2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
29 /* This is the implementation of the lsa server code. */
34 #define DBGC_CLASS DBGC_RPC_SRV
36 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
40 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
45 enum lsa_handle_type type;
48 const struct generic_mapping lsa_account_mapping = {
52 LSA_ACCOUNT_ALL_ACCESS
55 const struct generic_mapping lsa_policy_mapping = {
62 /***************************************************************************
63 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
64 ***************************************************************************/
66 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
67 struct lsa_RefDomainList *ref,
73 if (dom_name != NULL) {
74 for (num = 0; num < ref->count; num++) {
75 if (sid_equal(dom_sid, ref->domains[num].sid)) {
83 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
84 /* index not found, already at maximum domain limit */
89 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
91 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
92 struct lsa_DomainInfo, ref->count);
97 ZERO_STRUCT(ref->domains[num]);
99 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
100 ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
101 if (!ref->domains[num].sid) {
109 /***************************************************************************
110 initialize a lsa_DomainInfo structure.
111 ***************************************************************************/
113 static void init_dom_query_3(struct lsa_DomainInfo *r,
117 init_lsa_StringLarge(&r->name, name);
121 /***************************************************************************
122 initialize a lsa_DomainInfo structure.
123 ***************************************************************************/
125 static void init_dom_query_5(struct lsa_DomainInfo *r,
129 init_lsa_StringLarge(&r->name, name);
133 /***************************************************************************
134 lookup_lsa_rids. Must be called as root for lookup_name to work.
135 ***************************************************************************/
137 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
138 struct lsa_RefDomainList *ref,
139 struct lsa_TranslatedSid *prid,
140 uint32_t num_entries,
141 struct lsa_String *name,
143 uint32_t *pmapped_count)
145 uint32 mapped_count, i;
147 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
152 for (i = 0; i < num_entries; i++) {
156 const char *full_name;
158 enum lsa_SidType type = SID_NAME_UNKNOWN;
160 /* Split name into domain and user component */
162 full_name = name[i].string;
163 if (full_name == NULL) {
164 prid[i].sid_type = type;
166 prid[i].sid_index = (uint32_t)-1;
170 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
172 /* We can ignore the result of lookup_name, it will not touch
173 "type" if it's not successful */
175 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
180 case SID_NAME_DOM_GRP:
181 case SID_NAME_DOMAIN:
183 case SID_NAME_WKN_GRP:
184 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
185 /* Leave these unchanged */
188 /* Don't hand out anything but the list above */
189 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
190 type = SID_NAME_UNKNOWN;
197 if (type != SID_NAME_UNKNOWN) {
198 if (type == SID_NAME_DOMAIN) {
201 sid_split_rid(&sid, &rid);
203 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
207 prid[i].sid_type = type;
209 prid[i].sid_index = dom_idx;
212 *pmapped_count = mapped_count;
216 /***************************************************************************
217 lookup_lsa_sids. Must be called as root for lookup_name to work.
218 ***************************************************************************/
220 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
221 struct lsa_RefDomainList *ref,
222 struct lsa_TranslatedSid3 *trans_sids,
223 uint32_t num_entries,
224 struct lsa_String *name,
226 uint32 *pmapped_count)
228 uint32 mapped_count, i;
230 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
235 for (i = 0; i < num_entries; i++) {
239 const char *full_name;
241 enum lsa_SidType type = SID_NAME_UNKNOWN;
245 /* Split name into domain and user component */
247 full_name = name[i].string;
248 if (full_name == NULL) {
249 return NT_STATUS_NO_MEMORY;
252 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
254 /* We can ignore the result of lookup_name, it will not touch
255 "type" if it's not successful */
257 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
262 case SID_NAME_DOM_GRP:
263 case SID_NAME_DOMAIN:
265 case SID_NAME_WKN_GRP:
266 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
267 /* Leave these unchanged */
270 /* Don't hand out anything but the list above */
271 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
272 type = SID_NAME_UNKNOWN;
279 if (type != SID_NAME_UNKNOWN) {
281 sid_copy(&domain_sid, &sid);
282 sid_split_rid(&domain_sid, &rid);
283 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
287 /* Initialize the lsa_TranslatedSid3 return. */
288 trans_sids[i].sid_type = type;
289 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
290 trans_sids[i].sid_index = dom_idx;
293 *pmapped_count = mapped_count;
297 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size,
298 const struct generic_mapping *map,
299 DOM_SID *sid, uint32_t sid_access)
307 /* READ|EXECUTE access for Everyone */
309 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
310 map->generic_execute | map->generic_read, 0);
312 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
314 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
315 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
316 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
317 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
319 /* Add Full Access for Domain Admins */
320 sid_copy(&adm_sid, get_global_sam_sid());
321 sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
322 init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
323 map->generic_all, 0);
325 /* If we have a sid, give it some special access */
328 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
332 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
333 return NT_STATUS_NO_MEMORY;
335 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
336 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
337 psa, sd_size)) == NULL)
338 return NT_STATUS_NO_MEMORY;
344 /***************************************************************************
346 ***************************************************************************/
348 NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
349 struct lsa_OpenPolicy2 *r)
351 struct lsa_info *info;
352 SEC_DESC *psd = NULL;
354 uint32 des_access = r->in.access_mask;
358 /* Work out max allowed. */
359 map_max_allowed_access(p->server_info->ptok,
360 &p->server_info->utok,
363 /* map the generic bits to the lsa policy ones */
364 se_map_generic(&des_access, &lsa_policy_mapping);
366 /* get the generic lsa policy SD until we store it */
367 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
369 if (!NT_STATUS_IS_OK(status)) {
373 status = access_check_object(psd, p->server_info->ptok,
375 &acc_granted, "_lsa_OpenPolicy2" );
377 if (!NT_STATUS_IS_OK(status)) {
381 /* associate the domain SID with the (unique) handle. */
382 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
384 return NT_STATUS_NO_MEMORY;
387 sid_copy(&info->sid,get_global_sam_sid());
388 info->access = acc_granted;
389 info->type = LSA_HANDLE_POLICY_TYPE;
391 /* set up the LSA QUERY INFO response */
392 if (!create_policy_hnd(p, r->out.handle, info))
393 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
398 /***************************************************************************
400 ***************************************************************************/
402 NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
403 struct lsa_OpenPolicy *r)
405 struct lsa_OpenPolicy2 o;
407 o.in.system_name = NULL; /* should be ignored */
408 o.in.attr = r->in.attr;
409 o.in.access_mask = r->in.access_mask;
411 o.out.handle = r->out.handle;
413 return _lsa_OpenPolicy2(p, &o);
416 /***************************************************************************
417 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
419 ***************************************************************************/
421 NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
422 struct lsa_EnumTrustDom *r)
424 struct lsa_info *info;
426 struct trustdom_info **domains;
427 struct lsa_DomainInfo *lsa_domains = NULL;
431 * preferred length is set to 5 as a "our" preferred length
432 * nt sets this parameter to 2
433 * update (20.08.2002): it's not preferred length, but preferred size!
