s3-lsa: make s3 pass against RPC-LSA-LOOKUPNAMES again.
[ira/wip.git] / source3 / rpc_server / srv_lsa_nt.c
1 /*
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Copyright (C) Andrew Tridgell              1992-1997,
5  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6  *  Copyright (C) Paul Ashton                       1997,
7  *  Copyright (C) Jeremy Allison                    2001, 2006.
8  *  Copyright (C) Rafal Szczesniak                  2002,
9  *  Copyright (C) Jim McDonough <jmcd@us.ibm.com>   2002,
10  *  Copyright (C) Simo Sorce                        2003.
11  *  Copyright (C) Gerald (Jerry) Carter             2005.
12  *  Copyright (C) Volker Lendecke                   2005.
13  *  Copyright (C) Guenther Deschner                 2008.
14  *
15  *  This program is free software; you can redistribute it and/or modify
16  *  it under the terms of the GNU General Public License as published by
17  *  the Free Software Foundation; either version 3 of the License, or
18  *  (at your option) any later version.
19  *
20  *  This program is distributed in the hope that it will be useful,
21  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
22  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
23  *  GNU General Public License for more details.
24  *
25  *  You should have received a copy of the GNU General Public License
26  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
27  */
28
29 /* This is the implementation of the lsa server code. */
30
31 #include "includes.h"
32
33 #undef DBGC_CLASS
34 #define DBGC_CLASS DBGC_RPC_SRV
35
36 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
37
38 extern PRIVS privs[];
39
40 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
41
42 struct lsa_info {
43         DOM_SID sid;
44         uint32 access;
45         enum lsa_handle_type type;
46 };
47
48 const struct generic_mapping lsa_account_mapping = {
49         LSA_ACCOUNT_READ,
50         LSA_ACCOUNT_WRITE,
51         LSA_ACCOUNT_EXECUTE,
52         LSA_ACCOUNT_ALL_ACCESS
53 };
54
55 const struct generic_mapping lsa_policy_mapping = {
56         LSA_POLICY_READ,
57         LSA_POLICY_WRITE,
58         LSA_POLICY_EXECUTE,
59         LSA_POLICY_ALL_ACCESS
60 };
61
62 /***************************************************************************
63  init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
64 ***************************************************************************/
65
66 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
67                                     struct lsa_RefDomainList *ref,
68                                     const char *dom_name,
69                                     DOM_SID *dom_sid)
70 {
71         int num = 0;
72
73         if (dom_name != NULL) {
74                 for (num = 0; num < ref->count; num++) {
75                         if (sid_equal(dom_sid, ref->domains[num].sid)) {
76                                 return num;
77                         }
78                 }
79         } else {
80                 num = ref->count;
81         }
82
83         if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
84                 /* index not found, already at maximum domain limit */
85                 return -1;
86         }
87
88         ref->count = num + 1;
89         ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
90
91         ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
92                                             struct lsa_DomainInfo, ref->count);
93         if (!ref->domains) {
94                 return -1;
95         }
96
97         ZERO_STRUCT(ref->domains[num]);
98
99         init_lsa_StringLarge(&ref->domains[num].name, dom_name);
100         ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
101         if (!ref->domains[num].sid) {
102                 return -1;
103         }
104
105         return num;
106 }
107
108
109 /***************************************************************************
110  initialize a lsa_DomainInfo structure.
111  ***************************************************************************/
112
113 static void init_dom_query_3(struct lsa_DomainInfo *r,
114                              const char *name,
115                              DOM_SID *sid)
116 {
117         init_lsa_StringLarge(&r->name, name);
118         r->sid = sid;
119 }
120
121 /***************************************************************************
122  initialize a lsa_DomainInfo structure.
123  ***************************************************************************/
124
125 static void init_dom_query_5(struct lsa_DomainInfo *r,
126                              const char *name,
127                              DOM_SID *sid)
128 {
129         init_lsa_StringLarge(&r->name, name);
130         r->sid = sid;
131 }
132
133 /***************************************************************************
134  lookup_lsa_rids. Must be called as root for lookup_name to work.
135  ***************************************************************************/
136
137 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
138                                 struct lsa_RefDomainList *ref,
139                                 struct lsa_TranslatedSid *prid,
140                                 uint32_t num_entries,
141                                 struct lsa_String *name,
142                                 int flags,
143                                 uint32_t *pmapped_count)
144 {
145         uint32 mapped_count, i;
146
147         SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
148
149         mapped_count = 0;
150         *pmapped_count = 0;
151
152         for (i = 0; i < num_entries; i++) {
153                 DOM_SID sid;
154                 uint32 rid;
155                 int dom_idx;
156                 const char *full_name;
157                 const char *domain;
158                 enum lsa_SidType type = SID_NAME_UNKNOWN;
159
160                 /* Split name into domain and user component */
161
162                 /* follow w2k8 behavior and return the builtin domain when no
163                  * input has been passed in */
164
165                 if (name[i].string) {
166                         full_name = name[i].string;
167                 } else {
168                         full_name = "BUILTIN";
169                 }
170
171                 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
172
173                 /* We can ignore the result of lookup_name, it will not touch
174                    "type" if it's not successful */
175
176                 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
177                             &sid, &type);
178
179                 switch (type) {
180                 case SID_NAME_USER:
181                 case SID_NAME_DOM_GRP:
182                 case SID_NAME_DOMAIN:
183                 case SID_NAME_ALIAS:
184                 case SID_NAME_WKN_GRP:
185                         DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
186                         /* Leave these unchanged */
187                         break;
188                 default:
189                         /* Don't hand out anything but the list above */
190                         DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
191                         type = SID_NAME_UNKNOWN;
192                         break;
193                 }
194
195                 rid = 0;
196                 dom_idx = -1;
197
198                 if (type != SID_NAME_UNKNOWN) {
199                         if (type == SID_NAME_DOMAIN) {
200                                 rid = (uint32_t)-1;
201                         } else {
202                                 sid_split_rid(&sid, &rid);
203                         }
204                         dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
205                         mapped_count++;
206                 }
207
208                 prid[i].sid_type        = type;
209                 prid[i].rid             = rid;
210                 prid[i].sid_index       = dom_idx;
211         }
212
213         *pmapped_count = mapped_count;
214         return NT_STATUS_OK;
215 }
216
217 /***************************************************************************
218  lookup_lsa_sids. Must be called as root for lookup_name to work.
219  ***************************************************************************/
220
221 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
222                                 struct lsa_RefDomainList *ref,
223                                 struct lsa_TranslatedSid3 *trans_sids,
224                                 uint32_t num_entries,
225                                 struct lsa_String *name,
226                                 int flags,
227                                 uint32 *pmapped_count)
228 {
229         uint32 mapped_count, i;
230
231         SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
232
233         mapped_count = 0;
234         *pmapped_count = 0;
235
236         for (i = 0; i < num_entries; i++) {
237                 DOM_SID sid;
238                 uint32 rid;
239                 int dom_idx;
240                 const char *full_name;
241                 const char *domain;
242                 enum lsa_SidType type = SID_NAME_UNKNOWN;
243
244                 ZERO_STRUCT(sid);
245
246                 /* Split name into domain and user component */
247
248                 full_name = name[i].string;
249                 if (full_name == NULL) {
250                         return NT_STATUS_NO_MEMORY;
251                 }
252
253                 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
254
255                 /* We can ignore the result of lookup_name, it will not touch
256                    "type" if it's not successful */
257
258                 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
259                             &sid, &type);
260
261                 switch (type) {
262                 case SID_NAME_USER:
263                 case SID_NAME_DOM_GRP:
264                 case SID_NAME_DOMAIN:
265                 case SID_NAME_ALIAS:
266                 case SID_NAME_WKN_GRP:
267                         DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
268                         /* Leave these unchanged */
269                         break;
270                 default:
271                         /* Don't hand out anything but the list above */
272                         DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
273                         type = SID_NAME_UNKNOWN;
274                         break;
275                 }
276
277                 rid = 0;
278                 dom_idx = -1;
279
280                 if (type != SID_NAME_UNKNOWN) {
281                         DOM_SID domain_sid;
282                         sid_copy(&domain_sid, &sid);
283                         sid_split_rid(&domain_sid, &rid);
284                         dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
285                         mapped_count++;
286                 }
287
288                 /* Initialize the lsa_TranslatedSid3 return. */
289                 trans_sids[i].sid_type = type;
290                 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
291                 trans_sids[i].sid_index = dom_idx;
292         }
293
294         *pmapped_count = mapped_count;
295         return NT_STATUS_OK;
296 }
297
298 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size,
299                                         const struct generic_mapping *map,
300                                         DOM_SID *sid, uint32_t sid_access)
301 {
302         DOM_SID adm_sid;
303         SEC_ACE ace[5];
304         size_t i = 0;
305
306         SEC_ACL *psa = NULL;
307
308         /* READ|EXECUTE access for Everyone */
309
310         init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
311                         map->generic_execute | map->generic_read, 0);
312
313         /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
314
315         init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
316                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
317         init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
318                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
319
320         /* Add Full Access for Domain Admins */
321         sid_copy(&adm_sid, get_global_sam_sid());
322         sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
323         init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
324                         map->generic_all, 0);
325
326         /* If we have a sid, give it some special access */
327
328         if (sid) {
329                 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
330                         sid_access, 0);
331         }
332
333         if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
334                 return NT_STATUS_NO_MEMORY;
335
336         if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
337                                 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
338                                 psa, sd_size)) == NULL)
339                 return NT_STATUS_NO_MEMORY;
340
