2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
29 /* This is the implementation of the lsa server code. */
34 #define DBGC_CLASS DBGC_RPC_SRV
36 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
45 const struct generic_mapping lsa_generic_mapping = {
52 /***************************************************************************
53 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
54 ***************************************************************************/
56 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
57 struct lsa_RefDomainList *ref,
63 if (dom_name != NULL) {
64 for (num = 0; num < ref->count; num++) {
65 if (sid_equal(dom_sid, ref->domains[num].sid)) {
73 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
74 /* index not found, already at maximum domain limit */
79 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
81 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
82 struct lsa_DomainInfo, ref->count);
87 ZERO_STRUCT(ref->domains[num]);
89 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
90 ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
91 if (!ref->domains[num].sid) {
99 /***************************************************************************
100 initialize a lsa_DomainInfo structure.
101 ***************************************************************************/
103 static void init_dom_query_3(struct lsa_DomainInfo *r,
107 init_lsa_StringLarge(&r->name, name);
111 /***************************************************************************
112 initialize a lsa_DomainInfo structure.
113 ***************************************************************************/
115 static void init_dom_query_5(struct lsa_DomainInfo *r,
119 init_lsa_StringLarge(&r->name, name);
123 /***************************************************************************
124 lookup_lsa_rids. Must be called as root for lookup_name to work.
125 ***************************************************************************/
127 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
128 struct lsa_RefDomainList *ref,
129 struct lsa_TranslatedSid *prid,
130 uint32_t num_entries,
131 struct lsa_String *name,
133 uint32_t *pmapped_count)
135 uint32 mapped_count, i;
137 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
142 for (i = 0; i < num_entries; i++) {
146 const char *full_name;
148 enum lsa_SidType type = SID_NAME_UNKNOWN;
150 /* Split name into domain and user component */
152 full_name = name[i].string;
153 if (full_name == NULL) {
154 return NT_STATUS_NO_MEMORY;
157 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
159 /* We can ignore the result of lookup_name, it will not touch
160 "type" if it's not successful */
162 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
167 case SID_NAME_DOM_GRP:
168 case SID_NAME_DOMAIN:
170 case SID_NAME_WKN_GRP:
171 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
172 /* Leave these unchanged */
175 /* Don't hand out anything but the list above */
176 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
177 type = SID_NAME_UNKNOWN;
184 if (type != SID_NAME_UNKNOWN) {
185 sid_split_rid(&sid, &rid);
186 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
190 prid[i].sid_type = type;
192 prid[i].sid_index = dom_idx;
195 *pmapped_count = mapped_count;
199 /***************************************************************************
200 lookup_lsa_sids. Must be called as root for lookup_name to work.
201 ***************************************************************************/
203 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
204 struct lsa_RefDomainList *ref,
205 struct lsa_TranslatedSid3 *trans_sids,
206 uint32_t num_entries,
207 struct lsa_String *name,
209 uint32 *pmapped_count)
211 uint32 mapped_count, i;
213 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
218 for (i = 0; i < num_entries; i++) {
222 const char *full_name;
224 enum lsa_SidType type = SID_NAME_UNKNOWN;
228 /* Split name into domain and user component */
230 full_name = name[i].string;
231 if (full_name == NULL) {
232 return NT_STATUS_NO_MEMORY;
235 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
237 /* We can ignore the result of lookup_name, it will not touch
238 "type" if it's not successful */
240 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
245 case SID_NAME_DOM_GRP:
246 case SID_NAME_DOMAIN:
248 case SID_NAME_WKN_GRP:
249 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
250 /* Leave these unchanged */
253 /* Don't hand out anything but the list above */
254 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
255 type = SID_NAME_UNKNOWN;
262 if (type != SID_NAME_UNKNOWN) {
264 sid_copy(&domain_sid, &sid);
265 sid_split_rid(&domain_sid, &rid);
266 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
270 /* Initialize the lsa_TranslatedSid3 return. */
271 trans_sids[i].sid_type = type;
272 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
273 trans_sids[i].sid_index = dom_idx;
276 *pmapped_count = mapped_count;
280 static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size)
282 DOM_SID local_adm_sid;
289 init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
290 LSA_POLICY_READ|LSA_POLICY_EXECUTE, 0);
292 sid_copy(&adm_sid, get_global_sam_sid());
293 sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
294 init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, LSA_POLICY_ALL_ACCESS, 0);
296 sid_copy(&local_adm_sid, &global_sid_Builtin);
297 sid_append_rid(&local_adm_sid, BUILTIN_ALIAS_RID_ADMINS);
298 init_sec_ace(&ace[2], &local_adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, LSA_POLICY_ALL_ACCESS, 0);
300 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
301 return NT_STATUS_NO_MEMORY;
303 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
304 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
305 psa, sd_size)) == NULL)
306 return NT_STATUS_NO_MEMORY;
311 #if 0 /* AD DC work in ongoing in Samba 4 */
313 /***************************************************************************
315 ***************************************************************************/
317 static void init_dns_dom_info(LSA_DNS_DOM_INFO *r_l, const char *nb_name,
318 const char *dns_name, const char *forest_name,
319 struct GUID *dom_guid, DOM_SID *dom_sid)
321 if (nb_name && *nb_name) {
322 init_unistr2(&r_l->uni_nb_dom_name, nb_name, UNI_FLAGS_NONE);
323 init_uni_hdr(&r_l->hdr_nb_dom_name, &r_l->uni_nb_dom_name);
324 r_l->hdr_nb_dom_name.uni_max_len += 2;
325 r_l->uni_nb_dom_name.uni_max_len += 1;
328 if (dns_name && *dns_name) {
329 init_unistr2(&r_l->uni_dns_dom_name, dns_name, UNI_FLAGS_NONE);
330 init_uni_hdr(&r_l->hdr_dns_dom_name, &r_l->uni_dns_dom_name);
331 r_l->hdr_dns_dom_name.uni_max_len += 2;
332 r_l->uni_dns_dom_name.uni_max_len += 1;
335 if (forest_name && *forest_name) {
336 init_unistr2(&r_l->uni_forest_name, forest_name, UNI_FLAGS_NONE);
337 init_uni_hdr(&r_l->hdr_forest_name, &r_l->uni_forest_name);
338 r_l->hdr_forest_name.uni_max_len += 2;
339 r_l->uni_forest_name.uni_max_len += 1;
342 /* how do we init the guid ? probably should write an init fn */
344 memcpy(&r_l->dom_guid, dom_guid, sizeof(struct GUID));
348 r_l->ptr_dom_sid = 1;
349 init_dom_sid2(&r_l->dom_sid, dom_sid);
352 #endif /* AD DC work in ongoing in Samba 4 */
355 /***************************************************************************
357 ***************************************************************************/
359 NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
360 struct lsa_OpenPolicy2 *r)
362 struct lsa_info *info;
363 SEC_DESC *psd = NULL;
365 uint32 des_access = r->in.access_mask;
369 /* Work out max allowed. */
370 map_max_allowed_access(p->server_info->ptok, &des_access);
372 /* map the generic bits to the lsa policy ones */
373 se_map_generic(&des_access, &lsa_generic_mapping);
375 /* get the generic lsa policy SD until we store it */
376 lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
378 status = access_check_object(psd, p->server_info->ptok,
380 &acc_granted, "_lsa_OpenPolicy2" );
382 if (!NT_STATUS_IS_OK(status)) {
386 /* associate the domain SID with the (unique) handle. */
387 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
389 return NT_STATUS_NO_MEMORY;
392 sid_copy(&info->sid,get_global_sam_sid());
393 info->access = acc_granted;
395 /* set up the LSA QUERY INFO response */
396 if (!create_policy_hnd(p, r->out.handle, info))
397 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
402 /***************************************************************************
404 ***************************************************************************/
406 NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
407 struct lsa_OpenPolicy *r)
409 struct lsa_OpenPolicy2 o;
411 o.in.system_name = NULL; /* should be ignored */
412 o.in.attr = r->in.attr;
413 o.in.access_mask = r->in.access_mask;
415 o.out.handle = r->out.handle;
417 return _lsa_OpenPolicy2(p, &o);
420 /***************************************************************************
421 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
423 ***************************************************************************/
425 NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
426 struct lsa_EnumTrustDom *r)
428 struct lsa_info *info;
430 struct trustdom_info **domains;
431 struct lsa_DomainInfo *lsa_domains = NULL;
435 * preferred length is set to 5 as a "our" preferred length
436 * nt sets this parameter to 2
437 * update (20.08.2002): it's not preferred length, but preferred size!
