s3-talloc Change TALLOC_ARRAY() to talloc_array()
[samba.git] / source3 / rpc_server / lsa / srv_lsa_nt.c
index ed9ee8bb6f257f8af1a8f33ba63f6ee58164cad5..a120c6e7fe9c5c2e563c44aee7db27ab43192d93 100644 (file)
@@ -30,6 +30,7 @@
 /* This is the implementation of the lsa server code. */
 
 #include "includes.h"
+#include "ntdomain.h"
 #include "../librpc/gen_ndr/srv_lsa.h"
 #include "secrets.h"
 #include "../librpc/gen_ndr/netlogon.h"
 #include "../librpc/gen_ndr/drsblobs.h"
 #include "../librpc/gen_ndr/ndr_drsblobs.h"
 #include "../lib/crypto/arcfour.h"
+#include "../libcli/security/dom_sid.h"
+#include "../librpc/gen_ndr/ndr_security.h"
+#include "passdb.h"
+#include "auth.h"
+#include "lib/privileges.h"
+#include "rpc_server/srv_access_check.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
@@ -115,7 +122,7 @@ static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
        ref->count = num + 1;
        ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
 
-       ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
+       ref->domains = talloc_realloc(mem_ctx, ref->domains,
                                            struct lsa_DomainInfo, ref->count);
        if (!ref->domains) {
                return -1;
@@ -182,7 +189,7 @@ static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
                int dom_idx;
                const char *full_name;
                const char *domain;
-               enum lsa_SidType type = SID_NAME_UNKNOWN;
+               enum lsa_SidType type;
 
                /* Split name into domain and user component */
 
@@ -197,11 +204,10 @@ static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
 
                DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
 
-               /* We can ignore the result of lookup_name, it will not touch
-                  "type" if it's not successful */
-
-               lookup_name(mem_ctx, full_name, flags, &domain, NULL,
-                           &sid, &type);
+               if (!lookup_name(mem_ctx, full_name, flags, &domain, NULL,
+                                &sid, &type)) {
+                       type = SID_NAME_UNKNOWN;
+               }
 
                switch (type) {
                case SID_NAME_USER:
@@ -266,7 +272,7 @@ static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
                int dom_idx;
                const char *full_name;
                const char *domain;
-               enum lsa_SidType type = SID_NAME_UNKNOWN;
+               enum lsa_SidType type;
 
                ZERO_STRUCT(sid);
 
@@ -279,11 +285,10 @@ static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
 
                DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
 
-               /* We can ignore the result of lookup_name, it will not touch
-                  "type" if it's not successful */
-
-               lookup_name(mem_ctx, full_name, flags, &domain, NULL,
-                           &sid, &type);
+               if (!lookup_name(mem_ctx, full_name, flags, &domain, NULL,
+                                &sid, &type)) {
+                       type = SID_NAME_UNKNOWN;
+               }
 
                switch (type) {
                case SID_NAME_USER:
@@ -428,8 +433,8 @@ NTSTATUS _lsa_OpenPolicy2(struct pipes_struct *p,
        NTSTATUS status;
 
        /* Work out max allowed. */
-       map_max_allowed_access(p->server_info->security_token,
-                              &p->server_info->utok,
+       map_max_allowed_access(p->session_info->security_token,
+                              &p->session_info->utok,
                               &des_access);
 
        /* map the generic bits to the lsa policy ones */
@@ -442,7 +447,7 @@ NTSTATUS _lsa_OpenPolicy2(struct pipes_struct *p,
                return status;
        }
 
-       status = access_check_object(psd, p->server_info->security_token,
+       status = access_check_object(psd, p->session_info->security_token,
                                     SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, des_access,
                                     &acc_granted, "_lsa_OpenPolicy2" );
        if (!NT_STATUS_IS_OK(status)) {
@@ -853,7 +858,7 @@ static NTSTATUS _lsa_lookup_sids_internal(struct pipes_struct *p,
                return NT_STATUS_OK;
        }
 
-       sids = TALLOC_ARRAY(p->mem_ctx, const struct dom_sid *, num_sids);
+       sids = talloc_array(p->mem_ctx, const struct dom_sid *, num_sids);
        ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
 
        if (sids == NULL || ref == NULL) {
@@ -871,7 +876,7 @@ static NTSTATUS _lsa_lookup_sids_internal(struct pipes_struct *p,
                return status;
        }
 
