2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
14 * Copyright (C) Andrew Bartlett 2010.
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
30 /* This is the implementation of the lsa server code. */
33 #include "../librpc/gen_ndr/srv_lsa.h"
35 #include "../librpc/gen_ndr/netlogon.h"
36 #include "rpc_client/init_lsa.h"
37 #include "../libcli/security/security.h"
40 #define DBGC_CLASS DBGC_RPC_SRV
42 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
44 enum lsa_handle_type
{
45 LSA_HANDLE_POLICY_TYPE
= 1,
46 LSA_HANDLE_ACCOUNT_TYPE
= 2,
47 LSA_HANDLE_TRUST_TYPE
= 3};
53 enum lsa_handle_type type
;
54 struct security_descriptor
*sd
;
57 const struct generic_mapping lsa_account_mapping
= {
61 LSA_ACCOUNT_ALL_ACCESS
64 const struct generic_mapping lsa_policy_mapping
= {
71 const struct generic_mapping lsa_secret_mapping
= {
78 const struct generic_mapping lsa_trusted_domain_mapping
= {
79 LSA_TRUSTED_DOMAIN_READ
,
80 LSA_TRUSTED_DOMAIN_WRITE
,
81 LSA_TRUSTED_DOMAIN_EXECUTE
,
82 LSA_TRUSTED_DOMAIN_ALL_ACCESS
85 /***************************************************************************
86 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
87 ***************************************************************************/
89 static int init_lsa_ref_domain_list(TALLOC_CTX
*mem_ctx
,
90 struct lsa_RefDomainList
*ref
,
92 struct dom_sid
*dom_sid
)
96 if (dom_name
!= NULL
) {
97 for (num
= 0; num
< ref
->count
; num
++) {
98 if (dom_sid_equal(dom_sid
, ref
->domains
[num
].sid
)) {
106 if (num
>= LSA_REF_DOMAIN_LIST_MULTIPLIER
) {
107 /* index not found, already at maximum domain limit */
111 ref
->count
= num
+ 1;
112 ref
->max_size
= LSA_REF_DOMAIN_LIST_MULTIPLIER
;
114 ref
->domains
= TALLOC_REALLOC_ARRAY(mem_ctx
, ref
->domains
,
115 struct lsa_DomainInfo
, ref
->count
);
120 ZERO_STRUCT(ref
->domains
[num
]);
122 init_lsa_StringLarge(&ref
->domains
[num
].name
, dom_name
);
123 ref
->domains
[num
].sid
= dom_sid_dup(mem_ctx
, dom_sid
);
124 if (!ref
->domains
[num
].sid
) {
132 /***************************************************************************
133 initialize a lsa_DomainInfo structure.
134 ***************************************************************************/
136 static void init_dom_query_3(struct lsa_DomainInfo
*r
,
140 init_lsa_StringLarge(&r
->name
, name
);
144 /***************************************************************************
145 initialize a lsa_DomainInfo structure.
146 ***************************************************************************/
148 static void init_dom_query_5(struct lsa_DomainInfo
*r
,
152 init_lsa_StringLarge(&r
->name
, name
);
156 /***************************************************************************
157 lookup_lsa_rids. Must be called as root for lookup_name to work.
158 ***************************************************************************/
160 static NTSTATUS
lookup_lsa_rids(TALLOC_CTX
*mem_ctx
,
161 struct lsa_RefDomainList
*ref
,
162 struct lsa_TranslatedSid
*prid
,
163 uint32_t num_entries
,
164 struct lsa_String
*name
,
166 uint32_t *pmapped_count
)
168 uint32 mapped_count
, i
;
170 SMB_ASSERT(num_entries
<= MAX_LOOKUP_SIDS
);
175 for (i
= 0; i
< num_entries
; i
++) {
179 const char *full_name
;
181 enum lsa_SidType type
= SID_NAME_UNKNOWN
;
183 /* Split name into domain and user component */
185 /* follow w2k8 behavior and return the builtin domain when no
186 * input has been passed in */
188 if (name
[i
].string
) {
189 full_name
= name
[i
].string
;
191 full_name
= "BUILTIN";
194 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name
));
196 /* We can ignore the result of lookup_name, it will not touch
197 "type" if it's not successful */
199 lookup_name(mem_ctx
, full_name
, flags
, &domain
, NULL
,
204 case SID_NAME_DOM_GRP
:
205 case SID_NAME_DOMAIN
:
207 case SID_NAME_WKN_GRP
:
208 DEBUG(5, ("init_lsa_rids: %s found\n", full_name
));
209 /* Leave these unchanged */
212 /* Don't hand out anything but the list above */
213 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name
));
214 type
= SID_NAME_UNKNOWN
;
221 if (type
!= SID_NAME_UNKNOWN
) {
222 if (type
== SID_NAME_DOMAIN
) {
225 sid_split_rid(&sid
, &rid
);
227 dom_idx
= init_lsa_ref_domain_list(mem_ctx
, ref
, domain
, &sid
);
231 prid
[i
].sid_type
= type
;
233 prid
[i
].sid_index
= dom_idx
;
236 *pmapped_count
= mapped_count
;
240 /***************************************************************************
241 lookup_lsa_sids. Must be called as root for lookup_name to work.
242 ***************************************************************************/
244 static NTSTATUS
lookup_lsa_sids(TALLOC_CTX
*mem_ctx
,
245 struct lsa_RefDomainList
*ref
,
246 struct lsa_TranslatedSid3
*trans_sids
,
247 uint32_t num_entries
,
248 struct lsa_String
*name
,
250 uint32
*pmapped_count
)
252 uint32 mapped_count
, i
;
254 SMB_ASSERT(num_entries
<= MAX_LOOKUP_SIDS
);
259 for (i
= 0; i
< num_entries
; i
++) {
263 const char *full_name
;
265 enum lsa_SidType type
= SID_NAME_UNKNOWN
;
269 /* Split name into domain and user component */
271 full_name
= name
[i
].string
;
272 if (full_name
== NULL
) {
273 return NT_STATUS_NO_MEMORY
;
276 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name
));
278 /* We can ignore the result of lookup_name, it will not touch
279 "type" if it's not successful */
281 lookup_name(mem_ctx
, full_name
, flags
, &domain
, NULL
,
286 case SID_NAME_DOM_GRP
:
287 case SID_NAME_DOMAIN
:
289 case SID_NAME_WKN_GRP
:
290 DEBUG(5, ("init_lsa_sids: %s found\n", full_name
));
291 /* Leave these unchanged */
294 /* Don't hand out anything but the list above */
295 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name
));
296 type
= SID_NAME_UNKNOWN
;
303 if (type
!= SID_NAME_UNKNOWN
) {
304 struct dom_sid domain_sid
;
305 sid_copy(&domain_sid
, &sid
);
306 sid_split_rid(&domain_sid
, &rid
);
307 dom_idx
= init_lsa_ref_domain_list(mem_ctx
, ref
, domain
, &domain_sid
);
311 /* Initialize the lsa_TranslatedSid3 return. */
312 trans_sids
[i
].sid_type
= type
;
313 trans_sids
[i
].sid
= dom_sid_dup(mem_ctx
, &sid
);
314 trans_sids
[i
].sid_index
= dom_idx
;
317 *pmapped_count
= mapped_count
;
321 static NTSTATUS
make_lsa_object_sd(TALLOC_CTX
*mem_ctx
, struct security_descriptor
**sd
, size_t *sd_size
,
322 const struct generic_mapping
*map
,
323 struct dom_sid
*sid
, uint32_t sid_access
)
325 struct dom_sid adm_sid
;
326 struct security_ace ace
[5];
329 struct security_acl
*psa
= NULL
;
331 /* READ|EXECUTE access for Everyone */
333 init_sec_ace(&ace
[i
++], &global_sid_World
, SEC_ACE_TYPE_ACCESS_ALLOWED
,
334 map
->generic_execute
| map
->generic_read
, 0);
336 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
338 init_sec_ace(&ace
[i
++], &global_sid_Builtin_Administrators
,
339 SEC_ACE_TYPE_ACCESS_ALLOWED
, map
->generic_all
, 0);
340 init_sec_ace(&ace
[i
++], &global_sid_Builtin_Account_Operators
,
341 SEC_ACE_TYPE_ACCESS_ALLOWED
, map
->generic_all
, 0);
343 /* Add Full Access for Domain Admins */
344 sid_compose(&adm_sid
, get_global_sam_sid(), DOMAIN_RID_ADMINS
);
345 init_sec_ace(&ace
[i
++], &adm_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
,
346 map
->generic_all
, 0);
348 /* If we have a sid, give it some special access */
351 init_sec_ace(&ace
[i
++], sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
,
355 if((psa
= make_sec_acl(mem_ctx
, NT4_ACL_REVISION
, i
, ace
)) == NULL
)
356 return NT_STATUS_NO_MEMORY
;
358 if((*sd
= make_sec_desc(mem_ctx
, SECURITY_DESCRIPTOR_REVISION_1
,
359 SEC_DESC_SELF_RELATIVE
, &adm_sid
, NULL
, NULL
,
360 psa
, sd_size
)) == NULL
)
361 return NT_STATUS_NO_MEMORY
;
366 /***************************************************************************
367 ***************************************************************************/
369 static NTSTATUS
create_lsa_policy_handle(TALLOC_CTX
*mem_ctx
,
370 struct pipes_struct
*p
,
371 enum lsa_handle_type type
,
372 uint32_t acc_granted
,
375 const struct security_descriptor
*sd
,
376 struct policy_handle
*handle
)
378 struct lsa_info
*info
;
380 ZERO_STRUCTP(handle
);
382 info
= talloc_zero(mem_ctx
, struct lsa_info
);
384 return NT_STATUS_NO_MEMORY
;
388 info
->access
= acc_granted
;
391 sid_copy(&info
->sid
, sid
);
394 info
->name
= talloc_strdup(info
, name
);
397 info
->sd
= dup_sec_desc(info
, sd
);
400 return NT_STATUS_NO_MEMORY
;
404 if (!create_policy_hnd(p
, handle
, info
)) {
406 ZERO_STRUCTP(handle
);
407 return NT_STATUS_NO_MEMORY
;
413 /***************************************************************************
415 ***************************************************************************/
417 NTSTATUS
_lsa_OpenPolicy2(struct pipes_struct
*p
,
418 struct lsa_OpenPolicy2
*r
)
420 struct security_descriptor
*psd
= NULL
;
422 uint32 des_access
= r
->in
.access_mask
;
426 /* Work out max allowed. */
427 map_max_allowed_access(p
->server_info
->security_token
,
428 &p
->server_info
->utok
,
431 /* map the generic bits to the lsa policy ones */
432 se_map_generic(&des_access
, &lsa_policy_mapping
);
434 /* get the generic lsa policy SD until we store it */
435 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
, &lsa_policy_mapping
,
437 if (!NT_STATUS_IS_OK(status
