2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
29 /* This is the implementation of the lsa server code. */
34 #define DBGC_CLASS DBGC_RPC_SRV
36 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
40 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
46 enum lsa_handle_type type;
47 struct security_descriptor *sd;
50 const struct generic_mapping lsa_account_mapping = {
54 LSA_ACCOUNT_ALL_ACCESS
57 const struct generic_mapping lsa_policy_mapping = {
64 const struct generic_mapping lsa_secret_mapping = {
71 const struct generic_mapping lsa_trusted_domain_mapping = {
72 LSA_TRUSTED_DOMAIN_READ,
73 LSA_TRUSTED_DOMAIN_WRITE,
74 LSA_TRUSTED_DOMAIN_EXECUTE,
75 LSA_TRUSTED_DOMAIN_ALL_ACCESS
78 /***************************************************************************
79 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
80 ***************************************************************************/
82 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
83 struct lsa_RefDomainList *ref,
89 if (dom_name != NULL) {
90 for (num = 0; num < ref->count; num++) {
91 if (sid_equal(dom_sid, ref->domains[num].sid)) {
99 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
100 /* index not found, already at maximum domain limit */
104 ref->count = num + 1;
105 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
107 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
108 struct lsa_DomainInfo, ref->count);
113 ZERO_STRUCT(ref->domains[num]);
115 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
116 ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
117 if (!ref->domains[num].sid) {
125 /***************************************************************************
126 initialize a lsa_DomainInfo structure.
127 ***************************************************************************/
129 static void init_dom_query_3(struct lsa_DomainInfo *r,
133 init_lsa_StringLarge(&r->name, name);
137 /***************************************************************************
138 initialize a lsa_DomainInfo structure.
139 ***************************************************************************/
141 static void init_dom_query_5(struct lsa_DomainInfo *r,
145 init_lsa_StringLarge(&r->name, name);
149 /***************************************************************************
150 lookup_lsa_rids. Must be called as root for lookup_name to work.
151 ***************************************************************************/
153 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
154 struct lsa_RefDomainList *ref,
155 struct lsa_TranslatedSid *prid,
156 uint32_t num_entries,
157 struct lsa_String *name,
159 uint32_t *pmapped_count)
161 uint32 mapped_count, i;
163 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
168 for (i = 0; i < num_entries; i++) {
172 const char *full_name;
174 enum lsa_SidType type = SID_NAME_UNKNOWN;
176 /* Split name into domain and user component */
178 /* follow w2k8 behavior and return the builtin domain when no
179 * input has been passed in */
181 if (name[i].string) {
182 full_name = name[i].string;
184 full_name = "BUILTIN";
187 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
189 /* We can ignore the result of lookup_name, it will not touch
190 "type" if it's not successful */
192 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
197 case SID_NAME_DOM_GRP:
198 case SID_NAME_DOMAIN:
200 case SID_NAME_WKN_GRP:
201 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
202 /* Leave these unchanged */
205 /* Don't hand out anything but the list above */
206 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
207 type = SID_NAME_UNKNOWN;
214 if (type != SID_NAME_UNKNOWN) {
215 if (type == SID_NAME_DOMAIN) {
218 sid_split_rid(&sid, &rid);
220 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
224 prid[i].sid_type = type;
226 prid[i].sid_index = dom_idx;
229 *pmapped_count = mapped_count;
233 /***************************************************************************
234 lookup_lsa_sids. Must be called as root for lookup_name to work.
235 ***************************************************************************/
237 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
238 struct lsa_RefDomainList *ref,
239 struct lsa_TranslatedSid3 *trans_sids,
240 uint32_t num_entries,
241 struct lsa_String *name,
243 uint32 *pmapped_count)
245 uint32 mapped_count, i;
247 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
252 for (i = 0; i < num_entries; i++) {
256 const char *full_name;
258 enum lsa_SidType type = SID_NAME_UNKNOWN;
262 /* Split name into domain and user component */
264 full_name = name[i].string;
265 if (full_name == NULL) {
266 return NT_STATUS_NO_MEMORY;
269 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
271 /* We can ignore the result of lookup_name, it will not touch
272 "type" if it's not successful */
274 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
279 case SID_NAME_DOM_GRP:
280 case SID_NAME_DOMAIN:
282 case SID_NAME_WKN_GRP:
283 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
284 /* Leave these unchanged */
287 /* Don't hand out anything but the list above */
288 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
289 type = SID_NAME_UNKNOWN;
296 if (type != SID_NAME_UNKNOWN) {
298 sid_copy(&domain_sid, &sid);
299 sid_split_rid(&domain_sid, &rid);
300 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
304 /* Initialize the lsa_TranslatedSid3 return. */
305 trans_sids[i].sid_type = type;
306 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
307 trans_sids[i].sid_index = dom_idx;
310 *pmapped_count = mapped_count;
314 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size,
315 const struct generic_mapping *map,
316 DOM_SID *sid, uint32_t sid_access)
324 /* READ|EXECUTE access for Everyone */
326 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
327 map->generic_execute | map->generic_read, 0);
329 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
331 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
332 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
333 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
334 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
336 /* Add Full Access for Domain Admins */
337 sid_copy(&adm_sid, get_global_sam_sid());
338 sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
339 init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
340 map->generic_all, 0);
342 /* If we have a sid, give it some special access */
345 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
349 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
350 return NT_STATUS_NO_MEMORY;
352 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
353 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
354 psa, sd_size)) == NULL)
355 return NT_STATUS_NO_MEMORY;
361 /***************************************************************************
363 ***************************************************************************/
365 NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
366 struct lsa_OpenPolicy2 *r)
368 struct lsa_info *info;
369 SEC_DESC *psd = NULL;
371 uint32 des_access = r->in.access_mask;
375 /* Work out max allowed. */
376 map_max_allowed_access(p->server_info->ptok,
377 &p->server_info->utok,
380 /* map the generic bits to the lsa policy ones */
381 se_map_generic(&des_access, &lsa_policy_mapping);
383 /* get the generic lsa policy SD until we store it */
384 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
386 if (!NT_STATUS_IS_OK(status)) {
390 status = access_check_object(psd, p->server_info->ptok,
392 &acc_granted, "_lsa_OpenPolicy2" );
393 if (!NT_STATUS_IS_OK(status)) {
397 /* associate the domain SID with the (unique) handle. */
398 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
400 return NT_STATUS_NO_MEMORY;
403 sid_copy(&info->sid,get_global_sam_sid());
404 info->access = acc_granted;
405 info->type = LSA_HANDLE_POLICY_TYPE;
407 /* set up the LSA QUERY INFO response */
408 if (!create_policy_hnd(p, r->out.handle, info))
409 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
414 /***************************************************************************
416 ***************************************************************************/
418 NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
419 struct lsa_OpenPolicy *r)
421 struct lsa_OpenPolicy2 o;
423 o.in.system_name = NULL; /* should be ignored */
424 o.in.attr = r->in.attr;
425 o.in.access_mask = r->in.access_mask;
427 o.out.handle = r->out.handle;
429 return _lsa_OpenPolicy2(p, &o);
432 /***************************************************************************
433 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
435 ***************************************************************************/
437 NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
438 struct lsa_EnumTrustDom *r)
440 struct lsa_info *info;
442 struct trustdom_info **domains;
443 struct lsa_DomainInfo *entries;
447 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
448 return NT_STATUS_INVALID_HANDLE;
450 if (info->type != LSA_HANDLE_POLICY_TYPE) {
451 return NT_STATUS_INVALID_HANDLE;
454 /* check if the user has enough rights */
455 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
456 return NT_STATUS_ACCESS_DENIED;
459 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &count, &domains);
462 if (!NT_STATUS_IS_OK(nt_status)) {
466 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo, count);
468 return NT_STATUS_NO_MEMORY;
471 for (i=0; i<count; i++) {
472 init_lsa_StringLarge(&entries[i].name, domains[i]->name);
