|
|
/********************************************************************//** Copyright(c) 1989 Microsoft Corporation. **//********************************************************************/
//***
//
// Filename: srvrhlpr.c
//
// Description: This module will contain code to process specific security
// information requests by the server. This is done because
// the api's required to obtain this information cannot be
// called from kernel mode. The following functionality is
// supported:
//
// 1) Name to Sid Lookup.
// 2) Sid to Name lookup.
// 3) Enumerate Posix offsets of all domains.
// 4) Change password.
// 5) Log an event.
//
// History: August 18,1992. NarenG Created original version.
//
#include <afpsvcp.h>
#include <lm.h>
#include <logonmsv.h> // prototype of I_NetGetDCList
#include <seposix.h>
#include <dsgetdc.h>
static PPOLICY_ACCOUNT_DOMAIN_INFO pAccountDomainInfo = NULL;static PPOLICY_PRIMARY_DOMAIN_INFO pPrimaryDomainInfo = NULL;
static HANDLE hmutexThreadCount = NULL;
NTSTATUSAfpNameToSid( IN LSA_HANDLE hLsa, IN PAFP_FSD_CMD_PKT pAfpFsdCmd, OUT PAFP_FSD_CMD_PKT *ppAfpFsdCmdResponse, OUT LPDWORD pcbResponse);
NTSTATUSAfpSidToName( IN LSA_HANDLE hLsa, IN PPOLICY_ACCOUNT_DOMAIN_INFO pAccountDomainInfo, IN PPOLICY_PRIMARY_DOMAIN_INFO pPrimaryDomainInfo, IN PAFP_FSD_CMD_PKT pAfpFsdCmd, OUT PAFP_FSD_CMD_PKT *ppAfpFsdCmdResponse, OUT LPDWORD pcbResponse);
NTSTATUSAfpChangePassword( IN LSA_HANDLE hLsa, IN PPOLICY_ACCOUNT_DOMAIN_INFO pAccountDomainInfo, IN PPOLICY_PRIMARY_DOMAIN_INFO pPrimaryDomainInfo, IN PAFP_FSD_CMD_PKT pAfpFsdCmd, OUT PAFP_FSD_CMD_PKT *ppAfpFsdCmdResponse, OUT LPDWORD pcbResponse);
NTSTATUSAfpChangePasswordOnDomain( IN PAFP_PASSWORD_DESC pPassword, IN PUNICODE_STRING pDomainName, IN PSID pDomainSid);
NTSTATUSAfpCreateWellknownSids( OUT AFP_SID_OFFSET pWellKnownSids[]);
NTSTATUSAfpInsertSidOffset( IN PAFP_SID_OFFSET pSidOffset, IN LPBYTE pbVariableData, IN PSID pSid, IN DWORD Offset, IN AFP_SID_TYPE SidType);
DWORDAfpGetDomainInfo( IN LSA_HANDLE hLsa, IN OUT PLSA_HANDLE phLsaController, IN OUT PPOLICY_ACCOUNT_DOMAIN_INFO* ppAccountDomainInfo, IN OUT PPOLICY_PRIMARY_DOMAIN_INFO* ppPrimaryDomainInfo);
DWORDAfpIOCTLDomainOffsets( IN LSA_HANDLE hLsa, IN PPOLICY_ACCOUNT_DOMAIN_INFO pAccountDomainInfo, IN PPOLICY_PRIMARY_DOMAIN_INFO pPrimaryDomainInfo);
DWORDAfpOpenLsa( IN PUNICODE_STRING pSystem OPTIONAL, IN OUT PLSA_HANDLE phLsa);
NTSTATUSAfpChangePwdArapStyle( IN PAFP_PASSWORD_DESC pPassword, IN PUNICODE_STRING pDomainName, IN PSID pDomainSid);
�//**
//
// Call: AfpServerHelper
//
// Returns: NO_ERROR
//
// Description: This is the main function for each helper thread. If sits
// in a loop processing commands from the server. It is terminated
// by command from the server.
//
DWORDAfpServerHelper( IN LPVOID fFirstThread){NTSTATUS ntStatus;DWORD dwRetCode;PAFP_FSD_CMD_PKT pAfpFsdCmdResponse;AFP_FSD_CMD_HEADER AfpCmdHeader;PAFP_FSD_CMD_PKT pAfpFsdCmd;PBYTE pOutputBuffer;DWORD cbOutputBuffer;PBYTE pInputBuffer;DWORD cbInputBuffer;IO_STATUS_BLOCK IoStatus;BYTE OutputBuffer[MAX_FSD_CMD_SIZE];HANDLE hFSD = NULL;LSA_HANDLE hLsa = NULL;BOOLEAN fFirstLoop=TRUE;
// Open the AFP Server FSD and obtain a handle to it
//
if ( ( dwRetCode = AfpFSDOpen( &hFSD ) ) != NO_ERROR ) { AfpGlobals.dwSrvrHlprCode = dwRetCode; AfpLogEvent( AFPLOG_OPEN_FSD, 0, NULL, dwRetCode, EVENTLOG_ERROR_TYPE ); SetEvent( AfpGlobals.heventSrvrHlprThread ); return( dwRetCode ); }
// Open the Local LSA
//
if ( ( dwRetCode = AfpOpenLsa( NULL, &hLsa ) ) != NO_ERROR ) {
AfpFSDClose( hFSD ); AfpGlobals.dwSrvrHlprCode = dwRetCode; AfpLogEvent( AFPLOG_OPEN_LSA, 0, NULL, dwRetCode, EVENTLOG_ERROR_TYPE ); SetEvent( AfpGlobals.heventSrvrHlprThread ); return( dwRetCode ); }
// If this is the first server helper thread then enumerate and
// IOCTL down the list of domains and their offsets.
//
if ( (BOOL)(ULONG_PTR)fFirstThread ) {
LSA_HANDLE hLsaController = NULL;
//
// Create the event object for mutual exclusion around the thread
// count
//
if ( (hmutexThreadCount = CreateMutex( NULL, FALSE, NULL ) ) == NULL) { AFP_PRINT( ( "SFMSVC: CreateMutex failed\n")); return( GetLastError() ); }
while (1) { // Get the account, primary and all trusted domain info
//
dwRetCode = AfpGetDomainInfo( hLsa, &hLsaController, &pAccountDomainInfo, &pPrimaryDomainInfo);
AfpGlobals.dwSrvrHlprCode = dwRetCode;
if (dwRetCode == NO_ERROR) { break; } else if (dwRetCode != ERROR_CANT_ACCESS_DOMAIN_INFO) { AFP_PRINT( ( "SFMSVC: Get Domain Info failed %ld\n",dwRetCode)); AfpLogEvent( AFPLOG_CANT_GET_DOMAIN_INFO, 0, NULL, dwRetCode, EVENTLOG_ERROR_TYPE ); AfpFSDClose( hFSD ); LsaClose( hLsa ); SetEvent( AfpGlobals.heventSrvrHlprThread ); return( dwRetCode ); }
// ok, we couldn't access domain info. keep retrying until we
// are successful (or until the service is stopped!)
AfpGlobals.dwServerState |= AFPSTATE_BLOCKED_ON_DOMINFO;
if (fFirstLoop) { fFirstLoop = FALSE;
AFP_PRINT( ( "SFMSVC: first loop, telling service controller to go ahead\n"));
// tell the service controller we're running, so the user
// doesn't have to wait as long as we're blocked here!
//
AfpGlobals.ServiceStatus.dwCurrentState = SERVICE_RUNNING; AfpGlobals.ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE; AfpGlobals.ServiceStatus.dwCheckPoint = 0; AfpGlobals.ServiceStatus.dwWaitHint = 0;
AfpAnnounceServiceStatus();
// log an event to give the bad news..
AfpLogEvent( AFPLOG_DOMAIN_INFO_RETRY, 0, NULL, dwRetCode, EVENTLOG_WARNING_TYPE ); }
AFP_PRINT( ( "SFMSVC: sleeping 20 sec before retrying domain info\n"));
// wait for 20 seconds before retrying for the domain info
// Meanwhile, watch to see if the service is stopping. If so, we
// must do the necessary setevent and get out
if (WaitForSingleObject( AfpGlobals.heventSrvrHlprSpecial, 20000 ) == 0) { AfpFSDClose( hFSD ); LsaClose( hLsa ); SetEvent( AfpGlobals.heventSrvrHlprThread ); return( dwRetCode ); }
AFP_PRINT( ( "SFMSVC: retrying getdomain info\n")); }
// if we were blocked retrying the domain-info, log an event that we
// are ok now
if (AfpGlobals.dwServerState & AFPSTATE_BLOCKED_ON_DOMINFO) { AFP_PRINT( ( "SFMSVC: domain info stuff finally worked\n"));
AfpGlobals.dwServerState &= ~AFPSTATE_BLOCKED_ON_DOMINFO;
AfpLogEvent( AFPLOG_SFM_STARTED_OK, 0, NULL, 0, EVENTLOG_SUCCESS ); }
//
// IOCTL all the domain offsets
// if hLsaController is NULL, the server is in a WorkGroup, not domain
//
if ( ( dwRetCode = AfpIOCTLDomainOffsets( hLsaController, pAccountDomainInfo, pPrimaryDomainInfo) ) != NO_ERROR ) {
AFP_PRINT( ( "SFMSVC: Ioctl Domain Offsets failed.\n"));
AfpLogEvent( AFPLOG_CANT_INIT_DOMAIN_INFO, 0, NULL, dwRetCode, EVENTLOG_ERROR_TYPE );
// First clean up
//
AfpFSDClose( hFSD );
// If the local machine is not a controller
//
if ( (hLsaController != NULL) && (hLsa != hLsaController) ) { LsaClose( hLsaController ); }
LsaClose( hLsa );
if ( pAccountDomainInfo != NULL ) { LsaFreeMemory( pAccountDomainInfo ); }
if ( pPrimaryDomainInfo != NULL ) { LsaFreeMemory( pPrimaryDomainInfo ); }
AfpGlobals.dwSrvrHlprCode = dwRetCode; SetEvent( AfpGlobals.heventSrvrHlprThread );
return( dwRetCode ); }
// If the local machine is not a controller, then close the handle
// since we have all the information we need.
