2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
29 /* This is the implementation of the lsa server code. */
34 #define DBGC_CLASS DBGC_RPC_SRV
36 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
40 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
45 enum lsa_handle_type type;
48 const struct generic_mapping lsa_account_mapping = {
52 LSA_ACCOUNT_ALL_ACCESS
55 const struct generic_mapping lsa_policy_mapping = {
62 /***************************************************************************
63 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
64 ***************************************************************************/
66 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
67 struct lsa_RefDomainList *ref,
73 if (dom_name != NULL) {
74 for (num = 0; num < ref->count; num++) {
75 if (sid_equal(dom_sid, ref->domains[num].sid)) {
83 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
84 /* index not found, already at maximum domain limit */
89 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
91 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
92 struct lsa_DomainInfo, ref->count);
97 ZERO_STRUCT(ref->domains[num]);
99 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
100 ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
101 if (!ref->domains[num].sid) {
109 /***************************************************************************
110 initialize a lsa_DomainInfo structure.
111 ***************************************************************************/
113 static void init_dom_query_3(struct lsa_DomainInfo *r,
117 init_lsa_StringLarge(&r->name, name);
121 /***************************************************************************
122 initialize a lsa_DomainInfo structure.
123 ***************************************************************************/
125 static void init_dom_query_5(struct lsa_DomainInfo *r,
129 init_lsa_StringLarge(&r->name, name);
133 /***************************************************************************
134 lookup_lsa_rids. Must be called as root for lookup_name to work.
135 ***************************************************************************/
137 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
138 struct lsa_RefDomainList *ref,
139 struct lsa_TranslatedSid *prid,
140 uint32_t num_entries,
141 struct lsa_String *name,
143 uint32_t *pmapped_count)
145 uint32 mapped_count, i;
147 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
152 for (i = 0; i < num_entries; i++) {
156 const char *full_name;
158 enum lsa_SidType type = SID_NAME_UNKNOWN;
160 /* Split name into domain and user component */
162 full_name = name[i].string;
163 if (full_name == NULL) {
164 return NT_STATUS_NO_MEMORY;
167 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
169 /* We can ignore the result of lookup_name, it will not touch
170 "type" if it's not successful */
172 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
177 case SID_NAME_DOM_GRP:
178 case SID_NAME_DOMAIN:
180 case SID_NAME_WKN_GRP:
181 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
182 /* Leave these unchanged */
185 /* Don't hand out anything but the list above */
186 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
187 type = SID_NAME_UNKNOWN;
194 if (type != SID_NAME_UNKNOWN) {
195 sid_split_rid(&sid, &rid);
196 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
200 prid[i].sid_type = type;
202 prid[i].sid_index = dom_idx;
205 *pmapped_count = mapped_count;
209 /***************************************************************************
210 lookup_lsa_sids. Must be called as root for lookup_name to work.
211 ***************************************************************************/
213 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
214 struct lsa_RefDomainList *ref,
215 struct lsa_TranslatedSid3 *trans_sids,
216 uint32_t num_entries,
217 struct lsa_String *name,
219 uint32 *pmapped_count)
221 uint32 mapped_count, i;
223 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
228 for (i = 0; i < num_entries; i++) {
232 const char *full_name;
234 enum lsa_SidType type = SID_NAME_UNKNOWN;
238 /* Split name into domain and user component */
240 full_name = name[i].string;
241 if (full_name == NULL) {
242 return NT_STATUS_NO_MEMORY;
245 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
247 /* We can ignore the result of lookup_name, it will not touch
248 "type" if it's not successful */
250 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
255 case SID_NAME_DOM_GRP:
256 case SID_NAME_DOMAIN:
258 case SID_NAME_WKN_GRP:
259 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
260 /* Leave these unchanged */
263 /* Don't hand out anything but the list above */
264 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
265 type = SID_NAME_UNKNOWN;
272 if (type != SID_NAME_UNKNOWN) {
274 sid_copy(&domain_sid, &sid);
275 sid_split_rid(&domain_sid, &rid);
276 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
280 /* Initialize the lsa_TranslatedSid3 return. */
281 trans_sids[i].sid_type = type;
282 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
283 trans_sids[i].sid_index = dom_idx;
286 *pmapped_count = mapped_count;
290 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size,
291 const struct generic_mapping *map,
292 DOM_SID *sid, uint32_t sid_access)
300 /* READ|EXECUTE access for Everyone */
302 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
303 map->generic_execute | map->generic_read, 0);
305 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
307 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
308 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
309 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
310 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
312 /* Add Full Access for Domain Admins */
313 sid_copy(&adm_sid, get_global_sam_sid());
314 sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
315 init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
316 map->generic_all, 0);
318 /* If we have a sid, give it some special access */
321 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
325 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
326 return NT_STATUS_NO_MEMORY;
328 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
329 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
330 psa, sd_size)) == NULL)
331 return NT_STATUS_NO_MEMORY;
337 /***************************************************************************
339 ***************************************************************************/
341 NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
342 struct lsa_OpenPolicy2 *r)
344 struct lsa_info *info;
345 SEC_DESC *psd = NULL;
347 uint32 des_access = r->in.access_mask;
351 /* Work out max allowed. */
352 map_max_allowed_access(p->server_info->ptok, &des_access);
354 /* map the generic bits to the lsa policy ones */
355 se_map_generic(&des_access, &lsa_policy_mapping);
357 /* get the generic lsa policy SD until we store it */
358 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
360 if (!NT_STATUS_IS_OK(status)) {
364 status = access_check_object(psd, p->server_info->ptok,
366 &acc_granted, "_lsa_OpenPolicy2" );
368 if (!NT_STATUS_IS_OK(status)) {
372 /* associate the domain SID with the (unique) handle. */
373 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
375 return NT_STATUS_NO_MEMORY;
378 sid_copy(&info->sid,get_global_sam_sid());
379 info->access = acc_granted;
380 info->type = LSA_HANDLE_POLICY_TYPE;
382 /* set up the LSA QUERY INFO response */
383 if (!create_policy_hnd(p, r->out.handle, info))
384 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
389 /***************************************************************************
391 ***************************************************************************/
393 NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
394 struct lsa_OpenPolicy *r)
396 struct lsa_OpenPolicy2 o;
398 o.in.system_name = NULL; /* should be ignored */
399 o.in.attr = r->in.attr;
400 o.in.access_mask = r->in.access_mask;
402 o.out.handle = r->out.handle;
404 return _lsa_OpenPolicy2(p, &o);
407 /***************************************************************************
408 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
410 ***************************************************************************/
412 NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
413 struct lsa_EnumTrustDom *r)
415 struct lsa_info *info;
417 struct trustdom_info **domains;
418 struct lsa_DomainInfo *lsa_domains = NULL;
422 * preferred length is set to 5 as a "our" preferred length
423 * nt sets this parameter to 2
424 * update (20.08.2002): it's not preferred length, but preferred size!
