2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
29 /* This is the implementation of the lsa server code. */
34 #define DBGC_CLASS DBGC_RPC_SRV
36 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
40 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
45 enum lsa_handle_type type;
48 const struct generic_mapping lsa_account_mapping = {
52 LSA_ACCOUNT_ALL_ACCESS
55 const struct generic_mapping lsa_policy_mapping = {
62 /***************************************************************************
63 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
64 ***************************************************************************/
66 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
67 struct lsa_RefDomainList *ref,
73 if (dom_name != NULL) {
74 for (num = 0; num < ref->count; num++) {
75 if (sid_equal(dom_sid, ref->domains[num].sid)) {
83 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
84 /* index not found, already at maximum domain limit */
89 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
91 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
92 struct lsa_DomainInfo, ref->count);
97 ZERO_STRUCT(ref->domains[num]);
99 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
100 ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
101 if (!ref->domains[num].sid) {
109 /***************************************************************************
110 initialize a lsa_DomainInfo structure.
111 ***************************************************************************/
113 static void init_dom_query_3(struct lsa_DomainInfo *r,
117 init_lsa_StringLarge(&r->name, name);
121 /***************************************************************************
122 initialize a lsa_DomainInfo structure.
123 ***************************************************************************/
125 static void init_dom_query_5(struct lsa_DomainInfo *r,
129 init_lsa_StringLarge(&r->name, name);
133 /***************************************************************************
134 lookup_lsa_rids. Must be called as root for lookup_name to work.
135 ***************************************************************************/
137 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
138 struct lsa_RefDomainList *ref,
139 struct lsa_TranslatedSid *prid,
140 uint32_t num_entries,
141 struct lsa_String *name,
143 uint32_t *pmapped_count)
145 uint32 mapped_count, i;
147 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
152 for (i = 0; i < num_entries; i++) {
156 const char *full_name;
158 enum lsa_SidType type = SID_NAME_UNKNOWN;
160 /* Split name into domain and user component */
162 full_name = name[i].string;
163 if (full_name == NULL) {
164 return NT_STATUS_NO_MEMORY;
167 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
169 /* We can ignore the result of lookup_name, it will not touch
170 "type" if it's not successful */
172 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
177 case SID_NAME_DOM_GRP:
178 case SID_NAME_DOMAIN:
180 case SID_NAME_WKN_GRP:
181 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
182 /* Leave these unchanged */
185 /* Don't hand out anything but the list above */
186 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
187 type = SID_NAME_UNKNOWN;
194 if (type != SID_NAME_UNKNOWN) {
195 sid_split_rid(&sid, &rid);
196 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
200 prid[i].sid_type = type;
202 prid[i].sid_index = dom_idx;
205 *pmapped_count = mapped_count;
209 /***************************************************************************
210 lookup_lsa_sids. Must be called as root for lookup_name to work.
211 ***************************************************************************/
213 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
214 struct lsa_RefDomainList *ref,
215 struct lsa_TranslatedSid3 *trans_sids,
216 uint32_t num_entries,
217 struct lsa_String *name,
219 uint32 *pmapped_count)
221 uint32 mapped_count, i;
223 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
228 for (i = 0; i < num_entries; i++) {
232 const char *full_name;
234 enum lsa_SidType type = SID_NAME_UNKNOWN;
238 /* Split name into domain and user component */
240 full_name = name[i].string;
241 if (full_name == NULL) {
242 return NT_STATUS_NO_MEMORY;
245 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
247 /* We can ignore the result of lookup_name, it will not touch
248 "type" if it's not successful */
250 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
255 case SID_NAME_DOM_GRP:
256 case SID_NAME_DOMAIN:
258 case SID_NAME_WKN_GRP:
259 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
260 /* Leave these unchanged */
263 /* Don't hand out anything but the list above */
264 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
265 type = SID_NAME_UNKNOWN;
272 if (type != SID_NAME_UNKNOWN) {
274 sid_copy(&domain_sid, &sid);
275 sid_split_rid(&domain_sid, &rid);
276 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
280 /* Initialize the lsa_TranslatedSid3 return. */
281 trans_sids[i].sid_type = type;
282 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
283 trans_sids[i].sid_index = dom_idx;
286 *pmapped_count = mapped_count;
290 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size,
291 const struct generic_mapping *map,
292 DOM_SID *sid, uint32_t sid_access)
300 /* READ|EXECUTE access for Everyone */
302 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
303 map->generic_execute | map->generic_read, 0);
305 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
307 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
308 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
309 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
310 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
312 /* Add Full Access for Domain Admins */
313 sid_copy(&adm_sid, get_global_sam_sid());
314 sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
315 init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
316 map->generic_all, 0);
318 /* If we have a sid, give it some special access */
321 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
325 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
326 return NT_STATUS_NO_MEMORY;
328 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
329 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
330 psa, sd_size)) == NULL)
331 return NT_STATUS_NO_MEMORY;
337 /***************************************************************************
339 ***************************************************************************/
341 NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
342 struct lsa_OpenPolicy2 *r)
344 struct lsa_info *info;
345 SEC_DESC *psd = NULL;
347 uint32 des_access = r->in.access_mask;
351 /* Work out max allowed. */
352 map_max_allowed_access(p->server_info->ptok,
353 &p->server_info->utok,
356 /* map the generic bits to the lsa policy ones */
357 se_map_generic(&des_access, &lsa_policy_mapping);
359 /* get the generic lsa policy SD until we store it */
360 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
362 if (!NT_STATUS_IS_OK(status)) {
366 status = access_check_object(psd, p->server_info->ptok,
368 &acc_granted, "_lsa_OpenPolicy2" );
370 if (!NT_STATUS_IS_OK(status)) {
374 /* associate the domain SID with the (unique) handle. */
375 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
377 return NT_STATUS_NO_MEMORY;
380 sid_copy(&info->sid,get_global_sam_sid());
381 info->access = acc_granted;
382 info->type = LSA_HANDLE_POLICY_TYPE;
384 /* set up the LSA QUERY INFO response */
385 if (!create_policy_hnd(p, r->out.handle, info))
386 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
391 /***************************************************************************
393 ***************************************************************************/
395 NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
396 struct lsa_OpenPolicy *r)
398 struct lsa_OpenPolicy2 o;
400 o.in.system_name = NULL; /* should be ignored */
401 o.in.attr = r->in.attr;
402 o.in.access_mask = r->in.access_mask;
404 o.out.handle = r->out.handle;
406 return _lsa_OpenPolicy2(p, &o);
409 /***************************************************************************
410 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
412 ***************************************************************************/
414 NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
415 struct lsa_EnumTrustDom *r)
417 struct lsa_info *info;
419 struct trustdom_info **domains;
420 struct lsa_DomainInfo *lsa_domains = NULL;
424 * preferred length is set to 5 as a "our" preferred length
425 * nt sets this parameter to 2
426 * update (20.08.2002): it's not preferred length, but preferred size!
