LCOV - code coverage report
Current view: top level - auth - auth_sam_reply.c (source / functions) Hit Total Coverage
Test: coverage report for master 98b443d9 Lines: 347 465 74.6 %
Date: 2024-05-31 13:13:24 Functions: 12 12 100.0 %

          Line data    Source code
       1             : /*
       2             :    Unix SMB/CIFS implementation.
       3             : 
       4             :    Convert a server info struct into the form for PAC and NETLOGON replies
       5             : 
       6             :    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2011
       7             :    Copyright (C) Stefan Metzmacher <metze@samba.org>  2005
       8             : 
       9             :    This program is free software; you can redistribute it and/or modify
      10             :    it under the terms of the GNU General Public License as published by
      11             :    the Free Software Foundation; either version 3 of the License, or
      12             :    (at your option) any later version.
      13             : 
      14             :    This program is distributed in the hope that it will be useful,
      15             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      16             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      17             :    GNU General Public License for more details.
      18             : 
      19             :    You should have received a copy of the GNU General Public License
      20             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      21             : */
      22             : 
      23             : #include "includes.h"
      24             : #include "librpc/gen_ndr/auth.h"
      25             : #include "libcli/security/security.h"
      26             : #include "auth/auth_sam_reply.h"
      27             : 
      28             : /* Returns true if this SID belongs in SamBaseInfo, otherwise false. */
      29     1187430 : static bool is_base_sid(const struct auth_SidAttr *sid,
      30             :                         const struct dom_sid *domain_sid)
      31             : {
      32     1187430 :         if (sid->attrs & SE_GROUP_RESOURCE) {
      33             :                 /*
      34             :                  * Resource groups don't belong in the base
      35             :                  * RIDs, they're handled elsewhere.
      36             :                  */
      37      138670 :                 return false;
      38             :         }
      39             : 
      40             :         /*
      41             :          * This SID belongs in the base structure only if it's in the account's
      42             :          * domain.
      43             :          */
      44     1040978 :         return dom_sid_in_domain(domain_sid, &sid->sid);
      45             : }
      46             : 
      47             : /* Stores a SID in a previously allocated array. */
      48      173190 : static NTSTATUS store_extra_sid(struct netr_SidAttr *sids,
      49             :                                 uint32_t *sidcount,
      50             :                                 const uint32_t allocated_sids,
      51             :                                 const struct auth_SidAttr *sid)
      52             : {
      53             :         /* Check we aren't about to overflow our allocation. */
      54      173190 :         if (*sidcount >= allocated_sids) {
      55           0 :                 return NT_STATUS_INVALID_PARAMETER;
      56             :         }
      57             : 
      58      173190 :         sids[*sidcount].sid = dom_sid_dup(sids, &sid->sid);
      59      173190 :         if (sids[*sidcount].sid == NULL) {
      60           0 :                 return NT_STATUS_NO_MEMORY;
      61             :         }
      62      173190 :         sids[*sidcount].attributes = sid->attrs;
      63      173190 :         *sidcount += 1;
      64             : 
      65      173190 :         return NT_STATUS_OK;
      66             : }
      67             : 
      68             : /*
      69             :  * Stores a resource SID in a previously allocated array, either Extra SIDs or
      70             :  * Resource SIDs. Any SID within the domain of the first SID so added is stored
      71             :  * there, while remaining SIDs are stored in Extra SIDs.
      72             :  */
      73       16482 : static NTSTATUS store_resource_sid(struct netr_SidAttr *sids,
      74             :                                    uint32_t *sidcount,
      75             :                                    const uint32_t allocated_sids,
      76             :                                    const struct auth_SidAttr *sid,
      77             :                                    struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups,
      78             :                                    const uint32_t allocated_resource_groups)
      79             : {
      80         588 :         NTSTATUS status;
      81             : 
      82       16482 :         struct dom_sid *resource_domain = NULL;
      83         588 :         uint32_t rid;
      84             : 
      85       16482 :         if (resource_groups == NULL) {
      86           0 :                 return NT_STATUS_INVALID_PARAMETER;
      87             :         }
      88             : 
      89             :         /* Split the SID into domain and RID.  */
      90       16482 :         status = dom_sid_split_rid(resource_groups, &sid->sid, &resource_domain, &rid);
      91       16482 :         if (!NT_STATUS_IS_OK(status)) {
      92           0 :                 return status;
      93             :         }
      94             : 
      95       16482 :         if (resource_groups->domain_sid == NULL) {
      96             :                 /*
      97             :                  * There is no domain SID set. Set it to the domain of this SID.
      98             :                  */
      99       16462 :                 resource_groups->domain_sid = resource_domain;
     100             :         } else {
     101             :                 /*
     102             :                  * A domain SID has already been set. Check whether this SID's
     103             :                  * domain matches.
     104             :                  *
     105             :                  * Assuming that resource SIDs have been obtained with
     106             :                  * dsdb_expand_nested_groups(), they should all be within the
     107             :                  * same domain (ours), so unless something has gone horribly
     108             :                  * wrong, we should always find that they match.
     109             :                  */
     110          20 :                 bool match = dom_sid_equal(resource_groups->domain_sid, resource_domain);
     111          20 :                 talloc_free(resource_domain);
     112          20 :                 if (!match) {
     113             :                         /*
     114             :                          * It doesn't match, so we can't store this SID here. It
     115             :                          * will have to go in Extra SIDs.
     116             :                          */
     117           0 :                         return store_extra_sid(sids, sidcount, allocated_sids, sid);
     118             :                 }
     119             :         }
     120             : 
     121             :         /* Store the SID in Resource SIDs. */
     122             : 
     123             :         /* Check we aren't about to overflow our allocation. */
     124       16482 :         if (resource_groups->groups.count >= allocated_resource_groups) {
     125           0 :                 return NT_STATUS_INVALID_PARAMETER;
     126             :         }
     127             : 
     128       16482 :         resource_groups->groups.rids[resource_groups->groups.count].rid = rid;
     129       16482 :         resource_groups->groups.rids[resource_groups->groups.count].attributes = sid->attrs;
     130       16482 :         resource_groups->groups.count++;
     131             : 
     132       16482 :         return NT_STATUS_OK;
     133             : }
     134             : 
     135             : /*
     136             :  * Stores a SID in a previously allocated array, or excludes it if we are not
     137             :  * storing resource groups. It will be placed in either Extra SIDs or Resource
     138             :  * SIDs, depending on which is appropriate.
