s3-lsa: Fix _lsa_EnumTrustDom().
[ira/wip.git] / source3 / rpc_server / srv_lsa_nt.c
1 /*
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Copyright (C) Andrew Tridgell              1992-1997,
5  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6  *  Copyright (C) Paul Ashton                       1997,
7  *  Copyright (C) Jeremy Allison                    2001, 2006.
8  *  Copyright (C) Rafal Szczesniak                  2002,
9  *  Copyright (C) Jim McDonough <jmcd@us.ibm.com>   2002,
10  *  Copyright (C) Simo Sorce                        2003.
11  *  Copyright (C) Gerald (Jerry) Carter             2005.
12  *  Copyright (C) Volker Lendecke                   2005.
13  *  Copyright (C) Guenther Deschner                 2008.
14  *
15  *  This program is free software; you can redistribute it and/or modify
16  *  it under the terms of the GNU General Public License as published by
17  *  the Free Software Foundation; either version 3 of the License, or
18  *  (at your option) any later version.
19  *
20  *  This program is distributed in the hope that it will be useful,
21  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
22  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
23  *  GNU General Public License for more details.
24  *
25  *  You should have received a copy of the GNU General Public License
26  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
27  */
28
29 /* This is the implementation of the lsa server code. */
30
31 #include "includes.h"
32
33 #undef DBGC_CLASS
34 #define DBGC_CLASS DBGC_RPC_SRV
35
36 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
37
38 extern PRIVS privs[];
39
40 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
41
42 struct lsa_info {
43         DOM_SID sid;
44         uint32 access;
45         enum lsa_handle_type type;
46 };
47
48 const struct generic_mapping lsa_account_mapping = {
49         LSA_ACCOUNT_READ,
50         LSA_ACCOUNT_WRITE,
51         LSA_ACCOUNT_EXECUTE,
52         LSA_ACCOUNT_ALL_ACCESS
53 };
54
55 const struct generic_mapping lsa_policy_mapping = {
56         LSA_POLICY_READ,
57         LSA_POLICY_WRITE,
58         LSA_POLICY_EXECUTE,
59         LSA_POLICY_ALL_ACCESS
60 };
61
62 /***************************************************************************
63  init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
64 ***************************************************************************/
65
66 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
67                                     struct lsa_RefDomainList *ref,
68                                     const char *dom_name,
69                                     DOM_SID *dom_sid)
70 {
71         int num = 0;
72
73         if (dom_name != NULL) {
74                 for (num = 0; num < ref->count; num++) {
75                         if (sid_equal(dom_sid, ref->domains[num].sid)) {
76                                 return num;
77                         }
78                 }
79         } else {
80                 num = ref->count;
81         }
82
83         if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
84                 /* index not found, already at maximum domain limit */
85                 return -1;
86         }
87
88         ref->count = num + 1;
89         ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
90
91         ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
92                                             struct lsa_DomainInfo, ref->count);
93         if (!ref->domains) {
94                 return -1;
95         }
96
97         ZERO_STRUCT(ref->domains[num]);
98
99         init_lsa_StringLarge(&ref->domains[num].name, dom_name);
100         ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
101         if (!ref->domains[num].sid) {
102                 return -1;
103         }
104
105         return num;
106 }
107
108
109 /***************************************************************************
110  initialize a lsa_DomainInfo structure.
111  ***************************************************************************/
112
113 static void init_dom_query_3(struct lsa_DomainInfo *r,
114                              const char *name,
115                              DOM_SID *sid)
116 {
117         init_lsa_StringLarge(&r->name, name);
118         r->sid = sid;
119 }
120
121 /***************************************************************************
122  initialize a lsa_DomainInfo structure.
123  ***************************************************************************/
124
125 static void init_dom_query_5(struct lsa_DomainInfo *r,
126                              const char *name,
127                              DOM_SID *sid)
128 {
129         init_lsa_StringLarge(&r->name, name);
130         r->sid = sid;
131 }
132
133 /***************************************************************************
134  lookup_lsa_rids. Must be called as root for lookup_name to work.
135  ***************************************************************************/
136
137 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
138                                 struct lsa_RefDomainList *ref,
139                                 struct lsa_TranslatedSid *prid,
140                                 uint32_t num_entries,
141                                 struct lsa_String *name,
142                                 int flags,
143                                 uint32_t *pmapped_count)
144 {
145         uint32 mapped_count, i;
146
147         SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
148
149         mapped_count = 0;
150         *pmapped_count = 0;
151
152         for (i = 0; i < num_entries; i++) {
153                 DOM_SID sid;
154                 uint32 rid;
155                 int dom_idx;
156                 const char *full_name;
157                 const char *domain;
158                 enum lsa_SidType type = SID_NAME_UNKNOWN;
159
160                 /* Split name into domain and user component */
161
162                 full_name = name[i].string;
163                 if (full_name == NULL) {
164                         prid[i].sid_type        = type;
165                         prid[i].rid             = 0;
166                         prid[i].sid_index       = (uint32_t)-1;
167                         continue;
168                 }
169
170                 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
171
172                 /* We can ignore the result of lookup_name, it will not touch
173                    "type" if it's not successful */
174
175                 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
176                             &sid, &type);
177
178                 switch (type) {
179                 case SID_NAME_USER:
180                 case SID_NAME_DOM_GRP:
181                 case SID_NAME_DOMAIN:
182                 case SID_NAME_ALIAS:
183                 case SID_NAME_WKN_GRP:
184                         DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
185                         /* Leave these unchanged */
186                         break;
187                 default:
188                         /* Don't hand out anything but the list above */
189                         DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
190                         type = SID_NAME_UNKNOWN;
191                         break;
192                 }
193
194                 rid = 0;
195                 dom_idx = -1;
196
197                 if (type != SID_NAME_UNKNOWN) {
198                         if (type == SID_NAME_DOMAIN) {
199                                 rid = (uint32_t)-1;
200                         } else {
201                                 sid_split_rid(&sid, &rid);
202                         }
203                         dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
204                         mapped_count++;
205                 }
206
207                 prid[i].sid_type        = type;
208                 prid[i].rid             = rid;
209                 prid[i].sid_index       = dom_idx;
210         }
211
212         *pmapped_count = mapped_count;
213         return NT_STATUS_OK;
214 }
215
216 /***************************************************************************
217  lookup_lsa_sids. Must be called as root for lookup_name to work.
218  ***************************************************************************/
219
220 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
221                                 struct lsa_RefDomainList *ref,
222                                 struct lsa_TranslatedSid3 *trans_sids,
223                                 uint32_t num_entries,
224                                 struct lsa_String *name,
225                                 int flags,
226                                 uint32 *pmapped_count)
227 {
228         uint32 mapped_count, i;
229
230         SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
231
232         mapped_count = 0;
233         *pmapped_count = 0;
234
235         for (i = 0; i < num_entries; i++) {
236                 DOM_SID sid;
237                 uint32 rid;
238                 int dom_idx;
239                 const char *full_name;
240                 const char *domain;
241                 enum lsa_SidType type = SID_NAME_UNKNOWN;
242
243                 ZERO_STRUCT(sid);
244
245                 /* Split name into domain and user component */
246
247                 full_name = name[i].string;
248                 if (full_name == NULL) {
249                         return NT_STATUS_NO_MEMORY;
250                 }
251
252                 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
253
254                 /* We can ignore the result of lookup_name, it will not touch
255                    "type" if it's not successful */
256
257                 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
258                             &sid, &type);
259
260                 switch (type) {
261                 case SID_NAME_USER:
262                 case SID_NAME_DOM_GRP:
263                 case SID_NAME_DOMAIN:
264                 case SID_NAME_ALIAS:
265                 case SID_NAME_WKN_GRP:
266                         DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
267                         /* Leave these unchanged */
268                         break;
269                 default:
270                         /* Don't hand out anything but the list above */
271                         DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
272                         type = SID_NAME_UNKNOWN;
273                         break;
274                 }
275
276                 rid = 0;
277                 dom_idx = -1;
278
279                 if (type != SID_NAME_UNKNOWN) {
280                         DOM_SID domain_sid;
281                         sid_copy(&domain_sid, &sid);
282                         sid_split_rid(&domain_sid, &rid);
283                         dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
284                         mapped_count++;
285                 }
286
287                 /* Initialize the lsa_TranslatedSid3 return. */
288                 trans_sids[i].sid_type = type;
289                 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
290                 trans_sids[i].sid_index = dom_idx;
291         }
292
293         *pmapped_count = mapped_count;
294         return NT_STATUS_OK;
295 }
296
297 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size,
298                                         const struct generic_mapping *map,
299                                         DOM_SID *sid, uint32_t sid_access)
300 {
301         DOM_SID adm_sid;
302         SEC_ACE ace[5];
303         size_t i = 0;
304
305         SEC_ACL *psa = NULL;
306
307         /* READ|EXECUTE access for Everyone */
308
309         init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
310                         map->generic_execute | map->generic_read, 0);
311
312         /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
313
314         init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
315                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
316         init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
317                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
318
319         /* Add Full Access for Domain Admins */
320         sid_copy(&adm_sid, get_global_sam_sid());
321         sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
322         init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
323                         map->generic_all, 0);
324
325         /* If we have a sid, give it some special access */
326
327         if (sid) {
328                 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
329                         sid_access, 0);
330         }
331
332         if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
333                 return NT_STATUS_NO_MEMORY;
334
335         if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
336                                 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
337                                 psa, sd_size)) == NULL)
338                 return NT_STATUS_NO_MEMORY;
339
