From ecff0e52a340772656edfc283bbee006407244b1 Mon Sep 17 00:00:00 2001
From: Eric Kohl <eric.kohl@reactos.org>
Date: Wed, 30 May 2012 22:53:37 +0000
Subject: [PATCH] [LSASRV][SYSSETUP] Move the creation of the random account
 domain SID from syssetup.dll to lsasrv.dll. This change is required because
 the account domain SID must be stored in the LSA database before the SAM
 database initializes. Syssetup.dll created the account domain SID much too
 late.

svn path=/trunk/; revision=56678
---
 reactos/dll/win32/lsasrv/database.c   | 48 +++++++++++++++++++++----
 reactos/dll/win32/lsasrv/lsasrv.h     |  1 +
 reactos/dll/win32/syssetup/globals.h  |  1 +
 reactos/dll/win32/syssetup/install.c  | 52 +++++----------------------
 reactos/dll/win32/syssetup/security.c | 34 ++++++++++++++++++
 5 files changed, 85 insertions(+), 51 deletions(-)

diff --git a/reactos/dll/win32/lsasrv/database.c b/reactos/dll/win32/lsasrv/database.c
index c7b770c7131..faa85ba65a8 100644
--- a/reactos/dll/win32/lsasrv/database.c
+++ b/reactos/dll/win32/lsasrv/database.c
@@ -199,12 +199,42 @@ Done:
 }
 
 
+static NTSTATUS
+LsapCreateRandomDomainSid(OUT PSID *Sid)
+{
+    SID_IDENTIFIER_AUTHORITY SystemAuthority = {SECURITY_NT_AUTHORITY};
+    LARGE_INTEGER SystemTime;
+    PULONG Seed;
+
+    NtQuerySystemTime(&SystemTime);
+    Seed = &SystemTime.u.LowPart;
+
+    return RtlAllocateAndInitializeSid(&SystemAuthority,
+                                       4,
+                                       SECURITY_NT_NON_UNIQUE,
+                                       RtlUniform(Seed),
+                                       RtlUniform(Seed),
+                                       RtlUniform(Seed),
+                                       SECURITY_NULL_RID,
+                                       SECURITY_NULL_RID,
+                                       SECURITY_NULL_RID,
+                                       SECURITY_NULL_RID,
+                                       Sid);
+}
+
+
 static NTSTATUS
 LsapCreateDatabaseObjects(VOID)
 {
-    PLSA_DB_OBJECT PolicyObject;
+    PLSA_DB_OBJECT PolicyObject = NULL;
+    PSID AccountDomainSid = NULL;
     NTSTATUS Status;
 
+    /* Create a random domain SID */
+    Status = LsapCreateRandomDomainSid(&AccountDomainSid);
+    if (!NT_SUCCESS(Status))
+        return Status;
+
     /* Open the 'Policy' object */
     Status = LsapOpenDbObject(NULL,
                               L"Policy",
@@ -212,7 +242,7 @@ LsapCreateDatabaseObjects(VOID)
                               0,
                               &PolicyObject);
     if (!NT_SUCCESS(Status))
-        return Status;
+        goto done;
 
     LsapSetObjectAttribute(PolicyObject,
                            L"PolPrDmN",
@@ -231,13 +261,17 @@ LsapCreateDatabaseObjects(VOID)
 
     LsapSetObjectAttribute(PolicyObject,
                            L"PolAcDmS",
-                           NULL,
-                           0);
+                           AccountDomainSid,
+                           RtlLengthSid(AccountDomainSid));
 
-    /* Close the 'Policy' object */
-    LsapCloseDbObject(PolicyObject);
+done:
+    if (PolicyObject != NULL)
+        LsapCloseDbObject(PolicyObject);
 
-    return STATUS_SUCCESS;
+    if (AccountDomainSid != NULL)
+        RtlFreeSid(AccountDomainSid);
+
+    return Status;
 }
 
 
diff --git a/reactos/dll/win32/lsasrv/lsasrv.h b/reactos/dll/win32/lsasrv/lsasrv.h
index 79f7ed49937..7442977e371 100644
--- a/reactos/dll/win32/lsasrv/lsasrv.h
+++ b/reactos/dll/win32/lsasrv/lsasrv.h
@@ -11,6 +11,7 @@
 #include <windows.h>
 #define NTOS_MODE_USER
 #include <ndk/cmfuncs.h>
+#include <ndk/kefuncs.h>
 #include <ndk/lpctypes.h>
 #include <ndk/lpcfuncs.h>
 #include <ndk/obfuncs.h>
diff --git a/reactos/dll/win32/syssetup/globals.h b/reactos/dll/win32/syssetup/globals.h
index 385b5c810c4..483a6d4d7f5 100644
--- a/reactos/dll/win32/syssetup/globals.h
+++ b/reactos/dll/win32/syssetup/globals.h
@@ -64,6 +64,7 @@ extern SETUPDATA SetupData;
 /* security.c */
 NTSTATUS SetAccountDomain(LPCWSTR DomainName,
                           PSID DomainSid);
+NTSTATUS GetAccountDomainInfo(PPOLICY_ACCOUNT_DOMAIN_INFO *AccountDomainInfo);
 VOID InstallSecurity(VOID);
 
 /* wizard.c */
diff --git a/reactos/dll/win32/syssetup/install.c b/reactos/dll/win32/syssetup/install.c
index 1e611254a5a..01b99dde738 100644
--- a/reactos/dll/win32/syssetup/install.c
+++ b/reactos/dll/win32/syssetup/install.c
@@ -36,9 +36,6 @@ CMP_WaitNoPendingInstallEvents(DWORD dwTimeout);
 
