search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-lsa: expand struct lsa_info to carry name and sd.
[Samba/kamenim.git] / source3 / rpc_server / srv_lsa_nt.c
blob931026ea2618820f7598f4c5a8b63f369159c48a
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
14 *
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
19 *
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
24 *
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
27 */
28
29 /* This is the implementation of the lsa server code. */
30
31 #include "includes.h"
32
33 #undef DBGC_CLASS
34 #define DBGC_CLASS DBGC_RPC_SRV
35
36 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
37
38 extern PRIVS privs[];
39
40 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
41
42 struct lsa_info {
43 DOM_SID sid;
44 const char *name;
45 uint32 access;
46 enum lsa_handle_type type;
47 struct security_descriptor *sd;
48 };
49
50 const struct generic_mapping lsa_account_mapping = {
51 LSA_ACCOUNT_READ,
52 LSA_ACCOUNT_WRITE,
53 LSA_ACCOUNT_EXECUTE,
54 LSA_ACCOUNT_ALL_ACCESS
55 };
56
57 const struct generic_mapping lsa_policy_mapping = {
58 LSA_POLICY_READ,
59 LSA_POLICY_WRITE,
60 LSA_POLICY_EXECUTE,
61 LSA_POLICY_ALL_ACCESS
62 };
63
64 const struct generic_mapping lsa_secret_mapping = {
65 LSA_SECRET_READ,
66 LSA_SECRET_WRITE,
67 LSA_SECRET_EXECUTE,
68 LSA_SECRET_ALL_ACCESS
69 };
70
71 const struct generic_mapping lsa_trusted_domain_mapping = {
72 LSA_TRUSTED_DOMAIN_READ,
73 LSA_TRUSTED_DOMAIN_WRITE,
74 LSA_TRUSTED_DOMAIN_EXECUTE,
75 LSA_TRUSTED_DOMAIN_ALL_ACCESS
76 };
77
78 /***************************************************************************
79 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
80 ***************************************************************************/
81
82 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
83 struct lsa_RefDomainList *ref,
84 const char *dom_name,
85 DOM_SID *dom_sid)
86 {
87 int num = 0;
88
89 if (dom_name != NULL) {
90 for (num = 0; num < ref->count; num++) {
91 if (sid_equal(dom_sid, ref->domains[num].sid)) {
92 return num;
93 }
94 }
95 } else {
96 num = ref->count;
97 }
98
99 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
100 /* index not found, already at maximum domain limit */
101 return -1;
102 }
103
104 ref->count = num + 1;
105 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
106
107 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
108 struct lsa_DomainInfo, ref->count);
109 if (!ref->domains) {
110 return -1;
111 }
112
113 ZERO_STRUCT(ref->domains[num]);
114
115 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
116 ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
117 if (!ref->domains[num].sid) {
118 return -1;
119 }
120
121 return num;
122 }
123
124
125 /***************************************************************************
126 initialize a lsa_DomainInfo structure.
127 ***************************************************************************/
128
129 static void init_dom_query_3(struct lsa_DomainInfo *r,
130 const char *name,
131 DOM_SID *sid)
132 {
133 init_lsa_StringLarge(&r->name, name);
134 r->sid = sid;
135 }
136
137 /***************************************************************************
138 initialize a lsa_DomainInfo structure.
139 ***************************************************************************/
140
141 static void init_dom_query_5(struct lsa_DomainInfo *r,
142 const char *name,
143 DOM_SID *sid)
144 {
145 init_lsa_StringLarge(&r->name, name);
146 r->sid = sid;
147 }
148
149 /***************************************************************************
150 lookup_lsa_rids. Must be called as root for lookup_name to work.
151 ***************************************************************************/
152
153 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
154 struct lsa_RefDomainList *ref,
155 struct lsa_TranslatedSid *prid,
156 uint32_t num_entries,
157 struct lsa_String *name,
158 int flags,
159 uint32_t *pmapped_count)
160 {
161 uint32 mapped_count, i;
162
163 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
164
165 mapped_count = 0;
166 *pmapped_count = 0;
167
168 for (i = 0; i < num_entries; i++) {
169 DOM_SID sid;
170 uint32 rid;
171 int dom_idx;
172 const char *full_name;
173 const char *domain;
174 enum lsa_SidType type = SID_NAME_UNKNOWN;
175
176 /* Split name into domain and user component */
177
178 /* follow w2k8 behavior and return the builtin domain when no
179 * input has been passed in */
180
181 if (name[i].string) {
182 full_name = name[i].string;
183 } else {
184 full_name = "BUILTIN";
185 }
186
187 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
188
189 /* We can ignore the result of lookup_name, it will not touch
190 "type" if it's not successful */
191
192 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
193 &sid, &type);
194
195 switch (type) {
196 case SID_NAME_USER:
197 case SID_NAME_DOM_GRP:
198 case SID_NAME_DOMAIN:
199 case SID_NAME_ALIAS:
200 case SID_NAME_WKN_GRP:
201 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
202 /* Leave these unchanged */
203 break;
204 default:
205 /* Don't hand out anything but the list above */
206 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
207 type = SID_NAME_UNKNOWN;
208 break;
209 }
210
211 rid = 0;
212 dom_idx = -1;
213
214 if (type != SID_NAME_UNKNOWN) {
215 if (type == SID_NAME_DOMAIN) {
216 rid = (uint32_t)-1;
217 } else {
218 sid_split_rid(&sid, &rid);
219 }
220 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
221 mapped_count++;
222 }
223
224 prid[i].sid_type = type;
225 prid[i].rid = rid;
226 prid[i].sid_index = dom_idx;
227 }
228
229 *pmapped_count = mapped_count;
230 return NT_STATUS_OK;
231 }
232
233 /***************************************************************************
234 lookup_lsa_sids. Must be called as root for lookup_name to work.
235 ***************************************************************************/
236
237 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
238 struct lsa_RefDomainList *ref,
239 struct lsa_TranslatedSid3 *trans_sids,
240 uint32_t num_entries,
241 struct lsa_String *name,
242 int flags,
243 uint32 *pmapped_count)
244 {
245 uint32 mapped_count, i;
246
247 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
248
249 mapped_count = 0;
250 *pmapped_count = 0;
251
252 for (i = 0; i < num_entries; i++) {
253 DOM_SID sid;
254 uint32 rid;
255 int dom_idx;
256 const char *full_name;
257 const char *domain;
258 enum lsa_SidType type = SID_NAME_UNKNOWN;
259
260 ZERO_STRUCT(sid);
261
262 /* Split name into domain and user component */
263
264 full_name = name[i].string;
265 if (full_name == NULL) {
266 return NT_STATUS_NO_MEMORY;
267 }
268
269 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
270
271 /* We can ignore the result of lookup_name, it will not touch
272 "type" if it's not successful */
273
274 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
275 &sid, &type);
276
277 switch (type) {
278 case SID_NAME_USER:
279 case SID_NAME_DOM_GRP:
280 case SID_NAME_DOMAIN:
281 case SID_NAME_ALIAS:
282 case SID_NAME_WKN_GRP:
283 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
284 /* Leave these unchanged */
285 break;
286 default:
287 /* Don't hand out anything but the list above */
288 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
289 type = SID_NAME_UNKNOWN;
290 break;
291 }
292
293 rid = 0;
294 dom_idx = -1;
295
296 if (type != SID_NAME_UNKNOWN) {
297 DOM_SID domain_sid;
298 sid_copy(&domain_sid, &sid);
299 sid_split_rid(&domain_sid, &rid);
300 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
301 mapped_count++;
302 }
303
304 /* Initialize the lsa_TranslatedSid3 return. */
305 trans_sids[i].sid_type = type;
306 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
307 trans_sids[i].sid_index = dom_idx;
308 }
309
310 *pmapped_count = mapped_count;
311 return NT_STATUS_OK;
312 }
313
314 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size,
315 const struct generic_mapping *map,
316 DOM_SID *sid, uint32_t sid_access)
317 {
318 DOM_SID adm_sid;
319 SEC_ACE ace[5];
320 size_t i = 0;
321
322 SEC_ACL *psa = NULL;
323
324 /* READ|EXECUTE access for Everyone */
325
326 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
327 map->generic_execute | map->generic_read, 0);
328
329 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
330
331 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
332 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
333 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
334 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
335
336 /* Add Full Access for Domain Admins */
337 sid_copy(&adm_sid, get_global_sam_sid());
338 sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
339 init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
340 map->generic_all, 0);
341
342 /* If we have a sid, give it some special access */
343
344 if (sid) {
345 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
346 sid_access, 0);
347 }
348
349 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
350 return NT_STATUS_NO_MEMORY;
351
352 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
353 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
354 psa, sd_size)) == NULL)
355 return NT_STATUS_NO_MEMORY;
356
357 return NT_STATUS_OK;
358 }
359
360
361 /***************************************************************************
362 _lsa_OpenPolicy2
363 ***************************************************************************/
364
365 NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
366 struct lsa_OpenPolicy2 *r)
367 {
