2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
14 * Copyright (C) Andrew Bartlett 2010.
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
30 /* This is the implementation of the lsa server code. */
33 #include "../librpc/gen_ndr/srv_lsa.h"
35 #include "../librpc/gen_ndr/netlogon.h"
36 #include "rpc_client/init_lsa.h"
37 #include "../libcli/security/dom_sid.h"
40 #define DBGC_CLASS DBGC_RPC_SRV
42 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
44 enum lsa_handle_type
{ LSA_HANDLE_POLICY_TYPE
= 1, LSA_HANDLE_ACCOUNT_TYPE
};
50 enum lsa_handle_type type
;
51 struct security_descriptor
*sd
;
54 const struct generic_mapping lsa_account_mapping
= {
58 LSA_ACCOUNT_ALL_ACCESS
61 const struct generic_mapping lsa_policy_mapping
= {
68 const struct generic_mapping lsa_secret_mapping
= {
75 const struct generic_mapping lsa_trusted_domain_mapping
= {
76 LSA_TRUSTED_DOMAIN_READ
,
77 LSA_TRUSTED_DOMAIN_WRITE
,
78 LSA_TRUSTED_DOMAIN_EXECUTE
,
79 LSA_TRUSTED_DOMAIN_ALL_ACCESS
82 /***************************************************************************
83 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
84 ***************************************************************************/
86 static int init_lsa_ref_domain_list(TALLOC_CTX
*mem_ctx
,
87 struct lsa_RefDomainList
*ref
,
89 struct dom_sid
*dom_sid
)
93 if (dom_name
!= NULL
) {
94 for (num
= 0; num
< ref
->count
; num
++) {
95 if (dom_sid_equal(dom_sid
, ref
->domains
[num
].sid
)) {
103 if (num
>= LSA_REF_DOMAIN_LIST_MULTIPLIER
) {
104 /* index not found, already at maximum domain limit */
108 ref
->count
= num
+ 1;
109 ref
->max_size
= LSA_REF_DOMAIN_LIST_MULTIPLIER
;
111 ref
->domains
= TALLOC_REALLOC_ARRAY(mem_ctx
, ref
->domains
,
112 struct lsa_DomainInfo
, ref
->count
);
117 ZERO_STRUCT(ref
->domains
[num
]);
119 init_lsa_StringLarge(&ref
->domains
[num
].name
, dom_name
);
120 ref
->domains
[num
].sid
= sid_dup_talloc(mem_ctx
, dom_sid
);
121 if (!ref
->domains
[num
].sid
) {
129 /***************************************************************************
130 initialize a lsa_DomainInfo structure.
131 ***************************************************************************/
133 static void init_dom_query_3(struct lsa_DomainInfo
*r
,
137 init_lsa_StringLarge(&r
->name
, name
);
141 /***************************************************************************
142 initialize a lsa_DomainInfo structure.
143 ***************************************************************************/
145 static void init_dom_query_5(struct lsa_DomainInfo
*r
,
149 init_lsa_StringLarge(&r
->name
, name
);
153 /***************************************************************************
154 lookup_lsa_rids. Must be called as root for lookup_name to work.
155 ***************************************************************************/
157 static NTSTATUS
lookup_lsa_rids(TALLOC_CTX
*mem_ctx
,
158 struct lsa_RefDomainList
*ref
,
159 struct lsa_TranslatedSid
*prid
,
160 uint32_t num_entries
,
161 struct lsa_String
*name
,
163 uint32_t *pmapped_count
)
165 uint32 mapped_count
, i
;
167 SMB_ASSERT(num_entries
<= MAX_LOOKUP_SIDS
);
172 for (i
= 0; i
< num_entries
; i
++) {
176 const char *full_name
;
178 enum lsa_SidType type
= SID_NAME_UNKNOWN
;
180 /* Split name into domain and user component */
182 /* follow w2k8 behavior and return the builtin domain when no
183 * input has been passed in */
185 if (name
[i
].string
) {
186 full_name
= name
[i
].string
;
188 full_name
= "BUILTIN";
191 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name
));
193 /* We can ignore the result of lookup_name, it will not touch
194 "type" if it's not successful */
196 lookup_name(mem_ctx
, full_name
, flags
, &domain
, NULL
,
201 case SID_NAME_DOM_GRP
:
202 case SID_NAME_DOMAIN
:
204 case SID_NAME_WKN_GRP
:
205 DEBUG(5, ("init_lsa_rids: %s found\n", full_name
));
206 /* Leave these unchanged */
209 /* Don't hand out anything but the list above */
210 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name
));
211 type
= SID_NAME_UNKNOWN
;
218 if (type
!= SID_NAME_UNKNOWN
) {
219 if (type
== SID_NAME_DOMAIN
) {
222 sid_split_rid(&sid
, &rid
);
224 dom_idx
= init_lsa_ref_domain_list(mem_ctx
, ref
, domain
, &sid
);
228 prid
[i
].sid_type
= type
;
230 prid
[i
].sid_index
= dom_idx
;
233 *pmapped_count
= mapped_count
;
237 /***************************************************************************
238 lookup_lsa_sids. Must be called as root for lookup_name to work.
239 ***************************************************************************/
241 static NTSTATUS
lookup_lsa_sids(TALLOC_CTX
*mem_ctx
,
242 struct lsa_RefDomainList
*ref
,
243 struct lsa_TranslatedSid3
*trans_sids
,
244 uint32_t num_entries
,
245 struct lsa_String
*name
,
247 uint32
*pmapped_count
)
249 uint32 mapped_count
, i
;
251 SMB_ASSERT(num_entries
<= MAX_LOOKUP_SIDS
);
256 for (i
= 0; i
< num_entries
; i
++) {
260 const char *full_name
;
262 enum lsa_SidType type
= SID_NAME_UNKNOWN
;
266 /* Split name into domain and user component */
268 full_name
= name
[i
].string
;
269 if (full_name
== NULL
) {
270 return NT_STATUS_NO_MEMORY
;
273 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name
));
275 /* We can ignore the result of lookup_name, it will not touch
276 "type" if it's not successful */
278 lookup_name(mem_ctx
, full_name
, flags
, &domain
, NULL
,
283 case SID_NAME_DOM_GRP
:
284 case SID_NAME_DOMAIN
:
286 case SID_NAME_WKN_GRP
:
287 DEBUG(5, ("init_lsa_sids: %s found\n", full_name
));
288 /* Leave these unchanged */
291 /* Don't hand out anything but the list above */
292 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name
));
293 type
= SID_NAME_UNKNOWN
;
300 if (type
!= SID_NAME_UNKNOWN
) {
301 struct dom_sid domain_sid
;
302 sid_copy(&domain_sid
, &sid
);
303 sid_split_rid(&domain_sid
, &rid
);
304 dom_idx
= init_lsa_ref_domain_list(mem_ctx
, ref
, domain
, &domain_sid
);
308 /* Initialize the lsa_TranslatedSid3 return. */
309 trans_sids
[i
].sid_type
= type
;
310 trans_sids
[i
].sid
= sid_dup_talloc(mem_ctx
, &sid
);
311 trans_sids
[i
].sid_index
= dom_idx
;
314 *pmapped_count
= mapped_count
;
318 static NTSTATUS
make_lsa_object_sd(TALLOC_CTX
*mem_ctx
, struct security_descriptor
**sd
, size_t *sd_size
,
319 const struct generic_mapping
*map
,
320 struct dom_sid
*sid
, uint32_t sid_access
)
322 struct dom_sid adm_sid
;
323 struct security_ace ace
[5];
326 struct security_acl
*psa
= NULL
;
328 /* READ|EXECUTE access for Everyone */
330 init_sec_ace(&ace
[i
++], &global_sid_World
, SEC_ACE_TYPE_ACCESS_ALLOWED
,
331 map
->generic_execute
| map
->generic_read
, 0);
333 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
335 init_sec_ace(&ace
[i
++], &global_sid_Builtin_Administrators
,
336 SEC_ACE_TYPE_ACCESS_ALLOWED
, map
->generic_all
, 0);
337 init_sec_ace(&ace
[i
++], &global_sid_Builtin_Account_Operators
,
338 SEC_ACE_TYPE_ACCESS_ALLOWED
, map
->generic_all
, 0);
340 /* Add Full Access for Domain Admins */
341 sid_compose(&adm_sid
, get_global_sam_sid(), DOMAIN_RID_ADMINS
);
342 init_sec_ace(&ace
[i
++], &adm_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
,
343 map
->generic_all
, 0);
345 /* If we have a sid, give it some special access */
348 init_sec_ace(&ace
[i
++], sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
,
352 if((psa
= make_sec_acl(mem_ctx
, NT4_ACL_REVISION
, i
, ace
)) == NULL
)
353 return NT_STATUS_NO_MEMORY
;
355 if((*sd
= make_sec_desc(mem_ctx
, SECURITY_DESCRIPTOR_REVISION_1
,
356 SEC_DESC_SELF_RELATIVE
, &adm_sid
, NULL
, NULL
,
357 psa
, sd_size
)) == NULL
)
358 return NT_STATUS_NO_MEMORY
;
364 /***************************************************************************
366 ***************************************************************************/
368 NTSTATUS
_lsa_OpenPolicy2(struct pipes_struct
*p
,
369 struct lsa_OpenPolicy2
*r
)
371 struct lsa_info
*info
;
372 struct security_descriptor
*psd
= NULL
;
374 uint32 des_access
= r
->in
.access_mask
;
378 /* Work out max allowed. */
379 map_max_allowed_access(p
->server_info
->ptok
,
380 &p
->server_info
->utok
,
383 /* map the generic bits to the lsa policy ones */
384 se_map_generic(&des_access
, &lsa_policy_mapping
);
386 /* get the generic lsa policy SD until we store it */
387 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &lsa_policy_mapping
,
389 if (!NT_STATUS_IS_OK(status
)) {
393 status
= access_check_object(psd
, p
->server_info
->ptok
,
394 SEC_PRIV_INVALID
, SEC_PRIV_INVALID
, 0, des_access
,
395 &acc_granted
, "_lsa_OpenPolicy2" );
396 if (!NT_STATUS_IS_OK(status
)) {
400 /* associate the domain SID with the (unique) handle. */
401 info
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_info
);
403 return NT_STATUS_NO_MEMORY
;
406 sid_copy(&info
->sid
,get_global_sam_sid());
407 info
->access
= acc_granted
;
408 info
->type
= LSA_HANDLE_POLICY_TYPE
;
410 /* set up the LSA QUERY INFO response */
