2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
29 /* This is the implementation of the lsa server code. */
34 #define DBGC_CLASS DBGC_RPC_SRV
43 const struct generic_mapping lsa_generic_mapping
= {
50 /***************************************************************************
51 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
52 ***************************************************************************/
54 static int init_lsa_ref_domain_list(TALLOC_CTX
*mem_ctx
,
55 struct lsa_RefDomainList
*ref
,
61 if (dom_name
!= NULL
) {
62 for (num
= 0; num
< ref
->count
; num
++) {
63 if (sid_equal(dom_sid
, ref
->domains
[num
].sid
)) {
71 if (num
>= MAX_REF_DOMAINS
) {
72 /* index not found, already at maximum domain limit */
77 ref
->max_size
= MAX_REF_DOMAINS
;
79 ref
->domains
= TALLOC_REALLOC_ARRAY(mem_ctx
, ref
->domains
,
80 struct lsa_DomainInfo
, ref
->count
);
85 ZERO_STRUCT(ref
->domains
[num
]);
87 init_lsa_StringLarge(&ref
->domains
[num
].name
, dom_name
);
88 ref
->domains
[num
].sid
= sid_dup_talloc(mem_ctx
, dom_sid
);
89 if (!ref
->domains
[num
].sid
) {
97 /*******************************************************************
98 Function to free the per handle data.
99 ********************************************************************/
101 static void free_lsa_info(void *ptr
)
103 struct lsa_info
*lsa
= (struct lsa_info
*)ptr
;
108 /***************************************************************************
109 initialize a lsa_DomainInfo structure.
110 ***************************************************************************/
112 static void init_dom_query_3(struct lsa_DomainInfo
*r
,
116 init_lsa_StringLarge(&r
->name
, name
);
120 /***************************************************************************
121 initialize a lsa_DomainInfo structure.
122 ***************************************************************************/
124 static void init_dom_query_5(struct lsa_DomainInfo
*r
,
128 init_lsa_StringLarge(&r
->name
, name
);
132 /***************************************************************************
133 lookup_lsa_rids. Must be called as root for lookup_name to work.
134 ***************************************************************************/
136 static NTSTATUS
lookup_lsa_rids(TALLOC_CTX
*mem_ctx
,
137 struct lsa_RefDomainList
*ref
,
138 struct lsa_TranslatedSid
*prid
,
139 uint32_t num_entries
,
140 struct lsa_String
*name
,
142 uint32_t *pmapped_count
)
144 uint32 mapped_count
, i
;
146 SMB_ASSERT(num_entries
<= MAX_LOOKUP_SIDS
);
151 for (i
= 0; i
< num_entries
; i
++) {
155 const char *full_name
;
157 enum lsa_SidType type
= SID_NAME_UNKNOWN
;
159 /* Split name into domain and user component */
161 full_name
= name
[i
].string
;
162 if (full_name
== NULL
) {
163 return NT_STATUS_NO_MEMORY
;
166 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name
));
168 /* We can ignore the result of lookup_name, it will not touch
169 "type" if it's not successful */
171 lookup_name(mem_ctx
, full_name
, flags
, &domain
, NULL
,
176 case SID_NAME_DOM_GRP
:
177 case SID_NAME_DOMAIN
:
179 case SID_NAME_WKN_GRP
:
180 DEBUG(5, ("init_lsa_rids: %s found\n", full_name
));
181 /* Leave these unchanged */
184 /* Don't hand out anything but the list above */
185 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name
));
186 type
= SID_NAME_UNKNOWN
;
193 if (type
!= SID_NAME_UNKNOWN
) {
194 sid_split_rid(&sid
, &rid
);
195 dom_idx
= init_lsa_ref_domain_list(mem_ctx
, ref
, domain
, &sid
);
199 init_lsa_translated_sid(&prid
[i
], type
, rid
, dom_idx
);
202 *pmapped_count
= mapped_count
;
206 /***************************************************************************
207 lookup_lsa_sids. Must be called as root for lookup_name to work.
208 ***************************************************************************/
210 static NTSTATUS
lookup_lsa_sids(TALLOC_CTX
*mem_ctx
,
211 struct lsa_RefDomainList
*ref
,
212 struct lsa_TranslatedSid3
*trans_sids
,
213 uint32_t num_entries
,
214 struct lsa_String
*name
,
216 uint32
*pmapped_count
)
218 uint32 mapped_count
, i
;
220 SMB_ASSERT(num_entries
<= MAX_LOOKUP_SIDS
);
225 for (i
= 0; i
< num_entries
; i
++) {
229 const char *full_name
;
231 enum lsa_SidType type
= SID_NAME_UNKNOWN
;
235 /* Split name into domain and user component */
237 full_name
= name
[i
].string
;
238 if (full_name
== NULL
) {
239 return NT_STATUS_NO_MEMORY
;
242 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name
));
244 /* We can ignore the result of lookup_name, it will not touch
245 "type" if it's not successful */
247 lookup_name(mem_ctx
, full_name
, flags
, &domain
, NULL
,
252 case SID_NAME_DOM_GRP
:
253 case SID_NAME_DOMAIN
:
255 case SID_NAME_WKN_GRP
:
256 DEBUG(5, ("init_lsa_sids: %s found\n", full_name
));
257 /* Leave these unchanged */
260 /* Don't hand out anything but the list above */
261 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name
));
262 type
= SID_NAME_UNKNOWN
;
269 if (type
!= SID_NAME_UNKNOWN
) {
271 sid_copy(&domain_sid
, &sid
);
272 sid_split_rid(&domain_sid
, &rid
);
273 dom_idx
= init_lsa_ref_domain_list(mem_ctx
, ref
, domain
, &domain_sid
);
277 /* Initialize the lsa_TranslatedSid3 return. */
278 trans_sids
[i
].sid_type
= type
;
279 trans_sids
[i
].sid
= sid_dup_talloc(mem_ctx
, &sid
);
280 trans_sids
[i
].sid_index
= dom_idx
;
283 *pmapped_count
= mapped_count
;
287 static NTSTATUS
lsa_get_generic_sd(TALLOC_CTX
*mem_ctx
, SEC_DESC
**sd
, size_t *sd_size
)
289 DOM_SID local_adm_sid
;
296 init_sec_ace(&ace
[0], &global_sid_World
, SEC_ACE_TYPE_ACCESS_ALLOWED
, LSA_POLICY_EXECUTE
, 0);
298 sid_copy(&adm_sid
, get_global_sam_sid());
299 sid_append_rid(&adm_sid
, DOMAIN_GROUP_RID_ADMINS
);
300 init_sec_ace(&ace
[1], &adm_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, LSA_POLICY_ALL_ACCESS
, 0);
302 sid_copy(&local_adm_sid
, &global_sid_Builtin
);
303 sid_append_rid(&local_adm_sid
, BUILTIN_ALIAS_RID_ADMINS
);
304 init_sec_ace(&ace
[2], &local_adm_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, LSA_POLICY_ALL_ACCESS
, 0);
306 if((psa
= make_sec_acl(mem_ctx
, NT4_ACL_REVISION
, 3, ace
)) == NULL
)
307 return NT_STATUS_NO_MEMORY
;
309 if((*sd
= make_sec_desc(mem_ctx
, SECURITY_DESCRIPTOR_REVISION_1
,
310 SEC_DESC_SELF_RELATIVE
, &adm_sid
, NULL
, NULL
,
311 psa
, sd_size
)) == NULL
)
312 return NT_STATUS_NO_MEMORY
;
317 #if 0 /* AD DC work in ongoing in Samba 4 */
319 /***************************************************************************
321 ***************************************************************************/
323 static void init_dns_dom_info(LSA_DNS_DOM_INFO
*r_l
, const char *nb_name
,
324 const char *dns_name
, const char *forest_name
,
325 struct GUID
*dom_guid
, DOM_SID
*dom_sid
)
327 if (nb_name
&& *nb_name
) {
328 init_unistr2(&r_l
->uni_nb_dom_name
, nb_name
, UNI_FLAGS_NONE
);
329 init_uni_hdr(&r_l
->hdr_nb_dom_name
, &r_l
->uni_nb_dom_name
);
330 r_l
->hdr_nb_dom_name
.uni_max_len
+= 2;
331 r_l
->uni_nb_dom_name
.uni_max_len
+= 1;
334 if (dns_name
&& *dns_name
) {
335 init_unistr2(&r_l
->uni_dns_dom_name
, dns_name
, UNI_FLAGS_NONE
);
336 init_uni_hdr(&r_l
->hdr_dns_dom_name
, &r_l
->uni_dns_dom_name
);
337 r_l
->hdr_dns_dom_name
.uni_max_len
+= 2;
338 r_l
->uni_dns_dom_name
.uni_max_len
+= 1;
341 if (forest_name
&& *forest_name
) {
342 init_unistr2(&r_l
->uni_forest_name
, forest_name
, UNI_FLAGS_NONE
);
343 init_uni_hdr(&r_l
->hdr_forest_name
, &r_l
->uni_forest_name
);
344 r_l
->hdr_forest_name
.uni_max_len
+= 2;
345 r_l
->uni_forest_name
.uni_max_len
+= 1;
348 /* how do we init the guid ? probably should write an init fn */
350 memcpy(&r_l
->dom_guid
, dom_guid
, sizeof(struct GUID
));
354 r_l
->ptr_dom_sid
= 1;
355 init_dom_sid2(&r_l
->dom_sid
, dom_sid
);
358 #endif /* AD DC work in ongoing in Samba 4 */
361 /***************************************************************************
363 ***************************************************************************/
365 NTSTATUS
_lsa_OpenPolicy2(pipes_struct
*p
,
366 struct lsa_OpenPolicy2
*r
)
