2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
29 /* This is the implementation of the lsa server code. */
34 #define DBGC_CLASS DBGC_RPC_SRV
36 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
40 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
45 enum lsa_handle_type type;
48 const struct generic_mapping lsa_account_mapping = {
52 LSA_ACCOUNT_ALL_ACCESS
55 const struct generic_mapping lsa_policy_mapping = {
62 /***************************************************************************
63 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
64 ***************************************************************************/
66 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
67 struct lsa_RefDomainList *ref,
73 if (dom_name != NULL) {
74 for (num = 0; num < ref->count; num++) {
75 if (sid_equal(dom_sid, ref->domains[num].sid)) {
83 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
84 /* index not found, already at maximum domain limit */
89 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
91 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
92 struct lsa_DomainInfo, ref->count);
97 ZERO_STRUCT(ref->domains[num]);
99 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
100 ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
101 if (!ref->domains[num].sid) {
109 /***************************************************************************
110 initialize a lsa_DomainInfo structure.
111 ***************************************************************************/
113 static void init_dom_query_3(struct lsa_DomainInfo *r,
117 init_lsa_StringLarge(&r->name, name);
121 /***************************************************************************
122 initialize a lsa_DomainInfo structure.
123 ***************************************************************************/
125 static void init_dom_query_5(struct lsa_DomainInfo *r,
129 init_lsa_StringLarge(&r->name, name);
133 /***************************************************************************
134 lookup_lsa_rids. Must be called as root for lookup_name to work.
135 ***************************************************************************/
137 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
138 struct lsa_RefDomainList *ref,
139 struct lsa_TranslatedSid *prid,
140 uint32_t num_entries,
141 struct lsa_String *name,
143 uint32_t *pmapped_count)
145 uint32 mapped_count, i;
147 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
152 for (i = 0; i < num_entries; i++) {
156 const char *full_name;
158 enum lsa_SidType type = SID_NAME_UNKNOWN;
160 /* Split name into domain and user component */
162 full_name = name[i].string;
163 if (full_name == NULL) {
164 return NT_STATUS_NO_MEMORY;
167 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
169 /* We can ignore the result of lookup_name, it will not touch
170 "type" if it's not successful */
172 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
177 case SID_NAME_DOM_GRP:
178 case SID_NAME_DOMAIN:
180 case SID_NAME_WKN_GRP:
181 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
182 /* Leave these unchanged */
185 /* Don't hand out anything but the list above */
186 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
187 type = SID_NAME_UNKNOWN;
194 if (type != SID_NAME_UNKNOWN) {
195 sid_split_rid(&sid, &rid);
196 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
200 prid[i].sid_type = type;
202 prid[i].sid_index = dom_idx;
205 *pmapped_count = mapped_count;
209 /***************************************************************************
210 lookup_lsa_sids. Must be called as root for lookup_name to work.
211 ***************************************************************************/
213 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
214 struct lsa_RefDomainList *ref,
215 struct lsa_TranslatedSid3 *trans_sids,
216 uint32_t num_entries,
217 struct lsa_String *name,
219 uint32 *pmapped_count)
221 uint32 mapped_count, i;
223 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
228 for (i = 0; i < num_entries; i++) {
232 const char *full_name;
234 enum lsa_SidType type = SID_NAME_UNKNOWN;
238 /* Split name into domain and user component */
240 full_name = name[i].string;
241 if (full_name == NULL) {
242 return NT_STATUS_NO_MEMORY;
245 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
247 /* We can ignore the result of lookup_name, it will not touch
248 "type" if it's not successful */
250 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
255 case SID_NAME_DOM_GRP:
256 case SID_NAME_DOMAIN:
258 case SID_NAME_WKN_GRP:
259 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
260 /* Leave these unchanged */
263 /* Don't hand out anything but the list above */
264 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
265 type = SID_NAME_UNKNOWN;
272 if (type != SID_NAME_UNKNOWN) {
274 sid_copy(&domain_sid, &sid);
275 sid_split_rid(&domain_sid, &rid);
276 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
280 /* Initialize the lsa_TranslatedSid3 return. */
281 trans_sids[i].sid_type = type;
282 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
283 trans_sids[i].sid_index = dom_idx;
286 *pmapped_count = mapped_count;
290 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size,
291 const struct generic_mapping *map,
292 DOM_SID *sid, uint32_t sid_access)
300 /* READ|EXECUTE access for Everyone */
302 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
303 map->generic_execute | map->generic_read, 0);
305 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
307 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
308 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
309 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
310 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
312 /* Add Full Access for Domain Admins */
313 sid_copy(&adm_sid, get_global_sam_sid());
314 sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
315 init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
316 map->generic_all, 0);
318 /* If we have a sid, give it some special access */
321 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
325 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
326 return NT_STATUS_NO_MEMORY;
328 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
329 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
330 psa, sd_size)) == NULL)
331 return NT_STATUS_NO_MEMORY;
337 /***************************************************************************
339 ***************************************************************************/
341 NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
342 struct lsa_OpenPolicy2 *r)
344 struct lsa_info *info;
345 SEC_DESC *psd = NULL;
347 uint32 des_access = r->in.access_mask;
351 /* Work out max allowed. */
352 map_max_allowed_access(p->server_info->ptok,
353 &p->server_info->utok,
356 /* map the generic bits to the lsa policy ones */
357 se_map_generic(&des_access, &lsa_policy_mapping);
359 /* get the generic lsa policy SD until we store it */
360 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
362 if (!NT_STATUS_IS_OK(status)) {
366 status = access_check_object(psd, p->server_info->ptok,
368 &acc_granted, "_lsa_OpenPolicy2" );
370 if (!NT_STATUS_IS_OK(status)) {
374 /* associate the domain SID with the (unique) handle. */
375 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
377 return NT_STATUS_NO_MEMORY;
380 sid_copy(&info->sid,get_global_sam_sid());
381 info->access = acc_granted;
382 info->type = LSA_HANDLE_POLICY_TYPE;
384 /* set up the LSA QUERY INFO response */
385 if (!create_policy_hnd(p, r->out.handle, info))
386 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
391 /***************************************************************************
393 ***************************************************************************/
395 NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
396 struct lsa_OpenPolicy *r)
398 struct lsa_OpenPolicy2 o;
400 o.in.system_name = NULL; /* should be ignored */
401 o.in.attr = r->in.attr;
402 o.in.access_mask = r->in.access_mask;
404 o.out.handle = r->out.handle;
406 return _lsa_OpenPolicy2(p, &o);
409 /***************************************************************************
410 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
412 ***************************************************************************/
414 NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
415 struct lsa_EnumTrustDom *r)
417 struct lsa_info *info;
419 struct trustdom_info **domains;
420 struct lsa_DomainInfo *lsa_domains = NULL;
424 * preferred length is set to 5 as a "our" preferred length
425 * nt sets this parameter to 2
426 * update (20.08.2002): it's not preferred length, but preferred size!
