2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
29 /* This is the implementation of the lsa server code. */
34 #define DBGC_CLASS DBGC_RPC_SRV
36 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
45 const struct generic_mapping lsa_generic_mapping = {
52 /***************************************************************************
53 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
54 ***************************************************************************/
56 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
57 struct lsa_RefDomainList *ref,
63 if (dom_name != NULL) {
64 for (num = 0; num < ref->count; num++) {
65 if (sid_equal(dom_sid, ref->domains[num].sid)) {
73 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
74 /* index not found, already at maximum domain limit */
79 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
81 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
82 struct lsa_DomainInfo, ref->count);
87 ZERO_STRUCT(ref->domains[num]);
89 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
90 ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
91 if (!ref->domains[num].sid) {
99 /***************************************************************************
100 initialize a lsa_DomainInfo structure.
101 ***************************************************************************/
103 static void init_dom_query_3(struct lsa_DomainInfo *r,
107 init_lsa_StringLarge(&r->name, name);
111 /***************************************************************************
112 initialize a lsa_DomainInfo structure.
113 ***************************************************************************/
115 static void init_dom_query_5(struct lsa_DomainInfo *r,
119 init_lsa_StringLarge(&r->name, name);
123 /***************************************************************************
124 lookup_lsa_rids. Must be called as root for lookup_name to work.
125 ***************************************************************************/
127 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
128 struct lsa_RefDomainList *ref,
129 struct lsa_TranslatedSid *prid,
130 uint32_t num_entries,
131 struct lsa_String *name,
133 uint32_t *pmapped_count)
135 uint32 mapped_count, i;
137 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
142 for (i = 0; i < num_entries; i++) {
146 const char *full_name;
148 enum lsa_SidType type = SID_NAME_UNKNOWN;
150 /* Split name into domain and user component */
152 full_name = name[i].string;
153 if (full_name == NULL) {
154 return NT_STATUS_NO_MEMORY;
157 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
159 /* We can ignore the result of lookup_name, it will not touch
160 "type" if it's not successful */
162 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
167 case SID_NAME_DOM_GRP:
168 case SID_NAME_DOMAIN:
170 case SID_NAME_WKN_GRP:
171 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
172 /* Leave these unchanged */
175 /* Don't hand out anything but the list above */
176 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
177 type = SID_NAME_UNKNOWN;
184 if (type != SID_NAME_UNKNOWN) {
185 sid_split_rid(&sid, &rid);
186 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
190 prid[i].sid_type = type;
192 prid[i].sid_index = dom_idx;
195 *pmapped_count = mapped_count;
199 /***************************************************************************
200 lookup_lsa_sids. Must be called as root for lookup_name to work.
201 ***************************************************************************/
203 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
204 struct lsa_RefDomainList *ref,
205 struct lsa_TranslatedSid3 *trans_sids,
206 uint32_t num_entries,
207 struct lsa_String *name,
209 uint32 *pmapped_count)
211 uint32 mapped_count, i;
213 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
218 for (i = 0; i < num_entries; i++) {
222 const char *full_name;
224 enum lsa_SidType type = SID_NAME_UNKNOWN;
228 /* Split name into domain and user component */
230 full_name = name[i].string;
231 if (full_name == NULL) {
232 return NT_STATUS_NO_MEMORY;
235 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
237 /* We can ignore the result of lookup_name, it will not touch
238 "type" if it's not successful */
240 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
245 case SID_NAME_DOM_GRP:
246 case SID_NAME_DOMAIN:
248 case SID_NAME_WKN_GRP:
249 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
250 /* Leave these unchanged */
253 /* Don't hand out anything but the list above */
254 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
255 type = SID_NAME_UNKNOWN;
262 if (type != SID_NAME_UNKNOWN) {
264 sid_copy(&domain_sid, &sid);
265 sid_split_rid(&domain_sid, &rid);
266 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
270 /* Initialize the lsa_TranslatedSid3 return. */
271 trans_sids[i].sid_type = type;
272 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
273 trans_sids[i].sid_index = dom_idx;
276 *pmapped_count = mapped_count;
280 static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size)
282 DOM_SID local_adm_sid;
289 init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, LSA_POLICY_EXECUTE, 0);
291 sid_copy(&adm_sid, get_global_sam_sid());
292 sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
293 init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, LSA_POLICY_ALL_ACCESS, 0);
295 sid_copy(&local_adm_sid, &global_sid_Builtin);
296 sid_append_rid(&local_adm_sid, BUILTIN_ALIAS_RID_ADMINS);
297 init_sec_ace(&ace[2], &local_adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, LSA_POLICY_ALL_ACCESS, 0);
299 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
300 return NT_STATUS_NO_MEMORY;
302 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
303 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
304 psa, sd_size)) == NULL)
305 return NT_STATUS_NO_MEMORY;
310 #if 0 /* AD DC work in ongoing in Samba 4 */
312 /***************************************************************************
314 ***************************************************************************/
316 static void init_dns_dom_info(LSA_DNS_DOM_INFO *r_l, const char *nb_name,
317 const char *dns_name, const char *forest_name,
318 struct GUID *dom_guid, DOM_SID *dom_sid)
320 if (nb_name && *nb_name) {
321 init_unistr2(&r_l->uni_nb_dom_name, nb_name, UNI_FLAGS_NONE);
322 init_uni_hdr(&r_l->hdr_nb_dom_name, &r_l->uni_nb_dom_name);
323 r_l->hdr_nb_dom_name.uni_max_len += 2;
324 r_l->uni_nb_dom_name.uni_max_len += 1;
327 if (dns_name && *dns_name) {
328 init_unistr2(&r_l->uni_dns_dom_name, dns_name, UNI_FLAGS_NONE);
329 init_uni_hdr(&r_l->hdr_dns_dom_name, &r_l->uni_dns_dom_name);
330 r_l->hdr_dns_dom_name.uni_max_len += 2;
331 r_l->uni_dns_dom_name.uni_max_len += 1;
334 if (forest_name && *forest_name) {
335 init_unistr2(&r_l->uni_forest_name, forest_name, UNI_FLAGS_NONE);
336 init_uni_hdr(&r_l->hdr_forest_name, &r_l->uni_forest_name);
337 r_l->hdr_forest_name.uni_max_len += 2;
338 r_l->uni_forest_name.uni_max_len += 1;
341 /* how do we init the guid ? probably should write an init fn */
343 memcpy(&r_l->dom_guid, dom_guid, sizeof(struct GUID));
347 r_l->ptr_dom_sid = 1;
348 init_dom_sid2(&r_l->dom_sid, dom_sid);
351 #endif /* AD DC work in ongoing in Samba 4 */
354 /***************************************************************************
356 ***************************************************************************/
358 NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
359 struct lsa_OpenPolicy2 *r)
361 struct lsa_info *info;
362 SEC_DESC *psd = NULL;
364 uint32 des_access = r->in.access_mask;