473 entries[i].sid = &domains[i]->sid;
476 if (*r->in.resume_handle >= count) {
477 *r->out.resume_handle = -1;
478 TALLOC_FREE(entries);
479 return NT_STATUS_NO_MORE_ENTRIES;
482 /* return the rest, limit by max_size. Note that we
483 use the w2k3 element size value of 60 */
484 r->out.domains->count = count - *r->in.resume_handle;
485 r->out.domains->count = MIN(r->out.domains->count,
486 1+(r->in.max_size/LSA_ENUM_TRUST_DOMAIN_MULTIPLIER));
488 r->out.domains->domains = entries + *r->in.resume_handle;
490 if (r->out.domains->count < count - *r->in.resume_handle) {
491 *r->out.resume_handle = *r->in.resume_handle + r->out.domains->count;
492 return STATUS_MORE_ENTRIES;
495 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
496 * always be larger than the previous input resume handle, in
497 * particular when hitting the last query it is vital to set the
498 * resume handle correctly to avoid infinite client loops, as
499 * seen e.g. with Windows XP SP3 when resume handle is 0 and
500 * status is NT_STATUS_OK - gd */
502 *r->out.resume_handle = (uint32_t)-1;
507 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
508 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
509 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
511 /***************************************************************************
513 ***************************************************************************/
515 NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
516 struct lsa_QueryInfoPolicy *r)
518 NTSTATUS status = NT_STATUS_OK;
519 struct lsa_info *handle;
523 union lsa_PolicyInformation *info = NULL;
524 uint32_t acc_required = 0;
526 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
527 return NT_STATUS_INVALID_HANDLE;
529 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
530 return NT_STATUS_INVALID_HANDLE;
533 switch (r->in.level) {
534 case LSA_POLICY_INFO_AUDIT_LOG:
535 case LSA_POLICY_INFO_AUDIT_EVENTS:
536 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
538 case LSA_POLICY_INFO_DOMAIN:
539 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
541 case LSA_POLICY_INFO_PD:
542 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
544 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
545 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
547 case LSA_POLICY_INFO_ROLE:
548 case LSA_POLICY_INFO_REPLICA:
549 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
551 case LSA_POLICY_INFO_QUOTA:
552 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
554 case LSA_POLICY_INFO_MOD:
555 case LSA_POLICY_INFO_AUDIT_FULL_SET:
556 /* according to MS-LSAD 3.1.4.4.3 */
557 return NT_STATUS_INVALID_PARAMETER;
558 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
559 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
561 case LSA_POLICY_INFO_DNS:
562 case LSA_POLICY_INFO_DNS_INT:
563 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
564 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
570 if (!(handle->access & acc_required)) {
571 /* return NT_STATUS_ACCESS_DENIED; */
574 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
576 return NT_STATUS_NO_MEMORY;
579 switch (r->in.level) {
580 case LSA_POLICY_INFO_AUDIT_EVENTS:
583 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
585 /* check if the user has enough rights */
586 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
587 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
588 return NT_STATUS_ACCESS_DENIED;
591 /* fake info: We audit everything. ;) */
593 info->audit_events.auditing_mode = true;
594 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
595 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
596 enum lsa_PolicyAuditPolicy,
597 info->audit_events.count);
598 if (!info->audit_events.settings) {
599 return NT_STATUS_NO_MEMORY;
602 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
603 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
604 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
605 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
606 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
607 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
608 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
612 case LSA_POLICY_INFO_DOMAIN:
613 /* check if the user has enough rights */
614 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
615 return NT_STATUS_ACCESS_DENIED;
617 /* Request PolicyPrimaryDomainInformation. */
618 switch (lp_server_role()) {
619 case ROLE_DOMAIN_PDC:
620 case ROLE_DOMAIN_BDC:
621 name = get_global_sam_name();
622 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
624 return NT_STATUS_NO_MEMORY;
627 case ROLE_DOMAIN_MEMBER:
628 name = lp_workgroup();
629 /* We need to return the Domain SID here. */
630 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
631 sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
633 return NT_STATUS_NO_MEMORY;
636 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
639 case ROLE_STANDALONE:
640 name = lp_workgroup();
644 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
646 init_dom_query_3(&info->domain, name, sid);
648 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
649 /* check if the user has enough rights */
650 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
651 return NT_STATUS_ACCESS_DENIED;
653 /* Request PolicyAccountDomainInformation. */
654 name = get_global_sam_name();
655 sid = get_global_sam_sid();
657 init_dom_query_5(&info->account_domain, name, sid);
659 case LSA_POLICY_INFO_ROLE:
660 /* check if the user has enough rights */
661 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
662 return NT_STATUS_ACCESS_DENIED;
664 switch (lp_server_role()) {
665 case ROLE_DOMAIN_BDC:
667 * only a BDC is a backup controller
668 * of the domain, it controls.
670 info->role.role = LSA_ROLE_BACKUP;
674 * any other role is a primary
675 * of the domain, it controls.
677 info->role.role = LSA_ROLE_PRIMARY;
681 case LSA_POLICY_INFO_DNS:
682 case LSA_POLICY_INFO_DNS_INT: {
683 struct pdb_domain_info *dominfo;
685 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
686 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
687 "without ADS passdb backend\n"));
688 status = NT_STATUS_INVALID_INFO_CLASS;
692 dominfo = pdb_get_domain_info(info);
693 if (dominfo == NULL) {
694 status = NT_STATUS_NO_MEMORY;
698 init_lsa_StringLarge(&info->dns.name,
700 init_lsa_StringLarge(&info->dns.dns_domain,
701 dominfo->dns_domain);
702 init_lsa_StringLarge(&info->dns.dns_forest,
703 dominfo->dns_forest);
704 info->dns.domain_guid = dominfo->guid;
705 info->dns.sid = &dominfo->sid;
709 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
711 status = NT_STATUS_INVALID_INFO_CLASS;
720 /***************************************************************************
721 _lsa_QueryInfoPolicy2
722 ***************************************************************************/
724 NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p,
725 struct lsa_QueryInfoPolicy2 *r2)
727 struct lsa_QueryInfoPolicy r;
729 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
730 p->rng_fault_state = True;
731 return NT_STATUS_NOT_IMPLEMENTED;
735 r.in.handle = r2->in.handle;
736 r.in.level = r2->in.level;
737 r.out.info = r2->out.info;
739 return _lsa_QueryInfoPolicy(p, &r);
742 /***************************************************************************
743 _lsa_lookup_sids_internal
744 ***************************************************************************/
746 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
748 uint16_t level, /* input */
749 int num_sids, /* input */
750 struct lsa_SidPtr *sid, /* input */
751 struct lsa_RefDomainList **pp_ref, /* input/output */
752 struct lsa_TranslatedName2 **pp_names,/* input/output */
753 uint32_t *pp_mapped_count) /* input/output */
757 const DOM_SID **sids = NULL;
758 struct lsa_RefDomainList *ref = NULL;
759 uint32 mapped_count = 0;
760 struct lsa_dom_info *dom_infos = NULL;
761 struct lsa_name_info *name_infos = NULL;
762 struct lsa_TranslatedName2 *names = NULL;
764 *pp_mapped_count = 0;
772 sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
773 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
775 if (sids == NULL || ref == NULL) {
776 return NT_STATUS_NO_MEMORY;
779 for (i=0; i<num_sids; i++) {
780 sids[i] = sid[i].sid;
783 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
784 &dom_infos, &name_infos);
786 if (!NT_STATUS_IS_OK(status)) {
790 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
792 return NT_STATUS_NO_MEMORY;
795 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
797 if (!dom_infos[i].valid) {
801 if (init_lsa_ref_domain_list(mem_ctx, ref,
803 &dom_infos[i].sid) != i) {
804 DEBUG(0, ("Domain %s mentioned twice??\n",
806 return NT_STATUS_INTERNAL_ERROR;
810 for (i=0; i<num_sids; i++) {
811 struct lsa_name_info *name = &name_infos[i];
813 if (name->type == SID_NAME_UNKNOWN) {
816 /* Unknown sids should return the string
817 * representation of the SID. Windows 2003 behaves
818 * rather erratic here, in many cases it returns the
819 * RID as 8 bytes hex, in others it returns the full
820 * SID. We (Jerry/VL) could not figure out which the
821 * hard cases are, so leave it with the SID. */
822 name->name = talloc_asprintf(p->mem_ctx, "%s",
825 if (name->name == NULL) {
826 return NT_STATUS_NO_MEMORY;
832 names[i].sid_type = name->type;
833 names[i].name.string = name->name;
834 names[i].sid_index = name->dom_idx;
835 names[i].unknown = 0;
838 status = NT_STATUS_NONE_MAPPED;
839 if (mapped_count > 0) {
840 status = (mapped_count < num_sids) ?