427 * it needs further investigation how to optimally choose this value
429 uint32 max_num_domains =
430 r->in.max_size < 5 ? r->in.max_size : 10;
435 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
436 return NT_STATUS_INVALID_HANDLE;
438 if (info->type != LSA_HANDLE_POLICY_TYPE) {
439 return NT_STATUS_INVALID_HANDLE;
442 /* check if the user has enough rights */
443 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
444 return NT_STATUS_ACCESS_DENIED;
447 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
450 if (!NT_STATUS_IS_OK(nt_status)) {
454 if (*r->in.resume_handle < num_domains) {
455 num_thistime = MIN(num_domains, max_num_domains);
457 nt_status = STATUS_MORE_ENTRIES;
459 if (*r->in.resume_handle + num_thistime > num_domains) {
460 num_thistime = num_domains - *r->in.resume_handle;
461 nt_status = NT_STATUS_OK;
464 next_idx = *r->in.resume_handle + num_thistime;
467 next_idx = 0xffffffff;
468 nt_status = NT_STATUS_NO_MORE_ENTRIES;
471 /* set up the lsa_enum_trust_dom response */
473 lsa_domains = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo,
476 return NT_STATUS_NO_MEMORY;
479 for (i=0; i<num_thistime; i++) {
480 init_lsa_StringLarge(&lsa_domains[i].name, domains[i]->name);
481 lsa_domains[i].sid = &domains[i]->sid;
484 *r->out.resume_handle = next_idx;
485 r->out.domains->count = num_thistime;
486 r->out.domains->domains = lsa_domains;
491 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
492 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
493 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
495 /***************************************************************************
497 ***************************************************************************/
499 NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
500 struct lsa_QueryInfoPolicy *r)
502 NTSTATUS status = NT_STATUS_OK;
503 struct lsa_info *handle;
507 union lsa_PolicyInformation *info = NULL;
509 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
510 return NT_STATUS_INVALID_HANDLE;
512 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
513 return NT_STATUS_INVALID_HANDLE;
516 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
518 return NT_STATUS_NO_MEMORY;
521 switch (r->in.level) {
522 case LSA_POLICY_INFO_AUDIT_EVENTS:
525 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
527 /* check if the user has enough rights */
528 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
529 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
530 return NT_STATUS_ACCESS_DENIED;
533 /* fake info: We audit everything. ;) */
535 info->audit_events.auditing_mode = true;
536 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
537 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
538 enum lsa_PolicyAuditPolicy,
539 info->audit_events.count);
540 if (!info->audit_events.settings) {
541 return NT_STATUS_NO_MEMORY;
544 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
545 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
546 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
547 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
548 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
549 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
550 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
554 case LSA_POLICY_INFO_DOMAIN:
555 /* check if the user has enough rights */
556 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
557 return NT_STATUS_ACCESS_DENIED;
559 /* Request PolicyPrimaryDomainInformation. */
560 switch (lp_server_role()) {
561 case ROLE_DOMAIN_PDC:
562 case ROLE_DOMAIN_BDC:
563 name = get_global_sam_name();
564 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
566 return NT_STATUS_NO_MEMORY;
569 case ROLE_DOMAIN_MEMBER:
570 name = lp_workgroup();
571 /* We need to return the Domain SID here. */
572 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
573 sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
575 return NT_STATUS_NO_MEMORY;
578 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
581 case ROLE_STANDALONE:
582 name = lp_workgroup();
586 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
588 init_dom_query_3(&info->domain, name, sid);
590 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
591 /* check if the user has enough rights */
592 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
593 return NT_STATUS_ACCESS_DENIED;
595 /* Request PolicyAccountDomainInformation. */
596 name = get_global_sam_name();
597 sid = get_global_sam_sid();
599 init_dom_query_5(&info->account_domain, name, sid);
601 case LSA_POLICY_INFO_ROLE:
602 /* check if the user has enough rights */
603 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
604 return NT_STATUS_ACCESS_DENIED;
606 switch (lp_server_role()) {
607 case ROLE_DOMAIN_BDC:
609 * only a BDC is a backup controller
610 * of the domain, it controls.
612 info->role.role = LSA_ROLE_BACKUP;
616 * any other role is a primary
617 * of the domain, it controls.
619 info->role.role = LSA_ROLE_PRIMARY;
623 case LSA_POLICY_INFO_DNS:
624 case LSA_POLICY_INFO_DNS_INT: {
625 struct pdb_domain_info *dominfo;
627 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
628 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
629 "without ADS passdb backend\n"));
630 status = NT_STATUS_INVALID_INFO_CLASS;
634 dominfo = pdb_get_domain_info(info);
635 if (dominfo == NULL) {
636 status = NT_STATUS_NO_MEMORY;
640 init_lsa_StringLarge(&info->dns.name,
642 init_lsa_StringLarge(&info->dns.dns_domain,
643 dominfo->dns_domain);
644 init_lsa_StringLarge(&info->dns.dns_forest,
645 dominfo->dns_forest);
646 info->dns.domain_guid = dominfo->guid;
647 info->dns.sid = &dominfo->sid;
651 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
653 status = NT_STATUS_INVALID_INFO_CLASS;
662 /***************************************************************************
663 _lsa_QueryInfoPolicy2
664 ***************************************************************************/
666 NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p,
667 struct lsa_QueryInfoPolicy2 *r2)
669 struct lsa_QueryInfoPolicy r;
671 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
672 p->rng_fault_state = True;
673 return NT_STATUS_NOT_IMPLEMENTED;
677 r.in.handle = r2->in.handle;
678 r.in.level = r2->in.level;
679 r.out.info = r2->out.info;
681 return _lsa_QueryInfoPolicy(p, &r);
684 /***************************************************************************
685 _lsa_lookup_sids_internal
686 ***************************************************************************/
688 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
690 uint16_t level, /* input */
691 int num_sids, /* input */
692 struct lsa_SidPtr *sid, /* input */
693 struct lsa_RefDomainList **pp_ref, /* input/output */
694 struct lsa_TranslatedName2 **pp_names,/* input/output */
695 uint32_t *pp_mapped_count) /* input/output */
699 const DOM_SID **sids = NULL;
700 struct lsa_RefDomainList *ref = NULL;
701 uint32 mapped_count = 0;
702 struct lsa_dom_info *dom_infos = NULL;
703 struct lsa_name_info *name_infos = NULL;
704 struct lsa_TranslatedName2 *names = NULL;
706 *pp_mapped_count = 0;
714 sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
715 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
717 if (sids == NULL || ref == NULL) {
718 return NT_STATUS_NO_MEMORY;
721 for (i=0; i<num_sids; i++) {
722 sids[i] = sid[i].sid;
725 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
726 &dom_infos, &name_infos);
728 if (!NT_STATUS_IS_OK(status)) {
732 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
734 return NT_STATUS_NO_MEMORY;
737 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
739 if (!dom_infos[i].valid) {
743 if (init_lsa_ref_domain_list(mem_ctx, ref,
745 &dom_infos[i].sid) != i) {
746 DEBUG(0, ("Domain %s mentioned twice??\n",
748 return NT_STATUS_INTERNAL_ERROR;
752 for (i=0; i<num_sids; i++) {
753 struct lsa_name_info *name = &name_infos[i];
755 if (name->type == SID_NAME_UNKNOWN) {
758 /* Unknown sids should return the string
759 * representation of the SID. Windows 2003 behaves
760 * rather erratic here, in many cases it returns the
761 * RID as 8 bytes hex, in others it returns the full
762 * SID. We (Jerry/VL) could not figure out which the
763 * hard cases are, so leave it with the SID. */
764 name->name = talloc_asprintf(p->mem_ctx, "%s",
767 if (name->name == NULL) {
768 return NT_STATUS_NO_MEMORY;
774 names[i].sid_type = name->type;
775 names[i].name.string = name->name;
776 names[i].sid_index = name->dom_idx;
777 names[i].unknown = 0;
780 status = NT_STATUS_NONE_MAPPED;
781 if (mapped_count > 0) {
782 status = (mapped_count < num_sids) ?