-       names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
+       names = talloc_array(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
        if (names == NULL) {
                return NT_STATUS_NO_MEMORY;
        }
@@ -895,7 +900,6 @@ static NTSTATUS _lsa_lookup_sids_internal(struct pipes_struct *p,
                struct lsa_name_info *name = &name_infos[i];
 
                if (name->type == SID_NAME_UNKNOWN) {
-                       fstring tmp;
                        name->dom_idx = -1;
                        /* Unknown sids should return the string
                         * representation of the SID. Windows 2003 behaves
@@ -903,9 +907,7 @@ static NTSTATUS _lsa_lookup_sids_internal(struct pipes_struct *p,
                         * RID as 8 bytes hex, in others it returns the full
                         * SID. We (Jerry/VL) could not figure out which the
                         * hard cases are, so leave it with the SID.  */
-                       name->name = talloc_asprintf(p->mem_ctx, "%s",
-                                                    sid_to_fstring(tmp,
-                                                                   sids[i]));
+                       name->name = dom_sid_string(p->mem_ctx, sids[i]);
                        if (name->name == NULL) {
                                return NT_STATUS_NO_MEMORY;
                        }
@@ -996,7 +998,7 @@ NTSTATUS _lsa_LookupSids(struct pipes_struct *p,
        }
 
        /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
-       names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
+       names_out = talloc_array(p->mem_ctx, struct lsa_TranslatedName,
                                 num_sids);
        if (!names_out) {
                return NT_STATUS_NO_MEMORY;
@@ -1255,7 +1257,7 @@ NTSTATUS _lsa_LookupNames2(struct pipes_struct *p,
        status = _lsa_LookupNames(p, &q);
 
        sid_array2->count = sid_array->count;
-       sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
+       sid_array2->sids = talloc_array(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
        if (!sid_array2->sids) {
                return NT_STATUS_NO_MEMORY;
        }
@@ -1501,8 +1503,8 @@ static NTSTATUS _lsa_OpenTrustedDomain_base(struct pipes_struct *p,
         * handle - so don't check against policy handle. */
 
        /* Work out max allowed. */
-       map_max_allowed_access(p->server_info->security_token,
-                              &p->server_info->utok,
+       map_max_allowed_access(p->session_info->security_token,
+                              &p->session_info->utok,
                               &access_mask);
 
        /* map the generic bits to the lsa account ones */
@@ -1516,7 +1518,7 @@ static NTSTATUS _lsa_OpenTrustedDomain_base(struct pipes_struct *p,
                return status;
        }
 
-       status = access_check_object(psd, p->server_info->security_token,
+       status = access_check_object(psd, p->session_info->security_token,
                                     SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
                                     access_mask, &acc_granted,
                                     "_lsa_OpenTrustedDomain");
@@ -1546,7 +1548,7 @@ NTSTATUS _lsa_OpenTrustedDomain(struct pipes_struct *p,
                                struct lsa_OpenTrustedDomain *r)
 {
        struct lsa_info *handle = NULL;
-       struct trustdom_info *info;
+       struct trustdom_info *info = NULL;
        NTSTATUS status;
 
        if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
@@ -1576,7 +1578,7 @@ NTSTATUS _lsa_OpenTrustedDomainByName(struct pipes_struct *p,
                                      struct lsa_OpenTrustedDomainByName *r)
 {
        struct lsa_info *handle = NULL;
-       struct trustdom_info *info;
+       struct trustdom_info *info = NULL;
        NTSTATUS status;
 
        if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
@@ -1598,6 +1600,78 @@ NTSTATUS _lsa_OpenTrustedDomainByName(struct pipes_struct *p,
                                           r->out.trustdom_handle);
 }
 