841 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
844 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
845 num_sids, mapped_count, nt_errstr(status)));
847 *pp_mapped_count = mapped_count;
854 /***************************************************************************
856 ***************************************************************************/
858 NTSTATUS _lsa_LookupSids(pipes_struct *p,
859 struct lsa_LookupSids *r)
862 struct lsa_info *handle;
863 int num_sids = r->in.sids->num_sids;
864 uint32 mapped_count = 0;
865 struct lsa_RefDomainList *domains = NULL;
866 struct lsa_TranslatedName *names_out = NULL;
867 struct lsa_TranslatedName2 *names = NULL;
870 if ((r->in.level < 1) || (r->in.level > 6)) {
871 return NT_STATUS_INVALID_PARAMETER;
874 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
875 return NT_STATUS_INVALID_HANDLE;
878 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
879 return NT_STATUS_INVALID_HANDLE;
882 /* check if the user has enough rights */
883 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
884 return NT_STATUS_ACCESS_DENIED;
887 if (num_sids > MAX_LOOKUP_SIDS) {
888 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
889 MAX_LOOKUP_SIDS, num_sids));
890 return NT_STATUS_NONE_MAPPED;
893 status = _lsa_lookup_sids_internal(p,
902 /* Only return here when there is a real error.
903 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
904 the requested sids could be resolved. Older versions of XP (pre SP3)
905 rely that we return with the string representations of those SIDs in
906 that case. If we don't, XP crashes - Guenther
909 if (NT_STATUS_IS_ERR(status) &&
910 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
914 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
915 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
918 return NT_STATUS_NO_MEMORY;
921 for (i=0; i<num_sids; i++) {
922 names_out[i].sid_type = names[i].sid_type;
923 names_out[i].name = names[i].name;
924 names_out[i].sid_index = names[i].sid_index;
927 *r->out.domains = domains;
928 r->out.names->count = num_sids;
929 r->out.names->names = names_out;
930 *r->out.count = mapped_count;
935 /***************************************************************************
937 ***************************************************************************/
939 NTSTATUS _lsa_LookupSids2(pipes_struct *p,
940 struct lsa_LookupSids2 *r)
943 struct lsa_info *handle;
944 int num_sids = r->in.sids->num_sids;
945 uint32 mapped_count = 0;
946 struct lsa_RefDomainList *domains = NULL;
947 struct lsa_TranslatedName2 *names = NULL;
948 bool check_policy = true;
950 switch (p->hdr_req.opnum) {
951 case NDR_LSA_LOOKUPSIDS3:
952 check_policy = false;
954 case NDR_LSA_LOOKUPSIDS2:
959 if ((r->in.level < 1) || (r->in.level > 6)) {
960 return NT_STATUS_INVALID_PARAMETER;
964 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
965 return NT_STATUS_INVALID_HANDLE;
968 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
969 return NT_STATUS_INVALID_HANDLE;
972 /* check if the user has enough rights */
973 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
974 return NT_STATUS_ACCESS_DENIED;
978 if (num_sids > MAX_LOOKUP_SIDS) {
979 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
980 MAX_LOOKUP_SIDS, num_sids));
981 return NT_STATUS_NONE_MAPPED;
984 status = _lsa_lookup_sids_internal(p,
993 *r->out.domains = domains;
994 r->out.names->count = num_sids;
995 r->out.names->names = names;
996 *r->out.count = mapped_count;
1001 /***************************************************************************
1003 ***************************************************************************/
1005 NTSTATUS _lsa_LookupSids3(pipes_struct *p,
1006 struct lsa_LookupSids3 *r)
1008 struct lsa_LookupSids2 q;
1010 /* No policy handle on this call. Restrict to crypto connections. */
1011 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1012 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
1013 get_remote_machine_name() ));
1014 return NT_STATUS_INVALID_PARAMETER;
1018 q.in.sids = r->in.sids;
1019 q.in.level = r->in.level;
1020 q.in.lookup_options = r->in.lookup_options;
1021 q.in.client_revision = r->in.client_revision;
1022 q.in.names = r->in.names;
1023 q.in.count = r->in.count;
1025 q.out.domains = r->out.domains;
1026 q.out.names = r->out.names;
1027 q.out.count = r->out.count;
1029 return _lsa_LookupSids2(p, &q);
1032 /***************************************************************************
1033 ***************************************************************************/
1035 static int lsa_lookup_level_to_flags(enum lsa_LookupNamesLevel level)
1040 case LSA_LOOKUP_NAMES_ALL: /* 1 */
1041 flags = LOOKUP_NAME_ALL;
1043 case LSA_LOOKUP_NAMES_DOMAINS_ONLY: /* 2 */
1044 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1046 case LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY: /* 3 */
1047 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1049 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY: /* 4 */
1050 case LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY: /* 5 */
1051 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2: /* 6 */
1052 case LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC: /* 7 */
1054 flags = LOOKUP_NAME_NONE;
1061 /***************************************************************************
1063 ***************************************************************************/
1065 NTSTATUS _lsa_LookupNames(pipes_struct *p,
1066 struct lsa_LookupNames *r)
1068 NTSTATUS status = NT_STATUS_NONE_MAPPED;
1069 struct lsa_info *handle;
1070 struct lsa_String *names = r->in.names;
1071 uint32 num_entries = r->in.num_names;
1072 struct lsa_RefDomainList *domains = NULL;
1073 struct lsa_TranslatedSid *rids = NULL;
1074 uint32 mapped_count = 0;
1077 if (num_entries > MAX_LOOKUP_SIDS) {
1078 num_entries = MAX_LOOKUP_SIDS;
1079 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1083 flags = lsa_lookup_level_to_flags(r->in.level);
1085 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1087 return NT_STATUS_NO_MEMORY;
1091 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1094 return NT_STATUS_NO_MEMORY;
1100 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1101 status = NT_STATUS_INVALID_HANDLE;
1105 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1106 return NT_STATUS_INVALID_HANDLE;
1109 /* check if the user has enough rights */
1110 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1111 status = NT_STATUS_ACCESS_DENIED;
1115 /* set up the LSA Lookup RIDs response */
1116 become_root(); /* lookup_name can require root privs */
1117 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1118 names, flags, &mapped_count);
1123 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1124 if (mapped_count == 0) {
1125 status = NT_STATUS_NONE_MAPPED;
1126 } else if (mapped_count != num_entries) {
1127 status = STATUS_SOME_UNMAPPED;
1131 *r->out.count = mapped_count;
1132 *r->out.domains = domains;
1133 r->out.sids->sids = rids;
1134 r->out.sids->count = num_entries;
1139 /***************************************************************************
1141 ***************************************************************************/
1143 NTSTATUS _lsa_LookupNames2(pipes_struct *p,
1144 struct lsa_LookupNames2 *r)
1147 struct lsa_LookupNames q;
1148 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1149 struct lsa_TransSidArray *sid_array = NULL;
1152 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1154 return NT_STATUS_NO_MEMORY;
1157 q.in.handle = r->in.handle;
1158 q.in.num_names = r->in.num_names;
1159 q.in.names = r->in.names;
1160 q.in.level = r->in.level;
1161 q.in.sids = sid_array;
1162 q.in.count = r->in.count;
1163 /* we do not know what this is for */
1164 /* = r->in.unknown1; */
1165 /* = r->in.unknown2; */
1167 q.out.domains = r->out.domains;
1168 q.out.sids = sid_array;
1169 q.out.count = r->out.count;
1171 status = _lsa_LookupNames(p, &q);
1173 sid_array2->count = sid_array->count;
1174 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1175 if (!sid_array2->sids) {
1176 return NT_STATUS_NO_MEMORY;
1179 for (i=0; i<sid_array->count; i++) {