783 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
786 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
787 num_sids, mapped_count, nt_errstr(status)));
789 *pp_mapped_count = mapped_count;
796 /***************************************************************************
798 ***************************************************************************/
800 NTSTATUS _lsa_LookupSids(pipes_struct *p,
801 struct lsa_LookupSids *r)
804 struct lsa_info *handle;
805 int num_sids = r->in.sids->num_sids;
806 uint32 mapped_count = 0;
807 struct lsa_RefDomainList *domains = NULL;
808 struct lsa_TranslatedName *names_out = NULL;
809 struct lsa_TranslatedName2 *names = NULL;
812 if ((r->in.level < 1) || (r->in.level > 6)) {
813 return NT_STATUS_INVALID_PARAMETER;
816 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
817 return NT_STATUS_INVALID_HANDLE;
820 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
821 return NT_STATUS_INVALID_HANDLE;
824 /* check if the user has enough rights */
825 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
826 return NT_STATUS_ACCESS_DENIED;
829 if (num_sids > MAX_LOOKUP_SIDS) {
830 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
831 MAX_LOOKUP_SIDS, num_sids));
832 return NT_STATUS_NONE_MAPPED;
835 status = _lsa_lookup_sids_internal(p,
844 /* Only return here when there is a real error.
845 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
846 the requested sids could be resolved. Older versions of XP (pre SP3)
847 rely that we return with the string representations of those SIDs in
848 that case. If we don't, XP crashes - Guenther
851 if (NT_STATUS_IS_ERR(status) &&
852 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
856 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
857 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
860 return NT_STATUS_NO_MEMORY;
863 for (i=0; i<num_sids; i++) {
864 names_out[i].sid_type = names[i].sid_type;
865 names_out[i].name = names[i].name;
866 names_out[i].sid_index = names[i].sid_index;
869 *r->out.domains = domains;
870 r->out.names->count = num_sids;
871 r->out.names->names = names_out;
872 *r->out.count = mapped_count;
877 /***************************************************************************
879 ***************************************************************************/
881 NTSTATUS _lsa_LookupSids2(pipes_struct *p,
882 struct lsa_LookupSids2 *r)
885 struct lsa_info *handle;
886 int num_sids = r->in.sids->num_sids;
887 uint32 mapped_count = 0;
888 struct lsa_RefDomainList *domains = NULL;
889 struct lsa_TranslatedName2 *names = NULL;
890 bool check_policy = true;
892 switch (p->hdr_req.opnum) {
893 case NDR_LSA_LOOKUPSIDS3:
894 check_policy = false;
896 case NDR_LSA_LOOKUPSIDS2:
901 if ((r->in.level < 1) || (r->in.level > 6)) {
902 return NT_STATUS_INVALID_PARAMETER;
906 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
907 return NT_STATUS_INVALID_HANDLE;
910 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
911 return NT_STATUS_INVALID_HANDLE;
914 /* check if the user has enough rights */
915 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
916 return NT_STATUS_ACCESS_DENIED;
920 if (num_sids > MAX_LOOKUP_SIDS) {
921 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
922 MAX_LOOKUP_SIDS, num_sids));
923 return NT_STATUS_NONE_MAPPED;
926 status = _lsa_lookup_sids_internal(p,
935 *r->out.domains = domains;
936 r->out.names->count = num_sids;
937 r->out.names->names = names;
938 *r->out.count = mapped_count;
943 /***************************************************************************
945 ***************************************************************************/
947 NTSTATUS _lsa_LookupSids3(pipes_struct *p,
948 struct lsa_LookupSids3 *r)
950 struct lsa_LookupSids2 q;
952 /* No policy handle on this call. Restrict to crypto connections. */
953 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
954 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
955 get_remote_machine_name() ));
956 return NT_STATUS_INVALID_PARAMETER;
960 q.in.sids = r->in.sids;
961 q.in.level = r->in.level;
962 q.in.unknown1 = r->in.unknown1;
963 q.in.unknown2 = r->in.unknown2;
964 q.in.names = r->in.names;
965 q.in.count = r->in.count;
967 q.out.domains = r->out.domains;
968 q.out.names = r->out.names;
969 q.out.count = r->out.count;
971 return _lsa_LookupSids2(p, &q);
974 /***************************************************************************
975 ***************************************************************************/
977 static int lsa_lookup_level_to_flags(uint16 level)
983 flags = LOOKUP_NAME_ALL;
986 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
989 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
995 flags = LOOKUP_NAME_NONE;
1002 /***************************************************************************
1004 ***************************************************************************/
1006 NTSTATUS _lsa_LookupNames(pipes_struct *p,
1007 struct lsa_LookupNames *r)
1009 NTSTATUS status = NT_STATUS_NONE_MAPPED;
1010 struct lsa_info *handle;
1011 struct lsa_String *names = r->in.names;
1012 uint32 num_entries = r->in.num_names;
1013 struct lsa_RefDomainList *domains = NULL;
1014 struct lsa_TranslatedSid *rids = NULL;
1015 uint32 mapped_count = 0;
1018 if (num_entries > MAX_LOOKUP_SIDS) {
1019 num_entries = MAX_LOOKUP_SIDS;
1020 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1024 flags = lsa_lookup_level_to_flags(r->in.level);
1026 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1028 return NT_STATUS_NO_MEMORY;
1032 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1035 return NT_STATUS_NO_MEMORY;
1041 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1042 status = NT_STATUS_INVALID_HANDLE;
1046 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1047 return NT_STATUS_INVALID_HANDLE;
1050 /* check if the user has enough rights */
1051 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1052 status = NT_STATUS_ACCESS_DENIED;
1056 /* set up the LSA Lookup RIDs response */
1057 become_root(); /* lookup_name can require root privs */
1058 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1059 names, flags, &mapped_count);
1064 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1065 if (mapped_count == 0) {
1066 status = NT_STATUS_NONE_MAPPED;
1067 } else if (mapped_count != num_entries) {
1068 status = STATUS_SOME_UNMAPPED;
1072 *r->out.count = mapped_count;
1073 *r->out.domains = domains;
1074 r->out.sids->sids = rids;
1075 r->out.sids->count = num_entries;
1080 /***************************************************************************
1082 ***************************************************************************/
1084 NTSTATUS _lsa_LookupNames2(pipes_struct *p,
1085 struct lsa_LookupNames2 *r)
1088 struct lsa_LookupNames q;
1089 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1090 struct lsa_TransSidArray *sid_array = NULL;
1093 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1095 return NT_STATUS_NO_MEMORY;
1098 q.in.handle = r->in.handle;
1099 q.in.num_names = r->in.num_names;
1100 q.in.names = r->in.names;
1101 q.in.level = r->in.level;
1102 q.in.sids = sid_array;
1103 q.in.count = r->in.count;
1104 /* we do not know what this is for */
1105 /* = r->in.unknown1; */
1106 /* = r->in.unknown2; */
1108 q.out.domains = r->out.domains;
1109 q.out.sids = sid_array;
1110 q.out.count = r->out.count;
1112 status = _lsa_LookupNames(p, &q);
1114 sid_array2->count = sid_array->count;
1115 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1116 if (!sid_array2->sids) {
1117 return NT_STATUS_NO_MEMORY;
1120 for (i=0; i<sid_array->count; i++) {
1121 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1122 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1123 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1124 sid_array2->sids[i].unknown = 0;
1127 r->out.sids = sid_array2;
