2 * Unix SMB/CIFS implementation.
4 * Winbind rpc backend functions
6 * Copyright (c) 2000-2003 Tim Potter
7 * Copyright (c) 2001 Andrew Tridgell
8 * Copyright (c) 2005 Volker Lendecke
9 * Copyright (c) 2008 Guenther Deschner (pidl conversion)
10 * Copyright (c) 2010 Andreas Schneider <asn@samba.org>
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 3 of the License, or
15 * (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #include "winbindd_rpc.h"
29 #include "rpc_client/rpc_client.h"
30 #include "librpc/gen_ndr/ndr_samr_c.h"
31 #include "librpc/gen_ndr/ndr_lsa_c.h"
32 #include "rpc_client/cli_samr.h"
33 #include "rpc_client/cli_lsarpc.h"
34 #include "../libcli/security/security.h"
36 /* Query display info for a domain */
37 NTSTATUS rpc_query_user_list(TALLOC_CTX *mem_ctx,
38 struct rpc_pipe_client *samr_pipe,
39 struct policy_handle *samr_policy,
40 const struct dom_sid *domain_sid,
43 uint32_t *rids = NULL;
44 uint32_t num_rids = 0;
45 uint32_t loop_count = 0;
46 uint32_t start_idx = 0;
48 NTSTATUS status, result;
49 struct dcerpc_binding_handle *b = samr_pipe->binding_handle;
55 uint32_t num_dom_users;
56 uint32_t max_entries, max_size;
57 uint32_t total_size, returned_size;
58 union samr_DispInfo disp_info;
60 dcerpc_get_query_dispinfo_params(loop_count,
64 status = dcerpc_samr_QueryDisplayInfo(b,
75 if (!NT_STATUS_IS_OK(status)) {
78 if (!NT_STATUS_IS_OK(result)) {
79 if (!NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
84 /* increment required start query values */
85 start_idx += disp_info.info1.count;
87 num_dom_users = disp_info.info1.count;
89 num_rids += num_dom_users;
90 /* If there are no user to enumerate we're done */
95 rids = talloc_realloc(mem_ctx, rids, uint32_t, num_rids);
97 return NT_STATUS_NO_MEMORY;
100 for (j = 0; j < num_dom_users; j++) {
101 rids[i++] = disp_info.info1.entries[j].rid;
103 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
110 /* List all domain groups */
111 NTSTATUS rpc_enum_dom_groups(TALLOC_CTX *mem_ctx,
112 struct rpc_pipe_client *samr_pipe,
113 struct policy_handle *samr_policy,
115 struct wb_acct_info **pinfo)
117 struct wb_acct_info *info = NULL;
119 uint32_t num_info = 0;
120 NTSTATUS status, result;
121 struct dcerpc_binding_handle *b = samr_pipe->binding_handle;
126 struct samr_SamArray *sam_array = NULL;
130 /* start is updated by this call. */
131 status = dcerpc_samr_EnumDomainGroups(b,
136 0xFFFF, /* buffer size? */
139 if (!NT_STATUS_IS_OK(status)) {
142 if (!NT_STATUS_IS_OK(result)) {
143 if (!NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
144 DEBUG(2,("query_user_list: failed to enum domain groups: %s\n",
150 info = talloc_realloc(mem_ctx,
155 return NT_STATUS_NO_MEMORY;
158 for (g = 0; g < count; g++) {
159 struct wb_acct_info *i = &info[num_info + g];
161 fstrcpy(i->acct_name,
162 sam_array->entries[g].name.string);
163 fstrcpy(i->acct_desc, "");
