archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 744f0b4006
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '744f0b4006'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/adsi/router/sec2var.cxx

1559 lines
39 KiB
Raw Normal View History

Add source files
4 years ago
  1. //+---------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1992 - 1995.
  5. //
  6. // File: libmain.cxx
  7. //
  8. // Contents: LibMain for nds.dll
  9. //
  10. // Functions: LibMain, DllGetClassObject
  11. //
  12. // History: 25-Oct-94 KrishnaG Created.
  13. //
  14. //----------------------------------------------------------------------------
  15. #include "oleds.hxx"
  16. #pragma hdrstop
  19. #define GetAce ADSIGetAce
  21. #define DeleteAce ADSIDeleteAce
  23. #define GetAclInformation ADSIGetAclInformation
  25. #define SetAclInformation ADSISetAclInformation
  27. #define IsValidAcl ADSIIsValidAcl
  29. #define InitializeAcl ADSIInitializeAcl
  32. extern HRESULT
  33. ConvertSidToString(
  34. PSID pSid,
  35. LPWSTR String
  36. );
  38. DWORD
  39. GetDomainDNSNameForDomain(
  40. LPWSTR pszDomainFlatName,
  41. BOOL fVerify,
  42. BOOL fWriteable,
  43. LPWSTR pszServerName,
  44. LPWSTR pszDomainDNSName
  45. );
  47. //
  48. // Helper routine.
  49. //
  50. PSID
  51. ComputeSidFromAceAddress(
  52. LPBYTE pAce
  53. );
  55. //+---------------------------------------------------------------------------
  56. // Function: GetLsaPolicyHandle - helper routine.
  57. //
  58. // Synopsis: Returns the lsa policy handle to the server in question.
  59. // If a serverName is present we will first try that. If no servername
  60. // is present we will try and connect up to the default server for the
  61. // currently logged on user. If everything else fails, we will
  62. // connnect to the local machine (NULL server).
  63. //
  64. // Arguments: pszServerName - Name of targtet server/domain or NULL.
  65. // Credentials - Credentials to use for the connection.
  66. // Currently this is not used.
  67. // phLsaPolicy - Return ptr for lsa policy handle.
  68. //
  69. // Returns: S_OK or any valid error code.
  70. //
  71. // Modifies: phLsaPolicy.
  72. //
  73. //----------------------------------------------------------------------------
  74. HRESULT
  75. GetLsaPolicyHandle(
  76. LPWSTR pszServerName,
  77. CCredentials &Credentials,
  78. PLSA_HANDLE phLsaPolicy
  79. )
  80. {
  81. HRESULT hr = S_OK;
  82. DWORD dwStatus = NO_ERROR;
  83. NTSTATUS ntStatus = STATUS_SUCCESS;
  84. DWORD dwErr;
  85. DWORD dwLen = 0;
  86. LPWSTR pszServer = NULL;
  87. BOOL fNullServer = FALSE;
  88. LSA_OBJECT_ATTRIBUTES lsaObjectAttributes;
  89. LSA_UNICODE_STRING lsaSystemName;
  90. WCHAR szDomainName[MAX_PATH];
  91. WCHAR szServerName[MAX_PATH];
  93. memset(&lsaObjectAttributes, 0, sizeof(LSA_OBJECT_ATTRIBUTES));
  95. //
  96. // First most common case of serverless paths.
  97. //
  98. if (!pszServerName) {
  99. dwStatus = GetDomainDNSNameForDomain(
  100. NULL,
  101. FALSE, // do not force verify
  102. FALSE, // does not need to be writable
  103. szServerName,
  104. szDomainName
  105. );
  107. //
  108. // If we succeeded we will use the name returned,
  109. // otherwise we will go with NULL.
  110. //
  111. if (dwStatus == NO_ERROR) {
  112. pszServer = szServerName;
  113. }
  114. else {
  115. fNullServer = TRUE;
  116. }
  117. }
  118. else {
  119. pszServer = pszServerName;
  120. }
  122. if (pszServer) {
  123. dwLen = wcslen(pszServer);
  124. }
  126. lsaSystemName.Buffer = pszServer;
  127. lsaSystemName.Length = dwLen * sizeof(WCHAR);
  128. lsaSystemName.MaximumLength = lsaSystemName.Length;
  130. //
  131. // First attempt at opening policy handle.
  132. //
  133. ntStatus = LsaOpenPolicy(
  134. &lsaSystemName,
  135. &lsaObjectAttributes,
  136. POLICY_LOOKUP_NAMES,
  137. phLsaPolicy
  138. );
  140. if (ntStatus != STATUS_SUCCESS) {
  141. //
  142. // Irrespective of failure should retry if we have not already
  143. // tried with a NULL serverName.
  144. //
  145. if (!fNullServer) {
  146. fNullServer = TRUE;
  148. lsaSystemName.Buffer = NULL;
  149. lsaSystemName.Length = 0;
  150. lsaSystemName.MaximumLength = 0;
  151. ntStatus = LsaOpenPolicy(
  152. &lsaSystemName,
  153. &lsaObjectAttributes,
  154. POLICY_LOOKUP_NAMES,
  155. phLsaPolicy
  156. );
  157. }
  159. hr = HRESULT_FROM_WIN32(
  160. LsaNtStatusToWinError(ntStatus)
  161. );
  162. BAIL_ON_FAILURE(hr);
  163. }
  165. error:
  167. RRETURN(hr);
  168. }
  170. //+---------------------------------------------------------------------------
  171. // Function: GetNamesFromSids - helper routine.
  172. //
  173. // Synopsis: Simple helper routine that calls LsaLookupSids and if the
  174. // the error returned is ERROR_SOME_NOT_MAPPED, then the hr is
  175. // set S_OK.
  176. //
  177. // Arguments: hLsaPolicy - LSA_HANDLE to do the lookup on.
  178. // pSidArray - Array of sid's top lookup.
  179. // dwSidCount - Number of sids to translate.
  180. // ppLsaRefDomList - Ret value for domain list.
  181. // ppLsaNames - Ret value for name list.
