2 Unix SMB/CIFS implementation.
4 endpoint server for the lsarpc pipe
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2007
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "rpc_server/lsa/lsa.h"
24 #include "util/util_ldb.h"
25 #include "libcli/ldap/ldap_ndr.h"
28 this type allows us to distinguish handle types
32 state associated with a lsa_OpenAccount() operation
34 struct lsa_account_state {
35 struct lsa_policy_state *policy;
37 struct dom_sid *account_sid;
42 state associated with a lsa_OpenSecret() operation
44 struct lsa_secret_state {
45 struct lsa_policy_state *policy;
47 struct ldb_dn *secret_dn;
48 struct ldb_context *sam_ldb;
53 state associated with a lsa_OpenTrustedDomain() operation
55 struct lsa_trusted_domain_state {
56 struct lsa_policy_state *policy;
58 struct ldb_dn *trusted_domain_dn;
61 static NTSTATUS dcesrv_lsa_EnumAccountRights(struct dcesrv_call_state *dce_call,
63 struct lsa_EnumAccountRights *r);
65 static NTSTATUS dcesrv_lsa_AddRemoveAccountRights(struct dcesrv_call_state *dce_call,
67 struct lsa_policy_state *state,
70 const struct lsa_RightSet *rights);
75 static NTSTATUS dcesrv_lsa_Close(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
78 struct dcesrv_handle *h;
80 *r->out.handle = *r->in.handle;
82 DCESRV_PULL_HANDLE(h, r->in.handle, DCESRV_HANDLE_ANY);
86 ZERO_STRUCTP(r->out.handle);
95 static NTSTATUS dcesrv_lsa_Delete(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
98 struct dcesrv_handle *h;
101 DCESRV_PULL_HANDLE(h, r->in.handle, DCESRV_HANDLE_ANY);
103 if (h->wire_handle.handle_type == LSA_HANDLE_SECRET) {
104 struct lsa_secret_state *secret_state = h->data;
106 /* Ensure user is permitted to delete this... */
107 switch (security_session_user_level(dce_call->conn->auth_state.session_info))
109 case SECURITY_SYSTEM:
110 case SECURITY_ADMINISTRATOR:
113 /* Users and annonymous are not allowed delete things */
114 return NT_STATUS_ACCESS_DENIED;
117 ret = ldb_delete(secret_state->sam_ldb,
118 secret_state->secret_dn);
121 return NT_STATUS_INVALID_HANDLE;
125 } else if (h->wire_handle.handle_type == LSA_HANDLE_TRUSTED_DOMAIN) {
126 struct lsa_trusted_domain_state *trusted_domain_state = h->data;
127 ret = ldb_delete(trusted_domain_state->policy->sam_ldb,
128 trusted_domain_state->trusted_domain_dn);
131 return NT_STATUS_INVALID_HANDLE;
135 } else if (h->wire_handle.handle_type == LSA_HANDLE_ACCOUNT) {
136 struct lsa_RightSet *rights;
137 struct lsa_account_state *astate;
138 struct lsa_EnumAccountRights r2;
141 rights = talloc(mem_ctx, struct lsa_RightSet);
143 DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_ACCOUNT);
147 r2.in.handle = &astate->policy->handle->wire_handle;
148 r2.in.sid = astate->account_sid;
149 r2.out.rights = rights;
151 status = dcesrv_lsa_EnumAccountRights(dce_call, mem_ctx, &r2);
152 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
156 if (!NT_STATUS_IS_OK(status)) {
160 status = dcesrv_lsa_AddRemoveAccountRights(dce_call, mem_ctx, astate->policy,
161 LDB_FLAG_MOD_DELETE, astate->account_sid,
163 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
167 if (!NT_STATUS_IS_OK(status)) {
172 return NT_STATUS_INVALID_HANDLE;
179 static NTSTATUS dcesrv_lsa_EnumPrivs(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
180 struct lsa_EnumPrivs *r)
182 struct dcesrv_handle *h;
183 struct lsa_policy_state *state;
185 const char *privname;
187 DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_POLICY);
191 i = *r->in.resume_handle;
194 while ((privname = sec_privilege_name(i)) &&
195 r->out.privs->count < r->in.max_count) {
196 struct lsa_PrivEntry *e;
198 r->out.privs->privs = talloc_realloc(r->out.privs,
200 struct lsa_PrivEntry,
201 r->out.privs->count+1);
202 if (r->out.privs->privs == NULL) {
203 return NT_STATUS_NO_MEMORY;
205 e = &r->out.privs->privs[r->out.privs->count];
208 e->name.string = privname;
209 r->out.privs->count++;
213 *r->out.resume_handle = i;
222 static NTSTATUS dcesrv_lsa_QuerySecurity(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
223 struct lsa_QuerySecurity *r)
225 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
232 static NTSTATUS dcesrv_lsa_SetSecObj(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
233 struct lsa_SetSecObj *r)
235 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
242 static NTSTATUS dcesrv_lsa_ChangePassword(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
243 struct lsa_ChangePassword *r)
245 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
249 dssetup_DsRoleGetPrimaryDomainInformation
251 This is not an LSA call, but is the only call left on the DSSETUP
252 pipe (after the pipe was truncated), and needs lsa_get_policy_state
254 static WERROR dcesrv_dssetup_DsRoleGetPrimaryDomainInformation(struct dcesrv_call_state *dce_call,
256 struct dssetup_DsRoleGetPrimaryDomainInformation *r)
258 union dssetup_DsRoleInfo *info;
260 info = talloc(mem_ctx, union dssetup_DsRoleInfo);
261 W_ERROR_HAVE_NO_MEMORY(info);
263 switch (r->in.level) {
264 case DS_ROLE_BASIC_INFORMATION:
266 enum dssetup_DsRole role = DS_ROLE_STANDALONE_SERVER;
268 const char *domain = NULL;
269 const char *dns_domain = NULL;
270 const char *forest = NULL;
271 struct GUID domain_guid;
272 struct lsa_policy_state *state;
274 NTSTATUS status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx, &state);
275 if (!NT_STATUS_IS_OK(status)) {
276 return ntstatus_to_werror(status);
279 ZERO_STRUCT(domain_guid);
281 switch (lp_server_role(dce_call->conn->dce_ctx->lp_ctx)) {
282 case ROLE_STANDALONE:
283 role = DS_ROLE_STANDALONE_SERVER;
285 case ROLE_DOMAIN_MEMBER:
286 role = DS_ROLE_MEMBER_SERVER;
288 case ROLE_DOMAIN_CONTROLLER:
289 if (samdb_is_pdc(state->sam_ldb)) {
290 role = DS_ROLE_PRIMARY_DC;
292 role = DS_ROLE_BACKUP_DC;
297 switch (lp_server_role(dce_call->conn->dce_ctx->lp_ctx)) {
298 case ROLE_STANDALONE:
299 domain = talloc_strdup(mem_ctx, lp_workgroup(dce_call->conn->dce_ctx->lp_ctx));
300 W_ERROR_HAVE_NO_MEMORY(domain);
302 case ROLE_DOMAIN_MEMBER:
303 domain = talloc_strdup(mem_ctx, lp_workgroup(dce_call->conn->dce_ctx->lp_ctx));
304 W_ERROR_HAVE_NO_MEMORY(domain);
305 /* TODO: what is with dns_domain and forest and guid? */
307 case ROLE_DOMAIN_CONTROLLER:
308 flags = DS_ROLE_PRIMARY_DS_RUNNING;
310 if (state->mixed_domain == 1) {
311 flags |= DS_ROLE_PRIMARY_DS_MIXED_MODE;
314 domain = state->domain_name;
315 dns_domain = state->domain_dns;
316 forest = state->forest_dns;
318 domain_guid = state->domain_guid;
319 flags |= DS_ROLE_PRIMARY_DOMAIN_GUID_PRESENT;
323 info->basic.role = role;
324 info->basic.flags = flags;
325 info->basic.domain = domain;
326 info->basic.dns_domain = dns_domain;
327 info->basic.forest = forest;
328 info->basic.domain_guid = domain_guid;
333 case DS_ROLE_UPGRADE_STATUS:
335 info->upgrade.upgrading = DS_ROLE_NOT_UPGRADING;
336 info->upgrade.previous_role = DS_ROLE_PREVIOUS_UNKNOWN;
341 case DS_ROLE_OP_STATUS:
343 info->opstatus.status = DS_ROLE_OP_IDLE;
349 return WERR_INVALID_PARAM;
352 return WERR_INVALID_PARAM;
357 fill in the AccountDomain info
359 static NTSTATUS dcesrv_lsa_info_AccountDomain(struct lsa_policy_state *state, TALLOC_CTX *mem_ctx,
360 struct lsa_DomainInfo *info)
362 info->name.string = state->domain_name;
363 info->sid = state->domain_sid;
369 fill in the DNS domain info
371 static NTSTATUS dcesrv_lsa_info_DNS(struct lsa_policy_state *state, TALLOC_CTX *mem_ctx,
372 struct lsa_DnsDomainInfo *info)
374 info->name.string = state->domain_name;
375 info->sid = state->domain_sid;
376 info->dns_domain.string = state->domain_dns;
377 info->dns_forest.string = state->forest_dns;
378 info->domain_guid = state->domain_guid;
386 static NTSTATUS dcesrv_lsa_QueryInfoPolicy2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
387 struct lsa_QueryInfoPolicy2 *r)
389 struct lsa_policy_state *state;
390 struct dcesrv_handle *h;
394 DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_POLICY);
398 r->out.info = talloc(mem_ctx, union lsa_PolicyInformation);
400 return NT_STATUS_NO_MEMORY;
403 ZERO_STRUCTP(r->out.info);
405 switch (r->in.level) {
406 case LSA_POLICY_INFO_DOMAIN:
407 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
408 return dcesrv_lsa_info_AccountDomain(state, mem_ctx, &r->out.info->account_domain);
410 case LSA_POLICY_INFO_DNS:
411 return dcesrv_lsa_info_DNS(state, mem_ctx, &r->out.info->dns);
412 case LSA_POLICY_INFO_DB:
413 case LSA_POLICY_INFO_AUDIT_FULL_SET:
414 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
415 return NT_STATUS_INVALID_PARAMETER;
418 return NT_STATUS_INVALID_INFO_CLASS;
424 static NTSTATUS dcesrv_lsa_QueryInfoPolicy(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