//
if ( (hLsaController != NULL) && (hLsa != hLsaController) ) { LsaClose( hLsaController ); }
}
// OK everything initialize OK. Tell parent (init) thread that it may
// continue.
//
AfpGlobals.dwSrvrHlprCode = dwRetCode; SetEvent( AfpGlobals.heventSrvrHlprThread );
WaitForSingleObject( hmutexThreadCount, INFINITE ); AfpGlobals.nThreadCount++; ReleaseMutex( hmutexThreadCount );
pOutputBuffer = OutputBuffer; cbOutputBuffer = sizeof( OutputBuffer ); pAfpFsdCmd = (PAFP_FSD_CMD_PKT)pOutputBuffer;
pInputBuffer = NULL; cbInputBuffer = 0; pAfpFsdCmdResponse = (PAFP_FSD_CMD_PKT)NULL;
while( TRUE ) {
// IOCTL the FSD
//
ntStatus = NtFsControlFile( hFSD, NULL, NULL, NULL, &IoStatus, OP_GET_FSD_COMMAND, pInputBuffer, cbInputBuffer, pOutputBuffer, cbOutputBuffer );
if (!NT_SUCCESS(ntStatus)) AFP_PRINT(("SFMSVC: NtFsControlFile Returned %lx\n", ntStatus));
ASSERT( NT_SUCCESS( ntStatus ));
// Free previous call's input buffer
//
if ( pAfpFsdCmdResponse != NULL ) LocalFree( pAfpFsdCmdResponse );
// Process the command
//
switch( pAfpFsdCmd->Header.FsdCommand ) {
case AFP_FSD_CMD_NAME_TO_SID:
ntStatus = AfpNameToSid( hLsa, pAfpFsdCmd, &pAfpFsdCmdResponse, &cbInputBuffer );
if ( NT_SUCCESS( ntStatus )) pInputBuffer = (PBYTE)pAfpFsdCmdResponse; else { pInputBuffer = (PBYTE)&AfpCmdHeader; cbInputBuffer = sizeof( AFP_FSD_CMD_HEADER ); pAfpFsdCmdResponse = NULL; }
break;
case AFP_FSD_CMD_SID_TO_NAME:
ntStatus = AfpSidToName( hLsa, pAccountDomainInfo, pPrimaryDomainInfo, pAfpFsdCmd, &pAfpFsdCmdResponse, &cbInputBuffer );
if ( NT_SUCCESS( ntStatus )) pInputBuffer = (PBYTE)pAfpFsdCmdResponse; else { pInputBuffer = (PBYTE)&AfpCmdHeader; cbInputBuffer = sizeof( AFP_FSD_CMD_HEADER ); pAfpFsdCmdResponse = NULL; }
break;
case AFP_FSD_CMD_CHANGE_PASSWORD:
ntStatus = AfpChangePassword( hLsa, pAccountDomainInfo, pPrimaryDomainInfo, pAfpFsdCmd, &pAfpFsdCmdResponse, &cbInputBuffer );
pInputBuffer = (PBYTE)&AfpCmdHeader; cbInputBuffer = sizeof( AFP_FSD_CMD_HEADER ); pAfpFsdCmdResponse = NULL;
break;
case AFP_FSD_CMD_LOG_EVENT:
AfpLogServerEvent(pAfpFsdCmd);
pInputBuffer = (PBYTE)&AfpCmdHeader; cbInputBuffer = sizeof( AFP_FSD_CMD_HEADER ); pAfpFsdCmdResponse = NULL; ntStatus = STATUS_SUCCESS;
break;
case AFP_FSD_CMD_TERMINATE_THREAD:
// Do clean up
//
LsaClose( hLsa ); AfpFSDClose( hFSD );
WaitForSingleObject( hmutexThreadCount, INFINITE );
AfpGlobals.nThreadCount --; // This is the last thread so clean up all the global stuff.
//
if ( AfpGlobals.nThreadCount == 0 ) {
if ( pAccountDomainInfo != NULL ) { LsaFreeMemory( pAccountDomainInfo ); pAccountDomainInfo = NULL; }
if ( pPrimaryDomainInfo != NULL ) LsaFreeMemory( pPrimaryDomainInfo );
SetEvent(AfpGlobals.heventSrvrHlprThreadTerminate); }
ReleaseMutex( hmutexThreadCount );
return( NO_ERROR );
break;
default: ntStatus = STATUS_NOT_SUPPORTED; pInputBuffer = (PBYTE)&AfpCmdHeader; cbInputBuffer = sizeof( AFP_FSD_CMD_HEADER ); pAfpFsdCmdResponse = NULL; break;
}
CopyMemory( pInputBuffer, pAfpFsdCmd, sizeof( AFP_FSD_CMD_HEADER ) );
((PAFP_FSD_CMD_HEADER)pInputBuffer)->ntStatus = ntStatus; }
return( NO_ERROR );}�//**
//
// Call: AfpGetDomainInfo
//
// Returns: LsaQueryInformationPolicy, I_NetGetDCList and AfpOpenLsa
//
// Description: Will retrieve information regarding the account, primary and
// trusted domains.
//
DWORDAfpGetDomainInfo( IN LSA_HANDLE hLsa, IN OUT PLSA_HANDLE phLsaController, IN OUT PPOLICY_ACCOUNT_DOMAIN_INFO* ppAccountDomainInfo, IN OUT PPOLICY_PRIMARY_DOMAIN_INFO* ppPrimaryDomainInfo){ DWORD dwRetCode = 0; NTSTATUS ntStatus = STATUS_SUCCESS; LSA_ENUMERATION_HANDLE hLsaEnum = 0; LPWSTR DomainName = NULL; PDOMAIN_CONTROLLER_INFO pDCInfo = NULL; UNICODE_STRING DCName;
// This is not a loop.
//
do {
*phLsaController = NULL; *ppAccountDomainInfo = NULL; *ppPrimaryDomainInfo = NULL;
// Get the account domain
//
ntStatus = LsaQueryInformationPolicy( hLsa, PolicyAccountDomainInformation, (PVOID*)ppAccountDomainInfo );
if ( !NT_SUCCESS( ntStatus ) ) { AFP_PRINT( ( "SFMSVC: Lsa..Policy for Acct dom failed %lx\n",ntStatus)); break; }
// Get the primary domain
//
ntStatus = LsaQueryInformationPolicy( hLsa, PolicyPrimaryDomainInformation, (PVOID*)ppPrimaryDomainInfo ); if ( !NT_SUCCESS( ntStatus ) ) { AFP_PRINT( ( "SFMSVC: Lsa..Policy for Primary dom failed %lx\n",ntStatus)); break; }
// If this machine is part of a domain (not standalone), then we need
// to get a list of trusted domains. Note that a workstation and a
// member server can both join a domain, but they don't have to.
//
if ( (*ppPrimaryDomainInfo)->Sid != NULL ) {
// To obtain a list of trusted domains, we need to first open
// the LSA on a domain controller. If we are an PDC/BDC
// (NtProductLanManNt) then the local LSA will do, otherwise we need
// to search for domain controllers (NtProductServer, NtProductWinNt).
