search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:libsmb: add tstream_is_cli_np()
[Samba/gebeck_regimport.git] / source3 / rpc_server / srv_lsa_nt.c
blobfeec3661a25a4e945d7608f92ac235a83ade7985
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
14 * Copyright (C) Andrew Bartlett 2010.
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
20 *
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
25 *
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
28 */
29
30 /* This is the implementation of the lsa server code. */
31
32 #include "includes.h"
33 #include "../librpc/gen_ndr/srv_lsa.h"
34 #include "secrets.h"
35 #include "../librpc/gen_ndr/netlogon.h"
36 #include "rpc_client/init_lsa.h"
37 #include "../libcli/security/security.h"
38
39 #undef DBGC_CLASS
40 #define DBGC_CLASS DBGC_RPC_SRV
41
42 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
43
44 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
45
46 struct lsa_info {
47 struct dom_sid sid;
48 const char *name;
49 uint32 access;
50 enum lsa_handle_type type;
51 struct security_descriptor *sd;
52 };
53
54 const struct generic_mapping lsa_account_mapping = {
55 LSA_ACCOUNT_READ,
56 LSA_ACCOUNT_WRITE,
57 LSA_ACCOUNT_EXECUTE,
58 LSA_ACCOUNT_ALL_ACCESS
59 };
60
61 const struct generic_mapping lsa_policy_mapping = {
62 LSA_POLICY_READ,
63 LSA_POLICY_WRITE,
64 LSA_POLICY_EXECUTE,
65 LSA_POLICY_ALL_ACCESS
66 };
67
68 const struct generic_mapping lsa_secret_mapping = {
69 LSA_SECRET_READ,
70 LSA_SECRET_WRITE,
71 LSA_SECRET_EXECUTE,
72 LSA_SECRET_ALL_ACCESS
73 };
74
75 const struct generic_mapping lsa_trusted_domain_mapping = {
76 LSA_TRUSTED_DOMAIN_READ,
77 LSA_TRUSTED_DOMAIN_WRITE,
78 LSA_TRUSTED_DOMAIN_EXECUTE,
79 LSA_TRUSTED_DOMAIN_ALL_ACCESS
80 };
81
82 /***************************************************************************
83 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
84 ***************************************************************************/
85
86 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
87 struct lsa_RefDomainList *ref,
88 const char *dom_name,
89 struct dom_sid *dom_sid)
90 {
91 int num = 0;
92
93 if (dom_name != NULL) {
94 for (num = 0; num < ref->count; num++) {
95 if (dom_sid_equal(dom_sid, ref->domains[num].sid)) {
96 return num;
97 }
98 }
99 } else {
100 num = ref->count;
101 }
102
103 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
104 /* index not found, already at maximum domain limit */
105 return -1;
106 }
107
108 ref->count = num + 1;
109 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
110
111 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
112 struct lsa_DomainInfo, ref->count);
113 if (!ref->domains) {
114 return -1;
115 }
116
117 ZERO_STRUCT(ref->domains[num]);
118
119 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
120 ref->domains[num].sid = dom_sid_dup(mem_ctx, dom_sid);
121 if (!ref->domains[num].sid) {
122 return -1;
123 }
124
125 return num;
126 }
127
128
129 /***************************************************************************
130 initialize a lsa_DomainInfo structure.
131 ***************************************************************************/
132
133 static void init_dom_query_3(struct lsa_DomainInfo *r,
134 const char *name,
135 struct dom_sid *sid)
136 {
137 init_lsa_StringLarge(&r->name, name);
138 r->sid = sid;
139 }
140
141 /***************************************************************************
142 initialize a lsa_DomainInfo structure.
143 ***************************************************************************/
144
145 static void init_dom_query_5(struct lsa_DomainInfo *r,
146 const char *name,
147 struct dom_sid *sid)
148 {
149 init_lsa_StringLarge(&r->name, name);
150 r->sid = sid;
151 }
152
153 /***************************************************************************
154 lookup_lsa_rids. Must be called as root for lookup_name to work.
155 ***************************************************************************/
156
157 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
158 struct lsa_RefDomainList *ref,
159 struct lsa_TranslatedSid *prid,
160 uint32_t num_entries,
161 struct lsa_String *name,
162 int flags,
163 uint32_t *pmapped_count)
164 {
165 uint32 mapped_count, i;
166
167 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
168
169 mapped_count = 0;
170 *pmapped_count = 0;
171
172 for (i = 0; i < num_entries; i++) {
173 struct dom_sid sid;
174 uint32 rid;
175 int dom_idx;
176 const char *full_name;
177 const char *domain;
178 enum lsa_SidType type = SID_NAME_UNKNOWN;
179
180 /* Split name into domain and user component */
181
182 /* follow w2k8 behavior and return the builtin domain when no
183 * input has been passed in */
184
185 if (name[i].string) {
186 full_name = name[i].string;
187 } else {
188 full_name = "BUILTIN";
189 }
190
191 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
192
193 /* We can ignore the result of lookup_name, it will not touch
194 "type" if it's not successful */
195
196 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
197 &sid, &type);
198
199 switch (type) {
200 case SID_NAME_USER:
201 case SID_NAME_DOM_GRP:
202 case SID_NAME_DOMAIN:
203 case SID_NAME_ALIAS:
204 case SID_NAME_WKN_GRP:
205 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
206 /* Leave these unchanged */
207 break;
208 default:
209 /* Don't hand out anything but the list above */
210 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
211 type = SID_NAME_UNKNOWN;
212 break;
213 }
214
215 rid = 0;
216 dom_idx = -1;
217
218 if (type != SID_NAME_UNKNOWN) {
219 if (type == SID_NAME_DOMAIN) {
220 rid = (uint32_t)-1;
221 } else {
222 sid_split_rid(&sid, &rid);
223 }
224 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
225 mapped_count++;
226 }
227
228 prid[i].sid_type = type;
229 prid[i].rid = rid;
230 prid[i].sid_index = dom_idx;
231 }
232
233 *pmapped_count = mapped_count;
234 return NT_STATUS_OK;
235 }
236
237 /***************************************************************************
238 lookup_lsa_sids. Must be called as root for lookup_name to work.
239 ***************************************************************************/
240
241 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
242 struct lsa_RefDomainList *ref,
243 struct lsa_TranslatedSid3 *trans_sids,
244 uint32_t num_entries,
245 struct lsa_String *name,
246 int flags,
247 uint32 *pmapped_count)
248 {
249 uint32 mapped_count, i;
250
251 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
252
253 mapped_count = 0;
254 *pmapped_count = 0;
255
256 for (i = 0; i < num_entries; i++) {
257 struct dom_sid sid;
258 uint32 rid;
259 int dom_idx;
260 const char *full_name;
261 const char *domain;
262 enum lsa_SidType type = SID_NAME_UNKNOWN;
263
264 ZERO_STRUCT(sid);
265
266 /* Split name into domain and user component */
267
268 full_name = name[i].string;
269 if (full_name == NULL) {
270 return NT_STATUS_NO_MEMORY;
271 }
272
273 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
274
275 /* We can ignore the result of lookup_name, it will not touch
276 "type" if it's not successful */
277
278 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
279 &sid, &type);
280
281 switch (type) {
282 case SID_NAME_USER:
283 case SID_NAME_DOM_GRP:
284 case SID_NAME_DOMAIN:
285 case SID_NAME_ALIAS:
286 case SID_NAME_WKN_GRP:
287 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
288 /* Leave these unchanged */
289 break;
290 default:
291 /* Don't hand out anything but the list above */
292 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
293 type = SID_NAME_UNKNOWN;
294 break;
295 }
296
297 rid = 0;
298 dom_idx = -1;
299
300 if (type != SID_NAME_UNKNOWN) {
301 struct dom_sid domain_sid;
302 sid_copy(&domain_sid, &sid);
303 sid_split_rid(&domain_sid, &rid);
304 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
305 mapped_count++;
306 }
307
308 /* Initialize the lsa_TranslatedSid3 return. */
309 trans_sids[i].sid_type = type;
310 trans_sids[i].sid = dom_sid_dup(mem_ctx, &sid);
311 trans_sids[i].sid_index = dom_idx;
312 }
313
314 *pmapped_count = mapped_count;
315 return NT_STATUS_OK;
316 }
317
318 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, struct security_descriptor **sd, size_t *sd_size,
319 const struct generic_mapping *map,
320 struct dom_sid *sid, uint32_t sid_access)
321 {
322 struct dom_sid adm_sid;
323 struct security_ace ace[5];
324 size_t i = 0;
325
326 struct security_acl *psa = NULL;
327
328 /* READ|EXECUTE access for Everyone */
329
330 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
331 map->generic_execute | map->generic_read, 0);
332
333 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
334
335 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
336 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
337 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
338 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
339
340 /* Add Full Access for Domain Admins */
341 sid_compose(&adm_sid, get_global_sam_sid(), DOMAIN_RID_ADMINS);
342 init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
343 map->generic_all, 0);
344
345 /* If we have a sid, give it some special access */
346
347 if (sid) {
348 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
349 sid_access, 0);
350 }
351
352 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
353 return NT_STATUS_NO_MEMORY;
354
355 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
356 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
357 psa, sd_size)) == NULL)
358 return NT_STATUS_NO_MEMORY;
359
360 return NT_STATUS_OK;
361 }
362
363
364 /***************************************************************************
365 _lsa_OpenPolicy2
366 ***************************************************************************/
367
368 NTSTATUS _lsa_OpenPolicy2(struct pipes_struct *p,
369 struct lsa_OpenPolicy2 *r)
370 {
371 struct lsa_info *info;
372 struct security_descriptor *psd = NULL;
373 size_t sd_size;
374 uint32 des_access = r->in.access_mask;
375 uint32 acc_granted;
376 NTSTATUS status;
377
378 /* Work out max allowed. */
379 map_max_allowed_access(p->server_info->ptok,
380 &p->server_info->utok,
381 &des_access);
382
383 /* map the generic bits to the lsa policy ones */
384 se_map_generic(&des_access, &lsa_policy_mapping);
