2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
14 * Copyright (C) Andrew Bartlett 2010.
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 3 of the License, or
19 * (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
30 /* This is the implementation of the lsa server code. */
33 #include "../librpc/gen_ndr/srv_lsa.h"
35 #include "../librpc/gen_ndr/netlogon.h"
36 #include "rpc_client/init_lsa.h"
37 #include "../libcli/security/security.h"
38 #include "../libcli/security/dom_sid.h"
39 #include "../librpc/gen_ndr/drsblobs.h"
40 #include "../librpc/gen_ndr/ndr_drsblobs.h"
41 #include "../lib/crypto/arcfour.h"
44 #define DBGC_CLASS DBGC_RPC_SRV
46 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
48 enum lsa_handle_type {
49 LSA_HANDLE_POLICY_TYPE = 1,
50 LSA_HANDLE_ACCOUNT_TYPE = 2,
51 LSA_HANDLE_TRUST_TYPE = 3};
57 enum lsa_handle_type type;
58 struct security_descriptor *sd;
61 const struct generic_mapping lsa_account_mapping = {
65 LSA_ACCOUNT_ALL_ACCESS
68 const struct generic_mapping lsa_policy_mapping = {
75 const struct generic_mapping lsa_secret_mapping = {
82 const struct generic_mapping lsa_trusted_domain_mapping = {
83 LSA_TRUSTED_DOMAIN_READ,
84 LSA_TRUSTED_DOMAIN_WRITE,
85 LSA_TRUSTED_DOMAIN_EXECUTE,
86 LSA_TRUSTED_DOMAIN_ALL_ACCESS
89 /***************************************************************************
90 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
91 ***************************************************************************/
93 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
94 struct lsa_RefDomainList *ref,
96 struct dom_sid *dom_sid)
100 if (dom_name != NULL) {
101 for (num = 0; num < ref->count; num++) {
102 if (dom_sid_equal(dom_sid, ref->domains[num].sid)) {
110 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
111 /* index not found, already at maximum domain limit */
115 ref->count = num + 1;
116 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
118 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
119 struct lsa_DomainInfo, ref->count);
124 ZERO_STRUCT(ref->domains[num]);
126 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
127 ref->domains[num].sid = dom_sid_dup(mem_ctx, dom_sid);
128 if (!ref->domains[num].sid) {
136 /***************************************************************************
137 initialize a lsa_DomainInfo structure.
138 ***************************************************************************/
140 static void init_dom_query_3(struct lsa_DomainInfo *r,
144 init_lsa_StringLarge(&r->name, name);
148 /***************************************************************************
149 initialize a lsa_DomainInfo structure.
150 ***************************************************************************/
152 static void init_dom_query_5(struct lsa_DomainInfo *r,
156 init_lsa_StringLarge(&r->name, name);
160 /***************************************************************************
161 lookup_lsa_rids. Must be called as root for lookup_name to work.
162 ***************************************************************************/
164 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
165 struct lsa_RefDomainList *ref,
166 struct lsa_TranslatedSid *prid,
167 uint32_t num_entries,
168 struct lsa_String *name,
170 uint32_t *pmapped_count)
172 uint32 mapped_count, i;
174 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
179 for (i = 0; i < num_entries; i++) {
183 const char *full_name;
185 enum lsa_SidType type = SID_NAME_UNKNOWN;
187 /* Split name into domain and user component */
189 /* follow w2k8 behavior and return the builtin domain when no
190 * input has been passed in */
192 if (name[i].string) {
193 full_name = name[i].string;
195 full_name = "BUILTIN";
198 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
200 /* We can ignore the result of lookup_name, it will not touch
201 "type" if it's not successful */
203 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
208 case SID_NAME_DOM_GRP:
209 case SID_NAME_DOMAIN:
211 case SID_NAME_WKN_GRP:
212 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
213 /* Leave these unchanged */
216 /* Don't hand out anything but the list above */
217 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
218 type = SID_NAME_UNKNOWN;
225 if (type != SID_NAME_UNKNOWN) {
226 if (type == SID_NAME_DOMAIN) {
229 sid_split_rid(&sid, &rid);
231 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
235 prid[i].sid_type = type;
237 prid[i].sid_index = dom_idx;
240 *pmapped_count = mapped_count;
244 /***************************************************************************
245 lookup_lsa_sids. Must be called as root for lookup_name to work.
246 ***************************************************************************/
248 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
249 struct lsa_RefDomainList *ref,
250 struct lsa_TranslatedSid3 *trans_sids,
251 uint32_t num_entries,
252 struct lsa_String *name,
254 uint32 *pmapped_count)
256 uint32 mapped_count, i;
258 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
263 for (i = 0; i < num_entries; i++) {
267 const char *full_name;
269 enum lsa_SidType type = SID_NAME_UNKNOWN;
273 /* Split name into domain and user component */
275 full_name = name[i].string;
276 if (full_name == NULL) {
277 return NT_STATUS_NO_MEMORY;
280 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
282 /* We can ignore the result of lookup_name, it will not touch
283 "type" if it's not successful */
285 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
290 case SID_NAME_DOM_GRP:
291 case SID_NAME_DOMAIN:
293 case SID_NAME_WKN_GRP:
294 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
295 /* Leave these unchanged */
298 /* Don't hand out anything but the list above */
299 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
300 type = SID_NAME_UNKNOWN;
307 if (type != SID_NAME_UNKNOWN) {
308 struct dom_sid domain_sid;
309 sid_copy(&domain_sid, &sid);
310 sid_split_rid(&domain_sid, &rid);
311 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
315 /* Initialize the lsa_TranslatedSid3 return. */
316 trans_sids[i].sid_type = type;
317 trans_sids[i].sid = dom_sid_dup(mem_ctx, &sid);
318 trans_sids[i].sid_index = dom_idx;
321 *pmapped_count = mapped_count;
325 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, struct security_descriptor **sd, size_t *sd_size,
326 const struct generic_mapping *map,
327 struct dom_sid *sid, uint32_t sid_access)
329 struct dom_sid adm_sid;
330 struct security_ace ace[5];
333 struct security_acl *psa = NULL;
335 /* READ|EXECUTE access for Everyone */
337 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
338 map->generic_execute | map->generic_read, 0);
340 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
342 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
343 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
344 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
345 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
347 /* Add Full Access for Domain Admins */
348 sid_compose(&adm_sid, get_global_sam_sid(), DOMAIN_RID_ADMINS);
349 init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
350 map->generic_all, 0);
352 /* If we have a sid, give it some special access */
355 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
359 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
360 return NT_STATUS_NO_MEMORY;
362 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
363 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
364 psa, sd_size)) == NULL)
365 return NT_STATUS_NO_MEMORY;
370 /***************************************************************************
371 ***************************************************************************/
373 static NTSTATUS create_lsa_policy_handle(TALLOC_CTX *mem_ctx,
374 struct pipes_struct *p,
375 enum lsa_handle_type type,
376 uint32_t acc_granted,
379 const struct security_descriptor *sd,
380 struct policy_handle *handle)
382 struct lsa_info *info;
384 ZERO_STRUCTP(handle);
386 info = talloc_zero(mem_ctx, struct lsa_info);
388 return NT_STATUS_NO_MEMORY;
392 info->access = acc_granted;
395 sid_copy(&info->sid, sid);
398 info->name = talloc_strdup(info, name);
401 info->sd = dup_sec_desc(info, sd);
404 return NT_STATUS_NO_MEMORY;
408 if (!create_policy_hnd(p, handle, info)) {
410 ZERO_STRUCTP(handle);
411 return NT_STATUS_NO_MEMORY;
417 /***************************************************************************
419 ***************************************************************************/
421 NTSTATUS _lsa_OpenPolicy2(struct pipes_struct *p,
422 struct lsa_OpenPolicy2 *r)
424 struct security_descriptor *psd = NULL;
426 uint32 des_access = r->in.access_mask;
430 /* Work out max allowed. */
431 map_max_allowed_access(p->server_info->security_token,
432 &p->server_info->utok,
435 /* map the generic bits to the lsa policy ones */
436 se_map_generic(&des_access, &lsa_policy_mapping);
438 /* get the generic lsa policy SD until we store it */
439 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
441 if (!NT_STATUS_IS_OK(status)) {
445 status = access_check_object(psd, p->server_info->security_token,
446 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, des_access,
447 &acc_granted, "_lsa_OpenPolicy2" );
448 if (!NT_STATUS_IS_OK(status)) {
452 status = create_lsa_policy_handle(p->mem_ctx, p,
453 LSA_HANDLE_POLICY_TYPE,
455 get_global_sam_sid(),
459 if (!NT_STATUS_IS_OK(status)) {
460 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
466 /***************************************************************************
468 ***************************************************************************/
470 NTSTATUS _lsa_OpenPolicy(struct pipes_struct *p,
471 struct lsa_OpenPolicy *r)
473 struct lsa_OpenPolicy2 o;
475 o.in.system_name = NULL; /* should be ignored */
476 o.in.attr = r->in.attr;
477 o.in.access_mask = r->in.access_mask;
479 o.out.handle = r->out.handle;
481 return _lsa_OpenPolicy2(p, &o);
484 /***************************************************************************
485 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
487 ***************************************************************************/
489 NTSTATUS _lsa_EnumTrustDom(struct pipes_struct *p,
490 struct lsa_EnumTrustDom *r)
492 struct lsa_info *info;
494 struct trustdom_info **domains;
495 struct lsa_DomainInfo *entries;
499 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
500 return NT_STATUS_INVALID_HANDLE;
502 if (info->type != LSA_HANDLE_POLICY_TYPE) {
503 return NT_STATUS_INVALID_HANDLE;
506 /* check if the user has enough rights */
507 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
508 return NT_STATUS_ACCESS_DENIED;
511 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &count, &domains);
514 if (!NT_STATUS_IS_OK(nt_status)) {
518 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo, count);
520 return NT_STATUS_NO_MEMORY;
523 for (i=0; i<count; i++) {
524 init_lsa_StringLarge(&entries[i].name, domains[i]->name);
525 entries[i].sid = &domains[i]->sid;
528 if (*r->in.resume_handle >= count) {
529 *r->out.resume_handle = -1;
530 TALLOC_FREE(entries);
531 return NT_STATUS_NO_MORE_ENTRIES;
534 /* return the rest, limit by max_size. Note that we
535 use the w2k3 element size value of 60 */
536 r->out.domains->count = count - *r->in.resume_handle;
537 r->out.domains->count = MIN(r->out.domains->count,
538 1+(r->in.max_size/LSA_ENUM_TRUST_DOMAIN_MULTIPLIER));
540 r->out.domains->domains = entries + *r->in.resume_handle;
