ReactOS 0.4.15-dev-6068-g8061a6f
Functions
sam.c File Reference
#include "precomp.h"
#include "wine/debug.h"
Include dependency graph for sam.c:

Go to the source code of this file.

Functions

 WINE_DEFAULT_DEBUG_CHANNEL (msv1_0_sam)
 
static NTSTATUS GetAccountDomainSid (_In_ PRPC_SID *Sid)
 
static NTSTATUS MsvpCheckPassword (_In_ PLSA_SAM_PWD_DATA UserPwdData, _In_ PSAMPR_USER_INFO_BUFFER UserInfo)
 
static bool MsvpCheckLogonHours (_In_ PSAMPR_LOGON_HOURS LogonHours, _In_ LARGE_INTEGER LogonTime)
 
static bool MsvpCheckWorkstations (_In_ PRPC_UNICODE_STRING WorkStations, _In_ PWSTR ComputerName)
 
static NTSTATUS SamValidateNormalUser (_In_ PUNICODE_STRING UserName, _In_ PLSA_SAM_PWD_DATA PwdData, _In_ PUNICODE_STRING ComputerName, _Out_ PRPC_SID *AccountDomainSidPtr, _Out_ SAMPR_HANDLE *UserHandlePtr, _Out_ PSAMPR_USER_INFO_BUFFER *UserInfoPtr, _Out_ PNTSTATUS SubStatus)
 
static NTSTATUS GetNtAuthorityDomainSid (_In_ PRPC_SID *Sid)
 
NTSTATUS SamValidateUser (_In_ SECURITY_LOGON_TYPE LogonType, _In_ PUNICODE_STRING LogonUserName, _In_ PUNICODE_STRING LogonDomain, _In_ PLSA_SAM_PWD_DATA LogonPwdData, _In_ PUNICODE_STRING ComputerName, _Out_ PBOOL SpecialAccount, _Out_ PRPC_SID *AccountDomainSidPtr, _Out_ SAMPR_HANDLE *UserHandlePtr, _Out_ PSAMPR_USER_INFO_BUFFER *UserInfoPtr, _Out_ PNTSTATUS SubStatus)
 Validates a user by checking if it exists in the sam database. Some other checks are done further.
 

Function Documentation

◆ GetAccountDomainSid()

static NTSTATUS GetAccountDomainSid ( _In_ PRPC_SID Sid)
static

Definition at line 16 of file sam.c.

18{
19 LSAPR_HANDLE PolicyHandle = NULL;
20 PLSAPR_POLICY_INFORMATION PolicyInfo = NULL;
21 ULONG Length = 0;
22 NTSTATUS Status;
23
24 Status = LsaIOpenPolicyTrusted(&PolicyHandle);
25 if (!NT_SUCCESS(Status))
26 {
27 TRACE("LsaIOpenPolicyTrusted() failed (Status 0x%08lx)\n", Status);
28 return Status;
29 }
30
31 Status = LsarQueryInformationPolicy(PolicyHandle,
32 PolicyAccountDomainInformation,
33 &PolicyInfo);
34 if (!NT_SUCCESS(Status))
35 {
36 TRACE("LsarQueryInformationPolicy() failed (Status 0x%08lx)\n", Status);
37 goto done;
38 }
39
40 Length = RtlLengthSid(PolicyInfo->PolicyAccountDomainInfo.Sid);
41
42 *Sid = RtlAllocateHeap(RtlGetProcessHeap(), 0, Length);
43 if (*Sid == NULL)
44 {
45 ERR("Failed to allocate SID\n");
46 Status = STATUS_INSUFFICIENT_RESOURCES;
47 goto done;
48 }
49
50 memcpy(*Sid, PolicyInfo->PolicyAccountDomainInfo.Sid, Length);
51
52done:
53 if (PolicyInfo != NULL)
54 LsaIFree_LSAPR_POLICY_INFORMATION(PolicyAccountDomainInformation,
55 PolicyInfo);
56
57 if (PolicyHandle != NULL)
58 LsarClose(&PolicyHandle);
59
60 return Status;
61}
NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26
ERR
#define ERR(fmt,...)
Definition: debug.h:110
RtlAllocateHeap
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:588
NULL
#define NULL
Definition: types.h:112
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
LsaIOpenPolicyTrusted
NTSTATUS WINAPI LsaIOpenPolicyTrusted(OUT LSAPR_HANDLE *PolicyHandle)
Definition: policy.c:15
Status
Status
Definition: gdiplustypes.h:25
LsarClose
NTSTATUS WINAPI LsarClose(LSAPR_HANDLE *ObjectHandle)
Definition: lsarpc.c:125
LsarQueryInformationPolicy
NTSTATUS WINAPI LsarQueryInformationPolicy(LSAPR_HANDLE PolicyHandle, POLICY_INFORMATION_CLASS InformationClass, PLSAPR_POLICY_INFORMATION *PolicyInformation)
Definition: lsarpc.c:531
LsaIFree_LSAPR_POLICY_INFORMATION
VOID NTAPI LsaIFree_LSAPR_POLICY_INFORMATION(IN POLICY_INFORMATION_CLASS InformationClass, IN PLSAPR_POLICY_INFORMATION PolicyInformation)
Definition: lsasrv.c:51
memcpy
#define memcpy(s1, s2, n)
Definition: mkisofs.h:878
RtlLengthSid
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
Sid
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1133
Length
_In_ ULONG _In_ ULONG _In_ ULONG Length
Definition: ntddpcm.h:102
PolicyAccountDomainInformation
@ PolicyAccountDomainInformation
Definition: ntsecapi.h:247
TRACE
#define TRACE(s)
Definition: solgame.cpp:4
_LSAPR_POLICY_ACCOUNT_DOM_INFO::Sid
PRPC_SID Sid
Definition: msv1_0.h:247
ULONG
uint32_t ULONG
Definition: typedefs.h:59
STATUS_INSUFFICIENT_RESOURCES
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
_LSAPR_POLICY_INFORMATION
Definition: msv1_0.h:271
_LSAPR_POLICY_INFORMATION::PolicyAccountDomainInfo
LSAPR_POLICY_ACCOUNT_DOM_INFO PolicyAccountDomainInfo
Definition: msv1_0.h:276

