// ServMigr.cpp : Implementation of CServMigr
#include "stdafx.h"
#include "ScmMigr.h"
#include "ServMigr.h"
#include "ErrDct.hpp"
#include "ResStr.h"
#include "Common.hpp"
#include "PWGen.hpp"
#include "EaLen.hpp"
#include "TReg.hpp"
#include "TxtSid.h"
#include "ARExt_i.c"
#include "LsaUtils.h"
#include "crypt.hxx"
#include "GetDcName.h"
#include <lm.h>
#include <dsgetdc.h>
#include <ntdsapi.h>
#include <Sddl.h>
#include "folders.h"
using namespace nsFolders;
//#import "\bin\McsVarSetMin.tlb" no_namespace, named_guids
//#import "\bin\DBManager.tlb" no_namespace, named_guids
//#import "\bin\McsDctWorkerObjects.tlb" no_namespace, named_guids
#import "VarSet.tlb" no_namespace, named_guids rename("property", "aproperty")
//#import "DBMgr.tlb" no_namespace, named_guids //already #imported in ServMigr.h
#import "WorkObj.tlb" no_namespace, named_guids
TErrorDct err;
StringLoader gString;
#define BLOCK_SIZE 160
#define BUFFER_SIZE 400
#define SvcAcctStatus_NotMigratedYet 0
#define SvcAcctStatus_DoNotUpdate 1
#define SvcAcctStatus_Updated 2
#define SvcAcctStatus_UpdateFailed 4
#define SvcAcctStatus_NeverAllowUpdate 8
// these defines are for GetWellKnownSid
#define ADMINISTRATORS 1
#define SYSTEM 7
/////////////////////////////////////////////////////////////////////////////
// CServMigr
STDMETHODIMP CServMigr::ProcessUndo(/*[in]*/ IUnknown * pSource, /*[in]*/ IUnknown * pTarget, /*[in]*/ IUnknown * pMainSettings, /*[in, out]*/ IUnknown ** pPropToSet, /*[in,out]*/ EAMAccountStats* pStats)
{
return E_NOTIMPL;
}
STDMETHODIMP CServMigr::PreProcessObject(/*[in]*/ IUnknown * pSource, /*[in]*/ IUnknown * pTarget, /*[in]*/ IUnknown * pMainSettings, /*[in, out]*/ IUnknown ** pPropToSet, /*[in,out]*/ EAMAccountStats* pStats)
{
return S_OK;
}
STDMETHODIMP
CServMigr::ProcessObject(
/*[in]*/ IUnknown * pSource,
/*[in]*/ IUnknown * pTarget,
/*[in]*/ IUnknown * pMainSettings,
/*[in,out]*/IUnknown ** ppPropsToSet,
/*[in,out]*/ EAMAccountStats* pStats
)
{
HRESULT hr = S_OK;
WCHAR domAccount[500];
WCHAR domTgtAccount[500];
IVarSetPtr pVarSet(pMainSettings);
IIManageDBPtr pDB;
_bstr_t logfile;
_bstr_t srcComputer;
_bstr_t tgtComputer;
IVarSetPtr pData(CLSID_VarSet);
IUnknown * pUnk = NULL;
DWORD rc = 0;
_bstr_t sIntraForest;
BOOL bIntraForest = FALSE;
USER_INFO_2 * uInfo = NULL;
try {
logfile = pVarSet->get(GET_BSTR(DCTVS_Options_Logfile));
if ( logfile.length() )
{
err.LogOpen(logfile,1);
}
pDB = pVarSet->get(GET_BSTR(DCTVS_DBManager));
if ( pDB != NULL )
{
// Check to see if this account is referenced in the service accounts table
m_strSourceDomain = pVarSet->get(GET_BSTR(DCTVS_Options_SourceDomain));
m_strSourceDomainFlat = pVarSet->get(GET_BSTR(DCTVS_Options_SourceDomainFlat));
m_strTargetDomain = pVarSet->get(GET_BSTR(DCTVS_Options_TargetDomain));
m_strTargetDomainFlat = pVarSet->get(GET_BSTR(DCTVS_Options_TargetDomainFlat));
m_strSourceSam = pVarSet->get(GET_BSTR(DCTVS_CopiedAccount_SourceSam));
m_strTargetSam = pVarSet->get(GET_BSTR(DCTVS_CopiedAccount_TargetSam));
srcComputer = pVarSet->get(GET_BSTR(DCTVS_Options_SourceServer));
tgtComputer = pVarSet->get(GET_BSTR(DCTVS_Options_TargetServer));
sIntraForest = pVarSet->get(GET_BSTR(DCTVS_Options_IsIntraforest));
if ( ! UStrICmp((WCHAR*)sIntraForest,GET_STRING(IDS_YES)) )
{
// for intra-forest migration we are moving, not copying, so we don't need to update the password
// Actually, it turns out that ChangeServiceConfig will not let us update just the service account
// and not the passord, so we'll have to go ahead and change the password for the service ac
//bIntraForest = TRUE;
}
//if the SAM account name has a " character in it, it cannot be a service
//account, and therefore we leave
if (wcschr((WCHAR*)m_strSourceSam, L'\"')) {
return S_OK;
}
swprintf(domAccount,L"%s\\%s",(WCHAR*)m_strSourceDomainFlat,(WCHAR*)m_strSourceSam);
swprintf(domTgtAccount,L"%s\\%s",(WCHAR*)m_strTargetDomainFlat,(WCHAR*)m_strTargetSam);
}
}
catch (_com_error& ce) {
hr = ce.Error();
return hr;
}
catch (... )
{
return E_FAIL;
}
try {
hr = pData->QueryInterface(IID_IUnknown,(void**)&pUnk);
if ( SUCCEEDED(hr) )
{
hr = pDB->raw_GetServiceAccount(_bstr_t(domAccount),&pUnk);
}
}
catch (_com_error& ce) {
if (pUnk)
pUnk->Release();
hr = ce.Error();
return hr;
}
catch ( ... )
{
if (pUnk)
pUnk->Release();
return E_FAIL;
}
try {
if ( SUCCEEDED(hr) )
{
pData = pUnk;
pUnk->Release();
pUnk=NULL;
// remove the password must change flag, if set
DWORD parmErr = 0;
WCHAR password[LEN_Password];
long entries = pData->get("ServiceAccountEntries");
if ( (entries != 0) && !bIntraForest ) // if we're moving the account, don't mess with its properties
{
//
// Open password log file if it has not been already opened.
