2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
29 /* This is the implementation of the lsa server code. */
32 #include "../librpc/gen_ndr/srv_lsa.h"
35 #define DBGC_CLASS DBGC_RPC_SRV
37 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
41 enum lsa_handle_type
{ LSA_HANDLE_POLICY_TYPE
= 1, LSA_HANDLE_ACCOUNT_TYPE
};
47 enum lsa_handle_type type
;
48 struct security_descriptor
*sd
;
51 const struct generic_mapping lsa_account_mapping
= {
55 LSA_ACCOUNT_ALL_ACCESS
58 const struct generic_mapping lsa_policy_mapping
= {
65 const struct generic_mapping lsa_secret_mapping
= {
72 const struct generic_mapping lsa_trusted_domain_mapping
= {
73 LSA_TRUSTED_DOMAIN_READ
,
74 LSA_TRUSTED_DOMAIN_WRITE
,
75 LSA_TRUSTED_DOMAIN_EXECUTE
,
76 LSA_TRUSTED_DOMAIN_ALL_ACCESS
79 /***************************************************************************
80 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
81 ***************************************************************************/
83 static int init_lsa_ref_domain_list(TALLOC_CTX
*mem_ctx
,
84 struct lsa_RefDomainList
*ref
,
90 if (dom_name
!= NULL
) {
91 for (num
= 0; num
< ref
->count
; num
++) {
92 if (sid_equal(dom_sid
, ref
->domains
[num
].sid
)) {
100 if (num
>= LSA_REF_DOMAIN_LIST_MULTIPLIER
) {
101 /* index not found, already at maximum domain limit */
105 ref
->count
= num
+ 1;
106 ref
->max_size
= LSA_REF_DOMAIN_LIST_MULTIPLIER
;
108 ref
->domains
= TALLOC_REALLOC_ARRAY(mem_ctx
, ref
->domains
,
109 struct lsa_DomainInfo
, ref
->count
);
114 ZERO_STRUCT(ref
->domains
[num
]);
116 init_lsa_StringLarge(&ref
->domains
[num
].name
, dom_name
);
117 ref
->domains
[num
].sid
= sid_dup_talloc(mem_ctx
, dom_sid
);
118 if (!ref
->domains
[num
].sid
) {
126 /***************************************************************************
127 initialize a lsa_DomainInfo structure.
128 ***************************************************************************/
130 static void init_dom_query_3(struct lsa_DomainInfo
*r
,
134 init_lsa_StringLarge(&r
->name
, name
);
138 /***************************************************************************
139 initialize a lsa_DomainInfo structure.
140 ***************************************************************************/
142 static void init_dom_query_5(struct lsa_DomainInfo
*r
,
146 init_lsa_StringLarge(&r
->name
, name
);
150 /***************************************************************************
151 lookup_lsa_rids. Must be called as root for lookup_name to work.
152 ***************************************************************************/
154 static NTSTATUS
lookup_lsa_rids(TALLOC_CTX
*mem_ctx
,
155 struct lsa_RefDomainList
*ref
,
156 struct lsa_TranslatedSid
*prid
,
157 uint32_t num_entries
,
158 struct lsa_String
*name
,
160 uint32_t *pmapped_count
)
162 uint32 mapped_count
, i
;
164 SMB_ASSERT(num_entries
<= MAX_LOOKUP_SIDS
);
169 for (i
= 0; i
< num_entries
; i
++) {
173 const char *full_name
;
175 enum lsa_SidType type
= SID_NAME_UNKNOWN
;
177 /* Split name into domain and user component */
179 /* follow w2k8 behavior and return the builtin domain when no
180 * input has been passed in */
182 if (name
[i
].string
) {
183 full_name
= name
[i
].string
;
185 full_name
= "BUILTIN";
188 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name
));
190 /* We can ignore the result of lookup_name, it will not touch
191 "type" if it's not successful */
193 lookup_name(mem_ctx
, full_name
, flags
, &domain
, NULL
,
198 case SID_NAME_DOM_GRP
:
199 case SID_NAME_DOMAIN
:
201 case SID_NAME_WKN_GRP
:
202 DEBUG(5, ("init_lsa_rids: %s found\n", full_name
));
203 /* Leave these unchanged */
206 /* Don't hand out anything but the list above */
207 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name
));
208 type
= SID_NAME_UNKNOWN
;
215 if (type
!= SID_NAME_UNKNOWN
) {
216 if (type
== SID_NAME_DOMAIN
) {
219 sid_split_rid(&sid
, &rid
);
221 dom_idx
= init_lsa_ref_domain_list(mem_ctx
, ref
, domain
, &sid
);
225 prid
[i
].sid_type
= type
;
227 prid
[i
].sid_index
= dom_idx
;
230 *pmapped_count
= mapped_count
;
234 /***************************************************************************
235 lookup_lsa_sids. Must be called as root for lookup_name to work.
236 ***************************************************************************/
238 static NTSTATUS
lookup_lsa_sids(TALLOC_CTX
*mem_ctx
,
239 struct lsa_RefDomainList
*ref
,
240 struct lsa_TranslatedSid3
*trans_sids
,
241 uint32_t num_entries
,
242 struct lsa_String
*name
,
244 uint32
*pmapped_count
)
246 uint32 mapped_count
, i
;
248 SMB_ASSERT(num_entries
<= MAX_LOOKUP_SIDS
);
253 for (i
= 0; i
< num_entries
; i
++) {
257 const char *full_name
;
259 enum lsa_SidType type
= SID_NAME_UNKNOWN
;
263 /* Split name into domain and user component */
265 full_name
= name
[i
].string
;
266 if (full_name
== NULL
) {
267 return NT_STATUS_NO_MEMORY
;
270 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name
));
272 /* We can ignore the result of lookup_name, it will not touch
273 "type" if it's not successful */
275 lookup_name(mem_ctx
, full_name
, flags
, &domain
, NULL
,
280 case SID_NAME_DOM_GRP
:
281 case SID_NAME_DOMAIN
:
283 case SID_NAME_WKN_GRP
:
284 DEBUG(5, ("init_lsa_sids: %s found\n", full_name
));
285 /* Leave these unchanged */
288 /* Don't hand out anything but the list above */
289 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name
));
290 type
= SID_NAME_UNKNOWN
;
297 if (type
!= SID_NAME_UNKNOWN
) {
299 sid_copy(&domain_sid
, &sid
);
300 sid_split_rid(&domain_sid
, &rid
);
301 dom_idx
= init_lsa_ref_domain_list(mem_ctx
, ref
, domain
, &domain_sid
);
305 /* Initialize the lsa_TranslatedSid3 return. */
306 trans_sids
[i
].sid_type
= type
;
307 trans_sids
[i
].sid
= sid_dup_talloc(mem_ctx
, &sid
);
308 trans_sids
[i
].sid_index
= dom_idx
;
311 *pmapped_count
= mapped_count
;
315 static NTSTATUS
make_lsa_object_sd(TALLOC_CTX
*mem_ctx
, SEC_DESC
**sd
, size_t *sd_size
,
316 const struct generic_mapping
*map
,
317 DOM_SID
*sid
, uint32_t sid_access
)
325 /* READ|EXECUTE access for Everyone */
327 init_sec_ace(&ace
[i
++], &global_sid_World
, SEC_ACE_TYPE_ACCESS_ALLOWED
,
328 map
->generic_execute
| map
->generic_read
, 0);
330 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
332 init_sec_ace(&ace
[i
++], &global_sid_Builtin_Administrators
,
333 SEC_ACE_TYPE_ACCESS_ALLOWED
, map
->generic_all
, 0);
334 init_sec_ace(&ace
[i
++], &global_sid_Builtin_Account_Operators
,
335 SEC_ACE_TYPE_ACCESS_ALLOWED
, map
->generic_all
, 0);
337 /* Add Full Access for Domain Admins */
338 sid_copy(&adm_sid
, get_global_sam_sid());
339 sid_append_rid(&adm_sid
, DOMAIN_GROUP_RID_ADMINS
);
340 init_sec_ace(&ace
[i
++], &adm_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
,
341 map
->generic_all
, 0);
343 /* If we have a sid, give it some special access */
346 init_sec_ace(&ace
[i
++], sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
,
350 if((psa
= make_sec_acl(mem_ctx
, NT4_ACL_REVISION
, i
, ace
)) == NULL
)
351 return NT_STATUS_NO_MEMORY
;
353 if((*sd
= make_sec_desc(mem_ctx
, SECURITY_DESCRIPTOR_REVISION_1
,
354 SEC_DESC_SELF_RELATIVE
, &adm_sid
, NULL
, NULL
,
355 psa
, sd_size
)) == NULL
)
356 return NT_STATUS_NO_MEMORY
;
362 /***************************************************************************
364 ***************************************************************************/
366 NTSTATUS
_lsa_OpenPolicy2(pipes_struct
*p
,
367 struct lsa_OpenPolicy2
*r
)
369 struct lsa_info
*info
;
370 SEC_DESC
*psd
= NULL
;
372 uint32 des_access
= r
->in
.access_mask
;
376 /* Work out max allowed. */
377 map_max_allowed_access(p
->server_info
->ptok
,
378 &p
->server_info
->utok
,
381 /* map the generic bits to the lsa policy ones */
382 se_map_generic(&des_access
, &lsa_policy_mapping
);
384 /* get the generic lsa policy SD until we store it */
385 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &lsa_policy_mapping
,
387 if (!NT_STATUS_IS_OK(status
)) {
391 status
= access_check_object(psd
, p
->server_info
->ptok
,
393 &acc_granted
, "_lsa_OpenPolicy2" );
394 if (!NT_STATUS_IS_OK(status
)) {
398 /* associate the domain SID with the (unique) handle. */
399 info
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_info
);
401 return NT_STATUS_NO_MEMORY
;
404 sid_copy(&info
->sid
,get_global_sam_sid());
405 info
->access
= acc_granted
;
406 info
->type
= LSA_HANDLE_POLICY_TYPE
;
408 /* set up the LSA QUERY INFO response */
409 if (!create_policy_hnd(p
, r
->out
.handle
, info
))
410 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
415 /***************************************************************************
