a3a1218956efc4fb29334f00e7df706a1dd9ae0c
[ira/wip.git] / source3 / rpc_server / srv_lsa_nt.c
1 /*
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Copyright (C) Andrew Tridgell              1992-1997,
5  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6  *  Copyright (C) Paul Ashton                       1997,
7  *  Copyright (C) Jeremy Allison                    2001, 2006.
8  *  Copyright (C) Rafal Szczesniak                  2002,
9  *  Copyright (C) Jim McDonough <jmcd@us.ibm.com>   2002,
10  *  Copyright (C) Simo Sorce                        2003.
11  *  Copyright (C) Gerald (Jerry) Carter             2005.
12  *  Copyright (C) Volker Lendecke                   2005.
13  *  Copyright (C) Guenther Deschner                 2008.
14  *
15  *  This program is free software; you can redistribute it and/or modify
16  *  it under the terms of the GNU General Public License as published by
17  *  the Free Software Foundation; either version 3 of the License, or
18  *  (at your option) any later version.
19  *
20  *  This program is distributed in the hope that it will be useful,
21  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
22  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
23  *  GNU General Public License for more details.
24  *
25  *  You should have received a copy of the GNU General Public License
26  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
27  */
28
29 /* This is the implementation of the lsa server code. */
30
31 #include "includes.h"
32
33 #undef DBGC_CLASS
34 #define DBGC_CLASS DBGC_RPC_SRV
35
36 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
37
38 extern PRIVS privs[];
39
40 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
41
42 struct lsa_info {
43         DOM_SID sid;
44         uint32 access;
45         enum lsa_handle_type type;
46 };
47
48 const struct generic_mapping lsa_account_mapping = {
49         LSA_ACCOUNT_READ,
50         LSA_ACCOUNT_WRITE,
51         LSA_ACCOUNT_EXECUTE,
52         LSA_ACCOUNT_ALL_ACCESS
53 };
54
55 const struct generic_mapping lsa_policy_mapping = {
56         LSA_POLICY_READ,
57         LSA_POLICY_WRITE,
58         LSA_POLICY_EXECUTE,
59         LSA_POLICY_ALL_ACCESS
60 };
61
62 /***************************************************************************
63  init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
64 ***************************************************************************/
65
66 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
67                                     struct lsa_RefDomainList *ref,
68                                     const char *dom_name,
69                                     DOM_SID *dom_sid)
70 {
71         int num = 0;
72
73         if (dom_name != NULL) {
74                 for (num = 0; num < ref->count; num++) {
75                         if (sid_equal(dom_sid, ref->domains[num].sid)) {
76                                 return num;
77                         }
78                 }
79         } else {
80                 num = ref->count;
81         }
82
83         if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
84                 /* index not found, already at maximum domain limit */
85                 return -1;
86         }
87
88         ref->count = num + 1;
89         ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
90
91         ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
92                                             struct lsa_DomainInfo, ref->count);
93         if (!ref->domains) {
94                 return -1;
95         }
96
97         ZERO_STRUCT(ref->domains[num]);
98
99         init_lsa_StringLarge(&ref->domains[num].name, dom_name);
100         ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
101         if (!ref->domains[num].sid) {
102                 return -1;
103         }
104
105         return num;
106 }
107
108
109 /***************************************************************************
110  initialize a lsa_DomainInfo structure.
111  ***************************************************************************/
112
113 static void init_dom_query_3(struct lsa_DomainInfo *r,
114                              const char *name,
115                              DOM_SID *sid)
116 {
117         init_lsa_StringLarge(&r->name, name);
118         r->sid = sid;
119 }
120
121 /***************************************************************************
122  initialize a lsa_DomainInfo structure.
123  ***************************************************************************/
124
125 static void init_dom_query_5(struct lsa_DomainInfo *r,
126                              const char *name,
127                              DOM_SID *sid)
128 {
129         init_lsa_StringLarge(&r->name, name);
130         r->sid = sid;
131 }
132
133 /***************************************************************************
134  lookup_lsa_rids. Must be called as root for lookup_name to work.
135  ***************************************************************************/
136
137 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
138                                 struct lsa_RefDomainList *ref,
139                                 struct lsa_TranslatedSid *prid,
140                                 uint32_t num_entries,
141                                 struct lsa_String *name,
142                                 int flags,
143                                 uint32_t *pmapped_count)
144 {
145         uint32 mapped_count, i;
146
147         SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
148
149         mapped_count = 0;
150         *pmapped_count = 0;
151
152         for (i = 0; i < num_entries; i++) {
153                 DOM_SID sid;
154                 uint32 rid;
155                 int dom_idx;
156                 const char *full_name;
157                 const char *domain;
158                 enum lsa_SidType type = SID_NAME_UNKNOWN;
159
160                 /* Split name into domain and user component */
161
162                 full_name = name[i].string;
163                 if (full_name == NULL) {
164                         prid[i].sid_type        = type;
165                         prid[i].rid             = 0;
166                         prid[i].sid_index       = (uint32_t)-1;
167                         continue;
168                 }
169
170                 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
171
172                 /* We can ignore the result of lookup_name, it will not touch
173                    "type" if it's not successful */
174
175                 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
176                             &sid, &type);
177
178                 switch (type) {
179                 case SID_NAME_USER:
180                 case SID_NAME_DOM_GRP:
181                 case SID_NAME_DOMAIN:
182                 case SID_NAME_ALIAS:
183                 case SID_NAME_WKN_GRP:
184                         DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
185                         /* Leave these unchanged */
186                         break;
187                 default:
188                         /* Don't hand out anything but the list above */
189                         DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
190                         type = SID_NAME_UNKNOWN;
191                         break;
192                 }
193
194                 rid = 0;
195                 dom_idx = -1;
196
197                 if (type != SID_NAME_UNKNOWN) {
198                         if (type == SID_NAME_DOMAIN) {
199                                 rid = (uint32_t)-1;
200                         } else {
201                                 sid_split_rid(&sid, &rid);
202                         }
203                         dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
204                         mapped_count++;
205                 }
206
207                 prid[i].sid_type        = type;
208                 prid[i].rid             = rid;
209                 prid[i].sid_index       = dom_idx;
210         }
211
212         *pmapped_count = mapped_count;
213         return NT_STATUS_OK;
214 }
215
216 /***************************************************************************
217  lookup_lsa_sids. Must be called as root for lookup_name to work.
218  ***************************************************************************/
219
220 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
221                                 struct lsa_RefDomainList *ref,
222                                 struct lsa_TranslatedSid3 *trans_sids,
223                                 uint32_t num_entries,
224                                 struct lsa_String *name,
225                                 int flags,
226                                 uint32 *pmapped_count)
227 {
228         uint32 mapped_count, i;
229
230         SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
231
232         mapped_count = 0;
233         *pmapped_count = 0;
234
235         for (i = 0; i < num_entries; i++) {
236                 DOM_SID sid;
237                 uint32 rid;
238                 int dom_idx;
239                 const char *full_name;
240                 const char *domain;
241                 enum lsa_SidType type = SID_NAME_UNKNOWN;
242
243                 ZERO_STRUCT(sid);
244
245                 /* Split name into domain and user component */
246
247                 full_name = name[i].string;
248                 if (full_name == NULL) {
249                         return NT_STATUS_NO_MEMORY;
250                 }
251
252                 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
253
254                 /* We can ignore the result of lookup_name, it will not touch
255                    "type" if it's not successful */
256
257                 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
258                             &sid, &type);
259
260                 switch (type) {
261                 case SID_NAME_USER:
262                 case SID_NAME_DOM_GRP:
263                 case SID_NAME_DOMAIN:
264                 case SID_NAME_ALIAS:
265                 case SID_NAME_WKN_GRP:
266                         DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
267                         /* Leave these unchanged */
268                         break;
269                 default:
270                         /* Don't hand out anything but the list above */
271                         DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
272                         type = SID_NAME_UNKNOWN;
273                         break;
274                 }
275
276                 rid = 0;
277                 dom_idx = -1;
278
279                 if (type != SID_NAME_UNKNOWN) {
280                         DOM_SID domain_sid;
281                         sid_copy(&domain_sid, &sid);
282                         sid_split_rid(&domain_sid, &rid);
283                         dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
284                         mapped_count++;
285                 }
286
287                 /* Initialize the lsa_TranslatedSid3 return. */
288                 trans_sids[i].sid_type = type;
289                 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
290                 trans_sids[i].sid_index = dom_idx;
291         }
292
293         *pmapped_count = mapped_count;
294         return NT_STATUS_OK;
295 }
296
297 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size,
298                                         const struct generic_mapping *map,
299                                         DOM_SID *sid, uint32_t sid_access)
300 {
301         DOM_SID adm_sid;
302         SEC_ACE ace[5];
303         size_t i = 0;
304
305         SEC_ACL *psa = NULL;
306
307         /* READ|EXECUTE access for Everyone */
308
309         init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
310                         map->generic_execute | map->generic_read, 0);
311
312         /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
313
314         init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
315                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
316         init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
317                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
318
319         /* Add Full Access for Domain Admins */
320         sid_copy(&adm_sid, get_global_sam_sid());
321         sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
322         init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
323                         map->generic_all, 0);
324
325         /* If we have a sid, give it some special access */
326
327         if (sid) {
328                 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
329                         sid_access, 0);
330         }
331
332         if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
333                 return NT_STATUS_NO_MEMORY;
334
335         if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
336                                 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
337                                 psa, sd_size)) == NULL)
338                 return NT_STATUS_NO_MEMORY;
339
340         return NT_STATUS_OK;
341 }
342
343
344 /***************************************************************************
345  _lsa_OpenPolicy2
346  ***************************************************************************/
347
348 NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
349                           struct lsa_OpenPolicy2 *r)
350 {
351         struct lsa_info *info;
352         SEC_DESC *psd = NULL;
353         size_t sd_size;
354         uint32 des_access = r->in.access_mask;
355         uint32 acc_granted;
356         NTSTATUS status;
357
358         /* Work out max allowed. */
359         map_max_allowed_access(p->server_info->ptok,
360                                &p->server_info->utok,
361                                &des_access);
362
363         /* map the generic bits to the lsa policy ones */
364         se_map_generic(&des_access, &lsa_policy_mapping);
365
366         /* get the generic lsa policy SD until we store it */
367         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
368                         NULL, 0);
369         if (!NT_STATUS_IS_OK(status)) {
370                 return status;
371         }
372
373         status = access_check_object(psd, p->server_info->ptok,
374                 NULL, 0, des_access,
375                 &acc_granted, "_lsa_OpenPolicy2" );
376
377         if (!NT_STATUS_IS_OK(status)) {
378                 return status;
379         }
380
381         /* associate the domain SID with the (unique) handle. */
382         info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
383         if (info == NULL) {
384                 return NT_STATUS_NO_MEMORY;
385         }
386
387         sid_copy(&info->sid,get_global_sam_sid());
388         info->access = acc_granted;
389         info->type = LSA_HANDLE_POLICY_TYPE;
390
391         /* set up the LSA QUERY INFO response */
392         if (!create_policy_hnd(p, r->out.handle, info))
393                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
394
395         return NT_STATUS_OK;
396 }
397
398 /***************************************************************************
399  _lsa_OpenPolicy
400  ***************************************************************************/
401
402 NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
403                          struct lsa_OpenPolicy *r)
404 {
405         struct lsa_OpenPolicy2 o;
406
407         o.in.system_name        = NULL; /* should be ignored */
408         o.in.attr               = r->in.attr;
409         o.in.access_mask        = r->in.access_mask;
410
411         o.out.handle            = r->out.handle;
412
413         return _lsa_OpenPolicy2(p, &o);
414 }
415
416 /***************************************************************************
417  _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
418  ufff, done :)  mimir
419  ***************************************************************************/
420
421 NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
422                            struct lsa_EnumTrustDom *r)
423 {
424         struct lsa_info *info;
425         uint32 next_idx;
426         struct trustdom_info **domains;
427         struct lsa_DomainInfo *lsa_domains = NULL;
428         int i;
429
430         /*
431          * preferred length is set to 5 as a "our" preferred length
432          * nt sets this parameter to 2
433          * update (20.08.2002): it's not preferred length, but preferred size!