164 i->rid = sam_array->entries[g].idx;
168 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
170 *pnum_info = num_info;
176 NTSTATUS rpc_enum_local_groups(TALLOC_CTX *mem_ctx,
177 struct rpc_pipe_client *samr_pipe,
178 struct policy_handle *samr_policy,
180 struct wb_acct_info **pinfo)
182 struct wb_acct_info *info = NULL;
183 uint32_t num_info = 0;
184 NTSTATUS status, result;
185 struct dcerpc_binding_handle *b = samr_pipe->binding_handle;
190 struct samr_SamArray *sam_array = NULL;
192 uint32_t start = num_info;
195 status = dcerpc_samr_EnumDomainAliases(b,
200 0xFFFF, /* buffer size? */
203 if (!NT_STATUS_IS_OK(status)) {
206 if (!NT_STATUS_IS_OK(result)) {
207 if (!NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
212 info = talloc_realloc(mem_ctx,
217 return NT_STATUS_NO_MEMORY;
220 for (g = 0; g < count; g++) {
221 struct wb_acct_info *i = &info[num_info + g];
223 fstrcpy(i->acct_name,
224 sam_array->entries[g].name.string);
225 fstrcpy(i->acct_desc, "");
226 i->rid = sam_array->entries[g].idx;
230 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
232 *pnum_info = num_info;
238 /* convert a single name to a sid in a domain */
239 NTSTATUS rpc_name_to_sid(TALLOC_CTX *mem_ctx,
240 struct rpc_pipe_client *lsa_pipe,
241 struct policy_handle *lsa_policy,
242 const char *domain_name,
246 enum lsa_SidType *type)
248 enum lsa_SidType *types = NULL;
249 struct dom_sid *sids = NULL;
250 char *full_name = NULL;
251 const char *names[1];
252 char *mapped_name = NULL;
255 if (name == NULL || name[0] == '\0') {
256 full_name = talloc_asprintf(mem_ctx, "%s", domain_name);
257 } else if (domain_name == NULL || domain_name[0] == '\0') {
258 full_name = talloc_asprintf(mem_ctx, "%s", name);
260 full_name = talloc_asprintf(mem_ctx, "%s\\%s", domain_name, name);
263 if (full_name == NULL) {
264 return NT_STATUS_NO_MEMORY;
267 status = normalize_name_unmap(mem_ctx, full_name, &mapped_name);
268 /* Reset the full_name pointer if we mapped anything */
269 if (NT_STATUS_IS_OK(status) ||
270 NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) {
271 full_name = mapped_name;
274 DEBUG(3,("name_to_sid: %s for domain %s\n",
275 full_name ? full_name : "", domain_name ));
277 names[0] = full_name;
280 * We don't run into deadlocks here, cause winbind_off() is
281 * called in the main function.
283 status = rpccli_lsa_lookup_names(lsa_pipe,
292 if (!NT_STATUS_IS_OK(status)) {
293 DEBUG(2,("name_to_sid: failed to lookup name: %s\n",
298 sid_copy(sid, &sids[0]);
304 /* Convert a domain SID to a user or group name */
305 NTSTATUS rpc_sid_to_name(TALLOC_CTX *mem_ctx,
306 struct rpc_pipe_client *lsa_pipe,
307 struct policy_handle *lsa_policy,
308 struct winbindd_domain *domain,
309 const struct dom_sid *sid,
312 enum lsa_SidType *ptype)
314 char *mapped_name = NULL;
315 char **domains = NULL;
317 enum lsa_SidType *types = NULL;
321 status = rpccli_lsa_lookup_sids(lsa_pipe,
