summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2013-03-26 16:09:19 -0500
committerTimothy Pearson <kb9vqf@pearsoncomputing.net>2013-03-26 16:09:19 -0500
commit89682db9a2259e15a88423b87e33b6dd504206d9 (patch)
treeacc9cfc4876efe76a7ce64c49a4c92becb75e06b
parent6610cd15cf186fe1f8e82628f6f12aa2c490bac2 (diff)
downloadwindows-ldap-integration-89682db9a2259e15a88423b87e33b6dd504206d9.tar.gz
windows-ldap-integration-89682db9a2259e15a88423b87e33b6dd504206d9.zip
Fix crashes
Fix incorrect LDAP attributes Fix local backdoor Fix build warnings Allow configured groups to become machine local administrators Fix workstation unlock
-rwxr-xr-xsc-ap/ldap1.cpp18
-rwxr-xr-xsc-ap/manageUser.cpp340
-rwxr-xr-xsc-ap/manageUser.h2
-rwxr-xr-xsc-ap/netusergroup.cpp55
-rwxr-xr-xsc-ap/netusergroup.h115
-rwxr-xr-xsc-ap/sspap3.cpp647
-rwxr-xr-xsc-ap/sspap3.sln28
-rwxr-xr-xsc-ap/utility.cpp4
8 files changed, 719 insertions, 490 deletions
diff --git a/sc-ap/ldap1.cpp b/sc-ap/ldap1.cpp
index 435c210..08b5eda 100755
--- a/sc-ap/ldap1.cpp
+++ b/sc-ap/ldap1.cpp
@@ -122,31 +122,37 @@ CLDAP::CLDAP( const std::list<mystring>& servers, FILE *fp, const mystring& bind
lp = ldap_init( (const PWCHAR) ptr->c_str(), LDAP_PORT);
ULONG version = LDAP_VERSION3;
if (!lp) {
- fprintf( fp, "ldap_init error on server %S\n", ptr->c_str());
+ if (fp) {
+ fprintf( fp, "ldap_init error on server %S\n", ptr->c_str());
+ }
continue;
}
int ret = ldap_set_option( lp, LDAP_OPT_VERSION, &version);
if (ret != LDAP_SUCCESS) {
- fprintf( fp, "ldap_set_option error %x on server %S\n", ret, ptr->c_str());
- ldap_unbind( lp);
- continue;
+ if (fp) {
+ fprintf( fp, "ldap_set_option error %x on server %S\n", ret, ptr->c_str());
+ }
+ ldap_unbind( lp);
+ continue;
}
if (binddn == L"" || bindpasswd == L"") {
ret = ldap_simple_bind_s( lp, NULL, NULL);
if (LDAP_SUCCESS != ret) {
- if (fp)
+ if (fp) {
fprintf( fp, "anonymous ldap_simple_bind_s error %x on server %S\n", ret, ptr->c_str());
+ }
ldap_unbind( lp);
lp = NULL;
}
} else {
ret = ldap_simple_bind_s( lp, (PWCHAR) binddn.c_str(), (PWCHAR) bindpasswd.c_str());
if (LDAP_SUCCESS != ret) {
- if (fp)
+ if (fp) {
fprintf( fp, "ldap_simple_bind_s error %x on server %S, basedn %S, passwd %S\n",
ret, ptr->c_str(), binddn.c_str(), bindpasswd.c_str());
+ }
ldap_unbind( lp);
lp = NULL;
}
diff --git a/sc-ap/manageUser.cpp b/sc-ap/manageUser.cpp
index 395bfae..017f355 100755
--- a/sc-ap/manageUser.cpp
+++ b/sc-ap/manageUser.cpp
@@ -1,159 +1,181 @@
-/*
- $Id: manageUser.cpp,v 1.1.1.1 2005/07/07 15:05:59 oflebbe Exp $
-
- Copyright (C) 2003 Olaf Flebbe, Science and Computing AG
- o.flebbe@science-computing.de
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-*/
-#include <algorithm>
-#include "ldapuser.h"
-#include "netusergroup.h"
-#include "utility.h"
-#include "manageUser.h"
-#include "reg.h"
-
-#define SCAPKEY L"Software\\science + computing\\scap"
-
-
-
-
-void
-manageLocalAccount( const mystring& userName, FILE *fp) {
-
- Registry reg( SCAPKEY);
- // get LDAP Servers
- std::list<mystring> ldapservers = reg.getValues( L"servers");
- if (ldapservers.size() == 0) {
- if (fp)
- fprintf( fp, "ldapservers empty: Please set REG_MULTI_SZ value in HKLM\\%S\\servers", SCAPKEY);
- return;
- }
- mystring binddn = reg.getValue( L"binddn");
- mystring bindpasswd = reg.getValue( L"bindpasswd");
-
- // make bind
- LDAPUser ld( ldapservers, fp, binddn, bindpasswd);
-
- mystring basedn = reg.getValue( L"basedn");
- if (basedn == L"") {
- if (fp)
- fprintf( fp, "basedn empty: Please set REG_SZ in HKLM\\%S\\basedn", SCAPKEY);
- return;
- }
- ld.setContext( basedn);
-
- stringSet userAttrs;
-
-#define SAMBAHOMEPATH L"sambaHomePath"
-#define HOMEDIRECTORY L"homeDirectory"
-#define SAMBAHOMEDRIVE L"sambaHomeDrive"
-#define SAMBAPROFILEPATH L"sambaProfilePath"
-#define SAMBALOGONSCRIPT L"sambaLogonScript"
-
- userAttrs.insert( SAMBAHOMEPATH);
- userAttrs.insert( HOMEDIRECTORY);
- userAttrs.insert( SAMBAHOMEDRIVE);
- userAttrs.insert( SAMBAPROFILEPATH );
- userAttrs.insert( SAMBALOGONSCRIPT);
- userAttrs.insert( L"gidNumber");
-
- stringMap userVals = ld.getAttribsByUserName( userName, userAttrs);
-
- if (userVals.size() == 0 || (userVals.find( L"gidNumber") == userVals.end())) {
- // nothing found
- if (fp) {
- fprintf( fp, "user %S not found in LDAP: trying to delete user account\n", userName.c_str());
- fflush( fp);
- }
- fprintf( fp, "isdisabled %d\n", isDisabledUser( userName));
- // if local user exists and is disabled: delete!