425 struct lsa_QueryInfoPolicy *r)
427 struct lsa_QueryInfoPolicy2 r2;
430 r2.in.handle = r->in.handle;
431 r2.in.level = r->in.level;
433 status = dcesrv_lsa_QueryInfoPolicy2(dce_call, mem_ctx, &r2);
435 r->out.info = r2.out.info;
443 static NTSTATUS dcesrv_lsa_SetInfoPolicy(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
444 struct lsa_SetInfoPolicy *r)
446 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
453 static NTSTATUS dcesrv_lsa_ClearAuditLog(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
454 struct lsa_ClearAuditLog *r)
456 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
463 This call does not seem to have any long-term effects, hence no database operations
465 static NTSTATUS dcesrv_lsa_CreateAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
466 struct lsa_CreateAccount *r)
468 struct lsa_account_state *astate;
470 struct lsa_policy_state *state;
471 struct dcesrv_handle *h, *ah;
473 ZERO_STRUCTP(r->out.acct_handle);
475 DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_POLICY);
479 astate = talloc(dce_call->conn, struct lsa_account_state);
480 if (astate == NULL) {
481 return NT_STATUS_NO_MEMORY;
484 astate->account_sid = dom_sid_dup(astate, r->in.sid);
485 if (astate->account_sid == NULL) {
487 return NT_STATUS_NO_MEMORY;
490 astate->policy = talloc_reference(astate, state);
491 astate->access_mask = r->in.access_mask;
493 ah = dcesrv_handle_new(dce_call->context, LSA_HANDLE_ACCOUNT);
496 return NT_STATUS_NO_MEMORY;
499 ah->data = talloc_steal(ah, astate);
501 *r->out.acct_handle = ah->wire_handle;
510 static NTSTATUS dcesrv_lsa_EnumAccounts(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
511 struct lsa_EnumAccounts *r)
513 struct dcesrv_handle *h;
514 struct lsa_policy_state *state;
516 struct ldb_message **res;
517 const char * const attrs[] = { "objectSid", NULL};
520 DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_POLICY);
524 /* NOTE: This call must only return accounts that have at least
527 ret = gendb_search(state->sam_ldb, mem_ctx, NULL, &res, attrs,
528 "(&(objectSid=*)(privilege=*))");
530 return NT_STATUS_NO_SUCH_USER;
533 if (*r->in.resume_handle >= ret) {
534 return NT_STATUS_NO_MORE_ENTRIES;
537 count = ret - *r->in.resume_handle;
538 if (count > r->in.num_entries) {
539 count = r->in.num_entries;
543 return NT_STATUS_NO_MORE_ENTRIES;
546 r->out.sids->sids = talloc_array(r->out.sids, struct lsa_SidPtr, count);
547 if (r->out.sids->sids == NULL) {
548 return NT_STATUS_NO_MEMORY;
551 for (i=0;i<count;i++) {
552 r->out.sids->sids[i].sid =
553 samdb_result_dom_sid(r->out.sids->sids,
554 res[i + *r->in.resume_handle],
556 NT_STATUS_HAVE_NO_MEMORY(r->out.sids->sids[i].sid);
559 r->out.sids->num_sids = count;
560 *r->out.resume_handle = count + *r->in.resume_handle;
568 lsa_CreateTrustedDomainEx2
570 static NTSTATUS dcesrv_lsa_CreateTrustedDomainEx2(struct dcesrv_call_state *dce_call,
572 struct lsa_CreateTrustedDomainEx2 *r)
574 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
578 lsa_CreateTrustedDomainEx
580 static NTSTATUS dcesrv_lsa_CreateTrustedDomainEx(struct dcesrv_call_state *dce_call,
582 struct lsa_CreateTrustedDomainEx *r)
584 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
588 lsa_CreateTrustedDomain
590 static NTSTATUS dcesrv_lsa_CreateTrustedDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
591 struct lsa_CreateTrustedDomain *r)
593 struct dcesrv_handle *policy_handle;
594 struct lsa_policy_state *policy_state;
595 struct lsa_trusted_domain_state *trusted_domain_state;
596 struct dcesrv_handle *handle;
597 struct ldb_message **msgs, *msg;
598 const char *attrs[] = {
604 DCESRV_PULL_HANDLE(policy_handle, r->in.handle, LSA_HANDLE_POLICY);
605 ZERO_STRUCTP(r->out.trustdom_handle);
607 policy_state = policy_handle->data;
609 if (!r->in.info->name.string) {
610 return NT_STATUS_INVALID_PARAMETER;
612 name = r->in.info->name.string;
614 trusted_domain_state = talloc(mem_ctx, struct lsa_trusted_domain_state);
615 if (!trusted_domain_state) {
616 return NT_STATUS_NO_MEMORY;
618 trusted_domain_state->policy = policy_state;
620 msg = ldb_msg_new(mem_ctx);
622 return NT_STATUS_NO_MEMORY;
625 /* search for the trusted_domain record */
626 ret = gendb_search(trusted_domain_state->policy->sam_ldb,
627 mem_ctx, policy_state->system_dn, &msgs, attrs,
628 "(&(cn=%s)(objectclass=trustedDomain))",
629 ldb_binary_encode_string(mem_ctx, r->in.info->name.string));
631 return NT_STATUS_OBJECT_NAME_COLLISION;
634 if (ret < 0 || ret > 1) {
635 DEBUG(0,("Found %d records matching DN %s\n", ret,
636 ldb_dn_get_linearized(policy_state->system_dn)));
637 return NT_STATUS_INTERNAL_DB_CORRUPTION;
640 msg->dn = ldb_dn_copy(mem_ctx, policy_state->system_dn);
641 if ( ! ldb_dn_add_child_fmt(msg->dn, "cn=%s", name)) {
642 return NT_STATUS_NO_MEMORY;
645 samdb_msg_add_string(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, "flatname", name);
647 if (r->in.info->sid) {
648 const char *sid_string = dom_sid_string(mem_ctx, r->in.info->sid);
650 return NT_STATUS_NO_MEMORY;
653 samdb_msg_add_string(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, "securityIdentifier", sid_string);
656 samdb_msg_add_string(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, "objectClass", "trustedDomain");
658 trusted_domain_state->trusted_domain_dn = talloc_reference(trusted_domain_state, msg->dn);
660 /* create the trusted_domain */
661 ret = ldb_add(trusted_domain_state->policy->sam_ldb, msg);
665 case LDB_ERR_ENTRY_ALREADY_EXISTS:
666 ldb_transaction_cancel(trusted_domain_state->policy->sam_ldb);
667 DEBUG(0,("Failed to create trusted domain record %s: %s\n",
668 ldb_dn_get_linearized(msg->dn),
669 ldb_errstring(trusted_domain_state->policy->sam_ldb)));
670 return NT_STATUS_DOMAIN_EXISTS;
671 case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
672 ldb_transaction_cancel(trusted_domain_state->policy->sam_ldb);
673 DEBUG(0,("Failed to create trusted domain record %s: %s\n",
674 ldb_dn_get_linearized(msg->dn),
675 ldb_errstring(trusted_domain_state->policy->sam_ldb)));
676 return NT_STATUS_ACCESS_DENIED;
678 ldb_transaction_cancel(trusted_domain_state->policy->sam_ldb);
679 DEBUG(0,("Failed to create user record %s: %s\n",
680 ldb_dn_get_linearized(msg->dn),
681 ldb_errstring(trusted_domain_state->policy->sam_ldb)));
682 return NT_STATUS_INTERNAL_DB_CORRUPTION;
685 handle = dcesrv_handle_new(dce_call->context, LSA_HANDLE_TRUSTED_DOMAIN);
687 return NT_STATUS_NO_MEMORY;
690 handle->data = talloc_steal(handle, trusted_domain_state);
692 trusted_domain_state->access_mask = r->in.access_mask;
693 trusted_domain_state->policy = talloc_reference(trusted_domain_state, policy_state);
695 *r->out.trustdom_handle = handle->wire_handle;
701 lsa_OpenTrustedDomain
703 static NTSTATUS dcesrv_lsa_OpenTrustedDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
704 struct lsa_OpenTrustedDomain *r)
706 struct dcesrv_handle *policy_handle;
708 struct lsa_policy_state *policy_state;
709 struct lsa_trusted_domain_state *trusted_domain_state;
710 struct dcesrv_handle *handle;
711 struct ldb_message **msgs;
712 const char *attrs[] = {
716 const char *sid_string;
719 DCESRV_PULL_HANDLE(policy_handle, r->in.handle, LSA_HANDLE_POLICY);
720 ZERO_STRUCTP(r->out.trustdom_handle);
721 policy_state = policy_handle->data;
723 trusted_domain_state = talloc(mem_ctx, struct lsa_trusted_domain_state);
724 if (!trusted_domain_state) {
725 return NT_STATUS_NO_MEMORY;
727 trusted_domain_state->policy = policy_state;
729 sid_string = dom_sid_string(mem_ctx, r->in.sid);
731 return NT_STATUS_NO_MEMORY;
734 /* search for the trusted_domain record */
735 ret = gendb_search(trusted_domain_state->policy->sam_ldb,
736 mem_ctx, policy_state->system_dn, &msgs, attrs,
737 "(&(securityIdentifier=%s)(objectclass=trustedDomain))",
740 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
744 DEBUG(0,("Found %d records matching DN %s\n", ret,
745 ldb_dn_get_linearized(policy_state->system_dn)));
746 return NT_STATUS_INTERNAL_DB_CORRUPTION;
749 trusted_domain_state->trusted_domain_dn = talloc_reference(trusted_domain_state, msgs[0]->dn);
751 handle = dcesrv_handle_new(dce_call->context, LSA_HANDLE_TRUSTED_DOMAIN);
753 return NT_STATUS_NO_MEMORY;
756 handle->data = talloc_steal(handle, trusted_domain_state);
758 trusted_domain_state->access_mask = r->in.access_mask;
759 trusted_domain_state->policy = talloc_reference(trusted_domain_state, policy_state);
761 *r->out.trustdom_handle = handle->wire_handle;
768 lsa_OpenTrustedDomainByName
770 static NTSTATUS dcesrv_lsa_OpenTrustedDomainByName(struct dcesrv_call_state *dce_call,
772 struct lsa_OpenTrustedDomainByName *r)
