2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
29 /* This is the implementation of the lsa server code. */
32 #include "../librpc/gen_ndr/srv_lsa.h"
34 #include "../librpc/gen_ndr/netlogon.h"
35 #include "rpc_client/init_lsa.h"
38 #define DBGC_CLASS DBGC_RPC_SRV
40 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
44 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
50 enum lsa_handle_type type;
51 struct security_descriptor *sd;
54 const struct generic_mapping lsa_account_mapping = {
58 LSA_ACCOUNT_ALL_ACCESS
61 const struct generic_mapping lsa_policy_mapping = {
68 const struct generic_mapping lsa_secret_mapping = {
75 const struct generic_mapping lsa_trusted_domain_mapping = {
76 LSA_TRUSTED_DOMAIN_READ,
77 LSA_TRUSTED_DOMAIN_WRITE,
78 LSA_TRUSTED_DOMAIN_EXECUTE,
79 LSA_TRUSTED_DOMAIN_ALL_ACCESS
82 /***************************************************************************
83 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
84 ***************************************************************************/
86 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
87 struct lsa_RefDomainList *ref,
89 struct dom_sid *dom_sid)
93 if (dom_name != NULL) {
94 for (num = 0; num < ref->count; num++) {
95 if (sid_equal(dom_sid, ref->domains[num].sid)) {
103 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
104 /* index not found, already at maximum domain limit */
108 ref->count = num + 1;
109 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
111 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
112 struct lsa_DomainInfo, ref->count);
117 ZERO_STRUCT(ref->domains[num]);
119 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
120 ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
121 if (!ref->domains[num].sid) {
129 /***************************************************************************
130 initialize a lsa_DomainInfo structure.
131 ***************************************************************************/
133 static void init_dom_query_3(struct lsa_DomainInfo *r,
137 init_lsa_StringLarge(&r->name, name);
141 /***************************************************************************
142 initialize a lsa_DomainInfo structure.
143 ***************************************************************************/
145 static void init_dom_query_5(struct lsa_DomainInfo *r,
149 init_lsa_StringLarge(&r->name, name);
153 /***************************************************************************
154 lookup_lsa_rids. Must be called as root for lookup_name to work.
155 ***************************************************************************/
157 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
158 struct lsa_RefDomainList *ref,
159 struct lsa_TranslatedSid *prid,
160 uint32_t num_entries,
161 struct lsa_String *name,
163 uint32_t *pmapped_count)
165 uint32 mapped_count, i;
167 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
172 for (i = 0; i < num_entries; i++) {
176 const char *full_name;
178 enum lsa_SidType type = SID_NAME_UNKNOWN;
180 /* Split name into domain and user component */
182 /* follow w2k8 behavior and return the builtin domain when no
183 * input has been passed in */
185 if (name[i].string) {
186 full_name = name[i].string;
188 full_name = "BUILTIN";
191 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
193 /* We can ignore the result of lookup_name, it will not touch
194 "type" if it's not successful */
196 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
201 case SID_NAME_DOM_GRP:
202 case SID_NAME_DOMAIN:
204 case SID_NAME_WKN_GRP:
205 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
206 /* Leave these unchanged */
209 /* Don't hand out anything but the list above */
210 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
211 type = SID_NAME_UNKNOWN;
218 if (type != SID_NAME_UNKNOWN) {
219 if (type == SID_NAME_DOMAIN) {
222 sid_split_rid(&sid, &rid);
224 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
228 prid[i].sid_type = type;
230 prid[i].sid_index = dom_idx;
233 *pmapped_count = mapped_count;
237 /***************************************************************************
238 lookup_lsa_sids. Must be called as root for lookup_name to work.
239 ***************************************************************************/
241 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
242 struct lsa_RefDomainList *ref,
243 struct lsa_TranslatedSid3 *trans_sids,
244 uint32_t num_entries,
245 struct lsa_String *name,
247 uint32 *pmapped_count)
249 uint32 mapped_count, i;
251 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
256 for (i = 0; i < num_entries; i++) {
260 const char *full_name;
262 enum lsa_SidType type = SID_NAME_UNKNOWN;
266 /* Split name into domain and user component */
268 full_name = name[i].string;
269 if (full_name == NULL) {
270 return NT_STATUS_NO_MEMORY;
273 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
275 /* We can ignore the result of lookup_name, it will not touch
276 "type" if it's not successful */
278 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
283 case SID_NAME_DOM_GRP:
284 case SID_NAME_DOMAIN:
286 case SID_NAME_WKN_GRP:
287 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
288 /* Leave these unchanged */
291 /* Don't hand out anything but the list above */
292 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
293 type = SID_NAME_UNKNOWN;
300 if (type != SID_NAME_UNKNOWN) {
301 struct dom_sid domain_sid;
302 sid_copy(&domain_sid, &sid);
303 sid_split_rid(&domain_sid, &rid);
304 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
308 /* Initialize the lsa_TranslatedSid3 return. */
309 trans_sids[i].sid_type = type;
310 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
311 trans_sids[i].sid_index = dom_idx;
314 *pmapped_count = mapped_count;
318 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, struct security_descriptor **sd, size_t *sd_size,
319 const struct generic_mapping *map,
320 struct dom_sid *sid, uint32_t sid_access)
322 struct dom_sid adm_sid;
323 struct security_ace ace[5];
326 struct security_acl *psa = NULL;
328 /* READ|EXECUTE access for Everyone */
330 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
331 map->generic_execute | map->generic_read, 0);
333 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
335 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
336 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
337 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
338 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
340 /* Add Full Access for Domain Admins */
341 sid_compose(&adm_sid, get_global_sam_sid(), DOMAIN_RID_ADMINS);
342 init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
343 map->generic_all, 0);
345 /* If we have a sid, give it some special access */
348 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
352 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
353 return NT_STATUS_NO_MEMORY;
355 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
356 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
357 psa, sd_size)) == NULL)
358 return NT_STATUS_NO_MEMORY;
364 /***************************************************************************
366 ***************************************************************************/
368 NTSTATUS _lsa_OpenPolicy2(struct pipes_struct *p,
369 struct lsa_OpenPolicy2 *r)
371 struct lsa_info *info;
372 struct security_descriptor *psd = NULL;
374 uint32 des_access = r->in.access_mask;
378 /* Work out max allowed. */
379 map_max_allowed_access(p->server_info->ptok,
380 &p->server_info->utok,
383 /* map the generic bits to the lsa policy ones */
384 se_map_generic(&des_access, &lsa_policy_mapping);
386 /* get the generic lsa policy SD until we store it */
387 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
389 if (!NT_STATUS_IS_OK(status)) {
393 status = access_check_object(psd, p->server_info->ptok,
395 &acc_granted, "_lsa_OpenPolicy2" );
396 if (!NT_STATUS_IS_OK(status)) {
400 /* associate the domain SID with the (unique) handle. */
401 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
403 return NT_STATUS_NO_MEMORY;
406 sid_copy(&info->sid,get_global_sam_sid());
407 info->access = acc_granted;
408 info->type = LSA_HANDLE_POLICY_TYPE;
410 /* set up the LSA QUERY INFO response */
411 if (!create_policy_hnd(p, r->out.handle, info))
412 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
417 /***************************************************************************
419 ***************************************************************************/
421 NTSTATUS _lsa_OpenPolicy(struct pipes_struct *p,
422 struct lsa_OpenPolicy *r)
424 struct lsa_OpenPolicy2 o;
426 o.in.system_name = NULL; /* should be ignored */
427 o.in.attr = r->in.attr;
428 o.in.access_mask = r->in.access_mask;
430 o.out.handle = r->out.handle;
432 return _lsa_OpenPolicy2(p, &o);
435 /***************************************************************************
436 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
438 ***************************************************************************/
440 NTSTATUS _lsa_EnumTrustDom(struct pipes_struct *p,
441 struct lsa_EnumTrustDom *r)
443 struct lsa_info *info;
445 struct trustdom_info **domains;
446 struct lsa_DomainInfo *entries;
450 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
451 return NT_STATUS_INVALID_HANDLE;
453 if (info->type != LSA_HANDLE_POLICY_TYPE) {
454 return NT_STATUS_INVALID_HANDLE;
457 /* check if the user has enough rights */
458 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
459 return NT_STATUS_ACCESS_DENIED;
462 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &count, &domains);
465 if (!NT_STATUS_IS_OK(nt_status)) {
469 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo, count);
471 return NT_STATUS_NO_MEMORY;
474 for (i=0; i<count; i++) {
475 init_lsa_StringLarge(&entries[i].name, domains[i]->name);
476 entries[i].sid = &domains[i]->sid;
479 if (*r->in.resume_handle >= count) {
480 *r->out.resume_handle = -1;
481 TALLOC_FREE(entries);
482 return NT_STATUS_NO_MORE_ENTRIES;
485 /* return the rest, limit by max_size. Note that we
486 use the w2k3 element size value of 60 */
487 r->out.domains->count = count - *r->in.resume_handle;
488 r->out.domains->count = MIN(r->out.domains->count,
