s3-lsa: Fix _lsa_CreateAccount() for usage of SEC_FLAG_MAXIMUM_ALLOWED.
[ira/wip.git] / source3 / rpc_server / srv_lsa_nt.c
1 /*
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Copyright (C) Andrew Tridgell              1992-1997,
5  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6  *  Copyright (C) Paul Ashton                       1997,
7  *  Copyright (C) Jeremy Allison                    2001, 2006.
8  *  Copyright (C) Rafal Szczesniak                  2002,
9  *  Copyright (C) Jim McDonough <jmcd@us.ibm.com>   2002,
10  *  Copyright (C) Simo Sorce                        2003.
11  *  Copyright (C) Gerald (Jerry) Carter             2005.
12  *  Copyright (C) Volker Lendecke                   2005.
13  *  Copyright (C) Guenther Deschner                 2008.
14  *
15  *  This program is free software; you can redistribute it and/or modify
16  *  it under the terms of the GNU General Public License as published by
17  *  the Free Software Foundation; either version 3 of the License, or
18  *  (at your option) any later version.
19  *
20  *  This program is distributed in the hope that it will be useful,
21  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
22  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
23  *  GNU General Public License for more details.
24  *
25  *  You should have received a copy of the GNU General Public License
26  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
27  */
28
29 /* This is the implementation of the lsa server code. */
30
31 #include "includes.h"
32
33 #undef DBGC_CLASS
34 #define DBGC_CLASS DBGC_RPC_SRV
35
36 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
37
38 extern PRIVS privs[];
39
40 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
41
42 struct lsa_info {
43         DOM_SID sid;
44         uint32 access;
45         enum lsa_handle_type type;
46 };
47
48 const struct generic_mapping lsa_account_mapping = {
49         LSA_ACCOUNT_READ,
50         LSA_ACCOUNT_WRITE,
51         LSA_ACCOUNT_EXECUTE,
52         LSA_ACCOUNT_ALL_ACCESS
53 };
54
55 const struct generic_mapping lsa_policy_mapping = {
56         LSA_POLICY_READ,
57         LSA_POLICY_WRITE,
58         LSA_POLICY_EXECUTE,
59         LSA_POLICY_ALL_ACCESS
60 };
61
62 /***************************************************************************
63  init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
64 ***************************************************************************/
65
66 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
67                                     struct lsa_RefDomainList *ref,
68                                     const char *dom_name,
69                                     DOM_SID *dom_sid)
70 {
71         int num = 0;
72
73         if (dom_name != NULL) {
74                 for (num = 0; num < ref->count; num++) {
75                         if (sid_equal(dom_sid, ref->domains[num].sid)) {
76                                 return num;
77                         }
78                 }
79         } else {
80                 num = ref->count;
81         }
82
83         if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
84                 /* index not found, already at maximum domain limit */
85                 return -1;
86         }
87
88         ref->count = num + 1;
89         ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
90
91         ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
92                                             struct lsa_DomainInfo, ref->count);
93         if (!ref->domains) {
94                 return -1;
95         }
96
97         ZERO_STRUCT(ref->domains[num]);
98
99         init_lsa_StringLarge(&ref->domains[num].name, dom_name);
100         ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
101         if (!ref->domains[num].sid) {
102                 return -1;
103         }
104
105         return num;
106 }
107
108
109 /***************************************************************************
110  initialize a lsa_DomainInfo structure.
111  ***************************************************************************/
112
113 static void init_dom_query_3(struct lsa_DomainInfo *r,
114                              const char *name,
115                              DOM_SID *sid)
116 {
117         init_lsa_StringLarge(&r->name, name);
118         r->sid = sid;
119 }
120
121 /***************************************************************************
122  initialize a lsa_DomainInfo structure.
123  ***************************************************************************/
124
125 static void init_dom_query_5(struct lsa_DomainInfo *r,
126                              const char *name,
127                              DOM_SID *sid)
128 {
129         init_lsa_StringLarge(&r->name, name);
130         r->sid = sid;
131 }
132
133 /***************************************************************************
134  lookup_lsa_rids. Must be called as root for lookup_name to work.
135  ***************************************************************************/
136
137 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
138                                 struct lsa_RefDomainList *ref,
139                                 struct lsa_TranslatedSid *prid,
140                                 uint32_t num_entries,
141                                 struct lsa_String *name,
142                                 int flags,
143                                 uint32_t *pmapped_count)
144 {
145         uint32 mapped_count, i;
146
147         SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
148
149         mapped_count = 0;
150         *pmapped_count = 0;
151
152         for (i = 0; i < num_entries; i++) {
153                 DOM_SID sid;
154                 uint32 rid;
155                 int dom_idx;
156                 const char *full_name;
157                 const char *domain;
158                 enum lsa_SidType type = SID_NAME_UNKNOWN;
159
160                 /* Split name into domain and user component */
161
162                 full_name = name[i].string;
163                 if (full_name == NULL) {
164                         prid[i].sid_type        = type;
165                         prid[i].rid             = 0;
166                         prid[i].sid_index       = (uint32_t)-1;
167                         continue;
168                 }
169
170                 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
171
172                 /* We can ignore the result of lookup_name, it will not touch
173                    "type" if it's not successful */
174
175                 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
176                             &sid, &type);
177
178                 switch (type) {
179                 case SID_NAME_USER:
180                 case SID_NAME_DOM_GRP:
181                 case SID_NAME_DOMAIN:
182                 case SID_NAME_ALIAS:
183                 case SID_NAME_WKN_GRP:
184                         DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
185                         /* Leave these unchanged */
186                         break;
187                 default:
188                         /* Don't hand out anything but the list above */
189                         DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
190                         type = SID_NAME_UNKNOWN;
191                         break;
192                 }
193
194                 rid = 0;
195                 dom_idx = -1;
196
197                 if (type != SID_NAME_UNKNOWN) {
198                         if (type == SID_NAME_DOMAIN) {
199                                 rid = (uint32_t)-1;
200                         } else {
201                                 sid_split_rid(&sid, &rid);
202                         }
203                         dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
204                         mapped_count++;
205                 }
206
207                 prid[i].sid_type        = type;
208                 prid[i].rid             = rid;
209                 prid[i].sid_index       = dom_idx;
210         }
211
212         *pmapped_count = mapped_count;
213         return NT_STATUS_OK;
214 }
215
216 /***************************************************************************
217  lookup_lsa_sids. Must be called as root for lookup_name to work.
218  ***************************************************************************/
219
220 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
221                                 struct lsa_RefDomainList *ref,
222                                 struct lsa_TranslatedSid3 *trans_sids,
223                                 uint32_t num_entries,
224                                 struct lsa_String *name,
225                                 int flags,
226                                 uint32 *pmapped_count)
227 {
228         uint32 mapped_count, i;
229
230         SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
231
232         mapped_count = 0;
233         *pmapped_count = 0;
234
235         for (i = 0; i < num_entries; i++) {
236                 DOM_SID sid;
237                 uint32 rid;
238                 int dom_idx;
239                 const char *full_name;
240                 const char *domain;
241                 enum lsa_SidType type = SID_NAME_UNKNOWN;
242
243                 ZERO_STRUCT(sid);
244
245                 /* Split name into domain and user component */
246
247                 full_name = name[i].string;
248                 if (full_name == NULL) {
249                         return NT_STATUS_NO_MEMORY;
250                 }
251
252                 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
253
254                 /* We can ignore the result of lookup_name, it will not touch
255                    "type" if it's not successful */
256
257                 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
258                             &sid, &type);
259
260                 switch (type) {
261                 case SID_NAME_USER:
262                 case SID_NAME_DOM_GRP:
263                 case SID_NAME_DOMAIN:
264                 case SID_NAME_ALIAS:
265                 case SID_NAME_WKN_GRP:
266                         DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
267                         /* Leave these unchanged */
268                         break;
269                 default:
270                         /* Don't hand out anything but the list above */
271                         DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
272                         type = SID_NAME_UNKNOWN;
273                         break;
274                 }
275
276                 rid = 0;
277                 dom_idx = -1;
278
279                 if (type != SID_NAME_UNKNOWN) {
280                         DOM_SID domain_sid;
281                         sid_copy(&domain_sid, &sid);
282                         sid_split_rid(&domain_sid, &rid);
283                         dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
284                         mapped_count++;
285                 }
286
287                 /* Initialize the lsa_TranslatedSid3 return. */
288                 trans_sids[i].sid_type = type;
289                 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
290                 trans_sids[i].sid_index = dom_idx;
291         }
292
293         *pmapped_count = mapped_count;
294         return NT_STATUS_OK;
295 }
296
297 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size,
298                                         const struct generic_mapping *map,
299                                         DOM_SID *sid, uint32_t sid_access)
300 {
301         DOM_SID adm_sid;
302         SEC_ACE ace[5];
303         size_t i = 0;
304
305         SEC_ACL *psa = NULL;
306
307         /* READ|EXECUTE access for Everyone */
308
309         init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
310                         map->generic_execute | map->generic_read, 0);
311
312         /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
313
314         init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
315                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
316         init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
317                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
318
319         /* Add Full Access for Domain Admins */
320         sid_copy(&adm_sid, get_global_sam_sid());
321         sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
322         init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
323                         map->generic_all, 0);
324
325         /* If we have a sid, give it some special access */
326
327         if (sid) {
328                 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
329                         sid_access, 0);
330         }
331
332         if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
333                 return NT_STATUS_NO_MEMORY;
334
335         if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
336                                 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
337                                 psa, sd_size)) == NULL)
338                 return NT_STATUS_NO_MEMORY;
339
340         return NT_STATUS_OK;
341 }
342
343
344 /***************************************************************************
345  _lsa_OpenPolicy2
346  ***************************************************************************/
347
348 NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
349                           struct lsa_OpenPolicy2 *r)
350 {
351         struct lsa_info *info;
352         SEC_DESC *psd = NULL;
353         size_t sd_size;
354         uint32 des_access = r->in.access_mask;
355         uint32 acc_granted;
356         NTSTATUS status;
357
358         /* Work out max allowed. */
359         map_max_allowed_access(p->server_info->ptok,
360                                &p->server_info->utok,
361                                &des_access);
362
363         /* map the generic bits to the lsa policy ones */
364         se_map_generic(&des_access, &lsa_policy_mapping);
365
366         /* get the generic lsa policy SD until we store it */
367         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
368                         NULL, 0);
369         if (!NT_STATUS_IS_OK(status)) {
370                 return status;
371         }
372
373         status = access_check_object(psd, p->server_info->ptok,
374                 NULL, 0, des_access,
375                 &acc_granted, "_lsa_OpenPolicy2" );
376
377         if (!NT_STATUS_IS_OK(status)) {
378                 return status;
379         }
380
381         /* associate the domain SID with the (unique) handle. */
382         info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
383         if (info == NULL) {
384                 return NT_STATUS_NO_MEMORY;
385         }
386
387         sid_copy(&info->sid,get_global_sam_sid());
388         info->access = acc_granted;
389         info->type = LSA_HANDLE_POLICY_TYPE;
390
391         /* set up the LSA QUERY INFO response */
392         if (!create_policy_hnd(p, r->out.handle, info))
393                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
394
395         return NT_STATUS_OK;
396 }
397
398 /***************************************************************************
399  _lsa_OpenPolicy
400  ***************************************************************************/
401
402 NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
403                          struct lsa_OpenPolicy *r)
404 {
405         struct lsa_OpenPolicy2 o;
406
407         o.in.system_name        = NULL; /* should be ignored */
408         o.in.attr               = r->in.attr;
409         o.in.access_mask        = r->in.access_mask;
410
411         o.out.handle            = r->out.handle;
412
413         return _lsa_OpenPolicy2(p, &o);
414 }
415
416 /***************************************************************************
417  _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
418  ufff, done :)  mimir
419  ***************************************************************************/
420
421 NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
422                            struct lsa_EnumTrustDom *r)
423 {
424         struct lsa_info *info;
425         uint32 next_idx;
426         struct trustdom_info **domains;
427         struct lsa_DomainInfo *lsa_domains = NULL;
428         int i;
429
430         /*
431          * preferred length is set to 5 as a "our" preferred length
432          * nt sets this parameter to 2
433          * update (20.08.2002): it's not preferred length, but preferred size!
