2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
29 /* This is the implementation of the lsa server code. */
34 #define DBGC_CLASS DBGC_RPC_SRV
36 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
40 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
45 enum lsa_handle_type type;
48 const struct generic_mapping lsa_account_mapping = {
52 LSA_ACCOUNT_ALL_ACCESS
55 const struct generic_mapping lsa_policy_mapping = {
62 /***************************************************************************
63 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
64 ***************************************************************************/
66 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
67 struct lsa_RefDomainList *ref,
73 if (dom_name != NULL) {
74 for (num = 0; num < ref->count; num++) {
75 if (sid_equal(dom_sid, ref->domains[num].sid)) {
83 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
84 /* index not found, already at maximum domain limit */
89 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
91 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
92 struct lsa_DomainInfo, ref->count);
97 ZERO_STRUCT(ref->domains[num]);
99 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
100 ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
101 if (!ref->domains[num].sid) {
109 /***************************************************************************
110 initialize a lsa_DomainInfo structure.
111 ***************************************************************************/
113 static void init_dom_query_3(struct lsa_DomainInfo *r,
117 init_lsa_StringLarge(&r->name, name);
121 /***************************************************************************
122 initialize a lsa_DomainInfo structure.
123 ***************************************************************************/
125 static void init_dom_query_5(struct lsa_DomainInfo *r,
129 init_lsa_StringLarge(&r->name, name);
133 /***************************************************************************
134 lookup_lsa_rids. Must be called as root for lookup_name to work.
135 ***************************************************************************/
137 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
138 struct lsa_RefDomainList *ref,
139 struct lsa_TranslatedSid *prid,
140 uint32_t num_entries,
141 struct lsa_String *name,
143 uint32_t *pmapped_count)
145 uint32 mapped_count, i;
147 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
152 for (i = 0; i < num_entries; i++) {
156 const char *full_name;
158 enum lsa_SidType type = SID_NAME_UNKNOWN;
160 /* Split name into domain and user component */
162 full_name = name[i].string;
163 if (full_name == NULL) {
164 return NT_STATUS_NO_MEMORY;
167 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
169 /* We can ignore the result of lookup_name, it will not touch
170 "type" if it's not successful */
172 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
177 case SID_NAME_DOM_GRP:
178 case SID_NAME_DOMAIN:
180 case SID_NAME_WKN_GRP:
181 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
182 /* Leave these unchanged */
185 /* Don't hand out anything but the list above */
186 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
187 type = SID_NAME_UNKNOWN;
194 if (type != SID_NAME_UNKNOWN) {
195 sid_split_rid(&sid, &rid);
196 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
200 prid[i].sid_type = type;
202 prid[i].sid_index = dom_idx;
205 *pmapped_count = mapped_count;
209 /***************************************************************************
210 lookup_lsa_sids. Must be called as root for lookup_name to work.
211 ***************************************************************************/
213 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
214 struct lsa_RefDomainList *ref,
215 struct lsa_TranslatedSid3 *trans_sids,
216 uint32_t num_entries,
217 struct lsa_String *name,
219 uint32 *pmapped_count)
221 uint32 mapped_count, i;
223 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
228 for (i = 0; i < num_entries; i++) {
232 const char *full_name;
234 enum lsa_SidType type = SID_NAME_UNKNOWN;
238 /* Split name into domain and user component */
240 full_name = name[i].string;
241 if (full_name == NULL) {
242 return NT_STATUS_NO_MEMORY;
245 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
247 /* We can ignore the result of lookup_name, it will not touch
248 "type" if it's not successful */
250 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
255 case SID_NAME_DOM_GRP:
256 case SID_NAME_DOMAIN:
258 case SID_NAME_WKN_GRP:
259 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
260 /* Leave these unchanged */
263 /* Don't hand out anything but the list above */
264 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
265 type = SID_NAME_UNKNOWN;
272 if (type != SID_NAME_UNKNOWN) {
274 sid_copy(&domain_sid, &sid);
275 sid_split_rid(&domain_sid, &rid);
276 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
280 /* Initialize the lsa_TranslatedSid3 return. */
281 trans_sids[i].sid_type = type;
282 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
283 trans_sids[i].sid_index = dom_idx;
286 *pmapped_count = mapped_count;
290 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size,
291 const struct generic_mapping *map,
292 DOM_SID *sid, uint32_t sid_access)
300 /* READ|EXECUTE access for Everyone */
302 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
303 map->generic_execute | map->generic_read, 0);
305 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
307 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
308 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
309 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
310 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
312 /* Add Full Access for Domain Admins */
313 sid_copy(&adm_sid, get_global_sam_sid());
314 sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
315 init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
316 map->generic_all, 0);
318 /* If we have a sid, give it some special access */
321 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
325 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
326 return NT_STATUS_NO_MEMORY;
328 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
329 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
330 psa, sd_size)) == NULL)
331 return NT_STATUS_NO_MEMORY;
337 /***************************************************************************
339 ***************************************************************************/
341 NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
342 struct lsa_OpenPolicy2 *r)
344 struct lsa_info *info;
345 SEC_DESC *psd = NULL;
347 uint32 des_access = r->in.access_mask;
351 /* Work out max allowed. */
352 map_max_allowed_access(p->server_info->ptok, &des_access);
354 /* map the generic bits to the lsa policy ones */
355 se_map_generic(&des_access, &lsa_policy_mapping);
357 /* get the generic lsa policy SD until we store it */
358 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
360 if (!NT_STATUS_IS_OK(status)) {
364 status = access_check_object(psd, p->server_info->ptok,
366 &acc_granted, "_lsa_OpenPolicy2" );
368 if (!NT_STATUS_IS_OK(status)) {
372 /* associate the domain SID with the (unique) handle. */
373 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
375 return NT_STATUS_NO_MEMORY;
378 sid_copy(&info->sid,get_global_sam_sid());
379 info->access = acc_granted;
380 info->type = LSA_HANDLE_POLICY_TYPE;
382 /* set up the LSA QUERY INFO response */
383 if (!create_policy_hnd(p, r->out.handle, info))
384 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
389 /***************************************************************************
391 ***************************************************************************/
393 NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
394 struct lsa_OpenPolicy *r)
396 struct lsa_OpenPolicy2 o;
398 o.in.system_name = NULL; /* should be ignored */
399 o.in.attr = r->in.attr;
400 o.in.access_mask = r->in.access_mask;
402 o.out.handle = r->out.handle;
404 return _lsa_OpenPolicy2(p, &o);
407 /***************************************************************************
408 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
410 ***************************************************************************/
412 NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
413 struct lsa_EnumTrustDom *r)
415 struct lsa_info *info;
417 struct trustdom_info **domains;
418 struct lsa_DomainInfo *lsa_domains = NULL;
422 * preferred length is set to 5 as a "our" preferred length
423 * nt sets this parameter to 2
424 * update (20.08.2002): it's not preferred length, but preferred size!