489 1+(r->in.max_size/LSA_ENUM_TRUST_DOMAIN_MULTIPLIER));
491 r->out.domains->domains = entries + *r->in.resume_handle;
493 if (r->out.domains->count < count - *r->in.resume_handle) {
494 *r->out.resume_handle = *r->in.resume_handle + r->out.domains->count;
495 return STATUS_MORE_ENTRIES;
498 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
499 * always be larger than the previous input resume handle, in
500 * particular when hitting the last query it is vital to set the
501 * resume handle correctly to avoid infinite client loops, as
502 * seen e.g. with Windows XP SP3 when resume handle is 0 and
503 * status is NT_STATUS_OK - gd */
505 *r->out.resume_handle = (uint32_t)-1;
510 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
511 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
512 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
514 /***************************************************************************
516 ***************************************************************************/
518 NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
519 struct lsa_QueryInfoPolicy *r)
521 NTSTATUS status = NT_STATUS_OK;
522 struct lsa_info *handle;
523 struct dom_sid domain_sid;
525 struct dom_sid *sid = NULL;
526 union lsa_PolicyInformation *info = NULL;
527 uint32_t acc_required = 0;
529 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
530 return NT_STATUS_INVALID_HANDLE;
532 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
533 return NT_STATUS_INVALID_HANDLE;
536 switch (r->in.level) {
537 case LSA_POLICY_INFO_AUDIT_LOG:
538 case LSA_POLICY_INFO_AUDIT_EVENTS:
539 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
541 case LSA_POLICY_INFO_DOMAIN:
542 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
544 case LSA_POLICY_INFO_PD:
545 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
547 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
548 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
550 case LSA_POLICY_INFO_ROLE:
551 case LSA_POLICY_INFO_REPLICA:
552 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
554 case LSA_POLICY_INFO_QUOTA:
555 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
557 case LSA_POLICY_INFO_MOD:
558 case LSA_POLICY_INFO_AUDIT_FULL_SET:
559 /* according to MS-LSAD 3.1.4.4.3 */
560 return NT_STATUS_INVALID_PARAMETER;
561 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
562 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
564 case LSA_POLICY_INFO_DNS:
565 case LSA_POLICY_INFO_DNS_INT:
566 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
567 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
573 if (!(handle->access & acc_required)) {
574 /* return NT_STATUS_ACCESS_DENIED; */
577 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
579 return NT_STATUS_NO_MEMORY;
582 switch (r->in.level) {
583 /* according to MS-LSAD 3.1.4.4.3 */
584 case LSA_POLICY_INFO_MOD:
585 case LSA_POLICY_INFO_AUDIT_FULL_SET:
586 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
587 return NT_STATUS_INVALID_PARAMETER;
588 case LSA_POLICY_INFO_AUDIT_LOG:
589 info->audit_log.percent_full = 0;
590 info->audit_log.maximum_log_size = 0;
591 info->audit_log.retention_time = 0;
592 info->audit_log.shutdown_in_progress = 0;
593 info->audit_log.time_to_shutdown = 0;
594 info->audit_log.next_audit_record = 0;
595 status = NT_STATUS_OK;
597 case LSA_POLICY_INFO_PD:
598 info->pd.name.string = NULL;
599 status = NT_STATUS_OK;
601 case LSA_POLICY_INFO_REPLICA:
602 info->replica.source.string = NULL;
603 info->replica.account.string = NULL;
604 status = NT_STATUS_OK;
606 case LSA_POLICY_INFO_QUOTA:
607 info->quota.paged_pool = 0;
608 info->quota.non_paged_pool = 0;
609 info->quota.min_wss = 0;
610 info->quota.max_wss = 0;
611 info->quota.pagefile = 0;
612 info->quota.unknown = 0;
613 status = NT_STATUS_OK;
615 case LSA_POLICY_INFO_AUDIT_EVENTS:
618 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
620 /* check if the user has enough rights */
621 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
622 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
623 return NT_STATUS_ACCESS_DENIED;
626 /* fake info: We audit everything. ;) */
628 info->audit_events.auditing_mode = true;
629 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
630 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
631 enum lsa_PolicyAuditPolicy,
632 info->audit_events.count);
633 if (!info->audit_events.settings) {
634 return NT_STATUS_NO_MEMORY;
637 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
638 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
639 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
640 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
641 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
642 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
643 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
647 case LSA_POLICY_INFO_DOMAIN:
648 /* check if the user has enough rights */
649 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
650 return NT_STATUS_ACCESS_DENIED;
652 /* Request PolicyPrimaryDomainInformation. */
653 switch (lp_server_role()) {
654 case ROLE_DOMAIN_PDC:
655 case ROLE_DOMAIN_BDC:
656 name = get_global_sam_name();
657 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
659 return NT_STATUS_NO_MEMORY;
662 case ROLE_DOMAIN_MEMBER:
663 name = lp_workgroup();
664 /* We need to return the Domain SID here. */
665 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
666 sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
668 return NT_STATUS_NO_MEMORY;
671 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
674 case ROLE_STANDALONE:
675 name = lp_workgroup();
679 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
681 init_dom_query_3(&info->domain, name, sid);
683 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
684 /* check if the user has enough rights */
685 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
686 return NT_STATUS_ACCESS_DENIED;
688 /* Request PolicyAccountDomainInformation. */
689 name = get_global_sam_name();
690 sid = get_global_sam_sid();
692 init_dom_query_5(&info->account_domain, name, sid);
694 case LSA_POLICY_INFO_ROLE:
695 /* check if the user has enough rights */
696 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
697 return NT_STATUS_ACCESS_DENIED;
699 switch (lp_server_role()) {
700 case ROLE_DOMAIN_BDC:
702 * only a BDC is a backup controller
703 * of the domain, it controls.
705 info->role.role = LSA_ROLE_BACKUP;
709 * any other role is a primary
710 * of the domain, it controls.
712 info->role.role = LSA_ROLE_PRIMARY;
716 case LSA_POLICY_INFO_DNS:
717 case LSA_POLICY_INFO_DNS_INT: {
718 struct pdb_domain_info *dominfo;
720 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
721 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
722 "without ADS passdb backend\n"));
723 status = NT_STATUS_INVALID_INFO_CLASS;
727 dominfo = pdb_get_domain_info(info);
728 if (dominfo == NULL) {
729 status = NT_STATUS_NO_MEMORY;
733 init_lsa_StringLarge(&info->dns.name,
735 init_lsa_StringLarge(&info->dns.dns_domain,
736 dominfo->dns_domain);
737 init_lsa_StringLarge(&info->dns.dns_forest,
738 dominfo->dns_forest);
739 info->dns.domain_guid = dominfo->guid;
740 info->dns.sid = &dominfo->sid;
744 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
746 status = NT_STATUS_INVALID_INFO_CLASS;
755 /***************************************************************************
756 _lsa_QueryInfoPolicy2
757 ***************************************************************************/
759 NTSTATUS _lsa_QueryInfoPolicy2(struct pipes_struct *p,
760 struct lsa_QueryInfoPolicy2 *r2)
762 struct lsa_QueryInfoPolicy r;
764 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
765 p->rng_fault_state = True;
766 return NT_STATUS_NOT_IMPLEMENTED;
770 r.in.handle = r2->in.handle;
771 r.in.level = r2->in.level;
772 r.out.info = r2->out.info;
774 return _lsa_QueryInfoPolicy(p, &r);
777 /***************************************************************************
778 _lsa_lookup_sids_internal
779 ***************************************************************************/
781 static NTSTATUS _lsa_lookup_sids_internal(struct pipes_struct *p,
783 uint16_t level, /* input */
784 int num_sids, /* input */
785 struct lsa_SidPtr *sid, /* input */
786 struct lsa_RefDomainList **pp_ref, /* input/output */
787 struct lsa_TranslatedName2 **pp_names,/* input/output */
788 uint32_t *pp_mapped_count) /* input/output */
792 const struct dom_sid **sids = NULL;
793 struct lsa_RefDomainList *ref = NULL;
794 uint32 mapped_count = 0;
795 struct lsa_dom_info *dom_infos = NULL;
796 struct lsa_name_info *name_infos = NULL;
797 struct lsa_TranslatedName2 *names = NULL;
799 *pp_mapped_count = 0;
807 sids = TALLOC_ARRAY(p->mem_ctx, const struct dom_sid *, num_sids);
808 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
810 if (sids == NULL || ref == NULL) {
811 return NT_STATUS_NO_MEMORY;
814 for (i=0; i<num_sids; i++) {
815 sids[i] = sid[i].sid;
818 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
819 &dom_infos, &name_infos);
821 if (!NT_STATUS_IS_OK(status)) {
825 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
827 return NT_STATUS_NO_MEMORY;
830 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
832 if (!dom_infos[i].valid) {
836 if (init_lsa_ref_domain_list(mem_ctx, ref,
838 &dom_infos[i].sid) != i) {
839 DEBUG(0, ("Domain %s mentioned twice??\n",
841 return NT_STATUS_INTERNAL_ERROR;
845 for (i=0; i<num_sids; i++) {
846 struct lsa_name_info *name = &name_infos[i];
848 if (name->type == SID_NAME_UNKNOWN) {
851 /* Unknown sids should return the string
852 * representation of the SID. Windows 2003 behaves
853 * rather erratic here, in many cases it returns the
854 * RID as 8 bytes hex, in others it returns the full
855 * SID. We (Jerry/VL) could not figure out which the
856 * hard cases are, so leave it with the SID. */
857 name->name = talloc_asprintf(p->mem_ctx, "%s",
860 if (name->name == NULL) {
861 return NT_STATUS_NO_MEMORY;
867 names[i].sid_type = name->type;
868 names[i].name.string = name->name;
869 names[i].sid_index = name->dom_idx;
870 names[i].unknown = 0;
873 status = NT_STATUS_NONE_MAPPED;
874 if (mapped_count > 0) {
875 status = (mapped_count < num_sids) ?