1180 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1181 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1182 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1183 sid_array2->sids[i].unknown = 0;
1186 r->out.sids = sid_array2;
1191 /***************************************************************************
1193 ***************************************************************************/
1195 NTSTATUS _lsa_LookupNames3(pipes_struct *p,
1196 struct lsa_LookupNames3 *r)
1199 struct lsa_info *handle;
1200 struct lsa_String *names = r->in.names;
1201 uint32 num_entries = r->in.num_names;
1202 struct lsa_RefDomainList *domains = NULL;
1203 struct lsa_TranslatedSid3 *trans_sids = NULL;
1204 uint32 mapped_count = 0;
1206 bool check_policy = true;
1208 switch (p->hdr_req.opnum) {
1209 case NDR_LSA_LOOKUPNAMES4:
1210 check_policy = false;
1212 case NDR_LSA_LOOKUPNAMES3:
1214 check_policy = true;
1217 if (num_entries > MAX_LOOKUP_SIDS) {
1218 num_entries = MAX_LOOKUP_SIDS;
1219 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1222 /* Probably the lookup_level is some sort of bitmask. */
1223 if (r->in.level == 1) {
1224 flags = LOOKUP_NAME_ALL;
1227 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1229 return NT_STATUS_NO_MEMORY;
1233 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1236 return NT_STATUS_NO_MEMORY;
1244 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1245 status = NT_STATUS_INVALID_HANDLE;
1249 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1250 return NT_STATUS_INVALID_HANDLE;
1253 /* check if the user has enough rights */
1254 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1255 status = NT_STATUS_ACCESS_DENIED;
1260 /* set up the LSA Lookup SIDs response */
1261 become_root(); /* lookup_name can require root privs */
1262 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1263 names, flags, &mapped_count);
1268 if (NT_STATUS_IS_OK(status)) {
1269 if (mapped_count == 0) {
1270 status = NT_STATUS_NONE_MAPPED;
1271 } else if (mapped_count != num_entries) {
1272 status = STATUS_SOME_UNMAPPED;
1276 *r->out.count = mapped_count;
1277 *r->out.domains = domains;
1278 r->out.sids->sids = trans_sids;
1279 r->out.sids->count = num_entries;
1284 /***************************************************************************
1286 ***************************************************************************/
1288 NTSTATUS _lsa_LookupNames4(pipes_struct *p,
1289 struct lsa_LookupNames4 *r)
1291 struct lsa_LookupNames3 q;
1293 /* No policy handle on this call. Restrict to crypto connections. */
1294 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1295 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1296 get_remote_machine_name() ));
1297 return NT_STATUS_INVALID_PARAMETER;
1301 q.in.num_names = r->in.num_names;
1302 q.in.names = r->in.names;
1303 q.in.level = r->in.level;
1304 q.in.lookup_options = r->in.lookup_options;
1305 q.in.client_revision = r->in.client_revision;
1306 q.in.sids = r->in.sids;
1307 q.in.count = r->in.count;
1309 q.out.domains = r->out.domains;
1310 q.out.sids = r->out.sids;
1311 q.out.count = r->out.count;
1313 return _lsa_LookupNames3(p, &q);
1316 /***************************************************************************
1317 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1318 ***************************************************************************/
1320 NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
1322 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1323 return NT_STATUS_INVALID_HANDLE;
1326 close_policy_hnd(p, r->in.handle);
1327 ZERO_STRUCTP(r->out.handle);
1328 return NT_STATUS_OK;
1331 /***************************************************************************
1332 ***************************************************************************/
1334 NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
1336 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1339 /***************************************************************************
1340 ***************************************************************************/
1342 NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
1344 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1347 /***************************************************************************
1348 ***************************************************************************/
1350 NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
1352 return NT_STATUS_ACCESS_DENIED;
1355 /***************************************************************************
1356 ***************************************************************************/
1358 NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
1360 return NT_STATUS_ACCESS_DENIED;
1363 /***************************************************************************
1364 ***************************************************************************/
1366 NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
1368 return NT_STATUS_ACCESS_DENIED;
1371 /***************************************************************************
1373 ***************************************************************************/
1375 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
1376 struct lsa_DeleteObject *r)
1379 struct lsa_info *info = NULL;
1381 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1382 return NT_STATUS_INVALID_HANDLE;
1385 if (!(info->access & STD_RIGHT_DELETE_ACCESS)) {
1386 return NT_STATUS_ACCESS_DENIED;
1389 switch (info->type) {
1390 case LSA_HANDLE_ACCOUNT_TYPE:
1391 status = privilege_delete_account(&info->sid);
1392 if (!NT_STATUS_IS_OK(status)) {
1393 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1394 nt_errstr(status)));
1399 return NT_STATUS_INVALID_HANDLE;
1402 close_policy_hnd(p, r->in.handle);
1403 ZERO_STRUCTP(r->out.handle);
1408 /***************************************************************************
1410 ***************************************************************************/
1412 NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
1413 struct lsa_EnumPrivs *r)
1415 struct lsa_info *handle;
1417 uint32 enum_context = *r->in.resume_handle;
1418 int num_privs = count_all_privileges();
1419 struct lsa_PrivEntry *entries = NULL;
1422 /* remember that the enum_context starts at 0 and not 1 */
1424 if ( enum_context >= num_privs )
1425 return NT_STATUS_NO_MORE_ENTRIES;
1427 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1428 enum_context, num_privs));
1430 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1431 return NT_STATUS_INVALID_HANDLE;
1433 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1434 return NT_STATUS_INVALID_HANDLE;
1437 /* check if the user has enough rights
1438 I don't know if it's the right one. not documented. */
1440 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1441 return NT_STATUS_ACCESS_DENIED;
1444 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1446 return NT_STATUS_NO_MEMORY;
1452 for (i = 0; i < num_privs; i++) {
1453 if( i < enum_context) {
1455 init_lsa_StringLarge(&entries[i].name, NULL);
1457 entries[i].luid.low = 0;
1458 entries[i].luid.high = 0;
1461 init_lsa_StringLarge(&entries[i].name, privs[i].name);
1463 luid = get_privilege_luid( &privs[i].se_priv );
1465 entries[i].luid.low = luid.luid.low;
1466 entries[i].luid.high = luid.luid.high;
1470 enum_context = num_privs;
1472 *r->out.resume_handle = enum_context;
1473 r->out.privs->count = num_privs;
1474 r->out.privs->privs = entries;
1476 return NT_STATUS_OK;
1479 /***************************************************************************
1480 _lsa_LookupPrivDisplayName
1481 ***************************************************************************/
1483 NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
1484 struct lsa_LookupPrivDisplayName *r)
1486 struct lsa_info *handle;
1487 const char *description;
1488 struct lsa_StringLarge *lsa_name;
1490 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1491 return NT_STATUS_INVALID_HANDLE;
1493 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1494 return NT_STATUS_INVALID_HANDLE;
1497 /* check if the user has enough rights */
1500 * I don't know if it's the right one. not documented.