//
if (!m_bTriedToOpenFile)
{
m_bTriedToOpenFile = true;
_bstr_t strPasswordFile = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_PasswordFile));
if (m_passwordLog.LogOpen(strPasswordFile) == FALSE)
{
err.MsgWrite(ErrI, DCT_MSG_SERVICES_WILL_NOT_BE_UPDATED);
if (pStats != NULL)
{
pStats->errors.users++;
}
}
}
rc = NetUserGetInfo(tgtComputer,m_strTargetSam,2,(LPBYTE*)&uInfo);
if ( ! rc )
{
// generate a new, strong, 14 character password for this account,
// and set the password to not expire
rc = EaPasswordGenerate(3,3,3,3,6,14,password,DIM(password));
if (!rc)
{
//
// Only set password to not expire if able
// to write password to password file.
//
if (m_passwordLog.IsOpen())
{
uInfo->usri2_flags |= (UF_DONT_EXPIRE_PASSWD);
}
uInfo->usri2_password = password;
rc = NetUserSetInfo(tgtComputer,m_strTargetSam,2,(LPBYTE)uInfo,&parmErr);
if ( ! rc )
{
if (m_passwordLog.IsOpen())
{
err.MsgWrite(0,DCT_MSG_REMOVED_PWDCHANGE_FLAG_S,(WCHAR*)m_strTargetSam);
}
err.MsgWrite(0,DCT_MSG_PWGENERATED_S,(WCHAR*)m_strTargetSam);
// write the password to the password log file and mark this account, so that the
// SetPassword extension will not reset the password again.
pVarSet->put(GET_BSTR(DCTVS_CopiedAccount_DoNotUpdatePassword),m_strSourceSam);
//
// If password log is open then write password to file
// otherwise set error code so that services are not updated.
//
if (m_passwordLog.IsOpen())
{
m_passwordLog.MsgWrite(L"%ls,%ls",(WCHAR*)m_strTargetSam,password);
}
else
{
rc = ERROR_OPEN_FAILED;
}
}
else
{
if (pStats != NULL)
pStats->errors.users++;
err.SysMsgWrite(ErrE,rc,DCT_MSG_REMOVED_PWDCHANGE_FLAG_FAILED_SD,(WCHAR*)m_strTargetSam,rc);
}
uInfo->usri2_password = NULL;
}
NetApiBufferFree(uInfo);
uInfo = NULL;
}
}
if (entries != 0 )
{
try {
if ( ! rc )
{
WCHAR strSID[200] = L"";
BYTE sid[200];
WCHAR sdomain[LEN_Domain];
SID_NAME_USE snu;
DWORD lenSid = DIM(sid);
DWORD lenDomain = DIM(sdomain);
DWORD lenStrSid = DIM(strSID);
if ( LookupAccountName(tgtComputer,m_strTargetSam,sid,&lenSid,sdomain,&lenDomain,&snu) )
{
if ( GetTextualSid(sid,strSID,&lenStrSid) )
{
// for each reference to the service account, update the SCM
// for intra-forest migration, don't update the password
if ( bIntraForest )
UpdateSCMs(pData,domTgtAccount,NULL,strSID,pDB, pStats);
else
UpdateSCMs(pData,domTgtAccount,password,strSID,pDB, pStats);
}
else
{
if (pStats != NULL)
pStats->errors.users++;
err.SysMsgWrite(ErrE,GetLastError(),DCT_MSG_CANNOT_FIND_ACCOUNT_SSD,m_strTargetSam,tgtComputer,GetLastError());
}
}
else
{
if (pStats != NULL)
pStats->errors.users++;
err.SysMsgWrite(ErrE,GetLastError(),DCT_MSG_CANNOT_FIND_ACCOUNT_SSD,m_strTargetSam,tgtComputer,GetLastError());
}
}
}
catch (_com_error& ce) {
hr = ce.Error();
return hr;
}
catch(...)