876 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
879 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
880 num_sids, mapped_count, nt_errstr(status)));
882 *pp_mapped_count = mapped_count;
889 /***************************************************************************
891 ***************************************************************************/
893 NTSTATUS _lsa_LookupSids(struct pipes_struct *p,
894 struct lsa_LookupSids *r)
897 struct lsa_info *handle;
898 int num_sids = r->in.sids->num_sids;
899 uint32 mapped_count = 0;
900 struct lsa_RefDomainList *domains = NULL;
901 struct lsa_TranslatedName *names_out = NULL;
902 struct lsa_TranslatedName2 *names = NULL;
905 if ((r->in.level < 1) || (r->in.level > 6)) {
906 return NT_STATUS_INVALID_PARAMETER;
909 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
910 return NT_STATUS_INVALID_HANDLE;
913 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
914 return NT_STATUS_INVALID_HANDLE;
917 /* check if the user has enough rights */
918 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
919 return NT_STATUS_ACCESS_DENIED;
922 if (num_sids > MAX_LOOKUP_SIDS) {
923 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
924 MAX_LOOKUP_SIDS, num_sids));
925 return NT_STATUS_NONE_MAPPED;
928 status = _lsa_lookup_sids_internal(p,
937 /* Only return here when there is a real error.
938 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
939 the requested sids could be resolved. Older versions of XP (pre SP3)
940 rely that we return with the string representations of those SIDs in
941 that case. If we don't, XP crashes - Guenther
944 if (NT_STATUS_IS_ERR(status) &&
945 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
949 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
950 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
953 return NT_STATUS_NO_MEMORY;
956 for (i=0; i<num_sids; i++) {
957 names_out[i].sid_type = names[i].sid_type;
958 names_out[i].name = names[i].name;
959 names_out[i].sid_index = names[i].sid_index;
962 *r->out.domains = domains;
963 r->out.names->count = num_sids;
964 r->out.names->names = names_out;
965 *r->out.count = mapped_count;
970 /***************************************************************************
972 ***************************************************************************/
974 NTSTATUS _lsa_LookupSids2(struct pipes_struct *p,
975 struct lsa_LookupSids2 *r)
978 struct lsa_info *handle;
979 int num_sids = r->in.sids->num_sids;
980 uint32 mapped_count = 0;
981 struct lsa_RefDomainList *domains = NULL;
982 struct lsa_TranslatedName2 *names = NULL;
983 bool check_policy = true;
986 case NDR_LSA_LOOKUPSIDS3:
987 check_policy = false;
989 case NDR_LSA_LOOKUPSIDS2:
994 if ((r->in.level < 1) || (r->in.level > 6)) {
995 return NT_STATUS_INVALID_PARAMETER;
999 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1000 return NT_STATUS_INVALID_HANDLE;
1003 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1004 return NT_STATUS_INVALID_HANDLE;
1007 /* check if the user has enough rights */
1008 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1009 return NT_STATUS_ACCESS_DENIED;
1013 if (num_sids > MAX_LOOKUP_SIDS) {
1014 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
1015 MAX_LOOKUP_SIDS, num_sids));
1016 return NT_STATUS_NONE_MAPPED;
1019 status = _lsa_lookup_sids_internal(p,
1028 *r->out.domains = domains;
1029 r->out.names->count = num_sids;
1030 r->out.names->names = names;
1031 *r->out.count = mapped_count;
1036 /***************************************************************************
1038 ***************************************************************************/
1040 NTSTATUS _lsa_LookupSids3(struct pipes_struct *p,
1041 struct lsa_LookupSids3 *r)
1043 struct lsa_LookupSids2 q;
1045 /* No policy handle on this call. Restrict to crypto connections. */
1046 if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1047 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
1048 get_remote_machine_name() ));
1049 return NT_STATUS_INVALID_PARAMETER;
1053 q.in.sids = r->in.sids;
1054 q.in.level = r->in.level;
1055 q.in.lookup_options = r->in.lookup_options;
1056 q.in.client_revision = r->in.client_revision;
1057 q.in.names = r->in.names;
1058 q.in.count = r->in.count;
1060 q.out.domains = r->out.domains;
1061 q.out.names = r->out.names;
1062 q.out.count = r->out.count;
1064 return _lsa_LookupSids2(p, &q);
1067 /***************************************************************************
1068 ***************************************************************************/
1070 static int lsa_lookup_level_to_flags(enum lsa_LookupNamesLevel level)
1075 case LSA_LOOKUP_NAMES_ALL: /* 1 */
1076 flags = LOOKUP_NAME_ALL;
1078 case LSA_LOOKUP_NAMES_DOMAINS_ONLY: /* 2 */
1079 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1081 case LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY: /* 3 */
1082 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1084 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY: /* 4 */
1085 case LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY: /* 5 */
1086 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2: /* 6 */
1087 case LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC: /* 7 */
1089 flags = LOOKUP_NAME_NONE;
1096 /***************************************************************************
1098 ***************************************************************************/
1100 NTSTATUS _lsa_LookupNames(struct pipes_struct *p,
1101 struct lsa_LookupNames *r)
1103 NTSTATUS status = NT_STATUS_NONE_MAPPED;
1104 struct lsa_info *handle;
1105 struct lsa_String *names = r->in.names;
1106 uint32 num_entries = r->in.num_names;
1107 struct lsa_RefDomainList *domains = NULL;
1108 struct lsa_TranslatedSid *rids = NULL;
1109 uint32 mapped_count = 0;
1112 if (num_entries > MAX_LOOKUP_SIDS) {
1113 num_entries = MAX_LOOKUP_SIDS;
1114 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1118 flags = lsa_lookup_level_to_flags(r->in.level);
1120 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1122 return NT_STATUS_NO_MEMORY;
1126 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1129 return NT_STATUS_NO_MEMORY;
1135 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1136 status = NT_STATUS_INVALID_HANDLE;
1140 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1141 return NT_STATUS_INVALID_HANDLE;
1144 /* check if the user has enough rights */
1145 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1146 status = NT_STATUS_ACCESS_DENIED;
1150 /* set up the LSA Lookup RIDs response */
1151 become_root(); /* lookup_name can require root privs */
1152 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1153 names, flags, &mapped_count);
1158 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1159 if (mapped_count == 0) {
1160 status = NT_STATUS_NONE_MAPPED;
1161 } else if (mapped_count != num_entries) {
1162 status = STATUS_SOME_UNMAPPED;
1166 *r->out.count = mapped_count;
1167 *r->out.domains = domains;
1168 r->out.sids->sids = rids;
1169 r->out.sids->count = num_entries;
1174 /***************************************************************************
1176 ***************************************************************************/
1178 NTSTATUS _lsa_LookupNames2(struct pipes_struct *p,
1179 struct lsa_LookupNames2 *r)
1182 struct lsa_LookupNames q;
1183 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1184 struct lsa_TransSidArray *sid_array = NULL;
1187 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1189 return NT_STATUS_NO_MEMORY;
1192 q.in.handle = r->in.handle;
1193 q.in.num_names = r->in.num_names;
1194 q.in.names = r->in.names;
1195 q.in.level = r->in.level;
1196 q.in.sids = sid_array;
1197 q.in.count = r->in.count;
1198 /* we do not know what this is for */
1199 /* = r->in.unknown1; */
1200 /* = r->in.unknown2; */
1202 q.out.domains = r->out.domains;
1203 q.out.sids = sid_array;
1204 q.out.count = r->out.count;
1206 status = _lsa_LookupNames(p, &q);
1208 sid_array2->count = sid_array->count;
1209 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1210 if (!sid_array2->sids) {
1211 return NT_STATUS_NO_MEMORY;
1214 for (i=0; i<sid_array->count; i++) {
