search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-netlogon: implement dcesrv_netr_DsRAddressToSitenamesExW
[Samba/aatanasov.git] / source3 / rpc_server / srv_lsa_nt.c
blobcc5d23ce71fc3e3f3682ed3b0040637ce1f83fae
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
14 *
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
19 *
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
24 *
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
27 */
28
29 /* This is the implementation of the lsa server code. */
30
31 #include "includes.h"
32
33 #undef DBGC_CLASS
34 #define DBGC_CLASS DBGC_RPC_SRV
35
36 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
37
38 extern PRIVS privs[];
39
40 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
41
42 struct lsa_info {
43 DOM_SID sid;
44 uint32 access;
45 enum lsa_handle_type type;
46 };
47
48 const struct generic_mapping lsa_account_mapping = {
49 LSA_ACCOUNT_READ,
50 LSA_ACCOUNT_WRITE,
51 LSA_ACCOUNT_EXECUTE,
52 LSA_ACCOUNT_ALL_ACCESS
53 };
54
55 const struct generic_mapping lsa_policy_mapping = {
56 LSA_POLICY_READ,
57 LSA_POLICY_WRITE,
58 LSA_POLICY_EXECUTE,
59 LSA_POLICY_ALL_ACCESS
60 };
61
62 /***************************************************************************
63 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
64 ***************************************************************************/
65
66 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
67 struct lsa_RefDomainList *ref,
68 const char *dom_name,
69 DOM_SID *dom_sid)
70 {
71 int num = 0;
72
73 if (dom_name != NULL) {
74 for (num = 0; num < ref->count; num++) {
75 if (sid_equal(dom_sid, ref->domains[num].sid)) {
76 return num;
77 }
78 }
79 } else {
80 num = ref->count;
81 }
82
83 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
84 /* index not found, already at maximum domain limit */
85 return -1;
86 }
87
88 ref->count = num + 1;
89 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
90
91 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
92 struct lsa_DomainInfo, ref->count);
93 if (!ref->domains) {
94 return -1;
95 }
96
97 ZERO_STRUCT(ref->domains[num]);
98
99 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
100 ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
101 if (!ref->domains[num].sid) {
102 return -1;
103 }
104
105 return num;
106 }
107
108
109 /***************************************************************************
110 initialize a lsa_DomainInfo structure.
111 ***************************************************************************/
112
113 static void init_dom_query_3(struct lsa_DomainInfo *r,
114 const char *name,
115 DOM_SID *sid)
116 {
117 init_lsa_StringLarge(&r->name, name);
118 r->sid = sid;
119 }
120
121 /***************************************************************************
122 initialize a lsa_DomainInfo structure.
123 ***************************************************************************/
124
125 static void init_dom_query_5(struct lsa_DomainInfo *r,
126 const char *name,
127 DOM_SID *sid)
128 {
129 init_lsa_StringLarge(&r->name, name);
130 r->sid = sid;
131 }
132
133 /***************************************************************************
134 lookup_lsa_rids. Must be called as root for lookup_name to work.
135 ***************************************************************************/
136
137 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
138 struct lsa_RefDomainList *ref,
139 struct lsa_TranslatedSid *prid,
140 uint32_t num_entries,
141 struct lsa_String *name,
142 int flags,
143 uint32_t *pmapped_count)
144 {
145 uint32 mapped_count, i;
146
147 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
148
149 mapped_count = 0;
150 *pmapped_count = 0;
151
152 for (i = 0; i < num_entries; i++) {
153 DOM_SID sid;
154 uint32 rid;
155 int dom_idx;
156 const char *full_name;
157 const char *domain;
158 enum lsa_SidType type = SID_NAME_UNKNOWN;
159
160 /* Split name into domain and user component */
161
162 full_name = name[i].string;
163 if (full_name == NULL) {
164 return NT_STATUS_NO_MEMORY;
165 }
166
167 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
168
169 /* We can ignore the result of lookup_name, it will not touch
170 "type" if it's not successful */
171
172 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
173 &sid, &type);
174
175 switch (type) {
176 case SID_NAME_USER:
177 case SID_NAME_DOM_GRP:
178 case SID_NAME_DOMAIN:
179 case SID_NAME_ALIAS:
180 case SID_NAME_WKN_GRP:
181 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
182 /* Leave these unchanged */
183 break;
184 default:
185 /* Don't hand out anything but the list above */
186 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
187 type = SID_NAME_UNKNOWN;
188 break;
189 }
190
191 rid = 0;
192 dom_idx = -1;
193
194 if (type != SID_NAME_UNKNOWN) {
195 sid_split_rid(&sid, &rid);
196 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
197 mapped_count++;
198 }
199
200 prid[i].sid_type = type;
201 prid[i].rid = rid;
202 prid[i].sid_index = dom_idx;
203 }
204
205 *pmapped_count = mapped_count;
206 return NT_STATUS_OK;
207 }
208
209 /***************************************************************************
210 lookup_lsa_sids. Must be called as root for lookup_name to work.
211 ***************************************************************************/
212
213 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
214 struct lsa_RefDomainList *ref,
215 struct lsa_TranslatedSid3 *trans_sids,
216 uint32_t num_entries,
217 struct lsa_String *name,
218 int flags,
219 uint32 *pmapped_count)
220 {
221 uint32 mapped_count, i;
222
223 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
224
225 mapped_count = 0;
226 *pmapped_count = 0;
227
228 for (i = 0; i < num_entries; i++) {
229 DOM_SID sid;
230 uint32 rid;
231 int dom_idx;
232 const char *full_name;
233 const char *domain;
234 enum lsa_SidType type = SID_NAME_UNKNOWN;
235
236 ZERO_STRUCT(sid);
237
238 /* Split name into domain and user component */
239
240 full_name = name[i].string;
241 if (full_name == NULL) {
242 return NT_STATUS_NO_MEMORY;
243 }
244
245 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
246
247 /* We can ignore the result of lookup_name, it will not touch
248 "type" if it's not successful */
249
250 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
251 &sid, &type);
252
253 switch (type) {
254 case SID_NAME_USER:
255 case SID_NAME_DOM_GRP:
256 case SID_NAME_DOMAIN:
257 case SID_NAME_ALIAS:
258 case SID_NAME_WKN_GRP:
259 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
260 /* Leave these unchanged */
261 break;
262 default:
263 /* Don't hand out anything but the list above */
264 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
265 type = SID_NAME_UNKNOWN;
266 break;
267 }
268
269 rid = 0;
270 dom_idx = -1;
271
272 if (type != SID_NAME_UNKNOWN) {
273 DOM_SID domain_sid;
274 sid_copy(&domain_sid, &sid);
275 sid_split_rid(&domain_sid, &rid);
276 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
277 mapped_count++;
278 }
279
280 /* Initialize the lsa_TranslatedSid3 return. */
281 trans_sids[i].sid_type = type;
282 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
283 trans_sids[i].sid_index = dom_idx;
284 }
285
286 *pmapped_count = mapped_count;
287 return NT_STATUS_OK;
288 }
289
290 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size,
291 const struct generic_mapping *map,
292 DOM_SID *sid, uint32_t sid_access)
293 {
294 DOM_SID adm_sid;
295 SEC_ACE ace[5];
296 size_t i = 0;
297
298 SEC_ACL *psa = NULL;
299
300 /* READ|EXECUTE access for Everyone */
301
302 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
303 map->generic_execute | map->generic_read, 0);
304
305 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
306
307 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
308 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
309 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
310 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
311
312 /* Add Full Access for Domain Admins */
313 sid_copy(&adm_sid, get_global_sam_sid());
314 sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
315 init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
316 map->generic_all, 0);
317
318 /* If we have a sid, give it some special access */
319
320 if (sid) {
321 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
322 sid_access, 0);
323 }
324
325 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
326 return NT_STATUS_NO_MEMORY;
327
328 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
329 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
330 psa, sd_size)) == NULL)
331 return NT_STATUS_NO_MEMORY;
332
333 return NT_STATUS_OK;
334 }
335
336
337 /***************************************************************************
338 _lsa_OpenPolicy2
339 ***************************************************************************/
340
341 NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
342 struct lsa_OpenPolicy2 *r)
343 {
344 struct lsa_info *info;
345 SEC_DESC *psd = NULL;
346 size_t sd_size;
347 uint32 des_access = r->in.access_mask;
348 uint32 acc_granted;
349 NTSTATUS status;
350
351 /* Work out max allowed. */
352 map_max_allowed_access(p->server_info->ptok,
353 &p->server_info->utok,
354 &des_access);
355
356 /* map the generic bits to the lsa policy ones */
357 se_map_generic(&des_access, &lsa_policy_mapping);
358
359 /* get the generic lsa policy SD until we store it */
360 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
361 NULL, 0);
362 if (!NT_STATUS_IS_OK(status)) {
363 return status;
364 }
365
366 status = access_check_object(psd, p->server_info->ptok,
367 NULL, 0, des_access,
368 &acc_granted, "_lsa_OpenPolicy2" );
369
370 if (!NT_STATUS_IS_OK(status)) {
371 return status;
372 }
373
374 /* associate the domain SID with the (unique) handle. */
375 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
376 if (info == NULL) {
377 return NT_STATUS_NO_MEMORY;
378 }
379
380 sid_copy(&info->sid,get_global_sam_sid());
381 info->access = acc_granted;
382 info->type = LSA_HANDLE_POLICY_TYPE;
383
384 /* set up the LSA QUERY INFO response */
385 if (!create_policy_hnd(p, r->out.handle, info))
386 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
387
388 return NT_STATUS_OK;
389 }
390
391 /***************************************************************************
392 _lsa_OpenPolicy
393 ***************************************************************************/
394
395 NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
396 struct lsa_OpenPolicy *r)
397 {
398 struct lsa_OpenPolicy2 o;
399
400 o.in.system_name = NULL; /* should be ignored */
401 o.in.attr = r->in.attr;
402 o.in.access_mask = r->in.access_mask;
403
404 o.out.handle = r->out.handle;
405
406 return _lsa_OpenPolicy2(p, &o);
407 }
408
409 /***************************************************************************
410 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
411 ufff, done :) mimir
412 ***************************************************************************/
413
414 NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
415 struct lsa_EnumTrustDom *r)
416 {
417 struct lsa_info *info;
418 uint32 next_idx;
419 struct trustdom_info **domains;
420 struct lsa_DomainInfo *lsa_domains = NULL;
421 int i;
422
423 /*
424 * preferred length is set to 5 as a "our" preferred length
425 * nt sets this parameter to 2
426 * update (20.08.2002): it's not preferred length, but preferred size!