434          * it needs further investigation how to optimally choose this value
435          */
436         uint32 max_num_domains =
437                 r->in.max_size < 5 ? r->in.max_size : 10;
438         uint32 num_domains;
439         NTSTATUS nt_status;
440         uint32 num_thistime;
441
442         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
443                 return NT_STATUS_INVALID_HANDLE;
444
445         if (info->type != LSA_HANDLE_POLICY_TYPE) {
446                 return NT_STATUS_INVALID_HANDLE;
447         }
448
449         /* check if the user has enough rights */
450         if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
451                 return NT_STATUS_ACCESS_DENIED;
452
453         become_root();
454         nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
455         unbecome_root();
456
457         if (!NT_STATUS_IS_OK(nt_status)) {
458                 return nt_status;
459         }
460
461         if (*r->in.resume_handle < num_domains) {
462                 num_thistime = MIN(num_domains, max_num_domains);
463
464                 nt_status = STATUS_MORE_ENTRIES;
465
466                 if (*r->in.resume_handle + num_thistime > num_domains) {
467                         num_thistime = num_domains - *r->in.resume_handle;
468                         nt_status = NT_STATUS_OK;
469                 }
470
471                 next_idx = *r->in.resume_handle + num_thistime;
472         } else {
473                 num_thistime = 0;
474                 next_idx = 0xffffffff;
475                 nt_status = NT_STATUS_NO_MORE_ENTRIES;
476         }
477
478         /* set up the lsa_enum_trust_dom response */
479
480         lsa_domains = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo,
481                                         num_thistime);
482         if (!lsa_domains) {
483                 return NT_STATUS_NO_MEMORY;
484         }
485
486         for (i=0; i<num_thistime; i++) {
487                 init_lsa_StringLarge(&lsa_domains[i].name, domains[i]->name);
488                 lsa_domains[i].sid = &domains[i]->sid;
489         }
490
491         *r->out.resume_handle = next_idx;
492         r->out.domains->count = num_thistime;
493         r->out.domains->domains = lsa_domains;
494
495         return nt_status;
496 }
497
498 #define LSA_AUDIT_NUM_CATEGORIES_NT4    7
499 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K  9
500 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
501
502 /***************************************************************************
503  _lsa_QueryInfoPolicy
504  ***************************************************************************/
505
506 NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
507                               struct lsa_QueryInfoPolicy *r)
508 {
509         NTSTATUS status = NT_STATUS_OK;
510         struct lsa_info *handle;
511         DOM_SID domain_sid;
512         const char *name;
513         DOM_SID *sid = NULL;
514         union lsa_PolicyInformation *info = NULL;
515         uint32_t acc_required = 0;
516
517         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
518                 return NT_STATUS_INVALID_HANDLE;
519
520         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
521                 return NT_STATUS_INVALID_HANDLE;
522         }
523
524         switch (r->in.level) {
525         case LSA_POLICY_INFO_AUDIT_LOG:
526         case LSA_POLICY_INFO_AUDIT_EVENTS:
527                 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
528                 break;
529         case LSA_POLICY_INFO_DOMAIN:
530                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
531                 break;
532         case LSA_POLICY_INFO_PD:
533                 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
534                 break;
535         case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
536                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
537                 break;
538         case LSA_POLICY_INFO_ROLE:
539         case LSA_POLICY_INFO_REPLICA:
540                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
541                 break;
542         case LSA_POLICY_INFO_QUOTA:
543                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
544                 break;
545         case LSA_POLICY_INFO_MOD:
546         case LSA_POLICY_INFO_AUDIT_FULL_SET:
547                 /* according to MS-LSAD 3.1.4.4.3 */
548                 return NT_STATUS_INVALID_PARAMETER;
549         case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
550                 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
551                 break;
552         case LSA_POLICY_INFO_DNS:
553         case LSA_POLICY_INFO_DNS_INT:
554         case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
555                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
556                 break;
557         default:
558                 break;
559         }
560
561         if (!(handle->access & acc_required)) {
562                 /* return NT_STATUS_ACCESS_DENIED; */
563         }
564
565         info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
566         if (!info) {
567                 return NT_STATUS_NO_MEMORY;
568         }
569
570         switch (r->in.level) {
571         case LSA_POLICY_INFO_AUDIT_EVENTS:
572                 {
573
574                 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
575
576                 /* check if the user has enough rights */
577                 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
578                         DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
579                         return NT_STATUS_ACCESS_DENIED;
580                 }
581
582                 /* fake info: We audit everything. ;) */
583
584                 info->audit_events.auditing_mode = true;
585                 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
586                 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
587                                                                 enum lsa_PolicyAuditPolicy,
588                                                                 info->audit_events.count);
589                 if (!info->audit_events.settings) {
590                         return NT_STATUS_NO_MEMORY;
591                 }
592
593                 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
594                 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
595                 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
596                 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
597                 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
598                 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
599                 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
600
601                 break;
602                 }
603         case LSA_POLICY_INFO_DOMAIN:
604                 /* check if the user has enough rights */
605                 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
606                         return NT_STATUS_ACCESS_DENIED;
607
608                 /* Request PolicyPrimaryDomainInformation. */
609                 switch (lp_server_role()) {
610                         case ROLE_DOMAIN_PDC:
611                         case ROLE_DOMAIN_BDC:
612                                 name = get_global_sam_name();
613                                 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
614                                 if (!sid) {
615                                         return NT_STATUS_NO_MEMORY;
616                                 }
617                                 break;
618                         case ROLE_DOMAIN_MEMBER:
619                                 name = lp_workgroup();
620                                 /* We need to return the Domain SID here. */
621                                 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
622                                         sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
623                                         if (!sid) {
624                                                 return NT_STATUS_NO_MEMORY;
625                                         }
626                                 } else {
627                                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
628                                 }
629                                 break;
630                         case ROLE_STANDALONE:
631                                 name = lp_workgroup();
632                                 sid = NULL;
633                                 break;
634                         default:
635                                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
636                 }
637                 init_dom_query_3(&info->domain, name, sid);
638                 break;
639         case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
640                 /* check if the user has enough rights */
641                 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
642                         return NT_STATUS_ACCESS_DENIED;
643
644                 /* Request PolicyAccountDomainInformation. */
645                 name = get_global_sam_name();
646                 sid = get_global_sam_sid();
647
648                 init_dom_query_5(&info->account_domain, name, sid);
649                 break;
650         case LSA_POLICY_INFO_ROLE:
651                 /* check if the user has enough rights */
652                 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
653                         return NT_STATUS_ACCESS_DENIED;
654
655                 switch (lp_server_role()) {
656                         case ROLE_DOMAIN_BDC:
657                                 /*
658                                  * only a BDC is a backup controller
659                                  * of the domain, it controls.
660                                  */
661                                 info->role.role = LSA_ROLE_BACKUP;
662                                 break;
663                         default:
664                                 /*
665                                  * any other role is a primary
666                                  * of the domain, it controls.
