s3-lsa: allow to have NULL strings in lsa LookupName queries.
[ira/wip.git] / source3 / rpc_server / srv_lsa_nt.c
1 /*
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Copyright (C) Andrew Tridgell              1992-1997,
5  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6  *  Copyright (C) Paul Ashton                       1997,
7  *  Copyright (C) Jeremy Allison                    2001, 2006.
8  *  Copyright (C) Rafal Szczesniak                  2002,
9  *  Copyright (C) Jim McDonough <jmcd@us.ibm.com>   2002,
10  *  Copyright (C) Simo Sorce                        2003.
11  *  Copyright (C) Gerald (Jerry) Carter             2005.
12  *  Copyright (C) Volker Lendecke                   2005.
13  *  Copyright (C) Guenther Deschner                 2008.
14  *
15  *  This program is free software; you can redistribute it and/or modify
16  *  it under the terms of the GNU General Public License as published by
17  *  the Free Software Foundation; either version 3 of the License, or
18  *  (at your option) any later version.
19  *
20  *  This program is distributed in the hope that it will be useful,
21  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
22  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
23  *  GNU General Public License for more details.
24  *
25  *  You should have received a copy of the GNU General Public License
26  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
27  */
28
29 /* This is the implementation of the lsa server code. */
30
31 #include "includes.h"
32
33 #undef DBGC_CLASS
34 #define DBGC_CLASS DBGC_RPC_SRV
35
36 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
37
38 extern PRIVS privs[];
39
40 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
41
42 struct lsa_info {
43         DOM_SID sid;
44         uint32 access;
45         enum lsa_handle_type type;
46 };
47
48 const struct generic_mapping lsa_account_mapping = {
49         LSA_ACCOUNT_READ,
50         LSA_ACCOUNT_WRITE,
51         LSA_ACCOUNT_EXECUTE,
52         LSA_ACCOUNT_ALL_ACCESS
53 };
54
55 const struct generic_mapping lsa_policy_mapping = {
56         LSA_POLICY_READ,
57         LSA_POLICY_WRITE,
58         LSA_POLICY_EXECUTE,
59         LSA_POLICY_ALL_ACCESS
60 };
61
62 /***************************************************************************
63  init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
64 ***************************************************************************/
65
66 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
67                                     struct lsa_RefDomainList *ref,
68                                     const char *dom_name,
69                                     DOM_SID *dom_sid)
70 {
71         int num = 0;
72
73         if (dom_name != NULL) {
74                 for (num = 0; num < ref->count; num++) {
75                         if (sid_equal(dom_sid, ref->domains[num].sid)) {
76                                 return num;
77                         }
78                 }
79         } else {
80                 num = ref->count;
81         }
82
83         if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
84                 /* index not found, already at maximum domain limit */
85                 return -1;
86         }
87
88         ref->count = num + 1;
89         ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
90
91         ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
92                                             struct lsa_DomainInfo, ref->count);
93         if (!ref->domains) {
94                 return -1;
95         }
96
97         ZERO_STRUCT(ref->domains[num]);
98
99         init_lsa_StringLarge(&ref->domains[num].name, dom_name);
100         ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
101         if (!ref->domains[num].sid) {
102                 return -1;
103         }
104
105         return num;
106 }
107
108
109 /***************************************************************************
110  initialize a lsa_DomainInfo structure.
111  ***************************************************************************/
112
113 static void init_dom_query_3(struct lsa_DomainInfo *r,
114                              const char *name,
115                              DOM_SID *sid)
116 {
117         init_lsa_StringLarge(&r->name, name);
118         r->sid = sid;
119 }
120
121 /***************************************************************************
122  initialize a lsa_DomainInfo structure.
123  ***************************************************************************/
124
125 static void init_dom_query_5(struct lsa_DomainInfo *r,
126                              const char *name,
127                              DOM_SID *sid)
128 {
129         init_lsa_StringLarge(&r->name, name);
130         r->sid = sid;
131 }
132
133 /***************************************************************************
134  lookup_lsa_rids. Must be called as root for lookup_name to work.
135  ***************************************************************************/
136
137 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
138                                 struct lsa_RefDomainList *ref,
139                                 struct lsa_TranslatedSid *prid,
140                                 uint32_t num_entries,
141                                 struct lsa_String *name,
142                                 int flags,
143                                 uint32_t *pmapped_count)
144 {
145         uint32 mapped_count, i;
146
147         SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
148
149         mapped_count = 0;
150         *pmapped_count = 0;
151
152         for (i = 0; i < num_entries; i++) {
153                 DOM_SID sid;
154                 uint32 rid;
155                 int dom_idx;
156                 const char *full_name;
157                 const char *domain;
158                 enum lsa_SidType type = SID_NAME_UNKNOWN;
159
160                 /* Split name into domain and user component */
161
162                 full_name = name[i].string;
163                 if (full_name == NULL) {
164                         prid[i].sid_type        = type;
165                         prid[i].rid             = 0;
166                         prid[i].sid_index       = (uint32_t)-1;
167                         continue;
168                 }
169
170                 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
171
172                 /* We can ignore the result of lookup_name, it will not touch
173                    "type" if it's not successful */
174
175                 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
176                             &sid, &type);
177
178                 switch (type) {
179                 case SID_NAME_USER:
180                 case SID_NAME_DOM_GRP:
181                 case SID_NAME_DOMAIN:
182                 case SID_NAME_ALIAS:
183                 case SID_NAME_WKN_GRP:
184                         DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
185                         /* Leave these unchanged */
186                         break;
187                 default:
188                         /* Don't hand out anything but the list above */
189                         DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
190                         type = SID_NAME_UNKNOWN;
191                         break;
192                 }
193
194                 rid = 0;
195                 dom_idx = -1;
196
197                 if (type != SID_NAME_UNKNOWN) {
198                         sid_split_rid(&sid, &rid);
199                         dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
200                         mapped_count++;
201                 }
202
203                 prid[i].sid_type        = type;
204                 prid[i].rid             = rid;
205                 prid[i].sid_index       = dom_idx;
206         }
207
208         *pmapped_count = mapped_count;
209         return NT_STATUS_OK;
210 }
211
212 /***************************************************************************
213  lookup_lsa_sids. Must be called as root for lookup_name to work.
214  ***************************************************************************/
215
216 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
217                                 struct lsa_RefDomainList *ref,
218                                 struct lsa_TranslatedSid3 *trans_sids,
219                                 uint32_t num_entries,
220                                 struct lsa_String *name,
221                                 int flags,
222                                 uint32 *pmapped_count)
223 {
224         uint32 mapped_count, i;
225
226         SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
227
228         mapped_count = 0;
229         *pmapped_count = 0;
230
231         for (i = 0; i < num_entries; i++) {
232                 DOM_SID sid;
233                 uint32 rid;
234                 int dom_idx;
235                 const char *full_name;
236                 const char *domain;
237                 enum lsa_SidType type = SID_NAME_UNKNOWN;
238
239                 ZERO_STRUCT(sid);
240
241                 /* Split name into domain and user component */
242
243                 full_name = name[i].string;
244                 if (full_name == NULL) {
245                         return NT_STATUS_NO_MEMORY;
246                 }
247
248                 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
249
250                 /* We can ignore the result of lookup_name, it will not touch
251                    "type" if it's not successful */
252
253                 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
254                             &sid, &type);
255
256                 switch (type) {
257                 case SID_NAME_USER:
258                 case SID_NAME_DOM_GRP:
259                 case SID_NAME_DOMAIN:
260                 case SID_NAME_ALIAS:
261                 case SID_NAME_WKN_GRP:
262                         DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
263                         /* Leave these unchanged */
264                         break;
265                 default:
266                         /* Don't hand out anything but the list above */
267                         DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
268                         type = SID_NAME_UNKNOWN;
269                         break;
270                 }
271
272                 rid = 0;
273                 dom_idx = -1;
274
275                 if (type != SID_NAME_UNKNOWN) {
276                         DOM_SID domain_sid;
277                         sid_copy(&domain_sid, &sid);
278                         sid_split_rid(&domain_sid, &rid);
279                         dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
280                         mapped_count++;
281                 }
282
283                 /* Initialize the lsa_TranslatedSid3 return. */
284                 trans_sids[i].sid_type = type;
285                 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
286                 trans_sids[i].sid_index = dom_idx;
287         }
288
289         *pmapped_count = mapped_count;
290         return NT_STATUS_OK;
291 }
292
293 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size,
294                                         const struct generic_mapping *map,
295                                         DOM_SID *sid, uint32_t sid_access)
296 {
297         DOM_SID adm_sid;
298         SEC_ACE ace[5];
299         size_t i = 0;
300
301         SEC_ACL *psa = NULL;
302
303         /* READ|EXECUTE access for Everyone */
304
305         init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
306                         map->generic_execute | map->generic_read, 0);
307
308         /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
309
310         init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
311                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
312         init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
313                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
314
315         /* Add Full Access for Domain Admins */
316         sid_copy(&adm_sid, get_global_sam_sid());
317         sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
318         init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
319                         map->generic_all, 0);
320
321         /* If we have a sid, give it some special access */
322
323         if (sid) {
324                 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
325                         sid_access, 0);
326         }
327
328         if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
329                 return NT_STATUS_NO_MEMORY;
330
331         if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
332                                 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
333                                 psa, sd_size)) == NULL)
334                 return NT_STATUS_NO_MEMORY;
335
336         return NT_STATUS_OK;
337 }
338
339
340 /***************************************************************************
341  _lsa_OpenPolicy2
342  ***************************************************************************/
343
344 NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
345                           struct lsa_OpenPolicy2 *r)
346 {
347         struct lsa_info *info;
348         SEC_DESC *psd = NULL;
349         size_t sd_size;
350         uint32 des_access = r->in.access_mask;
351         uint32 acc_granted;
352         NTSTATUS status;
353
354         /* Work out max allowed. */
355         map_max_allowed_access(p->server_info->ptok,
356                                &p->server_info->utok,
357                                &des_access);
358
359         /* map the generic bits to the lsa policy ones */
360         se_map_generic(&des_access, &lsa_policy_mapping);
361
362         /* get the generic lsa policy SD until we store it */
363         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
364                         NULL, 0);
365         if (!NT_STATUS_IS_OK(status)) {
366                 return status;
367         }
368
369         status = access_check_object(psd, p->server_info->ptok,
370                 NULL, 0, des_access,
371                 &acc_granted, "_lsa_OpenPolicy2" );
372
373         if (!NT_STATUS_IS_OK(status)) {
374                 return status;
375         }
376
377         /* associate the domain SID with the (unique) handle. */
378         info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
379         if (info == NULL) {
380                 return NT_STATUS_NO_MEMORY;
381         }
382
383         sid_copy(&info->sid,get_global_sam_sid());
384         info->access = acc_granted;
385         info->type = LSA_HANDLE_POLICY_TYPE;
386
387         /* set up the LSA QUERY INFO response */
388         if (!create_policy_hnd(p, r->out.handle, info))
389                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
390
391         return NT_STATUS_OK;
392 }
393
394 /***************************************************************************
395  _lsa_OpenPolicy
396  ***************************************************************************/
397
398 NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
399                          struct lsa_OpenPolicy *r)
400 {
401         struct lsa_OpenPolicy2 o;
402
403         o.in.system_name        = NULL; /* should be ignored */
404         o.in.attr               = r->in.attr;
405         o.in.access_mask        = r->in.access_mask;
406
407         o.out.handle            = r->out.handle;
408
409         return _lsa_OpenPolicy2(p, &o);
410 }
411
412 /***************************************************************************
413  _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
414  ufff, done :)  mimir
415  ***************************************************************************/
416
417 NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
418                            struct lsa_EnumTrustDom *r)
419 {
420         struct lsa_info *info;
421         uint32 next_idx;
422         struct trustdom_info **domains;
423         struct lsa_DomainInfo *lsa_domains = NULL;
424         int i;
425
426         /*
427          * preferred length is set to 5 as a "our" preferred length
428          * nt sets this parameter to 2
429          * update (20.08.2002): it's not preferred length, but preferred size!