542 if (r->out.domains->count < count - *r->in.resume_handle) {
543 *r->out.resume_handle = *r->in.resume_handle + r->out.domains->count;
544 return STATUS_MORE_ENTRIES;
547 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
548 * always be larger than the previous input resume handle, in
549 * particular when hitting the last query it is vital to set the
550 * resume handle correctly to avoid infinite client loops, as
551 * seen e.g. with Windows XP SP3 when resume handle is 0 and
552 * status is NT_STATUS_OK - gd */
554 *r->out.resume_handle = (uint32_t)-1;
559 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
560 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
561 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
563 /***************************************************************************
565 ***************************************************************************/
567 NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
568 struct lsa_QueryInfoPolicy *r)
570 NTSTATUS status = NT_STATUS_OK;
571 struct lsa_info *handle;
572 struct dom_sid domain_sid;
574 struct dom_sid *sid = NULL;
575 union lsa_PolicyInformation *info = NULL;
576 uint32_t acc_required = 0;
578 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
579 return NT_STATUS_INVALID_HANDLE;
581 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
582 return NT_STATUS_INVALID_HANDLE;
585 switch (r->in.level) {
586 case LSA_POLICY_INFO_AUDIT_LOG:
587 case LSA_POLICY_INFO_AUDIT_EVENTS:
588 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
590 case LSA_POLICY_INFO_DOMAIN:
591 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
593 case LSA_POLICY_INFO_PD:
594 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
596 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
597 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
599 case LSA_POLICY_INFO_ROLE:
600 case LSA_POLICY_INFO_REPLICA:
601 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
603 case LSA_POLICY_INFO_QUOTA:
604 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
606 case LSA_POLICY_INFO_MOD:
607 case LSA_POLICY_INFO_AUDIT_FULL_SET:
608 /* according to MS-LSAD 3.1.4.4.3 */
609 return NT_STATUS_INVALID_PARAMETER;
610 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
611 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
613 case LSA_POLICY_INFO_DNS:
614 case LSA_POLICY_INFO_DNS_INT:
615 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
616 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
622 if (!(handle->access & acc_required)) {
623 /* return NT_STATUS_ACCESS_DENIED; */
626 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
628 return NT_STATUS_NO_MEMORY;
631 switch (r->in.level) {
632 /* according to MS-LSAD 3.1.4.4.3 */
633 case LSA_POLICY_INFO_MOD:
634 case LSA_POLICY_INFO_AUDIT_FULL_SET:
635 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
636 return NT_STATUS_INVALID_PARAMETER;
637 case LSA_POLICY_INFO_AUDIT_LOG:
638 info->audit_log.percent_full = 0;
639 info->audit_log.maximum_log_size = 0;
640 info->audit_log.retention_time = 0;
641 info->audit_log.shutdown_in_progress = 0;
642 info->audit_log.time_to_shutdown = 0;
643 info->audit_log.next_audit_record = 0;
644 status = NT_STATUS_OK;
646 case LSA_POLICY_INFO_PD:
647 info->pd.name.string = NULL;
648 status = NT_STATUS_OK;
650 case LSA_POLICY_INFO_REPLICA:
651 info->replica.source.string = NULL;
652 info->replica.account.string = NULL;
653 status = NT_STATUS_OK;
655 case LSA_POLICY_INFO_QUOTA:
656 info->quota.paged_pool = 0;
657 info->quota.non_paged_pool = 0;
658 info->quota.min_wss = 0;
659 info->quota.max_wss = 0;
660 info->quota.pagefile = 0;
661 info->quota.unknown = 0;
662 status = NT_STATUS_OK;
664 case LSA_POLICY_INFO_AUDIT_EVENTS:
667 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
669 /* check if the user has enough rights */
670 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
671 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
672 return NT_STATUS_ACCESS_DENIED;
675 /* fake info: We audit everything. ;) */
677 info->audit_events.auditing_mode = true;
678 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
679 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
680 enum lsa_PolicyAuditPolicy,
681 info->audit_events.count);
682 if (!info->audit_events.settings) {
683 return NT_STATUS_NO_MEMORY;
686 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
687 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
688 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
689 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
690 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
691 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
692 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
696 case LSA_POLICY_INFO_DOMAIN:
697 /* check if the user has enough rights */
698 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
699 return NT_STATUS_ACCESS_DENIED;
701 /* Request PolicyPrimaryDomainInformation. */
702 switch (lp_server_role()) {
703 case ROLE_DOMAIN_PDC:
704 case ROLE_DOMAIN_BDC:
705 name = get_global_sam_name();
706 sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
708 return NT_STATUS_NO_MEMORY;
711 case ROLE_DOMAIN_MEMBER:
712 name = lp_workgroup();
713 /* We need to return the Domain SID here. */
714 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
715 sid = dom_sid_dup(p->mem_ctx, &domain_sid);
717 return NT_STATUS_NO_MEMORY;
720 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
723 case ROLE_STANDALONE:
724 name = lp_workgroup();
728 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
730 init_dom_query_3(&info->domain, name, sid);
732 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
733 /* check if the user has enough rights */
734 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
735 return NT_STATUS_ACCESS_DENIED;
737 /* Request PolicyAccountDomainInformation. */
738 name = get_global_sam_name();
739 sid = get_global_sam_sid();
741 init_dom_query_5(&info->account_domain, name, sid);
743 case LSA_POLICY_INFO_ROLE:
744 /* check if the user has enough rights */
745 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
746 return NT_STATUS_ACCESS_DENIED;
748 switch (lp_server_role()) {
749 case ROLE_DOMAIN_BDC:
751 * only a BDC is a backup controller
752 * of the domain, it controls.
754 info->role.role = LSA_ROLE_BACKUP;
758 * any other role is a primary
759 * of the domain, it controls.
761 info->role.role = LSA_ROLE_PRIMARY;
765 case LSA_POLICY_INFO_DNS:
766 case LSA_POLICY_INFO_DNS_INT: {
767 struct pdb_domain_info *dominfo;
769 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
770 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
771 "without ADS passdb backend\n"));
772 status = NT_STATUS_INVALID_INFO_CLASS;
776 dominfo = pdb_get_domain_info(info);
777 if (dominfo == NULL) {
778 status = NT_STATUS_NO_MEMORY;
782 init_lsa_StringLarge(&info->dns.name,
784 init_lsa_StringLarge(&info->dns.dns_domain,
785 dominfo->dns_domain);
786 init_lsa_StringLarge(&info->dns.dns_forest,
787 dominfo->dns_forest);
788 info->dns.domain_guid = dominfo->guid;
789 info->dns.sid = &dominfo->sid;
793 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
795 status = NT_STATUS_INVALID_INFO_CLASS;
804 /***************************************************************************
805 _lsa_QueryInfoPolicy2
806 ***************************************************************************/
808 NTSTATUS _lsa_QueryInfoPolicy2(struct pipes_struct *p,
809 struct lsa_QueryInfoPolicy2 *r2)
811 struct lsa_QueryInfoPolicy r;
813 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
814 p->rng_fault_state = True;
815 return NT_STATUS_NOT_IMPLEMENTED;
819 r.in.handle = r2->in.handle;
820 r.in.level = r2->in.level;
821 r.out.info = r2->out.info;
823 return _lsa_QueryInfoPolicy(p, &r);
826 /***************************************************************************
827 _lsa_lookup_sids_internal
828 ***************************************************************************/
830 static NTSTATUS _lsa_lookup_sids_internal(struct pipes_struct *p,
832 uint16_t level, /* input */
833 int num_sids, /* input */
834 struct lsa_SidPtr *sid, /* input */
835 struct lsa_RefDomainList **pp_ref, /* input/output */
836 struct lsa_TranslatedName2 **pp_names,/* input/output */
837 uint32_t *pp_mapped_count) /* input/output */
841 const struct dom_sid **sids = NULL;
842 struct lsa_RefDomainList *ref = NULL;
843 uint32 mapped_count = 0;
844 struct lsa_dom_info *dom_infos = NULL;
845 struct lsa_name_info *name_infos = NULL;
846 struct lsa_TranslatedName2 *names = NULL;
848 *pp_mapped_count = 0;
856 sids = TALLOC_ARRAY(p->mem_ctx, const struct dom_sid *, num_sids);
857 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
859 if (sids == NULL || ref == NULL) {
860 return NT_STATUS_NO_MEMORY;
863 for (i=0; i<num_sids; i++) {
864 sids[i] = sid[i].sid;
867 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
868 &dom_infos, &name_infos);
870 if (!NT_STATUS_IS_OK(status)) {
874 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
876 return NT_STATUS_NO_MEMORY;
879 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
881 if (!dom_infos[i].valid) {
885 if (init_lsa_ref_domain_list(mem_ctx, ref,
887 &dom_infos[i].sid) != i) {
888 DEBUG(0, ("Domain %s mentioned twice??\n",
890 return NT_STATUS_INTERNAL_ERROR;
894 for (i=0; i<num_sids; i++) {
895 struct lsa_name_info *name = &name_infos[i];
897 if (name->type == SID_NAME_UNKNOWN) {
900 /* Unknown sids should return the string
901 * representation of the SID. Windows 2003 behaves
902 * rather erratic here, in many cases it returns the
903 * RID as 8 bytes hex, in others it returns the full
904 * SID. We (Jerry/VL) could not figure out which the
905 * hard cases are, so leave it with the SID. */
906 name->name = talloc_asprintf(p->mem_ctx, "%s",
909 if (name->name == NULL) {
910 return NT_STATUS_NO_MEMORY;
916 names[i].sid_type = name->type;
917 names[i].name.string = name->name;
918 names[i].sid_index = name->dom_idx;
919 names[i].unknown = 0;
922 status = NT_STATUS_NONE_MAPPED;
923 if (mapped_count > 0) {
924 status = (mapped_count < num_sids) ?
925 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
928 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
929 num_sids, mapped_count, nt_errstr(status)));
931 *pp_mapped_count = mapped_count;
938 /***************************************************************************
940 ***************************************************************************/
942 NTSTATUS _lsa_LookupSids(struct pipes_struct *p,
943 struct lsa_LookupSids *r)
946 struct lsa_info *handle;
947 int num_sids = r->in.sids->num_sids;
948 uint32 mapped_count = 0;
949 struct lsa_RefDomainList *domains = NULL;
950 struct lsa_TranslatedName *names_out = NULL;
951 struct lsa_TranslatedName2 *names = NULL;
954 if ((r->in.level < 1) || (r->in.level > 6)) {
955 return NT_STATUS_INVALID_PARAMETER;
958 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
959 return NT_STATUS_INVALID_HANDLE;
962 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
963 return NT_STATUS_INVALID_HANDLE;
966 /* check if the user has enough rights */
967 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
968 return NT_STATUS_ACCESS_DENIED;
971 if (num_sids > MAX_LOOKUP_SIDS) {
972 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
973 MAX_LOOKUP_SIDS, num_sids));
974 return NT_STATUS_NONE_MAPPED;
977 status = _lsa_lookup_sids_internal(p,
986 /* Only return here when there is a real error.
