You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1142 lines
27 KiB
1142 lines
27 KiB
/*++
|
|
|
|
Copyright (c) 1987-1996 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
lsarepl.c
|
|
|
|
Abstract:
|
|
|
|
Low level LSA Replication functions.
|
|
|
|
Author:
|
|
|
|
06-Apr-1992 (madana)
|
|
Created for LSA replication.
|
|
|
|
Environment:
|
|
|
|
User mode only.
|
|
Contains NT-specific code.
|
|
Requires ANSI C extensions: slash-slash comments, long external names.
|
|
|
|
Revision History:
|
|
|
|
--*/
|
|
|
|
//
|
|
// Common include files.
|
|
//
|
|
|
|
#include "logonsrv.h" // Include files common to entire service
|
|
#pragma hdrstop
|
|
|
|
#include "lsarepl.h"
|
|
|
|
|
|
NTSTATUS
|
|
NlPackLsaPolicy(
|
|
IN OUT PNETLOGON_DELTA_ENUM Delta,
|
|
IN PDB_INFO DBInfo,
|
|
IN LPDWORD BufferSize )
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Pack a description of the LSA policy info into the specified buffer.
|
|
|
|
Arguments:
|
|
|
|
Delta: pointer to the delta structure where the new delta will
|
|
be returned.
|
|
|
|
DBInfo: pointer to the database info structure.
|
|
|
|
BufferSize: size of MIDL buffer that is consumed for this delta is
|
|
returned here.
|
|
|
|
Return Value:
|
|
|
|
NT status code.
|
|
|
|
--*/
|
|
{
|
|
NTSTATUS Status;
|
|
ULONG i;
|
|
|
|
PLSAPR_SR_SECURITY_DESCRIPTOR SecurityDescriptor = NULL;
|
|
|
|
PLSAPR_POLICY_INFORMATION PolicyAuditLogInfo = NULL;
|
|
PLSAPR_POLICY_INFORMATION PolicyAuditEventsInfo = NULL;
|
|
PLSAPR_POLICY_INFORMATION PolicyPrimaryDomainInfo = NULL;
|
|
PLSAPR_POLICY_INFORMATION PolicyDefaultQuotaInfo = NULL;
|
|
PLSAPR_POLICY_INFORMATION PolicyModificationInfo = NULL;
|
|
|
|
PNETLOGON_DELTA_POLICY DeltaPolicy = NULL;
|
|
|
|
DEFPACKTIMER;
|
|
DEFLSATIMER;
|
|
|
|
INITPACKTIMER;
|
|
INITLSATIMER;
|
|
|
|
STARTPACKTIMER;
|
|
|
|
NlPrint((NL_SYNC_MORE, "Packing Policy Object\n"));
|
|
|
|
*BufferSize = 0;
|
|
|
|
Delta->DeltaType = AddOrChangeLsaPolicy;
|
|
Delta->DeltaUnion.DeltaPolicy = NULL;
|
|
|
|
QUERY_LSA_SECOBJ_INFO(DBInfo->DBHandle);
|
|
|
|
STARTLSATIMER;
|
|
|
|
Status = LsarQueryInformationPolicy(
|
|
DBInfo->DBHandle,
|
|
PolicyAuditLogInformation,
|
|
&PolicyAuditLogInfo);
|
|
|
|
STOPLSATIMER;
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
PolicyAuditLogInfo = NULL;
|
|
goto Cleanup;
|
|
}
|
|
|
|
STARTLSATIMER;
|
|
|
|
Status = LsarQueryInformationPolicy(
|
|
DBInfo->DBHandle,
|
|
PolicyAuditEventsInformation,
|
|
&PolicyAuditEventsInfo);
|
|
|
|
STOPLSATIMER;
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
PolicyAuditEventsInfo = NULL;
|
|
goto Cleanup;
|
|
}
|
|
|
|
STARTLSATIMER;
|
|
|
|
Status = LsarQueryInformationPolicy(
|
|
DBInfo->DBHandle,
|
|
PolicyPrimaryDomainInformation,
|
|
&PolicyPrimaryDomainInfo);
|
|
|
|
STOPLSATIMER;
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
PolicyPrimaryDomainInfo = NULL;
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
STARTLSATIMER;
|
|
|
|
Status = LsarQueryInformationPolicy(
|
|
DBInfo->DBHandle,
|
|
PolicyDefaultQuotaInformation,
|
|
&PolicyDefaultQuotaInfo);
|
|
|
|
STOPLSATIMER;
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
PolicyDefaultQuotaInfo = NULL;
|
|
goto Cleanup;
|
|
}
|
|
|
|
STARTLSATIMER;
|
|
|
|
Status = LsarQueryInformationPolicy(
|
|
DBInfo->DBHandle,
|
|
PolicyModificationInformation,
|
|
&PolicyModificationInfo);
|
|
|
|
STOPLSATIMER;
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
PolicyModificationInfo = NULL;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Fill in the delta structure
|
|
//
|
|
|
|
//
|
|
// copy SID info (There is only one policy database. It has no SID).
