archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 1b390dddff
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1b390dddff'
${ noResults }
windows-xp/Source/XPSP1/NT/admin/snapin/filemgmt/lsastuff.cpp

446 lines
11 KiB
Raw Normal View History

Add source files
4 years ago
  1. // LsaStuff.cpp
  2. //
  3. // LSA-dependent code
  4. //
  5. // HISTORY
  6. // 09-Jul-97 jonn Creation.
  7. //
  9. #include "stdafx.h"
  10. #include "DynamLnk.h" // DynamicDLL
  12. extern "C"
  13. {
  14. #define NTSTATUS LONG
  15. #define PNTSTATUS NTSTATUS*
  16. #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
  17. #define SE_SHUTDOWN_PRIVILEGE (19L)
  19. // stuff taken from ntdef.h
  20. typedef struct _UNICODE_STRING {
  21. USHORT Length;
  22. USHORT MaximumLength;
  23. #ifdef MIDL_PASS
  24. [size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
  25. #else // MIDL_PASS
  26. PWSTR Buffer;
  27. #endif // MIDL_PASS
  28. } UNICODE_STRING;
  29. typedef UNICODE_STRING *PUNICODE_STRING;
  30. typedef struct _OBJECT_ATTRIBUTES {
  31. ULONG Length;
  32. HANDLE RootDirectory;
  33. PUNICODE_STRING ObjectName;
  34. ULONG Attributes;
  35. PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
  36. PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
  37. } OBJECT_ATTRIBUTES;
  38. typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
  39. #define InitializeObjectAttributes( p, n, a, r, s ) { \
  40. (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
  41. (p)->RootDirectory = r; \
  42. (p)->Attributes = a; \
  43. (p)->ObjectName = n; \
  44. (p)->SecurityDescriptor = s; \
  45. (p)->SecurityQualityOfService = NULL; \
  46. }
  47. #define _NTDEF
  49. // from ntstatus.h
  50. #define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034L)
  52. // from lmaccess.h
  53. NET_API_STATUS NET_API_FUNCTION
  54. NetUserModalsGet (
  55. IN LPCWSTR servername OPTIONAL,
  56. IN DWORD level,
  57. OUT LPBYTE *bufptr
  58. );
  59. typedef struct _USER_MODALS_INFO_1 {
  60. DWORD usrmod1_role;
  61. LPWSTR usrmod1_primary;
  62. }USER_MODALS_INFO_1, *PUSER_MODALS_INFO_1, *LPUSER_MODALS_INFO_1;
  63. //
  64. // UAS role manifests under NETLOGON
  65. //
  66. #define UAS_ROLE_STANDALONE 0
  67. #define UAS_ROLE_MEMBER 1
  68. #define UAS_ROLE_BACKUP 2
  69. #define UAS_ROLE_PRIMARY 3
  71. #include <ntlsa.h>
  72. }
  75. #ifdef _DEBUG
  76. #define new DEBUG_NEW
  77. #undef THIS_FILE
  78. static char THIS_FILE[] = __FILE__;
  79. #endif
  82. typedef enum _Netapi32ApiIndex
  83. {
  84. BUFFERFREE_ENUM = 0,
  85. USERMODALSGET_ENUM
  86. };
  88. // not subject to localization
  89. static LPCSTR g_apchNetapi32FunctionNames[] = {
  90. "NetApiBufferFree",
  91. "NetUserModalsGet",
  92. NULL
  93. };
  95. typedef NET_API_STATUS (*BUFFERFREEPROC)(LPVOID);
  96. typedef NET_API_STATUS (*USERMODALSGETPROC)(LPCWSTR, DWORD, LPBYTE*);
  98. // not subject to localization
  99. DynamicDLL g_LSASTUFF_Netapi32DLL( _T("NETAPI32.DLL"), g_apchNetapi32FunctionNames );
  103. /*******************************************************************
  105. NAME: ::FillUnicodeString
  107. SYNOPSIS: Standalone method for filling in a UNICODE_STRING
  109. ENTRY: punistr - Unicode string to be filled in.
  110. nls - Source for filling the unistr
  112. EXIT:
  114. NOTES: punistr->Buffer is allocated here and must be deallocated
  115. by the caller using FreeUnicodeString.