438 * it needs further investigation how to optimally choose this value
440 uint32 max_num_domains =
441 r->in.max_size < 5 ? r->in.max_size : 10;
446 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
447 return NT_STATUS_INVALID_HANDLE;
449 /* check if the user has enough rights */
450 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
451 return NT_STATUS_ACCESS_DENIED;
454 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
457 if (!NT_STATUS_IS_OK(nt_status)) {
461 if (*r->in.resume_handle < num_domains) {
462 num_thistime = MIN(num_domains, max_num_domains);
464 nt_status = STATUS_MORE_ENTRIES;
466 if (*r->in.resume_handle + num_thistime > num_domains) {
467 num_thistime = num_domains - *r->in.resume_handle;
468 nt_status = NT_STATUS_OK;
471 next_idx = *r->in.resume_handle + num_thistime;
474 next_idx = 0xffffffff;
475 nt_status = NT_STATUS_NO_MORE_ENTRIES;
478 /* set up the lsa_enum_trust_dom response */
480 lsa_domains = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo,
483 return NT_STATUS_NO_MEMORY;
486 for (i=0; i<num_thistime; i++) {
487 init_lsa_StringLarge(&lsa_domains[i].name, domains[i]->name);
488 lsa_domains[i].sid = &domains[i]->sid;
491 *r->out.resume_handle = next_idx;
492 r->out.domains->count = num_thistime;
493 r->out.domains->domains = lsa_domains;
498 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
499 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
500 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
502 /***************************************************************************
504 ***************************************************************************/
506 NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
507 struct lsa_QueryInfoPolicy *r)
509 NTSTATUS status = NT_STATUS_OK;
510 struct lsa_info *handle;
514 union lsa_PolicyInformation *info = NULL;
516 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
517 return NT_STATUS_INVALID_HANDLE;
519 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
521 return NT_STATUS_NO_MEMORY;
524 switch (r->in.level) {
528 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
530 /* check if the user has enough rights */
531 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
532 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
533 return NT_STATUS_ACCESS_DENIED;
536 /* fake info: We audit everything. ;) */
538 info->audit_events.auditing_mode = true;
539 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
540 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
541 enum lsa_PolicyAuditPolicy,
542 info->audit_events.count);
543 if (!info->audit_events.settings) {
544 return NT_STATUS_NO_MEMORY;
547 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
548 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
549 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
550 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
551 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
552 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
553 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
558 /* check if the user has enough rights */
559 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
560 return NT_STATUS_ACCESS_DENIED;
562 /* Request PolicyPrimaryDomainInformation. */
563 switch (lp_server_role()) {
564 case ROLE_DOMAIN_PDC:
565 case ROLE_DOMAIN_BDC:
566 name = get_global_sam_name();
567 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
569 return NT_STATUS_NO_MEMORY;
572 case ROLE_DOMAIN_MEMBER:
573 name = lp_workgroup();
574 /* We need to return the Domain SID here. */
575 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
576 sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
578 return NT_STATUS_NO_MEMORY;
581 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
584 case ROLE_STANDALONE:
585 name = lp_workgroup();
589 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
591 init_dom_query_3(&info->domain, name, sid);
594 /* check if the user has enough rights */
595 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
596 return NT_STATUS_ACCESS_DENIED;
598 /* Request PolicyAccountDomainInformation. */
599 name = get_global_sam_name();
600 sid = get_global_sam_sid();
602 init_dom_query_5(&info->account_domain, name, sid);
605 /* check if the user has enough rights */
606 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
607 return NT_STATUS_ACCESS_DENIED;
609 switch (lp_server_role()) {
610 case ROLE_DOMAIN_BDC:
612 * only a BDC is a backup controller
613 * of the domain, it controls.
615 info->role.role = LSA_ROLE_BACKUP;
619 * any other role is a primary
620 * of the domain, it controls.
622 info->role.role = LSA_ROLE_PRIMARY;
627 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
629 status = NT_STATUS_INVALID_INFO_CLASS;
638 /***************************************************************************
639 _lsa_lookup_sids_internal
640 ***************************************************************************/
642 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
644 uint16_t level, /* input */
645 int num_sids, /* input */
646 struct lsa_SidPtr *sid, /* input */
647 struct lsa_RefDomainList **pp_ref, /* input/output */
648 struct lsa_TranslatedName2 **pp_names,/* input/output */
649 uint32_t *pp_mapped_count) /* input/output */
653 const DOM_SID **sids = NULL;
654 struct lsa_RefDomainList *ref = NULL;
655 uint32 mapped_count = 0;
656 struct lsa_dom_info *dom_infos = NULL;
657 struct lsa_name_info *name_infos = NULL;
658 struct lsa_TranslatedName2 *names = NULL;
660 *pp_mapped_count = 0;
668 sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
669 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
671 if (sids == NULL || ref == NULL) {
672 return NT_STATUS_NO_MEMORY;
675 for (i=0; i<num_sids; i++) {
676 sids[i] = sid[i].sid;
679 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
680 &dom_infos, &name_infos);
682 if (!NT_STATUS_IS_OK(status)) {
686 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
688 return NT_STATUS_NO_MEMORY;
691 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
693 if (!dom_infos[i].valid) {
697 if (init_lsa_ref_domain_list(mem_ctx, ref,
699 &dom_infos[i].sid) != i) {
700 DEBUG(0, ("Domain %s mentioned twice??\n",
702 return NT_STATUS_INTERNAL_ERROR;
706 for (i=0; i<num_sids; i++) {
707 struct lsa_name_info *name = &name_infos[i];
709 if (name->type == SID_NAME_UNKNOWN) {
712 /* Unknown sids should return the string
713 * representation of the SID. Windows 2003 behaves
714 * rather erratic here, in many cases it returns the
715 * RID as 8 bytes hex, in others it returns the full
716 * SID. We (Jerry/VL) could not figure out which the
717 * hard cases are, so leave it with the SID. */
718 name->name = talloc_asprintf(p->mem_ctx, "%s",
721 if (name->name == NULL) {
722 return NT_STATUS_NO_MEMORY;
728 names[i].sid_type = name->type;
729 names[i].name.string = name->name;
730 names[i].sid_index = name->dom_idx;
731 names[i].unknown = 0;
734 status = NT_STATUS_NONE_MAPPED;
735 if (mapped_count > 0) {
736 status = (mapped_count < num_sids) ?