417 ***************************************************************************/
419 NTSTATUS
_lsa_OpenPolicy(pipes_struct
*p
,
420 struct lsa_OpenPolicy
*r
)
422 struct lsa_OpenPolicy2 o
;
424 o
.in
.system_name
= NULL
; /* should be ignored */
425 o
.in
.attr
= r
->in
.attr
;
426 o
.in
.access_mask
= r
->in
.access_mask
;
428 o
.out
.handle
= r
->out
.handle
;
430 return _lsa_OpenPolicy2(p
, &o
);
433 /***************************************************************************
434 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
436 ***************************************************************************/
438 NTSTATUS
_lsa_EnumTrustDom(pipes_struct
*p
,
439 struct lsa_EnumTrustDom
*r
)
441 struct lsa_info
*info
;
443 struct trustdom_info
**domains
;
444 struct lsa_DomainInfo
*entries
;
448 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
449 return NT_STATUS_INVALID_HANDLE
;
451 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
452 return NT_STATUS_INVALID_HANDLE
;
455 /* check if the user has enough rights */
456 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
457 return NT_STATUS_ACCESS_DENIED
;
460 nt_status
= pdb_enum_trusteddoms(p
->mem_ctx
, &count
, &domains
);
463 if (!NT_STATUS_IS_OK(nt_status
)) {
467 entries
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_DomainInfo
, count
);
469 return NT_STATUS_NO_MEMORY
;
472 for (i
=0; i
<count
; i
++) {
473 init_lsa_StringLarge(&entries
[i
].name
, domains
[i
]->name
);
474 entries
[i
].sid
= &domains
[i
]->sid
;
477 if (*r
->in
.resume_handle
>= count
) {
478 *r
->out
.resume_handle
= -1;
479 TALLOC_FREE(entries
);
480 return NT_STATUS_NO_MORE_ENTRIES
;
483 /* return the rest, limit by max_size. Note that we
484 use the w2k3 element size value of 60 */
485 r
->out
.domains
->count
= count
- *r
->in
.resume_handle
;
486 r
->out
.domains
->count
= MIN(r
->out
.domains
->count
,
487 1+(r
->in
.max_size
/LSA_ENUM_TRUST_DOMAIN_MULTIPLIER
));
489 r
->out
.domains
->domains
= entries
+ *r
->in
.resume_handle
;
491 if (r
->out
.domains
->count
< count
- *r
->in
.resume_handle
) {
492 *r
->out
.resume_handle
= *r
->in
.resume_handle
+ r
->out
.domains
->count
;
493 return STATUS_MORE_ENTRIES
;
496 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
497 * always be larger than the previous input resume handle, in
498 * particular when hitting the last query it is vital to set the
499 * resume handle correctly to avoid infinite client loops, as
500 * seen e.g. with Windows XP SP3 when resume handle is 0 and
501 * status is NT_STATUS_OK - gd */
503 *r
->out
.resume_handle
= (uint32_t)-1;
508 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
509 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
510 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
512 /***************************************************************************
514 ***************************************************************************/
516 NTSTATUS
_lsa_QueryInfoPolicy(pipes_struct
*p
,
517 struct lsa_QueryInfoPolicy
*r
)
519 NTSTATUS status
= NT_STATUS_OK
;
520 struct lsa_info
*handle
;
524 union lsa_PolicyInformation
*info
= NULL
;
525 uint32_t acc_required
= 0;
527 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
528 return NT_STATUS_INVALID_HANDLE
;
530 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
531 return NT_STATUS_INVALID_HANDLE
;
534 switch (r
->in
.level
) {
535 case LSA_POLICY_INFO_AUDIT_LOG
:
536 case LSA_POLICY_INFO_AUDIT_EVENTS
:
537 acc_required
= LSA_POLICY_VIEW_AUDIT_INFORMATION
;
539 case LSA_POLICY_INFO_DOMAIN
:
540 acc_required
= LSA_POLICY_VIEW_LOCAL_INFORMATION
;
542 case LSA_POLICY_INFO_PD
:
543 acc_required
= LSA_POLICY_GET_PRIVATE_INFORMATION
;
545 case LSA_POLICY_INFO_ACCOUNT_DOMAIN
:
546 acc_required
= LSA_POLICY_VIEW_LOCAL_INFORMATION
;
548 case LSA_POLICY_INFO_ROLE
:
549 case LSA_POLICY_INFO_REPLICA
:
550 acc_required
= LSA_POLICY_VIEW_LOCAL_INFORMATION
;
552 case LSA_POLICY_INFO_QUOTA
:
553 acc_required
= LSA_POLICY_VIEW_LOCAL_INFORMATION
;
555 case LSA_POLICY_INFO_MOD
:
556 case LSA_POLICY_INFO_AUDIT_FULL_SET
:
557 /* according to MS-LSAD 3.1.4.4.3 */
558 return NT_STATUS_INVALID_PARAMETER
;
559 case LSA_POLICY_INFO_AUDIT_FULL_QUERY
:
560 acc_required
= LSA_POLICY_VIEW_AUDIT_INFORMATION
;
562 case LSA_POLICY_INFO_DNS
:
563 case LSA_POLICY_INFO_DNS_INT
:
564 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN
:
565 acc_required
= LSA_POLICY_VIEW_LOCAL_INFORMATION
;
571 if (!(handle
->access
& acc_required
)) {
572 /* return NT_STATUS_ACCESS_DENIED; */
575 info
= TALLOC_ZERO_P(p
->mem_ctx
, union lsa_PolicyInformation
);
577 return NT_STATUS_NO_MEMORY
;
580 switch (r
->in
.level
) {
581 /* according to MS-LSAD 3.1.4.4.3 */
582 case LSA_POLICY_INFO_MOD
:
583 case LSA_POLICY_INFO_AUDIT_FULL_SET
:
584 case LSA_POLICY_INFO_AUDIT_FULL_QUERY
:
585 return NT_STATUS_INVALID_PARAMETER
;
586 case LSA_POLICY_INFO_AUDIT_LOG
:
587 info
->audit_log
.percent_full
= 0;
588 info
->audit_log
.maximum_log_size
= 0;
589 info
->audit_log
.retention_time
= 0;
590 info
->audit_log
.shutdown_in_progress
= 0;
591 info
->audit_log
.time_to_shutdown
= 0;
592 info
->audit_log
.next_audit_record
= 0;
593 status
= NT_STATUS_OK
;
595 case LSA_POLICY_INFO_PD
:
596 info
->pd
.name
.string
= NULL
;
597 status
= NT_STATUS_OK
;
599 case LSA_POLICY_INFO_REPLICA
:
600 info
->replica
.source
.string
= NULL
;
601 info
->replica
.account
.string
= NULL
;
602 status
= NT_STATUS_OK
;
604 case LSA_POLICY_INFO_QUOTA
:
605 info
->quota
.paged_pool
= 0;
606 info
->quota
.non_paged_pool
= 0;
607 info
->quota
.min_wss
= 0;
608 info
->quota
.max_wss
= 0;
609 info
->quota
.pagefile
= 0;
610 info
->quota
.unknown
= 0;
611 status
= NT_STATUS_OK
;
613 case LSA_POLICY_INFO_AUDIT_EVENTS
:
616 uint32 policy_def
= LSA_AUDIT_POLICY_ALL
;
618 /* check if the user has enough rights */
619 if (!(handle
->access
& LSA_POLICY_VIEW_AUDIT_INFORMATION
)) {
620 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
621 return NT_STATUS_ACCESS_DENIED
;
624 /* fake info: We audit everything. ;) */
626 info
->audit_events
.auditing_mode
= true;
627 info
->audit_events
.count
= LSA_AUDIT_NUM_CATEGORIES
;
628 info
->audit_events
.settings
= TALLOC_ZERO_ARRAY(p
->mem_ctx
,
629 enum lsa_PolicyAuditPolicy
,
630 info
->audit_events
.count
);
631 if (!info
->audit_events
.settings
) {
632 return NT_STATUS_NO_MEMORY
;
635 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT
] = policy_def
;
636 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS
] = policy_def
;
637 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_LOGON
] = policy_def
;
638 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING
] = policy_def
;
639 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES
] = policy_def
;
640 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_SYSTEM
] = policy_def
;
641 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS
] = policy_def
;
645 case LSA_POLICY_INFO_DOMAIN
:
646 /* check if the user has enough rights */
647 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
648 return NT_STATUS_ACCESS_DENIED
;
650 /* Request PolicyPrimaryDomainInformation. */
651 switch (lp_server_role()) {
652 case ROLE_DOMAIN_PDC
:
653 case ROLE_DOMAIN_BDC
:
654 name
= get_global_sam_name();
655 sid
= sid_dup_talloc(p
->mem_ctx
, get_global_sam_sid());
657 return NT_STATUS_NO_MEMORY
;
660 case ROLE_DOMAIN_MEMBER
:
661 name
= lp_workgroup();
662 /* We need to return the Domain SID here. */
663 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid
)) {
664 sid
= sid_dup_talloc(p
->mem_ctx
, &domain_sid
);
666 return NT_STATUS_NO_MEMORY
;
669 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
672 case ROLE_STANDALONE
:
673 name
= lp_workgroup();
677 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
679 init_dom_query_3(&info
->domain
, name
, sid
);
681 case LSA_POLICY_INFO_ACCOUNT_DOMAIN
:
682 /* check if the user has enough rights */
683 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
684 return NT_STATUS_ACCESS_DENIED
;
686 /* Request PolicyAccountDomainInformation. */
687 name
= get_global_sam_name();
688 sid
= get_global_sam_sid();
690 init_dom_query_5(&info
->account_domain
, name
, sid
);
692 case LSA_POLICY_INFO_ROLE
:
693 /* check if the user has enough rights */
694 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
695 return NT_STATUS_ACCESS_DENIED
;
697 switch (lp_server_role()) {
698 case ROLE_DOMAIN_BDC
:
700 * only a BDC is a backup controller
701 * of the domain, it controls.
703 info
->role
.role
= LSA_ROLE_BACKUP
;
707 * any other role is a primary
708 * of the domain, it controls.
