2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
29 /* This is the implementation of the lsa server code. */
34 #define DBGC_CLASS DBGC_RPC_SRV
43 const struct generic_mapping lsa_generic_mapping
= {
50 /***************************************************************************
51 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
52 ***************************************************************************/
54 static int init_lsa_ref_domain_list(TALLOC_CTX
*mem_ctx
,
55 struct lsa_RefDomainList
*ref
,
61 if (dom_name
!= NULL
) {
62 for (num
= 0; num
< ref
->count
; num
++) {
63 if (sid_equal(dom_sid
, ref
->domains
[num
].sid
)) {
71 if (num
>= MAX_REF_DOMAINS
) {
72 /* index not found, already at maximum domain limit */
77 ref
->max_size
= MAX_REF_DOMAINS
;
79 ref
->domains
= TALLOC_REALLOC_ARRAY(mem_ctx
, ref
->domains
,
80 struct lsa_DomainInfo
, ref
->count
);
85 ZERO_STRUCT(ref
->domains
[num
]);
87 init_lsa_StringLarge(&ref
->domains
[num
].name
, dom_name
);
88 ref
->domains
[num
].sid
= sid_dup_talloc(mem_ctx
, dom_sid
);
89 if (!ref
->domains
[num
].sid
) {
97 /*******************************************************************
98 Function to free the per handle data.
99 ********************************************************************/
101 static void free_lsa_info(void *ptr
)
103 struct lsa_info
*lsa
= (struct lsa_info
*)ptr
;
108 /***************************************************************************
109 initialize a lsa_DomainInfo structure.
110 ***************************************************************************/
112 static void init_dom_query_3(struct lsa_DomainInfo
*r
,
116 init_lsa_StringLarge(&r
->name
, name
);
120 /***************************************************************************
121 initialize a lsa_DomainInfo structure.
122 ***************************************************************************/
124 static void init_dom_query_5(struct lsa_DomainInfo
*r
,
128 init_lsa_StringLarge(&r
->name
, name
);
132 /***************************************************************************
133 lookup_lsa_rids. Must be called as root for lookup_name to work.
134 ***************************************************************************/
136 static NTSTATUS
lookup_lsa_rids(TALLOC_CTX
*mem_ctx
,
137 struct lsa_RefDomainList
*ref
,
138 struct lsa_TranslatedSid
*prid
,
139 uint32_t num_entries
,
140 struct lsa_String
*name
,
142 uint32_t *pmapped_count
)
144 uint32 mapped_count
, i
;
146 SMB_ASSERT(num_entries
<= MAX_LOOKUP_SIDS
);
151 for (i
= 0; i
< num_entries
; i
++) {
155 const char *full_name
;
157 enum lsa_SidType type
= SID_NAME_UNKNOWN
;
159 /* Split name into domain and user component */
161 full_name
= name
[i
].string
;
162 if (full_name
== NULL
) {
163 return NT_STATUS_NO_MEMORY
;
166 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name
));
168 /* We can ignore the result of lookup_name, it will not touch
169 "type" if it's not successful */
171 lookup_name(mem_ctx
, full_name
, flags
, &domain
, NULL
,
176 case SID_NAME_DOM_GRP
:
177 case SID_NAME_DOMAIN
:
179 case SID_NAME_WKN_GRP
:
180 DEBUG(5, ("init_lsa_rids: %s found\n", full_name
));
181 /* Leave these unchanged */
184 /* Don't hand out anything but the list above */
185 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name
));
186 type
= SID_NAME_UNKNOWN
;
193 if (type
!= SID_NAME_UNKNOWN
) {
194 sid_split_rid(&sid
, &rid
);
195 dom_idx
= init_lsa_ref_domain_list(mem_ctx
, ref
, domain
, &sid
);
199 init_lsa_translated_sid(&prid
[i
], type
, rid
, dom_idx
);
202 *pmapped_count
= mapped_count
;
206 /***************************************************************************
207 lookup_lsa_sids. Must be called as root for lookup_name to work.
208 ***************************************************************************/
210 static NTSTATUS
lookup_lsa_sids(TALLOC_CTX
*mem_ctx
,
211 struct lsa_RefDomainList
*ref
,
212 struct lsa_TranslatedSid3
*trans_sids
,
213 uint32_t num_entries
,
214 struct lsa_String
*name
,
216 uint32
*pmapped_count
)
218 uint32 mapped_count
, i
;
220 SMB_ASSERT(num_entries
<= MAX_LOOKUP_SIDS
);
225 for (i
= 0; i
< num_entries
; i
++) {
229 const char *full_name
;
231 enum lsa_SidType type
= SID_NAME_UNKNOWN
;
235 /* Split name into domain and user component */
237 full_name
= name
[i
].string
;
238 if (full_name
== NULL
) {
239 return NT_STATUS_NO_MEMORY
;
242 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name
));
244 /* We can ignore the result of lookup_name, it will not touch
245 "type" if it's not successful */
247 lookup_name(mem_ctx
, full_name
, flags
, &domain
, NULL
,
252 case SID_NAME_DOM_GRP
:
253 case SID_NAME_DOMAIN
:
255 case SID_NAME_WKN_GRP
:
256 DEBUG(5, ("init_lsa_sids: %s found\n", full_name
));
257 /* Leave these unchanged */
260 /* Don't hand out anything but the list above */
261 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name
));
262 type
= SID_NAME_UNKNOWN
;
269 if (type
!= SID_NAME_UNKNOWN
) {
271 sid_copy(&domain_sid
, &sid
);
272 sid_split_rid(&domain_sid
, &rid
);
273 dom_idx
= init_lsa_ref_domain_list(mem_ctx
, ref
, domain
, &domain_sid
);
277 /* Initialize the lsa_TranslatedSid3 return. */
278 trans_sids
[i
].sid_type
= type
;
279 trans_sids
[i
].sid
= sid_dup_talloc(mem_ctx
, &sid
);
280 trans_sids
[i
].sid_index
= dom_idx
;
283 *pmapped_count
= mapped_count
;
287 static NTSTATUS
lsa_get_generic_sd(TALLOC_CTX
*mem_ctx
, SEC_DESC
**sd
, size_t *sd_size
)
289 DOM_SID local_adm_sid
;
296 init_sec_ace(&ace
[0], &global_sid_World
, SEC_ACE_TYPE_ACCESS_ALLOWED
, LSA_POLICY_EXECUTE
, 0);
298 sid_copy(&adm_sid
, get_global_sam_sid());
299 sid_append_rid(&adm_sid
, DOMAIN_GROUP_RID_ADMINS
);
300 init_sec_ace(&ace
[1], &adm_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, LSA_POLICY_ALL_ACCESS
, 0);
302 sid_copy(&local_adm_sid
, &global_sid_Builtin
);
303 sid_append_rid(&local_adm_sid
, BUILTIN_ALIAS_RID_ADMINS
);
304 init_sec_ace(&ace
[2], &local_adm_sid
, SEC_ACE_TYPE_ACCESS_ALLOWED
, LSA_POLICY_ALL_ACCESS
, 0);
306 if((psa
= make_sec_acl(mem_ctx
, NT4_ACL_REVISION
, 3, ace
)) == NULL
)
307 return NT_STATUS_NO_MEMORY
;
309 if((*sd
= make_sec_desc(mem_ctx
, SECURITY_DESCRIPTOR_REVISION_1
,
310 SEC_DESC_SELF_RELATIVE
, &adm_sid
, NULL
, NULL
,
311 psa
, sd_size
)) == NULL
)
312 return NT_STATUS_NO_MEMORY
;
317 #if 0 /* AD DC work in ongoing in Samba 4 */
319 /***************************************************************************
321 ***************************************************************************/
323 static void init_dns_dom_info(LSA_DNS_DOM_INFO
*r_l
, const char *nb_name
,
324 const char *dns_name
, const char *forest_name
,
325 struct GUID
*dom_guid
, DOM_SID
*dom_sid
)
327 if (nb_name
&& *nb_name
) {
328 init_unistr2(&r_l
->uni_nb_dom_name
, nb_name
, UNI_FLAGS_NONE
);
329 init_uni_hdr(&r_l
->hdr_nb_dom_name
, &r_l
->uni_nb_dom_name
);
330 r_l
->hdr_nb_dom_name
.uni_max_len
+= 2;
331 r_l
->uni_nb_dom_name
.uni_max_len
+= 1;
334 if (dns_name
&& *dns_name
) {
335 init_unistr2(&r_l
->uni_dns_dom_name
, dns_name
, UNI_FLAGS_NONE
);
336 init_uni_hdr(&r_l
->hdr_dns_dom_name
, &r_l
->uni_dns_dom_name
);
337 r_l
->hdr_dns_dom_name
.uni_max_len
+= 2;
338 r_l
->uni_dns_dom_name
.uni_max_len
+= 1;
341 if (forest_name
&& *forest_name
) {
342 init_unistr2(&r_l
->uni_forest_name
, forest_name
, UNI_FLAGS_NONE
);
343 init_uni_hdr(&r_l
->hdr_forest_name
, &r_l
->uni_forest_name
);
344 r_l
->hdr_forest_name
.uni_max_len
+= 2;
345 r_l
->uni_forest_name
.uni_max_len
+= 1;
348 /* how do we init the guid ? probably should write an init fn */
350 memcpy(&r_l
->dom_guid
, dom_guid
, sizeof(struct GUID
));
354 r_l
->ptr_dom_sid
= 1;
355 init_dom_sid2(&r_l
->dom_sid
, dom_sid
);
358 #endif /* AD DC work in ongoing in Samba 4 */
361 /***************************************************************************
363 ***************************************************************************/
365 NTSTATUS
_lsa_OpenPolicy2(pipes_struct
*p
,
366 struct lsa_OpenPolicy2
*r
)
368 struct lsa_info
*info
;