Referenced by NetUserEnum(), NetUserGetGroups(), NetUserGetInfo(), NetUserGetLocalGroups(), NetUserModalsGet(), and SamValidateNormalUser().

◆ GetNtAuthorityDomainSid()

static NTSTATUS GetNtAuthorityDomainSid ( _In_ PRPC_SID Sid)
static

Definition at line 439 of file sam.c.

441{
442 SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY};
443 ULONG Length = 0;
444
445 Length = RtlLengthRequiredSid(0);
446 *Sid = RtlAllocateHeap(RtlGetProcessHeap(), 0, Length);
447 if (*Sid == NULL)
448 {
449 ERR("Failed to allocate SID\n");
450 return STATUS_INSUFFICIENT_RESOURCES;
451 }
452
453 RtlInitializeSid(*Sid,&NtAuthority, 0);
454
455 return STATUS_SUCCESS;
456}
NtAuthority
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: security.c:40
RtlLengthRequiredSid
NTSYSAPI ULONG NTAPI RtlLengthRequiredSid(IN ULONG SubAuthorityCount)
Definition: sid.c:54
RtlInitializeSid
NTSYSAPI NTSTATUS NTAPI RtlInitializeSid(IN OUT PSID Sid, IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount)
STATUS_SUCCESS
#define STATUS_SUCCESS
Definition: shellext.h:65
_SID_IDENTIFIER_AUTHORITY
Definition: ms-dtyp.idl:194
SECURITY_NT_AUTHORITY
#define SECURITY_NT_AUTHORITY
Definition: setypes.h:554

Referenced by SamValidateUser().

◆ MsvpCheckLogonHours()

static bool MsvpCheckLogonHours ( _In_ PSAMPR_LOGON_HOURS  LogonHours,
_In_ LARGE_INTEGER  LogonTime 
)
static

Definition at line 157 of file sam.c.

160{
161#if 0
162 LARGE_INTEGER LocalLogonTime;
163 TIME_FIELDS TimeFields;
164 USHORT MinutesPerUnit, Offset;
165 bool bFound;
166
167 FIXME("MsvpCheckLogonHours(%p %llx)\n", LogonHours, LogonTime);
168
169 if (LogonHours->UnitsPerWeek == 0 || LogonHours->LogonHours == NULL)
170 {
171 FIXME("No logon hours!\n");
172 return true;
173 }
174
175 RtlSystemTimeToLocalTime(&LogonTime, &LocalLogonTime);
176 RtlTimeToTimeFields(&LocalLogonTime, &TimeFields);
177
178 FIXME("UnitsPerWeek: %u\n", LogonHours->UnitsPerWeek);
179 MinutesPerUnit = 10080 / LogonHours->UnitsPerWeek;
180
181 Offset = ((TimeFields.Weekday * 24 + TimeFields.Hour) * 60 + TimeFields.Minute) / MinutesPerUnit;
182 FIXME("Offset: %us\n", Offset);
183
184 bFound = (bool)(LogonHours->LogonHours[Offset / 8] & (1 << (Offset % 8)));
185 FIXME("Logon permitted: %s\n", bFound ? "Yes" : "No");
186
187 return bFound;
188#endif
189 return true;
190}
FIXME
#define FIXME(fmt,...)
Definition: debug.h:111
RtlTimeToTimeFields
BOOLEAN RtlTimeToTimeFields(IN PLARGE_INTEGER Time, IN PTIME_FIELDS TimeFields)
Definition: env_spec_w32.cpp:895
TimeFields
static PTIME_FIELDS TimeFields
Definition: time.c:104
RtlSystemTimeToLocalTime
NTSYSAPI NTSTATUS NTAPI RtlSystemTimeToLocalTime(_In_ PLARGE_INTEGER SystemTime, _Out_ PLARGE_INTEGER LocalTime)
bool
#define bool
Definition: nsiface.idl:72
Offset
_In_ ULONG _In_ ULONG Offset
Definition: ntddpcm.h:101
USHORT
unsigned short USHORT
Definition: pedump.c:61
_TIME_FIELDS
Definition: env_spec_w32.h:710
_TIME_FIELDS::Minute
USHORT Minute
Definition: env_spec_w32.h:715
_TIME_FIELDS::Weekday
USHORT Weekday
Definition: env_spec_w32.h:718
_TIME_FIELDS::Hour
USHORT Hour
Definition: env_spec_w32.h:714
_LARGE_INTEGER
Definition: typedefs.h:103