667                                  */
668                                 info->role.role = LSA_ROLE_PRIMARY;
669                                 break;
670                 }
671                 break;
672         case LSA_POLICY_INFO_DNS:
673         case LSA_POLICY_INFO_DNS_INT: {
674                 struct pdb_domain_info *dominfo;
675
676                 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
677                         DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
678                                    "without ADS passdb backend\n"));
679                         status = NT_STATUS_INVALID_INFO_CLASS;
680                         break;
681                 }
682
683                 dominfo = pdb_get_domain_info(info);
684                 if (dominfo == NULL) {
685                         status = NT_STATUS_NO_MEMORY;
686                         break;
687                 }
688
689                 init_lsa_StringLarge(&info->dns.name,
690                                      dominfo->name);
691                 init_lsa_StringLarge(&info->dns.dns_domain,
692                                      dominfo->dns_domain);
693                 init_lsa_StringLarge(&info->dns.dns_forest,
694                                      dominfo->dns_forest);
695                 info->dns.domain_guid = dominfo->guid;
696                 info->dns.sid = &dominfo->sid;
697                 break;
698         }
699         default:
700                 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
701                         r->in.level));
702                 status = NT_STATUS_INVALID_INFO_CLASS;
703                 break;
704         }
705
706         *r->out.info = info;
707
708         return status;
709 }
710
711 /***************************************************************************
712  _lsa_QueryInfoPolicy2
713  ***************************************************************************/
714
715 NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p,
716                                struct lsa_QueryInfoPolicy2 *r2)
717 {
718         struct lsa_QueryInfoPolicy r;
719
720         if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
721                 p->rng_fault_state = True;
722                 return NT_STATUS_NOT_IMPLEMENTED;
723         }
724
725         ZERO_STRUCT(r);
726         r.in.handle = r2->in.handle;
727         r.in.level = r2->in.level;
728         r.out.info = r2->out.info;
729
730         return _lsa_QueryInfoPolicy(p, &r);
731 }
732
733 /***************************************************************************
734  _lsa_lookup_sids_internal
735  ***************************************************************************/
736
737 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
738                                           TALLOC_CTX *mem_ctx,
739                                           uint16_t level,                       /* input */
740                                           int num_sids,                         /* input */
741                                           struct lsa_SidPtr *sid,               /* input */
742                                           struct lsa_RefDomainList **pp_ref,    /* input/output */
743                                           struct lsa_TranslatedName2 **pp_names,/* input/output */
744                                           uint32_t *pp_mapped_count)            /* input/output */
745 {
746         NTSTATUS status;
747         int i;
748         const DOM_SID **sids = NULL;
749         struct lsa_RefDomainList *ref = NULL;
750         uint32 mapped_count = 0;
751         struct lsa_dom_info *dom_infos = NULL;
752         struct lsa_name_info *name_infos = NULL;
753         struct lsa_TranslatedName2 *names = NULL;
754
755         *pp_mapped_count = 0;
756         *pp_names = NULL;
757         *pp_ref = NULL;
758
759         if (num_sids == 0) {
760                 return NT_STATUS_OK;
761         }
762
763         sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
764         ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
765
766         if (sids == NULL || ref == NULL) {
767                 return NT_STATUS_NO_MEMORY;
768         }
769
770         for (i=0; i<num_sids; i++) {
771                 sids[i] = sid[i].sid;
772         }
773
774         status = lookup_sids(p->mem_ctx, num_sids, sids, level,
775                                   &dom_infos, &name_infos);
776
777         if (!NT_STATUS_IS_OK(status)) {
778                 return status;
779         }
780
781         names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
782         if (names == NULL) {
783                 return NT_STATUS_NO_MEMORY;
784         }
785
786         for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
787
788                 if (!dom_infos[i].valid) {
789                         break;
790                 }
791
792                 if (init_lsa_ref_domain_list(mem_ctx, ref,
793                                              dom_infos[i].name,
794                                              &dom_infos[i].sid) != i) {
795                         DEBUG(0, ("Domain %s mentioned twice??\n",
796                                   dom_infos[i].name));
797                         return NT_STATUS_INTERNAL_ERROR;
798                 }
799         }
800
801         for (i=0; i<num_sids; i++) {
802                 struct lsa_name_info *name = &name_infos[i];
803
804                 if (name->type == SID_NAME_UNKNOWN) {
805                         fstring tmp;
806                         name->dom_idx = -1;
807                         /* Unknown sids should return the string
808                          * representation of the SID. Windows 2003 behaves
809                          * rather erratic here, in many cases it returns the
810                          * RID as 8 bytes hex, in others it returns the full
811                          * SID. We (Jerry/VL) could not figure out which the
812                          * hard cases are, so leave it with the SID.  */
813                         name->name = talloc_asprintf(p->mem_ctx, "%s",
814                                                      sid_to_fstring(tmp,
815                                                                     sids[i]));
816                         if (name->name == NULL) {
817                                 return NT_STATUS_NO_MEMORY;
818                         }
819                 } else {
820                         mapped_count += 1;
821                 }
822
823                 names[i].sid_type       = name->type;
824                 names[i].name.string    = name->name;
825                 names[i].sid_index      = name->dom_idx;
826                 names[i].unknown        = 0;
827         }
828
829         status = NT_STATUS_NONE_MAPPED;
830         if (mapped_count > 0) {
831                 status = (mapped_count < num_sids) ?
832                         STATUS_SOME_UNMAPPED : NT_STATUS_OK;
833         }
834
835         DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
836                    num_sids, mapped_count, nt_errstr(status)));
837
838         *pp_mapped_count = mapped_count;
839         *pp_names = names;
840         *pp_ref = ref;
841
842         return status;
843 }
844
845 /***************************************************************************
846  _lsa_LookupSids
847  ***************************************************************************/
848
849 NTSTATUS _lsa_LookupSids(pipes_struct *p,
850                          struct lsa_LookupSids *r)
851 {
852         NTSTATUS status;
853         struct lsa_info *handle;
854         int num_sids = r->in.sids->num_sids;
855         uint32 mapped_count = 0;
856         struct lsa_RefDomainList *domains = NULL;
857         struct lsa_TranslatedName *names_out = NULL;
858         struct lsa_TranslatedName2 *names = NULL;
859         int i;
860
861         if ((r->in.level < 1) || (r->in.level > 6)) {
862                 return NT_STATUS_INVALID_PARAMETER;
863         }
864
865         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
866                 return NT_STATUS_INVALID_HANDLE;
867         }
868
869         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
870                 return NT_STATUS_INVALID_HANDLE;
871         }
872
873         /* check if the user has enough rights */
874         if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
875                 return NT_STATUS_ACCESS_DENIED;
876         }
877
878         if (num_sids >  MAX_LOOKUP_SIDS) {
879                 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
880                          MAX_LOOKUP_SIDS, num_sids));
881                 return NT_STATUS_NONE_MAPPED;
882         }
883
884         status = _lsa_lookup_sids_internal(p,
885                                            p->mem_ctx,
886                                            r->in.level,
887                                            num_sids,
888                                            r->in.sids->sids,
889                                            &domains,
890                                            &names,
891                                            &mapped_count);
892
893         /* Only return here when there is a real error.
894            NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
895            the requested sids could be resolved. Older versions of XP (pre SP3)
896            rely that we return with the string representations of those SIDs in
897            that case. If we don't, XP crashes - Guenther
898            */
899
900         if (NT_STATUS_IS_ERR(status) &&
901             !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
902                 return status;
903         }
904
905         /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
906         names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
907                                  num_sids);
908         if (!names_out) {
909                 return NT_STATUS_NO_MEMORY;
910         }
911
912         for (i=0; i<num_sids; i++) {
913                 names_out[i].sid_type = names[i].sid_type;
914                 names_out[i].name = names[i].name;
915                 names_out[i].sid_index = names[i].sid_index;
916         }
917
918         *r->out.domains = domains;
919         r->out.names->count = num_sids;
920         r->out.names->names = names_out;
921         *r->out.count = mapped_count;
922
923         return status;
924 }
925
926 /***************************************************************************
927  _lsa_LookupSids2
928  ***************************************************************************/
929
930 NTSTATUS _lsa_LookupSids2(pipes_struct *p,
931                           struct lsa_LookupSids2 *r)
932 {
933         NTSTATUS status;
934         struct lsa_info *handle;
935         int num_sids = r->in.sids->num_sids;
936         uint32 mapped_count = 0;
937         struct lsa_RefDomainList *domains = NULL;
938         struct lsa_TranslatedName2 *names = NULL;
939         bool check_policy = true;
940
941         switch (p->hdr_req.opnum) {
942                 case NDR_LSA_LOOKUPSIDS3:
943                         check_policy = false;
944                         break;
945                 case NDR_LSA_LOOKUPSIDS2:
946                 default:
947                         check_policy = true;
948         }
949
950         if ((r->in.level < 1) || (r->in.level > 6)) {
951                 return NT_STATUS_INVALID_PARAMETER;
952         }
953
954         if (check_policy) {
955                 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
956                         return NT_STATUS_INVALID_HANDLE;
957                 }
958
959                 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
960                         return NT_STATUS_INVALID_HANDLE;
961                 }
962
963                 /* check if the user has enough rights */
964                 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
965                         return NT_STATUS_ACCESS_DENIED;
966                 }
967         }
968
969         if (num_sids >  MAX_LOOKUP_SIDS) {
970                 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
971                          MAX_LOOKUP_SIDS, num_sids));
972                 return NT_STATUS_NONE_MAPPED;
973         }
974
975         status = _lsa_lookup_sids_internal(p,
976                                            p->mem_ctx,
977                                            r->in.level,
978                                            num_sids,
979                                            r->in.sids->sids,
980                                            &domains,
