2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
29 /* This is the implementation of the lsa server code. */
34 #define DBGC_CLASS DBGC_RPC_SRV
36 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
45 const struct generic_mapping lsa_generic_mapping
= {
52 /***************************************************************************
53 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
54 ***************************************************************************/
56 static int init_lsa_ref_domain_list(TALLOC_CTX
*mem_ctx
,
57 struct lsa_RefDomainList
*ref
,
63 if (dom_name
!= NULL
) {
64 for (num
= 0; num
< ref
->count
; num
++) {
65 if (sid_equal(dom_sid
, ref
->domains
[num
].sid
)) {
73 if (num
>= LSA_REF_DOMAIN_LIST_MULTIPLIER
) {
74 /* index not found, already at maximum domain limit */
79 ref
->max_size
= LSA_REF_DOMAIN_LIST_MULTIPLIER
;
81 ref
->domains
= TALLOC_REALLOC_ARRAY(mem_ctx
, ref
->domains
,
82 struct lsa_DomainInfo
, ref
->count
);
87 ZERO_STRUCT(ref
->domains
[num
]);
89 init_lsa_StringLarge(&ref
->domains
[num
].name
, dom_name
);
90 ref
->domains
[num
].sid
= sid_dup_talloc(mem_ctx
, dom_sid
);
91 if (!ref
->domains
[num
].sid
) {
99 /***************************************************************************
100 initialize a lsa_DomainInfo structure.
101 ***************************************************************************/
103 static void init_dom_query_3(struct lsa_DomainInfo
*r
,
107 init_lsa_StringLarge(&r
->name
, name
);
111 /***************************************************************************
112 initialize a lsa_DomainInfo structure.
113 ***************************************************************************/
115 static void init_dom_query_5(struct lsa_DomainInfo
*r
,
119 init_lsa_StringLarge(&r
->name
, name
);
123 /***************************************************************************
124 lookup_lsa_rids. Must be called as root for lookup_name to work.
125 ***************************************************************************/
127 static NTSTATUS
lookup_lsa_rids(TALLOC_CTX
*mem_ctx
,
128 struct lsa_RefDomainList
*ref
,
129 struct lsa_TranslatedSid
*prid
,
130 uint32_t num_entries
,
131 struct lsa_String
*name
,
133 uint32_t *pmapped_count
)
135 uint32 mapped_count
, i
;
137 SMB_ASSERT(num_entries
<= MAX_LOOKUP_SIDS
);
142 for (i
= 0; i
< num_entries
; i
++) {
146 const char *full_name
;
148 enum lsa_SidType type
= SID_NAME_UNKNOWN
;
150 /* Split name into domain and user component */
152 full_name
= name
[i
].string
;
153 if (full_name
== NULL
) {
154 return NT_STATUS_NO_MEMORY
;
157 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name
));
159 /* We can ignore the result of lookup_name, it will not touch
160 "type" if it's not successful */
162 lookup_name(mem_ctx
, full_name
, flags
, &domain
, NULL
,
167 case SID_NAME_DOM_GRP
:
168 case SID_NAME_DOMAIN
:
170 case SID_NAME_WKN_GRP
:
171 DEBUG(5, ("init_lsa_rids: %s found\n", full_name
));
172 /* Leave these unchanged */
175 /* Don't hand out anything but the list above */
176 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name
));
177 type
= SID_NAME_UNKNOWN
;
184 if (type
!= SID_NAME_UNKNOWN
) {
185 sid_split_rid(&sid
, &rid
);
186 dom_idx
= init_lsa_ref_domain_list(mem_ctx
, ref
, domain
, &sid
);
190 prid
[i
].sid_type
= type
;
192 prid
[i
].sid_index
= dom_idx
;
195 *pmapped_count
= mapped_count
;
199 /***************************************************************************
200 lookup_lsa_sids. Must be called as root for lookup_name to work.
201 ***************************************************************************/
203 static NTSTATUS
lookup_lsa_sids(TALLOC_CTX
*mem_ctx
,
204 struct lsa_RefDomainList
*ref
,
205 struct lsa_TranslatedSid3
*trans_sids
,
206 uint32_t num_entries
,
207 struct lsa_String
*name
,
209 uint32
*pmapped_count
)
211 uint32 mapped_count
, i
;
213 SMB_ASSERT(num_entries
<= MAX_LOOKUP_SIDS
);
218 for (i
= 0; i
< num_entries
; i
++) {
222 const char *full_name
;
224 enum lsa_SidType type
= SID_NAME_UNKNOWN
;
228 /* Split name into domain and user component */
230 full_name
= name
[i
].string
;
231 if (full_name
== NULL
) {
232 return NT_STATUS_NO_MEMORY
;
235 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name
));
237 /* We can ignore the result of lookup_name, it will not touch
238 "type" if it's not successful */
240 lookup_name(mem_ctx
, full_name
, flags
, &domain
, NULL
,
245 case SID_NAME_DOM_GRP
:
246 case SID_NAME_DOMAIN
:
248 case SID_NAME_WKN_GRP
:
249 DEBUG(5, ("init_lsa_sids: %s found\n", full_name
));
250 /* Leave these unchanged */
253 /* Don't hand out anything but the list above */
254 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name
));
255 type
= SID_NAME_UNKNOWN
;
262 if (type
!= SID_NAME_UNKNOWN
) {
264 sid_copy(&domain_sid
, &sid
);
265 sid_split_rid(&domain_sid
, &rid
);
266 dom_idx
= init_lsa_ref_domain_list(mem_ctx
, ref
, domain
, &domain_sid
);
270 /* Initialize the lsa_TranslatedSid3 return. */
271 trans_sids
[i
].sid_type
= type
;
272 trans_sids
[i
].sid
= sid_dup_talloc(mem_ctx
, &sid
);
273 trans_sids
[i
].sid_index
= dom_idx
;
276 *pmapped_count
= mapped_count
;
280 static NTSTATUS
lsa_get_generic_sd(TALLOC_CTX
*mem_ctx
, SEC_DESC
**sd
, size_t *sd_size
)
282 DOM_SID local_adm_sid
;
289 init_sec_ace(&ace
[0], &global_sid_World
, SEC_ACE_TYPE_ACCESS_ALLOWED
, LSA_POLICY_EXECUTE
, 0);
291 sid_copy(&adm_sid
, get_global_sam_sid());
292 sid_append_rid(&adm_sid
, DOMAIN_GROUP_RID_ADMINS
);
293 init_sec_ace(&ace
[1], &adm_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, LSA_POLICY_ALL_ACCESS
, 0);
295 sid_copy(&local_adm_sid
, &global_sid_Builtin
);
296 sid_append_rid(&local_adm_sid
, BUILTIN_ALIAS_RID_ADMINS
);
297 init_sec_ace(&ace
[2], &local_adm_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, LSA_POLICY_ALL_ACCESS
, 0);
299 if((psa
= make_sec_acl(mem_ctx
, NT4_ACL_REVISION
, 3, ace
)) == NULL
)
300 return NT_STATUS_NO_MEMORY
;
302 if((*sd
= make_sec_desc(mem_ctx
, SECURITY_DESCRIPTOR_REVISION_1
,
303 SEC_DESC_SELF_RELATIVE
, &adm_sid
, NULL
, NULL
,
304 psa
, sd_size
)) == NULL
)
305 return NT_STATUS_NO_MEMORY
;
310 #if 0 /* AD DC work in ongoing in Samba 4 */
312 /***************************************************************************
314 ***************************************************************************/
316 static void init_dns_dom_info(LSA_DNS_DOM_INFO
*r_l
, const char *nb_name
,
317 const char *dns_name
, const char *forest_name
,
318 struct GUID
*dom_guid
, DOM_SID
*dom_sid
)
320 if (nb_name
&& *nb_name
) {
321 init_unistr2(&r_l
->uni_nb_dom_name
, nb_name
, UNI_FLAGS_NONE
);
322 init_uni_hdr(&r_l
->hdr_nb_dom_name
, &r_l
->uni_nb_dom_name
);
323 r_l
->hdr_nb_dom_name
.uni_max_len
+= 2;
324 r_l
->uni_nb_dom_name
.uni_max_len
+= 1;
327 if (dns_name
&& *dns_name
) {
328 init_unistr2(&r_l
->uni_dns_dom_name
, dns_name
, UNI_FLAGS_NONE
);
329 init_uni_hdr(&r_l
->hdr_dns_dom_name
, &r_l
->uni_dns_dom_name
);
330 r_l
->hdr_dns_dom_name
.uni_max_len
+= 2;
331 r_l
->uni_dns_dom_name
.uni_max_len
+= 1;
334 if (forest_name
&& *forest_name
) {
335 init_unistr2(&r_l
->uni_forest_name
, forest_name
, UNI_FLAGS_NONE
);
336 init_uni_hdr(&r_l
->hdr_forest_name
, &r_l
->uni_forest_name
);
337 r_l
->hdr_forest_name
.uni_max_len
+= 2;
338 r_l
->uni_forest_name
.uni_max_len
+= 1;
341 /* how do we init the guid ? probably should write an init fn */
343 memcpy(&r_l
->dom_guid
, dom_guid
, sizeof(struct GUID
));
347 r_l
->ptr_dom_sid
= 1;
348 init_dom_sid2(&r_l
->dom_sid
, dom_sid
);
351 #endif /* AD DC work in ongoing in Samba 4 */
354 /***************************************************************************
356 ***************************************************************************/
358 NTSTATUS
_lsa_OpenPolicy2(pipes_struct
*p
,
359 struct lsa_OpenPolicy2
*r
)
361 struct lsa_info
*info
;
362 SEC_DESC
*psd
= NULL
;
364 uint32 des_access
= r
->in
.access_mask
;
369 /* map the generic bits to the lsa policy ones */
370 se_map_generic(&des_access
, &lsa_generic_mapping
);
372 /* get the generic lsa policy SD until we store it */
373 lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
375 status
= se_access_check(psd
, p
->server_info
->ptok
, des_access
,
377 if (!NT_STATUS_IS_OK(status
)) {
378 if (p
->server_info
->utok
.uid
!= sec_initial_uid()) {
381 DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
382 acc_granted
, des_access
));
383 DEBUGADD(4,("but overwritten by euid == 0\n"));
386 /* This is needed for lsa_open_account and rpcclient .... :-) */
388 if (p
->server_info
->utok
.uid
== sec_initial_uid())
389 acc_granted
= LSA_POLICY_ALL_ACCESS
;
391 /* associate the domain SID with the (unique) handle. */
392 info
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_info
);
394 return NT_STATUS_NO_MEMORY
;
397 sid_copy(&info
->sid
,get_global_sam_sid());
398 info
->access
= acc_granted
;
400 /* set up the LSA QUERY INFO response */
401 if (!create_policy_hnd(p
, r
->out
.handle
, info
))
402 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
407 /***************************************************************************
409 ***************************************************************************/
411 NTSTATUS
_lsa_OpenPolicy(pipes_struct
*p
,
412 struct lsa_OpenPolicy
*r
)
414 struct lsa_OpenPolicy2 o
;
416 o
.in
.system_name
= NULL
; /* should be ignored */
417 o
.in
.attr
= r
->in
.attr
;
418 o
.in
.access_mask
= r
->in
.access_mask
;
420 o
.out
.handle
= r
->out
.handle
;
422 return _lsa_OpenPolicy2(p
, &o
);
425 /***************************************************************************
426 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
428 ***************************************************************************/
430 NTSTATUS
_lsa_EnumTrustDom(pipes_struct
*p
,
431 struct lsa_EnumTrustDom
*r
)
433 struct lsa_info
*info
;
435 struct trustdom_info
**domains
;
436 struct lsa_DomainInfo
*lsa_domains
= NULL
;
440 * preferred length is set to 5 as a "our" preferred length
441 * nt sets this parameter to 2
442 * update (20.08.2002): it's not preferred length, but preferred size!