369 /* map the generic bits to the lsa policy ones */
370 se_map_generic(&des_access, &lsa_generic_mapping);
372 /* get the generic lsa policy SD until we store it */
373 lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
375 status = se_access_check(psd, p->server_info->ptok, des_access,
377 if (!NT_STATUS_IS_OK(status)) {
378 if (p->server_info->utok.uid != sec_initial_uid()) {
381 DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
382 acc_granted, des_access));
383 DEBUGADD(4,("but overwritten by euid == 0\n"));
386 /* This is needed for lsa_open_account and rpcclient .... :-) */
388 if (p->server_info->utok.uid == sec_initial_uid())
389 acc_granted = LSA_POLICY_ALL_ACCESS;
391 /* associate the domain SID with the (unique) handle. */
392 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
394 return NT_STATUS_NO_MEMORY;
397 sid_copy(&info->sid,get_global_sam_sid());
398 info->access = acc_granted;
400 /* set up the LSA QUERY INFO response */
401 if (!create_policy_hnd(p, r->out.handle, info))
402 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
407 /***************************************************************************
409 ***************************************************************************/
411 NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
412 struct lsa_OpenPolicy *r)
414 struct lsa_info *info;
415 SEC_DESC *psd = NULL;
417 uint32 des_access= r->in.access_mask;
422 /* map the generic bits to the lsa policy ones */
423 se_map_generic(&des_access, &lsa_generic_mapping);
425 /* get the generic lsa policy SD until we store it */
426 lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
428 status = se_access_check(psd, p->server_info->ptok, des_access,
430 if (!NT_STATUS_IS_OK(status)) {
431 if (p->server_info->utok.uid != sec_initial_uid()) {
434 DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
435 acc_granted, des_access));
436 DEBUGADD(4,("but overwritten by euid == 0\n"));
437 acc_granted = des_access;
440 /* associate the domain SID with the (unique) handle. */
441 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
443 return NT_STATUS_NO_MEMORY;
446 sid_copy(&info->sid,get_global_sam_sid());
447 info->access = acc_granted;
449 /* set up the LSA QUERY INFO response */
450 if (!create_policy_hnd(p, r->out.handle, info))
451 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
456 /***************************************************************************
457 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
459 ***************************************************************************/
461 NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
462 struct lsa_EnumTrustDom *r)
464 struct lsa_info *info;
466 struct trustdom_info **domains;
467 struct lsa_DomainInfo *lsa_domains = NULL;
471 * preferred length is set to 5 as a "our" preferred length
472 * nt sets this parameter to 2
473 * update (20.08.2002): it's not preferred length, but preferred size!
474 * it needs further investigation how to optimally choose this value
476 uint32 max_num_domains =
477 r->in.max_size < 5 ? r->in.max_size : 10;
482 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
483 return NT_STATUS_INVALID_HANDLE;
485 /* check if the user has enough rights */
486 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
487 return NT_STATUS_ACCESS_DENIED;
490 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
493 if (!NT_STATUS_IS_OK(nt_status)) {
497 if (*r->in.resume_handle < num_domains) {
498 num_thistime = MIN(num_domains, max_num_domains);
500 nt_status = STATUS_MORE_ENTRIES;
502 if (*r->in.resume_handle + num_thistime > num_domains) {
503 num_thistime = num_domains - *r->in.resume_handle;
504 nt_status = NT_STATUS_OK;
507 next_idx = *r->in.resume_handle + num_thistime;
510 next_idx = 0xffffffff;
511 nt_status = NT_STATUS_NO_MORE_ENTRIES;
514 /* set up the lsa_enum_trust_dom response */
516 lsa_domains = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo,
519 return NT_STATUS_NO_MEMORY;
522 for (i=0; i<num_thistime; i++) {
523 init_lsa_StringLarge(&lsa_domains[i].name, domains[i]->name);
524 lsa_domains[i].sid = &domains[i]->sid;
527 *r->out.resume_handle = next_idx;
528 r->out.domains->count = num_thistime;
529 r->out.domains->domains = lsa_domains;
534 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
535 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
536 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
538 /***************************************************************************
540 ***************************************************************************/
542 NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
543 struct lsa_QueryInfoPolicy *r)
545 NTSTATUS status = NT_STATUS_OK;
546 struct lsa_info *handle;
550 union lsa_PolicyInformation *info = NULL;
552 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
553 return NT_STATUS_INVALID_HANDLE;
555 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
557 return NT_STATUS_NO_MEMORY;
560 switch (r->in.level) {
564 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
566 /* check if the user has enough rights */
567 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
568 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
569 return NT_STATUS_ACCESS_DENIED;
572 /* fake info: We audit everything. ;) */
574 info->audit_events.auditing_mode = true;
575 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
576 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
577 enum lsa_PolicyAuditPolicy,
578 info->audit_events.count);
579 if (!info->audit_events.settings) {
580 return NT_STATUS_NO_MEMORY;
583 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
584 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
585 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
586 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
587 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
588 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
589 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
594 /* check if the user has enough rights */
595 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
596 return NT_STATUS_ACCESS_DENIED;
598 /* Request PolicyPrimaryDomainInformation. */
599 switch (lp_server_role()) {
600 case ROLE_DOMAIN_PDC:
601 case ROLE_DOMAIN_BDC:
602 name = get_global_sam_name();
603 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
605 return NT_STATUS_NO_MEMORY;
608 case ROLE_DOMAIN_MEMBER:
609 name = lp_workgroup();
610 /* We need to return the Domain SID here. */
611 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
612 sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
614 return NT_STATUS_NO_MEMORY;
617 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
620 case ROLE_STANDALONE:
621 name = lp_workgroup();
625 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
627 init_dom_query_3(&info->domain, name, sid);
630 /* check if the user has enough rights */
631 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
632 return NT_STATUS_ACCESS_DENIED;
634 /* Request PolicyAccountDomainInformation. */
635 name = get_global_sam_name();
636 sid = get_global_sam_sid();
638 init_dom_query_5(&info->account_domain, name, sid);
641 /* check if the user has enough rights */
642 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
643 return NT_STATUS_ACCESS_DENIED;
645 switch (lp_server_role()) {
646 case ROLE_DOMAIN_BDC:
648 * only a BDC is a backup controller
649 * of the domain, it controls.
651 info->role.role = LSA_ROLE_BACKUP;
655 * any other role is a primary
656 * of the domain, it controls.