|
|
//
|
|
|
|
Delta->DeltaID.Sid = NULL;
|
|
|
|
//
|
|
// allocate delta buffer
|
|
//
|
|
|
|
DeltaPolicy = (PNETLOGON_DELTA_POLICY)
|
|
MIDL_user_allocate( sizeof(NETLOGON_DELTA_POLICY) );
|
|
|
|
if( DeltaPolicy == NULL ) {
|
|
|
|
Status = STATUS_NO_MEMORY;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// wipe off the buffer so that cleanup will not be in fault.
|
|
//
|
|
|
|
RtlZeroMemory( DeltaPolicy, sizeof(NETLOGON_DELTA_POLICY) );
|
|
// INIT_PLACE_HOLDER(DeltaPolicy);
|
|
|
|
Delta->DeltaUnion.DeltaPolicy = DeltaPolicy;
|
|
*BufferSize += sizeof(NETLOGON_DELTA_POLICY);
|
|
|
|
DeltaPolicy->MaximumLogSize =
|
|
PolicyAuditLogInfo->PolicyAuditLogInfo.MaximumLogSize;
|
|
DeltaPolicy->AuditRetentionPeriod;
|
|
PolicyAuditLogInfo->PolicyAuditLogInfo.AuditRetentionPeriod;
|
|
|
|
DeltaPolicy->AuditingMode =
|
|
PolicyAuditEventsInfo->
|
|
PolicyAuditEventsInfo.AuditingMode;
|
|
DeltaPolicy->MaximumAuditEventCount =
|
|
PolicyAuditEventsInfo->
|
|
PolicyAuditEventsInfo.MaximumAuditEventCount;
|
|
|
|
*BufferSize += NlCopyData(
|
|
(LPBYTE *)&(PolicyAuditEventsInfo->
|
|
PolicyAuditEventsInfo.EventAuditingOptions),
|
|
(LPBYTE *)&(DeltaPolicy->EventAuditingOptions),
|
|
(DeltaPolicy->MaximumAuditEventCount + 1) *
|
|
sizeof(ULONG));
|
|
|
|
// Tell the BDC to 'set' these bits and not just 'or' them in to the current ones
|
|
for ( i=0; i<DeltaPolicy->MaximumAuditEventCount; i++ ) {
|
|
DeltaPolicy->EventAuditingOptions[i] |= POLICY_AUDIT_EVENT_NONE;
|
|
}
|
|
|
|
//
|
|
// sanitity check, EventAuditingOptions size is ULONG size.
|
|
//
|
|
|
|
NlAssert(sizeof(*(PolicyAuditEventsInfo->
|
|
PolicyAuditEventsInfo.EventAuditingOptions)) ==
|
|
sizeof(ULONG) );
|
|
|
|
*BufferSize += NlCopyUnicodeString(
|
|
(PUNICODE_STRING)&PolicyPrimaryDomainInfo->
|
|
PolicyPrimaryDomainInfo.Name,
|
|
&DeltaPolicy->PrimaryDomainName );
|
|
|
|
*BufferSize += NlCopyData(
|
|
(LPBYTE *)&(PolicyPrimaryDomainInfo->
|
|
PolicyPrimaryDomainInfo.Sid),
|
|
(LPBYTE *)&(DeltaPolicy->PrimaryDomainSid),
|
|
RtlLengthSid((PSID)(PolicyPrimaryDomainInfo->
|
|
PolicyPrimaryDomainInfo.Sid) ));
|
|
|
|
DeltaPolicy->QuotaLimits.PagedPoolLimit =
|
|
(ULONG)PolicyDefaultQuotaInfo->PolicyDefaultQuotaInfo.QuotaLimits.PagedPoolLimit;
|
|
DeltaPolicy->QuotaLimits.NonPagedPoolLimit =
|
|
(ULONG)PolicyDefaultQuotaInfo->PolicyDefaultQuotaInfo.QuotaLimits.NonPagedPoolLimit;
|
|
DeltaPolicy->QuotaLimits.MinimumWorkingSetSize =
|
|
(ULONG)PolicyDefaultQuotaInfo->PolicyDefaultQuotaInfo.QuotaLimits.MinimumWorkingSetSize;
|
|
DeltaPolicy->QuotaLimits.MaximumWorkingSetSize =
|
|
(ULONG)PolicyDefaultQuotaInfo->PolicyDefaultQuotaInfo.QuotaLimits.MaximumWorkingSetSize;
|
|
DeltaPolicy->QuotaLimits.PagefileLimit =
|
|
(ULONG)PolicyDefaultQuotaInfo->PolicyDefaultQuotaInfo.QuotaLimits.PagefileLimit;
|
|
|
|
NEW_TO_OLD_LARGE_INTEGER(
|
|
PolicyDefaultQuotaInfo->PolicyDefaultQuotaInfo.QuotaLimits.TimeLimit,
|
|
DeltaPolicy->QuotaLimits.TimeLimit );
|
|
|
|
NEW_TO_OLD_LARGE_INTEGER(
|
|
PolicyModificationInfo->PolicyModificationInfo.ModifiedId,
|
|
DeltaPolicy->ModifiedId );
|
|
|
|
NEW_TO_OLD_LARGE_INTEGER(
|
|
PolicyModificationInfo->PolicyModificationInfo.DatabaseCreationTime,
|
|
DeltaPolicy->DatabaseCreationTime );
