2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
14 * Copyright (C) Andrew Bartlett 2010.
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
30 /* This is the implementation of the lsa server code. */
33 #include "../librpc/gen_ndr/srv_lsa.h"
35 #include "../librpc/gen_ndr/netlogon.h"
36 #include "rpc_client/init_lsa.h"
37 #include "../libcli/security/security.h"
40 #define DBGC_CLASS DBGC_RPC_SRV
42 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
44 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
50 enum lsa_handle_type type;
51 struct security_descriptor *sd;
54 const struct generic_mapping lsa_account_mapping = {
58 LSA_ACCOUNT_ALL_ACCESS
61 const struct generic_mapping lsa_policy_mapping = {
68 const struct generic_mapping lsa_secret_mapping = {
75 const struct generic_mapping lsa_trusted_domain_mapping = {
76 LSA_TRUSTED_DOMAIN_READ,
77 LSA_TRUSTED_DOMAIN_WRITE,
78 LSA_TRUSTED_DOMAIN_EXECUTE,
79 LSA_TRUSTED_DOMAIN_ALL_ACCESS
82 /***************************************************************************
83 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
84 ***************************************************************************/
86 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
87 struct lsa_RefDomainList *ref,
89 struct dom_sid *dom_sid)
93 if (dom_name != NULL) {
94 for (num = 0; num < ref->count; num++) {
95 if (dom_sid_equal(dom_sid, ref->domains[num].sid)) {
103 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
104 /* index not found, already at maximum domain limit */
108 ref->count = num + 1;
109 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
111 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
112 struct lsa_DomainInfo, ref->count);
117 ZERO_STRUCT(ref->domains[num]);
119 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
120 ref->domains[num].sid = dom_sid_dup(mem_ctx, dom_sid);
121 if (!ref->domains[num].sid) {
129 /***************************************************************************
130 initialize a lsa_DomainInfo structure.
131 ***************************************************************************/
133 static void init_dom_query_3(struct lsa_DomainInfo *r,
137 init_lsa_StringLarge(&r->name, name);
141 /***************************************************************************
142 initialize a lsa_DomainInfo structure.
143 ***************************************************************************/
145 static void init_dom_query_5(struct lsa_DomainInfo *r,
149 init_lsa_StringLarge(&r->name, name);
153 /***************************************************************************
154 lookup_lsa_rids. Must be called as root for lookup_name to work.
155 ***************************************************************************/
157 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
158 struct lsa_RefDomainList *ref,
159 struct lsa_TranslatedSid *prid,
160 uint32_t num_entries,
161 struct lsa_String *name,
163 uint32_t *pmapped_count)
165 uint32 mapped_count, i;
167 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
172 for (i = 0; i < num_entries; i++) {
176 const char *full_name;
178 enum lsa_SidType type = SID_NAME_UNKNOWN;
180 /* Split name into domain and user component */
182 /* follow w2k8 behavior and return the builtin domain when no
183 * input has been passed in */
185 if (name[i].string) {
186 full_name = name[i].string;
188 full_name = "BUILTIN";
191 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
193 /* We can ignore the result of lookup_name, it will not touch
194 "type" if it's not successful */
196 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
201 case SID_NAME_DOM_GRP:
202 case SID_NAME_DOMAIN:
204 case SID_NAME_WKN_GRP:
205 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
206 /* Leave these unchanged */
209 /* Don't hand out anything but the list above */
210 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
211 type = SID_NAME_UNKNOWN;
218 if (type != SID_NAME_UNKNOWN) {
219 if (type == SID_NAME_DOMAIN) {
222 sid_split_rid(&sid, &rid);
224 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
228 prid[i].sid_type = type;
230 prid[i].sid_index = dom_idx;
233 *pmapped_count = mapped_count;
237 /***************************************************************************
238 lookup_lsa_sids. Must be called as root for lookup_name to work.
239 ***************************************************************************/
241 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
242 struct lsa_RefDomainList *ref,
243 struct lsa_TranslatedSid3 *trans_sids,
244 uint32_t num_entries,
245 struct lsa_String *name,
247 uint32 *pmapped_count)
249 uint32 mapped_count, i;
251 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
256 for (i = 0; i < num_entries; i++) {
260 const char *full_name;
262 enum lsa_SidType type = SID_NAME_UNKNOWN;
266 /* Split name into domain and user component */
268 full_name = name[i].string;
269 if (full_name == NULL) {
270 return NT_STATUS_NO_MEMORY;
273 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
275 /* We can ignore the result of lookup_name, it will not touch
276 "type" if it's not successful */
278 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
283 case SID_NAME_DOM_GRP:
284 case SID_NAME_DOMAIN:
286 case SID_NAME_WKN_GRP:
287 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
288 /* Leave these unchanged */
291 /* Don't hand out anything but the list above */
292 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
293 type = SID_NAME_UNKNOWN;
300 if (type != SID_NAME_UNKNOWN) {
301 struct dom_sid domain_sid;
302 sid_copy(&domain_sid, &sid);
303 sid_split_rid(&domain_sid, &rid);
304 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
308 /* Initialize the lsa_TranslatedSid3 return. */
309 trans_sids[i].sid_type = type;
310 trans_sids[i].sid = dom_sid_dup(mem_ctx, &sid);
311 trans_sids[i].sid_index = dom_idx;
314 *pmapped_count = mapped_count;
318 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, struct security_descriptor **sd, size_t *sd_size,
319 const struct generic_mapping *map,
320 struct dom_sid *sid, uint32_t sid_access)
322 struct dom_sid adm_sid;
323 struct security_ace ace[5];
326 struct security_acl *psa = NULL;
328 /* READ|EXECUTE access for Everyone */
330 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
331 map->generic_execute | map->generic_read, 0);
333 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
335 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
336 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
337 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
338 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
340 /* Add Full Access for Domain Admins */
341 sid_compose(&adm_sid, get_global_sam_sid(), DOMAIN_RID_ADMINS);
342 init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
343 map->generic_all, 0);
345 /* If we have a sid, give it some special access */
348 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
352 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
353 return NT_STATUS_NO_MEMORY;
355 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
356 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
357 psa, sd_size)) == NULL)
358 return NT_STATUS_NO_MEMORY;
363 /***************************************************************************
364 ***************************************************************************/
366 static NTSTATUS create_lsa_policy_handle(TALLOC_CTX *mem_ctx,
367 struct pipes_struct *p,
368 enum lsa_handle_type type,
369 uint32_t acc_granted,
372 const struct security_descriptor *sd,
373 struct policy_handle *handle)
375 struct lsa_info *info;
377 ZERO_STRUCTP(handle);
379 info = talloc_zero(mem_ctx, struct lsa_info);
381 return NT_STATUS_NO_MEMORY;
385 info->access = acc_granted;
388 sid_copy(&info->sid, sid);
391 info->name = talloc_strdup(info, name);
394 info->sd = dup_sec_desc(info, sd);
397 return NT_STATUS_NO_MEMORY;
401 if (!create_policy_hnd(p, handle, info)) {
403 ZERO_STRUCTP(handle);
404 return NT_STATUS_NO_MEMORY;
410 /***************************************************************************
412 ***************************************************************************/
414 NTSTATUS _lsa_OpenPolicy2(struct pipes_struct *p,
415 struct lsa_OpenPolicy2 *r)
417 struct security_descriptor *psd = NULL;
419 uint32 des_access = r->in.access_mask;
423 /* Work out max allowed. */
424 map_max_allowed_access(p->server_info->security_token,
425 &p->server_info->utok,
428 /* map the generic bits to the lsa policy ones */
429 se_map_generic(&des_access, &lsa_policy_mapping);
431 /* get the generic lsa policy SD until we store it */
432 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
434 if (!NT_STATUS_IS_OK(status)) {
438 status = access_check_object(psd, p->server_info->security_token,