368 struct lsa_info *info;
369 SEC_DESC *psd = NULL;
370 size_t sd_size;
371 uint32 des_access = r->in.access_mask;
372 uint32 acc_granted;
373 NTSTATUS status;
374
375 /* Work out max allowed. */
376 map_max_allowed_access(p->server_info->ptok,
377 &p->server_info->utok,
378 &des_access);
379
380 /* map the generic bits to the lsa policy ones */
381 se_map_generic(&des_access, &lsa_policy_mapping);
382
383 /* get the generic lsa policy SD until we store it */
384 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
385 NULL, 0);
386 if (!NT_STATUS_IS_OK(status)) {
387 return status;
388 }
389
390 status = access_check_object(psd, p->server_info->ptok,
391 NULL, 0, des_access,
392 &acc_granted, "_lsa_OpenPolicy2" );
393 if (!NT_STATUS_IS_OK(status)) {
394 return status;
395 }
396
397 /* associate the domain SID with the (unique) handle. */
398 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
399 if (info == NULL) {
400 return NT_STATUS_NO_MEMORY;
401 }
402
403 sid_copy(&info->sid,get_global_sam_sid());
404 info->access = acc_granted;
405 info->type = LSA_HANDLE_POLICY_TYPE;
406
407 /* set up the LSA QUERY INFO response */
408 if (!create_policy_hnd(p, r->out.handle, info))
409 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
410
411 return NT_STATUS_OK;
412 }
413
414 /***************************************************************************
415 _lsa_OpenPolicy
416 ***************************************************************************/
417
418 NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
419 struct lsa_OpenPolicy *r)
420 {
421 struct lsa_OpenPolicy2 o;
422
423 o.in.system_name = NULL; /* should be ignored */
424 o.in.attr = r->in.attr;
425 o.in.access_mask = r->in.access_mask;
426
427 o.out.handle = r->out.handle;
428
429 return _lsa_OpenPolicy2(p, &o);
430 }
431
432 /***************************************************************************
433 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
434 ufff, done :) mimir
435 ***************************************************************************/
436
437 NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
438 struct lsa_EnumTrustDom *r)
439 {
440 struct lsa_info *info;
441 uint32_t count;
442 struct trustdom_info **domains;
443 struct lsa_DomainInfo *entries;
444 int i;
445 NTSTATUS nt_status;
446
447 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
448 return NT_STATUS_INVALID_HANDLE;
449
450 if (info->type != LSA_HANDLE_POLICY_TYPE) {
451 return NT_STATUS_INVALID_HANDLE;
452 }
453
454 /* check if the user has enough rights */
455 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
456 return NT_STATUS_ACCESS_DENIED;
457
458 become_root();
459 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &count, &domains);
460 unbecome_root();
461
462 if (!NT_STATUS_IS_OK(nt_status)) {
463 return nt_status;
464 }
465
466 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo, count);
467 if (!entries) {
468 return NT_STATUS_NO_MEMORY;
469 }
470
471 for (i=0; i<count; i++) {
472 init_lsa_StringLarge(&entries[i].name, domains[i]->name);
473 entries[i].sid = &domains[i]->sid;
474 }
475
476 if (*r->in.resume_handle >= count) {
477 *r->out.resume_handle = -1;
478 TALLOC_FREE(entries);
479 return NT_STATUS_NO_MORE_ENTRIES;
480 }
481
482 /* return the rest, limit by max_size. Note that we
483 use the w2k3 element size value of 60 */
484 r->out.domains->count = count - *r->in.resume_handle;
485 r->out.domains->count = MIN(r->out.domains->count,
486 1+(r->in.max_size/LSA_ENUM_TRUST_DOMAIN_MULTIPLIER));
487
488 r->out.domains->domains = entries + *r->in.resume_handle;
489
490 if (r->out.domains->count < count - *r->in.resume_handle) {
491 *r->out.resume_handle = *r->in.resume_handle + r->out.domains->count;
492 return STATUS_MORE_ENTRIES;
493 }
494
495 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
496 * always be larger than the previous input resume handle, in
497 * particular when hitting the last query it is vital to set the
498 * resume handle correctly to avoid infinite client loops, as
499 * seen e.g. with Windows XP SP3 when resume handle is 0 and
500 * status is NT_STATUS_OK - gd */
501
502 *r->out.resume_handle = (uint32_t)-1;
503
504 return NT_STATUS_OK;
505 }
506
507 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
508 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
509 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
510
511 /***************************************************************************
512 _lsa_QueryInfoPolicy
513 ***************************************************************************/
514
515 NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
516 struct lsa_QueryInfoPolicy *r)
517 {
518 NTSTATUS status = NT_STATUS_OK;
519 struct lsa_info *handle;
520 DOM_SID domain_sid;
521 const char *name;
522 DOM_SID *sid = NULL;
523 union lsa_PolicyInformation *info = NULL;
524 uint32_t acc_required = 0;
525
526 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
527 return NT_STATUS_INVALID_HANDLE;
528
529 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
530 return NT_STATUS_INVALID_HANDLE;
531 }
532
533 switch (r->in.level) {
534 case LSA_POLICY_INFO_AUDIT_LOG:
535 case LSA_POLICY_INFO_AUDIT_EVENTS:
536 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
537 break;
538 case LSA_POLICY_INFO_DOMAIN:
539 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
540 break;
541 case LSA_POLICY_INFO_PD:
542 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
543 break;
544 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
545 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
546 break;
547 case LSA_POLICY_INFO_ROLE:
548 case LSA_POLICY_INFO_REPLICA:
549 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
550 break;
551 case LSA_POLICY_INFO_QUOTA:
552 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
553 break;
554 case LSA_POLICY_INFO_MOD:
555 case LSA_POLICY_INFO_AUDIT_FULL_SET:
556 /* according to MS-LSAD 3.1.4.4.3 */
557 return NT_STATUS_INVALID_PARAMETER;
558 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
559 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
560 break;
561 case LSA_POLICY_INFO_DNS:
562 case LSA_POLICY_INFO_DNS_INT:
563 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
564 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
565 break;
566 default:
567 break;
568 }
569
570 if (!(handle->access & acc_required)) {
571 /* return NT_STATUS_ACCESS_DENIED; */
572 }
573
574 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
575 if (!info) {
576 return NT_STATUS_NO_MEMORY;
577 }
578
579 switch (r->in.level) {
580 case LSA_POLICY_INFO_AUDIT_EVENTS:
581 {
582
583 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
584
585 /* check if the user has enough rights */
586 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
587 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
588 return NT_STATUS_ACCESS_DENIED;
589 }
590
591 /* fake info: We audit everything. ;) */
592
593 info->audit_events.auditing_mode = true;
594 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
595 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
596 enum lsa_PolicyAuditPolicy,
597 info->audit_events.count);
598 if (!info->audit_events.settings) {
599 return NT_STATUS_NO_MEMORY;
600 }
601
602 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
603 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
604 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
605 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
606 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
607 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
608 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
609
610 break;
611 }
612 case LSA_POLICY_INFO_DOMAIN:
613 /* check if the user has enough rights */
614 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
615 return NT_STATUS_ACCESS_DENIED;
616
617 /* Request PolicyPrimaryDomainInformation. */
618 switch (lp_server_role()) {
619 case ROLE_DOMAIN_PDC:
620 case ROLE_DOMAIN_BDC:
621 name = get_global_sam_name();
622 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
623 if (!sid) {
624 return NT_STATUS_NO_MEMORY;
625 }
626 break;
627 case ROLE_DOMAIN_MEMBER:
628 name = lp_workgroup();
629 /* We need to return the Domain SID here. */
630 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
631 sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
632 if (!sid) {
633 return NT_STATUS_NO_MEMORY;
634 }
635 } else {
636 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
637 }
638 break;
639 case ROLE_STANDALONE:
640 name = lp_workgroup();
641 sid = NULL;
642 break;
643 default:
644 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
645 }
646 init_dom_query_3(&info->domain, name, sid);
647 break;
648 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
649 /* check if the user has enough rights */
650 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
651 return NT_STATUS_ACCESS_DENIED;
652
653 /* Request PolicyAccountDomainInformation. */
654 name = get_global_sam_name();
655 sid = get_global_sam_sid();
656
657 init_dom_query_5(&info->account_domain, name, sid);
658 break;
659 case LSA_POLICY_INFO_ROLE:
660 /* check if the user has enough rights */
661 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
662 return NT_STATUS_ACCESS_DENIED;
663
664 switch (lp_server_role()) {
665 case ROLE_DOMAIN_BDC:
666 /*
667 * only a BDC is a backup controller
668 * of the domain, it controls.
669 */
670 info->role.role = LSA_ROLE_BACKUP;
671 break;
672 default:
673 /*
674 * any other role is a primary
675 * of the domain, it controls.