  117. HISTORY:
  118. jonn 07/09/97 copied from net\ui\common\src\lmobj\lmobj\uintmem.cxx
  120. ********************************************************************/
  121. VOID FillUnicodeString( LSA_UNICODE_STRING * punistr, LPCWSTR psz )
  122. {
  123. ASSERT( NULL != punistr && NULL != psz );
  124. size_t cTchar = ::wcslen(psz);
  125. // Length and MaximumLength are counts of bytes.
  126. punistr->Length = (USHORT)(cTchar * sizeof(WCHAR));
  127. punistr->MaximumLength = punistr->Length + sizeof(WCHAR);
  128. punistr->Buffer = new WCHAR[cTchar + 1];
  129. ASSERT( NULL != punistr->Buffer );
  130. ::wcscpy( punistr->Buffer, psz );
  131. }
  133. /*******************************************************************
  135. NAME: ::FreeUnicodeString
  137. SYNOPSIS: Standalone method for freeing in a UNICODE_STRING
  139. ENTRY: unistr - Unicode string whose Buffer is to be freed.
  141. EXIT:
  143. HISTORY:
  144. jonn 07/09/97 copied from net\ui\common\src\lmobj\lmobj\uintmem.cxx
  146. ********************************************************************/
  147. VOID FreeUnicodeString( LSA_UNICODE_STRING * punistr )
  148. {
  149. ASSERT( punistr != NULL );
  150. delete punistr->Buffer;
  151. }
  155. /*******************************************************************
  157. NAME: InitObjectAttributes
  159. SYNOPSIS:
  161. This function initializes the given Object Attributes structure, including
  162. Security Quality Of Service. Memory must be allcated for both
  163. ObjectAttributes and Security QOS by the caller.
  165. ENTRY:
  167. poa - Pointer to Object Attributes to be initialized.
  169. psqos - Pointer to Security QOS to be initialized.
  171. EXIT:
  173. NOTES:
  175. HISTORY:
  176. jonn 07/09/97 copied from net\ui\common\src\lmobj\lmobj\uintlsa.cxx
  178. ********************************************************************/
  179. VOID InitObjectAttributes( PLSA_OBJECT_ATTRIBUTES poa,
  180. PSECURITY_QUALITY_OF_SERVICE psqos )
  182. {
  183. ASSERT( poa != NULL );
  184. ASSERT( psqos != NULL );
  186. psqos->Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
  187. psqos->ImpersonationLevel = SecurityImpersonation;
  188. psqos->ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
  189. psqos->EffectiveOnly = FALSE;
  191. //
  192. // Set up the object attributes prior to opening the LSA.
  193. //
  195. InitializeObjectAttributes(
  196. poa,
  197. NULL,
  198. 0L,
  199. NULL,
  200. NULL );
  202. //
  203. // The InitializeObjectAttributes macro presently stores NULL for
  204. // the psqos field, so we must manually copy that
  205. // structure for now.
  206. //
  208. poa->SecurityQualityOfService = psqos;
  209. }
  212. BOOL
  213. I_CheckLSAAccount( LSA_UNICODE_STRING* punistrServerName,
  214. LPCTSTR pszLogOnAccountName,
  215. DWORD* pdwMsgID ) // *pdsMsgID is always set if this fails
  216. {
  217. ASSERT( NULL != pdwMsgID );
  219. BOOL fSuccess = FALSE;
  220. LSA_HANDLE hlsa = NULL;
  221. LSA_HANDLE hlsaAccount = NULL;
  222. PSID psidAccount = NULL;
  224. do { // false loop
  226. //
  227. // Determine whether the target machine is a BDC, and if so, get the PDC
  228. //
  230. // if an error occurs now, it is a read error
  231. *pdwMsgID = IDS_LSAERR_READ_FAILED;