1215 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1216 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1217 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1218 sid_array2->sids[i].unknown = 0;
1221 r->out.sids = sid_array2;
1226 /***************************************************************************
1228 ***************************************************************************/
1230 NTSTATUS _lsa_LookupNames3(struct pipes_struct *p,
1231 struct lsa_LookupNames3 *r)
1234 struct lsa_info *handle;
1235 struct lsa_String *names = r->in.names;
1236 uint32 num_entries = r->in.num_names;
1237 struct lsa_RefDomainList *domains = NULL;
1238 struct lsa_TranslatedSid3 *trans_sids = NULL;
1239 uint32 mapped_count = 0;
1241 bool check_policy = true;
1244 case NDR_LSA_LOOKUPNAMES4:
1245 check_policy = false;
1247 case NDR_LSA_LOOKUPNAMES3:
1249 check_policy = true;
1252 if (num_entries > MAX_LOOKUP_SIDS) {
1253 num_entries = MAX_LOOKUP_SIDS;
1254 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1257 /* Probably the lookup_level is some sort of bitmask. */
1258 if (r->in.level == 1) {
1259 flags = LOOKUP_NAME_ALL;
1262 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1264 return NT_STATUS_NO_MEMORY;
1268 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1271 return NT_STATUS_NO_MEMORY;
1279 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1280 status = NT_STATUS_INVALID_HANDLE;
1284 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1285 return NT_STATUS_INVALID_HANDLE;
1288 /* check if the user has enough rights */
1289 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1290 status = NT_STATUS_ACCESS_DENIED;
1295 /* set up the LSA Lookup SIDs response */
1296 become_root(); /* lookup_name can require root privs */
1297 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1298 names, flags, &mapped_count);
1303 if (NT_STATUS_IS_OK(status)) {
1304 if (mapped_count == 0) {
1305 status = NT_STATUS_NONE_MAPPED;
1306 } else if (mapped_count != num_entries) {
1307 status = STATUS_SOME_UNMAPPED;
1311 *r->out.count = mapped_count;
1312 *r->out.domains = domains;
1313 r->out.sids->sids = trans_sids;
1314 r->out.sids->count = num_entries;
1319 /***************************************************************************
1321 ***************************************************************************/
1323 NTSTATUS _lsa_LookupNames4(struct pipes_struct *p,
1324 struct lsa_LookupNames4 *r)
1326 struct lsa_LookupNames3 q;
1328 /* No policy handle on this call. Restrict to crypto connections. */
1329 if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1330 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1331 get_remote_machine_name() ));
1332 return NT_STATUS_INVALID_PARAMETER;
1336 q.in.num_names = r->in.num_names;
1337 q.in.names = r->in.names;
1338 q.in.level = r->in.level;
1339 q.in.lookup_options = r->in.lookup_options;
1340 q.in.client_revision = r->in.client_revision;
1341 q.in.sids = r->in.sids;
1342 q.in.count = r->in.count;
1344 q.out.domains = r->out.domains;
1345 q.out.sids = r->out.sids;
1346 q.out.count = r->out.count;
1348 return _lsa_LookupNames3(p, &q);
1351 /***************************************************************************
1352 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1353 ***************************************************************************/
1355 NTSTATUS _lsa_Close(struct pipes_struct *p, struct lsa_Close *r)
1357 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1358 return NT_STATUS_INVALID_HANDLE;
1361 close_policy_hnd(p, r->in.handle);
1362 ZERO_STRUCTP(r->out.handle);
1363 return NT_STATUS_OK;
1366 /***************************************************************************
1367 ***************************************************************************/
1369 NTSTATUS _lsa_OpenSecret(struct pipes_struct *p, struct lsa_OpenSecret *r)
1371 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1374 /***************************************************************************
1375 ***************************************************************************/
1377 NTSTATUS _lsa_OpenTrustedDomain(struct pipes_struct *p,
1378 struct lsa_OpenTrustedDomain *r)
1380 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1383 /***************************************************************************
1384 ***************************************************************************/
1386 NTSTATUS _lsa_CreateTrustedDomain(struct pipes_struct *p,
1387 struct lsa_CreateTrustedDomain *r)
1389 return NT_STATUS_ACCESS_DENIED;
1392 /***************************************************************************
1393 ***************************************************************************/
1395 NTSTATUS _lsa_CreateSecret(struct pipes_struct *p, struct lsa_CreateSecret *r)
1397 return NT_STATUS_ACCESS_DENIED;
1400 /***************************************************************************
1401 ***************************************************************************/
1403 NTSTATUS _lsa_SetSecret(struct pipes_struct *p, struct lsa_SetSecret *r)
1405 return NT_STATUS_ACCESS_DENIED;
1408 /***************************************************************************
1410 ***************************************************************************/
1412 NTSTATUS _lsa_DeleteObject(struct pipes_struct *p,
1413 struct lsa_DeleteObject *r)
1416 struct lsa_info *info = NULL;
1418 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1419 return NT_STATUS_INVALID_HANDLE;
1422 if (!(info->access & SEC_STD_DELETE)) {
1423 return NT_STATUS_ACCESS_DENIED;
1426 switch (info->type) {
1427 case LSA_HANDLE_ACCOUNT_TYPE:
1428 status = privilege_delete_account(&info->sid);
1429 if (!NT_STATUS_IS_OK(status)) {
1430 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1431 nt_errstr(status)));
1436 return NT_STATUS_INVALID_HANDLE;
1439 close_policy_hnd(p, r->in.handle);
1440 ZERO_STRUCTP(r->out.handle);
1445 /***************************************************************************
1447 ***************************************************************************/
1449 NTSTATUS _lsa_EnumPrivs(struct pipes_struct *p,
1450 struct lsa_EnumPrivs *r)
1452 struct lsa_info *handle;
1454 uint32 enum_context = *r->in.resume_handle;
1455 int num_privs = count_all_privileges();
1456 struct lsa_PrivEntry *entries = NULL;
1457 struct lsa_LUIDAttribute luid;
1459 /* remember that the enum_context starts at 0 and not 1 */
1461 if ( enum_context >= num_privs )
1462 return NT_STATUS_NO_MORE_ENTRIES;
1464 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1465 enum_context, num_privs));
1467 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1468 return NT_STATUS_INVALID_HANDLE;
1470 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1471 return NT_STATUS_INVALID_HANDLE;
1474 /* check if the user has enough rights
1475 I don't know if it's the right one. not documented. */
1477 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1478 return NT_STATUS_ACCESS_DENIED;
1481 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1483 return NT_STATUS_NO_MEMORY;
1489 for (i = 0; i < num_privs; i++) {
1490 if( i < enum_context) {
1492 init_lsa_StringLarge(&entries[i].name, NULL);
1494 entries[i].luid.low = 0;
1495 entries[i].luid.high = 0;
1498 init_lsa_StringLarge(&entries[i].name, privs[i].name);
1500 luid = get_privilege_luid( &privs[i].privilege_mask );
1502 entries[i].luid.low = luid.luid.low;
1503 entries[i].luid.high = luid.luid.high;
1507 enum_context = num_privs;
1509 *r->out.resume_handle = enum_context;
1510 r->out.privs->count = num_privs;
1511 r->out.privs->privs = entries;
1513 return NT_STATUS_OK;
1516 /***************************************************************************
1517 _lsa_LookupPrivDisplayName
1518 ***************************************************************************/
1520 NTSTATUS _lsa_LookupPrivDisplayName(struct pipes_struct *p,
1521 struct lsa_LookupPrivDisplayName *r)
1523 struct lsa_info *handle;
1524 const char *description;
1525 struct lsa_StringLarge *lsa_name;
1527 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1528 return NT_STATUS_INVALID_HANDLE;
1530 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1531 return NT_STATUS_INVALID_HANDLE;
1534 /* check if the user has enough rights */
1537 * I don't know if it's the right one. not documented.