676 */
677 info->role.role = LSA_ROLE_PRIMARY;
678 break;
679 }
680 break;
681 case LSA_POLICY_INFO_DNS:
682 case LSA_POLICY_INFO_DNS_INT: {
683 struct pdb_domain_info *dominfo;
684
685 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
686 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
687 "without ADS passdb backend\n"));
688 status = NT_STATUS_INVALID_INFO_CLASS;
689 break;
690 }
691
692 dominfo = pdb_get_domain_info(info);
693 if (dominfo == NULL) {
694 status = NT_STATUS_NO_MEMORY;
695 break;
696 }
697
698 init_lsa_StringLarge(&info->dns.name,
699 dominfo->name);
700 init_lsa_StringLarge(&info->dns.dns_domain,
701 dominfo->dns_domain);
702 init_lsa_StringLarge(&info->dns.dns_forest,
703 dominfo->dns_forest);
704 info->dns.domain_guid = dominfo->guid;
705 info->dns.sid = &dominfo->sid;
706 break;
707 }
708 default:
709 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
710 r->in.level));
711 status = NT_STATUS_INVALID_INFO_CLASS;
712 break;
713 }
714
715 *r->out.info = info;
716
717 return status;
718 }
719
720 /***************************************************************************
721 _lsa_QueryInfoPolicy2
722 ***************************************************************************/
723
724 NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p,
725 struct lsa_QueryInfoPolicy2 *r2)
726 {
727 struct lsa_QueryInfoPolicy r;
728
729 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
730 p->rng_fault_state = True;
731 return NT_STATUS_NOT_IMPLEMENTED;
732 }
733
734 ZERO_STRUCT(r);
735 r.in.handle = r2->in.handle;
736 r.in.level = r2->in.level;
737 r.out.info = r2->out.info;
738
739 return _lsa_QueryInfoPolicy(p, &r);
740 }
741
742 /***************************************************************************
743 _lsa_lookup_sids_internal
744 ***************************************************************************/
745
746 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
747 TALLOC_CTX *mem_ctx,
748 uint16_t level, /* input */
749 int num_sids, /* input */
750 struct lsa_SidPtr *sid, /* input */
751 struct lsa_RefDomainList **pp_ref, /* input/output */
752 struct lsa_TranslatedName2 **pp_names,/* input/output */
753 uint32_t *pp_mapped_count) /* input/output */
754 {
755 NTSTATUS status;
756 int i;
757 const DOM_SID **sids = NULL;
758 struct lsa_RefDomainList *ref = NULL;
759 uint32 mapped_count = 0;
760 struct lsa_dom_info *dom_infos = NULL;
761 struct lsa_name_info *name_infos = NULL;
762 struct lsa_TranslatedName2 *names = NULL;
763
764 *pp_mapped_count = 0;
765 *pp_names = NULL;
766 *pp_ref = NULL;
767
768 if (num_sids == 0) {
769 return NT_STATUS_OK;
770 }
771
772 sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
773 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
774
775 if (sids == NULL || ref == NULL) {
776 return NT_STATUS_NO_MEMORY;
777 }
778
779 for (i=0; i<num_sids; i++) {
780 sids[i] = sid[i].sid;
781 }
782
783 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
784 &dom_infos, &name_infos);
785
786 if (!NT_STATUS_IS_OK(status)) {
787 return status;
788 }
789
790 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
791 if (names == NULL) {
792 return NT_STATUS_NO_MEMORY;
793 }
794
795 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
796
797 if (!dom_infos[i].valid) {
798 break;
799 }
800
801 if (init_lsa_ref_domain_list(mem_ctx, ref,
802 dom_infos[i].name,
803 &dom_infos[i].sid) != i) {
804 DEBUG(0, ("Domain %s mentioned twice??\n",
805 dom_infos[i].name));
806 return NT_STATUS_INTERNAL_ERROR;
807 }
808 }
809
810 for (i=0; i<num_sids; i++) {
811 struct lsa_name_info *name = &name_infos[i];
812
813 if (name->type == SID_NAME_UNKNOWN) {
814 fstring tmp;
815 name->dom_idx = -1;
816 /* Unknown sids should return the string
817 * representation of the SID. Windows 2003 behaves
818 * rather erratic here, in many cases it returns the
819 * RID as 8 bytes hex, in others it returns the full
820 * SID. We (Jerry/VL) could not figure out which the
821 * hard cases are, so leave it with the SID. */
822 name->name = talloc_asprintf(p->mem_ctx, "%s",
823 sid_to_fstring(tmp,
824 sids[i]));
825 if (name->name == NULL) {
826 return NT_STATUS_NO_MEMORY;
827 }
828 } else {
829 mapped_count += 1;
830 }
831
832 names[i].sid_type = name->type;
833 names[i].name.string = name->name;
834 names[i].sid_index = name->dom_idx;
835 names[i].unknown = 0;
836 }
837
838 status = NT_STATUS_NONE_MAPPED;
839 if (mapped_count > 0) {
840 status = (mapped_count < num_sids) ?
841 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
842 }
843
844 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
845 num_sids, mapped_count, nt_errstr(status)));
846
847 *pp_mapped_count = mapped_count;
848 *pp_names = names;
849 *pp_ref = ref;
850
851 return status;
852 }
853
854 /***************************************************************************
855 _lsa_LookupSids
856 ***************************************************************************/
857
858 NTSTATUS _lsa_LookupSids(pipes_struct *p,
859 struct lsa_LookupSids *r)
860 {
861 NTSTATUS status;
862 struct lsa_info *handle;
863 int num_sids = r->in.sids->num_sids;
864 uint32 mapped_count = 0;
865 struct lsa_RefDomainList *domains = NULL;
866 struct lsa_TranslatedName *names_out = NULL;
867 struct lsa_TranslatedName2 *names = NULL;
868 int i;
869
870 if ((r->in.level < 1) || (r->in.level > 6)) {
871 return NT_STATUS_INVALID_PARAMETER;
872 }
873
874 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
875 return NT_STATUS_INVALID_HANDLE;
876 }
877
878 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
879 return NT_STATUS_INVALID_HANDLE;
880 }
881
882 /* check if the user has enough rights */
883 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
884 return NT_STATUS_ACCESS_DENIED;
885 }
886
887 if (num_sids > MAX_LOOKUP_SIDS) {
888 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
889 MAX_LOOKUP_SIDS, num_sids));
890 return NT_STATUS_NONE_MAPPED;
891 }
892
893 status = _lsa_lookup_sids_internal(p,
894 p->mem_ctx,
895 r->in.level,
896 num_sids,
897 r->in.sids->sids,
898 &domains,
899 &names,
900 &mapped_count);
901
902 /* Only return here when there is a real error.
903 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
904 the requested sids could be resolved. Older versions of XP (pre SP3)
905 rely that we return with the string representations of those SIDs in
906 that case. If we don't, XP crashes - Guenther
907 */
908
909 if (NT_STATUS_IS_ERR(status) &&
910 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
911 return status;
912 }
913
914 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
915 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
916 num_sids);
917 if (!names_out) {
918 return NT_STATUS_NO_MEMORY;
919 }
920
921 for (i=0; i<num_sids; i++) {
922 names_out[i].sid_type = names[i].sid_type;
923 names_out[i].name = names[i].name;
924 names_out[i].sid_index = names[i].sid_index;
925 }
926
927 *r->out.domains = domains;
928 r->out.names->count = num_sids;
929 r->out.names->names = names_out;
930 *r->out.count = mapped_count;
931
932 return status;
933 }
934
935 /***************************************************************************
936 _lsa_LookupSids2
937 ***************************************************************************/
938
939 NTSTATUS _lsa_LookupSids2(pipes_struct *p,
940 struct lsa_LookupSids2 *r)
941 {
942 NTSTATUS status;
943 struct lsa_info *handle;
944 int num_sids = r->in.sids->num_sids;
945 uint32 mapped_count = 0;
946 struct lsa_RefDomainList *domains = NULL;
947 struct lsa_TranslatedName2 *names = NULL;
948 bool check_policy = true;
949
950 switch (p->hdr_req.opnum) {
951 case NDR_LSA_LOOKUPSIDS3:
952 check_policy = false;
953 break;
954 case NDR_LSA_LOOKUPSIDS2:
955 default:
956 check_policy = true;
957 }
958
959 if ((r->in.level < 1) || (r->in.level > 6)) {
960 return NT_STATUS_INVALID_PARAMETER;
961 }
962
963 if (check_policy) {
964 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
965 return NT_STATUS_INVALID_HANDLE;
966 }
967
968 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
969 return NT_STATUS_INVALID_HANDLE;
970 }
971
972 /* check if the user has enough rights */
973 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
974 return NT_STATUS_ACCESS_DENIED;
975 }
976 }
977
978 if (num_sids > MAX_LOOKUP_SIDS) {
979 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
980 MAX_LOOKUP_SIDS, num_sids));
981 return NT_STATUS_NONE_MAPPED;
982 }
983
984 status = _lsa_lookup_sids_internal(p,
985 p->mem_ctx,
986 r->in.level,
987 num_sids,
988 r->in.sids->sids,
989 &domains,
990 &names,
991 &mapped_count);
992
993 *r->out.domains = domains;
994 r->out.names->count = num_sids;
995 r->out.names->names = names;
996 *r->out.count = mapped_count;
997
998 return status;
999 }
1000
1001 /***************************************************************************
1002 _lsa_LookupSids3
1003 ***************************************************************************/
1004
1005 NTSTATUS _lsa_LookupSids3(pipes_struct *p,
1006 struct lsa_LookupSids3 *r)
1007 {
1008 struct lsa_LookupSids2 q;
1009
1010 /* No policy handle on this call. Restrict to crypto connections. */
1011 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1012 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
1013 get_remote_machine_name() ));
1014 return NT_STATUS_INVALID_PARAMETER;
1015 }
1016
1017 q.in.handle = NULL;
1018 q.in.sids = r->in.sids;
1019 q.in.level = r->in.level;
1020 q.in.lookup_options = r->in.lookup_options;
1021 q.in.client_revision = r->in.client_revision;
1022 q.in.names = r->in.names;
1023 q.in.count = r->in.count;
1024
1025 q.out.domains = r->out.domains;
1026 q.out.names = r->out.names;
1027 q.out.count = r->out.count;
1028
1029 return _lsa_LookupSids2(p, &q);
1030 }
1031
1032 /***************************************************************************
1033 ***************************************************************************/
1034
1035 static int lsa_lookup_level_to_flags(enum lsa_LookupNamesLevel level)
1036 {
1037 int flags;
1038
1039 switch (level) {
1040 case LSA_LOOKUP_NAMES_ALL: /* 1 */
1041 flags = LOOKUP_NAME_ALL;
1042 break;
1043 case LSA_LOOKUP_NAMES_DOMAINS_ONLY: /* 2 */
1044 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1045 break;
1046 case LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY: /* 3 */
1047 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1048 break;
1049 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY: /* 4 */
1050 case LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY: /* 5 */
1051 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2: /* 6 */
1052 case LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC: /* 7 */
1053 default:
1054 flags = LOOKUP_NAME_NONE;
1055 break;
1056 }
1057
1058 return flags;
1059 }
1060
1061 /***************************************************************************