774 struct dcesrv_handle *policy_handle;
776 struct lsa_policy_state *policy_state;
777 struct lsa_trusted_domain_state *trusted_domain_state;
778 struct dcesrv_handle *handle;
779 struct ldb_message **msgs;
780 const char *attrs[] = {
786 DCESRV_PULL_HANDLE(policy_handle, r->in.handle, LSA_HANDLE_POLICY);
787 ZERO_STRUCTP(r->out.trustdom_handle);
788 policy_state = policy_handle->data;
790 if (!r->in.name.string) {
791 return NT_STATUS_INVALID_PARAMETER;
794 trusted_domain_state = talloc(mem_ctx, struct lsa_trusted_domain_state);
795 if (!trusted_domain_state) {
796 return NT_STATUS_NO_MEMORY;
798 trusted_domain_state->policy = policy_state;
800 /* search for the trusted_domain record */
801 ret = gendb_search(trusted_domain_state->policy->sam_ldb,
802 mem_ctx, policy_state->system_dn, &msgs, attrs,
803 "(&(flatname=%s)(objectclass=trustedDomain))",
804 ldb_binary_encode_string(mem_ctx, r->in.name.string));
806 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
810 DEBUG(0,("Found %d records matching DN %s\n", ret,
811 ldb_dn_get_linearized(policy_state->system_dn)));
812 return NT_STATUS_INTERNAL_DB_CORRUPTION;
815 trusted_domain_state->trusted_domain_dn = talloc_reference(trusted_domain_state, msgs[0]->dn);
817 handle = dcesrv_handle_new(dce_call->context, LSA_HANDLE_TRUSTED_DOMAIN);
819 return NT_STATUS_NO_MEMORY;
822 handle->data = talloc_steal(handle, trusted_domain_state);
824 trusted_domain_state->access_mask = r->in.access_mask;
825 trusted_domain_state->policy = talloc_reference(trusted_domain_state, policy_state);
827 *r->out.trustdom_handle = handle->wire_handle;
835 lsa_SetTrustedDomainInfo
837 static NTSTATUS dcesrv_lsa_SetTrustedDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
838 struct lsa_SetTrustedDomainInfo *r)
840 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
846 lsa_SetInfomrationTrustedDomain
848 static NTSTATUS dcesrv_lsa_SetInformationTrustedDomain(struct dcesrv_call_state *dce_call,
850 struct lsa_SetInformationTrustedDomain *r)
852 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
857 lsa_DeleteTrustedDomain
859 static NTSTATUS dcesrv_lsa_DeleteTrustedDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
860 struct lsa_DeleteTrustedDomain *r)
863 struct lsa_OpenTrustedDomain open;
864 struct lsa_Delete delete;
865 struct dcesrv_handle *h;
867 open.in.handle = r->in.handle;
868 open.in.sid = r->in.dom_sid;
869 open.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
870 open.out.trustdom_handle = talloc(mem_ctx, struct policy_handle);
871 if (!open.out.trustdom_handle) {
872 return NT_STATUS_NO_MEMORY;
874 status = dcesrv_lsa_OpenTrustedDomain(dce_call, mem_ctx, &open);
875 if (!NT_STATUS_IS_OK(status)) {
879 DCESRV_PULL_HANDLE(h, open.out.trustdom_handle, DCESRV_HANDLE_ANY);
880 talloc_steal(mem_ctx, h);
882 delete.in.handle = open.out.trustdom_handle;
883 status = dcesrv_lsa_Delete(dce_call, mem_ctx, &delete);
884 if (!NT_STATUS_IS_OK(status)) {
890 static NTSTATUS fill_trust_domain_ex(TALLOC_CTX *mem_ctx,
891 struct ldb_message *msg,
892 struct lsa_TrustDomainInfoInfoEx *info_ex)
894 info_ex->domain_name.string
895 = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
896 info_ex->netbios_name.string
897 = ldb_msg_find_attr_as_string(msg, "flatname", NULL);
899 = samdb_result_dom_sid(mem_ctx, msg, "securityIdentifier");
900 info_ex->trust_direction
901 = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
903 = ldb_msg_find_attr_as_int(msg, "trustType", 0);
904 info_ex->trust_attributes
905 = ldb_msg_find_attr_as_int(msg, "trustAttributes", 0);
910 lsa_QueryTrustedDomainInfo
912 static NTSTATUS dcesrv_lsa_QueryTrustedDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
913 struct lsa_QueryTrustedDomainInfo *r)
915 struct dcesrv_handle *h;
916 struct lsa_trusted_domain_state *trusted_domain_state;
917 struct ldb_message *msg;
919 struct ldb_message **res;
920 const char *attrs[] = {
923 "securityIdentifier",
930 DCESRV_PULL_HANDLE(h, r->in.trustdom_handle, LSA_HANDLE_TRUSTED_DOMAIN);
932 trusted_domain_state = h->data;
934 /* pull all the user attributes */
935 ret = gendb_search_dn(trusted_domain_state->policy->sam_ldb, mem_ctx,
936 trusted_domain_state->trusted_domain_dn, &res, attrs);
938 return NT_STATUS_INTERNAL_DB_CORRUPTION;
942 r->out.info = talloc(mem_ctx, union lsa_TrustedDomainInfo);
944 return NT_STATUS_NO_MEMORY;
946 switch (r->in.level) {
947 case LSA_TRUSTED_DOMAIN_INFO_NAME:
948 r->out.info->name.netbios_name.string
949 = samdb_result_string(msg, "flatname", NULL);
951 case LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET:
952 r->out.info->posix_offset.posix_offset
953 = samdb_result_uint(msg, "posixOffset", 0);
955 #if 0 /* Win2k3 doesn't implement this */
956 case LSA_TRUSTED_DOMAIN_INFO_BASIC:
957 r->out.info->info_basic.netbios_name.string
958 = ldb_msg_find_attr_as_string(msg, "flatname", NULL);
959 r->out.info->info_basic.sid
960 = samdb_result_dom_sid(mem_ctx, msg, "securityIdentifier");
963 case LSA_TRUSTED_DOMAIN_INFO_INFO_EX:
964 return fill_trust_domain_ex(mem_ctx, msg, &r->out.info->info_ex);
966 case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO:
967 ZERO_STRUCT(r->out.info->full_info);
968 return fill_trust_domain_ex(mem_ctx, msg, &r->out.info->full_info.info_ex);
970 case LSA_TRUSTED_DOMAIN_INFO_INFO_ALL:
971 ZERO_STRUCT(r->out.info->info_all);
972 return fill_trust_domain_ex(mem_ctx, msg, &r->out.info->info_all.info_ex);
974 case LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS_INFO:
975 case LSA_TRUSTED_DOMAIN_INFO_11:
976 /* oops, we don't want to return the info after all */
977 talloc_free(r->out.info);
979 return NT_STATUS_INVALID_PARAMETER;
981 /* oops, we don't want to return the info after all */
982 talloc_free(r->out.info);
984 return NT_STATUS_INVALID_INFO_CLASS;
992 lsa_QueryTrustedDomainInfoBySid
994 static NTSTATUS dcesrv_lsa_QueryTrustedDomainInfoBySid(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
995 struct lsa_QueryTrustedDomainInfoBySid *r)
998 struct lsa_OpenTrustedDomain open;
999 struct lsa_QueryTrustedDomainInfo query;
1000 struct dcesrv_handle *h;
1001 open.in.handle = r->in.handle;
1002 open.in.sid = r->in.dom_sid;
1003 open.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1004 open.out.trustdom_handle = talloc(mem_ctx, struct policy_handle);
1005 if (!open.out.trustdom_handle) {
1006 return NT_STATUS_NO_MEMORY;
1008 status = dcesrv_lsa_OpenTrustedDomain(dce_call, mem_ctx, &open);
1009 if (!NT_STATUS_IS_OK(status)) {
1013 /* Ensure this handle goes away at the end of this call */
1014 DCESRV_PULL_HANDLE(h, open.out.trustdom_handle, DCESRV_HANDLE_ANY);
1015 talloc_steal(mem_ctx, h);
1017 query.in.trustdom_handle = open.out.trustdom_handle;
1018 query.in.level = r->in.level;
1019 status = dcesrv_lsa_QueryTrustedDomainInfo(dce_call, mem_ctx, &query);
1020 if (!NT_STATUS_IS_OK(status)) {
1024 r->out.info = query.out.info;
1025 return NT_STATUS_OK;
1029 lsa_SetTrustedDomainInfoByName
1031 static NTSTATUS dcesrv_lsa_SetTrustedDomainInfoByName(struct dcesrv_call_state *dce_call,
1032 TALLOC_CTX *mem_ctx,
1033 struct lsa_SetTrustedDomainInfoByName *r)
1035 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1039 lsa_QueryTrustedDomainInfoByName
1041 static NTSTATUS dcesrv_lsa_QueryTrustedDomainInfoByName(struct dcesrv_call_state *dce_call,
1042 TALLOC_CTX *mem_ctx,
1043 struct lsa_QueryTrustedDomainInfoByName *r)
1046 struct lsa_OpenTrustedDomainByName open;
1047 struct lsa_QueryTrustedDomainInfo query;
1048 struct dcesrv_handle *h;
1049 open.in.handle = r->in.handle;
1050 open.in.name = r->in.trusted_domain;
1051 open.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1052 open.out.trustdom_handle = talloc(mem_ctx, struct policy_handle);
1053 if (!open.out.trustdom_handle) {
1054 return NT_STATUS_NO_MEMORY;
1056 status = dcesrv_lsa_OpenTrustedDomainByName(dce_call, mem_ctx, &open);
1057 if (!NT_STATUS_IS_OK(status)) {
1061 /* Ensure this handle goes away at the end of this call */
1062 DCESRV_PULL_HANDLE(h, open.out.trustdom_handle, DCESRV_HANDLE_ANY);
1063 talloc_steal(mem_ctx, h);
1065 query.in.trustdom_handle = open.out.trustdom_handle;
1066 query.in.level = r->in.level;
1067 status = dcesrv_lsa_QueryTrustedDomainInfo(dce_call, mem_ctx, &query);
1068 if (!NT_STATUS_IS_OK(status)) {
1072 r->out.info = query.out.info;
1073 return NT_STATUS_OK;
1077 lsa_CloseTrustedDomainEx
1079 static NTSTATUS dcesrv_lsa_CloseTrustedDomainEx(struct dcesrv_call_state *dce_call,
1080 TALLOC_CTX *mem_ctx,
1081 struct lsa_CloseTrustedDomainEx *r)
1083 /* The result of a bad hair day from an IDL programmer? Not