439 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, des_access,
440 &acc_granted, "_lsa_OpenPolicy2" );
441 if (!NT_STATUS_IS_OK(status)) {
445 status = create_lsa_policy_handle(p->mem_ctx, p,
446 LSA_HANDLE_POLICY_TYPE,
448 get_global_sam_sid(),
452 if (!NT_STATUS_IS_OK(status)) {
453 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
459 /***************************************************************************
461 ***************************************************************************/
463 NTSTATUS _lsa_OpenPolicy(struct pipes_struct *p,
464 struct lsa_OpenPolicy *r)
466 struct lsa_OpenPolicy2 o;
468 o.in.system_name = NULL; /* should be ignored */
469 o.in.attr = r->in.attr;
470 o.in.access_mask = r->in.access_mask;
472 o.out.handle = r->out.handle;
474 return _lsa_OpenPolicy2(p, &o);
477 /***************************************************************************
478 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
480 ***************************************************************************/
482 NTSTATUS _lsa_EnumTrustDom(struct pipes_struct *p,
483 struct lsa_EnumTrustDom *r)
485 struct lsa_info *info;
487 struct trustdom_info **domains;
488 struct lsa_DomainInfo *entries;
492 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
493 return NT_STATUS_INVALID_HANDLE;
495 if (info->type != LSA_HANDLE_POLICY_TYPE) {
496 return NT_STATUS_INVALID_HANDLE;
499 /* check if the user has enough rights */
500 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
501 return NT_STATUS_ACCESS_DENIED;
504 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &count, &domains);
507 if (!NT_STATUS_IS_OK(nt_status)) {
511 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo, count);
513 return NT_STATUS_NO_MEMORY;
516 for (i=0; i<count; i++) {
517 init_lsa_StringLarge(&entries[i].name, domains[i]->name);
518 entries[i].sid = &domains[i]->sid;
521 if (*r->in.resume_handle >= count) {
522 *r->out.resume_handle = -1;
523 TALLOC_FREE(entries);
524 return NT_STATUS_NO_MORE_ENTRIES;
527 /* return the rest, limit by max_size. Note that we
528 use the w2k3 element size value of 60 */
529 r->out.domains->count = count - *r->in.resume_handle;
530 r->out.domains->count = MIN(r->out.domains->count,
531 1+(r->in.max_size/LSA_ENUM_TRUST_DOMAIN_MULTIPLIER));
533 r->out.domains->domains = entries + *r->in.resume_handle;
535 if (r->out.domains->count < count - *r->in.resume_handle) {
536 *r->out.resume_handle = *r->in.resume_handle + r->out.domains->count;
537 return STATUS_MORE_ENTRIES;
540 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
541 * always be larger than the previous input resume handle, in
542 * particular when hitting the last query it is vital to set the
543 * resume handle correctly to avoid infinite client loops, as
544 * seen e.g. with Windows XP SP3 when resume handle is 0 and
545 * status is NT_STATUS_OK - gd */
547 *r->out.resume_handle = (uint32_t)-1;
552 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
553 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
554 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
556 /***************************************************************************
558 ***************************************************************************/
560 NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
561 struct lsa_QueryInfoPolicy *r)
563 NTSTATUS status = NT_STATUS_OK;
564 struct lsa_info *handle;
565 struct dom_sid domain_sid;
567 struct dom_sid *sid = NULL;
568 union lsa_PolicyInformation *info = NULL;
569 uint32_t acc_required = 0;
571 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
572 return NT_STATUS_INVALID_HANDLE;
574 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
575 return NT_STATUS_INVALID_HANDLE;
578 switch (r->in.level) {
579 case LSA_POLICY_INFO_AUDIT_LOG:
580 case LSA_POLICY_INFO_AUDIT_EVENTS:
581 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
583 case LSA_POLICY_INFO_DOMAIN:
584 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
586 case LSA_POLICY_INFO_PD:
587 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
589 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
590 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
592 case LSA_POLICY_INFO_ROLE:
593 case LSA_POLICY_INFO_REPLICA:
594 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
596 case LSA_POLICY_INFO_QUOTA:
597 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
599 case LSA_POLICY_INFO_MOD:
600 case LSA_POLICY_INFO_AUDIT_FULL_SET:
601 /* according to MS-LSAD 3.1.4.4.3 */
602 return NT_STATUS_INVALID_PARAMETER;
603 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
604 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
606 case LSA_POLICY_INFO_DNS:
607 case LSA_POLICY_INFO_DNS_INT:
608 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
609 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
615 if (!(handle->access & acc_required)) {
616 /* return NT_STATUS_ACCESS_DENIED; */
619 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
621 return NT_STATUS_NO_MEMORY;
624 switch (r->in.level) {
625 /* according to MS-LSAD 3.1.4.4.3 */
626 case LSA_POLICY_INFO_MOD:
627 case LSA_POLICY_INFO_AUDIT_FULL_SET:
628 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
629 return NT_STATUS_INVALID_PARAMETER;
630 case LSA_POLICY_INFO_AUDIT_LOG:
631 info->audit_log.percent_full = 0;
632 info->audit_log.maximum_log_size = 0;
633 info->audit_log.retention_time = 0;
634 info->audit_log.shutdown_in_progress = 0;
635 info->audit_log.time_to_shutdown = 0;
636 info->audit_log.next_audit_record = 0;
637 status = NT_STATUS_OK;
639 case LSA_POLICY_INFO_PD:
640 info->pd.name.string = NULL;
641 status = NT_STATUS_OK;
643 case LSA_POLICY_INFO_REPLICA:
644 info->replica.source.string = NULL;
645 info->replica.account.string = NULL;
646 status = NT_STATUS_OK;
648 case LSA_POLICY_INFO_QUOTA:
649 info->quota.paged_pool = 0;
650 info->quota.non_paged_pool = 0;
651 info->quota.min_wss = 0;
652 info->quota.max_wss = 0;
653 info->quota.pagefile = 0;
654 info->quota.unknown = 0;
655 status = NT_STATUS_OK;
657 case LSA_POLICY_INFO_AUDIT_EVENTS:
660 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
662 /* check if the user has enough rights */
663 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
664 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
665 return NT_STATUS_ACCESS_DENIED;
668 /* fake info: We audit everything. ;) */
670 info->audit_events.auditing_mode = true;
671 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
672 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
673 enum lsa_PolicyAuditPolicy,
674 info->audit_events.count);
675 if (!info->audit_events.settings) {
676 return NT_STATUS_NO_MEMORY;
679 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
680 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
681 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
682 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
683 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
684 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
685 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
689 case LSA_POLICY_INFO_DOMAIN:
690 /* check if the user has enough rights */
691 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
692 return NT_STATUS_ACCESS_DENIED;
694 /* Request PolicyPrimaryDomainInformation. */
695 switch (lp_server_role()) {
696 case ROLE_DOMAIN_PDC:
697 case ROLE_DOMAIN_BDC:
698 name = get_global_sam_name();
699 sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
701 return NT_STATUS_NO_MEMORY;
704 case ROLE_DOMAIN_MEMBER:
705 name = lp_workgroup();
706 /* We need to return the Domain SID here. */
707 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
708 sid = dom_sid_dup(p->mem_ctx, &domain_sid);
710 return NT_STATUS_NO_MEMORY;
713 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
716 case ROLE_STANDALONE:
717 name = lp_workgroup();
721 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
723 init_dom_query_3(&info->domain, name, sid);
725 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
726 /* check if the user has enough rights */
727 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
728 return NT_STATUS_ACCESS_DENIED;
730 /* Request PolicyAccountDomainInformation. */
731 name = get_global_sam_name();
732 sid = get_global_sam_sid();
734 init_dom_query_5(&info->account_domain, name, sid);
736 case LSA_POLICY_INFO_ROLE:
737 /* check if the user has enough rights */
738 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
739 return NT_STATUS_ACCESS_DENIED;
741 switch (lp_server_role()) {
742 case ROLE_DOMAIN_BDC:
744 * only a BDC is a backup controller
745 * of the domain, it controls.
747 info->role.role = LSA_ROLE_BACKUP;
751 * any other role is a primary
752 * of the domain, it controls.
