/* This is the implementation of the lsa server code. */
#include "includes.h"
+#include "../librpc/gen_ndr/srv_lsa.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
struct lsa_info {
DOM_SID sid;
+ const char *name;
uint32 access;
enum lsa_handle_type type;
+ struct security_descriptor *sd;
};
const struct generic_mapping lsa_account_mapping = {
LSA_POLICY_ALL_ACCESS
};
+const struct generic_mapping lsa_secret_mapping = {
+ LSA_SECRET_READ,
+ LSA_SECRET_WRITE,
+ LSA_SECRET_EXECUTE,
+ LSA_SECRET_ALL_ACCESS
+};
+
+const struct generic_mapping lsa_trusted_domain_mapping = {
+ LSA_TRUSTED_DOMAIN_READ,
+ LSA_TRUSTED_DOMAIN_WRITE,
+ LSA_TRUSTED_DOMAIN_EXECUTE,
+ LSA_TRUSTED_DOMAIN_ALL_ACCESS
+};
+
/***************************************************************************
init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
***************************************************************************/
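Review bot: The two pointer members added to struct lsa_info, `name` at line 8 and `sd` at line 11, say nothing about ownership or whether they may be NULL, and since this struct is the per-handle state looked up through find_policy_by_hnd, a reader cannot tell whether releasing the handle frees them. I would put a short comment on each, e.g. `/* owned by this handle (presumably a talloc child); NULL until set */`, and confirm it against the code that fills them, which is not in this diff. The new `lsa_secret_mapping` and `lsa_trusted_domain_mapping` are also defined with external linkage like the existing `lsa_account_mapping`; unless a header declares them, `static const` keeps them file-local and out of the global namespace.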
}
switch (r->in.level) {
+ /* according to MS-LSAD 3.1.4.4.3 */
+ case LSA_POLICY_INFO_MOD:
+ case LSA_POLICY_INFO_AUDIT_FULL_SET:
+ case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
+ return NT_STATUS_INVALID_PARAMETER;
+ case LSA_POLICY_INFO_AUDIT_LOG:
+ info->audit_log.percent_full = 0;
+ info->audit_log.maximum_log_size = 0;
+ info->audit_log.retention_time = 0;
+ info->audit_log.shutdown_in_progress = 0;
+ info->audit_log.time_to_shutdown = 0;
+ info->audit_log.next_audit_record = 0;
+ status = NT_STATUS_OK;
+ break;
+ case LSA_POLICY_INFO_PD:
+ info->pd.name.string = NULL;
+ status = NT_STATUS_OK;
+ break;
+ case LSA_POLICY_INFO_REPLICA:
+ info->replica.source.string = NULL;
+ info->replica.account.string = NULL;
+ status = NT_STATUS_OK;
+ break;
+ case LSA_POLICY_INFO_QUOTA:
+ info->quota.paged_pool = 0;
+ info->quota.non_paged_pool = 0;
+ info->quota.min_wss = 0;
+ info->quota.max_wss = 0;
+ info->quota.pagefile = 0;
+ info->quota.unknown = 0;
+ status = NT_STATUS_OK;
+ break;
case LSA_POLICY_INFO_AUDIT_EVENTS:
{
struct lsa_info *handle;
struct lsa_info *info;
uint32_t acc_granted;
+ uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS &
+ ~(LSA_ACCOUNT_ADJUST_PRIVILEGES|
+ LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
+ STD_RIGHT_DELETE_ACCESS));
struct security_descriptor *psd;
size_t sd_size;
status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
&lsa_account_mapping,
- r->in.sid, LSA_POLICY_ALL_ACCESS);
+ r->in.sid, owner_access);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
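Review bot: The `owner_access` initializer added at lines 72–75 is repeated verbatim at lines 88–91 in the next hunk, so the set of rights withheld from an account's owner (adjust privileges, adjust system access, delete) now lives in two places that can drift apart. A single file-scope constant, e.g. `#define LSA_ACCOUNT_OWNER_ACCESS (LSA_ACCOUNT_ALL_ACCESS & ~(LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|STD_RIGHT_DELETE_ACCESS))`, passed to both make_lsa_object_sd calls, keeps the policy in one line and gives it a name. A one-line comment on why exactly those three rights are excluded for the owner would help the next reader as well. Both enclosing functions begin before their hunks, so their names are not visible here.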
size_t sd_size;
uint32_t des_access = r->in.access_mask;
uint32_t acc_granted;
+ uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS &
+ ~(LSA_ACCOUNT_ADJUST_PRIVILEGES|
+ LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
+ STD_RIGHT_DELETE_ACCESS));
NTSTATUS status;
/* find the connection policy handle. */
/* get the generic lsa account SD until we store it */
status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
&lsa_account_mapping,
- r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
+ r->in.sid, owner_access);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
return NT_STATUS_INVALID_HANDLE;
- if (handle->type == LSA_HANDLE_POLICY_TYPE) {
+ switch (handle->type) {
+ case LSA_HANDLE_POLICY_TYPE:
status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
&lsa_policy_mapping, NULL, 0);
- } else if (handle->type == LSA_HANDLE_ACCOUNT_TYPE) {
+ break;
+ case LSA_HANDLE_ACCOUNT_TYPE:
status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
&lsa_account_mapping,
&handle->sid, LSA_ACCOUNT_ALL_ACCESS);
- } else {
+ break;
+ default:
status = NT_STATUS_INVALID_HANDLE;
+ break;
}
if (!NT_STATUS_IS_OK(status)) {
return NT_STATUS_INVALID_HANDLE;
}
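Review bot: The LSA_HANDLE_ACCOUNT_TYPE case at lines 112–114 still builds the account's security descriptor with `LSA_ACCOUNT_ALL_ACCESS` as the owner's rights, while the hunks at lines 78–81 and 95–98 now build the descriptor used for the access check with the reduced `owner_access` (all access minus adjust-privileges, adjust-system-access and delete). The descriptor built here for an account handle therefore advertises owner rights that the open/create paths will no longer grant, which looks inconsistent; if the reduced mask is intended, line 114 should use the same value, e.g. `&handle->sid, owner_access);` with the same local declared in this function. Separately, the `if (!NT_STATUS_IS_OK(status))` after the switch at lines 121–123 turns every failure of make_lsa_object_sd, including an allocation failure, into NT_STATUS_INVALID_HANDLE; returning `status` as-is for the two non-default cases would preserve the real error. The enclosing function starts before this hunk.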
- /* get the generic lsa account SD for this SID until we store it */
+ /* get the generic lsa account SD until we store it */
status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
&lsa_account_mapping,
- r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
+ NULL, 0);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return NT_STATUS_INVALID_HANDLE;
}
- /* get the generic lsa account SD for this SID until we store it */
+ /* get the generic lsa account SD until we store it */
status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
&lsa_account_mapping,
- r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
+ NULL, 0);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
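Review bot: Both this hunk and the one at lines 124–132 replace the per-SID owner in the generic account descriptor with `NULL, 0`, and the rewritten comment `/* get the generic lsa account SD until we store it */` no longer says what "until we store it" refers to, now that struct lsa_info gains an `sd` member in this same change. If that member is where the per-handle descriptor is meant to live, a comment such as `/* TODO: use handle->sd once it is populated; an ownerless generic SD is built here meanwhile */` would tie the two together — confirm the intent, since the code that fills `sd` is not in this diff. Each enclosing function starts before its hunk.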
NULL, 0,
LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
- &acc_granted, "_lsa_AddAccountRights" );
+ &acc_granted, "_lsa_RemoveAccountRights");
if (!NT_STATUS_IS_OK(status)) {
return status;
}