s3-lsa: make lsa_lookup_trusted_domain_by_name() use pdb_get_trusted_domain().
[Samba/vl.git] / source3 / rpc_server / lsa / srv_lsa_nt.c
blob8a70a987d6b92643bbd77cc026fc8ea67b4f7c2d
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
14 * Copyright (C) Andrew Bartlett 2010.
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
30 /* This is the implementation of the lsa server code. */
32 #include "includes.h"
33 #include "../librpc/gen_ndr/srv_lsa.h"
34 #include "secrets.h"
35 #include "../librpc/gen_ndr/netlogon.h"
36 #include "rpc_client/init_lsa.h"
37 #include "../libcli/security/security.h"
39 #undef DBGC_CLASS
40 #define DBGC_CLASS DBGC_RPC_SRV
42 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
44 enum lsa_handle_type {
45 LSA_HANDLE_POLICY_TYPE = 1,
46 LSA_HANDLE_ACCOUNT_TYPE = 2,
47 LSA_HANDLE_TRUST_TYPE = 3};
49 struct lsa_info {
50 struct dom_sid sid;
51 const char *name;
52 uint32 access;
53 enum lsa_handle_type type;
54 struct security_descriptor *sd;
57 const struct generic_mapping lsa_account_mapping = {
58 LSA_ACCOUNT_READ,
59 LSA_ACCOUNT_WRITE,
60 LSA_ACCOUNT_EXECUTE,
61 LSA_ACCOUNT_ALL_ACCESS
64 const struct generic_mapping lsa_policy_mapping = {
65 LSA_POLICY_READ,
66 LSA_POLICY_WRITE,
67 LSA_POLICY_EXECUTE,
68 LSA_POLICY_ALL_ACCESS
71 const struct generic_mapping lsa_secret_mapping = {
72 LSA_SECRET_READ,
73 LSA_SECRET_WRITE,
74 LSA_SECRET_EXECUTE,
75 LSA_SECRET_ALL_ACCESS
78 const struct generic_mapping lsa_trusted_domain_mapping = {
79 LSA_TRUSTED_DOMAIN_READ,
80 LSA_TRUSTED_DOMAIN_WRITE,
81 LSA_TRUSTED_DOMAIN_EXECUTE,
82 LSA_TRUSTED_DOMAIN_ALL_ACCESS
85 /***************************************************************************
86 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
87 ***************************************************************************/
89 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
90 struct lsa_RefDomainList *ref,
91 const char *dom_name,
92 struct dom_sid *dom_sid)
94 int num = 0;
96 if (dom_name != NULL) {
97 for (num = 0; num < ref->count; num++) {
98 if (dom_sid_equal(dom_sid, ref->domains[num].sid)) {
99 return num;
102 } else {
103 num = ref->count;
106 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
107 /* index not found, already at maximum domain limit */
108 return -1;
111 ref->count = num + 1;
112 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
114 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
115 struct lsa_DomainInfo, ref->count);
116 if (!ref->domains) {
117 return -1;
120 ZERO_STRUCT(ref->domains[num]);
122 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
123 ref->domains[num].sid = dom_sid_dup(mem_ctx, dom_sid);
124 if (!ref->domains[num].sid) {
125 return -1;
128 return num;
132 /***************************************************************************
133 initialize a lsa_DomainInfo structure.
134 ***************************************************************************/
136 static void init_dom_query_3(struct lsa_DomainInfo *r,
137 const char *name,
138 struct dom_sid *sid)
140 init_lsa_StringLarge(&r->name, name);
141 r->sid = sid;
144 /***************************************************************************
145 initialize a lsa_DomainInfo structure.
146 ***************************************************************************/
148 static void init_dom_query_5(struct lsa_DomainInfo *r,
149 const char *name,
150 struct dom_sid *sid)
152 init_lsa_StringLarge(&r->name, name);
153 r->sid = sid;
156 /***************************************************************************
157 lookup_lsa_rids. Must be called as root for lookup_name to work.
158 ***************************************************************************/
160 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
161 struct lsa_RefDomainList *ref,
162 struct lsa_TranslatedSid *prid,
163 uint32_t num_entries,
164 struct lsa_String *name,
165 int flags,
166 uint32_t *pmapped_count)
168 uint32 mapped_count, i;
170 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
172 mapped_count = 0;
173 *pmapped_count = 0;
175 for (i = 0; i < num_entries; i++) {
176 struct dom_sid sid;
177 uint32 rid;
178 int dom_idx;
179 const char *full_name;
180 const char *domain;
181 enum lsa_SidType type = SID_NAME_UNKNOWN;
183 /* Split name into domain and user component */
185 /* follow w2k8 behavior and return the builtin domain when no
186 * input has been passed in */
188 if (name[i].string) {
189 full_name = name[i].string;
190 } else {
191 full_name = "BUILTIN";
194 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
196 /* We can ignore the result of lookup_name, it will not touch
197 "type" if it's not successful */
199 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
200 &sid, &type);
202 switch (type) {
203 case SID_NAME_USER:
204 case SID_NAME_DOM_GRP:
205 case SID_NAME_DOMAIN:
206 case SID_NAME_ALIAS:
207 case SID_NAME_WKN_GRP:
208 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
209 /* Leave these unchanged */
210 break;
211 default:
212 /* Don't hand out anything but the list above */
213 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
214 type = SID_NAME_UNKNOWN;
215 break;
218 rid = 0;
219 dom_idx = -1;
221 if (type != SID_NAME_UNKNOWN) {
222 if (type == SID_NAME_DOMAIN) {
223 rid = (uint32_t)-1;
224 } else {
225 sid_split_rid(&sid, &rid);
227 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
228 mapped_count++;
231 prid[i].sid_type = type;
232 prid[i].rid = rid;
233 prid[i].sid_index = dom_idx;
236 *pmapped_count = mapped_count;
237 return NT_STATUS_OK;
240 /***************************************************************************
241 lookup_lsa_sids. Must be called as root for lookup_name to work.
242 ***************************************************************************/
244 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
245 struct lsa_RefDomainList *ref,
246 struct lsa_TranslatedSid3 *trans_sids,
247 uint32_t num_entries,
248 struct lsa_String *name,
249 int flags,
250 uint32 *pmapped_count)
252 uint32 mapped_count, i;
254 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
256 mapped_count = 0;
257 *pmapped_count = 0;
259 for (i = 0; i < num_entries; i++) {
260 struct dom_sid sid;
261 uint32 rid;
262 int dom_idx;
263 const char *full_name;
264 const char *domain;
265 enum lsa_SidType type = SID_NAME_UNKNOWN;
267 ZERO_STRUCT(sid);
269 /* Split name into domain and user component */
271 full_name = name[i].string;
272 if (full_name == NULL) {
273 return NT_STATUS_NO_MEMORY;
276 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
278 /* We can ignore the result of lookup_name, it will not touch
279 "type" if it's not successful */
281 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
282 &sid, &type);
284 switch (type) {
285 case SID_NAME_USER:
286 case SID_NAME_DOM_GRP:
287 case SID_NAME_DOMAIN:
288 case SID_NAME_ALIAS:
289 case SID_NAME_WKN_GRP:
290 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
291 /* Leave these unchanged */
292 break;
293 default:
294 /* Don't hand out anything but the list above */
295 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
296 type = SID_NAME_UNKNOWN;
297 break;
300 rid = 0;
301 dom_idx = -1;
303 if (type != SID_NAME_UNKNOWN) {
304 struct dom_sid domain_sid;
305 sid_copy(&domain_sid, &sid);
306 sid_split_rid(&domain_sid, &rid);
307 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
308 mapped_count++;
311 /* Initialize the lsa_TranslatedSid3 return. */
312 trans_sids[i].sid_type = type;
313 trans_sids[i].sid = dom_sid_dup(mem_ctx, &sid);
314 trans_sids[i].sid_index = dom_idx;
317 *pmapped_count = mapped_count;
318 return NT_STATUS_OK;
321 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, struct security_descriptor **sd, size_t *sd_size,
322 const struct generic_mapping *map,
323 struct dom_sid *sid, uint32_t sid_access)
325 struct dom_sid adm_sid;
326 struct security_ace ace[5];
327 size_t i = 0;
329 struct security_acl *psa = NULL;
331 /* READ|EXECUTE access for Everyone */
333 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
334 map->generic_execute | map->generic_read, 0);
336 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
338 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
339 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
340 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
341 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
343 /* Add Full Access for Domain Admins */
344 sid_compose(&adm_sid, get_global_sam_sid(), DOMAIN_RID_ADMINS);
345 init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
346 map->generic_all, 0);
348 /* If we have a sid, give it some special access */
350 if (sid) {
351 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
352 sid_access, 0);
355 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
356 return NT_STATUS_NO_MEMORY;
358 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
359 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
360 psa, sd_size)) == NULL)
361 return NT_STATUS_NO_MEMORY;
363 return NT_STATUS_OK;
366 /***************************************************************************
367 ***************************************************************************/
369 static NTSTATUS create_lsa_policy_handle(TALLOC_CTX *mem_ctx,
370 struct pipes_struct *p,
371 enum lsa_handle_type type,
372 uint32_t acc_granted,
373 struct dom_sid *sid,
374 const char *name,
375 const struct security_descriptor *sd,
376 struct policy_handle *handle)
378 struct lsa_info *info;
380 ZERO_STRUCTP(handle);
382 info = talloc_zero(mem_ctx, struct lsa_info);
383 if (!info) {
384 return NT_STATUS_NO_MEMORY;
387 info->type = type;
388 info->access = acc_granted;
390 if (sid) {
391 sid_copy(&info->sid, sid);
394 info->name = talloc_strdup(info, name);
396 if (sd) {
397 info->sd = dup_sec_desc(info, sd);
398 if (!info->sd) {
399 talloc_free(info);
400 return NT_STATUS_NO_MEMORY;
404 if (!create_policy_hnd(p, handle, info)) {
405 talloc_free(info);
406 ZERO_STRUCTP(handle);
407 return NT_STATUS_NO_MEMORY;
410 return NT_STATUS_OK;
413 /***************************************************************************
414 _lsa_OpenPolicy2
415 ***************************************************************************/
