2 * Unix SMB/CIFS implementation.
4 * Winbind rpc backend functions
6 * Copyright (c) 2000-2003 Tim Potter
7 * Copyright (c) 2001 Andrew Tridgell
8 * Copyright (c) 2005 Volker Lendecke
9 * Copyright (c) 2008 Guenther Deschner (pidl conversion)
10 * Copyright (c) 2010 Andreas Schneider <asn@samba.org>
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 3 of the License, or
15 * (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #include "winbindd_rpc.h"
30 #include "../librpc/gen_ndr/cli_samr.h"
31 #include "rpc_client/cli_samr.h"
32 #include "../librpc/gen_ndr/srv_samr.h"
33 #include "../librpc/gen_ndr/cli_lsa.h"
34 #include "rpc_client/cli_lsarpc.h"
35 #include "../librpc/gen_ndr/srv_lsa.h"
38 #define DBGC_CLASS DBGC_WINBIND
40 static NTSTATUS
open_internal_samr_pipe(TALLOC_CTX
*mem_ctx
,
41 struct rpc_pipe_client
**samr_pipe
)
43 static struct rpc_pipe_client
*cli
= NULL
;
44 struct auth_serversupplied_info
*server_info
= NULL
;
51 if (server_info
== NULL
) {
52 status
= make_server_info_system(mem_ctx
, &server_info
);
53 if (!NT_STATUS_IS_OK(status
)) {
54 DEBUG(0, ("open_samr_pipe: Could not create auth_serversupplied_info: %s\n",
60 /* create a samr connection */
61 status
= rpc_pipe_open_internal(talloc_autofree_context(),
62 &ndr_table_samr
.syntax_id
,
66 if (!NT_STATUS_IS_OK(status
)) {
67 DEBUG(0, ("open_samr_pipe: Could not connect to samr_pipe: %s\n",
80 static NTSTATUS
open_internal_samr_conn(TALLOC_CTX
*mem_ctx
,
81 struct winbindd_domain
*domain
,
82 struct rpc_pipe_client
**samr_pipe
,
83 struct policy_handle
*samr_domain_hnd
)
86 struct policy_handle samr_connect_hnd
;
88 status
= open_internal_samr_pipe(mem_ctx
, samr_pipe
);
89 if (!NT_STATUS_IS_OK(status
)) {
93 status
= rpccli_samr_Connect2((*samr_pipe
),
95 (*samr_pipe
)->desthost
,
96 SEC_FLAG_MAXIMUM_ALLOWED
,
98 if (!NT_STATUS_IS_OK(status
)) {
102 status
= rpccli_samr_OpenDomain((*samr_pipe
),
105 SEC_FLAG_MAXIMUM_ALLOWED
,
112 static NTSTATUS
open_internal_lsa_pipe(TALLOC_CTX
*mem_ctx
,
113 struct rpc_pipe_client
**lsa_pipe
)
115 static struct rpc_pipe_client
*cli
= NULL
;
116 struct auth_serversupplied_info
*server_info
= NULL
;
123 if (server_info
== NULL
) {
124 status
= make_server_info_system(mem_ctx
, &server_info
);
125 if (!NT_STATUS_IS_OK(status
)) {
126 DEBUG(0, ("open_samr_pipe: Could not create auth_serversupplied_info: %s\n",
132 /* create a samr connection */
133 status
= rpc_pipe_open_internal(talloc_autofree_context(),
134 &ndr_table_lsarpc
.syntax_id
,
138 if (!NT_STATUS_IS_OK(status
)) {
139 DEBUG(0, ("open_samr_pipe: Could not connect to samr_pipe: %s\n",
152 static NTSTATUS
open_internal_lsa_conn(TALLOC_CTX
*mem_ctx
,
153 struct rpc_pipe_client
**lsa_pipe
,
154 struct policy_handle
*lsa_hnd
)
158 status
= open_internal_lsa_pipe(mem_ctx
, lsa_pipe
);