427 * it needs further investigation how to optimally choose this value
429 uint32 max_num_domains =
430 r->in.max_size < 5 ? r->in.max_size : 10;
435 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
436 return NT_STATUS_INVALID_HANDLE;
438 if (info->type != LSA_HANDLE_POLICY_TYPE) {
439 return NT_STATUS_INVALID_HANDLE;
442 /* check if the user has enough rights */
443 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
444 return NT_STATUS_ACCESS_DENIED;
447 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
450 if (!NT_STATUS_IS_OK(nt_status)) {
454 if (*r->in.resume_handle < num_domains) {
455 num_thistime = MIN(num_domains, max_num_domains);
457 nt_status = STATUS_MORE_ENTRIES;
459 if (*r->in.resume_handle + num_thistime > num_domains) {
460 num_thistime = num_domains - *r->in.resume_handle;
461 nt_status = NT_STATUS_OK;
464 next_idx = *r->in.resume_handle + num_thistime;
467 next_idx = 0xffffffff;
468 nt_status = NT_STATUS_NO_MORE_ENTRIES;
471 /* set up the lsa_enum_trust_dom response */
473 lsa_domains = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo,
476 return NT_STATUS_NO_MEMORY;
479 for (i=0; i<num_thistime; i++) {
480 init_lsa_StringLarge(&lsa_domains[i].name, domains[i]->name);
481 lsa_domains[i].sid = &domains[i]->sid;
484 *r->out.resume_handle = next_idx;
485 r->out.domains->count = num_thistime;
486 r->out.domains->domains = lsa_domains;
491 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
492 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
493 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
495 /***************************************************************************
497 ***************************************************************************/
499 NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
500 struct lsa_QueryInfoPolicy *r)
502 NTSTATUS status = NT_STATUS_OK;
503 struct lsa_info *handle;
507 union lsa_PolicyInformation *info = NULL;
509 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
510 return NT_STATUS_INVALID_HANDLE;
512 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
513 return NT_STATUS_INVALID_HANDLE;
516 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
518 return NT_STATUS_NO_MEMORY;
521 switch (r->in.level) {
522 case LSA_POLICY_INFO_AUDIT_EVENTS:
525 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
527 /* check if the user has enough rights */
528 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
529 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
530 return NT_STATUS_ACCESS_DENIED;
533 /* fake info: We audit everything. ;) */
535 info->audit_events.auditing_mode = true;
536 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
537 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
538 enum lsa_PolicyAuditPolicy,
539 info->audit_events.count);
540 if (!info->audit_events.settings) {
541 return NT_STATUS_NO_MEMORY;
544 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
545 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
546 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
547 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
548 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
549 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
550 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
554 case LSA_POLICY_INFO_DOMAIN:
555 /* check if the user has enough rights */
556 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
557 return NT_STATUS_ACCESS_DENIED;
559 /* Request PolicyPrimaryDomainInformation. */
560 switch (lp_server_role()) {
561 case ROLE_DOMAIN_PDC:
562 case ROLE_DOMAIN_BDC:
563 name = get_global_sam_name();
564 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
566 return NT_STATUS_NO_MEMORY;
569 case ROLE_DOMAIN_MEMBER:
570 name = lp_workgroup();
571 /* We need to return the Domain SID here. */
572 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
573 sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
575 return NT_STATUS_NO_MEMORY;
578 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
581 case ROLE_STANDALONE:
582 name = lp_workgroup();
586 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
588 init_dom_query_3(&info->domain, name, sid);
590 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
591 /* check if the user has enough rights */
592 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
593 return NT_STATUS_ACCESS_DENIED;
595 /* Request PolicyAccountDomainInformation. */
596 name = get_global_sam_name();
597 sid = get_global_sam_sid();
599 init_dom_query_5(&info->account_domain, name, sid);
601 case LSA_POLICY_INFO_ROLE:
602 /* check if the user has enough rights */
603 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
604 return NT_STATUS_ACCESS_DENIED;
606 switch (lp_server_role()) {
607 case ROLE_DOMAIN_BDC:
609 * only a BDC is a backup controller
610 * of the domain, it controls.
612 info->role.role = LSA_ROLE_BACKUP;
616 * any other role is a primary
617 * of the domain, it controls.
619 info->role.role = LSA_ROLE_PRIMARY;
623 case LSA_POLICY_INFO_DNS: {
624 struct pdb_domain_info *dominfo;
626 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
627 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
628 "without ADS passdb backend\n"));
629 status = NT_STATUS_INVALID_INFO_CLASS;
633 dominfo = pdb_get_domain_info(info);
634 if (dominfo == NULL) {
635 status = NT_STATUS_NO_MEMORY;
639 init_lsa_StringLarge(&info->dns.name,
641 init_lsa_StringLarge(&info->dns.dns_domain,
642 dominfo->dns_domain);
643 init_lsa_StringLarge(&info->dns.dns_forest,
644 dominfo->dns_forest);
645 info->dns.domain_guid = dominfo->guid;
646 info->dns.sid = &dominfo->sid;
650 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
652 status = NT_STATUS_INVALID_INFO_CLASS;
661 /***************************************************************************
662 _lsa_lookup_sids_internal
663 ***************************************************************************/
665 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
667 uint16_t level, /* input */
668 int num_sids, /* input */
669 struct lsa_SidPtr *sid, /* input */
670 struct lsa_RefDomainList **pp_ref, /* input/output */
671 struct lsa_TranslatedName2 **pp_names,/* input/output */
672 uint32_t *pp_mapped_count) /* input/output */
676 const DOM_SID **sids = NULL;
677 struct lsa_RefDomainList *ref = NULL;
678 uint32 mapped_count = 0;
679 struct lsa_dom_info *dom_infos = NULL;
680 struct lsa_name_info *name_infos = NULL;
681 struct lsa_TranslatedName2 *names = NULL;
683 *pp_mapped_count = 0;
691 sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
692 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
694 if (sids == NULL || ref == NULL) {
695 return NT_STATUS_NO_MEMORY;
698 for (i=0; i<num_sids; i++) {
699 sids[i] = sid[i].sid;
702 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
703 &dom_infos, &name_infos);
705 if (!NT_STATUS_IS_OK(status)) {
709 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
711 return NT_STATUS_NO_MEMORY;
714 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
716 if (!dom_infos[i].valid) {
720 if (init_lsa_ref_domain_list(mem_ctx, ref,
722 &dom_infos[i].sid) != i) {
723 DEBUG(0, ("Domain %s mentioned twice??\n",
725 return NT_STATUS_INTERNAL_ERROR;
729 for (i=0; i<num_sids; i++) {
730 struct lsa_name_info *name = &name_infos[i];
732 if (name->type == SID_NAME_UNKNOWN) {
735 /* Unknown sids should return the string
736 * representation of the SID. Windows 2003 behaves
737 * rather erratic here, in many cases it returns the
738 * RID as 8 bytes hex, in others it returns the full
739 * SID. We (Jerry/VL) could not figure out which the
740 * hard cases are, so leave it with the SID. */
741 name->name = talloc_asprintf(p->mem_ctx, "%s",
744 if (name->name == NULL) {
745 return NT_STATUS_NO_MEMORY;
751 names[i].sid_type = name->type;
752 names[i].name.string = name->name;
753 names[i].sid_index = name->dom_idx;
754 names[i].unknown = 0;
757 status = NT_STATUS_NONE_MAPPED;
758 if (mapped_count > 0) {
759 status = (mapped_count < num_sids) ?