340         return NT_STATUS_OK;
341 }
342
343
344 /***************************************************************************
345  _lsa_OpenPolicy2
346  ***************************************************************************/
347
348 NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
349                           struct lsa_OpenPolicy2 *r)
350 {
351         struct lsa_info *info;
352         SEC_DESC *psd = NULL;
353         size_t sd_size;
354         uint32 des_access = r->in.access_mask;
355         uint32 acc_granted;
356         NTSTATUS status;
357
358         /* Work out max allowed. */
359         map_max_allowed_access(p->server_info->ptok,
360                                &p->server_info->utok,
361                                &des_access);
362
363         /* map the generic bits to the lsa policy ones */
364         se_map_generic(&des_access, &lsa_policy_mapping);
365
366         /* get the generic lsa policy SD until we store it */
367         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
368                         NULL, 0);
369         if (!NT_STATUS_IS_OK(status)) {
370                 return status;
371         }
372
373         status = access_check_object(psd, p->server_info->ptok,
374                 NULL, 0, des_access,
375                 &acc_granted, "_lsa_OpenPolicy2" );
376
377         if (!NT_STATUS_IS_OK(status)) {
378                 return status;
379         }
380
381         /* associate the domain SID with the (unique) handle. */
382         info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
383         if (info == NULL) {
384                 return NT_STATUS_NO_MEMORY;
385         }
386
387         sid_copy(&info->sid,get_global_sam_sid());
388         info->access = acc_granted;
389         info->type = LSA_HANDLE_POLICY_TYPE;
390
391         /* set up the LSA QUERY INFO response */
392         if (!create_policy_hnd(p, r->out.handle, info))
393                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
394
395         return NT_STATUS_OK;
396 }
397
398 /***************************************************************************
399  _lsa_OpenPolicy
400  ***************************************************************************/
401
402 NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
403                          struct lsa_OpenPolicy *r)
404 {
405         struct lsa_OpenPolicy2 o;
406
407         o.in.system_name        = NULL; /* should be ignored */
408         o.in.attr               = r->in.attr;
409         o.in.access_mask        = r->in.access_mask;
410
411         o.out.handle            = r->out.handle;
412
413         return _lsa_OpenPolicy2(p, &o);
414 }
415
416 /***************************************************************************
417  _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
418  ufff, done :)  mimir
419  ***************************************************************************/
420
421 NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
422                            struct lsa_EnumTrustDom *r)
423 {
424         struct lsa_info *info;
425         uint32_t count;
426         struct trustdom_info **domains;
427         struct lsa_DomainInfo *entries;
428         int i;
429         NTSTATUS nt_status;
430
431         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
432                 return NT_STATUS_INVALID_HANDLE;
433
434         if (info->type != LSA_HANDLE_POLICY_TYPE) {
435                 return NT_STATUS_INVALID_HANDLE;
436         }
437
438         /* check if the user has enough rights */
439         if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
440                 return NT_STATUS_ACCESS_DENIED;
441
442         become_root();
443         nt_status = pdb_enum_trusteddoms(p->mem_ctx, &count, &domains);
444         unbecome_root();
445
446         if (!NT_STATUS_IS_OK(nt_status)) {
447                 return nt_status;
448         }
449
450         entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo, count);
451         if (!entries) {
452                 return NT_STATUS_NO_MEMORY;
453         }
454
455         for (i=0; i<count; i++) {
456                 init_lsa_StringLarge(&entries[i].name, domains[i]->name);
457                 entries[i].sid = &domains[i]->sid;
458         }
459
460         if (*r->in.resume_handle >= count) {
461                 *r->out.resume_handle = -1;
462                 TALLOC_FREE(entries);
463                 return NT_STATUS_NO_MORE_ENTRIES;
464         }
465
466         /* return the rest, limit by max_size. Note that we
467            use the w2k3 element size value of 60 */
468         r->out.domains->count = count - *r->in.resume_handle;
469         r->out.domains->count = MIN(r->out.domains->count,
470                                  1+(r->in.max_size/LSA_ENUM_TRUST_DOMAIN_MULTIPLIER));
471
472         r->out.domains->domains = entries + *r->in.resume_handle;
473
474         if (r->out.domains->count < count - *r->in.resume_handle) {
475                 *r->out.resume_handle = *r->in.resume_handle + r->out.domains->count;
476                 return STATUS_MORE_ENTRIES;
477         }
478
479         return NT_STATUS_OK;
480 }
481
482 #define LSA_AUDIT_NUM_CATEGORIES_NT4    7
483 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K  9
484 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
485
486 /***************************************************************************
487  _lsa_QueryInfoPolicy
488  ***************************************************************************/
489
490 NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
491                               struct lsa_QueryInfoPolicy *r)
492 {
493         NTSTATUS status = NT_STATUS_OK;
494         struct lsa_info *handle;
495         DOM_SID domain_sid;
496         const char *name;
497         DOM_SID *sid = NULL;
498         union lsa_PolicyInformation *info = NULL;
499         uint32_t acc_required = 0;
500
501         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
502                 return NT_STATUS_INVALID_HANDLE;
503
504         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
505                 return NT_STATUS_INVALID_HANDLE;
506         }
507
508         switch (r->in.level) {
509         case LSA_POLICY_INFO_AUDIT_LOG:
510         case LSA_POLICY_INFO_AUDIT_EVENTS:
511                 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
512                 break;
513         case LSA_POLICY_INFO_DOMAIN:
514                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
515                 break;
516         case LSA_POLICY_INFO_PD:
517                 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
518                 break;
519         case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
520                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
521                 break;
522         case LSA_POLICY_INFO_ROLE:
523         case LSA_POLICY_INFO_REPLICA:
524                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
525                 break;
526         case LSA_POLICY_INFO_QUOTA:
527                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
528                 break;
529         case LSA_POLICY_INFO_MOD:
530         case LSA_POLICY_INFO_AUDIT_FULL_SET:
531                 /* according to MS-LSAD 3.1.4.4.3 */
532                 return NT_STATUS_INVALID_PARAMETER;
533         case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
534                 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
535                 break;
536         case LSA_POLICY_INFO_DNS:
537         case LSA_POLICY_INFO_DNS_INT:
538         case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
539                 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
540                 break;
541         default:
542                 break;
543         }
544
545         if (!(handle->access & acc_required)) {
546                 /* return NT_STATUS_ACCESS_DENIED; */
547         }
548
549         info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
550         if (!info) {
551                 return NT_STATUS_NO_MEMORY;
552         }
553
554         switch (r->in.level) {
555         case LSA_POLICY_INFO_AUDIT_EVENTS:
556                 {
557
558                 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
559
560                 /* check if the user has enough rights */
561                 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
562                         DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
563                         return NT_STATUS_ACCESS_DENIED;
564                 }
565
566                 /* fake info: We audit everything. ;) */
567
568                 info->audit_events.auditing_mode = true;
569                 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
570                 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
571                                                                 enum lsa_PolicyAuditPolicy,
572                                                                 info->audit_events.count);
573                 if (!info->audit_events.settings) {
574                         return NT_STATUS_NO_MEMORY;
575                 }
576
577                 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
578                 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
579                 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
580                 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
581                 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
582                 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
583                 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
584
585                 break;
586                 }
587         case LSA_POLICY_INFO_DOMAIN:
588                 /* check if the user has enough rights */
589                 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
590                         return NT_STATUS_ACCESS_DENIED;
591
592                 /* Request PolicyPrimaryDomainInformation. */
593                 switch (lp_server_role()) {
594                         case ROLE_DOMAIN_PDC:
595                         case ROLE_DOMAIN_BDC:
596                                 name = get_global_sam_name();
597                                 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
598                                 if (!sid) {
599                                         return NT_STATUS_NO_MEMORY;
600                                 }
601                                 break;
602                         case ROLE_DOMAIN_MEMBER:
603                                 name = lp_workgroup();
604                                 /* We need to return the Domain SID here. */
605                                 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
606                                         sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
607                                         if (!sid) {
608                                                 return NT_STATUS_NO_MEMORY;
609                                         }
610                                 } else {
611                                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
612                                 }
613                                 break;
614                         case ROLE_STANDALONE:
615                                 name = lp_workgroup();
616                                 sid = NULL;
617                                 break;
618                         default:
619                                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
620                 }
621                 init_dom_query_3(&info->domain, name, sid);
622                 break;
623         case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
624                 /* check if the user has enough rights */
625                 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
626                         return NT_STATUS_ACCESS_DENIED;
627
628                 /* Request PolicyAccountDomainInformation. */
629                 name = get_global_sam_name();
630                 sid = get_global_sam_sid();
631
632                 init_dom_query_5(&info->account_domain, name, sid);
633                 break;
634         case LSA_POLICY_INFO_ROLE:
635                 /* check if the user has enough rights */
636                 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
637                         return NT_STATUS_ACCESS_DENIED;
638
639                 switch (lp_server_role()) {
640                         case ROLE_DOMAIN_BDC:
641                                 /*
642                                  * only a BDC is a backup controller
643                                  * of the domain, it controls.
644                                  */
645                                 info->role.role = LSA_ROLE_BACKUP;
646                                 break;
647                         default:
648                                 /*
649                                  * any other role is a primary
650                                  * of the domain, it controls.
