttributes
  175. SYNOPSIS:
  177. This function initializes the given Object Attributes structure, including
  178. Security Quality Of Service. Memory must be allcated for both
  179. ObjectAttributes and Security QOS by the caller.
  181. ENTRY:
  183. poa - Pointer to Object Attributes to be initialized.
  185. psqos - Pointer to Security QOS to be initialized.
  187. EXIT:
  189. NOTES:
  191. HISTORY:
  192. jonn 07/09/97 copied from net\ui\common\src\lmobj\lmobj\uintlsa.cxx
  194. ********************************************************************/
  195. VOID InitObjectAttributes( PLSA_OBJECT_ATTRIBUTES poa,
  196. PSECURITY_QUALITY_OF_SERVICE psqos )
  198. {
  199. ASSERT( poa != NULL );
  200. ASSERT( psqos != NULL );
  202. psqos->Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
  203. psqos->ImpersonationLevel = SecurityImpersonation;
  204. psqos->ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
  205. psqos->EffectiveOnly = FALSE;
  207. //
  208. // Set up the object attributes prior to opening the LSA.
  209. //
  211. InitializeObjectAttributes(
  212. poa,
  213. NULL,
  214. 0L,
  215. NULL,
  216. NULL );
  218. //
  219. // The InitializeObjectAttributes macro presently stores NULL for
  220. // the psqos field, so we must manually copy that
  221. // structure for now.
  222. //
  224. poa->SecurityQualityOfService = psqos;
  225. }
  228. BOOL
  229. I_CheckLSAAccount( LSA_UNICODE_STRING* punistrServerName,
  230. LPCTSTR pszLogOnAccountName,
  231. DWORD* pdwMsgID ) // *pdsMsgID is always set if this fails
  232. {
  233. ASSERT( NULL != pdwMsgID );
  235. BOOL fSuccess = FALSE;
  236. LSA_HANDLE hlsa = NULL;
  237. LSA_HANDLE hlsaAccount = NULL;
  238. PSID psidAccount = NULL;
  240. do { // false loop
  242. //
  243. // Determine whether the target machine is a BDC, and if so, get the PDC
  244. //
  246. // if an error occurs now, it is a read error
  247. *pdwMsgID = IDS_LSAERR_READ_FAILED;
  249. //
  250. // Get LSA_POLICY handle
  251. //
  252. LSA_OBJECT_ATTRIBUTES oa;
  253. SECURITY_QUALITY_OF_SERVICE sqos;
  254. InitObjectAttributes( &oa, &sqos );
  256. NTSTATUS ntstatus = ::LsaOpenPolicy(
  257. punistrServerName,
  258. &oa,
  259. POLICY_ALL_ACCESS, // CODEWORK ??
  260. &hlsa );
  261. if ( !NT_SUCCESS(ntstatus) )
  262. break;
  264. //
  265. // Remove ".\" from the head of the account name if it is present
  266. //
  267. CString strAccountName = pszLogOnAccountName;
  268. if ( strAccountName.GetLength() >= 2
  269. && strAccountName[0] == _T('.')
  270. && strAccountName[1] == _T('\\')
  271. )
  272. {
  273. strAccountName = strAccountName.Mid(2);
  274. }
  276. //
  277. // determine the SID of the account
  278. //
  279. PLSA_REFERENCED_DOMAIN_LIST plsardl = NULL;
  280. PLSA_TRANSLATED_SID plsasid = NULL;
  281. LSA_UNICODE_STRING unistrAccountName;
  282. ::FillUnicodeString( &unistrAccountName, strAccountName );
  283. ntstatus = ::LsaLookupNames(
  284. hlsa,
  285. 1,
  286. &unistrAccountName,
  287. &plsardl,
  288. &plsasid );
  289. ::FreeUnicodeString( &unistrAccountName );
  290. if ( !NT_SUCCESS(ntstatus) )
  291. break;
  293. //
  294. // Build the SID of the account by taking the SID of the domain
  295. // and adding at the end the RID of the account
  296. //
  297. PSID psidDomain = plsardl->Domains[0].Sid;
  298. DWORD ridAccount = plsasid[0].RelativeId;
  299. DWORD cbNewSid = ::GetLengthSid(psidDomain)+sizeof(ridAccount);
  300. psidAccount = (PSID) new BYTE[cbNewSid];
  301. ASSERT( NULL != psidAccount );
  302. (void) ::CopySid( cbNewSid, psidAccount, psidDomain );
  303. UCHAR* pcSubAuthorities = ::GetSidSubAuthorityCount( psidAccount ) ;
  304. (*pcSubAuthorities)++;
  305. DWORD* pdwSubAuthority = ::GetSidSubAuthority(
  306. psidAccount, (*pcSubAuthorities)-1 );
  307. *pdwSubAuthority = ridAccount;
  309. (void) ::LsaFreeMemory( plsardl );
  310. (void) ::LsaFreeMemory( plsasid );
  312. //
  313. // Determine whether this LSA account exists, create it if not
  314. //