341         return NT_STATUS_OK;
342 }
343
344
345 /***************************************************************************
346  _lsa_OpenPolicy2
347  ***************************************************************************/
348
349 NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
350                           struct lsa_OpenPolicy2 *r)
351 {
352         struct lsa_info *info;
353         SEC_DESC *psd = NULL;
354         size_t sd_size;
355         uint32 des_access = r->in.access_mask;
356         uint32 acc_granted;
357         NTSTATUS status;
358
359         /* Work out max allowed. */
360         map_max_allowed_access(p->server_info->ptok,
361                                &p->server_info->utok,
362                                &des_access);
363
364         /* map the generic bits to the lsa policy ones */
365         se_map_generic(&des_access, &lsa_policy_mapping);
366
367         /* get the generic lsa policy SD until we store it */
368         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
369                         NULL, 0);
370         if (!NT_STATUS_IS_OK(status)) {
371                 return status;
372         }
373
374         status = access_check_object(psd, p->server_info->ptok,
375                 NULL, 0, des_access,
376                 &acc_granted, "_lsa_OpenPolicy2" );
377
378         if (!NT_STATUS_IS_OK(status)) {
379                 return status;
380         }
381
382         /* associate the domain SID with the (unique) handle. */
383         info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
384         if (info == NULL) {
385                 return NT_STATUS_NO_MEMORY;
386         }
387
388         sid_copy(&info->sid,get_global_sam_sid());
389         info->access = acc_granted;
390         info->type = LSA_HANDLE_POLICY_TYPE;
391
392         /* set up the LSA QUERY INFO response */
393         if (!create_policy_hnd(p, r->out.handle, info))
394                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
395
396         return NT_STATUS_OK;
397 }
398
399 /***************************************************************************
400  _lsa_OpenPolicy
401  ***************************************************************************/
402
403 NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
404                          struct lsa_OpenPolicy *r)
405 {
406         struct lsa_OpenPolicy2 o;
407
408         o.in.system_name        = NULL; /* should be ignored */
409         o.in.attr               = r->in.attr;
410         o.in.access_mask        = r->in.access_mask;
411
412         o.out.handle            = r->out.handle;
413
414         return _lsa_OpenPolicy2(p, &o);
415 }
416
417 /***************************************************************************
418  _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
419  ufff, done :)  mimir
420  ***************************************************************************/
421
422 NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
423                            struct lsa_EnumTrustDom *r)
424 {
425         struct lsa_info *info;
426         uint32_t count;
427         struct trustdom_info **domains;
428         struct lsa_DomainInfo *entries;
429         int i;
430         NTSTATUS nt_status;
431
432         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
433                 return NT_STATUS_INVALID_HANDLE;
434
435         if (info->type != LSA_HANDLE_POLICY_TYPE) {
436                 return NT_STATUS_INVALID_HANDLE;
437         }
438
439         /* check if the user has enough rights */
440         if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
441                 return NT_STATUS_ACCESS_DENIED;
442
443         become_root();
444         nt_status = pdb_enum_trusteddoms(p->mem_ctx, &count, &domains);
445         unbecome_root();
446
447         if (!NT_STATUS_IS_OK(nt_status)) {
448                 return nt_status;
449         }
450
451         entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo, count);
452         if (!entries) {
453                 return NT_STATUS_NO_MEMORY;
454         }
455
456         for (i=0; i<count; i++) {
457                 init_lsa_StringLarge(&entries[i].name, domains[i]->name);
458                 entries[i].sid = &domains[i]->sid;
459         }
460
461         if (*r->in.resume_handle >= count) {
462                 *r->out.resume_handle = -1;
463                 TALLOC_FREE(entries);
464                 return NT_STATUS_NO_MORE_ENTRIES;
465         }
466
467         /* return the rest, limit by max_size. Note that we
468            use the w2k3 element size value of 60 */
469         r->out.domains->count = count - *r->in.resume_handle;
470         r->out.domains->count = MIN(r->out.domains->count,
471                                  1+(r->in.max_size/LSA_ENUM_TRUST_DOMAIN_MULTIPLIER));
472
473         r->out.domains->domains = entries + *r->in.resume_handle;
474
475         if (r->out.domains->count < count - *r->in.resume_handle) {
476                 *r->out.resume_handle = *r->in.resume_handle + r->out.domains->count;
477                 return STATUS_MORE_ENTRIES;
478         }
479
480         return NT_STATUS_OK;
481 }
482
483 #define LSA_AUDIT_NUM_CATEGORIES_NT4    7
484 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K  9
485 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
486
487 /***************************************************************************
488  _lsa_QueryInfoPolicy
489  ***************************************************************************/
490
491 NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
492                               struct lsa_QueryInfoPolicy *r)
493 {
494         NTSTATUS status = NT_STATUS_OK;
495         struct lsa_info *handle;
496         DOM_SID domain_sid;
497         const char *name;
498         DOM_SID *sid = NULL;
499         union lsa_PolicyInformation *info = NULL;
500         uint32_t acc_required = 0;
501
502         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
503                 return NT_STATUS_INVALID_HANDLE;
504
505         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
506                 return NT_STATUS_INVALID_HANDLE;
507         }
508
509         switch (r->in.level) {
510         case LSA_POLICY_INFO_AUDIT_LOG:
511         case LSA_POLICY_INFO_AUDIT_EVENTS:
512                 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
513                 break;
514         case LSA_POLICY_INFO_DOMAIN:
515                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
516                 break;
517         case LSA_POLICY_INFO_PD:
518                 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
519                 break;
520         case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
521                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
522                 break;
523         case LSA_POLICY_INFO_ROLE:
524         case LSA_POLICY_INFO_REPLICA:
525                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
526                 break;
527         case LSA_POLICY_INFO_QUOTA:
528                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
529                 break;
530         case LSA_POLICY_INFO_MOD:
531         case LSA_POLICY_INFO_AUDIT_FULL_SET:
532                 /* according to MS-LSAD 3.1.4.4.3 */
533                 return NT_STATUS_INVALID_PARAMETER;
534         case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
535                 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
536                 break;
537         case LSA_POLICY_INFO_DNS:
538         case LSA_POLICY_INFO_DNS_INT:
539         case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
540                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
541                 break;
542         default:
543                 break;
544         }
545
546         if (!(handle->access & acc_required)) {
547                 /* return NT_STATUS_ACCESS_DENIED; */
548         }
549
550         info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
551         if (!info) {
552                 return NT_STATUS_NO_MEMORY;
553         }
554
555         switch (r->in.level) {
556         case LSA_POLICY_INFO_AUDIT_EVENTS:
557                 {
558
559                 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
560
561                 /* check if the user has enough rights */
562                 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
563                         DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
564                         return NT_STATUS_ACCESS_DENIED;
565                 }
566
567                 /* fake info: We audit everything. ;) */
568
569                 info->audit_events.auditing_mode = true;
570                 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
571                 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
572                                                                 enum lsa_PolicyAuditPolicy,
573                                                                 info->audit_events.count);
574                 if (!info->audit_events.settings) {
575                         return NT_STATUS_NO_MEMORY;
576                 }
577
578                 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
579                 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
580                 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
581                 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
582                 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
583                 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
584                 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
585
586                 break;
587                 }
588         case LSA_POLICY_INFO_DOMAIN:
589                 /* check if the user has enough rights */
590                 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
591                         return NT_STATUS_ACCESS_DENIED;
592
593                 /* Request PolicyPrimaryDomainInformation. */
594                 switch (lp_server_role()) {
595                         case ROLE_DOMAIN_PDC:
596                         case ROLE_DOMAIN_BDC:
597                                 name = get_global_sam_name();
598                                 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
599                                 if (!sid) {
600                                         return NT_STATUS_NO_MEMORY;
601                                 }
602                                 break;
603                         case ROLE_DOMAIN_MEMBER:
604                                 name = lp_workgroup();
605                                 /* We need to return the Domain SID here. */
606                                 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
607                                         sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
608                                         if (!sid) {
609                                                 return NT_STATUS_NO_MEMORY;
610                                         }
611                                 } else {
612                                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
613                                 }
614                                 break;
615                         case ROLE_STANDALONE:
616                                 name = lp_workgroup();
617                                 sid = NULL;
618                                 break;
619                         default:
620                                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
621                 }
622                 init_dom_query_3(&info->domain, name, sid);
623                 break;
624         case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
625                 /* check if the user has enough rights */
626                 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
627                         return NT_STATUS_ACCESS_DENIED;
628
629                 /* Request PolicyAccountDomainInformation. */
630                 name = get_global_sam_name();
631                 sid = get_global_sam_sid();
632
633                 init_dom_query_5(&info->account_domain, name, sid);
634                 break;
635         case LSA_POLICY_INFO_ROLE:
636                 /* check if the user has enough rights */
637                 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
638                         return NT_STATUS_ACCESS_DENIED;
639
640                 switch (lp_server_role()) {
641                         case ROLE_DOMAIN_BDC:
642                                 /*
643                                  * only a BDC is a backup controller
644                                  * of the domain, it controls.
645                                  */
646                                 info->role.role = LSA_ROLE_BACKUP;
647                                 break;
648                         default:
649                                 /*
650                                  * any other role is a primary
651                                  * of the domain, it controls.