710 info
->role
.role
= LSA_ROLE_PRIMARY
;
714 case LSA_POLICY_INFO_DNS
:
715 case LSA_POLICY_INFO_DNS_INT
: {
716 struct pdb_domain_info
*dominfo
;
718 if ((pdb_capabilities() & PDB_CAP_ADS
) == 0) {
719 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
720 "without ADS passdb backend\n"));
721 status
= NT_STATUS_INVALID_INFO_CLASS
;
725 dominfo
= pdb_get_domain_info(info
);
726 if (dominfo
== NULL
) {
727 status
= NT_STATUS_NO_MEMORY
;
731 init_lsa_StringLarge(&info
->dns
.name
,
733 init_lsa_StringLarge(&info
->dns
.dns_domain
,
734 dominfo
->dns_domain
);
735 init_lsa_StringLarge(&info
->dns
.dns_forest
,
736 dominfo
->dns_forest
);
737 info
->dns
.domain_guid
= dominfo
->guid
;
738 info
->dns
.sid
= &dominfo
->sid
;
742 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
744 status
= NT_STATUS_INVALID_INFO_CLASS
;
753 /***************************************************************************
754 _lsa_QueryInfoPolicy2
755 ***************************************************************************/
757 NTSTATUS
_lsa_QueryInfoPolicy2(pipes_struct
*p
,
758 struct lsa_QueryInfoPolicy2
*r2
)
760 struct lsa_QueryInfoPolicy r
;
762 if ((pdb_capabilities() & PDB_CAP_ADS
) == 0) {
763 p
->rng_fault_state
= True
;
764 return NT_STATUS_NOT_IMPLEMENTED
;
768 r
.in
.handle
= r2
->in
.handle
;
769 r
.in
.level
= r2
->in
.level
;
770 r
.out
.info
= r2
->out
.info
;
772 return _lsa_QueryInfoPolicy(p
, &r
);
775 /***************************************************************************
776 _lsa_lookup_sids_internal
777 ***************************************************************************/
779 static NTSTATUS
_lsa_lookup_sids_internal(pipes_struct
*p
,
781 uint16_t level
, /* input */
782 int num_sids
, /* input */
783 struct lsa_SidPtr
*sid
, /* input */
784 struct lsa_RefDomainList
**pp_ref
, /* input/output */
785 struct lsa_TranslatedName2
**pp_names
,/* input/output */
786 uint32_t *pp_mapped_count
) /* input/output */
790 const DOM_SID
**sids
= NULL
;
791 struct lsa_RefDomainList
*ref
= NULL
;
792 uint32 mapped_count
= 0;
793 struct lsa_dom_info
*dom_infos
= NULL
;
794 struct lsa_name_info
*name_infos
= NULL
;
795 struct lsa_TranslatedName2
*names
= NULL
;
797 *pp_mapped_count
= 0;
805 sids
= TALLOC_ARRAY(p
->mem_ctx
, const DOM_SID
*, num_sids
);
806 ref
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_RefDomainList
);
808 if (sids
== NULL
|| ref
== NULL
) {
809 return NT_STATUS_NO_MEMORY
;
812 for (i
=0; i
<num_sids
; i
++) {
813 sids
[i
] = sid
[i
].sid
;
816 status
= lookup_sids(p
->mem_ctx
, num_sids
, sids
, level
,
817 &dom_infos
, &name_infos
);
819 if (!NT_STATUS_IS_OK(status
)) {
823 names
= TALLOC_ARRAY(p
->mem_ctx
, struct lsa_TranslatedName2
, num_sids
);
825 return NT_STATUS_NO_MEMORY
;
828 for (i
=0; i
<LSA_REF_DOMAIN_LIST_MULTIPLIER
; i
++) {
830 if (!dom_infos
[i
].valid
) {
834 if (init_lsa_ref_domain_list(mem_ctx
, ref
,
836 &dom_infos
[i
].sid
) != i
) {
837 DEBUG(0, ("Domain %s mentioned twice??\n",
839 return NT_STATUS_INTERNAL_ERROR
;
843 for (i
=0; i
<num_sids
; i
++) {
844 struct lsa_name_info
*name
= &name_infos
[i
];
846 if (name
->type
== SID_NAME_UNKNOWN
) {
849 /* Unknown sids should return the string
850 * representation of the SID. Windows 2003 behaves
851 * rather erratic here, in many cases it returns the
852 * RID as 8 bytes hex, in others it returns the full
853 * SID. We (Jerry/VL) could not figure out which the
854 * hard cases are, so leave it with the SID. */
855 name
->name
= talloc_asprintf(p
->mem_ctx
, "%s",
858 if (name
->name
== NULL
) {
859 return NT_STATUS_NO_MEMORY
;
865 names
[i
].sid_type
= name
->type
;
866 names
[i
].name
.string
= name
->name
;
867 names
[i
].sid_index
= name
->dom_idx
;
868 names
[i
].unknown
= 0;
871 status
= NT_STATUS_NONE_MAPPED
;
872 if (mapped_count
> 0) {
873 status
= (mapped_count
< num_sids
) ?
874 STATUS_SOME_UNMAPPED
: NT_STATUS_OK
;
877 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
878 num_sids
, mapped_count
, nt_errstr(status
)));
880 *pp_mapped_count
= mapped_count
;
887 /***************************************************************************
889 ***************************************************************************/
891 NTSTATUS
_lsa_LookupSids(pipes_struct
*p
,
892 struct lsa_LookupSids
*r
)
895 struct lsa_info
*handle
;
896 int num_sids
= r
->in
.sids
->num_sids
;
897 uint32 mapped_count
= 0;
898 struct lsa_RefDomainList
*domains
= NULL
;
899 struct lsa_TranslatedName
*names_out
= NULL
;
900 struct lsa_TranslatedName2
*names
= NULL
;
903 if ((r
->in
.level
< 1) || (r
->in
.level
> 6)) {
904 return NT_STATUS_INVALID_PARAMETER
;
907 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
908 return NT_STATUS_INVALID_HANDLE
;
911 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
912 return NT_STATUS_INVALID_HANDLE
;
915 /* check if the user has enough rights */
916 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
917 return NT_STATUS_ACCESS_DENIED
;
920 if (num_sids
> MAX_LOOKUP_SIDS
) {
921 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
922 MAX_LOOKUP_SIDS
, num_sids
));
923 return NT_STATUS_NONE_MAPPED
;
926 status
= _lsa_lookup_sids_internal(p
,
935 /* Only return here when there is a real error.
936 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
937 the requested sids could be resolved. Older versions of XP (pre SP3)
938 rely that we return with the string representations of those SIDs in
939 that case. If we don't, XP crashes - Guenther
942 if (NT_STATUS_IS_ERR(status
) &&
943 !NT_STATUS_EQUAL(status
, NT_STATUS_NONE_MAPPED
)) {
947 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
948 names_out
= TALLOC_ARRAY(p
->mem_ctx
, struct lsa_TranslatedName
,
951 return NT_STATUS_NO_MEMORY
;
954 for (i
=0; i
<num_sids
; i
++) {
955 names_out
[i
].sid_type
= names
[i
].sid_type
;
956 names_out
[i
].name
= names
[i
].name
;
957 names_out
[i
].sid_index
= names
[i
].sid_index
;
960 *r
->out
.domains
= domains
;
961 r
->out
.names
->count
= num_sids
;
962 r
->out
.names
->names
= names_out
;
963 *r
->out
.count
= mapped_count
;
968 /***************************************************************************
970 ***************************************************************************/
972 NTSTATUS
_lsa_LookupSids2(pipes_struct
*p
,
973 struct lsa_LookupSids2
*r
)
976 struct lsa_info
*handle
;
977 int num_sids
= r
->in
.sids
->num_sids
;
978 uint32 mapped_count
= 0;
979 struct lsa_RefDomainList
*domains
= NULL
;
980 struct lsa_TranslatedName2
*names
= NULL
;
981 bool check_policy
= true;
983 switch (p
->hdr_req
.opnum
) {
984 case NDR_LSA_LOOKUPSIDS3
:
985 check_policy
= false;
987 case NDR_LSA_LOOKUPSIDS2
:
992 if ((r
->in
.level
< 1) || (r
->in
.level
> 6)) {
993 return NT_STATUS_INVALID_PARAMETER
;
997 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
998 return NT_STATUS_INVALID_HANDLE
;
1001 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1002 return NT_STATUS_INVALID_HANDLE
;
1005 /* check if the user has enough rights */
1006 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
1007 return NT_STATUS_ACCESS_DENIED
;
1011 if (num_sids
> MAX_LOOKUP_SIDS
) {
1012 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
1013 MAX_LOOKUP_SIDS
, num_sids
));
1014 return NT_STATUS_NONE_MAPPED
;
1017 status
= _lsa_lookup_sids_internal(p
,
1026 *r
->out
.domains
= domains
;
1027 r
->out
.names
->count
= num_sids
;
1028 r
->out
.names
->names
= names
;
1029 *r
->out
.count
= mapped_count
;
1034 /***************************************************************************
1036 ***************************************************************************/
1038 NTSTATUS
_lsa_LookupSids3(pipes_struct
*p
,
1039 struct lsa_LookupSids3
*r
)
1041 struct lsa_LookupSids2 q
;
1043 /* No policy handle on this call. Restrict to crypto connections. */
1044 if (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) {
1045 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
1046 get_remote_machine_name() ));
1047 return NT_STATUS_INVALID_PARAMETER
;
1051 q
.in
.sids
= r
->in
.sids
;
1052 q
.in
.level
= r
->in
.level
;
1053 q
.in
.lookup_options
= r
->in
.lookup_options
;
1054 q
.in
.client_revision
= r
->in
.client_revision
;
1055 q
.in
.names
= r
->in
.names
;
1056 q
.in
.count
= r
->in
.count
;
1058 q
.out
.domains
= r
->out
.domains
;
1059 q
.out
.names
= r
->out
.names
;
1060 q
.out
.count
= r
->out
.count
;
1062 return _lsa_LookupSids2(p
, &q
);
1065 /***************************************************************************
1066 ***************************************************************************/
1068 static int lsa_lookup_level_to_flags(enum lsa_LookupNamesLevel level
)
1073 case LSA_LOOKUP_NAMES_ALL
: /* 1 */
1074 flags
= LOOKUP_NAME_ALL
;
1076 case LSA_LOOKUP_NAMES_DOMAINS_ONLY
: /* 2 */
1077 flags
= LOOKUP_NAME_DOMAIN
|LOOKUP_NAME_REMOTE
|LOOKUP_NAME_ISOLATED
;
1079 case LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
: /* 3 */
1080 flags
= LOOKUP_NAME_DOMAIN
|LOOKUP_NAME_ISOLATED
;
1082 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY
: /* 4 */
1083 case LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY
: /* 5 */
1084 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
: /* 6 */
1085 case LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC
: /* 7 */
1087 flags
= LOOKUP_NAME_NONE
;
1094 /***************************************************************************
1096 ***************************************************************************/
1098 NTSTATUS
_lsa_LookupNames(pipes_struct
*p
,
1099 struct lsa_LookupNames
*r
)
1101 NTSTATUS status
= NT_STATUS_NONE_MAPPED
;
1102 struct lsa_info
*handle
;
1103 struct lsa_String
*names
= r
->in
.names
;
1104 uint32 num_entries
= r
->in
.num_names
;
1105 struct lsa_RefDomainList
*domains
= NULL
;
1106 struct lsa_TranslatedSid
*rids
= NULL
;
1107 uint32 mapped_count
= 0;
1110 if (num_entries
> MAX_LOOKUP_SIDS
) {
1111 num_entries
= MAX_LOOKUP_SIDS
;
1112 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1116 flags
= lsa_lookup_level_to_flags(r
->in
.level
);
1118 domains
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_RefDomainList
);
1120 return NT_STATUS_NO_MEMORY
;
1124 rids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_TranslatedSid
,
1127 return NT_STATUS_NO_MEMORY
;
1133 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
1134 status
= NT_STATUS_INVALID_HANDLE
;
1138 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1139 return NT_STATUS_INVALID_HANDLE
;
1142 /* check if the user has enough rights */
1143 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