737 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
740 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
741 num_sids, mapped_count, nt_errstr(status)));
743 *pp_mapped_count = mapped_count;
750 /***************************************************************************
752 ***************************************************************************/
754 NTSTATUS _lsa_LookupSids(pipes_struct *p,
755 struct lsa_LookupSids *r)
758 struct lsa_info *handle;
759 int num_sids = r->in.sids->num_sids;
760 uint32 mapped_count = 0;
761 struct lsa_RefDomainList *domains = NULL;
762 struct lsa_TranslatedName *names_out = NULL;
763 struct lsa_TranslatedName2 *names = NULL;
766 if ((r->in.level < 1) || (r->in.level > 6)) {
767 return NT_STATUS_INVALID_PARAMETER;
770 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
771 return NT_STATUS_INVALID_HANDLE;
774 /* check if the user has enough rights */
775 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
776 return NT_STATUS_ACCESS_DENIED;
779 if (num_sids > MAX_LOOKUP_SIDS) {
780 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
781 MAX_LOOKUP_SIDS, num_sids));
782 return NT_STATUS_NONE_MAPPED;
785 status = _lsa_lookup_sids_internal(p,
794 /* Only return here when there is a real error.
795 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
796 the requested sids could be resolved. Older versions of XP (pre SP3)
797 rely that we return with the string representations of those SIDs in
798 that case. If we don't, XP crashes - Guenther
801 if (NT_STATUS_IS_ERR(status) &&
802 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
806 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
807 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
810 return NT_STATUS_NO_MEMORY;
813 for (i=0; i<num_sids; i++) {
814 names_out[i].sid_type = names[i].sid_type;
815 names_out[i].name = names[i].name;
816 names_out[i].sid_index = names[i].sid_index;
819 *r->out.domains = domains;
820 r->out.names->count = num_sids;
821 r->out.names->names = names_out;
822 *r->out.count = mapped_count;
827 /***************************************************************************
829 ***************************************************************************/
831 NTSTATUS _lsa_LookupSids2(pipes_struct *p,
832 struct lsa_LookupSids2 *r)
835 struct lsa_info *handle;
836 int num_sids = r->in.sids->num_sids;
837 uint32 mapped_count = 0;
838 struct lsa_RefDomainList *domains = NULL;
839 struct lsa_TranslatedName2 *names = NULL;
840 bool check_policy = true;
842 switch (p->hdr_req.opnum) {
843 case NDR_LSA_LOOKUPSIDS3:
844 check_policy = false;
846 case NDR_LSA_LOOKUPSIDS2:
851 if ((r->in.level < 1) || (r->in.level > 6)) {
852 return NT_STATUS_INVALID_PARAMETER;
856 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
857 return NT_STATUS_INVALID_HANDLE;
860 /* check if the user has enough rights */
861 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
862 return NT_STATUS_ACCESS_DENIED;
866 if (num_sids > MAX_LOOKUP_SIDS) {
867 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
868 MAX_LOOKUP_SIDS, num_sids));
869 return NT_STATUS_NONE_MAPPED;
872 status = _lsa_lookup_sids_internal(p,
881 *r->out.domains = domains;
882 r->out.names->count = num_sids;
883 r->out.names->names = names;
884 *r->out.count = mapped_count;
889 /***************************************************************************
891 ***************************************************************************/
893 NTSTATUS _lsa_LookupSids3(pipes_struct *p,
894 struct lsa_LookupSids3 *r)
896 struct lsa_LookupSids2 q;
898 /* No policy handle on this call. Restrict to crypto connections. */
899 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
900 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
901 get_remote_machine_name() ));
902 return NT_STATUS_INVALID_PARAMETER;
906 q.in.sids = r->in.sids;
907 q.in.level = r->in.level;
908 q.in.unknown1 = r->in.unknown1;
909 q.in.unknown2 = r->in.unknown2;
910 q.in.names = r->in.names;
911 q.in.count = r->in.count;
913 q.out.domains = r->out.domains;
914 q.out.names = r->out.names;
915 q.out.count = r->out.count;
917 return _lsa_LookupSids2(p, &q);
920 /***************************************************************************
921 ***************************************************************************/
923 static int lsa_lookup_level_to_flags(uint16 level)
929 flags = LOOKUP_NAME_ALL;
932 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
935 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
941 flags = LOOKUP_NAME_NONE;
948 /***************************************************************************
950 ***************************************************************************/
952 NTSTATUS _lsa_LookupNames(pipes_struct *p,
953 struct lsa_LookupNames *r)
955 NTSTATUS status = NT_STATUS_NONE_MAPPED;
956 struct lsa_info *handle;
957 struct lsa_String *names = r->in.names;
958 uint32 num_entries = r->in.num_names;
959 struct lsa_RefDomainList *domains = NULL;
960 struct lsa_TranslatedSid *rids = NULL;
961 uint32 mapped_count = 0;
964 if (num_entries > MAX_LOOKUP_SIDS) {
965 num_entries = MAX_LOOKUP_SIDS;
966 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
970 flags = lsa_lookup_level_to_flags(r->in.level);
972 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
974 return NT_STATUS_NO_MEMORY;
978 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
981 return NT_STATUS_NO_MEMORY;
987 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
988 status = NT_STATUS_INVALID_HANDLE;
992 /* check if the user has enough rights */
993 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
994 status = NT_STATUS_ACCESS_DENIED;
998 /* set up the LSA Lookup RIDs response */
999 become_root(); /* lookup_name can require root privs */
1000 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1001 names, flags, &mapped_count);
1006 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1007 if (mapped_count == 0) {
1008 status = NT_STATUS_NONE_MAPPED;
1009 } else if (mapped_count != num_entries) {
1010 status = STATUS_SOME_UNMAPPED;
1014 *r->out.count = mapped_count;
1015 *r->out.domains = domains;
1016 r->out.sids->sids = rids;
1017 r->out.sids->count = num_entries;
1022 /***************************************************************************
1024 ***************************************************************************/
1026 NTSTATUS _lsa_LookupNames2(pipes_struct *p,
1027 struct lsa_LookupNames2 *r)
1030 struct lsa_LookupNames q;
1031 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1032 struct lsa_TransSidArray *sid_array = NULL;
1035 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1037 return NT_STATUS_NO_MEMORY;
1040 q.in.handle = r->in.handle;
1041 q.in.num_names = r->in.num_names;
1042 q.in.names = r->in.names;
1043 q.in.level = r->in.level;
1044 q.in.sids = sid_array;
1045 q.in.count = r->in.count;
1046 /* we do not know what this is for */
1047 /* = r->in.unknown1; */
1048 /* = r->in.unknown2; */
1050 q.out.domains = r->out.domains;
1051 q.out.sids = sid_array;
1052 q.out.count = r->out.count;
1054 status = _lsa_LookupNames(p, &q);
1056 sid_array2->count = sid_array->count;
1057 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1058 if (!sid_array2->sids) {
1059 return NT_STATUS_NO_MEMORY;
1062 for (i=0; i<sid_array->count; i++) {
1063 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1064 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1065 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1066 sid_array2->sids[i].unknown = 0;
1069 r->out.sids = sid_array2;
1074 /***************************************************************************