     139             :  */
     140      237656 : static NTSTATUS store_sid(struct netr_SidAttr *sids,
     141             :                           uint32_t *sidcount,
     142             :                           const uint32_t allocated_sids,
     143             :                           const struct auth_SidAttr *sid,
     144             :                           struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups,
     145             :                           const uint32_t allocated_resource_groups,
     146             :                           const enum auth_group_inclusion group_inclusion)
     147             : {
     148             :         /* See if it's a resource SID. */
     149      237656 :         if (sid->attrs & SE_GROUP_RESOURCE) {
     150             :                 /*
     151             :                  * If this is the SID of a resource group, determine whether it
     152             :                  * should be included or filtered out.
     153             :                  */
     154       73226 :                 switch (group_inclusion) {
     155        7486 :                 case AUTH_INCLUDE_RESOURCE_GROUPS:
     156             :                         /* Include this SID in Extra SIDs. */
     157        7486 :                         break;
     158       16482 :                 case AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED:
     159             :                         /*
     160             :                          * Try to include this SID in Resource Groups. If this
     161             :                          * can't be arranged, we shall fall back to Extra
     162             :                          * SIDs.
     163             :                          */
     164       62437 :                         return store_resource_sid(sids,
     165             :                                                   sidcount,
     166             :                                                   allocated_sids,
     167             :                                                   sid,
     168             :                                                   resource_groups,
     169             :                                                   allocated_resource_groups);
     170       47984 :                 case AUTH_EXCLUDE_RESOURCE_GROUPS:
     171             :                         /* Ignore this SID. */
     172       47984 :                         return NT_STATUS_OK;
     173           0 :                 default:
     174             :                         /* This means we have a bug. */
     175           0 :                         DBG_ERR("invalid group inclusion parameter: %u\n", group_inclusion);
     176           0 :                         return NT_STATUS_INVALID_PARAMETER;
     177             :                 }
     178             :         }
     179             : 
     180             :         /* Just store the SID in Extra SIDs. */
     181      173190 :         return store_extra_sid(sids,
     182             :                                sidcount,
     183             :                                allocated_sids,
     184             :                                sid);
     185             : }
     186             : 
     187       90010 : static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
     188             :                                 const struct auth_user_info_dc *user_info_dc,
     189             :                                 struct netr_SamBaseInfo *sam)
     190             : {
     191        4132 :         NTSTATUS status;
     192        4132 :         const struct auth_user_info *info;
     193             : 
     194       90010 :         ZERO_STRUCTP(sam);
     195             : 
     196       90010 :         if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX) {
     197       90010 :                 status = dom_sid_split_rid(sam, &user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid,
     198             :                                            &sam->domain_sid, &sam->rid);
     199       90010 :                 if (!NT_STATUS_IS_OK(status)) {
     200           0 :                         return status;
     201             :                 }
     202             :         } else {
     203           0 :                 return NT_STATUS_INVALID_PARAMETER;
     204             :         }
     205             : 
     206       90010 :         if (user_info_dc->num_sids > PRIMARY_GROUP_SID_INDEX) {
     207       90009 :                 status = dom_sid_split_rid(NULL, &user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid,
     208             :                                            NULL, &sam->primary_gid);
     209       90009 :                 if (!NT_STATUS_IS_OK(status)) {
     210           0 :                         return status;
     211             :                 }
     212             :         } else {
     213             :                 /* if we have to encode something like SYSTEM (with no
     214             :                  * second SID in the token) then this is the only
     215             :                  * choice */
     216           1 :                 sam->primary_gid = sam->rid;
     217             :         }
     218             : 
     219       90010 :         info = user_info_dc->info;
     220             : 
     221       90010 :         sam->logon_time = info->last_logon;
     222       90010 :         sam->logoff_time =  info->last_logoff;
     223       90010 :         sam->kickoff_time = info->acct_expiry;
     224       90010 :         sam->last_password_change = info->last_password_change;
     225       90010 :         sam->allow_password_change = info->allow_password_change;
     226       90010 :         sam->force_password_change = info->force_password_change;
     227             : 
     228             : #define _COPY_STRING_TALLOC(src_name, dst_name) do { \
     229             :         if (info->src_name != NULL) {\
     230             :                 sam->dst_name.string = talloc_strdup(mem_ctx, info->src_name); \
     231             :                 if (sam->dst_name.string == NULL) { \
     232             :                         return NT_STATUS_NO_MEMORY; \
     233             :                 } \
     234             :         } \
     235             : } while(0)
     236       90010 :         _COPY_STRING_TALLOC(account_name, account_name);
     237       90010 :         _COPY_STRING_TALLOC(full_name, full_name);
     238       90010 :         _COPY_STRING_TALLOC(logon_script, logon_script);
     239       90010 :         _COPY_STRING_TALLOC(profile_path, profile_path);
     240       90010 :         _COPY_STRING_TALLOC(home_directory, home_directory);
     241       90010 :         _COPY_STRING_TALLOC(home_drive, home_drive);
     242       90010 :         _COPY_STRING_TALLOC(logon_server, logon_server);
     243       90010 :         _COPY_STRING_TALLOC(domain_name, logon_domain);
     244             : #undef _COPY_STRING_TALLOC
     245             : 
     246       90010 :         sam->logon_count = info->logon_count;
     247       90010 :         sam->bad_password_count = info->bad_password_count;
     248       90010 :         sam->groups.count = 0;
     249       90010 :         sam->groups.rids = NULL;
     250             : 
     251       90010 :         if (user_info_dc->num_sids > REMAINING_SIDS_INDEX) {
     252        4131 :                 size_t i;
     253       90009 :                 sam->groups.rids = talloc_array(mem_ctx, struct samr_RidWithAttribute,