652                                  */
653                                 info->role.role = LSA_ROLE_PRIMARY;
654                                 break;
655                 }
656                 break;
657         case LSA_POLICY_INFO_DNS:
658         case LSA_POLICY_INFO_DNS_INT: {
659                 struct pdb_domain_info *dominfo;
660
661                 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
662                         DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
663                                    "without ADS passdb backend\n"));
664                         status = NT_STATUS_INVALID_INFO_CLASS;
665                         break;
666                 }
667
668                 dominfo = pdb_get_domain_info(info);
669                 if (dominfo == NULL) {
670                         status = NT_STATUS_NO_MEMORY;
671                         break;
672                 }
673
674                 init_lsa_StringLarge(&info->dns.name,
675                                      dominfo->name);
676                 init_lsa_StringLarge(&info->dns.dns_domain,
677                                      dominfo->dns_domain);
678                 init_lsa_StringLarge(&info->dns.dns_forest,
679                                      dominfo->dns_forest);
680                 info->dns.domain_guid = dominfo->guid;
681                 info->dns.sid = &dominfo->sid;
682                 break;
683         }
684         default:
685                 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
686                         r->in.level));
687                 status = NT_STATUS_INVALID_INFO_CLASS;
688                 break;
689         }
690
691         *r->out.info = info;
692
693         return status;
694 }
695
696 /***************************************************************************
697  _lsa_QueryInfoPolicy2
698  ***************************************************************************/
699
700 NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p,
701                                struct lsa_QueryInfoPolicy2 *r2)
702 {
703         struct lsa_QueryInfoPolicy r;
704
705         if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
706                 p->rng_fault_state = True;
707                 return NT_STATUS_NOT_IMPLEMENTED;
708         }
709
710         ZERO_STRUCT(r);
711         r.in.handle = r2->in.handle;
712         r.in.level = r2->in.level;
713         r.out.info = r2->out.info;
714
715         return _lsa_QueryInfoPolicy(p, &r);
716 }
717
718 /***************************************************************************
719  _lsa_lookup_sids_internal
720  ***************************************************************************/
721
722 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
723                                           TALLOC_CTX *mem_ctx,
724                                           uint16_t level,                       /* input */
725                                           int num_sids,                         /* input */
726                                           struct lsa_SidPtr *sid,               /* input */
727                                           struct lsa_RefDomainList **pp_ref,    /* input/output */
728                                           struct lsa_TranslatedName2 **pp_names,/* input/output */
729                                           uint32_t *pp_mapped_count)            /* input/output */
730 {
731         NTSTATUS status;
732         int i;
733         const DOM_SID **sids = NULL;
734         struct lsa_RefDomainList *ref = NULL;
735         uint32 mapped_count = 0;
736         struct lsa_dom_info *dom_infos = NULL;
737         struct lsa_name_info *name_infos = NULL;
738         struct lsa_TranslatedName2 *names = NULL;
739
740         *pp_mapped_count = 0;
741         *pp_names = NULL;
742         *pp_ref = NULL;
743
744         if (num_sids == 0) {
745                 return NT_STATUS_OK;
746         }
747
748         sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
749         ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
750
751         if (sids == NULL || ref == NULL) {
752                 return NT_STATUS_NO_MEMORY;
753         }
754
755         for (i=0; i<num_sids; i++) {
756                 sids[i] = sid[i].sid;
757         }
758
759         status = lookup_sids(p->mem_ctx, num_sids, sids, level,
760                                   &dom_infos, &name_infos);
761
762         if (!NT_STATUS_IS_OK(status)) {
763                 return status;
764         }
765
766         names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
767         if (names == NULL) {
768                 return NT_STATUS_NO_MEMORY;
769         }
770
771         for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
772
773                 if (!dom_infos[i].valid) {
774                         break;
775                 }
776
777                 if (init_lsa_ref_domain_list(mem_ctx, ref,
778                                              dom_infos[i].name,
779                                              &dom_infos[i].sid) != i) {
780                         DEBUG(0, ("Domain %s mentioned twice??\n",
781                                   dom_infos[i].name));
782                         return NT_STATUS_INTERNAL_ERROR;
783                 }
784         }
785
786         for (i=0; i<num_sids; i++) {
787                 struct lsa_name_info *name = &name_infos[i];
788
789                 if (name->type == SID_NAME_UNKNOWN) {
790                         fstring tmp;
791                         name->dom_idx = -1;
792                         /* Unknown sids should return the string
793                          * representation of the SID. Windows 2003 behaves
794                          * rather erratic here, in many cases it returns the
795                          * RID as 8 bytes hex, in others it returns the full
796                          * SID. We (Jerry/VL) could not figure out which the
797                          * hard cases are, so leave it with the SID.  */
798                         name->name = talloc_asprintf(p->mem_ctx, "%s",
799                                                      sid_to_fstring(tmp,
800                                                                     sids[i]));
801                         if (name->name == NULL) {
802                                 return NT_STATUS_NO_MEMORY;
803                         }
804                 } else {
805                         mapped_count += 1;
806                 }
807
808                 names[i].sid_type       = name->type;
809                 names[i].name.string    = name->name;
810                 names[i].sid_index      = name->dom_idx;
811                 names[i].unknown        = 0;
812         }
813
814         status = NT_STATUS_NONE_MAPPED;
815         if (mapped_count > 0) {
816                 status = (mapped_count < num_sids) ?
817                         STATUS_SOME_UNMAPPED : NT_STATUS_OK;
818         }
819
820         DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
821                    num_sids, mapped_count, nt_errstr(status)));
822
823         *pp_mapped_count = mapped_count;
824         *pp_names = names;
825         *pp_ref = ref;
826
827         return status;
828 }
829
830 /***************************************************************************
831  _lsa_LookupSids
832  ***************************************************************************/
833
834 NTSTATUS _lsa_LookupSids(pipes_struct *p,
835                          struct lsa_LookupSids *r)
836 {
837         NTSTATUS status;
838         struct lsa_info *handle;
839         int num_sids = r->in.sids->num_sids;
840         uint32 mapped_count = 0;
841         struct lsa_RefDomainList *domains = NULL;
842         struct lsa_TranslatedName *names_out = NULL;
843         struct lsa_TranslatedName2 *names = NULL;
844         int i;
845
846         if ((r->in.level < 1) || (r->in.level > 6)) {
847                 return NT_STATUS_INVALID_PARAMETER;
848         }
849
850         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
851                 return NT_STATUS_INVALID_HANDLE;
852         }
853
854         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
855                 return NT_STATUS_INVALID_HANDLE;
856         }
857
858         /* check if the user has enough rights */
859         if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
860                 return NT_STATUS_ACCESS_DENIED;
861         }
862
863         if (num_sids >  MAX_LOOKUP_SIDS) {
864                 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
865                          MAX_LOOKUP_SIDS, num_sids));
866                 return NT_STATUS_NONE_MAPPED;
867         }
868
869         status = _lsa_lookup_sids_internal(p,
870                                            p->mem_ctx,
871                                            r->in.level,
872                                            num_sids,
873                                            r->in.sids->sids,
874                                            &domains,
875                                            &names,
876                                            &mapped_count);
877
878         /* Only return here when there is a real error.
879            NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
880            the requested sids could be resolved. Older versions of XP (pre SP3)
881            rely that we return with the string representations of those SIDs in
882            that case. If we don't, XP crashes - Guenther
883            */
884
885         if (NT_STATUS_IS_ERR(status) &&
886             !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
887                 return status;
888         }
889
890         /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
891         names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
892                                  num_sids);
893         if (!names_out) {
894                 return NT_STATUS_NO_MEMORY;
895         }
896
897         for (i=0; i<num_sids; i++) {
898                 names_out[i].sid_type = names[i].sid_type;
899                 names_out[i].name = names[i].name;
900                 names_out[i].sid_index = names[i].sid_index;
901         }
902
903         *r->out.domains = domains;
904         r->out.names->count = num_sids;
905         r->out.names->names = names_out;
906         *r->out.count = mapped_count;
907
908         return status;
909 }
910
911 /***************************************************************************
912  _lsa_LookupSids2
913  ***************************************************************************/
914
915 NTSTATUS _lsa_LookupSids2(pipes_struct *p,
916                           struct lsa_LookupSids2 *r)
917 {
918         NTSTATUS status;
919         struct lsa_info *handle;
920         int num_sids = r->in.sids->num_sids;
921         uint32 mapped_count = 0;
922         struct lsa_RefDomainList *domains = NULL;
923         struct lsa_TranslatedName2 *names = NULL;
924         bool check_policy = true;
925
926         switch (p->hdr_req.opnum) {
927                 case NDR_LSA_LOOKUPSIDS3:
928                         check_policy = false;
929                         break;
930                 case NDR_LSA_LOOKUPSIDS2:
931                 default:
932                         check_policy = true;
933         }
934
935         if ((r->in.level < 1) || (r->in.level > 6)) {
936                 return NT_STATUS_INVALID_PARAMETER;
937         }
938
939         if (check_policy) {
940                 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
941                         return NT_STATUS_INVALID_HANDLE;
942                 }
943
944                 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
945                         return NT_STATUS_INVALID_HANDLE;
946                 }
947
948                 /* check if the user has enough rights */
949                 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
950                         return NT_STATUS_ACCESS_DENIED;
951                 }
952         }
953
954         if (num_sids >  MAX_LOOKUP_SIDS) {
955                 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
956                          MAX_LOOKUP_SIDS, num_sids));
957                 return NT_STATUS_NONE_MAPPED;
958         }
959
960         status = _lsa_lookup_sids_internal(p,
961                                            p->mem_ctx,
962                                            r->in.level,
963                                            num_sids,
964                                            r->in.sids->sids,
965                                            &domains,
966                                            &names,