658 info->role.role = LSA_ROLE_PRIMARY;
663 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
665 status = NT_STATUS_INVALID_INFO_CLASS;
674 /***************************************************************************
675 _lsa_lookup_sids_internal
676 ***************************************************************************/
678 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
680 uint16_t level, /* input */
681 int num_sids, /* input */
682 struct lsa_SidPtr *sid, /* input */
683 struct lsa_RefDomainList **pp_ref, /* input/output */
684 struct lsa_TranslatedName2 **pp_names,/* input/output */
685 uint32_t *pp_mapped_count) /* input/output */
689 const DOM_SID **sids = NULL;
690 struct lsa_RefDomainList *ref = NULL;
691 uint32 mapped_count = 0;
692 struct lsa_dom_info *dom_infos = NULL;
693 struct lsa_name_info *name_infos = NULL;
694 struct lsa_TranslatedName2 *names = NULL;
696 *pp_mapped_count = 0;
704 sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
705 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
707 if (sids == NULL || ref == NULL) {
708 return NT_STATUS_NO_MEMORY;
711 for (i=0; i<num_sids; i++) {
712 sids[i] = sid[i].sid;
715 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
716 &dom_infos, &name_infos);
718 if (!NT_STATUS_IS_OK(status)) {
722 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
724 return NT_STATUS_NO_MEMORY;
727 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
729 if (!dom_infos[i].valid) {
733 if (init_lsa_ref_domain_list(mem_ctx, ref,
735 &dom_infos[i].sid) != i) {
736 DEBUG(0, ("Domain %s mentioned twice??\n",
738 return NT_STATUS_INTERNAL_ERROR;
742 for (i=0; i<num_sids; i++) {
743 struct lsa_name_info *name = &name_infos[i];
745 if (name->type == SID_NAME_UNKNOWN) {
748 /* Unknown sids should return the string
749 * representation of the SID. Windows 2003 behaves
750 * rather erratic here, in many cases it returns the
751 * RID as 8 bytes hex, in others it returns the full
752 * SID. We (Jerry/VL) could not figure out which the
753 * hard cases are, so leave it with the SID. */
754 name->name = talloc_asprintf(p->mem_ctx, "%s",
757 if (name->name == NULL) {
758 return NT_STATUS_NO_MEMORY;
764 names[i].sid_type = name->type;
765 names[i].name.string = name->name;
766 names[i].sid_index = name->dom_idx;
767 names[i].unknown = 0;
770 status = NT_STATUS_NONE_MAPPED;
771 if (mapped_count > 0) {
772 status = (mapped_count < num_sids) ?
773 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
776 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
777 num_sids, mapped_count, nt_errstr(status)));
779 *pp_mapped_count = mapped_count;
786 /***************************************************************************
788 ***************************************************************************/
790 NTSTATUS _lsa_LookupSids(pipes_struct *p,
791 struct lsa_LookupSids *r)
794 struct lsa_info *handle;
795 int num_sids = r->in.sids->num_sids;
796 uint32 mapped_count = 0;
797 struct lsa_RefDomainList *domains = NULL;
798 struct lsa_TranslatedName *names_out = NULL;
799 struct lsa_TranslatedName2 *names = NULL;
802 if ((r->in.level < 1) || (r->in.level > 6)) {
803 return NT_STATUS_INVALID_PARAMETER;
806 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
807 return NT_STATUS_INVALID_HANDLE;
810 /* check if the user has enough rights */
811 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
812 return NT_STATUS_ACCESS_DENIED;
815 if (num_sids > MAX_LOOKUP_SIDS) {
816 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
817 MAX_LOOKUP_SIDS, num_sids));
818 return NT_STATUS_NONE_MAPPED;
821 status = _lsa_lookup_sids_internal(p,
830 /* Only return here when there is a real error.
831 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
832 the requested sids could be resolved. Older versions of XP (pre SP3)
833 rely that we return with the string representations of those SIDs in
834 that case. If we don't, XP crashes - Guenther
837 if (NT_STATUS_IS_ERR(status) &&
838 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
842 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
843 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
846 return NT_STATUS_NO_MEMORY;
849 for (i=0; i<num_sids; i++) {
850 names_out[i].sid_type = names[i].sid_type;
851 names_out[i].name = names[i].name;
852 names_out[i].sid_index = names[i].sid_index;
855 *r->out.domains = domains;
856 r->out.names->count = num_sids;
857 r->out.names->names = names_out;
858 *r->out.count = mapped_count;
863 /***************************************************************************
865 ***************************************************************************/
867 NTSTATUS _lsa_LookupSids2(pipes_struct *p,
868 struct lsa_LookupSids2 *r)
871 struct lsa_info *handle;
872 int num_sids = r->in.sids->num_sids;
873 uint32 mapped_count = 0;
874 struct lsa_RefDomainList *domains = NULL;
875 struct lsa_TranslatedName2 *names = NULL;
876 bool check_policy = true;
878 switch (p->hdr_req.opnum) {
879 case NDR_LSA_LOOKUPSIDS3:
880 check_policy = false;
882 case NDR_LSA_LOOKUPSIDS2:
887 if ((r->in.level < 1) || (r->in.level > 6)) {
888 return NT_STATUS_INVALID_PARAMETER;
892 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
893 return NT_STATUS_INVALID_HANDLE;
896 /* check if the user has enough rights */
897 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
898 return NT_STATUS_ACCESS_DENIED;
902 if (num_sids > MAX_LOOKUP_SIDS) {
903 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
904 MAX_LOOKUP_SIDS, num_sids));
905 return NT_STATUS_NONE_MAPPED;
908 status = _lsa_lookup_sids_internal(p,
917 *r->out.domains = domains;
918 r->out.names->count = num_sids;
919 r->out.names->names = names;
920 *r->out.count = mapped_count;
925 /***************************************************************************
927 ***************************************************************************/
929 NTSTATUS _lsa_LookupSids3(pipes_struct *p,
930 struct lsa_LookupSids3 *r)
932 struct lsa_LookupSids2 q;
934 /* No policy handle on this call. Restrict to crypto connections. */
935 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
936 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
937 get_remote_machine_name() ));
938 return NT_STATUS_INVALID_PARAMETER;
942 q.in.sids = r->in.sids;
943 q.in.level = r->in.level;
944 q.in.unknown1 = r->in.unknown1;
945 q.in.unknown2 = r->in.unknown2;
946 q.in.names = r->in.names;
947 q.in.count = r->in.count;
949 q.out.domains = r->out.domains;
950 q.out.names = r->out.names;
951 q.out.count = r->out.count;
953 return _lsa_LookupSids2(p, &q);
956 /***************************************************************************
957 ***************************************************************************/
959 static int lsa_lookup_level_to_flags(uint16 level)
965 flags = LOOKUP_NAME_ALL;
968 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
971 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
977 flags = LOOKUP_NAME_NONE;
984 /***************************************************************************
986 ***************************************************************************/
988 NTSTATUS _lsa_LookupNames(pipes_struct *p,
989 struct lsa_LookupNames *r)
991 NTSTATUS status = NT_STATUS_NONE_MAPPED;
992 struct lsa_info *handle;
993 struct lsa_String *names = r->in.names;
994 uint32 num_entries = r->in.num_names;
995 struct lsa_RefDomainList *domains = NULL;
996 struct lsa_TranslatedSid *rids = NULL;
997 uint32 mapped_count = 0;
1000 if (num_entries > MAX_LOOKUP_SIDS) {
1001 num_entries = MAX_LOOKUP_SIDS;
1002 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1006 flags = lsa_lookup_level_to_flags(r->in.level);
1008 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1010 return NT_STATUS_NO_MEMORY;
1014 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1017 return NT_STATUS_NO_MEMORY;
1023 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1024 status = NT_STATUS_INVALID_HANDLE;
1028 /* check if the user has enough rights */
1029 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1030 status = NT_STATUS_ACCESS_DENIED;
1034 /* set up the LSA Lookup RIDs response */
1035 become_root(); /* lookup_name can require root privs */
1036 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1037 names, flags, &mapped_count);
1042 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1043 if (mapped_count == 0) {
1044 status = NT_STATUS_NONE_MAPPED;
1045 } else if (mapped_count != num_entries) {
1046 status = STATUS_SOME_UNMAPPED;
1050 *r->out.count = mapped_count;