     254             :                                                 user_info_dc->num_sids);
     255             : 
     256       90009 :                 if (sam->groups.rids == NULL)
     257           0 :                         return NT_STATUS_NO_MEMORY;
     258             : 
     259      683724 :                 for (i=REMAINING_SIDS_INDEX; i<user_info_dc->num_sids; i++) {
     260      593715 :                         struct auth_SidAttr *group_sid = &user_info_dc->sids[i];
     261             : 
     262      593715 :                         bool belongs_in_base = is_base_sid(group_sid, sam->domain_sid);
     263      589824 :                         if (!belongs_in_base) {
     264             :                                 /* We handle this elsewhere */
     265      237656 :                                 continue;
     266             :                         }
     267      356059 :                         sam->groups.rids[sam->groups.count].rid =
     268      356059 :                                 group_sid->sid.sub_auths[group_sid->sid.num_auths-1];
     269             : 
     270      356059 :                         sam->groups.rids[sam->groups.count].attributes = group_sid->attrs;
     271      356059 :                         sam->groups.count += 1;
     272             :                 }
     273             : 
     274       90009 :                 if (sam->groups.count == 0) {
     275           0 :                         TALLOC_FREE(sam->groups.rids);
     276             :                 }
     277             :         }
     278             : 
     279       90010 :         sam->user_flags = info->user_flags; /* w2k3 uses NETLOGON_EXTRA_SIDS | NETLOGON_NTLMV2_ENABLED */
     280       90010 :         sam->acct_flags = user_info_dc->info->acct_flags;
     281       90010 :         sam->sub_auth_status = 0;
     282       90010 :         sam->last_successful_logon = 0;
     283       90010 :         sam->last_failed_logon = 0;
     284       90010 :         sam->failed_logon_count = 0;
     285       90010 :         sam->reserved = 0;
     286             : 
     287       90010 :         ZERO_STRUCT(sam->key);
     288       90010 :         if (user_info_dc->user_session_key.length == sizeof(sam->key.key)) {
     289        9958 :                 memcpy(sam->key.key, user_info_dc->user_session_key.data, sizeof(sam->key.key));
     290             :         }
     291             : 
     292       90010 :         ZERO_STRUCT(sam->LMSessKey);
     293       90010 :         if (user_info_dc->lm_session_key.length == sizeof(sam->LMSessKey.key)) {
     294        8682 :                 memcpy(sam->LMSessKey.key, user_info_dc->lm_session_key.data,
     295             :                        sizeof(sam->LMSessKey.key));
     296             :         }
     297             : 
     298       90010 :         return NT_STATUS_OK;
     299             : }
     300             : 
     301             : /* Note that the validity of the _sam6 and resource_groups structures is only as
     302             :  * long as the user_info_dc it was generated from */
     303       90010 : NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
     304             :                                             const struct auth_user_info_dc *user_info_dc,
     305             :                                             enum auth_group_inclusion group_inclusion,
     306             :                                             struct netr_SamInfo6 **_sam6,
     307             :                                             struct PAC_DOMAIN_GROUP_MEMBERSHIP **_resource_groups)
     308             : {
     309        4132 :         NTSTATUS status;
     310       90010 :         struct netr_SamInfo6 *sam6 = NULL;
     311       90010 :         struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups = NULL;
     312        4132 :         size_t i;
     313             : 
     314       90010 :         const uint32_t allocated_sids = user_info_dc->num_sids;
     315       90010 :         uint32_t allocated_resource_groups = 0;
     316             : 
     317       90010 :         sam6 = talloc_zero(mem_ctx, struct netr_SamInfo6);
     318       90010 :         if (sam6 == NULL) {
     319           0 :                 return NT_STATUS_NO_MEMORY;
     320             :         }
     321             : 
     322       90010 :         if (_resource_groups == NULL) {
     323       11042 :                 if (group_inclusion == AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED) {
     324           0 :                         DBG_ERR("_resource_groups parameter not provided to receive resource groups!\n");
     325           0 :                         TALLOC_FREE(sam6);
     326           0 :                         return NT_STATUS_INVALID_PARAMETER;
     327             :                 }
     328       78968 :         } else if (group_inclusion == AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED) {
     329       23771 :                 *_resource_groups = NULL;
     330             : 
     331             :                 /* Allocate resource groups structure. */
     332       23771 :                 resource_groups = talloc_zero(mem_ctx, struct PAC_DOMAIN_GROUP_MEMBERSHIP);
     333       23771 :                 if (resource_groups == NULL) {
     334           0 :                         TALLOC_FREE(sam6);
     335           0 :                         return NT_STATUS_NO_MEMORY;
     336             :                 }
     337             : 
     338             :                 /*
     339             :                  * Allocate enough space to store user_info_dc->num_sids
     340             :                  * RIDs in the worst case.
     341             :                  */
     342       23771 :                 allocated_resource_groups = user_info_dc->num_sids;
     343       23771 :                 resource_groups->groups.rids = talloc_zero_array(resource_groups,
     344             :                                                                  struct samr_RidWithAttribute,
     345             :                                                                  allocated_resource_groups);
     346       23771 :                 if (resource_groups->groups.rids == NULL) {
     347           0 :                         TALLOC_FREE(sam6);
     348           0 :                         TALLOC_FREE(resource_groups);
     349           0 :                         return NT_STATUS_NO_MEMORY;
     350             :                 }
     351             :         } else {
     352             :                 /* No resource groups will be provided. */
     353       55197 :                 *_resource_groups = NULL;
     354             :         }
     355             : 
     356       90010 :         status = auth_convert_user_info_dc_sambaseinfo(sam6,
     357             :                                                        user_info_dc,
     358             :                                                        &sam6->base);
     359       90010 :         if (!NT_STATUS_IS_OK(status)) {
     360           0 :                 TALLOC_FREE(sam6);
     361           0 :                 TALLOC_FREE(resource_groups);
     362           0 :                 return status;
     363             :         }
     364             : 
     365             :         /*
     366             :          * Allocate enough space to store user_info_dc->num_sids SIDs in the
     367             :          * worst case.