368 struct lsa_info
*info
;
369 SEC_DESC
*psd
= NULL
;
371 uint32 des_access
= r
->in
.access_mask
;
376 /* map the generic bits to the lsa policy ones */
377 se_map_generic(&des_access
, &lsa_generic_mapping
);
379 /* get the generic lsa policy SD until we store it */
380 lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
382 status
= se_access_check(psd
, p
->pipe_user
.nt_user_token
, des_access
, &acc_granted
);
383 if (!NT_STATUS_IS_OK(status
)) {
384 if (p
->pipe_user
.ut
.uid
!= sec_initial_uid()) {
387 DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
388 acc_granted
, des_access
));
389 DEBUGADD(4,("but overwritten by euid == 0\n"));
392 /* This is needed for lsa_open_account and rpcclient .... :-) */
394 if (p
->pipe_user
.ut
.uid
== sec_initial_uid())
395 acc_granted
= LSA_POLICY_ALL_ACCESS
;
397 /* associate the domain SID with the (unique) handle. */
398 if ((info
= SMB_MALLOC_P(struct lsa_info
)) == NULL
)
399 return NT_STATUS_NO_MEMORY
;
402 sid_copy(&info
->sid
,get_global_sam_sid());
403 info
->access
= acc_granted
;
405 /* set up the LSA QUERY INFO response */
406 if (!create_policy_hnd(p
, r
->out
.handle
, free_lsa_info
, (void *)info
))
407 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
412 /***************************************************************************
414 ***************************************************************************/
416 NTSTATUS
_lsa_OpenPolicy(pipes_struct
*p
,
417 struct lsa_OpenPolicy
*r
)
419 struct lsa_info
*info
;
420 SEC_DESC
*psd
= NULL
;
422 uint32 des_access
= r
->in
.access_mask
;
427 /* map the generic bits to the lsa policy ones */
428 se_map_generic(&des_access
, &lsa_generic_mapping
);
430 /* get the generic lsa policy SD until we store it */
431 lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
433 status
= se_access_check(psd
, p
->pipe_user
.nt_user_token
, des_access
, &acc_granted
);
434 if (!NT_STATUS_IS_OK(status
)) {
435 if (p
->pipe_user
.ut
.uid
!= sec_initial_uid()) {
438 DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
439 acc_granted
, des_access
));
440 DEBUGADD(4,("but overwritten by euid == 0\n"));
441 acc_granted
= des_access
;
444 /* associate the domain SID with the (unique) handle. */
445 if ((info
= SMB_MALLOC_P(struct lsa_info
)) == NULL
)
446 return NT_STATUS_NO_MEMORY
;
449 sid_copy(&info
->sid
,get_global_sam_sid());
450 info
->access
= acc_granted
;
452 /* set up the LSA QUERY INFO response */
453 if (!create_policy_hnd(p
, r
->out
.handle
, free_lsa_info
, (void *)info
))
454 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
459 /***************************************************************************
460 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
462 ***************************************************************************/
464 NTSTATUS
_lsa_EnumTrustDom(pipes_struct
*p
,
465 struct lsa_EnumTrustDom
*r
)
467 struct lsa_info
*info
;
469 struct trustdom_info
**domains
;
470 struct lsa_DomainInfo
*lsa_domains
= NULL
;
474 * preferred length is set to 5 as a "our" preferred length
475 * nt sets this parameter to 2
476 * update (20.08.2002): it's not preferred length, but preferred size!
477 * it needs further investigation how to optimally choose this value
479 uint32 max_num_domains
=
480 r
->in
.max_size
< 5 ? r
->in
.max_size
: 10;
485 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
486 return NT_STATUS_INVALID_HANDLE
;
488 /* check if the user has enough rights */
489 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
490 return NT_STATUS_ACCESS_DENIED
;
493 nt_status
= pdb_enum_trusteddoms(p
->mem_ctx
, &num_domains
, &domains
);
496 if (!NT_STATUS_IS_OK(nt_status
)) {
500 if (*r
->in
.resume_handle
< num_domains
) {
501 num_thistime
= MIN(num_domains
, max_num_domains
);
503 nt_status
= STATUS_MORE_ENTRIES
;
505 if (*r
->in
.resume_handle
+ num_thistime
> num_domains
) {
506 num_thistime
= num_domains
- *r
->in
.resume_handle
;
507 nt_status
= NT_STATUS_OK
;
510 next_idx
= *r
->in
.resume_handle
+ num_thistime
;
513 next_idx
= 0xffffffff;
514 nt_status
= NT_STATUS_NO_MORE_ENTRIES
;
517 /* set up the lsa_enum_trust_dom response */
519 lsa_domains
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_DomainInfo
,
522 return NT_STATUS_NO_MEMORY
;
525 for (i
=0; i
<num_thistime
; i
++) {
526 init_lsa_StringLarge(&lsa_domains
[i
].name
, domains
[i
]->name
);
527 lsa_domains
[i
].sid
= &domains
[i
]->sid
;
530 *r
->out
.resume_handle
= next_idx
;
531 r
->out
.domains
->count
= num_thistime
;
532 r
->out
.domains
->domains
= lsa_domains
;
537 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
538 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
539 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
541 /***************************************************************************
543 ***************************************************************************/
545 NTSTATUS
_lsa_QueryInfoPolicy(pipes_struct
*p
,
546 struct lsa_QueryInfoPolicy
*r
)
548 NTSTATUS status
= NT_STATUS_OK
;
549 struct lsa_info
*handle
;
553 union lsa_PolicyInformation
*info
= NULL
;
555 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
556 return NT_STATUS_INVALID_HANDLE
;
558 info
= TALLOC_ZERO_P(p
->mem_ctx
, union lsa_PolicyInformation
);
560 return NT_STATUS_NO_MEMORY
;
563 switch (r
->in
.level
) {
567 uint32 policy_def
= LSA_AUDIT_POLICY_ALL
;
569 /* check if the user has enough rights */
570 if (!(handle
->access
& LSA_POLICY_VIEW_AUDIT_INFORMATION
)) {
571 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
572 return NT_STATUS_ACCESS_DENIED
;
575 /* fake info: We audit everything. ;) */
577 info
->audit_events
.auditing_mode
= true;
578 info
->audit_events
.count
= LSA_AUDIT_NUM_CATEGORIES
;
579 info
->audit_events
.settings
= TALLOC_ZERO_ARRAY(p
->mem_ctx
,
580 enum lsa_PolicyAuditPolicy
,
581 info
->audit_events
.count
);
582 if (!info
->audit_events
.settings
) {
583 return NT_STATUS_NO_MEMORY
;
586 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT
] = policy_def
;
587 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS
] = policy_def
;
588 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_LOGON
] = policy_def
;
589 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING
] = policy_def
;
590 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES
] = policy_def
;
591 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_SYSTEM
] = policy_def
;
592 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS
] = policy_def
;
597 /* check if the user has enough rights */
598 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
599 return NT_STATUS_ACCESS_DENIED
;
601 /* Request PolicyPrimaryDomainInformation. */
602 switch (lp_server_role()) {
603 case ROLE_DOMAIN_PDC
:
604 case ROLE_DOMAIN_BDC
:
605 name
= get_global_sam_name();
606 sid
= sid_dup_talloc(p
->mem_ctx
, get_global_sam_sid());
608 return NT_STATUS_NO_MEMORY
;
611 case ROLE_DOMAIN_MEMBER
:
612 name
= lp_workgroup();
613 /* We need to return the Domain SID here. */
614 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid
)) {
615 sid
= sid_dup_talloc(p
->mem_ctx
, &domain_sid
);
617 return NT_STATUS_NO_MEMORY
;
620 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
623 case ROLE_STANDALONE
:
624 name
= lp_workgroup();
628 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
630 init_dom_query_3(&info
->domain
, name
, sid
);
633 /* check if the user has enough rights */
634 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
635 return NT_STATUS_ACCESS_DENIED
;
637 /* Request PolicyAccountDomainInformation. */
638 name
= get_global_sam_name();
639 sid
= get_global_sam_sid();
641 init_dom_query_5(&info
->account_domain
, name
, sid
);
644 /* check if the user has enough rights */
645 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
646 return NT_STATUS_ACCESS_DENIED
;
648 switch (lp_server_role()) {
649 case ROLE_DOMAIN_BDC
:
651 * only a BDC is a backup controller
652 * of the domain, it controls.
658 * any other role is a primary
659 * of the domain, it controls.