754 info->role.role = LSA_ROLE_PRIMARY;
758 case LSA_POLICY_INFO_DNS:
759 case LSA_POLICY_INFO_DNS_INT: {
760 struct pdb_domain_info *dominfo;
762 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
763 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
764 "without ADS passdb backend\n"));
765 status = NT_STATUS_INVALID_INFO_CLASS;
769 dominfo = pdb_get_domain_info(info);
770 if (dominfo == NULL) {
771 status = NT_STATUS_NO_MEMORY;
775 init_lsa_StringLarge(&info->dns.name,
777 init_lsa_StringLarge(&info->dns.dns_domain,
778 dominfo->dns_domain);
779 init_lsa_StringLarge(&info->dns.dns_forest,
780 dominfo->dns_forest);
781 info->dns.domain_guid = dominfo->guid;
782 info->dns.sid = &dominfo->sid;
786 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
788 status = NT_STATUS_INVALID_INFO_CLASS;
797 /***************************************************************************
798 _lsa_QueryInfoPolicy2
799 ***************************************************************************/
801 NTSTATUS _lsa_QueryInfoPolicy2(struct pipes_struct *p,
802 struct lsa_QueryInfoPolicy2 *r2)
804 struct lsa_QueryInfoPolicy r;
806 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
807 p->rng_fault_state = True;
808 return NT_STATUS_NOT_IMPLEMENTED;
812 r.in.handle = r2->in.handle;
813 r.in.level = r2->in.level;
814 r.out.info = r2->out.info;
816 return _lsa_QueryInfoPolicy(p, &r);
819 /***************************************************************************
820 _lsa_lookup_sids_internal
821 ***************************************************************************/
823 static NTSTATUS _lsa_lookup_sids_internal(struct pipes_struct *p,
825 uint16_t level, /* input */
826 int num_sids, /* input */
827 struct lsa_SidPtr *sid, /* input */
828 struct lsa_RefDomainList **pp_ref, /* input/output */
829 struct lsa_TranslatedName2 **pp_names,/* input/output */
830 uint32_t *pp_mapped_count) /* input/output */
834 const struct dom_sid **sids = NULL;
835 struct lsa_RefDomainList *ref = NULL;
836 uint32 mapped_count = 0;
837 struct lsa_dom_info *dom_infos = NULL;
838 struct lsa_name_info *name_infos = NULL;
839 struct lsa_TranslatedName2 *names = NULL;
841 *pp_mapped_count = 0;
849 sids = TALLOC_ARRAY(p->mem_ctx, const struct dom_sid *, num_sids);
850 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
852 if (sids == NULL || ref == NULL) {
853 return NT_STATUS_NO_MEMORY;
856 for (i=0; i<num_sids; i++) {
857 sids[i] = sid[i].sid;
860 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
861 &dom_infos, &name_infos);
863 if (!NT_STATUS_IS_OK(status)) {
867 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
869 return NT_STATUS_NO_MEMORY;
872 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
874 if (!dom_infos[i].valid) {
878 if (init_lsa_ref_domain_list(mem_ctx, ref,
880 &dom_infos[i].sid) != i) {
881 DEBUG(0, ("Domain %s mentioned twice??\n",
883 return NT_STATUS_INTERNAL_ERROR;
887 for (i=0; i<num_sids; i++) {
888 struct lsa_name_info *name = &name_infos[i];
890 if (name->type == SID_NAME_UNKNOWN) {
893 /* Unknown sids should return the string
894 * representation of the SID. Windows 2003 behaves
895 * rather erratic here, in many cases it returns the
896 * RID as 8 bytes hex, in others it returns the full
897 * SID. We (Jerry/VL) could not figure out which the
898 * hard cases are, so leave it with the SID. */
899 name->name = talloc_asprintf(p->mem_ctx, "%s",
902 if (name->name == NULL) {
903 return NT_STATUS_NO_MEMORY;
909 names[i].sid_type = name->type;
910 names[i].name.string = name->name;
911 names[i].sid_index = name->dom_idx;
912 names[i].unknown = 0;
915 status = NT_STATUS_NONE_MAPPED;
916 if (mapped_count > 0) {
917 status = (mapped_count < num_sids) ?
918 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
921 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
922 num_sids, mapped_count, nt_errstr(status)));
924 *pp_mapped_count = mapped_count;
931 /***************************************************************************
933 ***************************************************************************/
935 NTSTATUS _lsa_LookupSids(struct pipes_struct *p,
936 struct lsa_LookupSids *r)
939 struct lsa_info *handle;
940 int num_sids = r->in.sids->num_sids;
941 uint32 mapped_count = 0;
942 struct lsa_RefDomainList *domains = NULL;
943 struct lsa_TranslatedName *names_out = NULL;
944 struct lsa_TranslatedName2 *names = NULL;
947 if ((r->in.level < 1) || (r->in.level > 6)) {
948 return NT_STATUS_INVALID_PARAMETER;
951 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
952 return NT_STATUS_INVALID_HANDLE;
955 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
956 return NT_STATUS_INVALID_HANDLE;
959 /* check if the user has enough rights */
960 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
961 return NT_STATUS_ACCESS_DENIED;
964 if (num_sids > MAX_LOOKUP_SIDS) {
965 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
966 MAX_LOOKUP_SIDS, num_sids));
967 return NT_STATUS_NONE_MAPPED;
970 status = _lsa_lookup_sids_internal(p,
979 /* Only return here when there is a real error.
980 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
981 the requested sids could be resolved. Older versions of XP (pre SP3)
982 rely that we return with the string representations of those SIDs in
983 that case. If we don't, XP crashes - Guenther
986 if (NT_STATUS_IS_ERR(status) &&
987 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
991 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
992 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
995 return NT_STATUS_NO_MEMORY;
998 for (i=0; i<num_sids; i++) {
999 names_out[i].sid_type = names[i].sid_type;
1000 names_out[i].name = names[i].name;
1001 names_out[i].sid_index = names[i].sid_index;
1004 *r->out.domains = domains;
1005 r->out.names->count = num_sids;
1006 r->out.names->names = names_out;
1007 *r->out.count = mapped_count;
1012 /***************************************************************************
1014 ***************************************************************************/
1016 NTSTATUS _lsa_LookupSids2(struct pipes_struct *p,
1017 struct lsa_LookupSids2 *r)
1020 struct lsa_info *handle;
1021 int num_sids = r->in.sids->num_sids;
1022 uint32 mapped_count = 0;
1023 struct lsa_RefDomainList *domains = NULL;
1024 struct lsa_TranslatedName2 *names = NULL;
1025 bool check_policy = true;
1028 case NDR_LSA_LOOKUPSIDS3:
1029 check_policy = false;
1031 case NDR_LSA_LOOKUPSIDS2:
1033 check_policy = true;
1036 if ((r->in.level < 1) || (r->in.level > 6)) {
1037 return NT_STATUS_INVALID_PARAMETER;
1041 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1042 return NT_STATUS_INVALID_HANDLE;
1045 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1046 return NT_STATUS_INVALID_HANDLE;
1049 /* check if the user has enough rights */
1050 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1051 return NT_STATUS_ACCESS_DENIED;
1055 if (num_sids > MAX_LOOKUP_SIDS) {
1056 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
1057 MAX_LOOKUP_SIDS, num_sids));
1058 return NT_STATUS_NONE_MAPPED;
1061 status = _lsa_lookup_sids_internal(p,
1070 *r->out.domains = domains;
1071 r->out.names->count = num_sids;
1072 r->out.names->names = names;
1073 *r->out.count = mapped_count;
1078 /***************************************************************************
1080 ***************************************************************************/
1082 NTSTATUS _lsa_LookupSids3(struct pipes_struct *p,
1083 struct lsa_LookupSids3 *r)
1085 struct lsa_LookupSids2 q;
1087 /* No policy handle on this call. Restrict to crypto connections. */
1088 if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1089 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
1090 get_remote_machine_name() ));
1091 return NT_STATUS_INVALID_PARAMETER;
1095 q.in.sids = r->in.sids;
1096 q.in.level = r->in.level;
1097 q.in.lookup_options = r->in.lookup_options;
1098 q.in.client_revision = r->in.client_revision;
1099 q.in.names = r->in.names;
1100 q.in.count = r->in.count;
1102 q.out.domains = r->out.domains;
1103 q.out.names = r->out.names;
1104 q.out.count = r->out.count;
1106 return _lsa_LookupSids2(p, &q);
1109 /***************************************************************************
1110 ***************************************************************************/
1112 static int lsa_lookup_level_to_flags(enum lsa_LookupNamesLevel level)
1117 case LSA_LOOKUP_NAMES_ALL: /* 1 */
1118 flags = LOOKUP_NAME_ALL;
1120 case LSA_LOOKUP_NAMES_DOMAINS_ONLY: /* 2 */
1121 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1123 case LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY: /* 3 */
1124 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1126 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY: /* 4 */
1127 case LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY: /* 5 */
1128 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2: /* 6 */
1129 case LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC: /* 7 */
1131 flags = LOOKUP_NAME_NONE;
1138 /***************************************************************************
1140 ***************************************************************************/
1142 NTSTATUS _lsa_LookupNames(struct pipes_struct *p,
1143 struct lsa_LookupNames *r)
1145 NTSTATUS status = NT_STATUS_NONE_MAPPED;
1146 struct lsa_info *handle;
1147 struct lsa_String *names = r->in.names;
1148 uint32 num_entries = r->in.num_names;
1149 struct lsa_RefDomainList *domains = NULL;
1150 struct lsa_TranslatedSid *rids = NULL;
1151 uint32 mapped_count = 0;
1154 if (num_entries > MAX_LOOKUP_SIDS) {
1155 num_entries = MAX_LOOKUP_SIDS;
1156 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1160 flags = lsa_lookup_level_to_flags(r->in.level);
1162 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1164 return NT_STATUS_NO_MEMORY;
1168 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1171 return NT_STATUS_NO_MEMORY;
1177 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1178 status = NT_STATUS_INVALID_HANDLE;
1182 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1183 return NT_STATUS_INVALID_HANDLE;