 /* GLOBALS ******************************************************************/
 
-PSID DomainSid = NULL;
-PSID AdminSid = NULL;
-
 HINF hSysSetupInf = INVALID_HANDLE_VALUE;
 
 /* FUNCTIONS ****************************************************************/
@@ -227,33 +224,6 @@ CreateShortcutFolder(int csidl, UINT nID, LPTSTR pszName, int cchNameLen)
     return CreateDirectory(szPath, NULL) || GetLastError()==ERROR_ALREADY_EXISTS;
 }
 
-static BOOL
-CreateRandomSid(
-    OUT PSID *Sid)
-{
-    SID_IDENTIFIER_AUTHORITY SystemAuthority = {SECURITY_NT_AUTHORITY};
-    LARGE_INTEGER SystemTime;
-    PULONG Seed;
-    NTSTATUS Status;
-
-    NtQuerySystemTime(&SystemTime);
-    Seed = &SystemTime.u.LowPart;
-
-    Status = RtlAllocateAndInitializeSid(
-        &SystemAuthority,
-        4,
-        SECURITY_NT_NON_UNIQUE,
-        RtlUniform(Seed),
-        RtlUniform(Seed),
-        RtlUniform(Seed),
-        SECURITY_NULL_RID,
-        SECURITY_NULL_RID,
-        SECURITY_NULL_RID,
-        SECURITY_NULL_RID,
-        Sid);
-    return NT_SUCCESS(Status);
-}
-
 static VOID
 AppendRidToSid(
     OUT PSID *Dst,
@@ -878,6 +848,8 @@ SetSetupType(DWORD dwSetupType)
 DWORD WINAPI
 InstallReactOS(HINSTANCE hInstance)
 {
+    PPOLICY_ACCOUNT_DOMAIN_INFO AccountDomainInfo = NULL;
+    PSID AdminSid = NULL;
     TCHAR szBuffer[MAX_PATH];
     DWORD LastError;
     HANDLE token;
@@ -893,23 +865,17 @@ InstallReactOS(HINSTANCE hInstance)
         return 0;
     }
 
-    /* Create the semi-random Domain-SID */
-    if (!CreateRandomSid(&DomainSid))
+    /* Get account domain information */
+    if (GetAccountDomainInfo(&AccountDomainInfo) != STATUS_SUCCESS)
     {
-        FatalError("Domain-SID creation failed!");
-        return 0;
-    }
-
-    /* Set the Domain SID (aka Computer SID) */
-    if (SetAccountDomain(NULL, DomainSid) != STATUS_SUCCESS)
-    {
-        FatalError("SetAccountDomain() failed!");
-        RtlFreeSid(DomainSid);
+        FatalError("GetAccountDomainInfo() failed!");
         return 0;
     }
 
     /* Append the Admin-RID */
-    AppendRidToSid(&AdminSid, DomainSid, DOMAIN_USER_RID_ADMIN);
+    AppendRidToSid(&AdminSid, AccountDomainInfo->DomainSid, DOMAIN_USER_RID_ADMIN);
+
+    LsaFreeMemory(AccountDomainInfo);
 
     CreateTempDir(L"TEMP");
     CreateTempDir(L"TMP");
@@ -964,13 +930,11 @@ InstallReactOS(HINSTANCE hInstance)
         {
             FatalError("SamCreateUser() failed!");
             RtlFreeSid(AdminSid);
-            RtlFreeSid(DomainSid);
             return 0;
         }
     }
 
     RtlFreeSid(AdminSid);
-    RtlFreeSid(DomainSid);
 
     if (!CreateShortcuts())
     {
diff --git a/reactos/dll/win32/syssetup/security.c b/reactos/dll/win32/syssetup/security.c
index ecf892d8666..3d822fb9daf 100644
--- a/reactos/dll/win32/syssetup/security.c
+++ b/reactos/dll/win32/syssetup/security.c
@@ -26,6 +26,8 @@ SetAccountDomain(LPCWSTR DomainName,
     LSA_HANDLE PolicyHandle;
     NTSTATUS Status;
 
+    DPRINT1("SYSSETUP: SetAccountDomain\n");
+
     memset(&ObjectAttributes, 0, sizeof(LSA_OBJECT_ATTRIBUTES));
     ObjectAttributes.Length = sizeof(LSA_OBJECT_ATTRIBUTES);
 
@@ -87,6 +89,38 @@ SetAccountDomain(LPCWSTR DomainName,
 }
 
 
+NTSTATUS
+GetAccountDomainInfo(PPOLICY_ACCOUNT_DOMAIN_INFO *AccountDomainInfo)
+{
+    LSA_OBJECT_ATTRIBUTES ObjectAttributes;
+    LSA_HANDLE PolicyHandle;
+    NTSTATUS Status;
+
+    DPRINT1("SYSSETUP: GetAccountDomain\n");
+
+    memset(&ObjectAttributes, 0, sizeof(LSA_OBJECT_ATTRIBUTES));
+    ObjectAttributes.Length = sizeof(LSA_OBJECT_ATTRIBUTES);
+
+    Status = LsaOpenPolicy(NULL,
+                           &ObjectAttributes,
+                           POLICY_TRUST_ADMIN,
+                           &PolicyHandle);
+    if (Status != STATUS_SUCCESS)
+    {
+        DPRINT("LsaOpenPolicy failed (Status: 0x%08lx)\n", Status);
+        return Status;
+    }
+
+    Status = LsaQueryInformationPolicy(PolicyHandle,
+                                       PolicyAccountDomainInformation,
+                                       (PVOID *)AccountDomainInfo);
+
+    LsaClose(PolicyHandle);
+
+    return Status;
+}
+
+
 static
 VOID
 InstallBuiltinAccounts(VOID)
-- 
2.17.1