|
|
//+---------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1992 - 1995.
//
// File: libmain.cxx
//
// Contents: LibMain for nds.dll
//
// Functions: LibMain, DllGetClassObject
//
// History: 25-Oct-94 KrishnaG Created.
//
//----------------------------------------------------------------------------
#include "oleds.hxx"
#pragma hdrstop
CRITICAL_SECTION g_StringsCriticalSection;WCHAR g_szBuiltin[100];WCHAR g_szNT_Authority[100];WCHAR g_szAccountOperators[100];WCHAR g_szPrintOperators[100];WCHAR g_szBackupOperators[100];WCHAR g_szServerOperators[100];WCHAR g_szPreWindows2000[100];
BOOL g_fStringsLoaded = FALSE;
//
// Global variables for dynamically loaded fn's.
//
HANDLE g_hDllAdvapi32 = NULL;BOOL g_fDllsLoaded = FALSE;
extern "C" {
HRESULT ConvertSidToString( PSID pSid, LPWSTR String );}
DWORDGetDomainDNSNameForDomain( LPWSTR pszDomainFlatName, BOOL fVerify, BOOL fWriteable, LPWSTR pszServerName, LPWSTR pszDomainDNSName );
#define GetAce ADSIGetAce
#define AddAce ADSIAddAce
#define DeleteAce ADSIDeleteAce
#define GetAclInformation ADSIGetAclInformation
#define SetAclInformation ADSISetAclInformation
#define IsValidAcl ADSIIsValidAcl
#define InitializeAcl ADSIInitializeAcl
#define SetSecurityDescriptorControl ADSISetControlSecurityDescriptor
#define SE_VALID_CONTROL_BITS ( SE_DACL_UNTRUSTED | \
SE_SERVER_SECURITY | \ SE_DACL_AUTO_INHERIT_REQ | \ SE_SACL_AUTO_INHERIT_REQ | \ SE_DACL_AUTO_INHERITED | \ SE_SACL_AUTO_INHERITED | \ SE_DACL_PROTECTED | \ SE_SACL_PROTECTED )
BOOLEquivalentServers( LPWSTR pszTargetServer, LPWSTR pszSourceServer );
HRESULTSecCreateSidFromArray ( OUT PSID *PPSid, IN PSID_IDENTIFIER_AUTHORITY PSidAuthority, IN UCHAR SubAuthorityCount, IN ULONG SubAuthorities[], OUT PDWORD pdwSidSize );
HRESULTConvertStringToSid( IN PWSTR string, OUT PSID *sid, OUT PDWORD pdwSidSize, OUT PWSTR *end );
HRESULTAddFilteredACEs( PACL pAcl, DWORD dwAclRevision, PACE_HEADER *ppAceHdr, DWORD dwCountACEs, DWORD *pdwAclPosition, BOOL fInheritedACEs, BOOL fDenyACEs, BOOL fDenyObjectACEs, BOOL fGrantACEs, BOOL fGrantObjectACEs, BOOL fAuditACEs );
//
// These wrapper functions are needed as some fn's need to
// be loaded dynamically as they are not available on NT4
//
#define SET_SD_CONTROL_API "SetSecurityDescriptorControl"
//
// Helper that loads functions in advapi32.
//
PVOID LoadAdvapi32Function(CHAR *function){ //
// Since the strings critical section is only used in this file,
// be fine just re-using it here.
//
if (!g_fDllsLoaded) { EnterCriticalSection(&g_StringsCriticalSection); if (!g_fDllsLoaded) { g_hDllAdvapi32 = LoadLibrary(L"ADVAPI32.DLL"); //
// Even if this fails, there is nothing we can do.
//
g_fDllsLoaded = TRUE; } LeaveCriticalSection(&g_StringsCriticalSection); }
if (g_hDllAdvapi32) { return((PVOID*) GetProcAddress((HMODULE) g_hDllAdvapi32, function)); }
return NULL;}
typedef DWORD (*PF_SetSecurityDescriptorControl) ( IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest, IN SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet );
//
// Wrapper function for the same.
//
DWORD SetSecurityDescriptorControlWrapper( IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest, IN SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet ){ static PF_SetSecurityDescriptorControl pfSetSecDescControl = NULL; static BOOL f_LoadAttempted = FALSE;
//
// Load the fn and set the variables accordingly.
//
if (!f_LoadAttempted && pfSetSecDescControl == NULL) { pfSetSecDescControl = (PF_SetSecurityDescriptorControl) LoadAdvapi32Function(SET_SD_CONTROL_API); f_LoadAttempted = TRUE; }
if (pfSetSecDescControl != NULL) { return ((*pfSetSecDescControl)( pSecurityDescriptor, ControlBitsOfInterest, ControlBitsToSet ) ); } else { //
// This will call the routine in acledit.cxx.
// We should be in this codepath only in pre win2k
// machines.
//
return SetSecurityDescriptorControl( pSecurityDescriptor, ControlBitsOfInterest, ControlBitsToSet ); }
}
HRESULTConvertSecurityDescriptorToSecDes( LPWSTR pszServerName, CCredentials& Credentials, IADsSecurityDescriptor FAR * pSecDes, PSECURITY_DESCRIPTOR * ppSecurityDescriptor, PDWORD pdwSDLength, BOOL fNTDSType ){ HRESULT hr = S_OK;
SECURITY_DESCRIPTOR AbsoluteSD; PSECURITY_DESCRIPTOR pRelative = NULL; BOOL Defaulted = FALSE; BOOL DaclPresent = FALSE; BOOL SaclPresent = FALSE;
BOOL fDaclDefaulted = FALSE; BOOL fSaclDefaulted = FALSE; BOOL fOwnerDefaulted = FALSE; BOOL fGroupDefaulted = FALSE;
PSID pOwnerSid = NULL; PSID pGroupSid = NULL; PACL pDacl = NULL; PACL pSacl = NULL; DWORD dwSDLength = 0; BOOL dwStatus = 0;
DWORD dwControl = 0; DWORD dwRevision = 0;
hr = pSecDes->get_Revision((long *)&dwRevision); BAIL_ON_FAILURE(hr);
dwStatus = InitializeSecurityDescriptor ( &AbsoluteSD, dwRevision ); if (!dwStatus) { hr = HRESULT_FROM_WIN32(GetLastError()); BAIL_ON_FAILURE(hr); }
hr = pSecDes->get_Control((long *)&dwControl); BAIL_ON_FAILURE(hr);
dwStatus = SetSecurityDescriptorControlWrapper( &AbsoluteSD, SE_VALID_CONTROL_BITS, (SECURITY_DESCRIPTOR_CONTROL) (dwControl & SE_VALID_CONTROL_BITS) ); if (!dwStatus) { hr = HRESULT_FROM_WIN32(GetLastError()); BAIL_ON_FAILURE(hr); }
hr = GetOwnerSecurityIdentifier( pszServerName, Credentials, pSecDes, &pOwnerSid, &fOwnerDefaulted, fNTDSType ); BAIL_ON_FAILURE(hr);
dwStatus = SetSecurityDescriptorOwner( &AbsoluteSD, pOwnerSid, fOwnerDefaulted ); if (!dwStatus) { hr = HRESULT_FROM_WIN32(GetLastError()); BAIL_ON_FAILURE(hr); }
hr = GetGroupSecurityIdentifier( pszServerName, Credentials, pSecDes, &pGroupSid, &fGroupDefaulted, fNTDSType ); BAIL_ON_FAILURE(hr);
dwStatus = SetSecurityDescriptorGroup( &AbsoluteSD, pGroupSid, fGroupDefaulted );
if (!dwStatus) { hr = HRESULT_FROM_WIN32(GetLastError()); BAIL_ON_FAILURE(hr); }
hr = GetDacl( pszServerName, Credentials, pSecDes, &pDacl, &fDaclDefaulted, fNTDSType ); BAIL_ON_FAILURE(hr);
if (pDacl || fDaclDefaulted) { DaclPresent = TRUE; }
//
// This is a special case, basically the DACL is defaulted
// and pDacl is NULL. In order for this to work correctly,
// pDacl should be an empty ACL not null.