159 if (!NT_STATUS_IS_OK(status
)) {
163 status
= rpccli_lsa_open_policy((*lsa_pipe
),
166 SEC_FLAG_MAXIMUM_ALLOWED
,
172 /*********************************************************************
173 SAM specific functions.
174 *********************************************************************/
176 /* List all domain groups */
177 static NTSTATUS
sam_enum_dom_groups(struct winbindd_domain
*domain
,
180 struct acct_info
**pinfo
)
182 struct rpc_pipe_client
*samr_pipe
;
183 struct policy_handle dom_pol
;
184 struct acct_info
*info
= NULL
;
185 uint32_t num_info
= 0;
189 DEBUG(3,("sam_enum_dom_groups\n"));
195 tmp_ctx
= talloc_stackframe();
196 if (tmp_ctx
== NULL
) {
197 return NT_STATUS_NO_MEMORY
;
200 status
= open_internal_samr_conn(tmp_ctx
, domain
, &samr_pipe
, &dom_pol
);
201 if (!NT_STATUS_IS_OK(status
)) {
205 status
= rpc_enum_dom_groups(tmp_ctx
,
210 if (!NT_STATUS_IS_OK(status
)) {
215 *pnum_info
= num_info
;
219 *pinfo
= talloc_move(mem_ctx
, &info
);
223 TALLOC_FREE(tmp_ctx
);
227 /* Query display info for a domain */
228 static NTSTATUS
sam_query_user_list(struct winbindd_domain
*domain
,
231 struct wbint_userinfo
**pinfo
)
233 struct rpc_pipe_client
*samr_pipe
= NULL
;
234 struct policy_handle dom_pol
;
235 struct wbint_userinfo
*info
= NULL
;
236 uint32_t num_info
= 0;
240 DEBUG(3,("samr_query_user_list\n"));
246 tmp_ctx
= talloc_stackframe();
247 if (tmp_ctx
== NULL
) {
248 return NT_STATUS_NO_MEMORY
;
251 status
= open_internal_samr_conn(tmp_ctx
, domain
, &samr_pipe
, &dom_pol
);
252 if (!NT_STATUS_IS_OK(status
)) {
256 status
= rpc_query_user_list(tmp_ctx
,
262 if (!NT_STATUS_IS_OK(status
)) {
267 *pnum_info
= num_info
;
271 *pinfo
= talloc_move(mem_ctx
, &info
);
275 TALLOC_FREE(tmp_ctx
);
279 /* Lookup user information from a rid or username. */
280 static NTSTATUS
sam_query_user(struct winbindd_domain
*domain
,
282 const struct dom_sid
*user_sid
,
283 struct wbint_userinfo
*user_info
)
285 struct rpc_pipe_client
*samr_pipe
;
286 struct policy_handle dom_pol
;
290 DEBUG(3,("sam_query_user\n"));
293 if (!sid_check_is_in_our_domain(user_sid
)) {
294 return NT_STATUS_NO_SUCH_USER
;
298 user_info
->homedir
= NULL
;
299 user_info
->shell
= NULL
;
300 user_info
->primary_gid
= (gid_t
) -1;
303 tmp_ctx
= talloc_stackframe();
304 if (tmp_ctx
== NULL
) {
305 return NT_STATUS_NO_MEMORY
;
308 status
= open_internal_samr_conn(tmp_ctx
, domain
, &samr_pipe
, &dom_pol
);
309 if (!NT_STATUS_IS_OK(status
)) {
313 status
= rpc_query_user(tmp_ctx
,
321 TALLOC_FREE(tmp_ctx
);
325 /* get a list of trusted domains - builtin domain */
326 static NTSTATUS
sam_trusted_domains(struct winbindd_domain
*domain
,
328 struct netr_DomainTrustList
*trusts
)
330 struct rpc_pipe_client
*lsa_pipe
;
331 struct netr_DomainTrust
*array
= NULL
;
332 struct policy_handle lsa_policy
;
333 uint32_t enum_ctx
= 0;
338 DEBUG(3,("samr: trusted domains\n"));
340 tmp_ctx
= talloc_stackframe();
341 if (tmp_ctx
== NULL
) {
342 return NT_STATUS_NO_MEMORY
;
345 status
= open_internal_lsa_conn(tmp_ctx
, &lsa_pipe
, &lsa_policy
);
346 if (!NT_STATUS_IS_OK(status
)) {
351 struct lsa_DomainList dom_list
;
356 * We don't run into deadlocks here, cause winbind_off() is
357 * called in the main function.