967                                            &mapped_count);
968
969         *r->out.domains = domains;
970         r->out.names->count = num_sids;
971         r->out.names->names = names;
972         *r->out.count = mapped_count;
973
974         return status;
975 }
976
977 /***************************************************************************
978  _lsa_LookupSids3
979  ***************************************************************************/
980
981 NTSTATUS _lsa_LookupSids3(pipes_struct *p,
982                           struct lsa_LookupSids3 *r)
983 {
984         struct lsa_LookupSids2 q;
985
986         /* No policy handle on this call. Restrict to crypto connections. */
987         if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
988                 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
989                         get_remote_machine_name() ));
990                 return NT_STATUS_INVALID_PARAMETER;
991         }
992
993         q.in.handle             = NULL;
994         q.in.sids               = r->in.sids;
995         q.in.level              = r->in.level;
996         q.in.lookup_options     = r->in.lookup_options;
997         q.in.client_revision    = r->in.client_revision;
998         q.in.names              = r->in.names;
999         q.in.count              = r->in.count;
1000
1001         q.out.domains           = r->out.domains;
1002         q.out.names             = r->out.names;
1003         q.out.count             = r->out.count;
1004
1005         return _lsa_LookupSids2(p, &q);
1006 }
1007
1008 /***************************************************************************
1009  ***************************************************************************/
1010
1011 static int lsa_lookup_level_to_flags(uint16 level)
1012 {
1013         int flags;
1014
1015         switch (level) {
1016                 case 1:
1017                         flags = LOOKUP_NAME_ALL;
1018                         break;
1019                 case 2:
1020                         flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1021                         break;
1022                 case 3:
1023                         flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1024                         break;
1025                 case 4:
1026                 case 5:
1027                 case 6:
1028                 default:
1029                         flags = LOOKUP_NAME_NONE;
1030                         break;
1031         }
1032
1033         return flags;
1034 }
1035
1036 /***************************************************************************
1037  _lsa_LookupNames
1038  ***************************************************************************/
1039
1040 NTSTATUS _lsa_LookupNames(pipes_struct *p,
1041                           struct lsa_LookupNames *r)
1042 {
1043         NTSTATUS status = NT_STATUS_NONE_MAPPED;
1044         struct lsa_info *handle;
1045         struct lsa_String *names = r->in.names;
1046         uint32 num_entries = r->in.num_names;
1047         struct lsa_RefDomainList *domains = NULL;
1048         struct lsa_TranslatedSid *rids = NULL;
1049         uint32 mapped_count = 0;
1050         int flags = 0;
1051
1052         if (num_entries >  MAX_LOOKUP_SIDS) {
1053                 num_entries = MAX_LOOKUP_SIDS;
1054                 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1055                         num_entries));
1056         }
1057
1058         flags = lsa_lookup_level_to_flags(r->in.level);
1059
1060         domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1061         if (!domains) {
1062                 return NT_STATUS_NO_MEMORY;
1063         }
1064
1065         if (num_entries) {
1066                 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1067                                          num_entries);
1068                 if (!rids) {
1069                         return NT_STATUS_NO_MEMORY;
1070                 }
1071         } else {
1072                 rids = NULL;
1073         }
1074
1075         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1076                 status = NT_STATUS_INVALID_HANDLE;
1077                 goto done;
1078         }
1079
1080         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1081                 return NT_STATUS_INVALID_HANDLE;
1082         }
1083
1084         /* check if the user has enough rights */
1085         if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1086                 status = NT_STATUS_ACCESS_DENIED;
1087                 goto done;
1088         }
1089
1090         /* set up the LSA Lookup RIDs response */
1091         become_root(); /* lookup_name can require root privs */
1092         status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1093                                  names, flags, &mapped_count);
1094         unbecome_root();
1095
1096 done:
1097
1098         if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1099                 if (mapped_count == 0) {
1100                         status = NT_STATUS_NONE_MAPPED;
1101                 } else if (mapped_count != num_entries) {
1102                         status = STATUS_SOME_UNMAPPED;
1103                 }
1104         }
1105
1106         *r->out.count = mapped_count;
1107         *r->out.domains = domains;
1108         r->out.sids->sids = rids;
1109         r->out.sids->count = num_entries;
1110
1111         return status;
1112 }
1113
1114 /***************************************************************************
1115  _lsa_LookupNames2
1116  ***************************************************************************/
1117
1118 NTSTATUS _lsa_LookupNames2(pipes_struct *p,
1119                            struct lsa_LookupNames2 *r)
1120 {
1121         NTSTATUS status;
1122         struct lsa_LookupNames q;
1123         struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1124         struct lsa_TransSidArray *sid_array = NULL;
1125         uint32_t i;
1126
1127         sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1128         if (!sid_array) {
1129                 return NT_STATUS_NO_MEMORY;
1130         }
1131
1132         q.in.handle             = r->in.handle;
1133         q.in.num_names          = r->in.num_names;
1134         q.in.names              = r->in.names;
1135         q.in.level              = r->in.level;
1136         q.in.sids               = sid_array;
1137         q.in.count              = r->in.count;
1138         /* we do not know what this is for */
1139         /*                      = r->in.unknown1; */
1140         /*                      = r->in.unknown2; */
1141
1142         q.out.domains           = r->out.domains;
1143         q.out.sids              = sid_array;
1144         q.out.count             = r->out.count;
1145
1146         status = _lsa_LookupNames(p, &q);
1147
1148         sid_array2->count = sid_array->count;
1149         sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1150         if (!sid_array2->sids) {
1151                 return NT_STATUS_NO_MEMORY;
1152         }
1153
1154         for (i=0; i<sid_array->count; i++) {
1155                 sid_array2->sids[i].sid_type  = sid_array->sids[i].sid_type;
1156                 sid_array2->sids[i].rid       = sid_array->sids[i].rid;
1157                 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1158                 sid_array2->sids[i].unknown   = 0;
1159         }
1160
1161         r->out.sids = sid_array2;
1162
1163         return status;
1164 }
1165
1166 /***************************************************************************
1167  _lsa_LookupNames3
1168  ***************************************************************************/
1169
1170 NTSTATUS _lsa_LookupNames3(pipes_struct *p,
1171                            struct lsa_LookupNames3 *r)
1172 {
1173         NTSTATUS status;
1174         struct lsa_info *handle;
1175         struct lsa_String *names = r->in.names;
1176         uint32 num_entries = r->in.num_names;
1177         struct lsa_RefDomainList *domains = NULL;
1178         struct lsa_TranslatedSid3 *trans_sids = NULL;
1179         uint32 mapped_count = 0;
1180         int flags = 0;
1181         bool check_policy = true;
1182
1183         switch (p->hdr_req.opnum) {
1184                 case NDR_LSA_LOOKUPNAMES4:
1185                         check_policy = false;
1186                         break;
1187                 case NDR_LSA_LOOKUPNAMES3:
1188                 default:
1189                         check_policy = true;
1190         }
1191
1192         if (num_entries >  MAX_LOOKUP_SIDS) {
1193                 num_entries = MAX_LOOKUP_SIDS;
1194                 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1195         }
1196
1197         /* Probably the lookup_level is some sort of bitmask. */
1198         if (r->in.level == 1) {
1199                 flags = LOOKUP_NAME_ALL;
1200         }
1201
1202         domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1203         if (!domains) {
1204                 return NT_STATUS_NO_MEMORY;
1205         }
1206
1207         if (num_entries) {
1208                 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1209                                                num_entries);
1210                 if (!trans_sids) {
1211                         return NT_STATUS_NO_MEMORY;
1212                 }
1213         } else {
1214                 trans_sids = NULL;
1215         }
1216
1217         if (check_policy) {
1218
1219                 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1220                         status = NT_STATUS_INVALID_HANDLE;
1221                         goto done;
1222                 }
1223
1224                 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1225                         return NT_STATUS_INVALID_HANDLE;
1226                 }
1227
1228                 /* check if the user has enough rights */
1229                 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1230                         status = NT_STATUS_ACCESS_DENIED;
1231                         goto done;
1232                 }
1233         }
1234
1235         /* set up the LSA Lookup SIDs response */
1236         become_root(); /* lookup_name can require root privs */
1237         status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1238                                  names, flags, &mapped_count);
1239         unbecome_root();
1240
1241 done:
1242
1243         if (NT_STATUS_IS_OK(status)) {
1244                 if (mapped_count == 0) {
1245                         status = NT_STATUS_NONE_MAPPED;
1246                 } else if (mapped_count != num_entries) {
1247                         status = STATUS_SOME_UNMAPPED;
1248                 }
1249         }
1250
1251         *r->out.count = mapped_count;
1252         *r->out.domains = domains;
1253         r->out.sids->sids = trans_sids;
1254         r->out.sids->count = num_entries;
1255
1256         return status;
1257 }
1258
1259 /***************************************************************************
1260  _lsa_LookupNames4
1261  ***************************************************************************/
1262
1263 NTSTATUS _lsa_LookupNames4(pipes_struct *p,
1264                            struct lsa_LookupNames4 *r)
1265 {
1266         struct lsa_LookupNames3 q;
1267
1268         /* No policy handle on this call. Restrict to crypto connections. */
1269         if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1270                 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1271                         get_remote_machine_name() ));
1272                 return NT_STATUS_INVALID_PARAMETER;
1273         }
1274
1275         q.in.handle             = NULL;
1276         q.in.num_names          = r->in.num_names;
1277         q.in.names              = r->in.names;
1278         q.in.level              = r->in.level;
1279         q.in.lookup_options     = r->in.lookup_options;
1280         q.in.client_revision    = r->in.client_revision;
1281         q.in.sids               = r->in.sids;
1282         q.in.count              = r->in.count;
1283
1284         q.out.domains           = r->out.domains;
1285         q.out.sids              = r->out.sids;
1286         q.out.count             = r->out.count;
1287
1288         return _lsa_LookupNames3(p, &q);
1289 }
1290
1291 /***************************************************************************
1292  _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1293  ***************************************************************************/
1294
1295 NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
1296 {
1297         if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1298                 return NT_STATUS_INVALID_HANDLE;
1299         }