1076 ***************************************************************************/
1078 NTSTATUS _lsa_LookupNames3(pipes_struct *p,
1079 struct lsa_LookupNames3 *r)
1082 struct lsa_info *handle;
1083 struct lsa_String *names = r->in.names;
1084 uint32 num_entries = r->in.num_names;
1085 struct lsa_RefDomainList *domains = NULL;
1086 struct lsa_TranslatedSid3 *trans_sids = NULL;
1087 uint32 mapped_count = 0;
1089 bool check_policy = true;
1091 switch (p->hdr_req.opnum) {
1092 case NDR_LSA_LOOKUPNAMES4:
1093 check_policy = false;
1095 case NDR_LSA_LOOKUPNAMES3:
1097 check_policy = true;
1100 if (num_entries > MAX_LOOKUP_SIDS) {
1101 num_entries = MAX_LOOKUP_SIDS;
1102 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1105 /* Probably the lookup_level is some sort of bitmask. */
1106 if (r->in.level == 1) {
1107 flags = LOOKUP_NAME_ALL;
1110 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1112 return NT_STATUS_NO_MEMORY;
1116 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1119 return NT_STATUS_NO_MEMORY;
1127 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1128 status = NT_STATUS_INVALID_HANDLE;
1132 /* check if the user has enough rights */
1133 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1134 status = NT_STATUS_ACCESS_DENIED;
1139 /* set up the LSA Lookup SIDs response */
1140 become_root(); /* lookup_name can require root privs */
1141 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1142 names, flags, &mapped_count);
1147 if (NT_STATUS_IS_OK(status)) {
1148 if (mapped_count == 0) {
1149 status = NT_STATUS_NONE_MAPPED;
1150 } else if (mapped_count != num_entries) {
1151 status = STATUS_SOME_UNMAPPED;
1155 *r->out.count = mapped_count;
1156 *r->out.domains = domains;
1157 r->out.sids->sids = trans_sids;
1158 r->out.sids->count = num_entries;
1163 /***************************************************************************
1165 ***************************************************************************/
1167 NTSTATUS _lsa_LookupNames4(pipes_struct *p,
1168 struct lsa_LookupNames4 *r)
1170 struct lsa_LookupNames3 q;
1172 /* No policy handle on this call. Restrict to crypto connections. */
1173 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1174 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1175 get_remote_machine_name() ));
1176 return NT_STATUS_INVALID_PARAMETER;
1180 q.in.num_names = r->in.num_names;
1181 q.in.names = r->in.names;
1182 q.in.level = r->in.level;
1183 q.in.lookup_options = r->in.lookup_options;
1184 q.in.client_revision = r->in.client_revision;
1185 q.in.sids = r->in.sids;
1186 q.in.count = r->in.count;
1188 q.out.domains = r->out.domains;
1189 q.out.sids = r->out.sids;
1190 q.out.count = r->out.count;
1192 return _lsa_LookupNames3(p, &q);
1195 /***************************************************************************
1196 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1197 ***************************************************************************/
1199 NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
1201 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1202 return NT_STATUS_INVALID_HANDLE;
1205 close_policy_hnd(p, r->in.handle);
1206 ZERO_STRUCTP(r->out.handle);
1207 return NT_STATUS_OK;
1210 /***************************************************************************
1211 ***************************************************************************/
1213 NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
1215 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1218 /***************************************************************************
1219 ***************************************************************************/
1221 NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
1223 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1226 /***************************************************************************
1227 ***************************************************************************/
1229 NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
1231 return NT_STATUS_ACCESS_DENIED;
1234 /***************************************************************************
1235 ***************************************************************************/
1237 NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
1239 return NT_STATUS_ACCESS_DENIED;
1242 /***************************************************************************
1243 ***************************************************************************/
1245 NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
1247 return NT_STATUS_ACCESS_DENIED;
1250 /***************************************************************************
1252 ***************************************************************************/
1254 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
1255 struct lsa_DeleteObject *r)
1258 struct lsa_info *info = NULL;
1260 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1261 return NT_STATUS_INVALID_HANDLE;
1264 /* check to see if the pipe_user is root or a Domain Admin since
1265 account_pol.tdb was already opened as root, this is all we have */
1267 if (p->server_info->utok.uid != sec_initial_uid() &&
1268 !nt_token_check_domain_rid(p->server_info->ptok,
1269 DOMAIN_GROUP_RID_ADMINS)) {
1270 return NT_STATUS_ACCESS_DENIED;
1273 status = privilege_delete_account(&info->sid);
1274 if (!NT_STATUS_IS_OK(status)) {
1275 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1276 nt_errstr(status)));
1282 /***************************************************************************
1284 ***************************************************************************/
1286 NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
1287 struct lsa_EnumPrivs *r)
1289 struct lsa_info *handle;
1291 uint32 enum_context = *r->in.resume_handle;
1292 int num_privs = count_all_privileges();
1293 struct lsa_PrivEntry *entries = NULL;
1296 /* remember that the enum_context starts at 0 and not 1 */
1298 if ( enum_context >= num_privs )
1299 return NT_STATUS_NO_MORE_ENTRIES;
1301 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1302 enum_context, num_privs));
1304 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1305 return NT_STATUS_INVALID_HANDLE;
1307 /* check if the user has enough rights
1308 I don't know if it's the right one. not documented. */
1310 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1311 return NT_STATUS_ACCESS_DENIED;
1314 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1316 return NT_STATUS_NO_MEMORY;
1322 for (i = 0; i < num_privs; i++) {
1323 if( i < enum_context) {
1325 init_lsa_StringLarge(&entries[i].name, NULL);
1327 entries[i].luid.low = 0;
1328 entries[i].luid.high = 0;
1331 init_lsa_StringLarge(&entries[i].name, privs[i].name);
1333 luid = get_privilege_luid( &privs[i].se_priv );
1335 entries[i].luid.low = luid.luid.low;
1336 entries[i].luid.high = luid.luid.high;
1340 enum_context = num_privs;
1342 *r->out.resume_handle = enum_context;
1343 r->out.privs->count = num_privs;
1344 r->out.privs->privs = entries;
1346 return NT_STATUS_OK;
1349 /***************************************************************************
1350 _lsa_LookupPrivDisplayName
1351 ***************************************************************************/
1353 NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
1354 struct lsa_LookupPrivDisplayName *r)
1356 struct lsa_info *handle;
1357 const char *description;
1358 struct lsa_StringLarge *lsa_name;
1360 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1361 return NT_STATUS_INVALID_HANDLE;
1363 /* check if the user has enough rights */
1366 * I don't know if it's the right one. not documented.