+static NTSTATUS add_trusted_domain_user(TALLOC_CTX *mem_ctx,
+                                       const char *netbios_name,
+                                       const char *domain_name,
+                                       const struct trustDomainPasswords *auth_struct)
+{
+       NTSTATUS status;
+       struct samu *sam_acct;
+       char *acct_name;
+       uint32_t rid;
+       struct dom_sid user_sid;
+       int i;
+       char *dummy;
+       size_t dummy_size;
+
+       sam_acct = samu_new(mem_ctx);
+       if (sam_acct == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       acct_name = talloc_asprintf(mem_ctx, "%s$", netbios_name);
+       if (acct_name == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       if (!pdb_set_username(sam_acct, acct_name, PDB_SET)) {
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
+       if (!pdb_set_domain(sam_acct, domain_name, PDB_SET)) {
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
+       if (!pdb_set_acct_ctrl(sam_acct, ACB_DOMTRUST, PDB_SET)) {
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
+       if (!pdb_new_rid(&rid)) {
+               return NT_STATUS_DS_NO_MORE_RIDS;
+       }
+       sid_compose(&user_sid, get_global_sam_sid(), rid);
+       if (!pdb_set_user_sid(sam_acct, &user_sid, PDB_SET)) {
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
+       for (i = 0; i < auth_struct->incoming.count; i++) {
+               switch (auth_struct->incoming.current.array[i].AuthType) {
+                       case TRUST_AUTH_TYPE_CLEAR:
+                               if (!convert_string_talloc(mem_ctx,
+                                                          CH_UTF16LE,
+                                                          CH_UNIX,
+                                                          auth_struct->incoming.current.array[i].AuthInfo.clear.password,
+                                                          auth_struct->incoming.current.array[i].AuthInfo.clear.size,
+                                                          &dummy,
+                                                          &dummy_size)) {
+                                       return NT_STATUS_UNSUCCESSFUL;
+                               }
+                               if (!pdb_set_plaintext_passwd(sam_acct, dummy)) {
+                                       return NT_STATUS_UNSUCCESSFUL;
+                               }
+                               break;
+                       default:
+                               continue;
+               }
+       }
+
+       status = pdb_add_sam_account(sam_acct);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       return NT_STATUS_OK;
+}
+
 /***************************************************************************
  _lsa_CreateTrustedDomainEx2
  ***************************************************************************/
@@ -1627,14 +1701,14 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
                return NT_STATUS_ACCESS_DENIED;
        }
 
-       if (p->server_info->utok.uid != sec_initial_uid() &&
-           !nt_token_check_domain_rid(p->server_info->security_token, DOMAIN_RID_ADMINS)) {
+       if (p->session_info->utok.uid != sec_initial_uid() &&
+           !nt_token_check_domain_rid(p->session_info->security_token, DOMAIN_RID_ADMINS)) {
                return NT_STATUS_ACCESS_DENIED;
        }
 
        /* Work out max allowed. */
-       map_max_allowed_access(p->server_info->security_token,
-                              &p->server_info->utok,
+       map_max_allowed_access(p->session_info->security_token,
+                              &p->session_info->utok,
                               &r->in.access_mask);
 
        /* map the generic bits to the lsa policy ones */
@@ -1647,7 +1721,7 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
                return status;
        }
 
-       status = access_check_object(psd, p->server_info->security_token,
+       status = access_check_object(psd, p->session_info->security_token,
                                     SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
                                     r->in.access_mask, &acc_granted,
                                     "_lsa_CreateTrustedDomainEx2");
@@ -1677,7 +1751,7 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
                auth_blob.data = r->in.auth_info->auth_blob.data;
 
                arcfour_crypt_blob(auth_blob.data, auth_blob.length,
-                                  &p->server_info->user_session_key);
+                                  &p->session_info->session_key);
 
                ndr_err = ndr_pull_struct_blob(&auth_blob, p->mem_ctx,
                                               &auth_struct,
@@ -1711,6 +1785,16 @@ NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
                return status;
        }
 
+       if (r->in.info->trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
+               status = add_trusted_domain_user(p->mem_ctx,
+                                                r->in.info->netbios_name.string,
+                                                r->in.info->domain_name.string,
+                                                &auth_struct);
+               if (!NT_STATUS_IS_OK(status)) {
+                       return status;
+               }
+       }
+
        status = create_lsa_policy_handle(p->mem_ctx, p,
                                          LSA_HANDLE_TRUST_TYPE,
                                          acc_granted,
@@ -1782,7 +1866,9 @@ NTSTATUS _lsa_DeleteTrustedDomain(struct pipes_struct *p,
 {
        NTSTATUS status;
        struct lsa_info *handle;
-       struct trustdom_info *info;
+       struct pdb_trusted_domain *td;
+       struct samu *sam_acct;
+       char *acct_name;
 
        /* find the connection policy handle. */
        if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
@@ -1797,14 +1883,37 @@ NTSTATUS _lsa_DeleteTrustedDomain(struct pipes_struct *p,
                return NT_STATUS_ACCESS_DENIED;
        }
 
-       status = lsa_lookup_trusted_domain_by_sid(p->mem_ctx,
-                                                 r->in.dom_sid,
-                                                 &info);
+       status = pdb_get_trusted_domain_by_sid(p->mem_ctx, r->in.dom_sid, &td);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
 