Referenced by SamValidateNormalUser().

◆ MsvpCheckPassword()

static NTSTATUS MsvpCheckPassword ( _In_ PLSA_SAM_PWD_DATA  UserPwdData,
_In_ PSAMPR_USER_INFO_BUFFER  UserInfo 
)
static

Definition at line 66 of file sam.c.

69{
70 ENCRYPTED_NT_OWF_PASSWORD UserNtPassword;
71 ENCRYPTED_LM_OWF_PASSWORD UserLmPassword;
72 BOOLEAN UserLmPasswordPresent = FALSE;
73 BOOLEAN UserNtPasswordPresent = FALSE;
74 OEM_STRING LmPwdString;
75 CHAR LmPwdBuffer[15];
76 NTSTATUS Status;
77
78 TRACE("(%p %p)\n", UserPwdData, UserInfo);
79
80 /* Calculate the LM password and hash for the users password */
81 LmPwdString.Length = 15;
82 LmPwdString.MaximumLength = 15;
83 LmPwdString.Buffer = LmPwdBuffer;
84 ZeroMemory(LmPwdString.Buffer, LmPwdString.MaximumLength);
85
86 Status = RtlUpcaseUnicodeStringToOemString(&LmPwdString,
87 UserPwdData->PlainPwd,
88 FALSE);
89 if (NT_SUCCESS(Status))
90 {
91 /* Calculate the LM hash value of the users password */
92 Status = SystemFunction006(LmPwdString.Buffer,
93 (LPSTR)&UserLmPassword);
94 if (NT_SUCCESS(Status))
95 {
96 UserLmPasswordPresent = TRUE;
97 }
98 }
99
100 /* Calculate the NT hash of the users password */
101 Status = SystemFunction007(UserPwdData->PlainPwd,
102 (LPBYTE)&UserNtPassword);
103 if (NT_SUCCESS(Status))
104 {
105 UserNtPasswordPresent = TRUE;
106 }
107
108 Status = STATUS_WRONG_PASSWORD;
109
110 /* Succeed, if no password has been set */
111 if (UserInfo->All.NtPasswordPresent == FALSE &&
112 UserInfo->All.LmPasswordPresent == FALSE)
113 {
114 TRACE("No password check!\n");
115 Status = STATUS_SUCCESS;
116 goto done;
117 }
118
119 /* Succeed, if NT password matches */
120 if (UserNtPasswordPresent && UserInfo->All.NtPasswordPresent)
121 {
122 TRACE("Check NT password hashes:\n");
123 if (RtlEqualMemory(&UserNtPassword,
124 UserInfo->All.NtOwfPassword.Buffer,
125 sizeof(ENCRYPTED_NT_OWF_PASSWORD)))
126 {
127 TRACE(" success!\n");
128 Status = STATUS_SUCCESS;
129 goto done;
130 }
131
132 TRACE(" failed!\n");
133 }
134
135 /* Succeed, if LM password matches */
136 if (UserLmPasswordPresent && UserInfo->All.LmPasswordPresent)
137 {
138 TRACE("Check LM password hashes:\n");
139 if (RtlEqualMemory(&UserLmPassword,
140 UserInfo->All.LmOwfPassword.Buffer,
141 sizeof(ENCRYPTED_LM_OWF_PASSWORD)))
142 {
143 TRACE(" success!\n");
144 Status = STATUS_SUCCESS;
145 goto done;
146 }
147 TRACE(" failed!\n");
148 }
149
150done:
151 return Status;
152}
BOOLEAN
unsigned char BOOLEAN
Definition: ProcessorBind.h:185
TRUE
#define TRUE
Definition: types.h:120
FALSE
#define FALSE
Definition: types.h:117
SystemFunction006
NTSTATUS WINAPI SystemFunction006(LPCSTR password, LPSTR hash)
Definition: crypt_lmhash.c:53
RtlEqualMemory
#define RtlEqualMemory(a, b, c)
Definition: kdvm.h:18
RtlUpcaseUnicodeStringToOemString
NTSYSAPI NTSTATUS NTAPI RtlUpcaseUnicodeStringToOemString(POEM_STRING DestinationString, PCUNICODE_STRING SourceString, BOOLEAN AllocateDestinationString)
STATUS_WRONG_PASSWORD
#define STATUS_WRONG_PASSWORD
Definition: ntstatus.h:342
_ENCRYPTED_LM_OWF_PASSWORD
Definition: msv1_0.h:50
SystemFunction007
NTSTATUS WINAPI SystemFunction007(const UNICODE_STRING *string, LPBYTE hash)
Definition: sysfunc.c:245
LPBYTE
unsigned char * LPBYTE
Definition: typedefs.h:53
OEM_STRING
STRING OEM_STRING
Definition: umtypes.h:203
ZeroMemory
#define ZeroMemory
Definition: winbase.h:1670
LPSTR
char * LPSTR
Definition: xmlstorage.h:182
CHAR
char CHAR
Definition: xmlstorage.h:175