1368 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1369 return NT_STATUS_ACCESS_DENIED;
1371 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1373 description = get_privilege_dispname(r->in.name->string);
1375 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1376 return NT_STATUS_NO_SUCH_PRIVILEGE;
1379 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1381 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1383 return NT_STATUS_NO_MEMORY;
1386 init_lsa_StringLarge(lsa_name, description);
1388 *r->out.returned_language_id = r->in.language_id;
1389 *r->out.disp_name = lsa_name;
1391 return NT_STATUS_OK;
1394 /***************************************************************************
1396 ***************************************************************************/
1398 NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
1399 struct lsa_EnumAccounts *r)
1401 struct lsa_info *handle;
1403 int i, j, num_entries;
1405 struct lsa_SidPtr *sids = NULL;
1407 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1408 return NT_STATUS_INVALID_HANDLE;
1410 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1411 return NT_STATUS_ACCESS_DENIED;
1416 /* The only way we can currently find out all the SIDs that have been
1417 privileged is to scan all privileges */
1419 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1420 if (!NT_STATUS_IS_OK(status)) {
1424 if (*r->in.resume_handle >= num_entries) {
1425 return NT_STATUS_NO_MORE_ENTRIES;
1428 if (num_entries - *r->in.resume_handle) {
1429 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1430 num_entries - *r->in.resume_handle);
1432 talloc_free(sid_list);
1433 return NT_STATUS_NO_MEMORY;
1436 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1437 sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1439 talloc_free(sid_list);
1440 return NT_STATUS_NO_MEMORY;
1445 talloc_free(sid_list);
1447 *r->out.resume_handle = num_entries;
1448 r->out.sids->num_sids = num_entries;
1449 r->out.sids->sids = sids;
1451 return NT_STATUS_OK;
1454 /***************************************************************************
1456 ***************************************************************************/
1458 NTSTATUS _lsa_GetUserName(pipes_struct *p,
1459 struct lsa_GetUserName *r)
1461 const char *username, *domname;
1462 struct lsa_String *account_name = NULL;
1463 struct lsa_String *authority_name = NULL;
1465 if (r->in.account_name &&
1466 *r->in.account_name) {
1467 return NT_STATUS_INVALID_PARAMETER;
1470 if (r->in.authority_name &&
1471 *r->in.authority_name) {
1472 return NT_STATUS_INVALID_PARAMETER;
1475 if (p->server_info->guest) {
1477 * I'm 99% sure this is not the right place to do this,
1478 * global_sid_Anonymous should probably be put into the token
1479 * instead of the guest id -- vl
1481 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1482 &domname, &username, NULL)) {
1483 return NT_STATUS_NO_MEMORY;
1486 username = p->server_info->sanitized_username;
1487 domname = pdb_get_domain(p->server_info->sam_account);
1490 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1491 if (!account_name) {
1492 return NT_STATUS_NO_MEMORY;
1494 init_lsa_String(account_name, username);
1496 if (r->out.authority_name) {
1497 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1498 if (!authority_name) {
1499 return NT_STATUS_NO_MEMORY;
1501 init_lsa_String(authority_name, domname);
1504 *r->out.account_name = account_name;
1505 if (r->out.authority_name) {
1506 *r->out.authority_name = authority_name;
1509 return NT_STATUS_OK;
1512 /***************************************************************************
1514 ***************************************************************************/
1516 NTSTATUS _lsa_CreateAccount(pipes_struct *p,
1517 struct lsa_CreateAccount *r)
1519 struct lsa_info *handle;
1520 struct lsa_info *info;
1522 /* find the connection policy handle. */
1523 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1524 return NT_STATUS_INVALID_HANDLE;
1526 /* check if the user has enough rights */
1529 * I don't know if it's the right one. not documented.
1530 * but guessed with rpcclient.
1532 if (!(handle->access & LSA_POLICY_GET_PRIVATE_INFORMATION))
1533 return NT_STATUS_ACCESS_DENIED;
1535 /* check to see if the pipe_user is a Domain Admin since
1536 account_pol.tdb was already opened as root, this is all we have */
1538 if ( p->server_info->utok.uid != sec_initial_uid()
1539 && !nt_token_check_domain_rid( p->server_info->ptok,
1540 DOMAIN_GROUP_RID_ADMINS ) )
1541 return NT_STATUS_ACCESS_DENIED;
1543 if ( is_privileged_sid( r->in.sid ) )
1544 return NT_STATUS_OBJECT_NAME_COLLISION;
1546 /* associate the user/group SID with the (unique) handle. */
1548 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1550 return NT_STATUS_NO_MEMORY;
1553 info->sid = *r->in.sid;
1554 info->access = r->in.access_mask;
1556 /* get a (unique) handle. open a policy on it. */
1557 if (!create_policy_hnd(p, r->out.acct_handle, info))
1558 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1560 return privilege_create_account( &info->sid );
1563 /***************************************************************************
1565 ***************************************************************************/
1567 NTSTATUS _lsa_OpenAccount(pipes_struct *p,
1568 struct lsa_OpenAccount *r)
1570 struct lsa_info *handle;
1571 struct lsa_info *info;
1573 /* find the connection policy handle. */
1574 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1575 return NT_STATUS_INVALID_HANDLE;
1577 /* check if the user has enough rights */
1580 * I don't know if it's the right one. not documented.
1581 * but guessed with rpcclient.