1186 /* check if the user has enough rights */
1187 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1188 status = NT_STATUS_ACCESS_DENIED;
1192 /* set up the LSA Lookup RIDs response */
1193 become_root(); /* lookup_name can require root privs */
1194 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1195 names, flags, &mapped_count);
1200 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1201 if (mapped_count == 0) {
1202 status = NT_STATUS_NONE_MAPPED;
1203 } else if (mapped_count != num_entries) {
1204 status = STATUS_SOME_UNMAPPED;
1208 *r->out.count = mapped_count;
1209 *r->out.domains = domains;
1210 r->out.sids->sids = rids;
1211 r->out.sids->count = num_entries;
1216 /***************************************************************************
1218 ***************************************************************************/
1220 NTSTATUS _lsa_LookupNames2(struct pipes_struct *p,
1221 struct lsa_LookupNames2 *r)
1224 struct lsa_LookupNames q;
1225 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1226 struct lsa_TransSidArray *sid_array = NULL;
1229 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1231 return NT_STATUS_NO_MEMORY;
1234 q.in.handle = r->in.handle;
1235 q.in.num_names = r->in.num_names;
1236 q.in.names = r->in.names;
1237 q.in.level = r->in.level;
1238 q.in.sids = sid_array;
1239 q.in.count = r->in.count;
1240 /* we do not know what this is for */
1241 /* = r->in.unknown1; */
1242 /* = r->in.unknown2; */
1244 q.out.domains = r->out.domains;
1245 q.out.sids = sid_array;
1246 q.out.count = r->out.count;
1248 status = _lsa_LookupNames(p, &q);
1250 sid_array2->count = sid_array->count;
1251 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1252 if (!sid_array2->sids) {
1253 return NT_STATUS_NO_MEMORY;
1256 for (i=0; i<sid_array->count; i++) {
1257 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1258 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1259 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1260 sid_array2->sids[i].unknown = 0;
1263 r->out.sids = sid_array2;
1268 /***************************************************************************
1270 ***************************************************************************/
1272 NTSTATUS _lsa_LookupNames3(struct pipes_struct *p,
1273 struct lsa_LookupNames3 *r)
1276 struct lsa_info *handle;
1277 struct lsa_String *names = r->in.names;
1278 uint32 num_entries = r->in.num_names;
1279 struct lsa_RefDomainList *domains = NULL;
1280 struct lsa_TranslatedSid3 *trans_sids = NULL;
1281 uint32 mapped_count = 0;
1283 bool check_policy = true;
1286 case NDR_LSA_LOOKUPNAMES4:
1287 check_policy = false;
1289 case NDR_LSA_LOOKUPNAMES3:
1291 check_policy = true;
1294 if (num_entries > MAX_LOOKUP_SIDS) {
1295 num_entries = MAX_LOOKUP_SIDS;
1296 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1299 /* Probably the lookup_level is some sort of bitmask. */
1300 if (r->in.level == 1) {
1301 flags = LOOKUP_NAME_ALL;
1304 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1306 return NT_STATUS_NO_MEMORY;
1310 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1313 return NT_STATUS_NO_MEMORY;
1321 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1322 status = NT_STATUS_INVALID_HANDLE;
1326 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1327 return NT_STATUS_INVALID_HANDLE;
1330 /* check if the user has enough rights */
1331 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1332 status = NT_STATUS_ACCESS_DENIED;
1337 /* set up the LSA Lookup SIDs response */
1338 become_root(); /* lookup_name can require root privs */
1339 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1340 names, flags, &mapped_count);
1345 if (NT_STATUS_IS_OK(status)) {
1346 if (mapped_count == 0) {
1347 status = NT_STATUS_NONE_MAPPED;
1348 } else if (mapped_count != num_entries) {
1349 status = STATUS_SOME_UNMAPPED;
1353 *r->out.count = mapped_count;
1354 *r->out.domains = domains;
1355 r->out.sids->sids = trans_sids;
1356 r->out.sids->count = num_entries;
1361 /***************************************************************************
1363 ***************************************************************************/
1365 NTSTATUS _lsa_LookupNames4(struct pipes_struct *p,
1366 struct lsa_LookupNames4 *r)
1368 struct lsa_LookupNames3 q;
1370 /* No policy handle on this call. Restrict to crypto connections. */
1371 if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1372 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1373 get_remote_machine_name() ));
1374 return NT_STATUS_INVALID_PARAMETER;
1378 q.in.num_names = r->in.num_names;
1379 q.in.names = r->in.names;
1380 q.in.level = r->in.level;
1381 q.in.lookup_options = r->in.lookup_options;
1382 q.in.client_revision = r->in.client_revision;
1383 q.in.sids = r->in.sids;
1384 q.in.count = r->in.count;
1386 q.out.domains = r->out.domains;
1387 q.out.sids = r->out.sids;
1388 q.out.count = r->out.count;
1390 return _lsa_LookupNames3(p, &q);
1393 /***************************************************************************
1394 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1395 ***************************************************************************/
1397 NTSTATUS _lsa_Close(struct pipes_struct *p, struct lsa_Close *r)
1399 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1400 return NT_STATUS_INVALID_HANDLE;
1403 close_policy_hnd(p, r->in.handle);
1404 ZERO_STRUCTP(r->out.handle);
1405 return NT_STATUS_OK;
1408 /***************************************************************************
1409 ***************************************************************************/
1411 NTSTATUS _lsa_OpenSecret(struct pipes_struct *p, struct lsa_OpenSecret *r)
1413 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1416 /***************************************************************************
1417 ***************************************************************************/
1419 NTSTATUS _lsa_OpenTrustedDomain(struct pipes_struct *p,
1420 struct lsa_OpenTrustedDomain *r)
1422 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1425 /***************************************************************************
1426 ***************************************************************************/
1428 NTSTATUS _lsa_CreateTrustedDomain(struct pipes_struct *p,
1429 struct lsa_CreateTrustedDomain *r)
1431 return NT_STATUS_ACCESS_DENIED;
1434 /***************************************************************************
1435 ***************************************************************************/
1437 NTSTATUS _lsa_CreateSecret(struct pipes_struct *p, struct lsa_CreateSecret *r)
1439 return NT_STATUS_ACCESS_DENIED;
1442 /***************************************************************************
1443 ***************************************************************************/
1445 NTSTATUS _lsa_SetSecret(struct pipes_struct *p, struct lsa_SetSecret *r)
1447 return NT_STATUS_ACCESS_DENIED;
1450 /***************************************************************************
1452 ***************************************************************************/
1454 NTSTATUS _lsa_DeleteObject(struct pipes_struct *p,
1455 struct lsa_DeleteObject *r)
1458 struct lsa_info *info = NULL;
1460 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1461 return NT_STATUS_INVALID_HANDLE;
1464 if (!(info->access & SEC_STD_DELETE)) {
1465 return NT_STATUS_ACCESS_DENIED;
1468 switch (info->type) {
1469 case LSA_HANDLE_ACCOUNT_TYPE:
1470 status = privilege_delete_account(&info->sid);
1471 if (!NT_STATUS_IS_OK(status)) {
1472 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1473 nt_errstr(status)));
1478 return NT_STATUS_INVALID_HANDLE;
1481 close_policy_hnd(p, r->in.handle);
1482 ZERO_STRUCTP(r->out.handle);
1487 /***************************************************************************
1489 ***************************************************************************/
1491 NTSTATUS _lsa_EnumPrivs(struct pipes_struct *p,
1492 struct lsa_EnumPrivs *r)
1494 struct lsa_info *handle;
1496 uint32 enum_context = *r->in.resume_handle;
1497 int num_privs = num_privileges_in_short_list();
1498 struct lsa_PrivEntry *entries = NULL;
1500 /* remember that the enum_context starts at 0 and not 1 */
1502 if ( enum_context >= num_privs )
1503 return NT_STATUS_NO_MORE_ENTRIES;
1505 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1506 enum_context, num_privs));
1508 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1509 return NT_STATUS_INVALID_HANDLE;
1511 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1512 return NT_STATUS_INVALID_HANDLE;
1515 /* check if the user has enough rights
1516 I don't know if it's the right one. not documented. */
1518 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1519 return NT_STATUS_ACCESS_DENIED;
1522 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1524 return NT_STATUS_NO_MEMORY;
1530 for (i = 0; i < num_privs; i++) {
1531 if( i < enum_context) {
1533 init_lsa_StringLarge(&entries[i].name, NULL);
1535 entries[i].luid.low = 0;
1536 entries[i].luid.high = 0;
1539 init_lsa_StringLarge(&entries[i].name, sec_privilege_name_from_index(i));
1541 entries[i].luid.low = sec_privilege_from_index(i);
1542 entries[i].luid.high = 0;
1546 enum_context = num_privs;
1548 *r->out.resume_handle = enum_context;
1549 r->out.privs->count = num_privs;
1550 r->out.privs->privs = entries;
1552 return NT_STATUS_OK;
1555 /***************************************************************************
1556 _lsa_LookupPrivDisplayName
1557 ***************************************************************************/
1559 NTSTATUS _lsa_LookupPrivDisplayName(struct pipes_struct *p,
1560 struct lsa_LookupPrivDisplayName *r)
1562 struct lsa_info *handle;
1563 const char *description;
1564 struct lsa_StringLarge *lsa_name;
1566 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1567 return NT_STATUS_INVALID_HANDLE;
1569 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1570 return NT_STATUS_INVALID_HANDLE;
1573 /* check if the user has enough rights */
1576 * I don't know if it's the right one. not documented.
