search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "Fix bug #7067 - Linux asynchronous IO (aio) can cause smbd to fail to respond...
[Samba.git] / source3 / rpc_server / srv_lsa_nt.c
blobe903f0e974e3502a5b1797c771ebb576631eccbe
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
14 *
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
19 *
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
24 *
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
27 */
28
29 /* This is the implementation of the lsa server code. */
30
31 #include "includes.h"
32 #include "../librpc/gen_ndr/srv_lsa.h"
33
34 #undef DBGC_CLASS
35 #define DBGC_CLASS DBGC_RPC_SRV
36
37 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
38
39 extern PRIVS privs[];
40
41 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
42
43 struct lsa_info {
44 DOM_SID sid;
45 const char *name;
46 uint32 access;
47 enum lsa_handle_type type;
48 struct security_descriptor *sd;
49 };
50
51 const struct generic_mapping lsa_account_mapping = {
52 LSA_ACCOUNT_READ,
53 LSA_ACCOUNT_WRITE,
54 LSA_ACCOUNT_EXECUTE,
55 LSA_ACCOUNT_ALL_ACCESS
56 };
57
58 const struct generic_mapping lsa_policy_mapping = {
59 LSA_POLICY_READ,
60 LSA_POLICY_WRITE,
61 LSA_POLICY_EXECUTE,
62 LSA_POLICY_ALL_ACCESS
63 };
64
65 const struct generic_mapping lsa_secret_mapping = {
66 LSA_SECRET_READ,
67 LSA_SECRET_WRITE,
68 LSA_SECRET_EXECUTE,
69 LSA_SECRET_ALL_ACCESS
70 };
71
72 const struct generic_mapping lsa_trusted_domain_mapping = {
73 LSA_TRUSTED_DOMAIN_READ,
74 LSA_TRUSTED_DOMAIN_WRITE,
75 LSA_TRUSTED_DOMAIN_EXECUTE,
76 LSA_TRUSTED_DOMAIN_ALL_ACCESS
77 };
78
79 /***************************************************************************
80 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
81 ***************************************************************************/
82
83 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
84 struct lsa_RefDomainList *ref,
85 const char *dom_name,
86 DOM_SID *dom_sid)
87 {
88 int num = 0;
89
90 if (dom_name != NULL) {
91 for (num = 0; num < ref->count; num++) {
92 if (sid_equal(dom_sid, ref->domains[num].sid)) {
93 return num;
94 }
95 }
96 } else {
97 num = ref->count;
98 }
99
100 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
101 /* index not found, already at maximum domain limit */
102 return -1;
103 }
104
105 ref->count = num + 1;
106 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
107
108 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
109 struct lsa_DomainInfo, ref->count);
110 if (!ref->domains) {
111 return -1;
112 }
113
114 ZERO_STRUCT(ref->domains[num]);
115
116 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
117 ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
118 if (!ref->domains[num].sid) {
119 return -1;
120 }
121
122 return num;
123 }
124
125
126 /***************************************************************************
127 initialize a lsa_DomainInfo structure.
128 ***************************************************************************/
129
130 static void init_dom_query_3(struct lsa_DomainInfo *r,
131 const char *name,
132 DOM_SID *sid)
133 {
134 init_lsa_StringLarge(&r->name, name);
135 r->sid = sid;
136 }
137
138 /***************************************************************************
139 initialize a lsa_DomainInfo structure.
140 ***************************************************************************/
141
142 static void init_dom_query_5(struct lsa_DomainInfo *r,
143 const char *name,
144 DOM_SID *sid)
145 {
146 init_lsa_StringLarge(&r->name, name);
147 r->sid = sid;
148 }
149
150 /***************************************************************************
151 lookup_lsa_rids. Must be called as root for lookup_name to work.
152 ***************************************************************************/
153
154 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
155 struct lsa_RefDomainList *ref,
156 struct lsa_TranslatedSid *prid,
157 uint32_t num_entries,
158 struct lsa_String *name,
159 int flags,
160 uint32_t *pmapped_count)
161 {
162 uint32 mapped_count, i;
163
164 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
165
166 mapped_count = 0;
167 *pmapped_count = 0;
168
169 for (i = 0; i < num_entries; i++) {
170 DOM_SID sid;
171 uint32 rid;
172 int dom_idx;
173 const char *full_name;
174 const char *domain;
175 enum lsa_SidType type = SID_NAME_UNKNOWN;
176
177 /* Split name into domain and user component */
178
179 /* follow w2k8 behavior and return the builtin domain when no
180 * input has been passed in */
181
182 if (name[i].string) {
183 full_name = name[i].string;
184 } else {
185 full_name = "BUILTIN";
186 }
187
188 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
189
190 /* We can ignore the result of lookup_name, it will not touch
191 "type" if it's not successful */
192
193 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
194 &sid, &type);
195
196 switch (type) {
197 case SID_NAME_USER:
198 case SID_NAME_DOM_GRP:
199 case SID_NAME_DOMAIN:
200 case SID_NAME_ALIAS:
201 case SID_NAME_WKN_GRP:
202 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
203 /* Leave these unchanged */
204 break;
205 default:
206 /* Don't hand out anything but the list above */
207 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
208 type = SID_NAME_UNKNOWN;
209 break;
210 }
211
212 rid = 0;
213 dom_idx = -1;
214
215 if (type != SID_NAME_UNKNOWN) {
216 if (type == SID_NAME_DOMAIN) {
217 rid = (uint32_t)-1;
218 } else {
219 sid_split_rid(&sid, &rid);
220 }
221 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
222 mapped_count++;
223 }
224
225 prid[i].sid_type = type;
226 prid[i].rid = rid;
227 prid[i].sid_index = dom_idx;
228 }
229
230 *pmapped_count = mapped_count;
231 return NT_STATUS_OK;
232 }
233
234 /***************************************************************************
235 lookup_lsa_sids. Must be called as root for lookup_name to work.
236 ***************************************************************************/
237
238 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
239 struct lsa_RefDomainList *ref,
240 struct lsa_TranslatedSid3 *trans_sids,
241 uint32_t num_entries,
242 struct lsa_String *name,
243 int flags,
244 uint32 *pmapped_count)
245 {
246 uint32 mapped_count, i;
247
248 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
249
250 mapped_count = 0;
251 *pmapped_count = 0;
252
253 for (i = 0; i < num_entries; i++) {
254 DOM_SID sid;
255 uint32 rid;
256 int dom_idx;
257 const char *full_name;
258 const char *domain;
259 enum lsa_SidType type = SID_NAME_UNKNOWN;
260
261 ZERO_STRUCT(sid);
262
263 /* Split name into domain and user component */
264
265 full_name = name[i].string;
266 if (full_name == NULL) {
267 return NT_STATUS_NO_MEMORY;
268 }
269
270 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
271
272 /* We can ignore the result of lookup_name, it will not touch
273 "type" if it's not successful */
274
275 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
276 &sid, &type);
277
278 switch (type) {
279 case SID_NAME_USER:
280 case SID_NAME_DOM_GRP:
281 case SID_NAME_DOMAIN:
282 case SID_NAME_ALIAS:
283 case SID_NAME_WKN_GRP:
284 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
285 /* Leave these unchanged */
286 break;
287 default:
288 /* Don't hand out anything but the list above */
289 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
290 type = SID_NAME_UNKNOWN;
291 break;
292 }
293
294 rid = 0;
295 dom_idx = -1;
296
297 if (type != SID_NAME_UNKNOWN) {
298 DOM_SID domain_sid;
299 sid_copy(&domain_sid, &sid);
300 sid_split_rid(&domain_sid, &rid);
301 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
302 mapped_count++;
303 }
304
305 /* Initialize the lsa_TranslatedSid3 return. */
306 trans_sids[i].sid_type = type;
307 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
308 trans_sids[i].sid_index = dom_idx;
309 }
310
311 *pmapped_count = mapped_count;
312 return NT_STATUS_OK;
313 }
314
315 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size,
316 const struct generic_mapping *map,
317 DOM_SID *sid, uint32_t sid_access)
318 {
319 DOM_SID adm_sid;
320 SEC_ACE ace[5];
321 size_t i = 0;
322
323 SEC_ACL *psa = NULL;
324
325 /* READ|EXECUTE access for Everyone */
326
327 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
328 map->generic_execute | map->generic_read, 0);
329
330 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
331
332 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
333 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
334 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
335 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
336
337 /* Add Full Access for Domain Admins */
338 sid_copy(&adm_sid, get_global_sam_sid());
339 sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
340 init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
341 map->generic_all, 0);
342
343 /* If we have a sid, give it some special access */
344
345 if (sid) {
346 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
347 sid_access, 0);
348 }
349
350 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
351 return NT_STATUS_NO_MEMORY;
352
353 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
354 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
355 psa, sd_size)) == NULL)
356 return NT_STATUS_NO_MEMORY;
357
358 return NT_STATUS_OK;
359 }
360
361
362 /***************************************************************************
363 _lsa_OpenPolicy2
364 ***************************************************************************/
365
366 NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
367 struct lsa_OpenPolicy2 *r)
368 {
369 struct lsa_info *info;
370 SEC_DESC *psd = NULL;
371 size_t sd_size;
372 uint32 des_access = r->in.access_mask;
373 uint32 acc_granted;
374 NTSTATUS status;
375
376 /* Work out max allowed. */
377 map_max_allowed_access(p->server_info->ptok,
378 &p->server_info->utok,
379 &des_access);
380
381 /* map the generic bits to the lsa policy ones */
382 se_map_generic(&des_access, &lsa_policy_mapping);
383
384 /* get the generic lsa policy SD until we store it */
385 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