987 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
988 the requested sids could be resolved. Older versions of XP (pre SP3)
989 rely that we return with the string representations of those SIDs in
990 that case. If we don't, XP crashes - Guenther
993 if (NT_STATUS_IS_ERR(status) &&
994 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
998 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
999 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
1002 return NT_STATUS_NO_MEMORY;
1005 for (i=0; i<num_sids; i++) {
1006 names_out[i].sid_type = names[i].sid_type;
1007 names_out[i].name = names[i].name;
1008 names_out[i].sid_index = names[i].sid_index;
1011 *r->out.domains = domains;
1012 r->out.names->count = num_sids;
1013 r->out.names->names = names_out;
1014 *r->out.count = mapped_count;
1019 /***************************************************************************
1021 ***************************************************************************/
1023 NTSTATUS _lsa_LookupSids2(struct pipes_struct *p,
1024 struct lsa_LookupSids2 *r)
1027 struct lsa_info *handle;
1028 int num_sids = r->in.sids->num_sids;
1029 uint32 mapped_count = 0;
1030 struct lsa_RefDomainList *domains = NULL;
1031 struct lsa_TranslatedName2 *names = NULL;
1032 bool check_policy = true;
1035 case NDR_LSA_LOOKUPSIDS3:
1036 check_policy = false;
1038 case NDR_LSA_LOOKUPSIDS2:
1040 check_policy = true;
1043 if ((r->in.level < 1) || (r->in.level > 6)) {
1044 return NT_STATUS_INVALID_PARAMETER;
1048 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1049 return NT_STATUS_INVALID_HANDLE;
1052 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1053 return NT_STATUS_INVALID_HANDLE;
1056 /* check if the user has enough rights */
1057 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1058 return NT_STATUS_ACCESS_DENIED;
1062 if (num_sids > MAX_LOOKUP_SIDS) {
1063 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
1064 MAX_LOOKUP_SIDS, num_sids));
1065 return NT_STATUS_NONE_MAPPED;
1068 status = _lsa_lookup_sids_internal(p,
1077 *r->out.domains = domains;
1078 r->out.names->count = num_sids;
1079 r->out.names->names = names;
1080 *r->out.count = mapped_count;
1085 /***************************************************************************
1087 ***************************************************************************/
1089 NTSTATUS _lsa_LookupSids3(struct pipes_struct *p,
1090 struct lsa_LookupSids3 *r)
1092 struct lsa_LookupSids2 q;
1094 /* No policy handle on this call. Restrict to crypto connections. */
1095 if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1096 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
1097 get_remote_machine_name() ));
1098 return NT_STATUS_INVALID_PARAMETER;
1102 q.in.sids = r->in.sids;
1103 q.in.level = r->in.level;
1104 q.in.lookup_options = r->in.lookup_options;
1105 q.in.client_revision = r->in.client_revision;
1106 q.in.names = r->in.names;
1107 q.in.count = r->in.count;
1109 q.out.domains = r->out.domains;
1110 q.out.names = r->out.names;
1111 q.out.count = r->out.count;
1113 return _lsa_LookupSids2(p, &q);
1116 /***************************************************************************
1117 ***************************************************************************/
1119 static int lsa_lookup_level_to_flags(enum lsa_LookupNamesLevel level)
1124 case LSA_LOOKUP_NAMES_ALL: /* 1 */
1125 flags = LOOKUP_NAME_ALL;
1127 case LSA_LOOKUP_NAMES_DOMAINS_ONLY: /* 2 */
1128 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1130 case LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY: /* 3 */
1131 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1133 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY: /* 4 */
1134 case LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY: /* 5 */
1135 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2: /* 6 */
1136 case LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC: /* 7 */
1138 flags = LOOKUP_NAME_NONE;
1145 /***************************************************************************
1147 ***************************************************************************/
1149 NTSTATUS _lsa_LookupNames(struct pipes_struct *p,
1150 struct lsa_LookupNames *r)
1152 NTSTATUS status = NT_STATUS_NONE_MAPPED;
1153 struct lsa_info *handle;
1154 struct lsa_String *names = r->in.names;
1155 uint32 num_entries = r->in.num_names;
1156 struct lsa_RefDomainList *domains = NULL;
1157 struct lsa_TranslatedSid *rids = NULL;
1158 uint32 mapped_count = 0;
1161 if (num_entries > MAX_LOOKUP_SIDS) {
1162 num_entries = MAX_LOOKUP_SIDS;
1163 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1167 flags = lsa_lookup_level_to_flags(r->in.level);
1169 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1171 return NT_STATUS_NO_MEMORY;
1175 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1178 return NT_STATUS_NO_MEMORY;
1184 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1185 status = NT_STATUS_INVALID_HANDLE;
1189 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1190 return NT_STATUS_INVALID_HANDLE;
1193 /* check if the user has enough rights */
1194 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1195 status = NT_STATUS_ACCESS_DENIED;
1199 /* set up the LSA Lookup RIDs response */
1200 become_root(); /* lookup_name can require root privs */
1201 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1202 names, flags, &mapped_count);
1207 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1208 if (mapped_count == 0) {
1209 status = NT_STATUS_NONE_MAPPED;
1210 } else if (mapped_count != num_entries) {
1211 status = STATUS_SOME_UNMAPPED;
1215 *r->out.count = mapped_count;
1216 *r->out.domains = domains;
1217 r->out.sids->sids = rids;
1218 r->out.sids->count = num_entries;
1223 /***************************************************************************
1225 ***************************************************************************/
1227 NTSTATUS _lsa_LookupNames2(struct pipes_struct *p,
1228 struct lsa_LookupNames2 *r)
1231 struct lsa_LookupNames q;
1232 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1233 struct lsa_TransSidArray *sid_array = NULL;
1236 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1238 return NT_STATUS_NO_MEMORY;
1241 q.in.handle = r->in.handle;
1242 q.in.num_names = r->in.num_names;
1243 q.in.names = r->in.names;
1244 q.in.level = r->in.level;
1245 q.in.sids = sid_array;
1246 q.in.count = r->in.count;
1247 /* we do not know what this is for */
1248 /* = r->in.unknown1; */
1249 /* = r->in.unknown2; */
1251 q.out.domains = r->out.domains;
1252 q.out.sids = sid_array;
1253 q.out.count = r->out.count;
1255 status = _lsa_LookupNames(p, &q);
1257 sid_array2->count = sid_array->count;
1258 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1259 if (!sid_array2->sids) {
1260 return NT_STATUS_NO_MEMORY;
1263 for (i=0; i<sid_array->count; i++) {
1264 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1265 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1266 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1267 sid_array2->sids[i].unknown = 0;
1270 r->out.sids = sid_array2;
1275 /***************************************************************************
1277 ***************************************************************************/
1279 NTSTATUS _lsa_LookupNames3(struct pipes_struct *p,
1280 struct lsa_LookupNames3 *r)
1283 struct lsa_info *handle;
1284 struct lsa_String *names = r->in.names;
1285 uint32 num_entries = r->in.num_names;
1286 struct lsa_RefDomainList *domains = NULL;
1287 struct lsa_TranslatedSid3 *trans_sids = NULL;
1288 uint32 mapped_count = 0;
1290 bool check_policy = true;
1293 case NDR_LSA_LOOKUPNAMES4:
1294 check_policy = false;
1296 case NDR_LSA_LOOKUPNAMES3:
1298 check_policy = true;
1301 if (num_entries > MAX_LOOKUP_SIDS) {
1302 num_entries = MAX_LOOKUP_SIDS;
1303 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1306 /* Probably the lookup_level is some sort of bitmask. */
1307 if (r->in.level == 1) {
1308 flags = LOOKUP_NAME_ALL;
1311 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1313 return NT_STATUS_NO_MEMORY;
1317 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1320 return NT_STATUS_NO_MEMORY;
1328 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1329 status = NT_STATUS_INVALID_HANDLE;
1333 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1334 return NT_STATUS_INVALID_HANDLE;
1337 /* check if the user has enough rights */
1338 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1339 status = NT_STATUS_ACCESS_DENIED;
1344 /* set up the LSA Lookup SIDs response */
1345 become_root(); /* lookup_name can require root privs */
1346 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1347 names, flags, &mapped_count);
1352 if (NT_STATUS_IS_OK(status)) {
1353 if (mapped_count == 0) {
1354 status = NT_STATUS_NONE_MAPPED;
1355 } else if (mapped_count != num_entries) {
1356 status = STATUS_SOME_UNMAPPED;
1360 *r->out.count = mapped_count;
1361 *r->out.domains = domains;
1362 r->out.sids->sids = trans_sids;
1363 r->out.sids->count = num_entries;
1368 /***************************************************************************
1370 ***************************************************************************/
1372 NTSTATUS _lsa_LookupNames4(struct pipes_struct *p,
1373 struct lsa_LookupNames4 *r)
1375 struct lsa_LookupNames3 q;
1377 /* No policy handle on this call. Restrict to crypto connections. */
1378 if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1379 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1380 get_remote_machine_name() ));
1381 return NT_STATUS_INVALID_PARAMETER;
1385 q.in.num_names = r->in.num_names;
1386 q.in.names = r->in.names;
1387 q.in.level = r->in.level;
1388 q.in.lookup_options = r->in.lookup_options;
1389 q.in.client_revision = r->in.client_revision;
1390 q.in.sids = r->in.sids;
1391 q.in.count = r->in.count;
1393 q.out.domains = r->out.domains;
1394 q.out.sids = r->out.sids;
1395 q.out.count = r->out.count;
1397 return _lsa_LookupNames3(p, &q);
1400 /***************************************************************************
1401 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1402 ***************************************************************************/
1404 NTSTATUS _lsa_Close(struct pipes_struct *p, struct lsa_Close *r)
1406 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1407 return NT_STATUS_INVALID_HANDLE;
1410 close_policy_hnd(p, r->in.handle);
1411 ZERO_STRUCTP(r->out.handle);
1412 return NT_STATUS_OK;
1415 /***************************************************************************
1416 ***************************************************************************/
1418 static NTSTATUS lsa_lookup_trusted_domain_by_sid(TALLOC_CTX *mem_ctx,
1419 const struct dom_sid *sid,
1420 struct trustdom_info **info)
1423 uint32_t num_domains = 0;
1424 struct trustdom_info **domains = NULL;
1427 status = pdb_enum_trusteddoms(mem_ctx, &num_domains, &domains);
1428 if (!NT_STATUS_IS_OK(status)) {
1432 for (i=0; i < num_domains; i++) {
1433 if (dom_sid_equal(&domains[i]->sid, sid)) {
1438 if (i == num_domains) {
1439 return NT_STATUS_INVALID_PARAMETER;
1444 return NT_STATUS_OK;
1447 /***************************************************************************
1448 ***************************************************************************/
1450 static NTSTATUS lsa_lookup_trusted_domain_by_name(TALLOC_CTX *mem_ctx,
1451 const char *netbios_domain_name,
