2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
29 /* This is the implementation of the lsa server code. */
34 #define DBGC_CLASS DBGC_RPC_SRV
36 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
40 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
45 enum lsa_handle_type type;
48 const struct generic_mapping lsa_account_mapping = {
52 LSA_ACCOUNT_ALL_ACCESS
55 const struct generic_mapping lsa_policy_mapping = {
62 /***************************************************************************
63 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
64 ***************************************************************************/
66 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
67 struct lsa_RefDomainList *ref,
73 if (dom_name != NULL) {
74 for (num = 0; num < ref->count; num++) {
75 if (sid_equal(dom_sid, ref->domains[num].sid)) {
83 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
84 /* index not found, already at maximum domain limit */
89 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
91 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
92 struct lsa_DomainInfo, ref->count);
97 ZERO_STRUCT(ref->domains[num]);
99 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
100 ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
101 if (!ref->domains[num].sid) {
109 /***************************************************************************
110 initialize a lsa_DomainInfo structure.
111 ***************************************************************************/
113 static void init_dom_query_3(struct lsa_DomainInfo *r,
117 init_lsa_StringLarge(&r->name, name);
121 /***************************************************************************
122 initialize a lsa_DomainInfo structure.
123 ***************************************************************************/
125 static void init_dom_query_5(struct lsa_DomainInfo *r,
129 init_lsa_StringLarge(&r->name, name);
133 /***************************************************************************
134 lookup_lsa_rids. Must be called as root for lookup_name to work.
135 ***************************************************************************/
137 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
138 struct lsa_RefDomainList *ref,
139 struct lsa_TranslatedSid *prid,
140 uint32_t num_entries,
141 struct lsa_String *name,
143 uint32_t *pmapped_count)
145 uint32 mapped_count, i;
147 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
152 for (i = 0; i < num_entries; i++) {
156 const char *full_name;
158 enum lsa_SidType type = SID_NAME_UNKNOWN;
160 /* Split name into domain and user component */
162 full_name = name[i].string;
163 if (full_name == NULL) {
164 return NT_STATUS_NO_MEMORY;
167 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
169 /* We can ignore the result of lookup_name, it will not touch
170 "type" if it's not successful */
172 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
177 case SID_NAME_DOM_GRP:
178 case SID_NAME_DOMAIN:
180 case SID_NAME_WKN_GRP:
181 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
182 /* Leave these unchanged */
185 /* Don't hand out anything but the list above */
186 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
187 type = SID_NAME_UNKNOWN;
194 if (type != SID_NAME_UNKNOWN) {
195 sid_split_rid(&sid, &rid);
196 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
200 prid[i].sid_type = type;
202 prid[i].sid_index = dom_idx;
205 *pmapped_count = mapped_count;
209 /***************************************************************************
210 lookup_lsa_sids. Must be called as root for lookup_name to work.
211 ***************************************************************************/
213 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
214 struct lsa_RefDomainList *ref,
215 struct lsa_TranslatedSid3 *trans_sids,
216 uint32_t num_entries,
217 struct lsa_String *name,
219 uint32 *pmapped_count)
221 uint32 mapped_count, i;
223 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
228 for (i = 0; i < num_entries; i++) {
232 const char *full_name;
234 enum lsa_SidType type = SID_NAME_UNKNOWN;
238 /* Split name into domain and user component */
240 full_name = name[i].string;
241 if (full_name == NULL) {
242 return NT_STATUS_NO_MEMORY;
245 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
247 /* We can ignore the result of lookup_name, it will not touch
248 "type" if it's not successful */
250 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
255 case SID_NAME_DOM_GRP:
256 case SID_NAME_DOMAIN:
258 case SID_NAME_WKN_GRP:
259 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
260 /* Leave these unchanged */
263 /* Don't hand out anything but the list above */
264 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
265 type = SID_NAME_UNKNOWN;
272 if (type != SID_NAME_UNKNOWN) {
274 sid_copy(&domain_sid, &sid);
275 sid_split_rid(&domain_sid, &rid);
276 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
280 /* Initialize the lsa_TranslatedSid3 return. */
281 trans_sids[i].sid_type = type;
282 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
283 trans_sids[i].sid_index = dom_idx;
286 *pmapped_count = mapped_count;
290 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size,
291 const struct generic_mapping *map,
292 DOM_SID *sid, uint32_t sid_access)
300 /* READ|EXECUTE access for Everyone */
302 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
303 map->generic_execute | map->generic_read, 0);
305 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
307 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
308 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
309 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
310 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
312 /* Add Full Access for Domain Admins */
313 sid_copy(&adm_sid, get_global_sam_sid());
314 sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
315 init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
316 map->generic_all, 0);
318 /* If we have a sid, give it some special access */
321 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
325 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
326 return NT_STATUS_NO_MEMORY;
328 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
329 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
330 psa, sd_size)) == NULL)
331 return NT_STATUS_NO_MEMORY;
337 /***************************************************************************
339 ***************************************************************************/
341 NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
342 struct lsa_OpenPolicy2 *r)
344 struct lsa_info *info;
345 SEC_DESC *psd = NULL;
347 uint32 des_access = r->in.access_mask;
351 /* Work out max allowed. */
352 map_max_allowed_access(p->server_info->ptok,
353 &p->server_info->utok,
356 /* map the generic bits to the lsa policy ones */
357 se_map_generic(&des_access, &lsa_policy_mapping);
359 /* get the generic lsa policy SD until we store it */
360 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
362 if (!NT_STATUS_IS_OK(status)) {
366 status = access_check_object(psd, p->server_info->ptok,
368 &acc_granted, "_lsa_OpenPolicy2" );
370 if (!NT_STATUS_IS_OK(status)) {
374 /* associate the domain SID with the (unique) handle. */
375 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
377 return NT_STATUS_NO_MEMORY;
380 sid_copy(&info->sid,get_global_sam_sid());
381 info->access = acc_granted;
382 info->type = LSA_HANDLE_POLICY_TYPE;
384 /* set up the LSA QUERY INFO response */
385 if (!create_policy_hnd(p, r->out.handle, info))
386 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
391 /***************************************************************************
393 ***************************************************************************/
395 NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
396 struct lsa_OpenPolicy *r)
398 struct lsa_OpenPolicy2 o;
400 o.in.system_name = NULL; /* should be ignored */
401 o.in.attr = r->in.attr;
402 o.in.access_mask = r->in.access_mask;
404 o.out.handle = r->out.handle;
406 return _lsa_OpenPolicy2(p, &o);
409 /***************************************************************************
410 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
412 ***************************************************************************/
414 NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
415 struct lsa_EnumTrustDom *r)
417 struct lsa_info *info;
419 struct trustdom_info **domains;
420 struct lsa_DomainInfo *lsa_domains = NULL;
424 * preferred length is set to 5 as a "our" preferred length
425 * nt sets this parameter to 2
426 * update (20.08.2002): it's not preferred length, but preferred size!