1084 * implmented in Win2k3. You should always just lsa_Close
1086 return NT_STATUS_NOT_IMPLEMENTED;
1091 comparison function for sorting lsa_DomainInformation array
1093 static int compare_DomainInfo(struct lsa_DomainInfo *e1, struct lsa_DomainInfo *e2)
1095 return strcasecmp_m(e1->name.string, e2->name.string);
1101 static NTSTATUS dcesrv_lsa_EnumTrustDom(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1102 struct lsa_EnumTrustDom *r)
1104 struct dcesrv_handle *policy_handle;
1105 struct lsa_DomainInfo *entries;
1106 struct lsa_policy_state *policy_state;
1107 struct ldb_message **domains;
1108 const char *attrs[] = {
1110 "securityIdentifier",
1117 *r->out.resume_handle = 0;
1119 r->out.domains->domains = NULL;
1120 r->out.domains->count = 0;
1122 DCESRV_PULL_HANDLE(policy_handle, r->in.handle, LSA_HANDLE_POLICY);
1124 policy_state = policy_handle->data;
1126 /* search for all users in this domain. This could possibly be cached and
1127 resumed based on resume_key */
1128 count = gendb_search(policy_state->sam_ldb, mem_ctx, policy_state->system_dn, &domains, attrs,
1129 "objectclass=trustedDomain");
1131 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1133 if (count == 0 || r->in.max_size == 0) {
1134 return NT_STATUS_OK;
1137 /* convert to lsa_TrustInformation format */
1138 entries = talloc_array(mem_ctx, struct lsa_DomainInfo, count);
1140 return NT_STATUS_NO_MEMORY;
1142 for (i=0;i<count;i++) {
1143 entries[i].sid = samdb_result_dom_sid(mem_ctx, domains[i], "securityIdentifier");
1144 entries[i].name.string = samdb_result_string(domains[i], "flatname", NULL);
1147 /* sort the results by name */
1148 qsort(entries, count, sizeof(*entries),
1149 (comparison_fn_t)compare_DomainInfo);
1151 if (*r->in.resume_handle >= count) {
1152 *r->out.resume_handle = -1;
1154 return NT_STATUS_NO_MORE_ENTRIES;
1157 /* return the rest, limit by max_size. Note that we
1158 use the w2k3 element size value of 60 */
1159 r->out.domains->count = count - *r->in.resume_handle;
1160 r->out.domains->count = MIN(r->out.domains->count,
1161 1+(r->in.max_size/LSA_ENUM_TRUST_DOMAIN_MULTIPLIER));
1163 r->out.domains->domains = entries + *r->in.resume_handle;
1164 r->out.domains->count = r->out.domains->count;
1166 if (r->out.domains->count < count - *r->in.resume_handle) {
1167 *r->out.resume_handle = *r->in.resume_handle + r->out.domains->count;
1168 return STATUS_MORE_ENTRIES;
1171 return NT_STATUS_OK;
1175 comparison function for sorting lsa_DomainInformation array
1177 static int compare_TrustDomainInfoInfoEx(struct lsa_TrustDomainInfoInfoEx *e1, struct lsa_TrustDomainInfoInfoEx *e2)
1179 return strcasecmp_m(e1->netbios_name.string, e2->netbios_name.string);
1183 lsa_EnumTrustedDomainsEx
1185 static NTSTATUS dcesrv_lsa_EnumTrustedDomainsEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1186 struct lsa_EnumTrustedDomainsEx *r)
1188 struct dcesrv_handle *policy_handle;
1189 struct lsa_TrustDomainInfoInfoEx *entries;
1190 struct lsa_policy_state *policy_state;
1191 struct ldb_message **domains;
1192 const char *attrs[] = {
1195 "securityIdentifier",
1205 *r->out.resume_handle = 0;
1207 r->out.domains->domains = NULL;
1208 r->out.domains->count = 0;
1210 DCESRV_PULL_HANDLE(policy_handle, r->in.handle, LSA_HANDLE_POLICY);
1212 policy_state = policy_handle->data;
1214 /* search for all users in this domain. This could possibly be cached and
1215 resumed based on resume_key */
1216 count = gendb_search(policy_state->sam_ldb, mem_ctx, policy_state->system_dn, &domains, attrs,
1217 "objectclass=trustedDomain");
1219 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1221 if (count == 0 || r->in.max_size == 0) {
1222 return NT_STATUS_OK;
1225 /* convert to lsa_DomainInformation format */
1226 entries = talloc_array(mem_ctx, struct lsa_TrustDomainInfoInfoEx, count);
1228 return NT_STATUS_NO_MEMORY;
1230 for (i=0;i<count;i++) {
1231 nt_status = fill_trust_domain_ex(mem_ctx, domains[i], &entries[i]);
1232 if (!NT_STATUS_IS_OK(nt_status)) {
1237 /* sort the results by name */
1238 qsort(entries, count, sizeof(*entries),
1239 (comparison_fn_t)compare_TrustDomainInfoInfoEx);
1241 if (*r->in.resume_handle >= count) {
1242 *r->out.resume_handle = -1;
1244 return NT_STATUS_NO_MORE_ENTRIES;
1247 /* return the rest, limit by max_size. Note that we
1248 use the w2k3 element size value of 60 */
1249 r->out.domains->count = count - *r->in.resume_handle;
1250 r->out.domains->count = MIN(r->out.domains->count,
1251 1+(r->in.max_size/LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER));
1253 r->out.domains->domains = entries + *r->in.resume_handle;
1254 r->out.domains->count = r->out.domains->count;
1256 if (r->out.domains->count < count - *r->in.resume_handle) {
1257 *r->out.resume_handle = *r->in.resume_handle + r->out.domains->count;
1258 return STATUS_MORE_ENTRIES;
1261 return NT_STATUS_OK;
1268 static NTSTATUS dcesrv_lsa_OpenAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1269 struct lsa_OpenAccount *r)
1271 struct dcesrv_handle *h, *ah;
1272 struct lsa_policy_state *state;
1273 struct lsa_account_state *astate;
1275 ZERO_STRUCTP(r->out.acct_handle);
1277 DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_POLICY);
1281 astate = talloc(dce_call->conn, struct lsa_account_state);
1282 if (astate == NULL) {
1283 return NT_STATUS_NO_MEMORY;
1286 astate->account_sid = dom_sid_dup(astate, r->in.sid);
1287 if (astate->account_sid == NULL) {
1288 talloc_free(astate);
1289 return NT_STATUS_NO_MEMORY;
1292 astate->policy = talloc_reference(astate, state);
1293 astate->access_mask = r->in.access_mask;
1295 ah = dcesrv_handle_new(dce_call->context, LSA_HANDLE_ACCOUNT);
1297 talloc_free(astate);
1298 return NT_STATUS_NO_MEMORY;
1301 ah->data = talloc_steal(ah, astate);
1303 *r->out.acct_handle = ah->wire_handle;
1305 return NT_STATUS_OK;
1310 lsa_EnumPrivsAccount
1312 static NTSTATUS dcesrv_lsa_EnumPrivsAccount(struct dcesrv_call_state *dce_call,
1313 TALLOC_CTX *mem_ctx,
1314 struct lsa_EnumPrivsAccount *r)
1316 struct dcesrv_handle *h;
1317 struct lsa_account_state *astate;
1319 struct ldb_message **res;
1320 const char * const attrs[] = { "privilege", NULL};
1321 struct ldb_message_element *el;
1324 DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_ACCOUNT);
1328 r->out.privs = talloc(mem_ctx, struct lsa_PrivilegeSet);
1329 r->out.privs->count = 0;
1330 r->out.privs->unknown = 0;
1331 r->out.privs->set = NULL;
1333 sidstr = ldap_encode_ndr_dom_sid(mem_ctx, astate->account_sid);
1334 if (sidstr == NULL) {
1335 return NT_STATUS_NO_MEMORY;
1338 ret = gendb_search(astate->policy->sam_ldb, mem_ctx, NULL, &res, attrs,
1339 "objectSid=%s", sidstr);
1341 return NT_STATUS_OK;
1344 el = ldb_msg_find_element(res[0], "privilege");
1345 if (el == NULL || el->num_values == 0) {
1346 return NT_STATUS_OK;
1349 r->out.privs->set = talloc_array(r->out.privs,
1350 struct lsa_LUIDAttribute, el->num_values);
1351 if (r->out.privs->set == NULL) {
1352 return NT_STATUS_NO_MEMORY;
1355 for (i=0;i<el->num_values;i++) {
1356 int id = sec_privilege_id((const char *)el->values[i].data);
1358 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1360 r->out.privs->set[i].attribute = 0;
1361 r->out.privs->set[i].luid.low = id;
1362 r->out.privs->set[i].luid.high = 0;
1365 r->out.privs->count = el->num_values;
1367 return NT_STATUS_OK;
1371 lsa_EnumAccountRights
1373 static NTSTATUS dcesrv_lsa_EnumAccountRights(struct dcesrv_call_state *dce_call,
1374 TALLOC_CTX *mem_ctx,
1375 struct lsa_EnumAccountRights *r)
1377 struct dcesrv_handle *h;
1378 struct lsa_policy_state *state;
1380 struct ldb_message **res;
1381 const char * const attrs[] = { "privilege", NULL};
1383 struct ldb_message_element *el;
1385 DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_POLICY);
1389 sidstr = ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid);
1390 if (sidstr == NULL) {
1391 return NT_STATUS_NO_MEMORY;
1394 ret = gendb_search(state->sam_ldb, mem_ctx, NULL, &res, attrs,
1395 "(&(objectSid=%s)(privilege=*))", sidstr);
1397 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1400 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1403 DEBUG(3, ("searching for account rights for SID: %s failed: %s",
1404 dom_sid_string(mem_ctx, r->in.sid),
1405 ldb_errstring(state->sam_ldb)));
1406 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1409 el = ldb_msg_find_element(res[0], "privilege");
1410 if (el == NULL || el->num_values == 0) {
1411 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1414 r->out.rights->count = el->num_values;
1415 r->out.rights->names = talloc_array(r->out.rights,
1416 struct lsa_StringLarge, r->out.rights->count);
1417 if (r->out.rights->names == NULL) {