386 NULL, 0);
387 if (!NT_STATUS_IS_OK(status)) {
388 return status;
389 }
390
391 status = access_check_object(psd, p->server_info->ptok,
392 NULL, 0, des_access,
393 &acc_granted, "_lsa_OpenPolicy2" );
394 if (!NT_STATUS_IS_OK(status)) {
395 return status;
396 }
397
398 /* associate the domain SID with the (unique) handle. */
399 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
400 if (info == NULL) {
401 return NT_STATUS_NO_MEMORY;
402 }
403
404 sid_copy(&info->sid,get_global_sam_sid());
405 info->access = acc_granted;
406 info->type = LSA_HANDLE_POLICY_TYPE;
407
408 /* set up the LSA QUERY INFO response */
409 if (!create_policy_hnd(p, r->out.handle, info))
410 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
411
412 return NT_STATUS_OK;
413 }
414
415 /***************************************************************************
416 _lsa_OpenPolicy
417 ***************************************************************************/
418
419 NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
420 struct lsa_OpenPolicy *r)
421 {
422 struct lsa_OpenPolicy2 o;
423
424 o.in.system_name = NULL; /* should be ignored */
425 o.in.attr = r->in.attr;
426 o.in.access_mask = r->in.access_mask;
427
428 o.out.handle = r->out.handle;
429
430 return _lsa_OpenPolicy2(p, &o);
431 }
432
433 /***************************************************************************
434 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
435 ufff, done :) mimir
436 ***************************************************************************/
437
438 NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
439 struct lsa_EnumTrustDom *r)
440 {
441 struct lsa_info *info;
442 uint32_t count;
443 struct trustdom_info **domains;
444 struct lsa_DomainInfo *entries;
445 int i;
446 NTSTATUS nt_status;
447
448 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
449 return NT_STATUS_INVALID_HANDLE;
450
451 if (info->type != LSA_HANDLE_POLICY_TYPE) {
452 return NT_STATUS_INVALID_HANDLE;
453 }
454
455 /* check if the user has enough rights */
456 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
457 return NT_STATUS_ACCESS_DENIED;
458
459 become_root();
460 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &count, &domains);
461 unbecome_root();
462
463 if (!NT_STATUS_IS_OK(nt_status)) {
464 return nt_status;
465 }
466
467 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo, count);
468 if (!entries) {
469 return NT_STATUS_NO_MEMORY;
470 }
471
472 for (i=0; i<count; i++) {
473 init_lsa_StringLarge(&entries[i].name, domains[i]->name);
474 entries[i].sid = &domains[i]->sid;
475 }
476
477 if (*r->in.resume_handle >= count) {
478 *r->out.resume_handle = -1;
479 TALLOC_FREE(entries);
480 return NT_STATUS_NO_MORE_ENTRIES;
481 }
482
483 /* return the rest, limit by max_size. Note that we
484 use the w2k3 element size value of 60 */
485 r->out.domains->count = count - *r->in.resume_handle;
486 r->out.domains->count = MIN(r->out.domains->count,
487 1+(r->in.max_size/LSA_ENUM_TRUST_DOMAIN_MULTIPLIER));
488
489 r->out.domains->domains = entries + *r->in.resume_handle;
490
491 if (r->out.domains->count < count - *r->in.resume_handle) {
492 *r->out.resume_handle = *r->in.resume_handle + r->out.domains->count;
493 return STATUS_MORE_ENTRIES;
494 }
495
496 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
497 * always be larger than the previous input resume handle, in
498 * particular when hitting the last query it is vital to set the
499 * resume handle correctly to avoid infinite client loops, as
500 * seen e.g. with Windows XP SP3 when resume handle is 0 and
501 * status is NT_STATUS_OK - gd */
502
503 *r->out.resume_handle = (uint32_t)-1;
504
505 return NT_STATUS_OK;
506 }
507
508 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
509 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
510 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
511
512 /***************************************************************************
513 _lsa_QueryInfoPolicy
514 ***************************************************************************/
515
516 NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
517 struct lsa_QueryInfoPolicy *r)
518 {
519 NTSTATUS status = NT_STATUS_OK;
520 struct lsa_info *handle;
521 DOM_SID domain_sid;
522 const char *name;
523 DOM_SID *sid = NULL;
524 union lsa_PolicyInformation *info = NULL;
525 uint32_t acc_required = 0;
526
527 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
528 return NT_STATUS_INVALID_HANDLE;
529
530 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
531 return NT_STATUS_INVALID_HANDLE;
532 }
533
534 switch (r->in.level) {
535 case LSA_POLICY_INFO_AUDIT_LOG:
536 case LSA_POLICY_INFO_AUDIT_EVENTS:
537 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
538 break;
539 case LSA_POLICY_INFO_DOMAIN:
540 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
541 break;
542 case LSA_POLICY_INFO_PD:
543 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
544 break;
545 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
546 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
547 break;
548 case LSA_POLICY_INFO_ROLE:
549 case LSA_POLICY_INFO_REPLICA:
550 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
551 break;
552 case LSA_POLICY_INFO_QUOTA:
553 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
554 break;
555 case LSA_POLICY_INFO_MOD:
556 case LSA_POLICY_INFO_AUDIT_FULL_SET:
557 /* according to MS-LSAD 3.1.4.4.3 */
558 return NT_STATUS_INVALID_PARAMETER;
559 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
560 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
561 break;
562 case LSA_POLICY_INFO_DNS:
563 case LSA_POLICY_INFO_DNS_INT:
564 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
565 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
566 break;
567 default:
568 break;
569 }
570
571 if (!(handle->access & acc_required)) {
572 /* return NT_STATUS_ACCESS_DENIED; */
573 }
574
575 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
576 if (!info) {
577 return NT_STATUS_NO_MEMORY;
578 }
579
580 switch (r->in.level) {
581 /* according to MS-LSAD 3.1.4.4.3 */
582 case LSA_POLICY_INFO_MOD:
583 case LSA_POLICY_INFO_AUDIT_FULL_SET:
584 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
585 return NT_STATUS_INVALID_PARAMETER;
586 case LSA_POLICY_INFO_AUDIT_LOG:
587 info->audit_log.percent_full = 0;
588 info->audit_log.maximum_log_size = 0;
589 info->audit_log.retention_time = 0;
590 info->audit_log.shutdown_in_progress = 0;
591 info->audit_log.time_to_shutdown = 0;
592 info->audit_log.next_audit_record = 0;
593 status = NT_STATUS_OK;
594 break;
595 case LSA_POLICY_INFO_PD:
596 info->pd.name.string = NULL;
597 status = NT_STATUS_OK;
598 break;
599 case LSA_POLICY_INFO_REPLICA:
600 info->replica.source.string = NULL;
601 info->replica.account.string = NULL;
602 status = NT_STATUS_OK;
603 break;
604 case LSA_POLICY_INFO_QUOTA:
605 info->quota.paged_pool = 0;
606 info->quota.non_paged_pool = 0;
607 info->quota.min_wss = 0;
608 info->quota.max_wss = 0;
609 info->quota.pagefile = 0;
610 info->quota.unknown = 0;
611 status = NT_STATUS_OK;
612 break;
613 case LSA_POLICY_INFO_AUDIT_EVENTS:
614 {
615
616 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
617
618 /* check if the user has enough rights */
619 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
620 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
621 return NT_STATUS_ACCESS_DENIED;
622 }
623
624 /* fake info: We audit everything. ;) */
625
626 info->audit_events.auditing_mode = true;
627 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
628 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
629 enum lsa_PolicyAuditPolicy,
630 info->audit_events.count);
631 if (!info->audit_events.settings) {
632 return NT_STATUS_NO_MEMORY;
633 }
634
635 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
636 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
637 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
638 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
639 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
640 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
641 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
642
643 break;
644 }
645 case LSA_POLICY_INFO_DOMAIN:
646 /* check if the user has enough rights */
647 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
648 return NT_STATUS_ACCESS_DENIED;
649
650 /* Request PolicyPrimaryDomainInformation. */
651 switch (lp_server_role()) {
652 case ROLE_DOMAIN_PDC:
653 case ROLE_DOMAIN_BDC:
654 name = get_global_sam_name();
655 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
656 if (!sid) {
657 return NT_STATUS_NO_MEMORY;
658 }
659 break;
660 case ROLE_DOMAIN_MEMBER:
661 name = lp_workgroup();
662 /* We need to return the Domain SID here. */
663 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
664 sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
665 if (!sid) {
666 return NT_STATUS_NO_MEMORY;
667 }
668 } else {
669 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
670 }
671 break;
672 case ROLE_STANDALONE:
673 name = lp_workgroup();
674 sid = NULL;
675 break;
676 default:
677 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
678 }
679 init_dom_query_3(&info->domain, name, sid);
680 break;
681 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
682 /* check if the user has enough rights */
683 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
684 return NT_STATUS_ACCESS_DENIED;
685
686 /* Request PolicyAccountDomainInformation. */
687 name = get_global_sam_name();
688 sid = get_global_sam_sid();
689
690 init_dom_query_5(&info->account_domain, name, sid);
691 break;
692 case LSA_POLICY_INFO_ROLE:
693 /* check if the user has enough rights */
694 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
695 return NT_STATUS_ACCESS_DENIED;
696
697 switch (lp_server_role()) {
698 case ROLE_DOMAIN_BDC:
699 /*
700 * only a BDC is a backup controller
701 * of the domain, it controls.
702 */
703 info->role.role = LSA_ROLE_BACKUP;
704 break;
705 default:
706 /*
707 * any other role is a primary
708 * of the domain, it controls.