1132 /***************************************************************************
1134 ***************************************************************************/
1136 NTSTATUS _lsa_LookupNames3(pipes_struct *p,
1137 struct lsa_LookupNames3 *r)
1140 struct lsa_info *handle;
1141 struct lsa_String *names = r->in.names;
1142 uint32 num_entries = r->in.num_names;
1143 struct lsa_RefDomainList *domains = NULL;
1144 struct lsa_TranslatedSid3 *trans_sids = NULL;
1145 uint32 mapped_count = 0;
1147 bool check_policy = true;
1149 switch (p->hdr_req.opnum) {
1150 case NDR_LSA_LOOKUPNAMES4:
1151 check_policy = false;
1153 case NDR_LSA_LOOKUPNAMES3:
1155 check_policy = true;
1158 if (num_entries > MAX_LOOKUP_SIDS) {
1159 num_entries = MAX_LOOKUP_SIDS;
1160 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1163 /* Probably the lookup_level is some sort of bitmask. */
1164 if (r->in.level == 1) {
1165 flags = LOOKUP_NAME_ALL;
1168 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1170 return NT_STATUS_NO_MEMORY;
1174 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1177 return NT_STATUS_NO_MEMORY;
1185 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1186 status = NT_STATUS_INVALID_HANDLE;
1190 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1191 return NT_STATUS_INVALID_HANDLE;
1194 /* check if the user has enough rights */
1195 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1196 status = NT_STATUS_ACCESS_DENIED;
1201 /* set up the LSA Lookup SIDs response */
1202 become_root(); /* lookup_name can require root privs */
1203 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1204 names, flags, &mapped_count);
1209 if (NT_STATUS_IS_OK(status)) {
1210 if (mapped_count == 0) {
1211 status = NT_STATUS_NONE_MAPPED;
1212 } else if (mapped_count != num_entries) {
1213 status = STATUS_SOME_UNMAPPED;
1217 *r->out.count = mapped_count;
1218 *r->out.domains = domains;
1219 r->out.sids->sids = trans_sids;
1220 r->out.sids->count = num_entries;
1225 /***************************************************************************
1227 ***************************************************************************/
1229 NTSTATUS _lsa_LookupNames4(pipes_struct *p,
1230 struct lsa_LookupNames4 *r)
1232 struct lsa_LookupNames3 q;
1234 /* No policy handle on this call. Restrict to crypto connections. */
1235 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1236 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1237 get_remote_machine_name() ));
1238 return NT_STATUS_INVALID_PARAMETER;
1242 q.in.num_names = r->in.num_names;
1243 q.in.names = r->in.names;
1244 q.in.level = r->in.level;
1245 q.in.lookup_options = r->in.lookup_options;
1246 q.in.client_revision = r->in.client_revision;
1247 q.in.sids = r->in.sids;
1248 q.in.count = r->in.count;
1250 q.out.domains = r->out.domains;
1251 q.out.sids = r->out.sids;
1252 q.out.count = r->out.count;
1254 return _lsa_LookupNames3(p, &q);
1257 /***************************************************************************
1258 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1259 ***************************************************************************/
1261 NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
1263 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1264 return NT_STATUS_INVALID_HANDLE;
1267 close_policy_hnd(p, r->in.handle);
1268 ZERO_STRUCTP(r->out.handle);
1269 return NT_STATUS_OK;
1272 /***************************************************************************
1273 ***************************************************************************/
1275 NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
1277 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1280 /***************************************************************************
1281 ***************************************************************************/
1283 NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
1285 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1288 /***************************************************************************
1289 ***************************************************************************/
1291 NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
1293 return NT_STATUS_ACCESS_DENIED;
1296 /***************************************************************************
1297 ***************************************************************************/
1299 NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
1301 return NT_STATUS_ACCESS_DENIED;
1304 /***************************************************************************
1305 ***************************************************************************/
1307 NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
1309 return NT_STATUS_ACCESS_DENIED;
1312 /***************************************************************************
1314 ***************************************************************************/
1316 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
1317 struct lsa_DeleteObject *r)
1320 struct lsa_info *info = NULL;
1322 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1323 return NT_STATUS_INVALID_HANDLE;
1326 if (!(info->access & STD_RIGHT_DELETE_ACCESS)) {
1327 return NT_STATUS_ACCESS_DENIED;
1330 switch (info->type) {
1331 case LSA_HANDLE_ACCOUNT_TYPE:
1332 status = privilege_delete_account(&info->sid);
1333 if (!NT_STATUS_IS_OK(status)) {
1334 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1335 nt_errstr(status)));
1340 return NT_STATUS_INVALID_HANDLE;
1343 close_policy_hnd(p, r->in.handle);
1344 ZERO_STRUCTP(r->out.handle);
1349 /***************************************************************************
1351 ***************************************************************************/
1353 NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
1354 struct lsa_EnumPrivs *r)
1356 struct lsa_info *handle;
1358 uint32 enum_context = *r->in.resume_handle;
1359 int num_privs = count_all_privileges();
1360 struct lsa_PrivEntry *entries = NULL;
1363 /* remember that the enum_context starts at 0 and not 1 */
1365 if ( enum_context >= num_privs )
1366 return NT_STATUS_NO_MORE_ENTRIES;
1368 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1369 enum_context, num_privs));
1371 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1372 return NT_STATUS_INVALID_HANDLE;
1374 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1375 return NT_STATUS_INVALID_HANDLE;
1378 /* check if the user has enough rights
1379 I don't know if it's the right one. not documented. */
1381 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1382 return NT_STATUS_ACCESS_DENIED;
1385 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1387 return NT_STATUS_NO_MEMORY;
1393 for (i = 0; i < num_privs; i++) {
1394 if( i < enum_context) {
1396 init_lsa_StringLarge(&entries[i].name, NULL);
1398 entries[i].luid.low = 0;
1399 entries[i].luid.high = 0;
1402 init_lsa_StringLarge(&entries[i].name, privs[i].name);
1404 luid = get_privilege_luid( &privs[i].se_priv );
1406 entries[i].luid.low = luid.luid.low;
1407 entries[i].luid.high = luid.luid.high;
1411 enum_context = num_privs;
1413 *r->out.resume_handle = enum_context;
1414 r->out.privs->count = num_privs;
1415 r->out.privs->privs = entries;
1417 return NT_STATUS_OK;
1420 /***************************************************************************
1421 _lsa_LookupPrivDisplayName
1422 ***************************************************************************/
1424 NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
1425 struct lsa_LookupPrivDisplayName *r)
1427 struct lsa_info *handle;
1428 const char *description;
1429 struct lsa_StringLarge *lsa_name;
1431 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1432 return NT_STATUS_INVALID_HANDLE;
1434 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1435 return NT_STATUS_INVALID_HANDLE;
1438 /* check if the user has enough rights */
1441 * I don't know if it's the right one. not documented.