|
|
|
|
|
|
DELTA_SECOBJ_INFO(DeltaPolicy);
|
|
|
|
|
|
//
|
|
// All Done
|
|
//
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
Cleanup:
|
|
|
|
STARTLSATIMER;
|
|
|
|
if ( SecurityDescriptor != NULL ) {
|
|
LsaIFree_LSAPR_SR_SECURITY_DESCRIPTOR( SecurityDescriptor );
|
|
}
|
|
|
|
if ( PolicyAuditLogInfo != NULL ) {
|
|
LsaIFree_LSAPR_POLICY_INFORMATION(
|
|
PolicyAuditLogInformation,
|
|
PolicyAuditLogInfo );
|
|
}
|
|
|
|
if ( PolicyAuditEventsInfo != NULL ) {
|
|
LsaIFree_LSAPR_POLICY_INFORMATION(
|
|
PolicyAuditEventsInformation,
|
|
PolicyAuditEventsInfo );
|
|
}
|
|
|
|
if ( PolicyPrimaryDomainInfo != NULL ) {
|
|
LsaIFree_LSAPR_POLICY_INFORMATION(
|
|
PolicyPrimaryDomainInformation,
|
|
PolicyPrimaryDomainInfo );
|
|
}
|
|
|
|
if ( PolicyDefaultQuotaInfo != NULL ) {
|
|
LsaIFree_LSAPR_POLICY_INFORMATION(
|
|
PolicyDefaultQuotaInformation,
|
|
PolicyDefaultQuotaInfo );
|
|
}
|
|
|
|
if ( PolicyModificationInfo != NULL ) {
|
|
LsaIFree_LSAPR_POLICY_INFORMATION(
|
|
PolicyModificationInformation,
|
|
PolicyModificationInfo );
|
|
}
|
|
|
|
STOPLSATIMER;
|
|
|
|
if( !NT_SUCCESS(Status) ) {
|
|
NlFreeDBDelta( Delta );
|
|
*BufferSize = 0;
|
|
}
|
|
|
|
|
|
STOPPACKTIMER;
|
|
|
|
NlPrint((NL_REPL_OBJ_TIME,"Time taken to pack POLICY object:\n"));
|
|
PRINTPACKTIMER;
|
|
PRINTLSATIMER;
|
|
|
|
return(Status);
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
NlPackLsaTDomain(
|
|
IN PSID Sid,
|
|
IN OUT PNETLOGON_DELTA_ENUM Delta,
|
|
IN PDB_INFO DBInfo,
|
|
IN LPDWORD BufferSize )
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Pack a description of the specified trusted domain info into the
|
|
specified buffer.
|
|
|
|
Arguments:
|
|
|
|
Sid - The SID of the trusted domain.
|
|
|
|
Delta: pointer to the delta structure where the new delta will
|
|
be returned.
|
|
|
|
DBInfo: pointer to the database info structure.
|
|
|
|
BufferSize: size of MIDL buffer that is consumed for this delta is
|
|
returned here.
|
|
|
|
Return Value:
|
|
|
|
NT status code.
|
|
|
|
--*/
|
|
{
|
|
NTSTATUS Status;
|
|
|
|
LSAPR_HANDLE TrustedDomainHandle = NULL;
|
|
PLSAPR_TRUSTED_DOMAIN_INFO TrustedDomainNameInfo = NULL;
|
|
PLSAPR_TRUSTED_DOMAIN_INFO TrustedPosixOffsetInfo = NULL;
|
|
|
|
PLSAPR_SR_SECURITY_DESCRIPTOR SecurityDescriptor = NULL;
|
|
|
|
PNETLOGON_DELTA_TRUSTED_DOMAINS DeltaTDomain = NULL;
|
|
|
|
DWORD i;
|
|
DWORD Entries;
|
|
DWORD Size = 0;
|
|
PLSAPR_UNICODE_STRING UnicodeControllerName;
|
|
|
|
DEFPACKTIMER;
|
|
DEFLSATIMER;
|
|
|
|
INITPACKTIMER;
|
|
INITLSATIMER;
|
|
|
|
STARTPACKTIMER;
|
|
|
|
NlPrint((NL_SYNC_MORE, "Packing Trusted Domain Object\n"));
|
|
|
|
*BufferSize = 0;
|
|
|
|
Delta->DeltaType = AddOrChangeLsaTDomain;
|
|
Delta->DeltaID.Sid = NULL;
|
|
Delta->DeltaUnion.DeltaTDomains = NULL;
|
|
|
|
//
|
|
// open trusted domain
|
|
//
|
|
|
|
STARTLSATIMER;
|
|
|
|
Status = LsarOpenTrustedDomain(
|
|
DBInfo->DBHandle,
|
|
(PLSAPR_SID)Sid,
|
|
0,
|
|
&TrustedDomainHandle );
|
|
|
|
STOPLSATIMER;
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
TrustedDomainHandle = NULL;
|
|
goto Cleanup;
|
|
}
|
|
|
|
QUERY_LSA_SECOBJ_INFO(TrustedDomainHandle);
|
|
|
|
STARTLSATIMER;
|
|
|
|
Status = LsarQueryInfoTrustedDomain(
|
|