1452 struct trustdom_info **info_p)
1455 struct trustdom_info *info;
1456 struct pdb_trusted_domain *td;
1458 status = pdb_get_trusted_domain(mem_ctx, netbios_domain_name, &td);
1459 if (!NT_STATUS_IS_OK(status)) {
1463 info = talloc(mem_ctx, struct trustdom_info);
1465 return NT_STATUS_NO_MEMORY;
1468 info->name = talloc_strdup(info, netbios_domain_name);
1469 NT_STATUS_HAVE_NO_MEMORY(info->name);
1471 sid_copy(&info->sid, &td->security_identifier);
1475 return NT_STATUS_OK;
1478 /***************************************************************************
1479 ***************************************************************************/
1481 NTSTATUS _lsa_OpenSecret(struct pipes_struct *p, struct lsa_OpenSecret *r)
1483 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1486 /***************************************************************************
1487 _lsa_OpenTrustedDomain_base
1488 ***************************************************************************/
1490 static NTSTATUS _lsa_OpenTrustedDomain_base(struct pipes_struct *p,
1491 uint32_t access_mask,
1492 struct trustdom_info *info,
1493 struct policy_handle *handle)
1495 struct security_descriptor *psd = NULL;
1497 uint32_t acc_granted;
1500 /* des_access is for the account here, not the policy
1501 * handle - so don't check against policy handle. */
1503 /* Work out max allowed. */
1504 map_max_allowed_access(p->server_info->security_token,
1505 &p->server_info->utok,
1508 /* map the generic bits to the lsa account ones */
1509 se_map_generic(&access_mask, &lsa_account_mapping);
1511 /* get the generic lsa account SD until we store it */
1512 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1513 &lsa_trusted_domain_mapping,
1515 if (!NT_STATUS_IS_OK(status)) {
1519 status = access_check_object(psd, p->server_info->security_token,
1520 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
1521 access_mask, &acc_granted,
1522 "_lsa_OpenTrustedDomain");
1523 if (!NT_STATUS_IS_OK(status)) {
1527 status = create_lsa_policy_handle(p->mem_ctx, p,
1528 LSA_HANDLE_TRUST_TYPE,
1534 if (!NT_STATUS_IS_OK(status)) {
1535 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1538 return NT_STATUS_OK;
1541 /***************************************************************************
1542 _lsa_OpenTrustedDomain
1543 ***************************************************************************/
1545 NTSTATUS _lsa_OpenTrustedDomain(struct pipes_struct *p,
1546 struct lsa_OpenTrustedDomain *r)
1548 struct lsa_info *handle = NULL;
1549 struct trustdom_info *info;
1552 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1553 return NT_STATUS_INVALID_HANDLE;
1556 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1557 return NT_STATUS_INVALID_HANDLE;
1560 status = lsa_lookup_trusted_domain_by_sid(p->mem_ctx,
1563 if (!NT_STATUS_IS_OK(status)) {
1567 return _lsa_OpenTrustedDomain_base(p, r->in.access_mask, info,
1568 r->out.trustdom_handle);
1571 /***************************************************************************
1572 _lsa_OpenTrustedDomainByName
1573 ***************************************************************************/
1575 NTSTATUS _lsa_OpenTrustedDomainByName(struct pipes_struct *p,
1576 struct lsa_OpenTrustedDomainByName *r)
1578 struct lsa_info *handle = NULL;
1579 struct trustdom_info *info;
1582 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1583 return NT_STATUS_INVALID_HANDLE;
1586 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1587 return NT_STATUS_INVALID_HANDLE;
1590 status = lsa_lookup_trusted_domain_by_name(p->mem_ctx,
1593 if (!NT_STATUS_IS_OK(status)) {
1597 return _lsa_OpenTrustedDomain_base(p, r->in.access_mask, info,
1598 r->out.trustdom_handle);
1601 static NTSTATUS add_trusted_domain_user(TALLOC_CTX *mem_ctx,
1602 const char *netbios_name,
1603 struct trustDomainPasswords auth_struct)
1606 struct samu *sam_acct;
1609 struct dom_sid user_sid;
1614 sam_acct = samu_new(mem_ctx);
1615 if (sam_acct == NULL) {
1616 return NT_STATUS_NO_MEMORY;
1619 acct_name = talloc_asprintf(mem_ctx, "%s$", netbios_name);
1620 if (acct_name == NULL) {
1621 return NT_STATUS_NO_MEMORY;
1623 if (!pdb_set_username(sam_acct, acct_name, PDB_SET)) {
1624 return NT_STATUS_UNSUCCESSFUL;
1627 if (!pdb_set_domain(sam_acct, get_global_sam_name(), PDB_SET)) {
1628 return NT_STATUS_UNSUCCESSFUL;
1631 if (!pdb_set_acct_ctrl(sam_acct, ACB_DOMTRUST, PDB_SET)) {
1632 return NT_STATUS_UNSUCCESSFUL;
1635 if (!pdb_new_rid(&rid)) {
1636 return NT_STATUS_DS_NO_MORE_RIDS;
1638 sid_compose(&user_sid, get_global_sam_sid(), rid);
1639 if (!pdb_set_user_sid(sam_acct, &user_sid, PDB_SET)) {
1640 return NT_STATUS_UNSUCCESSFUL;
1643 for (i = 0; i < auth_struct.incoming.count; i++) {
1644 switch (auth_struct.incoming.current.array[i].AuthType) {
1645 case TRUST_AUTH_TYPE_CLEAR:
1646 if (!convert_string_talloc(mem_ctx,
1649 auth_struct.incoming.current.array[i].AuthInfo.clear.password,
1650 auth_struct.incoming.current.array[i].AuthInfo.clear.size,
1654 return NT_STATUS_UNSUCCESSFUL;
1656 if (!pdb_set_plaintext_passwd(sam_acct, dummy)) {
1657 return NT_STATUS_UNSUCCESSFUL;
1665 status = pdb_add_sam_account(sam_acct);
1666 if (!NT_STATUS_IS_OK(status)) {
1670 return NT_STATUS_OK;
1673 /***************************************************************************
1674 _lsa_CreateTrustedDomainEx2
1675 ***************************************************************************/
1677 NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
1678 struct lsa_CreateTrustedDomainEx2 *r)
1680 struct lsa_info *policy;
1682 uint32_t acc_granted;
1683 struct security_descriptor *psd;
1685 struct pdb_trusted_domain td;
1686 struct trustDomainPasswords auth_struct;
1687 enum ndr_err_code ndr_err;
1688 DATA_BLOB auth_blob;
1691 return NT_STATUS_NOT_SUPPORTED;
1694 if (!find_policy_by_hnd(p, r->in.policy_handle, (void **)(void *)&policy)) {
1695 return NT_STATUS_INVALID_HANDLE;
1698 if (!(policy->access & LSA_POLICY_TRUST_ADMIN)) {
1699 return NT_STATUS_ACCESS_DENIED;
1702 if (p->server_info->utok.uid != sec_initial_uid() &&
1703 !nt_token_check_domain_rid(p->server_info->security_token, DOMAIN_RID_ADMINS)) {
1704 return NT_STATUS_ACCESS_DENIED;
1707 /* Work out max allowed. */
1708 map_max_allowed_access(p->server_info->security_token,
1709 &p->server_info->utok,
1710 &r->in.access_mask);
1712 /* map the generic bits to the lsa policy ones */
1713 se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1715 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1716 &lsa_trusted_domain_mapping,
1718 if (!NT_STATUS_IS_OK(status)) {
1722 status = access_check_object(psd, p->server_info->security_token,
1723 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
1724 r->in.access_mask, &acc_granted,
1725 "_lsa_CreateTrustedDomainEx2");
1726 if (!NT_STATUS_IS_OK(status)) {
1732 td.domain_name = talloc_strdup(p->mem_ctx,
1733 r->in.info->domain_name.string);
1734 if (td.domain_name == NULL) {
1735 return NT_STATUS_NO_MEMORY;
1737 td.netbios_name = talloc_strdup(p->mem_ctx,
1738 r->in.info->netbios_name.string);
1739 if (td.netbios_name == NULL) {
1740 return NT_STATUS_NO_MEMORY;
1742 sid_copy(&td.security_identifier, r->in.info->sid);
1743 td.trust_direction = r->in.info->trust_direction;
1744 td.trust_type = r->in.info->trust_type;
1745 td.trust_attributes = r->in.info->trust_attributes;
1747 if (r->in.auth_info->auth_blob.size != 0) {
1748 auth_blob.length = r->in.auth_info->auth_blob.size;
1749 auth_blob.data = r->in.auth_info->auth_blob.data;
1751 arcfour_crypt_blob(auth_blob.data, auth_blob.length,
1752 &p->server_info->user_session_key);
1754 ndr_err = ndr_pull_struct_blob(&auth_blob, p->mem_ctx,
1756 (ndr_pull_flags_fn_t) ndr_pull_trustDomainPasswords);
1757 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1758 return NT_STATUS_UNSUCCESSFUL;
1761 ndr_err = ndr_push_struct_blob(&td.trust_auth_incoming, p->mem_ctx,
1762 &auth_struct.incoming,
1763 (ndr_push_flags_fn_t) ndr_push_trustAuthInOutBlob);
1764 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1765 return NT_STATUS_UNSUCCESSFUL;
1768 ndr_err = ndr_push_struct_blob(&td.trust_auth_outgoing, p->mem_ctx,
1769 &auth_struct.outgoing,
1770 (ndr_push_flags_fn_t) ndr_push_trustAuthInOutBlob);
1771 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1772 return NT_STATUS_UNSUCCESSFUL;
1775 td.trust_auth_incoming.data = NULL;
1776 td.trust_auth_incoming.length = 0;
1777 td.trust_auth_outgoing.data = NULL;
1778 td.trust_auth_outgoing.length = 0;
1781 status = pdb_set_trusted_domain(r->in.info->domain_name.string, &td);
1782 if (!NT_STATUS_IS_OK(status)) {
1786 if (r->in.info->trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
1787 status = add_trusted_domain_user(p->mem_ctx,
1788 r->in.info->netbios_name.string,
1790 if (!NT_STATUS_IS_OK(status)) {
1795 status = create_lsa_policy_handle(p->mem_ctx, p,
1796 LSA_HANDLE_TRUST_TYPE,
1799 r->in.info->netbios_name.string,
1801 r->out.trustdom_handle);
1802 if (!NT_STATUS_IS_OK(status)) {
1803 pdb_del_trusteddom_pw(r->in.info->netbios_name.string);
1804 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1807 return NT_STATUS_OK;
1810 /***************************************************************************
1811 _lsa_CreateTrustedDomainEx
1812 ***************************************************************************/
1814 NTSTATUS _lsa_CreateTrustedDomainEx(struct pipes_struct *p,
1815 struct lsa_CreateTrustedDomainEx *r)
1817 struct lsa_CreateTrustedDomainEx2 q;
1819 q.in.policy_handle = r->in.policy_handle;
1820 q.in.info = r->in.info;
1821 q.in.auth_info = r->in.auth_info;
1822 q.in.access_mask = r->in.access_mask;
1823 q.out.trustdom_handle = r->out.trustdom_handle;
1825 return _lsa_CreateTrustedDomainEx2(p, &q);
1828 /***************************************************************************
1829 _lsa_CreateTrustedDomain
1830 ***************************************************************************/
1832 NTSTATUS _lsa_CreateTrustedDomain(struct pipes_struct *p,
1833 struct lsa_CreateTrustedDomain *r)
1835 struct lsa_CreateTrustedDomainEx2 c;
1836 struct lsa_TrustDomainInfoInfoEx info;
1837 struct lsa_TrustDomainInfoAuthInfoInternal auth_info;
1839 ZERO_STRUCT(auth_info);
1841 info.domain_name = r->in.info->name;
1842 info.netbios_name = r->in.info->name;
1843 info.sid = r->in.info->sid;
1844 info.trust_direction = LSA_TRUST_DIRECTION_OUTBOUND;
1845 info.trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
1846 info.trust_attributes = 0;
1848 c.in.policy_handle = r->in.policy_handle;
1850 c.in.auth_info = &auth_info;
1851 c.in.access_mask = r->in.access_mask;
1852 c.out.trustdom_handle = r->out.trustdom_handle;
1854 return _lsa_CreateTrustedDomainEx2(p, &c);
1857 /***************************************************************************
1858 _lsa_DeleteTrustedDomain
1859 ***************************************************************************/
1861 NTSTATUS _lsa_DeleteTrustedDomain(struct pipes_struct *p,
1862 struct lsa_DeleteTrustedDomain *r)
1865 struct lsa_info *handle;
1866 struct pdb_trusted_domain *td;
1867 struct samu *sam_acct;
1870 /* find the connection policy handle. */
1871 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1872 return NT_STATUS_INVALID_HANDLE;
1875 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1876 return NT_STATUS_INVALID_HANDLE;
1879 if (!(handle->access & LSA_POLICY_TRUST_ADMIN)) {
1880 return NT_STATUS_ACCESS_DENIED;
1883 status = pdb_get_trusted_domain_by_sid(p->mem_ctx, r->in.dom_sid, &td);