651                                  */
652                                 info->role.role = LSA_ROLE_PRIMARY;
653                                 break;
654                 }
655                 break;
656         case LSA_POLICY_INFO_DNS:
657         case LSA_POLICY_INFO_DNS_INT: {
658                 struct pdb_domain_info *dominfo;
659
660                 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
661                         DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
662                                    "without ADS passdb backend\n"));
663                         status = NT_STATUS_INVALID_INFO_CLASS;
664                         break;
665                 }
666
667                 dominfo = pdb_get_domain_info(info);
668                 if (dominfo == NULL) {
669                         status = NT_STATUS_NO_MEMORY;
670                         break;
671                 }
672
673                 init_lsa_StringLarge(&info->dns.name,
674                                      dominfo->name);
675                 init_lsa_StringLarge(&info->dns.dns_domain,
676                                      dominfo->dns_domain);
677                 init_lsa_StringLarge(&info->dns.dns_forest,
678                                      dominfo->dns_forest);
679                 info->dns.domain_guid = dominfo->guid;
680                 info->dns.sid = &dominfo->sid;
681                 break;
682         }
683         default:
684                 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
685                         r->in.level));
686                 status = NT_STATUS_INVALID_INFO_CLASS;
687                 break;
688         }
689
690         *r->out.info = info;
691
692         return status;
693 }
694
695 /***************************************************************************
696  _lsa_QueryInfoPolicy2
697  ***************************************************************************/
698
699 NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p,
700                                struct lsa_QueryInfoPolicy2 *r2)
701 {
702         struct lsa_QueryInfoPolicy r;
703
704         if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
705                 p->rng_fault_state = True;
706                 return NT_STATUS_NOT_IMPLEMENTED;
707         }
708
709         ZERO_STRUCT(r);
710         r.in.handle = r2->in.handle;
711         r.in.level = r2->in.level;
712         r.out.info = r2->out.info;
713
714         return _lsa_QueryInfoPolicy(p, &r);
715 }
716
717 /***************************************************************************
718  _lsa_lookup_sids_internal
719  ***************************************************************************/
720
721 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
722                                           TALLOC_CTX *mem_ctx,
723                                           uint16_t level,                       /* input */
724                                           int num_sids,                         /* input */
725                                           struct lsa_SidPtr *sid,               /* input */
726                                           struct lsa_RefDomainList **pp_ref,    /* input/output */
727                                           struct lsa_TranslatedName2 **pp_names,/* input/output */
728                                           uint32_t *pp_mapped_count)            /* input/output */
729 {
730         NTSTATUS status;
731         int i;
732         const DOM_SID **sids = NULL;
733         struct lsa_RefDomainList *ref = NULL;
734         uint32 mapped_count = 0;
735         struct lsa_dom_info *dom_infos = NULL;
736         struct lsa_name_info *name_infos = NULL;
737         struct lsa_TranslatedName2 *names = NULL;
738
739         *pp_mapped_count = 0;
740         *pp_names = NULL;
741         *pp_ref = NULL;
742
743         if (num_sids == 0) {
744                 return NT_STATUS_OK;
745         }
746
747         sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
748         ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
749
750         if (sids == NULL || ref == NULL) {
751                 return NT_STATUS_NO_MEMORY;
752         }
753
754         for (i=0; i<num_sids; i++) {
755                 sids[i] = sid[i].sid;
756         }
757
758         status = lookup_sids(p->mem_ctx, num_sids, sids, level,
759                                   &dom_infos, &name_infos);
760
761         if (!NT_STATUS_IS_OK(status)) {
762                 return status;
763         }
764
765         names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
766         if (names == NULL) {
767                 return NT_STATUS_NO_MEMORY;
768         }
769
770         for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
771
772                 if (!dom_infos[i].valid) {
773                         break;
774                 }
775
776                 if (init_lsa_ref_domain_list(mem_ctx, ref,
777                                              dom_infos[i].name,
778                                              &dom_infos[i].sid) != i) {
779                         DEBUG(0, ("Domain %s mentioned twice??\n",
780                                   dom_infos[i].name));
781                         return NT_STATUS_INTERNAL_ERROR;
782                 }
783         }
784
785         for (i=0; i<num_sids; i++) {
786                 struct lsa_name_info *name = &name_infos[i];
787
788                 if (name->type == SID_NAME_UNKNOWN) {
789                         fstring tmp;
790                         name->dom_idx = -1;
791                         /* Unknown sids should return the string
792                          * representation of the SID. Windows 2003 behaves
793                          * rather erratic here, in many cases it returns the
794                          * RID as 8 bytes hex, in others it returns the full
795                          * SID. We (Jerry/VL) could not figure out which the
796                          * hard cases are, so leave it with the SID.  */
797                         name->name = talloc_asprintf(p->mem_ctx, "%s",
798                                                      sid_to_fstring(tmp,
799                                                                     sids[i]));
800                         if (name->name == NULL) {
801                                 return NT_STATUS_NO_MEMORY;
802                         }
803                 } else {
804                         mapped_count += 1;
805                 }
806
807                 names[i].sid_type       = name->type;
808                 names[i].name.string    = name->name;
809                 names[i].sid_index      = name->dom_idx;
810                 names[i].unknown        = 0;
811         }
812
813         status = NT_STATUS_NONE_MAPPED;
814         if (mapped_count > 0) {
815                 status = (mapped_count < num_sids) ?
816                         STATUS_SOME_UNMAPPED : NT_STATUS_OK;
817         }
818
819         DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
820                    num_sids, mapped_count, nt_errstr(status)));
821
822         *pp_mapped_count = mapped_count;
823         *pp_names = names;
824         *pp_ref = ref;
825
826         return status;
827 }
828
829 /***************************************************************************
830  _lsa_LookupSids
831  ***************************************************************************/
832
833 NTSTATUS _lsa_LookupSids(pipes_struct *p,
834                          struct lsa_LookupSids *r)
835 {
836         NTSTATUS status;
837         struct lsa_info *handle;
838         int num_sids = r->in.sids->num_sids;
839         uint32 mapped_count = 0;
840         struct lsa_RefDomainList *domains = NULL;
841         struct lsa_TranslatedName *names_out = NULL;
842         struct lsa_TranslatedName2 *names = NULL;
843         int i;
844
845         if ((r->in.level < 1) || (r->in.level > 6)) {
846                 return NT_STATUS_INVALID_PARAMETER;
847         }
848
849         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
850                 return NT_STATUS_INVALID_HANDLE;
851         }
852
853         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
854                 return NT_STATUS_INVALID_HANDLE;
855         }
856
857         /* check if the user has enough rights */
858         if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
859                 return NT_STATUS_ACCESS_DENIED;
860         }
861
862         if (num_sids >  MAX_LOOKUP_SIDS) {
863                 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
864                          MAX_LOOKUP_SIDS, num_sids));
865                 return NT_STATUS_NONE_MAPPED;
866         }
867
868         status = _lsa_lookup_sids_internal(p,
869                                            p->mem_ctx,
870                                            r->in.level,
871                                            num_sids,
872                                            r->in.sids->sids,
873                                            &domains,
874                                            &names,
875                                            &mapped_count);
876
877         /* Only return here when there is a real error.
878            NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
879            the requested sids could be resolved. Older versions of XP (pre SP3)
880            rely that we return with the string representations of those SIDs in
881            that case. If we don't, XP crashes - Guenther
882            */
883
884         if (NT_STATUS_IS_ERR(status) &&
885             !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
886                 return status;
887         }
888
889         /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
890         names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
891                                  num_sids);
892         if (!names_out) {
893                 return NT_STATUS_NO_MEMORY;
894         }
895
896         for (i=0; i<num_sids; i++) {
897                 names_out[i].sid_type = names[i].sid_type;
898                 names_out[i].name = names[i].name;
899                 names_out[i].sid_index = names[i].sid_index;
900         }
901
902         *r->out.domains = domains;
903         r->out.names->count = num_sids;
904         r->out.names->names = names_out;
905         *r->out.count = mapped_count;
906
907         return status;
908 }
909
910 /***************************************************************************
911  _lsa_LookupSids2
912  ***************************************************************************/
913
914 NTSTATUS _lsa_LookupSids2(pipes_struct *p,
915                           struct lsa_LookupSids2 *r)
916 {
917         NTSTATUS status;
918         struct lsa_info *handle;
919         int num_sids = r->in.sids->num_sids;
920         uint32 mapped_count = 0;
921         struct lsa_RefDomainList *domains = NULL;
922         struct lsa_TranslatedName2 *names = NULL;
923         bool check_policy = true;
924
925         switch (p->hdr_req.opnum) {
926                 case NDR_LSA_LOOKUPSIDS3:
927                         check_policy = false;
928                         break;
929                 case NDR_LSA_LOOKUPSIDS2:
930                 default:
931                         check_policy = true;
932         }
933
934         if ((r->in.level < 1) || (r->in.level > 6)) {
935                 return NT_STATUS_INVALID_PARAMETER;
936         }
937
938         if (check_policy) {
939                 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
940                         return NT_STATUS_INVALID_HANDLE;
941                 }
942
943                 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
944                         return NT_STATUS_INVALID_HANDLE;
945                 }
946
947                 /* check if the user has enough rights */
948                 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
949                         return NT_STATUS_ACCESS_DENIED;
950                 }
951         }
952
953         if (num_sids >  MAX_LOOKUP_SIDS) {
954                 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
955                          MAX_LOOKUP_SIDS, num_sids));
956                 return NT_STATUS_NONE_MAPPED;
957         }
958
959         status = _lsa_lookup_sids_internal(p,
960                                            p->mem_ctx,
961                                            r->in.level,
962                                            num_sids,
963                                            r->in.sids->sids,
964                                            &domains,
965                                            &names,
966                                            &mapped_count);
967
968         *r->out.domains = domains;
969         r->out.names->count = num_sids;
970         r->out.names->names = names;
971         *r->out.count = mapped_count;
972
973         return status;
974 }
975
976 /***************************************************************************
977  _lsa_LookupSids3
978  ***************************************************************************/
979
980 NTSTATUS _lsa_LookupSids3(pipes_struct *p,
981                           struct lsa_LookupSids3 *r)
982 {
983         struct lsa_LookupSids2 q;
984
985         /* No policy handle on this call. Restrict to crypto connections. */
986         if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
987                 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
988                         get_remote_machine_name() ));
989                 return NT_STATUS_INVALID_PARAMETER;
990         }
991
992         q.in.handle             = NULL;
993         q.in.sids               = r->in.sids;
994         q.in.level              = r->in.level;
995         q.in.lookup_options     = r->in.lookup_options;
996         q.in.client_revision    = r->in.client_revision;
997         q.in.names              = r->in.names;
998         q.in.count              = r->in.count;
999
1000         q.out.domains           = r->out.domains;
1001         q.out.names             = r->out.names;
1002         q.out.count             = r->out.count;
1003
1004         return _lsa_LookupSids2(p, &q);
1005 }
1006
1007 /***************************************************************************