-       status = pdb_del_trusted_domain(info->name);
+       if (td->netbios_name == NULL || *td->netbios_name == '\0') {
+               DEBUG(10, ("Missing netbios name for for trusted domain %s.\n",
+                          sid_string_tos(r->in.dom_sid)));
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
+       if (td->trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
+               sam_acct = samu_new(p->mem_ctx);
+               if (sam_acct == NULL) {
+                       return NT_STATUS_NO_MEMORY;
+               }
+
+               acct_name = talloc_asprintf(p->mem_ctx, "%s$", td->netbios_name);
+               if (acct_name == NULL) {
+                       return NT_STATUS_NO_MEMORY;
+               }
+               if (!pdb_set_username(sam_acct, acct_name, PDB_SET)) {
+                       return NT_STATUS_UNSUCCESSFUL;
+               }
+               status = pdb_delete_sam_account(sam_acct);
+               if (!NT_STATUS_IS_OK(status)) {
+                       return status;
+               }
+       }
+
+       status = pdb_del_trusted_domain(td->netbios_name);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
@@ -2288,7 +2397,7 @@ NTSTATUS _lsa_GetUserName(struct pipes_struct *p,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
-       if (p->server_info->guest) {
+       if (p->session_info->guest) {
                /*
                 * I'm 99% sure this is not the right place to do this,
                 * global_sid_Anonymous should probably be put into the token
@@ -2299,8 +2408,8 @@ NTSTATUS _lsa_GetUserName(struct pipes_struct *p,
                        return NT_STATUS_NO_MEMORY;
                }
        } else {
-               username = p->server_info->sanitized_username;
-               domname = p->server_info->info3->base.domain.string;
+               username = p->session_info->sanitized_username;
+               domname = p->session_info->info3->base.domain.string;
        }
 
        account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
@@ -2353,8 +2462,8 @@ NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
        }
 
        /* Work out max allowed. */
-       map_max_allowed_access(p->server_info->security_token,
-                              &p->server_info->utok,
+       map_max_allowed_access(p->session_info->security_token,
+                              &p->session_info->utok,
                               &r->in.access_mask);
 
        /* map the generic bits to the lsa policy ones */
@@ -2367,7 +2476,7 @@ NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
                return status;
        }
 
-       status = access_check_object(psd, p->server_info->security_token,
+       status = access_check_object(psd, p->session_info->security_token,
                                     SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, r->in.access_mask,
                                     &acc_granted, "_lsa_CreateAccount");
        if (!NT_STATUS_IS_OK(status)) {
@@ -2417,8 +2526,8 @@ NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
         * handle - so don't check against policy handle. */
 
        /* Work out max allowed. */
-       map_max_allowed_access(p->server_info->security_token,
-                              &p->server_info->utok,
+       map_max_allowed_access(p->session_info->security_token,
+                              &p->session_info->utok,
                               &des_access);
 
        /* map the generic bits to the lsa account ones */
@@ -2432,7 +2541,7 @@ NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
                return status;
        }
 
-       status = access_check_object(psd, p->server_info->security_token,
+       status = access_check_object(psd, p->session_info->security_token,
                                     SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, des_access,
                                     &acc_granted, "_lsa_OpenAccount" );
        if (!NT_STATUS_IS_OK(status)) {
@@ -2717,7 +2826,7 @@ NTSTATUS _lsa_QuerySecurity(struct pipes_struct *p,
 {
        struct lsa_info *handle=NULL;
        struct security_descriptor *psd = NULL;
-       size_t sd_size;
+       size_t sd_size = 0;
        NTSTATUS status;
 
        /* find the connection policy handle. */
@@ -2726,13 +2835,11 @@ NTSTATUS _lsa_QuerySecurity(struct pipes_struct *p,
 
        switch (handle->type) {
        case LSA_HANDLE_POLICY_TYPE:
-               status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
-                               &lsa_policy_mapping, NULL, 0);
-               break;
        case LSA_HANDLE_ACCOUNT_TYPE:
-               status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
-                               &lsa_account_mapping,
-                               &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
+       case LSA_HANDLE_TRUST_TYPE:
+               psd = handle->sd;
+               sd_size = ndr_size_security_descriptor(psd, 0);
+               status = NT_STATUS_OK;
                break;
        default:
                status = NT_STATUS_INVALID_HANDLE;
@@ -2789,7 +2896,7 @@ NTSTATUS _lsa_AddAccountRights(struct pipes_struct *p,
         * on the account sid. We don't check here so just use the latter. JRA.
         */
 
-       status = access_check_object(psd, p->server_info->security_token,
+       status = access_check_object(psd, p->session_info->security_token,
                                     SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
                                     LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
                                     &acc_granted, "_lsa_AddAccountRights" );
@@ -2859,7 +2966,7 @@ NTSTATUS _lsa_RemoveAccountRights(struct pipes_struct *p,
         * and DELETE on the account sid.
         */
 