//
if ( AfpGlobals.NtProductType != NtProductLanManNt ) {
ULONG ulCount; ULONG ControllerCount = 0; PUNICODE_STRING ControllerNames = NULL; PUNICODE_STRING DomainController = NULL;
DomainName = (LPWSTR)LocalAlloc( LPTR, (*ppPrimaryDomainInfo)->Name.Length+sizeof(WCHAR));
if ( DomainName == NULL ) { dwRetCode = ERROR_NOT_ENOUGH_MEMORY; break; }
CopyMemory( DomainName, (*ppPrimaryDomainInfo)->Name.Buffer, (*ppPrimaryDomainInfo)->Name.Length );
DomainName[(*ppPrimaryDomainInfo)->Name.Length/sizeof(WCHAR)] = 0;
dwRetCode = DsGetDcName( NULL, (LPWSTR)DomainName, NULL, // domain
NULL, // site name
DS_DIRECTORY_SERVICE_PREFERRED, &pDCInfo);
if ( dwRetCode != NO_ERROR ) { AFP_PRINT( ( "SFMSVC: DsGetDcName failed 0x%lx\n",dwRetCode)); dwRetCode = ERROR_CANT_ACCESS_DOMAIN_INFO; break; }
AFP_PRINT(("SFMSVC: AfpOpenLsa on DC %ws for domain %ws\n", pDCInfo->DomainControllerName,DomainName));
RtlInitUnicodeString(&DCName, pDCInfo->DomainControllerName);
dwRetCode = AfpOpenLsa(&DCName, phLsaController );
//
// it's possible that this DC is down: force discovery
//
if (dwRetCode != NO_ERROR) {
AFP_PRINT(("SFMSVC: DC %ws unreachable, forcing discovery\n", pDCInfo->DomainControllerName));
NetApiBufferFree(pDCInfo);
pDCInfo = NULL;
dwRetCode = DsGetDcName( NULL, (LPWSTR)DomainName, NULL, NULL, (DS_DIRECTORY_SERVICE_PREFERRED | DS_FORCE_REDISCOVERY), &pDCInfo);
if ( dwRetCode != NO_ERROR ) { AFP_PRINT(("SFMSVC: second DsGetDcName failed %lx\n",dwRetCode)); dwRetCode = ERROR_CANT_ACCESS_DOMAIN_INFO; break; }
RtlInitUnicodeString(&DCName, pDCInfo->DomainControllerName);
dwRetCode = AfpOpenLsa(&DCName, phLsaController ); }
} else {
*phLsaController = hLsa;
// Since the local server is an PDC/BDC, it's account
// domain is the same as it's primary domain so set the
// account domain info to NULL
//
LsaFreeMemory( *ppAccountDomainInfo ); *ppAccountDomainInfo = NULL; }
} else { LsaFreeMemory( *ppPrimaryDomainInfo ); *ppPrimaryDomainInfo = NULL; }
} while( FALSE );
if (DomainName) { LocalFree( DomainName ); }
if (pDCInfo) { NetApiBufferFree(pDCInfo); }
if ( !NT_SUCCESS( ntStatus ) || ( dwRetCode != NO_ERROR ) ) { if ( *ppAccountDomainInfo != NULL ) { LsaFreeMemory( *ppAccountDomainInfo ); }
if ( *ppPrimaryDomainInfo != NULL ) { LsaFreeMemory( *ppPrimaryDomainInfo ); }
if ( *phLsaController != NULL ) { LsaClose( *phLsaController ); }
if ( dwRetCode == NO_ERROR ) { dwRetCode = RtlNtStatusToDosError( ntStatus ); } }
return( dwRetCode );
}�//**
//
// Call: AfpOpenLsa
//
// Returns: Returns from LsaOpenPolicy.
//
// Description: The LSA will be opened.
//
DWORDAfpOpenLsa( IN PUNICODE_STRING pSystem OPTIONAL, IN OUT PLSA_HANDLE phLsa){SECURITY_QUALITY_OF_SERVICE QOS;OBJECT_ATTRIBUTES ObjectAttributes;NTSTATUS ntStatus;
// Open the LSA and obtain a handle to it.
//
QOS.Length = sizeof( QOS ); QOS.ImpersonationLevel = SecurityImpersonation; QOS.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING; QOS.EffectiveOnly = FALSE;
InitializeObjectAttributes( &ObjectAttributes, NULL, 0L, NULL, NULL );
ObjectAttributes.SecurityQualityOfService = &QOS;
ntStatus = LsaOpenPolicy( pSystem, &ObjectAttributes, POLICY_VIEW_LOCAL_INFORMATION | POLICY_LOOKUP_NAMES, phLsa );
if ( !NT_SUCCESS( ntStatus )) { AFP_PRINT(("SFMSVC: AfpOpenLsa: LsaOpenPolicy failed %lx\n",ntStatus)); return( RtlNtStatusToDosError( ntStatus ) ); }
return( NO_ERROR );}�//
// Call: AfpNameToSid
//
// Returns: NT_SUCCESS
// error return codes from LSA apis.
//
// Description: Will use LSA API's to translate a name to a SID. On a
// successful return, the pSid should be freed using LocalFree.
//
NTSTATUSAfpNameToSid( IN LSA_HANDLE hLsa, IN PAFP_FSD_CMD_PKT pAfpFsdCmd, OUT PAFP_FSD_CMD_PKT *ppAfpFsdCmdResponse, OUT LPDWORD pcbResponse){NTSTATUS ntStatus;UNICODE_STRING Name;PLSA_REFERENCED_DOMAIN_LIST pDomainList;PLSA_TRANSLATED_SID pSids;UCHAR AuthCount;PSID pDomainSid;PSID pSid;
// This do - while(FALSE) loop facilitates a single exit and clean-up point.
//
do {
*ppAfpFsdCmdResponse = NULL; pDomainList = NULL; pSids = NULL;
RtlInitUnicodeString( &Name, (LPWSTR)(pAfpFsdCmd->Data.Name) );
ntStatus = LsaLookupNames( hLsa, 1, &Name, &pDomainList, &pSids );
if ( !NT_SUCCESS( ntStatus ) ) return( ntStatus );
if ( pSids->Use == SidTypeDeletedAccount ){ ntStatus = STATUS_NO_SUCH_USER; break; }
if ( ( pDomainList->Entries == 0 ) || ( pSids->Use == SidTypeDomain ) || ( pSids->Use == SidTypeInvalid ) || ( pSids->Use == SidTypeUnknown ) || ( pSids->DomainIndex == -1 )) {
ntStatus = STATUS_NONE_MAPPED; break; }
pDomainSid = pDomainList->Domains[pSids->DomainIndex].Sid;
AuthCount = *RtlSubAuthorityCountSid( pDomainSid ) + 1;
*pcbResponse = sizeof(AFP_FSD_CMD_PKT)+RtlLengthRequiredSid(AuthCount);
*ppAfpFsdCmdResponse = (PAFP_FSD_CMD_PKT)LocalAlloc(LPTR,*pcbResponse); if ( *ppAfpFsdCmdResponse == NULL ) { ntStatus = STATUS_NO_MEMORY ; break; }
pSid = (*ppAfpFsdCmdResponse)->Data.Sid;
// Copy the Domain Sid.
//
RtlCopySid( RtlLengthRequiredSid(AuthCount), pSid, pDomainSid );
// Append the Relative Id.
//
*RtlSubAuthorityCountSid( pSid ) += 1; *RtlSubAuthoritySid( pSid, AuthCount - 1) = pSids->RelativeId;
} while( FALSE );
if ( (!NT_SUCCESS( ntStatus )) && ( *ppAfpFsdCmdResponse != NULL ) ) LocalFree( *ppAfpFsdCmdResponse );
if ( pSids != NULL ) LsaFreeMemory( pSids );
if ( pDomainList != NULL ) LsaFreeMemory( pDomainList );
return( ntStatus );
}�//**
//
// Call: AfpSidToName
//
// Returns: NT_SUCCESS
// error return codes from LSA apis.
//
// Description: Given a SID, this routine will find the corresponding
// UNICODE name.
//
NTSTATUSAfpSidToName( IN LSA_HANDLE hLsa, IN PPOLICY_ACCOUNT_DOMAIN_INFO pAccountDomainInfo, IN PPOLICY_PRIMARY_DOMAIN_INFO pPrimaryDomainInfo, IN PAFP_FSD_CMD_PKT pAfpFsdCmd, OUT PAFP_FSD_CMD_PKT *ppAfpFsdCmdResponse, OUT LPDWORD pcbResponse){NTSTATUS ntStatus;PLSA_REFERENCED_DOMAIN_LIST pDomainList = NULL;PLSA_TRANSLATED_NAME pNames = NULL;PSID pSid = (PSID)&(pAfpFsdCmd->Data.Sid);WCHAR * pWchar;BOOL fDoNotCopyDomainName = TRUE;DWORD cbResponse;DWORD dwUse;SID AfpBuiltInSid = { 1, 1, SECURITY_NT_AUTHORITY, SECURITY_BUILTIN_DOMAIN_RID };
do {
*ppAfpFsdCmdResponse = NULL;
ntStatus = LsaLookupSids( hLsa, 1, &pSid, &pDomainList, &pNames );
if ( !NT_SUCCESS( ntStatus ) ) {
if ( ntStatus == STATUS_NONE_MAPPED ) {
dwUse = SidTypeUnknown; ntStatus = STATUS_SUCCESS; } else break; } else dwUse = pNames->Use;
cbResponse = sizeof( AFP_FSD_CMD_PKT );
switch( dwUse ){
case SidTypeInvalid: cbResponse += ((wcslen(AfpGlobals.wchInvalid)+1) * sizeof(WCHAR)); break;
case SidTypeDeletedAccount: cbResponse += ((wcslen(AfpGlobals.wchDeleted)+1) * sizeof(WCHAR)); break;
case SidTypeUnknown: cbResponse += ((wcslen(AfpGlobals.wchUnknown)+1) * sizeof(WCHAR)); break;
case SidTypeWellKnownGroup: cbResponse += ( pNames->Name.Length + sizeof(WCHAR) ); break;
case SidTypeDomain: cbResponse += ( pDomainList->Domains->Name.Length + sizeof(WCHAR) ); break;
default:
if ((pNames->DomainIndex == -1) || (pNames->Name.Buffer == NULL)){ ntStatus = STATUS_NONE_MAPPED; break; }
// Do not copy the domain name if the name is either a well known
// group or if the SID belongs to the ACCOUNT or BUILTIN domains.