1144 status
= NT_STATUS_ACCESS_DENIED
;
1148 /* set up the LSA Lookup RIDs response */
1149 become_root(); /* lookup_name can require root privs */
1150 status
= lookup_lsa_rids(p
->mem_ctx
, domains
, rids
, num_entries
,
1151 names
, flags
, &mapped_count
);
1156 if (NT_STATUS_IS_OK(status
) && (num_entries
!= 0) ) {
1157 if (mapped_count
== 0) {
1158 status
= NT_STATUS_NONE_MAPPED
;
1159 } else if (mapped_count
!= num_entries
) {
1160 status
= STATUS_SOME_UNMAPPED
;
1164 *r
->out
.count
= mapped_count
;
1165 *r
->out
.domains
= domains
;
1166 r
->out
.sids
->sids
= rids
;
1167 r
->out
.sids
->count
= num_entries
;
1172 /***************************************************************************
1174 ***************************************************************************/
1176 NTSTATUS
_lsa_LookupNames2(pipes_struct
*p
,
1177 struct lsa_LookupNames2
*r
)
1180 struct lsa_LookupNames q
;
1181 struct lsa_TransSidArray2
*sid_array2
= r
->in
.sids
;
1182 struct lsa_TransSidArray
*sid_array
= NULL
;
1185 sid_array
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_TransSidArray
);
1187 return NT_STATUS_NO_MEMORY
;
1190 q
.in
.handle
= r
->in
.handle
;
1191 q
.in
.num_names
= r
->in
.num_names
;
1192 q
.in
.names
= r
->in
.names
;
1193 q
.in
.level
= r
->in
.level
;
1194 q
.in
.sids
= sid_array
;
1195 q
.in
.count
= r
->in
.count
;
1196 /* we do not know what this is for */
1197 /* = r->in.unknown1; */
1198 /* = r->in.unknown2; */
1200 q
.out
.domains
= r
->out
.domains
;
1201 q
.out
.sids
= sid_array
;
1202 q
.out
.count
= r
->out
.count
;
1204 status
= _lsa_LookupNames(p
, &q
);
1206 sid_array2
->count
= sid_array
->count
;
1207 sid_array2
->sids
= TALLOC_ARRAY(p
->mem_ctx
, struct lsa_TranslatedSid2
, sid_array
->count
);
1208 if (!sid_array2
->sids
) {
1209 return NT_STATUS_NO_MEMORY
;
1212 for (i
=0; i
<sid_array
->count
; i
++) {
1213 sid_array2
->sids
[i
].sid_type
= sid_array
->sids
[i
].sid_type
;
1214 sid_array2
->sids
[i
].rid
= sid_array
->sids
[i
].rid
;
1215 sid_array2
->sids
[i
].sid_index
= sid_array
->sids
[i
].sid_index
;
1216 sid_array2
->sids
[i
].unknown
= 0;
1219 r
->out
.sids
= sid_array2
;
1224 /***************************************************************************
1226 ***************************************************************************/
1228 NTSTATUS
_lsa_LookupNames3(pipes_struct
*p
,
1229 struct lsa_LookupNames3
*r
)
1232 struct lsa_info
*handle
;
1233 struct lsa_String
*names
= r
->in
.names
;
1234 uint32 num_entries
= r
->in
.num_names
;
1235 struct lsa_RefDomainList
*domains
= NULL
;
1236 struct lsa_TranslatedSid3
*trans_sids
= NULL
;
1237 uint32 mapped_count
= 0;
1239 bool check_policy
= true;
1241 switch (p
->hdr_req
.opnum
) {
1242 case NDR_LSA_LOOKUPNAMES4
:
1243 check_policy
= false;
1245 case NDR_LSA_LOOKUPNAMES3
:
1247 check_policy
= true;
1250 if (num_entries
> MAX_LOOKUP_SIDS
) {
1251 num_entries
= MAX_LOOKUP_SIDS
;
1252 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries
));
1255 /* Probably the lookup_level is some sort of bitmask. */
1256 if (r
->in
.level
== 1) {
1257 flags
= LOOKUP_NAME_ALL
;
1260 domains
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_RefDomainList
);
1262 return NT_STATUS_NO_MEMORY
;
1266 trans_sids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_TranslatedSid3
,
1269 return NT_STATUS_NO_MEMORY
;
1277 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
1278 status
= NT_STATUS_INVALID_HANDLE
;
1282 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1283 return NT_STATUS_INVALID_HANDLE
;
1286 /* check if the user has enough rights */
1287 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
1288 status
= NT_STATUS_ACCESS_DENIED
;
1293 /* set up the LSA Lookup SIDs response */
1294 become_root(); /* lookup_name can require root privs */
1295 status
= lookup_lsa_sids(p
->mem_ctx
, domains
, trans_sids
, num_entries
,
1296 names
, flags
, &mapped_count
);
1301 if (NT_STATUS_IS_OK(status
)) {
1302 if (mapped_count
== 0) {
1303 status
= NT_STATUS_NONE_MAPPED
;
1304 } else if (mapped_count
!= num_entries
) {
1305 status
= STATUS_SOME_UNMAPPED
;
1309 *r
->out
.count
= mapped_count
;
1310 *r
->out
.domains
= domains
;
1311 r
->out
.sids
->sids
= trans_sids
;
1312 r
->out
.sids
->count
= num_entries
;
1317 /***************************************************************************
1319 ***************************************************************************/
1321 NTSTATUS
_lsa_LookupNames4(pipes_struct
*p
,
1322 struct lsa_LookupNames4
*r
)
1324 struct lsa_LookupNames3 q
;
1326 /* No policy handle on this call. Restrict to crypto connections. */
1327 if (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) {
1328 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1329 get_remote_machine_name() ));
1330 return NT_STATUS_INVALID_PARAMETER
;
1334 q
.in
.num_names
= r
->in
.num_names
;
1335 q
.in
.names
= r
->in
.names
;
1336 q
.in
.level
= r
->in
.level
;
1337 q
.in
.lookup_options
= r
->in
.lookup_options
;
1338 q
.in
.client_revision
= r
->in
.client_revision
;
1339 q
.in
.sids
= r
->in
.sids
;
1340 q
.in
.count
= r
->in
.count
;
1342 q
.out
.domains
= r
->out
.domains
;
1343 q
.out
.sids
= r
->out
.sids
;
1344 q
.out
.count
= r
->out
.count
;
1346 return _lsa_LookupNames3(p
, &q
);
1349 /***************************************************************************
1350 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1351 ***************************************************************************/
1353 NTSTATUS
_lsa_Close(pipes_struct
*p
, struct lsa_Close
*r
)
1355 if (!find_policy_by_hnd(p
, r
->in
.handle
, NULL
)) {
1356 return NT_STATUS_INVALID_HANDLE
;
1359 close_policy_hnd(p
, r
->in
.handle
);
1360 ZERO_STRUCTP(r
->out
.handle
);
1361 return NT_STATUS_OK
;
1364 /***************************************************************************
1365 ***************************************************************************/
1367 NTSTATUS
_lsa_OpenSecret(pipes_struct
*p
, struct lsa_OpenSecret
*r
)
1369 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1372 /***************************************************************************
1373 ***************************************************************************/
1375 NTSTATUS
_lsa_OpenTrustedDomain(pipes_struct
*p
, struct lsa_OpenTrustedDomain
*r
)
1377 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1380 /***************************************************************************
1381 ***************************************************************************/
1383 NTSTATUS
_lsa_CreateTrustedDomain(pipes_struct
*p
, struct lsa_CreateTrustedDomain
*r
)
1385 return NT_STATUS_ACCESS_DENIED
;
1388 /***************************************************************************
1389 ***************************************************************************/
1391 NTSTATUS
_lsa_CreateSecret(pipes_struct
*p
, struct lsa_CreateSecret
*r
)
1393 return NT_STATUS_ACCESS_DENIED
;
1396 /***************************************************************************
1397 ***************************************************************************/
1399 NTSTATUS
_lsa_SetSecret(pipes_struct
*p
, struct lsa_SetSecret
*r
)
1401 return NT_STATUS_ACCESS_DENIED
;
1404 /***************************************************************************
1406 ***************************************************************************/
1408 NTSTATUS
_lsa_DeleteObject(pipes_struct
*p
,
1409 struct lsa_DeleteObject
*r
)
1412 struct lsa_info
*info
= NULL
;
1414 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
)) {
1415 return NT_STATUS_INVALID_HANDLE
;
1418 if (!(info
->access
& STD_RIGHT_DELETE_ACCESS
)) {
1419 return NT_STATUS_ACCESS_DENIED
;
1422 switch (info
->type
) {
1423 case LSA_HANDLE_ACCOUNT_TYPE
:
1424 status
= privilege_delete_account(&info
->sid
);
1425 if (!NT_STATUS_IS_OK(status
)) {
1426 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1427 nt_errstr(status
)));
1432 return NT_STATUS_INVALID_HANDLE
;
1435 close_policy_hnd(p
, r
->in
.handle
);
1436 ZERO_STRUCTP(r
->out
.handle
);
1441 /***************************************************************************
1443 ***************************************************************************/
1445 NTSTATUS
_lsa_EnumPrivs(pipes_struct
*p
,
1446 struct lsa_EnumPrivs
*r
)
1448 struct lsa_info
*handle
;
1450 uint32 enum_context
= *r
->in
.resume_handle
;
1451 int num_privs
= count_all_privileges();
1452 struct lsa_PrivEntry
*entries
= NULL
;
1455 /* remember that the enum_context starts at 0 and not 1 */
1457 if ( enum_context
>= num_privs
)
1458 return NT_STATUS_NO_MORE_ENTRIES
;
1460 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1461 enum_context
, num_privs
));
1463 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1464 return NT_STATUS_INVALID_HANDLE
;
1466 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1467 return NT_STATUS_INVALID_HANDLE
;
1470 /* check if the user has enough rights
1471 I don't know if it's the right one. not documented. */
1473 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1474 return NT_STATUS_ACCESS_DENIED
;
1477 entries
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_PrivEntry
, num_privs
);
1479 return NT_STATUS_NO_MEMORY
;
1485 for (i
= 0; i
< num_privs
; i
++) {
1486 if( i
< enum_context
) {
1488 init_lsa_StringLarge(&entries
[i
].name
, NULL
);
1490 entries
[i
].luid
.low
= 0;
1491 entries
[i
].luid
.high
= 0;
1494 init_lsa_StringLarge(&entries
[i
].name
, privs
[i
].name
);
1496 luid
= get_privilege_luid( &privs
[i
].se_priv
);
1498 entries
[i
].luid
.low
= luid
.luid
.low
;
1499 entries
[i
].luid
.high
= luid
.luid
.high
;
1503 enum_context
= num_privs
;
1505 *r
->out
.resume_handle
= enum_context
;
1506 r
->out
.privs
->count
= num_privs
;
1507 r
->out
.privs
->privs
= entries
;
1509 return NT_STATUS_OK
;
1512 /***************************************************************************
1513 _lsa_LookupPrivDisplayName
1514 ***************************************************************************/
1516 NTSTATUS
_lsa_LookupPrivDisplayName(pipes_struct
*p
,
1517 struct lsa_LookupPrivDisplayName
*r
)
1519 struct lsa_info
*handle
;
1520 const char *description
;
1521 struct lsa_StringLarge
*lsa_name
;
1523 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1524 return NT_STATUS_INVALID_HANDLE
;
1526 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1527 return NT_STATUS_INVALID_HANDLE
;
1530 /* check if the user has enough rights */
1533 * I don't know if it's the right one. not documented.
