archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/net/ias/providers/ntuser/auth/ntsamuser.cpp

383 lines
8.8 KiB
Raw Normal View History

Add source files
4 years ago
  1. ///////////////////////////////////////////////////////////////////////////////
  2. //
  3. // Copyright (c) 2000, Microsoft Corp. All rights reserved.
  4. //
  5. // FILE
  6. //
  7. // ntsamuser.cpp
  8. //
  9. // SYNOPSIS
  10. //
  11. // Defines the class AccountValidation.
  12. //
  13. ///////////////////////////////////////////////////////////////////////////////
  15. #include <ias.h>
  16. #include <ntsamuser.h>
  17. #include <autohdl.h>
  18. #include <iaslsa.h>
  19. #include <iasntds.h>
  20. #include <iastlutl.h>
  21. #include <lmaccess.h>
  22. #include <samutil.h>
  23. #include <sdoias.h>
  25. //////////
  26. // Attributes that should be retrieved for each user.
  27. //////////
  28. const PCWSTR PER_USER_ATTRS[] =
  29. {
  30. L"userAccountControl",
  31. L"accountExpires",
  32. L"logonHours",
  33. L"tokenGroups",
  34. L"objectSid",
  35. NULL
  36. };
  39. //////////
  40. //
  41. // Process an LDAP response.
  42. //
  43. // Based on the empirical evidence, it seems that userAccountControl and
  44. // accountExpires are always present while logonHours is optional. However,
  45. // none of these attributes are marked as mandatory in the LDAP schema. Since
  46. // we have already done a rudimentary access check at bind, we will allow any
  47. // of these attributes to be absent.
  48. //
  49. //////////
  50. inline
  51. DWORD
  52. ValidateLdapResponse(
  53. IASTL::IASRequest& request,
  54. LDAPMessage* msg
  55. )
  56. {
  57. // Retrieve the connection for this message.
  58. LDAP* ld = ldap_conn_from_msg(NULL, msg);
  60. PWCHAR *str;
  61. PLDAP_BERVAL *data1, *data2;
  63. // There is exactly one entry.
  64. LDAPMessage* e = ldap_first_entry(ld, msg);
  66. //////////
  67. // Check the UserAccountControl flags.
  68. //////////
  70. ULONG userAccountControl;
  71. str = ldap_get_valuesW(ld, e, L"userAccountControl");
  72. if (str)
  73. {
  74. userAccountControl = (ULONG)_wtoi64(*str);
  75. ldap_value_freeW(str);
  77. if (userAccountControl & UF_ACCOUNTDISABLE)
  78. {
  79. return ERROR_ACCOUNT_DISABLED;
  80. }
  82. if (userAccountControl & UF_LOCKOUT)
  83. {
  84. return ERROR_ACCOUNT_LOCKED_OUT;
  85. }
  86. }
  88. //////////
  89. // Retrieve AccountExpires.
  90. //////////
  92. LARGE_INTEGER accountExpires;
  93. str = ldap_get_valuesW(ld, e, L"accountExpires");
  94. if (str)
  95. {
  96. accountExpires.QuadPart = _wtoi64(*str);
  97. ldap_value_freeW(str);
  98. }
  99. else
  100. {
  101. accountExpires.QuadPart = 0;
  102. }
  104. //////////
  105. // Retrieve LogonHours.
  106. //////////
  108. IAS_LOGON_HOURS logonHours;
  109. data1 = ldap_get_values_lenW(ld, e, L"logonHours");
  110. if (data1 != NULL)
  111. {
  112. logonHours.UnitsPerWeek = 8 * (USHORT)data1[0]->bv_len;
  113. logonHours.LogonHours = (PUCHAR)data1[0]->bv_val;
  114. }
  115. else
  116. {
  117. logonHours.UnitsPerWeek = 0;
  118. logonHours.LogonHours = NULL;
  119. }
  121. //////////
  122. // Check the account restrictions.
  123. //////////
  125. DWORD status;
  126. status = IASCheckAccountRestrictions(
  127. &accountExpires,
  128. &logonHours
  129. );
  131. ldap_value_free_len(data1);
  133. if (status != NO_ERROR) { return status; }
  135. //////////
  136. // Retrieve tokenGroups and objectSid.
  137. //////////
  139. data1 = ldap_get_values_lenW(ld, e, L"tokenGroups");
  140. data2 = ldap_get_values_lenW(ld, e, L"objectSid");
  142. PTOKEN_GROUPS allGroups;
  143. ULONG length;
  144. if (data1 && data2)
  145. {
  146. // Allocate memory for the TOKEN_GROUPS struct.
  147. ULONG numGroups = ldap_count_values_len(data1);
  148. PTOKEN_GROUPS tokenGroups =
  149. (PTOKEN_GROUPS)_alloca(
  150. FIELD_OFFSET(TOKEN_GROUPS, Groups) +
  151. sizeof(SID_AND_ATTRIBUTES) * numGroups
  152. );
  154. // Store the number of groups.
  155. tokenGroups->GroupCount = numGroups;
  157. // Store the group SIDs.
  158. for (ULONG i = 0; i < numGroups; ++i)
  159. {
  160. tokenGroups->Groups[i].Sid = (PSID)data1[i]->bv_val;
  161. tokenGroups->Groups[i].Attributes = SE_GROUP_ENABLED;
  162. }
  164. // Expand the group membership locally.
  165. status = IASGetAliasMembership(
  166. (PSID)data2[0]->bv_val,
  167. tokenGroups,
  168. CoTaskMemAlloc,
  169. &allGroups,
  170. &length
  171. );
  172. }
  173. else
  174. {
  175. status = ERROR_ACCESS_DENIED;
  176. }
  178. ldap_value_free_len(data1);
  179. ldap_value_free_len(data2);
  181. if (status != NO_ERROR) { return status; }
  183. //////////
  184. // Initialize and store the attribute.