666 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
668 status
= NT_STATUS_INVALID_INFO_CLASS
;
677 /***************************************************************************
678 _lsa_lookup_sids_internal
679 ***************************************************************************/
681 static NTSTATUS
_lsa_lookup_sids_internal(pipes_struct
*p
,
683 uint16_t level
, /* input */
684 int num_sids
, /* input */
685 struct lsa_SidPtr
*sid
, /* input */
686 struct lsa_RefDomainList
**pp_ref
, /* input/output */
687 struct lsa_TranslatedName2
**pp_names
,/* input/output */
688 uint32_t *pp_mapped_count
) /* input/output */
692 const DOM_SID
**sids
= NULL
;
693 struct lsa_RefDomainList
*ref
= NULL
;
694 uint32 mapped_count
= 0;
695 struct lsa_dom_info
*dom_infos
= NULL
;
696 struct lsa_name_info
*name_infos
= NULL
;
697 struct lsa_TranslatedName2
*names
= NULL
;
699 *pp_mapped_count
= 0;
707 sids
= TALLOC_ARRAY(p
->mem_ctx
, const DOM_SID
*, num_sids
);
708 ref
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_RefDomainList
);
710 if (sids
== NULL
|| ref
== NULL
) {
711 return NT_STATUS_NO_MEMORY
;
714 for (i
=0; i
<num_sids
; i
++) {
715 sids
[i
] = sid
[i
].sid
;
718 status
= lookup_sids(p
->mem_ctx
, num_sids
, sids
, level
,
719 &dom_infos
, &name_infos
);
721 if (!NT_STATUS_IS_OK(status
)) {
725 names
= TALLOC_ARRAY(p
->mem_ctx
, struct lsa_TranslatedName2
, num_sids
);
727 return NT_STATUS_NO_MEMORY
;
730 for (i
=0; i
<MAX_REF_DOMAINS
; i
++) {
732 if (!dom_infos
[i
].valid
) {
736 if (init_lsa_ref_domain_list(mem_ctx
, ref
,
738 &dom_infos
[i
].sid
) != i
) {
739 DEBUG(0, ("Domain %s mentioned twice??\n",
741 return NT_STATUS_INTERNAL_ERROR
;
745 for (i
=0; i
<num_sids
; i
++) {
746 struct lsa_name_info
*name
= &name_infos
[i
];
748 if (name
->type
== SID_NAME_UNKNOWN
) {
751 /* Unknown sids should return the string
752 * representation of the SID. Windows 2003 behaves
753 * rather erratic here, in many cases it returns the
754 * RID as 8 bytes hex, in others it returns the full
755 * SID. We (Jerry/VL) could not figure out which the
756 * hard cases are, so leave it with the SID. */
757 name
->name
= talloc_asprintf(p
->mem_ctx
, "%s",
760 if (name
->name
== NULL
) {
761 return NT_STATUS_NO_MEMORY
;
767 init_lsa_translated_name2(&names
[i
], name
->type
,
768 name
->name
, name
->dom_idx
, 0);
771 status
= NT_STATUS_NONE_MAPPED
;
772 if (mapped_count
> 0) {
773 status
= (mapped_count
< num_sids
) ?
774 STATUS_SOME_UNMAPPED
: NT_STATUS_OK
;
777 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
778 num_sids
, mapped_count
, nt_errstr(status
)));
780 *pp_mapped_count
= mapped_count
;
787 /***************************************************************************
789 ***************************************************************************/
791 NTSTATUS
_lsa_LookupSids(pipes_struct
*p
,
792 struct lsa_LookupSids
*r
)
795 struct lsa_info
*handle
;
796 int num_sids
= r
->in
.sids
->num_sids
;
797 uint32 mapped_count
= 0;
798 struct lsa_RefDomainList
*domains
= NULL
;
799 struct lsa_TranslatedName
*names_out
= NULL
;
800 struct lsa_TranslatedName2
*names
= NULL
;
803 if ((r
->in
.level
< 1) || (r
->in
.level
> 6)) {
804 return NT_STATUS_INVALID_PARAMETER
;
807 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
808 return NT_STATUS_INVALID_HANDLE
;
811 /* check if the user has enough rights */
812 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
813 return NT_STATUS_ACCESS_DENIED
;
816 if (num_sids
> MAX_LOOKUP_SIDS
) {
817 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
818 MAX_LOOKUP_SIDS
, num_sids
));
819 return NT_STATUS_NONE_MAPPED
;
822 status
= _lsa_lookup_sids_internal(p
,
831 /* Only return here when there is a real error.
832 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
833 the requested sids could be resolved. Older versions of XP (pre SP3)
834 rely that we return with the string representations of those SIDs in
835 that case. If we don't, XP crashes - Guenther
838 if (NT_STATUS_IS_ERR(status
) &&
839 !NT_STATUS_EQUAL(status
, NT_STATUS_NONE_MAPPED
)) {
843 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
844 names_out
= TALLOC_ARRAY(p
->mem_ctx
, struct lsa_TranslatedName
,
847 return NT_STATUS_NO_MEMORY
;
850 for (i
=0; i
<num_sids
; i
++) {
851 names_out
[i
].sid_type
= names
[i
].sid_type
;
852 names_out
[i
].name
= names
[i
].name
;
853 names_out
[i
].sid_index
= names
[i
].sid_index
;
856 *r
->out
.domains
= domains
;
857 r
->out
.names
->count
= num_sids
;
858 r
->out
.names
->names
= names_out
;
859 *r
->out
.count
= mapped_count
;
864 /***************************************************************************
866 ***************************************************************************/
868 NTSTATUS
_lsa_LookupSids2(pipes_struct
*p
,
869 struct lsa_LookupSids2
*r
)
872 struct lsa_info
*handle
;
873 int num_sids
= r
->in
.sids
->num_sids
;
874 uint32 mapped_count
= 0;
875 struct lsa_RefDomainList
*domains
= NULL
;
876 struct lsa_TranslatedName2
*names
= NULL
;
877 bool check_policy
= true;
879 switch (p
->hdr_req
.opnum
) {
880 case NDR_LSA_LOOKUPSIDS3
:
881 check_policy
= false;
883 case NDR_LSA_LOOKUPSIDS2
:
888 if ((r
->in
.level
< 1) || (r
->in
.level
> 6)) {
889 return NT_STATUS_INVALID_PARAMETER
;
893 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
894 return NT_STATUS_INVALID_HANDLE
;
897 /* check if the user has enough rights */
898 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
899 return NT_STATUS_ACCESS_DENIED
;
903 if (num_sids
> MAX_LOOKUP_SIDS
) {
904 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
905 MAX_LOOKUP_SIDS
, num_sids
));
906 return NT_STATUS_NONE_MAPPED
;
909 status
= _lsa_lookup_sids_internal(p
,
918 *r
->out
.domains
= domains
;
919 r
->out
.names
->count
= num_sids
;
920 r
->out
.names
->names
= names
;
921 *r
->out
.count
= mapped_count
;
926 /***************************************************************************
928 ***************************************************************************/
930 NTSTATUS
_lsa_LookupSids3(pipes_struct
*p
,
931 struct lsa_LookupSids3
*r
)
933 struct lsa_LookupSids2 q
;
935 /* No policy handle on this call. Restrict to crypto connections. */
936 if (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) {
937 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
938 get_remote_machine_name() ));
939 return NT_STATUS_INVALID_PARAMETER
;
943 q
.in
.sids
= r
->in
.sids
;
944 q
.in
.level
= r
->in
.level
;
945 q
.in
.unknown1
= r
->in
.unknown1
;
946 q
.in
.unknown2
= r
->in
.unknown2
;
947 q
.in
.names
= r
->in
.names
;
948 q
.in
.count
= r
->in
.count
;
950 q
.out
.domains
= r
->out
.domains
;
951 q
.out
.names
= r
->out
.names
;
952 q
.out
.count
= r
->out
.count
;
954 return _lsa_LookupSids2(p
, &q
);
957 /***************************************************************************
958 ***************************************************************************/
960 static int lsa_lookup_level_to_flags(uint16 level
)
966 flags
= LOOKUP_NAME_ALL
;
969 flags
= LOOKUP_NAME_DOMAIN
|LOOKUP_NAME_REMOTE
|LOOKUP_NAME_ISOLATED
;
972 flags
= LOOKUP_NAME_DOMAIN
|LOOKUP_NAME_ISOLATED
;
978 flags
= LOOKUP_NAME_NONE
;
985 /***************************************************************************
987 ***************************************************************************/
989 NTSTATUS
_lsa_LookupNames(pipes_struct
*p
,
990 struct lsa_LookupNames
*r
)
992 NTSTATUS status
= NT_STATUS_NONE_MAPPED
;
993 struct lsa_info
*handle
;
994 struct lsa_String
*names
= r
->in
.names
;
995 uint32 num_entries
= r
->in
.num_names
;
996 struct lsa_RefDomainList
*domains
= NULL
;
997 struct lsa_TranslatedSid
*rids
= NULL
;
998 uint32 mapped_count
= 0;
1001 if (num_entries
> MAX_LOOKUP_SIDS
) {
1002 num_entries
= MAX_LOOKUP_SIDS
;
1003 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1007 flags
= lsa_lookup_level_to_flags(r
->in
.level
);
1009 domains
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_RefDomainList
);
1011 return NT_STATUS_NO_MEMORY
;
1015 rids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_TranslatedSid
,
1018 return NT_STATUS_NO_MEMORY
;
1024 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
1025 status
= NT_STATUS_INVALID_HANDLE
;
1029 /* check if the user has enough rights */
1030 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
1031 status
= NT_STATUS_ACCESS_DENIED
;
1035 /* set up the LSA Lookup RIDs response */
1036 become_root(); /* lookup_name can require root privs */
1037 status
= lookup_lsa_rids(p
->mem_ctx
, domains
, rids
, num_entries
,
1038 names
, flags
, &mapped_count
);
1043 if (NT_STATUS_IS_OK(status
) && (num_entries
!= 0) ) {
1044 if (mapped_count
== 0) {
1045 status
= NT_STATUS_NONE_MAPPED
;
1046 } else if (mapped_count
!= num_entries
) {
1047 status
= STATUS_SOME_UNMAPPED
;
1051 *r
->out
.count
= mapped_count
;
1052 *r
->out
.domains
= domains
;
1053 r
->out
.sids
->sids
= rids
;
1054 r
->out
.sids
->count
= num_entries
;