1300
1301         close_policy_hnd(p, r->in.handle);
1302         ZERO_STRUCTP(r->out.handle);
1303         return NT_STATUS_OK;
1304 }
1305
1306 /***************************************************************************
1307  ***************************************************************************/
1308
1309 NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
1310 {
1311         return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1312 }
1313
1314 /***************************************************************************
1315  ***************************************************************************/
1316
1317 NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
1318 {
1319         return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1320 }
1321
1322 /***************************************************************************
1323  ***************************************************************************/
1324
1325 NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
1326 {
1327         return NT_STATUS_ACCESS_DENIED;
1328 }
1329
1330 /***************************************************************************
1331  ***************************************************************************/
1332
1333 NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
1334 {
1335         return NT_STATUS_ACCESS_DENIED;
1336 }
1337
1338 /***************************************************************************
1339  ***************************************************************************/
1340
1341 NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
1342 {
1343         return NT_STATUS_ACCESS_DENIED;
1344 }
1345
1346 /***************************************************************************
1347  _lsa_DeleteObject
1348  ***************************************************************************/
1349
1350 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
1351                            struct lsa_DeleteObject *r)
1352 {
1353         NTSTATUS status;
1354         struct lsa_info *info = NULL;
1355
1356         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1357                 return NT_STATUS_INVALID_HANDLE;
1358         }
1359
1360         if (!(info->access & STD_RIGHT_DELETE_ACCESS)) {
1361                 return NT_STATUS_ACCESS_DENIED;
1362         }
1363
1364         switch (info->type) {
1365         case LSA_HANDLE_ACCOUNT_TYPE:
1366                 status = privilege_delete_account(&info->sid);
1367                 if (!NT_STATUS_IS_OK(status)) {
1368                         DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1369                                 nt_errstr(status)));
1370                         return status;
1371                 }
1372                 break;
1373         default:
1374                 return NT_STATUS_INVALID_HANDLE;
1375         }
1376
1377         close_policy_hnd(p, r->in.handle);
1378         ZERO_STRUCTP(r->out.handle);
1379
1380         return status;
1381 }
1382
1383 /***************************************************************************
1384  _lsa_EnumPrivs
1385  ***************************************************************************/
1386
1387 NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
1388                         struct lsa_EnumPrivs *r)
1389 {
1390         struct lsa_info *handle;
1391         uint32 i;
1392         uint32 enum_context = *r->in.resume_handle;
1393         int num_privs = count_all_privileges();
1394         struct lsa_PrivEntry *entries = NULL;
1395         LUID_ATTR luid;
1396
1397         /* remember that the enum_context starts at 0 and not 1 */
1398
1399         if ( enum_context >= num_privs )
1400                 return NT_STATUS_NO_MORE_ENTRIES;
1401
1402         DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1403                 enum_context, num_privs));
1404
1405         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1406                 return NT_STATUS_INVALID_HANDLE;
1407
1408         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1409                 return NT_STATUS_INVALID_HANDLE;
1410         }
1411
1412         /* check if the user has enough rights
1413            I don't know if it's the right one. not documented.  */
1414
1415         if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1416                 return NT_STATUS_ACCESS_DENIED;
1417
1418         if (num_privs) {
1419                 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1420                 if (!entries) {
1421                         return NT_STATUS_NO_MEMORY;
1422                 }
1423         } else {
1424                 entries = NULL;
1425         }
1426
1427         for (i = 0; i < num_privs; i++) {
1428                 if( i < enum_context) {
1429
1430                         init_lsa_StringLarge(&entries[i].name, NULL);
1431
1432                         entries[i].luid.low = 0;
1433                         entries[i].luid.high = 0;
1434                 } else {
1435
1436                         init_lsa_StringLarge(&entries[i].name, privs[i].name);
1437
1438                         luid = get_privilege_luid( &privs[i].se_priv );
1439
1440                         entries[i].luid.low = luid.luid.low;
1441                         entries[i].luid.high = luid.luid.high;
1442                 }
1443         }
1444
1445         enum_context = num_privs;
1446
1447         *r->out.resume_handle = enum_context;
1448         r->out.privs->count = num_privs;
1449         r->out.privs->privs = entries;
1450
1451         return NT_STATUS_OK;
1452 }
1453
1454 /***************************************************************************
1455  _lsa_LookupPrivDisplayName
1456  ***************************************************************************/
1457
1458 NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
1459                                     struct lsa_LookupPrivDisplayName *r)
1460 {
1461         struct lsa_info *handle;
1462         const char *description;
1463         struct lsa_StringLarge *lsa_name;
1464
1465         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1466                 return NT_STATUS_INVALID_HANDLE;
1467
1468         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1469                 return NT_STATUS_INVALID_HANDLE;
1470         }
1471
1472         /* check if the user has enough rights */
1473
1474         /*
1475          * I don't know if it's the right one. not documented.
1476          */
1477         if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1478                 return NT_STATUS_ACCESS_DENIED;
1479
1480         DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1481
1482         description = get_privilege_dispname(r->in.name->string);
1483         if (!description) {
1484                 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1485                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1486         }
1487
1488         DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1489
1490         lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1491         if (!lsa_name) {
1492                 return NT_STATUS_NO_MEMORY;
1493         }
1494
1495         init_lsa_StringLarge(lsa_name, description);
1496
1497         *r->out.returned_language_id = r->in.language_id;
1498         *r->out.disp_name = lsa_name;
1499
1500         return NT_STATUS_OK;
1501 }
1502
1503 /***************************************************************************
1504  _lsa_EnumAccounts
1505  ***************************************************************************/
1506
1507 NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
1508                            struct lsa_EnumAccounts *r)
1509 {
1510         struct lsa_info *handle;
1511         DOM_SID *sid_list;
1512         int i, j, num_entries;
1513         NTSTATUS status;
1514         struct lsa_SidPtr *sids = NULL;
1515
1516         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1517                 return NT_STATUS_INVALID_HANDLE;
1518
1519         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1520                 return NT_STATUS_INVALID_HANDLE;
1521         }
1522
1523         if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1524                 return NT_STATUS_ACCESS_DENIED;
1525
1526         sid_list = NULL;
1527         num_entries = 0;
1528
1529         /* The only way we can currently find out all the SIDs that have been
1530            privileged is to scan all privileges */
1531
1532         status = privilege_enumerate_accounts(&sid_list, &num_entries);
1533         if (!NT_STATUS_IS_OK(status)) {
1534                 return status;
1535         }
1536
1537         if (*r->in.resume_handle >= num_entries) {
1538                 return NT_STATUS_NO_MORE_ENTRIES;
1539         }
1540
1541         if (num_entries - *r->in.resume_handle) {
1542                 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1543                                          num_entries - *r->in.resume_handle);
1544                 if (!sids) {
1545                         talloc_free(sid_list);
1546                         return NT_STATUS_NO_MEMORY;
1547                 }
1548
1549                 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1550                         sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1551                         if (!sids[j].sid) {
1552                                 talloc_free(sid_list);
1553                                 return NT_STATUS_NO_MEMORY;
1554                         }
1555                 }
1556         }
1557
1558         talloc_free(sid_list);
1559
1560         *r->out.resume_handle = num_entries;
1561         r->out.sids->num_sids = num_entries;
1562         r->out.sids->sids = sids;
1563
1564         return NT_STATUS_OK;
1565 }
1566
1567 /***************************************************************************
1568  _lsa_GetUserName
1569  ***************************************************************************/
1570
1571 NTSTATUS _lsa_GetUserName(pipes_struct *p,
1572                           struct lsa_GetUserName *r)
1573 {
1574         const char *username, *domname;
1575         struct lsa_String *account_name = NULL;
1576         struct lsa_String *authority_name = NULL;
1577
1578         if (r->in.account_name &&
1579            *r->in.account_name) {
1580                 return NT_STATUS_INVALID_PARAMETER;
1581         }
1582
1583         if (r->in.authority_name &&
1584            *r->in.authority_name) {
1585                 return NT_STATUS_INVALID_PARAMETER;
1586         }
1587
1588         if (p->server_info->guest) {
1589                 /*
1590                  * I'm 99% sure this is not the right place to do this,
1591                  * global_sid_Anonymous should probably be put into the token
1592                  * instead of the guest id -- vl
1593                  */
1594                 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1595                                 &domname, &username, NULL)) {
1596                         return NT_STATUS_NO_MEMORY;
1597                 }
1598         } else {
1599                 username = p->server_info->sanitized_username;
1600                 domname = pdb_get_domain(p->server_info->sam_account);
1601         }
1602
1603         account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1604         if (!account_name) {
1605                 return NT_STATUS_NO_MEMORY;
1606         }
1607         init_lsa_String(account_name, username);
1608
1609         if (r->out.authority_name) {
1610                 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1611                 if (!authority_name) {
1612                         return NT_STATUS_NO_MEMORY;
1613                 }
1614                 init_lsa_String(authority_name, domname);
1615         }
1616
1617         *r->out.account_name = account_name;
1618         if (r->out.authority_name) {
1619                 *r->out.authority_name = authority_name;
1620         }
1621
1622         return NT_STATUS_OK;
1623 }
1624
1625 /***************************************************************************
1626  _lsa_CreateAccount
1627  ***************************************************************************/
1628
1629 NTSTATUS _lsa_CreateAccount(pipes_struct *p,
1630                             struct lsa_CreateAccount *r)
1631 {
1632         NTSTATUS status;
1633         struct lsa_info *handle;
1634         struct lsa_info *info;
1635         uint32_t acc_granted;
1636         struct security_descriptor *psd;
1637         size_t sd_size;
1638
1639         /* find the connection policy handle. */
1640         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1641                 return NT_STATUS_INVALID_HANDLE;