427 * it needs further investigation how to optimally choose this value
428 */
429 uint32 max_num_domains =
430 r->in.max_size < 5 ? r->in.max_size : 10;
431 uint32 num_domains;
432 NTSTATUS nt_status;
433 uint32 num_thistime;
434
435 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
436 return NT_STATUS_INVALID_HANDLE;
437
438 if (info->type != LSA_HANDLE_POLICY_TYPE) {
439 return NT_STATUS_INVALID_HANDLE;
440 }
441
442 /* check if the user has enough rights */
443 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
444 return NT_STATUS_ACCESS_DENIED;
445
446 become_root();
447 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
448 unbecome_root();
449
450 if (!NT_STATUS_IS_OK(nt_status)) {
451 return nt_status;
452 }
453
454 if (*r->in.resume_handle < num_domains) {
455 num_thistime = MIN(num_domains, max_num_domains);
456
457 nt_status = STATUS_MORE_ENTRIES;
458
459 if (*r->in.resume_handle + num_thistime > num_domains) {
460 num_thistime = num_domains - *r->in.resume_handle;
461 nt_status = NT_STATUS_OK;
462 }
463
464 next_idx = *r->in.resume_handle + num_thistime;
465 } else {
466 num_thistime = 0;
467 next_idx = 0xffffffff;
468 nt_status = NT_STATUS_NO_MORE_ENTRIES;
469 }
470
471 /* set up the lsa_enum_trust_dom response */
472
473 lsa_domains = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo,
474 num_thistime);
475 if (!lsa_domains) {
476 return NT_STATUS_NO_MEMORY;
477 }
478
479 for (i=0; i<num_thistime; i++) {
480 init_lsa_StringLarge(&lsa_domains[i].name, domains[i]->name);
481 lsa_domains[i].sid = &domains[i]->sid;
482 }
483
484 *r->out.resume_handle = next_idx;
485 r->out.domains->count = num_thistime;
486 r->out.domains->domains = lsa_domains;
487
488 return nt_status;
489 }
490
491 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
492 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
493 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
494
495 /***************************************************************************
496 _lsa_QueryInfoPolicy
497 ***************************************************************************/
498
499 NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
500 struct lsa_QueryInfoPolicy *r)
501 {
502 NTSTATUS status = NT_STATUS_OK;
503 struct lsa_info *handle;
504 DOM_SID domain_sid;
505 const char *name;
506 DOM_SID *sid = NULL;
507 union lsa_PolicyInformation *info = NULL;
508 uint32_t acc_required = 0;
509
510 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
511 return NT_STATUS_INVALID_HANDLE;
512
513 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
514 return NT_STATUS_INVALID_HANDLE;
515 }
516
517 switch (r->in.level) {
518 case LSA_POLICY_INFO_AUDIT_LOG:
519 case LSA_POLICY_INFO_AUDIT_EVENTS:
520 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
521 break;
522 case LSA_POLICY_INFO_DOMAIN:
523 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
524 break;
525 case LSA_POLICY_INFO_PD:
526 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
527 break;
528 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
529 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
530 break;
531 case LSA_POLICY_INFO_ROLE:
532 case LSA_POLICY_INFO_REPLICA:
533 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
534 break;
535 case LSA_POLICY_INFO_QUOTA:
536 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
537 break;
538 case LSA_POLICY_INFO_MOD:
539 case LSA_POLICY_INFO_AUDIT_FULL_SET:
540 /* according to MS-LSAD 3.1.4.4.3 */
541 return NT_STATUS_INVALID_PARAMETER;
542 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
543 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
544 break;
545 case LSA_POLICY_INFO_DNS:
546 case LSA_POLICY_INFO_DNS_INT:
547 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
548 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
549 break;
550 default:
551 break;
552 }
553
554 if (!(handle->access & acc_required)) {
555 /* return NT_STATUS_ACCESS_DENIED; */
556 }
557
558 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
559 if (!info) {
560 return NT_STATUS_NO_MEMORY;
561 }
562
563 switch (r->in.level) {
564 case LSA_POLICY_INFO_AUDIT_EVENTS:
565 {
566
567 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
568
569 /* check if the user has enough rights */
570 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
571 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
572 return NT_STATUS_ACCESS_DENIED;
573 }
574
575 /* fake info: We audit everything. ;) */
576
577 info->audit_events.auditing_mode = true;
578 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
579 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
580 enum lsa_PolicyAuditPolicy,
581 info->audit_events.count);
582 if (!info->audit_events.settings) {
583 return NT_STATUS_NO_MEMORY;
584 }
585
586 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
587 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
588 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
589 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
590 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
591 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
592 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
593
594 break;
595 }
596 case LSA_POLICY_INFO_DOMAIN:
597 /* check if the user has enough rights */
598 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
599 return NT_STATUS_ACCESS_DENIED;
600
601 /* Request PolicyPrimaryDomainInformation. */
602 switch (lp_server_role()) {
603 case ROLE_DOMAIN_PDC:
604 case ROLE_DOMAIN_BDC:
605 name = get_global_sam_name();
606 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
607 if (!sid) {
608 return NT_STATUS_NO_MEMORY;
609 }
610 break;
611 case ROLE_DOMAIN_MEMBER:
612 name = lp_workgroup();
613 /* We need to return the Domain SID here. */
614 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
615 sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
616 if (!sid) {
617 return NT_STATUS_NO_MEMORY;
618 }
619 } else {
620 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
621 }
622 break;
623 case ROLE_STANDALONE:
624 name = lp_workgroup();
625 sid = NULL;
626 break;
627 default:
628 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
629 }
630 init_dom_query_3(&info->domain, name, sid);
631 break;
632 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
633 /* check if the user has enough rights */
634 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
635 return NT_STATUS_ACCESS_DENIED;
636
637 /* Request PolicyAccountDomainInformation. */
638 name = get_global_sam_name();
639 sid = get_global_sam_sid();
640
641 init_dom_query_5(&info->account_domain, name, sid);
642 break;
643 case LSA_POLICY_INFO_ROLE:
644 /* check if the user has enough rights */
645 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
646 return NT_STATUS_ACCESS_DENIED;
647
648 switch (lp_server_role()) {
649 case ROLE_DOMAIN_BDC:
650 /*
651 * only a BDC is a backup controller
652 * of the domain, it controls.
653 */
654 info->role.role = LSA_ROLE_BACKUP;
655 break;
656 default:
657 /*
658 * any other role is a primary
659 * of the domain, it controls.
