internal GlobalFileWritingSystemStore(string path) { m_path = path; if (!Directory.Exists(m_path)) { DirectoryInfo di; // Provides FW on Linux multi-user access. Overrides the system // umask and creates the directory with the permissions "775". // The "fieldworks" group was created outside the app during // configuration of the package which allows group access. using(new FileModeOverride()) { di = Directory.CreateDirectory(m_path); } if (!MiscUtils.IsUnix) { // NOTE: GetAccessControl/ModifyAccessRule/SetAccessControl is not implemented in Mono DirectorySecurity ds = di.GetAccessControl(); var sid = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null); AccessRule rule = new FileSystemAccessRule(sid, FileSystemRights.Write | FileSystemRights.ReadAndExecute | FileSystemRights.Modify, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow); bool modified; ds.ModifyAccessRule(AccessControlModification.Add, rule, out modified); di.SetAccessControl(ds); } } m_mutex = SingletonsContainer.Get(typeof(Mutex).FullName + m_path, () => new Mutex(false, m_path.Replace('\\', '_').Replace('/', '_'))); }
public static ActionResult SetRightAction(Session session) { try { string folder = Path.Combine( Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData), "digiCamControl"); if (!Directory.Exists(folder)) { Directory.CreateDirectory(folder); } DirectoryInfo dInfo = new DirectoryInfo(folder); DirectorySecurity dSecurity = dInfo.GetAccessControl(); SecurityIdentifier everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null); dSecurity.AddAccessRule(new FileSystemAccessRule(everyone, FileSystemRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly, AccessControlType.Allow)); dInfo.SetAccessControl(dSecurity); string cachfolder = Path.Combine( Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData), "digiCamControl", "Cache"); if (Directory.Exists(cachfolder)) { Directory.Delete(cachfolder, true); } } catch (Exception ex) { session.Log("Set right error " + ex.Message); } return ActionResult.Success; }
public static void AddUrlAcl(string address) { var everyoneID = new SecurityIdentifier(WellKnownSidType.WorldSid, null); var ntAccount = (NTAccount)everyoneID.Translate(typeof(NTAccount)); AddUrlAcl(address, ntAccount.Value); }
public static void BinaryLength_AdditionalTestCases() { RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; string sid = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString(); int expectedLength = 0; //case 1, DiscretionaryAcl with huge number of Aces revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); expectedLength = 8; for (int i = 0; i < 1820; i++) { gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null); rawAcl.InsertAce(0, gAce); expectedLength += gAce.BinaryLength; } discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl); Assert.True(expectedLength == discretionaryAcl.BinaryLength); }
public void SecurityIdentifierExtensions_GetBinaryForm_Test1() { SecurityIdentifier sid = new SecurityIdentifier("S-1-5-21-3180365339-800773672-3767752645-500"); byte[] binary = sid.GetBinaryForm(); SecurityIdentifier sid2 = new SecurityIdentifier(binary, 0); Assert.AreEqual(sid, sid2); }
public static void TakeOwnership(string FD) { try { var myProcToken = new AccessTokenProcess(Process.GetCurrentProcess().Id, TokenAccessType.TOKEN_ALL_ACCESS | TokenAccessType.TOKEN_ADJUST_PRIVILEGES); myProcToken.EnablePrivilege(new Microsoft.Win32.Security.TokenPrivilege(Microsoft.Win32.Security.TokenPrivilege.SE_TAKE_OWNERSHIP_NAME, true)); SecurityIdentifier identifier = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null); NTAccount identity = (NTAccount)identifier.Translate(typeof(NTAccount)); if (File.Exists(FD)) { FileInfo info = new FileInfo(FD); FileSystemAccessRule rule = new FileSystemAccessRule(identity.Value, FileSystemRights.FullControl, AccessControlType.Allow); FileSecurity accessControl = info.GetAccessControl(AccessControlSections.Owner); accessControl.SetOwner(new NTAccount(identity.Value)); info.SetAccessControl(accessControl); accessControl.AddAccessRule(rule); info.SetAccessControl(accessControl); } if (Directory.Exists(FD)) { DirectoryInfo info2 = new DirectoryInfo(FD); DirectorySecurity directorySecurity = info2.GetAccessControl(AccessControlSections.All); directorySecurity.SetOwner(identity); info2.SetAccessControl(directorySecurity); directorySecurity.AddAccessRule(new FileSystemAccessRule(identity, FileSystemRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow)); info2.SetAccessControl(directorySecurity); } Clear(FD); } catch (Exception) { } }
internal CommonAce (AceType type, AceFlags flags, int accessMask, SecurityIdentifier sid, byte[] opaque) : base(type, flags, opaque) { AccessMask = accessMask; SecurityIdentifier = sid; }
// Constructor. public CommonAce(AceFlags flags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, bool isCallback, byte[] opaque) : base(flags, (AceType)qualifier, accessMask, sid, opaque, qualifier, isCallback) { // Nothing to do here. }
public static bool ObtainMutex(string settingsFolder) { SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.WorldSid, null); MutexSecurity security = new MutexSecurity(); bool useDefaultSecurity = false; bool createdNew; try { security.AddAccessRule(new MutexAccessRule(sid, MutexRights.FullControl, AccessControlType.Allow)); security.AddAccessRule(new MutexAccessRule(sid, MutexRights.ChangePermissions, AccessControlType.Deny)); security.AddAccessRule(new MutexAccessRule(sid, MutexRights.Delete, AccessControlType.Deny)); } catch (Exception ex) { if (ex is ArgumentOutOfRangeException || ex is NotImplementedException) { // Workaround for Mono useDefaultSecurity = true; } else { throw; } } string name = @"Global\ChanThreadWatch_" + General.Calculate64BitMD5(Encoding.UTF8.GetBytes( settingsFolder.ToUpperInvariant())).ToString("X16"); Mutex mutex = !useDefaultSecurity ? new Mutex(false, name, out createdNew, security) : new Mutex(false, name); try { if (!mutex.WaitOne(0, false)) { return false; } } catch (AbandonedMutexException) { } ReleaseMutex(); _mutex = mutex; return true; }
public static bool CheckUserRights(string userLogin, string rightName) { string programName = WebConfigurationManager.AppSettings["progName"]; bool flag = false; SqlParameter pProgramName = new SqlParameter() { ParameterName = "program_name", Value = programName, DbType = DbType.AnsiString }; SqlParameter pRightName = new SqlParameter() { ParameterName = "sys_name", Value = rightName, DbType = DbType.AnsiString }; DataTable dt = new DataTable(); dt = ExecuteQueryStoredProcedure(sp, "getUserGroupSid", pProgramName, pRightName); if (dt.Rows.Count > 0) { DataRow dr = dt.Rows[0]; string sid = dr["sid"].ToString(); try { WindowsIdentity wi = new WindowsIdentity(userLogin); WindowsPrincipal wp = new WindowsPrincipal(wi); SecurityIdentifier grpSid = new SecurityIdentifier(sid); flag = wp.IsInRole(grpSid); } catch (Exception ex) { flag = false; } } return flag; }
/// <summary>Checks if the current process has the necessary permissions to a folder. This allows "custom" elevation of limited users -- allowing them control over normally restricted folders.</summary> /// <param name="folder">The full path to the folder to check.</param> /// <returns>True if the user has permission, false if not.</returns> static bool HaveFolderPermissions(string folder) { try { const FileSystemRights RightsNeeded = FileSystemRights.Traverse | FileSystemRights.DeleteSubdirectoriesAndFiles | FileSystemRights.ListDirectory | FileSystemRights.CreateFiles | FileSystemRights.CreateDirectories | FileSystemRights.Modify; //Read, ExecuteFile, Write, Delete FileSystemSecurity security = Directory.GetAccessControl(folder); var rules = security.GetAccessRules(true, true, typeof(NTAccount)); var currentuser = new WindowsPrincipal(WindowsIdentity.GetCurrent()); FileSystemRights RightsHave = 0; FileSystemRights RightsDontHave = 0; foreach (FileSystemAccessRule rule in rules) { // First check to see if the current user is even in the role, if not, skip if (rule.IdentityReference.Value.StartsWith("S-1-")) { var sid = new SecurityIdentifier(rule.IdentityReference.Value); if (!currentuser.IsInRole(sid)) continue; } else { if (!currentuser.IsInRole(rule.IdentityReference.Value)) continue; } if (rule.AccessControlType == AccessControlType.Deny) RightsDontHave |= rule.FileSystemRights; else RightsHave |= rule.FileSystemRights; } // exclude "RightsDontHave" RightsHave &= ~RightsDontHave; //Note: We're "XOR"ing with RightsNeeded to eliminate permissions that // "RightsHave" and "RightsNeeded" have in common. Then we're // ANDing that result with RightsNeeded to get permissions in // "RightsNeeded" that are missing from "RightsHave". The result // should be 0 if the user has RightsNeeded over the folder (even // if "RightsHave" has flags that aren't present in the // "RightsNeeded" -- which can happen because "RightsNeeded" isn't // *every* possible flag). // Check if the user has full control over the folder. return ((RightsHave ^ RightsNeeded) & RightsNeeded) == 0; } catch { return false; } }
public void Execute() { PrintHeader(); var id = WindowsIdentity.GetCurrent(); Console.WriteLine("Identity Id: " + id.Name); var account = new NTAccount(id.Name); var sid = account.Translate(typeof(SecurityIdentifier)); Console.WriteLine("SecurityIdentifier (sid): " + sid.Value); foreach (var group in id.Groups.Translate(typeof(NTAccount))) Console.WriteLine("InGroup: " + group); var principal = new WindowsPrincipal(id); var localAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null); Console.WriteLine("IsInRole(localAdmin): " + principal.IsInRole(localAdmins)); var domainAdmins = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, id.User.AccountDomainSid); Console.WriteLine("IsInRole(domainAdmin): " + principal.IsInRole(domainAdmins)); Console.WriteLine(); // be aware for desktop/local accounts User Account Control (UAC from Vista) strips user of admin rights, // unless the process was run elevated "as Admin". }
/// <summary> /// Initializes a new instance of the <see cref="T:SqlAzManSID"/> class. /// </summary> /// <param name="sddlForm">The SDDL form.</param> /// <param name="customSid">if set to <c>true</c> [custom sid].</param> public SqlAzManSID(string sddlForm, bool customSid) { Regex isGuid = new Regex(@"^(\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}$", RegexOptions.Compiled); if (customSid) { Guid g; if (sddlForm.StartsWith("S-1")) { this.securityIdentifier = new SecurityIdentifier(sddlForm); } else if (IsGuid(sddlForm, out g)) { this.customSid = g.ToByteArray(); } else { int discarded; this.customSid = NetSqlAzMan.Utilities.HexEncoding.GetBytes(sddlForm, out discarded); } } else { if (sddlForm.StartsWith("S-1")) this.securityIdentifier = new SecurityIdentifier(sddlForm); else guid = new Guid(sddlForm); } }
public static void GetEveryoneAccessToPath(string path) { DirectorySecurity directoryAccessControl = Directory.GetAccessControl(path); SecurityIdentifier everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null); directoryAccessControl.AddAccessRule(new FileSystemAccessRule(everyone, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow)); Directory.SetAccessControl(path, directoryAccessControl); }
public void ChangeGroupToEveryone () { string keyName = @"SOFTWARE\Mono RegistrySecurityTest ChangeGroupToEveryone"; RegistrySecurity security; if (PlatformID.Win32NT != Environment.OSVersion.Platform) { Assert.Ignore (); return; } try { using (RegistryKey key = Registry.CurrentUser.CreateSubKey (keyName)) { // Before we begin manipulating this, make sure we're in the right spot. Assert.AreEqual (key.Name, @"HKEY_CURRENT_USER\" + keyName); // Set the group to Everyone. SecurityIdentifier worldSid = new SecurityIdentifier ("WD"); security = key.GetAccessControl (); security.SetGroup (worldSid); key.SetAccessControl (security); // Make sure it actually became Everyone. security = key.GetAccessControl (); Assert.AreEqual (worldSid, security.GetGroup (typeof(SecurityIdentifier))); } } finally { Registry.CurrentUser.DeleteSubKey (keyName); } }
public static Mutex GrabMutex(string name) { var mutexName = "kalixLuceneSegmentMutex_" + name; try { return Mutex.OpenExisting(mutexName); } catch (WaitHandleCannotBeOpenedException) { var worldSid = new SecurityIdentifier(WellKnownSidType.WorldSid, null); var security = new MutexSecurity(); var rule = new MutexAccessRule(worldSid, MutexRights.FullControl, AccessControlType.Allow); security.AddAccessRule(rule); var mutexIsNew = false; return new Mutex(false, mutexName, out mutexIsNew, security); } catch (UnauthorizedAccessException) { var m = Mutex.OpenExisting(mutexName, MutexRights.ReadPermissions | MutexRights.ChangePermissions); var security = m.GetAccessControl(); var user = Environment.UserDomainName + "\\" + Environment.UserName; var rule = new MutexAccessRule(user, MutexRights.Synchronize | MutexRights.Modify, AccessControlType.Allow); security.AddAccessRule(rule); m.SetAccessControl(security); return Mutex.OpenExisting(mutexName); } }