1051 *r->out.domains = domains;
1052 r->out.sids->sids = rids;
1053 r->out.sids->count = num_entries;
1058 /***************************************************************************
1060 ***************************************************************************/
1062 NTSTATUS _lsa_LookupNames2(pipes_struct *p,
1063 struct lsa_LookupNames2 *r)
1066 struct lsa_LookupNames q;
1067 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1068 struct lsa_TransSidArray *sid_array = NULL;
1071 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1073 return NT_STATUS_NO_MEMORY;
1076 q.in.handle = r->in.handle;
1077 q.in.num_names = r->in.num_names;
1078 q.in.names = r->in.names;
1079 q.in.level = r->in.level;
1080 q.in.sids = sid_array;
1081 q.in.count = r->in.count;
1082 /* we do not know what this is for */
1083 /* = r->in.unknown1; */
1084 /* = r->in.unknown2; */
1086 q.out.domains = r->out.domains;
1087 q.out.sids = sid_array;
1088 q.out.count = r->out.count;
1090 status = _lsa_LookupNames(p, &q);
1092 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1093 if (!sid_array2->sids) {
1094 return NT_STATUS_NO_MEMORY;
1097 for (i=0; i<sid_array->count; i++) {
1098 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1099 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1100 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1101 sid_array2->sids[i].unknown = 0;
1104 r->out.sids = sid_array2;
1109 /***************************************************************************
1111 ***************************************************************************/
1113 NTSTATUS _lsa_LookupNames3(pipes_struct *p,
1114 struct lsa_LookupNames3 *r)
1117 struct lsa_info *handle;
1118 struct lsa_String *names = r->in.names;
1119 uint32 num_entries = r->in.num_names;
1120 struct lsa_RefDomainList *domains = NULL;
1121 struct lsa_TranslatedSid3 *trans_sids = NULL;
1122 uint32 mapped_count = 0;
1124 bool check_policy = true;
1126 switch (p->hdr_req.opnum) {
1127 case NDR_LSA_LOOKUPNAMES4:
1128 check_policy = false;
1130 case NDR_LSA_LOOKUPNAMES3:
1132 check_policy = true;
1135 if (num_entries > MAX_LOOKUP_SIDS) {
1136 num_entries = MAX_LOOKUP_SIDS;
1137 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1140 /* Probably the lookup_level is some sort of bitmask. */
1141 if (r->in.level == 1) {
1142 flags = LOOKUP_NAME_ALL;
1145 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1147 return NT_STATUS_NO_MEMORY;
1151 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1154 return NT_STATUS_NO_MEMORY;
1162 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1163 status = NT_STATUS_INVALID_HANDLE;
1167 /* check if the user has enough rights */
1168 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1169 status = NT_STATUS_ACCESS_DENIED;
1174 /* set up the LSA Lookup SIDs response */
1175 become_root(); /* lookup_name can require root privs */
1176 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1177 names, flags, &mapped_count);
1182 if (NT_STATUS_IS_OK(status)) {
1183 if (mapped_count == 0) {
1184 status = NT_STATUS_NONE_MAPPED;
1185 } else if (mapped_count != num_entries) {
1186 status = STATUS_SOME_UNMAPPED;
1190 *r->out.count = mapped_count;
1191 *r->out.domains = domains;
1192 r->out.sids->sids = trans_sids;
1193 r->out.sids->count = num_entries;
1198 /***************************************************************************
1200 ***************************************************************************/
1202 NTSTATUS _lsa_LookupNames4(pipes_struct *p,
1203 struct lsa_LookupNames4 *r)
1205 struct lsa_LookupNames3 q;
1207 /* No policy handle on this call. Restrict to crypto connections. */
1208 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1209 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1210 get_remote_machine_name() ));
1211 return NT_STATUS_INVALID_PARAMETER;
1215 q.in.num_names = r->in.num_names;
1216 q.in.names = r->in.names;
1217 q.in.level = r->in.level;
1218 q.in.lookup_options = r->in.lookup_options;
1219 q.in.client_revision = r->in.client_revision;
1220 q.in.sids = r->in.sids;
1221 q.in.count = r->in.count;
1223 q.out.domains = r->out.domains;
1224 q.out.sids = r->out.sids;
1225 q.out.count = r->out.count;
1227 return _lsa_LookupNames3(p, &q);
1230 /***************************************************************************
1231 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1232 ***************************************************************************/
1234 NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
1236 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1237 return NT_STATUS_INVALID_HANDLE;
1240 close_policy_hnd(p, r->in.handle);
1241 ZERO_STRUCTP(r->out.handle);
1242 return NT_STATUS_OK;
1245 /***************************************************************************
1246 ***************************************************************************/
1248 NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
1250 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1253 /***************************************************************************
1254 ***************************************************************************/
1256 NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
1258 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1261 /***************************************************************************
1262 ***************************************************************************/
1264 NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
1266 return NT_STATUS_ACCESS_DENIED;
1269 /***************************************************************************
1270 ***************************************************************************/
1272 NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
1274 return NT_STATUS_ACCESS_DENIED;
1277 /***************************************************************************
1278 ***************************************************************************/
1280 NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
1282 return NT_STATUS_ACCESS_DENIED;
1285 /***************************************************************************
1287 ***************************************************************************/
1289 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
1290 struct lsa_DeleteObject *r)
1292 return NT_STATUS_ACCESS_DENIED;
1295 /***************************************************************************
1297 ***************************************************************************/
1299 NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
1300 struct lsa_EnumPrivs *r)
1302 struct lsa_info *handle;
1304 uint32 enum_context = *r->in.resume_handle;
1305 int num_privs = count_all_privileges();
1306 struct lsa_PrivEntry *entries = NULL;
1309 /* remember that the enum_context starts at 0 and not 1 */
1311 if ( enum_context >= num_privs )
1312 return NT_STATUS_NO_MORE_ENTRIES;
1314 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1315 enum_context, num_privs));
1317 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1318 return NT_STATUS_INVALID_HANDLE;
1320 /* check if the user has enough rights
1321 I don't know if it's the right one. not documented. */
1323 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1324 return NT_STATUS_ACCESS_DENIED;
1327 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1329 return NT_STATUS_NO_MEMORY;
1335 for (i = 0; i < num_privs; i++) {
1336 if( i < enum_context) {
1338 init_lsa_StringLarge(&entries[i].name, NULL);
1340 entries[i].luid.low = 0;
1341 entries[i].luid.high = 0;
1344 init_lsa_StringLarge(&entries[i].name, privs[i].name);
1346 luid = get_privilege_luid( &privs[i].se_priv );
1348 entries[i].luid.low = luid.luid.low;
1349 entries[i].luid.high = luid.luid.high;
1353 enum_context = num_privs;
1355 *r->out.resume_handle = enum_context;
1356 r->out.privs->count = num_privs;
1357 r->out.privs->privs = entries;
1359 return NT_STATUS_OK;
1362 /***************************************************************************
1363 _lsa_LookupPrivDisplayName
1364 ***************************************************************************/
1366 NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
1367 struct lsa_LookupPrivDisplayName *r)
1369 struct lsa_info *handle;
1370 const char *description;
1371 struct lsa_StringLarge *lsa_name;
1373 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1374 return NT_STATUS_INVALID_HANDLE;
1376 /* check if the user has enough rights */
1379 * I don't know if it's the right one. not documented.