//
if (DaclPresent && !pDacl) { pDacl = (PACL) AllocADsMem(sizeof(ACL)); if (!pDacl) { BAIL_ON_FAILURE(hr = E_OUTOFMEMORY); }
dwStatus = InitializeAcl( pDacl, sizeof(ACL), ACL_REVISION // this revision will work for NT4 and Win2k
); if (!dwStatus) { hr = HRESULT_FROM_WIN32(GetLastError()); BAIL_ON_FAILURE(hr); } }
dwStatus = SetSecurityDescriptorDacl( &AbsoluteSD, DaclPresent, pDacl, fDaclDefaulted ); if (!dwStatus) { hr = HRESULT_FROM_WIN32(GetLastError()); BAIL_ON_FAILURE(hr); }
hr = GetSacl( pszServerName, Credentials, pSecDes, &pSacl, &fSaclDefaulted, fNTDSType ); BAIL_ON_FAILURE(hr);
if (pSacl || fSaclDefaulted) { SaclPresent = TRUE; }
dwStatus = SetSecurityDescriptorSacl( &AbsoluteSD, SaclPresent, pSacl, fSaclDefaulted );
if (!dwStatus) { hr = HRESULT_FROM_WIN32(GetLastError()); BAIL_ON_FAILURE(hr); }
dwSDLength = GetSecurityDescriptorLength( &AbsoluteSD );
pRelative = AllocADsMem(dwSDLength); if (!pRelative) { hr = E_OUTOFMEMORY; BAIL_ON_FAILURE(hr); }
if (!MakeSelfRelativeSD (&AbsoluteSD, pRelative, &dwSDLength)) { FreeADsMem(pRelative);
hr = HRESULT_FROM_WIN32(GetLastError()); BAIL_ON_FAILURE(hr); }
*ppSecurityDescriptor = pRelative; *pdwSDLength = dwSDLength;
cleanup:
if (pDacl) { FreeADsMem(pDacl); }
if (pSacl) { FreeADsMem(pSacl); }
if (pOwnerSid) { FreeADsMem(pOwnerSid); }
if (pGroupSid) { FreeADsMem(pGroupSid); }
RRETURN(hr);
error: if (pRelative) { FreeADsMem(pRelative); }
*ppSecurityDescriptor = NULL; *pdwSDLength = 0;
goto cleanup;
}
HRESULTGetOwnerSecurityIdentifier( LPWSTR pszServerName, CCredentials& Credentials, IADsSecurityDescriptor FAR * pSecDes, PSID * ppSid, PBOOL pfOwnerDefaulted, BOOL fNTDSType ){ BSTR bstrOwner = NULL; DWORD dwSidSize = 0; HRESULT hr = S_OK; VARIANT_BOOL varBool = VARIANT_FALSE;
hr = pSecDes->get_Owner( &bstrOwner ); BAIL_ON_FAILURE(hr);
hr = pSecDes->get_OwnerDefaulted( &varBool ); BAIL_ON_FAILURE(hr);
if (varBool == VARIANT_FALSE) {
if (bstrOwner && *bstrOwner) {
hr = ConvertTrusteeToSid( pszServerName, Credentials, bstrOwner, ppSid, &dwSidSize, fNTDSType ); BAIL_ON_FAILURE(hr); *pfOwnerDefaulted = FALSE; }else {
*ppSid = NULL; *pfOwnerDefaulted = FALSE; }
}else { *ppSid = NULL; dwSidSize = 0; *pfOwnerDefaulted = TRUE; }
error:
if (bstrOwner) { ADsFreeString(bstrOwner); }
RRETURN(hr);}
HRESULTGetGroupSecurityIdentifier( LPWSTR pszServerName, CCredentials& Credentials, IADsSecurityDescriptor FAR * pSecDes, PSID * ppSid, PBOOL pfGroupDefaulted, BOOL fNTDSType ){ BSTR bstrGroup = NULL; DWORD dwSidSize = 0; HRESULT hr = S_OK; VARIANT_BOOL varBool = VARIANT_FALSE;
hr = pSecDes->get_Group( &bstrGroup ); BAIL_ON_FAILURE(hr);
hr = pSecDes->get_GroupDefaulted( &varBool ); BAIL_ON_FAILURE(hr);
if (varBool == VARIANT_FALSE) {
if (bstrGroup && *bstrGroup) {
hr = ConvertTrusteeToSid( pszServerName, Credentials, bstrGroup, ppSid, &dwSidSize, fNTDSType ); BAIL_ON_FAILURE(hr); *pfGroupDefaulted = FALSE; }else { *ppSid = NULL; *pfGroupDefaulted = FALSE; }
}else { *ppSid = NULL; dwSidSize = 0; *pfGroupDefaulted = TRUE; }
error:
if (bstrGroup) { ADsFreeString(bstrGroup); }
RRETURN(hr);
}
HRESULTGetDacl( LPWSTR pszServerName, CCredentials& Credentials, IADsSecurityDescriptor FAR * pSecDes, PACL * ppDacl, PBOOL pfDaclDefaulted, BOOL fNTDSType ){ IADsAccessControlList FAR * pDiscAcl = NULL; IDispatch FAR * pDispatch = NULL; HRESULT hr = S_OK; VARIANT_BOOL varBool = VARIANT_FALSE;
