archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
4.0 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-xp/Source/XPSP1/NT/base/fs/dfs/ui/dfsutil/dfsacl.cxx

841 lines
24 KiB
Raw Permalink Normal View History

Add source files
4 years ago
  1. //-----------------------------------------------------------------------------
  2. //
  3. // Copyright (C) 1998, Microsoft Corporation
  4. //
  5. // File: dfsacl.c
  7. // Contents: Functions to add/remove entries from ACL list(s).
  8. //
  9. // History: Nov 6, 1998 JHarper created
  10. //
  11. //-----------------------------------------------------------------------------
  13. #define UNICODE
  15. #include <stdio.h>
  16. #include <nt.h>
  17. #include <ntrtl.h>
  18. #include <nturtl.h>
  19. #include <windows.h>
  20. #include <winldap.h>
  21. #include <ntldap.h>
  22. #include <stdlib.h>
  23. #include <dsgetdc.h>
  24. #include <lm.h>
  25. #include <sddl.h>
  26. #include <dfsstr.h>
  27. #include <dfsmrshl.h>
  28. #include <marshal.hxx>
  29. #include <lmdfs.h>
  30. #include <dfspriv.h>
  31. #include <csites.hxx>
  32. #include <dfsm.hxx>
  33. #include <recon.hxx>
  35. #include "dfsacl.hxx"
  36. #include "struct.hxx"
  38. DWORD
  39. ReadDSObjSecDesc(
  40. PLDAP pLDAP,
  41. PWSTR pwszObject,
  42. SECURITY_INFORMATION SeInfo,
  43. PSECURITY_DESCRIPTOR *ppSD,
  44. PULONG pcSDSize);
  46. DWORD
  47. DfsGetObjSecurity(
  48. LDAP *pldap,
  49. LPWSTR pwszObjectName,
  50. LPWSTR *pwszStringSD);
  52. DWORD
  53. DfsStampSD(
  54. PWSTR pwszObject,
  55. ULONG cSDSize,
  56. SECURITY_INFORMATION SeInfo,
  57. PSECURITY_DESCRIPTOR pSD,
  58. PLDAP pLDAP);
  60. DWORD
  61. DfsAddAce(
  62. LDAP *pldap,
  63. LPWSTR wszObjectName,
  64. LPWSTR wszStringSD,
  65. LPWSTR wszwszStringSid);
  67. DWORD
  68. DfsRemoveAce(
  69. LDAP *pldap,
  70. LPWSTR wszObjectName,
  71. LPWSTR wszStringSD,
  72. LPWSTR wszwszStringSid);
  74. BOOL
  75. DfsFindSid(
  76. LPWSTR DcName,
  77. LPWSTR Name,
  78. PSID *Sid);
  80. BOOLEAN
  81. DfsSidInAce(
  82. LPWSTR wszAce,
  83. LPWSTR wszStringSid);
  85. #define ACTRL_SD_PROP_NAME L"nTSecurityDescriptor"
  87. //
  88. // Name of the attribute holding the ACL/ACE list
  89. //
  91. #define ACTRL_SD_PROP_NAME L"nTSecurityDescriptor"
  93. //
  94. // The sddl description of the ACE we will be adding
  95. //
  96. LPWSTR wszAce = L"(A;;RPWP;;;";
  98. //+---------------------------------------------------------------------------
  99. //
  100. // Function: DfsAddMachineAce
  101. //
  102. // Synopsis: Adds an ACE representing this machine to the ACL list of the
  103. // object.
  104. //
  105. // Arguments: [pldap] -- The open LDAP connection
  106. // [wszDcName] -- The DC whose DS we are to use.