434 * it needs further investigation how to optimally choose this value
436 uint32 max_num_domains =
437 r->in.max_size < 5 ? r->in.max_size : 10;
442 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
443 return NT_STATUS_INVALID_HANDLE;
445 if (info->type != LSA_HANDLE_POLICY_TYPE) {
446 return NT_STATUS_INVALID_HANDLE;
449 /* check if the user has enough rights */
450 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
451 return NT_STATUS_ACCESS_DENIED;
454 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
457 if (!NT_STATUS_IS_OK(nt_status)) {
461 if (*r->in.resume_handle < num_domains) {
462 num_thistime = MIN(num_domains, max_num_domains);
464 nt_status = STATUS_MORE_ENTRIES;
466 if (*r->in.resume_handle + num_thistime > num_domains) {
467 num_thistime = num_domains - *r->in.resume_handle;
468 nt_status = NT_STATUS_OK;
471 next_idx = *r->in.resume_handle + num_thistime;
474 next_idx = 0xffffffff;
475 nt_status = NT_STATUS_NO_MORE_ENTRIES;
478 /* set up the lsa_enum_trust_dom response */
480 lsa_domains = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo,
483 return NT_STATUS_NO_MEMORY;
486 for (i=0; i<num_thistime; i++) {
487 init_lsa_StringLarge(&lsa_domains[i].name, domains[i]->name);
488 lsa_domains[i].sid = &domains[i]->sid;
491 *r->out.resume_handle = next_idx;
492 r->out.domains->count = num_thistime;
493 r->out.domains->domains = lsa_domains;
498 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
499 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
500 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
502 /***************************************************************************
504 ***************************************************************************/
506 NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
507 struct lsa_QueryInfoPolicy *r)
509 NTSTATUS status = NT_STATUS_OK;
510 struct lsa_info *handle;
514 union lsa_PolicyInformation *info = NULL;
515 uint32_t acc_required = 0;
517 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
518 return NT_STATUS_INVALID_HANDLE;
520 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
521 return NT_STATUS_INVALID_HANDLE;
524 switch (r->in.level) {
525 case LSA_POLICY_INFO_AUDIT_LOG:
526 case LSA_POLICY_INFO_AUDIT_EVENTS:
527 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
529 case LSA_POLICY_INFO_DOMAIN:
530 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
532 case LSA_POLICY_INFO_PD:
533 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
535 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
536 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
538 case LSA_POLICY_INFO_ROLE:
539 case LSA_POLICY_INFO_REPLICA:
540 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
542 case LSA_POLICY_INFO_QUOTA:
543 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
545 case LSA_POLICY_INFO_MOD:
546 case LSA_POLICY_INFO_AUDIT_FULL_SET:
547 /* according to MS-LSAD 3.1.4.4.3 */
548 return NT_STATUS_INVALID_PARAMETER;
549 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
550 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
552 case LSA_POLICY_INFO_DNS:
553 case LSA_POLICY_INFO_DNS_INT:
554 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
555 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
561 if (!(handle->access & acc_required)) {
562 /* return NT_STATUS_ACCESS_DENIED; */
565 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
567 return NT_STATUS_NO_MEMORY;
570 switch (r->in.level) {
571 case LSA_POLICY_INFO_AUDIT_EVENTS:
574 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
576 /* check if the user has enough rights */
577 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
578 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
579 return NT_STATUS_ACCESS_DENIED;
582 /* fake info: We audit everything. ;) */
584 info->audit_events.auditing_mode = true;
585 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
586 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
587 enum lsa_PolicyAuditPolicy,
588 info->audit_events.count);
589 if (!info->audit_events.settings) {
590 return NT_STATUS_NO_MEMORY;
593 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
594 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
595 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
596 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
597 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
598 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
599 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
603 case LSA_POLICY_INFO_DOMAIN:
604 /* check if the user has enough rights */
605 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
606 return NT_STATUS_ACCESS_DENIED;
608 /* Request PolicyPrimaryDomainInformation. */
609 switch (lp_server_role()) {
610 case ROLE_DOMAIN_PDC:
611 case ROLE_DOMAIN_BDC:
612 name = get_global_sam_name();
613 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
615 return NT_STATUS_NO_MEMORY;
618 case ROLE_DOMAIN_MEMBER:
619 name = lp_workgroup();
620 /* We need to return the Domain SID here. */
621 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
622 sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
624 return NT_STATUS_NO_MEMORY;
627 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
630 case ROLE_STANDALONE:
631 name = lp_workgroup();
635 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
637 init_dom_query_3(&info->domain, name, sid);
639 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
640 /* check if the user has enough rights */
641 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
642 return NT_STATUS_ACCESS_DENIED;
644 /* Request PolicyAccountDomainInformation. */
645 name = get_global_sam_name();
646 sid = get_global_sam_sid();
648 init_dom_query_5(&info->account_domain, name, sid);
650 case LSA_POLICY_INFO_ROLE:
651 /* check if the user has enough rights */
652 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
653 return NT_STATUS_ACCESS_DENIED;
655 switch (lp_server_role()) {
656 case ROLE_DOMAIN_BDC:
658 * only a BDC is a backup controller
659 * of the domain, it controls.
661 info->role.role = LSA_ROLE_BACKUP;
665 * any other role is a primary
666 * of the domain, it controls.
668 info->role.role = LSA_ROLE_PRIMARY;
672 case LSA_POLICY_INFO_DNS:
673 case LSA_POLICY_INFO_DNS_INT: {
674 struct pdb_domain_info *dominfo;
676 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
677 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
678 "without ADS passdb backend\n"));
679 status = NT_STATUS_INVALID_INFO_CLASS;
683 dominfo = pdb_get_domain_info(info);
684 if (dominfo == NULL) {
685 status = NT_STATUS_NO_MEMORY;
689 init_lsa_StringLarge(&info->dns.name,
691 init_lsa_StringLarge(&info->dns.dns_domain,
692 dominfo->dns_domain);
693 init_lsa_StringLarge(&info->dns.dns_forest,
694 dominfo->dns_forest);
695 info->dns.domain_guid = dominfo->guid;
696 info->dns.sid = &dominfo->sid;
700 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
702 status = NT_STATUS_INVALID_INFO_CLASS;
711 /***************************************************************************
712 _lsa_QueryInfoPolicy2
713 ***************************************************************************/
715 NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p,
716 struct lsa_QueryInfoPolicy2 *r2)
718 struct lsa_QueryInfoPolicy r;
720 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
721 p->rng_fault_state = True;
722 return NT_STATUS_NOT_IMPLEMENTED;
726 r.in.handle = r2->in.handle;
727 r.in.level = r2->in.level;
728 r.out.info = r2->out.info;
730 return _lsa_QueryInfoPolicy(p, &r);
733 /***************************************************************************
734 _lsa_lookup_sids_internal
735 ***************************************************************************/
737 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
739 uint16_t level, /* input */
740 int num_sids, /* input */
741 struct lsa_SidPtr *sid, /* input */
742 struct lsa_RefDomainList **pp_ref, /* input/output */
743 struct lsa_TranslatedName2 **pp_names,/* input/output */
744 uint32_t *pp_mapped_count) /* input/output */
748 const DOM_SID **sids = NULL;
749 struct lsa_RefDomainList *ref = NULL;
750 uint32 mapped_count = 0;
751 struct lsa_dom_info *dom_infos = NULL;
752 struct lsa_name_info *name_infos = NULL;
753 struct lsa_TranslatedName2 *names = NULL;
755 *pp_mapped_count = 0;
763 sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
764 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
766 if (sids == NULL || ref == NULL) {
767 return NT_STATUS_NO_MEMORY;
770 for (i=0; i<num_sids; i++) {
771 sids[i] = sid[i].sid;
774 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
775 &dom_infos, &name_infos);
777 if (!NT_STATUS_IS_OK(status)) {
781 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
783 return NT_STATUS_NO_MEMORY;
786 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
788 if (!dom_infos[i].valid) {
792 if (init_lsa_ref_domain_list(mem_ctx, ref,
794 &dom_infos[i].sid) != i) {
795 DEBUG(0, ("Domain %s mentioned twice??\n",
797 return NT_STATUS_INTERNAL_ERROR;
801 for (i=0; i<num_sids; i++) {
802 struct lsa_name_info *name = &name_infos[i];
804 if (name->type == SID_NAME_UNKNOWN) {
807 /* Unknown sids should return the string
808 * representation of the SID. Windows 2003 behaves
809 * rather erratic here, in many cases it returns the
810 * RID as 8 bytes hex, in others it returns the full
811 * SID. We (Jerry/VL) could not figure out which the
812 * hard cases are, so leave it with the SID. */
813 name->name = talloc_asprintf(p->mem_ctx, "%s",
816 if (name->name == NULL) {
817 return NT_STATUS_NO_MEMORY;
823 names[i].sid_type = name->type;
824 names[i].name.string = name->name;
825 names[i].sid_index = name->dom_idx;
826 names[i].unknown = 0;
829 status = NT_STATUS_NONE_MAPPED;
830 if (mapped_count > 0) {
831 status = (mapped_count < num_sids) ?