1418 return NT_STATUS_NO_MEMORY;
1421 for (i=0;i<el->num_values;i++) {
1422 r->out.rights->names[i].string = (const char *)el->values[i].data;
1425 return NT_STATUS_OK;
1431 helper for lsa_AddAccountRights and lsa_RemoveAccountRights
1433 static NTSTATUS dcesrv_lsa_AddRemoveAccountRights(struct dcesrv_call_state *dce_call,
1434 TALLOC_CTX *mem_ctx,
1435 struct lsa_policy_state *state,
1437 struct dom_sid *sid,
1438 const struct lsa_RightSet *rights)
1441 struct ldb_message *msg;
1442 struct ldb_message_element *el;
1444 struct lsa_EnumAccountRights r2;
1446 sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid);
1447 if (sidstr == NULL) {
1448 return NT_STATUS_NO_MEMORY;
1451 msg = ldb_msg_new(mem_ctx);
1453 return NT_STATUS_NO_MEMORY;
1456 msg->dn = samdb_search_dn(state->sam_ldb, mem_ctx,
1457 NULL, "objectSid=%s", sidstr);
1458 if (msg->dn == NULL) {
1460 if (ldb_flag == LDB_FLAG_MOD_DELETE) {
1461 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1463 status = samdb_create_foreign_security_principal(state->sam_ldb, mem_ctx,
1465 if (!NT_STATUS_IS_OK(status)) {
1468 return NT_STATUS_NO_SUCH_USER;
1471 if (ldb_msg_add_empty(msg, "privilege", ldb_flag, NULL)) {
1472 return NT_STATUS_NO_MEMORY;
1475 if (ldb_flag == LDB_FLAG_MOD_ADD) {
1478 r2.in.handle = &state->handle->wire_handle;
1480 r2.out.rights = talloc(mem_ctx, struct lsa_RightSet);
1482 status = dcesrv_lsa_EnumAccountRights(dce_call, mem_ctx, &r2);
1483 if (!NT_STATUS_IS_OK(status)) {
1484 ZERO_STRUCTP(r2.out.rights);
1488 for (i=0;i<rights->count;i++) {
1489 if (sec_privilege_id(rights->names[i].string) == -1) {
1490 return NT_STATUS_NO_SUCH_PRIVILEGE;
1493 if (ldb_flag == LDB_FLAG_MOD_ADD) {
1495 for (j=0;j<r2.out.rights->count;j++) {
1496 if (strcasecmp_m(r2.out.rights->names[j].string,
1497 rights->names[i].string) == 0) {
1501 if (j != r2.out.rights->count) continue;
1504 ret = ldb_msg_add_string(msg, "privilege", rights->names[i].string);
1505 if (ret != LDB_SUCCESS) {
1506 return NT_STATUS_NO_MEMORY;
1510 el = ldb_msg_find_element(msg, "privilege");
1512 return NT_STATUS_OK;
1515 ret = ldb_modify(state->sam_ldb, msg);
1517 if (ldb_flag == LDB_FLAG_MOD_DELETE && ret == LDB_ERR_NO_SUCH_ATTRIBUTE) {
1518 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1520 DEBUG(3, ("Could not %s attributes from %s: %s",
1521 ldb_flag == LDB_FLAG_MOD_DELETE ? "delete" : "add",
1522 ldb_dn_get_linearized(msg->dn), ldb_errstring(state->sam_ldb)));
1523 return NT_STATUS_UNEXPECTED_IO_ERROR;
1526 return NT_STATUS_OK;
1530 lsa_AddPrivilegesToAccount
1532 static NTSTATUS dcesrv_lsa_AddPrivilegesToAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1533 struct lsa_AddPrivilegesToAccount *r)
1535 struct lsa_RightSet rights;
1536 struct dcesrv_handle *h;
1537 struct lsa_account_state *astate;
1540 DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_ACCOUNT);
1544 rights.count = r->in.privs->count;
1545 rights.names = talloc_array(mem_ctx, struct lsa_StringLarge, rights.count);
1546 if (rights.names == NULL) {
1547 return NT_STATUS_NO_MEMORY;
1549 for (i=0;i<rights.count;i++) {
1550 int id = r->in.privs->set[i].luid.low;
1551 if (r->in.privs->set[i].luid.high) {
1552 return NT_STATUS_NO_SUCH_PRIVILEGE;
1554 rights.names[i].string = sec_privilege_name(id);
1555 if (rights.names[i].string == NULL) {
1556 return NT_STATUS_NO_SUCH_PRIVILEGE;
1560 return dcesrv_lsa_AddRemoveAccountRights(dce_call, mem_ctx, astate->policy,
1561 LDB_FLAG_MOD_ADD, astate->account_sid,
1567 lsa_RemovePrivilegesFromAccount
1569 static NTSTATUS dcesrv_lsa_RemovePrivilegesFromAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1570 struct lsa_RemovePrivilegesFromAccount *r)
1572 struct lsa_RightSet *rights;
1573 struct dcesrv_handle *h;
1574 struct lsa_account_state *astate;
1577 DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_ACCOUNT);
1581 rights = talloc(mem_ctx, struct lsa_RightSet);
1583 if (r->in.remove_all == 1 &&
1584 r->in.privs == NULL) {
1585 struct lsa_EnumAccountRights r2;
1588 r2.in.handle = &astate->policy->handle->wire_handle;
1589 r2.in.sid = astate->account_sid;
1590 r2.out.rights = rights;
1592 status = dcesrv_lsa_EnumAccountRights(dce_call, mem_ctx, &r2);
1593 if (!NT_STATUS_IS_OK(status)) {
1597 return dcesrv_lsa_AddRemoveAccountRights(dce_call, mem_ctx, astate->policy,
1598 LDB_FLAG_MOD_DELETE, astate->account_sid,
1602 if (r->in.remove_all != 0) {
1603 return NT_STATUS_INVALID_PARAMETER;
1606 rights->count = r->in.privs->count;
1607 rights->names = talloc_array(mem_ctx, struct lsa_StringLarge, rights->count);
1608 if (rights->names == NULL) {
1609 return NT_STATUS_NO_MEMORY;
1611 for (i=0;i<rights->count;i++) {
1612 int id = r->in.privs->set[i].luid.low;
1613 if (r->in.privs->set[i].luid.high) {
1614 return NT_STATUS_NO_SUCH_PRIVILEGE;
1616 rights->names[i].string = sec_privilege_name(id);
1617 if (rights->names[i].string == NULL) {
1618 return NT_STATUS_NO_SUCH_PRIVILEGE;
1622 return dcesrv_lsa_AddRemoveAccountRights(dce_call, mem_ctx, astate->policy,
1623 LDB_FLAG_MOD_DELETE, astate->account_sid,
1629 lsa_GetQuotasForAccount
1631 static NTSTATUS dcesrv_lsa_GetQuotasForAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1632 struct lsa_GetQuotasForAccount *r)
1634 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1639 lsa_SetQuotasForAccount
1641 static NTSTATUS dcesrv_lsa_SetQuotasForAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1642 struct lsa_SetQuotasForAccount *r)
1644 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1649 lsa_GetSystemAccessAccount
1651 static NTSTATUS dcesrv_lsa_GetSystemAccessAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1652 struct lsa_GetSystemAccessAccount *r)
1654 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1659 lsa_SetSystemAccessAccount
1661 static NTSTATUS dcesrv_lsa_SetSystemAccessAccount(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1662 struct lsa_SetSystemAccessAccount *r)
1664 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1671 static NTSTATUS dcesrv_lsa_CreateSecret(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1672 struct lsa_CreateSecret *r)
1674 struct dcesrv_handle *policy_handle;
1675 struct lsa_policy_state *policy_state;
1676 struct lsa_secret_state *secret_state;
1677 struct dcesrv_handle *handle;
1678 struct ldb_message **msgs, *msg;
1680 const char *attrs[] = {
1688 DCESRV_PULL_HANDLE(policy_handle, r->in.handle, LSA_HANDLE_POLICY);
1689 ZERO_STRUCTP(r->out.sec_handle);
1691 switch (security_session_user_level(dce_call->conn->auth_state.session_info))
1693 case SECURITY_SYSTEM:
1694 case SECURITY_ADMINISTRATOR:
1697 /* Users and annonymous are not allowed create secrets */
1698 return NT_STATUS_ACCESS_DENIED;
1701 policy_state = policy_handle->data;
1703 if (!r->in.name.string) {
1704 return NT_STATUS_INVALID_PARAMETER;
1707 secret_state = talloc(mem_ctx, struct lsa_secret_state);
1708 if (!secret_state) {
1709 return NT_STATUS_NO_MEMORY;
1711 secret_state->policy = policy_state;
1713 msg = ldb_msg_new(mem_ctx);
1715 return NT_STATUS_NO_MEMORY;
1718 if (strncmp("G$", r->in.name.string, 2) == 0) {
1720 name = &r->in.name.string[2];
1721 secret_state->sam_ldb = talloc_reference(secret_state, policy_state->sam_ldb);
1722 secret_state->global = true;
1724 if (strlen(name) < 1) {
1725 return NT_STATUS_INVALID_PARAMETER;
1728 name2 = talloc_asprintf(mem_ctx, "%s Secret", ldb_binary_encode_string(mem_ctx, name));
1729 /* search for the secret record */
1730 ret = gendb_search(secret_state->sam_ldb,
1731 mem_ctx, policy_state->system_dn, &msgs, attrs,
1732 "(&(cn=%s)(objectclass=secret))",
1735 return NT_STATUS_OBJECT_NAME_COLLISION;
1739 DEBUG(0,("Failure searching for CN=%s: %s\n",
1740 name2, ldb_errstring(secret_state->sam_ldb)));
1741 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1744 msg->dn = ldb_dn_copy(mem_ctx, policy_state->system_dn);
1745 if (!name2 || ! ldb_dn_add_child_fmt(msg->dn, "cn=%s", name2)) {
1746 return NT_STATUS_NO_MEMORY;
1749 samdb_msg_add_string(secret_state->sam_ldb, mem_ctx, msg, "cn", name2);
1752 secret_state->global = false;
1754 name = r->in.name.string;
1755 if (strlen(name) < 1) {
1756 return NT_STATUS_INVALID_PARAMETER;
1759 secret_state->sam_ldb = talloc_reference(secret_state,
1760 secrets_db_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
1761 /* search for the secret record */
1762 ret = gendb_search(secret_state->sam_ldb, mem_ctx,
1763 ldb_dn_new(mem_ctx, secret_state->sam_ldb, "cn=LSA Secrets"),
1765 "(&(cn=%s)(objectclass=secret))",
1766 ldb_binary_encode_string(mem_ctx, name));
1768 return NT_STATUS_OBJECT_NAME_COLLISION;
1772 DEBUG(0,("Failure searching for CN=%s: %s\n",