443 * it needs further investigation how to optimally choose this value
445 uint32 max_num_domains
=
446 r
->in
.max_size
< 5 ? r
->in
.max_size
: 10;
451 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
452 return NT_STATUS_INVALID_HANDLE
;
454 /* check if the user has enough rights */
455 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
456 return NT_STATUS_ACCESS_DENIED
;
459 nt_status
= pdb_enum_trusteddoms(p
->mem_ctx
, &num_domains
, &domains
);
462 if (!NT_STATUS_IS_OK(nt_status
)) {
466 if (*r
->in
.resume_handle
< num_domains
) {
467 num_thistime
= MIN(num_domains
, max_num_domains
);
469 nt_status
= STATUS_MORE_ENTRIES
;
471 if (*r
->in
.resume_handle
+ num_thistime
> num_domains
) {
472 num_thistime
= num_domains
- *r
->in
.resume_handle
;
473 nt_status
= NT_STATUS_OK
;
476 next_idx
= *r
->in
.resume_handle
+ num_thistime
;
479 next_idx
= 0xffffffff;
480 nt_status
= NT_STATUS_NO_MORE_ENTRIES
;
483 /* set up the lsa_enum_trust_dom response */
485 lsa_domains
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_DomainInfo
,
488 return NT_STATUS_NO_MEMORY
;
491 for (i
=0; i
<num_thistime
; i
++) {
492 init_lsa_StringLarge(&lsa_domains
[i
].name
, domains
[i
]->name
);
493 lsa_domains
[i
].sid
= &domains
[i
]->sid
;
496 *r
->out
.resume_handle
= next_idx
;
497 r
->out
.domains
->count
= num_thistime
;
498 r
->out
.domains
->domains
= lsa_domains
;
503 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
504 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
505 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
507 /***************************************************************************
509 ***************************************************************************/
511 NTSTATUS
_lsa_QueryInfoPolicy(pipes_struct
*p
,
512 struct lsa_QueryInfoPolicy
*r
)
514 NTSTATUS status
= NT_STATUS_OK
;
515 struct lsa_info
*handle
;
519 union lsa_PolicyInformation
*info
= NULL
;
521 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
522 return NT_STATUS_INVALID_HANDLE
;
524 info
= TALLOC_ZERO_P(p
->mem_ctx
, union lsa_PolicyInformation
);
526 return NT_STATUS_NO_MEMORY
;
529 switch (r
->in
.level
) {
533 uint32 policy_def
= LSA_AUDIT_POLICY_ALL
;
535 /* check if the user has enough rights */
536 if (!(handle
->access
& LSA_POLICY_VIEW_AUDIT_INFORMATION
)) {
537 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
538 return NT_STATUS_ACCESS_DENIED
;
541 /* fake info: We audit everything. ;) */
543 info
->audit_events
.auditing_mode
= true;
544 info
->audit_events
.count
= LSA_AUDIT_NUM_CATEGORIES
;
545 info
->audit_events
.settings
= TALLOC_ZERO_ARRAY(p
->mem_ctx
,
546 enum lsa_PolicyAuditPolicy
,
547 info
->audit_events
.count
);
548 if (!info
->audit_events
.settings
) {
549 return NT_STATUS_NO_MEMORY
;
552 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT
] = policy_def
;
553 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS
] = policy_def
;
554 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_LOGON
] = policy_def
;
555 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING
] = policy_def
;
556 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES
] = policy_def
;
557 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_SYSTEM
] = policy_def
;
558 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS
] = policy_def
;
563 /* check if the user has enough rights */
564 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
565 return NT_STATUS_ACCESS_DENIED
;
567 /* Request PolicyPrimaryDomainInformation. */
568 switch (lp_server_role()) {
569 case ROLE_DOMAIN_PDC
:
570 case ROLE_DOMAIN_BDC
:
571 name
= get_global_sam_name();
572 sid
= sid_dup_talloc(p
->mem_ctx
, get_global_sam_sid());
574 return NT_STATUS_NO_MEMORY
;
577 case ROLE_DOMAIN_MEMBER
:
578 name
= lp_workgroup();
579 /* We need to return the Domain SID here. */
580 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid
)) {
581 sid
= sid_dup_talloc(p
->mem_ctx
, &domain_sid
);
583 return NT_STATUS_NO_MEMORY
;
586 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
589 case ROLE_STANDALONE
:
590 name
= lp_workgroup();
594 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
596 init_dom_query_3(&info
->domain
, name
, sid
);
599 /* check if the user has enough rights */
600 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
601 return NT_STATUS_ACCESS_DENIED
;
603 /* Request PolicyAccountDomainInformation. */
604 name
= get_global_sam_name();
605 sid
= get_global_sam_sid();
607 init_dom_query_5(&info
->account_domain
, name
, sid
);
610 /* check if the user has enough rights */
611 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
612 return NT_STATUS_ACCESS_DENIED
;
614 switch (lp_server_role()) {
615 case ROLE_DOMAIN_BDC
:
617 * only a BDC is a backup controller
618 * of the domain, it controls.
620 info
->role
.role
= LSA_ROLE_BACKUP
;
624 * any other role is a primary
625 * of the domain, it controls.
627 info
->role
.role
= LSA_ROLE_PRIMARY
;
632 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
634 status
= NT_STATUS_INVALID_INFO_CLASS
;
643 /***************************************************************************
644 _lsa_lookup_sids_internal
645 ***************************************************************************/
647 static NTSTATUS
_lsa_lookup_sids_internal(pipes_struct
*p
,
649 uint16_t level
, /* input */
650 int num_sids
, /* input */
651 struct lsa_SidPtr
*sid
, /* input */
652 struct lsa_RefDomainList
**pp_ref
, /* input/output */
653 struct lsa_TranslatedName2
**pp_names
,/* input/output */
654 uint32_t *pp_mapped_count
) /* input/output */
658 const DOM_SID
**sids
= NULL
;
659 struct lsa_RefDomainList
*ref
= NULL
;
660 uint32 mapped_count
= 0;
661 struct lsa_dom_info
*dom_infos
= NULL
;
662 struct lsa_name_info
*name_infos
= NULL
;
663 struct lsa_TranslatedName2
*names
= NULL
;
665 *pp_mapped_count
= 0;
673 sids
= TALLOC_ARRAY(p
->mem_ctx
, const DOM_SID
*, num_sids
);
674 ref
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_RefDomainList
);
676 if (sids
== NULL
|| ref
== NULL
) {
677 return NT_STATUS_NO_MEMORY
;
680 for (i
=0; i
<num_sids
; i
++) {
681 sids
[i
] = sid
[i
].sid
;
684 status
= lookup_sids(p
->mem_ctx
, num_sids
, sids
, level
,
685 &dom_infos
, &name_infos
);
687 if (!NT_STATUS_IS_OK(status
)) {
691 names
= TALLOC_ARRAY(p
->mem_ctx
, struct lsa_TranslatedName2
, num_sids
);
693 return NT_STATUS_NO_MEMORY
;
696 for (i
=0; i
<LSA_REF_DOMAIN_LIST_MULTIPLIER
; i
++) {
698 if (!dom_infos
[i
].valid
) {
702 if (init_lsa_ref_domain_list(mem_ctx
, ref
,
704 &dom_infos
[i
].sid
) != i
) {
705 DEBUG(0, ("Domain %s mentioned twice??\n",
707 return NT_STATUS_INTERNAL_ERROR
;
711 for (i
=0; i
<num_sids
; i
++) {
712 struct lsa_name_info
*name
= &name_infos
[i
];
714 if (name
->type
== SID_NAME_UNKNOWN
) {
717 /* Unknown sids should return the string
718 * representation of the SID. Windows 2003 behaves
719 * rather erratic here, in many cases it returns the
720 * RID as 8 bytes hex, in others it returns the full
721 * SID. We (Jerry/VL) could not figure out which the
722 * hard cases are, so leave it with the SID. */
723 name
->name
= talloc_asprintf(p
->mem_ctx
, "%s",
726 if (name
->name
== NULL
) {
727 return NT_STATUS_NO_MEMORY
;
733 names
[i
].sid_type
= name
->type
;
734 names
[i
].name
.string
= name
->name
;
735 names
[i
].sid_index
= name
->dom_idx
;
736 names
[i
].unknown
= 0;
739 status
= NT_STATUS_NONE_MAPPED
;
740 if (mapped_count
> 0) {
741 status
= (mapped_count
< num_sids
) ?