1059 /***************************************************************************
1061 ***************************************************************************/
1063 NTSTATUS
_lsa_LookupNames2(pipes_struct
*p
,
1064 struct lsa_LookupNames2
*r
)
1067 struct lsa_LookupNames q
;
1068 struct lsa_TransSidArray2
*sid_array2
= r
->in
.sids
;
1069 struct lsa_TransSidArray
*sid_array
= NULL
;
1072 sid_array
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_TransSidArray
);
1074 return NT_STATUS_NO_MEMORY
;
1077 q
.in
.handle
= r
->in
.handle
;
1078 q
.in
.num_names
= r
->in
.num_names
;
1079 q
.in
.names
= r
->in
.names
;
1080 q
.in
.level
= r
->in
.level
;
1081 q
.in
.sids
= sid_array
;
1082 q
.in
.count
= r
->in
.count
;
1083 /* we do not know what this is for */
1084 /* = r->in.unknown1; */
1085 /* = r->in.unknown2; */
1087 q
.out
.domains
= r
->out
.domains
;
1088 q
.out
.sids
= sid_array
;
1089 q
.out
.count
= r
->out
.count
;
1091 status
= _lsa_LookupNames(p
, &q
);
1093 sid_array2
->count
= sid_array
->count
;
1094 sid_array2
->sids
= TALLOC_ARRAY(p
->mem_ctx
, struct lsa_TranslatedSid2
, sid_array
->count
);
1095 if (!sid_array2
->sids
) {
1096 return NT_STATUS_NO_MEMORY
;
1099 for (i
=0; i
<sid_array
->count
; i
++) {
1100 sid_array2
->sids
[i
].sid_type
= sid_array
->sids
[i
].sid_type
;
1101 sid_array2
->sids
[i
].rid
= sid_array
->sids
[i
].rid
;
1102 sid_array2
->sids
[i
].sid_index
= sid_array
->sids
[i
].sid_index
;
1103 sid_array2
->sids
[i
].unknown
= 0;
1106 r
->out
.sids
= sid_array2
;
1111 /***************************************************************************
1113 ***************************************************************************/
1115 NTSTATUS
_lsa_LookupNames3(pipes_struct
*p
,
1116 struct lsa_LookupNames3
*r
)
1119 struct lsa_info
*handle
;
1120 struct lsa_String
*names
= r
->in
.names
;
1121 uint32 num_entries
= r
->in
.num_names
;
1122 struct lsa_RefDomainList
*domains
= NULL
;
1123 struct lsa_TranslatedSid3
*trans_sids
= NULL
;
1124 uint32 mapped_count
= 0;
1126 bool check_policy
= true;
1128 switch (p
->hdr_req
.opnum
) {
1129 case NDR_LSA_LOOKUPNAMES4
:
1130 check_policy
= false;
1132 case NDR_LSA_LOOKUPNAMES3
:
1134 check_policy
= true;
1137 if (num_entries
> MAX_LOOKUP_SIDS
) {
1138 num_entries
= MAX_LOOKUP_SIDS
;
1139 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries
));
1142 /* Probably the lookup_level is some sort of bitmask. */
1143 if (r
->in
.level
== 1) {
1144 flags
= LOOKUP_NAME_ALL
;
1147 domains
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_RefDomainList
);
1149 return NT_STATUS_NO_MEMORY
;
1153 trans_sids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_TranslatedSid3
,
1156 return NT_STATUS_NO_MEMORY
;
1164 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
1165 status
= NT_STATUS_INVALID_HANDLE
;
1169 /* check if the user has enough rights */
1170 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
1171 status
= NT_STATUS_ACCESS_DENIED
;
1176 /* set up the LSA Lookup SIDs response */
1177 become_root(); /* lookup_name can require root privs */
1178 status
= lookup_lsa_sids(p
->mem_ctx
, domains
, trans_sids
, num_entries
,
1179 names
, flags
, &mapped_count
);
1184 if (NT_STATUS_IS_OK(status
)) {
1185 if (mapped_count
== 0) {
1186 status
= NT_STATUS_NONE_MAPPED
;
1187 } else if (mapped_count
!= num_entries
) {
1188 status
= STATUS_SOME_UNMAPPED
;
1192 *r
->out
.count
= mapped_count
;
1193 *r
->out
.domains
= domains
;
1194 r
->out
.sids
->sids
= trans_sids
;
1195 r
->out
.sids
->count
= num_entries
;
1200 /***************************************************************************
1202 ***************************************************************************/
1204 NTSTATUS
_lsa_LookupNames4(pipes_struct
*p
,
1205 struct lsa_LookupNames4
*r
)
1207 struct lsa_LookupNames3 q
;
1209 /* No policy handle on this call. Restrict to crypto connections. */
1210 if (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) {
1211 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1212 get_remote_machine_name() ));
1213 return NT_STATUS_INVALID_PARAMETER
;
1217 q
.in
.num_names
= r
->in
.num_names
;
1218 q
.in
.names
= r
->in
.names
;
1219 q
.in
.level
= r
->in
.level
;
1220 q
.in
.unknown1
= r
->in
.unknown1
;
1221 q
.in
.unknown2
= r
->in
.unknown2
;
1222 q
.in
.sids
= r
->in
.sids
;
1223 q
.in
.count
= r
->in
.count
;
1225 q
.out
.domains
= r
->out
.domains
;
1226 q
.out
.sids
= r
->out
.sids
;
1227 q
.out
.count
= r
->out
.count
;
1229 return _lsa_LookupNames3(p
, &q
);
1232 /***************************************************************************
1233 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1234 ***************************************************************************/
1236 NTSTATUS
_lsa_Close(pipes_struct
*p
, struct lsa_Close
*r
)
1238 if (!find_policy_by_hnd(p
, r
->in
.handle
, NULL
)) {
1239 return NT_STATUS_INVALID_HANDLE
;
1242 close_policy_hnd(p
, r
->in
.handle
);
1243 ZERO_STRUCTP(r
->out
.handle
);
1244 return NT_STATUS_OK
;
1247 /***************************************************************************
1248 ***************************************************************************/
1250 NTSTATUS
_lsa_OpenSecret(pipes_struct
*p
, struct lsa_OpenSecret
*r
)
1252 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1255 /***************************************************************************
1256 ***************************************************************************/
1258 NTSTATUS
_lsa_OpenTrustedDomain(pipes_struct
*p
, struct lsa_OpenTrustedDomain
*r
)
1260 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1263 /***************************************************************************
1264 ***************************************************************************/
1266 NTSTATUS
_lsa_CreateTrustedDomain(pipes_struct
*p
, struct lsa_CreateTrustedDomain
*r
)
1268 return NT_STATUS_ACCESS_DENIED
;
1271 /***************************************************************************
1272 ***************************************************************************/
1274 NTSTATUS
_lsa_CreateSecret(pipes_struct
*p
, struct lsa_CreateSecret
*r
)
1276 return NT_STATUS_ACCESS_DENIED
;
1279 /***************************************************************************
1280 ***************************************************************************/
1282 NTSTATUS
_lsa_SetSecret(pipes_struct
*p
, struct lsa_SetSecret
*r
)
1284 return NT_STATUS_ACCESS_DENIED
;
1287 /***************************************************************************
1289 ***************************************************************************/
1291 NTSTATUS
_lsa_DeleteObject(pipes_struct
*p
,
1292 struct lsa_DeleteObject
*r
)
1294 return NT_STATUS_ACCESS_DENIED
;
1297 /***************************************************************************
1299 ***************************************************************************/
1301 NTSTATUS
_lsa_EnumPrivs(pipes_struct
*p
,
1302 struct lsa_EnumPrivs
*r
)
1304 struct lsa_info
*handle
;
1306 uint32 enum_context
= *r
->in
.resume_handle
;
1307 int num_privs
= count_all_privileges();
1308 struct lsa_PrivEntry
*entries
= NULL
;
1311 /* remember that the enum_context starts at 0 and not 1 */
1313 if ( enum_context
>= num_privs
)
1314 return NT_STATUS_NO_MORE_ENTRIES
;
1316 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1317 enum_context
, num_privs
));
1319 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1320 return NT_STATUS_INVALID_HANDLE
;
1322 /* check if the user has enough rights
1323 I don't know if it's the right one. not documented. */
1325 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1326 return NT_STATUS_ACCESS_DENIED
;
1329 entries
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_PrivEntry
, num_privs
);
1331 return NT_STATUS_NO_MEMORY
;
1337 for (i
= 0; i
< num_privs
; i
++) {
1338 if( i
< enum_context
) {
1340 init_lsa_StringLarge(&entries
[i
].name
, NULL
);
1342 entries
[i
].luid
.low
= 0;
1343 entries
[i
].luid
.high
= 0;
1346 init_lsa_StringLarge(&entries
[i
].name
, privs
[i
].name
);
1348 luid
= get_privilege_luid( &privs
[i
].se_priv
);
1350 entries
[i
].luid
.low
= luid
.luid
.low
;
1351 entries
[i
].luid
.high
= luid
.luid
.high
;
1355 enum_context
= num_privs
;
1357 *r
->out
.resume_handle
= enum_context
;
1358 r
->out
.privs
->count
= num_privs
;
1359 r
->out
.privs
->privs
= entries
;
1361 return NT_STATUS_OK
;
1364 /***************************************************************************
1365 _lsa_LookupPrivDisplayName
1366 ***************************************************************************/
1368 NTSTATUS
_lsa_LookupPrivDisplayName(pipes_struct
*p
,
1369 struct lsa_LookupPrivDisplayName
*r
)
1371 struct lsa_info
*handle
;
1372 const char *description
;
1373 struct lsa_StringLarge
*lsa_name
;
1375 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1376 return NT_STATUS_INVALID_HANDLE
;
1378 /* check if the user has enough rights */
1381 * I don't know if it's the right one. not documented.