1773 name, ldb_errstring(secret_state->sam_ldb)));
1774 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1777 msg->dn = ldb_dn_new_fmt(mem_ctx, secret_state->sam_ldb, "cn=%s,cn=LSA Secrets", name);
1778 samdb_msg_add_string(secret_state->sam_ldb, mem_ctx, msg, "cn", name);
1781 /* pull in all the template attributes. Note this is always from the global samdb */
1782 ret = samdb_copy_template(secret_state->policy->sam_ldb, msg,
1785 DEBUG(0,("Failed to load TemplateSecret from samdb: %s\n",
1787 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1790 samdb_msg_add_string(secret_state->sam_ldb, mem_ctx, msg, "objectClass", "secret");
1792 secret_state->secret_dn = talloc_reference(secret_state, msg->dn);
1794 /* create the secret */
1795 ret = ldb_add(secret_state->sam_ldb, msg);
1797 DEBUG(0,("Failed to create secret record %s: %s\n",
1798 ldb_dn_get_linearized(msg->dn),
1799 ldb_errstring(secret_state->sam_ldb)));
1800 return NT_STATUS_ACCESS_DENIED;
1803 handle = dcesrv_handle_new(dce_call->context, LSA_HANDLE_SECRET);
1805 return NT_STATUS_NO_MEMORY;
1808 handle->data = talloc_steal(handle, secret_state);
1810 secret_state->access_mask = r->in.access_mask;
1811 secret_state->policy = talloc_reference(secret_state, policy_state);
1813 *r->out.sec_handle = handle->wire_handle;
1815 return NT_STATUS_OK;
1822 static NTSTATUS dcesrv_lsa_OpenSecret(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1823 struct lsa_OpenSecret *r)
1825 struct dcesrv_handle *policy_handle;
1827 struct lsa_policy_state *policy_state;
1828 struct lsa_secret_state *secret_state;
1829 struct dcesrv_handle *handle;
1830 struct ldb_message **msgs;
1831 const char *attrs[] = {
1839 DCESRV_PULL_HANDLE(policy_handle, r->in.handle, LSA_HANDLE_POLICY);
1840 ZERO_STRUCTP(r->out.sec_handle);
1841 policy_state = policy_handle->data;
1843 if (!r->in.name.string) {
1844 return NT_STATUS_INVALID_PARAMETER;
1847 switch (security_session_user_level(dce_call->conn->auth_state.session_info))
1849 case SECURITY_SYSTEM:
1850 case SECURITY_ADMINISTRATOR:
1853 /* Users and annonymous are not allowed to access secrets */
1854 return NT_STATUS_ACCESS_DENIED;
1857 secret_state = talloc(mem_ctx, struct lsa_secret_state);
1858 if (!secret_state) {
1859 return NT_STATUS_NO_MEMORY;
1861 secret_state->policy = policy_state;
1863 if (strncmp("G$", r->in.name.string, 2) == 0) {
1864 name = &r->in.name.string[2];
1865 secret_state->sam_ldb = talloc_reference(secret_state, policy_state->sam_ldb);
1866 secret_state->global = true;
1868 if (strlen(name) < 1) {
1869 return NT_STATUS_INVALID_PARAMETER;
1872 /* search for the secret record */
1873 ret = gendb_search(secret_state->sam_ldb,
1874 mem_ctx, policy_state->system_dn, &msgs, attrs,
1875 "(&(cn=%s Secret)(objectclass=secret))",
1876 ldb_binary_encode_string(mem_ctx, name));
1878 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1882 DEBUG(0,("Found %d records matching DN %s\n", ret,
1883 ldb_dn_get_linearized(policy_state->system_dn)));
1884 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1888 secret_state->global = false;
1889 secret_state->sam_ldb = talloc_reference(secret_state,
1890 secrets_db_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
1892 name = r->in.name.string;
1893 if (strlen(name) < 1) {
1894 return NT_STATUS_INVALID_PARAMETER;
1897 /* search for the secret record */
1898 ret = gendb_search(secret_state->sam_ldb, mem_ctx,
1899 ldb_dn_new(mem_ctx, secret_state->sam_ldb, "cn=LSA Secrets"),
1901 "(&(cn=%s)(objectclass=secret))",
1902 ldb_binary_encode_string(mem_ctx, name));
1904 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1908 DEBUG(0,("Found %d records matching CN=%s\n",
1909 ret, ldb_binary_encode_string(mem_ctx, name)));
1910 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1914 secret_state->secret_dn = talloc_reference(secret_state, msgs[0]->dn);
1916 handle = dcesrv_handle_new(dce_call->context, LSA_HANDLE_SECRET);
1918 return NT_STATUS_NO_MEMORY;
1921 handle->data = talloc_steal(handle, secret_state);
1923 secret_state->access_mask = r->in.access_mask;
1924 secret_state->policy = talloc_reference(secret_state, policy_state);
1926 *r->out.sec_handle = handle->wire_handle;
1928 return NT_STATUS_OK;
1935 static NTSTATUS dcesrv_lsa_SetSecret(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1936 struct lsa_SetSecret *r)
1939 struct dcesrv_handle *h;
1940 struct lsa_secret_state *secret_state;
1941 struct ldb_message *msg;
1942 DATA_BLOB session_key;
1943 DATA_BLOB crypt_secret, secret;
1946 NTSTATUS status = NT_STATUS_OK;
1948 struct timeval now = timeval_current();
1949 NTTIME nt_now = timeval_to_nttime(&now);
1951 DCESRV_PULL_HANDLE(h, r->in.sec_handle, LSA_HANDLE_SECRET);
1953 secret_state = h->data;
1955 msg = ldb_msg_new(mem_ctx);
1957 return NT_STATUS_NO_MEMORY;
1960 msg->dn = talloc_reference(mem_ctx, secret_state->secret_dn);
1962 return NT_STATUS_NO_MEMORY;
1964 status = dcesrv_fetch_session_key(dce_call->conn, &session_key);
1965 if (!NT_STATUS_IS_OK(status)) {
1969 if (r->in.old_val) {
1971 crypt_secret.data = r->in.old_val->data;
1972 crypt_secret.length = r->in.old_val->size;
1974 status = sess_decrypt_blob(mem_ctx, &crypt_secret, &session_key, &secret);
1975 if (!NT_STATUS_IS_OK(status)) {
1979 val.data = secret.data;
1980 val.length = secret.length;
1983 if (samdb_msg_add_value(secret_state->sam_ldb,
1984 mem_ctx, msg, "priorValue", &val) != 0) {
1985 return NT_STATUS_NO_MEMORY;
1988 /* set old value mtime */
1989 if (samdb_msg_add_uint64(secret_state->sam_ldb,
1990 mem_ctx, msg, "priorSetTime", nt_now) != 0) {
1991 return NT_STATUS_NO_MEMORY;
1994 if (!r->in.new_val) {
1995 /* This behaviour varies depending of if this is a local, or a global secret... */
1996 if (secret_state->global) {
1997 /* set old value mtime */
1998 if (samdb_msg_add_uint64(secret_state->sam_ldb,
1999 mem_ctx, msg, "lastSetTime", nt_now) != 0) {
2000 return NT_STATUS_NO_MEMORY;
2003 if (samdb_msg_add_delete(secret_state->sam_ldb,
2004 mem_ctx, msg, "currentValue")) {
2005 return NT_STATUS_NO_MEMORY;
2007 if (samdb_msg_add_delete(secret_state->sam_ldb,
2008 mem_ctx, msg, "lastSetTime")) {
2009 return NT_STATUS_NO_MEMORY;
2015 if (r->in.new_val) {
2017 crypt_secret.data = r->in.new_val->data;
2018 crypt_secret.length = r->in.new_val->size;
2020 status = sess_decrypt_blob(mem_ctx, &crypt_secret, &session_key, &secret);
2021 if (!NT_STATUS_IS_OK(status)) {
2025 val.data = secret.data;
2026 val.length = secret.length;
2029 if (samdb_msg_add_value(secret_state->sam_ldb,
2030 mem_ctx, msg, "currentValue", &val) != 0) {
2031 return NT_STATUS_NO_MEMORY;
2034 /* set new value mtime */
2035 if (samdb_msg_add_uint64(secret_state->sam_ldb,
2036 mem_ctx, msg, "lastSetTime", nt_now) != 0) {
2037 return NT_STATUS_NO_MEMORY;
2040 /* If the old value is not set, then migrate the
2041 * current value to the old value */
2042 if (!r->in.old_val) {
2043 const struct ldb_val *new_val;
2044 NTTIME last_set_time;
2045 struct ldb_message **res;
2046 const char *attrs[] = {
2052 /* search for the secret record */
2053 ret = gendb_search_dn(secret_state->sam_ldb,mem_ctx,
2054 secret_state->secret_dn, &res, attrs);
2056 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2060 DEBUG(0,("Found %d records matching dn=%s\n", ret,
2061 ldb_dn_get_linearized(secret_state->secret_dn)));
2062 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2065 new_val = ldb_msg_find_ldb_val(res[0], "currentValue");
2066 last_set_time = ldb_msg_find_attr_as_uint64(res[0], "lastSetTime", 0);
2070 if (samdb_msg_add_value(secret_state->sam_ldb,
2071 mem_ctx, msg, "priorValue",
2073 return NT_STATUS_NO_MEMORY;
2077 /* set new value mtime */
2078 if (ldb_msg_find_ldb_val(res[0], "lastSetTime")) {
2079 if (samdb_msg_add_uint64(secret_state->sam_ldb,
2080 mem_ctx, msg, "priorSetTime", last_set_time) != 0) {
2081 return NT_STATUS_NO_MEMORY;
2087 /* modify the samdb record */
2088 ret = samdb_replace(secret_state->sam_ldb, mem_ctx, msg);
2090 /* we really need samdb.c to return NTSTATUS */
2091 return NT_STATUS_UNSUCCESSFUL;
2094 return NT_STATUS_OK;
2101 static NTSTATUS dcesrv_lsa_QuerySecret(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2102 struct lsa_QuerySecret *r)
2104 struct dcesrv_handle *h;
2105 struct lsa_secret_state *secret_state;
2106 struct ldb_message *msg;
2107 DATA_BLOB session_key;
2108 DATA_BLOB crypt_secret, secret;
2110 struct ldb_message **res;
2111 const char *attrs[] = {
2121 DCESRV_PULL_HANDLE(h, r->in.sec_handle, LSA_HANDLE_SECRET);
2123 /* Ensure user is permitted to read this... */
2124 switch (security_session_user_level(dce_call->conn->auth_state.session_info))
