search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-lsa: Implement _lsa_EnumTrustedDomainsEx()
[Samba.git] / source3 / rpc_server / lsa / srv_lsa_nt.c
blobd190775111a71a3a69c20c46be32d60b9f2a9861
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
14 * Copyright (C) Andrew Bartlett 2010.
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
20 *
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
25 *
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
28 */
29
30 /* This is the implementation of the lsa server code. */
31
32 #include "includes.h"
33 #include "../librpc/gen_ndr/srv_lsa.h"
34 #include "secrets.h"
35 #include "../librpc/gen_ndr/netlogon.h"
36 #include "rpc_client/init_lsa.h"
37 #include "../libcli/security/security.h"
38
39 #undef DBGC_CLASS
40 #define DBGC_CLASS DBGC_RPC_SRV
41
42 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
43
44 enum lsa_handle_type {
45 LSA_HANDLE_POLICY_TYPE = 1,
46 LSA_HANDLE_ACCOUNT_TYPE = 2,
47 LSA_HANDLE_TRUST_TYPE = 3};
48
49 struct lsa_info {
50 struct dom_sid sid;
51 const char *name;
52 uint32 access;
53 enum lsa_handle_type type;
54 struct security_descriptor *sd;
55 };
56
57 const struct generic_mapping lsa_account_mapping = {
58 LSA_ACCOUNT_READ,
59 LSA_ACCOUNT_WRITE,
60 LSA_ACCOUNT_EXECUTE,
61 LSA_ACCOUNT_ALL_ACCESS
62 };
63
64 const struct generic_mapping lsa_policy_mapping = {
65 LSA_POLICY_READ,
66 LSA_POLICY_WRITE,
67 LSA_POLICY_EXECUTE,
68 LSA_POLICY_ALL_ACCESS
69 };
70
71 const struct generic_mapping lsa_secret_mapping = {
72 LSA_SECRET_READ,
73 LSA_SECRET_WRITE,
74 LSA_SECRET_EXECUTE,
75 LSA_SECRET_ALL_ACCESS
76 };
77
78 const struct generic_mapping lsa_trusted_domain_mapping = {
79 LSA_TRUSTED_DOMAIN_READ,
80 LSA_TRUSTED_DOMAIN_WRITE,
81 LSA_TRUSTED_DOMAIN_EXECUTE,
82 LSA_TRUSTED_DOMAIN_ALL_ACCESS
83 };
84
85 /***************************************************************************
86 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
87 ***************************************************************************/
88
89 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
90 struct lsa_RefDomainList *ref,
91 const char *dom_name,
92 struct dom_sid *dom_sid)
93 {
94 int num = 0;
95
96 if (dom_name != NULL) {
97 for (num = 0; num < ref->count; num++) {
98 if (dom_sid_equal(dom_sid, ref->domains[num].sid)) {
99 return num;
100 }
101 }
102 } else {
103 num = ref->count;
104 }
105
106 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
107 /* index not found, already at maximum domain limit */
108 return -1;
109 }
110
111 ref->count = num + 1;
112 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
113
114 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
115 struct lsa_DomainInfo, ref->count);
116 if (!ref->domains) {
117 return -1;
118 }
119
120 ZERO_STRUCT(ref->domains[num]);
121
122 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
123 ref->domains[num].sid = dom_sid_dup(mem_ctx, dom_sid);
124 if (!ref->domains[num].sid) {
125 return -1;
126 }
127
128 return num;
129 }
130
131
132 /***************************************************************************
133 initialize a lsa_DomainInfo structure.
134 ***************************************************************************/
135
136 static void init_dom_query_3(struct lsa_DomainInfo *r,
137 const char *name,
138 struct dom_sid *sid)
139 {
140 init_lsa_StringLarge(&r->name, name);
141 r->sid = sid;
142 }
143
144 /***************************************************************************
145 initialize a lsa_DomainInfo structure.
146 ***************************************************************************/
147
148 static void init_dom_query_5(struct lsa_DomainInfo *r,
149 const char *name,
150 struct dom_sid *sid)
151 {
152 init_lsa_StringLarge(&r->name, name);
153 r->sid = sid;
154 }
155
156 /***************************************************************************
157 lookup_lsa_rids. Must be called as root for lookup_name to work.
158 ***************************************************************************/
159
160 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
161 struct lsa_RefDomainList *ref,
162 struct lsa_TranslatedSid *prid,
163 uint32_t num_entries,
164 struct lsa_String *name,
165 int flags,
166 uint32_t *pmapped_count)
167 {
168 uint32 mapped_count, i;
169
170 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
171
172 mapped_count = 0;
173 *pmapped_count = 0;
174
175 for (i = 0; i < num_entries; i++) {
176 struct dom_sid sid;
177 uint32 rid;
178 int dom_idx;
179 const char *full_name;
180 const char *domain;
181 enum lsa_SidType type = SID_NAME_UNKNOWN;
182
183 /* Split name into domain and user component */
184
185 /* follow w2k8 behavior and return the builtin domain when no
186 * input has been passed in */
187
188 if (name[i].string) {
189 full_name = name[i].string;
190 } else {
191 full_name = "BUILTIN";
192 }
193
194 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
195
196 /* We can ignore the result of lookup_name, it will not touch
197 "type" if it's not successful */
198
199 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
200 &sid, &type);
201
202 switch (type) {
203 case SID_NAME_USER:
204 case SID_NAME_DOM_GRP:
205 case SID_NAME_DOMAIN:
206 case SID_NAME_ALIAS:
207 case SID_NAME_WKN_GRP:
208 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
209 /* Leave these unchanged */
210 break;
211 default:
212 /* Don't hand out anything but the list above */
213 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
214 type = SID_NAME_UNKNOWN;
215 break;
216 }
217
218 rid = 0;
219 dom_idx = -1;
220
221 if (type != SID_NAME_UNKNOWN) {
222 if (type == SID_NAME_DOMAIN) {
223 rid = (uint32_t)-1;
224 } else {
225 sid_split_rid(&sid, &rid);
226 }
227 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
228 mapped_count++;
229 }
230
231 prid[i].sid_type = type;
232 prid[i].rid = rid;
233 prid[i].sid_index = dom_idx;
234 }
235
236 *pmapped_count = mapped_count;
237 return NT_STATUS_OK;
238 }
239
240 /***************************************************************************
241 lookup_lsa_sids. Must be called as root for lookup_name to work.
242 ***************************************************************************/
243
244 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
245 struct lsa_RefDomainList *ref,
246 struct lsa_TranslatedSid3 *trans_sids,
247 uint32_t num_entries,
248 struct lsa_String *name,
249 int flags,
250 uint32 *pmapped_count)
251 {
252 uint32 mapped_count, i;
253
254 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
255
256 mapped_count = 0;
257 *pmapped_count = 0;
258
259 for (i = 0; i < num_entries; i++) {
260 struct dom_sid sid;
261 uint32 rid;
262 int dom_idx;
263 const char *full_name;
264 const char *domain;
265 enum lsa_SidType type = SID_NAME_UNKNOWN;
266
267 ZERO_STRUCT(sid);
268
269 /* Split name into domain and user component */
270
271 full_name = name[i].string;
272 if (full_name == NULL) {
273 return NT_STATUS_NO_MEMORY;
274 }
275
276 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
277
278 /* We can ignore the result of lookup_name, it will not touch
279 "type" if it's not successful */
280
281 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
282 &sid, &type);
283
284 switch (type) {
285 case SID_NAME_USER:
286 case SID_NAME_DOM_GRP:
287 case SID_NAME_DOMAIN:
288 case SID_NAME_ALIAS:
289 case SID_NAME_WKN_GRP:
290 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
291 /* Leave these unchanged */
292 break;
293 default:
294 /* Don't hand out anything but the list above */
295 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
296 type = SID_NAME_UNKNOWN;
297 break;
298 }
299
300 rid = 0;
301 dom_idx = -1;
302
303 if (type != SID_NAME_UNKNOWN) {
304 struct dom_sid domain_sid;
305 sid_copy(&domain_sid, &sid);
306 sid_split_rid(&domain_sid, &rid);
307 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
308 mapped_count++;
309 }
310
311 /* Initialize the lsa_TranslatedSid3 return. */
312 trans_sids[i].sid_type = type;
313 trans_sids[i].sid = dom_sid_dup(mem_ctx, &sid);
314 trans_sids[i].sid_index = dom_idx;
315 }
316
317 *pmapped_count = mapped_count;
318 return NT_STATUS_OK;
319 }
320
321 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, struct security_descriptor **sd, size_t *sd_size,
322 const struct generic_mapping *map,
323 struct dom_sid *sid, uint32_t sid_access)
324 {
325 struct dom_sid adm_sid;
326 struct security_ace ace[5];
327 size_t i = 0;
328
329 struct security_acl *psa = NULL;
330
331 /* READ|EXECUTE access for Everyone */
332
333 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
334 map->generic_execute | map->generic_read, 0);
335
336 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
337
338 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
339 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
340 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
341 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
342
343 /* Add Full Access for Domain Admins */
344 sid_compose(&adm_sid, get_global_sam_sid(), DOMAIN_RID_ADMINS);
345 init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
346 map->generic_all, 0);
347
348 /* If we have a sid, give it some special access */
349
350 if (sid) {
351 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
352 sid_access, 0);
353 }
354
355 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
356 return NT_STATUS_NO_MEMORY;
357
358 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
359 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
360 psa, sd_size)) == NULL)
361 return NT_STATUS_NO_MEMORY;
362
363 return NT_STATUS_OK;
364 }
365
366 /***************************************************************************
367 ***************************************************************************/
368
369 static NTSTATUS create_lsa_policy_handle(TALLOC_CTX *mem_ctx,
370 struct pipes_struct *p,
371 enum lsa_handle_type type,
372 uint32_t acc_granted,
373 struct dom_sid *sid,
374 const char *name,
375 const struct security_descriptor *sd,
376 struct policy_handle *handle)
377 {
378 struct lsa_info *info;
379
380 ZERO_STRUCTP(handle);
381
382 info = talloc_zero(mem_ctx, struct lsa_info);
383 if (!info) {
384 return NT_STATUS_NO_MEMORY;
385 }
386
387 info->type = type;
388 info->access = acc_granted;
389
390 if (sid) {
391 sid_copy(&info->sid, sid);
392 }
393
394 info->name = talloc_strdup(info, name);
395
396 if (sd) {
397 info->sd = dup_sec_desc(info, sd);
398 if (!info->sd) {
399 talloc_free(info);
400 return NT_STATUS_NO_MEMORY;
401 }
402 }
403
404 if (!create_policy_hnd(p, handle, info)) {
405 talloc_free(info);
406 ZERO_STRUCTP(handle);
407 return NT_STATUS_NO_MEMORY;
408 }
409
410 return NT_STATUS_OK;
411 }
412
413 /***************************************************************************
414 _lsa_OpenPolicy2
415 ***************************************************************************/
416
417 NTSTATUS _lsa_OpenPolicy2(struct pipes_struct *p,
418 struct lsa_OpenPolicy2 *r)
419 {
420 struct security_descriptor *psd = NULL;
421 size_t sd_size;
422 uint32 des_access = r->in.access_mask;
423 uint32 acc_granted;
424 NTSTATUS status;
425
426 /* Work out max allowed. */
427 map_max_allowed_access(p->server_info->security_token,
428 &p->server_info->utok,
429 &des_access);
430
431 /* map the generic bits to the lsa policy ones */
432 se_map_generic(&des_access, &lsa_policy_mapping);
433
434 /* get the generic lsa policy SD until we store it */
435 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
436 NULL, 0);
437 if (!NT_STATUS_IS_OK(status)) {
438 return status;
439 }
440
441 status = access_check_object(psd, p->server_info->security_token,
442 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, des_access,
443 &acc_granted, "_lsa_OpenPolicy2" );
444 if (!NT_STATUS_IS_OK(status)) {
445 return status;
446 }
447
448 status = create_lsa_policy_handle(p->mem_ctx, p,
449 LSA_HANDLE_POLICY_TYPE,
450 acc_granted,
451 get_global_sam_sid(),
452 NULL,
453 psd,
454 r->out.handle);
455 if (!NT_STATUS_IS_OK(status)) {
456 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
457 }
458
459 return NT_STATUS_OK;
460 }
461
462 /***************************************************************************
463 _lsa_OpenPolicy
464 ***************************************************************************/
465
466 NTSTATUS _lsa_OpenPolicy(struct pipes_struct *p,
467 struct lsa_OpenPolicy *r)
468 {
469 struct lsa_OpenPolicy2 o;
470
471 o.in.system_name = NULL; /* should be ignored */
472 o.in.attr = r->in.attr;
473 o.in.access_mask = r->in.access_mask;
474
475 o.out.handle = r->out.handle;
476
477 return _lsa_OpenPolicy2(p, &o);
478 }
479
480 /***************************************************************************
481 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
482 ufff, done :) mimir
483 ***************************************************************************/
484
485 NTSTATUS _lsa_EnumTrustDom(struct pipes_struct *p,
486 struct lsa_EnumTrustDom *r)
