2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
29 /* This is the implementation of the lsa server code. */
32 #include "../librpc/gen_ndr/srv_lsa.h"
34 #include "../librpc/gen_ndr/netlogon.h"
35 #include "rpc_client/init_lsa.h"
38 #define DBGC_CLASS DBGC_RPC_SRV
40 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
44 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
50 enum lsa_handle_type type;
51 struct security_descriptor *sd;
54 const struct generic_mapping lsa_account_mapping = {
58 LSA_ACCOUNT_ALL_ACCESS
61 const struct generic_mapping lsa_policy_mapping = {
68 const struct generic_mapping lsa_secret_mapping = {
75 const struct generic_mapping lsa_trusted_domain_mapping = {
76 LSA_TRUSTED_DOMAIN_READ,
77 LSA_TRUSTED_DOMAIN_WRITE,
78 LSA_TRUSTED_DOMAIN_EXECUTE,
79 LSA_TRUSTED_DOMAIN_ALL_ACCESS
82 /***************************************************************************
83 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
84 ***************************************************************************/
86 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
87 struct lsa_RefDomainList *ref,
89 struct dom_sid *dom_sid)
93 if (dom_name != NULL) {
94 for (num = 0; num < ref->count; num++) {
95 if (sid_equal(dom_sid, ref->domains[num].sid)) {
103 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
104 /* index not found, already at maximum domain limit */
108 ref->count = num + 1;
109 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
111 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
112 struct lsa_DomainInfo, ref->count);
117 ZERO_STRUCT(ref->domains[num]);
119 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
120 ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
121 if (!ref->domains[num].sid) {
129 /***************************************************************************
130 initialize a lsa_DomainInfo structure.
131 ***************************************************************************/
133 static void init_dom_query_3(struct lsa_DomainInfo *r,
137 init_lsa_StringLarge(&r->name, name);
141 /***************************************************************************
142 initialize a lsa_DomainInfo structure.
143 ***************************************************************************/
145 static void init_dom_query_5(struct lsa_DomainInfo *r,
149 init_lsa_StringLarge(&r->name, name);
153 /***************************************************************************
154 lookup_lsa_rids. Must be called as root for lookup_name to work.
155 ***************************************************************************/
157 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
158 struct lsa_RefDomainList *ref,
159 struct lsa_TranslatedSid *prid,
160 uint32_t num_entries,
161 struct lsa_String *name,
163 uint32_t *pmapped_count)
165 uint32 mapped_count, i;
167 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
172 for (i = 0; i < num_entries; i++) {
176 const char *full_name;
178 enum lsa_SidType type = SID_NAME_UNKNOWN;
180 /* Split name into domain and user component */
182 /* follow w2k8 behavior and return the builtin domain when no
183 * input has been passed in */
185 if (name[i].string) {
186 full_name = name[i].string;
188 full_name = "BUILTIN";
191 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
193 /* We can ignore the result of lookup_name, it will not touch
194 "type" if it's not successful */
196 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
201 case SID_NAME_DOM_GRP:
202 case SID_NAME_DOMAIN:
204 case SID_NAME_WKN_GRP:
205 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
206 /* Leave these unchanged */
209 /* Don't hand out anything but the list above */
210 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
211 type = SID_NAME_UNKNOWN;
218 if (type != SID_NAME_UNKNOWN) {
219 if (type == SID_NAME_DOMAIN) {
222 sid_split_rid(&sid, &rid);
224 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
228 prid[i].sid_type = type;
230 prid[i].sid_index = dom_idx;
233 *pmapped_count = mapped_count;
237 /***************************************************************************
238 lookup_lsa_sids. Must be called as root for lookup_name to work.
239 ***************************************************************************/
241 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
242 struct lsa_RefDomainList *ref,
243 struct lsa_TranslatedSid3 *trans_sids,
244 uint32_t num_entries,
245 struct lsa_String *name,
247 uint32 *pmapped_count)
249 uint32 mapped_count, i;
251 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
256 for (i = 0; i < num_entries; i++) {
260 const char *full_name;
262 enum lsa_SidType type = SID_NAME_UNKNOWN;
266 /* Split name into domain and user component */
268 full_name = name[i].string;
269 if (full_name == NULL) {
270 return NT_STATUS_NO_MEMORY;
273 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
275 /* We can ignore the result of lookup_name, it will not touch
276 "type" if it's not successful */
278 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
283 case SID_NAME_DOM_GRP:
284 case SID_NAME_DOMAIN:
286 case SID_NAME_WKN_GRP:
287 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
288 /* Leave these unchanged */
291 /* Don't hand out anything but the list above */
292 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
293 type = SID_NAME_UNKNOWN;
300 if (type != SID_NAME_UNKNOWN) {
301 struct dom_sid domain_sid;
302 sid_copy(&domain_sid, &sid);
303 sid_split_rid(&domain_sid, &rid);
304 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
308 /* Initialize the lsa_TranslatedSid3 return. */
309 trans_sids[i].sid_type = type;
310 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
311 trans_sids[i].sid_index = dom_idx;
314 *pmapped_count = mapped_count;
318 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, struct security_descriptor **sd, size_t *sd_size,
319 const struct generic_mapping *map,
320 struct dom_sid *sid, uint32_t sid_access)
322 struct dom_sid adm_sid;
323 struct security_ace ace[5];
326 struct security_acl *psa = NULL;
328 /* READ|EXECUTE access for Everyone */
330 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
331 map->generic_execute | map->generic_read, 0);
333 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
335 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
336 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
337 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
338 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
340 /* Add Full Access for Domain Admins */
341 sid_compose(&adm_sid, get_global_sam_sid(), DOMAIN_RID_ADMINS);
342 init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
343 map->generic_all, 0);
345 /* If we have a sid, give it some special access */
348 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
352 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
353 return NT_STATUS_NO_MEMORY;
355 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
356 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
357 psa, sd_size)) == NULL)
358 return NT_STATUS_NO_MEMORY;
364 /***************************************************************************
366 ***************************************************************************/
368 NTSTATUS _lsa_OpenPolicy2(struct pipes_struct *p,
369 struct lsa_OpenPolicy2 *r)
371 struct lsa_info *info;
372 struct security_descriptor *psd = NULL;
374 uint32 des_access = r->in.access_mask;
378 /* Work out max allowed. */
379 map_max_allowed_access(p->server_info->ptok,
380 &p->server_info->utok,
383 /* map the generic bits to the lsa policy ones */
384 se_map_generic(&des_access, &lsa_policy_mapping);
386 /* get the generic lsa policy SD until we store it */
387 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
389 if (!NT_STATUS_IS_OK(status)) {
393 status = access_check_object(psd, p->server_info->ptok,
395 &acc_granted, "_lsa_OpenPolicy2" );
396 if (!NT_STATUS_IS_OK(status)) {
400 /* associate the domain SID with the (unique) handle. */
401 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
403 return NT_STATUS_NO_MEMORY;
406 sid_copy(&info->sid,get_global_sam_sid());
407 info->access = acc_granted;
408 info->type = LSA_HANDLE_POLICY_TYPE;
410 /* set up the LSA QUERY INFO response */
411 if (!create_policy_hnd(p, r->out.handle, info))
412 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
417 /***************************************************************************
419 ***************************************************************************/
421 NTSTATUS _lsa_OpenPolicy(struct pipes_struct *p,
422 struct lsa_OpenPolicy *r)
424 struct lsa_OpenPolicy2 o;
426 o.in.system_name = NULL; /* should be ignored */
427 o.in.attr = r->in.attr;
428 o.in.access_mask = r->in.access_mask;
430 o.out.handle = r->out.handle;
432 return _lsa_OpenPolicy2(p, &o);
435 /***************************************************************************
436 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
438 ***************************************************************************/
440 NTSTATUS _lsa_EnumTrustDom(struct pipes_struct *p,
441 struct lsa_EnumTrustDom *r)
443 struct lsa_info *info;
445 struct trustdom_info **domains;
446 struct lsa_DomainInfo *entries;
450 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
451 return NT_STATUS_INVALID_HANDLE;
453 if (info->type != LSA_HANDLE_POLICY_TYPE) {
454 return NT_STATUS_INVALID_HANDLE;
457 /* check if the user has enough rights */
458 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
459 return NT_STATUS_ACCESS_DENIED;
462 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &count, &domains);
465 if (!NT_STATUS_IS_OK(nt_status)) {
469 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo, count);
471 return NT_STATUS_NO_MEMORY;
474 for (i=0; i<count; i++) {
475 init_lsa_StringLarge(&entries[i].name, domains[i]->name);
476 entries[i].sid = &domains[i]->sid;
479 if (*r->in.resume_handle >= count) {
480 *r->out.resume_handle = -1;
481 TALLOC_FREE(entries);
482 return NT_STATUS_NO_MORE_ENTRIES;
485 /* return the rest, limit by max_size. Note that we
486 use the w2k3 element size value of 60 */
487 r->out.domains->count = count - *r->in.resume_handle;
488 r->out.domains->count = MIN(r->out.domains->count,