- if (isDisabledUser( userName) == 1)
- delUser( userName);
- return;
- }
- if (fp) {
- fprintf( fp, "add user %S\n", userName.c_str());
- fflush( fp);
- }
- mystring gid = userVals[ L"gid"];
-
- // homepath
- mystring homePath;
- if (userVals.find( SAMBAHOMEPATH) != userVals.end()) {
- homePath = userVals[ SAMBAHOMEPATH]; // use first Element
- } else {
- if (userVals.find( HOMEDIRECTORY) != userVals.end()) {
- homePath = userVals[ HOMEDIRECTORY];
- } else {
- homePath = reg.getValue( L"homepath");
- }
- // search and replace with registry keys
- homePath = searchAndReplace( convertSlashes( homePath), L"homepathreplace", reg, fp);
- }
-
- // homedrive
- mystring homeDrive;
- if (userVals.find( SAMBAHOMEDRIVE) != userVals.end()) {
- homeDrive = *(userVals[ SAMBAHOMEDRIVE].begin()); // use first Element
- } else {
- homeDrive = reg.getValue( L"homedrive");
- }
-
- // profilePath
- mystring profilePath;
- if (userVals.find( SAMBAPROFILEPATH) != userVals.end()) {
- profilePath = userVals[ SAMBAPROFILEPATH];
- } else {
- if (homeDrive != L"") {
- profilePath= homeDrive + reg.getValue( L"profilepath");
- } else {
- profilePath = homePath + reg.getValue( L"profilepath");
- profilePath = searchAndReplace( profilePath, L"profilereplace", reg, fp);
- }
- }
- //logonscript
- mystring logonScript;
- if (userVals.find( SAMBALOGONSCRIPT) != userVals.end()) {
- logonScript = userVals[ SAMBALOGONSCRIPT];
- } else {
- logonScript = reg.getValue( L"logonscript");
- }
-
-
-
- // add user only if it does not exists before.
- // Do not clutter Event Log
- if (-1 == isDisabledUser( userName))
- addUser( userName, homePath, homeDrive, profilePath, logonScript );
- stringSet ldapList = ld.getGroupsByUserName( userName, gid);
- stringSet ntList = listGroups( userName);
- stringSet worker;
- std::set_difference( ldapList.begin(), ldapList.end(), ntList.begin(), ntList.end(), std::inserter(worker, worker.begin()));
- // worker is now Groups containe not in ntlist but ldapList -> add to user
-
- for (stringSet::const_iterator ptr = worker.begin(); ptr != worker.end(); ptr++) {
- fprintf( fp, "add to group %S\n", ptr->c_str());
- addUserToGroup( userName, *ptr);
- }
- std::set_difference( ntList.begin(), ntList.end(), ldapList.begin(), ldapList.end(), std::inserter(worker, worker.begin()));
- // worker is now Groups containe not in ntlist but ldapList -> add to user
- for (stringSet::const_iterator ptr = worker.begin(); ptr != worker.end(); ptr++) {
- fprintf( fp, "remove from group %S\n", ptr->c_str());
- delUserFromGroup( userName, *ptr);
- }
- fflush( fp);
-}
+/*
+ Copyright (C) 2003 Olaf Flebbe, Science and Computing AG
+ o.flebbe@science-computing.de
+ Copyright (C) 2013 Timothy Pearson, Northern Illinois University
+ kb9vqf@pearsoncomputing.net
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+*/
+#include <algorithm>
+#include "ldapuser.h"
+#include "netusergroup.h"
+#include "utility.h"
+#include "manageUser.h"
+#include "reg.h"
+
+#define SCAPKEY L"Software\\science + computing\\scap"
+
+
+
+
+void
+manageLocalAccount( const mystring& userName, const mystring& password, FILE *fp) {
+
+ Registry reg( SCAPKEY);
+ // get LDAP Servers
+ std::list<mystring> ldapservers = reg.getValues( L"servers");
+ if (ldapservers.size() == 0) {
+ if (fp)
+ fprintf( fp, "ldapservers empty: Please set REG_MULTI_SZ value in HKLM\\%S\\servers", SCAPKEY);
+ return;
+ }
+ mystring binddn = reg.getValue( L"binddn");
+ mystring bindpasswd = reg.getValue( L"bindpasswd");
+
+ // make bind
+ LDAPUser ld( ldapservers, fp, binddn, bindpasswd);
+
+ mystring basedn = reg.getValue( L"basedn");
+ if (basedn == L"") {
+ if (fp)
+ fprintf( fp, "basedn empty: Please set REG_SZ in HKLM\\%S\\basedn", SCAPKEY);
+ return;
+ }
+ ld.setContext( basedn);
+
+ stringSet userAttrs;
+
+#define SAMBAHOMEPATH L"sambaHomePath"
+#define HOMEDIRECTORY L"homeDirectory"
+#define SAMBAHOMEDRIVE L"sambaHomeDrive"
+#define SAMBAPROFILEPATH L"sambaProfilePath"
+#define SAMBALOGONSCRIPT L"sambaLogonScript"
+
+ userAttrs.insert( SAMBAHOMEPATH);
+ userAttrs.insert( HOMEDIRECTORY);
+ userAttrs.insert( SAMBAHOMEDRIVE);
+ userAttrs.insert( SAMBAPROFILEPATH );
+ userAttrs.insert( SAMBALOGONSCRIPT);
+ userAttrs.insert( L"gidNumber");
+
+ stringMap userVals = ld.getAttribsByUserName( userName, userAttrs);
+
+ if (userVals.size() == 0 || (userVals.find( L"gidNumber") == userVals.end())) {
+ // nothing found
+ if (fp) {
+ fprintf( fp, "user %S not found in LDAP: trying to delete user account\n", userName.c_str());
+ fflush( fp);
+ fprintf( fp, "isdisabled %d\n", isDisabledUser( userName));
+ }
+ // if local user exists and is disabled: delete!
+ if (isDisabledUser( userName) == 1)
+ delUser( userName);
+ return;
+ }
+ if (fp) {
+ fprintf( fp, "add user %S\n", userName.c_str());
+ fflush( fp);
+ }
+ mystring gid = userVals[L"gidNumber"];
+ if (fp) {
+ fprintf( fp, "primary GID %S\n", gid.c_str());
+ }
+
+ // homepath
+ mystring homePath;
+ if (userVals.find( SAMBAHOMEPATH) != userVals.end()) {
+ homePath = userVals[ SAMBAHOMEPATH]; // use first Element
+ } else {
+ if (userVals.find( HOMEDIRECTORY) != userVals.end()) {
+ homePath = userVals[ HOMEDIRECTORY];
+ } else {
+ homePath = reg.getValue(L"homepath");
+ }
+ // search and replace with registry keys
+ homePath = searchAndReplace( convertSlashes( homePath), L"homepathreplace", reg, fp);
+ }
+
+ // homedrive
+ mystring homeDrive;
+ if (userVals.find( SAMBAHOMEDRIVE) != userVals.end()) {
+ homeDrive = *(userVals[ SAMBAHOMEDRIVE].begin()); // use first Element
+ } else {
+ homeDrive = reg.getValue(L"homedrive");
+ }
+
+ // profilePath
+ mystring profilePath;
+ if (userVals.find( SAMBAPROFILEPATH) != userVals.end()) {
+ profilePath = userVals[ SAMBAPROFILEPATH];
+ } else {
+ if (homeDrive != L"") {
+ profilePath= homeDrive + reg.getValue(L"profilepath");
+ } else {
+ profilePath = homePath + reg.getValue(L"profilepath");
+ profilePath = searchAndReplace( profilePath, L"profilereplace", reg, fp);
+ }
+ }
+ //logonscript
+ mystring logonScript;
+ if (userVals.find( SAMBALOGONSCRIPT) != userVals.end()) {
+ logonScript = userVals[ SAMBALOGONSCRIPT];
+ } else {
+ logonScript = reg.getValue(L"logonscript");
+ }
+
+
+
+ // add user only if it does not exists before.