1381 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1382 return NT_STATUS_ACCESS_DENIED;
1384 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1386 description = get_privilege_dispname(r->in.name->string);
1388 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1389 return NT_STATUS_NO_SUCH_PRIVILEGE;
1392 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1394 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1396 return NT_STATUS_NO_MEMORY;
1399 init_lsa_StringLarge(lsa_name, description);
1401 *r->out.returned_language_id = r->in.language_id;
1402 *r->out.disp_name = lsa_name;
1404 return NT_STATUS_OK;
1407 /***************************************************************************
1409 ***************************************************************************/
1411 NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
1412 struct lsa_EnumAccounts *r)
1414 struct lsa_info *handle;
1416 int i, j, num_entries;
1418 struct lsa_SidPtr *sids = NULL;
1420 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1421 return NT_STATUS_INVALID_HANDLE;
1423 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1424 return NT_STATUS_ACCESS_DENIED;
1429 /* The only way we can currently find out all the SIDs that have been
1430 privileged is to scan all privileges */
1432 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1433 if (!NT_STATUS_IS_OK(status)) {
1437 if (*r->in.resume_handle >= num_entries) {
1438 return NT_STATUS_NO_MORE_ENTRIES;
1441 if (num_entries - *r->in.resume_handle) {
1442 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1443 num_entries - *r->in.resume_handle);
1445 talloc_free(sid_list);
1446 return NT_STATUS_NO_MEMORY;
1449 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1450 sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1452 talloc_free(sid_list);
1453 return NT_STATUS_NO_MEMORY;
1458 talloc_free(sid_list);
1460 *r->out.resume_handle = num_entries;
1461 r->out.sids->num_sids = num_entries;
1462 r->out.sids->sids = sids;
1464 return NT_STATUS_OK;
1467 /***************************************************************************
1469 ***************************************************************************/
1471 NTSTATUS _lsa_GetUserName(pipes_struct *p,
1472 struct lsa_GetUserName *r)
1474 const char *username, *domname;
1475 struct lsa_String *account_name = NULL;
1476 struct lsa_String *authority_name = NULL;
1478 if (r->in.account_name &&
1479 *r->in.account_name) {
1480 return NT_STATUS_INVALID_PARAMETER;
1483 if (r->in.authority_name &&
1484 *r->in.authority_name) {
1485 return NT_STATUS_INVALID_PARAMETER;
1488 if (p->server_info->guest) {
1490 * I'm 99% sure this is not the right place to do this,
1491 * global_sid_Anonymous should probably be put into the token
1492 * instead of the guest id -- vl
1494 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1495 &domname, &username, NULL)) {
1496 return NT_STATUS_NO_MEMORY;
1499 username = p->server_info->sanitized_username;
1500 domname = pdb_get_domain(p->server_info->sam_account);
1503 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1504 if (!account_name) {
1505 return NT_STATUS_NO_MEMORY;
1507 init_lsa_String(account_name, username);
1509 if (r->out.authority_name) {
1510 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1511 if (!authority_name) {
1512 return NT_STATUS_NO_MEMORY;
1514 init_lsa_String(authority_name, domname);
1517 *r->out.account_name = account_name;
1518 if (r->out.authority_name) {
1519 *r->out.authority_name = authority_name;
1522 return NT_STATUS_OK;
1525 /***************************************************************************
1527 ***************************************************************************/
1529 NTSTATUS _lsa_CreateAccount(pipes_struct *p,
1530 struct lsa_CreateAccount *r)
1532 struct lsa_info *handle;
1533 struct lsa_info *info;
1535 /* find the connection policy handle. */
1536 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1537 return NT_STATUS_INVALID_HANDLE;
1539 /* check if the user has enough rights */
1542 * I don't know if it's the right one. not documented.
1543 * but guessed with rpcclient.
1545 if (!(handle->access & LSA_POLICY_GET_PRIVATE_INFORMATION))
1546 return NT_STATUS_ACCESS_DENIED;
1548 /* check to see if the pipe_user is a Domain Admin since
1549 account_pol.tdb was already opened as root, this is all we have */
1551 if ( p->server_info->utok.uid != sec_initial_uid()
1552 && !nt_token_check_domain_rid( p->server_info->ptok,
1553 DOMAIN_GROUP_RID_ADMINS ) )
1554 return NT_STATUS_ACCESS_DENIED;
1556 if ( is_privileged_sid( r->in.sid ) )
1557 return NT_STATUS_OBJECT_NAME_COLLISION;
1559 /* associate the user/group SID with the (unique) handle. */
1561 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1563 return NT_STATUS_NO_MEMORY;
1566 info->sid = *r->in.sid;
1567 info->access = r->in.access_mask;
1569 /* get a (unique) handle. open a policy on it. */
1570 if (!create_policy_hnd(p, r->out.acct_handle, info))
1571 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1573 return privilege_create_account( &info->sid );
1577 /***************************************************************************
1579 ***************************************************************************/
1581 NTSTATUS _lsa_OpenAccount(pipes_struct *p,
1582 struct lsa_OpenAccount *r)
1584 struct lsa_info *handle;
1585 struct lsa_info *info;
1587 /* find the connection policy handle. */
1588 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1589 return NT_STATUS_INVALID_HANDLE;
1591 /* check if the user has enough rights */
1594 * I don't know if it's the right one. not documented.
1595 * but guessed with rpcclient.