1383 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1384 return NT_STATUS_ACCESS_DENIED
;
1386 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r
->in
.name
->string
));
1388 description
= get_privilege_dispname(r
->in
.name
->string
);
1390 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1391 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1394 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description
));
1396 lsa_name
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_StringLarge
);
1398 return NT_STATUS_NO_MEMORY
;
1401 init_lsa_StringLarge(lsa_name
, description
);
1403 *r
->out
.returned_language_id
= r
->in
.language_id
;
1404 *r
->out
.disp_name
= lsa_name
;
1406 return NT_STATUS_OK
;
1409 /***************************************************************************
1411 ***************************************************************************/
1413 NTSTATUS
_lsa_EnumAccounts(pipes_struct
*p
,
1414 struct lsa_EnumAccounts
*r
)
1416 struct lsa_info
*handle
;
1418 int i
, j
, num_entries
;
1420 struct lsa_SidPtr
*sids
= NULL
;
1422 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1423 return NT_STATUS_INVALID_HANDLE
;
1425 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1426 return NT_STATUS_ACCESS_DENIED
;
1431 /* The only way we can currently find out all the SIDs that have been
1432 privileged is to scan all privileges */
1434 status
= privilege_enumerate_accounts(&sid_list
, &num_entries
);
1435 if (!NT_STATUS_IS_OK(status
)) {
1439 if (*r
->in
.resume_handle
>= num_entries
) {
1440 return NT_STATUS_NO_MORE_ENTRIES
;
1443 if (num_entries
- *r
->in
.resume_handle
) {
1444 sids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_SidPtr
,
1445 num_entries
- *r
->in
.resume_handle
);
1447 SAFE_FREE(sid_list
);
1448 return NT_STATUS_NO_MEMORY
;
1451 for (i
= *r
->in
.resume_handle
, j
= 0; i
< num_entries
; i
++, j
++) {
1452 sids
[j
].sid
= sid_dup_talloc(p
->mem_ctx
, &sid_list
[i
]);
1454 SAFE_FREE(sid_list
);
1455 return NT_STATUS_NO_MEMORY
;
1460 talloc_free(sid_list
);
1462 *r
->out
.resume_handle
= num_entries
;
1463 r
->out
.sids
->num_sids
= num_entries
;
1464 r
->out
.sids
->sids
= sids
;
1466 return NT_STATUS_OK
;
1469 /***************************************************************************
1471 ***************************************************************************/
1473 NTSTATUS
_lsa_GetUserName(pipes_struct
*p
,
1474 struct lsa_GetUserName
*r
)
1476 const char *username
, *domname
;
1477 struct lsa_String
*account_name
= NULL
;
1478 struct lsa_String
*authority_name
= NULL
;
1480 if (r
->in
.account_name
&&
1481 *r
->in
.account_name
) {
1482 return NT_STATUS_INVALID_PARAMETER
;
1485 if (r
->in
.authority_name
&&
1486 *r
->in
.authority_name
) {
1487 return NT_STATUS_INVALID_PARAMETER
;
1490 if (p
->server_info
->guest
) {
1492 * I'm 99% sure this is not the right place to do this,
1493 * global_sid_Anonymous should probably be put into the token
1494 * instead of the guest id -- vl
1496 if (!lookup_sid(p
->mem_ctx
, &global_sid_Anonymous
,
1497 &domname
, &username
, NULL
)) {
1498 return NT_STATUS_NO_MEMORY
;
1501 username
= p
->server_info
->sanitized_username
;
1502 domname
= pdb_get_domain(p
->server_info
->sam_account
);
1505 account_name
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_String
);
1506 if (!account_name
) {
1507 return NT_STATUS_NO_MEMORY
;
1509 init_lsa_String(account_name
, username
);
1511 if (r
->out
.authority_name
) {
1512 authority_name
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_String
);
1513 if (!authority_name
) {
1514 return NT_STATUS_NO_MEMORY
;
1516 init_lsa_String(authority_name
, domname
);
1519 *r
->out
.account_name
= account_name
;
1520 if (r
->out
.authority_name
) {
1521 *r
->out
.authority_name
= authority_name
;
1524 return NT_STATUS_OK
;
1527 /***************************************************************************
1529 ***************************************************************************/
1531 NTSTATUS
_lsa_CreateAccount(pipes_struct
*p
,
1532 struct lsa_CreateAccount
*r
)
1534 struct lsa_info
*handle
;
1535 struct lsa_info
*info
;
1537 /* find the connection policy handle. */
1538 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1539 return NT_STATUS_INVALID_HANDLE
;
1541 /* check if the user has enough rights */
1544 * I don't know if it's the right one. not documented.
1545 * but guessed with rpcclient.
1547 if (!(handle
->access
& LSA_POLICY_GET_PRIVATE_INFORMATION
))
1548 return NT_STATUS_ACCESS_DENIED
;
1550 /* check to see if the pipe_user is a Domain Admin since
1551 account_pol.tdb was already opened as root, this is all we have */
1553 if ( p
->pipe_user
.ut
.uid
!= sec_initial_uid()
1554 && !nt_token_check_domain_rid( p
->pipe_user
.nt_user_token
, DOMAIN_GROUP_RID_ADMINS
) )
1555 return NT_STATUS_ACCESS_DENIED
;
1557 if ( is_privileged_sid( r
->in
.sid
) )
1558 return NT_STATUS_OBJECT_NAME_COLLISION
;
1560 /* associate the user/group SID with the (unique) handle. */
1562 if ((info
= SMB_MALLOC_P(struct lsa_info
)) == NULL
)
1563 return NT_STATUS_NO_MEMORY
;
1566 info
->sid
= *r
->in
.sid
;
1567 info
->access
= r
->in
.access_mask
;
1569 /* get a (unique) handle. open a policy on it. */
1570 if (!create_policy_hnd(p
, r
->out
.acct_handle
, free_lsa_info
, (void *)info
))
1571 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1573 return privilege_create_account( &info
->sid
);
1577 /***************************************************************************
1579 ***************************************************************************/
1581 NTSTATUS
_lsa_OpenAccount(pipes_struct
*p
,
1582 struct lsa_OpenAccount
*r
)
1584 struct lsa_info
*handle
;
1585 struct lsa_info
*info
;
1587 /* find the connection policy handle. */
1588 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1589 return NT_STATUS_INVALID_HANDLE
;
1591 /* check if the user has enough rights */
1594 * I don't know if it's the right one. not documented.
1595 * but guessed with rpcclient.
1597 if (!(handle
->access
& LSA_POLICY_GET_PRIVATE_INFORMATION
))
1598 return NT_STATUS_ACCESS_DENIED
;
1600 /* TODO: Fis the parsing routine before reenabling this check! */
1602 if (!lookup_sid(&handle
->sid
, dom_name
, name
, &type
))
1603 return NT_STATUS_ACCESS_DENIED
;
1605 /* associate the user/group SID with the (unique) handle. */
1606 if ((info
= SMB_MALLOC_P(struct lsa_info
)) == NULL
)
1607 return NT_STATUS_NO_MEMORY
;
1610 info
->sid
= *r
->in
.sid
;
1611 info
->access
= r
->in
.access_mask
;
1613 /* get a (unique) handle. open a policy on it. */
1614 if (!create_policy_hnd(p
, r
->out
.acct_handle
, free_lsa_info
, (void *)info
))
1615 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1617 return NT_STATUS_OK
;
1620 /***************************************************************************