1535 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1536 return NT_STATUS_ACCESS_DENIED
;
1538 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r
->in
.name
->string
));
1540 description
= get_privilege_dispname(r
->in
.name
->string
);
1542 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1543 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1546 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description
));
1548 lsa_name
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_StringLarge
);
1550 return NT_STATUS_NO_MEMORY
;
1553 init_lsa_StringLarge(lsa_name
, description
);
1555 *r
->out
.returned_language_id
= r
->in
.language_id
;
1556 *r
->out
.disp_name
= lsa_name
;
1558 return NT_STATUS_OK
;
1561 /***************************************************************************
1563 ***************************************************************************/
1565 NTSTATUS
_lsa_EnumAccounts(pipes_struct
*p
,
1566 struct lsa_EnumAccounts
*r
)
1568 struct lsa_info
*handle
;
1570 int i
, j
, num_entries
;
1572 struct lsa_SidPtr
*sids
= NULL
;
1574 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1575 return NT_STATUS_INVALID_HANDLE
;
1577 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1578 return NT_STATUS_INVALID_HANDLE
;
1581 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1582 return NT_STATUS_ACCESS_DENIED
;
1587 /* The only way we can currently find out all the SIDs that have been
1588 privileged is to scan all privileges */
1590 status
= privilege_enumerate_accounts(&sid_list
, &num_entries
);
1591 if (!NT_STATUS_IS_OK(status
)) {
1595 if (*r
->in
.resume_handle
>= num_entries
) {
1596 return NT_STATUS_NO_MORE_ENTRIES
;
1599 if (num_entries
- *r
->in
.resume_handle
) {
1600 sids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_SidPtr
,
1601 num_entries
- *r
->in
.resume_handle
);
1603 talloc_free(sid_list
);
1604 return NT_STATUS_NO_MEMORY
;
1607 for (i
= *r
->in
.resume_handle
, j
= 0; i
< num_entries
; i
++, j
++) {
1608 sids
[j
].sid
= sid_dup_talloc(p
->mem_ctx
, &sid_list
[i
]);
1610 talloc_free(sid_list
);
1611 return NT_STATUS_NO_MEMORY
;
1616 talloc_free(sid_list
);
1618 *r
->out
.resume_handle
= num_entries
;
1619 r
->out
.sids
->num_sids
= num_entries
;
1620 r
->out
.sids
->sids
= sids
;
1622 return NT_STATUS_OK
;
1625 /***************************************************************************
1627 ***************************************************************************/
1629 NTSTATUS
_lsa_GetUserName(pipes_struct
*p
,
1630 struct lsa_GetUserName
*r
)
1632 const char *username
, *domname
;
1633 struct lsa_String
*account_name
= NULL
;
1634 struct lsa_String
*authority_name
= NULL
;
1636 if (r
->in
.account_name
&&
1637 *r
->in
.account_name
) {
1638 return NT_STATUS_INVALID_PARAMETER
;
1641 if (r
->in
.authority_name
&&
1642 *r
->in
.authority_name
) {
1643 return NT_STATUS_INVALID_PARAMETER
;
1646 if (p
->server_info
->guest
) {
1648 * I'm 99% sure this is not the right place to do this,
1649 * global_sid_Anonymous should probably be put into the token
1650 * instead of the guest id -- vl
1652 if (!lookup_sid(p
->mem_ctx
, &global_sid_Anonymous
,
1653 &domname
, &username
, NULL
)) {
1654 return NT_STATUS_NO_MEMORY
;
1657 username
= p
->server_info
->sanitized_username
;
1658 domname
= pdb_get_domain(p
->server_info
->sam_account
);
1661 account_name
= TALLOC_P(p
->mem_ctx
, struct lsa_String
);
1662 if (!account_name
) {
1663 return NT_STATUS_NO_MEMORY
;
1665 init_lsa_String(account_name
, username
);
1667 if (r
->out
.authority_name
) {
1668 authority_name
= TALLOC_P(p
->mem_ctx
, struct lsa_String
);
1669 if (!authority_name
) {
1670 return NT_STATUS_NO_MEMORY
;
1672 init_lsa_String(authority_name
, domname
);
1675 *r
->out
.account_name
= account_name
;
1676 if (r
->out
.authority_name
) {
1677 *r
->out
.authority_name
= authority_name
;
1680 return NT_STATUS_OK
;
1683 /***************************************************************************
1685 ***************************************************************************/
1687 NTSTATUS
_lsa_CreateAccount(pipes_struct
*p
,
1688 struct lsa_CreateAccount
*r
)
1691 struct lsa_info
*handle
;
1692 struct lsa_info
*info
;
1693 uint32_t acc_granted
;
1694 uint32_t owner_access
= (LSA_ACCOUNT_ALL_ACCESS
&
1695 ~(LSA_ACCOUNT_ADJUST_PRIVILEGES
|
1696 LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS
|
1697 STD_RIGHT_DELETE_ACCESS
));
1698 struct security_descriptor
*psd
;
1701 /* find the connection policy handle. */
1702 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1703 return NT_STATUS_INVALID_HANDLE
;
1705 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1706 return NT_STATUS_INVALID_HANDLE
;
1709 /* check if the user has enough rights */
1711 if (!(handle
->access
& LSA_POLICY_CREATE_ACCOUNT
)) {
1712 return NT_STATUS_ACCESS_DENIED
;
1715 /* Work out max allowed. */
1716 map_max_allowed_access(p
->server_info
->ptok
,
1717 &p
->server_info
->utok
,
1718 &r
->in
.access_mask
);
1720 /* map the generic bits to the lsa policy ones */
1721 se_map_generic(&r
->in
.access_mask
, &lsa_account_mapping
);
1723 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
1724 &lsa_account_mapping
,
1725 r
->in
.sid
, owner_access
);
1726 if (!NT_STATUS_IS_OK(status
)) {
1730 status
= access_check_object(psd
, p
->server_info
->ptok
,
1731 NULL
, 0, r
->in
.access_mask
,
1732 &acc_granted
, "_lsa_CreateAccount");
1733 if (!NT_STATUS_IS_OK(status
)) {
1737 if ( is_privileged_sid( r
->in
.sid
) )
1738 return NT_STATUS_OBJECT_NAME_COLLISION
;
1740 /* associate the user/group SID with the (unique) handle. */
1742 info
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_info
);
1744 return NT_STATUS_NO_MEMORY
;
1747 info
->sid
= *r
->in
.sid
;
1748 info
->access
= acc_granted
;
1749 info
->type
= LSA_HANDLE_ACCOUNT_TYPE
;
1751 /* get a (unique) handle. open a policy on it. */
1752 if (!create_policy_hnd(p
, r
->out
.acct_handle
, info
))
1753 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1755 return privilege_create_account( &info
->sid
);
1758 /***************************************************************************
1760 ***************************************************************************/
1762 NTSTATUS
_lsa_OpenAccount(pipes_struct
*p
,
1763 struct lsa_OpenAccount
*r
)
1765 struct lsa_info
*handle
;
1766 struct lsa_info
*info
;
1767 SEC_DESC
*psd
= NULL
;
1769 uint32_t des_access
= r
->in
.access_mask
;
1770 uint32_t acc_granted
;
1771 uint32_t owner_access
= (LSA_ACCOUNT_ALL_ACCESS
&
1772 ~(LSA_ACCOUNT_ADJUST_PRIVILEGES
|
1773 LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS
|
1774 STD_RIGHT_DELETE_ACCESS
));
1777 /* find the connection policy handle. */
1778 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1779 return NT_STATUS_INVALID_HANDLE
;
1781 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1782 return NT_STATUS_INVALID_HANDLE
;
1785 /* des_access is for the account here, not the policy
1786 * handle - so don't check against policy handle. */
1788 /* Work out max allowed. */
1789 map_max_allowed_access(p
->server_info
->ptok
,
1790 &p
->server_info
->utok
,
1793 /* map the generic bits to the lsa account ones */
1794 se_map_generic(&des_access
, &lsa_account_mapping
);
1796 /* get the generic lsa account SD until we store it */
1797 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
1798 &lsa_account_mapping
,
1799 r
->in
.sid
, owner_access
);
1800 if (!NT_STATUS_IS_OK(status
)) {
1804 status
= access_check_object(psd
, p
->server_info
->ptok
,
1805 NULL
, 0, des_access
,
1806 &acc_granted
, "_lsa_OpenAccount" );
1807 if (!NT_STATUS_IS_OK(status
)) {
1811 /* TODO: Fis the parsing routine before reenabling this check! */
1813 if (!lookup_sid(&handle
->sid
, dom_name
, name
, &type
))
1814 return NT_STATUS_ACCESS_DENIED
;
1816 /* associate the user/group SID with the (unique) handle. */
1817 info
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_info
);
1819 return NT_STATUS_NO_MEMORY
;
1822 info
->sid
= *r
->in
.sid
;
1823 info
->access
= acc_granted
;
1824 info
->type
= LSA_HANDLE_ACCOUNT_TYPE
;
1826 /* get a (unique) handle. open a policy on it. */
1827 if (!create_policy_hnd(p
, r
->out
.acct_handle
, info
))
1828 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1830 return NT_STATUS_OK
;
1833 /***************************************************************************