430          * it needs further investigation how to optimally choose this value
431          */
432         uint32 max_num_domains =
433                 r->in.max_size < 5 ? r->in.max_size : 10;
434         uint32 num_domains;
435         NTSTATUS nt_status;
436         uint32 num_thistime;
437
438         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
439                 return NT_STATUS_INVALID_HANDLE;
440
441         if (info->type != LSA_HANDLE_POLICY_TYPE) {
442                 return NT_STATUS_INVALID_HANDLE;
443         }
444
445         /* check if the user has enough rights */
446         if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
447                 return NT_STATUS_ACCESS_DENIED;
448
449         become_root();
450         nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
451         unbecome_root();
452
453         if (!NT_STATUS_IS_OK(nt_status)) {
454                 return nt_status;
455         }
456
457         if (*r->in.resume_handle < num_domains) {
458                 num_thistime = MIN(num_domains, max_num_domains);
459
460                 nt_status = STATUS_MORE_ENTRIES;
461
462                 if (*r->in.resume_handle + num_thistime > num_domains) {
463                         num_thistime = num_domains - *r->in.resume_handle;
464                         nt_status = NT_STATUS_OK;
465                 }
466
467                 next_idx = *r->in.resume_handle + num_thistime;
468         } else {
469                 num_thistime = 0;
470                 next_idx = 0xffffffff;
471                 nt_status = NT_STATUS_NO_MORE_ENTRIES;
472         }
473
474         /* set up the lsa_enum_trust_dom response */
475
476         lsa_domains = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo,
477                                         num_thistime);
478         if (!lsa_domains) {
479                 return NT_STATUS_NO_MEMORY;
480         }
481
482         for (i=0; i<num_thistime; i++) {
483                 init_lsa_StringLarge(&lsa_domains[i].name, domains[i]->name);
484                 lsa_domains[i].sid = &domains[i]->sid;
485         }
486
487         *r->out.resume_handle = next_idx;
488         r->out.domains->count = num_thistime;
489         r->out.domains->domains = lsa_domains;
490
491         return nt_status;
492 }
493
494 #define LSA_AUDIT_NUM_CATEGORIES_NT4    7
495 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K  9
496 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
497
498 /***************************************************************************
499  _lsa_QueryInfoPolicy
500  ***************************************************************************/
501
502 NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
503                               struct lsa_QueryInfoPolicy *r)
504 {
505         NTSTATUS status = NT_STATUS_OK;
506         struct lsa_info *handle;
507         DOM_SID domain_sid;
508         const char *name;
509         DOM_SID *sid = NULL;
510         union lsa_PolicyInformation *info = NULL;
511         uint32_t acc_required = 0;
512
513         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
514                 return NT_STATUS_INVALID_HANDLE;
515
516         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
517                 return NT_STATUS_INVALID_HANDLE;
518         }
519
520         switch (r->in.level) {
521         case LSA_POLICY_INFO_AUDIT_LOG:
522         case LSA_POLICY_INFO_AUDIT_EVENTS:
523                 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
524                 break;
525         case LSA_POLICY_INFO_DOMAIN:
526                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
527                 break;
528         case LSA_POLICY_INFO_PD:
529                 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
530                 break;
531         case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
532                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
533                 break;
534         case LSA_POLICY_INFO_ROLE:
535         case LSA_POLICY_INFO_REPLICA:
536                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
537                 break;
538         case LSA_POLICY_INFO_QUOTA:
539                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
540                 break;
541         case LSA_POLICY_INFO_MOD:
542         case LSA_POLICY_INFO_AUDIT_FULL_SET:
543                 /* according to MS-LSAD 3.1.4.4.3 */
544                 return NT_STATUS_INVALID_PARAMETER;
545         case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
546                 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
547                 break;
548         case LSA_POLICY_INFO_DNS:
549         case LSA_POLICY_INFO_DNS_INT:
550         case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
551                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
552                 break;
553         default:
554                 break;
555         }
556
557         if (!(handle->access & acc_required)) {
558                 /* return NT_STATUS_ACCESS_DENIED; */
559         }
560
561         info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
562         if (!info) {
563                 return NT_STATUS_NO_MEMORY;
564         }
565
566         switch (r->in.level) {
567         case LSA_POLICY_INFO_AUDIT_EVENTS:
568                 {
569
570                 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
571
572                 /* check if the user has enough rights */
573                 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
574                         DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
575                         return NT_STATUS_ACCESS_DENIED;
576                 }
577
578                 /* fake info: We audit everything. ;) */
579
580                 info->audit_events.auditing_mode = true;
581                 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
582                 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
583                                                                 enum lsa_PolicyAuditPolicy,
584                                                                 info->audit_events.count);
585                 if (!info->audit_events.settings) {
586                         return NT_STATUS_NO_MEMORY;
587                 }
588
589                 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
590                 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
591                 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
592                 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
593                 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
594                 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
595                 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
596
597                 break;
598                 }
599         case LSA_POLICY_INFO_DOMAIN:
600                 /* check if the user has enough rights */
601                 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
602                         return NT_STATUS_ACCESS_DENIED;
603
604                 /* Request PolicyPrimaryDomainInformation. */
605                 switch (lp_server_role()) {
606                         case ROLE_DOMAIN_PDC:
607                         case ROLE_DOMAIN_BDC:
608                                 name = get_global_sam_name();
609                                 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
610                                 if (!sid) {
611                                         return NT_STATUS_NO_MEMORY;
612                                 }
613                                 break;
614                         case ROLE_DOMAIN_MEMBER:
615                                 name = lp_workgroup();
616                                 /* We need to return the Domain SID here. */
617                                 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
618                                         sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
619                                         if (!sid) {
620                                                 return NT_STATUS_NO_MEMORY;
621                                         }
622                                 } else {
623                                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
624                                 }
625                                 break;
626                         case ROLE_STANDALONE:
627                                 name = lp_workgroup();
628                                 sid = NULL;
629                                 break;
630                         default:
631                                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
632                 }
633                 init_dom_query_3(&info->domain, name, sid);
634                 break;
635         case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
636                 /* check if the user has enough rights */
637                 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
638                         return NT_STATUS_ACCESS_DENIED;
639
640                 /* Request PolicyAccountDomainInformation. */
641                 name = get_global_sam_name();
642                 sid = get_global_sam_sid();
643
644                 init_dom_query_5(&info->account_domain, name, sid);
645                 break;
646         case LSA_POLICY_INFO_ROLE:
647                 /* check if the user has enough rights */
648                 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
649                         return NT_STATUS_ACCESS_DENIED;
650
651                 switch (lp_server_role()) {
652                         case ROLE_DOMAIN_BDC:
653                                 /*
654                                  * only a BDC is a backup controller
655                                  * of the domain, it controls.
656                                  */
657                                 info->role.role = LSA_ROLE_BACKUP;
658                                 break;
659                         default:
660                                 /*
661                                  * any other role is a primary
662                                  * of the domain, it controls.