Referenced by SamValidateNormalUser().

◆ MsvpCheckWorkstations()

static bool MsvpCheckWorkstations ( _In_ PRPC_UNICODE_STRING  WorkStations,
_In_ PWSTR  ComputerName 
)
static

Definition at line 195 of file sam.c.

198{
199 PWSTR pStart, pEnd;
200 bool bFound = false;
201
202 TRACE("MsvpCheckWorkstations(%p %S)\n", WorkStations, ComputerName);
203
204 if (WorkStations->Length == 0 || WorkStations->Buffer == NULL)
205 {
206 TRACE("No workstations!\n");
207 return true;
208 }
209
210 TRACE("Workstations: %wZ\n", WorkStations);
211
212 pStart = WorkStations->Buffer;
213 for (;;)
214 {
215 pEnd = wcschr(pStart, L',');
216 if (pEnd != NULL)
217 *pEnd = UNICODE_NULL;
218
219 TRACE("Comparing '%S' and '%S'\n", ComputerName, pStart);
220 if (_wcsicmp(ComputerName, pStart) == 0)
221 {
222 bFound = true;
223 if (pEnd != NULL)
224 *pEnd = L',';
225 break;
226 }
227
228 if (pEnd == NULL)
229 break;
230
231 *pEnd = L',';
232 pStart = pEnd + 1;
233 }
234
235 TRACE("Found allowed workstation: %s\n", (bFound) ? "Yes" : "No");
236
237 return bFound;
238}
wcschr
#define wcschr
Definition: compat.h:17
UNICODE_NULL
#define UNICODE_NULL
L
#define L(x)
Definition: ntvdm.h:50
_wcsicmp
_Check_return_ _CRTIMP int __cdecl _wcsicmp(_In_z_ const wchar_t *_Str1, _In_z_ const wchar_t *_Str2)
PWSTR
uint16_t * PWSTR
Definition: typedefs.h:56

Referenced by SamValidateNormalUser().

◆ SamValidateNormalUser()

static NTSTATUS SamValidateNormalUser ( _In_ PUNICODE_STRING  UserName,
_In_ PLSA_SAM_PWD_DATA  PwdData,
_In_ PUNICODE_STRING  ComputerName,
_Out_ PRPC_SID AccountDomainSidPtr,
_Out_ SAMPR_HANDLE UserHandlePtr,
_Out_ PSAMPR_USER_INFO_BUFFER UserInfoPtr,
_Out_ PNTSTATUS  SubStatus 
)
static

Definition at line 243 of file sam.c.