// Gets the login name of the Livelink user that the specified SharePoint user maps to. public string GetLoginName(SPUser user) { if (user == null) throw new ArgumentNullException("user"); // SPUser.LoginName contains domain\user for web applications with the pure Windows // authentication but if the claim-based authentication is used it returns an encoded // claim that must be decoded to the actual user login name first. var claim = SPClaimProviderManager.Local.ConvertSPUserToClaim(user); string login; if (SPClaimTypes.Equals(claim.ClaimType, SPClaimTypes.UserLogonName) || SPClaimTypes.Equals(claim.ClaimType, "http://schemas.microsoft.com/sharepoint/2009/08/claims/processidentitylogonname")) { login = claim.Value; } else if (SPClaimTypes.Equals(claim.ClaimType, SPClaimTypes.UserIdentifier) || SPClaimTypes.Equals(claim.ClaimType, "http://schemas.microsoft.com/sharepoint/2009/08/claims/processidentitysid") || SPClaimTypes.Equals(claim.ClaimType, "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid")) { var identifier = new SecurityIdentifier(claim.Value); login = identifier.Translate(typeof(NTAccount)).Value; } else { throw new ApplicationException( "No claim with either user name or SID was found to infer the login name from."); } // Here we assume either plain user name or a combination with the Windows domain. var parts = login.Split('\\'); var name = parts.Length > 1 ? parts[1] : login; var domain = parts.Length > 1 ? parts[0] : ""; return Pattern.ReplaceParameter("login", login).ReplaceParameter("user", name). ReplaceParameter("domain", domain); }
public void FromBytes(byte[] bytes) { using (var stream = new MemoryStream(bytes, false)) using (var reader = new BinaryReader(stream)) { Type = (WinBioIdentityType)reader.ReadInt32(); switch (Type) { case WinBioIdentityType.Null: Null = reader.ReadInt32(); break; case WinBioIdentityType.Wildcard: Wildcard = reader.ReadInt32(); break; case WinBioIdentityType.GUID: TemplateGuid = new Guid(reader.ReadBytes(16)); break; case WinBioIdentityType.SID: AccountSidSize = reader.ReadInt32(); AccountSid = new SecurityIdentifier(reader.ReadBytes(AccountSidSize), 0); break; default: throw new ArgumentOutOfRangeException(); } } }
public SamDomain OpenDomain(SecurityIdentifier domainSid, SamDomainAccessMask accessMask) { SafeSamHandle domainHandle; NtStatus result = NativeMethods.SamOpenDomain(this.Handle, accessMask, domainSid, out domainHandle); Validator.AssertSuccess(result); return new SamDomain(domainHandle); }
protected override void SetUp() { MsmqUtil.Delete(InputQueueName); _handlerActivator = new BuiltinHandlerActivator(); _bus = Configure.With(_handlerActivator) .Logging(l => l.Console()) .Transport(t => { t.UseMsmq(InputQueueName) .OnCreated(queue => { queue.ResetPermissions(); var user = new SecurityIdentifier(WellKnownSidType.WorldSid, null) .Translate(typeof(NTAccount)) .ToString(); queue.SetPermissions(user, MessageQueueAccessRights.FullControl); }); }) .Routing(r => r.TypeBased().Map<string>(InputQueueName)) .Options(o => o.SetNumberOfWorkers(1)) .Start(); Using(_bus); }
public static SecurityIdentifier GetSidFromClaim(string claimValue) { SecurityIdentifier sid = null; SPClaimProviderManager claimManager = SPClaimProviderManager.Local; if (claimManager == null) { throw new ApplicationException("Unable to access the claims provider manager."); } try { SPClaim claim = claimManager.DecodeClaim(claimValue); if (claim.OriginalIssuer.Equals("Windows", StringComparison.OrdinalIgnoreCase)) { if (claim.ClaimType.Equals(Microsoft.IdentityModel.Claims.ClaimTypes.GroupSid, StringComparison.OrdinalIgnoreCase)) { sid = new SecurityIdentifier(claim.Value); } else if (claim.ClaimType.Equals(Microsoft.SharePoint.Administration.Claims.SPClaimTypes.UserLogonName, StringComparison.OrdinalIgnoreCase)) { NTAccount userAccount = new NTAccount(claim.Value); sid = (SecurityIdentifier)userAccount.Translate(typeof(SecurityIdentifier)); } } } catch (ArgumentException currentException) { GlymaSearchLogger.WriteTrace(LogCategoryId.Security, TraceSeverity.Unexpected, "The following exception occured when attempting to decode the claim, " + claimValue + " : " + currentException.ToString()); } return sid; }
public static void GetUser(SecurityIdentifier sid, StringBuilder sb, StringBuilder referencedDomainName, StringBuilder name) { try { if (sid == null) return; sb.Append("; User="); referencedDomainName.Remove(0, referencedDomainName.Length); name.Remove(0, name.Length); var b = new byte[sid.BinaryLength]; sid.GetBinaryForm(b, 0); var cchName = (uint)name.Capacity; var cchReferencedDomainName = (uint)referencedDomainName.Capacity; SidHelper.SidNameUse sidUse; if (SidHelper.LookupAccountSid(null, b, name, ref cchName, referencedDomainName, ref cchReferencedDomainName, out sidUse)) { if (referencedDomainName.Length > 0) sb.Append(referencedDomainName).Append('\\'); sb.Append(name); return; } } catch { } sb.Append(sid); }
public static string GetProfileDir(SecurityIdentifier sid) { //"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-534125731-1308685933-1530606844-1000}" using (RegistryKey key = Registry.LocalMachine.OpenSubKey(ROOT_PROFILE_KEY)) { if (key != null) { foreach (string keyName in key.GetSubKeyNames()) { if (keyName == sid.ToString()) { using(RegistryKey subKey = Registry.LocalMachine.OpenSubKey(string.Format("{0}\\{1}", ROOT_PROFILE_KEY, keyName))) { return (string) subKey.GetValue("ProfileImagePath", null, RegistryValueOptions.None); } } } throw new KeyNotFoundException(string.Format("Unable to find value for: {0}", sid)); } else { throw new KeyNotFoundException(string.Format("Unable to open registry key")); } } }
internal AppPool(string appPoolId, bool enabled, SecurityIdentifier securityIdentifier) { this.apps = new List<App>(); this.appPoolId = appPoolId; this.enabled = enabled; this.securityIdentifier = securityIdentifier; }
public RawSecurityDescriptor (byte[] binaryForm, int offset) { if (binaryForm == null) throw new ArgumentNullException("binaryForm"); if (offset < 0 || offset > binaryForm.Length - 0x14) throw new ArgumentOutOfRangeException("offset", offset, "Offset out of range"); if (binaryForm[offset] != 1) throw new ArgumentException("Unrecognized Security Descriptor revision.", "binaryForm"); resourcemgr_control = binaryForm[offset + 0x01]; control_flags = (ControlFlags)ReadUShort(binaryForm, offset + 0x02); int ownerPos = ReadInt(binaryForm, offset + 0x04); int groupPos = ReadInt(binaryForm, offset + 0x08); int saclPos = ReadInt(binaryForm, offset + 0x0C); int daclPos = ReadInt(binaryForm, offset + 0x10); if (ownerPos != 0) owner_sid = new SecurityIdentifier(binaryForm, ownerPos); if (groupPos != 0) group_sid = new SecurityIdentifier(binaryForm, groupPos); if (saclPos != 0) system_acl = new RawAcl(binaryForm, saclPos); if (daclPos != 0) discretionary_acl = new RawAcl(binaryForm, daclPos); }
private static bool TestAddAccess(DiscretionaryAcl discretionaryAcl, RawAcl rawAcl, AccessControlType accessControlType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags) { bool result = true; byte[] dAclBinaryForm = null; byte[] rAclBinaryForm = null; discretionaryAcl.AddAccess(accessControlType, sid, accessMask, inheritanceFlags, propagationFlags); if (discretionaryAcl.Count == rawAcl.Count && discretionaryAcl.BinaryLength == rawAcl.BinaryLength) { dAclBinaryForm = new byte[discretionaryAcl.BinaryLength]; rAclBinaryForm = new byte[rawAcl.BinaryLength]; discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0); rawAcl.GetBinaryForm(rAclBinaryForm, 0); if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm)) result = false; //redundant index check for (int i = 0; i < discretionaryAcl.Count; i++) { if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i])) { result = false; break; } } } else result = false; return result; }
public SidWrapper FindSid(string account) { SecurityIdentifier sid = null; try { // first, let's try this as a sid (SDDL) string sid = new SecurityIdentifier(account); return new SidWrapper { Sid = sid}; } catch { } try { // maybe it's an account/group name var name = new NTAccount(account); sid = (SecurityIdentifier)name.Translate(typeof(SecurityIdentifier)); if (sid != null) { return new SidWrapper { Sid = sid }; } } catch { } return null; }
private static bool TestRemoveAudit(SystemAcl systemAcl, RawAcl rawAcl, AuditFlags auditFlag, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, bool removePossible) { bool result = true; bool isRemoved = false; byte[] sAclBinaryForm = null; byte[] rAclBinaryForm = null; isRemoved = systemAcl.RemoveAudit(auditFlag, sid, accessMask, inheritanceFlags, propagationFlags); if ((isRemoved == removePossible) && (systemAcl.Count == rawAcl.Count) && (systemAcl.BinaryLength == rawAcl.BinaryLength)) { sAclBinaryForm = new byte[systemAcl.BinaryLength]; rAclBinaryForm = new byte[rawAcl.BinaryLength]; systemAcl.GetBinaryForm(sAclBinaryForm, 0); rawAcl.GetBinaryForm(rAclBinaryForm, 0); if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm)) result = false; //redundant index check for (int i = 0; i < systemAcl.Count; i++) { if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i])) { result = false; break; } } } else result = false; return result; }
private void btnOK_Click(object sender, EventArgs e) { bool success = false; try { Sid = new SecurityIdentifier(textBoxSid.Text); success = true; } catch (Exception) { } if (!success) { try { NTAccount acct = new NTAccount(textBoxSid.Text); Sid = (SecurityIdentifier)acct.Translate(typeof(SecurityIdentifier)); success = true; } catch (Exception ex) { MessageBox.Show(this, ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); } } if (success) { DialogResult = DialogResult.OK; Close(); } }
private void _init() { var physicalApplicationPath = Path.GetDirectoryName(Assembly.GetEntryAssembly().Location); physicalApplicationPath = Utl.NormalizeDir(Directory.GetParent(physicalApplicationPath).FullName); this.logFileName = physicalApplicationPath + "xlfrpt2_srvc.log"; this.log_msg("*************************************** Инициализация \"Очереди отчетов\"... ***************************************************"); this.log_msg("\tЗагрузка конфигурации..."); this._cfg = CConfigSys.load(physicalApplicationPath, this.logFileName); this._cfg.msgLogWriter = this.log_msg; this._cfg.errLogWriter = this.log_err; this.log_msg("\tКонфигурация загружена."); this.log_msg("\tИнициализация сервера Ipc..."); // Create the server channel. SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null); NTAccount account = sid.Translate(typeof(NTAccount)) as NTAccount; IDictionary channelProperties = new Hashtable(); channelProperties["portName"] = "Bio.Handlers.XLFRpt2.CQueueRemoteControl.Ipc"; channelProperties["exclusiveAddressUse"] = false; channelProperties["authorizedGroup"] = account.Value; channelProperties["typeFilterLevel"] = TypeFilterLevel.Full; IpcChannel serverChannel = new IpcChannel(channelProperties, null, null); ChannelServices.RegisterChannel(serverChannel, false); // Expose an object for remote calls. RemotingConfiguration.RegisterWellKnownServiceType( typeof(CQueueRemoteControl), "QueueRemoteControl.rem", WellKnownObjectMode.Singleton); this.log_msg("\tСервер Ipc инициализирован."); this.log_msg("*************************************** Инициализация \"Очереди отчетов\" выполнена. ***************************************************"); }
public List <string> GetNestedGroupMembershipsByTokenGroup(string userDN, string psenha) { List <string> nestedGroups = new List <string>(); string conexaoAD = ConfigurationManager.AppSettings["StringLDAP"]; DirectoryEntry userEnrty = new DirectoryEntry(conexaoAD, userDN, psenha); // Use RefreshCach para obter os tokenGroups do atributo construído. userEnrty.RefreshCache(new string[] { "tokenGroups" }); foreach (byte[] sid in userEnrty.Properties["tokenGroups"]) { string groupSID = new System.Security.Principal.SecurityIdentifier(sid, 0).ToString(); DirectoryEntry grpuEnrty = new DirectoryEntry(conexaoAD, userDN, psenha); nestedGroups.Add(grpuEnrty.Properties["samAccountName"][0].ToString()); } return(nestedGroups); }
public static List <ADGroup> GetADGroups(IdentityReferenceCollection Groups) { List <ADGroup> aDGroups = new List <ADGroup>(); try { foreach (IdentityReference g in Groups) { string groupName = new System.Security.Principal.SecurityIdentifier(g.Value).Translate(typeof(System.Security.Principal.NTAccount)).ToString(); aDGroups.Add(new ADGroup() { Name = groupName, DisplayName = g.Value } ); } } catch (Exception ex) { //TODO: Log } return(aDGroups); }