425 * it needs further investigation how to optimally choose this value
427 uint32 max_num_domains =
428 r->in.max_size < 5 ? r->in.max_size : 10;
433 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
434 return NT_STATUS_INVALID_HANDLE;
436 if (info->type != LSA_HANDLE_POLICY_TYPE) {
437 return NT_STATUS_INVALID_HANDLE;
440 /* check if the user has enough rights */
441 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
442 return NT_STATUS_ACCESS_DENIED;
445 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
448 if (!NT_STATUS_IS_OK(nt_status)) {
452 if (*r->in.resume_handle < num_domains) {
453 num_thistime = MIN(num_domains, max_num_domains);
455 nt_status = STATUS_MORE_ENTRIES;
457 if (*r->in.resume_handle + num_thistime > num_domains) {
458 num_thistime = num_domains - *r->in.resume_handle;
459 nt_status = NT_STATUS_OK;
462 next_idx = *r->in.resume_handle + num_thistime;
465 next_idx = 0xffffffff;
466 nt_status = NT_STATUS_NO_MORE_ENTRIES;
469 /* set up the lsa_enum_trust_dom response */
471 lsa_domains = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo,
474 return NT_STATUS_NO_MEMORY;
477 for (i=0; i<num_thistime; i++) {
478 init_lsa_StringLarge(&lsa_domains[i].name, domains[i]->name);
479 lsa_domains[i].sid = &domains[i]->sid;
482 *r->out.resume_handle = next_idx;
483 r->out.domains->count = num_thistime;
484 r->out.domains->domains = lsa_domains;
489 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
490 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
491 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
493 /***************************************************************************
495 ***************************************************************************/
497 NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
498 struct lsa_QueryInfoPolicy *r)
500 NTSTATUS status = NT_STATUS_OK;
501 struct lsa_info *handle;
505 union lsa_PolicyInformation *info = NULL;
507 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
508 return NT_STATUS_INVALID_HANDLE;
510 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
511 return NT_STATUS_INVALID_HANDLE;
514 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
516 return NT_STATUS_NO_MEMORY;
519 switch (r->in.level) {
520 case LSA_POLICY_INFO_AUDIT_EVENTS:
523 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
525 /* check if the user has enough rights */
526 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
527 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
528 return NT_STATUS_ACCESS_DENIED;
531 /* fake info: We audit everything. ;) */
533 info->audit_events.auditing_mode = true;
534 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
535 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
536 enum lsa_PolicyAuditPolicy,
537 info->audit_events.count);
538 if (!info->audit_events.settings) {
539 return NT_STATUS_NO_MEMORY;
542 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
543 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
544 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
545 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
546 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
547 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
548 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
552 case LSA_POLICY_INFO_DOMAIN:
553 /* check if the user has enough rights */
554 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
555 return NT_STATUS_ACCESS_DENIED;
557 /* Request PolicyPrimaryDomainInformation. */
558 switch (lp_server_role()) {
559 case ROLE_DOMAIN_PDC:
560 case ROLE_DOMAIN_BDC:
561 name = get_global_sam_name();
562 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
564 return NT_STATUS_NO_MEMORY;
567 case ROLE_DOMAIN_MEMBER:
568 name = lp_workgroup();
569 /* We need to return the Domain SID here. */
570 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
571 sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
573 return NT_STATUS_NO_MEMORY;
576 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
579 case ROLE_STANDALONE:
580 name = lp_workgroup();
584 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
586 init_dom_query_3(&info->domain, name, sid);
588 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
589 /* check if the user has enough rights */
590 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
591 return NT_STATUS_ACCESS_DENIED;
593 /* Request PolicyAccountDomainInformation. */
594 name = get_global_sam_name();
595 sid = get_global_sam_sid();
597 init_dom_query_5(&info->account_domain, name, sid);
599 case LSA_POLICY_INFO_ROLE:
600 /* check if the user has enough rights */
601 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
602 return NT_STATUS_ACCESS_DENIED;
604 switch (lp_server_role()) {
605 case ROLE_DOMAIN_BDC:
607 * only a BDC is a backup controller
608 * of the domain, it controls.
610 info->role.role = LSA_ROLE_BACKUP;
614 * any other role is a primary
615 * of the domain, it controls.
617 info->role.role = LSA_ROLE_PRIMARY;
621 case LSA_POLICY_INFO_DNS: {
622 struct pdb_domain_info *dominfo;
624 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
625 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
626 "without ADS passdb backend\n"));
627 status = NT_STATUS_INVALID_INFO_CLASS;
631 dominfo = pdb_get_domain_info(info);
632 if (dominfo == NULL) {
633 status = NT_STATUS_NO_MEMORY;
637 init_lsa_StringLarge(&info->dns.name,
639 init_lsa_StringLarge(&info->dns.dns_domain,
640 dominfo->dns_domain);
641 init_lsa_StringLarge(&info->dns.dns_forest,
642 dominfo->dns_forest);
643 info->dns.domain_guid = dominfo->guid;
644 info->dns.sid = &dominfo->sid;
648 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
650 status = NT_STATUS_INVALID_INFO_CLASS;
659 /***************************************************************************
660 _lsa_lookup_sids_internal
661 ***************************************************************************/
663 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
665 uint16_t level, /* input */
666 int num_sids, /* input */
667 struct lsa_SidPtr *sid, /* input */
668 struct lsa_RefDomainList **pp_ref, /* input/output */
669 struct lsa_TranslatedName2 **pp_names,/* input/output */
670 uint32_t *pp_mapped_count) /* input/output */
674 const DOM_SID **sids = NULL;
675 struct lsa_RefDomainList *ref = NULL;
676 uint32 mapped_count = 0;
677 struct lsa_dom_info *dom_infos = NULL;
678 struct lsa_name_info *name_infos = NULL;
679 struct lsa_TranslatedName2 *names = NULL;
681 *pp_mapped_count = 0;
689 sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
690 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
692 if (sids == NULL || ref == NULL) {
693 return NT_STATUS_NO_MEMORY;
696 for (i=0; i<num_sids; i++) {
697 sids[i] = sid[i].sid;
700 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
701 &dom_infos, &name_infos);
703 if (!NT_STATUS_IS_OK(status)) {
707 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
709 return NT_STATUS_NO_MEMORY;
712 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
714 if (!dom_infos[i].valid) {
718 if (init_lsa_ref_domain_list(mem_ctx, ref,
720 &dom_infos[i].sid) != i) {
721 DEBUG(0, ("Domain %s mentioned twice??\n",
723 return NT_STATUS_INTERNAL_ERROR;
727 for (i=0; i<num_sids; i++) {
728 struct lsa_name_info *name = &name_infos[i];
730 if (name->type == SID_NAME_UNKNOWN) {
733 /* Unknown sids should return the string
734 * representation of the SID. Windows 2003 behaves
735 * rather erratic here, in many cases it returns the
736 * RID as 8 bytes hex, in others it returns the full
737 * SID. We (Jerry/VL) could not figure out which the
738 * hard cases are, so leave it with the SID. */
739 name->name = talloc_asprintf(p->mem_ctx, "%s",
742 if (name->name == NULL) {
743 return NT_STATUS_NO_MEMORY;
749 names[i].sid_type = name->type;
750 names[i].name.string = name->name;
751 names[i].sid_index = name->dom_idx;
752 names[i].unknown = 0;
755 status = NT_STATUS_NONE_MAPPED;
756 if (mapped_count > 0) {
757 status = (mapped_count < num_sids) ?
