//---------------------------------------------------------------------------
// TrustEnumerator.cpp
//
// definition of a COM object for enumerating trust relationships
//
// (c) Copyright 1999, Mission Critical Software, Inc., All Rights Reserved
//
// Proprietary and confidential to Mission Critical Software, Inc.
//---------------------------------------------------------------------------
// TrustEnumerator.cpp : Implementation of CTrustEnumerator
#include "stdafx.h"
#include "EnumTr.h"
#include "TrEnum.h"
#include <activeds.h>
#include <lm.h>
#include <dsgetdc.h>
#include "ntsecapi.h"
#import "\bin\McsVarSetMin.tlb"
#include "LSAUtils.h"
#include "UString.hpp"
#include "ErrDct.hpp"
#include "EaLen.hpp"
TErrorDct err;
/////////////////////////////////////////////////////////////////////////////
// CTrustEnumerator
#undef DIM
#define DIM(array) (sizeof(array) / sizeof(array[0]))
#define MAX_ELEM 16
using MCSVARSETMINLib::IVarSet;
using MCSVARSETMINLib::IVarSetPtr;
using MCSVARSETMINLib::VarSet;
// Get the LDAP distinguished name of the server
HRESULT
GetNameDc(
_bstr_t & sNameDc ,// out-LDAP distinguished name
const BSTR sServer // in -command line arguments
)
{
HRESULT hr;
CComPtr<IADs> pIRootDse = NULL;
_bstr_t sLdapPath;
sLdapPath = L"LDAP://";
if( sServer && wcslen(sServer) > 0 )
{
sLdapPath += sServer;
sLdapPath += L"/";
}
sLdapPath += L"RootDse";
hr = ADsGetObject(static_cast<WCHAR*>(sLdapPath), IID_IADs, (void **) &pIRootDse);
if ( FAILED(hr) )
{
return hr;
}
else
{
VARIANT var;
VariantInit(&var);
hr = pIRootDse->Get(L"DefaultNamingContext", &var);
if ( FAILED(hr) )
{
VariantClear(&var);
return hr;
}
else
{
sNameDc = var.bstrVal;
}
VariantClear(&var);
}
return S_OK;
}
// given a server name, get a pointer to an IADsContainer
HRESULT
getIADContainer
(
BSTR const server , // in, the server to use
IADsContainer ** ppIContainer // out
)
{
HRESULT hr;
_bstr_t sNameDc; // LDAP distinguished name
_bstr_t sLdapPath(L"LDAP://");
hr = GetNameDc(sNameDc, server);
if( FAILED(hr) ) { return hr; }
if( server )
{
sLdapPath += server;
sLdapPath += L"/";
}
sLdapPath += L"CN=System,";
sLdapPath += sNameDc;
hr = ADsGetObject(sLdapPath, IID_IADsContainer, (void **) ppIContainer);
return hr;
}
// clear all the elements of an array of variants
void
clearVariantArray(
VARIANT * array ,
unsigned int const numItems
)
{
for( VARIANT *currItem = array;
currItem < array + numItems;
++currItem )
{
VariantClear(currItem);
}
}
// This class maintains the state across multiple insertions into the VarSet.