489 1+(r->in.max_size/LSA_ENUM_TRUST_DOMAIN_MULTIPLIER));
491 r->out.domains->domains = entries + *r->in.resume_handle;
493 if (r->out.domains->count < count - *r->in.resume_handle) {
494 *r->out.resume_handle = *r->in.resume_handle + r->out.domains->count;
495 return STATUS_MORE_ENTRIES;
498 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
499 * always be larger than the previous input resume handle, in
500 * particular when hitting the last query it is vital to set the
501 * resume handle correctly to avoid infinite client loops, as
502 * seen e.g. with Windows XP SP3 when resume handle is 0 and
503 * status is NT_STATUS_OK - gd */
505 *r->out.resume_handle = (uint32_t)-1;
510 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
511 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
512 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
514 /***************************************************************************
516 ***************************************************************************/
518 NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
519 struct lsa_QueryInfoPolicy *r)
521 NTSTATUS status = NT_STATUS_OK;
522 struct lsa_info *handle;
523 struct dom_sid domain_sid;
525 struct dom_sid *sid = NULL;
526 union lsa_PolicyInformation *info = NULL;
527 uint32_t acc_required = 0;
529 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
530 return NT_STATUS_INVALID_HANDLE;
532 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
533 return NT_STATUS_INVALID_HANDLE;
536 switch (r->in.level) {
537 case LSA_POLICY_INFO_AUDIT_LOG:
538 case LSA_POLICY_INFO_AUDIT_EVENTS:
539 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
541 case LSA_POLICY_INFO_DOMAIN:
542 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
544 case LSA_POLICY_INFO_PD:
545 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
547 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
548 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
550 case LSA_POLICY_INFO_ROLE:
551 case LSA_POLICY_INFO_REPLICA:
552 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
554 case LSA_POLICY_INFO_QUOTA:
555 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
557 case LSA_POLICY_INFO_MOD:
558 case LSA_POLICY_INFO_AUDIT_FULL_SET:
559 /* according to MS-LSAD 3.1.4.4.3 */
560 return NT_STATUS_INVALID_PARAMETER;
561 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
562 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
564 case LSA_POLICY_INFO_DNS:
565 case LSA_POLICY_INFO_DNS_INT:
566 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
567 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
573 if (!(handle->access & acc_required)) {
574 /* return NT_STATUS_ACCESS_DENIED; */
577 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
579 return NT_STATUS_NO_MEMORY;
582 switch (r->in.level) {
583 /* according to MS-LSAD 3.1.4.4.3 */
584 case LSA_POLICY_INFO_MOD:
585 case LSA_POLICY_INFO_AUDIT_FULL_SET:
586 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
587 return NT_STATUS_INVALID_PARAMETER;
588 case LSA_POLICY_INFO_AUDIT_LOG:
589 info->audit_log.percent_full = 0;
590 info->audit_log.maximum_log_size = 0;
591 info->audit_log.retention_time = 0;
592 info->audit_log.shutdown_in_progress = 0;
593 info->audit_log.time_to_shutdown = 0;
594 info->audit_log.next_audit_record = 0;
595 status = NT_STATUS_OK;
597 case LSA_POLICY_INFO_PD:
598 info->pd.name.string = NULL;
599 status = NT_STATUS_OK;
601 case LSA_POLICY_INFO_REPLICA:
602 info->replica.source.string = NULL;
603 info->replica.account.string = NULL;
604 status = NT_STATUS_OK;
606 case LSA_POLICY_INFO_QUOTA:
607 info->quota.paged_pool = 0;
608 info->quota.non_paged_pool = 0;
609 info->quota.min_wss = 0;
610 info->quota.max_wss = 0;
611 info->quota.pagefile = 0;
612 info->quota.unknown = 0;
613 status = NT_STATUS_OK;
615 case LSA_POLICY_INFO_AUDIT_EVENTS:
618 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
620 /* check if the user has enough rights */
621 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
622 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
623 return NT_STATUS_ACCESS_DENIED;
626 /* fake info: We audit everything. ;) */
628 info->audit_events.auditing_mode = true;
629 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
630 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
631 enum lsa_PolicyAuditPolicy,
632 info->audit_events.count);
633 if (!info->audit_events.settings) {
634 return NT_STATUS_NO_MEMORY;
637 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
638 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
639 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
640 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
641 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
642 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
643 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
647 case LSA_POLICY_INFO_DOMAIN:
648 /* check if the user has enough rights */
649 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
650 return NT_STATUS_ACCESS_DENIED;
652 /* Request PolicyPrimaryDomainInformation. */
653 switch (lp_server_role()) {
654 case ROLE_DOMAIN_PDC:
655 case ROLE_DOMAIN_BDC:
656 name = get_global_sam_name();
657 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
659 return NT_STATUS_NO_MEMORY;
662 case ROLE_DOMAIN_MEMBER:
663 name = lp_workgroup();
664 /* We need to return the Domain SID here. */
665 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
666 sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
668 return NT_STATUS_NO_MEMORY;
671 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
674 case ROLE_STANDALONE:
675 name = lp_workgroup();
679 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
681 init_dom_query_3(&info->domain, name, sid);
683 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
684 /* check if the user has enough rights */
685 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
686 return NT_STATUS_ACCESS_DENIED;
688 /* Request PolicyAccountDomainInformation. */
689 name = get_global_sam_name();
690 sid = get_global_sam_sid();
692 init_dom_query_5(&info->account_domain, name, sid);
694 case LSA_POLICY_INFO_ROLE:
695 /* check if the user has enough rights */
696 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
697 return NT_STATUS_ACCESS_DENIED;
699 switch (lp_server_role()) {
700 case ROLE_DOMAIN_BDC:
702 * only a BDC is a backup controller
703 * of the domain, it controls.
705 info->role.role = LSA_ROLE_BACKUP;
709 * any other role is a primary
710 * of the domain, it controls.
712 info->role.role = LSA_ROLE_PRIMARY;
716 case LSA_POLICY_INFO_DNS:
717 case LSA_POLICY_INFO_DNS_INT: {
718 struct pdb_domain_info *dominfo;
720 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
721 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
722 "without ADS passdb backend\n"));
723 status = NT_STATUS_INVALID_INFO_CLASS;
727 dominfo = pdb_get_domain_info(info);
728 if (dominfo == NULL) {
729 status = NT_STATUS_NO_MEMORY;
733 init_lsa_StringLarge(&info->dns.name,
735 init_lsa_StringLarge(&info->dns.dns_domain,
736 dominfo->dns_domain);
737 init_lsa_StringLarge(&info->dns.dns_forest,
738 dominfo->dns_forest);
739 info->dns.domain_guid = dominfo->guid;
740 info->dns.sid = &dominfo->sid;
744 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
746 status = NT_STATUS_INVALID_INFO_CLASS;
755 /***************************************************************************
756 _lsa_QueryInfoPolicy2
757 ***************************************************************************/
759 NTSTATUS _lsa_QueryInfoPolicy2(struct pipes_struct *p,
760 struct lsa_QueryInfoPolicy2 *r2)
762 struct lsa_QueryInfoPolicy r;
764 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
765 p->rng_fault_state = True;
766 return NT_STATUS_NOT_IMPLEMENTED;
770 r.in.handle = r2->in.handle;
771 r.in.level = r2->in.level;
772 r.out.info = r2->out.info;
774 return _lsa_QueryInfoPolicy(p, &r);
777 /***************************************************************************
778 _lsa_lookup_sids_internal
779 ***************************************************************************/
781 static NTSTATUS _lsa_lookup_sids_internal(struct pipes_struct *p,
783 uint16_t level, /* input */
784 int num_sids, /* input */
785 struct lsa_SidPtr *sid, /* input */
786 struct lsa_RefDomainList **pp_ref, /* input/output */
787 struct lsa_TranslatedName2 **pp_names,/* input/output */
788 uint32_t *pp_mapped_count) /* input/output */
792 const struct dom_sid **sids = NULL;
793 struct lsa_RefDomainList *ref = NULL;
794 uint32 mapped_count = 0;
795 struct lsa_dom_info *dom_infos = NULL;
796 struct lsa_name_info *name_infos = NULL;
797 struct lsa_TranslatedName2 *names = NULL;
799 *pp_mapped_count = 0;
807 sids = TALLOC_ARRAY(p->mem_ctx, const struct dom_sid *, num_sids);
808 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
810 if (sids == NULL || ref == NULL) {
811 return NT_STATUS_NO_MEMORY;
814 for (i=0; i<num_sids; i++) {
815 sids[i] = sid[i].sid;
818 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
819 &dom_infos, &name_infos);
821 if (!NT_STATUS_IS_OK(status)) {
825 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
827 return NT_STATUS_NO_MEMORY;
830 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
832 if (!dom_infos[i].valid) {
836 if (init_lsa_ref_domain_list(mem_ctx, ref,
838 &dom_infos[i].sid) != i) {
839 DEBUG(0, ("Domain %s mentioned twice??\n",
841 return NT_STATUS_INTERNAL_ERROR;
845 for (i=0; i<num_sids; i++) {
846 struct lsa_name_info *name = &name_infos[i];
848 if (name->type == SID_NAME_UNKNOWN) {
851 /* Unknown sids should return the string
852 * representation of the SID. Windows 2003 behaves
853 * rather erratic here, in many cases it returns the
854 * RID as 8 bytes hex, in others it returns the full
855 * SID. We (Jerry/VL) could not figure out which the
856 * hard cases are, so leave it with the SID. */
857 name->name = talloc_asprintf(p->mem_ctx, "%s",
860 if (name->name == NULL) {
861 return NT_STATUS_NO_MEMORY;
867 names[i].sid_type = name->type;
868 names[i].name.string = name->name;
869 names[i].sid_index = name->dom_idx;
870 names[i].unknown = 0;
873 status = NT_STATUS_NONE_MAPPED;
874 if (mapped_count > 0) {
875 status = (mapped_count < num_sids) ?