758 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
761 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
762 num_sids, mapped_count, nt_errstr(status)));
764 *pp_mapped_count = mapped_count;
771 /***************************************************************************
773 ***************************************************************************/
775 NTSTATUS _lsa_LookupSids(pipes_struct *p,
776 struct lsa_LookupSids *r)
779 struct lsa_info *handle;
780 int num_sids = r->in.sids->num_sids;
781 uint32 mapped_count = 0;
782 struct lsa_RefDomainList *domains = NULL;
783 struct lsa_TranslatedName *names_out = NULL;
784 struct lsa_TranslatedName2 *names = NULL;
787 if ((r->in.level < 1) || (r->in.level > 6)) {
788 return NT_STATUS_INVALID_PARAMETER;
791 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
792 return NT_STATUS_INVALID_HANDLE;
795 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
796 return NT_STATUS_INVALID_HANDLE;
799 /* check if the user has enough rights */
800 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
801 return NT_STATUS_ACCESS_DENIED;
804 if (num_sids > MAX_LOOKUP_SIDS) {
805 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
806 MAX_LOOKUP_SIDS, num_sids));
807 return NT_STATUS_NONE_MAPPED;
810 status = _lsa_lookup_sids_internal(p,
819 /* Only return here when there is a real error.
820 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
821 the requested sids could be resolved. Older versions of XP (pre SP3)
822 rely that we return with the string representations of those SIDs in
823 that case. If we don't, XP crashes - Guenther
826 if (NT_STATUS_IS_ERR(status) &&
827 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
831 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
832 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
835 return NT_STATUS_NO_MEMORY;
838 for (i=0; i<num_sids; i++) {
839 names_out[i].sid_type = names[i].sid_type;
840 names_out[i].name = names[i].name;
841 names_out[i].sid_index = names[i].sid_index;
844 *r->out.domains = domains;
845 r->out.names->count = num_sids;
846 r->out.names->names = names_out;
847 *r->out.count = mapped_count;
852 /***************************************************************************
854 ***************************************************************************/
856 NTSTATUS _lsa_LookupSids2(pipes_struct *p,
857 struct lsa_LookupSids2 *r)
860 struct lsa_info *handle;
861 int num_sids = r->in.sids->num_sids;
862 uint32 mapped_count = 0;
863 struct lsa_RefDomainList *domains = NULL;
864 struct lsa_TranslatedName2 *names = NULL;
865 bool check_policy = true;
867 switch (p->hdr_req.opnum) {
868 case NDR_LSA_LOOKUPSIDS3:
869 check_policy = false;
871 case NDR_LSA_LOOKUPSIDS2:
876 if ((r->in.level < 1) || (r->in.level > 6)) {
877 return NT_STATUS_INVALID_PARAMETER;
881 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
882 return NT_STATUS_INVALID_HANDLE;
885 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
886 return NT_STATUS_INVALID_HANDLE;
889 /* check if the user has enough rights */
890 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
891 return NT_STATUS_ACCESS_DENIED;
895 if (num_sids > MAX_LOOKUP_SIDS) {
896 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
897 MAX_LOOKUP_SIDS, num_sids));
898 return NT_STATUS_NONE_MAPPED;
901 status = _lsa_lookup_sids_internal(p,
910 *r->out.domains = domains;
911 r->out.names->count = num_sids;
912 r->out.names->names = names;
913 *r->out.count = mapped_count;
918 /***************************************************************************
920 ***************************************************************************/
922 NTSTATUS _lsa_LookupSids3(pipes_struct *p,
923 struct lsa_LookupSids3 *r)
925 struct lsa_LookupSids2 q;
927 /* No policy handle on this call. Restrict to crypto connections. */
928 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
929 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
930 get_remote_machine_name() ));
931 return NT_STATUS_INVALID_PARAMETER;
935 q.in.sids = r->in.sids;
936 q.in.level = r->in.level;
937 q.in.unknown1 = r->in.unknown1;
938 q.in.unknown2 = r->in.unknown2;
939 q.in.names = r->in.names;
940 q.in.count = r->in.count;
942 q.out.domains = r->out.domains;
943 q.out.names = r->out.names;
944 q.out.count = r->out.count;
946 return _lsa_LookupSids2(p, &q);
949 /***************************************************************************
950 ***************************************************************************/
952 static int lsa_lookup_level_to_flags(uint16 level)
958 flags = LOOKUP_NAME_ALL;
961 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
964 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
970 flags = LOOKUP_NAME_NONE;
977 /***************************************************************************
979 ***************************************************************************/
981 NTSTATUS _lsa_LookupNames(pipes_struct *p,
982 struct lsa_LookupNames *r)
984 NTSTATUS status = NT_STATUS_NONE_MAPPED;
985 struct lsa_info *handle;
986 struct lsa_String *names = r->in.names;
987 uint32 num_entries = r->in.num_names;
988 struct lsa_RefDomainList *domains = NULL;
989 struct lsa_TranslatedSid *rids = NULL;
990 uint32 mapped_count = 0;
993 if (num_entries > MAX_LOOKUP_SIDS) {
994 num_entries = MAX_LOOKUP_SIDS;
995 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
999 flags = lsa_lookup_level_to_flags(r->in.level);
1001 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1003 return NT_STATUS_NO_MEMORY;
1007 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1010 return NT_STATUS_NO_MEMORY;
1016 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1017 status = NT_STATUS_INVALID_HANDLE;
1021 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1022 return NT_STATUS_INVALID_HANDLE;
1025 /* check if the user has enough rights */
1026 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1027 status = NT_STATUS_ACCESS_DENIED;
1031 /* set up the LSA Lookup RIDs response */
1032 become_root(); /* lookup_name can require root privs */
1033 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1034 names, flags, &mapped_count);
1039 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1040 if (mapped_count == 0) {
1041 status = NT_STATUS_NONE_MAPPED;
1042 } else if (mapped_count != num_entries) {
1043 status = STATUS_SOME_UNMAPPED;
1047 *r->out.count = mapped_count;
1048 *r->out.domains = domains;
1049 r->out.sids->sids = rids;
1050 r->out.sids->count = num_entries;
1055 /***************************************************************************
1057 ***************************************************************************/
1059 NTSTATUS _lsa_LookupNames2(pipes_struct *p,
1060 struct lsa_LookupNames2 *r)
1063 struct lsa_LookupNames q;
1064 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1065 struct lsa_TransSidArray *sid_array = NULL;
1068 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1070 return NT_STATUS_NO_MEMORY;
1073 q.in.handle = r->in.handle;
1074 q.in.num_names = r->in.num_names;
1075 q.in.names = r->in.names;
1076 q.in.level = r->in.level;
1077 q.in.sids = sid_array;
1078 q.in.count = r->in.count;
1079 /* we do not know what this is for */
1080 /* = r->in.unknown1; */
1081 /* = r->in.unknown2; */
1083 q.out.domains = r->out.domains;
1084 q.out.sids = sid_array;
1085 q.out.count = r->out.count;
1087 status = _lsa_LookupNames(p, &q);
1089 sid_array2->count = sid_array->count;
1090 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1091 if (!sid_array2->sids) {
1092 return NT_STATUS_NO_MEMORY;
1095 for (i=0; i<sid_array->count; i++) {
1096 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1097 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1098 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1099 sid_array2->sids[i].unknown = 0;