359 status
= rpccli_lsa_EnumTrustDom(lsa_pipe
,
365 if (!NT_STATUS_IS_OK(status
)) {
366 if (!NT_STATUS_EQUAL(status
, STATUS_MORE_ENTRIES
)) {
371 start_idx
= trusts
->count
;
372 count
+= dom_list
.count
;
374 array
= talloc_realloc(tmp_ctx
,
376 struct netr_DomainTrust
,
379 status
= NT_STATUS_NO_MEMORY
;
383 for (i
= 0; i
< dom_list
.count
; i
++) {
384 struct netr_DomainTrust
*trust
= &array
[i
];
389 trust
->netbios_name
= talloc_move(array
,
390 &dom_list
.domains
[i
].name
.string
);
391 trust
->dns_name
= NULL
;
393 sid
= talloc(array
, struct dom_sid
);
395 status
= NT_STATUS_NO_MEMORY
;
398 sid_copy(sid
, dom_list
.domains
[i
].sid
);
401 } while (NT_STATUS_EQUAL(status
, STATUS_MORE_ENTRIES
));
404 trusts
->count
= count
;
405 trusts
->array
= talloc_move(mem_ctx
, &array
);
409 TALLOC_FREE(tmp_ctx
);
413 /* Lookup group membership given a rid. */
414 static NTSTATUS
sam_lookup_groupmem(struct winbindd_domain
*domain
,
416 const struct dom_sid
*group_sid
,
417 enum lsa_SidType type
,
418 uint32_t *pnum_names
,
419 struct dom_sid
**psid_mem
,
421 uint32_t **pname_types
)
423 struct rpc_pipe_client
*samr_pipe
;
424 struct policy_handle dom_pol
;
426 uint32_t num_names
= 0;
427 struct dom_sid
*sid_mem
= NULL
;
429 uint32_t *name_types
= NULL
;
434 DEBUG(3,("sam_lookup_groupmem\n"));
437 if (sid_check_is_in_builtin(group_sid
) && (type
!= SID_NAME_ALIAS
)) {
438 /* There's no groups, only aliases in BUILTIN */
439 return NT_STATUS_NO_SUCH_GROUP
;
446 tmp_ctx
= talloc_stackframe();
447 if (tmp_ctx
== NULL
) {
448 return NT_STATUS_NO_MEMORY
;
451 status
= open_internal_samr_conn(tmp_ctx
, domain
, &samr_pipe
, &dom_pol
);
452 if (!NT_STATUS_IS_OK(status
)) {
456 status
= rpc_lookup_groupmem(tmp_ctx
,
469 *pnum_names
= num_names
;
473 *pnames
= talloc_move(mem_ctx
, &names
);
477 *pname_types
= talloc_move(mem_ctx
, &name_types
);
481 *psid_mem
= talloc_move(mem_ctx
, &sid_mem
);
485 TALLOC_FREE(tmp_ctx
);