760 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
763 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
764 num_sids, mapped_count, nt_errstr(status)));
766 *pp_mapped_count = mapped_count;
773 /***************************************************************************
775 ***************************************************************************/
777 NTSTATUS _lsa_LookupSids(pipes_struct *p,
778 struct lsa_LookupSids *r)
781 struct lsa_info *handle;
782 int num_sids = r->in.sids->num_sids;
783 uint32 mapped_count = 0;
784 struct lsa_RefDomainList *domains = NULL;
785 struct lsa_TranslatedName *names_out = NULL;
786 struct lsa_TranslatedName2 *names = NULL;
789 if ((r->in.level < 1) || (r->in.level > 6)) {
790 return NT_STATUS_INVALID_PARAMETER;
793 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
794 return NT_STATUS_INVALID_HANDLE;
797 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
798 return NT_STATUS_INVALID_HANDLE;
801 /* check if the user has enough rights */
802 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
803 return NT_STATUS_ACCESS_DENIED;
806 if (num_sids > MAX_LOOKUP_SIDS) {
807 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
808 MAX_LOOKUP_SIDS, num_sids));
809 return NT_STATUS_NONE_MAPPED;
812 status = _lsa_lookup_sids_internal(p,
821 /* Only return here when there is a real error.
822 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
823 the requested sids could be resolved. Older versions of XP (pre SP3)
824 rely that we return with the string representations of those SIDs in
825 that case. If we don't, XP crashes - Guenther
828 if (NT_STATUS_IS_ERR(status) &&
829 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
833 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
834 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
837 return NT_STATUS_NO_MEMORY;
840 for (i=0; i<num_sids; i++) {
841 names_out[i].sid_type = names[i].sid_type;
842 names_out[i].name = names[i].name;
843 names_out[i].sid_index = names[i].sid_index;
846 *r->out.domains = domains;
847 r->out.names->count = num_sids;
848 r->out.names->names = names_out;
849 *r->out.count = mapped_count;
854 /***************************************************************************
856 ***************************************************************************/
858 NTSTATUS _lsa_LookupSids2(pipes_struct *p,
859 struct lsa_LookupSids2 *r)
862 struct lsa_info *handle;
863 int num_sids = r->in.sids->num_sids;
864 uint32 mapped_count = 0;
865 struct lsa_RefDomainList *domains = NULL;
866 struct lsa_TranslatedName2 *names = NULL;
867 bool check_policy = true;
869 switch (p->hdr_req.opnum) {
870 case NDR_LSA_LOOKUPSIDS3:
871 check_policy = false;
873 case NDR_LSA_LOOKUPSIDS2:
878 if ((r->in.level < 1) || (r->in.level > 6)) {
879 return NT_STATUS_INVALID_PARAMETER;
883 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
884 return NT_STATUS_INVALID_HANDLE;
887 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
888 return NT_STATUS_INVALID_HANDLE;
891 /* check if the user has enough rights */
892 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
893 return NT_STATUS_ACCESS_DENIED;
897 if (num_sids > MAX_LOOKUP_SIDS) {
898 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
899 MAX_LOOKUP_SIDS, num_sids));
900 return NT_STATUS_NONE_MAPPED;
903 status = _lsa_lookup_sids_internal(p,
912 *r->out.domains = domains;
913 r->out.names->count = num_sids;
914 r->out.names->names = names;
915 *r->out.count = mapped_count;
920 /***************************************************************************
922 ***************************************************************************/
924 NTSTATUS _lsa_LookupSids3(pipes_struct *p,
925 struct lsa_LookupSids3 *r)
927 struct lsa_LookupSids2 q;
929 /* No policy handle on this call. Restrict to crypto connections. */
930 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
931 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
932 get_remote_machine_name() ));
933 return NT_STATUS_INVALID_PARAMETER;
937 q.in.sids = r->in.sids;
938 q.in.level = r->in.level;
939 q.in.unknown1 = r->in.unknown1;
940 q.in.unknown2 = r->in.unknown2;
941 q.in.names = r->in.names;
942 q.in.count = r->in.count;
944 q.out.domains = r->out.domains;
945 q.out.names = r->out.names;
946 q.out.count = r->out.count;
948 return _lsa_LookupSids2(p, &q);
951 /***************************************************************************
952 ***************************************************************************/
954 static int lsa_lookup_level_to_flags(uint16 level)
960 flags = LOOKUP_NAME_ALL;
963 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
966 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
972 flags = LOOKUP_NAME_NONE;
979 /***************************************************************************
981 ***************************************************************************/
983 NTSTATUS _lsa_LookupNames(pipes_struct *p,
984 struct lsa_LookupNames *r)
986 NTSTATUS status = NT_STATUS_NONE_MAPPED;
987 struct lsa_info *handle;
988 struct lsa_String *names = r->in.names;
989 uint32 num_entries = r->in.num_names;
990 struct lsa_RefDomainList *domains = NULL;
991 struct lsa_TranslatedSid *rids = NULL;
992 uint32 mapped_count = 0;
995 if (num_entries > MAX_LOOKUP_SIDS) {
996 num_entries = MAX_LOOKUP_SIDS;
997 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1001 flags = lsa_lookup_level_to_flags(r->in.level);
1003 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1005 return NT_STATUS_NO_MEMORY;
1009 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1012 return NT_STATUS_NO_MEMORY;
1018 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1019 status = NT_STATUS_INVALID_HANDLE;
1023 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1024 return NT_STATUS_INVALID_HANDLE;
1027 /* check if the user has enough rights */
1028 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1029 status = NT_STATUS_ACCESS_DENIED;
1033 /* set up the LSA Lookup RIDs response */
1034 become_root(); /* lookup_name can require root privs */
1035 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1036 names, flags, &mapped_count);
1041 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1042 if (mapped_count == 0) {
1043 status = NT_STATUS_NONE_MAPPED;
1044 } else if (mapped_count != num_entries) {
1045 status = STATUS_SOME_UNMAPPED;
1049 *r->out.count = mapped_count;
1050 *r->out.domains = domains;
1051 r->out.sids->sids = rids;
1052 r->out.sids->count = num_entries;
1057 /***************************************************************************
1059 ***************************************************************************/
1061 NTSTATUS _lsa_LookupNames2(pipes_struct *p,
1062 struct lsa_LookupNames2 *r)
1065 struct lsa_LookupNames q;
1066 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1067 struct lsa_TransSidArray *sid_array = NULL;
1070 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1072 return NT_STATUS_NO_MEMORY;
1075 q.in.handle = r->in.handle;
1076 q.in.num_names = r->in.num_names;
1077 q.in.names = r->in.names;
1078 q.in.level = r->in.level;
1079 q.in.sids = sid_array;
1080 q.in.count = r->in.count;
1081 /* we do not know what this is for */
1082 /* = r->in.unknown1; */
1083 /* = r->in.unknown2; */
1085 q.out.domains = r->out.domains;
1086 q.out.sids = sid_array;
1087 q.out.count = r->out.count;
1089 status = _lsa_LookupNames(p, &q);
1091 sid_array2->count = sid_array->count;
1092 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1093 if (!sid_array2->sids) {
1094 return NT_STATUS_NO_MEMORY;
1097 for (i=0; i<sid_array->count; i++) {
1098 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1099 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1100 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1101 sid_array2->sids[i].unknown = 0;