1062 _lsa_LookupNames
1063 ***************************************************************************/
1064
1065 NTSTATUS _lsa_LookupNames(pipes_struct *p,
1066 struct lsa_LookupNames *r)
1067 {
1068 NTSTATUS status = NT_STATUS_NONE_MAPPED;
1069 struct lsa_info *handle;
1070 struct lsa_String *names = r->in.names;
1071 uint32 num_entries = r->in.num_names;
1072 struct lsa_RefDomainList *domains = NULL;
1073 struct lsa_TranslatedSid *rids = NULL;
1074 uint32 mapped_count = 0;
1075 int flags = 0;
1076
1077 if (num_entries > MAX_LOOKUP_SIDS) {
1078 num_entries = MAX_LOOKUP_SIDS;
1079 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1080 num_entries));
1081 }
1082
1083 flags = lsa_lookup_level_to_flags(r->in.level);
1084
1085 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1086 if (!domains) {
1087 return NT_STATUS_NO_MEMORY;
1088 }
1089
1090 if (num_entries) {
1091 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1092 num_entries);
1093 if (!rids) {
1094 return NT_STATUS_NO_MEMORY;
1095 }
1096 } else {
1097 rids = NULL;
1098 }
1099
1100 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1101 status = NT_STATUS_INVALID_HANDLE;
1102 goto done;
1103 }
1104
1105 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1106 return NT_STATUS_INVALID_HANDLE;
1107 }
1108
1109 /* check if the user has enough rights */
1110 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1111 status = NT_STATUS_ACCESS_DENIED;
1112 goto done;
1113 }
1114
1115 /* set up the LSA Lookup RIDs response */
1116 become_root(); /* lookup_name can require root privs */
1117 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1118 names, flags, &mapped_count);
1119 unbecome_root();
1120
1121 done:
1122
1123 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1124 if (mapped_count == 0) {
1125 status = NT_STATUS_NONE_MAPPED;
1126 } else if (mapped_count != num_entries) {
1127 status = STATUS_SOME_UNMAPPED;
1128 }
1129 }
1130
1131 *r->out.count = mapped_count;
1132 *r->out.domains = domains;
1133 r->out.sids->sids = rids;
1134 r->out.sids->count = num_entries;
1135
1136 return status;
1137 }
1138
1139 /***************************************************************************
1140 _lsa_LookupNames2
1141 ***************************************************************************/
1142
1143 NTSTATUS _lsa_LookupNames2(pipes_struct *p,
1144 struct lsa_LookupNames2 *r)
1145 {
1146 NTSTATUS status;
1147 struct lsa_LookupNames q;
1148 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1149 struct lsa_TransSidArray *sid_array = NULL;
1150 uint32_t i;
1151
1152 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1153 if (!sid_array) {
1154 return NT_STATUS_NO_MEMORY;
1155 }
1156
1157 q.in.handle = r->in.handle;
1158 q.in.num_names = r->in.num_names;
1159 q.in.names = r->in.names;
1160 q.in.level = r->in.level;
1161 q.in.sids = sid_array;
1162 q.in.count = r->in.count;
1163 /* we do not know what this is for */
1164 /* = r->in.unknown1; */
1165 /* = r->in.unknown2; */
1166
1167 q.out.domains = r->out.domains;
1168 q.out.sids = sid_array;
1169 q.out.count = r->out.count;
1170
1171 status = _lsa_LookupNames(p, &q);
1172
1173 sid_array2->count = sid_array->count;
1174 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1175 if (!sid_array2->sids) {
1176 return NT_STATUS_NO_MEMORY;
1177 }
1178
1179 for (i=0; i<sid_array->count; i++) {
1180 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1181 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1182 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1183 sid_array2->sids[i].unknown = 0;
1184 }
1185
1186 r->out.sids = sid_array2;
1187
1188 return status;
1189 }
1190
1191 /***************************************************************************
1192 _lsa_LookupNames3
1193 ***************************************************************************/
1194
1195 NTSTATUS _lsa_LookupNames3(pipes_struct *p,
1196 struct lsa_LookupNames3 *r)
1197 {
1198 NTSTATUS status;
1199 struct lsa_info *handle;
1200 struct lsa_String *names = r->in.names;
1201 uint32 num_entries = r->in.num_names;
1202 struct lsa_RefDomainList *domains = NULL;
1203 struct lsa_TranslatedSid3 *trans_sids = NULL;
1204 uint32 mapped_count = 0;
1205 int flags = 0;
1206 bool check_policy = true;
1207
1208 switch (p->hdr_req.opnum) {
1209 case NDR_LSA_LOOKUPNAMES4:
1210 check_policy = false;
1211 break;
1212 case NDR_LSA_LOOKUPNAMES3:
1213 default:
1214 check_policy = true;
1215 }
1216
1217 if (num_entries > MAX_LOOKUP_SIDS) {
1218 num_entries = MAX_LOOKUP_SIDS;
1219 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1220 }
1221
1222 /* Probably the lookup_level is some sort of bitmask. */
1223 if (r->in.level == 1) {
1224 flags = LOOKUP_NAME_ALL;
1225 }
1226
1227 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1228 if (!domains) {
1229 return NT_STATUS_NO_MEMORY;
1230 }
1231
1232 if (num_entries) {
1233 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1234 num_entries);
1235 if (!trans_sids) {
1236 return NT_STATUS_NO_MEMORY;
1237 }
1238 } else {
1239 trans_sids = NULL;
1240 }
1241
1242 if (check_policy) {
1243
1244 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1245 status = NT_STATUS_INVALID_HANDLE;
1246 goto done;
1247 }
1248
1249 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1250 return NT_STATUS_INVALID_HANDLE;
1251 }
1252
1253 /* check if the user has enough rights */
1254 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1255 status = NT_STATUS_ACCESS_DENIED;
1256 goto done;
1257 }
1258 }
1259
1260 /* set up the LSA Lookup SIDs response */
1261 become_root(); /* lookup_name can require root privs */
1262 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1263 names, flags, &mapped_count);
1264 unbecome_root();
1265
1266 done:
1267
1268 if (NT_STATUS_IS_OK(status)) {
1269 if (mapped_count == 0) {
1270 status = NT_STATUS_NONE_MAPPED;
1271 } else if (mapped_count != num_entries) {
1272 status = STATUS_SOME_UNMAPPED;
1273 }
1274 }
1275
1276 *r->out.count = mapped_count;
1277 *r->out.domains = domains;
1278 r->out.sids->sids = trans_sids;
1279 r->out.sids->count = num_entries;
1280
1281 return status;
1282 }
1283
1284 /***************************************************************************
1285 _lsa_LookupNames4
1286 ***************************************************************************/
1287
1288 NTSTATUS _lsa_LookupNames4(pipes_struct *p,
1289 struct lsa_LookupNames4 *r)
1290 {
1291 struct lsa_LookupNames3 q;
1292
1293 /* No policy handle on this call. Restrict to crypto connections. */
1294 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1295 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1296 get_remote_machine_name() ));
1297 return NT_STATUS_INVALID_PARAMETER;
1298 }
1299
1300 q.in.handle = NULL;
1301 q.in.num_names = r->in.num_names;
1302 q.in.names = r->in.names;
1303 q.in.level = r->in.level;
1304 q.in.lookup_options = r->in.lookup_options;
1305 q.in.client_revision = r->in.client_revision;
1306 q.in.sids = r->in.sids;
1307 q.in.count = r->in.count;
1308
1309 q.out.domains = r->out.domains;
1310 q.out.sids = r->out.sids;
1311 q.out.count = r->out.count;
1312
1313 return _lsa_LookupNames3(p, &q);
1314 }
1315
1316 /***************************************************************************
1317 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1318 ***************************************************************************/
1319
1320 NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
1321 {
1322 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1323 return NT_STATUS_INVALID_HANDLE;
1324 }
1325
1326 close_policy_hnd(p, r->in.handle);
1327 ZERO_STRUCTP(r->out.handle);
1328 return NT_STATUS_OK;
1329 }
1330
1331 /***************************************************************************
1332 ***************************************************************************/
1333
1334 NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
1335 {
1336 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1337 }
1338
1339 /***************************************************************************
1340 ***************************************************************************/
1341
1342 NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
1343 {
1344 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1345 }
1346
1347 /***************************************************************************
1348 ***************************************************************************/
1349
1350 NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
1351 {
1352 return NT_STATUS_ACCESS_DENIED;
1353 }
1354
1355 /***************************************************************************
1356 ***************************************************************************/
1357
1358 NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
1359 {
1360 return NT_STATUS_ACCESS_DENIED;
1361 }
1362
1363 /***************************************************************************
1364 ***************************************************************************/
1365
1366 NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
1367 {
1368 return NT_STATUS_ACCESS_DENIED;
1369 }
1370
1371 /***************************************************************************
1372 _lsa_DeleteObject
1373 ***************************************************************************/
1374
1375 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
1376 struct lsa_DeleteObject *r)
1377 {
1378 NTSTATUS status;
1379 struct lsa_info *info = NULL;
1380
1381 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1382 return NT_STATUS_INVALID_HANDLE;
1383 }
1384
1385 if (!(info->access & STD_RIGHT_DELETE_ACCESS)) {
1386 return NT_STATUS_ACCESS_DENIED;
1387 }
1388
1389 switch (info->type) {
1390 case LSA_HANDLE_ACCOUNT_TYPE:
1391 status = privilege_delete_account(&info->sid);
1392 if (!NT_STATUS_IS_OK(status)) {
1393 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1394 nt_errstr(status)));
1395 return status;
1396 }
1397 break;
1398 default:
1399 return NT_STATUS_INVALID_HANDLE;
1400 }
1401
1402 close_policy_hnd(p, r->in.handle);
1403 ZERO_STRUCTP(r->out.handle);
1404
1405 return status;
1406 }
1407
1408 /***************************************************************************
1409 _lsa_EnumPrivs
1410 ***************************************************************************/
1411
1412 NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
1413 struct lsa_EnumPrivs *r)
1414 {
1415 struct lsa_info *handle;
1416 uint32 i;
1417 uint32 enum_context = *r->in.resume_handle;
1418 int num_privs = count_all_privileges();
1419 struct lsa_PrivEntry *entries = NULL;
1420 LUID_ATTR luid;
1421
1422 /* remember that the enum_context starts at 0 and not 1 */
1423
1424 if ( enum_context >= num_privs )
1425 return NT_STATUS_NO_MORE_ENTRIES;
1426