)) {
441 status
= access_check_object(psd
, p
->server_info
->security_token
,
442 SEC_PRIV_INVALID
, SEC_PRIV_INVALID
, 0, des_access
,
443 &acc_granted
, "_lsa_OpenPolicy2" );
444 if (!NT_STATUS_IS_OK(status
)) {
448 status
= create_lsa_policy_handle(p
->mem_ctx
, p
,
449 LSA_HANDLE_POLICY_TYPE
,
451 get_global_sam_sid(),
455 if (!NT_STATUS_IS_OK(status
)) {
456 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
462 /***************************************************************************
464 ***************************************************************************/
466 NTSTATUS
_lsa_OpenPolicy(struct pipes_struct
*p
,
467 struct lsa_OpenPolicy
*r
)
469 struct lsa_OpenPolicy2 o
;
471 o
.in
.system_name
= NULL
; /* should be ignored */
472 o
.in
.attr
= r
->in
.attr
;
473 o
.in
.access_mask
= r
->in
.access_mask
;
475 o
.out
.handle
= r
->out
.handle
;
477 return _lsa_OpenPolicy2(p
, &o
);
480 /***************************************************************************
481 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
483 ***************************************************************************/
485 NTSTATUS
_lsa_EnumTrustDom(struct pipes_struct
*p
,
486 struct lsa_EnumTrustDom
*r
)
488 struct lsa_info
*info
;
490 struct trustdom_info
**domains
;
491 struct lsa_DomainInfo
*entries
;
495 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
496 return NT_STATUS_INVALID_HANDLE
;
498 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
499 return NT_STATUS_INVALID_HANDLE
;
502 /* check if the user has enough rights */
503 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
504 return NT_STATUS_ACCESS_DENIED
;
507 nt_status
= pdb_enum_trusteddoms(p
->mem_ctx
, &count
, &domains
);
510 if (!NT_STATUS_IS_OK(nt_status
)) {
514 entries
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_DomainInfo
, count
);
516 return NT_STATUS_NO_MEMORY
;
519 for (i
=0; i
<count
; i
++) {
520 init_lsa_StringLarge(&entries
[i
].name
, domains
[i
]->name
);
521 entries
[i
].sid
= &domains
[i
]->sid
;
524 if (*r
->in
.resume_handle
>= count
) {
525 *r
->out
.resume_handle
= -1;
526 TALLOC_FREE(entries
);
527 return NT_STATUS_NO_MORE_ENTRIES
;
530 /* return the rest, limit by max_size. Note that we
531 use the w2k3 element size value of 60 */
532 r
->out
.domains
->count
= count
- *r
->in
.resume_handle
;
533 r
->out
.domains
->count
= MIN(r
->out
.domains
->count
,
534 1+(r
->in
.max_size
/LSA_ENUM_TRUST_DOMAIN_MULTIPLIER
));
536 r
->out
.domains
->domains
= entries
+ *r
->in
.resume_handle
;
538 if (r
->out
.domains
->count
< count
- *r
->in
.resume_handle
) {
539 *r
->out
.resume_handle
= *r
->in
.resume_handle
+ r
->out
.domains
->count
;
540 return STATUS_MORE_ENTRIES
;
543 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
544 * always be larger than the previous input resume handle, in
545 * particular when hitting the last query it is vital to set the
546 * resume handle correctly to avoid infinite client loops, as
547 * seen e.g. with Windows XP SP3 when resume handle is 0 and
548 * status is NT_STATUS_OK - gd */
550 *r
->out
.resume_handle
= (uint32_t)-1;
555 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
556 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
557 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
559 /***************************************************************************
561 ***************************************************************************/
563 NTSTATUS
_lsa_QueryInfoPolicy(struct pipes_struct
*p
,
564 struct lsa_QueryInfoPolicy
*r
)
566 NTSTATUS status
= NT_STATUS_OK
;
567 struct lsa_info
*handle
;
568 struct dom_sid domain_sid
;
570 struct dom_sid
*sid
= NULL
;
571 union lsa_PolicyInformation
*info
= NULL
;
572 uint32_t acc_required
= 0;
574 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
575 return NT_STATUS_INVALID_HANDLE
;
577 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
578 return NT_STATUS_INVALID_HANDLE
;
581 switch (r
->in
.level
) {
582 case LSA_POLICY_INFO_AUDIT_LOG
:
583 case LSA_POLICY_INFO_AUDIT_EVENTS
:
584 acc_required
= LSA_POLICY_VIEW_AUDIT_INFORMATION
;
586 case LSA_POLICY_INFO_DOMAIN
:
587 acc_required
= LSA_POLICY_VIEW_LOCAL_INFORMATION
;
589 case LSA_POLICY_INFO_PD
:
590 acc_required
= LSA_POLICY_GET_PRIVATE_INFORMATION
;
592 case LSA_POLICY_INFO_ACCOUNT_DOMAIN
:
593 acc_required
= LSA_POLICY_VIEW_LOCAL_INFORMATION
;
595 case LSA_POLICY_INFO_ROLE
:
596 case LSA_POLICY_INFO_REPLICA
:
597 acc_required
= LSA_POLICY_VIEW_LOCAL_INFORMATION
;
599 case LSA_POLICY_INFO_QUOTA
:
600 acc_required
= LSA_POLICY_VIEW_LOCAL_INFORMATION
;
602 case LSA_POLICY_INFO_MOD
:
603 case LSA_POLICY_INFO_AUDIT_FULL_SET
:
604 /* according to MS-LSAD 3.1.4.4.3 */
605 return NT_STATUS_INVALID_PARAMETER
;
606 case LSA_POLICY_INFO_AUDIT_FULL_QUERY
:
607 acc_required
= LSA_POLICY_VIEW_AUDIT_INFORMATION
;
609 case LSA_POLICY_INFO_DNS
:
610 case LSA_POLICY_INFO_DNS_INT
:
611 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN
:
612 acc_required
= LSA_POLICY_VIEW_LOCAL_INFORMATION
;
618 if (!(handle
->access
& acc_required
)) {
619 /* return NT_STATUS_ACCESS_DENIED; */
622 info
= TALLOC_ZERO_P(p
->mem_ctx
, union lsa_PolicyInformation
);
624 return NT_STATUS_NO_MEMORY
;
627 switch (r
->in
.level
) {
628 /* according to MS-LSAD 3.1.4.4.3 */
629 case LSA_POLICY_INFO_MOD
:
630 case LSA_POLICY_INFO_AUDIT_FULL_SET
:
631 case LSA_POLICY_INFO_AUDIT_FULL_QUERY
:
632 return NT_STATUS_INVALID_PARAMETER
;
633 case LSA_POLICY_INFO_AUDIT_LOG
:
634 info
->audit_log
.percent_full
= 0;
635 info
->audit_log
.maximum_log_size
= 0;
636 info
->audit_log
.retention_time
= 0;
637 info
->audit_log
.shutdown_in_progress
= 0;
638 info
->audit_log
.time_to_shutdown
= 0;
639 info
->audit_log
.next_audit_record
= 0;
640 status
= NT_STATUS_OK
;
642 case LSA_POLICY_INFO_PD
:
643 info
->pd
.name
.string
= NULL
;
644 status
= NT_STATUS_OK
;
646 case LSA_POLICY_INFO_REPLICA
:
647 info
->replica
.source
.string
= NULL
;
648 info
->replica
.account
.string
= NULL
;
649 status
= NT_STATUS_OK
;
651 case LSA_POLICY_INFO_QUOTA
:
652 info
->quota
.paged_pool
= 0;
653 info
->quota
.non_paged_pool
= 0;
654 info
->quota
.min_wss
= 0;
655 info
->quota
.max_wss
= 0;
656 info
->quota
.pagefile
= 0;
657 info
->quota
.unknown
= 0;
658 status
= NT_STATUS_OK
;
660 case LSA_POLICY_INFO_AUDIT_EVENTS
:
663 uint32 policy_def
= LSA_AUDIT_POLICY_ALL
;
665 /* check if the user has enough rights */
666 if (!(handle
->access
& LSA_POLICY_VIEW_AUDIT_INFORMATION
)) {
667 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
668 return NT_STATUS_ACCESS_DENIED
;
671 /* fake info: We audit everything. ;) */
673 info
->audit_events
.auditing_mode
= true;
674 info
->audit_events
.count
= LSA_AUDIT_NUM_CATEGORIES
;
675 info
->audit_events
.settings
= TALLOC_ZERO_ARRAY(p
->mem_ctx
,
676 enum lsa_PolicyAuditPolicy
,
677 info
->audit_events
.count
);
678 if (!info
->audit_events
.settings
) {
679 return NT_STATUS_NO_MEMORY
;
682 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT
] = policy_def
;
683 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS
] = policy_def
;
684 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_LOGON
] = policy_def
;
685 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING
] = policy_def
;
686 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES
] = policy_def
;
687 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_SYSTEM
] = policy_def
;
688 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS
] = policy_def
;
692 case LSA_POLICY_INFO_DOMAIN
:
693 /* check if the user has enough rights */
694 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
695 return NT_STATUS_ACCESS_DENIED
;
697 /* Request PolicyPrimaryDomainInformation. */
698 switch (lp_server_role()) {
699 case ROLE_DOMAIN_PDC
:
700 case ROLE_DOMAIN_BDC
:
701 name
= get_global_sam_name();
702 sid
= dom_sid_dup(p
->mem_ctx
, get_global_sam_sid());
704 return NT_STATUS_NO_MEMORY
;
707 case ROLE_DOMAIN_MEMBER
:
708 name
= lp_workgroup();
709 /* We need to return the Domain SID here. */
710 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid
)) {
711 sid
= dom_sid_dup(p
->mem_ctx
, &domain_sid
);
713 return NT_STATUS_NO_MEMORY
;
716 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
719 case ROLE_STANDALONE
:
720 name
= lp_workgroup();
724 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
726 init_dom_query_3(&info
->domain
, name
, sid
);
728 case LSA_POLICY_INFO_ACCOUNT_DOMAIN
:
729 /* check if the user has enough rights */
730 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
731 return NT_STATUS_ACCESS_DENIED
;
733 /* Request PolicyAccountDomainInformation. */
734 name
= get_global_sam_name();
735 sid
= get_global_sam_sid();
737 init_dom_query_5(&info
->account_domain
, name
, sid
);
739 case LSA_POLICY_INFO_ROLE
:
740 /* check if the user has enough rights */
741 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
742 return NT_STATUS_ACCESS_DENIED
;
744 switch (lp_server_role()) {
745 case ROLE_DOMAIN_BDC
:
747 * only a BDC is a backup controller
748 * of the domain, it controls.
750 info
->role
.role
= LSA_ROLE_BACKUP
;
754 * any other role is a primary
755 * of the domain, it controls.