663                                  */
664                                 info->role.role = LSA_ROLE_PRIMARY;
665                                 break;
666                 }
667                 break;
668         case LSA_POLICY_INFO_DNS:
669         case LSA_POLICY_INFO_DNS_INT: {
670                 struct pdb_domain_info *dominfo;
671
672                 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
673                         DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
674                                    "without ADS passdb backend\n"));
675                         status = NT_STATUS_INVALID_INFO_CLASS;
676                         break;
677                 }
678
679                 dominfo = pdb_get_domain_info(info);
680                 if (dominfo == NULL) {
681                         status = NT_STATUS_NO_MEMORY;
682                         break;
683                 }
684
685                 init_lsa_StringLarge(&info->dns.name,
686                                      dominfo->name);
687                 init_lsa_StringLarge(&info->dns.dns_domain,
688                                      dominfo->dns_domain);
689                 init_lsa_StringLarge(&info->dns.dns_forest,
690                                      dominfo->dns_forest);
691                 info->dns.domain_guid = dominfo->guid;
692                 info->dns.sid = &dominfo->sid;
693                 break;
694         }
695         default:
696                 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
697                         r->in.level));
698                 status = NT_STATUS_INVALID_INFO_CLASS;
699                 break;
700         }
701
702         *r->out.info = info;
703
704         return status;
705 }
706
707 /***************************************************************************
708  _lsa_QueryInfoPolicy2
709  ***************************************************************************/
710
711 NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p,
712                                struct lsa_QueryInfoPolicy2 *r2)
713 {
714         struct lsa_QueryInfoPolicy r;
715
716         if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
717                 p->rng_fault_state = True;
718                 return NT_STATUS_NOT_IMPLEMENTED;
719         }
720
721         ZERO_STRUCT(r);
722         r.in.handle = r2->in.handle;
723         r.in.level = r2->in.level;
724         r.out.info = r2->out.info;
725
726         return _lsa_QueryInfoPolicy(p, &r);
727 }
728
729 /***************************************************************************
730  _lsa_lookup_sids_internal
731  ***************************************************************************/
732
733 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
734                                           TALLOC_CTX *mem_ctx,
735                                           uint16_t level,                       /* input */
736                                           int num_sids,                         /* input */
737                                           struct lsa_SidPtr *sid,               /* input */
738                                           struct lsa_RefDomainList **pp_ref,    /* input/output */
739                                           struct lsa_TranslatedName2 **pp_names,/* input/output */
740                                           uint32_t *pp_mapped_count)            /* input/output */
741 {
742         NTSTATUS status;
743         int i;
744         const DOM_SID **sids = NULL;
745         struct lsa_RefDomainList *ref = NULL;
746         uint32 mapped_count = 0;
747         struct lsa_dom_info *dom_infos = NULL;
748         struct lsa_name_info *name_infos = NULL;
749         struct lsa_TranslatedName2 *names = NULL;
750
751         *pp_mapped_count = 0;
752         *pp_names = NULL;
753         *pp_ref = NULL;
754
755         if (num_sids == 0) {
756                 return NT_STATUS_OK;
757         }
758
759         sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
760         ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
761
762         if (sids == NULL || ref == NULL) {
763                 return NT_STATUS_NO_MEMORY;
764         }
765
766         for (i=0; i<num_sids; i++) {
767                 sids[i] = sid[i].sid;
768         }
769
770         status = lookup_sids(p->mem_ctx, num_sids, sids, level,
771                                   &dom_infos, &name_infos);
772
773         if (!NT_STATUS_IS_OK(status)) {
774                 return status;
775         }
776
777         names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
778         if (names == NULL) {
779                 return NT_STATUS_NO_MEMORY;
780         }
781
782         for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
783
784                 if (!dom_infos[i].valid) {
785                         break;
786                 }
787
788                 if (init_lsa_ref_domain_list(mem_ctx, ref,
789                                              dom_infos[i].name,
790                                              &dom_infos[i].sid) != i) {
791                         DEBUG(0, ("Domain %s mentioned twice??\n",
792                                   dom_infos[i].name));
793                         return NT_STATUS_INTERNAL_ERROR;
794                 }
795         }
796
797         for (i=0; i<num_sids; i++) {
798                 struct lsa_name_info *name = &name_infos[i];
799
800                 if (name->type == SID_NAME_UNKNOWN) {
801                         fstring tmp;
802                         name->dom_idx = -1;
803                         /* Unknown sids should return the string
804                          * representation of the SID. Windows 2003 behaves
805                          * rather erratic here, in many cases it returns the
806                          * RID as 8 bytes hex, in others it returns the full
807                          * SID. We (Jerry/VL) could not figure out which the
808                          * hard cases are, so leave it with the SID.  */
809                         name->name = talloc_asprintf(p->mem_ctx, "%s",
810                                                      sid_to_fstring(tmp,
811                                                                     sids[i]));
812                         if (name->name == NULL) {
813                                 return NT_STATUS_NO_MEMORY;
814                         }
815                 } else {
816                         mapped_count += 1;
817                 }
818
819                 names[i].sid_type       = name->type;
820                 names[i].name.string    = name->name;
821                 names[i].sid_index      = name->dom_idx;
822                 names[i].unknown        = 0;
823         }
824
825         status = NT_STATUS_NONE_MAPPED;
826         if (mapped_count > 0) {
827                 status = (mapped_count < num_sids) ?
828                         STATUS_SOME_UNMAPPED : NT_STATUS_OK;
829         }
830
831         DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
832                    num_sids, mapped_count, nt_errstr(status)));
833
834         *pp_mapped_count = mapped_count;
835         *pp_names = names;
836         *pp_ref = ref;
837
838         return status;
839 }
840
841 /***************************************************************************
842  _lsa_LookupSids
843  ***************************************************************************/
844
845 NTSTATUS _lsa_LookupSids(pipes_struct *p,
846                          struct lsa_LookupSids *r)
847 {
848         NTSTATUS status;
849         struct lsa_info *handle;
850         int num_sids = r->in.sids->num_sids;
851         uint32 mapped_count = 0;
852         struct lsa_RefDomainList *domains = NULL;
853         struct lsa_TranslatedName *names_out = NULL;
854         struct lsa_TranslatedName2 *names = NULL;
855         int i;
856
857         if ((r->in.level < 1) || (r->in.level > 6)) {
858                 return NT_STATUS_INVALID_PARAMETER;
859         }
860
861         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
862                 return NT_STATUS_INVALID_HANDLE;
863         }
864
865         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
866                 return NT_STATUS_INVALID_HANDLE;
867         }
868
869         /* check if the user has enough rights */
870         if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
871                 return NT_STATUS_ACCESS_DENIED;
872         }
873
874         if (num_sids >  MAX_LOOKUP_SIDS) {
875                 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
876                          MAX_LOOKUP_SIDS, num_sids));
877                 return NT_STATUS_NONE_MAPPED;
878         }
879
880         status = _lsa_lookup_sids_internal(p,
881                                            p->mem_ctx,
882                                            r->in.level,
883                                            num_sids,
884                                            r->in.sids->sids,
885                                            &domains,
886                                            &names,
887                                            &mapped_count);
888
889         /* Only return here when there is a real error.
890            NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
891            the requested sids could be resolved. Older versions of XP (pre SP3)
892            rely that we return with the string representations of those SIDs in
893            that case. If we don't, XP crashes - Guenther
894            */
895
896         if (NT_STATUS_IS_ERR(status) &&
897             !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
898                 return status;
899         }
900
901         /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
902         names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
903                                  num_sids);
904         if (!names_out) {
905                 return NT_STATUS_NO_MEMORY;
906         }
907
908         for (i=0; i<num_sids; i++) {
909                 names_out[i].sid_type = names[i].sid_type;
910                 names_out[i].name = names[i].name;
911                 names_out[i].sid_index = names[i].sid_index;
912         }
913
914         *r->out.domains = domains;
915         r->out.names->count = num_sids;
916         r->out.names->names = names_out;
917         *r->out.count = mapped_count;
918
919         return status;
920 }
921
922 /***************************************************************************
923  _lsa_LookupSids2
924  ***************************************************************************/
925
926 NTSTATUS _lsa_LookupSids2(pipes_struct *p,
927                           struct lsa_LookupSids2 *r)
928 {
929         NTSTATUS status;
930         struct lsa_info *handle;
931         int num_sids = r->in.sids->num_sids;
932         uint32 mapped_count = 0;
933         struct lsa_RefDomainList *domains = NULL;
934         struct lsa_TranslatedName2 *names = NULL;
935         bool check_policy = true;
936
937         switch (p->hdr_req.opnum) {
938                 case NDR_LSA_LOOKUPSIDS3:
939                         check_policy = false;
940                         break;
941                 case NDR_LSA_LOOKUPSIDS2:
942                 default:
943                         check_policy = true;
944         }
945
946         if ((r->in.level < 1) || (r->in.level > 6)) {
947                 return NT_STATUS_INVALID_PARAMETER;
948         }
949
950         if (check_policy) {
951                 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
952                         return NT_STATUS_INVALID_HANDLE;
953                 }
954
955                 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
956                         return NT_STATUS_INVALID_HANDLE;
957                 }
958
959                 /* check if the user has enough rights */
960                 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
961                         return NT_STATUS_ACCESS_DENIED;
962                 }
963         }
964
965         if (num_sids >  MAX_LOOKUP_SIDS) {
966                 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
967                          MAX_LOOKUP_SIDS, num_sids));
968                 return NT_STATUS_NONE_MAPPED;
969         }
970
971         status = _lsa_lookup_sids_internal(p,
972                                            p->mem_ctx,
973                                            r->in.level,
974                                            num_sids,
975                                            r->in.sids->sids,
976                                            &domains,