660 */
661 info->role.role = LSA_ROLE_PRIMARY;
662 break;
663 }
664 break;
665 case LSA_POLICY_INFO_DNS:
666 case LSA_POLICY_INFO_DNS_INT: {
667 struct pdb_domain_info *dominfo;
668
669 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
670 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
671 "without ADS passdb backend\n"));
672 status = NT_STATUS_INVALID_INFO_CLASS;
673 break;
674 }
675
676 dominfo = pdb_get_domain_info(info);
677 if (dominfo == NULL) {
678 status = NT_STATUS_NO_MEMORY;
679 break;
680 }
681
682 init_lsa_StringLarge(&info->dns.name,
683 dominfo->name);
684 init_lsa_StringLarge(&info->dns.dns_domain,
685 dominfo->dns_domain);
686 init_lsa_StringLarge(&info->dns.dns_forest,
687 dominfo->dns_forest);
688 info->dns.domain_guid = dominfo->guid;
689 info->dns.sid = &dominfo->sid;
690 break;
691 }
692 default:
693 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
694 r->in.level));
695 status = NT_STATUS_INVALID_INFO_CLASS;
696 break;
697 }
698
699 *r->out.info = info;
700
701 return status;
702 }
703
704 /***************************************************************************
705 _lsa_QueryInfoPolicy2
706 ***************************************************************************/
707
708 NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p,
709 struct lsa_QueryInfoPolicy2 *r2)
710 {
711 struct lsa_QueryInfoPolicy r;
712
713 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
714 p->rng_fault_state = True;
715 return NT_STATUS_NOT_IMPLEMENTED;
716 }
717
718 ZERO_STRUCT(r);
719 r.in.handle = r2->in.handle;
720 r.in.level = r2->in.level;
721 r.out.info = r2->out.info;
722
723 return _lsa_QueryInfoPolicy(p, &r);
724 }
725
726 /***************************************************************************
727 _lsa_lookup_sids_internal
728 ***************************************************************************/
729
730 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
731 TALLOC_CTX *mem_ctx,
732 uint16_t level, /* input */
733 int num_sids, /* input */
734 struct lsa_SidPtr *sid, /* input */
735 struct lsa_RefDomainList **pp_ref, /* input/output */
736 struct lsa_TranslatedName2 **pp_names,/* input/output */
737 uint32_t *pp_mapped_count) /* input/output */
738 {
739 NTSTATUS status;
740 int i;
741 const DOM_SID **sids = NULL;
742 struct lsa_RefDomainList *ref = NULL;
743 uint32 mapped_count = 0;
744 struct lsa_dom_info *dom_infos = NULL;
745 struct lsa_name_info *name_infos = NULL;
746 struct lsa_TranslatedName2 *names = NULL;
747
748 *pp_mapped_count = 0;
749 *pp_names = NULL;
750 *pp_ref = NULL;
751
752 if (num_sids == 0) {
753 return NT_STATUS_OK;
754 }
755
756 sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
757 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
758
759 if (sids == NULL || ref == NULL) {
760 return NT_STATUS_NO_MEMORY;
761 }
762
763 for (i=0; i<num_sids; i++) {
764 sids[i] = sid[i].sid;
765 }
766
767 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
768 &dom_infos, &name_infos);
769
770 if (!NT_STATUS_IS_OK(status)) {
771 return status;
772 }
773
774 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
775 if (names == NULL) {
776 return NT_STATUS_NO_MEMORY;
777 }
778
779 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
780
781 if (!dom_infos[i].valid) {
782 break;
783 }
784
785 if (init_lsa_ref_domain_list(mem_ctx, ref,
786 dom_infos[i].name,
787 &dom_infos[i].sid) != i) {
788 DEBUG(0, ("Domain %s mentioned twice??\n",
789 dom_infos[i].name));
790 return NT_STATUS_INTERNAL_ERROR;
791 }
792 }
793
794 for (i=0; i<num_sids; i++) {
795 struct lsa_name_info *name = &name_infos[i];
796
797 if (name->type == SID_NAME_UNKNOWN) {
798 fstring tmp;
799 name->dom_idx = -1;
800 /* Unknown sids should return the string
801 * representation of the SID. Windows 2003 behaves
802 * rather erratic here, in many cases it returns the
803 * RID as 8 bytes hex, in others it returns the full
804 * SID. We (Jerry/VL) could not figure out which the
805 * hard cases are, so leave it with the SID. */
806 name->name = talloc_asprintf(p->mem_ctx, "%s",
807 sid_to_fstring(tmp,
808 sids[i]));
809 if (name->name == NULL) {
810 return NT_STATUS_NO_MEMORY;
811 }
812 } else {
813 mapped_count += 1;
814 }
815
816 names[i].sid_type = name->type;
817 names[i].name.string = name->name;
818 names[i].sid_index = name->dom_idx;
819 names[i].unknown = 0;
820 }
821
822 status = NT_STATUS_NONE_MAPPED;
823 if (mapped_count > 0) {
824 status = (mapped_count < num_sids) ?
825 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
826 }
827
828 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
829 num_sids, mapped_count, nt_errstr(status)));
830
831 *pp_mapped_count = mapped_count;
832 *pp_names = names;
833 *pp_ref = ref;
834
835 return status;
836 }
837
838 /***************************************************************************
839 _lsa_LookupSids
840 ***************************************************************************/
841
842 NTSTATUS _lsa_LookupSids(pipes_struct *p,
843 struct lsa_LookupSids *r)
844 {
845 NTSTATUS status;
846 struct lsa_info *handle;
847 int num_sids = r->in.sids->num_sids;
848 uint32 mapped_count = 0;
849 struct lsa_RefDomainList *domains = NULL;
850 struct lsa_TranslatedName *names_out = NULL;
851 struct lsa_TranslatedName2 *names = NULL;
852 int i;
853
854 if ((r->in.level < 1) || (r->in.level > 6)) {
855 return NT_STATUS_INVALID_PARAMETER;
856 }
857
858 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
859 return NT_STATUS_INVALID_HANDLE;
860 }
861
862 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
863 return NT_STATUS_INVALID_HANDLE;
864 }
865
866 /* check if the user has enough rights */
867 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
868 return NT_STATUS_ACCESS_DENIED;
869 }
870
871 if (num_sids > MAX_LOOKUP_SIDS) {
872 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
873 MAX_LOOKUP_SIDS, num_sids));
874 return NT_STATUS_NONE_MAPPED;
875 }
876
877 status = _lsa_lookup_sids_internal(p,
878 p->mem_ctx,
879 r->in.level,
880 num_sids,
881 r->in.sids->sids,
882 &domains,
883 &names,
884 &mapped_count);
885
886 /* Only return here when there is a real error.
887 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
888 the requested sids could be resolved. Older versions of XP (pre SP3)
889 rely that we return with the string representations of those SIDs in
890 that case. If we don't, XP crashes - Guenther
891 */
892
893 if (NT_STATUS_IS_ERR(status) &&
894 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
895 return status;
896 }
897
898 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
899 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
900 num_sids);
901 if (!names_out) {
902 return NT_STATUS_NO_MEMORY;
903 }
904
905 for (i=0; i<num_sids; i++) {
906 names_out[i].sid_type = names[i].sid_type;
907 names_out[i].name = names[i].name;
908 names_out[i].sid_index = names[i].sid_index;
909 }
910
911 *r->out.domains = domains;
912 r->out.names->count = num_sids;
913 r->out.names->names = names_out;
914 *r->out.count = mapped_count;
915
916 return status;
917 }
918
919 /***************************************************************************
920 _lsa_LookupSids2
921 ***************************************************************************/
922
923 NTSTATUS _lsa_LookupSids2(pipes_struct *p,
924 struct lsa_LookupSids2 *r)
925 {
926 NTSTATUS status;
927 struct lsa_info *handle;
928 int num_sids = r->in.sids->num_sids;
929 uint32 mapped_count = 0;
930 struct lsa_RefDomainList *domains = NULL;
931 struct lsa_TranslatedName2 *names = NULL;
932 bool check_policy = true;
933
934 switch (p->hdr_req.opnum) {
935 case NDR_LSA_LOOKUPSIDS3:
936 check_policy = false;
937 break;
938 case NDR_LSA_LOOKUPSIDS2:
939 default:
940 check_policy = true;
941 }
942
943 if ((r->in.level < 1) || (r->in.level > 6)) {
944 return NT_STATUS_INVALID_PARAMETER;
945 }
946
947 if (check_policy) {
948 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
949 return NT_STATUS_INVALID_HANDLE;
950 }
951
952 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
953 return NT_STATUS_INVALID_HANDLE;
954 }
955
956 /* check if the user has enough rights */
957 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
958 return NT_STATUS_ACCESS_DENIED;
959 }
960 }
961
962 if (num_sids > MAX_LOOKUP_SIDS) {
963 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
964 MAX_LOOKUP_SIDS, num_sids));
965 return NT_STATUS_NONE_MAPPED;
966 }
967
968 status = _lsa_lookup_sids_internal(p,
969 p->mem_ctx,
970 r->in.level,
971 num_sids,
972 r->in.sids->sids,
973 &domains,
974 &names,
975 &mapped_count);
976
977 *r->out.domains = domains;
978 r->out.names->count = num_sids;
979 r->out.names->names = names;
980 *r->out.count = mapped_count;
981
982 return status;
983 }
984
985 /***************************************************************************
986 _lsa_LookupSids3
987 ***************************************************************************/
988
989 NTSTATUS _lsa_LookupSids3(pipes_struct *p,
990 struct lsa_LookupSids3 *r)
991 {
992 struct lsa_LookupSids2 q;
993
994 /* No policy handle on this call. Restrict to crypto connections. */
995 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
996 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
997 get_remote_machine_name() ));
998 return NT_STATUS_INVALID_PARAMETER;
999 }
1000
1001 q.in.handle = NULL;
1002 q.in.sids = r->in.sids;
1003 q.in.level = r->in.level;
1004 q.in.lookup_options = r->in.lookup_options;
1005 q.in.client_revision = r->in.client_revision;
1006 q.in.names = r->in.names;
1007 q.in.count = r->in.count;
1008
1009 q.out.domains = r->out.domains;
1010 q.out.names = r->out.names;
1011 q.out.count = r->out.count;
1012
1013 return _lsa_LookupSids2(p, &q);
1014 }
1015
1016 /***************************************************************************
1017 ***************************************************************************/
1018
1019 static int lsa_lookup_level_to_flags(uint16 level)
1020 {
1021 int flags;
1022
1023 switch (level) {
1024 case 1:
1025 flags = LOOKUP_NAME_ALL;
1026 break;
1027 case 2:
1028 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1029 break;
1030 case 3:
1031 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1032 break;
1033 case 4:
1034 case 5:
1035 case 6:
1036 default:
1037 flags = LOOKUP_NAME_NONE;
1038 break;
1039 }
1040
1041 return flags;
1042 }
1043
1044 /***************************************************************************
1045 _lsa_LookupNames
1046 ***************************************************************************/
1047
1048 NTSTATUS _lsa_LookupNames(pipes_struct *p,
1049 struct lsa_LookupNames *r)
1050 {
1051 NTSTATUS status = NT_STATUS_NONE_MAPPED;
1052 struct lsa_info *handle;
1053 struct lsa_String *names = r->in.names;
1054 uint32 num_entries = r->in.num_names;
1055 struct lsa_RefDomainList *domains = NULL;
1056 struct lsa_TranslatedSid *rids = NULL;
1057 uint32 mapped_count = 0;
1058 int flags = 0;
1059
1060 if (num_entries > MAX_LOOKUP_SIDS) {
1061 num_entries = MAX_LOOKUP_SIDS;
1062 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1063 num_entries));
1064 }
1065
1066 flags = lsa_lookup_level_to_flags(r->in.level);
1067
1068 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1069 if (!domains) {
1070 return NT_STATUS_NO_MEMORY;
1071 }
1072
1073 if (num_entries) {
1074 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1075 num_entries);
1076 if (!rids) {
1077 return NT_STATUS_NO_MEMORY;
1078 }
1079 } else {
1080 rids = NULL;
1081 }
1082
1083 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1084 status = NT_STATUS_INVALID_HANDLE;
1085 goto done;
1086 }
1087