427 * it needs further investigation how to optimally choose this value
429 uint32 max_num_domains =
430 r->in.max_size < 5 ? r->in.max_size : 10;
435 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
436 return NT_STATUS_INVALID_HANDLE;
438 if (info->type != LSA_HANDLE_POLICY_TYPE) {
439 return NT_STATUS_INVALID_HANDLE;
442 /* check if the user has enough rights */
443 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
444 return NT_STATUS_ACCESS_DENIED;
447 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
450 if (!NT_STATUS_IS_OK(nt_status)) {
454 if (*r->in.resume_handle < num_domains) {
455 num_thistime = MIN(num_domains, max_num_domains);
457 nt_status = STATUS_MORE_ENTRIES;
459 if (*r->in.resume_handle + num_thistime > num_domains) {
460 num_thistime = num_domains - *r->in.resume_handle;
461 nt_status = NT_STATUS_OK;
464 next_idx = *r->in.resume_handle + num_thistime;
467 next_idx = 0xffffffff;
468 nt_status = NT_STATUS_NO_MORE_ENTRIES;
471 /* set up the lsa_enum_trust_dom response */
473 lsa_domains = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo,
476 return NT_STATUS_NO_MEMORY;
479 for (i=0; i<num_thistime; i++) {
480 init_lsa_StringLarge(&lsa_domains[i].name, domains[i]->name);
481 lsa_domains[i].sid = &domains[i]->sid;
484 *r->out.resume_handle = next_idx;
485 r->out.domains->count = num_thistime;
486 r->out.domains->domains = lsa_domains;
491 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
492 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
493 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
495 /***************************************************************************
497 ***************************************************************************/
499 NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
500 struct lsa_QueryInfoPolicy *r)
502 NTSTATUS status = NT_STATUS_OK;
503 struct lsa_info *handle;
507 union lsa_PolicyInformation *info = NULL;
508 uint32_t acc_required = 0;
510 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
511 return NT_STATUS_INVALID_HANDLE;
513 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
514 return NT_STATUS_INVALID_HANDLE;
517 switch (r->in.level) {
518 case LSA_POLICY_INFO_AUDIT_LOG:
519 case LSA_POLICY_INFO_AUDIT_EVENTS:
520 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
522 case LSA_POLICY_INFO_DOMAIN:
523 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
525 case LSA_POLICY_INFO_PD:
526 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
528 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
529 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
531 case LSA_POLICY_INFO_ROLE:
532 case LSA_POLICY_INFO_REPLICA:
533 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
535 case LSA_POLICY_INFO_QUOTA:
536 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
538 case LSA_POLICY_INFO_MOD:
539 case LSA_POLICY_INFO_AUDIT_FULL_SET:
540 /* according to MS-LSAD 3.1.4.4.3 */
541 return NT_STATUS_INVALID_PARAMETER;
542 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
543 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
545 case LSA_POLICY_INFO_DNS:
546 case LSA_POLICY_INFO_DNS_INT:
547 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
548 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
554 if (!(handle->access & acc_required)) {
555 /* return NT_STATUS_ACCESS_DENIED; */
558 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
560 return NT_STATUS_NO_MEMORY;
563 switch (r->in.level) {
564 case LSA_POLICY_INFO_AUDIT_EVENTS:
567 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
569 /* check if the user has enough rights */
570 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
571 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
572 return NT_STATUS_ACCESS_DENIED;
575 /* fake info: We audit everything. ;) */
577 info->audit_events.auditing_mode = true;
578 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
579 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
580 enum lsa_PolicyAuditPolicy,
581 info->audit_events.count);
582 if (!info->audit_events.settings) {
583 return NT_STATUS_NO_MEMORY;
586 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
587 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
588 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
589 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
590 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
591 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
592 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
596 case LSA_POLICY_INFO_DOMAIN:
597 /* check if the user has enough rights */
598 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
599 return NT_STATUS_ACCESS_DENIED;
601 /* Request PolicyPrimaryDomainInformation. */
602 switch (lp_server_role()) {
603 case ROLE_DOMAIN_PDC:
604 case ROLE_DOMAIN_BDC:
605 name = get_global_sam_name();
606 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
608 return NT_STATUS_NO_MEMORY;
611 case ROLE_DOMAIN_MEMBER:
612 name = lp_workgroup();
613 /* We need to return the Domain SID here. */
614 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
615 sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
617 return NT_STATUS_NO_MEMORY;
620 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
623 case ROLE_STANDALONE:
624 name = lp_workgroup();
628 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
630 init_dom_query_3(&info->domain, name, sid);
632 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
633 /* check if the user has enough rights */
634 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
635 return NT_STATUS_ACCESS_DENIED;
637 /* Request PolicyAccountDomainInformation. */
638 name = get_global_sam_name();
639 sid = get_global_sam_sid();
641 init_dom_query_5(&info->account_domain, name, sid);
643 case LSA_POLICY_INFO_ROLE:
644 /* check if the user has enough rights */
645 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
646 return NT_STATUS_ACCESS_DENIED;
648 switch (lp_server_role()) {
649 case ROLE_DOMAIN_BDC:
651 * only a BDC is a backup controller
652 * of the domain, it controls.
654 info->role.role = LSA_ROLE_BACKUP;
658 * any other role is a primary
659 * of the domain, it controls.
661 info->role.role = LSA_ROLE_PRIMARY;
665 case LSA_POLICY_INFO_DNS:
666 case LSA_POLICY_INFO_DNS_INT: {
667 struct pdb_domain_info *dominfo;
669 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
670 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
671 "without ADS passdb backend\n"));
672 status = NT_STATUS_INVALID_INFO_CLASS;
676 dominfo = pdb_get_domain_info(info);
677 if (dominfo == NULL) {
678 status = NT_STATUS_NO_MEMORY;
682 init_lsa_StringLarge(&info->dns.name,
684 init_lsa_StringLarge(&info->dns.dns_domain,
685 dominfo->dns_domain);
686 init_lsa_StringLarge(&info->dns.dns_forest,
687 dominfo->dns_forest);
688 info->dns.domain_guid = dominfo->guid;
689 info->dns.sid = &dominfo->sid;
693 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
695 status = NT_STATUS_INVALID_INFO_CLASS;
704 /***************************************************************************
705 _lsa_QueryInfoPolicy2
706 ***************************************************************************/
708 NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p,
709 struct lsa_QueryInfoPolicy2 *r2)
711 struct lsa_QueryInfoPolicy r;
713 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
714 p->rng_fault_state = True;
715 return NT_STATUS_NOT_IMPLEMENTED;
719 r.in.handle = r2->in.handle;
720 r.in.level = r2->in.level;
721 r.out.info = r2->out.info;
723 return _lsa_QueryInfoPolicy(p, &r);
726 /***************************************************************************
727 _lsa_lookup_sids_internal
728 ***************************************************************************/
730 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
732 uint16_t level, /* input */
733 int num_sids, /* input */
734 struct lsa_SidPtr *sid, /* input */
735 struct lsa_RefDomainList **pp_ref, /* input/output */
736 struct lsa_TranslatedName2 **pp_names,/* input/output */
737 uint32_t *pp_mapped_count) /* input/output */
741 const DOM_SID **sids = NULL;
742 struct lsa_RefDomainList *ref = NULL;
743 uint32 mapped_count = 0;
744 struct lsa_dom_info *dom_infos = NULL;
745 struct lsa_name_info *name_infos = NULL;
746 struct lsa_TranslatedName2 *names = NULL;
748 *pp_mapped_count = 0;
756 sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
757 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
759 if (sids == NULL || ref == NULL) {
760 return NT_STATUS_NO_MEMORY;
763 for (i=0; i<num_sids; i++) {
764 sids[i] = sid[i].sid;
767 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
768 &dom_infos, &name_infos);
770 if (!NT_STATUS_IS_OK(status)) {
774 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
776 return NT_STATUS_NO_MEMORY;
779 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
781 if (!dom_infos[i].valid) {
785 if (init_lsa_ref_domain_list(mem_ctx, ref,
787 &dom_infos[i].sid) != i) {
788 DEBUG(0, ("Domain %s mentioned twice??\n",
790 return NT_STATUS_INTERNAL_ERROR;
794 for (i=0; i<num_sids; i++) {
795 struct lsa_name_info *name = &name_infos[i];
797 if (name->type == SID_NAME_UNKNOWN) {
800 /* Unknown sids should return the string
801 * representation of the SID. Windows 2003 behaves
802 * rather erratic here, in many cases it returns the
803 * RID as 8 bytes hex, in others it returns the full
804 * SID. We (Jerry/VL) could not figure out which the
805 * hard cases are, so leave it with the SID. */
806 name->name = talloc_asprintf(p->mem_ctx, "%s",
809 if (name->name == NULL) {
810 return NT_STATUS_NO_MEMORY;
816 names[i].sid_type = name->type;
817 names[i].name.string = name->name;
818 names[i].sid_index = name->dom_idx;
819 names[i].unknown = 0;
822 status = NT_STATUS_NONE_MAPPED;
823 if (mapped_count > 0) {
824 status = (mapped_count < num_sids) ?