1597 if (!(handle->access & LSA_POLICY_GET_PRIVATE_INFORMATION))
1598 return NT_STATUS_ACCESS_DENIED;
1600 /* TODO: Fis the parsing routine before reenabling this check! */
1602 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1603 return NT_STATUS_ACCESS_DENIED;
1605 /* associate the user/group SID with the (unique) handle. */
1606 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1608 return NT_STATUS_NO_MEMORY;
1611 info->sid = *r->in.sid;
1612 info->access = r->in.access_mask;
1614 /* get a (unique) handle. open a policy on it. */
1615 if (!create_policy_hnd(p, r->out.acct_handle, info))
1616 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1618 return NT_STATUS_OK;
1621 /***************************************************************************
1622 _lsa_EnumPrivsAccount
1623 For a given SID, enumerate all the privilege this account has.
1624 ***************************************************************************/
1626 NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
1627 struct lsa_EnumPrivsAccount *r)
1629 NTSTATUS status = NT_STATUS_OK;
1630 struct lsa_info *info=NULL;
1632 PRIVILEGE_SET privileges;
1633 struct lsa_PrivilegeSet *priv_set = NULL;
1634 struct lsa_LUIDAttribute *luid_attrs = NULL;
1637 /* find the connection policy handle. */
1638 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1639 return NT_STATUS_INVALID_HANDLE;
1641 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1642 return NT_STATUS_ACCESS_DENIED;
1644 if ( !get_privileges_for_sids( &mask, &info->sid, 1 ) )
1645 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1647 privilege_set_init( &privileges );
1649 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1651 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1652 sid_string_dbg(&info->sid),
1655 priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1657 status = NT_STATUS_NO_MEMORY;
1661 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1662 struct lsa_LUIDAttribute,
1665 status = NT_STATUS_NO_MEMORY;
1669 for (i=0; i<privileges.count; i++) {
1670 luid_attrs[i].luid.low = privileges.set[i].luid.low;
1671 luid_attrs[i].luid.high = privileges.set[i].luid.high;
1672 luid_attrs[i].attribute = privileges.set[i].attr;
1675 priv_set->count = privileges.count;
1676 priv_set->unknown = 0;
1677 priv_set->set = luid_attrs;
1679 *r->out.privs = priv_set;
1681 status = NT_STATUS_NO_SUCH_PRIVILEGE;
1685 privilege_set_free( &privileges );
1690 /***************************************************************************
1691 _lsa_GetSystemAccessAccount
1692 ***************************************************************************/
1694 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
1695 struct lsa_GetSystemAccessAccount *r)
1697 struct lsa_info *info=NULL;
1699 /* find the connection policy handle. */
1701 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1702 return NT_STATUS_INVALID_HANDLE;
1704 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1705 return NT_STATUS_ACCESS_DENIED;
1707 if (!lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, NULL))
1708 return NT_STATUS_ACCESS_DENIED;
1711 0x01 -> Log on locally
1712 0x02 -> Access this computer from network
1713 0x04 -> Log on as a batch job
1714 0x10 -> Log on as a service
1716 they can be ORed together
1719 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1720 LSA_POLICY_MODE_NETWORK;
1722 return NT_STATUS_OK;
1725 /***************************************************************************
1726 update the systemaccount information
1727 ***************************************************************************/
1729 NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
1730 struct lsa_SetSystemAccessAccount *r)
1732 struct lsa_info *info=NULL;
1735 /* find the connection policy handle. */
1736 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1737 return NT_STATUS_INVALID_HANDLE;
1739 /* check to see if the pipe_user is a Domain Admin since
1740 account_pol.tdb was already opened as root, this is all we have */
1742 if ( p->server_info->utok.uid != sec_initial_uid()
1743 && !nt_token_check_domain_rid( p->server_info->ptok,
1744 DOMAIN_GROUP_RID_ADMINS ) )
1745 return NT_STATUS_ACCESS_DENIED;
1747 if (!pdb_getgrsid(&map, info->sid))
1748 return NT_STATUS_NO_SUCH_GROUP;
1750 return pdb_update_group_mapping_entry(&map);
1753 /***************************************************************************
1754 _lsa_AddPrivilegesToAccount
1755 For a given SID, add some privileges.
1756 ***************************************************************************/
1758 NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
1759 struct lsa_AddPrivilegesToAccount *r)
1761 struct lsa_info *info = NULL;
1763 struct lsa_PrivilegeSet *set = NULL;
1765 /* find the connection policy handle. */
1766 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1767 return NT_STATUS_INVALID_HANDLE;
1769 /* check to see if the pipe_user is root or a Domain Admin since
1770 account_pol.tdb was already opened as root, this is all we have */
1772 if ( p->server_info->utok.uid != sec_initial_uid()
1773 && !nt_token_check_domain_rid( p->server_info->ptok,
1774 DOMAIN_GROUP_RID_ADMINS ) )
1776 return NT_STATUS_ACCESS_DENIED;
1780 if ( !privilege_set_to_se_priv( &mask, set ) )
1781 return NT_STATUS_NO_SUCH_PRIVILEGE;
1783 if ( !grant_privilege( &info->sid, &mask ) ) {
1784 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1785 sid_string_dbg(&info->sid) ));
1786 DEBUG(3,("Privilege mask:\n"));
1787 dump_se_priv( DBGC_ALL, 3, &mask );
1788 return NT_STATUS_NO_SUCH_PRIVILEGE;
1791 return NT_STATUS_OK;
1794 /***************************************************************************