425 * it needs further investigation how to optimally choose this value
427 uint32 max_num_domains =
428 r->in.max_size < 5 ? r->in.max_size : 10;
433 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
434 return NT_STATUS_INVALID_HANDLE;
436 if (info->type != LSA_HANDLE_POLICY_TYPE) {
437 return NT_STATUS_INVALID_HANDLE;
440 /* check if the user has enough rights */
441 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
442 return NT_STATUS_ACCESS_DENIED;
445 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
448 if (!NT_STATUS_IS_OK(nt_status)) {
452 if (*r->in.resume_handle < num_domains) {
453 num_thistime = MIN(num_domains, max_num_domains);
455 nt_status = STATUS_MORE_ENTRIES;
457 if (*r->in.resume_handle + num_thistime > num_domains) {
458 num_thistime = num_domains - *r->in.resume_handle;
459 nt_status = NT_STATUS_OK;
462 next_idx = *r->in.resume_handle + num_thistime;
465 next_idx = 0xffffffff;
466 nt_status = NT_STATUS_NO_MORE_ENTRIES;
469 /* set up the lsa_enum_trust_dom response */
471 lsa_domains = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo,
474 return NT_STATUS_NO_MEMORY;
477 for (i=0; i<num_thistime; i++) {
478 init_lsa_StringLarge(&lsa_domains[i].name, domains[i]->name);
479 lsa_domains[i].sid = &domains[i]->sid;
482 *r->out.resume_handle = next_idx;
483 r->out.domains->count = num_thistime;
484 r->out.domains->domains = lsa_domains;
489 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
490 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
491 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
493 /***************************************************************************
495 ***************************************************************************/
497 NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
498 struct lsa_QueryInfoPolicy *r)
500 NTSTATUS status = NT_STATUS_OK;
501 struct lsa_info *handle;
505 union lsa_PolicyInformation *info = NULL;
507 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
508 return NT_STATUS_INVALID_HANDLE;
510 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
511 return NT_STATUS_INVALID_HANDLE;
514 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
516 return NT_STATUS_NO_MEMORY;
519 switch (r->in.level) {
520 case LSA_POLICY_INFO_AUDIT_EVENTS:
523 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
525 /* check if the user has enough rights */
526 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
527 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
528 return NT_STATUS_ACCESS_DENIED;
531 /* fake info: We audit everything. ;) */
533 info->audit_events.auditing_mode = true;
534 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
535 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
536 enum lsa_PolicyAuditPolicy,
537 info->audit_events.count);
538 if (!info->audit_events.settings) {
539 return NT_STATUS_NO_MEMORY;
542 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
543 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
544 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
545 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
546 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
547 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
548 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
552 case LSA_POLICY_INFO_DOMAIN:
553 /* check if the user has enough rights */
554 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
555 return NT_STATUS_ACCESS_DENIED;
557 /* Request PolicyPrimaryDomainInformation. */
558 switch (lp_server_role()) {
559 case ROLE_DOMAIN_PDC:
560 case ROLE_DOMAIN_BDC:
561 name = get_global_sam_name();
562 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
564 return NT_STATUS_NO_MEMORY;
567 case ROLE_DOMAIN_MEMBER:
568 name = lp_workgroup();
569 /* We need to return the Domain SID here. */
570 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
571 sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
573 return NT_STATUS_NO_MEMORY;
576 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
579 case ROLE_STANDALONE:
580 name = lp_workgroup();
584 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
586 init_dom_query_3(&info->domain, name, sid);
588 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
589 /* check if the user has enough rights */
590 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
591 return NT_STATUS_ACCESS_DENIED;
593 /* Request PolicyAccountDomainInformation. */
594 name = get_global_sam_name();
595 sid = get_global_sam_sid();
597 init_dom_query_5(&info->account_domain, name, sid);
599 case LSA_POLICY_INFO_ROLE:
600 /* check if the user has enough rights */
601 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
602 return NT_STATUS_ACCESS_DENIED;
604 switch (lp_server_role()) {
605 case ROLE_DOMAIN_BDC:
607 * only a BDC is a backup controller
608 * of the domain, it controls.
610 info->role.role = LSA_ROLE_BACKUP;
614 * any other role is a primary
615 * of the domain, it controls.
617 info->role.role = LSA_ROLE_PRIMARY;
622 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
624 status = NT_STATUS_INVALID_INFO_CLASS;
633 /***************************************************************************
634 _lsa_lookup_sids_internal
635 ***************************************************************************/
637 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
639 uint16_t level, /* input */
640 int num_sids, /* input */
641 struct lsa_SidPtr *sid, /* input */
642 struct lsa_RefDomainList **pp_ref, /* input/output */
643 struct lsa_TranslatedName2 **pp_names,/* input/output */
644 uint32_t *pp_mapped_count) /* input/output */
648 const DOM_SID **sids = NULL;
649 struct lsa_RefDomainList *ref = NULL;
650 uint32 mapped_count = 0;
651 struct lsa_dom_info *dom_infos = NULL;
652 struct lsa_name_info *name_infos = NULL;
653 struct lsa_TranslatedName2 *names = NULL;
655 *pp_mapped_count = 0;
663 sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
664 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
666 if (sids == NULL || ref == NULL) {
667 return NT_STATUS_NO_MEMORY;
670 for (i=0; i<num_sids; i++) {
671 sids[i] = sid[i].sid;
674 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
675 &dom_infos, &name_infos);
677 if (!NT_STATUS_IS_OK(status)) {
681 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
683 return NT_STATUS_NO_MEMORY;
686 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
688 if (!dom_infos[i].valid) {
692 if (init_lsa_ref_domain_list(mem_ctx, ref,
694 &dom_infos[i].sid) != i) {
695 DEBUG(0, ("Domain %s mentioned twice??\n",
697 return NT_STATUS_INTERNAL_ERROR;
701 for (i=0; i<num_sids; i++) {
702 struct lsa_name_info *name = &name_infos[i];
704 if (name->type == SID_NAME_UNKNOWN) {
707 /* Unknown sids should return the string
708 * representation of the SID. Windows 2003 behaves
709 * rather erratic here, in many cases it returns the
710 * RID as 8 bytes hex, in others it returns the full
711 * SID. We (Jerry/VL) could not figure out which the
712 * hard cases are, so leave it with the SID. */
713 name->name = talloc_asprintf(p->mem_ctx, "%s",
716 if (name->name == NULL) {
717 return NT_STATUS_NO_MEMORY;
723 names[i].sid_type = name->type;
724 names[i].name.string = name->name;
725 names[i].sid_index = name->dom_idx;
726 names[i].unknown = 0;
729 status = NT_STATUS_NONE_MAPPED;
730 if (mapped_count > 0) {
731 status = (mapped_count < num_sids) ?