825 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
828 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
829 num_sids, mapped_count, nt_errstr(status)));
831 *pp_mapped_count = mapped_count;
838 /***************************************************************************
840 ***************************************************************************/
842 NTSTATUS _lsa_LookupSids(pipes_struct *p,
843 struct lsa_LookupSids *r)
846 struct lsa_info *handle;
847 int num_sids = r->in.sids->num_sids;
848 uint32 mapped_count = 0;
849 struct lsa_RefDomainList *domains = NULL;
850 struct lsa_TranslatedName *names_out = NULL;
851 struct lsa_TranslatedName2 *names = NULL;
854 if ((r->in.level < 1) || (r->in.level > 6)) {
855 return NT_STATUS_INVALID_PARAMETER;
858 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
859 return NT_STATUS_INVALID_HANDLE;
862 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
863 return NT_STATUS_INVALID_HANDLE;
866 /* check if the user has enough rights */
867 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
868 return NT_STATUS_ACCESS_DENIED;
871 if (num_sids > MAX_LOOKUP_SIDS) {
872 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
873 MAX_LOOKUP_SIDS, num_sids));
874 return NT_STATUS_NONE_MAPPED;
877 status = _lsa_lookup_sids_internal(p,
886 /* Only return here when there is a real error.
887 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
888 the requested sids could be resolved. Older versions of XP (pre SP3)
889 rely that we return with the string representations of those SIDs in
890 that case. If we don't, XP crashes - Guenther
893 if (NT_STATUS_IS_ERR(status) &&
894 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
898 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
899 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
902 return NT_STATUS_NO_MEMORY;
905 for (i=0; i<num_sids; i++) {
906 names_out[i].sid_type = names[i].sid_type;
907 names_out[i].name = names[i].name;
908 names_out[i].sid_index = names[i].sid_index;
911 *r->out.domains = domains;
912 r->out.names->count = num_sids;
913 r->out.names->names = names_out;
914 *r->out.count = mapped_count;
919 /***************************************************************************
921 ***************************************************************************/
923 NTSTATUS _lsa_LookupSids2(pipes_struct *p,
924 struct lsa_LookupSids2 *r)
927 struct lsa_info *handle;
928 int num_sids = r->in.sids->num_sids;
929 uint32 mapped_count = 0;
930 struct lsa_RefDomainList *domains = NULL;
931 struct lsa_TranslatedName2 *names = NULL;
932 bool check_policy = true;
934 switch (p->hdr_req.opnum) {
935 case NDR_LSA_LOOKUPSIDS3:
936 check_policy = false;
938 case NDR_LSA_LOOKUPSIDS2:
943 if ((r->in.level < 1) || (r->in.level > 6)) {
944 return NT_STATUS_INVALID_PARAMETER;
948 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
949 return NT_STATUS_INVALID_HANDLE;
952 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
953 return NT_STATUS_INVALID_HANDLE;
956 /* check if the user has enough rights */
957 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
958 return NT_STATUS_ACCESS_DENIED;
962 if (num_sids > MAX_LOOKUP_SIDS) {
963 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
964 MAX_LOOKUP_SIDS, num_sids));
965 return NT_STATUS_NONE_MAPPED;
968 status = _lsa_lookup_sids_internal(p,
977 *r->out.domains = domains;
978 r->out.names->count = num_sids;
979 r->out.names->names = names;
980 *r->out.count = mapped_count;
985 /***************************************************************************
987 ***************************************************************************/
989 NTSTATUS _lsa_LookupSids3(pipes_struct *p,
990 struct lsa_LookupSids3 *r)
992 struct lsa_LookupSids2 q;
994 /* No policy handle on this call. Restrict to crypto connections. */
995 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
996 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
997 get_remote_machine_name() ));
998 return NT_STATUS_INVALID_PARAMETER;
1002 q.in.sids = r->in.sids;
1003 q.in.level = r->in.level;
1004 q.in.unknown1 = r->in.unknown1;
1005 q.in.unknown2 = r->in.unknown2;
1006 q.in.names = r->in.names;
1007 q.in.count = r->in.count;
1009 q.out.domains = r->out.domains;
1010 q.out.names = r->out.names;
1011 q.out.count = r->out.count;
1013 return _lsa_LookupSids2(p, &q);
1016 /***************************************************************************
1017 ***************************************************************************/
1019 static int lsa_lookup_level_to_flags(uint16 level)
1025 flags = LOOKUP_NAME_ALL;
1028 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1031 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1037 flags = LOOKUP_NAME_NONE;
1044 /***************************************************************************
1046 ***************************************************************************/
1048 NTSTATUS _lsa_LookupNames(pipes_struct *p,
1049 struct lsa_LookupNames *r)
1051 NTSTATUS status = NT_STATUS_NONE_MAPPED;
1052 struct lsa_info *handle;
1053 struct lsa_String *names = r->in.names;
1054 uint32 num_entries = r->in.num_names;
1055 struct lsa_RefDomainList *domains = NULL;
1056 struct lsa_TranslatedSid *rids = NULL;
1057 uint32 mapped_count = 0;
1060 if (num_entries > MAX_LOOKUP_SIDS) {
1061 num_entries = MAX_LOOKUP_SIDS;
1062 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1066 flags = lsa_lookup_level_to_flags(r->in.level);
1068 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1070 return NT_STATUS_NO_MEMORY;
1074 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1077 return NT_STATUS_NO_MEMORY;
1083 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1084 status = NT_STATUS_INVALID_HANDLE;
1088 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1089 return NT_STATUS_INVALID_HANDLE;
1092 /* check if the user has enough rights */
1093 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1094 status = NT_STATUS_ACCESS_DENIED;
1098 /* set up the LSA Lookup RIDs response */
1099 become_root(); /* lookup_name can require root privs */
1100 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1101 names, flags, &mapped_count);
1106 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1107 if (mapped_count == 0) {
1108 status = NT_STATUS_NONE_MAPPED;
1109 } else if (mapped_count != num_entries) {
1110 status = STATUS_SOME_UNMAPPED;
1114 *r->out.count = mapped_count;
1115 *r->out.domains = domains;
1116 r->out.sids->sids = rids;
1117 r->out.sids->count = num_entries;
1122 /***************************************************************************
1124 ***************************************************************************/
1126 NTSTATUS _lsa_LookupNames2(pipes_struct *p,
1127 struct lsa_LookupNames2 *r)
1130 struct lsa_LookupNames q;
1131 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1132 struct lsa_TransSidArray *sid_array = NULL;
1135 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1137 return NT_STATUS_NO_MEMORY;
1140 q.in.handle = r->in.handle;
1141 q.in.num_names = r->in.num_names;
1142 q.in.names = r->in.names;
1143 q.in.level = r->in.level;
1144 q.in.sids = sid_array;
1145 q.in.count = r->in.count;
1146 /* we do not know what this is for */
1147 /* = r->in.unknown1; */
1148 /* = r->in.unknown2; */
1150 q.out.domains = r->out.domains;
1151 q.out.sids = sid_array;
1152 q.out.count = r->out.count;
1154 status = _lsa_LookupNames(p, &q);
1156 sid_array2->count = sid_array->count;
1157 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1158 if (!sid_array2->sids) {
1159 return NT_STATUS_NO_MEMORY;
1162 for (i=0; i<sid_array->count; i++) {
1163 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1164 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1165 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1166 sid_array2->sids[i].unknown = 0;
1169 r->out.sids = sid_array2;