1102 r->out.sids = sid_array2;
1107 /***************************************************************************
1109 ***************************************************************************/
1111 NTSTATUS _lsa_LookupNames3(pipes_struct *p,
1112 struct lsa_LookupNames3 *r)
1115 struct lsa_info *handle;
1116 struct lsa_String *names = r->in.names;
1117 uint32 num_entries = r->in.num_names;
1118 struct lsa_RefDomainList *domains = NULL;
1119 struct lsa_TranslatedSid3 *trans_sids = NULL;
1120 uint32 mapped_count = 0;
1122 bool check_policy = true;
1124 switch (p->hdr_req.opnum) {
1125 case NDR_LSA_LOOKUPNAMES4:
1126 check_policy = false;
1128 case NDR_LSA_LOOKUPNAMES3:
1130 check_policy = true;
1133 if (num_entries > MAX_LOOKUP_SIDS) {
1134 num_entries = MAX_LOOKUP_SIDS;
1135 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1138 /* Probably the lookup_level is some sort of bitmask. */
1139 if (r->in.level == 1) {
1140 flags = LOOKUP_NAME_ALL;
1143 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1145 return NT_STATUS_NO_MEMORY;
1149 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1152 return NT_STATUS_NO_MEMORY;
1160 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1161 status = NT_STATUS_INVALID_HANDLE;
1165 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1166 return NT_STATUS_INVALID_HANDLE;
1169 /* check if the user has enough rights */
1170 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1171 status = NT_STATUS_ACCESS_DENIED;
1176 /* set up the LSA Lookup SIDs response */
1177 become_root(); /* lookup_name can require root privs */
1178 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1179 names, flags, &mapped_count);
1184 if (NT_STATUS_IS_OK(status)) {
1185 if (mapped_count == 0) {
1186 status = NT_STATUS_NONE_MAPPED;
1187 } else if (mapped_count != num_entries) {
1188 status = STATUS_SOME_UNMAPPED;
1192 *r->out.count = mapped_count;
1193 *r->out.domains = domains;
1194 r->out.sids->sids = trans_sids;
1195 r->out.sids->count = num_entries;
1200 /***************************************************************************
1202 ***************************************************************************/
1204 NTSTATUS _lsa_LookupNames4(pipes_struct *p,
1205 struct lsa_LookupNames4 *r)
1207 struct lsa_LookupNames3 q;
1209 /* No policy handle on this call. Restrict to crypto connections. */
1210 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1211 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1212 get_remote_machine_name() ));
1213 return NT_STATUS_INVALID_PARAMETER;
1217 q.in.num_names = r->in.num_names;
1218 q.in.names = r->in.names;
1219 q.in.level = r->in.level;
1220 q.in.lookup_options = r->in.lookup_options;
1221 q.in.client_revision = r->in.client_revision;
1222 q.in.sids = r->in.sids;
1223 q.in.count = r->in.count;
1225 q.out.domains = r->out.domains;
1226 q.out.sids = r->out.sids;
1227 q.out.count = r->out.count;
1229 return _lsa_LookupNames3(p, &q);
1232 /***************************************************************************
1233 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1234 ***************************************************************************/
1236 NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
1238 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1239 return NT_STATUS_INVALID_HANDLE;
1242 close_policy_hnd(p, r->in.handle);
1243 ZERO_STRUCTP(r->out.handle);
1244 return NT_STATUS_OK;
1247 /***************************************************************************
1248 ***************************************************************************/
1250 NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
1252 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1255 /***************************************************************************
1256 ***************************************************************************/
1258 NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
1260 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1263 /***************************************************************************
1264 ***************************************************************************/
1266 NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
1268 return NT_STATUS_ACCESS_DENIED;
1271 /***************************************************************************
1272 ***************************************************************************/
1274 NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
1276 return NT_STATUS_ACCESS_DENIED;
1279 /***************************************************************************
1280 ***************************************************************************/
1282 NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
1284 return NT_STATUS_ACCESS_DENIED;
1287 /***************************************************************************
1289 ***************************************************************************/
1291 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
1292 struct lsa_DeleteObject *r)
1295 struct lsa_info *info = NULL;
1297 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1298 return NT_STATUS_INVALID_HANDLE;
1301 if (!(info->access & STD_RIGHT_DELETE_ACCESS)) {
1302 return NT_STATUS_ACCESS_DENIED;
1305 status = privilege_delete_account(&info->sid);
1306 if (!NT_STATUS_IS_OK(status)) {
1307 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1308 nt_errstr(status)));
1314 /***************************************************************************
1316 ***************************************************************************/
1318 NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
1319 struct lsa_EnumPrivs *r)
1321 struct lsa_info *handle;
1323 uint32 enum_context = *r->in.resume_handle;
1324 int num_privs = count_all_privileges();
1325 struct lsa_PrivEntry *entries = NULL;
1328 /* remember that the enum_context starts at 0 and not 1 */
1330 if ( enum_context >= num_privs )
1331 return NT_STATUS_NO_MORE_ENTRIES;
1333 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1334 enum_context, num_privs));
1336 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1337 return NT_STATUS_INVALID_HANDLE;
1339 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1340 return NT_STATUS_INVALID_HANDLE;
1343 /* check if the user has enough rights
1344 I don't know if it's the right one. not documented. */
1346 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1347 return NT_STATUS_ACCESS_DENIED;
1350 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1352 return NT_STATUS_NO_MEMORY;
1358 for (i = 0; i < num_privs; i++) {
1359 if( i < enum_context) {
1361 init_lsa_StringLarge(&entries[i].name, NULL);
1363 entries[i].luid.low = 0;
1364 entries[i].luid.high = 0;
1367 init_lsa_StringLarge(&entries[i].name, privs[i].name);
1369 luid = get_privilege_luid( &privs[i].se_priv );
1371 entries[i].luid.low = luid.luid.low;
1372 entries[i].luid.high = luid.luid.high;
1376 enum_context = num_privs;
1378 *r->out.resume_handle = enum_context;
1379 r->out.privs->count = num_privs;
1380 r->out.privs->privs = entries;
1382 return NT_STATUS_OK;
1385 /***************************************************************************
1386 _lsa_LookupPrivDisplayName
1387 ***************************************************************************/
1389 NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
1390 struct lsa_LookupPrivDisplayName *r)
1392 struct lsa_info *handle;
1393 const char *description;
1394 struct lsa_StringLarge *lsa_name;
1396 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1397 return NT_STATUS_INVALID_HANDLE;
1399 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1400 return NT_STATUS_INVALID_HANDLE;
1403 /* check if the user has enough rights */
1406 * I don't know if it's the right one. not documented.