1502 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1503 return NT_STATUS_ACCESS_DENIED;
1505 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1507 description = get_privilege_dispname(r->in.name->string);
1509 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1510 return NT_STATUS_NO_SUCH_PRIVILEGE;
1513 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1515 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1517 return NT_STATUS_NO_MEMORY;
1520 init_lsa_StringLarge(lsa_name, description);
1522 *r->out.returned_language_id = r->in.language_id;
1523 *r->out.disp_name = lsa_name;
1525 return NT_STATUS_OK;
1528 /***************************************************************************
1530 ***************************************************************************/
1532 NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
1533 struct lsa_EnumAccounts *r)
1535 struct lsa_info *handle;
1537 int i, j, num_entries;
1539 struct lsa_SidPtr *sids = NULL;
1541 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1542 return NT_STATUS_INVALID_HANDLE;
1544 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1545 return NT_STATUS_INVALID_HANDLE;
1548 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1549 return NT_STATUS_ACCESS_DENIED;
1554 /* The only way we can currently find out all the SIDs that have been
1555 privileged is to scan all privileges */
1557 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1558 if (!NT_STATUS_IS_OK(status)) {
1562 if (*r->in.resume_handle >= num_entries) {
1563 return NT_STATUS_NO_MORE_ENTRIES;
1566 if (num_entries - *r->in.resume_handle) {
1567 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1568 num_entries - *r->in.resume_handle);
1570 talloc_free(sid_list);
1571 return NT_STATUS_NO_MEMORY;
1574 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1575 sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1577 talloc_free(sid_list);
1578 return NT_STATUS_NO_MEMORY;
1583 talloc_free(sid_list);
1585 *r->out.resume_handle = num_entries;
1586 r->out.sids->num_sids = num_entries;
1587 r->out.sids->sids = sids;
1589 return NT_STATUS_OK;
1592 /***************************************************************************
1594 ***************************************************************************/
1596 NTSTATUS _lsa_GetUserName(pipes_struct *p,
1597 struct lsa_GetUserName *r)
1599 const char *username, *domname;
1600 struct lsa_String *account_name = NULL;
1601 struct lsa_String *authority_name = NULL;
1603 if (r->in.account_name &&
1604 *r->in.account_name) {
1605 return NT_STATUS_INVALID_PARAMETER;
1608 if (r->in.authority_name &&
1609 *r->in.authority_name) {
1610 return NT_STATUS_INVALID_PARAMETER;
1613 if (p->server_info->guest) {
1615 * I'm 99% sure this is not the right place to do this,
1616 * global_sid_Anonymous should probably be put into the token
1617 * instead of the guest id -- vl
1619 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1620 &domname, &username, NULL)) {
1621 return NT_STATUS_NO_MEMORY;
1624 username = p->server_info->sanitized_username;
1625 domname = pdb_get_domain(p->server_info->sam_account);
1628 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1629 if (!account_name) {
1630 return NT_STATUS_NO_MEMORY;
1632 init_lsa_String(account_name, username);
1634 if (r->out.authority_name) {
1635 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1636 if (!authority_name) {
1637 return NT_STATUS_NO_MEMORY;
1639 init_lsa_String(authority_name, domname);
1642 *r->out.account_name = account_name;
1643 if (r->out.authority_name) {
1644 *r->out.authority_name = authority_name;
1647 return NT_STATUS_OK;
1650 /***************************************************************************
1652 ***************************************************************************/
1654 NTSTATUS _lsa_CreateAccount(pipes_struct *p,
1655 struct lsa_CreateAccount *r)
1658 struct lsa_info *handle;
1659 struct lsa_info *info;
1660 uint32_t acc_granted;
1661 struct security_descriptor *psd;
1664 /* find the connection policy handle. */
1665 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1666 return NT_STATUS_INVALID_HANDLE;
1668 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1669 return NT_STATUS_INVALID_HANDLE;
1672 /* check if the user has enough rights */
1674 if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
1675 return NT_STATUS_ACCESS_DENIED;
1678 /* Work out max allowed. */
1679 map_max_allowed_access(p->server_info->ptok,
1680 &p->server_info->utok,
1681 &r->in.access_mask);
1683 /* map the generic bits to the lsa policy ones */
1684 se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1686 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1687 &lsa_account_mapping,
1688 r->in.sid, LSA_POLICY_ALL_ACCESS);
1689 if (!NT_STATUS_IS_OK(status)) {
1693 status = access_check_object(psd, p->server_info->ptok,
1694 NULL, 0, r->in.access_mask,
1695 &acc_granted, "_lsa_CreateAccount");
1696 if (!NT_STATUS_IS_OK(status)) {
1700 if ( is_privileged_sid( r->in.sid ) )
1701 return NT_STATUS_OBJECT_NAME_COLLISION;
1703 /* associate the user/group SID with the (unique) handle. */
1705 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1707 return NT_STATUS_NO_MEMORY;
1710 info->sid = *r->in.sid;
1711 info->access = acc_granted;
1712 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1714 /* get a (unique) handle. open a policy on it. */
1715 if (!create_policy_hnd(p, r->out.acct_handle, info))
1716 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1718 return privilege_create_account( &info->sid );
1721 /***************************************************************************
1723 ***************************************************************************/
1725 NTSTATUS _lsa_OpenAccount(pipes_struct *p,
1726 struct lsa_OpenAccount *r)
1728 struct lsa_info *handle;
1729 struct lsa_info *info;
1730 SEC_DESC *psd = NULL;
1732 uint32_t des_access = r->in.access_mask;
1733 uint32_t acc_granted;
1736 /* find the connection policy handle. */
1737 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1738 return NT_STATUS_INVALID_HANDLE;
1740 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1741 return NT_STATUS_INVALID_HANDLE;
1744 /* des_access is for the account here, not the policy
1745 * handle - so don't check against policy handle. */
1747 /* Work out max allowed. */
1748 map_max_allowed_access(p->server_info->ptok,
1749 &p->server_info->utok,
1752 /* map the generic bits to the lsa account ones */
1753 se_map_generic(&des_access, &lsa_account_mapping);
1755 /* get the generic lsa account SD until we store it */
1756 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1757 &lsa_account_mapping,
1758 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1759 if (!NT_STATUS_IS_OK(status)) {
1763 status = access_check_object(psd, p->server_info->ptok,
1764 NULL, 0, des_access,
1765 &acc_granted, "_lsa_OpenAccount" );
1766 if (!NT_STATUS_IS_OK(status)) {
1770 /* TODO: Fis the parsing routine before reenabling this check! */
1772 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1773 return NT_STATUS_ACCESS_DENIED;
1775 /* associate the user/group SID with the (unique) handle. */
1776 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1778 return NT_STATUS_NO_MEMORY;
1781 info->sid = *r->in.sid;
1782 info->access = acc_granted;
1783 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1785 /* get a (unique) handle. open a policy on it. */
1786 if (!create_policy_hnd(p, r->out.acct_handle, info))
1787 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1789 return NT_STATUS_OK;
1792 /***************************************************************************