251{
252 NTSTATUS Status;
253 SAMPR_HANDLE ServerHandle = NULL;
254 SAMPR_HANDLE DomainHandle = NULL;
255 PRPC_SID AccountDomainSid;
256 RPC_UNICODE_STRING Names[1];
257 SAMPR_HANDLE UserHandle = NULL;
258 SAMPR_ULONG_ARRAY RelativeIds = {0, NULL};
259 SAMPR_ULONG_ARRAY Use = {0, NULL};
260 PSAMPR_USER_INFO_BUFFER UserInfo = NULL;
261 LARGE_INTEGER LogonTime;
262
263 /* Get the logon time */
264 NtQuerySystemTime(&LogonTime);
265
266 /* Get the account domain SID */
267 Status = GetAccountDomainSid(&AccountDomainSid);
268 if (!NT_SUCCESS(Status))
269 {
270 ERR("GetAccountDomainSid() failed (Status 0x%08lx)\n", Status);
271 return Status;
272 }
273
274 /* Connect to the SAM server */
275 Status = SamIConnect(NULL, &ServerHandle, SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN, TRUE);
276 if (!NT_SUCCESS(Status))
277 {
278 TRACE("SamIConnect() failed (Status 0x%08lx)\n", Status);
279 goto done;
280 }
281
282 /* Open the account domain */
283 Status = SamrOpenDomain(ServerHandle, DOMAIN_LOOKUP, AccountDomainSid, &DomainHandle);
284 if (!NT_SUCCESS(Status))
285 {
286 ERR("SamrOpenDomain failed (Status %08lx)\n", Status);
287 goto done;
288 }
289
290 Names[0].Length = UserName->Length;
291 Names[0].MaximumLength = UserName->MaximumLength;
292 Names[0].Buffer = UserName->Buffer;
293
294 /* Try to get the RID for the user name */
295 Status = SamrLookupNamesInDomain(DomainHandle, 1, Names, &RelativeIds, &Use);
296 if (!NT_SUCCESS(Status))
297 {
298 ERR("SamrLookupNamesInDomain failed (Status %08lx)\n", Status);
299 Status = STATUS_NO_SUCH_USER;
300 // FIXME: Try without domain?
301 goto done;
302 }
303
304 /* Fail, if it is not a user account */
305 if (Use.Element[0] != SidTypeUser)
306 {
307 ERR("Account is not a user account!\n");
308 Status = STATUS_NO_SUCH_USER;
309 goto done;
310 }
311
312 /* Open the user object */
313 Status = SamrOpenUser(DomainHandle,
314 USER_READ_GENERAL | USER_READ_LOGON |
315 USER_READ_ACCOUNT | USER_READ_PREFERENCES, /* FIXME */
316 RelativeIds.Element[0],
317 &UserHandle);
318 if (!NT_SUCCESS(Status))
319 {
320 ERR("SamrOpenUser failed (Status %08lx)\n", Status);
321 goto done;
322 }
323
324 Status = SamrQueryInformationUser(UserHandle, UserAllInformation, &UserInfo);
325 if (!NT_SUCCESS(Status))
326 {
327 ERR("SamrQueryInformationUser failed (Status %08lx)\n", Status);
328 goto done;
329 }
330
331 TRACE("UserName: %wZ\n", &UserInfo->All.UserName);
332
333 /* Check the password */
334 if ((UserInfo->All.UserAccountControl & USER_PASSWORD_NOT_REQUIRED) == 0)
335 {
336 Status = MsvpCheckPassword(PwdData, UserInfo);
337 if (!NT_SUCCESS(Status))
338 {
339 ERR("MsvpCheckPassword failed (Status %08lx)\n", Status);
340 goto done;
341 }
342 }
343
344 /* Check account restrictions for non-administrator accounts */
345 if (RelativeIds.Element[0] != DOMAIN_USER_RID_ADMIN)
346 {
347 /* Check if the account has been disabled */
348 if (UserInfo->All.UserAccountControl & USER_ACCOUNT_DISABLED)
349 {
350 ERR("Account disabled!\n");
351 *SubStatus = STATUS_ACCOUNT_DISABLED;
352 Status = STATUS_ACCOUNT_RESTRICTION;
353 goto done;
354 }
355
356 /* Check if the account has been locked */
357 if (UserInfo->All.UserAccountControl & USER_ACCOUNT_AUTO_LOCKED)
358 {
359 ERR("Account locked!\n");
360 *SubStatus = STATUS_ACCOUNT_LOCKED_OUT;
361 Status = STATUS_ACCOUNT_RESTRICTION;
362 goto done;
363 }
364
365 /* Check if the account expired */