876 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
879 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
880 num_sids, mapped_count, nt_errstr(status)));
882 *pp_mapped_count = mapped_count;
889 /***************************************************************************
891 ***************************************************************************/
893 NTSTATUS _lsa_LookupSids(struct pipes_struct *p,
894 struct lsa_LookupSids *r)
897 struct lsa_info *handle;
898 int num_sids = r->in.sids->num_sids;
899 uint32 mapped_count = 0;
900 struct lsa_RefDomainList *domains = NULL;
901 struct lsa_TranslatedName *names_out = NULL;
902 struct lsa_TranslatedName2 *names = NULL;
905 if ((r->in.level < 1) || (r->in.level > 6)) {
906 return NT_STATUS_INVALID_PARAMETER;
909 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
910 return NT_STATUS_INVALID_HANDLE;
913 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
914 return NT_STATUS_INVALID_HANDLE;
917 /* check if the user has enough rights */
918 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
919 return NT_STATUS_ACCESS_DENIED;
922 if (num_sids > MAX_LOOKUP_SIDS) {
923 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
924 MAX_LOOKUP_SIDS, num_sids));
925 return NT_STATUS_NONE_MAPPED;
928 status = _lsa_lookup_sids_internal(p,
937 /* Only return here when there is a real error.
938 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
939 the requested sids could be resolved. Older versions of XP (pre SP3)
940 rely that we return with the string representations of those SIDs in
941 that case. If we don't, XP crashes - Guenther
944 if (NT_STATUS_IS_ERR(status) &&
945 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
949 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
950 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
953 return NT_STATUS_NO_MEMORY;
956 for (i=0; i<num_sids; i++) {
957 names_out[i].sid_type = names[i].sid_type;
958 names_out[i].name = names[i].name;
959 names_out[i].sid_index = names[i].sid_index;
962 *r->out.domains = domains;
963 r->out.names->count = num_sids;
964 r->out.names->names = names_out;
965 *r->out.count = mapped_count;
970 /***************************************************************************
972 ***************************************************************************/
974 NTSTATUS _lsa_LookupSids2(struct pipes_struct *p,
975 struct lsa_LookupSids2 *r)
978 struct lsa_info *handle;
979 int num_sids = r->in.sids->num_sids;
980 uint32 mapped_count = 0;
981 struct lsa_RefDomainList *domains = NULL;
982 struct lsa_TranslatedName2 *names = NULL;
983 bool check_policy = true;
986 case NDR_LSA_LOOKUPSIDS3:
987 check_policy = false;
989 case NDR_LSA_LOOKUPSIDS2:
994 if ((r->in.level < 1) || (r->in.level > 6)) {
995 return NT_STATUS_INVALID_PARAMETER;
999 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1000 return NT_STATUS_INVALID_HANDLE;
1003 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1004 return NT_STATUS_INVALID_HANDLE;
1007 /* check if the user has enough rights */
1008 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1009 return NT_STATUS_ACCESS_DENIED;
1013 if (num_sids > MAX_LOOKUP_SIDS) {
1014 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
1015 MAX_LOOKUP_SIDS, num_sids));
1016 return NT_STATUS_NONE_MAPPED;
1019 status = _lsa_lookup_sids_internal(p,
1028 *r->out.domains = domains;
1029 r->out.names->count = num_sids;
1030 r->out.names->names = names;
1031 *r->out.count = mapped_count;
1036 /***************************************************************************
1038 ***************************************************************************/
1040 NTSTATUS _lsa_LookupSids3(struct pipes_struct *p,
1041 struct lsa_LookupSids3 *r)
1043 struct lsa_LookupSids2 q;
1045 /* No policy handle on this call. Restrict to crypto connections. */
1046 if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1047 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
1048 get_remote_machine_name() ));
1049 return NT_STATUS_INVALID_PARAMETER;
1053 q.in.sids = r->in.sids;
1054 q.in.level = r->in.level;
1055 q.in.lookup_options = r->in.lookup_options;
1056 q.in.client_revision = r->in.client_revision;
1057 q.in.names = r->in.names;
1058 q.in.count = r->in.count;
1060 q.out.domains = r->out.domains;
1061 q.out.names = r->out.names;
1062 q.out.count = r->out.count;
1064 return _lsa_LookupSids2(p, &q);
1067 /***************************************************************************
1068 ***************************************************************************/
1070 static int lsa_lookup_level_to_flags(enum lsa_LookupNamesLevel level)
1075 case LSA_LOOKUP_NAMES_ALL: /* 1 */
1076 flags = LOOKUP_NAME_ALL;
1078 case LSA_LOOKUP_NAMES_DOMAINS_ONLY: /* 2 */
1079 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1081 case LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY: /* 3 */
1082 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1084 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY: /* 4 */
1085 case LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY: /* 5 */
1086 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2: /* 6 */
1087 case LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC: /* 7 */
1089 flags = LOOKUP_NAME_NONE;
1096 /***************************************************************************
1098 ***************************************************************************/
1100 NTSTATUS _lsa_LookupNames(struct pipes_struct *p,
1101 struct lsa_LookupNames *r)
1103 NTSTATUS status = NT_STATUS_NONE_MAPPED;
1104 struct lsa_info *handle;
1105 struct lsa_String *names = r->in.names;
1106 uint32 num_entries = r->in.num_names;
1107 struct lsa_RefDomainList *domains = NULL;
1108 struct lsa_TranslatedSid *rids = NULL;
1109 uint32 mapped_count = 0;
1112 if (num_entries > MAX_LOOKUP_SIDS) {
1113 num_entries = MAX_LOOKUP_SIDS;
1114 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1118 flags = lsa_lookup_level_to_flags(r->in.level);
1120 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1122 return NT_STATUS_NO_MEMORY;
1126 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1129 return NT_STATUS_NO_MEMORY;
1135 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1136 status = NT_STATUS_INVALID_HANDLE;
1140 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1141 return NT_STATUS_INVALID_HANDLE;
1144 /* check if the user has enough rights */
1145 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1146 status = NT_STATUS_ACCESS_DENIED;
1150 /* set up the LSA Lookup RIDs response */
1151 become_root(); /* lookup_name can require root privs */
1152 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1153 names, flags, &mapped_count);
1158 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1159 if (mapped_count == 0) {
1160 status = NT_STATUS_NONE_MAPPED;
1161 } else if (mapped_count != num_entries) {
1162 status = STATUS_SOME_UNMAPPED;
1166 *r->out.count = mapped_count;
1167 *r->out.domains = domains;
1168 r->out.sids->sids = rids;
1169 r->out.sids->count = num_entries;
1174 /***************************************************************************
1176 ***************************************************************************/
1178 NTSTATUS _lsa_LookupNames2(struct pipes_struct *p,
1179 struct lsa_LookupNames2 *r)
1182 struct lsa_LookupNames q;
1183 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1184 struct lsa_TransSidArray *sid_array = NULL;
1187 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1189 return NT_STATUS_NO_MEMORY;
1192 q.in.handle = r->in.handle;
1193 q.in.num_names = r->in.num_names;
1194 q.in.names = r->in.names;
1195 q.in.level = r->in.level;
1196 q.in.sids = sid_array;
1197 q.in.count = r->in.count;
1198 /* we do not know what this is for */
1199 /* = r->in.unknown1; */
1200 /* = r->in.unknown2; */
1202 q.out.domains = r->out.domains;
1203 q.out.sids = sid_array;
1204 q.out.count = r->out.count;
1206 status = _lsa_LookupNames(p, &q);
1208 sid_array2->count = sid_array->count;
1209 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1210 if (!sid_array2->sids) {
1211 return NT_STATUS_NO_MEMORY;
1214 for (i=0; i<sid_array->count; i++) {