757 info
->role
.role
= LSA_ROLE_PRIMARY
;
761 case LSA_POLICY_INFO_DNS
:
762 case LSA_POLICY_INFO_DNS_INT
: {
763 struct pdb_domain_info
*dominfo
;
765 if ((pdb_capabilities() & PDB_CAP_ADS
) == 0) {
766 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
767 "without ADS passdb backend\n"));
768 status
= NT_STATUS_INVALID_INFO_CLASS
;
772 dominfo
= pdb_get_domain_info(info
);
773 if (dominfo
== NULL
) {
774 status
= NT_STATUS_NO_MEMORY
;
778 init_lsa_StringLarge(&info
->dns
.name
,
780 init_lsa_StringLarge(&info
->dns
.dns_domain
,
781 dominfo
->dns_domain
);
782 init_lsa_StringLarge(&info
->dns
.dns_forest
,
783 dominfo
->dns_forest
);
784 info
->dns
.domain_guid
= dominfo
->guid
;
785 info
->dns
.sid
= &dominfo
->sid
;
789 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
791 status
= NT_STATUS_INVALID_INFO_CLASS
;
800 /***************************************************************************
801 _lsa_QueryInfoPolicy2
802 ***************************************************************************/
804 NTSTATUS
_lsa_QueryInfoPolicy2(struct pipes_struct
*p
,
805 struct lsa_QueryInfoPolicy2
*r2
)
807 struct lsa_QueryInfoPolicy r
;
809 if ((pdb_capabilities() & PDB_CAP_ADS
) == 0) {
810 p
->rng_fault_state
= True
;
811 return NT_STATUS_NOT_IMPLEMENTED
;
815 r
.in
.handle
= r2
->in
.handle
;
816 r
.in
.level
= r2
->in
.level
;
817 r
.out
.info
= r2
->out
.info
;
819 return _lsa_QueryInfoPolicy(p
, &r
);
822 /***************************************************************************
823 _lsa_lookup_sids_internal
824 ***************************************************************************/
826 static NTSTATUS
_lsa_lookup_sids_internal(struct pipes_struct
*p
,
828 uint16_t level
, /* input */
829 int num_sids
, /* input */
830 struct lsa_SidPtr
*sid
, /* input */
831 struct lsa_RefDomainList
**pp_ref
, /* input/output */
832 struct lsa_TranslatedName2
**pp_names
,/* input/output */
833 uint32_t *pp_mapped_count
) /* input/output */
837 const struct dom_sid
**sids
= NULL
;
838 struct lsa_RefDomainList
*ref
= NULL
;
839 uint32 mapped_count
= 0;
840 struct lsa_dom_info
*dom_infos
= NULL
;
841 struct lsa_name_info
*name_infos
= NULL
;
842 struct lsa_TranslatedName2
*names
= NULL
;
844 *pp_mapped_count
= 0;
852 sids
= TALLOC_ARRAY(p
->mem_ctx
, const struct dom_sid
*, num_sids
);
853 ref
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_RefDomainList
);
855 if (sids
== NULL
|| ref
== NULL
) {
856 return NT_STATUS_NO_MEMORY
;
859 for (i
=0; i
<num_sids
; i
++) {
860 sids
[i
] = sid
[i
].sid
;
863 status
= lookup_sids(p
->mem_ctx
, num_sids
, sids
, level
,
864 &dom_infos
, &name_infos
);
866 if (!NT_STATUS_IS_OK(status
)) {
870 names
= TALLOC_ARRAY(p
->mem_ctx
, struct lsa_TranslatedName2
, num_sids
);
872 return NT_STATUS_NO_MEMORY
;
875 for (i
=0; i
<LSA_REF_DOMAIN_LIST_MULTIPLIER
; i
++) {
877 if (!dom_infos
[i
].valid
) {
881 if (init_lsa_ref_domain_list(mem_ctx
, ref
,
883 &dom_infos
[i
].sid
) != i
) {
884 DEBUG(0, ("Domain %s mentioned twice??\n",
886 return NT_STATUS_INTERNAL_ERROR
;
890 for (i
=0; i
<num_sids
; i
++) {
891 struct lsa_name_info
*name
= &name_infos
[i
];
893 if (name
->type
== SID_NAME_UNKNOWN
) {
896 /* Unknown sids should return the string
897 * representation of the SID. Windows 2003 behaves
898 * rather erratic here, in many cases it returns the
899 * RID as 8 bytes hex, in others it returns the full
900 * SID. We (Jerry/VL) could not figure out which the
901 * hard cases are, so leave it with the SID. */
902 name
->name
= talloc_asprintf(p
->mem_ctx
, "%s",
905 if (name
->name
== NULL
) {
906 return NT_STATUS_NO_MEMORY
;
912 names
[i
].sid_type
= name
->type
;
913 names
[i
].name
.string
= name
->name
;
914 names
[i
].sid_index
= name
->dom_idx
;
915 names
[i
].unknown
= 0;
918 status
= NT_STATUS_NONE_MAPPED
;
919 if (mapped_count
> 0) {
920 status
= (mapped_count
< num_sids
) ?
921 STATUS_SOME_UNMAPPED
: NT_STATUS_OK
;
924 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
925 num_sids
, mapped_count
, nt_errstr(status
)));
927 *pp_mapped_count
= mapped_count
;
934 /***************************************************************************
936 ***************************************************************************/
938 NTSTATUS
_lsa_LookupSids(struct pipes_struct
*p
,
939 struct lsa_LookupSids
*r
)
942 struct lsa_info
*handle
;
943 int num_sids
= r
->in
.sids
->num_sids
;
944 uint32 mapped_count
= 0;
945 struct lsa_RefDomainList
*domains
= NULL
;
946 struct lsa_TranslatedName
*names_out
= NULL
;
947 struct lsa_TranslatedName2
*names
= NULL
;
950 if ((r
->in
.level
< 1) || (r
->in
.level
> 6)) {
951 return NT_STATUS_INVALID_PARAMETER
;
954 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
955 return NT_STATUS_INVALID_HANDLE
;
958 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
959 return NT_STATUS_INVALID_HANDLE
;
962 /* check if the user has enough rights */
963 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
964 return NT_STATUS_ACCESS_DENIED
;
967 if (num_sids
> MAX_LOOKUP_SIDS
) {
968 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
969 MAX_LOOKUP_SIDS
, num_sids
));
970 return NT_STATUS_NONE_MAPPED
;
973 status
= _lsa_lookup_sids_internal(p
,
982 /* Only return here when there is a real error.
983 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
984 the requested sids could be resolved. Older versions of XP (pre SP3)
985 rely that we return with the string representations of those SIDs in
986 that case. If we don't, XP crashes - Guenther
989 if (NT_STATUS_IS_ERR(status
) &&
990 !NT_STATUS_EQUAL(status
, NT_STATUS_NONE_MAPPED
)) {
994 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
995 names_out
= TALLOC_ARRAY(p
->mem_ctx
, struct lsa_TranslatedName
,
998 return NT_STATUS_NO_MEMORY
;
1001 for (i
=0; i
<num_sids
; i
++) {
1002 names_out
[i
].sid_type
= names
[i
].sid_type
;
1003 names_out
[i
].name
= names
[i
].name
;
1004 names_out
[i
].sid_index
= names
[i
].sid_index
;
1007 *r
->out
.domains
= domains
;
1008 r
->out
.names
->count
= num_sids
;
1009 r
->out
.names
->names
= names_out
;
1010 *r
->out
.count
= mapped_count
;
1015 /***************************************************************************
1017 ***************************************************************************/
1019 NTSTATUS
_lsa_LookupSids2(struct pipes_struct
*p
,
1020 struct lsa_LookupSids2
*r
)
1023 struct lsa_info
*handle
;
1024 int num_sids
= r
->in
.sids
->num_sids
;
1025 uint32 mapped_count
= 0;
1026 struct lsa_RefDomainList
*domains
= NULL
;
1027 struct lsa_TranslatedName2
*names
= NULL
;
1028 bool check_policy
= true;
1031 case NDR_LSA_LOOKUPSIDS3
:
1032 check_policy
= false;
1034 case NDR_LSA_LOOKUPSIDS2
:
1036 check_policy
= true;
1039 if ((r
->in
.level
< 1) || (r
->in
.level
> 6)) {
1040 return NT_STATUS_INVALID_PARAMETER
;
1044 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
1045 return NT_STATUS_INVALID_HANDLE
;
1048 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1049 return NT_STATUS_INVALID_HANDLE
;
1052 /* check if the user has enough rights */
1053 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
1054 return NT_STATUS_ACCESS_DENIED
;
1058 if (num_sids
> MAX_LOOKUP_SIDS
) {
1059 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
1060 MAX_LOOKUP_SIDS
, num_sids
));
1061 return NT_STATUS_NONE_MAPPED
;
1064 status
= _lsa_lookup_sids_internal(p
,
1073 *r
->out
.domains
= domains
;
1074 r
->out
.names
->count
= num_sids
;
1075 r
->out
.names
->names
= names
;
1076 *r
->out
.count
= mapped_count
;
1081 /***************************************************************************
1083 ***************************************************************************/
1085 NTSTATUS
_lsa_LookupSids3(struct pipes_struct
*p
,
1086 struct lsa_LookupSids3
*r
)
1088 struct lsa_LookupSids2 q
;
1090 /* No policy handle on this call. Restrict to crypto connections. */
1091 if (p
->auth
.auth_type
!= DCERPC_AUTH_TYPE_SCHANNEL
) {
1092 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
1093 get_remote_machine_name() ));
1094 return NT_STATUS_INVALID_PARAMETER
;
1098 q
.in
.sids
= r
->in
.sids
;
1099 q
.in
.level
= r
->in
.level
;
1100 q
.in
.lookup_options
= r
->in
.lookup_options
;
1101 q
.in
.client_revision
= r
->in
.client_revision
;
1102 q
.in
.names
= r
->in
.names
;
1103 q
.in
.count
= r
->in
.count
;
1105 q
.out
.domains
= r
->out
.domains
;
1106 q
.out
.names
= r
->out
.names
;
1107 q
.out
.count
= r
->out
.count
;
1109 return _lsa_LookupSids2(p
, &q
);
1112 /***************************************************************************
1113 ***************************************************************************/
1115 static int lsa_lookup_level_to_flags(enum lsa_LookupNamesLevel level
)
1120 case LSA_LOOKUP_NAMES_ALL
: /* 1 */
1121 flags
= LOOKUP_NAME_ALL
;
1123 case LSA_LOOKUP_NAMES_DOMAINS_ONLY
: /* 2 */
1124 flags
= LOOKUP_NAME_DOMAIN
|LOOKUP_NAME_REMOTE
|LOOKUP_NAME_ISOLATED
;
1126 case LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
: /* 3 */
1127 flags
= LOOKUP_NAME_DOMAIN
|LOOKUP_NAME_ISOLATED
;
1129 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY
: /* 4 */
1130 case LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY
: /* 5 */
1131 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
: /* 6 */
1132 case LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC
: /* 7 */
1134 flags
= LOOKUP_NAME_NONE
;
1141 /***************************************************************************
1143 ***************************************************************************/
1145 NTSTATUS
_lsa_LookupNames(struct pipes_struct
*p
,
1146 struct lsa_LookupNames
*r
)
1148 NTSTATUS status
= NT_STATUS_NONE_MAPPED
;
1149 struct lsa_info
*handle
;
1150 struct lsa_String
*names
= r
->in
.names
;
1151 uint32 num_entries
= r
->in
.num_names
;
1152 struct lsa_RefDomainList
*domains
= NULL
;
1153 struct lsa_TranslatedSid
*rids
= NULL
;
1154 uint32 mapped_count
= 0;
1157 if (num_entries
> MAX_LOOKUP_SIDS
) {