977                                            &names,
978                                            &mapped_count);
979
980         *r->out.domains = domains;
981         r->out.names->count = num_sids;
982         r->out.names->names = names;
983         *r->out.count = mapped_count;
984
985         return status;
986 }
987
988 /***************************************************************************
989  _lsa_LookupSids3
990  ***************************************************************************/
991
992 NTSTATUS _lsa_LookupSids3(pipes_struct *p,
993                           struct lsa_LookupSids3 *r)
994 {
995         struct lsa_LookupSids2 q;
996
997         /* No policy handle on this call. Restrict to crypto connections. */
998         if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
999                 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
1000                         get_remote_machine_name() ));
1001                 return NT_STATUS_INVALID_PARAMETER;
1002         }
1003
1004         q.in.handle             = NULL;
1005         q.in.sids               = r->in.sids;
1006         q.in.level              = r->in.level;
1007         q.in.lookup_options     = r->in.lookup_options;
1008         q.in.client_revision    = r->in.client_revision;
1009         q.in.names              = r->in.names;
1010         q.in.count              = r->in.count;
1011
1012         q.out.domains           = r->out.domains;
1013         q.out.names             = r->out.names;
1014         q.out.count             = r->out.count;
1015
1016         return _lsa_LookupSids2(p, &q);
1017 }
1018
1019 /***************************************************************************
1020  ***************************************************************************/
1021
1022 static int lsa_lookup_level_to_flags(uint16 level)
1023 {
1024         int flags;
1025
1026         switch (level) {
1027                 case 1:
1028                         flags = LOOKUP_NAME_ALL;
1029                         break;
1030                 case 2:
1031                         flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1032                         break;
1033                 case 3:
1034                         flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1035                         break;
1036                 case 4:
1037                 case 5:
1038                 case 6:
1039                 default:
1040                         flags = LOOKUP_NAME_NONE;
1041                         break;
1042         }
1043
1044         return flags;
1045 }
1046
1047 /***************************************************************************
1048  _lsa_LookupNames
1049  ***************************************************************************/
1050
1051 NTSTATUS _lsa_LookupNames(pipes_struct *p,
1052                           struct lsa_LookupNames *r)
1053 {
1054         NTSTATUS status = NT_STATUS_NONE_MAPPED;
1055         struct lsa_info *handle;
1056         struct lsa_String *names = r->in.names;
1057         uint32 num_entries = r->in.num_names;
1058         struct lsa_RefDomainList *domains = NULL;
1059         struct lsa_TranslatedSid *rids = NULL;
1060         uint32 mapped_count = 0;
1061         int flags = 0;
1062
1063         if (num_entries >  MAX_LOOKUP_SIDS) {
1064                 num_entries = MAX_LOOKUP_SIDS;
1065                 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1066                         num_entries));
1067         }
1068
1069         flags = lsa_lookup_level_to_flags(r->in.level);
1070
1071         domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1072         if (!domains) {
1073                 return NT_STATUS_NO_MEMORY;
1074         }
1075
1076         if (num_entries) {
1077                 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1078                                          num_entries);
1079                 if (!rids) {
1080                         return NT_STATUS_NO_MEMORY;
1081                 }
1082         } else {
1083                 rids = NULL;
1084         }
1085
1086         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1087                 status = NT_STATUS_INVALID_HANDLE;
1088                 goto done;
1089         }
1090
1091         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1092                 return NT_STATUS_INVALID_HANDLE;
1093         }
1094
1095         /* check if the user has enough rights */
1096         if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1097                 status = NT_STATUS_ACCESS_DENIED;
1098                 goto done;
1099         }
1100
1101         /* set up the LSA Lookup RIDs response */
1102         become_root(); /* lookup_name can require root privs */
1103         status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1104                                  names, flags, &mapped_count);
1105         unbecome_root();
1106
1107 done:
1108
1109         if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1110                 if (mapped_count == 0) {
1111                         status = NT_STATUS_NONE_MAPPED;
1112                 } else if (mapped_count != num_entries) {
1113                         status = STATUS_SOME_UNMAPPED;
1114                 }
1115         }
1116
1117         *r->out.count = mapped_count;
1118         *r->out.domains = domains;
1119         r->out.sids->sids = rids;
1120         r->out.sids->count = num_entries;
1121
1122         return status;
1123 }
1124
1125 /***************************************************************************
1126  _lsa_LookupNames2
1127  ***************************************************************************/
1128
1129 NTSTATUS _lsa_LookupNames2(pipes_struct *p,
1130                            struct lsa_LookupNames2 *r)
1131 {
1132         NTSTATUS status;
1133         struct lsa_LookupNames q;
1134         struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1135         struct lsa_TransSidArray *sid_array = NULL;
1136         uint32_t i;
1137
1138         sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1139         if (!sid_array) {
1140                 return NT_STATUS_NO_MEMORY;
1141         }
1142
1143         q.in.handle             = r->in.handle;
1144         q.in.num_names          = r->in.num_names;
1145         q.in.names              = r->in.names;
1146         q.in.level              = r->in.level;
1147         q.in.sids               = sid_array;
1148         q.in.count              = r->in.count;
1149         /* we do not know what this is for */
1150         /*                      = r->in.unknown1; */
1151         /*                      = r->in.unknown2; */
1152
1153         q.out.domains           = r->out.domains;
1154         q.out.sids              = sid_array;
1155         q.out.count             = r->out.count;
1156
1157         status = _lsa_LookupNames(p, &q);
1158
1159         sid_array2->count = sid_array->count;
1160         sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1161         if (!sid_array2->sids) {
1162                 return NT_STATUS_NO_MEMORY;
1163         }
1164
1165         for (i=0; i<sid_array->count; i++) {
1166                 sid_array2->sids[i].sid_type  = sid_array->sids[i].sid_type;
1167                 sid_array2->sids[i].rid       = sid_array->sids[i].rid;
1168                 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1169                 sid_array2->sids[i].unknown   = 0;
1170         }
1171
1172         r->out.sids = sid_array2;
1173
1174         return status;
1175 }
1176
1177 /***************************************************************************
1178  _lsa_LookupNames3
1179  ***************************************************************************/
1180
1181 NTSTATUS _lsa_LookupNames3(pipes_struct *p,
1182                            struct lsa_LookupNames3 *r)
1183 {
1184         NTSTATUS status;
1185         struct lsa_info *handle;
1186         struct lsa_String *names = r->in.names;
1187         uint32 num_entries = r->in.num_names;
1188         struct lsa_RefDomainList *domains = NULL;
1189         struct lsa_TranslatedSid3 *trans_sids = NULL;
1190         uint32 mapped_count = 0;
1191         int flags = 0;
1192         bool check_policy = true;
1193
1194         switch (p->hdr_req.opnum) {
1195                 case NDR_LSA_LOOKUPNAMES4:
1196                         check_policy = false;
1197                         break;
1198                 case NDR_LSA_LOOKUPNAMES3:
1199                 default:
1200                         check_policy = true;
1201         }
1202
1203         if (num_entries >  MAX_LOOKUP_SIDS) {
1204                 num_entries = MAX_LOOKUP_SIDS;
1205                 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1206         }
1207
1208         /* Probably the lookup_level is some sort of bitmask. */
1209         if (r->in.level == 1) {
1210                 flags = LOOKUP_NAME_ALL;
1211         }
1212
1213         domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1214         if (!domains) {
1215                 return NT_STATUS_NO_MEMORY;
1216         }
1217
1218         if (num_entries) {
1219                 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1220                                                num_entries);
1221                 if (!trans_sids) {
1222                         return NT_STATUS_NO_MEMORY;
1223                 }
1224         } else {
1225                 trans_sids = NULL;
1226         }
1227
1228         if (check_policy) {
1229
1230                 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1231                         status = NT_STATUS_INVALID_HANDLE;
1232                         goto done;
1233                 }
1234
1235                 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1236                         return NT_STATUS_INVALID_HANDLE;
1237                 }
1238
1239                 /* check if the user has enough rights */
1240                 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1241                         status = NT_STATUS_ACCESS_DENIED;
1242                         goto done;
1243                 }
1244         }
1245
1246         /* set up the LSA Lookup SIDs response */
1247         become_root(); /* lookup_name can require root privs */
1248         status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1249                                  names, flags, &mapped_count);
1250         unbecome_root();
1251
1252 done:
1253
1254         if (NT_STATUS_IS_OK(status)) {
1255                 if (mapped_count == 0) {
1256                         status = NT_STATUS_NONE_MAPPED;
1257                 } else if (mapped_count != num_entries) {
1258                         status = STATUS_SOME_UNMAPPED;
1259                 }
1260         }
1261
1262         *r->out.count = mapped_count;
1263         *r->out.domains = domains;
1264         r->out.sids->sids = trans_sids;
1265         r->out.sids->count = num_entries;
1266
1267         return status;
1268 }
1269
1270 /***************************************************************************
1271  _lsa_LookupNames4
1272  ***************************************************************************/
1273
1274 NTSTATUS _lsa_LookupNames4(pipes_struct *p,
1275                            struct lsa_LookupNames4 *r)
1276 {
1277         struct lsa_LookupNames3 q;
1278
1279         /* No policy handle on this call. Restrict to crypto connections. */
1280         if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1281                 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1282                         get_remote_machine_name() ));
1283                 return NT_STATUS_INVALID_PARAMETER;
1284         }
1285
1286         q.in.handle             = NULL;
1287         q.in.num_names          = r->in.num_names;
1288         q.in.names              = r->in.names;
1289         q.in.level              = r->in.level;
1290         q.in.lookup_options     = r->in.lookup_options;
1291         q.in.client_revision    = r->in.client_revision;
1292         q.in.sids               = r->in.sids;
1293         q.in.count              = r->in.count;
1294
1295         q.out.domains           = r->out.domains;
1296         q.out.sids              = r->out.sids;
1297         q.out.count             = r->out.count;
1298
1299         return _lsa_LookupNames3(p, &q);
1300 }
1301
1302 /***************************************************************************
1303  _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1304  ***************************************************************************/
1305
1306 NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
1307 {