1884 if (!NT_STATUS_IS_OK(status)) {
1888 if (td->netbios_name == NULL || *td->netbios_name == '\0') {
1889 DEBUG(10, ("Missing netbios name for for trusted domain %s.\n",
1890 sid_string_tos(r->in.dom_sid)));
1891 return NT_STATUS_UNSUCCESSFUL;
1894 if (td->trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
1895 sam_acct = samu_new(p->mem_ctx);
1896 if (sam_acct == NULL) {
1897 return NT_STATUS_NO_MEMORY;
1900 acct_name = talloc_asprintf(p->mem_ctx, "%s$", td->netbios_name);
1901 if (acct_name == NULL) {
1902 return NT_STATUS_NO_MEMORY;
1904 if (!pdb_set_username(sam_acct, acct_name, PDB_SET)) {
1905 return NT_STATUS_UNSUCCESSFUL;
1907 status = pdb_delete_sam_account(sam_acct);
1908 if (!NT_STATUS_IS_OK(status)) {
1913 status = pdb_del_trusted_domain(td->netbios_name);
1914 if (!NT_STATUS_IS_OK(status)) {
1918 return NT_STATUS_OK;
1921 /***************************************************************************
1922 _lsa_CloseTrustedDomainEx
1923 ***************************************************************************/
1925 NTSTATUS _lsa_CloseTrustedDomainEx(struct pipes_struct *p,
1926 struct lsa_CloseTrustedDomainEx *r)
1928 return NT_STATUS_NOT_IMPLEMENTED;
1931 /***************************************************************************
1932 _lsa_QueryTrustedDomainInfo
1933 ***************************************************************************/
1935 NTSTATUS _lsa_QueryTrustedDomainInfo(struct pipes_struct *p,
1936 struct lsa_QueryTrustedDomainInfo *r)
1939 struct lsa_info *handle;
1940 union lsa_TrustedDomainInfo *info;
1941 struct pdb_trusted_domain *td;
1942 uint32_t acc_required;
1944 /* find the connection policy handle. */
1945 if (!find_policy_by_hnd(p, r->in.trustdom_handle, (void **)(void *)&handle)) {
1946 return NT_STATUS_INVALID_HANDLE;
1949 if (handle->type != LSA_HANDLE_TRUST_TYPE) {
1950 return NT_STATUS_INVALID_HANDLE;
1953 switch (r->in.level) {
1954 case LSA_TRUSTED_DOMAIN_INFO_NAME:
1955 acc_required = LSA_TRUSTED_QUERY_DOMAIN_NAME;
1957 case LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS:
1958 acc_required = LSA_TRUSTED_QUERY_CONTROLLERS;
1960 case LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET:
1961 acc_required = LSA_TRUSTED_QUERY_POSIX;
1963 case LSA_TRUSTED_DOMAIN_INFO_PASSWORD:
1964 acc_required = LSA_TRUSTED_QUERY_AUTH;
1966 case LSA_TRUSTED_DOMAIN_INFO_BASIC:
1967 acc_required = LSA_TRUSTED_QUERY_DOMAIN_NAME;
1969 case LSA_TRUSTED_DOMAIN_INFO_INFO_EX:
1970 acc_required = LSA_TRUSTED_QUERY_DOMAIN_NAME;
1972 case LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO:
1973 acc_required = LSA_TRUSTED_QUERY_AUTH;
1975 case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO:
1976 acc_required = LSA_TRUSTED_QUERY_DOMAIN_NAME |
1977 LSA_TRUSTED_QUERY_POSIX |
1978 LSA_TRUSTED_QUERY_AUTH;
1980 case LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO_INTERNAL:
1981 acc_required = LSA_TRUSTED_QUERY_AUTH;
1983 case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_INTERNAL:
1984 acc_required = LSA_TRUSTED_QUERY_DOMAIN_NAME |
1985 LSA_TRUSTED_QUERY_POSIX |
1986 LSA_TRUSTED_QUERY_AUTH;
1988 case LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL:
1989 acc_required = LSA_TRUSTED_QUERY_DOMAIN_NAME;
1991 case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL:
1992 acc_required = LSA_TRUSTED_QUERY_DOMAIN_NAME |
1993 LSA_TRUSTED_QUERY_POSIX |
1994 LSA_TRUSTED_QUERY_AUTH;
1996 case LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES:
1997 acc_required = LSA_TRUSTED_QUERY_POSIX;
2000 return NT_STATUS_INVALID_PARAMETER;
2003 if (!(handle->access & acc_required)) {
2004 return NT_STATUS_ACCESS_DENIED;
2007 status = pdb_get_trusted_domain_by_sid(p->mem_ctx, &handle->sid, &td);
2008 if (!NT_STATUS_IS_OK(status)) {
2012 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_TrustedDomainInfo);
2014 return NT_STATUS_NO_MEMORY;
2017 switch (r->in.level) {
2018 case LSA_TRUSTED_DOMAIN_INFO_NAME:
2019 init_lsa_StringLarge(&info->name.netbios_name, td->netbios_name);
2021 case LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS:
2022 return NT_STATUS_INVALID_PARAMETER;
2023 case LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET:
2025 case LSA_TRUSTED_DOMAIN_INFO_PASSWORD:
2026 return NT_STATUS_INVALID_INFO_CLASS;
2027 case LSA_TRUSTED_DOMAIN_INFO_BASIC:
2028 return NT_STATUS_INVALID_PARAMETER;
2029 case LSA_TRUSTED_DOMAIN_INFO_INFO_EX:
2030 init_lsa_StringLarge(&info->info_ex.domain_name, td->domain_name);
2031 init_lsa_StringLarge(&info->info_ex.netbios_name, td->netbios_name);
2032 info->info_ex.sid = dom_sid_dup(info, &td->security_identifier);
2033 if (!info->info_ex.sid) {
2034 return NT_STATUS_NO_MEMORY;
2036 info->info_ex.trust_direction = td->trust_direction;
2037 info->info_ex.trust_type = td->trust_type;
2038 info->info_ex.trust_attributes = td->trust_attributes;
2040 case LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO:
2041 return NT_STATUS_INVALID_INFO_CLASS;
2042 case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO:
2044 case LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO_INTERNAL:
2045 return NT_STATUS_INVALID_INFO_CLASS;
2046 case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_INTERNAL:
2047 return NT_STATUS_INVALID_INFO_CLASS;
2048 case LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL:
2049 return NT_STATUS_INVALID_PARAMETER;
2050 case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL:
2052 case LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES:
2055 return NT_STATUS_INVALID_PARAMETER;
2058 *r->out.info = info;
2060 return NT_STATUS_OK;
2063 /***************************************************************************
2064 _lsa_QueryTrustedDomainInfoBySid
2065 ***************************************************************************/
2067 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(struct pipes_struct *p,
2068 struct lsa_QueryTrustedDomainInfoBySid *r)
2071 struct policy_handle trustdom_handle;
2072 struct lsa_OpenTrustedDomain o;
2073 struct lsa_QueryTrustedDomainInfo q;
2076 o.in.handle = r->in.handle;
2077 o.in.sid = r->in.dom_sid;
2078 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2079 o.out.trustdom_handle = &trustdom_handle;
2081 status = _lsa_OpenTrustedDomain(p, &o);
2082 if (!NT_STATUS_IS_OK(status)) {
2086 q.in.trustdom_handle = &trustdom_handle;
2087 q.in.level = r->in.level;
2088 q.out.info = r->out.info;
2090 status = _lsa_QueryTrustedDomainInfo(p, &q);
2091 if (!NT_STATUS_IS_OK(status)) {
2095 c.in.handle = &trustdom_handle;
2096 c.out.handle = &trustdom_handle;
2098 return _lsa_Close(p, &c);
2101 /***************************************************************************
2102 _lsa_QueryTrustedDomainInfoByName
2103 ***************************************************************************/
2105 NTSTATUS _lsa_QueryTrustedDomainInfoByName(struct pipes_struct *p,
2106 struct lsa_QueryTrustedDomainInfoByName *r)
2109 struct policy_handle trustdom_handle;
2110 struct lsa_OpenTrustedDomainByName o;
2111 struct lsa_QueryTrustedDomainInfo q;
2114 o.in.handle = r->in.handle;
2115 o.in.name.string = r->in.trusted_domain->string;
2116 o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
2117 o.out.trustdom_handle = &trustdom_handle;
2119 status = _lsa_OpenTrustedDomainByName(p, &o);
2120 if (!NT_STATUS_IS_OK(status)) {
2121 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN)) {
2122 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2127 q.in.trustdom_handle = &trustdom_handle;
2128 q.in.level = r->in.level;
2129 q.out.info = r->out.info;
2131 status = _lsa_QueryTrustedDomainInfo(p, &q);
2132 if (!NT_STATUS_IS_OK(status)) {
2136 c.in.handle = &trustdom_handle;
2137 c.out.handle = &trustdom_handle;
2139 return _lsa_Close(p, &c);
2142 /***************************************************************************
2143 ***************************************************************************/
2145 NTSTATUS _lsa_CreateSecret(struct pipes_struct *p, struct lsa_CreateSecret *r)
2147 return NT_STATUS_ACCESS_DENIED;
2150 /***************************************************************************
2151 ***************************************************************************/
2153 NTSTATUS _lsa_SetSecret(struct pipes_struct *p, struct lsa_SetSecret *r)
2155 return NT_STATUS_ACCESS_DENIED;
2158 /***************************************************************************
2160 ***************************************************************************/
2162 NTSTATUS _lsa_DeleteObject(struct pipes_struct *p,
2163 struct lsa_DeleteObject *r)
2166 struct lsa_info *info = NULL;
2168 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2169 return NT_STATUS_INVALID_HANDLE;
2172 if (!(info->access & SEC_STD_DELETE)) {
2173 return NT_STATUS_ACCESS_DENIED;
2176 switch (info->type) {
2177 case LSA_HANDLE_ACCOUNT_TYPE:
2178 status = privilege_delete_account(&info->sid);
2179 if (!NT_STATUS_IS_OK(status)) {
2180 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
2181 nt_errstr(status)));
2186 return NT_STATUS_INVALID_HANDLE;
2189 close_policy_hnd(p, r->in.handle);
2190 ZERO_STRUCTP(r->out.handle);
2195 /***************************************************************************
2197 ***************************************************************************/
2199 NTSTATUS _lsa_EnumPrivs(struct pipes_struct *p,
2200 struct lsa_EnumPrivs *r)
2202 struct lsa_info *handle;
2204 uint32 enum_context = *r->in.resume_handle;
2205 int num_privs = num_privileges_in_short_list();
2206 struct lsa_PrivEntry *entries = NULL;
2208 /* remember that the enum_context starts at 0 and not 1 */
2210 if ( enum_context >= num_privs )
2211 return NT_STATUS_NO_MORE_ENTRIES;
2213 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
2214 enum_context, num_privs));
2216 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2217 return NT_STATUS_INVALID_HANDLE;
2219 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
2220 return NT_STATUS_INVALID_HANDLE;
2223 /* check if the user has enough rights
2224 I don't know if it's the right one. not documented. */
2226 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
2227 return NT_STATUS_ACCESS_DENIED;
2230 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
2232 return NT_STATUS_NO_MEMORY;
2238 for (i = 0; i < num_privs; i++) {
2239 if( i < enum_context) {
2241 init_lsa_StringLarge(&entries[i].name, NULL);
2243 entries[i].luid.low = 0;
2244 entries[i].luid.high = 0;
2247 init_lsa_StringLarge(&entries[i].name, sec_privilege_name_from_index(i));
2249 entries[i].luid.low = sec_privilege_from_index(i);
2250 entries[i].luid.high = 0;
2254 enum_context = num_privs;
2256 *r->out.resume_handle = enum_context;
2257 r->out.privs->count = num_privs;
2258 r->out.privs->privs = entries;
2260 return NT_STATUS_OK;
2263 /***************************************************************************
2264 _lsa_LookupPrivDisplayName
2265 ***************************************************************************/
2267 NTSTATUS _lsa_LookupPrivDisplayName(struct pipes_struct *p,
2268 struct lsa_LookupPrivDisplayName *r)
2270 struct lsa_info *handle;
2271 const char *description;
2272 struct lsa_StringLarge *lsa_name;
2274 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2275 return NT_STATUS_INVALID_HANDLE;
2277 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
2278 return NT_STATUS_INVALID_HANDLE;
2281 /* check if the user has enough rights */
2284 * I don't know if it's the right one. not documented.