709 */
710 info->role.role = LSA_ROLE_PRIMARY;
711 break;
712 }
713 break;
714 case LSA_POLICY_INFO_DNS:
715 case LSA_POLICY_INFO_DNS_INT: {
716 struct pdb_domain_info *dominfo;
717
718 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
719 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
720 "without ADS passdb backend\n"));
721 status = NT_STATUS_INVALID_INFO_CLASS;
722 break;
723 }
724
725 dominfo = pdb_get_domain_info(info);
726 if (dominfo == NULL) {
727 status = NT_STATUS_NO_MEMORY;
728 break;
729 }
730
731 init_lsa_StringLarge(&info->dns.name,
732 dominfo->name);
733 init_lsa_StringLarge(&info->dns.dns_domain,
734 dominfo->dns_domain);
735 init_lsa_StringLarge(&info->dns.dns_forest,
736 dominfo->dns_forest);
737 info->dns.domain_guid = dominfo->guid;
738 info->dns.sid = &dominfo->sid;
739 break;
740 }
741 default:
742 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
743 r->in.level));
744 status = NT_STATUS_INVALID_INFO_CLASS;
745 break;
746 }
747
748 *r->out.info = info;
749
750 return status;
751 }
752
753 /***************************************************************************
754 _lsa_QueryInfoPolicy2
755 ***************************************************************************/
756
757 NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p,
758 struct lsa_QueryInfoPolicy2 *r2)
759 {
760 struct lsa_QueryInfoPolicy r;
761
762 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
763 p->rng_fault_state = True;
764 return NT_STATUS_NOT_IMPLEMENTED;
765 }
766
767 ZERO_STRUCT(r);
768 r.in.handle = r2->in.handle;
769 r.in.level = r2->in.level;
770 r.out.info = r2->out.info;
771
772 return _lsa_QueryInfoPolicy(p, &r);
773 }
774
775 /***************************************************************************
776 _lsa_lookup_sids_internal
777 ***************************************************************************/
778
779 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
780 TALLOC_CTX *mem_ctx,
781 uint16_t level, /* input */
782 int num_sids, /* input */
783 struct lsa_SidPtr *sid, /* input */
784 struct lsa_RefDomainList **pp_ref, /* input/output */
785 struct lsa_TranslatedName2 **pp_names,/* input/output */
786 uint32_t *pp_mapped_count) /* input/output */
787 {
788 NTSTATUS status;
789 int i;
790 const DOM_SID **sids = NULL;
791 struct lsa_RefDomainList *ref = NULL;
792 uint32 mapped_count = 0;
793 struct lsa_dom_info *dom_infos = NULL;
794 struct lsa_name_info *name_infos = NULL;
795 struct lsa_TranslatedName2 *names = NULL;
796
797 *pp_mapped_count = 0;
798 *pp_names = NULL;
799 *pp_ref = NULL;
800
801 if (num_sids == 0) {
802 return NT_STATUS_OK;
803 }
804
805 sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
806 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
807
808 if (sids == NULL || ref == NULL) {
809 return NT_STATUS_NO_MEMORY;
810 }
811
812 for (i=0; i<num_sids; i++) {
813 sids[i] = sid[i].sid;
814 }
815
816 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
817 &dom_infos, &name_infos);
818
819 if (!NT_STATUS_IS_OK(status)) {
820 return status;
821 }
822
823 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
824 if (names == NULL) {
825 return NT_STATUS_NO_MEMORY;
826 }
827
828 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
829
830 if (!dom_infos[i].valid) {
831 break;
832 }
833
834 if (init_lsa_ref_domain_list(mem_ctx, ref,
835 dom_infos[i].name,
836 &dom_infos[i].sid) != i) {
837 DEBUG(0, ("Domain %s mentioned twice??\n",
838 dom_infos[i].name));
839 return NT_STATUS_INTERNAL_ERROR;
840 }
841 }
842
843 for (i=0; i<num_sids; i++) {
844 struct lsa_name_info *name = &name_infos[i];
845
846 if (name->type == SID_NAME_UNKNOWN) {
847 fstring tmp;
848 name->dom_idx = -1;
849 /* Unknown sids should return the string
850 * representation of the SID. Windows 2003 behaves
851 * rather erratic here, in many cases it returns the
852 * RID as 8 bytes hex, in others it returns the full
853 * SID. We (Jerry/VL) could not figure out which the
854 * hard cases are, so leave it with the SID. */
855 name->name = talloc_asprintf(p->mem_ctx, "%s",
856 sid_to_fstring(tmp,
857 sids[i]));
858 if (name->name == NULL) {
859 return NT_STATUS_NO_MEMORY;
860 }
861 } else {
862 mapped_count += 1;
863 }
864
865 names[i].sid_type = name->type;
866 names[i].name.string = name->name;
867 names[i].sid_index = name->dom_idx;
868 names[i].unknown = 0;
869 }
870
871 status = NT_STATUS_NONE_MAPPED;
872 if (mapped_count > 0) {
873 status = (mapped_count < num_sids) ?
874 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
875 }
876
877 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
878 num_sids, mapped_count, nt_errstr(status)));
879
880 *pp_mapped_count = mapped_count;
881 *pp_names = names;
882 *pp_ref = ref;
883
884 return status;
885 }
886
887 /***************************************************************************
888 _lsa_LookupSids
889 ***************************************************************************/
890
891 NTSTATUS _lsa_LookupSids(pipes_struct *p,
892 struct lsa_LookupSids *r)
893 {
894 NTSTATUS status;
895 struct lsa_info *handle;
896 int num_sids = r->in.sids->num_sids;
897 uint32 mapped_count = 0;
898 struct lsa_RefDomainList *domains = NULL;
899 struct lsa_TranslatedName *names_out = NULL;
900 struct lsa_TranslatedName2 *names = NULL;
901 int i;
902
903 if ((r->in.level < 1) || (r->in.level > 6)) {
904 return NT_STATUS_INVALID_PARAMETER;
905 }
906
907 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
908 return NT_STATUS_INVALID_HANDLE;
909 }
910
911 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
912 return NT_STATUS_INVALID_HANDLE;
913 }
914
915 /* check if the user has enough rights */
916 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
917 return NT_STATUS_ACCESS_DENIED;
918 }
919
920 if (num_sids > MAX_LOOKUP_SIDS) {
921 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
922 MAX_LOOKUP_SIDS, num_sids));
923 return NT_STATUS_NONE_MAPPED;
924 }
925
926 status = _lsa_lookup_sids_internal(p,
927 p->mem_ctx,
928 r->in.level,
929 num_sids,
930 r->in.sids->sids,
931 &domains,
932 &names,
933 &mapped_count);
934
935 /* Only return here when there is a real error.
936 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
937 the requested sids could be resolved. Older versions of XP (pre SP3)
938 rely that we return with the string representations of those SIDs in
939 that case. If we don't, XP crashes - Guenther
940 */
941
942 if (NT_STATUS_IS_ERR(status) &&
943 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
944 return status;
945 }
946
947 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
948 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
949 num_sids);
950 if (!names_out) {
951 return NT_STATUS_NO_MEMORY;
952 }
953
954 for (i=0; i<num_sids; i++) {
955 names_out[i].sid_type = names[i].sid_type;
956 names_out[i].name = names[i].name;
957 names_out[i].sid_index = names[i].sid_index;
958 }
959
960 *r->out.domains = domains;
961 r->out.names->count = num_sids;
962 r->out.names->names = names_out;
963 *r->out.count = mapped_count;
964
965 return status;
966 }
967
968 /***************************************************************************
969 _lsa_LookupSids2
970 ***************************************************************************/
971
972 NTSTATUS _lsa_LookupSids2(pipes_struct *p,
973 struct lsa_LookupSids2 *r)
974 {
975 NTSTATUS status;
976 struct lsa_info *handle;
977 int num_sids = r->in.sids->num_sids;
978 uint32 mapped_count = 0;
979 struct lsa_RefDomainList *domains = NULL;
980 struct lsa_TranslatedName2 *names = NULL;
981 bool check_policy = true;
982
983 switch (p->hdr_req.opnum) {
984 case NDR_LSA_LOOKUPSIDS3:
985 check_policy = false;
986 break;
987 case NDR_LSA_LOOKUPSIDS2:
988 default:
989 check_policy = true;
990 }
991
992 if ((r->in.level < 1) || (r->in.level > 6)) {
993 return NT_STATUS_INVALID_PARAMETER;
994 }
995
996 if (check_policy) {
997 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
998 return NT_STATUS_INVALID_HANDLE;
999 }
1000
1001 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1002 return NT_STATUS_INVALID_HANDLE;
1003 }
1004
1005 /* check if the user has enough rights */
1006 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1007 return NT_STATUS_ACCESS_DENIED;
1008 }
1009 }
1010
1011 if (num_sids > MAX_LOOKUP_SIDS) {
1012 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
1013 MAX_LOOKUP_SIDS, num_sids));
1014 return NT_STATUS_NONE_MAPPED;
1015 }
1016
1017 status = _lsa_lookup_sids_internal(p,
1018 p->mem_ctx,
1019 r->in.level,
1020 num_sids,
1021 r->in.sids->sids,
1022 &domains,
1023 &names,
1024 &mapped_count);
1025
1026 *r->out.domains = domains;
1027 r->out.names->count = num_sids;
1028 r->out.names->names = names;
1029 *r->out.count = mapped_count;
1030
1031 return status;
1032 }
1033
1034 /***************************************************************************
1035 _lsa_LookupSids3
1036 ***************************************************************************/
1037
1038 NTSTATUS _lsa_LookupSids3(pipes_struct *p,
1039 struct lsa_LookupSids3 *r)
1040 {
1041 struct lsa_LookupSids2 q;
1042
1043 /* No policy handle on this call. Restrict to crypto connections. */
1044 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1045 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
1046 get_remote_machine_name() ));
1047 return NT_STATUS_INVALID_PARAMETER;
1048 }
1049
1050 q.in.handle = NULL;
1051 q.in.sids = r->in.sids;
1052 q.in.level = r->in.level;
1053 q.in.lookup_options = r->in.lookup_options;
1054 q.in.client_revision = r->in.client_revision;
1055 q.in.names = r->in.names;
1056 q.in.count = r->in.count;
1057
1058 q.out.domains = r->out.domains;
1059 q.out.names = r->out.names;
1060 q.out.count = r->out.count;
1061
1062 return _lsa_LookupSids2(p, &q);
1063 }
1064
1065 /***************************************************************************
1066 ***************************************************************************/
1067
1068 static int lsa_lookup_level_to_flags(enum lsa_LookupNamesLevel level)
1069 {
1070 int flags;
1071
1072 switch (level) {
1073 case LSA_LOOKUP_NAMES_ALL: /* 1 */
1074 flags = LOOKUP_NAME_ALL;
1075 break;
1076 case LSA_LOOKUP_NAMES_DOMAINS_ONLY: /* 2 */
1077 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1078 break;
1079 case LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY: /* 3 */
1080 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1081 break;
1082 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY: /* 4 */
1083 case LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY: /* 5 */
1084 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2: /* 6 */
1085 case LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC: /* 7 */
1086 default:
1087 flags = LOOKUP_NAME_NONE;
1088 break;
1089 }
1090
1091 return flags;
1092 }
1093