1578 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1579 return NT_STATUS_ACCESS_DENIED;
1581 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1583 description = get_privilege_dispname(r->in.name->string);
1585 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1586 return NT_STATUS_NO_SUCH_PRIVILEGE;
1589 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1591 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1593 return NT_STATUS_NO_MEMORY;
1596 init_lsa_StringLarge(lsa_name, description);
1598 *r->out.returned_language_id = r->in.language_id;
1599 *r->out.disp_name = lsa_name;
1601 return NT_STATUS_OK;
1604 /***************************************************************************
1606 ***************************************************************************/
1608 NTSTATUS _lsa_EnumAccounts(struct pipes_struct *p,
1609 struct lsa_EnumAccounts *r)
1611 struct lsa_info *handle;
1612 struct dom_sid *sid_list;
1613 int i, j, num_entries;
1615 struct lsa_SidPtr *sids = NULL;
1617 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1618 return NT_STATUS_INVALID_HANDLE;
1620 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1621 return NT_STATUS_INVALID_HANDLE;
1624 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1625 return NT_STATUS_ACCESS_DENIED;
1630 /* The only way we can currently find out all the SIDs that have been
1631 privileged is to scan all privileges */
1633 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1634 if (!NT_STATUS_IS_OK(status)) {
1638 if (*r->in.resume_handle >= num_entries) {
1639 return NT_STATUS_NO_MORE_ENTRIES;
1642 if (num_entries - *r->in.resume_handle) {
1643 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1644 num_entries - *r->in.resume_handle);
1646 talloc_free(sid_list);
1647 return NT_STATUS_NO_MEMORY;
1650 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1651 sids[j].sid = dom_sid_dup(p->mem_ctx, &sid_list[i]);
1653 talloc_free(sid_list);
1654 return NT_STATUS_NO_MEMORY;
1659 talloc_free(sid_list);
1661 *r->out.resume_handle = num_entries;
1662 r->out.sids->num_sids = num_entries;
1663 r->out.sids->sids = sids;
1665 return NT_STATUS_OK;
1668 /***************************************************************************
1670 ***************************************************************************/
1672 NTSTATUS _lsa_GetUserName(struct pipes_struct *p,
1673 struct lsa_GetUserName *r)
1675 const char *username, *domname;
1676 struct lsa_String *account_name = NULL;
1677 struct lsa_String *authority_name = NULL;
1679 if (r->in.account_name &&
1680 *r->in.account_name) {
1681 return NT_STATUS_INVALID_PARAMETER;
1684 if (r->in.authority_name &&
1685 *r->in.authority_name) {
1686 return NT_STATUS_INVALID_PARAMETER;
1689 if (p->server_info->guest) {
1691 * I'm 99% sure this is not the right place to do this,
1692 * global_sid_Anonymous should probably be put into the token
1693 * instead of the guest id -- vl
1695 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1696 &domname, &username, NULL)) {
1697 return NT_STATUS_NO_MEMORY;
1700 username = p->server_info->sanitized_username;
1701 domname = p->server_info->info3->base.domain.string;
1704 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1705 if (!account_name) {
1706 return NT_STATUS_NO_MEMORY;
1708 init_lsa_String(account_name, username);
1710 if (r->out.authority_name) {
1711 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1712 if (!authority_name) {
1713 return NT_STATUS_NO_MEMORY;
1715 init_lsa_String(authority_name, domname);
1718 *r->out.account_name = account_name;
1719 if (r->out.authority_name) {
1720 *r->out.authority_name = authority_name;
1723 return NT_STATUS_OK;
1726 /***************************************************************************
1728 ***************************************************************************/
1730 NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
1731 struct lsa_CreateAccount *r)
1734 struct lsa_info *handle;
1735 uint32_t acc_granted;
1736 struct security_descriptor *psd;
1739 /* find the connection policy handle. */
1740 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1741 return NT_STATUS_INVALID_HANDLE;
1743 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1744 return NT_STATUS_INVALID_HANDLE;
1747 /* check if the user has enough rights */
1749 if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
1750 return NT_STATUS_ACCESS_DENIED;
1753 /* Work out max allowed. */
1754 map_max_allowed_access(p->server_info->security_token,
1755 &p->server_info->utok,
1756 &r->in.access_mask);
1758 /* map the generic bits to the lsa policy ones */
1759 se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1761 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1762 &lsa_account_mapping,
1763 r->in.sid, LSA_POLICY_ALL_ACCESS);
1764 if (!NT_STATUS_IS_OK(status)) {
1768 status = access_check_object(psd, p->server_info->security_token,
1769 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, r->in.access_mask,
1770 &acc_granted, "_lsa_CreateAccount");
1771 if (!NT_STATUS_IS_OK(status)) {
1775 if ( is_privileged_sid( r->in.sid ) )
1776 return NT_STATUS_OBJECT_NAME_COLLISION;
1778 status = create_lsa_policy_handle(p->mem_ctx, p,
1779 LSA_HANDLE_ACCOUNT_TYPE,
1784 r->out.acct_handle);
1785 if (!NT_STATUS_IS_OK(status)) {
1786 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1789 return privilege_create_account(r->in.sid);
1792 /***************************************************************************
1794 ***************************************************************************/
1796 NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
1797 struct lsa_OpenAccount *r)
1799 struct lsa_info *handle;
1800 struct security_descriptor *psd = NULL;
1802 uint32_t des_access = r->in.access_mask;
1803 uint32_t acc_granted;
1806 /* find the connection policy handle. */
1807 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1808 return NT_STATUS_INVALID_HANDLE;
1810 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1811 return NT_STATUS_INVALID_HANDLE;
1814 /* des_access is for the account here, not the policy
1815 * handle - so don't check against policy handle. */
1817 /* Work out max allowed. */
1818 map_max_allowed_access(p->server_info->security_token,
1819 &p->server_info->utok,
1822 /* map the generic bits to the lsa account ones */
1823 se_map_generic(&des_access, &lsa_account_mapping);
1825 /* get the generic lsa account SD until we store it */
1826 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1827 &lsa_account_mapping,
1828 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1829 if (!NT_STATUS_IS_OK(status)) {
1833 status = access_check_object(psd, p->server_info->security_token,
1834 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, des_access,
1835 &acc_granted, "_lsa_OpenAccount" );
1836 if (!NT_STATUS_IS_OK(status)) {
1840 /* TODO: Fis the parsing routine before reenabling this check! */
1842 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1843 return NT_STATUS_ACCESS_DENIED;
1846 status = create_lsa_policy_handle(p->mem_ctx, p,
1847 LSA_HANDLE_ACCOUNT_TYPE,
1852 r->out.acct_handle);
1853 if (!NT_STATUS_IS_OK(status)) {
1854 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1857 return NT_STATUS_OK;
1860 /***************************************************************************