2286 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
2287 return NT_STATUS_ACCESS_DENIED;
2289 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
2291 description = get_privilege_dispname(r->in.name->string);
2293 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
2294 return NT_STATUS_NO_SUCH_PRIVILEGE;
2297 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
2299 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2301 return NT_STATUS_NO_MEMORY;
2304 init_lsa_StringLarge(lsa_name, description);
2306 *r->out.returned_language_id = r->in.language_id;
2307 *r->out.disp_name = lsa_name;
2309 return NT_STATUS_OK;
2312 /***************************************************************************
2314 ***************************************************************************/
2316 NTSTATUS _lsa_EnumAccounts(struct pipes_struct *p,
2317 struct lsa_EnumAccounts *r)
2319 struct lsa_info *handle;
2320 struct dom_sid *sid_list;
2321 int i, j, num_entries;
2323 struct lsa_SidPtr *sids = NULL;
2325 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2326 return NT_STATUS_INVALID_HANDLE;
2328 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
2329 return NT_STATUS_INVALID_HANDLE;
2332 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
2333 return NT_STATUS_ACCESS_DENIED;
2338 /* The only way we can currently find out all the SIDs that have been
2339 privileged is to scan all privileges */
2341 status = privilege_enumerate_accounts(&sid_list, &num_entries);
2342 if (!NT_STATUS_IS_OK(status)) {
2346 if (*r->in.resume_handle >= num_entries) {
2347 return NT_STATUS_NO_MORE_ENTRIES;
2350 if (num_entries - *r->in.resume_handle) {
2351 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
2352 num_entries - *r->in.resume_handle);
2354 talloc_free(sid_list);
2355 return NT_STATUS_NO_MEMORY;
2358 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
2359 sids[j].sid = dom_sid_dup(p->mem_ctx, &sid_list[i]);
2361 talloc_free(sid_list);
2362 return NT_STATUS_NO_MEMORY;
2367 talloc_free(sid_list);
2369 *r->out.resume_handle = num_entries;
2370 r->out.sids->num_sids = num_entries;
2371 r->out.sids->sids = sids;
2373 return NT_STATUS_OK;
2376 /***************************************************************************
2378 ***************************************************************************/
2380 NTSTATUS _lsa_GetUserName(struct pipes_struct *p,
2381 struct lsa_GetUserName *r)
2383 const char *username, *domname;
2384 struct lsa_String *account_name = NULL;
2385 struct lsa_String *authority_name = NULL;
2387 if (r->in.account_name &&
2388 *r->in.account_name) {
2389 return NT_STATUS_INVALID_PARAMETER;
2392 if (r->in.authority_name &&
2393 *r->in.authority_name) {
2394 return NT_STATUS_INVALID_PARAMETER;
2397 if (p->server_info->guest) {
2399 * I'm 99% sure this is not the right place to do this,
2400 * global_sid_Anonymous should probably be put into the token
2401 * instead of the guest id -- vl
2403 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
2404 &domname, &username, NULL)) {
2405 return NT_STATUS_NO_MEMORY;
2408 username = p->server_info->sanitized_username;
2409 domname = p->server_info->info3->base.domain.string;
2412 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
2413 if (!account_name) {
2414 return NT_STATUS_NO_MEMORY;
2416 init_lsa_String(account_name, username);
2418 if (r->out.authority_name) {
2419 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
2420 if (!authority_name) {
2421 return NT_STATUS_NO_MEMORY;
2423 init_lsa_String(authority_name, domname);
2426 *r->out.account_name = account_name;
2427 if (r->out.authority_name) {
2428 *r->out.authority_name = authority_name;
2431 return NT_STATUS_OK;
2434 /***************************************************************************
2436 ***************************************************************************/
2438 NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
2439 struct lsa_CreateAccount *r)
2442 struct lsa_info *handle;
2443 uint32_t acc_granted;
2444 struct security_descriptor *psd;
2447 /* find the connection policy handle. */
2448 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2449 return NT_STATUS_INVALID_HANDLE;
2451 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
2452 return NT_STATUS_INVALID_HANDLE;
2455 /* check if the user has enough rights */
2457 if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
2458 return NT_STATUS_ACCESS_DENIED;
2461 /* Work out max allowed. */
2462 map_max_allowed_access(p->server_info->security_token,
2463 &p->server_info->utok,
2464 &r->in.access_mask);
2466 /* map the generic bits to the lsa policy ones */
2467 se_map_generic(&r->in.access_mask, &lsa_account_mapping);
2469 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2470 &lsa_account_mapping,
2471 r->in.sid, LSA_POLICY_ALL_ACCESS);
2472 if (!NT_STATUS_IS_OK(status)) {
2476 status = access_check_object(psd, p->server_info->security_token,
2477 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, r->in.access_mask,
2478 &acc_granted, "_lsa_CreateAccount");
2479 if (!NT_STATUS_IS_OK(status)) {
2483 if ( is_privileged_sid( r->in.sid ) )
2484 return NT_STATUS_OBJECT_NAME_COLLISION;
2486 status = create_lsa_policy_handle(p->mem_ctx, p,
2487 LSA_HANDLE_ACCOUNT_TYPE,
2492 r->out.acct_handle);
2493 if (!NT_STATUS_IS_OK(status)) {
2494 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2497 return privilege_create_account(r->in.sid);
2500 /***************************************************************************
2502 ***************************************************************************/
2504 NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
2505 struct lsa_OpenAccount *r)
2507 struct lsa_info *handle;
2508 struct security_descriptor *psd = NULL;
2510 uint32_t des_access = r->in.access_mask;
2511 uint32_t acc_granted;
2514 /* find the connection policy handle. */
2515 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2516 return NT_STATUS_INVALID_HANDLE;
2518 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
2519 return NT_STATUS_INVALID_HANDLE;
2522 /* des_access is for the account here, not the policy
2523 * handle - so don't check against policy handle. */
2525 /* Work out max allowed. */
2526 map_max_allowed_access(p->server_info->security_token,
2527 &p->server_info->utok,
2530 /* map the generic bits to the lsa account ones */
2531 se_map_generic(&des_access, &lsa_account_mapping);
2533 /* get the generic lsa account SD until we store it */
2534 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2535 &lsa_account_mapping,
2536 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2537 if (!NT_STATUS_IS_OK(status)) {
2541 status = access_check_object(psd, p->server_info->security_token,
2542 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, des_access,
2543 &acc_granted, "_lsa_OpenAccount" );
2544 if (!NT_STATUS_IS_OK(status)) {
2548 /* TODO: Fis the parsing routine before reenabling this check! */
2550 if (!lookup_sid(&handle->sid, dom_name, name, &type))
2551 return NT_STATUS_ACCESS_DENIED;
2554 status = create_lsa_policy_handle(p->mem_ctx, p,
2555 LSA_HANDLE_ACCOUNT_TYPE,
2560 r->out.acct_handle);
2561 if (!NT_STATUS_IS_OK(status)) {
2562 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2565 return NT_STATUS_OK;
2568 /***************************************************************************
2569 _lsa_EnumPrivsAccount
2570 For a given SID, enumerate all the privilege this account has.
2571 ***************************************************************************/
2573 NTSTATUS _lsa_EnumPrivsAccount(struct pipes_struct *p,
2574 struct lsa_EnumPrivsAccount *r)
2576 NTSTATUS status = NT_STATUS_OK;
2577 struct lsa_info *info=NULL;
2578 PRIVILEGE_SET *privileges;
2579 struct lsa_PrivilegeSet *priv_set = NULL;
2581 /* find the connection policy handle. */
2582 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2583 return NT_STATUS_INVALID_HANDLE;
2585 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2586 return NT_STATUS_INVALID_HANDLE;
2589 if (!(info->access & LSA_ACCOUNT_VIEW))
2590 return NT_STATUS_ACCESS_DENIED;
2592 status = get_privileges_for_sid_as_set(p->mem_ctx, &privileges, &info->sid);
2593 if (!NT_STATUS_IS_OK(status)) {
2597 *r->out.privs = priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
2599 return NT_STATUS_NO_MEMORY;
2602 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
2603 sid_string_dbg(&info->sid),
2604 privileges->count));
2606 priv_set->count = privileges->count;
2607 priv_set->unknown = 0;
2608 priv_set->set = talloc_move(priv_set, &privileges->set);
2613 /***************************************************************************
2614 _lsa_GetSystemAccessAccount
2615 ***************************************************************************/
2617 NTSTATUS _lsa_GetSystemAccessAccount(struct pipes_struct *p,
2618 struct lsa_GetSystemAccessAccount *r)
2621 struct lsa_info *info = NULL;
2622 struct lsa_EnumPrivsAccount e;
2623 struct lsa_PrivilegeSet *privset;
2625 /* find the connection policy handle. */
2627 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2628 return NT_STATUS_INVALID_HANDLE;
2630 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2631 return NT_STATUS_INVALID_HANDLE;
2634 if (!(info->access & LSA_ACCOUNT_VIEW))
2635 return NT_STATUS_ACCESS_DENIED;
2637 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
2639 return NT_STATUS_NO_MEMORY;
2642 e.in.handle = r->in.handle;
2643 e.out.privs = &privset;
2645 status = _lsa_EnumPrivsAccount(p, &e);
2646 if (!NT_STATUS_IS_OK(status)) {
2647 DEBUG(10,("_lsa_GetSystemAccessAccount: "
2648 "failed to call _lsa_EnumPrivsAccount(): %s\n",
2649 nt_errstr(status)));
2653 /* Samba4 would iterate over the privset to merge the policy mode bits,
2654 * not sure samba3 can do the same here, so just return what we did in
2658 0x01 -> Log on locally
2659 0x02 -> Access this computer from network
2660 0x04 -> Log on as a batch job
2661 0x10 -> Log on as a service
2663 they can be ORed together
2666 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
2667 LSA_POLICY_MODE_NETWORK;
2669 return NT_STATUS_OK;
2672 /***************************************************************************
2673 update the systemaccount information
2674 ***************************************************************************/
2676 NTSTATUS _lsa_SetSystemAccessAccount(struct pipes_struct *p,
2677 struct lsa_SetSystemAccessAccount *r)
2679 struct lsa_info *info=NULL;
2682 /* find the connection policy handle. */
2683 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2684 return NT_STATUS_INVALID_HANDLE;
2686 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2687 return NT_STATUS_INVALID_HANDLE;
2690 if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
2691 return NT_STATUS_ACCESS_DENIED;
2694 if (!pdb_getgrsid(&map, info->sid))
2695 return NT_STATUS_NO_SUCH_GROUP;
2697 return pdb_update_group_mapping_entry(&map);
2700 /***************************************************************************
