r5246: We can't use a pointer to struct lsa_info until is has been
[ira/wip.git] / source / rpc_server / srv_lsa_nt.c
1 /*
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Copyright (C) Andrew Tridgell              1992-1997,
5  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6  *  Copyright (C) Paul Ashton                       1997,
7  *  Copyright (C) Jeremy Allison                    2001,
8  *  Copyright (C) Rafal Szczesniak                  2002,
9  *  Copyright (C) Jim McDonough <jmcd@us.ibm.com>   2002,
10  *  Copyright (C) Simo Sorce                        2003.
11  *
12  *  This program is free software; you can redistribute it and/or modify
13  *  it under the terms of the GNU General Public License as published by
14  *  the Free Software Foundation; either version 2 of the License, or
15  *  (at your option) any later version.
16  *  
17  *  This program is distributed in the hope that it will be useful,
18  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
19  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
20  *  GNU General Public License for more details.
21  *  
22  *  You should have received a copy of the GNU General Public License
23  *  along with this program; if not, write to the Free Software
24  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25  */
26
27 /* This is the implementation of the lsa server code. */
28
29 #include "includes.h"
30
31 #undef DBGC_CLASS
32 #define DBGC_CLASS DBGC_RPC_SRV
33
34 extern PRIVS privs[];
35
36 struct lsa_info {
37         DOM_SID sid;
38         uint32 access;
39 };
40
41 struct generic_mapping lsa_generic_mapping = {
42         POLICY_READ,
43         POLICY_WRITE,
44         POLICY_EXECUTE,
45         POLICY_ALL_ACCESS
46 };
47
48 /*******************************************************************
49  Function to free the per handle data.
50  ********************************************************************/
51
52 static void free_lsa_info(void *ptr)
53 {
54         struct lsa_info *lsa = (struct lsa_info *)ptr;
55
56         SAFE_FREE(lsa);
57 }
58
59 /***************************************************************************
60 Init dom_query
61  ***************************************************************************/
62
63 static void init_dom_query(DOM_QUERY *d_q, const char *dom_name, DOM_SID *dom_sid)
64 {
65         d_q->buffer_dom_name = (dom_name != NULL) ? 1 : 0; /* domain buffer pointer */
66         d_q->buffer_dom_sid = (dom_sid != NULL) ? 1 : 0;  /* domain sid pointer */
67
68         /* this string is supposed to be non-null terminated. */
69         /* But the maxlen in this UNISTR2 must include the terminating null. */
70         init_unistr2(&d_q->uni_domain_name, dom_name, UNI_BROKEN_NON_NULL);
71
72         /*
73          * I'm not sure why this really odd combination of length
74          * values works, but it does appear to. I need to look at
75          * this *much* more closely - but at the moment leave alone
76          * until it's understood. This allows a W2k client to join
77          * a domain with both odd and even length names... JRA.
78          */
79
80         /*
81          * IMPORTANT NOTE !!!!
82          * The two fields below probably are reversed in meaning, ie.
83          * the first field is probably the str_len, the second the max
84          * len. Both are measured in bytes anyway.
85          */
86
87         d_q->uni_dom_str_len = d_q->uni_domain_name.uni_max_len * 2;
88         d_q->uni_dom_max_len = d_q->uni_domain_name.uni_str_len * 2;
89
90         if (dom_sid != NULL)
91                 init_dom_sid2(&d_q->dom_sid, dom_sid);
92 }
93
94 /***************************************************************************
95  init_dom_ref - adds a domain if it's not already in, returns the index.
96 ***************************************************************************/
97
98 static int init_dom_ref(DOM_R_REF *ref, char *dom_name, DOM_SID *dom_sid)
99 {
100         int num = 0;
101
102         if (dom_name != NULL) {
103                 for (num = 0; num < ref->num_ref_doms_1; num++) {
104                         fstring domname;
105                         rpcstr_pull(domname, ref->ref_dom[num].uni_dom_name.buffer, sizeof(domname), -1, 0);
106                         if (strequal(domname, dom_name))
107                                 return num;
108                 }
109         } else {
110                 num = ref->num_ref_doms_1;
111         }
112
113         if (num >= MAX_REF_DOMAINS) {
114                 /* index not found, already at maximum domain limit */
115                 return -1;
116         }
117
118         ref->num_ref_doms_1 = num+1;
119         ref->ptr_ref_dom  = 1;
120         ref->max_entries = MAX_REF_DOMAINS;
121         ref->num_ref_doms_2 = num+1;
122
123         ref->hdr_ref_dom[num].ptr_dom_sid = dom_sid != NULL ? 1 : 0;
124
125         init_unistr2(&ref->ref_dom[num].uni_dom_name, dom_name, UNI_FLAGS_NONE);
126         init_uni_hdr(&ref->hdr_ref_dom[num].hdr_dom_name, &ref->ref_dom[num].uni_dom_name);
127
128         init_dom_sid2(&ref->ref_dom[num].ref_dom, dom_sid );
129
130         return num;
131 }
132
133 /***************************************************************************
134  init_lsa_rid2s
135  ***************************************************************************/
136
137 static void init_lsa_rid2s(DOM_R_REF *ref, DOM_RID2 *rid2,
138                                 int num_entries, UNISTR2 *name,
139                                 uint32 *mapped_count, BOOL endian)
140 {
141         int i;
142         int total = 0;
143         *mapped_count = 0;
144
145         SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
146
147         become_root(); /* lookup_name can require root privs */
148
149         for (i = 0; i < num_entries; i++) {
150                 BOOL status = False;
151                 DOM_SID sid;
152                 uint32 rid = 0xffffffff;
153                 int dom_idx = -1;
154                 pstring full_name;
155                 fstring dom_name, user;
156                 enum SID_NAME_USE name_type = SID_NAME_UNKNOWN;
157
158                 /* Split name into domain and user component */
159
160                 unistr2_to_ascii(full_name, &name[i], sizeof(full_name));
161                 split_domain_name(full_name, dom_name, user);
162
163                 /* Lookup name */
164
165                 DEBUG(5, ("init_lsa_rid2s: looking up name %s\n", full_name));
166
167                 status = lookup_name(dom_name, user, &sid, &name_type);
168
169                 if((name_type == SID_NAME_UNKNOWN) && (lp_server_role() == ROLE_DOMAIN_MEMBER)  && (strncmp(dom_name, full_name, strlen(dom_name)) != 0)) {
170                         DEBUG(5, ("init_lsa_rid2s: domain name not provided and local account not found, using member domain\n"));
171                         fstrcpy(dom_name, lp_workgroup());
172                         status = lookup_name(dom_name, user, &sid, &name_type);
173                 }
174
175 #if 0 /* This is not true. */
176                 if (name_type == SID_NAME_WKN_GRP) {
177                         /* BUILTIN aliases are still aliases :-) */
178                         name_type = SID_NAME_ALIAS;
179                 }
180 #endif
181
182                 DEBUG(5, ("init_lsa_rid2s: %s\n", status ? "found" : 
183                           "not found"));
184
185                 if (status && name_type != SID_NAME_UNKNOWN) {
186                         sid_split_rid(&sid, &rid);
187                         dom_idx = init_dom_ref(ref, dom_name, &sid);
188                         (*mapped_count)++;
189                 } else {
190                         dom_idx = -1;
191                         rid = 0;
192                         name_type = SID_NAME_UNKNOWN;
193                 }
194
195                 init_dom_rid2(&rid2[total], rid, name_type, dom_idx);
196                 total++;
197         }
198
199         unbecome_root();
200 }
201
202 /***************************************************************************
203  init_reply_lookup_names
204  ***************************************************************************/
205
206 static void init_reply_lookup_names(LSA_R_LOOKUP_NAMES *r_l,
207                 DOM_R_REF *ref, uint32 num_entries,
208                 DOM_RID2 *rid2, uint32 mapped_count)
209 {
210         r_l->ptr_dom_ref  = 1;
211         r_l->dom_ref      = ref;
212
213         r_l->num_entries  = num_entries;
214         r_l->ptr_entries  = 1;
215         r_l->num_entries2 = num_entries;
216         r_l->dom_rid      = rid2;
217
218         r_l->mapped_count = mapped_count;