     368             :          */
     369       90010 :         sam6->sids = talloc_zero_array(sam6, struct netr_SidAttr,
     370             :                                        allocated_sids);
     371       90010 :         if (sam6->sids == NULL) {
     372           0 :                 TALLOC_FREE(sam6);
     373           0 :                 TALLOC_FREE(resource_groups);
     374           0 :                 return NT_STATUS_NO_MEMORY;
     375             :         }
     376             : 
     377             :         /* We don't put the user and group SIDs in there */
     378      683725 :         for (i=REMAINING_SIDS_INDEX; i<user_info_dc->num_sids; i++) {
     379      593715 :                 struct auth_SidAttr *group_sid = &user_info_dc->sids[i];
     380      593715 :                 bool belongs_in_base = is_base_sid(group_sid, sam6->base.domain_sid);
     381      589824 :                 if (belongs_in_base) {
     382             :                         /* We already handled this in the base. */
     383      356059 :                         continue;
     384             :                 }
     385             : 
     386      237656 :                 status = store_sid(sam6->sids,
     387             :                                    &sam6->sidcount,
     388             :                                    allocated_sids,
     389             :                                    group_sid,
     390             :                                    resource_groups,
     391             :                                    allocated_resource_groups,
     392             :                                    group_inclusion);
     393      237656 :                 if (!NT_STATUS_IS_OK(status)) {
     394           0 :                         TALLOC_FREE(sam6);
     395           0 :                         TALLOC_FREE(resource_groups);
     396           0 :                         return status;
     397             :                 }
     398             :         }
     399       90010 :         if (sam6->sidcount) {
     400       87693 :                 sam6->base.user_flags |= NETLOGON_EXTRA_SIDS;
     401             :         } else {
     402        2317 :                 sam6->base.user_flags &= ~NETLOGON_EXTRA_SIDS;
     403        2317 :                 TALLOC_FREE(sam6->sids);
     404             :         }
     405             : 
     406       90010 :         if (user_info_dc->info->dns_domain_name != NULL) {
     407      175886 :                 sam6->dns_domainname.string = talloc_strdup(sam6,
     408       85878 :                                         user_info_dc->info->dns_domain_name);
     409       90008 :                 if (sam6->dns_domainname.string == NULL) {
     410           0 :                         TALLOC_FREE(sam6);
     411           0 :                         TALLOC_FREE(resource_groups);
     412           0 :                         return NT_STATUS_NO_MEMORY;
     413             :                 }
     414             :         }
     415             : 
     416       90010 :         if (user_info_dc->info->user_principal_name != NULL) {
     417      175886 :                 sam6->principal_name.string = talloc_strdup(sam6,
     418       85878 :                                         user_info_dc->info->user_principal_name);
     419       90008 :                 if (sam6->principal_name.string == NULL) {
     420           0 :                         TALLOC_FREE(sam6);
     421           0 :                         TALLOC_FREE(resource_groups);
     422           0 :                         return NT_STATUS_NO_MEMORY;
     423             :                 }
     424             :         }
     425             : 
     426       90010 :         *_sam6 = sam6;
     427       90010 :         if (resource_groups != NULL) {
     428       23771 :                 if (resource_groups->groups.count > 0) {
     429       16462 :                         *_resource_groups = resource_groups;
     430             :                 } else {
     431        7309 :                         TALLOC_FREE(resource_groups);
     432             :                 }
     433             :         }
     434       90010 :         return NT_STATUS_OK;
     435             : }
     436             : 
     437             : /* Note that the validity of the _sam2 structure is only as long as
     438             :  * the user_info_dc it was generated from */
     439        4254 : NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
     440             :                                            const struct auth_user_info_dc *user_info_dc,
     441             :                                            enum auth_group_inclusion group_inclusion,
     442             :                                            struct netr_SamInfo2 **_sam2)
     443             : {
     444         601 :         NTSTATUS status;
     445        4254 :         struct netr_SamInfo6 *sam6 = NULL;
     446        4254 :         struct netr_SamInfo2 *sam2 = NULL;
     447             : 
     448        4254 :         sam2 = talloc_zero(mem_ctx, struct netr_SamInfo2);
     449        4254 :         if (sam2 == NULL) {
     450           0 :                 return NT_STATUS_NO_MEMORY;
     451             :         }
     452             : 
     453        4254 :         status = auth_convert_user_info_dc_saminfo6(sam2, user_info_dc,
     454             :                                                     group_inclusion, &sam6,
     455             :                                                     NULL);
     456        4254 :         if (!NT_STATUS_IS_OK(status)) {
     457           0 :                 TALLOC_FREE(sam2);
     458           0 :                 return status;
     459             :         }
     460        4254 :         sam2->base   = sam6->base;
     461             :         /*
     462             :          * We have nowhere to put sam6->sids, so we follow Windows here and drop
     463             :          * it. Any resource groups it happened to contain are lost.