329 if (!NT_STATUS_IS_OK(status)) {
330 DEBUG(2,("sid_to_name: failed to lookup sids: %s\n",
335 *ptype = (enum lsa_SidType) types[0];
337 map_status = normalize_name_map(mem_ctx,
341 if (NT_STATUS_IS_OK(map_status) ||
342 NT_STATUS_EQUAL(map_status, NT_STATUS_FILE_RENAMED)) {
343 *pname = talloc_strdup(mem_ctx, mapped_name);
344 DEBUG(5,("returning mapped name -- %s\n", *pname));
346 *pname = talloc_strdup(mem_ctx, names[0]);
348 if ((names[0] != NULL) && (*pname == NULL)) {
349 return NT_STATUS_NO_MEMORY;
352 *pdomain_name = talloc_strdup(mem_ctx, domains[0]);
353 if (*pdomain_name == NULL) {
354 return NT_STATUS_NO_MEMORY;
360 /* Convert a bunch of rids to user or group names */
361 NTSTATUS rpc_rids_to_names(TALLOC_CTX *mem_ctx,
362 struct rpc_pipe_client *lsa_pipe,
363 struct policy_handle *lsa_policy,
364 struct winbindd_domain *domain,
365 const struct dom_sid *sid,
370 enum lsa_SidType **ptypes)
372 enum lsa_SidType *types = NULL;
373 char *domain_name = NULL;
374 char **domains = NULL;
376 struct dom_sid *sids;
381 sids = talloc_array(mem_ctx, struct dom_sid, num_rids);
383 return NT_STATUS_NO_MEMORY;
389 for (i = 0; i < num_rids; i++) {
390 if (!sid_compose(&sids[i], sid, rids[i])) {
391 return NT_STATUS_INTERNAL_ERROR;
395 status = rpccli_lsa_lookup_sids(lsa_pipe,
403 if (!NT_STATUS_IS_OK(status) &&
404 !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
405 DEBUG(2,("rids_to_names: failed to lookup sids: %s\n",
410 for (i = 0; i < num_rids; i++) {
411 char *mapped_name = NULL;
414 if (types[i] != SID_NAME_UNKNOWN) {
415 map_status = normalize_name_map(mem_ctx,
419 if (NT_STATUS_IS_OK(map_status) ||
420 NT_STATUS_EQUAL(map_status, NT_STATUS_FILE_RENAMED)) {
421 TALLOC_FREE(names[i]);
422 names[i] = talloc_strdup(names, mapped_name);
423 if (names[i] == NULL) {
424 return NT_STATUS_NO_MEMORY;
428 domain_name = domains[i];
432 *pdomain_name = domain_name;
439 NTSTATUS rpc_lookup_useraliases(TALLOC_CTX *mem_ctx,
440 struct rpc_pipe_client *samr_pipe,
441 struct policy_handle *samr_policy,
443 const struct dom_sid *sids,
444 uint32_t *pnum_aliases,
445 uint32_t **palias_rids)
447 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
448 uint32_t num_query_sids = 0;
449 uint32_t num_queries = 1;
450 uint32_t num_aliases = 0;
451 uint32_t total_sids = 0;
452 uint32_t *alias_rids = NULL;
453 uint32_t rangesize = MAX_SAM_ENTRIES_W2K;
455 struct samr_Ids alias_rids_query;
456 NTSTATUS status, result;
457 struct dcerpc_binding_handle *b = samr_pipe->binding_handle;
461 struct lsa_SidArray sid_array;
463 ZERO_STRUCT(sid_array);
465 num_query_sids = MIN(num_sids - total_sids, rangesize);
467 DEBUG(10,("rpc: lookup_useraliases: entering query %d for %d sids\n",
468 num_queries, num_query_sids));
470 if (num_query_sids) {
471 sid_array.sids = talloc_zero_array(mem_ctx, struct lsa_SidPtr, num_query_sids);
472 if (sid_array.sids == NULL) {