1215 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1216 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1217 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1218 sid_array2->sids[i].unknown = 0;
1221 r->out.sids = sid_array2;
1226 /***************************************************************************
1228 ***************************************************************************/
1230 NTSTATUS _lsa_LookupNames3(struct pipes_struct *p,
1231 struct lsa_LookupNames3 *r)
1234 struct lsa_info *handle;
1235 struct lsa_String *names = r->in.names;
1236 uint32 num_entries = r->in.num_names;
1237 struct lsa_RefDomainList *domains = NULL;
1238 struct lsa_TranslatedSid3 *trans_sids = NULL;
1239 uint32 mapped_count = 0;
1241 bool check_policy = true;
1244 case NDR_LSA_LOOKUPNAMES4:
1245 check_policy = false;
1247 case NDR_LSA_LOOKUPNAMES3:
1249 check_policy = true;
1252 if (num_entries > MAX_LOOKUP_SIDS) {
1253 num_entries = MAX_LOOKUP_SIDS;
1254 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1257 /* Probably the lookup_level is some sort of bitmask. */
1258 if (r->in.level == 1) {
1259 flags = LOOKUP_NAME_ALL;
1262 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1264 return NT_STATUS_NO_MEMORY;
1268 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1271 return NT_STATUS_NO_MEMORY;
1279 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1280 status = NT_STATUS_INVALID_HANDLE;
1284 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1285 return NT_STATUS_INVALID_HANDLE;
1288 /* check if the user has enough rights */
1289 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1290 status = NT_STATUS_ACCESS_DENIED;
1295 /* set up the LSA Lookup SIDs response */
1296 become_root(); /* lookup_name can require root privs */
1297 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1298 names, flags, &mapped_count);
1303 if (NT_STATUS_IS_OK(status)) {
1304 if (mapped_count == 0) {
1305 status = NT_STATUS_NONE_MAPPED;
1306 } else if (mapped_count != num_entries) {
1307 status = STATUS_SOME_UNMAPPED;
1311 *r->out.count = mapped_count;
1312 *r->out.domains = domains;
1313 r->out.sids->sids = trans_sids;
1314 r->out.sids->count = num_entries;
1319 /***************************************************************************
1321 ***************************************************************************/
1323 NTSTATUS _lsa_LookupNames4(struct pipes_struct *p,
1324 struct lsa_LookupNames4 *r)
1326 struct lsa_LookupNames3 q;
1328 /* No policy handle on this call. Restrict to crypto connections. */
1329 if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1330 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1331 get_remote_machine_name() ));
1332 return NT_STATUS_INVALID_PARAMETER;
1336 q.in.num_names = r->in.num_names;
1337 q.in.names = r->in.names;
1338 q.in.level = r->in.level;
1339 q.in.lookup_options = r->in.lookup_options;
1340 q.in.client_revision = r->in.client_revision;
1341 q.in.sids = r->in.sids;
1342 q.in.count = r->in.count;
1344 q.out.domains = r->out.domains;
1345 q.out.sids = r->out.sids;
1346 q.out.count = r->out.count;
1348 return _lsa_LookupNames3(p, &q);
1351 /***************************************************************************
1352 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1353 ***************************************************************************/
1355 NTSTATUS _lsa_Close(struct pipes_struct *p, struct lsa_Close *r)
1357 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1358 return NT_STATUS_INVALID_HANDLE;
1361 close_policy_hnd(p, r->in.handle);
1362 ZERO_STRUCTP(r->out.handle);
1363 return NT_STATUS_OK;
1366 /***************************************************************************
1367 ***************************************************************************/
1369 NTSTATUS _lsa_OpenSecret(struct pipes_struct *p, struct lsa_OpenSecret *r)
1371 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1374 /***************************************************************************
1375 ***************************************************************************/
1377 NTSTATUS _lsa_OpenTrustedDomain(struct pipes_struct *p,
1378 struct lsa_OpenTrustedDomain *r)
1380 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1383 /***************************************************************************
1384 ***************************************************************************/
1386 NTSTATUS _lsa_CreateTrustedDomain(struct pipes_struct *p,
1387 struct lsa_CreateTrustedDomain *r)
1389 return NT_STATUS_ACCESS_DENIED;
1392 /***************************************************************************
1393 ***************************************************************************/
1395 NTSTATUS _lsa_CreateSecret(struct pipes_struct *p, struct lsa_CreateSecret *r)
1397 return NT_STATUS_ACCESS_DENIED;
1400 /***************************************************************************
1401 ***************************************************************************/
1403 NTSTATUS _lsa_SetSecret(struct pipes_struct *p, struct lsa_SetSecret *r)
1405 return NT_STATUS_ACCESS_DENIED;
1408 /***************************************************************************
1410 ***************************************************************************/
1412 NTSTATUS _lsa_DeleteObject(struct pipes_struct *p,
1413 struct lsa_DeleteObject *r)
1416 struct lsa_info *info = NULL;
1418 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1419 return NT_STATUS_INVALID_HANDLE;
1422 if (!(info->access & SEC_STD_DELETE)) {
1423 return NT_STATUS_ACCESS_DENIED;
1426 switch (info->type) {
1427 case LSA_HANDLE_ACCOUNT_TYPE:
1428 status = privilege_delete_account(&info->sid);
1429 if (!NT_STATUS_IS_OK(status)) {
1430 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1431 nt_errstr(status)));
1436 return NT_STATUS_INVALID_HANDLE;
1439 close_policy_hnd(p, r->in.handle);
1440 ZERO_STRUCTP(r->out.handle);
1445 /***************************************************************************
1447 ***************************************************************************/
1449 NTSTATUS _lsa_EnumPrivs(struct pipes_struct *p,
1450 struct lsa_EnumPrivs *r)
1452 struct lsa_info *handle;
1454 uint32 enum_context = *r->in.resume_handle;
1455 int num_privs = count_all_privileges();
1456 struct lsa_PrivEntry *entries = NULL;
1457 struct lsa_LUIDAttribute luid;
1459 /* remember that the enum_context starts at 0 and not 1 */
1461 if ( enum_context >= num_privs )
1462 return NT_STATUS_NO_MORE_ENTRIES;
1464 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1465 enum_context, num_privs));
1467 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1468 return NT_STATUS_INVALID_HANDLE;
1470 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1471 return NT_STATUS_INVALID_HANDLE;
1474 /* check if the user has enough rights
1475 I don't know if it's the right one. not documented. */
1477 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1478 return NT_STATUS_ACCESS_DENIED;
1481 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1483 return NT_STATUS_NO_MEMORY;
1489 for (i = 0; i < num_privs; i++) {
1490 if( i < enum_context) {
1492 init_lsa_StringLarge(&entries[i].name, NULL);
1494 entries[i].luid.low = 0;
1495 entries[i].luid.high = 0;
1498 init_lsa_StringLarge(&entries[i].name, privs[i].name);
1500 luid = get_privilege_luid( &privs[i].privilege_mask );
1502 entries[i].luid.low = luid.luid.low;
1503 entries[i].luid.high = luid.luid.high;
1507 enum_context = num_privs;
1509 *r->out.resume_handle = enum_context;
1510 r->out.privs->count = num_privs;
1511 r->out.privs->privs = entries;
1513 return NT_STATUS_OK;
1516 /***************************************************************************
1517 _lsa_LookupPrivDisplayName
1518 ***************************************************************************/
1520 NTSTATUS _lsa_LookupPrivDisplayName(struct pipes_struct *p,
1521 struct lsa_LookupPrivDisplayName *r)
1523 struct lsa_info *handle;
1524 const char *description;
1525 struct lsa_StringLarge *lsa_name;
1527 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1528 return NT_STATUS_INVALID_HANDLE;
1530 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1531 return NT_STATUS_INVALID_HANDLE;
1534 /* check if the user has enough rights */
1537 * I don't know if it's the right one. not documented.