981                                            &names,
982                                            &mapped_count);
983
984         *r->out.domains = domains;
985         r->out.names->count = num_sids;
986         r->out.names->names = names;
987         *r->out.count = mapped_count;
988
989         return status;
990 }
991
992 /***************************************************************************
993  _lsa_LookupSids3
994  ***************************************************************************/
995
996 NTSTATUS _lsa_LookupSids3(pipes_struct *p,
997                           struct lsa_LookupSids3 *r)
998 {
999         struct lsa_LookupSids2 q;
1000
1001         /* No policy handle on this call. Restrict to crypto connections. */
1002         if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1003                 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
1004                         get_remote_machine_name() ));
1005                 return NT_STATUS_INVALID_PARAMETER;
1006         }
1007
1008         q.in.handle             = NULL;
1009         q.in.sids               = r->in.sids;
1010         q.in.level              = r->in.level;
1011         q.in.lookup_options     = r->in.lookup_options;
1012         q.in.client_revision    = r->in.client_revision;
1013         q.in.names              = r->in.names;
1014         q.in.count              = r->in.count;
1015
1016         q.out.domains           = r->out.domains;
1017         q.out.names             = r->out.names;
1018         q.out.count             = r->out.count;
1019
1020         return _lsa_LookupSids2(p, &q);
1021 }
1022
1023 /***************************************************************************
1024  ***************************************************************************/
1025
1026 static int lsa_lookup_level_to_flags(uint16 level)
1027 {
1028         int flags;
1029
1030         switch (level) {
1031                 case 1:
1032                         flags = LOOKUP_NAME_ALL;
1033                         break;
1034                 case 2:
1035                         flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1036                         break;
1037                 case 3:
1038                         flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1039                         break;
1040                 case 4:
1041                 case 5:
1042                 case 6:
1043                 default:
1044                         flags = LOOKUP_NAME_NONE;
1045                         break;
1046         }
1047
1048         return flags;
1049 }
1050
1051 /***************************************************************************
1052  _lsa_LookupNames
1053  ***************************************************************************/
1054
1055 NTSTATUS _lsa_LookupNames(pipes_struct *p,
1056                           struct lsa_LookupNames *r)
1057 {
1058         NTSTATUS status = NT_STATUS_NONE_MAPPED;
1059         struct lsa_info *handle;
1060         struct lsa_String *names = r->in.names;
1061         uint32 num_entries = r->in.num_names;
1062         struct lsa_RefDomainList *domains = NULL;
1063         struct lsa_TranslatedSid *rids = NULL;
1064         uint32 mapped_count = 0;
1065         int flags = 0;
1066
1067         if (num_entries >  MAX_LOOKUP_SIDS) {
1068                 num_entries = MAX_LOOKUP_SIDS;
1069                 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1070                         num_entries));
1071         }
1072
1073         flags = lsa_lookup_level_to_flags(r->in.level);
1074
1075         domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1076         if (!domains) {
1077                 return NT_STATUS_NO_MEMORY;
1078         }
1079
1080         if (num_entries) {
1081                 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1082                                          num_entries);
1083                 if (!rids) {
1084                         return NT_STATUS_NO_MEMORY;
1085                 }
1086         } else {
1087                 rids = NULL;
1088         }
1089
1090         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1091                 status = NT_STATUS_INVALID_HANDLE;
1092                 goto done;
1093         }
1094
1095         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1096                 return NT_STATUS_INVALID_HANDLE;
1097         }
1098
1099         /* check if the user has enough rights */
1100         if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1101                 status = NT_STATUS_ACCESS_DENIED;
1102                 goto done;
1103         }
1104
1105         /* set up the LSA Lookup RIDs response */
1106         become_root(); /* lookup_name can require root privs */
1107         status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1108                                  names, flags, &mapped_count);
1109         unbecome_root();
1110
1111 done:
1112
1113         if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1114                 if (mapped_count == 0) {
1115                         status = NT_STATUS_NONE_MAPPED;
1116                 } else if (mapped_count != num_entries) {
1117                         status = STATUS_SOME_UNMAPPED;
1118                 }
1119         }
1120
1121         *r->out.count = mapped_count;
1122         *r->out.domains = domains;
1123         r->out.sids->sids = rids;
1124         r->out.sids->count = num_entries;
1125
1126         return status;
1127 }
1128
1129 /***************************************************************************
1130  _lsa_LookupNames2
1131  ***************************************************************************/
1132
1133 NTSTATUS _lsa_LookupNames2(pipes_struct *p,
1134                            struct lsa_LookupNames2 *r)
1135 {
1136         NTSTATUS status;
1137         struct lsa_LookupNames q;
1138         struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1139         struct lsa_TransSidArray *sid_array = NULL;
1140         uint32_t i;
1141
1142         sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1143         if (!sid_array) {
1144                 return NT_STATUS_NO_MEMORY;
1145         }
1146
1147         q.in.handle             = r->in.handle;
1148         q.in.num_names          = r->in.num_names;
1149         q.in.names              = r->in.names;
1150         q.in.level              = r->in.level;
1151         q.in.sids               = sid_array;
1152         q.in.count              = r->in.count;
1153         /* we do not know what this is for */
1154         /*                      = r->in.unknown1; */
1155         /*                      = r->in.unknown2; */
1156
1157         q.out.domains           = r->out.domains;
1158         q.out.sids              = sid_array;
1159         q.out.count             = r->out.count;
1160
1161         status = _lsa_LookupNames(p, &q);
1162
1163         sid_array2->count = sid_array->count;
1164         sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1165         if (!sid_array2->sids) {
1166                 return NT_STATUS_NO_MEMORY;
1167         }
1168
1169         for (i=0; i<sid_array->count; i++) {
1170                 sid_array2->sids[i].sid_type  = sid_array->sids[i].sid_type;
1171                 sid_array2->sids[i].rid       = sid_array->sids[i].rid;
1172                 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1173                 sid_array2->sids[i].unknown   = 0;
1174         }
1175
1176         r->out.sids = sid_array2;
1177
1178         return status;
1179 }
1180
1181 /***************************************************************************
1182  _lsa_LookupNames3
1183  ***************************************************************************/
1184
1185 NTSTATUS _lsa_LookupNames3(pipes_struct *p,
1186                            struct lsa_LookupNames3 *r)
1187 {
1188         NTSTATUS status;
1189         struct lsa_info *handle;
1190         struct lsa_String *names = r->in.names;
1191         uint32 num_entries = r->in.num_names;
1192         struct lsa_RefDomainList *domains = NULL;
1193         struct lsa_TranslatedSid3 *trans_sids = NULL;
1194         uint32 mapped_count = 0;
1195         int flags = 0;
1196         bool check_policy = true;
1197
1198         switch (p->hdr_req.opnum) {
1199                 case NDR_LSA_LOOKUPNAMES4:
1200                         check_policy = false;
1201                         break;
1202                 case NDR_LSA_LOOKUPNAMES3:
1203                 default:
1204                         check_policy = true;
1205         }
1206
1207         if (num_entries >  MAX_LOOKUP_SIDS) {
1208                 num_entries = MAX_LOOKUP_SIDS;
1209                 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1210         }
1211
1212         /* Probably the lookup_level is some sort of bitmask. */
1213         if (r->in.level == 1) {
1214                 flags = LOOKUP_NAME_ALL;
1215         }
1216
1217         domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1218         if (!domains) {
1219                 return NT_STATUS_NO_MEMORY;
1220         }
1221
1222         if (num_entries) {
1223                 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1224                                                num_entries);
1225                 if (!trans_sids) {
1226                         return NT_STATUS_NO_MEMORY;
1227                 }
1228         } else {
1229                 trans_sids = NULL;
1230         }
1231
1232         if (check_policy) {
1233
1234                 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1235                         status = NT_STATUS_INVALID_HANDLE;
1236                         goto done;
1237                 }
1238
1239                 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1240                         return NT_STATUS_INVALID_HANDLE;
1241                 }
1242
1243                 /* check if the user has enough rights */
1244                 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1245                         status = NT_STATUS_ACCESS_DENIED;
1246                         goto done;
1247                 }
1248         }
1249
1250         /* set up the LSA Lookup SIDs response */
1251         become_root(); /* lookup_name can require root privs */
1252         status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1253                                  names, flags, &mapped_count);
1254         unbecome_root();
1255
1256 done:
1257
1258         if (NT_STATUS_IS_OK(status)) {
1259                 if (mapped_count == 0) {
1260                         status = NT_STATUS_NONE_MAPPED;
1261                 } else if (mapped_count != num_entries) {
1262                         status = STATUS_SOME_UNMAPPED;
1263                 }
1264         }
1265
1266         *r->out.count = mapped_count;
1267         *r->out.domains = domains;
1268         r->out.sids->sids = trans_sids;
1269         r->out.sids->count = num_entries;
1270
1271         return status;
1272 }
1273
1274 /***************************************************************************
1275  _lsa_LookupNames4
1276  ***************************************************************************/
1277
1278 NTSTATUS _lsa_LookupNames4(pipes_struct *p,
1279                            struct lsa_LookupNames4 *r)
1280 {
1281         struct lsa_LookupNames3 q;
1282
1283         /* No policy handle on this call. Restrict to crypto connections. */
1284         if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1285                 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1286                         get_remote_machine_name() ));
1287                 return NT_STATUS_INVALID_PARAMETER;
1288         }
1289
1290         q.in.handle             = NULL;
1291         q.in.num_names          = r->in.num_names;
1292         q.in.names              = r->in.names;
1293         q.in.level              = r->in.level;
1294         q.in.lookup_options     = r->in.lookup_options;
1295         q.in.client_revision    = r->in.client_revision;
1296         q.in.sids               = r->in.sids;
1297         q.in.count              = r->in.count;
1298
1299         q.out.domains           = r->out.domains;
1300         q.out.sids              = r->out.sids;
1301         q.out.count             = r->out.count;
1302
1303         return _lsa_LookupNames3(p, &q);
1304 }
1305
1306 /***************************************************************************
1307  _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1308  ***************************************************************************/
1309
1310 NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
1311 {