1793 _lsa_EnumPrivsAccount
1794 For a given SID, enumerate all the privilege this account has.
1795 ***************************************************************************/
1797 NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
1798 struct lsa_EnumPrivsAccount *r)
1800 NTSTATUS status = NT_STATUS_OK;
1801 struct lsa_info *info=NULL;
1803 PRIVILEGE_SET privileges;
1804 struct lsa_PrivilegeSet *priv_set = NULL;
1805 struct lsa_LUIDAttribute *luid_attrs = NULL;
1808 /* find the connection policy handle. */
1809 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1810 return NT_STATUS_INVALID_HANDLE;
1812 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1813 return NT_STATUS_INVALID_HANDLE;
1816 if (!(info->access & LSA_ACCOUNT_VIEW))
1817 return NT_STATUS_ACCESS_DENIED;
1819 get_privileges_for_sids(&mask, &info->sid, 1);
1821 privilege_set_init( &privileges );
1823 priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1825 status = NT_STATUS_NO_MEMORY;
1829 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1831 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1832 sid_string_dbg(&info->sid),
1835 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1836 struct lsa_LUIDAttribute,
1839 status = NT_STATUS_NO_MEMORY;
1843 for (i=0; i<privileges.count; i++) {
1844 luid_attrs[i].luid.low = privileges.set[i].luid.low;
1845 luid_attrs[i].luid.high = privileges.set[i].luid.high;
1846 luid_attrs[i].attribute = privileges.set[i].attr;
1849 priv_set->count = privileges.count;
1850 priv_set->unknown = 0;
1851 priv_set->set = luid_attrs;
1854 priv_set->count = 0;
1855 priv_set->unknown = 0;
1856 priv_set->set = NULL;
1859 *r->out.privs = priv_set;
1862 privilege_set_free( &privileges );
1867 /***************************************************************************
1868 _lsa_GetSystemAccessAccount
1869 ***************************************************************************/
1871 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
1872 struct lsa_GetSystemAccessAccount *r)
1875 struct lsa_info *info = NULL;
1876 struct lsa_EnumPrivsAccount e;
1877 struct lsa_PrivilegeSet *privset;
1879 /* find the connection policy handle. */
1881 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1882 return NT_STATUS_INVALID_HANDLE;
1884 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1885 return NT_STATUS_INVALID_HANDLE;
1888 if (!(info->access & LSA_ACCOUNT_VIEW))
1889 return NT_STATUS_ACCESS_DENIED;
1891 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1893 return NT_STATUS_NO_MEMORY;
1896 e.in.handle = r->in.handle;
1897 e.out.privs = &privset;
1899 status = _lsa_EnumPrivsAccount(p, &e);
1900 if (!NT_STATUS_IS_OK(status)) {
1901 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1902 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1903 nt_errstr(status)));
1907 /* Samba4 would iterate over the privset to merge the policy mode bits,
1908 * not sure samba3 can do the same here, so just return what we did in
1912 0x01 -> Log on locally
1913 0x02 -> Access this computer from network
1914 0x04 -> Log on as a batch job
1915 0x10 -> Log on as a service
1917 they can be ORed together
1920 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1921 LSA_POLICY_MODE_NETWORK;
1923 return NT_STATUS_OK;
1926 /***************************************************************************
1927 update the systemaccount information
1928 ***************************************************************************/
1930 NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
1931 struct lsa_SetSystemAccessAccount *r)
1933 struct lsa_info *info=NULL;
1936 /* find the connection policy handle. */
1937 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1938 return NT_STATUS_INVALID_HANDLE;
1940 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1941 return NT_STATUS_INVALID_HANDLE;
1944 if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1945 return NT_STATUS_ACCESS_DENIED;
1948 if (!pdb_getgrsid(&map, info->sid))
1949 return NT_STATUS_NO_SUCH_GROUP;
1951 return pdb_update_group_mapping_entry(&map);
1954 /***************************************************************************
1955 _lsa_AddPrivilegesToAccount
1956 For a given SID, add some privileges.
1957 ***************************************************************************/
1959 NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
1960 struct lsa_AddPrivilegesToAccount *r)
1962 struct lsa_info *info = NULL;
1964 struct lsa_PrivilegeSet *set = NULL;
1966 /* find the connection policy handle. */
1967 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1968 return NT_STATUS_INVALID_HANDLE;
1970 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1971 return NT_STATUS_INVALID_HANDLE;
1974 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
1975 return NT_STATUS_ACCESS_DENIED;
1979 if ( !privilege_set_to_se_priv( &mask, set ) )
1980 return NT_STATUS_NO_SUCH_PRIVILEGE;
1982 if ( !grant_privilege( &info->sid, &mask ) ) {
1983 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1984 sid_string_dbg(&info->sid) ));
1985 DEBUG(3,("Privilege mask:\n"));
1986 dump_se_priv( DBGC_ALL, 3, &mask );
1987 return NT_STATUS_NO_SUCH_PRIVILEGE;
1990 return NT_STATUS_OK;
1993 /***************************************************************************