487 {
488 struct lsa_info *info;
489 uint32_t count;
490 struct trustdom_info **domains;
491 struct lsa_DomainInfo *entries;
492 int i;
493 NTSTATUS nt_status;
494
495 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
496 return NT_STATUS_INVALID_HANDLE;
497
498 if (info->type != LSA_HANDLE_POLICY_TYPE) {
499 return NT_STATUS_INVALID_HANDLE;
500 }
501
502 /* check if the user has enough rights */
503 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
504 return NT_STATUS_ACCESS_DENIED;
505
506 become_root();
507 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &count, &domains);
508 unbecome_root();
509
510 if (!NT_STATUS_IS_OK(nt_status)) {
511 return nt_status;
512 }
513
514 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo, count);
515 if (!entries) {
516 return NT_STATUS_NO_MEMORY;
517 }
518
519 for (i=0; i<count; i++) {
520 init_lsa_StringLarge(&entries[i].name, domains[i]->name);
521 entries[i].sid = &domains[i]->sid;
522 }
523
524 if (*r->in.resume_handle >= count) {
525 *r->out.resume_handle = -1;
526 TALLOC_FREE(entries);
527 return NT_STATUS_NO_MORE_ENTRIES;
528 }
529
530 /* return the rest, limit by max_size. Note that we
531 use the w2k3 element size value of 60 */
532 r->out.domains->count = count - *r->in.resume_handle;
533 r->out.domains->count = MIN(r->out.domains->count,
534 1+(r->in.max_size/LSA_ENUM_TRUST_DOMAIN_MULTIPLIER));
535
536 r->out.domains->domains = entries + *r->in.resume_handle;
537
538 if (r->out.domains->count < count - *r->in.resume_handle) {
539 *r->out.resume_handle = *r->in.resume_handle + r->out.domains->count;
540 return STATUS_MORE_ENTRIES;
541 }
542
543 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
544 * always be larger than the previous input resume handle, in
545 * particular when hitting the last query it is vital to set the
546 * resume handle correctly to avoid infinite client loops, as
547 * seen e.g. with Windows XP SP3 when resume handle is 0 and
548 * status is NT_STATUS_OK - gd */
549
550 *r->out.resume_handle = (uint32_t)-1;
551
552 return NT_STATUS_OK;
553 }
554
555 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
556 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
557 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
558
559 /***************************************************************************
560 _lsa_QueryInfoPolicy
561 ***************************************************************************/
562
563 NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
564 struct lsa_QueryInfoPolicy *r)
565 {
566 NTSTATUS status = NT_STATUS_OK;
567 struct lsa_info *handle;
568 struct dom_sid domain_sid;
569 const char *name;
570 struct dom_sid *sid = NULL;
571 union lsa_PolicyInformation *info = NULL;
572 uint32_t acc_required = 0;
573
574 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
575 return NT_STATUS_INVALID_HANDLE;
576
577 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
578 return NT_STATUS_INVALID_HANDLE;
579 }
580
581 switch (r->in.level) {
582 case LSA_POLICY_INFO_AUDIT_LOG:
583 case LSA_POLICY_INFO_AUDIT_EVENTS:
584 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
585 break;
586 case LSA_POLICY_INFO_DOMAIN:
587 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
588 break;
589 case LSA_POLICY_INFO_PD:
590 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
591 break;
592 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
593 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
594 break;
595 case LSA_POLICY_INFO_ROLE:
596 case LSA_POLICY_INFO_REPLICA:
597 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
598 break;
599 case LSA_POLICY_INFO_QUOTA:
600 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
601 break;
602 case LSA_POLICY_INFO_MOD:
603 case LSA_POLICY_INFO_AUDIT_FULL_SET:
604 /* according to MS-LSAD 3.1.4.4.3 */
605 return NT_STATUS_INVALID_PARAMETER;
606 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
607 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
608 break;
609 case LSA_POLICY_INFO_DNS:
610 case LSA_POLICY_INFO_DNS_INT:
611 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
612 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
613 break;
614 default:
615 break;
616 }
617
618 if (!(handle->access & acc_required)) {
619 /* return NT_STATUS_ACCESS_DENIED; */
620 }
621
622 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
623 if (!info) {
624 return NT_STATUS_NO_MEMORY;
625 }
626
627 switch (r->in.level) {
628 /* according to MS-LSAD 3.1.4.4.3 */
629 case LSA_POLICY_INFO_MOD:
630 case LSA_POLICY_INFO_AUDIT_FULL_SET:
631 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
632 return NT_STATUS_INVALID_PARAMETER;
633 case LSA_POLICY_INFO_AUDIT_LOG:
634 info->audit_log.percent_full = 0;
635 info->audit_log.maximum_log_size = 0;
636 info->audit_log.retention_time = 0;
637 info->audit_log.shutdown_in_progress = 0;
638 info->audit_log.time_to_shutdown = 0;
639 info->audit_log.next_audit_record = 0;
640 status = NT_STATUS_OK;
641 break;
642 case LSA_POLICY_INFO_PD:
643 info->pd.name.string = NULL;
644 status = NT_STATUS_OK;
645 break;
646 case LSA_POLICY_INFO_REPLICA:
647 info->replica.source.string = NULL;
648 info->replica.account.string = NULL;
649 status = NT_STATUS_OK;
650 break;
651 case LSA_POLICY_INFO_QUOTA:
652 info->quota.paged_pool = 0;
653 info->quota.non_paged_pool = 0;
654 info->quota.min_wss = 0;
655 info->quota.max_wss = 0;
656 info->quota.pagefile = 0;
657 info->quota.unknown = 0;
658 status = NT_STATUS_OK;
659 break;
660 case LSA_POLICY_INFO_AUDIT_EVENTS:
661 {
662
663 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
664
665 /* check if the user has enough rights */
666 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
667 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
668 return NT_STATUS_ACCESS_DENIED;
669 }
670
671 /* fake info: We audit everything. ;) */
672
673 info->audit_events.auditing_mode = true;
674 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
675 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
676 enum lsa_PolicyAuditPolicy,
677 info->audit_events.count);
678 if (!info->audit_events.settings) {
679 return NT_STATUS_NO_MEMORY;
680 }
681
682 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
683 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
684 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
685 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
686 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
687 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
688 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
689
690 break;
691 }
692 case LSA_POLICY_INFO_DOMAIN:
693 /* check if the user has enough rights */
694 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
695 return NT_STATUS_ACCESS_DENIED;
696
697 /* Request PolicyPrimaryDomainInformation. */
698 switch (lp_server_role()) {
699 case ROLE_DOMAIN_PDC:
700 case ROLE_DOMAIN_BDC:
701 name = get_global_sam_name();
702 sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
703 if (!sid) {
704 return NT_STATUS_NO_MEMORY;
705 }
706 break;
707 case ROLE_DOMAIN_MEMBER:
708 name = lp_workgroup();
709 /* We need to return the Domain SID here. */
710 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
711 sid = dom_sid_dup(p->mem_ctx, &domain_sid);
712 if (!sid) {
713 return NT_STATUS_NO_MEMORY;
714 }
715 } else {
716 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
717 }
718 break;
719 case ROLE_STANDALONE:
720 name = lp_workgroup();
721 sid = NULL;
722 break;
723 default:
724 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
725 }
726 init_dom_query_3(&info->domain, name, sid);
727 break;
728 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
729 /* check if the user has enough rights */
730 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
731 return NT_STATUS_ACCESS_DENIED;
732
733 /* Request PolicyAccountDomainInformation. */
734 name = get_global_sam_name();
735 sid = get_global_sam_sid();
736
737 init_dom_query_5(&info->account_domain, name, sid);
738 break;
739 case LSA_POLICY_INFO_ROLE:
740 /* check if the user has enough rights */
741 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
742 return NT_STATUS_ACCESS_DENIED;
743
744 switch (lp_server_role()) {
745 case ROLE_DOMAIN_BDC:
746 /*
747 * only a BDC is a backup controller
748 * of the domain, it controls.
749 */
750 info->role.role = LSA_ROLE_BACKUP;
751 break;
752 default:
753 /*
754 * any other role is a primary
755 * of the domain, it controls.
756 */
757 info->role.role = LSA_ROLE_PRIMARY;
758 break;
759 }
760 break;
761 case LSA_POLICY_INFO_DNS:
762 case LSA_POLICY_INFO_DNS_INT: {
763 struct pdb_domain_info *dominfo;
764
765 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
766 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
767 "without ADS passdb backend\n"));
768 status = NT_STATUS_INVALID_INFO_CLASS;
769 break;
770 }
771
772 dominfo = pdb_get_domain_info(info);
773 if (dominfo == NULL) {
774 status = NT_STATUS_NO_MEMORY;
775 break;
776 }
777
778 init_lsa_StringLarge(&info->dns.name,
779 dominfo->name);
780 init_lsa_StringLarge(&info->dns.dns_domain,
781 dominfo->dns_domain);
782 init_lsa_StringLarge(&info->dns.dns_forest,
783 dominfo->dns_forest);
784 info->dns.domain_guid = dominfo->guid;
785 info->dns.sid = &dominfo->sid;
786 break;
787 }
788 default:
789 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
790 r->in.level));
791 status = NT_STATUS_INVALID_INFO_CLASS;
792 break;
793 }
794
795 *r->out.info = info;
796
797 return status;
798 }
799
800 /***************************************************************************
801 _lsa_QueryInfoPolicy2
802 ***************************************************************************/
803
804 NTSTATUS _lsa_QueryInfoPolicy2(struct pipes_struct *p,
805 struct lsa_QueryInfoPolicy2 *r2)
806 {
807 struct lsa_QueryInfoPolicy r;
808
809 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
810 p->rng_fault_state = True;
811 return NT_STATUS_NOT_IMPLEMENTED;
812 }
813
814 ZERO_STRUCT(r);
815 r.in.handle = r2->in.handle;
816 r.in.level = r2->in.level;
817 r.out.info = r2->out.info;
818
819 return _lsa_QueryInfoPolicy(p, &r);
820 }
821
822 /***************************************************************************
823 _lsa_lookup_sids_internal
824 ***************************************************************************/
825
826 static NTSTATUS _lsa_lookup_sids_internal(struct pipes_struct *p,
827 TALLOC_CTX *mem_ctx,
828 uint16_t level, /* input */
829 int num_sids, /* input */
830 struct lsa_SidPtr *sid, /* input */
831 struct lsa_RefDomainList **pp_ref, /* input/output */
832 struct lsa_TranslatedName2 **pp_names,/* input/output */
833 uint32_t *pp_mapped_count) /* input/output */
834 {
835 NTSTATUS status;
836 int i;
837 const struct dom_sid **sids = NULL;
838 struct lsa_RefDomainList *ref = NULL;
839 uint32 mapped_count = 0;
840 struct lsa_dom_info *dom_infos = NULL;
841 struct lsa_name_info *name_infos = NULL;
842 struct lsa_TranslatedName2 *names = NULL;
843
844 *pp_mapped_count = 0;
845 *pp_names = NULL;
846 *pp_ref = NULL;
847
848 if (num_sids == 0) {
849 return NT_STATUS_OK;
850 }
851
852 sids = TALLOC_ARRAY(p->mem_ctx, const struct dom_sid *, num_sids);
853 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
854
855 if (sids == NULL || ref == NULL) {
856 return NT_STATUS_NO_MEMORY;
857 }
858
859 for (i=0; i<num_sids; i++) {
860 sids[i] = sid[i].sid;
861 }
862
863 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
864 &dom_infos, &name_infos);
865
866 if (!NT_STATUS_IS_OK(status)) {
867 return status;
868 }
869
870 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
871 if (names == NULL) {
872 return NT_STATUS_NO_MEMORY;
873 }
874
875 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
876
877 if (!dom_infos[i].valid) {
878 break;
879 }
880
881 if (init_lsa_ref_domain_list(mem_ctx, ref,
882 dom_infos[i].name,
883 &dom_infos[i].sid) != i) {
884 DEBUG(0, ("Domain %s mentioned twice??\n",
885 dom_infos[i].name));
886 return NT_STATUS_INTERNAL_ERROR;
887 }
888 }
889
890 for (i=0; i<num_sids; i++) {
891 struct lsa_name_info *name = &name_infos[i];
892
893 if (name->type == SID_NAME_UNKNOWN) {
894 fstring tmp;
895 name->dom_idx = -1;
896 /* Unknown sids should return the string
897 * representation of the SID. Windows 2003 behaves
898 * rather erratic here, in many cases it returns the
899 * RID as 8 bytes hex, in others it returns the full
900 * SID. We (Jerry/VL) could not figure out which the
901 * hard cases are, so leave it with the SID. */
902 name->name = talloc_asprintf(p->mem_ctx, "%s",
903 sid_to_fstring(tmp,
904 sids[i]));
905 if (name->name == NULL) {
906 return NT_STATUS_NO_MEMORY;
907 }
908 } else {
909 mapped_count += 1;
910 }
911
912 names[i].sid_type = name->type;
913 names[i].name.string = name->name;
914 names[i].sid_index = name->dom_idx;
915 names[i].unknown = 0;
916 }
917
918 status = NT_STATUS_NONE_MAPPED;
919 if (mapped_count > 0) {
920 status = (mapped_count < num_sids) ?