832 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
835 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
836 num_sids, mapped_count, nt_errstr(status)));
838 *pp_mapped_count = mapped_count;
845 /***************************************************************************
847 ***************************************************************************/
849 NTSTATUS _lsa_LookupSids(pipes_struct *p,
850 struct lsa_LookupSids *r)
853 struct lsa_info *handle;
854 int num_sids = r->in.sids->num_sids;
855 uint32 mapped_count = 0;
856 struct lsa_RefDomainList *domains = NULL;
857 struct lsa_TranslatedName *names_out = NULL;
858 struct lsa_TranslatedName2 *names = NULL;
861 if ((r->in.level < 1) || (r->in.level > 6)) {
862 return NT_STATUS_INVALID_PARAMETER;
865 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
866 return NT_STATUS_INVALID_HANDLE;
869 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
870 return NT_STATUS_INVALID_HANDLE;
873 /* check if the user has enough rights */
874 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
875 return NT_STATUS_ACCESS_DENIED;
878 if (num_sids > MAX_LOOKUP_SIDS) {
879 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
880 MAX_LOOKUP_SIDS, num_sids));
881 return NT_STATUS_NONE_MAPPED;
884 status = _lsa_lookup_sids_internal(p,
893 /* Only return here when there is a real error.
894 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
895 the requested sids could be resolved. Older versions of XP (pre SP3)
896 rely that we return with the string representations of those SIDs in
897 that case. If we don't, XP crashes - Guenther
900 if (NT_STATUS_IS_ERR(status) &&
901 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
905 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
906 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
909 return NT_STATUS_NO_MEMORY;
912 for (i=0; i<num_sids; i++) {
913 names_out[i].sid_type = names[i].sid_type;
914 names_out[i].name = names[i].name;
915 names_out[i].sid_index = names[i].sid_index;
918 *r->out.domains = domains;
919 r->out.names->count = num_sids;
920 r->out.names->names = names_out;
921 *r->out.count = mapped_count;
926 /***************************************************************************
928 ***************************************************************************/
930 NTSTATUS _lsa_LookupSids2(pipes_struct *p,
931 struct lsa_LookupSids2 *r)
934 struct lsa_info *handle;
935 int num_sids = r->in.sids->num_sids;
936 uint32 mapped_count = 0;
937 struct lsa_RefDomainList *domains = NULL;
938 struct lsa_TranslatedName2 *names = NULL;
939 bool check_policy = true;
941 switch (p->hdr_req.opnum) {
942 case NDR_LSA_LOOKUPSIDS3:
943 check_policy = false;
945 case NDR_LSA_LOOKUPSIDS2:
950 if ((r->in.level < 1) || (r->in.level > 6)) {
951 return NT_STATUS_INVALID_PARAMETER;
955 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
956 return NT_STATUS_INVALID_HANDLE;
959 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
960 return NT_STATUS_INVALID_HANDLE;
963 /* check if the user has enough rights */
964 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
965 return NT_STATUS_ACCESS_DENIED;
969 if (num_sids > MAX_LOOKUP_SIDS) {
970 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
971 MAX_LOOKUP_SIDS, num_sids));
972 return NT_STATUS_NONE_MAPPED;
975 status = _lsa_lookup_sids_internal(p,
984 *r->out.domains = domains;
985 r->out.names->count = num_sids;
986 r->out.names->names = names;
987 *r->out.count = mapped_count;
992 /***************************************************************************
994 ***************************************************************************/
996 NTSTATUS _lsa_LookupSids3(pipes_struct *p,
997 struct lsa_LookupSids3 *r)
999 struct lsa_LookupSids2 q;
1001 /* No policy handle on this call. Restrict to crypto connections. */
1002 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1003 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
1004 get_remote_machine_name() ));
1005 return NT_STATUS_INVALID_PARAMETER;
1009 q.in.sids = r->in.sids;
1010 q.in.level = r->in.level;
1011 q.in.lookup_options = r->in.lookup_options;
1012 q.in.client_revision = r->in.client_revision;
1013 q.in.names = r->in.names;
1014 q.in.count = r->in.count;
1016 q.out.domains = r->out.domains;
1017 q.out.names = r->out.names;
1018 q.out.count = r->out.count;
1020 return _lsa_LookupSids2(p, &q);
1023 /***************************************************************************
1024 ***************************************************************************/
1026 static int lsa_lookup_level_to_flags(uint16 level)
1032 flags = LOOKUP_NAME_ALL;
1035 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1038 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1044 flags = LOOKUP_NAME_NONE;
1051 /***************************************************************************
1053 ***************************************************************************/
1055 NTSTATUS _lsa_LookupNames(pipes_struct *p,
1056 struct lsa_LookupNames *r)
1058 NTSTATUS status = NT_STATUS_NONE_MAPPED;
1059 struct lsa_info *handle;
1060 struct lsa_String *names = r->in.names;
1061 uint32 num_entries = r->in.num_names;
1062 struct lsa_RefDomainList *domains = NULL;
1063 struct lsa_TranslatedSid *rids = NULL;
1064 uint32 mapped_count = 0;
1067 if (num_entries > MAX_LOOKUP_SIDS) {
1068 num_entries = MAX_LOOKUP_SIDS;
1069 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1073 flags = lsa_lookup_level_to_flags(r->in.level);
1075 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1077 return NT_STATUS_NO_MEMORY;
1081 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1084 return NT_STATUS_NO_MEMORY;
1090 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1091 status = NT_STATUS_INVALID_HANDLE;
1095 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1096 return NT_STATUS_INVALID_HANDLE;
1099 /* check if the user has enough rights */
1100 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1101 status = NT_STATUS_ACCESS_DENIED;
1105 /* set up the LSA Lookup RIDs response */
1106 become_root(); /* lookup_name can require root privs */
1107 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1108 names, flags, &mapped_count);
1113 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1114 if (mapped_count == 0) {
1115 status = NT_STATUS_NONE_MAPPED;
1116 } else if (mapped_count != num_entries) {
1117 status = STATUS_SOME_UNMAPPED;
1121 *r->out.count = mapped_count;
1122 *r->out.domains = domains;
1123 r->out.sids->sids = rids;
1124 r->out.sids->count = num_entries;
1129 /***************************************************************************
1131 ***************************************************************************/
1133 NTSTATUS _lsa_LookupNames2(pipes_struct *p,
1134 struct lsa_LookupNames2 *r)
1137 struct lsa_LookupNames q;
1138 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1139 struct lsa_TransSidArray *sid_array = NULL;
1142 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1144 return NT_STATUS_NO_MEMORY;
1147 q.in.handle = r->in.handle;
1148 q.in.num_names = r->in.num_names;
1149 q.in.names = r->in.names;
1150 q.in.level = r->in.level;
1151 q.in.sids = sid_array;
1152 q.in.count = r->in.count;
1153 /* we do not know what this is for */
1154 /* = r->in.unknown1; */
1155 /* = r->in.unknown2; */
1157 q.out.domains = r->out.domains;
1158 q.out.sids = sid_array;
1159 q.out.count = r->out.count;
1161 status = _lsa_LookupNames(p, &q);
1163 sid_array2->count = sid_array->count;
1164 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1165 if (!sid_array2->sids) {
1166 return NT_STATUS_NO_MEMORY;
1169 for (i=0; i<sid_array->count; i++) {
1170 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1171 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1172 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1173 sid_array2->sids[i].unknown = 0;
1176 r->out.sids = sid_array2;