1621 _lsa_EnumPrivsAccount
1622 For a given SID, enumerate all the privilege this account has.
1623 ***************************************************************************/
1625 NTSTATUS
_lsa_EnumPrivsAccount(pipes_struct
*p
,
1626 struct lsa_EnumPrivsAccount
*r
)
1628 NTSTATUS status
= NT_STATUS_OK
;
1629 struct lsa_info
*info
=NULL
;
1631 PRIVILEGE_SET privileges
;
1632 struct lsa_PrivilegeSet
*priv_set
= NULL
;
1633 struct lsa_LUIDAttribute
*luid_attrs
= NULL
;
1636 /* find the connection policy handle. */
1637 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1638 return NT_STATUS_INVALID_HANDLE
;
1640 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1641 return NT_STATUS_ACCESS_DENIED
;
1643 if ( !get_privileges_for_sids( &mask
, &info
->sid
, 1 ) )
1644 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1646 privilege_set_init( &privileges
);
1648 if ( se_priv_to_privilege_set( &privileges
, &mask
) ) {
1650 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1651 sid_string_dbg(&info
->sid
),
1654 priv_set
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_PrivilegeSet
);
1656 status
= NT_STATUS_NO_MEMORY
;
1660 luid_attrs
= TALLOC_ZERO_ARRAY(p
->mem_ctx
,
1661 struct lsa_LUIDAttribute
,
1664 status
= NT_STATUS_NO_MEMORY
;
1668 for (i
=0; i
<privileges
.count
; i
++) {
1669 luid_attrs
[i
].luid
.low
= privileges
.set
[i
].luid
.low
;
1670 luid_attrs
[i
].luid
.high
= privileges
.set
[i
].luid
.high
;
1671 luid_attrs
[i
].attribute
= privileges
.set
[i
].attr
;
1674 priv_set
->count
= privileges
.count
;
1675 priv_set
->unknown
= 0;
1676 priv_set
->set
= luid_attrs
;
1678 *r
->out
.privs
= priv_set
;
1680 status
= NT_STATUS_NO_SUCH_PRIVILEGE
;
1684 privilege_set_free( &privileges
);
1689 /***************************************************************************
1690 _lsa_GetSystemAccessAccount
1691 ***************************************************************************/
1693 NTSTATUS
_lsa_GetSystemAccessAccount(pipes_struct
*p
,
1694 struct lsa_GetSystemAccessAccount
*r
)
1696 struct lsa_info
*info
=NULL
;
1698 /* find the connection policy handle. */
1700 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1701 return NT_STATUS_INVALID_HANDLE
;
1703 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1704 return NT_STATUS_ACCESS_DENIED
;
1706 if (!lookup_sid(p
->mem_ctx
, &info
->sid
, NULL
, NULL
, NULL
))
1707 return NT_STATUS_ACCESS_DENIED
;
1710 0x01 -> Log on locally
1711 0x02 -> Access this computer from network
1712 0x04 -> Log on as a batch job
1713 0x10 -> Log on as a service
1715 they can be ORed together
1718 *r
->out
.access_mask
= PR_LOG_ON_LOCALLY
| PR_ACCESS_FROM_NETWORK
;
1720 return NT_STATUS_OK
;
1723 /***************************************************************************
1724 update the systemaccount information
1725 ***************************************************************************/
1727 NTSTATUS
_lsa_SetSystemAccessAccount(pipes_struct
*p
,
1728 struct lsa_SetSystemAccessAccount
*r
)
1730 struct lsa_info
*info
=NULL
;
1733 /* find the connection policy handle. */
1734 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1735 return NT_STATUS_INVALID_HANDLE
;
1737 /* check to see if the pipe_user is a Domain Admin since
1738 account_pol.tdb was already opened as root, this is all we have */
1740 if ( p
->pipe_user
.ut
.uid
!= sec_initial_uid()
1741 && !nt_token_check_domain_rid( p
->pipe_user
.nt_user_token
, DOMAIN_GROUP_RID_ADMINS
) )
1742 return NT_STATUS_ACCESS_DENIED
;
1744 if (!pdb_getgrsid(&map
, info
->sid
))
1745 return NT_STATUS_NO_SUCH_GROUP
;
1747 return pdb_update_group_mapping_entry(&map
);
1750 /***************************************************************************
1751 _lsa_AddPrivilegesToAccount
1752 For a given SID, add some privileges.
1753 ***************************************************************************/
1755 NTSTATUS
_lsa_AddPrivilegesToAccount(pipes_struct
*p
,
1756 struct lsa_AddPrivilegesToAccount
*r
)
1758 struct lsa_info
*info
= NULL
;
1760 struct lsa_PrivilegeSet
*set
= NULL
;
1762 /* find the connection policy handle. */
1763 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1764 return NT_STATUS_INVALID_HANDLE
;
1766 /* check to see if the pipe_user is root or a Domain Admin since
1767 account_pol.tdb was already opened as root, this is all we have */
1769 if ( p
->pipe_user
.ut
.uid
!= sec_initial_uid()
1770 && !nt_token_check_domain_rid( p
->pipe_user
.nt_user_token
, DOMAIN_GROUP_RID_ADMINS
) )
1772 return NT_STATUS_ACCESS_DENIED
;
1776 if ( !privilege_set_to_se_priv( &mask
, set
) )
1777 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1779 if ( !grant_privilege( &info
->sid
, &mask
) ) {
1780 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1781 sid_string_dbg(&info
->sid
) ));
1782 DEBUG(3,("Privilege mask:\n"));
1783 dump_se_priv( DBGC_ALL
, 3, &mask
);
1784 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1787 return NT_STATUS_OK
;
1790 /***************************************************************************
1791 _lsa_RemovePrivilegesFromAccount
1792 For a given SID, remove some privileges.
1793 ***************************************************************************/
1795 NTSTATUS
_lsa_RemovePrivilegesFromAccount(pipes_struct
*p
,
1796 struct lsa_RemovePrivilegesFromAccount
*r
)
1798 struct lsa_info
*info
= NULL
;
1800 struct lsa_PrivilegeSet
*set
= NULL
;
1802 /* find the connection policy handle. */
1803 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1804 return NT_STATUS_INVALID_HANDLE
;
1806 /* check to see if the pipe_user is root or a Domain Admin since
1807 account_pol.tdb was already opened as root, this is all we have */
1809 if ( p
->pipe_user
.ut
.uid
!= sec_initial_uid()
1810 && !nt_token_check_domain_rid( p
->pipe_user
.nt_user_token
, DOMAIN_GROUP_RID_ADMINS
) )
1812 return NT_STATUS_ACCESS_DENIED
;
1817 if ( !privilege_set_to_se_priv( &mask
, set
) )
1818 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1820 if ( !revoke_privilege( &info
->sid
, &mask
) ) {
1821 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
1822 sid_string_dbg(&info
->sid
) ));
1823 DEBUG(3,("Privilege mask:\n"));
1824 dump_se_priv( DBGC_ALL
, 3, &mask
);
1825 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1828 return NT_STATUS_OK
;
1831 /***************************************************************************
1833 ***************************************************************************/
1835 NTSTATUS
_lsa_QuerySecurity(pipes_struct
*p
,
1836 struct lsa_QuerySecurity
*r
)
1838 struct lsa_info
*handle
=NULL
;
1839 SEC_DESC
*psd
= NULL
;
1843 /* find the connection policy handle. */
1844 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1845 return NT_STATUS_INVALID_HANDLE
;
1847 /* check if the user has enough rights */
1848 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1849 return NT_STATUS_ACCESS_DENIED
;
1851 switch (r
->in
.sec_info
) {
1853 /* SD contains only the owner */
1855 status
=lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
1856 if(!NT_STATUS_IS_OK(status
))
1857 return NT_STATUS_NO_MEMORY
;
1860 if((*r
->out
.sdbuf
= make_sec_desc_buf(p
->mem_ctx
, sd_size
, psd
)) == NULL
)
1861 return NT_STATUS_NO_MEMORY
;
1864 /* SD contains only the ACL */
1866 status
=lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
1867 if(!NT_STATUS_IS_OK(status
))
1868 return NT_STATUS_NO_MEMORY
;
1870 if((*r
->out
.sdbuf
= make_sec_desc_buf(p
->mem_ctx
, sd_size
, psd
)) == NULL
)
1871 return NT_STATUS_NO_MEMORY
;
1874 return NT_STATUS_INVALID_LEVEL
;
1880 #if 0 /* AD DC work in ongoing in Samba 4 */
1882 /***************************************************************************
1883 ***************************************************************************/
1885 NTSTATUS
_lsa_query_info2(pipes_struct
*p
, LSA_Q_QUERY_INFO2
*q_u