411 if (!create_policy_hnd(p
, r
->out
.handle
, info
))
412 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
417 /***************************************************************************
419 ***************************************************************************/
421 NTSTATUS
_lsa_OpenPolicy(struct pipes_struct
*p
,
422 struct lsa_OpenPolicy
*r
)
424 struct lsa_OpenPolicy2 o
;
426 o
.in
.system_name
= NULL
; /* should be ignored */
427 o
.in
.attr
= r
->in
.attr
;
428 o
.in
.access_mask
= r
->in
.access_mask
;
430 o
.out
.handle
= r
->out
.handle
;
432 return _lsa_OpenPolicy2(p
, &o
);
435 /***************************************************************************
436 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
438 ***************************************************************************/
440 NTSTATUS
_lsa_EnumTrustDom(struct pipes_struct
*p
,
441 struct lsa_EnumTrustDom
*r
)
443 struct lsa_info
*info
;
445 struct trustdom_info
**domains
;
446 struct lsa_DomainInfo
*entries
;
450 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
451 return NT_STATUS_INVALID_HANDLE
;
453 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
454 return NT_STATUS_INVALID_HANDLE
;
457 /* check if the user has enough rights */
458 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
459 return NT_STATUS_ACCESS_DENIED
;
462 nt_status
= pdb_enum_trusteddoms(p
->mem_ctx
, &count
, &domains
);
465 if (!NT_STATUS_IS_OK(nt_status
)) {
469 entries
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_DomainInfo
, count
);
471 return NT_STATUS_NO_MEMORY
;
474 for (i
=0; i
<count
; i
++) {
475 init_lsa_StringLarge(&entries
[i
].name
, domains
[i
]->name
);
476 entries
[i
].sid
= &domains
[i
]->sid
;
479 if (*r
->in
.resume_handle
>= count
) {
480 *r
->out
.resume_handle
= -1;
481 TALLOC_FREE(entries
);
482 return NT_STATUS_NO_MORE_ENTRIES
;
485 /* return the rest, limit by max_size. Note that we
486 use the w2k3 element size value of 60 */
487 r
->out
.domains
->count
= count
- *r
->in
.resume_handle
;
488 r
->out
.domains
->count
= MIN(r
->out
.domains
->count
,
489 1+(r
->in
.max_size
/LSA_ENUM_TRUST_DOMAIN_MULTIPLIER
));
491 r
->out
.domains
->domains
= entries
+ *r
->in
.resume_handle
;
493 if (r
->out
.domains
->count
< count
- *r
->in
.resume_handle
) {
494 *r
->out
.resume_handle
= *r
->in
.resume_handle
+ r
->out
.domains
->count
;
495 return STATUS_MORE_ENTRIES
;
498 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
499 * always be larger than the previous input resume handle, in
500 * particular when hitting the last query it is vital to set the
501 * resume handle correctly to avoid infinite client loops, as
502 * seen e.g. with Windows XP SP3 when resume handle is 0 and
503 * status is NT_STATUS_OK - gd */
505 *r
->out
.resume_handle
= (uint32_t)-1;
510 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
511 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
512 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
514 /***************************************************************************
516 ***************************************************************************/
518 NTSTATUS
_lsa_QueryInfoPolicy(struct pipes_struct
*p
,
519 struct lsa_QueryInfoPolicy
*r
)
521 NTSTATUS status
= NT_STATUS_OK
;
522 struct lsa_info
*handle
;
523 struct dom_sid domain_sid
;
525 struct dom_sid
*sid
= NULL
;
526 union lsa_PolicyInformation
*info
= NULL
;
527 uint32_t acc_required
= 0;
529 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
530 return NT_STATUS_INVALID_HANDLE
;
532 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
533 return NT_STATUS_INVALID_HANDLE
;
536 switch (r
->in
.level
) {
537 case LSA_POLICY_INFO_AUDIT_LOG
:
538 case LSA_POLICY_INFO_AUDIT_EVENTS
:
539 acc_required
= LSA_POLICY_VIEW_AUDIT_INFORMATION
;
541 case LSA_POLICY_INFO_DOMAIN
:
542 acc_required
= LSA_POLICY_VIEW_LOCAL_INFORMATION
;
544 case LSA_POLICY_INFO_PD
:
545 acc_required
= LSA_POLICY_GET_PRIVATE_INFORMATION
;
547 case LSA_POLICY_INFO_ACCOUNT_DOMAIN
:
548 acc_required
= LSA_POLICY_VIEW_LOCAL_INFORMATION
;
550 case LSA_POLICY_INFO_ROLE
:
551 case LSA_POLICY_INFO_REPLICA
:
552 acc_required
= LSA_POLICY_VIEW_LOCAL_INFORMATION
;
554 case LSA_POLICY_INFO_QUOTA
:
555 acc_required
= LSA_POLICY_VIEW_LOCAL_INFORMATION
;
557 case LSA_POLICY_INFO_MOD
:
558 case LSA_POLICY_INFO_AUDIT_FULL_SET
:
559 /* according to MS-LSAD 3.1.4.4.3 */
560 return NT_STATUS_INVALID_PARAMETER
;
561 case LSA_POLICY_INFO_AUDIT_FULL_QUERY
:
562 acc_required
= LSA_POLICY_VIEW_AUDIT_INFORMATION
;
564 case LSA_POLICY_INFO_DNS
:
565 case LSA_POLICY_INFO_DNS_INT
:
566 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN
:
567 acc_required
= LSA_POLICY_VIEW_LOCAL_INFORMATION
;
573 if (!(handle
->access
& acc_required
)) {
574 /* return NT_STATUS_ACCESS_DENIED; */
577 info
= TALLOC_ZERO_P(p
->mem_ctx
, union lsa_PolicyInformation
);
579 return NT_STATUS_NO_MEMORY
;
582 switch (r
->in
.level
) {
583 /* according to MS-LSAD 3.1.4.4.3 */
584 case LSA_POLICY_INFO_MOD
:
585 case LSA_POLICY_INFO_AUDIT_FULL_SET
:
586 case LSA_POLICY_INFO_AUDIT_FULL_QUERY
:
587 return NT_STATUS_INVALID_PARAMETER
;
588 case LSA_POLICY_INFO_AUDIT_LOG
:
589 info
->audit_log
.percent_full
= 0;
590 info
->audit_log
.maximum_log_size
= 0;
591 info
->audit_log
.retention_time
= 0;
592 info
->audit_log
.shutdown_in_progress
= 0;
593 info
->audit_log
.time_to_shutdown
= 0;
594 info
->audit_log
.next_audit_record
= 0;
595 status
= NT_STATUS_OK
;
597 case LSA_POLICY_INFO_PD
:
598 info
->pd
.name
.string
= NULL
;
599 status
= NT_STATUS_OK
;
601 case LSA_POLICY_INFO_REPLICA
:
602 info
->replica
.source
.string
= NULL
;
603 info
->replica
.account
.string
= NULL
;
604 status
= NT_STATUS_OK
;
606 case LSA_POLICY_INFO_QUOTA
:
607 info
->quota
.paged_pool
= 0;
608 info
->quota
.non_paged_pool
= 0;
609 info
->quota
.min_wss
= 0;
610 info
->quota
.max_wss
= 0;
611 info
->quota
.pagefile
= 0;
612 info
->quota
.unknown
= 0;
613 status
= NT_STATUS_OK
;
615 case LSA_POLICY_INFO_AUDIT_EVENTS
:
618 uint32 policy_def
= LSA_AUDIT_POLICY_ALL
;
620 /* check if the user has enough rights */
621 if (!(handle
->access
& LSA_POLICY_VIEW_AUDIT_INFORMATION
)) {
622 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
623 return NT_STATUS_ACCESS_DENIED
;
626 /* fake info: We audit everything. ;) */
628 info
->audit_events
.auditing_mode
= true;
629 info
->audit_events
.count
= LSA_AUDIT_NUM_CATEGORIES
;
630 info
->audit_events
.settings
= TALLOC_ZERO_ARRAY(p
->mem_ctx
,
631 enum lsa_PolicyAuditPolicy
,
632 info
->audit_events
.count
);
633 if (!info
->audit_events
.settings
) {
634 return NT_STATUS_NO_MEMORY
;
637 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT
] = policy_def
;
638 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS
] = policy_def
;
639 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_LOGON
] = policy_def
;
640 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING
] = policy_def
;
641 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES
] = policy_def
;
642 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_SYSTEM
] = policy_def
;
643 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS
] = policy_def
;
647 case LSA_POLICY_INFO_DOMAIN
:
648 /* check if the user has enough rights */
649 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
650 return NT_STATUS_ACCESS_DENIED
;
652 /* Request PolicyPrimaryDomainInformation. */
653 switch (lp_server_role()) {
654 case ROLE_DOMAIN_PDC
:
655 case ROLE_DOMAIN_BDC
:
656 name
= get_global_sam_name();
657 sid
= sid_dup_talloc(p
->mem_ctx
, get_global_sam_sid());
659 return NT_STATUS_NO_MEMORY
;
662 case ROLE_DOMAIN_MEMBER
:
663 name
= lp_workgroup();
664 /* We need to return the Domain SID here. */
665 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid
)) {
666 sid
= sid_dup_talloc(p
->mem_ctx
, &domain_sid
);
668 return NT_STATUS_NO_MEMORY
;
671 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
674 case ROLE_STANDALONE
:
675 name
= lp_workgroup();
679 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
681 init_dom_query_3(&info
->domain
, name
, sid
);
683 case LSA_POLICY_INFO_ACCOUNT_DOMAIN
:
684 /* check if the user has enough rights */
685 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
686 return NT_STATUS_ACCESS_DENIED
;
688 /* Request PolicyAccountDomainInformation. */
689 name
= get_global_sam_name();
690 sid
= get_global_sam_sid();
692 init_dom_query_5(&info
->account_domain
, name
, sid
);
694 case LSA_POLICY_INFO_ROLE
:
695 /* check if the user has enough rights */
696 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
697 return NT_STATUS_ACCESS_DENIED
;
699 switch (lp_server_role()) {
700 case ROLE_DOMAIN_BDC
:
702 * only a BDC is a backup controller
703 * of the domain, it controls.
705 info
->role
.role
= LSA_ROLE_BACKUP
;
709 * any other role is a primary
710 * of the domain, it controls.