417 NTSTATUS _lsa_OpenPolicy2(struct pipes_struct *p,
418 struct lsa_OpenPolicy2 *r)
420 struct security_descriptor *psd = NULL;
421 size_t sd_size;
422 uint32 des_access = r->in.access_mask;
423 uint32 acc_granted;
424 NTSTATUS status;
426 /* Work out max allowed. */
427 map_max_allowed_access(p->server_info->security_token,
428 &p->server_info->utok,
429 &des_access);
431 /* map the generic bits to the lsa policy ones */
432 se_map_generic(&des_access, &lsa_policy_mapping);
434 /* get the generic lsa policy SD until we store it */
435 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
436 NULL, 0);
437 if (!NT_STATUS_IS_OK(status)) {
438 return status;
441 status = access_check_object(psd, p->server_info->security_token,
442 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, des_access,
443 &acc_granted, "_lsa_OpenPolicy2" );
444 if (!NT_STATUS_IS_OK(status)) {
445 return status;
448 status = create_lsa_policy_handle(p->mem_ctx, p,
449 LSA_HANDLE_POLICY_TYPE,
450 acc_granted,
451 get_global_sam_sid(),
452 NULL,
453 psd,
454 r->out.handle);
455 if (!NT_STATUS_IS_OK(status)) {
456 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
459 return NT_STATUS_OK;
462 /***************************************************************************
463 _lsa_OpenPolicy
464 ***************************************************************************/
466 NTSTATUS _lsa_OpenPolicy(struct pipes_struct *p,
467 struct lsa_OpenPolicy *r)
469 struct lsa_OpenPolicy2 o;
471 o.in.system_name = NULL; /* should be ignored */
472 o.in.attr = r->in.attr;
473 o.in.access_mask = r->in.access_mask;
475 o.out.handle = r->out.handle;
477 return _lsa_OpenPolicy2(p, &o);
480 /***************************************************************************
481 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
482 ufff, done :) mimir
483 ***************************************************************************/
485 NTSTATUS _lsa_EnumTrustDom(struct pipes_struct *p,
486 struct lsa_EnumTrustDom *r)
488 struct lsa_info *info;
489 uint32_t count;
490 struct trustdom_info **domains;
491 struct lsa_DomainInfo *entries;
492 int i;
493 NTSTATUS nt_status;
495 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
496 return NT_STATUS_INVALID_HANDLE;
498 if (info->type != LSA_HANDLE_POLICY_TYPE) {
499 return NT_STATUS_INVALID_HANDLE;
502 /* check if the user has enough rights */
503 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
504 return NT_STATUS_ACCESS_DENIED;
506 become_root();
507 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &count, &domains);
508 unbecome_root();
510 if (!NT_STATUS_IS_OK(nt_status)) {
511 return nt_status;
514 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo, count);
515 if (!entries) {
516 return NT_STATUS_NO_MEMORY;
519 for (i=0; i<count; i++) {
520 init_lsa_StringLarge(&entries[i].name, domains[i]->name);
521 entries[i].sid = &domains[i]->sid;
524 if (*r->in.resume_handle >= count) {
525 *r->out.resume_handle = -1;
526 TALLOC_FREE(entries);
527 return NT_STATUS_NO_MORE_ENTRIES;
530 /* return the rest, limit by max_size. Note that we
531 use the w2k3 element size value of 60 */
532 r->out.domains->count = count - *r->in.resume_handle;
533 r->out.domains->count = MIN(r->out.domains->count,
534 1+(r->in.max_size/LSA_ENUM_TRUST_DOMAIN_MULTIPLIER));
536 r->out.domains->domains = entries + *r->in.resume_handle;
538 if (r->out.domains->count < count - *r->in.resume_handle) {
539 *r->out.resume_handle = *r->in.resume_handle + r->out.domains->count;
540 return STATUS_MORE_ENTRIES;
543 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
544 * always be larger than the previous input resume handle, in
545 * particular when hitting the last query it is vital to set the
546 * resume handle correctly to avoid infinite client loops, as
547 * seen e.g. with Windows XP SP3 when resume handle is 0 and
548 * status is NT_STATUS_OK - gd */
550 *r->out.resume_handle = (uint32_t)-1;
552 return NT_STATUS_OK;
555 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
556 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
557 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
559 /***************************************************************************
560 _lsa_QueryInfoPolicy
561 ***************************************************************************/
563 NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
564 struct lsa_QueryInfoPolicy *r)
566 NTSTATUS status = NT_STATUS_OK;
567 struct lsa_info *handle;
568 struct dom_sid domain_sid;
569 const char *name;
570 struct dom_sid *sid = NULL;
571 union lsa_PolicyInformation *info = NULL;
572 uint32_t acc_required = 0;
574 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
575 return NT_STATUS_INVALID_HANDLE;
577 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
578 return NT_STATUS_INVALID_HANDLE;
581 switch (r->in.level) {
582 case LSA_POLICY_INFO_AUDIT_LOG:
583 case LSA_POLICY_INFO_AUDIT_EVENTS:
584 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
585 break;
586 case LSA_POLICY_INFO_DOMAIN:
587 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
588 break;
589 case LSA_POLICY_INFO_PD:
590 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
591 break;
592 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
593 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
594 break;
595 case LSA_POLICY_INFO_ROLE:
596 case LSA_POLICY_INFO_REPLICA:
597 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
598 break;
599 case LSA_POLICY_INFO_QUOTA:
600 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
601 break;
602 case LSA_POLICY_INFO_MOD:
603 case LSA_POLICY_INFO_AUDIT_FULL_SET:
604 /* according to MS-LSAD 3.1.4.4.3 */
605 return NT_STATUS_INVALID_PARAMETER;
606 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
607 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
608 break;
609 case LSA_POLICY_INFO_DNS:
610 case LSA_POLICY_INFO_DNS_INT:
611 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
612 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
613 break;
614 default:
615 break;
618 if (!(handle->access & acc_required)) {
619 /* return NT_STATUS_ACCESS_DENIED; */
622 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
623 if (!info) {
624 return NT_STATUS_NO_MEMORY;
627 switch (r->in.level) {
628 /* according to MS-LSAD 3.1.4.4.3 */
629 case LSA_POLICY_INFO_MOD:
630 case LSA_POLICY_INFO_AUDIT_FULL_SET:
631 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
632 return NT_STATUS_INVALID_PARAMETER;
633 case LSA_POLICY_INFO_AUDIT_LOG:
634 info->audit_log.percent_full = 0;
635 info->audit_log.maximum_log_size = 0;
636 info->audit_log.retention_time = 0;
637 info->audit_log.shutdown_in_progress = 0;
638 info->audit_log.time_to_shutdown = 0;
639 info->audit_log.next_audit_record = 0;
640 status = NT_STATUS_OK;
641 break;
642 case LSA_POLICY_INFO_PD:
643 info->pd.name.string = NULL;
644 status = NT_STATUS_OK;
645 break;
646 case LSA_POLICY_INFO_REPLICA:
647 info->replica.source.string = NULL;
648 info->replica.account.string = NULL;
649 status = NT_STATUS_OK;
650 break;
651 case LSA_POLICY_INFO_QUOTA:
652 info->quota.paged_pool = 0;
653 info->quota.non_paged_pool = 0;
654 info->quota.min_wss = 0;
655 info->quota.max_wss = 0;
656 info->quota.pagefile = 0;
657 info->quota.unknown = 0;
658 status = NT_STATUS_OK;
659 break;
660 case LSA_POLICY_INFO_AUDIT_EVENTS:
663 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
665 /* check if the user has enough rights */
666 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
667 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
668 return NT_STATUS_ACCESS_DENIED;
671 /* fake info: We audit everything. ;) */
673 info->audit_events.auditing_mode = true;
674 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
675 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
676 enum lsa_PolicyAuditPolicy,
677 info->audit_events.count);
678 if (!info->audit_events.settings) {
679 return NT_STATUS_NO_MEMORY;
682 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
683 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
684 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
685 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
686 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
687 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
688 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
690 break;
692 case LSA_POLICY_INFO_DOMAIN:
693 /* check if the user has enough rights */
694 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
695 return NT_STATUS_ACCESS_DENIED;
697 /* Request PolicyPrimaryDomainInformation. */
698 switch (lp_server_role()) {
699 case ROLE_DOMAIN_PDC:
700 case ROLE_DOMAIN_BDC:
701 name = get_global_sam_name();
702 sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
703 if (!sid) {
704 return NT_STATUS_NO_MEMORY;
706 break;
707 case ROLE_DOMAIN_MEMBER:
708 name = lp_workgroup();
709 /* We need to return the Domain SID here. */
710 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
711 sid = dom_sid_dup(p->mem_ctx, &domain_sid);
712 if (!sid) {
713 return NT_STATUS_NO_MEMORY;
715 } else {
716 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
718 break;
719 case ROLE_STANDALONE:
720 name = lp_workgroup();
721 sid = NULL;
722 break;
723 default:
724 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
726 init_dom_query_3(&info->domain, name, sid);
727 break;
728 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
729 /* check if the user has enough rights */
730 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
731 return NT_STATUS_ACCESS_DENIED;
733 /* Request PolicyAccountDomainInformation. */
734 name = get_global_sam_name();
735 sid = get_global_sam_sid();
737 init_dom_query_5(&info->account_domain, name, sid);
738 break;
739 case LSA_POLICY_INFO_ROLE:
740 /* check if the user has enough rights */
741 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
742 return NT_STATUS_ACCESS_DENIED;
744 switch (lp_server_role()) {
745 case ROLE_DOMAIN_BDC:
747 * only a BDC is a backup controller
748 * of the domain, it controls.
750 info->role.role = LSA_ROLE_BACKUP;
751 break;
752 default:
754 * any other role is a primary
755 * of the domain, it controls.