     464             :          */
     465        4254 :         sam2->base.user_flags &= ~NETLOGON_EXTRA_SIDS;
     466        4254 :         TALLOC_FREE(sam6->sids);
     467             : 
     468        4254 :         *_sam2 = sam2;
     469        4254 :         return NT_STATUS_OK;
     470             : }
     471             : 
     472             : /* Note that the validity of the _sam3 structure is only as long as
     473             :  * the user_info_dc it was generated from */
     474       83341 : NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
     475             :                                            const struct auth_user_info_dc *user_info_dc,
     476             :                                            enum auth_group_inclusion group_inclusion,
     477             :                                            struct netr_SamInfo3 **_sam3,
     478             :                                            struct PAC_DOMAIN_GROUP_MEMBERSHIP **_resource_groups)
     479             : {
     480        3459 :         NTSTATUS status;
     481       83341 :         struct netr_SamInfo6 *sam6 = NULL;
     482       83341 :         struct netr_SamInfo3 *sam3 = NULL;
     483             : 
     484       83341 :         sam3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
     485       83341 :         if (sam3 == NULL) {
     486           0 :                 return NT_STATUS_NO_MEMORY;
     487             :         }
     488             : 
     489       83341 :         status = auth_convert_user_info_dc_saminfo6(sam3, user_info_dc,
     490             :                                                     group_inclusion, &sam6,
     491             :                                                     _resource_groups);
     492       83341 :         if (!NT_STATUS_IS_OK(status)) {
     493           0 :                 TALLOC_FREE(sam3);
     494           0 :                 return status;
     495             :         }
     496       83341 :         sam3->base   = sam6->base;
     497       83341 :         sam3->sidcount       = sam6->sidcount;
     498       83341 :         sam3->sids   = sam6->sids;
     499             : 
     500       83341 :         *_sam3 = sam3;
     501       83341 :         return NT_STATUS_OK;
     502             : }
     503             : 
     504             : /**
     505             :  * Make a user_info struct from the info3 or similar returned by a domain logon.
     506             :  *
     507             :  * The netr_SamInfo3 is also a key structure in the source3 auth subsystem
     508             :  */
     509             : 
     510      104871 : NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
     511             :                                     const char *account_name,
     512             :                                     const struct netr_SamBaseInfo *base,
     513             :                                     bool authenticated,
     514             :                                     struct auth_user_info **_user_info)
     515             : {
     516        2564 :         struct auth_user_info *info;
     517             : 
     518      104871 :         info = talloc_zero(mem_ctx, struct auth_user_info);
     519      104871 :         if (info == NULL) {
     520           0 :                 return NT_STATUS_NO_MEMORY;
     521             :         }
     522             : 
     523      104871 :         if (base->account_name.string) {
     524      104871 :                 info->account_name = talloc_strdup(info, base->account_name.string);
     525             :         } else {
     526           0 :                 info->account_name = talloc_strdup(info, account_name);
     527             :         }
     528      104871 :         if (info->account_name == NULL) {
     529           0 :                 talloc_free(info);
     530           0 :                 return NT_STATUS_NO_MEMORY;
     531             :         }
     532             : 
     533      104871 :         if (base->logon_domain.string) {
     534      104871 :                 info->domain_name = talloc_strdup(info, base->logon_domain.string);
     535      104871 :                 if (info->domain_name == NULL) {
     536           0 :                         talloc_free(info);
     537           0 :                         return NT_STATUS_NO_MEMORY;
     538             :                 }
     539             :         }
     540             : 
     541      104871 :         if (base->full_name.string) {
     542      103866 :                 info->full_name = talloc_strdup(info, base->full_name.string);
     543      103866 :                 if (info->full_name == NULL) {
     544           0 :                         talloc_free(info);
     545           0 :                         return NT_STATUS_NO_MEMORY;
     546             :                 }
     547             :         }
     548      104871 :         if (base->logon_script.string) {
     549      103866 :                 info->logon_script = talloc_strdup(info, base->logon_script.string);
     550      103866 :                 if (info->logon_script == NULL) {
     551           0 :                         talloc_free(info);
     552           0 :                         return NT_STATUS_NO_MEMORY;
     553             :                 }
     554             :         }
     555      104871 :         if (base->profile_path.string) {
     556      103866 :                 info->profile_path = talloc_strdup(info, base->profile_path.string);
     557      103866 :                 if (info->profile_path == NULL) {
     558           0 :                         talloc_free(info);
     559           0 :                         return NT_STATUS_NO_MEMORY;
     560             :                 }
     561             :         }
     562      104871 :         if (base->home_directory.string) {
     563      103866 :                 info->home_directory = talloc_strdup(info, base->home_directory.string);
     564      103866 :                 if (info->home_directory == NULL) {
     565           0 :                         talloc_free(info);
     566           0 :                         return NT_STATUS_NO_MEMORY;
     567             :                 }
     568             :         }
     569      104871 :         if (base->home_drive.string) {
     570      103866 :                 info->home_drive = talloc_strdup(info, base->home_drive.string);
     571      103866 :                 if (info->home_drive == NULL) {
     572           0 :                         talloc_free(info);
     573           0 :                         return NT_STATUS_NO_MEMORY;
     574             :                 }
     575             :         }
     576      104871 :         if (base->logon_server.string) {
     577      103866 :                 info->logon_server = talloc_strdup(info, base->logon_server.string);
     578      103866 :                 if (info->logon_server == NULL) {
     579           0 :                         talloc_free(info);
     580           0 :                         return NT_STATUS_NO_MEMORY;
     581             :                 }
     582             :         }
     583      104871 :         info->last_logon = base->logon_time;
     584      104871 :         info->last_logoff = base->logoff_time;
     585      104871 :         info->acct_expiry = base->kickoff_time;
     586      104871 :         info->last_password_change = base->last_password_change;
     587      104871 :         info->allow_password_change = base->allow_password_change;
     588      104871 :         info->force_password_change = base->force_password_change;
     589      104871 :         info->logon_count = base->logon_count;
     590      104871 :         info->bad_password_count = base->bad_password_count;
     591      104871 :         info->acct_flags = base->acct_flags;
     592             : 
     593      104871 :         info->user_flags = base->user_flags;
     594      104871 :         if (!authenticated) {
     595             :                 /*
     596             :                  * We only consider the user authenticated if NETLOGON_GUEST is
     597             :                  * not set, and authenticated is set
     598             :                  */