473 return NT_STATUS_NO_MEMORY;
476 sid_array.sids = NULL;
479 for (i = 0; i < num_query_sids; i++) {
480 sid_array.sids[i].sid = dom_sid_dup(mem_ctx, &sids[total_sids++]);
481 if (sid_array.sids[i].sid == NULL) {
482 return NT_STATUS_NO_MEMORY;
485 sid_array.num_sids = num_query_sids;
488 status = dcerpc_samr_GetAliasMembership(b,
494 if (!NT_STATUS_IS_OK(status)) {
497 if (!NT_STATUS_IS_OK(result)) {
502 for (i = 0; i < alias_rids_query.count; i++) {
503 size_t na = num_aliases;
505 if (!add_rid_to_array_unique(mem_ctx,
506 alias_rids_query.ids[i],
509 return NT_STATUS_NO_MEMORY;
516 } while (total_sids < num_sids);
518 DEBUG(10,("rpc: rpc_lookup_useraliases: got %d aliases in %d queries "
519 "(rangesize: %d)\n", num_aliases, num_queries, rangesize));
521 *pnum_aliases = num_aliases;
522 *palias_rids = alias_rids;
525 #undef MAX_SAM_ENTRIES_W2K
528 /* Lookup group membership given a rid. */
529 NTSTATUS rpc_lookup_groupmem(TALLOC_CTX *mem_ctx,
530 struct rpc_pipe_client *samr_pipe,
531 struct policy_handle *samr_policy,
532 const char *domain_name,
533 const struct dom_sid *domain_sid,
534 const struct dom_sid *group_sid,
535 enum lsa_SidType type,
536 uint32_t *pnum_names,
537 struct dom_sid **psid_mem,
539 uint32_t **pname_types)
541 struct policy_handle group_policy;
543 uint32_t *rid_mem = NULL;
545 uint32_t num_names = 0;
546 uint32_t total_names = 0;
547 struct dom_sid *sid_mem = NULL;
549 uint32_t *name_types = NULL;
551 struct lsa_Strings tmp_names;
552 struct samr_Ids tmp_types;
555 NTSTATUS status, result;
556 struct dcerpc_binding_handle *b = samr_pipe->binding_handle;
558 if (!sid_peek_check_rid(domain_sid, group_sid, &group_rid)) {
559 return NT_STATUS_UNSUCCESSFUL;
563 case SID_NAME_DOM_GRP:
565 struct samr_RidAttrArray *rids = NULL;
567 status = dcerpc_samr_OpenGroup(b,
570 SEC_FLAG_MAXIMUM_ALLOWED,
574 if (!NT_STATUS_IS_OK(status)) {
577 if (!NT_STATUS_IS_OK(result)) {
582 * Step #1: Get a list of user rids that are the members of the group.
584 status = dcerpc_samr_QueryGroupMember(b,
591 dcerpc_samr_Close(b, mem_ctx, &group_policy, &_result);
594 if (!NT_STATUS_IS_OK(status)) {
597 if (!NT_STATUS_IS_OK(result)) {
602 if (rids == NULL || rids->count == 0) {
611 num_names = rids->count;
612 rid_mem = rids->rids;
616 case SID_NAME_WKN_GRP:
619 struct lsa_SidArray sid_array;
620 struct lsa_SidPtr sid_ptr;
621 struct samr_Ids rids_query;
623 sid_ptr.sid = dom_sid_dup(mem_ctx, group_sid);
624 if (sid_ptr.sid == NULL) {
625 return NT_STATUS_NO_MEMORY;
628 sid_array.num_sids = 1;
629 sid_array.sids = &sid_ptr;
631 status = dcerpc_samr_GetAliasMembership(b,
637 if (!NT_STATUS_IS_OK(status)) {
640 if (!NT_STATUS_IS_OK(result)) {
644 if (rids_query.count == 0) {
653 num_names = rids_query.count;
654 rid_mem = rids_query.ids;
659 return NT_STATUS_UNSUCCESSFUL;
663 * Step #2: Convert list of rids into list of usernames.