1104 r->out.sids = sid_array2;
1109 /***************************************************************************
1111 ***************************************************************************/
1113 NTSTATUS _lsa_LookupNames3(pipes_struct *p,
1114 struct lsa_LookupNames3 *r)
1117 struct lsa_info *handle;
1118 struct lsa_String *names = r->in.names;
1119 uint32 num_entries = r->in.num_names;
1120 struct lsa_RefDomainList *domains = NULL;
1121 struct lsa_TranslatedSid3 *trans_sids = NULL;
1122 uint32 mapped_count = 0;
1124 bool check_policy = true;
1126 switch (p->hdr_req.opnum) {
1127 case NDR_LSA_LOOKUPNAMES4:
1128 check_policy = false;
1130 case NDR_LSA_LOOKUPNAMES3:
1132 check_policy = true;
1135 if (num_entries > MAX_LOOKUP_SIDS) {
1136 num_entries = MAX_LOOKUP_SIDS;
1137 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1140 /* Probably the lookup_level is some sort of bitmask. */
1141 if (r->in.level == 1) {
1142 flags = LOOKUP_NAME_ALL;
1145 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1147 return NT_STATUS_NO_MEMORY;
1151 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1154 return NT_STATUS_NO_MEMORY;
1162 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1163 status = NT_STATUS_INVALID_HANDLE;
1167 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1168 return NT_STATUS_INVALID_HANDLE;
1171 /* check if the user has enough rights */
1172 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1173 status = NT_STATUS_ACCESS_DENIED;
1178 /* set up the LSA Lookup SIDs response */
1179 become_root(); /* lookup_name can require root privs */
1180 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1181 names, flags, &mapped_count);
1186 if (NT_STATUS_IS_OK(status)) {
1187 if (mapped_count == 0) {
1188 status = NT_STATUS_NONE_MAPPED;
1189 } else if (mapped_count != num_entries) {
1190 status = STATUS_SOME_UNMAPPED;
1194 *r->out.count = mapped_count;
1195 *r->out.domains = domains;
1196 r->out.sids->sids = trans_sids;
1197 r->out.sids->count = num_entries;
1202 /***************************************************************************
1204 ***************************************************************************/
1206 NTSTATUS _lsa_LookupNames4(pipes_struct *p,
1207 struct lsa_LookupNames4 *r)
1209 struct lsa_LookupNames3 q;
1211 /* No policy handle on this call. Restrict to crypto connections. */
1212 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1213 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1214 get_remote_machine_name() ));
1215 return NT_STATUS_INVALID_PARAMETER;
1219 q.in.num_names = r->in.num_names;
1220 q.in.names = r->in.names;
1221 q.in.level = r->in.level;
1222 q.in.lookup_options = r->in.lookup_options;
1223 q.in.client_revision = r->in.client_revision;
1224 q.in.sids = r->in.sids;
1225 q.in.count = r->in.count;
1227 q.out.domains = r->out.domains;
1228 q.out.sids = r->out.sids;
1229 q.out.count = r->out.count;
1231 return _lsa_LookupNames3(p, &q);
1234 /***************************************************************************
1235 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1236 ***************************************************************************/
1238 NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
1240 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1241 return NT_STATUS_INVALID_HANDLE;
1244 close_policy_hnd(p, r->in.handle);
1245 ZERO_STRUCTP(r->out.handle);
1246 return NT_STATUS_OK;
1249 /***************************************************************************
1250 ***************************************************************************/
1252 NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
1254 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1257 /***************************************************************************
1258 ***************************************************************************/
1260 NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
1262 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1265 /***************************************************************************
1266 ***************************************************************************/
1268 NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
1270 return NT_STATUS_ACCESS_DENIED;
1273 /***************************************************************************
1274 ***************************************************************************/
1276 NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
1278 return NT_STATUS_ACCESS_DENIED;
1281 /***************************************************************************
1282 ***************************************************************************/
1284 NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
1286 return NT_STATUS_ACCESS_DENIED;
1289 /***************************************************************************
1291 ***************************************************************************/
1293 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
1294 struct lsa_DeleteObject *r)
1297 struct lsa_info *info = NULL;
1299 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1300 return NT_STATUS_INVALID_HANDLE;
1303 if (!(info->access & STD_RIGHT_DELETE_ACCESS)) {
1304 return NT_STATUS_ACCESS_DENIED;
1307 status = privilege_delete_account(&info->sid);
1308 if (!NT_STATUS_IS_OK(status)) {
1309 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1310 nt_errstr(status)));
1316 /***************************************************************************
1318 ***************************************************************************/
1320 NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
1321 struct lsa_EnumPrivs *r)
1323 struct lsa_info *handle;
1325 uint32 enum_context = *r->in.resume_handle;
1326 int num_privs = count_all_privileges();
1327 struct lsa_PrivEntry *entries = NULL;
1330 /* remember that the enum_context starts at 0 and not 1 */
1332 if ( enum_context >= num_privs )
1333 return NT_STATUS_NO_MORE_ENTRIES;
1335 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1336 enum_context, num_privs));
1338 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1339 return NT_STATUS_INVALID_HANDLE;
1341 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1342 return NT_STATUS_INVALID_HANDLE;
1345 /* check if the user has enough rights
1346 I don't know if it's the right one. not documented. */
1348 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1349 return NT_STATUS_ACCESS_DENIED;
1352 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1354 return NT_STATUS_NO_MEMORY;
1360 for (i = 0; i < num_privs; i++) {
1361 if( i < enum_context) {
1363 init_lsa_StringLarge(&entries[i].name, NULL);
1365 entries[i].luid.low = 0;
1366 entries[i].luid.high = 0;
1369 init_lsa_StringLarge(&entries[i].name, privs[i].name);
1371 luid = get_privilege_luid( &privs[i].se_priv );
1373 entries[i].luid.low = luid.luid.low;
1374 entries[i].luid.high = luid.luid.high;
1378 enum_context = num_privs;
1380 *r->out.resume_handle = enum_context;
1381 r->out.privs->count = num_privs;
1382 r->out.privs->privs = entries;
1384 return NT_STATUS_OK;
1387 /***************************************************************************
1388 _lsa_LookupPrivDisplayName
1389 ***************************************************************************/
1391 NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
1392 struct lsa_LookupPrivDisplayName *r)
1394 struct lsa_info *handle;
1395 const char *description;
1396 struct lsa_StringLarge *lsa_name;
1398 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1399 return NT_STATUS_INVALID_HANDLE;
1401 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1402 return NT_STATUS_INVALID_HANDLE;
1405 /* check if the user has enough rights */
1408 * I don't know if it's the right one. not documented.