1008  ***************************************************************************/
1009
1010 static int lsa_lookup_level_to_flags(uint16 level)
1011 {
1012         int flags;
1013
1014         switch (level) {
1015                 case 1:
1016                         flags = LOOKUP_NAME_ALL;
1017                         break;
1018                 case 2:
1019                         flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1020                         break;
1021                 case 3:
1022                         flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1023                         break;
1024                 case 4:
1025                 case 5:
1026                 case 6:
1027                 default:
1028                         flags = LOOKUP_NAME_NONE;
1029                         break;
1030         }
1031
1032         return flags;
1033 }
1034
1035 /***************************************************************************
1036  _lsa_LookupNames
1037  ***************************************************************************/
1038
1039 NTSTATUS _lsa_LookupNames(pipes_struct *p,
1040                           struct lsa_LookupNames *r)
1041 {
1042         NTSTATUS status = NT_STATUS_NONE_MAPPED;
1043         struct lsa_info *handle;
1044         struct lsa_String *names = r->in.names;
1045         uint32 num_entries = r->in.num_names;
1046         struct lsa_RefDomainList *domains = NULL;
1047         struct lsa_TranslatedSid *rids = NULL;
1048         uint32 mapped_count = 0;
1049         int flags = 0;
1050
1051         if (num_entries >  MAX_LOOKUP_SIDS) {
1052                 num_entries = MAX_LOOKUP_SIDS;
1053                 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1054                         num_entries));
1055         }
1056
1057         flags = lsa_lookup_level_to_flags(r->in.level);
1058
1059         domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1060         if (!domains) {
1061                 return NT_STATUS_NO_MEMORY;
1062         }
1063
1064         if (num_entries) {
1065                 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1066                                          num_entries);
1067                 if (!rids) {
1068                         return NT_STATUS_NO_MEMORY;
1069                 }
1070         } else {
1071                 rids = NULL;
1072         }
1073
1074         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1075                 status = NT_STATUS_INVALID_HANDLE;
1076                 goto done;
1077         }
1078
1079         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1080                 return NT_STATUS_INVALID_HANDLE;
1081         }
1082
1083         /* check if the user has enough rights */
1084         if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1085                 status = NT_STATUS_ACCESS_DENIED;
1086                 goto done;
1087         }
1088
1089         /* set up the LSA Lookup RIDs response */
1090         become_root(); /* lookup_name can require root privs */
1091         status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1092                                  names, flags, &mapped_count);
1093         unbecome_root();
1094
1095 done:
1096
1097         if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1098                 if (mapped_count == 0) {
1099                         status = NT_STATUS_NONE_MAPPED;
1100                 } else if (mapped_count != num_entries) {
1101                         status = STATUS_SOME_UNMAPPED;
1102                 }
1103         }
1104
1105         *r->out.count = mapped_count;
1106         *r->out.domains = domains;
1107         r->out.sids->sids = rids;
1108         r->out.sids->count = num_entries;
1109
1110         return status;
1111 }
1112
1113 /***************************************************************************
1114  _lsa_LookupNames2
1115  ***************************************************************************/
1116
1117 NTSTATUS _lsa_LookupNames2(pipes_struct *p,
1118                            struct lsa_LookupNames2 *r)
1119 {
1120         NTSTATUS status;
1121         struct lsa_LookupNames q;
1122         struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1123         struct lsa_TransSidArray *sid_array = NULL;
1124         uint32_t i;
1125
1126         sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1127         if (!sid_array) {
1128                 return NT_STATUS_NO_MEMORY;
1129         }
1130
1131         q.in.handle             = r->in.handle;
1132         q.in.num_names          = r->in.num_names;
1133         q.in.names              = r->in.names;
1134         q.in.level              = r->in.level;
1135         q.in.sids               = sid_array;
1136         q.in.count              = r->in.count;
1137         /* we do not know what this is for */
1138         /*                      = r->in.unknown1; */
1139         /*                      = r->in.unknown2; */
1140
1141         q.out.domains           = r->out.domains;
1142         q.out.sids              = sid_array;
1143         q.out.count             = r->out.count;
1144
1145         status = _lsa_LookupNames(p, &q);
1146
1147         sid_array2->count = sid_array->count;
1148         sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1149         if (!sid_array2->sids) {
1150                 return NT_STATUS_NO_MEMORY;
1151         }
1152
1153         for (i=0; i<sid_array->count; i++) {
1154                 sid_array2->sids[i].sid_type  = sid_array->sids[i].sid_type;
1155                 sid_array2->sids[i].rid       = sid_array->sids[i].rid;
1156                 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1157                 sid_array2->sids[i].unknown   = 0;
1158         }
1159
1160         r->out.sids = sid_array2;
1161
1162         return status;
1163 }
1164
1165 /***************************************************************************
1166  _lsa_LookupNames3
1167  ***************************************************************************/
1168
1169 NTSTATUS _lsa_LookupNames3(pipes_struct *p,
1170                            struct lsa_LookupNames3 *r)
1171 {
1172         NTSTATUS status;
1173         struct lsa_info *handle;
1174         struct lsa_String *names = r->in.names;
1175         uint32 num_entries = r->in.num_names;
1176         struct lsa_RefDomainList *domains = NULL;
1177         struct lsa_TranslatedSid3 *trans_sids = NULL;
1178         uint32 mapped_count = 0;
1179         int flags = 0;
1180         bool check_policy = true;
1181
1182         switch (p->hdr_req.opnum) {
1183                 case NDR_LSA_LOOKUPNAMES4:
1184                         check_policy = false;
1185                         break;
1186                 case NDR_LSA_LOOKUPNAMES3:
1187                 default:
1188                         check_policy = true;
1189         }
1190
1191         if (num_entries >  MAX_LOOKUP_SIDS) {
1192                 num_entries = MAX_LOOKUP_SIDS;
1193                 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1194         }
1195
1196         /* Probably the lookup_level is some sort of bitmask. */
1197         if (r->in.level == 1) {
1198                 flags = LOOKUP_NAME_ALL;
1199         }
1200
1201         domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1202         if (!domains) {
1203                 return NT_STATUS_NO_MEMORY;
1204         }
1205
1206         if (num_entries) {
1207                 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1208                                                num_entries);
1209                 if (!trans_sids) {
1210                         return NT_STATUS_NO_MEMORY;
1211                 }
1212         } else {
1213                 trans_sids = NULL;
1214         }
1215
1216         if (check_policy) {
1217
1218                 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1219                         status = NT_STATUS_INVALID_HANDLE;
1220                         goto done;
1221                 }
1222
1223                 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1224                         return NT_STATUS_INVALID_HANDLE;
1225                 }
1226
1227                 /* check if the user has enough rights */
1228                 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1229                         status = NT_STATUS_ACCESS_DENIED;
1230                         goto done;
1231                 }
1232         }
1233
1234         /* set up the LSA Lookup SIDs response */
1235         become_root(); /* lookup_name can require root privs */
1236         status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1237                                  names, flags, &mapped_count);
1238         unbecome_root();
1239
1240 done:
1241
1242         if (NT_STATUS_IS_OK(status)) {
1243                 if (mapped_count == 0) {
1244                         status = NT_STATUS_NONE_MAPPED;
1245                 } else if (mapped_count != num_entries) {
1246                         status = STATUS_SOME_UNMAPPED;
1247                 }
1248         }
1249
1250         *r->out.count = mapped_count;
1251         *r->out.domains = domains;
1252         r->out.sids->sids = trans_sids;
1253         r->out.sids->count = num_entries;
1254
1255         return status;
1256 }
1257
1258 /***************************************************************************
1259  _lsa_LookupNames4
1260  ***************************************************************************/
1261
1262 NTSTATUS _lsa_LookupNames4(pipes_struct *p,
1263                            struct lsa_LookupNames4 *r)
1264 {
1265         struct lsa_LookupNames3 q;
1266
1267         /* No policy handle on this call. Restrict to crypto connections. */
1268         if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1269                 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1270                         get_remote_machine_name() ));
1271                 return NT_STATUS_INVALID_PARAMETER;
1272         }
1273
1274         q.in.handle             = NULL;
1275         q.in.num_names          = r->in.num_names;
1276         q.in.names              = r->in.names;
1277         q.in.level              = r->in.level;
1278         q.in.lookup_options     = r->in.lookup_options;
1279         q.in.client_revision    = r->in.client_revision;
1280         q.in.sids               = r->in.sids;
1281         q.in.count              = r->in.count;
1282
1283         q.out.domains           = r->out.domains;
1284         q.out.sids              = r->out.sids;
1285         q.out.count             = r->out.count;
1286
1287         return _lsa_LookupNames3(p, &q);
1288 }
1289
1290 /***************************************************************************
1291  _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1292  ***************************************************************************/
1293
1294 NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
1295 {
1296         if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1297                 return NT_STATUS_INVALID_HANDLE;
1298         }
1299
1300         close_policy_hnd(p, r->in.handle);
1301         ZERO_STRUCTP(r->out.handle);
1302         return NT_STATUS_OK;
1303 }
1304
1305 /***************************************************************************
1306  ***************************************************************************/
1307
1308 NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
1309 {
1310         return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1311 }
1312
1313 /***************************************************************************
1314  ***************************************************************************/
1315
1316 NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
1317 {
1318         return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1319 }
1320
1321 /***************************************************************************
1322  ***************************************************************************/
1323
1324 NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
1325 {
1326         return NT_STATUS_ACCESS_DENIED;
1327 }
1328
1329 /***************************************************************************
1330  ***************************************************************************/
1331
1332 NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
1333 {
1334         return NT_STATUS_ACCESS_DENIED;
1335 }
1336
1337 /***************************************************************************
1338  ***************************************************************************/
1339
1340 NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
1341 {
1342         return NT_STATUS_ACCESS_DENIED;
1343 }
1344
1345 /***************************************************************************
1346  _lsa_DeleteObject
1347  ***************************************************************************/
1348
1349 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
1350                            struct lsa_DeleteObject *r)
1351 {
1352         NTSTATUS status;
1353         struct lsa_info *info = NULL;
1354
1355         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1356                 return NT_STATUS_INVALID_HANDLE;
1357         }
1358
1359         if (!(info->access & STD_RIGHT_DELETE_ACCESS)) {
1360                 return NT_STATUS_ACCESS_DENIED;
1361         }
1362
1363         switch (info->type) {
1364         case LSA_HANDLE_ACCOUNT_TYPE:
1365                 status = privilege_delete_account(&info->sid);
1366                 if (!NT_STATUS_IS_OK(status)) {
1367                         DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1368                                 nt_errstr(status)));
1369                         return status;
1370                 }
1371                 break;
1372         default:
1373                 return NT_STATUS_INVALID_HANDLE;
1374         }
1375
1376         close_policy_hnd(p, r->in.handle);
1377         ZERO_STRUCTP(r->out.handle);
1378
1379         return status;
1380 }
1381
1382 /***************************************************************************
1383  _lsa_EnumPrivs
1384  ***************************************************************************/
1385
1386 NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
1387                         struct lsa_EnumPrivs *r)
1388 {
1389         struct lsa_info *handle;
1390         uint32 i;