732 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
735 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
736 num_sids, mapped_count, nt_errstr(status)));
738 *pp_mapped_count = mapped_count;
745 /***************************************************************************
747 ***************************************************************************/
749 NTSTATUS _lsa_LookupSids(pipes_struct *p,
750 struct lsa_LookupSids *r)
753 struct lsa_info *handle;
754 int num_sids = r->in.sids->num_sids;
755 uint32 mapped_count = 0;
756 struct lsa_RefDomainList *domains = NULL;
757 struct lsa_TranslatedName *names_out = NULL;
758 struct lsa_TranslatedName2 *names = NULL;
761 if ((r->in.level < 1) || (r->in.level > 6)) {
762 return NT_STATUS_INVALID_PARAMETER;
765 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
766 return NT_STATUS_INVALID_HANDLE;
769 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
770 return NT_STATUS_INVALID_HANDLE;
773 /* check if the user has enough rights */
774 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
775 return NT_STATUS_ACCESS_DENIED;
778 if (num_sids > MAX_LOOKUP_SIDS) {
779 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
780 MAX_LOOKUP_SIDS, num_sids));
781 return NT_STATUS_NONE_MAPPED;
784 status = _lsa_lookup_sids_internal(p,
793 /* Only return here when there is a real error.
794 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
795 the requested sids could be resolved. Older versions of XP (pre SP3)
796 rely that we return with the string representations of those SIDs in
797 that case. If we don't, XP crashes - Guenther
800 if (NT_STATUS_IS_ERR(status) &&
801 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
805 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
806 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
809 return NT_STATUS_NO_MEMORY;
812 for (i=0; i<num_sids; i++) {
813 names_out[i].sid_type = names[i].sid_type;
814 names_out[i].name = names[i].name;
815 names_out[i].sid_index = names[i].sid_index;
818 *r->out.domains = domains;
819 r->out.names->count = num_sids;
820 r->out.names->names = names_out;
821 *r->out.count = mapped_count;
826 /***************************************************************************
828 ***************************************************************************/
830 NTSTATUS _lsa_LookupSids2(pipes_struct *p,
831 struct lsa_LookupSids2 *r)
834 struct lsa_info *handle;
835 int num_sids = r->in.sids->num_sids;
836 uint32 mapped_count = 0;
837 struct lsa_RefDomainList *domains = NULL;
838 struct lsa_TranslatedName2 *names = NULL;
839 bool check_policy = true;
841 switch (p->hdr_req.opnum) {
842 case NDR_LSA_LOOKUPSIDS3:
843 check_policy = false;
845 case NDR_LSA_LOOKUPSIDS2:
850 if ((r->in.level < 1) || (r->in.level > 6)) {
851 return NT_STATUS_INVALID_PARAMETER;
855 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
856 return NT_STATUS_INVALID_HANDLE;
859 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
860 return NT_STATUS_INVALID_HANDLE;
863 /* check if the user has enough rights */
864 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
865 return NT_STATUS_ACCESS_DENIED;
869 if (num_sids > MAX_LOOKUP_SIDS) {
870 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
871 MAX_LOOKUP_SIDS, num_sids));
872 return NT_STATUS_NONE_MAPPED;
875 status = _lsa_lookup_sids_internal(p,
884 *r->out.domains = domains;
885 r->out.names->count = num_sids;
886 r->out.names->names = names;
887 *r->out.count = mapped_count;
892 /***************************************************************************
894 ***************************************************************************/
896 NTSTATUS _lsa_LookupSids3(pipes_struct *p,
897 struct lsa_LookupSids3 *r)
899 struct lsa_LookupSids2 q;
901 /* No policy handle on this call. Restrict to crypto connections. */
902 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
903 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
904 get_remote_machine_name() ));
905 return NT_STATUS_INVALID_PARAMETER;
909 q.in.sids = r->in.sids;
910 q.in.level = r->in.level;
911 q.in.unknown1 = r->in.unknown1;
912 q.in.unknown2 = r->in.unknown2;
913 q.in.names = r->in.names;
914 q.in.count = r->in.count;
916 q.out.domains = r->out.domains;
917 q.out.names = r->out.names;
918 q.out.count = r->out.count;
920 return _lsa_LookupSids2(p, &q);
923 /***************************************************************************
924 ***************************************************************************/
926 static int lsa_lookup_level_to_flags(uint16 level)
932 flags = LOOKUP_NAME_ALL;
935 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
938 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
944 flags = LOOKUP_NAME_NONE;
951 /***************************************************************************
953 ***************************************************************************/
955 NTSTATUS _lsa_LookupNames(pipes_struct *p,
956 struct lsa_LookupNames *r)
958 NTSTATUS status = NT_STATUS_NONE_MAPPED;
959 struct lsa_info *handle;
960 struct lsa_String *names = r->in.names;
961 uint32 num_entries = r->in.num_names;
962 struct lsa_RefDomainList *domains = NULL;
963 struct lsa_TranslatedSid *rids = NULL;
964 uint32 mapped_count = 0;
967 if (num_entries > MAX_LOOKUP_SIDS) {
968 num_entries = MAX_LOOKUP_SIDS;
969 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
973 flags = lsa_lookup_level_to_flags(r->in.level);
975 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
977 return NT_STATUS_NO_MEMORY;
981 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
984 return NT_STATUS_NO_MEMORY;
990 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
991 status = NT_STATUS_INVALID_HANDLE;
995 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
996 return NT_STATUS_INVALID_HANDLE;
999 /* check if the user has enough rights */
1000 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1001 status = NT_STATUS_ACCESS_DENIED;
1005 /* set up the LSA Lookup RIDs response */
1006 become_root(); /* lookup_name can require root privs */
1007 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1008 names, flags, &mapped_count);
1013 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1014 if (mapped_count == 0) {
1015 status = NT_STATUS_NONE_MAPPED;
1016 } else if (mapped_count != num_entries) {
1017 status = STATUS_SOME_UNMAPPED;
1021 *r->out.count = mapped_count;
1022 *r->out.domains = domains;
1023 r->out.sids->sids = rids;
1024 r->out.sids->count = num_entries;
1029 /***************************************************************************
1031 ***************************************************************************/
1033 NTSTATUS _lsa_LookupNames2(pipes_struct *p,
1034 struct lsa_LookupNames2 *r)
1037 struct lsa_LookupNames q;
1038 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1039 struct lsa_TransSidArray *sid_array = NULL;
1042 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1044 return NT_STATUS_NO_MEMORY;
1047 q.in.handle = r->in.handle;
1048 q.in.num_names = r->in.num_names;
1049 q.in.names = r->in.names;
1050 q.in.level = r->in.level;
1051 q.in.sids = sid_array;
1052 q.in.count = r->in.count;
1053 /* we do not know what this is for */
1054 /* = r->in.unknown1; */
1055 /* = r->in.unknown2; */
1057 q.out.domains = r->out.domains;
1058 q.out.sids = sid_array;
1059 q.out.count = r->out.count;
1061 status = _lsa_LookupNames(p, &q);
1063 sid_array2->count = sid_array->count;
1064 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1065 if (!sid_array2->sids) {
1066 return NT_STATUS_NO_MEMORY;
1069 for (i=0; i<sid_array->count; i++) {
1070 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1071 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1072 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1073 sid_array2->sids[i].unknown = 0;
