srcctl3: Improve debug messages

A customer's syslog was filled with

_svcctl_OpenServiceW: Failed to get a valid security descriptor

messages. This improves the messages to give info about which service failed
with which error code. Also, it makes OpenServiceW fail with the same error
message Windows fails with for unknown services.

Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Jeremy Allison <[email protected]>

Autobuild-User(master): Jeremy Allison <[email protected]>
Autobuild-Date(master): Tue Jan 16 02:43:03 CET 2018 on sn-devel-144

source3/rpc_server/svcctl/srv_svcctl_nt.c

@@ -301,6 +301,7 @@ WERROR _svcctl_OpenServiceW(struct pipes_struct *p,
 	uint32_t access_granted = 0;
 	NTSTATUS status;
 	const char *service = NULL;
+	WERROR err;
 
 	service = r->in.ServiceName;
 	if (!service) {
@@ -317,14 +318,19 @@ WERROR _svcctl_OpenServiceW(struct pipes_struct *p,
 	 * Perform access checks. Use the system session_info in order to ensure
 	 * that we retrieve the security descriptor
 	 */
-	sec_desc = svcctl_get_secdesc(p->mem_ctx,
-				      p->msg_ctx,
-				      get_session_info_system(),
-				      service);
-	if (sec_desc == NULL) {
-		DEBUG(0, ("_svcctl_OpenServiceW: Failed to get a valid security "
-			  "descriptor"));
-		return WERR_NOT_ENOUGH_MEMORY;
+	err = svcctl_get_secdesc(p->msg_ctx,
+				 get_session_info_system(),
+				 service,
+				 p->mem_ctx,
+				 &sec_desc);
+	if (W_ERROR_EQUAL(err, WERR_FILE_NOT_FOUND)) {
+		DBG_NOTICE("service %s does not exist\n", service);
+		return WERR_SERVICE_DOES_NOT_EXIST;
+	}
+	if (!W_ERROR_IS_OK(err)) {
+		DBG_NOTICE("Failed to get a valid secdesc for %s: %s\n",
+			   service, win_errstr(err));
+		return err;
 	}
 
 	se_map_generic( &r->in.access_mask, &svc_generic_map );
@@ -899,6 +905,7 @@ WERROR _svcctl_QueryServiceObjectSecurity(struct pipes_struct *p,
 	NTSTATUS status;
 	uint8_t *buffer = NULL;
 	size_t len = 0;
+	WERROR err;
 
 
 	/* only support the SCM and individual services */
@@ -917,12 +924,19 @@ WERROR _svcctl_QueryServiceObjectSecurity(struct pipes_struct *p,
 		return WERR_INVALID_PARAMETER;
 
 	/* Lookup the security descriptor and marshall it up for a reply */
-	sec_desc = svcctl_get_secdesc(p->mem_ctx,
-				      p->msg_ctx,
-				      get_session_info_system(),
-				      info->name);
-	if (sec_desc == NULL) {
-		return WERR_NOT_ENOUGH_MEMORY;
+	err = svcctl_get_secdesc(p->msg_ctx,
+				 get_session_info_system(),
+				 info->name,
+				 p->mem_ctx,
+				 &sec_desc);
+	if (W_ERROR_EQUAL(err, WERR_FILE_NOT_FOUND)) {
+		DBG_NOTICE("service %s does not exist\n", info->name);
+		return WERR_SERVICE_DOES_NOT_EXIST;
+	}
+	if (!W_ERROR_IS_OK(err)) {
+		DBG_NOTICE("Failed to get a valid secdesc for %s: %s\n",
+			   info->name, win_errstr(err));
+		return err;
 	}
 
 	*r->out.needed = ndr_size_security_descriptor(sec_desc, 0);

source3/services/svc_winreg_glue.c

@@ -75,10 +75,11 @@ struct security_descriptor* svcctl_gen_service_sd(TALLOC_CTX *mem_ctx)
 	return sd;
 }
 