1642
1643         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1644                 return NT_STATUS_INVALID_HANDLE;
1645         }
1646
1647         /* check if the user has enough rights */
1648
1649         if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
1650                 return NT_STATUS_ACCESS_DENIED;
1651         }
1652
1653         /* Work out max allowed. */
1654         map_max_allowed_access(p->server_info->ptok,
1655                                &p->server_info->utok,
1656                                &r->in.access_mask);
1657
1658         /* map the generic bits to the lsa policy ones */
1659         se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1660
1661         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1662                                     &lsa_account_mapping,
1663                                     r->in.sid, LSA_POLICY_ALL_ACCESS);
1664         if (!NT_STATUS_IS_OK(status)) {
1665                 return status;
1666         }
1667
1668         status = access_check_object(psd, p->server_info->ptok,
1669                 NULL, 0, r->in.access_mask,
1670                 &acc_granted, "_lsa_CreateAccount");
1671         if (!NT_STATUS_IS_OK(status)) {
1672                 return status;
1673         }
1674
1675         if ( is_privileged_sid( r->in.sid ) )
1676                 return NT_STATUS_OBJECT_NAME_COLLISION;
1677
1678         /* associate the user/group SID with the (unique) handle. */
1679
1680         info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1681         if (info == NULL) {
1682                 return NT_STATUS_NO_MEMORY;
1683         }
1684
1685         info->sid = *r->in.sid;
1686         info->access = acc_granted;
1687         info->type = LSA_HANDLE_ACCOUNT_TYPE;
1688
1689         /* get a (unique) handle.  open a policy on it. */
1690         if (!create_policy_hnd(p, r->out.acct_handle, info))
1691                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1692
1693         return privilege_create_account( &info->sid );
1694 }
1695
1696 /***************************************************************************
1697  _lsa_OpenAccount
1698  ***************************************************************************/
1699
1700 NTSTATUS _lsa_OpenAccount(pipes_struct *p,
1701                           struct lsa_OpenAccount *r)
1702 {
1703         struct lsa_info *handle;
1704         struct lsa_info *info;
1705         SEC_DESC *psd = NULL;
1706         size_t sd_size;
1707         uint32_t des_access = r->in.access_mask;
1708         uint32_t acc_granted;
1709         NTSTATUS status;
1710
1711         /* find the connection policy handle. */
1712         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1713                 return NT_STATUS_INVALID_HANDLE;
1714
1715         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1716                 return NT_STATUS_INVALID_HANDLE;
1717         }
1718
1719         /* des_access is for the account here, not the policy
1720          * handle - so don't check against policy handle. */
1721
1722         /* Work out max allowed. */
1723         map_max_allowed_access(p->server_info->ptok,
1724                                &p->server_info->utok,
1725                                &des_access);
1726
1727         /* map the generic bits to the lsa account ones */
1728         se_map_generic(&des_access, &lsa_account_mapping);
1729
1730         /* get the generic lsa account SD until we store it */
1731         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1732                                 &lsa_account_mapping,
1733                                 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1734         if (!NT_STATUS_IS_OK(status)) {
1735                 return status;
1736         }
1737
1738         status = access_check_object(psd, p->server_info->ptok,
1739                 NULL, 0, des_access,
1740                 &acc_granted, "_lsa_OpenAccount" );
1741
1742         if (!NT_STATUS_IS_OK(status)) {
1743                 return status;
1744         }
1745
1746         /* TODO: Fis the parsing routine before reenabling this check! */
1747         #if 0
1748         if (!lookup_sid(&handle->sid, dom_name, name, &type))
1749                 return NT_STATUS_ACCESS_DENIED;
1750         #endif
1751         /* associate the user/group SID with the (unique) handle. */
1752         info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1753         if (info == NULL) {
1754                 return NT_STATUS_NO_MEMORY;
1755         }
1756
1757         info->sid = *r->in.sid;
1758         info->access = acc_granted;
1759         info->type = LSA_HANDLE_ACCOUNT_TYPE;
1760
1761         /* get a (unique) handle.  open a policy on it. */
1762         if (!create_policy_hnd(p, r->out.acct_handle, info))
1763                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1764
1765         return NT_STATUS_OK;
1766 }
1767
1768 /***************************************************************************
1769  _lsa_EnumPrivsAccount
1770  For a given SID, enumerate all the privilege this account has.
1771  ***************************************************************************/
1772
1773 NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
1774                                struct lsa_EnumPrivsAccount *r)
1775 {
1776         NTSTATUS status = NT_STATUS_OK;
1777         struct lsa_info *info=NULL;
1778         SE_PRIV mask;
1779         PRIVILEGE_SET privileges;
1780         struct lsa_PrivilegeSet *priv_set = NULL;
1781         struct lsa_LUIDAttribute *luid_attrs = NULL;
1782         int i;
1783
1784         /* find the connection policy handle. */
1785         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1786                 return NT_STATUS_INVALID_HANDLE;
1787
1788         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1789                 return NT_STATUS_INVALID_HANDLE;
1790         }
1791
1792         if (!(info->access & LSA_ACCOUNT_VIEW))
1793                 return NT_STATUS_ACCESS_DENIED;
1794
1795         get_privileges_for_sids(&mask, &info->sid, 1);
1796
1797         privilege_set_init( &privileges );
1798
1799         priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1800         if (!priv_set) {
1801                 status = NT_STATUS_NO_MEMORY;
1802                 goto done;
1803         }
1804
1805         if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1806
1807                 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1808                           sid_string_dbg(&info->sid),
1809                           privileges.count));
1810
1811                 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1812                                                struct lsa_LUIDAttribute,
1813                                                privileges.count);
1814                 if (!luid_attrs) {
1815                         status = NT_STATUS_NO_MEMORY;
1816                         goto done;
1817                 }
1818
1819                 for (i=0; i<privileges.count; i++) {
1820                         luid_attrs[i].luid.low = privileges.set[i].luid.low;
1821                         luid_attrs[i].luid.high = privileges.set[i].luid.high;
1822                         luid_attrs[i].attribute = privileges.set[i].attr;
1823                 }
1824
1825                 priv_set->count = privileges.count;
1826                 priv_set->unknown = 0;
1827                 priv_set->set = luid_attrs;
1828
1829         } else {
1830                 priv_set->count = 0;
1831                 priv_set->unknown = 0;
1832                 priv_set->set = NULL;
1833         }
1834
1835         *r->out.privs = priv_set;
1836
1837  done:
1838         privilege_set_free( &privileges );
1839
1840         return status;
1841 }
1842
1843 /***************************************************************************
1844  _lsa_GetSystemAccessAccount
1845  ***************************************************************************/
1846
1847 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
1848                                      struct lsa_GetSystemAccessAccount *r)
1849 {
1850         NTSTATUS status;
1851         struct lsa_info *info = NULL;
1852         struct lsa_EnumPrivsAccount e;
1853         struct lsa_PrivilegeSet *privset;
1854
1855         /* find the connection policy handle. */
1856
1857         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1858                 return NT_STATUS_INVALID_HANDLE;
1859
1860         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1861                 return NT_STATUS_INVALID_HANDLE;
1862         }
1863
1864         if (!(info->access & LSA_ACCOUNT_VIEW))
1865                 return NT_STATUS_ACCESS_DENIED;
1866
1867         privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1868         if (!privset) {
1869                 return NT_STATUS_NO_MEMORY;
1870         }
1871
1872         e.in.handle = r->in.handle;
1873         e.out.privs = &privset;
1874
1875         status = _lsa_EnumPrivsAccount(p, &e);
1876         if (!NT_STATUS_IS_OK(status)) {
1877                 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1878                         "failed to call _lsa_EnumPrivsAccount(): %s\n",
1879                         nt_errstr(status)));
1880                 return status;
1881         }
1882
1883         /* Samba4 would iterate over the privset to merge the policy mode bits,
1884          * not sure samba3 can do the same here, so just return what we did in
1885          * the past - gd */
1886
1887         /*
1888           0x01 -> Log on locally
1889           0x02 -> Access this computer from network
1890           0x04 -> Log on as a batch job
1891           0x10 -> Log on as a service
1892
1893           they can be ORed together
1894         */
1895
1896         *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1897                               LSA_POLICY_MODE_NETWORK;
1898
1899         return NT_STATUS_OK;
1900 }
1901
1902 /***************************************************************************
1903   update the systemaccount information
1904  ***************************************************************************/
1905
1906 NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
1907                                      struct lsa_SetSystemAccessAccount *r)
1908 {
1909         struct lsa_info *info=NULL;
1910         GROUP_MAP map;
1911
1912         /* find the connection policy handle. */
1913         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1914                 return NT_STATUS_INVALID_HANDLE;
1915
1916         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1917                 return NT_STATUS_INVALID_HANDLE;
1918         }
1919
1920         if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1921                 return NT_STATUS_ACCESS_DENIED;
1922         }
1923
1924         if (!pdb_getgrsid(&map, info->sid))
1925                 return NT_STATUS_NO_SUCH_GROUP;
1926
1927         return pdb_update_group_mapping_entry(&map);
1928 }
1929
1930 /***************************************************************************
1931  _lsa_AddPrivilegesToAccount
1932  For a given SID, add some privileges.
1933  ***************************************************************************/
1934
1935 NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
1936                                      struct lsa_AddPrivilegesToAccount *r)
1937 {
1938         struct lsa_info *info = NULL;
1939         SE_PRIV mask;
1940         struct lsa_PrivilegeSet *set = NULL;
1941
1942         /* find the connection policy handle. */
1943         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1944                 return NT_STATUS_INVALID_HANDLE;
1945
1946         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1947                 return NT_STATUS_INVALID_HANDLE;
1948         }
1949
1950         if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1951                 return NT_STATUS_ACCESS_DENIED;
1952         }
1953
1954         set = r->in.privs;
1955         if ( !privilege_set_to_se_priv( &mask, set ) )
1956                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1957
1958         if ( !grant_privilege( &info->sid, &mask ) ) {
1959                 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1960                          sid_string_dbg(&info->sid) ));
1961                 DEBUG(3,("Privilege mask:\n"));
1962                 dump_se_priv( DBGC_ALL, 3, &mask );
1963                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1964         }
1965
1966         return NT_STATUS_OK;
1967 }
1968
1969 /***************************************************************************