1312         if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1313                 return NT_STATUS_INVALID_HANDLE;
1314         }
1315
1316         close_policy_hnd(p, r->in.handle);
1317         ZERO_STRUCTP(r->out.handle);
1318         return NT_STATUS_OK;
1319 }
1320
1321 /***************************************************************************
1322  ***************************************************************************/
1323
1324 NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
1325 {
1326         return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1327 }
1328
1329 /***************************************************************************
1330  ***************************************************************************/
1331
1332 NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
1333 {
1334         return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1335 }
1336
1337 /***************************************************************************
1338  ***************************************************************************/
1339
1340 NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
1341 {
1342         return NT_STATUS_ACCESS_DENIED;
1343 }
1344
1345 /***************************************************************************
1346  ***************************************************************************/
1347
1348 NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
1349 {
1350         return NT_STATUS_ACCESS_DENIED;
1351 }
1352
1353 /***************************************************************************
1354  ***************************************************************************/
1355
1356 NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
1357 {
1358         return NT_STATUS_ACCESS_DENIED;
1359 }
1360
1361 /***************************************************************************
1362  _lsa_DeleteObject
1363  ***************************************************************************/
1364
1365 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
1366                            struct lsa_DeleteObject *r)
1367 {
1368         NTSTATUS status;
1369         struct lsa_info *info = NULL;
1370
1371         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1372                 return NT_STATUS_INVALID_HANDLE;
1373         }
1374
1375         if (!(info->access & STD_RIGHT_DELETE_ACCESS)) {
1376                 return NT_STATUS_ACCESS_DENIED;
1377         }
1378
1379         switch (info->type) {
1380         case LSA_HANDLE_ACCOUNT_TYPE:
1381                 status = privilege_delete_account(&info->sid);
1382                 if (!NT_STATUS_IS_OK(status)) {
1383                         DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1384                                 nt_errstr(status)));
1385                         return status;
1386                 }
1387                 break;
1388         default:
1389                 return NT_STATUS_INVALID_HANDLE;
1390         }
1391
1392         close_policy_hnd(p, r->in.handle);
1393         ZERO_STRUCTP(r->out.handle);
1394
1395         return status;
1396 }
1397
1398 /***************************************************************************
1399  _lsa_EnumPrivs
1400  ***************************************************************************/
1401
1402 NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
1403                         struct lsa_EnumPrivs *r)
1404 {
1405         struct lsa_info *handle;
1406         uint32 i;
1407         uint32 enum_context = *r->in.resume_handle;
1408         int num_privs = count_all_privileges();
1409         struct lsa_PrivEntry *entries = NULL;
1410         LUID_ATTR luid;
1411
1412         /* remember that the enum_context starts at 0 and not 1 */
1413
1414         if ( enum_context >= num_privs )
1415                 return NT_STATUS_NO_MORE_ENTRIES;
1416
1417         DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1418                 enum_context, num_privs));
1419
1420         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1421                 return NT_STATUS_INVALID_HANDLE;
1422
1423         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1424                 return NT_STATUS_INVALID_HANDLE;
1425         }
1426
1427         /* check if the user has enough rights
1428            I don't know if it's the right one. not documented.  */
1429
1430         if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1431                 return NT_STATUS_ACCESS_DENIED;
1432
1433         if (num_privs) {
1434                 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1435                 if (!entries) {
1436                         return NT_STATUS_NO_MEMORY;
1437                 }
1438         } else {
1439                 entries = NULL;
1440         }
1441
1442         for (i = 0; i < num_privs; i++) {
1443                 if( i < enum_context) {
1444
1445                         init_lsa_StringLarge(&entries[i].name, NULL);
1446
1447                         entries[i].luid.low = 0;
1448                         entries[i].luid.high = 0;
1449                 } else {
1450
1451                         init_lsa_StringLarge(&entries[i].name, privs[i].name);
1452
1453                         luid = get_privilege_luid( &privs[i].se_priv );
1454
1455                         entries[i].luid.low = luid.luid.low;
1456                         entries[i].luid.high = luid.luid.high;
1457                 }
1458         }
1459
1460         enum_context = num_privs;
1461
1462         *r->out.resume_handle = enum_context;
1463         r->out.privs->count = num_privs;
1464         r->out.privs->privs = entries;
1465
1466         return NT_STATUS_OK;
1467 }
1468
1469 /***************************************************************************
1470  _lsa_LookupPrivDisplayName
1471  ***************************************************************************/
1472
1473 NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
1474                                     struct lsa_LookupPrivDisplayName *r)
1475 {
1476         struct lsa_info *handle;
1477         const char *description;
1478         struct lsa_StringLarge *lsa_name;
1479
1480         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1481                 return NT_STATUS_INVALID_HANDLE;
1482
1483         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1484                 return NT_STATUS_INVALID_HANDLE;
1485         }
1486
1487         /* check if the user has enough rights */
1488
1489         /*
1490          * I don't know if it's the right one. not documented.
1491          */
1492         if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1493                 return NT_STATUS_ACCESS_DENIED;
1494
1495         DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1496
1497         description = get_privilege_dispname(r->in.name->string);
1498         if (!description) {
1499                 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1500                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1501         }
1502
1503         DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1504
1505         lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1506         if (!lsa_name) {
1507                 return NT_STATUS_NO_MEMORY;
1508         }
1509
1510         init_lsa_StringLarge(lsa_name, description);
1511
1512         *r->out.returned_language_id = r->in.language_id;
1513         *r->out.disp_name = lsa_name;
1514
1515         return NT_STATUS_OK;
1516 }
1517
1518 /***************************************************************************
1519  _lsa_EnumAccounts
1520  ***************************************************************************/
1521
1522 NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
1523                            struct lsa_EnumAccounts *r)
1524 {
1525         struct lsa_info *handle;
1526         DOM_SID *sid_list;
1527         int i, j, num_entries;
1528         NTSTATUS status;
1529         struct lsa_SidPtr *sids = NULL;
1530
1531         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1532                 return NT_STATUS_INVALID_HANDLE;
1533
1534         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1535                 return NT_STATUS_INVALID_HANDLE;
1536         }
1537
1538         if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1539                 return NT_STATUS_ACCESS_DENIED;
1540
1541         sid_list = NULL;
1542         num_entries = 0;
1543
1544         /* The only way we can currently find out all the SIDs that have been
1545            privileged is to scan all privileges */
1546
1547         status = privilege_enumerate_accounts(&sid_list, &num_entries);
1548         if (!NT_STATUS_IS_OK(status)) {
1549                 return status;
1550         }
1551
1552         if (*r->in.resume_handle >= num_entries) {
1553                 return NT_STATUS_NO_MORE_ENTRIES;
1554         }
1555
1556         if (num_entries - *r->in.resume_handle) {
1557                 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1558                                          num_entries - *r->in.resume_handle);
1559                 if (!sids) {
1560                         talloc_free(sid_list);
1561                         return NT_STATUS_NO_MEMORY;
1562                 }
1563
1564                 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1565                         sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1566                         if (!sids[j].sid) {
1567                                 talloc_free(sid_list);
1568                                 return NT_STATUS_NO_MEMORY;
1569                         }
1570                 }
1571         }
1572
1573         talloc_free(sid_list);
1574
1575         *r->out.resume_handle = num_entries;
1576         r->out.sids->num_sids = num_entries;
1577         r->out.sids->sids = sids;
1578
1579         return NT_STATUS_OK;
1580 }
1581
1582 /***************************************************************************
1583  _lsa_GetUserName
1584  ***************************************************************************/
1585
1586 NTSTATUS _lsa_GetUserName(pipes_struct *p,
1587                           struct lsa_GetUserName *r)
1588 {
1589         const char *username, *domname;
1590         struct lsa_String *account_name = NULL;
1591         struct lsa_String *authority_name = NULL;
1592
1593         if (r->in.account_name &&
1594            *r->in.account_name) {
1595                 return NT_STATUS_INVALID_PARAMETER;
1596         }
1597
1598         if (r->in.authority_name &&
1599            *r->in.authority_name) {
1600                 return NT_STATUS_INVALID_PARAMETER;
1601         }
1602
1603         if (p->server_info->guest) {
1604                 /*
1605                  * I'm 99% sure this is not the right place to do this,
1606                  * global_sid_Anonymous should probably be put into the token
1607                  * instead of the guest id -- vl
1608                  */
1609                 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1610                                 &domname, &username, NULL)) {
1611                         return NT_STATUS_NO_MEMORY;
1612                 }
1613         } else {
1614                 username = p->server_info->sanitized_username;
1615                 domname = pdb_get_domain(p->server_info->sam_account);
1616         }
1617
1618         account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1619         if (!account_name) {
1620                 return NT_STATUS_NO_MEMORY;
1621         }
1622         init_lsa_String(account_name, username);
1623
1624         if (r->out.authority_name) {
1625                 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1626                 if (!authority_name) {
1627                         return NT_STATUS_NO_MEMORY;
1628                 }
1629                 init_lsa_String(authority_name, domname);
1630         }
1631
1632         *r->out.account_name = account_name;
1633         if (r->out.authority_name) {
1634                 *r->out.authority_name = authority_name;
1635         }
1636
1637         return NT_STATUS_OK;
1638 }
1639
1640 /***************************************************************************
1641  _lsa_CreateAccount
1642  ***************************************************************************/
1643
1644 NTSTATUS _lsa_CreateAccount(pipes_struct *p,
1645                             struct lsa_CreateAccount *r)
1646 {
1647         NTSTATUS status;
1648         struct lsa_info *handle;
1649         struct lsa_info *info;
1650         uint32_t acc_granted;
1651         struct security_descriptor *psd;
1652         size_t sd_size;
1653