666 names = talloc_zero_array(mem_ctx, char *, num_names);
667 name_types = talloc_zero_array(mem_ctx, uint32_t, num_names);
668 sid_mem = talloc_zero_array(mem_ctx, struct dom_sid, num_names);
669 if (names == NULL || name_types == NULL || sid_mem == NULL) {
670 return NT_STATUS_NO_MEMORY;
674 for (j = 0; j < num_names; j++) {
675 sid_compose(&sid_mem[j], domain_sid, rid_mem[j]);
678 status = dcerpc_samr_LookupRids(b,
686 if (!NT_STATUS_IS_OK(status)) {
690 if (!NT_STATUS_IS_OK(result)) {
691 if (!NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
696 /* Copy result into array. The talloc system will take
697 care of freeing the temporary arrays later on. */
698 if (tmp_names.count != num_names) {
699 return NT_STATUS_INVALID_NETWORK_RESPONSE;
701 if (tmp_types.count != num_names) {
702 return NT_STATUS_INVALID_NETWORK_RESPONSE;
705 for (r = 0; r < tmp_names.count; r++) {
706 if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
709 if (total_names >= num_names) {
712 names[total_names] = fill_domain_username_talloc(names,
714 tmp_names.names[r].string,
716 if (names[total_names] == NULL) {
717 return NT_STATUS_NO_MEMORY;
719 name_types[total_names] = tmp_types.ids[r];
723 *pnum_names = total_names;
725 *pname_types = name_types;
731 /* Find the sequence number for a domain */
732 NTSTATUS rpc_sequence_number(TALLOC_CTX *mem_ctx,
733 struct rpc_pipe_client *samr_pipe,
734 struct policy_handle *samr_policy,
735 const char *domain_name,
738 union samr_DomainInfo *info = NULL;
739 bool got_seq_num = false;
740 NTSTATUS status, result;
741 struct dcerpc_binding_handle *b = samr_pipe->binding_handle;
743 /* query domain info */
744 status = dcerpc_samr_QueryDomainInfo(b,
750 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
751 *pseq = info->info8.sequence_num;
756 /* retry with info-level 2 in case the dc does not support info-level 8
757 * (like all older samba2 and samba3 dc's) - Guenther */
758 status = dcerpc_samr_QueryDomainInfo(b,
764 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
765 *pseq = info->general.sequence_num;
770 if (!NT_STATUS_IS_OK(status)) {
778 DEBUG(10,("domain_sequence_number: for domain %s is %u\n",
779 domain_name, (unsigned) *pseq));
781 DEBUG(10,("domain_sequence_number: failed to get sequence "
782 "number (%u) for domain %s\n",
783 (unsigned) *pseq, domain_name ));
784 status = NT_STATUS_OK;
790 /* Get a list of trusted domains */
791 NTSTATUS rpc_trusted_domains(TALLOC_CTX *mem_ctx,
792 struct rpc_pipe_client *lsa_pipe,
793 struct policy_handle *lsa_policy,
794 uint32_t *pnum_trusts,
795 struct netr_DomainTrust **ptrusts)
797 struct netr_DomainTrust *array = NULL;
798 uint32_t enum_ctx = 0;
800 NTSTATUS status, result;
801 struct dcerpc_binding_handle *b = lsa_pipe->binding_handle;
804 struct lsa_DomainList dom_list;
805 struct lsa_DomainListEx dom_list_ex;
810 * We don't run into deadlocks here, cause winbind_off() is
811 * called in the main function.