921 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
922 }
923
924 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
925 num_sids, mapped_count, nt_errstr(status)));
926
927 *pp_mapped_count = mapped_count;
928 *pp_names = names;
929 *pp_ref = ref;
930
931 return status;
932 }
933
934 /***************************************************************************
935 _lsa_LookupSids
936 ***************************************************************************/
937
938 NTSTATUS _lsa_LookupSids(struct pipes_struct *p,
939 struct lsa_LookupSids *r)
940 {
941 NTSTATUS status;
942 struct lsa_info *handle;
943 int num_sids = r->in.sids->num_sids;
944 uint32 mapped_count = 0;
945 struct lsa_RefDomainList *domains = NULL;
946 struct lsa_TranslatedName *names_out = NULL;
947 struct lsa_TranslatedName2 *names = NULL;
948 int i;
949
950 if ((r->in.level < 1) || (r->in.level > 6)) {
951 return NT_STATUS_INVALID_PARAMETER;
952 }
953
954 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
955 return NT_STATUS_INVALID_HANDLE;
956 }
957
958 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
959 return NT_STATUS_INVALID_HANDLE;
960 }
961
962 /* check if the user has enough rights */
963 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
964 return NT_STATUS_ACCESS_DENIED;
965 }
966
967 if (num_sids > MAX_LOOKUP_SIDS) {
968 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
969 MAX_LOOKUP_SIDS, num_sids));
970 return NT_STATUS_NONE_MAPPED;
971 }
972
973 status = _lsa_lookup_sids_internal(p,
974 p->mem_ctx,
975 r->in.level,
976 num_sids,
977 r->in.sids->sids,
978 &domains,
979 &names,
980 &mapped_count);
981
982 /* Only return here when there is a real error.
983 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
984 the requested sids could be resolved. Older versions of XP (pre SP3)
985 rely that we return with the string representations of those SIDs in
986 that case. If we don't, XP crashes - Guenther
987 */
988
989 if (NT_STATUS_IS_ERR(status) &&
990 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
991 return status;
992 }
993
994 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
995 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
996 num_sids);
997 if (!names_out) {
998 return NT_STATUS_NO_MEMORY;
999 }
1000
1001 for (i=0; i<num_sids; i++) {
1002 names_out[i].sid_type = names[i].sid_type;
1003 names_out[i].name = names[i].name;
1004 names_out[i].sid_index = names[i].sid_index;
1005 }
1006
1007 *r->out.domains = domains;
1008 r->out.names->count = num_sids;
1009 r->out.names->names = names_out;
1010 *r->out.count = mapped_count;
1011
1012 return status;
1013 }
1014
1015 /***************************************************************************
1016 _lsa_LookupSids2
1017 ***************************************************************************/
1018
1019 NTSTATUS _lsa_LookupSids2(struct pipes_struct *p,
1020 struct lsa_LookupSids2 *r)
1021 {
1022 NTSTATUS status;
1023 struct lsa_info *handle;
1024 int num_sids = r->in.sids->num_sids;
1025 uint32 mapped_count = 0;
1026 struct lsa_RefDomainList *domains = NULL;
1027 struct lsa_TranslatedName2 *names = NULL;
1028 bool check_policy = true;
1029
1030 switch (p->opnum) {
1031 case NDR_LSA_LOOKUPSIDS3:
1032 check_policy = false;
1033 break;
1034 case NDR_LSA_LOOKUPSIDS2:
1035 default:
1036 check_policy = true;
1037 }
1038
1039 if ((r->in.level < 1) || (r->in.level > 6)) {
1040 return NT_STATUS_INVALID_PARAMETER;
1041 }
1042
1043 if (check_policy) {
1044 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1045 return NT_STATUS_INVALID_HANDLE;
1046 }
1047
1048 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1049 return NT_STATUS_INVALID_HANDLE;
1050 }
1051
1052 /* check if the user has enough rights */
1053 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1054 return NT_STATUS_ACCESS_DENIED;
1055 }
1056 }
1057
1058 if (num_sids > MAX_LOOKUP_SIDS) {
1059 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
1060 MAX_LOOKUP_SIDS, num_sids));
1061 return NT_STATUS_NONE_MAPPED;
1062 }
1063
1064 status = _lsa_lookup_sids_internal(p,
1065 p->mem_ctx,
1066 r->in.level,
1067 num_sids,
1068 r->in.sids->sids,
1069 &domains,
1070 &names,
1071 &mapped_count);
1072
1073 *r->out.domains = domains;
1074 r->out.names->count = num_sids;
1075 r->out.names->names = names;
1076 *r->out.count = mapped_count;
1077
1078 return status;
1079 }
1080
1081 /***************************************************************************
1082 _lsa_LookupSids3
1083 ***************************************************************************/
1084
1085 NTSTATUS _lsa_LookupSids3(struct pipes_struct *p,
1086 struct lsa_LookupSids3 *r)
1087 {
1088 struct lsa_LookupSids2 q;
1089
1090 /* No policy handle on this call. Restrict to crypto connections. */
1091 if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1092 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
1093 get_remote_machine_name() ));
1094 return NT_STATUS_INVALID_PARAMETER;
1095 }
1096
1097 q.in.handle = NULL;
1098 q.in.sids = r->in.sids;
1099 q.in.level = r->in.level;
1100 q.in.lookup_options = r->in.lookup_options;
1101 q.in.client_revision = r->in.client_revision;
1102 q.in.names = r->in.names;
1103 q.in.count = r->in.count;
1104
1105 q.out.domains = r->out.domains;
1106 q.out.names = r->out.names;
1107 q.out.count = r->out.count;
1108
1109 return _lsa_LookupSids2(p, &q);
1110 }
1111
1112 /***************************************************************************
1113 ***************************************************************************/
1114
1115 static int lsa_lookup_level_to_flags(enum lsa_LookupNamesLevel level)
1116 {
1117 int flags;
1118
1119 switch (level) {
1120 case LSA_LOOKUP_NAMES_ALL: /* 1 */
1121 flags = LOOKUP_NAME_ALL;
1122 break;
1123 case LSA_LOOKUP_NAMES_DOMAINS_ONLY: /* 2 */
1124 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1125 break;
1126 case LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY: /* 3 */
1127 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1128 break;
1129 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY: /* 4 */
1130 case LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY: /* 5 */
1131 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2: /* 6 */
1132 case LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC: /* 7 */
1133 default:
1134 flags = LOOKUP_NAME_NONE;
1135 break;
1136 }
1137
1138 return flags;
1139 }
1140
1141 /***************************************************************************
1142 _lsa_LookupNames
1143 ***************************************************************************/
1144
1145 NTSTATUS _lsa_LookupNames(struct pipes_struct *p,
1146 struct lsa_LookupNames *r)
1147 {
1148 NTSTATUS status = NT_STATUS_NONE_MAPPED;
1149 struct lsa_info *handle;
1150 struct lsa_String *names = r->in.names;
1151 uint32 num_entries = r->in.num_names;
1152 struct lsa_RefDomainList *domains = NULL;
1153 struct lsa_TranslatedSid *rids = NULL;
1154 uint32 mapped_count = 0;
1155 int flags = 0;
1156
1157 if (num_entries > MAX_LOOKUP_SIDS) {
1158 num_entries = MAX_LOOKUP_SIDS;
1159 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1160 num_entries));
1161 }
1162
1163 flags = lsa_lookup_level_to_flags(r->in.level);
1164
1165 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1166 if (!domains) {
1167 return NT_STATUS_NO_MEMORY;
1168 }
1169
1170 if (num_entries) {
1171 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1172 num_entries);
1173 if (!rids) {
1174 return NT_STATUS_NO_MEMORY;
1175 }
1176 } else {
1177 rids = NULL;
1178 }
1179
1180 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1181 status = NT_STATUS_INVALID_HANDLE;
1182 goto done;
1183 }
1184
1185 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1186 return NT_STATUS_INVALID_HANDLE;
1187 }
1188
1189 /* check if the user has enough rights */
1190 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1191 status = NT_STATUS_ACCESS_DENIED;
1192 goto done;
1193 }
1194
1195 /* set up the LSA Lookup RIDs response */
1196 become_root(); /* lookup_name can require root privs */
1197 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1198 names, flags, &mapped_count);
1199 unbecome_root();
1200
1201 done:
1202
1203 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1204 if (mapped_count == 0) {
1205 status = NT_STATUS_NONE_MAPPED;
1206 } else if (mapped_count != num_entries) {
1207 status = STATUS_SOME_UNMAPPED;
1208 }
1209 }
1210
1211 *r->out.count = mapped_count;
1212 *r->out.domains = domains;
1213 r->out.sids->sids = rids;
1214 r->out.sids->count = num_entries;
1215
1216 return status;
1217 }
1218
1219 /***************************************************************************
1220 _lsa_LookupNames2
1221 ***************************************************************************/
1222
1223 NTSTATUS _lsa_LookupNames2(struct pipes_struct *p,
1224 struct lsa_LookupNames2 *r)
1225 {
1226 NTSTATUS status;
1227 struct lsa_LookupNames q;
1228 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1229 struct lsa_TransSidArray *sid_array = NULL;
1230 uint32_t i;
1231
1232 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1233 if (!sid_array) {
1234 return NT_STATUS_NO_MEMORY;
1235 }
1236
1237 q.in.handle = r->in.handle;
1238 q.in.num_names = r->in.num_names;
1239 q.in.names = r->in.names;
1240 q.in.level = r->in.level;
1241 q.in.sids = sid_array;
1242 q.in.count = r->in.count;
1243 /* we do not know what this is for */
1244 /* = r->in.unknown1; */
1245 /* = r->in.unknown2; */
1246
1247 q.out.domains = r->out.domains;
1248 q.out.sids = sid_array;
1249 q.out.count = r->out.count;
1250
1251 status = _lsa_LookupNames(p, &q);
1252
1253 sid_array2->count = sid_array->count;
1254 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1255 if (!sid_array2->sids) {
1256 return NT_STATUS_NO_MEMORY;
1257 }
1258
1259 for (i=0; i<sid_array->count; i++) {
1260 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1261 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1262 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1263 sid_array2->sids[i].unknown = 0;
1264 }
1265
1266 r->out.sids = sid_array2;
1267
1268 return status;
1269 }
1270
1271 /***************************************************************************
1272 _lsa_LookupNames3
1273 ***************************************************************************/
1274
1275 NTSTATUS _lsa_LookupNames3(struct pipes_struct *p,
1276 struct lsa_LookupNames3 *r)
1277 {
1278 NTSTATUS status;
1279 struct lsa_info *handle;
1280 struct lsa_String *names = r->in.names;
1281 uint32 num_entries = r->in.num_names;
1282 struct lsa_RefDomainList *domains = NULL;
1283 struct lsa_TranslatedSid3 *trans_sids = NULL;
1284 uint32 mapped_count = 0;
1285 int flags = 0;
1286 bool check_policy = true;
1287
1288 switch (p->opnum) {
1289 case NDR_LSA_LOOKUPNAMES4:
1290 check_policy = false;
1291 break;
1292 case NDR_LSA_LOOKUPNAMES3:
1293 default:
1294 check_policy = true;
1295 }
1296
1297 if (num_entries > MAX_LOOKUP_SIDS) {
1298 num_entries = MAX_LOOKUP_SIDS;
1299 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1300 }
1301
1302 /* Probably the lookup_level is some sort of bitmask. */
1303 if (r->in.level == 1) {
1304 flags = LOOKUP_NAME_ALL;
1305 }
1306
1307 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1308 if (!domains) {
1309 return NT_STATUS_NO_MEMORY;
1310 }
1311
1312 if (num_entries) {