1174 /***************************************************************************
1176 ***************************************************************************/
1178 NTSTATUS _lsa_LookupNames3(pipes_struct *p,
1179 struct lsa_LookupNames3 *r)
1182 struct lsa_info *handle;
1183 struct lsa_String *names = r->in.names;
1184 uint32 num_entries = r->in.num_names;
1185 struct lsa_RefDomainList *domains = NULL;
1186 struct lsa_TranslatedSid3 *trans_sids = NULL;
1187 uint32 mapped_count = 0;
1189 bool check_policy = true;
1191 switch (p->hdr_req.opnum) {
1192 case NDR_LSA_LOOKUPNAMES4:
1193 check_policy = false;
1195 case NDR_LSA_LOOKUPNAMES3:
1197 check_policy = true;
1200 if (num_entries > MAX_LOOKUP_SIDS) {
1201 num_entries = MAX_LOOKUP_SIDS;
1202 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1205 /* Probably the lookup_level is some sort of bitmask. */
1206 if (r->in.level == 1) {
1207 flags = LOOKUP_NAME_ALL;
1210 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1212 return NT_STATUS_NO_MEMORY;
1216 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1219 return NT_STATUS_NO_MEMORY;
1227 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1228 status = NT_STATUS_INVALID_HANDLE;
1232 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1233 return NT_STATUS_INVALID_HANDLE;
1236 /* check if the user has enough rights */
1237 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1238 status = NT_STATUS_ACCESS_DENIED;
1243 /* set up the LSA Lookup SIDs response */
1244 become_root(); /* lookup_name can require root privs */
1245 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1246 names, flags, &mapped_count);
1251 if (NT_STATUS_IS_OK(status)) {
1252 if (mapped_count == 0) {
1253 status = NT_STATUS_NONE_MAPPED;
1254 } else if (mapped_count != num_entries) {
1255 status = STATUS_SOME_UNMAPPED;
1259 *r->out.count = mapped_count;
1260 *r->out.domains = domains;
1261 r->out.sids->sids = trans_sids;
1262 r->out.sids->count = num_entries;
1267 /***************************************************************************
1269 ***************************************************************************/
1271 NTSTATUS _lsa_LookupNames4(pipes_struct *p,
1272 struct lsa_LookupNames4 *r)
1274 struct lsa_LookupNames3 q;
1276 /* No policy handle on this call. Restrict to crypto connections. */
1277 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1278 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1279 get_remote_machine_name() ));
1280 return NT_STATUS_INVALID_PARAMETER;
1284 q.in.num_names = r->in.num_names;
1285 q.in.names = r->in.names;
1286 q.in.level = r->in.level;
1287 q.in.lookup_options = r->in.lookup_options;
1288 q.in.client_revision = r->in.client_revision;
1289 q.in.sids = r->in.sids;
1290 q.in.count = r->in.count;
1292 q.out.domains = r->out.domains;
1293 q.out.sids = r->out.sids;
1294 q.out.count = r->out.count;
1296 return _lsa_LookupNames3(p, &q);
1299 /***************************************************************************
1300 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1301 ***************************************************************************/
1303 NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
1305 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1306 return NT_STATUS_INVALID_HANDLE;
1309 close_policy_hnd(p, r->in.handle);
1310 ZERO_STRUCTP(r->out.handle);
1311 return NT_STATUS_OK;
1314 /***************************************************************************
1315 ***************************************************************************/
1317 NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
1319 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1322 /***************************************************************************
1323 ***************************************************************************/
1325 NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
1327 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1330 /***************************************************************************
1331 ***************************************************************************/
1333 NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
1335 return NT_STATUS_ACCESS_DENIED;
1338 /***************************************************************************
1339 ***************************************************************************/
1341 NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
1343 return NT_STATUS_ACCESS_DENIED;
1346 /***************************************************************************
1347 ***************************************************************************/
1349 NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
1351 return NT_STATUS_ACCESS_DENIED;
1354 /***************************************************************************
1356 ***************************************************************************/
1358 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
1359 struct lsa_DeleteObject *r)
1362 struct lsa_info *info = NULL;
1364 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1365 return NT_STATUS_INVALID_HANDLE;
1368 if (!(info->access & STD_RIGHT_DELETE_ACCESS)) {
1369 return NT_STATUS_ACCESS_DENIED;
1372 switch (info->type) {
1373 case LSA_HANDLE_ACCOUNT_TYPE:
1374 status = privilege_delete_account(&info->sid);
1375 if (!NT_STATUS_IS_OK(status)) {
1376 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1377 nt_errstr(status)));
1382 return NT_STATUS_INVALID_HANDLE;
1385 close_policy_hnd(p, r->in.handle);
1386 ZERO_STRUCTP(r->out.handle);
1391 /***************************************************************************
1393 ***************************************************************************/
1395 NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
1396 struct lsa_EnumPrivs *r)
1398 struct lsa_info *handle;
1400 uint32 enum_context = *r->in.resume_handle;
1401 int num_privs = count_all_privileges();
1402 struct lsa_PrivEntry *entries = NULL;
1405 /* remember that the enum_context starts at 0 and not 1 */
1407 if ( enum_context >= num_privs )
1408 return NT_STATUS_NO_MORE_ENTRIES;
1410 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1411 enum_context, num_privs));
1413 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1414 return NT_STATUS_INVALID_HANDLE;
1416 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1417 return NT_STATUS_INVALID_HANDLE;
1420 /* check if the user has enough rights
1421 I don't know if it's the right one. not documented. */
1423 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1424 return NT_STATUS_ACCESS_DENIED;
1427 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1429 return NT_STATUS_NO_MEMORY;
1435 for (i = 0; i < num_privs; i++) {
1436 if( i < enum_context) {
1438 init_lsa_StringLarge(&entries[i].name, NULL);
1440 entries[i].luid.low = 0;
1441 entries[i].luid.high = 0;
1444 init_lsa_StringLarge(&entries[i].name, privs[i].name);
1446 luid = get_privilege_luid( &privs[i].se_priv );
1448 entries[i].luid.low = luid.luid.low;
1449 entries[i].luid.high = luid.luid.high;
1453 enum_context = num_privs;
1455 *r->out.resume_handle = enum_context;
1456 r->out.privs->count = num_privs;
1457 r->out.privs->privs = entries;
1459 return NT_STATUS_OK;
1462 /***************************************************************************
1463 _lsa_LookupPrivDisplayName
1464 ***************************************************************************/
1466 NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
1467 struct lsa_LookupPrivDisplayName *r)
1469 struct lsa_info *handle;
1470 const char *description;
1471 struct lsa_StringLarge *lsa_name;
1473 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1474 return NT_STATUS_INVALID_HANDLE;
1476 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1477 return NT_STATUS_INVALID_HANDLE;
1480 /* check if the user has enough rights */
1483 * I don't know if it's the right one. not documented.