742 STATUS_SOME_UNMAPPED
: NT_STATUS_OK
;
745 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
746 num_sids
, mapped_count
, nt_errstr(status
)));
748 *pp_mapped_count
= mapped_count
;
755 /***************************************************************************
757 ***************************************************************************/
759 NTSTATUS
_lsa_LookupSids(pipes_struct
*p
,
760 struct lsa_LookupSids
*r
)
763 struct lsa_info
*handle
;
764 int num_sids
= r
->in
.sids
->num_sids
;
765 uint32 mapped_count
= 0;
766 struct lsa_RefDomainList
*domains
= NULL
;
767 struct lsa_TranslatedName
*names_out
= NULL
;
768 struct lsa_TranslatedName2
*names
= NULL
;
771 if ((r
->in
.level
< 1) || (r
->in
.level
> 6)) {
772 return NT_STATUS_INVALID_PARAMETER
;
775 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
776 return NT_STATUS_INVALID_HANDLE
;
779 /* check if the user has enough rights */
780 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
781 return NT_STATUS_ACCESS_DENIED
;
784 if (num_sids
> MAX_LOOKUP_SIDS
) {
785 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
786 MAX_LOOKUP_SIDS
, num_sids
));
787 return NT_STATUS_NONE_MAPPED
;
790 status
= _lsa_lookup_sids_internal(p
,
799 /* Only return here when there is a real error.
800 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
801 the requested sids could be resolved. Older versions of XP (pre SP3)
802 rely that we return with the string representations of those SIDs in
803 that case. If we don't, XP crashes - Guenther
806 if (NT_STATUS_IS_ERR(status
) &&
807 !NT_STATUS_EQUAL(status
, NT_STATUS_NONE_MAPPED
)) {
811 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
812 names_out
= TALLOC_ARRAY(p
->mem_ctx
, struct lsa_TranslatedName
,
815 return NT_STATUS_NO_MEMORY
;
818 for (i
=0; i
<num_sids
; i
++) {
819 names_out
[i
].sid_type
= names
[i
].sid_type
;
820 names_out
[i
].name
= names
[i
].name
;
821 names_out
[i
].sid_index
= names
[i
].sid_index
;
824 *r
->out
.domains
= domains
;
825 r
->out
.names
->count
= num_sids
;
826 r
->out
.names
->names
= names_out
;
827 *r
->out
.count
= mapped_count
;
832 /***************************************************************************
834 ***************************************************************************/
836 NTSTATUS
_lsa_LookupSids2(pipes_struct
*p
,
837 struct lsa_LookupSids2
*r
)
840 struct lsa_info
*handle
;
841 int num_sids
= r
->in
.sids
->num_sids
;
842 uint32 mapped_count
= 0;
843 struct lsa_RefDomainList
*domains
= NULL
;
844 struct lsa_TranslatedName2
*names
= NULL
;
845 bool check_policy
= true;
847 switch (p
->hdr_req
.opnum
) {
848 case NDR_LSA_LOOKUPSIDS3
:
849 check_policy
= false;
851 case NDR_LSA_LOOKUPSIDS2
:
856 if ((r
->in
.level
< 1) || (r
->in
.level
> 6)) {
857 return NT_STATUS_INVALID_PARAMETER
;
861 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
862 return NT_STATUS_INVALID_HANDLE
;
865 /* check if the user has enough rights */
866 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
867 return NT_STATUS_ACCESS_DENIED
;
871 if (num_sids
> MAX_LOOKUP_SIDS
) {
872 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
873 MAX_LOOKUP_SIDS
, num_sids
));
874 return NT_STATUS_NONE_MAPPED
;
877 status
= _lsa_lookup_sids_internal(p
,
886 *r
->out
.domains
= domains
;
887 r
->out
.names
->count
= num_sids
;
888 r
->out
.names
->names
= names
;
889 *r
->out
.count
= mapped_count
;
894 /***************************************************************************
896 ***************************************************************************/
898 NTSTATUS
_lsa_LookupSids3(pipes_struct
*p
,
899 struct lsa_LookupSids3
*r
)
901 struct lsa_LookupSids2 q
;
903 /* No policy handle on this call. Restrict to crypto connections. */
904 if (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) {
905 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
906 get_remote_machine_name() ));
907 return NT_STATUS_INVALID_PARAMETER
;
911 q
.in
.sids
= r
->in
.sids
;
912 q
.in
.level
= r
->in
.level
;
913 q
.in
.unknown1
= r
->in
.unknown1
;
914 q
.in
.unknown2
= r
->in
.unknown2
;
915 q
.in
.names
= r
->in
.names
;
916 q
.in
.count
= r
->in
.count
;
918 q
.out
.domains
= r
->out
.domains
;
919 q
.out
.names
= r
->out
.names
;
920 q
.out
.count
= r
->out
.count
;
922 return _lsa_LookupSids2(p
, &q
);
925 /***************************************************************************
926 ***************************************************************************/
928 static int lsa_lookup_level_to_flags(uint16 level
)
934 flags
= LOOKUP_NAME_ALL
;
937 flags
= LOOKUP_NAME_DOMAIN
|LOOKUP_NAME_REMOTE
|LOOKUP_NAME_ISOLATED
;
940 flags
= LOOKUP_NAME_DOMAIN
|LOOKUP_NAME_ISOLATED
;
946 flags
= LOOKUP_NAME_NONE
;
953 /***************************************************************************
955 ***************************************************************************/
957 NTSTATUS
_lsa_LookupNames(pipes_struct
*p
,
958 struct lsa_LookupNames
*r
)
960 NTSTATUS status
= NT_STATUS_NONE_MAPPED
;
961 struct lsa_info
*handle
;
962 struct lsa_String
*names
= r
->in
.names
;
963 uint32 num_entries
= r
->in
.num_names
;
964 struct lsa_RefDomainList
*domains
= NULL
;
965 struct lsa_TranslatedSid
*rids
= NULL
;
966 uint32 mapped_count
= 0;
969 if (num_entries
> MAX_LOOKUP_SIDS
) {
970 num_entries
= MAX_LOOKUP_SIDS
;
971 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
975 flags
= lsa_lookup_level_to_flags(r
->in
.level
);
977 domains
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_RefDomainList
);
979 return NT_STATUS_NO_MEMORY
;
983 rids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_TranslatedSid
,
986 return NT_STATUS_NO_MEMORY
;
992 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
993 status
= NT_STATUS_INVALID_HANDLE
;
997 /* check if the user has enough rights */
998 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
999 status
= NT_STATUS_ACCESS_DENIED
;
1003 /* set up the LSA Lookup RIDs response */
1004 become_root(); /* lookup_name can require root privs */
1005 status
= lookup_lsa_rids(p
->mem_ctx
, domains
, rids
, num_entries
,
1006 names
, flags
, &mapped_count
);
1011 if (NT_STATUS_IS_OK(status
) && (num_entries
!= 0) ) {
1012 if (mapped_count
== 0) {
1013 status
= NT_STATUS_NONE_MAPPED
;
1014 } else if (mapped_count
!= num_entries
) {
1015 status
= STATUS_SOME_UNMAPPED
;
1019 *r
->out
.count
= mapped_count
;
1020 *r
->out
.domains
= domains
;
1021 r
->out
.sids
->sids
= rids
;
1022 r
->out
.sids
->count
= num_entries
;
1027 /***************************************************************************
1029 ***************************************************************************/
1031 NTSTATUS
_lsa_LookupNames2(pipes_struct
*p
,
1032 struct lsa_LookupNames2
*r
)
1035 struct lsa_LookupNames q
;
1036 struct lsa_TransSidArray2
*sid_array2
= r
->in
.sids
;
1037 struct lsa_TransSidArray
*sid_array
= NULL
;
1040 sid_array
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_TransSidArray
);
1042 return NT_STATUS_NO_MEMORY
;
1045 q
.in
.handle
= r
->in
.handle
;
1046 q
.in
.num_names
= r
->in
.num_names
;
1047 q
.in
.names
= r
->in
.names
;
1048 q
.in
.level
= r
->in
.level
;
1049 q
.in
.sids
= sid_array
;
1050 q
.in
.count
= r
->in
.count
;
1051 /* we do not know what this is for */
1052 /* = r->in.unknown1; */
1053 /* = r->in.unknown2; */
1055 q
.out
.domains
= r
->out
.domains
;
1056 q
.out
.sids
= sid_array
;
1057 q
.out
.count
= r
->out
.count
;
1059 status
= _lsa_LookupNames(p
, &q
);
1061 sid_array2
->count
= sid_array
->count
;
1062 sid_array2
->sids
= TALLOC_ARRAY(p
->mem_ctx
, struct lsa_TranslatedSid2
, sid_array
->count
);
1063 if (!sid_array2
->sids
) {
1064 return NT_STATUS_NO_MEMORY
;
1067 for (i
=0; i
<sid_array
->count
; i
++) {
1068 sid_array2
->sids
[i
].sid_type
= sid_array
->sids
[i
].sid_type
;
1069 sid_array2
->sids
[i
].rid
= sid_array
->sids
[i
].rid
;
1070 sid_array2
->sids
[i
].sid_index
= sid_array
->sids
[i
].sid_index
;
1071 sid_array2
->sids
[i
].unknown
= 0;
1074 r
->out
.sids
= sid_array2
;
1079 /***************************************************************************