489 /*********************************************************************
490 BUILTIN specific functions.
491 *********************************************************************/
493 /* List all domain groups */
494 static NTSTATUS
builtin_enum_dom_groups(struct winbindd_domain
*domain
,
497 struct acct_info
**info
)
499 /* BUILTIN doesn't have domain groups */
505 /* Query display info for a domain */
506 static NTSTATUS
builtin_query_user_list(struct winbindd_domain
*domain
,
509 struct wbint_userinfo
**info
)
511 /* We don't have users */
517 /* Lookup user information from a rid or username. */
518 static NTSTATUS
builtin_query_user(struct winbindd_domain
*domain
,
520 const struct dom_sid
*user_sid
,
521 struct wbint_userinfo
*user_info
)
523 return NT_STATUS_NO_SUCH_USER
;
526 /* get a list of trusted domains - builtin domain */
527 static NTSTATUS
builtin_trusted_domains(struct winbindd_domain
*domain
,
529 struct netr_DomainTrustList
*trusts
)
531 ZERO_STRUCTP(trusts
);
535 /*********************************************************************
537 *********************************************************************/
539 /* List all local groups (aliases) */
540 static NTSTATUS
sam_enum_local_groups(struct winbindd_domain
*domain
,
543 struct acct_info
**pinfo
)
545 struct rpc_pipe_client
*samr_pipe
;
546 struct policy_handle dom_pol
;
547 struct acct_info
*info
= NULL
;
548 uint32_t num_info
= 0;
552 DEBUG(3,("samr: enum local groups\n"));
558 tmp_ctx
= talloc_stackframe();
559 if (tmp_ctx
== NULL
) {
560 return NT_STATUS_NO_MEMORY
;
563 status
= open_internal_samr_conn(tmp_ctx
, domain
, &samr_pipe
, &dom_pol
);
564 if (!NT_STATUS_IS_OK(status
)) {
568 status
= rpc_enum_local_groups(mem_ctx
,
573 if (!NT_STATUS_IS_OK(status
)) {
578 *pnum_info
= num_info
;
582 *pinfo
= talloc_move(mem_ctx
, &info
);
586 TALLOC_FREE(tmp_ctx
);
590 /* convert a single name to a sid in a domain */
591 static NTSTATUS
sam_name_to_sid(struct winbindd_domain
*domain
,
593 const char *domain_name
,
596 struct dom_sid
*psid
,
597 enum lsa_SidType
*ptype
)
599 struct rpc_pipe_client
*lsa_pipe
;
600 struct policy_handle lsa_policy
;
602 enum lsa_SidType type
;
606 DEBUG(3,("sam_name_to_sid\n"));
608 tmp_ctx
= talloc_stackframe();
609 if (tmp_ctx
== NULL
) {
610 return NT_STATUS_NO_MEMORY
;
613 status
= open_internal_lsa_conn(tmp_ctx
, &lsa_pipe
, &lsa_policy
);
614 if (!NT_STATUS_IS_OK(status
)) {
618 status
= rpc_name_to_sid(tmp_ctx
,
626 if (!NT_STATUS_IS_OK(status
)) {
631 sid_copy(psid
, &sid
);
638 TALLOC_FREE(tmp_ctx
);
642 /* convert a domain SID to a user or group name */
643 static NTSTATUS
sam_sid_to_name(struct winbindd_domain
*domain
,
645 const struct dom_sid
*sid
,
648 enum lsa_SidType
*ptype
)
650 struct rpc_pipe_client
*lsa_pipe
;
651 struct policy_handle lsa_policy
;
652 char *domain_name
= NULL
;
654 enum lsa_SidType type
;
658 DEBUG(3,("sam_sid_to_name\n"));
661 if (!sid_check_is_in_builtin(sid
) &&
662 !sid_check_is_in_our_domain(sid
) &&
663 !sid_check_is_in_unix_users(sid
) &&
664 !sid_check_is_unix_users(sid
) &&
665 !sid_check_is_in_unix_groups(sid
) &&
666 !sid_check_is_unix_groups(sid
) &&
667 !sid_check_is_in_wellknown_domain(sid
)) {
668 DEBUG(0, ("sam_sid_to_name: possible deadlock - trying to "
669 "lookup SID %s\n", sid_string_dbg(sid
)));