     599         824 :                 info->user_flags |= NETLOGON_GUEST;
     600             :         }
     601             : 
     602      104871 :         *_user_info = info;
     603      104871 :         return NT_STATUS_OK;
     604             : }
     605             : 
     606        1336 : struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx,
     607             :                                            const struct auth_user_info *src)
     608             : {
     609        1336 :         struct auth_user_info *dst = NULL;
     610             : 
     611        1336 :         dst = talloc_zero(mem_ctx, struct auth_user_info);
     612        1336 :         if (dst == NULL) {
     613           0 :                 return NULL;
     614             :         }
     615             : 
     616        1336 :         *dst = *src;
     617             : #define _COPY_STRING(_mem, _str) do { \
     618             :         if ((_str) != NULL) { \
     619             :                 (_str) = talloc_strdup((_mem), (_str)); \
     620             :                 if ((_str) == NULL) { \
     621             :                         TALLOC_FREE(dst); \
     622             :                         return NULL; \
     623             :                 } \
     624             :         } \
     625             : } while(0)
     626        1336 :         _COPY_STRING(dst, dst->account_name);
     627        1336 :         _COPY_STRING(dst, dst->user_principal_name);
     628        1336 :         _COPY_STRING(dst, dst->domain_name);
     629        1336 :         _COPY_STRING(dst, dst->dns_domain_name);
     630        1336 :         _COPY_STRING(dst, dst->full_name);
     631        1336 :         _COPY_STRING(dst, dst->logon_script);
     632        1336 :         _COPY_STRING(dst, dst->profile_path);
     633        1336 :         _COPY_STRING(dst, dst->home_directory);
     634        1336 :         _COPY_STRING(dst, dst->home_drive);
     635        1336 :         _COPY_STRING(dst, dst->logon_server);
     636             : #undef _COPY_STRING
     637             : 
     638        1336 :         return dst;
     639             : }
     640             : 
     641             : /**
     642             :  * Make a user_info_dc struct from the info3 returned by a domain logon
     643             :  */
     644       82492 : NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
     645             :                                               const char *account_name,
     646             :                                               uint16_t validation_level,
     647             :                                               const union netr_Validation *validation,
     648             :                                                bool authenticated,
     649             :                                               struct auth_user_info_dc **_user_info_dc)
     650             : {
     651        2564 :         NTSTATUS status;
     652       82492 :         struct auth_user_info_dc *user_info_dc = NULL;
     653       82492 :         const struct netr_SamBaseInfo *base = NULL;
     654       82492 :         uint32_t sidcount = 0;
     655       82492 :         const struct netr_SidAttr *sids = NULL;
     656       82492 :         const char *dns_domainname = NULL;
     657       82492 :         const char *principal = NULL;
     658        2564 :         uint32_t i;
     659             : 
     660       82492 :         switch (validation_level) {
     661           0 :         case 2:
     662           0 :                 if (!validation || !validation->sam2) {
     663           0 :                         return NT_STATUS_INVALID_PARAMETER;
     664             :                 }
     665           0 :                 base = &validation->sam2->base;
     666           0 :                 break;
     667       82204 :         case 3:
     668       82204 :                 if (!validation || !validation->sam3) {
     669           0 :                         return NT_STATUS_INVALID_PARAMETER;
     670             :                 }
     671       82204 :                 base = &validation->sam3->base;
     672       82204 :                 sidcount = validation->sam3->sidcount;
     673       82204 :                 sids = validation->sam3->sids;
     674       82204 :                 break;
     675         288 :         case 6:
     676         288 :                 if (!validation || !validation->sam6) {
     677           0 :                         return NT_STATUS_INVALID_PARAMETER;
     678             :                 }
     679         288 :                 base = &validation->sam6->base;
     680         288 :                 sidcount = validation->sam6->sidcount;
     681         288 :                 sids = validation->sam6->sids;
     682         288 :                 dns_domainname = validation->sam6->dns_domainname.string;
     683         288 :                 principal = validation->sam6->principal_name.string;
     684         288 :                 break;
     685           0 :         default:
     686           0 :                 return NT_STATUS_INVALID_LEVEL;
     687             :         }
     688             : 
     689       82492 :         user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
     690       82492 :         if (user_info_dc == NULL) {
     691           0 :                 return NT_STATUS_NO_MEMORY;
     692             :         }
     693             : 
     694             :         /*
     695             :            Here is where we should check the list of
     696             :            trusted domains, and verify that the SID
     697             :            matches.
     698             :         */
     699       82492 :         if (!base->domain_sid) {
     700           0 :                 DEBUG(0, ("Cannot operate on a Netlogon Validation without a domain SID\n"));
     701           0 :                 talloc_free(user_info_dc);
     702           0 :                 return NT_STATUS_INVALID_PARAMETER;
     703             :         }
     704             : 
     705             :         /* The IDL layer would be a better place to check this, but to
     706             :          * guard the integer addition below, we double-check */
     707       82492 :         if (base->groups.count > 65535) {
     708           0 :                 talloc_free(user_info_dc);
     709           0 :                 return NT_STATUS_INVALID_PARAMETER;
     710             :         }
     711             : 
     712       82492 :         user_info_dc->num_sids = PRIMARY_SIDS_COUNT;
     713             : 
     714       82492 :         user_info_dc->sids = talloc_array(user_info_dc, struct auth_SidAttr,  user_info_dc->num_sids + base->groups.count);
     715       82492 :         if (user_info_dc->sids == NULL) {
     716           0 :                 talloc_free(user_info_dc);
     717           0 :                 return NT_STATUS_NO_MEMORY;
     718             :         }
     719             : 
     720       82492 :         user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid = *base->domain_sid;
     721       82492 :         if (!sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid, base->rid)) {
     722           0 :                 talloc_free(user_info_dc);
     723           0 :                 return NT_STATUS_INVALID_PARAMETER;
     724             :         }
     725       82492 :         user_info_dc->sids[PRIMARY_USER_SID_INDEX].attrs = SE_GROUP_DEFAULT_FLAGS;
     726             : 
     727       82492 :         user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid = *base->domain_sid;
     728       82492 :         if (!sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid, base->primary_gid)) {
     729           0 :                 talloc_free(user_info_dc);
     730           0 :                 return NT_STATUS_INVALID_PARAMETER;
     731             :         }
     732             :         /*
     733             :          * This attribute value might be wrong if the primary group is a
     734             :          * resource group. But a resource group is not meant to be in a primary
     735             :          * group in the first place, and besides, these attributes will never
     736             :          * make their way into a PAC.