-       status = access_check_object(psd, p->server_info->security_token,
+       status = access_check_object(psd, p->session_info->security_token,
                                     SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
                                     LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
                                     LSA_ACCOUNT_VIEW|SEC_STD_DELETE,
@@ -3188,6 +3295,15 @@ NTSTATUS _lsa_EnumTrustedDomainsEx(struct pipes_struct *p,
        int i;
        NTSTATUS nt_status;
 
+       /* bail out early if pdb backend is not capable of ex trusted domains,
+        * if we dont do that, the client might not call
+        * _lsa_EnumTrustedDomains() afterwards - gd */
+
+       if (!(pdb_capabilities() & PDB_CAP_TRUSTED_DOMAINS_EX)) {
+               p->rng_fault_state = True;
+               return NT_STATUS_NOT_IMPLEMENTED;
+       }
+
        if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
                return NT_STATUS_INVALID_HANDLE;
 
@@ -3357,11 +3473,510 @@ NTSTATUS _lsa_lsaRQueryForestTrustInformation(struct pipes_struct *p,
        return NT_STATUS_NOT_IMPLEMENTED;
 }
 
+#define DNS_CMP_MATCH 0
+#define DNS_CMP_FIRST_IS_CHILD 1
+#define DNS_CMP_SECOND_IS_CHILD 2
+#define DNS_CMP_NO_MATCH 3
+
+/* this function assumes names are well formed DNS names.
+ * it doesn't validate them */
+static int dns_cmp(const char *s1, size_t l1,
+                  const char *s2, size_t l2)
+{
+       const char *p1, *p2;
+       size_t t1, t2;
+       int cret;
+
+       if (l1 == l2) {
+               if (strcasecmp_m(s1, s2) == 0) {
+                       return DNS_CMP_MATCH;
+               }
+               return DNS_CMP_NO_MATCH;
+       }
+
+       if (l1 > l2) {
+               p1 = s1;
+               p2 = s2;
+               t1 = l1;
+               t2 = l2;
+               cret = DNS_CMP_FIRST_IS_CHILD;
+       } else {
+               p1 = s2;
+               p2 = s1;
+               t1 = l2;
+               t2 = l1;
+               cret = DNS_CMP_SECOND_IS_CHILD;
+       }
+
+       if (p1[t1 - t2 - 1] != '.') {
+               return DNS_CMP_NO_MATCH;
+       }
+
+       if (strcasecmp_m(&p1[t1 - t2], p2) == 0) {
+               return cret;
+       }
+
+       return DNS_CMP_NO_MATCH;
+}
+
+static NTSTATUS make_ft_info(TALLOC_CTX *mem_ctx,
+                            struct lsa_ForestTrustInformation *lfti,
+                            struct ForestTrustInfo *fti)
+{
+       struct lsa_ForestTrustRecord *lrec;
+       struct ForestTrustInfoRecord *rec;
+       struct lsa_StringLarge *tln;
+       struct lsa_ForestTrustDomainInfo *info;
+       uint32_t i;
+
+       fti->version = 1;
+       fti->count = lfti->count;
+       fti->records = talloc_array(mem_ctx,
+                                   struct ForestTrustInfoRecordArmor,
+                                   fti->count);
+       if (!fti->records) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       for (i = 0; i < fti->count; i++) {
+               lrec = lfti->entries[i];
+               rec = &fti->records[i].record;
+
+               rec->flags = lrec->flags;
+               rec->timestamp = lrec->time;
+               rec->type = lrec->type;
+
+               switch (lrec->type) {
+               case LSA_FOREST_TRUST_TOP_LEVEL_NAME:
+               case LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX:
+                       tln = &lrec->forest_trust_data.top_level_name;
+                       rec->data.name.string =
+                               talloc_strdup(mem_ctx, tln->string);
+                       if (!rec->data.name.string) {
+                               return NT_STATUS_NO_MEMORY;
+                       }
+                       rec->data.name.size = strlen(rec->data.name.string);
+                       break;
+               case LSA_FOREST_TRUST_DOMAIN_INFO:
+                       info = &lrec->forest_trust_data.domain_info;
+                       rec->data.info.sid = *info->domain_sid;
+                       rec->data.info.dns_name.string =
+                               talloc_strdup(mem_ctx,
+                                           info->dns_domain_name.string);
+                       if (!rec->data.info.dns_name.string) {
+                               return NT_STATUS_NO_MEMORY;
+                       }
+                       rec->data.info.dns_name.size =
+                               strlen(rec->data.info.dns_name.string);
+                       rec->data.info.netbios_name.string =
+                               talloc_strdup(mem_ctx,
+                                           info->netbios_domain_name.string);
+                       if (!rec->data.info.netbios_name.string) {
+                               return NT_STATUS_NO_MEMORY;
+                       }
+                       rec->data.info.netbios_name.size =