219 }
220
221 /***************************************************************************
222  Init lsa_trans_names.
223  ***************************************************************************/
224
225 static void init_lsa_trans_names(TALLOC_CTX *ctx, DOM_R_REF *ref, LSA_TRANS_NAME_ENUM *trn,
226                                  int num_entries, DOM_SID2 *sid,
227                                  uint32 *mapped_count)
228 {
229         int i;
230         int total = 0;
231         *mapped_count = 0;
232
233         /* Allocate memory for list of names */
234
235         if (num_entries > 0) {
236                 if (!(trn->name = TALLOC_ARRAY(ctx, LSA_TRANS_NAME, num_entries))) {
237                         DEBUG(0, ("init_lsa_trans_names(): out of memory\n"));
238                         return;
239                 }
240
241                 if (!(trn->uni_name = TALLOC_ARRAY(ctx, UNISTR2, num_entries))) {
242                         DEBUG(0, ("init_lsa_trans_names(): out of memory\n"));
243                         return;
244                 }
245         }
246
247         become_root(); /* Need root to get to passdb to for local sids */
248
249         for (i = 0; i < num_entries; i++) {
250                 BOOL status = False;
251                 DOM_SID find_sid = sid[i].sid;
252                 uint32 rid = 0xffffffff;
253                 int dom_idx = -1;
254                 fstring name, dom_name;
255                 enum SID_NAME_USE sid_name_use = (enum SID_NAME_USE)0;
256
257                 sid_to_string(name, &find_sid);
258                 DEBUG(5, ("init_lsa_trans_names: looking up sid %s\n", name));
259
260                 /* Lookup sid from winbindd */
261
262                 status = lookup_sid(&find_sid, dom_name, name, &sid_name_use);
263
264                 DEBUG(5, ("init_lsa_trans_names: %s\n", status ? "found" : 
265                           "not found"));
266
267                 if (!status) {
268                         sid_name_use = SID_NAME_UNKNOWN;
269                         memset(dom_name, '\0', sizeof(dom_name));
270                         sid_to_string(name, &find_sid);
271                         dom_idx = -1;
272
273                         DEBUG(10,("init_lsa_trans_names: added unknown user '%s' to "
274                                   "referenced list.\n", name ));
275                 } else {
276                         (*mapped_count)++;
277                         /* Store domain sid in ref array */
278                         if (find_sid.num_auths == 5) {
279                                 sid_split_rid(&find_sid, &rid);
280                         }
281                         dom_idx = init_dom_ref(ref, dom_name, &find_sid);
282
283                         DEBUG(10,("init_lsa_trans_names: added %s '%s\\%s' (%d) to referenced list.\n", 
284                                 sid_type_lookup(sid_name_use), dom_name, name, sid_name_use ));
285
286                 }
287
288                 init_lsa_trans_name(&trn->name[total], &trn->uni_name[total],
289                                         sid_name_use, name, dom_idx);
290                 total++;
291         }
292
293         unbecome_root();
294
295         trn->num_entries = total;
296         trn->ptr_trans_names = 1;
297         trn->num_entries2 = total;
298 }
299
300 /***************************************************************************
301  Init_reply_lookup_sids.
302  ***************************************************************************/
303
304 static void init_reply_lookup_sids(LSA_R_LOOKUP_SIDS *r_l,
305                 DOM_R_REF *ref, LSA_TRANS_NAME_ENUM *names,
306                 uint32 mapped_count)
307 {
308         r_l->ptr_dom_ref  = 1;
309         r_l->dom_ref      = ref;
310         r_l->names        = names;
311         r_l->mapped_count = mapped_count;
312 }
313
314 static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size)
315 {
316         extern DOM_SID global_sid_World;
317         extern DOM_SID global_sid_Builtin;
318         DOM_SID local_adm_sid;
319         DOM_SID adm_sid;
320
321         SEC_ACE ace[3];
322         SEC_ACCESS mask;
323
324         SEC_ACL *psa = NULL;
325
326         init_sec_access(&mask, POLICY_EXECUTE);
327         init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
328
329         sid_copy(&adm_sid, get_global_sam_sid());
330         sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
331         init_sec_access(&mask, POLICY_ALL_ACCESS);
332         init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
333
334         sid_copy(&local_adm_sid, &global_sid_Builtin);
335         sid_append_rid(&local_adm_sid, BUILTIN_ALIAS_RID_ADMINS);
336         init_sec_access(&mask, POLICY_ALL_ACCESS);
337         init_sec_ace(&ace[2], &local_adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
338
339         if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
340                 return NT_STATUS_NO_MEMORY;
341
342         if((*sd = make_sec_desc(mem_ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL, psa, sd_size)) == NULL)
343                 return NT_STATUS_NO_MEMORY;
344
345         return NT_STATUS_OK;