1088 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1089 return NT_STATUS_INVALID_HANDLE;
1090 }
1091
1092 /* check if the user has enough rights */
1093 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1094 status = NT_STATUS_ACCESS_DENIED;
1095 goto done;
1096 }
1097
1098 /* set up the LSA Lookup RIDs response */
1099 become_root(); /* lookup_name can require root privs */
1100 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1101 names, flags, &mapped_count);
1102 unbecome_root();
1103
1104 done:
1105
1106 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1107 if (mapped_count == 0) {
1108 status = NT_STATUS_NONE_MAPPED;
1109 } else if (mapped_count != num_entries) {
1110 status = STATUS_SOME_UNMAPPED;
1111 }
1112 }
1113
1114 *r->out.count = mapped_count;
1115 *r->out.domains = domains;
1116 r->out.sids->sids = rids;
1117 r->out.sids->count = num_entries;
1118
1119 return status;
1120 }
1121
1122 /***************************************************************************
1123 _lsa_LookupNames2
1124 ***************************************************************************/
1125
1126 NTSTATUS _lsa_LookupNames2(pipes_struct *p,
1127 struct lsa_LookupNames2 *r)
1128 {
1129 NTSTATUS status;
1130 struct lsa_LookupNames q;
1131 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1132 struct lsa_TransSidArray *sid_array = NULL;
1133 uint32_t i;
1134
1135 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1136 if (!sid_array) {
1137 return NT_STATUS_NO_MEMORY;
1138 }
1139
1140 q.in.handle = r->in.handle;
1141 q.in.num_names = r->in.num_names;
1142 q.in.names = r->in.names;
1143 q.in.level = r->in.level;
1144 q.in.sids = sid_array;
1145 q.in.count = r->in.count;
1146 /* we do not know what this is for */
1147 /* = r->in.unknown1; */
1148 /* = r->in.unknown2; */
1149
1150 q.out.domains = r->out.domains;
1151 q.out.sids = sid_array;
1152 q.out.count = r->out.count;
1153
1154 status = _lsa_LookupNames(p, &q);
1155
1156 sid_array2->count = sid_array->count;
1157 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1158 if (!sid_array2->sids) {
1159 return NT_STATUS_NO_MEMORY;
1160 }
1161
1162 for (i=0; i<sid_array->count; i++) {
1163 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1164 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1165 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1166 sid_array2->sids[i].unknown = 0;
1167 }
1168
1169 r->out.sids = sid_array2;
1170
1171 return status;
1172 }
1173
1174 /***************************************************************************
1175 _lsa_LookupNames3
1176 ***************************************************************************/
1177
1178 NTSTATUS _lsa_LookupNames3(pipes_struct *p,
1179 struct lsa_LookupNames3 *r)
1180 {
1181 NTSTATUS status;
1182 struct lsa_info *handle;
1183 struct lsa_String *names = r->in.names;
1184 uint32 num_entries = r->in.num_names;
1185 struct lsa_RefDomainList *domains = NULL;
1186 struct lsa_TranslatedSid3 *trans_sids = NULL;
1187 uint32 mapped_count = 0;
1188 int flags = 0;
1189 bool check_policy = true;
1190
1191 switch (p->hdr_req.opnum) {
1192 case NDR_LSA_LOOKUPNAMES4:
1193 check_policy = false;
1194 break;
1195 case NDR_LSA_LOOKUPNAMES3:
1196 default:
1197 check_policy = true;
1198 }
1199
1200 if (num_entries > MAX_LOOKUP_SIDS) {
1201 num_entries = MAX_LOOKUP_SIDS;
1202 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1203 }
1204
1205 /* Probably the lookup_level is some sort of bitmask. */
1206 if (r->in.level == 1) {
1207 flags = LOOKUP_NAME_ALL;
1208 }
1209
1210 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1211 if (!domains) {
1212 return NT_STATUS_NO_MEMORY;
1213 }
1214
1215 if (num_entries) {
1216 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1217 num_entries);
1218 if (!trans_sids) {
1219 return NT_STATUS_NO_MEMORY;
1220 }
1221 } else {
1222 trans_sids = NULL;
1223 }
1224
1225 if (check_policy) {
1226
1227 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1228 status = NT_STATUS_INVALID_HANDLE;
1229 goto done;
1230 }
1231
1232 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1233 return NT_STATUS_INVALID_HANDLE;
1234 }
1235
1236 /* check if the user has enough rights */
1237 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1238 status = NT_STATUS_ACCESS_DENIED;
1239 goto done;
1240 }
1241 }
1242
1243 /* set up the LSA Lookup SIDs response */
1244 become_root(); /* lookup_name can require root privs */
1245 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1246 names, flags, &mapped_count);
1247 unbecome_root();
1248
1249 done:
1250
1251 if (NT_STATUS_IS_OK(status)) {
1252 if (mapped_count == 0) {
1253 status = NT_STATUS_NONE_MAPPED;
1254 } else if (mapped_count != num_entries) {
1255 status = STATUS_SOME_UNMAPPED;
1256 }
1257 }
1258
1259 *r->out.count = mapped_count;
1260 *r->out.domains = domains;
1261 r->out.sids->sids = trans_sids;
1262 r->out.sids->count = num_entries;
1263
1264 return status;
1265 }
1266
1267 /***************************************************************************
1268 _lsa_LookupNames4
1269 ***************************************************************************/
1270
1271 NTSTATUS _lsa_LookupNames4(pipes_struct *p,
1272 struct lsa_LookupNames4 *r)
1273 {
1274 struct lsa_LookupNames3 q;
1275
1276 /* No policy handle on this call. Restrict to crypto connections. */
1277 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1278 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1279 get_remote_machine_name() ));
1280 return NT_STATUS_INVALID_PARAMETER;
1281 }
1282
1283 q.in.handle = NULL;
1284 q.in.num_names = r->in.num_names;
1285 q.in.names = r->in.names;
1286 q.in.level = r->in.level;
1287 q.in.lookup_options = r->in.lookup_options;
1288 q.in.client_revision = r->in.client_revision;
1289 q.in.sids = r->in.sids;
1290 q.in.count = r->in.count;
1291
1292 q.out.domains = r->out.domains;
1293 q.out.sids = r->out.sids;
1294 q.out.count = r->out.count;
1295
1296 return _lsa_LookupNames3(p, &q);
1297 }
1298
1299 /***************************************************************************
1300 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1301 ***************************************************************************/
1302
1303 NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
1304 {
1305 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1306 return NT_STATUS_INVALID_HANDLE;
1307 }
1308
1309 close_policy_hnd(p, r->in.handle);
1310 ZERO_STRUCTP(r->out.handle);
1311 return NT_STATUS_OK;
1312 }
1313
1314 /***************************************************************************
1315 ***************************************************************************/
1316
1317 NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
1318 {
1319 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1320 }
1321
1322 /***************************************************************************
1323 ***************************************************************************/
1324
1325 NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
1326 {
1327 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1328 }
1329
1330 /***************************************************************************
1331 ***************************************************************************/
1332
1333 NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
1334 {
1335 return NT_STATUS_ACCESS_DENIED;
1336 }
1337
1338 /***************************************************************************
1339 ***************************************************************************/
1340
1341 NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
1342 {
1343 return NT_STATUS_ACCESS_DENIED;
1344 }
1345
1346 /***************************************************************************
1347 ***************************************************************************/
1348
1349 NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
1350 {
1351 return NT_STATUS_ACCESS_DENIED;
1352 }
1353
1354 /***************************************************************************
1355 _lsa_DeleteObject
1356 ***************************************************************************/
1357
1358 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
1359 struct lsa_DeleteObject *r)
1360 {
1361 NTSTATUS status;
1362 struct lsa_info *info = NULL;
1363
1364 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1365 return NT_STATUS_INVALID_HANDLE;
1366 }
1367
1368 if (!(info->access & STD_RIGHT_DELETE_ACCESS)) {
1369 return NT_STATUS_ACCESS_DENIED;
1370 }
1371
1372 switch (info->type) {
1373 case LSA_HANDLE_ACCOUNT_TYPE:
1374 status = privilege_delete_account(&info->sid);
1375 if (!NT_STATUS_IS_OK(status)) {
1376 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1377 nt_errstr(status)));
1378 return status;
1379 }
1380 break;
1381 default:
1382 return NT_STATUS_INVALID_HANDLE;
1383 }
1384
1385 close_policy_hnd(p, r->in.handle);
1386 ZERO_STRUCTP(r->out.handle);
1387
1388 return status;
1389 }
1390
1391 /***************************************************************************
1392 _lsa_EnumPrivs
1393 ***************************************************************************/
1394
1395 NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
1396 struct lsa_EnumPrivs *r)
1397 {
1398 struct lsa_info *handle;
1399 uint32 i;
1400 uint32 enum_context = *r->in.resume_handle;
1401 int num_privs = count_all_privileges();
1402 struct lsa_PrivEntry *entries = NULL;
1403 LUID_ATTR luid;
1404
1405 /* remember that the enum_context starts at 0 and not 1 */
1406
1407 if ( enum_context >= num_privs )
1408 return NT_STATUS_NO_MORE_ENTRIES;
1409
1410 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1411 enum_context, num_privs));
1412
1413 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1414 return NT_STATUS_INVALID_HANDLE;
1415
1416 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1417 return NT_STATUS_INVALID_HANDLE;
1418 }
1419
1420 /* check if the user has enough rights
1421 I don't know if it's the right one. not documented. */
1422
1423 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1424 return NT_STATUS_ACCESS_DENIED;
1425
1426 if (num_privs) {
1427 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1428 if (!entries) {
1429 return NT_STATUS_NO_MEMORY;
1430 }
1431 } else {
1432 entries = NULL;
1433 }
1434
1435 for (i = 0; i < num_privs; i++) {
1436 if( i < enum_context) {
1437
1438 init_lsa_StringLarge(&entries[i].name, NULL);
1439
1440 entries[i].luid.low = 0;
1441 entries[i].luid.high = 0;
1442 } else {
1443
1444 init_lsa_StringLarge(&entries[i].name, privs[i].name);
1445
1446 luid = get_privilege_luid( &privs[i].se_priv );
1447
1448 entries[i].luid.low = luid.luid.low;
1449 entries[i].luid.high = luid.luid.high;
1450 }
1451 }
1452
1453 enum_context = num_privs;
1454
1455 *r->out.resume_handle = enum_context;
1456 r->out.privs->count = num_privs;
1457 r->out.privs->privs = entries;
1458
1459 return NT_STATUS_OK;
1460 }
1461
1462 /***************************************************************************
1463 _lsa_LookupPrivDisplayName
1464 ***************************************************************************/
1465
1466 NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
1467 struct lsa_LookupPrivDisplayName *r)
1468 {
1469 struct lsa_info *handle;
1470 const char *description;
1471 struct lsa_StringLarge *lsa_name;
1472
1473 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1474 return NT_STATUS_INVALID_HANDLE;
1475
1476 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1477 return NT_STATUS_INVALID_HANDLE;
1478 }
1479
1480 /* check if the user has enough rights */
1481
1482 /*
1483 * I don't know if it's the right one. not documented.