1308         if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1309                 return NT_STATUS_INVALID_HANDLE;
1310         }
1311
1312         close_policy_hnd(p, r->in.handle);
1313         ZERO_STRUCTP(r->out.handle);
1314         return NT_STATUS_OK;
1315 }
1316
1317 /***************************************************************************
1318  ***************************************************************************/
1319
1320 NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
1321 {
1322         return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1323 }
1324
1325 /***************************************************************************
1326  ***************************************************************************/
1327
1328 NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
1329 {
1330         return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1331 }
1332
1333 /***************************************************************************
1334  ***************************************************************************/
1335
1336 NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
1337 {
1338         return NT_STATUS_ACCESS_DENIED;
1339 }
1340
1341 /***************************************************************************
1342  ***************************************************************************/
1343
1344 NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
1345 {
1346         return NT_STATUS_ACCESS_DENIED;
1347 }
1348
1349 /***************************************************************************
1350  ***************************************************************************/
1351
1352 NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
1353 {
1354         return NT_STATUS_ACCESS_DENIED;
1355 }
1356
1357 /***************************************************************************
1358  _lsa_DeleteObject
1359  ***************************************************************************/
1360
1361 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
1362                            struct lsa_DeleteObject *r)
1363 {
1364         NTSTATUS status;
1365         struct lsa_info *info = NULL;
1366
1367         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1368                 return NT_STATUS_INVALID_HANDLE;
1369         }
1370
1371         if (!(info->access & STD_RIGHT_DELETE_ACCESS)) {
1372                 return NT_STATUS_ACCESS_DENIED;
1373         }
1374
1375         switch (info->type) {
1376         case LSA_HANDLE_ACCOUNT_TYPE:
1377                 status = privilege_delete_account(&info->sid);
1378                 if (!NT_STATUS_IS_OK(status)) {
1379                         DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1380                                 nt_errstr(status)));
1381                         return status;
1382                 }
1383                 break;
1384         default:
1385                 return NT_STATUS_INVALID_HANDLE;
1386         }
1387
1388         close_policy_hnd(p, r->in.handle);
1389         ZERO_STRUCTP(r->out.handle);
1390
1391         return status;
1392 }
1393
1394 /***************************************************************************
1395  _lsa_EnumPrivs
1396  ***************************************************************************/
1397
1398 NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
1399                         struct lsa_EnumPrivs *r)
1400 {
1401         struct lsa_info *handle;
1402         uint32 i;
1403         uint32 enum_context = *r->in.resume_handle;
1404         int num_privs = count_all_privileges();
1405         struct lsa_PrivEntry *entries = NULL;
1406         LUID_ATTR luid;
1407
1408         /* remember that the enum_context starts at 0 and not 1 */
1409
1410         if ( enum_context >= num_privs )
1411                 return NT_STATUS_NO_MORE_ENTRIES;
1412
1413         DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1414                 enum_context, num_privs));
1415
1416         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1417                 return NT_STATUS_INVALID_HANDLE;
1418
1419         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1420                 return NT_STATUS_INVALID_HANDLE;
1421         }
1422
1423         /* check if the user has enough rights
1424            I don't know if it's the right one. not documented.  */
1425
1426         if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1427                 return NT_STATUS_ACCESS_DENIED;
1428
1429         if (num_privs) {
1430                 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1431                 if (!entries) {
1432                         return NT_STATUS_NO_MEMORY;
1433                 }
1434         } else {
1435                 entries = NULL;
1436         }
1437
1438         for (i = 0; i < num_privs; i++) {
1439                 if( i < enum_context) {
1440
1441                         init_lsa_StringLarge(&entries[i].name, NULL);
1442
1443                         entries[i].luid.low = 0;
1444                         entries[i].luid.high = 0;
1445                 } else {
1446
1447                         init_lsa_StringLarge(&entries[i].name, privs[i].name);
1448
1449                         luid = get_privilege_luid( &privs[i].se_priv );
1450
1451                         entries[i].luid.low = luid.luid.low;
1452                         entries[i].luid.high = luid.luid.high;
1453                 }
1454         }
1455
1456         enum_context = num_privs;
1457
1458         *r->out.resume_handle = enum_context;
1459         r->out.privs->count = num_privs;
1460         r->out.privs->privs = entries;
1461
1462         return NT_STATUS_OK;
1463 }
1464
1465 /***************************************************************************
1466  _lsa_LookupPrivDisplayName
1467  ***************************************************************************/
1468
1469 NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
1470                                     struct lsa_LookupPrivDisplayName *r)
1471 {
1472         struct lsa_info *handle;
1473         const char *description;
1474         struct lsa_StringLarge *lsa_name;
1475
1476         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1477                 return NT_STATUS_INVALID_HANDLE;
1478
1479         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1480                 return NT_STATUS_INVALID_HANDLE;
1481         }
1482
1483         /* check if the user has enough rights */
1484
1485         /*
1486          * I don't know if it's the right one. not documented.
1487          */
1488         if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1489                 return NT_STATUS_ACCESS_DENIED;
1490
1491         DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1492
1493         description = get_privilege_dispname(r->in.name->string);
1494         if (!description) {
1495                 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1496                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1497         }
1498
1499         DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1500
1501         lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1502         if (!lsa_name) {
1503                 return NT_STATUS_NO_MEMORY;
1504         }
1505
1506         init_lsa_StringLarge(lsa_name, description);
1507
1508         *r->out.returned_language_id = r->in.language_id;
1509         *r->out.disp_name = lsa_name;
1510
1511         return NT_STATUS_OK;
1512 }
1513
1514 /***************************************************************************
1515  _lsa_EnumAccounts
1516  ***************************************************************************/
1517
1518 NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
1519                            struct lsa_EnumAccounts *r)
1520 {
1521         struct lsa_info *handle;
1522         DOM_SID *sid_list;
1523         int i, j, num_entries;
1524         NTSTATUS status;
1525         struct lsa_SidPtr *sids = NULL;
1526
1527         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1528                 return NT_STATUS_INVALID_HANDLE;
1529
1530         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1531                 return NT_STATUS_INVALID_HANDLE;
1532         }
1533
1534         if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1535                 return NT_STATUS_ACCESS_DENIED;
1536
1537         sid_list = NULL;
1538         num_entries = 0;
1539
1540         /* The only way we can currently find out all the SIDs that have been
1541            privileged is to scan all privileges */
1542
1543         status = privilege_enumerate_accounts(&sid_list, &num_entries);
1544         if (!NT_STATUS_IS_OK(status)) {
1545                 return status;
1546         }
1547
1548         if (*r->in.resume_handle >= num_entries) {
1549                 return NT_STATUS_NO_MORE_ENTRIES;
1550         }
1551
1552         if (num_entries - *r->in.resume_handle) {
1553                 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1554                                          num_entries - *r->in.resume_handle);
1555                 if (!sids) {
1556                         talloc_free(sid_list);
1557                         return NT_STATUS_NO_MEMORY;
1558                 }
1559
1560                 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1561                         sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1562                         if (!sids[j].sid) {
1563                                 talloc_free(sid_list);
1564                                 return NT_STATUS_NO_MEMORY;
1565                         }
1566                 }
1567         }
1568
1569         talloc_free(sid_list);
1570
1571         *r->out.resume_handle = num_entries;
1572         r->out.sids->num_sids = num_entries;
1573         r->out.sids->sids = sids;
1574
1575         return NT_STATUS_OK;
1576 }
1577
1578 /***************************************************************************
1579  _lsa_GetUserName
1580  ***************************************************************************/
1581
1582 NTSTATUS _lsa_GetUserName(pipes_struct *p,
1583                           struct lsa_GetUserName *r)
1584 {
1585         const char *username, *domname;
1586         struct lsa_String *account_name = NULL;
1587         struct lsa_String *authority_name = NULL;
1588
1589         if (r->in.account_name &&
1590            *r->in.account_name) {
1591                 return NT_STATUS_INVALID_PARAMETER;
1592         }
1593
1594         if (r->in.authority_name &&
1595            *r->in.authority_name) {
1596                 return NT_STATUS_INVALID_PARAMETER;
1597         }
1598
1599         if (p->server_info->guest) {
1600                 /*
1601                  * I'm 99% sure this is not the right place to do this,
1602                  * global_sid_Anonymous should probably be put into the token
1603                  * instead of the guest id -- vl
1604                  */
1605                 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1606                                 &domname, &username, NULL)) {
1607                         return NT_STATUS_NO_MEMORY;
1608                 }
1609         } else {
1610                 username = p->server_info->sanitized_username;
1611                 domname = pdb_get_domain(p->server_info->sam_account);
1612         }
1613
1614         account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1615         if (!account_name) {
1616                 return NT_STATUS_NO_MEMORY;
1617         }
1618         init_lsa_String(account_name, username);
1619
1620         if (r->out.authority_name) {
1621                 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1622                 if (!authority_name) {
1623                         return NT_STATUS_NO_MEMORY;
1624                 }
1625                 init_lsa_String(authority_name, domname);
1626         }
1627
1628         *r->out.account_name = account_name;
1629         if (r->out.authority_name) {
1630                 *r->out.authority_name = authority_name;
1631         }
1632
1633         return NT_STATUS_OK;
1634 }
1635
1636 /***************************************************************************
1637  _lsa_CreateAccount
1638  ***************************************************************************/
1639
1640 NTSTATUS _lsa_CreateAccount(pipes_struct *p,
1641                             struct lsa_CreateAccount *r)
1642 {
1643         NTSTATUS status;
1644         struct lsa_info *handle;
1645         struct lsa_info *info;
1646         uint32_t acc_granted;
1647         struct security_descriptor *psd;
1648         size_t sd_size;
1649