1081 ***************************************************************************/
1083 NTSTATUS
_lsa_LookupNames3(pipes_struct
*p
,
1084 struct lsa_LookupNames3
*r
)
1087 struct lsa_info
*handle
;
1088 struct lsa_String
*names
= r
->in
.names
;
1089 uint32 num_entries
= r
->in
.num_names
;
1090 struct lsa_RefDomainList
*domains
= NULL
;
1091 struct lsa_TranslatedSid3
*trans_sids
= NULL
;
1092 uint32 mapped_count
= 0;
1094 bool check_policy
= true;
1096 switch (p
->hdr_req
.opnum
) {
1097 case NDR_LSA_LOOKUPNAMES4
:
1098 check_policy
= false;
1100 case NDR_LSA_LOOKUPNAMES3
:
1102 check_policy
= true;
1105 if (num_entries
> MAX_LOOKUP_SIDS
) {
1106 num_entries
= MAX_LOOKUP_SIDS
;
1107 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries
));
1110 /* Probably the lookup_level is some sort of bitmask. */
1111 if (r
->in
.level
== 1) {
1112 flags
= LOOKUP_NAME_ALL
;
1115 domains
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_RefDomainList
);
1117 return NT_STATUS_NO_MEMORY
;
1121 trans_sids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_TranslatedSid3
,
1124 return NT_STATUS_NO_MEMORY
;
1132 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
1133 status
= NT_STATUS_INVALID_HANDLE
;
1137 /* check if the user has enough rights */
1138 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
1139 status
= NT_STATUS_ACCESS_DENIED
;
1144 /* set up the LSA Lookup SIDs response */
1145 become_root(); /* lookup_name can require root privs */
1146 status
= lookup_lsa_sids(p
->mem_ctx
, domains
, trans_sids
, num_entries
,
1147 names
, flags
, &mapped_count
);
1152 if (NT_STATUS_IS_OK(status
)) {
1153 if (mapped_count
== 0) {
1154 status
= NT_STATUS_NONE_MAPPED
;
1155 } else if (mapped_count
!= num_entries
) {
1156 status
= STATUS_SOME_UNMAPPED
;
1160 *r
->out
.count
= mapped_count
;
1161 *r
->out
.domains
= domains
;
1162 r
->out
.sids
->sids
= trans_sids
;
1163 r
->out
.sids
->count
= num_entries
;
1168 /***************************************************************************
1170 ***************************************************************************/
1172 NTSTATUS
_lsa_LookupNames4(pipes_struct
*p
,
1173 struct lsa_LookupNames4
*r
)
1175 struct lsa_LookupNames3 q
;
1177 /* No policy handle on this call. Restrict to crypto connections. */
1178 if (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) {
1179 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1180 get_remote_machine_name() ));
1181 return NT_STATUS_INVALID_PARAMETER
;
1185 q
.in
.num_names
= r
->in
.num_names
;
1186 q
.in
.names
= r
->in
.names
;
1187 q
.in
.level
= r
->in
.level
;
1188 q
.in
.lookup_options
= r
->in
.lookup_options
;
1189 q
.in
.client_revision
= r
->in
.client_revision
;
1190 q
.in
.sids
= r
->in
.sids
;
1191 q
.in
.count
= r
->in
.count
;
1193 q
.out
.domains
= r
->out
.domains
;
1194 q
.out
.sids
= r
->out
.sids
;
1195 q
.out
.count
= r
->out
.count
;
1197 return _lsa_LookupNames3(p
, &q
);
1200 /***************************************************************************
1201 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1202 ***************************************************************************/
1204 NTSTATUS
_lsa_Close(pipes_struct
*p
, struct lsa_Close
*r
)
1206 if (!find_policy_by_hnd(p
, r
->in
.handle
, NULL
)) {
1207 return NT_STATUS_INVALID_HANDLE
;
1210 close_policy_hnd(p
, r
->in
.handle
);
1211 ZERO_STRUCTP(r
->out
.handle
);
1212 return NT_STATUS_OK
;
1215 /***************************************************************************
1216 ***************************************************************************/
1218 NTSTATUS
_lsa_OpenSecret(pipes_struct
*p
, struct lsa_OpenSecret
*r
)
1220 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1223 /***************************************************************************
1224 ***************************************************************************/
1226 NTSTATUS
_lsa_OpenTrustedDomain(pipes_struct
*p
, struct lsa_OpenTrustedDomain
*r
)
1228 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1231 /***************************************************************************
1232 ***************************************************************************/
1234 NTSTATUS
_lsa_CreateTrustedDomain(pipes_struct
*p
, struct lsa_CreateTrustedDomain
*r
)
1236 return NT_STATUS_ACCESS_DENIED
;
1239 /***************************************************************************
1240 ***************************************************************************/
1242 NTSTATUS
_lsa_CreateSecret(pipes_struct
*p
, struct lsa_CreateSecret
*r
)
1244 return NT_STATUS_ACCESS_DENIED
;
1247 /***************************************************************************
1248 ***************************************************************************/
1250 NTSTATUS
_lsa_SetSecret(pipes_struct
*p
, struct lsa_SetSecret
*r
)
1252 return NT_STATUS_ACCESS_DENIED
;
1255 /***************************************************************************
1257 ***************************************************************************/
1259 NTSTATUS
_lsa_DeleteObject(pipes_struct
*p
,
1260 struct lsa_DeleteObject
*r
)
1263 struct lsa_info
*info
= NULL
;
1265 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
)) {
1266 return NT_STATUS_INVALID_HANDLE
;
1269 /* check to see if the pipe_user is root or a Domain Admin since
1270 account_pol.tdb was already opened as root, this is all we have */
1272 if (p
->server_info
->utok
.uid
!= sec_initial_uid() &&
1273 !nt_token_check_domain_rid(p
->server_info
->ptok
,
1274 DOMAIN_GROUP_RID_ADMINS
)) {
1275 return NT_STATUS_ACCESS_DENIED
;
1278 status
= privilege_delete_account(&info
->sid
);
1279 if (!NT_STATUS_IS_OK(status
)) {
1280 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1281 nt_errstr(status
)));
1287 /***************************************************************************
1289 ***************************************************************************/
1291 NTSTATUS
_lsa_EnumPrivs(pipes_struct
*p
,
1292 struct lsa_EnumPrivs
*r
)
1294 struct lsa_info
*handle
;
1296 uint32 enum_context
= *r
->in
.resume_handle
;
1297 int num_privs
= count_all_privileges();
1298 struct lsa_PrivEntry
*entries
= NULL
;
1301 /* remember that the enum_context starts at 0 and not 1 */
1303 if ( enum_context
>= num_privs
)
1304 return NT_STATUS_NO_MORE_ENTRIES
;
1306 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1307 enum_context
, num_privs
));
1309 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1310 return NT_STATUS_INVALID_HANDLE
;
1312 /* check if the user has enough rights
1313 I don't know if it's the right one. not documented. */
1315 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1316 return NT_STATUS_ACCESS_DENIED
;
1319 entries
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_PrivEntry
, num_privs
);
1321 return NT_STATUS_NO_MEMORY
;
1327 for (i
= 0; i
< num_privs
; i
++) {
1328 if( i
< enum_context
) {
1330 init_lsa_StringLarge(&entries
[i
].name
, NULL
);
1332 entries
[i
].luid
.low
= 0;
1333 entries
[i
].luid
.high
= 0;
1336 init_lsa_StringLarge(&entries
[i
].name
, privs
[i
].name
);
1338 luid
= get_privilege_luid( &privs
[i
].se_priv
);
1340 entries
[i
].luid
.low
= luid
.luid
.low
;
1341 entries
[i
].luid
.high
= luid
.luid
.high
;
1345 enum_context
= num_privs
;
1347 *r
->out
.resume_handle
= enum_context
;
1348 r
->out
.privs
->count
= num_privs
;
1349 r
->out
.privs
->privs
= entries
;
1351 return NT_STATUS_OK
;
1354 /***************************************************************************
1355 _lsa_LookupPrivDisplayName
1356 ***************************************************************************/
1358 NTSTATUS
_lsa_LookupPrivDisplayName(pipes_struct
*p
,
1359 struct lsa_LookupPrivDisplayName
*r
)
1361 struct lsa_info
*handle
;
1362 const char *description
;
1363 struct lsa_StringLarge
*lsa_name
;
1365 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1366 return NT_STATUS_INVALID_HANDLE
;
1368 /* check if the user has enough rights */
1371 * I don't know if it's the right one. not documented.