1313 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1314 num_entries);
1315 if (!trans_sids) {
1316 return NT_STATUS_NO_MEMORY;
1317 }
1318 } else {
1319 trans_sids = NULL;
1320 }
1321
1322 if (check_policy) {
1323
1324 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1325 status = NT_STATUS_INVALID_HANDLE;
1326 goto done;
1327 }
1328
1329 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1330 return NT_STATUS_INVALID_HANDLE;
1331 }
1332
1333 /* check if the user has enough rights */
1334 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1335 status = NT_STATUS_ACCESS_DENIED;
1336 goto done;
1337 }
1338 }
1339
1340 /* set up the LSA Lookup SIDs response */
1341 become_root(); /* lookup_name can require root privs */
1342 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1343 names, flags, &mapped_count);
1344 unbecome_root();
1345
1346 done:
1347
1348 if (NT_STATUS_IS_OK(status)) {
1349 if (mapped_count == 0) {
1350 status = NT_STATUS_NONE_MAPPED;
1351 } else if (mapped_count != num_entries) {
1352 status = STATUS_SOME_UNMAPPED;
1353 }
1354 }
1355
1356 *r->out.count = mapped_count;
1357 *r->out.domains = domains;
1358 r->out.sids->sids = trans_sids;
1359 r->out.sids->count = num_entries;
1360
1361 return status;
1362 }
1363
1364 /***************************************************************************
1365 _lsa_LookupNames4
1366 ***************************************************************************/
1367
1368 NTSTATUS _lsa_LookupNames4(struct pipes_struct *p,
1369 struct lsa_LookupNames4 *r)
1370 {
1371 struct lsa_LookupNames3 q;
1372
1373 /* No policy handle on this call. Restrict to crypto connections. */
1374 if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1375 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1376 get_remote_machine_name() ));
1377 return NT_STATUS_INVALID_PARAMETER;
1378 }
1379
1380 q.in.handle = NULL;
1381 q.in.num_names = r->in.num_names;
1382 q.in.names = r->in.names;
1383 q.in.level = r->in.level;
1384 q.in.lookup_options = r->in.lookup_options;
1385 q.in.client_revision = r->in.client_revision;
1386 q.in.sids = r->in.sids;
1387 q.in.count = r->in.count;
1388
1389 q.out.domains = r->out.domains;
1390 q.out.sids = r->out.sids;
1391 q.out.count = r->out.count;
1392
1393 return _lsa_LookupNames3(p, &q);
1394 }
1395
1396 /***************************************************************************
1397 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1398 ***************************************************************************/
1399
1400 NTSTATUS _lsa_Close(struct pipes_struct *p, struct lsa_Close *r)
1401 {
1402 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1403 return NT_STATUS_INVALID_HANDLE;
1404 }
1405
1406 close_policy_hnd(p, r->in.handle);
1407 ZERO_STRUCTP(r->out.handle);
1408 return NT_STATUS_OK;
1409 }
1410
1411 /***************************************************************************
1412 ***************************************************************************/
1413
1414 static NTSTATUS lsa_lookup_trusted_domain_by_sid(TALLOC_CTX *mem_ctx,
1415 const struct dom_sid *sid,
1416 struct trustdom_info **info)
1417 {
1418 NTSTATUS status;
1419 uint32_t num_domains = 0;
1420 struct trustdom_info **domains = NULL;
1421 int i;
1422
1423 status = pdb_enum_trusteddoms(mem_ctx, &num_domains, &domains);
1424 if (!NT_STATUS_IS_OK(status)) {
1425 return status;
1426 }
1427
1428 for (i=0; i < num_domains; i++) {
1429 if (dom_sid_equal(&domains[i]->sid, sid)) {
1430 break;
1431 }
1432 }
1433
1434 if (i == num_domains) {
1435 return NT_STATUS_INVALID_PARAMETER;
1436 }
1437
1438 *info = domains[i];
1439
1440 return NT_STATUS_OK;
1441 }
1442
1443 /***************************************************************************
1444 ***************************************************************************/
1445
1446 static NTSTATUS lsa_lookup_trusted_domain_by_name(TALLOC_CTX *mem_ctx,
1447 const char *netbios_domain_name,
1448 struct trustdom_info **info_p)
1449 {
1450 NTSTATUS status;
1451 struct trustdom_info *info;
1452 struct pdb_trusted_domain *td;
1453
1454 status = pdb_get_trusted_domain(mem_ctx, netbios_domain_name, &td);
1455 if (!NT_STATUS_IS_OK(status)) {
1456 return status;
1457 }
1458
1459 info = talloc(mem_ctx, struct trustdom_info);
1460 if (!info) {
1461 return NT_STATUS_NO_MEMORY;
1462 }
1463
1464 info->name = talloc_strdup(info, netbios_domain_name);
1465 NT_STATUS_HAVE_NO_MEMORY(info->name);
1466
1467 sid_copy(&info->sid, &td->security_identifier);
1468
1469 *info_p = info;
1470
1471 return NT_STATUS_OK;
1472 }
1473
1474 /***************************************************************************
1475 ***************************************************************************/
1476
1477 NTSTATUS _lsa_OpenSecret(struct pipes_struct *p, struct lsa_OpenSecret *r)
1478 {
1479 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1480 }
1481
1482 /***************************************************************************
1483 ***************************************************************************/
1484
1485 NTSTATUS _lsa_OpenTrustedDomain(struct pipes_struct *p,
1486 struct lsa_OpenTrustedDomain *r)
1487 {
1488 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1489 }
1490
1491 /***************************************************************************
1492 _lsa_CreateTrustedDomainEx2
1493 ***************************************************************************/
1494
1495 NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
1496 struct lsa_CreateTrustedDomainEx2 *r)
1497 {
1498 struct lsa_info *policy;
1499 NTSTATUS status;
1500 uint32_t acc_granted;
1501 struct security_descriptor *psd;
1502 size_t sd_size;
1503 struct pdb_trusted_domain td;
1504
1505 if (!IS_DC) {
1506 return NT_STATUS_NOT_SUPPORTED;
1507 }
1508
1509 if (!find_policy_by_hnd(p, r->in.policy_handle, (void **)(void *)&policy)) {
1510 return NT_STATUS_INVALID_HANDLE;
1511 }
1512
1513 if (!(policy->access & LSA_POLICY_TRUST_ADMIN)) {
1514 return NT_STATUS_ACCESS_DENIED;
1515 }
1516
1517 if (p->server_info->utok.uid != sec_initial_uid() &&
1518 !nt_token_check_domain_rid(p->server_info->security_token, DOMAIN_RID_ADMINS)) {
1519 return NT_STATUS_ACCESS_DENIED;
1520 }
1521
1522 /* Work out max allowed. */
1523 map_max_allowed_access(p->server_info->security_token,
1524 &p->server_info->utok,
1525 &r->in.access_mask);
1526
1527 /* map the generic bits to the lsa policy ones */
1528 se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1529
1530 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1531 &lsa_trusted_domain_mapping,
1532 NULL, 0);
1533 if (!NT_STATUS_IS_OK(status)) {
1534 return status;
1535 }
1536
1537 status = access_check_object(psd, p->server_info->security_token,
1538 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
1539 r->in.access_mask, &acc_granted,
1540 "_lsa_CreateTrustedDomainEx2");
1541 if (!NT_STATUS_IS_OK(status)) {
1542 return status;
1543 }
1544
1545 ZERO_STRUCT(td);
1546
1547 td.domain_name = r->in.info->domain_name.string;
1548 td.netbios_name = r->in.info->netbios_name.string;
1549 sid_copy(&td.security_identifier, r->in.info->sid);
1550 td.trust_auth_incoming.data = NULL;
1551 td.trust_auth_incoming.length = 0;
1552 td.trust_auth_outgoing.data = NULL;
1553 td.trust_auth_outgoing.length = 0;
1554 td.trust_direction = r->in.info->trust_direction;
1555 td.trust_type = r->in.info->trust_type;
1556 td.trust_attributes = r->in.info->trust_attributes;
1557
1558 status = pdb_set_trusted_domain(r->in.info->domain_name.string, &td);
1559 if (!NT_STATUS_IS_OK(status)) {
1560 return status;
1561 }
1562
1563 status = create_lsa_policy_handle(p->mem_ctx, p,
1564 LSA_HANDLE_TRUST_TYPE,
1565 acc_granted,
1566 r->in.info->sid,
1567 r->in.info->netbios_name.string,
1568 psd,
1569 r->out.trustdom_handle);
1570 if (!NT_STATUS_IS_OK(status)) {
1571 pdb_del_trusteddom_pw(r->in.info->netbios_name.string);
1572 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1573 }
1574
1575 return NT_STATUS_OK;
1576 }
1577
1578 /***************************************************************************
1579 _lsa_CreateTrustedDomainEx
1580 ***************************************************************************/
1581
1582 NTSTATUS _lsa_CreateTrustedDomainEx(struct pipes_struct *p,
1583 struct lsa_CreateTrustedDomainEx *r)
1584 {
1585 struct lsa_CreateTrustedDomainEx2 q;
1586
1587 q.in.policy_handle = r->in.policy_handle;
1588 q.in.info = r->in.info;
1589 q.in.auth_info = r->in.auth_info;
1590 q.in.access_mask = r->in.access_mask;
1591 q.out.trustdom_handle = r->out.trustdom_handle;
1592
1593 return _lsa_CreateTrustedDomainEx2(p, &q);
1594 }
1595
1596 /***************************************************************************
1597 _lsa_CreateTrustedDomain
1598 ***************************************************************************/
1599
1600 NTSTATUS _lsa_CreateTrustedDomain(struct pipes_struct *p,
1601 struct lsa_CreateTrustedDomain *r)
1602 {
1603 struct lsa_CreateTrustedDomainEx2 c;
1604 struct lsa_TrustDomainInfoInfoEx info;
1605 struct lsa_TrustDomainInfoAuthInfoInternal auth_info;
1606
1607 ZERO_STRUCT(auth_info);
1608
1609 info.domain_name = r->in.info->name;
1610 info.netbios_name = r->in.info->name;
1611 info.sid = r->in.info->sid;
1612 info.trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
1613 info.trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
1614 info.trust_attributes = 0;
1615
1616 c.in.policy_handle = r->in.policy_handle;
1617 c.in.info = &info;
1618 c.in.auth_info = &auth_info;
1619 c.in.access_mask = r->in.access_mask;
1620 c.out.trustdom_handle = r->out.trustdom_handle;
1621
1622 return _lsa_CreateTrustedDomainEx2(p, &c);
1623 }
1624
1625 /***************************************************************************
1626 _lsa_DeleteTrustedDomain
1627 ***************************************************************************/
1628
1629 NTSTATUS _lsa_DeleteTrustedDomain(struct pipes_struct *p,
1630 struct lsa_DeleteTrustedDomain *r)
1631 {
1632 NTSTATUS status;
1633 struct lsa_info *handle;
1634 struct trustdom_info *info;
1635
1636 /* find the connection policy handle. */
1637 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1638 return NT_STATUS_INVALID_HANDLE;
1639 }
1640
1641 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1642 return NT_STATUS_INVALID_HANDLE;
1643 }
1644
1645 if (!(handle->access & LSA_POLICY_TRUST_ADMIN)) {
1646 return NT_STATUS_ACCESS_DENIED;
1647 }
1648
1649 status = lsa_lookup_trusted_domain_by_sid(p->mem_ctx,
1650 r->in.dom_sid,
1651 &info);
1652 if (!NT_STATUS_IS_OK(status)) {
1653 return status;
1654 }
1655
1656 status = pdb_del_trusted_domain(info->name);
1657 if (!NT_STATUS_IS_OK(status)) {
1658 return status;
1659 }
1660
1661 return NT_STATUS_OK;
1662 }
1663
1664 /***************************************************************************
1665 _lsa_CloseTrustedDomainEx
1666 ***************************************************************************/
1667
1668 NTSTATUS _lsa_CloseTrustedDomainEx(struct pipes_struct *p,
1669 struct lsa_CloseTrustedDomainEx *r)
1670 {
1671 return NT_STATUS_NOT_IMPLEMENTED;
1672 }
1673
1674 /***************************************************************************
1675 _lsa_QueryTrustedDomainInfo
1676 ***************************************************************************/
1677
1678 NTSTATUS _lsa_QueryTrustedDomainInfo(struct pipes_struct *p,