  315. ntstatus = ::LsaOpenAccount( hlsa,
  316. psidAccount,
  317. ACCOUNT_ALL_ACCESS | DELETE, // CODEWORK
  318. &hlsaAccount );
  319. ULONG ulSystemAccessCurrent = 0;
  320. if (STATUS_OBJECT_NAME_NOT_FOUND == ntstatus)
  321. {
  322. // handle account-not-found case
  324. // if an error occurs now, it is a write error
  325. *pdwMsgID = IDS_LSAERR_WRITE_FAILED;
  326. ntstatus = ::LsaCreateAccount( hlsa,
  327. psidAccount,
  328. ACCOUNT_ALL_ACCESS | DELETE,
  329. &hlsaAccount );
  330. // presumably the account is created without POLICY_MODE_SERVICE privilege
  331. }
  332. else
  333. {
  334. ntstatus = ::LsaGetSystemAccessAccount( hlsaAccount, &ulSystemAccessCurrent );
  335. }
  336. if ( !NT_SUCCESS(ntstatus) )
  337. break;
  339. //
  340. // Determine whether this LSA account has POLICY_MODE_SERVICE privilege,
  341. // grant it if not
  342. //
  343. if ( POLICY_MODE_SERVICE != (ulSystemAccessCurrent & POLICY_MODE_SERVICE ) )
  344. {
  345. // if an error occurs now, it is a write error
  346. *pdwMsgID = IDS_LSAERR_WRITE_FAILED;
  348. ntstatus = ::LsaSetSystemAccessAccount(
  349. hlsaAccount,
  350. ulSystemAccessCurrent | POLICY_MODE_SERVICE );
  351. if ( !NT_SUCCESS(ntstatus) )
  352. break; // CODEWORK could check for STATUS_BACKUP_CONTROLLER
  354. *pdwMsgID = 0;
  355. }
  356. else
  357. {
  358. *pdwMsgID = 0;
  359. }
  361. fSuccess = TRUE;
  363. } while (FALSE); // false loop
  365. // CODEWORK should check for special error code for NT5 non-DC
  366. // using local policy object
  368. if (NULL != hlsa)
  369. {
  370. ::LsaClose( hlsa );
  371. }
  372. if (NULL != hlsaAccount)
  373. {
  374. ::LsaClose( hlsaAccount );
  375. }
  376. if (NULL != psidAccount)
  377. {
  378. delete psidAccount;
  379. }
  381. return fSuccess;
  383. } // I_CheckLSAAccount()
  385. /////////////////////////////////////////////////////////////////////
  386. // FCheckLSAAccount()
  387. //
  388. VOID
  389. CServerProperties::FCheckLSAAccount()
  390. {
  391. LSA_UNICODE_STRING unistrServerName;
  392. PLSA_UNICODE_STRING punistrServerName = NULL ;
  393. USER_MODALS_INFO_1* pum1 = NULL;
  394. DWORD dwMsgID = 0;
  396. TRACE1("INFO: Checking LSA permissions for account %s...\n",
  397. (LPCTSTR)m_strLogOnAccountName);
  399. if ( !m_strMachineName.IsEmpty() )
  400. {
  401. ::FillUnicodeString( &unistrServerName, m_strMachineName );
  402. punistrServerName = &unistrServerName;
  403. }
  405. do // false loop
  406. {
  407. // check on the local machine
  408. // this will always set dwMsgID if it fails
  409. if (I_CheckLSAAccount(punistrServerName, m_strLogOnAccountName, &dwMsgID))
  410. break; // this succeeded, we can stop now
  412. // check whether this is a Backup Domain Controller
  413. if ( !g_LSASTUFF_Netapi32DLL.LoadFunctionPointers() )
  414. {
  415. ASSERT(FALSE);
  416. return;
  417. }
  418. DWORD err = ((USERMODALSGETPROC)g_LSASTUFF_Netapi32DLL[USERMODALSGET_ENUM])(
  419. (m_strMachineName.IsEmpty()) ? NULL : const_cast<LPTSTR>((LPCTSTR)m_strMachineName),
  420. 1,
  421. reinterpret_cast<LPBYTE*>(&pum1) );
  422. if (NERR_Success != err)
  423. break;
  424. ASSERT( NULL != pum1 );
  425. if (UAS_ROLE_BACKUP != pum1->usrmod1_role)
  426. break; // not a backup controller
  427. if (NULL == pum1->usrmod1_primary )
  428. {
  429. ASSERT(FALSE);
  430. break;
  431. }
  433. // Try it on the PDC
  434. (void) I_CheckLSAAccount(punistrServerName, pum1->usrmod1_primary, &dwMsgID);
  436. } while (FALSE); // false loop
  438. if ( NULL != punistrServerName )
  439. {
  440. ::FreeUnicodeString( punistrServerName );
  441. }
  443. if ( NULL != pum1 )
  444. {
  445. if ( !g_LSASTUFF_Netapi32DLL.LoadFunctionPointers() )
  446. {
  447. ASSERT(FALSE);
  448. return;
  449. }
  451. ((BUFFERFREEPROC)g_LSASTUFF_Netapi32DLL[BUFFERFREE_ENUM])( pum1 );
  452. }
  454. if (0 != dwMsgID)
  455. {
  456. CString strMessage;
  458. strMessage.FormatMessage(dwMsgID, m_strLogOnAccountName);
  460. AfxMessageBox(strMessage);
  461. }
  463. } // FCheckLSAAccount()