1795 _lsa_RemovePrivilegesFromAccount
1796 For a given SID, remove some privileges.
1797 ***************************************************************************/
1799 NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
1800 struct lsa_RemovePrivilegesFromAccount *r)
1802 struct lsa_info *info = NULL;
1804 struct lsa_PrivilegeSet *set = NULL;
1806 /* find the connection policy handle. */
1807 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1808 return NT_STATUS_INVALID_HANDLE;
1810 /* check to see if the pipe_user is root or a Domain Admin since
1811 account_pol.tdb was already opened as root, this is all we have */
1813 if ( p->server_info->utok.uid != sec_initial_uid()
1814 && !nt_token_check_domain_rid( p->server_info->ptok,
1815 DOMAIN_GROUP_RID_ADMINS ) )
1817 return NT_STATUS_ACCESS_DENIED;
1822 if ( !privilege_set_to_se_priv( &mask, set ) )
1823 return NT_STATUS_NO_SUCH_PRIVILEGE;
1825 if ( !revoke_privilege( &info->sid, &mask ) ) {
1826 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
1827 sid_string_dbg(&info->sid) ));
1828 DEBUG(3,("Privilege mask:\n"));
1829 dump_se_priv( DBGC_ALL, 3, &mask );
1830 return NT_STATUS_NO_SUCH_PRIVILEGE;
1833 return NT_STATUS_OK;
1836 /***************************************************************************
1838 ***************************************************************************/
1840 NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
1841 struct lsa_QuerySecurity *r)
1843 struct lsa_info *handle=NULL;
1844 SEC_DESC *psd = NULL;
1848 /* find the connection policy handle. */
1849 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1850 return NT_STATUS_INVALID_HANDLE;
1852 /* check if the user has enough rights */
1853 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1854 return NT_STATUS_ACCESS_DENIED;
1856 switch (r->in.sec_info) {
1858 /* SD contains only the owner */
1860 status=lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
1861 if(!NT_STATUS_IS_OK(status))
1862 return NT_STATUS_NO_MEMORY;
1865 if((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
1866 return NT_STATUS_NO_MEMORY;
1869 /* SD contains only the ACL */
1871 status=lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
1872 if(!NT_STATUS_IS_OK(status))
1873 return NT_STATUS_NO_MEMORY;
1875 if((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
1876 return NT_STATUS_NO_MEMORY;
1879 return NT_STATUS_INVALID_LEVEL;
1885 #if 0 /* AD DC work in ongoing in Samba 4 */
1887 /***************************************************************************
1888 ***************************************************************************/
1890 NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_INFO2 *r_u)
1892 struct lsa_info *handle;
1893 const char *nb_name;
1894 char *dns_name = NULL;
1895 char *forest_name = NULL;
1896 DOM_SID *sid = NULL;
1901 r_u->status = NT_STATUS_OK;
1903 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
1904 return NT_STATUS_INVALID_HANDLE;
1906 switch (q_u->info_class) {
1908 /* check if the user has enough rights */
1909 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1910 return NT_STATUS_ACCESS_DENIED;
1912 /* Request PolicyPrimaryDomainInformation. */
1913 switch (lp_server_role()) {
1914 case ROLE_DOMAIN_PDC:
1915 case ROLE_DOMAIN_BDC:
1916 nb_name = get_global_sam_name();
1917 /* ugly temp hack for these next two */
1919 /* This should be a 'netbios domain -> DNS domain' mapping */
1920 dnsdomname = get_mydnsdomname(p->mem_ctx);
1921 if (!dnsdomname || !*dnsdomname) {
1922 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1924 strlower_m(dnsdomname);
1926 dns_name = dnsdomname;
1927 forest_name = dnsdomname;
1929 sid = get_global_sam_sid();
1930 secrets_fetch_domain_guid(lp_workgroup(), &guid);
1933 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1935 init_dns_dom_info(&r_u->info.dns_dom_info, nb_name, dns_name,
1936 forest_name,&guid,sid);
1939 DEBUG(0,("_lsa_query_info2: unknown info level in Lsa Query: %d\n", q_u->info_class));
1940 r_u->status = NT_STATUS_INVALID_INFO_CLASS;
1944 if (NT_STATUS_IS_OK(r_u->status)) {
1946 r_u->info_class = q_u->info_class;
1951 #endif /* AD DC work in ongoing in Samba 4 */
1953 /***************************************************************************
1954 _lsa_AddAccountRights
1955 ***************************************************************************/
1957 NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
1958 struct lsa_AddAccountRights *r)
1960 struct lsa_info *info = NULL;
1964 /* find the connection policy handle. */
1965 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1966 return NT_STATUS_INVALID_HANDLE;
1968 /* check to see if the pipe_user is a Domain Admin since
1969 account_pol.tdb was already opened as root, this is all we have */
1971 if ( p->server_info->utok.uid != sec_initial_uid()
1972 && !nt_token_check_domain_rid( p->server_info->ptok,
1973 DOMAIN_GROUP_RID_ADMINS ) )
1975 return NT_STATUS_ACCESS_DENIED;
1978 /* according to an NT4 PDC, you can add privileges to SIDs even without
1979 call_lsa_create_account() first. And you can use any arbitrary SID. */
1981 sid_copy( &sid, r->in.sid );
1983 for ( i=0; i < r->in.rights->count; i++ ) {
1985 const char *privname = r->in.rights->names[i].string;
1987 /* only try to add non-null strings */
1992 if ( !grant_privilege_by_name( &sid, privname ) ) {
1993 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
1995 return NT_STATUS_NO_SUCH_PRIVILEGE;
1999 return NT_STATUS_OK;
2002 /***************************************************************************
2003 _lsa_RemoveAccountRights
2004 ***************************************************************************/
2006 NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
2007 struct lsa_RemoveAccountRights *r)
2009 struct lsa_info *info = NULL;
2012 const char *privname = NULL;
2014 /* find the connection policy handle. */
2015 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2016 return NT_STATUS_INVALID_HANDLE;
2018 /* check to see if the pipe_user is a Domain Admin since
2019 account_pol.tdb was already opened as root, this is all we have */
2021 if ( p->server_info->utok.uid != sec_initial_uid()
2022 && !nt_token_check_domain_rid( p->server_info->ptok,
2023 DOMAIN_GROUP_RID_ADMINS ) )
2025 return NT_STATUS_ACCESS_DENIED;
2028 sid_copy( &sid, r->in.sid );
2030 if ( r->in.remove_all ) {
2031 if ( !revoke_all_privileges( &sid ) )
2032 return NT_STATUS_ACCESS_DENIED;
2034 return NT_STATUS_OK;
2037 for ( i=0; i < r->in.rights->count; i++ ) {
2039 privname = r->in.rights->names[i].string;
2041 /* only try to add non-null strings */
2046 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2047 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2049 return NT_STATUS_NO_SUCH_PRIVILEGE;
2053 return NT_STATUS_OK;
2056 /*******************************************************************
2057 ********************************************************************/
2059 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2060 struct lsa_RightSet *r,
2061 PRIVILEGE_SET *privileges)
2064 const char *privname;
2065 const char **privname_array = NULL;
2068 for (i=0; i<privileges->count; i++) {
2070 privname = luid_to_privilege_name(&privileges->set[i].luid);
2072 if (!add_string_to_array(mem_ctx, privname,
2073 &privname_array, &num_priv)) {
2074 return NT_STATUS_NO_MEMORY;
2081 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2084 return NT_STATUS_NO_MEMORY;
2087 for (i=0; i<num_priv; i++) {
2088 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2091 r->count = num_priv;
2094 return NT_STATUS_OK;
2097 /***************************************************************************
2098 _lsa_EnumAccountRights
2099 ***************************************************************************/
2101 NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
2102 struct lsa_EnumAccountRights *r)
2105 struct lsa_info *info = NULL;
2107 PRIVILEGE_SET privileges;
2110 /* find the connection policy handle. */
2112 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2113 return NT_STATUS_INVALID_HANDLE;
2115 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
2116 return NT_STATUS_ACCESS_DENIED;
2118 /* according to an NT4 PDC, you can add privileges to SIDs even without
2119 call_lsa_create_account() first. And you can use any arbitrary SID. */
2121 sid_copy( &sid, r->in.sid );
2123 if ( !get_privileges_for_sids( &mask, &sid, 1 ) )
2124 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2126 privilege_set_init( &privileges );
2128 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
2130 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2131 sid_string_dbg(&sid), privileges.count));
2133 status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2135 status = NT_STATUS_NO_SUCH_PRIVILEGE;
2138 privilege_set_free( &privileges );
2143 /***************************************************************************
2144 _lsa_LookupPrivValue
2145 ***************************************************************************/
2147 NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
2148 struct lsa_LookupPrivValue *r)
2150 struct lsa_info *info = NULL;
2151 const char *name = NULL;
2152 LUID_ATTR priv_luid;
2155 /* find the connection policy handle. */
2157 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2158 return NT_STATUS_INVALID_HANDLE;
2160 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
2161 return NT_STATUS_ACCESS_DENIED;
2163 name = r->in.name->string;
2165 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2167 if ( !se_priv_from_name( name, &mask ) )
2168 return NT_STATUS_NO_SUCH_PRIVILEGE;
2170 priv_luid = get_privilege_luid( &mask );
2172 r->out.luid->low = priv_luid.luid.low;
2173 r->out.luid->high = priv_luid.luid.high;
2175 return NT_STATUS_OK;
2179 * From here on the server routines are just dummy ones to make smbd link with
2180 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2181 * pulling the server stubs across one by one.