{
return E_FAIL;
}
}
}
else
{
if (pStats != NULL)
pStats->errors.users++;
err.SysMsgWrite(ErrE,E_FAIL,DCT_MSG_DB_OBJECT_CREATE_FAILED_D,E_FAIL);
}
err.LogClose();
}
catch (_com_error& ce) {
if (pUnk)
pUnk->Release();
if (uInfo)
NetApiBufferFree(uInfo);
hr = ce.Error();
return hr;
}
catch (... )
{
if (pUnk)
pUnk->Release();
if (uInfo)
NetApiBufferFree(uInfo);
return E_FAIL;
}
return S_OK;
}
STDMETHODIMP CServMigr::get_sDesc(/*[out, retval]*/ BSTR *pVal)
{
(*pVal) = SysAllocString(L"Updates SCM entries for services using migrated accounts.");
return S_OK;
}
STDMETHODIMP CServMigr::put_sDesc(/*[in]*/ BSTR newVal)
{
return E_NOTIMPL;
}
STDMETHODIMP CServMigr::get_sName(/*[out, retval]*/ BSTR *pVal)
{
(*pVal) = SysAllocString(L"Generic Service Account Migration");
return S_OK;
}
STDMETHODIMP CServMigr::put_sName(/*[in]*/ BSTR newVal)
{
return E_NOTIMPL;
}
DWORD
CServMigr::DoUpdate(
WCHAR const * account,
WCHAR const * password,
WCHAR const * strSid,
WCHAR const * computer,
WCHAR const * service,
BOOL bNeedToGrantLOS,
EAMAccountStats *pStats
)
{
DWORD rc = 0;
WCHAR const * ppassword = password;
// if password is empty, set it to NULL
if ( ppassword && ppassword[0] == 0 )
{
ppassword = NULL;
}
else if ( !UStrCmp(password,L"NULL") )
{
ppassword = NULL;
}
// only try to update entries that we need to be updating
// try to connect to the SCM on this machine
SC_HANDLE pScm = OpenSCManager(computer, NULL, SC_MANAGER_ALL_ACCESS );
if ( pScm )
{
// grant the logon as a service right to the target account
if ( bNeedToGrantLOS )
{
LSA_HANDLE hPolicy;
NTSTATUS ntsStatus = OpenPolicy(
const_cast<LPWSTR>(computer),
POLICY_CREATE_ACCOUNT|POLICY_LOOKUP_NAMES,
&hPolicy
);
rc = LsaNtStatusToWinError(ntsStatus);
if (rc == ERROR_SUCCESS)
{
LSA_UNICODE_STRING lsausUserRights;
InitLsaString(&lsausUserRights, _T("SeServiceLogonRight"));
PSID pSid = SidFromString(strSid);
if (pSid)
{
ntsStatus = LsaAddAccountRights(hPolicy, pSid, &lsausUserRights, 1L);
rc = LsaNtStatusToWinError(ntsStatus);
FreeSid(pSid);
}
else
{
rc = ERROR_OUTOFMEMORY;
}
LsaClose(hPolicy);
}
if ( rc )
{
if (pStats != NULL)
pStats->errors.users++;
err.SysMsgWrite(ErrE,rc,DCT_MSG_LOS_GRANT_FAILED_SSD,
account,(WCHAR*)computer,rc);
}
else
{
err.MsgWrite(0,DCT_MSG_LOS_GRANTED_SS,
account,(WCHAR*)computer);
}
}
SC_HANDLE pService = OpenService(pScm,service,SERVICE_ALL_ACCESS);
if ( pService )
{
int nCnt = 0;
/* make sure the same user still starts this service */
//get the source account names
BOOL bSameAccount = TRUE;
_bstr_t sSrcDom, sSrcSAM, sSrcUPN;
_bstr_t sSrcAccount = L"";
_bstr_t sSrcAccountUPN = L"";
//if not given src names (not migrating right now), get them
if ((!m_strSourceDomainFlat) && (!m_strSourceSam))
{
//if got names, get UPN name also
if (RetrieveOriginalAccount(sSrcDom, sSrcSAM))
{
sSrcUPN = GetUPNName(sSrcSAM);
sSrcAccount = sSrcDom + _bstr_t(L"\\") + sSrcSAM;
}
}
else //els if given src names (migrate this object now), use those names
{
sSrcDom = m_strSourceDomainFlat;
sSrcSAM = m_strSourceSam;
sSrcUPN = GetUPNName(sSrcSAM);
sSrcAccount = sSrcDom + _bstr_t(L"\\") + sSrcSAM;
}
//if got names to check, check them
if ((sSrcAccount.length()) || (sSrcUPN.length()))
{
BYTE buf[3000];
QUERY_SERVICE_CONFIG * pConfig = (QUERY_SERVICE_CONFIG *)buf;
DWORD lenNeeded = 0;
// get the information about this service
if (QueryServiceConfig(pService, pConfig, sizeof buf, &lenNeeded))
{
//if not the same account, check UPN name or set to FALSE
if ((sSrcAccount.length()) && (UStrICmp(pConfig->lpServiceStartName,sSrcAccount)))
{
//if UPN name, try it
if (sSrcUPN.length())
{
//if not match either, set flag to FALSE;
if (UStrICmp(pConfig->lpServiceStartName,sSrcUPN))
bSameAccount = FALSE;
}
else //else, not a match
bSameAccount = FALSE;
}
}
}//if got names
//if same account, update the SCM
if (bSameAccount)
{
// update the account and password for the service
while ( !ChangeServiceConfig(pService,
SERVICE_NO_CHANGE, // dwServiceType
SERVICE_NO_CHANGE, // dwStartType
SERVICE_NO_CHANGE, // dwErrorControl
NULL, // lpBinaryPathName
NULL, // lpLoadOrderGroup
NULL, // lpdwTagId
NULL, // lpDependencies
account, // lpServiceStartName
ppassword, // lpPassword
NULL) && nCnt < 5) // lpDisplayName
{
nCnt++;
Sleep(500);
}
if ( nCnt < 5 )
{
err.MsgWrite(0,DCT_MSG_UPDATED_SCM_ENTRY_SS,(WCHAR*)computer,(WCHAR*)service);
}
else
{
rc = GetLastError();
}
}//end if still same account
else //else if not same user, put message in log and return error
{