// Note, the pAccountDomainInfo is NULL is this is an advanced
// server, in that case we check to see if the domain name is
// the primary domain name.
//
if (( RtlEqualSid( &AfpBuiltInSid, pDomainList->Domains->Sid )) || (( pAccountDomainInfo != NULL ) && (RtlEqualUnicodeString( &(pAccountDomainInfo->DomainName), &(pDomainList->Domains->Name), TRUE ))) || ((pAccountDomainInfo == NULL) && (pPrimaryDomainInfo != NULL) && (RtlEqualUnicodeString( &(pPrimaryDomainInfo->Name), &(pDomainList->Domains->Name), TRUE )))){
cbResponse += ( pNames->Name.Length + sizeof(WCHAR) );
fDoNotCopyDomainName = TRUE; } else {
fDoNotCopyDomainName = FALSE;
cbResponse += ( pDomainList->Domains->Name.Length + sizeof(TEXT('\\')) + pNames->Name.Length + sizeof(WCHAR) ); } }
if ( !NT_SUCCESS( ntStatus ) ) break;
*pcbResponse = cbResponse;
*ppAfpFsdCmdResponse = (PAFP_FSD_CMD_PKT)LocalAlloc(LPTR,cbResponse);
if ( *ppAfpFsdCmdResponse == NULL ){ ntStatus = STATUS_NO_MEMORY ; break; }
pWchar = (WCHAR*)((*ppAfpFsdCmdResponse)->Data.Name);
switch( dwUse ){
case SidTypeInvalid: wcscpy( pWchar, AfpGlobals.wchInvalid ); break;
case SidTypeDeletedAccount: wcscpy( pWchar, AfpGlobals.wchDeleted ); break;
case SidTypeUnknown: wcscpy( pWchar, AfpGlobals.wchUnknown ); break;
case SidTypeWellKnownGroup: CopyMemory( pWchar, pNames->Name.Buffer, pNames->Name.Length ); break;
case SidTypeDomain: CopyMemory( pWchar, pDomainList->Domains->Name.Buffer, pDomainList->Domains->Name.Length ); break;
default:
if ( !fDoNotCopyDomainName ) {
CopyMemory( pWchar, pDomainList->Domains->Name.Buffer, pDomainList->Domains->Name.Length );
pWchar += wcslen( pWchar );
CopyMemory( pWchar, TEXT("\\"), sizeof(TEXT("\\")) );
pWchar += wcslen( pWchar ); }
CopyMemory( pWchar, pNames->Name.Buffer, pNames->Name.Length ); }
} while( FALSE );
if ( (!NT_SUCCESS( ntStatus )) && ( *ppAfpFsdCmdResponse != NULL ) ) LocalFree( *ppAfpFsdCmdResponse );
if ( pNames != NULL ) LsaFreeMemory( pNames );
if ( pDomainList != NULL ) LsaFreeMemory( pDomainList );
return( ntStatus );
}�//**
//
// Call: AfpChangePassword
//
// Returns: NT_SUCCESS
// error return codes from LSA apis.
//
// Description: Given the AFP_PASSWORD_DESC data structure, this procedure
// will change the password of a given user.
// If the passwords are supplied in clear text, then it calculate
// the OWF's (encrypt OWF = One Way Function) them.
// If the domain name that the user
// belongs to is not supplied then a list of domains are tried
// in sequence. The sequence is 1) ACCOUNT domain
// 2) PRIMARY domain
// 3) All trusted domains.
//
NTSTATUSAfpChangePassword( IN LSA_HANDLE hLsa, IN PPOLICY_ACCOUNT_DOMAIN_INFO pAccountDomainInfo, IN PPOLICY_PRIMARY_DOMAIN_INFO pPrimaryDomainInfo, IN PAFP_FSD_CMD_PKT pAfpFsdCmd, OUT PAFP_FSD_CMD_PKT *ppAfpFsdCmdResponse, OUT LPDWORD pcbResponse){
PAFP_PASSWORD_DESC pPassword = &(pAfpFsdCmd->Data.Password); NTSTATUS ntStatus=STATUS_SUCCESS; PSID pDomainSid; UNICODE_STRING TargetDomainName; WCHAR RefDomainName[DNLEN+1]; DWORD cbRefDomainNameLen; DWORD cbSidLen; PSID pUserSid=NULL; PLSA_TRANSLATED_SID pTransSids; SID_NAME_USE peUse; PLSA_REFERENCED_DOMAIN_LIST pDomainList=NULL; DWORD dwRetCode;
AFP_PRINT(("SFMSVC: entered AfpChangePassword for user %ws\n",(LPWSTR)pPassword->UserName));
do {
//
// Was the domain on which the account name exists specified ??
//
if ( pPassword->DomainName[0] != TEXT('\0') ) { RtlInitUnicodeString(&TargetDomainName, (LPWSTR)pPassword->DomainName); }
//
// hmmm, no domain name. We must first find which domain this user belongs to
//
else { cbRefDomainNameLen = DNLEN+1;
cbSidLen = 100;
do { dwRetCode = ERROR_SUCCESS; if (pUserSid) { LocalFree(pUserSid); }
pUserSid = (PSID)LocalAlloc(LPTR, cbSidLen);
if (pUserSid == NULL) { dwRetCode = ERROR_NO_SYSTEM_RESOURCES; break; }
if (!LookupAccountName( NULL, (LPWSTR)pPassword->UserName, pUserSid, &cbSidLen, RefDomainName, &cbRefDomainNameLen, &peUse)) { ntStatus = (NTSTATUS)GetLastError(); }
AFP_PRINT(("SFMSVC: LookupAccountName in loop: %#x\n",GetLastError()));
} while ( dwRetCode == ERROR_INSUFFICIENT_BUFFER );
if (dwRetCode != ERROR_SUCCESS) { AFP_PRINT(("SFMSVC: LookupAccountName on %ws failed with %ld\n",(LPWSTR)pPassword->UserName,dwRetCode)); ntStatus = (NTSTATUS)dwRetCode; break; }
LocalFree(pUserSid);
RtlInitUnicodeString(&TargetDomainName, RefDomainName); }
AFP_PRINT(("SFMSVC: changing pwd for user (%ws), domain (%ws)\n", (LPWSTR)pPassword->UserName,TargetDomainName.Buffer));
//
// now, we must find the sid for this domain
//
ntStatus = LsaLookupNames(hLsa, 1, &TargetDomainName, &pDomainList, &pTransSids);
if (!NT_SUCCESS(ntStatus)) { AFP_PRINT(("SFMSVC: LsaLookupNames failed %lx\n",ntStatus)); break; }
if ((pDomainList->Entries == 0) || (pTransSids->DomainIndex == -1) || (pTransSids->Use != SidTypeDomain) || (pTransSids->Use == SidTypeInvalid) || (pTransSids->Use == SidTypeUnknown)) { AFP_PRINT(("SFMSVC: invalide type? Entries = %d, DomIndex = %d, Use = %d\n", pDomainList->Entries,pTransSids->DomainIndex,pTransSids->Use)); ntStatus = STATUS_NONE_MAPPED; break; }
pDomainSid = pDomainList->Domains[pTransSids->DomainIndex].Sid;
//
// call our function to change the password
//
ntStatus = AfpChangePasswordOnDomain( pPassword, &TargetDomainName, pDomainSid );
AFP_PRINT(("SFMSVC: AfpChangePasswordOnDomain returned %lx\n",ntStatus));
} while ( FALSE );
if (pDomainList) { LsaFreeMemory( pDomainList ); }
return( ntStatus );}�//**
//
// Call: AfpChangePasswordOnDomain
//
// Returns: NT_SUCCESS
// STATUS_NONE_MAPPED - If the user account does not
// exist in the specified domain.
// error return codes from LSA apis.
//
// Description: This procedure will try to change the user's password on a
// specified domain. It is assumed that this procedure will be
// called with either the pDomainName pointing to the domain, or
// the pPassword->DomainName field containing the domain.