434          * it needs further investigation how to optimally choose this value
435          */
436         uint32 max_num_domains =
437                 r->in.max_size < 5 ? r->in.max_size : 10;
438         uint32 num_domains;
439         NTSTATUS nt_status;
440         uint32 num_thistime;
441
442         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
443                 return NT_STATUS_INVALID_HANDLE;
444
445         if (info->type != LSA_HANDLE_POLICY_TYPE) {
446                 return NT_STATUS_INVALID_HANDLE;
447         }
448
449         /* check if the user has enough rights */
450         if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
451                 return NT_STATUS_ACCESS_DENIED;
452
453         become_root();
454         nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
455         unbecome_root();
456
457         if (!NT_STATUS_IS_OK(nt_status)) {
458                 return nt_status;
459         }
460
461         if (*r->in.resume_handle < num_domains) {
462                 num_thistime = MIN(num_domains, max_num_domains);
463
464                 nt_status = STATUS_MORE_ENTRIES;
465
466                 if (*r->in.resume_handle + num_thistime > num_domains) {
467                         num_thistime = num_domains - *r->in.resume_handle;
468                         nt_status = NT_STATUS_OK;
469                 }
470
471                 next_idx = *r->in.resume_handle + num_thistime;
472         } else {
473                 num_thistime = 0;
474                 next_idx = 0xffffffff;
475                 nt_status = NT_STATUS_NO_MORE_ENTRIES;
476         }
477
478         /* set up the lsa_enum_trust_dom response */
479
480         lsa_domains = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo,
481                                         num_thistime);
482         if (!lsa_domains) {
483                 return NT_STATUS_NO_MEMORY;
484         }
485
486         for (i=0; i<num_thistime; i++) {
487                 init_lsa_StringLarge(&lsa_domains[i].name, domains[i]->name);
488                 lsa_domains[i].sid = &domains[i]->sid;
489         }
490
491         *r->out.resume_handle = next_idx;
492         r->out.domains->count = num_thistime;
493         r->out.domains->domains = lsa_domains;
494
495         return nt_status;
496 }
497
498 #define LSA_AUDIT_NUM_CATEGORIES_NT4    7
499 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K  9
500 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
501
502 /***************************************************************************
503  _lsa_QueryInfoPolicy
504  ***************************************************************************/
505
506 NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
507                               struct lsa_QueryInfoPolicy *r)
508 {
509         NTSTATUS status = NT_STATUS_OK;
510         struct lsa_info *handle;
511         DOM_SID domain_sid;
512         const char *name;
513         DOM_SID *sid = NULL;
514         union lsa_PolicyInformation *info = NULL;
515         uint32_t acc_required = 0;
516
517         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
518                 return NT_STATUS_INVALID_HANDLE;
519
520         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
521                 return NT_STATUS_INVALID_HANDLE;
522         }
523
524         switch (r->in.level) {
525         case LSA_POLICY_INFO_AUDIT_LOG:
526         case LSA_POLICY_INFO_AUDIT_EVENTS:
527                 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
528                 break;
529         case LSA_POLICY_INFO_DOMAIN:
530                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
531                 break;
532         case LSA_POLICY_INFO_PD:
533                 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
534                 break;
535         case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
536                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
537                 break;
538         case LSA_POLICY_INFO_ROLE:
539         case LSA_POLICY_INFO_REPLICA:
540                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
541                 break;
542         case LSA_POLICY_INFO_QUOTA:
543                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
544                 break;
545         case LSA_POLICY_INFO_MOD:
546         case LSA_POLICY_INFO_AUDIT_FULL_SET:
547                 /* according to MS-LSAD 3.1.4.4.3 */
548                 return NT_STATUS_INVALID_PARAMETER;
549         case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
550                 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
551                 break;
552         case LSA_POLICY_INFO_DNS:
553         case LSA_POLICY_INFO_DNS_INT:
554         case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
555                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
556                 break;
557         default:
558                 break;
559         }
560
561         if (!(handle->access & acc_required)) {
562                 /* return NT_STATUS_ACCESS_DENIED; */
563         }
564
565         info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
566         if (!info) {
567                 return NT_STATUS_NO_MEMORY;
568         }
569
570         switch (r->in.level) {
571         case LSA_POLICY_INFO_AUDIT_EVENTS:
572                 {
573
574                 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
575
576                 /* check if the user has enough rights */
577                 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
578                         DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
579                         return NT_STATUS_ACCESS_DENIED;
580                 }
581
582                 /* fake info: We audit everything. ;) */
583
584                 info->audit_events.auditing_mode = true;
585                 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
586                 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
587                                                                 enum lsa_PolicyAuditPolicy,
588                                                                 info->audit_events.count);
589                 if (!info->audit_events.settings) {
590                         return NT_STATUS_NO_MEMORY;
591                 }
592
593                 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
594                 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
595                 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
596                 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
597                 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
598                 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
599                 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
600
601                 break;
602                 }
603         case LSA_POLICY_INFO_DOMAIN:
604                 /* check if the user has enough rights */
605                 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
606                         return NT_STATUS_ACCESS_DENIED;
607
608                 /* Request PolicyPrimaryDomainInformation. */
609                 switch (lp_server_role()) {
610                         case ROLE_DOMAIN_PDC:
611                         case ROLE_DOMAIN_BDC:
612                                 name = get_global_sam_name();
613                                 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
614                                 if (!sid) {
615                                         return NT_STATUS_NO_MEMORY;
616                                 }
617                                 break;
618                         case ROLE_DOMAIN_MEMBER:
619                                 name = lp_workgroup();
620                                 /* We need to return the Domain SID here. */
621                                 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
622                                         sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
623                                         if (!sid) {
624                                                 return NT_STATUS_NO_MEMORY;
625                                         }
626                                 } else {
627                                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
628                                 }
629                                 break;
630                         case ROLE_STANDALONE:
631                                 name = lp_workgroup();
632                                 sid = NULL;
633                                 break;
634                         default:
635                                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
636                 }
637                 init_dom_query_3(&info->domain, name, sid);
638                 break;
639         case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
640                 /* check if the user has enough rights */
641                 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
642                         return NT_STATUS_ACCESS_DENIED;
643
644                 /* Request PolicyAccountDomainInformation. */
645                 name = get_global_sam_name();
646                 sid = get_global_sam_sid();
647
648                 init_dom_query_5(&info->account_domain, name, sid);
649                 break;
650         case LSA_POLICY_INFO_ROLE:
651                 /* check if the user has enough rights */
652                 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
653                         return NT_STATUS_ACCESS_DENIED;
654
655                 switch (lp_server_role()) {
656                         case ROLE_DOMAIN_BDC:
657                                 /*
658                                  * only a BDC is a backup controller
659                                  * of the domain, it controls.
660                                  */
661                                 info->role.role = LSA_ROLE_BACKUP;
662                                 break;
663                         default:
664                                 /*
665                                  * any other role is a primary
666                                  * of the domain, it controls.