1408 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1409 return NT_STATUS_ACCESS_DENIED;
1411 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1413 description = get_privilege_dispname(r->in.name->string);
1415 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1416 return NT_STATUS_NO_SUCH_PRIVILEGE;
1419 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1421 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1423 return NT_STATUS_NO_MEMORY;
1426 init_lsa_StringLarge(lsa_name, description);
1428 *r->out.returned_language_id = r->in.language_id;
1429 *r->out.disp_name = lsa_name;
1431 return NT_STATUS_OK;
1434 /***************************************************************************
1436 ***************************************************************************/
1438 NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
1439 struct lsa_EnumAccounts *r)
1441 struct lsa_info *handle;
1443 int i, j, num_entries;
1445 struct lsa_SidPtr *sids = NULL;
1447 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1448 return NT_STATUS_INVALID_HANDLE;
1450 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1451 return NT_STATUS_INVALID_HANDLE;
1454 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1455 return NT_STATUS_ACCESS_DENIED;
1460 /* The only way we can currently find out all the SIDs that have been
1461 privileged is to scan all privileges */
1463 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1464 if (!NT_STATUS_IS_OK(status)) {
1468 if (*r->in.resume_handle >= num_entries) {
1469 return NT_STATUS_NO_MORE_ENTRIES;
1472 if (num_entries - *r->in.resume_handle) {
1473 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1474 num_entries - *r->in.resume_handle);
1476 talloc_free(sid_list);
1477 return NT_STATUS_NO_MEMORY;
1480 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1481 sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1483 talloc_free(sid_list);
1484 return NT_STATUS_NO_MEMORY;
1489 talloc_free(sid_list);
1491 *r->out.resume_handle = num_entries;
1492 r->out.sids->num_sids = num_entries;
1493 r->out.sids->sids = sids;
1495 return NT_STATUS_OK;
1498 /***************************************************************************
1500 ***************************************************************************/
1502 NTSTATUS _lsa_GetUserName(pipes_struct *p,
1503 struct lsa_GetUserName *r)
1505 const char *username, *domname;
1506 struct lsa_String *account_name = NULL;
1507 struct lsa_String *authority_name = NULL;
1509 if (r->in.account_name &&
1510 *r->in.account_name) {
1511 return NT_STATUS_INVALID_PARAMETER;
1514 if (r->in.authority_name &&
1515 *r->in.authority_name) {
1516 return NT_STATUS_INVALID_PARAMETER;
1519 if (p->server_info->guest) {
1521 * I'm 99% sure this is not the right place to do this,
1522 * global_sid_Anonymous should probably be put into the token
1523 * instead of the guest id -- vl
1525 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1526 &domname, &username, NULL)) {
1527 return NT_STATUS_NO_MEMORY;
1530 username = p->server_info->sanitized_username;
1531 domname = pdb_get_domain(p->server_info->sam_account);
1534 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1535 if (!account_name) {
1536 return NT_STATUS_NO_MEMORY;
1538 init_lsa_String(account_name, username);
1540 if (r->out.authority_name) {
1541 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1542 if (!authority_name) {
1543 return NT_STATUS_NO_MEMORY;
1545 init_lsa_String(authority_name, domname);
1548 *r->out.account_name = account_name;
1549 if (r->out.authority_name) {
1550 *r->out.authority_name = authority_name;
1553 return NT_STATUS_OK;
1556 /***************************************************************************
1558 ***************************************************************************/
1560 NTSTATUS _lsa_CreateAccount(pipes_struct *p,
1561 struct lsa_CreateAccount *r)
1563 struct lsa_info *handle;
1564 struct lsa_info *info;
1566 /* find the connection policy handle. */
1567 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1568 return NT_STATUS_INVALID_HANDLE;
1570 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1571 return NT_STATUS_INVALID_HANDLE;
1574 /* check if the user has enough rights */
1577 * I don't know if it's the right one. not documented.
1578 * but guessed with rpcclient.
1580 if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT))
1581 return NT_STATUS_ACCESS_DENIED;
1583 if ( is_privileged_sid( r->in.sid ) )
1584 return NT_STATUS_OBJECT_NAME_COLLISION;
1586 /* associate the user/group SID with the (unique) handle. */
1588 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1590 return NT_STATUS_NO_MEMORY;
1593 info->sid = *r->in.sid;
1594 info->access = r->in.access_mask;
1595 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1597 /* get a (unique) handle. open a policy on it. */
1598 if (!create_policy_hnd(p, r->out.acct_handle, info))
1599 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1601 return privilege_create_account( &info->sid );
1604 /***************************************************************************
1606 ***************************************************************************/
1608 NTSTATUS _lsa_OpenAccount(pipes_struct *p,
1609 struct lsa_OpenAccount *r)
1611 struct lsa_info *handle;
1612 struct lsa_info *info;
1613 SEC_DESC *psd = NULL;
1615 uint32_t des_access = r->in.access_mask;
1616 uint32_t acc_granted;
1619 /* find the connection policy handle. */
1620 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1621 return NT_STATUS_INVALID_HANDLE;
1623 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1624 return NT_STATUS_INVALID_HANDLE;
1627 /* des_access is for the account here, not the policy
1628 * handle - so don't check against policy handle. */
1630 /* Work out max allowed. */
1631 map_max_allowed_access(p->server_info->ptok, &des_access);
1633 /* map the generic bits to the lsa account ones */
1634 se_map_generic(&des_access, &lsa_account_mapping);
1636 /* get the generic lsa account SD until we store it */
1637 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1638 &lsa_account_mapping,
1639 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1640 if (!NT_STATUS_IS_OK(status)) {
1644 status = access_check_object(psd, p->server_info->ptok,
1645 NULL, 0, des_access,
1646 &acc_granted, "_lsa_OpenAccount" );
1648 if (!NT_STATUS_IS_OK(status)) {
1652 /* TODO: Fis the parsing routine before reenabling this check! */
1654 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1655 return NT_STATUS_ACCESS_DENIED;
1657 /* associate the user/group SID with the (unique) handle. */
1658 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1660 return NT_STATUS_NO_MEMORY;
1663 info->sid = *r->in.sid;
1664 info->access = acc_granted;
1665 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1667 /* get a (unique) handle. open a policy on it. */
1668 if (!create_policy_hnd(p, r->out.acct_handle, info))
1669 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1671 return NT_STATUS_OK;
1674 /***************************************************************************