//
NTSTATUSAfpChangePasswordOnDomain( IN PAFP_PASSWORD_DESC pPassword, IN PUNICODE_STRING pDomainName, IN PSID pDomainSid){
LPWSTR DCName = (LPWSTR)NULL; SAM_HANDLE hServer = (SAM_HANDLE)NULL; SAM_HANDLE hDomain = (SAM_HANDLE)NULL; SAM_HANDLE hUser = (SAM_HANDLE)NULL; PULONG pUserId = (PULONG)NULL; PSID_NAME_USE pUse = (PSID_NAME_USE)NULL; OBJECT_ATTRIBUTES ObjectAttributes; UNICODE_STRING UserName; ANSI_STRING AOldPassword; UNICODE_STRING UOldPassword; ANSI_STRING ANewPassword; UNICODE_STRING UNewPassword; POEM_STRING pOemSrvName; OEM_STRING OemServerName; OEM_STRING OemUserName; SECURITY_QUALITY_OF_SERVICE QOS; PPOLICY_ACCOUNT_DOMAIN_INFO pDomainInfo = NULL; NTSTATUS ntStatus; UNICODE_STRING PDCServerName; PUNICODE_STRING pPDCServerName = &PDCServerName; PDOMAIN_PASSWORD_INFORMATION pPasswordInfo = NULL; BYTE EncryptedPassword[LM_OWF_PASSWORD_LENGTH]; WCHAR wchDomain[DNLEN+1]; PDOMAIN_CONTROLLER_INFO pDCInfo = NULL; PUSER_INFO_1 pUserInfo = NULL; BOOLEAN fNeedToResolveDCName = FALSE; DWORD dwRetCode;
if ((pPassword->AuthentMode == RANDNUM_EXCHANGE) || (pPassword->AuthentMode == TWOWAY_EXCHANGE)) {
AFP_PRINT(("SFMSVC: Entering AfpChangePwdArapStyle for RANDNUM_EXCHANGE || TWOWAY_EXCHANGE\n")); ntStatus = AfpChangePwdArapStyle(pPassword, pDomainName, pDomainSid); AFP_PRINT(("SFMSVC: Returned from AfpChangePwdArapStyle with error %lx\n", ntStatus)); return(ntStatus); }
OemServerName.Buffer = NULL; OemUserName.Buffer = NULL;
InitializeObjectAttributes( &ObjectAttributes, NULL, 0L, NULL, NULL );
QOS.Length = sizeof( QOS ); QOS.ImpersonationLevel = SecurityImpersonation; QOS.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING; QOS.EffectiveOnly = FALSE;
ObjectAttributes.SecurityQualityOfService = &QOS;
// If the domain was not the account domain then we try to get the
// primary domain controller for the domain.
//
if ((pDomainName != NULL) && (pAccountDomainInfo != NULL) && !(RtlEqualUnicodeString( &(pAccountDomainInfo->DomainName),pDomainName, TRUE))) { fNeedToResolveDCName = TRUE; } if ((pAccountDomainInfo == NULL) && (pDomainName != NULL)) { fNeedToResolveDCName = TRUE; } if (fNeedToResolveDCName) { ZeroMemory( wchDomain, sizeof( wchDomain ) );
CopyMemory( wchDomain, pDomainName->Buffer, pDomainName->Length );
// Get the PDC for the domain if this is not the account domain
//
dwRetCode = DsGetDcName( NULL, wchDomain, NULL, NULL, (DS_DIRECTORY_SERVICE_PREFERRED | DS_WRITABLE_REQUIRED), &pDCInfo);
if ( dwRetCode != NO_ERROR ) { AFP_PRINT (("SFMSVC: AfpChange... DsGetDcName failed %lx\n",dwRetCode)); return( STATUS_CANT_ACCESS_DOMAIN_INFO ); } else { AFP_PRINT (("SFMSVC: AfpChange... DsGetDcName succeeded\n")); }
AFP_PRINT (("SFMSVC: AfpChange... DsGetDcName: Got DC Name (%ws)\n", pDCInfo->DomainControllerName));
RtlInitUnicodeString(pPDCServerName, pDCInfo->DomainControllerName);
DCName = pDCInfo->DomainControllerName; } else { AFP_PRINT (("SFMSVC: AfpChange... Do *not* require to call DsGetDcName\n"));
pPDCServerName = NULL;
DCName = NULL; }
do { //
// first and foremost: make sure this user can actually change pwd
//
if ((ntStatus= NetUserGetInfo( (LPWSTR)DCName, pPassword->UserName, 1, (LPBYTE*)&pUserInfo )) == NO_ERROR ) {
if ( ( pUserInfo->usri1_flags & UF_PASSWD_CANT_CHANGE ) || ( pUserInfo->usri1_flags & UF_LOCKOUT ) ) { AFP_PRINT(("SFMSVC: can't change pwd: %s\n", (pUserInfo->usri1_flags & UF_LOCKOUT) ? "account is locked out" : "user not allowed to change pwd"));
ntStatus = STATUS_ACCESS_DENIED; break; } else if ( pUserInfo->usri1_flags & UF_ACCOUNTDISABLE ) { AFP_PRINT(("SFMSVC: can't change pwd: user account is disabled\n")); ntStatus = STATUS_ACCOUNT_DISABLED; break; } } else { AFP_PRINT(("SFMSVC: can't change pwd: NetUserGetInfo failed with error %ld\n", ntStatus));
if (ntStatus == ERROR_ACCESS_DENIED) { ntStatus = STATUS_SUCCESS; } else { ntStatus = STATUS_PASSWORD_RESTRICTION; break; } }
//
// if this is a password change request coming from MSUAM Version 2 or 3
// then we are getting passwords (and not OWFs) encrypted. Use a
// different scheme of changing password
//
if (pPassword->AuthentMode == CUSTOM_UAM_V2) { OemServerName.MaximumLength = OemServerName.Length = 0; OemUserName.MaximumLength = OemUserName.Length = 0;
RtlInitUnicodeString( &UserName, pPassword->UserName );
if (pPDCServerName) { ntStatus = RtlUnicodeStringToOemString( &OemServerName, pPDCServerName, TRUE // allocate buffer
); if (!NT_SUCCESS(ntStatus)) { AFP_PRINT(("SFMSVC: 1st Rtl..OemString failed %lx\n",ntStatus)); break; }
pOemSrvName = &OemServerName; } else { pOemSrvName = NULL; }
ntStatus = RtlUnicodeStringToOemString( &OemUserName, &UserName, TRUE // allocate buffer
); if (!NT_SUCCESS(ntStatus)) { AFP_PRINT(("SFMSVC: 2nd Rtl..OemString failed %lx\n",ntStatus)); break; }
ntStatus = SamiOemChangePasswordUser2( pOemSrvName, &OemUserName, (PSAMPR_ENCRYPTED_USER_PASSWORD)pPassword->NewPassword, (PENCRYPTED_LM_OWF_PASSWORD)pPassword->OldPassword);
AFP_PRINT(("SFMSVC: change pwd for MSUAM V2.0 user done, status = %lx\n",ntStatus));
// done here
break; } else if (pPassword->AuthentMode == CUSTOM_UAM_V3) { BOOLEAN LmPresent;
RtlInitUnicodeString( &UserName, pPassword->UserName );
if (pPassword->NtEncryptedBuff.Ciphers.h.Version != 1 && pPassword->NtEncryptedBuff.Ciphers.h.Version != 2) { ntStatus = STATUS_INVALID_PARAMETER; break; }
LmPresent = pPassword->NtEncryptedBuff.Ciphers.h.Version == 2 ? TRUE : FALSE;
ntStatus = SamiChangePasswordUser2( pPDCServerName, &UserName, &pPassword->NtEncryptedBuff.Ciphers.m1.NewPasswordEncryptedWithOldNt, &pPassword->NtEncryptedBuff.Ciphers.m1.OldNtOwfPasswordEncryptedWithNewNt, LmPresent, LmPresent ? &pPassword->NtEncryptedBuff.Ciphers.m2.NewPasswordEncryptedWithOldLm : NULL, LmPresent ? &pPassword->NtEncryptedBuff.Ciphers.m2.OldLmOwfPasswordEncryptedWithNewLmOrNt : NULL ); AFP_PRINT(("SFMSVC: change pwd for MSUAM V3.0 user done, status = %#x\n", ntStatus));
// done here
break; }
AFP_PRINT(("SFMSVC: AuthMode != MSUAM\n"));
// Connect to the PDC of that domain
//
ntStatus = SamConnect( pPDCServerName, &hServer, SAM_SERVER_EXECUTE, &ObjectAttributes);
if ( !NT_SUCCESS( ntStatus )) { AFP_PRINT(("SFMSVC: SamConnect to %ws failed %lx\n", (pPDCServerName)?pPDCServerName->Buffer:L"LOCAL",ntStatus)); break; }
// Get Sid of Domain and open the domain
//
ntStatus = SamOpenDomain( hServer, DOMAIN_EXECUTE, pDomainSid, &hDomain );
if ( !NT_SUCCESS( ntStatus )) { AFP_PRINT(("SFMSVC: SamOpenDomain failed %lx\n",ntStatus)); break; }
// Get this user's ID
//
RtlInitUnicodeString( &UserName, pPassword->UserName );
ntStatus = SamLookupNamesInDomain( hDomain, 1, &UserName, &pUserId, &pUse );
if ( !NT_SUCCESS( ntStatus )) { AFP_PRINT(("SFMSVC: SamLookupNamesInDomain failed %lx\n",ntStatus)); break; }
// Open the user account for this user
//
ntStatus = SamOpenUser( hDomain, USER_CHANGE_PASSWORD, *pUserId, &hUser );
if ( !NT_SUCCESS( ntStatus )) { AFP_PRINT(("SFMSVC: SamOpenUser failed %lx\n",ntStatus)); break; }
// First get the minimum password length requred
//
ntStatus = SamQueryInformationDomain( hDomain, DomainPasswordInformation, &pPasswordInfo );
if ( !NT_SUCCESS( ntStatus ) ) { AFP_PRINT(("SFMSVC: SamQueryInformationDomain failed %lx\n",ntStatus)); break; }
// First we check to see if the passwords passed are in cleartext.
// If they are, we need to calculate the OWF's for them.