+                               strlen(rec->data.info.netbios_name.string);
+                       break;
+               default:
+                       return NT_STATUS_INVALID_DOMAIN_STATE;
+               }
+       }
+
+       return NT_STATUS_OK;
+}
+
+static NTSTATUS add_collision(struct lsa_ForestTrustCollisionInfo *c_info,
+                             uint32_t index, uint32_t collision_type,
+                             uint32_t conflict_type, const char *tdo_name);
+
+static NTSTATUS check_ft_info(TALLOC_CTX *mem_ctx,
+                             const char *tdo_name,
+                             struct ForestTrustInfo *tdo_fti,
+                             struct ForestTrustInfo *new_fti,
+                             struct lsa_ForestTrustCollisionInfo *c_info)
+{
+       struct ForestTrustInfoRecord *nrec;
+       struct ForestTrustInfoRecord *trec;
+       const char *dns_name;
+       const char *nb_name = NULL;
+       struct dom_sid *sid = NULL;
+       const char *tname = NULL;
+       size_t dns_len = 0;
+       size_t nb_len;
+       size_t tlen = 0;
+       NTSTATUS nt_status;
+       uint32_t new_fti_idx;
+       uint32_t i;
+       /* use always TDO type, until we understand when Xref can be used */
+       uint32_t collision_type = LSA_FOREST_TRUST_COLLISION_TDO;
+       bool tln_conflict;
+       bool sid_conflict;
+       bool nb_conflict;
+       bool exclusion;
+       bool ex_rule = false;
+       int ret;
+
+       for (new_fti_idx = 0; new_fti_idx < new_fti->count; new_fti_idx++) {
+
+               nrec = &new_fti->records[new_fti_idx].record;
+               dns_name = NULL;
+               tln_conflict = false;
+               sid_conflict = false;
+               nb_conflict = false;
+               exclusion = false;
+
+               switch (nrec->type) {
+               case LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX:
+                       /* exclusions do not conflict by definition */
+                       break;
+
+               case FOREST_TRUST_TOP_LEVEL_NAME:
+                       dns_name = nrec->data.name.string;
+                       dns_len = nrec->data.name.size;
+                       break;
+
+               case LSA_FOREST_TRUST_DOMAIN_INFO:
+                       dns_name = nrec->data.info.dns_name.string;
+                       dns_len = nrec->data.info.dns_name.size;
+                       nb_name = nrec->data.info.netbios_name.string;
+                       nb_len = nrec->data.info.netbios_name.size;
+                       sid = &nrec->data.info.sid;
+                       break;
+               }
+
+               if (!dns_name) continue;
+
+               /* check if this is already taken and not excluded */
+               for (i = 0; i < tdo_fti->count; i++) {
+                       trec = &tdo_fti->records[i].record;
+
+                       switch (trec->type) {
+                       case FOREST_TRUST_TOP_LEVEL_NAME:
+                               ex_rule = false;
+                               tname = trec->data.name.string;
+                               tlen = trec->data.name.size;
+                               break;
+                       case FOREST_TRUST_TOP_LEVEL_NAME_EX:
+                               ex_rule = true;
+                               tname = trec->data.name.string;
+                               tlen = trec->data.name.size;
+                               break;
+                       case FOREST_TRUST_DOMAIN_INFO:
+                               ex_rule = false;
+                               tname = trec->data.info.dns_name.string;
+                               tlen = trec->data.info.dns_name.size;
+                               break;
+                       default:
+                               return NT_STATUS_INVALID_PARAMETER;
+                       }
+                       ret = dns_cmp(dns_name, dns_len, tname, tlen);
+                       switch (ret) {
+                       case DNS_CMP_MATCH:
+                               /* if it matches exclusion,
+                                * it doesn't conflict */
+                               if (ex_rule) {
+                                       exclusion = true;
+                                       break;
+                               }
+                               /* fall through */
+                       case DNS_CMP_FIRST_IS_CHILD:
+                       case DNS_CMP_SECOND_IS_CHILD:
+                               tln_conflict = true;
+                               /* fall through */
+                       default:
+                               break;
+                       }
+
+                       /* explicit exclusion, no dns name conflict here */
+                       if (exclusion) {
+                               tln_conflict = false;
+                       }
+
+                       if (trec->type != FOREST_TRUST_DOMAIN_INFO) {