1484 */
1485 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1486 return NT_STATUS_ACCESS_DENIED;
1487
1488 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1489
1490 description = get_privilege_dispname(r->in.name->string);
1491 if (!description) {
1492 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1493 return NT_STATUS_NO_SUCH_PRIVILEGE;
1494 }
1495
1496 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1497
1498 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1499 if (!lsa_name) {
1500 return NT_STATUS_NO_MEMORY;
1501 }
1502
1503 init_lsa_StringLarge(lsa_name, description);
1504
1505 *r->out.returned_language_id = r->in.language_id;
1506 *r->out.disp_name = lsa_name;
1507
1508 return NT_STATUS_OK;
1509 }
1510
1511 /***************************************************************************
1512 _lsa_EnumAccounts
1513 ***************************************************************************/
1514
1515 NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
1516 struct lsa_EnumAccounts *r)
1517 {
1518 struct lsa_info *handle;
1519 DOM_SID *sid_list;
1520 int i, j, num_entries;
1521 NTSTATUS status;
1522 struct lsa_SidPtr *sids = NULL;
1523
1524 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1525 return NT_STATUS_INVALID_HANDLE;
1526
1527 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1528 return NT_STATUS_INVALID_HANDLE;
1529 }
1530
1531 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1532 return NT_STATUS_ACCESS_DENIED;
1533
1534 sid_list = NULL;
1535 num_entries = 0;
1536
1537 /* The only way we can currently find out all the SIDs that have been
1538 privileged is to scan all privileges */
1539
1540 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1541 if (!NT_STATUS_IS_OK(status)) {
1542 return status;
1543 }
1544
1545 if (*r->in.resume_handle >= num_entries) {
1546 return NT_STATUS_NO_MORE_ENTRIES;
1547 }
1548
1549 if (num_entries - *r->in.resume_handle) {
1550 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1551 num_entries - *r->in.resume_handle);
1552 if (!sids) {
1553 talloc_free(sid_list);
1554 return NT_STATUS_NO_MEMORY;
1555 }
1556
1557 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1558 sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1559 if (!sids[j].sid) {
1560 talloc_free(sid_list);
1561 return NT_STATUS_NO_MEMORY;
1562 }
1563 }
1564 }
1565
1566 talloc_free(sid_list);
1567
1568 *r->out.resume_handle = num_entries;
1569 r->out.sids->num_sids = num_entries;
1570 r->out.sids->sids = sids;
1571
1572 return NT_STATUS_OK;
1573 }
1574
1575 /***************************************************************************
1576 _lsa_GetUserName
1577 ***************************************************************************/
1578
1579 NTSTATUS _lsa_GetUserName(pipes_struct *p,
1580 struct lsa_GetUserName *r)
1581 {
1582 const char *username, *domname;
1583 struct lsa_String *account_name = NULL;
1584 struct lsa_String *authority_name = NULL;
1585
1586 if (r->in.account_name &&
1587 *r->in.account_name) {
1588 return NT_STATUS_INVALID_PARAMETER;
1589 }
1590
1591 if (r->in.authority_name &&
1592 *r->in.authority_name) {
1593 return NT_STATUS_INVALID_PARAMETER;
1594 }
1595
1596 if (p->server_info->guest) {
1597 /*
1598 * I'm 99% sure this is not the right place to do this,
1599 * global_sid_Anonymous should probably be put into the token
1600 * instead of the guest id -- vl
1601 */
1602 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1603 &domname, &username, NULL)) {
1604 return NT_STATUS_NO_MEMORY;
1605 }
1606 } else {
1607 username = p->server_info->sanitized_username;
1608 domname = pdb_get_domain(p->server_info->sam_account);
1609 }
1610
1611 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1612 if (!account_name) {
1613 return NT_STATUS_NO_MEMORY;
1614 }
1615 init_lsa_String(account_name, username);
1616
1617 if (r->out.authority_name) {
1618 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1619 if (!authority_name) {
1620 return NT_STATUS_NO_MEMORY;
1621 }
1622 init_lsa_String(authority_name, domname);
1623 }
1624
1625 *r->out.account_name = account_name;
1626 if (r->out.authority_name) {
1627 *r->out.authority_name = authority_name;
1628 }
1629
1630 return NT_STATUS_OK;
1631 }
1632
1633 /***************************************************************************
1634 _lsa_CreateAccount
1635 ***************************************************************************/
1636
1637 NTSTATUS _lsa_CreateAccount(pipes_struct *p,
1638 struct lsa_CreateAccount *r)
1639 {
1640 NTSTATUS status;
1641 struct lsa_info *handle;
1642 struct lsa_info *info;
1643 uint32_t acc_granted;
1644 struct security_descriptor *psd;
1645 size_t sd_size;
1646
1647 /* find the connection policy handle. */
1648 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1649 return NT_STATUS_INVALID_HANDLE;
1650
1651 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1652 return NT_STATUS_INVALID_HANDLE;
1653 }
1654
1655 /* check if the user has enough rights */
1656
1657 if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
1658 return NT_STATUS_ACCESS_DENIED;
1659 }
1660
1661 /* map the generic bits to the lsa policy ones */
1662 se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1663
1664 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1665 &lsa_account_mapping,
1666 r->in.sid, LSA_POLICY_ALL_ACCESS);
1667 if (!NT_STATUS_IS_OK(status)) {
1668 return status;
1669 }
1670
1671 status = access_check_object(psd, p->server_info->ptok,
1672 NULL, 0, r->in.access_mask,
1673 &acc_granted, "_lsa_CreateAccount");
1674 if (!NT_STATUS_IS_OK(status)) {
1675 return status;
1676 }
1677
1678 if ( is_privileged_sid( r->in.sid ) )
1679 return NT_STATUS_OBJECT_NAME_COLLISION;
1680
1681 /* associate the user/group SID with the (unique) handle. */
1682
1683 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1684 if (info == NULL) {
1685 return NT_STATUS_NO_MEMORY;
1686 }
1687
1688 info->sid = *r->in.sid;
1689 info->access = acc_granted;
1690 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1691
1692 /* get a (unique) handle. open a policy on it. */
1693 if (!create_policy_hnd(p, r->out.acct_handle, info))
1694 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1695
1696 return privilege_create_account( &info->sid );
1697 }
1698
1699 /***************************************************************************
1700 _lsa_OpenAccount
1701 ***************************************************************************/
1702
1703 NTSTATUS _lsa_OpenAccount(pipes_struct *p,
1704 struct lsa_OpenAccount *r)
1705 {
1706 struct lsa_info *handle;
1707 struct lsa_info *info;
1708 SEC_DESC *psd = NULL;
1709 size_t sd_size;
1710 uint32_t des_access = r->in.access_mask;
1711 uint32_t acc_granted;
1712 NTSTATUS status;
1713
1714 /* find the connection policy handle. */
1715 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1716 return NT_STATUS_INVALID_HANDLE;
1717
1718 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1719 return NT_STATUS_INVALID_HANDLE;
1720 }
1721
1722 /* des_access is for the account here, not the policy
1723 * handle - so don't check against policy handle. */
1724
1725 /* Work out max allowed. */
1726 map_max_allowed_access(p->server_info->ptok,
1727 &p->server_info->utok,
1728 &des_access);
1729
1730 /* map the generic bits to the lsa account ones */
1731 se_map_generic(&des_access, &lsa_account_mapping);
1732
1733 /* get the generic lsa account SD until we store it */
1734 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1735 &lsa_account_mapping,
1736 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1737 if (!NT_STATUS_IS_OK(status)) {
1738 return status;
1739 }
1740
1741 status = access_check_object(psd, p->server_info->ptok,
1742 NULL, 0, des_access,
1743 &acc_granted, "_lsa_OpenAccount" );
1744
1745 if (!NT_STATUS_IS_OK(status)) {
1746 return status;
1747 }
1748
1749 /* TODO: Fis the parsing routine before reenabling this check! */
1750 #if 0
1751 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1752 return NT_STATUS_ACCESS_DENIED;
1753 #endif
1754 /* associate the user/group SID with the (unique) handle. */
1755 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1756 if (info == NULL) {
1757 return NT_STATUS_NO_MEMORY;
1758 }
1759
1760 info->sid = *r->in.sid;
1761 info->access = acc_granted;
1762 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1763
1764 /* get a (unique) handle. open a policy on it. */
1765 if (!create_policy_hnd(p, r->out.acct_handle, info))
1766 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1767
1768 return NT_STATUS_OK;
1769 }
1770
1771 /***************************************************************************
