s3-lsa: implement _lsa_OpenTrustedDomain().
authorGünther Deschner <gd@samba.org>
Thu, 16 Jul 2009 00:26:37 +0000 (02:26 +0200)
committerGünther Deschner <gd@samba.org>
Wed, 16 Feb 2011 10:44:04 +0000 (11:44 +0100)
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
source3/rpc_server/lsa/srv_lsa_nt.c

index d190775111a71a3a69c20c46be32d60b9f2a9861..e3b5009e31b6f3d410b70b941bb15799153f9a17 100644 (file)
@@ -1480,12 +1480,88 @@ NTSTATUS _lsa_OpenSecret(struct pipes_struct *p, struct lsa_OpenSecret *r)
 }
 
 /***************************************************************************
+ _lsa_OpenTrustedDomain_base
+ ***************************************************************************/
+
+static NTSTATUS _lsa_OpenTrustedDomain_base(struct pipes_struct *p,
+                                           uint32_t access_mask,
+                                           struct trustdom_info *info,
+                                           struct policy_handle *handle)
+{
+       struct security_descriptor *psd = NULL;
+       size_t sd_size;
+       uint32_t acc_granted;
+       NTSTATUS status;
+
+       /* des_access is for the account here, not the policy
+        * handle - so don't check against policy handle. */
+
+       /* Work out max allowed. */
+       map_max_allowed_access(p->server_info->security_token,
+                              &p->server_info->utok,
+                              &access_mask);
+
+       /* map the generic bits to the lsa account ones */
+       se_map_generic(&access_mask, &lsa_account_mapping);
+
+       /* get the generic lsa account SD until we store it */
+       status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
+                                   &lsa_trusted_domain_mapping,
+                                   NULL, 0);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       status = access_check_object(psd, p->server_info->security_token,
+                                    SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
+                                    access_mask, &acc_granted,
+                                    "_lsa_OpenTrustedDomain");
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       status = create_lsa_policy_handle(p->mem_ctx, p,
+                                         LSA_HANDLE_TRUST_TYPE,
+                                         acc_granted,
+                                         &info->sid,
+                                         info->name,
+                                         psd,
+                                         handle);
+       if (!NT_STATUS_IS_OK(status)) {
+               return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+       }
+
+       return NT_STATUS_OK;
+}
+
+/***************************************************************************
+ _lsa_OpenTrustedDomain
  ***************************************************************************/
 
 NTSTATUS _lsa_OpenTrustedDomain(struct pipes_struct *p,
                                struct lsa_OpenTrustedDomain *r)
 {
-       return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+       struct lsa_info *handle = NULL;
+       struct trustdom_info *info;
+       NTSTATUS status;
+
+       if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
+               return NT_STATUS_INVALID_HANDLE;
+       }
+
+       if (handle->type != LSA_HANDLE_POLICY_TYPE) {
+               return NT_STATUS_INVALID_HANDLE;
+       }
+
+       status = lsa_lookup_trusted_domain_by_sid(p->mem_ctx,
+                                                 r->in.sid,
+                                                 &info);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       return _lsa_OpenTrustedDomain_base(p, r->in.access_mask, info,
+                                          r->out.trustdom_handle);
 }
 
 /***************************************************************************
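Review bot: In `_lsa_OpenTrustedDomain_base` the generic bits of `access_mask` are expanded with `lsa_account_mapping`, while the security descriptor checked a few lines later is built from `lsa_trusted_domain_mapping`, so a generic request is translated into account rights and then evaluated against a trusted-domain SD. This looks carried over from the account-open path (both comments still say "lsa account"); unless the two mappings are known to be bit-identical, use `se_map_generic(&access_mask, &lsa_trusted_domain_mapping);` and update the comments. Separately, the failure branch after `create_lsa_policy_handle` replaces the returned status with `NT_STATUS_OBJECT_NAME_NOT_FOUND`, which would report, for example, an allocation failure as a missing domain; `return status;` keeps the real cause. A one-line comment in `_lsa_OpenTrustedDomain` noting that only the handle type, not the policy handle's granted access, is checked before the SID lookup would make that decision explicit for later readers.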