  107. // [wszObjectName] -- The fully-qualified name of the DS object
  108. // [wszRootName] -- The name of the machine/root we want to add
  109. //
  110. // Returns: ERROR_SUCCESS -- The object is reachable
  111. // ERROR_NOT_ENOUGH_MEMORY A memory allocation failed
  112. //
  113. //----------------------------------------------------------------------------
  114. DWORD
  115. DfsAddMachineAce(
  116. LDAP *pldap,
  117. LPWSTR wszDcName,
  118. LPWSTR wszObjectName,
  119. LPWSTR wszRootName)
  120. {
  121. ULONG dwErr = ERROR_SUCCESS;
  122. PSID Sid;
  123. BOOL Result;
  124. ULONG i;
  125. WCHAR wszNewSD[MAX_PATH];
  126. LPWSTR wszStringSD = NULL;
  127. LPWSTR wszStringSid = NULL;
  128. LPWSTR wszNewRootName = NULL;
  130. if (fSwDebug != 0)
  131. MyPrintf(L"DfsAddMachineAce(%ws,%ws)\r\n", wszObjectName, wszRootName);
  132. //
  133. // Get Security Descriptor on the FtDfs object
  134. //
  135. dwErr = DfsGetObjSecurity(pldap, wszObjectName, &wszStringSD);
  136. if (dwErr == ERROR_SUCCESS) {
  137. if (fSwDebug != 0)
  138. MyPrintf(L"ACL=[%ws]\r\n", wszStringSD);
  139. wszNewRootName = (LPWSTR)malloc((wcslen(wszRootName) + 2) * sizeof(WCHAR));
  140. if (wszNewRootName != NULL) {
  141. wcscpy(wszNewRootName, wszRootName);
  142. for (i = 0; wszNewRootName[i] != L'\0'; i++) {
  143. if (wszNewRootName[i] == L'.') {
  144. wszNewRootName[i] = L'\0';
  145. break;
  146. }
  147. }
  148. wcscat(wszNewRootName, L"$");
  149. //
  150. // Get SID representing root machine
  151. //
  152. Result = DfsFindSid(wszDcName,wszNewRootName, &Sid);
  153. if (Result == TRUE) {
  154. if (fSwDebug != 0)
  155. MyPrintf(L"Got SID for %ws\r\n", wszRootName);
  156. //
  157. // Convert the machine SID to a string
  158. //
  159. Result = ConvertSidToStringSid(Sid, &wszStringSid);
  160. if (Result == TRUE) {
  161. if (fSwDebug != 0)
  162. MyPrintf(L"Sid=[%ws]\r\n", wszStringSid);
  163. //
  164. // Now update the ACL list on the FtDfs object
  165. //
  166. DfsAddAce(
  167. pldap,
  168. wszObjectName,
  169. wszStringSD,
  170. wszStringSid);
  171. LocalFree(wszStringSid);
  172. }
  173. } else {
  174. dwErr = ERROR_OBJECT_NOT_FOUND;
  175. }
  176. free(wszNewRootName);
  177. } else {
  178. dwErr = ERROR_OUTOFMEMORY;
  179. }
  180. LocalFree(wszStringSD);
  181. }
  182. if (fSwDebug != 0)
  183. MyPrintf(L"DfsAddMachineAce returning %d\r\n", dwErr);
  184. return dwErr;
  186. }
  188. //+---------------------------------------------------------------------------
  189. //
  190. // Function: DfsRemoveMachineAce
  191. //
  192. // Synopsis: Removes an ACE representing this machine from the ACL list of the
  193. // object.
  194. //
  195. // Arguments: [pldap] -- The open LDAP connection
  196. // [wszDcName] -- The DC whose DS we are to use.