1772 _lsa_EnumPrivsAccount
1773 For a given SID, enumerate all the privilege this account has.
1774 ***************************************************************************/
1775
1776 NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
1777 struct lsa_EnumPrivsAccount *r)
1778 {
1779 NTSTATUS status = NT_STATUS_OK;
1780 struct lsa_info *info=NULL;
1781 SE_PRIV mask;
1782 PRIVILEGE_SET privileges;
1783 struct lsa_PrivilegeSet *priv_set = NULL;
1784 struct lsa_LUIDAttribute *luid_attrs = NULL;
1785 int i;
1786
1787 /* find the connection policy handle. */
1788 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1789 return NT_STATUS_INVALID_HANDLE;
1790
1791 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1792 return NT_STATUS_INVALID_HANDLE;
1793 }
1794
1795 if (!(info->access & LSA_ACCOUNT_VIEW))
1796 return NT_STATUS_ACCESS_DENIED;
1797
1798 get_privileges_for_sids(&mask, &info->sid, 1);
1799
1800 privilege_set_init( &privileges );
1801
1802 priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1803 if (!priv_set) {
1804 status = NT_STATUS_NO_MEMORY;
1805 goto done;
1806 }
1807
1808 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1809
1810 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1811 sid_string_dbg(&info->sid),
1812 privileges.count));
1813
1814 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1815 struct lsa_LUIDAttribute,
1816 privileges.count);
1817 if (!luid_attrs) {
1818 status = NT_STATUS_NO_MEMORY;
1819 goto done;
1820 }
1821
1822 for (i=0; i<privileges.count; i++) {
1823 luid_attrs[i].luid.low = privileges.set[i].luid.low;
1824 luid_attrs[i].luid.high = privileges.set[i].luid.high;
1825 luid_attrs[i].attribute = privileges.set[i].attr;
1826 }
1827
1828 priv_set->count = privileges.count;
1829 priv_set->unknown = 0;
1830 priv_set->set = luid_attrs;
1831
1832 } else {
1833 priv_set->count = 0;
1834 priv_set->unknown = 0;
1835 priv_set->set = NULL;
1836 }
1837
1838 *r->out.privs = priv_set;
1839
1840 done:
1841 privilege_set_free( &privileges );
1842
1843 return status;
1844 }
1845
1846 /***************************************************************************
1847 _lsa_GetSystemAccessAccount
1848 ***************************************************************************/
1849
1850 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
1851 struct lsa_GetSystemAccessAccount *r)
1852 {
1853 NTSTATUS status;
1854 struct lsa_info *info = NULL;
1855 struct lsa_EnumPrivsAccount e;
1856 struct lsa_PrivilegeSet *privset;
1857
1858 /* find the connection policy handle. */
1859
1860 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1861 return NT_STATUS_INVALID_HANDLE;
1862
1863 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1864 return NT_STATUS_INVALID_HANDLE;
1865 }
1866
1867 if (!(info->access & LSA_ACCOUNT_VIEW))
1868 return NT_STATUS_ACCESS_DENIED;
1869
1870 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1871 if (!privset) {
1872 return NT_STATUS_NO_MEMORY;
1873 }
1874
1875 e.in.handle = r->in.handle;
1876 e.out.privs = &privset;
1877
1878 status = _lsa_EnumPrivsAccount(p, &e);
1879 if (!NT_STATUS_IS_OK(status)) {
1880 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1881 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1882 nt_errstr(status)));
1883 return status;
1884 }
1885
1886 /* Samba4 would iterate over the privset to merge the policy mode bits,
1887 * not sure samba3 can do the same here, so just return what we did in
1888 * the past - gd */
1889
1890 /*
1891 0x01 -> Log on locally
1892 0x02 -> Access this computer from network
1893 0x04 -> Log on as a batch job
1894 0x10 -> Log on as a service
1895
1896 they can be ORed together
1897 */
1898
1899 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1900 LSA_POLICY_MODE_NETWORK;
1901
1902 return NT_STATUS_OK;
1903 }
1904
1905 /***************************************************************************
1906 update the systemaccount information
1907 ***************************************************************************/
1908
1909 NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
1910 struct lsa_SetSystemAccessAccount *r)
1911 {
1912 struct lsa_info *info=NULL;
1913 GROUP_MAP map;
1914
1915 /* find the connection policy handle. */
1916 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1917 return NT_STATUS_INVALID_HANDLE;
1918
1919 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1920 return NT_STATUS_INVALID_HANDLE;
1921 }
1922
1923 if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1924 return NT_STATUS_ACCESS_DENIED;
1925 }
1926
1927 if (!pdb_getgrsid(&map, info->sid))
1928 return NT_STATUS_NO_SUCH_GROUP;
1929
1930 return pdb_update_group_mapping_entry(&map);
1931 }
1932
1933 /***************************************************************************
1934 _lsa_AddPrivilegesToAccount
1935 For a given SID, add some privileges.
1936 ***************************************************************************/
1937
1938 NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
1939 struct lsa_AddPrivilegesToAccount *r)
1940 {
1941 struct lsa_info *info = NULL;
1942 SE_PRIV mask;
1943 struct lsa_PrivilegeSet *set = NULL;
1944
1945 /* find the connection policy handle. */
1946 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1947 return NT_STATUS_INVALID_HANDLE;
1948
1949 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1950 return NT_STATUS_INVALID_HANDLE;
1951 }
1952
1953 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1954 return NT_STATUS_ACCESS_DENIED;
1955 }
1956
1957 set = r->in.privs;
1958 if ( !privilege_set_to_se_priv( &mask, set ) )
1959 return NT_STATUS_NO_SUCH_PRIVILEGE;
1960
1961 if ( !grant_privilege( &info->sid, &mask ) ) {
1962 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1963 sid_string_dbg(&info->sid) ));
1964 DEBUG(3,("Privilege mask:\n"));
1965 dump_se_priv( DBGC_ALL, 3, &mask );
1966 return NT_STATUS_NO_SUCH_PRIVILEGE;
1967 }
1968
1969 return NT_STATUS_OK;
1970 }
1971
1972 /***************************************************************************