err.MsgWrite(0,DCT_MSG_UPDATE_SCM_ENTRY_UNMATCHED_SSD,(WCHAR*)computer,(WCHAR*)service,(WCHAR*)sSrcAccount);
rc = DCT_MSG_UPDATE_SCM_ENTRY_UNMATCHED_SSD;
}
CloseServiceHandle(pService);
}
CloseServiceHandle(pScm);
}
else
{
rc = GetLastError();
}
return rc;
}
BOOL
CServMigr::UpdateSCMs(
IUnknown * pVS,
WCHAR const * account,
WCHAR const * password,
WCHAR const * strSid,
IIManageDB * pDB,
EAMAccountStats * pStats
)
{
BOOL bGotThemAll = TRUE;
IVarSetPtr pVarSet = pVS;
LONG nCount = 0;
WCHAR key[LEN_Path];
_bstr_t computer;
_bstr_t service;
long status;
DWORD rc = 0;
BOOL bFirst = TRUE;
WCHAR prevComputer[LEN_Path] = L"";
try {
nCount = pVarSet->get("ServiceAccountEntries");
for ( long i = 0 ; i < nCount ; i++ )
{
swprintf(key,L"Computer.%ld",i);
computer = pVarSet->get(key);
swprintf(key,L"Service.%ld",i);
service = pVarSet->get(key);
swprintf(key,L"ServiceAccountStatus.%ld",i);
status = pVarSet->get(key);
if ( status == SvcAcctStatus_NotMigratedYet || status == SvcAcctStatus_UpdateFailed )
{
if ( UStrICmp(prevComputer,(WCHAR*)computer) )
{
bFirst = TRUE; // reset the 'first' flag when the computer changes
}
try {
rc = DoUpdate(account,password,strSid,computer,service,bFirst/*only grant SeServiceLogonRight once per account*/,
pStats);
bFirst = FALSE;
safecopy(prevComputer,(WCHAR*)computer);
}
catch (...)
{
// Do we need to trigger the counter increment here?
// if (pStats != NULL)
// pStats->errors.users++;
err.DbgMsgWrite(ErrE,L"Exception!");
err.DbgMsgWrite(0,L"Updating %ls on %ls",(WCHAR*)service,(WCHAR*)computer);
err.DbgMsgWrite(0,L"Account=%ls, SID=%ls",(WCHAR*)account,(WCHAR*)strSid);
rc = E_FAIL;
}
if (! rc )
{
// the update was successful
pDB->raw_SetServiceAcctEntryStatus(computer,service,_bstr_t(account),SvcAcctStatus_Updated);
}
else
{
// couldn't connect to this one -- we will need to save this account's password
// in our encrypted storage
pDB->raw_SetServiceAcctEntryStatus(computer,service,NULL,SvcAcctStatus_UpdateFailed);
bGotThemAll = FALSE;
SaveEncryptedPassword(computer,service,account,password);
//if the current service account didn't match, we need not log an error
if (rc != DCT_MSG_UPDATE_SCM_ENTRY_UNMATCHED_SSD)
{
err.SysMsgWrite(ErrE,rc,DCT_MSG_UPDATE_SCM_ENTRY_FAILED_SSD,(WCHAR*)computer,(WCHAR*)service,rc);
pStats->errors.users++;
}
}
}
//else if skipping, still log in file so we can update later
else if (status == SvcAcctStatus_DoNotUpdate)
SaveEncryptedPassword(computer,service,account,password);
}
}
catch ( ... )
{
// Do we need to trigger the counter increment here?
// if (pStats != NULL)
// pStats->errors.users++;
err.DbgMsgWrite(ErrE,L"Exception!");
}
return bGotThemAll;
}
HRESULT
CServMigr::SaveEncryptedPassword(
WCHAR const * server,
WCHAR const * service,
WCHAR const * account,
WCHAR const * password
)
{
HRESULT hr = S_OK;
TNodeListEnum e;
TEntryNode* pNode;
// if entry exists...
for (pNode = (TEntryNode*)e.OpenFirst(&m_List); pNode; pNode = (TEntryNode*)e.Next())
{
if (_wcsicmp(pNode->GetComputer(), server) == 0)
{
if (_wcsicmp(pNode->GetService(), service) == 0)
{
if (_wcsicmp(pNode->GetAccount(), account) == 0)
{
// update password
try {
pNode->SetPassword(password);
}
catch (_com_error& ce) {
hr = ce.Error();
return hr;
}
break;
}
}
}
}
// else...
if (pNode == NULL)
{
// insert new entry
try {
pNode = new TEntryNode(server, service, account, password);
}
catch (_com_error& ce) {
hr = ce.Error();
return hr;
}
if (pNode)
{
m_List.InsertBottom(pNode);
}
else
{
hr = E_OUTOFMEMORY;
}
}
return hr;
}
//////////////////////////////////////////////////////////////////////////////////////
///
/// TEntryList implementation of secure storage for service account passwords
///
///
//////////////////////////////////////////////////////////////////////////////////////
DWORD
TEntryList::LoadFromFile(WCHAR const * filename)
{
DWORD rc = 0;
FILE * hSource = NULL;
HCRYPTPROV hProv = 0;
HCRYPTKEY hKey = 0;
BYTE pbBuffer[BLOCK_SIZE];
WCHAR strData[BLOCK_SIZE * 5] = { 0 };
DWORD dwCount;
int eof = 0;
WCHAR fullpath[LEN_Path];
BYTE *pbKeyBlob = NULL;
DWORD dwBlobLen;
// Get our install directory from the registry, and then append the filename
HKEY hRegKey;
DWORD type;
DWORD lenValue = (sizeof fullpath);
rc = RegOpenKey(HKEY_LOCAL_MACHINE,REGKEY_ADMT,&hRegKey);
if ( ! rc )
{
rc = RegQueryValueEx(hRegKey,L"Directory",0,&type,(LPBYTE)fullpath,&lenValue);
if (! rc )
{
UStrCpy(fullpath+UStrLen(fullpath),filename);
}
RegCloseKey(hRegKey);
}
if (rc != ERROR_SUCCESS)
{
goto done;
}
// Open the source file.