, LSA_R_QUERY_INFO2
*r_u
)
1887 struct lsa_info
*handle
;
1888 const char *nb_name
;
1889 char *dns_name
= NULL
;
1890 char *forest_name
= NULL
;
1891 DOM_SID
*sid
= NULL
;
1896 r_u
->status
= NT_STATUS_OK
;
1898 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)(void *)&handle
))
1899 return NT_STATUS_INVALID_HANDLE
;
1901 switch (q_u
->info_class
) {
1903 /* check if the user has enough rights */
1904 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1905 return NT_STATUS_ACCESS_DENIED
;
1907 /* Request PolicyPrimaryDomainInformation. */
1908 switch (lp_server_role()) {
1909 case ROLE_DOMAIN_PDC
:
1910 case ROLE_DOMAIN_BDC
:
1911 nb_name
= get_global_sam_name();
1912 /* ugly temp hack for these next two */
1914 /* This should be a 'netbios domain -> DNS domain' mapping */
1915 dnsdomname
= get_mydnsdomname(p
->mem_ctx
);
1916 if (!dnsdomname
|| !*dnsdomname
) {
1917 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
1919 strlower_m(dnsdomname
);
1921 dns_name
= dnsdomname
;
1922 forest_name
= dnsdomname
;
1924 sid
= get_global_sam_sid();
1925 secrets_fetch_domain_guid(lp_workgroup(), &guid
);
1928 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
1930 init_dns_dom_info(&r_u
->info
.dns_dom_info
, nb_name
, dns_name
,
1931 forest_name
,&guid
,sid
);
1934 DEBUG(0,("_lsa_query_info2: unknown info level in Lsa Query: %d\n", q_u
->info_class
));
1935 r_u
->status
= NT_STATUS_INVALID_INFO_CLASS
;
1939 if (NT_STATUS_IS_OK(r_u
->status
)) {
1941 r_u
->info_class
= q_u
->info_class
;
1946 #endif /* AD DC work in ongoing in Samba 4 */
1948 /***************************************************************************
1949 _lsa_AddAccountRights
1950 ***************************************************************************/
1952 NTSTATUS
_lsa_AddAccountRights(pipes_struct
*p
,
1953 struct lsa_AddAccountRights
*r
)
1955 struct lsa_info
*info
= NULL
;
1959 /* find the connection policy handle. */
1960 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1961 return NT_STATUS_INVALID_HANDLE
;
1963 /* check to see if the pipe_user is a Domain Admin since
1964 account_pol.tdb was already opened as root, this is all we have */
1966 if ( p
->pipe_user
.ut
.uid
!= sec_initial_uid()
1967 && !nt_token_check_domain_rid( p
->pipe_user
.nt_user_token
, DOMAIN_GROUP_RID_ADMINS
) )
1969 return NT_STATUS_ACCESS_DENIED
;
1972 /* according to an NT4 PDC, you can add privileges to SIDs even without
1973 call_lsa_create_account() first. And you can use any arbitrary SID. */
1975 sid_copy( &sid
, r
->in
.sid
);
1977 for ( i
=0; i
< r
->in
.rights
->count
; i
++ ) {
1979 const char *privname
= r
->in
.rights
->names
[i
].string
;
1981 /* only try to add non-null strings */
1986 if ( !grant_privilege_by_name( &sid
, privname
) ) {
1987 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
1989 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1993 return NT_STATUS_OK
;
1996 /***************************************************************************
1997 _lsa_RemoveAccountRights
1998 ***************************************************************************/
2000 NTSTATUS
_lsa_RemoveAccountRights(pipes_struct
*p
,
2001 struct lsa_RemoveAccountRights
*r
)
2003 struct lsa_info
*info
= NULL
;
2006 const char *privname
= NULL
;
2008 /* find the connection policy handle. */
2009 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2010 return NT_STATUS_INVALID_HANDLE
;
2012 /* check to see if the pipe_user is a Domain Admin since
2013 account_pol.tdb was already opened as root, this is all we have */
2015 if ( p
->pipe_user
.ut
.uid
!= sec_initial_uid()
2016 && !nt_token_check_domain_rid( p
->pipe_user
.nt_user_token
, DOMAIN_GROUP_RID_ADMINS
) )
2018 return NT_STATUS_ACCESS_DENIED
;
2021 sid_copy( &sid
, r
->in
.sid
);
2023 if ( r
->in
.remove_all
) {
2024 if ( !revoke_all_privileges( &sid
) )
2025 return NT_STATUS_ACCESS_DENIED
;
2027 return NT_STATUS_OK
;
2030 for ( i
=0; i
< r
->in
.rights
->count
; i
++ ) {
2032 privname
= r
->in
.rights
->names
[i
].string
;
2034 /* only try to add non-null strings */
2039 if ( !revoke_privilege_by_name( &sid
, privname
) ) {
2040 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2042 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2046 return NT_STATUS_OK
;
2049 /*******************************************************************
2050 ********************************************************************/
2052 static NTSTATUS
init_lsa_right_set(TALLOC_CTX
*mem_ctx
,
2053 struct lsa_RightSet
*r
,
2054 PRIVILEGE_SET
*privileges
)
2057 const char *privname
;
2058 const char **privname_array
= NULL
;
2061 for (i
=0; i
<privileges
->count
; i
++) {
2063 privname
= luid_to_privilege_name(&privileges
->set
[i
].luid
);
2065 if (!add_string_to_array(mem_ctx
, privname
,
2066 &privname_array
, &num_priv
)) {
2067 return NT_STATUS_NO_MEMORY
;
2074 r
->names
= TALLOC_ZERO_ARRAY(mem_ctx
, struct lsa_StringLarge
,
2077 return NT_STATUS_NO_MEMORY
;
2080 for (i
=0; i
<num_priv
; i
++) {
2081 init_lsa_StringLarge(&r
->names
[i
], privname_array
[i
]);
2084 r
->count
= num_priv
;
2087 return NT_STATUS_OK
;
2090 /***************************************************************************
2091 _lsa_EnumAccountRights
2092 ***************************************************************************/
2094 NTSTATUS
_lsa_EnumAccountRights(pipes_struct
*p
,
2095 struct lsa_EnumAccountRights
*r
)
2098 struct lsa_info
*info
= NULL
;
2100 PRIVILEGE_SET privileges
;
2103 /* find the connection policy handle. */
2105 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2106 return NT_STATUS_INVALID_HANDLE
;
2108 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
2109 return NT_STATUS_ACCESS_DENIED
;
2111 /* according to an NT4 PDC, you can add privileges to SIDs even without
2112 call_lsa_create_account() first. And you can use any arbitrary SID. */
2114 sid_copy( &sid
, r
->in
.sid
);
2116 if ( !get_privileges_for_sids( &mask
, &sid
, 1 ) )
2117 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
2119 privilege_set_init( &privileges
);
2121 if ( se_priv_to_privilege_set( &privileges
, &mask
) ) {
2123 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2124 sid_string_dbg(&sid
), privileges
.count
));
2126 status
= init_lsa_right_set(p
->mem_ctx
, r
->out
.rights
, &privileges
);
2128 status
= NT_STATUS_NO_SUCH_PRIVILEGE
;
2131 privilege_set_free( &privileges
);
2136 /***************************************************************************
2137 _lsa_LookupPrivValue
2138 ***************************************************************************/
2140 NTSTATUS
_lsa_LookupPrivValue(pipes_struct
*p
,
2141 struct lsa_LookupPrivValue
*r
)
2143 struct lsa_info
*info
= NULL
;
2144 const char *name
= NULL
;
2145 LUID_ATTR priv_luid
;
2148 /* find the connection policy handle. */
2150 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2151 return NT_STATUS_INVALID_HANDLE
;
2153 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
2154 return NT_STATUS_ACCESS_DENIED
;
2156 name
= r
->in
.name
->string
;
2158 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name
));
2160 if ( !se_priv_from_name( name
, &mask
) )
2161 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2163 priv_luid
= get_privilege_luid( &mask
);
2165 r
->out
.luid
->low
= priv_luid
.luid
.low
;
2166 r
->out
.luid
->high
= priv_luid
.luid
.high
;
2168 return NT_STATUS_OK
;
2172 * From here on the server routines are just dummy ones to make smbd link with
2173 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2174 * pulling the server stubs across one by one.
2177 NTSTATUS
_lsa_Delete(pipes_struct
*p
, struct lsa_Delete
*r
)
2179 p
->rng_fault_state
= True
;
2180 return NT_STATUS_NOT_IMPLEMENTED
;
2183 NTSTATUS
_lsa_SetSecObj(pipes_struct
*p
, struct lsa_SetSecObj
*r
)
2185 p
->rng_fault_state
= True
;
2186 return NT_STATUS_NOT_IMPLEMENTED