1158 num_entries
= MAX_LOOKUP_SIDS
;
1159 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1163 flags
= lsa_lookup_level_to_flags(r
->in
.level
);
1165 domains
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_RefDomainList
);
1167 return NT_STATUS_NO_MEMORY
;
1171 rids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_TranslatedSid
,
1174 return NT_STATUS_NO_MEMORY
;
1180 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
1181 status
= NT_STATUS_INVALID_HANDLE
;
1185 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1186 return NT_STATUS_INVALID_HANDLE
;
1189 /* check if the user has enough rights */
1190 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
1191 status
= NT_STATUS_ACCESS_DENIED
;
1195 /* set up the LSA Lookup RIDs response */
1196 become_root(); /* lookup_name can require root privs */
1197 status
= lookup_lsa_rids(p
->mem_ctx
, domains
, rids
, num_entries
,
1198 names
, flags
, &mapped_count
);
1203 if (NT_STATUS_IS_OK(status
) && (num_entries
!= 0) ) {
1204 if (mapped_count
== 0) {
1205 status
= NT_STATUS_NONE_MAPPED
;
1206 } else if (mapped_count
!= num_entries
) {
1207 status
= STATUS_SOME_UNMAPPED
;
1211 *r
->out
.count
= mapped_count
;
1212 *r
->out
.domains
= domains
;
1213 r
->out
.sids
->sids
= rids
;
1214 r
->out
.sids
->count
= num_entries
;
1219 /***************************************************************************
1221 ***************************************************************************/
1223 NTSTATUS
_lsa_LookupNames2(struct pipes_struct
*p
,
1224 struct lsa_LookupNames2
*r
)
1227 struct lsa_LookupNames q
;
1228 struct lsa_TransSidArray2
*sid_array2
= r
->in
.sids
;
1229 struct lsa_TransSidArray
*sid_array
= NULL
;
1232 sid_array
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_TransSidArray
);
1234 return NT_STATUS_NO_MEMORY
;
1237 q
.in
.handle
= r
->in
.handle
;
1238 q
.in
.num_names
= r
->in
.num_names
;
1239 q
.in
.names
= r
->in
.names
;
1240 q
.in
.level
= r
->in
.level
;
1241 q
.in
.sids
= sid_array
;
1242 q
.in
.count
= r
->in
.count
;
1243 /* we do not know what this is for */
1244 /* = r->in.unknown1; */
1245 /* = r->in.unknown2; */
1247 q
.out
.domains
= r
->out
.domains
;
1248 q
.out
.sids
= sid_array
;
1249 q
.out
.count
= r
->out
.count
;
1251 status
= _lsa_LookupNames(p
, &q
);
1253 sid_array2
->count
= sid_array
->count
;
1254 sid_array2
->sids
= TALLOC_ARRAY(p
->mem_ctx
, struct lsa_TranslatedSid2
, sid_array
->count
);
1255 if (!sid_array2
->sids
) {
1256 return NT_STATUS_NO_MEMORY
;
1259 for (i
=0; i
<sid_array
->count
; i
++) {
1260 sid_array2
->sids
[i
].sid_type
= sid_array
->sids
[i
].sid_type
;
1261 sid_array2
->sids
[i
].rid
= sid_array
->sids
[i
].rid
;
1262 sid_array2
->sids
[i
].sid_index
= sid_array
->sids
[i
].sid_index
;
1263 sid_array2
->sids
[i
].unknown
= 0;
1266 r
->out
.sids
= sid_array2
;
1271 /***************************************************************************
1273 ***************************************************************************/
1275 NTSTATUS
_lsa_LookupNames3(struct pipes_struct
*p
,
1276 struct lsa_LookupNames3
*r
)
1279 struct lsa_info
*handle
;
1280 struct lsa_String
*names
= r
->in
.names
;
1281 uint32 num_entries
= r
->in
.num_names
;
1282 struct lsa_RefDomainList
*domains
= NULL
;
1283 struct lsa_TranslatedSid3
*trans_sids
= NULL
;
1284 uint32 mapped_count
= 0;
1286 bool check_policy
= true;
1289 case NDR_LSA_LOOKUPNAMES4
:
1290 check_policy
= false;
1292 case NDR_LSA_LOOKUPNAMES3
:
1294 check_policy
= true;
1297 if (num_entries
> MAX_LOOKUP_SIDS
) {
1298 num_entries
= MAX_LOOKUP_SIDS
;
1299 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries
));
1302 /* Probably the lookup_level is some sort of bitmask. */
1303 if (r
->in
.level
== 1) {
1304 flags
= LOOKUP_NAME_ALL
;
1307 domains
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_RefDomainList
);
1309 return NT_STATUS_NO_MEMORY
;
1313 trans_sids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_TranslatedSid3
,
1316 return NT_STATUS_NO_MEMORY
;
1324 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
1325 status
= NT_STATUS_INVALID_HANDLE
;
1329 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1330 return NT_STATUS_INVALID_HANDLE
;
1333 /* check if the user has enough rights */
1334 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
1335 status
= NT_STATUS_ACCESS_DENIED
;
1340 /* set up the LSA Lookup SIDs response */
1341 become_root(); /* lookup_name can require root privs */
1342 status
= lookup_lsa_sids(p
->mem_ctx
, domains
, trans_sids
, num_entries
,
1343 names
, flags
, &mapped_count
);
1348 if (NT_STATUS_IS_OK(status
)) {
1349 if (mapped_count
== 0) {
1350 status
= NT_STATUS_NONE_MAPPED
;
1351 } else if (mapped_count
!= num_entries
) {
1352 status
= STATUS_SOME_UNMAPPED
;
1356 *r
->out
.count
= mapped_count
;
1357 *r
->out
.domains
= domains
;
1358 r
->out
.sids
->sids
= trans_sids
;
1359 r
->out
.sids
->count
= num_entries
;
1364 /***************************************************************************
1366 ***************************************************************************/
1368 NTSTATUS
_lsa_LookupNames4(struct pipes_struct
*p
,
1369 struct lsa_LookupNames4
*r
)
1371 struct lsa_LookupNames3 q
;
1373 /* No policy handle on this call. Restrict to crypto connections. */
1374 if (p
->auth
.auth_type
!= DCERPC_AUTH_TYPE_SCHANNEL
) {
1375 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1376 get_remote_machine_name() ));
1377 return NT_STATUS_INVALID_PARAMETER
;
1381 q
.in
.num_names
= r
->in
.num_names
;
1382 q
.in
.names
= r
->in
.names
;
1383 q
.in
.level
= r
->in
.level
;
1384 q
.in
.lookup_options
= r
->in
.lookup_options
;
1385 q
.in
.client_revision
= r
->in
.client_revision
;
1386 q
.in
.sids
= r
->in
.sids
;
1387 q
.in
.count
= r
->in
.count
;
1389 q
.out
.domains
= r
->out
.domains
;
1390 q
.out
.sids
= r
->out
.sids
;
1391 q
.out
.count
= r
->out
.count
;
1393 return _lsa_LookupNames3(p
, &q
);
1396 /***************************************************************************
1397 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1398 ***************************************************************************/
1400 NTSTATUS
_lsa_Close(struct pipes_struct
*p
, struct lsa_Close
*r
)
1402 if (!find_policy_by_hnd(p
, r
->in
.handle
, NULL
)) {
1403 return NT_STATUS_INVALID_HANDLE
;
1406 close_policy_hnd(p
, r
->in
.handle
);
1407 ZERO_STRUCTP(r
->out
.handle
);
1408 return NT_STATUS_OK
;
1411 /***************************************************************************
1412 ***************************************************************************/
1414 static NTSTATUS
lsa_lookup_trusted_domain_by_sid(TALLOC_CTX
*mem_ctx
,
1415 const struct dom_sid
*sid
,
1416 struct trustdom_info
**info
)
1419 uint32_t num_domains
= 0;
1420 struct trustdom_info
**domains
= NULL
;
1423 status
= pdb_enum_trusteddoms(mem_ctx
, &num_domains
, &domains
);
1424 if (!NT_STATUS_IS_OK(status
)) {
1428 for (i
=0; i
< num_domains
; i
++) {
1429 if (dom_sid_equal(&domains
[i
]->sid
, sid
)) {
1434 if (i
== num_domains
) {
1435 return NT_STATUS_INVALID_PARAMETER
;
1440 return NT_STATUS_OK
;
1443 /***************************************************************************
1444 ***************************************************************************/
1446 static NTSTATUS
lsa_lookup_trusted_domain_by_name(TALLOC_CTX
*mem_ctx
,
1447 const char *netbios_domain_name
,
1448 struct trustdom_info
**info_p
)
1451 struct trustdom_info
*info
;
1452 struct pdb_trusted_domain
*td
;
1454 status
= pdb_get_trusted_domain(mem_ctx
, netbios_domain_name
, &td
);
1455 if (!NT_STATUS_IS_OK(status
)) {
1459 info
= talloc(mem_ctx
, struct trustdom_info
);
1461 return NT_STATUS_NO_MEMORY
;
1464 info
->name
= talloc_strdup(info
, netbios_domain_name
);
1465 NT_STATUS_HAVE_NO_MEMORY(info
->name
);
1467 sid_copy(&info
->sid
, &td
->security_identifier
);
1471 return NT_STATUS_OK
;
1474 /***************************************************************************
1475 ***************************************************************************/
1477 NTSTATUS
_lsa_OpenSecret(struct pipes_struct
*p
, struct lsa_OpenSecret
*r
)
1479 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1482 /***************************************************************************
1483 ***************************************************************************/
1485 NTSTATUS
_lsa_OpenTrustedDomain(struct pipes_struct
*p
,
1486 struct lsa_OpenTrustedDomain
*r
)
1488 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1491 /***************************************************************************
1492 _lsa_CreateTrustedDomainEx2
1493 ***************************************************************************/
1495 NTSTATUS
_lsa_CreateTrustedDomainEx2(struct pipes_struct
*p
,
1496 struct lsa_CreateTrustedDomainEx2
*r
)
1498 struct lsa_info
*policy
;
1500 uint32_t acc_granted
;
1501 struct security_descriptor
*psd
;
1503 struct pdb_trusted_domain td
;
1506 return NT_STATUS_NOT_SUPPORTED
;
1509 if (!find_policy_by_hnd(p
, r
->in
.policy_handle
, (void **)(void *)&policy
)) {
1510 return NT_STATUS_INVALID_HANDLE
;
1513 if (!(policy
->access
& LSA_POLICY_TRUST_ADMIN
)) {
1514 return NT_STATUS_ACCESS_DENIED
;
1517 if (p
->server_info
->utok
.uid
!= sec_initial_uid() &&
1518 !nt_token_check_domain_rid(p
->server_info
->security_token
, DOMAIN_RID_ADMINS
)) {
1519 return NT_STATUS_ACCESS_DENIED
;
1522 /* Work out max allowed. */
1523 map_max_allowed_access(p
->server_info
->security_token
,
1524 &p
->server_info
->utok
,
1525 &r
->in
.access_mask
);
1527 /* map the generic bits to the lsa policy ones */
1528 se_map_generic(&r
->in
.access_mask
, &lsa_account_mapping
);
1530 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
1531 &lsa_trusted_domain_mapping
,
1533 if (!NT_STATUS_IS_OK(status
)) {
1537 status
= access_check_object(psd
, p
->server_info
->security_token
,
1538 SEC_PRIV_INVALID
, SEC_PRIV_INVALID
, 0,
1539 r
->in
.access_mask