2126 case SECURITY_SYSTEM:
2127 case SECURITY_ADMINISTRATOR:
2130 /* Users and annonymous are not allowed to read secrets */
2131 return NT_STATUS_ACCESS_DENIED;
2134 secret_state = h->data;
2136 /* pull all the user attributes */
2137 ret = gendb_search_dn(secret_state->sam_ldb, mem_ctx,
2138 secret_state->secret_dn, &res, attrs);
2140 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2144 nt_status = dcesrv_fetch_session_key(dce_call->conn, &session_key);
2145 if (!NT_STATUS_IS_OK(nt_status)) {
2149 if (r->in.old_val) {
2150 const struct ldb_val *prior_val;
2151 r->out.old_val = talloc_zero(mem_ctx, struct lsa_DATA_BUF_PTR);
2152 if (!r->out.old_val) {
2153 return NT_STATUS_NO_MEMORY;
2155 prior_val = ldb_msg_find_ldb_val(res[0], "priorValue");
2157 if (prior_val && prior_val->length) {
2158 secret.data = prior_val->data;
2159 secret.length = prior_val->length;
2162 crypt_secret = sess_encrypt_blob(mem_ctx, &secret, &session_key);
2163 if (!crypt_secret.length) {
2164 return NT_STATUS_NO_MEMORY;
2166 r->out.old_val->buf = talloc(mem_ctx, struct lsa_DATA_BUF);
2167 if (!r->out.old_val->buf) {
2168 return NT_STATUS_NO_MEMORY;
2170 r->out.old_val->buf->size = crypt_secret.length;
2171 r->out.old_val->buf->length = crypt_secret.length;
2172 r->out.old_val->buf->data = crypt_secret.data;
2176 if (r->in.old_mtime) {
2177 r->out.old_mtime = talloc(mem_ctx, NTTIME);
2178 if (!r->out.old_mtime) {
2179 return NT_STATUS_NO_MEMORY;
2181 *r->out.old_mtime = ldb_msg_find_attr_as_uint64(res[0], "priorSetTime", 0);
2184 if (r->in.new_val) {
2185 const struct ldb_val *new_val;
2186 r->out.new_val = talloc_zero(mem_ctx, struct lsa_DATA_BUF_PTR);
2187 if (!r->out.new_val) {
2188 return NT_STATUS_NO_MEMORY;
2191 new_val = ldb_msg_find_ldb_val(res[0], "currentValue");
2193 if (new_val && new_val->length) {
2194 secret.data = new_val->data;
2195 secret.length = new_val->length;
2198 crypt_secret = sess_encrypt_blob(mem_ctx, &secret, &session_key);
2199 if (!crypt_secret.length) {
2200 return NT_STATUS_NO_MEMORY;
2202 r->out.new_val->buf = talloc(mem_ctx, struct lsa_DATA_BUF);
2203 if (!r->out.new_val->buf) {
2204 return NT_STATUS_NO_MEMORY;
2206 r->out.new_val->buf->length = crypt_secret.length;
2207 r->out.new_val->buf->size = crypt_secret.length;
2208 r->out.new_val->buf->data = crypt_secret.data;
2212 if (r->in.new_mtime) {
2213 r->out.new_mtime = talloc(mem_ctx, NTTIME);
2214 if (!r->out.new_mtime) {
2215 return NT_STATUS_NO_MEMORY;
2217 *r->out.new_mtime = ldb_msg_find_attr_as_uint64(res[0], "lastSetTime", 0);
2220 return NT_STATUS_OK;
2227 static NTSTATUS dcesrv_lsa_LookupPrivValue(struct dcesrv_call_state *dce_call,
2228 TALLOC_CTX *mem_ctx,
2229 struct lsa_LookupPrivValue *r)
2231 struct dcesrv_handle *h;
2232 struct lsa_policy_state *state;
2235 DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_POLICY);
2239 id = sec_privilege_id(r->in.name->string);
2241 return NT_STATUS_NO_SUCH_PRIVILEGE;
2244 r->out.luid->low = id;
2245 r->out.luid->high = 0;
2247 return NT_STATUS_OK;
2254 static NTSTATUS dcesrv_lsa_LookupPrivName(struct dcesrv_call_state *dce_call,
2255 TALLOC_CTX *mem_ctx,
2256 struct lsa_LookupPrivName *r)
2258 struct dcesrv_handle *h;
2259 struct lsa_policy_state *state;
2260 const char *privname;
2262 DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_POLICY);
2266 if (r->in.luid->high != 0) {
2267 return NT_STATUS_NO_SUCH_PRIVILEGE;
2270 privname = sec_privilege_name(r->in.luid->low);
2271 if (privname == NULL) {
2272 return NT_STATUS_NO_SUCH_PRIVILEGE;
2275 r->out.name = talloc(mem_ctx, struct lsa_StringLarge);
2276 if (r->out.name == NULL) {
2277 return NT_STATUS_NO_MEMORY;
2279 r->out.name->string = privname;
2281 return NT_STATUS_OK;
2286 lsa_LookupPrivDisplayName
2288 static NTSTATUS dcesrv_lsa_LookupPrivDisplayName(struct dcesrv_call_state *dce_call,
2289 TALLOC_CTX *mem_ctx,
2290 struct lsa_LookupPrivDisplayName *r)
2292 struct dcesrv_handle *h;
2293 struct lsa_policy_state *state;
2296 DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_POLICY);
2300 id = sec_privilege_id(r->in.name->string);
2302 return NT_STATUS_NO_SUCH_PRIVILEGE;
2305 r->out.disp_name = talloc(mem_ctx, struct lsa_StringLarge);
2306 if (r->out.disp_name == NULL) {
2307 return NT_STATUS_NO_MEMORY;
2310 r->out.disp_name->string = sec_privilege_display_name(id, r->in.language_id);
2311 if (r->out.disp_name->string == NULL) {
2312 return NT_STATUS_INTERNAL_ERROR;
2315 return NT_STATUS_OK;
2322 static NTSTATUS dcesrv_lsa_DeleteObject(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2323 struct lsa_DeleteObject *r)
2325 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2330 lsa_EnumAccountsWithUserRight
2332 static NTSTATUS dcesrv_lsa_EnumAccountsWithUserRight(struct dcesrv_call_state *dce_call,
2333 TALLOC_CTX *mem_ctx,
2334 struct lsa_EnumAccountsWithUserRight *r)
2336 struct dcesrv_handle *h;
2337 struct lsa_policy_state *state;
2339 struct ldb_message **res;
2340 const char * const attrs[] = { "objectSid", NULL};
2341 const char *privname;
2343 DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_POLICY);
2347 if (r->in.name == NULL) {
2348 return NT_STATUS_NO_SUCH_PRIVILEGE;
2351 privname = r->in.name->string;
2352 if (sec_privilege_id(privname) == -1) {
2353 return NT_STATUS_NO_SUCH_PRIVILEGE;
2356 ret = gendb_search(state->sam_ldb, mem_ctx, NULL, &res, attrs,
2357 "privilege=%s", privname);
2359 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2362 return NT_STATUS_NO_MORE_ENTRIES;
2365 r->out.sids->sids = talloc_array(r->out.sids, struct lsa_SidPtr, ret);
2366 if (r->out.sids->sids == NULL) {
2367 return NT_STATUS_NO_MEMORY;
2369 for (i=0;i<ret;i++) {
2370 r->out.sids->sids[i].sid = samdb_result_dom_sid(r->out.sids->sids,
2371 res[i], "objectSid");
2372 NT_STATUS_HAVE_NO_MEMORY(r->out.sids->sids[i].sid);
2374 r->out.sids->num_sids = ret;
2376 return NT_STATUS_OK;
2381 lsa_AddAccountRights
2383 static NTSTATUS dcesrv_lsa_AddAccountRights(struct dcesrv_call_state *dce_call,
2384 TALLOC_CTX *mem_ctx,
2385 struct lsa_AddAccountRights *r)
2387 struct dcesrv_handle *h;
2388 struct lsa_policy_state *state;
2390 DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_POLICY);
2394 return dcesrv_lsa_AddRemoveAccountRights(dce_call, mem_ctx, state,
2396 r->in.sid, r->in.rights);
2401 lsa_RemoveAccountRights
2403 static NTSTATUS dcesrv_lsa_RemoveAccountRights(struct dcesrv_call_state *dce_call,
2404 TALLOC_CTX *mem_ctx,
2405 struct lsa_RemoveAccountRights *r)
2407 struct dcesrv_handle *h;
2408 struct lsa_policy_state *state;
2410 DCESRV_PULL_HANDLE(h, r->in.handle, LSA_HANDLE_POLICY);
2414 return dcesrv_lsa_AddRemoveAccountRights(dce_call, mem_ctx, state,
2415 LDB_FLAG_MOD_DELETE,
2416 r->in.sid, r->in.rights);
2421 lsa_StorePrivateData
2423 static NTSTATUS dcesrv_lsa_StorePrivateData(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2424 struct lsa_StorePrivateData *r)
2426 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2431 lsa_RetrievePrivateData
2433 static NTSTATUS dcesrv_lsa_RetrievePrivateData(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2434 struct lsa_RetrievePrivateData *r)
2436 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2443 static NTSTATUS dcesrv_lsa_GetUserName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2444 struct lsa_GetUserName *r)
2446 NTSTATUS status = NT_STATUS_OK;
2447 const char *account_name;
2448 const char *authority_name;
2449 struct lsa_String *_account_name;
2450 struct lsa_StringPointer *_authority_name = NULL;
2452 /* this is what w2k3 does */
2453 r->out.account_name = r->in.account_name;
2454 r->out.authority_name = r->in.authority_name;
2456 if (r->in.account_name && r->in.account_name->string) {
2457 return NT_STATUS_INVALID_PARAMETER;
2460 if (r->in.authority_name &&
2461 r->in.authority_name->string &&
2462 r->in.authority_name->string->string) {
2463 return NT_STATUS_INVALID_PARAMETER;
2466 account_name = talloc_reference(mem_ctx, dce_call->conn->auth_state.session_info->server_info->account_name);
2467 authority_name = talloc_reference(mem_ctx, dce_call->conn->auth_state.session_info->server_info->domain_name);
2469 _account_name = talloc(mem_ctx, struct lsa_String);
2470 NT_STATUS_HAVE_NO_MEMORY(_account_name);
2471 _account_name->string = account_name;
2473 if (r->in.authority_name) {
2474 _authority_name = talloc(mem_ctx, struct lsa_StringPointer);
2475 NT_STATUS_HAVE_NO_MEMORY(_authority_name);
2476 _authority_name->string = talloc(mem_ctx, struct lsa_String);
2477 NT_STATUS_HAVE_NO_MEMORY(_authority_name->string);
2478 _authority_name->string->string = authority_name;