  182. //
  183. // Returns: S_OK or any valid error code.
  184. //
  185. // Modifies: n/a.
  186. //
  187. //----------------------------------------------------------------------------
  188. HRESULT
  189. GetNamesFromSids(
  190. LSA_HANDLE hLsaPolicy,
  191. PSID *pSidArray,
  192. DWORD dwSidCount,
  193. PLSA_REFERENCED_DOMAIN_LIST *ppLsaRefDomList,
  194. PLSA_TRANSLATED_NAME *ppLsaNames
  195. )
  196. {
  197. HRESULT hr;
  198. NTSTATUS ntStatus;
  200. ntStatus = LsaLookupSids(
  201. hLsaPolicy,
  202. dwSidCount,
  203. pSidArray,
  204. ppLsaRefDomList,
  205. ppLsaNames
  206. );
  208. hr = HRESULT_FROM_WIN32(LsaNtStatusToWinError(ntStatus));
  210. if (hr == HRESULT_FROM_WIN32(ERROR_SOME_NOT_MAPPED)) {
  211. hr = S_OK;
  212. }
  214. RRETURN(hr);
  215. }
  217. //+---------------------------------------------------------------------------
  218. // Function: GetNamesForSidFromArray - helper routine.
  219. //
  220. // Synopsis: Given the position of the ace and the retrun value from
  221. // LsaLookupSids, constructs the actual name of the trustee.
  222. //
  223. // Arguments: dwAceNumber - Position of the ace in the array.
  224. // pLsaRefDoms - List of reference domains.
  225. // pLsaNames - List of LSA names.
  226. // ppszFriendlyName - Return string pointer.
  227. //
  228. // Returns: S_OK or any valid error code.
  229. //
  230. // Modifies: n/a.
  231. //
  232. //----------------------------------------------------------------------------
  233. HRESULT
  234. GetNameForSidFromArray(
  235. DWORD dwAceNumber,
  236. LSA_REFERENCED_DOMAIN_LIST *pLsaRefDoms,
  237. LSA_TRANSLATED_NAME *pLsaNames,
  238. LPWSTR * ppszFriendlyName
  239. )
  240. {
  241. HRESULT hr = S_OK;
  242. DWORD dwLengthDomain;
  243. DWORD dwLengthName = 0;
  244. BOOL fDomainInvalid = FALSE;
  245. BOOL fNameInvalid = FALSE;
  246. LPWSTR pszName = NULL;
  248. *ppszFriendlyName = NULL;
  250. if (!pLsaNames) {
  251. RRETURN(hr = E_FAIL);
  252. }
  254. switch (pLsaNames[dwAceNumber].Use) {
  256. case SidTypeDomain:
  257. fNameInvalid = TRUE;
  258. break;
  260. case SidTypeInvalid:
  261. fNameInvalid = TRUE;
  262. fDomainInvalid = TRUE;
  263. break;
  265. case SidTypeUnknown:
  266. fNameInvalid = TRUE;
  267. fDomainInvalid = TRUE;
  268. break;
  270. case SidTypeWellKnownGroup:
  271. if (pLsaNames[dwAceNumber].DomainIndex < 0 ) {
  272. fDomainInvalid = TRUE;
  273. }
  274. break;
  276. default:
  277. //
  278. // Name and domain are valid.
  279. //
  280. fDomainInvalid = FALSE;
  281. fNameInvalid = FALSE;
  282. }
  284. if (!fNameInvalid) {
  285. dwLengthName = ((pLsaNames[dwAceNumber]).Name).Length + sizeof(WCHAR);
  286. }
  288. //
  289. // Process domain if valid.
  290. //
  291. if (!fDomainInvalid) {
  292. DWORD domainIndex = pLsaNames[dwAceNumber].DomainIndex;
  293. LSA_UNICODE_STRING lsaString;
  294. //
  295. // Need to make sure that the index is valid.
  296. //
  297. if (domainIndex > pLsaRefDoms->Entries) {
  298. BAIL_ON_FAILURE(hr = E_FAIL);
  299. }
  301. lsaString = ((pLsaRefDoms->Domains)[domainIndex]).Name;
  303. //
  304. // Add sizeof(WCHAR) for the trailing \0.
  305. //
  306. dwLengthDomain = lsaString.Length + sizeof(WCHAR);
  308. if (lsaString.Length > 0) {
  309. pszName = (LPWSTR) AllocADsMem( dwLengthDomain + dwLengthName);
  311. if (!pszName) {
  312. BAIL_ON_FAILURE(hr = E_OUTOFMEMORY);
  313. }
  315. memcpy(
  316. pszName,
  317. lsaString.Buffer,
  318. lsaString.Length
  319. );
  322. }
  324. }
  326. if (!fNameInvalid) {
  327. LSA_UNICODE_STRING lsaNameString = (pLsaNames[dwAceNumber]).Name;
  328. //
  329. // Length of pszName is zero if the group name is Everyone but
  330. // there is still a domain name component.