1181 /***************************************************************************
1183 ***************************************************************************/
1185 NTSTATUS _lsa_LookupNames3(pipes_struct *p,
1186 struct lsa_LookupNames3 *r)
1189 struct lsa_info *handle;
1190 struct lsa_String *names = r->in.names;
1191 uint32 num_entries = r->in.num_names;
1192 struct lsa_RefDomainList *domains = NULL;
1193 struct lsa_TranslatedSid3 *trans_sids = NULL;
1194 uint32 mapped_count = 0;
1196 bool check_policy = true;
1198 switch (p->hdr_req.opnum) {
1199 case NDR_LSA_LOOKUPNAMES4:
1200 check_policy = false;
1202 case NDR_LSA_LOOKUPNAMES3:
1204 check_policy = true;
1207 if (num_entries > MAX_LOOKUP_SIDS) {
1208 num_entries = MAX_LOOKUP_SIDS;
1209 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1212 /* Probably the lookup_level is some sort of bitmask. */
1213 if (r->in.level == 1) {
1214 flags = LOOKUP_NAME_ALL;
1217 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1219 return NT_STATUS_NO_MEMORY;
1223 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1226 return NT_STATUS_NO_MEMORY;
1234 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1235 status = NT_STATUS_INVALID_HANDLE;
1239 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1240 return NT_STATUS_INVALID_HANDLE;
1243 /* check if the user has enough rights */
1244 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1245 status = NT_STATUS_ACCESS_DENIED;
1250 /* set up the LSA Lookup SIDs response */
1251 become_root(); /* lookup_name can require root privs */
1252 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1253 names, flags, &mapped_count);
1258 if (NT_STATUS_IS_OK(status)) {
1259 if (mapped_count == 0) {
1260 status = NT_STATUS_NONE_MAPPED;
1261 } else if (mapped_count != num_entries) {
1262 status = STATUS_SOME_UNMAPPED;
1266 *r->out.count = mapped_count;
1267 *r->out.domains = domains;
1268 r->out.sids->sids = trans_sids;
1269 r->out.sids->count = num_entries;
1274 /***************************************************************************
1276 ***************************************************************************/
1278 NTSTATUS _lsa_LookupNames4(pipes_struct *p,
1279 struct lsa_LookupNames4 *r)
1281 struct lsa_LookupNames3 q;
1283 /* No policy handle on this call. Restrict to crypto connections. */
1284 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1285 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1286 get_remote_machine_name() ));
1287 return NT_STATUS_INVALID_PARAMETER;
1291 q.in.num_names = r->in.num_names;
1292 q.in.names = r->in.names;
1293 q.in.level = r->in.level;
1294 q.in.lookup_options = r->in.lookup_options;
1295 q.in.client_revision = r->in.client_revision;
1296 q.in.sids = r->in.sids;
1297 q.in.count = r->in.count;
1299 q.out.domains = r->out.domains;
1300 q.out.sids = r->out.sids;
1301 q.out.count = r->out.count;
1303 return _lsa_LookupNames3(p, &q);
1306 /***************************************************************************
1307 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1308 ***************************************************************************/
1310 NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
1312 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1313 return NT_STATUS_INVALID_HANDLE;
1316 close_policy_hnd(p, r->in.handle);
1317 ZERO_STRUCTP(r->out.handle);
1318 return NT_STATUS_OK;
1321 /***************************************************************************
1322 ***************************************************************************/
1324 NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
1326 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1329 /***************************************************************************
1330 ***************************************************************************/
1332 NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
1334 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1337 /***************************************************************************
1338 ***************************************************************************/
1340 NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
1342 return NT_STATUS_ACCESS_DENIED;
1345 /***************************************************************************
1346 ***************************************************************************/
1348 NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
1350 return NT_STATUS_ACCESS_DENIED;
1353 /***************************************************************************
1354 ***************************************************************************/
1356 NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
1358 return NT_STATUS_ACCESS_DENIED;
1361 /***************************************************************************
1363 ***************************************************************************/
1365 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
1366 struct lsa_DeleteObject *r)
1369 struct lsa_info *info = NULL;
1371 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1372 return NT_STATUS_INVALID_HANDLE;
1375 if (!(info->access & STD_RIGHT_DELETE_ACCESS)) {
1376 return NT_STATUS_ACCESS_DENIED;
1379 switch (info->type) {
1380 case LSA_HANDLE_ACCOUNT_TYPE:
1381 status = privilege_delete_account(&info->sid);
1382 if (!NT_STATUS_IS_OK(status)) {
1383 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1384 nt_errstr(status)));
1389 return NT_STATUS_INVALID_HANDLE;
1392 close_policy_hnd(p, r->in.handle);
1393 ZERO_STRUCTP(r->out.handle);
1398 /***************************************************************************
1400 ***************************************************************************/
1402 NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
1403 struct lsa_EnumPrivs *r)
1405 struct lsa_info *handle;
1407 uint32 enum_context = *r->in.resume_handle;
1408 int num_privs = count_all_privileges();
1409 struct lsa_PrivEntry *entries = NULL;
1412 /* remember that the enum_context starts at 0 and not 1 */
1414 if ( enum_context >= num_privs )
1415 return NT_STATUS_NO_MORE_ENTRIES;
1417 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1418 enum_context, num_privs));
1420 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1421 return NT_STATUS_INVALID_HANDLE;
1423 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1424 return NT_STATUS_INVALID_HANDLE;
1427 /* check if the user has enough rights
1428 I don't know if it's the right one. not documented. */
1430 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1431 return NT_STATUS_ACCESS_DENIED;
1434 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1436 return NT_STATUS_NO_MEMORY;
1442 for (i = 0; i < num_privs; i++) {
1443 if( i < enum_context) {
1445 init_lsa_StringLarge(&entries[i].name, NULL);
1447 entries[i].luid.low = 0;
1448 entries[i].luid.high = 0;
1451 init_lsa_StringLarge(&entries[i].name, privs[i].name);
1453 luid = get_privilege_luid( &privs[i].se_priv );
1455 entries[i].luid.low = luid.luid.low;
1456 entries[i].luid.high = luid.luid.high;
1460 enum_context = num_privs;
1462 *r->out.resume_handle = enum_context;
1463 r->out.privs->count = num_privs;
1464 r->out.privs->privs = entries;
1466 return NT_STATUS_OK;
1469 /***************************************************************************
1470 _lsa_LookupPrivDisplayName
1471 ***************************************************************************/
1473 NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
1474 struct lsa_LookupPrivDisplayName *r)
1476 struct lsa_info *handle;
1477 const char *description;
1478 struct lsa_StringLarge *lsa_name;
1480 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1481 return NT_STATUS_INVALID_HANDLE;
1483 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1484 return NT_STATUS_INVALID_HANDLE;
1487 /* check if the user has enough rights */
1490 * I don't know if it's the right one. not documented.