366 if (LogonTime.QuadPart >= *(UINT64*)&UserInfo->All.AccountExpires)
367 {
368 ERR("Account expired!\n");
369 *SubStatus = STATUS_ACCOUNT_EXPIRED;
370 Status = STATUS_ACCOUNT_RESTRICTION;
371 goto done;
372 }
373
374 /* Check if the password expired */
375 if (LogonTime.QuadPart >= *(UINT64*)&UserInfo->All.PasswordMustChange)
376 {
377 ERR("Password expired!\n");
378 if (*(UINT64*)&UserInfo->All.PasswordLastSet == 0)
379 *SubStatus = STATUS_PASSWORD_MUST_CHANGE;
380 else
381 *SubStatus = STATUS_PASSWORD_EXPIRED;
382
383 Status = STATUS_ACCOUNT_RESTRICTION;
384 goto done;
385 }
386
387 /* Check logon hours */
388 if (!MsvpCheckLogonHours(&UserInfo->All.LogonHours, LogonTime))
389 {
390 ERR("Invalid logon hours!\n");
391 *SubStatus = STATUS_INVALID_LOGON_HOURS;
392 Status = STATUS_ACCOUNT_RESTRICTION;
393 goto done;
394 }
395
396 /* Check workstations */
397 if (!MsvpCheckWorkstations(&UserInfo->All.WorkStations, ComputerName->Buffer))
398 {
399 ERR("Invalid workstation!\n");
400 *SubStatus = STATUS_INVALID_WORKSTATION;
401 Status = STATUS_ACCOUNT_RESTRICTION;
402 goto done;
403 }
404 }
405done:
406 if (NT_SUCCESS(Status))
407 {
408 *UserHandlePtr = UserHandle;
409 *AccountDomainSidPtr = AccountDomainSid;
410 *UserInfoPtr = UserInfo;
411 }
412 else
413 {
414 if (AccountDomainSid != NULL)
415 RtlFreeHeap(RtlGetProcessHeap(), 0, AccountDomainSid);
416
417 if (UserHandle != NULL)
418 SamrCloseHandle(&UserHandle);
419
420 SamIFree_SAMPR_USER_INFO_BUFFER(UserInfo,
421 UserAllInformation);
422 }
423
424 SamIFree_SAMPR_ULONG_ARRAY(&RelativeIds);
425 SamIFree_SAMPR_ULONG_ARRAY(&Use);
426
427 if (DomainHandle != NULL)
428 SamrCloseHandle(&DomainHandle);
429
430 if (ServerHandle != NULL)
431 SamrCloseHandle(&ServerHandle);
432
433 return Status;
434}
UINT64
unsigned long long UINT64
Definition: ProcessorBind.h:155
Names
PWSTR Names[]
Definition: RtlGenerate8dot3Name.c:34
SamrOpenDomain
NTSTATUS __stdcall SamrOpenDomain(SAMPR_HANDLE ServerHandle, ACCESS_MASK DesiredAccess, PRPC_SID DomainId, SAMPR_HANDLE *DomainHandle)
SamIFree_SAMPR_ULONG_ARRAY
VOID NTAPI SamIFree_SAMPR_ULONG_ARRAY(PSAMPR_ULONG_ARRAY Ptr)
Definition: samsrv.c:524
SamrCloseHandle
NTSTATUS __stdcall SamrCloseHandle(SAMPR_HANDLE *SamHandle)
SamIConnect
NTSTATUS NTAPI SamIConnect(PSAMPR_SERVER_NAME ServerName, SAMPR_HANDLE *ServerHandle, ACCESS_MASK DesiredAccess, BOOLEAN Trusted)
RtlFreeHeap
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:606
AccountDomainSid
PSID AccountDomainSid
Definition: database.c:24
SamrLookupNamesInDomain
NTSTATUS NTAPI SamrLookupNamesInDomain(IN SAMPR_HANDLE DomainHandle, IN ULONG Count, IN RPC_UNICODE_STRING Names[], OUT PSAMPR_ULONG_ARRAY RelativeIds, OUT PSAMPR_ULONG_ARRAY Use)
Definition: samrpc.c:3464
SidTypeUser
@ SidTypeUser
Definition: lsa.idl:118
SamIFree_SAMPR_USER_INFO_BUFFER
VOID NTAPI SamIFree_SAMPR_USER_INFO_BUFFER(PSAMPR_USER_INFO_BUFFER Ptr, USER_INFORMATION_CLASS InformationClass)
Definition: samsrv.c:540
SamrOpenUser
NTSTATUS NTAPI SamrOpenUser(IN SAMPR_HANDLE DomainHandle, IN ACCESS_MASK DesiredAccess, IN ULONG UserId, OUT SAMPR_HANDLE *UserHandle)
SamrQueryInformationUser
NTSTATUS NTAPI SamrQueryInformationUser(IN SAMPR_HANDLE UserHandle, IN USER_INFORMATION_CLASS UserInformationClass, OUT PSAMPR_USER_INFO_BUFFER *Buffer)
Definition: samrpc.c:7234
SubStatus
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE _Out_ PQUOTA_LIMITS _Out_ PNTSTATUS SubStatus
Definition: ntifs.template.h:719