1485 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1486 return NT_STATUS_ACCESS_DENIED;
1488 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1490 description = get_privilege_dispname(r->in.name->string);
1492 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1493 return NT_STATUS_NO_SUCH_PRIVILEGE;
1496 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1498 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1500 return NT_STATUS_NO_MEMORY;
1503 init_lsa_StringLarge(lsa_name, description);
1505 *r->out.returned_language_id = r->in.language_id;
1506 *r->out.disp_name = lsa_name;
1508 return NT_STATUS_OK;
1511 /***************************************************************************
1513 ***************************************************************************/
1515 NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
1516 struct lsa_EnumAccounts *r)
1518 struct lsa_info *handle;
1520 int i, j, num_entries;
1522 struct lsa_SidPtr *sids = NULL;
1524 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1525 return NT_STATUS_INVALID_HANDLE;
1527 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1528 return NT_STATUS_INVALID_HANDLE;
1531 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1532 return NT_STATUS_ACCESS_DENIED;
1537 /* The only way we can currently find out all the SIDs that have been
1538 privileged is to scan all privileges */
1540 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1541 if (!NT_STATUS_IS_OK(status)) {
1545 if (*r->in.resume_handle >= num_entries) {
1546 return NT_STATUS_NO_MORE_ENTRIES;
1549 if (num_entries - *r->in.resume_handle) {
1550 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1551 num_entries - *r->in.resume_handle);
1553 talloc_free(sid_list);
1554 return NT_STATUS_NO_MEMORY;
1557 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1558 sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1560 talloc_free(sid_list);
1561 return NT_STATUS_NO_MEMORY;
1566 talloc_free(sid_list);
1568 *r->out.resume_handle = num_entries;
1569 r->out.sids->num_sids = num_entries;
1570 r->out.sids->sids = sids;
1572 return NT_STATUS_OK;
1575 /***************************************************************************
1577 ***************************************************************************/
1579 NTSTATUS _lsa_GetUserName(pipes_struct *p,
1580 struct lsa_GetUserName *r)
1582 const char *username, *domname;
1583 struct lsa_String *account_name = NULL;
1584 struct lsa_String *authority_name = NULL;
1586 if (r->in.account_name &&
1587 *r->in.account_name) {
1588 return NT_STATUS_INVALID_PARAMETER;
1591 if (r->in.authority_name &&
1592 *r->in.authority_name) {
1593 return NT_STATUS_INVALID_PARAMETER;
1596 if (p->server_info->guest) {
1598 * I'm 99% sure this is not the right place to do this,
1599 * global_sid_Anonymous should probably be put into the token
1600 * instead of the guest id -- vl
1602 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1603 &domname, &username, NULL)) {
1604 return NT_STATUS_NO_MEMORY;
1607 username = p->server_info->sanitized_username;
1608 domname = pdb_get_domain(p->server_info->sam_account);
1611 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1612 if (!account_name) {
1613 return NT_STATUS_NO_MEMORY;
1615 init_lsa_String(account_name, username);
1617 if (r->out.authority_name) {
1618 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1619 if (!authority_name) {
1620 return NT_STATUS_NO_MEMORY;
1622 init_lsa_String(authority_name, domname);
1625 *r->out.account_name = account_name;
1626 if (r->out.authority_name) {
1627 *r->out.authority_name = authority_name;
1630 return NT_STATUS_OK;
1633 /***************************************************************************
1635 ***************************************************************************/
1637 NTSTATUS _lsa_CreateAccount(pipes_struct *p,
1638 struct lsa_CreateAccount *r)
1640 struct lsa_info *handle;
1641 struct lsa_info *info;
1643 /* find the connection policy handle. */
1644 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1645 return NT_STATUS_INVALID_HANDLE;
1647 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1648 return NT_STATUS_INVALID_HANDLE;
1651 /* check if the user has enough rights */
1654 * I don't know if it's the right one. not documented.
1655 * but guessed with rpcclient.
1657 if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT))
1658 return NT_STATUS_ACCESS_DENIED;
1660 if ( is_privileged_sid( r->in.sid ) )
1661 return NT_STATUS_OBJECT_NAME_COLLISION;
1663 /* associate the user/group SID with the (unique) handle. */
1665 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1667 return NT_STATUS_NO_MEMORY;
1670 info->sid = *r->in.sid;
1671 info->access = r->in.access_mask;
1672 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1674 /* get a (unique) handle. open a policy on it. */
1675 if (!create_policy_hnd(p, r->out.acct_handle, info))
1676 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1678 return privilege_create_account( &info->sid );
1681 /***************************************************************************
1683 ***************************************************************************/
1685 NTSTATUS _lsa_OpenAccount(pipes_struct *p,
1686 struct lsa_OpenAccount *r)
1688 struct lsa_info *handle;
1689 struct lsa_info *info;
1690 SEC_DESC *psd = NULL;
1692 uint32_t des_access = r->in.access_mask;
1693 uint32_t acc_granted;
1696 /* find the connection policy handle. */
1697 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1698 return NT_STATUS_INVALID_HANDLE;
1700 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1701 return NT_STATUS_INVALID_HANDLE;
1704 /* des_access is for the account here, not the policy
1705 * handle - so don't check against policy handle. */
1707 /* Work out max allowed. */
1708 map_max_allowed_access(p->server_info->ptok,
1709 &p->server_info->utok,
1712 /* map the generic bits to the lsa account ones */
1713 se_map_generic(&des_access, &lsa_account_mapping);
1715 /* get the generic lsa account SD until we store it */
1716 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1717 &lsa_account_mapping,
1718 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1719 if (!NT_STATUS_IS_OK(status)) {
1723 status = access_check_object(psd, p->server_info->ptok,
1724 NULL, 0, des_access,
1725 &acc_granted, "_lsa_OpenAccount" );
1727 if (!NT_STATUS_IS_OK(status)) {
1731 /* TODO: Fis the parsing routine before reenabling this check! */
1733 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1734 return NT_STATUS_ACCESS_DENIED;
1736 /* associate the user/group SID with the (unique) handle. */
1737 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1739 return NT_STATUS_NO_MEMORY;
1742 info->sid = *r->in.sid;
1743 info->access = acc_granted;
1744 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1746 /* get a (unique) handle. open a policy on it. */
1747 if (!create_policy_hnd(p, r->out.acct_handle, info))
1748 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1750 return NT_STATUS_OK;
1753 /***************************************************************************