2701 _lsa_AddPrivilegesToAccount
2702 For a given SID, add some privileges.
2703 ***************************************************************************/
2705 NTSTATUS _lsa_AddPrivilegesToAccount(struct pipes_struct *p,
2706 struct lsa_AddPrivilegesToAccount *r)
2708 struct lsa_info *info = NULL;
2709 struct lsa_PrivilegeSet *set = NULL;
2711 /* find the connection policy handle. */
2712 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2713 return NT_STATUS_INVALID_HANDLE;
2715 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2716 return NT_STATUS_INVALID_HANDLE;
2719 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2720 return NT_STATUS_ACCESS_DENIED;
2725 if ( !grant_privilege_set( &info->sid, set ) ) {
2726 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege_set(%s) failed!\n",
2727 sid_string_dbg(&info->sid) ));
2728 return NT_STATUS_NO_SUCH_PRIVILEGE;
2731 return NT_STATUS_OK;
2734 /***************************************************************************
2735 _lsa_RemovePrivilegesFromAccount
2736 For a given SID, remove some privileges.
2737 ***************************************************************************/
2739 NTSTATUS _lsa_RemovePrivilegesFromAccount(struct pipes_struct *p,
2740 struct lsa_RemovePrivilegesFromAccount *r)
2742 struct lsa_info *info = NULL;
2743 struct lsa_PrivilegeSet *set = NULL;
2745 /* find the connection policy handle. */
2746 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2747 return NT_STATUS_INVALID_HANDLE;
2749 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2750 return NT_STATUS_INVALID_HANDLE;
2753 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2754 return NT_STATUS_ACCESS_DENIED;
2759 if ( !revoke_privilege_set( &info->sid, set) ) {
2760 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2761 sid_string_dbg(&info->sid) ));
2762 return NT_STATUS_NO_SUCH_PRIVILEGE;
2765 return NT_STATUS_OK;
2768 /***************************************************************************
2770 ***************************************************************************/
2772 NTSTATUS _lsa_LookupPrivName(struct pipes_struct *p,
2773 struct lsa_LookupPrivName *r)
2775 struct lsa_info *info = NULL;
2777 struct lsa_StringLarge *lsa_name;
2779 /* find the connection policy handle. */
2780 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2781 return NT_STATUS_INVALID_HANDLE;
2784 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2785 return NT_STATUS_INVALID_HANDLE;
2788 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2789 return NT_STATUS_ACCESS_DENIED;
2792 if (r->in.luid->high != 0) {
2793 return NT_STATUS_NO_SUCH_PRIVILEGE;
2796 name = sec_privilege_name(r->in.luid->low);
2798 return NT_STATUS_NO_SUCH_PRIVILEGE;
2801 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2803 return NT_STATUS_NO_MEMORY;
2806 lsa_name->string = talloc_strdup(lsa_name, name);
2807 if (!lsa_name->string) {
2808 TALLOC_FREE(lsa_name);
2809 return NT_STATUS_NO_MEMORY;
2812 *r->out.name = lsa_name;
2814 return NT_STATUS_OK;
2817 /***************************************************************************
2819 ***************************************************************************/
2821 NTSTATUS _lsa_QuerySecurity(struct pipes_struct *p,
2822 struct lsa_QuerySecurity *r)
2824 struct lsa_info *handle=NULL;
2825 struct security_descriptor *psd = NULL;
2829 /* find the connection policy handle. */
2830 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2831 return NT_STATUS_INVALID_HANDLE;
2833 switch (handle->type) {
2834 case LSA_HANDLE_POLICY_TYPE:
2835 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2836 &lsa_policy_mapping, NULL, 0);
2838 case LSA_HANDLE_ACCOUNT_TYPE:
2839 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2840 &lsa_account_mapping,
2841 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2844 status = NT_STATUS_INVALID_HANDLE;
2848 if (!NT_STATUS_IS_OK(status)) {
2852 *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2853 if (!*r->out.sdbuf) {
2854 return NT_STATUS_NO_MEMORY;
2860 /***************************************************************************
2861 _lsa_AddAccountRights
2862 ***************************************************************************/
2864 NTSTATUS _lsa_AddAccountRights(struct pipes_struct *p,
2865 struct lsa_AddAccountRights *r)
2867 struct lsa_info *info = NULL;
2869 uint32_t acc_granted = 0;
2870 struct security_descriptor *psd = NULL;
2875 /* find the connection policy handle. */
2876 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2877 return NT_STATUS_INVALID_HANDLE;
2879 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2880 return NT_STATUS_INVALID_HANDLE;
2883 /* get the generic lsa account SD for this SID until we store it */
2884 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2885 &lsa_account_mapping,
2886 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2887 if (!NT_STATUS_IS_OK(status)) {
2892 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2893 * on the policy handle. If it does, ask for
2894 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2895 * on the account sid. We don't check here so just use the latter. JRA.
2898 status = access_check_object(psd, p->server_info->security_token,
2899 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
2900 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2901 &acc_granted, "_lsa_AddAccountRights" );
2902 if (!NT_STATUS_IS_OK(status)) {
2906 /* according to an NT4 PDC, you can add privileges to SIDs even without
2907 call_lsa_create_account() first. And you can use any arbitrary SID. */
2909 sid_copy( &sid, r->in.sid );
2911 for ( i=0; i < r->in.rights->count; i++ ) {
2913 const char *privname = r->in.rights->names[i].string;
2915 /* only try to add non-null strings */
2920 if ( !grant_privilege_by_name( &sid, privname ) ) {
2921 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2923 return NT_STATUS_NO_SUCH_PRIVILEGE;
2927 return NT_STATUS_OK;
2930 /***************************************************************************
2931 _lsa_RemoveAccountRights
2932 ***************************************************************************/
2934 NTSTATUS _lsa_RemoveAccountRights(struct pipes_struct *p,
2935 struct lsa_RemoveAccountRights *r)
2937 struct lsa_info *info = NULL;
2939 struct security_descriptor *psd = NULL;
2942 const char *privname = NULL;
2943 uint32_t acc_granted = 0;
2946 /* find the connection policy handle. */
2947 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2948 return NT_STATUS_INVALID_HANDLE;
2950 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2951 return NT_STATUS_INVALID_HANDLE;
2954 /* get the generic lsa account SD for this SID until we store it */
2955 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2956 &lsa_account_mapping,
2957 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2958 if (!NT_STATUS_IS_OK(status)) {
2963 * From the MS DOCs. We need
2964 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2965 * and DELETE on the account sid.
2968 status = access_check_object(psd, p->server_info->security_token,
2969 SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
2970 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2971 LSA_ACCOUNT_VIEW|SEC_STD_DELETE,
2972 &acc_granted, "_lsa_RemoveAccountRights");
2973 if (!NT_STATUS_IS_OK(status)) {
2977 sid_copy( &sid, r->in.sid );
2979 if ( r->in.remove_all ) {
2980 if ( !revoke_all_privileges( &sid ) )
2981 return NT_STATUS_ACCESS_DENIED;
2983 return NT_STATUS_OK;
2986 for ( i=0; i < r->in.rights->count; i++ ) {
2988 privname = r->in.rights->names[i].string;
2990 /* only try to add non-null strings */
2995 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2996 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2998 return NT_STATUS_NO_SUCH_PRIVILEGE;
3002 return NT_STATUS_OK;
3005 /*******************************************************************
3006 ********************************************************************/
3008 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
3009 struct lsa_RightSet *r,
3010 PRIVILEGE_SET *privileges)
3013 const char *privname;
3014 const char **privname_array = NULL;
3017 for (i=0; i<privileges->count; i++) {
3018 if (privileges->set[i].luid.high) {
3021 privname = sec_privilege_name(privileges->set[i].luid.low);
3023 if (!add_string_to_array(mem_ctx, privname,
3024 &privname_array, &num_priv)) {
3025 return NT_STATUS_NO_MEMORY;
3032 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
3035 return NT_STATUS_NO_MEMORY;
3038 for (i=0; i<num_priv; i++) {
3039 init_lsa_StringLarge(&r->names[i], privname_array[i]);
3042 r->count = num_priv;
3045 return NT_STATUS_OK;
3048 /***************************************************************************
3049 _lsa_EnumAccountRights
3050 ***************************************************************************/
3052 NTSTATUS _lsa_EnumAccountRights(struct pipes_struct *p,
3053 struct lsa_EnumAccountRights *r)
3056 struct lsa_info *info = NULL;
3057 PRIVILEGE_SET *privileges;
3059 /* find the connection policy handle. */
3061 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
3062 return NT_STATUS_INVALID_HANDLE;
3064 if (info->type != LSA_HANDLE_POLICY_TYPE) {
3065 return NT_STATUS_INVALID_HANDLE;
3068 if (!(info->access & LSA_ACCOUNT_VIEW)) {
3069 return NT_STATUS_ACCESS_DENIED;
3072 /* according to an NT4 PDC, you can add privileges to SIDs even without
3073 call_lsa_create_account() first. And you can use any arbitrary SID. */
3075 /* according to MS-LSAD 3.1.4.5.10 it is required to return
3076 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
3077 * the lsa database */
3079 status = get_privileges_for_sid_as_set(p->mem_ctx, &privileges, r->in.sid);
3080 if (!NT_STATUS_IS_OK(status)) {
3084 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
3085 sid_string_dbg(r->in.sid), privileges->count));
3087 status = init_lsa_right_set(p->mem_ctx, r->out.rights, privileges);
3092 /***************************************************************************
3093 _lsa_LookupPrivValue
3094 ***************************************************************************/
3096 NTSTATUS _lsa_LookupPrivValue(struct pipes_struct *p,
3097 struct lsa_LookupPrivValue *r)
3099 struct lsa_info *info = NULL;
3100 const char *name = NULL;
3102 /* find the connection policy handle. */
3104 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
3105 return NT_STATUS_INVALID_HANDLE;
3107 if (info->type != LSA_HANDLE_POLICY_TYPE) {
3108 return NT_STATUS_INVALID_HANDLE;
3111 if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
3112 return NT_STATUS_ACCESS_DENIED;
3114 name = r->in.name->string;
3116 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
3118 r->out.luid->low = sec_privilege_id(name);
3119 r->out.luid->high = 0;
3120 if (r->out.luid->low == SEC_PRIV_INVALID) {
3121 return NT_STATUS_NO_SUCH_PRIVILEGE;
3123 return NT_STATUS_OK;
3126 /***************************************************************************
3127 _lsa_EnumAccountsWithUserRight
3128 ***************************************************************************/
3130 NTSTATUS _lsa_EnumAccountsWithUserRight(struct pipes_struct *p,
3131 struct lsa_EnumAccountsWithUserRight *r)
3134 struct lsa_info *info = NULL;
3135 struct dom_sid *sids = NULL;
3138 enum sec_privilege privilege;
3140 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
3141 return NT_STATUS_INVALID_HANDLE;
3144 if (info->type != LSA_HANDLE_POLICY_TYPE) {
3145 return NT_STATUS_INVALID_HANDLE;
3148 if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
3149 return NT_STATUS_ACCESS_DENIED;
3152 if (!r->in.name || !r->in.name->string) {
3153 return NT_STATUS_NO_SUCH_PRIVILEGE;
3156 privilege = sec_privilege_id(r->in.name->string);
3157 if (privilege == SEC_PRIV_INVALID) {
3158 return NT_STATUS_NO_SUCH_PRIVILEGE;
3161 status = privilege_enum_sids(privilege, p->mem_ctx,
3163 if (!NT_STATUS_IS_OK(status)) {
3167 r->out.sids->num_sids = num_sids;
3168 r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
3169 r->out.sids->num_sids);
3171 for (i=0; i < r->out.sids->num_sids; i++) {
3172 r->out.sids->sids[i].sid = dom_sid_dup(r->out.sids->sids,
3174 if (!r->out.sids->sids[i].sid) {
3175 TALLOC_FREE(r->out.sids->sids);
3176 r->out.sids->num_sids = 0;
3177 return NT_STATUS_NO_MEMORY;
3181 return NT_STATUS_OK;
3184 /***************************************************************************
3186 ***************************************************************************/
3188 NTSTATUS _lsa_Delete(struct pipes_struct *p,
3189 struct lsa_Delete *r)
3191 return NT_STATUS_NOT_SUPPORTED;
3195 * From here on the server routines are just dummy ones to make smbd link with
3196 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
3197 * pulling the server stubs across one by one.