1650         /* find the connection policy handle. */
1651         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1652                 return NT_STATUS_INVALID_HANDLE;
1653
1654         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1655                 return NT_STATUS_INVALID_HANDLE;
1656         }
1657
1658         /* check if the user has enough rights */
1659
1660         if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
1661                 return NT_STATUS_ACCESS_DENIED;
1662         }
1663
1664         /* map the generic bits to the lsa policy ones */
1665         se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1666
1667         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1668                                     &lsa_account_mapping,
1669                                     r->in.sid, LSA_POLICY_ALL_ACCESS);
1670         if (!NT_STATUS_IS_OK(status)) {
1671                 return status;
1672         }
1673
1674         status = access_check_object(psd, p->server_info->ptok,
1675                 NULL, 0, r->in.access_mask,
1676                 &acc_granted, "_lsa_CreateAccount");
1677         if (!NT_STATUS_IS_OK(status)) {
1678                 return status;
1679         }
1680
1681         if ( is_privileged_sid( r->in.sid ) )
1682                 return NT_STATUS_OBJECT_NAME_COLLISION;
1683
1684         /* associate the user/group SID with the (unique) handle. */
1685
1686         info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1687         if (info == NULL) {
1688                 return NT_STATUS_NO_MEMORY;
1689         }
1690
1691         info->sid = *r->in.sid;
1692         info->access = acc_granted;
1693         info->type = LSA_HANDLE_ACCOUNT_TYPE;
1694
1695         /* get a (unique) handle.  open a policy on it. */
1696         if (!create_policy_hnd(p, r->out.acct_handle, info))
1697                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1698
1699         return privilege_create_account( &info->sid );
1700 }
1701
1702 /***************************************************************************
1703  _lsa_OpenAccount
1704  ***************************************************************************/
1705
1706 NTSTATUS _lsa_OpenAccount(pipes_struct *p,
1707                           struct lsa_OpenAccount *r)
1708 {
1709         struct lsa_info *handle;
1710         struct lsa_info *info;
1711         SEC_DESC *psd = NULL;
1712         size_t sd_size;
1713         uint32_t des_access = r->in.access_mask;
1714         uint32_t acc_granted;
1715         NTSTATUS status;
1716
1717         /* find the connection policy handle. */
1718         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1719                 return NT_STATUS_INVALID_HANDLE;
1720
1721         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1722                 return NT_STATUS_INVALID_HANDLE;
1723         }
1724
1725         /* des_access is for the account here, not the policy
1726          * handle - so don't check against policy handle. */
1727
1728         /* Work out max allowed. */
1729         map_max_allowed_access(p->server_info->ptok,
1730                                &p->server_info->utok,
1731                                &des_access);
1732
1733         /* map the generic bits to the lsa account ones */
1734         se_map_generic(&des_access, &lsa_account_mapping);
1735
1736         /* get the generic lsa account SD until we store it */
1737         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1738                                 &lsa_account_mapping,
1739                                 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1740         if (!NT_STATUS_IS_OK(status)) {
1741                 return status;
1742         }
1743
1744         status = access_check_object(psd, p->server_info->ptok,
1745                 NULL, 0, des_access,
1746                 &acc_granted, "_lsa_OpenAccount" );
1747
1748         if (!NT_STATUS_IS_OK(status)) {
1749                 return status;
1750         }
1751
1752         /* TODO: Fis the parsing routine before reenabling this check! */
1753         #if 0
1754         if (!lookup_sid(&handle->sid, dom_name, name, &type))
1755                 return NT_STATUS_ACCESS_DENIED;
1756         #endif
1757         /* associate the user/group SID with the (unique) handle. */
1758         info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1759         if (info == NULL) {
1760                 return NT_STATUS_NO_MEMORY;
1761         }
1762
1763         info->sid = *r->in.sid;
1764         info->access = acc_granted;
1765         info->type = LSA_HANDLE_ACCOUNT_TYPE;
1766
1767         /* get a (unique) handle.  open a policy on it. */
1768         if (!create_policy_hnd(p, r->out.acct_handle, info))
1769                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1770
1771         return NT_STATUS_OK;
1772 }
1773
1774 /***************************************************************************
1775  _lsa_EnumPrivsAccount
1776  For a given SID, enumerate all the privilege this account has.
1777  ***************************************************************************/
1778
1779 NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
1780                                struct lsa_EnumPrivsAccount *r)
1781 {
1782         NTSTATUS status = NT_STATUS_OK;
1783         struct lsa_info *info=NULL;
1784         SE_PRIV mask;
1785         PRIVILEGE_SET privileges;
1786         struct lsa_PrivilegeSet *priv_set = NULL;
1787         struct lsa_LUIDAttribute *luid_attrs = NULL;
1788         int i;
1789
1790         /* find the connection policy handle. */
1791         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1792                 return NT_STATUS_INVALID_HANDLE;
1793
1794         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1795                 return NT_STATUS_INVALID_HANDLE;
1796         }
1797
1798         if (!(info->access & LSA_ACCOUNT_VIEW))
1799                 return NT_STATUS_ACCESS_DENIED;
1800
1801         get_privileges_for_sids(&mask, &info->sid, 1);
1802
1803         privilege_set_init( &privileges );
1804
1805         priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1806         if (!priv_set) {
1807                 status = NT_STATUS_NO_MEMORY;
1808                 goto done;
1809         }
1810
1811         if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1812
1813                 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1814                           sid_string_dbg(&info->sid),
1815                           privileges.count));
1816
1817                 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1818                                                struct lsa_LUIDAttribute,
1819                                                privileges.count);
1820                 if (!luid_attrs) {
1821                         status = NT_STATUS_NO_MEMORY;
1822                         goto done;
1823                 }
1824
1825                 for (i=0; i<privileges.count; i++) {
1826                         luid_attrs[i].luid.low = privileges.set[i].luid.low;
1827                         luid_attrs[i].luid.high = privileges.set[i].luid.high;
1828                         luid_attrs[i].attribute = privileges.set[i].attr;
1829                 }
1830
1831                 priv_set->count = privileges.count;
1832                 priv_set->unknown = 0;
1833                 priv_set->set = luid_attrs;
1834
1835         } else {
1836                 priv_set->count = 0;
1837                 priv_set->unknown = 0;
1838                 priv_set->set = NULL;
1839         }
1840
1841         *r->out.privs = priv_set;
1842
1843  done:
1844         privilege_set_free( &privileges );
1845
1846         return status;
1847 }
1848
1849 /***************************************************************************
1850  _lsa_GetSystemAccessAccount
1851  ***************************************************************************/
1852
1853 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
1854                                      struct lsa_GetSystemAccessAccount *r)
1855 {
1856         NTSTATUS status;
1857         struct lsa_info *info = NULL;
1858         struct lsa_EnumPrivsAccount e;
1859         struct lsa_PrivilegeSet *privset;
1860
1861         /* find the connection policy handle. */
1862
1863         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1864                 return NT_STATUS_INVALID_HANDLE;
1865
1866         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1867                 return NT_STATUS_INVALID_HANDLE;
1868         }
1869
1870         if (!(info->access & LSA_ACCOUNT_VIEW))
1871                 return NT_STATUS_ACCESS_DENIED;
1872
1873         privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1874         if (!privset) {
1875                 return NT_STATUS_NO_MEMORY;
1876         }
1877
1878         e.in.handle = r->in.handle;
1879         e.out.privs = &privset;
1880
1881         status = _lsa_EnumPrivsAccount(p, &e);
1882         if (!NT_STATUS_IS_OK(status)) {
1883                 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1884                         "failed to call _lsa_EnumPrivsAccount(): %s\n",
1885                         nt_errstr(status)));
1886                 return status;
1887         }
1888
1889         /* Samba4 would iterate over the privset to merge the policy mode bits,
1890          * not sure samba3 can do the same here, so just return what we did in
1891          * the past - gd */
1892
1893         /*
1894           0x01 -> Log on locally
1895           0x02 -> Access this computer from network
1896           0x04 -> Log on as a batch job
1897           0x10 -> Log on as a service
1898
1899           they can be ORed together
1900         */
1901
1902         *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1903                               LSA_POLICY_MODE_NETWORK;
1904
1905         return NT_STATUS_OK;
1906 }
1907
1908 /***************************************************************************
1909   update the systemaccount information
1910  ***************************************************************************/
1911
1912 NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
1913                                      struct lsa_SetSystemAccessAccount *r)
1914 {
1915         struct lsa_info *info=NULL;
1916         GROUP_MAP map;
1917
1918         /* find the connection policy handle. */
1919         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1920                 return NT_STATUS_INVALID_HANDLE;
1921
1922         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1923                 return NT_STATUS_INVALID_HANDLE;
1924         }
1925
1926         if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1927                 return NT_STATUS_ACCESS_DENIED;
1928         }
1929
1930         if (!pdb_getgrsid(&map, info->sid))
1931                 return NT_STATUS_NO_SUCH_GROUP;
1932
1933         return pdb_update_group_mapping_entry(&map);
1934 }
1935
1936 /***************************************************************************
1937  _lsa_AddPrivilegesToAccount
1938  For a given SID, add some privileges.
1939  ***************************************************************************/
1940
1941 NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
1942                                      struct lsa_AddPrivilegesToAccount *r)
1943 {
1944         struct lsa_info *info = NULL;
1945         SE_PRIV mask;
1946         struct lsa_PrivilegeSet *set = NULL;
1947
1948         /* find the connection policy handle. */
1949         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1950                 return NT_STATUS_INVALID_HANDLE;
1951
1952         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1953                 return NT_STATUS_INVALID_HANDLE;
1954         }
1955
1956         if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1957                 return NT_STATUS_ACCESS_DENIED;
1958         }
1959
1960         set = r->in.privs;
1961         if ( !privilege_set_to_se_priv( &mask, set ) )
1962                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1963
1964         if ( !grant_privilege( &info->sid, &mask ) ) {
1965                 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1966                          sid_string_dbg(&info->sid) ));
1967                 DEBUG(3,("Privilege mask:\n"));
1968                 dump_se_priv( DBGC_ALL, 3, &mask );
1969                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1970         }
1971
1972         return NT_STATUS_OK;
1973 }
1974
1975 /***************************************************************************