369 SEC_DESC
*psd
= NULL
;
371 uint32 des_access
= r
->in
.access_mask
;
376 /* map the generic bits to the lsa policy ones */
377 se_map_generic(&des_access
, &lsa_generic_mapping
);
379 /* get the generic lsa policy SD until we store it */
380 lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
382 status
= se_access_check(psd
, p
->pipe_user
.nt_user_token
, des_access
, &acc_granted
);
383 if (!NT_STATUS_IS_OK(status
)) {
384 if (p
->pipe_user
.ut
.uid
!= sec_initial_uid()) {
387 DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
388 acc_granted
, des_access
));
389 DEBUGADD(4,("but overwritten by euid == 0\n"));
392 /* This is needed for lsa_open_account and rpcclient .... :-) */
394 if (p
->pipe_user
.ut
.uid
== sec_initial_uid())
395 acc_granted
= LSA_POLICY_ALL_ACCESS
;
397 /* associate the domain SID with the (unique) handle. */
398 if ((info
= SMB_MALLOC_P(struct lsa_info
)) == NULL
)
399 return NT_STATUS_NO_MEMORY
;
402 sid_copy(&info
->sid
,get_global_sam_sid());
403 info
->access
= acc_granted
;
405 /* set up the LSA QUERY INFO response */
406 if (!create_policy_hnd(p
, r
->out
.handle
, free_lsa_info
, (void *)info
))
407 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
412 /***************************************************************************
414 ***************************************************************************/
416 NTSTATUS
_lsa_OpenPolicy(pipes_struct
*p
,
417 struct lsa_OpenPolicy
*r
)
419 struct lsa_info
*info
;
420 SEC_DESC
*psd
= NULL
;
422 uint32 des_access
= r
->in
.access_mask
;
427 /* map the generic bits to the lsa policy ones */
428 se_map_generic(&des_access
, &lsa_generic_mapping
);
430 /* get the generic lsa policy SD until we store it */
431 lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
433 status
= se_access_check(psd
, p
->pipe_user
.nt_user_token
, des_access
, &acc_granted
);
434 if (!NT_STATUS_IS_OK(status
)) {
435 if (p
->pipe_user
.ut
.uid
!= sec_initial_uid()) {
438 DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
439 acc_granted
, des_access
));
440 DEBUGADD(4,("but overwritten by euid == 0\n"));
441 acc_granted
= des_access
;
444 /* associate the domain SID with the (unique) handle. */
445 if ((info
= SMB_MALLOC_P(struct lsa_info
)) == NULL
)
446 return NT_STATUS_NO_MEMORY
;
449 sid_copy(&info
->sid
,get_global_sam_sid());
450 info
->access
= acc_granted
;
452 /* set up the LSA QUERY INFO response */
453 if (!create_policy_hnd(p
, r
->out
.handle
, free_lsa_info
, (void *)info
))
454 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
459 /***************************************************************************
460 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
462 ***************************************************************************/
464 NTSTATUS
_lsa_EnumTrustDom(pipes_struct
*p
,
465 struct lsa_EnumTrustDom
*r
)
467 struct lsa_info
*info
;
469 struct trustdom_info
**domains
;
470 struct lsa_DomainInfo
*lsa_domains
= NULL
;
474 * preferred length is set to 5 as a "our" preferred length
475 * nt sets this parameter to 2
476 * update (20.08.2002): it's not preferred length, but preferred size!
477 * it needs further investigation how to optimally choose this value
479 uint32 max_num_domains
=
480 r
->in
.max_size
< 5 ? r
->in
.max_size
: 10;
485 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
486 return NT_STATUS_INVALID_HANDLE
;
488 /* check if the user has enough rights */
489 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
490 return NT_STATUS_ACCESS_DENIED
;
493 nt_status
= pdb_enum_trusteddoms(p
->mem_ctx
, &num_domains
, &domains
);
496 if (!NT_STATUS_IS_OK(nt_status
)) {
500 if (*r
->in
.resume_handle
< num_domains
) {
501 num_thistime
= MIN(num_domains
, max_num_domains
);
503 nt_status
= STATUS_MORE_ENTRIES
;
505 if (*r
->in
.resume_handle
+ num_thistime
> num_domains
) {
506 num_thistime
= num_domains
- *r
->in
.resume_handle
;
507 nt_status
= NT_STATUS_OK
;
510 next_idx
= *r
->in
.resume_handle
+ num_thistime
;
513 next_idx
= 0xffffffff;
514 nt_status
= NT_STATUS_NO_MORE_ENTRIES
;
517 /* set up the lsa_enum_trust_dom response */
519 lsa_domains
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_DomainInfo
,
522 return NT_STATUS_NO_MEMORY
;
525 for (i
=0; i
<num_thistime
; i
++) {
526 init_lsa_StringLarge(&lsa_domains
[i
].name
, domains
[i
]->name
);
527 lsa_domains
[i
].sid
= &domains
[i
]->sid
;
530 *r
->out
.resume_handle
= next_idx
;
531 r
->out
.domains
->count
= num_thistime
;
532 r
->out
.domains
->domains
= lsa_domains
;
537 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
538 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
539 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
541 /***************************************************************************
543 ***************************************************************************/
545 NTSTATUS
_lsa_QueryInfoPolicy(pipes_struct
*p
,
546 struct lsa_QueryInfoPolicy
*r
)
548 NTSTATUS status
= NT_STATUS_OK
;
549 struct lsa_info
*handle
;
553 union lsa_PolicyInformation
*info
= NULL
;
555 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
556 return NT_STATUS_INVALID_HANDLE
;
558 info
= TALLOC_ZERO_P(p
->mem_ctx
, union lsa_PolicyInformation
);
560 return NT_STATUS_NO_MEMORY
;
563 switch (r
->in
.level
) {
567 uint32 policy_def
= LSA_AUDIT_POLICY_ALL
;
569 /* check if the user has enough rights */
570 if (!(handle
->access
& LSA_POLICY_VIEW_AUDIT_INFORMATION
)) {
571 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
572 return NT_STATUS_ACCESS_DENIED
;
575 /* fake info: We audit everything. ;) */
577 info
->audit_events
.auditing_mode
= true;
578 info
->audit_events
.count
= LSA_AUDIT_NUM_CATEGORIES
;
579 info
->audit_events
.settings
= TALLOC_ZERO_ARRAY(p
->mem_ctx
,
580 enum lsa_PolicyAuditPolicy
,
581 info
->audit_events
.count
);
582 if (!info
->audit_events
.settings
) {
583 return NT_STATUS_NO_MEMORY
;
586 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT
] = policy_def
;
587 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS
] = policy_def
;
588 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_LOGON
] = policy_def
;
589 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING
] = policy_def
;
590 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES
] = policy_def
;
591 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_SYSTEM
] = policy_def
;
592 info
->audit_events
.settings
[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS
] = policy_def
;
597 /* check if the user has enough rights */
598 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
599 return NT_STATUS_ACCESS_DENIED
;
601 /* Request PolicyPrimaryDomainInformation. */
602 switch (lp_server_role()) {
603 case ROLE_DOMAIN_PDC
:
604 case ROLE_DOMAIN_BDC
:
605 name
= get_global_sam_name();
606 sid
= sid_dup_talloc(p
->mem_ctx
, get_global_sam_sid());
608 return NT_STATUS_NO_MEMORY
;
611 case ROLE_DOMAIN_MEMBER
:
612 name
= lp_workgroup();
613 /* We need to return the Domain SID here. */
614 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid
)) {
615 sid
= sid_dup_talloc(p
->mem_ctx
, &domain_sid
);
617 return NT_STATUS_NO_MEMORY
;
620 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
623 case ROLE_STANDALONE
:
624 name
= lp_workgroup();
628 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
630 init_dom_query_3(&info
->domain
, name
, sid
);
633 /* check if the user has enough rights */
634 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
635 return NT_STATUS_ACCESS_DENIED
;
637 /* Request PolicyAccountDomainInformation. */
638 name
= get_global_sam_name();
639 sid
= get_global_sam_sid();
641 init_dom_query_5(&info
->account_domain
, name
, sid
);
644 /* check if the user has enough rights */
645 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
646 return NT_STATUS_ACCESS_DENIED
;
648 switch (lp_server_role()) {
649 case ROLE_DOMAIN_BDC
:
651 * only a BDC is a backup controller
652 * of the domain, it controls.
658 * any other role is a primary
659 * of the domain, it controls.