hr = pSecDes->get_DaclDefaulted( &varBool ); BAIL_ON_FAILURE(hr);
if (varBool == VARIANT_FALSE) { *pfDaclDefaulted = FALSE; }else { *pfDaclDefaulted = TRUE; }
hr = pSecDes->get_DiscretionaryAcl( &pDispatch ); BAIL_ON_FAILURE(hr);
if (!pDispatch) { *ppDacl = NULL; goto error; }
hr = pDispatch->QueryInterface( IID_IADsAccessControlList, (void **)&pDiscAcl ); BAIL_ON_FAILURE(hr);
hr = ConvertAccessControlListToAcl( pszServerName, Credentials, pDiscAcl, ppDacl, fNTDSType ); BAIL_ON_FAILURE(hr);
error:
if (pDispatch) { pDispatch->Release(); }
if (pDiscAcl) { pDiscAcl->Release(); }
RRETURN(hr);}
HRESULTGetSacl( LPWSTR pszServerName, CCredentials& Credentials, IADsSecurityDescriptor FAR * pSecDes, PACL * ppSacl, PBOOL pfSaclDefaulted, BOOL fNTDSType ){ IADsAccessControlList FAR * pSystemAcl = NULL; IDispatch FAR * pDispatch = NULL; HRESULT hr = S_OK; VARIANT_BOOL varBool = VARIANT_FALSE;
hr = pSecDes->get_SaclDefaulted( &varBool ); BAIL_ON_FAILURE(hr);
if (varBool == VARIANT_FALSE) { *pfSaclDefaulted = FALSE; }else { *pfSaclDefaulted = TRUE; }
hr = pSecDes->get_SystemAcl( &pDispatch ); BAIL_ON_FAILURE(hr);
if (!pDispatch) { *ppSacl = NULL; goto error; }
hr = pDispatch->QueryInterface( IID_IADsAccessControlList, (void **)&pSystemAcl ); BAIL_ON_FAILURE(hr);
hr = ConvertAccessControlListToAcl( pszServerName, Credentials, pSystemAcl, ppSacl, fNTDSType ); BAIL_ON_FAILURE(hr);
error:
if (pDispatch) { pDispatch->Release(); }
if (pSystemAcl) { pSystemAcl->Release(); }
RRETURN(hr);}
HRESULTConvertAccessControlListToAcl( LPWSTR pszServerName, CCredentials& Credentials, IADsAccessControlList FAR * pAccessList, PACL * ppAcl, BOOL fNTDSType ){ IUnknown * pUnknown = NULL; IEnumVARIANT * pEnumerator = NULL; HRESULT hr = S_OK; DWORD i = 0; DWORD iAclPosition = 0; DWORD cReturned = 0; VARIANT varAce;
DWORD dwAceCount = 0;
IADsAccessControlEntry FAR * pAccessControlEntry = NULL;
LPBYTE pTempAce = NULL; DWORD dwCount = 0;
PACL pAcl = NULL; DWORD dwAclSize = 0; PACE_HEADER * ppAceHdr = NULL;
DWORD dwRet = 0; DWORD dwAclRevision = 0; DWORD dwError = 0;
//
// Defines the canonical ordering of the ACEs.
//
struct AceOrderElement { BOOL fInheritedACEs; BOOL fDenyACEs; BOOL fDenyObjectACEs; BOOL fGrantACEs; BOOL fGrantObjectACEs; BOOL fAuditACEs; } AceOrderSequence [] = { {FALSE, FALSE, FALSE, FALSE, FALSE, TRUE}, {FALSE, TRUE, FALSE, FALSE, FALSE, FALSE}, {FALSE, FALSE, TRUE, FALSE, FALSE, FALSE}, {FALSE, FALSE, FALSE, TRUE, FALSE, FALSE}, {FALSE, FALSE, FALSE, FALSE, TRUE, FALSE},
{TRUE, FALSE, FALSE, FALSE, FALSE, TRUE}, {TRUE, TRUE, FALSE, FALSE, FALSE, FALSE}, {TRUE, FALSE, TRUE, FALSE, FALSE, FALSE}, {TRUE, FALSE, FALSE, TRUE, FALSE, FALSE}, {TRUE, FALSE, FALSE, FALSE, TRUE, FALSE} };
DWORD dwAceOrderSequenceLen = sizeof(AceOrderSequence) / sizeof (AceOrderElement);
hr = pAccessList->get_AceCount((long *)&dwAceCount); BAIL_ON_FAILURE(hr);
hr = pAccessList->get__NewEnum( &pUnknown ); BAIL_ON_FAILURE(hr);
hr = pUnknown->QueryInterface( IID_IEnumVARIANT, (void FAR * FAR *)&pEnumerator ); BAIL_ON_FAILURE(hr);
ppAceHdr = (PACE_HEADER *)AllocADsMem(sizeof(PACE_HEADER)*dwAceCount); if (!ppAceHdr) { hr = E_OUTOFMEMORY; BAIL_ON_FAILURE(hr); }
for (i = 0; i < dwAceCount; i++) {
VariantInit(&varAce);
hr = pEnumerator->Next( 1, &varAce, &cReturned );
//
// Need to BAIL here as we could not convert an ACL.