+                               continue;
+                       }
+
+                       /* also test for domain info */
+                       if (!(trec->flags & LSA_SID_DISABLED_ADMIN) &&
+                           dom_sid_compare(&trec->data.info.sid, sid) == 0) {
+                               sid_conflict = true;
+                       }
+                       if (!(trec->flags & LSA_NB_DISABLED_ADMIN) &&
+                           strcasecmp_m(trec->data.info.netbios_name.string,
+                                      nb_name) == 0) {
+                               nb_conflict = true;
+                       }
+               }
+
+               if (tln_conflict) {
+                       nt_status = add_collision(c_info, new_fti_idx,
+                                                 collision_type,
+                                                 LSA_TLN_DISABLED_CONFLICT,
+                                                 tdo_name);
+               }
+               if (sid_conflict) {
+                       nt_status = add_collision(c_info, new_fti_idx,
+                                                 collision_type,
+                                                 LSA_SID_DISABLED_CONFLICT,
+                                                 tdo_name);
+               }
+               if (nb_conflict) {
+                       nt_status = add_collision(c_info, new_fti_idx,
+                                                 collision_type,
+                                                 LSA_NB_DISABLED_CONFLICT,
+                                                 tdo_name);
+               }
+       }
+
+       return NT_STATUS_OK;
+}
+
+static NTSTATUS add_collision(struct lsa_ForestTrustCollisionInfo *c_info,
+                             uint32_t idx, uint32_t collision_type,
+                             uint32_t conflict_type, const char *tdo_name)
+{
+       struct lsa_ForestTrustCollisionRecord **es;
+       uint32_t i = c_info->count;
+
+       es = talloc_realloc(c_info, c_info->entries,
+                           struct lsa_ForestTrustCollisionRecord *, i + 1);
+       if (!es) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       c_info->entries = es;
+       c_info->count = i + 1;
+
+       es[i] = talloc(es, struct lsa_ForestTrustCollisionRecord);
+       if (!es[i]) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       es[i]->index = idx;
+       es[i]->type = collision_type;
+       es[i]->flags.flags = conflict_type;
+       es[i]->name.string = talloc_strdup(es[i], tdo_name);
+       if (!es[i]->name.string) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       es[i]->name.size = strlen(es[i]->name.string);
+
+       return NT_STATUS_OK;
+}
+
+static NTSTATUS get_ft_info(TALLOC_CTX *mem_ctx,
+                           struct pdb_trusted_domain *td,
+                           struct ForestTrustInfo *info)
+{
+       enum ndr_err_code ndr_err;
+
+       if (td->trust_forest_trust_info.length == 0 ||
+           td->trust_forest_trust_info.data == NULL) {
+               return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+       }
+       ndr_err = ndr_pull_struct_blob_all(&td->trust_forest_trust_info, mem_ctx,
+                                          info,
+                                          (ndr_pull_flags_fn_t)ndr_pull_ForestTrustInfo);
+       if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+               return NT_STATUS_INVALID_DOMAIN_STATE;
+       }
+
+       return NT_STATUS_OK;
+}
+
+static NTSTATUS own_ft_info(struct pdb_domain_info *dom_info,
+                           struct ForestTrustInfo *fti)
+{
+       struct ForestTrustDataDomainInfo *info;
+       struct ForestTrustInfoRecord *rec;
+
+       fti->version = 1;
+       fti->count = 2;
+       fti->records = talloc_array(fti,
+                                   struct ForestTrustInfoRecordArmor, 2);
+       if (!fti->records) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+        /* TLN info */
+       rec = &fti->records[0].record;
+
+       rec->flags = 0;
+       rec->timestamp = 0;
+       rec->type = LSA_FOREST_TRUST_TOP_LEVEL_NAME;
+
+       rec->data.name.string = talloc_strdup(fti, dom_info->dns_forest);
+       if (!rec->data.name.string) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       rec->data.name.size = strlen(rec->data.name.string);
+
+        /* DOMAIN info */
+       rec = &fti->records[1].record;
+
+       rec->flags = 0;
+       rec->timestamp = 0;
+       rec->type = LSA_FOREST_TRUST_DOMAIN_INFO;
+
+        info = &rec->data.info;
+
+       info->sid = dom_info->sid;
+       info->dns_name.string = talloc_strdup(fti, dom_info->dns_domain);
+       if (!info->dns_name.string) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       info->dns_name.size = strlen(info->dns_name.string);