1834 _lsa_EnumPrivsAccount
1835 For a given SID, enumerate all the privilege this account has.
1836 ***************************************************************************/
1838 NTSTATUS
_lsa_EnumPrivsAccount(pipes_struct
*p
,
1839 struct lsa_EnumPrivsAccount
*r
)
1841 NTSTATUS status
= NT_STATUS_OK
;
1842 struct lsa_info
*info
=NULL
;
1844 PRIVILEGE_SET privileges
;
1845 struct lsa_PrivilegeSet
*priv_set
= NULL
;
1846 struct lsa_LUIDAttribute
*luid_attrs
= NULL
;
1849 /* find the connection policy handle. */
1850 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1851 return NT_STATUS_INVALID_HANDLE
;
1853 if (info
->type
!= LSA_HANDLE_ACCOUNT_TYPE
) {
1854 return NT_STATUS_INVALID_HANDLE
;
1857 if (!(info
->access
& LSA_ACCOUNT_VIEW
))
1858 return NT_STATUS_ACCESS_DENIED
;
1860 get_privileges_for_sids(&mask
, &info
->sid
, 1);
1862 privilege_set_init( &privileges
);
1864 priv_set
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_PrivilegeSet
);
1866 status
= NT_STATUS_NO_MEMORY
;
1870 if ( se_priv_to_privilege_set( &privileges
, &mask
) ) {
1872 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1873 sid_string_dbg(&info
->sid
),
1876 luid_attrs
= TALLOC_ZERO_ARRAY(p
->mem_ctx
,
1877 struct lsa_LUIDAttribute
,
1880 status
= NT_STATUS_NO_MEMORY
;
1884 for (i
=0; i
<privileges
.count
; i
++) {
1885 luid_attrs
[i
].luid
.low
= privileges
.set
[i
].luid
.low
;
1886 luid_attrs
[i
].luid
.high
= privileges
.set
[i
].luid
.high
;
1887 luid_attrs
[i
].attribute
= privileges
.set
[i
].attr
;
1890 priv_set
->count
= privileges
.count
;
1891 priv_set
->unknown
= 0;
1892 priv_set
->set
= luid_attrs
;
1895 priv_set
->count
= 0;
1896 priv_set
->unknown
= 0;
1897 priv_set
->set
= NULL
;
1900 *r
->out
.privs
= priv_set
;
1903 privilege_set_free( &privileges
);
1908 /***************************************************************************
1909 _lsa_GetSystemAccessAccount
1910 ***************************************************************************/
1912 NTSTATUS
_lsa_GetSystemAccessAccount(pipes_struct
*p
,
1913 struct lsa_GetSystemAccessAccount
*r
)
1916 struct lsa_info
*info
= NULL
;
1917 struct lsa_EnumPrivsAccount e
;
1918 struct lsa_PrivilegeSet
*privset
;
1920 /* find the connection policy handle. */
1922 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1923 return NT_STATUS_INVALID_HANDLE
;
1925 if (info
->type
!= LSA_HANDLE_ACCOUNT_TYPE
) {
1926 return NT_STATUS_INVALID_HANDLE
;
1929 if (!(info
->access
& LSA_ACCOUNT_VIEW
))
1930 return NT_STATUS_ACCESS_DENIED
;
1932 privset
= talloc_zero(p
->mem_ctx
, struct lsa_PrivilegeSet
);
1934 return NT_STATUS_NO_MEMORY
;
1937 e
.in
.handle
= r
->in
.handle
;
1938 e
.out
.privs
= &privset
;
1940 status
= _lsa_EnumPrivsAccount(p
, &e
);
1941 if (!NT_STATUS_IS_OK(status
)) {
1942 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1943 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1944 nt_errstr(status
)));
1948 /* Samba4 would iterate over the privset to merge the policy mode bits,
1949 * not sure samba3 can do the same here, so just return what we did in
1953 0x01 -> Log on locally
1954 0x02 -> Access this computer from network
1955 0x04 -> Log on as a batch job
1956 0x10 -> Log on as a service
1958 they can be ORed together
1961 *r
->out
.access_mask
= LSA_POLICY_MODE_INTERACTIVE
|
1962 LSA_POLICY_MODE_NETWORK
;
1964 return NT_STATUS_OK
;
1967 /***************************************************************************
1968 update the systemaccount information
1969 ***************************************************************************/
1971 NTSTATUS
_lsa_SetSystemAccessAccount(pipes_struct
*p
,
1972 struct lsa_SetSystemAccessAccount
*r
)
1974 struct lsa_info
*info
=NULL
;
1977 /* find the connection policy handle. */
1978 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1979 return NT_STATUS_INVALID_HANDLE
;
1981 if (info
->type
!= LSA_HANDLE_ACCOUNT_TYPE
) {
1982 return NT_STATUS_INVALID_HANDLE
;
1985 if (!(info
->access
& LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS
)) {
1986 return NT_STATUS_ACCESS_DENIED
;
1989 if (!pdb_getgrsid(&map
, info
->sid
))
1990 return NT_STATUS_NO_SUCH_GROUP
;
1992 return pdb_update_group_mapping_entry(&map
);
1995 /***************************************************************************
1996 _lsa_AddPrivilegesToAccount
1997 For a given SID, add some privileges.
1998 ***************************************************************************/
2000 NTSTATUS
_lsa_AddPrivilegesToAccount(pipes_struct
*p
,
2001 struct lsa_AddPrivilegesToAccount
*r
)
2003 struct lsa_info
*info
= NULL
;
2005 struct lsa_PrivilegeSet
*set
= NULL
;
2007 /* find the connection policy handle. */
2008 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2009 return NT_STATUS_INVALID_HANDLE
;
2011 if (info
->type
!= LSA_HANDLE_ACCOUNT_TYPE
) {
2012 return NT_STATUS_INVALID_HANDLE
;
2015 if (!(info
->access
& LSA_ACCOUNT_ADJUST_PRIVILEGES
)) {
2016 return NT_STATUS_ACCESS_DENIED
;
2020 if ( !privilege_set_to_se_priv( &mask
, set
) )
2021 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2023 if ( !grant_privilege( &info
->sid
, &mask
) ) {
2024 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
2025 sid_string_dbg(&info
->sid
) ));
2026 DEBUG(3,("Privilege mask:\n"));
2027 dump_se_priv( DBGC_ALL
, 3, &mask
);
2028 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2031 return NT_STATUS_OK
;
2034 /***************************************************************************
2035 _lsa_RemovePrivilegesFromAccount
2036 For a given SID, remove some privileges.
2037 ***************************************************************************/
2039 NTSTATUS
_lsa_RemovePrivilegesFromAccount(pipes_struct
*p
,
2040 struct lsa_RemovePrivilegesFromAccount
*r
)
2042 struct lsa_info
*info
= NULL
;
2044 struct lsa_PrivilegeSet
*set
= NULL
;
2046 /* find the connection policy handle. */
2047 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2048 return NT_STATUS_INVALID_HANDLE
;
2050 if (info
->type
!= LSA_HANDLE_ACCOUNT_TYPE
) {
2051 return NT_STATUS_INVALID_HANDLE
;
2054 if (!(info
->access
& LSA_ACCOUNT_ADJUST_PRIVILEGES
)) {
2055 return NT_STATUS_ACCESS_DENIED
;
2060 if ( !privilege_set_to_se_priv( &mask
, set
) )
2061 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2063 if ( !revoke_privilege( &info
->sid
, &mask
) ) {
2064 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2065 sid_string_dbg(&info
->sid
) ));
2066 DEBUG(3,("Privilege mask:\n"));
2067 dump_se_priv( DBGC_ALL
, 3, &mask
);
2068 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2071 return NT_STATUS_OK
;
2074 /***************************************************************************
2076 ***************************************************************************/
2078 NTSTATUS
_lsa_LookupPrivName(pipes_struct
*p
,
2079 struct lsa_LookupPrivName
*r
)
2081 struct lsa_info
*info
= NULL
;
2083 struct lsa_StringLarge
*lsa_name
;
2085 /* find the connection policy handle. */
2086 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
)) {
2087 return NT_STATUS_INVALID_HANDLE
;
2090 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2091 return NT_STATUS_INVALID_HANDLE
;
2094 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
)) {
2095 return NT_STATUS_ACCESS_DENIED
;
2098 name
= luid_to_privilege_name((LUID
*)r
->in
.luid
);
2100 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2103 lsa_name
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_StringLarge
);
2105 return NT_STATUS_NO_MEMORY
;
2108 lsa_name
->string
= talloc_strdup(lsa_name
, name
);
2109 if (!lsa_name
->string
) {
2110 TALLOC_FREE(lsa_name
);
2111 return NT_STATUS_NO_MEMORY
;
2114 *r
->out
.name
= lsa_name
;
2116 return NT_STATUS_OK
;
2119 /***************************************************************************
2121 ***************************************************************************/
2123 NTSTATUS
_lsa_QuerySecurity(pipes_struct
*p
,
2124 struct lsa_QuerySecurity
*r
)
2126 struct lsa_info
*handle
=NULL
;
2127 SEC_DESC
*psd
= NULL
;
2131 /* find the connection policy handle. */
2132 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
2133 return NT_STATUS_INVALID_HANDLE
;
2135 switch (handle
->type
) {
2136 case LSA_HANDLE_POLICY_TYPE
:
2137 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
2138 &lsa_policy_mapping
, NULL
, 0);
2140 case LSA_HANDLE_ACCOUNT_TYPE
:
2141 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
2142 &lsa_account_mapping
,
2143 &handle
->sid
, LSA_ACCOUNT_ALL_ACCESS
);
2146 status
= NT_STATUS_INVALID_HANDLE
;
2150 if (!NT_STATUS_IS_OK(status
)) {
2154 *r
->out
.sdbuf
= make_sec_desc_buf(p
->mem_ctx
, sd_size
, psd
);
2155 if (!*r
->out
.sdbuf
) {
2156 return NT_STATUS_NO_MEMORY
;
2162 /***************************************************************************
2163 _lsa_AddAccountRights
2164 ***************************************************************************/
2166 NTSTATUS
_lsa_AddAccountRights(pipes_struct
*p
,
2167 struct lsa_AddAccountRights
*r
)
2169 struct lsa_info
*info
= NULL
;
2171 uint32_t acc_granted
= 0;
2172 SEC_DESC
*psd
= NULL
;
2177 /* find the connection policy handle. */
2178 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2179 return NT_STATUS_INVALID_HANDLE
;
2181 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2182 return NT_STATUS_INVALID_HANDLE
;
2185 /* get the generic lsa account SD until we store it */
2186 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
2187 &lsa_account_mapping
,
2189 if (!NT_STATUS_IS_OK(status
)) {
2194 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2195 * on the policy handle. If it does, ask for
2196 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2197 * on the account sid. We don't check here so just use the latter. JRA.