//
BAIL_ON_FAILURE(hr);
hr = (V_DISPATCH(&varAce))->QueryInterface( IID_IADsAccessControlEntry, (void **)&pAccessControlEntry ); BAIL_ON_FAILURE(hr);
hr = ConvertAccessControlEntryToAce( pszServerName, Credentials, pAccessControlEntry, &(pTempAce), fNTDSType ); BAIL_ON_FAILURE(hr);
*(ppAceHdr + dwCount) = (PACE_HEADER)pTempAce;
VariantClear(&varAce); if (pAccessControlEntry) { pAccessControlEntry->Release(); pAccessControlEntry = NULL; }
dwCount++; }
hr = ComputeTotalAclSize(ppAceHdr, dwCount, &dwAclSize); BAIL_ON_FAILURE(hr);
pAcl = (PACL)AllocADsMem(dwAclSize); if (!pAcl) { hr = E_OUTOFMEMORY; BAIL_ON_FAILURE(hr); }
hr = pAccessList->get_AclRevision((long *)&dwAclRevision); BAIL_ON_FAILURE(hr);
dwRet = InitializeAcl( pAcl, dwAclSize, dwAclRevision ); if (!dwRet) { hr = HRESULT_FROM_WIN32(GetLastError()); BAIL_ON_FAILURE(hr); }
//
// Add the ACEs in canonical ordering:
// All Explitic Audit
// All Explicit Deny
// All Explicit Object Deny
// All Explicit Allow
// All Explicit Object Allow
//
// All Inherited Audit
// All Inherited Deny
// All Inherited Object Deny
// All Inherited Allow
// All Inherited Object Allow
//
for (i=0; i < dwAceOrderSequenceLen; i++) {
hr = AddFilteredACEs( pAcl, dwAclRevision, ppAceHdr, dwCount, &iAclPosition, AceOrderSequence[i].fInheritedACEs, AceOrderSequence[i].fDenyACEs, AceOrderSequence[i].fDenyObjectACEs, AceOrderSequence[i].fGrantACEs, AceOrderSequence[i].fGrantObjectACEs, AceOrderSequence[i].fAuditACEs ); BAIL_ON_FAILURE(hr); }
*ppAcl = pAcl;
error:
if (ppAceHdr) { for (i = 0; i < dwCount; i++) { if (*(ppAceHdr + i)) {
FreeADsMem(*(ppAceHdr + i)); } }
FreeADsMem(ppAceHdr); }
if (pUnknown) { pUnknown->Release(); }
if (pEnumerator) { pEnumerator->Release(); }
RRETURN(hr);}
/*
* AddFilteredACEs * * Adds ACEs from ppAceHdr (of size dwCountACEs) to the ACL pAcl * (of revision dwAclRevision), starting at position *pdwAclPosition in * the ACL, based on the filter settings fInheritedACEs, fDenyACEs, * fGrantACEs, fDenyObjectACEs, fGrantObjectACEs, and fAuditACEs. * * On return, *pdwAclPosition is the position to continue adding * ACEs at. * */HRESULTAddFilteredACEs( PACL pAcl, // the ACL to add the ACEs to
DWORD dwAclRevision, // the revision of the ACL
PACE_HEADER *ppAceHdr, // the ACEs to add
DWORD dwCountACEs, // number of ACEs in ppAceHdr
DWORD *pdwAclPosition, // starting(in)/ending(out) position
BOOL fInheritedACEs, // include explicit or inherited ACEs?
BOOL fDenyACEs, // include access-deny ACEs?
BOOL fDenyObjectACEs, // include access-deny-object ACEs?
BOOL fGrantACEs, // include access-grant ACEs?
BOOL fGrantObjectACEs, // include access-grant-object ACEs?
BOOL fAuditACEs // include audit ACEs?
){ HRESULT hr = S_OK; DWORD dwStatus;
DWORD i; DWORD iAclPosition = *pdwAclPosition; BOOL fAddIt;
BOOL fIsAceInherited;
for (i = 0; i < dwCountACEs; i++) {
//
// Filter based on whether we're adding explicit or inherited ACEs
//
fIsAceInherited = (((*(ppAceHdr + i))->AceFlags) & INHERITED_ACE) ? TRUE : FALSE;
if ( fIsAceInherited == fInheritedACEs) {
fAddIt = FALSE;
//
// Filter based on ACE type
//
switch ((*(ppAceHdr + i))->AceType) { case ACCESS_ALLOWED_ACE_TYPE: if (fGrantACEs) { fAddIt = TRUE; } break;
case ACCESS_ALLOWED_OBJECT_ACE_TYPE: if (fGrantObjectACEs) { fAddIt = TRUE; } break;
case ACCESS_DENIED_ACE_TYPE: if (fDenyACEs) { fAddIt = TRUE; } break; case ACCESS_DENIED_OBJECT_ACE_TYPE: if (fDenyObjectACEs) { fAddIt = TRUE; } break; case SYSTEM_AUDIT_ACE_TYPE: case SYSTEM_AUDIT_OBJECT_ACE_TYPE: if (fAuditACEs) { fAddIt = TRUE; } break;
default: BAIL_ON_FAILURE(hr = E_INVALIDARG); break; }
//
// If the ACE met the criteria, add it to the ACL
//
if (fAddIt) { dwStatus = AddAce( pAcl, dwAclRevision, iAclPosition++, (LPBYTE)*(ppAceHdr + i), (*(ppAceHdr + i))->AceSize ); if (!dwStatus) {
BAIL_ON_FAILURE(hr = HRESULT_FROM_WIN32(GetLastError())); } } } }
error:
*pdwAclPosition = iAclPosition; RRETURN(hr);}
HRESULTConvertAccessControlEntryToAce( LPWSTR pszServerName, CCredentials& Credentials, IADsAccessControlEntry * pAccessControlEntry, LPBYTE * ppAce, BOOL fNTDSType ){
DWORD dwAceType = 0; HRESULT hr = S_OK; BSTR bstrTrustee = NULL; PSID pSid = NULL; DWORD dwSidSize = 0;
DWORD dwAceFlags = 0; DWORD dwAccessMask = 0; DWORD dwAceSize = 0; LPBYTE pAce = NULL; PACCESS_MASK pAccessMask = NULL; PSID pSidAddress = NULL;
PUSHORT pCompoundAceType = NULL; DWORD dwCompoundAceType = 0;
PACE_HEADER pAceHeader = NULL;
LPBYTE pOffset = NULL;
BSTR bstrObjectTypeClsid = NULL; BSTR bstrInheritedObjectTypeClsid = NULL;
GUID ObjectTypeGUID; GUID InheritedObjectTypeGUID; PULONG pFlags; DWORD dwFlags = 0; BOOL fLookupTrustee = TRUE; BOOL fSidValid = FALSE; IADsAcePrivate *pPrivAce = NULL;
hr = pAccessControlEntry->get_AceType((LONG *)&dwAceType); BAIL_ON_FAILURE(hr);
hr = pAccessControlEntry->get_Trustee(&bstrTrustee); BAIL_ON_FAILURE(hr);
//
// We need to see if we can use a cached SID here.
//
hr = pAccessControlEntry->QueryInterface( IID_IADsAcePrivate, (void **)&pPrivAce ); if (SUCCEEDED(hr)) { //
// See if the SID is valid and if so try and retrieve it.