1675 _lsa_EnumPrivsAccount
1676 For a given SID, enumerate all the privilege this account has.
1677 ***************************************************************************/
1679 NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
1680 struct lsa_EnumPrivsAccount *r)
1682 NTSTATUS status = NT_STATUS_OK;
1683 struct lsa_info *info=NULL;
1685 PRIVILEGE_SET privileges;
1686 struct lsa_PrivilegeSet *priv_set = NULL;
1687 struct lsa_LUIDAttribute *luid_attrs = NULL;
1690 /* find the connection policy handle. */
1691 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1692 return NT_STATUS_INVALID_HANDLE;
1694 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1695 return NT_STATUS_INVALID_HANDLE;
1698 if (!(info->access & LSA_ACCOUNT_VIEW))
1699 return NT_STATUS_ACCESS_DENIED;
1701 get_privileges_for_sids(&mask, &info->sid, 1);
1703 privilege_set_init( &privileges );
1705 priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1707 status = NT_STATUS_NO_MEMORY;
1711 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1713 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1714 sid_string_dbg(&info->sid),
1717 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1718 struct lsa_LUIDAttribute,
1721 status = NT_STATUS_NO_MEMORY;
1725 for (i=0; i<privileges.count; i++) {
1726 luid_attrs[i].luid.low = privileges.set[i].luid.low;
1727 luid_attrs[i].luid.high = privileges.set[i].luid.high;
1728 luid_attrs[i].attribute = privileges.set[i].attr;
1731 priv_set->count = privileges.count;
1732 priv_set->unknown = 0;
1733 priv_set->set = luid_attrs;
1736 priv_set->count = 0;
1737 priv_set->unknown = 0;
1738 priv_set->set = NULL;
1741 *r->out.privs = priv_set;
1744 privilege_set_free( &privileges );
1749 /***************************************************************************
1750 _lsa_GetSystemAccessAccount
1751 ***************************************************************************/
1753 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
1754 struct lsa_GetSystemAccessAccount *r)
1757 struct lsa_info *info = NULL;
1758 struct lsa_EnumPrivsAccount e;
1759 struct lsa_PrivilegeSet *privset;
1761 /* find the connection policy handle. */
1763 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1764 return NT_STATUS_INVALID_HANDLE;
1766 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1767 return NT_STATUS_INVALID_HANDLE;
1770 if (!(info->access & LSA_ACCOUNT_VIEW))
1771 return NT_STATUS_ACCESS_DENIED;
1773 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1775 return NT_STATUS_NO_MEMORY;
1778 e.in.handle = r->in.handle;
1779 e.out.privs = &privset;
1781 status = _lsa_EnumPrivsAccount(p, &e);
1782 if (!NT_STATUS_IS_OK(status)) {
1783 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1784 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1785 nt_errstr(status)));
1789 /* Samba4 would iterate over the privset to merge the policy mode bits,
1790 * not sure samba3 can do the same here, so just return what we did in
1794 0x01 -> Log on locally
1795 0x02 -> Access this computer from network
1796 0x04 -> Log on as a batch job
1797 0x10 -> Log on as a service
1799 they can be ORed together
1802 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1803 LSA_POLICY_MODE_NETWORK;
1805 return NT_STATUS_OK;
1808 /***************************************************************************
1809 update the systemaccount information
1810 ***************************************************************************/
1812 NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
1813 struct lsa_SetSystemAccessAccount *r)
1815 struct lsa_info *info=NULL;
1818 /* find the connection policy handle. */
1819 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1820 return NT_STATUS_INVALID_HANDLE;
1822 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1823 return NT_STATUS_INVALID_HANDLE;
1826 if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1827 return NT_STATUS_ACCESS_DENIED;
1830 if (!pdb_getgrsid(&map, info->sid))
1831 return NT_STATUS_NO_SUCH_GROUP;
1833 return pdb_update_group_mapping_entry(&map);
1836 /***************************************************************************
1837 _lsa_AddPrivilegesToAccount
1838 For a given SID, add some privileges.
1839 ***************************************************************************/
1841 NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
1842 struct lsa_AddPrivilegesToAccount *r)
1844 struct lsa_info *info = NULL;
1846 struct lsa_PrivilegeSet *set = NULL;
1848 /* find the connection policy handle. */
1849 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1850 return NT_STATUS_INVALID_HANDLE;
1852 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1853 return NT_STATUS_INVALID_HANDLE;
1856 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1857 return NT_STATUS_ACCESS_DENIED;
1861 if ( !privilege_set_to_se_priv( &mask, set ) )
1862 return NT_STATUS_NO_SUCH_PRIVILEGE;
1864 if ( !grant_privilege( &info->sid, &mask ) ) {
1865 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1866 sid_string_dbg(&info->sid) ));
1867 DEBUG(3,("Privilege mask:\n"));
1868 dump_se_priv( DBGC_ALL, 3, &mask );
1869 return NT_STATUS_NO_SUCH_PRIVILEGE;
1872 return NT_STATUS_OK;
1875 /***************************************************************************