1391         uint32 enum_context = *r->in.resume_handle;
1392         int num_privs = count_all_privileges();
1393         struct lsa_PrivEntry *entries = NULL;
1394         LUID_ATTR luid;
1395
1396         /* remember that the enum_context starts at 0 and not 1 */
1397
1398         if ( enum_context >= num_privs )
1399                 return NT_STATUS_NO_MORE_ENTRIES;
1400
1401         DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1402                 enum_context, num_privs));
1403
1404         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1405                 return NT_STATUS_INVALID_HANDLE;
1406
1407         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1408                 return NT_STATUS_INVALID_HANDLE;
1409         }
1410
1411         /* check if the user has enough rights
1412            I don't know if it's the right one. not documented.  */
1413
1414         if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1415                 return NT_STATUS_ACCESS_DENIED;
1416
1417         if (num_privs) {
1418                 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1419                 if (!entries) {
1420                         return NT_STATUS_NO_MEMORY;
1421                 }
1422         } else {
1423                 entries = NULL;
1424         }
1425
1426         for (i = 0; i < num_privs; i++) {
1427                 if( i < enum_context) {
1428
1429                         init_lsa_StringLarge(&entries[i].name, NULL);
1430
1431                         entries[i].luid.low = 0;
1432                         entries[i].luid.high = 0;
1433                 } else {
1434
1435                         init_lsa_StringLarge(&entries[i].name, privs[i].name);
1436
1437                         luid = get_privilege_luid( &privs[i].se_priv );
1438
1439                         entries[i].luid.low = luid.luid.low;
1440                         entries[i].luid.high = luid.luid.high;
1441                 }
1442         }
1443
1444         enum_context = num_privs;
1445
1446         *r->out.resume_handle = enum_context;
1447         r->out.privs->count = num_privs;
1448         r->out.privs->privs = entries;
1449
1450         return NT_STATUS_OK;
1451 }
1452
1453 /***************************************************************************
1454  _lsa_LookupPrivDisplayName
1455  ***************************************************************************/
1456
1457 NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
1458                                     struct lsa_LookupPrivDisplayName *r)
1459 {
1460         struct lsa_info *handle;
1461         const char *description;
1462         struct lsa_StringLarge *lsa_name;
1463
1464         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1465                 return NT_STATUS_INVALID_HANDLE;
1466
1467         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1468                 return NT_STATUS_INVALID_HANDLE;
1469         }
1470
1471         /* check if the user has enough rights */
1472
1473         /*
1474          * I don't know if it's the right one. not documented.
1475          */
1476         if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1477                 return NT_STATUS_ACCESS_DENIED;
1478
1479         DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1480
1481         description = get_privilege_dispname(r->in.name->string);
1482         if (!description) {
1483                 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1484                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1485         }
1486
1487         DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1488
1489         lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1490         if (!lsa_name) {
1491                 return NT_STATUS_NO_MEMORY;
1492         }
1493
1494         init_lsa_StringLarge(lsa_name, description);
1495
1496         *r->out.returned_language_id = r->in.language_id;
1497         *r->out.disp_name = lsa_name;
1498
1499         return NT_STATUS_OK;
1500 }
1501
1502 /***************************************************************************
1503  _lsa_EnumAccounts
1504  ***************************************************************************/
1505
1506 NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
1507                            struct lsa_EnumAccounts *r)
1508 {
1509         struct lsa_info *handle;
1510         DOM_SID *sid_list;
1511         int i, j, num_entries;
1512         NTSTATUS status;
1513         struct lsa_SidPtr *sids = NULL;
1514
1515         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1516                 return NT_STATUS_INVALID_HANDLE;
1517
1518         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1519                 return NT_STATUS_INVALID_HANDLE;
1520         }
1521
1522         if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1523                 return NT_STATUS_ACCESS_DENIED;
1524
1525         sid_list = NULL;
1526         num_entries = 0;
1527
1528         /* The only way we can currently find out all the SIDs that have been
1529            privileged is to scan all privileges */
1530
1531         status = privilege_enumerate_accounts(&sid_list, &num_entries);
1532         if (!NT_STATUS_IS_OK(status)) {
1533                 return status;
1534         }
1535
1536         if (*r->in.resume_handle >= num_entries) {
1537                 return NT_STATUS_NO_MORE_ENTRIES;
1538         }
1539
1540         if (num_entries - *r->in.resume_handle) {
1541                 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1542                                          num_entries - *r->in.resume_handle);
1543                 if (!sids) {
1544                         talloc_free(sid_list);
1545                         return NT_STATUS_NO_MEMORY;
1546                 }
1547
1548                 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1549                         sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1550                         if (!sids[j].sid) {
1551                                 talloc_free(sid_list);
1552                                 return NT_STATUS_NO_MEMORY;
1553                         }
1554                 }
1555         }
1556
1557         talloc_free(sid_list);
1558
1559         *r->out.resume_handle = num_entries;
1560         r->out.sids->num_sids = num_entries;
1561         r->out.sids->sids = sids;
1562
1563         return NT_STATUS_OK;
1564 }
1565
1566 /***************************************************************************
1567  _lsa_GetUserName
1568  ***************************************************************************/
1569
1570 NTSTATUS _lsa_GetUserName(pipes_struct *p,
1571                           struct lsa_GetUserName *r)
1572 {
1573         const char *username, *domname;
1574         struct lsa_String *account_name = NULL;
1575         struct lsa_String *authority_name = NULL;
1576
1577         if (r->in.account_name &&
1578            *r->in.account_name) {
1579                 return NT_STATUS_INVALID_PARAMETER;
1580         }
1581
1582         if (r->in.authority_name &&
1583            *r->in.authority_name) {
1584                 return NT_STATUS_INVALID_PARAMETER;
1585         }
1586
1587         if (p->server_info->guest) {
1588                 /*
1589                  * I'm 99% sure this is not the right place to do this,
1590                  * global_sid_Anonymous should probably be put into the token
1591                  * instead of the guest id -- vl
1592                  */
1593                 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1594                                 &domname, &username, NULL)) {
1595                         return NT_STATUS_NO_MEMORY;
1596                 }
1597         } else {
1598                 username = p->server_info->sanitized_username;
1599                 domname = pdb_get_domain(p->server_info->sam_account);
1600         }
1601
1602         account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1603         if (!account_name) {
1604                 return NT_STATUS_NO_MEMORY;
1605         }
1606         init_lsa_String(account_name, username);
1607
1608         if (r->out.authority_name) {
1609                 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1610                 if (!authority_name) {
1611                         return NT_STATUS_NO_MEMORY;
1612                 }
1613                 init_lsa_String(authority_name, domname);
1614         }
1615
1616         *r->out.account_name = account_name;
1617         if (r->out.authority_name) {
1618                 *r->out.authority_name = authority_name;
1619         }
1620
1621         return NT_STATUS_OK;
1622 }
1623
1624 /***************************************************************************
1625  _lsa_CreateAccount
1626  ***************************************************************************/
1627
1628 NTSTATUS _lsa_CreateAccount(pipes_struct *p,
1629                             struct lsa_CreateAccount *r)
1630 {
1631         NTSTATUS status;
1632         struct lsa_info *handle;
1633         struct lsa_info *info;
1634         uint32_t acc_granted;
1635         struct security_descriptor *psd;
1636         size_t sd_size;
1637
1638         /* find the connection policy handle. */
1639         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1640                 return NT_STATUS_INVALID_HANDLE;
1641
1642         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1643                 return NT_STATUS_INVALID_HANDLE;
1644         }
1645
1646         /* check if the user has enough rights */
1647
1648         if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
1649                 return NT_STATUS_ACCESS_DENIED;
1650         }
1651
1652         /* Work out max allowed. */
1653         map_max_allowed_access(p->server_info->ptok,
1654                                &p->server_info->utok,
1655                                &r->in.access_mask);
1656
1657         /* map the generic bits to the lsa policy ones */
1658         se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1659
1660         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1661                                     &lsa_account_mapping,
1662                                     r->in.sid, LSA_POLICY_ALL_ACCESS);
1663         if (!NT_STATUS_IS_OK(status)) {
1664                 return status;
1665         }
1666
1667         status = access_check_object(psd, p->server_info->ptok,
1668                 NULL, 0, r->in.access_mask,
1669                 &acc_granted, "_lsa_CreateAccount");
1670         if (!NT_STATUS_IS_OK(status)) {
1671                 return status;
1672         }
1673
1674         if ( is_privileged_sid( r->in.sid ) )
1675                 return NT_STATUS_OBJECT_NAME_COLLISION;
1676
1677         /* associate the user/group SID with the (unique) handle. */
1678
1679         info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1680         if (info == NULL) {
1681                 return NT_STATUS_NO_MEMORY;
1682         }
1683
1684         info->sid = *r->in.sid;
1685         info->access = acc_granted;
1686         info->type = LSA_HANDLE_ACCOUNT_TYPE;
1687
1688         /* get a (unique) handle.  open a policy on it. */
1689         if (!create_policy_hnd(p, r->out.acct_handle, info))
1690                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1691
1692         return privilege_create_account( &info->sid );
1693 }
1694
1695 /***************************************************************************
1696  _lsa_OpenAccount
1697  ***************************************************************************/
1698
1699 NTSTATUS _lsa_OpenAccount(pipes_struct *p,
1700                           struct lsa_OpenAccount *r)
1701 {
1702         struct lsa_info *handle;
1703         struct lsa_info *info;
1704         SEC_DESC *psd = NULL;
1705         size_t sd_size;
1706         uint32_t des_access = r->in.access_mask;
1707         uint32_t acc_granted;
1708         NTSTATUS status;
1709
1710         /* find the connection policy handle. */
1711         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1712                 return NT_STATUS_INVALID_HANDLE;
1713
1714         if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1715                 return NT_STATUS_INVALID_HANDLE;
1716         }
1717
1718         /* des_access is for the account here, not the policy
1719          * handle - so don't check against policy handle. */
1720
1721         /* Work out max allowed. */
1722         map_max_allowed_access(p->server_info->ptok,
1723                                &p->server_info->utok,
1724                                &des_access);
1725
1726         /* map the generic bits to the lsa account ones */
1727         se_map_generic(&des_access, &lsa_account_mapping);
1728
1729         /* get the generic lsa account SD until we store it */
1730         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1731                                 &lsa_account_mapping,
1732                                 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1733         if (!NT_STATUS_IS_OK(status)) {
1734                 return status;
1735         }
1736
1737         status = access_check_object(psd, p->server_info->ptok,
1738                 NULL, 0, des_access,
1739                 &acc_granted, "_lsa_OpenAccount" );
1740
1741         if (!NT_STATUS_IS_OK(status)) {
1742                 return status;
1743         }
1744
1745         /* TODO: Fis the parsing routine before reenabling this check! */
1746         #if 0
1747         if (!lookup_sid(&handle->sid, dom_name, name, &type))
1748                 return NT_STATUS_ACCESS_DENIED;
1749         #endif
1750         /* associate the user/group SID with the (unique) handle. */
1751         info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1752         if (info == NULL) {
1753                 return NT_STATUS_NO_MEMORY;
1754         }
1755
1756         info->sid = *r->in.sid;
1757         info->access = acc_granted;
1758         info->type = LSA_HANDLE_ACCOUNT_TYPE;
1759
1760         /* get a (unique) handle.  open a policy on it. */
1761         if (!create_policy_hnd(p, r->out.acct_handle, info))
1762                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1763
1764         return NT_STATUS_OK;
1765 }
1766
1767 /***************************************************************************