1410 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1411 return NT_STATUS_ACCESS_DENIED;
1413 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1415 description = get_privilege_dispname(r->in.name->string);
1417 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1418 return NT_STATUS_NO_SUCH_PRIVILEGE;
1421 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1423 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1425 return NT_STATUS_NO_MEMORY;
1428 init_lsa_StringLarge(lsa_name, description);
1430 *r->out.returned_language_id = r->in.language_id;
1431 *r->out.disp_name = lsa_name;
1433 return NT_STATUS_OK;
1436 /***************************************************************************
1438 ***************************************************************************/
1440 NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
1441 struct lsa_EnumAccounts *r)
1443 struct lsa_info *handle;
1445 int i, j, num_entries;
1447 struct lsa_SidPtr *sids = NULL;
1449 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1450 return NT_STATUS_INVALID_HANDLE;
1452 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1453 return NT_STATUS_INVALID_HANDLE;
1456 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1457 return NT_STATUS_ACCESS_DENIED;
1462 /* The only way we can currently find out all the SIDs that have been
1463 privileged is to scan all privileges */
1465 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1466 if (!NT_STATUS_IS_OK(status)) {
1470 if (*r->in.resume_handle >= num_entries) {
1471 return NT_STATUS_NO_MORE_ENTRIES;
1474 if (num_entries - *r->in.resume_handle) {
1475 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1476 num_entries - *r->in.resume_handle);
1478 talloc_free(sid_list);
1479 return NT_STATUS_NO_MEMORY;
1482 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1483 sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1485 talloc_free(sid_list);
1486 return NT_STATUS_NO_MEMORY;
1491 talloc_free(sid_list);
1493 *r->out.resume_handle = num_entries;
1494 r->out.sids->num_sids = num_entries;
1495 r->out.sids->sids = sids;
1497 return NT_STATUS_OK;
1500 /***************************************************************************
1502 ***************************************************************************/
1504 NTSTATUS _lsa_GetUserName(pipes_struct *p,
1505 struct lsa_GetUserName *r)
1507 const char *username, *domname;
1508 struct lsa_String *account_name = NULL;
1509 struct lsa_String *authority_name = NULL;
1511 if (r->in.account_name &&
1512 *r->in.account_name) {
1513 return NT_STATUS_INVALID_PARAMETER;
1516 if (r->in.authority_name &&
1517 *r->in.authority_name) {
1518 return NT_STATUS_INVALID_PARAMETER;
1521 if (p->server_info->guest) {
1523 * I'm 99% sure this is not the right place to do this,
1524 * global_sid_Anonymous should probably be put into the token
1525 * instead of the guest id -- vl
1527 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1528 &domname, &username, NULL)) {
1529 return NT_STATUS_NO_MEMORY;
1532 username = p->server_info->sanitized_username;
1533 domname = pdb_get_domain(p->server_info->sam_account);
1536 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1537 if (!account_name) {
1538 return NT_STATUS_NO_MEMORY;
1540 init_lsa_String(account_name, username);
1542 if (r->out.authority_name) {
1543 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1544 if (!authority_name) {
1545 return NT_STATUS_NO_MEMORY;
1547 init_lsa_String(authority_name, domname);
1550 *r->out.account_name = account_name;
1551 if (r->out.authority_name) {
1552 *r->out.authority_name = authority_name;
1555 return NT_STATUS_OK;
1558 /***************************************************************************
1560 ***************************************************************************/
1562 NTSTATUS _lsa_CreateAccount(pipes_struct *p,
1563 struct lsa_CreateAccount *r)
1565 struct lsa_info *handle;
1566 struct lsa_info *info;
1568 /* find the connection policy handle. */
1569 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1570 return NT_STATUS_INVALID_HANDLE;
1572 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1573 return NT_STATUS_INVALID_HANDLE;
1576 /* check if the user has enough rights */
1579 * I don't know if it's the right one. not documented.
1580 * but guessed with rpcclient.
1582 if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT))
1583 return NT_STATUS_ACCESS_DENIED;
1585 if ( is_privileged_sid( r->in.sid ) )
1586 return NT_STATUS_OBJECT_NAME_COLLISION;
1588 /* associate the user/group SID with the (unique) handle. */
1590 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1592 return NT_STATUS_NO_MEMORY;
1595 info->sid = *r->in.sid;
1596 info->access = r->in.access_mask;
1597 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1599 /* get a (unique) handle. open a policy on it. */
1600 if (!create_policy_hnd(p, r->out.acct_handle, info))
1601 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1603 return privilege_create_account( &info->sid );
1606 /***************************************************************************
1608 ***************************************************************************/
1610 NTSTATUS _lsa_OpenAccount(pipes_struct *p,
1611 struct lsa_OpenAccount *r)
1613 struct lsa_info *handle;
1614 struct lsa_info *info;
1615 SEC_DESC *psd = NULL;
1617 uint32_t des_access = r->in.access_mask;
1618 uint32_t acc_granted;
1621 /* find the connection policy handle. */
1622 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1623 return NT_STATUS_INVALID_HANDLE;
1625 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1626 return NT_STATUS_INVALID_HANDLE;
1629 /* des_access is for the account here, not the policy
1630 * handle - so don't check against policy handle. */
1632 /* Work out max allowed. */
1633 map_max_allowed_access(p->server_info->ptok,
1634 &p->server_info->utok,
1637 /* map the generic bits to the lsa account ones */
1638 se_map_generic(&des_access, &lsa_account_mapping);
1640 /* get the generic lsa account SD until we store it */
1641 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1642 &lsa_account_mapping,
1643 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1644 if (!NT_STATUS_IS_OK(status)) {
1648 status = access_check_object(psd, p->server_info->ptok,
1649 NULL, 0, des_access,
1650 &acc_granted, "_lsa_OpenAccount" );
1652 if (!NT_STATUS_IS_OK(status)) {
1656 /* TODO: Fis the parsing routine before reenabling this check! */
1658 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1659 return NT_STATUS_ACCESS_DENIED;
1661 /* associate the user/group SID with the (unique) handle. */
1662 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1664 return NT_STATUS_NO_MEMORY;
1667 info->sid = *r->in.sid;
1668 info->access = acc_granted;
1669 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1671 /* get a (unique) handle. open a policy on it. */
1672 if (!create_policy_hnd(p, r->out.acct_handle, info))
1673 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1675 return NT_STATUS_OK;
1678 /***************************************************************************