  197. // [wszObjectName] -- The fully-qualified name of the DS object
  198. // [wszRootName] -- The name of the machine/root we want to remove
  199. //
  200. // Returns: ERROR_SUCCESS -- The object is reachable
  201. // ERROR_NOT_ENOUGH_MEMORY A memory allocation failed
  202. //
  203. //----------------------------------------------------------------------------
  204. DWORD
  205. DfsRemoveMachineAce(
  206. LDAP *pldap,
  207. LPWSTR wszDcName,
  208. LPWSTR wszObjectName,
  209. LPWSTR wszRootName)
  210. {
  211. ULONG dwErr = ERROR_SUCCESS;
  212. PSID Sid;
  213. BOOL Result;
  214. WCHAR wszNewSD[MAX_PATH];
  215. LPWSTR wszStringSD = NULL;
  216. LPWSTR wszStringSid = NULL;
  217. LPWSTR wszNewRootName = NULL;
  218. ULONG i;
  220. if (fSwDebug != 0)
  221. MyPrintf(L"DfsRemoveMachineAce(DC=%ws,DN=\"%ws\",Root=%ws)\r\n",
  222. wszDcName,
  223. wszObjectName,
  224. wszRootName);
  225. //
  226. // Get Security Descriptor on the FtDfs object
  227. //
  228. dwErr = DfsGetObjSecurity(pldap, wszObjectName, &wszStringSD);
  229. if (dwErr == ERROR_SUCCESS) {
  230. if (fSwDebug != 0)
  231. MyPrintf(L"ACL=[%ws]\r\n", wszStringSD);
  232. wszNewRootName = (LPWSTR)malloc((wcslen(wszRootName) + 2) * sizeof(WCHAR));
  233. if (wszNewRootName != NULL) {
  234. wcscpy(wszNewRootName, wszRootName);
  235. for (i = 0; wszNewRootName[i] != L'\0'; i++) {
  236. if (wszNewRootName[i] == L'.') {
  237. wszNewRootName[i] = L'\0';
  238. break;
  239. }
  240. }
  241. wcscat(wszNewRootName, L"$");
  242. //
  243. // Get SID representing root machine
  244. //
  245. Result = DfsFindSid(wszDcName,wszNewRootName, &Sid);
  246. if (Result == TRUE) {
  247. if (fSwDebug != 0)
  248. MyPrintf(L"Got SID for %ws\r\n", wszRootName);
  249. //
  250. // Convert the machine SID to a string
  251. //
  252. Result = ConvertSidToStringSid(Sid, &wszStringSid);
  253. if (Result == TRUE) {
  254. if (fSwDebug != 0)
  255. MyPrintf(L"Sid=[%ws]\r\n", wszStringSid);
  256. //
  257. // Now update the ACL list on the FtDfs object
  258. //
  259. DfsRemoveAce(
  260. pldap,
  261. wszObjectName,
  262. wszStringSD,
  263. wszStringSid);
  264. LocalFree(wszStringSid);
  265. }
  266. } else {
  267. dwErr = ERROR_OBJECT_NOT_FOUND;
  268. }
  269. free(wszNewRootName);
  270. } else {
  271. dwErr = ERROR_OUTOFMEMORY;
  272. }
  273. LocalFree(wszStringSD);
  274. }
  275. if (fSwDebug != 0)
  276. MyPrintf(L"DfsRemoveMachineAce exit %d\r\n", dwErr);
  277. return dwErr;
  279. }
  281. //+---------------------------------------------------------------------------
  282. //
  283. // Function: ReadDSObjSecDesc
  284. //
  285. // Synopsis: Reads the security descriptor from the specied object via
  286. // the open ldap connection
  287. //
  288. // Arguments: [pLDAP] -- The open LDAP connection
  289. // [pwszDSObj] -- The DSObject to get the security
  290. // descriptor for
  291. // [SeInfo] -- Parts of the security descriptor to
  292. // read.