1427 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1428 enum_context, num_privs));
1429
1430 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1431 return NT_STATUS_INVALID_HANDLE;
1432
1433 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1434 return NT_STATUS_INVALID_HANDLE;
1435 }
1436
1437 /* check if the user has enough rights
1438 I don't know if it's the right one. not documented. */
1439
1440 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1441 return NT_STATUS_ACCESS_DENIED;
1442
1443 if (num_privs) {
1444 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1445 if (!entries) {
1446 return NT_STATUS_NO_MEMORY;
1447 }
1448 } else {
1449 entries = NULL;
1450 }
1451
1452 for (i = 0; i < num_privs; i++) {
1453 if( i < enum_context) {
1454
1455 init_lsa_StringLarge(&entries[i].name, NULL);
1456
1457 entries[i].luid.low = 0;
1458 entries[i].luid.high = 0;
1459 } else {
1460
1461 init_lsa_StringLarge(&entries[i].name, privs[i].name);
1462
1463 luid = get_privilege_luid( &privs[i].se_priv );
1464
1465 entries[i].luid.low = luid.luid.low;
1466 entries[i].luid.high = luid.luid.high;
1467 }
1468 }
1469
1470 enum_context = num_privs;
1471
1472 *r->out.resume_handle = enum_context;
1473 r->out.privs->count = num_privs;
1474 r->out.privs->privs = entries;
1475
1476 return NT_STATUS_OK;
1477 }
1478
1479 /***************************************************************************
1480 _lsa_LookupPrivDisplayName
1481 ***************************************************************************/
1482
1483 NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
1484 struct lsa_LookupPrivDisplayName *r)
1485 {
1486 struct lsa_info *handle;
1487 const char *description;
1488 struct lsa_StringLarge *lsa_name;
1489
1490 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1491 return NT_STATUS_INVALID_HANDLE;
1492
1493 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1494 return NT_STATUS_INVALID_HANDLE;
1495 }
1496
1497 /* check if the user has enough rights */
1498
1499 /*
1500 * I don't know if it's the right one. not documented.
1501 */
1502 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1503 return NT_STATUS_ACCESS_DENIED;
1504
1505 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1506
1507 description = get_privilege_dispname(r->in.name->string);
1508 if (!description) {
1509 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1510 return NT_STATUS_NO_SUCH_PRIVILEGE;
1511 }
1512
1513 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1514
1515 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1516 if (!lsa_name) {
1517 return NT_STATUS_NO_MEMORY;
1518 }
1519
1520 init_lsa_StringLarge(lsa_name, description);
1521
1522 *r->out.returned_language_id = r->in.language_id;
1523 *r->out.disp_name = lsa_name;
1524
1525 return NT_STATUS_OK;
1526 }
1527
1528 /***************************************************************************
1529 _lsa_EnumAccounts
1530 ***************************************************************************/
1531
1532 NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
1533 struct lsa_EnumAccounts *r)
1534 {
1535 struct lsa_info *handle;
1536 DOM_SID *sid_list;
1537 int i, j, num_entries;
1538 NTSTATUS status;
1539 struct lsa_SidPtr *sids = NULL;
1540
1541 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1542 return NT_STATUS_INVALID_HANDLE;
1543
1544 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1545 return NT_STATUS_INVALID_HANDLE;
1546 }
1547
1548 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1549 return NT_STATUS_ACCESS_DENIED;
1550
1551 sid_list = NULL;
1552 num_entries = 0;
1553
1554 /* The only way we can currently find out all the SIDs that have been
1555 privileged is to scan all privileges */
1556
1557 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1558 if (!NT_STATUS_IS_OK(status)) {
1559 return status;
1560 }
1561
1562 if (*r->in.resume_handle >= num_entries) {
1563 return NT_STATUS_NO_MORE_ENTRIES;
1564 }
1565
1566 if (num_entries - *r->in.resume_handle) {
1567 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1568 num_entries - *r->in.resume_handle);
1569 if (!sids) {
1570 talloc_free(sid_list);
1571 return NT_STATUS_NO_MEMORY;
1572 }
1573
1574 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1575 sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1576 if (!sids[j].sid) {
1577 talloc_free(sid_list);
1578 return NT_STATUS_NO_MEMORY;
1579 }
1580 }
1581 }
1582
1583 talloc_free(sid_list);
1584
1585 *r->out.resume_handle = num_entries;
1586 r->out.sids->num_sids = num_entries;
1587 r->out.sids->sids = sids;
1588
1589 return NT_STATUS_OK;
1590 }
1591
1592 /***************************************************************************
1593 _lsa_GetUserName
1594 ***************************************************************************/
1595
1596 NTSTATUS _lsa_GetUserName(pipes_struct *p,
1597 struct lsa_GetUserName *r)
1598 {
1599 const char *username, *domname;
1600 struct lsa_String *account_name = NULL;
1601 struct lsa_String *authority_name = NULL;
1602
1603 if (r->in.account_name &&
1604 *r->in.account_name) {
1605 return NT_STATUS_INVALID_PARAMETER;
1606 }
1607
1608 if (r->in.authority_name &&
1609 *r->in.authority_name) {
1610 return NT_STATUS_INVALID_PARAMETER;
1611 }
1612
1613 if (p->server_info->guest) {
1614 /*
1615 * I'm 99% sure this is not the right place to do this,
1616 * global_sid_Anonymous should probably be put into the token
1617 * instead of the guest id -- vl
1618 */
1619 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1620 &domname, &username, NULL)) {
1621 return NT_STATUS_NO_MEMORY;
1622 }
1623 } else {
1624 username = p->server_info->sanitized_username;
1625 domname = pdb_get_domain(p->server_info->sam_account);
1626 }
1627
1628 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1629 if (!account_name) {
1630 return NT_STATUS_NO_MEMORY;
1631 }
1632 init_lsa_String(account_name, username);
1633
1634 if (r->out.authority_name) {
1635 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1636 if (!authority_name) {
1637 return NT_STATUS_NO_MEMORY;
1638 }
1639 init_lsa_String(authority_name, domname);
1640 }
1641
1642 *r->out.account_name = account_name;
1643 if (r->out.authority_name) {
1644 *r->out.authority_name = authority_name;
1645 }
1646
1647 return NT_STATUS_OK;
1648 }
1649
1650 /***************************************************************************
1651 _lsa_CreateAccount
1652 ***************************************************************************/
1653
1654 NTSTATUS _lsa_CreateAccount(pipes_struct *p,
1655 struct lsa_CreateAccount *r)
1656 {
1657 NTSTATUS status;
1658 struct lsa_info *handle;
1659 struct lsa_info *info;
1660 uint32_t acc_granted;
1661 struct security_descriptor *psd;
1662 size_t sd_size;
1663
1664 /* find the connection policy handle. */
1665 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1666 return NT_STATUS_INVALID_HANDLE;
1667
1668 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1669 return NT_STATUS_INVALID_HANDLE;
1670 }
1671
1672 /* check if the user has enough rights */
1673
1674 if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
1675 return NT_STATUS_ACCESS_DENIED;
1676 }
1677
1678 /* Work out max allowed. */
1679 map_max_allowed_access(p->server_info->ptok,
1680 &p->server_info->utok,
1681 &r->in.access_mask);
1682
1683 /* map the generic bits to the lsa policy ones */
1684 se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1685
1686 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1687 &lsa_account_mapping,
1688 r->in.sid, LSA_POLICY_ALL_ACCESS);
1689 if (!NT_STATUS_IS_OK(status)) {
1690 return status;
1691 }
1692
1693 status = access_check_object(psd, p->server_info->ptok,
1694 NULL, 0, r->in.access_mask,
1695 &acc_granted, "_lsa_CreateAccount");
1696 if (!NT_STATUS_IS_OK(status)) {
1697 return status;
1698 }
1699
1700 if ( is_privileged_sid( r->in.sid ) )
1701 return NT_STATUS_OBJECT_NAME_COLLISION;
1702
1703 /* associate the user/group SID with the (unique) handle. */
1704
1705 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1706 if (info == NULL) {
1707 return NT_STATUS_NO_MEMORY;
1708 }
1709
1710 info->sid = *r->in.sid;
1711 info->access = acc_granted;
1712 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1713
1714 /* get a (unique) handle. open a policy on it. */
1715 if (!create_policy_hnd(p, r->out.acct_handle, info))
1716 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1717
1718 return privilege_create_account( &info->sid );
1719 }
1720
1721 /***************************************************************************
1722 _lsa_OpenAccount
1723 ***************************************************************************/
1724
1725 NTSTATUS _lsa_OpenAccount(pipes_struct *p,
1726 struct lsa_OpenAccount *r)
1727 {
1728 struct lsa_info *handle;
1729 struct lsa_info *info;
1730 SEC_DESC *psd = NULL;
1731 size_t sd_size;
1732 uint32_t des_access = r->in.access_mask;
1733 uint32_t acc_granted;
1734 NTSTATUS status;
1735
1736 /* find the connection policy handle. */
1737 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1738 return NT_STATUS_INVALID_HANDLE;
1739
1740 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1741 return NT_STATUS_INVALID_HANDLE;
1742 }
1743
1744 /* des_access is for the account here, not the policy
1745 * handle - so don't check against policy handle. */
1746
1747 /* Work out max allowed. */
1748 map_max_allowed_access(p->server_info->ptok,
1749 &p->server_info->utok,
1750 &des_access);
1751
1752 /* map the generic bits to the lsa account ones */
1753 se_map_generic(&des_access, &lsa_account_mapping);
1754
1755 /* get the generic lsa account SD until we store it */
1756 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1757 &lsa_account_mapping,
1758 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1759 if (!NT_STATUS_IS_OK(status)) {
1760 return status;
1761 }
1762
1763 status = access_check_object(psd, p->server_info->ptok,
1764 NULL, 0, des_access,
1765 &acc_granted, "_lsa_OpenAccount" );
1766 if (!NT_STATUS_IS_OK(status)) {
1767 return status;
1768 }
1769
1770 /* TODO: Fis the parsing routine before reenabling this check! */
1771 #if 0
1772 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1773 return NT_STATUS_ACCESS_DENIED;
1774 #endif
1775 /* associate the user/group SID with the (unique) handle. */
1776 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1777 if (info == NULL) {
1778 return NT_STATUS_NO_MEMORY;
1779 }
1780
1781 info->sid = *r->in.sid;
1782 info->access = acc_granted;
1783 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1784
1785 /* get a (unique) handle. open a policy on it. */
1786 if (!create_policy_hnd(p, r->out.acct_handle, info))
1787 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1788
1789 return NT_STATUS_OK;
1790 }
1791
1792 /***************************************************************************