1492 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1493 return NT_STATUS_ACCESS_DENIED;
1495 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1497 description = get_privilege_dispname(r->in.name->string);
1499 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1500 return NT_STATUS_NO_SUCH_PRIVILEGE;
1503 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1505 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1507 return NT_STATUS_NO_MEMORY;
1510 init_lsa_StringLarge(lsa_name, description);
1512 *r->out.returned_language_id = r->in.language_id;
1513 *r->out.disp_name = lsa_name;
1515 return NT_STATUS_OK;
1518 /***************************************************************************
1520 ***************************************************************************/
1522 NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
1523 struct lsa_EnumAccounts *r)
1525 struct lsa_info *handle;
1527 int i, j, num_entries;
1529 struct lsa_SidPtr *sids = NULL;
1531 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1532 return NT_STATUS_INVALID_HANDLE;
1534 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1535 return NT_STATUS_INVALID_HANDLE;
1538 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1539 return NT_STATUS_ACCESS_DENIED;
1544 /* The only way we can currently find out all the SIDs that have been
1545 privileged is to scan all privileges */
1547 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1548 if (!NT_STATUS_IS_OK(status)) {
1552 if (*r->in.resume_handle >= num_entries) {
1553 return NT_STATUS_NO_MORE_ENTRIES;
1556 if (num_entries - *r->in.resume_handle) {
1557 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1558 num_entries - *r->in.resume_handle);
1560 talloc_free(sid_list);
1561 return NT_STATUS_NO_MEMORY;
1564 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1565 sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1567 talloc_free(sid_list);
1568 return NT_STATUS_NO_MEMORY;
1573 talloc_free(sid_list);
1575 *r->out.resume_handle = num_entries;
1576 r->out.sids->num_sids = num_entries;
1577 r->out.sids->sids = sids;
1579 return NT_STATUS_OK;
1582 /***************************************************************************
1584 ***************************************************************************/
1586 NTSTATUS _lsa_GetUserName(pipes_struct *p,
1587 struct lsa_GetUserName *r)
1589 const char *username, *domname;
1590 struct lsa_String *account_name = NULL;
1591 struct lsa_String *authority_name = NULL;
1593 if (r->in.account_name &&
1594 *r->in.account_name) {
1595 return NT_STATUS_INVALID_PARAMETER;
1598 if (r->in.authority_name &&
1599 *r->in.authority_name) {
1600 return NT_STATUS_INVALID_PARAMETER;
1603 if (p->server_info->guest) {
1605 * I'm 99% sure this is not the right place to do this,
1606 * global_sid_Anonymous should probably be put into the token
1607 * instead of the guest id -- vl
1609 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1610 &domname, &username, NULL)) {
1611 return NT_STATUS_NO_MEMORY;
1614 username = p->server_info->sanitized_username;
1615 domname = pdb_get_domain(p->server_info->sam_account);
1618 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1619 if (!account_name) {
1620 return NT_STATUS_NO_MEMORY;
1622 init_lsa_String(account_name, username);
1624 if (r->out.authority_name) {
1625 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1626 if (!authority_name) {
1627 return NT_STATUS_NO_MEMORY;
1629 init_lsa_String(authority_name, domname);
1632 *r->out.account_name = account_name;
1633 if (r->out.authority_name) {
1634 *r->out.authority_name = authority_name;
1637 return NT_STATUS_OK;
1640 /***************************************************************************
1642 ***************************************************************************/
1644 NTSTATUS _lsa_CreateAccount(pipes_struct *p,
1645 struct lsa_CreateAccount *r)
1648 struct lsa_info *handle;
1649 struct lsa_info *info;
1650 uint32_t acc_granted;
1651 struct security_descriptor *psd;
1654 /* find the connection policy handle. */
1655 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1656 return NT_STATUS_INVALID_HANDLE;
1658 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1659 return NT_STATUS_INVALID_HANDLE;
1662 /* check if the user has enough rights */
1664 if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
1665 return NT_STATUS_ACCESS_DENIED;
1668 /* Work out max allowed. */
1669 map_max_allowed_access(p->server_info->ptok,
1670 &p->server_info->utok,
1671 &r->in.access_mask);
1673 /* map the generic bits to the lsa policy ones */
1674 se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1676 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1677 &lsa_account_mapping,
1678 r->in.sid, LSA_POLICY_ALL_ACCESS);
1679 if (!NT_STATUS_IS_OK(status)) {
1683 status = access_check_object(psd, p->server_info->ptok,
1684 NULL, 0, r->in.access_mask,
1685 &acc_granted, "_lsa_CreateAccount");
1686 if (!NT_STATUS_IS_OK(status)) {
1690 if ( is_privileged_sid( r->in.sid ) )
1691 return NT_STATUS_OBJECT_NAME_COLLISION;
1693 /* associate the user/group SID with the (unique) handle. */
1695 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1697 return NT_STATUS_NO_MEMORY;
1700 info->sid = *r->in.sid;
1701 info->access = acc_granted;
1702 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1704 /* get a (unique) handle. open a policy on it. */
1705 if (!create_policy_hnd(p, r->out.acct_handle, info))
1706 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1708 return privilege_create_account( &info->sid );
1711 /***************************************************************************
1713 ***************************************************************************/
1715 NTSTATUS _lsa_OpenAccount(pipes_struct *p,
1716 struct lsa_OpenAccount *r)
1718 struct lsa_info *handle;
1719 struct lsa_info *info;
1720 SEC_DESC *psd = NULL;
1722 uint32_t des_access = r->in.access_mask;
1723 uint32_t acc_granted;
1726 /* find the connection policy handle. */
1727 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1728 return NT_STATUS_INVALID_HANDLE;
1730 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1731 return NT_STATUS_INVALID_HANDLE;
1734 /* des_access is for the account here, not the policy
1735 * handle - so don't check against policy handle. */
1737 /* Work out max allowed. */
1738 map_max_allowed_access(p->server_info->ptok,
1739 &p->server_info->utok,
1742 /* map the generic bits to the lsa account ones */
1743 se_map_generic(&des_access, &lsa_account_mapping);
1745 /* get the generic lsa account SD until we store it */
1746 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1747 &lsa_account_mapping,
1748 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1749 if (!NT_STATUS_IS_OK(status)) {
1753 status = access_check_object(psd, p->server_info->ptok,
1754 NULL, 0, des_access,
1755 &acc_granted, "_lsa_OpenAccount" );
1757 if (!NT_STATUS_IS_OK(status)) {
1761 /* TODO: Fis the parsing routine before reenabling this check! */
1763 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1764 return NT_STATUS_ACCESS_DENIED;
1766 /* associate the user/group SID with the (unique) handle. */
1767 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1769 return NT_STATUS_NO_MEMORY;
1772 info->sid = *r->in.sid;
1773 info->access = acc_granted;
1774 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1776 /* get a (unique) handle. open a policy on it. */
1777 if (!create_policy_hnd(p, r->out.acct_handle, info))
1778 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1780 return NT_STATUS_OK;
1783 /***************************************************************************