1583 if (!(handle->access & LSA_POLICY_GET_PRIVATE_INFORMATION))
1584 return NT_STATUS_ACCESS_DENIED;
1586 /* TODO: Fis the parsing routine before reenabling this check! */
1588 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1589 return NT_STATUS_ACCESS_DENIED;
1591 /* associate the user/group SID with the (unique) handle. */
1592 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1594 return NT_STATUS_NO_MEMORY;
1597 info->sid = *r->in.sid;
1598 info->access = r->in.access_mask;
1600 /* get a (unique) handle. open a policy on it. */
1601 if (!create_policy_hnd(p, r->out.acct_handle, info))
1602 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1604 return NT_STATUS_OK;
1607 /***************************************************************************
1608 _lsa_EnumPrivsAccount
1609 For a given SID, enumerate all the privilege this account has.
1610 ***************************************************************************/
1612 NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
1613 struct lsa_EnumPrivsAccount *r)
1615 NTSTATUS status = NT_STATUS_OK;
1616 struct lsa_info *info=NULL;
1618 PRIVILEGE_SET privileges;
1619 struct lsa_PrivilegeSet *priv_set = NULL;
1620 struct lsa_LUIDAttribute *luid_attrs = NULL;
1623 /* find the connection policy handle. */
1624 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1625 return NT_STATUS_INVALID_HANDLE;
1627 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1628 return NT_STATUS_ACCESS_DENIED;
1630 if ( !get_privileges_for_sids( &mask, &info->sid, 1 ) )
1631 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1633 privilege_set_init( &privileges );
1635 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1637 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1638 sid_string_dbg(&info->sid),
1641 priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1643 status = NT_STATUS_NO_MEMORY;
1647 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1648 struct lsa_LUIDAttribute,
1651 status = NT_STATUS_NO_MEMORY;
1655 for (i=0; i<privileges.count; i++) {
1656 luid_attrs[i].luid.low = privileges.set[i].luid.low;
1657 luid_attrs[i].luid.high = privileges.set[i].luid.high;
1658 luid_attrs[i].attribute = privileges.set[i].attr;
1661 priv_set->count = privileges.count;
1662 priv_set->unknown = 0;
1663 priv_set->set = luid_attrs;
1665 *r->out.privs = priv_set;
1667 status = NT_STATUS_NO_SUCH_PRIVILEGE;
1671 privilege_set_free( &privileges );
1676 /***************************************************************************
1677 _lsa_GetSystemAccessAccount
1678 ***************************************************************************/
1680 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
1681 struct lsa_GetSystemAccessAccount *r)
1684 struct lsa_info *info = NULL;
1685 struct lsa_EnumPrivsAccount e;
1686 struct lsa_PrivilegeSet *privset;
1688 /* find the connection policy handle. */
1690 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1691 return NT_STATUS_INVALID_HANDLE;
1693 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1694 return NT_STATUS_ACCESS_DENIED;
1696 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1698 return NT_STATUS_NO_MEMORY;
1701 e.in.handle = r->in.handle;
1702 e.out.privs = &privset;
1704 status = _lsa_EnumPrivsAccount(p, &e);
1705 if (!NT_STATUS_IS_OK(status)) {
1706 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1707 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1708 nt_errstr(status)));
1712 /* Samba4 would iterate over the privset to merge the policy mode bits,
1713 * not sure samba3 can do the same here, so just return what we did in
1717 0x01 -> Log on locally
1718 0x02 -> Access this computer from network
1719 0x04 -> Log on as a batch job
1720 0x10 -> Log on as a service
1722 they can be ORed together
1725 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1726 LSA_POLICY_MODE_NETWORK;
1728 return NT_STATUS_OK;
1731 /***************************************************************************
1732 update the systemaccount information
1733 ***************************************************************************/
1735 NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
1736 struct lsa_SetSystemAccessAccount *r)
1738 struct lsa_info *info=NULL;
1741 /* find the connection policy handle. */
1742 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1743 return NT_STATUS_INVALID_HANDLE;
1745 /* check to see if the pipe_user is a Domain Admin since
1746 account_pol.tdb was already opened as root, this is all we have */
1748 if ( p->server_info->utok.uid != sec_initial_uid()
1749 && !nt_token_check_domain_rid( p->server_info->ptok,
1750 DOMAIN_GROUP_RID_ADMINS ) )
1751 return NT_STATUS_ACCESS_DENIED;
1753 if (!pdb_getgrsid(&map, info->sid))
1754 return NT_STATUS_NO_SUCH_GROUP;
1756 return pdb_update_group_mapping_entry(&map);
1759 /***************************************************************************
1760 _lsa_AddPrivilegesToAccount
1761 For a given SID, add some privileges.
1762 ***************************************************************************/
1764 NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
1765 struct lsa_AddPrivilegesToAccount *r)
1767 struct lsa_info *info = NULL;
1769 struct lsa_PrivilegeSet *set = NULL;
1771 /* find the connection policy handle. */
1772 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1773 return NT_STATUS_INVALID_HANDLE;
1775 /* check to see if the pipe_user is root or a Domain Admin since
1776 account_pol.tdb was already opened as root, this is all we have */
1778 if ( p->server_info->utok.uid != sec_initial_uid()
1779 && !nt_token_check_domain_rid( p->server_info->ptok,
1780 DOMAIN_GROUP_RID_ADMINS ) )
1782 return NT_STATUS_ACCESS_DENIED;
1786 if ( !privilege_set_to_se_priv( &mask, set ) )
1787 return NT_STATUS_NO_SUCH_PRIVILEGE;
1789 if ( !grant_privilege( &info->sid, &mask ) ) {
1790 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1791 sid_string_dbg(&info->sid) ));
1792 DEBUG(3,("Privilege mask:\n"));
1793 dump_se_priv( DBGC_ALL, 3, &mask );
1794 return NT_STATUS_NO_SUCH_PRIVILEGE;
1797 return NT_STATUS_OK;
1800 /***************************************************************************