1094 /***************************************************************************
1095 _lsa_LookupNames
1096 ***************************************************************************/
1097
1098 NTSTATUS _lsa_LookupNames(pipes_struct *p,
1099 struct lsa_LookupNames *r)
1100 {
1101 NTSTATUS status = NT_STATUS_NONE_MAPPED;
1102 struct lsa_info *handle;
1103 struct lsa_String *names = r->in.names;
1104 uint32 num_entries = r->in.num_names;
1105 struct lsa_RefDomainList *domains = NULL;
1106 struct lsa_TranslatedSid *rids = NULL;
1107 uint32 mapped_count = 0;
1108 int flags = 0;
1109
1110 if (num_entries > MAX_LOOKUP_SIDS) {
1111 num_entries = MAX_LOOKUP_SIDS;
1112 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1113 num_entries));
1114 }
1115
1116 flags = lsa_lookup_level_to_flags(r->in.level);
1117
1118 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1119 if (!domains) {
1120 return NT_STATUS_NO_MEMORY;
1121 }
1122
1123 if (num_entries) {
1124 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1125 num_entries);
1126 if (!rids) {
1127 return NT_STATUS_NO_MEMORY;
1128 }
1129 } else {
1130 rids = NULL;
1131 }
1132
1133 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1134 status = NT_STATUS_INVALID_HANDLE;
1135 goto done;
1136 }
1137
1138 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1139 return NT_STATUS_INVALID_HANDLE;
1140 }
1141
1142 /* check if the user has enough rights */
1143 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1144 status = NT_STATUS_ACCESS_DENIED;
1145 goto done;
1146 }
1147
1148 /* set up the LSA Lookup RIDs response */
1149 become_root(); /* lookup_name can require root privs */
1150 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1151 names, flags, &mapped_count);
1152 unbecome_root();
1153
1154 done:
1155
1156 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1157 if (mapped_count == 0) {
1158 status = NT_STATUS_NONE_MAPPED;
1159 } else if (mapped_count != num_entries) {
1160 status = STATUS_SOME_UNMAPPED;
1161 }
1162 }
1163
1164 *r->out.count = mapped_count;
1165 *r->out.domains = domains;
1166 r->out.sids->sids = rids;
1167 r->out.sids->count = num_entries;
1168
1169 return status;
1170 }
1171
1172 /***************************************************************************
1173 _lsa_LookupNames2
1174 ***************************************************************************/
1175
1176 NTSTATUS _lsa_LookupNames2(pipes_struct *p,
1177 struct lsa_LookupNames2 *r)
1178 {
1179 NTSTATUS status;
1180 struct lsa_LookupNames q;
1181 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1182 struct lsa_TransSidArray *sid_array = NULL;
1183 uint32_t i;
1184
1185 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1186 if (!sid_array) {
1187 return NT_STATUS_NO_MEMORY;
1188 }
1189
1190 q.in.handle = r->in.handle;
1191 q.in.num_names = r->in.num_names;
1192 q.in.names = r->in.names;
1193 q.in.level = r->in.level;
1194 q.in.sids = sid_array;
1195 q.in.count = r->in.count;
1196 /* we do not know what this is for */
1197 /* = r->in.unknown1; */
1198 /* = r->in.unknown2; */
1199
1200 q.out.domains = r->out.domains;
1201 q.out.sids = sid_array;
1202 q.out.count = r->out.count;
1203
1204 status = _lsa_LookupNames(p, &q);
1205
1206 sid_array2->count = sid_array->count;
1207 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1208 if (!sid_array2->sids) {
1209 return NT_STATUS_NO_MEMORY;
1210 }
1211
1212 for (i=0; i<sid_array->count; i++) {
1213 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1214 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1215 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1216 sid_array2->sids[i].unknown = 0;
1217 }
1218
1219 r->out.sids = sid_array2;
1220
1221 return status;
1222 }
1223
1224 /***************************************************************************
1225 _lsa_LookupNames3
1226 ***************************************************************************/
1227
1228 NTSTATUS _lsa_LookupNames3(pipes_struct *p,
1229 struct lsa_LookupNames3 *r)
1230 {
1231 NTSTATUS status;
1232 struct lsa_info *handle;
1233 struct lsa_String *names = r->in.names;
1234 uint32 num_entries = r->in.num_names;
1235 struct lsa_RefDomainList *domains = NULL;
1236 struct lsa_TranslatedSid3 *trans_sids = NULL;
1237 uint32 mapped_count = 0;
1238 int flags = 0;
1239 bool check_policy = true;
1240
1241 switch (p->hdr_req.opnum) {
1242 case NDR_LSA_LOOKUPNAMES4:
1243 check_policy = false;
1244 break;
1245 case NDR_LSA_LOOKUPNAMES3:
1246 default:
1247 check_policy = true;
1248 }
1249
1250 if (num_entries > MAX_LOOKUP_SIDS) {
1251 num_entries = MAX_LOOKUP_SIDS;
1252 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1253 }
1254
1255 /* Probably the lookup_level is some sort of bitmask. */
1256 if (r->in.level == 1) {
1257 flags = LOOKUP_NAME_ALL;
1258 }
1259
1260 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1261 if (!domains) {
1262 return NT_STATUS_NO_MEMORY;
1263 }
1264
1265 if (num_entries) {
1266 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1267 num_entries);
1268 if (!trans_sids) {
1269 return NT_STATUS_NO_MEMORY;
1270 }
1271 } else {
1272 trans_sids = NULL;
1273 }
1274
1275 if (check_policy) {
1276
1277 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1278 status = NT_STATUS_INVALID_HANDLE;
1279 goto done;
1280 }
1281
1282 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1283 return NT_STATUS_INVALID_HANDLE;
1284 }
1285
1286 /* check if the user has enough rights */
1287 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1288 status = NT_STATUS_ACCESS_DENIED;
1289 goto done;
1290 }
1291 }
1292
1293 /* set up the LSA Lookup SIDs response */
1294 become_root(); /* lookup_name can require root privs */
1295 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1296 names, flags, &mapped_count);
1297 unbecome_root();
1298
1299 done:
1300
1301 if (NT_STATUS_IS_OK(status)) {
1302 if (mapped_count == 0) {
1303 status = NT_STATUS_NONE_MAPPED;
1304 } else if (mapped_count != num_entries) {
1305 status = STATUS_SOME_UNMAPPED;
1306 }
1307 }
1308
1309 *r->out.count = mapped_count;
1310 *r->out.domains = domains;
1311 r->out.sids->sids = trans_sids;
1312 r->out.sids->count = num_entries;
1313
1314 return status;
1315 }
1316
1317 /***************************************************************************
1318 _lsa_LookupNames4
1319 ***************************************************************************/
1320
1321 NTSTATUS _lsa_LookupNames4(pipes_struct *p,
1322 struct lsa_LookupNames4 *r)
1323 {
1324 struct lsa_LookupNames3 q;
1325
1326 /* No policy handle on this call. Restrict to crypto connections. */
1327 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1328 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1329 get_remote_machine_name() ));
1330 return NT_STATUS_INVALID_PARAMETER;
1331 }
1332
1333 q.in.handle = NULL;
1334 q.in.num_names = r->in.num_names;
1335 q.in.names = r->in.names;
1336 q.in.level = r->in.level;
1337 q.in.lookup_options = r->in.lookup_options;
1338 q.in.client_revision = r->in.client_revision;
1339 q.in.sids = r->in.sids;
1340 q.in.count = r->in.count;
1341
1342 q.out.domains = r->out.domains;
1343 q.out.sids = r->out.sids;
1344 q.out.count = r->out.count;
1345
1346 return _lsa_LookupNames3(p, &q);
1347 }
1348
1349 /***************************************************************************
1350 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1351 ***************************************************************************/
1352
1353 NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
1354 {
1355 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1356 return NT_STATUS_INVALID_HANDLE;
1357 }
1358
1359 close_policy_hnd(p, r->in.handle);
1360 ZERO_STRUCTP(r->out.handle);
1361 return NT_STATUS_OK;
1362 }
1363
1364 /***************************************************************************
1365 ***************************************************************************/
1366
1367 NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
1368 {
1369 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1370 }
1371
1372 /***************************************************************************
1373 ***************************************************************************/
1374
1375 NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
1376 {
1377 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1378 }
1379
1380 /***************************************************************************
1381 ***************************************************************************/
1382
1383 NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
1384 {
1385 return NT_STATUS_ACCESS_DENIED;
1386 }
1387
1388 /***************************************************************************
1389 ***************************************************************************/
1390
1391 NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
1392 {
1393 return NT_STATUS_ACCESS_DENIED;
1394 }
1395
1396 /***************************************************************************
1397 ***************************************************************************/
1398
1399 NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
1400 {
1401 return NT_STATUS_ACCESS_DENIED;
1402 }
1403
1404 /***************************************************************************
1405 _lsa_DeleteObject
1406 ***************************************************************************/
1407
1408 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
1409 struct lsa_DeleteObject *r)
1410 {
1411 NTSTATUS status;
1412 struct lsa_info *info = NULL;
1413
1414 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1415 return NT_STATUS_INVALID_HANDLE;
1416 }
1417
1418 if (!(info->access & STD_RIGHT_DELETE_ACCESS)) {
1419 return NT_STATUS_ACCESS_DENIED;
1420 }
1421
1422 switch (info->type) {
1423 case LSA_HANDLE_ACCOUNT_TYPE:
1424 status = privilege_delete_account(&info->sid);
1425 if (!NT_STATUS_IS_OK(status)) {
1426 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1427 nt_errstr(status)));
1428 return status;
1429 }
1430 break;
1431 default:
1432 return NT_STATUS_INVALID_HANDLE;
1433 }
1434
1435 close_policy_hnd(p, r->in.handle);
1436 ZERO_STRUCTP(r->out.handle);
1437
1438 return status;
1439 }
1440
1441 /***************************************************************************
1442 _lsa_EnumPrivs
1443 ***************************************************************************/
1444
1445 NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
1446 struct lsa_EnumPrivs *r)
1447 {
1448 struct lsa_info *handle;
1449 uint32 i;
1450 uint32 enum_context = *r->in.resume_handle;
1451 int num_privs = count_all_privileges();
1452 struct lsa_PrivEntry *entries = NULL;
1453 LUID_ATTR luid;
1454
1455 /* remember that the enum_context starts at 0 and not 1 */
1456
1457 if ( enum_context >= num_privs )
1458 return NT_STATUS_NO_MORE_ENTRIES;
1459