757 info->role.role = LSA_ROLE_PRIMARY;
758 break;
760 break;
761 case LSA_POLICY_INFO_DNS:
762 case LSA_POLICY_INFO_DNS_INT: {
763 struct pdb_domain_info *dominfo;
765 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
766 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
767 "without ADS passdb backend\n"));
768 status = NT_STATUS_INVALID_INFO_CLASS;
769 break;
772 dominfo = pdb_get_domain_info(info);
773 if (dominfo == NULL) {
774 status = NT_STATUS_NO_MEMORY;
775 break;
778 init_lsa_StringLarge(&info->dns.name,
779 dominfo->name);
780 init_lsa_StringLarge(&info->dns.dns_domain,
781 dominfo->dns_domain);
782 init_lsa_StringLarge(&info->dns.dns_forest,
783 dominfo->dns_forest);
784 info->dns.domain_guid = dominfo->guid;
785 info->dns.sid = &dominfo->sid;
786 break;
788 default:
789 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
790 r->in.level));
791 status = NT_STATUS_INVALID_INFO_CLASS;
792 break;
795 *r->out.info = info;
797 return status;
800 /***************************************************************************
801 _lsa_QueryInfoPolicy2
802 ***************************************************************************/
804 NTSTATUS _lsa_QueryInfoPolicy2(struct pipes_struct *p,
805 struct lsa_QueryInfoPolicy2 *r2)
807 struct lsa_QueryInfoPolicy r;
809 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
810 p->rng_fault_state = True;
811 return NT_STATUS_NOT_IMPLEMENTED;
814 ZERO_STRUCT(r);
815 r.in.handle = r2->in.handle;
816 r.in.level = r2->in.level;
817 r.out.info = r2->out.info;
819 return _lsa_QueryInfoPolicy(p, &r);
822 /***************************************************************************
823 _lsa_lookup_sids_internal
824 ***************************************************************************/
826 static NTSTATUS _lsa_lookup_sids_internal(struct pipes_struct *p,
827 TALLOC_CTX *mem_ctx,
828 uint16_t level, /* input */
829 int num_sids, /* input */
830 struct lsa_SidPtr *sid, /* input */
831 struct lsa_RefDomainList **pp_ref, /* input/output */
832 struct lsa_TranslatedName2 **pp_names,/* input/output */
833 uint32_t *pp_mapped_count) /* input/output */
835 NTSTATUS status;
836 int i;
837 const struct dom_sid **sids = NULL;
838 struct lsa_RefDomainList *ref = NULL;
839 uint32 mapped_count = 0;
840 struct lsa_dom_info *dom_infos = NULL;
841 struct lsa_name_info *name_infos = NULL;
842 struct lsa_TranslatedName2 *names = NULL;
844 *pp_mapped_count = 0;
845 *pp_names = NULL;
846 *pp_ref = NULL;
848 if (num_sids == 0) {
849 return NT_STATUS_OK;
852 sids = TALLOC_ARRAY(p->mem_ctx, const struct dom_sid *, num_sids);
853 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
855 if (sids == NULL || ref == NULL) {
856 return NT_STATUS_NO_MEMORY;
859 for (i=0; i<num_sids; i++) {
860 sids[i] = sid[i].sid;
863 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
864 &dom_infos, &name_infos);
866 if (!NT_STATUS_IS_OK(status)) {
867 return status;
870 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
871 if (names == NULL) {
872 return NT_STATUS_NO_MEMORY;
875 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
877 if (!dom_infos[i].valid) {
878 break;
881 if (init_lsa_ref_domain_list(mem_ctx, ref,
882 dom_infos[i].name,
883 &dom_infos[i].sid) != i) {
884 DEBUG(0, ("Domain %s mentioned twice??\n",
885 dom_infos[i].name));
886 return NT_STATUS_INTERNAL_ERROR;
890 for (i=0; i<num_sids; i++) {
891 struct lsa_name_info *name = &name_infos[i];
893 if (name->type == SID_NAME_UNKNOWN) {
894 fstring tmp;
895 name->dom_idx = -1;
896 /* Unknown sids should return the string
897 * representation of the SID. Windows 2003 behaves
898 * rather erratic here, in many cases it returns the
899 * RID as 8 bytes hex, in others it returns the full
900 * SID. We (Jerry/VL) could not figure out which the
901 * hard cases are, so leave it with the SID. */
902 name->name = talloc_asprintf(p->mem_ctx, "%s",
903 sid_to_fstring(tmp,
904 sids[i]));
905 if (name->name == NULL) {
906 return NT_STATUS_NO_MEMORY;
908 } else {
909 mapped_count += 1;
912 names[i].sid_type = name->type;
913 names[i].name.string = name->name;
914 names[i].sid_index = name->dom_idx;
915 names[i].unknown = 0;
918 status = NT_STATUS_NONE_MAPPED;
919 if (mapped_count > 0) {
920 status = (mapped_count < num_sids) ?
921 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
924 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
925 num_sids, mapped_count, nt_errstr(status)));
927 *pp_mapped_count = mapped_count;
928 *pp_names = names;
929 *pp_ref = ref;
931 return status;
934 /***************************************************************************
935 _lsa_LookupSids
936 ***************************************************************************/
938 NTSTATUS _lsa_LookupSids(struct pipes_struct *p,
939 struct lsa_LookupSids *r)
941 NTSTATUS status;
942 struct lsa_info *handle;
943 int num_sids = r->in.sids->num_sids;
944 uint32 mapped_count = 0;
945 struct lsa_RefDomainList *domains = NULL;
946 struct lsa_TranslatedName *names_out = NULL;
947 struct lsa_TranslatedName2 *names = NULL;
948 int i;
950 if ((r->in.level < 1) || (r->in.level > 6)) {
951 return NT_STATUS_INVALID_PARAMETER;
954 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
955 return NT_STATUS_INVALID_HANDLE;
958 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
959 return NT_STATUS_INVALID_HANDLE;
962 /* check if the user has enough rights */
963 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
964 return NT_STATUS_ACCESS_DENIED;
967 if (num_sids > MAX_LOOKUP_SIDS) {
968 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
969 MAX_LOOKUP_SIDS, num_sids));
970 return NT_STATUS_NONE_MAPPED;
973 status = _lsa_lookup_sids_internal(p,
974 p->mem_ctx,
975 r->in.level,
976 num_sids,
977 r->in.sids->sids,
978 &domains,
979 &names,
980 &mapped_count);
982 /* Only return here when there is a real error.
983 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
984 the requested sids could be resolved. Older versions of XP (pre SP3)
985 rely that we return with the string representations of those SIDs in
986 that case. If we don't, XP crashes - Guenther
989 if (NT_STATUS_IS_ERR(status) &&
990 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
991 return status;
994 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
995 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
996 num_sids);
997 if (!names_out) {
998 return NT_STATUS_NO_MEMORY;
1001 for (i=0; i<num_sids; i++) {
1002 names_out[i].sid_type = names[i].sid_type;
1003 names_out[i].name = names[i].name;
1004 names_out[i].sid_index = names[i].sid_index;
1007 *r->out.domains = domains;
1008 r->out.names->count = num_sids;
1009 r->out.names->names = names_out;
1010 *r->out.count = mapped_count;
1012 return status;
1015 /***************************************************************************
1016 _lsa_LookupSids2
1017 ***************************************************************************/
1019 NTSTATUS _lsa_LookupSids2(struct pipes_struct *p,
1020 struct lsa_LookupSids2 *r)
1022 NTSTATUS status;
1023 struct lsa_info *handle;
1024 int num_sids = r->in.sids->num_sids;
1025 uint32 mapped_count = 0;
1026 struct lsa_RefDomainList *domains = NULL;
1027 struct lsa_TranslatedName2 *names = NULL;
1028 bool check_policy = true;
1030 switch (p->opnum) {
1031 case NDR_LSA_LOOKUPSIDS3:
1032 check_policy = false;
1033 break;
1034 case NDR_LSA_LOOKUPSIDS2:
1035 default:
1036 check_policy = true;
1039 if ((r->in.level < 1) || (r->in.level > 6)) {
1040 return NT_STATUS_INVALID_PARAMETER;
1043 if (check_policy) {
1044 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1045 return NT_STATUS_INVALID_HANDLE;
1048 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1049 return NT_STATUS_INVALID_HANDLE;
1052 /* check if the user has enough rights */
1053 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1054 return NT_STATUS_ACCESS_DENIED;
1058 if (num_sids > MAX_LOOKUP_SIDS) {
1059 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
1060 MAX_LOOKUP_SIDS, num_sids));
1061 return NT_STATUS_NONE_MAPPED;
1064 status = _lsa_lookup_sids_internal(p,
1065 p->mem_ctx,
1066 r->in.level,
1067 num_sids,
1068 r->in.sids->sids,
1069 &domains,
1070 &names,
1071 &mapped_count);
1073 *r->out.domains = domains;
1074 r->out.names->count = num_sids;
1075 r->out.names->names = names;
1076 *r->out.count = mapped_count;
1078 return status;
1081 /***************************************************************************
1082 _lsa_LookupSids3
1083 ***************************************************************************/
1085 NTSTATUS _lsa_LookupSids3(struct pipes_struct *p,
1086 struct lsa_LookupSids3 *r)
1088 struct lsa_LookupSids2 q;
1090 /* No policy handle on this call. Restrict to crypto connections. */
1091 if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1092 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
1093 get_remote_machine_name() ));
1094 return NT_STATUS_INVALID_PARAMETER;
1097 q.in.handle = NULL;
1098 q.in.sids = r->in.sids;
1099 q.in.level = r->in.level;
1100 q.in.lookup_options = r->in.lookup_options;
1101 q.in.client_revision = r->in.client_revision;
1102 q.in.names = r->in.names;
1103 q.in.count = r->in.count;
1105 q.out.domains = r->out.domains;
1106 q.out.names = r->out.names;
1107 q.out.count = r->out.count;
1109 return _lsa_LookupSids2(p, &q);
1112 /***************************************************************************
1113 ***************************************************************************/
1115 static int lsa_lookup_level_to_flags(enum lsa_LookupNamesLevel level)
1117 int flags;
1119 switch (level) {
1120 case LSA_LOOKUP_NAMES_ALL: /* 1 */
1121 flags = LOOKUP_NAME_ALL;
1122 break;
1123 case LSA_LOOKUP_NAMES_DOMAINS_ONLY: /* 2 */
1124 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1125 break;
1126 case LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY: /* 3 */
1127 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1128 break;
1129 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY: /* 4 */
1130 case LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY: /* 5 */
1131 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2: /* 6 */
1132 case LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC: /* 7 */