1654         /* find the connection policy handle. */
1655         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1656                 return NT_STATUS_INVALID_HANDLE;
1657
1658         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1659                 return NT_STATUS_INVALID_HANDLE;
1660         }
1661
1662         /* check if the user has enough rights */
1663
1664         if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
1665                 return NT_STATUS_ACCESS_DENIED;
1666         }
1667
1668         /* map the generic bits to the lsa policy ones */
1669         se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1670
1671         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1672                                     &lsa_account_mapping,
1673                                     r->in.sid, LSA_POLICY_ALL_ACCESS);
1674         if (!NT_STATUS_IS_OK(status)) {
1675                 return status;
1676         }
1677
1678         status = access_check_object(psd, p->server_info->ptok,
1679                 NULL, 0, r->in.access_mask,
1680                 &acc_granted, "_lsa_CreateAccount");
1681         if (!NT_STATUS_IS_OK(status)) {
1682                 return status;
1683         }
1684
1685         if ( is_privileged_sid( r->in.sid ) )
1686                 return NT_STATUS_OBJECT_NAME_COLLISION;
1687
1688         /* associate the user/group SID with the (unique) handle. */
1689
1690         info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1691         if (info == NULL) {
1692                 return NT_STATUS_NO_MEMORY;
1693         }
1694
1695         info->sid = *r->in.sid;
1696         info->access = acc_granted;
1697         info->type = LSA_HANDLE_ACCOUNT_TYPE;
1698
1699         /* get a (unique) handle.  open a policy on it. */
1700         if (!create_policy_hnd(p, r->out.acct_handle, info))
1701                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1702
1703         return privilege_create_account( &info->sid );
1704 }
1705
1706 /***************************************************************************
1707  _lsa_OpenAccount
1708  ***************************************************************************/
1709
1710 NTSTATUS _lsa_OpenAccount(pipes_struct *p,
1711                           struct lsa_OpenAccount *r)
1712 {
1713         struct lsa_info *handle;
1714         struct lsa_info *info;
1715         SEC_DESC *psd = NULL;
1716         size_t sd_size;
1717         uint32_t des_access = r->in.access_mask;
1718         uint32_t acc_granted;
1719         NTSTATUS status;
1720
1721         /* find the connection policy handle. */
1722         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1723                 return NT_STATUS_INVALID_HANDLE;
1724
1725         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1726                 return NT_STATUS_INVALID_HANDLE;
1727         }
1728
1729         /* des_access is for the account here, not the policy
1730          * handle - so don't check against policy handle. */
1731
1732         /* Work out max allowed. */
1733         map_max_allowed_access(p->server_info->ptok,
1734                                &p->server_info->utok,
1735                                &des_access);
1736
1737         /* map the generic bits to the lsa account ones */
1738         se_map_generic(&des_access, &lsa_account_mapping);
1739
1740         /* get the generic lsa account SD until we store it */
1741         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1742                                 &lsa_account_mapping,
1743                                 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1744         if (!NT_STATUS_IS_OK(status)) {
1745                 return status;
1746         }
1747
1748         status = access_check_object(psd, p->server_info->ptok,
1749                 NULL, 0, des_access,
1750                 &acc_granted, "_lsa_OpenAccount" );
1751
1752         if (!NT_STATUS_IS_OK(status)) {
1753                 return status;
1754         }
1755
1756         /* TODO: Fis the parsing routine before reenabling this check! */
1757         #if 0
1758         if (!lookup_sid(&handle->sid, dom_name, name, &type))
1759                 return NT_STATUS_ACCESS_DENIED;
1760         #endif
1761         /* associate the user/group SID with the (unique) handle. */
1762         info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1763         if (info == NULL) {
1764                 return NT_STATUS_NO_MEMORY;
1765         }
1766
1767         info->sid = *r->in.sid;
1768         info->access = acc_granted;
1769         info->type = LSA_HANDLE_ACCOUNT_TYPE;
1770
1771         /* get a (unique) handle.  open a policy on it. */
1772         if (!create_policy_hnd(p, r->out.acct_handle, info))
1773                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1774
1775         return NT_STATUS_OK;
1776 }
1777
1778 /***************************************************************************
1779  _lsa_EnumPrivsAccount
1780  For a given SID, enumerate all the privilege this account has.
1781  ***************************************************************************/
1782
1783 NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
1784                                struct lsa_EnumPrivsAccount *r)
1785 {
1786         NTSTATUS status = NT_STATUS_OK;
1787         struct lsa_info *info=NULL;
1788         SE_PRIV mask;
1789         PRIVILEGE_SET privileges;
1790         struct lsa_PrivilegeSet *priv_set = NULL;
1791         struct lsa_LUIDAttribute *luid_attrs = NULL;
1792         int i;
1793
1794         /* find the connection policy handle. */
1795         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1796                 return NT_STATUS_INVALID_HANDLE;
1797
1798         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1799                 return NT_STATUS_INVALID_HANDLE;
1800         }
1801
1802         if (!(info->access & LSA_ACCOUNT_VIEW))
1803                 return NT_STATUS_ACCESS_DENIED;
1804
1805         get_privileges_for_sids(&mask, &info->sid, 1);
1806
1807         privilege_set_init( &privileges );
1808
1809         priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1810         if (!priv_set) {
1811                 status = NT_STATUS_NO_MEMORY;
1812                 goto done;
1813         }
1814
1815         if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1816
1817                 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1818                           sid_string_dbg(&info->sid),
1819                           privileges.count));
1820
1821                 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1822                                                struct lsa_LUIDAttribute,
1823                                                privileges.count);
1824                 if (!luid_attrs) {
1825                         status = NT_STATUS_NO_MEMORY;
1826                         goto done;
1827                 }
1828
1829                 for (i=0; i<privileges.count; i++) {
1830                         luid_attrs[i].luid.low = privileges.set[i].luid.low;
1831                         luid_attrs[i].luid.high = privileges.set[i].luid.high;
1832                         luid_attrs[i].attribute = privileges.set[i].attr;
1833                 }
1834
1835                 priv_set->count = privileges.count;
1836                 priv_set->unknown = 0;
1837                 priv_set->set = luid_attrs;
1838
1839         } else {
1840                 priv_set->count = 0;
1841                 priv_set->unknown = 0;
1842                 priv_set->set = NULL;
1843         }
1844
1845         *r->out.privs = priv_set;
1846
1847  done:
1848         privilege_set_free( &privileges );
1849
1850         return status;
1851 }
1852
1853 /***************************************************************************
1854  _lsa_GetSystemAccessAccount
1855  ***************************************************************************/
1856
1857 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
1858                                      struct lsa_GetSystemAccessAccount *r)
1859 {
1860         NTSTATUS status;
1861         struct lsa_info *info = NULL;
1862         struct lsa_EnumPrivsAccount e;
1863         struct lsa_PrivilegeSet *privset;
1864
1865         /* find the connection policy handle. */
1866
1867         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1868                 return NT_STATUS_INVALID_HANDLE;
1869
1870         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1871                 return NT_STATUS_INVALID_HANDLE;
1872         }
1873
1874         if (!(info->access & LSA_ACCOUNT_VIEW))
1875                 return NT_STATUS_ACCESS_DENIED;
1876
1877         privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1878         if (!privset) {
1879                 return NT_STATUS_NO_MEMORY;
1880         }
1881
1882         e.in.handle = r->in.handle;
1883         e.out.privs = &privset;
1884
1885         status = _lsa_EnumPrivsAccount(p, &e);
1886         if (!NT_STATUS_IS_OK(status)) {
1887                 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1888                         "failed to call _lsa_EnumPrivsAccount(): %s\n",
1889                         nt_errstr(status)));
1890                 return status;
1891         }
1892
1893         /* Samba4 would iterate over the privset to merge the policy mode bits,
1894          * not sure samba3 can do the same here, so just return what we did in
1895          * the past - gd */
1896
1897         /*
1898           0x01 -> Log on locally
1899           0x02 -> Access this computer from network
1900           0x04 -> Log on as a batch job
1901           0x10 -> Log on as a service
1902
1903           they can be ORed together
1904         */
1905
1906         *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1907                               LSA_POLICY_MODE_NETWORK;
1908
1909         return NT_STATUS_OK;
1910 }
1911
1912 /***************************************************************************
1913   update the systemaccount information
1914  ***************************************************************************/
1915
1916 NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
1917                                      struct lsa_SetSystemAccessAccount *r)
1918 {
1919         struct lsa_info *info=NULL;
1920         GROUP_MAP map;
1921
1922         /* find the connection policy handle. */
1923         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1924                 return NT_STATUS_INVALID_HANDLE;
1925
1926         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1927                 return NT_STATUS_INVALID_HANDLE;
1928         }
1929
1930         if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1931                 return NT_STATUS_ACCESS_DENIED;
1932         }
1933
1934         if (!pdb_getgrsid(&map, info->sid))
1935                 return NT_STATUS_NO_SUCH_GROUP;
1936
1937         return pdb_update_group_mapping_entry(&map);
1938 }
1939
1940 /***************************************************************************
1941  _lsa_AddPrivilegesToAccount
1942  For a given SID, add some privileges.
1943  ***************************************************************************/
1944
1945 NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
1946                                      struct lsa_AddPrivilegesToAccount *r)
1947 {
1948         struct lsa_info *info = NULL;
1949         SE_PRIV mask;
1950         struct lsa_PrivilegeSet *set = NULL;
1951
1952         /* find the connection policy handle. */
1953         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1954                 return NT_STATUS_INVALID_HANDLE;
1955
1956         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1957                 return NT_STATUS_INVALID_HANDLE;
1958         }
1959
1960         if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1961                 return NT_STATUS_ACCESS_DENIED;
1962         }
1963
1964         set = r->in.privs;
1965         if ( !privilege_set_to_se_priv( &mask, set ) )
1966                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1967
1968         if ( !grant_privilege( &info->sid, &mask ) ) {
1969                 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1970                          sid_string_dbg(&info->sid) ));
1971                 DEBUG(3,("Privilege mask:\n"));
1972                 dump_se_priv( DBGC_ALL, 3, &mask );
1973                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1974         }
1975
1976         return NT_STATUS_OK;
1977 }
1978
1979 /***************************************************************************