712 info
->role
.role
= LSA_ROLE_PRIMARY
;
716 case LSA_POLICY_INFO_DNS
:
717 case LSA_POLICY_INFO_DNS_INT
: {
718 struct pdb_domain_info
*dominfo
;
720 if ((pdb_capabilities() & PDB_CAP_ADS
) == 0) {
721 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
722 "without ADS passdb backend\n"));
723 status
= NT_STATUS_INVALID_INFO_CLASS
;
727 dominfo
= pdb_get_domain_info(info
);
728 if (dominfo
== NULL
) {
729 status
= NT_STATUS_NO_MEMORY
;
733 init_lsa_StringLarge(&info
->dns
.name
,
735 init_lsa_StringLarge(&info
->dns
.dns_domain
,
736 dominfo
->dns_domain
);
737 init_lsa_StringLarge(&info
->dns
.dns_forest
,
738 dominfo
->dns_forest
);
739 info
->dns
.domain_guid
= dominfo
->guid
;
740 info
->dns
.sid
= &dominfo
->sid
;
744 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
746 status
= NT_STATUS_INVALID_INFO_CLASS
;
755 /***************************************************************************
756 _lsa_QueryInfoPolicy2
757 ***************************************************************************/
759 NTSTATUS
_lsa_QueryInfoPolicy2(struct pipes_struct
*p
,
760 struct lsa_QueryInfoPolicy2
*r2
)
762 struct lsa_QueryInfoPolicy r
;
764 if ((pdb_capabilities() & PDB_CAP_ADS
) == 0) {
765 p
->rng_fault_state
= True
;
766 return NT_STATUS_NOT_IMPLEMENTED
;
770 r
.in
.handle
= r2
->in
.handle
;
771 r
.in
.level
= r2
->in
.level
;
772 r
.out
.info
= r2
->out
.info
;
774 return _lsa_QueryInfoPolicy(p
, &r
);
777 /***************************************************************************
778 _lsa_lookup_sids_internal
779 ***************************************************************************/
781 static NTSTATUS
_lsa_lookup_sids_internal(struct pipes_struct
*p
,
783 uint16_t level
, /* input */
784 int num_sids
, /* input */
785 struct lsa_SidPtr
*sid
, /* input */
786 struct lsa_RefDomainList
**pp_ref
, /* input/output */
787 struct lsa_TranslatedName2
**pp_names
,/* input/output */
788 uint32_t *pp_mapped_count
) /* input/output */
792 const struct dom_sid
**sids
= NULL
;
793 struct lsa_RefDomainList
*ref
= NULL
;
794 uint32 mapped_count
= 0;
795 struct lsa_dom_info
*dom_infos
= NULL
;
796 struct lsa_name_info
*name_infos
= NULL
;
797 struct lsa_TranslatedName2
*names
= NULL
;
799 *pp_mapped_count
= 0;
807 sids
= TALLOC_ARRAY(p
->mem_ctx
, const struct dom_sid
*, num_sids
);
808 ref
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_RefDomainList
);
810 if (sids
== NULL
|| ref
== NULL
) {
811 return NT_STATUS_NO_MEMORY
;
814 for (i
=0; i
<num_sids
; i
++) {
815 sids
[i
] = sid
[i
].sid
;
818 status
= lookup_sids(p
->mem_ctx
, num_sids
, sids
, level
,
819 &dom_infos
, &name_infos
);
821 if (!NT_STATUS_IS_OK(status
)) {
825 names
= TALLOC_ARRAY(p
->mem_ctx
, struct lsa_TranslatedName2
, num_sids
);
827 return NT_STATUS_NO_MEMORY
;
830 for (i
=0; i
<LSA_REF_DOMAIN_LIST_MULTIPLIER
; i
++) {
832 if (!dom_infos
[i
].valid
) {
836 if (init_lsa_ref_domain_list(mem_ctx
, ref
,
838 &dom_infos
[i
].sid
) != i
) {
839 DEBUG(0, ("Domain %s mentioned twice??\n",
841 return NT_STATUS_INTERNAL_ERROR
;
845 for (i
=0; i
<num_sids
; i
++) {
846 struct lsa_name_info
*name
= &name_infos
[i
];
848 if (name
->type
== SID_NAME_UNKNOWN
) {
851 /* Unknown sids should return the string
852 * representation of the SID. Windows 2003 behaves
853 * rather erratic here, in many cases it returns the
854 * RID as 8 bytes hex, in others it returns the full
855 * SID. We (Jerry/VL) could not figure out which the
856 * hard cases are, so leave it with the SID. */
857 name
->name
= talloc_asprintf(p
->mem_ctx
, "%s",
860 if (name
->name
== NULL
) {
861 return NT_STATUS_NO_MEMORY
;
867 names
[i
].sid_type
= name
->type
;
868 names
[i
].name
.string
= name
->name
;
869 names
[i
].sid_index
= name
->dom_idx
;
870 names
[i
].unknown
= 0;
873 status
= NT_STATUS_NONE_MAPPED
;
874 if (mapped_count
> 0) {
875 status
= (mapped_count
< num_sids
) ?
876 STATUS_SOME_UNMAPPED
: NT_STATUS_OK
;
879 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
880 num_sids
, mapped_count
, nt_errstr(status
)));
882 *pp_mapped_count
= mapped_count
;
889 /***************************************************************************
891 ***************************************************************************/
893 NTSTATUS
_lsa_LookupSids(struct pipes_struct
*p
,
894 struct lsa_LookupSids
*r
)
897 struct lsa_info
*handle
;
898 int num_sids
= r
->in
.sids
->num_sids
;
899 uint32 mapped_count
= 0;
900 struct lsa_RefDomainList
*domains
= NULL
;
901 struct lsa_TranslatedName
*names_out
= NULL
;
902 struct lsa_TranslatedName2
*names
= NULL
;
905 if ((r
->in
.level
< 1) || (r
->in
.level
> 6)) {
906 return NT_STATUS_INVALID_PARAMETER
;
909 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
910 return NT_STATUS_INVALID_HANDLE
;
913 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
914 return NT_STATUS_INVALID_HANDLE
;
917 /* check if the user has enough rights */
918 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
919 return NT_STATUS_ACCESS_DENIED
;
922 if (num_sids
> MAX_LOOKUP_SIDS
) {
923 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
924 MAX_LOOKUP_SIDS
, num_sids
));
925 return NT_STATUS_NONE_MAPPED
;
928 status
= _lsa_lookup_sids_internal(p
,
937 /* Only return here when there is a real error.
938 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
939 the requested sids could be resolved. Older versions of XP (pre SP3)
940 rely that we return with the string representations of those SIDs in
941 that case. If we don't, XP crashes - Guenther
944 if (NT_STATUS_IS_ERR(status
) &&
945 !NT_STATUS_EQUAL(status
, NT_STATUS_NONE_MAPPED
)) {
949 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
950 names_out
= TALLOC_ARRAY(p
->mem_ctx
, struct lsa_TranslatedName
,
953 return NT_STATUS_NO_MEMORY
;
956 for (i
=0; i
<num_sids
; i
++) {
957 names_out
[i
].sid_type
= names
[i
].sid_type
;
958 names_out
[i
].name
= names
[i
].name
;
959 names_out
[i
].sid_index
= names
[i
].sid_index
;
962 *r
->out
.domains
= domains
;
963 r
->out
.names
->count
= num_sids
;
964 r
->out
.names
->names
= names_out
;
965 *r
->out
.count
= mapped_count
;
970 /***************************************************************************
972 ***************************************************************************/
974 NTSTATUS
_lsa_LookupSids2(struct pipes_struct
*p
,
975 struct lsa_LookupSids2
*r
)
978 struct lsa_info
*handle
;
979 int num_sids
= r
->in
.sids
->num_sids
;
980 uint32 mapped_count
= 0;
981 struct lsa_RefDomainList
*domains
= NULL
;
982 struct lsa_TranslatedName2
*names
= NULL
;
983 bool check_policy
= true;
986 case NDR_LSA_LOOKUPSIDS3
:
987 check_policy
= false;
989 case NDR_LSA_LOOKUPSIDS2
:
994 if ((r
->in
.level
< 1) || (r
->in
.level
> 6)) {
995 return NT_STATUS_INVALID_PARAMETER
;
999 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
1000 return NT_STATUS_INVALID_HANDLE
;
1003 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1004 return NT_STATUS_INVALID_HANDLE
;
1007 /* check if the user has enough rights */
1008 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
1009 return NT_STATUS_ACCESS_DENIED
;
1013 if (num_sids
> MAX_LOOKUP_SIDS
) {
1014 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
1015 MAX_LOOKUP_SIDS
, num_sids
));
1016 return NT_STATUS_NONE_MAPPED
;
1019 status
= _lsa_lookup_sids_internal(p
,
1028 *r
->out
.domains
= domains
;
1029 r
->out
.names
->count
= num_sids
;
1030 r
->out
.names
->names
= names
;
1031 *r
->out
.count
= mapped_count
;
1036 /***************************************************************************
1038 ***************************************************************************/
1040 NTSTATUS
_lsa_LookupSids3(struct pipes_struct
*p
,
1041 struct lsa_LookupSids3
*r
)
1043 struct lsa_LookupSids2 q
;
1045 /* No policy handle on this call. Restrict to crypto connections. */
1046 if (p
->auth
.auth_type
!= DCERPC_AUTH_TYPE_SCHANNEL
) {
1047 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
1048 get_remote_machine_name() ));
1049 return NT_STATUS_INVALID_PARAMETER
;
1053 q
.in
.sids
= r
->in
.sids
;
1054 q
.in
.level
= r
->in
.level
;
1055 q
.in
.lookup_options
= r
->in
.lookup_options
;
1056 q
.in
.client_revision
= r
->in
.client_revision
;
1057 q
.in
.names
= r
->in
.names
;
1058 q
.in
.count
= r
->in
.count
;
1060 q
.out
.domains
= r
->out
.domains
;
1061 q
.out
.names
= r
->out
.names
;
1062 q
.out
.count
= r
->out
.count
;
1064 return _lsa_LookupSids2(p
, &q
);
1067 /***************************************************************************
1068 ***************************************************************************/
1070 static int lsa_lookup_level_to_flags(enum lsa_LookupNamesLevel level
)
1075 case LSA_LOOKUP_NAMES_ALL
: /* 1 */
1076 flags
= LOOKUP_NAME_ALL
;
1078 case LSA_LOOKUP_NAMES_DOMAINS_ONLY
: /* 2 */
1079 flags
= LOOKUP_NAME_DOMAIN
|LOOKUP_NAME_REMOTE
|LOOKUP_NAME_ISOLATED
;
1081 case LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
: /* 3 */
1082 flags
= LOOKUP_NAME_DOMAIN
|LOOKUP_NAME_ISOLATED
;
1084 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY
: /* 4 */
1085 case LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY
: /* 5 */
1086 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
: /* 6 */
1087 case LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC
: /* 7 */
1089 flags
= LOOKUP_NAME_NONE
;
1096 /***************************************************************************
1098 ***************************************************************************/
1100 NTSTATUS
_lsa_LookupNames(struct pipes_struct
*p
,
1101 struct lsa_LookupNames
*r
)
1103 NTSTATUS status
= NT_STATUS_NONE_MAPPED
;
1104 struct lsa_info
*handle
;
1105 struct lsa_String
*names
= r
->in
.names
;
1106 uint32 num_entries
= r
->in
.num_names
;
1107 struct lsa_RefDomainList
*domains
= NULL
;
1108 struct lsa_TranslatedSid
*rids
= NULL
;
1109 uint32 mapped_count
= 0;
1112 if (num_entries
> MAX_LOOKUP_SIDS
) {
1113 num_entries
= MAX_LOOKUP_SIDS
;
1114 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1118 flags
= lsa_lookup_level_to_flags(r
->in
.level
);
1120 domains
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_RefDomainList
);
1122 return NT_STATUS_NO_MEMORY
;
1126 rids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_TranslatedSid
,
1129 return NT_STATUS_NO_MEMORY
;
1135 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
1136 status
= NT_STATUS_INVALID_HANDLE
;
1140 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1141 return NT_STATUS_INVALID_HANDLE
;
1144 /* check if the user has enough rights */
1145 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