385
386 /* get the generic lsa policy SD until we store it */
387 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
388 NULL, 0);
389 if (!NT_STATUS_IS_OK(status)) {
390 return status;
391 }
392
393 status = access_check_object(psd, p->server_info->ptok,
394 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, des_access,
395 &acc_granted, "_lsa_OpenPolicy2" );
396 if (!NT_STATUS_IS_OK(status)) {
397 return status;
398 }
399
400 /* associate the domain SID with the (unique) handle. */
401 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
402 if (info == NULL) {
403 return NT_STATUS_NO_MEMORY;
404 }
405
406 sid_copy(&info->sid,get_global_sam_sid());
407 info->access = acc_granted;
408 info->type = LSA_HANDLE_POLICY_TYPE;
409
410 /* set up the LSA QUERY INFO response */
411 if (!create_policy_hnd(p, r->out.handle, info))
412 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
413
414 return NT_STATUS_OK;
415 }
416
417 /***************************************************************************
418 _lsa_OpenPolicy
419 ***************************************************************************/
420
421 NTSTATUS _lsa_OpenPolicy(struct pipes_struct *p,
422 struct lsa_OpenPolicy *r)
423 {
424 struct lsa_OpenPolicy2 o;
425
426 o.in.system_name = NULL; /* should be ignored */
427 o.in.attr = r->in.attr;
428 o.in.access_mask = r->in.access_mask;
429
430 o.out.handle = r->out.handle;
431
432 return _lsa_OpenPolicy2(p, &o);
433 }
434
435 /***************************************************************************
436 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
437 ufff, done :) mimir
438 ***************************************************************************/
439
440 NTSTATUS _lsa_EnumTrustDom(struct pipes_struct *p,
441 struct lsa_EnumTrustDom *r)
442 {
443 struct lsa_info *info;
444 uint32_t count;
445 struct trustdom_info **domains;
446 struct lsa_DomainInfo *entries;
447 int i;
448 NTSTATUS nt_status;
449
450 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
451 return NT_STATUS_INVALID_HANDLE;
452
453 if (info->type != LSA_HANDLE_POLICY_TYPE) {
454 return NT_STATUS_INVALID_HANDLE;
455 }
456
457 /* check if the user has enough rights */
458 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
459 return NT_STATUS_ACCESS_DENIED;
460
461 become_root();
462 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &count, &domains);
463 unbecome_root();
464
465 if (!NT_STATUS_IS_OK(nt_status)) {
466 return nt_status;
467 }
468
469 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo, count);
470 if (!entries) {
471 return NT_STATUS_NO_MEMORY;
472 }
473
474 for (i=0; i<count; i++) {
475 init_lsa_StringLarge(&entries[i].name, domains[i]->name);
476 entries[i].sid = &domains[i]->sid;
477 }
478
479 if (*r->in.resume_handle >= count) {
480 *r->out.resume_handle = -1;
481 TALLOC_FREE(entries);
482 return NT_STATUS_NO_MORE_ENTRIES;
483 }
484
485 /* return the rest, limit by max_size. Note that we
486 use the w2k3 element size value of 60 */
487 r->out.domains->count = count - *r->in.resume_handle;
488 r->out.domains->count = MIN(r->out.domains->count,
489 1+(r->in.max_size/LSA_ENUM_TRUST_DOMAIN_MULTIPLIER));
490
491 r->out.domains->domains = entries + *r->in.resume_handle;
492
493 if (r->out.domains->count < count - *r->in.resume_handle) {
494 *r->out.resume_handle = *r->in.resume_handle + r->out.domains->count;
495 return STATUS_MORE_ENTRIES;
496 }
497
498 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
499 * always be larger than the previous input resume handle, in
500 * particular when hitting the last query it is vital to set the
501 * resume handle correctly to avoid infinite client loops, as
502 * seen e.g. with Windows XP SP3 when resume handle is 0 and
503 * status is NT_STATUS_OK - gd */
504
505 *r->out.resume_handle = (uint32_t)-1;
506
507 return NT_STATUS_OK;
508 }
509
510 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
511 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
512 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
513
514 /***************************************************************************
515 _lsa_QueryInfoPolicy
516 ***************************************************************************/
517
518 NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
519 struct lsa_QueryInfoPolicy *r)
520 {
521 NTSTATUS status = NT_STATUS_OK;
522 struct lsa_info *handle;
523 struct dom_sid domain_sid;
524 const char *name;
525 struct dom_sid *sid = NULL;
526 union lsa_PolicyInformation *info = NULL;
527 uint32_t acc_required = 0;
528
529 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
530 return NT_STATUS_INVALID_HANDLE;
531
532 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
533 return NT_STATUS_INVALID_HANDLE;
534 }
535
536 switch (r->in.level) {
537 case LSA_POLICY_INFO_AUDIT_LOG:
538 case LSA_POLICY_INFO_AUDIT_EVENTS:
539 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
540 break;
541 case LSA_POLICY_INFO_DOMAIN:
542 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
543 break;
544 case LSA_POLICY_INFO_PD:
545 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
546 break;
547 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
548 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
549 break;
550 case LSA_POLICY_INFO_ROLE:
551 case LSA_POLICY_INFO_REPLICA:
552 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
553 break;
554 case LSA_POLICY_INFO_QUOTA:
555 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
556 break;
557 case LSA_POLICY_INFO_MOD:
558 case LSA_POLICY_INFO_AUDIT_FULL_SET:
559 /* according to MS-LSAD 3.1.4.4.3 */
560 return NT_STATUS_INVALID_PARAMETER;
561 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
562 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
563 break;
564 case LSA_POLICY_INFO_DNS:
565 case LSA_POLICY_INFO_DNS_INT:
566 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
567 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
568 break;
569 default:
570 break;
571 }
572
573 if (!(handle->access & acc_required)) {
574 /* return NT_STATUS_ACCESS_DENIED; */
575 }
576
577 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
578 if (!info) {
579 return NT_STATUS_NO_MEMORY;
580 }
581
582 switch (r->in.level) {
583 /* according to MS-LSAD 3.1.4.4.3 */
584 case LSA_POLICY_INFO_MOD:
585 case LSA_POLICY_INFO_AUDIT_FULL_SET:
586 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
587 return NT_STATUS_INVALID_PARAMETER;
588 case LSA_POLICY_INFO_AUDIT_LOG:
589 info->audit_log.percent_full = 0;
590 info->audit_log.maximum_log_size = 0;
591 info->audit_log.retention_time = 0;
592 info->audit_log.shutdown_in_progress = 0;
593 info->audit_log.time_to_shutdown = 0;
594 info->audit_log.next_audit_record = 0;
595 status = NT_STATUS_OK;
596 break;
597 case LSA_POLICY_INFO_PD:
598 info->pd.name.string = NULL;
599 status = NT_STATUS_OK;
600 break;
601 case LSA_POLICY_INFO_REPLICA:
602 info->replica.source.string = NULL;
603 info->replica.account.string = NULL;
604 status = NT_STATUS_OK;
605 break;
606 case LSA_POLICY_INFO_QUOTA:
607 info->quota.paged_pool = 0;
608 info->quota.non_paged_pool = 0;
609 info->quota.min_wss = 0;
610 info->quota.max_wss = 0;
611 info->quota.pagefile = 0;
612 info->quota.unknown = 0;
613 status = NT_STATUS_OK;
614 break;
615 case LSA_POLICY_INFO_AUDIT_EVENTS:
616 {
617
618 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
619
620 /* check if the user has enough rights */
621 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
622 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
623 return NT_STATUS_ACCESS_DENIED;
624 }
625
626 /* fake info: We audit everything. ;) */
627
628 info->audit_events.auditing_mode = true;
629 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
630 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
631 enum lsa_PolicyAuditPolicy,
632 info->audit_events.count);
633 if (!info->audit_events.settings) {
634 return NT_STATUS_NO_MEMORY;
635 }
636
637 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
638 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
639 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
640 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
641 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
642 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
643 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
644
645 break;
646 }
647 case LSA_POLICY_INFO_DOMAIN:
648 /* check if the user has enough rights */
649 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
650 return NT_STATUS_ACCESS_DENIED;
651
652 /* Request PolicyPrimaryDomainInformation. */
653 switch (lp_server_role()) {
654 case ROLE_DOMAIN_PDC:
655 case ROLE_DOMAIN_BDC:
656 name = get_global_sam_name();
657 sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
658 if (!sid) {
659 return NT_STATUS_NO_MEMORY;
660 }
661 break;
662 case ROLE_DOMAIN_MEMBER:
663 name = lp_workgroup();
664 /* We need to return the Domain SID here. */
665 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
666 sid = dom_sid_dup(p->mem_ctx, &domain_sid);
667 if (!sid) {
668 return NT_STATUS_NO_MEMORY;
669 }
670 } else {
671 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
672 }
673 break;
674 case ROLE_STANDALONE:
675 name = lp_workgroup();
676 sid = NULL;
677 break;
678 default:
679 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
680 }
681 init_dom_query_3(&info->domain, name, sid);
682 break;
683 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
684 /* check if the user has enough rights */
685 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
686 return NT_STATUS_ACCESS_DENIED;
687
688 /* Request PolicyAccountDomainInformation. */
689 name = get_global_sam_name();
690 sid = get_global_sam_sid();
691
692 init_dom_query_5(&info->account_domain, name, sid);
693 break;
694 case LSA_POLICY_INFO_ROLE:
695 /* check if the user has enough rights */
696 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
697 return NT_STATUS_ACCESS_DENIED;
698
699 switch (lp_server_role()) {
700 case ROLE_DOMAIN_BDC:
701 /*
702 * only a BDC is a backup controller
703 * of the domain, it controls.
704 */
705 info->role.role = LSA_ROLE_BACKUP;
706 break;
707 default:
708 /*
709 * any other role is a primary
710 * of the domain, it controls.