TrustedDomainHandle,
|
|
TrustedDomainNameInformation,
|
|
&TrustedDomainNameInfo );
|
|
|
|
STOPLSATIMER;
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
TrustedDomainNameInfo = NULL;
|
|
goto Cleanup;
|
|
}
|
|
|
|
NlPrint((NL_SYNC_MORE,
|
|
"\t Trusted Domain Object name %wZ\n",
|
|
(PUNICODE_STRING)&TrustedDomainNameInfo->
|
|
TrustedDomainNameInfo.Name ));
|
|
|
|
STARTLSATIMER;
|
|
|
|
Status = LsarQueryInfoTrustedDomain(
|
|
TrustedDomainHandle,
|
|
TrustedPosixOffsetInformation,
|
|
&TrustedPosixOffsetInfo );
|
|
|
|
STOPLSATIMER;
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
TrustedPosixOffsetInfo = NULL;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Fill in the delta structure
|
|
//
|
|
|
|
//
|
|
// copy SID info
|
|
//
|
|
|
|
Delta->DeltaID.Sid = MIDL_user_allocate( RtlLengthSid(Sid) );
|
|
|
|
|
|
if( Delta->DeltaID.Sid == NULL ) {
|
|
|
|
Status = STATUS_NO_MEMORY;
|
|
goto Cleanup;
|
|
}
|
|
|
|
RtlCopyMemory( Delta->DeltaID.Sid, Sid, RtlLengthSid(Sid) );
|
|
|
|
//
|
|
// allocate delta buffer
|
|
//
|
|
|
|
DeltaTDomain = (PNETLOGON_DELTA_TRUSTED_DOMAINS)
|
|
MIDL_user_allocate( sizeof(NETLOGON_DELTA_TRUSTED_DOMAINS) );
|
|
|
|
if( DeltaTDomain == NULL ) {
|
|
|
|
Status = STATUS_NO_MEMORY;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// wipe off the buffer so that cleanup will not be in fault.
|
|
//
|
|
|
|
RtlZeroMemory( DeltaTDomain, sizeof(NETLOGON_DELTA_TRUSTED_DOMAINS) );
|
|
// INIT_PLACE_HOLDER(DeltaTDomain);
|
|
|
|
Delta->DeltaUnion.DeltaTDomains = DeltaTDomain;
|
|
*BufferSize += sizeof(NETLOGON_DELTA_TRUSTED_DOMAINS);
|
|
|
|
*BufferSize += NlCopyUnicodeString(
|
|
(PUNICODE_STRING)&TrustedDomainNameInfo->
|
|
TrustedDomainNameInfo.Name,
|
|
&DeltaTDomain->DomainName );
|
|
|
|
DELTA_SECOBJ_INFO(DeltaTDomain);
|
|
|
|
//
|
|
// send Posix Offset info across using place holder.
|
|
//
|
|
|
|
DeltaTDomain->DummyLong1 =
|
|
TrustedPosixOffsetInfo->TrustedPosixOffsetInfo.Offset;
|
|
|
|
//
|
|
// All Done
|
|
//
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
Cleanup:
|
|
|
|
STARTLSATIMER;
|
|
|
|
if ( TrustedDomainHandle != NULL ) {
|
|
LsarClose( &TrustedDomainHandle );
|
|
}
|
|
|
|
if ( SecurityDescriptor != NULL ) {
|
|
LsaIFree_LSAPR_SR_SECURITY_DESCRIPTOR( SecurityDescriptor );
|
|
}
|
|
|
|
if ( TrustedDomainNameInfo != NULL ) {
|
|
LsaIFree_LSAPR_TRUSTED_DOMAIN_INFO(
|
|
TrustedDomainNameInformation,
|
|
TrustedDomainNameInfo );
|
|
}
|
|
|
|
if ( TrustedPosixOffsetInfo != NULL ) {
|
|
LsaIFree_LSAPR_TRUSTED_DOMAIN_INFO(
|
|
TrustedPosixOffsetInformation,
|
|
TrustedPosixOffsetInfo );
|
|
}
|
|
|
|
STOPLSATIMER;
|
|
|
|
if( !NT_SUCCESS(Status) ) {
|
|
NlFreeDBDelta( Delta );
|
|
*BufferSize = 0;
|
|
}
|
|
|
|
STOPPACKTIMER;
|
|
|
|
NlPrint((NL_REPL_OBJ_TIME,"Time taken to pack TDOMAIN object:\n"));
|
|
PRINTPACKTIMER;
|
|
PRINTLSATIMER;
|
|
|
|
return(Status);
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
NlPackLsaAccount(
|
|
IN PSID Sid,
|
|
IN OUT PNETLOGON_DELTA_ENUM Delta,
|
|
IN PDB_INFO DBInfo,
|
|
IN LPDWORD BufferSize,
|
|
IN PSESSION_INFO SessionInfo
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Pack a description of the specified LSA account info into the
|
|
specified buffer.