1076 r->out.sids = sid_array2;
1081 /***************************************************************************
1083 ***************************************************************************/
1085 NTSTATUS _lsa_LookupNames3(pipes_struct *p,
1086 struct lsa_LookupNames3 *r)
1089 struct lsa_info *handle;
1090 struct lsa_String *names = r->in.names;
1091 uint32 num_entries = r->in.num_names;
1092 struct lsa_RefDomainList *domains = NULL;
1093 struct lsa_TranslatedSid3 *trans_sids = NULL;
1094 uint32 mapped_count = 0;
1096 bool check_policy = true;
1098 switch (p->hdr_req.opnum) {
1099 case NDR_LSA_LOOKUPNAMES4:
1100 check_policy = false;
1102 case NDR_LSA_LOOKUPNAMES3:
1104 check_policy = true;
1107 if (num_entries > MAX_LOOKUP_SIDS) {
1108 num_entries = MAX_LOOKUP_SIDS;
1109 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1112 /* Probably the lookup_level is some sort of bitmask. */
1113 if (r->in.level == 1) {
1114 flags = LOOKUP_NAME_ALL;
1117 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1119 return NT_STATUS_NO_MEMORY;
1123 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1126 return NT_STATUS_NO_MEMORY;
1134 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1135 status = NT_STATUS_INVALID_HANDLE;
1139 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1140 return NT_STATUS_INVALID_HANDLE;
1143 /* check if the user has enough rights */
1144 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1145 status = NT_STATUS_ACCESS_DENIED;
1150 /* set up the LSA Lookup SIDs response */
1151 become_root(); /* lookup_name can require root privs */
1152 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1153 names, flags, &mapped_count);
1158 if (NT_STATUS_IS_OK(status)) {
1159 if (mapped_count == 0) {
1160 status = NT_STATUS_NONE_MAPPED;
1161 } else if (mapped_count != num_entries) {
1162 status = STATUS_SOME_UNMAPPED;
1166 *r->out.count = mapped_count;
1167 *r->out.domains = domains;
1168 r->out.sids->sids = trans_sids;
1169 r->out.sids->count = num_entries;
1174 /***************************************************************************
1176 ***************************************************************************/
1178 NTSTATUS _lsa_LookupNames4(pipes_struct *p,
1179 struct lsa_LookupNames4 *r)
1181 struct lsa_LookupNames3 q;
1183 /* No policy handle on this call. Restrict to crypto connections. */
1184 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1185 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1186 get_remote_machine_name() ));
1187 return NT_STATUS_INVALID_PARAMETER;
1191 q.in.num_names = r->in.num_names;
1192 q.in.names = r->in.names;
1193 q.in.level = r->in.level;
1194 q.in.lookup_options = r->in.lookup_options;
1195 q.in.client_revision = r->in.client_revision;
1196 q.in.sids = r->in.sids;
1197 q.in.count = r->in.count;
1199 q.out.domains = r->out.domains;
1200 q.out.sids = r->out.sids;
1201 q.out.count = r->out.count;
1203 return _lsa_LookupNames3(p, &q);
1206 /***************************************************************************
1207 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1208 ***************************************************************************/
1210 NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
1212 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1213 return NT_STATUS_INVALID_HANDLE;
1216 close_policy_hnd(p, r->in.handle);
1217 ZERO_STRUCTP(r->out.handle);
1218 return NT_STATUS_OK;
1221 /***************************************************************************
1222 ***************************************************************************/
1224 NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
1226 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1229 /***************************************************************************
1230 ***************************************************************************/
1232 NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
1234 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1237 /***************************************************************************
1238 ***************************************************************************/
1240 NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
1242 return NT_STATUS_ACCESS_DENIED;
1245 /***************************************************************************
1246 ***************************************************************************/
1248 NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
1250 return NT_STATUS_ACCESS_DENIED;
1253 /***************************************************************************
1254 ***************************************************************************/
1256 NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
1258 return NT_STATUS_ACCESS_DENIED;
1261 /***************************************************************************
1263 ***************************************************************************/
1265 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
1266 struct lsa_DeleteObject *r)
1269 struct lsa_info *info = NULL;
1271 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1272 return NT_STATUS_INVALID_HANDLE;
1275 if (!(info->access & STD_RIGHT_DELETE_ACCESS)) {
1276 return NT_STATUS_ACCESS_DENIED;
1279 status = privilege_delete_account(&info->sid);
1280 if (!NT_STATUS_IS_OK(status)) {
1281 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1282 nt_errstr(status)));
1288 /***************************************************************************
1290 ***************************************************************************/
1292 NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
1293 struct lsa_EnumPrivs *r)
1295 struct lsa_info *handle;
1297 uint32 enum_context = *r->in.resume_handle;
1298 int num_privs = count_all_privileges();
1299 struct lsa_PrivEntry *entries = NULL;
1302 /* remember that the enum_context starts at 0 and not 1 */
1304 if ( enum_context >= num_privs )
1305 return NT_STATUS_NO_MORE_ENTRIES;
1307 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1308 enum_context, num_privs));
1310 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1311 return NT_STATUS_INVALID_HANDLE;
1313 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1314 return NT_STATUS_INVALID_HANDLE;
1317 /* check if the user has enough rights
1318 I don't know if it's the right one. not documented. */
1320 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1321 return NT_STATUS_ACCESS_DENIED;
1324 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1326 return NT_STATUS_NO_MEMORY;
1332 for (i = 0; i < num_privs; i++) {
1333 if( i < enum_context) {
1335 init_lsa_StringLarge(&entries[i].name, NULL);
1337 entries[i].luid.low = 0;
1338 entries[i].luid.high = 0;
1341 init_lsa_StringLarge(&entries[i].name, privs[i].name);
1343 luid = get_privilege_luid( &privs[i].se_priv );
1345 entries[i].luid.low = luid.luid.low;
1346 entries[i].luid.high = luid.luid.high;
1350 enum_context = num_privs;
1352 *r->out.resume_handle = enum_context;
1353 r->out.privs->count = num_privs;
1354 r->out.privs->privs = entries;
1356 return NT_STATUS_OK;
1359 /***************************************************************************
1360 _lsa_LookupPrivDisplayName
1361 ***************************************************************************/
1363 NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
1364 struct lsa_LookupPrivDisplayName *r)
1366 struct lsa_info *handle;
1367 const char *description;
1368 struct lsa_StringLarge *lsa_name;
1370 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1371 return NT_STATUS_INVALID_HANDLE;
1373 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1374 return NT_STATUS_INVALID_HANDLE;
1377 /* check if the user has enough rights */
1380 * I don't know if it's the right one. not documented.