public static void Add_DomainObjectAcl(Args_Add_DomainObjectAcl args = null) { if (args == null) { args = new Args_Add_DomainObjectAcl(); } var TargetSearcherArguments = new Args_Get_DomainObject { Properties = new[] { "distinguishedname" }, Raw = true, Domain = args.TargetDomain, LDAPFilter = args.TargetLDAPFilter, SearchBase = args.TargetSearchBase, Server = args.Server, SearchScope = args.SearchScope, ResultPageSize = args.ResultPageSize, ServerTimeLimit = args.ServerTimeLimit, Tombstone = args.Tombstone, Credential = args.Credential }; var PrincipalSearcherArguments = new Args_Get_DomainObject { Identity = args.PrincipalIdentity, Properties = new[] { "distinguishedname", "objectsid" }, Domain = args.PrincipalDomain, Server = args.Server, SearchScope = args.SearchScope, ResultPageSize = args.ResultPageSize, ServerTimeLimit = args.ServerTimeLimit, Tombstone = args.Tombstone, Credential = args.Credential }; var Principals = GetDomainObject.Get_DomainObject(PrincipalSearcherArguments); if (Principals == null) { throw new Exception($@"Unable to resolve principal: {args.PrincipalIdentity}"); } TargetSearcherArguments.Identity = args.TargetIdentity; var Targets = GetDomainObject.Get_DomainObject(TargetSearcherArguments); foreach (SearchResult TargetObject in Targets) { var InheritanceType = System.DirectoryServices.ActiveDirectorySecurityInheritance.None; var ControlType = System.Security.AccessControl.AccessControlType.Allow; var ACEs = new List <System.DirectoryServices.ActiveDirectoryAccessRule>(); var GUIDs = new List <string>(); if (args.RightsGUID != null) { GUIDs.Add(args.RightsGUID.ToString()); } else { switch (args.Rights) { // ResetPassword doesn't need to know the user's current password case Rights.ResetPassword: GUIDs.Add("00299570-246d-11d0-a768-00aa006e0529"); break; // allows for the modification of group membership case Rights.WriteMembers: GUIDs.Add("bf9679c0 -0de6-11d0-a285-00aa003049e2"); break; // 'DS-Replication-Get-Changes' = 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 // 'DS-Replication-Get-Changes-All' = 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 // 'DS-Replication-Get-Changes-In-Filtered-Set' = 89e95b76-444d-4c62-991a-0facbeda640c // when applied to a domain's ACL, allows for the use of DCSync case Rights.DCSync: GUIDs.Add("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"); GUIDs.Add("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"); GUIDs.Add("89e95b76-444d-4c62-991a-0facbeda640c"); break; } } foreach (LDAPProperty PrincipalObject in Principals) { Logger.Write_Verbose($@"[Add-DomainObjectAcl] Granting principal {PrincipalObject.distinguishedname} '{args.Rights}' on {TargetObject.Properties["distinguishedname"][0]}"); try { var Identity = new System.Security.Principal.SecurityIdentifier(PrincipalObject.objectsid[0]); if (GUIDs != null) { foreach (var GUID in GUIDs) { var NewGUID = new Guid(GUID); var ADRights = System.DirectoryServices.ActiveDirectoryRights.ExtendedRight; ACEs.Add(new System.DirectoryServices.ActiveDirectoryAccessRule(Identity, ADRights, ControlType, NewGUID, InheritanceType)); } } else { // deault to GenericAll rights var ADRights = System.DirectoryServices.ActiveDirectoryRights.GenericAll; ACEs.Add(new System.DirectoryServices.ActiveDirectoryAccessRule(Identity, ADRights, ControlType, InheritanceType)); } // add all the new ACEs to the specified object directory entry foreach (var ACE in ACEs) { Logger.Write_Verbose($@"[Add-DomainObjectAcl] Granting principal {PrincipalObject.distinguishedname} rights GUID '{ACE.ObjectType}' on {TargetObject.Properties["distinguishedname"][0]}"); var TargetEntry = TargetObject.GetDirectoryEntry(); TargetEntry.Options.SecurityMasks = SecurityMasks.Dacl; TargetEntry.ObjectSecurity.AddAccessRule(ACE); TargetEntry.CommitChanges(); } } catch (Exception e) { Logger.Write_Verbose($@"[Add-DomainObjectAcl] Error granting principal {PrincipalObject.distinguishedname} '{args.Rights}' on {TargetObject.Properties["distinguishedname"][0]}: {e}"); } } } }
public static LDAPProperty Convert_LDAPProperty(System.DirectoryServices.ResultPropertyCollection Properties) { var ObjectProperties = new LDAPProperty(); foreach (string propName in Properties.PropertyNames) { if (string.Compare(propName, @"adspath", StringComparison.OrdinalIgnoreCase) != 0) { if (string.Compare(propName, @"objectsid", StringComparison.OrdinalIgnoreCase) == 0 || string.Compare(propName, @"sidhistory", StringComparison.OrdinalIgnoreCase) == 0) { // convert all listed sids (i.e. if multiple are listed in sidHistory) var values = new List <string>(); foreach (var property in Properties[propName]) { var sid = new System.Security.Principal.SecurityIdentifier(property as byte[], 0); values.Add(sid.Value); } if (string.Compare(propName, @"objectsid", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.objectsid = values.ToArray(); } else { ObjectProperties.sidhistory = values.ToArray(); } } else if (string.Compare(propName, @"grouptype", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.grouptype = (GroupType)Properties[propName][0]; } else if (string.Compare(propName, @"samaccounttype", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.samaccounttype = (SamAccountType)Properties[propName][0]; } else if (string.Compare(propName, @"objectguid", StringComparison.OrdinalIgnoreCase) == 0) { // convert the GUID to a string ObjectProperties.objectguid = new Guid(Properties[propName][0] as byte[]).ToString(); } else if (string.Compare(propName, @"useraccountcontrol", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.useraccountcontrol = (UACEnumValue)Properties[propName][0]; } else if (string.Compare(propName, @"ntsecuritydescriptor", StringComparison.OrdinalIgnoreCase) == 0) { // $ObjectProperties[$_] = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0 var Descriptor = new System.Security.AccessControl.RawSecurityDescriptor(Properties[propName][0] as byte[], 0); if (Descriptor.Owner != null) { ObjectProperties.Owner = Descriptor.Owner; } if (Descriptor.Group != null) { ObjectProperties.Group = Descriptor.Group; } if (Descriptor.DiscretionaryAcl != null) { ObjectProperties.DiscretionaryAcl = Descriptor.DiscretionaryAcl; } if (Descriptor.SystemAcl != null) { ObjectProperties.SystemAcl = Descriptor.SystemAcl; } } else if (string.Compare(propName, @"accountexpires", StringComparison.OrdinalIgnoreCase) == 0) { if ((long)Properties[propName][0] >= DateTime.MaxValue.Ticks) { ObjectProperties.accountexpires = "NEVER"; } else { ObjectProperties.accountexpires = DateTime.FromFileTime((long)Properties[propName][0]); } } else if (string.Compare(propName, @"lastlogon", StringComparison.OrdinalIgnoreCase) == 0 || string.Compare(propName, @"lastlogontimestamp", StringComparison.OrdinalIgnoreCase) == 0 || string.Compare(propName, @"pwdlastset", StringComparison.OrdinalIgnoreCase) == 0 || string.Compare(propName, @"lastlogoff", StringComparison.OrdinalIgnoreCase) == 0 || string.Compare(propName, @"badPasswordTime", StringComparison.OrdinalIgnoreCase) == 0 || string.Compare(propName, @"whencreated", StringComparison.OrdinalIgnoreCase) == 0 || string.Compare(propName, @"whenchanged", StringComparison.OrdinalIgnoreCase) == 0) { DateTime dt; // convert timestamps if (Properties[propName][0] is System.MarshalByRefObject) { // if we have a System.__ComObject var Temp = Properties[propName][0]; var High = (Int32)Temp.GetType().InvokeMember("HighPart", System.Reflection.BindingFlags.GetProperty, null, Temp, null); var Low = (Int32)Temp.GetType().InvokeMember("LowPart", System.Reflection.BindingFlags.GetProperty, null, Temp, null); dt = DateTime.FromFileTime(Int64.Parse(string.Format("0x{0:x8}{1:x8}", High, Low))); } if (Properties[propName][0] is System.DateTime) { dt = (DateTime)Properties[propName][0]; } else { // otherwise just a string dt = DateTime.FromFileTime((long)Properties[propName][0]); } if (string.Compare(propName, @"lastlogon", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.lastlogon = dt; } else if (string.Compare(propName, @"lastlogontimestamp", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.lastlogontimestamp = dt; } else if (string.Compare(propName, @"pwdlastset", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.pwdlastset = dt; } else if (string.Compare(propName, @"lastlogoff", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.lastlogoff = dt; } else if (string.Compare(propName, @"badPasswordTime", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.badPasswordTime = dt; } else if (string.Compare(propName, @"whencreated", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.whencreated = dt; } else if (string.Compare(propName, @"whenchanged", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.whenchanged = dt; } } else if (string.Compare(propName, @"name", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.name = Properties[propName][0] as string; } else if (string.Compare(propName, @"distinguishedname", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.distinguishedname = Properties[propName][0] as string; } else if (string.Compare(propName, @"dnsrecord", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.dnsrecord = Properties[propName][0]; } else if (string.Compare(propName, @"samaccountname", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.samaccountname = Properties[propName][0] as string; } else if (string.Compare(propName, @"member", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.member = Properties[propName].GetValues <string>().ToArray(); } else if (string.Compare(propName, @"memberof", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.memberof = Properties[propName].GetValues <string>().ToArray(); } else if (string.Compare(propName, @"cn", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.cn = Properties[propName].GetValues <string>().ToArray(); } else if (string.Compare(propName, @"objectclass", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.objectclass = Properties[propName].GetValues <string>().ToArray(); } else if (string.Compare(propName, @"managedby", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.managedby = Properties[propName][0] as string; } else if (string.Compare(propName, @"siteobject", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.siteobject = Properties[propName][0] as string; } else if (string.Compare(propName, @"ServicePrincipalName", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.ServicePrincipalName = Properties[propName][0] as string; } else if (string.Compare(propName, @"dnshostname", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.dnshostname = Properties[propName][0] as string; } else if (string.Compare(propName, @"gplink", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.gplink = Properties[propName][0] as string; } else if (string.Compare(propName, @"gpoptions", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.gpoptions = (int)Properties[propName][0]; } else if (string.Compare(propName, @"displayname", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.displayname = Properties[propName][0] as string; } else if (string.Compare(propName, @"path", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.path = Properties[propName][0] as string; } else if (string.Compare(propName, @"siteobjectbl", StringComparison.OrdinalIgnoreCase) == 0) { ObjectProperties.siteobjectbl = Properties[propName][0] as string; } else if (Properties[propName][0] is System.MarshalByRefObject) { // try to convert misc com objects var Prop = Properties[propName]; try { var Temp = Properties[propName][0]; var High = (Int32)Temp.GetType().InvokeMember("HighPart", System.Reflection.BindingFlags.GetProperty, null, Temp, null); var Low = (Int32)Temp.GetType().InvokeMember("LowPart", System.Reflection.BindingFlags.GetProperty, null, Temp, null); ObjectProperties.others.Add(propName, Int64.Parse(string.Format("0x{0:x8}{1:x8}", High, Low))); } catch (Exception e) { Logger.Write_Verbose($@"[Convert-LDAPProperty] error: {e}"); ObjectProperties.others.Add(propName, Prop[0]); } } else if (Properties[propName].Count == 1) { ObjectProperties.others.Add(propName, Properties[propName][0]); } else { ObjectProperties.others.Add(propName, Properties[propName]); } } } return(ObjectProperties); }