670 return NT_STATUS_NONE_MAPPED
;
673 tmp_ctx
= talloc_stackframe();
674 if (tmp_ctx
== NULL
) {
675 return NT_STATUS_NO_MEMORY
;
678 status
= open_internal_lsa_conn(tmp_ctx
, &lsa_pipe
, &lsa_policy
);
679 if (!NT_STATUS_IS_OK(status
)) {
683 status
= rpc_sid_to_name(tmp_ctx
,
697 *pname
= talloc_move(mem_ctx
, &name
);
701 *pdomain_name
= talloc_move(mem_ctx
, &domain_name
);
705 TALLOC_FREE(tmp_ctx
);
709 static NTSTATUS
sam_rids_to_names(struct winbindd_domain
*domain
,
711 const struct dom_sid
*sid
,
716 enum lsa_SidType
**ptypes
)
718 struct rpc_pipe_client
*lsa_pipe
;
719 struct policy_handle lsa_policy
;
720 enum lsa_SidType
*types
= NULL
;
721 char *domain_name
= NULL
;
726 DEBUG(3,("sam_rids_to_names for %s\n", domain
->name
));
729 if (!sid_check_is_in_builtin(sid
) &&
730 !sid_check_is_in_our_domain(sid
) &&
731 !sid_check_is_in_unix_users(sid
) &&
732 !sid_check_is_unix_users(sid
) &&
733 !sid_check_is_in_unix_groups(sid
) &&
734 !sid_check_is_unix_groups(sid
) &&
735 !sid_check_is_in_wellknown_domain(sid
)) {
736 DEBUG(0, ("sam_rids_to_names: possible deadlock - trying to "
737 "lookup SID %s\n", sid_string_dbg(sid
)));
738 return NT_STATUS_NONE_MAPPED
;
741 tmp_ctx
= talloc_stackframe();
742 if (tmp_ctx
== NULL
) {
743 return NT_STATUS_NO_MEMORY
;
746 status
= open_internal_lsa_conn(tmp_ctx
, &lsa_pipe
, &lsa_policy
);
747 if (!NT_STATUS_IS_OK(status
)) {
751 status
= rpc_rids_to_names(tmp_ctx
,
761 if (!NT_STATUS_IS_OK(status
)) {
766 *pdomain_name
= talloc_move(mem_ctx
, &domain_name
);
770 *ptypes
= talloc_move(mem_ctx
, &types
);
774 *pnames
= talloc_move(mem_ctx
, &names
);
778 TALLOC_FREE(tmp_ctx
);
782 static NTSTATUS
sam_lockout_policy(struct winbindd_domain
*domain
,
784 struct samr_DomInfo12
*lockout_policy
)
786 struct rpc_pipe_client
*samr_pipe
;
787 struct policy_handle dom_pol
;
788 union samr_DomainInfo
*info
= NULL
;
792 DEBUG(3,("sam_lockout_policy\n"));
794 tmp_ctx
= talloc_stackframe();
795 if (tmp_ctx
== NULL
) {
796 return NT_STATUS_NO_MEMORY
;
799 status
= open_internal_samr_conn(tmp_ctx
, domain
, &samr_pipe
, &dom_pol
);
800 if (!NT_STATUS_IS_OK(status
)) {
804 status
= rpccli_samr_QueryDomainInfo(samr_pipe
,
809 if (!NT_STATUS_IS_OK(status
)) {
813 *lockout_policy
= info
->info12
;
816 TALLOC_FREE(tmp_ctx
);
820 static NTSTATUS
sam_password_policy(struct winbindd_domain
*domain
,
822 struct samr_DomInfo1
*passwd_policy
)
824 struct rpc_pipe_client
*samr_pipe
;
825 struct policy_handle dom_pol
;
826 union samr_DomainInfo
*info
= NULL
;
830 DEBUG(3,("sam_password_policy\n"));
832 tmp_ctx
= talloc_stackframe();
833 if (tmp_ctx
== NULL
) {
834 return NT_STATUS_NO_MEMORY
;
837 status
= open_internal_samr_conn(tmp_ctx
, domain
, &samr_pipe
, &dom_pol
);
838 if (!NT_STATUS_IS_OK(status
)) {
842 status
= rpccli_samr_QueryDomainInfo(samr_pipe
,
847 if (!NT_STATUS_IS_OK(status
)) {
851 *passwd_policy
= info
->info1
;
854 TALLOC_FREE(tmp_ctx
);
858 /* Lookup groups a user is a member of. */
859 static NTSTATUS
sam_lookup_usergroups(struct winbindd_domain
*domain
,
861 const struct dom_sid
*user_sid
,
862 uint32_t *pnum_groups
,
863 struct dom_sid
**puser_grpsids
)
865 struct rpc_pipe_client
*samr_pipe
;
866 struct policy_handle dom_pol
;
867 struct dom_sid
*user_grpsids
= NULL
;
868 uint32_t num_groups
= 0;
872 DEBUG(3,("sam_lookup_usergroups\n"));