667                                  */
668                                 info->role.role = LSA_ROLE_PRIMARY;
669                                 break;
670                 }
671                 break;
672         case LSA_POLICY_INFO_DNS:
673         case LSA_POLICY_INFO_DNS_INT: {
674                 struct pdb_domain_info *dominfo;
675
676                 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
677                         DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
678                                    "without ADS passdb backend\n"));
679                         status = NT_STATUS_INVALID_INFO_CLASS;
680                         break;
681                 }
682
683                 dominfo = pdb_get_domain_info(info);
684                 if (dominfo == NULL) {
685                         status = NT_STATUS_NO_MEMORY;
686                         break;
687                 }
688
689                 init_lsa_StringLarge(&info->dns.name,
690                                      dominfo->name);
691                 init_lsa_StringLarge(&info->dns.dns_domain,
692                                      dominfo->dns_domain);
693                 init_lsa_StringLarge(&info->dns.dns_forest,
694                                      dominfo->dns_forest);
695                 info->dns.domain_guid = dominfo->guid;
696                 info->dns.sid = &dominfo->sid;
697                 break;
698         }
699         default:
700                 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
701                         r->in.level));
702                 status = NT_STATUS_INVALID_INFO_CLASS;
703                 break;
704         }
705
706         *r->out.info = info;
707
708         return status;
709 }
710
711 /***************************************************************************
712  _lsa_QueryInfoPolicy2
713  ***************************************************************************/
714
715 NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p,
716                                struct lsa_QueryInfoPolicy2 *r2)
717 {
718         struct lsa_QueryInfoPolicy r;
719
720         if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
721                 p->rng_fault_state = True;
722                 return NT_STATUS_NOT_IMPLEMENTED;
723         }
724
725         ZERO_STRUCT(r);
726         r.in.handle = r2->in.handle;
727         r.in.level = r2->in.level;
728         r.out.info = r2->out.info;
729
730         return _lsa_QueryInfoPolicy(p, &r);
731 }
732
733 /***************************************************************************
734  _lsa_lookup_sids_internal
735  ***************************************************************************/
736
737 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
738                                           TALLOC_CTX *mem_ctx,
739                                           uint16_t level,                       /* input */
740                                           int num_sids,                         /* input */
741                                           struct lsa_SidPtr *sid,               /* input */
742                                           struct lsa_RefDomainList **pp_ref,    /* input/output */
743                                           struct lsa_TranslatedName2 **pp_names,/* input/output */
744                                           uint32_t *pp_mapped_count)            /* input/output */
745 {
746         NTSTATUS status;
747         int i;
748         const DOM_SID **sids = NULL;
749         struct lsa_RefDomainList *ref = NULL;
750         uint32 mapped_count = 0;
751         struct lsa_dom_info *dom_infos = NULL;
752         struct lsa_name_info *name_infos = NULL;
753         struct lsa_TranslatedName2 *names = NULL;
754
755         *pp_mapped_count = 0;
756         *pp_names = NULL;
757         *pp_ref = NULL;
758
759         if (num_sids == 0) {
760                 return NT_STATUS_OK;
761         }
762
763         sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
764         ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
765
766         if (sids == NULL || ref == NULL) {
767                 return NT_STATUS_NO_MEMORY;
768         }
769
770         for (i=0; i<num_sids; i++) {
771                 sids[i] = sid[i].sid;
772         }
773
774         status = lookup_sids(p->mem_ctx, num_sids, sids, level,
775                                   &dom_infos, &name_infos);
776
777         if (!NT_STATUS_IS_OK(status)) {
778                 return status;
779         }
780
781         names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
782         if (names == NULL) {
783                 return NT_STATUS_NO_MEMORY;
784         }
785
786         for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
787
788                 if (!dom_infos[i].valid) {
789                         break;
790                 }
791
792                 if (init_lsa_ref_domain_list(mem_ctx, ref,
793                                              dom_infos[i].name,
794                                              &dom_infos[i].sid) != i) {
795                         DEBUG(0, ("Domain %s mentioned twice??\n",
796                                   dom_infos[i].name));
797                         return NT_STATUS_INTERNAL_ERROR;
798                 }
799         }
800
801         for (i=0; i<num_sids; i++) {
802                 struct lsa_name_info *name = &name_infos[i];
803
804                 if (name->type == SID_NAME_UNKNOWN) {
805                         fstring tmp;
806                         name->dom_idx = -1;
807                         /* Unknown sids should return the string
808                          * representation of the SID. Windows 2003 behaves
809                          * rather erratic here, in many cases it returns the
810                          * RID as 8 bytes hex, in others it returns the full
811                          * SID. We (Jerry/VL) could not figure out which the
812                          * hard cases are, so leave it with the SID.  */
813                         name->name = talloc_asprintf(p->mem_ctx, "%s",
814                                                      sid_to_fstring(tmp,
815                                                                     sids[i]));
816                         if (name->name == NULL) {
817                                 return NT_STATUS_NO_MEMORY;
818                         }
819                 } else {
820                         mapped_count += 1;
821                 }
822
823                 names[i].sid_type       = name->type;
824                 names[i].name.string    = name->name;
825                 names[i].sid_index      = name->dom_idx;
826                 names[i].unknown        = 0;
827         }
828
829         status = NT_STATUS_NONE_MAPPED;
830         if (mapped_count > 0) {
831                 status = (mapped_count < num_sids) ?
832                         STATUS_SOME_UNMAPPED : NT_STATUS_OK;
833         }
834
835         DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
836                    num_sids, mapped_count, nt_errstr(status)));
837
838         *pp_mapped_count = mapped_count;
839         *pp_names = names;
840         *pp_ref = ref;
841
842         return status;
843 }
844
845 /***************************************************************************
846  _lsa_LookupSids
847  ***************************************************************************/
848
849 NTSTATUS _lsa_LookupSids(pipes_struct *p,
850                          struct lsa_LookupSids *r)
851 {
852         NTSTATUS status;
853         struct lsa_info *handle;
854         int num_sids = r->in.sids->num_sids;
855         uint32 mapped_count = 0;
856         struct lsa_RefDomainList *domains = NULL;
857         struct lsa_TranslatedName *names_out = NULL;
858         struct lsa_TranslatedName2 *names = NULL;
859         int i;
860
861         if ((r->in.level < 1) || (r->in.level > 6)) {
862                 return NT_STATUS_INVALID_PARAMETER;
863         }
864
865         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
866                 return NT_STATUS_INVALID_HANDLE;
867         }
868
869         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
870                 return NT_STATUS_INVALID_HANDLE;
871         }
872
873         /* check if the user has enough rights */
874         if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
875                 return NT_STATUS_ACCESS_DENIED;
876         }
877
878         if (num_sids >  MAX_LOOKUP_SIDS) {
879                 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
880                          MAX_LOOKUP_SIDS, num_sids));
881                 return NT_STATUS_NONE_MAPPED;
882         }
883
884         status = _lsa_lookup_sids_internal(p,
885                                            p->mem_ctx,
886                                            r->in.level,
887                                            num_sids,
888                                            r->in.sids->sids,
889                                            &domains,
890                                            &names,
891                                            &mapped_count);
892
893         /* Only return here when there is a real error.
894            NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
895            the requested sids could be resolved. Older versions of XP (pre SP3)
896            rely that we return with the string representations of those SIDs in
897            that case. If we don't, XP crashes - Guenther
898            */
899
900         if (NT_STATUS_IS_ERR(status) &&
901             !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
902                 return status;
903         }
904
905         /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
906         names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
907                                  num_sids);
908         if (!names_out) {
909                 return NT_STATUS_NO_MEMORY;
910         }
911
912         for (i=0; i<num_sids; i++) {
913                 names_out[i].sid_type = names[i].sid_type;
914                 names_out[i].name = names[i].name;
915                 names_out[i].sid_index = names[i].sid_index;
916         }
917
918         *r->out.domains = domains;
919         r->out.names->count = num_sids;
920         r->out.names->names = names_out;
921         *r->out.count = mapped_count;
922
923         return status;
924 }
925
926 /***************************************************************************
927  _lsa_LookupSids2
928  ***************************************************************************/
929
930 NTSTATUS _lsa_LookupSids2(pipes_struct *p,
931                           struct lsa_LookupSids2 *r)
932 {
933         NTSTATUS status;
934         struct lsa_info *handle;
935         int num_sids = r->in.sids->num_sids;
936         uint32 mapped_count = 0;
937         struct lsa_RefDomainList *domains = NULL;
938         struct lsa_TranslatedName2 *names = NULL;
939         bool check_policy = true;
940
941         switch (p->hdr_req.opnum) {
942                 case NDR_LSA_LOOKUPSIDS3:
943                         check_policy = false;
944                         break;
945                 case NDR_LSA_LOOKUPSIDS2:
946                 default:
947                         check_policy = true;
948         }
949
950         if ((r->in.level < 1) || (r->in.level > 6)) {
951                 return NT_STATUS_INVALID_PARAMETER;
952         }
953
954         if (check_policy) {
955                 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
956                         return NT_STATUS_INVALID_HANDLE;
957                 }
958
959                 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
960                         return NT_STATUS_INVALID_HANDLE;
961                 }
962
963                 /* check if the user has enough rights */
964                 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
965                         return NT_STATUS_ACCESS_DENIED;
966                 }
967         }
968
969         if (num_sids >  MAX_LOOKUP_SIDS) {
970                 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
971                          MAX_LOOKUP_SIDS, num_sids));
972                 return NT_STATUS_NONE_MAPPED;
973         }
974
975         status = _lsa_lookup_sids_internal(p,
976                                            p->mem_ctx,
977                                            r->in.level,
978                                            num_sids,
979                                            r->in.sids->sids,
980                                            &domains,
981                                            &names,