  331. //
  332. if (!fDomainInvalid
  333. && pszName
  334. && wcslen(pszName)
  335. ) {
  336. wcscat(pszName, L"\\");
  337. } else {
  338. pszName = (LPWSTR) AllocADsMem(dwLengthName);
  339. if (!pszName) {
  340. BAIL_ON_FAILURE (hr = E_OUTOFMEMORY);
  341. }
  342. }
  344. memcpy(
  345. fDomainInvalid ? pszName : (pszName + wcslen(pszName)),
  346. lsaNameString.Buffer,
  347. lsaNameString.Length
  348. );
  349. }
  351. *ppszFriendlyName = pszName;
  353. RRETURN(hr);
  355. error:
  357. if (pszName) {
  358. FreeADsMem(pszName);
  359. }
  361. RRETURN(hr);
  362. }
  364. HRESULT
  365. ConvertSecDescriptorToVariant(
  366. LPWSTR pszServerName,
  367. CCredentials& Credentials,
  368. PSECURITY_DESCRIPTOR pSecurityDescriptor,
  369. VARIANT * pVarSec,
  370. BOOL fNTDS
  371. )
  372. {
  373. IADsSecurityDescriptor * pSecDes = NULL;
  374. IDispatch * pDispatch = NULL;
  375. LPWSTR pszGroup = NULL;
  376. LPWSTR pszOwner = NULL;
  378. BOOL fOwnerDefaulted = 0;
  379. BOOL fGroupDefaulted = 0;
  380. BOOL fDaclDefaulted = 0;
  381. BOOL fSaclDefaulted = 0;
  383. BOOL fSaclPresent = 0;
  384. BOOL fDaclPresent = 0;
  386. LPBYTE pOwnerSidAddress = NULL;
  387. LPBYTE pGroupSidAddress = NULL;
  388. LPBYTE pDACLAddress = NULL;
  389. LPBYTE pSACLAddress = NULL;
  391. DWORD dwRet = 0;
  393. VARIANT varDACL;
  394. VARIANT varSACL;
  396. HRESULT hr = S_OK;
  398. DWORD dwRevision = 0;
  399. WORD wControl = 0;
  401. VariantInit(pVarSec);
  402. memset(&varSACL, 0, sizeof(VARIANT));
  403. memset(&varDACL, 0, sizeof(VARIANT));
  405. if (!pSecurityDescriptor) {
  406. RRETURN(E_FAIL);
  407. }
  410. //
  411. // Control & Revision
  412. //
  413. dwRet = GetSecurityDescriptorControl(
  414. pSecurityDescriptor,
  415. &wControl,
  416. &dwRevision
  417. );
  418. if (!dwRet){
  419. hr = HRESULT_FROM_WIN32(GetLastError());
  420. BAIL_ON_FAILURE(hr);
  421. }
  423. //
  424. // Owner
  425. //
  426. dwRet = GetSecurityDescriptorOwner(
  427. pSecurityDescriptor,
  428. (PSID *)&pOwnerSidAddress,
  429. &fOwnerDefaulted
  430. );
  432. if (!dwRet){
  433. hr = HRESULT_FROM_WIN32(GetLastError());
  434. BAIL_ON_FAILURE(hr);
  435. }
  437. if (pOwnerSidAddress) {
  438. //
  439. // For Owner and Group, we will convert the sid in old way without optimization
  440. //
  441. hr = ConvertSidToFriendlyName2(
  442. pszServerName,
  443. Credentials,
  444. pOwnerSidAddress,
  445. &pszOwner,
  446. fNTDS
  447. );
  448. BAIL_ON_FAILURE(hr);
  449. }
  452. //
  453. // Group
  454. //
  455. dwRet = GetSecurityDescriptorGroup(
  456. pSecurityDescriptor,
  457. (PSID *)&pGroupSidAddress,
  458. &fOwnerDefaulted
  459. );
  460. if (!dwRet){
  461. hr = HRESULT_FROM_WIN32(GetLastError());
  462. BAIL_ON_FAILURE(hr);
  463. }
  465. if (pGroupSidAddress) {
  466. //
  467. // For Owner and Group, we will convert the sid in old way without optimization
  468. //
  469. hr = ConvertSidToFriendlyName2(
  470. pszServerName,
  471. Credentials,
  472. pGroupSidAddress,
  473. &pszGroup,
  474. fNTDS
  475. );
  476. BAIL_ON_FAILURE(hr);
  477. }
  480. //
  481. // DACL
  482. //
  483. dwRet = GetSecurityDescriptorDacl(
  484. pSecurityDescriptor,
  485. &fDaclPresent,
  486. (PACL*)&pDACLAddress,
  487. &fDaclDefaulted
  488. );
  489. if (!dwRet){
  490. hr = HRESULT_FROM_WIN32(GetLastError());
  491. BAIL_ON_FAILURE(hr);
  492. }
  494. if (pDACLAddress) {
  496. hr = ConvertACLToVariant(
  497. pszServerName,
  498. Credentials,
  499. (PACL)pDACLAddress,
  500. &varDACL,
  501. fNTDS
  502. );
  503. BAIL_ON_FAILURE(hr);
  504. }
  506. //
  507. // SACL
  508. //
  509. dwRet = GetSecurityDescriptorSacl(
  510. pSecurityDescriptor,
  511. &fSaclPresent,
  512. (PACL *)&pSACLAddress,
  513. &fSaclDefaulted
  514. );
  515. if (!dwRet){
  516. hr = HRESULT_FROM_WIN32(GetLastError());
  517. BAIL_ON_FAILURE(hr);
  518. }
  520. if (pSACLAddress) {
  522. hr = ConvertACLToVariant(
  523. pszServerName,
  524. Credentials,
  525. (PACL)pSACLAddress,
  526. &varSACL,
  527. fNTDS
  528. );
  529. BAIL_ON_FAILURE(hr);
  530. }
  533. //
  534. // Construct an IADsSecurityDescriptor with the data
  535. // retrieved from the raw SD
  536. //
  537. hr = CoCreateInstance(
  538. CLSID_SecurityDescriptor,
  539. NULL,
  540. CLSCTX_INPROC_SERVER,
  541. IID_IADsSecurityDescriptor,
  542. (void **)&pSecDes
  543. );
  544. BAIL_ON_FAILURE(hr);
  546. hr = pSecDes->put_Owner(pszOwner);
  547. BAIL_ON_FAILURE(hr);
  549. hr = pSecDes->put_Group(pszGroup);
  550. BAIL_ON_FAILURE(hr);
  552. hr = pSecDes->put_Revision(dwRevision);
  553. BAIL_ON_FAILURE(hr);