1539 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1540 return NT_STATUS_ACCESS_DENIED;
1542 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1544 description = get_privilege_dispname(r->in.name->string);
1546 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1547 return NT_STATUS_NO_SUCH_PRIVILEGE;
1550 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1552 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1554 return NT_STATUS_NO_MEMORY;
1557 init_lsa_StringLarge(lsa_name, description);
1559 *r->out.returned_language_id = r->in.language_id;
1560 *r->out.disp_name = lsa_name;
1562 return NT_STATUS_OK;
1565 /***************************************************************************
1567 ***************************************************************************/
1569 NTSTATUS _lsa_EnumAccounts(struct pipes_struct *p,
1570 struct lsa_EnumAccounts *r)
1572 struct lsa_info *handle;
1573 struct dom_sid *sid_list;
1574 int i, j, num_entries;
1576 struct lsa_SidPtr *sids = NULL;
1578 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1579 return NT_STATUS_INVALID_HANDLE;
1581 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1582 return NT_STATUS_INVALID_HANDLE;
1585 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1586 return NT_STATUS_ACCESS_DENIED;
1591 /* The only way we can currently find out all the SIDs that have been
1592 privileged is to scan all privileges */
1594 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1595 if (!NT_STATUS_IS_OK(status)) {
1599 if (*r->in.resume_handle >= num_entries) {
1600 return NT_STATUS_NO_MORE_ENTRIES;
1603 if (num_entries - *r->in.resume_handle) {
1604 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1605 num_entries - *r->in.resume_handle);
1607 talloc_free(sid_list);
1608 return NT_STATUS_NO_MEMORY;
1611 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1612 sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1614 talloc_free(sid_list);
1615 return NT_STATUS_NO_MEMORY;
1620 talloc_free(sid_list);
1622 *r->out.resume_handle = num_entries;
1623 r->out.sids->num_sids = num_entries;
1624 r->out.sids->sids = sids;
1626 return NT_STATUS_OK;
1629 /***************************************************************************
1631 ***************************************************************************/
1633 NTSTATUS _lsa_GetUserName(struct pipes_struct *p,
1634 struct lsa_GetUserName *r)
1636 const char *username, *domname;
1637 struct lsa_String *account_name = NULL;
1638 struct lsa_String *authority_name = NULL;
1640 if (r->in.account_name &&
1641 *r->in.account_name) {
1642 return NT_STATUS_INVALID_PARAMETER;
1645 if (r->in.authority_name &&
1646 *r->in.authority_name) {
1647 return NT_STATUS_INVALID_PARAMETER;
1650 if (p->server_info->guest) {
1652 * I'm 99% sure this is not the right place to do this,
1653 * global_sid_Anonymous should probably be put into the token
1654 * instead of the guest id -- vl
1656 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1657 &domname, &username, NULL)) {
1658 return NT_STATUS_NO_MEMORY;
1661 username = p->server_info->sanitized_username;
1662 domname = p->server_info->info3->base.domain.string;
1665 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1666 if (!account_name) {
1667 return NT_STATUS_NO_MEMORY;
1669 init_lsa_String(account_name, username);
1671 if (r->out.authority_name) {
1672 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1673 if (!authority_name) {
1674 return NT_STATUS_NO_MEMORY;
1676 init_lsa_String(authority_name, domname);
1679 *r->out.account_name = account_name;
1680 if (r->out.authority_name) {
1681 *r->out.authority_name = authority_name;
1684 return NT_STATUS_OK;
1687 /***************************************************************************
1689 ***************************************************************************/
1691 NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
1692 struct lsa_CreateAccount *r)
1695 struct lsa_info *handle;
1696 struct lsa_info *info;
1697 uint32_t acc_granted;
1698 struct security_descriptor *psd;
1701 /* find the connection policy handle. */
1702 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1703 return NT_STATUS_INVALID_HANDLE;
1705 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1706 return NT_STATUS_INVALID_HANDLE;
1709 /* check if the user has enough rights */
1711 if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
1712 return NT_STATUS_ACCESS_DENIED;
1715 /* Work out max allowed. */
1716 map_max_allowed_access(p->server_info->ptok,
1717 &p->server_info->utok,
1718 &r->in.access_mask);
1720 /* map the generic bits to the lsa policy ones */
1721 se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1723 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1724 &lsa_account_mapping,
1725 r->in.sid, LSA_POLICY_ALL_ACCESS);
1726 if (!NT_STATUS_IS_OK(status)) {
1730 status = access_check_object(psd, p->server_info->ptok,
1731 NULL, 0, r->in.access_mask,
1732 &acc_granted, "_lsa_CreateAccount");
1733 if (!NT_STATUS_IS_OK(status)) {
1737 if ( is_privileged_sid( r->in.sid ) )
1738 return NT_STATUS_OBJECT_NAME_COLLISION;
1740 /* associate the user/group SID with the (unique) handle. */
1742 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1744 return NT_STATUS_NO_MEMORY;
1747 info->sid = *r->in.sid;
1748 info->access = acc_granted;
1749 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1751 /* get a (unique) handle. open a policy on it. */
1752 if (!create_policy_hnd(p, r->out.acct_handle, info))
1753 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1755 return privilege_create_account( &info->sid );
1758 /***************************************************************************
1760 ***************************************************************************/
1762 NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
1763 struct lsa_OpenAccount *r)
1765 struct lsa_info *handle;
1766 struct lsa_info *info;
1767 struct security_descriptor *psd = NULL;
1769 uint32_t des_access = r->in.access_mask;
1770 uint32_t acc_granted;
1773 /* find the connection policy handle. */
1774 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1775 return NT_STATUS_INVALID_HANDLE;
1777 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1778 return NT_STATUS_INVALID_HANDLE;
1781 /* des_access is for the account here, not the policy
1782 * handle - so don't check against policy handle. */
1784 /* Work out max allowed. */
1785 map_max_allowed_access(p->server_info->ptok,
1786 &p->server_info->utok,
1789 /* map the generic bits to the lsa account ones */
1790 se_map_generic(&des_access, &lsa_account_mapping);
1792 /* get the generic lsa account SD until we store it */
1793 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1794 &lsa_account_mapping,
1795 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1796 if (!NT_STATUS_IS_OK(status)) {
1800 status = access_check_object(psd, p->server_info->ptok,
1801 NULL, 0, des_access,
1802 &acc_granted, "_lsa_OpenAccount" );
1803 if (!NT_STATUS_IS_OK(status)) {
1807 /* TODO: Fis the parsing routine before reenabling this check! */
1809 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1810 return NT_STATUS_ACCESS_DENIED;
1812 /* associate the user/group SID with the (unique) handle. */
1813 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1815 return NT_STATUS_NO_MEMORY;
1818 info->sid = *r->in.sid;
1819 info->access = acc_granted;
1820 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1822 /* get a (unique) handle. open a policy on it. */
1823 if (!create_policy_hnd(p, r->out.acct_handle, info))
1824 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1826 return NT_STATUS_OK;
1829 /***************************************************************************