1973 _lsa_RemovePrivilegesFromAccount
1974 For a given SID, remove some privileges.
1975 ***************************************************************************/
1976
1977 NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
1978 struct lsa_RemovePrivilegesFromAccount *r)
1979 {
1980 struct lsa_info *info = NULL;
1981 SE_PRIV mask;
1982 struct lsa_PrivilegeSet *set = NULL;
1983
1984 /* find the connection policy handle. */
1985 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1986 return NT_STATUS_INVALID_HANDLE;
1987
1988 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1989 return NT_STATUS_INVALID_HANDLE;
1990 }
1991
1992 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1993 return NT_STATUS_ACCESS_DENIED;
1994 }
1995
1996 set = r->in.privs;
1997
1998 if ( !privilege_set_to_se_priv( &mask, set ) )
1999 return NT_STATUS_NO_SUCH_PRIVILEGE;
2000
2001 if ( !revoke_privilege( &info->sid, &mask ) ) {
2002 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2003 sid_string_dbg(&info->sid) ));
2004 DEBUG(3,("Privilege mask:\n"));
2005 dump_se_priv( DBGC_ALL, 3, &mask );
2006 return NT_STATUS_NO_SUCH_PRIVILEGE;
2007 }
2008
2009 return NT_STATUS_OK;
2010 }
2011
2012 /***************************************************************************
2013 _lsa_LookupPrivName
2014 ***************************************************************************/
2015
2016 NTSTATUS _lsa_LookupPrivName(pipes_struct *p,
2017 struct lsa_LookupPrivName *r)
2018 {
2019 struct lsa_info *info = NULL;
2020 const char *name;
2021 struct lsa_StringLarge *lsa_name;
2022
2023 /* find the connection policy handle. */
2024 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2025 return NT_STATUS_INVALID_HANDLE;
2026 }
2027
2028 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2029 return NT_STATUS_INVALID_HANDLE;
2030 }
2031
2032 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2033 return NT_STATUS_ACCESS_DENIED;
2034 }
2035
2036 name = luid_to_privilege_name((LUID *)r->in.luid);
2037 if (!name) {
2038 return NT_STATUS_NO_SUCH_PRIVILEGE;
2039 }
2040
2041 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2042 if (!lsa_name) {
2043 return NT_STATUS_NO_MEMORY;
2044 }
2045
2046 lsa_name->string = talloc_strdup(lsa_name, name);
2047 if (!lsa_name->string) {
2048 TALLOC_FREE(lsa_name);
2049 return NT_STATUS_NO_MEMORY;
2050 }
2051
2052 *r->out.name = lsa_name;
2053
2054 return NT_STATUS_OK;
2055 }
2056
2057 /***************************************************************************
2058 _lsa_QuerySecurity
2059 ***************************************************************************/
2060
2061 NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
2062 struct lsa_QuerySecurity *r)
2063 {
2064 struct lsa_info *handle=NULL;
2065 SEC_DESC *psd = NULL;
2066 size_t sd_size;
2067 NTSTATUS status;
2068
2069 /* find the connection policy handle. */
2070 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2071 return NT_STATUS_INVALID_HANDLE;
2072
2073 if (handle->type == LSA_HANDLE_POLICY_TYPE) {
2074 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2075 &lsa_policy_mapping, NULL, 0);
2076 } else if (handle->type == LSA_HANDLE_ACCOUNT_TYPE) {
2077 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2078 &lsa_account_mapping,
2079 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2080 } else {
2081 status = NT_STATUS_INVALID_HANDLE;
2082 }
2083
2084 if (!NT_STATUS_IS_OK(status)) {
2085 return status;
2086 }
2087
2088 *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2089 if (!*r->out.sdbuf) {
2090 return NT_STATUS_NO_MEMORY;
2091 }
2092
2093 return status;
2094 }
2095
2096 /***************************************************************************
2097 _lsa_AddAccountRights
2098 ***************************************************************************/
2099
2100 NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
2101 struct lsa_AddAccountRights *r)
2102 {
2103 struct lsa_info *info = NULL;
2104 int i = 0;
2105 uint32_t acc_granted = 0;
2106 SEC_DESC *psd = NULL;
2107 size_t sd_size;
2108 DOM_SID sid;
2109 NTSTATUS status;
2110
2111 /* find the connection policy handle. */
2112 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2113 return NT_STATUS_INVALID_HANDLE;
2114
2115 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2116 return NT_STATUS_INVALID_HANDLE;
2117 }
2118
2119 /* get the generic lsa account SD for this SID until we store it */
2120 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2121 &lsa_account_mapping,
2122 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2123 if (!NT_STATUS_IS_OK(status)) {
2124 return status;
2125 }
2126
2127 /*
2128 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2129 * on the policy handle. If it does, ask for
2130 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2131 * on the account sid. We don't check here so just use the latter. JRA.
2132 */
2133
2134 status = access_check_object(psd, p->server_info->ptok,
2135 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2136 &acc_granted, "_lsa_AddAccountRights" );
2137
2138 if (!NT_STATUS_IS_OK(status)) {
2139 return status;
2140 }
2141
2142 /* according to an NT4 PDC, you can add privileges to SIDs even without
2143 call_lsa_create_account() first. And you can use any arbitrary SID. */
2144
2145 sid_copy( &sid, r->in.sid );
2146
2147 for ( i=0; i < r->in.rights->count; i++ ) {
2148
2149 const char *privname = r->in.rights->names[i].string;
2150
2151 /* only try to add non-null strings */
2152
2153 if ( !privname )
2154 continue;
2155
2156 if ( !grant_privilege_by_name( &sid, privname ) ) {
2157 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2158 privname ));
2159 return NT_STATUS_NO_SUCH_PRIVILEGE;
2160 }
2161 }
2162
2163 return NT_STATUS_OK;
2164 }
2165
2166 /***************************************************************************
2167 _lsa_RemoveAccountRights
2168 ***************************************************************************/
2169
2170 NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
2171 struct lsa_RemoveAccountRights *r)
2172 {
2173 struct lsa_info *info = NULL;
2174 int i = 0;
2175 SEC_DESC *psd = NULL;
2176 size_t sd_size;
2177 DOM_SID sid;
2178 const char *privname = NULL;
2179 uint32_t acc_granted = 0;
2180 NTSTATUS status;
2181
2182 /* find the connection policy handle. */
2183 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2184 return NT_STATUS_INVALID_HANDLE;
2185
2186 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2187 return NT_STATUS_INVALID_HANDLE;
2188 }
2189
2190 /* get the generic lsa account SD for this SID until we store it */
2191 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2192 &lsa_account_mapping,
2193 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2194 if (!NT_STATUS_IS_OK(status)) {
2195 return status;
2196 }
2197
2198 /*
2199 * From the MS DOCs. We need
2200 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2201 * and DELETE on the account sid.
2202 */
2203
2204 status = access_check_object(psd, p->server_info->ptok,
2205 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2206 LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
2207 &acc_granted, "_lsa_AddAccountRights" );
2208
2209 if (!NT_STATUS_IS_OK(status)) {
2210 return status;
2211 }
2212
2213 sid_copy( &sid, r->in.sid );
2214
2215 if ( r->in.remove_all ) {
2216 if ( !revoke_all_privileges( &sid ) )
2217 return NT_STATUS_ACCESS_DENIED;
2218
2219 return NT_STATUS_OK;
2220 }
2221
2222 for ( i=0; i < r->in.rights->count; i++ ) {
2223
2224 privname = r->in.rights->names[i].string;
2225
2226 /* only try to add non-null strings */
2227
2228 if ( !privname )
2229 continue;
2230
2231 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2232 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2233 privname ));
2234 return NT_STATUS_NO_SUCH_PRIVILEGE;
2235 }
2236 }
2237
2238 return NT_STATUS_OK;
2239 }
2240
2241 /*******************************************************************
2242 ********************************************************************/
2243
2244 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2245 struct lsa_RightSet *r,
2246 PRIVILEGE_SET *privileges)
2247 {
2248 uint32 i;
2249 const char *privname;
2250 const char **privname_array = NULL;
2251 int num_priv = 0;
2252
2253 for (i=0; i<privileges->count; i++) {
2254
2255 privname = luid_to_privilege_name(&privileges->set[i].luid);
2256 if (privname) {
2257 if (!add_string_to_array(mem_ctx, privname,
2258 &privname_array, &num_priv)) {
2259 return NT_STATUS_NO_MEMORY;
2260 }
2261 }
2262 }
2263
2264 if (num_priv) {
2265
2266 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2267 num_priv);
2268 if (!r->names) {
2269 return NT_STATUS_NO_MEMORY;
2270 }
2271
2272 for (i=0; i<num_priv; i++) {
2273 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2274 }
2275
2276 r->count = num_priv;
2277 }
2278
2279 return NT_STATUS_OK;
2280 }
2281
2282 /***************************************************************************
2283 _lsa_EnumAccountRights
2284 ***************************************************************************/
2285
2286 NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
2287 struct lsa_EnumAccountRights *r)
2288 {
2289 NTSTATUS status;
2290 struct lsa_info *info = NULL;
2291 DOM_SID sid;
2292 PRIVILEGE_SET privileges;
2293 SE_PRIV mask;
2294
2295 /* find the connection policy handle. */
2296
2297 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2298 return NT_STATUS_INVALID_HANDLE;
2299
2300 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2301 return NT_STATUS_INVALID_HANDLE;
2302 }
2303
2304 if (!(info->access & LSA_ACCOUNT_VIEW)) {
2305 return NT_STATUS_ACCESS_DENIED;
2306 }
2307
2308 /* according to an NT4 PDC, you can add privileges to SIDs even without
2309 call_lsa_create_account() first. And you can use any arbitrary SID. */
2310
2311 sid_copy( &sid, r->in.sid );
2312
2313 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2314 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2315 * the lsa database */
2316
2317 if (!get_privileges_for_sids(&mask, &sid, 1)) {
2318 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2319 }
2320
2321 status = privilege_set_init(&privileges);
2322 if (!NT_STATUS_IS_OK(status)) {
2323 return status;
2324 }
2325
2326 se_priv_to_privilege_set(&privileges, &mask);
2327
2328 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2329 sid_string_dbg(&sid), privileges.count));
2330
2331 status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2332
2333 privilege_set_free( &privileges );
2334
2335 return status;
2336 }
2337
2338 /***************************************************************************
2339 _lsa_LookupPrivValue
2340 ***************************************************************************/
2341
2342 NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
2343 struct lsa_LookupPrivValue *r)
2344 {
2345 struct lsa_info *info = NULL;
2346 const char *name = NULL;
2347 LUID_ATTR priv_luid;
2348 SE_PRIV mask;
2349
2350 /* find the connection policy handle. */
2351
2352 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2353 return NT_STATUS_INVALID_HANDLE;
2354
2355 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2356 return NT_STATUS_INVALID_HANDLE;
2357 }
2358
2359 if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2360 return NT_STATUS_ACCESS_DENIED;
2361
2362 name = r->in.name->string;
2363
2364 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2365
2366 if ( !se_priv_from_name( name, &mask ) )
2367 return NT_STATUS_NO_SUCH_PRIVILEGE;
2368
2369 priv_luid = get_privilege_luid( &mask );
2370
2371 r->out.luid->low = priv_luid.luid.low;
2372 r->out.luid->high = priv_luid.luid.high;
2373
2374 return NT_STATUS_OK;
2375 }
2376
2377 /***************************************************************************
2378 _lsa_EnumAccountsWithUserRight
2379 ***************************************************************************/
2380
2381 NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p,
2382 struct lsa_EnumAccountsWithUserRight *r)
2383 {
2384 NTSTATUS status;
2385 struct lsa_info *info = NULL;
2386 struct dom_sid *sids = NULL;
2387 int num_sids = 0;
2388 uint32_t i;
2389 SE_PRIV mask;
2390
2391 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2392 return NT_STATUS_INVALID_HANDLE;
2393 }
2394
2395 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2396 return NT_STATUS_INVALID_HANDLE;
2397 }
2398
2399 if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2400 return NT_STATUS_ACCESS_DENIED;
2401 }
2402
2403 if (!r->in.name || !r->in.name->string) {
2404 return NT_STATUS_NO_SUCH_PRIVILEGE;
2405 }
2406
2407 if (!se_priv_from_name(r->in.name->string, &mask)) {
2408 return NT_STATUS_NO_SUCH_PRIVILEGE;
2409 }
2410
2411 status = privilege_enum_sids(&mask, p->mem_ctx,
2412 &sids, &num_sids);
2413 if (!NT_STATUS_IS_OK(status)) {
2414 return status;
2415 }
2416
2417 r->out.sids->num_sids = num_sids;
2418 r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2419 r->out.sids->num_sids);
2420
2421 for (i=0; i < r->out.sids->num_sids; i++) {
2422 r->out.sids->sids[i].sid = sid_dup_talloc(r->out.sids->sids,
2423 &sids[i]);
2424 if (!r->out.sids->sids[i].sid) {
2425 TALLOC_FREE(r->out.sids->sids);
2426 r->out.sids->num_sids = 0;
2427 return NT_STATUS_NO_MEMORY;
2428 }
2429 }
2430
2431 return NT_STATUS_OK;
2432 }
2433
2434 /***************************************************************************
2435 _lsa_Delete
2436 ***************************************************************************/
2437
2438 NTSTATUS _lsa_Delete(pipes_struct *p,
2439 struct lsa_Delete *r)
2440 {
2441 return NT_STATUS_NOT_SUPPORTED;
2442 }
2443
2444 /*
2445 * From here on the server routines are just dummy ones to make smbd link with
2446 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2447 * pulling the server stubs across one by one.