666 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
668 status
= NT_STATUS_INVALID_INFO_CLASS
;
677 /***************************************************************************
678 _lsa_lookup_sids_internal
679 ***************************************************************************/
681 static NTSTATUS
_lsa_lookup_sids_internal(pipes_struct
*p
,
683 uint16_t level
, /* input */
684 int num_sids
, /* input */
685 struct lsa_SidPtr
*sid
, /* input */
686 struct lsa_RefDomainList
**pp_ref
, /* input/output */
687 struct lsa_TranslatedName2
**pp_names
,/* input/output */
688 uint32_t *pp_mapped_count
) /* input/output */
692 const DOM_SID
**sids
= NULL
;
693 struct lsa_RefDomainList
*ref
= NULL
;
694 uint32 mapped_count
= 0;
695 struct lsa_dom_info
*dom_infos
= NULL
;
696 struct lsa_name_info
*name_infos
= NULL
;
697 struct lsa_TranslatedName2
*names
= NULL
;
699 *pp_mapped_count
= 0;
707 sids
= TALLOC_ARRAY(p
->mem_ctx
, const DOM_SID
*, num_sids
);
708 ref
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_RefDomainList
);
710 if (sids
== NULL
|| ref
== NULL
) {
711 return NT_STATUS_NO_MEMORY
;
714 for (i
=0; i
<num_sids
; i
++) {
715 sids
[i
] = sid
[i
].sid
;
718 status
= lookup_sids(p
->mem_ctx
, num_sids
, sids
, level
,
719 &dom_infos
, &name_infos
);
721 if (!NT_STATUS_IS_OK(status
)) {
725 names
= TALLOC_ARRAY(p
->mem_ctx
, struct lsa_TranslatedName2
, num_sids
);
727 return NT_STATUS_NO_MEMORY
;
730 for (i
=0; i
<MAX_REF_DOMAINS
; i
++) {
732 if (!dom_infos
[i
].valid
) {
736 if (init_lsa_ref_domain_list(mem_ctx
, ref
,
738 &dom_infos
[i
].sid
) != i
) {
739 DEBUG(0, ("Domain %s mentioned twice??\n",
741 return NT_STATUS_INTERNAL_ERROR
;
745 for (i
=0; i
<num_sids
; i
++) {
746 struct lsa_name_info
*name
= &name_infos
[i
];
748 if (name
->type
== SID_NAME_UNKNOWN
) {
751 /* Unknown sids should return the string
752 * representation of the SID. Windows 2003 behaves
753 * rather erratic here, in many cases it returns the
754 * RID as 8 bytes hex, in others it returns the full
755 * SID. We (Jerry/VL) could not figure out which the
756 * hard cases are, so leave it with the SID. */
757 name
->name
= talloc_asprintf(p
->mem_ctx
, "%s",
760 if (name
->name
== NULL
) {
761 return NT_STATUS_NO_MEMORY
;
767 init_lsa_translated_name2(&names
[i
], name
->type
,
768 name
->name
, name
->dom_idx
, 0);
771 status
= NT_STATUS_NONE_MAPPED
;
772 if (mapped_count
> 0) {
773 status
= (mapped_count
< num_sids
) ?
774 STATUS_SOME_UNMAPPED
: NT_STATUS_OK
;
777 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
778 num_sids
, mapped_count
, nt_errstr(status
)));
780 *pp_mapped_count
= mapped_count
;
787 /***************************************************************************
789 ***************************************************************************/
791 NTSTATUS
_lsa_LookupSids(pipes_struct
*p
,
792 struct lsa_LookupSids
*r
)
795 struct lsa_info
*handle
;
796 int num_sids
= r
->in
.sids
->num_sids
;
797 uint32 mapped_count
= 0;
798 struct lsa_RefDomainList
*domains
= NULL
;
799 struct lsa_TranslatedName
*names_out
= NULL
;
800 struct lsa_TranslatedName2
*names
= NULL
;
803 if ((r
->in
.level
< 1) || (r
->in
.level
> 6)) {
804 return NT_STATUS_INVALID_PARAMETER
;
807 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
808 return NT_STATUS_INVALID_HANDLE
;
811 /* check if the user has enough rights */
812 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
813 return NT_STATUS_ACCESS_DENIED
;
816 if (num_sids
> MAX_LOOKUP_SIDS
) {
817 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
818 MAX_LOOKUP_SIDS
, num_sids
));
819 return NT_STATUS_NONE_MAPPED
;
822 status
= _lsa_lookup_sids_internal(p
,
831 /* Only return here when there is a real error.
832 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
833 the requested sids could be resolved. Older versions of XP (pre SP3)
834 rely that we return with the string representations of those SIDs in
835 that case. If we don't, XP crashes - Guenther
838 if (NT_STATUS_IS_ERR(status
) &&
839 !NT_STATUS_EQUAL(status
, NT_STATUS_NONE_MAPPED
)) {
843 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
844 names_out
= TALLOC_ARRAY(p
->mem_ctx
, struct lsa_TranslatedName
,
847 return NT_STATUS_NO_MEMORY
;
850 for (i
=0; i
<num_sids
; i
++) {
851 names_out
[i
].sid_type
= names
[i
].sid_type
;
852 names_out
[i
].name
= names
[i
].name
;
853 names_out
[i
].sid_index
= names
[i
].sid_index
;
856 *r
->out
.domains
= domains
;
857 r
->out
.names
->count
= num_sids
;
858 r
->out
.names
->names
= names_out
;
859 *r
->out
.count
= mapped_count
;
864 /***************************************************************************
866 ***************************************************************************/
868 NTSTATUS
_lsa_LookupSids2(pipes_struct
*p
,
869 struct lsa_LookupSids2
*r
)
872 struct lsa_info
*handle
;
873 int num_sids
= r
->in
.sids
->num_sids
;
874 uint32 mapped_count
= 0;
875 struct lsa_RefDomainList
*domains
= NULL
;
876 struct lsa_TranslatedName2
*names
= NULL
;
877 bool check_policy
= true;
879 switch (p
->hdr_req
.opnum
) {
880 case NDR_LSA_LOOKUPSIDS3
:
881 check_policy
= false;
883 case NDR_LSA_LOOKUPSIDS2
:
888 if ((r
->in
.level
< 1) || (r
->in
.level
> 6)) {
889 return NT_STATUS_INVALID_PARAMETER
;
893 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
894 return NT_STATUS_INVALID_HANDLE
;
897 /* check if the user has enough rights */
898 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
899 return NT_STATUS_ACCESS_DENIED
;
903 if (num_sids
> MAX_LOOKUP_SIDS
) {
904 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
905 MAX_LOOKUP_SIDS
, num_sids
));
906 return NT_STATUS_NONE_MAPPED
;
909 status
= _lsa_lookup_sids_internal(p
,
918 *r
->out
.domains
= domains
;
919 r
->out
.names
->count
= num_sids
;
920 r
->out
.names
->names
= names
;
921 *r
->out
.count
= mapped_count
;
926 /***************************************************************************
928 ***************************************************************************/
930 NTSTATUS
_lsa_LookupSids3(pipes_struct
*p
,
931 struct lsa_LookupSids3
*r
)
933 struct lsa_LookupSids2 q
;
935 /* No policy handle on this call. Restrict to crypto connections. */
936 if (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) {
937 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
938 get_remote_machine_name() ));
939 return NT_STATUS_INVALID_PARAMETER
;
943 q
.in
.sids
= r
->in
.sids
;
944 q
.in
.level
= r
->in
.level
;
945 q
.in
.unknown1
= r
->in
.unknown1
;
946 q
.in
.unknown2
= r
->in
.unknown2
;
947 q
.in
.names
= r
->in
.names
;
948 q
.in
.count
= r
->in
.count
;
950 q
.out
.domains
= r
->out
.domains
;
951 q
.out
.names
= r
->out
.names
;
952 q
.out
.count
= r
->out
.count
;
954 return _lsa_LookupSids2(p
, &q
);
957 /***************************************************************************
958 ***************************************************************************/
960 static int lsa_lookup_level_to_flags(uint16 level
)
966 flags
= LOOKUP_NAME_ALL
;
969 flags
= LOOKUP_NAME_DOMAIN
|LOOKUP_NAME_REMOTE
|LOOKUP_NAME_ISOLATED
;
972 flags
= LOOKUP_NAME_DOMAIN
|LOOKUP_NAME_ISOLATED
;
978 flags
= LOOKUP_NAME_NONE
;
985 /***************************************************************************
987 ***************************************************************************/
989 NTSTATUS
_lsa_LookupNames(pipes_struct
*p
,
990 struct lsa_LookupNames
*r
)
992 NTSTATUS status
= NT_STATUS_NONE_MAPPED
;
993 struct lsa_info
*handle
;
994 struct lsa_String
*names
= r
->in
.names
;
995 uint32 num_entries
= r
->in
.num_names
;
996 struct lsa_RefDomainList
*domains
= NULL
;
997 struct lsa_TranslatedSid
*rids
= NULL
;
998 uint32 mapped_count
= 0;
1001 if (num_entries
> MAX_LOOKUP_SIDS
) {
1002 num_entries
= MAX_LOOKUP_SIDS
;
1003 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1007 flags
= lsa_lookup_level_to_flags(r
->in
.level
);
1009 domains
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_RefDomainList
);
1011 return NT_STATUS_NO_MEMORY
;
1015 rids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_TranslatedSid
,
1018 return NT_STATUS_NO_MEMORY
;
1024 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
1025 status
= NT_STATUS_INVALID_HANDLE
;
1029 /* check if the user has enough rights */
1030 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
1031 status
= NT_STATUS_ACCESS_DENIED
;
1035 /* set up the LSA Lookup RIDs response */
1036 become_root(); /* lookup_name can require root privs */
1037 status
= lookup_lsa_rids(p
->mem_ctx
, domains
, rids
, num_entries
,
1038 names
, flags
, &mapped_count
);
1043 if (NT_STATUS_IS_OK(status
) && (num_entries
!= 0) ) {
1044 if (mapped_count
== 0) {
1045 status
= NT_STATUS_NONE_MAPPED
;
1046 } else if (mapped_count
!= num_entries
) {
1047 status
= STATUS_SOME_UNMAPPED
;
1051 *r
->out
.count
= mapped_count
;
1052 *r
->out
.domains
= domains
;
1053 r
->out
.sids
->sids
= rids
;
1054 r
->out
.sids
->count
= num_entries
;