     737             :          */
     738       82492 :         user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].attrs = SE_GROUP_DEFAULT_FLAGS;
     739             : 
     740      422390 :         for (i = 0; i < base->groups.count; i++) {
     741      339898 :                 user_info_dc->sids[user_info_dc->num_sids].sid = *base->domain_sid;
     742      339898 :                 if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids].sid, base->groups.rids[i].rid)) {
     743           0 :                         talloc_free(user_info_dc);
     744           0 :                         return NT_STATUS_INVALID_PARAMETER;
     745             :                 }
     746      339898 :                 user_info_dc->sids[user_info_dc->num_sids].attrs = base->groups.rids[i].attributes;
     747      339898 :                 user_info_dc->num_sids++;
     748             :         }
     749             : 
     750             :         /* Copy 'other' sids.  We need to do sid filtering here to
     751             :            prevent possible elevation of privileges.  See:
     752             : 
     753             :            http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
     754             :          */
     755             : 
     756             :         /*
     757             :          * The IDL layer would be a better place to check this, but to
     758             :          * guard the integer addition below, we double-check
     759             :          */
     760       82492 :         if (sidcount > UINT16_MAX) {
     761           0 :                 talloc_free(user_info_dc);
     762           0 :                 return NT_STATUS_INVALID_PARAMETER;
     763             :         }
     764             : 
     765       82492 :         if (sidcount > 0) {
     766       82415 :                 struct auth_SidAttr *dgrps = user_info_dc->sids;
     767        2562 :                 size_t dgrps_count;
     768             : 
     769       82415 :                 dgrps_count = user_info_dc->num_sids + sidcount;
     770       82415 :                 dgrps = talloc_realloc(user_info_dc, dgrps, struct auth_SidAttr,
     771             :                                        dgrps_count);
     772       82415 :                 if (dgrps == NULL) {
     773           0 :                         talloc_free(user_info_dc);
     774           0 :                         return NT_STATUS_NO_MEMORY;
     775             :                 }
     776             : 
     777      253543 :                 for (i = 0; i < sidcount; i++) {
     778      171128 :                         if (sids[i].sid) {
     779      171128 :                                 dgrps[user_info_dc->num_sids].sid = *sids[i].sid;
     780      171128 :                                 dgrps[user_info_dc->num_sids].attrs = sids[i].attributes;
     781      171128 :                                 user_info_dc->num_sids++;
     782             :                         }
     783             :                 }
     784             : 
     785       82415 :                 user_info_dc->sids = dgrps;
     786             : 
     787             :                 /* Where are the 'global' sids?... */
     788             :         }
     789             : 
     790       82492 :         status = make_user_info_SamBaseInfo(user_info_dc, account_name, base, authenticated, &user_info_dc->info);
     791       82492 :         if (!NT_STATUS_IS_OK(status)) {
     792           0 :                 talloc_free(user_info_dc);
     793           0 :                 return status;
     794             :         }
     795             : 
     796       82492 :         if (dns_domainname != NULL) {
     797         288 :                 user_info_dc->info->dns_domain_name = talloc_strdup(user_info_dc->info,
     798             :                                                                     dns_domainname);
     799         288 :                 if (user_info_dc->info->dns_domain_name == NULL) {
     800           0 :                         talloc_free(user_info_dc);
     801           0 :                         return NT_STATUS_NO_MEMORY;
     802             :                 }
     803             :         }
     804             : 
     805       82492 :         if (principal != NULL) {
     806         288 :                 user_info_dc->info->user_principal_name = talloc_strdup(user_info_dc->info,
     807             :                                                                         principal);
     808         288 :                 if (user_info_dc->info->user_principal_name == NULL) {
     809           0 :                         talloc_free(user_info_dc);
     810           0 :                         return NT_STATUS_NO_MEMORY;
     811             :                 }
     812             :         }
     813             : 
     814             :         /* ensure we are never given NULL session keys */
     815             : 
     816       82492 :         if (all_zero(base->key.key, sizeof(base->key.key))) {
     817       82270 :                 user_info_dc->user_session_key = data_blob(NULL, 0);
     818             :         } else {
     819         222 :                 user_info_dc->user_session_key = data_blob_talloc(user_info_dc, base->key.key, sizeof(base->key.key));
     820         222 :                 if (user_info_dc->user_session_key.data == NULL) {
     821           0 :                         talloc_free(user_info_dc);
     822           0 :                         return NT_STATUS_NO_MEMORY;
     823             :                 }
     824             :         }
     825             : 
     826       82492 :         if (all_zero(base->LMSessKey.key, sizeof(base->LMSessKey.key))) {
     827       82280 :                 user_info_dc->lm_session_key = data_blob(NULL, 0);
     828             :         } else {
     829         212 :                 user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, base->LMSessKey.key, sizeof(base->LMSessKey.key));
     830         212 :                 if (user_info_dc->lm_session_key.data == NULL) {
     831           0 :                         talloc_free(user_info_dc);
     832           0 :                         return NT_STATUS_NO_MEMORY;
     833             :                 }
     834             :         }
     835             : 
     836       82492 :         *_user_info_dc = user_info_dc;
     837       82492 :         return NT_STATUS_OK;
     838             : }
     839             : 
     840             : /**
     841             :  * Make a user_info_dc struct from the PAC_LOGON_INFO supplied in the krb5
     842             :  * logon. For group_inclusion, pass AUTH_INCLUDE_RESOURCE_GROUPS if SIDs from
     843             :  * the resource groups are to be included in the resulting structure, and pass
     844             :  * AUTH_EXCLUDE_RESOURCE_GROUPS otherwise.