// Mainly this is needed to name the servers properly: Server1, Server2, Server3, etc
class AdItemHandler
{
private:
IVarSetPtr pIVarset; // The VarSet in which to insert all items processed
int counter; // the number (converted to a string) to append to "Server" to get the name
AdItemHandler(){} // don't allow use of the default constructor
public:
AdItemHandler( IVarSetPtr & p ) : pIVarset(p), counter(1) {}
void insertItem( IADs * pObject );
};
// Take in an IADs an insert it into the VarSet if it is a TrustedDomain. The name to put it under
void AdItemHandler::
insertItem(
IADs * pObject // in -AD object
)
{
HRESULT hr;
WCHAR * sClass=NULL; // class
WCHAR * sName=NULL; // name
VARIANT var;
WCHAR numBuffer [3 * sizeof(int)]; // hold result of _itow
VariantInit(&var);
// See if desired class
hr = pObject->get_Class(&sClass);
if ( FAILED(hr) )
{ /* so what */ }
else
{
if ( !wcsicmp(L"TrustedDomain", sClass) )
{
hr = pObject->get_Name(&sName);
if ( FAILED(hr) )
{ /* so what */ }
else
{
_bstr_t name;
if( wcsncmp(sName, L"CN=", 3) == 0 )
{
name = (sName + 3); // chop off the leading "CN="
}
else
{
name = sName;
}
_bstr_t server(L"Server");
SysFreeString(sName);
server += _itow(counter++, numBuffer, 10); // the servers are named "Server1", "Server2", etc
hr = pIVarset->put(server + L".Name", name);
hr = pObject->Get(L"TrustDirection", &var);
if ( SUCCEEDED(hr) )
{
hr = pIVarset->put( server + L".TrustDirection", var );
}
VariantClear(&var);
hr = pObject->Get(L"TrustType", &var);
if ( SUCCEEDED(hr) )
{
hr = pIVarset->put( server + L".TrustType", var);
}
VariantClear(&var);
hr = pObject->Get(L"TrustAttributes", &var);
if ( SUCCEEDED(hr) )
{
hr = pIVarset->put( server + L".TrustAttributes", var);
}
VariantClear(&var);
}
}
SysFreeString(sClass);
}
}
BOOL IsDownLevel(WCHAR * sComputer)
{
BOOL bDownlevel = TRUE;
WKSTA_INFO_100 * pInfo;
long rc = NetWkstaGetInfo(sComputer,100,(LPBYTE*)&pInfo);
if ( ! rc )
{
if ( pInfo->wki100_ver_major >= 5 )
{
bDownlevel = FALSE;
}
NetApiBufferFree(pInfo);
}
return bDownlevel;
}
STDMETHODIMP CTrustEnumerator::createTrust(/*[in]*/ BSTR trustingDomain,/*[in]*/ BSTR trustedDomain)
{
HRESULT hr = S_OK;
WCHAR trustingComp[MAX_PATH];
WCHAR trustedComp[MAX_PATH];
WCHAR trustingDNSName[MAX_PATH];
WCHAR trustedDNSName[MAX_PATH];
WCHAR name[LEN_Domain];
DWORD lenName = DIM(name);
BYTE trustingSid[200];
BYTE trustedSid[200];
DWORD lenSid = DIM(trustingSid);
SID_NAME_USE snu;
DOMAIN_CONTROLLER_INFO * pInfo;
DWORD rc = 0;
LSA_HANDLE hTrusting = NULL;
LSA_HANDLE hTrusted = NULL;
NTSTATUS status;
LSA_AUTH_INFORMATION curr;
LSA_AUTH_INFORMATION prev;
WCHAR password[] = L"password";
rc = DsGetDcName(NULL, trustingDomain, NULL, NULL, DS_PDC_REQUIRED, &pInfo);
if ( !rc )
{
wcscpy(trustingComp,pInfo->DomainControllerName);
wcscpy(trustingDNSName,pInfo->DomainName);
NetApiBufferFree(pInfo);
}
rc = DsGetDcName(NULL, trustedDomain, NULL, NULL, DS_PDC_REQUIRED, &pInfo);
if ( !rc )
{
wcscpy(trustedComp,pInfo->DomainControllerName);
wcscpy(trustedDNSName,pInfo->DomainName);
NetApiBufferFree(pInfo);
}
// Need to get the computer name and the SIDs for the domains.