1539 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1540 return NT_STATUS_ACCESS_DENIED;
1542 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1544 description = get_privilege_dispname(r->in.name->string);
1546 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1547 return NT_STATUS_NO_SUCH_PRIVILEGE;
1550 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1552 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1554 return NT_STATUS_NO_MEMORY;
1557 init_lsa_StringLarge(lsa_name, description);
1559 *r->out.returned_language_id = r->in.language_id;
1560 *r->out.disp_name = lsa_name;
1562 return NT_STATUS_OK;
1565 /***************************************************************************
1567 ***************************************************************************/
1569 NTSTATUS _lsa_EnumAccounts(struct pipes_struct *p,
1570 struct lsa_EnumAccounts *r)
1572 struct lsa_info *handle;
1573 struct dom_sid *sid_list;
1574 int i, j, num_entries;
1576 struct lsa_SidPtr *sids = NULL;
1578 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1579 return NT_STATUS_INVALID_HANDLE;
1581 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1582 return NT_STATUS_INVALID_HANDLE;
1585 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1586 return NT_STATUS_ACCESS_DENIED;
1591 /* The only way we can currently find out all the SIDs that have been
1592 privileged is to scan all privileges */
1594 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1595 if (!NT_STATUS_IS_OK(status)) {
1599 if (*r->in.resume_handle >= num_entries) {
1600 return NT_STATUS_NO_MORE_ENTRIES;
1603 if (num_entries - *r->in.resume_handle) {
1604 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1605 num_entries - *r->in.resume_handle);
1607 talloc_free(sid_list);
1608 return NT_STATUS_NO_MEMORY;
1611 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1612 sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1614 talloc_free(sid_list);
1615 return NT_STATUS_NO_MEMORY;
1620 talloc_free(sid_list);
1622 *r->out.resume_handle = num_entries;
1623 r->out.sids->num_sids = num_entries;
1624 r->out.sids->sids = sids;
1626 return NT_STATUS_OK;
1629 /***************************************************************************
1631 ***************************************************************************/
1633 NTSTATUS _lsa_GetUserName(struct pipes_struct *p,
1634 struct lsa_GetUserName *r)
1636 const char *username, *domname;
1637 struct lsa_String *account_name = NULL;
1638 struct lsa_String *authority_name = NULL;
1640 if (r->in.account_name &&
1641 *r->in.account_name) {
1642 return NT_STATUS_INVALID_PARAMETER;
1645 if (r->in.authority_name &&
1646 *r->in.authority_name) {
1647 return NT_STATUS_INVALID_PARAMETER;
1650 if (p->server_info->guest) {
1652 * I'm 99% sure this is not the right place to do this,
1653 * global_sid_Anonymous should probably be put into the token
1654 * instead of the guest id -- vl
1656 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1657 &domname, &username, NULL)) {
1658 return NT_STATUS_NO_MEMORY;
1661 username = p->server_info->sanitized_username;
1662 domname = p->server_info->info3->base.domain.string;
1665 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1666 if (!account_name) {
1667 return NT_STATUS_NO_MEMORY;
1669 init_lsa_String(account_name, username);
1671 if (r->out.authority_name) {
1672 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1673 if (!authority_name) {
1674 return NT_STATUS_NO_MEMORY;
1676 init_lsa_String(authority_name, domname);
1679 *r->out.account_name = account_name;
1680 if (r->out.authority_name) {
1681 *r->out.authority_name = authority_name;
1684 return NT_STATUS_OK;
1687 /***************************************************************************
1689 ***************************************************************************/
1691 NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
1692 struct lsa_CreateAccount *r)
1695 struct lsa_info *handle;
1696 struct lsa_info *info;
1697 uint32_t acc_granted;
1698 struct security_descriptor *psd;
1701 /* find the connection policy handle. */
1702 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1703 return NT_STATUS_INVALID_HANDLE;
1705 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1706 return NT_STATUS_INVALID_HANDLE;
1709 /* check if the user has enough rights */
1711 if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
1712 return NT_STATUS_ACCESS_DENIED;
1715 /* Work out max allowed. */
1716 map_max_allowed_access(p->server_info->ptok,
1717 &p->server_info->utok,
1718 &r->in.access_mask);
1720 /* map the generic bits to the lsa policy ones */
1721 se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1723 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1724 &lsa_account_mapping,
1725 r->in.sid, LSA_POLICY_ALL_ACCESS);
1726 if (!NT_STATUS_IS_OK(status)) {
1730 status = access_check_object(psd, p->server_info->ptok,
1731 NULL, 0, r->in.access_mask,
1732 &acc_granted, "_lsa_CreateAccount");
1733 if (!NT_STATUS_IS_OK(status)) {
1737 if ( is_privileged_sid( r->in.sid ) )
1738 return NT_STATUS_OBJECT_NAME_COLLISION;
1740 /* associate the user/group SID with the (unique) handle. */
1742 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1744 return NT_STATUS_NO_MEMORY;
1747 info->sid = *r->in.sid;
1748 info->access = acc_granted;
1749 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1751 /* get a (unique) handle. open a policy on it. */
1752 if (!create_policy_hnd(p, r->out.acct_handle, info))
1753 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1755 return privilege_create_account( &info->sid );
1758 /***************************************************************************
1760 ***************************************************************************/
1762 NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
1763 struct lsa_OpenAccount *r)
1765 struct lsa_info *handle;
1766 struct lsa_info *info;
1767 struct security_descriptor *psd = NULL;
1769 uint32_t des_access = r->in.access_mask;
1770 uint32_t acc_granted;
1773 /* find the connection policy handle. */
1774 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1775 return NT_STATUS_INVALID_HANDLE;
1777 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1778 return NT_STATUS_INVALID_HANDLE;
1781 /* des_access is for the account here, not the policy
1782 * handle - so don't check against policy handle. */
1784 /* Work out max allowed. */
1785 map_max_allowed_access(p->server_info->ptok,
1786 &p->server_info->utok,
1789 /* map the generic bits to the lsa account ones */
1790 se_map_generic(&des_access, &lsa_account_mapping);
1792 /* get the generic lsa account SD until we store it */
1793 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1794 &lsa_account_mapping,
1795 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1796 if (!NT_STATUS_IS_OK(status)) {
1800 status = access_check_object(psd, p->server_info->ptok,
1801 NULL, 0, des_access,
1802 &acc_granted, "_lsa_OpenAccount" );
1803 if (!NT_STATUS_IS_OK(status)) {
1807 /* TODO: Fis the parsing routine before reenabling this check! */
1809 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1810 return NT_STATUS_ACCESS_DENIED;
1812 /* associate the user/group SID with the (unique) handle. */
1813 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1815 return NT_STATUS_NO_MEMORY;
1818 info->sid = *r->in.sid;
1819 info->access = acc_granted;
1820 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1822 /* get a (unique) handle. open a policy on it. */
1823 if (!create_policy_hnd(p, r->out.acct_handle, info))
1824 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1826 return NT_STATUS_OK;
1829 /***************************************************************************