1443 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1444 return NT_STATUS_ACCESS_DENIED;
1446 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1448 description = get_privilege_dispname(r->in.name->string);
1450 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1451 return NT_STATUS_NO_SUCH_PRIVILEGE;
1454 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1456 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1458 return NT_STATUS_NO_MEMORY;
1461 init_lsa_StringLarge(lsa_name, description);
1463 *r->out.returned_language_id = r->in.language_id;
1464 *r->out.disp_name = lsa_name;
1466 return NT_STATUS_OK;
1469 /***************************************************************************
1471 ***************************************************************************/
1473 NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
1474 struct lsa_EnumAccounts *r)
1476 struct lsa_info *handle;
1478 int i, j, num_entries;
1480 struct lsa_SidPtr *sids = NULL;
1482 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1483 return NT_STATUS_INVALID_HANDLE;
1485 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1486 return NT_STATUS_INVALID_HANDLE;
1489 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1490 return NT_STATUS_ACCESS_DENIED;
1495 /* The only way we can currently find out all the SIDs that have been
1496 privileged is to scan all privileges */
1498 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1499 if (!NT_STATUS_IS_OK(status)) {
1503 if (*r->in.resume_handle >= num_entries) {
1504 return NT_STATUS_NO_MORE_ENTRIES;
1507 if (num_entries - *r->in.resume_handle) {
1508 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1509 num_entries - *r->in.resume_handle);
1511 talloc_free(sid_list);
1512 return NT_STATUS_NO_MEMORY;
1515 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1516 sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1518 talloc_free(sid_list);
1519 return NT_STATUS_NO_MEMORY;
1524 talloc_free(sid_list);
1526 *r->out.resume_handle = num_entries;
1527 r->out.sids->num_sids = num_entries;
1528 r->out.sids->sids = sids;
1530 return NT_STATUS_OK;
1533 /***************************************************************************
1535 ***************************************************************************/
1537 NTSTATUS _lsa_GetUserName(pipes_struct *p,
1538 struct lsa_GetUserName *r)
1540 const char *username, *domname;
1541 struct lsa_String *account_name = NULL;
1542 struct lsa_String *authority_name = NULL;
1544 if (r->in.account_name &&
1545 *r->in.account_name) {
1546 return NT_STATUS_INVALID_PARAMETER;
1549 if (r->in.authority_name &&
1550 *r->in.authority_name) {
1551 return NT_STATUS_INVALID_PARAMETER;
1554 if (p->server_info->guest) {
1556 * I'm 99% sure this is not the right place to do this,
1557 * global_sid_Anonymous should probably be put into the token
1558 * instead of the guest id -- vl
1560 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1561 &domname, &username, NULL)) {
1562 return NT_STATUS_NO_MEMORY;
1565 username = p->server_info->sanitized_username;
1566 domname = pdb_get_domain(p->server_info->sam_account);
1569 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1570 if (!account_name) {
1571 return NT_STATUS_NO_MEMORY;
1573 init_lsa_String(account_name, username);
1575 if (r->out.authority_name) {
1576 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1577 if (!authority_name) {
1578 return NT_STATUS_NO_MEMORY;
1580 init_lsa_String(authority_name, domname);
1583 *r->out.account_name = account_name;
1584 if (r->out.authority_name) {
1585 *r->out.authority_name = authority_name;
1588 return NT_STATUS_OK;
1591 /***************************************************************************
1593 ***************************************************************************/
1595 NTSTATUS _lsa_CreateAccount(pipes_struct *p,
1596 struct lsa_CreateAccount *r)
1598 struct lsa_info *handle;
1599 struct lsa_info *info;
1601 /* find the connection policy handle. */
1602 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1603 return NT_STATUS_INVALID_HANDLE;
1605 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1606 return NT_STATUS_INVALID_HANDLE;
1609 /* check if the user has enough rights */
1612 * I don't know if it's the right one. not documented.
1613 * but guessed with rpcclient.
1615 if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT))
1616 return NT_STATUS_ACCESS_DENIED;
1618 if ( is_privileged_sid( r->in.sid ) )
1619 return NT_STATUS_OBJECT_NAME_COLLISION;
1621 /* associate the user/group SID with the (unique) handle. */
1623 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1625 return NT_STATUS_NO_MEMORY;
1628 info->sid = *r->in.sid;
1629 info->access = r->in.access_mask;
1630 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1632 /* get a (unique) handle. open a policy on it. */
1633 if (!create_policy_hnd(p, r->out.acct_handle, info))
1634 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1636 return privilege_create_account( &info->sid );
1639 /***************************************************************************
1641 ***************************************************************************/
1643 NTSTATUS _lsa_OpenAccount(pipes_struct *p,
1644 struct lsa_OpenAccount *r)
1646 struct lsa_info *handle;
1647 struct lsa_info *info;
1648 SEC_DESC *psd = NULL;
1650 uint32_t des_access = r->in.access_mask;
1651 uint32_t acc_granted;
1654 /* find the connection policy handle. */
1655 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1656 return NT_STATUS_INVALID_HANDLE;
1658 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1659 return NT_STATUS_INVALID_HANDLE;
1662 /* des_access is for the account here, not the policy
1663 * handle - so don't check against policy handle. */
1665 /* Work out max allowed. */
1666 map_max_allowed_access(p->server_info->ptok,
1667 &p->server_info->utok,
1670 /* map the generic bits to the lsa account ones */
1671 se_map_generic(&des_access, &lsa_account_mapping);
1673 /* get the generic lsa account SD until we store it */
1674 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1675 &lsa_account_mapping,
1676 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1677 if (!NT_STATUS_IS_OK(status)) {
1681 status = access_check_object(psd, p->server_info->ptok,
1682 NULL, 0, des_access,
1683 &acc_granted, "_lsa_OpenAccount" );
1685 if (!NT_STATUS_IS_OK(status)) {
1689 /* TODO: Fis the parsing routine before reenabling this check! */
1691 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1692 return NT_STATUS_ACCESS_DENIED;
1694 /* associate the user/group SID with the (unique) handle. */
1695 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1697 return NT_STATUS_NO_MEMORY;
1700 info->sid = *r->in.sid;
1701 info->access = acc_granted;
1702 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1704 /* get a (unique) handle. open a policy on it. */
1705 if (!create_policy_hnd(p, r->out.acct_handle, info))
1706 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1708 return NT_STATUS_OK;
1711 /***************************************************************************