  555. hr = pSecDes->put_Control((DWORD)wControl);
  556. BAIL_ON_FAILURE(hr);
  558. hr = pSecDes->put_DiscretionaryAcl(V_DISPATCH(&varDACL));
  559. BAIL_ON_FAILURE(hr);
  561. hr = pSecDes->put_SystemAcl(V_DISPATCH(&varSACL));
  562. BAIL_ON_FAILURE(hr);
  564. hr = pSecDes->QueryInterface(IID_IDispatch, (void**)&pDispatch);
  565. BAIL_ON_FAILURE(hr);
  567. //
  568. // Construct a VARIANT with the IADsSecurityDescriptor
  569. //
  570. V_VT(pVarSec) = VT_DISPATCH;
  571. V_DISPATCH(pVarSec) = pDispatch;
  573. error:
  574. VariantClear(&varSACL);
  575. VariantClear(&varDACL);
  577. if (pszOwner) {
  578. FreeADsStr(pszOwner);
  579. }
  581. if (pszGroup) {
  582. FreeADsStr(pszGroup);
  583. }
  586. if (pSecDes) {
  587. pSecDes->Release();
  588. }
  590. RRETURN(hr);
  591. }
  594. HRESULT
  595. ConvertSidToFriendlyName(
  596. LPWSTR pszServerName,
  597. CCredentials& Credentials,
  598. PSID pSid,
  599. LPWSTR * ppszAccountName,
  600. BOOL fNTDS
  601. )
  602. {
  603. HRESULT hr = S_OK;
  604. SID_NAME_USE eUse;
  605. WCHAR szAccountName[MAX_PATH];
  606. WCHAR szDomainName[MAX_PATH];
  607. WCHAR szServerName[MAX_PATH];
  608. DWORD dwLen = 0;
  609. DWORD dwRet = 0;
  611. LPWSTR pszAccountName = NULL;
  613. DWORD dwAcctLen = 0;
  614. DWORD dwDomainLen = 0;
  616. #if 0
  617. /**************************************************************
  619. //
  620. // parse Trustee and determine whether its NTDS or U2
  621. //
  623. if (fNTDS) {
  625. dwAcctLen = sizeof(szAccountName);
  626. dwDomainLen = sizeof(szDomainName);
  628. dwRet = LookupAccountSid(
  629. pszServerName,
  630. pSid,
  631. szAccountName,
  632. &dwAcctLen,
  633. szDomainName,
  634. &dwDomainLen,
  635. (PSID_NAME_USE)&eUse
  636. );
  638. //
  639. // Try with NULL server name if we have not already
  640. // done that for error cases.
  641. //
  642. if (!dwRet && pszServerName) {
  643. dwRet = LookupAccountSid(
  644. NULL,
  645. pSid,
  646. szAccountName,
  647. &dwAcctLen,
  648. szDomainName,
  649. &dwDomainLen,
  650. (PSID_NAME_USE)&eUse
  651. );
  652. }
  654. //
  655. // If using serverless paths, try it on the DC if it
  656. // failed (which will happen if we're trying to resolve
  657. // something like "BUILTIN\Print Operators" on a member
  658. // computer)
  659. //
  660. if (!dwRet && !pszServerName) {
  662. dwAcctLen = sizeof(szAccountName);
  663. dwDomainLen = sizeof(szDomainName);
  666. DWORD dwStatus = GetDomainDNSNameForDomain(
  667. NULL,
  668. FALSE, // don't force verify
  669. FALSE, // not writable
  670. szServerName,
  671. szDomainName
  672. );
  674. if (dwStatus == NO_ERROR) {
  676. dwRet = LookupAccountSid(
  677. szServerName,
  678. pSid,
  679. szAccountName,
  680. &dwAcctLen,
  681. szDomainName,
  682. &dwDomainLen,
  683. (PSID_NAME_USE)&eUse
  684. );
  686. //
  687. // If the lookup failed because the server was unavailable, try to get
  688. // the server again, this time forcing DsGetDcName to do rediscovery
  689. //
  690. if (!dwRet && (GetLastError() == RPC_S_SERVER_UNAVAILABLE)) {
  692. dwStatus = GetDomainDNSNameForDomain(
  693. NULL,
  694. TRUE, // force verify
  695. FALSE,// not writable
  696. szServerName,
  697. szDomainName
  698. );
  700. if (dwStatus == NO_ERROR) {
  702. dwRet = LookupAccountSid(
  703. szServerName,
  704. pSid,
  705. szAccountName,
  706. &dwAcctLen,
  707. szDomainName,
  708. &dwDomainLen,
  709. (PSID_NAME_USE)&eUse
  710. );
  711. }
  712. }
  713. }
  714. }
  716. if (!dwRet) {
  717. hr = HRESULT_FROM_WIN32(GetLastError());
  718. }else {
  720. dwLen = wcslen(szAccountName) + wcslen(szDomainName) + 1 + 1;
  722. pszAccountName = (LPWSTR)AllocADsMem(dwLen * sizeof(WCHAR));
  723. if (!pszAccountName) {
  724. hr = E_OUTOFMEMORY;
  725. BAIL_ON_FAILURE(hr);
  726. }
  728. if (szDomainName[0] && szAccountName[0]) {
  729. wsprintf(pszAccountName,L"%s\\%s",szDomainName, szAccountName);
  730. }else if (szAccountName[0]) {
  731. wsprintf(pszAccountName,L"%s", szAccountName);
  732. }
  734. *ppszAccountName = pszAccountName;
  736. }
  738. }else {
  739. *****************************************************************/
  740. #endif
  742. if (!fNTDS) {
  744. hr = ConvertSidToU2Trustee(
  745. pszServerName,
  746. Credentials,
  747. pSid,
  748. szAccountName
  749. );
  751. if (SUCCEEDED(hr)) {
  753. pszAccountName = AllocADsStr(szAccountName);
  754. if (!pszAccountName) {
  755. hr = E_OUTOFMEMORY;
  756. BAIL_ON_FAILURE(hr);
  757. }
  759. *ppszAccountName = pszAccountName;
  761. }
  763. }
  764. else {
  765. //
  766. // This is NTDS case where we need to stringize SID.