1830 _lsa_EnumPrivsAccount
1831 For a given SID, enumerate all the privilege this account has.
1832 ***************************************************************************/
1834 NTSTATUS _lsa_EnumPrivsAccount(struct pipes_struct *p,
1835 struct lsa_EnumPrivsAccount *r)
1837 NTSTATUS status = NT_STATUS_OK;
1838 struct lsa_info *info=NULL;
1840 PRIVILEGE_SET privileges;
1841 struct lsa_PrivilegeSet *priv_set = NULL;
1842 struct lsa_LUIDAttribute *luid_attrs = NULL;
1845 /* find the connection policy handle. */
1846 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1847 return NT_STATUS_INVALID_HANDLE;
1849 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1850 return NT_STATUS_INVALID_HANDLE;
1853 if (!(info->access & LSA_ACCOUNT_VIEW))
1854 return NT_STATUS_ACCESS_DENIED;
1856 get_privileges_for_sids(&mask, &info->sid, 1);
1858 privilege_set_init( &privileges );
1860 priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1862 status = NT_STATUS_NO_MEMORY;
1866 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1868 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1869 sid_string_dbg(&info->sid),
1872 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1873 struct lsa_LUIDAttribute,
1876 status = NT_STATUS_NO_MEMORY;
1880 for (i=0; i<privileges.count; i++) {
1881 luid_attrs[i] = privileges.set[i];
1884 priv_set->count = privileges.count;
1885 priv_set->unknown = 0;
1886 priv_set->set = luid_attrs;
1889 priv_set->count = 0;
1890 priv_set->unknown = 0;
1891 priv_set->set = NULL;
1894 *r->out.privs = priv_set;
1897 privilege_set_free( &privileges );
1902 /***************************************************************************
1903 _lsa_GetSystemAccessAccount
1904 ***************************************************************************/
1906 NTSTATUS _lsa_GetSystemAccessAccount(struct pipes_struct *p,
1907 struct lsa_GetSystemAccessAccount *r)
1910 struct lsa_info *info = NULL;
1911 struct lsa_EnumPrivsAccount e;
1912 struct lsa_PrivilegeSet *privset;
1914 /* find the connection policy handle. */
1916 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1917 return NT_STATUS_INVALID_HANDLE;
1919 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1920 return NT_STATUS_INVALID_HANDLE;
1923 if (!(info->access & LSA_ACCOUNT_VIEW))
1924 return NT_STATUS_ACCESS_DENIED;
1926 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1928 return NT_STATUS_NO_MEMORY;
1931 e.in.handle = r->in.handle;
1932 e.out.privs = &privset;
1934 status = _lsa_EnumPrivsAccount(p, &e);
1935 if (!NT_STATUS_IS_OK(status)) {
1936 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1937 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1938 nt_errstr(status)));
1942 /* Samba4 would iterate over the privset to merge the policy mode bits,
1943 * not sure samba3 can do the same here, so just return what we did in
1947 0x01 -> Log on locally
1948 0x02 -> Access this computer from network
1949 0x04 -> Log on as a batch job
1950 0x10 -> Log on as a service
1952 they can be ORed together
1955 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1956 LSA_POLICY_MODE_NETWORK;
1958 return NT_STATUS_OK;
1961 /***************************************************************************
1962 update the systemaccount information
1963 ***************************************************************************/
1965 NTSTATUS _lsa_SetSystemAccessAccount(struct pipes_struct *p,
1966 struct lsa_SetSystemAccessAccount *r)
1968 struct lsa_info *info=NULL;
1971 /* find the connection policy handle. */
1972 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1973 return NT_STATUS_INVALID_HANDLE;
1975 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1976 return NT_STATUS_INVALID_HANDLE;
1979 if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1980 return NT_STATUS_ACCESS_DENIED;
1983 if (!pdb_getgrsid(&map, info->sid))
1984 return NT_STATUS_NO_SUCH_GROUP;
1986 return pdb_update_group_mapping_entry(&map);
1989 /***************************************************************************
1990 _lsa_AddPrivilegesToAccount
1991 For a given SID, add some privileges.
1992 ***************************************************************************/
1994 NTSTATUS _lsa_AddPrivilegesToAccount(struct pipes_struct *p,
1995 struct lsa_AddPrivilegesToAccount *r)
1997 struct lsa_info *info = NULL;
1999 struct lsa_PrivilegeSet *set = NULL;
2001 /* find the connection policy handle. */
2002 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2003 return NT_STATUS_INVALID_HANDLE;
2005 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2006 return NT_STATUS_INVALID_HANDLE;
2009 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2010 return NT_STATUS_ACCESS_DENIED;
2014 if ( !privilege_set_to_se_priv( &mask, set ) )
2015 return NT_STATUS_NO_SUCH_PRIVILEGE;
2017 if ( !grant_privilege( &info->sid, &mask ) ) {
2018 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
2019 sid_string_dbg(&info->sid) ));
2020 DEBUG(3,("Privilege mask: 0x%llx\n", (unsigned long long)mask));
2021 return NT_STATUS_NO_SUCH_PRIVILEGE;
2024 return NT_STATUS_OK;
2027 /***************************************************************************
2028 _lsa_RemovePrivilegesFromAccount
2029 For a given SID, remove some privileges.
2030 ***************************************************************************/
2032 NTSTATUS _lsa_RemovePrivilegesFromAccount(struct pipes_struct *p,
2033 struct lsa_RemovePrivilegesFromAccount *r)
2035 struct lsa_info *info = NULL;
2037 struct lsa_PrivilegeSet *set = NULL;
2039 /* find the connection policy handle. */
2040 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2041 return NT_STATUS_INVALID_HANDLE;
2043 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2044 return NT_STATUS_INVALID_HANDLE;
2047 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2048 return NT_STATUS_ACCESS_DENIED;
2053 if ( !privilege_set_to_se_priv( &mask, set ) )
2054 return NT_STATUS_NO_SUCH_PRIVILEGE;
2056 if ( !revoke_privilege( &info->sid, &mask ) ) {
2057 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2058 sid_string_dbg(&info->sid) ));
2059 DEBUG(3,("Privilege mask: 0x%llx\n", (unsigned long long)mask));
2060 return NT_STATUS_NO_SUCH_PRIVILEGE;
2063 return NT_STATUS_OK;
2066 /***************************************************************************
2068 ***************************************************************************/
2070 NTSTATUS _lsa_LookupPrivName(struct pipes_struct *p,
2071 struct lsa_LookupPrivName *r)
2073 struct lsa_info *info = NULL;
2075 struct lsa_StringLarge *lsa_name;
2077 /* find the connection policy handle. */
2078 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2079 return NT_STATUS_INVALID_HANDLE;
2082 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2083 return NT_STATUS_INVALID_HANDLE;
2086 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2087 return NT_STATUS_ACCESS_DENIED;
2090 name = luid_to_privilege_name(r->in.luid);
2092 return NT_STATUS_NO_SUCH_PRIVILEGE;
2095 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2097 return NT_STATUS_NO_MEMORY;
2100 lsa_name->string = talloc_strdup(lsa_name, name);
2101 if (!lsa_name->string) {
2102 TALLOC_FREE(lsa_name);
2103 return NT_STATUS_NO_MEMORY;
2106 *r->out.name = lsa_name;
2108 return NT_STATUS_OK;
2111 /***************************************************************************
2113 ***************************************************************************/
2115 NTSTATUS _lsa_QuerySecurity(struct pipes_struct *p,
2116 struct lsa_QuerySecurity *r)
2118 struct lsa_info *handle=NULL;
2119 struct security_descriptor *psd = NULL;
2123 /* find the connection policy handle. */
2124 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2125 return NT_STATUS_INVALID_HANDLE;
2127 switch (handle->type) {
2128 case LSA_HANDLE_POLICY_TYPE:
2129 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2130 &lsa_policy_mapping, NULL, 0);
2132 case LSA_HANDLE_ACCOUNT_TYPE:
2133 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2134 &lsa_account_mapping,
2135 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2138 status = NT_STATUS_INVALID_HANDLE;
2142 if (!NT_STATUS_IS_OK(status)) {
2146 *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2147 if (!*r->out.sdbuf) {
2148 return NT_STATUS_NO_MEMORY;
2154 /***************************************************************************
2155 _lsa_AddAccountRights
2156 ***************************************************************************/
2158 NTSTATUS _lsa_AddAccountRights(struct pipes_struct *p,
2159 struct lsa_AddAccountRights *r)
2161 struct lsa_info *info = NULL;
2163 uint32_t acc_granted = 0;
2164 struct security_descriptor *psd = NULL;
2169 /* find the connection policy handle. */
2170 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2171 return NT_STATUS_INVALID_HANDLE;
2173 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2174 return NT_STATUS_INVALID_HANDLE;
2177 /* get the generic lsa account SD for this SID until we store it */
2178 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2179 &lsa_account_mapping,
2180 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2181 if (!NT_STATUS_IS_OK(status)) {
2186 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2187 * on the policy handle. If it does, ask for
2188 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2189 * on the account sid. We don't check here so just use the latter. JRA.
2192 status = access_check_object(psd, p->server_info->ptok,
2194 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2195 &acc_granted, "_lsa_AddAccountRights" );
2196 if (!NT_STATUS_IS_OK(status)) {
2200 /* according to an NT4 PDC, you can add privileges to SIDs even without
2201 call_lsa_create_account() first. And you can use any arbitrary SID. */
2203 sid_copy( &sid, r->in.sid );
2205 for ( i=0; i < r->in.rights->count; i++ ) {
2207 const char *privname = r->in.rights->names[i].string;
2209 /* only try to add non-null strings */
2214 if ( !grant_privilege_by_name( &sid, privname ) ) {
2215 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2217 return NT_STATUS_NO_SUCH_PRIVILEGE;
2221 return NT_STATUS_OK;
2224 /***************************************************************************
2225 _lsa_RemoveAccountRights
2226 ***************************************************************************/
2228 NTSTATUS _lsa_RemoveAccountRights(struct pipes_struct *p,
2229 struct lsa_RemoveAccountRights *r)
2231 struct lsa_info *info = NULL;
2233 struct security_descriptor *psd = NULL;
2236 const char *privname = NULL;
2237 uint32_t acc_granted = 0;
2240 /* find the connection policy handle. */
2241 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2242 return NT_STATUS_INVALID_HANDLE;
2244 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2245 return NT_STATUS_INVALID_HANDLE;
2248 /* get the generic lsa account SD for this SID until we store it */
2249 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2250 &lsa_account_mapping,
2251 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2252 if (!NT_STATUS_IS_OK(status)) {
2257 * From the MS DOCs. We need
2258 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2259 * and DELETE on the account sid.