1146 status
= NT_STATUS_ACCESS_DENIED
;
1150 /* set up the LSA Lookup RIDs response */
1151 become_root(); /* lookup_name can require root privs */
1152 status
= lookup_lsa_rids(p
->mem_ctx
, domains
, rids
, num_entries
,
1153 names
, flags
, &mapped_count
);
1158 if (NT_STATUS_IS_OK(status
) && (num_entries
!= 0) ) {
1159 if (mapped_count
== 0) {
1160 status
= NT_STATUS_NONE_MAPPED
;
1161 } else if (mapped_count
!= num_entries
) {
1162 status
= STATUS_SOME_UNMAPPED
;
1166 *r
->out
.count
= mapped_count
;
1167 *r
->out
.domains
= domains
;
1168 r
->out
.sids
->sids
= rids
;
1169 r
->out
.sids
->count
= num_entries
;
1174 /***************************************************************************
1176 ***************************************************************************/
1178 NTSTATUS
_lsa_LookupNames2(struct pipes_struct
*p
,
1179 struct lsa_LookupNames2
*r
)
1182 struct lsa_LookupNames q
;
1183 struct lsa_TransSidArray2
*sid_array2
= r
->in
.sids
;
1184 struct lsa_TransSidArray
*sid_array
= NULL
;
1187 sid_array
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_TransSidArray
);
1189 return NT_STATUS_NO_MEMORY
;
1192 q
.in
.handle
= r
->in
.handle
;
1193 q
.in
.num_names
= r
->in
.num_names
;
1194 q
.in
.names
= r
->in
.names
;
1195 q
.in
.level
= r
->in
.level
;
1196 q
.in
.sids
= sid_array
;
1197 q
.in
.count
= r
->in
.count
;
1198 /* we do not know what this is for */
1199 /* = r->in.unknown1; */
1200 /* = r->in.unknown2; */
1202 q
.out
.domains
= r
->out
.domains
;
1203 q
.out
.sids
= sid_array
;
1204 q
.out
.count
= r
->out
.count
;
1206 status
= _lsa_LookupNames(p
, &q
);
1208 sid_array2
->count
= sid_array
->count
;
1209 sid_array2
->sids
= TALLOC_ARRAY(p
->mem_ctx
, struct lsa_TranslatedSid2
, sid_array
->count
);
1210 if (!sid_array2
->sids
) {
1211 return NT_STATUS_NO_MEMORY
;
1214 for (i
=0; i
<sid_array
->count
; i
++) {
1215 sid_array2
->sids
[i
].sid_type
= sid_array
->sids
[i
].sid_type
;
1216 sid_array2
->sids
[i
].rid
= sid_array
->sids
[i
].rid
;
1217 sid_array2
->sids
[i
].sid_index
= sid_array
->sids
[i
].sid_index
;
1218 sid_array2
->sids
[i
].unknown
= 0;
1221 r
->out
.sids
= sid_array2
;
1226 /***************************************************************************
1228 ***************************************************************************/
1230 NTSTATUS
_lsa_LookupNames3(struct pipes_struct
*p
,
1231 struct lsa_LookupNames3
*r
)
1234 struct lsa_info
*handle
;
1235 struct lsa_String
*names
= r
->in
.names
;
1236 uint32 num_entries
= r
->in
.num_names
;
1237 struct lsa_RefDomainList
*domains
= NULL
;
1238 struct lsa_TranslatedSid3
*trans_sids
= NULL
;
1239 uint32 mapped_count
= 0;
1241 bool check_policy
= true;
1244 case NDR_LSA_LOOKUPNAMES4
:
1245 check_policy
= false;
1247 case NDR_LSA_LOOKUPNAMES3
:
1249 check_policy
= true;
1252 if (num_entries
> MAX_LOOKUP_SIDS
) {
1253 num_entries
= MAX_LOOKUP_SIDS
;
1254 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries
));
1257 /* Probably the lookup_level is some sort of bitmask. */
1258 if (r
->in
.level
== 1) {
1259 flags
= LOOKUP_NAME_ALL
;
1262 domains
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_RefDomainList
);
1264 return NT_STATUS_NO_MEMORY
;
1268 trans_sids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_TranslatedSid3
,
1271 return NT_STATUS_NO_MEMORY
;
1279 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
1280 status
= NT_STATUS_INVALID_HANDLE
;
1284 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1285 return NT_STATUS_INVALID_HANDLE
;
1288 /* check if the user has enough rights */
1289 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
1290 status
= NT_STATUS_ACCESS_DENIED
;
1295 /* set up the LSA Lookup SIDs response */
1296 become_root(); /* lookup_name can require root privs */
1297 status
= lookup_lsa_sids(p
->mem_ctx
, domains
, trans_sids
, num_entries
,
1298 names
, flags
, &mapped_count
);
1303 if (NT_STATUS_IS_OK(status
)) {
1304 if (mapped_count
== 0) {
1305 status
= NT_STATUS_NONE_MAPPED
;
1306 } else if (mapped_count
!= num_entries
) {
1307 status
= STATUS_SOME_UNMAPPED
;
1311 *r
->out
.count
= mapped_count
;
1312 *r
->out
.domains
= domains
;
1313 r
->out
.sids
->sids
= trans_sids
;
1314 r
->out
.sids
->count
= num_entries
;
1319 /***************************************************************************
1321 ***************************************************************************/
1323 NTSTATUS
_lsa_LookupNames4(struct pipes_struct
*p
,
1324 struct lsa_LookupNames4
*r
)
1326 struct lsa_LookupNames3 q
;
1328 /* No policy handle on this call. Restrict to crypto connections. */
1329 if (p
->auth
.auth_type
!= DCERPC_AUTH_TYPE_SCHANNEL
) {
1330 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1331 get_remote_machine_name() ));
1332 return NT_STATUS_INVALID_PARAMETER
;
1336 q
.in
.num_names
= r
->in
.num_names
;
1337 q
.in
.names
= r
->in
.names
;
1338 q
.in
.level
= r
->in
.level
;
1339 q
.in
.lookup_options
= r
->in
.lookup_options
;
1340 q
.in
.client_revision
= r
->in
.client_revision
;
1341 q
.in
.sids
= r
->in
.sids
;
1342 q
.in
.count
= r
->in
.count
;
1344 q
.out
.domains
= r
->out
.domains
;
1345 q
.out
.sids
= r
->out
.sids
;
1346 q
.out
.count
= r
->out
.count
;
1348 return _lsa_LookupNames3(p
, &q
);
1351 /***************************************************************************
1352 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1353 ***************************************************************************/
1355 NTSTATUS
_lsa_Close(struct pipes_struct
*p
, struct lsa_Close
*r
)
1357 if (!find_policy_by_hnd(p
, r
->in
.handle
, NULL
)) {
1358 return NT_STATUS_INVALID_HANDLE
;
1361 close_policy_hnd(p
, r
->in
.handle
);
1362 ZERO_STRUCTP(r
->out
.handle
);
1363 return NT_STATUS_OK
;
1366 /***************************************************************************
1367 ***************************************************************************/
1369 NTSTATUS
_lsa_OpenSecret(struct pipes_struct
*p
, struct lsa_OpenSecret
*r
)
1371 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1374 /***************************************************************************
1375 ***************************************************************************/
1377 NTSTATUS
_lsa_OpenTrustedDomain(struct pipes_struct
*p
,
1378 struct lsa_OpenTrustedDomain
*r
)
1380 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1383 /***************************************************************************
1384 ***************************************************************************/
1386 NTSTATUS
_lsa_CreateTrustedDomain(struct pipes_struct
*p
,
1387 struct lsa_CreateTrustedDomain
*r
)
1389 return NT_STATUS_ACCESS_DENIED
;
1392 /***************************************************************************
1393 ***************************************************************************/
1395 NTSTATUS
_lsa_CreateSecret(struct pipes_struct
*p
, struct lsa_CreateSecret
*r
)
1397 return NT_STATUS_ACCESS_DENIED
;
1400 /***************************************************************************
1401 ***************************************************************************/
1403 NTSTATUS
_lsa_SetSecret(struct pipes_struct
*p
, struct lsa_SetSecret
*r
)
1405 return NT_STATUS_ACCESS_DENIED
;
1408 /***************************************************************************
1410 ***************************************************************************/
1412 NTSTATUS
_lsa_DeleteObject(struct pipes_struct
*p
,
1413 struct lsa_DeleteObject
*r
)
1416 struct lsa_info
*info
= NULL
;
1418 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
)) {
1419 return NT_STATUS_INVALID_HANDLE
;
1422 if (!(info
->access
& SEC_STD_DELETE
)) {
1423 return NT_STATUS_ACCESS_DENIED
;
1426 switch (info
->type
) {
1427 case LSA_HANDLE_ACCOUNT_TYPE
:
1428 status
= privilege_delete_account(&info
->sid
);
1429 if (!NT_STATUS_IS_OK(status
)) {
1430 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1431 nt_errstr(status
)));
1436 return NT_STATUS_INVALID_HANDLE
;
1439 close_policy_hnd(p
, r
->in
.handle
);
1440 ZERO_STRUCTP(r
->out
.handle
);
1445 /***************************************************************************
1447 ***************************************************************************/
1449 NTSTATUS
_lsa_EnumPrivs(struct pipes_struct
*p
,
1450 struct lsa_EnumPrivs
*r
)
1452 struct lsa_info
*handle
;
1454 uint32 enum_context
= *r
->in
.resume_handle
;
1455 int num_privs
= num_privileges_in_short_list();
1456 struct lsa_PrivEntry
*entries
= NULL
;
1458 /* remember that the enum_context starts at 0 and not 1 */
1460 if ( enum_context
>= num_privs
)
1461 return NT_STATUS_NO_MORE_ENTRIES
;
1463 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1464 enum_context
, num_privs
));
1466 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1467 return NT_STATUS_INVALID_HANDLE
;
1469 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1470 return NT_STATUS_INVALID_HANDLE
;
1473 /* check if the user has enough rights
1474 I don't know if it's the right one. not documented. */
1476 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1477 return NT_STATUS_ACCESS_DENIED
;
1480 entries
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_PrivEntry
, num_privs
);
1482 return NT_STATUS_NO_MEMORY
;
1488 for (i
= 0; i
< num_privs
; i
++) {
1489 if( i
< enum_context
) {
1491 init_lsa_StringLarge(&entries
[i
].name
, NULL
);
1493 entries
[i
].luid
.low
= 0;
1494 entries
[i
].luid
.high
= 0;
1497 init_lsa_StringLarge(&entries
[i
].name
, sec_privilege_name_from_index(i
));
1499 entries
[i
].luid
.low
= sec_privilege_from_index(i
);
1500 entries
[i
].luid
.high
= 0;
1504 enum_context
= num_privs
;
1506 *r
->out
.resume_handle
= enum_context
;
1507 r
->out
.privs
->count
= num_privs
;
1508 r
->out
.privs
->privs
= entries
;
1510 return NT_STATUS_OK
;
1513 /***************************************************************************
1514 _lsa_LookupPrivDisplayName
1515 ***************************************************************************/
1517 NTSTATUS
_lsa_LookupPrivDisplayName(struct pipes_struct
*p
,
1518 struct lsa_LookupPrivDisplayName
*r
)
1520 struct lsa_info
*handle
;
1521 const char *description
;
1522 struct lsa_StringLarge
*lsa_name
;
1524 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1525 return NT_STATUS_INVALID_HANDLE
;
1527 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1528 return NT_STATUS_INVALID_HANDLE
;
1531 /* check if the user has enough rights */
1534 * I don't know if it's the right one. not documented.