     845             :  */
     846       82118 : NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
     847             :                               const struct PAC_LOGON_INFO *pac_logon_info,
     848             :                               const struct PAC_UPN_DNS_INFO *pac_upn_dns_info,
     849             :                               const enum auth_group_inclusion group_inclusion,
     850             :                               struct auth_user_info_dc **_user_info_dc)
     851             : {
     852        2562 :         uint32_t i;
     853        2562 :         NTSTATUS nt_status;
     854        2562 :         union netr_Validation validation;
     855        2562 :         struct auth_user_info_dc *user_info_dc;
     856       82118 :         const struct PAC_DOMAIN_GROUP_MEMBERSHIP *rg = NULL;
     857        2562 :         size_t sidcount;
     858             : 
     859       82118 :         validation.sam3 = discard_const_p(struct netr_SamInfo3, &pac_logon_info->info3);
     860             : 
     861       82118 :         nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation,
     862             :                                                           true, /* This user was authenticated */
     863             :                                                           &user_info_dc);
     864       82118 :         if (!NT_STATUS_IS_OK(nt_status)) {
     865           0 :                 return nt_status;
     866             :         }
     867             : 
     868       82118 :         if (pac_logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS) {
     869       30441 :                 switch (group_inclusion) {
     870       30393 :                 case AUTH_INCLUDE_RESOURCE_GROUPS:
     871             :                         /* Take resource groups from the PAC. */
     872       30393 :                         rg = &pac_logon_info->resource_groups;
     873       30441 :                         break;
     874          48 :                 case AUTH_EXCLUDE_RESOURCE_GROUPS:
     875             :                         /*
     876             :                          * The PAC is from a TGT, or we don't want to process
     877             :                          * its resource groups.
     878             :                          */
     879          48 :                         break;
     880           0 :                 default:
     881           0 :                         DBG_ERR("invalid group inclusion parameter: %u\n", group_inclusion);
     882           0 :                         talloc_free(user_info_dc);
     883           0 :                         return NT_STATUS_INVALID_PARAMETER;
     884             :                 }
     885             :         }
     886             : 
     887       80329 :         if (rg != NULL && rg->groups.count > 0) {
     888             :                 /* The IDL layer would be a better place to check this, but to
     889             :                  * guard the integer addition below, we double-check */
     890       30393 :                 if (rg->groups.count > 65535) {
     891           0 :                         talloc_free(user_info_dc);
     892           0 :                         return NT_STATUS_INVALID_PARAMETER;
     893             :                 }
     894             : 
     895             :                 /*
     896             :                   Here is where we should check the list of
     897             :                   trusted domains, and verify that the SID
     898             :                   matches.
     899             :                 */
     900       30393 :                 if (rg->domain_sid == NULL) {
     901           0 :                         talloc_free(user_info_dc);
     902           0 :                         DEBUG(0, ("Cannot operate on a PAC without a resource domain SID\n"));
     903           0 :                         return NT_STATUS_INVALID_PARAMETER;
     904             :                 }
     905             : 
     906       30393 :                 sidcount = user_info_dc->num_sids + rg->groups.count;
     907       30393 :                 user_info_dc->sids
     908       30393 :                         = talloc_realloc(user_info_dc, user_info_dc->sids, struct auth_SidAttr, sidcount);
     909       30393 :                 if (user_info_dc->sids == NULL) {
     910           0 :                         TALLOC_FREE(user_info_dc);
     911           0 :                         return NT_STATUS_NO_MEMORY;
     912             :                 }
     913             : 
     914       60802 :                 for (i = 0; i < rg->groups.count; i++) {
     915         773 :                         bool ok;
     916             : 
     917       30409 :                         user_info_dc->sids[user_info_dc->num_sids].sid = *rg->domain_sid;
     918       31182 :                         ok = sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids].sid,
     919       30409 :                                             rg->groups.rids[i].rid);
     920       30409 :                         if (!ok) {
     921           0 :                                 talloc_free(user_info_dc);
     922           0 :                                 return NT_STATUS_INVALID_PARAMETER;
     923             :                         }
     924       30409 :                         user_info_dc->sids[user_info_dc->num_sids].attrs = rg->groups.rids[i].attributes;
     925       30409 :                         user_info_dc->num_sids++;
     926             :                 }
     927             :         }
     928             : 
     929       82118 :         if (pac_upn_dns_info != NULL) {
     930       82116 :                 if (pac_upn_dns_info->upn_name != NULL) {
     931      164232 :                         user_info_dc->info->user_principal_name =
     932       82116 :                                 talloc_strdup(user_info_dc->info,
     933       79556 :                                               pac_upn_dns_info->upn_name);
     934       82116 :                         if (user_info_dc->info->user_principal_name == NULL) {
     935           0 :                                 talloc_free(user_info_dc);
     936           0 :                                 return NT_STATUS_NO_MEMORY;
     937             :                         }
     938             :                 }
     939             : 
     940      164232 :                 user_info_dc->info->dns_domain_name =
     941       82116 :                         talloc_strdup(user_info_dc->info,
     942       82116 :                                       pac_upn_dns_info->dns_domain_name);
     943       82116 :                 if (user_info_dc->info->dns_domain_name == NULL) {
     944           0 :                         talloc_free(user_info_dc);
     945           0 :                         return NT_STATUS_NO_MEMORY;
     946             :                 }
     947             : 
     948       82116 :                 if (pac_upn_dns_info->flags & PAC_UPN_DNS_FLAG_CONSTRUCTED) {
     949       78439 :                         user_info_dc->info->user_principal_constructed = true;
     950             :                 }
     951             :         }
     952             : 
     953       82118 :         *_user_info_dc = user_info_dc;
     954       82118 :         return NT_STATUS_OK;
     955             : }

Generated by: LCOV version 1.14