813 status = dcerpc_lsa_EnumTrustedDomainsEx(b,
820 if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_ERR(result) &&
821 dom_list_ex.count > 0) {
822 count += dom_list_ex.count;
825 status = dcerpc_lsa_EnumTrustDom(b,
832 if (!NT_STATUS_IS_OK(status)) {
835 if (!NT_STATUS_IS_OK(result)) {
836 if (!NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
841 count += dom_list.count;
844 array = talloc_realloc(mem_ctx,
846 struct netr_DomainTrust,
849 return NT_STATUS_NO_MEMORY;
852 for (i = 0; i < count; i++) {
853 struct netr_DomainTrust *trust = &array[i];
858 sid = talloc(array, struct dom_sid);
860 return NT_STATUS_NO_MEMORY;
864 trust->netbios_name = talloc_move(array,
865 &dom_list_ex.domains[i].netbios_name.string);
866 trust->dns_name = talloc_move(array,
867 &dom_list_ex.domains[i].domain_name.string);
868 if (dom_list_ex.domains[i].sid == NULL) {
869 DEBUG(0, ("Trusted Domain %s has no SID, aborting!\n", trust->dns_name));
870 return NT_STATUS_INVALID_NETWORK_RESPONSE;
872 sid_copy(sid, dom_list_ex.domains[i].sid);
874 trust->netbios_name = talloc_move(array,
875 &dom_list.domains[i].name.string);
876 trust->dns_name = NULL;
878 if (dom_list.domains[i].sid == NULL) {
879 DEBUG(0, ("Trusted Domain %s has no SID, aborting!\n", trust->netbios_name));
880 return NT_STATUS_INVALID_NETWORK_RESPONSE;
883 sid_copy(sid, dom_list.domains[i].sid);
888 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
890 *pnum_trusts = count;
896 static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx,
897 struct winbindd_domain *domain,
898 struct rpc_pipe_client *cli,
899 struct lsa_SidArray *sids,
900 struct lsa_RefDomainList **pdomains,
901 struct lsa_TransNameArray **pnames)
903 struct lsa_TransNameArray2 lsa_names2;
904 struct lsa_TransNameArray *names = *pnames;
905 uint32_t i, count = 0;
906 NTSTATUS status, result;
908 ZERO_STRUCT(lsa_names2);
909 status = dcerpc_lsa_LookupSids3(cli->binding_handle,
914 LSA_LOOKUP_NAMES_ALL,
916 LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES,
917 LSA_CLIENT_REVISION_2,
919 if (!NT_STATUS_IS_OK(status)) {
922 if (NT_STATUS_IS_ERR(result)) {
925 if (sids->num_sids != lsa_names2.count) {
926 return NT_STATUS_INVALID_NETWORK_RESPONSE;
929 names->count = lsa_names2.count;
930 names->names = talloc_array(names, struct lsa_TranslatedName,
932 if (names->names == NULL) {
933 return NT_STATUS_NO_MEMORY;
935 for (i=0; i<names->count; i++) {
936 names->names[i].sid_type = lsa_names2.names[i].sid_type;
937 names->names[i].name.string = talloc_move(
938 names->names, &lsa_names2.names[i].name.string);
939 names->names[i].sid_index = lsa_names2.names[i].sid_index;
941 if (names->names[i].sid_index == UINT32_MAX) {
944 if ((*pdomains) == NULL) {
945 return NT_STATUS_INVALID_NETWORK_RESPONSE;
947 if (names->names[i].sid_index >= (*pdomains)->count) {
948 return NT_STATUS_INVALID_NETWORK_RESPONSE;
954 NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx,
955 struct winbindd_domain *domain,
956 struct lsa_SidArray *sids,
957 struct lsa_RefDomainList **pdomains,
958 struct lsa_TransNameArray **pnames)
960 struct lsa_TransNameArray *names = *pnames;
961 struct rpc_pipe_client *cli = NULL;
962 struct policy_handle lsa_policy;
965 NTSTATUS status, result;
967 status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
968 if (!NT_STATUS_IS_OK(status)) {
972 if (cli->transport->transport == NCACN_IP_TCP) {
973 return rpc_try_lookup_sids3(mem_ctx, domain, cli, sids,
977 status = dcerpc_lsa_LookupSids(cli->binding_handle, mem_ctx,
978 &lsa_policy, sids, pdomains,
979 names, LSA_LOOKUP_NAMES_ALL,
981 if (!NT_STATUS_IS_OK(status)) {
984 if (NT_STATUS_IS_ERR(result)) {
988 if (sids->num_sids != names->count) {
989 return NT_STATUS_INVALID_NETWORK_RESPONSE;
992 for (i=0; i < names->count; i++) {
993 if (names->names[i].sid_index == UINT32_MAX) {
996 if ((*pdomains) == NULL) {
997 return NT_STATUS_INVALID_NETWORK_RESPONSE;
999 if (names->names[i].sid_index >= (*pdomains)->count) {
1000 return NT_STATUS_INVALID_NETWORK_RESPONSE;