1801 _lsa_RemovePrivilegesFromAccount
1802 For a given SID, remove some privileges.
1803 ***************************************************************************/
1805 NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
1806 struct lsa_RemovePrivilegesFromAccount *r)
1808 struct lsa_info *info = NULL;
1810 struct lsa_PrivilegeSet *set = NULL;
1812 /* find the connection policy handle. */
1813 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1814 return NT_STATUS_INVALID_HANDLE;
1816 /* check to see if the pipe_user is root or a Domain Admin since
1817 account_pol.tdb was already opened as root, this is all we have */
1819 if ( p->server_info->utok.uid != sec_initial_uid()
1820 && !nt_token_check_domain_rid( p->server_info->ptok,
1821 DOMAIN_GROUP_RID_ADMINS ) )
1823 return NT_STATUS_ACCESS_DENIED;
1828 if ( !privilege_set_to_se_priv( &mask, set ) )
1829 return NT_STATUS_NO_SUCH_PRIVILEGE;
1831 if ( !revoke_privilege( &info->sid, &mask ) ) {
1832 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
1833 sid_string_dbg(&info->sid) ));
1834 DEBUG(3,("Privilege mask:\n"));
1835 dump_se_priv( DBGC_ALL, 3, &mask );
1836 return NT_STATUS_NO_SUCH_PRIVILEGE;
1839 return NT_STATUS_OK;
1842 /***************************************************************************
1844 ***************************************************************************/
1846 NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
1847 struct lsa_QuerySecurity *r)
1849 struct lsa_info *handle=NULL;
1850 SEC_DESC *psd = NULL;
1854 /* find the connection policy handle. */
1855 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1856 return NT_STATUS_INVALID_HANDLE;
1858 /* check if the user has enough rights */
1859 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1860 return NT_STATUS_ACCESS_DENIED;
1862 switch (r->in.sec_info) {
1864 /* SD contains only the owner */
1866 status=lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
1867 if(!NT_STATUS_IS_OK(status))
1868 return NT_STATUS_NO_MEMORY;
1871 if((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
1872 return NT_STATUS_NO_MEMORY;
1875 /* SD contains only the ACL */
1877 status=lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
1878 if(!NT_STATUS_IS_OK(status))
1879 return NT_STATUS_NO_MEMORY;
1881 if((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
1882 return NT_STATUS_NO_MEMORY;
1885 return NT_STATUS_INVALID_LEVEL;
1891 #if 0 /* AD DC work in ongoing in Samba 4 */
1893 /***************************************************************************
1894 ***************************************************************************/
1896 NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_INFO2 *r_u)
1898 struct lsa_info *handle;
1899 const char *nb_name;
1900 char *dns_name = NULL;
1901 char *forest_name = NULL;
1902 DOM_SID *sid = NULL;
1907 r_u->status = NT_STATUS_OK;
1909 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
1910 return NT_STATUS_INVALID_HANDLE;
1912 switch (q_u->info_class) {
1914 /* check if the user has enough rights */
1915 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1916 return NT_STATUS_ACCESS_DENIED;
1918 /* Request PolicyPrimaryDomainInformation. */
1919 switch (lp_server_role()) {
1920 case ROLE_DOMAIN_PDC:
1921 case ROLE_DOMAIN_BDC:
1922 nb_name = get_global_sam_name();
1923 /* ugly temp hack for these next two */
1925 /* This should be a 'netbios domain -> DNS domain' mapping */
1926 dnsdomname = get_mydnsdomname(p->mem_ctx);
1927 if (!dnsdomname || !*dnsdomname) {
1928 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1930 strlower_m(dnsdomname);
1932 dns_name = dnsdomname;
1933 forest_name = dnsdomname;
1935 sid = get_global_sam_sid();
1936 secrets_fetch_domain_guid(lp_workgroup(), &guid);
1939 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1941 init_dns_dom_info(&r_u->info.dns_dom_info, nb_name, dns_name,
1942 forest_name,&guid,sid);
1945 DEBUG(0,("_lsa_query_info2: unknown info level in Lsa Query: %d\n", q_u->info_class));
1946 r_u->status = NT_STATUS_INVALID_INFO_CLASS;
1950 if (NT_STATUS_IS_OK(r_u->status)) {
1952 r_u->info_class = q_u->info_class;
1957 #endif /* AD DC work in ongoing in Samba 4 */
1959 /***************************************************************************
1960 _lsa_AddAccountRights
1961 ***************************************************************************/
1963 NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
1964 struct lsa_AddAccountRights *r)
1966 struct lsa_info *info = NULL;
1970 /* find the connection policy handle. */
1971 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1972 return NT_STATUS_INVALID_HANDLE;
1974 /* check to see if the pipe_user is a Domain Admin since
1975 account_pol.tdb was already opened as root, this is all we have */
1977 if ( p->server_info->utok.uid != sec_initial_uid()
1978 && !nt_token_check_domain_rid( p->server_info->ptok,
1979 DOMAIN_GROUP_RID_ADMINS ) )
1981 return NT_STATUS_ACCESS_DENIED;
1984 /* according to an NT4 PDC, you can add privileges to SIDs even without
1985 call_lsa_create_account() first. And you can use any arbitrary SID. */
1987 sid_copy( &sid, r->in.sid );
1989 for ( i=0; i < r->in.rights->count; i++ ) {
1991 const char *privname = r->in.rights->names[i].string;
1993 /* only try to add non-null strings */
1998 if ( !grant_privilege_by_name( &sid, privname ) ) {
1999 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2001 return NT_STATUS_NO_SUCH_PRIVILEGE;
2005 return NT_STATUS_OK;
2008 /***************************************************************************
2009 _lsa_RemoveAccountRights
2010 ***************************************************************************/
2012 NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
2013 struct lsa_RemoveAccountRights *r)
2015 struct lsa_info *info = NULL;
2018 const char *privname = NULL;
2020 /* find the connection policy handle. */
2021 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2022 return NT_STATUS_INVALID_HANDLE;
2024 /* check to see if the pipe_user is a Domain Admin since
2025 account_pol.tdb was already opened as root, this is all we have */
2027 if ( p->server_info->utok.uid != sec_initial_uid()
2028 && !nt_token_check_domain_rid( p->server_info->ptok,
2029 DOMAIN_GROUP_RID_ADMINS ) )
2031 return NT_STATUS_ACCESS_DENIED;
2034 sid_copy( &sid, r->in.sid );
2036 if ( r->in.remove_all ) {
2037 if ( !revoke_all_privileges( &sid ) )
2038 return NT_STATUS_ACCESS_DENIED;
2040 return NT_STATUS_OK;
2043 for ( i=0; i < r->in.rights->count; i++ ) {
2045 privname = r->in.rights->names[i].string;
2047 /* only try to add non-null strings */
2052 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2053 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2055 return NT_STATUS_NO_SUCH_PRIVILEGE;
2059 return NT_STATUS_OK;
2062 /*******************************************************************
2063 ********************************************************************/
2065 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2066 struct lsa_RightSet *r,
2067 PRIVILEGE_SET *privileges)
2070 const char *privname;
2071 const char **privname_array = NULL;
2074 for (i=0; i<privileges->count; i++) {
2076 privname = luid_to_privilege_name(&privileges->set[i].luid);
2078 if (!add_string_to_array(mem_ctx, privname,
2079 &privname_array, &num_priv)) {
2080 return NT_STATUS_NO_MEMORY;
2087 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2090 return NT_STATUS_NO_MEMORY;
2093 for (i=0; i<num_priv; i++) {
2094 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2097 r->count = num_priv;
2100 return NT_STATUS_OK;
2103 /***************************************************************************
2104 _lsa_EnumAccountRights
2105 ***************************************************************************/
2107 NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
2108 struct lsa_EnumAccountRights *r)
2111 struct lsa_info *info = NULL;
2113 PRIVILEGE_SET privileges;
2116 /* find the connection policy handle. */
2118 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2119 return NT_STATUS_INVALID_HANDLE;
2121 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
2122 return NT_STATUS_ACCESS_DENIED;
2124 /* according to an NT4 PDC, you can add privileges to SIDs even without
2125 call_lsa_create_account() first. And you can use any arbitrary SID. */
2127 sid_copy( &sid, r->in.sid );
2129 if ( !get_privileges_for_sids( &mask, &sid, 1 ) )
2130 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2132 privilege_set_init( &privileges );
2134 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
2136 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2137 sid_string_dbg(&sid), privileges.count));
2139 status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2141 status = NT_STATUS_NO_SUCH_PRIVILEGE;
2144 privilege_set_free( &privileges );
2149 /***************************************************************************
2150 _lsa_LookupPrivValue
2151 ***************************************************************************/
2153 NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
2154 struct lsa_LookupPrivValue *r)
2156 struct lsa_info *info = NULL;
2157 const char *name = NULL;
2158 LUID_ATTR priv_luid;
2161 /* find the connection policy handle. */
2163 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2164 return NT_STATUS_INVALID_HANDLE;
2166 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
2167 return NT_STATUS_ACCESS_DENIED;
2169 name = r->in.name->string;
2171 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2173 if ( !se_priv_from_name( name, &mask ) )
2174 return NT_STATUS_NO_SUCH_PRIVILEGE;
2176 priv_luid = get_privilege_luid( &mask );
2178 r->out.luid->low = priv_luid.luid.low;
2179 r->out.luid->high = priv_luid.luid.high;
2181 return NT_STATUS_OK;
2185 * From here on the server routines are just dummy ones to make smbd link with
2186 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2187 * pulling the server stubs across one by one.