1059 /***************************************************************************
1061 ***************************************************************************/
1063 NTSTATUS
_lsa_LookupNames2(pipes_struct
*p
,
1064 struct lsa_LookupNames2
*r
)
1067 struct lsa_LookupNames q
;
1068 struct lsa_TransSidArray2
*sid_array2
= r
->in
.sids
;
1069 struct lsa_TransSidArray
*sid_array
= NULL
;
1072 sid_array
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_TransSidArray
);
1074 return NT_STATUS_NO_MEMORY
;
1077 q
.in
.handle
= r
->in
.handle
;
1078 q
.in
.num_names
= r
->in
.num_names
;
1079 q
.in
.names
= r
->in
.names
;
1080 q
.in
.level
= r
->in
.level
;
1081 q
.in
.sids
= sid_array
;
1082 q
.in
.count
= r
->in
.count
;
1083 /* we do not know what this is for */
1084 /* = r->in.unknown1; */
1085 /* = r->in.unknown2; */
1087 q
.out
.domains
= r
->out
.domains
;
1088 q
.out
.sids
= sid_array
;
1089 q
.out
.count
= r
->out
.count
;
1091 status
= _lsa_LookupNames(p
, &q
);
1093 sid_array2
->sids
= TALLOC_ARRAY(p
->mem_ctx
, struct lsa_TranslatedSid2
, sid_array
->count
);
1094 if (!sid_array2
->sids
) {
1095 return NT_STATUS_NO_MEMORY
;
1098 for (i
=0; i
<sid_array
->count
; i
++) {
1099 sid_array2
->sids
[i
].sid_type
= sid_array
->sids
[i
].sid_type
;
1100 sid_array2
->sids
[i
].rid
= sid_array
->sids
[i
].rid
;
1101 sid_array2
->sids
[i
].sid_index
= sid_array
->sids
[i
].sid_index
;
1102 sid_array2
->sids
[i
].unknown
= 0;
1105 r
->out
.sids
= sid_array2
;
1110 /***************************************************************************
1112 ***************************************************************************/
1114 NTSTATUS
_lsa_LookupNames3(pipes_struct
*p
,
1115 struct lsa_LookupNames3
*r
)
1118 struct lsa_info
*handle
;
1119 struct lsa_String
*names
= r
->in
.names
;
1120 uint32 num_entries
= r
->in
.num_names
;
1121 struct lsa_RefDomainList
*domains
= NULL
;
1122 struct lsa_TranslatedSid3
*trans_sids
= NULL
;
1123 uint32 mapped_count
= 0;
1125 bool check_policy
= true;
1127 switch (p
->hdr_req
.opnum
) {
1128 case NDR_LSA_LOOKUPNAMES4
:
1129 check_policy
= false;
1131 case NDR_LSA_LOOKUPNAMES3
:
1133 check_policy
= true;
1136 if (num_entries
> MAX_LOOKUP_SIDS
) {
1137 num_entries
= MAX_LOOKUP_SIDS
;
1138 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries
));
1141 /* Probably the lookup_level is some sort of bitmask. */
1142 if (r
->in
.level
== 1) {
1143 flags
= LOOKUP_NAME_ALL
;
1146 domains
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_RefDomainList
);
1148 return NT_STATUS_NO_MEMORY
;
1152 trans_sids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_TranslatedSid3
,
1155 return NT_STATUS_NO_MEMORY
;
1163 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
)) {
1164 status
= NT_STATUS_INVALID_HANDLE
;
1168 /* check if the user has enough rights */
1169 if (!(handle
->access
& LSA_POLICY_LOOKUP_NAMES
)) {
1170 status
= NT_STATUS_ACCESS_DENIED
;
1175 /* set up the LSA Lookup SIDs response */
1176 become_root(); /* lookup_name can require root privs */
1177 status
= lookup_lsa_sids(p
->mem_ctx
, domains
, trans_sids
, num_entries
,
1178 names
, flags
, &mapped_count
);
1183 if (NT_STATUS_IS_OK(status
)) {
1184 if (mapped_count
== 0) {
1185 status
= NT_STATUS_NONE_MAPPED
;
1186 } else if (mapped_count
!= num_entries
) {
1187 status
= STATUS_SOME_UNMAPPED
;
1191 *r
->out
.count
= mapped_count
;
1192 *r
->out
.domains
= domains
;
1193 r
->out
.sids
->sids
= trans_sids
;
1194 r
->out
.sids
->count
= num_entries
;
1199 /***************************************************************************
1201 ***************************************************************************/
1203 NTSTATUS
_lsa_LookupNames4(pipes_struct
*p
,
1204 struct lsa_LookupNames4
*r
)
1206 struct lsa_LookupNames3 q
;
1208 /* No policy handle on this call. Restrict to crypto connections. */
1209 if (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) {
1210 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1211 get_remote_machine_name() ));
1212 return NT_STATUS_INVALID_PARAMETER
;
1216 q
.in
.num_names
= r
->in
.num_names
;
1217 q
.in
.names
= r
->in
.names
;
1218 q
.in
.level
= r
->in
.level
;
1219 q
.in
.unknown1
= r
->in
.unknown1
;
1220 q
.in
.unknown2
= r
->in
.unknown2
;
1221 q
.in
.sids
= r
->in
.sids
;
1222 q
.in
.count
= r
->in
.count
;
1224 q
.out
.domains
= r
->out
.domains
;
1225 q
.out
.sids
= r
->out
.sids
;
1226 q
.out
.count
= r
->out
.count
;
1228 return _lsa_LookupNames3(p
, &q
);
1231 /***************************************************************************
1232 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1233 ***************************************************************************/
1235 NTSTATUS
_lsa_Close(pipes_struct
*p
, struct lsa_Close
*r
)
1237 if (!find_policy_by_hnd(p
, r
->in
.handle
, NULL
)) {
1238 return NT_STATUS_INVALID_HANDLE
;
1241 close_policy_hnd(p
, r
->in
.handle
);
1242 ZERO_STRUCTP(r
->out
.handle
);
1243 return NT_STATUS_OK
;
1246 /***************************************************************************
1247 ***************************************************************************/
1249 NTSTATUS
_lsa_OpenSecret(pipes_struct
*p
, struct lsa_OpenSecret
*r
)
1251 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1254 /***************************************************************************
1255 ***************************************************************************/
1257 NTSTATUS
_lsa_OpenTrustedDomain(pipes_struct
*p
, struct lsa_OpenTrustedDomain
*r
)
1259 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1262 /***************************************************************************
1263 ***************************************************************************/
1265 NTSTATUS
_lsa_CreateTrustedDomain(pipes_struct
*p
, struct lsa_CreateTrustedDomain
*r
)
1267 return NT_STATUS_ACCESS_DENIED
;
1270 /***************************************************************************
1271 ***************************************************************************/
1273 NTSTATUS
_lsa_CreateSecret(pipes_struct
*p
, struct lsa_CreateSecret
*r
)
1275 return NT_STATUS_ACCESS_DENIED
;
1278 /***************************************************************************
1279 ***************************************************************************/
1281 NTSTATUS
_lsa_SetSecret(pipes_struct
*p
, struct lsa_SetSecret
*r
)
1283 return NT_STATUS_ACCESS_DENIED
;
1286 /***************************************************************************
1288 ***************************************************************************/
1290 NTSTATUS
_lsa_DeleteObject(pipes_struct
*p
,
1291 struct lsa_DeleteObject
*r
)
1293 return NT_STATUS_ACCESS_DENIED
;
1296 /***************************************************************************
1298 ***************************************************************************/
1300 NTSTATUS
_lsa_EnumPrivs(pipes_struct
*p
,
1301 struct lsa_EnumPrivs
*r
)
1303 struct lsa_info
*handle
;
1305 uint32 enum_context
= *r
->in
.resume_handle
;
1306 int num_privs
= count_all_privileges();
1307 struct lsa_PrivEntry
*entries
= NULL
;
1310 /* remember that the enum_context starts at 0 and not 1 */
1312 if ( enum_context
>= num_privs
)
1313 return NT_STATUS_NO_MORE_ENTRIES
;
1315 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1316 enum_context
, num_privs
));
1318 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1319 return NT_STATUS_INVALID_HANDLE
;
1321 /* check if the user has enough rights
1322 I don't know if it's the right one. not documented. */
1324 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1325 return NT_STATUS_ACCESS_DENIED
;
1328 entries
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_PrivEntry
, num_privs
);
1330 return NT_STATUS_NO_MEMORY
;
1336 for (i
= 0; i
< num_privs
; i
++) {
1337 if( i
< enum_context
) {
1339 init_lsa_StringLarge(&entries
[i
].name
, NULL
);
1341 entries
[i
].luid
.low
= 0;
1342 entries
[i
].luid
.high
= 0;
1345 init_lsa_StringLarge(&entries
[i
].name
, privs
[i
].name
);
1347 luid
= get_privilege_luid( &privs
[i
].se_priv
);
1349 entries
[i
].luid
.low
= luid
.luid
.low
;
1350 entries
[i
].luid
.high
= luid
.luid
.high
;
1354 enum_context
= num_privs
;
1356 *r
->out
.resume_handle
= enum_context
;
1357 r
->out
.privs
->count
= num_privs
;
1358 r
->out
.privs
->privs
= entries
;
1360 return NT_STATUS_OK
;
1363 /***************************************************************************
1364 _lsa_LookupPrivDisplayName
1365 ***************************************************************************/
1367 NTSTATUS
_lsa_LookupPrivDisplayName(pipes_struct
*p
,
1368 struct lsa_LookupPrivDisplayName
*r
)
1370 struct lsa_info
*handle
;
1371 const char *description
;
1372 struct lsa_StringLarge
*lsa_name
;
1374 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1375 return NT_STATUS_INVALID_HANDLE
;
1377 /* check if the user has enough rights */
1380 * I don't know if it's the right one. not documented.