2200 status
= access_check_object(psd
, p
->server_info
->ptok
,
2202 LSA_ACCOUNT_ADJUST_PRIVILEGES
|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS
|LSA_ACCOUNT_VIEW
,
2203 &acc_granted
, "_lsa_AddAccountRights" );
2204 if (!NT_STATUS_IS_OK(status
)) {
2208 /* according to an NT4 PDC, you can add privileges to SIDs even without
2209 call_lsa_create_account() first. And you can use any arbitrary SID. */
2211 sid_copy( &sid
, r
->in
.sid
);
2213 for ( i
=0; i
< r
->in
.rights
->count
; i
++ ) {
2215 const char *privname
= r
->in
.rights
->names
[i
].string
;
2217 /* only try to add non-null strings */
2222 if ( !grant_privilege_by_name( &sid
, privname
) ) {
2223 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2225 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2229 return NT_STATUS_OK
;
2232 /***************************************************************************
2233 _lsa_RemoveAccountRights
2234 ***************************************************************************/
2236 NTSTATUS
_lsa_RemoveAccountRights(pipes_struct
*p
,
2237 struct lsa_RemoveAccountRights
*r
)
2239 struct lsa_info
*info
= NULL
;
2241 SEC_DESC
*psd
= NULL
;
2244 const char *privname
= NULL
;
2245 uint32_t acc_granted
= 0;
2248 /* find the connection policy handle. */
2249 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2250 return NT_STATUS_INVALID_HANDLE
;
2252 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2253 return NT_STATUS_INVALID_HANDLE
;
2256 /* get the generic lsa account SD until we store it */
2257 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
2258 &lsa_account_mapping
,
2260 if (!NT_STATUS_IS_OK(status
)) {
2265 * From the MS DOCs. We need
2266 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2267 * and DELETE on the account sid.
2270 status
= access_check_object(psd
, p
->server_info
->ptok
,
2272 LSA_ACCOUNT_ADJUST_PRIVILEGES
|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS
|
2273 LSA_ACCOUNT_VIEW
|STD_RIGHT_DELETE_ACCESS
,
2274 &acc_granted
, "_lsa_RemoveAccountRights");
2275 if (!NT_STATUS_IS_OK(status
)) {
2279 sid_copy( &sid
, r
->in
.sid
);
2281 if ( r
->in
.remove_all
) {
2282 if ( !revoke_all_privileges( &sid
) )
2283 return NT_STATUS_ACCESS_DENIED
;
2285 return NT_STATUS_OK
;
2288 for ( i
=0; i
< r
->in
.rights
->count
; i
++ ) {
2290 privname
= r
->in
.rights
->names
[i
].string
;
2292 /* only try to add non-null strings */
2297 if ( !revoke_privilege_by_name( &sid
, privname
) ) {
2298 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2300 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2304 return NT_STATUS_OK
;
2307 /*******************************************************************
2308 ********************************************************************/
2310 static NTSTATUS
init_lsa_right_set(TALLOC_CTX
*mem_ctx
,
2311 struct lsa_RightSet
*r
,
2312 PRIVILEGE_SET
*privileges
)
2315 const char *privname
;
2316 const char **privname_array
= NULL
;
2319 for (i
=0; i
<privileges
->count
; i
++) {
2321 privname
= luid_to_privilege_name(&privileges
->set
[i
].luid
);
2323 if (!add_string_to_array(mem_ctx
, privname
,
2324 &privname_array
, &num_priv
)) {
2325 return NT_STATUS_NO_MEMORY
;
2332 r
->names
= TALLOC_ZERO_ARRAY(mem_ctx
, struct lsa_StringLarge
,
2335 return NT_STATUS_NO_MEMORY
;
2338 for (i
=0; i
<num_priv
; i
++) {
2339 init_lsa_StringLarge(&r
->names
[i
], privname_array
[i
]);
2342 r
->count
= num_priv
;
2345 return NT_STATUS_OK
;
2348 /***************************************************************************
2349 _lsa_EnumAccountRights
2350 ***************************************************************************/
2352 NTSTATUS
_lsa_EnumAccountRights(pipes_struct
*p
,
2353 struct lsa_EnumAccountRights
*r
)
2356 struct lsa_info
*info
= NULL
;
2358 PRIVILEGE_SET privileges
;
2361 /* find the connection policy handle. */
2363 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2364 return NT_STATUS_INVALID_HANDLE
;
2366 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2367 return NT_STATUS_INVALID_HANDLE
;
2370 if (!(info
->access
& LSA_ACCOUNT_VIEW
)) {
2371 return NT_STATUS_ACCESS_DENIED
;
2374 /* according to an NT4 PDC, you can add privileges to SIDs even without
2375 call_lsa_create_account() first. And you can use any arbitrary SID. */
2377 sid_copy( &sid
, r
->in
.sid
);
2379 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2380 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2381 * the lsa database */
2383 if (!get_privileges_for_sids(&mask
, &sid
, 1)) {
2384 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
2387 status
= privilege_set_init(&privileges
);
2388 if (!NT_STATUS_IS_OK(status
)) {
2392 se_priv_to_privilege_set(&privileges
, &mask
);
2394 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2395 sid_string_dbg(&sid
), privileges
.count
));
2397 status
= init_lsa_right_set(p
->mem_ctx
, r
->out
.rights
, &privileges
);
2399 privilege_set_free( &privileges
);
2404 /***************************************************************************
2405 _lsa_LookupPrivValue
2406 ***************************************************************************/
2408 NTSTATUS
_lsa_LookupPrivValue(pipes_struct
*p
,
2409 struct lsa_LookupPrivValue
*r
)
2411 struct lsa_info
*info
= NULL
;
2412 const char *name
= NULL
;
2413 LUID_ATTR priv_luid
;
2416 /* find the connection policy handle. */
2418 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2419 return NT_STATUS_INVALID_HANDLE
;
2421 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2422 return NT_STATUS_INVALID_HANDLE
;
2425 if (!(info
->access
& LSA_POLICY_LOOKUP_NAMES
))
2426 return NT_STATUS_ACCESS_DENIED
;
2428 name
= r
->in
.name
->string
;
2430 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name
));
2432 if ( !se_priv_from_name( name
, &mask
) )
2433 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2435 priv_luid
= get_privilege_luid( &mask
);
2437 r
->out
.luid
->low
= priv_luid
.luid
.low
;
2438 r
->out
.luid
->high
= priv_luid
.luid
.high
;
2440 return NT_STATUS_OK
;
2443 /***************************************************************************
2444 _lsa_EnumAccountsWithUserRight
2445 ***************************************************************************/
2447 NTSTATUS
_lsa_EnumAccountsWithUserRight(pipes_struct
*p
,
2448 struct lsa_EnumAccountsWithUserRight
*r
)
2451 struct lsa_info
*info
= NULL
;
2452 struct dom_sid
*sids
= NULL
;
2457 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
)) {
2458 return NT_STATUS_INVALID_HANDLE
;
2461 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2462 return NT_STATUS_INVALID_HANDLE
;
2465 if (!(info
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
2466 return NT_STATUS_ACCESS_DENIED
;
2469 if (!r
->in
.name
|| !r
->in
.name
->string
) {
2470 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2473 if (!se_priv_from_name(r
->in
.name
->string
, &mask
)) {
2474 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2477 status
= privilege_enum_sids(&mask
, p
->mem_ctx
,
2479 if (!NT_STATUS_IS_OK(status
)) {
2483 r
->out
.sids
->num_sids
= num_sids
;
2484 r
->out
.sids
->sids
= talloc_array(p
->mem_ctx
, struct lsa_SidPtr
,
2485 r
->out
.sids
->num_sids
);
2487 for (i
=0; i
< r
->out
.sids
->num_sids
; i
++) {
2488 r
->out
.sids
->sids
[i
].sid
= sid_dup_talloc(r
->out
.sids
->sids
,
2490 if (!r
->out
.sids
->sids
[i
].sid
) {
2491 TALLOC_FREE(r
->out
.sids
->sids
);
2492 r
->out
.sids
->num_sids
= 0;
2493 return NT_STATUS_NO_MEMORY
;
2497 return NT_STATUS_OK
;
2500 /***************************************************************************
2502 ***************************************************************************/
2504 NTSTATUS
_lsa_Delete(pipes_struct
*p
,
2505 struct lsa_Delete
*r
)
2507 return NT_STATUS_NOT_SUPPORTED
;
2511 * From here on the server routines are just dummy ones to make smbd link with
2512 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2513 * pulling the server stubs across one by one.