  293. // [ppSD] -- Where the security descriptor is
  294. // returned
  295. // [pcSDSize -- Size of the security descriptor
  296. //
  297. // Returns: ERROR_SUCCESS -- The object is reachable
  298. // ERROR_NOT_ENOUGH_MEMORY A memory allocation failed
  299. //
  300. // Notes: The returned security descriptor must be freed with LocalFree
  301. //
  302. //----------------------------------------------------------------------------
  303. DWORD
  304. ReadDSObjSecDesc(
  305. PLDAP pLDAP,
  306. PWSTR pwszObject,
  307. SECURITY_INFORMATION SeInfo,
  308. PSECURITY_DESCRIPTOR *ppSD,
  309. PULONG pcSDSize)
  310. {
  311. DWORD dwErr = ERROR_SUCCESS;
  312. PLDAPMessage pMsg = NULL;
  313. PWSTR rgAttribs[2];
  314. BYTE berValue[8];
  316. LDAPControl SeInfoControl =
  317. {
  318. LDAP_SERVER_SD_FLAGS_OID_W,
  319. {
  320. 5, (PCHAR)berValue
  321. },
  322. TRUE
  323. };
  325. PLDAPControl ServerControls[2] =
  326. {
  327. &SeInfoControl,
  328. NULL
  329. };
  331. if (fSwDebug != 0)
  332. MyPrintf(L"ReadDSObjSecDesc(%ws)\r\n", pwszObject);
  334. berValue[0] = 0x30;
  335. berValue[1] = 0x03;
  336. berValue[2] = 0x02;
  337. berValue[3] = 0x01;
  338. berValue[4] = (BYTE)((ULONG)SeInfo & 0xF);
  341. rgAttribs[0] = ACTRL_SD_PROP_NAME;
  342. rgAttribs[1] = NULL;
  344. dwErr = ldap_search_ext_s(
  345. pLDAP,
  346. pwszObject,
  347. LDAP_SCOPE_BASE,
  348. L"(objectClass=*)",
  349. rgAttribs,
  350. 0,
  351. (PLDAPControl *)&ServerControls,
  352. NULL,
  353. NULL,
  354. 10000,
  355. &pMsg);
  357. dwErr = LdapMapErrorToWin32( dwErr );
  358. if(dwErr == ERROR_SUCCESS) {
  360. LDAPMessage *pEntry = NULL;
  361. PWSTR *ppwszValues = NULL;
  362. PLDAP_BERVAL *pSize = NULL;
  364. pEntry = ldap_first_entry(pLDAP, pMsg);
  365. if(pEntry != NULL) {
  366. //
  367. // Now, we'll have to get the values
  368. //
  369. ppwszValues = ldap_get_values(pLDAP, pEntry, rgAttribs[0]);
  370. if(ppwszValues != NULL) {
  371. pSize = ldap_get_values_len(pLDAP, pMsg, rgAttribs[0]);
  372. if(pSize != NULL) {
  373. //
  374. // Allocate the security descriptor to return
  375. //
  376. *ppSD = (PSECURITY_DESCRIPTOR)malloc((*pSize)->bv_len);
  377. if(*ppSD != NULL) {
  378. memcpy(*ppSD, (PBYTE)(*pSize)->bv_val, (*pSize)->bv_len);
  379. *pcSDSize = (*pSize)->bv_len;
  380. } else {
  381. dwErr = ERROR_NOT_ENOUGH_MEMORY;
  382. }
  383. ldap_value_free_len(pSize);
  384. } else {
  385. dwErr = LdapMapErrorToWin32( pLDAP->ld_errno );
  386. }
  387. ldap_value_free(ppwszValues);
  388. } else {
  389. dwErr = LdapMapErrorToWin32( pLDAP->ld_errno );
  390. }
  391. } else {
  392. dwErr = LdapMapErrorToWin32( pLDAP->ld_errno );
  393. }
  394. ldap_msgfree(pMsg);
  396. }
  397. if (fSwDebug != 0)
  398. MyPrintf(L"ReadDSObjSecDesc returning %d\r\n", dwErr);
  399. return(dwErr);
  400. }
  402. //+---------------------------------------------------------------------------
  403. //
  404. // Function: DfsGetObjSecurity
  405. //
  406. // Synopsis: Gets the ACL list of an object in sddl stringized form