1382 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1383 return NT_STATUS_ACCESS_DENIED
;
1385 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r
->in
.name
->string
));
1387 description
= get_privilege_dispname(r
->in
.name
->string
);
1389 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1390 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1393 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description
));
1395 lsa_name
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_StringLarge
);
1397 return NT_STATUS_NO_MEMORY
;
1400 init_lsa_StringLarge(lsa_name
, description
);
1402 *r
->out
.returned_language_id
= r
->in
.language_id
;
1403 *r
->out
.disp_name
= lsa_name
;
1405 return NT_STATUS_OK
;
1408 /***************************************************************************
1410 ***************************************************************************/
1412 NTSTATUS
_lsa_EnumAccounts(pipes_struct
*p
,
1413 struct lsa_EnumAccounts
*r
)
1415 struct lsa_info
*handle
;
1417 int i
, j
, num_entries
;
1419 struct lsa_SidPtr
*sids
= NULL
;
1421 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1422 return NT_STATUS_INVALID_HANDLE
;
1424 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1425 return NT_STATUS_ACCESS_DENIED
;
1430 /* The only way we can currently find out all the SIDs that have been
1431 privileged is to scan all privileges */
1433 status
= privilege_enumerate_accounts(&sid_list
, &num_entries
);
1434 if (!NT_STATUS_IS_OK(status
)) {
1438 if (*r
->in
.resume_handle
>= num_entries
) {
1439 return NT_STATUS_NO_MORE_ENTRIES
;
1442 if (num_entries
- *r
->in
.resume_handle
) {
1443 sids
= TALLOC_ZERO_ARRAY(p
->mem_ctx
, struct lsa_SidPtr
,
1444 num_entries
- *r
->in
.resume_handle
);
1446 SAFE_FREE(sid_list
);
1447 return NT_STATUS_NO_MEMORY
;
1450 for (i
= *r
->in
.resume_handle
, j
= 0; i
< num_entries
; i
++, j
++) {
1451 sids
[j
].sid
= sid_dup_talloc(p
->mem_ctx
, &sid_list
[i
]);
1453 SAFE_FREE(sid_list
);
1454 return NT_STATUS_NO_MEMORY
;
1459 talloc_free(sid_list
);
1461 *r
->out
.resume_handle
= num_entries
;
1462 r
->out
.sids
->num_sids
= num_entries
;
1463 r
->out
.sids
->sids
= sids
;
1465 return NT_STATUS_OK
;
1468 /***************************************************************************
1470 ***************************************************************************/
1472 NTSTATUS
_lsa_GetUserName(pipes_struct
*p
,
1473 struct lsa_GetUserName
*r
)
1475 const char *username
, *domname
;
1476 struct lsa_String
*account_name
= NULL
;
1477 struct lsa_String
*authority_name
= NULL
;
1479 if (r
->in
.account_name
&&
1480 *r
->in
.account_name
) {
1481 return NT_STATUS_INVALID_PARAMETER
;
1484 if (r
->in
.authority_name
&&
1485 *r
->in
.authority_name
) {
1486 return NT_STATUS_INVALID_PARAMETER
;
1489 if (p
->server_info
->guest
) {
1491 * I'm 99% sure this is not the right place to do this,
1492 * global_sid_Anonymous should probably be put into the token
1493 * instead of the guest id -- vl
1495 if (!lookup_sid(p
->mem_ctx
, &global_sid_Anonymous
,
1496 &domname
, &username
, NULL
)) {
1497 return NT_STATUS_NO_MEMORY
;
1500 username
= p
->server_info
->sanitized_username
;
1501 domname
= pdb_get_domain(p
->server_info
->sam_account
);
1504 account_name
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_String
);
1505 if (!account_name
) {
1506 return NT_STATUS_NO_MEMORY
;
1508 init_lsa_String(account_name
, username
);
1510 if (r
->out
.authority_name
) {
1511 authority_name
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_String
);
1512 if (!authority_name
) {
1513 return NT_STATUS_NO_MEMORY
;
1515 init_lsa_String(authority_name
, domname
);
1518 *r
->out
.account_name
= account_name
;
1519 if (r
->out
.authority_name
) {
1520 *r
->out
.authority_name
= authority_name
;
1523 return NT_STATUS_OK
;
1526 /***************************************************************************
1528 ***************************************************************************/
1530 NTSTATUS
_lsa_CreateAccount(pipes_struct
*p
,
1531 struct lsa_CreateAccount
*r
)
1533 struct lsa_info
*handle
;
1534 struct lsa_info
*info
;
1536 /* find the connection policy handle. */
1537 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1538 return NT_STATUS_INVALID_HANDLE
;
1540 /* check if the user has enough rights */
1543 * I don't know if it's the right one. not documented.
1544 * but guessed with rpcclient.
1546 if (!(handle
->access
& LSA_POLICY_GET_PRIVATE_INFORMATION
))
1547 return NT_STATUS_ACCESS_DENIED
;
1549 /* check to see if the pipe_user is a Domain Admin since
1550 account_pol.tdb was already opened as root, this is all we have */
1552 if ( p
->pipe_user
.ut
.uid
!= sec_initial_uid()
1553 && !nt_token_check_domain_rid( p
->pipe_user
.nt_user_token
, DOMAIN_GROUP_RID_ADMINS
) )
1554 return NT_STATUS_ACCESS_DENIED
;
1556 if ( is_privileged_sid( r
->in
.sid
) )
1557 return NT_STATUS_OBJECT_NAME_COLLISION
;
1559 /* associate the user/group SID with the (unique) handle. */
1561 if ((info
= SMB_MALLOC_P(struct lsa_info
)) == NULL
)
1562 return NT_STATUS_NO_MEMORY
;
1565 info
->sid
= *r
->in
.sid
;
1566 info
->access
= r
->in
.access_mask
;
1568 /* get a (unique) handle. open a policy on it. */
1569 if (!create_policy_hnd(p
, r
->out
.acct_handle
, free_lsa_info
, (void *)info
))
1570 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1572 return privilege_create_account( &info
->sid
);
1576 /***************************************************************************
1578 ***************************************************************************/
1580 NTSTATUS
_lsa_OpenAccount(pipes_struct
*p
,
1581 struct lsa_OpenAccount
*r
)
1583 struct lsa_info
*handle
;
1584 struct lsa_info
*info
;
1586 /* find the connection policy handle. */
1587 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1588 return NT_STATUS_INVALID_HANDLE
;
1590 /* check if the user has enough rights */
1593 * I don't know if it's the right one. not documented.
1594 * but guessed with rpcclient.
1596 if (!(handle
->access
& LSA_POLICY_GET_PRIVATE_INFORMATION
))
1597 return NT_STATUS_ACCESS_DENIED
;
1599 /* TODO: Fis the parsing routine before reenabling this check! */
1601 if (!lookup_sid(&handle
->sid
, dom_name
, name
, &type
))
1602 return NT_STATUS_ACCESS_DENIED
;
1604 /* associate the user/group SID with the (unique) handle. */
1605 if ((info
= SMB_MALLOC_P(struct lsa_info
)) == NULL
)
1606 return NT_STATUS_NO_MEMORY
;
1609 info
->sid
= *r
->in
.sid
;
1610 info
->access
= r
->in
.access_mask
;
1612 /* get a (unique) handle. open a policy on it. */
1613 if (!create_policy_hnd(p
, r
->out
.acct_handle
, free_lsa_info
, (void *)info
))
1614 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1616 return NT_STATUS_OK
;
1619 /***************************************************************************