1876 _lsa_RemovePrivilegesFromAccount
1877 For a given SID, remove some privileges.
1878 ***************************************************************************/
1880 NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
1881 struct lsa_RemovePrivilegesFromAccount *r)
1883 struct lsa_info *info = NULL;
1885 struct lsa_PrivilegeSet *set = NULL;
1887 /* find the connection policy handle. */
1888 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1889 return NT_STATUS_INVALID_HANDLE;
1891 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1892 return NT_STATUS_INVALID_HANDLE;
1895 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1896 return NT_STATUS_ACCESS_DENIED;
1901 if ( !privilege_set_to_se_priv( &mask, set ) )
1902 return NT_STATUS_NO_SUCH_PRIVILEGE;
1904 if ( !revoke_privilege( &info->sid, &mask ) ) {
1905 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
1906 sid_string_dbg(&info->sid) ));
1907 DEBUG(3,("Privilege mask:\n"));
1908 dump_se_priv( DBGC_ALL, 3, &mask );
1909 return NT_STATUS_NO_SUCH_PRIVILEGE;
1912 return NT_STATUS_OK;
1915 /***************************************************************************
1917 ***************************************************************************/
1919 NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
1920 struct lsa_QuerySecurity *r)
1922 struct lsa_info *handle=NULL;
1923 SEC_DESC *psd = NULL;
1927 /* find the connection policy handle. */
1928 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1929 return NT_STATUS_INVALID_HANDLE;
1931 if (handle->type == LSA_HANDLE_POLICY_TYPE) {
1932 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1933 &lsa_policy_mapping, NULL, 0);
1934 } else if (handle->type == LSA_HANDLE_ACCOUNT_TYPE) {
1935 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1936 &lsa_account_mapping,
1937 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
1939 status = NT_STATUS_INVALID_HANDLE;
1942 if (!NT_STATUS_IS_OK(status)) {
1946 switch (r->in.sec_info) {
1948 /* SD contains only the owner */
1949 if((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
1950 return NT_STATUS_NO_MEMORY;
1953 /* SD contains only the ACL */
1954 if((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
1955 return NT_STATUS_NO_MEMORY;
1958 return NT_STATUS_INVALID_LEVEL;
1964 /***************************************************************************
1965 _lsa_AddAccountRights
1966 ***************************************************************************/
1968 NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
1969 struct lsa_AddAccountRights *r)
1971 struct lsa_info *info = NULL;
1973 uint32_t acc_granted = 0;
1974 SEC_DESC *psd = NULL;
1979 /* find the connection policy handle. */
1980 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1981 return NT_STATUS_INVALID_HANDLE;
1983 if (info->type != LSA_HANDLE_POLICY_TYPE) {
1984 return NT_STATUS_INVALID_HANDLE;
1987 /* get the generic lsa account SD for this SID until we store it */
1988 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1989 &lsa_account_mapping,
1990 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1991 if (!NT_STATUS_IS_OK(status)) {
1996 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
1997 * on the policy handle. If it does, ask for
1998 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
1999 * on the account sid. We don't check here so just use the latter. JRA.
2002 status = access_check_object(psd, p->server_info->ptok,
2003 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2004 &acc_granted, "_lsa_AddAccountRights" );
2006 if (!NT_STATUS_IS_OK(status)) {
2010 /* according to an NT4 PDC, you can add privileges to SIDs even without
2011 call_lsa_create_account() first. And you can use any arbitrary SID. */
2013 sid_copy( &sid, r->in.sid );
2015 for ( i=0; i < r->in.rights->count; i++ ) {
2017 const char *privname = r->in.rights->names[i].string;
2019 /* only try to add non-null strings */
2024 if ( !grant_privilege_by_name( &sid, privname ) ) {
2025 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2027 return NT_STATUS_NO_SUCH_PRIVILEGE;
2031 return NT_STATUS_OK;
2034 /***************************************************************************
2035 _lsa_RemoveAccountRights
2036 ***************************************************************************/
2038 NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
2039 struct lsa_RemoveAccountRights *r)
2041 struct lsa_info *info = NULL;
2043 SEC_DESC *psd = NULL;
2046 const char *privname = NULL;
2047 uint32_t acc_granted = 0;
2050 /* find the connection policy handle. */
2051 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2052 return NT_STATUS_INVALID_HANDLE;
2054 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2055 return NT_STATUS_INVALID_HANDLE;
2058 /* get the generic lsa account SD for this SID until we store it */
2059 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2060 &lsa_account_mapping,
2061 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2062 if (!NT_STATUS_IS_OK(status)) {
2067 * From the MS DOCs. We need
2068 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2069 * and DELETE on the account sid.
2072 status = access_check_object(psd, p->server_info->ptok,
2073 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2074 LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
2075 &acc_granted, "_lsa_AddAccountRights" );
2077 if (!NT_STATUS_IS_OK(status)) {
2081 sid_copy( &sid, r->in.sid );
2083 if ( r->in.remove_all ) {
2084 if ( !revoke_all_privileges( &sid ) )
2085 return NT_STATUS_ACCESS_DENIED;
2087 return NT_STATUS_OK;
2090 for ( i=0; i < r->in.rights->count; i++ ) {
2092 privname = r->in.rights->names[i].string;
2094 /* only try to add non-null strings */
2099 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2100 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2102 return NT_STATUS_NO_SUCH_PRIVILEGE;
2106 return NT_STATUS_OK;
2109 /*******************************************************************
2110 ********************************************************************/
2112 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2113 struct lsa_RightSet *r,
2114 PRIVILEGE_SET *privileges)
2117 const char *privname;
2118 const char **privname_array = NULL;
2121 for (i=0; i<privileges->count; i++) {
2123 privname = luid_to_privilege_name(&privileges->set[i].luid);
2125 if (!add_string_to_array(mem_ctx, privname,
2126 &privname_array, &num_priv)) {
2127 return NT_STATUS_NO_MEMORY;
2134 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2137 return NT_STATUS_NO_MEMORY;
2140 for (i=0; i<num_priv; i++) {
2141 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2144 r->count = num_priv;
2147 return NT_STATUS_OK;
2150 /***************************************************************************
2151 _lsa_EnumAccountRights
2152 ***************************************************************************/
2154 NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
2155 struct lsa_EnumAccountRights *r)
2158 struct lsa_info *info = NULL;
2160 PRIVILEGE_SET privileges;
2163 /* find the connection policy handle. */
2165 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2166 return NT_STATUS_INVALID_HANDLE;
2168 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2169 return NT_STATUS_INVALID_HANDLE;
2172 if (!(info->access & LSA_ACCOUNT_VIEW)) {
2173 return NT_STATUS_ACCESS_DENIED;
2176 /* according to an NT4 PDC, you can add privileges to SIDs even without
2177 call_lsa_create_account() first. And you can use any arbitrary SID. */
2179 sid_copy( &sid, r->in.sid );
2181 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2182 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2183 * the lsa database */
2185 if (!get_privileges_for_sids(&mask, &sid, 1)) {
2186 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2189 status = privilege_set_init(&privileges);
2190 if (!NT_STATUS_IS_OK(status)) {
2194 se_priv_to_privilege_set(&privileges, &mask);
2196 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2197 sid_string_dbg(&sid), privileges.count));
2199 status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2201 privilege_set_free( &privileges );
2206 /***************************************************************************
2207 _lsa_LookupPrivValue
2208 ***************************************************************************/
2210 NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
2211 struct lsa_LookupPrivValue *r)
2213 struct lsa_info *info = NULL;
2214 const char *name = NULL;
2215 LUID_ATTR priv_luid;
2218 /* find the connection policy handle. */
2220 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2221 return NT_STATUS_INVALID_HANDLE;
2223 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2224 return NT_STATUS_INVALID_HANDLE;
2227 if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2228 return NT_STATUS_ACCESS_DENIED;
2230 name = r->in.name->string;
2232 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2234 if ( !se_priv_from_name( name, &mask ) )
2235 return NT_STATUS_NO_SUCH_PRIVILEGE;
2237 priv_luid = get_privilege_luid( &mask );
2239 r->out.luid->low = priv_luid.luid.low;
2240 r->out.luid->high = priv_luid.luid.high;
2242 return NT_STATUS_OK;
2246 * From here on the server routines are just dummy ones to make smbd link with
2247 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2248 * pulling the server stubs across one by one.