1976  _lsa_RemovePrivilegesFromAccount
1977  For a given SID, remove some privileges.
1978  ***************************************************************************/
1979
1980 NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
1981                                           struct lsa_RemovePrivilegesFromAccount *r)
1982 {
1983         struct lsa_info *info = NULL;
1984         SE_PRIV mask;
1985         struct lsa_PrivilegeSet *set = NULL;
1986
1987         /* find the connection policy handle. */
1988         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1989                 return NT_STATUS_INVALID_HANDLE;
1990
1991         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1992                 return NT_STATUS_INVALID_HANDLE;
1993         }
1994
1995         if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1996                 return NT_STATUS_ACCESS_DENIED;
1997         }
1998
1999         set = r->in.privs;
2000
2001         if ( !privilege_set_to_se_priv( &mask, set ) )
2002                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2003
2004         if ( !revoke_privilege( &info->sid, &mask ) ) {
2005                 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2006                          sid_string_dbg(&info->sid) ));
2007                 DEBUG(3,("Privilege mask:\n"));
2008                 dump_se_priv( DBGC_ALL, 3, &mask );
2009                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2010         }
2011
2012         return NT_STATUS_OK;
2013 }
2014
2015 /***************************************************************************
2016  _lsa_LookupPrivName
2017  ***************************************************************************/
2018
2019 NTSTATUS _lsa_LookupPrivName(pipes_struct *p,
2020                              struct lsa_LookupPrivName *r)
2021 {
2022         struct lsa_info *info = NULL;
2023         const char *name;
2024         struct lsa_StringLarge *lsa_name;
2025
2026         /* find the connection policy handle. */
2027         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2028                 return NT_STATUS_INVALID_HANDLE;
2029         }
2030
2031         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2032                 return NT_STATUS_INVALID_HANDLE;
2033         }
2034
2035         if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2036                 return NT_STATUS_ACCESS_DENIED;
2037         }
2038
2039         name = luid_to_privilege_name((LUID *)r->in.luid);
2040         if (!name) {
2041                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2042         }
2043
2044         lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2045         if (!lsa_name) {
2046                 return NT_STATUS_NO_MEMORY;
2047         }
2048
2049         lsa_name->string = talloc_strdup(lsa_name, name);
2050         if (!lsa_name->string) {
2051                 TALLOC_FREE(lsa_name);
2052                 return NT_STATUS_NO_MEMORY;
2053         }
2054
2055         *r->out.name = lsa_name;
2056
2057         return NT_STATUS_OK;
2058 }
2059
2060 /***************************************************************************
2061  _lsa_QuerySecurity
2062  ***************************************************************************/
2063
2064 NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
2065                             struct lsa_QuerySecurity *r)
2066 {
2067         struct lsa_info *handle=NULL;
2068         SEC_DESC *psd = NULL;
2069         size_t sd_size;
2070         NTSTATUS status;
2071
2072         /* find the connection policy handle. */
2073         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2074                 return NT_STATUS_INVALID_HANDLE;
2075
2076         if (handle->type == LSA_HANDLE_POLICY_TYPE) {
2077                 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2078                                 &lsa_policy_mapping, NULL, 0);
2079         } else if (handle->type == LSA_HANDLE_ACCOUNT_TYPE) {
2080                 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2081                                 &lsa_account_mapping,
2082                                 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2083         } else {
2084                 status = NT_STATUS_INVALID_HANDLE;
2085         }
2086
2087         if (!NT_STATUS_IS_OK(status)) {
2088                 return status;
2089         }
2090
2091         *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2092         if (!*r->out.sdbuf) {
2093                 return NT_STATUS_NO_MEMORY;
2094         }
2095
2096         return status;
2097 }
2098
2099 /***************************************************************************
2100  _lsa_AddAccountRights
2101  ***************************************************************************/
2102
2103 NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
2104                                struct lsa_AddAccountRights *r)
2105 {
2106         struct lsa_info *info = NULL;
2107         int i = 0;
2108         uint32_t acc_granted = 0;
2109         SEC_DESC *psd = NULL;
2110         size_t sd_size;
2111         DOM_SID sid;
2112         NTSTATUS status;
2113
2114         /* find the connection policy handle. */
2115         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2116                 return NT_STATUS_INVALID_HANDLE;
2117
2118         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2119                 return NT_STATUS_INVALID_HANDLE;
2120         }
2121
2122         /* get the generic lsa account SD for this SID until we store it */
2123         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2124                                 &lsa_account_mapping,
2125                                 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2126         if (!NT_STATUS_IS_OK(status)) {
2127                 return status;
2128         }
2129
2130         /*
2131          * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2132          * on the policy handle. If it does, ask for
2133          * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2134          * on the account sid. We don't check here so just use the latter. JRA.
2135          */
2136
2137         status = access_check_object(psd, p->server_info->ptok,
2138                 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2139                 &acc_granted, "_lsa_AddAccountRights" );
2140
2141         if (!NT_STATUS_IS_OK(status)) {
2142                 return status;
2143         }
2144
2145         /* according to an NT4 PDC, you can add privileges to SIDs even without
2146            call_lsa_create_account() first.  And you can use any arbitrary SID. */
2147
2148         sid_copy( &sid, r->in.sid );
2149
2150         for ( i=0; i < r->in.rights->count; i++ ) {
2151
2152                 const char *privname = r->in.rights->names[i].string;
2153
2154                 /* only try to add non-null strings */
2155
2156                 if ( !privname )
2157                         continue;
2158
2159                 if ( !grant_privilege_by_name( &sid, privname ) ) {
2160                         DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2161                                 privname ));
2162                         return NT_STATUS_NO_SUCH_PRIVILEGE;
2163                 }
2164         }
2165
2166         return NT_STATUS_OK;
2167 }
2168
2169 /***************************************************************************
2170  _lsa_RemoveAccountRights
2171  ***************************************************************************/
2172
2173 NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
2174                                   struct lsa_RemoveAccountRights *r)
2175 {
2176         struct lsa_info *info = NULL;
2177         int i = 0;
2178         SEC_DESC *psd = NULL;
2179         size_t sd_size;
2180         DOM_SID sid;
2181         const char *privname = NULL;
2182         uint32_t acc_granted = 0;
2183         NTSTATUS status;
2184
2185         /* find the connection policy handle. */
2186         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2187                 return NT_STATUS_INVALID_HANDLE;
2188
2189         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2190                 return NT_STATUS_INVALID_HANDLE;
2191         }
2192
2193         /* get the generic lsa account SD for this SID until we store it */
2194         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2195                                 &lsa_account_mapping,
2196                                 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2197         if (!NT_STATUS_IS_OK(status)) {
2198                 return status;
2199         }
2200
2201         /*
2202          * From the MS DOCs. We need
2203          * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2204          * and DELETE on the account sid.
2205          */
2206
2207         status = access_check_object(psd, p->server_info->ptok,
2208                 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2209                         LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
2210                 &acc_granted, "_lsa_AddAccountRights" );
2211
2212         if (!NT_STATUS_IS_OK(status)) {
2213                 return status;
2214         }
2215
2216         sid_copy( &sid, r->in.sid );
2217
2218         if ( r->in.remove_all ) {
2219                 if ( !revoke_all_privileges( &sid ) )
2220                         return NT_STATUS_ACCESS_DENIED;
2221
2222                 return NT_STATUS_OK;
2223         }
2224
2225         for ( i=0; i < r->in.rights->count; i++ ) {
2226
2227                 privname = r->in.rights->names[i].string;
2228
2229                 /* only try to add non-null strings */
2230
2231                 if ( !privname )
2232                         continue;
2233
2234                 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2235                         DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2236                                 privname ));
2237                         return NT_STATUS_NO_SUCH_PRIVILEGE;
2238                 }
2239         }
2240
2241         return NT_STATUS_OK;
2242 }
2243
2244 /*******************************************************************
2245 ********************************************************************/
2246
2247 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2248                                    struct lsa_RightSet *r,
2249                                    PRIVILEGE_SET *privileges)
2250 {
2251         uint32 i;
2252         const char *privname;
2253         const char **privname_array = NULL;
2254         int num_priv = 0;
2255
2256         for (i=0; i<privileges->count; i++) {
2257
2258                 privname = luid_to_privilege_name(&privileges->set[i].luid);
2259                 if (privname) {
2260                         if (!add_string_to_array(mem_ctx, privname,
2261                                                  &privname_array, &num_priv)) {
2262                                 return NT_STATUS_NO_MEMORY;
2263                         }
2264                 }
2265         }
2266
2267         if (num_priv) {
2268
2269                 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2270                                              num_priv);
2271                 if (!r->names) {
2272                         return NT_STATUS_NO_MEMORY;
2273                 }
2274
2275                 for (i=0; i<num_priv; i++) {
2276                         init_lsa_StringLarge(&r->names[i], privname_array[i]);
2277                 }
2278
2279                 r->count = num_priv;
2280         }
2281
2282         return NT_STATUS_OK;
2283 }
2284
2285 /***************************************************************************
2286  _lsa_EnumAccountRights
2287  ***************************************************************************/
2288
2289 NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
2290                                 struct lsa_EnumAccountRights *r)
2291 {
2292         NTSTATUS status;
2293         struct lsa_info *info = NULL;
2294         DOM_SID sid;
2295         PRIVILEGE_SET privileges;
2296         SE_PRIV mask;
2297
2298         /* find the connection policy handle. */
2299
2300         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2301                 return NT_STATUS_INVALID_HANDLE;
2302
2303         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2304                 return NT_STATUS_INVALID_HANDLE;
2305         }
2306
2307         if (!(info->access & LSA_ACCOUNT_VIEW)) {