, &acc_granted
,
1540 "_lsa_CreateTrustedDomainEx2");
1541 if (!NT_STATUS_IS_OK(status
)) {
1547 td
.domain_name
= r
->in
.info
->domain_name
.string
;
1548 td
.netbios_name
= r
->in
.info
->netbios_name
.string
;
1549 sid_copy(&td
.security_identifier
, r
->in
.info
->sid
);
1550 td
.trust_auth_incoming
.data
= NULL
;
1551 td
.trust_auth_incoming
.length
= 0;
1552 td
.trust_auth_outgoing
.data
= NULL
;
1553 td
.trust_auth_outgoing
.length
= 0;
1554 td
.trust_direction
= r
->in
.info
->trust_direction
;
1555 td
.trust_type
= r
->in
.info
->trust_type
;
1556 td
.trust_attributes
= r
->in
.info
->trust_attributes
;
1558 status
= pdb_set_trusted_domain(r
->in
.info
->domain_name
.string
, &td
);
1559 if (!NT_STATUS_IS_OK(status
)) {
1563 status
= create_lsa_policy_handle(p
->mem_ctx
, p
,
1564 LSA_HANDLE_TRUST_TYPE
,
1567 r
->in
.info
->netbios_name
.string
,
1569 r
->out
.trustdom_handle
);
1570 if (!NT_STATUS_IS_OK(status
)) {
1571 pdb_del_trusteddom_pw(r
->in
.info
->netbios_name
.string
);
1572 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1575 return NT_STATUS_OK
;
1578 /***************************************************************************
1579 _lsa_CreateTrustedDomainEx
1580 ***************************************************************************/
1582 NTSTATUS
_lsa_CreateTrustedDomainEx(struct pipes_struct
*p
,
1583 struct lsa_CreateTrustedDomainEx
*r
)
1585 struct lsa_CreateTrustedDomainEx2 q
;
1587 q
.in
.policy_handle
= r
->in
.policy_handle
;
1588 q
.in
.info
= r
->in
.info
;
1589 q
.in
.auth_info
= r
->in
.auth_info
;
1590 q
.in
.access_mask
= r
->in
.access_mask
;
1591 q
.out
.trustdom_handle
= r
->out
.trustdom_handle
;
1593 return _lsa_CreateTrustedDomainEx2(p
, &q
);
1596 /***************************************************************************
1597 _lsa_CreateTrustedDomain
1598 ***************************************************************************/
1600 NTSTATUS
_lsa_CreateTrustedDomain(struct pipes_struct
*p
,
1601 struct lsa_CreateTrustedDomain
*r
)
1603 struct lsa_CreateTrustedDomainEx2 c
;
1604 struct lsa_TrustDomainInfoInfoEx info
;
1605 struct lsa_TrustDomainInfoAuthInfoInternal auth_info
;
1607 ZERO_STRUCT(auth_info
);
1609 info
.domain_name
= r
->in
.info
->name
;
1610 info
.netbios_name
= r
->in
.info
->name
;
1611 info
.sid
= r
->in
.info
->sid
;
1612 info
.trust_direction
= LSA_TRUST_DIRECTION_OUTBOUND
;
1613 info
.trust_type
= LSA_TRUST_TYPE_DOWNLEVEL
;
1614 info
.trust_attributes
= 0;
1616 c
.in
.policy_handle
= r
->in
.policy_handle
;
1618 c
.in
.auth_info
= &auth_info
;
1619 c
.in
.access_mask
= r
->in
.access_mask
;
1620 c
.out
.trustdom_handle
= r
->out
.trustdom_handle
;
1622 return _lsa_CreateTrustedDomainEx2(p
, &c
);
1625 /***************************************************************************
1626 _lsa_DeleteTrustedDomain
1627 ***************************************************************************/
1629 NTSTATUS
_lsa_DeleteTrustedDomain(struct pipes_struct
*p
,
1630 struct lsa_DeleteTrustedDomain
*r
)
1633 struct lsa_info
*handle
;
1634 struct trustdom_info
*info
;
1636 /* find the connection policy handle. */
1637 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
1638 return NT_STATUS_INVALID_HANDLE
;
1641 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1642 return NT_STATUS_INVALID_HANDLE
;
1645 if (!(handle
->access
& LSA_POLICY_TRUST_ADMIN
)) {
1646 return NT_STATUS_ACCESS_DENIED
;
1649 status
= lsa_lookup_trusted_domain_by_sid(p
->mem_ctx
,
1652 if (!NT_STATUS_IS_OK(status
)) {
1656 status
= pdb_del_trusted_domain(info
->name
);
1657 if (!NT_STATUS_IS_OK(status
)) {
1661 return NT_STATUS_OK
;
1664 /***************************************************************************
1665 ***************************************************************************/
1667 NTSTATUS
_lsa_CreateSecret(struct pipes_struct
*p
, struct lsa_CreateSecret
*r
)
1669 return NT_STATUS_ACCESS_DENIED
;
1672 /***************************************************************************
1673 ***************************************************************************/
1675 NTSTATUS
_lsa_SetSecret(struct pipes_struct
*p
, struct lsa_SetSecret
*r
)
1677 return NT_STATUS_ACCESS_DENIED
;
1680 /***************************************************************************
1682 ***************************************************************************/
1684 NTSTATUS
_lsa_DeleteObject(struct pipes_struct
*p
,
1685 struct lsa_DeleteObject
*r
)
1688 struct lsa_info
*info
= NULL
;
1690 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
)) {
1691 return NT_STATUS_INVALID_HANDLE
;
1694 if (!(info
->access
& SEC_STD_DELETE
)) {
1695 return NT_STATUS_ACCESS_DENIED
;
1698 switch (info
->type
) {
1699 case LSA_HANDLE_ACCOUNT_TYPE
:
1700 status
= privilege_delete_account(&info
->sid
);
1701 if (!NT_STATUS_IS_OK(status
)) {
1702 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1703 nt_errstr(status
)));
1708 return NT_STATUS_INVALID_HANDLE
;
1711 close_policy_hnd(p
, r
->in
.handle
);
1712 ZERO_STRUCTP(r
->out
.handle
);
1717 /***************************************************************************
1719 ***************************************************************************/
1721 NTSTATUS
_lsa_EnumPrivs(struct pipes_struct
*p
,
1722 struct lsa_EnumPrivs
*r
)
1724 struct lsa_info
*handle
;
1726 uint32 enum_context
= *r
->in
.resume_handle
;
1727 int num_privs
= num_privileges_in_short_list();
1728 struct lsa_PrivEntry
*entries
= NULL
;
1730 /* remember that the enum_context starts at 0 and not 1 */
1732 if ( enum_context
>= num_privs
)
1733 return NT_STATUS_NO_MORE_ENTRIES
;
1735 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1736 enum_context
, num_privs
));
1738 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1739 return NT_STATUS_INVALID_HANDLE
;
1741 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1742 return NT_STATUS_INVALID_HANDLE
;
1745 /* check if the user has enough rights
1746 I don't know if it's the right one. not documented. */
1748 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1749 return NT_STATUS_ACCESS_DENIED
;
1752 entries
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_PrivEntry
, num_privs
);
1754 return NT_STATUS_NO_MEMORY
;
1760 for (i
= 0; i
< num_privs
; i
++) {
1761 if( i
< enum_context
) {
1763 init_lsa_StringLarge(&entries
[i
].name
, NULL
);
1765 entries
[i
].luid
.low
= 0;
1766 entries
[i
].luid
.high
= 0;
1769 init_lsa_StringLarge(&entries
[i
].name
, sec_privilege_name_from_index(i
));
1771 entries
[i
].luid
.low
= sec_privilege_from_index(i
);
1772 entries
[i
].luid
.high
= 0;
1776 enum_context
= num_privs
;
1778 *r
->out
.resume_handle
= enum_context
;
1779 r
->out
.privs
->count
= num_privs
;
1780 r
->out
.privs
->privs
= entries
;
1782 return NT_STATUS_OK
;
1785 /***************************************************************************
1786 _lsa_LookupPrivDisplayName
1787 ***************************************************************************/
1789 NTSTATUS
_lsa_LookupPrivDisplayName(struct pipes_struct
*p
,
1790 struct lsa_LookupPrivDisplayName
*r
)
1792 struct lsa_info
*handle
;
1793 const char *description
;
1794 struct lsa_StringLarge
*lsa_name
;
1796 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1797 return NT_STATUS_INVALID_HANDLE
;
1799 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1800 return NT_STATUS_INVALID_HANDLE
;
1803 /* check if the user has enough rights */
1806 * I don't know if it's the right one. not documented.
1808 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1809 return NT_STATUS_ACCESS_DENIED
;
1811 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r
->in
.name
->string
));
1813 description
= get_privilege_dispname(r
->in
.name
->string
);
1815 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1816 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1819 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description
));
1821 lsa_name
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_StringLarge
);
1823 return NT_STATUS_NO_MEMORY
;
1826 init_lsa_StringLarge(lsa_name
, description
);
1828 *r
->out
.returned_language_id
= r
->in
.language_id
;
1829 *r
->out
.disp_name
= lsa_name
;
1831 return NT_STATUS_OK
;
1834 /***************************************************************************
1836 ***************************************************************************/
1838 NTSTATUS
_lsa_EnumAccounts(struct pipes_struct
*p
,
1839 struct lsa_EnumAccounts
*r
)
1841 struct lsa_info
*handle
;
1842 struct dom_sid
*sid_list
;
1843 int i
, j
, num_entries
;
1845 struct lsa_SidPtr
*sids
= NULL
;
1847 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1848 return NT_STATUS_INVALID_HANDLE
;
1850 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1851 return NT_STATUS_INVALID_HANDLE
;
1854 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1855 return NT_STATUS_ACCESS_DENIED
;
1860 /* The only way we can currently find out all the SIDs that have been
1861 privileged is to scan all privileges */
1863 status
= privilege_enumerate_accounts(&sid_list
, &num_entries
);
1864 if (!NT_STATUS_IS_OK(status
)) {
1868 if (*r
->in
.resume_handle
>= num_entries
) {
1869 return NT_STATUS_NO_MORE_ENTRIES
;
1872 if (num_entries
- *r
->in
.resume_handle
) {
1873 sids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_SidPtr
,
1874 num_entries
- *r
->in
.resume_handle
);
1876 talloc_free(sid_list
);
1877 return NT_STATUS_NO_MEMORY
;
1880 for (i
= *r
->in
.resume_handle
, j
= 0; i
< num_entries
; i
++, j
++) {
1881 sids
[j
].sid
= dom_sid_dup(p
->mem_ctx
, &sid_list
[i
]);
1883 talloc_free(sid_list
);
1884 return NT_STATUS_NO_MEMORY
;
1889 talloc_free(sid_list
);
1891 *r
->out
.resume_handle
= num_entries
;
1892 r
->out
.sids
->num_sids
= num_entries
;
1893 r
->out
.sids
->sids
= sids
;
1895 return NT_STATUS_OK
;
1898 /***************************************************************************
1900 ***************************************************************************/