982                                            &mapped_count);
983
984         *r->out.domains = domains;
985         r->out.names->count = num_sids;
986         r->out.names->names = names;
987         *r->out.count = mapped_count;
988
989         return status;
990 }
991
992 /***************************************************************************
993  _lsa_LookupSids3
994  ***************************************************************************/
995
996 NTSTATUS _lsa_LookupSids3(pipes_struct *p,
997                           struct lsa_LookupSids3 *r)
998 {
999         struct lsa_LookupSids2 q;
1000
1001         /* No policy handle on this call. Restrict to crypto connections. */
1002         if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1003                 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
1004                         get_remote_machine_name() ));
1005                 return NT_STATUS_INVALID_PARAMETER;
1006         }
1007
1008         q.in.handle             = NULL;
1009         q.in.sids               = r->in.sids;
1010         q.in.level              = r->in.level;
1011         q.in.lookup_options     = r->in.lookup_options;
1012         q.in.client_revision    = r->in.client_revision;
1013         q.in.names              = r->in.names;
1014         q.in.count              = r->in.count;
1015
1016         q.out.domains           = r->out.domains;
1017         q.out.names             = r->out.names;
1018         q.out.count             = r->out.count;
1019
1020         return _lsa_LookupSids2(p, &q);
1021 }
1022
1023 /***************************************************************************
1024  ***************************************************************************/
1025
1026 static int lsa_lookup_level_to_flags(uint16 level)
1027 {
1028         int flags;
1029
1030         switch (level) {
1031                 case 1:
1032                         flags = LOOKUP_NAME_ALL;
1033                         break;
1034                 case 2:
1035                         flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1036                         break;
1037                 case 3:
1038                         flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1039                         break;
1040                 case 4:
1041                 case 5:
1042                 case 6:
1043                 default:
1044                         flags = LOOKUP_NAME_NONE;
1045                         break;
1046         }
1047
1048         return flags;
1049 }
1050
1051 /***************************************************************************
1052  _lsa_LookupNames
1053  ***************************************************************************/
1054
1055 NTSTATUS _lsa_LookupNames(pipes_struct *p,
1056                           struct lsa_LookupNames *r)
1057 {
1058         NTSTATUS status = NT_STATUS_NONE_MAPPED;
1059         struct lsa_info *handle;
1060         struct lsa_String *names = r->in.names;
1061         uint32 num_entries = r->in.num_names;
1062         struct lsa_RefDomainList *domains = NULL;
1063         struct lsa_TranslatedSid *rids = NULL;
1064         uint32 mapped_count = 0;
1065         int flags = 0;
1066
1067         if (num_entries >  MAX_LOOKUP_SIDS) {
1068                 num_entries = MAX_LOOKUP_SIDS;
1069                 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1070                         num_entries));
1071         }
1072
1073         flags = lsa_lookup_level_to_flags(r->in.level);
1074
1075         domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1076         if (!domains) {
1077                 return NT_STATUS_NO_MEMORY;
1078         }
1079
1080         if (num_entries) {
1081                 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1082                                          num_entries);
1083                 if (!rids) {
1084                         return NT_STATUS_NO_MEMORY;
1085                 }
1086         } else {
1087                 rids = NULL;
1088         }
1089
1090         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1091                 status = NT_STATUS_INVALID_HANDLE;
1092                 goto done;
1093         }
1094
1095         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1096                 return NT_STATUS_INVALID_HANDLE;
1097         }
1098
1099         /* check if the user has enough rights */
1100         if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1101                 status = NT_STATUS_ACCESS_DENIED;
1102                 goto done;
1103         }
1104
1105         /* set up the LSA Lookup RIDs response */
1106         become_root(); /* lookup_name can require root privs */
1107         status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1108                                  names, flags, &mapped_count);
1109         unbecome_root();
1110
1111 done:
1112
1113         if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1114                 if (mapped_count == 0) {
1115                         status = NT_STATUS_NONE_MAPPED;
1116                 } else if (mapped_count != num_entries) {
1117                         status = STATUS_SOME_UNMAPPED;
1118                 }
1119         }
1120
1121         *r->out.count = mapped_count;
1122         *r->out.domains = domains;
1123         r->out.sids->sids = rids;
1124         r->out.sids->count = num_entries;
1125
1126         return status;
1127 }
1128
1129 /***************************************************************************
1130  _lsa_LookupNames2
1131  ***************************************************************************/
1132
1133 NTSTATUS _lsa_LookupNames2(pipes_struct *p,
1134                            struct lsa_LookupNames2 *r)
1135 {
1136         NTSTATUS status;
1137         struct lsa_LookupNames q;
1138         struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1139         struct lsa_TransSidArray *sid_array = NULL;
1140         uint32_t i;
1141
1142         sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1143         if (!sid_array) {
1144                 return NT_STATUS_NO_MEMORY;
1145         }
1146
1147         q.in.handle             = r->in.handle;
1148         q.in.num_names          = r->in.num_names;
1149         q.in.names              = r->in.names;
1150         q.in.level              = r->in.level;
1151         q.in.sids               = sid_array;
1152         q.in.count              = r->in.count;
1153         /* we do not know what this is for */
1154         /*                      = r->in.unknown1; */
1155         /*                      = r->in.unknown2; */
1156
1157         q.out.domains           = r->out.domains;
1158         q.out.sids              = sid_array;
1159         q.out.count             = r->out.count;
1160
1161         status = _lsa_LookupNames(p, &q);
1162
1163         sid_array2->count = sid_array->count;
1164         sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1165         if (!sid_array2->sids) {
1166                 return NT_STATUS_NO_MEMORY;
1167         }
1168
1169         for (i=0; i<sid_array->count; i++) {
1170                 sid_array2->sids[i].sid_type  = sid_array->sids[i].sid_type;
1171                 sid_array2->sids[i].rid       = sid_array->sids[i].rid;
1172                 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1173                 sid_array2->sids[i].unknown   = 0;
1174         }
1175
1176         r->out.sids = sid_array2;
1177
1178         return status;
1179 }
1180
1181 /***************************************************************************
1182  _lsa_LookupNames3
1183  ***************************************************************************/
1184
1185 NTSTATUS _lsa_LookupNames3(pipes_struct *p,
1186                            struct lsa_LookupNames3 *r)
1187 {
1188         NTSTATUS status;
1189         struct lsa_info *handle;
1190         struct lsa_String *names = r->in.names;
1191         uint32 num_entries = r->in.num_names;
1192         struct lsa_RefDomainList *domains = NULL;
1193         struct lsa_TranslatedSid3 *trans_sids = NULL;
1194         uint32 mapped_count = 0;
1195         int flags = 0;
1196         bool check_policy = true;
1197
1198         switch (p->hdr_req.opnum) {
1199                 case NDR_LSA_LOOKUPNAMES4:
1200                         check_policy = false;
1201                         break;
1202                 case NDR_LSA_LOOKUPNAMES3:
1203                 default:
1204                         check_policy = true;
1205         }
1206
1207         if (num_entries >  MAX_LOOKUP_SIDS) {
1208                 num_entries = MAX_LOOKUP_SIDS;
1209                 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1210         }
1211
1212         /* Probably the lookup_level is some sort of bitmask. */
1213         if (r->in.level == 1) {
1214                 flags = LOOKUP_NAME_ALL;
1215         }
1216
1217         domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1218         if (!domains) {
1219                 return NT_STATUS_NO_MEMORY;
1220         }
1221
1222         if (num_entries) {
1223                 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1224                                                num_entries);
1225                 if (!trans_sids) {
1226                         return NT_STATUS_NO_MEMORY;
1227                 }
1228         } else {
1229                 trans_sids = NULL;
1230         }
1231
1232         if (check_policy) {
1233
1234                 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1235                         status = NT_STATUS_INVALID_HANDLE;
1236                         goto done;
1237                 }
1238
1239                 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1240                         return NT_STATUS_INVALID_HANDLE;
1241                 }
1242
1243                 /* check if the user has enough rights */
1244                 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1245                         status = NT_STATUS_ACCESS_DENIED;
1246                         goto done;
1247                 }
1248         }
1249
1250         /* set up the LSA Lookup SIDs response */
1251         become_root(); /* lookup_name can require root privs */
1252         status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1253                                  names, flags, &mapped_count);
1254         unbecome_root();
1255
1256 done:
1257
1258         if (NT_STATUS_IS_OK(status)) {
1259                 if (mapped_count == 0) {
1260                         status = NT_STATUS_NONE_MAPPED;
1261                 } else if (mapped_count != num_entries) {
1262                         status = STATUS_SOME_UNMAPPED;
1263                 }
1264         }
1265
1266         *r->out.count = mapped_count;
1267         *r->out.domains = domains;
1268         r->out.sids->sids = trans_sids;
1269         r->out.sids->count = num_entries;
1270
1271         return status;
1272 }
1273
1274 /***************************************************************************
1275  _lsa_LookupNames4
1276  ***************************************************************************/
1277
1278 NTSTATUS _lsa_LookupNames4(pipes_struct *p,
1279                            struct lsa_LookupNames4 *r)
1280 {
1281         struct lsa_LookupNames3 q;
1282
1283         /* No policy handle on this call. Restrict to crypto connections. */
1284         if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1285                 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1286                         get_remote_machine_name() ));
1287                 return NT_STATUS_INVALID_PARAMETER;
1288         }
1289
1290         q.in.handle             = NULL;
1291         q.in.num_names          = r->in.num_names;
1292         q.in.names              = r->in.names;
1293         q.in.level              = r->in.level;
1294         q.in.lookup_options     = r->in.lookup_options;
1295         q.in.client_revision    = r->in.client_revision;
1296         q.in.sids               = r->in.sids;
1297         q.in.count              = r->in.count;
1298
1299         q.out.domains           = r->out.domains;
1300         q.out.sids              = r->out.sids;
1301         q.out.count             = r->out.count;
1302
1303         return _lsa_LookupNames3(p, &q);
1304 }
1305
1306 /***************************************************************************
1307  _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1308  ***************************************************************************/
1309
1310 NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
1311 {
1312         if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1313                 return NT_STATUS_INVALID_HANDLE;
1314         }