|
|
|
|
Arguments:
|
|
|
|
Sid - The SID of the LSA account.
|
|
|
|
Delta: pointer to the delta structure where the new delta will
|
|
be returned.
|
|
|
|
DBInfo: pointer to the database info structure.
|
|
|
|
BufferSize: size of MIDL buffer that is consumed for this delta is
|
|
returned here.
|
|
|
|
SessionInfo: Info describing BDC that's calling us
|
|
|
|
Return Value:
|
|
|
|
NT status code.
|
|
|
|
--*/
|
|
{
|
|
NTSTATUS Status;
|
|
|
|
PLSAPR_SR_SECURITY_DESCRIPTOR SecurityDescriptor = NULL;
|
|
|
|
PNETLOGON_DELTA_ACCOUNTS DeltaAccount = NULL;
|
|
LSAPR_HANDLE AccountHandle = NULL;
|
|
|
|
PLSAPR_PRIVILEGE_SET Privileges = NULL;
|
|
ULONG SystemAccessFlags;
|
|
|
|
PULONG PrivilegeAttributes;
|
|
PUNICODE_STRING PrivilegeNames;
|
|
LUID MachineAccountPrivilegeLuid;
|
|
DWORD CopiedPrivilegeCount;
|
|
|
|
DWORD i;
|
|
DWORD Size;
|
|
|
|
DEFPACKTIMER;
|
|
DEFLSATIMER;
|
|
|
|
INITPACKTIMER;
|
|
INITLSATIMER;
|
|
|
|
STARTPACKTIMER;
|
|
|
|
NlPrint((NL_SYNC_MORE, "Packing Lsa Account Object\n"));
|
|
|
|
*BufferSize = 0;
|
|
MachineAccountPrivilegeLuid = RtlConvertLongToLuid(SE_MACHINE_ACCOUNT_PRIVILEGE);
|
|
|
|
Delta->DeltaType = AddOrChangeLsaAccount;
|
|
Delta->DeltaID.Sid = NULL;
|
|
Delta->DeltaUnion.DeltaAccounts = NULL;
|
|
|
|
//
|
|
// open lsa account
|
|
//
|
|
|
|
STARTLSATIMER;
|
|
|
|
Status = LsarOpenAccount(
|
|
DBInfo->DBHandle,
|
|
(PLSAPR_SID)Sid,
|
|
0,
|
|
&AccountHandle );
|
|
|
|
STOPLSATIMER;
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
AccountHandle = NULL;
|
|
goto Cleanup;
|
|
}
|
|
|
|
QUERY_LSA_SECOBJ_INFO(AccountHandle);
|
|
|
|
STARTLSATIMER;
|
|
|
|
Status = LsarEnumeratePrivilegesAccount(
|
|
AccountHandle,
|
|
&Privileges );
|
|
|
|
STOPLSATIMER;
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
Privileges = NULL;
|
|
goto Cleanup;
|
|
}
|
|
|
|
STARTLSATIMER;
|
|
|
|
Status = LsarGetSystemAccessAccount(
|
|
AccountHandle,
|
|
&SystemAccessFlags );
|
|
|
|
STOPLSATIMER;
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Fill in the delta structure
|
|
//
|
|
|
|
//
|
|
// copy SID info
|
|
//
|
|
|
|
Delta->DeltaID.Sid = MIDL_user_allocate( RtlLengthSid(Sid) );
|
|
|
|
|
|
if( Delta->DeltaID.Sid == NULL ) {
|
|
|
|
Status = STATUS_NO_MEMORY;
|
|
goto Cleanup;
|
|
}
|
|
|
|
RtlCopyMemory( Delta->DeltaID.Sid, Sid, RtlLengthSid(Sid) );
|
|
|
|
//
|
|
// allocate delta buffer
|
|
//
|
|
|
|
DeltaAccount = (PNETLOGON_DELTA_ACCOUNTS)
|
|
MIDL_user_allocate( sizeof(NETLOGON_DELTA_ACCOUNTS) );
|
|
|
|
if( DeltaAccount == NULL ) {
|
|
|
|
Status = STATUS_NO_MEMORY;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// wipe off the buffer so that cleanup will not be in fault.