711 */
712 info->role.role = LSA_ROLE_PRIMARY;
713 break;
714 }
715 break;
716 case LSA_POLICY_INFO_DNS:
717 case LSA_POLICY_INFO_DNS_INT: {
718 struct pdb_domain_info *dominfo;
719
720 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
721 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
722 "without ADS passdb backend\n"));
723 status = NT_STATUS_INVALID_INFO_CLASS;
724 break;
725 }
726
727 dominfo = pdb_get_domain_info(info);
728 if (dominfo == NULL) {
729 status = NT_STATUS_NO_MEMORY;
730 break;
731 }
732
733 init_lsa_StringLarge(&info->dns.name,
734 dominfo->name);
735 init_lsa_StringLarge(&info->dns.dns_domain,
736 dominfo->dns_domain);
737 init_lsa_StringLarge(&info->dns.dns_forest,
738 dominfo->dns_forest);
739 info->dns.domain_guid = dominfo->guid;
740 info->dns.sid = &dominfo->sid;
741 break;
742 }
743 default:
744 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
745 r->in.level));
746 status = NT_STATUS_INVALID_INFO_CLASS;
747 break;
748 }
749
750 *r->out.info = info;
751
752 return status;
753 }
754
755 /***************************************************************************
756 _lsa_QueryInfoPolicy2
757 ***************************************************************************/
758
759 NTSTATUS _lsa_QueryInfoPolicy2(struct pipes_struct *p,
760 struct lsa_QueryInfoPolicy2 *r2)
761 {
762 struct lsa_QueryInfoPolicy r;
763
764 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
765 p->rng_fault_state = True;
766 return NT_STATUS_NOT_IMPLEMENTED;
767 }
768
769 ZERO_STRUCT(r);
770 r.in.handle = r2->in.handle;
771 r.in.level = r2->in.level;
772 r.out.info = r2->out.info;
773
774 return _lsa_QueryInfoPolicy(p, &r);
775 }
776
777 /***************************************************************************
778 _lsa_lookup_sids_internal
779 ***************************************************************************/
780
781 static NTSTATUS _lsa_lookup_sids_internal(struct pipes_struct *p,
782 TALLOC_CTX *mem_ctx,
783 uint16_t level, /* input */
784 int num_sids, /* input */
785 struct lsa_SidPtr *sid, /* input */
786 struct lsa_RefDomainList **pp_ref, /* input/output */
787 struct lsa_TranslatedName2 **pp_names,/* input/output */
788 uint32_t *pp_mapped_count) /* input/output */
789 {
790 NTSTATUS status;
791 int i;
792 const struct dom_sid **sids = NULL;
793 struct lsa_RefDomainList *ref = NULL;
794 uint32 mapped_count = 0;
795 struct lsa_dom_info *dom_infos = NULL;
796 struct lsa_name_info *name_infos = NULL;
797 struct lsa_TranslatedName2 *names = NULL;
798
799 *pp_mapped_count = 0;
800 *pp_names = NULL;
801 *pp_ref = NULL;
802
803 if (num_sids == 0) {
804 return NT_STATUS_OK;
805 }
806
807 sids = TALLOC_ARRAY(p->mem_ctx, const struct dom_sid *, num_sids);
808 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
809
810 if (sids == NULL || ref == NULL) {
811 return NT_STATUS_NO_MEMORY;
812 }
813
814 for (i=0; i<num_sids; i++) {
815 sids[i] = sid[i].sid;
816 }
817
818 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
819 &dom_infos, &name_infos);
820
821 if (!NT_STATUS_IS_OK(status)) {
822 return status;
823 }
824
825 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
826 if (names == NULL) {
827 return NT_STATUS_NO_MEMORY;
828 }
829
830 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
831
832 if (!dom_infos[i].valid) {
833 break;
834 }
835
836 if (init_lsa_ref_domain_list(mem_ctx, ref,
837 dom_infos[i].name,
838 &dom_infos[i].sid) != i) {
839 DEBUG(0, ("Domain %s mentioned twice??\n",
840 dom_infos[i].name));
841 return NT_STATUS_INTERNAL_ERROR;
842 }
843 }
844
845 for (i=0; i<num_sids; i++) {
846 struct lsa_name_info *name = &name_infos[i];
847
848 if (name->type == SID_NAME_UNKNOWN) {
849 fstring tmp;
850 name->dom_idx = -1;
851 /* Unknown sids should return the string
852 * representation of the SID. Windows 2003 behaves
853 * rather erratic here, in many cases it returns the
854 * RID as 8 bytes hex, in others it returns the full
855 * SID. We (Jerry/VL) could not figure out which the
856 * hard cases are, so leave it with the SID. */
857 name->name = talloc_asprintf(p->mem_ctx, "%s",
858 sid_to_fstring(tmp,
859 sids[i]));
860 if (name->name == NULL) {
861 return NT_STATUS_NO_MEMORY;
862 }
863 } else {
864 mapped_count += 1;
865 }
866
867 names[i].sid_type = name->type;
868 names[i].name.string = name->name;
869 names[i].sid_index = name->dom_idx;
870 names[i].unknown = 0;
871 }
872
873 status = NT_STATUS_NONE_MAPPED;
874 if (mapped_count > 0) {
875 status = (mapped_count < num_sids) ?
876 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
877 }
878
879 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
880 num_sids, mapped_count, nt_errstr(status)));
881
882 *pp_mapped_count = mapped_count;
883 *pp_names = names;
884 *pp_ref = ref;
885
886 return status;
887 }
888
889 /***************************************************************************
890 _lsa_LookupSids
891 ***************************************************************************/
892
893 NTSTATUS _lsa_LookupSids(struct pipes_struct *p,
894 struct lsa_LookupSids *r)
895 {
896 NTSTATUS status;
897 struct lsa_info *handle;
898 int num_sids = r->in.sids->num_sids;
899 uint32 mapped_count = 0;
900 struct lsa_RefDomainList *domains = NULL;
901 struct lsa_TranslatedName *names_out = NULL;
902 struct lsa_TranslatedName2 *names = NULL;
903 int i;
904
905 if ((r->in.level < 1) || (r->in.level > 6)) {
906 return NT_STATUS_INVALID_PARAMETER;
907 }
908
909 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
910 return NT_STATUS_INVALID_HANDLE;
911 }
912
913 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
914 return NT_STATUS_INVALID_HANDLE;
915 }
916
917 /* check if the user has enough rights */
918 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
919 return NT_STATUS_ACCESS_DENIED;
920 }
921
922 if (num_sids > MAX_LOOKUP_SIDS) {
923 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
924 MAX_LOOKUP_SIDS, num_sids));
925 return NT_STATUS_NONE_MAPPED;
926 }
927
928 status = _lsa_lookup_sids_internal(p,
929 p->mem_ctx,
930 r->in.level,
931 num_sids,
932 r->in.sids->sids,
933 &domains,
934 &names,
935 &mapped_count);
936
937 /* Only return here when there is a real error.
938 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
939 the requested sids could be resolved. Older versions of XP (pre SP3)
940 rely that we return with the string representations of those SIDs in
941 that case. If we don't, XP crashes - Guenther
942 */
943
944 if (NT_STATUS_IS_ERR(status) &&
945 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
946 return status;
947 }
948
949 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
950 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
951 num_sids);
952 if (!names_out) {
953 return NT_STATUS_NO_MEMORY;
954 }
955
956 for (i=0; i<num_sids; i++) {
957 names_out[i].sid_type = names[i].sid_type;
958 names_out[i].name = names[i].name;
959 names_out[i].sid_index = names[i].sid_index;
960 }
961
962 *r->out.domains = domains;
963 r->out.names->count = num_sids;
964 r->out.names->names = names_out;
965 *r->out.count = mapped_count;
966
967 return status;
968 }
969
970 /***************************************************************************
971 _lsa_LookupSids2
972 ***************************************************************************/
973
974 NTSTATUS _lsa_LookupSids2(struct pipes_struct *p,
975 struct lsa_LookupSids2 *r)
976 {
977 NTSTATUS status;
978 struct lsa_info *handle;
979 int num_sids = r->in.sids->num_sids;
980 uint32 mapped_count = 0;
981 struct lsa_RefDomainList *domains = NULL;
982 struct lsa_TranslatedName2 *names = NULL;
983 bool check_policy = true;
984
985 switch (p->opnum) {
986 case NDR_LSA_LOOKUPSIDS3:
987 check_policy = false;
988 break;
989 case NDR_LSA_LOOKUPSIDS2:
990 default:
991 check_policy = true;
992 }
993
994 if ((r->in.level < 1) || (r->in.level > 6)) {
995 return NT_STATUS_INVALID_PARAMETER;
996 }
997
998 if (check_policy) {
999 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1000 return NT_STATUS_INVALID_HANDLE;
1001 }
1002
1003 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1004 return NT_STATUS_INVALID_HANDLE;
1005 }
1006
1007 /* check if the user has enough rights */
1008 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1009 return NT_STATUS_ACCESS_DENIED;
1010 }
1011 }
1012
1013 if (num_sids > MAX_LOOKUP_SIDS) {
1014 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
1015 MAX_LOOKUP_SIDS, num_sids));
1016 return NT_STATUS_NONE_MAPPED;
1017 }
1018
1019 status = _lsa_lookup_sids_internal(p,
1020 p->mem_ctx,
1021 r->in.level,
1022 num_sids,
1023 r->in.sids->sids,
1024 &domains,
1025 &names,
1026 &mapped_count);
1027
1028 *r->out.domains = domains;
1029 r->out.names->count = num_sids;
1030 r->out.names->names = names;
1031 *r->out.count = mapped_count;
1032
1033 return status;
1034 }
1035
1036 /***************************************************************************
1037 _lsa_LookupSids3
1038 ***************************************************************************/
1039
1040 NTSTATUS _lsa_LookupSids3(struct pipes_struct *p,
1041 struct lsa_LookupSids3 *r)
1042 {
1043 struct lsa_LookupSids2 q;
1044
1045 /* No policy handle on this call. Restrict to crypto connections. */
1046 if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1047 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
1048 get_remote_machine_name() ));
1049 return NT_STATUS_INVALID_PARAMETER;
1050 }
1051
1052 q.in.handle = NULL;
1053 q.in.sids = r->in.sids;
1054 q.in.level = r->in.level;
1055 q.in.lookup_options = r->in.lookup_options;
1056 q.in.client_revision = r->in.client_revision;
1057 q.in.names = r->in.names;
1058 q.in.count = r->in.count;
1059
1060 q.out.domains = r->out.domains;
1061 q.out.names = r->out.names;
1062 q.out.count = r->out.count;
1063
1064 return _lsa_LookupSids2(p, &q);
1065 }
1066
1067 /***************************************************************************
1068 ***************************************************************************/
1069
1070 static int lsa_lookup_level_to_flags(enum lsa_LookupNamesLevel level)
1071 {
1072 int flags;
1073
1074 switch (level) {
1075 case LSA_LOOKUP_NAMES_ALL: /* 1 */
1076 flags = LOOKUP_NAME_ALL;
1077 break;
1078 case LSA_LOOKUP_NAMES_DOMAINS_ONLY: /* 2 */
1079 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1080 break;
1081 case LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY: /* 3 */
1082 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1083 break;
1084 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY: /* 4 */
1085 case LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY: /* 5 */
1086 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2: /* 6 */
1087 case LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC: /* 7 */
1088 default:
1089 flags = LOOKUP_NAME_NONE;
1090 break;
1091 }
1092
1093 return flags;
1094 }
1095
1096 /***************************************************************************
1097 _lsa_LookupNames
1098 ***************************************************************************/
1099
1100 NTSTATUS _lsa_LookupNames(struct pipes_struct *p,
1101 struct lsa_LookupNames *r)
1102 {
1103 NTSTATUS status = NT_STATUS_NONE_MAPPED;
1104 struct lsa_info *handle;
1105 struct lsa_String *names = r->in.names;
1106 uint32 num_entries = r->in.num_names;
1107 struct lsa_RefDomainList *domains = NULL;
1108 struct lsa_TranslatedSid *rids = NULL;
1109 uint32 mapped_count = 0;
1110 int flags = 0;
1111
1112 if (num_entries > MAX_LOOKUP_SIDS) {
1113 num_entries = MAX_LOOKUP_SIDS;
1114 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1115 num_entries));
1116 }
1117
1118 flags = lsa_lookup_level_to_flags(r->in.level);
1119
1120 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1121 if (!domains) {
1122 return NT_STATUS_NO_MEMORY;
1123 }
1124
1125 if (num_entries) {
1126 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1127 num_entries);
1128 if (!rids) {
1129 return NT_STATUS_NO_MEMORY;
1130 }