1980  _lsa_RemovePrivilegesFromAccount
1981  For a given SID, remove some privileges.
1982  ***************************************************************************/
1983
1984 NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
1985                                           struct lsa_RemovePrivilegesFromAccount *r)
1986 {
1987         struct lsa_info *info = NULL;
1988         SE_PRIV mask;
1989         struct lsa_PrivilegeSet *set = NULL;
1990
1991         /* find the connection policy handle. */
1992         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1993                 return NT_STATUS_INVALID_HANDLE;
1994
1995         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1996                 return NT_STATUS_INVALID_HANDLE;
1997         }
1998
1999         if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2000                 return NT_STATUS_ACCESS_DENIED;
2001         }
2002
2003         set = r->in.privs;
2004
2005         if ( !privilege_set_to_se_priv( &mask, set ) )
2006                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2007
2008         if ( !revoke_privilege( &info->sid, &mask ) ) {
2009                 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2010                          sid_string_dbg(&info->sid) ));
2011                 DEBUG(3,("Privilege mask:\n"));
2012                 dump_se_priv( DBGC_ALL, 3, &mask );
2013                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2014         }
2015
2016         return NT_STATUS_OK;
2017 }
2018
2019 /***************************************************************************
2020  _lsa_LookupPrivName
2021  ***************************************************************************/
2022
2023 NTSTATUS _lsa_LookupPrivName(pipes_struct *p,
2024                              struct lsa_LookupPrivName *r)
2025 {
2026         struct lsa_info *info = NULL;
2027         const char *name;
2028         struct lsa_StringLarge *lsa_name;
2029
2030         /* find the connection policy handle. */
2031         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2032                 return NT_STATUS_INVALID_HANDLE;
2033         }
2034
2035         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2036                 return NT_STATUS_INVALID_HANDLE;
2037         }
2038
2039         if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2040                 return NT_STATUS_ACCESS_DENIED;
2041         }
2042
2043         name = luid_to_privilege_name((LUID *)r->in.luid);
2044         if (!name) {
2045                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2046         }
2047
2048         lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2049         if (!lsa_name) {
2050                 return NT_STATUS_NO_MEMORY;
2051         }
2052
2053         lsa_name->string = talloc_strdup(lsa_name, name);
2054         if (!lsa_name->string) {
2055                 TALLOC_FREE(lsa_name);
2056                 return NT_STATUS_NO_MEMORY;
2057         }
2058
2059         *r->out.name = lsa_name;
2060
2061         return NT_STATUS_OK;
2062 }
2063
2064 /***************************************************************************
2065  _lsa_QuerySecurity
2066  ***************************************************************************/
2067
2068 NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
2069                             struct lsa_QuerySecurity *r)
2070 {
2071         struct lsa_info *handle=NULL;
2072         SEC_DESC *psd = NULL;
2073         size_t sd_size;
2074         NTSTATUS status;
2075
2076         /* find the connection policy handle. */
2077         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2078                 return NT_STATUS_INVALID_HANDLE;
2079
2080         if (handle->type == LSA_HANDLE_POLICY_TYPE) {
2081                 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2082                                 &lsa_policy_mapping, NULL, 0);
2083         } else if (handle->type == LSA_HANDLE_ACCOUNT_TYPE) {
2084                 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2085                                 &lsa_account_mapping,
2086                                 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2087         } else {
2088                 status = NT_STATUS_INVALID_HANDLE;
2089         }
2090
2091         if (!NT_STATUS_IS_OK(status)) {
2092                 return status;
2093         }
2094
2095         *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2096         if (!*r->out.sdbuf) {
2097                 return NT_STATUS_NO_MEMORY;
2098         }
2099
2100         return status;
2101 }
2102
2103 /***************************************************************************
2104  _lsa_AddAccountRights
2105  ***************************************************************************/
2106
2107 NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
2108                                struct lsa_AddAccountRights *r)
2109 {
2110         struct lsa_info *info = NULL;
2111         int i = 0;
2112         uint32_t acc_granted = 0;
2113         SEC_DESC *psd = NULL;
2114         size_t sd_size;
2115         DOM_SID sid;
2116         NTSTATUS status;
2117
2118         /* find the connection policy handle. */
2119         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2120                 return NT_STATUS_INVALID_HANDLE;
2121
2122         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2123                 return NT_STATUS_INVALID_HANDLE;
2124         }
2125
2126         /* get the generic lsa account SD for this SID until we store it */
2127         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2128                                 &lsa_account_mapping,
2129                                 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2130         if (!NT_STATUS_IS_OK(status)) {
2131                 return status;
2132         }
2133
2134         /*
2135          * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2136          * on the policy handle. If it does, ask for
2137          * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2138          * on the account sid. We don't check here so just use the latter. JRA.
2139          */
2140
2141         status = access_check_object(psd, p->server_info->ptok,
2142                 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2143                 &acc_granted, "_lsa_AddAccountRights" );
2144
2145         if (!NT_STATUS_IS_OK(status)) {
2146                 return status;
2147         }
2148
2149         /* according to an NT4 PDC, you can add privileges to SIDs even without
2150            call_lsa_create_account() first.  And you can use any arbitrary SID. */
2151
2152         sid_copy( &sid, r->in.sid );
2153
2154         for ( i=0; i < r->in.rights->count; i++ ) {
2155
2156                 const char *privname = r->in.rights->names[i].string;
2157
2158                 /* only try to add non-null strings */
2159
2160                 if ( !privname )
2161                         continue;
2162
2163                 if ( !grant_privilege_by_name( &sid, privname ) ) {
2164                         DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2165                                 privname ));
2166                         return NT_STATUS_NO_SUCH_PRIVILEGE;
2167                 }
2168         }
2169
2170         return NT_STATUS_OK;
2171 }
2172
2173 /***************************************************************************
2174  _lsa_RemoveAccountRights
2175  ***************************************************************************/
2176
2177 NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
2178                                   struct lsa_RemoveAccountRights *r)
2179 {
2180         struct lsa_info *info = NULL;
2181         int i = 0;
2182         SEC_DESC *psd = NULL;
2183         size_t sd_size;
2184         DOM_SID sid;
2185         const char *privname = NULL;
2186         uint32_t acc_granted = 0;
2187         NTSTATUS status;
2188
2189         /* find the connection policy handle. */
2190         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2191                 return NT_STATUS_INVALID_HANDLE;
2192
2193         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2194                 return NT_STATUS_INVALID_HANDLE;
2195         }
2196
2197         /* get the generic lsa account SD for this SID until we store it */
2198         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2199                                 &lsa_account_mapping,
2200                                 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2201         if (!NT_STATUS_IS_OK(status)) {
2202                 return status;
2203         }
2204
2205         /*
2206          * From the MS DOCs. We need
2207          * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2208          * and DELETE on the account sid.
2209          */
2210
2211         status = access_check_object(psd, p->server_info->ptok,
2212                 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2213                         LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
2214                 &acc_granted, "_lsa_AddAccountRights" );
2215
2216         if (!NT_STATUS_IS_OK(status)) {
2217                 return status;
2218         }
2219
2220         sid_copy( &sid, r->in.sid );
2221
2222         if ( r->in.remove_all ) {
2223                 if ( !revoke_all_privileges( &sid ) )
2224                         return NT_STATUS_ACCESS_DENIED;
2225
2226                 return NT_STATUS_OK;
2227         }
2228
2229         for ( i=0; i < r->in.rights->count; i++ ) {
2230
2231                 privname = r->in.rights->names[i].string;
2232
2233                 /* only try to add non-null strings */
2234
2235                 if ( !privname )
2236                         continue;
2237
2238                 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2239                         DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2240                                 privname ));
2241                         return NT_STATUS_NO_SUCH_PRIVILEGE;
2242                 }
2243         }
2244
2245         return NT_STATUS_OK;
2246 }
2247
2248 /*******************************************************************
2249 ********************************************************************/
2250
2251 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2252                                    struct lsa_RightSet *r,
2253                                    PRIVILEGE_SET *privileges)
2254 {
2255         uint32 i;
2256         const char *privname;
2257         const char **privname_array = NULL;
2258         int num_priv = 0;
2259
2260         for (i=0; i<privileges->count; i++) {
2261
2262                 privname = luid_to_privilege_name(&privileges->set[i].luid);
2263                 if (privname) {
2264                         if (!add_string_to_array(mem_ctx, privname,
2265                                                  &privname_array, &num_priv)) {
2266                                 return NT_STATUS_NO_MEMORY;
2267                         }
2268                 }
2269         }
2270
2271         if (num_priv) {
2272
2273                 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2274                                              num_priv);
2275                 if (!r->names) {
2276                         return NT_STATUS_NO_MEMORY;
2277                 }
2278
2279                 for (i=0; i<num_priv; i++) {
2280                         init_lsa_StringLarge(&r->names[i], privname_array[i]);
2281                 }
2282
2283                 r->count = num_priv;
2284         }
2285
2286         return NT_STATUS_OK;
2287 }
2288
2289 /***************************************************************************
2290  _lsa_EnumAccountRights
2291  ***************************************************************************/
2292
2293 NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
2294                                 struct lsa_EnumAccountRights *r)
2295 {
2296         NTSTATUS status;
2297         struct lsa_info *info = NULL;
2298         DOM_SID sid;
2299         PRIVILEGE_SET privileges;
2300         SE_PRIV mask;
2301
2302         /* find the connection policy handle. */
2303
2304         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2305                 return NT_STATUS_INVALID_HANDLE;
2306
2307         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2308                 return NT_STATUS_INVALID_HANDLE;
2309         }
2310
2311         if (!(info->access & LSA_ACCOUNT_VIEW)) {