|
|
//
|
|
|
|
RtlZeroMemory( DeltaAccount, sizeof(NETLOGON_DELTA_ACCOUNTS) );
|
|
// INIT_PLACE_HOLDER(DeltaAccount);
|
|
|
|
Delta->DeltaUnion.DeltaAccounts = DeltaAccount;
|
|
*BufferSize += sizeof(NETLOGON_DELTA_ACCOUNTS);
|
|
|
|
DeltaAccount->PrivilegeControl = Privileges->Control;
|
|
|
|
DeltaAccount->PrivilegeEntries = 0;
|
|
DeltaAccount->PrivilegeAttributes = NULL;
|
|
DeltaAccount->PrivilegeNames = NULL;
|
|
|
|
Size = Privileges->PrivilegeCount * sizeof(ULONG);
|
|
|
|
PrivilegeAttributes = MIDL_user_allocate( Size );
|
|
|
|
if( PrivilegeAttributes == NULL ) {
|
|
|
|
Status = STATUS_NO_MEMORY;
|
|
goto Cleanup;
|
|
}
|
|
|
|
DeltaAccount->PrivilegeAttributes = PrivilegeAttributes;
|
|
*BufferSize += Size;
|
|
|
|
Size = Privileges->PrivilegeCount * sizeof(UNICODE_STRING);
|
|
|
|
PrivilegeNames = MIDL_user_allocate( Size );
|
|
|
|
if( PrivilegeNames == NULL ) {
|
|
|
|
Status = STATUS_NO_MEMORY;
|
|
goto Cleanup;
|
|
}
|
|
|
|
DeltaAccount->PrivilegeNames = PrivilegeNames;
|
|
*BufferSize += Size;
|
|
|
|
//
|
|
// now fill up Privilege Attributes and Names
|
|
//
|
|
|
|
CopiedPrivilegeCount = 0;
|
|
for( i = 0; i < Privileges->PrivilegeCount; i++ ) {
|
|
|
|
//
|
|
// Don't replicate SeMachineAccount privilege to NT 3.1. It can't handle it.
|
|
// (Use the SUPPORTS_ACCOUNT_LOCKOUT bit so we don't have to consume
|
|
// another bit.)
|
|
//
|
|
if ( (SessionInfo->NegotiatedFlags & NETLOGON_SUPPORTS_ACCOUNT_LOCKOUT) ||
|
|
(!RtlEqualLuid((PLUID)(&Privileges->Privilege[i].Luid),
|
|
&MachineAccountPrivilegeLuid ))) {
|
|
|
|
PLSAPR_UNICODE_STRING PrivName = NULL;
|
|
|
|
*PrivilegeAttributes = Privileges->Privilege[i].Attributes;
|
|
|
|
|
|
//
|
|
// convert LUID to Name
|
|
//
|
|
|
|
STARTLSATIMER;
|
|
|
|
Status = LsarLookupPrivilegeName(
|
|
DBInfo->DBHandle,
|
|
(PLUID)&Privileges->Privilege[i].Luid,
|
|
&PrivName );
|
|
|
|
STOPLSATIMER;
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
goto Cleanup;
|
|
}
|
|
|
|
*BufferSize += NlCopyUnicodeString(
|
|
(PUNICODE_STRING)PrivName,
|
|
PrivilegeNames );
|
|
|
|
LsaIFree_LSAPR_UNICODE_STRING( PrivName );
|
|
CopiedPrivilegeCount ++;
|
|
PrivilegeAttributes++;
|
|
PrivilegeNames++;
|
|
} else {
|
|
NlPrint((NL_SYNC_MORE,
|
|
"NlPackLsaAccount: ignored privilege %ld %ld\n",
|
|
(PLUID) LongToPtr( (&Privileges->Privilege[i].Luid)->HighPart ),
|
|
(PLUID) ULongToPtr( (&Privileges->Privilege[i].Luid)->LowPart ) ));
|
|
}
|
|
}
|
|
DeltaAccount->PrivilegeEntries = CopiedPrivilegeCount;
|
|
|
|
//
|
|
// Send only those bits that NT4.0 BDC understands.
|
|
// Otherwise, it will choke on it.
|
|
//
|
|
DeltaAccount->SystemAccessFlags = SystemAccessFlags & POLICY_MODE_ALL_NT4;
|
|
|
|
DELTA_SECOBJ_INFO(DeltaAccount);
|
|
|
|
//
|
|
// All Done
|
|
//
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
Cleanup:
|
|
|
|
STARTLSATIMER;
|
|
|
|
if ( AccountHandle != NULL ) {
|
|
LsarClose( &AccountHandle );
|
|
}
|
|
|
|
if ( SecurityDescriptor != NULL ) {
|
|
LsaIFree_LSAPR_SR_SECURITY_DESCRIPTOR( SecurityDescriptor );
|
|
}
|
|
|
|
if ( Privileges != NULL ) {
|
|
LsaIFree_LSAPR_PRIVILEGE_SET( Privileges );
|
|
}
|
|
|
|
STOPLSATIMER;
|
|
|
|
if( !NT_SUCCESS(Status) ) {
|
|
NlFreeDBDelta( Delta );
|
|
*BufferSize = 0;
|
|
}
|
|
|
|
STOPPACKTIMER;
|
|
|
|
NlPrint((NL_REPL_OBJ_TIME,"Time taken to pack LSAACCOUNT object:\n"));
|
|
PRINTPACKTIMER;
|
|
PRINTLSATIMER;
|
|
|
|
return(Status);
|
|
|
|
}
|
|
|
|
|
|
|
|
NTSTATUS
|
|
NlPackLsaSecret(
|
|
IN PUNICODE_STRING Name,
|
|
IN OUT PNETLOGON_DELTA_ENUM Delta,
|
|
IN PDB_INFO DBInfo,
|
|
IN LPDWORD BufferSize,
|
|
IN PSESSION_INFO SessionInfo
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Pack a description of the specified LSA secret info into the
|
|
specified buffer.