  233. //
  234. // Get LSA_POLICY handle
  235. //
  236. LSA_OBJECT_ATTRIBUTES oa;
  237. SECURITY_QUALITY_OF_SERVICE sqos;
  238. InitObjectAttributes( &oa, &sqos );
  240. NTSTATUS ntstatus = ::LsaOpenPolicy(
  241. punistrServerName,
  242. &oa,
  243. POLICY_ALL_ACCESS, // CODEWORK ??
  244. &hlsa );
  245. if ( !NT_SUCCESS(ntstatus) )
  246. break;
  248. //
  249. // Remove ".\" or "thismachine\" from the head of the account name if it is present
  250. //
  251. CString strAccountName = pszLogOnAccountName;
  252. int iBackslash = strAccountName.Find( _T('\\') );
  253. if ( -1 < iBackslash )
  254. {
  255. CString strPrefix = strAccountName.Left(iBackslash);
  256. if ( !lstrcmp(strPrefix, _T(".")) || IsLocalComputername(strPrefix) )
  257. {
  258. strAccountName = strAccountName.Mid(iBackslash+1);
  259. }
  260. }
  262. //
  263. // determine the SID of the account
  264. //
  265. PLSA_REFERENCED_DOMAIN_LIST plsardl = NULL;
  266. PLSA_TRANSLATED_SID plsasid = NULL;
  267. LSA_UNICODE_STRING unistrAccountName;
  268. ::FillUnicodeString( &unistrAccountName, strAccountName );
  269. ntstatus = ::LsaLookupNames(
  270. hlsa,
  271. 1,
  272. &unistrAccountName,
  273. &plsardl,
  274. &plsasid );
  275. ::FreeUnicodeString( &unistrAccountName );
  276. if ( !NT_SUCCESS(ntstatus) )
  277. break;
  279. //
  280. // Build the SID of the account by taking the SID of the domain
  281. // and adding at the end the RID of the account
  282. //
  283. PSID psidDomain = plsardl->Domains[0].Sid;
  284. DWORD ridAccount = plsasid[0].RelativeId;
  285. DWORD cbNewSid = ::GetLengthSid(psidDomain)+sizeof(ridAccount);
  286. psidAccount = (PSID) new BYTE[cbNewSid];
  287. ASSERT( NULL != psidAccount );
  288. (void) ::CopySid( cbNewSid, psidAccount, psidDomain );
  289. UCHAR* pcSubAuthorities = ::GetSidSubAuthorityCount( psidAccount ) ;
  290. (*pcSubAuthorities)++;
  291. DWORD* pdwSubAuthority = ::GetSidSubAuthority(
  292. psidAccount, (*pcSubAuthorities)-1 );
  293. *pdwSubAuthority = ridAccount;
  295. (void) ::LsaFreeMemory( plsardl );
  296. (void) ::LsaFreeMemory( plsasid );
  298. //
  299. // Determine whether this LSA account exists, create it if not
  300. //
  301. ntstatus = ::LsaOpenAccount( hlsa,
  302. psidAccount,
  303. ACCOUNT_ALL_ACCESS | DELETE, // CODEWORK
  304. &hlsaAccount );
  305. ULONG ulSystemAccessCurrent = 0;
  306. if (STATUS_OBJECT_NAME_NOT_FOUND == ntstatus)
  307. {
  308. // handle account-not-found case
  310. // if an error occurs now, it is a write error
  311. *pdwMsgID = IDS_LSAERR_WRITE_FAILED;
  312. ntstatus = ::LsaCreateAccount( hlsa,
  313. psidAccount,
  314. ACCOUNT_ALL_ACCESS | DELETE,
  315. &hlsaAccount );
  316. // presumably the account is created without POLICY_MODE_SERVICE privilege
  317. }
  318. else
  319. {
  320. ntstatus = ::LsaGetSystemAccessAccount( hlsaAccount, &ulSystemAccessCurrent );
  321. }
  322. if ( !NT_SUCCESS(ntstatus) )
  323. break;
  325. //
  326. // Determine whether this LSA account has POLICY_MODE_SERVICE privilege,
  327. // grant it if not
  328. //
  329. if ( POLICY_MODE_SERVICE != (ulSystemAccessCurrent & POLICY_MODE_SERVICE ) )