1861 _lsa_EnumPrivsAccount
1862 For a given SID, enumerate all the privilege this account has.
1863 ***************************************************************************/
1865 NTSTATUS _lsa_EnumPrivsAccount(struct pipes_struct *p,
1866 struct lsa_EnumPrivsAccount *r)
1868 NTSTATUS status = NT_STATUS_OK;
1869 struct lsa_info *info=NULL;
1870 PRIVILEGE_SET *privileges;
1871 struct lsa_PrivilegeSet *priv_set = NULL;
1873 /* find the connection policy handle. */
1874 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1875 return NT_STATUS_INVALID_HANDLE;
1877 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1878 return NT_STATUS_INVALID_HANDLE;
1881 if (!(info->access & LSA_ACCOUNT_VIEW))
1882 return NT_STATUS_ACCESS_DENIED;
1884 status = get_privileges_for_sid_as_set(p->mem_ctx, &privileges, &info->sid);
1885 if (!NT_STATUS_IS_OK(status)) {
1889 *r->out.privs = priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1891 return NT_STATUS_NO_MEMORY;
1894 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1895 sid_string_dbg(&info->sid),
1896 privileges->count));
1898 priv_set->count = privileges->count;
1899 priv_set->unknown = 0;
1900 priv_set->set = talloc_move(priv_set, &privileges->set);
1905 /***************************************************************************
1906 _lsa_GetSystemAccessAccount
1907 ***************************************************************************/
1909 NTSTATUS _lsa_GetSystemAccessAccount(struct pipes_struct *p,
1910 struct lsa_GetSystemAccessAccount *r)
1913 struct lsa_info *info = NULL;
1914 struct lsa_EnumPrivsAccount e;
1915 struct lsa_PrivilegeSet *privset;
1917 /* find the connection policy handle. */
1919 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1920 return NT_STATUS_INVALID_HANDLE;
1922 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1923 return NT_STATUS_INVALID_HANDLE;
1926 if (!(info->access & LSA_ACCOUNT_VIEW))
1927 return NT_STATUS_ACCESS_DENIED;
1929 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1931 return NT_STATUS_NO_MEMORY;
1934 e.in.handle = r->in.handle;
1935 e.out.privs = &privset;
1937 status = _lsa_EnumPrivsAccount(p, &e);
1938 if (!NT_STATUS_IS_OK(status)) {
1939 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1940 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1941 nt_errstr(status)));
1945 /* Samba4 would iterate over the privset to merge the policy mode bits,
1946 * not sure samba3 can do the same here, so just return what we did in
1950 0x01 -> Log on locally
1951 0x02 -> Access this computer from network
1952 0x04 -> Log on as a batch job
1953 0x10 -> Log on as a service
1955 they can be ORed together
1958 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1959 LSA_POLICY_MODE_NETWORK;
1961 return NT_STATUS_OK;
1964 /***************************************************************************
1965 update the systemaccount information
1966 ***************************************************************************/
1968 NTSTATUS _lsa_SetSystemAccessAccount(struct pipes_struct *p,
1969 struct lsa_SetSystemAccessAccount *r)
1971 struct lsa_info *info=NULL;
1974 /* find the connection policy handle. */
1975 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1976 return NT_STATUS_INVALID_HANDLE;
1978 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1979 return NT_STATUS_INVALID_HANDLE;
1982 if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1983 return NT_STATUS_ACCESS_DENIED;
1986 if (!pdb_getgrsid(&map, info->sid))
1987 return NT_STATUS_NO_SUCH_GROUP;
1989 return pdb_update_group_mapping_entry(&map);
1992 /***************************************************************************
1993 _lsa_AddPrivilegesToAccount
1994 For a given SID, add some privileges.
1995 ***************************************************************************/
1997 NTSTATUS _lsa_AddPrivilegesToAccount(struct pipes_struct *p,
1998 struct lsa_AddPrivilegesToAccount *r)
2000 struct lsa_info *info = NULL;
2001 struct lsa_PrivilegeSet *set = NULL;
2003 /* find the connection policy handle. */
2004 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2005 return NT_STATUS_INVALID_HANDLE;
2007 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2008 return NT_STATUS_INVALID_HANDLE;
2011 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2012 return NT_STATUS_ACCESS_DENIED;
2017 if ( !grant_privilege_set( &info->sid, set ) ) {
2018 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege_set(%s) failed!\n",
2019 sid_string_dbg(&info->sid) ));
2020 return NT_STATUS_NO_SUCH_PRIVILEGE;
2023 return NT_STATUS_OK;
2026 /***************************************************************************
2027 _lsa_RemovePrivilegesFromAccount
2028 For a given SID, remove some privileges.
2029 ***************************************************************************/
2031 NTSTATUS _lsa_RemovePrivilegesFromAccount(struct pipes_struct *p,
2032 struct lsa_RemovePrivilegesFromAccount *r)
2034 struct lsa_info *info = NULL;
2035 struct lsa_PrivilegeSet *set = NULL;
2037 /* find the connection policy handle. */
2038 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2039 return NT_STATUS_INVALID_HANDLE;
2041 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2042 return NT_STATUS_INVALID_HANDLE;
2045 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2046 return NT_STATUS_ACCESS_DENIED;
2051 if ( !revoke_privilege_set( &info->sid, set) ) {
2052 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2053 sid_string_dbg(&info->sid) ));
2054 return NT_STATUS_NO_SUCH_PRIVILEGE;
2057 return NT_STATUS_OK;
2060 /***************************************************************************
2062 ***************************************************************************/
2064 NTSTATUS _lsa_LookupPrivName(struct pipes_struct *p,
2065 struct lsa_LookupPrivName *r)
2067 struct lsa_info *info = NULL;
2069 struct lsa_StringLarge *lsa_name;
2071 /* find the connection policy handle. */
2072 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2073 return NT_STATUS_INVALID_HANDLE;
2076 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2077 return NT_STATUS_INVALID_HANDLE;
2080 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2081 return NT_STATUS_ACCESS_DENIED;
2084 if (r->in.luid->high != 0) {
2085 return NT_STATUS_NO_SUCH_PRIVILEGE;
2088 name = sec_privilege_name(r->in.luid->low);
2090 return NT_STATUS_NO_SUCH_PRIVILEGE;
2093 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2095 return NT_STATUS_NO_MEMORY;
2098 lsa_name->string = talloc_strdup(lsa_name, name);
2099 if (!lsa_name->string) {
2100 TALLOC_FREE(lsa_name);
2101 return NT_STATUS_NO_MEMORY;
2104 *r->out.name = lsa_name;
2106 return NT_STATUS_OK;
2109 /***************************************************************************
2111 ***************************************************************************/
2113 NTSTATUS _lsa_QuerySecurity(struct pipes_struct *p,
2114 struct lsa_QuerySecurity *r)
2116 struct lsa_info *handle=NULL;
2117 struct security_descriptor *psd = NULL;
2121 /* find the connection policy handle. */
2122 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2123 return NT_STATUS_INVALID_HANDLE;
2125 switch (handle->type) {
2126 case LSA_HANDLE_POLICY_TYPE:
2127 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2128 &lsa_policy_mapping, NULL, 0);
2130 case LSA_HANDLE_ACCOUNT_TYPE:
2131 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2132 &lsa_account_mapping,
2133 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2136 status = NT_STATUS_INVALID_HANDLE;
2140 if (!NT_STATUS_IS_OK(status)) {
2144 *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2145 if (!*r->out.sdbuf) {
2146 return NT_STATUS_NO_MEMORY;
2152 /***************************************************************************
2153 _lsa_AddAccountRights
2154 ***************************************************************************/
2156 NTSTATUS _lsa_AddAccountRights(struct pipes_struct *p,
2157 struct lsa_AddAccountRights *r)
2159 struct lsa_info *info = NULL;
2161 uint32_t acc_granted = 0;
2162 struct security_descriptor *psd = NULL;
2167 /* find the connection policy handle. */
2168 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2169 return NT_STATUS_INVALID_HANDLE;
2171 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2172 return NT_STATUS_INVALID_HANDLE;
2175 /* get the generic lsa account SD for this SID until we store it */
2176 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2177 &lsa_account_mapping,
2178 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2179 if (!NT_STATUS_IS_OK(status)) {
2184 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2185 * on the policy handle. If it does, ask for
2186 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2187 * on the account sid. We don't check here so just use the latter. JRA.
2190 status = access_check_object(psd, p->server_info->security_token,
2191 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
2192 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2193 &acc_granted, "_lsa_AddAccountRights" );
2194 if (!NT_STATUS_IS_OK(status)) {
2198 /* according to an NT4 PDC, you can add privileges to SIDs even without
2199 call_lsa_create_account() first. And you can use any arbitrary SID. */
2201 sid_copy( &sid, r->in.sid );
2203 for ( i=0; i < r->in.rights->count; i++ ) {
2205 const char *privname = r->in.rights->names[i].string;
2207 /* only try to add non-null strings */
2212 if ( !grant_privilege_by_name( &sid, privname ) ) {
2213 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2215 return NT_STATUS_NO_SUCH_PRIVILEGE;
2219 return NT_STATUS_OK;
2222 /***************************************************************************
2223 _lsa_RemoveAccountRights
2224 ***************************************************************************/
2226 NTSTATUS _lsa_RemoveAccountRights(struct pipes_struct *p,
2227 struct lsa_RemoveAccountRights *r)
2229 struct lsa_info *info = NULL;
2231 struct security_descriptor *psd = NULL;
2234 const char *privname = NULL;
2235 uint32_t acc_granted = 0;
2238 /* find the connection policy handle. */
2239 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2240 return NT_STATUS_INVALID_HANDLE;
2242 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2243 return NT_STATUS_INVALID_HANDLE;
2246 /* get the generic lsa account SD for this SID until we store it */
2247 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2248 &lsa_account_mapping,
2249 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2250 if (!NT_STATUS_IS_OK(status)) {
2255 * From the MS DOCs. We need
2256 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2257 * and DELETE on the account sid.