  407. //
  408. // Arguments: [pldap] -- The open LDAP connection
  409. // [wszObjectName] -- The fully-qualified name of the DS object
  410. // [pwszStringSD] -- Pointer to pointer to SD in string form (sddl)
  411. //
  412. // Returns: ERROR_SUCCESS -- The object is reachable
  413. //
  414. //----------------------------------------------------------------------------
  415. DWORD
  416. DfsGetObjSecurity(
  417. LDAP *pldap,
  418. LPWSTR pwszObjectName,
  419. LPWSTR *pwszStringSD)
  420. {
  421. DWORD dwErr;
  422. WCHAR wszObjectName[ MAX_PATH ];
  423. SECURITY_INFORMATION si;
  424. PSECURITY_DESCRIPTOR pSD = NULL;
  425. ULONG cSDSize;
  427. if (fSwDebug != 0)
  428. MyPrintf(L"DfsGetObjSecurity(%ws)\r\n", pwszObjectName);
  430. si = DACL_SECURITY_INFORMATION;
  432. dwErr = ReadDSObjSecDesc(
  433. pldap,
  434. pwszObjectName,
  435. si,
  436. &pSD,
  437. &cSDSize);
  439. if (dwErr == ERROR_SUCCESS) {
  440. if (!ConvertSecurityDescriptorToStringSecurityDescriptor(
  441. pSD,
  442. SDDL_REVISION_1,
  443. DACL_SECURITY_INFORMATION,
  444. pwszStringSD,
  445. NULL)
  446. ) {
  447. dwErr = GetLastError();
  448. if (fSwDebug != 0)
  449. MyPrintf(L"ConvertSecurityDescriptorToStringSecurityDescriptor FAILED %d:\r\n", dwErr);
  450. }
  452. }
  454. return(dwErr);
  456. }
  458. //+---------------------------------------------------------------------------
  459. //
  460. // Function: DfsFindSid
  461. //
  462. // Synopsis: Gets the SID for a name
  463. //
  464. // [DcName] -- The DC to remote to
  465. // [Name] -- The Name of the object
  466. // [Sid] -- Pointer to pointer to returned SID, which must be freed
  467. // using LocalFree
  468. //
  469. // Returns: TRUE or FALSE
  470. //
  471. //----------------------------------------------------------------------------
  472. BOOL
  473. DfsFindSid(
  474. LPWSTR DcName,
  475. LPWSTR Name,
  476. PSID *Sid
  477. )
  478. {
  479. DWORD SidLength = 0;
  480. WCHAR DomainName[256];
  481. DWORD DomainNameLength = 256;
  482. SID_NAME_USE Use;
  483. BOOL Result;
  485. if (fSwDebug != 0)
  486. MyPrintf(L"DfsFindSid(%ws,%ws)\r\n", DcName,Name);
  488. Result = LookupAccountName(
  489. DcName,
  490. Name,
  491. (PSID)NULL,
  492. &SidLength,
  493. DomainName,
  494. &DomainNameLength,
  495. &Use);
  497. if ( !Result && (GetLastError() == ERROR_INSUFFICIENT_BUFFER) ) {
  499. *Sid = LocalAlloc( 0, SidLength );
  501. Result = LookupAccountName(
  502. NULL,
  503. Name,
  504. *Sid,
  505. &SidLength,
  506. DomainName,
  507. &DomainNameLength,
  508. &Use);
  510. }
  512. if (fSwDebug != 0)
  513. MyPrintf(L"DfsFindSid returning %s\r\n", Result == TRUE ? "TRUE" : "FALSE");
  515. return( Result );
  516. }
  518. //+---------------------------------------------------------------------------
  519. //
  520. // Function: DfsAddAce
  521. //
  522. // Synopsis: Adds a string ACE to a string version of an objects SD
  523. // object. This is a string manipulation routine.