346 }
347
348 /***************************************************************************
349  Init_dns_dom_info.
350 ***************************************************************************/
351
352 static void init_dns_dom_info(LSA_DNS_DOM_INFO *r_l, const char *nb_name,
353                               const char *dns_name, const char *forest_name,
354                               struct uuid *dom_guid, DOM_SID *dom_sid)
355 {
356         if (nb_name && *nb_name) {
357                 init_unistr2(&r_l->uni_nb_dom_name, nb_name, UNI_FLAGS_NONE);
358                 init_uni_hdr(&r_l->hdr_nb_dom_name, &r_l->uni_nb_dom_name);
359                 r_l->hdr_nb_dom_name.uni_max_len += 2;
360                 r_l->uni_nb_dom_name.uni_max_len += 1;
361         }
362         
363         if (dns_name && *dns_name) {
364                 init_unistr2(&r_l->uni_dns_dom_name, dns_name, UNI_FLAGS_NONE);
365                 init_uni_hdr(&r_l->hdr_dns_dom_name, &r_l->uni_dns_dom_name);
366                 r_l->hdr_dns_dom_name.uni_max_len += 2;
367                 r_l->uni_dns_dom_name.uni_max_len += 1;
368         }
369
370         if (forest_name && *forest_name) {
371                 init_unistr2(&r_l->uni_forest_name, forest_name, UNI_FLAGS_NONE);
372                 init_uni_hdr(&r_l->hdr_forest_name, &r_l->uni_forest_name);
373                 r_l->hdr_forest_name.uni_max_len += 2;
374                 r_l->uni_forest_name.uni_max_len += 1;
375         }
376
377         /* how do we init the guid ? probably should write an init fn */
378         if (dom_guid) {
379                 memcpy(&r_l->dom_guid, dom_guid, sizeof(struct uuid));
380         }
381         
382         if (dom_sid) {
383                 r_l->ptr_dom_sid = 1;
384                 init_dom_sid2(&r_l->dom_sid, dom_sid);
385         }
386 }
387
388 /***************************************************************************
389  _lsa_open_policy2.
390  ***************************************************************************/
391
392 NTSTATUS _lsa_open_policy2(pipes_struct *p, LSA_Q_OPEN_POL2 *q_u, LSA_R_OPEN_POL2 *r_u)
393 {
394         struct lsa_info *info;
395         SEC_DESC *psd = NULL;
396         size_t sd_size;
397         uint32 des_access=q_u->des_access;
398         uint32 acc_granted;
399         NTSTATUS status;
400
401
402         /* map the generic bits to the lsa policy ones */
403         se_map_generic(&des_access, &lsa_generic_mapping);
404
405         /* get the generic lsa policy SD until we store it */
406         lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
407
408         if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
409                 if (geteuid() != 0) {
410                         return status;
411                 }
412                 DEBUG(4,("ACCESS should be DENIED (granted: %#010x;  required: %#010x)\n",
413                          acc_granted, des_access));
414                 DEBUGADD(4,("but overwritten by euid == 0\n"));
415         }
416
417         /* This is needed for lsa_open_account and rpcclient .... :-) */
418
419         if (geteuid() == 0)
420                 acc_granted = POLICY_ALL_ACCESS;
421
422         /* associate the domain SID with the (unique) handle. */
423         if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
424                 return NT_STATUS_NO_MEMORY;
425
426         ZERO_STRUCTP(info);
427         sid_copy(&info->sid,get_global_sam_sid());
428         info->access = acc_granted;
429
430         /* set up the LSA QUERY INFO response */
431         if (!create_policy_hnd(p, &r_u->pol, free_lsa_info, (void *)info))
432                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
433
434         return NT_STATUS_OK;
435 }
436
437 /***************************************************************************
438  _lsa_open_policy
439  ***************************************************************************/
440
441 NTSTATUS _lsa_open_policy(pipes_struct *p, LSA_Q_OPEN_POL *q_u, LSA_R_OPEN_POL *r_u)
442 {
443         struct lsa_info *info;
444         SEC_DESC *psd = NULL;
445         size_t sd_size;
446         uint32 des_access=q_u->des_access;
447         uint32 acc_granted;
448         NTSTATUS status;
449
450
451         /* map the generic bits to the lsa policy ones */
452         se_map_generic(&des_access, &lsa_generic_mapping);
453
454         /* get the generic lsa policy SD until we store it */
455         lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
456
457         if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
458                 if (geteuid() != 0) {
459                         return status;
460                 }
461                 DEBUG(4,("ACCESS should be DENIED (granted: %#010x;  required: %#010x)\n",
462                          acc_granted, des_access));
463                 DEBUGADD(4,("but overwritten by euid == 0\n"));
464                 acc_granted = des_access;
465         }
466
467         /* associate the domain SID with the (unique) handle. */
468         if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
469                 return NT_STATUS_NO_MEMORY;
470
471         ZERO_STRUCTP(info);
472         sid_copy(&info->sid,get_global_sam_sid());
473         info->access = acc_granted;
474
475         /* set up the LSA QUERY INFO response */
476         if (!create_policy_hnd(p, &r_u->pol, free_lsa_info, (void *)info))
477                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
478
479         return NT_STATUS_OK;
480 }
481
482 /***************************************************************************
483  _lsa_enum_trust_dom - this needs fixing to do more than return NULL ! JRA.
484  ufff, done :)  mimir
485  ***************************************************************************/
486
487 NTSTATUS _lsa_enum_trust_dom(pipes_struct *p, LSA_Q_ENUM_TRUST_DOM *q_u, LSA_R_ENUM_TRUST_DOM *r_u)
488 {
489         struct lsa_info *info;
490         uint32 enum_context = q_u->enum_context;
491
492         /*
493          * preferred length is set to 5 as a "our" preferred length
494          * nt sets this parameter to 2
495          * update (20.08.2002): it's not preferred length, but preferred size!
496          * it needs further investigation how to optimally choose this value
497          */
498         uint32 max_num_domains = q_u->preferred_len < 5 ? q_u->preferred_len : 10;
499         TRUSTDOM **trust_doms;
500         uint32 num_domains;
501         NTSTATUS nt_status;
502
503         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
504                 return NT_STATUS_INVALID_HANDLE;
505
506         /* check if the user have enough rights */
507         if (!(info->access & POLICY_VIEW_LOCAL_INFORMATION))
508                 return NT_STATUS_ACCESS_DENIED;
509
510         nt_status = secrets_get_trusted_domains(p->mem_ctx, (int *)&enum_context, max_num_domains, (int *)&num_domains, &trust_doms);
511
512         if (!NT_STATUS_IS_OK(nt_status) &&
513             !NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES) &&
514             !NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MORE_ENTRIES)) {
515                 return nt_status;
516         } else {
517                 r_u->status = nt_status;
518         }
519
520         /* set up the lsa_enum_trust_dom response */
521         init_r_enum_trust_dom(p->mem_ctx, r_u, enum_context, max_num_domains, num_domains, trust_doms);
522
523         return r_u->status;
524 }
525
526 /***************************************************************************
527  _lsa_query_info. See the POLICY_INFOMATION_CLASS docs at msdn.