1768  _lsa_EnumPrivsAccount
1769  For a given SID, enumerate all the privilege this account has.
1770  ***************************************************************************/
1771
1772 NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
1773                                struct lsa_EnumPrivsAccount *r)
1774 {
1775         NTSTATUS status = NT_STATUS_OK;
1776         struct lsa_info *info=NULL;
1777         SE_PRIV mask;
1778         PRIVILEGE_SET privileges;
1779         struct lsa_PrivilegeSet *priv_set = NULL;
1780         struct lsa_LUIDAttribute *luid_attrs = NULL;
1781         int i;
1782
1783         /* find the connection policy handle. */
1784         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1785                 return NT_STATUS_INVALID_HANDLE;
1786
1787         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1788                 return NT_STATUS_INVALID_HANDLE;
1789         }
1790
1791         if (!(info->access & LSA_ACCOUNT_VIEW))
1792                 return NT_STATUS_ACCESS_DENIED;
1793
1794         get_privileges_for_sids(&mask, &info->sid, 1);
1795
1796         privilege_set_init( &privileges );
1797
1798         priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1799         if (!priv_set) {
1800                 status = NT_STATUS_NO_MEMORY;
1801                 goto done;
1802         }
1803
1804         if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1805
1806                 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1807                           sid_string_dbg(&info->sid),
1808                           privileges.count));
1809
1810                 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1811                                                struct lsa_LUIDAttribute,
1812                                                privileges.count);
1813                 if (!luid_attrs) {
1814                         status = NT_STATUS_NO_MEMORY;
1815                         goto done;
1816                 }
1817
1818                 for (i=0; i<privileges.count; i++) {
1819                         luid_attrs[i].luid.low = privileges.set[i].luid.low;
1820                         luid_attrs[i].luid.high = privileges.set[i].luid.high;
1821                         luid_attrs[i].attribute = privileges.set[i].attr;
1822                 }
1823
1824                 priv_set->count = privileges.count;
1825                 priv_set->unknown = 0;
1826                 priv_set->set = luid_attrs;
1827
1828         } else {
1829                 priv_set->count = 0;
1830                 priv_set->unknown = 0;
1831                 priv_set->set = NULL;
1832         }
1833
1834         *r->out.privs = priv_set;
1835
1836  done:
1837         privilege_set_free( &privileges );
1838
1839         return status;
1840 }
1841
1842 /***************************************************************************
1843  _lsa_GetSystemAccessAccount
1844  ***************************************************************************/
1845
1846 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
1847                                      struct lsa_GetSystemAccessAccount *r)
1848 {
1849         NTSTATUS status;
1850         struct lsa_info *info = NULL;
1851         struct lsa_EnumPrivsAccount e;
1852         struct lsa_PrivilegeSet *privset;
1853
1854         /* find the connection policy handle. */
1855
1856         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1857                 return NT_STATUS_INVALID_HANDLE;
1858
1859         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1860                 return NT_STATUS_INVALID_HANDLE;
1861         }
1862
1863         if (!(info->access & LSA_ACCOUNT_VIEW))
1864                 return NT_STATUS_ACCESS_DENIED;
1865
1866         privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1867         if (!privset) {
1868                 return NT_STATUS_NO_MEMORY;
1869         }
1870
1871         e.in.handle = r->in.handle;
1872         e.out.privs = &privset;
1873
1874         status = _lsa_EnumPrivsAccount(p, &e);
1875         if (!NT_STATUS_IS_OK(status)) {
1876                 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1877                         "failed to call _lsa_EnumPrivsAccount(): %s\n",
1878                         nt_errstr(status)));
1879                 return status;
1880         }
1881
1882         /* Samba4 would iterate over the privset to merge the policy mode bits,
1883          * not sure samba3 can do the same here, so just return what we did in
1884          * the past - gd */
1885
1886         /*
1887           0x01 -> Log on locally
1888           0x02 -> Access this computer from network
1889           0x04 -> Log on as a batch job
1890           0x10 -> Log on as a service
1891
1892           they can be ORed together
1893         */
1894
1895         *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1896                               LSA_POLICY_MODE_NETWORK;
1897
1898         return NT_STATUS_OK;
1899 }
1900
1901 /***************************************************************************
1902   update the systemaccount information
1903  ***************************************************************************/
1904
1905 NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
1906                                      struct lsa_SetSystemAccessAccount *r)
1907 {
1908         struct lsa_info *info=NULL;
1909         GROUP_MAP map;
1910
1911         /* find the connection policy handle. */
1912         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1913                 return NT_STATUS_INVALID_HANDLE;
1914
1915         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1916                 return NT_STATUS_INVALID_HANDLE;
1917         }
1918
1919         if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1920                 return NT_STATUS_ACCESS_DENIED;
1921         }
1922
1923         if (!pdb_getgrsid(&map, info->sid))
1924                 return NT_STATUS_NO_SUCH_GROUP;
1925
1926         return pdb_update_group_mapping_entry(&map);
1927 }
1928
1929 /***************************************************************************
1930  _lsa_AddPrivilegesToAccount
1931  For a given SID, add some privileges.
1932  ***************************************************************************/
1933
1934 NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
1935                                      struct lsa_AddPrivilegesToAccount *r)
1936 {
1937         struct lsa_info *info = NULL;
1938         SE_PRIV mask;
1939         struct lsa_PrivilegeSet *set = NULL;
1940
1941         /* find the connection policy handle. */
1942         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1943                 return NT_STATUS_INVALID_HANDLE;
1944
1945         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1946                 return NT_STATUS_INVALID_HANDLE;
1947         }
1948
1949         if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1950                 return NT_STATUS_ACCESS_DENIED;
1951         }
1952
1953         set = r->in.privs;
1954         if ( !privilege_set_to_se_priv( &mask, set ) )
1955                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1956
1957         if ( !grant_privilege( &info->sid, &mask ) ) {
1958                 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1959                          sid_string_dbg(&info->sid) ));
1960                 DEBUG(3,("Privilege mask:\n"));
1961                 dump_se_priv( DBGC_ALL, 3, &mask );
1962                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1963         }
1964
1965         return NT_STATUS_OK;
1966 }
1967
1968 /***************************************************************************