1315
1316         close_policy_hnd(p, r->in.handle);
1317         ZERO_STRUCTP(r->out.handle);
1318         return NT_STATUS_OK;
1319 }
1320
1321 /***************************************************************************
1322  ***************************************************************************/
1323
1324 NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
1325 {
1326         return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1327 }
1328
1329 /***************************************************************************
1330  ***************************************************************************/
1331
1332 NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
1333 {
1334         return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1335 }
1336
1337 /***************************************************************************
1338  ***************************************************************************/
1339
1340 NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
1341 {
1342         return NT_STATUS_ACCESS_DENIED;
1343 }
1344
1345 /***************************************************************************
1346  ***************************************************************************/
1347
1348 NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
1349 {
1350         return NT_STATUS_ACCESS_DENIED;
1351 }
1352
1353 /***************************************************************************
1354  ***************************************************************************/
1355
1356 NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
1357 {
1358         return NT_STATUS_ACCESS_DENIED;
1359 }
1360
1361 /***************************************************************************
1362  _lsa_DeleteObject
1363  ***************************************************************************/
1364
1365 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
1366                            struct lsa_DeleteObject *r)
1367 {
1368         NTSTATUS status;
1369         struct lsa_info *info = NULL;
1370
1371         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1372                 return NT_STATUS_INVALID_HANDLE;
1373         }
1374
1375         if (!(info->access & STD_RIGHT_DELETE_ACCESS)) {
1376                 return NT_STATUS_ACCESS_DENIED;
1377         }
1378
1379         switch (info->type) {
1380         case LSA_HANDLE_ACCOUNT_TYPE:
1381                 status = privilege_delete_account(&info->sid);
1382                 if (!NT_STATUS_IS_OK(status)) {
1383                         DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1384                                 nt_errstr(status)));
1385                         return status;
1386                 }
1387                 break;
1388         default:
1389                 return NT_STATUS_INVALID_HANDLE;
1390         }
1391
1392         close_policy_hnd(p, r->in.handle);
1393         ZERO_STRUCTP(r->out.handle);
1394
1395         return status;
1396 }
1397
1398 /***************************************************************************
1399  _lsa_EnumPrivs
1400  ***************************************************************************/
1401
1402 NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
1403                         struct lsa_EnumPrivs *r)
1404 {
1405         struct lsa_info *handle;
1406         uint32 i;
1407         uint32 enum_context = *r->in.resume_handle;
1408         int num_privs = count_all_privileges();
1409         struct lsa_PrivEntry *entries = NULL;
1410         LUID_ATTR luid;
1411
1412         /* remember that the enum_context starts at 0 and not 1 */
1413
1414         if ( enum_context >= num_privs )
1415                 return NT_STATUS_NO_MORE_ENTRIES;
1416
1417         DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1418                 enum_context, num_privs));
1419
1420         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1421                 return NT_STATUS_INVALID_HANDLE;
1422
1423         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1424                 return NT_STATUS_INVALID_HANDLE;
1425         }
1426
1427         /* check if the user has enough rights
1428            I don't know if it's the right one. not documented.  */
1429
1430         if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1431                 return NT_STATUS_ACCESS_DENIED;
1432
1433         if (num_privs) {
1434                 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1435                 if (!entries) {
1436                         return NT_STATUS_NO_MEMORY;
1437                 }
1438         } else {
1439                 entries = NULL;
1440         }
1441
1442         for (i = 0; i < num_privs; i++) {
1443                 if( i < enum_context) {
1444
1445                         init_lsa_StringLarge(&entries[i].name, NULL);
1446
1447                         entries[i].luid.low = 0;
1448                         entries[i].luid.high = 0;
1449                 } else {
1450
1451                         init_lsa_StringLarge(&entries[i].name, privs[i].name);
1452
1453                         luid = get_privilege_luid( &privs[i].se_priv );
1454
1455                         entries[i].luid.low = luid.luid.low;
1456                         entries[i].luid.high = luid.luid.high;
1457                 }
1458         }
1459
1460         enum_context = num_privs;
1461
1462         *r->out.resume_handle = enum_context;
1463         r->out.privs->count = num_privs;
1464         r->out.privs->privs = entries;
1465
1466         return NT_STATUS_OK;
1467 }
1468
1469 /***************************************************************************
1470  _lsa_LookupPrivDisplayName
1471  ***************************************************************************/
1472
1473 NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
1474                                     struct lsa_LookupPrivDisplayName *r)
1475 {
1476         struct lsa_info *handle;
1477         const char *description;
1478         struct lsa_StringLarge *lsa_name;
1479
1480         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1481                 return NT_STATUS_INVALID_HANDLE;
1482
1483         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1484                 return NT_STATUS_INVALID_HANDLE;
1485         }
1486
1487         /* check if the user has enough rights */
1488
1489         /*
1490          * I don't know if it's the right one. not documented.
1491          */
1492         if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1493                 return NT_STATUS_ACCESS_DENIED;
1494
1495         DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1496
1497         description = get_privilege_dispname(r->in.name->string);
1498         if (!description) {
1499                 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1500                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1501         }
1502
1503         DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1504
1505         lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1506         if (!lsa_name) {
1507                 return NT_STATUS_NO_MEMORY;
1508         }
1509
1510         init_lsa_StringLarge(lsa_name, description);
1511
1512         *r->out.returned_language_id = r->in.language_id;
1513         *r->out.disp_name = lsa_name;
1514
1515         return NT_STATUS_OK;
1516 }
1517
1518 /***************************************************************************
1519  _lsa_EnumAccounts
1520  ***************************************************************************/
1521
1522 NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
1523                            struct lsa_EnumAccounts *r)
1524 {
1525         struct lsa_info *handle;
1526         DOM_SID *sid_list;
1527         int i, j, num_entries;
1528         NTSTATUS status;
1529         struct lsa_SidPtr *sids = NULL;
1530
1531         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1532                 return NT_STATUS_INVALID_HANDLE;
1533
1534         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1535                 return NT_STATUS_INVALID_HANDLE;
1536         }
1537
1538         if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1539                 return NT_STATUS_ACCESS_DENIED;
1540
1541         sid_list = NULL;
1542         num_entries = 0;
1543
1544         /* The only way we can currently find out all the SIDs that have been
1545            privileged is to scan all privileges */
1546
1547         status = privilege_enumerate_accounts(&sid_list, &num_entries);
1548         if (!NT_STATUS_IS_OK(status)) {
1549                 return status;
1550         }
1551
1552         if (*r->in.resume_handle >= num_entries) {
1553                 return NT_STATUS_NO_MORE_ENTRIES;
1554         }
1555
1556         if (num_entries - *r->in.resume_handle) {
1557                 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1558                                          num_entries - *r->in.resume_handle);
1559                 if (!sids) {
1560                         talloc_free(sid_list);
1561                         return NT_STATUS_NO_MEMORY;
1562                 }
1563
1564                 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1565                         sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1566                         if (!sids[j].sid) {
1567                                 talloc_free(sid_list);
1568                                 return NT_STATUS_NO_MEMORY;
1569                         }
1570                 }
1571         }
1572
1573         talloc_free(sid_list);
1574
1575         *r->out.resume_handle = num_entries;
1576         r->out.sids->num_sids = num_entries;
1577         r->out.sids->sids = sids;
1578
1579         return NT_STATUS_OK;
1580 }
1581
1582 /***************************************************************************
1583  _lsa_GetUserName
1584  ***************************************************************************/
1585
1586 NTSTATUS _lsa_GetUserName(pipes_struct *p,
1587                           struct lsa_GetUserName *r)
1588 {
1589         const char *username, *domname;
1590         struct lsa_String *account_name = NULL;
1591         struct lsa_String *authority_name = NULL;
1592
1593         if (r->in.account_name &&
1594            *r->in.account_name) {
1595                 return NT_STATUS_INVALID_PARAMETER;
1596         }
1597
1598         if (r->in.authority_name &&
1599            *r->in.authority_name) {
1600                 return NT_STATUS_INVALID_PARAMETER;
1601         }
1602
1603         if (p->server_info->guest) {
1604                 /*
1605                  * I'm 99% sure this is not the right place to do this,
1606                  * global_sid_Anonymous should probably be put into the token
1607                  * instead of the guest id -- vl
1608                  */
1609                 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1610                                 &domname, &username, NULL)) {
1611                         return NT_STATUS_NO_MEMORY;
1612                 }
1613         } else {
1614                 username = p->server_info->sanitized_username;
1615                 domname = pdb_get_domain(p->server_info->sam_account);
1616         }
1617
1618         account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1619         if (!account_name) {
1620                 return NT_STATUS_NO_MEMORY;
1621         }
1622         init_lsa_String(account_name, username);
1623
1624         if (r->out.authority_name) {
1625                 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1626                 if (!authority_name) {
1627                         return NT_STATUS_NO_MEMORY;
1628                 }
1629                 init_lsa_String(authority_name, domname);
1630         }
1631
1632         *r->out.account_name = account_name;
1633         if (r->out.authority_name) {
1634                 *r->out.authority_name = authority_name;
1635         }
1636
1637         return NT_STATUS_OK;
1638 }
1639
1640 /***************************************************************************
1641  _lsa_CreateAccount
1642  ***************************************************************************/
1643
1644 NTSTATUS _lsa_CreateAccount(pipes_struct *p,
1645                             struct lsa_CreateAccount *r)
1646 {
1647         NTSTATUS status;
1648         struct lsa_info *handle;
1649         struct lsa_info *info;
1650         uint32_t acc_granted;
1651         struct security_descriptor *psd;
1652         size_t sd_size;
1653
1654         /* find the connection policy handle. */
1655         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1656                 return NT_STATUS_INVALID_HANDLE;