2312                 return NT_STATUS_ACCESS_DENIED;
2313         }
2314
2315         /* according to an NT4 PDC, you can add privileges to SIDs even without
2316            call_lsa_create_account() first.  And you can use any arbitrary SID. */
2317
2318         sid_copy( &sid, r->in.sid );
2319
2320         /* according to MS-LSAD 3.1.4.5.10 it is required to return
2321          * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2322          * the lsa database */
2323
2324         if (!get_privileges_for_sids(&mask, &sid, 1)) {
2325                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2326         }
2327
2328         status = privilege_set_init(&privileges);
2329         if (!NT_STATUS_IS_OK(status)) {
2330                 return status;
2331         }
2332
2333         se_priv_to_privilege_set(&privileges, &mask);
2334
2335         DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2336                   sid_string_dbg(&sid), privileges.count));
2337
2338         status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2339
2340         privilege_set_free( &privileges );
2341
2342         return status;
2343 }
2344
2345 /***************************************************************************
2346  _lsa_LookupPrivValue
2347  ***************************************************************************/
2348
2349 NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
2350                               struct lsa_LookupPrivValue *r)
2351 {
2352         struct lsa_info *info = NULL;
2353         const char *name = NULL;
2354         LUID_ATTR priv_luid;
2355         SE_PRIV mask;
2356
2357         /* find the connection policy handle. */
2358
2359         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2360                 return NT_STATUS_INVALID_HANDLE;
2361
2362         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2363                 return NT_STATUS_INVALID_HANDLE;
2364         }
2365
2366         if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2367                 return NT_STATUS_ACCESS_DENIED;
2368
2369         name = r->in.name->string;
2370
2371         DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2372
2373         if ( !se_priv_from_name( name, &mask ) )
2374                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2375
2376         priv_luid = get_privilege_luid( &mask );
2377
2378         r->out.luid->low = priv_luid.luid.low;
2379         r->out.luid->high = priv_luid.luid.high;
2380
2381         return NT_STATUS_OK;
2382 }
2383
2384 /***************************************************************************
2385  _lsa_EnumAccountsWithUserRight
2386  ***************************************************************************/
2387
2388 NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p,
2389                                         struct lsa_EnumAccountsWithUserRight *r)
2390 {
2391         NTSTATUS status;
2392         struct lsa_info *info = NULL;
2393         struct dom_sid *sids = NULL;
2394         int num_sids = 0;
2395         uint32_t i;
2396         SE_PRIV mask;
2397
2398         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2399                 return NT_STATUS_INVALID_HANDLE;
2400         }
2401
2402         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2403                 return NT_STATUS_INVALID_HANDLE;
2404         }
2405
2406         if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2407                 return NT_STATUS_ACCESS_DENIED;
2408         }
2409
2410         if (!r->in.name || !r->in.name->string) {
2411                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2412         }
2413
2414         if (!se_priv_from_name(r->in.name->string, &mask)) {
2415                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2416         }
2417
2418         status = privilege_enum_sids(&mask, p->mem_ctx,
2419                                      &sids, &num_sids);
2420         if (!NT_STATUS_IS_OK(status)) {
2421                 return status;
2422         }
2423
2424         r->out.sids->num_sids = num_sids;
2425         r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2426                                          r->out.sids->num_sids);
2427
2428         for (i=0; i < r->out.sids->num_sids; i++) {
2429                 r->out.sids->sids[i].sid = sid_dup_talloc(r->out.sids->sids,
2430                                                           &sids[i]);
2431                 if (!r->out.sids->sids[i].sid) {
2432                         TALLOC_FREE(r->out.sids->sids);
2433                         r->out.sids->num_sids = 0;
2434                         return NT_STATUS_NO_MEMORY;
2435                 }
2436         }
2437
2438         return NT_STATUS_OK;
2439 }
2440
2441 /***************************************************************************
2442  _lsa_Delete
2443  ***************************************************************************/
2444
2445 NTSTATUS _lsa_Delete(pipes_struct *p,
2446                      struct lsa_Delete *r)
2447 {
2448         return NT_STATUS_NOT_SUPPORTED;
2449 }
2450
2451 /*
2452  * From here on the server routines are just dummy ones to make smbd link with
2453  * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2454  * pulling the server stubs across one by one.
2455  */
2456
2457 NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
2458 {
2459         p->rng_fault_state = True;
2460         return NT_STATUS_NOT_IMPLEMENTED;
2461 }
2462
2463 NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
2464 {
2465         p->rng_fault_state = True;
2466         return NT_STATUS_NOT_IMPLEMENTED;
2467 }
2468
2469 NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
2470 {
2471         p->rng_fault_state = True;
2472         return NT_STATUS_NOT_IMPLEMENTED;
2473 }
2474
2475 NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
2476 {
2477         p->rng_fault_state = True;
2478         return NT_STATUS_NOT_IMPLEMENTED;
2479 }
2480
2481 NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
2482 {
2483         p->rng_fault_state = True;
2484         return NT_STATUS_NOT_IMPLEMENTED;
2485 }
2486
2487 NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
2488 {
2489         p->rng_fault_state = True;
2490         return NT_STATUS_NOT_IMPLEMENTED;
2491 }
2492
2493 NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
2494 {
2495         p->rng_fault_state = True;
2496         return NT_STATUS_NOT_IMPLEMENTED;
2497 }
2498
2499 NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
2500 {
2501         p->rng_fault_state = True;
2502         return NT_STATUS_NOT_IMPLEMENTED;
2503 }
2504
2505 NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
2506 {
2507         p->rng_fault_state = True;
2508         return NT_STATUS_NOT_IMPLEMENTED;
2509 }
2510
2511 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
2512 {
2513         p->rng_fault_state = True;
2514         return NT_STATUS_NOT_IMPLEMENTED;
2515 }
2516
2517 NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
2518 {
2519         p->rng_fault_state = True;
2520         return NT_STATUS_NOT_IMPLEMENTED;
2521 }
2522
2523 NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
2524 {
2525         p->rng_fault_state = True;
2526         return NT_STATUS_NOT_IMPLEMENTED;
2527 }
2528
2529 NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
2530 {
2531         p->rng_fault_state = True;
2532         return NT_STATUS_NOT_IMPLEMENTED;
2533 }
2534
2535 NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
2536 {
2537         p->rng_fault_state = True;
2538         return NT_STATUS_NOT_IMPLEMENTED;
2539 }
2540
2541 NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
2542 {
2543         p->rng_fault_state = True;
2544         return NT_STATUS_NOT_IMPLEMENTED;
2545 }
2546
2547 NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
2548 {
2549         p->rng_fault_state = True;
2550         return NT_STATUS_NOT_IMPLEMENTED;
2551 }
2552
2553 NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
2554 {
2555         p->rng_fault_state = True;
2556         return NT_STATUS_NOT_IMPLEMENTED;
2557 }
2558
2559 NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
2560 {
2561         p->rng_fault_state = True;
2562         return NT_STATUS_NOT_IMPLEMENTED;
2563 }
2564
2565 NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
2566 {
2567         p->rng_fault_state = True;
2568         return NT_STATUS_NOT_IMPLEMENTED;
2569 }
2570
2571 NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
2572 {
2573         p->rng_fault_state = True;
2574         return NT_STATUS_NOT_IMPLEMENTED;
2575 }
2576
2577 NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
2578 {
2579         p->rng_fault_state = True;
2580         return NT_STATUS_NOT_IMPLEMENTED;
2581 }
2582
2583 NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
2584 {
2585         p->rng_fault_state = True;
2586         return NT_STATUS_NOT_IMPLEMENTED;
2587 }
2588
2589 NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
2590 {
2591         p->rng_fault_state = True;
2592         return NT_STATUS_NOT_IMPLEMENTED;
2593 }
2594
2595 NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
2596 {
2597         p->rng_fault_state = True;
2598         return NT_STATUS_NOT_IMPLEMENTED;
2599 }
2600
2601 NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
2602 {
2603         p->rng_fault_state = True;
2604         return NT_STATUS_NOT_IMPLEMENTED;
2605 }
2606
2607 NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
2608 {
2609         p->rng_fault_state = True;
2610         return NT_STATUS_NOT_IMPLEMENTED;
2611 }
2612
2613 NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
2614 {
2615         p->rng_fault_state = True;
2616         return NT_STATUS_NOT_IMPLEMENTED;
2617 }
2618
2619 NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2620 {
2621         p->rng_fault_state = True;
2622         return NT_STATUS_NOT_IMPLEMENTED;
2623 }
2624
2625 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2626 {
2627         p->rng_fault_state = True;
2628         return NT_STATUS_NOT_IMPLEMENTED;
2629 }
2630
2631 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2632 {
2633         p->rng_fault_state = True;
2634         return NT_STATUS_NOT_IMPLEMENTED;
2635 }
2636
2637 NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
2638 {
2639         p->rng_fault_state = True;
2640         return NT_STATUS_NOT_IMPLEMENTED;
2641 }
2642
2643 NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
2644 {
2645         p->rng_fault_state = True;
2646         return NT_STATUS_NOT_IMPLEMENTED;
2647 }
2648
2649 NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
2650 {
2651         p->rng_fault_state = True;
2652         return NT_STATUS_NOT_IMPLEMENTED;
2653 }
2654
2655 NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
2656 {
2657         p->rng_fault_state = True;
2658         return NT_STATUS_NOT_IMPLEMENTED;
2659 }
2660
2661 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
2662 {
2663         p->rng_fault_state = True;
2664         return NT_STATUS_NOT_IMPLEMENTED;
2665 }
2666
2667 NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
2668 {
2669         p->rng_fault_state = True;
2670         return NT_STATUS_NOT_IMPLEMENTED;
2671 }
2672
2673 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
2674 {
2675         p->rng_fault_state = True;
2676         return NT_STATUS_NOT_IMPLEMENTED;
2677 }
2678
2679 NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
2680 {
2681         p->rng_fault_state = True;
2682         return NT_STATUS_NOT_IMPLEMENTED;
2683 }
2684
2685 NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2686 {
2687         p->rng_fault_state = True;
2688         return NT_STATUS_NOT_IMPLEMENTED;
2689 }
2690
2691 NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
2692 {
2693         p->rng_fault_state = True;
2694         return NT_STATUS_NOT_IMPLEMENTED;
2695 }
2696
2697 NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
2698 {
2699         p->rng_fault_state = True;
2700         return NT_STATUS_NOT_IMPLEMENTED;
2701 }
2702
2703 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2704 {
2705         p->rng_fault_state = True;
2706         return NT_STATUS_NOT_IMPLEMENTED;
2707 }
2708
2709 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2710 {
2711         p->rng_fault_state = True;
2712         return NT_STATUS_NOT_IMPLEMENTED;
2713 }
2714
2715 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
2716 {
2717         p->rng_fault_state = True;
2718         return NT_STATUS_NOT_IMPLEMENTED;
2719 }