1784 _lsa_EnumPrivsAccount
1785 For a given SID, enumerate all the privilege this account has.
1786 ***************************************************************************/
1788 NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
1789 struct lsa_EnumPrivsAccount *r)
1791 NTSTATUS status = NT_STATUS_OK;
1792 struct lsa_info *info=NULL;
1794 PRIVILEGE_SET privileges;
1795 struct lsa_PrivilegeSet *priv_set = NULL;
1796 struct lsa_LUIDAttribute *luid_attrs = NULL;
1799 /* find the connection policy handle. */
1800 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1801 return NT_STATUS_INVALID_HANDLE;
1803 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1804 return NT_STATUS_INVALID_HANDLE;
1807 if (!(info->access & LSA_ACCOUNT_VIEW))
1808 return NT_STATUS_ACCESS_DENIED;
1810 get_privileges_for_sids(&mask, &info->sid, 1);
1812 privilege_set_init( &privileges );
1814 priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1816 status = NT_STATUS_NO_MEMORY;
1820 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1822 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1823 sid_string_dbg(&info->sid),
1826 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1827 struct lsa_LUIDAttribute,
1830 status = NT_STATUS_NO_MEMORY;
1834 for (i=0; i<privileges.count; i++) {
1835 luid_attrs[i].luid.low = privileges.set[i].luid.low;
1836 luid_attrs[i].luid.high = privileges.set[i].luid.high;
1837 luid_attrs[i].attribute = privileges.set[i].attr;
1840 priv_set->count = privileges.count;
1841 priv_set->unknown = 0;
1842 priv_set->set = luid_attrs;
1845 priv_set->count = 0;
1846 priv_set->unknown = 0;
1847 priv_set->set = NULL;
1850 *r->out.privs = priv_set;
1853 privilege_set_free( &privileges );
1858 /***************************************************************************
1859 _lsa_GetSystemAccessAccount
1860 ***************************************************************************/
1862 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
1863 struct lsa_GetSystemAccessAccount *r)
1866 struct lsa_info *info = NULL;
1867 struct lsa_EnumPrivsAccount e;
1868 struct lsa_PrivilegeSet *privset;
1870 /* find the connection policy handle. */
1872 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1873 return NT_STATUS_INVALID_HANDLE;
1875 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1876 return NT_STATUS_INVALID_HANDLE;
1879 if (!(info->access & LSA_ACCOUNT_VIEW))
1880 return NT_STATUS_ACCESS_DENIED;
1882 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1884 return NT_STATUS_NO_MEMORY;
1887 e.in.handle = r->in.handle;
1888 e.out.privs = &privset;
1890 status = _lsa_EnumPrivsAccount(p, &e);
1891 if (!NT_STATUS_IS_OK(status)) {
1892 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1893 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1894 nt_errstr(status)));
1898 /* Samba4 would iterate over the privset to merge the policy mode bits,
1899 * not sure samba3 can do the same here, so just return what we did in
1903 0x01 -> Log on locally
1904 0x02 -> Access this computer from network
1905 0x04 -> Log on as a batch job
1906 0x10 -> Log on as a service
1908 they can be ORed together
1911 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1912 LSA_POLICY_MODE_NETWORK;
1914 return NT_STATUS_OK;
1917 /***************************************************************************
1918 update the systemaccount information
1919 ***************************************************************************/
1921 NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
1922 struct lsa_SetSystemAccessAccount *r)
1924 struct lsa_info *info=NULL;
1927 /* find the connection policy handle. */
1928 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1929 return NT_STATUS_INVALID_HANDLE;
1931 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1932 return NT_STATUS_INVALID_HANDLE;
1935 if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1936 return NT_STATUS_ACCESS_DENIED;
1939 if (!pdb_getgrsid(&map, info->sid))
1940 return NT_STATUS_NO_SUCH_GROUP;
1942 return pdb_update_group_mapping_entry(&map);
1945 /***************************************************************************
1946 _lsa_AddPrivilegesToAccount
1947 For a given SID, add some privileges.
1948 ***************************************************************************/
1950 NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
1951 struct lsa_AddPrivilegesToAccount *r)
1953 struct lsa_info *info = NULL;
1955 struct lsa_PrivilegeSet *set = NULL;
1957 /* find the connection policy handle. */
1958 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1959 return NT_STATUS_INVALID_HANDLE;
1961 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1962 return NT_STATUS_INVALID_HANDLE;
1965 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1966 return NT_STATUS_ACCESS_DENIED;
1970 if ( !privilege_set_to_se_priv( &mask, set ) )
1971 return NT_STATUS_NO_SUCH_PRIVILEGE;
1973 if ( !grant_privilege( &info->sid, &mask ) ) {
1974 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1975 sid_string_dbg(&info->sid) ));
1976 DEBUG(3,("Privilege mask:\n"));
1977 dump_se_priv( DBGC_ALL, 3, &mask );
1978 return NT_STATUS_NO_SUCH_PRIVILEGE;
1981 return NT_STATUS_OK;
1984 /***************************************************************************