1679 _lsa_EnumPrivsAccount
1680 For a given SID, enumerate all the privilege this account has.
1681 ***************************************************************************/
1683 NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
1684 struct lsa_EnumPrivsAccount *r)
1686 NTSTATUS status = NT_STATUS_OK;
1687 struct lsa_info *info=NULL;
1689 PRIVILEGE_SET privileges;
1690 struct lsa_PrivilegeSet *priv_set = NULL;
1691 struct lsa_LUIDAttribute *luid_attrs = NULL;
1694 /* find the connection policy handle. */
1695 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1696 return NT_STATUS_INVALID_HANDLE;
1698 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1699 return NT_STATUS_INVALID_HANDLE;
1702 if (!(info->access & LSA_ACCOUNT_VIEW))
1703 return NT_STATUS_ACCESS_DENIED;
1705 get_privileges_for_sids(&mask, &info->sid, 1);
1707 privilege_set_init( &privileges );
1709 priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1711 status = NT_STATUS_NO_MEMORY;
1715 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1717 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1718 sid_string_dbg(&info->sid),
1721 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1722 struct lsa_LUIDAttribute,
1725 status = NT_STATUS_NO_MEMORY;
1729 for (i=0; i<privileges.count; i++) {
1730 luid_attrs[i].luid.low = privileges.set[i].luid.low;
1731 luid_attrs[i].luid.high = privileges.set[i].luid.high;
1732 luid_attrs[i].attribute = privileges.set[i].attr;
1735 priv_set->count = privileges.count;
1736 priv_set->unknown = 0;
1737 priv_set->set = luid_attrs;
1740 priv_set->count = 0;
1741 priv_set->unknown = 0;
1742 priv_set->set = NULL;
1745 *r->out.privs = priv_set;
1748 privilege_set_free( &privileges );
1753 /***************************************************************************
1754 _lsa_GetSystemAccessAccount
1755 ***************************************************************************/
1757 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
1758 struct lsa_GetSystemAccessAccount *r)
1761 struct lsa_info *info = NULL;
1762 struct lsa_EnumPrivsAccount e;
1763 struct lsa_PrivilegeSet *privset;
1765 /* find the connection policy handle. */
1767 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1768 return NT_STATUS_INVALID_HANDLE;
1770 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1771 return NT_STATUS_INVALID_HANDLE;
1774 if (!(info->access & LSA_ACCOUNT_VIEW))
1775 return NT_STATUS_ACCESS_DENIED;
1777 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1779 return NT_STATUS_NO_MEMORY;
1782 e.in.handle = r->in.handle;
1783 e.out.privs = &privset;
1785 status = _lsa_EnumPrivsAccount(p, &e);
1786 if (!NT_STATUS_IS_OK(status)) {
1787 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1788 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1789 nt_errstr(status)));
1793 /* Samba4 would iterate over the privset to merge the policy mode bits,
1794 * not sure samba3 can do the same here, so just return what we did in
1798 0x01 -> Log on locally
1799 0x02 -> Access this computer from network
1800 0x04 -> Log on as a batch job
1801 0x10 -> Log on as a service
1803 they can be ORed together
1806 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1807 LSA_POLICY_MODE_NETWORK;
1809 return NT_STATUS_OK;
1812 /***************************************************************************
1813 update the systemaccount information
1814 ***************************************************************************/
1816 NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
1817 struct lsa_SetSystemAccessAccount *r)
1819 struct lsa_info *info=NULL;
1822 /* find the connection policy handle. */
1823 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1824 return NT_STATUS_INVALID_HANDLE;
1826 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1827 return NT_STATUS_INVALID_HANDLE;
1830 if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1831 return NT_STATUS_ACCESS_DENIED;
1834 if (!pdb_getgrsid(&map, info->sid))
1835 return NT_STATUS_NO_SUCH_GROUP;
1837 return pdb_update_group_mapping_entry(&map);
1840 /***************************************************************************
1841 _lsa_AddPrivilegesToAccount
1842 For a given SID, add some privileges.
1843 ***************************************************************************/
1845 NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
1846 struct lsa_AddPrivilegesToAccount *r)
1848 struct lsa_info *info = NULL;
1850 struct lsa_PrivilegeSet *set = NULL;
1852 /* find the connection policy handle. */
1853 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1854 return NT_STATUS_INVALID_HANDLE;
1856 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1857 return NT_STATUS_INVALID_HANDLE;
1860 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1861 return NT_STATUS_ACCESS_DENIED;
1865 if ( !privilege_set_to_se_priv( &mask, set ) )
1866 return NT_STATUS_NO_SUCH_PRIVILEGE;
1868 if ( !grant_privilege( &info->sid, &mask ) ) {
1869 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1870 sid_string_dbg(&info->sid) ));
1871 DEBUG(3,("Privilege mask:\n"));
1872 dump_se_priv( DBGC_ALL, 3, &mask );
1873 return NT_STATUS_NO_SUCH_PRIVILEGE;
1876 return NT_STATUS_OK;
1879 /***************************************************************************
1880 _lsa_RemovePrivilegesFromAccount
1881 For a given SID, remove some privileges.
1882 ***************************************************************************/
1884 NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
1885 struct lsa_RemovePrivilegesFromAccount *r)
1887 struct lsa_info *info = NULL;
1889 struct lsa_PrivilegeSet *set = NULL;
1891 /* find the connection policy handle. */
1892 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1893 return NT_STATUS_INVALID_HANDLE;
1895 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1896 return NT_STATUS_INVALID_HANDLE;
1899 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1900 return NT_STATUS_ACCESS_DENIED;
1905 if ( !privilege_set_to_se_priv( &mask, set ) )
1906 return NT_STATUS_NO_SUCH_PRIVILEGE;
1908 if ( !revoke_privilege( &info->sid, &mask ) ) {
1909 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
1910 sid_string_dbg(&info->sid) ));
1911 DEBUG(3,("Privilege mask:\n"));
1912 dump_se_priv( DBGC_ALL, 3, &mask );
1913 return NT_STATUS_NO_SUCH_PRIVILEGE;
1916 return NT_STATUS_OK;
1919 /***************************************************************************
1921 ***************************************************************************/
1923 NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
1924 struct lsa_QuerySecurity *r)
1926 struct lsa_info *handle=NULL;
1927 SEC_DESC *psd = NULL;
1931 /* find the connection policy handle. */
1932 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1933 return NT_STATUS_INVALID_HANDLE;
1935 if (handle->type == LSA_HANDLE_POLICY_TYPE) {
1936 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1937 &lsa_policy_mapping, NULL, 0);
1938 } else if (handle->type == LSA_HANDLE_ACCOUNT_TYPE) {
1939 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1940 &lsa_account_mapping,
1941 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
1943 status = NT_STATUS_INVALID_HANDLE;
1946 if (!NT_STATUS_IS_OK(status)) {
1950 switch (r->in.sec_info) {
1952 /* SD contains only the owner */
1953 if((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
1954 return NT_STATUS_NO_MEMORY;
1957 /* SD contains only the ACL */
1958 if((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
1959 return NT_STATUS_NO_MEMORY;
1962 return NT_STATUS_INVALID_LEVEL;
1968 /***************************************************************************
1969 _lsa_AddAccountRights
1970 ***************************************************************************/
1972 NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
1973 struct lsa_AddAccountRights *r)
1975 struct lsa_info *info = NULL;
1977 uint32_t acc_granted = 0;
1978 SEC_DESC *psd = NULL;
1983 /* find the connection policy handle. */
1984 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1985 return NT_STATUS_INVALID_HANDLE;
1987 if (info->type != LSA_HANDLE_POLICY_TYPE) {
1988 return NT_STATUS_INVALID_HANDLE;
1991 /* get the generic lsa account SD for this SID until we store it */
1992 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1993 &lsa_account_mapping,
1994 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1995 if (!NT_STATUS_IS_OK(status)) {
2000 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2001 * on the policy handle. If it does, ask for
2002 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2003 * on the account sid. We don't check here so just use the latter. JRA.