1994 _lsa_RemovePrivilegesFromAccount
1995 For a given SID, remove some privileges.
1996 ***************************************************************************/
1998 NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
1999 struct lsa_RemovePrivilegesFromAccount *r)
2001 struct lsa_info *info = NULL;
2003 struct lsa_PrivilegeSet *set = NULL;
2005 /* find the connection policy handle. */
2006 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2007 return NT_STATUS_INVALID_HANDLE;
2009 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2010 return NT_STATUS_INVALID_HANDLE;
2013 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2014 return NT_STATUS_ACCESS_DENIED;
2019 if ( !privilege_set_to_se_priv( &mask, set ) )
2020 return NT_STATUS_NO_SUCH_PRIVILEGE;
2022 if ( !revoke_privilege( &info->sid, &mask ) ) {
2023 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2024 sid_string_dbg(&info->sid) ));
2025 DEBUG(3,("Privilege mask:\n"));
2026 dump_se_priv( DBGC_ALL, 3, &mask );
2027 return NT_STATUS_NO_SUCH_PRIVILEGE;
2030 return NT_STATUS_OK;
2033 /***************************************************************************
2035 ***************************************************************************/
2037 NTSTATUS _lsa_LookupPrivName(pipes_struct *p,
2038 struct lsa_LookupPrivName *r)
2040 struct lsa_info *info = NULL;
2042 struct lsa_StringLarge *lsa_name;
2044 /* find the connection policy handle. */
2045 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2046 return NT_STATUS_INVALID_HANDLE;
2049 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2050 return NT_STATUS_INVALID_HANDLE;
2053 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2054 return NT_STATUS_ACCESS_DENIED;
2057 name = luid_to_privilege_name((LUID *)r->in.luid);
2059 return NT_STATUS_NO_SUCH_PRIVILEGE;
2062 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2064 return NT_STATUS_NO_MEMORY;
2067 lsa_name->string = talloc_strdup(lsa_name, name);
2068 if (!lsa_name->string) {
2069 TALLOC_FREE(lsa_name);
2070 return NT_STATUS_NO_MEMORY;
2073 *r->out.name = lsa_name;
2075 return NT_STATUS_OK;
2078 /***************************************************************************
2080 ***************************************************************************/
2082 NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
2083 struct lsa_QuerySecurity *r)
2085 struct lsa_info *handle=NULL;
2086 SEC_DESC *psd = NULL;
2090 /* find the connection policy handle. */
2091 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2092 return NT_STATUS_INVALID_HANDLE;
2094 switch (handle->type) {
2095 case LSA_HANDLE_POLICY_TYPE:
2096 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2097 &lsa_policy_mapping, NULL, 0);
2099 case LSA_HANDLE_ACCOUNT_TYPE:
2100 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2101 &lsa_account_mapping,
2102 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2105 status = NT_STATUS_INVALID_HANDLE;
2109 if (!NT_STATUS_IS_OK(status)) {
2113 *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2114 if (!*r->out.sdbuf) {
2115 return NT_STATUS_NO_MEMORY;
2121 /***************************************************************************
2122 _lsa_AddAccountRights
2123 ***************************************************************************/
2125 NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
2126 struct lsa_AddAccountRights *r)
2128 struct lsa_info *info = NULL;
2130 uint32_t acc_granted = 0;
2131 SEC_DESC *psd = NULL;
2136 /* find the connection policy handle. */
2137 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2138 return NT_STATUS_INVALID_HANDLE;
2140 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2141 return NT_STATUS_INVALID_HANDLE;
2144 /* get the generic lsa account SD for this SID until we store it */
2145 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2146 &lsa_account_mapping,
2147 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2148 if (!NT_STATUS_IS_OK(status)) {
2153 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2154 * on the policy handle. If it does, ask for
2155 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2156 * on the account sid. We don't check here so just use the latter. JRA.
2159 status = access_check_object(psd, p->server_info->ptok,
2161 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2162 &acc_granted, "_lsa_AddAccountRights" );
2163 if (!NT_STATUS_IS_OK(status)) {
2167 /* according to an NT4 PDC, you can add privileges to SIDs even without
2168 call_lsa_create_account() first. And you can use any arbitrary SID. */
2170 sid_copy( &sid, r->in.sid );
2172 for ( i=0; i < r->in.rights->count; i++ ) {
2174 const char *privname = r->in.rights->names[i].string;
2176 /* only try to add non-null strings */
2181 if ( !grant_privilege_by_name( &sid, privname ) ) {
2182 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2184 return NT_STATUS_NO_SUCH_PRIVILEGE;
2188 return NT_STATUS_OK;
2191 /***************************************************************************
2192 _lsa_RemoveAccountRights
2193 ***************************************************************************/
2195 NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
2196 struct lsa_RemoveAccountRights *r)
2198 struct lsa_info *info = NULL;
2200 SEC_DESC *psd = NULL;
2203 const char *privname = NULL;
2204 uint32_t acc_granted = 0;
2207 /* find the connection policy handle. */
2208 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2209 return NT_STATUS_INVALID_HANDLE;
2211 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2212 return NT_STATUS_INVALID_HANDLE;
2215 /* get the generic lsa account SD for this SID until we store it */
2216 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2217 &lsa_account_mapping,
2218 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2219 if (!NT_STATUS_IS_OK(status)) {
2224 * From the MS DOCs. We need
2225 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2226 * and DELETE on the account sid.
2229 status = access_check_object(psd, p->server_info->ptok,
2231 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2232 LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
2233 &acc_granted, "_lsa_RemoveAccountRights");
2234 if (!NT_STATUS_IS_OK(status)) {
2238 sid_copy( &sid, r->in.sid );
2240 if ( r->in.remove_all ) {
2241 if ( !revoke_all_privileges( &sid ) )
2242 return NT_STATUS_ACCESS_DENIED;
2244 return NT_STATUS_OK;
2247 for ( i=0; i < r->in.rights->count; i++ ) {
2249 privname = r->in.rights->names[i].string;
2251 /* only try to add non-null strings */
2256 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2257 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2259 return NT_STATUS_NO_SUCH_PRIVILEGE;
2263 return NT_STATUS_OK;
2266 /*******************************************************************
2267 ********************************************************************/
2269 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2270 struct lsa_RightSet *r,
2271 PRIVILEGE_SET *privileges)
2274 const char *privname;
2275 const char **privname_array = NULL;
2278 for (i=0; i<privileges->count; i++) {
2280 privname = luid_to_privilege_name(&privileges->set[i].luid);
2282 if (!add_string_to_array(mem_ctx, privname,
2283 &privname_array, &num_priv)) {
2284 return NT_STATUS_NO_MEMORY;
2291 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2294 return NT_STATUS_NO_MEMORY;
2297 for (i=0; i<num_priv; i++) {
2298 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2301 r->count = num_priv;
2304 return NT_STATUS_OK;
2307 /***************************************************************************
2308 _lsa_EnumAccountRights
2309 ***************************************************************************/
2311 NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
2312 struct lsa_EnumAccountRights *r)
2315 struct lsa_info *info = NULL;
2317 PRIVILEGE_SET privileges;
2320 /* find the connection policy handle. */
2322 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2323 return NT_STATUS_INVALID_HANDLE;
2325 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2326 return NT_STATUS_INVALID_HANDLE;
2329 if (!(info->access & LSA_ACCOUNT_VIEW)) {
2330 return NT_STATUS_ACCESS_DENIED;
2333 /* according to an NT4 PDC, you can add privileges to SIDs even without
2334 call_lsa_create_account() first. And you can use any arbitrary SID. */
2336 sid_copy( &sid, r->in.sid );
2338 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2339 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2340 * the lsa database */
2342 if (!get_privileges_for_sids(&mask, &sid, 1)) {
2343 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2346 status = privilege_set_init(&privileges);
2347 if (!NT_STATUS_IS_OK(status)) {
2351 se_priv_to_privilege_set(&privileges, &mask);
2353 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2354 sid_string_dbg(&sid), privileges.count));
2356 status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2358 privilege_set_free( &privileges );
2363 /***************************************************************************
2364 _lsa_LookupPrivValue
2365 ***************************************************************************/
2367 NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
2368 struct lsa_LookupPrivValue *r)
2370 struct lsa_info *info = NULL;
2371 const char *name = NULL;
2372 LUID_ATTR priv_luid;
2375 /* find the connection policy handle. */
2377 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2378 return NT_STATUS_INVALID_HANDLE;
2380 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2381 return NT_STATUS_INVALID_HANDLE;
2384 if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2385 return NT_STATUS_ACCESS_DENIED;
2387 name = r->in.name->string;
2389 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2391 if ( !se_priv_from_name( name, &mask ) )
2392 return NT_STATUS_NO_SUCH_PRIVILEGE;
2394 priv_luid = get_privilege_luid( &mask );
2396 r->out.luid->low = priv_luid.luid.low;
2397 r->out.luid->high = priv_luid.luid.high;
2399 return NT_STATUS_OK;
2402 /***************************************************************************
2403 _lsa_EnumAccountsWithUserRight
2404 ***************************************************************************/
2406 NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p,
2407 struct lsa_EnumAccountsWithUserRight *r)
2410 struct lsa_info *info = NULL;
2411 struct dom_sid *sids = NULL;
2416 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2417 return NT_STATUS_INVALID_HANDLE;
2420 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2421 return NT_STATUS_INVALID_HANDLE;
2424 if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2425 return NT_STATUS_ACCESS_DENIED;
2428 if (!r->in.name || !r->in.name->string) {
2429 return NT_STATUS_NO_SUCH_PRIVILEGE;
2432 if (!se_priv_from_name(r->in.name->string, &mask)) {
2433 return NT_STATUS_NO_SUCH_PRIVILEGE;
2436 status = privilege_enum_sids(&mask, p->mem_ctx,
2438 if (!NT_STATUS_IS_OK(status)) {
2442 r->out.sids->num_sids = num_sids;
2443 r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2444 r->out.sids->num_sids);
2446 for (i=0; i < r->out.sids->num_sids; i++) {
2447 r->out.sids->sids[i].sid = sid_dup_talloc(r->out.sids->sids,
2449 if (!r->out.sids->sids[i].sid) {
2450 TALLOC_FREE(r->out.sids->sids);
2451 r->out.sids->num_sids = 0;
2452 return NT_STATUS_NO_MEMORY;
2456 return NT_STATUS_OK;
2459 /***************************************************************************
2461 ***************************************************************************/
2463 NTSTATUS _lsa_Delete(pipes_struct *p,
2464 struct lsa_Delete *r)
2466 return NT_STATUS_NOT_SUPPORTED;
2470 * From here on the server routines are just dummy ones to make smbd link with
2471 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2472 * pulling the server stubs across one by one.