//
hr = pPrivAce->isSidValid(&fSidValid); if (SUCCEEDED(hr) && fSidValid) { hr = pPrivAce->getSid( &pSid, &dwSidSize );
if (SUCCEEDED(hr)) { fLookupTrustee = FALSE; } }
}
if (fLookupTrustee) {
hr = ConvertTrusteeToSid( pszServerName, Credentials, bstrTrustee, &pSid, &dwSidSize, fNTDSType ); }
BAIL_ON_FAILURE(hr);
hr = pAccessControlEntry->get_AceFlags((long *)&dwAceFlags); BAIL_ON_FAILURE(hr);
hr = pAccessControlEntry->get_AccessMask((long *)&dwAccessMask); BAIL_ON_FAILURE(hr);
//
// we will compensateby adding the entire ACE size
//
dwAceSize = dwSidSize - sizeof(ULONG);
switch (dwAceType) {
case ACCESS_ALLOWED_ACE_TYPE: dwAceSize += sizeof(ACCESS_ALLOWED_ACE); pAce = (LPBYTE)AllocADsMem(dwAceSize); if (!pAce) { hr = E_OUTOFMEMORY; BAIL_ON_FAILURE(hr); } pAceHeader = (PACE_HEADER)pAce; pAceHeader->AceType = (UCHAR)dwAceType; pAceHeader->AceFlags = (UCHAR)dwAceFlags; pAceHeader->AceSize = (USHORT)dwAceSize;
pAccessMask = (PACCESS_MASK)((LPBYTE)pAceHeader + sizeof(ACE_HEADER));
*pAccessMask = (ACCESS_MASK)dwAccessMask;
pSidAddress = (PSID)((LPBYTE)pAccessMask + sizeof(ACCESS_MASK)); memcpy(pSidAddress, pSid, dwSidSize); break;
case ACCESS_DENIED_ACE_TYPE: dwAceSize += sizeof(ACCESS_ALLOWED_ACE); pAce = (LPBYTE)AllocADsMem(dwAceSize); if (!pAce) { hr = E_OUTOFMEMORY; BAIL_ON_FAILURE(hr); } pAceHeader = (PACE_HEADER)pAce; pAceHeader->AceType = (UCHAR)dwAceType; pAceHeader->AceFlags = (UCHAR)dwAceFlags; pAceHeader->AceSize = (USHORT)dwAceSize;
pAccessMask = (PACCESS_MASK)((LPBYTE)pAceHeader + sizeof(ACE_HEADER));
*pAccessMask = (ACCESS_MASK)dwAccessMask;
pSidAddress = (PSID)((LPBYTE)pAccessMask + sizeof(ACCESS_MASK)); memcpy(pSidAddress, pSid, dwSidSize); break;
case SYSTEM_AUDIT_ACE_TYPE: dwAceSize += sizeof(ACCESS_ALLOWED_ACE); pAce = (LPBYTE)AllocADsMem(dwAceSize); if (!pAce) { hr = E_OUTOFMEMORY; BAIL_ON_FAILURE(hr); } pAceHeader = (PACE_HEADER)pAce; pAceHeader->AceType = (UCHAR)dwAceType; pAceHeader->AceFlags = (UCHAR)dwAceFlags; pAceHeader->AceSize = (USHORT)dwAceSize;
pAccessMask = (PACCESS_MASK)((LPBYTE)pAceHeader + sizeof(ACE_HEADER));
*pAccessMask = (ACCESS_MASK)dwAccessMask;
pSidAddress = (PSID)((LPBYTE)pAccessMask + sizeof(ACCESS_MASK)); memcpy(pSidAddress, pSid, dwSidSize); break;
case SYSTEM_ALARM_ACE_TYPE: dwAceSize += sizeof(ACCESS_ALLOWED_ACE); pAce = (LPBYTE)AllocADsMem(dwAceSize); if (!pAce) { hr = E_OUTOFMEMORY; BAIL_ON_FAILURE(hr); } pAceHeader = (PACE_HEADER)pAce; pAceHeader->AceType = (UCHAR)dwAceType; pAceHeader->AceFlags = (UCHAR)dwAceFlags; pAceHeader->AceSize = (USHORT)dwAceSize;
pAccessMask = (PACCESS_MASK)((LPBYTE)pAceHeader + sizeof(ACE_HEADER));
*pAccessMask = (ACCESS_MASK)dwAccessMask;
pSidAddress = (PSID)((LPBYTE)pAccessMask + sizeof(ACCESS_MASK)); memcpy(pSidAddress, pSid, dwSidSize); break;
case ACCESS_ALLOWED_COMPOUND_ACE_TYPE: dwAceSize += sizeof(COMPOUND_ACCESS_ALLOWED_ACE); pAce = (LPBYTE)AllocADsMem(dwAceSize); if (!pAce) { hr = E_OUTOFMEMORY; BAIL_ON_FAILURE(hr); } pAceHeader = (PACE_HEADER)pAce; pAceHeader->AceType = (UCHAR)dwAceType; pAceHeader->AceFlags = (UCHAR)dwAceFlags; pAceHeader->AceSize = (USHORT)dwAceSize;
pAccessMask = (PACCESS_MASK)((LPBYTE)pAceHeader + sizeof(ACE_HEADER));
*pAccessMask = (ACCESS_MASK)dwAccessMask;
pCompoundAceType = (PUSHORT)(pAccessMask + sizeof(ACCESS_MASK)); *pCompoundAceType = (USHORT)dwCompoundAceType;
//
// Fill in the reserved field here.