1754 _lsa_EnumPrivsAccount
1755 For a given SID, enumerate all the privilege this account has.
1756 ***************************************************************************/
1758 NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
1759 struct lsa_EnumPrivsAccount *r)
1761 NTSTATUS status = NT_STATUS_OK;
1762 struct lsa_info *info=NULL;
1764 PRIVILEGE_SET privileges;
1765 struct lsa_PrivilegeSet *priv_set = NULL;
1766 struct lsa_LUIDAttribute *luid_attrs = NULL;
1769 /* find the connection policy handle. */
1770 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1771 return NT_STATUS_INVALID_HANDLE;
1773 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1774 return NT_STATUS_INVALID_HANDLE;
1777 if (!(info->access & LSA_ACCOUNT_VIEW))
1778 return NT_STATUS_ACCESS_DENIED;
1780 get_privileges_for_sids(&mask, &info->sid, 1);
1782 privilege_set_init( &privileges );
1784 priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1786 status = NT_STATUS_NO_MEMORY;
1790 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1792 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1793 sid_string_dbg(&info->sid),
1796 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1797 struct lsa_LUIDAttribute,
1800 status = NT_STATUS_NO_MEMORY;
1804 for (i=0; i<privileges.count; i++) {
1805 luid_attrs[i].luid.low = privileges.set[i].luid.low;
1806 luid_attrs[i].luid.high = privileges.set[i].luid.high;
1807 luid_attrs[i].attribute = privileges.set[i].attr;
1810 priv_set->count = privileges.count;
1811 priv_set->unknown = 0;
1812 priv_set->set = luid_attrs;
1815 priv_set->count = 0;
1816 priv_set->unknown = 0;
1817 priv_set->set = NULL;
1820 *r->out.privs = priv_set;
1823 privilege_set_free( &privileges );
1828 /***************************************************************************
1829 _lsa_GetSystemAccessAccount
1830 ***************************************************************************/
1832 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
1833 struct lsa_GetSystemAccessAccount *r)
1836 struct lsa_info *info = NULL;
1837 struct lsa_EnumPrivsAccount e;
1838 struct lsa_PrivilegeSet *privset;
1840 /* find the connection policy handle. */
1842 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1843 return NT_STATUS_INVALID_HANDLE;
1845 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1846 return NT_STATUS_INVALID_HANDLE;
1849 if (!(info->access & LSA_ACCOUNT_VIEW))
1850 return NT_STATUS_ACCESS_DENIED;
1852 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1854 return NT_STATUS_NO_MEMORY;
1857 e.in.handle = r->in.handle;
1858 e.out.privs = &privset;
1860 status = _lsa_EnumPrivsAccount(p, &e);
1861 if (!NT_STATUS_IS_OK(status)) {
1862 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1863 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1864 nt_errstr(status)));
1868 /* Samba4 would iterate over the privset to merge the policy mode bits,
1869 * not sure samba3 can do the same here, so just return what we did in
1873 0x01 -> Log on locally
1874 0x02 -> Access this computer from network
1875 0x04 -> Log on as a batch job
1876 0x10 -> Log on as a service
1878 they can be ORed together
1881 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1882 LSA_POLICY_MODE_NETWORK;
1884 return NT_STATUS_OK;
1887 /***************************************************************************
1888 update the systemaccount information
1889 ***************************************************************************/
1891 NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
1892 struct lsa_SetSystemAccessAccount *r)
1894 struct lsa_info *info=NULL;
1897 /* find the connection policy handle. */
1898 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1899 return NT_STATUS_INVALID_HANDLE;
1901 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1902 return NT_STATUS_INVALID_HANDLE;
1905 if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1906 return NT_STATUS_ACCESS_DENIED;
1909 if (!pdb_getgrsid(&map, info->sid))
1910 return NT_STATUS_NO_SUCH_GROUP;
1912 return pdb_update_group_mapping_entry(&map);
1915 /***************************************************************************
1916 _lsa_AddPrivilegesToAccount
1917 For a given SID, add some privileges.
1918 ***************************************************************************/
1920 NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
1921 struct lsa_AddPrivilegesToAccount *r)
1923 struct lsa_info *info = NULL;
1925 struct lsa_PrivilegeSet *set = NULL;
1927 /* find the connection policy handle. */
1928 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1929 return NT_STATUS_INVALID_HANDLE;
1931 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1932 return NT_STATUS_INVALID_HANDLE;
1935 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1936 return NT_STATUS_ACCESS_DENIED;
1940 if ( !privilege_set_to_se_priv( &mask, set ) )
1941 return NT_STATUS_NO_SUCH_PRIVILEGE;
1943 if ( !grant_privilege( &info->sid, &mask ) ) {
1944 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1945 sid_string_dbg(&info->sid) ));
1946 DEBUG(3,("Privilege mask:\n"));
1947 dump_se_priv( DBGC_ALL, 3, &mask );
1948 return NT_STATUS_NO_SUCH_PRIVILEGE;
1951 return NT_STATUS_OK;
1954 /***************************************************************************