528  ***************************************************************************/
529
530 NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INFO *r_u)
531 {
532         struct lsa_info *handle;
533         LSA_INFO_UNION *info = &r_u->dom;
534         DOM_SID domain_sid;
535         const char *name;
536         DOM_SID *sid = NULL;
537
538         r_u->status = NT_STATUS_OK;
539
540         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
541                 return NT_STATUS_INVALID_HANDLE;
542
543         switch (q_u->info_class) {
544         case 0x02:
545                 {
546                 unsigned int i;
547                 /* check if the user have enough rights */
548                 if (!(handle->access & POLICY_VIEW_AUDIT_INFORMATION))
549                         return NT_STATUS_ACCESS_DENIED;
550
551                 /* fake info: We audit everything. ;) */
552                 info->id2.auditing_enabled = 1;
553                 info->id2.count1 = 7;
554                 info->id2.count2 = 7;
555                 if ((info->id2.auditsettings = TALLOC_ARRAY(p->mem_ctx,uint32, 7)) == NULL)
556                         return NT_STATUS_NO_MEMORY;
557                 for (i = 0; i < 7; i++)
558                         info->id2.auditsettings[i] = 3;
559                 break;
560                 }
561         case 0x03:
562                 /* check if the user have enough rights */
563                 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
564                         return NT_STATUS_ACCESS_DENIED;
565
566                 /* Request PolicyPrimaryDomainInformation. */
567                 switch (lp_server_role()) {
568                         case ROLE_DOMAIN_PDC:
569                         case ROLE_DOMAIN_BDC:
570                                 name = get_global_sam_name();
571                                 sid = get_global_sam_sid();
572                                 break;
573                         case ROLE_DOMAIN_MEMBER:
574                                 name = lp_workgroup();
575                                 /* We need to return the Domain SID here. */
576                                 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid))
577                                         sid = &domain_sid;
578                                 else
579                                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
580                                 break;
581                         case ROLE_STANDALONE:
582                                 name = lp_workgroup();
583                                 sid = NULL;
584                                 break;
585                         default:
586                                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
587                 }
588                 init_dom_query(&r_u->dom.id3, name, sid);
589                 break;
590         case 0x05:
591                 /* check if the user have enough rights */
592                 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
593                         return NT_STATUS_ACCESS_DENIED;
594
595                 /* Request PolicyAccountDomainInformation. */
596                 name = get_global_sam_name();
597                 sid = get_global_sam_sid();
598                 init_dom_query(&r_u->dom.id5, name, sid);
599                 break;
600         case 0x06:
601                 /* check if the user have enough rights */
602                 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
603                         return NT_STATUS_ACCESS_DENIED;
604
605                 switch (lp_server_role()) {
606                         case ROLE_DOMAIN_BDC:
607                                 /*
608                                  * only a BDC is a backup controller
609                                  * of the domain, it controls.
610                                  */
611                                 info->id6.server_role = 2;
612                                 break;
613                         default:
614                                 /*
615                                  * any other role is a primary
616                                  * of the domain, it controls.
617                                  */
618                                 info->id6.server_role = 3;
619                                 break; 
620                 }
621                 break;
622         default:
623                 DEBUG(0,("_lsa_query_info: unknown info level in Lsa Query: %d\n", q_u->info_class));
624                 r_u->status = NT_STATUS_INVALID_INFO_CLASS;
625                 break;
626         }
627
628         if (NT_STATUS_IS_OK(r_u->status)) {
629                 r_u->undoc_buffer = 0x22000000; /* bizarre */
630                 r_u->info_class = q_u->info_class;
631         }
632
633         return r_u->status;
634 }
635
636 /***************************************************************************
637  _lsa_lookup_sids
638  ***************************************************************************/
639
640 NTSTATUS _lsa_lookup_sids(pipes_struct *p, LSA_Q_LOOKUP_SIDS *q_u, LSA_R_LOOKUP_SIDS *r_u)
641 {
642         struct lsa_info *handle;
643         DOM_SID2 *sid = q_u->sids.sid;
644         int num_entries = q_u->sids.num_entries;
645         DOM_R_REF *ref = NULL;
646         LSA_TRANS_NAME_ENUM *names = NULL;
647         uint32 mapped_count = 0;
648
649         if (num_entries >  MAX_LOOKUP_SIDS) {
650                 num_entries = MAX_LOOKUP_SIDS;
651                 DEBUG(5,("_lsa_lookup_sids: truncating SID lookup list to %d\n", num_entries));
652         }
653
654         ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF);
655         names = TALLOC_ZERO_P(p->mem_ctx, LSA_TRANS_NAME_ENUM);
656
657         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle)) {
658                 r_u->status = NT_STATUS_INVALID_HANDLE;
659                 goto done;
660         }
661
662         /* check if the user have enough rights */
663         if (!(handle->access & POLICY_LOOKUP_NAMES)) {
664                 r_u->status = NT_STATUS_ACCESS_DENIED;
665                 goto done;
666         }
667         if (!ref || !names)
668                 return NT_STATUS_NO_MEMORY;
669
670 done:
671
672         /* set up the LSA Lookup SIDs response */
673         init_lsa_trans_names(p->mem_ctx, ref, names, num_entries, sid, &mapped_count);
674         if (NT_STATUS_IS_OK(r_u->status)) {
675                 if (mapped_count == 0)
676                         r_u->status = NT_STATUS_NONE_MAPPED;
677                 else if (mapped_count != num_entries)
678                         r_u->status = STATUS_SOME_UNMAPPED;
679         }
680         init_reply_lookup_sids(r_u, ref, names, mapped_count);
681
682         return r_u->status;
683 }
684
685 /***************************************************************************
686 lsa_reply_lookup_names
687  ***************************************************************************/
688
689 NTSTATUS _lsa_lookup_names(pipes_struct *p,LSA_Q_LOOKUP_NAMES *q_u, LSA_R_LOOKUP_NAMES *r_u)
690 {
691         struct lsa_info *handle;
692         UNISTR2 *names = q_u->uni_name;
693         int num_entries = q_u->num_entries;
694         DOM_R_REF *ref;
695         DOM_RID2 *rids;
696         uint32 mapped_count = 0;
697
698         if (num_entries >  MAX_LOOKUP_SIDS) {
699                 num_entries = MAX_LOOKUP_SIDS;
700                 DEBUG(5,("_lsa_lookup_names: truncating name lookup list to %d\n", num_entries));
701         }
702                 
703         ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF);
704         rids = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_RID2, num_entries);
705
706         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle)) {
707                 r_u->status = NT_STATUS_INVALID_HANDLE;
708                 goto done;
709         }
710
711         /* check if the user have enough rights */
712         if (!(handle->access & POLICY_LOOKUP_NAMES)) {
713                 r_u->status = NT_STATUS_ACCESS_DENIED;
714                 goto done;
715         }
716
717         if (!ref || !rids)
718                 return NT_STATUS_NO_MEMORY;
719
720 done:
721
722         /* set up the LSA Lookup RIDs response */
723         init_lsa_rid2s(ref, rids, num_entries, names, &mapped_count, p->endian);
724         if (NT_STATUS_IS_OK(r_u->status)) {
725                 if (mapped_count == 0)
726                         r_u->status = NT_STATUS_NONE_MAPPED;
727                 else if (mapped_count != num_entries)
728                         r_u->status = STATUS_SOME_UNMAPPED;
729         }
730         init_reply_lookup_names(r_u, ref, num_entries, rids, mapped_count);
731
732         return r_u->status;
733 }
734
735 /***************************************************************************
736  _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
737  ***************************************************************************/
738
739 NTSTATUS _lsa_close(pipes_struct *p, LSA_Q_CLOSE *q_u, LSA_R_CLOSE *r_u)
740 {
741         if (!find_policy_by_hnd(p, &q_u->pol, NULL))
742                 return NT_STATUS_INVALID_HANDLE;
743
744         close_policy_hnd(p, &q_u->pol);
745         return NT_STATUS_OK;
746 }
747
748 /***************************************************************************
749   "No more secrets Marty...." :-).