1460 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1461 enum_context, num_privs));
1462
1463 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1464 return NT_STATUS_INVALID_HANDLE;
1465
1466 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1467 return NT_STATUS_INVALID_HANDLE;
1468 }
1469
1470 /* check if the user has enough rights
1471 I don't know if it's the right one. not documented. */
1472
1473 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1474 return NT_STATUS_ACCESS_DENIED;
1475
1476 if (num_privs) {
1477 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1478 if (!entries) {
1479 return NT_STATUS_NO_MEMORY;
1480 }
1481 } else {
1482 entries = NULL;
1483 }
1484
1485 for (i = 0; i < num_privs; i++) {
1486 if( i < enum_context) {
1487
1488 init_lsa_StringLarge(&entries[i].name, NULL);
1489
1490 entries[i].luid.low = 0;
1491 entries[i].luid.high = 0;
1492 } else {
1493
1494 init_lsa_StringLarge(&entries[i].name, privs[i].name);
1495
1496 luid = get_privilege_luid( &privs[i].se_priv );
1497
1498 entries[i].luid.low = luid.luid.low;
1499 entries[i].luid.high = luid.luid.high;
1500 }
1501 }
1502
1503 enum_context = num_privs;
1504
1505 *r->out.resume_handle = enum_context;
1506 r->out.privs->count = num_privs;
1507 r->out.privs->privs = entries;
1508
1509 return NT_STATUS_OK;
1510 }
1511
1512 /***************************************************************************
1513 _lsa_LookupPrivDisplayName
1514 ***************************************************************************/
1515
1516 NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
1517 struct lsa_LookupPrivDisplayName *r)
1518 {
1519 struct lsa_info *handle;
1520 const char *description;
1521 struct lsa_StringLarge *lsa_name;
1522
1523 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1524 return NT_STATUS_INVALID_HANDLE;
1525
1526 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1527 return NT_STATUS_INVALID_HANDLE;
1528 }
1529
1530 /* check if the user has enough rights */
1531
1532 /*
1533 * I don't know if it's the right one. not documented.
1534 */
1535 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1536 return NT_STATUS_ACCESS_DENIED;
1537
1538 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1539
1540 description = get_privilege_dispname(r->in.name->string);
1541 if (!description) {
1542 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1543 return NT_STATUS_NO_SUCH_PRIVILEGE;
1544 }
1545
1546 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1547
1548 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1549 if (!lsa_name) {
1550 return NT_STATUS_NO_MEMORY;
1551 }
1552
1553 init_lsa_StringLarge(lsa_name, description);
1554
1555 *r->out.returned_language_id = r->in.language_id;
1556 *r->out.disp_name = lsa_name;
1557
1558 return NT_STATUS_OK;
1559 }
1560
1561 /***************************************************************************
1562 _lsa_EnumAccounts
1563 ***************************************************************************/
1564
1565 NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
1566 struct lsa_EnumAccounts *r)
1567 {
1568 struct lsa_info *handle;
1569 DOM_SID *sid_list;
1570 int i, j, num_entries;
1571 NTSTATUS status;
1572 struct lsa_SidPtr *sids = NULL;
1573
1574 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1575 return NT_STATUS_INVALID_HANDLE;
1576
1577 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1578 return NT_STATUS_INVALID_HANDLE;
1579 }
1580
1581 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1582 return NT_STATUS_ACCESS_DENIED;
1583
1584 sid_list = NULL;
1585 num_entries = 0;
1586
1587 /* The only way we can currently find out all the SIDs that have been
1588 privileged is to scan all privileges */
1589
1590 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1591 if (!NT_STATUS_IS_OK(status)) {
1592 return status;
1593 }
1594
1595 if (*r->in.resume_handle >= num_entries) {
1596 return NT_STATUS_NO_MORE_ENTRIES;
1597 }
1598
1599 if (num_entries - *r->in.resume_handle) {
1600 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1601 num_entries - *r->in.resume_handle);
1602 if (!sids) {
1603 talloc_free(sid_list);
1604 return NT_STATUS_NO_MEMORY;
1605 }
1606
1607 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1608 sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1609 if (!sids[j].sid) {
1610 talloc_free(sid_list);
1611 return NT_STATUS_NO_MEMORY;
1612 }
1613 }
1614 }
1615
1616 talloc_free(sid_list);
1617
1618 *r->out.resume_handle = num_entries;
1619 r->out.sids->num_sids = num_entries;
1620 r->out.sids->sids = sids;
1621
1622 return NT_STATUS_OK;
1623 }
1624
1625 /***************************************************************************
1626 _lsa_GetUserName
1627 ***************************************************************************/
1628
1629 NTSTATUS _lsa_GetUserName(pipes_struct *p,
1630 struct lsa_GetUserName *r)
1631 {
1632 const char *username, *domname;
1633 struct lsa_String *account_name = NULL;
1634 struct lsa_String *authority_name = NULL;
1635
1636 if (r->in.account_name &&
1637 *r->in.account_name) {
1638 return NT_STATUS_INVALID_PARAMETER;
1639 }
1640
1641 if (r->in.authority_name &&
1642 *r->in.authority_name) {
1643 return NT_STATUS_INVALID_PARAMETER;
1644 }
1645
1646 if (p->server_info->guest) {
1647 /*
1648 * I'm 99% sure this is not the right place to do this,
1649 * global_sid_Anonymous should probably be put into the token
1650 * instead of the guest id -- vl
1651 */
1652 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1653 &domname, &username, NULL)) {
1654 return NT_STATUS_NO_MEMORY;
1655 }
1656 } else {
1657 username = p->server_info->sanitized_username;
1658 domname = pdb_get_domain(p->server_info->sam_account);
1659 }
1660
1661 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1662 if (!account_name) {
1663 return NT_STATUS_NO_MEMORY;
1664 }
1665 init_lsa_String(account_name, username);
1666
1667 if (r->out.authority_name) {
1668 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1669 if (!authority_name) {
1670 return NT_STATUS_NO_MEMORY;
1671 }
1672 init_lsa_String(authority_name, domname);
1673 }
1674
1675 *r->out.account_name = account_name;
1676 if (r->out.authority_name) {
1677 *r->out.authority_name = authority_name;
1678 }
1679
1680 return NT_STATUS_OK;
1681 }
1682
1683 /***************************************************************************
1684 _lsa_CreateAccount
1685 ***************************************************************************/
1686
1687 NTSTATUS _lsa_CreateAccount(pipes_struct *p,
1688 struct lsa_CreateAccount *r)
1689 {
1690 NTSTATUS status;
1691 struct lsa_info *handle;
1692 struct lsa_info *info;
1693 uint32_t acc_granted;
1694 struct security_descriptor *psd;
1695 size_t sd_size;
1696
1697 /* find the connection policy handle. */
1698 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1699 return NT_STATUS_INVALID_HANDLE;
1700
1701 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1702 return NT_STATUS_INVALID_HANDLE;
1703 }
1704
1705 /* check if the user has enough rights */
1706
1707 if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
1708 return NT_STATUS_ACCESS_DENIED;
1709 }
1710
1711 /* Work out max allowed. */
1712 map_max_allowed_access(p->server_info->ptok,
1713 &p->server_info->utok,
1714 &r->in.access_mask);
1715
1716 /* map the generic bits to the lsa policy ones */
1717 se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1718
1719 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1720 &lsa_account_mapping,
1721 r->in.sid, LSA_POLICY_ALL_ACCESS);
1722 if (!NT_STATUS_IS_OK(status)) {
1723 return status;
1724 }
1725
1726 status = access_check_object(psd, p->server_info->ptok,
1727 NULL, 0, r->in.access_mask,
1728 &acc_granted, "_lsa_CreateAccount");
1729 if (!NT_STATUS_IS_OK(status)) {
1730 return status;
1731 }
1732
1733 if ( is_privileged_sid( r->in.sid ) )
1734 return NT_STATUS_OBJECT_NAME_COLLISION;
1735
1736 /* associate the user/group SID with the (unique) handle. */
1737
1738 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1739 if (info == NULL) {
1740 return NT_STATUS_NO_MEMORY;
1741 }
1742
1743 info->sid = *r->in.sid;
1744 info->access = acc_granted;
1745 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1746
1747 /* get a (unique) handle. open a policy on it. */
1748 if (!create_policy_hnd(p, r->out.acct_handle, info))
1749 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1750
1751 return privilege_create_account( &info->sid );
1752 }
1753
1754 /***************************************************************************
1755 _lsa_OpenAccount
1756 ***************************************************************************/
1757
1758 NTSTATUS _lsa_OpenAccount(pipes_struct *p,
1759 struct lsa_OpenAccount *r)
1760 {
1761 struct lsa_info *handle;
1762 struct lsa_info *info;
1763 SEC_DESC *psd = NULL;
1764 size_t sd_size;
1765 uint32_t des_access = r->in.access_mask;
1766 uint32_t acc_granted;
1767 NTSTATUS status;
1768
1769 /* find the connection policy handle. */
1770 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1771 return NT_STATUS_INVALID_HANDLE;
1772
1773 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1774 return NT_STATUS_INVALID_HANDLE;
1775 }
1776
1777 /* des_access is for the account here, not the policy
1778 * handle - so don't check against policy handle. */
1779
1780 /* Work out max allowed. */
1781 map_max_allowed_access(p->server_info->ptok,
1782 &p->server_info->utok,
1783 &des_access);
1784
1785 /* map the generic bits to the lsa account ones */
1786 se_map_generic(&des_access, &lsa_account_mapping);
1787
1788 /* get the generic lsa account SD until we store it */
1789 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1790 &lsa_account_mapping,
1791 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1792 if (!NT_STATUS_IS_OK(status)) {
1793 return status;
1794 }
1795
1796 status = access_check_object(psd, p->server_info->ptok,
1797 NULL, 0, des_access,
1798 &acc_granted, "_lsa_OpenAccount" );
1799 if (!NT_STATUS_IS_OK(status)) {
1800 return status;
1801 }
1802
1803 /* TODO: Fis the parsing routine before reenabling this check! */
1804 #if 0
1805 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1806 return NT_STATUS_ACCESS_DENIED;
1807 #endif
1808 /* associate the user/group SID with the (unique) handle. */
1809 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1810 if (info == NULL) {
1811 return NT_STATUS_NO_MEMORY;
1812 }
1813
1814 info->sid = *r->in.sid;
1815 info->access = acc_granted;
1816 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1817
1818 /* get a (unique) handle. open a policy on it. */
1819 if (!create_policy_hnd(p, r->out.acct_handle, info))
1820 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1821
1822 return NT_STATUS_OK;
1823 }
1824
1825 /***************************************************************************