1712 _lsa_EnumPrivsAccount
1713 For a given SID, enumerate all the privilege this account has.
1714 ***************************************************************************/
1716 NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
1717 struct lsa_EnumPrivsAccount *r)
1719 NTSTATUS status = NT_STATUS_OK;
1720 struct lsa_info *info=NULL;
1722 PRIVILEGE_SET privileges;
1723 struct lsa_PrivilegeSet *priv_set = NULL;
1724 struct lsa_LUIDAttribute *luid_attrs = NULL;
1727 /* find the connection policy handle. */
1728 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1729 return NT_STATUS_INVALID_HANDLE;
1731 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1732 return NT_STATUS_INVALID_HANDLE;
1735 if (!(info->access & LSA_ACCOUNT_VIEW))
1736 return NT_STATUS_ACCESS_DENIED;
1738 get_privileges_for_sids(&mask, &info->sid, 1);
1740 privilege_set_init( &privileges );
1742 priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1744 status = NT_STATUS_NO_MEMORY;
1748 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1750 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1751 sid_string_dbg(&info->sid),
1754 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1755 struct lsa_LUIDAttribute,
1758 status = NT_STATUS_NO_MEMORY;
1762 for (i=0; i<privileges.count; i++) {
1763 luid_attrs[i].luid.low = privileges.set[i].luid.low;
1764 luid_attrs[i].luid.high = privileges.set[i].luid.high;
1765 luid_attrs[i].attribute = privileges.set[i].attr;
1768 priv_set->count = privileges.count;
1769 priv_set->unknown = 0;
1770 priv_set->set = luid_attrs;
1773 priv_set->count = 0;
1774 priv_set->unknown = 0;
1775 priv_set->set = NULL;
1778 *r->out.privs = priv_set;
1781 privilege_set_free( &privileges );
1786 /***************************************************************************
1787 _lsa_GetSystemAccessAccount
1788 ***************************************************************************/
1790 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
1791 struct lsa_GetSystemAccessAccount *r)
1794 struct lsa_info *info = NULL;
1795 struct lsa_EnumPrivsAccount e;
1796 struct lsa_PrivilegeSet *privset;
1798 /* find the connection policy handle. */
1800 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1801 return NT_STATUS_INVALID_HANDLE;
1803 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1804 return NT_STATUS_INVALID_HANDLE;
1807 if (!(info->access & LSA_ACCOUNT_VIEW))
1808 return NT_STATUS_ACCESS_DENIED;
1810 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1812 return NT_STATUS_NO_MEMORY;
1815 e.in.handle = r->in.handle;
1816 e.out.privs = &privset;
1818 status = _lsa_EnumPrivsAccount(p, &e);
1819 if (!NT_STATUS_IS_OK(status)) {
1820 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1821 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1822 nt_errstr(status)));
1826 /* Samba4 would iterate over the privset to merge the policy mode bits,
1827 * not sure samba3 can do the same here, so just return what we did in
1831 0x01 -> Log on locally
1832 0x02 -> Access this computer from network
1833 0x04 -> Log on as a batch job
1834 0x10 -> Log on as a service
1836 they can be ORed together
1839 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1840 LSA_POLICY_MODE_NETWORK;
1842 return NT_STATUS_OK;
1845 /***************************************************************************
1846 update the systemaccount information
1847 ***************************************************************************/
1849 NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
1850 struct lsa_SetSystemAccessAccount *r)
1852 struct lsa_info *info=NULL;
1855 /* find the connection policy handle. */
1856 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1857 return NT_STATUS_INVALID_HANDLE;
1859 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1860 return NT_STATUS_INVALID_HANDLE;
1863 if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1864 return NT_STATUS_ACCESS_DENIED;
1867 if (!pdb_getgrsid(&map, info->sid))
1868 return NT_STATUS_NO_SUCH_GROUP;
1870 return pdb_update_group_mapping_entry(&map);
1873 /***************************************************************************
1874 _lsa_AddPrivilegesToAccount
1875 For a given SID, add some privileges.
1876 ***************************************************************************/
1878 NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
1879 struct lsa_AddPrivilegesToAccount *r)
1881 struct lsa_info *info = NULL;
1883 struct lsa_PrivilegeSet *set = NULL;
1885 /* find the connection policy handle. */
1886 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1887 return NT_STATUS_INVALID_HANDLE;
1889 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1890 return NT_STATUS_INVALID_HANDLE;
1893 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1894 return NT_STATUS_ACCESS_DENIED;
1898 if ( !privilege_set_to_se_priv( &mask, set ) )
1899 return NT_STATUS_NO_SUCH_PRIVILEGE;
1901 if ( !grant_privilege( &info->sid, &mask ) ) {
1902 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1903 sid_string_dbg(&info->sid) ));
1904 DEBUG(3,("Privilege mask:\n"));
1905 dump_se_priv( DBGC_ALL, 3, &mask );
1906 return NT_STATUS_NO_SUCH_PRIVILEGE;
1909 return NT_STATUS_OK;
1912 /***************************************************************************