if ( ! LookupAccountName(trustingComp,trustingDomain,trustingSid,&lenSid,name,&lenName,&snu) )
{
rc = GetLastError();
return 1;
}
lenSid = DIM(trustedSid);
lenName = DIM(name);
if (! LookupAccountName(trustedComp,trustedDomain,trustedSid,&lenSid,name,&lenName,&snu) )
{
rc = GetLastError();
return 1;
}
// open an LSA handle to each domain
if ( *trustingComp && *trustedComp )
{
status = OpenPolicy(trustedComp,POLICY_VIEW_LOCAL_INFORMATION | POLICY_TRUST_ADMIN | POLICY_CREATE_SECRET,&hTrusted);
rc = LsaNtStatusToWinError(rc);
if ( ! rc )
{
// set up the auth information for the trust relationship
curr.AuthInfo = (LPBYTE)password;
curr.AuthInfoLength = sizeof (password);
curr.AuthType = TRUST_AUTH_TYPE_CLEAR;
curr.LastUpdateTime.QuadPart = 0;
prev.AuthInfo = NULL;
prev.AuthInfoLength = 0;
prev.AuthType = TRUST_AUTH_TYPE_CLEAR;
prev.LastUpdateTime.QuadPart = 0;
// set up the trusted side of the relationship
if ( IsDownLevel(trustedComp) )
{
// create an inter-domain trust account for the trusting domain on the trusted domain
USER_INFO_1 uInfo;
DWORD parmErr;
memset(&uInfo,0,(sizeof uInfo));
UStrCpy(name,trustingDomain);
name[UStrLen(name) + 1] = 0;
name[UStrLen(name)] = L'$';
uInfo.usri1_flags = UF_SCRIPT | UF_INTERDOMAIN_TRUST_ACCOUNT;
uInfo.usri1_name = name;
uInfo.usri1_password = password;
uInfo.usri1_priv = 1;
rc = NetUserAdd(trustedComp,1,(LPBYTE)&uInfo,&parmErr);
}
else
{
// Create the trustedDomain object.
LSA_UNICODE_STRING sTemp;
TRUSTED_DOMAIN_INFORMATION_EX trustedInfo;
TRUSTED_DOMAIN_AUTH_INFORMATION trustAuth;
InitLsaString(&sTemp, const_cast<WCHAR*>(trustingDomain));
trustedInfo.FlatName = sTemp;
InitLsaString(&sTemp, trustingDNSName);
trustedInfo.Name = sTemp;
trustedInfo.Sid = trustingSid;
if ( IsDownLevel(trustingComp) )
{
trustedInfo.TrustAttributes = TRUST_TYPE_DOWNLEVEL;
}
else
{
trustedInfo.TrustAttributes = TRUST_TYPE_UPLEVEL;
}
trustedInfo.TrustDirection = TRUST_DIRECTION_INBOUND;
trustedInfo.TrustType = TRUST_ATTRIBUTE_NON_TRANSITIVE;
trustAuth.IncomingAuthInfos = 1;
trustAuth.OutgoingAuthInfos = 0;
trustAuth.OutgoingAuthenticationInformation = NULL;
trustAuth.OutgoingPreviousAuthenticationInformation = NULL;
trustAuth.IncomingAuthenticationInformation = &curr;
trustAuth.IncomingPreviousAuthenticationInformation = &prev;
status = LsaCreateTrustedDomainEx( hTrusted, &trustedInfo, &trustAuth, POLICY_VIEW_LOCAL_INFORMATION |
POLICY_TRUST_ADMIN | POLICY_CREATE_SECRET, &hTrusting );
rc = LsaNtStatusToWinError(status);
if ( ! rc )
{
LsaClose(hTrusting);
hTrusting = NULL;
}
}
status = OpenPolicy(trustingComp,POLICY_VIEW_LOCAL_INFORMATION
| POLICY_TRUST_ADMIN | POLICY_CREATE_SECRET,&hTrusting);
rc = LsaNtStatusToWinError(rc);
// set up the trusting side of the relationship
if ( IsDownLevel(trustingComp) )
{
TRUSTED_DOMAIN_NAME_INFO nameInfo;
InitLsaString(&nameInfo.Name,const_cast<WCHAR*>(trustedDomain));
status = LsaSetTrustedDomainInformation(hTrusting,trustedSid,TrustedDomainNameInformation,&nameInfo);
rc = LsaNtStatusToWinError(status);
if ( ! rc )
{
// set the password for the new trust
TRUSTED_PASSWORD_INFO pwdInfo;
InitLsaString(&pwdInfo.Password,password);
InitLsaString(&pwdInfo.OldPassword,NULL);
status = LsaSetTrustedDomainInformation(hTrusting,trustedSid,TrustedPasswordInformation,&pwdInfo);
rc = LsaNtStatusToWinError(status);
}
}
else
{
// for Win2K domain, use LsaCreateTrustedDomainEx
// to create the trustedDomain object.