1826 _lsa_EnumPrivsAccount
1827 For a given SID, enumerate all the privilege this account has.
1828 ***************************************************************************/
1829
1830 NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
1831 struct lsa_EnumPrivsAccount *r)
1832 {
1833 NTSTATUS status = NT_STATUS_OK;
1834 struct lsa_info *info=NULL;
1835 SE_PRIV mask;
1836 PRIVILEGE_SET privileges;
1837 struct lsa_PrivilegeSet *priv_set = NULL;
1838 struct lsa_LUIDAttribute *luid_attrs = NULL;
1839 int i;
1840
1841 /* find the connection policy handle. */
1842 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1843 return NT_STATUS_INVALID_HANDLE;
1844
1845 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1846 return NT_STATUS_INVALID_HANDLE;
1847 }
1848
1849 if (!(info->access & LSA_ACCOUNT_VIEW))
1850 return NT_STATUS_ACCESS_DENIED;
1851
1852 get_privileges_for_sids(&mask, &info->sid, 1);
1853
1854 privilege_set_init( &privileges );
1855
1856 priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1857 if (!priv_set) {
1858 status = NT_STATUS_NO_MEMORY;
1859 goto done;
1860 }
1861
1862 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1863
1864 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1865 sid_string_dbg(&info->sid),
1866 privileges.count));
1867
1868 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1869 struct lsa_LUIDAttribute,
1870 privileges.count);
1871 if (!luid_attrs) {
1872 status = NT_STATUS_NO_MEMORY;
1873 goto done;
1874 }
1875
1876 for (i=0; i<privileges.count; i++) {
1877 luid_attrs[i].luid.low = privileges.set[i].luid.low;
1878 luid_attrs[i].luid.high = privileges.set[i].luid.high;
1879 luid_attrs[i].attribute = privileges.set[i].attr;
1880 }
1881
1882 priv_set->count = privileges.count;
1883 priv_set->unknown = 0;
1884 priv_set->set = luid_attrs;
1885
1886 } else {
1887 priv_set->count = 0;
1888 priv_set->unknown = 0;
1889 priv_set->set = NULL;
1890 }
1891
1892 *r->out.privs = priv_set;
1893
1894 done:
1895 privilege_set_free( &privileges );
1896
1897 return status;
1898 }
1899
1900 /***************************************************************************
1901 _lsa_GetSystemAccessAccount
1902 ***************************************************************************/
1903
1904 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
1905 struct lsa_GetSystemAccessAccount *r)
1906 {
1907 NTSTATUS status;
1908 struct lsa_info *info = NULL;
1909 struct lsa_EnumPrivsAccount e;
1910 struct lsa_PrivilegeSet *privset;
1911
1912 /* find the connection policy handle. */
1913
1914 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1915 return NT_STATUS_INVALID_HANDLE;
1916
1917 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1918 return NT_STATUS_INVALID_HANDLE;
1919 }
1920
1921 if (!(info->access & LSA_ACCOUNT_VIEW))
1922 return NT_STATUS_ACCESS_DENIED;
1923
1924 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1925 if (!privset) {
1926 return NT_STATUS_NO_MEMORY;
1927 }
1928
1929 e.in.handle = r->in.handle;
1930 e.out.privs = &privset;
1931
1932 status = _lsa_EnumPrivsAccount(p, &e);
1933 if (!NT_STATUS_IS_OK(status)) {
1934 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1935 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1936 nt_errstr(status)));
1937 return status;
1938 }
1939
1940 /* Samba4 would iterate over the privset to merge the policy mode bits,
1941 * not sure samba3 can do the same here, so just return what we did in
1942 * the past - gd */
1943
1944 /*
1945 0x01 -> Log on locally
1946 0x02 -> Access this computer from network
1947 0x04 -> Log on as a batch job
1948 0x10 -> Log on as a service
1949
1950 they can be ORed together
1951 */
1952
1953 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1954 LSA_POLICY_MODE_NETWORK;
1955
1956 return NT_STATUS_OK;
1957 }
1958
1959 /***************************************************************************
1960 update the systemaccount information
1961 ***************************************************************************/
1962
1963 NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
1964 struct lsa_SetSystemAccessAccount *r)
1965 {
1966 struct lsa_info *info=NULL;
1967 GROUP_MAP map;
1968
1969 /* find the connection policy handle. */
1970 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1971 return NT_STATUS_INVALID_HANDLE;
1972
1973 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1974 return NT_STATUS_INVALID_HANDLE;
1975 }
1976
1977 if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1978 return NT_STATUS_ACCESS_DENIED;
1979 }
1980
1981 if (!pdb_getgrsid(&map, info->sid))
1982 return NT_STATUS_NO_SUCH_GROUP;
1983
1984 return pdb_update_group_mapping_entry(&map);
1985 }
1986
1987 /***************************************************************************
1988 _lsa_AddPrivilegesToAccount
1989 For a given SID, add some privileges.
1990 ***************************************************************************/
1991
1992 NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
1993 struct lsa_AddPrivilegesToAccount *r)
1994 {
1995 struct lsa_info *info = NULL;
1996 SE_PRIV mask;
1997 struct lsa_PrivilegeSet *set = NULL;
1998
1999 /* find the connection policy handle. */
2000 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2001 return NT_STATUS_INVALID_HANDLE;
2002
2003 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2004 return NT_STATUS_INVALID_HANDLE;
2005 }
2006
2007 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2008 return NT_STATUS_ACCESS_DENIED;
2009 }
2010
2011 set = r->in.privs;
2012 if ( !privilege_set_to_se_priv( &mask, set ) )
2013 return NT_STATUS_NO_SUCH_PRIVILEGE;
2014
2015 if ( !grant_privilege( &info->sid, &mask ) ) {
2016 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
2017 sid_string_dbg(&info->sid) ));
2018 DEBUG(3,("Privilege mask:\n"));
2019 dump_se_priv( DBGC_ALL, 3, &mask );
2020 return NT_STATUS_NO_SUCH_PRIVILEGE;
2021 }
2022
2023 return NT_STATUS_OK;
2024 }
2025
2026 /***************************************************************************