2516 NTSTATUS
_lsa_SetSecObj(pipes_struct
*p
, struct lsa_SetSecObj
*r
)
2518 p
->rng_fault_state
= True
;
2519 return NT_STATUS_NOT_IMPLEMENTED
;
2522 NTSTATUS
_lsa_ChangePassword(pipes_struct
*p
, struct lsa_ChangePassword
*r
)
2524 p
->rng_fault_state
= True
;
2525 return NT_STATUS_NOT_IMPLEMENTED
;
2528 NTSTATUS
_lsa_SetInfoPolicy(pipes_struct
*p
, struct lsa_SetInfoPolicy
*r
)
2530 p
->rng_fault_state
= True
;
2531 return NT_STATUS_NOT_IMPLEMENTED
;
2534 NTSTATUS
_lsa_ClearAuditLog(pipes_struct
*p
, struct lsa_ClearAuditLog
*r
)
2536 p
->rng_fault_state
= True
;
2537 return NT_STATUS_NOT_IMPLEMENTED
;
2540 NTSTATUS
_lsa_GetQuotasForAccount(pipes_struct
*p
, struct lsa_GetQuotasForAccount
*r
)
2542 p
->rng_fault_state
= True
;
2543 return NT_STATUS_NOT_IMPLEMENTED
;
2546 NTSTATUS
_lsa_SetQuotasForAccount(pipes_struct
*p
, struct lsa_SetQuotasForAccount
*r
)
2548 p
->rng_fault_state
= True
;
2549 return NT_STATUS_NOT_IMPLEMENTED
;
2552 NTSTATUS
_lsa_QueryTrustedDomainInfo(pipes_struct
*p
, struct lsa_QueryTrustedDomainInfo
*r
)
2554 p
->rng_fault_state
= True
;
2555 return NT_STATUS_NOT_IMPLEMENTED
;
2558 NTSTATUS
_lsa_SetInformationTrustedDomain(pipes_struct
*p
, struct lsa_SetInformationTrustedDomain
*r
)
2560 p
->rng_fault_state
= True
;
2561 return NT_STATUS_NOT_IMPLEMENTED
;
2564 NTSTATUS
_lsa_QuerySecret(pipes_struct
*p
, struct lsa_QuerySecret
*r
)
2566 p
->rng_fault_state
= True
;
2567 return NT_STATUS_NOT_IMPLEMENTED
;
2570 NTSTATUS
_lsa_QueryTrustedDomainInfoBySid(pipes_struct
*p
, struct lsa_QueryTrustedDomainInfoBySid
*r
)
2572 p
->rng_fault_state
= True
;
2573 return NT_STATUS_NOT_IMPLEMENTED
;
2576 NTSTATUS
_lsa_SetTrustedDomainInfo(pipes_struct
*p
, struct lsa_SetTrustedDomainInfo
*r
)
2578 p
->rng_fault_state
= True
;
2579 return NT_STATUS_NOT_IMPLEMENTED
;
2582 NTSTATUS
_lsa_DeleteTrustedDomain(pipes_struct
*p
, struct lsa_DeleteTrustedDomain
*r
)
2584 p
->rng_fault_state
= True
;
2585 return NT_STATUS_NOT_IMPLEMENTED
;
2588 NTSTATUS
_lsa_StorePrivateData(pipes_struct
*p
, struct lsa_StorePrivateData
*r
)
2590 p
->rng_fault_state
= True
;
2591 return NT_STATUS_NOT_IMPLEMENTED
;
2594 NTSTATUS
_lsa_RetrievePrivateData(pipes_struct
*p
, struct lsa_RetrievePrivateData
*r
)
2596 p
->rng_fault_state
= True
;
2597 return NT_STATUS_NOT_IMPLEMENTED
;
2600 NTSTATUS
_lsa_SetInfoPolicy2(pipes_struct
*p
, struct lsa_SetInfoPolicy2
*r
)
2602 p
->rng_fault_state
= True
;
2603 return NT_STATUS_NOT_IMPLEMENTED
;
2606 NTSTATUS
_lsa_QueryTrustedDomainInfoByName(pipes_struct
*p
, struct lsa_QueryTrustedDomainInfoByName
*r
)
2608 p
->rng_fault_state
= True
;
2609 return NT_STATUS_NOT_IMPLEMENTED
;
2612 NTSTATUS
_lsa_SetTrustedDomainInfoByName(pipes_struct
*p
, struct lsa_SetTrustedDomainInfoByName
*r
)
2614 p
->rng_fault_state
= True
;
2615 return NT_STATUS_NOT_IMPLEMENTED
;
2618 NTSTATUS
_lsa_EnumTrustedDomainsEx(pipes_struct
*p
, struct lsa_EnumTrustedDomainsEx
*r
)
2620 p
->rng_fault_state
= True
;
2621 return NT_STATUS_NOT_IMPLEMENTED
;
2624 NTSTATUS
_lsa_CreateTrustedDomainEx(pipes_struct
*p
, struct lsa_CreateTrustedDomainEx
*r
)
2626 p
->rng_fault_state
= True
;
2627 return NT_STATUS_NOT_IMPLEMENTED
;
2630 NTSTATUS
_lsa_CloseTrustedDomainEx(pipes_struct
*p
, struct lsa_CloseTrustedDomainEx
*r
)
2632 p
->rng_fault_state
= True
;
2633 return NT_STATUS_NOT_IMPLEMENTED
;
2636 NTSTATUS
_lsa_QueryDomainInformationPolicy(pipes_struct
*p
, struct lsa_QueryDomainInformationPolicy
*r
)
2638 p
->rng_fault_state
= True
;
2639 return NT_STATUS_NOT_IMPLEMENTED
;
2642 NTSTATUS
_lsa_SetDomainInformationPolicy(pipes_struct
*p
, struct lsa_SetDomainInformationPolicy
*r
)
2644 p
->rng_fault_state
= True
;
2645 return NT_STATUS_NOT_IMPLEMENTED
;
2648 NTSTATUS
_lsa_OpenTrustedDomainByName(pipes_struct
*p
, struct lsa_OpenTrustedDomainByName
*r
)
2650 p
->rng_fault_state
= True
;
2651 return NT_STATUS_NOT_IMPLEMENTED
;
2654 NTSTATUS
_lsa_TestCall(pipes_struct
*p
, struct lsa_TestCall
*r
)
2656 p
->rng_fault_state
= True
;
2657 return NT_STATUS_NOT_IMPLEMENTED
;
2660 NTSTATUS
_lsa_CreateTrustedDomainEx2(pipes_struct
*p
, struct lsa_CreateTrustedDomainEx2
*r
)
2662 p
->rng_fault_state
= True
;
2663 return NT_STATUS_NOT_IMPLEMENTED
;
2666 NTSTATUS
_lsa_CREDRWRITE(pipes_struct
*p
, struct lsa_CREDRWRITE
*r
)
2668 p
->rng_fault_state
= True
;
2669 return NT_STATUS_NOT_IMPLEMENTED
;
2672 NTSTATUS
_lsa_CREDRREAD(pipes_struct
*p
, struct lsa_CREDRREAD
*r
)
2674 p
->rng_fault_state
= True
;
2675 return NT_STATUS_NOT_IMPLEMENTED
;
2678 NTSTATUS
_lsa_CREDRENUMERATE(pipes_struct
*p
, struct lsa_CREDRENUMERATE
*r
)
2680 p
->rng_fault_state
= True
;
2681 return NT_STATUS_NOT_IMPLEMENTED
;
2684 NTSTATUS
_lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct
*p
, struct lsa_CREDRWRITEDOMAINCREDENTIALS
*r
)
2686 p
->rng_fault_state
= True
;
2687 return NT_STATUS_NOT_IMPLEMENTED
;
2690 NTSTATUS
_lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct
*p
, struct lsa_CREDRREADDOMAINCREDENTIALS
*r
)
2692 p
->rng_fault_state
= True
;
2693 return NT_STATUS_NOT_IMPLEMENTED
;
2696 NTSTATUS
_lsa_CREDRDELETE(pipes_struct
*p
, struct lsa_CREDRDELETE
*r
)
2698 p
->rng_fault_state
= True
;
2699 return NT_STATUS_NOT_IMPLEMENTED
;
2702 NTSTATUS
_lsa_CREDRGETTARGETINFO(pipes_struct
*p
, struct lsa_CREDRGETTARGETINFO
*r
)
2704 p
->rng_fault_state
= True
;
2705 return NT_STATUS_NOT_IMPLEMENTED
;
2708 NTSTATUS
_lsa_CREDRPROFILELOADED(pipes_struct
*p
, struct lsa_CREDRPROFILELOADED
*r
)
2710 p
->rng_fault_state
= True
;
2711 return NT_STATUS_NOT_IMPLEMENTED
;
2714 NTSTATUS
_lsa_CREDRGETSESSIONTYPES(pipes_struct
*p
, struct lsa_CREDRGETSESSIONTYPES
*r
)
2716 p
->rng_fault_state
= True
;
2717 return NT_STATUS_NOT_IMPLEMENTED
;
2720 NTSTATUS
_lsa_LSARREGISTERAUDITEVENT(pipes_struct
*p
, struct lsa_LSARREGISTERAUDITEVENT
*r
)
2722 p
->rng_fault_state
= True
;
2723 return NT_STATUS_NOT_IMPLEMENTED
;
2726 NTSTATUS
_lsa_LSARGENAUDITEVENT(pipes_struct
*p
, struct lsa_LSARGENAUDITEVENT
*r
)
2728 p
->rng_fault_state
= True
;
2729 return NT_STATUS_NOT_IMPLEMENTED
;
2732 NTSTATUS
_lsa_LSARUNREGISTERAUDITEVENT(pipes_struct
*p
, struct lsa_LSARUNREGISTERAUDITEVENT
*r
)
2734 p
->rng_fault_state
= True
;
2735 return NT_STATUS_NOT_IMPLEMENTED
;
2738 NTSTATUS
_lsa_lsaRQueryForestTrustInformation(pipes_struct
*p
, struct lsa_lsaRQueryForestTrustInformation
*r
)
2740 p
->rng_fault_state
= True
;
2741 return NT_STATUS_NOT_IMPLEMENTED
;
2744 NTSTATUS
_lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct
*p
, struct lsa_LSARSETFORESTTRUSTINFORMATION
*r
)
2746 p
->rng_fault_state
= True
;
2747 return NT_STATUS_NOT_IMPLEMENTED
;
2750 NTSTATUS
_lsa_CREDRRENAME(pipes_struct
*p
, struct lsa_CREDRRENAME
*r
)
2752 p
->rng_fault_state
= True
;
2753 return NT_STATUS_NOT_IMPLEMENTED
;
2756 NTSTATUS
_lsa_LSAROPENPOLICYSCE(pipes_struct
*p
, struct lsa_LSAROPENPOLICYSCE
*r
)
2758 p
->rng_fault_state
= True
;
2759 return NT_STATUS_NOT_IMPLEMENTED
;
2762 NTSTATUS
_lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct
*p
, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE
*r
)
2764 p
->rng_fault_state
= True
;
2765 return NT_STATUS_NOT_IMPLEMENTED
;
2768 NTSTATUS
_lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct
*p
, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE
*r
)
2770 p
->rng_fault_state
= True
;
2771 return NT_STATUS_NOT_IMPLEMENTED
;
2774 NTSTATUS
_lsa_LSARADTREPORTSECURITYEVENT(pipes_struct
*p
, struct lsa_LSARADTREPORTSECURITYEVENT
*r
)
2776 p
->rng_fault_state
= True
;
2777 return NT_STATUS_NOT_IMPLEMENTED
;