// (OWF = "One Way Function")
//
if ( pPassword->AuthentMode == CLEAR_TEXT_AUTHENT ) { AFP_PRINT(("SFMSVC: AuthentMode == CLEAR_TEXT_AUTHENT\n"));
// First check to see if the new password is long enough
//
if ( wcslen ( (PWCHAR)pPassword->NewPassword ) < pPasswordInfo->MinPasswordLength ) { AFP_PRINT (("SFMSVC: NewPwdLen (%ld) < MinPwdLen (%ld)\n", wcslen ( (PWCHAR)pPassword->NewPassword ), pPasswordInfo->MinPasswordLength)); ntStatus = STATUS_PWD_TOO_SHORT; break; }
UOldPassword.Buffer = (PWCHAR)pPassword->OldPassword; UOldPassword.Length = UOldPassword.MaximumLength = (USHORT)pPassword->OldPasswordLen;
UNewPassword.Buffer = (PWCHAR)pPassword->NewPassword; UNewPassword.Length = UNewPassword.MaximumLength = (USHORT)pPassword->NewPasswordLen;
#if 0
AFP_PRINT (("SFMSVC: OldPwd = %Z, OldLen = (%ld), NewPwd = %Z, NewLen = (%ld)\n", &UOldPassword, UOldPassword.Length, &UNewPassword, UNewPassword.Length));#endif
AFP_PRINT(("SFMSVC: Calling SamChangePasswordUser2\n"));
// Change the password for this user
//
ntStatus = SamChangePasswordUser2 ( pPDCServerName, &UserName, &UOldPassword, &UNewPassword );
AFP_PRINT(("SFMSVC: SamChangePasswordUser2 returned %lx\n", ntStatus));
break; } else {
if (pPassword->bPasswordLength < pPasswordInfo->MinPasswordLength) { AFP_PRINT(("SFMSVC: AfpChangePasswordOnDomain: pwd is too short\n")); ntStatus = STATUS_PWD_TOO_SHORT; break; } }
AFP_PRINT(("SFMSVC: Invalid UAM type\n")); ntStatus = STATUS_INVALID_PARAMETER; break;
} while( FALSE );
if ( pUserInfo != NULL ) { NetApiBufferFree( pUserInfo ); }
if ( hServer != (SAM_HANDLE)NULL ) { SamCloseHandle( hServer ); }
if ( hDomain != (SAM_HANDLE)NULL ) { SamCloseHandle( hDomain ); }
if ( hUser != (SAM_HANDLE)NULL ) { SamCloseHandle( hUser ); }
if ( pDomainInfo != NULL ) { LsaFreeMemory( pDomainInfo ); }
if ( pUserId != (PULONG)NULL ) { SamFreeMemory( pUserId ); }
if ( pUse != (PSID_NAME_USE)NULL ) { SamFreeMemory( pUse ); }
if ( pPasswordInfo != (PDOMAIN_PASSWORD_INFORMATION)NULL ) { SamFreeMemory( pPasswordInfo ); }
if (pDCInfo) { NetApiBufferFree(pDCInfo); }
if (OemServerName.Buffer) { RtlFreeAnsiString(&OemServerName); }
if (OemUserName.Buffer) { RtlFreeAnsiString(&OemUserName); }
return( ntStatus );}�//**
//
// Call: AfpIOCTLDomainOffsets
//
// Returns: NT_SUCCESS
// error return codes from LSA apis.
//
// Description: Will IOCTL a list of SIDs and corresponding POSIX offsets
// of all trusted domains and other well known domains.
//
//
DWORDAfpIOCTLDomainOffsets( IN LSA_HANDLE hLsa, IN PPOLICY_ACCOUNT_DOMAIN_INFO pAccountDomainInfo, IN PPOLICY_PRIMARY_DOMAIN_INFO pPrimaryDomainInfo){ NTSTATUS ntStatus; LSA_HANDLE hLsaDomain; PTRUSTED_POSIX_OFFSET_INFO pPosixOffset; PAFP_SID_OFFSET pSidOffset; ULONG cbSids; PBYTE pbVariableData; AFP_SID_OFFSET pWellKnownSids[20]; DWORD dwIndex; DWORD dwCount; AFP_REQUEST_PACKET AfpRequestPkt; PAFP_SID_OFFSET_DESC pAfpSidOffsets = NULL; DWORD cbSidOffsets; DWORD dwRetCode;
// Null this array out.
//
ZeroMemory( pWellKnownSids, sizeof(AFP_SID_OFFSET)*20 );
// This is a dummy loop used only so that the break statement may
// be used to localize all the clean up in one place.
//
do {
// Create all the well known SIDs
//
ntStatus = AfpCreateWellknownSids( pWellKnownSids );
if ( !NT_SUCCESS( ntStatus ) ) { break; }
// Add the size of the all the well known SIDS
//
for( dwCount = 0, cbSids = 0; pWellKnownSids[dwCount].pSid != (PBYTE)NULL; dwCount++ ) { cbSids += RtlLengthSid( (PSID)(pWellKnownSids[dwCount].pSid) ); }
// Insert the SID of the Account domain if is is not an advanced server
//
if ( pAccountDomainInfo != NULL ) { cbSids += RtlLengthSid( pAccountDomainInfo->DomainSid ); dwCount++; }
// Add the primary domain Sids only if this machine
// is a member of a domain.
//
if ( pPrimaryDomainInfo != NULL ) { cbSids += RtlLengthSid( pPrimaryDomainInfo->Sid ); dwCount++; }
// OK, now allocate space for all these SIDS plus their offsets
//
cbSidOffsets = (dwCount * sizeof(AFP_SID_OFFSET)) + cbSids + (sizeof(AFP_SID_OFFSET_DESC) - sizeof(AFP_SID_OFFSET));
pAfpSidOffsets = (PAFP_SID_OFFSET_DESC)LocalAlloc( LPTR, cbSidOffsets );
if ( pAfpSidOffsets == NULL ) { ntStatus = STATUS_NO_MEMORY ; break; }
// First insert all the well known SIDS
//
for( dwIndex = 0, pAfpSidOffsets->CountOfSidOffsets = dwCount, pSidOffset = pAfpSidOffsets->SidOffsetPairs, pbVariableData = (LPBYTE)pAfpSidOffsets + cbSidOffsets;
pWellKnownSids[dwIndex].pSid != (PBYTE)NULL;
dwIndex++ ) {
pbVariableData-=RtlLengthSid((PSID)(pWellKnownSids[dwIndex].pSid));
ntStatus = AfpInsertSidOffset( pSidOffset++, pbVariableData, (PSID)(pWellKnownSids[dwIndex].pSid), pWellKnownSids[dwIndex].Offset, pWellKnownSids[dwIndex].SidType );
if ( !NT_SUCCESS( ntStatus ) ) { break; } }
if ( !NT_SUCCESS( ntStatus ) ) { break; }
// Now insert the Account domain's SID/OFFSET pair if there is one
//
if ( pAccountDomainInfo != NULL ) { pbVariableData -= RtlLengthSid( pAccountDomainInfo->DomainSid );
ntStatus = AfpInsertSidOffset( pSidOffset++, pbVariableData, pAccountDomainInfo->DomainSid, SE_ACCOUNT_DOMAIN_POSIX_OFFSET, AFP_SID_TYPE_DOMAIN );
if ( !NT_SUCCESS( ntStatus ) ) { break; }
// Construct the "None" sid if we are a standalone server (i.e. not
// a PDC or BDC). This will be used when querying the group ID of
// a directory so the the UI will never show this group to the user.
//
if ( AfpGlobals.NtProductType != NtProductLanManNt ) { ULONG SubAuthCount, SizeNoneSid = 0;
SubAuthCount = *RtlSubAuthorityCountSid(pAccountDomainInfo->DomainSid);
SizeNoneSid = RtlLengthRequiredSid(SubAuthCount + 1);
if ((AfpGlobals.pSidNone = (PSID)LocalAlloc(LPTR,SizeNoneSid)) == NULL) { ntStatus = STATUS_INSUFFICIENT_RESOURCES; break; }
RtlCopySid(SizeNoneSid, AfpGlobals.pSidNone, pAccountDomainInfo->DomainSid);
// Add the relative ID
*RtlSubAuthorityCountSid(AfpGlobals.pSidNone) = (UCHAR)(SubAuthCount+1);
// Note that the "None" sid on standalone is the same as the
// "Domain Users" Sid on PDC/BDC. (On PDC/BDC the primary
// domain is the same as the account domain).