1955 _lsa_RemovePrivilegesFromAccount
1956 For a given SID, remove some privileges.
1957 ***************************************************************************/
1959 NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
1960 struct lsa_RemovePrivilegesFromAccount *r)
1962 struct lsa_info *info = NULL;
1964 struct lsa_PrivilegeSet *set = NULL;
1966 /* find the connection policy handle. */
1967 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1968 return NT_STATUS_INVALID_HANDLE;
1970 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1971 return NT_STATUS_INVALID_HANDLE;
1974 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1975 return NT_STATUS_ACCESS_DENIED;
1980 if ( !privilege_set_to_se_priv( &mask, set ) )
1981 return NT_STATUS_NO_SUCH_PRIVILEGE;
1983 if ( !revoke_privilege( &info->sid, &mask ) ) {
1984 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
1985 sid_string_dbg(&info->sid) ));
1986 DEBUG(3,("Privilege mask:\n"));
1987 dump_se_priv( DBGC_ALL, 3, &mask );
1988 return NT_STATUS_NO_SUCH_PRIVILEGE;
1991 return NT_STATUS_OK;
1994 /***************************************************************************
1996 ***************************************************************************/
1998 NTSTATUS _lsa_LookupPrivName(pipes_struct *p,
1999 struct lsa_LookupPrivName *r)
2001 struct lsa_info *info = NULL;
2003 struct lsa_StringLarge *lsa_name;
2005 /* find the connection policy handle. */
2006 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2007 return NT_STATUS_INVALID_HANDLE;
2010 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2011 return NT_STATUS_INVALID_HANDLE;
2014 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2015 return NT_STATUS_ACCESS_DENIED;
2018 name = luid_to_privilege_name((LUID *)r->in.luid);
2020 return NT_STATUS_NO_SUCH_PRIVILEGE;
2023 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2025 return NT_STATUS_NO_MEMORY;
2028 lsa_name->string = talloc_strdup(lsa_name, name);
2029 if (!lsa_name->string) {
2030 TALLOC_FREE(lsa_name);
2031 return NT_STATUS_NO_MEMORY;
2034 *r->out.name = lsa_name;
2036 return NT_STATUS_OK;
2039 /***************************************************************************
2041 ***************************************************************************/
2043 NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
2044 struct lsa_QuerySecurity *r)
2046 struct lsa_info *handle=NULL;
2047 SEC_DESC *psd = NULL;
2051 /* find the connection policy handle. */
2052 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2053 return NT_STATUS_INVALID_HANDLE;
2055 if (handle->type == LSA_HANDLE_POLICY_TYPE) {
2056 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2057 &lsa_policy_mapping, NULL, 0);
2058 } else if (handle->type == LSA_HANDLE_ACCOUNT_TYPE) {
2059 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2060 &lsa_account_mapping,
2061 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2063 status = NT_STATUS_INVALID_HANDLE;
2066 if (!NT_STATUS_IS_OK(status)) {
2070 *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2071 if (!*r->out.sdbuf) {
2072 return NT_STATUS_NO_MEMORY;
2078 /***************************************************************************
2079 _lsa_AddAccountRights
2080 ***************************************************************************/
2082 NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
2083 struct lsa_AddAccountRights *r)
2085 struct lsa_info *info = NULL;
2087 uint32_t acc_granted = 0;
2088 SEC_DESC *psd = NULL;
2093 /* find the connection policy handle. */
2094 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2095 return NT_STATUS_INVALID_HANDLE;
2097 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2098 return NT_STATUS_INVALID_HANDLE;
2101 /* get the generic lsa account SD for this SID until we store it */
2102 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2103 &lsa_account_mapping,
2104 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2105 if (!NT_STATUS_IS_OK(status)) {
2110 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2111 * on the policy handle. If it does, ask for
2112 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2113 * on the account sid. We don't check here so just use the latter. JRA.
2116 status = access_check_object(psd, p->server_info->ptok,
2117 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2118 &acc_granted, "_lsa_AddAccountRights" );
2120 if (!NT_STATUS_IS_OK(status)) {
2124 /* according to an NT4 PDC, you can add privileges to SIDs even without
2125 call_lsa_create_account() first. And you can use any arbitrary SID. */
2127 sid_copy( &sid, r->in.sid );
2129 for ( i=0; i < r->in.rights->count; i++ ) {
2131 const char *privname = r->in.rights->names[i].string;
2133 /* only try to add non-null strings */
2138 if ( !grant_privilege_by_name( &sid, privname ) ) {
2139 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2141 return NT_STATUS_NO_SUCH_PRIVILEGE;
2145 return NT_STATUS_OK;
2148 /***************************************************************************
2149 _lsa_RemoveAccountRights
2150 ***************************************************************************/
2152 NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
2153 struct lsa_RemoveAccountRights *r)
2155 struct lsa_info *info = NULL;
2157 SEC_DESC *psd = NULL;
2160 const char *privname = NULL;
2161 uint32_t acc_granted = 0;
2164 /* find the connection policy handle. */
2165 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2166 return NT_STATUS_INVALID_HANDLE;
2168 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2169 return NT_STATUS_INVALID_HANDLE;
2172 /* get the generic lsa account SD for this SID until we store it */
2173 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2174 &lsa_account_mapping,
2175 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2176 if (!NT_STATUS_IS_OK(status)) {
2181 * From the MS DOCs. We need
2182 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2183 * and DELETE on the account sid.
2186 status = access_check_object(psd, p->server_info->ptok,
2187 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2188 LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
2189 &acc_granted, "_lsa_AddAccountRights" );
2191 if (!NT_STATUS_IS_OK(status)) {
2195 sid_copy( &sid, r->in.sid );
2197 if ( r->in.remove_all ) {
2198 if ( !revoke_all_privileges( &sid ) )
2199 return NT_STATUS_ACCESS_DENIED;
2201 return NT_STATUS_OK;
2204 for ( i=0; i < r->in.rights->count; i++ ) {
2206 privname = r->in.rights->names[i].string;
2208 /* only try to add non-null strings */
2213 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2214 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2216 return NT_STATUS_NO_SUCH_PRIVILEGE;
2220 return NT_STATUS_OK;
2223 /*******************************************************************
2224 ********************************************************************/
2226 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2227 struct lsa_RightSet *r,
2228 PRIVILEGE_SET *privileges)
2231 const char *privname;
2232 const char **privname_array = NULL;
2235 for (i=0; i<privileges->count; i++) {
2237 privname = luid_to_privilege_name(&privileges->set[i].luid);
2239 if (!add_string_to_array(mem_ctx, privname,
2240 &privname_array, &num_priv)) {
2241 return NT_STATUS_NO_MEMORY;
2248 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2251 return NT_STATUS_NO_MEMORY;
2254 for (i=0; i<num_priv; i++) {
2255 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2258 r->count = num_priv;
2261 return NT_STATUS_OK;
2264 /***************************************************************************
2265 _lsa_EnumAccountRights
2266 ***************************************************************************/
2268 NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
2269 struct lsa_EnumAccountRights *r)
2272 struct lsa_info *info = NULL;
2274 PRIVILEGE_SET privileges;
2277 /* find the connection policy handle. */
2279 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2280 return NT_STATUS_INVALID_HANDLE;
2282 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2283 return NT_STATUS_INVALID_HANDLE;
2286 if (!(info->access & LSA_ACCOUNT_VIEW)) {
2287 return NT_STATUS_ACCESS_DENIED;
2290 /* according to an NT4 PDC, you can add privileges to SIDs even without
2291 call_lsa_create_account() first. And you can use any arbitrary SID. */
2293 sid_copy( &sid, r->in.sid );
2295 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2296 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2297 * the lsa database */
2299 if (!get_privileges_for_sids(&mask, &sid, 1)) {
2300 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2303 status = privilege_set_init(&privileges);
2304 if (!NT_STATUS_IS_OK(status)) {
2308 se_priv_to_privilege_set(&privileges, &mask);
2310 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2311 sid_string_dbg(&sid), privileges.count));
2313 status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2315 privilege_set_free( &privileges );
2320 /***************************************************************************
2321 _lsa_LookupPrivValue
2322 ***************************************************************************/
2324 NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
2325 struct lsa_LookupPrivValue *r)
2327 struct lsa_info *info = NULL;
2328 const char *name = NULL;
2329 LUID_ATTR priv_luid;
2332 /* find the connection policy handle. */
2334 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2335 return NT_STATUS_INVALID_HANDLE;
2337 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2338 return NT_STATUS_INVALID_HANDLE;
2341 if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2342 return NT_STATUS_ACCESS_DENIED;
2344 name = r->in.name->string;
2346 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2348 if ( !se_priv_from_name( name, &mask ) )
2349 return NT_STATUS_NO_SUCH_PRIVILEGE;
2351 priv_luid = get_privilege_luid( &mask );
2353 r->out.luid->low = priv_luid.luid.low;
2354 r->out.luid->high = priv_luid.luid.high;
2356 return NT_STATUS_OK;
2359 /***************************************************************************
2360 _lsa_EnumAccountsWithUserRight
2361 ***************************************************************************/
2363 NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p,
2364 struct lsa_EnumAccountsWithUserRight *r)
2367 struct lsa_info *info = NULL;
2368 struct dom_sid *sids = NULL;
2373 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2374 return NT_STATUS_INVALID_HANDLE;
2377 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2378 return NT_STATUS_INVALID_HANDLE;
2381 if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2382 return NT_STATUS_ACCESS_DENIED;
2385 if (!r->in.name || !r->in.name->string) {
2386 return NT_STATUS_NO_SUCH_PRIVILEGE;
2389 if (!se_priv_from_name(r->in.name->string, &mask)) {
2390 return NT_STATUS_NO_SUCH_PRIVILEGE;
2393 status = privilege_enum_sids(&mask, p->mem_ctx,
2395 if (!NT_STATUS_IS_OK(status)) {
2399 r->out.sids->num_sids = num_sids;
2400 r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2401 r->out.sids->num_sids);
2403 for (i=0; i < r->out.sids->num_sids; i++) {
2404 r->out.sids->sids[i].sid = sid_dup_talloc(r->out.sids->sids,
2406 if (!r->out.sids->sids[i].sid) {
2407 TALLOC_FREE(r->out.sids->sids);
2408 r->out.sids->num_sids = 0;
2409 return NT_STATUS_NO_MEMORY;
2413 return NT_STATUS_OK;
2417 * From here on the server routines are just dummy ones to make smbd link with
2418 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2419 * pulling the server stubs across one by one.