1536 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1537 return NT_STATUS_ACCESS_DENIED
;
1539 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r
->in
.name
->string
));
1541 description
= get_privilege_dispname(r
->in
.name
->string
);
1543 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1544 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1547 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description
));
1549 lsa_name
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_StringLarge
);
1551 return NT_STATUS_NO_MEMORY
;
1554 init_lsa_StringLarge(lsa_name
, description
);
1556 *r
->out
.returned_language_id
= r
->in
.language_id
;
1557 *r
->out
.disp_name
= lsa_name
;
1559 return NT_STATUS_OK
;
1562 /***************************************************************************
1564 ***************************************************************************/
1566 NTSTATUS
_lsa_EnumAccounts(struct pipes_struct
*p
,
1567 struct lsa_EnumAccounts
*r
)
1569 struct lsa_info
*handle
;
1570 struct dom_sid
*sid_list
;
1571 int i
, j
, num_entries
;
1573 struct lsa_SidPtr
*sids
= NULL
;
1575 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1576 return NT_STATUS_INVALID_HANDLE
;
1578 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1579 return NT_STATUS_INVALID_HANDLE
;
1582 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1583 return NT_STATUS_ACCESS_DENIED
;
1588 /* The only way we can currently find out all the SIDs that have been
1589 privileged is to scan all privileges */
1591 status
= privilege_enumerate_accounts(&sid_list
, &num_entries
);
1592 if (!NT_STATUS_IS_OK(status
)) {
1596 if (*r
->in
.resume_handle
>= num_entries
) {
1597 return NT_STATUS_NO_MORE_ENTRIES
;
1600 if (num_entries
- *r
->in
.resume_handle
) {
1601 sids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_SidPtr
,
1602 num_entries
- *r
->in
.resume_handle
);
1604 talloc_free(sid_list
);
1605 return NT_STATUS_NO_MEMORY
;
1608 for (i
= *r
->in
.resume_handle
, j
= 0; i
< num_entries
; i
++, j
++) {
1609 sids
[j
].sid
= sid_dup_talloc(p
->mem_ctx
, &sid_list
[i
]);
1611 talloc_free(sid_list
);
1612 return NT_STATUS_NO_MEMORY
;
1617 talloc_free(sid_list
);
1619 *r
->out
.resume_handle
= num_entries
;
1620 r
->out
.sids
->num_sids
= num_entries
;
1621 r
->out
.sids
->sids
= sids
;
1623 return NT_STATUS_OK
;
1626 /***************************************************************************
1628 ***************************************************************************/
1630 NTSTATUS
_lsa_GetUserName(struct pipes_struct
*p
,
1631 struct lsa_GetUserName
*r
)
1633 const char *username
, *domname
;
1634 struct lsa_String
*account_name
= NULL
;
1635 struct lsa_String
*authority_name
= NULL
;
1637 if (r
->in
.account_name
&&
1638 *r
->in
.account_name
) {
1639 return NT_STATUS_INVALID_PARAMETER
;
1642 if (r
->in
.authority_name
&&
1643 *r
->in
.authority_name
) {
1644 return NT_STATUS_INVALID_PARAMETER
;
1647 if (p
->server_info
->guest
) {
1649 * I'm 99% sure this is not the right place to do this,
1650 * global_sid_Anonymous should probably be put into the token
1651 * instead of the guest id -- vl
1653 if (!lookup_sid(p
->mem_ctx
, &global_sid_Anonymous
,
1654 &domname
, &username
, NULL
)) {
1655 return NT_STATUS_NO_MEMORY
;
1658 username
= p
->server_info
->sanitized_username
;
1659 domname
= p
->server_info
->info3
->base
.domain
.string
;
1662 account_name
= TALLOC_P(p
->mem_ctx
, struct lsa_String
);
1663 if (!account_name
) {
1664 return NT_STATUS_NO_MEMORY
;
1666 init_lsa_String(account_name
, username
);
1668 if (r
->out
.authority_name
) {
1669 authority_name
= TALLOC_P(p
->mem_ctx
, struct lsa_String
);
1670 if (!authority_name
) {
1671 return NT_STATUS_NO_MEMORY
;
1673 init_lsa_String(authority_name
, domname
);
1676 *r
->out
.account_name
= account_name
;
1677 if (r
->out
.authority_name
) {
1678 *r
->out
.authority_name
= authority_name
;
1681 return NT_STATUS_OK
;
1684 /***************************************************************************
1686 ***************************************************************************/
1688 NTSTATUS
_lsa_CreateAccount(struct pipes_struct
*p
,
1689 struct lsa_CreateAccount
*r
)
1692 struct lsa_info
*handle
;
1693 struct lsa_info
*info
;
1694 uint32_t acc_granted
;
1695 struct security_descriptor
*psd
;
1698 /* find the connection policy handle. */
1699 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1700 return NT_STATUS_INVALID_HANDLE
;
1702 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1703 return NT_STATUS_INVALID_HANDLE
;
1706 /* check if the user has enough rights */
1708 if (!(handle
->access
& LSA_POLICY_CREATE_ACCOUNT
)) {
1709 return NT_STATUS_ACCESS_DENIED
;
1712 /* Work out max allowed. */
1713 map_max_allowed_access(p
->server_info
->ptok
,
1714 &p
->server_info
->utok
,
1715 &r
->in
.access_mask
);
1717 /* map the generic bits to the lsa policy ones */
1718 se_map_generic(&r
->in
.access_mask
, &lsa_account_mapping
);
1720 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
1721 &lsa_account_mapping
,
1722 r
->in
.sid
, LSA_POLICY_ALL_ACCESS
);
1723 if (!NT_STATUS_IS_OK(status
)) {
1727 status
= access_check_object(psd
, p
->server_info
->ptok
,
1728 SEC_PRIV_INVALID
, SEC_PRIV_INVALID
, 0, r
->in
.access_mask
,
1729 &acc_granted
, "_lsa_CreateAccount");
1730 if (!NT_STATUS_IS_OK(status
)) {
1734 if ( is_privileged_sid( r
->in
.sid
) )
1735 return NT_STATUS_OBJECT_NAME_COLLISION
;
1737 /* associate the user/group SID with the (unique) handle. */
1739 info
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_info
);
1741 return NT_STATUS_NO_MEMORY
;
1744 info
->sid
= *r
->in
.sid
;
1745 info
->access
= acc_granted
;
1746 info
->type
= LSA_HANDLE_ACCOUNT_TYPE
;
1748 /* get a (unique) handle. open a policy on it. */
1749 if (!create_policy_hnd(p
, r
->out
.acct_handle
, info
))
1750 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1752 return privilege_create_account( &info
->sid
);
1755 /***************************************************************************
1757 ***************************************************************************/
1759 NTSTATUS
_lsa_OpenAccount(struct pipes_struct
*p
,
1760 struct lsa_OpenAccount
*r
)
1762 struct lsa_info
*handle
;
1763 struct lsa_info
*info
;
1764 struct security_descriptor
*psd
= NULL
;
1766 uint32_t des_access
= r
->in
.access_mask
;
1767 uint32_t acc_granted
;
1770 /* find the connection policy handle. */
1771 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1772 return NT_STATUS_INVALID_HANDLE
;
1774 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1775 return NT_STATUS_INVALID_HANDLE
;
1778 /* des_access is for the account here, not the policy
1779 * handle - so don't check against policy handle. */
1781 /* Work out max allowed. */
1782 map_max_allowed_access(p
->server_info
->ptok
,
1783 &p
->server_info
->utok
,
1786 /* map the generic bits to the lsa account ones */
1787 se_map_generic(&des_access
, &lsa_account_mapping
);
1789 /* get the generic lsa account SD until we store it */
1790 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
1791 &lsa_account_mapping
,
1792 r
->in
.sid
, LSA_ACCOUNT_ALL_ACCESS
);
1793 if (!NT_STATUS_IS_OK(status
)) {
1797 status
= access_check_object(psd
, p
->server_info
->ptok
,
1798 SEC_PRIV_INVALID
, SEC_PRIV_INVALID
, 0, des_access
,
1799 &acc_granted
, "_lsa_OpenAccount" );
1800 if (!NT_STATUS_IS_OK(status
)) {
1804 /* TODO: Fis the parsing routine before reenabling this check! */
1806 if (!lookup_sid(&handle
->sid
, dom_name
, name
, &type
))
1807 return NT_STATUS_ACCESS_DENIED
;
1809 /* associate the user/group SID with the (unique) handle. */
1810 info
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_info
);
1812 return NT_STATUS_NO_MEMORY
;
1815 info
->sid
= *r
->in
.sid
;
1816 info
->access
= acc_granted
;
1817 info
->type
= LSA_HANDLE_ACCOUNT_TYPE
;
1819 /* get a (unique) handle. open a policy on it. */
1820 if (!create_policy_hnd(p
, r
->out
.acct_handle
, info
))
1821 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1823 return NT_STATUS_OK
;
1826 /***************************************************************************