1793 _lsa_EnumPrivsAccount
1794 For a given SID, enumerate all the privilege this account has.
1795 ***************************************************************************/
1796
1797 NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
1798 struct lsa_EnumPrivsAccount *r)
1799 {
1800 NTSTATUS status = NT_STATUS_OK;
1801 struct lsa_info *info=NULL;
1802 SE_PRIV mask;
1803 PRIVILEGE_SET privileges;
1804 struct lsa_PrivilegeSet *priv_set = NULL;
1805 struct lsa_LUIDAttribute *luid_attrs = NULL;
1806 int i;
1807
1808 /* find the connection policy handle. */
1809 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1810 return NT_STATUS_INVALID_HANDLE;
1811
1812 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1813 return NT_STATUS_INVALID_HANDLE;
1814 }
1815
1816 if (!(info->access & LSA_ACCOUNT_VIEW))
1817 return NT_STATUS_ACCESS_DENIED;
1818
1819 get_privileges_for_sids(&mask, &info->sid, 1);
1820
1821 privilege_set_init( &privileges );
1822
1823 priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1824 if (!priv_set) {
1825 status = NT_STATUS_NO_MEMORY;
1826 goto done;
1827 }
1828
1829 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1830
1831 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1832 sid_string_dbg(&info->sid),
1833 privileges.count));
1834
1835 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1836 struct lsa_LUIDAttribute,
1837 privileges.count);
1838 if (!luid_attrs) {
1839 status = NT_STATUS_NO_MEMORY;
1840 goto done;
1841 }
1842
1843 for (i=0; i<privileges.count; i++) {
1844 luid_attrs[i].luid.low = privileges.set[i].luid.low;
1845 luid_attrs[i].luid.high = privileges.set[i].luid.high;
1846 luid_attrs[i].attribute = privileges.set[i].attr;
1847 }
1848
1849 priv_set->count = privileges.count;
1850 priv_set->unknown = 0;
1851 priv_set->set = luid_attrs;
1852
1853 } else {
1854 priv_set->count = 0;
1855 priv_set->unknown = 0;
1856 priv_set->set = NULL;
1857 }
1858
1859 *r->out.privs = priv_set;
1860
1861 done:
1862 privilege_set_free( &privileges );
1863
1864 return status;
1865 }
1866
1867 /***************************************************************************
1868 _lsa_GetSystemAccessAccount
1869 ***************************************************************************/
1870
1871 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
1872 struct lsa_GetSystemAccessAccount *r)
1873 {
1874 NTSTATUS status;
1875 struct lsa_info *info = NULL;
1876 struct lsa_EnumPrivsAccount e;
1877 struct lsa_PrivilegeSet *privset;
1878
1879 /* find the connection policy handle. */
1880
1881 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1882 return NT_STATUS_INVALID_HANDLE;
1883
1884 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1885 return NT_STATUS_INVALID_HANDLE;
1886 }
1887
1888 if (!(info->access & LSA_ACCOUNT_VIEW))
1889 return NT_STATUS_ACCESS_DENIED;
1890
1891 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1892 if (!privset) {
1893 return NT_STATUS_NO_MEMORY;
1894 }
1895
1896 e.in.handle = r->in.handle;
1897 e.out.privs = &privset;
1898
1899 status = _lsa_EnumPrivsAccount(p, &e);
1900 if (!NT_STATUS_IS_OK(status)) {
1901 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1902 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1903 nt_errstr(status)));
1904 return status;
1905 }
1906
1907 /* Samba4 would iterate over the privset to merge the policy mode bits,
1908 * not sure samba3 can do the same here, so just return what we did in
1909 * the past - gd */
1910
1911 /*
1912 0x01 -> Log on locally
1913 0x02 -> Access this computer from network
1914 0x04 -> Log on as a batch job
1915 0x10 -> Log on as a service
1916
1917 they can be ORed together
1918 */
1919
1920 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1921 LSA_POLICY_MODE_NETWORK;
1922
1923 return NT_STATUS_OK;
1924 }
1925
1926 /***************************************************************************
1927 update the systemaccount information
1928 ***************************************************************************/
1929
1930 NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
1931 struct lsa_SetSystemAccessAccount *r)
1932 {
1933 struct lsa_info *info=NULL;
1934 GROUP_MAP map;
1935
1936 /* find the connection policy handle. */
1937 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1938 return NT_STATUS_INVALID_HANDLE;
1939
1940 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1941 return NT_STATUS_INVALID_HANDLE;
1942 }
1943
1944 if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1945 return NT_STATUS_ACCESS_DENIED;
1946 }
1947
1948 if (!pdb_getgrsid(&map, info->sid))
1949 return NT_STATUS_NO_SUCH_GROUP;
1950
1951 return pdb_update_group_mapping_entry(&map);
1952 }
1953
1954 /***************************************************************************
1955 _lsa_AddPrivilegesToAccount
1956 For a given SID, add some privileges.
1957 ***************************************************************************/
1958
1959 NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
1960 struct lsa_AddPrivilegesToAccount *r)
1961 {
1962 struct lsa_info *info = NULL;
1963 SE_PRIV mask;
1964 struct lsa_PrivilegeSet *set = NULL;
1965
1966 /* find the connection policy handle. */
1967 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1968 return NT_STATUS_INVALID_HANDLE;
1969
1970 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1971 return NT_STATUS_INVALID_HANDLE;
1972 }
1973
1974 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1975 return NT_STATUS_ACCESS_DENIED;
1976 }
1977
1978 set = r->in.privs;
1979 if ( !privilege_set_to_se_priv( &mask, set ) )
1980 return NT_STATUS_NO_SUCH_PRIVILEGE;
1981
1982 if ( !grant_privilege( &info->sid, &mask ) ) {
1983 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1984 sid_string_dbg(&info->sid) ));
1985 DEBUG(3,("Privilege mask:\n"));
1986 dump_se_priv( DBGC_ALL, 3, &mask );
1987 return NT_STATUS_NO_SUCH_PRIVILEGE;
1988 }
1989
1990 return NT_STATUS_OK;
1991 }
1992
1993 /***************************************************************************