  767. //
  768. hr = E_FAIL;
  769. }
  772. if (FAILED(hr)) {
  774. hr = ConvertSidToString(
  775. pSid,
  776. szAccountName
  777. );
  778. BAIL_ON_FAILURE(hr);
  779. pszAccountName = AllocADsStr(szAccountName);
  780. if (!pszAccountName) {
  781. hr = E_OUTOFMEMORY;
  782. BAIL_ON_FAILURE(hr);
  783. }
  785. *ppszAccountName = pszAccountName;
  786. }
  789. error:
  791. RRETURN(hr);
  792. }
  794. HRESULT
  795. ConvertSidToFriendlyName2(
  796. LPWSTR pszServerName,
  797. CCredentials& Credentials,
  798. PSID pSid,
  799. LPWSTR * ppszAccountName,
  800. BOOL fNTDS
  801. )
  802. {
  803. HRESULT hr = S_OK;
  804. SID_NAME_USE eUse;
  805. WCHAR szAccountName[MAX_PATH];
  806. WCHAR szDomainName[MAX_PATH];
  807. WCHAR szServerName[MAX_PATH];
  808. DWORD dwLen = 0;
  809. DWORD dwRet = 0;
  811. LPWSTR pszAccountName = NULL;
  813. DWORD dwAcctLen = 0;
  814. DWORD dwDomainLen = 0;
  817. //
  818. // parse Trustee and determine whether its NTDS or U2
  819. //
  821. if (fNTDS) {
  823. dwAcctLen = sizeof(szAccountName);
  824. dwDomainLen = sizeof(szDomainName);
  826. //
  827. // Servername is specified
  828. //
  829. if (pszServerName) {
  831. dwRet = LookupAccountSid(
  832. pszServerName,
  833. pSid,
  834. szAccountName,
  835. &dwAcctLen,
  836. szDomainName,
  837. &dwDomainLen,
  838. (PSID_NAME_USE)&eUse
  839. );
  841. }
  842. //
  843. // Servername not specified
  844. //
  845. else {
  847. //
  848. // If using serverless paths, try it first on the DC
  849. //
  851. DWORD dwStatus = GetDomainDNSNameForDomain(
  852. NULL,
  853. FALSE, // don't force verify
  854. FALSE, // not writable
  855. szServerName,
  856. szDomainName
  857. );
  859. if (dwStatus == NO_ERROR) {
  861. dwRet = LookupAccountSid(
  862. szServerName,
  863. pSid,
  864. szAccountName,
  865. &dwAcctLen,
  866. szDomainName,
  867. &dwDomainLen,
  868. (PSID_NAME_USE)&eUse
  869. );
  871. //
  872. // If the lookup failed because the server was unavailable, try to get
  873. // the server again, this time forcing DsGetDcName to do rediscovery
  874. //
  875. if (!dwRet && (GetLastError() == RPC_S_SERVER_UNAVAILABLE)) {
  877. dwStatus = GetDomainDNSNameForDomain(
  878. NULL,
  879. TRUE, // force verify
  880. FALSE,// not writable
  881. szServerName,
  882. szDomainName
  883. );
  885. if (dwStatus == NO_ERROR) {
  887. dwRet = LookupAccountSid(
  888. szServerName,
  889. pSid,
  890. szAccountName,
  891. &dwAcctLen,
  892. szDomainName,
  893. &dwDomainLen,
  894. (PSID_NAME_USE)&eUse
  895. );
  896. }
  897. }
  898. }
  899. }
  901. //
  902. // At last try with NULL server name
  903. //
  904. if (!dwRet) {
  906. dwAcctLen = sizeof(szAccountName);
  907. dwDomainLen = sizeof(szDomainName);
  909. dwRet = LookupAccountSid(
  910. NULL,
  911. pSid,
  912. szAccountName,
  913. &dwAcctLen,
  914. szDomainName,
  915. &dwDomainLen,
  916. (PSID_NAME_USE)&eUse
  917. );
  918. }
  920. if (!dwRet) {
  921. hr = HRESULT_FROM_WIN32(GetLastError());
  922. }else {
  924. dwLen = wcslen(szAccountName) + wcslen(szDomainName) + 1 + 1;
  926. pszAccountName = (LPWSTR)AllocADsMem(dwLen * sizeof(WCHAR));
  927. if (!pszAccountName) {
  928. hr = E_OUTOFMEMORY;
  929. BAIL_ON_FAILURE(hr);
  930. }
  932. if (szDomainName[0] && szAccountName[0]) {
  933. wsprintf(pszAccountName,L"%s\\%s",szDomainName, szAccountName);
  934. }else if (szAccountName[0]) {
  935. wsprintf(pszAccountName,L"%s", szAccountName);
  936. }
  938. *ppszAccountName = pszAccountName;
  940. }
  942. }
  944. else {
  946. hr = ConvertSidToU2Trustee(
  947. pszServerName,
  948. Credentials,
  949. pSid,
  950. szAccountName
  951. );
  953. if (SUCCEEDED(hr)) {
  955. pszAccountName = AllocADsStr(szAccountName);
  956. if (!pszAccountName) {
  957. hr = E_OUTOFMEMORY;
  958. BAIL_ON_FAILURE(hr);
  959. }
  961. *ppszAccountName = pszAccountName;
  963. }
  965. }
  968. if (FAILED(hr)) {
  970. hr = ConvertSidToString(
  971. pSid,
  972. szAccountName
  973. );
  974. BAIL_ON_FAILURE(hr);
  975. pszAccountName = AllocADsStr(szAccountName);
  976. if (!pszAccountName) {
  977. hr = E_OUTOFMEMORY;
  978. BAIL_ON_FAILURE(hr);
  979. }
  981. *ppszAccountName = pszAccountName;
  982. }
  985. error:
  987. RRETURN(hr);
  988. }
  992. HRESULT
  993. ConvertACLToVariant(
  994. LPWSTR pszServerName,