|
|
|
|
Arguments:
|
|
|
|
Name - Name of the secret.
|
|
|
|
Delta: pointer to the delta structure where the new delta will
|
|
be returned.
|
|
|
|
DBInfo: pointer to the database info structure.
|
|
|
|
BufferSize: size of MIDL buffer that is consumed for this delta is
|
|
returned here.
|
|
|
|
SessionInfo: Information shared between BDC and PDC
|
|
|
|
Return Value:
|
|
|
|
NT status code.
|
|
|
|
--*/
|
|
{
|
|
NTSTATUS Status;
|
|
|
|
PLSAPR_SR_SECURITY_DESCRIPTOR SecurityDescriptor = NULL;
|
|
|
|
LSAPR_HANDLE SecretHandle = NULL;
|
|
|
|
PNETLOGON_DELTA_SECRET DeltaSecret = NULL;
|
|
|
|
PLSAPR_CR_CIPHER_VALUE CurrentValue = NULL;
|
|
PLSAPR_CR_CIPHER_VALUE OldValue = NULL;
|
|
LARGE_INTEGER CurrentValueSetTime;
|
|
LARGE_INTEGER OldValueSetTime;
|
|
|
|
DEFPACKTIMER;
|
|
DEFLSATIMER;
|
|
|
|
INITPACKTIMER;
|
|
INITLSATIMER;
|
|
|
|
STARTPACKTIMER;
|
|
|
|
NlPrint((NL_SYNC_MORE, "Packing Secret Object: %wZ\n", Name));
|
|
|
|
//
|
|
// we should be packing only GLOBAL secrets
|
|
//
|
|
|
|
NlAssert(
|
|
(Name->Length / sizeof(WCHAR) >
|
|
LSA_GLOBAL_SECRET_PREFIX_LENGTH ) &&
|
|
(_wcsnicmp( Name->Buffer,
|
|
LSA_GLOBAL_SECRET_PREFIX,
|
|
LSA_GLOBAL_SECRET_PREFIX_LENGTH ) == 0) );
|
|
|
|
*BufferSize = 0;
|
|
|
|
Delta->DeltaType = AddOrChangeLsaSecret;
|
|
Delta->DeltaID.Name = NULL;
|
|
Delta->DeltaUnion.DeltaPolicy = NULL;
|
|
|
|
//
|
|
// open lsa account
|
|
//
|
|
|
|
STARTLSATIMER;
|
|
|
|
Status = LsarOpenSecret(
|
|
DBInfo->DBHandle,
|
|
(PLSAPR_UNICODE_STRING)Name,
|
|
0,
|
|
&SecretHandle );
|
|
|
|
STOPLSATIMER;
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
SecretHandle = NULL;
|
|
goto Cleanup;
|
|
}
|
|
|
|
QUERY_LSA_SECOBJ_INFO(SecretHandle);
|
|
|
|
STARTLSATIMER;
|
|
|
|
Status = LsarQuerySecret(
|
|
SecretHandle,
|
|
&CurrentValue,
|
|
&CurrentValueSetTime,
|
|
&OldValue,
|
|
&OldValueSetTime );
|
|
|
|
STOPLSATIMER;
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
CurrentValue = NULL;
|
|
OldValue = NULL;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Fill in the delta structure
|
|
//
|
|
|
|
//
|
|
// copy ID field
|
|
//
|
|
|
|
Delta->DeltaID.Name =
|
|
MIDL_user_allocate( Name->Length + sizeof(WCHAR) );
|
|
|
|
if( Delta->DeltaID.Name == NULL ) {
|
|
|
|
Status = STATUS_NO_MEMORY;
|
|
goto Cleanup;
|
|
}
|
|
|
|
wcsncpy( Delta->DeltaID.Name,
|
|
Name->Buffer,
|
|
Name->Length / sizeof(WCHAR) );
|
|
|
|
//
|
|
// terminate string
|
|
//
|
|
|
|
Delta->DeltaID.Name[ Name->Length / sizeof(WCHAR) ] = L'\0';
|
|
|
|
|
|
DeltaSecret = (PNETLOGON_DELTA_SECRET)
|
|
MIDL_user_allocate( sizeof(NETLOGON_DELTA_SECRET) );
|
|
|
|
if( DeltaSecret == NULL ) {
|
|
Status = STATUS_NO_MEMORY;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// wipe off the buffer so that cleanup will not be in fault.