1133 default:
1134 flags = LOOKUP_NAME_NONE;
1135 break;
1138 return flags;
1141 /***************************************************************************
1142 _lsa_LookupNames
1143 ***************************************************************************/
1145 NTSTATUS _lsa_LookupNames(struct pipes_struct *p,
1146 struct lsa_LookupNames *r)
1148 NTSTATUS status = NT_STATUS_NONE_MAPPED;
1149 struct lsa_info *handle;
1150 struct lsa_String *names = r->in.names;
1151 uint32 num_entries = r->in.num_names;
1152 struct lsa_RefDomainList *domains = NULL;
1153 struct lsa_TranslatedSid *rids = NULL;
1154 uint32 mapped_count = 0;
1155 int flags = 0;
1157 if (num_entries > MAX_LOOKUP_SIDS) {
1158 num_entries = MAX_LOOKUP_SIDS;
1159 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1160 num_entries));
1163 flags = lsa_lookup_level_to_flags(r->in.level);
1165 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1166 if (!domains) {
1167 return NT_STATUS_NO_MEMORY;
1170 if (num_entries) {
1171 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1172 num_entries);
1173 if (!rids) {
1174 return NT_STATUS_NO_MEMORY;
1176 } else {
1177 rids = NULL;
1180 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1181 status = NT_STATUS_INVALID_HANDLE;
1182 goto done;
1185 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1186 return NT_STATUS_INVALID_HANDLE;
1189 /* check if the user has enough rights */
1190 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1191 status = NT_STATUS_ACCESS_DENIED;
1192 goto done;
1195 /* set up the LSA Lookup RIDs response */
1196 become_root(); /* lookup_name can require root privs */
1197 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1198 names, flags, &mapped_count);
1199 unbecome_root();
1201 done:
1203 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1204 if (mapped_count == 0) {
1205 status = NT_STATUS_NONE_MAPPED;
1206 } else if (mapped_count != num_entries) {
1207 status = STATUS_SOME_UNMAPPED;
1211 *r->out.count = mapped_count;
1212 *r->out.domains = domains;
1213 r->out.sids->sids = rids;
1214 r->out.sids->count = num_entries;
1216 return status;
1219 /***************************************************************************
1220 _lsa_LookupNames2
1221 ***************************************************************************/
1223 NTSTATUS _lsa_LookupNames2(struct pipes_struct *p,
1224 struct lsa_LookupNames2 *r)
1226 NTSTATUS status;
1227 struct lsa_LookupNames q;
1228 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1229 struct lsa_TransSidArray *sid_array = NULL;
1230 uint32_t i;
1232 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1233 if (!sid_array) {
1234 return NT_STATUS_NO_MEMORY;
1237 q.in.handle = r->in.handle;
1238 q.in.num_names = r->in.num_names;
1239 q.in.names = r->in.names;
1240 q.in.level = r->in.level;
1241 q.in.sids = sid_array;
1242 q.in.count = r->in.count;
1243 /* we do not know what this is for */
1244 /* = r->in.unknown1; */
1245 /* = r->in.unknown2; */
1247 q.out.domains = r->out.domains;
1248 q.out.sids = sid_array;
1249 q.out.count = r->out.count;
1251 status = _lsa_LookupNames(p, &q);
1253 sid_array2->count = sid_array->count;
1254 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1255 if (!sid_array2->sids) {
1256 return NT_STATUS_NO_MEMORY;
1259 for (i=0; i<sid_array->count; i++) {
1260 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1261 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1262 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1263 sid_array2->sids[i].unknown = 0;
1266 r->out.sids = sid_array2;
1268 return status;
1271 /***************************************************************************
1272 _lsa_LookupNames3
1273 ***************************************************************************/
1275 NTSTATUS _lsa_LookupNames3(struct pipes_struct *p,
1276 struct lsa_LookupNames3 *r)
1278 NTSTATUS status;
1279 struct lsa_info *handle;
1280 struct lsa_String *names = r->in.names;
1281 uint32 num_entries = r->in.num_names;
1282 struct lsa_RefDomainList *domains = NULL;
1283 struct lsa_TranslatedSid3 *trans_sids = NULL;
1284 uint32 mapped_count = 0;
1285 int flags = 0;
1286 bool check_policy = true;
1288 switch (p->opnum) {
1289 case NDR_LSA_LOOKUPNAMES4:
1290 check_policy = false;
1291 break;
1292 case NDR_LSA_LOOKUPNAMES3:
1293 default:
1294 check_policy = true;
1297 if (num_entries > MAX_LOOKUP_SIDS) {
1298 num_entries = MAX_LOOKUP_SIDS;
1299 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1302 /* Probably the lookup_level is some sort of bitmask. */
1303 if (r->in.level == 1) {
1304 flags = LOOKUP_NAME_ALL;
1307 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1308 if (!domains) {
1309 return NT_STATUS_NO_MEMORY;
1312 if (num_entries) {
1313 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1314 num_entries);
1315 if (!trans_sids) {
1316 return NT_STATUS_NO_MEMORY;
1318 } else {
1319 trans_sids = NULL;
1322 if (check_policy) {
1324 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1325 status = NT_STATUS_INVALID_HANDLE;
1326 goto done;
1329 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1330 return NT_STATUS_INVALID_HANDLE;
1333 /* check if the user has enough rights */
1334 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1335 status = NT_STATUS_ACCESS_DENIED;
1336 goto done;
1340 /* set up the LSA Lookup SIDs response */
1341 become_root(); /* lookup_name can require root privs */
1342 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1343 names, flags, &mapped_count);
1344 unbecome_root();
1346 done:
1348 if (NT_STATUS_IS_OK(status)) {
1349 if (mapped_count == 0) {
1350 status = NT_STATUS_NONE_MAPPED;
1351 } else if (mapped_count != num_entries) {
1352 status = STATUS_SOME_UNMAPPED;
1356 *r->out.count = mapped_count;
1357 *r->out.domains = domains;
1358 r->out.sids->sids = trans_sids;
1359 r->out.sids->count = num_entries;
1361 return status;
1364 /***************************************************************************
1365 _lsa_LookupNames4
1366 ***************************************************************************/
1368 NTSTATUS _lsa_LookupNames4(struct pipes_struct *p,
1369 struct lsa_LookupNames4 *r)
1371 struct lsa_LookupNames3 q;
1373 /* No policy handle on this call. Restrict to crypto connections. */
1374 if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1375 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1376 get_remote_machine_name() ));
1377 return NT_STATUS_INVALID_PARAMETER;
1380 q.in.handle = NULL;
1381 q.in.num_names = r->in.num_names;
1382 q.in.names = r->in.names;
1383 q.in.level = r->in.level;
1384 q.in.lookup_options = r->in.lookup_options;
1385 q.in.client_revision = r->in.client_revision;
1386 q.in.sids = r->in.sids;
1387 q.in.count = r->in.count;
1389 q.out.domains = r->out.domains;
1390 q.out.sids = r->out.sids;
1391 q.out.count = r->out.count;
1393 return _lsa_LookupNames3(p, &q);
1396 /***************************************************************************
1397 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1398 ***************************************************************************/
1400 NTSTATUS _lsa_Close(struct pipes_struct *p, struct lsa_Close *r)
1402 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1403 return NT_STATUS_INVALID_HANDLE;
1406 close_policy_hnd(p, r->in.handle);
1407 ZERO_STRUCTP(r->out.handle);
1408 return NT_STATUS_OK;
1411 /***************************************************************************
1412 ***************************************************************************/
1414 static NTSTATUS lsa_lookup_trusted_domain_by_sid(TALLOC_CTX *mem_ctx,
1415 const struct dom_sid *sid,
1416 struct trustdom_info **info)
1418 NTSTATUS status;
1419 uint32_t num_domains = 0;
1420 struct trustdom_info **domains = NULL;
1421 int i;
1423 status = pdb_enum_trusteddoms(mem_ctx, &num_domains, &domains);
1424 if (!NT_STATUS_IS_OK(status)) {
1425 return status;
1428 for (i=0; i < num_domains; i++) {
1429 if (dom_sid_equal(&domains[i]->sid, sid)) {
1430 break;
1434 if (i == num_domains) {
1435 return NT_STATUS_INVALID_PARAMETER;
1438 *info = domains[i];
1440 return NT_STATUS_OK;
1443 /***************************************************************************
1444 ***************************************************************************/
1446 static NTSTATUS lsa_lookup_trusted_domain_by_name(TALLOC_CTX *mem_ctx,
1447 const char *netbios_domain_name,
1448 struct trustdom_info **info_p)
1450 NTSTATUS status;
1451 struct trustdom_info *info;
1452 struct pdb_trusted_domain *td;
1454 status = pdb_get_trusted_domain(mem_ctx, netbios_domain_name, &td);
1455 if (!NT_STATUS_IS_OK(status)) {
1456 return status;
1459 info = talloc(mem_ctx, struct trustdom_info);
1460 if (!info) {
1461 return NT_STATUS_NO_MEMORY;
1464 info->name = talloc_strdup(info, netbios_domain_name);
1465 NT_STATUS_HAVE_NO_MEMORY(info->name);
1467 sid_copy(&info->sid, &td->security_identifier);
1469 *info_p = info;
1471 return NT_STATUS_OK;
1474 /***************************************************************************
1475 ***************************************************************************/
1477 NTSTATUS _lsa_OpenSecret(struct pipes_struct *p, struct lsa_OpenSecret *r)
1479 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1482 /***************************************************************************
1483 ***************************************************************************/
1485 NTSTATUS _lsa_OpenTrustedDomain(struct pipes_struct *p,
1486 struct lsa_OpenTrustedDomain *r)
1488 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1491 /***************************************************************************
1492 _lsa_CreateTrustedDomainEx2
1493 ***************************************************************************/
1495 NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
1496 struct lsa_CreateTrustedDomainEx2 *r)
1498 struct lsa_info *policy;
1499 NTSTATUS status;
1500 uint32_t acc_granted;
1501 struct security_descriptor *psd;
1502 size_t sd_size;
1503 struct pdb_trusted_domain td;
1505 if (!IS_DC) {
1506 return NT_STATUS_NOT_SUPPORTED;