LSA_UNICODE_STRING sTemp;
TRUSTED_DOMAIN_INFORMATION_EX trustedInfo;
TRUSTED_DOMAIN_AUTH_INFORMATION trustAuth;
InitLsaString(&sTemp, const_cast<WCHAR*>(trustedDomain));
trustedInfo.FlatName = sTemp;
InitLsaString(&sTemp, trustedDNSName);
trustedInfo.Name = sTemp;
trustedInfo.Sid = trustedSid;
if ( IsDownLevel(trustedComp) )
{
trustedInfo.TrustAttributes = TRUST_TYPE_DOWNLEVEL;
}
else
{
trustedInfo.TrustAttributes = TRUST_TYPE_UPLEVEL;
}
trustedInfo.TrustDirection = TRUST_DIRECTION_OUTBOUND;
trustedInfo.TrustType = TRUST_ATTRIBUTE_NON_TRANSITIVE;
trustAuth.IncomingAuthInfos = 0;
trustAuth.OutgoingAuthInfos = 1;
trustAuth.IncomingAuthenticationInformation = NULL;
trustAuth.IncomingPreviousAuthenticationInformation = NULL;
trustAuth.OutgoingAuthenticationInformation = &curr;
trustAuth.OutgoingPreviousAuthenticationInformation = &prev;
LSA_HANDLE hTemp;
status = LsaCreateTrustedDomainEx( hTrusting, &trustedInfo, &trustAuth, 0, &hTemp );
rc = LsaNtStatusToWinError(status);
if( ! rc )
{
LsaClose(hTemp);
}
}
}
}
if ( hTrusting )
LsaClose(hTrusting);
if( hTrusted )
LsaClose(hTrusted);
return HRESULT_FROM_WIN32(rc);
}
// externally visible method
STDMETHODIMP CTrustEnumerator::
getTrustRelations
(
BSTR server ,// in, The name of the server from which to get trust information
IUnknown ** enumeration // [out, retval] a pointer to an IVarSet containing the enumerated machines
)
{
*enumeration = NULL;
IVarSetPtr pIVarset = NULL;
CComPtr<IADsContainer> pIContainer = NULL;
HRESULT hr;
IEnumVARIANT * pIContents=NULL;
hr = getIADContainer(server, &pIContainer);
if( FAILED(hr) ) { return hr; }
hr = pIVarset.CreateInstance(__uuidof(VarSet));
if( FAILED(hr) ) { return hr; }
AdItemHandler handler(pIVarset);
hr = ADsBuildEnumerator(pIContainer, &pIContents);
if( FAILED(hr) ) { return hr; }
DWORD nRead=0; // number enumerated items returned
do
{
VARIANT arrayEnumItems[MAX_ELEM]; // array of enumerated items
VARIANT * pEnumItem; // enumerated item
nRead = 0;
memset(arrayEnumItems, 0, sizeof arrayEnumItems);
hr = ADsEnumerateNext(
pIContents,
DIM(arrayEnumItems),
arrayEnumItems,
&nRead );
if( FAILED(hr) ) { return hr; }
const VARIANT *pEndOfItems = arrayEnumItems + nRead;
for ( pEnumItem = arrayEnumItems;
pEnumItem < pEndOfItems;
pEnumItem++ )
{
CComPtr<IDispatch> pDispatch (pEnumItem->pdispVal);
CComPtr<IADs> pObject;
hr = pDispatch->QueryInterface(
IID_IADs,
(void **) &pObject );
if ( FAILED(hr) )
{
clearVariantArray(arrayEnumItems, nRead);
return hr;
}
if ( SUCCEEDED(hr) )
handler.insertItem(pObject); // insert the item into the varset if necessary
}
clearVariantArray(arrayEnumItems, nRead);
} while ( nRead );
if ( pIContents )
{
ADsFreeEnumerator( pIContents );
// pIContents->Release();
pIContents = NULL;
}
hr = pIVarset->QueryInterface(__uuidof(IUnknown), reinterpret_cast<void**>(enumeration));
return hr;
}