*RtlSubAuthoritySid(AfpGlobals.pSidNone, SubAuthCount) = DOMAIN_GROUP_RID_USERS;
}
}
// Now insert the primary domain if this machine is a member of a domain
//
if ( pPrimaryDomainInfo != NULL ) {
// Insert the primary domain's SID/OFFSET pair
//
pbVariableData -= RtlLengthSid( pPrimaryDomainInfo->Sid );
ntStatus = AfpInsertSidOffset( pSidOffset++, pbVariableData, pPrimaryDomainInfo->Sid, SE_PRIMARY_DOMAIN_POSIX_OFFSET, AFP_SID_TYPE_PRIMARY_DOMAIN );
if ( !NT_SUCCESS( ntStatus ) ) { break; } }
} while( FALSE );
// IOCTL down the information if all was OK
//
if ( NT_SUCCESS( ntStatus ) ) { AfpRequestPkt.dwRequestCode = OP_SERVER_ADD_SID_OFFSETS; AfpRequestPkt.dwApiType = AFP_API_TYPE_ADD; AfpRequestPkt.Type.SetInfo.pInputBuf = pAfpSidOffsets; AfpRequestPkt.Type.Add.cbInputBufSize = cbSidOffsets;
dwRetCode = AfpServerIOCtrl( &AfpRequestPkt ); } else { dwRetCode = RtlNtStatusToDosError( ntStatus ); }
if ( pAfpSidOffsets != NULL ) { LocalFree( pAfpSidOffsets ); }
// Free all the well known SIDS
//
for( dwIndex = 0; pWellKnownSids[dwIndex].pSid != (PBYTE)NULL; dwIndex++ ) { RtlFreeSid( (PSID)(pWellKnownSids[dwIndex].pSid) ); }
return( dwRetCode );
}�//**
//
// Call: AfpInsertSidOffset
//
// Returns: NT_SUCCESS
// error return codes from RtlCopySid
//
// Description: Will insert a SID/OFFSET pair in the slot pointed to by
// pSidOffset. The pbVariableData will point to where the
// SID will be stored.
//
NTSTATUSAfpInsertSidOffset( IN PAFP_SID_OFFSET pSidOffset, IN LPBYTE pbVariableData, IN PSID pSid, IN DWORD Offset, IN AFP_SID_TYPE afpSidType){NTSTATUS ntStatus;
// Copy the offset
//
pSidOffset->Offset = Offset;
// Set the SID type
//
pSidOffset->SidType = afpSidType;
// Copy Sid at the end of the buffer and set the offset to it
//
ntStatus = RtlCopySid( RtlLengthSid( pSid ), pbVariableData, pSid );
if ( !NT_SUCCESS( ntStatus ) ) return( ntStatus );
pSidOffset->pSid = pbVariableData;
POINTER_TO_OFFSET( (pSidOffset->pSid), pSidOffset );
return( STATUS_SUCCESS );
}�//**
//
// Call: AfpCreateWellknownSids
//
// Returns: NT_SUCCESS
// STATUS_NO_MEMORY
// non-zero returns from RtlAllocateAndInitializeSid
//
// Description: Will allocate and initialize all well known SIDs.
// The array is terminated by a NULL pointer.
//
NTSTATUSAfpCreateWellknownSids( OUT AFP_SID_OFFSET pWellKnownSids[]){PSID pSid;DWORD dwIndex = 0;NTSTATUS ntStatus;SID_IDENTIFIER_AUTHORITY NullSidAuthority = SECURITY_NULL_SID_AUTHORITY;SID_IDENTIFIER_AUTHORITY WorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY;SID_IDENTIFIER_AUTHORITY LocalSidAuthority = SECURITY_LOCAL_SID_AUTHORITY;SID_IDENTIFIER_AUTHORITY CreatorSidAuthority= SECURITY_CREATOR_SID_AUTHORITY;SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
do {
//
// OK, create all the well known SIDS
//
// Create NULL SID
//
ntStatus = RtlAllocateAndInitializeSid( &NullSidAuthority, 1, SECURITY_NULL_RID, 0,0,0,0,0,0,0, &pSid );
if ( !NT_SUCCESS( ntStatus ) ) break;
pWellKnownSids[dwIndex].pSid = (PBYTE)pSid; pWellKnownSids[dwIndex].Offset = SE_NULL_POSIX_ID; pWellKnownSids[dwIndex].SidType = AFP_SID_TYPE_WELL_KNOWN; dwIndex++;
// Create WORLD SID
//
ntStatus = RtlAllocateAndInitializeSid( &WorldSidAuthority, 1, SECURITY_WORLD_RID, 0,0,0,0,0,0,0, &pSid );
if ( !NT_SUCCESS( ntStatus ) ) break;
pWellKnownSids[dwIndex].pSid = (PBYTE)pSid; pWellKnownSids[dwIndex].Offset = SE_WORLD_POSIX_ID; pWellKnownSids[dwIndex].SidType = AFP_SID_TYPE_WELL_KNOWN; dwIndex++;
// Create LOCAL SID
//
ntStatus = RtlAllocateAndInitializeSid( &LocalSidAuthority, 1, SECURITY_LOCAL_RID, 0,0,0,0,0,0,0, &pSid );
if ( !NT_SUCCESS( ntStatus ) ) break;
pWellKnownSids[dwIndex].pSid = (PBYTE)pSid; pWellKnownSids[dwIndex].Offset = SE_LOCAL_POSIX_ID; pWellKnownSids[dwIndex].SidType = AFP_SID_TYPE_WELL_KNOWN; dwIndex++;
// Create CREATOR OWNER SID
//
ntStatus = RtlAllocateAndInitializeSid( &CreatorSidAuthority, 1, SECURITY_CREATOR_OWNER_RID, 0,0,0,0,0,0,0, &pSid );
if ( !NT_SUCCESS( ntStatus ) ) break;
pWellKnownSids[dwIndex].pSid = (PBYTE)pSid; pWellKnownSids[dwIndex].Offset = SE_CREATOR_OWNER_POSIX_ID; pWellKnownSids[dwIndex].SidType = AFP_SID_TYPE_WELL_KNOWN; dwIndex++;
// Create CREATOR GROUP SID
//
ntStatus = RtlAllocateAndInitializeSid( &CreatorSidAuthority, 1, SECURITY_CREATOR_GROUP_RID, 0,0,0,0,0,0,0, &pSid );
if ( !NT_SUCCESS( ntStatus ) ) break;
pWellKnownSids[dwIndex].pSid = (PBYTE)pSid; pWellKnownSids[dwIndex].Offset = SE_CREATOR_GROUP_POSIX_ID; pWellKnownSids[dwIndex].SidType = AFP_SID_TYPE_WELL_KNOWN; dwIndex++;
// Create SECURITY_NT_AUTHORITY Sid
//
ntStatus = RtlAllocateAndInitializeSid( &NtAuthority, 0,0,0,0,0,0,0,0,0, &pSid );
if ( !NT_SUCCESS( ntStatus ) ) break;
pWellKnownSids[dwIndex].pSid = (PBYTE)pSid; pWellKnownSids[dwIndex].Offset = SE_AUTHORITY_POSIX_ID; pWellKnownSids[dwIndex].SidType = AFP_SID_TYPE_WELL_KNOWN; dwIndex++;
// Create SECURITY_DIALUP Sid
//
ntStatus = RtlAllocateAndInitializeSid( &NtAuthority, 1, SECURITY_DIALUP_RID, 0,0,0,0,0,0,0, &pSid );
if ( !NT_SUCCESS( ntStatus ) ) break;
pWellKnownSids[dwIndex].pSid = (PBYTE)pSid; pWellKnownSids[dwIndex].Offset = SE_DIALUP_POSIX_ID; pWellKnownSids[dwIndex].SidType = AFP_SID_TYPE_WELL_KNOWN; dwIndex++;
// Create SECURITY_NETWORK Sid
//
ntStatus = RtlAllocateAndInitializeSid( &NtAuthority, 1, SECURITY_NETWORK_RID, 0,0,0,0,0,0,0, &pSid );
if ( !NT_SUCCESS( ntStatus ) ) break;
pWellKnownSids[dwIndex].pSid = (PBYTE)pSid; pWellKnownSids[dwIndex].Offset = SE_NETWORK_POSIX_ID; pWellKnownSids[dwIndex].SidType = AFP_SID_TYPE_WELL_KNOWN; dwIndex++;
// Create SECURITY_BATCH Sid
//
ntStatus = RtlAllocateAndInitializeSid( &NtAuthority, 1, SECURITY_BATCH_RID, 0,0,0,0,0,0,0, &pSid );
if ( !NT_SUCCESS( ntStatus ) ) break;
pWellKnownSids[dwIndex].pSid = (PBYTE)pSid; pWellKnownSids[dwIndex].Offset = SE_NETWORK_POSIX_ID; pWellKnownSids[dwIndex].SidType = AFP_SID_TYPE_WELL_KNOWN; dwIndex++;
// Create SECURITY_INTERACTIVE Sid
//
ntStatus = RtlAllocateAndInitializeSid( &NtAuthority, 1, SECURITY_INTERACTIVE_RID, 0,0,0,0,0,0,0, &pSid );
if ( !NT_SUCCESS( ntStatus ) ) break;
pWellKnownSids[dwIndex].pSid = (PBYTE)pSid; pWellKnownSids[dwIndex].Offset = SE_INTERACTIVE_POSIX_ID; pWellKnownSids[dwIndex].SidType = AFP_SID_TYPE_WELL_KNOWN; dwIndex++;
// Create SECURITY_SERVICE Sid
//
ntStatus = RtlAllocateAndInitializeSid( &NtAuthority, 1, SECURITY_SERVICE_RID, 0,0,0,0,0,0,0, &pSid );
if ( !NT_SUCCESS( ntStatus ) ) break;
pWellKnownSids[dwIndex].pSid = (PBYTE)pSid; pWellKnownSids[dwIndex].Offset = SE_SERVICE_POSIX_ID; pWellKnownSids[dwIndex].SidType = AFP_SID_TYPE_WELL_KNOWN; dwIndex++;
// Create the built in domain SID
//
ntStatus = RtlAllocateAndInitializeSid( &NtAuthority, 1, SECURITY_BUILTIN_DOMAIN_RID, 0,0,0,0,0,0,0, &pSid );
if ( !NT_SUCCESS( ntStatus ) ) break;
pWellKnownSids[dwIndex].pSid = (PBYTE)pSid; pWellKnownSids[dwIndex].Offset = SE_BUILT_IN_DOMAIN_POSIX_OFFSET; pWellKnownSids[dwIndex].SidType = AFP_SID_TYPE_DOMAIN; dwIndex++;
pWellKnownSids[dwIndex].pSid = (PBYTE)NULL;
} while( FALSE );
if ( !NT_SUCCESS( ntStatus ) ) {
while( dwIndex > 0 ) RtlFreeSid( pWellKnownSids[--dwIndex].pSid ); }
return( ntStatus );}
//**
//
// Call: AfpChangePwdArapStyle
//
// Returns: return code
//
// Description: This procedure will try to change the user's password on a
// specified domain. This does it only for native Apple UAM clients
// i.e., the user's password is stored in the DS in a reversibly-encrypted
// form, and the client sends the old and the new password (not owf as in
// MS-UAM case). This is what ARAP does, that's why the name.