|
|
//
|
|
|
|
RtlZeroMemory( DeltaSecret, sizeof(NETLOGON_DELTA_SECRET) );
|
|
// INIT_PLACE_HOLDER(DeltaSecret);
|
|
|
|
Delta->DeltaUnion.DeltaSecret = DeltaSecret;
|
|
*BufferSize += sizeof(NETLOGON_DELTA_SECRET);
|
|
|
|
NEW_TO_OLD_LARGE_INTEGER(
|
|
CurrentValueSetTime,
|
|
DeltaSecret->CurrentValueSetTime );
|
|
|
|
NEW_TO_OLD_LARGE_INTEGER(
|
|
OldValueSetTime,
|
|
DeltaSecret->OldValueSetTime );
|
|
|
|
if( CurrentValue != NULL && CurrentValue->Buffer != NULL && CurrentValue->Length != 0) {
|
|
|
|
//
|
|
// Copy the secret into an allocated buffer and encrypt it in place.
|
|
// Don't use the LSA's buffer since it a ALLOCATE_ALL_NODES.
|
|
//
|
|
|
|
DeltaSecret->CurrentValue.Buffer =
|
|
MIDL_user_allocate( CurrentValue->Length );
|
|
|
|
if( DeltaSecret->CurrentValue.Buffer == NULL ) {
|
|
Status = STATUS_NO_MEMORY;
|
|
goto Cleanup;
|
|
}
|
|
|
|
DeltaSecret->CurrentValue.Length =
|
|
DeltaSecret->CurrentValue.MaximumLength = CurrentValue->Length;
|
|
RtlCopyMemory( DeltaSecret->CurrentValue.Buffer,
|
|
CurrentValue->Buffer,
|
|
CurrentValue->Length );
|
|
|
|
|
|
//
|
|
// secret values are encrypted using session keys.
|
|
//
|
|
|
|
Status = NlEncryptSensitiveData(
|
|
(PCRYPT_BUFFER) &DeltaSecret->CurrentValue,
|
|
SessionInfo );
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
goto Cleanup;
|
|
}
|
|
|
|
} else {
|
|
|
|
DeltaSecret->CurrentValue.Length = 0;
|
|
DeltaSecret->CurrentValue.MaximumLength = 0;
|
|
DeltaSecret->CurrentValue.Buffer = NULL;
|
|
}
|
|
|
|
*BufferSize += DeltaSecret->CurrentValue.MaximumLength;
|
|
|
|
if( OldValue != NULL && OldValue->Buffer != NULL && OldValue->Length != 0 ) {
|
|
|
|
//
|
|
// Copy the secret into an allocated buffer and encrypt it in place.
|
|
// Don't use the LSA's buffer since it a ALLOCATE_ALL_NODES.
|
|
//
|
|
|
|
DeltaSecret->OldValue.Buffer =
|
|
MIDL_user_allocate( OldValue->Length );
|
|
|
|
if( DeltaSecret->OldValue.Buffer == NULL ) {
|
|
Status = STATUS_NO_MEMORY;
|
|
goto Cleanup;
|
|
}
|
|
|
|
DeltaSecret->OldValue.Length =
|
|
DeltaSecret->OldValue.MaximumLength = OldValue->Length;
|
|
RtlCopyMemory( DeltaSecret->OldValue.Buffer,
|
|
OldValue->Buffer,
|
|
OldValue->Length );
|
|
|
|
|
|
//
|
|
// secret values are encrypted using session keys.
|
|
//
|
|
|
|
Status = NlEncryptSensitiveData(
|
|
(PCRYPT_BUFFER) &DeltaSecret->OldValue,
|
|
SessionInfo );
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
goto Cleanup;
|
|
}
|
|
|
|
} else {
|
|
|
|
DeltaSecret->OldValue.Length = 0;
|
|
DeltaSecret->OldValue.MaximumLength = 0;
|
|
DeltaSecret->OldValue.Buffer = NULL;
|
|
}
|
|
|
|
*BufferSize += DeltaSecret->OldValue.MaximumLength;
|
|
|
|
DELTA_SECOBJ_INFO(DeltaSecret);
|
|
|
|
//
|
|
// All Done
|
|
//
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
Cleanup:
|
|
|
|
STARTLSATIMER;
|
|
|
|
if ( SecretHandle != NULL ) {
|
|
LsarClose( &SecretHandle );
|
|
}
|
|
|
|
if ( SecurityDescriptor != NULL ) {
|
|
LsaIFree_LSAPR_SR_SECURITY_DESCRIPTOR( SecurityDescriptor );
|
|
}
|
|
|
|
if( CurrentValue != NULL ) {
|
|
LsaIFree_LSAPR_CR_CIPHER_VALUE( CurrentValue );
|
|
}
|
|
|
|
if( OldValue != NULL ) {
|
|
LsaIFree_LSAPR_CR_CIPHER_VALUE( OldValue );
|
|
}
|
|
|
|
STOPLSATIMER;
|
|
|
|
if( !NT_SUCCESS(Status) ) {
|
|
NlFreeDBDelta( Delta );
|
|
*BufferSize = 0;
|
|
}
|
|
|
|
STOPPACKTIMER;
|
|
|
|
NlPrint((NL_REPL_OBJ_TIME,"Time taken to pack SECRET object:\n"));
|
|
PRINTPACKTIMER;
|
|
PRINTLSATIMER;
|
|
|
|
return(Status);
|
|
|
|
}
|
|
|