if((hSource = _wfopen(fullpath,L"rb"))==NULL)
{
rc = GetLastError();
goto done;
}
// acquire handle to key container which must exist
if ((hProv = AcquireContext(true)) == 0)
{
rc = GetLastError();
goto done;
}
// Read the key blob length from the source file and allocate it to memory.
fread(&dwBlobLen, sizeof(DWORD), 1, hSource);
if(ferror(hSource) || feof(hSource))
{
rc = GetLastError();
goto done;
}
if((pbKeyBlob = (BYTE*)malloc(dwBlobLen)) == NULL)
{
rc = GetLastError();
goto done;
}
// Read the key blob from the source file.
fread(pbKeyBlob, 1, dwBlobLen, hSource);
if(ferror(hSource) || feof(hSource))
{
rc = GetLastError();
goto done;
}
// Import the key blob into the CSP.
if(!CryptImportKey(hProv, pbKeyBlob, dwBlobLen, 0, 0, &hKey))
{
rc = GetLastError();
goto done;
}
// Decrypt the source file and load the list
do {
// Read up to BLOCK_SIZE bytes from source file.
dwCount = fread(pbBuffer, 1, BLOCK_SIZE, hSource);
if(ferror(hSource))
{
rc = GetLastError();
goto done;
}
eof=feof(hSource);
// Decrypt the data.
if(!CryptDecrypt(hKey, 0, eof, 0, pbBuffer, &dwCount))
{
rc = GetLastError();
goto done;
}
// Read any complete entries from the buffer
// first, add the buffer contents to any leftover information we had read from before
WCHAR * curr = strData;
long len = UStrLen(strData);
WCHAR * nl = NULL;
WCHAR computer[LEN_Computer];
WCHAR service[LEN_Service];
WCHAR account[LEN_Account];
WCHAR password[LEN_Password];
wcsncpy(strData + len,(WCHAR*)pbBuffer, dwCount / sizeof(WCHAR));
strData[len + (dwCount / sizeof(WCHAR))] = 0;
do {
nl = wcschr(curr,L'\n');
if ( nl )
{
*nl = 0;
if ( swscanf(curr,L" %[^\t]\t%[^\t]\t%[^\t]\t%[^\t]\n",computer,service,account,password) )
{
TEntryNode * pNode = NULL;
try {
pNode = new TEntryNode(computer,service,account,password);
}
catch (_com_error& ce) {
rc = ERROR_NOT_ENOUGH_MEMORY;
goto done;
}
InsertBottom(pNode);
}
else
{
rc = E_FAIL;
break;
}
// go on to the next entry
curr = nl + 1;
}
} while ( nl );
// there may be a partial record left in the buffer
// if so, save it for the next read
if ( (*curr) != 0 )
{
memmove(strData,curr,( 1 + UStrLen(curr) ) * (sizeof WCHAR));
}
else
{
strData[0] = L'\0';
}
} while(!feof(hSource));
done:
// Clean up
if(pbKeyBlob)
free(pbKeyBlob);
if(hKey != 0)
CryptDestroyKey(hKey);
if(hProv != 0)
CryptReleaseContext(hProv, 0);
if(hSource != NULL)
fclose(hSource);
return rc;
}
DWORD
TEntryList::SaveToFile(WCHAR const * filename)
{
DWORD rc = 0;
BYTE pbBuffer[BUFFER_SIZE];
DWORD dwCount;
HANDLE hDest = INVALID_HANDLE_VALUE;
BYTE * pbKeyBlob = NULL;
DWORD dwBlobLen;
HCRYPTPROV hProv = 0;
HCRYPTKEY hKey = 0;
HCRYPTKEY hXchgKey = 0;
TEntryNode * pNode;
TNodeListEnum e;
WCHAR fullpath[LEN_Path];
DWORD dwBlockSize;
DWORD cbBlockSize = sizeof(dwBlockSize);
DWORD dwPaddedCount;
DWORD cbWritten;
// Open the destination file.
HKEY hRegKey;
DWORD type;
DWORD lenValue = (sizeof fullpath);
rc = RegOpenKey(HKEY_LOCAL_MACHINE,REGKEY_ADMT,&hRegKey);
if ( ! rc )
{
rc = RegQueryValueEx(hRegKey,L"Directory",0,&type,(LPBYTE)fullpath,&lenValue);
if (! rc )
{
UStrCpy(fullpath+UStrLen(fullpath),filename);
}
RegCloseKey(hRegKey);
}
if (rc != ERROR_SUCCESS)
{
goto done;
}
//
// Delete previous data file if it exists. This obviates the need to change the
// security descriptor on the file as CreateFile does not apply the security
// descriptor if the file is opened but only when created.