1509 if (!find_policy_by_hnd(p, r->in.policy_handle, (void **)(void *)&policy)) {
1510 return NT_STATUS_INVALID_HANDLE;
1513 if (!(policy->access & LSA_POLICY_TRUST_ADMIN)) {
1514 return NT_STATUS_ACCESS_DENIED;
1517 if (p->server_info->utok.uid != sec_initial_uid() &&
1518 !nt_token_check_domain_rid(p->server_info->security_token, DOMAIN_RID_ADMINS)) {
1519 return NT_STATUS_ACCESS_DENIED;
1522 /* Work out max allowed. */
1523 map_max_allowed_access(p->server_info->security_token,
1524 &p->server_info->utok,
1525 &r->in.access_mask);
1527 /* map the generic bits to the lsa policy ones */
1528 se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1530 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1531 &lsa_trusted_domain_mapping,
1532 NULL, 0);
1533 if (!NT_STATUS_IS_OK(status)) {
1534 return status;
1537 status = access_check_object(psd, p->server_info->security_token,
1538 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
1539 r->in.access_mask, &acc_granted,
1540 "_lsa_CreateTrustedDomainEx2");
1541 if (!NT_STATUS_IS_OK(status)) {
1542 return status;
1545 ZERO_STRUCT(td);
1547 td.domain_name = r->in.info->domain_name.string;
1548 td.netbios_name = r->in.info->netbios_name.string;
1549 sid_copy(&td.security_identifier, r->in.info->sid);
1550 td.trust_auth_incoming.data = NULL;
1551 td.trust_auth_incoming.length = 0;
1552 td.trust_auth_outgoing.data = NULL;
1553 td.trust_auth_outgoing.length = 0;
1554 td.trust_direction = r->in.info->trust_direction;
1555 td.trust_type = r->in.info->trust_type;
1556 td.trust_attributes = r->in.info->trust_attributes;
1558 status = pdb_set_trusted_domain(r->in.info->domain_name.string, &td);
1559 if (!NT_STATUS_IS_OK(status)) {
1560 return status;
1563 status = create_lsa_policy_handle(p->mem_ctx, p,
1564 LSA_HANDLE_TRUST_TYPE,
1565 acc_granted,
1566 r->in.info->sid,
1567 r->in.info->netbios_name.string,
1568 psd,
1569 r->out.trustdom_handle);
1570 if (!NT_STATUS_IS_OK(status)) {
1571 pdb_del_trusteddom_pw(r->in.info->netbios_name.string);
1572 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1575 return NT_STATUS_OK;
1578 /***************************************************************************
1579 _lsa_CreateTrustedDomainEx
1580 ***************************************************************************/
1582 NTSTATUS _lsa_CreateTrustedDomainEx(struct pipes_struct *p,
1583 struct lsa_CreateTrustedDomainEx *r)
1585 struct lsa_CreateTrustedDomainEx2 q;
1587 q.in.policy_handle = r->in.policy_handle;
1588 q.in.info = r->in.info;
1589 q.in.auth_info = r->in.auth_info;
1590 q.in.access_mask = r->in.access_mask;
1591 q.out.trustdom_handle = r->out.trustdom_handle;
1593 return _lsa_CreateTrustedDomainEx2(p, &q);
1596 /***************************************************************************
1597 _lsa_CreateTrustedDomain
1598 ***************************************************************************/
1600 NTSTATUS _lsa_CreateTrustedDomain(struct pipes_struct *p,
1601 struct lsa_CreateTrustedDomain *r)
1603 struct lsa_CreateTrustedDomainEx2 c;
1604 struct lsa_TrustDomainInfoInfoEx info;
1605 struct lsa_TrustDomainInfoAuthInfoInternal auth_info;
1607 ZERO_STRUCT(auth_info);
1609 info.domain_name = r->in.info->name;
1610 info.netbios_name = r->in.info->name;
1611 info.sid = r->in.info->sid;
1612 info.trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
1613 info.trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
1614 info.trust_attributes = 0;
1616 c.in.policy_handle = r->in.policy_handle;
1617 c.in.info = &info;
1618 c.in.auth_info = &auth_info;
1619 c.in.access_mask = r->in.access_mask;
1620 c.out.trustdom_handle = r->out.trustdom_handle;
1622 return _lsa_CreateTrustedDomainEx2(p, &c);
1625 /***************************************************************************
1626 ***************************************************************************/
1628 NTSTATUS _lsa_CreateSecret(struct pipes_struct *p, struct lsa_CreateSecret *r)
1630 return NT_STATUS_ACCESS_DENIED;
1633 /***************************************************************************
1634 ***************************************************************************/
1636 NTSTATUS _lsa_SetSecret(struct pipes_struct *p, struct lsa_SetSecret *r)
1638 return NT_STATUS_ACCESS_DENIED;
1641 /***************************************************************************
1642 _lsa_DeleteObject
1643 ***************************************************************************/
1645 NTSTATUS _lsa_DeleteObject(struct pipes_struct *p,
1646 struct lsa_DeleteObject *r)
1648 NTSTATUS status;
1649 struct lsa_info *info = NULL;
1651 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1652 return NT_STATUS_INVALID_HANDLE;
1655 if (!(info->access & SEC_STD_DELETE)) {
1656 return NT_STATUS_ACCESS_DENIED;
1659 switch (info->type) {
1660 case LSA_HANDLE_ACCOUNT_TYPE:
1661 status = privilege_delete_account(&info->sid);
1662 if (!NT_STATUS_IS_OK(status)) {
1663 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1664 nt_errstr(status)));
1665 return status;
1667 break;
1668 default:
1669 return NT_STATUS_INVALID_HANDLE;
1672 close_policy_hnd(p, r->in.handle);
1673 ZERO_STRUCTP(r->out.handle);
1675 return status;
1678 /***************************************************************************
1679 _lsa_EnumPrivs
1680 ***************************************************************************/
1682 NTSTATUS _lsa_EnumPrivs(struct pipes_struct *p,
1683 struct lsa_EnumPrivs *r)
1685 struct lsa_info *handle;
1686 uint32 i;
1687 uint32 enum_context = *r->in.resume_handle;
1688 int num_privs = num_privileges_in_short_list();
1689 struct lsa_PrivEntry *entries = NULL;
1691 /* remember that the enum_context starts at 0 and not 1 */
1693 if ( enum_context >= num_privs )
1694 return NT_STATUS_NO_MORE_ENTRIES;
1696 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1697 enum_context, num_privs));
1699 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1700 return NT_STATUS_INVALID_HANDLE;
1702 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1703 return NT_STATUS_INVALID_HANDLE;
1706 /* check if the user has enough rights
1707 I don't know if it's the right one. not documented. */
1709 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1710 return NT_STATUS_ACCESS_DENIED;
1712 if (num_privs) {
1713 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1714 if (!entries) {
1715 return NT_STATUS_NO_MEMORY;
1717 } else {
1718 entries = NULL;
1721 for (i = 0; i < num_privs; i++) {
1722 if( i < enum_context) {
1724 init_lsa_StringLarge(&entries[i].name, NULL);
1726 entries[i].luid.low = 0;
1727 entries[i].luid.high = 0;
1728 } else {
1730 init_lsa_StringLarge(&entries[i].name, sec_privilege_name_from_index(i));
1732 entries[i].luid.low = sec_privilege_from_index(i);
1733 entries[i].luid.high = 0;
1737 enum_context = num_privs;
1739 *r->out.resume_handle = enum_context;
1740 r->out.privs->count = num_privs;
1741 r->out.privs->privs = entries;
1743 return NT_STATUS_OK;
1746 /***************************************************************************
1747 _lsa_LookupPrivDisplayName
1748 ***************************************************************************/
1750 NTSTATUS _lsa_LookupPrivDisplayName(struct pipes_struct *p,
1751 struct lsa_LookupPrivDisplayName *r)
1753 struct lsa_info *handle;
1754 const char *description;
1755 struct lsa_StringLarge *lsa_name;
1757 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1758 return NT_STATUS_INVALID_HANDLE;
1760 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1761 return NT_STATUS_INVALID_HANDLE;
1764 /* check if the user has enough rights */
1767 * I don't know if it's the right one. not documented.
1769 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1770 return NT_STATUS_ACCESS_DENIED;
1772 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1774 description = get_privilege_dispname(r->in.name->string);
1775 if (!description) {
1776 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1777 return NT_STATUS_NO_SUCH_PRIVILEGE;
1780 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1782 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1783 if (!lsa_name) {
1784 return NT_STATUS_NO_MEMORY;
1787 init_lsa_StringLarge(lsa_name, description);
1789 *r->out.returned_language_id = r->in.language_id;
1790 *r->out.disp_name = lsa_name;
1792 return NT_STATUS_OK;
1795 /***************************************************************************
1796 _lsa_EnumAccounts
1797 ***************************************************************************/
1799 NTSTATUS _lsa_EnumAccounts(struct pipes_struct *p,
1800 struct lsa_EnumAccounts *r)
1802 struct lsa_info *handle;
1803 struct dom_sid *sid_list;
1804 int i, j, num_entries;
1805 NTSTATUS status;
1806 struct lsa_SidPtr *sids = NULL;
1808 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1809 return NT_STATUS_INVALID_HANDLE;
1811 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1812 return NT_STATUS_INVALID_HANDLE;
1815 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1816 return NT_STATUS_ACCESS_DENIED;
1818 sid_list = NULL;
1819 num_entries = 0;
1821 /* The only way we can currently find out all the SIDs that have been
1822 privileged is to scan all privileges */
1824 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1825 if (!NT_STATUS_IS_OK(status)) {
1826 return status;
1829 if (*r->in.resume_handle >= num_entries) {
1830 return NT_STATUS_NO_MORE_ENTRIES;
1833 if (num_entries - *r->in.resume_handle) {
1834 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1835 num_entries - *r->in.resume_handle);
1836 if (!sids) {
1837 talloc_free(sid_list);
1838 return NT_STATUS_NO_MEMORY;
1841 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1842 sids[j].sid = dom_sid_dup(p->mem_ctx, &sid_list[i]);
1843 if (!sids[j].sid) {
1844 talloc_free(sid_list);
1845 return NT_STATUS_NO_MEMORY;
1850 talloc_free(sid_list);
1852 *r->out.resume_handle = num_entries;
1853 r->out.sids->num_sids = num_entries;
1854 r->out.sids->sids = sids;
1856 return NT_STATUS_OK;
1859 /***************************************************************************
1860 _lsa_GetUserName
1861 ***************************************************************************/
1863 NTSTATUS _lsa_GetUserName(struct pipes_struct *p,