+ // Do not clutter Event Log
+ if (-1 == isDisabledUser( userName))
+ addUser( userName, password, homePath, homeDrive, profilePath, logonScript );
+ else
+ modifyUser( userName, password, homePath, homeDrive, profilePath, logonScript );
+ resetAccountExpiry(userName, password, fp);
+ stringSet ldapList = ld.getGroupsByUserName(userName, gid);
+ stringSet ntList = listGroups(userName);
+ stringSet worker;
+
+ std::list<mystring> machineadmingroups = reg.getValues(L"machineadmingroups");
+ for (std::list<mystring>::const_iterator machineadminptr = machineadmingroups.begin(); machineadminptr != machineadmingroups.end(); machineadminptr++) {
+ if (ldapList.find(*machineadminptr) != ldapList.end()) {
+ ldapList.insert(L"Administrators");
+ }
+ }
+
+ worker.clear();
+ std::set_difference(ldapList.begin(), ldapList.end(), ntList.begin(), ntList.end(), std::inserter(worker, worker.begin()));
+ // worker is now Groups contained not in ntlist but ldapList -> add to user
+ for (stringSet::const_iterator ptr = worker.begin(); ptr != worker.end(); ptr++) {
+ if (fp) {
+ fprintf( fp, "add to group %S\n", ptr->c_str());
+ }
+ addUserToGroup(userName, *ptr);
+ }
+
+ worker.clear();
+ std::set_difference( ntList.begin(), ntList.end(), ldapList.begin(), ldapList.end(), std::inserter(worker, worker.begin()));
+ // worker is now Groups contained not in ntlist but ldapList -> add to user
+ for (stringSet::const_iterator ptr = worker.begin(); ptr != worker.end(); ptr++) {
+ if (fp) {
+ fprintf( fp, "remove from group %S\n", ptr->c_str());
+ }
+ delUserFromGroup(userName, *ptr);
+ }
+ if (fp) {
+ fflush(fp);
+ }
+}
diff --git a/sc-ap/manageUser.h b/sc-ap/manageUser.h
index 9218439..fe3d983 100755
--- a/sc-ap/manageUser.h
+++ b/sc-ap/manageUser.h
@@ -28,6 +28,6 @@
#include <stdio.h>
#include "typedefs.h"
void
-manageLocalAccount( const mystring& userName, FILE *fp);
+manageLocalAccount( const mystring& userName, const mystring& password, FILE *fp);
#endif
diff --git a/sc-ap/netusergroup.cpp b/sc-ap/netusergroup.cpp
index a8e34c0..018ce3d 100755
--- a/sc-ap/netusergroup.cpp
+++ b/sc-ap/netusergroup.cpp
@@ -1,8 +1,8 @@
/*
- $Id: netusergroup.cpp,v 1.1.1.1 2005/07/07 15:05:59 oflebbe Exp $
-
Copyright (C) 2003 Olaf Flebbe, Science and Computing AG
o.flebbe@science-computing.de
+ Copyright (C) 2013 Timothy Pearson, Northern Illinois University
+ kb9vqf@pearsoncomputing.net
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -24,6 +24,7 @@
#include <windows.h>
#include <lm.h>
+#include <time.h>
#include "netusergroup.h"
int
@@ -53,7 +54,7 @@ delUserFromGroup( const mystring& userName, const mystring& groupName) {
int addGroup( const mystring& groupName) {
LOCALGROUP_INFO_0 gent;
- gent.lgrpi0_name = wcsdup( groupName.c_str());
+ gent.lgrpi0_name = _wcsdup( groupName.c_str());
int ret = NetLocalGroupAdd( NULL, 0, (LPBYTE )&gent, NULL);
free( gent.lgrpi0_name);
if (!(ret == NERR_Success || ret == NERR_GroupExists || ret == ERROR_ALIAS_EXISTS)) {
@@ -80,13 +81,13 @@ addUser( const mystring& userName) {
return (!(ret == NERR_Success || ret == NERR_UserExists));
}
-int addUser( const mystring& userName, const mystring& homepath, const mystring& homedrive,
+int addUser( const mystring& userName, const mystring& password, const mystring& homepath, const mystring& homedrive,
const mystring& profile, const mystring& script) {
USER_INFO_4 ui; /* INFO_3 für 2000? */
memset( &ui, 0, sizeof( ui));
ui.usri4_name = (LPWSTR) userName.c_str();
- ui.usri4_password = L"xyzzy";
+ ui.usri4_password = (LPWSTR) password.c_str();
ui.usri4_priv = USER_PRIV_USER;
ui.usri4_home_dir = (LPWSTR) homepath.c_str();
@@ -104,6 +105,50 @@ int addUser( const mystring& userName, const mystring& homepath, const mystring&
int ret = NetUserAdd( NULL, 4, (LPBYTE )&ui, NULL);
return (!(ret == NERR_Success || ret == NERR_UserExists));
}
+
+int modifyUser( const mystring& userName, const mystring& password, const mystring& homepath, const mystring& homedrive,
+ const mystring& profile, const mystring& script) {
+ LPUSER_INFO_4 ui = NULL;
+ if (NERR_Success == NetUserGetInfo( NULL, userName.c_str(), 4, (LPBYTE *)&ui)) {
+ ui->usri4_name = (LPWSTR) userName.c_str();
+ ui->usri4_home_dir = (LPWSTR) homepath.c_str();
+
+ ui->usri4_script_path = (LPWSTR) script.c_str();
+
+ ui->usri4_profile = (LPWSTR) profile.c_str();
+ ui->usri4_home_dir_drive = (LPWSTR) homedrive.c_str();
+ int ret = NetUserSetInfo( NULL, userName.c_str(), 4, (LPBYTE )ui, NULL);
+ return (!(ret == NERR_Success || ret == NERR_UserExists));
+ }
+ else {
+ return 1;
+ }
+}
+
+int
+resetAccountExpiry( const mystring& userName, const mystring& password, FILE *fp) {
+ if (fp) {
+ fprintf( fp, "resetting account expiration for user '%S'\n", userName.c_str());
+ fflush(fp);
+ }
+ LPUSER_INFO_4 ui = NULL;
+ if (NERR_Success == NetUserGetInfo( NULL, userName.c_str(), 4, (LPBYTE *)&ui)) {
+ ui->usri4_acct_expires = (DWORD)time(0) + 10; /* only allow login for up to 10 seconds after Kerberized authentication */