1679 struct lsa_QueryTrustedDomainInfo *r)
1680 {
1681 NTSTATUS status;
1682 struct lsa_info *handle;
1683 union lsa_TrustedDomainInfo *info;
1684 struct trustdom_info *trust_info;
1685 uint32_t acc_required;
1686
1687 /* find the connection policy handle. */
1688 if (!find_policy_by_hnd(p, r->in.trustdom_handle, (void **)(void *)&handle)) {
1689 return NT_STATUS_INVALID_HANDLE;
1690 }
1691
1692 if (handle->type != LSA_HANDLE_TRUST_TYPE) {
1693 return NT_STATUS_INVALID_HANDLE;
1694 }
1695
1696 switch (r->in.level) {
1697 case LSA_TRUSTED_DOMAIN_INFO_NAME:
1698 acc_required = LSA_TRUSTED_QUERY_DOMAIN_NAME;
1699 break;
1700 case LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS:
1701 acc_required = LSA_TRUSTED_QUERY_CONTROLLERS;
1702 break;
1703 case LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET:
1704 acc_required = LSA_TRUSTED_QUERY_POSIX;
1705 break;
1706 case LSA_TRUSTED_DOMAIN_INFO_PASSWORD:
1707 acc_required = LSA_TRUSTED_QUERY_AUTH;
1708 break;
1709 case LSA_TRUSTED_DOMAIN_INFO_BASIC:
1710 acc_required = LSA_TRUSTED_QUERY_DOMAIN_NAME;
1711 break;
1712 case LSA_TRUSTED_DOMAIN_INFO_INFO_EX:
1713 acc_required = LSA_TRUSTED_QUERY_DOMAIN_NAME;
1714 break;
1715 case LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO:
1716 acc_required = LSA_TRUSTED_QUERY_AUTH;
1717 break;
1718 case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO:
1719 acc_required = LSA_TRUSTED_QUERY_DOMAIN_NAME |
1720 LSA_TRUSTED_QUERY_POSIX |
1721 LSA_TRUSTED_QUERY_AUTH;
1722 break;
1723 case LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO_INTERNAL:
1724 acc_required = LSA_TRUSTED_QUERY_AUTH;
1725 break;
1726 case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_INTERNAL:
1727 acc_required = LSA_TRUSTED_QUERY_DOMAIN_NAME |
1728 LSA_TRUSTED_QUERY_POSIX |
1729 LSA_TRUSTED_QUERY_AUTH;
1730 break;
1731 case LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL:
1732 acc_required = LSA_TRUSTED_QUERY_DOMAIN_NAME;
1733 break;
1734 case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL:
1735 acc_required = LSA_TRUSTED_QUERY_DOMAIN_NAME |
1736 LSA_TRUSTED_QUERY_POSIX |
1737 LSA_TRUSTED_QUERY_AUTH;
1738 break;
1739 case LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES:
1740 acc_required = LSA_TRUSTED_QUERY_POSIX;
1741 break;
1742 default:
1743 return NT_STATUS_INVALID_PARAMETER;
1744 }
1745
1746 if (!(handle->access & acc_required)) {
1747 return NT_STATUS_ACCESS_DENIED;
1748 }
1749
1750 status = lsa_lookup_trusted_domain_by_sid(p->mem_ctx,
1751 &handle->sid,
1752 &trust_info);
1753 if (!NT_STATUS_IS_OK(status)) {
1754 return status;
1755 }
1756
1757 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_TrustedDomainInfo);
1758 if (!info) {
1759 return NT_STATUS_NO_MEMORY;
1760 }
1761
1762 switch (r->in.level) {
1763 case LSA_TRUSTED_DOMAIN_INFO_NAME:
1764 init_lsa_StringLarge(&info->name.netbios_name, trust_info->name);
1765 break;
1766 case LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS:
1767 return NT_STATUS_INVALID_PARAMETER;
1768 case LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET:
1769 break;
1770 case LSA_TRUSTED_DOMAIN_INFO_PASSWORD:
1771 return NT_STATUS_INVALID_INFO_CLASS;
1772 case LSA_TRUSTED_DOMAIN_INFO_BASIC:
1773 init_lsa_String(&info->info_basic.netbios_name, trust_info->name);
1774 info->info_basic.sid = dom_sid_dup(info, &trust_info->sid);
1775 if (!info->info_basic.sid) {
1776 return NT_STATUS_NO_MEMORY;
1777 }
1778 break;
1779 case LSA_TRUSTED_DOMAIN_INFO_INFO_EX:
1780 init_lsa_StringLarge(&info->info_ex.domain_name, trust_info->name);
1781 init_lsa_StringLarge(&info->info_ex.netbios_name, trust_info->name);
1782 info->info_ex.sid = dom_sid_dup(info, &trust_info->sid);
1783 if (!info->info_ex.sid) {
1784 return NT_STATUS_NO_MEMORY;
1785 }
1786 info->info_ex.trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
1787 info->info_ex.trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
1788 info->info_ex.trust_attributes = 0;
1789 break;
1790 case LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO:
1791 return NT_STATUS_INVALID_INFO_CLASS;
1792 case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO:
1793 break;
1794 case LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO_INTERNAL:
1795 return NT_STATUS_INVALID_INFO_CLASS;
1796 case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_INTERNAL:
1797 return NT_STATUS_INVALID_INFO_CLASS;
1798 case LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL:
1799 return NT_STATUS_INVALID_PARAMETER;
1800 case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL:
1801 break;
1802 case LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES:
1803 break;
1804 default:
1805 return NT_STATUS_INVALID_PARAMETER;
1806 }
1807
1808 *r->out.info = info;
1809
1810 return NT_STATUS_OK;
1811 }
1812
1813 /***************************************************************************
1814 _lsa_QueryTrustedDomainInfoBySid
1815 ***************************************************************************/
1816
1817 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(struct pipes_struct *p,
1818 struct lsa_QueryTrustedDomainInfoBySid *r)
1819 {
1820 NTSTATUS status;
1821 struct policy_handle trustdom_handle;
1822 struct lsa_OpenTrustedDomain o;
1823 struct lsa_QueryTrustedDomainInfo q;
1824 struct lsa_Close c;
1825
1826 o.in.handle = r->in.handle;
1827 o.in.sid = r->in.dom_sid;
1828 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1829 o.out.trustdom_handle = &trustdom_handle;
1830
1831 status = _lsa_OpenTrustedDomain(p, &o);
1832 if (!NT_STATUS_IS_OK(status)) {
1833 return status;
1834 }
1835
1836 q.in.trustdom_handle = &trustdom_handle;
1837 q.in.level = r->in.level;
1838 q.out.info = r->out.info;
1839
1840 status = _lsa_QueryTrustedDomainInfo(p, &q);
1841 if (!NT_STATUS_IS_OK(status)) {
1842 return status;
1843 }
1844
1845 c.in.handle = &trustdom_handle;
1846 c.out.handle = &trustdom_handle;
1847
1848 return _lsa_Close(p, &c);
1849 }
1850
1851 /***************************************************************************
1852 _lsa_QueryTrustedDomainInfoByName
1853 ***************************************************************************/
1854
1855 NTSTATUS _lsa_QueryTrustedDomainInfoByName(struct pipes_struct *p,
1856 struct lsa_QueryTrustedDomainInfoByName *r)
1857 {
1858 NTSTATUS status;
1859 struct policy_handle trustdom_handle;
1860 struct lsa_OpenTrustedDomainByName o;
1861 struct lsa_QueryTrustedDomainInfo q;
1862 struct lsa_Close c;
1863
1864 o.in.handle = r->in.handle;
1865 o.in.name.string = r->in.trusted_domain->string;
1866 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1867 o.out.trustdom_handle = &trustdom_handle;
1868
1869 status = _lsa_OpenTrustedDomainByName(p, &o);
1870 if (!NT_STATUS_IS_OK(status)) {
1871 return status;
1872 }
1873
1874 q.in.trustdom_handle = &trustdom_handle;
1875 q.in.level = r->in.level;
1876 q.out.info = r->out.info;
1877
1878 status = _lsa_QueryTrustedDomainInfo(p, &q);
1879 if (!NT_STATUS_IS_OK(status)) {
1880 return status;
1881 }
1882
1883 c.in.handle = &trustdom_handle;
1884 c.out.handle = &trustdom_handle;
1885
1886 return _lsa_Close(p, &c);
1887 }
1888
1889 /***************************************************************************
1890 ***************************************************************************/
1891
1892 NTSTATUS _lsa_CreateSecret(struct pipes_struct *p, struct lsa_CreateSecret *r)
1893 {
1894 return NT_STATUS_ACCESS_DENIED;
1895 }
1896
1897 /***************************************************************************
1898 ***************************************************************************/
1899
1900 NTSTATUS _lsa_SetSecret(struct pipes_struct *p, struct lsa_SetSecret *r)
1901 {
1902 return NT_STATUS_ACCESS_DENIED;
1903 }
1904
1905 /***************************************************************************
1906 _lsa_DeleteObject
1907 ***************************************************************************/
1908
1909 NTSTATUS _lsa_DeleteObject(struct pipes_struct *p,
1910 struct lsa_DeleteObject *r)
1911 {
1912 NTSTATUS status;
1913 struct lsa_info *info = NULL;
1914
1915 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1916 return NT_STATUS_INVALID_HANDLE;
1917 }
1918
1919 if (!(info->access & SEC_STD_DELETE)) {
1920 return NT_STATUS_ACCESS_DENIED;
1921 }
1922
1923 switch (info->type) {
1924 case LSA_HANDLE_ACCOUNT_TYPE:
1925 status = privilege_delete_account(&info->sid);
1926 if (!NT_STATUS_IS_OK(status)) {
1927 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1928 nt_errstr(status)));
1929 return status;
1930 }
1931 break;
1932 default:
1933 return NT_STATUS_INVALID_HANDLE;
1934 }
1935
1936 close_policy_hnd(p, r->in.handle);
1937 ZERO_STRUCTP(r->out.handle);
1938
1939 return status;
1940 }
1941
1942 /***************************************************************************
1943 _lsa_EnumPrivs
1944 ***************************************************************************/
1945
1946 NTSTATUS _lsa_EnumPrivs(struct pipes_struct *p,
1947 struct lsa_EnumPrivs *r)
1948 {
1949 struct lsa_info *handle;
1950 uint32 i;
1951 uint32 enum_context = *r->in.resume_handle;
1952 int num_privs = num_privileges_in_short_list();
1953 struct lsa_PrivEntry *entries = NULL;
1954
1955 /* remember that the enum_context starts at 0 and not 1 */
1956
1957 if ( enum_context >= num_privs )
1958 return NT_STATUS_NO_MORE_ENTRIES;
1959
1960 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1961 enum_context, num_privs));
1962
1963 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1964 return NT_STATUS_INVALID_HANDLE;
1965
1966 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1967 return NT_STATUS_INVALID_HANDLE;
1968 }
1969
1970 /* check if the user has enough rights
1971 I don't know if it's the right one. not documented. */
1972
1973 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1974 return NT_STATUS_ACCESS_DENIED;
1975
1976 if (num_privs) {
1977 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1978 if (!entries) {
1979 return NT_STATUS_NO_MEMORY;
1980 }
1981 } else {
1982 entries = NULL;
1983 }
1984
1985 for (i = 0; i < num_privs; i++) {
1986 if( i < enum_context) {
1987
1988 init_lsa_StringLarge(&entries[i].name, NULL);
1989
1990 entries[i].luid.low = 0;
1991 entries[i].luid.high = 0;
1992 } else {
1993
1994 init_lsa_StringLarge(&entries[i].name, sec_privilege_name_from_index(i));
1995
1996 entries[i].luid.low = sec_privilege_from_index(i);
1997 entries[i].luid.high = 0;
1998 }
1999 }
2000
2001 enum_context = num_privs;
2002
2003 *r->out.resume_handle = enum_context;
2004 r->out.privs->count = num_privs;
2005 r->out.privs->privs = entries;
2006
2007 return NT_STATUS_OK;
2008 }
2009
2010 /***************************************************************************
2011 _lsa_LookupPrivDisplayName
2012 ***************************************************************************/
2013
2014 NTSTATUS _lsa_LookupPrivDisplayName(struct pipes_struct *p,
2015 struct lsa_LookupPrivDisplayName *r)
2016 {
2017 struct lsa_info *handle;
2018 const char *description;
2019 struct lsa_StringLarge *lsa_name;
2020
2021 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2022 return NT_STATUS_INVALID_HANDLE;
2023
2024 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
2025 return NT_STATUS_INVALID_HANDLE;
2026 }
2027
2028 /* check if the user has enough rights */
2029
2030 /*
2031 * I don't know if it's the right one. not documented.