//
pSidAddress = (PSID)((LPBYTE)pCompoundAceType + sizeof(DWORD)); memcpy(pSidAddress, pSid, dwSidSize); break;
case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
case ACCESS_DENIED_OBJECT_ACE_TYPE:
case SYSTEM_AUDIT_OBJECT_ACE_TYPE:
case SYSTEM_ALARM_OBJECT_ACE_TYPE:
hr = pAccessControlEntry->get_AceFlags((LONG *)&dwAceFlags); BAIL_ON_FAILURE(hr);
hr = pAccessControlEntry->get_Flags((LONG *)&dwFlags); BAIL_ON_FAILURE(hr);
if (dwFlags & ACE_OBJECT_TYPE_PRESENT) { dwAceSize += sizeof(GUID); }
if (dwFlags & ACE_INHERITED_OBJECT_TYPE_PRESENT) { dwAceSize += sizeof(GUID); }
hr = pAccessControlEntry->get_ObjectType(&bstrObjectTypeClsid); BAIL_ON_FAILURE(hr);
hr = CLSIDFromString(bstrObjectTypeClsid, &ObjectTypeGUID); BAIL_ON_FAILURE(hr);
hr = pAccessControlEntry->get_InheritedObjectType(&bstrInheritedObjectTypeClsid); BAIL_ON_FAILURE(hr);
hr = CLSIDFromString(bstrInheritedObjectTypeClsid, &InheritedObjectTypeGUID); BAIL_ON_FAILURE(hr);
dwAceSize += sizeof(ACCESS_ALLOWED_OBJECT_ACE); pAce = (LPBYTE)AllocADsMem(dwAceSize); if (!pAce) { hr = E_OUTOFMEMORY; BAIL_ON_FAILURE(hr); }
pAceHeader = (PACE_HEADER)pAce; pAceHeader->AceType = (UCHAR)dwAceType; pAceHeader->AceFlags = (UCHAR)dwAceFlags; pAceHeader->AceSize = (USHORT)dwAceSize;
pAccessMask = (PACCESS_MASK)((LPBYTE)pAceHeader + sizeof(ACE_HEADER));
*pAccessMask = (ACCESS_MASK)dwAccessMask;
//
// Fill in Flags
//
pOffset = (LPBYTE)((LPBYTE)pAceHeader + sizeof(ACE_HEADER) + sizeof(ACCESS_MASK));
pFlags = (PULONG)(pOffset);
*pFlags = dwFlags;
pOffset += sizeof(ULONG);
if (dwFlags & ACE_OBJECT_TYPE_PRESENT) {
memcpy(pOffset, &ObjectTypeGUID, sizeof(GUID));
pOffset += sizeof(GUID);
}
if (dwFlags & ACE_INHERITED_OBJECT_TYPE_PRESENT) {
memcpy(pOffset, &InheritedObjectTypeGUID, sizeof(GUID));
pOffset += sizeof(GUID); }
pSidAddress = (PSID)((LPBYTE)pOffset); memcpy(pSidAddress, pSid, dwSidSize); break;
default: hr = HRESULT_FROM_WIN32(ERROR_INVALID_ACL); BAIL_ON_FAILURE(hr); break;
}
*ppAce = pAce;
error:
if (bstrTrustee) { ADsFreeString(bstrTrustee); }
if (pSid) { FreeADsMem(pSid); }
if (bstrObjectTypeClsid) { SysFreeString(bstrObjectTypeClsid); }
if (bstrInheritedObjectTypeClsid) { SysFreeString(bstrInheritedObjectTypeClsid); }
if (pPrivAce) { pPrivAce->Release(); }
RRETURN(hr);}
HRESULTComputeTotalAclSize( PACE_HEADER * ppAceHdr, DWORD dwAceCount, PDWORD pdwAclSize ){ DWORD i = 0; PACE_HEADER pAceHdr = NULL; DWORD dwAceSize = 0; DWORD dwAclSize = 0;
for (i = 0; i < dwAceCount; i++) {
pAceHdr = *(ppAceHdr + i); dwAceSize = pAceHdr->AceSize; dwAclSize += dwAceSize; }
dwAclSize += sizeof(ACL);
*pdwAclSize = dwAclSize;
RRETURN(S_OK);
}
HRESULTParseAccountName(LPWSTR szFullAccountName, LPWSTR *pszUserDomainName, LPWSTR *pszUserAccountName){ HRESULT hr = S_OK; DWORD dwDomain = 0; BOOLEAN bFound = FALSE; LPWSTR szUserDomainName = NULL; LPWSTR szUserAccountName = NULL; LPWSTR szCount = szFullAccountName;
if (!szFullAccountName) { hr = E_FAIL; BAIL_ON_FAILURE(hr); }
while (*szCount) { if (*szCount == '\\') { bFound = TRUE; break; } dwDomain++; szCount++; }
if (bFound) { DWORD dwRest = 0; szUserDomainName = (LPWSTR)AllocADsMem(sizeof(WCHAR) * (dwDomain+1)); if (!szUserDomainName) { hr = E_OUTOFMEMORY; BAIL_ON_FAILURE(hr); } wcsncpy(szUserDomainName, szFullAccountName, dwDomain); wcscat(szUserDomainName, L"\0");
szUserAccountName = AllocADsStr(szCount+1); if (!szUserAccountName) { hr = E_OUTOFMEMORY; BAIL_ON_FAILURE(hr); } } else { szUserAccountName = AllocADsStr(szFullAccountName); if (!szUserAccountName) { hr = E_OUTOFMEMORY; BAIL_ON_FAILURE(hr); } szUserDomainName = NULL; } *pszUserAccountName = szUserAccountName; *pszUserDomainName = szUserDomainName; return hr;
error: if (szUserAccountName) { FreeADsMem(szUserAccountName); } if (szUserDomainName) { FreeADsMem(szUserDomainName); } return hr;}
HRESULTConvertTrusteeToSid( LPWSTR pszServerName, CCredentials& Credentials, BSTR bstrTrustee, PSID * ppSid, PDWORD pdwSidSize, BOOL fNTDSType ){ HRESULT hr = S_OK; BYTE Sid[MAX_PATH]; DWORD dwSidSize = sizeof(Sid); DWORD dwRet = 0; DWORD dwErr = 0; WCHAR szDomainName[MAX_PATH]; DWORD dwDomainSize = sizeof(szDomainName)/sizeof(WCHAR); SID_NAME_USE eUse;
PSID pSid = NULL; LPWSTR pszEnd = NULL;
LPWSTR szUserDomainName = NULL; LPWSTR szUserAccountName = NULL; LPWSTR szAccountName = NULL; BOOL fForceVerify = FALSE;
//
// Load the strings into table if necessary
//
if (!g_fStringsLoaded) {
EnterCriticalSection(&g_StringsCriticalSection);
//
// Verify flag again.
//
if (!g_fStringsLoaded) {
dwRet = LoadStringW( g_hInst, ADS_BUILTIN, g_szBuiltin, sizeof( g_szBuiltin ) / sizeof( WCHAR ) );
if (!dwRet) { //
// Default to English values.
//
wcscpy(g_szBuiltin, L"BUILTIN"); }
dwRet = LoadStringW( g_hInst, ADS_NT_AUTHORITY, g_szNT_Authority, sizeof( g_szNT_Authority ) / sizeof( WCHAR ) );
if (!dwRet) { //
// Default to English values.
//
wcscpy(g_szNT_Authority, L"NT AUTHORITY"); }
dwRet = LoadStringW( g_hInst, ADS_ACCOUNT_OPERATORS, g_szAccountOperators, sizeof( g_szAccountOperators ) / sizeof( WCHAR ) );
if (!dwRet) { //
// Default to English values.
//
wcscpy(g_szAccountOperators, L"Account Operators"); }
dwRet = LoadStringW( g_hInst, ADS_PRINT_OPERATORS, g_szPrintOperators, sizeof( g_szPrintOperators ) / sizeof( WCHAR ) );
if (!dwRet) { //
// Default to English values.
//
wcscpy(g_szPrintOperators, L"Print Operators"); }
dwRet = LoadStringW( g_hInst, ADS_BACKUP_OPERATORS, g_szBackupOperators, sizeof( g_szBackupOperators ) / sizeof( WCHAR ) );
if (!dwRet) { //
// Default to English values.
//
wcscpy(g_szBackupOperators, L"Backup Operators"); }
dwRet = LoadStringW( g_hInst, ADS_SERVER_OPERATORS, g_szServerOperators, sizeof( g_szServerOperators ) / sizeof( WCHAR ) );
if (!dwRet) { //
// Default to English values.