1382 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1383 return NT_STATUS_ACCESS_DENIED;
1385 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1387 description = get_privilege_dispname(r->in.name->string);
1389 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1390 return NT_STATUS_NO_SUCH_PRIVILEGE;
1393 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1395 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1397 return NT_STATUS_NO_MEMORY;
1400 init_lsa_StringLarge(lsa_name, description);
1402 *r->out.returned_language_id = r->in.language_id;
1403 *r->out.disp_name = lsa_name;
1405 return NT_STATUS_OK;
1408 /***************************************************************************
1410 ***************************************************************************/
1412 NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
1413 struct lsa_EnumAccounts *r)
1415 struct lsa_info *handle;
1417 int i, j, num_entries;
1419 struct lsa_SidPtr *sids = NULL;
1421 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1422 return NT_STATUS_INVALID_HANDLE;
1424 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1425 return NT_STATUS_INVALID_HANDLE;
1428 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1429 return NT_STATUS_ACCESS_DENIED;
1434 /* The only way we can currently find out all the SIDs that have been
1435 privileged is to scan all privileges */
1437 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1438 if (!NT_STATUS_IS_OK(status)) {
1442 if (*r->in.resume_handle >= num_entries) {
1443 return NT_STATUS_NO_MORE_ENTRIES;
1446 if (num_entries - *r->in.resume_handle) {
1447 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1448 num_entries - *r->in.resume_handle);
1450 talloc_free(sid_list);
1451 return NT_STATUS_NO_MEMORY;
1454 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1455 sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1457 talloc_free(sid_list);
1458 return NT_STATUS_NO_MEMORY;
1463 talloc_free(sid_list);
1465 *r->out.resume_handle = num_entries;
1466 r->out.sids->num_sids = num_entries;
1467 r->out.sids->sids = sids;
1469 return NT_STATUS_OK;
1472 /***************************************************************************
1474 ***************************************************************************/
1476 NTSTATUS _lsa_GetUserName(pipes_struct *p,
1477 struct lsa_GetUserName *r)
1479 const char *username, *domname;
1480 struct lsa_String *account_name = NULL;
1481 struct lsa_String *authority_name = NULL;
1483 if (r->in.account_name &&
1484 *r->in.account_name) {
1485 return NT_STATUS_INVALID_PARAMETER;
1488 if (r->in.authority_name &&
1489 *r->in.authority_name) {
1490 return NT_STATUS_INVALID_PARAMETER;
1493 if (p->server_info->guest) {
1495 * I'm 99% sure this is not the right place to do this,
1496 * global_sid_Anonymous should probably be put into the token
1497 * instead of the guest id -- vl
1499 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1500 &domname, &username, NULL)) {
1501 return NT_STATUS_NO_MEMORY;
1504 username = p->server_info->sanitized_username;
1505 domname = pdb_get_domain(p->server_info->sam_account);
1508 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1509 if (!account_name) {
1510 return NT_STATUS_NO_MEMORY;
1512 init_lsa_String(account_name, username);
1514 if (r->out.authority_name) {
1515 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1516 if (!authority_name) {
1517 return NT_STATUS_NO_MEMORY;
1519 init_lsa_String(authority_name, domname);
1522 *r->out.account_name = account_name;
1523 if (r->out.authority_name) {
1524 *r->out.authority_name = authority_name;
1527 return NT_STATUS_OK;
1530 /***************************************************************************
1532 ***************************************************************************/
1534 NTSTATUS _lsa_CreateAccount(pipes_struct *p,
1535 struct lsa_CreateAccount *r)
1537 struct lsa_info *handle;
1538 struct lsa_info *info;
1540 /* find the connection policy handle. */
1541 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1542 return NT_STATUS_INVALID_HANDLE;
1544 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1545 return NT_STATUS_INVALID_HANDLE;
1548 /* check if the user has enough rights */
1551 * I don't know if it's the right one. not documented.
1552 * but guessed with rpcclient.
1554 if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT))
1555 return NT_STATUS_ACCESS_DENIED;
1557 if ( is_privileged_sid( r->in.sid ) )
1558 return NT_STATUS_OBJECT_NAME_COLLISION;
1560 /* associate the user/group SID with the (unique) handle. */
1562 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1564 return NT_STATUS_NO_MEMORY;
1567 info->sid = *r->in.sid;
1568 info->access = r->in.access_mask;
1569 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1571 /* get a (unique) handle. open a policy on it. */
1572 if (!create_policy_hnd(p, r->out.acct_handle, info))
1573 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1575 return privilege_create_account( &info->sid );
1578 /***************************************************************************
1580 ***************************************************************************/
1582 NTSTATUS _lsa_OpenAccount(pipes_struct *p,
1583 struct lsa_OpenAccount *r)
1585 struct lsa_info *handle;
1586 struct lsa_info *info;
1587 SEC_DESC *psd = NULL;
1589 uint32_t des_access = r->in.access_mask;
1590 uint32_t acc_granted;
1593 /* find the connection policy handle. */
1594 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1595 return NT_STATUS_INVALID_HANDLE;
1597 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1598 return NT_STATUS_INVALID_HANDLE;
1601 /* des_access is for the account here, not the policy
1602 * handle - so don't check against policy handle. */
1604 /* Work out max allowed. */
1605 map_max_allowed_access(p->server_info->ptok, &des_access);
1607 /* map the generic bits to the lsa account ones */
1608 se_map_generic(&des_access, &lsa_account_mapping);
1610 /* get the generic lsa account SD until we store it */
1611 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1612 &lsa_account_mapping,
1613 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1614 if (!NT_STATUS_IS_OK(status)) {
1618 status = access_check_object(psd, p->server_info->ptok,
1619 NULL, 0, des_access,
1620 &acc_granted, "_lsa_OpenAccount" );
1622 if (!NT_STATUS_IS_OK(status)) {
1626 /* TODO: Fis the parsing routine before reenabling this check! */
1628 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1629 return NT_STATUS_ACCESS_DENIED;
1631 /* associate the user/group SID with the (unique) handle. */
1632 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1634 return NT_STATUS_NO_MEMORY;
1637 info->sid = *r->in.sid;
1638 info->access = acc_granted;
1639 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1641 /* get a (unique) handle. open a policy on it. */
1642 if (!create_policy_hnd(p, r->out.acct_handle, info))
1643 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1645 return NT_STATUS_OK;
1648 /***************************************************************************