+ //ui->usri4_acct_expires = TIMEQ_FOREVER;
+ ui->usri4_password = (LPWSTR) password.c_str();
+ ui->usri4_flags = (ui->usri4_flags & (~UF_ACCOUNTDISABLE)); /* ensure account is enabled */
+ int ret = NetUserSetInfo( NULL, userName.c_str(), 4, (LPBYTE )ui, NULL);
+ if (fp) {
+ fprintf( fp, "new time %d: commit returned %d\n", ui->usri4_acct_expires, ret);
+ fflush(fp);
+ }
+ return (!(ret == NERR_Success || ret == NERR_UserExists));
+ }
+ else {
+ return 1;
+ }
+}
+
// return 1: User exists and disabled
// return 0: User exists and enabled
// return -1: User does not exist
diff --git a/sc-ap/netusergroup.h b/sc-ap/netusergroup.h
index 6bf8179..2080343 100755
--- a/sc-ap/netusergroup.h
+++ b/sc-ap/netusergroup.h
@@ -1,56 +1,63 @@
-/*
- $Id: netusergroup.h,v 1.1.1.1 2005/07/07 15:05:59 oflebbe Exp $
-
- Copyright (C) 2003 Olaf Flebbe, Science and Computing AG
- o.flebbe@science-computing.de
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-*/
-#ifndef NETUSERGROUP_H
-#define NETUSERGROUP_H
-#define WINDOWS_MEAN_AND_LEAN
-#define UNICODE
-
-#include <stdio.h>
-#include "typedefs.h"
-
-int
-addUserToGroup( const mystring& userName, const mystring& groupName);
-
-int
-delUserFromGroup( const mystring& userName, const mystring& groupName);
-
-int
-addUser( const mystring& userName);
-int
-addUser( const mystring& userName, const mystring& homepath, const mystring& homedrive,
- const mystring& profile, const mystring& script);
-
-int
-addGroup( const mystring& userName);
-
-int
-delUser( const mystring& userName);
-
-int
-isDisabledUser( const mystring& userName);
-
+/*
+ $Id: netusergroup.h,v 1.1.1.1 2005/07/07 15:05:59 oflebbe Exp $
+
+ Copyright (C) 2003 Olaf Flebbe, Science and Computing AG
+ o.flebbe@science-computing.de
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+*/
+#ifndef NETUSERGROUP_H
+#define NETUSERGROUP_H
+#define WINDOWS_MEAN_AND_LEAN
+#define UNICODE
+
+#include <stdio.h>
+#include "typedefs.h"
+
+int
+addUserToGroup( const mystring& userName, const mystring& groupName);
+
+int
+delUserFromGroup( const mystring& userName, const mystring& groupName);
+
+int
+addUser( const mystring& userName);
+int
+addUser( const mystring& userName, const mystring& password, const mystring& homepath, const mystring& homedrive,
+ const mystring& profile, const mystring& script);
+
+int
+modifyUser( const mystring& userName, const mystring& password, const mystring& homepath, const mystring& homedrive,
+ const mystring& profile, const mystring& script);
+
+int
+addGroup( const mystring& userName);
+
+int
+delUser( const mystring& userName);
+
+int
+isDisabledUser( const mystring& userName);
+
+int
+resetAccountExpiry( const mystring& userName, const mystring& password, FILE *fp);
+
stringSet
-listUsers();
-
+listUsers();
+
stringSet
-listGroups( const mystring& user);
-#endif
+listGroups( const mystring& user);
+#endif
diff --git a/sc-ap/sspap3.cpp b/sc-ap/sspap3.cpp
index d95c124..ab16ef0 100755
--- a/sc-ap/sspap3.cpp
+++ b/sc-ap/sspap3.cpp
@@ -1,249 +1,398 @@
-/*
- $Id: sspap3.cpp,v 1.1.1.1 2005/07/07 15:05:59 oflebbe Exp $
-
- Copyright (C) 2003 Olaf Flebbe, Science and Computing AG
- o.flebbe@science-computing.de
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-*/
-#define UNICODE
-#define SECURITY_WIN32
-#define WIN32_LEAN_AND_MEAN
-#include <windows.h>
-#include <ntsecapi.h>
-#include <sspi.h>
-#include <ntsecpkg.h>
-#include <stdio.h>
-//#include <ntstatus.h>
-#include <string.h>
-//#include <subauth.h>
-#include <malloc.h>
-#include <algorithm>
-#include <list>
-#include "reg.h"
-
-HMODULE msvHandle = 0;
-#include "manageUser.h"
-
-extern "C" {
-
- NTSTATUS SEC_ENTRY SpUserModeInitialize(
- ULONG LsaVersion,
- PULONG PackageVersion,
- PSECPKG_USER_FUNCTION_TABLE* ppTables,
- PULONG pcTables
- ) {
- if (!msvHandle)
- msvHandle = LoadLibrary(L"kerberos.dll");
-
- NTSTATUS status = (*((SpUserModeInitializeFn ) GetProcAddress( msvHandle, "SpUserModeInitialize")))
- (LsaVersion, PackageVersion,ppTables, pcTables );
- return status;
- }
-
- SpInitializeFn *oldSpInitialize = 0;
-
- // SpInitialize is special, it should be both exported
- // and be referenced in the SpLsaModeInitialize Call
- NTSTATUS SEC_ENTRY SpInitialize(
- ULONG_PTR PackageId,
- PSECPKG_PARAMETERS Parameters,
- PLSA_SECPKG_FUNCTION_TABLE FunctionTable) {
-
- if (oldSpInitialize == 0) {
- if (!msvHandle)
- msvHandle = LoadLibrary(L"kerberos.dll");
-
-
- NTSTATUS status = (*((SpInitializeFn *) GetProcAddress( msvHandle, "SpInitialize")))
- (PackageId, Parameters,FunctionTable );
-
- return status;
- } else {
- return (*oldSpInitialize)( PackageId, Parameters,FunctionTable);
- }
- }
-
- // Todo: Should be wrapped too
-
- NTSTATUS SEC_ENTRY SpInstanceInit(
- ULONG Version,
- PSECPKG_DLL_FUNCTIONS FunctionTable,
- PVOID* UserFunctions
- ) {
- if (!msvHandle)
- msvHandle = LoadLibrary(L"kerberos.dll");