  524. //
  525. // Arguments: [pldap] -- The open LDAP connection
  526. // [wszObjectName] -- The fully-qualified name of the DS object
  527. // [wszStringSD] -- String version of SD
  528. // [wszStringSid] -- String version of SID to add
  529. //
  530. // Returns: ERROR_SUCCESS -- ACE was added
  531. //
  532. //----------------------------------------------------------------------------
  533. DWORD
  534. DfsAddAce(
  535. LDAP *pldap,
  536. LPWSTR wszObjectName,
  537. LPWSTR wszStringSD,
  538. LPWSTR wszStringSid)
  539. {
  540. DWORD dwErr = ERROR_SUCCESS;
  541. LPWSTR wszNewStringSD = NULL;
  542. SECURITY_INFORMATION si;
  543. PSECURITY_DESCRIPTOR pSD = NULL;
  544. BOOL Result;
  545. ULONG Size = 0;
  546. ULONG cSDSize = 0;
  548. if (fSwDebug != 0)
  549. MyPrintf(L"DfsAddAce(%ws)\r\n", wszObjectName);
  551. Size = wcslen(wszStringSD) * sizeof(WCHAR) +
  552. wcslen(wszAce) * sizeof(WCHAR) +
  553. wcslen(wszStringSid) * sizeof(WCHAR) +
  554. wcslen(L")") * sizeof(WCHAR) +
  555. sizeof(WCHAR);
  557. wszNewStringSD = (LPWSTR)malloc(Size);
  559. if (wszNewStringSD != NULL) {
  560. wcscpy(wszNewStringSD,wszStringSD);
  561. wcscat(wszNewStringSD,wszAce);
  562. wcscat(wszNewStringSD,wszStringSid);
  563. wcscat(wszNewStringSD,L")");
  564. if (fSwDebug != 0)
  565. MyPrintf(L"NewSD=[%ws]\r\n", wszNewStringSD);
  566. Result = ConvertStringSecurityDescriptorToSecurityDescriptor(
  567. wszNewStringSD,
  568. SDDL_REVISION_1,
  569. &pSD,
  570. &cSDSize);
  571. if (Result == TRUE) {
  572. si = DACL_SECURITY_INFORMATION;
  573. dwErr = DfsStampSD(
  574. wszObjectName,
  575. cSDSize,
  576. si,
  577. pSD,
  578. pldap);
  579. LocalFree(pSD);
  580. } else {
  581. dwErr = GetLastError();
  582. if (fSwDebug != 0)
  583. MyPrintf(L"Convert returned %d\r\n", dwErr);
  584. }
  585. free(wszNewStringSD);
  586. } else {
  587. dwErr = ERROR_OUTOFMEMORY;
  588. }
  590. if (fSwDebug != 0)
  591. MyPrintf(L"DfsAddAce returning %d\r\n", dwErr);
  592. return(dwErr);
  594. }
  596. //+---------------------------------------------------------------------------
  597. //
  598. // Function: DfsRemoveAce
  599. //
  600. // Synopsis: Finds and removes a string ACE from the string SD of an
  601. // object. This is a string manipulation routine.
  602. //
  603. // Arguments: [pldap] -- The open LDAP connection
  604. // [wszObjectName] -- The fully-qualified name of the DS object
  605. // [wszStringSD] -- String version of SD
  606. // [wszStringSid] -- String version of SID to remove
  607. //
  608. // Returns: ERROR_SUCCESS -- ACE was removed or was not present
  609. //
  610. //----------------------------------------------------------------------------
  611. DWORD
  612. DfsRemoveAce(
  613. LDAP *pldap,
  614. LPWSTR wszObjectName,
  615. LPWSTR wszStringSD,
  616. LPWSTR wszStringSid)
  617. {
  618. DWORD dwErr = ERROR_SUCCESS;
  619. LPWSTR wszNewStringSD = NULL;
  620. SECURITY_INFORMATION si;
  621. PSECURITY_DESCRIPTOR pSD = NULL;
  622. BOOL Result;
  623. ULONG Size = 0;
  624. ULONG cSDSize = 0;
  625. BOOLEAN fCopying;
  626. ULONG s1, s2;
  628. if (fSwDebug != 0)
  629. MyPrintf(L"DfsRemoveAce(%ws)\r\n", wszObjectName);
  631. Size = wcslen(wszStringSD) * sizeof(WCHAR) + sizeof(WCHAR);
  633. wszNewStringSD = (LPWSTR)malloc(Size);
  635. if (wszNewStringSD != NULL) {
  637. RtlZeroMemory(wszNewStringSD, Size);
  639. //
  640. // We have to find the ACEs containing this SID, and remove them.