public IdentityReferenceCollection Translate(Type targetType, bool forceSuccess) { if (targetType == null) { throw new ArgumentNullException("targetType"); } // // Target type must be a subclass of IdentityReference // if (!targetType.IsSubclassOf(typeof(IdentityReference))) { throw new ArgumentException(Environment.GetResourceString("IdentityReference_MustBeIdentityReference"), "targetType"); } Contract.EndContractBlock(); // // if the source collection is empty, just return an empty collection // if (Identities.Count == 0) { return(new IdentityReferenceCollection()); } int SourceSidsCount = 0; int SourceNTAccountsCount = 0; // // First, see how many of each of the source types we have. // The cases where source type == target type require no conversion. // for (int i = 0; i < Identities.Count; i++) { Type type = Identities[i].GetType(); if (type == targetType) { continue; } else if (type == typeof(SecurityIdentifier)) { SourceSidsCount += 1; } else if (type == typeof(NTAccount)) { SourceNTAccountsCount += 1; } else { // // Rare case that we have defined a type of identity reference and // not included it in the code logic above (this is more like a Contract.Assert(false, "Source type is an IdentityReference type which has not been included in translation logic."); throw new SystemException(); } } bool Homogeneous = false; IdentityReferenceCollection SourceSids = null; IdentityReferenceCollection SourceNTAccounts = null; if (SourceSidsCount == Count) { Homogeneous = true; SourceSids = this; } else if (SourceSidsCount > 0) { SourceSids = new IdentityReferenceCollection(SourceSidsCount); } if (SourceNTAccountsCount == Count) { Homogeneous = true; SourceNTAccounts = this; } else if (SourceNTAccountsCount > 0) { SourceNTAccounts = new IdentityReferenceCollection(SourceNTAccountsCount); } // // Repackage only if the source is not homogeneous (contains different source types) // IdentityReferenceCollection Result = null; if (!Homogeneous) { Result = new IdentityReferenceCollection(Identities.Count); for (int i = 0; i < Identities.Count; i++) { IdentityReference id = this[i]; Type type = id.GetType(); if (type == targetType) { continue; } else if (type == typeof(SecurityIdentifier)) { SourceSids.Add(id); } else if (type == typeof(NTAccount)) { SourceNTAccounts.Add(id); } else { // // Rare case that we have defined a type of identity reference and // not included it in the code logic above (this is more like a Contract.Assert(false, "Source type is an IdentityReference type which has not been included in translation logic."); throw new SystemException(); } } } bool someFailed = false; IdentityReferenceCollection TargetSids = null, TargetNTAccounts = null; if (SourceSidsCount > 0) { TargetSids = SecurityIdentifier.Translate(SourceSids, targetType, out someFailed); if (Homogeneous && !(forceSuccess && someFailed)) { Result = TargetSids; } } if (SourceNTAccountsCount > 0) { TargetNTAccounts = NTAccount.Translate(SourceNTAccounts, targetType, out someFailed); if (Homogeneous && !(forceSuccess && someFailed)) { Result = TargetNTAccounts; } } if (forceSuccess && someFailed) { // // Need to throw an exception here and provide information regarding // which identity references could not be translated to the target type // Result = new IdentityReferenceCollection(); if (TargetSids != null) { foreach (IdentityReference id in TargetSids) { if (id.GetType() != targetType) { Result.Add(id); } } } if (TargetNTAccounts != null) { foreach (IdentityReference id in TargetNTAccounts) { if (id.GetType() != targetType) { Result.Add(id); } } } throw new IdentityNotMappedException(Environment.GetResourceString("IdentityReference_IdentityNotMapped"), Result); } else if (!Homogeneous) { SourceSidsCount = 0; SourceNTAccountsCount = 0; Result = new IdentityReferenceCollection(Identities.Count); for (int i = 0; i < Identities.Count; i++) { IdentityReference id = this[i]; Type type = id.GetType(); if (type == targetType) { Result.Add(id); } else if (type == typeof(SecurityIdentifier)) { Result.Add(TargetSids[SourceSidsCount++]); } else if (type == typeof(NTAccount)) { Result.Add(TargetNTAccounts[SourceNTAccountsCount++]); } else { // // Rare case that we have defined a type of identity reference and // not included it in the code logic above (this is more like a Contract.Assert(false, "Source type is an IdentityReference type which has not been included in translation logic."); throw new SystemException(); } } } return(Result); }
/// <summary> /// Creates a collection of SID claims that represent the users groups. /// </summary> private void AddGroupSidClaims(List <Claim> instanceClaims) { // special case the anonymous identity. if (_safeTokenHandle.IsInvalid) { return; } SafeLocalAllocHandle safeAllocHandle = SafeLocalAllocHandle.InvalidHandle; SafeLocalAllocHandle safeAllocHandlePrimaryGroup = SafeLocalAllocHandle.InvalidHandle; try { // Retrieve the primary group sid safeAllocHandlePrimaryGroup = GetTokenInformation(_safeTokenHandle, TokenInformationClass.TokenPrimaryGroup); Interop.TOKEN_PRIMARY_GROUP primaryGroup = (Interop.TOKEN_PRIMARY_GROUP)Marshal.PtrToStructure <Interop.TOKEN_PRIMARY_GROUP>(safeAllocHandlePrimaryGroup.DangerousGetHandle()); SecurityIdentifier primaryGroupSid = new SecurityIdentifier(primaryGroup.PrimaryGroup, true); // only add one primary group sid bool foundPrimaryGroupSid = false; // Retrieve all group sids, primary group sid is one of them safeAllocHandle = GetTokenInformation(_safeTokenHandle, TokenInformationClass.TokenGroups); int count = Marshal.ReadInt32(safeAllocHandle.DangerousGetHandle()); IntPtr pSidAndAttributes = new IntPtr((long)safeAllocHandle.DangerousGetHandle() + (long)Marshal.OffsetOf <Interop.TOKEN_GROUPS>("Groups")); Claim claim; for (int i = 0; i < count; ++i) { Interop.SID_AND_ATTRIBUTES group = (Interop.SID_AND_ATTRIBUTES)Marshal.PtrToStructure <Interop.SID_AND_ATTRIBUTES>(pSidAndAttributes); uint mask = Interop.SecurityGroups.SE_GROUP_ENABLED | Interop.SecurityGroups.SE_GROUP_LOGON_ID | Interop.SecurityGroups.SE_GROUP_USE_FOR_DENY_ONLY; SecurityIdentifier groupSid = new SecurityIdentifier(group.Sid, true); if ((group.Attributes & mask) == Interop.SecurityGroups.SE_GROUP_ENABLED) { if (!foundPrimaryGroupSid && StringComparer.Ordinal.Equals(groupSid.Value, primaryGroupSid.Value)) { claim = new Claim(ClaimTypes.PrimaryGroupSid, groupSid.Value, ClaimValueTypes.String, _issuerName, _issuerName, this); claim.Properties.Add(ClaimTypes.WindowsSubAuthority, groupSid.IdentifierAuthority.ToString()); instanceClaims.Add(claim); foundPrimaryGroupSid = true; } //Primary group sid generates both regular groupsid claim and primary groupsid claim claim = new Claim(ClaimTypes.GroupSid, groupSid.Value, ClaimValueTypes.String, _issuerName, _issuerName, this); claim.Properties.Add(ClaimTypes.WindowsSubAuthority, groupSid.IdentifierAuthority.ToString()); instanceClaims.Add(claim); } else if ((group.Attributes & mask) == Interop.SecurityGroups.SE_GROUP_USE_FOR_DENY_ONLY) { if (!foundPrimaryGroupSid && StringComparer.Ordinal.Equals(groupSid.Value, primaryGroupSid.Value)) { claim = new Claim(ClaimTypes.DenyOnlyPrimaryGroupSid, groupSid.Value, ClaimValueTypes.String, _issuerName, _issuerName, this); claim.Properties.Add(ClaimTypes.WindowsSubAuthority, groupSid.IdentifierAuthority.ToString()); instanceClaims.Add(claim); foundPrimaryGroupSid = true; } //Primary group sid generates both regular groupsid claim and primary groupsid claim claim = new Claim(ClaimTypes.DenyOnlySid, groupSid.Value, ClaimValueTypes.String, _issuerName, _issuerName, this); claim.Properties.Add(ClaimTypes.WindowsSubAuthority, groupSid.IdentifierAuthority.ToString()); instanceClaims.Add(claim); } pSidAndAttributes = new IntPtr((long)pSidAndAttributes + Marshal.SizeOf <Interop.SID_AND_ATTRIBUTES>()); } } finally { safeAllocHandle.Dispose(); safeAllocHandlePrimaryGroup.Dispose(); } }
public SecurityIdentifierElement(System.Security.Principal.SecurityIdentifier sid) : this() { this.SecurityIdentifier = sid; }
public IdentityReferenceCollection Translate(Type targetType, bool forceSuccess) { if (targetType == null) { throw new ArgumentNullException("targetType"); } if (!targetType.IsSubclassOf(typeof(IdentityReference))) { throw new ArgumentException(Environment.GetResourceString("IdentityReference_MustBeIdentityReference"), "targetType"); } if (this.Identities.Count == 0) { return(new IdentityReferenceCollection()); } int num = 0; int num2 = 0; for (int i = 0; i < this.Identities.Count; i++) { Type type = this.Identities[i].GetType(); if (!(type == targetType)) { if (type == typeof(SecurityIdentifier)) { num++; } else { if (!(type == typeof(NTAccount))) { throw new SystemException(); } num2++; } } } bool flag = false; IdentityReferenceCollection identityReferenceCollection = null; IdentityReferenceCollection identityReferenceCollection2 = null; if (num == this.Count) { flag = true; identityReferenceCollection = this; } else if (num > 0) { identityReferenceCollection = new IdentityReferenceCollection(num); } if (num2 == this.Count) { flag = true; identityReferenceCollection2 = this; } else if (num2 > 0) { identityReferenceCollection2 = new IdentityReferenceCollection(num2); } IdentityReferenceCollection identityReferenceCollection3 = null; if (!flag) { identityReferenceCollection3 = new IdentityReferenceCollection(this.Identities.Count); for (int j = 0; j < this.Identities.Count; j++) { IdentityReference identityReference = this[j]; Type type2 = identityReference.GetType(); if (!(type2 == targetType)) { if (type2 == typeof(SecurityIdentifier)) { identityReferenceCollection.Add(identityReference); } else { if (!(type2 == typeof(NTAccount))) { throw new SystemException(); } identityReferenceCollection2.Add(identityReference); } } } } bool flag2 = false; IdentityReferenceCollection identityReferenceCollection4 = null; IdentityReferenceCollection identityReferenceCollection5 = null; if (num > 0) { identityReferenceCollection4 = SecurityIdentifier.Translate(identityReferenceCollection, targetType, out flag2); if (flag && (!forceSuccess || !flag2)) { identityReferenceCollection3 = identityReferenceCollection4; } } if (num2 > 0) { identityReferenceCollection5 = NTAccount.Translate(identityReferenceCollection2, targetType, out flag2); if (flag && (!forceSuccess || !flag2)) { identityReferenceCollection3 = identityReferenceCollection5; } } if (forceSuccess && flag2) { identityReferenceCollection3 = new IdentityReferenceCollection(); if (identityReferenceCollection4 != null) { foreach (IdentityReference identityReference2 in identityReferenceCollection4) { if (identityReference2.GetType() != targetType) { identityReferenceCollection3.Add(identityReference2); } } } if (identityReferenceCollection5 != null) { foreach (IdentityReference identityReference3 in identityReferenceCollection5) { if (identityReference3.GetType() != targetType) { identityReferenceCollection3.Add(identityReference3); } } } throw new IdentityNotMappedException(Environment.GetResourceString("IdentityReference_IdentityNotMapped"), identityReferenceCollection3); } if (!flag) { num = 0; num2 = 0; identityReferenceCollection3 = new IdentityReferenceCollection(this.Identities.Count); for (int k = 0; k < this.Identities.Count; k++) { IdentityReference identityReference4 = this[k]; Type type3 = identityReference4.GetType(); if (type3 == targetType) { identityReferenceCollection3.Add(identityReference4); } else if (type3 == typeof(SecurityIdentifier)) { identityReferenceCollection3.Add(identityReferenceCollection4[num++]); } else { if (!(type3 == typeof(NTAccount))) { throw new SystemException(); } identityReferenceCollection3.Add(identityReferenceCollection5[num2++]); } } } return(identityReferenceCollection3); }
static void Main(string[] args) { string ldapCookie = "adsync-cookie.dat"; string str_dcName = "dc01.isengard.local"; bool firstRun = true; _nullSids = new ConcurrentDictionary <string, byte>(); _guidMap = new ConcurrentDictionary <string, string>(); _baseGuids = new ConcurrentDictionary <string, string>(); _baseGuids.TryAdd("user", "bf967aba-0de6-11d0-a285-00aa003049e2"); _baseGuids.TryAdd("computer", "bf967a86-0de6-11d0-a285-00aa003049e2"); _baseGuids.TryAdd("group", "bf967a9c-0de6-11d0-a285-00aa003049e2"); _baseGuids.TryAdd("domain", "19195a5a-6da0-11d0-afd3-00c04fd930c9"); _baseGuids.TryAdd("gpo", "f30e3bc2-9ff0-11d1-b603-0000f80367c1"); System.DirectoryServices.DirectoryEntry rootDSE = new System.DirectoryServices.DirectoryEntry("LDAP://rootDSE"); System.Net.NetworkCredential cr = new System.Net.NetworkCredential(@"Administrator", "1qazxsw2..", "isengard.local"); LdapConnection connection = new LdapConnection(str_dcName); connection.Credential = cr; connection.Bind(); DirectorySynchronization sync = new DirectorySynchronization(); DirectorySearcher src2 = new DirectorySearcher(); if (File.Exists(ldapCookie)) { byte[] byteCookie = File.ReadAllBytes(ldapCookie); sync.ResetDirectorySynchronizationCookie(byteCookie); firstRun = false; } src2.DirectorySynchronization = sync; foreach (SearchResult res in src2.FindAll()) { ResultPropertyCollection fields = res.Properties; foreach (String ldapField in fields.PropertyNames) { foreach (Object myCollection in fields[ldapField]) { if (!firstRun) { if (ldapField == "distinguishedname") { Console.WriteLine(String.Format("[+] DN = {0}", myCollection)); } if (ldapField == "ntsecuritydescriptor") { Console.WriteLine("[+] Detected ACL Change: "); var aces = new List <ACL>(); var newDescriptor = new ActiveDirectorySecurity(); newDescriptor.SetSecurityDescriptorBinaryForm((byte[])myCollection); // todo add owner foreach (ActiveDirectoryAccessRule ace in newDescriptor.GetAccessRules(true, true, typeof(SecurityIdentifier))) { //Ignore null aces if (ace == null) { continue; } //Ignore Deny aces if (!ace.AccessControlType.Equals(AccessControlType.Allow)) { continue; } //Resolve the principal in the ACE var principal = GetAcePrincipal(ace, "isengard.local"); string name = new System.Security.Principal.SecurityIdentifier(principal).Translate(typeof(System.Security.Principal.NTAccount)).ToString(); //If its null, we don't care so move on if (principal == null) { continue; } //Interesting Domain ACEs - GenericAll, WriteDacl, WriteOwner, Replication Rights, AllExtendedRights var rights = ace.ActiveDirectoryRights; var objectAceType = ace.ObjectType.ToString(); if (rights.HasFlag(ActiveDirectoryRights.GenericAll)) { if (objectAceType == AllGuid || objectAceType == "") { aces.Add(new ACL { AceType = "", RightName = "GenericAll", PrincipalName = name, PrincipalType = principal }); } //GenericAll includes every other flag, so continue here so we don't duplicate privs continue; } if (rights.HasFlag(ActiveDirectoryRights.WriteDacl)) { aces.Add(new ACL { AceType = "", RightName = "WriteDacl", PrincipalName = name, PrincipalType = principal }); } if (rights.HasFlag(ActiveDirectoryRights.WriteOwner)) { aces.Add(new ACL { AceType = "", RightName = "WriteOwner", PrincipalName = name, PrincipalType = principal }); } if (rights.HasFlag(ActiveDirectoryRights.ExtendedRight)) { if (objectAceType == "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2") { aces.Add(new ACL { AceType = "GetChanges", RightName = "ExtendedRight", PrincipalName = name, PrincipalType = principal }); } else if (objectAceType == "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2") { aces.Add(new ACL { AceType = "GetChangesAll", RightName = "ExtendedRight", PrincipalName = name, PrincipalType = principal }); } else if (objectAceType == AllGuid || objectAceType == "") { aces.Add(new ACL { AceType = "All", RightName = "ExtendedRight", PrincipalName = name, PrincipalType = principal }); } } } foreach (var ace in aces) { Console.WriteLine(String.Format("[+] {0} has {1}", ace.PrincipalName, ace.RightName)); } ; } if (ldapField == "useraccountcontrol") { Console.WriteLine(String.Format("[+] UAC edited: {0}", myCollection)); } } } } } File.WriteAllBytes(ldapCookie, sync.GetDirectorySynchronizationCookie()); }