1985 _lsa_RemovePrivilegesFromAccount
1986 For a given SID, remove some privileges.
1987 ***************************************************************************/
1989 NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
1990 struct lsa_RemovePrivilegesFromAccount *r)
1992 struct lsa_info *info = NULL;
1994 struct lsa_PrivilegeSet *set = NULL;
1996 /* find the connection policy handle. */
1997 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1998 return NT_STATUS_INVALID_HANDLE;
2000 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2001 return NT_STATUS_INVALID_HANDLE;
2004 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2005 return NT_STATUS_ACCESS_DENIED;
2010 if ( !privilege_set_to_se_priv( &mask, set ) )
2011 return NT_STATUS_NO_SUCH_PRIVILEGE;
2013 if ( !revoke_privilege( &info->sid, &mask ) ) {
2014 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2015 sid_string_dbg(&info->sid) ));
2016 DEBUG(3,("Privilege mask:\n"));
2017 dump_se_priv( DBGC_ALL, 3, &mask );
2018 return NT_STATUS_NO_SUCH_PRIVILEGE;
2021 return NT_STATUS_OK;
2024 /***************************************************************************
2026 ***************************************************************************/
2028 NTSTATUS _lsa_LookupPrivName(pipes_struct *p,
2029 struct lsa_LookupPrivName *r)
2031 struct lsa_info *info = NULL;
2033 struct lsa_StringLarge *lsa_name;
2035 /* find the connection policy handle. */
2036 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2037 return NT_STATUS_INVALID_HANDLE;
2040 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2041 return NT_STATUS_INVALID_HANDLE;
2044 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2045 return NT_STATUS_ACCESS_DENIED;
2048 name = luid_to_privilege_name((LUID *)r->in.luid);
2050 return NT_STATUS_NO_SUCH_PRIVILEGE;
2053 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2055 return NT_STATUS_NO_MEMORY;
2058 lsa_name->string = talloc_strdup(lsa_name, name);
2059 if (!lsa_name->string) {
2060 TALLOC_FREE(lsa_name);
2061 return NT_STATUS_NO_MEMORY;
2064 *r->out.name = lsa_name;
2066 return NT_STATUS_OK;
2069 /***************************************************************************
2071 ***************************************************************************/
2073 NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
2074 struct lsa_QuerySecurity *r)
2076 struct lsa_info *handle=NULL;
2077 SEC_DESC *psd = NULL;
2081 /* find the connection policy handle. */
2082 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2083 return NT_STATUS_INVALID_HANDLE;
2085 if (handle->type == LSA_HANDLE_POLICY_TYPE) {
2086 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2087 &lsa_policy_mapping, NULL, 0);
2088 } else if (handle->type == LSA_HANDLE_ACCOUNT_TYPE) {
2089 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2090 &lsa_account_mapping,
2091 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2093 status = NT_STATUS_INVALID_HANDLE;
2096 if (!NT_STATUS_IS_OK(status)) {
2100 *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2101 if (!*r->out.sdbuf) {
2102 return NT_STATUS_NO_MEMORY;
2108 /***************************************************************************
2109 _lsa_AddAccountRights
2110 ***************************************************************************/
2112 NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
2113 struct lsa_AddAccountRights *r)
2115 struct lsa_info *info = NULL;
2117 uint32_t acc_granted = 0;
2118 SEC_DESC *psd = NULL;
2123 /* find the connection policy handle. */
2124 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2125 return NT_STATUS_INVALID_HANDLE;
2127 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2128 return NT_STATUS_INVALID_HANDLE;
2131 /* get the generic lsa account SD for this SID until we store it */
2132 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2133 &lsa_account_mapping,
2134 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2135 if (!NT_STATUS_IS_OK(status)) {
2140 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2141 * on the policy handle. If it does, ask for
2142 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2143 * on the account sid. We don't check here so just use the latter. JRA.
2146 status = access_check_object(psd, p->server_info->ptok,
2147 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2148 &acc_granted, "_lsa_AddAccountRights" );
2150 if (!NT_STATUS_IS_OK(status)) {
2154 /* according to an NT4 PDC, you can add privileges to SIDs even without
2155 call_lsa_create_account() first. And you can use any arbitrary SID. */
2157 sid_copy( &sid, r->in.sid );
2159 for ( i=0; i < r->in.rights->count; i++ ) {
2161 const char *privname = r->in.rights->names[i].string;
2163 /* only try to add non-null strings */
2168 if ( !grant_privilege_by_name( &sid, privname ) ) {
2169 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2171 return NT_STATUS_NO_SUCH_PRIVILEGE;
2175 return NT_STATUS_OK;
2178 /***************************************************************************
2179 _lsa_RemoveAccountRights
2180 ***************************************************************************/
2182 NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
2183 struct lsa_RemoveAccountRights *r)
2185 struct lsa_info *info = NULL;
2187 SEC_DESC *psd = NULL;
2190 const char *privname = NULL;
2191 uint32_t acc_granted = 0;
2194 /* find the connection policy handle. */
2195 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2196 return NT_STATUS_INVALID_HANDLE;
2198 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2199 return NT_STATUS_INVALID_HANDLE;
2202 /* get the generic lsa account SD for this SID until we store it */
2203 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2204 &lsa_account_mapping,
2205 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2206 if (!NT_STATUS_IS_OK(status)) {
2211 * From the MS DOCs. We need
2212 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2213 * and DELETE on the account sid.
2216 status = access_check_object(psd, p->server_info->ptok,
2217 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2218 LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
2219 &acc_granted, "_lsa_AddAccountRights" );
2221 if (!NT_STATUS_IS_OK(status)) {
2225 sid_copy( &sid, r->in.sid );
2227 if ( r->in.remove_all ) {
2228 if ( !revoke_all_privileges( &sid ) )
2229 return NT_STATUS_ACCESS_DENIED;
2231 return NT_STATUS_OK;
2234 for ( i=0; i < r->in.rights->count; i++ ) {
2236 privname = r->in.rights->names[i].string;
2238 /* only try to add non-null strings */
2243 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2244 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2246 return NT_STATUS_NO_SUCH_PRIVILEGE;
2250 return NT_STATUS_OK;
2253 /*******************************************************************
2254 ********************************************************************/
2256 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2257 struct lsa_RightSet *r,
2258 PRIVILEGE_SET *privileges)
2261 const char *privname;
2262 const char **privname_array = NULL;
2265 for (i=0; i<privileges->count; i++) {
2267 privname = luid_to_privilege_name(&privileges->set[i].luid);
2269 if (!add_string_to_array(mem_ctx, privname,
2270 &privname_array, &num_priv)) {
2271 return NT_STATUS_NO_MEMORY;
2278 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2281 return NT_STATUS_NO_MEMORY;
2284 for (i=0; i<num_priv; i++) {
2285 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2288 r->count = num_priv;
2291 return NT_STATUS_OK;
2294 /***************************************************************************
2295 _lsa_EnumAccountRights
2296 ***************************************************************************/
2298 NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
2299 struct lsa_EnumAccountRights *r)
2302 struct lsa_info *info = NULL;
2304 PRIVILEGE_SET privileges;
2307 /* find the connection policy handle. */
2309 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2310 return NT_STATUS_INVALID_HANDLE;
2312 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2313 return NT_STATUS_INVALID_HANDLE;
2316 if (!(info->access & LSA_ACCOUNT_VIEW)) {
2317 return NT_STATUS_ACCESS_DENIED;
2320 /* according to an NT4 PDC, you can add privileges to SIDs even without
2321 call_lsa_create_account() first. And you can use any arbitrary SID. */
2323 sid_copy( &sid, r->in.sid );
2325 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2326 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2327 * the lsa database */
2329 if (!get_privileges_for_sids(&mask, &sid, 1)) {
2330 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2333 status = privilege_set_init(&privileges);
2334 if (!NT_STATUS_IS_OK(status)) {
2338 se_priv_to_privilege_set(&privileges, &mask);
2340 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2341 sid_string_dbg(&sid), privileges.count));
2343 status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2345 privilege_set_free( &privileges );
2350 /***************************************************************************
2351 _lsa_LookupPrivValue
2352 ***************************************************************************/
2354 NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
2355 struct lsa_LookupPrivValue *r)
2357 struct lsa_info *info = NULL;
2358 const char *name = NULL;
2359 LUID_ATTR priv_luid;
2362 /* find the connection policy handle. */
2364 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2365 return NT_STATUS_INVALID_HANDLE;
2367 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2368 return NT_STATUS_INVALID_HANDLE;
2371 if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2372 return NT_STATUS_ACCESS_DENIED;
2374 name = r->in.name->string;
2376 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2378 if ( !se_priv_from_name( name, &mask ) )
2379 return NT_STATUS_NO_SUCH_PRIVILEGE;
2381 priv_luid = get_privilege_luid( &mask );
2383 r->out.luid->low = priv_luid.luid.low;
2384 r->out.luid->high = priv_luid.luid.high;
2386 return NT_STATUS_OK;
2389 /***************************************************************************
2390 _lsa_EnumAccountsWithUserRight
2391 ***************************************************************************/
2393 NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p,
2394 struct lsa_EnumAccountsWithUserRight *r)
2397 struct lsa_info *info = NULL;
2398 struct dom_sid *sids = NULL;
2403 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2404 return NT_STATUS_INVALID_HANDLE;
2407 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2408 return NT_STATUS_INVALID_HANDLE;
2411 if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2412 return NT_STATUS_ACCESS_DENIED;
2415 if (!r->in.name || !r->in.name->string) {
2416 return NT_STATUS_NO_SUCH_PRIVILEGE;
2419 if (!se_priv_from_name(r->in.name->string, &mask)) {
2420 return NT_STATUS_NO_SUCH_PRIVILEGE;
2423 status = privilege_enum_sids(&mask, p->mem_ctx,
2425 if (!NT_STATUS_IS_OK(status)) {
2429 r->out.sids->num_sids = num_sids;
2430 r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2431 r->out.sids->num_sids);
2433 for (i=0; i < r->out.sids->num_sids; i++) {
2434 r->out.sids->sids[i].sid = sid_dup_talloc(r->out.sids->sids,
2436 if (!r->out.sids->sids[i].sid) {
2437 TALLOC_FREE(r->out.sids->sids);
2438 r->out.sids->num_sids = 0;
2439 return NT_STATUS_NO_MEMORY;
2443 return NT_STATUS_OK;
2446 /***************************************************************************
2448 ***************************************************************************/
2450 NTSTATUS _lsa_Delete(pipes_struct *p,
2451 struct lsa_Delete *r)
2453 return NT_STATUS_NOT_SUPPORTED;
2457 * From here on the server routines are just dummy ones to make smbd link with
2458 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2459 * pulling the server stubs across one by one.