1620 _lsa_EnumPrivsAccount
1621 For a given SID, enumerate all the privilege this account has.
1622 ***************************************************************************/
1624 NTSTATUS
_lsa_EnumPrivsAccount(pipes_struct
*p
,
1625 struct lsa_EnumPrivsAccount
*r
)
1627 NTSTATUS status
= NT_STATUS_OK
;
1628 struct lsa_info
*info
=NULL
;
1630 PRIVILEGE_SET privileges
;
1631 struct lsa_PrivilegeSet
*priv_set
= NULL
;
1632 struct lsa_LUIDAttribute
*luid_attrs
= NULL
;
1635 /* find the connection policy handle. */
1636 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1637 return NT_STATUS_INVALID_HANDLE
;
1639 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1640 return NT_STATUS_ACCESS_DENIED
;
1642 if ( !get_privileges_for_sids( &mask
, &info
->sid
, 1 ) )
1643 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1645 privilege_set_init( &privileges
);
1647 if ( se_priv_to_privilege_set( &privileges
, &mask
) ) {
1649 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1650 sid_string_dbg(&info
->sid
),
1653 priv_set
= TALLOC_ZERO_P(p
->mem_ctx
, struct lsa_PrivilegeSet
);
1655 status
= NT_STATUS_NO_MEMORY
;
1659 luid_attrs
= TALLOC_ZERO_ARRAY(p
->mem_ctx
,
1660 struct lsa_LUIDAttribute
,
1663 status
= NT_STATUS_NO_MEMORY
;
1667 for (i
=0; i
<privileges
.count
; i
++) {
1668 luid_attrs
[i
].luid
.low
= privileges
.set
[i
].luid
.low
;
1669 luid_attrs
[i
].luid
.high
= privileges
.set
[i
].luid
.high
;
1670 luid_attrs
[i
].attribute
= privileges
.set
[i
].attr
;
1673 priv_set
->count
= privileges
.count
;
1674 priv_set
->unknown
= 0;
1675 priv_set
->set
= luid_attrs
;
1677 *r
->out
.privs
= priv_set
;
1679 status
= NT_STATUS_NO_SUCH_PRIVILEGE
;
1683 privilege_set_free( &privileges
);
1688 /***************************************************************************
1689 _lsa_GetSystemAccessAccount
1690 ***************************************************************************/
1692 NTSTATUS
_lsa_GetSystemAccessAccount(pipes_struct
*p
,
1693 struct lsa_GetSystemAccessAccount
*r
)
1695 struct lsa_info
*info
=NULL
;
1697 /* find the connection policy handle. */
1699 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1700 return NT_STATUS_INVALID_HANDLE
;
1702 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1703 return NT_STATUS_ACCESS_DENIED
;
1705 if (!lookup_sid(p
->mem_ctx
, &info
->sid
, NULL
, NULL
, NULL
))
1706 return NT_STATUS_ACCESS_DENIED
;
1709 0x01 -> Log on locally
1710 0x02 -> Access this computer from network
1711 0x04 -> Log on as a batch job
1712 0x10 -> Log on as a service
1714 they can be ORed together
1717 *r
->out
.access_mask
= PR_LOG_ON_LOCALLY
| PR_ACCESS_FROM_NETWORK
;
1719 return NT_STATUS_OK
;
1722 /***************************************************************************
1723 update the systemaccount information
1724 ***************************************************************************/
1726 NTSTATUS
_lsa_SetSystemAccessAccount(pipes_struct
*p
,
1727 struct lsa_SetSystemAccessAccount
*r
)
1729 struct lsa_info
*info
=NULL
;
1732 /* find the connection policy handle. */
1733 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1734 return NT_STATUS_INVALID_HANDLE
;
1736 /* check to see if the pipe_user is a Domain Admin since
1737 account_pol.tdb was already opened as root, this is all we have */
1739 if ( p
->pipe_user
.ut
.uid
!= sec_initial_uid()
1740 && !nt_token_check_domain_rid( p
->pipe_user
.nt_user_token
, DOMAIN_GROUP_RID_ADMINS
) )
1741 return NT_STATUS_ACCESS_DENIED
;
1743 if (!pdb_getgrsid(&map
, info
->sid
))
1744 return NT_STATUS_NO_SUCH_GROUP
;
1746 return pdb_update_group_mapping_entry(&map
);
1749 /***************************************************************************
1750 _lsa_AddPrivilegesToAccount
1751 For a given SID, add some privileges.
1752 ***************************************************************************/
1754 NTSTATUS
_lsa_AddPrivilegesToAccount(pipes_struct
*p
,
1755 struct lsa_AddPrivilegesToAccount
*r
)
1757 struct lsa_info
*info
= NULL
;
1759 struct lsa_PrivilegeSet
*set
= NULL
;
1761 /* find the connection policy handle. */
1762 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1763 return NT_STATUS_INVALID_HANDLE
;
1765 /* check to see if the pipe_user is root or a Domain Admin since
1766 account_pol.tdb was already opened as root, this is all we have */
1768 if ( p
->pipe_user
.ut
.uid
!= sec_initial_uid()
1769 && !nt_token_check_domain_rid( p
->pipe_user
.nt_user_token
, DOMAIN_GROUP_RID_ADMINS
) )
1771 return NT_STATUS_ACCESS_DENIED
;
1775 if ( !privilege_set_to_se_priv( &mask
, set
) )
1776 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1778 if ( !grant_privilege( &info
->sid
, &mask
) ) {
1779 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1780 sid_string_dbg(&info
->sid
) ));
1781 DEBUG(3,("Privilege mask:\n"));
1782 dump_se_priv( DBGC_ALL
, 3, &mask
);
1783 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1786 return NT_STATUS_OK
;
1789 /***************************************************************************
1790 _lsa_RemovePrivilegesFromAccount
1791 For a given SID, remove some privileges.
1792 ***************************************************************************/
1794 NTSTATUS
_lsa_RemovePrivilegesFromAccount(pipes_struct
*p
,
1795 struct lsa_RemovePrivilegesFromAccount
*r
)
1797 struct lsa_info
*info
= NULL
;
1799 struct lsa_PrivilegeSet
*set
= NULL
;
1801 /* find the connection policy handle. */
1802 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1803 return NT_STATUS_INVALID_HANDLE
;
1805 /* check to see if the pipe_user is root or a Domain Admin since
1806 account_pol.tdb was already opened as root, this is all we have */
1808 if ( p
->pipe_user
.ut
.uid
!= sec_initial_uid()
1809 && !nt_token_check_domain_rid( p
->pipe_user
.nt_user_token
, DOMAIN_GROUP_RID_ADMINS
) )
1811 return NT_STATUS_ACCESS_DENIED
;
1816 if ( !privilege_set_to_se_priv( &mask
, set
) )
1817 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1819 if ( !revoke_privilege( &info
->sid
, &mask
) ) {
1820 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
1821 sid_string_dbg(&info
->sid
) ));
1822 DEBUG(3,("Privilege mask:\n"));
1823 dump_se_priv( DBGC_ALL
, 3, &mask
);
1824 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1827 return NT_STATUS_OK
;
1830 /***************************************************************************
1832 ***************************************************************************/
1834 NTSTATUS
_lsa_QuerySecurity(pipes_struct
*p
,
1835 struct lsa_QuerySecurity
*r
)
1837 struct lsa_info
*handle
=NULL
;
1838 SEC_DESC
*psd
= NULL
;
1842 /* find the connection policy handle. */
1843 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&handle
))
1844 return NT_STATUS_INVALID_HANDLE
;
1846 /* check if the user has enough rights */
1847 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1848 return NT_STATUS_ACCESS_DENIED
;
1850 switch (r
->in
.sec_info
) {
1852 /* SD contains only the owner */
1854 status
=lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
1855 if(!NT_STATUS_IS_OK(status
))
1856 return NT_STATUS_NO_MEMORY
;
1859 if((*r
->out
.sdbuf
= make_sec_desc_buf(p
->mem_ctx
, sd_size
, psd
)) == NULL
)
1860 return NT_STATUS_NO_MEMORY
;
1863 /* SD contains only the ACL */
1865 status
=lsa_get_generic_sd(p
->mem_ctx
, &psd
, &sd_size
);
1866 if(!NT_STATUS_IS_OK(status
))
1867 return NT_STATUS_NO_MEMORY
;
1869 if((*r
->out
.sdbuf
= make_sec_desc_buf(p
->mem_ctx
, sd_size
, psd
)) == NULL
)
1870 return NT_STATUS_NO_MEMORY
;
1873 return NT_STATUS_INVALID_LEVEL
;
1879 #if 0 /* AD DC work in ongoing in Samba 4 */
1881 /***************************************************************************
1882 ***************************************************************************/
1884 NTSTATUS
_lsa_query_info2(pipes_struct
*p
, LSA_Q_QUERY_INFO2
*q_u
, LSA_R_QUERY_INFO2