1830 _lsa_EnumPrivsAccount
1831 For a given SID, enumerate all the privilege this account has.
1832 ***************************************************************************/
1834 NTSTATUS _lsa_EnumPrivsAccount(struct pipes_struct *p,
1835 struct lsa_EnumPrivsAccount *r)
1837 NTSTATUS status = NT_STATUS_OK;
1838 struct lsa_info *info=NULL;
1840 PRIVILEGE_SET privileges;
1841 struct lsa_PrivilegeSet *priv_set = NULL;
1842 struct lsa_LUIDAttribute *luid_attrs = NULL;
1845 /* find the connection policy handle. */
1846 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1847 return NT_STATUS_INVALID_HANDLE;
1849 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1850 return NT_STATUS_INVALID_HANDLE;
1853 if (!(info->access & LSA_ACCOUNT_VIEW))
1854 return NT_STATUS_ACCESS_DENIED;
1856 get_privileges_for_sids(&mask, &info->sid, 1);
1858 privilege_set_init( &privileges );
1860 priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1862 status = NT_STATUS_NO_MEMORY;
1866 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1868 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1869 sid_string_dbg(&info->sid),
1872 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1873 struct lsa_LUIDAttribute,
1876 status = NT_STATUS_NO_MEMORY;
1880 for (i=0; i<privileges.count; i++) {
1881 luid_attrs[i] = privileges.set[i];
1884 priv_set->count = privileges.count;
1885 priv_set->unknown = 0;
1886 priv_set->set = luid_attrs;
1889 priv_set->count = 0;
1890 priv_set->unknown = 0;
1891 priv_set->set = NULL;
1894 *r->out.privs = priv_set;
1897 privilege_set_free( &privileges );
1902 /***************************************************************************
1903 _lsa_GetSystemAccessAccount
1904 ***************************************************************************/
1906 NTSTATUS _lsa_GetSystemAccessAccount(struct pipes_struct *p,
1907 struct lsa_GetSystemAccessAccount *r)
1910 struct lsa_info *info = NULL;
1911 struct lsa_EnumPrivsAccount e;
1912 struct lsa_PrivilegeSet *privset;
1914 /* find the connection policy handle. */
1916 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1917 return NT_STATUS_INVALID_HANDLE;
1919 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1920 return NT_STATUS_INVALID_HANDLE;
1923 if (!(info->access & LSA_ACCOUNT_VIEW))
1924 return NT_STATUS_ACCESS_DENIED;
1926 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1928 return NT_STATUS_NO_MEMORY;
1931 e.in.handle = r->in.handle;
1932 e.out.privs = &privset;
1934 status = _lsa_EnumPrivsAccount(p, &e);
1935 if (!NT_STATUS_IS_OK(status)) {
1936 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1937 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1938 nt_errstr(status)));
1942 /* Samba4 would iterate over the privset to merge the policy mode bits,
1943 * not sure samba3 can do the same here, so just return what we did in
1947 0x01 -> Log on locally
1948 0x02 -> Access this computer from network
1949 0x04 -> Log on as a batch job
1950 0x10 -> Log on as a service
1952 they can be ORed together
1955 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1956 LSA_POLICY_MODE_NETWORK;
1958 return NT_STATUS_OK;
1961 /***************************************************************************
1962 update the systemaccount information
1963 ***************************************************************************/
1965 NTSTATUS _lsa_SetSystemAccessAccount(struct pipes_struct *p,
1966 struct lsa_SetSystemAccessAccount *r)
1968 struct lsa_info *info=NULL;
1971 /* find the connection policy handle. */
1972 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1973 return NT_STATUS_INVALID_HANDLE;
1975 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1976 return NT_STATUS_INVALID_HANDLE;
1979 if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1980 return NT_STATUS_ACCESS_DENIED;
1983 if (!pdb_getgrsid(&map, info->sid))
1984 return NT_STATUS_NO_SUCH_GROUP;
1986 return pdb_update_group_mapping_entry(&map);
1989 /***************************************************************************
1990 _lsa_AddPrivilegesToAccount
1991 For a given SID, add some privileges.
1992 ***************************************************************************/
1994 NTSTATUS _lsa_AddPrivilegesToAccount(struct pipes_struct *p,
1995 struct lsa_AddPrivilegesToAccount *r)
1997 struct lsa_info *info = NULL;
1999 struct lsa_PrivilegeSet *set = NULL;
2001 /* find the connection policy handle. */
2002 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2003 return NT_STATUS_INVALID_HANDLE;
2005 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2006 return NT_STATUS_INVALID_HANDLE;
2009 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2010 return NT_STATUS_ACCESS_DENIED;
2014 if ( !privilege_set_to_se_priv( &mask, set ) )
2015 return NT_STATUS_NO_SUCH_PRIVILEGE;
2017 if ( !grant_privilege( &info->sid, &mask ) ) {
2018 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
2019 sid_string_dbg(&info->sid) ));
2020 DEBUG(3,("Privilege mask:\n"));
2021 dump_se_priv( DBGC_ALL, 3, &mask );
2022 return NT_STATUS_NO_SUCH_PRIVILEGE;
2025 return NT_STATUS_OK;
2028 /***************************************************************************
2029 _lsa_RemovePrivilegesFromAccount
2030 For a given SID, remove some privileges.
2031 ***************************************************************************/
2033 NTSTATUS _lsa_RemovePrivilegesFromAccount(struct pipes_struct *p,
2034 struct lsa_RemovePrivilegesFromAccount *r)
2036 struct lsa_info *info = NULL;
2038 struct lsa_PrivilegeSet *set = NULL;
2040 /* find the connection policy handle. */
2041 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2042 return NT_STATUS_INVALID_HANDLE;
2044 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2045 return NT_STATUS_INVALID_HANDLE;
2048 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2049 return NT_STATUS_ACCESS_DENIED;
2054 if ( !privilege_set_to_se_priv( &mask, set ) )
2055 return NT_STATUS_NO_SUCH_PRIVILEGE;
2057 if ( !revoke_privilege( &info->sid, &mask ) ) {
2058 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2059 sid_string_dbg(&info->sid) ));
2060 DEBUG(3,("Privilege mask:\n"));
2061 dump_se_priv( DBGC_ALL, 3, &mask );
2062 return NT_STATUS_NO_SUCH_PRIVILEGE;
2065 return NT_STATUS_OK;
2068 /***************************************************************************
2070 ***************************************************************************/
2072 NTSTATUS _lsa_LookupPrivName(struct pipes_struct *p,
2073 struct lsa_LookupPrivName *r)
2075 struct lsa_info *info = NULL;
2077 struct lsa_StringLarge *lsa_name;
2079 /* find the connection policy handle. */
2080 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2081 return NT_STATUS_INVALID_HANDLE;
2084 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2085 return NT_STATUS_INVALID_HANDLE;
2088 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2089 return NT_STATUS_ACCESS_DENIED;
2092 name = luid_to_privilege_name(r->in.luid);
2094 return NT_STATUS_NO_SUCH_PRIVILEGE;
2097 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2099 return NT_STATUS_NO_MEMORY;
2102 lsa_name->string = talloc_strdup(lsa_name, name);
2103 if (!lsa_name->string) {
2104 TALLOC_FREE(lsa_name);
2105 return NT_STATUS_NO_MEMORY;
2108 *r->out.name = lsa_name;
2110 return NT_STATUS_OK;
2113 /***************************************************************************
2115 ***************************************************************************/
2117 NTSTATUS _lsa_QuerySecurity(struct pipes_struct *p,
2118 struct lsa_QuerySecurity *r)
2120 struct lsa_info *handle=NULL;
2121 struct security_descriptor *psd = NULL;
2125 /* find the connection policy handle. */
2126 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2127 return NT_STATUS_INVALID_HANDLE;
2129 switch (handle->type) {
2130 case LSA_HANDLE_POLICY_TYPE:
2131 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2132 &lsa_policy_mapping, NULL, 0);
2134 case LSA_HANDLE_ACCOUNT_TYPE:
2135 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2136 &lsa_account_mapping,
2137 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2140 status = NT_STATUS_INVALID_HANDLE;
2144 if (!NT_STATUS_IS_OK(status)) {
2148 *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2149 if (!*r->out.sdbuf) {
2150 return NT_STATUS_NO_MEMORY;
2156 /***************************************************************************
2157 _lsa_AddAccountRights
2158 ***************************************************************************/
2160 NTSTATUS _lsa_AddAccountRights(struct pipes_struct *p,
2161 struct lsa_AddAccountRights *r)
2163 struct lsa_info *info = NULL;
2165 uint32_t acc_granted = 0;
2166 struct security_descriptor *psd = NULL;
2171 /* find the connection policy handle. */
2172 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2173 return NT_STATUS_INVALID_HANDLE;
2175 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2176 return NT_STATUS_INVALID_HANDLE;
2179 /* get the generic lsa account SD for this SID until we store it */
2180 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2181 &lsa_account_mapping,
2182 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2183 if (!NT_STATUS_IS_OK(status)) {
2188 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2189 * on the policy handle. If it does, ask for
2190 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2191 * on the account sid. We don't check here so just use the latter. JRA.
2194 status = access_check_object(psd, p->server_info->ptok,
2196 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2197 &acc_granted, "_lsa_AddAccountRights" );
2198 if (!NT_STATUS_IS_OK(status)) {
2202 /* according to an NT4 PDC, you can add privileges to SIDs even without
2203 call_lsa_create_account() first. And you can use any arbitrary SID. */
2205 sid_copy( &sid, r->in.sid );
2207 for ( i=0; i < r->in.rights->count; i++ ) {
2209 const char *privname = r->in.rights->names[i].string;
2211 /* only try to add non-null strings */
2216 if ( !grant_privilege_by_name( &sid, privname ) ) {
2217 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2219 return NT_STATUS_NO_SUCH_PRIVILEGE;
2223 return NT_STATUS_OK;
2226 /***************************************************************************
2227 _lsa_RemoveAccountRights
2228 ***************************************************************************/
2230 NTSTATUS _lsa_RemoveAccountRights(struct pipes_struct *p,
2231 struct lsa_RemoveAccountRights *r)
2233 struct lsa_info *info = NULL;
2235 struct security_descriptor *psd = NULL;
2238 const char *privname = NULL;
2239 uint32_t acc_granted = 0;
2242 /* find the connection policy handle. */
2243 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2244 return NT_STATUS_INVALID_HANDLE;
2246 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2247 return NT_STATUS_INVALID_HANDLE;
2250 /* get the generic lsa account SD for this SID until we store it */
2251 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2252 &lsa_account_mapping,
2253 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2254 if (!NT_STATUS_IS_OK(status)) {
2259 * From the MS DOCs. We need
2260 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2261 * and DELETE on the account sid.