NtQuerySystemTime
NTSTATUS NTAPI NtQuerySystemTime(OUT PLARGE_INTEGER SystemTime)
Definition: time.c:472
USER_READ_GENERAL
#define USER_READ_GENERAL
Definition: ntsam.h:126
USER_READ_LOGON
#define USER_READ_LOGON
Definition: ntsam.h:129
DOMAIN_LOOKUP
#define DOMAIN_LOOKUP
Definition: ntsam.h:42
USER_PASSWORD_NOT_REQUIRED
#define USER_PASSWORD_NOT_REQUIRED
Definition: ntsam.h:169
USER_READ_PREFERENCES
#define USER_READ_PREFERENCES
Definition: ntsam.h:127
USER_READ_ACCOUNT
#define USER_READ_ACCOUNT
Definition: ntsam.h:130
SAM_SERVER_LOOKUP_DOMAIN
#define SAM_SERVER_LOOKUP_DOMAIN
Definition: ntsam.h:104
UserAllInformation
@ UserAllInformation
Definition: ntsam.h:534
SAM_SERVER_CONNECT
#define SAM_SERVER_CONNECT
Definition: ntsam.h:99
USER_ACCOUNT_AUTO_LOCKED
#define USER_ACCOUNT_AUTO_LOCKED
Definition: ntsam.h:177
USER_ACCOUNT_DISABLED
#define USER_ACCOUNT_DISABLED
Definition: ntsam.h:167
STATUS_INVALID_LOGON_HOURS
#define STATUS_INVALID_LOGON_HOURS
Definition: ntstatus.h:347
STATUS_ACCOUNT_DISABLED
#define STATUS_ACCOUNT_DISABLED
Definition: ntstatus.h:350
STATUS_NO_SUCH_USER
#define STATUS_NO_SUCH_USER
Definition: ntstatus.h:336
STATUS_PASSWORD_MUST_CHANGE
#define STATUS_PASSWORD_MUST_CHANGE
Definition: ntstatus.h:680
STATUS_PASSWORD_EXPIRED
#define STATUS_PASSWORD_EXPIRED
Definition: ntstatus.h:349
STATUS_INVALID_WORKSTATION
#define STATUS_INVALID_WORKSTATION
Definition: ntstatus.h:348
STATUS_ACCOUNT_EXPIRED
#define STATUS_ACCOUNT_EXPIRED
Definition: ntstatus.h:636
STATUS_ACCOUNT_LOCKED_OUT
#define STATUS_ACCOUNT_LOCKED_OUT
Definition: ntstatus.h:696
STATUS_ACCOUNT_RESTRICTION
#define STATUS_ACCOUNT_RESTRICTION
Definition: ntstatus.h:346
MsvpCheckWorkstations
static bool MsvpCheckWorkstations(_In_ PRPC_UNICODE_STRING WorkStations, _In_ PWSTR ComputerName)
Definition: sam.c:195
GetAccountDomainSid
static NTSTATUS GetAccountDomainSid(_In_ PRPC_SID *Sid)
Definition: sam.c:16
MsvpCheckPassword
static NTSTATUS MsvpCheckPassword(_In_ PLSA_SAM_PWD_DATA UserPwdData, _In_ PSAMPR_USER_INFO_BUFFER UserInfo)
Definition: sam.c:66
MsvpCheckLogonHours
static bool MsvpCheckLogonHours(_In_ PSAMPR_LOGON_HOURS LogonHours, _In_ LARGE_INTEGER LogonTime)
Definition: sam.c:157
_RPC_SID
Definition: msv1_0.h:13
_RPC_UNICODE_STRING
Definition: msv1_0.h:21
_RPC_UNICODE_STRING::Buffer
wchar_t * Buffer
Definition: msv1_0.h:24
_SAMPR_ULONG_ARRAY
Definition: lsasrv.h:86
_SAMPR_ULONG_ARRAY::Element
unsigned long * Element
Definition: lsasrv.h:88
_SAMPR_USER_ALL_INFORMATION::PasswordMustChange
OLD_LARGE_INTEGER PasswordMustChange
Definition: msv1_0.h:85
_SAMPR_USER_ALL_INFORMATION::PasswordLastSet
OLD_LARGE_INTEGER PasswordLastSet
Definition: msv1_0.h:82
_SAMPR_USER_ALL_INFORMATION::UserName
RPC_UNICODE_STRING UserName
Definition: msv1_0.h:86
_SAMPR_USER_ALL_INFORMATION::LogonHours
SAMPR_LOGON_HOURS LogonHours
Definition: msv1_0.h:104
_SAMPR_USER_ALL_INFORMATION::AccountExpires
OLD_LARGE_INTEGER AccountExpires
Definition: msv1_0.h:83
_SAMPR_USER_ALL_INFORMATION::UserAccountControl
unsigned long UserAccountControl
Definition: msv1_0.h:102
_SAMPR_USER_ALL_INFORMATION::WorkStations
RPC_UNICODE_STRING WorkStations
Definition: msv1_0.h:93
_LARGE_INTEGER::QuadPart
LONGLONG QuadPart
Definition: typedefs.h:114
_SAMPR_USER_INFO_BUFFER
Definition: msv1_0.h:116
_SAMPR_USER_INFO_BUFFER::All
SAMPR_USER_ALL_INFORMATION All
Definition: msv1_0.h:141
DOMAIN_USER_RID_ADMIN
#define DOMAIN_USER_RID_ADMIN
Definition: setypes.h:631