1657
1658         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1659                 return NT_STATUS_INVALID_HANDLE;
1660         }
1661
1662         /* check if the user has enough rights */
1663
1664         if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
1665                 return NT_STATUS_ACCESS_DENIED;
1666         }
1667
1668         /* Work out max allowed. */
1669         map_max_allowed_access(p->server_info->ptok,
1670                                &p->server_info->utok,
1671                                &r->in.access_mask);
1672
1673         /* map the generic bits to the lsa policy ones */
1674         se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1675
1676         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1677                                     &lsa_account_mapping,
1678                                     r->in.sid, LSA_POLICY_ALL_ACCESS);
1679         if (!NT_STATUS_IS_OK(status)) {
1680                 return status;
1681         }
1682
1683         status = access_check_object(psd, p->server_info->ptok,
1684                 NULL, 0, r->in.access_mask,
1685                 &acc_granted, "_lsa_CreateAccount");
1686         if (!NT_STATUS_IS_OK(status)) {
1687                 return status;
1688         }
1689
1690         if ( is_privileged_sid( r->in.sid ) )
1691                 return NT_STATUS_OBJECT_NAME_COLLISION;
1692
1693         /* associate the user/group SID with the (unique) handle. */
1694
1695         info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1696         if (info == NULL) {
1697                 return NT_STATUS_NO_MEMORY;
1698         }
1699
1700         info->sid = *r->in.sid;
1701         info->access = acc_granted;
1702         info->type = LSA_HANDLE_ACCOUNT_TYPE;
1703
1704         /* get a (unique) handle.  open a policy on it. */
1705         if (!create_policy_hnd(p, r->out.acct_handle, info))
1706                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1707
1708         return privilege_create_account( &info->sid );
1709 }
1710
1711 /***************************************************************************
1712  _lsa_OpenAccount
1713  ***************************************************************************/
1714
1715 NTSTATUS _lsa_OpenAccount(pipes_struct *p,
1716                           struct lsa_OpenAccount *r)
1717 {
1718         struct lsa_info *handle;
1719         struct lsa_info *info;
1720         SEC_DESC *psd = NULL;
1721         size_t sd_size;
1722         uint32_t des_access = r->in.access_mask;
1723         uint32_t acc_granted;
1724         NTSTATUS status;
1725
1726         /* find the connection policy handle. */
1727         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1728                 return NT_STATUS_INVALID_HANDLE;
1729
1730         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1731                 return NT_STATUS_INVALID_HANDLE;
1732         }
1733
1734         /* des_access is for the account here, not the policy
1735          * handle - so don't check against policy handle. */
1736
1737         /* Work out max allowed. */
1738         map_max_allowed_access(p->server_info->ptok,
1739                                &p->server_info->utok,
1740                                &des_access);
1741
1742         /* map the generic bits to the lsa account ones */
1743         se_map_generic(&des_access, &lsa_account_mapping);
1744
1745         /* get the generic lsa account SD until we store it */
1746         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1747                                 &lsa_account_mapping,
1748                                 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1749         if (!NT_STATUS_IS_OK(status)) {
1750                 return status;
1751         }
1752
1753         status = access_check_object(psd, p->server_info->ptok,
1754                 NULL, 0, des_access,
1755                 &acc_granted, "_lsa_OpenAccount" );
1756
1757         if (!NT_STATUS_IS_OK(status)) {
1758                 return status;
1759         }
1760
1761         /* TODO: Fis the parsing routine before reenabling this check! */
1762         #if 0
1763         if (!lookup_sid(&handle->sid, dom_name, name, &type))
1764                 return NT_STATUS_ACCESS_DENIED;
1765         #endif
1766         /* associate the user/group SID with the (unique) handle. */
1767         info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1768         if (info == NULL) {
1769                 return NT_STATUS_NO_MEMORY;
1770         }
1771
1772         info->sid = *r->in.sid;
1773         info->access = acc_granted;
1774         info->type = LSA_HANDLE_ACCOUNT_TYPE;
1775
1776         /* get a (unique) handle.  open a policy on it. */
1777         if (!create_policy_hnd(p, r->out.acct_handle, info))
1778                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1779
1780         return NT_STATUS_OK;
1781 }
1782
1783 /***************************************************************************
1784  _lsa_EnumPrivsAccount
1785  For a given SID, enumerate all the privilege this account has.
1786  ***************************************************************************/
1787
1788 NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
1789                                struct lsa_EnumPrivsAccount *r)
1790 {
1791         NTSTATUS status = NT_STATUS_OK;
1792         struct lsa_info *info=NULL;
1793         SE_PRIV mask;
1794         PRIVILEGE_SET privileges;
1795         struct lsa_PrivilegeSet *priv_set = NULL;
1796         struct lsa_LUIDAttribute *luid_attrs = NULL;
1797         int i;
1798
1799         /* find the connection policy handle. */
1800         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1801                 return NT_STATUS_INVALID_HANDLE;
1802
1803         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1804                 return NT_STATUS_INVALID_HANDLE;
1805         }
1806
1807         if (!(info->access & LSA_ACCOUNT_VIEW))
1808                 return NT_STATUS_ACCESS_DENIED;
1809
1810         get_privileges_for_sids(&mask, &info->sid, 1);
1811
1812         privilege_set_init( &privileges );
1813
1814         priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1815         if (!priv_set) {
1816                 status = NT_STATUS_NO_MEMORY;
1817                 goto done;
1818         }
1819
1820         if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1821
1822                 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1823                           sid_string_dbg(&info->sid),
1824                           privileges.count));
1825
1826                 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1827                                                struct lsa_LUIDAttribute,
1828                                                privileges.count);
1829                 if (!luid_attrs) {
1830                         status = NT_STATUS_NO_MEMORY;
1831                         goto done;
1832                 }
1833
1834                 for (i=0; i<privileges.count; i++) {
1835                         luid_attrs[i].luid.low = privileges.set[i].luid.low;
1836                         luid_attrs[i].luid.high = privileges.set[i].luid.high;
1837                         luid_attrs[i].attribute = privileges.set[i].attr;
1838                 }
1839
1840                 priv_set->count = privileges.count;
1841                 priv_set->unknown = 0;
1842                 priv_set->set = luid_attrs;
1843
1844         } else {
1845                 priv_set->count = 0;
1846                 priv_set->unknown = 0;
1847                 priv_set->set = NULL;
1848         }
1849
1850         *r->out.privs = priv_set;
1851
1852  done:
1853         privilege_set_free( &privileges );
1854
1855         return status;
1856 }
1857
1858 /***************************************************************************
1859  _lsa_GetSystemAccessAccount
1860  ***************************************************************************/
1861
1862 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
1863                                      struct lsa_GetSystemAccessAccount *r)
1864 {
1865         NTSTATUS status;
1866         struct lsa_info *info = NULL;
1867         struct lsa_EnumPrivsAccount e;
1868         struct lsa_PrivilegeSet *privset;
1869
1870         /* find the connection policy handle. */
1871
1872         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1873                 return NT_STATUS_INVALID_HANDLE;
1874
1875         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1876                 return NT_STATUS_INVALID_HANDLE;
1877         }
1878
1879         if (!(info->access & LSA_ACCOUNT_VIEW))
1880                 return NT_STATUS_ACCESS_DENIED;
1881
1882         privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1883         if (!privset) {
1884                 return NT_STATUS_NO_MEMORY;
1885         }
1886
1887         e.in.handle = r->in.handle;
1888         e.out.privs = &privset;
1889
1890         status = _lsa_EnumPrivsAccount(p, &e);
1891         if (!NT_STATUS_IS_OK(status)) {
1892                 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1893                         "failed to call _lsa_EnumPrivsAccount(): %s\n",
1894                         nt_errstr(status)));
1895                 return status;
1896         }
1897
1898         /* Samba4 would iterate over the privset to merge the policy mode bits,
1899          * not sure samba3 can do the same here, so just return what we did in
1900          * the past - gd */
1901
1902         /*
1903           0x01 -> Log on locally
1904           0x02 -> Access this computer from network
1905           0x04 -> Log on as a batch job
1906           0x10 -> Log on as a service
1907
1908           they can be ORed together
1909         */
1910
1911         *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1912                               LSA_POLICY_MODE_NETWORK;
1913
1914         return NT_STATUS_OK;
1915 }
1916
1917 /***************************************************************************
1918   update the systemaccount information
1919  ***************************************************************************/
1920
1921 NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
1922                                      struct lsa_SetSystemAccessAccount *r)
1923 {
1924         struct lsa_info *info=NULL;
1925         GROUP_MAP map;
1926
1927         /* find the connection policy handle. */
1928         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1929                 return NT_STATUS_INVALID_HANDLE;
1930
1931         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1932                 return NT_STATUS_INVALID_HANDLE;
1933         }
1934
1935         if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1936                 return NT_STATUS_ACCESS_DENIED;
1937         }
1938
1939         if (!pdb_getgrsid(&map, info->sid))
1940                 return NT_STATUS_NO_SUCH_GROUP;
1941
1942         return pdb_update_group_mapping_entry(&map);
1943 }
1944
1945 /***************************************************************************
1946  _lsa_AddPrivilegesToAccount
1947  For a given SID, add some privileges.
1948  ***************************************************************************/
1949
1950 NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
1951                                      struct lsa_AddPrivilegesToAccount *r)
1952 {
1953         struct lsa_info *info = NULL;
1954         SE_PRIV mask;
1955         struct lsa_PrivilegeSet *set = NULL;
1956
1957         /* find the connection policy handle. */
1958         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1959                 return NT_STATUS_INVALID_HANDLE;
1960
1961         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1962                 return NT_STATUS_INVALID_HANDLE;
1963         }
1964
1965         if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1966                 return NT_STATUS_ACCESS_DENIED;
1967         }
1968
1969         set = r->in.privs;
1970         if ( !privilege_set_to_se_priv( &mask, set ) )
1971                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1972
1973         if ( !grant_privilege( &info->sid, &mask ) ) {
1974                 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1975                          sid_string_dbg(&info->sid) ));
1976                 DEBUG(3,("Privilege mask:\n"));
1977                 dump_se_priv( DBGC_ALL, 3, &mask );
1978                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1979         }
1980
1981         return NT_STATUS_OK;
1982 }
1983
1984 /***************************************************************************