2422 NTSTATUS _lsa_Delete(pipes_struct *p, struct lsa_Delete *r)
2424 p->rng_fault_state = True;
2425 return NT_STATUS_NOT_IMPLEMENTED;
2428 NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
2430 p->rng_fault_state = True;
2431 return NT_STATUS_NOT_IMPLEMENTED;
2434 NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
2436 p->rng_fault_state = True;
2437 return NT_STATUS_NOT_IMPLEMENTED;
2440 NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
2442 p->rng_fault_state = True;
2443 return NT_STATUS_NOT_IMPLEMENTED;
2446 NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
2448 p->rng_fault_state = True;
2449 return NT_STATUS_NOT_IMPLEMENTED;
2452 NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
2454 p->rng_fault_state = True;
2455 return NT_STATUS_NOT_IMPLEMENTED;
2458 NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
2460 p->rng_fault_state = True;
2461 return NT_STATUS_NOT_IMPLEMENTED;
2464 NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
2466 p->rng_fault_state = True;
2467 return NT_STATUS_NOT_IMPLEMENTED;
2470 NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
2472 p->rng_fault_state = True;
2473 return NT_STATUS_NOT_IMPLEMENTED;
2476 NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
2478 p->rng_fault_state = True;
2479 return NT_STATUS_NOT_IMPLEMENTED;
2482 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
2484 p->rng_fault_state = True;
2485 return NT_STATUS_NOT_IMPLEMENTED;
2488 NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
2490 p->rng_fault_state = True;
2491 return NT_STATUS_NOT_IMPLEMENTED;
2494 NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
2496 p->rng_fault_state = True;
2497 return NT_STATUS_NOT_IMPLEMENTED;
2500 NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
2502 p->rng_fault_state = True;
2503 return NT_STATUS_NOT_IMPLEMENTED;
2506 NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
2508 p->rng_fault_state = True;
2509 return NT_STATUS_NOT_IMPLEMENTED;
2512 NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
2514 p->rng_fault_state = True;
2515 return NT_STATUS_NOT_IMPLEMENTED;
2518 NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
2520 p->rng_fault_state = True;
2521 return NT_STATUS_NOT_IMPLEMENTED;
2524 NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
2526 p->rng_fault_state = True;
2527 return NT_STATUS_NOT_IMPLEMENTED;
2530 NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
2532 p->rng_fault_state = True;
2533 return NT_STATUS_NOT_IMPLEMENTED;
2536 NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
2538 p->rng_fault_state = True;
2539 return NT_STATUS_NOT_IMPLEMENTED;
2542 NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
2544 p->rng_fault_state = True;
2545 return NT_STATUS_NOT_IMPLEMENTED;
2548 NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
2550 p->rng_fault_state = True;
2551 return NT_STATUS_NOT_IMPLEMENTED;
2554 NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
2556 p->rng_fault_state = True;
2557 return NT_STATUS_NOT_IMPLEMENTED;
2560 NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
2562 p->rng_fault_state = True;
2563 return NT_STATUS_NOT_IMPLEMENTED;
2566 NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
2568 p->rng_fault_state = True;
2569 return NT_STATUS_NOT_IMPLEMENTED;
2572 NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
2574 p->rng_fault_state = True;
2575 return NT_STATUS_NOT_IMPLEMENTED;
2578 NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
2580 p->rng_fault_state = True;
2581 return NT_STATUS_NOT_IMPLEMENTED;
2584 NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
2586 p->rng_fault_state = True;
2587 return NT_STATUS_NOT_IMPLEMENTED;
2590 NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2592 p->rng_fault_state = True;
2593 return NT_STATUS_NOT_IMPLEMENTED;
2596 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2598 p->rng_fault_state = True;
2599 return NT_STATUS_NOT_IMPLEMENTED;
2602 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2604 p->rng_fault_state = True;
2605 return NT_STATUS_NOT_IMPLEMENTED;
2608 NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
2610 p->rng_fault_state = True;
2611 return NT_STATUS_NOT_IMPLEMENTED;
2614 NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
2616 p->rng_fault_state = True;
2617 return NT_STATUS_NOT_IMPLEMENTED;
2620 NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
2622 p->rng_fault_state = True;
2623 return NT_STATUS_NOT_IMPLEMENTED;
2626 NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
2628 p->rng_fault_state = True;
2629 return NT_STATUS_NOT_IMPLEMENTED;
2632 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
2634 p->rng_fault_state = True;
2635 return NT_STATUS_NOT_IMPLEMENTED;
2638 NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
2640 p->rng_fault_state = True;
2641 return NT_STATUS_NOT_IMPLEMENTED;
2644 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
2646 p->rng_fault_state = True;
2647 return NT_STATUS_NOT_IMPLEMENTED;
2650 NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
2652 p->rng_fault_state = True;
2653 return NT_STATUS_NOT_IMPLEMENTED;
2656 NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2658 p->rng_fault_state = True;
2659 return NT_STATUS_NOT_IMPLEMENTED;
2662 NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
2664 p->rng_fault_state = True;
2665 return NT_STATUS_NOT_IMPLEMENTED;
2668 NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
2670 p->rng_fault_state = True;
2671 return NT_STATUS_NOT_IMPLEMENTED;
2674 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2676 p->rng_fault_state = True;
2677 return NT_STATUS_NOT_IMPLEMENTED;
2680 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2682 p->rng_fault_state = True;
2683 return NT_STATUS_NOT_IMPLEMENTED;
2686 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
2688 p->rng_fault_state = True;
2689 return NT_STATUS_NOT_IMPLEMENTED;