1373 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1374 return NT_STATUS_ACCESS_DENIED
;
1376 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r
->in
.name
->string
));
1378 description
= get_privilege_dispname(r
->in
.name
->string
);
1380 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1381 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1384 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description
));
1386 lsa_name
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_StringLarge
);
1388 return NT_STATUS_NO_MEMORY
;
1391 init_lsa_StringLarge(lsa_name
, description
);
1393 *r
->out
.returned_language_id
= r
->in
.language_id
;
1394 *r
->out
.disp_name
= lsa_name
;
1396 return NT_STATUS_OK
;
1399 /***************************************************************************
1401 ***************************************************************************/
1403 NTSTATUS
_lsa_EnumAccounts(pipes_struct
*p
,
1404 struct lsa_EnumAccounts
*r
)
1406 struct lsa_info
*handle
;
1408 int i
, j
, num_entries
;
1410 struct lsa_SidPtr
*sids
= NULL
;
1412 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1413 return NT_STATUS_INVALID_HANDLE
;
1415 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1416 return NT_STATUS_ACCESS_DENIED
;
1421 /* The only way we can currently find out all the SIDs that have been
1422 privileged is to scan all privileges */
1424 status
= privilege_enumerate_accounts(&sid_list
, &num_entries
);
1425 if (!NT_STATUS_IS_OK(status
)) {
1429 if (*r
->in
.resume_handle
>= num_entries
) {
1430 return NT_STATUS_NO_MORE_ENTRIES
;
1433 if (num_entries
- *r
->in
.resume_handle
) {
1434 sids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_SidPtr
,
1435 num_entries
- *r
->in
.resume_handle
);
1437 talloc_free(sid_list
);
1438 return NT_STATUS_NO_MEMORY
;
1441 for (i
= *r
->in
.resume_handle
, j
= 0; i
< num_entries
; i
++, j
++) {
1442 sids
[j
].sid
= sid_dup_talloc(p
->mem_ctx
, &sid_list
[i
]);
1444 talloc_free(sid_list
);
1445 return NT_STATUS_NO_MEMORY
;
1450 talloc_free(sid_list
);
1452 *r
->out
.resume_handle
= num_entries
;
1453 r
->out
.sids
->num_sids
= num_entries
;
1454 r
->out
.sids
->sids
= sids
;
1456 return NT_STATUS_OK
;
1459 /***************************************************************************
1461 ***************************************************************************/
1463 NTSTATUS
_lsa_GetUserName(pipes_struct
*p
,
1464 struct lsa_GetUserName
*r
)
1466 const char *username
, *domname
;
1467 struct lsa_String
*account_name
= NULL
;
1468 struct lsa_String
*authority_name
= NULL
;
1470 if (r
->in
.account_name
&&
1471 *r
->in
.account_name
) {
1472 return NT_STATUS_INVALID_PARAMETER
;
1475 if (r
->in
.authority_name
&&
1476 *r
->in
.authority_name
) {
1477 return NT_STATUS_INVALID_PARAMETER
;
1480 if (p
->server_info
->guest
) {
1482 * I'm 99% sure this is not the right place to do this,
1483 * global_sid_Anonymous should probably be put into the token
1484 * instead of the guest id -- vl
1486 if (!lookup_sid(p
->mem_ctx
, &global_sid_Anonymous
,
1487 &domname
, &username
, NULL
)) {
1488 return NT_STATUS_NO_MEMORY
;
1491 username
= p
->server_info
->sanitized_username
;
1492 domname
= pdb_get_domain(p
->server_info
->sam_account
);
1495 account_name
= TALLOC_P(p
->mem_ctx
, struct lsa_String
);
1496 if (!account_name
) {
1497 return NT_STATUS_NO_MEMORY
;
1499 init_lsa_String(account_name
, username
);
1501 if (r
->out
.authority_name
) {
1502 authority_name
= TALLOC_P(p
->mem_ctx
, struct lsa_String
);
1503 if (!authority_name
) {
1504 return NT_STATUS_NO_MEMORY
;
1506 init_lsa_String(authority_name
, domname
);
1509 *r
->out
.account_name
= account_name
;
1510 if (r
->out
.authority_name
) {
1511 *r
->out
.authority_name
= authority_name
;
1514 return NT_STATUS_OK
;
1517 /***************************************************************************
1519 ***************************************************************************/
1521 NTSTATUS
_lsa_CreateAccount(pipes_struct
*p
,
1522 struct lsa_CreateAccount
*r
)
1524 struct lsa_info
*handle
;
1525 struct lsa_info
*info
;
1527 /* find the connection policy handle. */
1528 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1529 return NT_STATUS_INVALID_HANDLE
;
1531 /* check if the user has enough rights */
1534 * I don't know if it's the right one. not documented.
1535 * but guessed with rpcclient.
1537 if (!(handle
->access
& LSA_POLICY_GET_PRIVATE_INFORMATION
))
1538 return NT_STATUS_ACCESS_DENIED
;
1540 /* check to see if the pipe_user is a Domain Admin since
1541 account_pol.tdb was already opened as root, this is all we have */
1543 if ( p
->server_info
->utok
.uid
!= sec_initial_uid()
1544 && !nt_token_check_domain_rid( p
->server_info
->ptok
,
1545 DOMAIN_GROUP_RID_ADMINS
) )
1546 return NT_STATUS_ACCESS_DENIED
;
1548 if ( is_privileged_sid( r
->in
.sid
) )
1549 return NT_STATUS_OBJECT_NAME_COLLISION
;
1551 /* associate the user/group SID with the (unique) handle. */
1553 info
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_info
);
1555 return NT_STATUS_NO_MEMORY
;
1558 info
->sid
= *r
->in
.sid
;
1559 info
->access
= r
->in
.access_mask
;
1561 /* get a (unique) handle. open a policy on it. */
1562 if (!create_policy_hnd(p
, r
->out
.acct_handle
, info
))
1563 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1565 return privilege_create_account( &info
->sid
);
1569 /***************************************************************************
1571 ***************************************************************************/
1573 NTSTATUS
_lsa_OpenAccount(pipes_struct
*p
,
1574 struct lsa_OpenAccount
*r
)
1576 struct lsa_info
*handle
;
1577 struct lsa_info
*info
;
1579 /* find the connection policy handle. */
1580 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1581 return NT_STATUS_INVALID_HANDLE
;
1583 /* check if the user has enough rights */
1586 * I don't know if it's the right one. not documented.
1587 * but guessed with rpcclient.
1589 if (!(handle
->access
& LSA_POLICY_GET_PRIVATE_INFORMATION
))
1590 return NT_STATUS_ACCESS_DENIED
;
1592 /* TODO: Fis the parsing routine before reenabling this check! */
1594 if (!lookup_sid(&handle
->sid
, dom_name
, name
, &type
))
1595 return NT_STATUS_ACCESS_DENIED
;
1597 /* associate the user/group SID with the (unique) handle. */
1598 info
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_info
);
1600 return NT_STATUS_NO_MEMORY
;
1603 info
->sid
= *r
->in
.sid
;
1604 info
->access
= r
->in
.access_mask
;
1606 /* get a (unique) handle. open a policy on it. */
1607 if (!create_policy_hnd(p
, r
->out
.acct_handle
, info
))
1608 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1610 return NT_STATUS_OK
;
1613 /***************************************************************************