2264 status = access_check_object(psd, p->server_info->ptok,
2266 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2267 LSA_ACCOUNT_VIEW|SEC_STD_DELETE,
2268 &acc_granted, "_lsa_RemoveAccountRights");
2269 if (!NT_STATUS_IS_OK(status)) {
2273 sid_copy( &sid, r->in.sid );
2275 if ( r->in.remove_all ) {
2276 if ( !revoke_all_privileges( &sid ) )
2277 return NT_STATUS_ACCESS_DENIED;
2279 return NT_STATUS_OK;
2282 for ( i=0; i < r->in.rights->count; i++ ) {
2284 privname = r->in.rights->names[i].string;
2286 /* only try to add non-null strings */
2291 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2292 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2294 return NT_STATUS_NO_SUCH_PRIVILEGE;
2298 return NT_STATUS_OK;
2301 /*******************************************************************
2302 ********************************************************************/
2304 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2305 struct lsa_RightSet *r,
2306 PRIVILEGE_SET *privileges)
2309 const char *privname;
2310 const char **privname_array = NULL;
2313 for (i=0; i<privileges->count; i++) {
2315 privname = luid_to_privilege_name(&privileges->set[i].luid);
2317 if (!add_string_to_array(mem_ctx, privname,
2318 &privname_array, &num_priv)) {
2319 return NT_STATUS_NO_MEMORY;
2326 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2329 return NT_STATUS_NO_MEMORY;
2332 for (i=0; i<num_priv; i++) {
2333 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2336 r->count = num_priv;
2339 return NT_STATUS_OK;
2342 /***************************************************************************
2343 _lsa_EnumAccountRights
2344 ***************************************************************************/
2346 NTSTATUS _lsa_EnumAccountRights(struct pipes_struct *p,
2347 struct lsa_EnumAccountRights *r)
2350 struct lsa_info *info = NULL;
2352 PRIVILEGE_SET privileges;
2355 /* find the connection policy handle. */
2357 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2358 return NT_STATUS_INVALID_HANDLE;
2360 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2361 return NT_STATUS_INVALID_HANDLE;
2364 if (!(info->access & LSA_ACCOUNT_VIEW)) {
2365 return NT_STATUS_ACCESS_DENIED;
2368 /* according to an NT4 PDC, you can add privileges to SIDs even without
2369 call_lsa_create_account() first. And you can use any arbitrary SID. */
2371 sid_copy( &sid, r->in.sid );
2373 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2374 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2375 * the lsa database */
2377 if (!get_privileges_for_sids(&mask, &sid, 1)) {
2378 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2381 status = privilege_set_init(&privileges);
2382 if (!NT_STATUS_IS_OK(status)) {
2386 se_priv_to_privilege_set(&privileges, &mask);
2388 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2389 sid_string_dbg(&sid), privileges.count));
2391 status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2393 privilege_set_free( &privileges );
2398 /***************************************************************************
2399 _lsa_LookupPrivValue
2400 ***************************************************************************/
2402 NTSTATUS _lsa_LookupPrivValue(struct pipes_struct *p,
2403 struct lsa_LookupPrivValue *r)
2405 struct lsa_info *info = NULL;
2406 const char *name = NULL;
2407 struct lsa_LUIDAttribute priv_luid;
2410 /* find the connection policy handle. */
2412 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2413 return NT_STATUS_INVALID_HANDLE;
2415 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2416 return NT_STATUS_INVALID_HANDLE;
2419 if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2420 return NT_STATUS_ACCESS_DENIED;
2422 name = r->in.name->string;
2424 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2426 if ( !se_priv_from_name( name, &mask ) )
2427 return NT_STATUS_NO_SUCH_PRIVILEGE;
2429 priv_luid = get_privilege_luid( &mask );
2431 r->out.luid->low = priv_luid.luid.low;
2432 r->out.luid->high = priv_luid.luid.high;
2434 return NT_STATUS_OK;
2437 /***************************************************************************
2438 _lsa_EnumAccountsWithUserRight
2439 ***************************************************************************/
2441 NTSTATUS _lsa_EnumAccountsWithUserRight(struct pipes_struct *p,
2442 struct lsa_EnumAccountsWithUserRight *r)
2445 struct lsa_info *info = NULL;
2446 struct dom_sid *sids = NULL;
2451 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2452 return NT_STATUS_INVALID_HANDLE;
2455 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2456 return NT_STATUS_INVALID_HANDLE;
2459 if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2460 return NT_STATUS_ACCESS_DENIED;
2463 if (!r->in.name || !r->in.name->string) {
2464 return NT_STATUS_NO_SUCH_PRIVILEGE;
2467 if (!se_priv_from_name(r->in.name->string, &mask)) {
2468 return NT_STATUS_NO_SUCH_PRIVILEGE;
2471 status = privilege_enum_sids(&mask, p->mem_ctx,
2473 if (!NT_STATUS_IS_OK(status)) {
2477 r->out.sids->num_sids = num_sids;
2478 r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2479 r->out.sids->num_sids);
2481 for (i=0; i < r->out.sids->num_sids; i++) {
2482 r->out.sids->sids[i].sid = sid_dup_talloc(r->out.sids->sids,
2484 if (!r->out.sids->sids[i].sid) {
2485 TALLOC_FREE(r->out.sids->sids);
2486 r->out.sids->num_sids = 0;
2487 return NT_STATUS_NO_MEMORY;
2491 return NT_STATUS_OK;
2494 /***************************************************************************
2496 ***************************************************************************/
2498 NTSTATUS _lsa_Delete(struct pipes_struct *p,
2499 struct lsa_Delete *r)
2501 return NT_STATUS_NOT_SUPPORTED;
2505 * From here on the server routines are just dummy ones to make smbd link with
2506 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2507 * pulling the server stubs across one by one.