1985  _lsa_RemovePrivilegesFromAccount
1986  For a given SID, remove some privileges.
1987  ***************************************************************************/
1988
1989 NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
1990                                           struct lsa_RemovePrivilegesFromAccount *r)
1991 {
1992         struct lsa_info *info = NULL;
1993         SE_PRIV mask;
1994         struct lsa_PrivilegeSet *set = NULL;
1995
1996         /* find the connection policy handle. */
1997         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1998                 return NT_STATUS_INVALID_HANDLE;
1999
2000         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2001                 return NT_STATUS_INVALID_HANDLE;
2002         }
2003
2004         if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2005                 return NT_STATUS_ACCESS_DENIED;
2006         }
2007
2008         set = r->in.privs;
2009
2010         if ( !privilege_set_to_se_priv( &mask, set ) )
2011                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2012
2013         if ( !revoke_privilege( &info->sid, &mask ) ) {
2014                 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2015                          sid_string_dbg(&info->sid) ));
2016                 DEBUG(3,("Privilege mask:\n"));
2017                 dump_se_priv( DBGC_ALL, 3, &mask );
2018                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2019         }
2020
2021         return NT_STATUS_OK;
2022 }
2023
2024 /***************************************************************************
2025  _lsa_LookupPrivName
2026  ***************************************************************************/
2027
2028 NTSTATUS _lsa_LookupPrivName(pipes_struct *p,
2029                              struct lsa_LookupPrivName *r)
2030 {
2031         struct lsa_info *info = NULL;
2032         const char *name;
2033         struct lsa_StringLarge *lsa_name;
2034
2035         /* find the connection policy handle. */
2036         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2037                 return NT_STATUS_INVALID_HANDLE;
2038         }
2039
2040         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2041                 return NT_STATUS_INVALID_HANDLE;
2042         }
2043
2044         if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2045                 return NT_STATUS_ACCESS_DENIED;
2046         }
2047
2048         name = luid_to_privilege_name((LUID *)r->in.luid);
2049         if (!name) {
2050                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2051         }
2052
2053         lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2054         if (!lsa_name) {
2055                 return NT_STATUS_NO_MEMORY;
2056         }
2057
2058         lsa_name->string = talloc_strdup(lsa_name, name);
2059         if (!lsa_name->string) {
2060                 TALLOC_FREE(lsa_name);
2061                 return NT_STATUS_NO_MEMORY;
2062         }
2063
2064         *r->out.name = lsa_name;
2065
2066         return NT_STATUS_OK;
2067 }
2068
2069 /***************************************************************************
2070  _lsa_QuerySecurity
2071  ***************************************************************************/
2072
2073 NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
2074                             struct lsa_QuerySecurity *r)
2075 {
2076         struct lsa_info *handle=NULL;
2077         SEC_DESC *psd = NULL;
2078         size_t sd_size;
2079         NTSTATUS status;
2080
2081         /* find the connection policy handle. */
2082         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2083                 return NT_STATUS_INVALID_HANDLE;
2084
2085         if (handle->type == LSA_HANDLE_POLICY_TYPE) {
2086                 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2087                                 &lsa_policy_mapping, NULL, 0);
2088         } else if (handle->type == LSA_HANDLE_ACCOUNT_TYPE) {
2089                 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2090                                 &lsa_account_mapping,
2091                                 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2092         } else {
2093                 status = NT_STATUS_INVALID_HANDLE;
2094         }
2095
2096         if (!NT_STATUS_IS_OK(status)) {
2097                 return status;
2098         }
2099
2100         *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2101         if (!*r->out.sdbuf) {
2102                 return NT_STATUS_NO_MEMORY;
2103         }
2104
2105         return status;
2106 }
2107
2108 /***************************************************************************
2109  _lsa_AddAccountRights
2110  ***************************************************************************/
2111
2112 NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
2113                                struct lsa_AddAccountRights *r)
2114 {
2115         struct lsa_info *info = NULL;
2116         int i = 0;
2117         uint32_t acc_granted = 0;
2118         SEC_DESC *psd = NULL;
2119         size_t sd_size;
2120         DOM_SID sid;
2121         NTSTATUS status;
2122
2123         /* find the connection policy handle. */
2124         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2125                 return NT_STATUS_INVALID_HANDLE;
2126
2127         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2128                 return NT_STATUS_INVALID_HANDLE;
2129         }
2130
2131         /* get the generic lsa account SD for this SID until we store it */
2132         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2133                                 &lsa_account_mapping,
2134                                 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2135         if (!NT_STATUS_IS_OK(status)) {
2136                 return status;
2137         }
2138
2139         /*
2140          * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2141          * on the policy handle. If it does, ask for
2142          * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2143          * on the account sid. We don't check here so just use the latter. JRA.
2144          */
2145
2146         status = access_check_object(psd, p->server_info->ptok,
2147                 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2148                 &acc_granted, "_lsa_AddAccountRights" );
2149
2150         if (!NT_STATUS_IS_OK(status)) {
2151                 return status;
2152         }
2153
2154         /* according to an NT4 PDC, you can add privileges to SIDs even without
2155            call_lsa_create_account() first.  And you can use any arbitrary SID. */
2156
2157         sid_copy( &sid, r->in.sid );
2158
2159         for ( i=0; i < r->in.rights->count; i++ ) {
2160
2161                 const char *privname = r->in.rights->names[i].string;
2162
2163                 /* only try to add non-null strings */
2164
2165                 if ( !privname )
2166                         continue;
2167
2168                 if ( !grant_privilege_by_name( &sid, privname ) ) {
2169                         DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2170                                 privname ));
2171                         return NT_STATUS_NO_SUCH_PRIVILEGE;
2172                 }
2173         }
2174
2175         return NT_STATUS_OK;
2176 }
2177
2178 /***************************************************************************
2179  _lsa_RemoveAccountRights
2180  ***************************************************************************/
2181
2182 NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
2183                                   struct lsa_RemoveAccountRights *r)
2184 {
2185         struct lsa_info *info = NULL;
2186         int i = 0;
2187         SEC_DESC *psd = NULL;
2188         size_t sd_size;
2189         DOM_SID sid;
2190         const char *privname = NULL;
2191         uint32_t acc_granted = 0;
2192         NTSTATUS status;
2193
2194         /* find the connection policy handle. */
2195         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2196                 return NT_STATUS_INVALID_HANDLE;
2197
2198         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2199                 return NT_STATUS_INVALID_HANDLE;
2200         }
2201
2202         /* get the generic lsa account SD for this SID until we store it */
2203         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2204                                 &lsa_account_mapping,
2205                                 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2206         if (!NT_STATUS_IS_OK(status)) {
2207                 return status;
2208         }
2209
2210         /*
2211          * From the MS DOCs. We need
2212          * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2213          * and DELETE on the account sid.
2214          */
2215
2216         status = access_check_object(psd, p->server_info->ptok,
2217                 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2218                         LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
2219                 &acc_granted, "_lsa_AddAccountRights" );
2220
2221         if (!NT_STATUS_IS_OK(status)) {
2222                 return status;
2223         }
2224
2225         sid_copy( &sid, r->in.sid );
2226
2227         if ( r->in.remove_all ) {
2228                 if ( !revoke_all_privileges( &sid ) )
2229                         return NT_STATUS_ACCESS_DENIED;
2230
2231                 return NT_STATUS_OK;
2232         }
2233
2234         for ( i=0; i < r->in.rights->count; i++ ) {
2235
2236                 privname = r->in.rights->names[i].string;
2237
2238                 /* only try to add non-null strings */
2239
2240                 if ( !privname )
2241                         continue;
2242
2243                 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2244                         DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2245                                 privname ));
2246                         return NT_STATUS_NO_SUCH_PRIVILEGE;
2247                 }
2248         }
2249
2250         return NT_STATUS_OK;
2251 }
2252
2253 /*******************************************************************
2254 ********************************************************************/
2255
2256 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2257                                    struct lsa_RightSet *r,
2258                                    PRIVILEGE_SET *privileges)
2259 {
2260         uint32 i;
2261         const char *privname;
2262         const char **privname_array = NULL;
2263         int num_priv = 0;
2264
2265         for (i=0; i<privileges->count; i++) {
2266
2267                 privname = luid_to_privilege_name(&privileges->set[i].luid);
2268                 if (privname) {
2269                         if (!add_string_to_array(mem_ctx, privname,
2270                                                  &privname_array, &num_priv)) {
2271                                 return NT_STATUS_NO_MEMORY;
2272                         }
2273                 }
2274         }
2275
2276         if (num_priv) {
2277
2278                 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2279                                              num_priv);
2280                 if (!r->names) {
2281                         return NT_STATUS_NO_MEMORY;
2282                 }
2283
2284                 for (i=0; i<num_priv; i++) {
2285                         init_lsa_StringLarge(&r->names[i], privname_array[i]);
2286                 }
2287
2288                 r->count = num_priv;
2289         }
2290
2291         return NT_STATUS_OK;
2292 }
2293
2294 /***************************************************************************
2295  _lsa_EnumAccountRights
2296  ***************************************************************************/
2297
2298 NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
2299                                 struct lsa_EnumAccountRights *r)
2300 {
2301         NTSTATUS status;
2302         struct lsa_info *info = NULL;
2303         DOM_SID sid;
2304         PRIVILEGE_SET privileges;
2305         SE_PRIV mask;
2306
2307         /* find the connection policy handle. */
2308
2309         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2310                 return NT_STATUS_INVALID_HANDLE;
2311
2312         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2313                 return NT_STATUS_INVALID_HANDLE;
2314         }
2315
2316         if (!(info->access & LSA_ACCOUNT_VIEW)) {