  641. //
  643. fCopying = TRUE;
  644. for (s1 = s2 = 0; wszStringSD[s1]; s1++) {
  646. //
  647. // If this is the start of an ACE that has this SID, stop copying
  648. //
  649. if (wszStringSD[s1] == L'(' && DfsSidInAce(&wszStringSD[s1],wszStringSid) == TRUE) {
  650. fCopying = FALSE;
  651. continue;
  652. }
  654. //
  655. // If this is the end of SID we are not copying, start copying again
  656. //
  657. if (wszStringSD[s1] == L')' && fCopying == FALSE) {
  658. fCopying = TRUE;
  659. continue;
  660. }
  662. //
  663. // If we are copying, do so.
  664. //
  665. if (fCopying == TRUE)
  666. wszNewStringSD[s2++] = wszStringSD[s1];
  667. }
  669. if (fSwDebug != 0)
  670. MyPrintf(L"NewSD=[%ws]\r\n", wszNewStringSD);
  671. Result = ConvertStringSecurityDescriptorToSecurityDescriptor(
  672. wszNewStringSD,
  673. SDDL_REVISION_1,
  674. &pSD,
  675. &cSDSize);
  676. if (Result == TRUE) {
  677. si = DACL_SECURITY_INFORMATION;
  678. dwErr = DfsStampSD(
  679. wszObjectName,
  680. cSDSize,
  681. si,
  682. pSD,
  683. pldap);
  684. LocalFree(pSD);
  685. } else {
  686. dwErr = GetLastError();
  687. if (fSwDebug != 0)
  688. MyPrintf(L"Convert returned %d\r\n", dwErr);
  689. }
  690. free(wszNewStringSD);
  691. } else {
  692. dwErr = ERROR_OUTOFMEMORY;
  693. }
  695. if (fSwDebug != 0)
  696. MyPrintf(L"DfsRemoveAce returning %d\r\n", dwErr);
  697. return(dwErr);
  699. }
  701. //+---------------------------------------------------------------------------
  702. //
  703. // Function: DfsSidInAce
  704. //
  705. // Synopsis: Scans an ACE to see if the string SID is in it.
  706. //
  707. // Arguments: [wszAce] -- ACE to scan
  708. // [wszStringSid] -- SID to scan for
  709. //
  710. // Returns: TRUE -- SID is in this ACE
  711. // FALSE -- SID is not in this ACE
  712. //
  713. //----------------------------------------------------------------------------
  714. BOOLEAN
  715. DfsSidInAce(
  716. LPWSTR wszAce,
  717. LPWSTR wszStringSid)
  718. {
  719. ULONG i;
  720. ULONG SidLen = wcslen(wszStringSid);
  721. ULONG AceLen;
  722. WCHAR Oldcp;
  724. for (AceLen = 0; wszAce[AceLen] && wszAce[AceLen] != L')'; AceLen++)
  725. /* NOTHING */;
  727. Oldcp = wszAce[AceLen];
  728. wszAce[AceLen] = L'\0';
  729. if (fSwDebug != 0)
  730. MyPrintf(L"DfsSidInAce(%ws),%ws)\r\n", wszAce, wszStringSid);
  731. wszAce[AceLen] = Oldcp;
  733. if (SidLen > AceLen || wszAce[0] != L'(') {
  734. if (fSwDebug != 0)
  735. MyPrintf(L"DfsSidInAce returning FALSE(1)\r\n");
  736. return FALSE;
  737. }
  739. for (i = 0; i <= (AceLen - SidLen); i++) {
  741. if (wszAce[i] == wszStringSid[0] && wcsncmp(&wszAce[i],wszStringSid,SidLen) == 0) {
  742. if (fSwDebug != 0)
  743. MyPrintf(L"DfsSidInAce returning TRUE\r\n");
  744. return TRUE;
  745. }
  747. }
  749. if (fSwDebug != 0)
  750. MyPrintf(L"DfsSidInAce returning FALSE(2)\r\n");
  751. return FALSE;
  752. }
  754. //+---------------------------------------------------------------------------
  755. //
  756. // Function: DfsStampSD
  757. //
  758. // Synopsis: Actually stamps the security descriptor on the object.