public static IEnumerable <ACL> Get_DomainObjectAcl(Args_Get_DomainObjectAcl args = null) { if (args == null) { args = new Args_Get_DomainObjectAcl(); } var SearcherArguments = new Args_Get_DomainSearcher { Properties = new[] { "samaccountname", "ntsecuritydescriptor", "distinguishedname", "objectsid" }, SecurityMasks = args.Sacl ? SecurityMasks.Sacl : SecurityMasks.Dacl, Domain = args.Domain, SearchBase = args.SearchBase, Server = args.Server, SearchScope = args.SearchScope, ResultPageSize = args.ResultPageSize, ServerTimeLimit = args.ServerTimeLimit, Tombstone = args.Tombstone, Credential = args.Credential }; var Searcher = GetDomainSearcher.Get_DomainSearcher(SearcherArguments); var DomainGUIDMapArguments = new Args_Get_DomainGUIDMap { Domain = args.Domain, Server = args.Server, ResultPageSize = args.ResultPageSize, ServerTimeLimit = args.ServerTimeLimit, Credential = args.Credential }; // get a GUID -> name mapping IDictionary <string, string> GUIDs = null; if (args.ResolveGUIDs) { GUIDs = GetDomainGUIDMap.Get_DomainGUIDMap(DomainGUIDMapArguments); } var ACLs = new List <ACL>(); if (Searcher != null) { var IdentityFilter = ""; var Filter = ""; if (args.Identity != null) { foreach (var item in args.Identity) { var IdentityInstance = item.Replace(@"(", @"\28").Replace(@")", @"\29"); if (IdentityInstance.IsRegexMatch(@"^S-1-.*")) { IdentityFilter += $@"(objectsid={IdentityInstance})"; } else if (IdentityInstance.IsRegexMatch(@"^(CN|OU|DC)=.*")) { IdentityFilter += $@"(distinguishedname={IdentityInstance})"; if (args.Domain.IsNullOrEmpty() && args.SearchBase.IsNullOrEmpty()) { // if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname // and rebuild the domain searcher var IdentityDomain = IdentityInstance.Substring(IdentityInstance.IndexOf("DC=")).Replace("DC=", "").Replace(",", "."); Logger.Write_Verbose($@"[Get-DomainObjectAcl] Extracted domain '{IdentityDomain}' from '{IdentityInstance}'"); SearcherArguments.Domain = IdentityDomain; Searcher = GetDomainSearcher.Get_DomainSearcher(SearcherArguments); if (Searcher == null) { Logger.Write_Warning($@"[Get-DomainObjectAcl] Unable to retrieve domain searcher for '{IdentityDomain}'"); } } } else if (IdentityInstance.IsRegexMatch(@"^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$")) { var GuidByteString = string.Join(string.Empty, Guid.Parse(IdentityInstance).ToByteArray().Select(x => x.ToString(@"\X2"))); IdentityFilter += $@"(objectguid={GuidByteString})"; } else if (IdentityInstance.Contains('.')) { IdentityFilter += $@"(|(samAccountName={IdentityInstance})(name={IdentityInstance})(dnshostname={IdentityInstance}))"; } else { IdentityFilter += $@"(|(samAccountName={IdentityInstance})(name={IdentityInstance})(displayname={IdentityInstance}))"; } } } if (IdentityFilter != null && IdentityFilter.Trim() != "") { Filter += $@"(|{IdentityFilter})"; } if (args.LDAPFilter.IsNotNullOrEmpty()) { Logger.Write_Verbose($@"[Get-DomainObjectAcl] Using additional LDAP filter: {args.LDAPFilter}"); Filter += $@"{args.LDAPFilter}"; } if (Filter.IsNotNullOrEmpty()) { Searcher.Filter = $@"(&{Filter})"; } Logger.Write_Verbose($@"[Get-DomainObjectAcl] Get-DomainObjectAcl filter string: {Searcher.Filter}"); var Results = Searcher.FindAll(); foreach (SearchResult result in Results) { var Object = result.Properties; string ObjectSid = null; if (Object["objectsid"] != null && Object["objectsid"].Count > 0 && Object["objectsid"][0] != null) { ObjectSid = new System.Security.Principal.SecurityIdentifier(Object["objectsid"][0] as byte[], 0).Value; } else { ObjectSid = null; } try { var rsd = new System.Security.AccessControl.RawSecurityDescriptor(Object["ntsecuritydescriptor"][0] as byte[], 0); var rawAcl = args.Sacl ? rsd.SystemAcl : rsd.DiscretionaryAcl; foreach (var ace in rawAcl) { var acl = new ACL { Ace = ace }; bool Continue = false; if (args.RightsFilter != null) { string GuidFilter = null; switch (args.RightsFilter.Value) { case Rights.ResetPassword: GuidFilter = "00299570-246d-11d0-a768-00aa006e0529"; break; case Rights.WriteMembers: GuidFilter = "bf9679c0-0de6-11d0-a285-00aa003049e2"; break; default: GuidFilter = "00000000-0000-0000-0000-000000000000"; break; } if (ace is System.Security.AccessControl.ObjectAccessRule) { if (string.Compare(((object)ace as System.Security.AccessControl.ObjectAccessRule).ObjectType.ToString(), GuidFilter, StringComparison.OrdinalIgnoreCase) == 0) { acl.ObjectDN = Object["distinguishedname"][0] as string; acl.ObjectSID = ObjectSid; Continue = true; } } } else { acl.ObjectDN = Object["distinguishedname"][0] as string; acl.ObjectSID = ObjectSid; Continue = true; } if (Continue) { if (ace is System.Security.AccessControl.KnownAce) { acl.ActiveDirectoryRights = (System.DirectoryServices.ActiveDirectoryRights)(ace as System.Security.AccessControl.KnownAce).AccessMask; } if (GUIDs != null) { // if we're resolving GUIDs, map them them to the resolved hash table if (ace is ObjectAce) { try { (acl.Ace as ObjectAce).ObjectAceType = new Guid(GUIDs[(ace as ObjectAce).ObjectAceType.ToString()]); } catch { } try { (acl.Ace as ObjectAce).InheritedObjectAceType = new Guid(GUIDs[(ace as ObjectAce).InheritedObjectAceType.ToString()]); } catch { } } else if (ace is ObjectAccessRule) { /*try { (acl.Ace as ObjectAccessRule).ObjectType = new Guid(GUIDs[(ace as ObjectAccessRule).ObjectType.ToString()]); } * catch { } * try { (acl.Ace as ObjectAccessRule).InheritedObjectType = new Guid(GUIDs[(ace as ObjectAccessRule).InheritedObjectType.ToString()]); } * catch { }*/ } } ACLs.Add(acl); } } } catch (Exception e) { Logger.Write_Verbose($@"[Get-DomainObjectAcl] Error: {e}"); } } } return(ACLs); }
/// <summary> /// Initializes a new instance of the <see cref="SafePSID"/> class from a /// <see cref="System.Security.Principal.SecurityIdentifier"/> instance. /// </summary> /// <param name="si">The <see cref="System.Security.Principal.SecurityIdentifier"/> instance.</param> public SafePSID(System.Security.Principal.SecurityIdentifier si) : this(si is null ? null : GetBytes(si)) { }
public string Create(IIdentity identity, string audience, List <string> appGroupRegexes) { var nowUtc = DateTime.UtcNow; var expires = _settings.TokenExpiryMinutes > 0 ? nowUtc.AddMinutes(_settings.TokenExpiryMinutes) : nowUtc.AddDays(_settings.TokenExpiryDays); var centuryBegin = new DateTime(1970, 1, 1); var exp = (long)(new TimeSpan(expires.Ticks - centuryBegin.Ticks).TotalSeconds); var now = (long)(new TimeSpan(nowUtc.Ticks - centuryBegin.Ticks).TotalSeconds); var issuer = _settings.Issuer ?? string.Empty; var payload = new JwtPayload { { "sub", identity.Name }, { "unique_name", identity.Name }, { "iss", issuer }, { "aud", audience }, { "iat", now }, { "nbf", now }, { "exp", exp }, { "jti", Guid.NewGuid().ToString("N") } }; var windowsUser = identity as WindowsIdentity; // SId var claim = windowsUser.Claims.FirstOrDefault(c => c.Type == ClaimTypes.PrimarySid); if (claim != null) { payload.AddClaim(new Claim("sid", claim.Value)); } // Group SId if (_settings.IncludeGroupSIdClaims) { var groupClaims = windowsUser.Claims.Where(c => c.Type == ClaimTypes.GroupSid); if (groupClaims != null) { foreach (Claim c in groupClaims) { payload.AddClaim(new Claim(c.Type, c.Value)); } } } // Group Roles if (_settings.IncludeGroupRoleClaims) { var groupClaims = windowsUser.Claims.Where(c => c.Type == ClaimTypes.GroupSid); if (groupClaims != null) { foreach (Claim c in groupClaims) { var role = new System.Security.Principal.SecurityIdentifier(c.Value).Translate(typeof(System.Security.Principal.NTAccount)).ToString(); foreach (var regex in appGroupRegexes) { if (Regex.IsMatch(role, regex)) { payload.AddClaim(new Claim("role", role)); } } } } } var jwt = new JwtSecurityToken(_jwtHeader, payload); return(_jwtSecurityTokenHandler.WriteToken(jwt)); }
public static void EnumerateLogonSessions(uint currentLUID) { UInt64 count; IntPtr pLuid; IntPtr pLuidList = IntPtr.Zero; uint AccessDenied = 0xc0000022; DateTime systime = new DateTime(1601, 1, 1, 0, 0, 0, 0); if (LsaEnumerateLogonSessions(out count, out pLuidList) != 0) { Console.WriteLine("[!] Error running LsaEnumerateLogonSessions()"); Console.ReadLine(); return; } // Sets pLuid to the first LUID structure in the list pLuid = pLuidList; // count stores number of LUIDs in the list for (ulong idx = 0; idx < count; idx++) { IntPtr pSessionData; uint result = LsaGetLogonSessionData(pLuid, out pSessionData); if (result != 0) { if (result == AccessDenied) { Console.WriteLine("[!] Access denied enumerating LogonId {0:X2}", pLuid); } else { Console.WriteLine("[!] Unknown error accessing session data for LogonId {0:X2}: {1}", pLuid, result); } continue; } SECURITY_LOGON_SESSION_DATA sessionData = (SECURITY_LOGON_SESSION_DATA)Marshal.PtrToStructure(pSessionData, typeof(SECURITY_LOGON_SESSION_DATA)); if (pSessionData == IntPtr.Zero) { // Not a valid logon session continue; } // Marshal our data String username = Marshal.PtrToStringUni(sessionData.Username.buffer).Trim(); String domain = Marshal.PtrToStringUni(sessionData.DnsDomainName.buffer).Trim(); String sid = new System.Security.Principal.SecurityIdentifier(sessionData.PSiD).Value; String package = Marshal.PtrToStringUni(sessionData.AuthenticationPackage.buffer).Trim(); SECURITY_LOGON_TYPE logonType = (SECURITY_LOGON_TYPE)sessionData.LogonType; DateTime logonTime = systime.AddTicks((long)sessionData.LoginTime); if (domain == "") { domain = Marshal.PtrToStringUni(sessionData.LoginDomain.buffer).Trim(); } // Write our data Console.WriteLine(); if (currentLUID == sessionData.LoginID.LowPart) { Console.WriteLine("***********Current Session***********"); } Console.WriteLine("LogonID (LUID): {0}", sessionData.LoginID.LowPart); Console.WriteLine("User: {0}\\{1}", domain, username); Console.WriteLine("SID: {0}", sid); Console.WriteLine("Auth Package: {0}", package); Console.WriteLine("Logon Type: {0}", logonType); Console.WriteLine("Logon Time: {0}", logonTime); if (currentLUID == sessionData.LoginID.LowPart) { Console.WriteLine("*************************************"); } Console.WriteLine(); // Bunch of typecasts to essentially move our pointer to the next LUID in the list pLuid = (IntPtr)((int)pLuid + Marshal.SizeOf(typeof(LUID))); LsaFreeReturnBuffer(pSessionData); } LsaFreeReturnBuffer(pLuid); }
// Summary: // Compares the current System.Security.Principal.SecurityIdentifier object // with the specified System.Security.Principal.SecurityIdentifier object. // // Parameters: // sid: // The System.Security.Principal.SecurityIdentifier object with which to compare // the current System.Security.Principal.SecurityIdentifier object. // // Returns: // A signed number indicating the relative values of this instance and sid.Return // Value Description Less than zero This instance is less than sid. Zero This // instance is equal to sid. Greater than zero This instance is greater than // sid. // public int CompareTo(SecurityIdentifier sid); // // Summary: // Indicates whether the specified System.Security.Principal.SecurityIdentifier // object is equal to the current System.Security.Principal.SecurityIdentifier // object. // // Parameters: // sid: // The System.Security.Principal.SecurityIdentifier object to compare. // // Returns: // true if the value of sid is equal to the value of the current System.Security.Principal.SecurityIdentifier // object. extern public bool Equals(SecurityIdentifier sid);
// // Summary: // Returns a value that indicates whether the security identifier (SID) represented // by this System.Security.Principal.SecurityIdentifier object is from the same // domain as the specified SID. // // Parameters: // sid: // The SID to compare with this System.Security.Principal.SecurityIdentifier // object. // // Returns: // true if the SID represented by this System.Security.Principal.SecurityIdentifier // object is in the same domain as the sid SID; otherwise, false. extern public bool IsEqualDomainSid(SecurityIdentifier sid);
public virtual bool IsInRole(SecurityIdentifier sid) { throw new NotImplementedException(); }