//
wcscpy(g_szServerOperators, L"Server Operators"); }
dwRet = LoadStringW( g_hInst, ADS_PRE_WIN2000, g_szPreWindows2000, sizeof( g_szPreWindows2000 ) / sizeof( WCHAR ) );
if (!dwRet) { //
// Default to English values.
//
wcscpy( g_szPreWindows2000, L"Pre-Windows 2000 Compatible Access" ); }
}
g_fStringsLoaded = TRUE;
LeaveCriticalSection(&g_StringsCriticalSection);
}
//
//
// parse Trustee and determine whether its NTDS or U2
//
if (fNTDSType) { WCHAR szDomainName[MAX_PATH]; WCHAR szServerName[MAX_PATH]; LPWSTR szLookupServer = NULL; BOOL fSpecialLookup = FALSE; BOOL fLookupOnServer = FALSE; DWORD dwTmpSidLen = 0;
dwSidSize = sizeof(Sid); szAccountName = bstrTrustee;
hr = ParseAccountName(bstrTrustee, &szUserDomainName, &szUserAccountName); BAIL_ON_FAILURE(hr);
//
// Need to look these up on the server only.
//
if (szUserAccountName && ((_wcsicmp(szUserAccountName, g_szAccountOperators) == 0) || (_wcsicmp(szUserAccountName, g_szPrintOperators) == 0) || (_wcsicmp(szUserAccountName, g_szBackupOperators) == 0) || (_wcsicmp(szUserAccountName, g_szServerOperators) == 0) || (_wcsicmp(szUserAccountName, g_szPreWindows2000) == 0) ) ) { if (szUserDomainName && (_wcsicmp(szUserDomainName, g_szBuiltin)) == 0) { fSpecialLookup = TRUE; } else { fSpecialLookup = FALSE; } } // special users
if (fSpecialLookup || (szUserDomainName && (_wcsicmp(szUserDomainName, g_szBuiltin) != 0) && (_wcsicmp(szUserDomainName, g_szNT_Authority) != 0)) ) {
//
// We will come back here and do a force retry
// if the server is down.
//
retryForce: //
// Force hr to S_OK. This will be needed especially
// when we jump to the retryForce label.
//
hr = S_OK;
//
// Set Lookup on server to true so that later
// on we do not do the lookup on the server again.
// In some cases just like we fall back to local machine,
// we need to look at the server if the local machine fails.
// this will be the case for mixed locale domains.
//
DWORD dwStatus = GetDomainDNSNameForDomain( fSpecialLookup ? NULL : szUserDomainName, fForceVerify, // forceVerify
FALSE, szServerName, szDomainName );
fLookupOnServer = TRUE;
if (dwStatus) { szLookupServer = NULL; } else { szLookupServer = szServerName; } szAccountName = szUserAccountName; }
dwRet = LookupAccountName( szLookupServer, bstrTrustee, Sid, &dwSidSize, szDomainName, &dwDomainSize, (PSID_NAME_USE)&eUse ); if (!dwRet) { hr = HRESULT_FROM_WIN32(GetLastError()); } else { //
// Update the length of the SID.
//
//
// Call needed on NT4 where GetLenghtSid does not
// reset the error correctly leading to false errors.
//
SetLastError(NO_ERROR); dwTmpSidLen = GetLengthSid(Sid); if ((dwRet = GetLastError()) == NO_ERROR) { //
// Got the correct length so update dwSidSize
//
dwSidSize = dwTmpSidLen; } }
if (FAILED(hr) && hr != HRESULT_FROM_WIN32(RPC_S_SERVER_UNAVAILABLE)) {
//
// This code path should not be hit often but it can
// happen on multi locale domains. The server when might
// have returned say Builtin instead of german for the same.
// If the client is german we will be looking for germanbuiltin
// and that wont work. The lookup will fail locally but
// will succeed on the server. This is especially true for
// Builtin\Print Operators as that can only be resolved on the DC.
//
if (pszServerName) { //
// Before we do a dsgetdc, we should try with
// the serverName passed in.
//
hr = S_OK; dwRet = LookupAccountName( pszServerName, bstrTrustee, Sid, &dwSidSize, szDomainName, &dwDomainSize, (PSID_NAME_USE)&eUse ); if (!dwRet) { hr = HRESULT_FROM_WIN32(GetLastError()); //
// force server name to NULL so we wont
// try this again.
//
pszServerName = NULL; } else { //
// Update the length of the SID.
//
//
// Call needed on NT4 where GetLenghtSid does not
// reset the error correctly leading to false errors.
//
SetLastError(NO_ERROR); dwTmpSidLen = GetLengthSid(Sid); if ((dwRet = GetLastError()) == NO_ERROR) { //
// Got the correct length so update dwSidSize
//
dwSidSize = dwTmpSidLen; } } }
if (FAILED(hr)) { //
// We could be here if either pszServerName was always
// NULL or if the call to the server failed.
// The only thing we can do is to retry if we know
// that the szLookupServer was NULL (that is local machine)
// or if szLookupServer was something other than the default
// server for the machine (that is we called DsGetDC with
// the name of a domain rather than NULL).
// In all other cases we should not retry and just return
// the error.
//
if (fSpecialLookup) { //
// We should not retry in this case as we will not
// get anything useful. Setting fLookupOnServer
// to true will force this (if you look above this
// is not really needed but it helps clear things)
//
fLookupOnServer = TRUE; } else { //
// This was not a special lookup, so we
// need to retry irrespective of what
// szLookupServer was.
//
fLookupOnServer = FALSE; szLookupServer = NULL; }
}
//
// This will do the correct thing even if the above
// LookUpCall failed. If not we should go down this
// as we can get stuck in an infinite loop.
//
if (FAILED(hr) && !pszServerName && !szLookupServer && !fLookupOnServer ) { //
// In this case we want to try and call
// DsGetDCName and hopefully we will get the right
// DC. fSpecialLookup will be true so that we go to
// the default DC for the machine/user.
//
fSpecialLookup = TRUE; goto retryForce; } }
//
// If failure was due to an expected error then retry
//
if (FAILED(hr) && hr == HRESULT_FROM_WIN32(RPC_S_SERVER_UNAVAILABLE) ) { if (!fForceVerify) { fForceVerify = TRUE; goto retryForce; } }
}else {
//
// We know that LookupAccountName failed,
// so now try the U2 DS
//
dwSidSize = 0;
hr = ConvertU2TrusteeToSid( pszServerName, Credentials, bstrTrustee, Sid, &dwSidSize ); }
//
// If neither the NTDS nor the U2 conversion
// worked, then try a textual translation
//
if (FAILED(hr)) {
hr = ConvertStringToSid( bstrTrustee, &pSid, &dwSidSize, &pszEnd ); BAIL_ON_FAILURE(hr);
memcpy(Sid,pSid, dwSidSize);
if (pSid) { FreeADsMem(pSid); }
}
//
// On NT4 for some reason GetLengthSID does not set lasterror to 0
//
SetLastError(NO_ERROR);
dwSidSize = GetLengthSid((PSID) Sid);
dwErr = GetLastError();
//
// This is an extra check to make sure that we have the
// correct length.