1902 NTSTATUS
_lsa_GetUserName(struct pipes_struct
*p
,
1903 struct lsa_GetUserName
*r
)
1905 const char *username
, *domname
;
1906 struct lsa_String
*account_name
= NULL
;
1907 struct lsa_String
*authority_name
= NULL
;
1909 if (r
->in
.account_name
&&
1910 *r
->in
.account_name
) {
1911 return NT_STATUS_INVALID_PARAMETER
;
1914 if (r
->in
.authority_name
&&
1915 *r
->in
.authority_name
) {
1916 return NT_STATUS_INVALID_PARAMETER
;
1919 if (p
->server_info
->guest
) {
1921 * I'm 99% sure this is not the right place to do this,
1922 * global_sid_Anonymous should probably be put into the token
1923 * instead of the guest id -- vl
1925 if (!lookup_sid(p
->mem_ctx
, &global_sid_Anonymous
,
1926 &domname
, &username
, NULL
)) {
1927 return NT_STATUS_NO_MEMORY
;
1930 username
= p
->server_info
->sanitized_username
;
1931 domname
= p
->server_info
->info3
->base
.domain
.string
;
1934 account_name
= TALLOC_P(p
->mem_ctx
, struct lsa_String
);
1935 if (!account_name
) {
1936 return NT_STATUS_NO_MEMORY
;
1938 init_lsa_String(account_name
, username
);
1940 if (r
->out
.authority_name
) {
1941 authority_name
= TALLOC_P(p
->mem_ctx
, struct lsa_String
);
1942 if (!authority_name
) {
1943 return NT_STATUS_NO_MEMORY
;
1945 init_lsa_String(authority_name
, domname
);
1948 *r
->out
.account_name
= account_name
;
1949 if (r
->out
.authority_name
) {
1950 *r
->out
.authority_name
= authority_name
;
1953 return NT_STATUS_OK
;
1956 /***************************************************************************
1958 ***************************************************************************/
1960 NTSTATUS
_lsa_CreateAccount(struct pipes_struct
*p
,
1961 struct lsa_CreateAccount
*r
)
1964 struct lsa_info
*handle
;
1965 uint32_t acc_granted
;
1966 struct security_descriptor
*psd
;
1969 /* find the connection policy handle. */
1970 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1971 return NT_STATUS_INVALID_HANDLE
;
1973 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
1974 return NT_STATUS_INVALID_HANDLE
;
1977 /* check if the user has enough rights */
1979 if (!(handle
->access
& LSA_POLICY_CREATE_ACCOUNT
)) {
1980 return NT_STATUS_ACCESS_DENIED
;
1983 /* Work out max allowed. */
1984 map_max_allowed_access(p
->server_info
->security_token
,
1985 &p
->server_info
->utok
,
1986 &r
->in
.access_mask
);
1988 /* map the generic bits to the lsa policy ones */
1989 se_map_generic(&r
->in
.access_mask
, &lsa_account_mapping
);
1991 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
1992 &lsa_account_mapping
,
1993 r
->in
.sid
, LSA_POLICY_ALL_ACCESS
);
1994 if (!NT_STATUS_IS_OK(status
)) {
1998 status
= access_check_object(psd
, p
->server_info
->security_token
,
1999 SEC_PRIV_INVALID
, SEC_PRIV_INVALID
, 0, r
->in
.access_mask
,
2000 &acc_granted
, "_lsa_CreateAccount");
2001 if (!NT_STATUS_IS_OK(status
)) {
2005 if ( is_privileged_sid( r
->in
.sid
) )
2006 return NT_STATUS_OBJECT_NAME_COLLISION
;
2008 status
= create_lsa_policy_handle(p
->mem_ctx
, p
,
2009 LSA_HANDLE_ACCOUNT_TYPE
,
2014 r
->out
.acct_handle
);
2015 if (!NT_STATUS_IS_OK(status
)) {
2016 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
2019 return privilege_create_account(r
->in
.sid
);
2022 /***************************************************************************
2024 ***************************************************************************/
2026 NTSTATUS
_lsa_OpenAccount(struct pipes_struct
*p
,
2027 struct lsa_OpenAccount
*r
)
2029 struct lsa_info
*handle
;
2030 struct security_descriptor
*psd
= NULL
;
2032 uint32_t des_access
= r
->in
.access_mask
;
2033 uint32_t acc_granted
;
2036 /* find the connection policy handle. */
2037 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
2038 return NT_STATUS_INVALID_HANDLE
;
2040 if (handle
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2041 return NT_STATUS_INVALID_HANDLE
;
2044 /* des_access is for the account here, not the policy
2045 * handle - so don't check against policy handle. */
2047 /* Work out max allowed. */
2048 map_max_allowed_access(p
->server_info
->security_token
,
2049 &p
->server_info
->utok
,
2052 /* map the generic bits to the lsa account ones */
2053 se_map_generic(&des_access
, &lsa_account_mapping
);
2055 /* get the generic lsa account SD until we store it */
2056 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
2057 &lsa_account_mapping
,
2058 r
->in
.sid
, LSA_ACCOUNT_ALL_ACCESS
);
2059 if (!NT_STATUS_IS_OK(status
)) {
2063 status
= access_check_object(psd
, p
->server_info
->security_token
,
2064 SEC_PRIV_INVALID
, SEC_PRIV_INVALID
, 0, des_access
,
2065 &acc_granted
, "_lsa_OpenAccount" );
2066 if (!NT_STATUS_IS_OK(status
)) {
2070 /* TODO: Fis the parsing routine before reenabling this check! */
2072 if (!lookup_sid(&handle
->sid
, dom_name
, name
, &type
))
2073 return NT_STATUS_ACCESS_DENIED
;
2076 status
= create_lsa_policy_handle(p
->mem_ctx
, p
,
2077 LSA_HANDLE_ACCOUNT_TYPE
,
2082 r
->out
.acct_handle
);
2083 if (!NT_STATUS_IS_OK(status
)) {
2084 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
2087 return NT_STATUS_OK
;
2090 /***************************************************************************
2091 _lsa_EnumPrivsAccount
2092 For a given SID, enumerate all the privilege this account has.
2093 ***************************************************************************/
2095 NTSTATUS
_lsa_EnumPrivsAccount(struct pipes_struct
*p
,
2096 struct lsa_EnumPrivsAccount
*r
)
2098 NTSTATUS status
= NT_STATUS_OK
;
2099 struct lsa_info
*info
=NULL
;
2100 PRIVILEGE_SET
*privileges
;
2101 struct lsa_PrivilegeSet
*priv_set
= NULL
;
2103 /* find the connection policy handle. */
2104 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2105 return NT_STATUS_INVALID_HANDLE
;
2107 if (info
->type
!= LSA_HANDLE_ACCOUNT_TYPE
) {
2108 return NT_STATUS_INVALID_HANDLE
;
2111 if (!(info
->access
& LSA_ACCOUNT_VIEW
))
2112 return NT_STATUS_ACCESS_DENIED
;
2114 status
= get_privileges_for_sid_as_set(p
->mem_ctx
, &privileges
, &info
->sid
);
2115 if (!NT_STATUS_IS_OK(status
)) {
2119 *r
->out
.privs
= priv_set
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_PrivilegeSet
);
2121 return NT_STATUS_NO_MEMORY
;
2124 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
2125 sid_string_dbg(&info
->sid
),
2126 privileges
->count
));
2128 priv_set
->count
= privileges
->count
;
2129 priv_set
->unknown
= 0;
2130 priv_set
->set
= talloc_move(priv_set
, &privileges
->set
);
2135 /***************************************************************************
2136 _lsa_GetSystemAccessAccount
2137 ***************************************************************************/
2139 NTSTATUS
_lsa_GetSystemAccessAccount(struct pipes_struct
*p
,
2140 struct lsa_GetSystemAccessAccount
*r
)
2143 struct lsa_info
*info
= NULL
;
2144 struct lsa_EnumPrivsAccount e
;
2145 struct lsa_PrivilegeSet
*privset
;
2147 /* find the connection policy handle. */
2149 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2150 return NT_STATUS_INVALID_HANDLE
;
2152 if (info
->type
!= LSA_HANDLE_ACCOUNT_TYPE
) {
2153 return NT_STATUS_INVALID_HANDLE
;
2156 if (!(info
->access
& LSA_ACCOUNT_VIEW
))
2157 return NT_STATUS_ACCESS_DENIED
;
2159 privset
= talloc_zero(p
->mem_ctx
, struct lsa_PrivilegeSet
);
2161 return NT_STATUS_NO_MEMORY
;
2164 e
.in
.handle
= r
->in
.handle
;
2165 e
.out
.privs
= &privset
;
2167 status
= _lsa_EnumPrivsAccount(p
, &e
);
2168 if (!NT_STATUS_IS_OK(status
)) {
2169 DEBUG(10,("_lsa_GetSystemAccessAccount: "
2170 "failed to call _lsa_EnumPrivsAccount(): %s\n",
2171 nt_errstr(status
)));
2175 /* Samba4 would iterate over the privset to merge the policy mode bits,
2176 * not sure samba3 can do the same here, so just return what we did in
2180 0x01 -> Log on locally
2181 0x02 -> Access this computer from network
2182 0x04 -> Log on as a batch job
2183 0x10 -> Log on as a service
2185 they can be ORed together
2188 *r
->out
.access_mask
= LSA_POLICY_MODE_INTERACTIVE
|
2189 LSA_POLICY_MODE_NETWORK
;
2191 return NT_STATUS_OK
;
2194 /***************************************************************************
2195 update the systemaccount information
2196 ***************************************************************************/
2198 NTSTATUS
_lsa_SetSystemAccessAccount(struct pipes_struct
*p
,
2199 struct lsa_SetSystemAccessAccount
*r
)
2201 struct lsa_info
*info
=NULL
;
2204 /* find the connection policy handle. */
2205 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2206 return NT_STATUS_INVALID_HANDLE
;
2208 if (info
->type
!= LSA_HANDLE_ACCOUNT_TYPE
) {
2209 return NT_STATUS_INVALID_HANDLE
;
2212 if (!(info
->access
& LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS
)) {
2213 return NT_STATUS_ACCESS_DENIED
;
2216 if (!pdb_getgrsid(&map
, info
->sid
))
2217 return NT_STATUS_NO_SUCH_GROUP
;
2219 return pdb_update_group_mapping_entry(&map
);
2222 /***************************************************************************
2223 _lsa_AddPrivilegesToAccount
2224 For a given SID, add some privileges.
2225 ***************************************************************************/
2227 NTSTATUS
_lsa_AddPrivilegesToAccount(struct pipes_struct
*p
,
2228 struct lsa_AddPrivilegesToAccount
*r
)
2230 struct lsa_info
*info
= NULL
;
2231 struct lsa_PrivilegeSet
*set
= NULL
;
2233 /* find the connection policy handle. */
2234 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2235 return NT_STATUS_INVALID_HANDLE
;
2237 if (info
->type
!= LSA_HANDLE_ACCOUNT_TYPE
) {
2238 return NT_STATUS_INVALID_HANDLE
;
2241 if (!(info
->access
& LSA_ACCOUNT_ADJUST_PRIVILEGES
)) {
2242 return NT_STATUS_ACCESS_DENIED
;
2247 if ( !grant_privilege_set( &info
->sid
, set
) ) {
2248 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege_set(%s) failed!\n",
2249 sid_string_dbg(&info
->sid
) ));
2250 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2253 return NT_STATUS_OK
;
2256 /***************************************************************************