1864 struct lsa_GetUserName *r)
1866 const char *username, *domname;
1867 struct lsa_String *account_name = NULL;
1868 struct lsa_String *authority_name = NULL;
1870 if (r->in.account_name &&
1871 *r->in.account_name) {
1872 return NT_STATUS_INVALID_PARAMETER;
1875 if (r->in.authority_name &&
1876 *r->in.authority_name) {
1877 return NT_STATUS_INVALID_PARAMETER;
1880 if (p->server_info->guest) {
1882 * I'm 99% sure this is not the right place to do this,
1883 * global_sid_Anonymous should probably be put into the token
1884 * instead of the guest id -- vl
1886 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1887 &domname, &username, NULL)) {
1888 return NT_STATUS_NO_MEMORY;
1890 } else {
1891 username = p->server_info->sanitized_username;
1892 domname = p->server_info->info3->base.domain.string;
1895 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1896 if (!account_name) {
1897 return NT_STATUS_NO_MEMORY;
1899 init_lsa_String(account_name, username);
1901 if (r->out.authority_name) {
1902 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1903 if (!authority_name) {
1904 return NT_STATUS_NO_MEMORY;
1906 init_lsa_String(authority_name, domname);
1909 *r->out.account_name = account_name;
1910 if (r->out.authority_name) {
1911 *r->out.authority_name = authority_name;
1914 return NT_STATUS_OK;
1917 /***************************************************************************
1918 _lsa_CreateAccount
1919 ***************************************************************************/
1921 NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
1922 struct lsa_CreateAccount *r)
1924 NTSTATUS status;
1925 struct lsa_info *handle;
1926 uint32_t acc_granted;
1927 struct security_descriptor *psd;
1928 size_t sd_size;
1930 /* find the connection policy handle. */
1931 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1932 return NT_STATUS_INVALID_HANDLE;
1934 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1935 return NT_STATUS_INVALID_HANDLE;
1938 /* check if the user has enough rights */
1940 if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
1941 return NT_STATUS_ACCESS_DENIED;
1944 /* Work out max allowed. */
1945 map_max_allowed_access(p->server_info->security_token,
1946 &p->server_info->utok,
1947 &r->in.access_mask);
1949 /* map the generic bits to the lsa policy ones */
1950 se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1952 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1953 &lsa_account_mapping,
1954 r->in.sid, LSA_POLICY_ALL_ACCESS);
1955 if (!NT_STATUS_IS_OK(status)) {
1956 return status;
1959 status = access_check_object(psd, p->server_info->security_token,
1960 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, r->in.access_mask,
1961 &acc_granted, "_lsa_CreateAccount");
1962 if (!NT_STATUS_IS_OK(status)) {
1963 return status;
1966 if ( is_privileged_sid( r->in.sid ) )
1967 return NT_STATUS_OBJECT_NAME_COLLISION;
1969 status = create_lsa_policy_handle(p->mem_ctx, p,
1970 LSA_HANDLE_ACCOUNT_TYPE,
1971 acc_granted,
1972 r->in.sid,
1973 NULL,
1974 psd,
1975 r->out.acct_handle);
1976 if (!NT_STATUS_IS_OK(status)) {
1977 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1980 return privilege_create_account(r->in.sid);
1983 /***************************************************************************
1984 _lsa_OpenAccount
1985 ***************************************************************************/
1987 NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
1988 struct lsa_OpenAccount *r)
1990 struct lsa_info *handle;
1991 struct security_descriptor *psd = NULL;
1992 size_t sd_size;
1993 uint32_t des_access = r->in.access_mask;
1994 uint32_t acc_granted;
1995 NTSTATUS status;
1997 /* find the connection policy handle. */
1998 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1999 return NT_STATUS_INVALID_HANDLE;
2001 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
2002 return NT_STATUS_INVALID_HANDLE;
2005 /* des_access is for the account here, not the policy
2006 * handle - so don't check against policy handle. */
2008 /* Work out max allowed. */
2009 map_max_allowed_access(p->server_info->security_token,
2010 &p->server_info->utok,
2011 &des_access);
2013 /* map the generic bits to the lsa account ones */
2014 se_map_generic(&des_access, &lsa_account_mapping);
2016 /* get the generic lsa account SD until we store it */
2017 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2018 &lsa_account_mapping,
2019 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2020 if (!NT_STATUS_IS_OK(status)) {
2021 return status;
2024 status = access_check_object(psd, p->server_info->security_token,
2025 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, des_access,
2026 &acc_granted, "_lsa_OpenAccount" );
2027 if (!NT_STATUS_IS_OK(status)) {
2028 return status;
2031 /* TODO: Fis the parsing routine before reenabling this check! */
2032 #if 0
2033 if (!lookup_sid(&handle->sid, dom_name, name, &type))
2034 return NT_STATUS_ACCESS_DENIED;
2035 #endif
2037 status = create_lsa_policy_handle(p->mem_ctx, p,
2038 LSA_HANDLE_ACCOUNT_TYPE,
2039 acc_granted,
2040 r->in.sid,
2041 NULL,
2042 psd,
2043 r->out.acct_handle);
2044 if (!NT_STATUS_IS_OK(status)) {
2045 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2048 return NT_STATUS_OK;
2051 /***************************************************************************
2052 _lsa_EnumPrivsAccount
2053 For a given SID, enumerate all the privilege this account has.
2054 ***************************************************************************/
2056 NTSTATUS _lsa_EnumPrivsAccount(struct pipes_struct *p,
2057 struct lsa_EnumPrivsAccount *r)
2059 NTSTATUS status = NT_STATUS_OK;
2060 struct lsa_info *info=NULL;
2061 PRIVILEGE_SET *privileges;
2062 struct lsa_PrivilegeSet *priv_set = NULL;
2064 /* find the connection policy handle. */
2065 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2066 return NT_STATUS_INVALID_HANDLE;
2068 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2069 return NT_STATUS_INVALID_HANDLE;
2072 if (!(info->access & LSA_ACCOUNT_VIEW))
2073 return NT_STATUS_ACCESS_DENIED;
2075 status = get_privileges_for_sid_as_set(p->mem_ctx, &privileges, &info->sid);
2076 if (!NT_STATUS_IS_OK(status)) {
2077 return status;
2080 *r->out.privs = priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
2081 if (!priv_set) {
2082 return NT_STATUS_NO_MEMORY;
2085 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
2086 sid_string_dbg(&info->sid),
2087 privileges->count));
2089 priv_set->count = privileges->count;
2090 priv_set->unknown = 0;
2091 priv_set->set = talloc_move(priv_set, &privileges->set);
2093 return status;
2096 /***************************************************************************
2097 _lsa_GetSystemAccessAccount
2098 ***************************************************************************/
2100 NTSTATUS _lsa_GetSystemAccessAccount(struct pipes_struct *p,
2101 struct lsa_GetSystemAccessAccount *r)
2103 NTSTATUS status;
2104 struct lsa_info *info = NULL;
2105 struct lsa_EnumPrivsAccount e;
2106 struct lsa_PrivilegeSet *privset;
2108 /* find the connection policy handle. */
2110 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2111 return NT_STATUS_INVALID_HANDLE;
2113 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2114 return NT_STATUS_INVALID_HANDLE;
2117 if (!(info->access & LSA_ACCOUNT_VIEW))
2118 return NT_STATUS_ACCESS_DENIED;
2120 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
2121 if (!privset) {
2122 return NT_STATUS_NO_MEMORY;
2125 e.in.handle = r->in.handle;
2126 e.out.privs = &privset;
2128 status = _lsa_EnumPrivsAccount(p, &e);
2129 if (!NT_STATUS_IS_OK(status)) {
2130 DEBUG(10,("_lsa_GetSystemAccessAccount: "
2131 "failed to call _lsa_EnumPrivsAccount(): %s\n",
2132 nt_errstr(status)));
2133 return status;
2136 /* Samba4 would iterate over the privset to merge the policy mode bits,
2137 * not sure samba3 can do the same here, so just return what we did in
2138 * the past - gd */
2141 0x01 -> Log on locally
2142 0x02 -> Access this computer from network
2143 0x04 -> Log on as a batch job
2144 0x10 -> Log on as a service
2146 they can be ORed together
2149 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
2150 LSA_POLICY_MODE_NETWORK;
2152 return NT_STATUS_OK;
2155 /***************************************************************************
2156 update the systemaccount information
2157 ***************************************************************************/
2159 NTSTATUS _lsa_SetSystemAccessAccount(struct pipes_struct *p,
2160 struct lsa_SetSystemAccessAccount *r)
2162 struct lsa_info *info=NULL;
2163 GROUP_MAP map;
2165 /* find the connection policy handle. */
2166 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2167 return NT_STATUS_INVALID_HANDLE;
2169 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2170 return NT_STATUS_INVALID_HANDLE;
2173 if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
2174 return NT_STATUS_ACCESS_DENIED;
2177 if (!pdb_getgrsid(&map, info->sid))
2178 return NT_STATUS_NO_SUCH_GROUP;
2180 return pdb_update_group_mapping_entry(&map);
2183 /***************************************************************************
2184 _lsa_AddPrivilegesToAccount
2185 For a given SID, add some privileges.
2186 ***************************************************************************/
2188 NTSTATUS _lsa_AddPrivilegesToAccount(struct pipes_struct *p,
2189 struct lsa_AddPrivilegesToAccount *r)
2191 struct lsa_info *info = NULL;
2192 struct lsa_PrivilegeSet *set = NULL;
2194 /* find the connection policy handle. */
2195 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2196 return NT_STATUS_INVALID_HANDLE;
2198 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2199 return NT_STATUS_INVALID_HANDLE;
2202 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2203 return NT_STATUS_ACCESS_DENIED;
2206 set = r->in.privs;
2208 if ( !grant_privilege_set( &info->sid, set ) ) {
2209 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege_set(%s) failed!\n",
2210 sid_string_dbg(&info->sid) ));
2211 return NT_STATUS_NO_SUCH_PRIVILEGE;
2214 return NT_STATUS_OK;
2217 /***************************************************************************