// // Summary: // Initializes a new instance of the System.Security.Principal.SecurityIdentifier // class by using the specified well known security identifier (SID) type and // domain SID. // // Parameters: // sidType: // A System.Security.Principal.WellKnownSidType value.This value must not be // System.Security.Principal.WellKnownSidType.WinLogonIdsSid. // // domainSid: // The domain SID. This value is required for the following System.Security.Principal.WellKnownSidType // values. This parameter is ignored for any other System.Security.Principal.WellKnownSidType // values.System.Security.Principal.WellKnownSidType.WinAccountAdministratorSidSystem.Security.Principal.WellKnownSidType.WinAccountGuestSidSystem.Security.Principal.WellKnownSidType.WinAccountKrbtgtSidSystem.Security.Principal.WellKnownSidType.WinAccountDomainAdminsSidSystem.Security.Principal.WellKnownSidType.WinAccountDomainUsersSidSystem.Security.Principal.WellKnownSidType.WinAccountDomainGuestsSidSystem.Security.Principal.WellKnownSidType.WinAccountComputersSidSystem.Security.Principal.WellKnownSidType.WinAccountControllersSidSystem.Security.Principal.WellKnownSidType.WinAccountCertAdminsSidSystem.Security.Principal.WellKnownSidType.WinAccountSchemaAdminsSidSystem.Security.Principal.WellKnownSidType.WinAccountEnterpriseAdminsSidSystem.Security.Principal.WellKnownSidType.WinAccountPolicyAdminsSidSystem.Security.Principal.WellKnownSidType.WinAccountRasAndIasServersSid public SecurityIdentifier(WellKnownSidType sidType, SecurityIdentifier domainSid) { Contract.Requires(sidType != WellKnownSidType.LogonIdsSid); Contract.Requires(sidType >= WellKnownSidType.NullSid); Contract.Requires(sidType <= WellKnownSidType.WinBuiltinTerminalServerLicenseServersSid); }
private Paragraph PropParagraph(string name, System.Collections.ICollection props) { Paragraph p = new Paragraph(); bool appendSeparator = false; if (props != null) { foreach (dynamic value in props.Cast <object>().OrderBy(x => x.ToString())) { if (appendSeparator) { p.Inlines.Add("\r\n"); } else { appendSeparator = true; } string valueString = ((Object)value).ToString(); if (name == "userAccountControl:") { p.Inlines.Add(new Run(GetUserAccountControl(value))); } else if (valueString == "System.__ComObject") { try { // Try an ADSI Large Integer Object o = value; Object low = o.GetType().InvokeMember("LowPart", System.Reflection.BindingFlags.GetProperty, null, o, null); Object high = o.GetType().InvokeMember("HighPart", System.Reflection.BindingFlags.GetProperty, null, o, null); //long dateValue = (value.HighPart * &H100000000) + value.LowPart; long dateValue = ((long)((int)high) << 32) + (long)((int)low); DateTime dt = DateTime.FromFileTime(dateValue); if (dt.ToString("dd-MMM-yyyy HH:mm") != "01-Jan-1601 11:00") { if (dt.Year == 1601) { p.Inlines.Add(dt.ToString("HH:mm")); } else { p.Inlines.Add(dt.ToString("dd-MMM-yyyy HH:mm")); } } } catch { p.Inlines.Add(valueString); } } else if (valueString == "System.Byte[]") { byte[] bytes = value as byte[]; if (bytes.Length == 16) { Guid guid = new Guid(bytes); p.Inlines.Add(guid.ToString("B")); } else if (bytes.Length == 28) { try { System.Security.Principal.SecurityIdentifier sid = new System.Security.Principal.SecurityIdentifier(bytes, 0); p.Inlines.Add(sid.ToString()); } catch { p.Inlines.Add(valueString); } } else { System.IO.MemoryStream ms = new System.IO.MemoryStream(bytes); try { BitmapImage photoBitmap = new BitmapImage(); photoBitmap.BeginInit(); photoBitmap.StreamSource = ms; photoBitmap.EndInit(); Image img = new Image(); img.Source = photoBitmap; img.Stretch = Stretch.None; p.Inlines.Add(img); } catch { p.Inlines.Add(valueString); } } } else { if (valueString.StartsWith("CN=") || valueString.ToLower().StartsWith("http://")) { //string display = Regex.Match(valueString + ",", "CN=(.*?),").Groups[1].Captures[0].Value; //Hyperlink h = new Hyperlink(new Run(display)); Hyperlink h = new Hyperlink(new Run(valueString)); h.NavigateUri = new Uri(valueString, valueString.ToLower().StartsWith("http://") ? UriKind.Absolute : UriKind.Relative); h.Click += new RoutedEventHandler(HyperlinkClicked); //p.TextIndent = -20; //p.Margin = new Thickness(20, p.Margin.Top, p.Margin.Right, p.Margin.Bottom); p.Inlines.Add(h); } else { p.Inlines.Add(new Run(valueString)); } } } } return(p); }
public virtual new bool IsInRole(SecurityIdentifier sid) { return(default(bool)); }
public static IEnumerable <GroupMember> Get_DomainGroupMember(Args_Get_DomainGroupMember args = null) { if (args == null) { args = new Args_Get_DomainGroupMember(); } var SearcherArguments = new Args_Get_DomainSearcher() { Properties = new string[] { @"member", @"samaccountname", @"distinguishedname" }, Domain = args.Domain, LDAPFilter = args.LDAPFilter, SearchBase = args.SearchBase, Server = args.Server, SearchScope = args.SearchScope, ResultPageSize = args.ResultPageSize, ServerTimeLimit = args.ServerTimeLimit, Tombstone = args.Tombstone, Credential = args.Credential }; var ADNameArguments = new Args_Convert_ADName { Domain = args.Domain, Server = args.Server, Credential = args.Credential }; var GroupMembers = new List <GroupMember>(); var GroupSearcher = GetDomainSearcher.Get_DomainSearcher(SearcherArguments); if (GroupSearcher != null) { string GroupFoundDomain = null; string GroupFoundName = null; string GroupFoundDN = null; List <string> Members = null; if (args.RecurseUsingMatchingRule) { var GroupArguments = new Args_Get_DomainGroup() { Properties = SearcherArguments.Properties, Domain = SearcherArguments.Domain, LDAPFilter = SearcherArguments.LDAPFilter, SearchBase = SearcherArguments.SearchBase, Server = SearcherArguments.Server, SearchScope = SearcherArguments.SearchScope, ResultPageSize = SearcherArguments.ResultPageSize, ServerTimeLimit = SearcherArguments.ServerTimeLimit, Tombstone = SearcherArguments.Tombstone, Credential = SearcherArguments.Credential, Identity = args.Identity, Raw = true }; var Groups = GetDomainGroup.Get_DomainGroup(GroupArguments); if (Groups == null) { Logger.Write_Warning($@"[Get-DomainGroupMember] Error searching for group with identity: {args.Identity}"); } else { var Group = Groups.First() as SearchResult; GroupFoundName = Group.Properties[@"samaccountname"][0] as string; GroupFoundDN = Group.Properties[@"distinguishedname"][0] as string; if (args.Domain.IsNotNullOrEmpty()) { GroupFoundDomain = args.Domain; } else { // if a domain isn't passed, try to extract it from the found group distinguished name if (GroupFoundDN.IsNotNullOrEmpty()) { GroupFoundDomain = GroupFoundDN.Substring(GroupFoundDN.IndexOf(@"DC=")).Replace(@"DC=", @"").Replace(@",", @"."); } } Logger.Write_Verbose($@"[Get-DomainGroupMember] Using LDAP matching rule to recurse on '{GroupFoundDN}', only user accounts will be returned."); GroupSearcher.Filter = $@"(&(samAccountType=805306368)(memberof:1.2.840.113556.1.4.1941:={GroupFoundDN}))"; GroupSearcher.PropertiesToLoad.AddRange(new string[] { @"distinguishedName" }); var Results = GroupSearcher.FindAll(); if (Results != null) { Members = new List <string>(); foreach (SearchResult result in Results) { Members.Add(result.Properties[@"distinguishedname"][0] as string); } } } } else { var IdentityFilter = @""; var Filter = @""; if (args.Identity != null) { foreach (var item in args.Identity) { var IdentityInstance = item.Replace(@"(", @"\28").Replace(@")", @"\29"); if (new Regex(@"^S-1-").Match(IdentityInstance).Success) { IdentityFilter += $@"(objectsid={IdentityInstance})"; } else if (new Regex(@"^CN=").Match(IdentityInstance).Success) { IdentityFilter += $@"(distinguishedname={IdentityInstance})"; if (args.Domain.IsNullOrEmpty() && args.SearchBase.IsNullOrEmpty()) { // if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname // and rebuild the domain searcher var IdentityDomain = IdentityInstance.Substring(IdentityInstance.IndexOf(@"DC=")).Replace(@"DC=", @"".Replace(@",", @".")); Logger.Write_Verbose($@"[Get-DomainGroupMember] Extracted domain '{IdentityDomain}' from '{IdentityInstance}'"); SearcherArguments.Domain = IdentityDomain; GroupSearcher = GetDomainSearcher.Get_DomainSearcher(SearcherArguments); if (GroupSearcher == null) { Logger.Write_Warning($@"[Get-DomainGroupMember] Unable to retrieve domain searcher for '{IdentityDomain}'"); } } } else if (new Regex(@"^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$").Match(IdentityInstance).Success) { var GuidByteString = string.Join(string.Empty, Guid.Parse(IdentityInstance).ToByteArray().Select(x => x.ToString(@"\X2"))); IdentityFilter += $@"(objectguid={GuidByteString})"; } else if (IdentityInstance.Contains(@"\")) { var ConvertedIdentityInstance = ConvertADName.Convert_ADName(new Args_Convert_ADName { OutputType = ADSNameType.Canonical, Identity = new string[] { IdentityInstance.Replace(@"\28", @"(").Replace(@"\29", @")") } }); if (ConvertedIdentityInstance != null && ConvertedIdentityInstance.Any()) { var GroupDomain = ConvertedIdentityInstance.First().Substring(0, ConvertedIdentityInstance.First().IndexOf('/')); var GroupName = IdentityInstance.Split(new char[] { '\\' })[1]; IdentityFilter += $@"(samAccountName={GroupName})"; SearcherArguments.Domain = GroupDomain; Logger.Write_Verbose($@"[Get-DomainGroupMember] Extracted domain '{GroupDomain}' from '{IdentityInstance}'"); GroupSearcher = GetDomainSearcher.Get_DomainSearcher(SearcherArguments); } } else { IdentityFilter += $@"(samAccountName={IdentityInstance})"; } } } if (IdentityFilter != null && IdentityFilter.Trim() != @"") { Filter += $@"(|{IdentityFilter})"; } if (args.LDAPFilter.IsNotNullOrEmpty()) { Logger.Write_Verbose($@"[Get-DomainGroupMember] Using additional LDAP filter: {args.LDAPFilter}"); Filter += $@"{args.LDAPFilter}"; } GroupSearcher.Filter = $@"(&(objectCategory=group){Filter})"; Logger.Write_Verbose($@"[Get-DomainGroupMember] Get-DomainGroupMember filter string: {GroupSearcher.Filter}"); SearchResult Result = null; try { Result = GroupSearcher.FindOne(); } catch (Exception e) { Logger.Write_Warning($@"[Get-DomainGroupMember] Error searching for group with identity '{args.Identity}': {e}"); Members = new List <string>(); } GroupFoundName = @""; GroupFoundDN = @""; if (Result != null) { var tmpProperty = Result.Properties[@"member"]; var tmpValues = new string[tmpProperty.Count]; tmpProperty.CopyTo(tmpValues, 0); Members = tmpValues.ToList(); string RangedProperty = ""; if (Members.Count == 0) { // ranged searching, thanks @meatballs__ ! var Finished = false; var Bottom = 0; var Top = 0; while (!Finished) { Top = Bottom + 1499; var MemberRange = $@"member;range={Bottom}-{Top}"; Bottom += 1500; GroupSearcher.PropertiesToLoad.Clear(); GroupSearcher.PropertiesToLoad.Add($@"{MemberRange}"); GroupSearcher.PropertiesToLoad.Add(@"samaccountname"); GroupSearcher.PropertiesToLoad.Add(@"distinguishedname"); try { Result = GroupSearcher.FindOne(); RangedProperty = Result.Properties.PropertyNames.GetFirstMatch(@"member;range=*"); tmpProperty = Result.Properties[RangedProperty]; tmpValues = new string[tmpProperty.Count]; tmpProperty.CopyTo(tmpValues, 0); Members.AddRange(tmpValues.ToList()); GroupFoundName = Result.Properties[@"samaccountname"][0] as string; GroupFoundDN = Result.Properties[@"distinguishedname"][0] as string; if (Members.Count == 0) { Finished = true; } } catch { Finished = true; } } } else { GroupFoundName = Result.Properties[@"samaccountname"][0] as string; GroupFoundDN = Result.Properties[@"distinguishedname"][0] as string; tmpProperty = Result.Properties[RangedProperty]; tmpValues = new string[tmpProperty.Count]; tmpProperty.CopyTo(tmpValues, 0); Members.AddRange(tmpValues.ToList()); } if (args.Domain.IsNotNullOrEmpty()) { GroupFoundDomain = args.Domain; } else { // if a domain isn't passed, try to extract it from the found group distinguished name if (GroupFoundDN.IsNotNullOrEmpty()) { GroupFoundDomain = GroupFoundDN.Substring(GroupFoundDN.IndexOf(@"DC=")).Replace(@"DC=", @"".Replace(@",", @".")); } } } var UseMatchingRule = false; string MemberDomain = null; foreach (var Member in Members) { ResultPropertyCollection Properties = null; if (args.Recurse && UseMatchingRule) { //$Properties = $_.Properties } else { var ObjectSearcherArguments = new Args_Get_DomainObject { ADSPath = SearcherArguments.ADSPath, Credential = SearcherArguments.Credential, Domain = SearcherArguments.Domain, DomainController = SearcherArguments.DomainController, Filter = SearcherArguments.Filter, LDAPFilter = SearcherArguments.LDAPFilter, Properties = SearcherArguments.Properties, ResultPageSize = SearcherArguments.ResultPageSize, SearchBase = SearcherArguments.SearchBase, SearchScope = SearcherArguments.SearchScope, SecurityMasks = SearcherArguments.SecurityMasks, Server = SearcherArguments.Server, ServerTimeLimit = SearcherArguments.ServerTimeLimit, Tombstone = SearcherArguments.Tombstone }; ObjectSearcherArguments.Identity = new string[] { Member }; ObjectSearcherArguments.Raw = true; ObjectSearcherArguments.Properties = new string[] { @"distinguishedname", @"cn", @"samaccountname", @"objectsid", @"objectclass" }; var Object = GetDomainObject.Get_DomainObject(ObjectSearcherArguments)?.FirstOrDefault() as SearchResult; Properties = Object.Properties; } if (Properties != null) { var GroupMember = new GroupMember { GroupDomain = GroupFoundDomain, GroupName = GroupFoundName, GroupDistinguishedName = GroupFoundDN }; string MemberSID = null; if (Properties["objectsid"] != null) { MemberSID = new System.Security.Principal.SecurityIdentifier(Properties["objectsid"][0] as byte[], 0).Value; } else { MemberSID = null; } string MemberDN = null; try { MemberDN = Properties["distinguishedname"][0].ToString(); if (MemberDN.IsRegexMatch(@"ForeignSecurityPrincipals|S-1-5-21")) { try { if (MemberSID.IsNullOrEmpty()) { MemberSID = Properties["cn"][0].ToString(); } ADNameArguments.Identity = new string[] { MemberSID }; ADNameArguments.OutputType = ADSNameType.DomainSimple; var MemberSimpleName = ConvertADName.Convert_ADName(ADNameArguments); if (MemberSimpleName != null && MemberSimpleName.Any()) { MemberDomain = MemberSimpleName.First().Split('@')[1]; } else { Logger.Write_Warning($@"[Get-DomainGroupMember] Error converting {MemberDN}"); MemberDomain = null; } } catch { Logger.Write_Warning($@"[Get-DomainGroupMember] Error converting {MemberDN}"); MemberDomain = null; } } else { // extract the FQDN from the Distinguished Name MemberDomain = MemberDN.Substring(MemberDN.IndexOf(@"DC=")).Replace(@"DC=", @"").Replace(@",", @"."); } } catch { MemberDN = null; MemberDomain = null; } string MemberName = null; if (Properties["samaccountname"] != null) { // forest users have the samAccountName set MemberName = Properties["samaccountname"][0].ToString(); } else { // external trust users have a SID, so convert it try { MemberName = ConvertFromSID.ConvertFrom_SID(new Args_ConvertFrom_SID { ObjectSID = new string[] { Properties["cn"][0].ToString() }, Domain = ADNameArguments.Domain, Server = ADNameArguments.Server, Credential = ADNameArguments.Credential }).First(); } catch { // if there's a problem contacting the domain to resolve the SID MemberName = Properties["cn"][0].ToString(); } } string MemberObjectClass = null; if (Properties["objectclass"].RegexContains(@"computer")) { MemberObjectClass = @"computer"; } else if (Properties["objectclass"].RegexContains(@"group")) { MemberObjectClass = @"group"; } else if (Properties["objectclass"].RegexContains(@"user")) { MemberObjectClass = @"user"; } else { MemberObjectClass = null; } GroupMember.MemberDomain = MemberDomain; GroupMember.MemberName = MemberName; GroupMember.MemberDistinguishedName = MemberDN; GroupMember.MemberObjectClass = MemberObjectClass; GroupMember.MemberSID = MemberSID; GroupMembers.Add(GroupMember); // if we're doing manual recursion if (args.Recurse && MemberDN.IsNotNullOrEmpty() && MemberObjectClass.IsRegexMatch(@"group")) { Logger.Write_Verbose($@"[Get-DomainGroupMember] Manually recursing on group: {MemberDN}"); var GroupArguments = new Args_Get_DomainGroupMember() { Domain = SearcherArguments.Domain, LDAPFilter = SearcherArguments.LDAPFilter, SearchBase = SearcherArguments.SearchBase, Server = SearcherArguments.Server, SearchScope = SearcherArguments.SearchScope, ResultPageSize = SearcherArguments.ResultPageSize, ServerTimeLimit = SearcherArguments.ServerTimeLimit, Tombstone = SearcherArguments.Tombstone, Credential = SearcherArguments.Credential, Identity = new string[] { MemberDN } }; GroupMembers.AddRange(Get_DomainGroupMember(GroupArguments)); } } } } GroupSearcher.Dispose(); } return(GroupMembers); }
/// <summary> /// Called by a connection when it has received an intact and complete message in wire-format. /// Parses the supplied byte-array to generate a typed message for processing. /// On return from this routine the connection is free to overwrite the buffer contents. /// /// </summary> /// <param name="conn">Connection (think TCP to specific network agent) on which message arrived.</param> /// <param name="buff">Buffer encoding the message.</param> /// <param name="offset">Offset to start of message in the supplied buffer.</param> /// <param name="length">Length of message encoding in supplied buffer</param> public void ReceiveMessage(Connection conn, MessageTypes messageType, byte[] buff, int offset, int length) { switch (messageType) { case MessageTypes.MessageTypeRegister: { MessageRegister msgRegister = MessageRegister.CreateFromNetBytes(buff, offset); TenantId = msgRegister.TenantId; client.CallbackMessageRegister(conn, msgRegister.TenantId, msgRegister.AlertVec); MessageAck ack = new MessageAck(msgRegister.SeqNo, MessageTypes.MessageTypeRegisterAck, (uint)OktoResultCodes.OKTO_RESULT_SUCCESS); SendSynchronous(conn, ack.Serialize); conn.BeginReceive(); break; } case MessageTypes.MessageTypeIoFlowCreate: { MessageIoFlowCreate msgFlowc = MessageIoFlowCreate.CreateFromNetBytes(buff, offset); lock (LockLocal) { foreach (IoFlowMessageParams flowc in msgFlowc.ListParams) { Console.WriteLine("Agent MessageIoFlowCreate({0},{1})", flowc.FlowId, flowc.ParameterString); if (DictFlowCreateParams.ContainsKey(flowc.FlowId)) { throw new ArgumentOutOfRangeException(string.Format("Agent flowc dup FlowId {0}", flowc.FlowId)); } DictFlowCreateParams.Add(flowc.FlowId, flowc); } } MessageAck ack = new MessageAck(msgFlowc.SeqNo, MessageTypes.MessageTypeIoFlowCreateAck, (uint)OktoResultCodes.OKTO_RESULT_SUCCESS); SendSynchronous(conn, ack.Serialize); conn.BeginReceive(); break; } case MessageTypes.MessageTypeRapFsCreate: { MessageRapFsCreate msgRapc = MessageRapFsCreate.CreateFromNetBytes(buff, offset); lock (LockLocal) { foreach (MsgRapArg rapc in msgRapc.ListMsgRapArg) { Console.WriteLine("Agent MessageRapFsCreate({0},{1},{2})", rapc.FlowId, rapc.stringSid, rapc.ShareOrVolume); if (!DictFlowCreateParams.ContainsKey(rapc.FlowId)) { throw new ArgumentOutOfRangeException(string.Format("Agent rapc invalid FlowId {0}", rapc.FlowId)); } if (DictRapCreateParams.ContainsKey(rapc.FlowId)) { throw new ArgumentOutOfRangeException(string.Format("Agent rapc dup FlowId {0}", rapc.FlowId)); } if (!DictFlowCreateParams.ContainsKey(rapc.FlowId)) { throw new ArgumentOutOfRangeException(string.Format("Agent rapc unmatched FlowId {0}", rapc.FlowId)); } DictRapCreateParams.Add(rapc.FlowId, rapc); } } // // Params look reasonable and FlowCreate and RapCreate match up. // Now we can invite the client to create its IoFlows. // OktoResultCodes result = client.CallbackIoFlowCreate(DictFlowCreateParams, DictRapCreateParams); MessageAck ack = new MessageAck(msgRapc.SeqNo, MessageTypes.MessageTypeRapFsCreateAck, (uint)result); SendSynchronous(conn, ack.Serialize); conn.BeginReceive(); break; } case MessageTypes.MessageTypeStatsZero: { MessageStatsZero msgZero = MessageStatsZero.CreateFromNetBytes(buff, offset); OktoResultCodes result = client.CallbackMessageStatsZero(); MessageAck ack = new MessageAck(msgZero.SeqNo, MessageTypes.MessageTypeStatsZeroAck, (uint)result); SendSynchronous(conn, ack.Serialize); conn.BeginReceive(); break; } case MessageTypes.MessageTypeIoFlowUpdate: { MessageIoFlowUpdate msgFlowc = MessageIoFlowUpdate.CreateFromNetBytes(buff, offset); lock (LockLocal) { foreach (IoFlowMessageParams flowu in msgFlowc.ListParams) { if (!DictFlowCreateParams.ContainsKey(flowu.FlowId)) { throw new ArgumentOutOfRangeException(string.Format("Agent flowu invalid FlowId {0}", flowu.FlowId)); } } } OktoResultCodes result = client.CallbackMessageIoFlowUpdate(msgFlowc.ListParams); MessageAck ack = new MessageAck(msgFlowc.SeqNo, MessageTypes.MessageTypeIoFlowUpdateAck, (uint)result); SendSynchronous(conn, ack.Serialize); conn.BeginReceive(); break; } case MessageTypes.MessageTypeTenantDelete: { MessageTenantDelete msgTend = MessageTenantDelete.CreateFromNetBytes(buff, offset); OktoResultCodes result = client.CallbackMessageTenantDelete(); MessageAck ack = new MessageAck(msgTend.SeqNo, MessageTypes.MessageTypeTenantDeleteAck, (uint)result); SendSynchronous(conn, ack.Serialize); conn.BeginReceive(); break; } case MessageTypes.MessageTypeIoFlowStatsQuery: { MessageIoFlowStatsQuery msgStatsQ = MessageIoFlowStatsQuery.CreateFromNetBytes(buff, offset); List <IoFlowMessageParams> listStats = client.CallbackMessageIoFlowStatsQuery(); lock (LockLocal) { foreach (IoFlowMessageParams stats in listStats) { if (!DictFlowCreateParams.ContainsKey(stats.FlowId)) { throw new ArgumentOutOfRangeException(string.Format("Stats reply invalid FlowId {0}", stats.FlowId)); } } } MessageIoFlowStatsReply msgStatsReply = new MessageIoFlowStatsReply(msgStatsQ.SeqNo, listStats, TenantId); SendSynchronous(conn, msgStatsReply.Serialize); conn.BeginReceive(); break; } case MessageTypes.MessageTypeNameToStringSidBatchQuery: { MessageNameToStringSidBatchQuery msgSidBatchQuery = MessageNameToStringSidBatchQuery.CreateFromNetBytes(buff, offset); Dictionary <string, string> DictVmNameToSid = new Dictionary <string, string>(); System.Security.Principal.SecurityIdentifier sid = null; foreach (string vmName in msgSidBatchQuery.ListVmNames) { //XXXET: following two lines are for account names of type europe\ sid = VmSID.GetVMnameSid(vmName); if (sid == null) { try { NTAccount ntaccount = new NTAccount(vmName); sid = (SecurityIdentifier)ntaccount.Translate(typeof(SecurityIdentifier)); } catch (Exception e) { Debug.Assert(0 == 1, e.Message); } } Console.WriteLine("MessageTypeNameToStringSidBatchQuery: {0} sid {1}", vmName, sid.ToString()); DictVmNameToSid.Add(vmName, sid.ToString()); } MessageVmNameToStringSidBatchReply msgSidReply = new MessageVmNameToStringSidBatchReply(msgSidBatchQuery.SeqNo, (uint)OktoResultCodes.OKTO_RESULT_SUCCESS, DictVmNameToSid); SendSynchronous(conn, msgSidReply.Serialize); conn.BeginReceive(); break; } default: { string msg = string.Format("ReceiveMessage: unexpected message type {0}", messageType); throw new ApplicationException(msg); } } // switch }
public static IEnumerable <object> Get_DomainGroup(Args_Get_DomainGroup args = null) { if (args == null) { args = new Args_Get_DomainGroup(); } var SearcherArguments = new Args_Get_DomainSearcher { Domain = args.Domain, Properties = args.Properties, SearchBase = args.SearchBase, Server = args.Server, SearchScope = args.SearchScope, ResultPageSize = args.ResultPageSize, ServerTimeLimit = args.ServerTimeLimit, SecurityMasks = args.SecurityMasks, Tombstone = args.Tombstone, Credential = args.Credential }; var ObjectArguments = new Args_Get_DomainObject { Domain = args.Domain, Properties = args.Properties, SearchBase = args.SearchBase, Server = args.Server, SearchScope = args.SearchScope, ResultPageSize = args.ResultPageSize, ServerTimeLimit = args.ServerTimeLimit, SecurityMasks = args.SecurityMasks, Tombstone = args.Tombstone, Credential = args.Credential }; var GroupSearcher = GetDomainSearcher.Get_DomainSearcher(SearcherArguments); var Groups = new List <object>(); if (GroupSearcher != null) { if (args.MemberIdentity != null) { string[] OldProperties = null; if (args.Properties != null) { OldProperties = SearcherArguments.Properties; } ObjectArguments.Identity = args.MemberIdentity; ObjectArguments.Raw = true; var Objects = GetDomainObject.Get_DomainObject(ObjectArguments); if (Objects != null) { } foreach (SearchResult obj in Objects) { // convert the user/group to a directory entry var ObjectDirectoryEntry = obj.GetDirectoryEntry(); // cause the cache to calculate the token groups for the user/group ObjectDirectoryEntry.RefreshCache(new string[] { @"tokenGroups" }); foreach (byte[] tokenGroup in ObjectDirectoryEntry.Properties[@"tokenGroups"]) { // convert the token group sid var GroupSid = new System.Security.Principal.SecurityIdentifier(tokenGroup, 0).Value; // ignore the built in groups if (new Regex(@"^S-1-5-32-.*").Match(GroupSid).Success == false) { ObjectArguments.Identity = new string[] { GroupSid }; ObjectArguments.Raw = false; if (OldProperties != null) { ObjectArguments.Properties = OldProperties; } var Group = GetDomainObject.Get_DomainObject(ObjectArguments); if (Group != null) { Groups.AddRange(Group); } } } } } else { var IdentityFilter = ""; var Filter = ""; if (args.Identity != null) { foreach (var samName in args.Identity) { var IdentityInstance = samName.Replace(@"(", @"\28").Replace(@")", @"\29"); if (new Regex(@"^S-1-").Match(IdentityInstance).Success) { IdentityFilter += $@"(objectsid={IdentityInstance})"; } else if (new Regex(@"^CN=").Match(IdentityInstance).Success) { IdentityFilter += $@"(distinguishedname={IdentityInstance})"; if (args.Domain.IsNullOrEmpty() && args.SearchBase.IsNullOrEmpty()) { // if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname // and rebuild the domain searcher var IdentityDomain = IdentityInstance.Substring(IdentityInstance.IndexOf(@"DC=")).Replace(@"DC=", @"").Replace(@",", @"."); Logger.Write_Verbose($@"[Get-DomainGroup] Extracted domain '{IdentityDomain}' from '{IdentityInstance}'"); SearcherArguments.Domain = IdentityDomain; GroupSearcher = GetDomainSearcher.Get_DomainSearcher(SearcherArguments); if (GroupSearcher == null) { Logger.Write_Warning($@"[Get-DomainGroup] Unable to retrieve domain searcher for '{IdentityDomain}'"); } } } else if (new Regex(@"^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$").Match(IdentityInstance).Success) { var GuidByteString = string.Join(string.Empty, Guid.Parse(IdentityInstance).ToByteArray().Select(x => x.ToString(@"\X2"))); IdentityFilter += $@"(objectguid={GuidByteString})"; } else if (IdentityInstance.Contains(@"\")) { var ConvertedIdentityInstance = ConvertADName.Convert_ADName(new Args_Convert_ADName { OutputType = ADSNameType.Canonical, Identity = new string[] { IdentityInstance.Replace(@"\28", @"(").Replace(@"\29", @")") } }); if (ConvertedIdentityInstance != null && ConvertedIdentityInstance.Any()) { var GroupDomain = ConvertedIdentityInstance.First().Substring(0, ConvertedIdentityInstance.First().IndexOf('/')); var GroupName = IdentityInstance.Split(new char[] { '\\' })[1]; IdentityFilter += $@"(samAccountName={GroupName})"; SearcherArguments.Domain = GroupDomain; Logger.Write_Verbose($@"[Get-DomainUser] Extracted domain '{GroupDomain}' from '{IdentityInstance}'"); GroupSearcher = GetDomainSearcher.Get_DomainSearcher(SearcherArguments); } } else { IdentityFilter += $@"(|(samAccountName={IdentityInstance})(name={IdentityInstance}))"; } } } if (IdentityFilter != null && IdentityFilter.Trim() != "") { Filter += $@"(|{IdentityFilter})"; } if (args.AdminCount) { Logger.Write_Verbose(@"[Get-DomainGroup] Searching for adminCount=1"); Filter += "(admincount=1)"; } if (args.GroupScope != null) { switch (args.GroupScope.Value) { case GroupScope.DomainLocal: Filter = "(groupType:1.2.840.113556.1.4.803:=4)"; break; case GroupScope.NotDomainLocal: Filter = "(!