1994 _lsa_RemovePrivilegesFromAccount
1995 For a given SID, remove some privileges.
1996 ***************************************************************************/
1997
1998 NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
1999 struct lsa_RemovePrivilegesFromAccount *r)
2000 {
2001 struct lsa_info *info = NULL;
2002 SE_PRIV mask;
2003 struct lsa_PrivilegeSet *set = NULL;
2004
2005 /* find the connection policy handle. */
2006 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2007 return NT_STATUS_INVALID_HANDLE;
2008
2009 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2010 return NT_STATUS_INVALID_HANDLE;
2011 }
2012
2013 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2014 return NT_STATUS_ACCESS_DENIED;
2015 }
2016
2017 set = r->in.privs;
2018
2019 if ( !privilege_set_to_se_priv( &mask, set ) )
2020 return NT_STATUS_NO_SUCH_PRIVILEGE;
2021
2022 if ( !revoke_privilege( &info->sid, &mask ) ) {
2023 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2024 sid_string_dbg(&info->sid) ));
2025 DEBUG(3,("Privilege mask:\n"));
2026 dump_se_priv( DBGC_ALL, 3, &mask );
2027 return NT_STATUS_NO_SUCH_PRIVILEGE;
2028 }
2029
2030 return NT_STATUS_OK;
2031 }
2032
2033 /***************************************************************************
2034 _lsa_LookupPrivName
2035 ***************************************************************************/
2036
2037 NTSTATUS _lsa_LookupPrivName(pipes_struct *p,
2038 struct lsa_LookupPrivName *r)
2039 {
2040 struct lsa_info *info = NULL;
2041 const char *name;
2042 struct lsa_StringLarge *lsa_name;
2043
2044 /* find the connection policy handle. */
2045 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2046 return NT_STATUS_INVALID_HANDLE;
2047 }
2048
2049 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2050 return NT_STATUS_INVALID_HANDLE;
2051 }
2052
2053 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2054 return NT_STATUS_ACCESS_DENIED;
2055 }
2056
2057 name = luid_to_privilege_name((LUID *)r->in.luid);
2058 if (!name) {
2059 return NT_STATUS_NO_SUCH_PRIVILEGE;
2060 }
2061
2062 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2063 if (!lsa_name) {
2064 return NT_STATUS_NO_MEMORY;
2065 }
2066
2067 lsa_name->string = talloc_strdup(lsa_name, name);
2068 if (!lsa_name->string) {
2069 TALLOC_FREE(lsa_name);
2070 return NT_STATUS_NO_MEMORY;
2071 }
2072
2073 *r->out.name = lsa_name;
2074
2075 return NT_STATUS_OK;
2076 }
2077
2078 /***************************************************************************
2079 _lsa_QuerySecurity
2080 ***************************************************************************/
2081
2082 NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
2083 struct lsa_QuerySecurity *r)
2084 {
2085 struct lsa_info *handle=NULL;
2086 SEC_DESC *psd = NULL;
2087 size_t sd_size;
2088 NTSTATUS status;
2089
2090 /* find the connection policy handle. */
2091 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2092 return NT_STATUS_INVALID_HANDLE;
2093
2094 switch (handle->type) {
2095 case LSA_HANDLE_POLICY_TYPE:
2096 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2097 &lsa_policy_mapping, NULL, 0);
2098 break;
2099 case LSA_HANDLE_ACCOUNT_TYPE:
2100 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2101 &lsa_account_mapping,
2102 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2103 break;
2104 default:
2105 status = NT_STATUS_INVALID_HANDLE;
2106 break;
2107 }
2108
2109 if (!NT_STATUS_IS_OK(status)) {
2110 return status;
2111 }
2112
2113 *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2114 if (!*r->out.sdbuf) {
2115 return NT_STATUS_NO_MEMORY;
2116 }
2117
2118 return status;
2119 }
2120
2121 /***************************************************************************
2122 _lsa_AddAccountRights
2123 ***************************************************************************/
2124
2125 NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
2126 struct lsa_AddAccountRights *r)
2127 {
2128 struct lsa_info *info = NULL;
2129 int i = 0;
2130 uint32_t acc_granted = 0;
2131 SEC_DESC *psd = NULL;
2132 size_t sd_size;
2133 DOM_SID sid;
2134 NTSTATUS status;
2135
2136 /* find the connection policy handle. */
2137 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2138 return NT_STATUS_INVALID_HANDLE;
2139
2140 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2141 return NT_STATUS_INVALID_HANDLE;
2142 }
2143
2144 /* get the generic lsa account SD for this SID until we store it */
2145 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2146 &lsa_account_mapping,
2147 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2148 if (!NT_STATUS_IS_OK(status)) {
2149 return status;
2150 }
2151
2152 /*
2153 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2154 * on the policy handle. If it does, ask for
2155 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2156 * on the account sid. We don't check here so just use the latter. JRA.
2157 */
2158
2159 status = access_check_object(psd, p->server_info->ptok,
2160 NULL, 0,
2161 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2162 &acc_granted, "_lsa_AddAccountRights" );
2163 if (!NT_STATUS_IS_OK(status)) {
2164 return status;
2165 }
2166
2167 /* according to an NT4 PDC, you can add privileges to SIDs even without
2168 call_lsa_create_account() first. And you can use any arbitrary SID. */
2169
2170 sid_copy( &sid, r->in.sid );
2171
2172 for ( i=0; i < r->in.rights->count; i++ ) {
2173
2174 const char *privname = r->in.rights->names[i].string;
2175
2176 /* only try to add non-null strings */
2177
2178 if ( !privname )
2179 continue;
2180
2181 if ( !grant_privilege_by_name( &sid, privname ) ) {
2182 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2183 privname ));
2184 return NT_STATUS_NO_SUCH_PRIVILEGE;
2185 }
2186 }
2187
2188 return NT_STATUS_OK;
2189 }
2190
2191 /***************************************************************************
2192 _lsa_RemoveAccountRights
2193 ***************************************************************************/
2194
2195 NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
2196 struct lsa_RemoveAccountRights *r)
2197 {
2198 struct lsa_info *info = NULL;
2199 int i = 0;
2200 SEC_DESC *psd = NULL;
2201 size_t sd_size;
2202 DOM_SID sid;
2203 const char *privname = NULL;
2204 uint32_t acc_granted = 0;
2205 NTSTATUS status;
2206
2207 /* find the connection policy handle. */
2208 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2209 return NT_STATUS_INVALID_HANDLE;
2210
2211 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2212 return NT_STATUS_INVALID_HANDLE;
2213 }
2214
2215 /* get the generic lsa account SD for this SID until we store it */
2216 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2217 &lsa_account_mapping,
2218 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2219 if (!NT_STATUS_IS_OK(status)) {
2220 return status;
2221 }
2222
2223 /*
2224 * From the MS DOCs. We need
2225 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2226 * and DELETE on the account sid.
2227 */
2228
2229 status = access_check_object(psd, p->server_info->ptok,
2230 NULL, 0,
2231 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2232 LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
2233 &acc_granted, "_lsa_RemoveAccountRights");
2234 if (!NT_STATUS_IS_OK(status)) {
2235 return status;
2236 }
2237
2238 sid_copy( &sid, r->in.sid );
2239
2240 if ( r->in.remove_all ) {
2241 if ( !revoke_all_privileges( &sid ) )
2242 return NT_STATUS_ACCESS_DENIED;
2243
2244 return NT_STATUS_OK;
2245 }
2246
2247 for ( i=0; i < r->in.rights->count; i++ ) {
2248
2249 privname = r->in.rights->names[i].string;
2250
2251 /* only try to add non-null strings */
2252
2253 if ( !privname )
2254 continue;
2255
2256 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2257 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2258 privname ));
2259 return NT_STATUS_NO_SUCH_PRIVILEGE;
2260 }
2261 }
2262
2263 return NT_STATUS_OK;
2264 }
2265
2266 /*******************************************************************
2267 ********************************************************************/
2268
2269 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2270 struct lsa_RightSet *r,
2271 PRIVILEGE_SET *privileges)
2272 {
2273 uint32 i;
2274 const char *privname;
2275 const char **privname_array = NULL;
2276 int num_priv = 0;
2277
2278 for (i=0; i<privileges->count; i++) {
2279
2280 privname = luid_to_privilege_name(&privileges->set[i].luid);
2281 if (privname) {
2282 if (!add_string_to_array(mem_ctx, privname,
2283 &privname_array, &num_priv)) {
2284 return NT_STATUS_NO_MEMORY;
2285 }
2286 }
2287 }
2288
2289 if (num_priv) {
2290
2291 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2292 num_priv);
2293 if (!r->names) {
2294 return NT_STATUS_NO_MEMORY;
2295 }
2296
2297 for (i=0; i<num_priv; i++) {
2298 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2299 }
2300
2301 r->count = num_priv;
2302 }
2303
2304 return NT_STATUS_OK;
2305 }
2306
2307 /***************************************************************************
2308 _lsa_EnumAccountRights
2309 ***************************************************************************/
2310
2311 NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
2312 struct lsa_EnumAccountRights *r)
2313 {
2314 NTSTATUS status;
2315 struct lsa_info *info = NULL;
2316 DOM_SID sid;
2317 PRIVILEGE_SET privileges;
2318 SE_PRIV mask;
2319
2320 /* find the connection policy handle. */
2321
2322 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2323 return NT_STATUS_INVALID_HANDLE;
2324
2325 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2326 return NT_STATUS_INVALID_HANDLE;
2327 }
2328
2329 if (!(info->access & LSA_ACCOUNT_VIEW)) {
2330 return NT_STATUS_ACCESS_DENIED;
2331 }
2332
2333 /* according to an NT4 PDC, you can add privileges to SIDs even without
2334 call_lsa_create_account() first. And you can use any arbitrary SID. */
2335
2336 sid_copy( &sid, r->in.sid );
2337
2338 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2339 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2340 * the lsa database */
2341
2342 if (!get_privileges_for_sids(&mask, &sid, 1)) {
2343 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2344 }
2345
2346 status = privilege_set_init(&privileges);
2347 if (!NT_STATUS_IS_OK(status)) {
2348 return status;
2349 }
2350
2351 se_priv_to_privilege_set(&privileges, &mask);
2352
2353 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2354 sid_string_dbg(&sid), privileges.count));
2355
2356 status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2357
2358 privilege_set_free( &privileges );
2359
2360 return status;
2361 }
2362
2363 /***************************************************************************
2364 _lsa_LookupPrivValue
2365 ***************************************************************************/
2366
2367 NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
2368 struct lsa_LookupPrivValue *r)
2369 {
2370 struct lsa_info *info = NULL;
2371 const char *name = NULL;
2372 LUID_ATTR priv_luid;
2373 SE_PRIV mask;
2374
2375 /* find the connection policy handle. */
2376
2377 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2378 return NT_STATUS_INVALID_HANDLE;
2379
2380 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2381 return NT_STATUS_INVALID_HANDLE;
2382 }
2383
2384 if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2385 return NT_STATUS_ACCESS_DENIED;
2386
2387 name = r->in.name->string;
2388
2389 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2390
2391 if ( !se_priv_from_name( name, &mask ) )
2392 return NT_STATUS_NO_SUCH_PRIVILEGE;
2393
2394 priv_luid = get_privilege_luid( &mask );
2395
2396 r->out.luid->low = priv_luid.luid.low;
2397 r->out.luid->high = priv_luid.luid.high;
2398
2399 return NT_STATUS_OK;
2400 }
2401
2402 /***************************************************************************
2403 _lsa_EnumAccountsWithUserRight
2404 ***************************************************************************/
2405
2406 NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p,
2407 struct lsa_EnumAccountsWithUserRight *r)
2408 {
2409 NTSTATUS status;
2410 struct lsa_info *info = NULL;
2411 struct dom_sid *sids = NULL;
2412 int num_sids = 0;
2413 uint32_t i;
2414 SE_PRIV mask;
2415
2416 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2417 return NT_STATUS_INVALID_HANDLE;
2418 }
2419
2420 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2421 return NT_STATUS_INVALID_HANDLE;
2422 }
2423
2424 if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2425 return NT_STATUS_ACCESS_DENIED;
2426 }
2427
2428 if (!r->in.name || !r->in.name->string) {
2429 return NT_STATUS_NO_SUCH_PRIVILEGE;
2430 }
2431
2432 if (!se_priv_from_name(r->in.name->string, &mask)) {
2433 return NT_STATUS_NO_SUCH_PRIVILEGE;
2434 }
2435
2436 status = privilege_enum_sids(&mask, p->mem_ctx,
2437 &sids, &num_sids);
2438 if (!NT_STATUS_IS_OK(status)) {
2439 return status;
2440 }
2441
2442 r->out.sids->num_sids = num_sids;
2443 r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2444 r->out.sids->num_sids);
2445
2446 for (i=0; i < r->out.sids->num_sids; i++) {
2447 r->out.sids->sids[i].sid = sid_dup_talloc(r->out.sids->sids,
2448 &sids[i]);
2449 if (!r->out.sids->sids[i].sid) {
2450 TALLOC_FREE(r->out.sids->sids);
2451 r->out.sids->num_sids = 0;
2452 return NT_STATUS_NO_MEMORY;
2453 }
2454 }
2455
2456 return NT_STATUS_OK;
2457 }
2458
2459 /***************************************************************************
2460 _lsa_Delete
2461 ***************************************************************************/
2462
2463 NTSTATUS _lsa_Delete(pipes_struct *p,
2464 struct lsa_Delete *r)
2465 {
2466 return NT_STATUS_NOT_SUPPORTED;
2467 }
2468
2469 /*
2470 * From here on the server routines are just dummy ones to make smbd link with
2471 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2472 * pulling the server stubs across one by one.