//
if (!DeleteFile(fullpath))
{
rc = GetLastError();
if (rc == ERROR_FILE_NOT_FOUND)
{
rc = ERROR_SUCCESS;
}
else
{
goto done;
}
}
//
// Create security descriptor with administrators as owner and permissions on file
// so that only administrators and system have full access to the file.
//
PSECURITY_DESCRIPTOR psd = NULL;
BOOL bConvert = ConvertStringSecurityDescriptorToSecurityDescriptor(
_T("O:BAD:P(A;NP;FA;;;BA)(A;NP;FA;;;SY)"),
SDDL_REVISION_1,
&psd,
NULL
);
if (!bConvert)
{
rc = GetLastError();
goto done;
}
//
// Create file.
//
SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = psd;
sa.bInheritHandle = FALSE;
hDest = CreateFile(
fullpath,
GENERIC_WRITE,
0,
&sa,
CREATE_NEW,
FILE_ATTRIBUTE_NORMAL,
NULL
);
rc = GetLastError();
if (psd)
{
LocalFree(psd);
}
if (hDest == INVALID_HANDLE_VALUE)
{
goto done;
}
// acquire handle to key container
if ((hProv = AcquireContext(false)) == 0)
{
rc = GetLastError();
goto done;
}
// Attempt to get handle to exchange key.
if(!CryptGetUserKey(hProv,AT_KEYEXCHANGE,&hKey))
{
if(GetLastError()==NTE_NO_KEY)
{
// Create key exchange key pair.
if(!CryptGenKey(hProv,AT_KEYEXCHANGE,0,&hKey))
{
rc = GetLastError();
goto done;
}
}
else
{
rc = GetLastError();
goto done;
}
}
CryptDestroyKey(hKey);
CryptReleaseContext(hProv,0);
// acquire handle to key container
if ((hProv = AcquireContext(false)) == 0)
{
rc = GetLastError();
goto done;
}
// Get a handle to key exchange key.
if(!CryptGetUserKey(hProv, AT_KEYEXCHANGE, &hXchgKey))
{
rc = GetLastError();
goto done;
}
// Create a random block cipher session key.
if(!CryptGenKey(hProv, CALG_RC2, CRYPT_EXPORTABLE, &hKey))
{
rc = GetLastError();
goto done;
}
// Determine the size of the key blob and allocate memory.
if(!CryptExportKey(hKey, hXchgKey, SIMPLEBLOB, 0, NULL, &dwBlobLen))
{
rc = GetLastError();
goto done;
}
if((pbKeyBlob = (BYTE*)malloc(dwBlobLen)) == NULL)
{
rc = ERROR_NOT_ENOUGH_MEMORY;
goto done;
}
// Export the key into a simple key blob.
if(!CryptExportKey(hKey, hXchgKey, SIMPLEBLOB, 0, pbKeyBlob,
&dwBlobLen))
{
rc = GetLastError();
free(pbKeyBlob);
goto done;
}
// Write the size of the key blob to the destination file.
if (!WriteFile(hDest, &dwBlobLen, sizeof(DWORD), &cbWritten, NULL))
{
rc = GetLastError();
free(pbKeyBlob);
goto done;
}
// Write the key blob to the destination file.
if(!WriteFile(hDest, pbKeyBlob, dwBlobLen, &cbWritten, NULL))
{
rc = GetLastError();
free(pbKeyBlob);
goto done;
}
// Free memory.
free(pbKeyBlob);
// get key cipher's block length in bytes
if (CryptGetKeyParam(hKey, KP_BLOCKLEN, (BYTE*)&dwBlockSize, &cbBlockSize, 0))
{
dwBlockSize /= 8;
}
else
{
rc = GetLastError();
goto done;
}
// Encrypt the item list and write it to the destination file.
for ( pNode = (TEntryNode*)e.OpenFirst(this); pNode ; pNode = (TEntryNode *)e.Next() )
{
// copy an item into the buffer in the following format:
// Computer\tService\tAccount\tPassword
int cchWritten;
const size_t BUFFER_SIZE_IN_WCHARS = sizeof(pbBuffer) / sizeof(wchar_t);
wchar_t* pchLast = &(((wchar_t*)pbBuffer)[BUFFER_SIZE_IN_WCHARS - 1]);
*pchLast = L'\0';
const WCHAR * pszPwd = NULL;
try {
pszPwd = pNode->GetPassword();
}
catch (_com_error& ce) {
rc = ERROR_DECRYPTION_FAILED;
goto done;
}
if ( pszPwd && *pszPwd )
{
cchWritten = _snwprintf(
(wchar_t*)pbBuffer,
BUFFER_SIZE_IN_WCHARS,
L"%s\t%s\t%s\t%s\n",
pNode->GetComputer(),
pNode->GetService(),
pNode->GetAccount(),
pszPwd
);
}
else
{
cchWritten = _snwprintf(
(wchar_t*)pbBuffer,
BUFFER_SIZE_IN_WCHARS,
L"%s\t%s\t%s\t%s\n",
pNode->GetComputer(),
pNode->GetService(),
pNode->GetAccount(),
L"NULL"
);
}
pNode->ReleasePassword();
pszPwd = NULL;
if ((cchWritten < 0) || (*pchLast != L'\0'))
{
rc = ERROR_INSUFFICIENT_BUFFER;
goto done;
}
dwCount = UStrLen((WCHAR*)pbBuffer) * (sizeof WCHAR) ;
// the buffer must be a multiple of the key cipher's block length
// NOTE: this algorithm assumes block length is multiple of sizeof(WCHAR)
if (dwBlockSize > 0)
{
// calculate next multiple greater than count
dwPaddedCount = ((dwCount + dwBlockSize - 1) / dwBlockSize) * dwBlockSize;
// pad buffer with space characters
WCHAR* pch = (WCHAR*)(pbBuffer + dwCount);
for (; dwCount < dwPaddedCount; dwCount += sizeof(WCHAR))
{
*pch++ = L' ';
}
}
// Encrypt the data.