1614 _lsa_EnumPrivsAccount
1615 For a given SID, enumerate all the privilege this account has.
1616 ***************************************************************************/
1618 NTSTATUS
_lsa_EnumPrivsAccount(pipes_struct
*p
,
1619 struct lsa_EnumPrivsAccount
*r
)
1621 NTSTATUS status
= NT_STATUS_OK
;
1622 struct lsa_info
*info
=NULL
;
1624 PRIVILEGE_SET privileges
;
1625 struct lsa_PrivilegeSet
*priv_set
= NULL
;
1626 struct lsa_LUIDAttribute
*luid_attrs
= NULL
;
1629 /* find the connection policy handle. */
1630 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1631 return NT_STATUS_INVALID_HANDLE
;
1633 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1634 return NT_STATUS_ACCESS_DENIED
;
1636 if ( !get_privileges_for_sids( &mask
, &info
->sid
, 1 ) )
1637 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1639 privilege_set_init( &privileges
);
1641 if ( se_priv_to_privilege_set( &privileges
, &mask
) ) {
1643 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1644 sid_string_dbg(&info
->sid
),
1647 priv_set
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_PrivilegeSet
);
1649 status
= NT_STATUS_NO_MEMORY
;
1653 luid_attrs
= TALLOC_ZERO_ARRAY(p
->mem_ctx
,
1654 struct lsa_LUIDAttribute
,
1657 status
= NT_STATUS_NO_MEMORY
;
1661 for (i
=0; i
<privileges
.count
; i
++) {
1662 luid_attrs
[i
].luid
.low
= privileges
.set
[i
].luid
.low
;
1663 luid_attrs
[i
].luid
.high
= privileges
.set
[i
].luid
.high
;
1664 luid_attrs
[i
].attribute
= privileges
.set
[i
].attr
;
1667 priv_set
->count
= privileges
.count
;
1668 priv_set
->unknown
= 0;
1669 priv_set
->set
= luid_attrs
;
1671 *r
->out
.privs
= priv_set
;
1673 status
= NT_STATUS_NO_SUCH_PRIVILEGE
;
1677 privilege_set_free( &privileges
);
1682 /***************************************************************************
1683 _lsa_GetSystemAccessAccount
1684 ***************************************************************************/
1686 NTSTATUS
_lsa_GetSystemAccessAccount(pipes_struct
*p
,
1687 struct lsa_GetSystemAccessAccount
*r
)
1690 struct lsa_info
*info
= NULL
;
1691 struct lsa_EnumPrivsAccount e
;
1692 struct lsa_PrivilegeSet
*privset
;
1694 /* find the connection policy handle. */
1696 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1697 return NT_STATUS_INVALID_HANDLE
;
1699 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1700 return NT_STATUS_ACCESS_DENIED
;
1702 privset
= talloc_zero(p
->mem_ctx
, struct lsa_PrivilegeSet
);
1704 return NT_STATUS_NO_MEMORY
;
1707 e
.in
.handle
= r
->in
.handle
;
1708 e
.out
.privs
= &privset
;
1710 status
= _lsa_EnumPrivsAccount(p
, &e
);
1711 if (!NT_STATUS_IS_OK(status
)) {
1712 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1713 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1714 nt_errstr(status
)));
1718 /* Samba4 would iterate over the privset to merge the policy mode bits,
1719 * not sure samba3 can do the same here, so just return what we did in
1723 0x01 -> Log on locally
1724 0x02 -> Access this computer from network
1725 0x04 -> Log on as a batch job
1726 0x10 -> Log on as a service
1728 they can be ORed together
1731 *r
->out
.access_mask
= LSA_POLICY_MODE_INTERACTIVE
|
1732 LSA_POLICY_MODE_NETWORK
;
1734 return NT_STATUS_OK
;
1737 /***************************************************************************
1738 update the systemaccount information
1739 ***************************************************************************/
1741 NTSTATUS
_lsa_SetSystemAccessAccount(pipes_struct
*p
,
1742 struct lsa_SetSystemAccessAccount
*r
)
1744 struct lsa_info
*info
=NULL
;
1747 /* find the connection policy handle. */
1748 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1749 return NT_STATUS_INVALID_HANDLE
;
1751 /* check to see if the pipe_user is a Domain Admin since
1752 account_pol.tdb was already opened as root, this is all we have */
1754 if ( p
->server_info
->utok
.uid
!= sec_initial_uid()
1755 && !nt_token_check_domain_rid( p
->server_info
->ptok
,
1756 DOMAIN_GROUP_RID_ADMINS
) )
1757 return NT_STATUS_ACCESS_DENIED
;
1759 if (!pdb_getgrsid(&map
, info
->sid
))
1760 return NT_STATUS_NO_SUCH_GROUP
;
1762 return pdb_update_group_mapping_entry(&map
);
1765 /***************************************************************************
1766 _lsa_AddPrivilegesToAccount
1767 For a given SID, add some privileges.
1768 ***************************************************************************/
1770 NTSTATUS
_lsa_AddPrivilegesToAccount(pipes_struct
*p
,
1771 struct lsa_AddPrivilegesToAccount
*r
)
1773 struct lsa_info
*info
= NULL
;
1775 struct lsa_PrivilegeSet
*set
= NULL
;
1777 /* find the connection policy handle. */
1778 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1779 return NT_STATUS_INVALID_HANDLE
;
1781 /* check to see if the pipe_user is root or a Domain Admin since
1782 account_pol.tdb was already opened as root, this is all we have */
1784 if ( p
->server_info
->utok
.uid
!= sec_initial_uid()
1785 && !nt_token_check_domain_rid( p
->server_info
->ptok
,
1786 DOMAIN_GROUP_RID_ADMINS
) )
1788 return NT_STATUS_ACCESS_DENIED
;
1792 if ( !privilege_set_to_se_priv( &mask
, set
) )
1793 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1795 if ( !grant_privilege( &info
->sid
, &mask
) ) {
1796 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1797 sid_string_dbg(&info
->sid
) ));
1798 DEBUG(3,("Privilege mask:\n"));
1799 dump_se_priv( DBGC_ALL
, 3, &mask
);
1800 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1803 return NT_STATUS_OK
;
1806 /***************************************************************************
1807 _lsa_RemovePrivilegesFromAccount
1808 For a given SID, remove some privileges.
1809 ***************************************************************************/
1811 NTSTATUS
_lsa_RemovePrivilegesFromAccount(pipes_struct
*p
,
1812 struct lsa_RemovePrivilegesFromAccount
*r
)
1814 struct lsa_info
*info
= NULL
;
1816 struct lsa_PrivilegeSet
*set
= NULL
;
1818 /* find the connection policy handle. */
1819 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1820 return NT_STATUS_INVALID_HANDLE
;
1822 /* check to see if the pipe_user is root or a Domain Admin since
1823 account_pol.tdb was already opened as root, this is all we have */
1825 if ( p
->server_info
->utok
.uid
!= sec_initial_uid()
1826 && !nt_token_check_domain_rid( p
->server_info
->ptok
,
1827 DOMAIN_GROUP_RID_ADMINS
) )
1829 return NT_STATUS_ACCESS_DENIED
;
1834 if ( !privilege_set_to_se_priv( &mask
, set
) )
1835 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1837 if ( !revoke_privilege( &info
->sid
, &mask
) ) {
1838 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
1839 sid_string_dbg(&info
->sid
) ));
1840 DEBUG(3,("Privilege mask:\n"));
1841 dump_se_priv( DBGC_ALL
, 3, &mask
);
1842 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1845 return NT_STATUS_OK
;
1848 /***************************************************************************
1850 ***************************************************************************/
1852 NTSTATUS
_lsa_QuerySecurity(pipes_struct
*p
,
1853 struct lsa_QuerySecurity
*r
)
1855 struct lsa_info
*handle
=NULL
;
1856 SEC_DESC
*psd
= NULL
;
1860 /* find the connection policy handle. */
1861 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1862 return NT_STATUS_INVALID_HANDLE
;
1864 /* check if the user has enough rights */
1865 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1866 return NT_STATUS_ACCESS_DENIED
;
1868 switch (r
->in
.sec_info
) {
1870 /* SD contains only the owner */
1872 status
=lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
1873 if(!NT_STATUS_IS_OK(status
))
1874 return NT_STATUS_NO_MEMORY
;
1877 if((*r
->out
.sdbuf
= make_sec_desc_buf(p
->mem_ctx
, sd_size
, psd
)) == NULL
)
1878 return NT_STATUS_NO_MEMORY
;
1881 /* SD contains only the ACL */
1883 status
=lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
1884 if(!NT_STATUS_IS_OK(status
))
1885 return NT_STATUS_NO_MEMORY
;
1887 if((*r
->out
.sdbuf
= make_sec_desc_buf(p
->mem_ctx
, sd_size
, psd
)) == NULL
)