2462 NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
2464 p->rng_fault_state = True;
2465 return NT_STATUS_NOT_IMPLEMENTED;
2468 NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
2470 p->rng_fault_state = True;
2471 return NT_STATUS_NOT_IMPLEMENTED;
2474 NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
2476 p->rng_fault_state = True;
2477 return NT_STATUS_NOT_IMPLEMENTED;
2480 NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
2482 p->rng_fault_state = True;
2483 return NT_STATUS_NOT_IMPLEMENTED;
2486 NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
2488 p->rng_fault_state = True;
2489 return NT_STATUS_NOT_IMPLEMENTED;
2492 NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
2494 p->rng_fault_state = True;
2495 return NT_STATUS_NOT_IMPLEMENTED;
2498 NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
2500 p->rng_fault_state = True;
2501 return NT_STATUS_NOT_IMPLEMENTED;
2504 NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
2506 p->rng_fault_state = True;
2507 return NT_STATUS_NOT_IMPLEMENTED;
2510 NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
2512 p->rng_fault_state = True;
2513 return NT_STATUS_NOT_IMPLEMENTED;
2516 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
2518 p->rng_fault_state = True;
2519 return NT_STATUS_NOT_IMPLEMENTED;
2522 NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
2524 p->rng_fault_state = True;
2525 return NT_STATUS_NOT_IMPLEMENTED;
2528 NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
2530 p->rng_fault_state = True;
2531 return NT_STATUS_NOT_IMPLEMENTED;
2534 NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
2536 p->rng_fault_state = True;
2537 return NT_STATUS_NOT_IMPLEMENTED;
2540 NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
2542 p->rng_fault_state = True;
2543 return NT_STATUS_NOT_IMPLEMENTED;
2546 NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
2548 p->rng_fault_state = True;
2549 return NT_STATUS_NOT_IMPLEMENTED;
2552 NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
2554 p->rng_fault_state = True;
2555 return NT_STATUS_NOT_IMPLEMENTED;
2558 NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
2560 p->rng_fault_state = True;
2561 return NT_STATUS_NOT_IMPLEMENTED;
2564 NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
2566 p->rng_fault_state = True;
2567 return NT_STATUS_NOT_IMPLEMENTED;
2570 NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
2572 p->rng_fault_state = True;
2573 return NT_STATUS_NOT_IMPLEMENTED;
2576 NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
2578 p->rng_fault_state = True;
2579 return NT_STATUS_NOT_IMPLEMENTED;
2582 NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
2584 p->rng_fault_state = True;
2585 return NT_STATUS_NOT_IMPLEMENTED;
2588 NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
2590 p->rng_fault_state = True;
2591 return NT_STATUS_NOT_IMPLEMENTED;
2594 NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
2596 p->rng_fault_state = True;
2597 return NT_STATUS_NOT_IMPLEMENTED;
2600 NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
2602 p->rng_fault_state = True;
2603 return NT_STATUS_NOT_IMPLEMENTED;
2606 NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
2608 p->rng_fault_state = True;
2609 return NT_STATUS_NOT_IMPLEMENTED;
2612 NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
2614 p->rng_fault_state = True;
2615 return NT_STATUS_NOT_IMPLEMENTED;
2618 NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
2620 p->rng_fault_state = True;
2621 return NT_STATUS_NOT_IMPLEMENTED;
2624 NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2626 p->rng_fault_state = True;
2627 return NT_STATUS_NOT_IMPLEMENTED;
2630 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2632 p->rng_fault_state = True;
2633 return NT_STATUS_NOT_IMPLEMENTED;
2636 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2638 p->rng_fault_state = True;
2639 return NT_STATUS_NOT_IMPLEMENTED;
2642 NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
2644 p->rng_fault_state = True;
2645 return NT_STATUS_NOT_IMPLEMENTED;
2648 NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
2650 p->rng_fault_state = True;
2651 return NT_STATUS_NOT_IMPLEMENTED;
2654 NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
2656 p->rng_fault_state = True;
2657 return NT_STATUS_NOT_IMPLEMENTED;
2660 NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
2662 p->rng_fault_state = True;
2663 return NT_STATUS_NOT_IMPLEMENTED;
2666 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
2668 p->rng_fault_state = True;
2669 return NT_STATUS_NOT_IMPLEMENTED;
2672 NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
2674 p->rng_fault_state = True;
2675 return NT_STATUS_NOT_IMPLEMENTED;
2678 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
2680 p->rng_fault_state = True;
2681 return NT_STATUS_NOT_IMPLEMENTED;
2684 NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
2686 p->rng_fault_state = True;
2687 return NT_STATUS_NOT_IMPLEMENTED;
2690 NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2692 p->rng_fault_state = True;
2693 return NT_STATUS_NOT_IMPLEMENTED;
2696 NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
2698 p->rng_fault_state = True;
2699 return NT_STATUS_NOT_IMPLEMENTED;
2702 NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
2704 p->rng_fault_state = True;
2705 return NT_STATUS_NOT_IMPLEMENTED;
2708 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2710 p->rng_fault_state = True;
2711 return NT_STATUS_NOT_IMPLEMENTED;
2714 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2716 p->rng_fault_state = True;
2717 return NT_STATUS_NOT_IMPLEMENTED;
2720 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
2722 p->rng_fault_state = True;
2723 return NT_STATUS_NOT_IMPLEMENTED;