  995. CCredentials& Credentials,
  996. PACL pACL,
  997. PVARIANT pvarACL,
  998. BOOL fNTDS
  999. )
  1000. {
  1001. IADsAccessControlList * pAccessControlList = NULL;
  1002. IDispatch * pDispatch = NULL;
  1003. LPWSTR pszFriendlyName = NULL;
  1005. VARIANT varAce;
  1006. DWORD dwAclSize = 0;
  1007. DWORD dwAclRevision = 0;
  1008. DWORD dwAceCount = 0;
  1010. ACL_SIZE_INFORMATION AclSize;
  1011. ACL_REVISION_INFORMATION AclRevision;
  1012. DWORD dwStatus = 0;
  1014. DWORD i = 0;
  1015. DWORD dwNewAceCount = 0;
  1017. HRESULT hr = S_OK;
  1018. LPBYTE pAceAddress = NULL;
  1019. LSA_HANDLE hLsaPolicy = NULL;
  1020. PLSA_REFERENCED_DOMAIN_LIST pLsaRefDomList = NULL;
  1021. PLSA_TRANSLATED_NAME pLsaNames = NULL;
  1023. PSID *pSidArray = NULL;
  1026. memset(&AclSize, 0, sizeof(ACL_SIZE_INFORMATION));
  1027. memset(&AclRevision, 0, sizeof(ACL_REVISION_INFORMATION));
  1030. dwStatus = GetAclInformation(
  1031. pACL,
  1032. &AclSize,
  1033. sizeof(ACL_SIZE_INFORMATION),
  1034. AclSizeInformation
  1035. );
  1036. //
  1037. // Status should be nonzero for success
  1038. //
  1039. if (!dwStatus) {
  1040. hr = HRESULT_FROM_WIN32(GetLastError());
  1041. BAIL_ON_FAILURE(hr);
  1042. }
  1044. dwStatus = GetAclInformation(
  1045. pACL,
  1046. &AclRevision,
  1047. sizeof(ACL_REVISION_INFORMATION),
  1048. AclRevisionInformation
  1049. );
  1050. if (!dwStatus) {
  1051. hr = HRESULT_FROM_WIN32(GetLastError());
  1052. BAIL_ON_FAILURE(hr);
  1053. }
  1055. dwAceCount = AclSize.AceCount;
  1056. dwAclRevision = AclRevision.AclRevision;
  1058. VariantInit(pvarACL);
  1060. hr = CoCreateInstance(
  1061. CLSID_AccessControlList,
  1062. NULL,
  1063. CLSCTX_INPROC_SERVER,
  1064. IID_IADsAccessControlList,
  1065. (void **)&pAccessControlList
  1066. );
  1067. BAIL_ON_FAILURE(hr);
  1070. //
  1071. // Do this only when we actually have ACE
  1072. //
  1073. if(dwAceCount > 0) {
  1076. //
  1077. // Sid lookup can be optimized only for NT style SD's.
  1078. // SiteServer style SD's will continue to be processed as before.
  1079. //
  1080. if (fNTDS) {
  1081. //
  1082. // To speed up the conversion of SID's to trustees, an array of
  1083. // SID's to lookup is built and the whole array processed in one
  1084. // shot. Then the result of the Lookup is used in contstructing
  1085. // the individual ACE's.
  1086. //
  1088. pSidArray = (PSID*) AllocADsMem(sizeof(PSID) * dwAceCount);
  1089. if (!pSidArray) {
  1090. BAIL_ON_FAILURE(hr = E_OUTOFMEMORY);
  1091. }
  1093. for (i = 0; i < dwAceCount; i++) {
  1094. dwStatus = GetAce(pACL, i , (void **) &pAceAddress);
  1095. if (!dwStatus) {
  1096. BAIL_ON_FAILURE(hr = HRESULT_FROM_WIN32(GetLastError()));
  1097. }
  1099. pSidArray[i] = ComputeSidFromAceAddress(pAceAddress);
  1101. //
  1102. // Sanity check we should always have valid data.
  1103. //
  1104. if (!pSidArray[i]) {
  1105. BAIL_ON_FAILURE(hr = E_FAIL);
  1106. }
  1107. }
  1109. hr = GetLsaPolicyHandle(
  1110. pszServerName,
  1111. Credentials,
  1112. &hLsaPolicy
  1113. );
  1115. //
  1116. // Should we just convert to string SID's ?
  1117. //
  1118. BAIL_ON_FAILURE(hr);
  1120. hr = GetNamesFromSids(
  1121. hLsaPolicy,
  1122. pSidArray,
  1123. dwAceCount,
  1124. &pLsaRefDomList,
  1125. &pLsaNames
  1126. );
  1127. BAIL_ON_FAILURE(hr);
  1130. }
  1132. for (i = 0; i < dwAceCount; i++) {
  1134. if (pszFriendlyName) {
  1135. FreeADsStr(pszFriendlyName);
  1136. pszFriendlyName = NULL;
  1137. }
  1139. dwStatus = GetAce(pACL, i, (void **)&pAceAddress);
  1141. //
  1142. // Need to verify we got back the ace correctly.
  1143. //
  1144. if (!dwStatus) {
  1145. BAIL_ON_FAILURE(hr = HRESULT_FROM_WIN32(GetLastError()));
  1146. }
  1148. if(fNTDS) {
  1149. hr = GetNameForSidFromArray(
  1150. i,
  1151. pLsaRefDomList,
  1152. pLsaNames,
  1153. &pszFriendlyName
  1154. );
  1155. }
  1157. //
  1158. // We can ignore the failure.
  1159. // On failure pszFriendlyName is set to NULL in which case
  1160. // we will convert to stringised sid format (for NTDS of course).
  1161. //
  1162. hr = ConvertAceToVariant(
  1163. pszServerName,
  1164. pszFriendlyName,
  1165. Credentials,
  1166. pAceAddress,
  1167. (PVARIANT)&varAce,
  1168. fNTDS
  1169. );
  1170. //
  1171. // If we cannot convert an ACE we should error out.