2473 */
2474
2475 NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
2476 {
2477 p->rng_fault_state = True;
2478 return NT_STATUS_NOT_IMPLEMENTED;
2479 }
2480
2481 NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
2482 {
2483 p->rng_fault_state = True;
2484 return NT_STATUS_NOT_IMPLEMENTED;
2485 }
2486
2487 NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
2488 {
2489 p->rng_fault_state = True;
2490 return NT_STATUS_NOT_IMPLEMENTED;
2491 }
2492
2493 NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
2494 {
2495 p->rng_fault_state = True;
2496 return NT_STATUS_NOT_IMPLEMENTED;
2497 }
2498
2499 NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
2500 {
2501 p->rng_fault_state = True;
2502 return NT_STATUS_NOT_IMPLEMENTED;
2503 }
2504
2505 NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
2506 {
2507 p->rng_fault_state = True;
2508 return NT_STATUS_NOT_IMPLEMENTED;
2509 }
2510
2511 NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
2512 {
2513 p->rng_fault_state = True;
2514 return NT_STATUS_NOT_IMPLEMENTED;
2515 }
2516
2517 NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
2518 {
2519 p->rng_fault_state = True;
2520 return NT_STATUS_NOT_IMPLEMENTED;
2521 }
2522
2523 NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
2524 {
2525 p->rng_fault_state = True;
2526 return NT_STATUS_NOT_IMPLEMENTED;
2527 }
2528
2529 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
2530 {
2531 p->rng_fault_state = True;
2532 return NT_STATUS_NOT_IMPLEMENTED;
2533 }
2534
2535 NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
2536 {
2537 p->rng_fault_state = True;
2538 return NT_STATUS_NOT_IMPLEMENTED;
2539 }
2540
2541 NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
2542 {
2543 p->rng_fault_state = True;
2544 return NT_STATUS_NOT_IMPLEMENTED;
2545 }
2546
2547 NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
2548 {
2549 p->rng_fault_state = True;
2550 return NT_STATUS_NOT_IMPLEMENTED;
2551 }
2552
2553 NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
2554 {
2555 p->rng_fault_state = True;
2556 return NT_STATUS_NOT_IMPLEMENTED;
2557 }
2558
2559 NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
2560 {
2561 p->rng_fault_state = True;
2562 return NT_STATUS_NOT_IMPLEMENTED;
2563 }
2564
2565 NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
2566 {
2567 p->rng_fault_state = True;
2568 return NT_STATUS_NOT_IMPLEMENTED;
2569 }
2570
2571 NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
2572 {
2573 p->rng_fault_state = True;
2574 return NT_STATUS_NOT_IMPLEMENTED;
2575 }
2576
2577 NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
2578 {
2579 p->rng_fault_state = True;
2580 return NT_STATUS_NOT_IMPLEMENTED;
2581 }
2582
2583 NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
2584 {
2585 p->rng_fault_state = True;
2586 return NT_STATUS_NOT_IMPLEMENTED;
2587 }
2588
2589 NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
2590 {
2591 p->rng_fault_state = True;
2592 return NT_STATUS_NOT_IMPLEMENTED;
2593 }
2594
2595 NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
2596 {
2597 p->rng_fault_state = True;
2598 return NT_STATUS_NOT_IMPLEMENTED;
2599 }
2600
2601 NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
2602 {
2603 p->rng_fault_state = True;
2604 return NT_STATUS_NOT_IMPLEMENTED;
2605 }
2606
2607 NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
2608 {
2609 p->rng_fault_state = True;
2610 return NT_STATUS_NOT_IMPLEMENTED;
2611 }
2612
2613 NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
2614 {
2615 p->rng_fault_state = True;
2616 return NT_STATUS_NOT_IMPLEMENTED;
2617 }
2618
2619 NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
2620 {
2621 p->rng_fault_state = True;
2622 return NT_STATUS_NOT_IMPLEMENTED;
2623 }
2624
2625 NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
2626 {
2627 p->rng_fault_state = True;
2628 return NT_STATUS_NOT_IMPLEMENTED;
2629 }
2630
2631 NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
2632 {
2633 p->rng_fault_state = True;
2634 return NT_STATUS_NOT_IMPLEMENTED;
2635 }
2636
2637 NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2638 {
2639 p->rng_fault_state = True;
2640 return NT_STATUS_NOT_IMPLEMENTED;
2641 }
2642
2643 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2644 {
2645 p->rng_fault_state = True;
2646 return NT_STATUS_NOT_IMPLEMENTED;
2647 }
2648
2649 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2650 {
2651 p->rng_fault_state = True;
2652 return NT_STATUS_NOT_IMPLEMENTED;
2653 }
2654
2655 NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
2656 {
2657 p->rng_fault_state = True;
2658 return NT_STATUS_NOT_IMPLEMENTED;
2659 }
2660
2661 NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
2662 {
2663 p->rng_fault_state = True;
2664 return NT_STATUS_NOT_IMPLEMENTED;
2665 }
2666
2667 NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
2668 {
2669 p->rng_fault_state = True;
2670 return NT_STATUS_NOT_IMPLEMENTED;
2671 }
2672
2673 NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
2674 {
2675 p->rng_fault_state = True;
2676 return NT_STATUS_NOT_IMPLEMENTED;
2677 }
2678
2679 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
2680 {
2681 p->rng_fault_state = True;
2682 return NT_STATUS_NOT_IMPLEMENTED;
2683 }
2684
2685 NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
2686 {
2687 p->rng_fault_state = True;
2688 return NT_STATUS_NOT_IMPLEMENTED;
2689 }
2690
2691 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
2692 {
2693 p->rng_fault_state = True;
2694 return NT_STATUS_NOT_IMPLEMENTED;
2695 }
2696
2697 NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
2698 {
2699 p->rng_fault_state = True;
2700 return NT_STATUS_NOT_IMPLEMENTED;
2701 }
2702
2703 NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2704 {
2705 p->rng_fault_state = True;
2706 return NT_STATUS_NOT_IMPLEMENTED;
2707 }
2708
2709 NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
2710 {
2711 p->rng_fault_state = True;
2712 return NT_STATUS_NOT_IMPLEMENTED;
2713 }
2714
2715 NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
2716 {
2717 p->rng_fault_state = True;
2718 return NT_STATUS_NOT_IMPLEMENTED;
2719 }
2720
2721 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2722 {
2723 p->rng_fault_state = True;
2724 return NT_STATUS_NOT_IMPLEMENTED;
2725 }
2726
2727 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2728 {
2729 p->rng_fault_state = True;
2730 return NT_STATUS_NOT_IMPLEMENTED;
2731 }
2732
2733 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
2734 {
2735 p->rng_fault_state = True;
2736 return NT_STATUS_NOT_IMPLEMENTED;
2737 }
kamenim's samba4 branches