*r_u
)
1886 struct lsa_info
*handle
;
1887 const char *nb_name
;
1888 char *dns_name
= NULL
;
1889 char *forest_name
= NULL
;
1890 DOM_SID
*sid
= NULL
;
1895 r_u
->status
= NT_STATUS_OK
;
1897 if (!find_policy_by_hnd(p
, &q_u
->pol
, (void **)(void *)&handle
))
1898 return NT_STATUS_INVALID_HANDLE
;
1900 switch (q_u
->info_class
) {
1902 /* check if the user has enough rights */
1903 if (!(handle
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
1904 return NT_STATUS_ACCESS_DENIED
;
1906 /* Request PolicyPrimaryDomainInformation. */
1907 switch (lp_server_role()) {
1908 case ROLE_DOMAIN_PDC
:
1909 case ROLE_DOMAIN_BDC
:
1910 nb_name
= get_global_sam_name();
1911 /* ugly temp hack for these next two */
1913 /* This should be a 'netbios domain -> DNS domain' mapping */
1914 dnsdomname
= get_mydnsdomname(p
->mem_ctx
);
1915 if (!dnsdomname
|| !*dnsdomname
) {
1916 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
1918 strlower_m(dnsdomname
);
1920 dns_name
= dnsdomname
;
1921 forest_name
= dnsdomname
;
1923 sid
= get_global_sam_sid();
1924 secrets_fetch_domain_guid(lp_workgroup(), &guid
);
1927 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
1929 init_dns_dom_info(&r_u
->info
.dns_dom_info
, nb_name
, dns_name
,
1930 forest_name
,&guid
,sid
);
1933 DEBUG(0,("_lsa_query_info2: unknown info level in Lsa Query: %d\n", q_u
->info_class
));
1934 r_u
->status
= NT_STATUS_INVALID_INFO_CLASS
;
1938 if (NT_STATUS_IS_OK(r_u
->status
)) {
1940 r_u
->info_class
= q_u
->info_class
;
1945 #endif /* AD DC work in ongoing in Samba 4 */
1947 /***************************************************************************
1948 _lsa_AddAccountRights
1949 ***************************************************************************/
1951 NTSTATUS
_lsa_AddAccountRights(pipes_struct
*p
,
1952 struct lsa_AddAccountRights
*r
)
1954 struct lsa_info
*info
= NULL
;
1958 /* find the connection policy handle. */
1959 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
1960 return NT_STATUS_INVALID_HANDLE
;
1962 /* check to see if the pipe_user is a Domain Admin since
1963 account_pol.tdb was already opened as root, this is all we have */
1965 if ( p
->pipe_user
.ut
.uid
!= sec_initial_uid()
1966 && !nt_token_check_domain_rid( p
->pipe_user
.nt_user_token
, DOMAIN_GROUP_RID_ADMINS
) )
1968 return NT_STATUS_ACCESS_DENIED
;
1971 /* according to an NT4 PDC, you can add privileges to SIDs even without
1972 call_lsa_create_account() first. And you can use any arbitrary SID. */
1974 sid_copy( &sid
, r
->in
.sid
);
1976 for ( i
=0; i
< r
->in
.rights
->count
; i
++ ) {
1978 const char *privname
= r
->in
.rights
->names
[i
].string
;
1980 /* only try to add non-null strings */
1985 if ( !grant_privilege_by_name( &sid
, privname
) ) {
1986 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
1988 return NT_STATUS_NO_SUCH_PRIVILEGE
;
1992 return NT_STATUS_OK
;
1995 /***************************************************************************
1996 _lsa_RemoveAccountRights
1997 ***************************************************************************/
1999 NTSTATUS
_lsa_RemoveAccountRights(pipes_struct
*p
,
2000 struct lsa_RemoveAccountRights
*r
)
2002 struct lsa_info
*info
= NULL
;
2005 const char *privname
= NULL
;
2007 /* find the connection policy handle. */
2008 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2009 return NT_STATUS_INVALID_HANDLE
;
2011 /* check to see if the pipe_user is a Domain Admin since
2012 account_pol.tdb was already opened as root, this is all we have */
2014 if ( p
->pipe_user
.ut
.uid
!= sec_initial_uid()
2015 && !nt_token_check_domain_rid( p
->pipe_user
.nt_user_token
, DOMAIN_GROUP_RID_ADMINS
) )
2017 return NT_STATUS_ACCESS_DENIED
;
2020 sid_copy( &sid
, r
->in
.sid
);
2022 if ( r
->in
.remove_all
) {
2023 if ( !revoke_all_privileges( &sid
) )
2024 return NT_STATUS_ACCESS_DENIED
;
2026 return NT_STATUS_OK
;
2029 for ( i
=0; i
< r
->in
.rights
->count
; i
++ ) {
2031 privname
= r
->in
.rights
->names
[i
].string
;
2033 /* only try to add non-null strings */
2038 if ( !revoke_privilege_by_name( &sid
, privname
) ) {
2039 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2041 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2045 return NT_STATUS_OK
;
2048 /*******************************************************************
2049 ********************************************************************/
2051 static NTSTATUS
init_lsa_right_set(TALLOC_CTX
*mem_ctx
,
2052 struct lsa_RightSet
*r
,
2053 PRIVILEGE_SET
*privileges
)
2056 const char *privname
;
2057 const char **privname_array
= NULL
;
2060 for (i
=0; i
<privileges
->count
; i
++) {
2062 privname
= luid_to_privilege_name(&privileges
->set
[i
].luid
);
2064 if (!add_string_to_array(mem_ctx
, privname
,
2065 &privname_array
, &num_priv
)) {
2066 return NT_STATUS_NO_MEMORY
;
2073 r
->names
= TALLOC_ZERO_ARRAY(mem_ctx
, struct lsa_StringLarge
,
2076 return NT_STATUS_NO_MEMORY
;
2079 for (i
=0; i
<num_priv
; i
++) {
2080 init_lsa_StringLarge(&r
->names
[i
], privname_array
[i
]);
2083 r
->count
= num_priv
;
2086 return NT_STATUS_OK
;
2089 /***************************************************************************
2090 _lsa_EnumAccountRights
2091 ***************************************************************************/
2093 NTSTATUS
_lsa_EnumAccountRights(pipes_struct
*p
,
2094 struct lsa_EnumAccountRights
*r
)
2097 struct lsa_info
*info
= NULL
;
2099 PRIVILEGE_SET privileges
;
2102 /* find the connection policy handle. */
2104 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2105 return NT_STATUS_INVALID_HANDLE
;
2107 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
2108 return NT_STATUS_ACCESS_DENIED
;
2110 /* according to an NT4 PDC, you can add privileges to SIDs even without
2111 call_lsa_create_account() first. And you can use any arbitrary SID. */
2113 sid_copy( &sid
, r
->in
.sid
);
2115 if ( !get_privileges_for_sids( &mask
, &sid
, 1 ) )
2116 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
2118 privilege_set_init( &privileges
);
2120 if ( se_priv_to_privilege_set( &privileges
, &mask
) ) {
2122 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2123 sid_string_dbg(&sid
), privileges
.count
));
2125 status
= init_lsa_right_set(p
->mem_ctx
, r
->out
.rights
, &privileges
);
2127 status
= NT_STATUS_NO_SUCH_PRIVILEGE
;
2130 privilege_set_free( &privileges
);
2135 /***************************************************************************
2136 _lsa_LookupPrivValue
2137 ***************************************************************************/
2139 NTSTATUS
_lsa_LookupPrivValue(pipes_struct
*p
,
2140 struct lsa_LookupPrivValue
*r
)
2142 struct lsa_info
*info
= NULL
;
2143 const char *name
= NULL
;
2144 LUID_ATTR priv_luid
;
2147 /* find the connection policy handle. */
2149 if (!find_policy_by_hnd(p
, r
->in
.handle
, (void **)(void *)&info
))
2150 return NT_STATUS_INVALID_HANDLE
;
2152 if (!(info
->access
& LSA_POLICY_VIEW_LOCAL_INFORMATION
))
2153 return NT_STATUS_ACCESS_DENIED
;
2155 name
= r
->in
.name
->string
;
2157 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name
));
2159 if ( !se_priv_from_name( name
, &mask
) )
2160 return NT_STATUS_NO_SUCH_PRIVILEGE
;
2162 priv_luid
= get_privilege_luid( &mask
);
2164 r
->out
.luid
->low
= priv_luid
.luid
.low
;
2165 r
->out
.luid
->high
= priv_luid
.luid
.high
;
2167 return NT_STATUS_OK
;
2171 * From here on the server routines are just dummy ones to make smbd link with
2172 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2173 * pulling the server stubs across one by one.
2176 NTSTATUS
_lsa_Delete(pipes_struct
*p
, struct lsa_Delete
*r
)
2178 p
->rng_fault_state
= True
;
2179 return NT_STATUS_NOT_IMPLEMENTED
;
2182 NTSTATUS
_lsa_SetSecObj(pipes_struct
*p
, struct lsa_SetSecObj
*r
)
2184 p
->rng_fault_state
= True
;
2185 return NT_STATUS_NOT_IMPLEMENTED