2260 status = access_check_object(psd, p->server_info->security_token,
2261 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
2262 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2263 LSA_ACCOUNT_VIEW|SEC_STD_DELETE,
2264 &acc_granted, "_lsa_RemoveAccountRights");
2265 if (!NT_STATUS_IS_OK(status)) {
2269 sid_copy( &sid, r->in.sid );
2271 if ( r->in.remove_all ) {
2272 if ( !revoke_all_privileges( &sid ) )
2273 return NT_STATUS_ACCESS_DENIED;
2275 return NT_STATUS_OK;
2278 for ( i=0; i < r->in.rights->count; i++ ) {
2280 privname = r->in.rights->names[i].string;
2282 /* only try to add non-null strings */
2287 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2288 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2290 return NT_STATUS_NO_SUCH_PRIVILEGE;
2294 return NT_STATUS_OK;
2297 /*******************************************************************
2298 ********************************************************************/
2300 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2301 struct lsa_RightSet *r,
2302 PRIVILEGE_SET *privileges)
2305 const char *privname;
2306 const char **privname_array = NULL;
2309 for (i=0; i<privileges->count; i++) {
2310 if (privileges->set[i].luid.high) {
2313 privname = sec_privilege_name(privileges->set[i].luid.low);
2315 if (!add_string_to_array(mem_ctx, privname,
2316 &privname_array, &num_priv)) {
2317 return NT_STATUS_NO_MEMORY;
2324 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2327 return NT_STATUS_NO_MEMORY;
2330 for (i=0; i<num_priv; i++) {
2331 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2334 r->count = num_priv;
2337 return NT_STATUS_OK;
2340 /***************************************************************************
2341 _lsa_EnumAccountRights
2342 ***************************************************************************/
2344 NTSTATUS _lsa_EnumAccountRights(struct pipes_struct *p,
2345 struct lsa_EnumAccountRights *r)
2348 struct lsa_info *info = NULL;
2349 PRIVILEGE_SET *privileges;
2351 /* find the connection policy handle. */
2353 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2354 return NT_STATUS_INVALID_HANDLE;
2356 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2357 return NT_STATUS_INVALID_HANDLE;
2360 if (!(info->access & LSA_ACCOUNT_VIEW)) {
2361 return NT_STATUS_ACCESS_DENIED;
2364 /* according to an NT4 PDC, you can add privileges to SIDs even without
2365 call_lsa_create_account() first. And you can use any arbitrary SID. */
2367 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2368 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2369 * the lsa database */
2371 status = get_privileges_for_sid_as_set(p->mem_ctx, &privileges, r->in.sid);
2372 if (!NT_STATUS_IS_OK(status)) {
2376 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2377 sid_string_dbg(r->in.sid), privileges->count));
2379 status = init_lsa_right_set(p->mem_ctx, r->out.rights, privileges);
2384 /***************************************************************************
2385 _lsa_LookupPrivValue
2386 ***************************************************************************/
2388 NTSTATUS _lsa_LookupPrivValue(struct pipes_struct *p,
2389 struct lsa_LookupPrivValue *r)
2391 struct lsa_info *info = NULL;
2392 const char *name = NULL;
2394 /* find the connection policy handle. */
2396 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2397 return NT_STATUS_INVALID_HANDLE;
2399 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2400 return NT_STATUS_INVALID_HANDLE;
2403 if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2404 return NT_STATUS_ACCESS_DENIED;
2406 name = r->in.name->string;
2408 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2410 r->out.luid->low = sec_privilege_id(name);
2411 r->out.luid->high = 0;
2412 if (r->out.luid->low == SEC_PRIV_INVALID) {
2413 return NT_STATUS_NO_SUCH_PRIVILEGE;
2415 return NT_STATUS_OK;
2418 /***************************************************************************
2419 _lsa_EnumAccountsWithUserRight
2420 ***************************************************************************/
2422 NTSTATUS _lsa_EnumAccountsWithUserRight(struct pipes_struct *p,
2423 struct lsa_EnumAccountsWithUserRight *r)
2426 struct lsa_info *info = NULL;
2427 struct dom_sid *sids = NULL;
2430 enum sec_privilege privilege;
2432 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2433 return NT_STATUS_INVALID_HANDLE;
2436 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2437 return NT_STATUS_INVALID_HANDLE;
2440 if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2441 return NT_STATUS_ACCESS_DENIED;
2444 if (!r->in.name || !r->in.name->string) {
2445 return NT_STATUS_NO_SUCH_PRIVILEGE;
2448 privilege = sec_privilege_id(r->in.name->string);
2449 if (privilege == SEC_PRIV_INVALID) {
2450 return NT_STATUS_NO_SUCH_PRIVILEGE;
2453 status = privilege_enum_sids(privilege, p->mem_ctx,
2455 if (!NT_STATUS_IS_OK(status)) {
2459 r->out.sids->num_sids = num_sids;
2460 r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2461 r->out.sids->num_sids);
2463 for (i=0; i < r->out.sids->num_sids; i++) {
2464 r->out.sids->sids[i].sid = dom_sid_dup(r->out.sids->sids,
2466 if (!r->out.sids->sids[i].sid) {
2467 TALLOC_FREE(r->out.sids->sids);
2468 r->out.sids->num_sids = 0;
2469 return NT_STATUS_NO_MEMORY;
2473 return NT_STATUS_OK;
2476 /***************************************************************************
2478 ***************************************************************************/
2480 NTSTATUS _lsa_Delete(struct pipes_struct *p,
2481 struct lsa_Delete *r)
2483 return NT_STATUS_NOT_SUPPORTED;
2487 * From here on the server routines are just dummy ones to make smbd link with
2488 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2489 * pulling the server stubs across one by one.