1827 _lsa_EnumPrivsAccount
1828 For a given SID, enumerate all the privilege this account has.
1829 ***************************************************************************/
1831 NTSTATUS
_lsa_EnumPrivsAccount(struct pipes_struct
*p
,
1832 struct lsa_EnumPrivsAccount
*r
)
1834 NTSTATUS status
= NT_STATUS_OK
;
1835 struct lsa_info
*info
=NULL
;
1836 PRIVILEGE_SET
*privileges
;
1837 struct lsa_PrivilegeSet
*priv_set
= NULL
;
1839 /* find the connection policy handle. */
1840 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1841 return NT_STATUS_INVALID_HANDLE
;
1843 if (info
->type
!= LSA_HANDLE_ACCOUNT_TYPE
) {
1844 return NT_STATUS_INVALID_HANDLE
;
1847 if (!(info
->access
& LSA_ACCOUNT_VIEW
))
1848 return NT_STATUS_ACCESS_DENIED
;
1850 status
= get_privileges_for_sid_as_set(p
->mem_ctx
, &privileges
, &info
->sid
);
1851 if (!NT_STATUS_IS_OK(status
)) {
1855 *r
->out
.privs
= priv_set
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_PrivilegeSet
);
1857 return NT_STATUS_NO_MEMORY
;
1860 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1861 sid_string_dbg(&info
->sid
),
1862 privileges
->count
));
1864 priv_set
->count
= privileges
->count
;
1865 priv_set
->unknown
= 0;
1866 priv_set
->set
= talloc_move(priv_set
, &privileges
->set
);
1871 /***************************************************************************
1872 _lsa_GetSystemAccessAccount
1873 ***************************************************************************/
1875 NTSTATUS
_lsa_GetSystemAccessAccount(struct pipes_struct
*p
,
1876 struct lsa_GetSystemAccessAccount
*r
)
1879 struct lsa_info
*info
= NULL
;
1880 struct lsa_EnumPrivsAccount e
;
1881 struct lsa_PrivilegeSet
*privset
;
1883 /* find the connection policy handle. */
1885 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1886 return NT_STATUS_INVALID_HANDLE
;
1888 if (info
->type
!= LSA_HANDLE_ACCOUNT_TYPE
) {
1889 return NT_STATUS_INVALID_HANDLE
;
1892 if (!(info
->access
& LSA_ACCOUNT_VIEW
))
1893 return NT_STATUS_ACCESS_DENIED
;
1895 privset
= talloc_zero(p
->mem_ctx
, struct lsa_PrivilegeSet
);
1897 return NT_STATUS_NO_MEMORY
;
1900 e
.in
.handle
= r
->in
.handle
;
1901 e
.out
.privs
= &privset
;
1903 status
= _lsa_EnumPrivsAccount(p
, &e
);
1904 if (!NT_STATUS_IS_OK(status
)) {
1905 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1906 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1907 nt_errstr(status
)));
1911 /* Samba4 would iterate over the privset to merge the policy mode bits,
1912 * not sure samba3 can do the same here, so just return what we did in
1916 0x01 -> Log on locally
1917 0x02 -> Access this computer from network
1918 0x04 -> Log on as a batch job
1919 0x10 -> Log on as a service
1921 they can be ORed together
1924 *r
->out
.access_mask
= LSA_POLICY_MODE_INTERACTIVE
|
1925 LSA_POLICY_MODE_NETWORK
;
1927 return NT_STATUS_OK
;
1930 /***************************************************************************
1931 update the systemaccount information
1932 ***************************************************************************/
1934 NTSTATUS
_lsa_SetSystemAccessAccount(struct pipes_struct
*p
,
1935 struct lsa_SetSystemAccessAccount
*r
)
1937 struct lsa_info
*info
=NULL
;
1940 /* find the connection policy handle. */
1941 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1942 return NT_STATUS_INVALID_HANDLE
;
1944 if (info
->type
!= LSA_HANDLE_ACCOUNT_TYPE
) {
1945 return NT_STATUS_INVALID_HANDLE
;
1948 if (!(info
->access
& LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS
)) {
1949 return NT_STATUS_ACCESS_DENIED
;
1952 if (!pdb_getgrsid(&map
, info
->sid
))
1953 return NT_STATUS_NO_SUCH_GROUP
;
1955 return pdb_update_group_mapping_entry(&map
);
1958 /***************************************************************************
1959 _lsa_AddPrivilegesToAccount
1960 For a given SID, add some privileges.
1961 ***************************************************************************/
1963 NTSTATUS
_lsa_AddPrivilegesToAccount(struct pipes_struct
*p
,
1964 struct lsa_AddPrivilegesToAccount
*r
)
1966 struct lsa_info
*info
= NULL
;
1967 struct lsa_PrivilegeSet
*set
= NULL
;
1969 /* find the connection policy handle. */
1970 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1971 return NT_STATUS_INVALID_HANDLE
;
1973 if (info
->type
!= LSA_HANDLE_ACCOUNT_TYPE
) {
1974 return NT_STATUS_INVALID_HANDLE
;
1977 if (!(info
->access
& LSA_ACCOUNT_ADJUST_PRIVILEGES
)) {
1978 return NT_STATUS_ACCESS_DENIED
;
1983 if ( !grant_privilege_set( &info
->sid
, set
) ) {
1984 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege_set(%s) failed!\n",
1985 sid_string_dbg(&info
->sid
) ));
1986 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1989 return NT_STATUS_OK
;
1992 /***************************************************************************
1993 _lsa_RemovePrivilegesFromAccount
1994 For a given SID, remove some privileges.
1995 ***************************************************************************/
1997 NTSTATUS
_lsa_RemovePrivilegesFromAccount(struct pipes_struct
*p
,
1998 struct lsa_RemovePrivilegesFromAccount
*r
)
2000 struct lsa_info
*info
= NULL
;
2001 struct lsa_PrivilegeSet
*set
= NULL
;
2003 /* find the connection policy handle. */
2004 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2005 return NT_STATUS_INVALID_HANDLE
;
2007 if (info
->type
!= LSA_HANDLE_ACCOUNT_TYPE
) {
2008 return NT_STATUS_INVALID_HANDLE
;
2011 if (!(info
->access
& LSA_ACCOUNT_ADJUST_PRIVILEGES
)) {
2012 return NT_STATUS_ACCESS_DENIED
;
2017 if ( !revoke_privilege_set( &info
->sid
, set
) ) {
2018 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2019 sid_string_dbg(&info
->sid
) ));
2020 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2023 return NT_STATUS_OK
;
2026 /***************************************************************************
2028 ***************************************************************************/
2030 NTSTATUS
_lsa_LookupPrivName(struct pipes_struct
*p
,
2031 struct lsa_LookupPrivName
*r
)
2033 struct lsa_info
*info
= NULL
;
2035 struct lsa_StringLarge
*lsa_name
;
2037 /* find the connection policy handle. */
2038 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
)) {
2039 return NT_STATUS_INVALID_HANDLE
;
2042 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2043 return NT_STATUS_INVALID_HANDLE
;
2046 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
)) {
2047 return NT_STATUS_ACCESS_DENIED
;
2050 if (r
->in
.luid
->high
!= 0) {
2051 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2054 name
= sec_privilege_name(r
->in
.luid
->low
);
2056 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2059 lsa_name
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_StringLarge
);
2061 return NT_STATUS_NO_MEMORY
;
2064 lsa_name
->string
= talloc_strdup(lsa_name
, name
);
2065 if (!lsa_name
->string
) {
2066 TALLOC_FREE(lsa_name
);
2067 return NT_STATUS_NO_MEMORY
;
2070 *r
->out
.name
= lsa_name
;
2072 return NT_STATUS_OK
;
2075 /***************************************************************************
2077 ***************************************************************************/
2079 NTSTATUS
_lsa_QuerySecurity(struct pipes_struct
*p
,
2080 struct lsa_QuerySecurity
*r
)
2082 struct lsa_info
*handle
=NULL
;
2083 struct security_descriptor
*psd
= NULL
;
2087 /* find the connection policy handle. */
2088 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
2089 return NT_STATUS_INVALID_HANDLE
;
2091 switch (handle
->type
) {
2092 case LSA_HANDLE_POLICY_TYPE
:
2093 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
2094 &lsa_policy_mapping
, NULL
, 0);
2096 case LSA_HANDLE_ACCOUNT_TYPE
:
2097 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
2098 &lsa_account_mapping
,
2099 &handle
->sid
, LSA_ACCOUNT_ALL_ACCESS
);
2102 status
= NT_STATUS_INVALID_HANDLE
;
2106 if (!NT_STATUS_IS_OK(status
)) {
2110 *r
->out
.sdbuf
= make_sec_desc_buf(p
->mem_ctx
, sd_size
, psd
);
2111 if (!*r
->out
.sdbuf
) {
2112 return NT_STATUS_NO_MEMORY
;
2118 /***************************************************************************
2119 _lsa_AddAccountRights
2120 ***************************************************************************/
2122 NTSTATUS
_lsa_AddAccountRights(struct pipes_struct
*p
,
2123 struct lsa_AddAccountRights
*r
)
2125 struct lsa_info
*info
= NULL
;
2127 uint32_t acc_granted
= 0;
2128 struct security_descriptor
*psd
= NULL
;
2133 /* find the connection policy handle. */
2134 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2135 return NT_STATUS_INVALID_HANDLE
;
2137 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2138 return NT_STATUS_INVALID_HANDLE
;
2141 /* get the generic lsa account SD for this SID until we store it */
2142 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
2143 &lsa_account_mapping
,
2144 r
->in
.sid
, LSA_ACCOUNT_ALL_ACCESS
);
2145 if (!NT_STATUS_IS_OK(status
)) {
2150 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2151 * on the policy handle. If it does, ask for
2152 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2153 * on the account sid. We don't check here so just use the latter. JRA.