2262 status = access_check_object(psd, p->server_info->ptok,
2264 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2265 LSA_ACCOUNT_VIEW|SEC_STD_DELETE,
2266 &acc_granted, "_lsa_RemoveAccountRights");
2267 if (!NT_STATUS_IS_OK(status)) {
2271 sid_copy( &sid, r->in.sid );
2273 if ( r->in.remove_all ) {
2274 if ( !revoke_all_privileges( &sid ) )
2275 return NT_STATUS_ACCESS_DENIED;
2277 return NT_STATUS_OK;
2280 for ( i=0; i < r->in.rights->count; i++ ) {
2282 privname = r->in.rights->names[i].string;
2284 /* only try to add non-null strings */
2289 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2290 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2292 return NT_STATUS_NO_SUCH_PRIVILEGE;
2296 return NT_STATUS_OK;
2299 /*******************************************************************
2300 ********************************************************************/
2302 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2303 struct lsa_RightSet *r,
2304 PRIVILEGE_SET *privileges)
2307 const char *privname;
2308 const char **privname_array = NULL;
2311 for (i=0; i<privileges->count; i++) {
2313 privname = luid_to_privilege_name(&privileges->set[i].luid);
2315 if (!add_string_to_array(mem_ctx, privname,
2316 &privname_array, &num_priv)) {
2317 return NT_STATUS_NO_MEMORY;
2324 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2327 return NT_STATUS_NO_MEMORY;
2330 for (i=0; i<num_priv; i++) {
2331 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2334 r->count = num_priv;
2337 return NT_STATUS_OK;
2340 /***************************************************************************
2341 _lsa_EnumAccountRights
2342 ***************************************************************************/
2344 NTSTATUS _lsa_EnumAccountRights(struct pipes_struct *p,
2345 struct lsa_EnumAccountRights *r)
2348 struct lsa_info *info = NULL;
2350 PRIVILEGE_SET privileges;
2353 /* find the connection policy handle. */
2355 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2356 return NT_STATUS_INVALID_HANDLE;
2358 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2359 return NT_STATUS_INVALID_HANDLE;
2362 if (!(info->access & LSA_ACCOUNT_VIEW)) {
2363 return NT_STATUS_ACCESS_DENIED;
2366 /* according to an NT4 PDC, you can add privileges to SIDs even without
2367 call_lsa_create_account() first. And you can use any arbitrary SID. */
2369 sid_copy( &sid, r->in.sid );
2371 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2372 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2373 * the lsa database */
2375 if (!get_privileges_for_sids(&mask, &sid, 1)) {
2376 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2379 status = privilege_set_init(&privileges);
2380 if (!NT_STATUS_IS_OK(status)) {
2384 se_priv_to_privilege_set(&privileges, &mask);
2386 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2387 sid_string_dbg(&sid), privileges.count));
2389 status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2391 privilege_set_free( &privileges );
2396 /***************************************************************************
2397 _lsa_LookupPrivValue
2398 ***************************************************************************/
2400 NTSTATUS _lsa_LookupPrivValue(struct pipes_struct *p,
2401 struct lsa_LookupPrivValue *r)
2403 struct lsa_info *info = NULL;
2404 const char *name = NULL;
2405 struct lsa_LUIDAttribute priv_luid;
2408 /* find the connection policy handle. */
2410 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2411 return NT_STATUS_INVALID_HANDLE;
2413 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2414 return NT_STATUS_INVALID_HANDLE;
2417 if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2418 return NT_STATUS_ACCESS_DENIED;
2420 name = r->in.name->string;
2422 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2424 if ( !se_priv_from_name( name, &mask ) )
2425 return NT_STATUS_NO_SUCH_PRIVILEGE;
2427 priv_luid = get_privilege_luid( &mask );
2429 r->out.luid->low = priv_luid.luid.low;
2430 r->out.luid->high = priv_luid.luid.high;
2432 return NT_STATUS_OK;
2435 /***************************************************************************
2436 _lsa_EnumAccountsWithUserRight
2437 ***************************************************************************/
2439 NTSTATUS _lsa_EnumAccountsWithUserRight(struct pipes_struct *p,
2440 struct lsa_EnumAccountsWithUserRight *r)
2443 struct lsa_info *info = NULL;
2444 struct dom_sid *sids = NULL;
2449 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2450 return NT_STATUS_INVALID_HANDLE;
2453 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2454 return NT_STATUS_INVALID_HANDLE;
2457 if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2458 return NT_STATUS_ACCESS_DENIED;
2461 if (!r->in.name || !r->in.name->string) {
2462 return NT_STATUS_NO_SUCH_PRIVILEGE;
2465 if (!se_priv_from_name(r->in.name->string, &mask)) {
2466 return NT_STATUS_NO_SUCH_PRIVILEGE;
2469 status = privilege_enum_sids(&mask, p->mem_ctx,
2471 if (!NT_STATUS_IS_OK(status)) {
2475 r->out.sids->num_sids = num_sids;
2476 r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2477 r->out.sids->num_sids);
2479 for (i=0; i < r->out.sids->num_sids; i++) {
2480 r->out.sids->sids[i].sid = sid_dup_talloc(r->out.sids->sids,
2482 if (!r->out.sids->sids[i].sid) {
2483 TALLOC_FREE(r->out.sids->sids);
2484 r->out.sids->num_sids = 0;
2485 return NT_STATUS_NO_MEMORY;
2489 return NT_STATUS_OK;
2492 /***************************************************************************
2494 ***************************************************************************/
2496 NTSTATUS _lsa_Delete(struct pipes_struct *p,
2497 struct lsa_Delete *r)
2499 return NT_STATUS_NOT_SUPPORTED;
2503 * From here on the server routines are just dummy ones to make smbd link with
2504 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2505 * pulling the server stubs across one by one.