  185. //////////
  187. IASTL::IASAttribute attr(true);
  188. attr->dwId = IAS_ATTRIBUTE_TOKEN_GROUPS;
  189. attr->Value.itType = IASTYPE_OCTET_STRING;
  190. attr->Value.OctetString.dwLength = length;
  191. attr->Value.OctetString.lpValue = (PBYTE)allGroups;
  193. attr.store(request);
  195. return NO_ERROR;
  196. }
  199. HRESULT AccountValidation::Initialize()
  200. {
  201. return IASNtdsInitialize();
  202. }
  205. HRESULT AccountValidation::Shutdown() throw ()
  206. {
  207. IASNtdsUninitialize();
  208. return S_OK;
  209. }
  212. IASREQUESTSTATUS AccountValidation::onSyncRequest(IRequest* pRequest) throw ()
  213. {
  214. try
  215. {
  216. IASTL::IASRequest request(pRequest);
  218. //////////
  219. // Only process requests that don't have Token-Groups already.
  220. //////////
  222. IASTL::IASAttribute tokenGroups;
  223. if (!tokenGroups.load(
  224. request,
  225. IAS_ATTRIBUTE_TOKEN_GROUPS,
  226. IASTYPE_OCTET_STRING
  227. ))
  228. {
  229. //////////
  230. // Extract the NT4-Account-Name attribute.
  231. //////////
  233. IASTL::IASAttribute identity;
  234. if (identity.load(
  235. request,
  236. IAS_ATTRIBUTE_NT4_ACCOUNT_NAME,
  237. IASTYPE_STRING
  238. ))
  239. {
  240. //////////
  241. // Convert the User-Name to SAM format.
  242. //////////
  244. PCWSTR domain, username;
  245. EXTRACT_SAM_IDENTITY(identity->Value.String, domain, username);
  247. IASTracePrintf(
  248. "Validating Windows account %S\\%S.",
  249. domain,
  250. username
  251. );
  253. //////////
  254. // Validate the account.
  255. //////////
  257. if (!tryNativeMode(request, domain, username))
  258. {
  259. doDownlevel(request, domain, username);
  260. }
  261. }
  262. }
  263. }
  264. catch (const _com_error& ce)
  265. {
  266. IASTraceExcept();
  267. IASProcessFailure(pRequest, ce.Error());
  268. }
  270. return IAS_REQUEST_STATUS_CONTINUE;
  271. }
  274. void AccountValidation::doDownlevel(
  275. IASTL::IASRequest& request,
  276. PCWSTR domainName,
  277. PCWSTR username
  278. )
  279. {
  280. IASTraceString("Using downlevel APIs to validate account.");
  282. //////////
  283. // Inject the user's groups.
  284. //////////
  286. IASTL::IASAttribute groups(true);
  288. DWORD status;
  289. status = IASGetGroupsForUser(
  290. username,
  291. domainName,
  292. &CoTaskMemAlloc,
  293. (PTOKEN_GROUPS*)&groups->Value.OctetString.lpValue,
  294. &groups->Value.OctetString.dwLength
  295. );
  297. if (status == NO_ERROR)
  298. {
  299. // Insert the groups.
  300. groups->dwId = IAS_ATTRIBUTE_TOKEN_GROUPS;
  301. groups->Value.itType = IASTYPE_OCTET_STRING;
  302. groups.store(request);
  304. IASTraceString("Successfully validated account.");
  305. }
  306. else
  307. {
  308. IASTraceFailure("IASGetGroupsForUser", status);
  309. status = IASMapWin32Error(status, IAS_SERVER_UNAVAILABLE);
  310. IASProcessFailure(request, status);
  311. }
  312. }
  315. bool AccountValidation::tryNativeMode(
  316. IASTL::IASRequest& request,
  317. PCWSTR domainName,
  318. PCWSTR username
  319. )
  320. {
  321. //////////
  322. // Only handle domain users.
  323. //////////
  325. if (IASGetRole() != IAS_ROLE_DC && IASIsDomainLocal(domainName))
  326. {
  327. return false;
  328. }
  330. //////////
  331. // Query the DS.
  332. //////////
  334. DWORD error;
  335. auto_handle< PLDAPMessage,
  336. ULONG (LDAPAPI*)(PLDAPMessage),
  337. &ldap_msgfree
  338. > res;
  339. error = IASNtdsQueryUserAttributes(
  340. domainName,
  341. username,
  342. LDAP_SCOPE_BASE,
  343. const_cast<PWCHAR*>(PER_USER_ATTRS),
  344. &res
  345. );
  347. switch (error)
  348. {
  349. case NO_ERROR:
  350. {
  351. // We got something back, so validate the response.
  352. error = ValidateLdapResponse(request, res);
  353. if (error == NO_ERROR)
  354. {
  355. IASTraceString("Successfully validated account.");
  356. return true;
  357. }
  359. IASTraceFailure("ValidateLdapResponse", error);
  360. break;
  361. }
  363. case ERROR_DS_NOT_INSTALLED:
  364. case ERROR_INVALID_DOMAIN_ROLE:
  365. {
  366. // No DS, so we can't handle.
  367. return false;
  368. }
  370. default:
  371. {
  372. // We have a DS for this user, but we can't talk to it.
  373. break;
  374. }
  375. }
  377. IASProcessFailure(
  378. request,
  379. IASMapWin32Error(error, IAS_DOMAIN_UNAVAILABLE)
  380. );
  382. return true;
  383. }