2218 _lsa_RemovePrivilegesFromAccount
2219 For a given SID, remove some privileges.
2220 ***************************************************************************/
2222 NTSTATUS _lsa_RemovePrivilegesFromAccount(struct pipes_struct *p,
2223 struct lsa_RemovePrivilegesFromAccount *r)
2225 struct lsa_info *info = NULL;
2226 struct lsa_PrivilegeSet *set = NULL;
2228 /* find the connection policy handle. */
2229 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2230 return NT_STATUS_INVALID_HANDLE;
2232 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2233 return NT_STATUS_INVALID_HANDLE;
2236 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2237 return NT_STATUS_ACCESS_DENIED;
2240 set = r->in.privs;
2242 if ( !revoke_privilege_set( &info->sid, set) ) {
2243 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2244 sid_string_dbg(&info->sid) ));
2245 return NT_STATUS_NO_SUCH_PRIVILEGE;
2248 return NT_STATUS_OK;
2251 /***************************************************************************
2252 _lsa_LookupPrivName
2253 ***************************************************************************/
2255 NTSTATUS _lsa_LookupPrivName(struct pipes_struct *p,
2256 struct lsa_LookupPrivName *r)
2258 struct lsa_info *info = NULL;
2259 const char *name;
2260 struct lsa_StringLarge *lsa_name;
2262 /* find the connection policy handle. */
2263 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2264 return NT_STATUS_INVALID_HANDLE;
2267 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2268 return NT_STATUS_INVALID_HANDLE;
2271 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2272 return NT_STATUS_ACCESS_DENIED;
2275 if (r->in.luid->high != 0) {
2276 return NT_STATUS_NO_SUCH_PRIVILEGE;
2279 name = sec_privilege_name(r->in.luid->low);
2280 if (!name) {
2281 return NT_STATUS_NO_SUCH_PRIVILEGE;
2284 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2285 if (!lsa_name) {
2286 return NT_STATUS_NO_MEMORY;
2289 lsa_name->string = talloc_strdup(lsa_name, name);
2290 if (!lsa_name->string) {
2291 TALLOC_FREE(lsa_name);
2292 return NT_STATUS_NO_MEMORY;
2295 *r->out.name = lsa_name;
2297 return NT_STATUS_OK;
2300 /***************************************************************************
2301 _lsa_QuerySecurity
2302 ***************************************************************************/
2304 NTSTATUS _lsa_QuerySecurity(struct pipes_struct *p,
2305 struct lsa_QuerySecurity *r)
2307 struct lsa_info *handle=NULL;
2308 struct security_descriptor *psd = NULL;
2309 size_t sd_size;
2310 NTSTATUS status;
2312 /* find the connection policy handle. */
2313 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2314 return NT_STATUS_INVALID_HANDLE;
2316 switch (handle->type) {
2317 case LSA_HANDLE_POLICY_TYPE:
2318 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2319 &lsa_policy_mapping, NULL, 0);
2320 break;
2321 case LSA_HANDLE_ACCOUNT_TYPE:
2322 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2323 &lsa_account_mapping,
2324 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2325 break;
2326 default:
2327 status = NT_STATUS_INVALID_HANDLE;
2328 break;
2331 if (!NT_STATUS_IS_OK(status)) {
2332 return status;
2335 *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2336 if (!*r->out.sdbuf) {
2337 return NT_STATUS_NO_MEMORY;
2340 return status;
2343 /***************************************************************************
2344 _lsa_AddAccountRights
2345 ***************************************************************************/
2347 NTSTATUS _lsa_AddAccountRights(struct pipes_struct *p,
2348 struct lsa_AddAccountRights *r)
2350 struct lsa_info *info = NULL;
2351 int i = 0;
2352 uint32_t acc_granted = 0;
2353 struct security_descriptor *psd = NULL;
2354 size_t sd_size;
2355 struct dom_sid sid;
2356 NTSTATUS status;
2358 /* find the connection policy handle. */
2359 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2360 return NT_STATUS_INVALID_HANDLE;
2362 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2363 return NT_STATUS_INVALID_HANDLE;
2366 /* get the generic lsa account SD for this SID until we store it */
2367 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2368 &lsa_account_mapping,
2369 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2370 if (!NT_STATUS_IS_OK(status)) {
2371 return status;
2375 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2376 * on the policy handle. If it does, ask for
2377 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2378 * on the account sid. We don't check here so just use the latter. JRA.
2381 status = access_check_object(psd, p->server_info->security_token,
2382 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
2383 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2384 &acc_granted, "_lsa_AddAccountRights" );
2385 if (!NT_STATUS_IS_OK(status)) {
2386 return status;
2389 /* according to an NT4 PDC, you can add privileges to SIDs even without
2390 call_lsa_create_account() first. And you can use any arbitrary SID. */
2392 sid_copy( &sid, r->in.sid );
2394 for ( i=0; i < r->in.rights->count; i++ ) {
2396 const char *privname = r->in.rights->names[i].string;
2398 /* only try to add non-null strings */
2400 if ( !privname )
2401 continue;
2403 if ( !grant_privilege_by_name( &sid, privname ) ) {
2404 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2405 privname ));
2406 return NT_STATUS_NO_SUCH_PRIVILEGE;
2410 return NT_STATUS_OK;
2413 /***************************************************************************
2414 _lsa_RemoveAccountRights
2415 ***************************************************************************/
2417 NTSTATUS _lsa_RemoveAccountRights(struct pipes_struct *p,
2418 struct lsa_RemoveAccountRights *r)
2420 struct lsa_info *info = NULL;
2421 int i = 0;
2422 struct security_descriptor *psd = NULL;
2423 size_t sd_size;
2424 struct dom_sid sid;
2425 const char *privname = NULL;
2426 uint32_t acc_granted = 0;
2427 NTSTATUS status;
2429 /* find the connection policy handle. */
2430 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2431 return NT_STATUS_INVALID_HANDLE;
2433 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2434 return NT_STATUS_INVALID_HANDLE;
2437 /* get the generic lsa account SD for this SID until we store it */
2438 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2439 &lsa_account_mapping,
2440 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2441 if (!NT_STATUS_IS_OK(status)) {
2442 return status;
2446 * From the MS DOCs. We need
2447 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2448 * and DELETE on the account sid.
2451 status = access_check_object(psd, p->server_info->security_token,
2452 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
2453 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2454 LSA_ACCOUNT_VIEW|SEC_STD_DELETE,
2455 &acc_granted, "_lsa_RemoveAccountRights");
2456 if (!NT_STATUS_IS_OK(status)) {
2457 return status;
2460 sid_copy( &sid, r->in.sid );
2462 if ( r->in.remove_all ) {
2463 if ( !revoke_all_privileges( &sid ) )
2464 return NT_STATUS_ACCESS_DENIED;
2466 return NT_STATUS_OK;
2469 for ( i=0; i < r->in.rights->count; i++ ) {
2471 privname = r->in.rights->names[i].string;
2473 /* only try to add non-null strings */
2475 if ( !privname )
2476 continue;
2478 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2479 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2480 privname ));
2481 return NT_STATUS_NO_SUCH_PRIVILEGE;
2485 return NT_STATUS_OK;
2488 /*******************************************************************
2489 ********************************************************************/
2491 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2492 struct lsa_RightSet *r,
2493 PRIVILEGE_SET *privileges)
2495 uint32 i;
2496 const char *privname;
2497 const char **privname_array = NULL;
2498 int num_priv = 0;
2500 for (i=0; i<privileges->count; i++) {
2501 if (privileges->set[i].luid.high) {
2502 continue;
2504 privname = sec_privilege_name(privileges->set[i].luid.low);
2505 if (privname) {
2506 if (!add_string_to_array(mem_ctx, privname,
2507 &privname_array, &num_priv)) {
2508 return NT_STATUS_NO_MEMORY;
2513 if (num_priv) {
2515 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2516 num_priv);
2517 if (!r->names) {
2518 return NT_STATUS_NO_MEMORY;
2521 for (i=0; i<num_priv; i++) {
2522 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2525 r->count = num_priv;
2528 return NT_STATUS_OK;
2531 /***************************************************************************
2532 _lsa_EnumAccountRights
2533 ***************************************************************************/
2535 NTSTATUS _lsa_EnumAccountRights(struct pipes_struct *p,
2536 struct lsa_EnumAccountRights *r)
2538 NTSTATUS status;
2539 struct lsa_info *info = NULL;
2540 PRIVILEGE_SET *privileges;
2542 /* find the connection policy handle. */
2544 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2545 return NT_STATUS_INVALID_HANDLE;
2547 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2548 return NT_STATUS_INVALID_HANDLE;
2551 if (!(info->access & LSA_ACCOUNT_VIEW)) {
2552 return NT_STATUS_ACCESS_DENIED;
2555 /* according to an NT4 PDC, you can add privileges to SIDs even without
2556 call_lsa_create_account() first. And you can use any arbitrary SID. */
2558 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2559 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2560 * the lsa database */
2562 status = get_privileges_for_sid_as_set(p->mem_ctx, &privileges, r->in.sid);
2563 if (!NT_STATUS_IS_OK(status)) {
2564 return status;
2567 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2568 sid_string_dbg(r->in.sid), privileges->count));
2570 status = init_lsa_right_set(p->mem_ctx, r->out.rights, privileges);
2572 return status;
2575 /***************************************************************************
2576 _lsa_LookupPrivValue
2577 ***************************************************************************/
2579 NTSTATUS _lsa_LookupPrivValue(struct pipes_struct *p,
2580 struct lsa_LookupPrivValue *r)
2582 struct lsa_info *info = NULL;
2583 const char *name = NULL;
2585 /* find the connection policy handle. */
2587 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2588 return NT_STATUS_INVALID_HANDLE;
2590 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2591 return NT_STATUS_INVALID_HANDLE;
2594 if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2595 return NT_STATUS_ACCESS_DENIED;
2597 name = r->in.name->string;
2599 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2601 r->out.luid->low = sec_privilege_id(name);
2602 r->out.luid->high = 0;
2603 if (r->out.luid->low == SEC_PRIV_INVALID) {
2604 return NT_STATUS_NO_SUCH_PRIVILEGE;
2606 return NT_STATUS_OK;
2609 /***************************************************************************
2610 _lsa_EnumAccountsWithUserRight
2611 ***************************************************************************/
2613 NTSTATUS _lsa_EnumAccountsWithUserRight(struct pipes_struct *p,
2614 struct lsa_EnumAccountsWithUserRight *r)
2616 NTSTATUS status;
2617 struct lsa_info *info = NULL;
2618 struct dom_sid *sids = NULL;
2619 int num_sids = 0;
2620 uint32_t i;
2621 enum sec_privilege privilege;
2623 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2624 return NT_STATUS_INVALID_HANDLE;
2627 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2628 return NT_STATUS_INVALID_HANDLE;
2631 if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2632 return NT_STATUS_ACCESS_DENIED;
2635 if (!r->in.name || !r->in.name->string) {
2636 return NT_STATUS_NO_SUCH_PRIVILEGE;
2639 privilege = sec_privilege_id(r->in.name->string);
2640 if (privilege == SEC_PRIV_INVALID) {
2641 return NT_STATUS_NO_SUCH_PRIVILEGE;
2644 status = privilege_enum_sids(privilege, p->mem_ctx,
2645 &sids, &num_sids);
2646 if (!NT_STATUS_IS_OK(status)) {
2647 return status;
2650 r->out.sids->num_sids = num_sids;
2651 r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2652 r->out.sids->num_sids);
2654 for (i=0; i < r->out.sids->num_sids; i++) {
2655 r->out.sids->sids[i].sid = dom_sid_dup(r->out.sids->sids,
2656 &sids[i]);
2657 if (!r->out.sids->sids[i].sid) {
2658 TALLOC_FREE(r->out.sids->sids);
2659 r->out.sids->num_sids = 0;
2660 return NT_STATUS_NO_MEMORY;
2664 return NT_STATUS_OK;
2667 /***************************************************************************
2668 _lsa_Delete
2669 ***************************************************************************/
2671 NTSTATUS _lsa_Delete(struct pipes_struct *p,
2672 struct lsa_Delete *r)
2674 return NT_STATUS_NOT_SUPPORTED;
2678 * From here on the server routines are just dummy ones to make smbd link with
2679 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2680 * pulling the server stubs across one by one.