1970  _lsa_RemovePrivilegesFromAccount
1971  For a given SID, remove some privileges.
1972  ***************************************************************************/
1973
1974 NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
1975                                           struct lsa_RemovePrivilegesFromAccount *r)
1976 {
1977         struct lsa_info *info = NULL;
1978         SE_PRIV mask;
1979         struct lsa_PrivilegeSet *set = NULL;
1980
1981         /* find the connection policy handle. */
1982         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1983                 return NT_STATUS_INVALID_HANDLE;
1984
1985         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1986                 return NT_STATUS_INVALID_HANDLE;
1987         }
1988
1989         if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1990                 return NT_STATUS_ACCESS_DENIED;
1991         }
1992
1993         set = r->in.privs;
1994
1995         if ( !privilege_set_to_se_priv( &mask, set ) )
1996                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1997
1998         if ( !revoke_privilege( &info->sid, &mask ) ) {
1999                 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2000                          sid_string_dbg(&info->sid) ));
2001                 DEBUG(3,("Privilege mask:\n"));
2002                 dump_se_priv( DBGC_ALL, 3, &mask );
2003                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2004         }
2005
2006         return NT_STATUS_OK;
2007 }
2008
2009 /***************************************************************************
2010  _lsa_LookupPrivName
2011  ***************************************************************************/
2012
2013 NTSTATUS _lsa_LookupPrivName(pipes_struct *p,
2014                              struct lsa_LookupPrivName *r)
2015 {
2016         struct lsa_info *info = NULL;
2017         const char *name;
2018         struct lsa_StringLarge *lsa_name;
2019
2020         /* find the connection policy handle. */
2021         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2022                 return NT_STATUS_INVALID_HANDLE;
2023         }
2024
2025         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2026                 return NT_STATUS_INVALID_HANDLE;
2027         }
2028
2029         if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2030                 return NT_STATUS_ACCESS_DENIED;
2031         }
2032
2033         name = luid_to_privilege_name((LUID *)r->in.luid);
2034         if (!name) {
2035                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2036         }
2037
2038         lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2039         if (!lsa_name) {
2040                 return NT_STATUS_NO_MEMORY;
2041         }
2042
2043         lsa_name->string = talloc_strdup(lsa_name, name);
2044         if (!lsa_name->string) {
2045                 TALLOC_FREE(lsa_name);
2046                 return NT_STATUS_NO_MEMORY;
2047         }
2048
2049         *r->out.name = lsa_name;
2050
2051         return NT_STATUS_OK;
2052 }
2053
2054 /***************************************************************************
2055  _lsa_QuerySecurity
2056  ***************************************************************************/
2057
2058 NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
2059                             struct lsa_QuerySecurity *r)
2060 {
2061         struct lsa_info *handle=NULL;
2062         SEC_DESC *psd = NULL;
2063         size_t sd_size;
2064         NTSTATUS status;
2065
2066         /* find the connection policy handle. */
2067         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2068                 return NT_STATUS_INVALID_HANDLE;
2069
2070         if (handle->type == LSA_HANDLE_POLICY_TYPE) {
2071                 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2072                                 &lsa_policy_mapping, NULL, 0);
2073         } else if (handle->type == LSA_HANDLE_ACCOUNT_TYPE) {
2074                 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2075                                 &lsa_account_mapping,
2076                                 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2077         } else {
2078                 status = NT_STATUS_INVALID_HANDLE;
2079         }
2080
2081         if (!NT_STATUS_IS_OK(status)) {
2082                 return status;
2083         }
2084
2085         *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2086         if (!*r->out.sdbuf) {
2087                 return NT_STATUS_NO_MEMORY;
2088         }
2089
2090         return status;
2091 }
2092
2093 /***************************************************************************
2094  _lsa_AddAccountRights
2095  ***************************************************************************/
2096
2097 NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
2098                                struct lsa_AddAccountRights *r)
2099 {
2100         struct lsa_info *info = NULL;
2101         int i = 0;
2102         uint32_t acc_granted = 0;
2103         SEC_DESC *psd = NULL;
2104         size_t sd_size;
2105         DOM_SID sid;
2106         NTSTATUS status;
2107
2108         /* find the connection policy handle. */
2109         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2110                 return NT_STATUS_INVALID_HANDLE;
2111
2112         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2113                 return NT_STATUS_INVALID_HANDLE;
2114         }
2115
2116         /* get the generic lsa account SD for this SID until we store it */
2117         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2118                                 &lsa_account_mapping,
2119                                 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2120         if (!NT_STATUS_IS_OK(status)) {
2121                 return status;
2122         }
2123
2124         /*
2125          * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2126          * on the policy handle. If it does, ask for
2127          * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2128          * on the account sid. We don't check here so just use the latter. JRA.
2129          */
2130
2131         status = access_check_object(psd, p->server_info->ptok,
2132                 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2133                 &acc_granted, "_lsa_AddAccountRights" );
2134
2135         if (!NT_STATUS_IS_OK(status)) {
2136                 return status;
2137         }
2138
2139         /* according to an NT4 PDC, you can add privileges to SIDs even without
2140            call_lsa_create_account() first.  And you can use any arbitrary SID. */
2141
2142         sid_copy( &sid, r->in.sid );
2143
2144         for ( i=0; i < r->in.rights->count; i++ ) {
2145
2146                 const char *privname = r->in.rights->names[i].string;
2147
2148                 /* only try to add non-null strings */
2149
2150                 if ( !privname )
2151                         continue;
2152
2153                 if ( !grant_privilege_by_name( &sid, privname ) ) {
2154                         DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2155                                 privname ));
2156                         return NT_STATUS_NO_SUCH_PRIVILEGE;
2157                 }
2158         }
2159
2160         return NT_STATUS_OK;
2161 }
2162
2163 /***************************************************************************
2164  _lsa_RemoveAccountRights
2165  ***************************************************************************/
2166
2167 NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
2168                                   struct lsa_RemoveAccountRights *r)
2169 {
2170         struct lsa_info *info = NULL;
2171         int i = 0;
2172         SEC_DESC *psd = NULL;
2173         size_t sd_size;
2174         DOM_SID sid;
2175         const char *privname = NULL;
2176         uint32_t acc_granted = 0;
2177         NTSTATUS status;
2178
2179         /* find the connection policy handle. */
2180         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2181                 return NT_STATUS_INVALID_HANDLE;
2182
2183         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2184                 return NT_STATUS_INVALID_HANDLE;
2185         }
2186
2187         /* get the generic lsa account SD for this SID until we store it */
2188         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2189                                 &lsa_account_mapping,
2190                                 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2191         if (!NT_STATUS_IS_OK(status)) {
2192                 return status;
2193         }
2194
2195         /*
2196          * From the MS DOCs. We need
2197          * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2198          * and DELETE on the account sid.
2199          */
2200
2201         status = access_check_object(psd, p->server_info->ptok,
2202                 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2203                         LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
2204                 &acc_granted, "_lsa_AddAccountRights" );
2205
2206         if (!NT_STATUS_IS_OK(status)) {
2207                 return status;
2208         }
2209
2210         sid_copy( &sid, r->in.sid );
2211
2212         if ( r->in.remove_all ) {
2213                 if ( !revoke_all_privileges( &sid ) )
2214                         return NT_STATUS_ACCESS_DENIED;
2215
2216                 return NT_STATUS_OK;
2217         }
2218
2219         for ( i=0; i < r->in.rights->count; i++ ) {
2220
2221                 privname = r->in.rights->names[i].string;
2222
2223                 /* only try to add non-null strings */
2224
2225                 if ( !privname )
2226                         continue;
2227
2228                 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2229                         DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2230                                 privname ));
2231                         return NT_STATUS_NO_SUCH_PRIVILEGE;
2232                 }
2233         }
2234
2235         return NT_STATUS_OK;
2236 }
2237
2238 /*******************************************************************
2239 ********************************************************************/
2240
2241 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2242                                    struct lsa_RightSet *r,
2243                                    PRIVILEGE_SET *privileges)
2244 {
2245         uint32 i;
2246         const char *privname;
2247         const char **privname_array = NULL;
2248         int num_priv = 0;
2249
2250         for (i=0; i<privileges->count; i++) {
2251
2252                 privname = luid_to_privilege_name(&privileges->set[i].luid);
2253                 if (privname) {
2254                         if (!add_string_to_array(mem_ctx, privname,
2255                                                  &privname_array, &num_priv)) {
2256                                 return NT_STATUS_NO_MEMORY;
2257                         }
2258                 }
2259         }
2260
2261         if (num_priv) {
2262
2263                 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2264                                              num_priv);
2265                 if (!r->names) {
2266                         return NT_STATUS_NO_MEMORY;
2267                 }
2268
2269                 for (i=0; i<num_priv; i++) {
2270                         init_lsa_StringLarge(&r->names[i], privname_array[i]);
2271                 }
2272
2273                 r->count = num_priv;
2274         }
2275
2276         return NT_STATUS_OK;
2277 }
2278
2279 /***************************************************************************
2280  _lsa_EnumAccountRights
2281  ***************************************************************************/
2282
2283 NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
2284                                 struct lsa_EnumAccountRights *r)
2285 {
2286         NTSTATUS status;
2287         struct lsa_info *info = NULL;
2288         DOM_SID sid;
2289         PRIVILEGE_SET privileges;
2290         SE_PRIV mask;
2291
2292         /* find the connection policy handle. */
2293
2294         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2295                 return NT_STATUS_INVALID_HANDLE;
2296
2297         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2298                 return NT_STATUS_INVALID_HANDLE;
2299         }
2300
2301         if (!(info->access & LSA_ACCOUNT_VIEW)) {