2448 */
2449
2450 NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
2451 {
2452 p->rng_fault_state = True;
2453 return NT_STATUS_NOT_IMPLEMENTED;
2454 }
2455
2456 NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
2457 {
2458 p->rng_fault_state = True;
2459 return NT_STATUS_NOT_IMPLEMENTED;
2460 }
2461
2462 NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
2463 {
2464 p->rng_fault_state = True;
2465 return NT_STATUS_NOT_IMPLEMENTED;
2466 }
2467
2468 NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
2469 {
2470 p->rng_fault_state = True;
2471 return NT_STATUS_NOT_IMPLEMENTED;
2472 }
2473
2474 NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
2475 {
2476 p->rng_fault_state = True;
2477 return NT_STATUS_NOT_IMPLEMENTED;
2478 }
2479
2480 NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
2481 {
2482 p->rng_fault_state = True;
2483 return NT_STATUS_NOT_IMPLEMENTED;
2484 }
2485
2486 NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
2487 {
2488 p->rng_fault_state = True;
2489 return NT_STATUS_NOT_IMPLEMENTED;
2490 }
2491
2492 NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
2493 {
2494 p->rng_fault_state = True;
2495 return NT_STATUS_NOT_IMPLEMENTED;
2496 }
2497
2498 NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
2499 {
2500 p->rng_fault_state = True;
2501 return NT_STATUS_NOT_IMPLEMENTED;
2502 }
2503
2504 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
2505 {
2506 p->rng_fault_state = True;
2507 return NT_STATUS_NOT_IMPLEMENTED;
2508 }
2509
2510 NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
2511 {
2512 p->rng_fault_state = True;
2513 return NT_STATUS_NOT_IMPLEMENTED;
2514 }
2515
2516 NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
2517 {
2518 p->rng_fault_state = True;
2519 return NT_STATUS_NOT_IMPLEMENTED;
2520 }
2521
2522 NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
2523 {
2524 p->rng_fault_state = True;
2525 return NT_STATUS_NOT_IMPLEMENTED;
2526 }
2527
2528 NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
2529 {
2530 p->rng_fault_state = True;
2531 return NT_STATUS_NOT_IMPLEMENTED;
2532 }
2533
2534 NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
2535 {
2536 p->rng_fault_state = True;
2537 return NT_STATUS_NOT_IMPLEMENTED;
2538 }
2539
2540 NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
2541 {
2542 p->rng_fault_state = True;
2543 return NT_STATUS_NOT_IMPLEMENTED;
2544 }
2545
2546 NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
2547 {
2548 p->rng_fault_state = True;
2549 return NT_STATUS_NOT_IMPLEMENTED;
2550 }
2551
2552 NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
2553 {
2554 p->rng_fault_state = True;
2555 return NT_STATUS_NOT_IMPLEMENTED;
2556 }
2557
2558 NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
2559 {
2560 p->rng_fault_state = True;
2561 return NT_STATUS_NOT_IMPLEMENTED;
2562 }
2563
2564 NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
2565 {
2566 p->rng_fault_state = True;
2567 return NT_STATUS_NOT_IMPLEMENTED;
2568 }
2569
2570 NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
2571 {
2572 p->rng_fault_state = True;
2573 return NT_STATUS_NOT_IMPLEMENTED;
2574 }
2575
2576 NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
2577 {
2578 p->rng_fault_state = True;
2579 return NT_STATUS_NOT_IMPLEMENTED;
2580 }
2581
2582 NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
2583 {
2584 p->rng_fault_state = True;
2585 return NT_STATUS_NOT_IMPLEMENTED;
2586 }
2587
2588 NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
2589 {
2590 p->rng_fault_state = True;
2591 return NT_STATUS_NOT_IMPLEMENTED;
2592 }
2593
2594 NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
2595 {
2596 p->rng_fault_state = True;
2597 return NT_STATUS_NOT_IMPLEMENTED;
2598 }
2599
2600 NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
2601 {
2602 p->rng_fault_state = True;
2603 return NT_STATUS_NOT_IMPLEMENTED;
2604 }
2605
2606 NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
2607 {
2608 p->rng_fault_state = True;
2609 return NT_STATUS_NOT_IMPLEMENTED;
2610 }
2611
2612 NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2613 {
2614 p->rng_fault_state = True;
2615 return NT_STATUS_NOT_IMPLEMENTED;
2616 }
2617
2618 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2619 {
2620 p->rng_fault_state = True;
2621 return NT_STATUS_NOT_IMPLEMENTED;
2622 }
2623
2624 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2625 {
2626 p->rng_fault_state = True;
2627 return NT_STATUS_NOT_IMPLEMENTED;
2628 }
2629
2630 NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
2631 {
2632 p->rng_fault_state = True;
2633 return NT_STATUS_NOT_IMPLEMENTED;
2634 }
2635
2636 NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
2637 {
2638 p->rng_fault_state = True;
2639 return NT_STATUS_NOT_IMPLEMENTED;
2640 }
2641
2642 NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
2643 {
2644 p->rng_fault_state = True;
2645 return NT_STATUS_NOT_IMPLEMENTED;
2646 }
2647
2648 NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
2649 {
2650 p->rng_fault_state = True;
2651 return NT_STATUS_NOT_IMPLEMENTED;
2652 }
2653
2654 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
2655 {
2656 p->rng_fault_state = True;
2657 return NT_STATUS_NOT_IMPLEMENTED;
2658 }
2659
2660 NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
2661 {
2662 p->rng_fault_state = True;
2663 return NT_STATUS_NOT_IMPLEMENTED;
2664 }
2665
2666 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
2667 {
2668 p->rng_fault_state = True;
2669 return NT_STATUS_NOT_IMPLEMENTED;
2670 }
2671
2672 NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
2673 {
2674 p->rng_fault_state = True;
2675 return NT_STATUS_NOT_IMPLEMENTED;
2676 }
2677
2678 NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2679 {
2680 p->rng_fault_state = True;
2681 return NT_STATUS_NOT_IMPLEMENTED;
2682 }
2683
2684 NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
2685 {
2686 p->rng_fault_state = True;
2687 return NT_STATUS_NOT_IMPLEMENTED;
2688 }
2689
2690 NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
2691 {
2692 p->rng_fault_state = True;
2693 return NT_STATUS_NOT_IMPLEMENTED;
2694 }
2695
2696 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2697 {
2698 p->rng_fault_state = True;
2699 return NT_STATUS_NOT_IMPLEMENTED;
2700 }
2701
2702 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2703 {
2704 p->rng_fault_state = True;
2705 return NT_STATUS_NOT_IMPLEMENTED;
2706 }
2707
2708 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
2709 {
2710 p->rng_fault_state = True;
2711 return NT_STATUS_NOT_IMPLEMENTED;
2712 }
aatanasov's samba4 branch