1131 } else {
1132 rids = NULL;
1133 }
1134
1135 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1136 status = NT_STATUS_INVALID_HANDLE;
1137 goto done;
1138 }
1139
1140 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1141 return NT_STATUS_INVALID_HANDLE;
1142 }
1143
1144 /* check if the user has enough rights */
1145 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1146 status = NT_STATUS_ACCESS_DENIED;
1147 goto done;
1148 }
1149
1150 /* set up the LSA Lookup RIDs response */
1151 become_root(); /* lookup_name can require root privs */
1152 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1153 names, flags, &mapped_count);
1154 unbecome_root();
1155
1156 done:
1157
1158 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1159 if (mapped_count == 0) {
1160 status = NT_STATUS_NONE_MAPPED;
1161 } else if (mapped_count != num_entries) {
1162 status = STATUS_SOME_UNMAPPED;
1163 }
1164 }
1165
1166 *r->out.count = mapped_count;
1167 *r->out.domains = domains;
1168 r->out.sids->sids = rids;
1169 r->out.sids->count = num_entries;
1170
1171 return status;
1172 }
1173
1174 /***************************************************************************
1175 _lsa_LookupNames2
1176 ***************************************************************************/
1177
1178 NTSTATUS _lsa_LookupNames2(struct pipes_struct *p,
1179 struct lsa_LookupNames2 *r)
1180 {
1181 NTSTATUS status;
1182 struct lsa_LookupNames q;
1183 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1184 struct lsa_TransSidArray *sid_array = NULL;
1185 uint32_t i;
1186
1187 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1188 if (!sid_array) {
1189 return NT_STATUS_NO_MEMORY;
1190 }
1191
1192 q.in.handle = r->in.handle;
1193 q.in.num_names = r->in.num_names;
1194 q.in.names = r->in.names;
1195 q.in.level = r->in.level;
1196 q.in.sids = sid_array;
1197 q.in.count = r->in.count;
1198 /* we do not know what this is for */
1199 /* = r->in.unknown1; */
1200 /* = r->in.unknown2; */
1201
1202 q.out.domains = r->out.domains;
1203 q.out.sids = sid_array;
1204 q.out.count = r->out.count;
1205
1206 status = _lsa_LookupNames(p, &q);
1207
1208 sid_array2->count = sid_array->count;
1209 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1210 if (!sid_array2->sids) {
1211 return NT_STATUS_NO_MEMORY;
1212 }
1213
1214 for (i=0; i<sid_array->count; i++) {
1215 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1216 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1217 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1218 sid_array2->sids[i].unknown = 0;
1219 }
1220
1221 r->out.sids = sid_array2;
1222
1223 return status;
1224 }
1225
1226 /***************************************************************************
1227 _lsa_LookupNames3
1228 ***************************************************************************/
1229
1230 NTSTATUS _lsa_LookupNames3(struct pipes_struct *p,
1231 struct lsa_LookupNames3 *r)
1232 {
1233 NTSTATUS status;
1234 struct lsa_info *handle;
1235 struct lsa_String *names = r->in.names;
1236 uint32 num_entries = r->in.num_names;
1237 struct lsa_RefDomainList *domains = NULL;
1238 struct lsa_TranslatedSid3 *trans_sids = NULL;
1239 uint32 mapped_count = 0;
1240 int flags = 0;
1241 bool check_policy = true;
1242
1243 switch (p->opnum) {
1244 case NDR_LSA_LOOKUPNAMES4:
1245 check_policy = false;
1246 break;
1247 case NDR_LSA_LOOKUPNAMES3:
1248 default:
1249 check_policy = true;
1250 }
1251
1252 if (num_entries > MAX_LOOKUP_SIDS) {
1253 num_entries = MAX_LOOKUP_SIDS;
1254 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1255 }
1256
1257 /* Probably the lookup_level is some sort of bitmask. */
1258 if (r->in.level == 1) {
1259 flags = LOOKUP_NAME_ALL;
1260 }
1261
1262 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1263 if (!domains) {
1264 return NT_STATUS_NO_MEMORY;
1265 }
1266
1267 if (num_entries) {
1268 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1269 num_entries);
1270 if (!trans_sids) {
1271 return NT_STATUS_NO_MEMORY;
1272 }
1273 } else {
1274 trans_sids = NULL;
1275 }
1276
1277 if (check_policy) {
1278
1279 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1280 status = NT_STATUS_INVALID_HANDLE;
1281 goto done;
1282 }
1283
1284 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1285 return NT_STATUS_INVALID_HANDLE;
1286 }
1287
1288 /* check if the user has enough rights */
1289 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1290 status = NT_STATUS_ACCESS_DENIED;
1291 goto done;
1292 }
1293 }
1294
1295 /* set up the LSA Lookup SIDs response */
1296 become_root(); /* lookup_name can require root privs */
1297 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1298 names, flags, &mapped_count);
1299 unbecome_root();
1300
1301 done:
1302
1303 if (NT_STATUS_IS_OK(status)) {
1304 if (mapped_count == 0) {
1305 status = NT_STATUS_NONE_MAPPED;
1306 } else if (mapped_count != num_entries) {
1307 status = STATUS_SOME_UNMAPPED;
1308 }
1309 }
1310
1311 *r->out.count = mapped_count;
1312 *r->out.domains = domains;
1313 r->out.sids->sids = trans_sids;
1314 r->out.sids->count = num_entries;
1315
1316 return status;
1317 }
1318
1319 /***************************************************************************
1320 _lsa_LookupNames4
1321 ***************************************************************************/
1322
1323 NTSTATUS _lsa_LookupNames4(struct pipes_struct *p,
1324 struct lsa_LookupNames4 *r)
1325 {
1326 struct lsa_LookupNames3 q;
1327
1328 /* No policy handle on this call. Restrict to crypto connections. */
1329 if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1330 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1331 get_remote_machine_name() ));
1332 return NT_STATUS_INVALID_PARAMETER;
1333 }
1334
1335 q.in.handle = NULL;
1336 q.in.num_names = r->in.num_names;
1337 q.in.names = r->in.names;
1338 q.in.level = r->in.level;
1339 q.in.lookup_options = r->in.lookup_options;
1340 q.in.client_revision = r->in.client_revision;
1341 q.in.sids = r->in.sids;
1342 q.in.count = r->in.count;
1343
1344 q.out.domains = r->out.domains;
1345 q.out.sids = r->out.sids;
1346 q.out.count = r->out.count;
1347
1348 return _lsa_LookupNames3(p, &q);
1349 }
1350
1351 /***************************************************************************
1352 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1353 ***************************************************************************/
1354
1355 NTSTATUS _lsa_Close(struct pipes_struct *p, struct lsa_Close *r)
1356 {
1357 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1358 return NT_STATUS_INVALID_HANDLE;
1359 }
1360
1361 close_policy_hnd(p, r->in.handle);
1362 ZERO_STRUCTP(r->out.handle);
1363 return NT_STATUS_OK;
1364 }
1365
1366 /***************************************************************************
1367 ***************************************************************************/
1368
1369 NTSTATUS _lsa_OpenSecret(struct pipes_struct *p, struct lsa_OpenSecret *r)
1370 {
1371 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1372 }
1373
1374 /***************************************************************************
1375 ***************************************************************************/
1376
1377 NTSTATUS _lsa_OpenTrustedDomain(struct pipes_struct *p,
1378 struct lsa_OpenTrustedDomain *r)
1379 {
1380 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1381 }
1382
1383 /***************************************************************************
1384 ***************************************************************************/
1385
1386 NTSTATUS _lsa_CreateTrustedDomain(struct pipes_struct *p,
1387 struct lsa_CreateTrustedDomain *r)
1388 {
1389 return NT_STATUS_ACCESS_DENIED;
1390 }
1391
1392 /***************************************************************************
1393 ***************************************************************************/
1394
1395 NTSTATUS _lsa_CreateSecret(struct pipes_struct *p, struct lsa_CreateSecret *r)
1396 {
1397 return NT_STATUS_ACCESS_DENIED;
1398 }
1399
1400 /***************************************************************************
1401 ***************************************************************************/
1402
1403 NTSTATUS _lsa_SetSecret(struct pipes_struct *p, struct lsa_SetSecret *r)
1404 {
1405 return NT_STATUS_ACCESS_DENIED;
1406 }
1407
1408 /***************************************************************************
1409 _lsa_DeleteObject
1410 ***************************************************************************/
1411
1412 NTSTATUS _lsa_DeleteObject(struct pipes_struct *p,
1413 struct lsa_DeleteObject *r)
1414 {
1415 NTSTATUS status;
1416 struct lsa_info *info = NULL;
1417
1418 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1419 return NT_STATUS_INVALID_HANDLE;
1420 }
1421
1422 if (!(info->access & SEC_STD_DELETE)) {
1423 return NT_STATUS_ACCESS_DENIED;
1424 }
1425
1426 switch (info->type) {
1427 case LSA_HANDLE_ACCOUNT_TYPE:
1428 status = privilege_delete_account(&info->sid);
1429 if (!NT_STATUS_IS_OK(status)) {
1430 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1431 nt_errstr(status)));
1432 return status;
1433 }
1434 break;
1435 default:
1436 return NT_STATUS_INVALID_HANDLE;
1437 }
1438
1439 close_policy_hnd(p, r->in.handle);
1440 ZERO_STRUCTP(r->out.handle);
1441
1442 return status;
1443 }
1444
1445 /***************************************************************************
1446 _lsa_EnumPrivs
1447 ***************************************************************************/
1448
1449 NTSTATUS _lsa_EnumPrivs(struct pipes_struct *p,
1450 struct lsa_EnumPrivs *r)
1451 {
1452 struct lsa_info *handle;
1453 uint32 i;
1454 uint32 enum_context = *r->in.resume_handle;
1455 int num_privs = num_privileges_in_short_list();
1456 struct lsa_PrivEntry *entries = NULL;
1457
1458 /* remember that the enum_context starts at 0 and not 1 */
1459
1460 if ( enum_context >= num_privs )
1461 return NT_STATUS_NO_MORE_ENTRIES;
1462
1463 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1464 enum_context, num_privs));
1465
1466 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1467 return NT_STATUS_INVALID_HANDLE;
1468
1469 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1470 return NT_STATUS_INVALID_HANDLE;
1471 }
1472
1473 /* check if the user has enough rights
1474 I don't know if it's the right one. not documented. */
1475
1476 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1477 return NT_STATUS_ACCESS_DENIED;
1478
1479 if (num_privs) {
1480 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1481 if (!entries) {
1482 return NT_STATUS_NO_MEMORY;
1483 }
1484 } else {
1485 entries = NULL;
1486 }
1487
1488 for (i = 0; i < num_privs; i++) {
1489 if( i < enum_context) {
1490
1491 init_lsa_StringLarge(&entries[i].name, NULL);
1492
1493 entries[i].luid.low = 0;
1494 entries[i].luid.high = 0;
1495 } else {
1496
1497 init_lsa_StringLarge(&entries[i].name, sec_privilege_name_from_index(i));
1498
1499 entries[i].luid.low = sec_privilege_from_index(i);
1500 entries[i].luid.high = 0;
1501 }
1502 }
1503
1504 enum_context = num_privs;
1505
1506 *r->out.resume_handle = enum_context;
1507 r->out.privs->count = num_privs;
1508 r->out.privs->privs = entries;
1509
1510 return NT_STATUS_OK;
1511 }
1512
1513 /***************************************************************************
1514 _lsa_LookupPrivDisplayName
1515 ***************************************************************************/
1516
1517 NTSTATUS _lsa_LookupPrivDisplayName(struct pipes_struct *p,
1518 struct lsa_LookupPrivDisplayName *r)
1519 {
1520 struct lsa_info *handle;
1521 const char *description;
1522 struct lsa_StringLarge *lsa_name;
1523
1524 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1525 return NT_STATUS_INVALID_HANDLE;
1526
1527 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1528 return NT_STATUS_INVALID_HANDLE;
1529 }
1530
1531 /* check if the user has enough rights */
1532
1533 /*
1534 * I don't know if it's the right one. not documented.