if(!CryptEncrypt(hKey, 0, (pNode->Next() == NULL) , 0, pbBuffer, &dwCount,
BUFFER_SIZE))
{
rc = GetLastError();
goto done;
}
// Write the data to the destination file.
if(!WriteFile(hDest, pbBuffer, dwCount, &cbWritten, NULL))
{
rc = GetLastError();
goto done;
}
}
done:
// Destroy the session key.
if(hKey != 0) CryptDestroyKey(hKey);
// Destroy the key exchange key.
if(hXchgKey != 0) CryptDestroyKey(hXchgKey);
// Release the provider handle.
if(hProv != 0) CryptReleaseContext(hProv, 0);
// Close destination file.
if(hDest != INVALID_HANDLE_VALUE) CloseHandle(hDest);
return rc;
}
// AcquireContext Method
//
// acquire handle to key container within cryptographic service provider (CSP)
//
HCRYPTPROV TEntryList::AcquireContext(bool bContainerMustExist)
{
HCRYPTPROV hProv = 0;
#define KEY_CONTAINER_NAME _T("A69904BC349C4CFEAAEAB038BAB8C3B1")
if (bContainerMustExist)
{
// first try Microsoft Enhanced Cryptographic Provider
if (!CryptAcquireContext(&hProv, KEY_CONTAINER_NAME, MS_ENHANCED_PROV, PROV_RSA_FULL, CRYPT_MACHINE_KEYSET))
{
if (GetLastError() == NTE_KEYSET_NOT_DEF)
{
// then try Microsoft Base Cryptographic Provider
CryptAcquireContext(&hProv, KEY_CONTAINER_NAME, MS_DEF_PROV, PROV_RSA_FULL, CRYPT_MACHINE_KEYSET);
}
}
}
else
{
// first try Microsoft Enhanced Cryptographic Provider
if (!CryptAcquireContext(&hProv, KEY_CONTAINER_NAME, MS_ENHANCED_PROV, PROV_RSA_FULL, CRYPT_MACHINE_KEYSET))
{
DWORD dwError = GetLastError();
if ((dwError == NTE_BAD_KEYSET) || (dwError == NTE_KEYSET_NOT_DEF))
{
// then try creating key container in enhanced provider
if (!CryptAcquireContext(&hProv, KEY_CONTAINER_NAME, MS_ENHANCED_PROV, PROV_RSA_FULL, CRYPT_MACHINE_KEYSET|CRYPT_NEWKEYSET))
{
dwError = GetLastError();
if (dwError == NTE_KEYSET_NOT_DEF)
{
// then try Microsoft Base Cryptographic Provider
if (!CryptAcquireContext(&hProv, KEY_CONTAINER_NAME, MS_DEF_PROV, PROV_RSA_FULL, CRYPT_MACHINE_KEYSET))
{
dwError = GetLastError();
if ((dwError == NTE_BAD_KEYSET) || (dwError == NTE_KEYSET_NOT_DEF))
{
// finally try creating key container in base provider
CryptAcquireContext(&hProv, KEY_CONTAINER_NAME, MS_DEF_PROV, PROV_RSA_FULL, CRYPT_MACHINE_KEYSET|CRYPT_NEWKEYSET);
}
}
}
}
}
}
}
return hProv;
}
STDMETHODIMP CServMigr::TryUpdateSam(BSTR computer,BSTR service,BSTR account)
{
HRESULT hr = S_OK;
// Find the entry in the list, and perform the update
TNodeListEnum e;
TEntryNode * pNode;
BOOL bFound = FALSE;
for ( pNode = (TEntryNode*)e.OpenFirst(&m_List) ; pNode ; pNode = (TEntryNode*)e.Next() )
{
if ( !UStrICmp(computer,pNode->GetComputer())
&& !UStrICmp(service,pNode->GetService())
&& !UStrICmp(account,pNode->GetAccount())
)
{
// found it!