2027 _lsa_RemovePrivilegesFromAccount
2028 For a given SID, remove some privileges.
2029 ***************************************************************************/
2030
2031 NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
2032 struct lsa_RemovePrivilegesFromAccount *r)
2033 {
2034 struct lsa_info *info = NULL;
2035 SE_PRIV mask;
2036 struct lsa_PrivilegeSet *set = NULL;
2037
2038 /* find the connection policy handle. */
2039 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2040 return NT_STATUS_INVALID_HANDLE;
2041
2042 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2043 return NT_STATUS_INVALID_HANDLE;
2044 }
2045
2046 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2047 return NT_STATUS_ACCESS_DENIED;
2048 }
2049
2050 set = r->in.privs;
2051
2052 if ( !privilege_set_to_se_priv( &mask, set ) )
2053 return NT_STATUS_NO_SUCH_PRIVILEGE;
2054
2055 if ( !revoke_privilege( &info->sid, &mask ) ) {
2056 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2057 sid_string_dbg(&info->sid) ));
2058 DEBUG(3,("Privilege mask:\n"));
2059 dump_se_priv( DBGC_ALL, 3, &mask );
2060 return NT_STATUS_NO_SUCH_PRIVILEGE;
2061 }
2062
2063 return NT_STATUS_OK;
2064 }
2065
2066 /***************************************************************************
2067 _lsa_LookupPrivName
2068 ***************************************************************************/
2069
2070 NTSTATUS _lsa_LookupPrivName(pipes_struct *p,
2071 struct lsa_LookupPrivName *r)
2072 {
2073 struct lsa_info *info = NULL;
2074 const char *name;
2075 struct lsa_StringLarge *lsa_name;
2076
2077 /* find the connection policy handle. */
2078 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2079 return NT_STATUS_INVALID_HANDLE;
2080 }
2081
2082 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2083 return NT_STATUS_INVALID_HANDLE;
2084 }
2085
2086 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2087 return NT_STATUS_ACCESS_DENIED;
2088 }
2089
2090 name = luid_to_privilege_name((LUID *)r->in.luid);
2091 if (!name) {
2092 return NT_STATUS_NO_SUCH_PRIVILEGE;
2093 }
2094
2095 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2096 if (!lsa_name) {
2097 return NT_STATUS_NO_MEMORY;
2098 }
2099
2100 lsa_name->string = talloc_strdup(lsa_name, name);
2101 if (!lsa_name->string) {
2102 TALLOC_FREE(lsa_name);
2103 return NT_STATUS_NO_MEMORY;
2104 }
2105
2106 *r->out.name = lsa_name;
2107
2108 return NT_STATUS_OK;
2109 }
2110
2111 /***************************************************************************
2112 _lsa_QuerySecurity
2113 ***************************************************************************/
2114
2115 NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
2116 struct lsa_QuerySecurity *r)
2117 {
2118 struct lsa_info *handle=NULL;
2119 SEC_DESC *psd = NULL;
2120 size_t sd_size;
2121 NTSTATUS status;
2122
2123 /* find the connection policy handle. */
2124 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2125 return NT_STATUS_INVALID_HANDLE;
2126
2127 switch (handle->type) {
2128 case LSA_HANDLE_POLICY_TYPE:
2129 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2130 &lsa_policy_mapping, NULL, 0);
2131 break;
2132 case LSA_HANDLE_ACCOUNT_TYPE:
2133 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2134 &lsa_account_mapping,
2135 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2136 break;
2137 default:
2138 status = NT_STATUS_INVALID_HANDLE;
2139 break;
2140 }
2141
2142 if (!NT_STATUS_IS_OK(status)) {
2143 return status;
2144 }
2145
2146 *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2147 if (!*r->out.sdbuf) {
2148 return NT_STATUS_NO_MEMORY;
2149 }
2150
2151 return status;
2152 }
2153
2154 /***************************************************************************
2155 _lsa_AddAccountRights
2156 ***************************************************************************/
2157
2158 NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
2159 struct lsa_AddAccountRights *r)
2160 {
2161 struct lsa_info *info = NULL;
2162 int i = 0;
2163 uint32_t acc_granted = 0;
2164 SEC_DESC *psd = NULL;
2165 size_t sd_size;
2166 DOM_SID sid;
2167 NTSTATUS status;
2168
2169 /* find the connection policy handle. */
2170 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2171 return NT_STATUS_INVALID_HANDLE;
2172
2173 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2174 return NT_STATUS_INVALID_HANDLE;
2175 }
2176
2177 /* get the generic lsa account SD for this SID until we store it */
2178 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2179 &lsa_account_mapping,
2180 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2181 if (!NT_STATUS_IS_OK(status)) {
2182 return status;
2183 }
2184
2185 /*
2186 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2187 * on the policy handle. If it does, ask for
2188 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2189 * on the account sid. We don't check here so just use the latter. JRA.
2190 */
2191
2192 status = access_check_object(psd, p->server_info->ptok,
2193 NULL, 0,
2194 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2195 &acc_granted, "_lsa_AddAccountRights" );
2196 if (!NT_STATUS_IS_OK(status)) {
2197 return status;
2198 }
2199
2200 /* according to an NT4 PDC, you can add privileges to SIDs even without
2201 call_lsa_create_account() first. And you can use any arbitrary SID. */
2202
2203 sid_copy( &sid, r->in.sid );
2204
2205 for ( i=0; i < r->in.rights->count; i++ ) {
2206
2207 const char *privname = r->in.rights->names[i].string;
2208
2209 /* only try to add non-null strings */
2210
2211 if ( !privname )
2212 continue;
2213
2214 if ( !grant_privilege_by_name( &sid, privname ) ) {
2215 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2216 privname ));
2217 return NT_STATUS_NO_SUCH_PRIVILEGE;
2218 }
2219 }
2220
2221 return NT_STATUS_OK;
2222 }
2223
2224 /***************************************************************************
2225 _lsa_RemoveAccountRights
2226 ***************************************************************************/
2227
2228 NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
2229 struct lsa_RemoveAccountRights *r)
2230 {
2231 struct lsa_info *info = NULL;
2232 int i = 0;
2233 SEC_DESC *psd = NULL;
2234 size_t sd_size;
2235 DOM_SID sid;
2236 const char *privname = NULL;
2237 uint32_t acc_granted = 0;
2238 NTSTATUS status;
2239
2240 /* find the connection policy handle. */
2241 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2242 return NT_STATUS_INVALID_HANDLE;
2243
2244 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2245 return NT_STATUS_INVALID_HANDLE;
2246 }
2247
2248 /* get the generic lsa account SD for this SID until we store it */
2249 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2250 &lsa_account_mapping,
2251 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2252 if (!NT_STATUS_IS_OK(status)) {
2253 return status;
2254 }
2255
2256 /*
2257 * From the MS DOCs. We need
2258 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2259 * and DELETE on the account sid.
2260 */
2261
2262 status = access_check_object(psd, p->server_info->ptok,
2263 NULL, 0,
2264 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2265 LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
2266 &acc_granted, "_lsa_RemoveAccountRights");
2267 if (!NT_STATUS_IS_OK(status)) {
2268 return status;
2269 }
2270
2271 sid_copy( &sid, r->in.sid );
2272
2273 if ( r->in.remove_all ) {
2274 if ( !revoke_all_privileges( &sid ) )
2275 return NT_STATUS_ACCESS_DENIED;
2276
2277 return NT_STATUS_OK;
2278 }
2279
2280 for ( i=0; i < r->in.rights->count; i++ ) {
2281
2282 privname = r->in.rights->names[i].string;
2283
2284 /* only try to add non-null strings */
2285
2286 if ( !privname )
2287 continue;
2288
2289 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2290 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2291 privname ));
2292 return NT_STATUS_NO_SUCH_PRIVILEGE;
2293 }
2294 }
2295
2296 return NT_STATUS_OK;
2297 }
2298
2299 /*******************************************************************
2300 ********************************************************************/
2301
2302 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2303 struct lsa_RightSet *r,
2304 PRIVILEGE_SET *privileges)
2305 {
2306 uint32 i;
2307 const char *privname;
2308 const char **privname_array = NULL;
2309 int num_priv = 0;
2310
2311 for (i=0; i<privileges->count; i++) {
2312
2313 privname = luid_to_privilege_name(&privileges->set[i].luid);
2314 if (privname) {
2315 if (!add_string_to_array(mem_ctx, privname,
2316 &privname_array, &num_priv)) {
2317 return NT_STATUS_NO_MEMORY;
2318 }
2319 }
2320 }
2321
2322 if (num_priv) {
2323
2324 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2325 num_priv);
2326 if (!r->names) {
2327 return NT_STATUS_NO_MEMORY;
2328 }
2329
2330 for (i=0; i<num_priv; i++) {
2331 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2332 }
2333
2334 r->count = num_priv;
2335 }
2336
2337 return NT_STATUS_OK;
2338 }
2339
2340 /***************************************************************************
2341 _lsa_EnumAccountRights
2342 ***************************************************************************/
2343
2344 NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
2345 struct lsa_EnumAccountRights *r)
2346 {
2347 NTSTATUS status;
2348 struct lsa_info *info = NULL;
2349 DOM_SID sid;
2350 PRIVILEGE_SET privileges;
2351 SE_PRIV mask;
2352
2353 /* find the connection policy handle. */
2354
2355 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2356 return NT_STATUS_INVALID_HANDLE;
2357
2358 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2359 return NT_STATUS_INVALID_HANDLE;
2360 }
2361
2362 if (!(info->access & LSA_ACCOUNT_VIEW)) {
2363 return NT_STATUS_ACCESS_DENIED;
2364 }
2365
2366 /* according to an NT4 PDC, you can add privileges to SIDs even without
2367 call_lsa_create_account() first. And you can use any arbitrary SID. */
2368
2369 sid_copy( &sid, r->in.sid );
2370
2371 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2372 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2373 * the lsa database */
2374
2375 if (!get_privileges_for_sids(&mask, &sid, 1)) {
2376 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2377 }
2378
2379 status = privilege_set_init(&privileges);