2032 */
2033 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
2034 return NT_STATUS_ACCESS_DENIED;
2035
2036 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
2037
2038 description = get_privilege_dispname(r->in.name->string);
2039 if (!description) {
2040 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
2041 return NT_STATUS_NO_SUCH_PRIVILEGE;
2042 }
2043
2044 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
2045
2046 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2047 if (!lsa_name) {
2048 return NT_STATUS_NO_MEMORY;
2049 }
2050
2051 init_lsa_StringLarge(lsa_name, description);
2052
2053 *r->out.returned_language_id = r->in.language_id;
2054 *r->out.disp_name = lsa_name;
2055
2056 return NT_STATUS_OK;
2057 }
2058
2059 /***************************************************************************
2060 _lsa_EnumAccounts
2061 ***************************************************************************/
2062
2063 NTSTATUS _lsa_EnumAccounts(struct pipes_struct *p,
2064 struct lsa_EnumAccounts *r)
2065 {
2066 struct lsa_info *handle;
2067 struct dom_sid *sid_list;
2068 int i, j, num_entries;
2069 NTSTATUS status;
2070 struct lsa_SidPtr *sids = NULL;
2071
2072 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2073 return NT_STATUS_INVALID_HANDLE;
2074
2075 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
2076 return NT_STATUS_INVALID_HANDLE;
2077 }
2078
2079 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
2080 return NT_STATUS_ACCESS_DENIED;
2081
2082 sid_list = NULL;
2083 num_entries = 0;
2084
2085 /* The only way we can currently find out all the SIDs that have been
2086 privileged is to scan all privileges */
2087
2088 status = privilege_enumerate_accounts(&sid_list, &num_entries);
2089 if (!NT_STATUS_IS_OK(status)) {
2090 return status;
2091 }
2092
2093 if (*r->in.resume_handle >= num_entries) {
2094 return NT_STATUS_NO_MORE_ENTRIES;
2095 }
2096
2097 if (num_entries - *r->in.resume_handle) {
2098 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
2099 num_entries - *r->in.resume_handle);
2100 if (!sids) {
2101 talloc_free(sid_list);
2102 return NT_STATUS_NO_MEMORY;
2103 }
2104
2105 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
2106 sids[j].sid = dom_sid_dup(p->mem_ctx, &sid_list[i]);
2107 if (!sids[j].sid) {
2108 talloc_free(sid_list);
2109 return NT_STATUS_NO_MEMORY;
2110 }
2111 }
2112 }
2113
2114 talloc_free(sid_list);
2115
2116 *r->out.resume_handle = num_entries;
2117 r->out.sids->num_sids = num_entries;
2118 r->out.sids->sids = sids;
2119
2120 return NT_STATUS_OK;
2121 }
2122
2123 /***************************************************************************
2124 _lsa_GetUserName
2125 ***************************************************************************/
2126
2127 NTSTATUS _lsa_GetUserName(struct pipes_struct *p,
2128 struct lsa_GetUserName *r)
2129 {
2130 const char *username, *domname;
2131 struct lsa_String *account_name = NULL;
2132 struct lsa_String *authority_name = NULL;
2133
2134 if (r->in.account_name &&
2135 *r->in.account_name) {
2136 return NT_STATUS_INVALID_PARAMETER;
2137 }
2138
2139 if (r->in.authority_name &&
2140 *r->in.authority_name) {
2141 return NT_STATUS_INVALID_PARAMETER;
2142 }
2143
2144 if (p->server_info->guest) {
2145 /*
2146 * I'm 99% sure this is not the right place to do this,
2147 * global_sid_Anonymous should probably be put into the token
2148 * instead of the guest id -- vl
2149 */
2150 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
2151 &domname, &username, NULL)) {
2152 return NT_STATUS_NO_MEMORY;
2153 }
2154 } else {
2155 username = p->server_info->sanitized_username;
2156 domname = p->server_info->info3->base.domain.string;
2157 }
2158
2159 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
2160 if (!account_name) {
2161 return NT_STATUS_NO_MEMORY;
2162 }
2163 init_lsa_String(account_name, username);
2164
2165 if (r->out.authority_name) {
2166 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
2167 if (!authority_name) {
2168 return NT_STATUS_NO_MEMORY;
2169 }
2170 init_lsa_String(authority_name, domname);
2171 }
2172
2173 *r->out.account_name = account_name;
2174 if (r->out.authority_name) {
2175 *r->out.authority_name = authority_name;
2176 }
2177
2178 return NT_STATUS_OK;
2179 }
2180
2181 /***************************************************************************
2182 _lsa_CreateAccount
2183 ***************************************************************************/
2184
2185 NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
2186 struct lsa_CreateAccount *r)
2187 {
2188 NTSTATUS status;
2189 struct lsa_info *handle;
2190 uint32_t acc_granted;
2191 struct security_descriptor *psd;
2192 size_t sd_size;
2193
2194 /* find the connection policy handle. */
2195 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2196 return NT_STATUS_INVALID_HANDLE;
2197
2198 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
2199 return NT_STATUS_INVALID_HANDLE;
2200 }
2201
2202 /* check if the user has enough rights */
2203
2204 if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
2205 return NT_STATUS_ACCESS_DENIED;
2206 }
2207
2208 /* Work out max allowed. */
2209 map_max_allowed_access(p->server_info->security_token,
2210 &p->server_info->utok,
2211 &r->in.access_mask);
2212
2213 /* map the generic bits to the lsa policy ones */
2214 se_map_generic(&r->in.access_mask, &lsa_account_mapping);
2215
2216 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2217 &lsa_account_mapping,
2218 r->in.sid, LSA_POLICY_ALL_ACCESS);
2219 if (!NT_STATUS_IS_OK(status)) {
2220 return status;
2221 }
2222
2223 status = access_check_object(psd, p->server_info->security_token,
2224 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, r->in.access_mask,
2225 &acc_granted, "_lsa_CreateAccount");
2226 if (!NT_STATUS_IS_OK(status)) {
2227 return status;
2228 }
2229
2230 if ( is_privileged_sid( r->in.sid ) )
2231 return NT_STATUS_OBJECT_NAME_COLLISION;
2232
2233 status = create_lsa_policy_handle(p->mem_ctx, p,
2234 LSA_HANDLE_ACCOUNT_TYPE,
2235 acc_granted,
2236 r->in.sid,
2237 NULL,
2238 psd,
2239 r->out.acct_handle);
2240 if (!NT_STATUS_IS_OK(status)) {
2241 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2242 }
2243
2244 return privilege_create_account(r->in.sid);
2245 }
2246
2247 /***************************************************************************
2248 _lsa_OpenAccount
2249 ***************************************************************************/
2250
2251 NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
2252 struct lsa_OpenAccount *r)
2253 {
2254 struct lsa_info *handle;
2255 struct security_descriptor *psd = NULL;
2256 size_t sd_size;
2257 uint32_t des_access = r->in.access_mask;
2258 uint32_t acc_granted;
2259 NTSTATUS status;
2260
2261 /* find the connection policy handle. */
2262 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2263 return NT_STATUS_INVALID_HANDLE;
2264
2265 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
2266 return NT_STATUS_INVALID_HANDLE;
2267 }
2268
2269 /* des_access is for the account here, not the policy
2270 * handle - so don't check against policy handle. */
2271
2272 /* Work out max allowed. */
2273 map_max_allowed_access(p->server_info->security_token,
2274 &p->server_info->utok,
2275 &des_access);
2276
2277 /* map the generic bits to the lsa account ones */
2278 se_map_generic(&des_access, &lsa_account_mapping);
2279
2280 /* get the generic lsa account SD until we store it */
2281 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2282 &lsa_account_mapping,
2283 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2284 if (!NT_STATUS_IS_OK(status)) {
2285 return status;
2286 }
2287
2288 status = access_check_object(psd, p->server_info->security_token,
2289 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, des_access,
2290 &acc_granted, "_lsa_OpenAccount" );
2291 if (!NT_STATUS_IS_OK(status)) {
2292 return status;
2293 }
2294
2295 /* TODO: Fis the parsing routine before reenabling this check! */
2296 #if 0
2297 if (!lookup_sid(&handle->sid, dom_name, name, &type))
2298 return NT_STATUS_ACCESS_DENIED;
2299 #endif
2300
2301 status = create_lsa_policy_handle(p->mem_ctx, p,
2302 LSA_HANDLE_ACCOUNT_TYPE,
2303 acc_granted,
2304 r->in.sid,
2305 NULL,
2306 psd,
2307 r->out.acct_handle);
2308 if (!NT_STATUS_IS_OK(status)) {
2309 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2310 }
2311
2312 return NT_STATUS_OK;
2313 }
2314
2315 /***************************************************************************
2316 _lsa_EnumPrivsAccount
2317 For a given SID, enumerate all the privilege this account has.
2318 ***************************************************************************/
2319
2320 NTSTATUS _lsa_EnumPrivsAccount(struct pipes_struct *p,
2321 struct lsa_EnumPrivsAccount *r)
2322 {
2323 NTSTATUS status = NT_STATUS_OK;
2324 struct lsa_info *info=NULL;
2325 PRIVILEGE_SET *privileges;
2326 struct lsa_PrivilegeSet *priv_set = NULL;
2327
2328 /* find the connection policy handle. */
2329 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2330 return NT_STATUS_INVALID_HANDLE;
2331
2332 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2333 return NT_STATUS_INVALID_HANDLE;
2334 }
2335
2336 if (!(info->access & LSA_ACCOUNT_VIEW))
2337 return NT_STATUS_ACCESS_DENIED;
2338
2339 status = get_privileges_for_sid_as_set(p->mem_ctx, &privileges, &info->sid);
2340 if (!NT_STATUS_IS_OK(status)) {
2341 return status;
2342 }
2343
2344 *r->out.privs = priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
2345 if (!priv_set) {
2346 return NT_STATUS_NO_MEMORY;
2347 }
2348
2349 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
2350 sid_string_dbg(&info->sid),
2351 privileges->count));
2352
2353 priv_set->count = privileges->count;
2354 priv_set->unknown = 0;
2355 priv_set->set = talloc_move(priv_set, &privileges->set);
2356
2357 return status;
2358 }
2359
2360 /***************************************************************************
2361 _lsa_GetSystemAccessAccount
2362 ***************************************************************************/
2363
2364 NTSTATUS _lsa_GetSystemAccessAccount(struct pipes_struct *p,
2365 struct lsa_GetSystemAccessAccount *r)
2366 {
2367 NTSTATUS status;
2368 struct lsa_info *info = NULL;
2369 struct lsa_EnumPrivsAccount e;
2370 struct lsa_PrivilegeSet *privset;
2371
2372 /* find the connection policy handle. */
2373
2374 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2375 return NT_STATUS_INVALID_HANDLE;
2376
2377 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2378 return NT_STATUS_INVALID_HANDLE;
2379 }
2380
2381 if (!(info->access & LSA_ACCOUNT_VIEW))
2382 return NT_STATUS_ACCESS_DENIED;
2383
2384 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
2385 if (!privset) {
2386 return NT_STATUS_NO_MEMORY;
2387 }
2388
2389 e.in.handle = r->in.handle;
2390 e.out.privs = &privset;
2391
2392 status = _lsa_EnumPrivsAccount(p, &e);
2393 if (!NT_STATUS_IS_OK(status)) {
2394 DEBUG(10,("_lsa_GetSystemAccessAccount: "
2395 "failed to call _lsa_EnumPrivsAccount(): %s\n",
2396 nt_errstr(status)));
2397 return status;
2398 }
2399
2400 /* Samba4 would iterate over the privset to merge the policy mode bits,
2401 * not sure samba3 can do the same here, so just return what we did in
2402 * the past - gd */
2403
2404 /*
2405 0x01 -> Log on locally
2406 0x02 -> Access this computer from network
2407 0x04 -> Log on as a batch job
2408 0x10 -> Log on as a service
2409
2410 they can be ORed together
2411 */
2412
2413 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
2414 LSA_POLICY_MODE_NETWORK;
2415
2416 return NT_STATUS_OK;
2417 }
2418
2419 /***************************************************************************
2420 update the systemaccount information
2421 ***************************************************************************/
2422
2423 NTSTATUS _lsa_SetSystemAccessAccount(struct pipes_struct *p,
2424 struct lsa_SetSystemAccessAccount *r)
2425 {
2426 struct lsa_info *info=NULL;
2427 GROUP_MAP map;
2428
2429 /* find the connection policy handle. */
2430 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2431 return NT_STATUS_INVALID_HANDLE;
2432
2433 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2434 return NT_STATUS_INVALID_HANDLE;
2435 }
2436
2437 if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
2438 return NT_STATUS_ACCESS_DENIED;
2439 }
2440
2441 if (!pdb_getgrsid(&map, info->sid))
2442 return NT_STATUS_NO_SUCH_GROUP;
2443
2444 return pdb_update_group_mapping_entry(&map);
2445 }
2446
2447 /***************************************************************************
2448 _lsa_AddPrivilegesToAccount
2449 For a given SID, add some privileges.
2450 ***************************************************************************/
2451
2452 NTSTATUS _lsa_AddPrivilegesToAccount(struct pipes_struct *p,
2453 struct lsa_AddPrivilegesToAccount *r)
2454 {
2455 struct lsa_info *info = NULL;
2456 struct lsa_PrivilegeSet *set = NULL;
2457
2458 /* find the connection policy handle. */
2459 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2460 return NT_STATUS_INVALID_HANDLE;
2461
2462 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2463 return NT_STATUS_INVALID_HANDLE;
2464 }
2465
2466 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2467 return NT_STATUS_ACCESS_DENIED;
2468 }
2469
2470 set = r->in.privs;
2471
2472 if ( !grant_privilege_set( &info->sid, set ) ) {
2473 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege_set(%s) failed!\n",
2474 sid_string_dbg(&info->sid) ));
2475 return NT_STATUS_NO_SUCH_PRIVILEGE;
2476 }
2477
2478 return NT_STATUS_OK;
2479 }
2480
2481 /***************************************************************************