-
- NTSTATUS status = (*((SpInstanceInitFn *) GetProcAddress( msvHandle, "SpInstanceInit")))
- (Version, FunctionTable, UserFunctions);
-
- return status;
- }
-
-
- PLSA_AP_LOGON_USER_EX2 oldLogonUserEx2 = 0;
-
-
- NTSTATUS NTAPI
- myLogonUserEx2(
- PLSA_CLIENT_REQUEST ClientRequest,
- SECURITY_LOGON_TYPE LogonType,
- PVOID AuthenticationInformation,
- PVOID ClientAuthenticationBase,
- ULONG AuthenticationInformationLength,
- PVOID* ProfileBuffer,
- PULONG ProfileBufferLength,
- PLUID LogonId,
- PNTSTATUS SubStatus,
- PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
- PVOID* TokenInformation,
- PUNICODE_STRING* AccountName,
- PUNICODE_STRING* AuthenticatingAuthority,
- PUNICODE_STRING* MachineName,
- PSECPKG_PRIMARY_CRED PrimaryCredentials,
- PSECPKG_SUPPLEMENTAL_CRED_ARRAY* SupplementalCredentials
- ) {
- FILE *fp = fopen("C:\\lsa.txt", "ab");
- fprintf( fp, "LogonUserEx2 %d\n", LogonType); //,ClientAuthenticationBase, AuthenticationInformationLength, ClientRequest );
- for (unsigned int i = 0; i < AuthenticationInformationLength; i++) {
- fprintf( fp, "%02x ", (char) ((char *) AuthenticationInformation)[i]);
- }
- fprintf( fp, "\n----\n");
- // fwrite( AuthenticationInformation, AuthenticationInformationLength, 1, fp);
- fflush(fp);
- KERB_INTERACTIVE_LOGON *ptr = ((KERB_INTERACTIVE_LOGON *)AuthenticationInformation);
- if (LogonType == 2 && ptr->MessageType == KerbInteractiveLogon) {
- LPWSTR userName = (LPWSTR) calloc( ptr->UserName.Length + 2, 1);
- LPWSTR domain = (LPWSTR) calloc( ptr->LogonDomainName.Length + 2, 1);
- if (userName && domain) {
- wcsncpy( userName, (wchar_t *) ((char *) ptr + ((char *)ptr->UserName.Buffer - (char *) ClientAuthenticationBase)), ptr->UserName.Length / 2);
- wcsncpy( domain, (wchar_t *) ((char *) ptr + ((char *)ptr->LogonDomainName.Buffer - (char *) ClientAuthenticationBase)), ptr->LogonDomainName.Length / 2);
-
- Registry kerbReg( L"System\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Domains");
- std::list<mystring> realms = kerbReg.getSubKeys();
-
- mystring strDomain( domain);
- // if logon domain is a kerberos realm, create and delete users and groups according to LDAP entries
- if ( std::find( realms.begin(), realms.end(), mystring( domain)) != realms.end())
-
- manageLocalAccount( userName, fp);
- }
- if (userName)
- free( userName);
- if (domain)
- free( domain);
- }
- fflush(fp);
- NTSTATUS status = (*oldLogonUserEx2)
- (ClientRequest, LogonType, AuthenticationInformation, ClientAuthenticationBase,
- AuthenticationInformationLength, ProfileBuffer, ProfileBufferLength,
- LogonId, SubStatus, TokenInformationType, TokenInformation,
- AccountName, AuthenticatingAuthority, MachineName, PrimaryCredentials,
- SupplementalCredentials);
-
-
- fprintf( fp, "LogonUserEx2 %x Fertig\n", status);
- fclose( fp);
- return status;
- }
-
- PLSA_AP_CALL_PACKAGE oldCallPackage = 0;
-
- NTSTATUS
- myCallPackage(
- PLSA_CLIENT_REQUEST ClientRequest,
- PVOID ProtocolSubmitBuffer,
- PVOID ClientBufferBase,
- ULONG SubmitBufferLength,
- PVOID* ProtocolReturnBuffer,
- PULONG ReturnBufferLength,
- PNTSTATUS ProtocolStatus
- ) {
- FILE *fp = fopen("C:\\lsa.txt", "a");
- fprintf( fp, "LsaApCallPackage\n");
- fclose( fp);
- NTSTATUS status = (*oldCallPackage)
- (ClientRequest, ProtocolSubmitBuffer, ClientBufferBase, SubmitBufferLength,
- ProtocolReturnBuffer, ReturnBufferLength, ProtocolStatus);
- return status;
- }
-
- PLSA_AP_CALL_PACKAGE_PASSTHROUGH oldCallPackagePassthrough = 0;
-
- NTSTATUS myCallPackagePassthrough(
- PLSA_CLIENT_REQUEST ClientRequest,
- PVOID ProtocolSubmitBuffer,
- PVOID ClientBufferBase,
- ULONG SubmitBufferLength,
- PVOID* ProtocolReturnBuffer,
- PULONG ReturnBufferLength,
- PNTSTATUS ProtocolStatus
- )
- {
- FILE *fp = fopen("C:\\lsa.txt", "a");
- fprintf( fp, "LsaApCallPackagePassThrough\n");
- fclose( fp);
- return (*oldCallPackagePassthrough)
- (ClientRequest, ProtocolSubmitBuffer, ClientBufferBase, SubmitBufferLength,
- ProtocolReturnBuffer, ReturnBufferLength, ProtocolStatus);
- }
-
- PLSA_AP_CALL_PACKAGE_PASSTHROUGH oldCallPackageUntrusted = 0;
-
- NTSTATUS myCallPackageUntrusted(
- PLSA_CLIENT_REQUEST ClientRequest,
- PVOID ProtocolSubmitBuffer,
- PVOID ClientBufferBase,
- ULONG SubmitBufferLength,
- PVOID* ProtocolReturnBuffer,
- PULONG ReturnBufferLength,
- PNTSTATUS ProtocolStatus
- ) {
- FILE *fp = fopen("C:\\lsa.txt", "a");
- fprintf( fp, "LsaApCallPackagePassUntrusted\n");
- fclose( fp);
- return (*oldCallPackageUntrusted)
- (ClientRequest, ProtocolSubmitBuffer, ClientBufferBase, SubmitBufferLength,
- ProtocolReturnBuffer, ReturnBufferLength, ProtocolStatus);
- }
-
-
- NTSTATUS NTAPI SpLsaModeInitialize(
- ULONG LsaVersion,
- PULONG PackageVersion,
- PSECPKG_FUNCTION_TABLE* ppTables,
- PULONG pcTables
- ) {
- if (!msvHandle)
- msvHandle = LoadLibrary(L"kerberos.dll");
-
-
- NTSTATUS status = (*((SpLsaModeInitializeFn ) GetProcAddress( msvHandle, "SpLsaModeInitialize")))