;
2189 NTSTATUS
_lsa_ChangePassword(pipes_struct
*p
, struct lsa_ChangePassword
*r
)
2191 p
->rng_fault_state
= True
;
2192 return NT_STATUS_NOT_IMPLEMENTED
;
2195 NTSTATUS
_lsa_SetInfoPolicy(pipes_struct
*p
, struct lsa_SetInfoPolicy
*r
)
2197 p
->rng_fault_state
= True
;
2198 return NT_STATUS_NOT_IMPLEMENTED
;
2201 NTSTATUS
_lsa_ClearAuditLog(pipes_struct
*p
, struct lsa_ClearAuditLog
*r
)
2203 p
->rng_fault_state
= True
;
2204 return NT_STATUS_NOT_IMPLEMENTED
;
2207 NTSTATUS
_lsa_GetQuotasForAccount(pipes_struct
*p
, struct lsa_GetQuotasForAccount
*r
)
2209 p
->rng_fault_state
= True
;
2210 return NT_STATUS_NOT_IMPLEMENTED
;
2213 NTSTATUS
_lsa_SetQuotasForAccount(pipes_struct
*p
, struct lsa_SetQuotasForAccount
*r
)
2215 p
->rng_fault_state
= True
;
2216 return NT_STATUS_NOT_IMPLEMENTED
;
2219 NTSTATUS
_lsa_QueryTrustedDomainInfo(pipes_struct
*p
, struct lsa_QueryTrustedDomainInfo
*r
)
2221 p
->rng_fault_state
= True
;
2222 return NT_STATUS_NOT_IMPLEMENTED
;
2225 NTSTATUS
_lsa_SetInformationTrustedDomain(pipes_struct
*p
, struct lsa_SetInformationTrustedDomain
*r
)
2227 p
->rng_fault_state
= True
;
2228 return NT_STATUS_NOT_IMPLEMENTED
;
2231 NTSTATUS
_lsa_QuerySecret(pipes_struct
*p
, struct lsa_QuerySecret
*r
)
2233 p
->rng_fault_state
= True
;
2234 return NT_STATUS_NOT_IMPLEMENTED
;
2237 NTSTATUS
_lsa_LookupPrivName(pipes_struct
*p
, struct lsa_LookupPrivName
*r
)
2239 p
->rng_fault_state
= True
;
2240 return NT_STATUS_NOT_IMPLEMENTED
;
2243 NTSTATUS
_lsa_EnumAccountsWithUserRight(pipes_struct
*p
, struct lsa_EnumAccountsWithUserRight
*r
)
2245 p
->rng_fault_state
= True
;
2246 return NT_STATUS_NOT_IMPLEMENTED
;
2249 NTSTATUS
_lsa_QueryTrustedDomainInfoBySid(pipes_struct
*p
, struct lsa_QueryTrustedDomainInfoBySid
*r
)
2251 p
->rng_fault_state
= True
;
2252 return NT_STATUS_NOT_IMPLEMENTED
;
2255 NTSTATUS
_lsa_SetTrustedDomainInfo(pipes_struct
*p
, struct lsa_SetTrustedDomainInfo
*r
)
2257 p
->rng_fault_state
= True
;
2258 return NT_STATUS_NOT_IMPLEMENTED
;
2261 NTSTATUS
_lsa_DeleteTrustedDomain(pipes_struct
*p
, struct lsa_DeleteTrustedDomain
*r
)
2263 p
->rng_fault_state
= True
;
2264 return NT_STATUS_NOT_IMPLEMENTED
;
2267 NTSTATUS
_lsa_StorePrivateData(pipes_struct
*p
, struct lsa_StorePrivateData
*r
)
2269 p
->rng_fault_state
= True
;
2270 return NT_STATUS_NOT_IMPLEMENTED
;
2273 NTSTATUS
_lsa_RetrievePrivateData(pipes_struct
*p
, struct lsa_RetrievePrivateData
*r
)
2275 p
->rng_fault_state
= True
;
2276 return NT_STATUS_NOT_IMPLEMENTED
;
2279 NTSTATUS
_lsa_QueryInfoPolicy2(pipes_struct
*p
, struct lsa_QueryInfoPolicy2
*r
)
2281 p
->rng_fault_state
= True
;
2282 return NT_STATUS_NOT_IMPLEMENTED
;
2285 NTSTATUS
_lsa_SetInfoPolicy2(pipes_struct
*p
, struct lsa_SetInfoPolicy2
*r
)
2287 p
->rng_fault_state
= True
;
2288 return NT_STATUS_NOT_IMPLEMENTED
;
2291 NTSTATUS
_lsa_QueryTrustedDomainInfoByName(pipes_struct
*p
, struct lsa_QueryTrustedDomainInfoByName
*r
)
2293 p
->rng_fault_state
= True
;
2294 return NT_STATUS_NOT_IMPLEMENTED
;
2297 NTSTATUS
_lsa_SetTrustedDomainInfoByName(pipes_struct
*p
, struct lsa_SetTrustedDomainInfoByName
*r
)
2299 p
->rng_fault_state
= True
;
2300 return NT_STATUS_NOT_IMPLEMENTED
;
2303 NTSTATUS
_lsa_EnumTrustedDomainsEx(pipes_struct
*p
, struct lsa_EnumTrustedDomainsEx
*r
)
2305 p
->rng_fault_state
= True
;
2306 return NT_STATUS_NOT_IMPLEMENTED
;
2309 NTSTATUS
_lsa_CreateTrustedDomainEx(pipes_struct
*p
, struct lsa_CreateTrustedDomainEx
*r
)
2311 p
->rng_fault_state
= True
;
2312 return NT_STATUS_NOT_IMPLEMENTED
;
2315 NTSTATUS
_lsa_CloseTrustedDomainEx(pipes_struct
*p
, struct lsa_CloseTrustedDomainEx
*r
)
2317 p
->rng_fault_state
= True
;
2318 return NT_STATUS_NOT_IMPLEMENTED
;
2321 NTSTATUS
_lsa_QueryDomainInformationPolicy(pipes_struct
*p
, struct lsa_QueryDomainInformationPolicy
*r
)
2323 p
->rng_fault_state
= True
;
2324 return NT_STATUS_NOT_IMPLEMENTED
;
2327 NTSTATUS
_lsa_SetDomainInformationPolicy(pipes_struct
*p
, struct lsa_SetDomainInformationPolicy
*r
)
2329 p
->rng_fault_state
= True
;
2330 return NT_STATUS_NOT_IMPLEMENTED
;
2333 NTSTATUS
_lsa_OpenTrustedDomainByName(pipes_struct
*p
, struct lsa_OpenTrustedDomainByName
*r
)
2335 p
->rng_fault_state
= True
;
2336 return NT_STATUS_NOT_IMPLEMENTED
;
2339 NTSTATUS
_lsa_TestCall(pipes_struct
*p
, struct lsa_TestCall
*r
)
2341 p
->rng_fault_state
= True
;
2342 return NT_STATUS_NOT_IMPLEMENTED
;
2345 NTSTATUS
_lsa_CreateTrustedDomainEx2(pipes_struct
*p
, struct lsa_CreateTrustedDomainEx2
*r
)
2347 p
->rng_fault_state
= True
;
2348 return NT_STATUS_NOT_IMPLEMENTED
;
2351 NTSTATUS
_lsa_CREDRWRITE(pipes_struct
*p
, struct lsa_CREDRWRITE
*r
)
2353 p
->rng_fault_state
= True
;
2354 return NT_STATUS_NOT_IMPLEMENTED
;
2357 NTSTATUS
_lsa_CREDRREAD(pipes_struct
*p
, struct lsa_CREDRREAD
*r
)
2359 p
->rng_fault_state
= True
;
2360 return NT_STATUS_NOT_IMPLEMENTED
;
2363 NTSTATUS
_lsa_CREDRENUMERATE(pipes_struct
*p
, struct lsa_CREDRENUMERATE
*r
)
2365 p
->rng_fault_state
= True
;
2366 return NT_STATUS_NOT_IMPLEMENTED
;
2369 NTSTATUS
_lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct
*p
, struct lsa_CREDRWRITEDOMAINCREDENTIALS
*r
)
2371 p
->rng_fault_state
= True
;
2372 return NT_STATUS_NOT_IMPLEMENTED
;
2375 NTSTATUS
_lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct
*p
, struct lsa_CREDRREADDOMAINCREDENTIALS
*r
)
2377 p
->rng_fault_state
= True
;
2378 return NT_STATUS_NOT_IMPLEMENTED
;
2381 NTSTATUS
_lsa_CREDRDELETE(pipes_struct
*p
, struct lsa_CREDRDELETE
*r
)
2383 p
->rng_fault_state
= True
;
2384 return NT_STATUS_NOT_IMPLEMENTED
;
2387 NTSTATUS
_lsa_CREDRGETTARGETINFO(pipes_struct
*p
, struct lsa_CREDRGETTARGETINFO
*r
)
2389 p
->rng_fault_state
= True
;
2390 return NT_STATUS_NOT_IMPLEMENTED
;
2393 NTSTATUS
_lsa_CREDRPROFILELOADED(pipes_struct
*p
, struct lsa_CREDRPROFILELOADED
*r
)
2395 p
->rng_fault_state
= True
;
2396 return NT_STATUS_NOT_IMPLEMENTED
;
2399 NTSTATUS
_lsa_CREDRGETSESSIONTYPES(pipes_struct
*p
, struct lsa_CREDRGETSESSIONTYPES
*r
)
2401 p
->rng_fault_state
= True
;
2402 return NT_STATUS_NOT_IMPLEMENTED
;
2405 NTSTATUS
_lsa_LSARREGISTERAUDITEVENT(pipes_struct
*p
, struct lsa_LSARREGISTERAUDITEVENT
*r
)
2407 p
->rng_fault_state
= True
;
2408 return NT_STATUS_NOT_IMPLEMENTED
;
2411 NTSTATUS
_lsa_LSARGENAUDITEVENT(pipes_struct
*p
, struct lsa_LSARGENAUDITEVENT
*r
)
2413 p
->rng_fault_state
= True
;
2414 return NT_STATUS_NOT_IMPLEMENTED
;
2417 NTSTATUS
_lsa_LSARUNREGISTERAUDITEVENT(pipes_struct
*p
, struct lsa_LSARUNREGISTERAUDITEVENT
*r
)
2419 p
->rng_fault_state
= True
;
2420 return NT_STATUS_NOT_IMPLEMENTED
;
2423 NTSTATUS
_lsa_lsaRQueryForestTrustInformation(pipes_struct
*p
, struct lsa_lsaRQueryForestTrustInformation
*r
)
2425 p
->rng_fault_state
= True
;
2426 return NT_STATUS_NOT_IMPLEMENTED
;
2429 NTSTATUS
_lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct
*p
, struct lsa_LSARSETFORESTTRUSTINFORMATION
*r
)
2431 p
->rng_fault_state
= True
;
2432 return NT_STATUS_NOT_IMPLEMENTED
;
2435 NTSTATUS
_lsa_CREDRRENAME(pipes_struct
*p
, struct lsa_CREDRRENAME
*r
)
2437 p
->rng_fault_state
= True
;
2438 return NT_STATUS_NOT_IMPLEMENTED
;
2441 NTSTATUS
_lsa_LSAROPENPOLICYSCE(pipes_struct
*p
, struct lsa_LSAROPENPOLICYSCE
*r
)
2443 p
->rng_fault_state
= True
;
2444 return NT_STATUS_NOT_IMPLEMENTED
;
2447 NTSTATUS
_lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct
*p
, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE
*r
)
2449 p
->rng_fault_state
= True
;
2450 return NT_STATUS_NOT_IMPLEMENTED
;
2453 NTSTATUS
_lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct
*p
, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE
*r
)
2455 p
->rng_fault_state
= True
;
2456 return NT_STATUS_NOT_IMPLEMENTED
;
2459 NTSTATUS
_lsa_LSARADTREPORTSECURITYEVENT(pipes_struct
*p
, struct lsa_LSARADTREPORTSECURITYEVENT
*r
)
2461 p
->rng_fault_state
= True
;
2462 return NT_STATUS_NOT_IMPLEMENTED
;