2251 NTSTATUS _lsa_Delete(pipes_struct *p, struct lsa_Delete *r)
2253 p->rng_fault_state = True;
2254 return NT_STATUS_NOT_IMPLEMENTED;
2257 NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
2259 p->rng_fault_state = True;
2260 return NT_STATUS_NOT_IMPLEMENTED;
2263 NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
2265 p->rng_fault_state = True;
2266 return NT_STATUS_NOT_IMPLEMENTED;
2269 NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
2271 p->rng_fault_state = True;
2272 return NT_STATUS_NOT_IMPLEMENTED;
2275 NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
2277 p->rng_fault_state = True;
2278 return NT_STATUS_NOT_IMPLEMENTED;
2281 NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
2283 p->rng_fault_state = True;
2284 return NT_STATUS_NOT_IMPLEMENTED;
2287 NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
2289 p->rng_fault_state = True;
2290 return NT_STATUS_NOT_IMPLEMENTED;
2293 NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
2295 p->rng_fault_state = True;
2296 return NT_STATUS_NOT_IMPLEMENTED;
2299 NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
2301 p->rng_fault_state = True;
2302 return NT_STATUS_NOT_IMPLEMENTED;
2305 NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
2307 p->rng_fault_state = True;
2308 return NT_STATUS_NOT_IMPLEMENTED;
2311 NTSTATUS _lsa_LookupPrivName(pipes_struct *p, struct lsa_LookupPrivName *r)
2313 p->rng_fault_state = True;
2314 return NT_STATUS_NOT_IMPLEMENTED;
2317 NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p, struct lsa_EnumAccountsWithUserRight *r)
2319 p->rng_fault_state = True;
2320 return NT_STATUS_NOT_IMPLEMENTED;
2323 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
2325 p->rng_fault_state = True;
2326 return NT_STATUS_NOT_IMPLEMENTED;
2329 NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
2331 p->rng_fault_state = True;
2332 return NT_STATUS_NOT_IMPLEMENTED;
2335 NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
2337 p->rng_fault_state = True;
2338 return NT_STATUS_NOT_IMPLEMENTED;
2341 NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
2343 p->rng_fault_state = True;
2344 return NT_STATUS_NOT_IMPLEMENTED;
2347 NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
2349 p->rng_fault_state = True;
2350 return NT_STATUS_NOT_IMPLEMENTED;
2353 NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p,
2354 struct lsa_QueryInfoPolicy2 *r2)
2356 struct lsa_QueryInfoPolicy r;
2358 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
2359 p->rng_fault_state = True;
2360 return NT_STATUS_NOT_IMPLEMENTED;
2364 r.in.handle = r2->in.handle;
2365 r.in.level = r2->in.level;
2366 r.out.info = r2->out.info;
2368 return _lsa_QueryInfoPolicy(p, &r);
2371 NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
2373 p->rng_fault_state = True;
2374 return NT_STATUS_NOT_IMPLEMENTED;
2377 NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
2379 p->rng_fault_state = True;
2380 return NT_STATUS_NOT_IMPLEMENTED;
2383 NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
2385 p->rng_fault_state = True;
2386 return NT_STATUS_NOT_IMPLEMENTED;
2389 NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
2391 p->rng_fault_state = True;
2392 return NT_STATUS_NOT_IMPLEMENTED;
2395 NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
2397 p->rng_fault_state = True;
2398 return NT_STATUS_NOT_IMPLEMENTED;
2401 NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
2403 p->rng_fault_state = True;
2404 return NT_STATUS_NOT_IMPLEMENTED;
2407 NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
2409 p->rng_fault_state = True;
2410 return NT_STATUS_NOT_IMPLEMENTED;
2413 NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
2415 p->rng_fault_state = True;
2416 return NT_STATUS_NOT_IMPLEMENTED;
2419 NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
2421 p->rng_fault_state = True;
2422 return NT_STATUS_NOT_IMPLEMENTED;
2425 NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
2427 p->rng_fault_state = True;
2428 return NT_STATUS_NOT_IMPLEMENTED;
2431 NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
2433 p->rng_fault_state = True;
2434 return NT_STATUS_NOT_IMPLEMENTED;
2437 NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
2439 p->rng_fault_state = True;
2440 return NT_STATUS_NOT_IMPLEMENTED;
2443 NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
2445 p->rng_fault_state = True;
2446 return NT_STATUS_NOT_IMPLEMENTED;
2449 NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2451 p->rng_fault_state = True;
2452 return NT_STATUS_NOT_IMPLEMENTED;
2455 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2457 p->rng_fault_state = True;
2458 return NT_STATUS_NOT_IMPLEMENTED;
2461 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2463 p->rng_fault_state = True;
2464 return NT_STATUS_NOT_IMPLEMENTED;
2467 NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
2469 p->rng_fault_state = True;
2470 return NT_STATUS_NOT_IMPLEMENTED;
2473 NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
2475 p->rng_fault_state = True;
2476 return NT_STATUS_NOT_IMPLEMENTED;
2479 NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
2481 p->rng_fault_state = True;
2482 return NT_STATUS_NOT_IMPLEMENTED;
2485 NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
2487 p->rng_fault_state = True;
2488 return NT_STATUS_NOT_IMPLEMENTED;
2491 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
2493 p->rng_fault_state = True;
2494 return NT_STATUS_NOT_IMPLEMENTED;
2497 NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
2499 p->rng_fault_state = True;
2500 return NT_STATUS_NOT_IMPLEMENTED;
2503 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
2505 p->rng_fault_state = True;
2506 return NT_STATUS_NOT_IMPLEMENTED;
2509 NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
2511 p->rng_fault_state = True;
2512 return NT_STATUS_NOT_IMPLEMENTED;
2515 NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2517 p->rng_fault_state = True;
2518 return NT_STATUS_NOT_IMPLEMENTED;
2521 NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
2523 p->rng_fault_state = True;
2524 return NT_STATUS_NOT_IMPLEMENTED;
2527 NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
2529 p->rng_fault_state = True;
2530 return NT_STATUS_NOT_IMPLEMENTED;
2533 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2535 p->rng_fault_state = True;
2536 return NT_STATUS_NOT_IMPLEMENTED;
2539 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2541 p->rng_fault_state = True;
2542 return NT_STATUS_NOT_IMPLEMENTED;
2545 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
2547 p->rng_fault_state = True;
2548 return NT_STATUS_NOT_IMPLEMENTED;