1913 _lsa_RemovePrivilegesFromAccount
1914 For a given SID, remove some privileges.
1915 ***************************************************************************/
1917 NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
1918 struct lsa_RemovePrivilegesFromAccount *r)
1920 struct lsa_info *info = NULL;
1922 struct lsa_PrivilegeSet *set = NULL;
1924 /* find the connection policy handle. */
1925 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1926 return NT_STATUS_INVALID_HANDLE;
1928 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1929 return NT_STATUS_INVALID_HANDLE;
1932 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1933 return NT_STATUS_ACCESS_DENIED;
1938 if ( !privilege_set_to_se_priv( &mask, set ) )
1939 return NT_STATUS_NO_SUCH_PRIVILEGE;
1941 if ( !revoke_privilege( &info->sid, &mask ) ) {
1942 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
1943 sid_string_dbg(&info->sid) ));
1944 DEBUG(3,("Privilege mask:\n"));
1945 dump_se_priv( DBGC_ALL, 3, &mask );
1946 return NT_STATUS_NO_SUCH_PRIVILEGE;
1949 return NT_STATUS_OK;
1952 /***************************************************************************
1954 ***************************************************************************/
1956 NTSTATUS _lsa_LookupPrivName(pipes_struct *p,
1957 struct lsa_LookupPrivName *r)
1959 struct lsa_info *info = NULL;
1961 struct lsa_StringLarge *lsa_name;
1963 /* find the connection policy handle. */
1964 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1965 return NT_STATUS_INVALID_HANDLE;
1968 if (info->type != LSA_HANDLE_POLICY_TYPE) {
1969 return NT_STATUS_INVALID_HANDLE;
1972 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
1973 return NT_STATUS_ACCESS_DENIED;
1976 name = luid_to_privilege_name((LUID *)r->in.luid);
1978 return NT_STATUS_NO_SUCH_PRIVILEGE;
1981 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1983 return NT_STATUS_NO_MEMORY;
1986 lsa_name->string = talloc_strdup(lsa_name, name);
1987 if (!lsa_name->string) {
1988 TALLOC_FREE(lsa_name);
1989 return NT_STATUS_NO_MEMORY;
1992 *r->out.name = lsa_name;
1994 return NT_STATUS_OK;
1997 /***************************************************************************
1999 ***************************************************************************/
2001 NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
2002 struct lsa_QuerySecurity *r)
2004 struct lsa_info *handle=NULL;
2005 SEC_DESC *psd = NULL;
2009 /* find the connection policy handle. */
2010 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2011 return NT_STATUS_INVALID_HANDLE;
2013 if (handle->type == LSA_HANDLE_POLICY_TYPE) {
2014 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2015 &lsa_policy_mapping, NULL, 0);
2016 } else if (handle->type == LSA_HANDLE_ACCOUNT_TYPE) {
2017 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2018 &lsa_account_mapping,
2019 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2021 status = NT_STATUS_INVALID_HANDLE;
2024 if (!NT_STATUS_IS_OK(status)) {
2028 *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2029 if (!*r->out.sdbuf) {
2030 return NT_STATUS_NO_MEMORY;
2036 /***************************************************************************
2037 _lsa_AddAccountRights
2038 ***************************************************************************/
2040 NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
2041 struct lsa_AddAccountRights *r)
2043 struct lsa_info *info = NULL;
2045 uint32_t acc_granted = 0;
2046 SEC_DESC *psd = NULL;
2051 /* find the connection policy handle. */
2052 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2053 return NT_STATUS_INVALID_HANDLE;
2055 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2056 return NT_STATUS_INVALID_HANDLE;
2059 /* get the generic lsa account SD for this SID until we store it */
2060 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2061 &lsa_account_mapping,
2062 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2063 if (!NT_STATUS_IS_OK(status)) {
2068 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2069 * on the policy handle. If it does, ask for
2070 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2071 * on the account sid. We don't check here so just use the latter. JRA.
2074 status = access_check_object(psd, p->server_info->ptok,
2075 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2076 &acc_granted, "_lsa_AddAccountRights" );
2078 if (!NT_STATUS_IS_OK(status)) {
2082 /* according to an NT4 PDC, you can add privileges to SIDs even without
2083 call_lsa_create_account() first. And you can use any arbitrary SID. */
2085 sid_copy( &sid, r->in.sid );
2087 for ( i=0; i < r->in.rights->count; i++ ) {
2089 const char *privname = r->in.rights->names[i].string;
2091 /* only try to add non-null strings */
2096 if ( !grant_privilege_by_name( &sid, privname ) ) {
2097 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2099 return NT_STATUS_NO_SUCH_PRIVILEGE;
2103 return NT_STATUS_OK;
2106 /***************************************************************************
2107 _lsa_RemoveAccountRights
2108 ***************************************************************************/
2110 NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
2111 struct lsa_RemoveAccountRights *r)
2113 struct lsa_info *info = NULL;
2115 SEC_DESC *psd = NULL;
2118 const char *privname = NULL;
2119 uint32_t acc_granted = 0;
2122 /* find the connection policy handle. */
2123 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2124 return NT_STATUS_INVALID_HANDLE;
2126 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2127 return NT_STATUS_INVALID_HANDLE;
2130 /* get the generic lsa account SD for this SID until we store it */
2131 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2132 &lsa_account_mapping,
2133 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2134 if (!NT_STATUS_IS_OK(status)) {
2139 * From the MS DOCs. We need
2140 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2141 * and DELETE on the account sid.
2144 status = access_check_object(psd, p->server_info->ptok,
2145 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2146 LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
2147 &acc_granted, "_lsa_AddAccountRights" );
2149 if (!NT_STATUS_IS_OK(status)) {
2153 sid_copy( &sid, r->in.sid );
2155 if ( r->in.remove_all ) {
2156 if ( !revoke_all_privileges( &sid ) )
2157 return NT_STATUS_ACCESS_DENIED;
2159 return NT_STATUS_OK;
2162 for ( i=0; i < r->in.rights->count; i++ ) {
2164 privname = r->in.rights->names[i].string;
2166 /* only try to add non-null strings */
2171 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2172 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2174 return NT_STATUS_NO_SUCH_PRIVILEGE;
2178 return NT_STATUS_OK;
2181 /*******************************************************************
2182 ********************************************************************/
2184 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2185 struct lsa_RightSet *r,
2186 PRIVILEGE_SET *privileges)
2189 const char *privname;
2190 const char **privname_array = NULL;
2193 for (i=0; i<privileges->count; i++) {
2195 privname = luid_to_privilege_name(&privileges->set[i].luid);
2197 if (!add_string_to_array(mem_ctx, privname,
2198 &privname_array, &num_priv)) {
2199 return NT_STATUS_NO_MEMORY;
2206 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2209 return NT_STATUS_NO_MEMORY;
2212 for (i=0; i<num_priv; i++) {
2213 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2216 r->count = num_priv;
2219 return NT_STATUS_OK;
2222 /***************************************************************************
2223 _lsa_EnumAccountRights
2224 ***************************************************************************/
2226 NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
2227 struct lsa_EnumAccountRights *r)
2230 struct lsa_info *info = NULL;
2232 PRIVILEGE_SET privileges;
2235 /* find the connection policy handle. */
2237 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2238 return NT_STATUS_INVALID_HANDLE;
2240 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2241 return NT_STATUS_INVALID_HANDLE;
2244 if (!(info->access & LSA_ACCOUNT_VIEW)) {
2245 return NT_STATUS_ACCESS_DENIED;
2248 /* according to an NT4 PDC, you can add privileges to SIDs even without
2249 call_lsa_create_account() first. And you can use any arbitrary SID. */
2251 sid_copy( &sid, r->in.sid );
2253 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2254 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2255 * the lsa database */
2257 if (!get_privileges_for_sids(&mask, &sid, 1)) {
2258 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2261 status = privilege_set_init(&privileges);
2262 if (!NT_STATUS_IS_OK(status)) {
2266 se_priv_to_privilege_set(&privileges, &mask);
2268 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2269 sid_string_dbg(&sid), privileges.count));
2271 status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2273 privilege_set_free( &privileges );
2278 /***************************************************************************
2279 _lsa_LookupPrivValue
2280 ***************************************************************************/
2282 NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
2283 struct lsa_LookupPrivValue *r)
2285 struct lsa_info *info = NULL;
2286 const char *name = NULL;
2287 LUID_ATTR priv_luid;
2290 /* find the connection policy handle. */
2292 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2293 return NT_STATUS_INVALID_HANDLE;
2295 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2296 return NT_STATUS_INVALID_HANDLE;
2299 if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2300 return NT_STATUS_ACCESS_DENIED;
2302 name = r->in.name->string;
2304 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2306 if ( !se_priv_from_name( name, &mask ) )
2307 return NT_STATUS_NO_SUCH_PRIVILEGE;
2309 priv_luid = get_privilege_luid( &mask );
2311 r->out.luid->low = priv_luid.luid.low;
2312 r->out.luid->high = priv_luid.luid.high;
2314 return NT_STATUS_OK;
2317 /***************************************************************************
2318 _lsa_EnumAccountsWithUserRight
2319 ***************************************************************************/
2321 NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p,
2322 struct lsa_EnumAccountsWithUserRight *r)
2325 struct lsa_info *info = NULL;
2326 struct dom_sid *sids = NULL;
2331 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2332 return NT_STATUS_INVALID_HANDLE;
2335 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2336 return NT_STATUS_INVALID_HANDLE;
2339 if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2340 return NT_STATUS_ACCESS_DENIED;
2343 if (!r->in.name || !r->in.name->string) {
2344 return NT_STATUS_NO_SUCH_PRIVILEGE;
2347 if (!se_priv_from_name(r->in.name->string, &mask)) {
2348 return NT_STATUS_NO_SUCH_PRIVILEGE;
2351 status = privilege_enum_sids(&mask, p->mem_ctx,
2353 if (!NT_STATUS_IS_OK(status)) {
2357 r->out.sids->num_sids = num_sids;
2358 r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2359 r->out.sids->num_sids);
2361 for (i=0; i < r->out.sids->num_sids; i++) {
2362 r->out.sids->sids[i].sid = sid_dup_talloc(r->out.sids->sids,
2364 if (!r->out.sids->sids[i].sid) {
2365 TALLOC_FREE(r->out.sids->sids);
2366 r->out.sids->num_sids = 0;
2367 return NT_STATUS_NO_MEMORY;
2371 return NT_STATUS_OK;
2375 * From here on the server routines are just dummy ones to make smbd link with
2376 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2377 * pulling the server stubs across one by one.