750  ***************************************************************************/
751
752 NTSTATUS _lsa_open_secret(pipes_struct *p, LSA_Q_OPEN_SECRET *q_u, LSA_R_OPEN_SECRET *r_u)
753 {
754         return NT_STATUS_OBJECT_NAME_NOT_FOUND;
755 }
756
757 /***************************************************************************
758 _lsa_enum_privs.
759  ***************************************************************************/
760
761 NTSTATUS _lsa_enum_privs(pipes_struct *p, LSA_Q_ENUM_PRIVS *q_u, LSA_R_ENUM_PRIVS *r_u)
762 {
763         struct lsa_info *handle;
764         uint32 i;
765         uint32 enum_context = q_u->enum_context;
766         int num_privs = count_all_privileges();
767         LSA_PRIV_ENTRY *entries = NULL;
768         LUID_ATTR luid;
769
770         /* remember that the enum_context starts at 0 and not 1 */
771
772         if ( enum_context >= num_privs )
773                 return NT_STATUS_NO_MORE_ENTRIES;
774                 
775         DEBUG(10,("_lsa_enum_privs: enum_context:%d total entries:%d\n", 
776                 enum_context, num_privs));
777         
778         if ( !(entries = TALLOC_ZERO_ARRAY(p->mem_ctx, LSA_PRIV_ENTRY, num_privs + 1)))
779                 return NT_STATUS_NO_MEMORY;
780
781         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
782                 return NT_STATUS_INVALID_HANDLE;
783
784         /* check if the user have enough rights
785            I don't know if it's the right one. not documented.  */
786
787         if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
788                 return NT_STATUS_ACCESS_DENIED;
789
790         if ( !(entries = TALLOC_ZERO_ARRAY(p->mem_ctx, LSA_PRIV_ENTRY, num_privs )) )
791                 return NT_STATUS_NO_MEMORY;
792
793
794         for (i = 0; i < num_privs; i++) {
795                 if( i < enum_context) {
796                         init_unistr2(&entries[i].name, NULL, UNI_FLAGS_NONE);
797                         init_uni_hdr(&entries[i].hdr_name, &entries[i].name);
798                         
799                         entries[i].luid_low = 0;
800                         entries[i].luid_high = 0;
801                 } else {
802                         init_unistr2(&entries[i].name, privs[i].name, UNI_FLAGS_NONE);
803                         init_uni_hdr(&entries[i].hdr_name, &entries[i].name);
804                         
805                         luid = get_privilege_luid( &privs[i].se_priv );
806                         
807                         entries[i].luid_low = luid.luid.low;
808                         entries[i].luid_high = luid.luid.high;
809                 }
810         }
811
812         enum_context = num_privs;
813         
814         init_lsa_r_enum_privs(r_u, enum_context, num_privs, entries);
815
816         return NT_STATUS_OK;
817 }
818
819 /***************************************************************************
820 _lsa_priv_get_dispname.
821  ***************************************************************************/
822
823 NTSTATUS _lsa_priv_get_dispname(pipes_struct *p, LSA_Q_PRIV_GET_DISPNAME *q_u, LSA_R_PRIV_GET_DISPNAME *r_u)
824 {
825         struct lsa_info *handle;
826         fstring name_asc;
827         const char *description;
828
829         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
830                 return NT_STATUS_INVALID_HANDLE;
831
832         /* check if the user have enough rights */
833
834         /*
835          * I don't know if it's the right one. not documented.
836          */
837         if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
838                 return NT_STATUS_ACCESS_DENIED;
839
840         unistr2_to_ascii(name_asc, &q_u->name, sizeof(name_asc));
841
842         DEBUG(10,("_lsa_priv_get_dispname: name = %s\n", name_asc));
843
844         description = get_privilege_dispname( name_asc );
845         
846         if ( description ) {
847                 DEBUG(10,("_lsa_priv_get_dispname: display name = %s\n", description));
848                 
849                 init_unistr2(&r_u->desc, description, UNI_FLAGS_NONE);
850                 init_uni_hdr(&r_u->hdr_desc, &r_u->desc);
851
852                 r_u->ptr_info = 0xdeadbeef;
853                 r_u->lang_id = q_u->lang_id;
854                 
855                 return NT_STATUS_OK;
856         } else {
857                 DEBUG(10,("_lsa_priv_get_dispname: doesn't exist\n"));
858                 
859                 r_u->ptr_info = 0;
860                 
861                 return NT_STATUS_NO_SUCH_PRIVILEGE;
862         }
863 }
864
865 /***************************************************************************
866 _lsa_enum_accounts.