1535 */
1536 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1537 return NT_STATUS_ACCESS_DENIED;
1538
1539 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1540
1541 description = get_privilege_dispname(r->in.name->string);
1542 if (!description) {
1543 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1544 return NT_STATUS_NO_SUCH_PRIVILEGE;
1545 }
1546
1547 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1548
1549 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1550 if (!lsa_name) {
1551 return NT_STATUS_NO_MEMORY;
1552 }
1553
1554 init_lsa_StringLarge(lsa_name, description);
1555
1556 *r->out.returned_language_id = r->in.language_id;
1557 *r->out.disp_name = lsa_name;
1558
1559 return NT_STATUS_OK;
1560 }
1561
1562 /***************************************************************************
1563 _lsa_EnumAccounts
1564 ***************************************************************************/
1565
1566 NTSTATUS _lsa_EnumAccounts(struct pipes_struct *p,
1567 struct lsa_EnumAccounts *r)
1568 {
1569 struct lsa_info *handle;
1570 struct dom_sid *sid_list;
1571 int i, j, num_entries;
1572 NTSTATUS status;
1573 struct lsa_SidPtr *sids = NULL;
1574
1575 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1576 return NT_STATUS_INVALID_HANDLE;
1577
1578 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1579 return NT_STATUS_INVALID_HANDLE;
1580 }
1581
1582 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1583 return NT_STATUS_ACCESS_DENIED;
1584
1585 sid_list = NULL;
1586 num_entries = 0;
1587
1588 /* The only way we can currently find out all the SIDs that have been
1589 privileged is to scan all privileges */
1590
1591 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1592 if (!NT_STATUS_IS_OK(status)) {
1593 return status;
1594 }
1595
1596 if (*r->in.resume_handle >= num_entries) {
1597 return NT_STATUS_NO_MORE_ENTRIES;
1598 }
1599
1600 if (num_entries - *r->in.resume_handle) {
1601 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1602 num_entries - *r->in.resume_handle);
1603 if (!sids) {
1604 talloc_free(sid_list);
1605 return NT_STATUS_NO_MEMORY;
1606 }
1607
1608 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1609 sids[j].sid = dom_sid_dup(p->mem_ctx, &sid_list[i]);
1610 if (!sids[j].sid) {
1611 talloc_free(sid_list);
1612 return NT_STATUS_NO_MEMORY;
1613 }
1614 }
1615 }
1616
1617 talloc_free(sid_list);
1618
1619 *r->out.resume_handle = num_entries;
1620 r->out.sids->num_sids = num_entries;
1621 r->out.sids->sids = sids;
1622
1623 return NT_STATUS_OK;
1624 }
1625
1626 /***************************************************************************
1627 _lsa_GetUserName
1628 ***************************************************************************/
1629
1630 NTSTATUS _lsa_GetUserName(struct pipes_struct *p,
1631 struct lsa_GetUserName *r)
1632 {
1633 const char *username, *domname;
1634 struct lsa_String *account_name = NULL;
1635 struct lsa_String *authority_name = NULL;
1636
1637 if (r->in.account_name &&
1638 *r->in.account_name) {
1639 return NT_STATUS_INVALID_PARAMETER;
1640 }
1641
1642 if (r->in.authority_name &&
1643 *r->in.authority_name) {
1644 return NT_STATUS_INVALID_PARAMETER;
1645 }
1646
1647 if (p->server_info->guest) {
1648 /*
1649 * I'm 99% sure this is not the right place to do this,
1650 * global_sid_Anonymous should probably be put into the token
1651 * instead of the guest id -- vl
1652 */
1653 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1654 &domname, &username, NULL)) {
1655 return NT_STATUS_NO_MEMORY;
1656 }
1657 } else {
1658 username = p->server_info->sanitized_username;
1659 domname = p->server_info->info3->base.domain.string;
1660 }
1661
1662 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1663 if (!account_name) {
1664 return NT_STATUS_NO_MEMORY;
1665 }
1666 init_lsa_String(account_name, username);
1667
1668 if (r->out.authority_name) {
1669 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1670 if (!authority_name) {
1671 return NT_STATUS_NO_MEMORY;
1672 }
1673 init_lsa_String(authority_name, domname);
1674 }
1675
1676 *r->out.account_name = account_name;
1677 if (r->out.authority_name) {
1678 *r->out.authority_name = authority_name;
1679 }
1680
1681 return NT_STATUS_OK;
1682 }
1683
1684 /***************************************************************************
1685 _lsa_CreateAccount
1686 ***************************************************************************/
1687
1688 NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
1689 struct lsa_CreateAccount *r)
1690 {
1691 NTSTATUS status;
1692 struct lsa_info *handle;
1693 struct lsa_info *info;
1694 uint32_t acc_granted;
1695 struct security_descriptor *psd;
1696 size_t sd_size;
1697
1698 /* find the connection policy handle. */
1699 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1700 return NT_STATUS_INVALID_HANDLE;
1701
1702 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1703 return NT_STATUS_INVALID_HANDLE;
1704 }
1705
1706 /* check if the user has enough rights */
1707
1708 if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
1709 return NT_STATUS_ACCESS_DENIED;
1710 }
1711
1712 /* Work out max allowed. */
1713 map_max_allowed_access(p->server_info->ptok,
1714 &p->server_info->utok,
1715 &r->in.access_mask);
1716
1717 /* map the generic bits to the lsa policy ones */
1718 se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1719
1720 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1721 &lsa_account_mapping,
1722 r->in.sid, LSA_POLICY_ALL_ACCESS);
1723 if (!NT_STATUS_IS_OK(status)) {
1724 return status;
1725 }
1726
1727 status = access_check_object(psd, p->server_info->ptok,
1728 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, r->in.access_mask,
1729 &acc_granted, "_lsa_CreateAccount");
1730 if (!NT_STATUS_IS_OK(status)) {
1731 return status;
1732 }
1733
1734 if ( is_privileged_sid( r->in.sid ) )
1735 return NT_STATUS_OBJECT_NAME_COLLISION;
1736
1737 /* associate the user/group SID with the (unique) handle. */
1738
1739 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1740 if (info == NULL) {
1741 return NT_STATUS_NO_MEMORY;
1742 }
1743
1744 info->sid = *r->in.sid;
1745 info->access = acc_granted;
1746 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1747
1748 /* get a (unique) handle. open a policy on it. */
1749 if (!create_policy_hnd(p, r->out.acct_handle, info))
1750 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1751
1752 return privilege_create_account( &info->sid );
1753 }
1754
1755 /***************************************************************************
1756 _lsa_OpenAccount
1757 ***************************************************************************/
1758
1759 NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
1760 struct lsa_OpenAccount *r)
1761 {
1762 struct lsa_info *handle;
1763 struct lsa_info *info;
1764 struct security_descriptor *psd = NULL;
1765 size_t sd_size;
1766 uint32_t des_access = r->in.access_mask;
1767 uint32_t acc_granted;
1768 NTSTATUS status;
1769
1770 /* find the connection policy handle. */
1771 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1772 return NT_STATUS_INVALID_HANDLE;
1773
1774 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1775 return NT_STATUS_INVALID_HANDLE;
1776 }
1777
1778 /* des_access is for the account here, not the policy
1779 * handle - so don't check against policy handle. */
1780
1781 /* Work out max allowed. */
1782 map_max_allowed_access(p->server_info->ptok,
1783 &p->server_info->utok,
1784 &des_access);
1785
1786 /* map the generic bits to the lsa account ones */
1787 se_map_generic(&des_access, &lsa_account_mapping);
1788
1789 /* get the generic lsa account SD until we store it */
1790 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1791 &lsa_account_mapping,
1792 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1793 if (!NT_STATUS_IS_OK(status)) {
1794 return status;
1795 }
1796
1797 status = access_check_object(psd, p->server_info->ptok,
1798 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, des_access,
1799 &acc_granted, "_lsa_OpenAccount" );
1800 if (!NT_STATUS_IS_OK(status)) {
1801 return status;
1802 }
1803
1804 /* TODO: Fis the parsing routine before reenabling this check! */
1805 #if 0
1806 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1807 return NT_STATUS_ACCESS_DENIED;
1808 #endif
1809 /* associate the user/group SID with the (unique) handle. */
1810 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1811 if (info == NULL) {
1812 return NT_STATUS_NO_MEMORY;
1813 }
1814
1815 info->sid = *r->in.sid;
1816 info->access = acc_granted;
1817 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1818
1819 /* get a (unique) handle. open a policy on it. */
1820 if (!create_policy_hnd(p, r->out.acct_handle, info))
1821 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1822
1823 return NT_STATUS_OK;
1824 }
1825
1826 /***************************************************************************