1969  _lsa_RemovePrivilegesFromAccount
1970  For a given SID, remove some privileges.
1971  ***************************************************************************/
1972
1973 NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
1974                                           struct lsa_RemovePrivilegesFromAccount *r)
1975 {
1976         struct lsa_info *info = NULL;
1977         SE_PRIV mask;
1978         struct lsa_PrivilegeSet *set = NULL;
1979
1980         /* find the connection policy handle. */
1981         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1982                 return NT_STATUS_INVALID_HANDLE;
1983
1984         if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1985                 return NT_STATUS_INVALID_HANDLE;
1986         }
1987
1988         if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1989                 return NT_STATUS_ACCESS_DENIED;
1990         }
1991
1992         set = r->in.privs;
1993
1994         if ( !privilege_set_to_se_priv( &mask, set ) )
1995                 return NT_STATUS_NO_SUCH_PRIVILEGE;
1996
1997         if ( !revoke_privilege( &info->sid, &mask ) ) {
1998                 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
1999                          sid_string_dbg(&info->sid) ));
2000                 DEBUG(3,("Privilege mask:\n"));
2001                 dump_se_priv( DBGC_ALL, 3, &mask );
2002                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2003         }
2004
2005         return NT_STATUS_OK;
2006 }
2007
2008 /***************************************************************************
2009  _lsa_LookupPrivName
2010  ***************************************************************************/
2011
2012 NTSTATUS _lsa_LookupPrivName(pipes_struct *p,
2013                              struct lsa_LookupPrivName *r)
2014 {
2015         struct lsa_info *info = NULL;
2016         const char *name;
2017         struct lsa_StringLarge *lsa_name;
2018
2019         /* find the connection policy handle. */
2020         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2021                 return NT_STATUS_INVALID_HANDLE;
2022         }
2023
2024         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2025                 return NT_STATUS_INVALID_HANDLE;
2026         }
2027
2028         if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2029                 return NT_STATUS_ACCESS_DENIED;
2030         }
2031
2032         name = luid_to_privilege_name((LUID *)r->in.luid);
2033         if (!name) {
2034                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2035         }
2036
2037         lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2038         if (!lsa_name) {
2039                 return NT_STATUS_NO_MEMORY;
2040         }
2041
2042         lsa_name->string = talloc_strdup(lsa_name, name);
2043         if (!lsa_name->string) {
2044                 TALLOC_FREE(lsa_name);
2045                 return NT_STATUS_NO_MEMORY;
2046         }
2047
2048         *r->out.name = lsa_name;
2049
2050         return NT_STATUS_OK;
2051 }
2052
2053 /***************************************************************************
2054  _lsa_QuerySecurity
2055  ***************************************************************************/
2056
2057 NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
2058                             struct lsa_QuerySecurity *r)
2059 {
2060         struct lsa_info *handle=NULL;
2061         SEC_DESC *psd = NULL;
2062         size_t sd_size;
2063         NTSTATUS status;
2064
2065         /* find the connection policy handle. */
2066         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2067                 return NT_STATUS_INVALID_HANDLE;
2068
2069         if (handle->type == LSA_HANDLE_POLICY_TYPE) {
2070                 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2071                                 &lsa_policy_mapping, NULL, 0);
2072         } else if (handle->type == LSA_HANDLE_ACCOUNT_TYPE) {
2073                 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2074                                 &lsa_account_mapping,
2075                                 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2076         } else {
2077                 status = NT_STATUS_INVALID_HANDLE;
2078         }
2079
2080         if (!NT_STATUS_IS_OK(status)) {
2081                 return status;
2082         }
2083
2084         *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2085         if (!*r->out.sdbuf) {
2086                 return NT_STATUS_NO_MEMORY;
2087         }
2088
2089         return status;
2090 }
2091
2092 /***************************************************************************
2093  _lsa_AddAccountRights
2094  ***************************************************************************/
2095
2096 NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
2097                                struct lsa_AddAccountRights *r)
2098 {
2099         struct lsa_info *info = NULL;
2100         int i = 0;
2101         uint32_t acc_granted = 0;
2102         SEC_DESC *psd = NULL;
2103         size_t sd_size;
2104         DOM_SID sid;
2105         NTSTATUS status;
2106
2107         /* find the connection policy handle. */
2108         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2109                 return NT_STATUS_INVALID_HANDLE;
2110
2111         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2112                 return NT_STATUS_INVALID_HANDLE;
2113         }
2114
2115         /* get the generic lsa account SD for this SID until we store it */
2116         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2117                                 &lsa_account_mapping,
2118                                 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2119         if (!NT_STATUS_IS_OK(status)) {
2120                 return status;
2121         }
2122
2123         /*
2124          * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2125          * on the policy handle. If it does, ask for
2126          * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2127          * on the account sid. We don't check here so just use the latter. JRA.
2128          */
2129
2130         status = access_check_object(psd, p->server_info->ptok,
2131                 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2132                 &acc_granted, "_lsa_AddAccountRights" );
2133
2134         if (!NT_STATUS_IS_OK(status)) {
2135                 return status;
2136         }
2137
2138         /* according to an NT4 PDC, you can add privileges to SIDs even without
2139            call_lsa_create_account() first.  And you can use any arbitrary SID. */
2140
2141         sid_copy( &sid, r->in.sid );
2142
2143         for ( i=0; i < r->in.rights->count; i++ ) {
2144
2145                 const char *privname = r->in.rights->names[i].string;
2146
2147                 /* only try to add non-null strings */
2148
2149                 if ( !privname )
2150                         continue;
2151
2152                 if ( !grant_privilege_by_name( &sid, privname ) ) {
2153                         DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2154                                 privname ));
2155                         return NT_STATUS_NO_SUCH_PRIVILEGE;
2156                 }
2157         }
2158
2159         return NT_STATUS_OK;
2160 }
2161
2162 /***************************************************************************
2163  _lsa_RemoveAccountRights
2164  ***************************************************************************/
2165
2166 NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
2167                                   struct lsa_RemoveAccountRights *r)
2168 {
2169         struct lsa_info *info = NULL;
2170         int i = 0;
2171         SEC_DESC *psd = NULL;
2172         size_t sd_size;
2173         DOM_SID sid;
2174         const char *privname = NULL;
2175         uint32_t acc_granted = 0;
2176         NTSTATUS status;
2177
2178         /* find the connection policy handle. */
2179         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2180                 return NT_STATUS_INVALID_HANDLE;
2181
2182         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2183                 return NT_STATUS_INVALID_HANDLE;
2184         }
2185
2186         /* get the generic lsa account SD for this SID until we store it */
2187         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2188                                 &lsa_account_mapping,
2189                                 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2190         if (!NT_STATUS_IS_OK(status)) {
2191                 return status;
2192         }
2193
2194         /*
2195          * From the MS DOCs. We need
2196          * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2197          * and DELETE on the account sid.
2198          */
2199
2200         status = access_check_object(psd, p->server_info->ptok,
2201                 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2202                         LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
2203                 &acc_granted, "_lsa_AddAccountRights" );
2204
2205         if (!NT_STATUS_IS_OK(status)) {
2206                 return status;
2207         }
2208
2209         sid_copy( &sid, r->in.sid );
2210
2211         if ( r->in.remove_all ) {
2212                 if ( !revoke_all_privileges( &sid ) )
2213                         return NT_STATUS_ACCESS_DENIED;
2214
2215                 return NT_STATUS_OK;
2216         }
2217
2218         for ( i=0; i < r->in.rights->count; i++ ) {
2219
2220                 privname = r->in.rights->names[i].string;
2221
2222                 /* only try to add non-null strings */
2223
2224                 if ( !privname )
2225                         continue;
2226
2227                 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2228                         DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2229                                 privname ));
2230                         return NT_STATUS_NO_SUCH_PRIVILEGE;
2231                 }
2232         }
2233
2234         return NT_STATUS_OK;
2235 }
2236
2237 /*******************************************************************
2238 ********************************************************************/
2239
2240 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2241                                    struct lsa_RightSet *r,
2242                                    PRIVILEGE_SET *privileges)
2243 {
2244         uint32 i;
2245         const char *privname;
2246         const char **privname_array = NULL;
2247         int num_priv = 0;
2248
2249         for (i=0; i<privileges->count; i++) {
2250
2251                 privname = luid_to_privilege_name(&privileges->set[i].luid);
2252                 if (privname) {
2253                         if (!add_string_to_array(mem_ctx, privname,
2254                                                  &privname_array, &num_priv)) {
2255                                 return NT_STATUS_NO_MEMORY;
2256                         }
2257                 }
2258         }
2259
2260         if (num_priv) {
2261
2262                 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2263                                              num_priv);
2264                 if (!r->names) {
2265                         return NT_STATUS_NO_MEMORY;
2266                 }
2267
2268                 for (i=0; i<num_priv; i++) {
2269                         init_lsa_StringLarge(&r->names[i], privname_array[i]);
2270                 }
2271
2272                 r->count = num_priv;
2273         }
2274
2275         return NT_STATUS_OK;
2276 }
2277
2278 /***************************************************************************
2279  _lsa_EnumAccountRights
2280  ***************************************************************************/
2281
2282 NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
2283                                 struct lsa_EnumAccountRights *r)
2284 {
2285         NTSTATUS status;
2286         struct lsa_info *info = NULL;
2287         DOM_SID sid;
2288         PRIVILEGE_SET privileges;
2289         SE_PRIV mask;
2290
2291         /* find the connection policy handle. */
2292
2293         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2294                 return NT_STATUS_INVALID_HANDLE;
2295
2296         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2297                 return NT_STATUS_INVALID_HANDLE;
2298         }
2299