867  ***************************************************************************/
868
869 NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENUM_ACCOUNTS *r_u)
870 {
871         struct lsa_info *handle;
872         DOM_SID *sid_list;
873         int i, j, num_entries;
874         LSA_SID_ENUM *sids=&r_u->sids;
875         NTSTATUS ret;
876
877         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
878                 return NT_STATUS_INVALID_HANDLE;
879
880         if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
881                 return NT_STATUS_ACCESS_DENIED;
882
883         sid_list = NULL;
884         num_entries = 0;
885
886         /* The only way we can currently find out all the SIDs that have been
887            privileged is to scan all privileges */
888
889         if (!NT_STATUS_IS_OK(ret = privilege_enumerate_accounts(&sid_list, &num_entries))) {
890                 return ret;
891         }
892
893         if (q_u->enum_context >= num_entries)
894                 return NT_STATUS_NO_MORE_ENTRIES;
895
896         sids->ptr_sid = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_entries-q_u->enum_context);
897         sids->sid = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_SID2, num_entries-q_u->enum_context);
898
899         if (sids->ptr_sid==NULL || sids->sid==NULL) {
900                 SAFE_FREE(sid_list);
901                 return NT_STATUS_NO_MEMORY;
902         }
903
904         for (i = q_u->enum_context, j = 0; i < num_entries; i++, j++) {
905                 init_dom_sid2(&(*sids).sid[j], &sid_list[i]);
906                 (*sids).ptr_sid[j] = 1;
907         }
908
909         SAFE_FREE(sid_list);
910
911         init_lsa_r_enum_accounts(r_u, num_entries);
912
913         return NT_STATUS_OK;
914 }
915
916
917 NTSTATUS _lsa_unk_get_connuser(pipes_struct *p, LSA_Q_UNK_GET_CONNUSER *q_u, LSA_R_UNK_GET_CONNUSER *r_u)
918 {
919         fstring username, domname;
920         user_struct *vuser = get_valid_user_struct(p->vuid);
921   
922         if (vuser == NULL)
923                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
924   
925         fstrcpy(username, vuser->user.smb_name);
926         fstrcpy(domname, vuser->user.domain);
927   
928         r_u->ptr_user_name = 1;
929         init_unistr2(&r_u->uni2_user_name, username, UNI_STR_TERMINATE);
930         init_uni_hdr(&r_u->hdr_user_name, &r_u->uni2_user_name);
931
932         r_u->unk1 = 1;
933   
934         r_u->ptr_dom_name = 1;
935         init_unistr2(&r_u->uni2_dom_name, domname,  UNI_STR_TERMINATE);
936         init_uni_hdr(&r_u->hdr_dom_name, &r_u->uni2_dom_name);
937
938         r_u->status = NT_STATUS_OK;
939   
940         return r_u->status;
941 }
942
943 /***************************************************************************
944  Lsa Create Account 
945  ***************************************************************************/
946
947 NTSTATUS _lsa_create_account(pipes_struct *p, LSA_Q_CREATEACCOUNT *q_u, LSA_R_CREATEACCOUNT *r_u)
948 {
949         struct lsa_info *handle;
950         struct lsa_info *info;
951
952         /* find the connection policy handle. */
953         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
954                 return NT_STATUS_INVALID_HANDLE;
955
956         /* check if the user have enough rights */
957
958         /*
959          * I don't know if it's the right one. not documented.
960          * but guessed with rpcclient.
961          */
962         if (!(handle->access & POLICY_GET_PRIVATE_INFORMATION))
963                 return NT_STATUS_ACCESS_DENIED;
964
965         /* check to see if the pipe_user is a Domain Admin since 
966            account_pol.tdb was already opened as root, this is all we have */
967            
968         if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
969                 return NT_STATUS_ACCESS_DENIED;
970                 
971         if ( is_privileged_sid( &q_u->sid.sid ) )
972                 return NT_STATUS_OBJECT_NAME_COLLISION;
973
974         /* associate the user/group SID with the (unique) handle. */
975         
976         if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
977                 return NT_STATUS_NO_MEMORY;
978
979         ZERO_STRUCTP(info);
980         info->sid = q_u->sid.sid;
981         info->access = q_u->access;
982
983         /* get a (unique) handle.  open a policy on it. */
984         if (!create_policy_hnd(p, &r_u->pol, free_lsa_info, (void *)info))
985                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
986
987         return privilege_create_account( &info->sid );
988 }
989
990
991 /***************************************************************************
992  Lsa Open Account
993  ***************************************************************************/
994
995 NTSTATUS _lsa_open_account(pipes_struct *p, LSA_Q_OPENACCOUNT *q_u, LSA_R_OPENACCOUNT *r_u)
996 {
997         struct lsa_info *handle;
998         struct lsa_info *info;
999
1000         /* find the connection policy handle. */
1001         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
1002                 return NT_STATUS_INVALID_HANDLE;
1003
1004         /* check if the user have enough rights */
1005
1006         /*
1007          * I don't know if it's the right one. not documented.
1008          * but guessed with rpcclient.
1009          */
1010         if (!(handle->access & POLICY_GET_PRIVATE_INFORMATION))
1011                 return NT_STATUS_ACCESS_DENIED;
1012
1013         /* TODO: Fis the parsing routine before reenabling this check! */
1014         #if 0
1015         if (!lookup_sid(&handle->sid, dom_name, name, &type))
1016                 return NT_STATUS_ACCESS_DENIED;
1017         #endif
1018         /* associate the user/group SID with the (unique) handle. */
1019         if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
1020                 return NT_STATUS_NO_MEMORY;
1021
1022         ZERO_STRUCTP(info);
1023         info->sid = q_u->sid.sid;
1024         info->access = q_u->access;
1025
1026         /* get a (unique) handle.  open a policy on it. */
1027         if (!create_policy_hnd(p, &r_u->pol, free_lsa_info, (void *)info))
1028                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1029
1030         return NT_STATUS_OK;
1031 }
1032
1033 /***************************************************************************
1034  For a given SID, enumerate all the privilege this account has.
1035  ***************************************************************************/
1036
1037 NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, prs_struct *ps, LSA_Q_ENUMPRIVSACCOUNT *q_u, LSA_R_ENUMPRIVSACCOUNT *r_u)
1038 {
1039         struct lsa_info *info=NULL;
1040         SE_PRIV mask;
1041         PRIVILEGE_SET privileges;
1042
1043         /* find the connection policy handle. */
1044         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
1045                 return NT_STATUS_INVALID_HANDLE;
1046
1047         if ( !get_privileges_for_sids( &mask, &info->sid, 1 ) ) 
1048                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1049
1050         privilege_set_init( &privileges );
1051
1052         if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1053
1054                 DEBUG(10,("_lsa_enum_privsaccount: %s has %d privileges\n", 
1055                         sid_string_static(&info->sid), privileges.count));
1056
1057                 r_u->status = init_lsa_r_enum_privsaccount(ps->mem_ctx, r_u, privileges.set, privileges.count, 0);
1058         }
1059         else
1060                 r_u->status = NT_STATUS_NO_SUCH_PRIVILEGE;
1061
1062         privilege_set_free( &privileges );
1063
1064         return r_u->status;
1065 }
1066
1067 /***************************************************************************
1068  
1069  ***************************************************************************/
1070
1071 NTSTATUS _lsa_getsystemaccount(pipes_struct *p, LSA_Q_GETSYSTEMACCOUNT *q_u, LSA_R_GETSYSTEMACCOUNT *r_u)
1072 {
1073         struct lsa_info *info=NULL;
1074         fstring name, dom_name;
1075         enum SID_NAME_USE type;
1076
1077         /* find the connection policy handle. */
1078
1079         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
1080                 return NT_STATUS_INVALID_HANDLE;
1081
1082         if (!lookup_sid(&info->sid, dom_name, name, &type))
1083                 return NT_STATUS_ACCESS_DENIED;
1084
1085         /*
1086           0x01 -> Log on locally
1087           0x02 -> Access this computer from network
1088           0x04 -> Log on as a batch job
1089           0x10 -> Log on as a service
1090           
1091           they can be ORed together
1092         */
1093
1094         r_u->access = PR_LOG_ON_LOCALLY | PR_ACCESS_FROM_NETWORK;
1095
1096         return NT_STATUS_OK;
1097 }
1098
1099 /***************************************************************************
1100   update the systemaccount information
1101  ***************************************************************************/
1102
1103 NTSTATUS _lsa_setsystemaccount(pipes_struct *p, LSA_Q_SETSYSTEMACCOUNT *q_u, LSA_R_SETSYSTEMACCOUNT *r_u)
1104 {
1105         struct lsa_info *info=NULL;
1106         GROUP_MAP map;
1107         r_u->status = NT_STATUS_OK;
1108
1109         /* find the connection policy handle. */
1110         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
1111                 return NT_STATUS_INVALID_HANDLE;
1112
1113         /* check to see if the pipe_user is a Domain Admin since 
1114            account_pol.tdb was already opened as root, this is all we have */
1115            
1116         if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1117                 return NT_STATUS_ACCESS_DENIED;
1118
1119         if (!pdb_getgrsid(&map, info->sid))
1120                 return NT_STATUS_NO_SUCH_GROUP;
1121
1122         if(!pdb_update_group_mapping_entry(&map))
1123                 return NT_STATUS_NO_SUCH_GROUP;
1124
1125         return r_u->status;
1126 }
1127
1128 /***************************************************************************