;
2188 NTSTATUS
_lsa_ChangePassword(pipes_struct
*p
, struct lsa_ChangePassword
*r
)
2190 p
->rng_fault_state
= True
;
2191 return NT_STATUS_NOT_IMPLEMENTED
;
2194 NTSTATUS
_lsa_SetInfoPolicy(pipes_struct
*p
, struct lsa_SetInfoPolicy
*r
)
2196 p
->rng_fault_state
= True
;
2197 return NT_STATUS_NOT_IMPLEMENTED
;
2200 NTSTATUS
_lsa_ClearAuditLog(pipes_struct
*p
, struct lsa_ClearAuditLog
*r
)
2202 p
->rng_fault_state
= True
;
2203 return NT_STATUS_NOT_IMPLEMENTED
;
2206 NTSTATUS
_lsa_GetQuotasForAccount(pipes_struct
*p
, struct lsa_GetQuotasForAccount
*r
)
2208 p
->rng_fault_state
= True
;
2209 return NT_STATUS_NOT_IMPLEMENTED
;
2212 NTSTATUS
_lsa_SetQuotasForAccount(pipes_struct
*p
, struct lsa_SetQuotasForAccount
*r
)
2214 p
->rng_fault_state
= True
;
2215 return NT_STATUS_NOT_IMPLEMENTED
;
2218 NTSTATUS
_lsa_QueryTrustedDomainInfo(pipes_struct
*p
, struct lsa_QueryTrustedDomainInfo
*r
)
2220 p
->rng_fault_state
= True
;
2221 return NT_STATUS_NOT_IMPLEMENTED
;
2224 NTSTATUS
_lsa_SetInformationTrustedDomain(pipes_struct
*p
, struct lsa_SetInformationTrustedDomain
*r
)
2226 p
->rng_fault_state
= True
;
2227 return NT_STATUS_NOT_IMPLEMENTED
;
2230 NTSTATUS
_lsa_QuerySecret(pipes_struct
*p
, struct lsa_QuerySecret
*r
)
2232 p
->rng_fault_state
= True
;
2233 return NT_STATUS_NOT_IMPLEMENTED
;
2236 NTSTATUS
_lsa_LookupPrivName(pipes_struct
*p
, struct lsa_LookupPrivName
*r
)
2238 p
->rng_fault_state
= True
;
2239 return NT_STATUS_NOT_IMPLEMENTED
;
2242 NTSTATUS
_lsa_EnumAccountsWithUserRight(pipes_struct
*p
, struct lsa_EnumAccountsWithUserRight
*r
)
2244 p
->rng_fault_state
= True
;
2245 return NT_STATUS_NOT_IMPLEMENTED
;
2248 NTSTATUS
_lsa_QueryTrustedDomainInfoBySid(pipes_struct
*p
, struct lsa_QueryTrustedDomainInfoBySid
*r
)
2250 p
->rng_fault_state
= True
;
2251 return NT_STATUS_NOT_IMPLEMENTED
;
2254 NTSTATUS
_lsa_SetTrustedDomainInfo(pipes_struct
*p
, struct lsa_SetTrustedDomainInfo
*r
)
2256 p
->rng_fault_state
= True
;
2257 return NT_STATUS_NOT_IMPLEMENTED
;
2260 NTSTATUS
_lsa_DeleteTrustedDomain(pipes_struct
*p
, struct lsa_DeleteTrustedDomain
*r
)
2262 p
->rng_fault_state
= True
;
2263 return NT_STATUS_NOT_IMPLEMENTED
;
2266 NTSTATUS
_lsa_StorePrivateData(pipes_struct
*p
, struct lsa_StorePrivateData
*r
)
2268 p
->rng_fault_state
= True
;
2269 return NT_STATUS_NOT_IMPLEMENTED
;
2272 NTSTATUS
_lsa_RetrievePrivateData(pipes_struct
*p
, struct lsa_RetrievePrivateData
*r
)
2274 p
->rng_fault_state
= True
;
2275 return NT_STATUS_NOT_IMPLEMENTED
;
2278 NTSTATUS
_lsa_QueryInfoPolicy2(pipes_struct
*p
, struct lsa_QueryInfoPolicy2
*r
)
2280 p
->rng_fault_state
= True
;
2281 return NT_STATUS_NOT_IMPLEMENTED
;
2284 NTSTATUS
_lsa_SetInfoPolicy2(pipes_struct
*p
, struct lsa_SetInfoPolicy2
*r
)
2286 p
->rng_fault_state
= True
;
2287 return NT_STATUS_NOT_IMPLEMENTED
;
2290 NTSTATUS
_lsa_QueryTrustedDomainInfoByName(pipes_struct
*p
, struct lsa_QueryTrustedDomainInfoByName
*r
)
2292 p
->rng_fault_state
= True
;
2293 return NT_STATUS_NOT_IMPLEMENTED
;
2296 NTSTATUS
_lsa_SetTrustedDomainInfoByName(pipes_struct
*p
, struct lsa_SetTrustedDomainInfoByName
*r
)
2298 p
->rng_fault_state
= True
;
2299 return NT_STATUS_NOT_IMPLEMENTED
;
2302 NTSTATUS
_lsa_EnumTrustedDomainsEx(pipes_struct
*p
, struct lsa_EnumTrustedDomainsEx
*r
)
2304 p
->rng_fault_state
= True
;
2305 return NT_STATUS_NOT_IMPLEMENTED
;
2308 NTSTATUS
_lsa_CreateTrustedDomainEx(pipes_struct
*p
, struct lsa_CreateTrustedDomainEx
*r
)
2310 p
->rng_fault_state
= True
;
2311 return NT_STATUS_NOT_IMPLEMENTED
;
2314 NTSTATUS
_lsa_CloseTrustedDomainEx(pipes_struct
*p
, struct lsa_CloseTrustedDomainEx
*r
)
2316 p
->rng_fault_state
= True
;
2317 return NT_STATUS_NOT_IMPLEMENTED
;
2320 NTSTATUS
_lsa_QueryDomainInformationPolicy(pipes_struct
*p
, struct lsa_QueryDomainInformationPolicy
*r
)
2322 p
->rng_fault_state
= True
;
2323 return NT_STATUS_NOT_IMPLEMENTED
;
2326 NTSTATUS
_lsa_SetDomainInformationPolicy(pipes_struct
*p
, struct lsa_SetDomainInformationPolicy
*r
)
2328 p
->rng_fault_state
= True
;
2329 return NT_STATUS_NOT_IMPLEMENTED
;
2332 NTSTATUS
_lsa_OpenTrustedDomainByName(pipes_struct
*p
, struct lsa_OpenTrustedDomainByName
*r
)
2334 p
->rng_fault_state
= True
;
2335 return NT_STATUS_NOT_IMPLEMENTED
;
2338 NTSTATUS
_lsa_TestCall(pipes_struct
*p
, struct lsa_TestCall
*r
)
2340 p
->rng_fault_state
= True
;
2341 return NT_STATUS_NOT_IMPLEMENTED
;
2344 NTSTATUS
_lsa_CreateTrustedDomainEx2(pipes_struct
*p
, struct lsa_CreateTrustedDomainEx2
*r
)
2346 p
->rng_fault_state
= True
;
2347 return NT_STATUS_NOT_IMPLEMENTED
;
2350 NTSTATUS
_lsa_CREDRWRITE(pipes_struct
*p
, struct lsa_CREDRWRITE
*r
)
2352 p
->rng_fault_state
= True
;
2353 return NT_STATUS_NOT_IMPLEMENTED
;
2356 NTSTATUS
_lsa_CREDRREAD(pipes_struct
*p
, struct lsa_CREDRREAD
*r
)
2358 p
->rng_fault_state
= True
;
2359 return NT_STATUS_NOT_IMPLEMENTED
;
2362 NTSTATUS
_lsa_CREDRENUMERATE(pipes_struct
*p
, struct lsa_CREDRENUMERATE
*r
)
2364 p
->rng_fault_state
= True
;
2365 return NT_STATUS_NOT_IMPLEMENTED
;
2368 NTSTATUS
_lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct
*p
, struct lsa_CREDRWRITEDOMAINCREDENTIALS
*r
)
2370 p
->rng_fault_state
= True
;
2371 return NT_STATUS_NOT_IMPLEMENTED
;
2374 NTSTATUS
_lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct
*p
, struct lsa_CREDRREADDOMAINCREDENTIALS
*r
)
2376 p
->rng_fault_state
= True
;
2377 return NT_STATUS_NOT_IMPLEMENTED
;
2380 NTSTATUS
_lsa_CREDRDELETE(pipes_struct
*p
, struct lsa_CREDRDELETE
*r
)
2382 p
->rng_fault_state
= True
;
2383 return NT_STATUS_NOT_IMPLEMENTED
;
2386 NTSTATUS
_lsa_CREDRGETTARGETINFO(pipes_struct
*p
, struct lsa_CREDRGETTARGETINFO
*r
)
2388 p
->rng_fault_state
= True
;
2389 return NT_STATUS_NOT_IMPLEMENTED
;
2392 NTSTATUS
_lsa_CREDRPROFILELOADED(pipes_struct
*p
, struct lsa_CREDRPROFILELOADED
*r
)
2394 p
->rng_fault_state
= True
;
2395 return NT_STATUS_NOT_IMPLEMENTED
;
2398 NTSTATUS
_lsa_CREDRGETSESSIONTYPES(pipes_struct
*p
, struct lsa_CREDRGETSESSIONTYPES
*r
)
2400 p
->rng_fault_state
= True
;
2401 return NT_STATUS_NOT_IMPLEMENTED
;
2404 NTSTATUS
_lsa_LSARREGISTERAUDITEVENT(pipes_struct
*p
, struct lsa_LSARREGISTERAUDITEVENT
*r
)
2406 p
->rng_fault_state
= True
;
2407 return NT_STATUS_NOT_IMPLEMENTED
;
2410 NTSTATUS
_lsa_LSARGENAUDITEVENT(pipes_struct
*p
, struct lsa_LSARGENAUDITEVENT
*r
)
2412 p
->rng_fault_state
= True
;
2413 return NT_STATUS_NOT_IMPLEMENTED
;
2416 NTSTATUS
_lsa_LSARUNREGISTERAUDITEVENT(pipes_struct
*p
, struct lsa_LSARUNREGISTERAUDITEVENT
*r
)
2418 p
->rng_fault_state
= True
;
2419 return NT_STATUS_NOT_IMPLEMENTED
;
2422 NTSTATUS
_lsa_lsaRQueryForestTrustInformation(pipes_struct
*p
, struct lsa_lsaRQueryForestTrustInformation
*r
)
2424 p
->rng_fault_state
= True
;
2425 return NT_STATUS_NOT_IMPLEMENTED
;
2428 NTSTATUS
_lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct
*p
, struct lsa_LSARSETFORESTTRUSTINFORMATION
*r
)
2430 p
->rng_fault_state
= True
;
2431 return NT_STATUS_NOT_IMPLEMENTED
;
2434 NTSTATUS
_lsa_CREDRRENAME(pipes_struct
*p
, struct lsa_CREDRRENAME
*r
)
2436 p
->rng_fault_state
= True
;
2437 return NT_STATUS_NOT_IMPLEMENTED
;
2440 NTSTATUS
_lsa_LSAROPENPOLICYSCE(pipes_struct
*p
, struct lsa_LSAROPENPOLICYSCE
*r
)
2442 p
->rng_fault_state
= True
;
2443 return NT_STATUS_NOT_IMPLEMENTED
;
2446 NTSTATUS
_lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct
*p
, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE
*r
)
2448 p
->rng_fault_state
= True
;
2449 return NT_STATUS_NOT_IMPLEMENTED
;
2452 NTSTATUS
_lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct
*p
, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE
*r
)
2454 p
->rng_fault_state
= True
;
2455 return NT_STATUS_NOT_IMPLEMENTED
;
2458 NTSTATUS
_lsa_LSARADTREPORTSECURITYEVENT(pipes_struct
*p
, struct lsa_LSARADTREPORTSECURITYEVENT
*r
)
2460 p
->rng_fault_state
= True
;
2461 return NT_STATUS_NOT_IMPLEMENTED
;