1827 _lsa_EnumPrivsAccount
1828 For a given SID, enumerate all the privilege this account has.
1829 ***************************************************************************/
1830
1831 NTSTATUS _lsa_EnumPrivsAccount(struct pipes_struct *p,
1832 struct lsa_EnumPrivsAccount *r)
1833 {
1834 NTSTATUS status = NT_STATUS_OK;
1835 struct lsa_info *info=NULL;
1836 PRIVILEGE_SET *privileges;
1837 struct lsa_PrivilegeSet *priv_set = NULL;
1838
1839 /* find the connection policy handle. */
1840 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1841 return NT_STATUS_INVALID_HANDLE;
1842
1843 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1844 return NT_STATUS_INVALID_HANDLE;
1845 }
1846
1847 if (!(info->access & LSA_ACCOUNT_VIEW))
1848 return NT_STATUS_ACCESS_DENIED;
1849
1850 status = get_privileges_for_sid_as_set(p->mem_ctx, &privileges, &info->sid);
1851 if (!NT_STATUS_IS_OK(status)) {
1852 return status;
1853 }
1854
1855 *r->out.privs = priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1856 if (!priv_set) {
1857 return NT_STATUS_NO_MEMORY;
1858 }
1859
1860 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1861 sid_string_dbg(&info->sid),
1862 privileges->count));
1863
1864 priv_set->count = privileges->count;
1865 priv_set->unknown = 0;
1866 priv_set->set = talloc_move(priv_set, &privileges->set);
1867
1868 return status;
1869 }
1870
1871 /***************************************************************************
1872 _lsa_GetSystemAccessAccount
1873 ***************************************************************************/
1874
1875 NTSTATUS _lsa_GetSystemAccessAccount(struct pipes_struct *p,
1876 struct lsa_GetSystemAccessAccount *r)
1877 {
1878 NTSTATUS status;
1879 struct lsa_info *info = NULL;
1880 struct lsa_EnumPrivsAccount e;
1881 struct lsa_PrivilegeSet *privset;
1882
1883 /* find the connection policy handle. */
1884
1885 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1886 return NT_STATUS_INVALID_HANDLE;
1887
1888 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1889 return NT_STATUS_INVALID_HANDLE;
1890 }
1891
1892 if (!(info->access & LSA_ACCOUNT_VIEW))
1893 return NT_STATUS_ACCESS_DENIED;
1894
1895 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1896 if (!privset) {
1897 return NT_STATUS_NO_MEMORY;
1898 }
1899
1900 e.in.handle = r->in.handle;
1901 e.out.privs = &privset;
1902
1903 status = _lsa_EnumPrivsAccount(p, &e);
1904 if (!NT_STATUS_IS_OK(status)) {
1905 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1906 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1907 nt_errstr(status)));
1908 return status;
1909 }
1910
1911 /* Samba4 would iterate over the privset to merge the policy mode bits,
1912 * not sure samba3 can do the same here, so just return what we did in
1913 * the past - gd */
1914
1915 /*
1916 0x01 -> Log on locally
1917 0x02 -> Access this computer from network
1918 0x04 -> Log on as a batch job
1919 0x10 -> Log on as a service
1920
1921 they can be ORed together
1922 */
1923
1924 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1925 LSA_POLICY_MODE_NETWORK;
1926
1927 return NT_STATUS_OK;
1928 }
1929
1930 /***************************************************************************
1931 update the systemaccount information
1932 ***************************************************************************/
1933
1934 NTSTATUS _lsa_SetSystemAccessAccount(struct pipes_struct *p,
1935 struct lsa_SetSystemAccessAccount *r)
1936 {
1937 struct lsa_info *info=NULL;
1938 GROUP_MAP map;
1939
1940 /* find the connection policy handle. */
1941 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1942 return NT_STATUS_INVALID_HANDLE;
1943
1944 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1945 return NT_STATUS_INVALID_HANDLE;
1946 }
1947
1948 if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1949 return NT_STATUS_ACCESS_DENIED;
1950 }
1951
1952 if (!pdb_getgrsid(&map, info->sid))
1953 return NT_STATUS_NO_SUCH_GROUP;
1954
1955 return pdb_update_group_mapping_entry(&map);
1956 }
1957
1958 /***************************************************************************
1959 _lsa_AddPrivilegesToAccount
1960 For a given SID, add some privileges.
1961 ***************************************************************************/
1962
1963 NTSTATUS _lsa_AddPrivilegesToAccount(struct pipes_struct *p,
1964 struct lsa_AddPrivilegesToAccount *r)
1965 {
1966 struct lsa_info *info = NULL;
1967 struct lsa_PrivilegeSet *set = NULL;
1968
1969 /* find the connection policy handle. */
1970 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1971 return NT_STATUS_INVALID_HANDLE;
1972
1973 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1974 return NT_STATUS_INVALID_HANDLE;
1975 }
1976
1977 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1978 return NT_STATUS_ACCESS_DENIED;
1979 }
1980
1981 set = r->in.privs;
1982
1983 if ( !grant_privilege_set( &info->sid, set ) ) {
1984 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege_set(%s) failed!\n",
1985 sid_string_dbg(&info->sid) ));
1986 return NT_STATUS_NO_SUCH_PRIVILEGE;
1987 }
1988
1989 return NT_STATUS_OK;
1990 }
1991
1992 /***************************************************************************
1993 _lsa_RemovePrivilegesFromAccount
1994 For a given SID, remove some privileges.
1995 ***************************************************************************/
1996
1997 NTSTATUS _lsa_RemovePrivilegesFromAccount(struct pipes_struct *p,
1998 struct lsa_RemovePrivilegesFromAccount *r)
1999 {
2000 struct lsa_info *info = NULL;
2001 struct lsa_PrivilegeSet *set = NULL;
2002
2003 /* find the connection policy handle. */
2004 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2005 return NT_STATUS_INVALID_HANDLE;
2006
2007 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2008 return NT_STATUS_INVALID_HANDLE;
2009 }
2010
2011 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2012 return NT_STATUS_ACCESS_DENIED;
2013 }
2014
2015 set = r->in.privs;
2016
2017 if ( !revoke_privilege_set( &info->sid, set) ) {
2018 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2019 sid_string_dbg(&info->sid) ));
2020 return NT_STATUS_NO_SUCH_PRIVILEGE;
2021 }
2022
2023 return NT_STATUS_OK;
2024 }
2025
2026 /***************************************************************************
2027 _lsa_LookupPrivName
2028 ***************************************************************************/
2029
2030 NTSTATUS _lsa_LookupPrivName(struct pipes_struct *p,
2031 struct lsa_LookupPrivName *r)
2032 {
2033 struct lsa_info *info = NULL;
2034 const char *name;
2035 struct lsa_StringLarge *lsa_name;
2036
2037 /* find the connection policy handle. */
2038 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2039 return NT_STATUS_INVALID_HANDLE;
2040 }
2041
2042 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2043 return NT_STATUS_INVALID_HANDLE;
2044 }
2045
2046 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2047 return NT_STATUS_ACCESS_DENIED;
2048 }
2049
2050 if (r->in.luid->high != 0) {
2051 return NT_STATUS_NO_SUCH_PRIVILEGE;
2052 }
2053
2054 name = sec_privilege_name(r->in.luid->low);
2055 if (!name) {
2056 return NT_STATUS_NO_SUCH_PRIVILEGE;
2057 }
2058
2059 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2060 if (!lsa_name) {
2061 return NT_STATUS_NO_MEMORY;
2062 }
2063
2064 lsa_name->string = talloc_strdup(lsa_name, name);
2065 if (!lsa_name->string) {
2066 TALLOC_FREE(lsa_name);
2067 return NT_STATUS_NO_MEMORY;
2068 }
2069
2070 *r->out.name = lsa_name;
2071
2072 return NT_STATUS_OK;
2073 }
2074
2075 /***************************************************************************
2076 _lsa_QuerySecurity
2077 ***************************************************************************/
2078
2079 NTSTATUS _lsa_QuerySecurity(struct pipes_struct *p,
2080 struct lsa_QuerySecurity *r)
2081 {
2082 struct lsa_info *handle=NULL;
2083 struct security_descriptor *psd = NULL;
2084 size_t sd_size;
2085 NTSTATUS status;
2086
2087 /* find the connection policy handle. */
2088 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2089 return NT_STATUS_INVALID_HANDLE;
2090
2091 switch (handle->type) {
2092 case LSA_HANDLE_POLICY_TYPE:
2093 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2094 &lsa_policy_mapping, NULL, 0);
2095 break;
2096 case LSA_HANDLE_ACCOUNT_TYPE:
2097 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2098 &lsa_account_mapping,
2099 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2100 break;
2101 default:
2102 status = NT_STATUS_INVALID_HANDLE;
2103 break;
2104 }
2105
2106 if (!NT_STATUS_IS_OK(status)) {
2107 return status;
2108 }
2109
2110 *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2111 if (!*r->out.sdbuf) {
2112 return NT_STATUS_NO_MEMORY;
2113 }
2114
2115 return status;
2116 }
2117
2118 /***************************************************************************
2119 _lsa_AddAccountRights
2120 ***************************************************************************/
2121
2122 NTSTATUS _lsa_AddAccountRights(struct pipes_struct *p,
2123 struct lsa_AddAccountRights *r)
2124 {
2125 struct lsa_info *info = NULL;
2126 int i = 0;
2127 uint32_t acc_granted = 0;
2128 struct security_descriptor *psd = NULL;
2129 size_t sd_size;
2130 struct dom_sid sid;
2131 NTSTATUS status;
2132
2133 /* find the connection policy handle. */
2134 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2135 return NT_STATUS_INVALID_HANDLE;
2136
2137 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2138 return NT_STATUS_INVALID_HANDLE;
2139 }
2140
2141 /* get the generic lsa account SD for this SID until we store it */
2142 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2143 &lsa_account_mapping,
2144 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2145 if (!NT_STATUS_IS_OK(status)) {
2146 return status;
2147 }
2148
2149 /*
2150 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2151 * on the policy handle. If it does, ask for
2152 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2153 * on the account sid. We don't check here so just use the latter. JRA.