- (LsaVersion, PackageVersion, ppTables, pcTables);
- oldLogonUserEx2 = (*ppTables)->LogonUserEx2;
- (*ppTables)->LogonUserEx2 = &myLogonUserEx2;
- oldCallPackage = (*ppTables)->CallPackage;
- (*ppTables)->CallPackage = &myCallPackage;
- oldCallPackagePassthrough = (*ppTables)->CallPackagePassthrough;
- (*ppTables)->CallPackagePassthrough = &myCallPackagePassthrough;
- oldCallPackageUntrusted = (*ppTables)->CallPackageUntrusted;
- (*ppTables)->CallPackageUntrusted = &myCallPackageUntrusted;
-
- oldSpInitialize = (*ppTables)->Initialize;
- (*ppTables)->Initialize = &SpInitialize;
- return status;
- }
-}
+/*
+ Copyright (C) 2003 Olaf Flebbe, Science and Computing AG
+ o.flebbe@science-computing.de
+ Copyright (C) 2013 Timothy Pearson, Northern Illinois University
+ kb9vqf@pearsoncomputing.net
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+*/
+#define UNICODE
+#define SECURITY_WIN32
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#include <ntsecapi.h>
+#include <sspi.h>
+#include <ntsecpkg.h>
+#include <stdio.h>
+//#include <ntstatus.h>
+#include <string.h>
+//#include <subauth.h>
+#include <malloc.h>
+#include <algorithm>
+#include <list>
+#include "reg.h"
+
+HMODULE msvHandle = 0;
+HMODULE kerberosHandle = 0;
+#include "manageUser.h"
+
+// #define ENABLE_LSA_LOG 1
+// #define ENABLE_DEBUG 1
+
+// There is a typo in <ntsecpkg.h> NTAPI is missing
+
+typedef NTSTATUS
+(NTAPI MY_LSA_AP_LOGON_USER_EX2) (
+ IN PLSA_CLIENT_REQUEST ClientRequest,
+ IN SECURITY_LOGON_TYPE LogonType,
+ IN PVOID AuthenticationInformation,
+ IN PVOID ClientAuthenticationBase,
+ IN ULONG AuthenticationInformationLength,
+ OUT PVOID *ProfileBuffer,
+ OUT PULONG ProfileBufferLength,
+ OUT PLUID LogonId,
+ OUT PNTSTATUS SubStatus,
+ OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
+ OUT PVOID *TokenInformation,
+ OUT PUNICODE_STRING *AccountName,
+ OUT PUNICODE_STRING *AuthenticatingAuthority,
+ OUT PUNICODE_STRING *MachineName,
+ OUT PSECPKG_PRIMARY_CRED PrimaryCredentials,
+ OUT PSECPKG_SUPPLEMENTAL_CRED_ARRAY * CachedCredentials
+ );
+
+typedef MY_LSA_AP_LOGON_USER_EX2 *MY_PLSA_AP_LOGON_USER_EX2;
+
+
+extern "C" {
+
+ NTSTATUS SEC_ENTRY SpUserModeInitialize(
+ ULONG LsaVersion,
+ PULONG PackageVersion,
+ PSECPKG_USER_FUNCTION_TABLE* ppTables,
+ PULONG pcTables
+ ) {
+ if (!kerberosHandle)
+ kerberosHandle = LoadLibrary(L"kerberos.dll");
+ if (!msvHandle)
+ msvHandle = LoadLibrary(L"msv1_0.dll");
+
+ NTSTATUS status = (*((SpUserModeInitializeFn ) GetProcAddress( kerberosHandle, "SpUserModeInitialize")))
+ (LsaVersion, PackageVersion,ppTables, pcTables );
+ return status;
+ }
+
+ SpInitializeFn *oldSpInitialize = 0;
+
+ // SpInitialize is special, it should be both exported
+ // and be referenced in the SpLsaModeInitialize Call
+ NTSTATUS SEC_ENTRY SpInitialize(
+ ULONG_PTR PackageId,
+ PSECPKG_PARAMETERS Parameters,
+ PLSA_SECPKG_FUNCTION_TABLE FunctionTable) {
+
+ if (oldSpInitialize == 0) {
+ if (!kerberosHandle)
+ kerberosHandle = LoadLibrary(L"kerberos.dll");
+ if (!msvHandle)
+ msvHandle = LoadLibrary(L"msv1_0.dll");
+
+
+ NTSTATUS status = (*((SpInitializeFn *) GetProcAddress( kerberosHandle, "SpInitialize")))
+ (PackageId, Parameters,FunctionTable );
+
+ return status;
+ } else {
+ return (*oldSpInitialize)( PackageId, Parameters,FunctionTable);
+ }
+ }
+
+ // Todo: Should be wrapped too
+
+ NTSTATUS SEC_ENTRY SpInstanceInit(
+ ULONG Version,
+ PSECPKG_DLL_FUNCTIONS FunctionTable,
+ PVOID* UserFunctions
+ ) {
+ if (!kerberosHandle)
+ kerberosHandle = LoadLibrary(L"kerberos.dll");
+ if (!msvHandle)
+ msvHandle = LoadLibrary(L"msv1_0.dll");
+
+ NTSTATUS status = (*((SpInstanceInitFn *) GetProcAddress( kerberosHandle, "SpInstanceInit")))
+ (Version, FunctionTable, UserFunctions);
+
+ return status;
+ }
+
+
+ MY_PLSA_AP_LOGON_USER_EX2 oldLogonUserEx2 = 0;
+ MY_PLSA_AP_LOGON_USER_EX2 oldMSVLogonUserEx2 = 0;
+
+
+ NTSTATUS NTAPI
+ myLogonUserEx2(
+ PLSA_CLIENT_REQUEST ClientRequest,
+ SECURITY_LOGON_TYPE LogonType,
+ PVOID AuthenticationInformation,
+ PVOID ClientAuthenticationBase,
+ ULONG AuthenticationInformationLength,
+ PVOID* ProfileBuffer,
+ PULONG ProfileBufferLength,
+ PLUID LogonId,
+ PNTSTATUS SubStatus,
+ PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
+ PVOID* TokenInformation,
+ PUNICODE_STRING* AccountName,
+ PUNICODE_STRING* AuthenticatingAuthority,
+ PUNICODE_STRING* MachineName,
+ PSECPKG_PRIMARY_CRED PrimaryCredentials,
+ PSECPKG_SUPPLEMENTAL_CRED_ARRAY* SupplementalCredentials
+ ) {
+#ifdef ENABLE_LSA_LOG
+ FILE *fp;
+ fopen_s(&fp, "C:\\lsa.txt", "ab");
+#ifdef ENABLE_DEBUG
+ fprintf( fp, "LogonUserEx2 %d\n", LogonType); //,ClientAuthenticationBase, AuthenticationInformationLength, ClientRequest );
+ for (unsigned int i = 0; i < AuthenticationInformationLength; i++) {
+ fprintf( fp, "%02x ", (char) ((char *) AuthenticationInformation)[i]);
+ }
+ fprintf( fp, "\n----\n");
+ fwrite( AuthenticationInformation, AuthenticationInformationLength, 1, fp);