1649 _lsa_EnumPrivsAccount
1650 For a given SID, enumerate all the privilege this account has.
1651 ***************************************************************************/
1653 NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
1654 struct lsa_EnumPrivsAccount *r)
1656 NTSTATUS status = NT_STATUS_OK;
1657 struct lsa_info *info=NULL;
1659 PRIVILEGE_SET privileges;
1660 struct lsa_PrivilegeSet *priv_set = NULL;
1661 struct lsa_LUIDAttribute *luid_attrs = NULL;
1664 /* find the connection policy handle. */
1665 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1666 return NT_STATUS_INVALID_HANDLE;
1668 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1669 return NT_STATUS_INVALID_HANDLE;
1672 if (!(info->access & LSA_ACCOUNT_VIEW))
1673 return NT_STATUS_ACCESS_DENIED;
1675 get_privileges_for_sids(&mask, &info->sid, 1);
1677 privilege_set_init( &privileges );
1679 priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1681 status = NT_STATUS_NO_MEMORY;
1685 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1687 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1688 sid_string_dbg(&info->sid),
1691 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1692 struct lsa_LUIDAttribute,
1695 status = NT_STATUS_NO_MEMORY;
1699 for (i=0; i<privileges.count; i++) {
1700 luid_attrs[i].luid.low = privileges.set[i].luid.low;
1701 luid_attrs[i].luid.high = privileges.set[i].luid.high;
1702 luid_attrs[i].attribute = privileges.set[i].attr;
1705 priv_set->count = privileges.count;
1706 priv_set->unknown = 0;
1707 priv_set->set = luid_attrs;
1710 priv_set->count = 0;
1711 priv_set->unknown = 0;
1712 priv_set->set = NULL;
1715 *r->out.privs = priv_set;
1718 privilege_set_free( &privileges );
1723 /***************************************************************************
1724 _lsa_GetSystemAccessAccount
1725 ***************************************************************************/
1727 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
1728 struct lsa_GetSystemAccessAccount *r)
1731 struct lsa_info *info = NULL;
1732 struct lsa_EnumPrivsAccount e;
1733 struct lsa_PrivilegeSet *privset;
1735 /* find the connection policy handle. */
1737 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1738 return NT_STATUS_INVALID_HANDLE;
1740 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1741 return NT_STATUS_INVALID_HANDLE;
1744 if (!(info->access & LSA_ACCOUNT_VIEW))
1745 return NT_STATUS_ACCESS_DENIED;
1747 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1749 return NT_STATUS_NO_MEMORY;
1752 e.in.handle = r->in.handle;
1753 e.out.privs = &privset;
1755 status = _lsa_EnumPrivsAccount(p, &e);
1756 if (!NT_STATUS_IS_OK(status)) {
1757 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1758 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1759 nt_errstr(status)));
1763 /* Samba4 would iterate over the privset to merge the policy mode bits,
1764 * not sure samba3 can do the same here, so just return what we did in
1768 0x01 -> Log on locally
1769 0x02 -> Access this computer from network
1770 0x04 -> Log on as a batch job
1771 0x10 -> Log on as a service
1773 they can be ORed together
1776 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1777 LSA_POLICY_MODE_NETWORK;
1779 return NT_STATUS_OK;
1782 /***************************************************************************
1783 update the systemaccount information
1784 ***************************************************************************/
1786 NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
1787 struct lsa_SetSystemAccessAccount *r)
1789 struct lsa_info *info=NULL;
1792 /* find the connection policy handle. */
1793 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1794 return NT_STATUS_INVALID_HANDLE;
1796 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1797 return NT_STATUS_INVALID_HANDLE;
1800 if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1801 return NT_STATUS_ACCESS_DENIED;
1804 if (!pdb_getgrsid(&map, info->sid))
1805 return NT_STATUS_NO_SUCH_GROUP;
1807 return pdb_update_group_mapping_entry(&map);
1810 /***************************************************************************
1811 _lsa_AddPrivilegesToAccount
1812 For a given SID, add some privileges.
1813 ***************************************************************************/
1815 NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
1816 struct lsa_AddPrivilegesToAccount *r)
1818 struct lsa_info *info = NULL;
1820 struct lsa_PrivilegeSet *set = NULL;
1822 /* find the connection policy handle. */
1823 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1824 return NT_STATUS_INVALID_HANDLE;
1826 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1827 return NT_STATUS_INVALID_HANDLE;
1830 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1831 return NT_STATUS_ACCESS_DENIED;
1835 if ( !privilege_set_to_se_priv( &mask, set ) )
1836 return NT_STATUS_NO_SUCH_PRIVILEGE;
1838 if ( !grant_privilege( &info->sid, &mask ) ) {
1839 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1840 sid_string_dbg(&info->sid) ));
1841 DEBUG(3,("Privilege mask:\n"));
1842 dump_se_priv( DBGC_ALL, 3, &mask );
1843 return NT_STATUS_NO_SUCH_PRIVILEGE;
1846 return NT_STATUS_OK;
1849 /***************************************************************************
