GetUserPrincipal() public static method

public static GetUserPrincipal ( SecurityIdentifier sid ) : System.DirectoryServices.AccountManagement.UserPrincipal
sid SecurityIdentifier
return System.DirectoryServices.AccountManagement.UserPrincipal
Exemplo n.º 1
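        /// <summary>
        /// Changes a local account's password after re-validating the caller's current credentials.
        /// </summary>
        /// <param name="cpInfo">Username plus the old and new passwords.</param>
        /// <param name="pluginInfo">Plugin activity context; not used by this implementation.</param>
        /// <returns>
        /// A <c>BooleanResult</c> whose <c>Success</c> is true only after the password was actually
        /// set. The failure message for a rejected old password is the same whether the username or
        /// the password was wrong, so it does not reveal which local accounts exist.
        /// </returns>
        /// <exception cref="ArgumentNullException"><paramref name="cpInfo"/> is null.</exception>
        public BooleanResult ChangePassword(ChangePasswordInfo cpInfo, ChangePasswordPluginActivityInfo pluginInfo)
        {
            m_logger.Debug("ChangePassword()");

            if (cpInfo == null)
            {
                throw new ArgumentNullException("cpInfo");
            }

            // Verify the old password before touching the account. Keep the message identical for
            // "no such user" and "wrong password".
            if (!Abstractions.WindowsApi.pInvokes.ValidateCredentials(cpInfo.Username, cpInfo.OldPassword))
            {
                return new BooleanResult
                {
                    Success = false, Message = "Current password or username is not valid."
                };
            }

            m_logger.DebugFormat("Authenticated via old password: {0}", cpInfo.Username);

            try
            {
                using (UserPrincipal user = LocalAccount.GetUserPrincipal(cpInfo.Username))
                {
                    if (user == null)
                    {
                        return new BooleanResult
                        {
                            Success = false, Message = "Local machine plugin internal error: directory entry not found."
                        };
                    }

                    m_logger.DebugFormat("Found principal, changing password for {0}", cpInfo.Username);
                    user.SetPassword(cpInfo.NewPassword);
                }
            }
            catch (Exception e)
            {
                // SetPassword throws when the machine rejects the new password (for example a
                // password-policy failure). Report that as a failed result instead of letting the
                // exception escape a stage whose contract is to return a BooleanResult.
                m_logger.ErrorFormat("Unable to change password for {0}: {1}", cpInfo.Username, e);
                return new BooleanResult
                {
                    Success = false, Message = string.Format("Unable to change password: {0}", e.Message)
                };
            }

            return new BooleanResult
            {
                Success = true, Message = "Local password successfully changed."
            };
        }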
Exemplo n.º 2
        /// <summary>
        /// Reads the local group memberships of <paramref name="userInfo"/>'s account and records
        /// each one on <paramref name="userInfo"/> through <c>AddGroup</c>.
        /// </summary>
        /// <param name="userInfo">Tracked user record; its <c>Username</c> names the local account.</param>
        /// <remarks>
        /// Best-effort: any exception is logged and the remaining groups are skipped. The
        /// "Everyone" and "Authenticated Users" memberships are not recorded because they are
        /// generated rather than explicitly assigned.
        /// </remarks>
        public static void SyncLocalGroupsToUserInfo(UserInformation userInfo)
        {
            ILog logger = LogManager.GetLogger("LocalAccount.SyncLocalGroupsToUserInfo");

            try
            {
                SecurityIdentifier everyone           = new SecurityIdentifier("S-1-1-0");
                SecurityIdentifier authenticatedUsers = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);

                if (!LocalAccount.UserExists(userInfo.Username))
                {
                    return;
                }

                using (UserPrincipal user = LocalAccount.GetUserPrincipal(userInfo.Username))
                {
                    foreach (GroupPrincipal group in LocalAccount.GetGroups(user))
                    {
                        bool isGeneratedGroup = group.Sid == everyone || group.Sid == authenticatedUsers;
                        if (isGeneratedGroup)
                        {
                            continue;
                        }

                        GroupInformation info = new GroupInformation();
                        info.Name        = group.Name;
                        info.Description = group.Description;
                        info.SID         = group.Sid;
                        userInfo.AddGroup(info);
                    }
                }
            }
            catch (Exception e)
            {
                logger.ErrorFormat("Unexpected error while syncing local groups, skipping rest: {0}", e);
            }
        }
Exemplo n.º 3
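        /// <summary>
        /// Gateway stage for an authenticated user: ensures a local account exists, that its
        /// password matches the one used to authenticate, and that its group membership matches
        /// the tracked <c>UserInformation</c> plus the configured mandatory groups.
        /// </summary>
        /// <param name="properties">Session properties carrying the tracked <c>UserInformation</c>.</param>
        /// <returns>
        /// Success when the account was synced, or when the account exists but was not created by
        /// pGina (such accounts are left untouched). Failure when the group sync fails and
        /// <c>GroupCreateFailIsFail</c> is set, or when the local user sync throws.
        /// </returns>
        public BooleanResult AuthenticatedUserGateway(SessionProperties properties)
        {
            // Our job, if we've been elected to do gateway, is to ensure that an
            //  authenticated user:
            //
            //  1. Has a local account
            //  2. That account's password is set to the one they used to authenticate
            //  3. That account is a member of all groups listed, and not a member of any others

            // Is failure at #3 a total fail?
            bool failIfGroupSyncFails = Settings.Store.GroupCreateFailIsFail;

            // Groups everyone is added to
            string[] mandatoryGroups = Settings.Store.MandatoryGroups;

            // user info
            UserInformation userInfo = properties.GetTrackedSingle<UserInformation>();

            // Only accounts this plugin created are managed. The marker is the "pGina created"
            // text in the account's comment field, so a pre-existing local account without that
            // marker is never modified by this stage.
            Abstractions.WindowsApi.pInvokes.structenums.USER_INFO_4 userinfo4 = new Abstractions.WindowsApi.pInvokes.structenums.USER_INFO_4();
            if (Abstractions.WindowsApi.pInvokes.UserGet(userInfo.Username, ref userinfo4)) // true if user exists
            {
                // The comment field may be unset on accounts created elsewhere; treat that as "not ours".
                string comment = userinfo4.comment ?? string.Empty;
                if (!comment.Contains("pGina created"))
                {
                    m_logger.InfoFormat("User {0} is'nt a pGina created user. I'm not executing Gateway stage", userInfo.Username);
                    return new BooleanResult()
                    {
                        Success = true
                    };
                }
            }

            // Add user to all mandatory groups
            if (mandatoryGroups != null)
            {
                foreach (string group in mandatoryGroups)
                {
                    string groupName = ResolveMandatoryGroupName(group);
                    if (groupName != null)
                    {
                        userInfo.AddGroup(new GroupInformation()
                        {
                            Name = groupName
                        });
                    }
                }
            }

            try
            {
                m_logger.DebugFormat("AuthenticatedUserGateway({0}) for user: {1}", properties.Id.ToString(), userInfo.Username);
                LocalAccount.SyncUserInfoToLocalUser(userInfo);
                using (UserPrincipal user = LocalAccount.GetUserPrincipal(userInfo.Username))
                {
                    if (user == null)
                    {
                        // The sync above is expected to have created the account; report the
                        // inconsistency rather than dereference null.
                        return new BooleanResult()
                        {
                            Success = false, Message = string.Format("Local account {0} not found after sync.", userInfo.Username)
                        };
                    }

                    userInfo.SID         = user.Sid;
                    userInfo.Description = user.Description;
                }
                properties.AddTrackedSingle<UserInformation>(userInfo);
            }
            catch (LocalAccount.GroupSyncException e)
            {
                if (failIfGroupSyncFails)
                {
                    return new BooleanResult()
                    {
                        Success = false, Message = string.Format("Unable to sync users local group membership: {0}", e.RootException)
                    };
                }
                // Otherwise a group-sync failure is tolerated and the stage still succeeds.
            }
            catch (Exception e)
            {
                // The message check is ordinal so it does not depend on the thread culture.
                if (e.Message.IndexOf("0x800708c5", StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    return new BooleanResult()
                    {
                        Success = false, Message = string.Format("This Worstation is denying the password of {0}.\nMost likely the password does not meet complexity requirements\n\n{1}", userInfo.Username, e)
                    };
                }

                return new BooleanResult()
                {
                    Success = false, Message = string.Format("Unexpected error while syncing user's info: {0}", e)
                };
            }

            return new BooleanResult()
            {
                Success = true
            };
        }

        /// <summary>
        /// Resolves one configured mandatory group (name or SID string) to the local group name
        /// the user should be added to.
        /// </summary>
        /// <param name="group">Group name or SID string from <c>Settings.Store.MandatoryGroups</c>.</param>
        /// <returns>
        /// The group's name; if the configured group does not exist, the name of the built-in
        /// Users group as a fallback; null if that cannot be resolved either.
        /// </returns>
        private string ResolveMandatoryGroupName(string group)
        {
            m_logger.DebugFormat("Is there a Group with SID/Name:{0}", group);
            using (GroupPrincipal groupconf = LocalAccount.GetGroupPrincipal(group))
            {
                if (groupconf != null)
                {
                    m_logger.DebugFormat("Groupname: \"{0}\"", groupconf.Name);
                    return groupconf.Name;
                }
            }

            // A misconfigured mandatory group falls back to the built-in Users group rather than
            // dropping the user from all groups; the error is logged so the misconfiguration is visible.
            m_logger.ErrorFormat("Group: \"{0}\" not found", group);
            m_logger.Error("Failsave add user to group Users");
            string usersSid = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null).ToString();
            using (GroupPrincipal groupfail = LocalAccount.GetGroupPrincipal(usersSid))
            {
                if (groupfail != null)
                {
                    return groupfail.Name;
                }
            }

            m_logger.Debug("no BuiltinUsers. I'm out of options");
            return null;
        }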
Exemplo n.º 4
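        /// <summary>
        /// Runs one pass over the eligible cleanup tasks: for each user that still exists and is
        /// no longer logged on, performs the task's action and then drops the task.
        /// </summary>
        /// <remarks>
        /// Tasks for users who no longer exist are dropped without action. A task whose action
        /// throws, or whose action is unrecognized, is kept and retried on the next pass. Passes
        /// are serialized with <c>lock (this)</c>; a private lock object would be preferable since
        /// <c>this</c> is reachable by other code, but changing it requires a new field on the class.
        /// </remarks>
        private void IterateCleanupUsers()
        {
            lock (this)
            {
                List<CleanupTask> tasks = CleanupTasks.GetEligibleTasks();
                List<string> loggedOnUsers;
                try
                {
                    loggedOnUsers = LoggedOnLocalUsers();
                }
                catch (System.ComponentModel.Win32Exception e)
                {
                    // Without a reliable logged-on list a still-active session could be cleaned up; skip this pass.
                    m_logger.ErrorFormat("Error (ignored) LoggedOnLocalUsers {0}", e);
                    return;
                }

                m_logger.DebugFormat("IterateCleanupUsers Eligible users: {0}", string.Join(",", tasks));
                m_logger.DebugFormat("IterateCleanupUsers loggedOnUsers: {0}", string.Join(",", loggedOnUsers));

                foreach (CleanupTask task in tasks)
                {
                    try
                    {
                        using (UserPrincipal userPrincipal = LocalAccount.GetUserPrincipal(task.UserName))
                        {
                            // Make sure the user exists
                            if (userPrincipal == null)
                            {
                                m_logger.DebugFormat("User {0} doesn't exist, not cleaning up.", task.UserName);
                                CleanupTasks.RemoveTaskForUser(task.UserName);
                                continue;
                            }

                            // Still logged on? Account names are identifiers, so compare them
                            // ordinally rather than with the current culture.
                            if (loggedOnUsers.Contains(task.UserName, StringComparer.OrdinalIgnoreCase))
                            {
                                continue;
                            }

                            m_logger.InfoFormat("Cleaning up: {0} -> {1}", task.UserName, task.Action);

                            try
                            {
                                switch (task.Action)
                                {
                                case CleanupAction.SCRAMBLE_PASSWORD:
                                    LocalAccount.ScrambleUsersPassword(task.UserName);
                                    break;

                                case CleanupAction.DELETE_PROFILE:
                                    LocalAccount.RemoveUserAndProfile(task.UserName);
                                    break;

                                default:
                                    // Unknown action: leave the task in place, but skip it directly
                                    // instead of routing the skip through a thrown exception.
                                    m_logger.ErrorFormat("Unrecognized action: {0}, skipping user {1}", task.Action, task.UserName);
                                    continue;
                                }
                            }
                            catch (Exception e)
                            {
                                m_logger.WarnFormat("Cleanup for {0} failed, will retry next time around. Error: {1}", task.UserName, e);
                                continue;
                            }

                            // All done! No more cleanup for this user needed
                            CleanupTasks.RemoveTaskForUser(task.UserName);
                        }
                    }
                    catch (Exception e)
                    {
                        // If something goes wrong, we log the exception and ignore.
                        m_logger.ErrorFormat("Caught (ignoring) Exception {0}", e);
                    }
                }
            }
        }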