//
if (dwErr != NO_ERROR) { hr = HRESULT_FROM_WIN32(dwErr); }
BAIL_ON_FAILURE(hr); ; pSid = AllocADsMem(dwSidSize); if (!pSid) { hr = E_OUTOFMEMORY; BAIL_ON_FAILURE(hr); }
memcpy(pSid, Sid, dwSidSize);
*pdwSidSize = dwSidSize;
*ppSid = pSid;
error:
if (szUserDomainName) { FreeADsStr(szUserDomainName); }; if (szUserAccountName) { FreeADsStr(szUserAccountName); }
RRETURN(hr);}
/*
+--------------------------------------------------------------------------------+
NAME: get_sid_out_of_string
FUNCTION: Convert a string representation of a SID back into a sid. The expected format of the string is: L"S-1-5-32-549"
If a string in a different format or an incorrect or incomplete string is given, the operation is failed.
The returned sid must be free via a call to SEC_FREE.
Arguments:
string - The wide string to be converted
sid - Where the created SID is to be returned
end - Where in the string we stopped processing
RETURN:
NTSTATUS error codes or success.
+--------------------------------------------------------------------------------+*/HRESULTConvertStringToSid( IN PWSTR string, OUT PSID *sid, OUT PDWORD pdwSidSize, OUT PWSTR *end ){ HRESULT hr = S_OK; UCHAR revision; UCHAR sub_authority_count; SID_IDENTIFIER_AUTHORITY authority; ULONG sub_authority[SID_MAX_SUB_AUTHORITIES]; PWSTR end_list; PWSTR current; PWSTR next; ULONG x;
*sid = NULL;
if (((*string != L'S') && (*string != L's')) || (*(string + 1) != L'-')) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_SID); BAIL_ON_FAILURE(hr); }
current = string + 2;
revision = (UCHAR)wcstol(current, &end_list, 10);
current = end_list + 1;
//
// Count the number of characters in the indentifer authority...
//
next = wcschr(current, L'-'); if (!next) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_SID); BAIL_ON_FAILURE(hr); }
if(next - current == 6) { for(x = 0; x < 6; x++) { authority.Value[x] = (UCHAR)next[x]; }
current +=6; } else { ULONG Auto = wcstoul(current, &end_list, 10); authority.Value[0] = authority.Value[1] = 0; authority.Value[5] = (UCHAR)Auto & 0xF; authority.Value[4] = (UCHAR)((Auto >> 8) & 0xFF); authority.Value[3] = (UCHAR)((Auto >> 16) & 0xFF); authority.Value[2] = (UCHAR)((Auto >> 24) & 0xFF); current = end_list; }
//
// Now, count the number of sub auths
//
sub_authority_count = 0; next = current;
//
// We'll have to count our sub authoritys one character at a time,
// since there are several deliminators that we can have...
//
while(next) { next++;
if(*next == L'-') { //
// We've found one!
//
sub_authority_count++; } else if(*next == L';' || *next == L'\0') { *end = next; sub_authority_count++; break; } }
if(sub_authority_count != 0) { current++;
for(x = 0; x < sub_authority_count; x++) { sub_authority[x] = wcstoul(current, &end_list, 10); current = end_list + 1; } }
//
// Now, create the SID
//
hr = SecCreateSidFromArray( sid, &authority, sub_authority_count, sub_authority, pdwSidSize );
if (SUCCEEDED(hr)) { /* Set the revision to what was specified in the string, in case, our
system creates one with newer revision */
((SID *)(*sid))->Revision = revision; }
error:
RRETURN(hr);}
HRESULTSecCreateSidFromArray ( OUT PSID *PPSid, IN PSID_IDENTIFIER_AUTHORITY PSidAuthority, IN UCHAR SubAuthorityCount, IN ULONG SubAuthorities[], OUT PDWORD pdwSidSize )/*++
Routine Description:
Creates a SID with desired authority and sub authorities.
NOTE: This routine allocates memory for the SID. When finished the caller should free memory using SEC_FREE (PSid).
Arguments:
PPSid -- addr of ptr to SID to be created Note: if SID creation fails ptr set to NULL
PSidAuthority -- desired value for SID authority
SubAuthorityCount -- number of sub authorities desired
SubAuthorities -- sub-authority values, MUST SPECIFY contain at least SubAuthorityCount number of values
Return Value:
STATUS_SUCCESS if SID created. STATUS_UNSUCCESSFUL otherwise.
--*/{ USHORT iSub; /* sub-authority index */ DWORD dwSidSize = 0; HRESULT hr = S_OK;
/* allocate memory for SID */
dwSidSize = RtlLengthRequiredSid(SubAuthorityCount); *PPSid = (PSID) AllocADsMem( dwSidSize ); if (! *PPSid){ hr = E_OUTOFMEMORY; BAIL_ON_FAILURE(hr); }
*pdwSidSize = dwSidSize;
/* initialize SID with top level SID identifier authority */ RtlInitializeSid( *PPSid, PSidAuthority, SubAuthorityCount);
/* fill in sub authorities */ for (iSub=0; iSub < SubAuthorityCount; iSub++) * RtlSubAuthoritySid( *PPSid, iSub) = SubAuthorities[iSub];
/* sanity check */
if ( ! RtlValidSid( *PPSid) ) { FreeADsMem( *PPSid); *PPSid = NULL; hr = HRESULT_FROM_WIN32(ERROR_INVALID_SID); BAIL_ON_FAILURE(hr); }
error:
RRETURN(hr);}
BOOLEquivalentServers( LPWSTR pszTargetServer, LPWSTR pszSourceServer ){ if (!pszTargetServer && !pszSourceServer) { return(TRUE); }
if (pszTargetServer && pszSourceServer) {
#ifdef WIN95
if (!_wcsicmp(pszTargetServer, pszSourceServer)) {#else
if (CompareStringW( LOCALE_SYSTEM_DEFAULT, NORM_IGNORECASE, pszTargetServer, -1, pszSourceServer, -1 ) == CSTR_EQUAL ) {#endif
return(TRUE); } }
return(FALSE);}
|