  759. //
  760. // Arguments: [pwszObject] -- The object to stamp the SD on
  761. // [cSDSize] -- The size of the security descriptor
  762. // [SeInfo] -- SecurityInformation about the security
  763. // descriptor
  764. // [pSD] -- The SD to stamp
  765. // [pLDAP] -- The LDAP connection to use
  766. //
  767. // Returns: ERROR_SUCCESS -- Success
  768. //
  769. //----------------------------------------------------------------------------
  770. DWORD
  771. DfsStampSD(
  772. PWSTR pwszObject,
  773. ULONG cSDSize,
  774. SECURITY_INFORMATION SeInfo,
  775. PSECURITY_DESCRIPTOR pSD,
  776. PLDAP pLDAP)
  777. {
  778. DWORD dwErr = ERROR_SUCCESS;
  779. PLDAPMod rgMods[2];
  780. PLDAP_BERVAL pBVals[2];
  781. LDAPMod Mod;
  782. LDAP_BERVAL BVal;
  783. BYTE ControlBuffer[ 5 ];
  785. LDAPControl SeInfoControl =
  786. {
  787. LDAP_SERVER_SD_FLAGS_OID_W,
  788. {
  789. 5, (PCHAR) &ControlBuffer
  790. },
  791. TRUE
  792. };
  794. PLDAPControl ServerControls[2] =
  795. {
  796. &SeInfoControl,
  797. NULL
  798. };
  800. if (fSwDebug != 0)
  801. MyPrintf(L"DfsStampSD(%ws,%d)\r\n", pwszObject, cSDSize);
  803. ASSERT(*(PULONG)pSD > 0xF );
  805. ControlBuffer[0] = 0x30;
  806. ControlBuffer[1] = 0x3;
  807. ControlBuffer[2] = 0x02; // Denotes an integer;
  808. ControlBuffer[3] = 0x01; // Size
  809. ControlBuffer[4] = (BYTE)((ULONG)SeInfo & 0xF);
  811. ASSERT(IsValidSecurityDescriptor( pSD ) );
  813. rgMods[0] = &Mod;
  814. rgMods[1] = NULL;
  816. pBVals[0] = &BVal;
  817. pBVals[1] = NULL;
  819. BVal.bv_len = cSDSize;
  820. BVal.bv_val = (PCHAR)pSD;
  822. Mod.mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
  823. Mod.mod_type = ACTRL_SD_PROP_NAME;
  824. Mod.mod_values = (PWSTR *)pBVals;
  826. //
  827. // Now, we'll do the write...
  828. //
  829. dwErr = ldap_modify_ext_s(pLDAP,
  830. pwszObject,
  831. rgMods,
  832. (PLDAPControl *)&ServerControls,
  833. NULL);
  835. dwErr = LdapMapErrorToWin32(dwErr);
  837. if (fSwDebug != 0)
  838. MyPrintf(L"DfsStampSD returning %d\r\n", dwErr);
  840. return(dwErr);
  841. }