1129  For a given SID, add some privileges.
1130  ***************************************************************************/
1131
1132 NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u)
1133 {
1134         struct lsa_info *info = NULL;
1135         SE_PRIV mask;
1136         PRIVILEGE_SET *set = NULL;
1137         struct current_user user;
1138
1139         /* find the connection policy handle. */
1140         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
1141                 return NT_STATUS_INVALID_HANDLE;
1142                 
1143         /* check to see if the pipe_user is root or a Domain Admin since 
1144            account_pol.tdb was already opened as root, this is all we have */
1145
1146         get_current_user( &user, p );
1147         if ( user.uid != sec_initial_uid() 
1148                 && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1149         {
1150                 return NT_STATUS_ACCESS_DENIED;
1151         }
1152
1153         set = &q_u->set;
1154
1155         if ( !privilege_set_to_se_priv( &mask, set ) )
1156                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1157
1158         if ( !grant_privilege( &info->sid, &mask ) ) {
1159                 DEBUG(3,("_lsa_addprivs: grant_privilege(%s) failed!\n",
1160                         sid_string_static(&info->sid) ));
1161                 DEBUG(3,("Privilege mask:\n"));
1162                 dump_se_priv( DBGC_ALL, 3, &mask );
1163                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1164         }
1165
1166         return NT_STATUS_OK;
1167 }
1168
1169 /***************************************************************************
1170  For a given SID, remove some privileges.
1171  ***************************************************************************/
1172
1173 NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEPRIVS *r_u)
1174 {
1175         struct lsa_info *info = NULL;
1176         SE_PRIV mask;
1177         PRIVILEGE_SET *set = NULL;
1178         struct current_user user;
1179
1180         /* find the connection policy handle. */
1181         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
1182                 return NT_STATUS_INVALID_HANDLE;
1183
1184         /* check to see if the pipe_user is root or a Domain Admin since 
1185            account_pol.tdb was already opened as root, this is all we have */
1186
1187         get_current_user( &user, p );
1188         if ( user.uid != sec_initial_uid()
1189                 && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) 
1190         {
1191                 return NT_STATUS_ACCESS_DENIED;
1192         }
1193
1194         set = &q_u->set;
1195
1196         if ( !privilege_set_to_se_priv( &mask, set ) )
1197                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1198
1199         if ( !revoke_privilege( &info->sid, &mask ) ) {
1200                 DEBUG(3,("_lsa_removeprivs: revoke_privilege(%s) failed!\n",
1201                         sid_string_static(&info->sid) ));
1202                 DEBUG(3,("Privilege mask:\n"));
1203                 dump_se_priv( DBGC_ALL, 3, &mask );
1204                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1205         }
1206
1207         return NT_STATUS_OK;
1208 }
1209
1210 /***************************************************************************
1211  For a given SID, remove some privileges.
1212  ***************************************************************************/
1213
1214 NTSTATUS _lsa_query_secobj(pipes_struct *p, LSA_Q_QUERY_SEC_OBJ *q_u, LSA_R_QUERY_SEC_OBJ *r_u)
1215 {
1216         struct lsa_info *handle=NULL;
1217         SEC_DESC *psd = NULL;
1218         size_t sd_size;
1219         NTSTATUS status;
1220
1221         r_u->status = NT_STATUS_OK;
1222
1223         /* find the connection policy handle. */
1224         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
1225                 return NT_STATUS_INVALID_HANDLE;
1226
1227         /* check if the user have enough rights */
1228         if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
1229                 return NT_STATUS_ACCESS_DENIED;
1230
1231
1232         switch (q_u->sec_info) {
1233         case 1:
1234                 /* SD contains only the owner */
1235
1236                 status=lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
1237                 if(!NT_STATUS_IS_OK(status))
1238                         return NT_STATUS_NO_MEMORY;
1239
1240
1241                 if((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
1242                         return NT_STATUS_NO_MEMORY;
1243                 break;
1244         case 4:
1245                 /* SD contains only the ACL */
1246
1247                 status=lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
1248                 if(!NT_STATUS_IS_OK(status))
1249                         return NT_STATUS_NO_MEMORY;
1250
1251                 if((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
1252                         return NT_STATUS_NO_MEMORY;
1253                 break;
1254         default:
1255                 return NT_STATUS_INVALID_LEVEL;
1256         }
1257
1258         r_u->ptr=1;
1259
1260         return r_u->status;
1261 }
1262
1263 /***************************************************************************
1264  ***************************************************************************/
1265
1266 NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_INFO2 *r_u)
1267 {
1268         struct lsa_info *handle;
1269         const char *nb_name;
1270         char *dns_name = NULL;
1271         char *forest_name = NULL;
1272         DOM_SID *sid = NULL;
1273         struct uuid guid;
1274         fstring dnsdomname;
1275
1276         ZERO_STRUCT(guid);
1277         r_u->status = NT_STATUS_OK;
1278
1279         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
1280                 return NT_STATUS_INVALID_HANDLE;
1281
1282         switch (q_u->info_class) {
1283         case 0x0c:
1284                 /* check if the user have enough rights */
1285                 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
1286                         return NT_STATUS_ACCESS_DENIED;
1287
1288                 /* Request PolicyPrimaryDomainInformation. */
1289                 switch (lp_server_role()) {
1290                         case ROLE_DOMAIN_PDC:
1291                         case ROLE_DOMAIN_BDC:
1292                                 nb_name = get_global_sam_name();
1293                                 /* ugly temp hack for these next two */
1294
1295                                 /* This should be a 'netbios domain -> DNS domain' mapping */
1296                                 dnsdomname[0] = '\0';
1297                                 get_mydnsdomname(dnsdomname);
1298                                 strlower_m(dnsdomname);
1299                                 