-struct security_descriptor *svcctl_get_secdesc(TALLOC_CTX *mem_ctx,
-					       struct messaging_context *msg_ctx,
-					       const struct auth_session_info *session_info,
-					       const char *name)
+WERROR svcctl_get_secdesc(struct messaging_context *msg_ctx,
+			  const struct auth_session_info *session_info,
+			  const char *name,
+			  TALLOC_CTX *mem_ctx,
+			  struct security_descriptor **psd)
 {
 	struct dcerpc_binding_handle *h = NULL;
 	uint32_t access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
@@ -92,7 +93,7 @@ struct security_descriptor *svcctl_get_secdesc(TALLOC_CTX *mem_ctx,
 			      "%s\\%s\\Security",
 			      TOP_LEVEL_SERVICES_KEY, name);
 	if (key == NULL) {
-		return NULL;
+		return WERR_NOT_ENOUGH_MEMORY;
 	}
 
 	status = dcerpc_winreg_int_hklm_openkey(mem_ctx,
@@ -108,12 +109,12 @@ struct security_descriptor *svcctl_get_secdesc(TALLOC_CTX *mem_ctx,
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(2, ("svcctl_set_secdesc: Could not open %s - %s\n",
 			  key, nt_errstr(status)));
-		return NULL;
+		return WERR_INTERNAL_ERROR;
 	}
 	if (!W_ERROR_IS_OK(result)) {
 		DEBUG(2, ("svcctl_set_secdesc: Could not open %s - %s\n",
 			  key, win_errstr(result)));
-		return NULL;
+		return result;
 	}
 
 	status = dcerpc_winreg_query_sd(mem_ctx,
@@ -125,14 +126,14 @@ struct security_descriptor *svcctl_get_secdesc(TALLOC_CTX *mem_ctx,
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(2, ("svcctl_get_secdesc: error getting value 'Security': "
 			  "%s\n", nt_errstr(status)));
-		return NULL;
+		return WERR_INTERNAL_ERROR;
 	}
 	if (W_ERROR_EQUAL(result, WERR_FILE_NOT_FOUND)) {
 		goto fallback_to_default_sd;
 	} else if (!W_ERROR_IS_OK(result)) {
 		DEBUG(2, ("svcctl_get_secdesc: error getting value 'Security': "
 			  "%s\n", win_errstr(result)));
-		return NULL;
+		return result;
 	}
 
 	goto done;
@@ -141,9 +142,13 @@ struct security_descriptor *svcctl_get_secdesc(TALLOC_CTX *mem_ctx,
 	DEBUG(6, ("svcctl_get_secdesc: constructing default secdesc for "
 		  "service [%s]\n", name));
 	sd = svcctl_gen_service_sd(mem_ctx);
+	if (sd == NULL) {
+		return WERR_NOT_ENOUGH_MEMORY;
+	}
 
 done:
-	return sd;
+	*psd = sd;
+	return WERR_OK;
 }
 
 bool svcctl_set_secdesc(struct messaging_context *msg_ctx,

source3/services/svc_winreg_glue.h

@@ -28,10 +28,11 @@ struct auth_session_info;
 
 struct security_descriptor* svcctl_gen_service_sd(TALLOC_CTX *mem_ctx);
 
-struct security_descriptor *svcctl_get_secdesc(TALLOC_CTX *mem_ctx,
-					       struct messaging_context *msg_ctx,
-					       const struct auth_session_info *session_info,
-					       const char *name);
+WERROR svcctl_get_secdesc(struct messaging_context *msg_ctx,
+			  const struct auth_session_info *session_info,
+			  const char *name,
+			  TALLOC_CTX *mem_ctx,
+			  struct security_descriptor **result);
 
 bool svcctl_set_secdesc(struct messaging_context *msg_ctx,
 			const struct auth_session_info *session_info,