Referenced by SamValidateUser().

◆ SamValidateUser()

NTSTATUS SamValidateUser ( _In_ SECURITY_LOGON_TYPE  LogonType,
_In_ PUNICODE_STRING  LogonUserName,
_In_ PUNICODE_STRING  LogonDomain,
_In_ PLSA_SAM_PWD_DATA  LogonPwdData,
_In_ PUNICODE_STRING  ComputerName,
_Out_ PBOOL  SpecialAccount,
_Out_ PRPC_SID AccountDomainSidPtr,
_Out_ SAMPR_HANDLE UserHandlePtr,
_Out_ PSAMPR_USER_INFO_BUFFER UserInfoPtr,
_Out_ PNTSTATUS  SubStatus 
)

Validates a user by checking if it exists in the sam database. Some other checks are done further.

Definition at line 460 of file sam.c.

471{
472 static const UNICODE_STRING NtAuthorityU = RTL_CONSTANT_STRING(L"NT AUTHORITY");
473 static const UNICODE_STRING LocalServiceU = RTL_CONSTANT_STRING(L"LocalService");
474 static const UNICODE_STRING NetworkServiceU = RTL_CONSTANT_STRING(L"NetworkService");
475
476 NTSTATUS Status = STATUS_SUCCESS;
477
478 *SpecialAccount = FALSE;
479 *UserInfoPtr = NULL;
480 *SubStatus = STATUS_SUCCESS;
481
482 /* Check for special accounts */
483 // FIXME: Windows does not do this that way!! (msv1_0 does not contain these hardcoded values)
484 if (RtlEqualUnicodeString(LogonDomain, &NtAuthorityU, TRUE))
485 {
486 *SpecialAccount = TRUE;
487
488 /* Get the authority domain SID */
489 Status = GetNtAuthorityDomainSid(AccountDomainSidPtr);
490 if (!NT_SUCCESS(Status))
491 {
492 ERR("GetNtAuthorityDomainSid() failed (Status 0x%08lx)\n", Status);
493 return Status;
494 }
495
496 if (RtlEqualUnicodeString(LogonUserName, &LocalServiceU, TRUE))
497 {
498 TRACE("SpecialAccount: LocalService\n");
499
500 if (LogonType != Service)
501 return STATUS_LOGON_FAILURE;
502
503 *UserInfoPtr = RtlAllocateHeap(RtlGetProcessHeap(),
504 HEAP_ZERO_MEMORY,
505 sizeof(SAMPR_USER_ALL_INFORMATION));
506 if (*UserInfoPtr == NULL)
507 return STATUS_INSUFFICIENT_RESOURCES;
508
509 (*UserInfoPtr)->All.UserId = SECURITY_LOCAL_SERVICE_RID;
510 (*UserInfoPtr)->All.PrimaryGroupId = SECURITY_LOCAL_SERVICE_RID;
511 }
512 else if (RtlEqualUnicodeString(LogonUserName, &NetworkServiceU, TRUE))
513 {
514 TRACE("SpecialAccount: NetworkService\n");
515
516 if (LogonType != Service)
517 return STATUS_LOGON_FAILURE;
518
519 *UserInfoPtr = RtlAllocateHeap(RtlGetProcessHeap(),
520 HEAP_ZERO_MEMORY,
521 sizeof(SAMPR_USER_ALL_INFORMATION));
522 if (*UserInfoPtr == NULL)
523 return STATUS_INSUFFICIENT_RESOURCES;
524
525 (*UserInfoPtr)->All.UserId = SECURITY_NETWORK_SERVICE_RID;
526 (*UserInfoPtr)->All.PrimaryGroupId = SECURITY_NETWORK_SERVICE_RID;
527 }
528 else
529 {
530 return STATUS_NO_SUCH_USER;
531 }
532 }
533 else
534 {
535 TRACE("NormalAccount\n");
536 Status = SamValidateNormalUser(LogonUserName,
537 LogonPwdData,
538 ComputerName,
539 AccountDomainSidPtr,
540 UserHandlePtr,
541 UserInfoPtr,
542 SubStatus);
543 if (!NT_SUCCESS(Status))
544 {
545 ERR("SamValidateNormalUser() failed (Status 0x%08lx)\n", Status);
546 return Status;
547 }
548 }
549
550 return Status;
551}
HEAP_ZERO_MEMORY
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
RtlEqualUnicodeString
NTSYSAPI BOOLEAN NTAPI RtlEqualUnicodeString(PUNICODE_STRING String1, PUNICODE_STRING String2, BOOLEAN CaseInSensitive)
LogonType
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE LogonType
Definition: ntifs.template.h:708
Service
@ Service
Definition: ntsecapi.h:292
STATUS_LOGON_FAILURE
#define STATUS_LOGON_FAILURE
Definition: ntstatus.h:345
GetNtAuthorityDomainSid
static NTSTATUS GetNtAuthorityDomainSid(_In_ PRPC_SID *Sid)
Definition: sam.c:439
SamValidateNormalUser
static NTSTATUS SamValidateNormalUser(_In_ PUNICODE_STRING UserName, _In_ PLSA_SAM_PWD_DATA PwdData, _In_ PUNICODE_STRING ComputerName, _Out_ PRPC_SID *AccountDomainSidPtr, _Out_ SAMPR_HANDLE *UserHandlePtr, _Out_ PSAMPR_USER_INFO_BUFFER *UserInfoPtr, _Out_ PNTSTATUS SubStatus)
Definition: sam.c:243
_SAMPR_USER_ALL_INFORMATION
Definition: msv1_0.h:79
_UNICODE_STRING
Definition: env_spec_w32.h:368
RTL_CONSTANT_STRING
#define RTL_CONSTANT_STRING(s)
Definition: tunneltest.c:14
SECURITY_LOCAL_SERVICE_RID
#define SECURITY_LOCAL_SERVICE_RID
Definition: setypes.h:575
SECURITY_NETWORK_SERVICE_RID
#define SECURITY_NETWORK_SERVICE_RID
Definition: setypes.h:576

Referenced by LsaApLogonUserEx2(), and LsaApLogonUserEx2_Network().

◆ WINE_DEFAULT_DEBUG_CHANNEL()

WINE_DEFAULT_DEBUG_CHANNEL ( msv1_0_sam  )