+       info->netbios_name.string = talloc_strdup(fti, dom_info->name);
+       if (!info->netbios_name.string) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       info->netbios_name.size = strlen(info->netbios_name.string);
+
+       return NT_STATUS_OK;
+}
+
 NTSTATUS _lsa_lsaRSetForestTrustInformation(struct pipes_struct *p,
                                            struct lsa_lsaRSetForestTrustInformation *r)
 {
-       p->rng_fault_state = True;
-       return NT_STATUS_NOT_IMPLEMENTED;
+       NTSTATUS status;
+       int i;
+       int j;
+       struct lsa_info *handle;
+       uint32_t num_domains;
+       struct pdb_trusted_domain **domains;
+       struct ForestTrustInfo *nfti;
+       struct ForestTrustInfo *fti;
+       struct lsa_ForestTrustCollisionInfo *c_info;
+       struct pdb_domain_info *dom_info;
+       enum ndr_err_code ndr_err;
+
+       if (!IS_DC) {
+               return NT_STATUS_NOT_SUPPORTED;
+       }
+
+       if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
+               return NT_STATUS_INVALID_HANDLE;
+       }
+
+       if (handle->type != LSA_HANDLE_TRUST_TYPE) {
+               return NT_STATUS_INVALID_HANDLE;
+       }
+
+       if (!(handle->access & LSA_TRUSTED_SET_AUTH)) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       status = pdb_enum_trusted_domains(p->mem_ctx, &num_domains, &domains);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+       if (num_domains == 0) {
+               return NT_STATUS_NO_SUCH_DOMAIN;
+       }
+
+       for (i = 0; i < num_domains; i++) {
+               if (domains[i]->domain_name == NULL) {
+                       return NT_STATUS_INVALID_DOMAIN_STATE;
+               }
+               if (strcasecmp_m(domains[i]->domain_name,
+                              r->in.trusted_domain_name->string) == 0) {
+                       break;
+               }
+       }
+       if (i >= num_domains) {
+               return NT_STATUS_NO_SUCH_DOMAIN;
+       }
+
+       if (!(domains[i]->trust_attributes &
+             LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE)) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       if (r->in.highest_record_type >= LSA_FOREST_TRUST_RECORD_TYPE_LAST) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       /* The following section until COPY_END is a copy from
+        * source4/rpmc_server/lsa/scesrc_lsa.c */
+       nfti = talloc(p->mem_ctx, struct ForestTrustInfo);
+       if (!nfti) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       status = make_ft_info(nfti, r->in.forest_trust_info, nfti);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       c_info = talloc_zero(r->out.collision_info,
+                            struct lsa_ForestTrustCollisionInfo);
+       if (!c_info) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+        /* first check own info, then other domains */
+       fti = talloc(p->mem_ctx, struct ForestTrustInfo);
+       if (!fti) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       dom_info = pdb_get_domain_info(p->mem_ctx);
+
+       status = own_ft_info(dom_info, fti);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       status = check_ft_info(c_info, dom_info->dns_domain, fti, nfti, c_info);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       for (j = 0; j < num_domains; j++) {
+               fti = talloc(p->mem_ctx, struct ForestTrustInfo);
+               if (!fti) {
+                       return NT_STATUS_NO_MEMORY;
+               }
+
+               status = get_ft_info(p->mem_ctx, domains[j], fti);
+               if (!NT_STATUS_IS_OK(status)) {
+                       if (NT_STATUS_EQUAL(status,
+                           NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+                               continue;
+                       }
+                       return status;
+               }
+
+               if (domains[j]->domain_name == NULL) {
+                       return NT_STATUS_INVALID_DOMAIN_STATE;
+               }
+
+               status = check_ft_info(c_info, domains[j]->domain_name,
+                                      fti, nfti, c_info);
+               if (!NT_STATUS_IS_OK(status)) {
+                       return status;
+               }
+       }
+
+       *r->out.collision_info = c_info;
+
+       if (r->in.check_only != 0) {
+               return NT_STATUS_OK;
+       }
+
+       /* COPY_END */
+
+       ndr_err = ndr_push_struct_blob(&domains[i]->trust_forest_trust_info,
+                                      p->mem_ctx, nfti,
+                                      (ndr_push_flags_fn_t)ndr_push_ForestTrustInfo);
+       if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       status = pdb_set_trusted_domain(domains[i]->domain_name, domains[i]);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       return NT_STATUS_OK;
 }
 
 NTSTATUS _lsa_CREDRRENAME(struct pipes_struct *p,