  1172. //
  1173. BAIL_ON_FAILURE(hr);
  1175. hr = pAccessControlList->AddAce(V_DISPATCH(&varAce));
  1177. BAIL_ON_FAILURE(hr);
  1179. dwNewAceCount++;
  1181. VariantClear(&varAce);
  1182. }
  1184. }
  1186. pAccessControlList->put_AclRevision(dwAclRevision);
  1188. pAccessControlList->put_AceCount(dwNewAceCount);
  1191. hr = pAccessControlList->QueryInterface(
  1192. IID_IDispatch,
  1193. (void **)&pDispatch
  1194. );
  1195. V_VT(pvarACL) = VT_DISPATCH;
  1196. V_DISPATCH(pvarACL) = pDispatch;
  1198. error:
  1200. if (pAccessControlList) {
  1202. pAccessControlList->Release();
  1203. }
  1205. if (pszFriendlyName) {
  1206. FreeADsStr(pszFriendlyName);
  1207. }
  1209. if (pLsaNames) {
  1210. LsaFreeMemory(pLsaNames);
  1211. }
  1212. if (pLsaRefDomList) {
  1213. LsaFreeMemory(pLsaRefDomList);
  1214. }
  1215. if (hLsaPolicy) {
  1216. LsaClose(hLsaPolicy);
  1217. }
  1219. if(pSidArray) {
  1220. FreeADsMem(pSidArray);
  1221. }
  1224. RRETURN(hr);
  1225. }
  1229. HRESULT
  1230. ConvertAceToVariant(
  1231. LPWSTR pszServerName,
  1232. LPWSTR pszTrusteeName,
  1233. CCredentials& Credentials,
  1234. PBYTE pAce,
  1235. PVARIANT pvarAce,
  1236. BOOL fNTDS
  1237. )
  1238. {
  1239. IADsAccessControlEntry * pAccessControlEntry = NULL;
  1240. IDispatch * pDispatch = NULL;
  1241. IADsAcePrivate *pPrivAce = NULL;
  1243. DWORD dwAceType = 0;
  1244. DWORD dwAceFlags = 0;
  1245. DWORD dwAccessMask = 0;
  1246. DWORD dwLenSid = 0;
  1247. DWORD dwErr = 0;
  1248. LPWSTR pszAccountName = NULL;
  1249. PACE_HEADER pAceHeader = NULL;
  1250. LPBYTE pSidAddress = NULL;
  1251. LPBYTE pOffset = NULL;
  1252. DWORD dwFlags = 0;
  1254. GUID ObjectGUID;
  1255. GUID InheritedObjectGUID;
  1256. BSTR bstrObjectGUID = NULL;
  1257. BSTR bstrInheritedObjectGUID = NULL;
  1259. HRESULT hr = S_OK;
  1261. VariantInit(pvarAce);
  1263. hr = CoCreateInstance(
  1264. CLSID_AccessControlEntry,
  1265. NULL,
  1266. CLSCTX_INPROC_SERVER,
  1267. IID_IADsAccessControlEntry,
  1268. (void **)&pAccessControlEntry
  1269. );
  1270. BAIL_ON_FAILURE(hr);
  1272. pAceHeader = (ACE_HEADER *)pAce;
  1275. dwAceType = pAceHeader->AceType;
  1276. dwAceFlags = pAceHeader->AceFlags;
  1277. dwAccessMask = *(PACCESS_MASK)((LPBYTE)pAceHeader + sizeof(ACE_HEADER));
  1279. switch (dwAceType) {
  1281. case ACCESS_ALLOWED_ACE_TYPE:
  1282. case ACCESS_DENIED_ACE_TYPE:
  1283. case SYSTEM_AUDIT_ACE_TYPE:
  1284. case SYSTEM_ALARM_ACE_TYPE:
  1285. pSidAddress = (LPBYTE)pAceHeader + sizeof(ACE_HEADER) + sizeof(ACCESS_MASK);
  1286. break;
  1288. case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
  1289. case ACCESS_DENIED_OBJECT_ACE_TYPE:
  1290. case SYSTEM_AUDIT_OBJECT_ACE_TYPE:
  1291. case SYSTEM_ALARM_OBJECT_ACE_TYPE:
  1292. pOffset = (LPBYTE)((LPBYTE)pAceHeader + sizeof(ACE_HEADER) + sizeof(ACCESS_MASK));
  1293. dwFlags = (DWORD)(*(PDWORD)pOffset);
  1295. //
  1296. // Now advance by the size of the flags
  1297. //
  1298. pOffset += sizeof(ULONG);
  1300. if (dwFlags & ACE_OBJECT_TYPE_PRESENT) {
  1302. memcpy(&ObjectGUID, pOffset, sizeof(GUID));
  1304. hr = BuildADsGuid(ObjectGUID, &bstrObjectGUID);
  1305. BAIL_ON_FAILURE(hr);
  1307. pOffset += sizeof (GUID);
  1309. }
  1311. if (dwFlags & ACE_INHERITED_OBJECT_TYPE_PRESENT) {
  1312. memcpy(&InheritedObjectGUID, pOffset, sizeof(GUID));
  1314. hr = BuildADsGuid(InheritedObjectGUID, &bstrInheritedObjectGUID);
  1315. BAIL_ON_FAILURE(hr);
  1317. pOffset += sizeof (GUID);
  1319. }
  1321. pSidAddress = pOffset;
  1322. break;
  1324. default:
  1325. break;
  1327. }
  1329. if (pSidAddress) {
  1330. //
  1331. // Nt4 does not reset the last error correctly.
  1332. //
  1333. SetLastError(NO_ERROR);
  1335. dwLenSid = GetLengthSid(pSidAddress);
  1337. if ((dwErr = GetLastError()) != NO_ERROR) {
  1338. BAIL_ON_FAILURE(hr = HRESULT_FROM_WIN32(dwErr));
  1339. }
  1340. }
  1341. else {
  1342. //
  1343. // We should always have a valid sid address here.
  1344. // Should we be bailing here ? Or for that matter,
  1345. // should be bail on the default cluase of the switch ?