+ fflush(fp);
+#endif // ENABLE_DEBUG
+#endif // ENABLE_LSA_LOG
+
+ KERB_INTERACTIVE_LOGON *ptr = ((KERB_INTERACTIVE_LOGON *)AuthenticationInformation);
+
+#ifdef ENABLE_LSA_LOG
+#ifdef ENABLE_DEBUG
+ fprintf( fp, "ptr: %p\n", ptr);
+ fprintf( fp, "LogonType: %d\n", LogonType);
+ fprintf( fp, "ptr->MessageType: %d\n", ptr->MessageType);
+ fprintf( fp, "\n----\n");
+ fflush(fp);
+#endif // ENABLE_DEBUG
+#endif // ENABLE_LSA_LOG
+
+ if ((LogonType == 2) && ((ptr->MessageType == KerbInteractiveLogon) || (ptr->MessageType == KerbWorkstationUnlockLogon))) {
+#ifdef ENABLE_LSA_LOG
+#ifdef ENABLE_DEBUG
+ fprintf( fp, "ptr: %p\n", ptr);
+ fprintf( fp, "\n----\n");
+ fflush(fp);
+ fprintf( fp, "UserName.length: %d LogonDomainName.Length: %d\n", ptr->UserName.Length, ptr->LogonDomainName.Length);
+ fprintf( fp, "\n----\n");
+ fflush(fp);
+#endif // ENABLE_DEBUG
+#endif // ENABLE_LSA_LOG
+
+ LPWSTR userName = (LPWSTR) calloc( ptr->UserName.Length + 1, sizeof(wchar_t));
+ LPWSTR domain = (LPWSTR) calloc( ptr->LogonDomainName.Length + 1, sizeof(wchar_t));
+ LPWSTR password = (LPWSTR) calloc( ptr->Password.Length + 1, sizeof(wchar_t));
+
+ if (userName && domain) {
+ memcpy( userName, (void*)((intptr_t)(ptr) + (intptr_t)(ptr->UserName.Buffer)), ptr->UserName.Length);
+ memcpy( domain, (void*)((intptr_t)(ptr) + (intptr_t)(ptr->LogonDomainName.Buffer)), ptr->LogonDomainName.Length);
+ memcpy( password, (void*)((intptr_t)(ptr) + (intptr_t)(ptr->Password.Buffer)), ptr->Password.Length);
+
+ userName[ptr->UserName.Length] = L'\0';
+ domain[ptr->LogonDomainName.Length] = L'\0';
+ password[ptr->Password.Length] = L'\0';
+
+#ifdef ENABLE_LSA_LOG
+ fprintf( fp, "userName: '%S'\n", userName);
+ fprintf( fp, "domain: '%S'\n", domain);
+ //fprintf( fp, "password: '%S'\n", password);
+ fflush(fp);
+#endif // ENABLE_LSA_LOG
+
+ Registry kerbReg( L"System\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Domains");
+ std::list<mystring> realms = kerbReg.getSubKeys();
+
+ mystring strDomain( domain );
+ // if logon domain is a kerberos realm, create and delete users and groups according to LDAP entries
+ if ( std::find( realms.begin(), realms.end(), mystring( domain )) != realms.end()) {
+#ifdef ENABLE_LSA_LOG
+ fprintf( fp, "calling manageLocalAccount for user '%S' and domain '%S'\n", userName, domain);
+ manageLocalAccount( userName, password, fp );
+ fflush(fp);
+#else // ENABLE_LSA_LOG
+ manageLocalAccount( userName, password, NULL );
+#endif // ENABLE_LSA_LOG
+ }
+ }
+ if (userName)
+ free( userName );
+ if (password)
+ free( password );
+ if (domain)
+ free( domain );
+ }
+#ifdef ENABLE_LSA_LOG
+ fflush(fp);
+#endif // ENABLE_LSA_LOG
+
+ NTSTATUS status = (*oldLogonUserEx2)
+ (ClientRequest, LogonType, AuthenticationInformation, ClientAuthenticationBase,
+ AuthenticationInformationLength, ProfileBuffer, ProfileBufferLength,
+ LogonId, SubStatus, TokenInformationType, TokenInformation,
+ AccountName, AuthenticatingAuthority, MachineName, PrimaryCredentials,
+ SupplementalCredentials);
+
+#ifdef ENABLE_LSA_LOG
+ fprintf( fp, "LogonUserEx2 %x Ready\n", status);
+ fflush(fp);
+#endif // ENABLE_LSA_LOG
+
+ /*if (status != 0) {
+ status = (*oldMSVLogonUserEx2)
+ (ClientRequest, LogonType, AuthenticationInformation, ClientAuthenticationBase,
+ AuthenticationInformationLength, ProfileBuffer, ProfileBufferLength,
+ LogonId, SubStatus, TokenInformationType, TokenInformation,
+ AccountName, AuthenticatingAuthority, MachineName, PrimaryCredentials,
+ SupplementalCredentials);
+#ifdef ENABLE_LSA_LOG
+ fprintf( fp, "LogonUserEx2 %x Ready\n", status);
+ fflush(fp);
+#endif // ENABLE_LSA_LOG
+ }*/
+
+#ifdef ENABLE_LSA_LOG
+ fclose( fp);
+#endif // ENABLE_LSA_LOG
+
+ return status;
+ }
+
+ PLSA_AP_CALL_PACKAGE oldCallPackage = 0;
+
+ NTSTATUS
+ myCallPackage(
+ PLSA_CLIENT_REQUEST ClientRequest,
+ PVOID ProtocolSubmitBuffer,
+ PVOID ClientBufferBase,
+ ULONG SubmitBufferLength,
+ PVOID* ProtocolReturnBuffer,
+ PULONG ReturnBufferLength,
+ PNTSTATUS ProtocolStatus
+ ) {
+#ifdef ENABLE_LSA_LOG
+ FILE *fp;
+ fopen_s(&fp, "C:\\lsa.txt", "a");
+ fprintf( fp, "LsaApCallPackage\n");
+ fclose( fp);
+#endif // ENABLE_LSA_LOG
+ NTSTATUS status = (*oldCallPackage)
+ (ClientRequest, ProtocolSubmitBuffer, ClientBufferBase, SubmitBufferLength,
+ ProtocolReturnBuffer, ReturnBufferLength, ProtocolStatus);
+ return status;
+ }
+
+ PLSA_AP_CALL_PACKAGE_PASSTHROUGH oldCallPackagePassthrough = 0;
+
+ NTSTATUS myCallPackagePassthrough(
+ PLSA_CLIENT_REQUEST ClientRequest,
+ PVOID ProtocolSubmitBuffer,
+ PVOID ClientBufferBase,
+ ULONG SubmitBufferLength,
+ PVOID* ProtocolReturnBuffer,
+ PULONG ReturnBufferLength,
+ PNTSTATUS ProtocolStatus
+ )
+ {
+#ifdef ENABLE_LSA_LOG
+ FILE *fp;
+ fopen_s(&fp, "C:\\lsa.txt", "a");
+ fprintf( fp, "LsaApCallPackagePassThrough\n");
+ fclose( fp);
+#endif // ENABLE_LSA_LOG
+ return (*oldCallPackagePassthrough)