// This function is big time cut-n-paste from the ARAP code
//
NTSTATUSAfpChangePwdArapStyle( IN PAFP_PASSWORD_DESC pPassword, IN PUNICODE_STRING pDomainName, IN PSID pDomainSid){
NTSTATUS status; NTSTATUS PStatus; PMSV1_0_PASSTHROUGH_REQUEST pPassThruReq; PMSV1_0_SUBAUTH_REQUEST pSubAuthReq; PMSV1_0_PASSTHROUGH_RESPONSE pPassThruResp; PMSV1_0_SUBAUTH_RESPONSE pSubAuthResp; DWORD dwSubmitBufLen; DWORD dwSubmitBufOffset; PRAS_SUBAUTH_INFO pRasSubAuthInfo; PARAP_SUBAUTH_REQ pArapSubAuthInfo; ARAP_SUBAUTH_RESP ArapResp; PARAP_SUBAUTH_RESP pArapRespBuffer; PVOID RetBuf; DWORD dwRetBufLen;
// if our registeration with lsa process failed at init time, or if
// there is no domain name for this user, just fail the succer
// (if the user logged on successfully using native Apple UAM, then
// there had better be a domain!)
if ((SfmLsaHandle == NULL) ||(pDomainName == NULL)) { return(STATUS_LOGON_FAILURE); }
if (pDomainName != NULL) { if (pDomainName->Length == 0) { return(STATUS_LOGON_FAILURE); } }
dwSubmitBufLen = sizeof(MSV1_0_PASSTHROUGH_REQUEST) + sizeof(WCHAR)*(MAX_ARAP_USER_NAMELEN+1) + // domain name
sizeof(TEXT(MSV1_0_PACKAGE_NAME)) + // package name
sizeof(MSV1_0_SUBAUTH_REQUEST) + sizeof(RAS_SUBAUTH_INFO) + sizeof(ARAP_SUBAUTH_REQ) + ALIGN_WORST; // for alignment
pPassThruReq = (PMSV1_0_PASSTHROUGH_REQUEST) GlobalAlloc(GMEM_FIXED, dwSubmitBufLen);
if (!pPassThruReq) { return (STATUS_INSUFFICIENT_RESOURCES); }
RtlZeroMemory((PBYTE)pPassThruReq, dwSubmitBufLen);
//
// Set up the MSV1_0_PASSTHROUGH_REQUEST structure
//
// tell MSV that it needs to visit our subauth pkg (for change pwd)
pPassThruReq->MessageType = MsV1_0GenericPassthrough;
pPassThruReq->DomainName.Length = pDomainName->Length;
pPassThruReq->DomainName.MaximumLength = (sizeof(WCHAR) * (MAX_ARAP_USER_NAMELEN+1));
pPassThruReq->DomainName.Buffer = (PWSTR) (pPassThruReq + 1);
RtlMoveMemory(pPassThruReq->DomainName.Buffer, pDomainName->Buffer, pPassThruReq->DomainName.Length);
pPassThruReq->PackageName.Length = (sizeof(WCHAR) * wcslen(TEXT(MSV1_0_PACKAGE_NAME)));
pPassThruReq->PackageName.MaximumLength = sizeof(TEXT(MSV1_0_PACKAGE_NAME));
pPassThruReq->PackageName.Buffer = (PWSTR)((PBYTE)(pPassThruReq->DomainName.Buffer) + pPassThruReq->DomainName.MaximumLength);
RtlMoveMemory(pPassThruReq->PackageName.Buffer, TEXT(MSV1_0_PACKAGE_NAME), sizeof(TEXT(MSV1_0_PACKAGE_NAME)));
pPassThruReq->DataLength = sizeof(MSV1_0_SUBAUTH_REQUEST) + sizeof(RAS_SUBAUTH_INFO) + sizeof(ARAP_SUBAUTH_REQ);
pPassThruReq->LogonData = ROUND_UP_POINTER( ((PBYTE)pPassThruReq->PackageName.Buffer + pPassThruReq->PackageName.MaximumLength), ALIGN_WORST );
if (pPassThruReq->LogonData >= ((PCHAR)pPassThruReq + dwSubmitBufLen)) { AFP_PRINT (("srvrhlpr.c: Error in ROUND_UP_POINTER\n")); GlobalFree((HGLOBAL)pPassThruReq); return STATUS_INVALID_BUFFER_SIZE; }
pSubAuthReq = (PMSV1_0_SUBAUTH_REQUEST)pPassThruReq->LogonData;
pSubAuthReq->MessageType = MsV1_0SubAuth; pSubAuthReq->SubAuthPackageId = MSV1_0_SUBAUTHENTICATION_DLL_RAS;
pSubAuthReq->SubAuthInfoLength = sizeof(RAS_SUBAUTH_INFO) + sizeof(ARAP_SUBAUTH_REQ);
//
// this pointer is self-relative
//
pSubAuthReq->SubAuthSubmitBuffer = (PUCHAR)sizeof(MSV1_0_SUBAUTH_REQUEST);
//
// copy the structure our subauth pkg will use at the other end
//
pRasSubAuthInfo = (PRAS_SUBAUTH_INFO)(pSubAuthReq + 1);
pRasSubAuthInfo->ProtocolType = RAS_SUBAUTH_PROTO_ARAP; pRasSubAuthInfo->DataSize = sizeof(ARAP_SUBAUTH_REQ);
pArapSubAuthInfo = (PARAP_SUBAUTH_REQ)&pRasSubAuthInfo->Data[0];
pArapSubAuthInfo->PacketType = SFM_SUBAUTH_CHGPWD_PKT;
if (wcslen(pPassword->UserName) > MAX_ARAP_USER_NAMELEN) { AFP_PRINT (("srvrhlpr.c: Username greater than 32 characters\n")); GlobalFree((HGLOBAL)pPassThruReq); return STATUS_INVALID_PARAMETER; }
wcsncpy(pArapSubAuthInfo->ChgPwd.UserName, pPassword->UserName, MAX_ARAP_USER_NAMELEN); pArapSubAuthInfo->ChgPwd.UserName[wcslen(pPassword->UserName)] = L'\0';
RtlCopyMemory(pArapSubAuthInfo->ChgPwd.OldMunge, pPassword->OldPassword, MAX_MAC_PWD_LEN);
pArapSubAuthInfo->ChgPwd.OldMunge[MAX_MAC_PWD_LEN] = 0;
RtlCopyMemory(pArapSubAuthInfo->ChgPwd.NewMunge, pPassword->NewPassword, MAX_MAC_PWD_LEN);
pArapSubAuthInfo->ChgPwd.NewMunge[MAX_MAC_PWD_LEN] = 0;
//
// whew! finally done setting up all the parms: now call that api
//
status = LsaCallAuthenticationPackage ( SfmLsaHandle, SfmAuthPkgId, pPassThruReq, dwSubmitBufLen, &RetBuf, &dwRetBufLen, &PStatus);
if (status != STATUS_SUCCESS || PStatus != STATUS_SUCCESS) { GlobalFree((HGLOBAL)pPassThruReq);
if (status == STATUS_SUCCESS) { status = PStatus; } return(status); }
pPassThruResp = (PMSV1_0_PASSTHROUGH_RESPONSE)RetBuf;
pSubAuthResp = (PMSV1_0_SUBAUTH_RESPONSE)(pPassThruResp->ValidationData);
// our return buffer is in self-relative format
pArapRespBuffer = (PARAP_SUBAUTH_RESP)((PBYTE)pSubAuthResp + (ULONG_PTR)(pSubAuthResp->SubAuthReturnBuffer));
RtlCopyMemory(&ArapResp, (PUCHAR)pArapRespBuffer, pSubAuthResp->SubAuthInfoLength);
GlobalFree((HGLOBAL)pPassThruReq);
LsaFreeReturnBuffer(RetBuf);
if(ArapResp.Result != 0) { return(STATUS_UNSUCCESSFUL); }
return(STATUS_SUCCESS);
}
|