878 tmp_ctx
= talloc_stackframe();
879 if (tmp_ctx
== NULL
) {
880 return NT_STATUS_NO_MEMORY
;
883 status
= open_internal_samr_conn(tmp_ctx
, domain
, &samr_pipe
, &dom_pol
);
884 if (!NT_STATUS_IS_OK(status
)) {
888 status
= rpc_lookup_usergroups(tmp_ctx
,
895 if (!NT_STATUS_IS_OK(status
)) {
900 *pnum_groups
= num_groups
;
904 *puser_grpsids
= talloc_move(mem_ctx
, &user_grpsids
);
908 TALLOC_FREE(tmp_ctx
);
912 static NTSTATUS
sam_lookup_useraliases(struct winbindd_domain
*domain
,
915 const struct dom_sid
*sids
,
916 uint32_t *pnum_aliases
,
917 uint32_t **palias_rids
)
919 struct rpc_pipe_client
*samr_pipe
;
920 struct policy_handle dom_pol
;
921 uint32_t num_aliases
= 0;
922 uint32_t *alias_rids
= NULL
;
926 DEBUG(3,("sam_lookup_useraliases\n"));
932 tmp_ctx
= talloc_stackframe();
933 if (tmp_ctx
== NULL
) {
934 return NT_STATUS_NO_MEMORY
;
937 status
= open_internal_samr_conn(tmp_ctx
, domain
, &samr_pipe
, &dom_pol
);
938 if (!NT_STATUS_IS_OK(status
)) {
942 status
= rpc_lookup_useraliases(tmp_ctx
,
949 if (!NT_STATUS_IS_OK(status
)) {
954 *pnum_aliases
= num_aliases
;
958 *palias_rids
= talloc_move(mem_ctx
, &alias_rids
);
962 TALLOC_FREE(tmp_ctx
);
966 /* find the sequence number for a domain */
967 static NTSTATUS
sam_sequence_number(struct winbindd_domain
*domain
,
970 struct rpc_pipe_client
*samr_pipe
;
971 struct policy_handle dom_pol
;
976 DEBUG(3,("samr: sequence number\n"));
979 *pseq
= DOM_SEQUENCE_NONE
;
982 tmp_ctx
= talloc_stackframe();
983 if (tmp_ctx
== NULL
) {
984 return NT_STATUS_NO_MEMORY
;
987 status
= open_internal_samr_conn(tmp_ctx
, domain
, &samr_pipe
, &dom_pol
);
988 if (!NT_STATUS_IS_OK(status
)) {
992 status
= rpc_sequence_number(tmp_ctx
,
997 if (!NT_STATUS_IS_OK(status
)) {
1005 TALLOC_FREE(tmp_ctx
);
1009 /* the rpc backend methods are exposed via this structure */
1010 struct winbindd_methods builtin_passdb_methods
= {
1011 .consistent
= false,
1013 .query_user_list
= builtin_query_user_list
,
1014 .enum_dom_groups
= builtin_enum_dom_groups
,
1015 .enum_local_groups
= sam_enum_local_groups
,
1016 .name_to_sid
= sam_name_to_sid
,
1017 .sid_to_name
= sam_sid_to_name
,
1018 .rids_to_names
= sam_rids_to_names
,
1019 .query_user
= builtin_query_user
,
1020 .lookup_usergroups
= sam_lookup_usergroups
,
1021 .lookup_useraliases
= sam_lookup_useraliases
,
1022 .lookup_groupmem
= sam_lookup_groupmem
,
1023 .sequence_number
= sam_sequence_number
,
1024 .lockout_policy
= sam_lockout_policy
,
1025 .password_policy
= sam_password_policy
,
1026 .trusted_domains
= builtin_trusted_domains
1029 /* the rpc backend methods are exposed via this structure */
1030 struct winbindd_methods sam_passdb_methods
= {
1031 .consistent
= false,
1033 .query_user_list
= sam_query_user_list
,
1034 .enum_dom_groups
= sam_enum_dom_groups
,
1035 .enum_local_groups
= sam_enum_local_groups
,
1036 .name_to_sid
= sam_name_to_sid
,
1037 .sid_to_name
= sam_sid_to_name
,
1038 .rids_to_names
= sam_rids_to_names
,
1039 .query_user
= sam_query_user
,
1040 .lookup_usergroups
= sam_lookup_usergroups
,
1041 .lookup_useraliases
= sam_lookup_useraliases
,
1042 .lookup_groupmem
= sam_lookup_groupmem
,
1043 .sequence_number
= sam_sequence_number
,
1044 .lockout_policy
= sam_lockout_policy
,
1045 .password_policy
= sam_password_policy
,
1046 .trusted_domains
= sam_trusted_domains