bFound = TRUE;
const WCHAR * pszPwd = NULL;
try {
pszPwd = pNode->GetPassword();
}
catch (_com_error& ce) {
hr = ce.Error();
break;
}
BSTR bstrPwd = SysAllocString(pszPwd);
if ((bstrPwd == NULL) && pszPwd && pszPwd[0])
{
hr = E_OUTOFMEMORY;
pNode->ReleasePassword();
break;
}
hr = TryUpdateSamWithPassword(computer,service,account,bstrPwd );
pNode->ReleasePassword();
SecureZeroMemory(bstrPwd, wcslen(bstrPwd)*sizeof(WCHAR));
SysFreeString(bstrPwd);
break;
}
}
if ( ! bFound )
{
hr = HRESULT_FROM_WIN32(ERROR_NOT_FOUND);
}
return hr;
}
STDMETHODIMP CServMigr::TryUpdateSamWithPassword(BSTR computer,BSTR service,BSTR domAccount,BSTR password)
{
DWORD rc = 0;
WCHAR domain[LEN_Domain];
_bstr_t dc;
WCHAR account[LEN_Account];
WCHAR domStr[LEN_Domain];
BYTE sid[100];
WCHAR strSid[200];
WCHAR * pSlash = wcschr(domAccount,L'\\');
SID_NAME_USE snu;
DWORD lenSid = DIM(sid);
DWORD lenDomStr = DIM(domStr);
DWORD lenStrSid = DIM(strSid);
// split out the domain and account names
if ( pSlash )
{
// UStrCpy(domain,domAccount,pSlash - domAccount + 1);
UStrCpy(domain,domAccount,(int)(pSlash - domAccount + 1));
UStrCpy(account,pSlash+1);
GetAnyDcName5(domain, dc);
// get the SID for the target account
if ( LookupAccountName(dc,account,sid,&lenSid,domStr,&lenDomStr,&snu) )
{
GetTextualSid(sid,strSid,&lenStrSid);
rc = DoUpdate(domAccount,password,strSid,computer,service,TRUE, NULL);
}
else
{
rc = GetLastError();
}
}
else
{
rc = ERROR_NOT_FOUND;
}
return HRESULT_FROM_WIN32(rc);
}
BOOL // ret - TRUE if directory found
CServMigr::GetDirectory(
WCHAR * filename // out - string buffer to store directory name
)
{
DWORD rc = 0;
BOOL bFound = FALSE;
TRegKey key;
rc = key.OpenRead(GET_STRING(IDS_HKLM_DomainAdmin_Key),HKEY_LOCAL_MACHINE);
if ( ! rc )
{
rc = key.ValueGetStr(L"Directory",filename,MAX_PATH);
if ( ! rc )
{
if ( *filename )
bFound = TRUE;
}
}
key.Close();
return bFound;
}
/*********************************************************************
* *
* Written by: Paul Thompson *
* Date: 28 MAY 2001 *
* *
* This function is responsible for retrieving the original *
* service account of the given migrated service account. We use the*
* target service account name and domain to lookup its source *
* account name and domain from the Migrated Objects table. *
* This function returns TRUE or FALSE and if TRUE, fills in the *
* given BSTRs for soure domain and source SAM name. *
* *
*********************************************************************/
//BEGIN RetrieveOriginalAccount
BOOL CServMigr::RetrieveOriginalAccount(_bstr_t &sSrcDom, _bstr_t &sSrcSAM)
{
/* local constants */
const long ONLY_ONE_MATCHED = 1;
/* local variables */
WCHAR sTemp[MAX_PATH];
BOOL bSuccess = FALSE;
IUnknown * pUnk = NULL;
/* function body */
try
{
IVarSetPtr pVSMig(__uuidof(VarSet));
IIManageDBPtr pDb(__uuidof(IManageDB));
//see if any target account fitting this SAM name and domain have been migrated
pVSMig->QueryInterface(IID_IUnknown, (void**) &pUnk);
HRESULT hrFind = pDb->raw_GetMigratedObjectsByTarget(m_strTargetDomain, m_strTargetSam, &pUnk);
pUnk->Release();
pUnk = NULL;
//if migrated only one account to this name, then fill the return strings
if (hrFind == S_OK)
{
//get objects number matching this description
long nMatched = pVSMig->get(L"MigratedObjects");
//if only one found, fill output strings
if (nMatched == ONLY_ONE_MATCHED)
{
swprintf(sTemp,L"MigratedObjects.0.%s",GET_STRING(DB_SourceDomain));
sSrcDom = pVSMig->get(sTemp);
swprintf(sTemp,L"MigratedObjects.0.%s",GET_STRING(DB_SourceSamName));
sSrcSAM = pVSMig->get(sTemp);
bSuccess = TRUE; //set success flag
}//end if found only one
}//end if found at least one
}
catch ( ... )
{
if (pUnk)
pUnk->Release();
bSuccess = false;
}
return bSuccess;
}
//END RetrieveOriginalAccount
/*********************************************************************
* *
* Written by: Paul Thompson *
* Date: 28 MAY 2001 *
* *
* This function is responsible for retrieving the UPN name of *
* the given account. The given account should be in NT4 format *
* (Domain\Username). The return will be the UPN or empty if not *
* retrieved. *
* *
*********************************************************************/
//BEGIN GetUPNName
_bstr_t CServMigr::GetUPNName(_bstr_t sSrcSAM)
{
/* local variables */
HRESULT hr;
_bstr_t sUPN = L"";
HANDLE hDs = NULL;
/* function body */
//bind to the source domain
DWORD dwError = DsBind(NULL,m_strSourceDomain,&hDs);
//now try to call DSCrackNames to get the UPN name
if ((dwError == ERROR_SUCCESS) && hDs)
{
PDS_NAME_RESULT pNamesOut = NULL;
WCHAR * pNamesIn[1];
_bstr_t sSrcAccount = m_strSourceDomainFlat + _bstr_t(L"\\") + m_strSourceSam;
pNamesIn[0] = (WCHAR*)sSrcAccount;
hr = DsCrackNames(hDs,DS_NAME_NO_FLAGS,DS_NT4_ACCOUNT_NAME,DS_USER_PRINCIPAL_NAME,1,pNamesIn,&pNamesOut);
DsUnBind(&hDs);
hDs = NULL;
//if got UPN name, store it
if ( !hr )
{
if ( pNamesOut->rItems[0].status == DS_NAME_NO_ERROR )
sUPN = pNamesOut->rItems[0].pName;
DsFreeNameResult(pNamesOut); //free the results
}//end if cracked name
}//end if bound
return sUPN;
}
//END GetUPNName