2683 NTSTATUS _lsa_SetSecObj(struct pipes_struct *p, struct lsa_SetSecObj *r)
2685 p->rng_fault_state = True;
2686 return NT_STATUS_NOT_IMPLEMENTED;
2689 NTSTATUS _lsa_ChangePassword(struct pipes_struct *p,
2690 struct lsa_ChangePassword *r)
2692 p->rng_fault_state = True;
2693 return NT_STATUS_NOT_IMPLEMENTED;
2696 NTSTATUS _lsa_SetInfoPolicy(struct pipes_struct *p, struct lsa_SetInfoPolicy *r)
2698 p->rng_fault_state = True;
2699 return NT_STATUS_NOT_IMPLEMENTED;
2702 NTSTATUS _lsa_ClearAuditLog(struct pipes_struct *p, struct lsa_ClearAuditLog *r)
2704 p->rng_fault_state = True;
2705 return NT_STATUS_NOT_IMPLEMENTED;
2708 NTSTATUS _lsa_GetQuotasForAccount(struct pipes_struct *p,
2709 struct lsa_GetQuotasForAccount *r)
2711 p->rng_fault_state = True;
2712 return NT_STATUS_NOT_IMPLEMENTED;
2715 NTSTATUS _lsa_SetQuotasForAccount(struct pipes_struct *p,
2716 struct lsa_SetQuotasForAccount *r)
2718 p->rng_fault_state = True;
2719 return NT_STATUS_NOT_IMPLEMENTED;
2722 NTSTATUS _lsa_QueryTrustedDomainInfo(struct pipes_struct *p,
2723 struct lsa_QueryTrustedDomainInfo *r)
2725 p->rng_fault_state = True;
2726 return NT_STATUS_NOT_IMPLEMENTED;
2729 NTSTATUS _lsa_SetInformationTrustedDomain(struct pipes_struct *p,
2730 struct lsa_SetInformationTrustedDomain *r)
2732 p->rng_fault_state = True;
2733 return NT_STATUS_NOT_IMPLEMENTED;
2736 NTSTATUS _lsa_QuerySecret(struct pipes_struct *p, struct lsa_QuerySecret *r)
2738 p->rng_fault_state = True;
2739 return NT_STATUS_NOT_IMPLEMENTED;
2742 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(struct pipes_struct *p,
2743 struct lsa_QueryTrustedDomainInfoBySid *r)
2745 p->rng_fault_state = True;
2746 return NT_STATUS_NOT_IMPLEMENTED;
2749 NTSTATUS _lsa_SetTrustedDomainInfo(struct pipes_struct *p,
2750 struct lsa_SetTrustedDomainInfo *r)
2752 p->rng_fault_state = True;
2753 return NT_STATUS_NOT_IMPLEMENTED;
2756 NTSTATUS _lsa_DeleteTrustedDomain(struct pipes_struct *p,
2757 struct lsa_DeleteTrustedDomain *r)
2759 p->rng_fault_state = True;
2760 return NT_STATUS_NOT_IMPLEMENTED;
2763 NTSTATUS _lsa_StorePrivateData(struct pipes_struct *p,
2764 struct lsa_StorePrivateData *r)
2766 p->rng_fault_state = True;
2767 return NT_STATUS_NOT_IMPLEMENTED;
2770 NTSTATUS _lsa_RetrievePrivateData(struct pipes_struct *p,
2771 struct lsa_RetrievePrivateData *r)
2773 p->rng_fault_state = True;
2774 return NT_STATUS_NOT_IMPLEMENTED;
2777 NTSTATUS _lsa_SetInfoPolicy2(struct pipes_struct *p,
2778 struct lsa_SetInfoPolicy2 *r)
2780 p->rng_fault_state = True;
2781 return NT_STATUS_NOT_IMPLEMENTED;
2784 NTSTATUS _lsa_QueryTrustedDomainInfoByName(struct pipes_struct *p,
2785 struct lsa_QueryTrustedDomainInfoByName *r)
2787 p->rng_fault_state = True;
2788 return NT_STATUS_NOT_IMPLEMENTED;
2791 NTSTATUS _lsa_SetTrustedDomainInfoByName(struct pipes_struct *p,
2792 struct lsa_SetTrustedDomainInfoByName *r)
2794 p->rng_fault_state = True;
2795 return NT_STATUS_NOT_IMPLEMENTED;
2798 NTSTATUS _lsa_EnumTrustedDomainsEx(struct pipes_struct *p,
2799 struct lsa_EnumTrustedDomainsEx *r)
2801 p->rng_fault_state = True;
2802 return NT_STATUS_NOT_IMPLEMENTED;
2805 NTSTATUS _lsa_CloseTrustedDomainEx(struct pipes_struct *p,
2806 struct lsa_CloseTrustedDomainEx *r)
2808 p->rng_fault_state = True;
2809 return NT_STATUS_NOT_IMPLEMENTED;
2812 NTSTATUS _lsa_QueryDomainInformationPolicy(struct pipes_struct *p,
2813 struct lsa_QueryDomainInformationPolicy *r)
2815 p->rng_fault_state = True;
2816 return NT_STATUS_NOT_IMPLEMENTED;
2819 NTSTATUS _lsa_SetDomainInformationPolicy(struct pipes_struct *p,
2820 struct lsa_SetDomainInformationPolicy *r)
2822 p->rng_fault_state = True;
2823 return NT_STATUS_NOT_IMPLEMENTED;
2826 NTSTATUS _lsa_OpenTrustedDomainByName(struct pipes_struct *p,
2827 struct lsa_OpenTrustedDomainByName *r)
2829 p->rng_fault_state = True;
2830 return NT_STATUS_NOT_IMPLEMENTED;
2833 NTSTATUS _lsa_TestCall(struct pipes_struct *p, struct lsa_TestCall *r)
2835 p->rng_fault_state = True;
2836 return NT_STATUS_NOT_IMPLEMENTED;
2839 NTSTATUS _lsa_CREDRWRITE(struct pipes_struct *p, struct lsa_CREDRWRITE *r)
2841 p->rng_fault_state = True;
2842 return NT_STATUS_NOT_IMPLEMENTED;
2845 NTSTATUS _lsa_CREDRREAD(struct pipes_struct *p, struct lsa_CREDRREAD *r)
2847 p->rng_fault_state = True;
2848 return NT_STATUS_NOT_IMPLEMENTED;
2851 NTSTATUS _lsa_CREDRENUMERATE(struct pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2853 p->rng_fault_state = True;
2854 return NT_STATUS_NOT_IMPLEMENTED;
2857 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(struct pipes_struct *p,
2858 struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2860 p->rng_fault_state = True;
2861 return NT_STATUS_NOT_IMPLEMENTED;
2864 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(struct pipes_struct *p,
2865 struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2867 p->rng_fault_state = True;
2868 return NT_STATUS_NOT_IMPLEMENTED;
2871 NTSTATUS _lsa_CREDRDELETE(struct pipes_struct *p, struct lsa_CREDRDELETE *r)
2873 p->rng_fault_state = True;
2874 return NT_STATUS_NOT_IMPLEMENTED;
2877 NTSTATUS _lsa_CREDRGETTARGETINFO(struct pipes_struct *p,
2878 struct lsa_CREDRGETTARGETINFO *r)
2880 p->rng_fault_state = True;
2881 return NT_STATUS_NOT_IMPLEMENTED;
2884 NTSTATUS _lsa_CREDRPROFILELOADED(struct pipes_struct *p,
2885 struct lsa_CREDRPROFILELOADED *r)
2887 p->rng_fault_state = True;
2888 return NT_STATUS_NOT_IMPLEMENTED;
2891 NTSTATUS _lsa_CREDRGETSESSIONTYPES(struct pipes_struct *p,
2892 struct lsa_CREDRGETSESSIONTYPES *r)
2894 p->rng_fault_state = True;
2895 return NT_STATUS_NOT_IMPLEMENTED;
2898 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(struct pipes_struct *p,
2899 struct lsa_LSARREGISTERAUDITEVENT *r)
2901 p->rng_fault_state = True;
2902 return NT_STATUS_NOT_IMPLEMENTED;
2905 NTSTATUS _lsa_LSARGENAUDITEVENT(struct pipes_struct *p,
2906 struct lsa_LSARGENAUDITEVENT *r)
2908 p->rng_fault_state = True;
2909 return NT_STATUS_NOT_IMPLEMENTED;
2912 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(struct pipes_struct *p,
2913 struct lsa_LSARUNREGISTERAUDITEVENT *r)
2915 p->rng_fault_state = True;
2916 return NT_STATUS_NOT_IMPLEMENTED;
2919 NTSTATUS _lsa_lsaRQueryForestTrustInformation(struct pipes_struct *p,
2920 struct lsa_lsaRQueryForestTrustInformation *r)
2922 p->rng_fault_state = True;
2923 return NT_STATUS_NOT_IMPLEMENTED;
2926 NTSTATUS _lsa_lsaRSetForestTrustInformation(struct pipes_struct *p,
2927 struct lsa_lsaRSetForestTrustInformation *r)
2929 p->rng_fault_state = True;
2930 return NT_STATUS_NOT_IMPLEMENTED;
2933 NTSTATUS _lsa_CREDRRENAME(struct pipes_struct *p,
2934 struct lsa_CREDRRENAME *r)
2936 p->rng_fault_state = True;
2937 return NT_STATUS_NOT_IMPLEMENTED;
2940 NTSTATUS _lsa_LSAROPENPOLICYSCE(struct pipes_struct *p,
2941 struct lsa_LSAROPENPOLICYSCE *r)
2943 p->rng_fault_state = True;
2944 return NT_STATUS_NOT_IMPLEMENTED;
2947 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(struct pipes_struct *p,
2948 struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2950 p->rng_fault_state = True;
2951 return NT_STATUS_NOT_IMPLEMENTED;
2954 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(struct pipes_struct *p,
2955 struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2957 p->rng_fault_state = True;
2958 return NT_STATUS_NOT_IMPLEMENTED;
2961 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(struct pipes_struct *p,
2962 struct lsa_LSARADTREPORTSECURITYEVENT *r)
2964 p->rng_fault_state = True;
2965 return NT_STATUS_NOT_IMPLEMENTED;