2510 NTSTATUS _lsa_SetSecObj(struct pipes_struct *p, struct lsa_SetSecObj *r)
2512 p->rng_fault_state = True;
2513 return NT_STATUS_NOT_IMPLEMENTED;
2516 NTSTATUS _lsa_ChangePassword(struct pipes_struct *p,
2517 struct lsa_ChangePassword *r)
2519 p->rng_fault_state = True;
2520 return NT_STATUS_NOT_IMPLEMENTED;
2523 NTSTATUS _lsa_SetInfoPolicy(struct pipes_struct *p, struct lsa_SetInfoPolicy *r)
2525 p->rng_fault_state = True;
2526 return NT_STATUS_NOT_IMPLEMENTED;
2529 NTSTATUS _lsa_ClearAuditLog(struct pipes_struct *p, struct lsa_ClearAuditLog *r)
2531 p->rng_fault_state = True;
2532 return NT_STATUS_NOT_IMPLEMENTED;
2535 NTSTATUS _lsa_GetQuotasForAccount(struct pipes_struct *p,
2536 struct lsa_GetQuotasForAccount *r)
2538 p->rng_fault_state = True;
2539 return NT_STATUS_NOT_IMPLEMENTED;
2542 NTSTATUS _lsa_SetQuotasForAccount(struct pipes_struct *p,
2543 struct lsa_SetQuotasForAccount *r)
2545 p->rng_fault_state = True;
2546 return NT_STATUS_NOT_IMPLEMENTED;
2549 NTSTATUS _lsa_QueryTrustedDomainInfo(struct pipes_struct *p,
2550 struct lsa_QueryTrustedDomainInfo *r)
2552 p->rng_fault_state = True;
2553 return NT_STATUS_NOT_IMPLEMENTED;
2556 NTSTATUS _lsa_SetInformationTrustedDomain(struct pipes_struct *p,
2557 struct lsa_SetInformationTrustedDomain *r)
2559 p->rng_fault_state = True;
2560 return NT_STATUS_NOT_IMPLEMENTED;
2563 NTSTATUS _lsa_QuerySecret(struct pipes_struct *p, struct lsa_QuerySecret *r)
2565 p->rng_fault_state = True;
2566 return NT_STATUS_NOT_IMPLEMENTED;
2569 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(struct pipes_struct *p,
2570 struct lsa_QueryTrustedDomainInfoBySid *r)
2572 p->rng_fault_state = True;
2573 return NT_STATUS_NOT_IMPLEMENTED;
2576 NTSTATUS _lsa_SetTrustedDomainInfo(struct pipes_struct *p,
2577 struct lsa_SetTrustedDomainInfo *r)
2579 p->rng_fault_state = True;
2580 return NT_STATUS_NOT_IMPLEMENTED;
2583 NTSTATUS _lsa_DeleteTrustedDomain(struct pipes_struct *p,
2584 struct lsa_DeleteTrustedDomain *r)
2586 p->rng_fault_state = True;
2587 return NT_STATUS_NOT_IMPLEMENTED;
2590 NTSTATUS _lsa_StorePrivateData(struct pipes_struct *p,
2591 struct lsa_StorePrivateData *r)
2593 p->rng_fault_state = True;
2594 return NT_STATUS_NOT_IMPLEMENTED;
2597 NTSTATUS _lsa_RetrievePrivateData(struct pipes_struct *p,
2598 struct lsa_RetrievePrivateData *r)
2600 p->rng_fault_state = True;
2601 return NT_STATUS_NOT_IMPLEMENTED;
2604 NTSTATUS _lsa_SetInfoPolicy2(struct pipes_struct *p,
2605 struct lsa_SetInfoPolicy2 *r)
2607 p->rng_fault_state = True;
2608 return NT_STATUS_NOT_IMPLEMENTED;
2611 NTSTATUS _lsa_QueryTrustedDomainInfoByName(struct pipes_struct *p,
2612 struct lsa_QueryTrustedDomainInfoByName *r)
2614 p->rng_fault_state = True;
2615 return NT_STATUS_NOT_IMPLEMENTED;
2618 NTSTATUS _lsa_SetTrustedDomainInfoByName(struct pipes_struct *p,
2619 struct lsa_SetTrustedDomainInfoByName *r)
2621 p->rng_fault_state = True;
2622 return NT_STATUS_NOT_IMPLEMENTED;
2625 NTSTATUS _lsa_EnumTrustedDomainsEx(struct pipes_struct *p,
2626 struct lsa_EnumTrustedDomainsEx *r)
2628 p->rng_fault_state = True;
2629 return NT_STATUS_NOT_IMPLEMENTED;
2632 NTSTATUS _lsa_CreateTrustedDomainEx(struct pipes_struct *p,
2633 struct lsa_CreateTrustedDomainEx *r)
2635 p->rng_fault_state = True;
2636 return NT_STATUS_NOT_IMPLEMENTED;
2639 NTSTATUS _lsa_CloseTrustedDomainEx(struct pipes_struct *p,
2640 struct lsa_CloseTrustedDomainEx *r)
2642 p->rng_fault_state = True;
2643 return NT_STATUS_NOT_IMPLEMENTED;
2646 NTSTATUS _lsa_QueryDomainInformationPolicy(struct pipes_struct *p,
2647 struct lsa_QueryDomainInformationPolicy *r)
2649 p->rng_fault_state = True;
2650 return NT_STATUS_NOT_IMPLEMENTED;
2653 NTSTATUS _lsa_SetDomainInformationPolicy(struct pipes_struct *p,
2654 struct lsa_SetDomainInformationPolicy *r)
2656 p->rng_fault_state = True;
2657 return NT_STATUS_NOT_IMPLEMENTED;
2660 NTSTATUS _lsa_OpenTrustedDomainByName(struct pipes_struct *p,
2661 struct lsa_OpenTrustedDomainByName *r)
2663 p->rng_fault_state = True;
2664 return NT_STATUS_NOT_IMPLEMENTED;
2667 NTSTATUS _lsa_TestCall(struct pipes_struct *p, struct lsa_TestCall *r)
2669 p->rng_fault_state = True;
2670 return NT_STATUS_NOT_IMPLEMENTED;
2673 NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
2674 struct lsa_CreateTrustedDomainEx2 *r)
2676 p->rng_fault_state = True;
2677 return NT_STATUS_NOT_IMPLEMENTED;
2680 NTSTATUS _lsa_CREDRWRITE(struct pipes_struct *p, struct lsa_CREDRWRITE *r)
2682 p->rng_fault_state = True;
2683 return NT_STATUS_NOT_IMPLEMENTED;
2686 NTSTATUS _lsa_CREDRREAD(struct pipes_struct *p, struct lsa_CREDRREAD *r)
2688 p->rng_fault_state = True;
2689 return NT_STATUS_NOT_IMPLEMENTED;
2692 NTSTATUS _lsa_CREDRENUMERATE(struct pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2694 p->rng_fault_state = True;
2695 return NT_STATUS_NOT_IMPLEMENTED;
2698 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(struct pipes_struct *p,
2699 struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2701 p->rng_fault_state = True;
2702 return NT_STATUS_NOT_IMPLEMENTED;
2705 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(struct pipes_struct *p,
2706 struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2708 p->rng_fault_state = True;
2709 return NT_STATUS_NOT_IMPLEMENTED;
2712 NTSTATUS _lsa_CREDRDELETE(struct pipes_struct *p, struct lsa_CREDRDELETE *r)
2714 p->rng_fault_state = True;
2715 return NT_STATUS_NOT_IMPLEMENTED;
2718 NTSTATUS _lsa_CREDRGETTARGETINFO(struct pipes_struct *p,
2719 struct lsa_CREDRGETTARGETINFO *r)
2721 p->rng_fault_state = True;
2722 return NT_STATUS_NOT_IMPLEMENTED;
2725 NTSTATUS _lsa_CREDRPROFILELOADED(struct pipes_struct *p,
2726 struct lsa_CREDRPROFILELOADED *r)
2728 p->rng_fault_state = True;
2729 return NT_STATUS_NOT_IMPLEMENTED;
2732 NTSTATUS _lsa_CREDRGETSESSIONTYPES(struct pipes_struct *p,
2733 struct lsa_CREDRGETSESSIONTYPES *r)
2735 p->rng_fault_state = True;
2736 return NT_STATUS_NOT_IMPLEMENTED;
2739 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(struct pipes_struct *p,
2740 struct lsa_LSARREGISTERAUDITEVENT *r)
2742 p->rng_fault_state = True;
2743 return NT_STATUS_NOT_IMPLEMENTED;
2746 NTSTATUS _lsa_LSARGENAUDITEVENT(struct pipes_struct *p,
2747 struct lsa_LSARGENAUDITEVENT *r)
2749 p->rng_fault_state = True;
2750 return NT_STATUS_NOT_IMPLEMENTED;
2753 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(struct pipes_struct *p,
2754 struct lsa_LSARUNREGISTERAUDITEVENT *r)
2756 p->rng_fault_state = True;
2757 return NT_STATUS_NOT_IMPLEMENTED;
2760 NTSTATUS _lsa_lsaRQueryForestTrustInformation(struct pipes_struct *p,
2761 struct lsa_lsaRQueryForestTrustInformation *r)
2763 p->rng_fault_state = True;
2764 return NT_STATUS_NOT_IMPLEMENTED;
2767 NTSTATUS _lsa_lsaRSetForestTrustInformation(struct pipes_struct *p,
2768 struct lsa_lsaRSetForestTrustInformation *r)
2770 p->rng_fault_state = True;
2771 return NT_STATUS_NOT_IMPLEMENTED;
2774 NTSTATUS _lsa_CREDRRENAME(struct pipes_struct *p,
2775 struct lsa_CREDRRENAME *r)
2777 p->rng_fault_state = True;
2778 return NT_STATUS_NOT_IMPLEMENTED;
2781 NTSTATUS _lsa_LSAROPENPOLICYSCE(struct pipes_struct *p,
2782 struct lsa_LSAROPENPOLICYSCE *r)
2784 p->rng_fault_state = True;
2785 return NT_STATUS_NOT_IMPLEMENTED;
2788 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(struct pipes_struct *p,
2789 struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2791 p->rng_fault_state = True;
2792 return NT_STATUS_NOT_IMPLEMENTED;
2795 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(struct pipes_struct *p,
2796 struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2798 p->rng_fault_state = True;
2799 return NT_STATUS_NOT_IMPLEMENTED;
2802 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(struct pipes_struct *p,
2803 struct lsa_LSARADTREPORTSECURITYEVENT *r)
2805 p->rng_fault_state = True;
2806 return NT_STATUS_NOT_IMPLEMENTED;