2492 NTSTATUS _lsa_SetSecObj(struct pipes_struct *p, struct lsa_SetSecObj *r)
2494 p->rng_fault_state = True;
2495 return NT_STATUS_NOT_IMPLEMENTED;
2498 NTSTATUS _lsa_ChangePassword(struct pipes_struct *p,
2499 struct lsa_ChangePassword *r)
2501 p->rng_fault_state = True;
2502 return NT_STATUS_NOT_IMPLEMENTED;
2505 NTSTATUS _lsa_SetInfoPolicy(struct pipes_struct *p, struct lsa_SetInfoPolicy *r)
2507 p->rng_fault_state = True;
2508 return NT_STATUS_NOT_IMPLEMENTED;
2511 NTSTATUS _lsa_ClearAuditLog(struct pipes_struct *p, struct lsa_ClearAuditLog *r)
2513 p->rng_fault_state = True;
2514 return NT_STATUS_NOT_IMPLEMENTED;
2517 NTSTATUS _lsa_GetQuotasForAccount(struct pipes_struct *p,
2518 struct lsa_GetQuotasForAccount *r)
2520 p->rng_fault_state = True;
2521 return NT_STATUS_NOT_IMPLEMENTED;
2524 NTSTATUS _lsa_SetQuotasForAccount(struct pipes_struct *p,
2525 struct lsa_SetQuotasForAccount *r)
2527 p->rng_fault_state = True;
2528 return NT_STATUS_NOT_IMPLEMENTED;
2531 NTSTATUS _lsa_QueryTrustedDomainInfo(struct pipes_struct *p,
2532 struct lsa_QueryTrustedDomainInfo *r)
2534 p->rng_fault_state = True;
2535 return NT_STATUS_NOT_IMPLEMENTED;
2538 NTSTATUS _lsa_SetInformationTrustedDomain(struct pipes_struct *p,
2539 struct lsa_SetInformationTrustedDomain *r)
2541 p->rng_fault_state = True;
2542 return NT_STATUS_NOT_IMPLEMENTED;
2545 NTSTATUS _lsa_QuerySecret(struct pipes_struct *p, struct lsa_QuerySecret *r)
2547 p->rng_fault_state = True;
2548 return NT_STATUS_NOT_IMPLEMENTED;
2551 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(struct pipes_struct *p,
2552 struct lsa_QueryTrustedDomainInfoBySid *r)
2554 p->rng_fault_state = True;
2555 return NT_STATUS_NOT_IMPLEMENTED;
2558 NTSTATUS _lsa_SetTrustedDomainInfo(struct pipes_struct *p,
2559 struct lsa_SetTrustedDomainInfo *r)
2561 p->rng_fault_state = True;
2562 return NT_STATUS_NOT_IMPLEMENTED;
2565 NTSTATUS _lsa_DeleteTrustedDomain(struct pipes_struct *p,
2566 struct lsa_DeleteTrustedDomain *r)
2568 p->rng_fault_state = True;
2569 return NT_STATUS_NOT_IMPLEMENTED;
2572 NTSTATUS _lsa_StorePrivateData(struct pipes_struct *p,
2573 struct lsa_StorePrivateData *r)
2575 p->rng_fault_state = True;
2576 return NT_STATUS_NOT_IMPLEMENTED;
2579 NTSTATUS _lsa_RetrievePrivateData(struct pipes_struct *p,
2580 struct lsa_RetrievePrivateData *r)
2582 p->rng_fault_state = True;
2583 return NT_STATUS_NOT_IMPLEMENTED;
2586 NTSTATUS _lsa_SetInfoPolicy2(struct pipes_struct *p,
2587 struct lsa_SetInfoPolicy2 *r)
2589 p->rng_fault_state = True;
2590 return NT_STATUS_NOT_IMPLEMENTED;
2593 NTSTATUS _lsa_QueryTrustedDomainInfoByName(struct pipes_struct *p,
2594 struct lsa_QueryTrustedDomainInfoByName *r)
2596 p->rng_fault_state = True;
2597 return NT_STATUS_NOT_IMPLEMENTED;
2600 NTSTATUS _lsa_SetTrustedDomainInfoByName(struct pipes_struct *p,
2601 struct lsa_SetTrustedDomainInfoByName *r)
2603 p->rng_fault_state = True;
2604 return NT_STATUS_NOT_IMPLEMENTED;
2607 NTSTATUS _lsa_EnumTrustedDomainsEx(struct pipes_struct *p,
2608 struct lsa_EnumTrustedDomainsEx *r)
2610 p->rng_fault_state = True;
2611 return NT_STATUS_NOT_IMPLEMENTED;
2614 NTSTATUS _lsa_CreateTrustedDomainEx(struct pipes_struct *p,
2615 struct lsa_CreateTrustedDomainEx *r)
2617 p->rng_fault_state = True;
2618 return NT_STATUS_NOT_IMPLEMENTED;
2621 NTSTATUS _lsa_CloseTrustedDomainEx(struct pipes_struct *p,
2622 struct lsa_CloseTrustedDomainEx *r)
2624 p->rng_fault_state = True;
2625 return NT_STATUS_NOT_IMPLEMENTED;
2628 NTSTATUS _lsa_QueryDomainInformationPolicy(struct pipes_struct *p,
2629 struct lsa_QueryDomainInformationPolicy *r)
2631 p->rng_fault_state = True;
2632 return NT_STATUS_NOT_IMPLEMENTED;
2635 NTSTATUS _lsa_SetDomainInformationPolicy(struct pipes_struct *p,
2636 struct lsa_SetDomainInformationPolicy *r)
2638 p->rng_fault_state = True;
2639 return NT_STATUS_NOT_IMPLEMENTED;
2642 NTSTATUS _lsa_OpenTrustedDomainByName(struct pipes_struct *p,
2643 struct lsa_OpenTrustedDomainByName *r)
2645 p->rng_fault_state = True;
2646 return NT_STATUS_NOT_IMPLEMENTED;
2649 NTSTATUS _lsa_TestCall(struct pipes_struct *p, struct lsa_TestCall *r)
2651 p->rng_fault_state = True;
2652 return NT_STATUS_NOT_IMPLEMENTED;
2655 NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
2656 struct lsa_CreateTrustedDomainEx2 *r)
2658 p->rng_fault_state = True;
2659 return NT_STATUS_NOT_IMPLEMENTED;
2662 NTSTATUS _lsa_CREDRWRITE(struct pipes_struct *p, struct lsa_CREDRWRITE *r)
2664 p->rng_fault_state = True;
2665 return NT_STATUS_NOT_IMPLEMENTED;
2668 NTSTATUS _lsa_CREDRREAD(struct pipes_struct *p, struct lsa_CREDRREAD *r)
2670 p->rng_fault_state = True;
2671 return NT_STATUS_NOT_IMPLEMENTED;
2674 NTSTATUS _lsa_CREDRENUMERATE(struct pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2676 p->rng_fault_state = True;
2677 return NT_STATUS_NOT_IMPLEMENTED;
2680 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(struct pipes_struct *p,
2681 struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2683 p->rng_fault_state = True;
2684 return NT_STATUS_NOT_IMPLEMENTED;
2687 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(struct pipes_struct *p,
2688 struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2690 p->rng_fault_state = True;
2691 return NT_STATUS_NOT_IMPLEMENTED;
2694 NTSTATUS _lsa_CREDRDELETE(struct pipes_struct *p, struct lsa_CREDRDELETE *r)
2696 p->rng_fault_state = True;
2697 return NT_STATUS_NOT_IMPLEMENTED;
2700 NTSTATUS _lsa_CREDRGETTARGETINFO(struct pipes_struct *p,
2701 struct lsa_CREDRGETTARGETINFO *r)
2703 p->rng_fault_state = True;
2704 return NT_STATUS_NOT_IMPLEMENTED;
2707 NTSTATUS _lsa_CREDRPROFILELOADED(struct pipes_struct *p,
2708 struct lsa_CREDRPROFILELOADED *r)
2710 p->rng_fault_state = True;
2711 return NT_STATUS_NOT_IMPLEMENTED;
2714 NTSTATUS _lsa_CREDRGETSESSIONTYPES(struct pipes_struct *p,
2715 struct lsa_CREDRGETSESSIONTYPES *r)
2717 p->rng_fault_state = True;
2718 return NT_STATUS_NOT_IMPLEMENTED;
2721 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(struct pipes_struct *p,
2722 struct lsa_LSARREGISTERAUDITEVENT *r)
2724 p->rng_fault_state = True;
2725 return NT_STATUS_NOT_IMPLEMENTED;
2728 NTSTATUS _lsa_LSARGENAUDITEVENT(struct pipes_struct *p,
2729 struct lsa_LSARGENAUDITEVENT *r)
2731 p->rng_fault_state = True;
2732 return NT_STATUS_NOT_IMPLEMENTED;
2735 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(struct pipes_struct *p,
2736 struct lsa_LSARUNREGISTERAUDITEVENT *r)
2738 p->rng_fault_state = True;
2739 return NT_STATUS_NOT_IMPLEMENTED;
2742 NTSTATUS _lsa_lsaRQueryForestTrustInformation(struct pipes_struct *p,
2743 struct lsa_lsaRQueryForestTrustInformation *r)
2745 p->rng_fault_state = True;
2746 return NT_STATUS_NOT_IMPLEMENTED;
2749 NTSTATUS _lsa_lsaRSetForestTrustInformation(struct pipes_struct *p,
2750 struct lsa_lsaRSetForestTrustInformation *r)
2752 p->rng_fault_state = True;
2753 return NT_STATUS_NOT_IMPLEMENTED;
2756 NTSTATUS _lsa_CREDRRENAME(struct pipes_struct *p,
2757 struct lsa_CREDRRENAME *r)
2759 p->rng_fault_state = True;
2760 return NT_STATUS_NOT_IMPLEMENTED;
2763 NTSTATUS _lsa_LSAROPENPOLICYSCE(struct pipes_struct *p,
2764 struct lsa_LSAROPENPOLICYSCE *r)
2766 p->rng_fault_state = True;
2767 return NT_STATUS_NOT_IMPLEMENTED;
2770 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(struct pipes_struct *p,
2771 struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2773 p->rng_fault_state = True;
2774 return NT_STATUS_NOT_IMPLEMENTED;
2777 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(struct pipes_struct *p,
2778 struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2780 p->rng_fault_state = True;
2781 return NT_STATUS_NOT_IMPLEMENTED;
2784 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(struct pipes_struct *p,
2785 struct lsa_LSARADTREPORTSECURITYEVENT *r)
2787 p->rng_fault_state = True;
2788 return NT_STATUS_NOT_IMPLEMENTED;