2475 NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
2477 p->rng_fault_state = True;
2478 return NT_STATUS_NOT_IMPLEMENTED;
2481 NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
2483 p->rng_fault_state = True;
2484 return NT_STATUS_NOT_IMPLEMENTED;
2487 NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
2489 p->rng_fault_state = True;
2490 return NT_STATUS_NOT_IMPLEMENTED;
2493 NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
2495 p->rng_fault_state = True;
2496 return NT_STATUS_NOT_IMPLEMENTED;
2499 NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
2501 p->rng_fault_state = True;
2502 return NT_STATUS_NOT_IMPLEMENTED;
2505 NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
2507 p->rng_fault_state = True;
2508 return NT_STATUS_NOT_IMPLEMENTED;
2511 NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
2513 p->rng_fault_state = True;
2514 return NT_STATUS_NOT_IMPLEMENTED;
2517 NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
2519 p->rng_fault_state = True;
2520 return NT_STATUS_NOT_IMPLEMENTED;
2523 NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
2525 p->rng_fault_state = True;
2526 return NT_STATUS_NOT_IMPLEMENTED;
2529 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
2531 p->rng_fault_state = True;
2532 return NT_STATUS_NOT_IMPLEMENTED;
2535 NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
2537 p->rng_fault_state = True;
2538 return NT_STATUS_NOT_IMPLEMENTED;
2541 NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
2543 p->rng_fault_state = True;
2544 return NT_STATUS_NOT_IMPLEMENTED;
2547 NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
2549 p->rng_fault_state = True;
2550 return NT_STATUS_NOT_IMPLEMENTED;
2553 NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
2555 p->rng_fault_state = True;
2556 return NT_STATUS_NOT_IMPLEMENTED;
2559 NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
2561 p->rng_fault_state = True;
2562 return NT_STATUS_NOT_IMPLEMENTED;
2565 NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
2567 p->rng_fault_state = True;
2568 return NT_STATUS_NOT_IMPLEMENTED;
2571 NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
2573 p->rng_fault_state = True;
2574 return NT_STATUS_NOT_IMPLEMENTED;
2577 NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
2579 p->rng_fault_state = True;
2580 return NT_STATUS_NOT_IMPLEMENTED;
2583 NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
2585 p->rng_fault_state = True;
2586 return NT_STATUS_NOT_IMPLEMENTED;
2589 NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
2591 p->rng_fault_state = True;
2592 return NT_STATUS_NOT_IMPLEMENTED;
2595 NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
2597 p->rng_fault_state = True;
2598 return NT_STATUS_NOT_IMPLEMENTED;
2601 NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
2603 p->rng_fault_state = True;
2604 return NT_STATUS_NOT_IMPLEMENTED;
2607 NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
2609 p->rng_fault_state = True;
2610 return NT_STATUS_NOT_IMPLEMENTED;
2613 NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
2615 p->rng_fault_state = True;
2616 return NT_STATUS_NOT_IMPLEMENTED;
2619 NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
2621 p->rng_fault_state = True;
2622 return NT_STATUS_NOT_IMPLEMENTED;
2625 NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
2627 p->rng_fault_state = True;
2628 return NT_STATUS_NOT_IMPLEMENTED;
2631 NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
2633 p->rng_fault_state = True;
2634 return NT_STATUS_NOT_IMPLEMENTED;
2637 NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2639 p->rng_fault_state = True;
2640 return NT_STATUS_NOT_IMPLEMENTED;
2643 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2645 p->rng_fault_state = True;
2646 return NT_STATUS_NOT_IMPLEMENTED;
2649 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2651 p->rng_fault_state = True;
2652 return NT_STATUS_NOT_IMPLEMENTED;
2655 NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
2657 p->rng_fault_state = True;
2658 return NT_STATUS_NOT_IMPLEMENTED;
2661 NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
2663 p->rng_fault_state = True;
2664 return NT_STATUS_NOT_IMPLEMENTED;
2667 NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
2669 p->rng_fault_state = True;
2670 return NT_STATUS_NOT_IMPLEMENTED;
2673 NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
2675 p->rng_fault_state = True;
2676 return NT_STATUS_NOT_IMPLEMENTED;
2679 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
2681 p->rng_fault_state = True;
2682 return NT_STATUS_NOT_IMPLEMENTED;
2685 NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
2687 p->rng_fault_state = True;
2688 return NT_STATUS_NOT_IMPLEMENTED;
2691 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
2693 p->rng_fault_state = True;
2694 return NT_STATUS_NOT_IMPLEMENTED;
2697 NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
2699 p->rng_fault_state = True;
2700 return NT_STATUS_NOT_IMPLEMENTED;
2703 NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2705 p->rng_fault_state = True;
2706 return NT_STATUS_NOT_IMPLEMENTED;
2709 NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
2711 p->rng_fault_state = True;
2712 return NT_STATUS_NOT_IMPLEMENTED;
2715 NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
2717 p->rng_fault_state = True;
2718 return NT_STATUS_NOT_IMPLEMENTED;
2721 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2723 p->rng_fault_state = True;
2724 return NT_STATUS_NOT_IMPLEMENTED;
2727 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2729 p->rng_fault_state = True;
2730 return NT_STATUS_NOT_IMPLEMENTED;
2733 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
2735 p->rng_fault_state = True;
2736 return NT_STATUS_NOT_IMPLEMENTED;
git.samba.org / abartlet / samba.git / .git / blob