2184 NTSTATUS _lsa_Delete(pipes_struct *p, struct lsa_Delete *r)
2186 p->rng_fault_state = True;
2187 return NT_STATUS_NOT_IMPLEMENTED;
2190 NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
2192 p->rng_fault_state = True;
2193 return NT_STATUS_NOT_IMPLEMENTED;
2196 NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
2198 p->rng_fault_state = True;
2199 return NT_STATUS_NOT_IMPLEMENTED;
2202 NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
2204 p->rng_fault_state = True;
2205 return NT_STATUS_NOT_IMPLEMENTED;
2208 NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
2210 p->rng_fault_state = True;
2211 return NT_STATUS_NOT_IMPLEMENTED;
2214 NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
2216 p->rng_fault_state = True;
2217 return NT_STATUS_NOT_IMPLEMENTED;
2220 NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
2222 p->rng_fault_state = True;
2223 return NT_STATUS_NOT_IMPLEMENTED;
2226 NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
2228 p->rng_fault_state = True;
2229 return NT_STATUS_NOT_IMPLEMENTED;
2232 NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
2234 p->rng_fault_state = True;
2235 return NT_STATUS_NOT_IMPLEMENTED;
2238 NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
2240 p->rng_fault_state = True;
2241 return NT_STATUS_NOT_IMPLEMENTED;
2244 NTSTATUS _lsa_LookupPrivName(pipes_struct *p, struct lsa_LookupPrivName *r)
2246 p->rng_fault_state = True;
2247 return NT_STATUS_NOT_IMPLEMENTED;
2250 NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p, struct lsa_EnumAccountsWithUserRight *r)
2252 p->rng_fault_state = True;
2253 return NT_STATUS_NOT_IMPLEMENTED;
2256 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
2258 p->rng_fault_state = True;
2259 return NT_STATUS_NOT_IMPLEMENTED;
2262 NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
2264 p->rng_fault_state = True;
2265 return NT_STATUS_NOT_IMPLEMENTED;
2268 NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
2270 p->rng_fault_state = True;
2271 return NT_STATUS_NOT_IMPLEMENTED;
2274 NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
2276 p->rng_fault_state = True;
2277 return NT_STATUS_NOT_IMPLEMENTED;
2280 NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
2282 p->rng_fault_state = True;
2283 return NT_STATUS_NOT_IMPLEMENTED;
2286 NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p, struct lsa_QueryInfoPolicy2 *r)
2288 p->rng_fault_state = True;
2289 return NT_STATUS_NOT_IMPLEMENTED;
2292 NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
2294 p->rng_fault_state = True;
2295 return NT_STATUS_NOT_IMPLEMENTED;
2298 NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
2300 p->rng_fault_state = True;
2301 return NT_STATUS_NOT_IMPLEMENTED;
2304 NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
2306 p->rng_fault_state = True;
2307 return NT_STATUS_NOT_IMPLEMENTED;
2310 NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
2312 p->rng_fault_state = True;
2313 return NT_STATUS_NOT_IMPLEMENTED;
2316 NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
2318 p->rng_fault_state = True;
2319 return NT_STATUS_NOT_IMPLEMENTED;
2322 NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
2324 p->rng_fault_state = True;
2325 return NT_STATUS_NOT_IMPLEMENTED;
2328 NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
2330 p->rng_fault_state = True;
2331 return NT_STATUS_NOT_IMPLEMENTED;
2334 NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
2336 p->rng_fault_state = True;
2337 return NT_STATUS_NOT_IMPLEMENTED;
2340 NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
2342 p->rng_fault_state = True;
2343 return NT_STATUS_NOT_IMPLEMENTED;
2346 NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
2348 p->rng_fault_state = True;
2349 return NT_STATUS_NOT_IMPLEMENTED;
2352 NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
2354 p->rng_fault_state = True;
2355 return NT_STATUS_NOT_IMPLEMENTED;
2358 NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
2360 p->rng_fault_state = True;
2361 return NT_STATUS_NOT_IMPLEMENTED;
2364 NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
2366 p->rng_fault_state = True;
2367 return NT_STATUS_NOT_IMPLEMENTED;
2370 NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2372 p->rng_fault_state = True;
2373 return NT_STATUS_NOT_IMPLEMENTED;
2376 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2378 p->rng_fault_state = True;
2379 return NT_STATUS_NOT_IMPLEMENTED;
2382 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2384 p->rng_fault_state = True;
2385 return NT_STATUS_NOT_IMPLEMENTED;
2388 NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
2390 p->rng_fault_state = True;
2391 return NT_STATUS_NOT_IMPLEMENTED;
2394 NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
2396 p->rng_fault_state = True;
2397 return NT_STATUS_NOT_IMPLEMENTED;
2400 NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
2402 p->rng_fault_state = True;
2403 return NT_STATUS_NOT_IMPLEMENTED;
2406 NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
2408 p->rng_fault_state = True;
2409 return NT_STATUS_NOT_IMPLEMENTED;
2412 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
2414 p->rng_fault_state = True;
2415 return NT_STATUS_NOT_IMPLEMENTED;
2418 NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
2420 p->rng_fault_state = True;
2421 return NT_STATUS_NOT_IMPLEMENTED;
2424 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
2426 p->rng_fault_state = True;
2427 return NT_STATUS_NOT_IMPLEMENTED;
2430 NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
2432 p->rng_fault_state = True;
2433 return NT_STATUS_NOT_IMPLEMENTED;
2436 NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2438 p->rng_fault_state = True;
2439 return NT_STATUS_NOT_IMPLEMENTED;
2442 NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
2444 p->rng_fault_state = True;
2445 return NT_STATUS_NOT_IMPLEMENTED;
2448 NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
2450 p->rng_fault_state = True;
2451 return NT_STATUS_NOT_IMPLEMENTED;
2454 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2456 p->rng_fault_state = True;
2457 return NT_STATUS_NOT_IMPLEMENTED;
2460 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2462 p->rng_fault_state = True;
2463 return NT_STATUS_NOT_IMPLEMENTED;
2466 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
2468 p->rng_fault_state = True;
2469 return NT_STATUS_NOT_IMPLEMENTED;