2006 status = access_check_object(psd, p->server_info->ptok,
2007 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2008 &acc_granted, "_lsa_AddAccountRights" );
2010 if (!NT_STATUS_IS_OK(status)) {
2014 /* according to an NT4 PDC, you can add privileges to SIDs even without
2015 call_lsa_create_account() first. And you can use any arbitrary SID. */
2017 sid_copy( &sid, r->in.sid );
2019 for ( i=0; i < r->in.rights->count; i++ ) {
2021 const char *privname = r->in.rights->names[i].string;
2023 /* only try to add non-null strings */
2028 if ( !grant_privilege_by_name( &sid, privname ) ) {
2029 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2031 return NT_STATUS_NO_SUCH_PRIVILEGE;
2035 return NT_STATUS_OK;
2038 /***************************************************************************
2039 _lsa_RemoveAccountRights
2040 ***************************************************************************/
2042 NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
2043 struct lsa_RemoveAccountRights *r)
2045 struct lsa_info *info = NULL;
2047 SEC_DESC *psd = NULL;
2050 const char *privname = NULL;
2051 uint32_t acc_granted = 0;
2054 /* find the connection policy handle. */
2055 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2056 return NT_STATUS_INVALID_HANDLE;
2058 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2059 return NT_STATUS_INVALID_HANDLE;
2062 /* get the generic lsa account SD for this SID until we store it */
2063 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2064 &lsa_account_mapping,
2065 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2066 if (!NT_STATUS_IS_OK(status)) {
2071 * From the MS DOCs. We need
2072 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2073 * and DELETE on the account sid.
2076 status = access_check_object(psd, p->server_info->ptok,
2077 NULL, 0, LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2078 LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
2079 &acc_granted, "_lsa_AddAccountRights" );
2081 if (!NT_STATUS_IS_OK(status)) {
2085 sid_copy( &sid, r->in.sid );
2087 if ( r->in.remove_all ) {
2088 if ( !revoke_all_privileges( &sid ) )
2089 return NT_STATUS_ACCESS_DENIED;
2091 return NT_STATUS_OK;
2094 for ( i=0; i < r->in.rights->count; i++ ) {
2096 privname = r->in.rights->names[i].string;
2098 /* only try to add non-null strings */
2103 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2104 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2106 return NT_STATUS_NO_SUCH_PRIVILEGE;
2110 return NT_STATUS_OK;
2113 /*******************************************************************
2114 ********************************************************************/
2116 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2117 struct lsa_RightSet *r,
2118 PRIVILEGE_SET *privileges)
2121 const char *privname;
2122 const char **privname_array = NULL;
2125 for (i=0; i<privileges->count; i++) {
2127 privname = luid_to_privilege_name(&privileges->set[i].luid);
2129 if (!add_string_to_array(mem_ctx, privname,
2130 &privname_array, &num_priv)) {
2131 return NT_STATUS_NO_MEMORY;
2138 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2141 return NT_STATUS_NO_MEMORY;
2144 for (i=0; i<num_priv; i++) {
2145 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2148 r->count = num_priv;
2151 return NT_STATUS_OK;
2154 /***************************************************************************
2155 _lsa_EnumAccountRights
2156 ***************************************************************************/
2158 NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
2159 struct lsa_EnumAccountRights *r)
2162 struct lsa_info *info = NULL;
2164 PRIVILEGE_SET privileges;
2167 /* find the connection policy handle. */
2169 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2170 return NT_STATUS_INVALID_HANDLE;
2172 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2173 return NT_STATUS_INVALID_HANDLE;
2176 if (!(info->access & LSA_ACCOUNT_VIEW)) {
2177 return NT_STATUS_ACCESS_DENIED;
2180 /* according to an NT4 PDC, you can add privileges to SIDs even without
2181 call_lsa_create_account() first. And you can use any arbitrary SID. */
2183 sid_copy( &sid, r->in.sid );
2185 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2186 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2187 * the lsa database */
2189 if (!get_privileges_for_sids(&mask, &sid, 1)) {
2190 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2193 status = privilege_set_init(&privileges);
2194 if (!NT_STATUS_IS_OK(status)) {
2198 se_priv_to_privilege_set(&privileges, &mask);
2200 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2201 sid_string_dbg(&sid), privileges.count));
2203 status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2205 privilege_set_free( &privileges );
2210 /***************************************************************************
2211 _lsa_LookupPrivValue
2212 ***************************************************************************/
2214 NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
2215 struct lsa_LookupPrivValue *r)
2217 struct lsa_info *info = NULL;
2218 const char *name = NULL;
2219 LUID_ATTR priv_luid;
2222 /* find the connection policy handle. */
2224 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2225 return NT_STATUS_INVALID_HANDLE;
2227 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2228 return NT_STATUS_INVALID_HANDLE;
2231 if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2232 return NT_STATUS_ACCESS_DENIED;
2234 name = r->in.name->string;
2236 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2238 if ( !se_priv_from_name( name, &mask ) )
2239 return NT_STATUS_NO_SUCH_PRIVILEGE;
2241 priv_luid = get_privilege_luid( &mask );
2243 r->out.luid->low = priv_luid.luid.low;
2244 r->out.luid->high = priv_luid.luid.high;
2246 return NT_STATUS_OK;
2249 /***************************************************************************
2250 _lsa_EnumAccountsWithUserRight
2251 ***************************************************************************/
2253 NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p,
2254 struct lsa_EnumAccountsWithUserRight *r)
2257 struct lsa_info *info = NULL;
2258 struct dom_sid *sids = NULL;
2263 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2264 return NT_STATUS_INVALID_HANDLE;
2267 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2268 return NT_STATUS_INVALID_HANDLE;
2271 if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2272 return NT_STATUS_ACCESS_DENIED;
2275 if (!r->in.name || !r->in.name->string) {
2276 return NT_STATUS_NO_SUCH_PRIVILEGE;
2279 if (!se_priv_from_name(r->in.name->string, &mask)) {
2280 return NT_STATUS_NO_SUCH_PRIVILEGE;
2283 status = privilege_enum_sids(&mask, p->mem_ctx,
2285 if (!NT_STATUS_IS_OK(status)) {
2289 r->out.sids->num_sids = num_sids;
2290 r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2291 r->out.sids->num_sids);
2293 for (i=0; i < r->out.sids->num_sids; i++) {
2294 r->out.sids->sids[i].sid = sid_dup_talloc(r->out.sids->sids,
2296 if (!r->out.sids->sids[i].sid) {
2297 TALLOC_FREE(r->out.sids->sids);
2298 r->out.sids->num_sids = 0;
2299 return NT_STATUS_NO_MEMORY;
2303 return NT_STATUS_OK;
2307 * From here on the server routines are just dummy ones to make smbd link with
2308 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2309 * pulling the server stubs across one by one.