2482 _lsa_RemovePrivilegesFromAccount
2483 For a given SID, remove some privileges.
2484 ***************************************************************************/
2485
2486 NTSTATUS _lsa_RemovePrivilegesFromAccount(struct pipes_struct *p,
2487 struct lsa_RemovePrivilegesFromAccount *r)
2488 {
2489 struct lsa_info *info = NULL;
2490 struct lsa_PrivilegeSet *set = NULL;
2491
2492 /* find the connection policy handle. */
2493 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2494 return NT_STATUS_INVALID_HANDLE;
2495
2496 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2497 return NT_STATUS_INVALID_HANDLE;
2498 }
2499
2500 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2501 return NT_STATUS_ACCESS_DENIED;
2502 }
2503
2504 set = r->in.privs;
2505
2506 if ( !revoke_privilege_set( &info->sid, set) ) {
2507 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2508 sid_string_dbg(&info->sid) ));
2509 return NT_STATUS_NO_SUCH_PRIVILEGE;
2510 }
2511
2512 return NT_STATUS_OK;
2513 }
2514
2515 /***************************************************************************
2516 _lsa_LookupPrivName
2517 ***************************************************************************/
2518
2519 NTSTATUS _lsa_LookupPrivName(struct pipes_struct *p,
2520 struct lsa_LookupPrivName *r)
2521 {
2522 struct lsa_info *info = NULL;
2523 const char *name;
2524 struct lsa_StringLarge *lsa_name;
2525
2526 /* find the connection policy handle. */
2527 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2528 return NT_STATUS_INVALID_HANDLE;
2529 }
2530
2531 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2532 return NT_STATUS_INVALID_HANDLE;
2533 }
2534
2535 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2536 return NT_STATUS_ACCESS_DENIED;
2537 }
2538
2539 if (r->in.luid->high != 0) {
2540 return NT_STATUS_NO_SUCH_PRIVILEGE;
2541 }
2542
2543 name = sec_privilege_name(r->in.luid->low);
2544 if (!name) {
2545 return NT_STATUS_NO_SUCH_PRIVILEGE;
2546 }
2547
2548 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2549 if (!lsa_name) {
2550 return NT_STATUS_NO_MEMORY;
2551 }
2552
2553 lsa_name->string = talloc_strdup(lsa_name, name);
2554 if (!lsa_name->string) {
2555 TALLOC_FREE(lsa_name);
2556 return NT_STATUS_NO_MEMORY;
2557 }
2558
2559 *r->out.name = lsa_name;
2560
2561 return NT_STATUS_OK;
2562 }
2563
2564 /***************************************************************************
2565 _lsa_QuerySecurity
2566 ***************************************************************************/
2567
2568 NTSTATUS _lsa_QuerySecurity(struct pipes_struct *p,
2569 struct lsa_QuerySecurity *r)
2570 {
2571 struct lsa_info *handle=NULL;
2572 struct security_descriptor *psd = NULL;
2573 size_t sd_size;
2574 NTSTATUS status;
2575
2576 /* find the connection policy handle. */
2577 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2578 return NT_STATUS_INVALID_HANDLE;
2579
2580 switch (handle->type) {
2581 case LSA_HANDLE_POLICY_TYPE:
2582 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2583 &lsa_policy_mapping, NULL, 0);
2584 break;
2585 case LSA_HANDLE_ACCOUNT_TYPE:
2586 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2587 &lsa_account_mapping,
2588 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2589 break;
2590 default:
2591 status = NT_STATUS_INVALID_HANDLE;
2592 break;
2593 }
2594
2595 if (!NT_STATUS_IS_OK(status)) {
2596 return status;
2597 }
2598
2599 *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2600 if (!*r->out.sdbuf) {
2601 return NT_STATUS_NO_MEMORY;
2602 }
2603
2604 return status;
2605 }
2606
2607 /***************************************************************************
2608 _lsa_AddAccountRights
2609 ***************************************************************************/
2610
2611 NTSTATUS _lsa_AddAccountRights(struct pipes_struct *p,
2612 struct lsa_AddAccountRights *r)
2613 {
2614 struct lsa_info *info = NULL;
2615 int i = 0;
2616 uint32_t acc_granted = 0;
2617 struct security_descriptor *psd = NULL;
2618 size_t sd_size;
2619 struct dom_sid sid;
2620 NTSTATUS status;
2621
2622 /* find the connection policy handle. */
2623 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2624 return NT_STATUS_INVALID_HANDLE;
2625
2626 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2627 return NT_STATUS_INVALID_HANDLE;
2628 }
2629
2630 /* get the generic lsa account SD for this SID until we store it */
2631 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2632 &lsa_account_mapping,
2633 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2634 if (!NT_STATUS_IS_OK(status)) {
2635 return status;
2636 }
2637
2638 /*
2639 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2640 * on the policy handle. If it does, ask for
2641 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2642 * on the account sid. We don't check here so just use the latter. JRA.
2643 */
2644
2645 status = access_check_object(psd, p->server_info->security_token,
2646 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
2647 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2648 &acc_granted, "_lsa_AddAccountRights" );
2649 if (!NT_STATUS_IS_OK(status)) {
2650 return status;
2651 }
2652
2653 /* according to an NT4 PDC, you can add privileges to SIDs even without
2654 call_lsa_create_account() first. And you can use any arbitrary SID. */
2655
2656 sid_copy( &sid, r->in.sid );
2657
2658 for ( i=0; i < r->in.rights->count; i++ ) {
2659
2660 const char *privname = r->in.rights->names[i].string;
2661
2662 /* only try to add non-null strings */
2663
2664 if ( !privname )
2665 continue;
2666
2667 if ( !grant_privilege_by_name( &sid, privname ) ) {
2668 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2669 privname ));
2670 return NT_STATUS_NO_SUCH_PRIVILEGE;
2671 }
2672 }
2673
2674 return NT_STATUS_OK;
2675 }
2676
2677 /***************************************************************************
2678 _lsa_RemoveAccountRights
2679 ***************************************************************************/
2680
2681 NTSTATUS _lsa_RemoveAccountRights(struct pipes_struct *p,
2682 struct lsa_RemoveAccountRights *r)
2683 {
2684 struct lsa_info *info = NULL;
2685 int i = 0;
2686 struct security_descriptor *psd = NULL;
2687 size_t sd_size;
2688 struct dom_sid sid;
2689 const char *privname = NULL;
2690 uint32_t acc_granted = 0;
2691 NTSTATUS status;
2692
2693 /* find the connection policy handle. */
2694 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2695 return NT_STATUS_INVALID_HANDLE;
2696
2697 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2698 return NT_STATUS_INVALID_HANDLE;
2699 }
2700
2701 /* get the generic lsa account SD for this SID until we store it */
2702 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2703 &lsa_account_mapping,
2704 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2705 if (!NT_STATUS_IS_OK(status)) {
2706 return status;
2707 }
2708
2709 /*
2710 * From the MS DOCs. We need
2711 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2712 * and DELETE on the account sid.
2713 */
2714
2715 status = access_check_object(psd, p->server_info->security_token,
2716 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
2717 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2718 LSA_ACCOUNT_VIEW|SEC_STD_DELETE,
2719 &acc_granted, "_lsa_RemoveAccountRights");
2720 if (!NT_STATUS_IS_OK(status)) {
2721 return status;
2722 }
2723
2724 sid_copy( &sid, r->in.sid );
2725
2726 if ( r->in.remove_all ) {
2727 if ( !revoke_all_privileges( &sid ) )
2728 return NT_STATUS_ACCESS_DENIED;
2729
2730 return NT_STATUS_OK;
2731 }
2732
2733 for ( i=0; i < r->in.rights->count; i++ ) {
2734
2735 privname = r->in.rights->names[i].string;
2736
2737 /* only try to add non-null strings */
2738
2739 if ( !privname )
2740 continue;
2741
2742 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2743 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2744 privname ));
2745 return NT_STATUS_NO_SUCH_PRIVILEGE;
2746 }
2747 }
2748
2749 return NT_STATUS_OK;
2750 }
2751
2752 /*******************************************************************
2753 ********************************************************************/
2754
2755 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2756 struct lsa_RightSet *r,
2757 PRIVILEGE_SET *privileges)
2758 {
2759 uint32 i;
2760 const char *privname;
2761 const char **privname_array = NULL;
2762 int num_priv = 0;
2763
2764 for (i=0; i<privileges->count; i++) {
2765 if (privileges->set[i].luid.high) {
2766 continue;
2767 }
2768 privname = sec_privilege_name(privileges->set[i].luid.low);
2769 if (privname) {
2770 if (!add_string_to_array(mem_ctx, privname,
2771 &privname_array, &num_priv)) {
2772 return NT_STATUS_NO_MEMORY;
2773 }
2774 }
2775 }
2776
2777 if (num_priv) {
2778
2779 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2780 num_priv);
2781 if (!r->names) {
2782 return NT_STATUS_NO_MEMORY;
2783 }
2784
2785 for (i=0; i<num_priv; i++) {
2786 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2787 }
2788
2789 r->count = num_priv;
2790 }
2791
2792 return NT_STATUS_OK;
2793 }
2794
2795 /***************************************************************************
2796 _lsa_EnumAccountRights
2797 ***************************************************************************/
2798
2799 NTSTATUS _lsa_EnumAccountRights(struct pipes_struct *p,
2800 struct lsa_EnumAccountRights *r)
2801 {
2802 NTSTATUS status;
2803 struct lsa_info *info = NULL;
2804 PRIVILEGE_SET *privileges;
2805
2806 /* find the connection policy handle. */
2807
2808 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2809 return NT_STATUS_INVALID_HANDLE;
2810
2811 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2812 return NT_STATUS_INVALID_HANDLE;
2813 }
2814
2815 if (!(info->access & LSA_ACCOUNT_VIEW)) {
2816 return NT_STATUS_ACCESS_DENIED;
2817 }
2818
2819 /* according to an NT4 PDC, you can add privileges to SIDs even without
2820 call_lsa_create_account() first. And you can use any arbitrary SID. */
2821
2822 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2823 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2824 * the lsa database */
2825
2826 status = get_privileges_for_sid_as_set(p->mem_ctx, &privileges, r->in.sid);
2827 if (!NT_STATUS_IS_OK(status)) {
2828 return status;
2829 }
2830
2831 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2832 sid_string_dbg(r->in.sid), privileges->count));
2833
2834 status = init_lsa_right_set(p->mem_ctx, r->out.rights, privileges);
2835
2836 return status;
2837 }
2838
2839 /***************************************************************************
2840 _lsa_LookupPrivValue
2841 ***************************************************************************/
2842
2843 NTSTATUS _lsa_LookupPrivValue(struct pipes_struct *p,
2844 struct lsa_LookupPrivValue *r)
2845 {
2846 struct lsa_info *info = NULL;
2847 const char *name = NULL;
2848
2849 /* find the connection policy handle. */
2850
2851 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2852 return NT_STATUS_INVALID_HANDLE;
2853
2854 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2855 return NT_STATUS_INVALID_HANDLE;
2856 }
2857
2858 if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2859 return NT_STATUS_ACCESS_DENIED;
2860
2861 name = r->in.name->string;
2862
2863 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2864
2865 r->out.luid->low = sec_privilege_id(name);
2866 r->out.luid->high = 0;
2867 if (r->out.luid->low == SEC_PRIV_INVALID) {
2868 return NT_STATUS_NO_SUCH_PRIVILEGE;
2869 }
2870 return NT_STATUS_OK;
2871 }
2872
2873 /***************************************************************************
2874 _lsa_EnumAccountsWithUserRight
2875 ***************************************************************************/
2876
2877 NTSTATUS _lsa_EnumAccountsWithUserRight(struct pipes_struct *p,
2878 struct lsa_EnumAccountsWithUserRight *r)
2879 {
2880 NTSTATUS status;
2881 struct lsa_info *info = NULL;
2882 struct dom_sid *sids = NULL;
2883 int num_sids = 0;
2884 uint32_t i;
2885 enum sec_privilege privilege;
2886
2887 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2888 return NT_STATUS_INVALID_HANDLE;
2889 }
2890
2891 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2892 return NT_STATUS_INVALID_HANDLE;
2893 }
2894
2895 if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2896 return NT_STATUS_ACCESS_DENIED;
2897 }
2898
2899 if (!r->in.name || !r->in.name->string) {
2900 return NT_STATUS_NO_SUCH_PRIVILEGE;
2901 }
2902
2903 privilege = sec_privilege_id(r->in.name->string);
2904 if (privilege == SEC_PRIV_INVALID) {
2905 return NT_STATUS_NO_SUCH_PRIVILEGE;
2906 }
2907
2908 status = privilege_enum_sids(privilege, p->mem_ctx,
2909 &sids, &num_sids);
2910 if (!NT_STATUS_IS_OK(status)) {
2911 return status;
2912 }
2913
2914 r->out.sids->num_sids = num_sids;
2915 r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2916 r->out.sids->num_sids);
2917
2918 for (i=0; i < r->out.sids->num_sids; i++) {
2919 r->out.sids->sids[i].sid = dom_sid_dup(r->out.sids->sids,
2920 &sids[i]);
2921 if (!r->out.sids->sids[i].sid) {
2922 TALLOC_FREE(r->out.sids->sids);
2923 r->out.sids->num_sids = 0;
2924 return NT_STATUS_NO_MEMORY;
2925 }
2926 }
2927
2928 return NT_STATUS_OK;
2929 }
2930
2931 /***************************************************************************
2932 _lsa_Delete
2933 ***************************************************************************/
2934
2935 NTSTATUS _lsa_Delete(struct pipes_struct *p,
2936 struct lsa_Delete *r)
2937 {
2938 return NT_STATUS_NOT_SUPPORTED;
2939 }
2940
2941 /*
2942 * From here on the server routines are just dummy ones to make smbd link with
2943 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2944 * pulling the server stubs across one by one.