2300         if (!(info->access & LSA_ACCOUNT_VIEW)) {
2301                 return NT_STATUS_ACCESS_DENIED;
2302         }
2303
2304         /* according to an NT4 PDC, you can add privileges to SIDs even without
2305            call_lsa_create_account() first.  And you can use any arbitrary SID. */
2306
2307         sid_copy( &sid, r->in.sid );
2308
2309         /* according to MS-LSAD 3.1.4.5.10 it is required to return
2310          * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2311          * the lsa database */
2312
2313         if (!get_privileges_for_sids(&mask, &sid, 1)) {
2314                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2315         }
2316
2317         status = privilege_set_init(&privileges);
2318         if (!NT_STATUS_IS_OK(status)) {
2319                 return status;
2320         }
2321
2322         se_priv_to_privilege_set(&privileges, &mask);
2323
2324         DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2325                   sid_string_dbg(&sid), privileges.count));
2326
2327         status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2328
2329         privilege_set_free( &privileges );
2330
2331         return status;
2332 }
2333
2334 /***************************************************************************
2335  _lsa_LookupPrivValue
2336  ***************************************************************************/
2337
2338 NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
2339                               struct lsa_LookupPrivValue *r)
2340 {
2341         struct lsa_info *info = NULL;
2342         const char *name = NULL;
2343         LUID_ATTR priv_luid;
2344         SE_PRIV mask;
2345
2346         /* find the connection policy handle. */
2347
2348         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2349                 return NT_STATUS_INVALID_HANDLE;
2350
2351         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2352                 return NT_STATUS_INVALID_HANDLE;
2353         }
2354
2355         if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2356                 return NT_STATUS_ACCESS_DENIED;
2357
2358         name = r->in.name->string;
2359
2360         DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2361
2362         if ( !se_priv_from_name( name, &mask ) )
2363                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2364
2365         priv_luid = get_privilege_luid( &mask );
2366
2367         r->out.luid->low = priv_luid.luid.low;
2368         r->out.luid->high = priv_luid.luid.high;
2369
2370         return NT_STATUS_OK;
2371 }
2372
2373 /***************************************************************************
2374  _lsa_EnumAccountsWithUserRight
2375  ***************************************************************************/
2376
2377 NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p,
2378                                         struct lsa_EnumAccountsWithUserRight *r)
2379 {
2380         NTSTATUS status;
2381         struct lsa_info *info = NULL;
2382         struct dom_sid *sids = NULL;
2383         int num_sids = 0;
2384         uint32_t i;
2385         SE_PRIV mask;
2386
2387         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2388                 return NT_STATUS_INVALID_HANDLE;
2389         }
2390
2391         if (info->type != LSA_HANDLE_POLICY_TYPE) {
2392                 return NT_STATUS_INVALID_HANDLE;
2393         }
2394
2395         if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2396                 return NT_STATUS_ACCESS_DENIED;
2397         }
2398
2399         if (!r->in.name || !r->in.name->string) {
2400                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2401         }
2402
2403         if (!se_priv_from_name(r->in.name->string, &mask)) {
2404                 return NT_STATUS_NO_SUCH_PRIVILEGE;
2405         }
2406
2407         status = privilege_enum_sids(&mask, p->mem_ctx,
2408                                      &sids, &num_sids);
2409         if (!NT_STATUS_IS_OK(status)) {
2410                 return status;
2411         }
2412
2413         r->out.sids->num_sids = num_sids;
2414         r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2415                                          r->out.sids->num_sids);
2416
2417         for (i=0; i < r->out.sids->num_sids; i++) {
2418                 r->out.sids->sids[i].sid = sid_dup_talloc(r->out.sids->sids,
2419                                                           &sids[i]);
2420                 if (!r->out.sids->sids[i].sid) {
2421                         TALLOC_FREE(r->out.sids->sids);
2422                         r->out.sids->num_sids = 0;
2423                         return NT_STATUS_NO_MEMORY;
2424                 }
2425         }
2426
2427         return NT_STATUS_OK;
2428 }
2429
2430 /***************************************************************************
2431  _lsa_Delete
2432  ***************************************************************************/
2433
2434 NTSTATUS _lsa_Delete(pipes_struct *p,
2435                      struct lsa_Delete *r)
2436 {
2437         return NT_STATUS_NOT_SUPPORTED;
2438 }
2439
2440 /*
2441  * From here on the server routines are just dummy ones to make smbd link with
2442  * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2443  * pulling the server stubs across one by one.
2444  */
2445
2446 NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
2447 {
2448         p->rng_fault_state = True;
2449         return NT_STATUS_NOT_IMPLEMENTED;
2450 }
2451
2452 NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
2453 {
2454         p->rng_fault_state = True;
2455         return NT_STATUS_NOT_IMPLEMENTED;
2456 }
2457
2458 NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
2459 {
2460         p->rng_fault_state = True;
2461         return NT_STATUS_NOT_IMPLEMENTED;
2462 }
2463
2464 NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
2465 {
2466         p->rng_fault_state = True;
2467         return NT_STATUS_NOT_IMPLEMENTED;
2468 }
2469
2470 NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
2471 {
2472         p->rng_fault_state = True;
2473         return NT_STATUS_NOT_IMPLEMENTED;
2474 }
2475
2476 NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
2477 {
2478         p->rng_fault_state = True;
2479         return NT_STATUS_NOT_IMPLEMENTED;
2480 }
2481
2482 NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
2483 {
2484         p->rng_fault_state = True;
2485         return NT_STATUS_NOT_IMPLEMENTED;
2486 }
2487
2488 NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
2489 {
2490         p->rng_fault_state = True;
2491         return NT_STATUS_NOT_IMPLEMENTED;
2492 }
2493
2494 NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
2495 {
2496         p->rng_fault_state = True;
2497         return NT_STATUS_NOT_IMPLEMENTED;
2498 }
2499
2500 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
2501 {
2502         p->rng_fault_state = True;
2503         return NT_STATUS_NOT_IMPLEMENTED;
2504 }
2505
2506 NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
2507 {
2508         p->rng_fault_state = True;
2509         return NT_STATUS_NOT_IMPLEMENTED;
2510 }
2511
2512 NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
2513 {
2514         p->rng_fault_state = True;
2515         return NT_STATUS_NOT_IMPLEMENTED;
2516 }
2517
2518 NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
2519 {
2520         p->rng_fault_state = True;
2521         return NT_STATUS_NOT_IMPLEMENTED;
2522 }
2523
2524 NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
2525 {
2526         p->rng_fault_state = True;
2527         return NT_STATUS_NOT_IMPLEMENTED;
2528 }
2529
2530 NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
2531 {
2532         p->rng_fault_state = True;
2533         return NT_STATUS_NOT_IMPLEMENTED;
2534 }
2535
2536 NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
2537 {
2538         p->rng_fault_state = True;
2539         return NT_STATUS_NOT_IMPLEMENTED;
2540 }
2541
2542 NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
2543 {
2544         p->rng_fault_state = True;
2545         return NT_STATUS_NOT_IMPLEMENTED;
2546 }
2547
2548 NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
2549 {
2550         p->rng_fault_state = True;
2551         return NT_STATUS_NOT_IMPLEMENTED;
2552 }
2553
2554 NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
2555 {
2556         p->rng_fault_state = True;
2557         return NT_STATUS_NOT_IMPLEMENTED;
2558 }
2559
2560 NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
2561 {
2562         p->rng_fault_state = True;
2563         return NT_STATUS_NOT_IMPLEMENTED;
2564 }
2565
2566 NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
2567 {
2568         p->rng_fault_state = True;
2569         return NT_STATUS_NOT_IMPLEMENTED;
2570 }
2571
2572 NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
2573 {
2574         p->rng_fault_state = True;
2575         return NT_STATUS_NOT_IMPLEMENTED;
2576 }
2577
2578 NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
2579 {
2580         p->rng_fault_state = True;
2581         return NT_STATUS_NOT_IMPLEMENTED;
2582 }
2583
2584 NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
2585 {
2586         p->rng_fault_state = True;
2587         return NT_STATUS_NOT_IMPLEMENTED;
2588 }
2589
2590 NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
2591 {
2592         p->rng_fault_state = True;
2593         return NT_STATUS_NOT_IMPLEMENTED;
2594 }
2595
2596 NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
2597 {
2598         p->rng_fault_state = True;
2599         return NT_STATUS_NOT_IMPLEMENTED;
2600 }
2601
2602 NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
2603 {
2604         p->rng_fault_state = True;
2605         return NT_STATUS_NOT_IMPLEMENTED;
2606 }
2607
2608 NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2609 {
2610         p->rng_fault_state = True;
2611         return NT_STATUS_NOT_IMPLEMENTED;
2612 }
2613
2614 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2615 {
2616         p->rng_fault_state = True;
2617         return NT_STATUS_NOT_IMPLEMENTED;
2618 }
2619
2620 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2621 {
2622         p->rng_fault_state = True;
2623         return NT_STATUS_NOT_IMPLEMENTED;
2624 }
2625
2626 NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
2627 {
2628         p->rng_fault_state = True;
2629         return NT_STATUS_NOT_IMPLEMENTED;
2630 }
2631
2632 NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
2633 {
2634         p->rng_fault_state = True;
2635         return NT_STATUS_NOT_IMPLEMENTED;
2636 }
2637
2638 NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
2639 {
2640         p->rng_fault_state = True;
2641         return NT_STATUS_NOT_IMPLEMENTED;
2642 }
2643
2644 NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
2645 {
2646         p->rng_fault_state = True;
2647         return NT_STATUS_NOT_IMPLEMENTED;
2648 }
2649
2650 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
2651 {
2652         p->rng_fault_state = True;
2653         return NT_STATUS_NOT_IMPLEMENTED;
2654 }
2655
2656 NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
2657 {
2658         p->rng_fault_state = True;
2659         return NT_STATUS_NOT_IMPLEMENTED;
2660 }
2661
2662 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
2663 {
2664         p->rng_fault_state = True;
2665         return NT_STATUS_NOT_IMPLEMENTED;
2666 }
2667
2668 NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
2669 {
2670         p->rng_fault_state = True;
2671         return NT_STATUS_NOT_IMPLEMENTED;
2672 }
2673
2674 NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2675 {
2676         p->rng_fault_state = True;
2677         return NT_STATUS_NOT_IMPLEMENTED;
2678 }
2679
2680 NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
2681 {
2682         p->rng_fault_state = True;
2683         return NT_STATUS_NOT_IMPLEMENTED;
2684 }
2685
2686 NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
2687 {
2688         p->rng_fault_state = True;
2689         return NT_STATUS_NOT_IMPLEMENTED;
2690 }
2691
2692 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2693 {
2694         p->rng_fault_state = True;
2695         return NT_STATUS_NOT_IMPLEMENTED;
2696 }
2697
2698 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2699 {
2700         p->rng_fault_state = True;
2701         return NT_STATUS_NOT_IMPLEMENTED;
2702 }
2703
2704 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
2705 {
2706         p->rng_fault_state = True;
2707         return NT_STATUS_NOT_IMPLEMENTED;
2708 }