2317                 return NT_STATUS_ACCESS_DENIED;
2318         }
2319
2320         /* according to an NT4 PDC, you can add privileges to SIDs even without
2321            call_lsa_create_account() first.  And you can use any arbitrary SID. */
2322
2323         sid_copy( &sid, r->in.sid );
2324
2325         /* according to MS-LSAD 3.1.4.5.10 it is required to return
2326          * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2327          * the lsa database */
2328
2329         if (!get_privileges_for_sids(&mask, &sid, 1)) {
2330                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2331         }
2332
2333         status = privilege_set_init(&privileges);
2334         if (!NT_STATUS_IS_OK(status)) {
2335                 return status;
2336         }
2337
2338         se_priv_to_privilege_set(&privileges, &mask);
2339
2340         DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2341                   sid_string_dbg(&sid), privileges.count));
2342
2343         status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2344
2345         privilege_set_free( &privileges );
2346
2347         return status;
2348 }
2349
2350 /***************************************************************************
2351  _lsa_LookupPrivValue
2352  ***************************************************************************/
2353
2354 NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
2355                               struct lsa_LookupPrivValue *r)
2356 {
2357         struct lsa_info *info = NULL;
2358         const char *name = NULL;
2359         LUID_ATTR priv_luid;
2360         SE_PRIV mask;
2361
2362         /* find the connection policy handle. */
2363
2364         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2365                 return NT_STATUS_INVALID_HANDLE;
2366
2367         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2368                 return NT_STATUS_INVALID_HANDLE;
2369         }
2370
2371         if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2372                 return NT_STATUS_ACCESS_DENIED;
2373
2374         name = r->in.name->string;
2375
2376         DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2377
2378         if ( !se_priv_from_name( name, &mask ) )
2379                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2380
2381         priv_luid = get_privilege_luid( &mask );
2382
2383         r->out.luid->low = priv_luid.luid.low;
2384         r->out.luid->high = priv_luid.luid.high;
2385
2386         return NT_STATUS_OK;
2387 }
2388
2389 /***************************************************************************
2390  _lsa_EnumAccountsWithUserRight
2391  ***************************************************************************/
2392
2393 NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p,
2394                                         struct lsa_EnumAccountsWithUserRight *r)
2395 {
2396         NTSTATUS status;
2397         struct lsa_info *info = NULL;
2398         struct dom_sid *sids = NULL;
2399         int num_sids = 0;
2400         uint32_t i;
2401         SE_PRIV mask;
2402
2403         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2404                 return NT_STATUS_INVALID_HANDLE;
2405         }
2406
2407         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2408                 return NT_STATUS_INVALID_HANDLE;
2409         }
2410
2411         if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2412                 return NT_STATUS_ACCESS_DENIED;
2413         }
2414
2415         if (!r->in.name || !r->in.name->string) {
2416                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2417         }
2418
2419         if (!se_priv_from_name(r->in.name->string, &mask)) {
2420                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2421         }
2422
2423         status = privilege_enum_sids(&mask, p->mem_ctx,
2424                                      &sids, &num_sids);
2425         if (!NT_STATUS_IS_OK(status)) {
2426                 return status;
2427         }
2428
2429         r->out.sids->num_sids = num_sids;
2430         r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2431                                          r->out.sids->num_sids);
2432
2433         for (i=0; i < r->out.sids->num_sids; i++) {
2434                 r->out.sids->sids[i].sid = sid_dup_talloc(r->out.sids->sids,
2435                                                           &sids[i]);
2436                 if (!r->out.sids->sids[i].sid) {
2437                         TALLOC_FREE(r->out.sids->sids);
2438                         r->out.sids->num_sids = 0;
2439                         return NT_STATUS_NO_MEMORY;
2440                 }
2441         }
2442
2443         return NT_STATUS_OK;
2444 }
2445
2446 /***************************************************************************
2447  _lsa_Delete
2448  ***************************************************************************/
2449
2450 NTSTATUS _lsa_Delete(pipes_struct *p,
2451                      struct lsa_Delete *r)
2452 {
2453         return NT_STATUS_NOT_SUPPORTED;
2454 }
2455
2456 /*
2457  * From here on the server routines are just dummy ones to make smbd link with
2458  * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2459  * pulling the server stubs across one by one.
2460  */
2461
2462 NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
2463 {
2464         p->rng_fault_state = True;
2465         return NT_STATUS_NOT_IMPLEMENTED;
2466 }
2467
2468 NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
2469 {
2470         p->rng_fault_state = True;
2471         return NT_STATUS_NOT_IMPLEMENTED;
2472 }
2473
2474 NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
2475 {
2476         p->rng_fault_state = True;
2477         return NT_STATUS_NOT_IMPLEMENTED;
2478 }
2479
2480 NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
2481 {
2482         p->rng_fault_state = True;
2483         return NT_STATUS_NOT_IMPLEMENTED;
2484 }
2485
2486 NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
2487 {
2488         p->rng_fault_state = True;
2489         return NT_STATUS_NOT_IMPLEMENTED;
2490 }
2491
2492 NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
2493 {
2494         p->rng_fault_state = True;
2495         return NT_STATUS_NOT_IMPLEMENTED;
2496 }
2497
2498 NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
2499 {
2500         p->rng_fault_state = True;
2501         return NT_STATUS_NOT_IMPLEMENTED;
2502 }
2503
2504 NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
2505 {
2506         p->rng_fault_state = True;
2507         return NT_STATUS_NOT_IMPLEMENTED;
2508 }
2509
2510 NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
2511 {
2512         p->rng_fault_state = True;
2513         return NT_STATUS_NOT_IMPLEMENTED;
2514 }
2515
2516 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
2517 {
2518         p->rng_fault_state = True;
2519         return NT_STATUS_NOT_IMPLEMENTED;
2520 }
2521
2522 NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
2523 {
2524         p->rng_fault_state = True;
2525         return NT_STATUS_NOT_IMPLEMENTED;
2526 }
2527
2528 NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
2529 {
2530         p->rng_fault_state = True;
2531         return NT_STATUS_NOT_IMPLEMENTED;
2532 }
2533
2534 NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
2535 {
2536         p->rng_fault_state = True;
2537         return NT_STATUS_NOT_IMPLEMENTED;
2538 }
2539
2540 NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
2541 {
2542         p->rng_fault_state = True;
2543         return NT_STATUS_NOT_IMPLEMENTED;
2544 }
2545
2546 NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
2547 {
2548         p->rng_fault_state = True;
2549         return NT_STATUS_NOT_IMPLEMENTED;
2550 }
2551
2552 NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
2553 {
2554         p->rng_fault_state = True;
2555         return NT_STATUS_NOT_IMPLEMENTED;
2556 }
2557
2558 NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
2559 {
2560         p->rng_fault_state = True;
2561         return NT_STATUS_NOT_IMPLEMENTED;
2562 }
2563
2564 NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
2565 {
2566         p->rng_fault_state = True;
2567         return NT_STATUS_NOT_IMPLEMENTED;
2568 }
2569
2570 NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
2571 {
2572         p->rng_fault_state = True;
2573         return NT_STATUS_NOT_IMPLEMENTED;
2574 }
2575
2576 NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
2577 {
2578         p->rng_fault_state = True;
2579         return NT_STATUS_NOT_IMPLEMENTED;
2580 }
2581
2582 NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
2583 {
2584         p->rng_fault_state = True;
2585         return NT_STATUS_NOT_IMPLEMENTED;
2586 }
2587
2588 NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
2589 {
2590         p->rng_fault_state = True;
2591         return NT_STATUS_NOT_IMPLEMENTED;
2592 }
2593
2594 NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
2595 {
2596         p->rng_fault_state = True;
2597         return NT_STATUS_NOT_IMPLEMENTED;
2598 }
2599
2600 NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
2601 {
2602         p->rng_fault_state = True;
2603         return NT_STATUS_NOT_IMPLEMENTED;
2604 }
2605
2606 NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
2607 {
2608         p->rng_fault_state = True;
2609         return NT_STATUS_NOT_IMPLEMENTED;
2610 }
2611
2612 NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
2613 {
2614         p->rng_fault_state = True;
2615         return NT_STATUS_NOT_IMPLEMENTED;
2616 }
2617
2618 NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
2619 {
2620         p->rng_fault_state = True;
2621         return NT_STATUS_NOT_IMPLEMENTED;
2622 }
2623
2624 NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2625 {
2626         p->rng_fault_state = True;
2627         return NT_STATUS_NOT_IMPLEMENTED;
2628 }
2629
2630 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2631 {
2632         p->rng_fault_state = True;
2633         return NT_STATUS_NOT_IMPLEMENTED;
2634 }
2635
2636 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2637 {
2638         p->rng_fault_state = True;
2639         return NT_STATUS_NOT_IMPLEMENTED;
2640 }
2641
2642 NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
2643 {
2644         p->rng_fault_state = True;
2645         return NT_STATUS_NOT_IMPLEMENTED;
2646 }
2647
2648 NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
2649 {
2650         p->rng_fault_state = True;
2651         return NT_STATUS_NOT_IMPLEMENTED;
2652 }
2653
2654 NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
2655 {
2656         p->rng_fault_state = True;
2657         return NT_STATUS_NOT_IMPLEMENTED;
2658 }
2659
2660 NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
2661 {
2662         p->rng_fault_state = True;
2663         return NT_STATUS_NOT_IMPLEMENTED;
2664 }
2665
2666 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
2667 {
2668         p->rng_fault_state = True;
2669         return NT_STATUS_NOT_IMPLEMENTED;
2670 }
2671
2672 NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
2673 {
2674         p->rng_fault_state = True;
2675         return NT_STATUS_NOT_IMPLEMENTED;
2676 }
2677
2678 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
2679 {
2680         p->rng_fault_state = True;
2681         return NT_STATUS_NOT_IMPLEMENTED;
2682 }
2683
2684 NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
2685 {
2686         p->rng_fault_state = True;
2687         return NT_STATUS_NOT_IMPLEMENTED;
2688 }
2689
2690 NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2691 {
2692         p->rng_fault_state = True;
2693         return NT_STATUS_NOT_IMPLEMENTED;
2694 }
2695
2696 NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
2697 {
2698         p->rng_fault_state = True;
2699         return NT_STATUS_NOT_IMPLEMENTED;
2700 }
2701
2702 NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
2703 {
2704         p->rng_fault_state = True;
2705         return NT_STATUS_NOT_IMPLEMENTED;
2706 }
2707
2708 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2709 {
2710         p->rng_fault_state = True;
2711         return NT_STATUS_NOT_IMPLEMENTED;
2712 }
2713
2714 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2715 {
2716         p->rng_fault_state = True;
2717         return NT_STATUS_NOT_IMPLEMENTED;
2718 }
2719
2720 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
2721 {
2722         p->rng_fault_state = True;
2723         return NT_STATUS_NOT_IMPLEMENTED;
2724 }