1888 return NT_STATUS_NO_MEMORY
;
1891 return NT_STATUS_INVALID_LEVEL
;
1897 #if 0 /* AD DC work in ongoing in Samba 4 */
1899 /***************************************************************************
1900 ***************************************************************************/
1902 NTSTATUS
_lsa_query_info2(pipes_struct
*p
, LSA_Q_QUERY_INFO2
*q_u
, LSA_R_QUERY_INFO2
*r_u
)
1904 struct lsa_info
*handle
;
1905 const char *nb_name
;
1906 char *dns_name
= NULL
;
1907 char *forest_name
= NULL
;
1908 DOM_SID
*sid
= NULL
;
1913 r_u
->status
= NT_STATUS_OK
;
1915 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)(void *)&handle
))
1916 return NT_STATUS_INVALID_HANDLE
;
1918 switch (q_u
->info_class
) {
1920 /* check if the user has enough rights */
1921 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1922 return NT_STATUS_ACCESS_DENIED
;
1924 /* Request PolicyPrimaryDomainInformation. */
1925 switch (lp_server_role()) {
1926 case ROLE_DOMAIN_PDC
:
1927 case ROLE_DOMAIN_BDC
:
1928 nb_name
= get_global_sam_name();
1929 /* ugly temp hack for these next two */
1931 /* This should be a 'netbios domain -> DNS domain' mapping */
1932 dnsdomname
= get_mydnsdomname(p
->mem_ctx
);
1933 if (!dnsdomname
|| !*dnsdomname
) {
1934 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
1936 strlower_m(dnsdomname
);
1938 dns_name
= dnsdomname
;
1939 forest_name
= dnsdomname
;
1941 sid
= get_global_sam_sid();
1942 secrets_fetch_domain_guid(lp_workgroup(), &guid
);
1945 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
1947 init_dns_dom_info(&r_u
->info
.dns_dom_info
, nb_name
, dns_name
,
1948 forest_name
,&guid
,sid
);
1951 DEBUG(0,("_lsa_query_info2: unknown info level in Lsa Query: %d\n", q_u
->info_class
));
1952 r_u
->status
= NT_STATUS_INVALID_INFO_CLASS
;
1956 if (NT_STATUS_IS_OK(r_u
->status
)) {
1958 r_u
->info_class
= q_u
->info_class
;
1963 #endif /* AD DC work in ongoing in Samba 4 */
1965 /***************************************************************************
1966 _lsa_AddAccountRights
1967 ***************************************************************************/
1969 NTSTATUS
_lsa_AddAccountRights(pipes_struct
*p
,
1970 struct lsa_AddAccountRights
*r
)
1972 struct lsa_info
*info
= NULL
;
1976 /* find the connection policy handle. */
1977 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1978 return NT_STATUS_INVALID_HANDLE
;
1980 /* check to see if the pipe_user is a Domain Admin since
1981 account_pol.tdb was already opened as root, this is all we have */
1983 if ( p
->server_info
->utok
.uid
!= sec_initial_uid()
1984 && !nt_token_check_domain_rid( p
->server_info
->ptok
,
1985 DOMAIN_GROUP_RID_ADMINS
) )
1987 return NT_STATUS_ACCESS_DENIED
;
1990 /* according to an NT4 PDC, you can add privileges to SIDs even without
1991 call_lsa_create_account() first. And you can use any arbitrary SID. */
1993 sid_copy( &sid
, r
->in
.sid
);
1995 for ( i
=0; i
< r
->in
.rights
->count
; i
++ ) {
1997 const char *privname
= r
->in
.rights
->names
[i
].string
;
1999 /* only try to add non-null strings */
2004 if ( !grant_privilege_by_name( &sid
, privname
) ) {
2005 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2007 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2011 return NT_STATUS_OK
;
2014 /***************************************************************************
2015 _lsa_RemoveAccountRights
2016 ***************************************************************************/
2018 NTSTATUS
_lsa_RemoveAccountRights(pipes_struct
*p
,
2019 struct lsa_RemoveAccountRights
*r
)
2021 struct lsa_info
*info
= NULL
;
2024 const char *privname
= NULL
;
2026 /* find the connection policy handle. */
2027 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2028 return NT_STATUS_INVALID_HANDLE
;
2030 /* check to see if the pipe_user is a Domain Admin since
2031 account_pol.tdb was already opened as root, this is all we have */
2033 if ( p
->server_info
->utok
.uid
!= sec_initial_uid()
2034 && !nt_token_check_domain_rid( p
->server_info
->ptok
,
2035 DOMAIN_GROUP_RID_ADMINS
) )
2037 return NT_STATUS_ACCESS_DENIED
;
2040 sid_copy( &sid
, r
->in
.sid
);
2042 if ( r
->in
.remove_all
) {
2043 if ( !revoke_all_privileges( &sid
) )
2044 return NT_STATUS_ACCESS_DENIED
;
2046 return NT_STATUS_OK
;
2049 for ( i
=0; i
< r
->in
.rights
->count
; i
++ ) {
2051 privname
= r
->in
.rights
->names
[i
].string
;
2053 /* only try to add non-null strings */
2058 if ( !revoke_privilege_by_name( &sid
, privname
) ) {
2059 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2061 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2065 return NT_STATUS_OK
;
2068 /*******************************************************************
2069 ********************************************************************/
2071 static NTSTATUS
init_lsa_right_set(TALLOC_CTX
*mem_ctx
,
2072 struct lsa_RightSet
*r
,
2073 PRIVILEGE_SET
*privileges
)
2076 const char *privname
;
2077 const char **privname_array
= NULL
;
2080 for (i
=0; i
<privileges
->count
; i
++) {
2082 privname
= luid_to_privilege_name(&privileges
->set
[i
].luid
);
2084 if (!add_string_to_array(mem_ctx
, privname
,
2085 &privname_array
, &num_priv
)) {
2086 return NT_STATUS_NO_MEMORY
;
2093 r
->names
= TALLOC_ZERO_ARRAY(mem_ctx
, struct lsa_StringLarge
,
2096 return NT_STATUS_NO_MEMORY
;
2099 for (i
=0; i
<num_priv
; i
++) {
2100 init_lsa_StringLarge(&r
->names
[i
], privname_array
[i
]);
2103 r
->count
= num_priv
;
2106 return NT_STATUS_OK
;
2109 /***************************************************************************
2110 _lsa_EnumAccountRights
2111 ***************************************************************************/
2113 NTSTATUS
_lsa_EnumAccountRights(pipes_struct
*p
,
2114 struct lsa_EnumAccountRights
*r
)
2117 struct lsa_info
*info
= NULL
;
2119 PRIVILEGE_SET privileges
;
2122 /* find the connection policy handle. */
2124 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2125 return NT_STATUS_INVALID_HANDLE
;
2127 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
2128 return NT_STATUS_ACCESS_DENIED
;
2130 /* according to an NT4 PDC, you can add privileges to SIDs even without
2131 call_lsa_create_account() first. And you can use any arbitrary SID. */
2133 sid_copy( &sid
, r
->in
.sid
);
2135 if ( !get_privileges_for_sids( &mask
, &sid
, 1 ) )
2136 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
2138 privilege_set_init( &privileges
);
2140 if ( se_priv_to_privilege_set( &privileges
, &mask
) ) {
2142 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2143 sid_string_dbg(&sid
), privileges
.count
));
2145 status
= init_lsa_right_set(p
->mem_ctx
, r
->out
.rights
, &privileges
);
2147 status
= NT_STATUS_NO_SUCH_PRIVILEGE
;
2150 privilege_set_free( &privileges
);
2155 /***************************************************************************
2156 _lsa_LookupPrivValue
2157 ***************************************************************************/
2159 NTSTATUS
_lsa_LookupPrivValue(pipes_struct
*p
,
2160 struct lsa_LookupPrivValue
*r
)
2162 struct lsa_info
*info
= NULL
;
2163 const char *name
= NULL
;
2164 LUID_ATTR priv_luid
;
2167 /* find the connection policy handle. */
2169 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2170 return NT_STATUS_INVALID_HANDLE
;
2172 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
2173 return NT_STATUS_ACCESS_DENIED
;
2175 name
= r
->in
.name
->string
;
2177 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name
));
2179 if ( !se_priv_from_name( name
, &mask
) )
2180 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2182 priv_luid
= get_privilege_luid( &mask
);
2184 r
->out
.luid
->low
= priv_luid
.luid
.low
;
2185 r
->out
.luid
->high
= priv_luid
.luid
.high
;
2187 return NT_STATUS_OK
;
2191 * From here on the server routines are just dummy ones to make smbd link with
2192 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2193 * pulling the server stubs across one by one.
2196 NTSTATUS
_lsa_Delete(pipes_struct
*p
, struct lsa_Delete
*r
)
2198 p
->rng_fault_state
= True
;