2190 NTSTATUS _lsa_Delete(pipes_struct *p, struct lsa_Delete *r)
2192 p->rng_fault_state = True;
2193 return NT_STATUS_NOT_IMPLEMENTED;
2196 NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
2198 p->rng_fault_state = True;
2199 return NT_STATUS_NOT_IMPLEMENTED;
2202 NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
2204 p->rng_fault_state = True;
2205 return NT_STATUS_NOT_IMPLEMENTED;
2208 NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
2210 p->rng_fault_state = True;
2211 return NT_STATUS_NOT_IMPLEMENTED;
2214 NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
2216 p->rng_fault_state = True;
2217 return NT_STATUS_NOT_IMPLEMENTED;
2220 NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
2222 p->rng_fault_state = True;
2223 return NT_STATUS_NOT_IMPLEMENTED;
2226 NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
2228 p->rng_fault_state = True;
2229 return NT_STATUS_NOT_IMPLEMENTED;
2232 NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
2234 p->rng_fault_state = True;
2235 return NT_STATUS_NOT_IMPLEMENTED;
2238 NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
2240 p->rng_fault_state = True;
2241 return NT_STATUS_NOT_IMPLEMENTED;
2244 NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
2246 p->rng_fault_state = True;
2247 return NT_STATUS_NOT_IMPLEMENTED;
2250 NTSTATUS _lsa_LookupPrivName(pipes_struct *p, struct lsa_LookupPrivName *r)
2252 p->rng_fault_state = True;
2253 return NT_STATUS_NOT_IMPLEMENTED;
2256 NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p, struct lsa_EnumAccountsWithUserRight *r)
2258 p->rng_fault_state = True;
2259 return NT_STATUS_NOT_IMPLEMENTED;
2262 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
2264 p->rng_fault_state = True;
2265 return NT_STATUS_NOT_IMPLEMENTED;
2268 NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
2270 p->rng_fault_state = True;
2271 return NT_STATUS_NOT_IMPLEMENTED;
2274 NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
2276 p->rng_fault_state = True;
2277 return NT_STATUS_NOT_IMPLEMENTED;
2280 NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
2282 p->rng_fault_state = True;
2283 return NT_STATUS_NOT_IMPLEMENTED;
2286 NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
2288 p->rng_fault_state = True;
2289 return NT_STATUS_NOT_IMPLEMENTED;
2292 NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p, struct lsa_QueryInfoPolicy2 *r)
2294 p->rng_fault_state = True;
2295 return NT_STATUS_NOT_IMPLEMENTED;
2298 NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
2300 p->rng_fault_state = True;
2301 return NT_STATUS_NOT_IMPLEMENTED;
2304 NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
2306 p->rng_fault_state = True;
2307 return NT_STATUS_NOT_IMPLEMENTED;
2310 NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
2312 p->rng_fault_state = True;
2313 return NT_STATUS_NOT_IMPLEMENTED;
2316 NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
2318 p->rng_fault_state = True;
2319 return NT_STATUS_NOT_IMPLEMENTED;
2322 NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
2324 p->rng_fault_state = True;
2325 return NT_STATUS_NOT_IMPLEMENTED;
2328 NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
2330 p->rng_fault_state = True;
2331 return NT_STATUS_NOT_IMPLEMENTED;
2334 NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
2336 p->rng_fault_state = True;
2337 return NT_STATUS_NOT_IMPLEMENTED;
2340 NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
2342 p->rng_fault_state = True;
2343 return NT_STATUS_NOT_IMPLEMENTED;
2346 NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
2348 p->rng_fault_state = True;
2349 return NT_STATUS_NOT_IMPLEMENTED;
2352 NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
2354 p->rng_fault_state = True;
2355 return NT_STATUS_NOT_IMPLEMENTED;
2358 NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
2360 p->rng_fault_state = True;
2361 return NT_STATUS_NOT_IMPLEMENTED;
2364 NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
2366 p->rng_fault_state = True;
2367 return NT_STATUS_NOT_IMPLEMENTED;
2370 NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
2372 p->rng_fault_state = True;
2373 return NT_STATUS_NOT_IMPLEMENTED;
2376 NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2378 p->rng_fault_state = True;
2379 return NT_STATUS_NOT_IMPLEMENTED;
2382 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2384 p->rng_fault_state = True;
2385 return NT_STATUS_NOT_IMPLEMENTED;
2388 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2390 p->rng_fault_state = True;
2391 return NT_STATUS_NOT_IMPLEMENTED;
2394 NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
2396 p->rng_fault_state = True;
2397 return NT_STATUS_NOT_IMPLEMENTED;
2400 NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
2402 p->rng_fault_state = True;
2403 return NT_STATUS_NOT_IMPLEMENTED;
2406 NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
2408 p->rng_fault_state = True;
2409 return NT_STATUS_NOT_IMPLEMENTED;
2412 NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
2414 p->rng_fault_state = True;
2415 return NT_STATUS_NOT_IMPLEMENTED;
2418 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
2420 p->rng_fault_state = True;
2421 return NT_STATUS_NOT_IMPLEMENTED;
2424 NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
2426 p->rng_fault_state = True;
2427 return NT_STATUS_NOT_IMPLEMENTED;
2430 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
2432 p->rng_fault_state = True;
2433 return NT_STATUS_NOT_IMPLEMENTED;
2436 NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
2438 p->rng_fault_state = True;
2439 return NT_STATUS_NOT_IMPLEMENTED;
2442 NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2444 p->rng_fault_state = True;
2445 return NT_STATUS_NOT_IMPLEMENTED;
2448 NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
2450 p->rng_fault_state = True;
2451 return NT_STATUS_NOT_IMPLEMENTED;
2454 NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
2456 p->rng_fault_state = True;
2457 return NT_STATUS_NOT_IMPLEMENTED;
2460 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2462 p->rng_fault_state = True;
2463 return NT_STATUS_NOT_IMPLEMENTED;
2466 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2468 p->rng_fault_state = True;
2469 return NT_STATUS_NOT_IMPLEMENTED;
2472 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
2474 p->rng_fault_state = True;
2475 return NT_STATUS_NOT_IMPLEMENTED;