1850 _lsa_RemovePrivilegesFromAccount
1851 For a given SID, remove some privileges.
1852 ***************************************************************************/
1854 NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
1855 struct lsa_RemovePrivilegesFromAccount *r)
1857 struct lsa_info *info = NULL;
1859 struct lsa_PrivilegeSet *set = NULL;
1861 /* find the connection policy handle. */
1862 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1863 return NT_STATUS_INVALID_HANDLE;
1865 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1866 return NT_STATUS_INVALID_HANDLE;
1869 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1870 return NT_STATUS_ACCESS_DENIED;
1875 if ( !privilege_set_to_se_priv( &mask, set ) )
1876 return NT_STATUS_NO_SUCH_PRIVILEGE;
1878 if ( !revoke_privilege( &info->sid, &mask ) ) {
1879 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
1880 sid_string_dbg(&info->sid) ));
1881 DEBUG(3,("Privilege mask:\n"));
1882 dump_se_priv( DBGC_ALL, 3, &mask );
1883 return NT_STATUS_NO_SUCH_PRIVILEGE;
1886 return NT_STATUS_OK;
1889 /***************************************************************************
1891 ***************************************************************************/
1893 NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
1894 struct lsa_QuerySecurity *r)
1896 struct lsa_info *handle=NULL;
1897 SEC_DESC *psd = NULL;
1901 /* find the connection policy handle. */
1902 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1903 return NT_STATUS_INVALID_HANDLE;
1905 if (handle->type == LSA_HANDLE_POLICY_TYPE) {
1906 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1907 &lsa_policy_mapping, NULL, 0);
1908 } else if (handle->type == LSA_HANDLE_ACCOUNT_TYPE) {
1909 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1910 &lsa_account_mapping,
1911 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
1913 status = NT_STATUS_INVALID_HANDLE;
1916 if (!NT_STATUS_IS_OK(status)) {
1920 switch (r->in.sec_info) {
1922 /* SD contains only the owner */
1923 if((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
1924 return NT_STATUS_NO_MEMORY;
1927 /* SD contains only the ACL */
1928 if((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
1929 return NT_STATUS_NO_MEMORY;
1932 return NT_STATUS_INVALID_LEVEL;
1938 /***************************************************************************
1939 _lsa_AddAccountRights
1940 ***************************************************************************/
1942 NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
1943 struct lsa_AddAccountRights *r)
1945 struct lsa_info *info = NULL;
1947 uint32_t acc_granted = 0;
1948 SEC_DESC *psd = NULL;
1953 /* find the connection policy handle. */
1954 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1955 return NT_STATUS_INVALID_HANDLE;
1957 if (info->type != LSA_HANDLE_POLICY_TYPE) {
1958 return NT_STATUS_INVALID_HANDLE;
1961 /* get the generic lsa account SD for this SID until we store it */
1962 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1963 &lsa_account_mapping,
1964 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1965 if (!NT_STATUS_IS_OK(status)) {
1970 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
1971 * on the policy handle. If it does, ask for
1972 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
1973 * on the account sid. We don't check here so just use the latter. JRA.
1976 status = access_check_object(psd, p->server_info->ptok,
1977 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
1978 &acc_granted, "_lsa_AddAccountRights" );
1980 if (!NT_STATUS_IS_OK(status)) {
1984 /* according to an NT4 PDC, you can add privileges to SIDs even without
1985 call_lsa_create_account() first. And you can use any arbitrary SID. */
1987 sid_copy( &sid, r->in.sid );
1989 for ( i=0; i < r->in.rights->count; i++ ) {
1991 const char *privname = r->in.rights->names[i].string;
1993 /* only try to add non-null strings */
1998 if ( !grant_privilege_by_name( &sid, privname ) ) {
1999 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2001 return NT_STATUS_NO_SUCH_PRIVILEGE;
2005 return NT_STATUS_OK;
2008 /***************************************************************************
2009 _lsa_RemoveAccountRights
2010 ***************************************************************************/
2012 NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
2013 struct lsa_RemoveAccountRights *r)
2015 struct lsa_info *info = NULL;
2017 SEC_DESC *psd = NULL;
2020 const char *privname = NULL;
2021 uint32_t acc_granted = 0;
2024 /* find the connection policy handle. */
2025 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2026 return NT_STATUS_INVALID_HANDLE;
2028 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2029 return NT_STATUS_INVALID_HANDLE;
2032 /* get the generic lsa account SD for this SID until we store it */
2033 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2034 &lsa_account_mapping,
2035 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2036 if (!NT_STATUS_IS_OK(status)) {
2041 * From the MS DOCs. We need
2042 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2043 * and DELETE on the account sid.
2046 status = access_check_object(psd, p->server_info->ptok,
2047 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2048 LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
2049 &acc_granted, "_lsa_AddAccountRights" );
2051 if (!NT_STATUS_IS_OK(status)) {
2055 sid_copy( &sid, r->in.sid );
2057 if ( r->in.remove_all ) {
2058 if ( !revoke_all_privileges( &sid ) )
2059 return NT_STATUS_ACCESS_DENIED;
2061 return NT_STATUS_OK;
2064 for ( i=0; i < r->in.rights->count; i++ ) {
2066 privname = r->in.rights->names[i].string;
2068 /* only try to add non-null strings */
2073 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2074 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2076 return NT_STATUS_NO_SUCH_PRIVILEGE;
2080 return NT_STATUS_OK;
2083 /*******************************************************************
2084 ********************************************************************/
2086 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2087 struct lsa_RightSet *r,
2088 PRIVILEGE_SET *privileges)
2091 const char *privname;
2092 const char **privname_array = NULL;
2095 for (i=0; i<privileges->count; i++) {
2097 privname = luid_to_privilege_name(&privileges->set[i].luid);
2099 if (!add_string_to_array(mem_ctx, privname,
2100 &privname_array, &num_priv)) {
2101 return NT_STATUS_NO_MEMORY;
2108 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2111 return NT_STATUS_NO_MEMORY;
2114 for (i=0; i<num_priv; i++) {
2115 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2118 r->count = num_priv;
2121 return NT_STATUS_OK;
2124 /***************************************************************************
2125 _lsa_EnumAccountRights
2126 ***************************************************************************/
2128 NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
2129 struct lsa_EnumAccountRights *r)
2132 struct lsa_info *info = NULL;
2134 PRIVILEGE_SET privileges;
2137 /* find the connection policy handle. */
2139 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2140 return NT_STATUS_INVALID_HANDLE;
2142 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2143 return NT_STATUS_INVALID_HANDLE;
2146 if (!(info->access & LSA_ACCOUNT_VIEW)) {
2147 return NT_STATUS_ACCESS_DENIED;
2150 /* according to an NT4 PDC, you can add privileges to SIDs even without
2151 call_lsa_create_account() first. And you can use any arbitrary SID. */
2153 sid_copy( &sid, r->in.sid );
2155 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2156 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2157 * the lsa database */
2159 if (!get_privileges_for_sids(&mask, &sid, 1)) {
2160 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2163 status = privilege_set_init(&privileges);
2164 if (!NT_STATUS_IS_OK(status)) {
2168 se_priv_to_privilege_set(&privileges, &mask);
2170 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2171 sid_string_dbg(&sid), privileges.count));
2173 status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2175 privilege_set_free( &privileges );
2180 /***************************************************************************
2181 _lsa_LookupPrivValue
2182 ***************************************************************************/
2184 NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
2185 struct lsa_LookupPrivValue *r)
2187 struct lsa_info *info = NULL;
2188 const char *name = NULL;
2189 LUID_ATTR priv_luid;
2192 /* find the connection policy handle. */
2194 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2195 return NT_STATUS_INVALID_HANDLE;
2197 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2198 return NT_STATUS_INVALID_HANDLE;
2201 if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2202 return NT_STATUS_ACCESS_DENIED;
2204 name = r->in.name->string;
2206 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2208 if ( !se_priv_from_name( name, &mask ) )
2209 return NT_STATUS_NO_SUCH_PRIVILEGE;
2211 priv_luid = get_privilege_luid( &mask );
2213 r->out.luid->low = priv_luid.luid.low;
2214 r->out.luid->high = priv_luid.luid.high;
2216 return NT_STATUS_OK;
2220 * From here on the server routines are just dummy ones to make smbd link with
2221 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2222 * pulling the server stubs across one by one.