2508 NTSTATUS _lsa_SetSecObj(struct pipes_struct *p, struct lsa_SetSecObj *r)
2510 p->rng_fault_state = True;
2511 return NT_STATUS_NOT_IMPLEMENTED;
2514 NTSTATUS _lsa_ChangePassword(struct pipes_struct *p,
2515 struct lsa_ChangePassword *r)
2517 p->rng_fault_state = True;
2518 return NT_STATUS_NOT_IMPLEMENTED;
2521 NTSTATUS _lsa_SetInfoPolicy(struct pipes_struct *p, struct lsa_SetInfoPolicy *r)
2523 p->rng_fault_state = True;
2524 return NT_STATUS_NOT_IMPLEMENTED;
2527 NTSTATUS _lsa_ClearAuditLog(struct pipes_struct *p, struct lsa_ClearAuditLog *r)
2529 p->rng_fault_state = True;
2530 return NT_STATUS_NOT_IMPLEMENTED;
2533 NTSTATUS _lsa_GetQuotasForAccount(struct pipes_struct *p,
2534 struct lsa_GetQuotasForAccount *r)
2536 p->rng_fault_state = True;
2537 return NT_STATUS_NOT_IMPLEMENTED;
2540 NTSTATUS _lsa_SetQuotasForAccount(struct pipes_struct *p,
2541 struct lsa_SetQuotasForAccount *r)
2543 p->rng_fault_state = True;
2544 return NT_STATUS_NOT_IMPLEMENTED;
2547 NTSTATUS _lsa_QueryTrustedDomainInfo(struct pipes_struct *p,
2548 struct lsa_QueryTrustedDomainInfo *r)
2550 p->rng_fault_state = True;
2551 return NT_STATUS_NOT_IMPLEMENTED;
2554 NTSTATUS _lsa_SetInformationTrustedDomain(struct pipes_struct *p,
2555 struct lsa_SetInformationTrustedDomain *r)
2557 p->rng_fault_state = True;
2558 return NT_STATUS_NOT_IMPLEMENTED;
2561 NTSTATUS _lsa_QuerySecret(struct pipes_struct *p, struct lsa_QuerySecret *r)
2563 p->rng_fault_state = True;
2564 return NT_STATUS_NOT_IMPLEMENTED;
2567 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(struct pipes_struct *p,
2568 struct lsa_QueryTrustedDomainInfoBySid *r)
2570 p->rng_fault_state = True;
2571 return NT_STATUS_NOT_IMPLEMENTED;
2574 NTSTATUS _lsa_SetTrustedDomainInfo(struct pipes_struct *p,
2575 struct lsa_SetTrustedDomainInfo *r)
2577 p->rng_fault_state = True;
2578 return NT_STATUS_NOT_IMPLEMENTED;
2581 NTSTATUS _lsa_DeleteTrustedDomain(struct pipes_struct *p,
2582 struct lsa_DeleteTrustedDomain *r)
2584 p->rng_fault_state = True;
2585 return NT_STATUS_NOT_IMPLEMENTED;
2588 NTSTATUS _lsa_StorePrivateData(struct pipes_struct *p,
2589 struct lsa_StorePrivateData *r)
2591 p->rng_fault_state = True;
2592 return NT_STATUS_NOT_IMPLEMENTED;
2595 NTSTATUS _lsa_RetrievePrivateData(struct pipes_struct *p,
2596 struct lsa_RetrievePrivateData *r)
2598 p->rng_fault_state = True;
2599 return NT_STATUS_NOT_IMPLEMENTED;
2602 NTSTATUS _lsa_SetInfoPolicy2(struct pipes_struct *p,
2603 struct lsa_SetInfoPolicy2 *r)
2605 p->rng_fault_state = True;
2606 return NT_STATUS_NOT_IMPLEMENTED;
2609 NTSTATUS _lsa_QueryTrustedDomainInfoByName(struct pipes_struct *p,
2610 struct lsa_QueryTrustedDomainInfoByName *r)
2612 p->rng_fault_state = True;
2613 return NT_STATUS_NOT_IMPLEMENTED;
2616 NTSTATUS _lsa_SetTrustedDomainInfoByName(struct pipes_struct *p,
2617 struct lsa_SetTrustedDomainInfoByName *r)
2619 p->rng_fault_state = True;
2620 return NT_STATUS_NOT_IMPLEMENTED;
2623 NTSTATUS _lsa_EnumTrustedDomainsEx(struct pipes_struct *p,
2624 struct lsa_EnumTrustedDomainsEx *r)
2626 p->rng_fault_state = True;
2627 return NT_STATUS_NOT_IMPLEMENTED;
2630 NTSTATUS _lsa_CreateTrustedDomainEx(struct pipes_struct *p,
2631 struct lsa_CreateTrustedDomainEx *r)
2633 p->rng_fault_state = True;
2634 return NT_STATUS_NOT_IMPLEMENTED;
2637 NTSTATUS _lsa_CloseTrustedDomainEx(struct pipes_struct *p,
2638 struct lsa_CloseTrustedDomainEx *r)
2640 p->rng_fault_state = True;
2641 return NT_STATUS_NOT_IMPLEMENTED;
2644 NTSTATUS _lsa_QueryDomainInformationPolicy(struct pipes_struct *p,
2645 struct lsa_QueryDomainInformationPolicy *r)
2647 p->rng_fault_state = True;
2648 return NT_STATUS_NOT_IMPLEMENTED;
2651 NTSTATUS _lsa_SetDomainInformationPolicy(struct pipes_struct *p,
2652 struct lsa_SetDomainInformationPolicy *r)
2654 p->rng_fault_state = True;
2655 return NT_STATUS_NOT_IMPLEMENTED;
2658 NTSTATUS _lsa_OpenTrustedDomainByName(struct pipes_struct *p,
2659 struct lsa_OpenTrustedDomainByName *r)
2661 p->rng_fault_state = True;
2662 return NT_STATUS_NOT_IMPLEMENTED;
2665 NTSTATUS _lsa_TestCall(struct pipes_struct *p, struct lsa_TestCall *r)
2667 p->rng_fault_state = True;
2668 return NT_STATUS_NOT_IMPLEMENTED;
2671 NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
2672 struct lsa_CreateTrustedDomainEx2 *r)
2674 p->rng_fault_state = True;
2675 return NT_STATUS_NOT_IMPLEMENTED;
2678 NTSTATUS _lsa_CREDRWRITE(struct pipes_struct *p, struct lsa_CREDRWRITE *r)
2680 p->rng_fault_state = True;
2681 return NT_STATUS_NOT_IMPLEMENTED;
2684 NTSTATUS _lsa_CREDRREAD(struct pipes_struct *p, struct lsa_CREDRREAD *r)
2686 p->rng_fault_state = True;
2687 return NT_STATUS_NOT_IMPLEMENTED;
2690 NTSTATUS _lsa_CREDRENUMERATE(struct pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2692 p->rng_fault_state = True;
2693 return NT_STATUS_NOT_IMPLEMENTED;
2696 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(struct pipes_struct *p,
2697 struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2699 p->rng_fault_state = True;
2700 return NT_STATUS_NOT_IMPLEMENTED;
2703 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(struct pipes_struct *p,
2704 struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2706 p->rng_fault_state = True;
2707 return NT_STATUS_NOT_IMPLEMENTED;
2710 NTSTATUS _lsa_CREDRDELETE(struct pipes_struct *p, struct lsa_CREDRDELETE *r)
2712 p->rng_fault_state = True;
2713 return NT_STATUS_NOT_IMPLEMENTED;
2716 NTSTATUS _lsa_CREDRGETTARGETINFO(struct pipes_struct *p,
2717 struct lsa_CREDRGETTARGETINFO *r)
2719 p->rng_fault_state = True;
2720 return NT_STATUS_NOT_IMPLEMENTED;
2723 NTSTATUS _lsa_CREDRPROFILELOADED(struct pipes_struct *p,
2724 struct lsa_CREDRPROFILELOADED *r)
2726 p->rng_fault_state = True;
2727 return NT_STATUS_NOT_IMPLEMENTED;
2730 NTSTATUS _lsa_CREDRGETSESSIONTYPES(struct pipes_struct *p,
2731 struct lsa_CREDRGETSESSIONTYPES *r)
2733 p->rng_fault_state = True;
2734 return NT_STATUS_NOT_IMPLEMENTED;
2737 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(struct pipes_struct *p,
2738 struct lsa_LSARREGISTERAUDITEVENT *r)
2740 p->rng_fault_state = True;
2741 return NT_STATUS_NOT_IMPLEMENTED;
2744 NTSTATUS _lsa_LSARGENAUDITEVENT(struct pipes_struct *p,
2745 struct lsa_LSARGENAUDITEVENT *r)
2747 p->rng_fault_state = True;
2748 return NT_STATUS_NOT_IMPLEMENTED;
2751 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(struct pipes_struct *p,
2752 struct lsa_LSARUNREGISTERAUDITEVENT *r)
2754 p->rng_fault_state = True;
2755 return NT_STATUS_NOT_IMPLEMENTED;
2758 NTSTATUS _lsa_lsaRQueryForestTrustInformation(struct pipes_struct *p,
2759 struct lsa_lsaRQueryForestTrustInformation *r)
2761 p->rng_fault_state = True;
2762 return NT_STATUS_NOT_IMPLEMENTED;
2765 NTSTATUS _lsa_lsaRSetForestTrustInformation(struct pipes_struct *p,
2766 struct lsa_lsaRSetForestTrustInformation *r)
2768 p->rng_fault_state = True;
2769 return NT_STATUS_NOT_IMPLEMENTED;
2772 NTSTATUS _lsa_CREDRRENAME(struct pipes_struct *p,
2773 struct lsa_CREDRRENAME *r)
2775 p->rng_fault_state = True;
2776 return NT_STATUS_NOT_IMPLEMENTED;
2779 NTSTATUS _lsa_LSAROPENPOLICYSCE(struct pipes_struct *p,
2780 struct lsa_LSAROPENPOLICYSCE *r)
2782 p->rng_fault_state = True;
2783 return NT_STATUS_NOT_IMPLEMENTED;
2786 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(struct pipes_struct *p,
2787 struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2789 p->rng_fault_state = True;
2790 return NT_STATUS_NOT_IMPLEMENTED;
2793 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(struct pipes_struct *p,
2794 struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2796 p->rng_fault_state = True;
2797 return NT_STATUS_NOT_IMPLEMENTED;
2800 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(struct pipes_struct *p,
2801 struct lsa_LSARADTREPORTSECURITYEVENT *r)
2803 p->rng_fault_state = True;
2804 return NT_STATUS_NOT_IMPLEMENTED;