2312 NTSTATUS _lsa_Delete(pipes_struct *p, struct lsa_Delete *r)
2314 p->rng_fault_state = True;
2315 return NT_STATUS_NOT_IMPLEMENTED;
2318 NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
2320 p->rng_fault_state = True;
2321 return NT_STATUS_NOT_IMPLEMENTED;
2324 NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
2326 p->rng_fault_state = True;
2327 return NT_STATUS_NOT_IMPLEMENTED;
2330 NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
2332 p->rng_fault_state = True;
2333 return NT_STATUS_NOT_IMPLEMENTED;
2336 NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
2338 p->rng_fault_state = True;
2339 return NT_STATUS_NOT_IMPLEMENTED;
2342 NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
2344 p->rng_fault_state = True;
2345 return NT_STATUS_NOT_IMPLEMENTED;
2348 NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
2350 p->rng_fault_state = True;
2351 return NT_STATUS_NOT_IMPLEMENTED;
2354 NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
2356 p->rng_fault_state = True;
2357 return NT_STATUS_NOT_IMPLEMENTED;
2360 NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
2362 p->rng_fault_state = True;
2363 return NT_STATUS_NOT_IMPLEMENTED;
2366 NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
2368 p->rng_fault_state = True;
2369 return NT_STATUS_NOT_IMPLEMENTED;
2372 NTSTATUS _lsa_LookupPrivName(pipes_struct *p, struct lsa_LookupPrivName *r)
2374 p->rng_fault_state = True;
2375 return NT_STATUS_NOT_IMPLEMENTED;
2378 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
2380 p->rng_fault_state = True;
2381 return NT_STATUS_NOT_IMPLEMENTED;
2384 NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
2386 p->rng_fault_state = True;
2387 return NT_STATUS_NOT_IMPLEMENTED;
2390 NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
2392 p->rng_fault_state = True;
2393 return NT_STATUS_NOT_IMPLEMENTED;
2396 NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
2398 p->rng_fault_state = True;
2399 return NT_STATUS_NOT_IMPLEMENTED;
2402 NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
2404 p->rng_fault_state = True;
2405 return NT_STATUS_NOT_IMPLEMENTED;
2408 NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p,
2409 struct lsa_QueryInfoPolicy2 *r2)
2411 struct lsa_QueryInfoPolicy r;
2413 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
2414 p->rng_fault_state = True;
2415 return NT_STATUS_NOT_IMPLEMENTED;
2419 r.in.handle = r2->in.handle;
2420 r.in.level = r2->in.level;
2421 r.out.info = r2->out.info;
2423 return _lsa_QueryInfoPolicy(p, &r);
2426 NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
2428 p->rng_fault_state = True;
2429 return NT_STATUS_NOT_IMPLEMENTED;
2432 NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
2434 p->rng_fault_state = True;
2435 return NT_STATUS_NOT_IMPLEMENTED;
2438 NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
2440 p->rng_fault_state = True;
2441 return NT_STATUS_NOT_IMPLEMENTED;
2444 NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
2446 p->rng_fault_state = True;
2447 return NT_STATUS_NOT_IMPLEMENTED;
2450 NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
2452 p->rng_fault_state = True;
2453 return NT_STATUS_NOT_IMPLEMENTED;
2456 NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
2458 p->rng_fault_state = True;
2459 return NT_STATUS_NOT_IMPLEMENTED;
2462 NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
2464 p->rng_fault_state = True;
2465 return NT_STATUS_NOT_IMPLEMENTED;
2468 NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
2470 p->rng_fault_state = True;
2471 return NT_STATUS_NOT_IMPLEMENTED;
2474 NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
2476 p->rng_fault_state = True;
2477 return NT_STATUS_NOT_IMPLEMENTED;
2480 NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
2482 p->rng_fault_state = True;
2483 return NT_STATUS_NOT_IMPLEMENTED;
2486 NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
2488 p->rng_fault_state = True;
2489 return NT_STATUS_NOT_IMPLEMENTED;
2492 NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
2494 p->rng_fault_state = True;
2495 return NT_STATUS_NOT_IMPLEMENTED;
2498 NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
2500 p->rng_fault_state = True;
2501 return NT_STATUS_NOT_IMPLEMENTED;
2504 NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2506 p->rng_fault_state = True;
2507 return NT_STATUS_NOT_IMPLEMENTED;
2510 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2512 p->rng_fault_state = True;
2513 return NT_STATUS_NOT_IMPLEMENTED;
2516 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2518 p->rng_fault_state = True;
2519 return NT_STATUS_NOT_IMPLEMENTED;
2522 NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
2524 p->rng_fault_state = True;
2525 return NT_STATUS_NOT_IMPLEMENTED;
2528 NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
2530 p->rng_fault_state = True;
2531 return NT_STATUS_NOT_IMPLEMENTED;
2534 NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
2536 p->rng_fault_state = True;
2537 return NT_STATUS_NOT_IMPLEMENTED;
2540 NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
2542 p->rng_fault_state = True;
2543 return NT_STATUS_NOT_IMPLEMENTED;
2546 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
2548 p->rng_fault_state = True;
2549 return NT_STATUS_NOT_IMPLEMENTED;
2552 NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
2554 p->rng_fault_state = True;
2555 return NT_STATUS_NOT_IMPLEMENTED;
2558 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
2560 p->rng_fault_state = True;
2561 return NT_STATUS_NOT_IMPLEMENTED;
2564 NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
2566 p->rng_fault_state = True;
2567 return NT_STATUS_NOT_IMPLEMENTED;
2570 NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2572 p->rng_fault_state = True;
2573 return NT_STATUS_NOT_IMPLEMENTED;
2576 NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
2578 p->rng_fault_state = True;
2579 return NT_STATUS_NOT_IMPLEMENTED;
2582 NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
2584 p->rng_fault_state = True;
2585 return NT_STATUS_NOT_IMPLEMENTED;
2588 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2590 p->rng_fault_state = True;
2591 return NT_STATUS_NOT_IMPLEMENTED;
2594 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2596 p->rng_fault_state = True;
2597 return NT_STATUS_NOT_IMPLEMENTED;
2600 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
2602 p->rng_fault_state = True;
2603 return NT_STATUS_NOT_IMPLEMENTED;