2257 _lsa_RemovePrivilegesFromAccount
2258 For a given SID, remove some privileges.
2259 ***************************************************************************/
2261 NTSTATUS
_lsa_RemovePrivilegesFromAccount(struct pipes_struct
*p
,
2262 struct lsa_RemovePrivilegesFromAccount
*r
)
2264 struct lsa_info
*info
= NULL
;
2265 struct lsa_PrivilegeSet
*set
= NULL
;
2267 /* find the connection policy handle. */
2268 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2269 return NT_STATUS_INVALID_HANDLE
;
2271 if (info
->type
!= LSA_HANDLE_ACCOUNT_TYPE
) {
2272 return NT_STATUS_INVALID_HANDLE
;
2275 if (!(info
->access
& LSA_ACCOUNT_ADJUST_PRIVILEGES
)) {
2276 return NT_STATUS_ACCESS_DENIED
;
2281 if ( !revoke_privilege_set( &info
->sid
, set
) ) {
2282 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2283 sid_string_dbg(&info
->sid
) ));
2284 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2287 return NT_STATUS_OK
;
2290 /***************************************************************************
2292 ***************************************************************************/
2294 NTSTATUS
_lsa_LookupPrivName(struct pipes_struct
*p
,
2295 struct lsa_LookupPrivName
*r
)
2297 struct lsa_info
*info
= NULL
;
2299 struct lsa_StringLarge
*lsa_name
;
2301 /* find the connection policy handle. */
2302 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
)) {
2303 return NT_STATUS_INVALID_HANDLE
;
2306 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2307 return NT_STATUS_INVALID_HANDLE
;
2310 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
)) {
2311 return NT_STATUS_ACCESS_DENIED
;
2314 if (r
->in
.luid
->high
!= 0) {
2315 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2318 name
= sec_privilege_name(r
->in
.luid
->low
);
2320 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2323 lsa_name
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_StringLarge
);
2325 return NT_STATUS_NO_MEMORY
;
2328 lsa_name
->string
= talloc_strdup(lsa_name
, name
);
2329 if (!lsa_name
->string
) {
2330 TALLOC_FREE(lsa_name
);
2331 return NT_STATUS_NO_MEMORY
;
2334 *r
->out
.name
= lsa_name
;
2336 return NT_STATUS_OK
;
2339 /***************************************************************************
2341 ***************************************************************************/
2343 NTSTATUS
_lsa_QuerySecurity(struct pipes_struct
*p
,
2344 struct lsa_QuerySecurity
*r
)
2346 struct lsa_info
*handle
=NULL
;
2347 struct security_descriptor
*psd
= NULL
;
2351 /* find the connection policy handle. */
2352 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
2353 return NT_STATUS_INVALID_HANDLE
;
2355 switch (handle
->type
) {
2356 case LSA_HANDLE_POLICY_TYPE
:
2357 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
2358 &lsa_policy_mapping
, NULL
, 0);
2360 case LSA_HANDLE_ACCOUNT_TYPE
:
2361 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
2362 &lsa_account_mapping
,
2363 &handle
->sid
, LSA_ACCOUNT_ALL_ACCESS
);
2366 status
= NT_STATUS_INVALID_HANDLE
;
2370 if (!NT_STATUS_IS_OK(status
)) {
2374 *r
->out
.sdbuf
= make_sec_desc_buf(p
->mem_ctx
, sd_size
, psd
);
2375 if (!*r
->out
.sdbuf
) {
2376 return NT_STATUS_NO_MEMORY
;
2382 /***************************************************************************
2383 _lsa_AddAccountRights
2384 ***************************************************************************/
2386 NTSTATUS
_lsa_AddAccountRights(struct pipes_struct
*p
,
2387 struct lsa_AddAccountRights
*r
)
2389 struct lsa_info
*info
= NULL
;
2391 uint32_t acc_granted
= 0;
2392 struct security_descriptor
*psd
= NULL
;
2397 /* find the connection policy handle. */
2398 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2399 return NT_STATUS_INVALID_HANDLE
;
2401 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2402 return NT_STATUS_INVALID_HANDLE
;
2405 /* get the generic lsa account SD for this SID until we store it */
2406 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
2407 &lsa_account_mapping
,
2408 r
->in
.sid
, LSA_ACCOUNT_ALL_ACCESS
);
2409 if (!NT_STATUS_IS_OK(status
)) {
2414 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2415 * on the policy handle. If it does, ask for
2416 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2417 * on the account sid. We don't check here so just use the latter. JRA.
2420 status
= access_check_object(psd
, p
->server_info
->security_token
,
2421 SEC_PRIV_INVALID
, SEC_PRIV_INVALID
, 0,
2422 LSA_ACCOUNT_ADJUST_PRIVILEGES
|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS
|LSA_ACCOUNT_VIEW
,
2423 &acc_granted
, "_lsa_AddAccountRights" );
2424 if (!NT_STATUS_IS_OK(status
)) {
2428 /* according to an NT4 PDC, you can add privileges to SIDs even without
2429 call_lsa_create_account() first. And you can use any arbitrary SID. */
2431 sid_copy( &sid
, r
->in
.sid
);
2433 for ( i
=0; i
< r
->in
.rights
->count
; i
++ ) {
2435 const char *privname
= r
->in
.rights
->names
[i
].string
;
2437 /* only try to add non-null strings */
2442 if ( !grant_privilege_by_name( &sid
, privname
) ) {
2443 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2445 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2449 return NT_STATUS_OK
;
2452 /***************************************************************************
2453 _lsa_RemoveAccountRights
2454 ***************************************************************************/
2456 NTSTATUS
_lsa_RemoveAccountRights(struct pipes_struct
*p
,
2457 struct lsa_RemoveAccountRights
*r
)
2459 struct lsa_info
*info
= NULL
;
2461 struct security_descriptor
*psd
= NULL
;
2464 const char *privname
= NULL
;
2465 uint32_t acc_granted
= 0;
2468 /* find the connection policy handle. */
2469 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2470 return NT_STATUS_INVALID_HANDLE
;
2472 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2473 return NT_STATUS_INVALID_HANDLE
;
2476 /* get the generic lsa account SD for this SID until we store it */
2477 status
= make_lsa_object_sd(p
->mem_ctx
, &psd
, &sd_size
,
2478 &lsa_account_mapping
,
2479 r
->in
.sid
, LSA_ACCOUNT_ALL_ACCESS
);
2480 if (!NT_STATUS_IS_OK(status
)) {
2485 * From the MS DOCs. We need
2486 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2487 * and DELETE on the account sid.
2490 status
= access_check_object(psd
, p
->server_info
->security_token
,
2491 SEC_PRIV_INVALID
, SEC_PRIV_INVALID
, 0,
2492 LSA_ACCOUNT_ADJUST_PRIVILEGES
|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS
|
2493 LSA_ACCOUNT_VIEW
|SEC_STD_DELETE
,
2494 &acc_granted
, "_lsa_RemoveAccountRights");
2495 if (!NT_STATUS_IS_OK(status
)) {
2499 sid_copy( &sid
, r
->in
.sid
);
2501 if ( r
->in
.remove_all
) {
2502 if ( !revoke_all_privileges( &sid
) )
2503 return NT_STATUS_ACCESS_DENIED
;
2505 return NT_STATUS_OK
;
2508 for ( i
=0; i
< r
->in
.rights
->count
; i
++ ) {
2510 privname
= r
->in
.rights
->names
[i
].string
;
2512 /* only try to add non-null strings */
2517 if ( !revoke_privilege_by_name( &sid
, privname
) ) {
2518 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2520 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2524 return NT_STATUS_OK
;
2527 /*******************************************************************
2528 ********************************************************************/
2530 static NTSTATUS
init_lsa_right_set(TALLOC_CTX
*mem_ctx
,
2531 struct lsa_RightSet
*r
,
2532 PRIVILEGE_SET
*privileges
)
2535 const char *privname
;
2536 const char **privname_array
= NULL
;
2539 for (i
=0; i
<privileges
->count
; i
++) {
2540 if (privileges
->set
[i
].luid
.high
) {
2543 privname
= sec_privilege_name(privileges
->set
[i
].luid
.low
);
2545 if (!add_string_to_array(mem_ctx
, privname
,
2546 &privname_array
, &num_priv
)) {
2547 return NT_STATUS_NO_MEMORY
;
2554 r
->names
= TALLOC_ZERO_ARRAY(mem_ctx
, struct lsa_StringLarge
,
2557 return NT_STATUS_NO_MEMORY
;
2560 for (i
=0; i
<num_priv
; i
++) {
2561 init_lsa_StringLarge(&r
->names
[i
], privname_array
[i
]);
2564 r
->count
= num_priv
;
2567 return NT_STATUS_OK
;
2570 /***************************************************************************
2571 _lsa_EnumAccountRights
2572 ***************************************************************************/
2574 NTSTATUS
_lsa_EnumAccountRights(struct pipes_struct
*p
,
2575 struct lsa_EnumAccountRights
*r
)
2578 struct lsa_info
*info
= NULL
;
2579 PRIVILEGE_SET
*privileges
;
2581 /* find the connection policy handle. */
2583 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2584 return NT_STATUS_INVALID_HANDLE
;
2586 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2587 return NT_STATUS_INVALID_HANDLE
;
2590 if (!(info
->access
& LSA_ACCOUNT_VIEW
)) {
2591 return NT_STATUS_ACCESS_DENIED
;
2594 /* according to an NT4 PDC, you can add privileges to SIDs even without
2595 call_lsa_create_account() first. And you can use any arbitrary SID. */
2597 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2598 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2599 * the lsa database */
2601 status
= get_privileges_for_sid_as_set(p
->mem_ctx
, &privileges
, r
->in
.sid
);
2602 if (!NT_STATUS_IS_OK(status
)) {
2606 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2607 sid_string_dbg(r
->in
.sid
), privileges
->count
));
2609 status
= init_lsa_right_set(p
->mem_ctx
, r
->out
.rights
, privileges
);
2614 /***************************************************************************
2615 _lsa_LookupPrivValue
2616 ***************************************************************************/
2618 NTSTATUS
_lsa_LookupPrivValue(struct pipes_struct
*p
,
2619 struct lsa_LookupPrivValue
*r
)
2621 struct lsa_info
*info
= NULL
;
2622 const char *name
= NULL
;
2624 /* find the connection policy handle. */
2626 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2627 return NT_STATUS_INVALID_HANDLE
;
2629 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2630 return NT_STATUS_INVALID_HANDLE
;
2633 if (!(info
->access
& LSA_POLICY_LOOKUP_NAMES
))
2634 return NT_STATUS_ACCESS_DENIED
;
2636 name
= r
->in
.name
->string
;
2638 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name
));
2640 r
->out
.luid
->low
= sec_privilege_id(name
);
2641 r
->out
.luid
->high
= 0;
2642 if (r
->out
.luid
->low
== SEC_PRIV_INVALID
) {
2643 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2645 return NT_STATUS_OK
;
2648 /***************************************************************************
2649 _lsa_EnumAccountsWithUserRight
2650 ***************************************************************************/
2652 NTSTATUS
_lsa_EnumAccountsWithUserRight(struct pipes_struct
*p
,
2653 struct lsa_EnumAccountsWithUserRight
*r
)
2656 struct lsa_info
*info
= NULL
;
2657 struct dom_sid
*sids
= NULL
;
2660 enum sec_privilege privilege
;
2662 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
)) {
2663 return NT_STATUS_INVALID_HANDLE
;
2666 if (info
->type
!= LSA_HANDLE_POLICY_TYPE
) {
2667 return NT_STATUS_INVALID_HANDLE
;
2670 if (!(info
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
2671 return NT_STATUS_ACCESS_DENIED
;
2674 if (!r
->in
.name
|| !r
->in
.name
->string
) {
2675 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2678 privilege
= sec_privilege_id(r
->in
.name
->string
);
2679 if (privilege
== SEC_PRIV_INVALID
) {
2680 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2683 status
= privilege_enum_sids(privilege
, p
->mem_ctx
,
2685 if (!NT_STATUS_IS_OK(status
)) {
2689 r
->out
.sids
->num_sids
= num_sids
;
2690 r
->out
.sids
->sids
= talloc_array(p
->mem_ctx
, struct lsa_SidPtr
,
2691 r
->out
.sids
->num_sids
);
2693 for (i
=0; i
< r
->out
.sids
->num_sids
; i
++) {
2694 r
->out
.sids
->sids
[i
].sid
= dom_sid_dup(r
->out
.sids
->sids
,
2696 if (!r
->out
.sids
->sids
[i
].sid
) {
2697 TALLOC_FREE(r
->out
.sids
->sids
);
2698 r
->out
.sids
->num_sids
= 0;
2699 return NT_STATUS_NO_MEMORY
;
2703 return NT_STATUS_OK
;
2706 /***************************************************************************
2708 ***************************************************************************/
2710 NTSTATUS
_lsa_Delete(struct pipes_struct
*p
,
2711 struct lsa_Delete
*r
)
2713 return NT_STATUS_NOT_SUPPORTED
;
2717 * From here on the server routines are just dummy ones to make smbd link with
2718 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2719 * pulling the server stubs across one by one.