+ (ClientRequest, ProtocolSubmitBuffer, ClientBufferBase, SubmitBufferLength,
+ ProtocolReturnBuffer, ReturnBufferLength, ProtocolStatus);
+ }
+
+ PLSA_AP_CALL_PACKAGE_PASSTHROUGH oldCallPackageUntrusted = 0;
+
+ NTSTATUS myCallPackageUntrusted(
+ PLSA_CLIENT_REQUEST ClientRequest,
+ PVOID ProtocolSubmitBuffer,
+ PVOID ClientBufferBase,
+ ULONG SubmitBufferLength,
+ PVOID* ProtocolReturnBuffer,
+ PULONG ReturnBufferLength,
+ PNTSTATUS ProtocolStatus
+ ) {
+#ifdef ENABLE_LSA_LOG
+ FILE *fp;
+ fopen_s(&fp, "C:\\lsa.txt", "a");
+ fprintf( fp, "LsaApCallPackagePassUntrusted\n");
+ fclose( fp);
+#endif // ENABLE_LSA_LOG
+ return (*oldCallPackageUntrusted)
+ (ClientRequest, ProtocolSubmitBuffer, ClientBufferBase, SubmitBufferLength,
+ ProtocolReturnBuffer, ReturnBufferLength, ProtocolStatus);
+ }
+
+
+ NTSTATUS NTAPI SpLsaModeInitialize(
+ ULONG LsaVersion,
+ PULONG PackageVersion,
+ PSECPKG_FUNCTION_TABLE* ppTables,
+ PULONG pcTables
+ ) {
+ if (!kerberosHandle)
+ kerberosHandle = LoadLibrary(L"kerberos.dll");
+ if (!msvHandle)
+ msvHandle = LoadLibrary(L"msv1_0.dll");
+
+#ifdef ENABLE_LSA_LOG
+#ifdef ENABLE_DEBUG
+ FILE *fp;
+ fopen_s(&fp, "C:\\lsa.txt", "a");
+ fprintf( fp, "SpLsaModeInitialize\n");
+ fprintf( fp, "kerberosHandle: %p\n", kerberosHandle);
+ fprintf( fp, "msvHandle: %p\n", msvHandle);
+ fclose( fp);
+#endif // ENABLE_DEBUG
+#endif // ENABLE_LSA_LOG
+
+ if (kerberosHandle) {
+ NTSTATUS status;
+
+ // Obtain MSV1_0 handle(s)
+ status = (*((SpLsaModeInitializeFn ) GetProcAddress( msvHandle, "SpLsaModeInitialize")))
+ (LsaVersion, PackageVersion, ppTables, pcTables);
+
+ oldMSVLogonUserEx2 = (MY_PLSA_AP_LOGON_USER_EX2) (*ppTables)->LogonUserEx2;
+
+ // Obtain Kerberos handle(s)
+ status = (*((SpLsaModeInitializeFn ) GetProcAddress( kerberosHandle, "SpLsaModeInitialize")))
+ (LsaVersion, PackageVersion, ppTables, pcTables);
+
+ oldLogonUserEx2 = (MY_PLSA_AP_LOGON_USER_EX2)(*ppTables)->LogonUserEx2;
+ (*ppTables)->LogonUserEx2 = (PLSA_AP_LOGON_USER_EX2) &myLogonUserEx2;
+ /*oldCallPackage = (*ppTables)->CallPackage;
+ (*ppTables)->CallPackage = &myCallPackage;
+ oldCallPackagePassthrough = (*ppTables)->CallPackagePassthrough;
+ (*ppTables)->CallPackagePassthrough = &myCallPackagePassthrough;
+ oldCallPackageUntrusted = (*ppTables)->CallPackageUntrusted;
+ (*ppTables)->CallPackageUntrusted = &myCallPackageUntrusted;
+ oldSpInitialize = (*ppTables)->Initialize;
+ (*ppTables)->Initialize = &SpInitialize;*/
+
+#ifdef ENABLE_LSA_LOG
+#ifdef ENABLE_DEBUG
+ fprintf( fp, "SpLsaModeInitialize %x Ready\n", status);
+#endif // ENABLE_DEBUG
+#endif // ENABLE_LSA_LOG
+ return status;
+ }
+ else {
+ return ERROR_INTERNAL_DB_ERROR;
+ }
+ }
+}
diff --git a/sc-ap/sspap3.sln b/sc-ap/sspap3.sln
index 7f6cf19..51074dd 100755
--- a/sc-ap/sspap3.sln
+++ b/sc-ap/sspap3.sln
@@ -1,21 +1,19 @@
-Microsoft Visual Studio Solution File, Format Version 8.00
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sspap3", "sspap3.vcproj", "{EA164A0F-6361-40D6-B356-B6E16EB9FA15}"
- ProjectSection(ProjectDependencies) = postProject
- EndProjectSection
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2012
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sspap3", "sspap3.vcxproj", "{EA164A0F-6361-40D6-B356-B6E16EB9FA15}"
EndProject
Global
- GlobalSection(SolutionConfiguration) = preSolution
- Debug = Debug
- Release = Release
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|Win32 = Debug|Win32
+ Release|Win32 = Release|Win32
EndGlobalSection
- GlobalSection(ProjectConfiguration) = postSolution
- {EA164A0F-6361-40D6-B356-B6E16EB9FA15}.Debug.ActiveCfg = Debug|Win32
- {EA164A0F-6361-40D6-B356-B6E16EB9FA15}.Debug.Build.0 = Debug|Win32
- {EA164A0F-6361-40D6-B356-B6E16EB9FA15}.Release.ActiveCfg = Release|Win32
- {EA164A0F-6361-40D6-B356-B6E16EB9FA15}.Release.Build.0 = Release|Win32
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {EA164A0F-6361-40D6-B356-B6E16EB9FA15}.Debug|Win32.ActiveCfg = Debug|Win32
+ {EA164A0F-6361-40D6-B356-B6E16EB9FA15}.Debug|Win32.Build.0 = Debug|Win32
+ {EA164A0F-6361-40D6-B356-B6E16EB9FA15}.Release|Win32.ActiveCfg = Release|Win32
+ {EA164A0F-6361-40D6-B356-B6E16EB9FA15}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
- GlobalSection(ExtensibilityGlobals) = postSolution
- EndGlobalSection
- GlobalSection(ExtensibilityAddIns) = postSolution
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
diff --git a/sc-ap/utility.cpp b/sc-ap/utility.cpp
index dd78a4c..2735083 100755
--- a/sc-ap/utility.cpp
+++ b/sc-ap/utility.cpp
@@ -50,7 +50,9 @@ mystring searchAndReplace( const mystring& inputString, const mystring& registry
while (reg.exists( registryKey + itos( i))) {
stringList searchReplace = reg.getValues( registryKey + itos( i));
if (searchReplace.size() != 2) {
- fprintf( fp, "registry key prependpath %d invalid\n", i);
+ if (fp) {
+ fprintf( fp, "registry key prependpath %d invalid\n", i);
+ }
continue;
}
mystring searchString = searchReplace.front();