2380 if (!NT_STATUS_IS_OK(status)) {
2381 return status;
2382 }
2383
2384 se_priv_to_privilege_set(&privileges, &mask);
2385
2386 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2387 sid_string_dbg(&sid), privileges.count));
2388
2389 status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2390
2391 privilege_set_free( &privileges );
2392
2393 return status;
2394 }
2395
2396 /***************************************************************************
2397 _lsa_LookupPrivValue
2398 ***************************************************************************/
2399
2400 NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
2401 struct lsa_LookupPrivValue *r)
2402 {
2403 struct lsa_info *info = NULL;
2404 const char *name = NULL;
2405 LUID_ATTR priv_luid;
2406 SE_PRIV mask;
2407
2408 /* find the connection policy handle. */
2409
2410 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2411 return NT_STATUS_INVALID_HANDLE;
2412
2413 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2414 return NT_STATUS_INVALID_HANDLE;
2415 }
2416
2417 if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2418 return NT_STATUS_ACCESS_DENIED;
2419
2420 name = r->in.name->string;
2421
2422 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2423
2424 if ( !se_priv_from_name( name, &mask ) )
2425 return NT_STATUS_NO_SUCH_PRIVILEGE;
2426
2427 priv_luid = get_privilege_luid( &mask );
2428
2429 r->out.luid->low = priv_luid.luid.low;
2430 r->out.luid->high = priv_luid.luid.high;
2431
2432 return NT_STATUS_OK;
2433 }
2434
2435 /***************************************************************************
2436 _lsa_EnumAccountsWithUserRight
2437 ***************************************************************************/
2438
2439 NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p,
2440 struct lsa_EnumAccountsWithUserRight *r)
2441 {
2442 NTSTATUS status;
2443 struct lsa_info *info = NULL;
2444 struct dom_sid *sids = NULL;
2445 int num_sids = 0;
2446 uint32_t i;
2447 SE_PRIV mask;
2448
2449 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2450 return NT_STATUS_INVALID_HANDLE;
2451 }
2452
2453 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2454 return NT_STATUS_INVALID_HANDLE;
2455 }
2456
2457 if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2458 return NT_STATUS_ACCESS_DENIED;
2459 }
2460
2461 if (!r->in.name || !r->in.name->string) {
2462 return NT_STATUS_NO_SUCH_PRIVILEGE;
2463 }
2464
2465 if (!se_priv_from_name(r->in.name->string, &mask)) {
2466 return NT_STATUS_NO_SUCH_PRIVILEGE;
2467 }
2468
2469 status = privilege_enum_sids(&mask, p->mem_ctx,
2470 &sids, &num_sids);
2471 if (!NT_STATUS_IS_OK(status)) {
2472 return status;
2473 }
2474
2475 r->out.sids->num_sids = num_sids;
2476 r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2477 r->out.sids->num_sids);
2478
2479 for (i=0; i < r->out.sids->num_sids; i++) {
2480 r->out.sids->sids[i].sid = sid_dup_talloc(r->out.sids->sids,
2481 &sids[i]);
2482 if (!r->out.sids->sids[i].sid) {
2483 TALLOC_FREE(r->out.sids->sids);
2484 r->out.sids->num_sids = 0;
2485 return NT_STATUS_NO_MEMORY;
2486 }
2487 }
2488
2489 return NT_STATUS_OK;
2490 }
2491
2492 /***************************************************************************
2493 _lsa_Delete
2494 ***************************************************************************/
2495
2496 NTSTATUS _lsa_Delete(pipes_struct *p,
2497 struct lsa_Delete *r)
2498 {
2499 return NT_STATUS_NOT_SUPPORTED;
2500 }
2501
2502 /*
2503 * From here on the server routines are just dummy ones to make smbd link with
2504 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2505 * pulling the server stubs across one by one.
2506 */
2507
2508 NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
2509 {
2510 p->rng_fault_state = True;
2511 return NT_STATUS_NOT_IMPLEMENTED;
2512 }
2513
2514 NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
2515 {
2516 p->rng_fault_state = True;
2517 return NT_STATUS_NOT_IMPLEMENTED;
2518 }
2519
2520 NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
2521 {
2522 p->rng_fault_state = True;
2523 return NT_STATUS_NOT_IMPLEMENTED;
2524 }
2525
2526 NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
2527 {
2528 p->rng_fault_state = True;
2529 return NT_STATUS_NOT_IMPLEMENTED;
2530 }
2531
2532 NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
2533 {
2534 p->rng_fault_state = True;
2535 return NT_STATUS_NOT_IMPLEMENTED;
2536 }
2537
2538 NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
2539 {
2540 p->rng_fault_state = True;
2541 return NT_STATUS_NOT_IMPLEMENTED;
2542 }
2543
2544 NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
2545 {
2546 p->rng_fault_state = True;
2547 return NT_STATUS_NOT_IMPLEMENTED;
2548 }
2549
2550 NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
2551 {
2552 p->rng_fault_state = True;
2553 return NT_STATUS_NOT_IMPLEMENTED;
2554 }
2555
2556 NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
2557 {
2558 p->rng_fault_state = True;
2559 return NT_STATUS_NOT_IMPLEMENTED;
2560 }
2561
2562 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
2563 {
2564 p->rng_fault_state = True;
2565 return NT_STATUS_NOT_IMPLEMENTED;
2566 }
2567
2568 NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
2569 {
2570 p->rng_fault_state = True;
2571 return NT_STATUS_NOT_IMPLEMENTED;
2572 }
2573
2574 NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
2575 {
2576 p->rng_fault_state = True;
2577 return NT_STATUS_NOT_IMPLEMENTED;
2578 }
2579
2580 NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
2581 {
2582 p->rng_fault_state = True;
2583 return NT_STATUS_NOT_IMPLEMENTED;
2584 }
2585
2586 NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
2587 {
2588 p->rng_fault_state = True;
2589 return NT_STATUS_NOT_IMPLEMENTED;
2590 }
2591
2592 NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
2593 {
2594 p->rng_fault_state = True;
2595 return NT_STATUS_NOT_IMPLEMENTED;
2596 }
2597
2598 NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
2599 {
2600 p->rng_fault_state = True;
2601 return NT_STATUS_NOT_IMPLEMENTED;
2602 }
2603
2604 NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
2605 {
2606 p->rng_fault_state = True;
2607 return NT_STATUS_NOT_IMPLEMENTED;
2608 }
2609
2610 NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
2611 {
2612 p->rng_fault_state = True;
2613 return NT_STATUS_NOT_IMPLEMENTED;
2614 }
2615
2616 NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
2617 {
2618 p->rng_fault_state = True;
2619 return NT_STATUS_NOT_IMPLEMENTED;
2620 }
2621
2622 NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
2623 {
2624 p->rng_fault_state = True;
2625 return NT_STATUS_NOT_IMPLEMENTED;
2626 }
2627
2628 NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
2629 {
2630 p->rng_fault_state = True;
2631 return NT_STATUS_NOT_IMPLEMENTED;
2632 }
2633
2634 NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
2635 {
2636 p->rng_fault_state = True;
2637 return NT_STATUS_NOT_IMPLEMENTED;
2638 }
2639
2640 NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
2641 {
2642 p->rng_fault_state = True;
2643 return NT_STATUS_NOT_IMPLEMENTED;
2644 }
2645
2646 NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
2647 {
2648 p->rng_fault_state = True;
2649 return NT_STATUS_NOT_IMPLEMENTED;
2650 }
2651
2652 NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
2653 {
2654 p->rng_fault_state = True;
2655 return NT_STATUS_NOT_IMPLEMENTED;
2656 }
2657
2658 NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
2659 {
2660 p->rng_fault_state = True;
2661 return NT_STATUS_NOT_IMPLEMENTED;
2662 }
2663
2664 NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
2665 {
2666 p->rng_fault_state = True;
2667 return NT_STATUS_NOT_IMPLEMENTED;
2668 }
2669
2670 NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2671 {
2672 p->rng_fault_state = True;
2673 return NT_STATUS_NOT_IMPLEMENTED;
2674 }
2675
2676 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2677 {
2678 p->rng_fault_state = True;
2679 return NT_STATUS_NOT_IMPLEMENTED;
2680 }
2681
2682 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2683 {
2684 p->rng_fault_state = True;
2685 return NT_STATUS_NOT_IMPLEMENTED;
2686 }
2687
2688 NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
2689 {
2690 p->rng_fault_state = True;
2691 return NT_STATUS_NOT_IMPLEMENTED;
2692 }
2693
2694 NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
2695 {
2696 p->rng_fault_state = True;
2697 return NT_STATUS_NOT_IMPLEMENTED;
2698 }
2699
2700 NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
2701 {
2702 p->rng_fault_state = True;
2703 return NT_STATUS_NOT_IMPLEMENTED;
2704 }
2705
2706 NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
2707 {
2708 p->rng_fault_state = True;
2709 return NT_STATUS_NOT_IMPLEMENTED;
2710 }
2711
2712 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
2713 {
2714 p->rng_fault_state = True;
2715 return NT_STATUS_NOT_IMPLEMENTED;
2716 }
2717
2718 NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
2719 {
2720 p->rng_fault_state = True;
2721 return NT_STATUS_NOT_IMPLEMENTED;
2722 }
2723
2724 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
2725 {
2726 p->rng_fault_state = True;
2727 return NT_STATUS_NOT_IMPLEMENTED;
2728 }
2729
2730 NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
2731 {
2732 p->rng_fault_state = True;
2733 return NT_STATUS_NOT_IMPLEMENTED;
2734 }
2735
2736 NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2737 {
2738 p->rng_fault_state = True;
2739 return NT_STATUS_NOT_IMPLEMENTED;
2740 }
2741
2742 NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
2743 {
2744 p->rng_fault_state = True;
2745 return NT_STATUS_NOT_IMPLEMENTED;
2746 }
2747
2748 NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
2749 {
2750 p->rng_fault_state = True;
2751 return NT_STATUS_NOT_IMPLEMENTED;
2752 }
2753
2754 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2755 {
2756 p->rng_fault_state = True;
2757 return NT_STATUS_NOT_IMPLEMENTED;
2758 }
2759
2760 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2761 {
2762 p->rng_fault_state = True;
2763 return NT_STATUS_NOT_IMPLEMENTED;
2764 }
2765
2766 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
2767 {
2768 p->rng_fault_state = True;
2769 return NT_STATUS_NOT_IMPLEMENTED;
2770 }
Samba GIT mirror