  330. {
  331. // if an error occurs now, it is a write error
  332. *pdwMsgID = IDS_LSAERR_WRITE_FAILED;
  334. ntstatus = ::LsaSetSystemAccessAccount(
  335. hlsaAccount,
  336. ulSystemAccessCurrent | POLICY_MODE_SERVICE );
  337. if ( !NT_SUCCESS(ntstatus) )
  338. break; // CODEWORK could check for STATUS_BACKUP_CONTROLLER
  340. // display the write-succeeded message
  341. *pdwMsgID = IDS_LSAERR_WRITE_SUCCEEDED;
  342. }
  343. else
  344. {
  345. *pdwMsgID = 0;
  346. }
  348. fSuccess = TRUE;
  350. } while (FALSE); // false loop
  352. // CODEWORK should check for special error code for NT5 non-DC
  353. // using local policy object
  355. if (NULL != hlsa)
  356. {
  357. ::LsaClose( hlsa );
  358. }
  359. if (NULL != hlsaAccount)
  360. {
  361. ::LsaClose( hlsaAccount );
  362. }
  363. if (NULL != psidAccount)
  364. {
  365. delete psidAccount;
  366. }
  368. return fSuccess;
  370. } // I_CheckLSAAccount()
  372. /////////////////////////////////////////////////////////////////////
  373. // FCheckLSAAccount()
  374. //
  375. VOID
  376. CServicePropertyData::FCheckLSAAccount()
  377. {
  378. LSA_UNICODE_STRING unistrServerName;
  379. PLSA_UNICODE_STRING punistrServerName = NULL ;
  380. USER_MODALS_INFO_1* pum1 = NULL;
  381. DWORD dwMsgID = 0;
  383. TRACE1("INFO: Checking LSA permissions for account %s...\n",
  384. (LPCTSTR)m_strLogOnAccountName);
  386. if ( !m_strMachineName.IsEmpty() )
  387. {
  388. ::FillUnicodeString( &unistrServerName, m_strMachineName );
  389. punistrServerName = &unistrServerName;
  390. }
  392. do // false loop
  393. {
  394. // check on the local machine
  395. // this will always set dwMsgID if it fails
  396. if (I_CheckLSAAccount(punistrServerName, m_strLogOnAccountName, &dwMsgID))
  397. break; // this succeeded, we can stop now
  399. // check whether this is a Backup Domain Controller
  400. if ( !g_LSASTUFF_Netapi32DLL.LoadFunctionPointers() )
  401. {
  402. ASSERT(FALSE);
  403. return;
  404. }
  405. DWORD err = ((USERMODALSGETPROC)g_LSASTUFF_Netapi32DLL[USERMODALSGET_ENUM])(
  406. (m_strMachineName.IsEmpty()) ? NULL : const_cast<LPTSTR>((LPCTSTR)m_strMachineName),
  407. 1,
  408. reinterpret_cast<LPBYTE*>(&pum1) );
  409. if (NERR_Success != err)
  410. break;
  411. ASSERT( NULL != pum1 );
  412. if (UAS_ROLE_BACKUP != pum1->usrmod1_role)
  413. break; // not a backup controller
  414. if (NULL == pum1->usrmod1_primary )
  415. {
  416. ASSERT(FALSE);
  417. break;
  418. }
  420. // Try it on the PDC
  421. (void) I_CheckLSAAccount(punistrServerName, pum1->usrmod1_primary, &dwMsgID);
  423. } while (FALSE); // false loop
  425. if ( NULL != punistrServerName )
  426. {
  427. ::FreeUnicodeString( punistrServerName );
  428. }
  430. if ( NULL != pum1 )
  431. {
  432. if ( !g_LSASTUFF_Netapi32DLL.LoadFunctionPointers() )
  433. {
  434. ASSERT(FALSE);
  435. return;
  436. }
  438. ((BUFFERFREEPROC)g_LSASTUFF_Netapi32DLL[BUFFERFREE_ENUM])( pum1 );
  439. }
  441. if (0 != dwMsgID)
  442. {
  443. DoServicesErrMsgBox( GetActiveWindow(), MB_OK | MB_ICONEXCLAMATION, 0, dwMsgID, (LPCTSTR)m_strLogOnAccountName );
  444. }
  446. } // FCheckLSAAccount()