2154 */
2155
2156 status = access_check_object(psd, p->server_info->ptok,
2157 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
2158 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2159 &acc_granted, "_lsa_AddAccountRights" );
2160 if (!NT_STATUS_IS_OK(status)) {
2161 return status;
2162 }
2163
2164 /* according to an NT4 PDC, you can add privileges to SIDs even without
2165 call_lsa_create_account() first. And you can use any arbitrary SID. */
2166
2167 sid_copy( &sid, r->in.sid );
2168
2169 for ( i=0; i < r->in.rights->count; i++ ) {
2170
2171 const char *privname = r->in.rights->names[i].string;
2172
2173 /* only try to add non-null strings */
2174
2175 if ( !privname )
2176 continue;
2177
2178 if ( !grant_privilege_by_name( &sid, privname ) ) {
2179 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2180 privname ));
2181 return NT_STATUS_NO_SUCH_PRIVILEGE;
2182 }
2183 }
2184
2185 return NT_STATUS_OK;
2186 }
2187
2188 /***************************************************************************
2189 _lsa_RemoveAccountRights
2190 ***************************************************************************/
2191
2192 NTSTATUS _lsa_RemoveAccountRights(struct pipes_struct *p,
2193 struct lsa_RemoveAccountRights *r)
2194 {
2195 struct lsa_info *info = NULL;
2196 int i = 0;
2197 struct security_descriptor *psd = NULL;
2198 size_t sd_size;
2199 struct dom_sid sid;
2200 const char *privname = NULL;
2201 uint32_t acc_granted = 0;
2202 NTSTATUS status;
2203
2204 /* find the connection policy handle. */
2205 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2206 return NT_STATUS_INVALID_HANDLE;
2207
2208 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2209 return NT_STATUS_INVALID_HANDLE;
2210 }
2211
2212 /* get the generic lsa account SD for this SID until we store it */
2213 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2214 &lsa_account_mapping,
2215 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2216 if (!NT_STATUS_IS_OK(status)) {
2217 return status;
2218 }
2219
2220 /*
2221 * From the MS DOCs. We need
2222 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2223 * and DELETE on the account sid.
2224 */
2225
2226 status = access_check_object(psd, p->server_info->ptok,
2227 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
2228 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2229 LSA_ACCOUNT_VIEW|SEC_STD_DELETE,
2230 &acc_granted, "_lsa_RemoveAccountRights");
2231 if (!NT_STATUS_IS_OK(status)) {
2232 return status;
2233 }
2234
2235 sid_copy( &sid, r->in.sid );
2236
2237 if ( r->in.remove_all ) {
2238 if ( !revoke_all_privileges( &sid ) )
2239 return NT_STATUS_ACCESS_DENIED;
2240
2241 return NT_STATUS_OK;
2242 }
2243
2244 for ( i=0; i < r->in.rights->count; i++ ) {
2245
2246 privname = r->in.rights->names[i].string;
2247
2248 /* only try to add non-null strings */
2249
2250 if ( !privname )
2251 continue;
2252
2253 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2254 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2255 privname ));
2256 return NT_STATUS_NO_SUCH_PRIVILEGE;
2257 }
2258 }
2259
2260 return NT_STATUS_OK;
2261 }
2262
2263 /*******************************************************************
2264 ********************************************************************/
2265
2266 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2267 struct lsa_RightSet *r,
2268 PRIVILEGE_SET *privileges)
2269 {
2270 uint32 i;
2271 const char *privname;
2272 const char **privname_array = NULL;
2273 int num_priv = 0;
2274
2275 for (i=0; i<privileges->count; i++) {
2276 if (privileges->set[i].luid.high) {
2277 continue;
2278 }
2279 privname = sec_privilege_name(privileges->set[i].luid.low);
2280 if (privname) {
2281 if (!add_string_to_array(mem_ctx, privname,
2282 &privname_array, &num_priv)) {
2283 return NT_STATUS_NO_MEMORY;
2284 }
2285 }
2286 }
2287
2288 if (num_priv) {
2289
2290 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2291 num_priv);
2292 if (!r->names) {
2293 return NT_STATUS_NO_MEMORY;
2294 }
2295
2296 for (i=0; i<num_priv; i++) {
2297 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2298 }
2299
2300 r->count = num_priv;
2301 }
2302
2303 return NT_STATUS_OK;
2304 }
2305
2306 /***************************************************************************
2307 _lsa_EnumAccountRights
2308 ***************************************************************************/
2309
2310 NTSTATUS _lsa_EnumAccountRights(struct pipes_struct *p,
2311 struct lsa_EnumAccountRights *r)
2312 {
2313 NTSTATUS status;
2314 struct lsa_info *info = NULL;
2315 PRIVILEGE_SET *privileges;
2316
2317 /* find the connection policy handle. */
2318
2319 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2320 return NT_STATUS_INVALID_HANDLE;
2321
2322 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2323 return NT_STATUS_INVALID_HANDLE;
2324 }
2325
2326 if (!(info->access & LSA_ACCOUNT_VIEW)) {
2327 return NT_STATUS_ACCESS_DENIED;
2328 }
2329
2330 /* according to an NT4 PDC, you can add privileges to SIDs even without
2331 call_lsa_create_account() first. And you can use any arbitrary SID. */
2332
2333 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2334 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2335 * the lsa database */
2336
2337 status = get_privileges_for_sid_as_set(p->mem_ctx, &privileges, r->in.sid);
2338 if (!NT_STATUS_IS_OK(status)) {
2339 return status;
2340 }
2341
2342 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2343 sid_string_dbg(r->in.sid), privileges->count));
2344
2345 status = init_lsa_right_set(p->mem_ctx, r->out.rights, privileges);
2346
2347 return status;
2348 }
2349
2350 /***************************************************************************
2351 _lsa_LookupPrivValue
2352 ***************************************************************************/
2353
2354 NTSTATUS _lsa_LookupPrivValue(struct pipes_struct *p,
2355 struct lsa_LookupPrivValue *r)
2356 {
2357 struct lsa_info *info = NULL;
2358 const char *name = NULL;
2359
2360 /* find the connection policy handle. */
2361
2362 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2363 return NT_STATUS_INVALID_HANDLE;
2364
2365 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2366 return NT_STATUS_INVALID_HANDLE;
2367 }
2368
2369 if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2370 return NT_STATUS_ACCESS_DENIED;
2371
2372 name = r->in.name->string;
2373
2374 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2375
2376 r->out.luid->low = sec_privilege_id(name);
2377 r->out.luid->high = 0;
2378 if (r->out.luid->low == SEC_PRIV_INVALID) {
2379 return NT_STATUS_NO_SUCH_PRIVILEGE;
2380 }
2381 return NT_STATUS_OK;
2382 }
2383
2384 /***************************************************************************
2385 _lsa_EnumAccountsWithUserRight
2386 ***************************************************************************/
2387
2388 NTSTATUS _lsa_EnumAccountsWithUserRight(struct pipes_struct *p,
2389 struct lsa_EnumAccountsWithUserRight *r)
2390 {
2391 NTSTATUS status;
2392 struct lsa_info *info = NULL;
2393 struct dom_sid *sids = NULL;
2394 int num_sids = 0;
2395 uint32_t i;
2396 enum sec_privilege privilege;
2397
2398 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2399 return NT_STATUS_INVALID_HANDLE;
2400 }
2401
2402 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2403 return NT_STATUS_INVALID_HANDLE;
2404 }
2405
2406 if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2407 return NT_STATUS_ACCESS_DENIED;
2408 }
2409
2410 if (!r->in.name || !r->in.name->string) {
2411 return NT_STATUS_NO_SUCH_PRIVILEGE;
2412 }
2413
2414 privilege = sec_privilege_id(r->in.name->string);
2415 if (privilege == SEC_PRIV_INVALID) {
2416 return NT_STATUS_NO_SUCH_PRIVILEGE;
2417 }
2418
2419 status = privilege_enum_sids(privilege, p->mem_ctx,
2420 &sids, &num_sids);
2421 if (!NT_STATUS_IS_OK(status)) {
2422 return status;
2423 }
2424
2425 r->out.sids->num_sids = num_sids;
2426 r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2427 r->out.sids->num_sids);
2428
2429 for (i=0; i < r->out.sids->num_sids; i++) {
2430 r->out.sids->sids[i].sid = dom_sid_dup(r->out.sids->sids,
2431 &sids[i]);
2432 if (!r->out.sids->sids[i].sid) {
2433 TALLOC_FREE(r->out.sids->sids);
2434 r->out.sids->num_sids = 0;
2435 return NT_STATUS_NO_MEMORY;
2436 }
2437 }
2438
2439 return NT_STATUS_OK;
2440 }
2441
2442 /***************************************************************************
2443 _lsa_Delete
2444 ***************************************************************************/
2445
2446 NTSTATUS _lsa_Delete(struct pipes_struct *p,
2447 struct lsa_Delete *r)
2448 {
2449 return NT_STATUS_NOT_SUPPORTED;
2450 }
2451
2452 /*
2453 * From here on the server routines are just dummy ones to make smbd link with
2454 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2455 * pulling the server stubs across one by one.