3200 NTSTATUS _lsa_SetSecObj(struct pipes_struct *p, struct lsa_SetSecObj *r)
3202 p->rng_fault_state = True;
3203 return NT_STATUS_NOT_IMPLEMENTED;
3206 NTSTATUS _lsa_ChangePassword(struct pipes_struct *p,
3207 struct lsa_ChangePassword *r)
3209 p->rng_fault_state = True;
3210 return NT_STATUS_NOT_IMPLEMENTED;
3213 NTSTATUS _lsa_SetInfoPolicy(struct pipes_struct *p, struct lsa_SetInfoPolicy *r)
3215 p->rng_fault_state = True;
3216 return NT_STATUS_NOT_IMPLEMENTED;
3219 NTSTATUS _lsa_ClearAuditLog(struct pipes_struct *p, struct lsa_ClearAuditLog *r)
3221 p->rng_fault_state = True;
3222 return NT_STATUS_NOT_IMPLEMENTED;
3225 NTSTATUS _lsa_GetQuotasForAccount(struct pipes_struct *p,
3226 struct lsa_GetQuotasForAccount *r)
3228 p->rng_fault_state = True;
3229 return NT_STATUS_NOT_IMPLEMENTED;
3232 NTSTATUS _lsa_SetQuotasForAccount(struct pipes_struct *p,
3233 struct lsa_SetQuotasForAccount *r)
3235 p->rng_fault_state = True;
3236 return NT_STATUS_NOT_IMPLEMENTED;
3239 NTSTATUS _lsa_SetInformationTrustedDomain(struct pipes_struct *p,
3240 struct lsa_SetInformationTrustedDomain *r)
3242 p->rng_fault_state = True;
3243 return NT_STATUS_NOT_IMPLEMENTED;
3246 NTSTATUS _lsa_QuerySecret(struct pipes_struct *p, struct lsa_QuerySecret *r)
3248 p->rng_fault_state = True;
3249 return NT_STATUS_NOT_IMPLEMENTED;
3252 NTSTATUS _lsa_SetTrustedDomainInfo(struct pipes_struct *p,
3253 struct lsa_SetTrustedDomainInfo *r)
3255 p->rng_fault_state = True;
3256 return NT_STATUS_NOT_IMPLEMENTED;
3259 NTSTATUS _lsa_StorePrivateData(struct pipes_struct *p,
3260 struct lsa_StorePrivateData *r)
3262 p->rng_fault_state = True;
3263 return NT_STATUS_NOT_IMPLEMENTED;
3266 NTSTATUS _lsa_RetrievePrivateData(struct pipes_struct *p,
3267 struct lsa_RetrievePrivateData *r)
3269 p->rng_fault_state = True;
3270 return NT_STATUS_NOT_IMPLEMENTED;
3273 NTSTATUS _lsa_SetInfoPolicy2(struct pipes_struct *p,
3274 struct lsa_SetInfoPolicy2 *r)
3276 p->rng_fault_state = True;
3277 return NT_STATUS_NOT_IMPLEMENTED;
3280 NTSTATUS _lsa_SetTrustedDomainInfoByName(struct pipes_struct *p,
3281 struct lsa_SetTrustedDomainInfoByName *r)
3283 p->rng_fault_state = True;
3284 return NT_STATUS_NOT_IMPLEMENTED;
3287 NTSTATUS _lsa_EnumTrustedDomainsEx(struct pipes_struct *p,
3288 struct lsa_EnumTrustedDomainsEx *r)
3290 struct lsa_info *info;
3292 struct pdb_trusted_domain **domains;
3293 struct lsa_TrustDomainInfoInfoEx *entries;
3297 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
3298 return NT_STATUS_INVALID_HANDLE;
3300 if (info->type != LSA_HANDLE_POLICY_TYPE) {
3301 return NT_STATUS_INVALID_HANDLE;
3304 /* check if the user has enough rights */
3305 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
3306 return NT_STATUS_ACCESS_DENIED;
3309 nt_status = pdb_enum_trusted_domains(p->mem_ctx, &count, &domains);
3312 if (!NT_STATUS_IS_OK(nt_status)) {
3316 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TrustDomainInfoInfoEx,
3319 return NT_STATUS_NO_MEMORY;
3322 for (i=0; i<count; i++) {
3323 init_lsa_StringLarge(&entries[i].netbios_name,
3324 domains[i]->netbios_name);
3325 entries[i].sid = &domains[i]->security_identifier;
3328 if (*r->in.resume_handle >= count) {
3329 *r->out.resume_handle = -1;
3330 TALLOC_FREE(entries);
3331 return NT_STATUS_NO_MORE_ENTRIES;
3334 /* return the rest, limit by max_size. Note that we
3335 use the w2k3 element size value of 60 */
3336 r->out.domains->count = count - *r->in.resume_handle;
3337 r->out.domains->count = MIN(r->out.domains->count,
3338 (r->in.max_size/LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER));
3340 r->out.domains->domains = entries + *r->in.resume_handle;
3342 if (r->out.domains->count < count - *r->in.resume_handle) {
3343 *r->out.resume_handle = *r->in.resume_handle + r->out.domains->count;
3344 return STATUS_MORE_ENTRIES;
3347 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
3348 * always be larger than the previous input resume handle, in
3349 * particular when hitting the last query it is vital to set the
3350 * resume handle correctly to avoid infinite client loops, as
3351 * seen e.g. with Windows XP SP3 when resume handle is 0 and
3352 * status is NT_STATUS_OK - gd */
3354 *r->out.resume_handle = (uint32_t)-1;
3356 return NT_STATUS_OK;
3359 NTSTATUS _lsa_QueryDomainInformationPolicy(struct pipes_struct *p,
3360 struct lsa_QueryDomainInformationPolicy *r)
3362 p->rng_fault_state = True;
3363 return NT_STATUS_NOT_IMPLEMENTED;
3366 NTSTATUS _lsa_SetDomainInformationPolicy(struct pipes_struct *p,
3367 struct lsa_SetDomainInformationPolicy *r)
3369 p->rng_fault_state = True;
3370 return NT_STATUS_NOT_IMPLEMENTED;
3373 NTSTATUS _lsa_TestCall(struct pipes_struct *p, struct lsa_TestCall *r)
3375 p->rng_fault_state = True;
3376 return NT_STATUS_NOT_IMPLEMENTED;
3379 NTSTATUS _lsa_CREDRWRITE(struct pipes_struct *p, struct lsa_CREDRWRITE *r)
3381 p->rng_fault_state = True;
3382 return NT_STATUS_NOT_IMPLEMENTED;
3385 NTSTATUS _lsa_CREDRREAD(struct pipes_struct *p, struct lsa_CREDRREAD *r)
3387 p->rng_fault_state = True;
3388 return NT_STATUS_NOT_IMPLEMENTED;
3391 NTSTATUS _lsa_CREDRENUMERATE(struct pipes_struct *p, struct lsa_CREDRENUMERATE *r)
3393 p->rng_fault_state = True;
3394 return NT_STATUS_NOT_IMPLEMENTED;
3397 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(struct pipes_struct *p,
3398 struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
3400 p->rng_fault_state = True;
3401 return NT_STATUS_NOT_IMPLEMENTED;
3404 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(struct pipes_struct *p,
3405 struct lsa_CREDRREADDOMAINCREDENTIALS *r)
3407 p->rng_fault_state = True;
3408 return NT_STATUS_NOT_IMPLEMENTED;
3411 NTSTATUS _lsa_CREDRDELETE(struct pipes_struct *p, struct lsa_CREDRDELETE *r)
3413 p->rng_fault_state = True;
3414 return NT_STATUS_NOT_IMPLEMENTED;
3417 NTSTATUS _lsa_CREDRGETTARGETINFO(struct pipes_struct *p,
3418 struct lsa_CREDRGETTARGETINFO *r)
3420 p->rng_fault_state = True;
3421 return NT_STATUS_NOT_IMPLEMENTED;
3424 NTSTATUS _lsa_CREDRPROFILELOADED(struct pipes_struct *p,
3425 struct lsa_CREDRPROFILELOADED *r)
3427 p->rng_fault_state = True;
3428 return NT_STATUS_NOT_IMPLEMENTED;
3431 NTSTATUS _lsa_CREDRGETSESSIONTYPES(struct pipes_struct *p,
3432 struct lsa_CREDRGETSESSIONTYPES *r)
3434 p->rng_fault_state = True;
3435 return NT_STATUS_NOT_IMPLEMENTED;
3438 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(struct pipes_struct *p,
3439 struct lsa_LSARREGISTERAUDITEVENT *r)
3441 p->rng_fault_state = True;
3442 return NT_STATUS_NOT_IMPLEMENTED;
3445 NTSTATUS _lsa_LSARGENAUDITEVENT(struct pipes_struct *p,
3446 struct lsa_LSARGENAUDITEVENT *r)
3448 p->rng_fault_state = True;
3449 return NT_STATUS_NOT_IMPLEMENTED;
3452 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(struct pipes_struct *p,
3453 struct lsa_LSARUNREGISTERAUDITEVENT *r)
3455 p->rng_fault_state = True;
3456 return NT_STATUS_NOT_IMPLEMENTED;
3459 NTSTATUS _lsa_lsaRQueryForestTrustInformation(struct pipes_struct *p,
3460 struct lsa_lsaRQueryForestTrustInformation *r)
3462 p->rng_fault_state = True;
3463 return NT_STATUS_NOT_IMPLEMENTED;
3466 NTSTATUS _lsa_lsaRSetForestTrustInformation(struct pipes_struct *p,
3467 struct lsa_lsaRSetForestTrustInformation *r)
3469 p->rng_fault_state = True;
3470 return NT_STATUS_NOT_IMPLEMENTED;
3473 NTSTATUS _lsa_CREDRRENAME(struct pipes_struct *p,
3474 struct lsa_CREDRRENAME *r)
3476 p->rng_fault_state = True;
3477 return NT_STATUS_NOT_IMPLEMENTED;
3480 NTSTATUS _lsa_LSAROPENPOLICYSCE(struct pipes_struct *p,
3481 struct lsa_LSAROPENPOLICYSCE *r)
3483 p->rng_fault_state = True;
3484 return NT_STATUS_NOT_IMPLEMENTED;
3487 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(struct pipes_struct *p,
3488 struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
3490 p->rng_fault_state = True;
3491 return NT_STATUS_NOT_IMPLEMENTED;
3494 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(struct pipes_struct *p,
3495 struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
3497 p->rng_fault_state = True;
3498 return NT_STATUS_NOT_IMPLEMENTED;
3501 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(struct pipes_struct *p,
3502 struct lsa_LSARADTREPORTSECURITYEVENT *r)
3504 p->rng_fault_state = True;
3505 return NT_STATUS_NOT_IMPLEMENTED;