2225 NTSTATUS _lsa_Delete(pipes_struct *p, struct lsa_Delete *r)
2227 p->rng_fault_state = True;
2228 return NT_STATUS_NOT_IMPLEMENTED;
2231 NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
2233 p->rng_fault_state = True;
2234 return NT_STATUS_NOT_IMPLEMENTED;
2237 NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
2239 p->rng_fault_state = True;
2240 return NT_STATUS_NOT_IMPLEMENTED;
2243 NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
2245 p->rng_fault_state = True;
2246 return NT_STATUS_NOT_IMPLEMENTED;
2249 NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
2251 p->rng_fault_state = True;
2252 return NT_STATUS_NOT_IMPLEMENTED;
2255 NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
2257 p->rng_fault_state = True;
2258 return NT_STATUS_NOT_IMPLEMENTED;
2261 NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
2263 p->rng_fault_state = True;
2264 return NT_STATUS_NOT_IMPLEMENTED;
2267 NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
2269 p->rng_fault_state = True;
2270 return NT_STATUS_NOT_IMPLEMENTED;
2273 NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
2275 p->rng_fault_state = True;
2276 return NT_STATUS_NOT_IMPLEMENTED;
2279 NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
2281 p->rng_fault_state = True;
2282 return NT_STATUS_NOT_IMPLEMENTED;
2285 NTSTATUS _lsa_LookupPrivName(pipes_struct *p, struct lsa_LookupPrivName *r)
2287 p->rng_fault_state = True;
2288 return NT_STATUS_NOT_IMPLEMENTED;
2291 NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p, struct lsa_EnumAccountsWithUserRight *r)
2293 p->rng_fault_state = True;
2294 return NT_STATUS_NOT_IMPLEMENTED;
2297 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
2299 p->rng_fault_state = True;
2300 return NT_STATUS_NOT_IMPLEMENTED;
2303 NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
2305 p->rng_fault_state = True;
2306 return NT_STATUS_NOT_IMPLEMENTED;
2309 NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
2311 p->rng_fault_state = True;
2312 return NT_STATUS_NOT_IMPLEMENTED;
2315 NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
2317 p->rng_fault_state = True;
2318 return NT_STATUS_NOT_IMPLEMENTED;
2321 NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
2323 p->rng_fault_state = True;
2324 return NT_STATUS_NOT_IMPLEMENTED;
2327 NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p,
2328 struct lsa_QueryInfoPolicy2 *r2)
2330 struct lsa_QueryInfoPolicy r;
2332 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
2333 p->rng_fault_state = True;
2334 return NT_STATUS_NOT_IMPLEMENTED;
2338 r.in.handle = r2->in.handle;
2339 r.in.level = r2->in.level;
2340 r.out.info = r2->out.info;
2342 return _lsa_QueryInfoPolicy(p, &r);
2345 NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
2347 p->rng_fault_state = True;
2348 return NT_STATUS_NOT_IMPLEMENTED;
2351 NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
2353 p->rng_fault_state = True;
2354 return NT_STATUS_NOT_IMPLEMENTED;
2357 NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
2359 p->rng_fault_state = True;
2360 return NT_STATUS_NOT_IMPLEMENTED;
2363 NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
2365 p->rng_fault_state = True;
2366 return NT_STATUS_NOT_IMPLEMENTED;
2369 NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
2371 p->rng_fault_state = True;
2372 return NT_STATUS_NOT_IMPLEMENTED;
2375 NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
2377 p->rng_fault_state = True;
2378 return NT_STATUS_NOT_IMPLEMENTED;
2381 NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
2383 p->rng_fault_state = True;
2384 return NT_STATUS_NOT_IMPLEMENTED;
2387 NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
2389 p->rng_fault_state = True;
2390 return NT_STATUS_NOT_IMPLEMENTED;
2393 NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
2395 p->rng_fault_state = True;
2396 return NT_STATUS_NOT_IMPLEMENTED;
2399 NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
2401 p->rng_fault_state = True;
2402 return NT_STATUS_NOT_IMPLEMENTED;
2405 NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
2407 p->rng_fault_state = True;
2408 return NT_STATUS_NOT_IMPLEMENTED;
2411 NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
2413 p->rng_fault_state = True;
2414 return NT_STATUS_NOT_IMPLEMENTED;
2417 NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
2419 p->rng_fault_state = True;
2420 return NT_STATUS_NOT_IMPLEMENTED;
2423 NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2425 p->rng_fault_state = True;
2426 return NT_STATUS_NOT_IMPLEMENTED;
2429 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2431 p->rng_fault_state = True;
2432 return NT_STATUS_NOT_IMPLEMENTED;
2435 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2437 p->rng_fault_state = True;
2438 return NT_STATUS_NOT_IMPLEMENTED;
2441 NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
2443 p->rng_fault_state = True;
2444 return NT_STATUS_NOT_IMPLEMENTED;
2447 NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
2449 p->rng_fault_state = True;
2450 return NT_STATUS_NOT_IMPLEMENTED;
2453 NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
2455 p->rng_fault_state = True;
2456 return NT_STATUS_NOT_IMPLEMENTED;
2459 NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
2461 p->rng_fault_state = True;
2462 return NT_STATUS_NOT_IMPLEMENTED;
2465 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
2467 p->rng_fault_state = True;
2468 return NT_STATUS_NOT_IMPLEMENTED;
2471 NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
2473 p->rng_fault_state = True;
2474 return NT_STATUS_NOT_IMPLEMENTED;
2477 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
2479 p->rng_fault_state = True;
2480 return NT_STATUS_NOT_IMPLEMENTED;
2483 NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
2485 p->rng_fault_state = True;
2486 return NT_STATUS_NOT_IMPLEMENTED;
2489 NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2491 p->rng_fault_state = True;
2492 return NT_STATUS_NOT_IMPLEMENTED;
2495 NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
2497 p->rng_fault_state = True;
2498 return NT_STATUS_NOT_IMPLEMENTED;
2501 NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
2503 p->rng_fault_state = True;
2504 return NT_STATUS_NOT_IMPLEMENTED;
2507 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2509 p->rng_fault_state = True;
2510 return NT_STATUS_NOT_IMPLEMENTED;
2513 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2515 p->rng_fault_state = True;
2516 return NT_STATUS_NOT_IMPLEMENTED;
2519 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
2521 p->rng_fault_state = True;
2522 return NT_STATUS_NOT_IMPLEMENTED;
git.samba.org / samba.git / blob