2722 NTSTATUS
_lsa_SetSecObj(struct pipes_struct
*p
, struct lsa_SetSecObj
*r
)
2724 p
->rng_fault_state
= True
;
2725 return NT_STATUS_NOT_IMPLEMENTED
;
2728 NTSTATUS
_lsa_ChangePassword(struct pipes_struct
*p
,
2729 struct lsa_ChangePassword
*r
)
2731 p
->rng_fault_state
= True
;
2732 return NT_STATUS_NOT_IMPLEMENTED
;
2735 NTSTATUS
_lsa_SetInfoPolicy(struct pipes_struct
*p
, struct lsa_SetInfoPolicy
*r
)
2737 p
->rng_fault_state
= True
;
2738 return NT_STATUS_NOT_IMPLEMENTED
;
2741 NTSTATUS
_lsa_ClearAuditLog(struct pipes_struct
*p
, struct lsa_ClearAuditLog
*r
)
2743 p
->rng_fault_state
= True
;
2744 return NT_STATUS_NOT_IMPLEMENTED
;
2747 NTSTATUS
_lsa_GetQuotasForAccount(struct pipes_struct
*p
,
2748 struct lsa_GetQuotasForAccount
*r
)
2750 p
->rng_fault_state
= True
;
2751 return NT_STATUS_NOT_IMPLEMENTED
;
2754 NTSTATUS
_lsa_SetQuotasForAccount(struct pipes_struct
*p
,
2755 struct lsa_SetQuotasForAccount
*r
)
2757 p
->rng_fault_state
= True
;
2758 return NT_STATUS_NOT_IMPLEMENTED
;
2761 NTSTATUS
_lsa_QueryTrustedDomainInfo(struct pipes_struct
*p
,
2762 struct lsa_QueryTrustedDomainInfo
*r
)
2764 p
->rng_fault_state
= True
;
2765 return NT_STATUS_NOT_IMPLEMENTED
;
2768 NTSTATUS
_lsa_SetInformationTrustedDomain(struct pipes_struct
*p
,
2769 struct lsa_SetInformationTrustedDomain
*r
)
2771 p
->rng_fault_state
= True
;
2772 return NT_STATUS_NOT_IMPLEMENTED
;
2775 NTSTATUS
_lsa_QuerySecret(struct pipes_struct
*p
, struct lsa_QuerySecret
*r
)
2777 p
->rng_fault_state
= True
;
2778 return NT_STATUS_NOT_IMPLEMENTED
;
2781 NTSTATUS
_lsa_QueryTrustedDomainInfoBySid(struct pipes_struct
*p
,
2782 struct lsa_QueryTrustedDomainInfoBySid
*r
)
2784 p
->rng_fault_state
= True
;
2785 return NT_STATUS_NOT_IMPLEMENTED
;
2788 NTSTATUS
_lsa_SetTrustedDomainInfo(struct pipes_struct
*p
,
2789 struct lsa_SetTrustedDomainInfo
*r
)
2791 p
->rng_fault_state
= True
;
2792 return NT_STATUS_NOT_IMPLEMENTED
;
2795 NTSTATUS
_lsa_StorePrivateData(struct pipes_struct
*p
,
2796 struct lsa_StorePrivateData
*r
)
2798 p
->rng_fault_state
= True
;
2799 return NT_STATUS_NOT_IMPLEMENTED
;
2802 NTSTATUS
_lsa_RetrievePrivateData(struct pipes_struct
*p
,
2803 struct lsa_RetrievePrivateData
*r
)
2805 p
->rng_fault_state
= True
;
2806 return NT_STATUS_NOT_IMPLEMENTED
;
2809 NTSTATUS
_lsa_SetInfoPolicy2(struct pipes_struct
*p
,
2810 struct lsa_SetInfoPolicy2
*r
)
2812 p
->rng_fault_state
= True
;
2813 return NT_STATUS_NOT_IMPLEMENTED
;
2816 NTSTATUS
_lsa_QueryTrustedDomainInfoByName(struct pipes_struct
*p
,
2817 struct lsa_QueryTrustedDomainInfoByName
*r
)
2819 p
->rng_fault_state
= True
;
2820 return NT_STATUS_NOT_IMPLEMENTED
;
2823 NTSTATUS
_lsa_SetTrustedDomainInfoByName(struct pipes_struct
*p
,
2824 struct lsa_SetTrustedDomainInfoByName
*r
)
2826 p
->rng_fault_state
= True
;
2827 return NT_STATUS_NOT_IMPLEMENTED
;
2830 NTSTATUS
_lsa_EnumTrustedDomainsEx(struct pipes_struct
*p
,
2831 struct lsa_EnumTrustedDomainsEx
*r
)
2833 p
->rng_fault_state
= True
;
2834 return NT_STATUS_NOT_IMPLEMENTED
;
2837 NTSTATUS
_lsa_CloseTrustedDomainEx(struct pipes_struct
*p
,
2838 struct lsa_CloseTrustedDomainEx
*r
)
2840 p
->rng_fault_state
= True
;
2841 return NT_STATUS_NOT_IMPLEMENTED
;
2844 NTSTATUS
_lsa_QueryDomainInformationPolicy(struct pipes_struct
*p
,
2845 struct lsa_QueryDomainInformationPolicy
*r
)
2847 p
->rng_fault_state
= True
;
2848 return NT_STATUS_NOT_IMPLEMENTED
;
2851 NTSTATUS
_lsa_SetDomainInformationPolicy(struct pipes_struct
*p
,
2852 struct lsa_SetDomainInformationPolicy
*r
)
2854 p
->rng_fault_state
= True
;
2855 return NT_STATUS_NOT_IMPLEMENTED
;
2858 NTSTATUS
_lsa_OpenTrustedDomainByName(struct pipes_struct
*p
,
2859 struct lsa_OpenTrustedDomainByName
*r
)
2861 p
->rng_fault_state
= True
;
2862 return NT_STATUS_NOT_IMPLEMENTED
;
2865 NTSTATUS
_lsa_TestCall(struct pipes_struct
*p
, struct lsa_TestCall
*r
)
2867 p
->rng_fault_state
= True
;
2868 return NT_STATUS_NOT_IMPLEMENTED
;
2871 NTSTATUS
_lsa_CREDRWRITE(struct pipes_struct
*p
, struct lsa_CREDRWRITE
*r
)
2873 p
->rng_fault_state
= True
;
2874 return NT_STATUS_NOT_IMPLEMENTED
;
2877 NTSTATUS
_lsa_CREDRREAD(struct pipes_struct
*p
, struct lsa_CREDRREAD
*r
)
2879 p
->rng_fault_state
= True
;
2880 return NT_STATUS_NOT_IMPLEMENTED
;
2883 NTSTATUS
_lsa_CREDRENUMERATE(struct pipes_struct
*p
, struct lsa_CREDRENUMERATE
*r
)
2885 p
->rng_fault_state
= True
;
2886 return NT_STATUS_NOT_IMPLEMENTED
;
2889 NTSTATUS
_lsa_CREDRWRITEDOMAINCREDENTIALS(struct pipes_struct
*p
,
2890 struct lsa_CREDRWRITEDOMAINCREDENTIALS
*r
)
2892 p
->rng_fault_state
= True
;
2893 return NT_STATUS_NOT_IMPLEMENTED
;
2896 NTSTATUS
_lsa_CREDRREADDOMAINCREDENTIALS(struct pipes_struct
*p
,
2897 struct lsa_CREDRREADDOMAINCREDENTIALS
*r
)
2899 p
->rng_fault_state
= True
;
2900 return NT_STATUS_NOT_IMPLEMENTED
;
2903 NTSTATUS
_lsa_CREDRDELETE(struct pipes_struct
*p
, struct lsa_CREDRDELETE
*r
)
2905 p
->rng_fault_state
= True
;
2906 return NT_STATUS_NOT_IMPLEMENTED
;
2909 NTSTATUS
_lsa_CREDRGETTARGETINFO(struct pipes_struct
*p
,
2910 struct lsa_CREDRGETTARGETINFO
*r
)
2912 p
->rng_fault_state
= True
;
2913 return NT_STATUS_NOT_IMPLEMENTED
;
2916 NTSTATUS
_lsa_CREDRPROFILELOADED(struct pipes_struct
*p
,
2917 struct lsa_CREDRPROFILELOADED
*r
)
2919 p
->rng_fault_state
= True
;
2920 return NT_STATUS_NOT_IMPLEMENTED
;
2923 NTSTATUS
_lsa_CREDRGETSESSIONTYPES(struct pipes_struct
*p
,
2924 struct lsa_CREDRGETSESSIONTYPES
*r
)
2926 p
->rng_fault_state
= True
;
2927 return NT_STATUS_NOT_IMPLEMENTED
;
2930 NTSTATUS
_lsa_LSARREGISTERAUDITEVENT(struct pipes_struct
*p
,
2931 struct lsa_LSARREGISTERAUDITEVENT
*r
)
2933 p
->rng_fault_state
= True
;
2934 return NT_STATUS_NOT_IMPLEMENTED
;
2937 NTSTATUS
_lsa_LSARGENAUDITEVENT(struct pipes_struct
*p
,
2938 struct lsa_LSARGENAUDITEVENT
*r
)
2940 p
->rng_fault_state
= True
;
2941 return NT_STATUS_NOT_IMPLEMENTED
;
2944 NTSTATUS
_lsa_LSARUNREGISTERAUDITEVENT(struct pipes_struct
*p
,
2945 struct lsa_LSARUNREGISTERAUDITEVENT
*r
)
2947 p
->rng_fault_state
= True
;
2948 return NT_STATUS_NOT_IMPLEMENTED
;
2951 NTSTATUS
_lsa_lsaRQueryForestTrustInformation(struct pipes_struct
*p
,
2952 struct lsa_lsaRQueryForestTrustInformation
*r
)
2954 p
->rng_fault_state
= True
;
2955 return NT_STATUS_NOT_IMPLEMENTED
;
2958 NTSTATUS
_lsa_lsaRSetForestTrustInformation(struct pipes_struct
*p
,
2959 struct lsa_lsaRSetForestTrustInformation
*r
)
2961 p
->rng_fault_state
= True
;
2962 return NT_STATUS_NOT_IMPLEMENTED
;
2965 NTSTATUS
_lsa_CREDRRENAME(struct pipes_struct
*p
,
2966 struct lsa_CREDRRENAME
*r
)
2968 p
->rng_fault_state
= True
;
2969 return NT_STATUS_NOT_IMPLEMENTED
;
2972 NTSTATUS
_lsa_LSAROPENPOLICYSCE(struct pipes_struct
*p
,
2973 struct lsa_LSAROPENPOLICYSCE
*r
)
2975 p
->rng_fault_state
= True
;
2976 return NT_STATUS_NOT_IMPLEMENTED
;
2979 NTSTATUS
_lsa_LSARADTREGISTERSECURITYEVENTSOURCE(struct pipes_struct
*p
,
2980 struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE
*r
)
2982 p
->rng_fault_state
= True
;
2983 return NT_STATUS_NOT_IMPLEMENTED
;
2986 NTSTATUS
_lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(struct pipes_struct
*p
,
2987 struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE
*r
)
2989 p
->rng_fault_state
= True
;
2990 return NT_STATUS_NOT_IMPLEMENTED
;
2993 NTSTATUS
_lsa_LSARADTREPORTSECURITYEVENT(struct pipes_struct
*p
,
2994 struct lsa_LSARADTREPORTSECURITYEVENT
*r
)
2996 p
->rng_fault_state
= True
;
2997 return NT_STATUS_NOT_IMPLEMENTED
;