2156 status
= access_check_object(psd
, p
->server_info
->ptok
,
2157 SEC_PRIV_INVALID
, SEC_PRIV_INVALID
, 0,
2158 LSA_ACCOUNT_ADJUST_PRIVILEGES
|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS
|LSA_ACCOUNT_VIEW
,
2159 &acc_granted
, "_lsa_AddAccountRights" );
2160 if (!NT_STATUS_IS_OK(status
)) {
2164 /* according to an NT4 PDC, you can add privileges to SIDs even without
2165 call_lsa_create_account() first. And you can use any arbitrary SID. */
2167 sid_copy( &sid
, r
->in
.sid
);
2169 for ( i
=0; i
< r
->in
.rights
->count
; i
++ ) {
2171 const char *privname
= r
->in
.rights
->names
[i
].string
;
2173 /* only try to add non-null strings */
2178 if ( !grant_privilege_by_name( &sid
, privname
) ) {
2179 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2181 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2185 return NT_STATUS_OK
;
2188 /***************************************************************************
2189 _lsa_RemoveAccountRights
2190 ***************************************************************************/
2192 NTSTATUS
_lsa_RemoveAccountRights(struct pipes_struct
*p
,
2193 struct lsa_RemoveAccountRights
*r
)
2195 struct lsa_info
*info
= NULL
;
2197 struct security_descriptor
*psd
= NULL
;
2200 const char *privname
= NULL
;
2201 uint32_t acc_granted
= 0;
2204 /* find the connection policy handle. */
2205 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2206 return NT_STATUS_INVALID_HANDLE
;
2208 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2209 return NT_STATUS_INVALID_HANDLE
;
2212 /* get the generic lsa account SD for this SID until we store it */
2213 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
2214 &lsa_account_mapping
,
2215 r
->in
.sid
, LSA_ACCOUNT_ALL_ACCESS
);
2216 if (!NT_STATUS_IS_OK(status
)) {
2221 * From the MS DOCs. We need
2222 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2223 * and DELETE on the account sid.
2226 status
= access_check_object(psd
, p
->server_info
->ptok
,
2227 SEC_PRIV_INVALID
, SEC_PRIV_INVALID
, 0,
2228 LSA_ACCOUNT_ADJUST_PRIVILEGES
|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS
|
2229 LSA_ACCOUNT_VIEW
|SEC_STD_DELETE
,
2230 &acc_granted
, "_lsa_RemoveAccountRights");
2231 if (!NT_STATUS_IS_OK(status
)) {
2235 sid_copy( &sid
, r
->in
.sid
);
2237 if ( r
->in
.remove_all
) {
2238 if ( !revoke_all_privileges( &sid
) )
2239 return NT_STATUS_ACCESS_DENIED
;
2241 return NT_STATUS_OK
;
2244 for ( i
=0; i
< r
->in
.rights
->count
; i
++ ) {
2246 privname
= r
->in
.rights
->names
[i
].string
;
2248 /* only try to add non-null strings */
2253 if ( !revoke_privilege_by_name( &sid
, privname
) ) {
2254 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2256 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2260 return NT_STATUS_OK
;
2263 /*******************************************************************
2264 ********************************************************************/
2266 static NTSTATUS
init_lsa_right_set(TALLOC_CTX
*mem_ctx
,
2267 struct lsa_RightSet
*r
,
2268 PRIVILEGE_SET
*privileges
)
2271 const char *privname
;
2272 const char **privname_array
= NULL
;
2275 for (i
=0; i
<privileges
->count
; i
++) {
2276 if (privileges
->set
[i
].luid
.high
) {
2279 privname
= sec_privilege_name(privileges
->set
[i
].luid
.low
);
2281 if (!add_string_to_array(mem_ctx
, privname
,
2282 &privname_array
, &num_priv
)) {
2283 return NT_STATUS_NO_MEMORY
;
2290 r
->names
= TALLOC_ZERO_ARRAY(mem_ctx
, struct lsa_StringLarge
,
2293 return NT_STATUS_NO_MEMORY
;
2296 for (i
=0; i
<num_priv
; i
++) {
2297 init_lsa_StringLarge(&r
->names
[i
], privname_array
[i
]);
2300 r
->count
= num_priv
;
2303 return NT_STATUS_OK
;
2306 /***************************************************************************
2307 _lsa_EnumAccountRights
2308 ***************************************************************************/
2310 NTSTATUS
_lsa_EnumAccountRights(struct pipes_struct
*p
,
2311 struct lsa_EnumAccountRights
*r
)
2314 struct lsa_info
*info
= NULL
;
2316 PRIVILEGE_SET
*privileges
;
2318 /* find the connection policy handle. */
2320 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2321 return NT_STATUS_INVALID_HANDLE
;
2323 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2324 return NT_STATUS_INVALID_HANDLE
;
2327 if (!(info
->access
& LSA_ACCOUNT_VIEW
)) {
2328 return NT_STATUS_ACCESS_DENIED
;
2331 /* according to an NT4 PDC, you can add privileges to SIDs even without
2332 call_lsa_create_account() first. And you can use any arbitrary SID. */
2334 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2335 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2336 * the lsa database */
2338 status
= get_privileges_for_sid_as_set(p
->mem_ctx
, &privileges
, r
->in
.sid
);
2339 if (!NT_STATUS_IS_OK(status
)) {
2343 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2344 sid_string_dbg(&sid
), privileges
->count
));
2346 status
= init_lsa_right_set(p
->mem_ctx
, r
->out
.rights
, privileges
);
2351 /***************************************************************************
2352 _lsa_LookupPrivValue
2353 ***************************************************************************/
2355 NTSTATUS
_lsa_LookupPrivValue(struct pipes_struct
*p
,
2356 struct lsa_LookupPrivValue
*r
)
2358 struct lsa_info
*info
= NULL
;
2359 const char *name
= NULL
;
2361 /* find the connection policy handle. */
2363 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2364 return NT_STATUS_INVALID_HANDLE
;
2366 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2367 return NT_STATUS_INVALID_HANDLE
;
2370 if (!(info
->access
& LSA_POLICY_LOOKUP_NAMES
))
2371 return NT_STATUS_ACCESS_DENIED
;
2373 name
= r
->in
.name
->string
;
2375 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name
));
2377 r
->out
.luid
->low
= sec_privilege_id(name
);
2378 r
->out
.luid
->high
= 0;
2379 if (r
->out
.luid
->low
== SEC_PRIV_INVALID
) {
2380 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2382 return NT_STATUS_OK
;
2385 /***************************************************************************
2386 _lsa_EnumAccountsWithUserRight
2387 ***************************************************************************/
2389 NTSTATUS
_lsa_EnumAccountsWithUserRight(struct pipes_struct
*p
,
2390 struct lsa_EnumAccountsWithUserRight
*r
)
2393 struct lsa_info
*info
= NULL
;
2394 struct dom_sid
*sids
= NULL
;
2397 enum sec_privilege privilege
;
2399 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
)) {
2400 return NT_STATUS_INVALID_HANDLE
;
2403 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2404 return NT_STATUS_INVALID_HANDLE
;
2407 if (!(info
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
2408 return NT_STATUS_ACCESS_DENIED
;
2411 if (!r
->in
.name
|| !r
->in
.name
->string
) {
2412 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2415 privilege
= sec_privilege_id(r
->in
.name
->string
);
2416 if (privilege
== SEC_PRIV_INVALID
) {
2417 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2420 status
= privilege_enum_sids(privilege
, p
->mem_ctx
,
2422 if (!NT_STATUS_IS_OK(status
)) {
2426 r
->out
.sids
->num_sids
= num_sids
;
2427 r
->out
.sids
->sids
= talloc_array(p
->mem_ctx
, struct lsa_SidPtr
,
2428 r
->out
.sids
->num_sids
);
2430 for (i
=0; i
< r
->out
.sids
->num_sids
; i
++) {
2431 r
->out
.sids
->sids
[i
].sid
= sid_dup_talloc(r
->out
.sids
->sids
,
2433 if (!r
->out
.sids
->sids
[i
].sid
) {
2434 TALLOC_FREE(r
->out
.sids
->sids
);
2435 r
->out
.sids
->num_sids
= 0;
2436 return NT_STATUS_NO_MEMORY
;
2440 return NT_STATUS_OK
;
2443 /***************************************************************************
2445 ***************************************************************************/
2447 NTSTATUS
_lsa_Delete(struct pipes_struct
*p
,
2448 struct lsa_Delete
*r
)
2450 return NT_STATUS_NOT_SUPPORTED
;
2454 * From here on the server routines are just dummy ones to make smbd link with
2455 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2456 * pulling the server stubs across one by one.