2456 */
2457
2458 NTSTATUS _lsa_SetSecObj(struct pipes_struct *p, struct lsa_SetSecObj *r)
2459 {
2460 p->rng_fault_state = True;
2461 return NT_STATUS_NOT_IMPLEMENTED;
2462 }
2463
2464 NTSTATUS _lsa_ChangePassword(struct pipes_struct *p,
2465 struct lsa_ChangePassword *r)
2466 {
2467 p->rng_fault_state = True;
2468 return NT_STATUS_NOT_IMPLEMENTED;
2469 }
2470
2471 NTSTATUS _lsa_SetInfoPolicy(struct pipes_struct *p, struct lsa_SetInfoPolicy *r)
2472 {
2473 p->rng_fault_state = True;
2474 return NT_STATUS_NOT_IMPLEMENTED;
2475 }
2476
2477 NTSTATUS _lsa_ClearAuditLog(struct pipes_struct *p, struct lsa_ClearAuditLog *r)
2478 {
2479 p->rng_fault_state = True;
2480 return NT_STATUS_NOT_IMPLEMENTED;
2481 }
2482
2483 NTSTATUS _lsa_GetQuotasForAccount(struct pipes_struct *p,
2484 struct lsa_GetQuotasForAccount *r)
2485 {
2486 p->rng_fault_state = True;
2487 return NT_STATUS_NOT_IMPLEMENTED;
2488 }
2489
2490 NTSTATUS _lsa_SetQuotasForAccount(struct pipes_struct *p,
2491 struct lsa_SetQuotasForAccount *r)
2492 {
2493 p->rng_fault_state = True;
2494 return NT_STATUS_NOT_IMPLEMENTED;
2495 }
2496
2497 NTSTATUS _lsa_QueryTrustedDomainInfo(struct pipes_struct *p,
2498 struct lsa_QueryTrustedDomainInfo *r)
2499 {
2500 p->rng_fault_state = True;
2501 return NT_STATUS_NOT_IMPLEMENTED;
2502 }
2503
2504 NTSTATUS _lsa_SetInformationTrustedDomain(struct pipes_struct *p,
2505 struct lsa_SetInformationTrustedDomain *r)
2506 {
2507 p->rng_fault_state = True;
2508 return NT_STATUS_NOT_IMPLEMENTED;
2509 }
2510
2511 NTSTATUS _lsa_QuerySecret(struct pipes_struct *p, struct lsa_QuerySecret *r)
2512 {
2513 p->rng_fault_state = True;
2514 return NT_STATUS_NOT_IMPLEMENTED;
2515 }
2516
2517 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(struct pipes_struct *p,
2518 struct lsa_QueryTrustedDomainInfoBySid *r)
2519 {
2520 p->rng_fault_state = True;
2521 return NT_STATUS_NOT_IMPLEMENTED;
2522 }
2523
2524 NTSTATUS _lsa_SetTrustedDomainInfo(struct pipes_struct *p,
2525 struct lsa_SetTrustedDomainInfo *r)
2526 {
2527 p->rng_fault_state = True;
2528 return NT_STATUS_NOT_IMPLEMENTED;
2529 }
2530
2531 NTSTATUS _lsa_DeleteTrustedDomain(struct pipes_struct *p,
2532 struct lsa_DeleteTrustedDomain *r)
2533 {
2534 p->rng_fault_state = True;
2535 return NT_STATUS_NOT_IMPLEMENTED;
2536 }
2537
2538 NTSTATUS _lsa_StorePrivateData(struct pipes_struct *p,
2539 struct lsa_StorePrivateData *r)
2540 {
2541 p->rng_fault_state = True;
2542 return NT_STATUS_NOT_IMPLEMENTED;
2543 }
2544
2545 NTSTATUS _lsa_RetrievePrivateData(struct pipes_struct *p,
2546 struct lsa_RetrievePrivateData *r)
2547 {
2548 p->rng_fault_state = True;
2549 return NT_STATUS_NOT_IMPLEMENTED;
2550 }
2551
2552 NTSTATUS _lsa_SetInfoPolicy2(struct pipes_struct *p,
2553 struct lsa_SetInfoPolicy2 *r)
2554 {
2555 p->rng_fault_state = True;
2556 return NT_STATUS_NOT_IMPLEMENTED;
2557 }
2558
2559 NTSTATUS _lsa_QueryTrustedDomainInfoByName(struct pipes_struct *p,
2560 struct lsa_QueryTrustedDomainInfoByName *r)
2561 {
2562 p->rng_fault_state = True;
2563 return NT_STATUS_NOT_IMPLEMENTED;
2564 }
2565
2566 NTSTATUS _lsa_SetTrustedDomainInfoByName(struct pipes_struct *p,
2567 struct lsa_SetTrustedDomainInfoByName *r)
2568 {
2569 p->rng_fault_state = True;
2570 return NT_STATUS_NOT_IMPLEMENTED;
2571 }
2572
2573 NTSTATUS _lsa_EnumTrustedDomainsEx(struct pipes_struct *p,
2574 struct lsa_EnumTrustedDomainsEx *r)
2575 {
2576 p->rng_fault_state = True;
2577 return NT_STATUS_NOT_IMPLEMENTED;
2578 }
2579
2580 NTSTATUS _lsa_CreateTrustedDomainEx(struct pipes_struct *p,
2581 struct lsa_CreateTrustedDomainEx *r)
2582 {
2583 p->rng_fault_state = True;
2584 return NT_STATUS_NOT_IMPLEMENTED;
2585 }
2586
2587 NTSTATUS _lsa_CloseTrustedDomainEx(struct pipes_struct *p,
2588 struct lsa_CloseTrustedDomainEx *r)
2589 {
2590 p->rng_fault_state = True;
2591 return NT_STATUS_NOT_IMPLEMENTED;
2592 }
2593
2594 NTSTATUS _lsa_QueryDomainInformationPolicy(struct pipes_struct *p,
2595 struct lsa_QueryDomainInformationPolicy *r)
2596 {
2597 p->rng_fault_state = True;
2598 return NT_STATUS_NOT_IMPLEMENTED;
2599 }
2600
2601 NTSTATUS _lsa_SetDomainInformationPolicy(struct pipes_struct *p,
2602 struct lsa_SetDomainInformationPolicy *r)
2603 {
2604 p->rng_fault_state = True;
2605 return NT_STATUS_NOT_IMPLEMENTED;
2606 }
2607
2608 NTSTATUS _lsa_OpenTrustedDomainByName(struct pipes_struct *p,
2609 struct lsa_OpenTrustedDomainByName *r)
2610 {
2611 p->rng_fault_state = True;
2612 return NT_STATUS_NOT_IMPLEMENTED;
2613 }
2614
2615 NTSTATUS _lsa_TestCall(struct pipes_struct *p, struct lsa_TestCall *r)
2616 {
2617 p->rng_fault_state = True;
2618 return NT_STATUS_NOT_IMPLEMENTED;
2619 }
2620
2621 NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
2622 struct lsa_CreateTrustedDomainEx2 *r)
2623 {
2624 p->rng_fault_state = True;
2625 return NT_STATUS_NOT_IMPLEMENTED;
2626 }
2627
2628 NTSTATUS _lsa_CREDRWRITE(struct pipes_struct *p, struct lsa_CREDRWRITE *r)
2629 {
2630 p->rng_fault_state = True;
2631 return NT_STATUS_NOT_IMPLEMENTED;
2632 }
2633
2634 NTSTATUS _lsa_CREDRREAD(struct pipes_struct *p, struct lsa_CREDRREAD *r)
2635 {
2636 p->rng_fault_state = True;
2637 return NT_STATUS_NOT_IMPLEMENTED;
2638 }
2639
2640 NTSTATUS _lsa_CREDRENUMERATE(struct pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2641 {
2642 p->rng_fault_state = True;
2643 return NT_STATUS_NOT_IMPLEMENTED;
2644 }
2645
2646 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(struct pipes_struct *p,
2647 struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2648 {
2649 p->rng_fault_state = True;
2650 return NT_STATUS_NOT_IMPLEMENTED;
2651 }
2652
2653 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(struct pipes_struct *p,
2654 struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2655 {
2656 p->rng_fault_state = True;
2657 return NT_STATUS_NOT_IMPLEMENTED;
2658 }
2659
2660 NTSTATUS _lsa_CREDRDELETE(struct pipes_struct *p, struct lsa_CREDRDELETE *r)
2661 {
2662 p->rng_fault_state = True;
2663 return NT_STATUS_NOT_IMPLEMENTED;
2664 }
2665
2666 NTSTATUS _lsa_CREDRGETTARGETINFO(struct pipes_struct *p,
2667 struct lsa_CREDRGETTARGETINFO *r)
2668 {
2669 p->rng_fault_state = True;
2670 return NT_STATUS_NOT_IMPLEMENTED;
2671 }
2672
2673 NTSTATUS _lsa_CREDRPROFILELOADED(struct pipes_struct *p,
2674 struct lsa_CREDRPROFILELOADED *r)
2675 {
2676 p->rng_fault_state = True;
2677 return NT_STATUS_NOT_IMPLEMENTED;
2678 }
2679
2680 NTSTATUS _lsa_CREDRGETSESSIONTYPES(struct pipes_struct *p,
2681 struct lsa_CREDRGETSESSIONTYPES *r)
2682 {
2683 p->rng_fault_state = True;
2684 return NT_STATUS_NOT_IMPLEMENTED;
2685 }
2686
2687 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(struct pipes_struct *p,
2688 struct lsa_LSARREGISTERAUDITEVENT *r)
2689 {
2690 p->rng_fault_state = True;
2691 return NT_STATUS_NOT_IMPLEMENTED;
2692 }
2693
2694 NTSTATUS _lsa_LSARGENAUDITEVENT(struct pipes_struct *p,
2695 struct lsa_LSARGENAUDITEVENT *r)
2696 {
2697 p->rng_fault_state = True;
2698 return NT_STATUS_NOT_IMPLEMENTED;
2699 }
2700
2701 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(struct pipes_struct *p,
2702 struct lsa_LSARUNREGISTERAUDITEVENT *r)
2703 {
2704 p->rng_fault_state = True;
2705 return NT_STATUS_NOT_IMPLEMENTED;
2706 }
2707
2708 NTSTATUS _lsa_lsaRQueryForestTrustInformation(struct pipes_struct *p,
2709 struct lsa_lsaRQueryForestTrustInformation *r)
2710 {
2711 p->rng_fault_state = True;
2712 return NT_STATUS_NOT_IMPLEMENTED;
2713 }
2714
2715 NTSTATUS _lsa_lsaRSetForestTrustInformation(struct pipes_struct *p,
2716 struct lsa_lsaRSetForestTrustInformation *r)
2717 {
2718 p->rng_fault_state = True;
2719 return NT_STATUS_NOT_IMPLEMENTED;
2720 }
2721
2722 NTSTATUS _lsa_CREDRRENAME(struct pipes_struct *p,
2723 struct lsa_CREDRRENAME *r)
2724 {
2725 p->rng_fault_state = True;
2726 return NT_STATUS_NOT_IMPLEMENTED;
2727 }
2728
2729 NTSTATUS _lsa_LSAROPENPOLICYSCE(struct pipes_struct *p,
2730 struct lsa_LSAROPENPOLICYSCE *r)
2731 {
2732 p->rng_fault_state = True;
2733 return NT_STATUS_NOT_IMPLEMENTED;
2734 }
2735
2736 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(struct pipes_struct *p,
2737 struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2738 {
2739 p->rng_fault_state = True;
2740 return NT_STATUS_NOT_IMPLEMENTED;
2741 }
2742
2743 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(struct pipes_struct *p,
2744 struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2745 {
2746 p->rng_fault_state = True;
2747 return NT_STATUS_NOT_IMPLEMENTED;
2748 }
2749
2750 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(struct pipes_struct *p,
2751 struct lsa_LSARADTREPORTSECURITYEVENT *r)
2752 {
2753 p->rng_fault_state = True;
2754 return NT_STATUS_NOT_IMPLEMENTED;
2755 }
reg import