2380 NTSTATUS _lsa_Delete(pipes_struct *p, struct lsa_Delete *r)
2382 p->rng_fault_state = True;
2383 return NT_STATUS_NOT_IMPLEMENTED;
2386 NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
2388 p->rng_fault_state = True;
2389 return NT_STATUS_NOT_IMPLEMENTED;
2392 NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
2394 p->rng_fault_state = True;
2395 return NT_STATUS_NOT_IMPLEMENTED;
2398 NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
2400 p->rng_fault_state = True;
2401 return NT_STATUS_NOT_IMPLEMENTED;
2404 NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
2406 p->rng_fault_state = True;
2407 return NT_STATUS_NOT_IMPLEMENTED;
2410 NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
2412 p->rng_fault_state = True;
2413 return NT_STATUS_NOT_IMPLEMENTED;
2416 NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
2418 p->rng_fault_state = True;
2419 return NT_STATUS_NOT_IMPLEMENTED;
2422 NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
2424 p->rng_fault_state = True;
2425 return NT_STATUS_NOT_IMPLEMENTED;
2428 NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
2430 p->rng_fault_state = True;
2431 return NT_STATUS_NOT_IMPLEMENTED;
2434 NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
2436 p->rng_fault_state = True;
2437 return NT_STATUS_NOT_IMPLEMENTED;
2440 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
2442 p->rng_fault_state = True;
2443 return NT_STATUS_NOT_IMPLEMENTED;
2446 NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
2448 p->rng_fault_state = True;
2449 return NT_STATUS_NOT_IMPLEMENTED;
2452 NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
2454 p->rng_fault_state = True;
2455 return NT_STATUS_NOT_IMPLEMENTED;
2458 NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
2460 p->rng_fault_state = True;
2461 return NT_STATUS_NOT_IMPLEMENTED;
2464 NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
2466 p->rng_fault_state = True;
2467 return NT_STATUS_NOT_IMPLEMENTED;
2470 NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
2472 p->rng_fault_state = True;
2473 return NT_STATUS_NOT_IMPLEMENTED;
2476 NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
2478 p->rng_fault_state = True;
2479 return NT_STATUS_NOT_IMPLEMENTED;
2482 NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
2484 p->rng_fault_state = True;
2485 return NT_STATUS_NOT_IMPLEMENTED;
2488 NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
2490 p->rng_fault_state = True;
2491 return NT_STATUS_NOT_IMPLEMENTED;
2494 NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
2496 p->rng_fault_state = True;
2497 return NT_STATUS_NOT_IMPLEMENTED;
2500 NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
2502 p->rng_fault_state = True;
2503 return NT_STATUS_NOT_IMPLEMENTED;
2506 NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
2508 p->rng_fault_state = True;
2509 return NT_STATUS_NOT_IMPLEMENTED;
2512 NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
2514 p->rng_fault_state = True;
2515 return NT_STATUS_NOT_IMPLEMENTED;
2518 NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
2520 p->rng_fault_state = True;
2521 return NT_STATUS_NOT_IMPLEMENTED;
2524 NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
2526 p->rng_fault_state = True;
2527 return NT_STATUS_NOT_IMPLEMENTED;
2530 NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
2532 p->rng_fault_state = True;
2533 return NT_STATUS_NOT_IMPLEMENTED;
2536 NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
2538 p->rng_fault_state = True;
2539 return NT_STATUS_NOT_IMPLEMENTED;
2542 NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
2544 p->rng_fault_state = True;
2545 return NT_STATUS_NOT_IMPLEMENTED;
2548 NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2550 p->rng_fault_state = True;
2551 return NT_STATUS_NOT_IMPLEMENTED;
2554 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2556 p->rng_fault_state = True;
2557 return NT_STATUS_NOT_IMPLEMENTED;
2560 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2562 p->rng_fault_state = True;
2563 return NT_STATUS_NOT_IMPLEMENTED;
2566 NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
2568 p->rng_fault_state = True;
2569 return NT_STATUS_NOT_IMPLEMENTED;
2572 NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
2574 p->rng_fault_state = True;
2575 return NT_STATUS_NOT_IMPLEMENTED;
2578 NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
2580 p->rng_fault_state = True;
2581 return NT_STATUS_NOT_IMPLEMENTED;
2584 NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
2586 p->rng_fault_state = True;
2587 return NT_STATUS_NOT_IMPLEMENTED;
2590 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
2592 p->rng_fault_state = True;
2593 return NT_STATUS_NOT_IMPLEMENTED;
2596 NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
2598 p->rng_fault_state = True;
2599 return NT_STATUS_NOT_IMPLEMENTED;
2602 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
2604 p->rng_fault_state = True;
2605 return NT_STATUS_NOT_IMPLEMENTED;
2608 NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
2610 p->rng_fault_state = True;
2611 return NT_STATUS_NOT_IMPLEMENTED;
2614 NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2616 p->rng_fault_state = True;
2617 return NT_STATUS_NOT_IMPLEMENTED;
2620 NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
2622 p->rng_fault_state = True;
2623 return NT_STATUS_NOT_IMPLEMENTED;
2626 NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
2628 p->rng_fault_state = True;
2629 return NT_STATUS_NOT_IMPLEMENTED;
2632 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2634 p->rng_fault_state = True;
2635 return NT_STATUS_NOT_IMPLEMENTED;
2638 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2640 p->rng_fault_state = True;
2641 return NT_STATUS_NOT_IMPLEMENTED;
2644 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
2646 p->rng_fault_state = True;
2647 return NT_STATUS_NOT_IMPLEMENTED;