  1346. //
  1347. dwLenSid = 0;
  1348. }
  1350. //
  1351. // Call the old function only if we could not resolve the name
  1352. //
  1353. if (!pszTrusteeName) {
  1354. hr = ConvertSidToFriendlyName(
  1355. pszServerName,
  1356. Credentials,
  1357. pSidAddress,
  1358. &pszAccountName,
  1359. fNTDS
  1360. );
  1361. }
  1363. if (FAILED(hr)){
  1364. pszAccountName = AllocADsStr(L"Unknown Trustee");
  1365. if (!pszAccountName) {
  1366. hr = E_OUTOFMEMORY;
  1367. BAIL_ON_FAILURE(hr);
  1368. }
  1369. }
  1371. //
  1372. // Now set all the information in the Access Control Entry
  1373. //
  1375. hr = pAccessControlEntry->put_AccessMask(dwAccessMask);
  1376. hr = pAccessControlEntry->put_AceFlags(dwAceFlags);
  1377. hr = pAccessControlEntry->put_AceType(dwAceType);
  1379. //
  1380. // Extended ACE information
  1381. //
  1382. hr = pAccessControlEntry->put_Flags(dwFlags);
  1384. if (dwFlags & ACE_OBJECT_TYPE_PRESENT) {
  1386. //
  1387. // Add in the Object Type GUID
  1388. //
  1389. hr = pAccessControlEntry->put_ObjectType(bstrObjectGUID);
  1391. }
  1393. if (dwFlags & ACE_INHERITED_OBJECT_TYPE_PRESENT) {
  1395. //
  1396. // Add in the Inherited Object Type GUID
  1397. //
  1399. hr = pAccessControlEntry->put_InheritedObjectType(
  1400. bstrInheritedObjectGUID
  1401. );
  1402. }
  1404. //
  1405. // This is a string, so need to check the ecode. We use the
  1406. // friendlyName if that was set and if not the pszAccountName.
  1407. //
  1408. hr = pAccessControlEntry->put_Trustee(
  1409. pszTrusteeName ?
  1410. pszTrusteeName :
  1411. pszAccountName
  1412. );
  1413. BAIL_ON_FAILURE(hr);
  1415. if (pSidAddress) {
  1416. //
  1417. // We should now put the SID on this ACE for quick reverse lookup.
  1418. //
  1419. hr = pAccessControlEntry->QueryInterface(
  1420. IID_IADsAcePrivate,
  1421. (void **)&pPrivAce
  1422. );
  1424. if SUCCEEDED(hr) {
  1427. hr = pPrivAce->putSid(
  1428. pSidAddress,
  1429. dwLenSid
  1430. );
  1431. }
  1432. //
  1433. // No bail on failure here as it is not a critical failure
  1434. //
  1435. }
  1437. hr = pAccessControlEntry->QueryInterface(
  1438. IID_IDispatch,
  1439. (void **)&pDispatch
  1440. );
  1441. BAIL_ON_FAILURE(hr);
  1443. V_DISPATCH(pvarAce) = pDispatch;
  1444. V_VT(pvarAce) = VT_DISPATCH;
  1446. cleanup:
  1448. if (pszAccountName) {
  1449. FreeADsStr(pszAccountName);
  1450. }
  1452. if (pAccessControlEntry) {
  1453. pAccessControlEntry->Release();
  1454. }
  1456. if (pPrivAce) {
  1457. pPrivAce->Release();
  1458. }
  1460. if (bstrObjectGUID) {
  1461. ADsFreeString(bstrObjectGUID);
  1462. }
  1464. if (bstrInheritedObjectGUID) {
  1465. ADsFreeString(bstrInheritedObjectGUID);
  1466. }
  1468. RRETURN(hr);
  1471. error:
  1473. if (pDispatch) {
  1475. pDispatch->Release();
  1477. }
  1479. goto cleanup;
  1480. }
  1483. //+---------------------------------------------------------------------------
  1484. // Function: ComputeSidFromAceAddress - helper routine.
  1485. //
  1486. // Synopsis: Returns the pointer to the SID, given a ptr to an ACE.
  1487. //
  1488. // Arguments: pAce - ptr to the ACE.
  1489. //
  1490. // Returns: NULL on error or valid PSID.
  1491. //
  1492. // Modifies: N/A.
  1493. //
  1494. //----------------------------------------------------------------------------
  1495. PSID
  1496. ComputeSidFromAceAddress(
  1497. LPBYTE pAce
  1498. )
  1499. {
  1500. PSID pSidRetVal = NULL;
  1501. PACE_HEADER pAceHeader = NULL;
  1502. LPBYTE pOffset = NULL;
  1503. DWORD dwAceType, dwAceFlags, dwAccessMask;
  1504. DWORD dwFlags;
  1506. pAceHeader = (ACE_HEADER *)pAce;
  1508. dwAceType = pAceHeader->AceType;
  1509. dwAceFlags = pAceHeader->AceFlags;
  1510. dwAccessMask = *(PACCESS_MASK)((LPBYTE)pAceHeader + sizeof(ACE_HEADER));
  1512. switch (dwAceType) {
  1514. case ACCESS_ALLOWED_ACE_TYPE:
  1515. case ACCESS_DENIED_ACE_TYPE:
  1516. case SYSTEM_AUDIT_ACE_TYPE:
  1517. case SYSTEM_ALARM_ACE_TYPE:
  1518. pSidRetVal = (LPBYTE)pAceHeader
  1519. + sizeof(ACE_HEADER)
  1520. + sizeof(ACCESS_MASK);
  1521. break;
  1523. case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
  1524. case ACCESS_DENIED_OBJECT_ACE_TYPE:
  1525. case SYSTEM_AUDIT_OBJECT_ACE_TYPE:
  1526. case SYSTEM_ALARM_OBJECT_ACE_TYPE:
  1527. pOffset = (LPBYTE)((LPBYTE)pAceHeader
  1528. + sizeof(ACE_HEADER)
  1529. + sizeof(ACCESS_MASK)
  1530. );
  1531. dwFlags = (DWORD)(*(PDWORD)pOffset);
  1533. //
  1534. // Now advance by the size of the flags
  1535. //
  1536. pOffset += sizeof(ULONG);
  1538. if (dwFlags & ACE_OBJECT_TYPE_PRESENT) {
  1540. pOffset += sizeof (GUID);
  1542. }
  1544. if (dwFlags & ACE_INHERITED_OBJECT_TYPE_PRESENT) {
  1546. pOffset += sizeof (GUID);
  1548. }
  1550. pSidRetVal = pOffset;
  1551. break;
  1553. default:
  1554. break;
  1556. } // end of switch case.
  1558. return pSidRetVal;
  1559. }