2199 return NT_STATUS_NOT_IMPLEMENTED
;
2202 NTSTATUS
_lsa_SetSecObj(pipes_struct
*p
, struct lsa_SetSecObj
*r
)
2204 p
->rng_fault_state
= True
;
2205 return NT_STATUS_NOT_IMPLEMENTED
;
2208 NTSTATUS
_lsa_ChangePassword(pipes_struct
*p
, struct lsa_ChangePassword
*r
)
2210 p
->rng_fault_state
= True
;
2211 return NT_STATUS_NOT_IMPLEMENTED
;
2214 NTSTATUS
_lsa_SetInfoPolicy(pipes_struct
*p
, struct lsa_SetInfoPolicy
*r
)
2216 p
->rng_fault_state
= True
;
2217 return NT_STATUS_NOT_IMPLEMENTED
;
2220 NTSTATUS
_lsa_ClearAuditLog(pipes_struct
*p
, struct lsa_ClearAuditLog
*r
)
2222 p
->rng_fault_state
= True
;
2223 return NT_STATUS_NOT_IMPLEMENTED
;
2226 NTSTATUS
_lsa_GetQuotasForAccount(pipes_struct
*p
, struct lsa_GetQuotasForAccount
*r
)
2228 p
->rng_fault_state
= True
;
2229 return NT_STATUS_NOT_IMPLEMENTED
;
2232 NTSTATUS
_lsa_SetQuotasForAccount(pipes_struct
*p
, struct lsa_SetQuotasForAccount
*r
)
2234 p
->rng_fault_state
= True
;
2235 return NT_STATUS_NOT_IMPLEMENTED
;
2238 NTSTATUS
_lsa_QueryTrustedDomainInfo(pipes_struct
*p
, struct lsa_QueryTrustedDomainInfo
*r
)
2240 p
->rng_fault_state
= True
;
2241 return NT_STATUS_NOT_IMPLEMENTED
;
2244 NTSTATUS
_lsa_SetInformationTrustedDomain(pipes_struct
*p
, struct lsa_SetInformationTrustedDomain
*r
)
2246 p
->rng_fault_state
= True
;
2247 return NT_STATUS_NOT_IMPLEMENTED
;
2250 NTSTATUS
_lsa_QuerySecret(pipes_struct
*p
, struct lsa_QuerySecret
*r
)
2252 p
->rng_fault_state
= True
;
2253 return NT_STATUS_NOT_IMPLEMENTED
;
2256 NTSTATUS
_lsa_LookupPrivName(pipes_struct
*p
, struct lsa_LookupPrivName
*r
)
2258 p
->rng_fault_state
= True
;
2259 return NT_STATUS_NOT_IMPLEMENTED
;
2262 NTSTATUS
_lsa_EnumAccountsWithUserRight(pipes_struct
*p
, struct lsa_EnumAccountsWithUserRight
*r
)
2264 p
->rng_fault_state
= True
;
2265 return NT_STATUS_NOT_IMPLEMENTED
;
2268 NTSTATUS
_lsa_QueryTrustedDomainInfoBySid(pipes_struct
*p
, struct lsa_QueryTrustedDomainInfoBySid
*r
)
2270 p
->rng_fault_state
= True
;
2271 return NT_STATUS_NOT_IMPLEMENTED
;
2274 NTSTATUS
_lsa_SetTrustedDomainInfo(pipes_struct
*p
, struct lsa_SetTrustedDomainInfo
*r
)
2276 p
->rng_fault_state
= True
;
2277 return NT_STATUS_NOT_IMPLEMENTED
;
2280 NTSTATUS
_lsa_DeleteTrustedDomain(pipes_struct
*p
, struct lsa_DeleteTrustedDomain
*r
)
2282 p
->rng_fault_state
= True
;
2283 return NT_STATUS_NOT_IMPLEMENTED
;
2286 NTSTATUS
_lsa_StorePrivateData(pipes_struct
*p
, struct lsa_StorePrivateData
*r
)
2288 p
->rng_fault_state
= True
;
2289 return NT_STATUS_NOT_IMPLEMENTED
;
2292 NTSTATUS
_lsa_RetrievePrivateData(pipes_struct
*p
, struct lsa_RetrievePrivateData
*r
)
2294 p
->rng_fault_state
= True
;
2295 return NT_STATUS_NOT_IMPLEMENTED
;
2298 NTSTATUS
_lsa_QueryInfoPolicy2(pipes_struct
*p
, struct lsa_QueryInfoPolicy2
*r
)
2300 p
->rng_fault_state
= True
;
2301 return NT_STATUS_NOT_IMPLEMENTED
;
2304 NTSTATUS
_lsa_SetInfoPolicy2(pipes_struct
*p
, struct lsa_SetInfoPolicy2
*r
)
2306 p
->rng_fault_state
= True
;
2307 return NT_STATUS_NOT_IMPLEMENTED
;
2310 NTSTATUS
_lsa_QueryTrustedDomainInfoByName(pipes_struct
*p
, struct lsa_QueryTrustedDomainInfoByName
*r
)
2312 p
->rng_fault_state
= True
;
2313 return NT_STATUS_NOT_IMPLEMENTED
;
2316 NTSTATUS
_lsa_SetTrustedDomainInfoByName(pipes_struct
*p
, struct lsa_SetTrustedDomainInfoByName
*r
)
2318 p
->rng_fault_state
= True
;
2319 return NT_STATUS_NOT_IMPLEMENTED
;
2322 NTSTATUS
_lsa_EnumTrustedDomainsEx(pipes_struct
*p
, struct lsa_EnumTrustedDomainsEx
*r
)
2324 p
->rng_fault_state
= True
;
2325 return NT_STATUS_NOT_IMPLEMENTED
;
2328 NTSTATUS
_lsa_CreateTrustedDomainEx(pipes_struct
*p
, struct lsa_CreateTrustedDomainEx
*r
)
2330 p
->rng_fault_state
= True
;
2331 return NT_STATUS_NOT_IMPLEMENTED
;
2334 NTSTATUS
_lsa_CloseTrustedDomainEx(pipes_struct
*p
, struct lsa_CloseTrustedDomainEx
*r
)
2336 p
->rng_fault_state
= True
;
2337 return NT_STATUS_NOT_IMPLEMENTED
;
2340 NTSTATUS
_lsa_QueryDomainInformationPolicy(pipes_struct
*p
, struct lsa_QueryDomainInformationPolicy
*r
)
2342 p
->rng_fault_state
= True
;
2343 return NT_STATUS_NOT_IMPLEMENTED
;
2346 NTSTATUS
_lsa_SetDomainInformationPolicy(pipes_struct
*p
, struct lsa_SetDomainInformationPolicy
*r
)
2348 p
->rng_fault_state
= True
;
2349 return NT_STATUS_NOT_IMPLEMENTED
;
2352 NTSTATUS
_lsa_OpenTrustedDomainByName(pipes_struct
*p
, struct lsa_OpenTrustedDomainByName
*r
)
2354 p
->rng_fault_state
= True
;
2355 return NT_STATUS_NOT_IMPLEMENTED
;
2358 NTSTATUS
_lsa_TestCall(pipes_struct
*p
, struct lsa_TestCall
*r
)
2360 p
->rng_fault_state
= True
;
2361 return NT_STATUS_NOT_IMPLEMENTED
;
2364 NTSTATUS
_lsa_CreateTrustedDomainEx2(pipes_struct
*p
, struct lsa_CreateTrustedDomainEx2
*r
)
2366 p
->rng_fault_state
= True
;
2367 return NT_STATUS_NOT_IMPLEMENTED
;
2370 NTSTATUS
_lsa_CREDRWRITE(pipes_struct
*p
, struct lsa_CREDRWRITE
*r
)
2372 p
->rng_fault_state
= True
;
2373 return NT_STATUS_NOT_IMPLEMENTED
;
2376 NTSTATUS
_lsa_CREDRREAD(pipes_struct
*p
, struct lsa_CREDRREAD
*r
)
2378 p
->rng_fault_state
= True
;
2379 return NT_STATUS_NOT_IMPLEMENTED
;
2382 NTSTATUS
_lsa_CREDRENUMERATE(pipes_struct
*p
, struct lsa_CREDRENUMERATE
*r
)
2384 p
->rng_fault_state
= True
;
2385 return NT_STATUS_NOT_IMPLEMENTED
;
2388 NTSTATUS
_lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct
*p
, struct lsa_CREDRWRITEDOMAINCREDENTIALS
*r
)
2390 p
->rng_fault_state
= True
;
2391 return NT_STATUS_NOT_IMPLEMENTED
;
2394 NTSTATUS
_lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct
*p
, struct lsa_CREDRREADDOMAINCREDENTIALS
*r
)
2396 p
->rng_fault_state
= True
;
2397 return NT_STATUS_NOT_IMPLEMENTED
;
2400 NTSTATUS
_lsa_CREDRDELETE(pipes_struct
*p
, struct lsa_CREDRDELETE
*r
)
2402 p
->rng_fault_state
= True
;
2403 return NT_STATUS_NOT_IMPLEMENTED
;
2406 NTSTATUS
_lsa_CREDRGETTARGETINFO(pipes_struct
*p
, struct lsa_CREDRGETTARGETINFO
*r
)
2408 p
->rng_fault_state
= True
;
2409 return NT_STATUS_NOT_IMPLEMENTED
;
2412 NTSTATUS
_lsa_CREDRPROFILELOADED(pipes_struct
*p
, struct lsa_CREDRPROFILELOADED
*r
)
2414 p
->rng_fault_state
= True
;
2415 return NT_STATUS_NOT_IMPLEMENTED
;
2418 NTSTATUS
_lsa_CREDRGETSESSIONTYPES(pipes_struct
*p
, struct lsa_CREDRGETSESSIONTYPES
*r
)
2420 p
->rng_fault_state
= True
;
2421 return NT_STATUS_NOT_IMPLEMENTED
;
2424 NTSTATUS
_lsa_LSARREGISTERAUDITEVENT(pipes_struct
*p
, struct lsa_LSARREGISTERAUDITEVENT
*r
)
2426 p
->rng_fault_state
= True
;
2427 return NT_STATUS_NOT_IMPLEMENTED
;
2430 NTSTATUS
_lsa_LSARGENAUDITEVENT(pipes_struct
*p
, struct lsa_LSARGENAUDITEVENT
*r
)
2432 p
->rng_fault_state
= True
;
2433 return NT_STATUS_NOT_IMPLEMENTED
;
2436 NTSTATUS
_lsa_LSARUNREGISTERAUDITEVENT(pipes_struct
*p
, struct lsa_LSARUNREGISTERAUDITEVENT
*r
)
2438 p
->rng_fault_state
= True
;
2439 return NT_STATUS_NOT_IMPLEMENTED
;
2442 NTSTATUS
_lsa_lsaRQueryForestTrustInformation(pipes_struct
*p
, struct lsa_lsaRQueryForestTrustInformation
*r
)
2444 p
->rng_fault_state
= True
;
2445 return NT_STATUS_NOT_IMPLEMENTED
;
2448 NTSTATUS
_lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct
*p
, struct lsa_LSARSETFORESTTRUSTINFORMATION
*r
)
2450 p
->rng_fault_state
= True
;
2451 return NT_STATUS_NOT_IMPLEMENTED
;
2454 NTSTATUS
_lsa_CREDRRENAME(pipes_struct
*p
, struct lsa_CREDRRENAME
*r
)
2456 p
->rng_fault_state
= True
;
2457 return NT_STATUS_NOT_IMPLEMENTED
;
2460 NTSTATUS
_lsa_LSAROPENPOLICYSCE(pipes_struct
*p
, struct lsa_LSAROPENPOLICYSCE
*r
)
2462 p
->rng_fault_state
= True
;
2463 return NT_STATUS_NOT_IMPLEMENTED
;
2466 NTSTATUS
_lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct
*p
, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE
*r
)
2468 p
->rng_fault_state
= True
;
2469 return NT_STATUS_NOT_IMPLEMENTED
;
2472 NTSTATUS
_lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct
*p
, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE
*r
)
2474 p
->rng_fault_state
= True
;
2475 return NT_STATUS_NOT_IMPLEMENTED
;
2478 NTSTATUS
_lsa_LSARADTREPORTSECURITYEVENT(pipes_struct
*p
, struct lsa_LSARADTREPORTSECURITYEVENT
*r
)
2480 p
->rng_fault_state
= True
;
2481 return NT_STATUS_NOT_IMPLEMENTED
;