2945 */
2946
2947 NTSTATUS _lsa_SetSecObj(struct pipes_struct *p, struct lsa_SetSecObj *r)
2948 {
2949 p->rng_fault_state = True;
2950 return NT_STATUS_NOT_IMPLEMENTED;
2951 }
2952
2953 NTSTATUS _lsa_ChangePassword(struct pipes_struct *p,
2954 struct lsa_ChangePassword *r)
2955 {
2956 p->rng_fault_state = True;
2957 return NT_STATUS_NOT_IMPLEMENTED;
2958 }
2959
2960 NTSTATUS _lsa_SetInfoPolicy(struct pipes_struct *p, struct lsa_SetInfoPolicy *r)
2961 {
2962 p->rng_fault_state = True;
2963 return NT_STATUS_NOT_IMPLEMENTED;
2964 }
2965
2966 NTSTATUS _lsa_ClearAuditLog(struct pipes_struct *p, struct lsa_ClearAuditLog *r)
2967 {
2968 p->rng_fault_state = True;
2969 return NT_STATUS_NOT_IMPLEMENTED;
2970 }
2971
2972 NTSTATUS _lsa_GetQuotasForAccount(struct pipes_struct *p,
2973 struct lsa_GetQuotasForAccount *r)
2974 {
2975 p->rng_fault_state = True;
2976 return NT_STATUS_NOT_IMPLEMENTED;
2977 }
2978
2979 NTSTATUS _lsa_SetQuotasForAccount(struct pipes_struct *p,
2980 struct lsa_SetQuotasForAccount *r)
2981 {
2982 p->rng_fault_state = True;
2983 return NT_STATUS_NOT_IMPLEMENTED;
2984 }
2985
2986 NTSTATUS _lsa_SetInformationTrustedDomain(struct pipes_struct *p,
2987 struct lsa_SetInformationTrustedDomain *r)
2988 {
2989 p->rng_fault_state = True;
2990 return NT_STATUS_NOT_IMPLEMENTED;
2991 }
2992
2993 NTSTATUS _lsa_QuerySecret(struct pipes_struct *p, struct lsa_QuerySecret *r)
2994 {
2995 p->rng_fault_state = True;
2996 return NT_STATUS_NOT_IMPLEMENTED;
2997 }
2998
2999 NTSTATUS _lsa_SetTrustedDomainInfo(struct pipes_struct *p,
3000 struct lsa_SetTrustedDomainInfo *r)
3001 {
3002 p->rng_fault_state = True;
3003 return NT_STATUS_NOT_IMPLEMENTED;
3004 }
3005
3006 NTSTATUS _lsa_StorePrivateData(struct pipes_struct *p,
3007 struct lsa_StorePrivateData *r)
3008 {
3009 p->rng_fault_state = True;
3010 return NT_STATUS_NOT_IMPLEMENTED;
3011 }
3012
3013 NTSTATUS _lsa_RetrievePrivateData(struct pipes_struct *p,
3014 struct lsa_RetrievePrivateData *r)
3015 {
3016 p->rng_fault_state = True;
3017 return NT_STATUS_NOT_IMPLEMENTED;
3018 }
3019
3020 NTSTATUS _lsa_SetInfoPolicy2(struct pipes_struct *p,
3021 struct lsa_SetInfoPolicy2 *r)
3022 {
3023 p->rng_fault_state = True;
3024 return NT_STATUS_NOT_IMPLEMENTED;
3025 }
3026
3027 NTSTATUS _lsa_SetTrustedDomainInfoByName(struct pipes_struct *p,
3028 struct lsa_SetTrustedDomainInfoByName *r)
3029 {
3030 p->rng_fault_state = True;
3031 return NT_STATUS_NOT_IMPLEMENTED;
3032 }
3033
3034 NTSTATUS _lsa_EnumTrustedDomainsEx(struct pipes_struct *p,
3035 struct lsa_EnumTrustedDomainsEx *r)
3036 {
3037 struct lsa_info *info;
3038 uint32_t count;
3039 struct pdb_trusted_domain **domains;
3040 struct lsa_TrustDomainInfoInfoEx *entries;
3041 int i;
3042 NTSTATUS nt_status;
3043
3044 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
3045 return NT_STATUS_INVALID_HANDLE;
3046
3047 if (info->type != LSA_HANDLE_POLICY_TYPE) {
3048 return NT_STATUS_INVALID_HANDLE;
3049 }
3050
3051 /* check if the user has enough rights */
3052 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
3053 return NT_STATUS_ACCESS_DENIED;
3054
3055 become_root();
3056 nt_status = pdb_enum_trusted_domains(p->mem_ctx, &count, &domains);
3057 unbecome_root();
3058
3059 if (!NT_STATUS_IS_OK(nt_status)) {
3060 return nt_status;
3061 }
3062
3063 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TrustDomainInfoInfoEx,
3064 count);
3065 if (!entries) {
3066 return NT_STATUS_NO_MEMORY;
3067 }
3068
3069 for (i=0; i<count; i++) {
3070 init_lsa_StringLarge(&entries[i].netbios_name,
3071 domains[i]->netbios_name);
3072 entries[i].sid = &domains[i]->security_identifier;
3073 }
3074
3075 if (*r->in.resume_handle >= count) {
3076 *r->out.resume_handle = -1;
3077 TALLOC_FREE(entries);
3078 return NT_STATUS_NO_MORE_ENTRIES;
3079 }
3080
3081 /* return the rest, limit by max_size. Note that we
3082 use the w2k3 element size value of 60 */
3083 r->out.domains->count = count - *r->in.resume_handle;
3084 r->out.domains->count = MIN(r->out.domains->count,
3085 (r->in.max_size/LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER));
3086
3087 r->out.domains->domains = entries + *r->in.resume_handle;
3088
3089 if (r->out.domains->count < count - *r->in.resume_handle) {
3090 *r->out.resume_handle = *r->in.resume_handle + r->out.domains->count;
3091 return STATUS_MORE_ENTRIES;
3092 }
3093
3094 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
3095 * always be larger than the previous input resume handle, in
3096 * particular when hitting the last query it is vital to set the
3097 * resume handle correctly to avoid infinite client loops, as
3098 * seen e.g. with Windows XP SP3 when resume handle is 0 and
3099 * status is NT_STATUS_OK - gd */
3100
3101 *r->out.resume_handle = (uint32_t)-1;
3102
3103 return NT_STATUS_OK;
3104 }
3105
3106 NTSTATUS _lsa_QueryDomainInformationPolicy(struct pipes_struct *p,
3107 struct lsa_QueryDomainInformationPolicy *r)
3108 {
3109 p->rng_fault_state = True;
3110 return NT_STATUS_NOT_IMPLEMENTED;
3111 }
3112
3113 NTSTATUS _lsa_SetDomainInformationPolicy(struct pipes_struct *p,
3114 struct lsa_SetDomainInformationPolicy *r)
3115 {
3116 p->rng_fault_state = True;
3117 return NT_STATUS_NOT_IMPLEMENTED;
3118 }
3119
3120 NTSTATUS _lsa_OpenTrustedDomainByName(struct pipes_struct *p,
3121 struct lsa_OpenTrustedDomainByName *r)
3122 {
3123 p->rng_fault_state = True;
3124 return NT_STATUS_NOT_IMPLEMENTED;
3125 }
3126
3127 NTSTATUS _lsa_TestCall(struct pipes_struct *p, struct lsa_TestCall *r)
3128 {
3129 p->rng_fault_state = True;
3130 return NT_STATUS_NOT_IMPLEMENTED;
3131 }
3132
3133 NTSTATUS _lsa_CREDRWRITE(struct pipes_struct *p, struct lsa_CREDRWRITE *r)
3134 {
3135 p->rng_fault_state = True;
3136 return NT_STATUS_NOT_IMPLEMENTED;
3137 }
3138
3139 NTSTATUS _lsa_CREDRREAD(struct pipes_struct *p, struct lsa_CREDRREAD *r)
3140 {
3141 p->rng_fault_state = True;
3142 return NT_STATUS_NOT_IMPLEMENTED;
3143 }
3144
3145 NTSTATUS _lsa_CREDRENUMERATE(struct pipes_struct *p, struct lsa_CREDRENUMERATE *r)
3146 {
3147 p->rng_fault_state = True;
3148 return NT_STATUS_NOT_IMPLEMENTED;
3149 }
3150
3151 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(struct pipes_struct *p,
3152 struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
3153 {
3154 p->rng_fault_state = True;
3155 return NT_STATUS_NOT_IMPLEMENTED;
3156 }
3157
3158 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(struct pipes_struct *p,
3159 struct lsa_CREDRREADDOMAINCREDENTIALS *r)
3160 {
3161 p->rng_fault_state = True;
3162 return NT_STATUS_NOT_IMPLEMENTED;
3163 }
3164
3165 NTSTATUS _lsa_CREDRDELETE(struct pipes_struct *p, struct lsa_CREDRDELETE *r)
3166 {
3167 p->rng_fault_state = True;
3168 return NT_STATUS_NOT_IMPLEMENTED;
3169 }
3170
3171 NTSTATUS _lsa_CREDRGETTARGETINFO(struct pipes_struct *p,
3172 struct lsa_CREDRGETTARGETINFO *r)
3173 {
3174 p->rng_fault_state = True;
3175 return NT_STATUS_NOT_IMPLEMENTED;
3176 }
3177
3178 NTSTATUS _lsa_CREDRPROFILELOADED(struct pipes_struct *p,
3179 struct lsa_CREDRPROFILELOADED *r)
3180 {
3181 p->rng_fault_state = True;
3182 return NT_STATUS_NOT_IMPLEMENTED;
3183 }
3184
3185 NTSTATUS _lsa_CREDRGETSESSIONTYPES(struct pipes_struct *p,
3186 struct lsa_CREDRGETSESSIONTYPES *r)
3187 {
3188 p->rng_fault_state = True;
3189 return NT_STATUS_NOT_IMPLEMENTED;
3190 }
3191
3192 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(struct pipes_struct *p,
3193 struct lsa_LSARREGISTERAUDITEVENT *r)
3194 {
3195 p->rng_fault_state = True;
3196 return NT_STATUS_NOT_IMPLEMENTED;
3197 }
3198
3199 NTSTATUS _lsa_LSARGENAUDITEVENT(struct pipes_struct *p,
3200 struct lsa_LSARGENAUDITEVENT *r)
3201 {
3202 p->rng_fault_state = True;
3203 return NT_STATUS_NOT_IMPLEMENTED;
3204 }
3205
3206 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(struct pipes_struct *p,
3207 struct lsa_LSARUNREGISTERAUDITEVENT *r)
3208 {
3209 p->rng_fault_state = True;
3210 return NT_STATUS_NOT_IMPLEMENTED;
3211 }
3212
3213 NTSTATUS _lsa_lsaRQueryForestTrustInformation(struct pipes_struct *p,
3214 struct lsa_lsaRQueryForestTrustInformation *r)
3215 {
3216 p->rng_fault_state = True;
3217 return NT_STATUS_NOT_IMPLEMENTED;
3218 }
3219
3220 NTSTATUS _lsa_lsaRSetForestTrustInformation(struct pipes_struct *p,
3221 struct lsa_lsaRSetForestTrustInformation *r)
3222 {
3223 p->rng_fault_state = True;
3224 return NT_STATUS_NOT_IMPLEMENTED;
3225 }
3226
3227 NTSTATUS _lsa_CREDRRENAME(struct pipes_struct *p,
3228 struct lsa_CREDRRENAME *r)
3229 {
3230 p->rng_fault_state = True;
3231 return NT_STATUS_NOT_IMPLEMENTED;
3232 }
3233
3234 NTSTATUS _lsa_LSAROPENPOLICYSCE(struct pipes_struct *p,
3235 struct lsa_LSAROPENPOLICYSCE *r)
3236 {
3237 p->rng_fault_state = True;
3238 return NT_STATUS_NOT_IMPLEMENTED;
3239 }
3240
3241 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(struct pipes_struct *p,
3242 struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
3243 {
3244 p->rng_fault_state = True;
3245 return NT_STATUS_NOT_IMPLEMENTED;
3246 }
3247
3248 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(struct pipes_struct *p,
3249 struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
3250 {
3251 p->rng_fault_state = True;
3252 return NT_STATUS_NOT_IMPLEMENTED;
3253 }
3254
3255 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(struct pipes_struct *p,
3256 struct lsa_LSARADTREPORTSECURITYEVENT *r)
3257 {
3258 p->rng_fault_state = True;
3259 return NT_STATUS_NOT_IMPLEMENTED;
3260 }
Samba GIT mirror