2302                 return NT_STATUS_ACCESS_DENIED;
2303         }
2304
2305         /* according to an NT4 PDC, you can add privileges to SIDs even without
2306            call_lsa_create_account() first.  And you can use any arbitrary SID. */
2307
2308         sid_copy( &sid, r->in.sid );
2309
2310         /* according to MS-LSAD 3.1.4.5.10 it is required to return
2311          * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2312          * the lsa database */
2313
2314         if (!get_privileges_for_sids(&mask, &sid, 1)) {
2315                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2316         }
2317
2318         status = privilege_set_init(&privileges);
2319         if (!NT_STATUS_IS_OK(status)) {
2320                 return status;
2321         }
2322
2323         se_priv_to_privilege_set(&privileges, &mask);
2324
2325         DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2326                   sid_string_dbg(&sid), privileges.count));
2327
2328         status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2329
2330         privilege_set_free( &privileges );
2331
2332         return status;
2333 }
2334
2335 /***************************************************************************
2336  _lsa_LookupPrivValue
2337  ***************************************************************************/
2338
2339 NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
2340                               struct lsa_LookupPrivValue *r)
2341 {
2342         struct lsa_info *info = NULL;
2343         const char *name = NULL;
2344         LUID_ATTR priv_luid;
2345         SE_PRIV mask;
2346
2347         /* find the connection policy handle. */
2348
2349         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2350                 return NT_STATUS_INVALID_HANDLE;
2351
2352         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2353                 return NT_STATUS_INVALID_HANDLE;
2354         }
2355
2356         if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2357                 return NT_STATUS_ACCESS_DENIED;
2358
2359         name = r->in.name->string;
2360
2361         DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2362
2363         if ( !se_priv_from_name( name, &mask ) )
2364                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2365
2366         priv_luid = get_privilege_luid( &mask );
2367
2368         r->out.luid->low = priv_luid.luid.low;
2369         r->out.luid->high = priv_luid.luid.high;
2370
2371         return NT_STATUS_OK;
2372 }
2373
2374 /***************************************************************************
2375  _lsa_EnumAccountsWithUserRight
2376  ***************************************************************************/
2377
2378 NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p,
2379                                         struct lsa_EnumAccountsWithUserRight *r)
2380 {
2381         NTSTATUS status;
2382         struct lsa_info *info = NULL;
2383         struct dom_sid *sids = NULL;
2384         int num_sids = 0;
2385         uint32_t i;
2386         SE_PRIV mask;
2387
2388         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2389                 return NT_STATUS_INVALID_HANDLE;
2390         }
2391
2392         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2393                 return NT_STATUS_INVALID_HANDLE;
2394         }
2395
2396         if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2397                 return NT_STATUS_ACCESS_DENIED;
2398         }
2399
2400         if (!r->in.name || !r->in.name->string) {
2401                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2402         }
2403
2404         if (!se_priv_from_name(r->in.name->string, &mask)) {
2405                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2406         }
2407
2408         status = privilege_enum_sids(&mask, p->mem_ctx,
2409                                      &sids, &num_sids);
2410         if (!NT_STATUS_IS_OK(status)) {
2411                 return status;
2412         }
2413
2414         r->out.sids->num_sids = num_sids;
2415         r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2416                                          r->out.sids->num_sids);
2417
2418         for (i=0; i < r->out.sids->num_sids; i++) {
2419                 r->out.sids->sids[i].sid = sid_dup_talloc(r->out.sids->sids,
2420                                                           &sids[i]);
2421                 if (!r->out.sids->sids[i].sid) {
2422                         TALLOC_FREE(r->out.sids->sids);
2423                         r->out.sids->num_sids = 0;
2424                         return NT_STATUS_NO_MEMORY;
2425                 }
2426         }
2427
2428         return NT_STATUS_OK;
2429 }
2430
2431 /***************************************************************************
2432  _lsa_Delete
2433  ***************************************************************************/
2434
2435 NTSTATUS _lsa_Delete(pipes_struct *p,
2436                      struct lsa_Delete *r)
2437 {
2438         return NT_STATUS_NOT_SUPPORTED;
2439 }
2440
2441 /*
2442  * From here on the server routines are just dummy ones to make smbd link with
2443  * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2444  * pulling the server stubs across one by one.
2445  */
2446
2447 NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
2448 {
2449         p->rng_fault_state = True;
2450         return NT_STATUS_NOT_IMPLEMENTED;
2451 }
2452
2453 NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
2454 {
2455         p->rng_fault_state = True;
2456         return NT_STATUS_NOT_IMPLEMENTED;
2457 }
2458
2459 NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
2460 {
2461         p->rng_fault_state = True;
2462         return NT_STATUS_NOT_IMPLEMENTED;
2463 }
2464
2465 NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
2466 {
2467         p->rng_fault_state = True;
2468         return NT_STATUS_NOT_IMPLEMENTED;
2469 }
2470
2471 NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
2472 {
2473         p->rng_fault_state = True;
2474         return NT_STATUS_NOT_IMPLEMENTED;
2475 }
2476
2477 NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
2478 {
2479         p->rng_fault_state = True;
2480         return NT_STATUS_NOT_IMPLEMENTED;
2481 }
2482
2483 NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
2484 {
2485         p->rng_fault_state = True;
2486         return NT_STATUS_NOT_IMPLEMENTED;
2487 }
2488
2489 NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
2490 {
2491         p->rng_fault_state = True;
2492         return NT_STATUS_NOT_IMPLEMENTED;
2493 }
2494
2495 NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
2496 {
2497         p->rng_fault_state = True;
2498         return NT_STATUS_NOT_IMPLEMENTED;
2499 }
2500
2501 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
2502 {
2503         p->rng_fault_state = True;
2504         return NT_STATUS_NOT_IMPLEMENTED;
2505 }
2506
2507 NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
2508 {
2509         p->rng_fault_state = True;
2510         return NT_STATUS_NOT_IMPLEMENTED;
2511 }
2512
2513 NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
2514 {
2515         p->rng_fault_state = True;
2516         return NT_STATUS_NOT_IMPLEMENTED;
2517 }
2518
2519 NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
2520 {
2521         p->rng_fault_state = True;
2522         return NT_STATUS_NOT_IMPLEMENTED;
2523 }
2524
2525 NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
2526 {
2527         p->rng_fault_state = True;
2528         return NT_STATUS_NOT_IMPLEMENTED;
2529 }
2530
2531 NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
2532 {
2533         p->rng_fault_state = True;
2534         return NT_STATUS_NOT_IMPLEMENTED;
2535 }
2536
2537 NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
2538 {
2539         p->rng_fault_state = True;
2540         return NT_STATUS_NOT_IMPLEMENTED;
2541 }
2542
2543 NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
2544 {
2545         p->rng_fault_state = True;
2546         return NT_STATUS_NOT_IMPLEMENTED;
2547 }
2548
2549 NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
2550 {
2551         p->rng_fault_state = True;
2552         return NT_STATUS_NOT_IMPLEMENTED;
2553 }
2554
2555 NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
2556 {
2557         p->rng_fault_state = True;
2558         return NT_STATUS_NOT_IMPLEMENTED;
2559 }
2560
2561 NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
2562 {
2563         p->rng_fault_state = True;
2564         return NT_STATUS_NOT_IMPLEMENTED;
2565 }
2566
2567 NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
2568 {
2569         p->rng_fault_state = True;
2570         return NT_STATUS_NOT_IMPLEMENTED;
2571 }
2572
2573 NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
2574 {
2575         p->rng_fault_state = True;
2576         return NT_STATUS_NOT_IMPLEMENTED;
2577 }
2578
2579 NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
2580 {
2581         p->rng_fault_state = True;
2582         return NT_STATUS_NOT_IMPLEMENTED;
2583 }
2584
2585 NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
2586 {
2587         p->rng_fault_state = True;
2588         return NT_STATUS_NOT_IMPLEMENTED;
2589 }
2590
2591 NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
2592 {
2593         p->rng_fault_state = True;
2594         return NT_STATUS_NOT_IMPLEMENTED;
2595 }
2596
2597 NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
2598 {
2599         p->rng_fault_state = True;
2600         return NT_STATUS_NOT_IMPLEMENTED;
2601 }
2602
2603 NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
2604 {
2605         p->rng_fault_state = True;
2606         return NT_STATUS_NOT_IMPLEMENTED;
2607 }
2608
2609 NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2610 {
2611         p->rng_fault_state = True;
2612         return NT_STATUS_NOT_IMPLEMENTED;
2613 }
2614
2615 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2616 {
2617         p->rng_fault_state = True;
2618         return NT_STATUS_NOT_IMPLEMENTED;
2619 }
2620
2621 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2622 {
2623         p->rng_fault_state = True;
2624         return NT_STATUS_NOT_IMPLEMENTED;
2625 }
2626
2627 NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
2628 {
2629         p->rng_fault_state = True;
2630         return NT_STATUS_NOT_IMPLEMENTED;
2631 }
2632
2633 NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
2634 {
2635         p->rng_fault_state = True;
2636         return NT_STATUS_NOT_IMPLEMENTED;
2637 }
2638
2639 NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
2640 {
2641         p->rng_fault_state = True;
2642         return NT_STATUS_NOT_IMPLEMENTED;
2643 }
2644
2645 NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
2646 {
2647         p->rng_fault_state = True;
2648         return NT_STATUS_NOT_IMPLEMENTED;
2649 }
2650
2651 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
2652 {
2653         p->rng_fault_state = True;
2654         return NT_STATUS_NOT_IMPLEMENTED;
2655 }
2656
2657 NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
2658 {
2659         p->rng_fault_state = True;
2660         return NT_STATUS_NOT_IMPLEMENTED;
2661 }
2662
2663 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
2664 {
2665         p->rng_fault_state = True;
2666         return NT_STATUS_NOT_IMPLEMENTED;
2667 }
2668
2669 NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
2670 {
2671         p->rng_fault_state = True;
2672         return NT_STATUS_NOT_IMPLEMENTED;
2673 }
2674
2675 NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2676 {
2677         p->rng_fault_state = True;
2678         return NT_STATUS_NOT_IMPLEMENTED;
2679 }
2680
2681 NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
2682 {
2683         p->rng_fault_state = True;
2684         return NT_STATUS_NOT_IMPLEMENTED;
2685 }
2686
2687 NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
2688 {
2689         p->rng_fault_state = True;
2690         return NT_STATUS_NOT_IMPLEMENTED;
2691 }
2692
2693 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2694 {
2695         p->rng_fault_state = True;
2696         return NT_STATUS_NOT_IMPLEMENTED;
2697 }
2698
2699 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2700 {
2701         p->rng_fault_state = True;
2702         return NT_STATUS_NOT_IMPLEMENTED;
2703 }
2704
2705 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
2706 {
2707         p->rng_fault_state = True;
2708         return NT_STATUS_NOT_IMPLEMENTED;
2709 }