2308                 return NT_STATUS_ACCESS_DENIED;
2309         }
2310
2311         /* according to an NT4 PDC, you can add privileges to SIDs even without
2312            call_lsa_create_account() first.  And you can use any arbitrary SID. */
2313
2314         sid_copy( &sid, r->in.sid );
2315
2316         /* according to MS-LSAD 3.1.4.5.10 it is required to return
2317          * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2318          * the lsa database */
2319
2320         if (!get_privileges_for_sids(&mask, &sid, 1)) {
2321                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2322         }
2323
2324         status = privilege_set_init(&privileges);
2325         if (!NT_STATUS_IS_OK(status)) {
2326                 return status;
2327         }
2328
2329         se_priv_to_privilege_set(&privileges, &mask);
2330
2331         DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2332                   sid_string_dbg(&sid), privileges.count));
2333
2334         status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2335
2336         privilege_set_free( &privileges );
2337
2338         return status;
2339 }
2340
2341 /***************************************************************************
2342  _lsa_LookupPrivValue
2343  ***************************************************************************/
2344
2345 NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
2346                               struct lsa_LookupPrivValue *r)
2347 {
2348         struct lsa_info *info = NULL;
2349         const char *name = NULL;
2350         LUID_ATTR priv_luid;
2351         SE_PRIV mask;
2352
2353         /* find the connection policy handle. */
2354
2355         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2356                 return NT_STATUS_INVALID_HANDLE;
2357
2358         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2359                 return NT_STATUS_INVALID_HANDLE;
2360         }
2361
2362         if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2363                 return NT_STATUS_ACCESS_DENIED;
2364
2365         name = r->in.name->string;
2366
2367         DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2368
2369         if ( !se_priv_from_name( name, &mask ) )
2370                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2371
2372         priv_luid = get_privilege_luid( &mask );
2373
2374         r->out.luid->low = priv_luid.luid.low;
2375         r->out.luid->high = priv_luid.luid.high;
2376
2377         return NT_STATUS_OK;
2378 }
2379
2380 /***************************************************************************
2381  _lsa_EnumAccountsWithUserRight
2382  ***************************************************************************/
2383
2384 NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p,
2385                                         struct lsa_EnumAccountsWithUserRight *r)
2386 {
2387         NTSTATUS status;
2388         struct lsa_info *info = NULL;
2389         struct dom_sid *sids = NULL;
2390         int num_sids = 0;
2391         uint32_t i;
2392         SE_PRIV mask;
2393
2394         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2395                 return NT_STATUS_INVALID_HANDLE;
2396         }
2397
2398         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2399                 return NT_STATUS_INVALID_HANDLE;
2400         }
2401
2402         if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2403                 return NT_STATUS_ACCESS_DENIED;
2404         }
2405
2406         if (!r->in.name || !r->in.name->string) {
2407                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2408         }
2409
2410         if (!se_priv_from_name(r->in.name->string, &mask)) {
2411                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2412         }
2413
2414         status = privilege_enum_sids(&mask, p->mem_ctx,
2415                                      &sids, &num_sids);
2416         if (!NT_STATUS_IS_OK(status)) {
2417                 return status;
2418         }
2419
2420         r->out.sids->num_sids = num_sids;
2421         r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2422                                          r->out.sids->num_sids);
2423
2424         for (i=0; i < r->out.sids->num_sids; i++) {
2425                 r->out.sids->sids[i].sid = sid_dup_talloc(r->out.sids->sids,
2426                                                           &sids[i]);
2427                 if (!r->out.sids->sids[i].sid) {
2428                         TALLOC_FREE(r->out.sids->sids);
2429                         r->out.sids->num_sids = 0;
2430                         return NT_STATUS_NO_MEMORY;
2431                 }
2432         }
2433
2434         return NT_STATUS_OK;
2435 }
2436
2437 /***************************************************************************
2438  _lsa_Delete
2439  ***************************************************************************/
2440
2441 NTSTATUS _lsa_Delete(pipes_struct *p,
2442                      struct lsa_Delete *r)
2443 {
2444         return NT_STATUS_NOT_SUPPORTED;
2445 }
2446
2447 /*
2448  * From here on the server routines are just dummy ones to make smbd link with
2449  * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2450  * pulling the server stubs across one by one.
2451  */
2452
2453 NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
2454 {
2455         p->rng_fault_state = True;
2456         return NT_STATUS_NOT_IMPLEMENTED;
2457 }
2458
2459 NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
2460 {
2461         p->rng_fault_state = True;
2462         return NT_STATUS_NOT_IMPLEMENTED;
2463 }
2464
2465 NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
2466 {
2467         p->rng_fault_state = True;
2468         return NT_STATUS_NOT_IMPLEMENTED;
2469 }
2470
2471 NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
2472 {
2473         p->rng_fault_state = True;
2474         return NT_STATUS_NOT_IMPLEMENTED;
2475 }
2476
2477 NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
2478 {
2479         p->rng_fault_state = True;
2480         return NT_STATUS_NOT_IMPLEMENTED;
2481 }
2482
2483 NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
2484 {
2485         p->rng_fault_state = True;
2486         return NT_STATUS_NOT_IMPLEMENTED;
2487 }
2488
2489 NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
2490 {
2491         p->rng_fault_state = True;
2492         return NT_STATUS_NOT_IMPLEMENTED;
2493 }
2494
2495 NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
2496 {
2497         p->rng_fault_state = True;
2498         return NT_STATUS_NOT_IMPLEMENTED;
2499 }
2500
2501 NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
2502 {
2503         p->rng_fault_state = True;
2504         return NT_STATUS_NOT_IMPLEMENTED;
2505 }
2506
2507 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
2508 {
2509         p->rng_fault_state = True;
2510         return NT_STATUS_NOT_IMPLEMENTED;
2511 }
2512
2513 NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
2514 {
2515         p->rng_fault_state = True;
2516         return NT_STATUS_NOT_IMPLEMENTED;
2517 }
2518
2519 NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
2520 {
2521         p->rng_fault_state = True;
2522         return NT_STATUS_NOT_IMPLEMENTED;
2523 }
2524
2525 NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
2526 {
2527         p->rng_fault_state = True;
2528         return NT_STATUS_NOT_IMPLEMENTED;
2529 }
2530
2531 NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
2532 {
2533         p->rng_fault_state = True;
2534         return NT_STATUS_NOT_IMPLEMENTED;
2535 }
2536
2537 NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
2538 {
2539         p->rng_fault_state = True;
2540         return NT_STATUS_NOT_IMPLEMENTED;
2541 }
2542
2543 NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
2544 {
2545         p->rng_fault_state = True;
2546         return NT_STATUS_NOT_IMPLEMENTED;
2547 }
2548
2549 NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
2550 {
2551         p->rng_fault_state = True;
2552         return NT_STATUS_NOT_IMPLEMENTED;
2553 }
2554
2555 NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
2556 {
2557         p->rng_fault_state = True;
2558         return NT_STATUS_NOT_IMPLEMENTED;
2559 }
2560
2561 NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
2562 {
2563         p->rng_fault_state = True;
2564         return NT_STATUS_NOT_IMPLEMENTED;
2565 }
2566
2567 NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
2568 {
2569         p->rng_fault_state = True;
2570         return NT_STATUS_NOT_IMPLEMENTED;
2571 }
2572
2573 NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
2574 {
2575         p->rng_fault_state = True;
2576         return NT_STATUS_NOT_IMPLEMENTED;
2577 }
2578
2579 NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
2580 {
2581         p->rng_fault_state = True;
2582         return NT_STATUS_NOT_IMPLEMENTED;
2583 }
2584
2585 NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
2586 {
2587         p->rng_fault_state = True;
2588         return NT_STATUS_NOT_IMPLEMENTED;
2589 }
2590
2591 NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
2592 {
2593         p->rng_fault_state = True;
2594         return NT_STATUS_NOT_IMPLEMENTED;
2595 }
2596
2597 NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
2598 {
2599         p->rng_fault_state = True;
2600         return NT_STATUS_NOT_IMPLEMENTED;
2601 }
2602
2603 NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
2604 {
2605         p->rng_fault_state = True;
2606         return NT_STATUS_NOT_IMPLEMENTED;
2607 }
2608
2609 NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
2610 {
2611         p->rng_fault_state = True;
2612         return NT_STATUS_NOT_IMPLEMENTED;
2613 }
2614
2615 NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2616 {
2617         p->rng_fault_state = True;
2618         return NT_STATUS_NOT_IMPLEMENTED;
2619 }
2620
2621 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2622 {
2623         p->rng_fault_state = True;
2624         return NT_STATUS_NOT_IMPLEMENTED;
2625 }
2626
2627 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2628 {
2629         p->rng_fault_state = True;
2630         return NT_STATUS_NOT_IMPLEMENTED;
2631 }
2632
2633 NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
2634 {
2635         p->rng_fault_state = True;
2636         return NT_STATUS_NOT_IMPLEMENTED;
2637 }
2638
2639 NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
2640 {
2641         p->rng_fault_state = True;
2642         return NT_STATUS_NOT_IMPLEMENTED;
2643 }
2644
2645 NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
2646 {
2647         p->rng_fault_state = True;
2648         return NT_STATUS_NOT_IMPLEMENTED;
2649 }
2650
2651 NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
2652 {
2653         p->rng_fault_state = True;
2654         return NT_STATUS_NOT_IMPLEMENTED;
2655 }
2656
2657 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
2658 {
2659         p->rng_fault_state = True;
2660         return NT_STATUS_NOT_IMPLEMENTED;
2661 }
2662
2663 NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
2664 {
2665         p->rng_fault_state = True;
2666         return NT_STATUS_NOT_IMPLEMENTED;
2667 }
2668
2669 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
2670 {
2671         p->rng_fault_state = True;
2672         return NT_STATUS_NOT_IMPLEMENTED;
2673 }
2674
2675 NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
2676 {
2677         p->rng_fault_state = True;
2678         return NT_STATUS_NOT_IMPLEMENTED;
2679 }
2680
2681 NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2682 {
2683         p->rng_fault_state = True;
2684         return NT_STATUS_NOT_IMPLEMENTED;
2685 }
2686
2687 NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
2688 {
2689         p->rng_fault_state = True;
2690         return NT_STATUS_NOT_IMPLEMENTED;
2691 }
2692
2693 NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
2694 {
2695         p->rng_fault_state = True;
2696         return NT_STATUS_NOT_IMPLEMENTED;
2697 }
2698
2699 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2700 {
2701         p->rng_fault_state = True;
2702         return NT_STATUS_NOT_IMPLEMENTED;
2703 }
2704
2705 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2706 {
2707         p->rng_fault_state = True;
2708         return NT_STATUS_NOT_IMPLEMENTED;
2709 }
2710
2711 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
2712 {
2713         p->rng_fault_state = True;
2714         return NT_STATUS_NOT_IMPLEMENTED;
2715 }