2459 NTSTATUS
_lsa_SetSecObj(struct pipes_struct
*p
, struct lsa_SetSecObj
*r
)
2461 p
->rng_fault_state
= True
;
2462 return NT_STATUS_NOT_IMPLEMENTED
;
2465 NTSTATUS
_lsa_ChangePassword(struct pipes_struct
*p
,
2466 struct lsa_ChangePassword
*r
)
2468 p
->rng_fault_state
= True
;
2469 return NT_STATUS_NOT_IMPLEMENTED
;
2472 NTSTATUS
_lsa_SetInfoPolicy(struct pipes_struct
*p
, struct lsa_SetInfoPolicy
*r
)
2474 p
->rng_fault_state
= True
;
2475 return NT_STATUS_NOT_IMPLEMENTED
;
2478 NTSTATUS
_lsa_ClearAuditLog(struct pipes_struct
*p
, struct lsa_ClearAuditLog
*r
)
2480 p
->rng_fault_state
= True
;
2481 return NT_STATUS_NOT_IMPLEMENTED
;
2484 NTSTATUS
_lsa_GetQuotasForAccount(struct pipes_struct
*p
,
2485 struct lsa_GetQuotasForAccount
*r
)
2487 p
->rng_fault_state
= True
;
2488 return NT_STATUS_NOT_IMPLEMENTED
;
2491 NTSTATUS
_lsa_SetQuotasForAccount(struct pipes_struct
*p
,
2492 struct lsa_SetQuotasForAccount
*r
)
2494 p
->rng_fault_state
= True
;
2495 return NT_STATUS_NOT_IMPLEMENTED
;
2498 NTSTATUS
_lsa_QueryTrustedDomainInfo(struct pipes_struct
*p
,
2499 struct lsa_QueryTrustedDomainInfo
*r
)
2501 p
->rng_fault_state
= True
;
2502 return NT_STATUS_NOT_IMPLEMENTED
;
2505 NTSTATUS
_lsa_SetInformationTrustedDomain(struct pipes_struct
*p
,
2506 struct lsa_SetInformationTrustedDomain
*r
)
2508 p
->rng_fault_state
= True
;
2509 return NT_STATUS_NOT_IMPLEMENTED
;
2512 NTSTATUS
_lsa_QuerySecret(struct pipes_struct
*p
, struct lsa_QuerySecret
*r
)
2514 p
->rng_fault_state
= True
;
2515 return NT_STATUS_NOT_IMPLEMENTED
;
2518 NTSTATUS
_lsa_QueryTrustedDomainInfoBySid(struct pipes_struct
*p
,
2519 struct lsa_QueryTrustedDomainInfoBySid
*r
)
2521 p
->rng_fault_state
= True
;
2522 return NT_STATUS_NOT_IMPLEMENTED
;
2525 NTSTATUS
_lsa_SetTrustedDomainInfo(struct pipes_struct
*p
,
2526 struct lsa_SetTrustedDomainInfo
*r
)
2528 p
->rng_fault_state
= True
;
2529 return NT_STATUS_NOT_IMPLEMENTED
;
2532 NTSTATUS
_lsa_DeleteTrustedDomain(struct pipes_struct
*p
,
2533 struct lsa_DeleteTrustedDomain
*r
)
2535 p
->rng_fault_state
= True
;
2536 return NT_STATUS_NOT_IMPLEMENTED
;
2539 NTSTATUS
_lsa_StorePrivateData(struct pipes_struct
*p
,
2540 struct lsa_StorePrivateData
*r
)
2542 p
->rng_fault_state
= True
;
2543 return NT_STATUS_NOT_IMPLEMENTED
;
2546 NTSTATUS
_lsa_RetrievePrivateData(struct pipes_struct
*p
,
2547 struct lsa_RetrievePrivateData
*r
)
2549 p
->rng_fault_state
= True
;
2550 return NT_STATUS_NOT_IMPLEMENTED
;
2553 NTSTATUS
_lsa_SetInfoPolicy2(struct pipes_struct
*p
,
2554 struct lsa_SetInfoPolicy2
*r
)
2556 p
->rng_fault_state
= True
;
2557 return NT_STATUS_NOT_IMPLEMENTED
;
2560 NTSTATUS
_lsa_QueryTrustedDomainInfoByName(struct pipes_struct
*p
,
2561 struct lsa_QueryTrustedDomainInfoByName
*r
)
2563 p
->rng_fault_state
= True
;
2564 return NT_STATUS_NOT_IMPLEMENTED
;
2567 NTSTATUS
_lsa_SetTrustedDomainInfoByName(struct pipes_struct
*p
,
2568 struct lsa_SetTrustedDomainInfoByName
*r
)
2570 p
->rng_fault_state
= True
;
2571 return NT_STATUS_NOT_IMPLEMENTED
;
2574 NTSTATUS
_lsa_EnumTrustedDomainsEx(struct pipes_struct
*p
,
2575 struct lsa_EnumTrustedDomainsEx
*r
)
2577 p
->rng_fault_state
= True
;
2578 return NT_STATUS_NOT_IMPLEMENTED
;
2581 NTSTATUS
_lsa_CreateTrustedDomainEx(struct pipes_struct
*p
,
2582 struct lsa_CreateTrustedDomainEx
*r
)
2584 p
->rng_fault_state
= True
;
2585 return NT_STATUS_NOT_IMPLEMENTED
;
2588 NTSTATUS
_lsa_CloseTrustedDomainEx(struct pipes_struct
*p
,
2589 struct lsa_CloseTrustedDomainEx
*r
)
2591 p
->rng_fault_state
= True
;
2592 return NT_STATUS_NOT_IMPLEMENTED
;
2595 NTSTATUS
_lsa_QueryDomainInformationPolicy(struct pipes_struct
*p
,
2596 struct lsa_QueryDomainInformationPolicy
*r
)
2598 p
->rng_fault_state
= True
;
2599 return NT_STATUS_NOT_IMPLEMENTED
;
2602 NTSTATUS
_lsa_SetDomainInformationPolicy(struct pipes_struct
*p
,
2603 struct lsa_SetDomainInformationPolicy
*r
)
2605 p
->rng_fault_state
= True
;
2606 return NT_STATUS_NOT_IMPLEMENTED
;
2609 NTSTATUS
_lsa_OpenTrustedDomainByName(struct pipes_struct
*p
,
2610 struct lsa_OpenTrustedDomainByName
*r
)
2612 p
->rng_fault_state
= True
;
2613 return NT_STATUS_NOT_IMPLEMENTED
;
2616 NTSTATUS
_lsa_TestCall(struct pipes_struct
*p
, struct lsa_TestCall
*r
)
2618 p
->rng_fault_state
= True
;
2619 return NT_STATUS_NOT_IMPLEMENTED
;
2622 NTSTATUS
_lsa_CreateTrustedDomainEx2(struct pipes_struct
*p
,
2623 struct lsa_CreateTrustedDomainEx2
*r
)
2625 p
->rng_fault_state
= True
;
2626 return NT_STATUS_NOT_IMPLEMENTED
;
2629 NTSTATUS
_lsa_CREDRWRITE(struct pipes_struct
*p
, struct lsa_CREDRWRITE
*r
)
2631 p
->rng_fault_state
= True
;
2632 return NT_STATUS_NOT_IMPLEMENTED
;
2635 NTSTATUS
_lsa_CREDRREAD(struct pipes_struct
*p
, struct lsa_CREDRREAD
*r
)
2637 p
->rng_fault_state
= True
;
2638 return NT_STATUS_NOT_IMPLEMENTED
;
2641 NTSTATUS
_lsa_CREDRENUMERATE(struct pipes_struct
*p
, struct lsa_CREDRENUMERATE
*r
)
2643 p
->rng_fault_state
= True
;
2644 return NT_STATUS_NOT_IMPLEMENTED
;
2647 NTSTATUS
_lsa_CREDRWRITEDOMAINCREDENTIALS(struct pipes_struct
*p
,
2648 struct lsa_CREDRWRITEDOMAINCREDENTIALS
*r
)
2650 p
->rng_fault_state
= True
;
2651 return NT_STATUS_NOT_IMPLEMENTED
;
2654 NTSTATUS
_lsa_CREDRREADDOMAINCREDENTIALS(struct pipes_struct
*p
,
2655 struct lsa_CREDRREADDOMAINCREDENTIALS
*r
)
2657 p
->rng_fault_state
= True
;
2658 return NT_STATUS_NOT_IMPLEMENTED
;
2661 NTSTATUS
_lsa_CREDRDELETE(struct pipes_struct
*p
, struct lsa_CREDRDELETE
*r
)
2663 p
->rng_fault_state
= True
;
2664 return NT_STATUS_NOT_IMPLEMENTED
;
2667 NTSTATUS
_lsa_CREDRGETTARGETINFO(struct pipes_struct
*p
,
2668 struct lsa_CREDRGETTARGETINFO
*r
)
2670 p
->rng_fault_state
= True
;
2671 return NT_STATUS_NOT_IMPLEMENTED
;
2674 NTSTATUS
_lsa_CREDRPROFILELOADED(struct pipes_struct
*p
,
2675 struct lsa_CREDRPROFILELOADED
*r
)
2677 p
->rng_fault_state
= True
;
2678 return NT_STATUS_NOT_IMPLEMENTED
;
2681 NTSTATUS
_lsa_CREDRGETSESSIONTYPES(struct pipes_struct
*p
,
2682 struct lsa_CREDRGETSESSIONTYPES
*r
)
2684 p
->rng_fault_state
= True
;
2685 return NT_STATUS_NOT_IMPLEMENTED
;
2688 NTSTATUS
_lsa_LSARREGISTERAUDITEVENT(struct pipes_struct
*p
,
2689 struct lsa_LSARREGISTERAUDITEVENT
*r
)
2691 p
->rng_fault_state
= True
;
2692 return NT_STATUS_NOT_IMPLEMENTED
;
2695 NTSTATUS
_lsa_LSARGENAUDITEVENT(struct pipes_struct
*p
,
2696 struct lsa_LSARGENAUDITEVENT
*r
)
2698 p
->rng_fault_state
= True
;
2699 return NT_STATUS_NOT_IMPLEMENTED
;
2702 NTSTATUS
_lsa_LSARUNREGISTERAUDITEVENT(struct pipes_struct
*p
,
2703 struct lsa_LSARUNREGISTERAUDITEVENT
*r
)
2705 p
->rng_fault_state
= True
;
2706 return NT_STATUS_NOT_IMPLEMENTED
;
2709 NTSTATUS
_lsa_lsaRQueryForestTrustInformation(struct pipes_struct
*p
,
2710 struct lsa_lsaRQueryForestTrustInformation
*r
)
2712 p
->rng_fault_state
= True
;
2713 return NT_STATUS_NOT_IMPLEMENTED
;
2716 NTSTATUS
_lsa_lsaRSetForestTrustInformation(struct pipes_struct
*p
,
2717 struct lsa_lsaRSetForestTrustInformation
*r
)
2719 p
->rng_fault_state
= True
;
2720 return NT_STATUS_NOT_IMPLEMENTED
;
2723 NTSTATUS
_lsa_CREDRRENAME(struct pipes_struct
*p
,
2724 struct lsa_CREDRRENAME
*r
)
2726 p
->rng_fault_state
= True
;
2727 return NT_STATUS_NOT_IMPLEMENTED
;
2730 NTSTATUS
_lsa_LSAROPENPOLICYSCE(struct pipes_struct
*p
,
2731 struct lsa_LSAROPENPOLICYSCE
*r
)
2733 p
->rng_fault_state
= True
;
2734 return NT_STATUS_NOT_IMPLEMENTED
;
2737 NTSTATUS
_lsa_LSARADTREGISTERSECURITYEVENTSOURCE(struct pipes_struct
*p
,
2738 struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE
*r
)
2740 p
->rng_fault_state
= True
;
2741 return NT_STATUS_NOT_IMPLEMENTED
;
2744 NTSTATUS
_lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(struct pipes_struct
*p
,
2745 struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE
*r
)
2747 p
->rng_fault_state
= True
;
2748 return NT_STATUS_NOT_IMPLEMENTED
;
2751 NTSTATUS
_lsa_LSARADTREPORTSECURITYEVENT(struct pipes_struct
*p
,
2752 struct lsa_LSARADTREPORTSECURITYEVENT
*r
)
2754 p
->rng_fault_state
= True
;
2755 return NT_STATUS_NOT_IMPLEMENTED
;