1300                                 dns_name = dnsdomname;
1301                                 forest_name = dnsdomname;
1302
1303                                 sid = get_global_sam_sid();
1304                                 secrets_fetch_domain_guid(lp_workgroup(), &guid);
1305                                 break;
1306                         default:
1307                                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1308                 }
1309                 init_dns_dom_info(&r_u->info.dns_dom_info, nb_name, dns_name, 
1310                                   forest_name,&guid,sid);
1311                 break;
1312         default:
1313                 DEBUG(0,("_lsa_query_info2: unknown info level in Lsa Query: %d\n", q_u->info_class));
1314                 r_u->status = NT_STATUS_INVALID_INFO_CLASS;
1315                 break;
1316         }
1317
1318         if (NT_STATUS_IS_OK(r_u->status)) {
1319                 r_u->ptr = 0x1;
1320                 r_u->info_class = q_u->info_class;
1321         }
1322
1323         return r_u->status;
1324 }
1325
1326 /***************************************************************************
1327  ***************************************************************************/
1328
1329 NTSTATUS _lsa_add_acct_rights(pipes_struct *p, LSA_Q_ADD_ACCT_RIGHTS *q_u, LSA_R_ADD_ACCT_RIGHTS *r_u)
1330 {
1331         struct lsa_info *info = NULL;
1332         int i = 0;
1333         DOM_SID sid;
1334         fstring privname;
1335         UNISTR2_ARRAY *uni_privnames = &q_u->rights;
1336         
1337
1338         /* find the connection policy handle. */
1339         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
1340                 return NT_STATUS_INVALID_HANDLE;
1341                 
1342         /* check to see if the pipe_user is a Domain Admin since 
1343            account_pol.tdb was already opened as root, this is all we have */
1344            
1345         if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1346                 return NT_STATUS_ACCESS_DENIED;
1347
1348         /* according to an NT4 PDC, you can add privileges to SIDs even without
1349            call_lsa_create_account() first.  And you can use any arbitrary SID. */
1350            
1351         sid_copy( &sid, &q_u->sid.sid );
1352         
1353         /* just a little sanity check */
1354         
1355         if ( q_u->count != uni_privnames->count ) {
1356                 DEBUG(0,("_lsa_add_acct_rights: count != number of UNISTR2 elements!\n"));
1357                 return NT_STATUS_INVALID_HANDLE;        
1358         }
1359                 
1360         for ( i=0; i<q_u->count; i++ ) {
1361                 unistr2_to_ascii( privname, &uni_privnames->strings[i].string, sizeof(fstring)-1 );
1362                 
1363                 /* only try to add non-null strings */
1364                 
1365                 if ( *privname && !grant_privilege_by_name( &sid, privname ) ) {
1366                         DEBUG(2,("_lsa_add_acct_rights: Failed to add privilege [%s]\n", privname ));
1367                         return NT_STATUS_NO_SUCH_PRIVILEGE;
1368                 }
1369         }
1370
1371         return NT_STATUS_OK;
1372 }
1373
1374 /***************************************************************************
1375  ***************************************************************************/
1376
1377 NTSTATUS _lsa_remove_acct_rights(pipes_struct *p, LSA_Q_REMOVE_ACCT_RIGHTS *q_u, LSA_R_REMOVE_ACCT_RIGHTS *r_u)
1378 {
1379         struct lsa_info *info = NULL;
1380         int i = 0;
1381         DOM_SID sid;
1382         fstring privname;
1383         UNISTR2_ARRAY *uni_privnames = &q_u->rights;
1384         
1385
1386         /* find the connection policy handle. */
1387         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
1388                 return NT_STATUS_INVALID_HANDLE;
1389                 
1390         /* check to see if the pipe_user is a Domain Admin since 
1391            account_pol.tdb was already opened as root, this is all we have */
1392            
1393         if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1394                 return NT_STATUS_ACCESS_DENIED;
1395
1396         sid_copy( &sid, &q_u->sid.sid );
1397
1398         if ( q_u->removeall ) {
1399                 if ( !revoke_all_privileges( &sid ) ) 
1400                         return NT_STATUS_ACCESS_DENIED;
1401         
1402                 return NT_STATUS_OK;
1403         }
1404         
1405         /* just a little sanity check */
1406         
1407         if ( q_u->count != uni_privnames->count ) {
1408                 DEBUG(0,("_lsa_add_acct_rights: count != number of UNISTR2 elements!\n"));
1409                 return NT_STATUS_INVALID_HANDLE;        
1410         }
1411                 
1412         for ( i=0; i<q_u->count; i++ ) {
1413                 unistr2_to_ascii( privname, &uni_privnames->strings[i].string, sizeof(fstring)-1 );
1414                 
1415                 /* only try to add non-null strings */
1416                 
1417                 if ( *privname && !revoke_privilege_by_name( &sid, privname ) ) {
1418                         DEBUG(2,("_lsa_remove_acct_rights: Failed to revoke privilege [%s]\n", privname ));
1419                         return NT_STATUS_NO_SUCH_PRIVILEGE;
1420                 }
1421         }
1422
1423         return NT_STATUS_OK;
1424 }
1425
1426
1427 NTSTATUS _lsa_enum_acct_rights(pipes_struct *p, LSA_Q_ENUM_ACCT_RIGHTS *q_u, LSA_R_ENUM_ACCT_RIGHTS *r_u)
1428 {
1429         struct lsa_info *info = NULL;
1430         DOM_SID sid;
1431         PRIVILEGE_SET privileges;
1432         SE_PRIV mask;
1433         
1434
1435         /* find the connection policy handle. */
1436         
1437         if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
1438                 return NT_STATUS_INVALID_HANDLE;
1439                 
1440         /* according to an NT4 PDC, you can add privileges to SIDs even without
1441            call_lsa_create_account() first.  And you can use any arbitrary SID. */
1442            
1443         sid_copy( &sid, &q_u->sid.sid );
1444         
1445         if ( !get_privileges_for_sids( &mask, &sid, 1 ) )
1446                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1447
1448         privilege_set_init( &privileges );
1449
1450         if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1451
1452                 DEBUG(10,("_lsa_enum_acct_rights: %s has %d privileges\n", 
1453                         sid_string_static(&sid), privileges.count));
1454
1455                 r_u->status = init_r_enum_acct_rights( r_u, &privileges );
1456         }
1457         else 
1458                 r_u->status = NT_STATUS_NO_SUCH_PRIVILEGE;
1459
1460         privilege_set_free( &privileges );
1461
1462         return r_u->status;
1463 }
1464
1465