2481 r->out.account_name = _account_name;
2482 r->out.authority_name = _authority_name;
2490 static NTSTATUS dcesrv_lsa_SetInfoPolicy2(struct dcesrv_call_state *dce_call,
2491 TALLOC_CTX *mem_ctx,
2492 struct lsa_SetInfoPolicy2 *r)
2494 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2498 lsa_QueryDomainInformationPolicy
2500 static NTSTATUS dcesrv_lsa_QueryDomainInformationPolicy(struct dcesrv_call_state *dce_call,
2501 TALLOC_CTX *mem_ctx,
2502 struct lsa_QueryDomainInformationPolicy *r)
2504 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2508 lsa_SetDomInfoPolicy
2510 static NTSTATUS dcesrv_lsa_SetDomainInformationPolicy(struct dcesrv_call_state *dce_call,
2511 TALLOC_CTX *mem_ctx,
2512 struct lsa_SetDomainInformationPolicy *r)
2514 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2520 static NTSTATUS dcesrv_lsa_TestCall(struct dcesrv_call_state *dce_call,
2521 TALLOC_CTX *mem_ctx,
2522 struct lsa_TestCall *r)
2524 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2530 static NTSTATUS dcesrv_lsa_CREDRWRITE(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2531 struct lsa_CREDRWRITE *r)
2533 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2540 static NTSTATUS dcesrv_lsa_CREDRREAD(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2541 struct lsa_CREDRREAD *r)
2543 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2550 static NTSTATUS dcesrv_lsa_CREDRENUMERATE(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2551 struct lsa_CREDRENUMERATE *r)
2553 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2558 lsa_CREDRWRITEDOMAINCREDENTIALS
2560 static NTSTATUS dcesrv_lsa_CREDRWRITEDOMAINCREDENTIALS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2561 struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2563 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2568 lsa_CREDRREADDOMAINCREDENTIALS
2570 static NTSTATUS dcesrv_lsa_CREDRREADDOMAINCREDENTIALS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2571 struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2573 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2580 static NTSTATUS dcesrv_lsa_CREDRDELETE(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2581 struct lsa_CREDRDELETE *r)
2583 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2588 lsa_CREDRGETTARGETINFO
2590 static NTSTATUS dcesrv_lsa_CREDRGETTARGETINFO(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2591 struct lsa_CREDRGETTARGETINFO *r)
2593 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2598 lsa_CREDRPROFILELOADED
2600 static NTSTATUS dcesrv_lsa_CREDRPROFILELOADED(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2601 struct lsa_CREDRPROFILELOADED *r)
2603 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2608 lsa_CREDRGETSESSIONTYPES
2610 static NTSTATUS dcesrv_lsa_CREDRGETSESSIONTYPES(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2611 struct lsa_CREDRGETSESSIONTYPES *r)
2613 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2618 lsa_LSARREGISTERAUDITEVENT
2620 static NTSTATUS dcesrv_lsa_LSARREGISTERAUDITEVENT(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2621 struct lsa_LSARREGISTERAUDITEVENT *r)
2623 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2628 lsa_LSARGENAUDITEVENT
2630 static NTSTATUS dcesrv_lsa_LSARGENAUDITEVENT(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2631 struct lsa_LSARGENAUDITEVENT *r)
2633 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2638 lsa_LSARUNREGISTERAUDITEVENT
2640 static NTSTATUS dcesrv_lsa_LSARUNREGISTERAUDITEVENT(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2641 struct lsa_LSARUNREGISTERAUDITEVENT *r)
2643 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2648 lsa_lsaRQueryForestTrustInformation
2650 static NTSTATUS dcesrv_lsa_lsaRQueryForestTrustInformation(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2651 struct lsa_lsaRQueryForestTrustInformation *r)
2653 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2658 lsa_LSARSETFORESTTRUSTINFORMATION
2660 static NTSTATUS dcesrv_lsa_LSARSETFORESTTRUSTINFORMATION(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2661 struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2663 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2670 static NTSTATUS dcesrv_lsa_CREDRRENAME(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2671 struct lsa_CREDRRENAME *r)
2673 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2679 lsa_LSAROPENPOLICYSCE
2681 static NTSTATUS dcesrv_lsa_LSAROPENPOLICYSCE(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2682 struct lsa_LSAROPENPOLICYSCE *r)
2684 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2689 lsa_LSARADTREGISTERSECURITYEVENTSOURCE
2691 static NTSTATUS dcesrv_lsa_LSARADTREGISTERSECURITYEVENTSOURCE(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2692 struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2694 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2699 lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE
2701 static NTSTATUS dcesrv_lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2702 struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2704 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2709 lsa_LSARADTREPORTSECURITYEVENT
2711 static NTSTATUS dcesrv_lsa_LSARADTREPORTSECURITYEVENT(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2712 struct lsa_LSARADTREPORTSECURITYEVENT *r)
2714 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2718 /* include the generated boilerplate */
2719 #include "librpc/gen_ndr/ndr_lsa_s.c"
2723 /*****************************************
2724 NOTE! The remaining calls below were
2725 removed in w2k3, so the DCESRV_FAULT()
2726 replies are the correct implementation. Do
2727 not try and fill these in with anything else
2728 ******************************************/
2731 dssetup_DsRoleDnsNameToFlatName
2733 static WERROR dcesrv_dssetup_DsRoleDnsNameToFlatName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2734 struct dssetup_DsRoleDnsNameToFlatName *r)
2736 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2741 dssetup_DsRoleDcAsDc
2743 static WERROR dcesrv_dssetup_DsRoleDcAsDc(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2744 struct dssetup_DsRoleDcAsDc *r)
2746 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2751 dssetup_DsRoleDcAsReplica
2753 static WERROR dcesrv_dssetup_DsRoleDcAsReplica(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2754 struct dssetup_DsRoleDcAsReplica *r)
2756 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2761 dssetup_DsRoleDemoteDc
2763 static WERROR dcesrv_dssetup_DsRoleDemoteDc(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2764 struct dssetup_DsRoleDemoteDc *r)
2766 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2771 dssetup_DsRoleGetDcOperationProgress
2773 static WERROR dcesrv_dssetup_DsRoleGetDcOperationProgress(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2774 struct dssetup_DsRoleGetDcOperationProgress *r)
2776 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2781 dssetup_DsRoleGetDcOperationResults
2783 static WERROR dcesrv_dssetup_DsRoleGetDcOperationResults(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2784 struct dssetup_DsRoleGetDcOperationResults *r)
2786 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2791 dssetup_DsRoleCancel
2793 static WERROR dcesrv_dssetup_DsRoleCancel(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2794 struct dssetup_DsRoleCancel *r)
2796 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2801 dssetup_DsRoleServerSaveStateForUpgrade
2803 static WERROR dcesrv_dssetup_DsRoleServerSaveStateForUpgrade(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2804 struct dssetup_DsRoleServerSaveStateForUpgrade *r)
2806 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2811 dssetup_DsRoleUpgradeDownlevelServer
2813 static WERROR dcesrv_dssetup_DsRoleUpgradeDownlevelServer(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2814 struct dssetup_DsRoleUpgradeDownlevelServer *r)
2816 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2821 dssetup_DsRoleAbortDownlevelServerUpgrade
2823 static WERROR dcesrv_dssetup_DsRoleAbortDownlevelServerUpgrade(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2824 struct dssetup_DsRoleAbortDownlevelServerUpgrade *r)
2826 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
2830 /* include the generated boilerplate */
2831 #include "librpc/gen_ndr/ndr_dssetup_s.c"
2833 NTSTATUS dcerpc_server_lsa_init(void)
2837 ret = dcerpc_server_dssetup_init();
2838 if (!NT_STATUS_IS_OK(ret)) {
2841 ret = dcerpc_server_lsarpc_init();
2842 if (!NT_STATUS_IS_OK(ret)) {
git.samba.org / samba.git / blob