(groupType:1.2.840.113556.1.4.803:=4))"; break; case GroupScope.Global: Filter = "(groupType:1.2.840.113556.1.4.803:=2)"; break; case GroupScope.NotGlobal: Filter = "(!(groupType:1.2.840.113556.1.4.803:=2))"; break; case GroupScope.Universal: Filter = "(groupType:1.2.840.113556.1.4.803:=8)"; break; case GroupScope.NotUniversal: Filter = "(!(groupType:1.2.840.113556.1.4.803:=8))"; break; default: break; } Logger.Write_Verbose($@"[Get-DomainGroup] Searching for group scope '{args.GroupScope.Value.ToString()}'"); } if (args.GroupProperty != null) { switch (args.GroupProperty.Value) { case GroupProperty.Security: Filter = "(groupType:1.2.840.113556.1.4.803:=2147483648)"; break; case GroupProperty.Distribution: Filter = "(!(groupType:1.2.840.113556.1.4.803:=2147483648))"; break; case GroupProperty.CreatedBySystem: Filter = "(groupType:1.2.840.113556.1.4.803:=1)"; break; case GroupProperty.NotCreatedBySystem: Filter = "(!(groupType:1.2.840.113556.1.4.803:=1))"; break; default: break; } Logger.Write_Verbose($@"[Get-DomainGroup] Searching for group property '{args.GroupProperty.Value.ToString()}'"); } if (args.LDAPFilter.IsNotNullOrEmpty()) { Logger.Write_Verbose($@"[Get-DomainGroup] Using additional LDAP filter: {args.LDAPFilter}"); Filter += $@"{args.LDAPFilter}"; } GroupSearcher.Filter = $@"(&(objectCategory=group){Filter})"; Logger.Write_Verbose($@"[Get-DomainGroup] filter string: {GroupSearcher.Filter}"); if (args.FindOne) { var result = GroupSearcher.FindOne(); if (args.Raw) { // return raw result objects Groups.Add(result); } else { Groups.Add(ConvertLDAPProperty.Convert_LDAPProperty(result.Properties)); } } else { var Results = GroupSearcher.FindAll(); foreach (SearchResult result in Results) { if (args.Raw) { // return raw result objects Groups.Add(result); } else { Groups.Add(ConvertLDAPProperty.Convert_LDAPProperty(result.Properties)); } } if (Results != null) { try { Results.Dispose(); } catch (Exception e) { Logger.Write_Verbose($@"[Get-DomainGroup] Error disposing of the Results object: {e}"); } } } GroupSearcher.Dispose(); } } return(Groups); }
private static IdentityReferenceCollection TranslateToSids(IdentityReferenceCollection sourceAccounts, out bool someFailed) { if (sourceAccounts == null) { throw new ArgumentNullException("sourceAccounts"); } if (sourceAccounts.Count == 0) { throw new ArgumentException(Environment.GetResourceString("Arg_EmptyCollection"), "sourceAccounts"); } SafeLsaPolicyHandle safeLsaPolicyHandle = SafeLsaPolicyHandle.InvalidHandle; SafeLsaMemoryHandle invalidHandle = SafeLsaMemoryHandle.InvalidHandle; SafeLsaMemoryHandle invalidHandle2 = SafeLsaMemoryHandle.InvalidHandle; IdentityReferenceCollection result; try { Win32Native.UNICODE_STRING[] array = new Win32Native.UNICODE_STRING[sourceAccounts.Count]; int num = 0; foreach (IdentityReference identityReference in sourceAccounts) { NTAccount ntaccount = identityReference as NTAccount; if (ntaccount == null) { throw new ArgumentException(Environment.GetResourceString("Argument_ImproperType"), "sourceAccounts"); } array[num].Buffer = ntaccount.ToString(); if (array[num].Buffer.Length * 2 + 2 > 65535) { throw new SystemException(); } array[num].Length = (ushort)(array[num].Buffer.Length * 2); array[num].MaximumLength = array[num].Length + 2; num++; } safeLsaPolicyHandle = Win32.LsaOpenPolicy(null, PolicyRights.POLICY_LOOKUP_NAMES); someFailed = false; uint num2; if (Win32.LsaLookupNames2Supported) { num2 = Win32Native.LsaLookupNames2(safeLsaPolicyHandle, 0, sourceAccounts.Count, array, ref invalidHandle, ref invalidHandle2); } else { num2 = Win32Native.LsaLookupNames(safeLsaPolicyHandle, sourceAccounts.Count, array, ref invalidHandle, ref invalidHandle2); } if (num2 == 3221225495U || num2 == 3221225626U) { throw new OutOfMemoryException(); } if (num2 == 3221225506U) { throw new UnauthorizedAccessException(); } if (num2 == 3221225587U || num2 == 263U) { someFailed = true; } else if (num2 != 0U) { int errorCode = Win32Native.LsaNtStatusToWinError((int)num2); throw new SystemException(Win32Native.GetMessage(errorCode)); } IdentityReferenceCollection identityReferenceCollection = new IdentityReferenceCollection(sourceAccounts.Count); if (num2 == 0U || num2 == 263U) { if (Win32.LsaLookupNames2Supported) { invalidHandle2.Initialize((uint)sourceAccounts.Count, (uint)Marshal.SizeOf(typeof(Win32Native.LSA_TRANSLATED_SID2))); Win32.InitializeReferencedDomainsPointer(invalidHandle); Win32Native.LSA_TRANSLATED_SID2[] array2 = new Win32Native.LSA_TRANSLATED_SID2[sourceAccounts.Count]; invalidHandle2.ReadArray <Win32Native.LSA_TRANSLATED_SID2>(0UL, array2, 0, array2.Length); int i = 0; while (i < sourceAccounts.Count) { Win32Native.LSA_TRANSLATED_SID2 lsa_TRANSLATED_SID = array2[i]; switch (lsa_TRANSLATED_SID.Use) { case 1: case 2: case 4: case 5: case 9: identityReferenceCollection.Add(new SecurityIdentifier(lsa_TRANSLATED_SID.Sid, true)); break; case 3: case 6: case 7: case 8: goto IL_282; default: goto IL_282; } IL_294: i++; continue; IL_282: someFailed = true; identityReferenceCollection.Add(sourceAccounts[i]); goto IL_294; } } else { invalidHandle2.Initialize((uint)sourceAccounts.Count, (uint)Marshal.SizeOf(typeof(Win32Native.LSA_TRANSLATED_SID))); Win32.InitializeReferencedDomainsPointer(invalidHandle); Win32Native.LSA_REFERENCED_DOMAIN_LIST lsa_REFERENCED_DOMAIN_LIST = invalidHandle.Read <Win32Native.LSA_REFERENCED_DOMAIN_LIST>(0UL); SecurityIdentifier[] array3 = new SecurityIdentifier[lsa_REFERENCED_DOMAIN_LIST.Entries]; for (int j = 0; j < lsa_REFERENCED_DOMAIN_LIST.Entries; j++) { Win32Native.LSA_TRUST_INFORMATION lsa_TRUST_INFORMATION = (Win32Native.LSA_TRUST_INFORMATION)Marshal.PtrToStructure(new IntPtr((long)lsa_REFERENCED_DOMAIN_LIST.Domains + (long)(j * Marshal.SizeOf(typeof(Win32Native.LSA_TRUST_INFORMATION)))), typeof(Win32Native.LSA_TRUST_INFORMATION)); array3[j] = new SecurityIdentifier(lsa_TRUST_INFORMATION.Sid, true); } Win32Native.LSA_TRANSLATED_SID[] array4 = new Win32Native.LSA_TRANSLATED_SID[sourceAccounts.Count]; invalidHandle2.ReadArray <Win32Native.LSA_TRANSLATED_SID>(0UL, array4, 0, array4.Length); int k = 0; while (k < sourceAccounts.Count) { Win32Native.LSA_TRANSLATED_SID lsa_TRANSLATED_SID2 = array4[k]; switch (lsa_TRANSLATED_SID2.Use) { case 1: case 2: case 4: case 5: case 9: identityReferenceCollection.Add(new SecurityIdentifier(array3[lsa_TRANSLATED_SID2.DomainIndex], lsa_TRANSLATED_SID2.Rid)); break; case 3: case 6: case 7: case 8: goto IL_3C8; default: goto IL_3C8; } IL_3DA: k++; continue; IL_3C8: someFailed = true; identityReferenceCollection.Add(sourceAccounts[k]); goto IL_3DA; } } } else { for (int l = 0; l < sourceAccounts.Count; l++) { identityReferenceCollection.Add(sourceAccounts[l]); } } result = identityReferenceCollection; } finally { safeLsaPolicyHandle.Dispose(); invalidHandle.Dispose(); invalidHandle2.Dispose(); } return(result); }
public static string GetUserFromSID(string sid) { string account = new System.Security.Principal.SecurityIdentifier(sid).Translate(typeof(System.Security.Principal.NTAccount)).ToString(); return(account); }
[System.Security.SecurityCritical] // auto-generated private static IdentityReferenceCollection TranslateToSids(IdentityReferenceCollection sourceAccounts, out bool someFailed) { if (sourceAccounts == null) { throw new ArgumentNullException("sourceAccounts"); } if (sourceAccounts.Count == 0) { throw new ArgumentException(Environment.GetResourceString("Arg_EmptyCollection"), "sourceAccounts"); } Contract.EndContractBlock(); SafeLsaPolicyHandle LsaHandle = SafeLsaPolicyHandle.InvalidHandle; SafeLsaMemoryHandle ReferencedDomainsPtr = SafeLsaMemoryHandle.InvalidHandle; SafeLsaMemoryHandle SidsPtr = SafeLsaMemoryHandle.InvalidHandle; try { // // Construct an array of unicode strings // Win32Native.UNICODE_STRING[] Names = new Win32Native.UNICODE_STRING[sourceAccounts.Count]; int currentName = 0; foreach (IdentityReference id in sourceAccounts) { NTAccount nta = id as NTAccount; if (nta == null) { throw new ArgumentException(Environment.GetResourceString("Argument_ImproperType"), "sourceAccounts"); } Names[currentName].Buffer = nta.ToString(); if (Names[currentName].Buffer.Length * 2 + 2 > ushort.MaxValue) { // this should never happen since we are already validating account name length in constructor and // it is less than this limit Contract.Assert(false, "NTAccount::TranslateToSids - source account name is too long."); throw new SystemException(); } Names[currentName].Length = (ushort)(Names[currentName].Buffer.Length * 2); Names[currentName].MaximumLength = (ushort)(Names[currentName].Length + 2); currentName++; } // // Open LSA policy (for lookup requires it) // LsaHandle = Win32.LsaOpenPolicy(null, PolicyRights.POLICY_LOOKUP_NAMES); // // Now perform the actual lookup // someFailed = false; uint ReturnCode; if (Win32.LsaLookupNames2Supported) { ReturnCode = Win32Native.LsaLookupNames2(LsaHandle, 0, sourceAccounts.Count, Names, ref ReferencedDomainsPtr, ref SidsPtr); } else { ReturnCode = Win32Native.LsaLookupNames(LsaHandle, sourceAccounts.Count, Names, ref ReferencedDomainsPtr, ref SidsPtr); } // // Make a decision regarding whether it makes sense to proceed // based on the return code and the value of the forceSuccess argument // if (ReturnCode == Win32Native.STATUS_NO_MEMORY || ReturnCode == Win32Native.STATUS_INSUFFICIENT_RESOURCES) { throw new OutOfMemoryException(); } else if (ReturnCode == Win32Native.STATUS_ACCESS_DENIED) { throw new UnauthorizedAccessException(); } else if (ReturnCode == Win32Native.STATUS_NONE_MAPPED || ReturnCode == Win32Native.STATUS_SOME_NOT_MAPPED) { someFailed = true; } else if (ReturnCode != 0) { int win32ErrorCode = Win32Native.LsaNtStatusToWinError(unchecked ((int)ReturnCode)); if (win32ErrorCode != Win32Native.ERROR_TRUSTED_RELATIONSHIP_FAILURE) { Contract.Assert(false, string.Format(CultureInfo.InvariantCulture, "Win32Native.LsaLookupNames(2) returned unrecognized error {0}", win32ErrorCode)); } throw new SystemException(Win32Native.GetMessage(win32ErrorCode)); } // // Interpret the results and generate SID objects // IdentityReferenceCollection Result = new IdentityReferenceCollection(sourceAccounts.Count); if (ReturnCode == 0 || ReturnCode == Win32Native.STATUS_SOME_NOT_MAPPED) { if (Win32.LsaLookupNames2Supported) { SidsPtr.Initialize((uint)sourceAccounts.Count, (uint)Marshal.SizeOf(typeof(Win32Native.LSA_TRANSLATED_SID2))); Win32.InitializeReferencedDomainsPointer(ReferencedDomainsPtr); Win32Native.LSA_TRANSLATED_SID2[] translatedSids = new Win32Native.LSA_TRANSLATED_SID2[sourceAccounts.Count]; SidsPtr.ReadArray(0, translatedSids, 0, translatedSids.Length); for (int i = 0; i < sourceAccounts.Count; i++) { Win32Native.LSA_TRANSLATED_SID2 Lts = translatedSids[i]; // // Only some names are recognized as NTAccount objects // switch ((SidNameUse)Lts.Use) { case SidNameUse.User: case SidNameUse.Group: case SidNameUse.Alias: case SidNameUse.Computer: case SidNameUse.WellKnownGroup: Result.Add(new SecurityIdentifier(Lts.Sid, true)); break; default: someFailed = true; Result.Add(sourceAccounts[i]); break; } } } else { SidsPtr.Initialize((uint)sourceAccounts.Count, (uint)Marshal.SizeOf(typeof(Win32Native.LSA_TRANSLATED_SID))); Win32.InitializeReferencedDomainsPointer(ReferencedDomainsPtr); Win32Native.LSA_REFERENCED_DOMAIN_LIST rdl = ReferencedDomainsPtr.Read <Win32Native.LSA_REFERENCED_DOMAIN_LIST>(0); SecurityIdentifier[] ReferencedDomains = new SecurityIdentifier[rdl.Entries]; for (int i = 0; i < rdl.Entries; i++) { Win32Native.LSA_TRUST_INFORMATION ti = (Win32Native.LSA_TRUST_INFORMATION)Marshal.PtrToStructure(new IntPtr(( long )rdl.Domains + i * Marshal.SizeOf(typeof(Win32Native.LSA_TRUST_INFORMATION))), typeof(Win32Native.LSA_TRUST_INFORMATION)); ReferencedDomains[i] = new SecurityIdentifier(ti.Sid, true); } Win32Native.LSA_TRANSLATED_SID[] translatedSids = new Win32Native.LSA_TRANSLATED_SID[sourceAccounts.Count]; SidsPtr.ReadArray(0, translatedSids, 0, translatedSids.Length); for (int i = 0; i < sourceAccounts.Count; i++) { Win32Native.LSA_TRANSLATED_SID Lts = translatedSids[i]; switch ((SidNameUse)Lts.Use) { case SidNameUse.User: case SidNameUse.Group: case SidNameUse.Alias: case SidNameUse.Computer: case SidNameUse.WellKnownGroup: Result.Add(new SecurityIdentifier(ReferencedDomains[Lts.DomainIndex], Lts.Rid)); break; default: someFailed = true; Result.Add(sourceAccounts[i]); break; } } } } else { for (int i = 0; i < sourceAccounts.Count; i++) { Result.Add(sourceAccounts[i]); } } return(Result); } finally { LsaHandle.Dispose(); ReferencedDomainsPtr.Dispose(); SidsPtr.Dispose(); } }